VMware Cloud Community
yuanlinios
Contributor

Can vRO register to multiple vCenters as extension?

Dears,

Not sure if my requirement is supported. My environment has 2 separate VCSA 6 instances (vcsa-01 and vcsa-02, no enhanced link mode).

Now I deployed vRO 7.0:

* use vcsa-01 as authentication provider

* add vcsa-01 instance to vRO

* register vRO to vcsa-01 as extension

Everything works OK. Then I wanted vRO to also orchestrate vcsa-02, so I added the vcsa-02 instance to vRO. That also works without issue. Then I wanted vRO workflows to also be launchable from vcsa-02's web client, so I tried to register vRO to vcsa-02 as an extension.

The register workflow finished without error, and I can also see the vRO UI (vRO Servers, Workflows, Scheduled workflows, Wait for interaction, etc.) from the vcsa-02 web client. But there are 0 entries under "Orchestrator servers". From vcsa-02's log file (/var/log/vmware/vsphere-client/logs/vsphere_client_virgo.log), I can see some 500 internal server errors:

[2016-10-20T02:05:35.985Z] [WARN ] data-service-pool-219  70000104 100006 200001 com.vmware.vco.session.impl.VcoServiceFactoryImpl  Error creating vCO service on [Configuration [servicePath=/vco/api/, vcoServiceUri=https://10.10.10.10:8281, serviceGuid=55d25bc9-0916-48cf-a5f9-54fdb1d07abf]] org.springframework.web.client.HttpServerErrorException: 500 Internal Server Error
    at org.springframework.web.client.DefaultResponseErrorHandler.handleError(DefaultResponseErrorHandler.java:92)
    at org.springframework.web.client.RestTemplate.handleResponseError(RestTemplate.java:494)
    at org.springframework.web.client.RestTemplate.doExecute(RestTemplate.java:451)
    at org.springframework.web.client.RestTemplate.execute(RestTemplate.java:409)
    at org.springframework.web.client.RestTemplate.getForEntity(RestTemplate.java:229)
    at com.vmware.vco.session.impl.VcoServiceFactoryImpl.authenticateVco(VcoServiceFactoryImpl.java:115)
    at com.vmware.vco.session.impl.VcoServiceFactoryImpl.access$000(VcoServiceFactoryImpl.java:44)
    at com.vmware.vco.session.impl.VcoServiceFactoryImpl$1.doCall(VcoServiceFactoryImpl.java:100)
    at com.vmware.vco.session.impl.VcoServiceFactoryImpl$1.doCall(VcoServiceFactoryImpl.java:95)
    at com.vmware.vco.adapter.concurrent.VcoServiceTask.call(VcoServiceTask.java:37)
    at com.vmware.vco.adapter.concurrent.VcoExecutorService.executeAndWaitForAnyWithTimeout(VcoExecutorService.java:80)
    at com.vmware.vco.session.impl.VcoServiceFactoryImpl.createVcoServices(VcoServiceFactoryImpl.java:109)
    at com.vmware.vco.session.impl.VcoServiceFactoryImpl.checkVcoServicesFor(VcoServiceFactoryImpl.java:217)
    at com.vmware.vco.session.impl.VcoSessionFactoryImpl.lookupVcoSession(VcoSessionFactoryImpl.java:240)
    at com.vmware.vco.session.impl.VcoSessionFactoryImpl.getVcoServicesForVc(VcoSessionFactoryImpl.java:221)
    at com.vmware.vco.session.impl.VcoSessionFactoryImpl.getVcoServices(VcoSessionFactoryImpl.java:94)
    at com.vmware.vco.adapter.dataservice.RootVcoNodePropertyProvider$1.call(RootVcoNodePropertyProvider.java:61)
    at com.vmware.vco.adapter.dataservice.RootVcoNodePropertyProvider$1.call(RootVcoNodePropertyProvider.java:55)
    at com.vmware.vco.adapter.util.PropertyProviderUtil.fetchProperty(PropertyProviderUtil.java:16)
    at com.vmware.vco.adapter.dataservice.RootVcoNodePropertyProvider.getOwnAdminRights(RootVcoNodePropertyProvider.java:55)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
    at java.lang.reflect.Method.invoke(Unknown Source)
    at com.vmware.vise.data.query.impl.ServicePropertyProviderAdapter.invokeMethod(ServicePropertyProviderAdapter.java:285)
    at com.vmware.vise.data.query.impl.ServicePropertyProviderAdapter.getProperties(ServicePropertyProviderAdapter.java:127)
    at com.vmware.vise.data.query.impl.DataManager.getDataFromPropertyProvider(DataManager.java:1403)
    at com.vmware.vise.data.query.impl.DataManager.getResultFromPropertyProvider(DataManager.java:1375)
    at com.vmware.vise.data.query.impl.DataManager.access$000(DataManager.java:79)
    at com.vmware.vise.data.query.impl.DataManager$1.call(DataManager.java:884)
    at com.vmware.vise.data.query.impl.DataManager$1.call(DataManager.java:880)
    at com.vmware.vise.util.concurrent.ExecutorUtil$3.call(ExecutorUtil.java:630)
    at com.vmware.vise.util.concurrent.ExecutorUtil$ThreadContextPropagatingCallable.call(ExecutorUtil.java:984)
    at java.util.concurrent.FutureTask.run(Unknown Source)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
    at java.lang.Thread.run(Unknown Source)

I also tried with enhanced link mode in my lab, but got the same result. Does anyone have experience with this kind of deployment?

VCIX6-DCV/NV, RHCA, CCIE www.linkedin.com/in/yuanlinios
2 Replies
iiliev
VMware Employee

Hi,

Could you also check the vRO logs around the same time (/var/log/vco/app-server/server.log)? There should be some errors/exceptions corresponding to the 500 internal server error you see on the vcsa side.

To your question - yes, vRO can register as an extension to multiple vCenters. The problem can appear later, as you already discovered.

So, when you log in to vcsa-02's web client, it sees the extension and tries to connect to the vRO server the extension points at. The connection is established by calling the vRO REST API, and is authenticated by passing a SAML token acquired on behalf of the user you logged in to the vcsa-02 web client with.

Next, when the REST API call reaches the vRO server, it fetches the passed SAML token and tries to validate it against the authentication provider vRO is configured with, in your case vcsa-01's SSO server. So a SAML token issued by vcsa-02's SSO is sent for validation to vcsa-01's SSO server. This validation could either succeed or fail, depending on the trust established between these 2 SSO servers.

There should be some documentation, or KB articles, describing how a group of 2 or more SSO servers can be configured to trust SAML tokens issued by the other servers in the group (for example, the set of token-signing certificates should be identical on all the servers). Unfortunately, at the moment I don't have a link to such documentation.

yuanlinios
Contributor

Hi Ilian Iliev,

Thanks a lot for your information! It looks like you gave me the correct direction. When I look into the vRO-side log, I can see the SAML token validation failed.

But it confuses me a bit:

* enhanced link mode is used this time; both VCSAs belong to the same SSO domain (vsphere.local)

* I am accessing the web client with the SSO domain administrator (administrator@vsphere.local), and I also set "vsphere.local/Administrators" as vRO's admin group

* time is synchronized

Even in this case, do these 2 SSO servers still not trust each other?

/var/log/vco/app-server/server.log:

2016-10-25 10:49:07.342+0800 [http-nio-0.0.0.0-8281-exec-10] ERROR {} [[restServlet]] Servlet.service() for servlet [restServlet] in context with path [/vco] threw exception
com.vmware.vcac.authentication.http.SamlAuthenticationException: Signature validation failed
        at com.vmware.vcac.authentication.http.SamlTokenExtractor.extractToken(SamlTokenExtractor.java:144)
        at com.vmware.vcac.authentication.http.SamlTokenExtractor.extractToken(SamlTokenExtractor.java:36)
        at com.vmware.o11n.security.auth.http.BaseTokenAuthenticationSupport.convertToObject(BaseTokenAuthenticationSupport.java:39)
        at com.vmware.o11n.security.auth.http.BaseTokenAuthenticationSupport.extractToken(BaseTokenAuthenticationSupport.java:31)
        at com.vmware.o11n.security.auth.sso.SamlTokenAuthenticationSupport.extractToken(SamlTokenAuthenticationSupport.java:66)
        at com.vmware.o11n.security.auth.http.TokenAuthenticationSupportProxy.extractToken(TokenAuthenticationSupportProxy.java:30)
        at com.vmware.o11n.web.auth.http.TokenAuthenticationFilter.doFilter(TokenAuthenticationFilter.java:63)
        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330)
        at org.springframework.security.web.header.HeaderWriterFilter.doFilterInternal(HeaderWriterFilter.java:64)
        at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330)
        at org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter.doFilterInternal(WebAsyncManagerIntegrationFilter.java:53)
        at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330)
        at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:91)
        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330)
        at org.springframework.security.web.access.channel.ChannelProcessingFilter.doFilter(ChannelProcessingFilter.java:152)
        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330)
        at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:213)
        at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:176)
        at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:346)
        at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:262)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:239)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
        at org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:121)
        at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:239)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
        at org.springframework.web.filter.HiddenHttpMethodFilter.doFilterInternal(HiddenHttpMethodFilter.java:77)
        at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:239)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
        at com.vmware.o11n.json.DefaultJsonVersionHeaderFilter.doFilter(DefaultJsonVersionHeaderFilter.java:95)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:239)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
        at com.vmware.o11n.web.cluster.RestActiveNodeFilter.doFilter(RestActiveNodeFilter.java:63)
        at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:346)
        at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:262)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:239)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
        at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:212)
        at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:106)
        at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:614)
        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:141)
        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:79)
        at org.apache.catalina.valves.RemoteIpValve.invoke(RemoteIpValve.java:676)
        at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:616)
        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:88)
        at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:521)
        at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1096)
        at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:674)
        at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1500)
        at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1456)
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
        at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
        at java.lang.Thread.run(Thread.java:745)
Caused by: com.vmware.vim.sso.client.exception.MalformedTokenException: Signature validation failed
        at com.vmware.identity.token.impl.SamlTokenImpl.validateSignature(SamlTokenImpl.java:659)
        at com.vmware.identity.token.impl.SamlTokenImpl.validate(SamlTokenImpl.java:535)
        at com.vmware.vim.sso.client.DefaultTokenFactory.parseToken(DefaultTokenFactory.java:46)
        at com.vmware.vcac.authentication.http.SamlTokenExtractor.tryParseToken(SamlTokenExtractor.java:187)
        at com.vmware.vcac.authentication.http.SamlTokenExtractor.tryParseToken(SamlTokenExtractor.java:193)
        at com.vmware.vcac.authentication.http.SamlTokenExtractor.extractToken(SamlTokenExtractor.java:140)
        ... 56 more
Caused by: javax.xml.crypto.dsig.XMLSignatureException: the keyselector did not find a validation key
        at org.jcp.xml.dsig.internal.dom.DOMXMLSignature$DOMSignatureValue.validate(DOMXMLSignature.java:561)
        at org.jcp.xml.dsig.internal.dom.DOMXMLSignature.validate(DOMXMLSignature.java:265)
        at com.vmware.identity.token.impl.SamlTokenImpl.validateSignature(SamlTokenImpl.java:653)
        ... 61 more

VCIX6-DCV/NV, RHCA, CCIE www.linkedin.com/in/yuanlinios