Hello,
we are testing BDE 1.0 beta with vSphere 5.5 beta2 and encountered the following problem after a successful installation and web client registration:
Displayed error dialogue: Could not connect to vSphere Web Client. Contact your administrator to fix this issue.
We also can't connect from vCenter BDE plugin to Serengeti management server to register the management server with BDE.
We are in an environment where http(s) communication is allowed only through a proxy. Could that raise this issue?
Regards,
daniel
I tried all suggestions from Cannot connect to Serengeti Server but I'm still not able to register the Serengeti Management Server with vCenter.
See attached Screenshot.
Is vCenter Server "localhost" pointing to a problem? Should there be the FQDN of the vcenter server?
We use the appliance.
How are the IPs acquired for VC server and BDE management server? static or DHCP?
Could you ping both from each other?
The error shows that the web client encounters a connection issue when querying the information from the VM. Can you verify whether you get the same error when viewing the VM detail information in the web client?
Could you provide the vSphere web client log so that we can trace the root cause of this issue? If you use the VCVA, the log location is /usr/lib/vmware-vsphere-client/server/serviceability/logs/vsphere_client_virgo.log
Both static assigned addresses.
Can ping from Serengeti console to VCVA and also from VCVA to Serengeti.
Message edited by Daniel Pfuhl
Found that line in vsphere_client_virgo.log
[2013-08-01 16:07:51.714] [ERROR] http-bio-9443-exec-11 | o.a.c.core.ContainerBase.[Catalina].[localhost].[/serengeti-ui] StandardWrapper.Throwable org.springframework.beans.factory.xml.XmlBeanDefinitionStoreException: Line 1 in XML document from ServletContext resource [/WEB-INF/spring/bundle-context.xml] is invalid; nested exception is org.xml.sax.SAXParseException; systemId: http://hostnamechangedbydaniel.medizin.uni-leipzig.de/keinproxy.html; lineNumber: 1; columnNumber: 1; Content is not allowed in prolog. |
Which is generated when I press the test connection button in the "Connect to a Serengeti Server" dialog.
Where do I find the URL which vCenter is trying to reach with this request? I assume this is a DNS issue because the log line above indicates that our proxy server is involved in the communication. That means that the request can not be resolved internally so it is routed externally.
Any ideas?
Since you use static IPs and the snapshot shows something like http://${vami.ip0.management-server}, does your DNS server have correct forward and reverse FQDN/IP resolution configured? This might reduce some problems.
forward and reverse lookup are both working now but the error stays the same 😕
If forward and reverse lookup were not working before, could you try restarting vCenter Server (and redeploying BDE again) now that they work?
Hi Daniel, we're working on resolving your issue. Please wait for our response soon. -Jesse @Serengeti
Today we sniffed with Wireshark to track down the issue.
We saw only requests from vCenter to Serengeti Management Server but no answers.
It's furthermore still unclear to us why the vCenter logs indicate that the Firewall/Proxy is serving the "no Proxy configured" page or why a request is getting this direction. We can't see http/https communication between vCenter and the FW or Serengeti Management and the FW.
Trying to connect via Serengeti CLI via port 8080 I found the following error message in /opt/serengeti/logs/serengeti.log
2013 Aug 06 17:18:21,545+0000 INFO main| org.springframework.web.servlet.DispatcherServlet: FrameworkServlet 'restapi': initialization completed in 346 ms
2013 Aug 06 17:18:58,083+0000 INFO http-8080-1| com.vmware.bdd.security.sso.UserAuthenticationProvider: Start to validate by sso authentication.
2013 Aug 06 17:18:59,548+0000 INFO http-8080-1| com.vmware.vim.sso.client.impl.X509TrustChainKeySelector: Failed to find trusted path to signing certificate <1.2.840.113549.1.9.2=#132a313337353133323137382c66363539396365352c35363464373736313732363532303439366536333265,CN=localhost.localdom,1.2.840.113549.1.9.1=#161b73736c2d63657274696669636174657340766d776172652e636f6d,OU=VMware Single Sign-on,O=VMware\, Inc.,L=Palo Alto,ST=California,C=US>
sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:197)
at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:255)
at com.vmware.vim.sso.client.impl.X509TrustChainKeySelector.verifyTrustedPathExists(X509TrustChainKeySelector.java:176)
at com.vmware.vim.sso.client.impl.X509TrustChainKeySelector.select(X509TrustChainKeySelector.java:110)
at org.jcp.xml.dsig.internal.dom.DOMXMLSignature$DOMSignatureValue.validate(DOMXMLSignature.java:522)
at org.jcp.xml.dsig.internal.dom.DOMXMLSignature.validate(DOMXMLSignature.java:254)
[...]
2013 Aug 06 17:18:59,554+0000 ERROR http-8080-1| com.vmware.vim.sso.client.impl.SamlTokenImpl: Signature validation failed
javax.xml.crypto.dsig.XMLSignatureException: the keyselector did not find a validation key
After the Serengeti rollout I already successfully executed EnableSSOAuth at the console.
You mentioned that you can ping from Serengeti Management Server to VCVA and also from VCVA to Serengeti. Does the firewall stand between Serengeti Management Server and VCVA? Did you set any proxy for VCVA? It can be found here: https://vcva_ip:5480/#network.Proxy
No Firewall between VCSA and Serengeti. Both would need to go through the proxy to reach the internet. So currently I'm wondering why they try to go to the internet at this point?!
I have configured the proxy for VCSA.
I must admit that I changed the hostname of VCSA in an early stage and I have not been able to regenerate all certificates to match the right FQDN. See vCSA SSL Certificate regeneration not working
At this point I assume that the problem might come from the broken certificate chain? Could this be possible - I mean are certificates being validated for the communication between VCSA and BDE/Serengeti? Or should the communication between VCSA and BDE/Serengeti also work if certificates won't match the right FQDN hostname?
I think the error you met (routed to proxy server) is more likely related to the proxy. Could you try disabling the proxy for VCSA and restarting it, then try using BDE? I'm not sure the FQDN matters; let's disable the proxy first and then see what error you get.
Hi Jesse,
the error stays the same 😕
Regards
daniel
So the proxy setting is not the root cause in your env. As you mentioned "I must admit that I changed the hostname of VCSA in an early stage and I have not been able to regenerate all certificates to match the right FQDN", is it possible to reinstall a brand new VCSA with the correct FQDN?
Decided to redeploy a new VCVA with the latest SSO refresh code.
After that I was able to connect VCVA with Serengeti Management Server.
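
Log triage for the two excerpts posted in this thread, added here as an example and not part of the original posts or of VMware's tooling: it pulls the host out of the SAXParseException systemId and the CN of the SSO signing certificate that failed trust validation, and marks whether each is a host you expect. The sample lines, the host names and the function name `triage` are constructed for illustration.

```python
import re
from urllib.parse import urlparse

# Constructed sample lines modelled on the two excerpts in the thread;
# host names and the certificate subject are placeholders.
SAMPLE_LOG = """\
[2013-08-01 16:07:51.714] [ERROR] http-bio-9443-exec-11 | StandardWrapper.Throwable org.springframework.beans.factory.xml.XmlBeanDefinitionStoreException: Line 1 in XML document is invalid; nested exception is org.xml.sax.SAXParseException; systemId: http://proxy.example.internal/noproxy.html; lineNumber: 1; columnNumber: 1; Content is not allowed in prolog. |
2013 Aug 06 17:18:59,548+0000 INFO http-8080-1| com.vmware.vim.sso.client.impl.X509TrustChainKeySelector: Failed to find trusted path to signing certificate <CN=localhost.localdom,OU=VMware Single Sign-on,O=VMware\\, Inc.,C=US>
2013 Aug 06 17:18:59,554+0000 ERROR http-8080-1| com.vmware.vim.sso.client.impl.SamlTokenImpl: Signature validation failed
"""

# URL the XML parser was reading when it hit non-XML content (e.g. an HTML page).
SYSTEM_ID = re.compile(
    r"SAXParseException; systemId: (\S+?);.*Content is not allowed in prolog")
# Subject DN of the SAML token signer that had no path to a trusted root.
SIGNER = re.compile(r"Failed to find trusted path to signing certificate <(.+?)>")
# CN attribute inside the DN; backslash-escaped commas stay part of a value.
CN = re.compile(r"(?:^|,)CN=((?:\\.|[^,\\])+)")


def triage(log_text, expected_hosts):
    """Return (kind, name, unexpected) tuples for each failure signature.

    `unexpected` is True when `name` is not one of `expected_hosts`,
    i.e. the content or certificate came from somewhere other than
    the vCenter / management server FQDNs the operator listed.
    """
    expected = {h.lower() for h in expected_hosts}
    findings = []
    for line in log_text.splitlines():
        m = SYSTEM_ID.search(line)
        if m:
            host = (urlparse(m.group(1)).hostname or "").lower()
            findings.append(("xml-prolog-error", host, host not in expected))
        m = SIGNER.search(line)
        if m:
            cn = CN.search(m.group(1))
            name = cn.group(1).lower() if cn else ""
            findings.append(("sso-signer-untrusted", name, name not in expected))
        if "Signature validation failed" in line:
            findings.append(("saml-signature-rejected", "", False))
    return findings


if __name__ == "__main__":
    hosts = {"vcenter.example.internal", "bde-mgmt.example.internal"}
    for finding in triage(SAMPLE_LOG, hosts):
        print(finding)
```
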