Decommissioned the external PSCs after convergence without re-registering SRM? No problem!!

[Impact]

Re-registering SRM/VR would fail with an SSL error.

[Cause]

- Both SRM and VR store the lookup service URL in their respective databases, across several tables.
- These entries must be manually updated with the URL and thumbprint of the now-embedded VC node.

[DB Tables to review]

While re-registering SRM:

  1. In SRM, look for certificates in the following DB tables:

    a. SELECT * FROM pd_sslthumbprintstore;

    b. SELECT * FROM pd_localsite;

    c. SELECT * FROM pd_remotesite;

    d. SELECT * FROM pds_remotesite;

    e. SELECT * FROM pds_solutionuser;

  2. For vSphere Replication:

    a. SELECT * FROM vmomiserverentity;

[Fix]

Manually update the thumbprint and URL information as shown below (the approach is the same for both SRM and VR):

UPDATE vmomiserverentity SET thumbprint = 'C5:A1:31:FA:1F:A5:90:32:90:DX:3E:5F:49:A3:ED:51:79:4C:F4:A2' WHERE dbid = '330';

where:
C5:A1:31:FA:1F:A5:90:32:90:DX:3E:5F:49:A3:ED:51:79:4C:F4:A2 is the thumbprint of the embedded VC’s machine ssl certificate.
330 is the database id of that particular entry.
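
A pre-check for the update above, as an added example that is not part of the original post: it derives the thumbprint from a PEM certificate in the colon-separated form shown above, rejects malformed values, and lists the rows that differ. The function names, certificate bytes and rows are constructed for illustration, and the SHA-1 format is an assumption based on the 20-byte length of the sample value.

```python
import hashlib
import re
import ssl

# 20 colon-separated uppercase hex bytes: the layout of the page's sample value
# (assumed to be a SHA-1 certificate thumbprint).
THUMBPRINT_RE = re.compile(r"^[0-9A-F]{2}(:[0-9A-F]{2}){19}$")


def is_valid_thumbprint(value):
    """True only for a well-formed thumbprint; catches typos and redacted bytes."""
    return bool(THUMBPRINT_RE.match(value))


def thumbprint_from_pem(pem):
    """SHA-1 thumbprint of a PEM certificate, formatted like the DB column."""
    der = ssl.PEM_cert_to_DER_cert(pem)
    digest = hashlib.sha1(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def stale_rows(rows, expected):
    """Return the dbids whose stored thumbprint differs from the expected one."""
    if not is_valid_thumbprint(expected):
        raise ValueError("expected thumbprint is malformed: %r" % expected)
    return [dbid for dbid, stored in rows if stored.strip().upper() != expected]


# Constructed stand-in bytes, not a real certificate. In practice the PEM would
# come from ssl.get_server_certificate((vc_host, 443)) against the embedded VC.
SAMPLE_PEM = ssl.DER_cert_to_PEM_cert(b"constructed-der-bytes-for-illustration")
EXPECTED = thumbprint_from_pem(SAMPLE_PEM)

# Constructed rows standing in for: SELECT dbid, thumbprint FROM vmomiserverentity;
SAMPLE_ROWS = [
    (330, "11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33:44"),  # old PSC
    (331, EXPECTED.lower()),  # already correct, stored in lower case
]

if __name__ == "__main__":
    print("expected:", EXPECTED)
    print("rows needing UPDATE:", stale_rows(SAMPLE_ROWS, EXPECTED))
```

The sample value in the statement above contains the group DX, which is not a hex byte, so it fails the format check; a thumbprint pasted into the UPDATE must pass it.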

I hope this helps!

SRM/vSphere Replication site pairing fails with the error “Cannot complete login due to an incorrect user name or password.”

When will you see this?

While attempting a site pairing after a re-installation or upgrade of the VC/VR/SRM.

[Log Excerpt]

dr.log:

2020-05-05T21:32:13.527+05:30 warning vmware-dr[04864] [SRM@6876 sub=LocalHms] Failed to connect:
--> (vim.fault.InvalidLogin) {
--> faultCause = (vmodl.MethodFault) null,
--> faultMessage =
--> msg = "Received SOAP response fault from []: login
--> Cannot complete login due to an incorrect user name or password."
--> }
--> [context]zKq7AVMEAAgAAFaTwQAMdm13YXJlLWRyAAAqPwJ2bWFjb3JlLmRsbAABtM4CdmltLXR5cGVzLmRsbAAB/X8yAqXCBXZtb21pLmRsbAACz+AFAOt+GwBLjhsAyYghA39PAk1TVkNSMTIwLmRsbAADJlECBNITAEtFUk5FTDMyLkRMTAAF9FQBbnRkbGwuZGxsAA==[/context]
--> [backtrace begin] product: VMware vCenter Site Recovery Manager, version: 8.1.2, build: build-12686166, tag: vmware-dr, cpu: x86_64, os: windows, buildType: release
--> backtrace[03] vmacore.dll[0x00023F2A]
--> backtrace[04] vim-types.dll[0x0002CEB4]
--> backtrace[05] vim-types.dll[0x00327FFD]
--> backtrace[06] vmomi.dll[0x0005C2A5]
--> backtrace[07] vmomi.dll[0x0005E0CF]
--> backtrace[08] vmacore.dll[0x001B7EEB]
--> backtrace[09] vmacore.dll[0x001B8E4B]
--> backtrace[10] vmacore.dll[0x002188C9]
--> backtrace[11] MSVCR120.dll[0x00024F7F]
--> backtrace[12] MSVCR120.dll[0x00025126]
--> backtrace[13] KERNEL32.DLL[0x000013D2]
--> backtrace[14] ntdll.dll[0x000154F4]
--> [backtrace end]

/opt/vmware/hms/logs/hms.log

2020-05-05 09:44:28.246 ERROR com.vmware.vim.sso.client.impl.SoapBindingImpl tcweb-11 operationID=lro-2-71e1a81-37ab-HMS-201468 | SOAP fault
com.sun.xml.internal.ws.fault.ServerSOAPFaultException: Client received SOAP Fault from server: Access not authorized! Please see the server log to find more detail regarding exact cause of the failure.

2020-05-05 09:44:28.247 ERROR jvsl.security.authentication.sm tcweb-11 operationID=lro-2-71e1a81-37ab-HMS-201468 | Invalid token
com.vmware.vim.sso.client.exception.InvalidTokenRequestException: Request is invalid: ns0:InvalidRequest: Access not authorized!

2020-05-05 09:44:28.248 INFO hms.i18n.class com.vmware.hms.response.filter.I18nActivationResponseFilter tcweb-11 operationID=lro-2-71e1a81-37ab-HMS-201468 | The localized message is: Cannot complete login due to an incorrect user name or password.

Why would we see this?

One or more SolutionUsers have been removed from the groups they should be a part of, which results in this issue.

Steps to resolve:

The following are the 4 SRM & VR SolutionUsers that one would have in their environment:

SRM-
SRM-remote-
h5-dr-
com.vmware.vr-

The following are the groups these SolutionUsers should be a part of:

  1. SolutionUsers
    SRM-
    SRM-remote-
    h5-dr-
    com.vmware.vr-
  2. ActAsUsers
    CN=h5-dr-
    com.vmware.vr-
  3. Administrators
    SRM-
  4. LicenseService.Administrators
    SRM-
  5. SRM Remote Users
    SRM-remote-
  6. HmsRemoteUsers
    SRM-remote-

To restore the group memberships:

  1. Log in to the vCenter Server using the vSphere Flex client.
  2. Navigate to Administration -> Single Sign-On -> Users and Groups -> Groups -> Add Group members.
  3. Manually add the SolutionUsers to these groups.
  4. Re-register SRM/VR.