During the initial assessment before the migration to VCF 4.x, we encountered precheck errors related to password validation across all components: vCenter, ESXi, vRealize Suite Lifecycle Manager (vRSLCM), VxRail, vRealize Automation (vRA), vRealize Operations (vROps), and vRealize Log Insight (vRLI). Errors like these can present unexpected hurdles.
In this blog post, we'll delve into a real-life scenario where false positive precheck errors disrupted the migration process and how proactive measures were taken to mitigate the issue with the help of VMware Support.
Validation and Investigating False Positives:
Ran the SoS health check for passwords: /opt/vmware/sddc-support/sos --password-health. It showed all passwords as set to never expire, with status Green.
Verified all the components are connected to SDDC Manager.
Verified all the passwords are correct in the SDDC DB and that we are able to log in to the components from SDDC Manager.
Made sure there are no running tasks on SDDC Manager.
Checked lcm.log and found the error below:

2024-01-16T13:36:14.295+0000 ERROR [0000000000000000,0000,precheckId=b2051d4d-bd86-4ce1-9979-9092513e55a3,resourceType=VRA,resourceId=2353ada3-2be8-4915-8147-c261bf46b055] [c.v.e.s.c.v.primitive.AdValidator,pool-2-thread-138] Failed to connect to xxxxxx.com with username xxxxxxx\srv.vra.deploy
javax.naming.AuthenticationNotSupportedException: [LDAP: error code 8 - 00002028: LdapErr: DSID-0C090273, comment: The server requires binds to turn on integrity checking if SSL\TLS are not already active on the connection, data 0, v3839^@]
    at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3252)
    at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:3207)
    at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2993)
    at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2907)
    at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:347)
    at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxFromUrl(LdapCtxFactory.java:225)
    at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:189)
    at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:243)
    at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:154)
    at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:84)
    at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:695)
    at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:313)
    at javax.naming.InitialContext.init(InitialContext.java:244)
    at javax.naming.ldap.InitialLdapContext.<init>(InitialLdapContext.java:154)
    at com.vmware.evo.sddc.common.validation.primitive.AdValidator$AdNoSslLogin.login(AdValidator.java:45)
    at com.vmware.evo.sddc.common.validation.primitive.AdValidator.login(AdValidator.java:182)
    at com.vmware.evo.sddc.lcm.primitive.impl.vrealize.VrealizeCredentialHelper.isLoginSuccessful(VrealizeCredentialHelper.java:91)
    at com.vmware.evo.sddc.lcm.primitive.impl.vrealize.VrealizeCredentialHelper.performVraAdConnctionCheck(VrealizeCredentialHelper.java:60)
    at com.vmware.evo.sddc.lcm.primitive.impl.vra.VraPrecheckRunner.performVraAdConnctionCheck(VraPrecheckRunner.java:243)
    at com.vmware.evo.sddc.lcm.primitive.impl.vra.VraPrecheckRunner.precheckResource(VraPrecheckRunner.java:101)
    at com.vmware.evo.sddc.lcm.primitive.impl.vrealize.VrslcmPrecheckUpgradeService.processPrecheckTasks(VrslcmPrecheckUpgradeService.java:80)
    at com.vmware.evo.sddc.lcm.primitive.impl.vrealize.VrealizeVrslcmPrimitiveImpl.precheck(VrealizeVrslcmPrimitiveImpl.java:102)
    at com.vmware.evo.sddc.lcm.services.impl.UpgradePrecheckAsyncHandler$1.run(UpgradePrecheckAsyncHandler.java:168)
    at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
    at java.util.concurrent.FutureTask.run(FutureTask.java:266)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
    at java.lang.Thread.run(Thread.java:748)
2024-01-16T13:36:14.295+0000 WARN [0000000000000000,0000,precheckId=b2051d4d-bd86-4ce1-9979-9092513e55a3,resourceType=VRA,resourceId=2353ada3-2be8-4915-8147-c261bf46b055] [c.v.e.s.l.p.i.v.VrealizeCredentialHelper,pool-2-thread-138] Try connectivity check to SSL Acive Directory for vRA

The exception comes from the precheck's non-SSL Active Directory login (AdValidator$AdNoSslLogin): the directory server refuses the bind because it requires integrity checking or SSL/TLS on the connection, so the failure is not caused by a wrong password.
Note: We have seen this kind of alarm in the 3.x version as cosmetic; the upgrade to 4.x fixes the issue.
Workaround:
SSH to SDDC Manager and navigate to the path below.
Edit /opt/vmware/vcf/lcm/lcm-app/conf/feature.properties
Change feature.lcm.precheck.password.validation=true to false
Restarted LCM, and the precheck succeeded.
Note: Once the setting is changed to false, the precheck will not check passwords. Once the upgrade is done, the setting needs to be rolled back to true.
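The workaround above as a small helper, added here as an example and not part of the original post or of VMware's tooling: it backs up feature.properties, rewrites only the one flag, and audits that validation is enabled again after the upgrade. The function names are hypothetical; the key and path are the ones from the steps above, and the LCM restart stays a manual step.

```shell
#!/bin/sh
# Added example, not VMware tooling. Function names are hypothetical;
# the key and default path are the ones given in the post.
KEY='feature.lcm.precheck.password.validation'
DEFAULT_FILE='/opt/vmware/vcf/lcm/lcm-app/conf/feature.properties'

# Print the flag's current value (empty if the key is absent or commented out).
get_flag() {
    awk -F= -v k="$KEY" '{ key = $1; gsub(/[[:space:]]/, "", key) }
        key == k { val = $2; gsub(/[[:space:]]/, "", val) }
        END { print val }' "${1:-$DEFAULT_FILE}"
}

# set_flag true|false [file]: back up the file, then rewrite only that key.
set_flag() {
    value=$1; file=${2:-$DEFAULT_FILE}
    case $value in
        true|false) ;;
        *) echo "value must be true or false" >&2; return 2 ;;
    esac
    [ -n "$(get_flag "$file")" ] || { echo "$KEY not found in $file" >&2; return 1; }
    cp -p "$file" "$file.bak.$(date +%Y%m%d%H%M%S)" || return 1
    tmp=$(mktemp "$file.XXXXXX") || return 1
    # Writing back with cat keeps the original file's owner and mode.
    awk -F= -v k="$KEY" -v v="$value" '{ key = $1; gsub(/[[:space:]]/, "", key) }
        key == k { print k "=" v; next }
        { print }' "$file" > "$tmp" && cat "$tmp" > "$file"
    rc=$?; rm -f "$tmp"; return $rc
}

# audit_flag [file]: succeed only when validation is enabled again.
audit_flag() {
    current=$(get_flag "${1:-$DEFAULT_FILE}")
    if [ "$current" = "true" ]; then
        echo "OK: $KEY=true"
    else
        echo "WARNING: $KEY=${current:-<unset>}, prechecks are not validating passwords" >&2
        return 1
    fi
}
```

Call `set_flag false` before the precheck, then `set_flag true` and `audit_flag` once the upgrade is done; a non-zero exit from `audit_flag` means password validation is still switched off.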