vRSLCM SSLHandshakeException error after updating VIDM SSL certificate

Introduction

I have been working on deploying VMware vRealize Suite Lifecycle Manager (vRSLCM) 1.2 for a customer into their environment.  One of the customer requirements was to be able to use SSO and RBAC with vRSLCM.  The only way to this in vRSLCM is to VMware Identity Manager (VIDM).

Whilst this process is semi-automated, it hasn’t been as easy as it should have been.  Following on from my initial article (VMware vRealize Suite Lifecycle Manager – The tale of SSO and RBAC) I came up against another issue that I thought was worth sharing.

VIDM Configuration Options

Within vRSLCM you can configure connectivity to VIDM in one of two ways.These are hopefully self explanatory from the titles, but just in case…

Option 1 – Add an Existing Identity Manager

With Option 1 you configure vRSLM to connect to an existing (version specific) VIDM solution/instance.

This existing VIDM could be a multi-node HA cluster with SQL server that has been configured to used for other products (such as WorkspaceONE, Horizon View, vRealize  Log Insight or vRealize Operations Manager) OR just a single VIDM appliance deployed purely for vRSLCM.

When a deployment needs to use CA-signed SSL certificates, you could safely expect that the existing VIDM solution that has been deployed to services other applications already has the SSL certificates configured before you try to establish a link between vRSLCM and VIDM.

Option 2 – Install New Identity Manager

With Option 2 you upload a specific version of VIDM (as an OVA) into vRSLCM and let vRSLCM do all the leg work by deploying a single standalone instance of VIDM to support SSO and RBAC just for vRSLCM only.

The Issue

The latest issue I have come up against can be described as follows:

After updating the existing self-signed certificates in VIDM with CA-signed certificates, you can no longer log into vRSLCM due to an SSL Handhake Exception.

The following error is shown in the browser when trying to connect directly to the vRSLM login page OR after you log into vIDM and click Open.

{“message”:”javax.net.ssl.SSLHandshakeException: General SSLEngine problem”,”statusCode”:400,”documentKind”:”com:vmware:xenon:common:ServiceErrorResponse”,”errorCode”:0}

Basically the SSL Certificates got out of sync between the two appliances even though I logged into vRSLCM and re-synchronized the AD configuration.

The Resolution

I spent about 30 mins enabling access to the underlying vRealize Orchestrator server. This can be achieved by following the VMware Docs – Debug vRealize Orchestrator Workflow. I wanted to do this to discover if we could find which certificate was not in either the SSL Trust Store or certstore.

Then I spent another 30 minutes with my number one advisor (google) but my google-fu failed me.  So I decided to post the problem internally and a colleague pointed out a KB article which (whilst its for vRSLCM 1.3) solved my issue.

https://kb.vmware.com/s/article/56462