VMware Identity Manager 2.7 Fails when catalog.vmwareidentity.com is not reachable

This problem is fixed in VMware Identity Manager 2.71

During the deployment of VMware Identity Manager 2.7 we ran into a nasty bugger.
You can normally get vIDM deployed with a basic configuration within an hour.
Walking through the setup is not rocket science: add it to AD and so on, and it all works.
But the fun part starts when you add your Horizon environment to the Identity Manager.

This all goes well, but when you hit the sync entitlements button the appliance breaks down.
It does not matter whether this is done with a single connection server with local entitlements or with a Cloud Pod Architecture with global entitlements; it breaks on both.

booom

Syncing entitlements normally takes a few seconds, but when the catalog is unreachable it can take up to an hour. After a successful sync, 2 pages in vIDM stop functioning: the Users & Groups page and the Catalog page will not work at all. On Users & Groups you will see it loading but nothing happens. The same goes for the Catalog page, but after 10 minutes you will see your inventory once.

Logging in to the user portal itself, you will be greeted by a loading screen and nothing will be shown at all.

This problem does not occur on vIDM 2.6; in 2.7 an LDAP driver was upgraded and is probably the culprit.
Upgrading your working 2.6 to 2.7 will also instantly break your appliance with the same behavior.

A Temporary FIX:

  • Connect it to the Internet.
  • Either put catalog.vmwareidentity.com into your own DNS and point it to a pingable address.
  • Allow it in your proxy server and add vIDM to the proxy via the VAMI proxy command (this could also break your appliance: unable to log in as the admin user).

OR:

  1. SSH onto the vIDM appliance
  2. Elevate yourself to root
  3. Run vi /etc/hosts and add the following:
    “any pingable IP in your organization” catalog.vmwareidentity.com
    For example: 10.153.52.55   catalog.vmwareidentity.com
  4. Save with :wq!
  5. Run “service horizon-workspace restart 5”.
  6. Run the View sync again
  7. Check the catalog page following the sync

After the restart, check the horizon.log file (/opt/vmware/horizon/workspace/logs/horizon.log) for the following exception: com.vmware.horizon.catalog.impl.GlobalCatalogCacheImpl – Error retrieving global catalog info from hosted location

You can check this actively by running “tail -f /opt/vmware/horizon/workspace/logs/horizon.log”
It will take around a minute to get the appliance back up.
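
A small check for the workaround above, as an added example (not from the original post or from VMware): it reports whether a hosts-format file overrides catalog.vmwareidentity.com, and counts the GlobalCatalogCacheImpl exception only in log lines written after a recorded line number, so entries from before the restart are not mistaken for new ones. The function names and the sample data are assumptions; on the appliance you would pass /etc/hosts, the horizon.log path, and the line count from `wc -l` taken before the restart.

```shell
#!/bin/sh
# Added example. Hostname, log path and exception text are from the post;
# the function names and the sample data in demo() are constructed.
CATALOG_HOST="catalog.vmwareidentity.com"
ERR_CLASS="com.vmware.horizon.catalog.impl.GlobalCatalogCacheImpl"
ERR_TEXT="Error retrieving global catalog info from hosted location"

# Print the address a hosts-format file ($1) maps to name ($2); status 1 if none.
# Comments are stripped and the name must match a whole field, so a
# commented-out entry or a longer hostname does not count as an override.
hosts_override() {
    awk -v name="$2" '
        { sub(/#.*/, "") }
        { for (i = 2; i <= NF; i++)
              if (tolower($i) == tolower(name)) { print $1; found = 1; exit } }
        END { exit !found }' "$1"
}

# Count the exception in log $1, looking only at lines after line $2.
# Class and message are matched separately, so the separator between
# them in the real log line does not matter.
catalog_errors_since() {
    awk -v start="$2" -v c="$ERR_CLASS" -v t="$ERR_TEXT" '
        NR > start && index($0, c) && index($0, t) { n++ }
        END { print n + 0 }' "$1"
}

# One-line verdict: $1 hosts file, $2 log file, $3 log length before restart.
check_workaround() {
    ip=$(hosts_override "$1" "$CATALOG_HOST") || ip=""
    n=$(catalog_errors_since "$2" "$3")
    if [ -z "$ip" ]; then echo "no-override new_errors=$n"
    else echo "override=$ip new_errors=$n"; fi
}

demo() {  # constructed sample data, not real appliance output
    d=$(mktemp -d) || return 1
    printf '%s\n' '127.0.0.1 localhost' '#10.0.0.9 catalog.vmwareidentity.com' \
        '10.153.52.55   catalog.vmwareidentity.com' > "$d/hosts"
    printf '%s\n' "ERROR $ERR_CLASS - $ERR_TEXT" 'INFO service started' \
        'INFO sync finished' > "$d/horizon.log"
    check_workaround "$d/hosts" "$d/horizon.log" 1
    rm -rf "$d"
}

if [ $# -eq 3 ]; then check_workaround "$1" "$2" "$3"; else demo; fi
```

The same `hosts_override` check is a quick way to find the entry again once the appliance is on a fixed release and the override is no longer needed.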

EDIT:

Creating an internal zone vmwareidentity.com works partially: the Users & Groups page works again, but another page dies. The Manage Desktop Applications > View Application page stops working with the error below:


HTTP Status 500 – “uriTemplate” parameter is null.

type Exception report

message “uriTemplate” parameter is null.

description The server encountered an internal error that prevented it from fulfilling this request.

exception

java.lang.IllegalArgumentException: “uriTemplate” parameter is null.

        org.glassfish.jersey.uri.internal.JerseyUriBuilder.uri(JerseyUriBuilder.java:189)

        org.glassfish.jersey.uri.internal.JerseyUriBuilder.uri(JerseyUriBuilder.java:72)

        javax.ws.rs.core.UriBuilder.fromUri(UriBuilder.java:119)


This problem only occurs when catalog.vmwareidentity.com is not reachable, for example when blocked by a proxy or by other means.
This will be fixed in an upcoming release of vIDM.
Will add more info to this blog, still working on it 🙂

vIDM 2.71 just released!

Portal renders correctly when Global Catalog is unreachable
Fixed the VMware Identity Manager 2.7 on-premises deployment issue about when the Global Catalog was unreachable, apps were not appearing in the portal.

 
