vCSA Automated Backup Failure
Recently we have gone through the process of upgrading our Windows 6.0 vCenter Server with external SQL to vCSA 6.5. I must say now how good the entire process was from start to finish, VMware have really done themselves proud on that tool. Our environment isn’t huge but it is big enough that we thought we might see problems – but no!
Part of the migration work was to get backups up and runnign as they were with our Windows vCenter (if not slightly different/better). My understanding is that the supported method for backup is to use the VAMI interface and run a full “file dump” backup of the vCSA with which you can restore into any blank deployed vCSA and you are back in the game. We have a Rubrik for snapshotting but using the VMware method is of course supported and preferred.
The Issue
Upon using the VMware provided Bash Script we encountered the following error in the backup.log file that is produced:
“{“type”:”com.vmware.vapi.std.errors.unauthenticated”,”value”:{“messages”:[{“args”:[],”default_message”:”Unable to authenticate user”,”id”:”vapi.security.authentication.invalid”}]}}”
Further investigation showed further errors in the VAPI endpoint log
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 |
tailf -f /var/log/vmware/vapi/endpoint/endpoint.log 2018-03-14T15:26:49.073 [2456]INFO:twisted:"127.0.0.1" - - [14/Mar/2018:15:26:49 +0000] "POST /api HTTP/1.1" 200 2783 "-" "vAPI http client" 2018-03-14T15:30:14.073 [2456]ERROR:vmware.appliance.vapi.auth:Could not parse HOK Token Traceback (most recent call last): File "/usr/lib/applmgmt/vapi/py/vmware/appliance/vapi/auth.py", line 183, in authenticate token.validate() File "/usr/lib/applmgmt/lib/extensions/py/vmware/appliance/extensions/authentication/authentication_sso.py", line 530, in validate reference = self.validate_signature(signing_chain) File "/usr/lib/applmgmt/lib/extensions/py/vmware/appliance/extensions/authentication/authentication_sso.py", line 763, in validate_signature 'Invalid SAML token: element has ' AuthenticationError: Invalid SAML token: element has invalid digest. 2018-03-14T15:30:14.073 [2456]INFO:twisted:"127.0.0.1" - - [14/Mar/2018:15:30:14 +0000] "POST /api HTTP/1.1" 200 339 "-" "vAPI http client" 2018-03-14T15:30:24.073 [2456]ERROR:vmware.appliance.vapi.auth:Could not parse HOK Token Traceback (most recent call last): File "/usr/lib/applmgmt/vapi/py/vmware/appliance/vapi/auth.py", line 183, in authenticate token.validate() File "/usr/lib/applmgmt/lib/extensions/py/vmware/appliance/extensions/authentication/authentication_sso.py", line 530, in validate reference = self.validate_signature(signing_chain) File "/usr/lib/applmgmt/lib/extensions/py/vmware/appliance/extensions/authentication/authentication_sso.py", line 763, in validate_signature 'Invalid SAML token: element has ' AuthenticationError: Invalid SAML token: element has invalid digest. 2018-03-14T15:30:24.073 [2456]INFO:twisted:"127.0.0.1" - - [14/Mar/2018:15:30:24 +0000] "POST /api HTTP/1.1" 200 339 "-" "vAPI http client" |
We could run a manual backup from the VAMI interface as the root user but just not using the bash script which is essentially using the VAMI API to curl a request to run a backup. The error above seems related to “authentication_sso.py” and being unable to validate the signing chain signature. Without further help there was no way I was going in to modify or look at that script on my own on a now Production vCSA.
I also created a seperate master user in the @vsphere.local domain to test running the backups but still had no luck.
I ran the script manually and the problem occured at the start of the POST to the appliances rest API.
The Fix
After speaking with several smart people in the vExpert slack channel, I raised a case with VMware support. I eventually received a response which told me to edit the following file:
|
1 |
/usr/lib/applmgmt/lib/extensions/py/vmware/appliance/extensions/authentication/authentication_sso.py |
There is a value that needed changing from:
|
1 2 |
digest_value = self.xpath( '//ds:DigestValue', reference, expect=1)[0].text |
To the following:
|
1 |
digest_value = str(self.xpath('//ds:DigestValue', reference, expect=1)[0].text).replace('\r', '').replace('\n', '') |
Be careful with the amendment, there is space indentation on the code and there must be exactly 8 spaces in from the new line
Then a simple stop and start of the applmgmt service to apply the fix:
|
1 2 |
service-control --stop applmgmt service-control --start applmgmt |
Now the script runs perfectly daily to our backup respository. I believe this might become defunct in vSphere 6.7 as I think there is now a GUI way of scheduling backups!