Repointing SSO domain to new domain fails on “Authz Data export”

Hello community,

I am trying to simply change the SSO domain of my vCenter 6.7 U3 6.7.45000 without replication partner.

When executing the domain repoint as follows:

# cmsso-util domain-repoint -m execute --src-emb-admin Administrator --dest-domain-name vsphere.local

The process fails on the Authz data export.

After checking the logs, I can see in /var/log/vmware/cloudvm/domain_data_export.log the following error:


############ domain_data_export.log #####################

2020-08-31T12:52:17.812Z [main DEBUG com.vmware.vim.sso.client.impl.SoapBindingImpl opId=] Sending SOAP request to the STS server
2020-08-31T12:52:17.860Z [main DEBUG com.vmware.vim.sso.client.impl.ssl.StsSslTrustManager opId=] The SSL certificate of STS service cannot be verified against the list of client-trusted certificates
sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
  at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:450)
  at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:317)
  at sun.security.validator.Validator.validate(Validator.java:262)
  at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:330)
  at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:235)

……………………………

2020-08-31T12:52:17.865Z [main DEBUG com.vmware.vim.sso.client.impl.ssl.StsSslTrustManager opId=] The SSL certificate of STS service cannot be verified against the client-trusted thumbprint
2020-08-31T12:52:17.880Z [main ERROR com.vmware.vim.sso.client.impl.SoapBindingImpl opId=] The SSL certificate of STS service cannot be verified
com.vmware.vim.sso.client.impl.ssl.UntrustedSslCertificateException: The SSL certificate of STS service cannot be verified
  at com.vmware.vim.sso.client.impl.ssl.StsSslTrustManager.validateServerIdentityWithThumbprint(StsSslTrustManager.java:227)
  at com.vmware.vim.sso.client.impl.ssl.StsSslTrustManager.checkServerTrusted(StsSslTrustManager.java:125)

######################################################

This happens with custom certificates and default VMware certificates.

Any ideas from the community?

Thank you
