Certificate Replacement in vIDM & Aria Automation – Real-Time Experience and Troubleshooting

In this blog, I would like to share my real-time experience and troubleshooting steps while replacing certificates for:

  • VMware Identity Manager (vIDM): 3.3.7
  • VMware Aria Suite Lifecycle (vRLCM): 8.18.0 Patch 7
  • VMware Aria Automation: 8.18.1.36791

 

Pre-Activity Preparation

Before starting the certificate replacement activity, the following steps were completed:

  • Imported the custom certificate into Locker in vRLCM and verified it
  • Took snapshots of vIDM and Aria Automation nodes
  • Performed Inventory Sync from vRLCM successfully

 

Aria Automation Certificate Replacement

The certificate replacement for Aria Automation was completed successfully without any major issues.
The new certificate was applied and validated.

 

Issue During vIDM Certificate Replacement

While updating the certificate for vIDM, we encountered the following error:

Error Code: LCMVRAVACONFIG590008

Reference KB

We followed the official KB article:

https://knowledge.broadcom.com/external/article/425839/error-code-lcmvravaconfig590008-when-ret.html

As per the KB:

  • Replace the Load Balancer FQDN with the Primary Node IP/FQDN in the hostname field

After applying these steps, the request proceeded successfully to the next stage.

 

Post-Update Validation Issue

  • Certificate was successfully updated in vIDM System Dashboard
  • However, while accessing Aria Automation UI, we encountered the following error:

Incorrect issuer in SAML AuthnRequest

 

Support Investigation & Findings

After engaging the support team, two key issues were identified:

 

Mistake 1: Certificate Mismatch Between vIDM and Aria Automation

There was a mismatch between the vIDM certificate and Aria Automation configuration.

Reference KB:
https://knowledge.broadcom.com/external/article/322719/changing-vmware-aria-automation-8xs-vmwa.html

Resolution Steps:

  1. SSH into one of the Aria Automation nodes
  2. Run the following command:

vracli vidm set https://<vIDM-URL> admin <tenant>

Notes:

  • Replace <vIDM-URL> with:
    • Load Balancer FQDN (recommended for cluster setup)
    • Single node FQDN (if standalone)
  • Replace <tenant> with the correct tenant/user
  • Verify the SHA-256 fingerprint of the vIDM certificate shown at the prompt before accepting it
  • Enter the vIDM admin password when prompted

 

Apply Changes

vracli vidm apply

Monitor Services

kubectl get pods -n prelude -w | grep identity-service

Ensure all identity service pods are running successfully.
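Before accepting the fingerprint prompt in vracli vidm set, it helps to confirm that the load balancer FQDN and each vIDM node actually present the same certificate, since a node still serving the old certificate is exactly the kind of inconsistency described above. The script below is an added example written for this post, not VMware or vracli code; the hostnames and certificate bodies are constructed placeholders, and the live fetch helper is only for running it against a real environment.

```python
import base64
import hashlib
import ssl


def sha256_fingerprint(pem: str) -> str:
    """Colon-separated upper-case SHA-256 fingerprint of a PEM certificate,
    the same form vracli and openssl display."""
    der = ssl.PEM_cert_to_DER_cert(pem)
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalize_fingerprint(fp: str) -> str:
    """Accept 'ab:cd..', 'ABCD..', or 'SHA256:..' so values copied from Locker,
    openssl or the vracli prompt compare uniformly."""
    fp = fp.strip()
    if fp.upper().startswith("SHA256:"):
        fp = fp[7:]
    return fp.replace(":", "").replace(" ", "").upper()


def fetch_pem(host: str, port: int = 443) -> str:
    """Live helper (not used offline): grab the leaf certificate an endpoint
    presents. No chain validation here; we only want the bytes to hash."""
    return ssl.get_server_certificate((host, port))


def check_consistency(expected_fp: str, observed: dict) -> dict:
    """observed maps hostname -> PEM it served. Returns hostname -> 'ok' or
    'MISMATCH <fingerprint seen>' so a stale node stands out before 'set'."""
    want = normalize_fingerprint(expected_fp)
    report = {}
    for host, pem in observed.items():
        seen = sha256_fingerprint(pem)
        report[host] = "ok" if normalize_fingerprint(seen) == want else f"MISMATCH {seen}"
    return report


def _fake_pem(label: bytes) -> str:
    """Constructed placeholder: PEM wrapper around arbitrary bytes, enough to
    exercise the hashing path offline. Not a real certificate."""
    body = base64.b64encode(label).decode()
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


# Constructed scenario: the LB FQDN already serves the new Locker certificate,
# one node still serves the old one. Hostnames are placeholders.
NEW_CERT = _fake_pem(b"constructed-new-locker-cert")
OLD_CERT = _fake_pem(b"constructed-old-cert")
OBSERVED = {"vidm-lb.example.local": NEW_CERT, "vidm-node1.example.local": OLD_CERT}

if __name__ == "__main__":
    for host, status in check_consistency(sha256_fingerprint(NEW_CERT), OBSERVED).items():
        print(f"{host}: {status}")
```

For a real run, replace OBSERVED with {host: fetch_pem(host) for host in (...)} over the LB FQDN and every node, and pass the fingerprint of the certificate you imported into Locker as expected_fp.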

  

Mistake 2: Incorrect Hostname Usage (Primary vs Load Balancer)

During troubleshooting of error LCMVRAVACONFIG590008:

  • KB suggests using Primary Node FQDN/IP
  • However, based on our environment setup, this caused inconsistency

Actual Fix:

As advised by the GSS Support Team:

  • Use Load Balancer FQDN instead of Primary Node FQDN

After updating this configuration:

  • Certificate updates completed successfully
  • Integration between vIDM and Aria Automation was restored

 

Key Takeaways

  • Always validate certificate consistency between vIDM and Aria Automation
  • KB recommendations may vary based on environment architecture
  • For clustered environments:
    • Prefer Load Balancer FQDN
  • Use vracli vidm set and apply to sync configurations properly
  • Always verify SAML authentication flow after certificate changes
  • Load balancer (NSX-T) certificates must be updated manually: https://knowledge.broadcom.com/external/article?articleNumber=372708

 

Fixed Issues

  • Certificates successfully updated for both vIDM and Aria Automation
  • SAML authentication issue resolved
  • Aria Automation UI accessible without errors
  • Environment is fully stable
