Symptoms

During WAP installation, various errors are thrown on the Cloud Infrastructure > Windows Azure Pack > Settings page when saving WAP settings, syncing plans on the Plans page, or opening the Admin Portal.

Examples of errors:

  • Opening Admin Portal:

    P400002: Invalid request
    
  • Submitting settings:

    [AZURE] Failed to communicate with WAP Admin API
    
  • Syncing plans:

    [AZURE] javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: Certificate not trusted
    

Cause

These errors are caused by misconfigured certificates.

Resolution

Please check the following:

  1. On OA MN run the command:

    # /usr/java/default/bin/keytool -list -keystore /usr/local/share/WAP/WAPKeyStore
    

    You will see the list of certificates: wap, mgmtsvc-adminapi, mgmtsvc-usage. Pay attention to their SHA1 field.

  2. Go to the WAP node, open IIS Manager > Server Certificates, and compare the 'Certificate hash' values with the SHA1 values obtained in step 1 (for the MgmtSvc-AdminAPI and MgmtSvc-Usage certificates).

  3. To verify the WAP certificate, open the Certificates snap-in as described in the WAP guide (page 15, steps 13-17), navigate to Certificates > Trusted Root Certification Authorities, find the WAP certificate, double-click it, switch to the Details tab, and compare the Thumbprint value with the SHA1 value from step 1.

    If the thumbprints do not match, export the certificate again: from IIS to the MN (for MgmtSvc-AdminAPI/MgmtSvc-Usage) or from the MN to the WAP node (for the wap certificate).

  4. Check that the MgmtSvc-AdminAPI and MgmtSvc-Usage certificates are bound to their respective sites in IIS Manager. For example, for MgmtSvc-AdminAPI, go to IIS Manager > Sites > MgmtSvc-AdminAPI > Bindings, double-click the https binding, and verify that the MgmtSvc-AdminAPI certificate is selected in the SSL Certificates drop-down menu.

  5. Check that the following cmdlets from the Deployment Guide (page 16) were run (use the dedicated Azure Pack PowerShell console):

    # Connection string for the WAP database; define it before running the cmdlets
    PS> $cnctString='Data Source=192.168.3.35;User ID=sa;Password=123qweASD'
    
    PS> Set-MgmtSvcRelyingPartySettings -Target @('Admin', 'Tenant') -MetadataEndpoint https://WAP-APS:4486/wap/metadata.xml -ConnectionString $cnctString -DisableCertificateValidation
    
    PS> Set-MgmtSvcIdentityProviderSettings -Target Membership -MetadataEndpoint https://WAP-APS:4486/wap/metadata.xml -ConnectionString $cnctString -DisableCertificateValidation
    

Also note that the SQL Server's native IP address can differ from the DSN database IP. Log in to the WAP database SQL server and check in SQL Server Configuration Manager -> SQL Server Network Configuration -> Protocols for MSSQLSERVER -> TCP/IP -> IP Addresses (tab) that 192.168.1.1 is active.

This IP address should be used in the $cnctString variable.
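
The fingerprint comparison from steps 1-3 can be scripted on the MN. The following is an added example, not part of the original article or of the product's tooling: it parses `keytool -list` output and compares an entry with a thumbprint copied from Windows, whatever notation it was copied in. The function names and the sample keystore listing are constructed for illustration.

```sh
#!/bin/sh
# Constructed sample of `keytool -list` output; the fingerprints are made up.
SAMPLE_KEYTOOL_OUTPUT='Keystore type: JKS
Keystore provider: SUN

Your keystore contains 3 entries

wap, Mar 3, 2015, PrivateKeyEntry,
Certificate fingerprint (SHA1): 0A:1B:2C:3D:4E:5F:60:71:82:93:A4:B5:C6:D7:E8:F9:0A:1B:2C:3D
mgmtsvc-adminapi, Mar 3, 2015, trustedCertEntry,
Certificate fingerprint (SHA1): 11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33:44
mgmtsvc-usage, Mar 3, 2015, trustedCertEntry,
Certificate fingerprint (SHA1): FF:EE:DD:CC:BB:AA:99:88:77:66:55:44:33:22:11:00:FF:EE:DD:CC'

# Reduce any thumbprint notation ("AA:BB", "aa bb", "aabb") to 40 upper-case
# hex digits. Stripping non-hex bytes also drops the invisible U+200E mark
# that often comes along when a thumbprint is copied from the Details tab.
normalize_fp() {
    nf_hex=$(printf '%s' "$1" | tr -cd '0-9A-Fa-f' | tr 'a-f' 'A-F')
    [ "${#nf_hex}" -eq 40 ] || return 1    # not a SHA1 value
    printf '%s\n' "$nf_hex"
}

# Read `keytool -list` output on stdin, print "alias fingerprint" per entry.
keystore_fingerprints() {
    awk '
        /Entry,[ \t]*$/ { split($0, f, ","); alias = f[1]; next }
        /^Certificate fingerprint \(SHA1\)/ { print alias, $NF }
    '
}

# check_thumbprint ALIAS WINDOWS_THUMBPRINT   (keytool output on stdin)
# Exit status: 0 match, 1 mismatch, 2 alias not found or value malformed.
# Aliases compare case-insensitively (keystore: mgmtsvc-adminapi, IIS: MgmtSvc-AdminAPI).
check_thumbprint() {
    ct_want=$(normalize_fp "$2") || return 2
    ct_have=$(keystore_fingerprints |
        awk -v a="$1" 'tolower($1) == tolower(a) { print $2 }')
    ct_have=$(normalize_fp "$ct_have") || return 2
    [ "$ct_have" = "$ct_want" ]
}

# On the MN (the thumbprint value is a placeholder):
#   /usr/java/default/bin/keytool -list -keystore /usr/local/share/WAP/WAPKeyStore |
#       check_thumbprint mgmtsvc-adminapi '<Certificate hash from IIS>'
```

A status of 1 means the certificate needs to be re-exported as described in step 3; a status of 2 means the alias is missing from the keystore or the pasted value is not a SHA1 thumbprint.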
