Symptoms
During installation of WAP, various errors are thrown on the Cloud Infrastructure > Windows Azure Pack > Settings page when saving WAP settings, syncing plans on the Plans pages, or opening the Admin Portal.
Examples of errors:
Opening Admin Portal:
P400002: Invalid request
Submitting settings:
[AZURE] Failed to communicate with WAP Admin API
Syncing plans:
[AZURE] javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: Certificate not trusted
Cause
These errors are caused by misconfigured certificates.
Resolution
Please check the following:
1. On the OA MN, run the command:
# /usr/java/default/bin/keytool -list -destkeystore /usr/local/share/WAP/WAPKeyStore
You will see the list of certificates: wap, mgmtsvc-adminapi, mgmtsvc-usage. Pay attention to their SHA1 fields.
2. On the WAP node, open IIS Manager > Server Certificates and compare the 'Certificate hash' values with the SHA1 values obtained in step 1 (for the MgmtSvc-AdminAPI and MgmtSvc-Usage certificates).
3. To verify the WAP certificate, open the Certificates snap-in as described in the WAP guide (page 15, steps 13-17), navigate to Certificates > Trusted Root Certification Authorities, find the WAP certificate, double-click it, switch to the Details tab and compare the SHA1 value with the Thumbprint value.
If the thumbprints do not match, export the certificate again: from IIS to the MN (for MgmtSvc-AdminAPI/MgmtSvc-Usage) or from the MN to the WAP node (for the wap certificate).
4. Check that the MgmtSvc-AdminAPI and MgmtSvc-Usage certificates are bound to their respective sites in IIS Manager. To do this (using MgmtSvc-AdminAPI as the example), go to IIS Manager > Sites > MgmtSvc-AdminAPI > Bindings, double-click the https binding and verify that the MgmtSvc-AdminAPI certificate is selected in the SSL Certificates drop-down menu.
5. Check that the following cmdlets from the Deployment Guide (page 16) were run (use the special Azure Pack PowerShell console):
PS> $cnctString='Data Source=192.168.3.35;User ID=sa;Password=123qweASD'
PS> Set-MgmtSvcRelyingPartySettings -Target @('Admin', 'Tenant') -MetadataEndpoint https://WAP-APS:4486/wap/metadata.xml -ConnectionString $cnctString -DisableCertificateValidation
PS> Set-MgmtSvcIdentityProviderSettings -Target Membership -MetadataEndpoint https://WAP-APS:4486/wap/metadata.xml -ConnectionString $cnctString -DisableCertificateValidation
Also note that the SQL server's native IP address can differ from the DSN database IP. Log into the SQL server that hosts the WAP database and check which address is active: SQL Server Configuration Manager -> SQL Server Network Configuration -> Protocols for MSSQLSERVER -> TCP/IP -> IP Addresses (tab) (in this example, 192.168.1.1 is active).
This IP address should be used in the $cnctString variable.
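The thumbprint comparison described above is easy to get wrong by eye, because keytool and the Windows dialogs print the same SHA1 value in different formats. The following script is an added example, not part of the original article or of the product: the function names and all fingerprint values are constructed for illustration, and it assumes the keytool listing contains `Certificate fingerprint (SHA1):` lines.

```shell
#!/bin/sh
# Reduce a fingerprint to bare lowercase hex. keytool prints "AB:CD:..", IIS
# shows "ABCD..", the Details tab "ab cd .." (a copy from it may also carry an
# invisible leading character); all of these collapse to the same string.
normalize_fp() {
    printf '%s' "$1" | tr 'A-F' 'a-f' | tr -cd '0-9a-f'
}

# Read `keytool -list` output on stdin, print "alias fingerprint" per entry.
keystore_fps() {
    awk -F', ' '
        /fingerprint \(SHA1\):/ { sub(/^.*\): */, ""); print alias, $0; next }
        NF >= 3                 { alias = $1 }
    '
}

# check_fp ALIAS THUMBPRINT < keytool-output
# Returns 0 on match, 1 on mismatch, 2 if THUMBPRINT is not 40 hex digits or
# ALIAS is absent from the listing. Aliases are compared case-insensitively.
check_fp() {
    want=$(normalize_fp "$2")
    [ "${#want}" -eq 40 ] || return 2
    name=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    have=$(keystore_fps | awk -v a="$name" 'tolower($1) == a { print $2; exit }')
    [ -n "$have" ] || return 2
    [ "$(normalize_fp "$have")" = "$want" ]
}

# Constructed sample of `keytool -list` output; the fingerprints are made up.
SAMPLE='Keystore type: JKS

Your keystore contains 2 entries

wap, Mar 3, 2015, PrivateKeyEntry,
Certificate fingerprint (SHA1): 11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33:44
mgmtsvc-adminapi, Mar 3, 2015, trustedCertEntry,
Certificate fingerprint (SHA1): A1:B2:C3:D4:E5:F6:07:18:29:3A:4B:5C:6D:7E:8F:90:A1:B2:C3:D4'

# Constructed thumbprints as read on the WAP node; the wap one does not match.
for pair in 'MgmtSvc-AdminAPI=a1 b2 c3 d4 e5 f6 07 18 29 3a 4b 5c 6d 7e 8f 90 a1 b2 c3 d4' \
            'wap=FFEEDDCCBBAA99887766554433221100FFEEDDCC'; do
    if printf '%s\n' "$SAMPLE" | check_fp "${pair%%=*}" "${pair#*=}"
    then echo "${pair%%=*}: thumbprints match"
    else echo "${pair%%=*}: MISMATCH, re-export the certificate"
    fi
done
```

On the MN, pipe the output of the keytool command from step 1 into `check_fp` instead of the sample text.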