Symptoms

The NetWorker VMware Protection integration is configured with the vProxy Appliance. Installation of the vCenter server plug-in is required to enable backup and recovery from the vCenter side.When installing the plug-in, NetWorker reports the installation was successful, but vCenter reports a failure in deployment along with the following error in vsphere_client_virgo.log: [YYYY-MM-DDTHH:MM:SSZ] [ERROR] -async-task-executor-pool-91 com.vmware.vise.extensionfw.plugins.impl.PluginStatusServiceImpl DOWNLOAD_FAILED: Error downloading plugin package com.dell.emc.nw:19.4.0.95 from https://:9090/vcui/plugin.json. Reason: Download error. Make sure that the URL is reachable and the thumbprint is correct. com.vmware.vise.plugin.download.PluginDownloadException: javax.net.ssl.SSLHandshakeException: Server certificate chain is not trusted and thumbprint doesn't match [YYYY-MM-DDTHH:MM:SSZ] [ERROR] -async-task-executor-pool-91 com.vmware.vise.vim.extension.VcExtensionManager Downloading plugin package: 'com.dell.emc.nw:19.4.0.95' registered in vCenter: '' has failed. java.util.concurrent.CompletionException: com.vmware.vise.plugin.download.PluginDownloadException: javax.net.ssl.SSLHandshakeException: Server certificate chain is not trusted and thumbprint doesn't match The issue was observed for multiple environments where the NetWorker certificates were replaced post-installation with CA-certificates.

Cause

The NetWorker Server is configured with a certificate authority (CA) signed certificate. The vCenter server is using the default self-signed certificate. This results in a trust issue between the vCenter and NetWorker server where the certificate thumbprint recognized by vCenter does not match the NetWorker certificate in chain.

Resolution

As a workaround, the Dell EMC NetWorker plug-in may be deployed using the vSphere Client SDK CLI in the vSphere environment or using manual extension registration in vCenter MOB while modifying the serverThumbprint record for plug-in server (NetWorker).Before applying either of the workarounds below, make sure there are no plug-in extensions from previous installation attempts and uninstall them if found, following the steps below: On the vCenter server appliance, stop the vSphere services using the command: service-control --stop vsphere-uiLog in to the vCenter server’s MOB through browser: >/mob/?moid=ExtensionManager" target="_blank">https:///mob/?moid=ExtensionManagerUnregister the following extensions: com.dell.emc.nwcom.emc.networker.backupcom.emc.networker.recover On the vCenter server appliance: Navigate to the following path: /etc/vmware/vsphere-ui/vc-packages/vsphere-client-serenity/Remove any com.dell.emc.nw-xx.x.x.xx directories if found: rm -drv Restart the vSphere services: service-control --start vsphere-ui Delete the browser history and relaunch the browser. Log in to vCenter and confirm that the plug-in is not listed in the UI. Workaround A - Plugin registration using vSphere Client SDK:1. Download the vSphere client SDK corresponding to the vCenter server version from the VMware website. You can keep the SDK in any Linux/Windows host which has the connectivity to NW and vCenter server. VMware vSphere Client SDK 6.7: https://customerconnect.vmware.com/downloads/get-download?downloadGroup=CLIENTSDK670 VMware vSphere Client SDK 7.0: https://customerconnect.vmware.com/downloads/get-download?downloadGroup=CLIENTSDK700 2. Extract the SDK package and go to path: html-client-sdk/vCenter plug-in registration/prebuilt/ This path contains extension-registration.sh and extension-registration.bat that can be run remotely on the host where the SDK is downloaded depending on the operating system. 3. Run the following command on vCenter server appliance/Linux NW server and take a note of the generated NetWorker server certificate thumbprint: keytool -printcert -sslserver NetWorker Server IP/FQDN>:9090 -rfc | openssl x509 -fingerprint -noout 4. Run the following command on the vCenter server appliance/Linux NW server and take a note of the generated vCenter server certificate thumbprint: keytool -printcert -sslserver vCenter Server IP/FQDN>:443 -rfc | openssl x509 -fingerprint -noout 5. Run the script as follows: On Windows: extension-registration.bat -action registerPlugin -remote -url https://vCenter server name or IP>/sdk -username administrator@vsphere.local -password vCenter password> -key com.dell.emc.nw -version 19.4.0.95 -pluginUrl https://NW server name/IP>:9090/vcui/plugin.json -serverThumbprint NetWorker thumbprint from step 3> -vct vCenter thumbprint from step 4> -c "Dell EMC" -n "NW Data Protection" -s "VCUI - vSphere Data Protection NetWorker" On Linux: Make the extension-registration.sh executable by running the command: chmod +x extension-registration.sh Run the script: ./extension-registration.sh -action registerPlugin -remote -url https://vCenter server name or IP>/sdk -username administrator@vsphere.local -password vCenter password> -key com.dell.emc.nw -version 19.4.0.95 -pluginUrl https://NW server name/IP>:9090/vcui/plugin.json -serverThumbprint NW Thumbprint from step 3> -vct vCenter Thumbprint from step 4> -c 'Dell EMC' -n 'NW Data Protection' -s 'VCUI - vSphere Data Protection NetWorker' 6. Logout and log in to vCenter in case of 6.7 to see the new plug-in. In the case of 7.0, refresh the vCenter browser to see the plug-in.7. Go to Plugin and enter NetWorker NMC credentials and login to perform backup and restore using the VCUI plug-in. Once you initiate backups/restores the com.emc.networker.backup and com.emc.networker.recover extensions should be populated in vCenter MOB.Workaround B - Manual extension registration from MOB: Obtain the NetWorker certificate thumbprint using the following command on VCSA: keytool -printcert -sslserver :9090 -rfc | openssl x509 -fingerprint -noout Login to the MOB extension manager: >/mob/?moid=ExtensionManager" target="_blank">https:///mob/?moid=ExtensionManagerSelect Register Extension.Use the attached com.dell.emc.nw extension configuration file as the extension value. Note: You must modify the following parameters/tag values in com.dell.emc.nw extension value to reflect your environment configuration: version -- your current NW version and build number, for example: If using NetWorker 19.3.0.2.Build.89, the version should be 19.3.0.89url -- https://:9090/vcui/plugin.jsonserverThumbprint -- from step 1lastHeartbeatTime -- current date/time in the format YYYY-MM-DDTHH:MM:SSZ Check the status of deployment on the vCenter server’s "Client Plug-in" tab and recent tasks. In the case of vCenter 6.7, you may need to log out and login to see the plug-in.

Support Cases