vCAC 6.1 secondary DEM Orchestrator and Worker installation error (Error 3: -2147287038)

Just thought I’d share a peculiar error I’ve been getting while trying to deploy a second DEM Orchestrator / Worker component as part of a redundant vCAC server deployment.

I have a single IAAS server that was installed with the Model Manager service, the default DEM Orchestrator (active) and a DEM Worker, all on one server. I wanted to deploy a second instance of the DEM Orchestrator (passive) and an additional DEM Worker on a separate IAAS server VM, as per VMware best practice (which is for more than one DEM Orchestrator to be deployed along with additional DEM Workers). To achieve this, I was attempting a custom install of the IAAS setup where only the Distributed Execution Manager components were selected, but the installation kept failing with the following error message every time, despite all the prerequisites being in place (even the verification passed successfully, as shown below).


Error message below


I haven’t been able to find any KB articles from VMware with regards to this issue or how to fix it. After a boring read through the install log, you can see the following lines with error codes (amongst other things – see the bold text):

  • MSI (s) (10:70) [02:01:17:654]: Note: 1: 2262 2: Error 3: -2147287038
  • Error executing: C:\Program Files (x86)\VMware\vCAC\Distributed Execution Manager\DEM2\RepoUtil.exe Model-Config-Import -c "C:\Program Files (x86)\VMware\vCAC\Distributed Execution Manager\DEM2\DEMSecurityConfig.xml" -v
    Error importing security config file DEMSecurityConfig.xml. Exception: System.Data.Services.Client.DataServiceTransportException: The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel. ---> System.Net.WebException: The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel. ---> System.Security.Authentication.AuthenticationException: The remote certificate is invalid according to the validation procedure.  ——————————–
  • DynamicOps.Tools.Repoutil.Commands.ModelConfigImportCommand.Execute(CommandLineParser parser)Warning: Non-zero return code. Command failed.
    CustomAction RunRepoUtilCommandCA returned actual error code 1602 (note this may not be 100% accurate if translation happened inside sandbox)
    Action ended 02:01:48: InstallFinalize. Return value 2.

It turned out that this happens primarily because my primary IAAS server’s default SSL certificate (self-signed) is not trusted by the new server where I’m trying to install the additional DEM components.

So the solution is to manually import the certificate from the primary IAAS server and add it to the certificate store of the new server before attempting the install of the secondary DEM components.

You can grab the certificate from the primary IAAS server using the URL https://<FQDN of the primary IAAS server>/repository/Data/MetaModel.svc/

Make sure you import the certificate into the Local Computer’s certificate store and that you can see it under Trusted Root Certification Authorities.

Note to VMware: Perhaps you need to add an SSL certificate validation check to the Test option, so that this is checked properly within the initial screen?

See the screenshots below for guidance.






Once the SSL cert is added to the second server, the additional DEM components get installed successfully.
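The same fix can be scripted. The PowerShell below is an added example, not part of the original post or of VMware's installer: it fetches the certificate the primary IAAS server presents, refuses to trust it unless its thumbprint matches one you read on the primary server itself, imports it into the Local Computer's Trusted Root store, and then repeats the TLS handshake with normal validation. The parameter names and port 443 are assumptions; run it elevated on the new server.

```powershell
# Added example (not from the original post). Run elevated on the secondary server.
param(
    [Parameter(Mandatory=$true)] [string] $PrimaryIaasFqdn,     # FQDN of the primary IAAS server
    [Parameter(Mandatory=$true)] [string] $ExpectedThumbprint,  # read from the certificate on the primary server itself
    [int] $Port = 443                                           # assumption: HTTPS on the default port
)

# 1. Fetch the certificate the server presents. Validation is bypassed for this
#    one handshake only, because the certificate is not trusted yet.
$tcp = New-Object System.Net.Sockets.TcpClient($PrimaryIaasFqdn, $Port)
try {
    $acceptAny = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptAny)
    $ssl.AuthenticateAsClient($PrimaryIaasFqdn)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
} finally { $tcp.Close() }

# 2. Compare against the thumbprint obtained out of band, so that a certificate
#    injected on the network path never ends up as a trusted root.
$expected = ($ExpectedThumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
if ($cert.Thumbprint -ne $expected) {
    throw "Thumbprint mismatch: server presented $($cert.Thumbprint), expected $expected"
}
if ($cert.Subject -ne $cert.Issuer) {
    Write-Warning "Certificate is not self-signed; trusting its issuing CA is usually the better fix."
}

# 3. Add it to Local Computer > Trusted Root Certification Authorities.
$store = New-Object System.Security.Cryptography.X509Certificates.X509Store('Root', 'LocalMachine')
$store.Open('ReadWrite')
try { $store.Add($cert) } finally { $store.Close() }

# 4. Handshake again with default validation. This throws an AuthenticationException
#    if the chain is still untrusted or the certificate name does not match the FQDN.
$tcp = New-Object System.Net.Sockets.TcpClient($PrimaryIaasFqdn, $Port)
try {
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream())
    $ssl.AuthenticateAsClient($PrimaryIaasFqdn)
    "Trusted: $($cert.Subject) [$($cert.Thumbprint)]"
} finally { $tcp.Close() }
```

If step 4 fails after a successful import, check that the FQDN you passed matches the name in the certificate; the DEM installer's RepoUtil call fails on a name mismatch in the same way as on an untrusted issuer.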




Technologist, lucky enough to be working for a very technical company. Views are my own and not those of my employer..!

