vSAN Data-In-Transit Encryption use of TCP port 12443

Article ID: 302599

Updated On:

Products

VMware vSAN

Issue/Introduction

For vSAN Data-in-Transit encryption to be enabled successfully, TCP port 12443 must be open on the vSAN network between all data nodes (and on the witness network to the witness host, where applicable).
This port is used to establish a secure connection between the nodes via an SSL handshake that uses the host certificate; each node's certificate is validated against the certificate thumbprint stored for that node in the unicastagent list.

Resolution

Whether this connection can be established between two nodes can be validated by running openssl in server mode on one node and connecting to it from another node:

On node1:
# openssl s_server -cert /etc/vmware/ssl/rui.crt -key /etc/vmware/ssl/rui.key -port 12443
On node2:
# openssl s_client -connect <vsan-ip-of-node1>:12443 -cert /etc/vmware/ssl/rui.crt -key /etc/vmware/ssl/rui.key

If the above works without issue but enabling vSAN Data-in-Transit encryption still fails, validate the stored unicastagent list data against each node's actual current certificate information, e.g.:

On node1 (check the cert thumbprint info for node2):
# esxcli vsan cluster unicastagent list
Get the FQDN of node2 from the node UUIDs:
# cmmds-tool find -t HOSTNAME
On node2, check the current cert thumbprint and confirm that it matches what is stored in the unicastagent list of the other nodes:
# openssl x509 -in /etc/vmware/ssl/rui.crt -noout -sha1 -fingerprint
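The thumbprint comparison in the last two steps, as an added example that is not part of this article: it computes the same SHA-1 fingerprint that the openssl command above prints, parses a unicastagent list by pattern, and reports nodes whose stored thumbprint differs from their current certificate. The column layout of the sample list, the node UUID and the certificate bytes are all constructed here, not taken from a real host.

```python
import base64
import hashlib
import re
import ssl

THUMB_RE = re.compile(r"(?:[0-9A-Fa-f]{2}:){19}[0-9A-Fa-f]{2}")
UUID_RE = re.compile(r"[0-9a-fA-F]{8}-(?:[0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}")

def cert_sha1_thumbprint(pem):
    """SHA-1 over the DER bytes, in the colon-separated upper-case form that
    'openssl x509 -noout -sha1 -fingerprint' prints after the '=' sign."""
    der = ssl.PEM_cert_to_DER_cert(pem)
    hexdigest = hashlib.sha1(der).hexdigest().upper()
    return ":".join(hexdigest[i:i + 2] for i in range(0, 40, 2))

def normalize_thumbprint(text):
    """Accept 'SHA1 Fingerprint=ab:cd:...' or a bare thumbprint; return upper-case form."""
    match = THUMB_RE.search(text)
    if not match:
        raise ValueError("no SHA-1 thumbprint found in %r" % text)
    return match.group(0).upper()

def parse_unicastagent_list(output):
    """Map node UUID -> stored cert thumbprint from 'esxcli vsan cluster unicastagent
    list' output. Rows are matched by pattern (first UUID on the row, i.e. NodeUuid,
    plus a colon-separated SHA-1), so the exact column widths do not matter."""
    stored = {}
    for line in output.splitlines():
        uuid, thumb = UUID_RE.search(line), THUMB_RE.search(line)
        if uuid and thumb:
            stored[uuid.group(0)] = thumb.group(0).upper()
    return stored

def thumbprint_mismatches(stored, actual):
    """Return {uuid: (stored, actual)} for every node whose stored thumbprint differs
    from its current certificate, or that is present on only one side."""
    return {u: (stored.get(u), actual.get(u))
            for u in set(stored) | set(actual) if stored.get(u) != actual.get(u)}

# Constructed stand-in for node2's /etc/vmware/ssl/rui.crt: arbitrary bytes, not a
# real certificate (PEM_cert_to_DER_cert only base64-decodes, so hashing is identical).
FAKE_DER = b"constructed placeholder, not a real DER certificate"
FAKE_RUI_CRT = ("-----BEGIN CERTIFICATE-----\n" + base64.b64encode(FAKE_DER).decode()
                + "\n-----END CERTIFICATE-----\n")
NODE2_UUID = "5f3c1a2b-0000-4000-8000-00000000bbbb"   # constructed
NODE2_THUMB = cert_sha1_thumbprint(FAKE_RUI_CRT)
# Constructed sample of node1's list: node2's stored thumbprint is stale (last byte off).
STALE_THUMB = NODE2_THUMB[:-2] + ("00" if NODE2_THUMB[-2:] != "00" else "11")
SAMPLE_LIST = ("NodeUuid  IsWitness  Supports Unicast  IP Address  Port   Cert Thumbprint\n"
               f"{NODE2_UUID}  0  true  10.0.0.2  12321  {STALE_THUMB}\n")
```

Running `thumbprint_mismatches(parse_unicastagent_list(SAMPLE_LIST), {NODE2_UUID: NODE2_THUMB})` on the constructed data reports node2 with its stale and current thumbprints, which is the condition the steps above tell you to look for.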