Symptoms:
Back up of Native Key Provider has failed.VMware vCenter Server
The URL for downloading the backup file is dependent on the hostname. Therefore, if the hostname of the vCenter is unset, the URL will not be valid, and the backup file cannot be downloaded.
To validate if PNID of vCenter is IP/usr/lib/vmware-vmafd/bin/vmafd-cli get-pnid --server-name localhost
This is a known issue, and currently, there is no resolution. However, the following workaround can be applied:
Export vSphere Native Key Provider Configuration
# dcli com vmware vcenter cryptomanager kms providers list
Run the following command to export the provider details from source vCenter:
# dcli com vmware vcenter cryptomanager kms providers export --provider <nkp_name>
Replace <nkp_name> with the actual Native Key Provider name.
When prompted for the Username and Password, enter the SSO Admin user credentials (default: administrator@vsphere.local).
When asked to save credentials in the credstore, choose No (n).
Command Output Example:
location: download_token: expiry: [YYYY-MM-DDTHH:MM:SS] token: <alphanumeric token ID> url: https://localhost/cryptomanager/kms/nkp_name Type: location
Replace localhost with your vCenter IP in the URL, and append the token from step 1 after Bearer.
# wget 'https://<VCIP>/cryptomanager/kms/nkp_name' --header 'Authorization: Bearer <token from step 1>'
If the client has a proxy, to bypass it, use the command:
# wget --no-proxy 'https://<VCIP>/cryptomanager/kms/nkp_name' --header 'Authorization: Bearer <token from step 1>'
The file will not have an extension. Rename it with a .p12 extension:
# mv 'nkp_name' 'nkp_name.p12'
Use WinSCP or FileZilla to copy the file out of vCenter and then to the destination vCenter.
Import vSphere Native Key Provider Configuration
# dcli com vmware vcenter cryptomanager kms providers importprovider -- config /tmp/nkp_name.p12