Alert "The new host TPM endorsement key doesn't match the one stored in the DB" appears on the host summary in vSphere client

Article ID: 316512

Products

VMware vCenter Server

Issue/Introduction

After the system board (and with it the TPM) of an ESXi host has been replaced, the following message may appear on the host summary page in the vSphere Client:
The new host TPM endorsement key doesn't match the one stored in the DB

Environment

7.0.x, 7.0U3p, 8.0.x

Cause

vCenter Server stores the endorsement key (endorsement_key) and attestation identity key (attestation_identity_key) of each host's TPM in the VPX_HOST table of the VCDB database. The endorsement key is unique to the TPM chip, so a replaced system board brings a new TPM with a new endorsement key, and the key the host now presents no longer matches the value stored in VPX_HOST.

Because the stored key is how vCenter recognises the host's TPM, clear it only when the hardware change is known and expected. If the alert appears on a host whose system board was not replaced, investigate the cause before applying the steps below.

Resolution

Workaround

If applicable and permitted (i.e. do not use this workaround if the affected host is part of a vSAN cluster, uses vVols storage, or is connected to a vSphere Distributed Switch (VDS)):

  1. Within the vCenter Server vSphere Client, place the affected host into Maintenance Mode.
  2. Remove the affected host from vCenter's inventory.
  3. Re-add the affected host.
  4. Exit the host from Maintenance Mode.

If the "Remove from Inventory" option is greyed out, refer to the KB article "Remove from Inventory" option grayed out for ESXi host.

Resolution

To clear the message, blank the key values (endorsement_key, attestation_identity_key) for the affected host in the VPX_HOST table, then disconnect and reconnect the host so that vCenter stores the keys presented by the new TPM.

  1. Take a powered-off snapshot of the vCSA.

Note: A powered-off snapshot is recommended, particularly for Enhanced Linked Mode deployments: power off the vCenter Server Appliance, take the snapshot with the vSphere Client while it is powered off, then power the appliance back on before continuing.

  2. Place the affected host into Maintenance Mode.

  3. SSH to the vCSA as root.

  4. Stop the vpxd service:

service-control --stop vmware-vpxd

Note: This command requires the bash shell prompt; see Enable and Access the Bash Shell from the Appliance Shell.

  5. Back up the VPX_HOST table:

/opt/vmware/vpostgres/current/bin/pg_dump -U postgres -t VPX_HOST VCDB > /var/core/VPX_HOST.sql

  6. Identify the ID of the affected host using either of the two options below:

    a. List the stored endorsement_key and attestation_identity_key values for every host connected to this vCenter:
      /opt/vmware/vpostgres/current/bin/psql -U postgres -d VCDB -h localhost -c "select ID,DNS_NAME,endorsement_key,attestation_identity_key from VPX_HOST;"

    b. Query a specific host by its FQDN (replace FQDN_of_issued_host.domain with the affected host's FQDN):
      /opt/vmware/vpostgres/current/bin/psql -U postgres -d VCDB -h localhost -c "select id,dns_name,endorsement_key,attestation_identity_key from VPX_HOST WHERE dns_name = 'FQDN_of_issued_host.domain';"

Note: The host ID can also be identified or verified from the web browser:

          • Log in to the vCenter Server, select the affected host, and read its host ID from the browser URL, e.g. "HostSystem:host-6074320:".

            Note: Use only the numeric value after "host-" (6074320 in this example); it is the value of the id column in VPX_HOST.

  7. Clear the key values, substituting the host ID found in step 6:

/opt/vmware/vpostgres/current/bin/psql -U postgres -d VCDB -h localhost -c "update VPX_HOST set endorsement_key='', attestation_identity_key='' where id = <Host ID in step 6>;"

Note: The output should be exactly:
UPDATE 1

If any other row count is reported, the WHERE clause did not match the single intended host; restore the table from the backup taken in step 5 before continuing.

  8. Confirm the key values for the affected host have been cleared:

/opt/vmware/vpostgres/current/bin/psql -U postgres -d VCDB -h localhost -c "select ID,DNS_NAME,endorsement_key,attestation_identity_key from VPX_HOST where id = <Host ID in step 6>;"

  9. Start the vpxd service:

service-control --start vmware-vpxd

  10. Disconnect and reconnect the affected host within the vSphere Client.

  11. Confirm that vCenter has stored the new TPM's key values in the affected host's row:

/opt/vmware/vpostgres/current/bin/psql -U postgres -d VCDB -h localhost -c "select ID,DNS_NAME,endorsement_key,attestation_identity_key from VPX_HOST where id = <Host ID in step 6>;"

  12. Exit the host from Maintenance Mode.

  13. After verifying the issue is resolved, delete the snapshot taken in step 1 (the vCSA's disks are consolidated when it is removed).
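Steps 4 to 9 above are a sequence of database edits whose main risk is an UPDATE that hits the wrong row or more than one row. The script below is an added example, not part of the KB article and not VMware-supplied code: it runs those steps from the vCSA bash shell with the checks an operator would otherwise make by eye (the host ID must be numeric, the FQDN must resolve to exactly one VPX_HOST row, the UPDATE must report exactly one changed row, and vpxd is restarted even if a check fails). The PSQL, PG_DUMP, SERVICE_CONTROL and BACKUP variables, the -t -A psql flags (bare values instead of the table shown in the article) and the host name esx01.example.com in the usage line are assumptions introduced here; the paths, table and column names are the article's own.

```shell
#!/bin/bash
# Added example, not part of the KB article: Resolution steps 4 to 9 wrapped in
# a script with the checks a careful operator would make by hand.
# Assumed (the article does not specify them): the PSQL/PG_DUMP/SERVICE_CONTROL/
# BACKUP variables, which default to the article's paths and exist so the logic
# can be exercised against stubs, and the -t -A psql flags (bare values).
set -eu

PSQL="${PSQL:-/opt/vmware/vpostgres/current/bin/psql}"
PG_DUMP="${PG_DUMP:-/opt/vmware/vpostgres/current/bin/pg_dump}"
SERVICE_CONTROL="${SERVICE_CONTROL:-service-control}"
BACKUP="${BACKUP:-/var/core/VPX_HOST.sql}"

# Run one statement against VCDB and print bare tuples (no header/footer).
vcdb_query() {
    "$PSQL" -U postgres -d VCDB -h localhost -t -A -c "$1"
}

# Only a plain decimal host ID may be spliced into the SQL text.
validate_host_id() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Resolve an FQDN to its VPX_HOST.id; fail unless exactly one row matches.
host_id_for_fqdn() {
    fqdn="$1"
    case "$fqdn" in
        ''|*[!A-Za-z0-9.-]*) echo "refusing FQDN with unexpected characters: $fqdn" >&2; return 1 ;;
    esac
    ids=$(vcdb_query "select id from VPX_HOST where dns_name = '$fqdn';")
    count=$(printf '%s\n' "$ids" | grep -c . || true)
    if [ "$count" -ne 1 ]; then
        echo "expected exactly one VPX_HOST row for $fqdn, found $count" >&2
        return 1
    fi
    printf '%s\n' "$ids"
}

# psql reports the rows changed; anything but "UPDATE 1" means the WHERE
# clause did not isolate a single host.
update_touched_one_row() {
    [ "$1" = "UPDATE 1" ]
}

# Step 7 with two guards: the id is numeric and addresses exactly one row
# before the UPDATE runs, and the UPDATE changed exactly one row afterwards.
clear_tpm_keys() {
    id="$1"
    validate_host_id "$id" || { echo "host ID must be numeric: $id" >&2; return 1; }
    n=$(vcdb_query "select count(*) from VPX_HOST where id = $id;")
    if [ "$n" != "1" ]; then
        echo "host id $id matches $n rows, not 1; nothing changed" >&2
        return 1
    fi
    status=$(vcdb_query "update VPX_HOST set endorsement_key='', attestation_identity_key='' where id = $id;")
    update_touched_one_row "$status" || {
        echo "unexpected result '$status'; restore VPX_HOST from $BACKUP" >&2
        return 1
    }
}

# Steps 4 to 9 in order. vpxd is started again whether or not the UPDATE ran,
# so a failed run never leaves vCenter down.
reset_host_tpm_keys() {
    fqdn="$1"
    "$SERVICE_CONTROL" --stop vmware-vpxd
    "$PG_DUMP" -U postgres -t VPX_HOST VCDB > "$BACKUP"
    rc=0
    id=$(host_id_for_fqdn "$fqdn") && clear_tpm_keys "$id" || rc=$?
    # Step 8: show the cleared row for the operator to check.
    [ "$rc" -eq 0 ] && vcdb_query "select id,dns_name,endorsement_key,attestation_identity_key from VPX_HOST where id = $id;"
    "$SERVICE_CONTROL" --start vmware-vpxd
    return "$rc"
}

# Usage: reset_tpm_keys.sh esx01.example.com   (then do steps 10 to 13 by hand)
if [ -n "${1:-}" ]; then
    reset_host_tpm_keys "$1"
fi
```

The script covers only the database side; the snapshot (step 1), Maintenance Mode (steps 2 and 12), the disconnect/reconnect (step 10) and the final verification (step 11) are still done in the vSphere Client. If it aborts, vpxd has already been started again and the untouched table is in the backup file, so the state is the same as before step 4.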