In the vSphere Client, the message "The new host TPM endorsement key doesn't match the one stored in the DB" appears.
Article ID: 316512

Products: VMware vCenter Server, VMware vCenter Server 7.0, VMware vCenter Server 8.0

Issue/Introduction

Symptoms:
After replacing a system board that carries a TPM, the following message may appear in the vSphere Client:

The new host TPM endorsement key doesn't match the one stored in the DB

Environment

VMware vCenter Server 8.0.x
VMware vCenter Server 7.0.x

Cause

The message appears because the endorsement key generated by the new TPM does not match the key value stored for the host in the vCenter Server database (VCDB), table VPX_HOST.

Resolution

To clear the message, blank the key values (endorsement_key, attestation_identity_key) for the host in the VPX_HOST table, then disconnect and reconnect the host.

  1. Take a snapshot of the vCSA.
  2. Place the affected host into Maintenance Mode.
  3. SSH to the vCSA via root.
  4. Stop the vpxd service:
    service-control --stop vmware-vpxd
  5. Connect to the VCDB:
    • /opt/vmware/vpostgres/current/bin/psql -d VCDB -U postgres
  6. Back up the VPX_HOST table (this is a shell command, not a psql command):
    • /opt/vmware/vpostgres/current/bin/pg_dump -U postgres -t VPX_HOST VCDB > /tmp/VPX_HOST.sql
  7. Identify the ID of the affected host using either of the two options below:
    1. List all hosts with their keys:
      select ID,DNS_NAME,endorsement_key,attestation_identity_key from VPX_HOST;
      Note: This lists the endorsement_key and attestation_identity_key of every host connected to the vCenter Server.
    2. Query a specific host:
      select id,dns_name,endorsement_key,attestation_identity_key FROM vpx_host WHERE dns_name = 'FQDN_of_issued_host.domain';

      Replace FQDN_of_issued_host.domain with the FQDN of the affected host.

      Note: You can also identify or verify the host ID from the browser:

        • Log in to the vCenter Server, select the affected host, and read the host ID from the browser URL.
          Note: In a URL fragment such as "HostSystem:host-6074320:", the host ID is the numeric value before the colon (6074320).

  8. Clear the key value information using the following command:
    • update VPX_HOST set endorsement_key='', attestation_identity_key='' where id = <Host ID in step 7>;

      • Note: psql reports the number of rows changed; the output should look like:
        UPDATE 1
  9. Confirm the key value for the affected host has been cleared:
    • select ID,DNS_NAME,endorsement_key,attestation_identity_key from VPX_HOST;
  10. Start the VPXD service:
    • service-control --start vmware-vpxd
  11. Disconnect and reconnect the affected host within the vSphere Client.
  12. Ensure the new key value information is stored in the column of the affected host.
    • select ID,DNS_NAME,endorsement_key,attestation_identity_key from VPX_HOST;
  13. Exit the host from Maintenance Mode.
  14. After verifying the issue is resolved, consolidate (delete) the snapshot on the VCSA VM.

 


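The following script is an added example, not VMware's own tooling: it wraps steps 4 to 10 of the resolution above (stop vpxd, back up VPX_HOST, look up the host ID by FQDN, blank the two key columns, verify, restart vpxd). The psql and pg_dump paths, the database name and the column names are taken from the article; the environment variables PSQL, PG_DUMP and SERVICE_CONTROL, the function names, and the sample FQDN esx01.example.test are assumptions of this example. The overrides exist so the script can be rehearsed against a stub instead of a live vCenter Server.

```shell
#!/bin/sh
# Added example (not VMware's script): steps 4-10 of the KB resolution as one
# checked procedure. Paths and DB name come from the article; PSQL, PG_DUMP and
# SERVICE_CONTROL may be overridden (e.g. with a stub function) for a dry run.
set -eu

PSQL="${PSQL:-/opt/vmware/vpostgres/current/bin/psql}"
PG_DUMP="${PG_DUMP:-/opt/vmware/vpostgres/current/bin/pg_dump}"
SERVICE_CONTROL="${SERVICE_CONTROL:-service-control}"
DB=VCDB

# Run one SQL statement as postgres. -q -t -A prints bare rows only, so the
# output is easy to count; ON_ERROR_STOP turns SQL errors into a non-zero exit.
sql() {
  "$PSQL" -v ON_ERROR_STOP=1 -d "$DB" -U postgres -q -t -A -c "$1"
}

# Count non-empty lines (awk always exits 0, unlike grep -c on zero matches).
count_rows() {
  printf '%s\n' "$1" | awk 'NF { n++ } END { print n + 0 }'
}

# Resolve an FQDN to its numeric VPX_HOST.id. Fails unless exactly one row
# matches, so a typo in the FQDN cannot silently pick the wrong host.
host_id_for_fqdn() {
  fqdn=$1
  # A single quote would break out of the SQL literal; refuse rather than quote it.
  case $fqdn in *\'*) echo "refusing FQDN containing a quote: $fqdn" >&2; return 1 ;; esac
  ids=$(sql "SELECT id FROM vpx_host WHERE dns_name = '$fqdn';") || return 1
  n=$(count_rows "$ids")
  [ "$n" -eq 1 ] || { echo "expected 1 host named $fqdn, found $n" >&2; return 1; }
  printf '%s\n' "$ids"
}

# Build the UPDATE from step 8. Kept in one place so the WHERE clause can never
# be dropped; RETURNING id lets the caller confirm exactly one row changed.
clear_keys_sql() {
  case $1 in
    '' | *[!0-9]*) echo "host id must be numeric, got '$1'" >&2; return 1 ;;
  esac
  printf "UPDATE vpx_host SET endorsement_key = '', attestation_identity_key = '' WHERE id = %s RETURNING id;" "$1"
}

# Blank both key columns for one host and verify that exactly one row changed.
clear_keys() {
  stmt=$(clear_keys_sql "$1") || return 1
  out=$(sql "$stmt") || return 1
  n=$(count_rows "$out")
  [ "$n" -eq 1 ] || { echo "expected to update 1 row for id $1, updated $n" >&2; return 1; }
}

# Steps 7, 9 and 12: show the stored keys for one host.
show_host() {
  sql "SELECT id, dns_name, endorsement_key, attestation_identity_key FROM vpx_host WHERE id = $1;"
}

# Steps 4-10 end to end. Snapshot, Maintenance Mode and the disconnect/reconnect
# (steps 1-3 and 11-14) remain manual vSphere Client actions.
run_procedure() {
  fqdn=$1
  "$SERVICE_CONTROL" --stop vmware-vpxd
  # Whatever happens from here on, do not leave vCenter Server down.
  trap '"$SERVICE_CONTROL" --start vmware-vpxd' EXIT
  "$PG_DUMP" -U postgres -t vpx_host "$DB" > /tmp/VPX_HOST.sql
  id=$(host_id_for_fqdn "$fqdn")
  echo "before:"; show_host "$id"
  clear_keys "$id"
  echo "after:";  show_host "$id"
  echo "Keys cleared for $fqdn (id $id). Now disconnect and reconnect the host in the vSphere Client."
}

# Usage: sh clear_tpm_keys.sh esx01.example.test   (the FQDN is a constructed sample)
if [ "${1:-}" ]; then
  run_procedure "$1"
fi
```

Two points the manual steps leave implicit: pg_dump is run from the shell, not from the psql prompt, and the UPDATE in step 8 touches every host if the WHERE clause is forgotten, which is why the statement is generated by one function and the RETURNING count is checked afterwards. Note also that the mismatch message is vCenter's signal that a host's TPM identity changed; clearing the stored keys re-enrolls whatever endorsement key the host presents on reconnection, so confirm that the board replacement was the cause before running this.
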
Workaround:
Perform the following workaround if applicable and permitted (i.e., do not perform it if the affected host is part of a vSAN cluster, uses vVol storage, or is connected to a distributed switch (VDS)):

  1. Within the vCenter Server vSphere Client, place the affected host into Maintenance Mode.
  2. Remove the affected host from vCenter's inventory.
  3. Re-add the affected host.
  4. Exit the host from Maintenance Mode.