Alert : The new host TPM endorsement key doesn't match the one stored in the DB
search cancel

Alert : The new host TPM endorsement key doesn't match the one stored in the DB

book

Article ID: 316512

calendar_today

Updated On:

Products

VMware vCenter Server

Issue/Introduction

After changing the system board with TPM, the following message may appear within the vSphere Client or host summary page

The new host TPM endorsement key doesn't match the one stored in the DB

Environment

  • vCenter Server 7.0
  • vCenter Server 8.0
  • vCenter Server 9.0

Cause

The message appears due to a mismatch between the generated key value from the new TPM and the key value information stored in the vCenter Server's VCDB VPX_HOST table.

Resolution

Workaround

If applicable and permitted (ie: do not perform the below workaround if the affected host is a part of a vSAN cluster, has VVOL storage, or has distributed switches (VDS)):

  1. Within the vCenter Server vSphere Client, place the affected host into Maintenance Mode.
  2. Remove the affected host from vCenter's inventory.
  3. Re-add the affected host.
  4. Exit the host from Maintenance Mode.

If the "Remove from Inventory" option is greyed out, refer the KB "Remove from Inventory" option grayed out for ESXi host

Resolution

To clear the message, blank the key value (endorsement_key, attestation_identity_key) in the VPX_HOST table, followed by a disconnect/reconnect of the affected host.

 

  1. Take an power-off snapshot (vCSA in power-off state) of the vCSA.

    Note : To take power-off snapshot of vCenter Server which is recommended Enhanced Link Mode Deployments, you need to power-off the vCenter Server Appliance and then take a snapshot while it's in power-off state using vSphere Client.

  2. Place the affected host into Maintenance Mode
  3. SSH to the vCSA via root
  4. Stop the vpxd service 
    service-control --stop vmware-vpxd

    Note: This command requires the bash shell prompt - Enable and Access the Bash Shell from the Appliance Shell
  5. Back up the VPX_HOST table 
    /opt/vmware/vpostgres/current/bin/pg_dump -U postgres -t VPX_HOST VCDB > /var/core/VPX_HOST.sql
  6. Identify the ID of the affected host from any of the 2 Options below:
    1. Run: 
      /opt/vmware/vpostgres/current/bin/psql -U postgres -d VCDB -h localhost -c "select ID,DNS_NAME,endorsement_key,attestation_identity_key from VPX_HOST;"

      Note: The above command will list all the hosts "endorsement_key, attestation_identity_key" connected to the vCenter
    2. To get a specific host ID details, run the below command 
      /opt/vmware/vpostgres/current/bin/psql -U postgres -d VCDB -h localhost -c "select id,dns_name,endorsement_key,attestation_identity_key from VPX_HOST WHERE dns_name = 'FQDN_of_issued_host.domain';"
      Replace the FQDN_of_issued_host.domain with the issue Host's FQDN in above command.


  7. Clear the key value information 
    /opt/vmware/vpostgres/current/bin/psql -U postgres -d VCDB -h localhost -c "update VPX_HOST set endorsement_key='', attestation_identity_key='' where id = <Host ID in step 6>;"
  8. Confirm the key value for the affected host has been cleared 
    /opt/vmware/vpostgres/current/bin/psql -U postgres -d VCDB -h localhost -c "select ID,DNS_NAME,endorsement_key,attestation_identity_key from VPX_HOST where id = <Host ID in step 6>;"
  9. Start the VPXD service 
    service-control --start vmware-vpxd
  10. Disconnect and reconnect the affected host within the vSphere Client.
  11. Ensure the new key value information is stored in the column of the affected host. 
    /opt/vmware/vpostgres/current/bin/psql -U postgres -d VCDB -h localhost -c "select ID,DNS_NAME,endorsement_key,attestation_identity_key from VPX_HOST where id = <Host ID in step 6>;"
  12. Exit the host from Maintenance Mode.  
  13. After verifying the issue is resolved, consolidate the snapshot on the VCSA VM
Powered by Wolken Software