In the vSphere Client, the message "The new host TPM endorsement key doesn't match the one stored in the DB" appears.
Article ID: 316512

Products

VMware vCenter Server 7.0
VMware vCenter Server 8.0

Issue/Introduction

After replacing a host's system board (and with it the TPM that is attached to it), the following message may appear in the vSphere Client:

The new host TPM endorsement key doesn't match the one stored in the DB

Environment

VMware vCenter Server 7.0.x
VMware vCenter Server 8.0.x

Cause

vCenter Server stores each host's TPM endorsement key (EK) and attestation identity key (AIK) in the VPX_HOST table of the VCDB database and compares them against what the host presents when it connects. The replacement system board carries a new TPM with its own EK, so the key the host now presents no longer matches the stored value and the message is raised. This is the expected outcome of a legitimate TPM change; the same check fires if a host's TPM were swapped without authorization, so confirm that the hardware replacement actually took place before clearing the stored keys.

Resolution

To clear the message, blank the stored key values (endorsement_key and attestation_identity_key) for the affected host in the VPX_HOST table, then disconnect and reconnect the host so that vCenter Server records the keys of the new TPM.

  1. Take an offline snapshot of the vCSA.

  2. Place the affected host into Maintenance Mode.

  3. SSH to the vCSA via root.

  4. Stop the vpxd service
    service-control --stop vmware-vpxd

    Note: This command requires the bash shell prompt - Enable and Access the Bash Shell from the Appliance Shell

  5. Back up the VPX_HOST table
    /opt/vmware/vpostgres/current/bin/pg_dump -U postgres -t VPX_HOST VCDB > /var/core/VPX_HOST.sql
  6. Identify the ID of the affected host using either of the two options below:
    1. List every host with its stored keys:
      /opt/vmware/vpostgres/current/bin/psql -U postgres -d VCDB -h localhost -c "select ID,DNS_NAME,endorsement_key,attestation_identity_key from VPX_HOST;"

      Note: This lists the endorsement_key and attestation_identity_key of every host connected to this vCenter Server.

    2. Query the affected host directly:
      /opt/vmware/vpostgres/current/bin/psql -U postgres -d VCDB -h localhost -c "select id,dns_name,endorsement_key,attestation_identity_key from VPX_HOST WHERE dns_name = 'FQDN_of_issued_host.domain';"

      Replace FQDN_of_issued_host.domain with the affected host's FQDN.

      Note: The host ID can also be read from the vSphere Client: log in to vCenter Server, select the affected host, and look at the browser URL. Use only the numeric value after the colon, e.g. 6074320 in:

          "HostSystem:host-6074320:"

  7. Clear the key value information
    /opt/vmware/vpostgres/current/bin/psql -U postgres -d VCDB -h localhost -c "update VPX_HOST set endorsement_key='', attestation_identity_key='' where id = <Host ID in step 6>;"

    Note: the output should be exactly:
    UPDATE 1
    This confirms that a single row was changed. Any other row count means the wrong ID was used; restore the table from the backup taken in step 5 before continuing.

  8. Confirm the key value for the affected host has been cleared
    /opt/vmware/vpostgres/current/bin/psql -U postgres -d VCDB -h localhost -c "select ID,DNS_NAME,endorsement_key,attestation_identity_key from VPX_HOST;"
  9. Start the VPXD service
    service-control --start vmware-vpxd
  10. Disconnect and reconnect the affected host within the vSphere Client.

  11. Confirm that the new TPM's key values are now stored for the affected host.
    /opt/vmware/vpostgres/current/bin/psql -U postgres -d VCDB -h localhost -c "select ID,DNS_NAME,endorsement_key,attestation_identity_key from VPX_HOST;"
  12. Exit the host from Maintenance Mode. 
      
  13. After verifying that the issue is resolved, delete (consolidate) the snapshot on the vCSA VM.
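The steps above splice a host ID into an UPDATE typed by hand, and a wrong ID blanks the keys of a different host. The script below is an added example, not VMware tooling, that wraps steps 4 to 8 with the checks that procedure depends on: vpxd must be stopped, the FQDN must resolve to exactly one VPX_HOST row, only a plain integer may be spliced into the SQL, the table is dumped before the change, and the row is re-read afterwards to prove both keys are empty. It assumes the psql and pg_dump paths used in this article, root on the vCSA bash shell, and that `service-control --status` prints a "Stopped:" section for a stopped service; the PSQL, PG_DUMP, SERVICE_CONTROL and BACKUP variables exist only so the script can be pointed at other paths.

```shell
#!/bin/sh
# Added example (not VMware's own tooling): clear the stored TPM EK/AIK of one
# host in VCDB with the safety checks the manual procedure relies on. Run only
# after the system-board replacement has been confirmed and vpxd is stopped.
set -eu

PSQL="${PSQL:-/opt/vmware/vpostgres/current/bin/psql}"
PG_DUMP="${PG_DUMP:-/opt/vmware/vpostgres/current/bin/pg_dump}"
SERVICE_CONTROL="${SERVICE_CONTROL:-service-control}"   # assumed CLI name
BACKUP="${BACKUP:-/var/core/VPX_HOST.$(date +%Y%m%d%H%M%S).sql}"

# Only a plain integer may be spliced into the UPDATE; anything else is refused.
is_host_id() {
  case "$1" in ''|*[!0-9]*) return 1 ;; esac
}

# Only hostname characters may be embedded as the dns_name literal.
is_fqdn() {
  case "$1" in ''|*[!A-Za-z0-9.-]*|-*|.*|*-|*.) return 1 ;; esac
}

# The statements are built by functions so they can be reviewed before running.
lookup_sql() { printf "select id from VPX_HOST where dns_name = '%s';" "$1"; }
clear_sql()  { printf "update VPX_HOST set endorsement_key='', attestation_identity_key='' where id = %s;" "$1"; }
verify_sql() { printf "select coalesce(length(endorsement_key),0) + coalesce(length(attestation_identity_key),0) from VPX_HOST where id = %s;" "$1"; }

# -tAX: tuples only, unaligned, ignore .psqlrc, so the output is parseable.
run_sql() { "$PSQL" -U postgres -d VCDB -h localhost -tAX -c "$1"; }

# Usage: clear_host_tpm_keys <host FQDN>; prints the cleared host ID on success.
clear_host_tpm_keys() {
  fqdn="$1"
  is_fqdn "$fqdn" || { echo "refusing unusual FQDN: $fqdn" >&2; return 2; }

  # vpxd must be down so it cannot rewrite the row while we edit it
  # (assumes service-control --status prints a "Stopped:" section).
  "$SERVICE_CONTROL" --status vmware-vpxd | grep -q '^Stopped' \
    || { echo "stop vmware-vpxd before editing VCDB" >&2; return 3; }

  # Resolve the host ID from VCDB and insist on exactly one matching row.
  ids=$(run_sql "$(lookup_sql "$fqdn")")
  rows=$(printf '%s\n' "$ids" | grep -c . || true)
  [ "$rows" -eq 1 ] || { echo "expected 1 row for $fqdn, got $rows" >&2; return 4; }
  id=$(printf '%s' "$ids" | tr -d '[:space:]')
  is_host_id "$id" || { echo "unexpected host id: $id" >&2; return 5; }

  # Keep a restorable copy of the table before touching it.
  "$PG_DUMP" -U postgres -t VPX_HOST VCDB > "$BACKUP"

  # Clear both keys on that single row; psql reports the affected row count.
  tag=$(run_sql "$(clear_sql "$id")")
  [ "$tag" = "UPDATE 1" ] \
    || { echo "unexpected result '$tag'; restore from $BACKUP" >&2; return 6; }

  # Re-read the row and prove both key columns are now empty.
  left=$(run_sql "$(verify_sql "$id")" | tr -d '[:space:]')
  [ "$left" = "0" ] \
    || { echo "keys for host $id still present; restore from $BACKUP" >&2; return 7; }
  echo "$id"
}

case $# in
  1) clear_host_tpm_keys "$1" ;;
  *) echo "usage: $0 <host FQDN>" >&2 ;;
esac
```

After the script prints the host ID, continue with step 9 (start vpxd), then disconnect and reconnect the host and re-run the SELECT from step 11 to confirm the new TPM's keys have been written back.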

Workaround

If applicable and permitted (i.e., do not use this workaround if the affected host is part of a vSAN cluster, has vVols storage, or is attached to a vSphere Distributed Switch (VDS)):

  1. Within the vCenter Server vSphere Client, place the affected host into Maintenance Mode.
  2. Remove the affected host from vCenter's inventory.
  3. Re-add the affected host.
  4. Exit the host from Maintenance Mode.