ESXi Hosts TPM device is not trusted by vSphere Trust Authority
Article ID: 316537

Products

VMware vCenter Server
VMware vSphere ESXi

Issue/Introduction

Symptoms:
  • When an ESXi host does not pass attestation, the kmxa.log on the host reports the following:

    info kmxa[66720] [Originator@6876 sub=Libs] Starting attestation handshake for group host-8008:2792ba99-69fe-4f85-85d2-8b0f4ef39426
    info kmxa[66720] [Originator@6876 sub=Libs] Connecting to attestd sb-esxi-02.domain.local:443
    error kmxa[66720] [Originator@6876 sub=Libs] Error retrieving token from ATTEST: Error:
    error kmxa[66720] [Originator@6876 sub=Libs] com.vmware.vapi.std.errors.error
    error kmxa[66720] [Originator@6876 sub=Libs] Messages:
    error kmxa[66720] [Originator@6876 sub=Libs] com.vmware.esx.attestation.report.unknown_tpm_ca
    error kmxa[66720] [Originator@6876 sub=Libs]
    error kmxa[66720] [Originator@6876 sub=Libs] Attestation handshake with sb-esxi-02.domain.local:443 failed to yield a token


Environment

VMware vSphere ESXi 7.0.0
VMware vCenter Server 7.0.x

Cause

If you replace the TPM device on an ESXi host in a Trusted Cluster, or replace the certificate of the TPM device, attestation can fail for that host because the Trust Authority Cluster does not know the CA that issued the new TPM certificate (the unknown_tpm_ca error above). You must obtain the CA certificate of the replaced TPM and add it to the vSphere Trust Authority configuration.

Resolution

Prerequisites:

You must be at least a Trust Authority administrator.

Procedure:

  1. Perform the following steps on the Trusted Host that is currently failing to attest.
    a. In a PowerCLI session, connect to the ESXi host that is failing to attest as the root user.
       Connect-VIServer -Server esxi_host -User root -Password 'password'
    b. Assign the ESXi host to a variable.
       $vmhost = Get-VMHost
    c. Assign the TPM Endorsement Key to a variable.
       $tmp2 = Get-Tpm2EndorsementKey -VMHost $vmhost
    d. Export the TPM CA certificate from the ESXi host. Ensure that the destination directory exists before running this command.
       Export-Tpm2CACertificate -Tpm2EndorsementKey $tmp2 -FilePath C:\vta\cacert.zip
  2. Perform the following steps on the vSphere Trust Authority Cluster.
    a. Run the following commands to disconnect any current connection and connect to the vCenter Server of the Trust Authority Cluster as the Trust Authority administrator user.
       Disconnect-VIServer -Server * -Confirm:$false
       Connect-VIServer -Server TrustAuthorityCluster_VC_ip_address -User trust_admin_user -Password 'password'
    b. Assign the Trust Authority Cluster to a variable.
       $TAcluster = Get-TrustAuthorityCluster "SB-Cluster"
    c. Import the TPM CA certificate previously exported from the ESXi host in step 1d.
       New-TrustAuthorityTpm2CACertificate -Name tpmca -TrustAuthorityCluster $TAcluster -FilePath C:\vta\cacert.zip
  3. On the Trusted Host that is failing to attest, restart services or reboot the host.
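The same procedure as one PowerCLI script, added here as an example and not part of the KB article: it prompts for credentials instead of embedding passwords, creates the export directory the article warns about, checks that the export actually produced a file before importing it, and lists the imported CA entry afterwards. Host names, the cluster name, the output directory and the use of Get-TrustAuthorityTpm2CACertificate for the final check are assumptions.

```powershell
# Added example, not from the KB. Assumed values: $EsxiHost, $TaVcenter, $TaClusterName, $OutDir.
param(
    [string]$EsxiHost      = 'sb-esxi-02.domain.local',   # Trusted Host failing attestation
    [string]$TaVcenter     = 'ta-vcenter.domain.local',   # placeholder: Trust Authority Cluster vCenter
    [string]$TaClusterName = 'SB-Cluster',
    [string]$OutDir        = 'C:\vta',
    [string]$CertName      = "tpmca-$(Get-Date -Format yyyyMMdd)"
)
$ErrorActionPreference = 'Stop'

# Prompt for both credentials; nothing is stored in the script or in shell history.
$hostCred = Get-Credential -Message "root credentials for $EsxiHost"
$taCred   = Get-Credential -Message "Trust Authority administrator for $TaVcenter"

# Step 1: export the TPM CA certificate from the failing host.
# Export-Tpm2CACertificate does not create the destination directory, so create it first.
if (-not (Test-Path -LiteralPath $OutDir)) { New-Item -ItemType Directory -Path $OutDir | Out-Null }
$zipPath = Join-Path $OutDir "cacert-$EsxiHost.zip"

Connect-VIServer -Server $EsxiHost -Credential $hostCred | Out-Null
try {
    $vmhost = Get-VMHost                      # direct host connection: only this host is returned
    $ek = Get-Tpm2EndorsementKey -VMHost $vmhost
    if (-not $ek) { throw "No TPM 2.0 endorsement key reported by $EsxiHost" }
    Export-Tpm2CACertificate -Tpm2EndorsementKey $ek -FilePath $zipPath
} finally {
    Disconnect-VIServer -Server $EsxiHost -Confirm:$false
}
if (-not (Test-Path -LiteralPath $zipPath)) { throw "Export did not produce $zipPath" }

# Step 2: import the exported CA certificate into the Trust Authority Cluster.
Connect-VIServer -Server $TaVcenter -Credential $taCred | Out-Null
try {
    $taCluster = Get-TrustAuthorityCluster -Name $TaClusterName
    New-TrustAuthorityTpm2CACertificate -Name $CertName -TrustAuthorityCluster $taCluster -FilePath $zipPath
    # Confirm the entry now exists (assumed cmdlet from the same PowerCLI security module).
    Get-TrustAuthorityTpm2CACertificate -TrustAuthorityCluster $taCluster | Where-Object Name -eq $CertName
} finally {
    Disconnect-VIServer -Server $TaVcenter -Confirm:$false
}
# Step 3 (restart services or reboot the failing host) is performed separately, as in the article.
```

After the host restarts, kmxa.log should show the attestation handshake yielding a token instead of the unknown_tpm_ca error quoted above.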