Changing Certificates on vSphere Trust Authority Hosts

Article ID: 316538


Products

VMware vCenter Server VMware vSphere ESXi

Issue/Introduction

Symptoms:

  • The kmxa.log on the Trusted Cluster hosts reports the following:

    info kmxa[66764] [Originator@6876 sub=Libs] Connecting to attestd <host name>.domain.local:443
    error kmxa[66764] [Originator@6876 sub=Libs] Error retrieving token from ATTEST: Error:
    error kmxa[66764] [Originator@6876 sub=Libs] system_error
    error kmxa[66764] [Originator@6876 sub=Libs] Messages:
    error kmxa[66764] [Originator@6876 sub=Libs] vapi.connect.failed
    error kmxa[66764] [Originator@6876 sub=Libs]
    error kmxa[66764] [Originator@6876 sub=Libs] Attestation handshake with <host name>.domain.local:443 failed to yield a token

Environment

VMware vCenter Server 7.0.x
VMware vSphere ESXi 7.0.0

Cause

If you replace certificates on the Trust Authority hosts in the vSphere Trust Authority Cluster, the Trusted Cluster hosts cannot attest to the vSphere Trust Authority Cluster.

Resolution

Prerequisites

You must be a Trust Authority administrator.

Procedure

  1. Perform the following steps on the vSphere Trust Authority Cluster.
     a. In a PowerCLI session, run the Connect-VIServer cmdlet to connect to the vCenter Server of the Trust Authority Cluster as the Trust Authority administrator user.

        Connect-VIServer -server ###.###.###.### -User <admin username> -Password <admin password>

     b. Assign the Trust Authority Cluster to a variable.

        $TAcluster = Get-TrustAuthorityCluster "SB-Cluster"

     c. Export the TrustAuthorityServicesInfo information so that you have the latest version (the one carrying the replaced certificates). Ensure that the destination directory exists before running this command.

        Export-TrustAuthorityServicesInfo -TrustAuthorityCluster $TAcluster -FilePath C:\<local directory>\cluster_settings_new.json

  2. Perform the following steps on the Trusted Cluster.
     a. Run the following commands to disconnect any current connection and connect to the vCenter Server of the Trusted Cluster as the Trust Authority administrator user.

        Disconnect-VIServer -server * -Confirm:$false
        Connect-VIServer -server ###.###.###.### -User <admin username> -Password <admin password>

     b. Assign the Trusted Cluster to a variable.

        $TrustedCluster = Get-TrustedCluster "SA-Cluster"

     c. Disable the Trusted State of the Trusted Cluster.

        Set-TrustedCluster -State Disabled -TrustedCluster $TrustedCluster

     d. Remove the AttestationServiceInfo desired state information from vCenter.

        Get-AttestationServiceInfo | Remove-AttestationServiceInfo

     e. Remove the KeyProviderServiceInfo desired state information from vCenter.

        Get-KeyProviderServiceInfo | Remove-KeyProviderServiceInfo

     f. Import into vCenter the TrustAuthorityServicesInfo information that you exported in step 1c.

        Import-TrustAuthorityServicesInfo -FilePath C:\<local directory>\cluster_settings_new.json

     g. Enable the Trusted State of the Trusted Cluster.

        Set-TrustedCluster -State Enabled -TrustedCluster $TrustedCluster
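The two phases above can be run as one PowerCLI script. The following is an added example, not a script from VMware or from this article; it uses only the cmdlets shown in the procedure plus standard PowerShell cmdlets. The vCenter addresses and the export directory are placeholders you must replace, the cluster names "SB-Cluster" and "SA-Cluster" are taken from the article's commands, and the credential is prompted for rather than passed on the command line so that the administrator password does not end up in shell history. The script refuses to disable the Trusted Cluster unless the export file from phase 1 actually exists and is non-empty, since tearing down the desired state without a good export would leave the Trusted Cluster with nothing to re-import.

```powershell
# Added example (not VMware's own script): automate "Changing Certificates on
# vSphere Trust Authority Hosts". Placeholders below must be replaced.
param(
    [string]$TrustAuthorityVC          = '<trust-authority-vcenter>',  # placeholder
    [string]$TrustedVC                 = '<trusted-cluster-vcenter>',  # placeholder
    [string]$TrustAuthorityClusterName = 'SB-Cluster',                 # from the article
    [string]$TrustedClusterName        = 'SA-Cluster',                 # from the article
    [string]$ExportDir                 = 'C:\vta-export'               # placeholder
)

$ErrorActionPreference = 'Stop'

# Ask once for the Trust Authority administrator credential instead of
# putting -User/-Password on the command line.
$cred = Get-Credential -Message 'Trust Authority administrator'

# Export-TrustAuthorityServicesInfo requires the destination directory to exist.
if (-not (Test-Path -Path $ExportDir)) {
    New-Item -ItemType Directory -Path $ExportDir | Out-Null
}
$exportFile = Join-Path -Path $ExportDir -ChildPath 'cluster_settings_new.json'

try {
    # Phase 1: Trust Authority Cluster. Capture the service info that now
    # reflects the replaced certificates.
    Disconnect-VIServer -Server * -Confirm:$false -ErrorAction SilentlyContinue
    Connect-VIServer -Server $TrustAuthorityVC -Credential $cred | Out-Null
    $taCluster = Get-TrustAuthorityCluster $TrustAuthorityClusterName
    Export-TrustAuthorityServicesInfo -TrustAuthorityCluster $taCluster -FilePath $exportFile

    # Safety check before touching the Trusted Cluster: the export must be usable.
    if (-not (Test-Path -Path $exportFile) -or (Get-Item -Path $exportFile).Length -eq 0) {
        throw "Export file '$exportFile' is missing or empty; not disabling the Trusted Cluster."
    }

    # Phase 2: Trusted Cluster. Replace the stale attestation and key provider
    # desired state with the freshly exported one, then re-enable trust.
    Disconnect-VIServer -Server * -Confirm:$false
    Connect-VIServer -Server $TrustedVC -Credential $cred | Out-Null
    $trustedCluster = Get-TrustedCluster $TrustedClusterName

    Set-TrustedCluster -State Disabled -TrustedCluster $trustedCluster
    Get-AttestationServiceInfo | Remove-AttestationServiceInfo
    Get-KeyProviderServiceInfo | Remove-KeyProviderServiceInfo
    Import-TrustAuthorityServicesInfo -FilePath $exportFile
    Set-TrustedCluster -State Enabled -TrustedCluster $trustedCluster
}
finally {
    # Always drop the session, even if a step failed part-way.
    Disconnect-VIServer -Server * -Confirm:$false -ErrorAction SilentlyContinue
}
```

After the script completes, confirm on a Trusted Cluster host that kmxa.log no longer logs "Attestation handshake ... failed to yield a token" and that a token is retrieved from the Attestation Service; if the error persists, the export in phase 1 was taken before the certificates were replaced and the procedure should be repeated.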