How to renew an IOFilter Certificate

Article ID: 320568


Products

  • VMware Live Recovery
  • VMware vSphere ESXi
  • VMware vCenter Server
  • VMware vCenter Server 7.0
  • VMware vCenter Server 8.0

Issue/Introduction

This article explains how to fix the IOFilter certificates on the vCenter Server Appliance.

  • IOFilter certificate expired
  • ESXi host IOFilter certificate nearing expiration and needs to be renewed
  • After disconnecting and reconnecting the ESXi host, the expiration date is still the same.
  • Deleting the IOFilter and creating a new certificate still shows the same expiration date.

In the vCenter Server logs, you may see messages similar to the following:

sps.log: 

yyyy-dd-mmT00:11:34.197Z [Thread-17] ERROR opId=sps-Main-605481-414 com.vmware.vim.sms.client.VasaClientImpl - Setcontext() was interrupted
java.lang.InterruptedException: org.apache.axis2.AxisFault: self signed certificate
        at com.vmware.vim.sms.client.VasaClientImpl.executeWithTimeout(VasaClientImpl.java:240)
        at com.sun.proxy.$Proxy114.setContext(Unknown Source)

yyyy-dd-mmT00:11:34.197Z [Thread-17] ERROR opId=sps-Main-605481-414 com.vmware.vim.sms.provider.vasa.VasaProviderImpl - SetContext failed!
com.vmware.vim.sms.fault.VasaServiceException
        at com.vmware.vim.sms.client.VasaClientImpl.setContext(VasaClientImpl.java:191)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at com.vmware.vim.sms.StorageManagerImpl$ProviderLoader.run(StorageManagerImpl.java:289)

yyyy-dd-mmT00:11:34.197Z [Thread-17] ERROR opId=sps-Main-605481-414 com.vmware.vim.sms.provider.vasa.VasaProviderImpl - [load] Provider loading failed
com.vmware.vim.sms.fault.VasaServiceException
        at com.vmware.vim.sms.client.VasaClientImpl.setContext(VasaClientImpl.java:191)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at com.vmware.vim.sms.client.VasaClientHandler.invoke(VasaClientHandler.java:27)
        at com.sun.proxy.$Proxy114.setContext(Unknown Source)
        at com.vmware.vim.sms.provider.vasa.VasaProviderImpl.setContext(VasaProviderImpl.java:1462)
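
One way to triage entries like these, as an added example that is not VMware tooling: the function below groups sps.log records by opId, counts the "SetContext failed!" and "Provider loading failed" errors, and pulls the AxisFault cause out of the stack trace. The sample lines are constructed from the excerpt above with a made-up date, and the function and output field names are this example's own.

```shell
#!/bin/sh
# Summarise VASA/IOFilter provider load failures in sps.log, one line per opId.
# A record starts at a timestamped line; stack-trace lines belong to the
# record above them.
sps_cert_faults() {
    awk '
    /^[^ \t]+T[0-9:.]+Z \[/ {              # start of a new log record
        op = "-"
        for (i = 1; i <= NF; i++)
            if ($i ~ /^opId=/) { op = substr($i, 6); break }
        if (!(op in seen)) { seen[op] = 1; order[++n] = op }
        if ($0 ~ /SetContext failed!/)      setctx[op]++
        if ($0 ~ /Provider loading failed/) load[op]++
        next
    }
    # Continuation line: keep the certificate fault text as the cause.
    op != "" && /AxisFault: .*certificate/ {
        sub(/^.*AxisFault: */, ""); cause[op] = $0
    }
    END {
        for (k = 1; k <= n; k++) {
            op = order[k]
            if (setctx[op] + load[op] == 0) continue
            printf "%s setcontext_failed=%d load_failed=%d cause=\"%s\"\n",
                   op, setctx[op], load[op],
                   (op in cause) ? cause[op] : "unknown"
        }
    }' "$@"
}

# Constructed sample input (date and the INFO line are made up).
sample_sps_log() {
    cat <<'EOF'
2024-01-01T00:11:34.197Z [Thread-17] ERROR opId=sps-Main-605481-414 com.vmware.vim.sms.client.VasaClientImpl - Setcontext() was interrupted
java.lang.InterruptedException: org.apache.axis2.AxisFault: self signed certificate
        at com.vmware.vim.sms.client.VasaClientImpl.executeWithTimeout(VasaClientImpl.java:240)
2024-01-01T00:11:34.197Z [Thread-17] ERROR opId=sps-Main-605481-414 com.vmware.vim.sms.provider.vasa.VasaProviderImpl - SetContext failed!
com.vmware.vim.sms.fault.VasaServiceException
2024-01-01T00:11:34.197Z [Thread-17] ERROR opId=sps-Main-605481-414 com.vmware.vim.sms.provider.vasa.VasaProviderImpl - [load] Provider loading failed
com.vmware.vim.sms.fault.VasaServiceException
2024-01-01T00:12:01.002Z [Thread-18] INFO opId=sps-Main-000000-001 com.vmware.vim.sms.StorageManagerImpl - constructed unrelated line
EOF
}

sample_sps_log | sps_cert_faults
```

Pass the path of a real sps.log as the argument to run it against the appliance's log instead of the sample.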

Environment

  • VMware vCenter Server 8.x
  • VMware vCenter Server 7.x
  • VMware vCenter Server 6.x

Resolution

Note: Take a valid snapshot of the vCenter before proceeding. If the vCenter is in enhanced linked mode, take offline snapshots of all the vCenters in enhanced linked mode, and then proceed with caution.

1. Renew the ESXi host's SSL certificate and confirm the new certificate expiry date.
  Note: If the ESXi host's SSL certificate validity period is longer than the IOFilter VP certificate validity period, there is no need to renew the ESXi host's SSL certificate.

  [CLI Step]
  a. SSH into each ESXi host and change to /etc/vmware/ssl:
     cd /etc/vmware/ssl

  b. Rename the old rui.crt and rui.key files:
     mv rui.crt old.rui.crt
     mv rui.key old.rui.key

  c. Run the certificate generation command:
     /sbin/generate-certificates

  d. Restart the services:
     services.sh restart

  [GUI Step]
  Follow the official documentation and run [Renew]:

  vSphere 7.0 Renew or Refresh ESXi Certificates
  vSphere 8.0 Renew or Refresh ESXi Certificates


2. After renewing the ESXi host's SSL certificate, disconnect the ESXi host from vCenter Server and reconnect it.

  Disconnecting and Reconnecting an ESXi Host

3. If, after the above two steps, the IOFilter VP is not online or the expiry date of the IOFilter VP certificate has not been renewed, unregister and register the IOFilter VP by following the KB below:

  Certain IOFIlter Providers are showing as offline


Note: For customers who wish to see updated certificate information in the vCenter Storage Provider UI, unregister the IOFilter VP first; restarting the vCenter Server SPS service will then automatically re-register the IOFilter VP (follow the above KB 318887).

Caution:

  • Do not delete the SMS self-signed certificate. It is used during communication with the IOFilter VP, and the SMS self-signed certificate and the VP certificate are two different entities.
  • Deleting sms_self_signed will make all VASA providers show offline when the SPS service restarts, and all IOFilter VPs (VASA providers) must then be unregistered and re-registered.
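
To confirm the result of step 1 from the command line, the following added example (not part of the original article or VMware tooling) checks that the new rui.crt is readable and not close to expiry, that rui.key belongs to it, and that it differs from old.rui.crt. It assumes the openssl CLI is on PATH; the function names and the 30-day warning window are this example's own.

```shell
#!/bin/sh
# Post-renewal checks for the files produced in step 1.
# Assumption: the openssl CLI is on PATH.

# Print "unreadable", "expired", "expiring" or "ok" for a PEM certificate.
cert_status() {   # cert_status FILE [WARN_DAYS]
    warn=$(( ${2:-30} * 86400 ))
    if ! openssl x509 -in "$1" -noout >/dev/null 2>&1; then
        echo unreadable
    elif ! openssl x509 -in "$1" -noout -checkend 0 >/dev/null 2>&1; then
        echo expired
    elif ! openssl x509 -in "$1" -noout -checkend "$warn" >/dev/null 2>&1; then
        echo expiring
    else
        echo ok
    fi
}

# Succeed only if the private key belongs to the certificate.
key_matches_cert() {   # key_matches_cert CERT KEY
    c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    k=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$c" ] && [ "$c" = "$k" ]
}

sha256_fp() { openssl x509 -in "$1" -noout -fingerprint -sha256 2>/dev/null; }

# Verdict for a directory holding rui.crt, rui.key and (optionally) old.rui.crt.
verify_renewal() {   # verify_renewal DIR [WARN_DAYS]
    dir=$1
    st=$(cert_status "$dir/rui.crt" "${2:-30}")
    [ "$st" = ok ] || { echo "FAIL: rui.crt is $st"; return 1; }
    key_matches_cert "$dir/rui.crt" "$dir/rui.key" ||
        { echo "FAIL: rui.key does not match rui.crt"; return 1; }
    if [ -f "$dir/old.rui.crt" ] &&
       [ "$(sha256_fp "$dir/rui.crt")" = "$(sha256_fp "$dir/old.rui.crt")" ]; then
        echo "FAIL: rui.crt is identical to old.rui.crt"; return 1
    fi
    echo "OK: $(openssl x509 -in "$dir/rui.crt" -noout -enddate)"
}

# Usage: sh verify.sh /etc/vmware/ssl 30
[ -z "${1:-}" ] || verify_renewal "$@"
```

The notAfter date printed on success is the value to compare with the expiry shown for the IOFilter VP in the vCenter Storage Provider UI.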

Additional Information

  • The IOFilter, also known as the VASA provider, is automatically registered for every ESXi host in a cluster. It serves as an ESXi framework that enables the interception of VM I/Os at the virtual SCSI (VSCSI) layer.

    At a high level, the VSCSI layer resides in ESXi between the VM and the VMFS file system. The IOFilter framework empowers developers—both VMware and third-party vendors—to create filters that implement advanced services leveraging VM I/Os, such as encryption, caching, and replication.

    Key Features of IOFilter:

    1. User-Space Implementation:
      The framework operates entirely in user space. This design ensures that VM I/Os are cleanly isolated from the core architecture of ESXi. Consequently, any issues arising from the framework affect only the specific VM in question and do not compromise the hypervisor's core functionality.

    2. Custom Filter Development:
      VMware partners can develop I/O filters using the vSphere APIs for I/O Filtering (VAIO) developer program, enabling tailored solutions to meet specific use cases.

    3. Certificate Behavior:

      • The IOFilter VP (Vendor Provider) certificate is identical to the ESXi host certificate.
      • If discrepancies are observed between the certificate validity displayed in the vCenter Provider UI and on the ESXi host, they can be safely ignored.
      • Certificate information is updated only after the IOFilter VP is unregistered and then re-registered.

    By providing this modular and isolated framework, the IOFilter framework significantly enhances the flexibility and functionality of VMware environments while maintaining stability and reliability.