How to renew an IOFilter Certificate

Article ID: 320568

Updated On: 04-01-2025

Products

VMware Live Recovery, VMware vSphere ESXi, VMware vCenter Server, VMware vCenter Server 7.0, VMware vCenter Server 8.0

Issue/Introduction

This article explains how to fix the IOFilter certificates on the vCenter Server Appliance.

  • The IOFilter certificate has expired.
  • The ESXi host IOFilter certificate is nearing expiration and needs to be renewed.
  • After a disconnect and reconnect, the expiration date is still the same.
  • After deleting the IOFilter and creating a new certificate, the expiration date is still the same.

In the vCenter logs, you will see the error messages below:

sps.log: 

yyyy-dd-mmT00:11:34.197Z [Thread-17] ERROR opId=sps-Main-605481-414 com.vmware.vim.sms.client.VasaClientImpl - Setcontext() was interrupted
java.lang.InterruptedException: org.apache.axis2.AxisFault: self signed certificate
        at com.vmware.vim.sms.client.VasaClientImpl.executeWithTimeout(VasaClientImpl.java:240)
               at com.sun.proxy.$Proxy114.setContext(Unknown Source)

yyyy-dd-mmT00:11:34.197Z [Thread-17] ERROR opId=sps-Main-605481-414 com.vmware.vim.sms.provider.vasa.VasaProviderImpl - SetContext failed!
com.vmware.vim.sms.fault.VasaServiceException
        at com.vmware.vim.sms.client.VasaClientImpl.setContext(VasaClientImpl.java:191)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at com.vmware.vim.sms.StorageManagerImpl$ProviderLoader.run(StorageManagerImpl.java:289)

yyyy-dd-mmT00:11:34.197Z [Thread-17] ERROR opId=sps-Main-605481-414 com.vmware.vim.sms.provider.vasa.VasaProviderImpl - [load] Provider loading failed
com.vmware.vim.sms.fault.VasaServiceException
        at com.vmware.vim.sms.client.VasaClientImpl.setContext(VasaClientImpl.java:191)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at com.vmware.vim.sms.client.VasaClientHandler.invoke(VasaClientHandler.java:27)
        at com.sun.proxy.$Proxy114.setContext(Unknown Source)
        at com.vmware.vim.sms.provider.vasa.VasaProviderImpl.setContext(VasaProviderImpl.java:1462)

Environment

  • VMware vCenter Server 8.x
  • VMware vCenter Server 7.x
  • VMware vCenter Server 6.x

Resolution

Note: Take a valid snapshot of the vCenter before proceeding. If the vCenter is in linked mode, take offline snapshots of all the vCenters in linked mode, then proceed with caution.

1. Renew the ESXi host SSL certificate and confirm the certificate expiry date.
  Note: If the ESXi host SSL certificate validity period is sufficiently longer than the IOFilter VP certificate validity period, there is no need to renew the ESXi host SSL certificate.

  [CLI Step]
  a. SSH into each ESXi host
     cd /etc/vmware/ssl

  b. Rename the old rui.crt and rui.key files
     mv rui.crt old.rui.crt
     mv rui.key old.rui.key

  c. Run the generation command
     /sbin/generate-certificates

  d. Restart the services
     services.sh restart

  [GUI Step]
  Follow the official documentation and run [Renew]:

  vSphere 7.0: Renew or Refresh ESXi Certificates
  vSphere 8.0: Renew or Refresh ESXi Certificates


2. After renewing the ESXi host SSL certificate, disconnect the ESXi host from vCenter and reconnect it.

3. If, after the above two steps, the IOFilter VP is not online or the IOFilter VP certificate has not been renewed, unregister and re-register the IOFilter VP following KB 318887.

  Certain IOFIlter Providers are showing as offline
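
Added example, not part of the original article: a check for step 1 that compares the renamed old.rui.crt with the regenerated rui.crt, so a certificate that was not actually replaced (the "expiration date is still the same" symptom) is caught before the host is reconnected. The function names and the 30-day threshold are assumptions, and it assumes openssl is available in the shell where it runs.

```shell
#!/bin/sh
# Added example (not from the KB). File names follow steps 1b and 1c:
# old.rui.crt is the renamed certificate, rui.crt the regenerated one.
# Function names and the 30-day threshold are assumptions.

# SHA-256 fingerprint of a PEM certificate (empty if unreadable).
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 2>/dev/null | cut -d= -f2
}

# notAfter (expiry) date of a PEM certificate.
cert_enddate() {
    openssl x509 -in "$1" -noout -enddate 2>/dev/null | cut -d= -f2
}

# Succeeds if the certificate is still valid $2 days from now.
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1
}

# Print one status word for an old/new certificate pair:
#   unreadable - one of the files could not be parsed
#   unchanged  - same fingerprint, the certificate was not replaced
#   expiring   - replaced, but the new one expires within min_days
#   renewed    - replaced and valid for at least min_days
renewal_status() {
    old_fp=$(cert_fingerprint "$1")
    new_fp=$(cert_fingerprint "$2")
    if [ -z "$old_fp" ] || [ -z "$new_fp" ]; then
        echo unreadable
    elif [ "$old_fp" = "$new_fp" ]; then
        echo unchanged
    elif ! cert_valid_for_days "$2" "$3"; then
        echo expiring
    else
        echo renewed
    fi
}

# On the ESXi host, report only when both files from step 1 exist.
ssl_dir=/etc/vmware/ssl
if [ -f "$ssl_dir/old.rui.crt" ] && [ -f "$ssl_dir/rui.crt" ]; then
    echo "old expires: $(cert_enddate "$ssl_dir/old.rui.crt")"
    echo "new expires: $(cert_enddate "$ssl_dir/rui.crt")"
    renewal_status "$ssl_dir/old.rui.crt" "$ssl_dir/rui.crt" 30
fi
```

A result of "unchanged" means the regenerated file is the same certificate as the old one, so reconnecting the host will not change the expiry date shown for the IOFilter VP.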
     

Note: Customers who wish to see updated certificate information in the vCenter Storage Provider UI need to de-register the IOFilter VP first; restarting the SPS service will then automatically re-register the IOFilter VP (follow KB 318887).

Caution:

  • Do not delete the SMS self-signed certificate. The SMS self-signed certificate is used during communication with the IOFilter VP, and the SMS self-signed certificate and the VP certificate are two different entities.
  • Deleting sms_self_signed will take all VASA Providers offline on restart of the SPS service, and the customer will need to unregister all VPs (VASA Providers) and re-register them.

Additional Information

  • The IOFilter, also known as the VASA provider, is automatically registered for every ESXi host in a cluster. It serves as an ESXi framework that enables the interception of VM I/Os at the virtual SCSI (VSCSI) layer.

    At a high level, the VSCSI layer resides in ESXi between the VM and the VMFS file system. The IOFilter framework empowers developers—both VMware and third-party vendors—to create filters that implement advanced services leveraging VM I/Os, such as encryption, caching, and replication.

    Key Features of IOFilter:

    1. User-Space Implementation:
      The framework operates entirely in user space. This design ensures that VM I/Os are cleanly isolated from the core architecture of ESXi. Consequently, any issues arising from the framework affect only the specific VM in question and do not compromise the hypervisor's core functionality.

    2. Custom Filter Development:
      VMware partners can develop I/O filters using the vSphere APIs for I/O Filtering (VAIO) developer program, enabling tailored solutions to meet specific use cases.

    3. Certificate Behavior:

      • The IOFilter VP (Vendor Provider) certificate is identical to the ESXi host certificate.
      • If discrepancies are observed between the certificate validity displayed in the vCenter Provider UI and on the ESXi host, they can be safely ignored.
      • Certificate information is updated only after the IOFilter VP is unregistered and then re-registered.

    By providing this modular and isolated framework, the IOFilter framework significantly enhances the flexibility and functionality of VMware environments while maintaining stability and reliability.