vSAN Health - VMware vCenter and all hosts are connected to Key Management Services

Article ID: 326514

Products

VMware vSAN

Issue/Introduction

This article explains the 'VMware vCenter and all hosts are connected to Key Management Services' check in the vSAN Health Service and describes why it might report an error or warning state.

Resolution

Q: What does the 'VMware vCenter and all hosts are connected to Key Management Services' check do?

This health check verifies:

  1. Whether vCenter Server and every ESXi host in the cluster can connect to the Key Management Server (KMS).
  2. Whether the key encryption key (KEK) and host encryption key stored in the KMIP KMS have expired or will expire within a few days. This second check exists as of vSAN 8.0 U2.

Q: What does it mean when it is in an error or warning state?

vCenter Server and ESXi host - KMS connection issues mean that vCenter Server and/or one or more ESXi hosts cannot connect to the KMS.

Key deactivation issues mean that the key has expired or will expire within a few days.

Q: How does one troubleshoot and fix the error or warning state?

Issue: Key status is unhealthy
Remediation: Check the key state on the KMS server (the KMS vendor may need to assist) and make sure the key is available.

Issue: KMS server connectivity issue
Remediation: Check that the network path is reachable and that the KMS cluster is accessible from vCenter Server and from every ESXi host.

Issue: Client certificate is invalid
Remediation: Regenerate a client certificate for the KMS provider.
    Navigate to vCenter → Configure → Key Providers (see Image 1)
    Select the KMS provider and click "Make KMS trust vCenter" in the "ESTABLISH TRUST" dropdown list
    Select "vCenter Root CA Certificate" or "vCenter Certificate" and click "Next"
    Copy or download the certificate, then click "Done"
    Select "Upload Signed CSR Certificate" in the "ESTABLISH TRUST" dropdown list
    Paste the certificate and click "UPLOAD"

Issue: Client certificate has expired
Remediation: Update the KMS client certificate.
    Navigate to vCenter → Configure → Key Providers (see Image 1)
    Select the KMS provider and click "Make KMS trust vCenter"
    The exact steps for making the KMS trust vCenter depend on the KMS vendor. Using the HyTrust KeyControl appliance as an example, choose the "KMS certificate and private key" method and click "Next"
    Upload the new KMS certificate and private key file, then click "ESTABLISH TRUST"

Issue: Client certificate is going to expire
Remediation: Refer to 'Client certificate has expired'

Issue: KMS server trust issue
Remediation: Refer to 'Client certificate has expired'

Issue: Key is expired (reported only in 8.0 U2 and later)
Remediation: Click the 'GENERATE NEW ENCRYPTION KEYS' button to generate new encryption keys (see Image 2)

Issue: Key is going to expire (reported only in 8.0 U2 and later)
Remediation: Click the 'GENERATE NEW ENCRYPTION KEYS' button to generate new encryption keys (see Image 2)
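The remediation rows for connectivity, client certificate expiry and key expiry all come down to two questions you can answer before opening a vendor ticket: can each KMS endpoint be reached over TCP, and how many days are left on the certificate or key. The script below is an added example (not VMware's code and not part of the health service) that performs those pre-checks from a shell on the vCenter appliance or any host with Python 3. It assumes the KMIP default port 5696, a 30-day warning window (the article does not state vSAN's own threshold), OpenSSL-style notAfter strings such as "Dec 31 23:59:59 2025 GMT", and that the openssl CLI is installed for reading a PEM file; the hostname and dates in the main block are constructed sample inputs.

```python
"""Pre-checks for the vSAN 'connected to Key Management Services' health check.

Added example, not VMware code. Assumptions: KMIP on TCP 5696, a 30-day
warning window, and notAfter strings in the format openssl prints.
"""
import socket
import ssl
import subprocess
from datetime import datetime, timezone

KMIP_PORT = 5696   # KMIP default; assumed, change if your KMS listens elsewhere
WARN_DAYS = 30     # assumed warning window; vSAN's own threshold is not given in the article


def as_of(date_str):
    """Turn 'YYYY-MM-DD' into an aware UTC datetime, to evaluate expiry at a chosen date."""
    return datetime.fromisoformat(date_str).replace(tzinfo=timezone.utc)


def tcp_reachable(host, port, timeout=3.0):
    """True if a TCP handshake to host:port completes within timeout (DNS failure counts as unreachable)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def days_until(not_after, now=None):
    """Days from `now` until an OpenSSL-style notAfter string; negative once expired."""
    now = now or datetime.now(timezone.utc)
    expiry = datetime.fromtimestamp(ssl.cert_time_to_seconds(not_after), tz=timezone.utc)
    return (expiry - now).total_seconds() / 86400.0


def expiry_state(not_after, now=None, warn_days=WARN_DAYS):
    """Map a notAfter date onto the three states the health check distinguishes."""
    remaining = days_until(not_after, now)
    if remaining <= 0:
        return "expired"
    if remaining <= warn_days:
        return "expiring"
    return "healthy"


def pem_not_after(pem_path):
    """Read notAfter from a PEM certificate on disk via the openssl CLI (assumed installed)."""
    out = subprocess.run(["openssl", "x509", "-in", pem_path, "-noout", "-enddate"],
                         check=True, capture_output=True, text=True).stdout.strip()
    return out.split("=", 1)[1]          # 'notAfter=Dec 31 ...' -> 'Dec 31 ...'


def assess(kms_hosts, cert_not_after, key_not_after, now=None, port=KMIP_PORT):
    """Return {check: (state, detail)} for KMS reachability, client certificate
    expiry and encryption key expiry (vSAN itself reports key expiry only from 8.0 U2)."""
    report = {}
    for host in kms_hosts:
        ok = tcp_reachable(host, port)
        report[f"kms:{host}"] = ("healthy" if ok else "unreachable",
                                 f"TCP {port} {'open' if ok else 'closed, filtered or unresolvable'}")
    report["client-cert"] = (expiry_state(cert_not_after, now),
                             f"{days_until(cert_not_after, now):.1f} days left")
    report["encryption-key"] = (expiry_state(key_not_after, now),
                                f"{days_until(key_not_after, now):.1f} days left")
    return report


def self_check():
    """Offline sanity check of tcp_reachable: an ephemeral local listener must be
    reachable while open and refused once it is closed."""
    with socket.socket() as srv:
        srv.bind(("127.0.0.1", 0))
        srv.listen(1)
        port = srv.getsockname()[1]
        open_ok = tcp_reachable("127.0.0.1", port, timeout=1.0)
    closed_ok = not tcp_reachable("127.0.0.1", port, timeout=1.0)
    return open_ok and closed_ok


if __name__ == "__main__":
    # Constructed sample inputs: replace the hostname with your KMS cluster members and
    # the dates with values from the KMS UI or from pem_not_after("<client-cert>.pem").
    result = assess(["kms01.example.internal"],
                    cert_not_after="Dec 31 23:59:59 2030 GMT",
                    key_not_after="Jan 15 00:00:00 2025 GMT")
    for name, (state, detail) in result.items():
        print(f"{name:22s} {state:12s} {detail}")
```

Run it from vCenter Server and from at least one ESXi host: the health check fails if any single host cannot reach the KMS, so a clean result from vCenter alone does not clear the "KMS server connectivity issue" row. An "expiring" client certificate or key is the cue to perform the corresponding remediation above before it turns into "expired".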
Image 1: VC-Config-Key-Providers.png (vCenter → Configure → Key Providers)

Image 2: kmip_kms_alert.png (KMIP KMS key expiry alert with the 'GENERATE NEW ENCRYPTION KEYS' button)