vSAN -- Error when enabling vSAN Encryption: "Limit exceeded"

Article ID: 326665

Products

VMware vSAN

Issue/Introduction

Symptoms:
Enabling vSAN Encryption fails because the KMS Cluster name (provided by the user) is too long.
Error Message: "A general system error occurred: Failed to add key to KeyCache: Limit exceeded."
(Seen in the host log: /var/run/log/vsansystem.log)




Environment

VMware vSAN 6.5.x

Cause

The keyId is generated by the external KMS and cannot be shortened.
vSAN needs to add the keyId to its key cache along with the kmsClusterName (= KMS Cluster name provided by the user).
The field used for this is $kmsClusterName/$keyId.
The maximum size of this field is 100 bytes.

You will see the error message if $kmsClusterName/$keyId exceeds its maximum size of 100 bytes.
(The size is defined by KEYCACHE_KEYNAME_MAX_LEN.)

Example:
The keyId created by the external KMS is 64 bytes long: 5C3AA873097E8AF8AC200B6ED3690B148D9685EC725D3E96730ADC58231FA775
As a result the max size of kmsClusterName can only be 35 bytes (= 100-64-1).
Example: KMIP_Live_Resource_CL_PRE_LN06_0099

Note:
This explanation applies to ASCII characters.
If the name contains non-ASCII characters, ensure it consumes no more than the space limit described above.
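
A pre-check for a planned KMS Cluster name against the 100-byte limit, shown as an added example (not VMware code). It assumes the name is stored UTF-8 encoded, which the article does not state; the function names and the non-ASCII sample name are constructed for illustration.

```python
# Added example, not VMware code. Assumption: the name is stored UTF-8 encoded.
KEYCACHE_KEYNAME_MAX_LEN = 100  # bytes, the limit stated in this article


def keycache_field(kms_cluster_name: str, key_id: str) -> bytes:
    """Build the "$kmsClusterName/$keyId" field as bytes (UTF-8 assumed)."""
    return f"{kms_cluster_name}/{key_id}".encode("utf-8")


def max_cluster_name_bytes(key_id: str) -> int:
    """Bytes left for kmsClusterName after the keyId and the '/' separator."""
    return KEYCACHE_KEYNAME_MAX_LEN - len(key_id.encode("utf-8")) - 1


def check_cluster_name(kms_cluster_name: str, key_id: str) -> dict:
    """Report whether the combined field fits, and by how many bytes it is over."""
    used = len(keycache_field(kms_cluster_name, key_id))
    return {
        "name_chars": len(kms_cluster_name),
        "name_bytes": len(kms_cluster_name.encode("utf-8")),
        "field_bytes": used,
        "budget_for_name": max_cluster_name_bytes(key_id),
        "fits": used <= KEYCACHE_KEYNAME_MAX_LEN,
        "over_by": max(0, used - KEYCACHE_KEYNAME_MAX_LEN),
    }


# keyId and cluster name taken from the article's example.
KEY_ID = "5C3AA873097E8AF8AC200B6ED3690B148D9685EC725D3E96730ADC58231FA775"
ASCII_NAME = "KMIP_Live_Resource_CL_PRE_LN06_0099"
# Constructed name: also 35 characters, but U+00DC takes 2 bytes in UTF-8.
NON_ASCII_NAME = "KMIP_Live_Resource_CL_PR\u00dc_LN06_0099"

if __name__ == "__main__":
    for name in (ASCII_NAME, NON_ASCII_NAME):
        print(name, check_cluster_name(name, KEY_ID))
```

The constructed non-ASCII name has the same 35 characters as the article's example but occupies 36 bytes, so the combined field is one byte over the limit.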

Resolution

This issue is resolved in VMware vSAN 6.7.x, available at VMware Downloads.

Workaround:
To work around this issue, define a shorter KMS Cluster name (= kmsClusterName).