The status of the Native Key Provider could not be changed to "Active" and remained in "Warning" after backing up the Key Provider.

Article ID: 398491

Products

VMware vSphere ESXi
VMware vSphere ESXi 8.0

Issue/Introduction

When configuring a Native Key Provider, its status could not be changed to "Active" and remained in "Warning" after the Key Provider was backed up.
Adding the Native Key Provider and backing it up both completed without error, but the status still did not change to "Active".

In /var/log/vmware/vpxd/vpxd.log on the vCenter Server, error messages similar to the following appear:

YYYY-MM-DDThh:mm:ss.XXXZ error vpxd[XXXXX] [Originator@XXXX sub=CryptoManager opID=XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX-XX] Failed to invoke kmxa vAPI "Providers.Delete" on host <hostname>.
--> JWT Error:
--> {
--> "ERROR": {
--> "com.vmware.vapi.std.errors.unauthorized": {
--> "data": {
--> "OPTIONAL": null
--> },
--> "error_type": {
--> "OPTIONAL": "UNAUTHORIZED"
--> },
--> "messages": []
--> }
--> }
--> }
YYYY-MM-DDThh:mm:ss.XXXZ error vpxd[XXXXX] [Originator@XXXX sub=CryptoManager opID=XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX-XX] Failed to delete native key provider on host-XXXX :
--> N4Vpxd7Clients21UnauthorizedExceptionE(Error:
--> com.vmware.vapi.std.errors.unauthorized
--> No messages!
--> )


In /var/run/log/kmxa.log on the ESXi host, error messages similar to the following appear:

YYYY-MM-DDThh:mm:ss.XXXZ Er(163) kmxa[131542]: [Originator@XXXX sub=Default opID=opId-vmcrypt-vapi-YYYY-MM-DDThh:mm:ss.XXXXXXX-XX] MethodResult [FAIL] (MethodId:com.vmware.esx.trusted_infrastructure.kms.providers.create),Error:
YYYY-MM-DDThh:mm:ss.XXXZ Er(163) kmxa[131524]: --> com.vmware.vapi.std.errors.unauthorized
YYYY-MM-DDThh:mm:ss.XXXZ Er(163) kmxa[131524]: --> No messages!
YYYY-MM-DDThh:mm:ss.XXXZ Er(163) kmxa[131524]: -->
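The two log excerpts above share one signature: a CryptoManager failure in vpxd.log paired with com.vmware.vapi.std.errors.unauthorized, and a kmxa MethodResult [FAIL] on the kms.providers API with the same unauthorized error. The following PowerShell function is an added example, not part of the KB article, that screens exported vpxd.log and kmxa.log lines for that pairing so the apiForwarder check in the Resolution can be done before a support case is opened. The function name, parameter names and the sample log lines are constructed for this example; the placeholder values in the sample lines follow the article's redaction style.

```powershell
# Added example (not from the KB article): triage exported vpxd.log / kmxa.log
# lines for the Native Key Provider "unauthorized" signature described above.
# Function and parameter names are assumptions chosen for this example.
function Test-NkpUnauthorizedSignature {
    param(
        [string[]]$VpxdLines = @(),
        [string[]]$KmxaLines = @()
    )

    # vpxd side: CryptoManager failing to call the kmxa vAPI on a host.
    $vpxdFail = @($VpxdLines | Where-Object {
        $_ -match 'sub=CryptoManager' -and
        $_ -match 'Failed to (invoke kmxa vAPI|delete native key provider)'
    })

    # Either log: the vAPI unauthorized error that accompanies the failure.
    $unauthorized = @(($VpxdLines + $KmxaLines) | Where-Object {
        $_ -match 'com\.vmware\.vapi\.std\.errors\.unauthorized'
    })

    # kmxa side: the kms.providers create/delete method reporting FAIL.
    $kmxaFail = @($KmxaLines | Where-Object {
        $_ -match 'MethodResult \[FAIL\].*kms\.providers\.(create|delete)'
    })

    # Hosts named in the vpxd failures ("on host <name>" or "on host-NNNN").
    $hosts = @($vpxdFail | ForEach-Object {
        if ($_ -match 'on (host-\d+|host \S+?)\.?\s*:?\s*$') { $Matches[1] -replace '^host ', '' }
    } | Sort-Object -Unique)

    [pscustomobject]@{
        VpxdFailures        = $vpxdFail.Count
        KmxaFailures        = $kmxaFail.Count
        UnauthorizedErrors  = $unauthorized.Count
        AffectedHosts       = $hosts
        # All three indicators together point at the apiForwarder cause in this article.
        MatchesArticle      = ($vpxdFail.Count -gt 0 -and $kmxaFail.Count -gt 0 -and $unauthorized.Count -gt 0)
    }
}

# Constructed sample lines (placeholders, not real log data) for a stand-alone run.
$sampleVpxd = @(
    '2024-01-01T10:00:00.000Z error vpxd[12345] [Originator@6876 sub=CryptoManager opID=00000000-0000-0000-0000-000000000000-00] Failed to invoke kmxa vAPI "Providers.Delete" on host esxi01.example.invalid.',
    '--> "com.vmware.vapi.std.errors.unauthorized": {',
    '2024-01-01T10:00:00.001Z error vpxd[12345] [Originator@6876 sub=CryptoManager opID=00000000-0000-0000-0000-000000000000-00] Failed to delete native key provider on host-1001 :'
)
$sampleKmxa = @(
    '2024-01-01T10:00:00.000Z Er(163) kmxa[131542]: [Originator@6876 sub=Default opID=opId-vmcrypt-vapi-2024-01-01T10:00:00.0000000-00] MethodResult [FAIL] (MethodId:com.vmware.esx.trusted_infrastructure.kms.providers.create),Error:',
    '2024-01-01T10:00:00.000Z Er(163) kmxa[131524]: --> com.vmware.vapi.std.errors.unauthorized'
)

Test-NkpUnauthorizedSignature -VpxdLines $sampleVpxd -KmxaLines $sampleKmxa | Format-List
```

Feed the function real exports with `Get-Content -Path .\vpxd.log` and `Get-Content -Path .\kmxa.log`; a result with `MatchesArticle` set to `True` and one or more `AffectedHosts` is the cue to verify the apiForwarder service on those hosts.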

Environment

VMware vSphere ESXi 8.x

Cause

This issue may occur on ESXi 8.0U2 or later. The Native Key Provider enablement operation initiated by vCenter Server depends on the "apiForwarder" service on the ESXi host; if that service is not running, the operation fails.

Resolution

  • Ensure that the "apiForwarder" service is running and that its startup policy is set to "Start and stop with host".
    This can be changed from the ESXi UI:

    https://<IP_of_ESXi>/ui/#/host/manage/services

    Select the apiForwarder service, right-click it, change the Policy to "Start and stop with host", and start the apiForwarder service.

  • If you are configuring the Native Key Provider, complete the step above, then reconnect the ESXi host by performing the following steps:

1. Log in to the vSphere Client.
2. Right-click on the ESXi host in the Inventory.
3. Under the "Connection" menu, select "Disconnect."
Note: A "Disconnect host" task will appear in the Recent Tasks pane.
4. Wait until the task status changes to "Completed."
5. Right-click on the ESXi host in the Inventory again.
6. Under the "Connection" menu, select "Connect."
Note: A "Reconnect host" task will appear in the Recent Tasks pane.
7. Wait until the task status changes to "Completed."

NOTE: To reconnect the ESXi host safely, place the host into maintenance mode before proceeding.
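The same check, remediation and reconnect can be driven from PowerCLI, which is useful when more than one host must be verified. The script below is an added example written for this article, not code from the KB or from VMware; it assumes the VMware.PowerCLI module is installed and that `Connect-VIServer` has already been run against the vCenter Server. The function names and the `-HostName` / `-EnterMaintenance` parameters are assumptions; the service key `apiForwarder` and the policy "Start and stop with host" (PowerCLI value `On`) come from the article.

```powershell
# Added example (not from the KB article or VMware): PowerCLI equivalent of the
# Resolution steps. Assumes an existing Connect-VIServer session to vCenter.
# Function and parameter names are assumptions chosen for this example.

# Audit: report the apiForwarder state for every connected host, or one host.
function Get-ApiForwarderStatus {
    param([string]$HostName)

    $vmhosts = if ($HostName) { Get-VMHost -Name $HostName } else { Get-VMHost }
    foreach ($vmhost in $vmhosts) {
        $svc = Get-VMHostService -VMHost $vmhost | Where-Object { $_.Key -eq 'apiForwarder' }
        [pscustomobject]@{
            Host    = $vmhost.Name
            Present = [bool]$svc                 # absent on builds older than 8.0U2
            Running = if ($svc) { $svc.Running } else { $null }
            Policy  = if ($svc) { $svc.Policy } else { $null }
            # Healthy means running with "Start and stop with host" (PowerCLI policy 'On').
            Healthy = [bool]($svc -and $svc.Running -and $svc.Policy -eq 'On')
        }
    }
}

# Remediate one host: fix the service, verify, then disconnect/reconnect.
function Repair-ApiForwarderService {
    param(
        [Parameter(Mandatory)][string]$HostName,
        [switch]$EnterMaintenance
    )

    $vmhost = Get-VMHost -Name $HostName
    $svc = Get-VMHostService -VMHost $vmhost | Where-Object { $_.Key -eq 'apiForwarder' }
    if (-not $svc) {
        throw "apiForwarder service not found on $HostName (expected on ESXi 8.0U2 or later)"
    }

    # "Start and stop with host" in the UI is Policy = On in PowerCLI.
    if ($svc.Policy -ne 'On') {
        Set-VMHostService -HostService $svc -Policy On -Confirm:$false | Out-Null
    }
    if (-not $svc.Running) {
        Start-VMHostService -HostService $svc -Confirm:$false | Out-Null
    }

    # Re-read the service before reconnecting so a failed start is not masked.
    $svc = Get-VMHostService -VMHost $vmhost | Where-Object { $_.Key -eq 'apiForwarder' }
    if (-not ($svc.Running -and $svc.Policy -eq 'On')) {
        throw "apiForwarder is still not running with policy 'On' on $HostName; fix the service before reconnecting"
    }

    # The article recommends maintenance mode before the reconnect.
    if ($EnterMaintenance) {
        Set-VMHost -VMHost $vmhost -State Maintenance -Confirm:$false | Out-Null
    }

    # Same sequence as the vSphere Client steps; Set-VMHost returns when each task completes.
    Set-VMHost -VMHost $vmhost -State Disconnected -Confirm:$false | Out-Null
    Set-VMHost -VMHost $vmhost -State Connected -Confirm:$false | Out-Null

    Get-ApiForwarderStatus -HostName $HostName
}

# Usage (after Connect-VIServer):
#   Get-ApiForwarderStatus | Where-Object { -not $_.Healthy }
#   Repair-ApiForwarderService -HostName 'esxi01.example.invalid' -EnterMaintenance
```

Run the audit first across the inventory; only hosts that report `Healthy = False` need the repair, and the maintenance-mode switch should be used on hosts with running workloads so that the disconnect does not interrupt them.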