vCenter Certificate Status Alarm in KMS for each key provider

Article ID: 415846


Products

VMware vCenter Server

Issue/Introduction

vCenter Certificate Shows Warning Status in KMS

Environment

VMware vCenter Server
Key Management Server (KMS)

Cause

The KMS requires the client to authenticate, but vCenter cannot present a client certificate because the client key entry for the Key Provider is missing from the VECS store. You may observe log entries similar to the ones below for each KMS server that belongs to the added Key Provider.

vpxd.log

YYYY-MM-DD HH:MM:SS.ms error vpxd[07013] [Originator@#### sub=CryptoManagerKmipWrapper opID=6726c297] Failed to connect to KMS KMSSERVER1.DOMAIN.com:5696 - Err:QLC_ERR_NEED_AUTH Failed to establish the connection, authorisation needed
YYYY-MM-DD HH:MM:SS.ms error vpxd[07047] [Originator@#### sub=CryptoManagerKmipWrapper opID=14dbfecd] Failed to connect to KMS KMSSERVER2.DOMAIN.com:5696 - Err:QLC_ERR_NEED_AUTH Failed to establish the connection, authorisation needed
YYYY-MM-DD HH:MM:SS.ms error vpxd[07058] [Originator@#### sub=CryptoManagerKmipWrapper opID=77e08b28] Failed to connect to KMS KMSSERVER3.DOMAIN.com:5696 - Err:QLC_ERR_NEED_AUTH Failed to establish the connection, authorisation needed
YYYY-MM-DD HH:MM:SS.ms error vpxd[07391] [Originator@#### sub=CryptoManagerKmipWrapper opID=5c9c3d6] Failed to connect to KMS KMSSERVER4.DOMAIN.com:5696 - Err:QLC_ERR_NEED_AUTH Failed to establish the connection, authorisation needed
YYYY-MM-DD HH:MM:SS.ms error vpxd[06989] [Originator@#### sub=CryptoManagerKmipWrapper opID=7e3495f6] Failed to connect to KMS KMSSERVER5.DOMAIN.com:5696 - Err:QLC_ERR_NEED_AUTH Failed to establish the connection, authorisation needed

If you review the log entries for one specific KMS server, you may see entries similar to the ones shown below.

vpxd.log

YYYY-MM-DD HH:MM:SS.ms info vpxd[07364] [Originator@#### sub=vpxLro opID=########] [VpxLRO] -- BEGIN lro-######## -- CryptoManager -- vim.encryption.CryptoManagerKmip.retrieveKmipKMSSERVERCert -- 528c2df8-####-####-####-a2be6846cec9(528b271c-####-####-####-9a017c036843)
YYYY-MM-DD HH:MM:SS.ms info vpxd[07364] [Originator@#### sub=CryptoManager opID=########] The certificate entry 'clientKey-CUSTOMERSKEYPROVIDER' does not exist in VECS
YYYY-MM-DD HH:MM:SS.ms info vpxd[07364] [Originator@#### sub=CryptoManager opID=########] The Vecs string entry 'clientKey-CUSTOMERSKEYPROVIDER' does not exist in VECS
YYYY-MM-DD HH:MM:SS.ms error vpxd[07364] [Originator@#### sub=CryptoManagerKmipWrapper opID=########] Failed to connect to KMS KMSSERVER1.DOMAIN.com:5696 - Err:QLC_ERR_NEED_AUTH Failed to establish the connection, authorisation needed
YYYY-MM-DD HH:MM:SS.ms info vpxd[07364] [Originator@#### sub=CryptoManager opID=########] The certificate entry 'clientKey-CUSTOMERSKEYPROVIDER' does not exist in VECS
YYYY-MM-DD HH:MM:SS.ms info vpxd[07364] [Originator@#### sub=vpxLro opID=########] [VpxLRO] -- FINISH lro-########
YYYY-MM-DD HH:MM:SS.ms info vpxd[06987] [Originator@#### sub=vpxLro opID=########] [VpxLRO] -- BEGIN lro-######## -- CryptoManager -- vim.encryption.CryptoManagerKmip.uploadKmipKMSSERVERCert -- 528c2df8-####-####-####-a2be6846cec9(528b271c-####-####-####-9a017c036843)
YYYY-MM-DD HH:MM:SS.ms error vpxd[06987] [Originator@#### sub=CryptoManager opID=########] Cannot accept empty cert
YYYY-MM-DD HH:MM:SS.ms error vpxd[06987] [Originator@#### sub=CryptoManager opID=########] Cannot accept empty cert
YYYY-MM-DD HH:MM:SS.ms info vpxd[06987] [Originator@#### sub=CryptoManager opID=########] The certificate entry 'trustedCert_0-CUSTOMERSKEYPROVIDER' does not exist in VECS
YYYY-MM-DD HH:MM:SS.ms error vpxd[06987] [Originator@#### sub=CryptoManager opID=########] Could not add the ending certificate.The error is: 90017
YYYY-MM-DD HH:MM:SS.ms info vpxd[06987] [Originator@#### sub=CryptoManager opID=########] Schecule next KMS cert expiry check task to run after 0 ms
YYYY-MM-DD HH:MM:SS.ms info vpxd[06987] [Originator@#### sub=vpxLro opID=########] [VpxLRO] -- FINISH lro-########

Note: The above log snippets may repeat many times in vpxd.log. Only a few occurrences are shown in this KB for readability.
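The following script is an added triage example and is not part of this KB or of any VMware tooling. It parses vpxd.log text for the two patterns shown above (the `QLC_ERR_NEED_AUTH` connection failures from `CryptoManagerKmipWrapper` and the "does not exist in VECS" entries from `CryptoManager`), groups the failures by KMS host and the missing entries by Key Provider, and reports whether the log matches the cause described in this article, namely a KMS demanding client authentication while the `clientKey-<provider>` entry is absent from VECS. The sample log lines embedded in the script are constructed from the excerpts above; timestamps, opIDs, the fifth KMS host and the non-auth error code on the last line are placeholders.

```python
import re
from collections import defaultdict

# Constructed sample of vpxd.log lines, modelled on the excerpts in this KB.
# Timestamps, opIDs, KMSSERVER9 and the PLACEHOLDER_OTHER_ERROR code are made up;
# they are not taken from a real environment.
SAMPLE_VPXD_LOG = """\
2024-01-01 10:00:00.001 error vpxd[07013] [Originator@6876 sub=CryptoManagerKmipWrapper opID=6726c297] Failed to connect to KMS KMSSERVER1.DOMAIN.com:5696 - Err:QLC_ERR_NEED_AUTH Failed to establish the connection, authorisation needed
2024-01-01 10:00:00.002 info vpxd[07364] [Originator@6876 sub=CryptoManager opID=1a2b3c4d] The certificate entry 'clientKey-CUSTOMERSKEYPROVIDER' does not exist in VECS
2024-01-01 10:00:00.003 info vpxd[07364] [Originator@6876 sub=CryptoManager opID=1a2b3c4d] The Vecs string entry 'clientKey-CUSTOMERSKEYPROVIDER' does not exist in VECS
2024-01-01 10:00:00.004 error vpxd[07047] [Originator@6876 sub=CryptoManagerKmipWrapper opID=14dbfecd] Failed to connect to KMS KMSSERVER2.DOMAIN.com:5696 - Err:QLC_ERR_NEED_AUTH Failed to establish the connection, authorisation needed
2024-01-01 10:00:00.005 info vpxd[06987] [Originator@6876 sub=CryptoManager opID=5e6f7a8b] The certificate entry 'trustedCert_0-CUSTOMERSKEYPROVIDER' does not exist in VECS
2024-01-01 10:00:00.006 error vpxd[06987] [Originator@6876 sub=CryptoManager opID=5e6f7a8b] Cannot accept empty cert
2024-01-01 10:00:00.007 error vpxd[07100] [Originator@6876 sub=CryptoManagerKmipWrapper opID=9c0d1e2f] Failed to connect to KMS KMSSERVER9.DOMAIN.com:5696 - Err:PLACEHOLDER_OTHER_ERROR some other failure
"""

# "Failed to connect to KMS <host>:<port> - Err:<code> ..." from the KMIP wrapper.
KMS_CONNECT_FAIL_RE = re.compile(
    r"sub=CryptoManagerKmipWrapper .*?Failed to connect to KMS "
    r"(?P<kms>\S+?):(?P<port>\d+) - Err:(?P<err>\S+)"
)
# "The certificate entry '<kind>-<provider>' does not exist in VECS" and the
# "Vecs string entry" variant. The entry kind (clientKey, trustedCert_0, ...)
# is the part before the first '-'; the Key Provider name is the rest.
VECS_MISSING_RE = re.compile(
    r"The (?:certificate|Vecs string) entry '(?P<entry>[^']+)' does not exist in VECS"
)


def analyse_vpxd_log(text):
    """Summarise KMS connection failures and missing VECS entries in vpxd.log text."""
    need_auth = defaultdict(int)    # KMS host -> count of QLC_ERR_NEED_AUTH
    other_fail = defaultdict(int)   # KMS host -> count of other connect errors
    missing = defaultdict(set)      # Key Provider -> set of missing entry kinds
    for line in text.splitlines():
        m = KMS_CONNECT_FAIL_RE.search(line)
        if m:
            bucket = need_auth if m.group("err") == "QLC_ERR_NEED_AUTH" else other_fail
            bucket[m.group("kms")] += 1
            continue
        m = VECS_MISSING_RE.search(line)
        if m:
            kind, _, provider = m.group("entry").partition("-")
            missing[provider].add(kind)
    return {
        "need_auth_by_kms": dict(need_auth),
        "other_failures_by_kms": dict(other_fail),
        "missing_vecs_entries": {p: set(k) for p, k in missing.items()},
    }


def providers_missing_client_key(report):
    """Key Providers whose clientKey-<provider> entry is absent from VECS."""
    return sorted(p for p, kinds in report["missing_vecs_entries"].items()
                  if "clientKey" in kinds)


def matches_kb_cause(report):
    """True when the log shows the pattern this KB describes: at least one KMS
    rejecting the connection with QLC_ERR_NEED_AUTH and at least one Key
    Provider with no client key in VECS."""
    return bool(report["need_auth_by_kms"]) and bool(providers_missing_client_key(report))


if __name__ == "__main__":
    import sys
    # Pass a path to a real vpxd.log as the first argument; otherwise the
    # constructed sample is analysed.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_VPXD_LOG
    rep = analyse_vpxd_log(text)
    for kms, n in sorted(rep["need_auth_by_kms"].items()):
        print(f"{kms}: {n} x QLC_ERR_NEED_AUTH")
    for kms, n in sorted(rep["other_failures_by_kms"].items()):
        print(f"{kms}: {n} x other connection errors")
    for prov in providers_missing_client_key(rep):
        print(f"Key Provider {prov!r}: clientKey entry missing from VECS")
    print("Matches KB cause (missing client key):", matches_kb_cause(rep))
```

Run it against a copy of vpxd.log taken from the vCenter Server Appliance. A KMS host that appears only under "other connection errors" is failing for a reason this KB does not cover (network, TLS, or the KMS itself) and should be investigated separately; only the combination of `QLC_ERR_NEED_AUTH` and a missing `clientKey-<provider>` entry points at the certificate/key pair configured for the Key Provider.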

Resolution

During KMS trust configuration, verify that the correct setup method and the matching certificate/key pair are used. If an incorrect certificate or key was initially configured, repeat the process with the correct pair to successfully establish the trust relationship.

For more information on adding a KMS Key Provider, please refer to the following document: Add a Standard Key Provider Using the vSphere Client

For more information on establishing a trusted connection for a Standard Key Provider by exchanging certificates, please refer to the following document: Establish a Standard Key Provider Trusted Connection by Exchanging Certificates

Additional Information

For detailed information on configuring and managing a Standard Key Provider, please refer to the following document and its related subtopics: Configuring and Managing a Standard Key Provider