Configuration of native key provider cannot be completed and fails with the error "Backup of Native Key Provider Failed"



Article ID: 417441


Products

VMware vCenter Server

Issue/Introduction

When attempting to configure a Native Key Provider in vCenter Server, the process may fail with the following error message:

“Backup of native key provider failed.”



Running the following command confirms that the Primary Network Identifier (PNID) and hostname are correctly configured:

/usr/lib/vmware-vmafd/bin/vmafd-cli get-pnid --server-name localhost

However, when listing the key providers, the health status of the native key provider appears as ERROR:

dcli com vmware vcenter cryptomanager kms providers list

|---------|------|------|
|provider |health|type  |
|---------|------|------|
|PRGX-NKP1|ERROR |NATIVE|


This issue prevents the completion of the Native Key Provider configuration and interrupts the backup process.
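A small pre-check script, added here as an example and not part of this article or of VMware's tooling: it wraps the two diagnostics shown above (PNID versus hostname, and provider health from the dcli listing) so an administrator can confirm the vCenter side is healthy before looking at the browser. The sample table and provider names are constructed, and `hostname -f` is assumed to return the appliance FQDN.

```sh
#!/bin/sh
# Pre-check for a Native Key Provider backup: the PNID must match the
# hostname, and every provider listed by dcli must report health OK.

# DNS names are case-insensitive, so compare PNID and hostname lowercased.
pnid_matches_hostname() {
  pnid=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
  host=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
  [ -n "$pnid" ] && [ "$pnid" = "$host" ]
}

# Reads the table printed by
#   dcli com vmware vcenter cryptomanager kms providers list
# on stdin and prints "<provider> <health> <type>" for rows whose health is not OK.
nkp_unhealthy_providers() {
  awk -F'|' '
    /^[|]-/ { next }                          # |------| separator rows
    NF < 4  { next }                          # anything that is not a table row
    {
      p = $2; h = $3; t = $4
      gsub(/^[ \t]+|[ \t]+$/, "", p)          # trim cell padding
      gsub(/^[ \t]+|[ \t]+$/, "", h)
      gsub(/^[ \t]+|[ \t]+$/, "", t)
      if (p == "provider") next               # header row
      if (h != "OK") print p, h, t
    }'
}

# Constructed sample of the dcli output (provider names are made up).
SAMPLE_PROVIDERS='|---------|------|------|
|provider |health|type  |
|---------|------|------|
|PRGX-NKP1|ERROR |NATIVE|
|PRGX-NKP2|OK    |NATIVE|'

# Live check on a vCenter appliance, using the commands from the article.
# Assumption: hostname -f returns the appliance FQDN.
nkp_precheck() {
  pnid=$(/usr/lib/vmware-vmafd/bin/vmafd-cli get-pnid --server-name localhost)
  if ! pnid_matches_hostname "$pnid" "$(hostname -f)"; then
    echo "PNID '$pnid' does not match hostname '$(hostname -f)'" >&2
    return 1
  fi
  bad=$(dcli com vmware vcenter cryptomanager kms providers list | nkp_unhealthy_providers)
  if [ -n "$bad" ]; then
    printf 'Unhealthy key providers:\n%s\n' "$bad" >&2
    return 1
  fi
  echo "PNID and key provider health look fine; retry the backup from a private window."
}
```

Run `nkp_precheck` on the appliance shell; a non-zero exit points at a vCenter-side problem, while a clean pass with the backup still failing points at the browser session, as described in this article.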

Environment

VMware vCenter Server 8.x

Cause

The following checks verified a healthy vCenter environment:

  • Hostname and PNID were correctly aligned.

  • The vpxd.conf endpoint configuration was valid and free from syntax or permission errors.

  • Ownership and permissions for relevant configuration files (e.g., /etc/vmware-rhttpproxy/endpoints.conf.d/vpxd.conf) were properly set.

  • vCenter services and dependencies were functioning as expected.

The issue is caused by browser-level security restrictions.

Root Cause Explanation

Modern browsers enforce strict same-origin and security policies that can block or restrict the download of dynamically generated files, including the backup file created during the Native Key Provider export process.

When the backup operation is initiated from the vSphere Client UI, the browser validates the source of the operation. Cached session data or outdated authentication tokens may cause the browser to block the download or to mishandle the backup file. This behavior leads to the “Backup of native key provider failed” error.

This finding was confirmed through multiple validation steps:

  • Verification via CLI, VAMI, and vSphere UI confirmed proper configuration.

  • Logging in using the SSO administrator account eliminated permission-related causes.

  • System health checks and service statuses were normal.

These tests ruled out configuration or service-level issues, confirming the root cause was related to browser cache or session security behavior.

Resolution

To resolve the issue:

  1. Access the vSphere Client in Incognito (Private Browsing) mode.

    • Open a new Incognito/Private window in the web browser.

    • Log in to the vCenter Server UI.

  2. Reattempt the Native Key Provider backup.

    • Navigate to Security > Key Providers in the vSphere Client.

    • Perform the Backup Native Key Provider operation again.

  3. The backup should now complete successfully without errors.

This confirms that the browser’s cache and stored session data were preventing the operation from completing during standard browsing sessions.

Additional Information

  • Accessing the vSphere Client in Incognito mode bypasses existing browser cache, stored cookies, and session data. This helps prevent conflicts with cached authentication or stale session tokens.

  • No mismatches or configuration issues were found within vCenter Server or its components.

  • The issue was entirely browser-related and did not require any vCenter configuration changes.

Recommendations

To prevent similar issues in the future:

  • Perform sensitive operations, such as Native Key Provider backup or restore, in a private browsing session.

  • Clear browser cache and cookies periodically before performing administrative actions.

  • Ensure that browsers used to access vSphere Client are updated to the latest stable version.