vSphere Replication (Embedded Server) shows as disconnected in Site Recovery UI after applying a CA-signed certificate

Article ID: 418168

Updated On:

Products

VMware Live Recovery

Issue/Introduction

Issue Verification:

  • The embedded replication server shows as disconnected in the Site Recovery UI.
  • VM replications continue to show as Active.
  • The Site Pair for vSphere Replication appears as Not Connected.

Environment

  • VMware Live Recovery 9.x

Cause

  • The issue occurs because the CA-signed certificate is generated without including the “Client Authentication” property in its Enhanced Key Usage (EKU) section.
  • The Client Authentication EKU is required for the TLS connections in which this certificate is presented as a client certificate. Without this property, the connection handshake fails, and the server cannot authenticate properly.
  • The /var/log/vmware/hms/hms.0000*.log file will show repeated authentication and connection errors. The log entries indicate that the vSphere Replication service could not complete client certificate validation during the connection attempt.

2025-11-10 14:31:51.145 WARN  impl.hms.ServerImplHms [hms-main-thread-5763] (..net.impl.VmomiConnectionBase) {operationID=pgrhz-HMS-12645} [] | Failed to init vmomi client for HMS@2059504922
java.util.concurrent.CompletionException: com.vmware.vim.binding.vmodl.RuntimeFault: The client did not supply a certificate, or the server is not configured to support client certificates
        at java.util.concurrent.CompletableFuture.encodeRelay(Unknown Source) ~[?:?]

2025-11-10 14:31:51.146 WARN  impl.hms.ServerImplHms [hms-main-thread-5763] (..net.impl.CreateVlsiClientFlow) {operationID=pgrhz-HMS-12645} [] | HMS@2059504922:Failed to init client
java.util.concurrent.CompletionException: com.vmware.vim.binding.vmodl.RuntimeFault: The client did not supply a certificate, or the server is not configured to support client certificates

2025-11-10 14:31:51.148 INFO  impl.hms.ServerImplHms [tcweb-12] (..net.impl.VmomiConnection) {operationID=pgrhz-HMS-12645} [] | Stopping connection to HMS@2059504922.
2025-11-10 14:31:51.149 INFO  security.authentication.sm [tcweb-12] (..security.authentication.SessionManagerInternal) {operationID=pgrhz-HMS-12645} [] | Authentication failed against unknown : 8fd5966a-dcca-4df4-bb17-267fdb55da8e. VC session  '<saml2:A...sertion>' was not recognized as active for user N/A
com.vmware.vim.binding.vim.fault.InvalidLogin: VC session  '<saml2:A...sertion>' was not recognized as active for user N/A
2025-11-10 14:31:51.149 INFO  response.filter.I18nActivationResponseFilter [tcweb-12] (..response.filter.I18nActivationResponseFilter) {operationID=pgrhz-HMS-12645} [] | The localized message is: Cannot complete login due to an incorrect user name or password.

  • These errors confirm that the client authentication handshake fails because the certificate is missing the required Client Authentication capability.
  • To verify this, open the CA-signed certificate on the vSphere Replication appliance and check the Enhanced Key Usage (EKU) field under Details. Only Server Authentication will be listed, and Client Authentication will be missing.

Resolution

Regenerate a new CA-signed certificate for the vSphere Replication appliance, ensuring that the certificate includes both of the following under Enhanced Key Usage (EKU):

  • Server Authentication

  • Client Authentication

Once the new certificate is generated and applied, reconfigure the VMware Live Recovery Appliance, then verify connectivity from the Site Recovery UI.
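
The EKU check described under Cause can also be scripted against a copy of the certificate before it is applied. The following is an added example, not part of the original article or of VMware tooling: it assumes a workstation with the openssl command line (1.1.1 or later for the sample generator), and the function names, sample CN and file paths are made up for illustration.

```shell
#!/bin/sh
# Added example: check a PEM certificate for the two EKUs the article requires.

# Print the line openssl shows under "X509v3 Extended Key Usage" (empty if none).
eku_of() {
    openssl x509 -in "$1" -noout -text 2>/dev/null |
        grep -A1 'X509v3 Extended Key Usage' | tail -n 1
}

# Return 0 if both EKUs are listed, 1 if one is missing, 2 if the file
# is not a parseable certificate. A certificate with no EKU extension at
# all is reported as missing both, since the article requires both listed.
check_eku() {
    if ! openssl x509 -in "$1" -noout >/dev/null 2>&1; then
        echo "ERROR $1: not a readable PEM certificate"
        return 2
    fi
    eku=$(eku_of "$1")
    missing=""
    case "$eku" in
        *"TLS Web Server Authentication"*) ;;
        *) missing="$missing serverAuth" ;;
    esac
    case "$eku" in
        *"TLS Web Client Authentication"*) ;;
        *) missing="$missing clientAuth" ;;
    esac
    if [ -n "$missing" ]; then
        echo "FAIL $1: missing EKU:$missing"
        return 1
    fi
    echo "OK $1: Server Authentication and Client Authentication present"
}

# Constructed sample input: a throwaway self-signed certificate with the
# given EKU list. The CN and file names are made up for the example.
make_sample() {  # usage: make_sample <out.pem> <eku-list>
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=vr-sample.example.test" \
        -keyout "$1.key" -out "$1" -addext "extendedKeyUsage=$2" 2>/dev/null
}

# With a path argument, check that certificate; otherwise only define functions.
if [ "$#" -gt 0 ]; then
    check_eku "$1"
fi
```

Run it with the path to the CA-issued certificate as the only argument; a FAIL line naming clientAuth matches the condition this article describes.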