When attempting to migrate a Virtual Machine (VM) between two different vCenter Servers using Cross-vCenter vMotion, or when performing a cloning or other storage-related operation that relies on the Profile-Driven Storage (PDS) service (also known as the Storage Policy Based Management or SPBM service), the operation fails.
The following error message is displayed:
Cannot connect to profile-driven storage service.
VMware vCenter Server 8.x
The "Cannot connect to profile-driven storage service" error most frequently stems from an issue with the security and trust chain between the vCenter Servers. The Profile-Driven Storage (SPBM) service requires a secure, trusted SSL/TLS connection to operate.
The primary cause is typically an expired, invalid, or untrusted machine SSL certificate on the vCenter Server Appliance (VCSA). If the machine certificate is compromised or expired, the secure handshake necessary for inter-vCenter communication fails, causing the service to be unreachable.
To confirm whether the issue is certificate-related, run the VCF Diagnostic Tool for vSphere (VDT). This tool checks the health and validity of the vCenter Server's certificates:
Reference for VDT: For instructions on how to download, install, and run the tool, refer to the Broadcom KB article:
If the VDT reports certificate issues (e.g., "SAN contains neither hostname nor IP!"), proceed with the resolution steps below.
[FAIL] Certificate SAN Check SAN contains neither hostname nor IP!
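To cross-check the two conditions named above (expiry, and a SAN that lists neither the hostname nor the IP) by hand, the following added example inspects an exported certificate with openssl. It is not VDT code and not part of the original article; the function name, file paths, hostname and IP address are placeholders.

```bash
#!/bin/sh
# Added example (not VDT code). On a VCSA the machine SSL certificate can be
# exported first with:
#   /usr/lib/vmware-vmafd/bin/vecs-cli entry getcert \
#       --store MACHINE_SSL_CERT --alias __MACHINE_CERT > /tmp/machine_ssl.pem

# check_machine_cert CERT_PEM HOSTNAME IP
# Returns 0 only if the certificate is unexpired and its SAN lists the
# hostname or the IP address (hypothetical helper, modelled on the VDT message).
check_machine_cert() {
    cert=$1 host=$2 ip=$3 rc=0

    # -checkend 0 exits non-zero when notAfter is already in the past.
    if openssl x509 -in "$cert" -noout -checkend 0 >/dev/null 2>&1; then
        echo "[PASS] Certificate validity period"
    else
        echo "[FAIL] Certificate expired or unreadable"
        rc=1
    fi

    # Split the text dump on commas so each SAN entry sits on its own line,
    # e.g. "DNS:vc01.example.test" and "IP Address:192.0.2.10".
    entries=$(openssl x509 -in "$cert" -noout -text 2>/dev/null |
        tr ',' '\n' | sed 's/^[[:space:]]*//; s/[[:space:]]*$//')

    # Whole-line, fixed-string matches: a SAN entry that merely starts with
    # the expected hostname or IP must not satisfy the check.
    if printf '%s\n' "$entries" | grep -Fxiq "DNS:$host" ||
       printf '%s\n' "$entries" | grep -Fxq "IP Address:$ip"; then
        echo "[PASS] Certificate SAN Check"
    else
        echo "[FAIL] Certificate SAN Check: SAN contains neither $host nor $ip"
        rc=1
    fi
    return "$rc"
}

# Usage (path, hostname and IP are placeholders):
#   check_machine_cert /tmp/machine_ssl.pem vc01.example.test 192.0.2.10
```

Run the same check against both vCenter Servers involved in the migration, since the trust failure can originate on either side.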
The solution is to regenerate and replace the machine SSL certificates on the vCenter Server Appliance (VCSA) to re-establish a trusted communication channel for all services, including the Profile-Driven Storage service.
Follow these steps to resolve the issue:
Access the VCSA: Use SSH to connect to the vCenter Server Appliance.
Launch Certificate Manager: Execute the vSphere Certificate Manager utility:
/usr/lib/vmware-vmafd/bin/vmafd-server-certificate-mgmt
Select Replacement Option: Choose the appropriate option to replace the machine SSL certificate. For general renewal where the internal VMCA is the root, you typically select the option that uses the VMCA to replace all certificates.
Note: If your environment uses a Custom CA, you would select the option to import those certificates.
Complete the Workflow: Follow the utility's prompts to generate new certificates and apply them.
Restart VCSA: After the certificate replacement is complete, a full reboot of the VCSA is highly recommended to ensure all dependent services (SPBM, vpxd, etc.) correctly load and utilize the new, trusted certificates.
For detailed, step-by-step guidance on using the vSphere Certificate Manager utility, refer to the following Broadcom KB article:
Post-Resolution Test: After the VCSA has successfully rebooted, re-run the VCF Diagnostic Tool for vSphere (VDT) to confirm that the certificate health checks now pass before attempting the Cross-vCenter vMotion again.