KMS is disconnected from vCenter Server with connectivity status as "Server trusts client" after KMS-side certificate update.

Article ID: 428518

Products

VMware vCenter Server

Issue/Introduction

The connection status for the KMS shows "Server trusts client".

The vCenter Server vpxd.log contains errors like the following (timestamps, opIDs and the KMS address are redacted):

YYYY-MM-DDTHH:MM:SS.199Z error vpxd[2786322] [Originator@6876 sub=CryptoManagerKmipWrapper opID=###] Failed to connect to KMS <KMS-IP>:5696 - Err:QLC_ERR_NEED_AUTH Failed to establish the connection, authorisation needed
YYYY-MM-DDTHH:MM:SS.199Z warning vpxd[2786322] [Originator@6876 sub=CryptoManager opID=###] DiscoverVersions failed: Err:QLC_ERR_NEED_AUTH Failed to establish the connection, authorisation needed

Environment

VMware vCenter Server

Cause

A certificate update on the KMS side invalidates the trust relationship that was established between vCenter Server and the KMS, and the KMS connection is dropped as a result.

When KMS certificates are:

  • Renewed
  • Replaced
  • Re-signed by a different CA
  • Rotated without re-establishing trust

the previously exchanged certificates no longer match what the KMS presents or accepts, so the KMIP connection on port 5696 fails with QLC_ERR_NEED_AUTH ("authorisation needed") until trust is re-established.

Resolution

To resolve the issue, re-establish the trust between the vCenter Server and KMS.

  1. In the vSphere Client, select the vCenter Server in the inventory.
  2. Click Configure and select Key Providers under Security.
  3. Select the key provider.
    The KMS for the key provider is displayed.
  4. Select the KMS.
  5. From the Establish Trust drop-down menu, select "Make KMS trust vCenter".
  6. Select the option appropriate for your KMS and follow the steps.
  7. Confirm that the connection status for the KMS changes from "Server trusts client" to "Connected" and that no new QLC_ERR_NEED_AUTH entries are written to vpxd.log.
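As an added example (not part of this article or of VMware's tooling), the following shell script does the two checks an administrator typically runs around this procedure: it counts the QLC_ERR_NEED_AUTH failures in vpxd.log per KMS endpoint, and it fetches the certificate the KMS currently presents on the KMIP port so it can be compared (subject, issuer, validity, SHA-256 fingerprint) against the certificate vCenter trusted before the KMS-side update. The sample log lines in SAMPLE_LOG, the address 192.0.2.10 and the function names are constructed for illustration; the log path is the standard one on the vCenter Server Appliance.

```shell
#!/bin/sh
# Added example, not from the KB article. Triage helpers for the
# "Server trusts client" / QLC_ERR_NEED_AUTH symptom after a KMS certificate change.

# Assumption: default vpxd log location on the vCenter Server Appliance.
VPXD_LOG="${VPXD_LOG:-/var/log/vmware/vpxd/vpxd.log}"

# Constructed sample log excerpt mirroring the article's snippets (not real data).
SAMPLE_LOG='2024-01-01T00:00:00.199Z error vpxd[2786322] [Originator@6876 sub=CryptoManagerKmipWrapper opID=abc] Failed to connect to KMS 192.0.2.10:5696 - Err:QLC_ERR_NEED_AUTH Failed to establish the connection, authorisation needed
2024-01-01T00:00:00.199Z warning vpxd[2786322] [Originator@6876 sub=CryptoManager opID=abc] DiscoverVersions failed: Err:QLC_ERR_NEED_AUTH Failed to establish the connection, authorisation needed
2024-01-01T00:00:05.000Z info vpxd[2786322] [Originator@6876 sub=CryptoManagerKmipWrapper opID=def] Connected to KMS 192.0.2.11:5696'

# Read vpxd.log lines from stdin and print "<count> <host:port>" for every KMS
# endpoint that rejected vCenter with QLC_ERR_NEED_AUTH. Only lines that name
# the endpoint ("Failed to connect to KMS host:port") are counted; the paired
# "DiscoverVersions failed" warning carries no address and is ignored.
kms_need_auth() {
  grep 'QLC_ERR_NEED_AUTH' \
    | grep -o 'KMS [^ ]*:[0-9][0-9]*' \
    | sed 's/^KMS //' \
    | sort | uniq -c \
    | awk '{print $1, $2}'
}

# Show the certificate the KMS presents on its KMIP port (5696 by default).
# Compare subject, issuer and fingerprint with the KMS certificate that vCenter
# trusted when the key provider was set up; a new issuer or fingerprint is the
# KMS-side change this article describes. The handshake may be rejected because
# no client certificate is offered here, but the server certificate is still shown.
kms_server_cert() {
  host="$1"; port="${2:-5696}"
  printf '' | openssl s_client -connect "$host:$port" -showcerts 2>/dev/null \
    | openssl x509 -noout -subject -issuer -dates -fingerprint -sha256
}

# Usage on a vCenter appliance (live log and a real KMS address):
#   kms_need_auth < "$VPXD_LOG"
#   kms_server_cert kms.example.internal 5696
# Offline demonstration on the constructed sample:
printf '%s\n' "$SAMPLE_LOG" | kms_need_auth
```

Run kms_need_auth again after completing the Establish Trust procedure; an endpoint that keeps accumulating failures after trust was re-established points at a KMS that still does not accept the credentials vCenter presents.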

Additional Information

Refer to the document below for detailed steps to establish trust between vCenter Server and the KMS.

Establish a Standard Key Provider Trusted Connection by Exchanging Certificates