vSphere Replication hosts showing disconnected

Article ID: 438239

Products

VMware vSphere ESXi

VMware Live Recovery

Issue/Introduction

vSphere Replication hosts display a "Disconnected" status in the Replication Servers management interface.

The hms.log on the vSphere Replication appliance may show repeated entries related to token exchange failures when attempting to authenticate to the host, such as:

com.vmware.hms.net.TokenExchangeService [hms-ping-scheduled-thread-0] (..hms.net.TokenExchangeService) [operation <$UUID>-HMS-PING] | Exchanging SU SAML to JWT token for host < $HOSTNAME>

 Ping session: N/A on server $HOSTNAME:443/hbr failed: (vmodl.fault.SecurityError) {

   faultCause = null,

====

In the ESX host's hbr.log:

===

2026-04-22T17:47:42.009Z Db(167) hbrsrv[8132332]: [Originator@6876 sub=Default] CloseSession called for session; <$UUID, <UNIX '/var/run/vmware/proxy-hbr'>, <UNIX '/var/run/vmware/proxy-hbr'>>

2026-04-22T17:47:42.012Z Db(167) hbrsrv[8132636]: [Originator@6876 sub=SessionManager] hbr.replica.ReplicationManager.GetNextInstanceSequenceNumber: not authorized

2026-04-22T17:47:42.012Z Er(163) hbrsrv[8132636]: [Originator@6876 sub=SessionManager] SSL thumbprint login not allowed for UW.

Environment

ESX 8.0.3, vSphere Replication 9.0.2

Cause

This issue occurs due to a stale certificate trust store on the ESXi host. When the vSphere Replication appliance attempts to authenticate to the ESXi host, it presents a JSON Web Token (JWT) issued by the vCenter Server.

If the vCenter Server's root CA or STS signing certificates were recently renewed or altered, but the ESXi host's local trust store (castore.pem) was not synchronized with the updated TRUSTED_ROOTS, the ESXi host will be unable to validate the JWT signature. As a result, the Solution User (SU) token exchange fails, and the host displays as "Disconnected" in the vSphere Replication interface.
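The stale trust store described above can be confirmed by comparing certificate fingerprints between the two stores. The following Python code is an added example, not part of the original article or of VMware tooling; it assumes the vCenter TRUSTED_ROOTS store and the host's castore.pem have each been exported as a PEM bundle, and the function names and sample bundles (placeholder bytes, not real certificates) are constructed for illustration.

```python
import base64
import hashlib
import re

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def fingerprints(pem_bundle):
    """Map SHA-256 fingerprint -> first position for each certificate in a PEM bundle."""
    found = {}
    for index, match in enumerate(PEM_BLOCK.finditer(pem_bundle), start=1):
        # Strip line breaks (LF or CRLF) before decoding the base64 body to DER bytes.
        der = base64.b64decode("".join(match.group(1).split()))
        digest = hashlib.sha256(der).hexdigest().upper()
        found.setdefault(":".join(digest[i:i + 2] for i in range(0, 64, 2)), index)
    return found


def missing_from_host(vcenter_roots_pem, host_castore_pem):
    """Fingerprints trusted by vCenter but absent from the host's castore.pem."""
    host = fingerprints(host_castore_pem)
    return sorted(fp for fp in fingerprints(vcenter_roots_pem) if fp not in host)


def _pem(der):
    """Wrap bytes in PEM armor, 64 base64 characters per line."""
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


# Constructed sample data: placeholder bytes standing in for DER certificates.
OLD_ROOT = _pem(b"constructed-old-root-ca" * 8)
NEW_ROOT = _pem(b"constructed-renewed-root-ca" * 8)
VCENTER_TRUSTED_ROOTS = OLD_ROOT + NEW_ROOT   # after renewal on vCenter
STALE_HOST_CASTORE = OLD_ROOT                 # host never resynchronized
SYNCED_HOST_CASTORE = NEW_ROOT + OLD_ROOT     # after Refresh CA Certificates

if __name__ == "__main__":
    for label, store in (("stale", STALE_HOST_CASTORE), ("synced", SYNCED_HOST_CASTORE)):
        gaps = missing_from_host(VCENTER_TRUSTED_ROOTS, store)
        print(f"{label} castore.pem: {len(gaps)} root(s) missing")
        for fp in gaps:
            print("  SHA-256", fp)
```

An empty result means every root in the vCenter bundle is already present on the host, so the disconnect has a different cause than a missing root.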

Resolution

To resolve this issue, you must synchronize the certificate trust store on the affected ESXi hosts and restart the management agents.

  1. Log in to the vSphere Client.

  2. Select the affected ESXi host in the inventory.

  3. Navigate to Configure > System > Certificate.

  4. Click Refresh CA Certificates to push all certificates currently in the TRUSTED_ROOTS store of the vCenter Server VECS to the host.

  5. Open an SSH session to the affected ESXi host.

  6. Restart the management agents to apply the new certificate trust chain by running the following command (for the impact of the restart, see the note marked * under Additional Information):

     services.sh restart

  7. Navigate back to the vSphere Replication management interface and verify that the host status changes from "Disconnected" to "Connected".

  8. Repeat steps 2-7 for any other ESXi hosts showing as disconnected.

Additional Information

*Impact for Restarting Management Agents in ESX