Alert "VMware vCenter and all hosts are connected to Key Management Servers" in Native Key Provider (NKP) Environments triggered in vCenter

Article ID: 439095

Updated On:

Products

VMware vCenter Server

Issue/Introduction

  • Skyline Health alert "VMware vCenter and all hosts are connected to Key Management Servers" triggers after restarting vCenter services as per the KB "Stop, Start or Restart Services on vCenter Server 7.x/8.x"
  • The triggered alarm "VSAN data-at-rest encryption alarm 'vCenter and all hosts are connected to Key Management Servers'" is displayed in vCenter (Inventory → Hosts and Cluster → Select vCenter → Select vSAN cluster → Monitor)
  • ESXi hosts report the issue "Failed to get host encryption health result" (Inventory → Hosts and Cluster → Select vCenter → Select vSAN cluster → Monitor → Click on Issues and Alarms from the breadcrumb trail → locate vSAN from the menu → Click on Skyline Health → Click on View History Details in the vSAN cluster compliance card)
  • Under Configure → Settings → Security → Key Providers, the Native Key Provider (NKP) status in vCenter may show as "Active" with a green checkmark, yet the health alarm persists.
  • /var/log/vmware/vsan-health/vmware-vsan-health-service.log on the vCenter appliance shows errors similar to:
    2026-05-04T15:15:09.094+03:00 ERROR vsan-mgmt [#######] [VsanWcpUtil::ConnectVapi opID=noopId] Fail to connect VAPI
    Traceback (most recent call last):
      File "bora/vsan/health/vpxd/pyMoVsan/VsanWcpUtil.py", line 126, in ConnectVapi
      File "bora/vsan/health/vpxd/pyMoVsan/VsanWcpUtil.py", line 119, in _doConnectVAPI
      File "/usr/lib/vmware-vpx/vsan-health/vapi/vapi_common_client-2.100.0.egg/com/vmware/cis_client.py", line 205, in create
      File "/usr/lib/vmware-vpx/vsan-health/vapi/vapi_runtime-2.100.0.egg/vmware/vapi/bindings/stub.py", line 345, in invoke
      File "/usr/lib/vmware-vpx/vsan-health/vapi/vapi_runtime-2.100.0.egg/vmware/vapi/bindings/stub.py", line 295, in native_invoke
    com.vmware.vapi.std.error_client.Unauthenticated: (challenge: None, messages: [LocalizableMessage(id='vapi.security.authentication.invalid', default_message='Unable to authenticate user', args=[], params=None, localized=None)], data: None, error type: UNAUTHENTICATED)
    2026-05-01T15:15:09.094+03:00 ERROR vsan-mgmt [3624047] [WcpChecker::CheckHealth opID=noopId] Failed to process WCP health check
    Traceback (most recent call last):
      File "bora/vsan/health/vpxd/pyMoVsan/WcpChecker.py", line 55, in CheckHealth
      File "bora/vsan/health/vpxd/pyMoVsan/WcpChecker.py", line 75, in ProcessWcpHealth
      File "bora/vsan/health/vpxd/pyMoVsan/VsanWcpUtil.py", line 126, in ConnectVapi
      File "bora/vsan/health/vpxd/pyMoVsan/VsanWcpUtil.py", line 119, in _doConnectVAPI
      File "/usr/lib/vmware-vpx/vsan-health/vapi/vapi_common_client-2.100.0.egg/com/vmware/cis_client.py", line 205, in create
      File "/usr/lib/vmware-vpx/vsan-health/vapi/vapi_runtime-2.100.0.egg/vmware/vapi/bindings/stub.py", line 345, in invoke
      File "/usr/lib/vmware-vpx/vsan-health/vapi/vapi_runtime-2.100.0.egg/vmware/vapi/bindings/stub.py", line 295, in native_invoke
    com.vmware.vapi.std.error_client.Unauthenticated: (challenge: None, messages: [LocalizableMessage(id='vapi.security.authentication.invalid', default_message='Unable to authenticate user', args=[], params=None, localized=None)], data: None, error type: UNAUTHENTICATED)
  • Running service-control --status in a vCenter SSH session shows that "vmware-vapi-endpoint" is not running

Environment

vCenter Server 8.x

Cause

In environments using Native Key Provider (NKP), this alert indicates a failure in the communication or trust bridge between vCenter and ESXi. One of the common reasons is that the vmware-vapi-endpoint service on the vCenter Server Appliance (VCSA) is not running.

Resolution

  1. Connect to VCSA via SSH as root
  2. Enable shell:
    shell.set --enabled true
  3. Access shell: 
    shell
  4. Restart vmware-vapi-endpoint:
    service-control --restart vmware-vapi-endpoint
  5. Confirm the vmware-vapi-endpoint service is running: 
    service-control --status vmware-vapi-endpoint
  6. Return to the UI and confirm that the issue is resolved
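
A pre-check that confirms both symptoms from this article (vmware-vapi-endpoint not running, and the UNAUTHENTICATED VAPI failure in the vSAN health log) before the restart in step 4. This is an added example, not VMware code: the helper names svc_state, vapi_auth_failures and triage are hypothetical, the "Heading:" plus service-list layout of the status output is an assumption, and the sample inputs are constructed.

```shell
# Added triage example; helper names are hypothetical, not VMware tooling.
SVC=vmware-vapi-endpoint
LOG=/var/log/vmware/vsan-health/vmware-vsan-health-service.log

# stdin: `service-control --status` output. Prints the heading ("Running",
# "Stopped", ...) under which service $1 is listed, or "unknown".
# Assumed layout: "Heading:" followed by whitespace-separated service names.
svc_state() {
    awk -v svc="$1" '
        { first = 1
          if ($1 ~ /^[A-Za-z]+:$/) { state = substr($1, 1, length($1) - 1); first = 2 }
          for (i = first; i <= NF; i++)
              if ($i == svc) { print state; found = 1; exit } }
        END { if (!found) print "unknown" }'
}

# stdin: vSAN health log. Counts "Fail to connect VAPI" entries that are
# followed by the UNAUTHENTICATED error quoted in the article.
vapi_auth_failures() {
    awk '/Fail to connect VAPI/ { pending = 1 }
         pending && /UNAUTHENTICATED/ { n++; pending = 0 }
         END { print n + 0 }'
}

# $1 = service state, $2 = failure count. Prints a one-line verdict.
triage() {
    if [ "$1" = "Running" ]; then echo "NO MATCH: $SVC is running"
    elif [ "$2" -gt 0 ]; then echo "MATCH: $SVC is $1, $2 VAPI auth failure(s) logged"
    else echo "PARTIAL: $SVC is $1, no VAPI auth failures logged"
    fi
}

# Constructed sample inputs (trimmed, not captured from a real appliance).
SAMPLE_STATUS='Running:
 applmgmt lookupsvc vmware-vpxd
Stopped:
 vmcam vmware-vapi-endpoint'
SAMPLE_LOG='2026-05-04T15:15:09.094+03:00 ERROR vsan-mgmt [VsanWcpUtil::ConnectVapi opID=noopId] Fail to connect VAPI
com.vmware.vapi.std.error_client.Unauthenticated: (error type: UNAUTHENTICATED)
2026-05-04T15:15:09.094+03:00 ERROR vsan-mgmt [WcpChecker::CheckHealth opID=noopId] Failed to process WCP health check
com.vmware.vapi.std.error_client.Unauthenticated: (error type: UNAUTHENTICATED)'

# On the appliance use live data; anywhere else run against the samples.
if command -v service-control >/dev/null 2>&1 && [ -r "$LOG" ]; then
    triage "$(service-control --status 2>&1 | svc_state "$SVC")" "$(vapi_auth_failures < "$LOG")"
else
    triage "$(printf '%s\n' "$SAMPLE_STATUS" | svc_state "$SVC")" "$(printf '%s\n' "$SAMPLE_LOG" | vapi_auth_failures)"
fi
```

A MATCH verdict means the restart in step 4 addresses the logged failure; PARTIAL or NO MATCH suggests checking the related articles under Additional Information instead.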

Additional Information

"vCenter and all hosts are connected to Key Management Servers" warning is shown in Skyline Health when machine user privileges are not sufficient 

"vCenter and all hosts are connected to Key Management Servers" warning is shown in Skyline Health

"ESXi cannot connect to the KMS server" error on Skyline Health after vCenter appliance certificate change

VSAN Health warning "Failed to get host encryption health result" after resetting all certificates with VCenter Certificate Manager, Option 8