Intermittent Alarm: "ESXi VASA client certificate provision failure" with Native Platform Error 4312
Article ID: 440835

Products

VMware vCenter Server

Issue/Introduction

vCenter intermittently triggers a critical severity alarm: "ESXi VASA client certificate provision has failed" on one or more ESXi hosts. The alarm may clear automatically or persist, preventing storage provisioning operations in some environments.

  • vCenter Server reports the critical alarm for multiple hosts.
  • /var/log/vmware/vmware-sps/sps.log shows failures during the certificate provisioning workflow: 

    ERROR opId=sps-Main-244535-688 com.vmware.vim.sms.provider.ProviderFactory - provisionCASignedEsxClientCertificate failed
    com.vmware.provider.VecsException: Native platform error [code: 4312][Native platform error [code: 4312][Deleting entry by alias '##############' from store 'SMS' failed. [Server: __localhost__, User: __localuser__]]]
            at com.vmware.provider.VecsKeyStoreEngine.engineDeleteEntry(VecsKeyStoreEngine.java:121)
            at java.security.KeyStore.deleteEntry(KeyStore.java:1218)
            at com.vmware.vim.sms.util.KeyStoreHelper.removeCertFromSmsStore(KeyStoreHelper.java:112)
            at com.vmware.vim.sms.util.KeyStoreHelper.addCertToSmsTruststore(KeyStoreHelper.java:85)
            at com.vmware.vim.sms.provider.ProviderFactory.provisionAndAddCASignedEsxClientCertificate(ProviderFactory.java:1124)
            at com.vmware.vim.sms.provider.ProviderFactory$3.call(ProviderFactory.java:1282)
            at com.vmware.vim.sms.provider.ProviderFactory$3.call(ProviderFactory.java:1278)
            at java.util.concurrent.FutureTask.run(FutureTask.java:266)
            at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
            at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
            at java.lang.Thread.run(Thread.java:750)
    Caused by: com.vmware.identity.vecs.VecsGenericException: Native platform error [code: 4312][Deleting entry by alias '##############' from store 'SMS' failed. [Server: __localhost__, User: __localuser__]]
  • /var/log/vmware/vmaffd/vmafdd.log reports errors communicating with VECS:

    ERROR! [VecsIpcGetEntryByAlias] is returning [4312] and GetEntryByAlias (alias from store ID 13) returned error: 4312.

Environment

vCenter 8.x

Cause

Error code 4312 indicates that the VECS store was not initialized as expected, so retrieving the entry from it failed.

Resolution

Restarting the management services on the vCenter Server Appliance (VCSA) re-initializes the VECS store:

1. Log in to the vCenter Server Appliance via SSH as root.

2. Restart all management services using the following command:

    service-control --stop --all && service-control --start --all

3. Monitor the vSphere Client to ensure that the alarm is not seen again.
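As an added check after step 3 (not part of this KB), the script below confirms from the VCSA shell that the VECS 'SMS' store is listed and readable again and counts how many lines of sps.log carry the 4312 signature. It assumes vecs-cli at /usr/lib/vmware-vmafd/bin/vecs-cli and the sps.log path named above; the live store check is skipped when vecs-cli is not present, and the counter is exercised on constructed sample lines.

```shell
#!/bin/sh
# Added example, not from the KB: after the service restart, confirm that the
# VECS 'SMS' store can be read and that sps.log has stopped logging error 4312.
# Assumed paths: vecs-cli at /usr/lib/vmware-vmafd/bin/vecs-cli on the VCSA and
# the sps.log location named in the KB; override via environment if they differ.
VECS_CLI="${VECS_CLI:-/usr/lib/vmware-vmafd/bin/vecs-cli}"
SPS_LOG="${SPS_LOG:-/var/log/vmware/vmware-sps/sps.log}"

# Print how many lines of a log file carry the 4312 signature shown in the KB.
# A missing or empty file counts as zero rather than failing under 'set -e'.
count_vecs_4312() {
    [ -r "$1" ] || { echo 0; return 0; }
    grep -c 'Native platform error \[code: 4312\]' "$1" || true
}

# Return 0 when the SMS store is listed and its entries enumerate cleanly,
# i.e. VECS has re-initialised after 'service-control --start --all'.
# Returns 2 (skipped) when vecs-cli is not present, e.g. off the appliance.
check_sms_store() {
    [ -x "$VECS_CLI" ] || { echo "vecs-cli not found, live check skipped"; return 2; }
    "$VECS_CLI" store list | grep -qx 'SMS' || { echo "SMS store not listed"; return 1; }
    "$VECS_CLI" entry list --store SMS >/dev/null || { echo "SMS store unreadable"; return 1; }
    echo "SMS store listed and readable"
}

# Constructed sample lines (not a real log) so the counter can be exercised
# offline; the alias is a placeholder. Expected count: 2.
write_sample_log() {
    cat >"$1" <<'EOF'
INFO  opId=sps-Main-1 com.vmware.vim.sms.provider.ProviderFactory - provisionCASignedEsxClientCertificate started
ERROR opId=sps-Main-2 com.vmware.vim.sms.provider.ProviderFactory - provisionCASignedEsxClientCertificate failed
com.vmware.provider.VecsException: Native platform error [code: 4312][Deleting entry by alias 'EXAMPLE-ALIAS' from store 'SMS' failed.]
Caused by: com.vmware.identity.vecs.VecsGenericException: Native platform error [code: 4312][Deleting entry by alias 'EXAMPLE-ALIAS' from store 'SMS' failed.]
INFO  opId=sps-Main-3 com.vmware.vim.sms.provider.ProviderFactory - provisionCASignedEsxClientCertificate succeeded
EOF
}

sample="$(mktemp)"
write_sample_log "$sample"
echo "4312 hits in constructed sample: $(count_vecs_4312 "$sample")"
rm -f "$sample"
echo "4312 hits in $SPS_LOG: $(count_vecs_4312 "$SPS_LOG")"
check_sms_store || true
```

Run it once before the restart and once after; a non-zero count that keeps growing after the services are back up means the alarm is not clearing and the log bundles in the note below are needed.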

Note: If the issue persists, collect the vCenter Server and ESXi host log bundles and open a support request with Broadcom Technical Support for further investigation.

The following KB articles provide instructions for collecting the required diagnostic logs:

Collecting diagnostic information for VMware vCenter Server 7.x and 8.x (330178)
Collecting diagnostic information for ESXi/ESX hosts and vCenter Server using the vSphere Web Client (326299)

Once the logs have been collected, please attach them to the support case to assist with detailed analysis.