Connect a vCenter Server System to a Key Management Server (KMS) / Key Provider

Article ID: 329104


Products

VMware vCenter Server VMware vSphere ESXi

Issue/Introduction

Before you can use vSphere Virtual Machine Encryption to perform encryption operations, you must connect your vCenter Server to a Key Management Server (KMS) / Key Provider. The exact steps depend on the process and options that the KMS vendor supports.
This KB article explains how to connect vCenter Server to a KMS / Key Provider. Because the process differs between vendors and product versions, this article gives only an overview.

Prerequisites

Before you start this process, you have to install the KMS / Key Provider in your environment. Follow the instructions from the KMS / Key Provider vendor.


Environment

VMware vCenter Server 6.5.x
VMware vSphere ESXi 6.7
VMware vCenter Server 6.7.x
VMware vCenter Server Appliance 6.5.x
VMware vCenter Server 7.0.x
VMware vSphere ESXi 7.0.0
VMware vSphere ESXi 6.5

Resolution

vSphere 6.x

Task 1: Create the KMS Cluster / Key Provider

  1. Log in to the vCenter Server with the vSphere Web Client and select the vCenter Server in the inventory list.
  2. Click Configure and click Key Management Servers or Key Providers.
  3. Click Add, specify the following information for the KMS / Key Provider, and click OK.
    KMS / Key Provider cluster: Select Create new cluster for a new cluster, or select an existing cluster.
    Cluster name: Name of the KMS / Key Provider cluster that you want to create.
    Server alias: Alias that vCenter Server uses to refer to this KMS / Key Provider; it is used to connect to the KMS / Key Provider if your vCenter Server instance becomes unavailable.
    Server address and port: IP address or FQDN of the KMS / Key Provider, and the port on which vCenter Server connects to the KMS / Key Provider.
    Proxy address and port: Optional proxy address and port for connecting to the KMS / Key Provider.
    Username and password: Some KMS / Key Provider vendors allow users to isolate the encryption keys used by different users or groups by specifying a user name and password. Specify a user name only if your KMS / Key Provider supports this functionality and you intend to use it.
  4. If you want to use that KMS / Key Provider as the default source of keys, click OK when prompted.
  5. If you are using a vCenter Server Appliance, click Trust in the Trust Certificate dialog box to trust the KMS / Key Provider. Clicking Trust pins the certificate the KMS presented during this connection, so compare the certificate details shown in the dialog with the values the KMS administrator supplied out of band before you accept them.
    If you are using a vCenter Server Windows installation, you establish the trust from vCenter Server to the KMS / Key Provider in a separate step after you set up the KMS / Key Provider to trust vCenter Server. Task 2 explains the process.

Task 2: Set up the KMS / Key Provider to Trust vCenter Server

Refer to the VMware Compatibility Guide for the certified KMSs / Key Providers (listed under Platform and Compute) and for links to the partners' public documentation, which describes the steps to configure each KMS / Key Provider with VMware vSphere.

Task 3: Verify or Finalize the Trust Setup

If you are running a vCenter Server Appliance, refresh the Key Management Servers screen to verify that the trust relationship is now established. The Connection Status for the KMS / Key Provider server shows Normal (green check mark).

If you are running vCenter Server on Windows, you have to finalize the trust setup. See the vSphere 6.5 Documentation Center for details.

To integrate with a vendor's Key Management Server, use the certified vendor list in the VMware Compatibility Guide.

vSphere 7.0.x

Task 1: Create the Key Provider

  1. Log in to the vCenter Server with the vSphere Client and select the vCenter Server in the inventory list.
  2. Click Configure and click Key Management Servers or Key Providers.
  3. Click Add Standard Key Provider, specify the following information, and click Add Key Provider.
    Key Provider cluster: Select Create new cluster for a new cluster, or select an existing cluster.
    Cluster name: Name of the Key Provider cluster that you want to create.
    Server alias: Alias that vCenter Server uses to refer to this Key Provider; it is used to connect to the Key Provider if your vCenter Server instance becomes unavailable.
    Server address and port: IP address or FQDN of the Key Provider, and the port on which vCenter Server connects to the Key Provider.
    Proxy address and port: Optional proxy address and port for connecting to the Key Provider.
    Username and password: Some Key Provider vendors allow users to isolate the encryption keys used by different users or groups by specifying a user name and password. Specify a user name only if your Key Provider supports this functionality and you intend to use it.
  4. If you want to use that Key Provider as the default source of keys, click OK when prompted.
  5. If you are using a vCenter Server Appliance, click Trust in the Trust Certificate dialog box to trust the Key Provider. As in vSphere 6.x, this pins the certificate the Key Provider presented, so check its details against what the KMS administrator supplied before accepting.
    If you are using a vCenter Server Windows installation, you establish the trust from vCenter Server to the Key Provider in a separate step after you set up the Key Provider to trust vCenter Server. Task 2 explains the process.

Task 2: Set up the Key Provider to Trust vCenter Server

Refer to the VMware Compatibility Guide for the certified Key Providers (listed under Platform and Compute) and for links to the partners' public documentation, which describes the steps to configure each Key Provider with VMware vSphere.

Task 3: Verify or Finalize the Trust Setup

If you are running a vCenter Server Appliance, refresh the Key Providers screen to verify that the trust relationship is now established. The Connection Status for the Key Provider server shows Normal (green check mark).

If you are running vCenter Server on Windows, you have to finalize the trust setup. See the vSphere Documentation Center for details.
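Before clicking Trust in Task 1, and when the Connection Status in Task 3 (for either vSphere 6.x or 7.0.x) does not turn green, it helps to look at the certificate the KMS actually presents on its KMIP port from a host that can reach it. The following shell script is an added example and is not part of this KB or of VMware's tooling: it fetches the server certificate with openssl, prints its SHA-256 fingerprint, and compares it with the fingerprint the KMS administrator supplied. The host name, the port (5696 is the standard KMIP-over-TLS port, but your KMS may use another) and the expected fingerprint are assumptions you replace with your own values.

```shell
#!/bin/sh
# Added example, not part of the VMware KB: fetch the certificate a KMS
# presents on its KMIP port and compare its SHA-256 fingerprint with the
# value supplied out of band, before trusting it in vCenter Server.

# Normalise a fingerprint so that "sha256 Fingerprint=AB:CD", "ab:cd" and
# "abcd" all compare equal: drop any "label=" prefix, colons and
# whitespace, then upper-case the hex digits.
normalize_fp() {
    printf '%s' "$1" | sed 's/^.*=//' | tr -d '[:space:]:' | tr 'a-f' 'A-F'
}

# Exit status 0 if the two fingerprints match after normalisation, 1 otherwise.
fp_matches() {
    [ -n "$(normalize_fp "$1")" ] && [ "$(normalize_fp "$1")" = "$(normalize_fp "$2")" ]
}

# Print the SHA-256 fingerprint of the leaf certificate the server presents.
# The server sends its certificate before it asks for a client certificate,
# so this works even though the KMS expects mutual TLS and will reject the
# unauthenticated session once the handshake is complete.
kms_cert_fingerprint() {
    host="$1"; port="${2:-5696}"
    openssl s_client -connect "${host}:${port}" -servername "$host" </dev/null 2>/dev/null |
        openssl x509 -noout -fingerprint -sha256
}

# Compare what the KMS presents with the expected fingerprint.
# Returns 0 on match, 1 on mismatch, 2 if no certificate could be fetched.
verify_kms_cert() {
    host="$1"; port="$2"; expected="$3"
    actual="$(kms_cert_fingerprint "$host" "$port")" || return 2
    if fp_matches "$actual" "$expected"; then
        echo "OK: ${host}:${port} presents the expected certificate"
        return 0
    fi
    echo "MISMATCH: ${host}:${port} presented $(normalize_fp "$actual")" >&2
    return 1
}

# Usage (placeholder values, not from the KB):
#   verify_kms_cert kms01.example.com 5696 'AB:CD:EF:...'
```

Run it from a host that can reach the KMS through the same path vCenter Server uses (including any proxy you configured in Task 1); a mismatch means either the address points at the wrong endpoint or something in between is terminating TLS, and in both cases Trust should not be clicked until the discrepancy is explained. The network-free helpers (`normalize_fp`, `fp_matches`) are what make the comparison robust to the different fingerprint formats that openssl versions and KMS consoles print.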

To integrate with a vendor's Key Provider, use the certified vendor list in the VMware Compatibility Guide.