LabMasterBeta
Enthusiast

CANNOT back up vSphere 7.0 U3 Native Key Provider (NKP) as required to activate it per KB 84068

Testing and failing on CLEAN INSTALL.

I can create the new VMware Native Key Provider (NKP) in the vSphere 7.0 U3g Web UI, but CANNOT back it up using an IP-only setup (one that does not use FQDN or DNS, for secured air-gap environments).

KB article 84068 says VMware has fixed the IP-only use case in vSphere 7.0 Update 3 and NO LONGER requires an FQDN for backups of the NKP to work, but it is NOT fixed (or it's broken again, or I'm missing an undocumented required step..??).

NOTE: Backups are CRITICAL to avoid losing encrypted VMs or vTPMs, and the 1st backup is REQUIRED to enable the NKP service.

Official VMware KB Article 84068 says, "This issue is caused because of the Browser security. The browser is checking the origin of the code that generates the backup file and compares it with the URL. This does not match because one uses FQDN, and the other uses an IP. This is a known issue affecting VMware vSphere 7.0 U2.  Resolved in 7.0 U3."

https://kb.vmware.com/s/article/84068

But this does NOT seem to be resolved in 7.0 U3??

Or... Are there some other requirements?

We're just doing a clean install of ESXi 7.0u3f and vCenter 7.0u3g (latest as of 7/23/22)?

ATTEMPT #1: WEB UI

I've tried downloading and installing the IP-only root CA certs into my Firefox web browser (they show in the keystore as "localhost" of the vCenter), and tried disabling as much security as I could find in Firefox and Chrome, but none of that helped.

The error is always the same in the vCenter Web UI (it pops up an error instead of prompting me where to save the .p12 file):

Back up of Native Key Provider has failed.

ATTEMPT #2: POWERCLI

I tried working around the whole Web UI browser issue by doing the following:

Installed PowerCLI version 12.7 (latest as of 7/23/22) and used the new cmdlet Export-KeyProvider, added in PowerCLI v12.3, but no luck:

1. Disabled all certificate checking (set to IGNORE)

2. Disabled the proxy (set to NoProxy)

3. Disabled all PowerShell signing requirements.

4. PLUGGED THE VCENTER HOST DIRECTLY INTO THE SAME VLAN AS ESXI AND MY WORKSTATION; THERE IS NO FIREWALL.

No matter what I try, I get an error and a 0-byte file, following this guide:

https://blogs.vmware.com/PowerCLI/2021/04/new-release-powercli-12-3.html

Example:
In the Web UI we create a Native Key Provider called "NKPNAME" and have an empty folder c:\vcsa-keystore-backup. After installing PowerCLI and disabling script security / signing of the .ps1 etc., this PowerShell command, logged in to vCenter as Admin (using the IP address), is supposed to back up / save "mykeyfile.p12", but I get an error and mykeyfile is 0 bytes:

Export-KeyProvider -KeyProvider NKPNAME -FilePath c:\vcsa-keystore-backup\mykeyfile -Force

Here is the full error:

Export-KeyProvider : 7/23/2022 6:10:02 PM Export-KeyProvider An error occurred while sending the request.
At line:1 char:1
+ Export-KeyProvider -KeyProvider NKPNAME -FilePath c:\...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [Export-KeyProvider], VimException
+ FullyQualifiedErrorId : Core_BaseCmdlet_UnknownError,VMware.VimAutomation.Security.Commands.Cmdlets.KeyProvider.ExportKeyProvider

This confounds me, because after trying 2 methods (and skipping the web browser issue entirely), VMware KB article 84068 says this is supposed to work now in 7.0 U3.

But maybe I'm missing some kind of OTHER digital signature procedure besides just root CAs, because in our IP-only setup for the vCenter and ESXi hosts we are TESTING WITH A CLEAN INSTALL????

Basically, has anyone gotten this to work and HOW, and are there prerequisites for this??

EDIT/UPDATE 9/5/22: Patched both ESXi and vCenter to 7.0.3g (aka Update-3G), still does not work.

Any suggestions welcome!!
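Added example (not the OP's script and not VMware's code): the same PowerCLI export attempt described in the post, with the two checks a practitioner would run before posting the generic error. First, the certificate vCenter actually presents on the IP you connect to (Subject and SAN), since KB 84068 blames a URL/identity mismatch; second, the full InnerException chain behind "An error occurred while sending the request.", which is the wrapper message and rarely the real cause. The vCenter IP 192.0.2.10, the provider name NKPNAME and the output folder are assumptions; PowerCLI 12.3 or later is assumed to be installed.

```powershell
# Added example, not the OP's script. Assumptions: vCenter at 192.0.2.10 (placeholder IP),
# Native Key Provider named NKPNAME, output folder C:\vcsa-keystore-backup, PowerCLI >= 12.3.
$vc      = '192.0.2.10'
$nkpName = 'NKPNAME'
$outPath = 'C:\vcsa-keystore-backup\mykeyfile'   # same shape as the OP's command

function Show-ServerCert {
    # Open a raw TLS session to the address the admin actually uses and print the Subject and
    # SAN extension of the server certificate. A certificate whose SANs carry only an FQDN and
    # not the IP is exactly the URL/identity mismatch KB 84068 describes.
    param([string]$HostOrIp, [int]$Port = 443)
    $tcp = New-Object System.Net.Sockets.TcpClient($HostOrIp, $Port)
    # Accept any certificate here; we only want to read it, not trust it.
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, { param($s, $c, $ch, $e) $true })
    try {
        $ssl.AuthenticateAsClient($HostOrIp)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        Write-Host "Subject : $($cert.Subject)"
        $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }   # subjectAltName OID
        Write-Host "SAN     : $(if ($san) { $san.Format($false) } else { '<none>' })"
    } finally {
        $ssl.Close(); $tcp.Close()
    }
}

function Show-ExceptionChain {
    # PowerCLI wraps the HTTP failure in a VimException; the actionable message (TLS handshake
    # failure, name mismatch, connection reset) is usually one or two InnerExceptions down.
    param([System.Exception]$Exception)
    $depth = 0
    while ($Exception) {
        Write-Host ("{0}{1}: {2}" -f ('  ' * $depth), $Exception.GetType().FullName, $Exception.Message)
        $Exception = $Exception.InnerException
        $depth++
    }
}

Show-ServerCert -HostOrIp $vc

# The same relaxations the OP applied, limited to this PowerShell session.
Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -ProxyPolicy NoProxy -Scope Session -Confirm:$false | Out-Null

$cred = Get-Credential -Message "vCenter administrator for $vc"
Connect-VIServer -Server $vc -Credential $cred -ErrorAction Stop | Out-Null

try {
    $kp = Get-KeyProvider -Name $nkpName -ErrorAction Stop
    Export-KeyProvider -KeyProvider $kp -FilePath $outPath -Force -ErrorAction Stop
    # The export writes a PKCS#12 file; a 0-byte file means the export did not complete.
    foreach ($f in Get-ChildItem -Path "$outPath*" -ErrorAction SilentlyContinue) {
        if ($f.Length -eq 0) { Write-Warning "$($f.FullName) is 0 bytes; backup did NOT succeed" }
        else { Write-Host "Backup written: $($f.FullName) ($($f.Length) bytes)" }
    }
} catch {
    Write-Warning "Export-KeyProvider failed; exception chain:"
    Show-ExceptionChain -Exception $_.Exception
} finally {
    Disconnect-VIServer -Server $vc -Confirm:$false -ErrorAction SilentlyContinue
}
```

Run it from the same workstation and with the same IP the Web UI login uses. If the innermost exception names a certificate or hostname problem, the SAN output shows whether the vCenter certificate even contains the IP; if it names a connection reset or timeout, the browser-origin explanation in the KB is not the cause and the problem is on the network or service side.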

7 Replies
rdeadwyler
Contributor

I am experiencing the same issue specifically using the UI, running 7.0.3 and via the FQDN.  Were you able to find a solution?

acartwright
Contributor

If you're connecting via FQDN, check whether you have a CNAME for vCenter, as this can lead to some cross-site request issues in the browser.

If you connect to vCenter on the CNAME FQDN you may (as I did) hit an issue due to CORS which prevents the XMLHttpRequest to allow the certificate backup to download which causes this error message. You can view this error in the web inspector console.

Workaround - connect to vCenter via IP to back up and activate the Native KMS (VMware addresses direct IP connections in 7u2 I believe).

Kinnison
Enthusiast

Hi,

The question posed by @LabMasterBeta is completely different: if a vCenter object is set to use an IP address instead of an FQDN, because a DNS server is not available in a completely isolated context or because using one would add more or less critical dependencies (IMHO inappropriate in certain operational contexts), then the backup of "the native key provider object" will fail.

Maybe in the meantime the OP has managed to solve the problem, but I haven't.
In my specific case it was just an experiment and therefore without any concrete impact, so I didn't spend much of my time on it.

Regards,
Ferdinando

rdeadwyler
Contributor

I will verify CNAME records, but I didn't have any luck using an IP rather than the FQDN. 

LabMasterBeta
Enthusiast

To clarify a few posts:

1. No, I'm not using CNAME or any DNS at all, but I did try a few common workarounds to no avail (it still fails to back up or activate):

-(a) Tried the built-in Alias Name feature in vCenter (which is totally different from CNAME) - Didn't help.

-(b) Tried using the hosts file in ESXi *AND* on my local admin workstation - Didn't help.

-(c) Tried downloading the certificate into the web browser so I don't get the warning at login - Didn't help.

-(d) Tried disabling all security and cross-site blocking etc. in both Firefox and Chrome - Didn't help.

2. Native Key Provider for IP-only (no DNS or FQDN at all) was not EVER supported in earlier builds of vSphere 7.0...  However, so many customers complained that VMware claims to have added support for this in 7.0 U3 (as per the official KB article I cited - but I cannot make it work...).

3. I've now patched both ESXi and vCenter to 7.0 Update 3G, but the problem persists (it simply will NOT back up the Native Key Provider in my IP-only configuration, as VMware advertises it now should).

Any best-guess ideas would be really appreciated.

LabMasterBeta
Enthusiast

@acartwright  regarding, "...hit an issue due to CORS which prevents the XMLHttpRequest to allow the certificate backup to download which causes this error message..." - Can you please elaborate in detail?

I did find a VMware KB article that blames web browser security for the inability to do the NKP backup, but I was also unable to do an NKP backup with PowerCLI using its new NKP commands that I cited in my original post.

I'd be grateful for your details on what you're referring to and how to try it with the browser.

Note: I am not using DNS or CNAMEs. Just basic "IP-only", now supported in U3.

Thanks for any suggestions!!

acartwright
Contributor

My issue may have been different to yours but I can let you know how I diagnosed it in my case on the off chance it helps.

We access our vCenter via an FQDN CNAME for the actual FQDN of the vCenter server. This doesn't normally cause any issues with management; however, it was causing an issue with the p12 backup download of the native key data.

I opened the web inspector in the browser I was using (Firefox) and in the Console noticed that there was a failed CORS request to the A record for our vCenter server (i.e. not the CNAME), which was resulting in a CORS violation and preventing the download. My error could also be seen in the Network tab as a blocked (failed) xhr request due to CORS.

I was able to work around the issue by logging into vCenter via IP instead of FQDN but I don't think this is working for you. I see you've already tried the powercli method (I'm not familiar with powercli), however you may be able to try copying the failed CORS request from the Network tab of the inspector and use this with curl or Postman to workaround your issue and download a backup of your native key provider data. Given you have had difficulties with powercli this workaround method may not work either.

Andrew

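Added example (not from the thread and not vCenter's UI code): the origin comparison and CORS read check a browser applies when the vSphere UI page fires an XMLHttpRequest for the backup file. It models the three situations discussed above: the CNAME-vs-A-record case acartwright diagnosed, the IP-vs-FQDN case KB 84068 describes for 7.0 U2, and the working same-origin case. The hostnames, the IP and the request path are constructed placeholders, and the "no Access-Control-Allow-Origin header" response is an assumption that matches what a blocked xhr in the Network tab looks like, not a captured vCenter response.

```javascript
// Added example; hostnames, IP and request path below are constructed placeholders.

function originOf(urlString) {
  // RFC 6454 origin = scheme + host + port. URL.host already omits a default port,
  // so https://vc01.example.net and https://vc01.example.net:443 compare equal.
  const u = new URL(urlString);
  return `${u.protocol}//${u.host}`;
}

function isSameOrigin(pageUrl, requestUrl) {
  return originOf(pageUrl) === originOf(requestUrl);
}

// Would the browser hand the XHR response body to the page?
// responseHeaders: object keyed by lowercase header name (constructed for the scenarios).
// withCredentials: true for a session-cookie-backed UI call; that rules out the '*' wildcard.
function corsAllowsRead(pageUrl, requestUrl, responseHeaders, withCredentials) {
  const pageOrigin = originOf(pageUrl);
  const targetOrigin = originOf(requestUrl);
  if (pageOrigin === targetOrigin) {
    return { allowed: true, reason: 'same-origin request; CORS not involved' };
  }
  const acao = responseHeaders['access-control-allow-origin'];
  if (acao === undefined) {
    return { allowed: false, reason: `cross-origin ${pageOrigin} -> ${targetOrigin} with no Access-Control-Allow-Origin header` };
  }
  if (withCredentials) {
    if (acao === '*') return { allowed: false, reason: 'credentialed request; wildcard ACAO is rejected' };
    if (acao !== pageOrigin) return { allowed: false, reason: `ACAO ${acao} does not match ${pageOrigin}` };
    if (responseHeaders['access-control-allow-credentials'] !== 'true') {
      return { allowed: false, reason: 'credentialed request; Access-Control-Allow-Credentials: true missing' };
    }
    return { allowed: true, reason: 'credentialed CORS response accepted' };
  }
  if (acao === '*' || acao === pageOrigin) return { allowed: true, reason: 'CORS response accepted' };
  return { allowed: false, reason: `ACAO ${acao} does not match ${pageOrigin}` };
}

// Constructed scenarios mirroring the thread. BACKUP_PATH is a placeholder, not vCenter's endpoint.
const BACKUP_PATH = '/example/nkp-backup';
const VC_FQDN  = 'https://vc01.example.net';     // vCenter's own A record
const VC_CNAME = 'https://vcenter.example.net';  // the alias the admin types
const VC_IP    = 'https://192.0.2.10';           // IP-only lab
const NO_CORS_HEADERS = {};                      // assumption: vCenter sends no ACAO header

function scenarios() {
  return {
    // acartwright's case: logged in on the CNAME, UI code requests the A-record FQDN
    cnameToARecord: corsAllowsRead(`${VC_CNAME}/ui/`, `${VC_FQDN}${BACKUP_PATH}`, NO_CORS_HEADERS, true),
    // logged in on the A-record FQDN: same origin, download works
    fqdnToFqdn:     corsAllowsRead(`${VC_FQDN}/ui/`, `${VC_FQDN}${BACKUP_PATH}`, NO_CORS_HEADERS, true),
    // KB 84068's 7.0 U2 description: page on the IP, code builds the URL from the FQDN
    ipToFqdn:       corsAllowsRead(`${VC_IP}/ui/`, `${VC_FQDN}${BACKUP_PATH}`, NO_CORS_HEADERS, true),
    // the fixed behaviour the KB claims for 7.0 U3: page on the IP, request also on the IP
    ipToIp:         corsAllowsRead(`${VC_IP}/ui/`, `${VC_IP}${BACKUP_PATH}`, NO_CORS_HEADERS, true),
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const [name, r] of Object.entries(scenarios())) {
    console.log(`${name.padEnd(15)} ${r.allowed ? 'ALLOWED' : 'BLOCKED'}  ${r.reason}`);
  }
}
```

The practical use: read the page URL and the blocked request URL from the Network tab, run them through `isSameOrigin`, and you know whether the "Back up of Native Key Provider has failed" pop-up is a browser origin block (the two differ) or a server-side failure (they match, so CORS cannot be the cause and the curl/Postman replay acartwright suggests will likely fail the same way).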