POFIT
Enthusiast

KMS Server - Cannot established the trust connection

Jump to solution

Dear All,

I am going to configure a KMS server. When I entered the details of the KMS server and clicked OK, the following error came up. The snapshot is also attached. I have tried to solve this issue by creating the root CA, but how will I generate the private key?


Accepted Solutions
jameseydoyle
VMware Employee

Hi POFIT,

In this scenario, I can see from the screenshot that you have not yet properly configured the Client certificate by using the 'Establish Trust with KMS' wizard. The certificate requirements for KMIP clients are very specific to each KMS vendor and you cannot just pick any option of your choosing.

For example, when establishing trust with a HyTrust server, HyTrust will not establish communication with any client that does not present a certificate created by the HyTrust server itself. Therefore, you would need to use the last option of 'Upload certificate and private key'. In this case, it would require you to download the certificate that was created by the HyTrust appliance, which will include both the public certificate and the private key, and use the wizard to import it into vCenter.

Other vendors may wish to sign the certificate presented by the KMIP client, but are not too concerned about the other fields in the certificate, such as Subject Names, etc. In that case, you would use the 'New Certificate Signing Request'. In this case, the vCenter KMIP Client will generate a CSR, which you can copy to your CA, whether that's an enterprise CA such as Microsoft CA, or the CA on your KMS, and have it digitally signed with the CA as the root of trust.

In both of the above cases, the certificate you are provided by the CA or the KMS will include the private key. You should store these securely.

The other 2 wizard options, 'Root CA certificate' and 'Certificate', both invoke APIs that create a self-signed certificate on the KMIP Client. This is the least secure method, but it means that the private key and the certificate are both created by vCenter. The private key will be stored in the VECS store on the vCenter node. You won't need to access this under normal circumstances.

By the way, which KMS vendor are you using? They should provide details in their documentation as to how to set up the KMIP client in vCenter with their solution.

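The answer above describes the 'New Certificate Signing Request' flow (the KMIP client generates a key and CSR, a CA signs it, the resulting certificate is uploaded) and ends with "You should store these securely." Two checks are worth running before uploading anything: that the certificate handed back really belongs to the private key you hold, and that it chains to the CA the KMS trusts. The script below is an added example, not code from this thread or from VMware; it walks the whole flow locally with the openssl CLI (assumed to be installed). The "stand-in KMS CA" and the "vcenter-kmip-client" subject are constructed names that play the roles of the KMS or enterprise CA and of the vCenter KMIP client, and no KMS is contacted.

```shell
#!/bin/sh
# Added example (not from the thread): the CSR-based trust flow the answer
# describes, run locally with openssl, plus the two checks a practitioner
# would do on the certificate that comes back. All names are constructed.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Stand-in for the CA on the KMS (or an enterprise CA): a throwaway root.
make_stand_in_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=stand-in KMS CA" \
        -keyout "$WORK/kms-ca.key" -out "$WORK/kms-ca.crt" >/dev/null 2>&1
}

# Stand-in for vCenter generating the KMIP client's key and CSR.
# The private key stays on the client side; only the CSR goes to the CA.
make_client_csr() {
    openssl req -new -newkey rsa:2048 -nodes \
        -subj "/CN=vcenter-kmip-client" \
        -keyout "$WORK/client.key" -out "$WORK/client.csr" >/dev/null 2>&1
}

# The CA signs the CSR and returns the certificate you would upload.
sign_client_csr() {
    openssl x509 -req -days 30 -in "$WORK/client.csr" \
        -CA "$WORK/kms-ca.crt" -CAkey "$WORK/kms-ca.key" -CAcreateserial \
        -out "$WORK/client.crt" >/dev/null 2>&1
}

# Check 1: the returned certificate belongs to the private key you hold.
# Compare the public keys (hashed PEM) instead of trusting file names.
cert_matches_key() {
    cert="$1"; key="$2"
    a=$(openssl x509 -in "$cert" -noout -pubkey | openssl sha256)
    b=$(openssl pkey -in "$key" -pubout 2>/dev/null | openssl sha256)
    [ "$a" = "$b" ]
}

# Check 2: the certificate chains to the CA the KMS trusts.
cert_chains_to_ca() {
    cert="$1"; ca="$2"
    openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1
}

run_demo() {
    make_stand_in_ca
    make_client_csr
    sign_client_csr
    cert_matches_key "$WORK/client.crt" "$WORK/client.key" || return 1
    cert_chains_to_ca "$WORK/client.crt" "$WORK/kms-ca.crt" || return 1
    # A key that did not produce this CSR must not pass check 1.
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$WORK/other.key" >/dev/null 2>&1
    if cert_matches_key "$WORK/client.crt" "$WORK/other.key"; then
        return 1
    fi
    echo "client certificate verified against its key and the CA"
}

run_demo
```

Check 1 is the one that catches the common mistake of uploading a certificate that was issued for a different CSR (or a re-generated key); check 2 is what the KMS itself will effectively do during the TLS handshake on port 5696, so running it first saves a round of "Cannot establish trust connection" errors.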

4 Replies
TheBobkin
VMware Employee

Hello POFIT,

Does the KMS have an IPv6 address?

If so then the following may be your issue and workaround:

"vCenter Server system cannot connect to a KMS using the IPv6 address

vCenter Server can connect to a Key Management Server (KMS) only if the KMS has an IPv4 address or a host name that resolves to an IPv4 address. If the KMS has an IPv6 address, the following error occurs when you add the KMS to the vCenter Server system.

Cannot establish trust connection

Workaround: Configure an IPv4 address for the KMS."

https://docs.vmware.com/en/VMware-vSphere/6.5/rn/vsphere-esxi-vcenter-server-65-release-notes.html

What have you tried for resolving the trust issue?

Do you get an error when you click the 'Establish Trust with KMS' button? Try that and then upload the cert and private key:

Creating the KMS Cluster in vSphere

Have you tried the following steps or something else?:

https://docs.vmware.com/en/VMware-vSphere/6.5/com.vmware.vsphere.virtualsan.doc/GUID-F9905586-AFA4-4...

If the above is not applicable - anything that could be blocking port 5696 and/or any other settings such as proxy on the vCenter that could be preventing connection?

Just an FYI: you might have more luck posting this in the vSphere sub-communities, as this may not be a vSAN-specific issue.

Bob

broreg
VMware Employee

If you're just doing some testing, William Lam has a good article on spinning up a KMIP server on Docker for some quick test driving.

https://www.virtuallyghetto.com/2016/12/kmip-server-docker-container-for-evaluating-vm-encryption-in...

https://www.virtuallyghetto.com/2017/04/easily-try-out-vsan-6-6-encryption-feature-using-kmip-docker...

Cheers, Brian
TheBobkin
VMware Employee

Hello POFIT,

Did you manage to resolve this issue and if so what was the cause and solution?

Bob
