VMware Cloud Community
Raudi
Expert

VMware native Key Provider shows "Warning" status

Hi,

I have created a Native Key Provider. It seems to be working, because I can create a Windows 11 VM with TPM and was able to install it.

But the status is "warning" and at "Active" it isn't green.

Where can I see why it is showing a warning?

Kind regards

Stefan

4 Replies
Raudi
Expert

I tested something...

When creating a native key provider, it becomes "Active" only when I leave the option "Use key provider only with TPM protected ESXi hosts (Recommended)" checked.

When removing that option during creation, the entry doesn't become "Active" and has a permanent "Warning".

Has something changed in U3?

Raudi
Expert

I watched some videos regarding the creation of a native key provider. This has changed in U3!

In U2 the option "Use key provider only with TPM protected ESXi hosts (Recommended)" isn't checked by default. In U3 this option is checked by default.

And in the videos the Native Key Provider changes the status to Active right after the backup.

Perhaps the warning should tell me that the Native Key Provider doesn't use a hardware TPM from the ESXi host, so it is less secure. But this is only a guess...

Raudi
Expert

O.k.

The warning concerns two of my four hosts. When removing the two hosts which I have connected via VPN, the warning is gone.

When adding them again to the vCenter, the warning came back.

In the vpxd.log I found some errors:

error vpxd[08748] [Originator@6876 sub=CryptoManager opId=caf96fb2-8c63-4d2d-9090-154e9a73616b-e9] Failed to call com.vmware.esx.authentication.token.create on host [vim.HostSystem:host-23921329,vmsrv06.xxxx.local]
[...]
--> "N7Vmacore15SystemExceptionE(Connection refused: The remote service is not running, OR is overloaded, OR a firewall is rejecting connections.)\n[context]
[...]
-->  "id": "vapi.send.failed"
[...]
error vpxd[08748] [Originator@6876 sub=CryptoManager opId=caf96fb2-8c63-4d2d-9090-154e9a73616b-e9] Failed to get key providers vSphere Native Key Provider status on [vim.HostSystem:host-23921329,vmsrv06.xxxx.local]:
-->   vapi.send.failed.
error vpxd[08748] [Originator@6876 sub=CryptoManager opId=caf96fb2-8c63-4d2d-9090-154e9a73616b-e9] Failed to query key providers vSphere Native Key Provider status on host-23921329: internal error.

The error is the same for both hosts; they are Dell R720 servers with vSphere 7.0.3, o.k. not supported, but I don't think that this is related to the host hardware. And I created the Key Provider for use "without" a TPM in the host hardware...

And more confusing is that when I create one for use with TPM host hardware, the state is active and it shows no problems.

The complete network is open through the VPN and I never had issues in the past. This is the first service that causes problems.

Any ideas what can cause such problems?

I think I will deploy a vCenter on one of the problematic hosts to see if the problem is local too, and then I can add one of my working hosts via VPN from the other side to test...

Or I ignore that error; for my two local SuperMicro hosts I have ordered two TPM 2.0 modules, so I can configure it with host hardware and then it doesn't show an error...

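The vpxd.log excerpt above is what tells you which host is behind the key provider's "Warning": vCenter's CryptoManager logs the ESXi host it could not query, and the `-->` continuation lines carry the underlying reason. The following Python script is an added example for this thread, not VMware tooling or the poster's own code. It groups vpxd.log records with their continuation lines and reports, per host, the opIds and failure reasons behind CryptoManager errors that mention the Native Key Provider. The sample input reuses the lines quoted above for host-23921329 (vmsrv06.xxxx.local); the healthy host-10 (vmsrv01.example.local) and the second failing host-99999 (vmsrv07.example.local) are constructed for the example and do not appear in the thread.

```python
import re

# Sample vpxd.log lines. The CryptoManager error lines for host-23921329 are
# the ones quoted in the post above; the 'info' line for host-10 and the
# error lines for host-99999 are constructed for this example.
LOG_LINES = [
    'error vpxd[08748] [Originator@6876 sub=CryptoManager opId=caf96fb2-8c63-4d2d-9090-154e9a73616b-e9] Failed to call com.vmware.esx.authentication.token.create on host [vim.HostSystem:host-23921329,vmsrv06.xxxx.local]',
    r'--> "N7Vmacore15SystemExceptionE(Connection refused: The remote service is not running, OR is overloaded, OR a firewall is rejecting connections.)\n[context]',
    '-->  "id": "vapi.send.failed"',
    'error vpxd[08748] [Originator@6876 sub=CryptoManager opId=caf96fb2-8c63-4d2d-9090-154e9a73616b-e9] Failed to get key providers vSphere Native Key Provider status on [vim.HostSystem:host-23921329,vmsrv06.xxxx.local]:',
    '-->   vapi.send.failed.',
    'error vpxd[08748] [Originator@6876 sub=CryptoManager opId=caf96fb2-8c63-4d2d-9090-154e9a73616b-e9] Failed to query key providers vSphere Native Key Provider status on host-23921329: internal error.',
    # constructed: a healthy host that must not be reported
    'info vpxd[08748] [Originator@6876 sub=CryptoManager opId=00000000-0000-0000-0000-000000000001] Queried key providers vSphere Native Key Provider status on host [vim.HostSystem:host-10,vmsrv01.example.local]',
    # constructed: a second host that vCenter cannot reach
    'error vpxd[08748] [Originator@6876 sub=CryptoManager opId=00000000-0000-0000-0000-000000000002] Failed to get key providers vSphere Native Key Provider status on [vim.HostSystem:host-99999,vmsrv07.example.local]:',
    '-->   vapi.send.failed.',
]

# Header of a vpxd record: level, process id, subsystem, opId and message.
RECORD_RE = re.compile(
    r"^(?P<level>\w+)\s+vpxd\[(?P<pid>\d+)\]\s+\[Originator@\d+\s+sub=(?P<sub>\S+)"
    r"\s+opId=(?P<opid>\S+)\]\s+(?P<msg>.*)$"
)
# Managed object reference with hostname, e.g. [vim.HostSystem:host-23921329,vmsrv06.xxxx.local]
HOST_RE = re.compile(r"\[vim\.HostSystem:(?P<hostid>host-\d+),(?P<hostname>[^\]]+)\]")
# Bare host id, used by messages such as "... status on host-23921329: internal error."
BARE_HOST_RE = re.compile(r"\b(?P<hostid>host-\d+)\b")


def parse_records(lines):
    """Group log lines into records: one header line plus its '-->' continuation lines."""
    records = []
    for raw in lines:
        line = raw.rstrip("\n")
        if line.startswith("-->"):
            if records:  # continuation belongs to the most recent header
                records[-1]["detail"].append(line[3:].strip())
            continue
        match = RECORD_RE.match(line)
        if match:
            record = match.groupdict()
            record["detail"] = []
            records.append(record)
    return records


def nkp_failures(lines):
    """Return {host id: {hostname, op_ids, reasons}} for hosts whose NKP status query failed."""
    failures = {}
    hostnames = {}  # host id -> hostname, learned from any record that names both
    for record in parse_records(lines):
        for host in HOST_RE.finditer(record["msg"]):
            hostnames[host["hostid"]] = host["hostname"]
        if record["level"] != "error" or record["sub"] != "CryptoManager":
            continue
        msg = record["msg"]
        if "Native Key Provider" not in msg and "token.create" not in msg:
            continue
        host = BARE_HOST_RE.search(msg)
        if not host:
            continue
        entry = failures.setdefault(
            host["hostid"], {"hostname": None, "op_ids": set(), "reasons": set()}
        )
        entry["op_ids"].add(record["opid"])
        for detail in record["detail"]:
            if "Connection refused" in detail:
                entry["reasons"].add("connection refused")
            elif "vapi.send.failed" in detail:
                entry["reasons"].add("vapi.send.failed")
    for hostid, entry in failures.items():
        entry["hostname"] = hostnames.get(hostid)
    return failures


def summarize(failures):
    """One line per affected host, for a quick look before checking the host itself."""
    return [
        f"{hostid} ({entry['hostname'] or 'unknown'}): "
        f"{', '.join(sorted(entry['reasons'])) or 'no reason logged'} "
        f"[{len(entry['op_ids'])} operation(s)]"
        for hostid, entry in sorted(failures.items())
    ]


if __name__ == "__main__":
    for line in summarize(nkp_failures(LOG_LINES)):
        print(line)
```

Run it against a real vpxd.log by replacing `LOG_LINES` with the file's lines; a host that shows up with "connection refused" is one whose ESXi-side service vCenter could not reach, which matches the symptom in this thread (the warning follows the two VPN-attached hosts and disappears when they are removed), whereas a host that never appears is not contributing to the key provider's "Warning" status.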
Raudi
Expert

The problem was the ESXi installation on both Dell R720 hosts; after reinstalling the hosts the error was gone...

Perhaps I made too many upgrades...
