Does the KMS have an IPv6 address?
If so then the following may be your issue and workaround:
"vCenter Server system cannot connect to a KMS using the IPv6 address
vCenter Server can connect to a Key Management Server (KMS) only if the KMS has an IPv4 address or a host name that resolves to an IPv4 address. If the KMS has an IPv6 address, the following error occurs when you add the KMS to the vCenter Server system.
Cannot establish trust connection
Workaround: Configure an IPv4 address for the KMS."
What have you tried for resolving the trust issue?
Do you get an error when you click the 'Establish Trust with KMS' button? Try that and then upload the cert and private key.
Have you tried the following steps or something else?
If the above is not applicable - anything that could be blocking port 5696 and/or any other settings such as proxy on the vCenter that could be preventing connection?
Just an FYI: you might have more luck posting this in the vSphere sub-communities, as this may not be a vSAN-specific issue.
If you're just doing some testing, William Lam has a good article on spinning up a KMIP server on Docker for some quick test driving.
In this scenario, I can see from the screenshot that you have not yet properly configured the Client certificate by using the 'Establish Trust with KMS' wizard. The certificate requirements for KMIP clients are very specific to each KMS vendor and you cannot just pick any option of your choosing.
For example, when establishing trust with a HyTrust server, HyTrust will not establish communication with any client that does not present a certificate created by the HyTrust server itself. Therefore, you would need to use the last option of 'Upload certificate and private key'. In this case, it would require you to download the certificate that was created by the HyTrust appliance, which will include both the public certificate and the private key, and use the wizard to import it into vCenter.
Other vendors may wish to sign the certificate presented by the KMIP client, but are not too concerned about the other fields in the certificate, such as Subject Names, etc. In that case, you would use the 'New Certificate Signing Request'. In this case, the vCenter KMIP Client will generate a CSR, which you can copy to your CA, whether that's an enterprise CA such as Microsoft CA, or the CA on your KMS, and have it digitally signed with the CA as the root of trust.
In both of the above cases, the certificate you are provided by the CA or the KMS will include the private key. You should store these securely.
The other 2 wizard options, 'Root CA certificate' and 'Certificate', both invoke APIs that create a self-signed certificate on the KMIP Client; this is the least secure method but means that the private key and the certificate are both created by vCenter. The private key will be stored in the VECS store on the vCenter node. You won't need to access this under normal circumstances.
By the way, which KMS vendor are you using? They should provide details in their documentation as to how to set up the KMIP client in vCenter with their solution.
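As an added example (not from the thread, VMware or any KMS vendor), here are a few openssl checks an admin can run on the downloaded bundle before feeding it to 'Upload certificate and private key', plus a mutual-TLS probe of port 5696 to separate a blocked port from a rejected client certificate. It assumes the openssl CLI is installed; the KMS host and CA file passed to probe_kms are placeholders you supply.

```shell
#!/bin/sh
# Added example, not from the thread or from VMware.
# Assumes: openssl CLI in PATH; the bundle is one PEM file holding the
# client certificate and its private key (either order).
set -u

# check_bundle <pem-file>
# Returns 0 only if the file holds both a certificate and a private key,
# the key really belongs to that certificate, and the cert is not expired.
check_bundle() {
    bundle="$1"
    work=$(mktemp -d)
    # PEM readers skip blocks they were not asked for, so order does not matter
    if ! openssl x509 -in "$bundle" -out "$work/cert.pem" 2>/dev/null; then
        echo "no certificate found in $bundle"; rm -rf "$work"; return 1
    fi
    if ! openssl pkey -in "$bundle" -out "$work/key.pem" 2>/dev/null; then
        echo "no private key found in $bundle"; rm -rf "$work"; return 1
    fi
    # The public key inside the cert must equal the one derived from the key
    cert_pub=$(openssl x509 -in "$work/cert.pem" -noout -pubkey | openssl sha256)
    key_pub=$(openssl pkey -in "$work/key.pem" -pubout | openssl sha256)
    rm -rf "$work"
    if [ "$cert_pub" != "$key_pub" ]; then
        echo "private key does not match certificate"; return 1
    fi
    # -checkend 0: non-zero exit if notAfter is already in the past
    if ! openssl x509 -in "$bundle" -noout -checkend 0 >/dev/null; then
        echo "certificate has expired"; return 1
    fi
    echo "bundle OK: $(openssl x509 -in "$bundle" -noout -subject)"
    return 0
}

# probe_kms <kms-host> <pem-bundle> <ca-file>   (arguments are placeholders)
# Attempts the same mutual-TLS handshake vCenter performs on the KMIP port.
# A connect timeout points at a firewall/proxy blocking 5696; a handshake
# alert points at the KMS rejecting this client certificate.
probe_kms() {
    openssl s_client -connect "$1:5696" -cert "$2" -CAfile "$3" \
        -verify_return_error </dev/null
}
```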