{"id":3999,"date":"2018-08-06T17:04:11","date_gmt":"2018-08-06T22:04:11","guid":{"rendered":"http:\/\/www.jasemccarty.com\/blog\/?p=3999"},"modified":"2020-02-16T17:04:40","modified_gmt":"2020-02-16T23:04:40","slug":"kms-profile-addressing","status":"publish","type":"post","link":"https:\/\/www.jasemccarty.com\/blog\/kms-profile-addressing\/","title":{"rendered":"Understanding vSAN Encryption \u2013 KMS Profile Addressing"},"content":{"rendered":"<p>When using vSAN Encryption, one of the vSAN Health Check tests will show the health of the connection between the vSAN Hosts and the KMS Cluster, and between vCenter and the KMS Cluster.<\/p>\n<p>One scenario came up a few weeks ago where the vSAN Health Check indicated that the vSAN Hosts could properly communicate with the KMS Cluster, but the vCenter server had intermittent connectivity to the KMS Cluster.<\/p>\n<p>Troubleshooting indicated that no ports were blocked between the vCenter Server and the KMS Cluster, and that the two could properly ping each other. 
vSAN Hosts could properly ping the KMS Cluster as well, and no ports were blocked.<\/p>\n<p>Here is the vSAN Health Check&#8217;s reported error for the <strong>vCenter KMS Status<\/strong>.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-12847 size-full\" src=\"http:\/\/blogs.vmware.com\/virtualblocks\/files\/2018\/08\/KMS-VC-STATUS-e1533832300967.png\" alt=\"vSAN Encryption\" width=\"650\" height=\"217\" \/><\/p>\n<p>Notice that the certificate status is valid, but the connection and trust statuses are not.<\/p>\n<p>Looking at the <strong>Host KMS Status<\/strong>, it can be seen that the hosts are properly communicating with the KMS Server.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-12849 size-full\" src=\"http:\/\/blogs.vmware.com\/virtualblocks\/files\/2018\/08\/HOST-KMS-STATUS-e1533832346722.png\" alt=\"vSAN Encryption\" width=\"650\" height=\"208\" \/><\/p>\n<p>The process of enabling vSAN Encryption includes the following steps:<\/p>\n<ol>\n<li>A KMS Connection Profile is created in vCenter and the trust is established.<\/li>\n<li>vSAN Encryption is enabled in the Configuration&gt;Data Services menu in the vSAN UI.<\/li>\n<li>The KMS Connection Profile is pushed to each of the ESXi hosts, which use the kekId and hostkeyId in this profile to retrieve the KEK and HostKey for the vSAN Cluster.<\/li>\n<\/ol>\n<p>The connection has to be correct in vCenter Server before it can be pushed correctly to the vSAN Hosts. Something must have changed in the environment to cause this issue.<\/p>\n<p>Further investigation indicated that the connectivity to the KMS Cluster was intermittent. Sometimes the <strong>vCenter KMS Status<\/strong> reported <span style=\"color: #339966;\"><strong>green<\/strong><\/span> and other times reported <span style=\"color: #ff0000;\"><strong>red<\/strong><\/span>. 
So maybe nothing changed.<\/p>\n<p>A careful review of the <strong>vCenter KMS Status<\/strong> and <strong>Host KMS Status<\/strong> health checks shows that the <strong>KMS Alias<\/strong> is a &#8220;short name&#8221;.<\/p>\n<p>Maybe there is an issue where the short name is only intermittently resolved from DNS&#8230; But the vSAN Hosts were not showing any intermittent connectivity, only the VCSA.<\/p>\n<p>The <strong>Key Management Servers<\/strong> configuration profile in the vCenter&#8217;s settings shows that the trust cannot be established. The <strong>KMS Address<\/strong> is the same value as the <strong>KMS Alias<\/strong> in the vSAN Health Check.<\/p>\n<p><a href=\"http:\/\/blogs.vmware.com\/virtualblocks\/files\/2018\/08\/KMS-ISSUE.png\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-12866 size-full\" src=\"http:\/\/blogs.vmware.com\/virtualblocks\/files\/2018\/08\/KMS-ISSUE-e1533832377680.png\" alt=\"vSAN Encryption\" width=\"650\" height=\"246\" \/><\/a><\/p>\n<p>When using a short name, the default TCP\/IP stack of a vSAN host uses its designated search domains in the name resolution process. 
In the case of this cluster, <strong>demo.local<\/strong> and <strong>demo.central<\/strong> can be used in short name resolution.<\/p>\n<p><a href=\"http:\/\/blogs.vmware.com\/virtualblocks\/files\/2018\/08\/HOST-TCPIP-INFO.png\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-12855 size-full\" src=\"http:\/\/blogs.vmware.com\/virtualblocks\/files\/2018\/08\/HOST-TCPIP-INFO-e1533832409342.png\" alt=\"vSAN Encryption\" width=\"650\" height=\"417\" \/><\/a><\/p>\n<p>The VCSA, on the other hand, does not have any search domains:<\/p>\n<p><a href=\"http:\/\/blogs.vmware.com\/virtualblocks\/files\/2018\/08\/VCSA-TCPIP-INFO.png\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-12861 size-full\" src=\"http:\/\/blogs.vmware.com\/virtualblocks\/files\/2018\/08\/VCSA-TCPIP-INFO-e1533832452923.png\" alt=\"vSAN Encryption\" width=\"650\" height=\"557\" \/><\/a><\/p>\n<p>Without search domains to assist with the short name, vCenter would rely on the DNS server for name resolution.<\/p>\n<p>The suggestion was made to change the <strong>KMS Address<\/strong> value for each KMS Cluster node to either an IP address or the Fully Qualified Domain Name (FQDN). 
Changing one of the two KMS entries showed some success.<\/p>\n<p><a href=\"http:\/\/blogs.vmware.com\/virtualblocks\/files\/2018\/08\/KMSISSUE2.png\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-12865 size-full\" src=\"http:\/\/blogs.vmware.com\/virtualblocks\/files\/2018\/08\/KMSISSUE2-e1533832493693.png\" alt=\"vSAN Encryption\" width=\"650\" height=\"181\" \/><\/a><\/p>\n<p>Adjusting the <strong>KMS Address<\/strong> for the alternate KMS Cluster node cleared the issue up entirely.<\/p>\n<p><a href=\"http:\/\/blogs.vmware.com\/virtualblocks\/files\/2018\/08\/KMSISSUE3.png\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-12867 size-full\" src=\"http:\/\/blogs.vmware.com\/virtualblocks\/files\/2018\/08\/KMSISSUE3-e1533832522355.png\" alt=\"vSAN Encryption\" width=\"650\" height=\"142\" \/><\/a><\/p>\n<p>In the environment where this was reported, another vCenter had no issues connecting to the KMS Cluster, but it used an IP address instead of a short name. Without digging into the DNS configuration of the environment, setting the Fully Qualified Domain Name (FQDN) resolved the issue.<\/p>\n<p>In short, when configuring the <strong>Key Management Server<\/strong> connection profile for a <strong>KMS Cluster<\/strong>, ensure that the <strong>KMS Address<\/strong> is one that both vCenter and the vSAN hosts can correctly resolve. 
Using a Fully Qualified Domain Name or IP address can prevent &#8220;short name&#8221; related issues.<\/p>\n<p>This was originally posted on the VMware Virtual Blocks site: https:\/\/blogs.vmware.com\/virtualblocks\/2018\/08\/06\/kms-profile-addressing\/<\/p>\n","protected":false},"excerpt":{"rendered":"<p>When using vSAN Encryption, one of the vSAN Health Check tests will show the health of the connection between the vSAN Hosts and the KMS &hellip; <\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-3999","post","type-post","status-publish","format-standard","hentry","category-uncategorized"],"_links":{"self":[{"href":"https:\/\/www.jasemccarty.com\/blog\/wp-json\/wp\/v2\/posts\/3999","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.jasemccarty.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.jasemccarty.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.jasemccarty.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.jasemccarty.com\/blog\/wp-json\/wp\/v2\/comments?post=3999"}],"version-history":[{"count":2,"href":"https:\/\/www.jasemccarty.com\/blog\/wp-json\/wp\/v2\/posts\/3999\/revisions"}],"predecessor-version":[{"id":4001,"href":"https:\/\/www.jasemccarty.com\/blog\/wp-json\/wp\/v2\/posts\/3999\/revisions\/4001"}],"wp:attachment":[{"href":"https:\/\/www.jasemccarty.com\/blog\/wp-json\/wp\/v2\/media?parent=3999"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.jasemccarty.com\/blog\/wp-json\/wp\/v2\/categories?post=3999"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.jasemccarty.com\/blog\/wp-json\/wp\/v2\/tags?post=3999"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}