For the Key Provider Service to connect to a key provider, you must create a trusted key provider and then configure a trust setup between the vSphere Trust Authority Cluster and the key server (KMS). For most KMIP-compliant key servers, this configuration involves setting up client and server certificates: the key server must trust the client certificate presented by the Trust Authority Cluster, and the Trust Authority Cluster must trust the server certificate presented by the key server.
What was previously called a KMS Cluster in vSphere 6.7 is now called a key provider in vSphere 7.0 and later. For more information about key providers, see What Is the vSphere Trust Authority Key Provider Service.
In a production environment, you can create multiple key providers. Creating multiple key providers lets you partition your deployment according to company organization, different business units or customers, and so on.
If you are following these tasks in order, you are still connected to the vCenter Server of the vSphere Trust Authority Cluster.
Prerequisites
- Enable the Trust Authority Administrator.
- Enable the Trust Authority State.
- Collect Information About ESXi Hosts and vCenter Server to Be Trusted.
- Import the Trusted Host Information to the Trust Authority Cluster.
- Create and activate a key on the key server to be the primary key for the trusted key provider. This key wraps other keys and secrets used by this trusted key provider. See your key server vendor documentation for more information about creating keys.
Procedure
Results
The trusted key provider is created and has established trust with the key server.
Example: Create the Key Provider on the Trust Authority Cluster
This example shows how to use PowerCLI to create the trusted key provider on the Trust Authority Cluster. It assumes that you are connected to the vCenter Server of the Trust Authority Cluster as the Trust Authority administrator. It also uses a certificate signed by the key server vendor after submitting a CSR to the vendor.
The following table shows the example components and values that are used.
| Component | Value |
|---|---|
| Variable $vTA | Get-TrustAuthorityCluster 'vTA Cluster' |
| Variable $kp | Get-TrustAuthorityKeyProvider -TrustAuthorityCluster $vTA |
| Variable $cert | Get-TrustAuthorityKeyProviderServerCertificate -KeyProviderServer $kp.KeyProviderServers |
| vCenter Server for Trust Authority Cluster | 192.168.210.22 |
| KMIP-compliant key server | 192.168.110.91 |
| KMIP-compliant key server user | vcqekmip |
| Trust Authority Cluster name | vTA Cluster |
| Trust Authority administrator | trustedadmin@vsphere.local |
```powershell
PS C:\Users\Administrator.CORP> Disconnect-VIServer -server * -Confirm:$false
PS C:\Users\Administrator.CORP> Connect-VIServer -server 192.168.210.22 -User trustedadmin@vsphere.local -Password 'VMware1!'
PS C:\Users\Administrator.CORP> New-TrustAuthorityKeyProvider -TrustAuthorityCluster $vTA -PrimaryKeyId 8 -Name clkp -KmipServerAddress 192.168.110.91

Name PrimaryKeyId Type TrustAuthorityClusterId
---- ------------ ---- -----------------------
clkp 8            KMIP TrustAuthorityCluster-domain-c8

PS C:\Users\Administrator.CORP> New-TrustAuthorityKeyProviderClientCertificate -KeyProvider $kp
<Export the client certificate when you need to use it.>
PS C:\Users\Administrator.CORP> Export-TrustAuthorityKeyProviderClientCertificate -KeyProvider $kp -FilePath clientcert.pem
PS C:\Users\Administrator.CORP> $kp = Get-TrustAuthorityKeyProvider -TrustAuthorityCluster $vTA
PS C:\Users\Administrator.CORP> Get-TrustAuthorityKeyProviderServerCertificate -KeyProviderServer $kp.KeyProviderServers

Certificate  Trusted KeyProviderServerId       KeyProviderId
-----------  ------- -------------------       -------------
[Subject]... False   domain-c8-clkp:192.16.... domain-c8-clkp

PS C:\Users\Administrator.CORP> $cert.Certificate.ToString()
[Subject]
  E=<domain>, CN=<IP address>, OU=VMware Engineering, O=VMware, L=Palo Alto, S=California, C=US

[Issuer]
  O=<host>.eng.vmware.com, C=US, DC=local, DC=vsphere, CN=CA

[Serial Number]
  00CEF192BBF9D80C9F

[Not Before]
  8/10/2015 4:16:12 PM

[Not After]
  8/9/2020 4:16:12 PM

[Thumbprint]
  C44068C124C057A3D07F51DCF18720E963604B70

PS C:\Users\Administrator.CORP> $cert = Get-TrustAuthorityKeyProviderServerCertificate -KeyProviderServer $kp.KeyProviderServers
PS C:\Users\Administrator.CORP> Add-TrustAuthorityKeyProviderServerCertificate -ServerCertificate $cert

Certificate  Trusted KeyProviderServerId       KeyProviderId
-----------  ------- -------------------       -------------
[Subject]... True                              domain-c8-clkp

PS C:\Users\Administrator.CORP> $kp = Get-TrustAuthorityKeyProvider -TrustAuthorityCluster $vTA
PS C:\Users\Administrator.CORP> $kp.Status

KeyProviderId Health HealthDetails ServerStatus
------------- ------ ------------- ------------
domain-c8-kp4 Ok     {}            {192.168.210.22}
```
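In the session above, the key server certificate goes from `Trusted False` to `Trusted True` solely because `Add-TrustAuthorityKeyProviderServerCertificate` was called on whatever the key server presented; nothing checks that the presented certificate is the one the key server administrator actually issued. The following script is an added example, not code from the VMware documentation. It repeats the same steps in a re-runnable form, prompts for the administrator password with `Get-Credential` instead of passing it on the command line, and refuses to add the server certificate unless its thumbprint matches a value obtained out of band and the certificate is still within its validity period. The cmdlets and parameters are the ones shown on this page; the expected thumbprint is a constructed placeholder, `Where-Object` filtering by `Name` is used because the page does not show a name filter on `Get-TrustAuthorityKeyProvider`, and treating `$cert.Certificate` as a .NET `X509Certificate2` (which is what the `ToString()` output above looks like) and the key provider having a single server are assumptions.

```powershell
# Added example (not VMware's own code): create the trusted key provider and
# pin the key server certificate to a thumbprint obtained out of band.
# Values below are constructed placeholders; replace them for your environment.
$VcServer           = '192.168.210.22'              # vCenter Server of the Trust Authority Cluster
$TaAdmin            = 'trustedadmin@vsphere.local'  # Trust Authority administrator
$ClusterName        = 'vTA Cluster'
$KmipServer         = '192.168.110.91'
$PrimaryKeyId       = 8                             # key created and activated on the key server beforehand
$ProviderName       = 'clkp'
# Obtained from the key server administrator, NOT read back from this session.
$ExpectedThumbprint = 'C44068C124C057A3D07F51DCF18720E963604B70'

# Prompt for the password so it does not land in shell history or PowerShell transcripts.
$cred = Get-Credential -UserName $TaAdmin -Message 'Trust Authority administrator password'

Disconnect-VIServer -Server * -Confirm:$false -ErrorAction SilentlyContinue
Connect-VIServer -Server $VcServer -Credential $cred | Out-Null

$vTA = Get-TrustAuthorityCluster $ClusterName

# Create the key provider only if it does not already exist, so the script can be re-run.
$kp = Get-TrustAuthorityKeyProvider -TrustAuthorityCluster $vTA |
      Where-Object { $_.Name -eq $ProviderName }
if (-not $kp) {
    $kp = New-TrustAuthorityKeyProvider -TrustAuthorityCluster $vTA -PrimaryKeyId $PrimaryKeyId `
              -Name $ProviderName -KmipServerAddress $KmipServer
}

# Client side of the trust setup: generate the client certificate and export it
# so it can be registered on the key server.
New-TrustAuthorityKeyProviderClientCertificate -KeyProvider $kp | Out-Null
Export-TrustAuthorityKeyProviderClientCertificate -KeyProvider $kp -FilePath ".\$ProviderName-clientcert.pem"

# Server side: fetch the certificate the key server presents, but pin it before trusting it.
$kp   = Get-TrustAuthorityKeyProvider -TrustAuthorityCluster $vTA |
        Where-Object { $_.Name -eq $ProviderName }
$cert = Get-TrustAuthorityKeyProviderServerCertificate -KeyProviderServer $kp.KeyProviderServers

# Assumption: $cert.Certificate is a System.Security.Cryptography.X509Certificates.X509Certificate2
# (its ToString() output on this page has that shape), so .Thumbprint and .NotAfter are available.
$presented = $cert.Certificate.Thumbprint.ToUpperInvariant()
$expected  = $ExpectedThumbprint.ToUpperInvariant()

if ($presented -ne $expected) {
    Disconnect-VIServer -Server $VcServer -Confirm:$false
    throw "Key server certificate thumbprint $presented does not match expected $expected; not adding it to the trust store."
}
if ($cert.Certificate.NotAfter -lt (Get-Date)) {
    Disconnect-VIServer -Server $VcServer -Confirm:$false
    throw "Key server certificate expired on $($cert.Certificate.NotAfter); not adding it to the trust store."
}

# Only now establish trust in the key server certificate.
Add-TrustAuthorityKeyProviderServerCertificate -ServerCertificate $cert | Out-Null

# Confirm the provider reports healthy before moving on to the next task.
$kp = Get-TrustAuthorityKeyProvider -TrustAuthorityCluster $vTA |
      Where-Object { $_.Name -eq $ProviderName }
$kp.Status
```

The thumbprint comparison is the important step: a mismatch means either the expected value is stale or something other than the intended key server answered on 192.168.110.91, and in both cases the right move is to stop and resolve it before the Trust Authority Cluster begins wrapping keys with that server.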
What to do next
Continue with Export the Trust Authority Cluster Information.