Troubleshooting
Key Generation Error During Encryption
If vSphere Virtual Machine encryption or VMware vSAN encryption fails with the error "Cannot generate key", check the following:
- The Entrust Cryptographic Security Platform Vault appliance must be powered on and operational. To verify this, log into the appliance using the Cryptographic Security Platform Vault webGUI.
- The Entrust KMIP server must be enabled as described in Configuring a KMIP Server.
- The Cryptographic Security Platform Vault nodes must be able to communicate with one another. Make sure the server status is not shown as Degraded in the Cryptographic Security Platform Vault webGUI.
- The KMIP client certificate and private key must be valid and current. You can verify the certificate status in the Cryptographic Security Platform Vault webGUI on the KMIP Servers Users tab or in the vCenter Web Client on the KMS tab. For details about creating a new certificate and key, see Establishing a Trusted Connection with a Cryptographic Security Platform Vault-Generated CSR.
- If the vCenter Web Client reports that the KMIP connection status is Normal (green) but encryption fails, the KMS cluster could have been added with a user name and password. To verify this:
  - Check the Entrust Cryptographic Security Platform Vault Audit log for the message "KMIP response rate OperationFailed DENIED".
  - If you find that message, edit the properties of the Entrust KMS cluster in the vCenter Web Client and remove any user name or password.
- If the Cryptographic Security Platform Vault cluster is functioning properly and the certificates are valid but the vCenter Web Client reports that the Entrust KMS is not connected, log into the vCenter Web Client and navigate to the KMS tab. Select the Entrust KMS, then select All Actions > Refresh KMS certificate.
  If that does not work, you may need to remove the KMS instance and re-add it to vCenter in order to restore the Trusted connection. Select the Entrust KMS in the vSphere Web Client and select All Actions > Remove KMS. Then add the KMS back as described in Adding a KMS Cluster in vSphere.
- If you are using VM encryption and everything shows as connected but encryption still fails, use the vCenter Web Client to verify that encryption is enabled for the ESXi host using ESXi-server-name > Configure > Security Profile > Host Encryption Mode.
- If KMIP key creation fails when KMIP KEK is enabled, check whether the audit log shows "KMIP Response: Create OperationFailed DB_GENERAL". If so, enable the KEK cache timeout and retry the create operation.
- If you are attempting to encrypt VM or vSAN storage and see errors such as "Create OperationFailed DB_GENERAL" and "Admin Key Regeneration failed" in the Cryptographic Security Platform Vault webGUI, together with an operation failed message with "RuntimeFault.summary" status in ESXi, check your alerts to see whether your KMIP license entitlement is disabled or the license has expired.
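The three audit-log messages in the steps above (OperationFailed DENIED, Create OperationFailed DB_GENERAL on its own, and DB_GENERAL alongside "Admin Key Regeneration failed") each point to a different fix. The script below is an added example, not Entrust or VMware code, that runs that triage over an exported audit log. It assumes each exported line starts with an ISO-8601 timestamp followed by the message text, the sample lines are constructed (the message substrings are the ones quoted in this section, the timestamps are made up), and the 60-second window used to tie a regeneration failure to a DB_GENERAL error is an assumed value; adjust parse_line() and CORRELATION_WINDOW to match your export.

```python
"""Triage Cryptographic Security Platform Vault audit-log lines for the KMIP
failures described in this troubleshooting section.

Added example, not Entrust or VMware code.  Assumption: each exported line is
'<ISO-8601 timestamp> <message text>'.  Adjust parse_line() otherwise."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

# Constructed sample export: message substrings as quoted in this section,
# timestamps and surrounding layout are assumed.
SAMPLE_AUDIT_LOG = """\
2024-05-01T10:00:01+00:00 KMIP response rate OperationFailed DENIED
2024-05-01T10:05:00+00:00 KMIP Response: Create OperationFailed DB_GENERAL
2024-05-01T11:30:00+00:00 KMIP Response: Create OperationFailed DB_GENERAL
2024-05-01T11:30:02+00:00 Admin Key Regeneration failed
"""

# Remediations, taken from the troubleshooting steps above.
ACTION_DENIED = ("KMS cluster was probably added with a user name and password: "
                 "edit the Entrust KMS cluster in the vCenter Web Client and remove them.")
ACTION_LICENSE = ("DB_GENERAL together with 'Admin Key Regeneration failed': check the "
                  "Vault alerts for a disabled or expired KMIP license entitlement.")
ACTION_KEK = ("DB_GENERAL with KMIP KEK enabled: enable the KEK cache timeout and "
              "retry the create operation.")

# Assumed window: a regeneration failure this close to a DB_GENERAL error is
# treated as the same incident (license problem) rather than a KEK cache issue.
CORRELATION_WINDOW = timedelta(seconds=60)


@dataclass
class Finding:
    when: datetime
    code: str
    action: str


def parse_line(line: str) -> Optional[Tuple[datetime, str]]:
    """Split '<timestamp> <message>'; return None for lines that do not parse."""
    parts = line.strip().split(" ", 1)
    if len(parts) != 2:
        return None
    try:
        ts = datetime.fromisoformat(parts[0])
    except ValueError:
        return None
    return ts, parts[1]


def triage(log_text: str) -> List[Finding]:
    """Map each failure line to the remediation this section prescribes."""
    events = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    regen_failures = [ts for ts, msg in events
                      if "Admin Key Regeneration failed" in msg]
    findings: List[Finding] = []
    for ts, msg in events:
        if "OperationFailed DENIED" in msg:
            findings.append(Finding(ts, "DENIED", ACTION_DENIED))
        elif "Create OperationFailed DB_GENERAL" in msg:
            # Same error string, two causes: decide by the neighbouring
            # "Admin Key Regeneration failed" entry.
            correlated = any(abs(r - ts) <= CORRELATION_WINDOW for r in regen_failures)
            code = "DB_GENERAL_LICENSE" if correlated else "DB_GENERAL_KEK"
            findings.append(Finding(ts, code, ACTION_LICENSE if correlated else ACTION_KEK))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_AUDIT_LOG):
        print(f"{f.when.isoformat()} {f.code}: {f.action}")
```

Run it against a saved export with `triage(open("audit.log").read())`; a DB_GENERAL that is not accompanied by a regeneration failure is reported as the KEK cache case, so confirm KMIP KEK is actually enabled before applying that fix.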
Certificate Update Errors
If you try to update the KMS certificate for a Cryptographic Security Platform Vault KMIP Server and vSphere responds with the error message:
The "Update KMS Certificate" operation failed for the entity with the following error message. Database temporarily unavailable or has network problems.
There may be too many certificates for the KMS Cluster in the vCenter Certificate database. Use the PSC Certificate Store to remove any stale certificates for the KMIP server. Please contact VMware Support for assistance with this action, as this is not an activity that Entrust support can provide.