VMware Key Management Server Certification Release Notes
Updated on: 09 November 2021
VMware vSphere 7.0 | Nov 2021 | Release Version: kms-cert70-15964040
About KMS Certification
The VMware Key Management Server Certification is an offering by VMware to provide a preconfigured and ready-to-use certification testbed on the cloud.
You must run the 7.0 certification using VMware Integration Validation (VIVa). For more information, see the VMware Key Management Server Certification Guide.
What's New
The lab is currently on agent version 8.0. Do not upgrade it.
Certification Policy
- For vSphere 7.0, VM Encryption and FCD Encryption are the mandatory base certifications to list your product on the VMware Compatibility Guide (VCG). There is no separate VCG listing for FCD.
- vSAN Data at Rest Encryption and vSphere Trust Authority are optional.
- IPv6 support is available for both VM and vSAN Data at Rest Encryption, and a separate VCG listing is created for IPv6 supported partner solutions. This is an optional feature and can be ignored if you do not want to list your solutions with IPv6 support.
Important Notes
- You must register the KeyProvider and KMS in vcsa-01b.corp.local using the same names as in vcsa-01a.corp.local. The names must be entered in lower case. For more information, see the VMware Key Management Server Certification Guide.
- There must not be more than one Standard Key Provider along with the associated KMS registered to any of the vCenter servers.
Troubleshooting
This section describes some common configuration errors encountered by new partners and solutions.
- The test vta_certification_kms_test_Encryption001 and vta_certification_kms_test_KmsFailover001 might fail with the following message:
2020-04-06T09:29:44.145Z INFO c.v.v.LogUtil [printDetailedObject:143] [main] - Message{String} = Trusted Key Provider KeyProvider1 is not compatible with the host esx-10a.corp.local.
Solution: Ensure that the master keys are created and activated properly before running the test.
Resolved Issues
Known Issues
- The vsan_encryption_shallow_rekey test cleans the testbed, removing the ESXi hosts from vCenter. If you want to run any of the VM Encryption tests after this test, ensure that the ESXi hosts are added to the vCenter manually as per Figure 4-1, Testbed topology, in the VMware Key Management Server Certification Guide. Perform the following steps:
- Create a datacenter called vcqaDC followed by a cluster with any name.
- Add host esx-01a.corp.local (or esx-04a.ipv6.corp.local in case of IPv6) to the cluster.
- Add host esx-02a.corp.local (or esx-05a.ipv6.corp.local in case of IPv6) as a standalone ESXi host in the vCenter Server which is not part of any cluster. The host must be connected directly to the vcqaDC datacenter of the vCenter Server.
- vsan_encryption_shallow_rekey might fail and display the following error message:
ERROR: VC Error: .INFO: ESX host esx-01a.corp.local has already been added to VC.
Workaround: Rename the datacenter as vcqaDC. The test deletes the vcqaDC datacenter and adds the hosts by itself.
- FCD tests might fail if vSAN is not disabled on the vCenter cluster before running the tests.
Workaround: Refer to the Test Descriptions section in the VMware Key Management Server Certification Guide for steps to disable vSAN.
- The VMCA test might fail if the bash shell is not enabled on the vCenter.
Workaround: Refer to the Test Descriptions section in the VMware Key Management Server Certification Guide for steps.
- The Vmcrypt_kmscert_Sec001 test fails to clean up the fake KMS Server fakeServer2.
Workaround: Remove this fake KMS Server manually from the vCenter before running all other tests.
- Vmcrypt_kmscert_Sec001 and Vmcrypt_kmscert_Sec002 might fail with the following exception, if the Key Provider and KMS Name are added in upper case, and are not registered in vcsa-01a and vcsa-01b using the same names.
agent - INFO - com.vmware.vc.InvalidArgument@2d69036
agent - INFO - 2019-10-24T09:46:47.803Z ERROR c.v.v.e.OutcomePrinter [afterInvocation:40] [main] - exception thrown
agent - INFO - javax.xml.ws.soap.SOAPFaultException: A specified parameter was not correct: keyProvider.id
Workaround: The names entered while creating Key Provider Name and KMS Name must be in lower case.
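A pre-run check for the naming rules stated under Important Notes and in the Vmcrypt_kmscert_Sec001/Sec002 known issue, written as an added example that is not part of the VMware certification kit. The KeyProvider record, the "standard"/"trusted" labels and the sample inventory are assumptions; fill the inventory from the key provider listing of each vCenter.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class KeyProvider:
    name: str          # Key Provider name as registered in vCenter
    kind: str          # "standard" or "trusted" (labels assumed for this example)
    kms_names: tuple   # names of the KMS entries under this provider

def preflight(inventory, primary="vcsa-01a.corp.local",
              secondary="vcsa-01b.corp.local"):
    """Return a list of findings; an empty list means the naming rules hold."""
    findings = []
    for vc, providers in inventory.items():
        # Rule: no more than one Standard Key Provider per vCenter.
        standard = [p for p in providers if p.kind == "standard"]
        if len(standard) > 1:
            findings.append(f"{vc}: {len(standard)} Standard Key Providers "
                            "registered, at most one is allowed")
        # Rule: Key Provider and KMS names must be lower case.
        for p in providers:
            labelled = [("Key Provider", p.name)]
            labelled += [("KMS", k) for k in p.kms_names]
            for label, name in labelled:
                if name != name.lower():
                    findings.append(f"{vc}: {label} name '{name}' is not lower case")

    # Rule: both vCenters carry the same names (compared case-sensitively).
    def registered(vc):
        return {(p.name, tuple(sorted(p.kms_names))) for p in inventory.get(vc, [])}
    in_primary, in_secondary = registered(primary), registered(secondary)
    for name, kms in sorted(in_primary ^ in_secondary):
        where = primary if (name, kms) in in_primary else secondary
        findings.append(f"Key Provider '{name}' with KMS {list(kms)} "
                        f"is registered only in {where}")
    return findings

# Constructed sample inventory (not taken from a real testbed).
SAMPLE = {
    "vcsa-01a.corp.local": [KeyProvider("keyprovider1", "standard", ("kms1",))],
    "vcsa-01b.corp.local": [
        KeyProvider("KeyProvider1", "standard", ("kms1",)),
        KeyProvider("leftover", "standard", ("kms-old",)),
    ],
}

if __name__ == "__main__":
    for finding in preflight(SAMPLE):
        print(finding)
```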