KMIP for vSphere
Add a KMS to vCenter Server in vSphere Web Client
Create a KMIP client on Akeyless Gateway
- From the Akeyless CLI, enable the KMIP server:
akeyless kmip-server-setup --hostname <akeyless.gateway.hostname> --gateway-url <Akeyless GW URL> --root /kmip/default
- Create the KMIP client:
akeyless kmip-create-client --name myVCenter --gateway-url <Akeyless GW URL>
This returns the client ID, private key and certificate:
$ New client successfully created.
Client ID: Zvzw0...VM2u
Client Key:
-----BEGIN RSA PRIVATE KEY-----
MIIEpA...yRCF8UQ==
-----END RSA PRIVATE KEY-----
Client Certificate:
-----BEGIN CERTIFICATE-----
MIIDSz...0otOEQQ==
-----END CERTIFICATE-----
- Save the received certificate and key in a safe place; they will be used to set up the connection.
- By default, KMIP clients have no permissions. To grant your KMIP client minimal access permissions, run the following command:
akeyless kmip-client-set-rule --gateway-url <Akeyless GW URL> --client-id <From step 2, kc-TmA3...VM2u> \
--path "/*" \
--capability CREATE \
--capability GET \
--capability GET_ATTRIBUTES \
--capability ACTIVATE
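The CLI prints the client ID, private key and certificate to the terminal, and the next steps paste them into vCenter. The following is an added example (not Akeyless code) that takes that output, extracts the three values, stores the private key as an owner-only file, and uses the standard library's TLS context to confirm the key actually belongs to the certificate before the pair is handed to vCenter. The sample output is constructed from the truncated values shown above, so its PEM bodies are placeholders and the pair check is expected to report a mismatch for them; with a real key and certificate it returns True.

```python
import os
import re
import ssl
import stat
import tempfile

# Constructed sample of what `akeyless kmip-create-client` prints. The base64
# bodies are truncated placeholders copied from the page, not real key material.
SAMPLE_OUTPUT = """New client successfully created.
Client ID: Zvzw0...VM2u
Client Key:
-----BEGIN RSA PRIVATE KEY-----
MIIEpA...yRCF8UQ==
-----END RSA PRIVATE KEY-----
Client Certificate:
-----BEGIN CERTIFICATE-----
MIIDSz...0otOEQQ==
-----END CERTIFICATE-----
"""

# One PEM block: the END label must repeat the BEGIN label (backreference \1).
PEM_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----.*?-----END \1-----\n?", re.S)


def parse_client_output(text):
    """Return (client_id, key_pem, cert_pem) extracted from the CLI output."""
    m = re.search(r"^Client ID:\s*(\S+)", text, re.M)
    if not m:
        raise ValueError("no 'Client ID:' line found in output")
    client_id = m.group(1)
    key_pem = cert_pem = None
    for block in PEM_RE.finditer(text):
        label = block.group(1)
        if label.endswith("PRIVATE KEY"):
            key_pem = block.group(0)
        elif label == "CERTIFICATE":
            cert_pem = block.group(0)
    if key_pem is None or cert_pem is None:
        raise ValueError("output lacks a private key or a certificate block")
    return client_id, key_pem, cert_pem


def save_credentials(directory, key_pem, cert_pem):
    """Write the key (0600) and certificate (0644) into directory; return both paths."""
    os.makedirs(directory, mode=0o700, exist_ok=True)
    key_path = os.path.join(directory, "kmip-client.key")
    cert_path = os.path.join(directory, "kmip-client.crt")
    # Create the key file with restrictive mode before any secret bytes are written,
    # rather than writing first and tightening permissions afterwards.
    fd = os.open(key_path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(key_pem)
    os.chmod(key_path, 0o600)  # in case the umask masked bits off at creation
    with open(cert_path, "w") as f:
        f.write(cert_pem)
    os.chmod(cert_path, 0o644)
    return key_path, cert_path


def key_is_private(path):
    """True if only the owner can read or write the file."""
    return stat.S_IMODE(os.stat(path).st_mode) == 0o600


def pair_matches(cert_path, key_path):
    """True if the private key corresponds to the certificate.

    ssl.SSLContext.load_cert_chain performs the key/cert consistency check
    itself, so no third-party crypto library is needed.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.load_cert_chain(certfile=cert_path, keyfile=key_path)
    except (ssl.SSLError, OSError, ValueError):
        return False
    return True


def demo(output=SAMPLE_OUTPUT):
    """Run the whole flow in a temporary directory and report the results."""
    client_id, key_pem, cert_pem = parse_client_output(output)
    workdir = tempfile.mkdtemp(prefix="kmip-client-")
    key_path, cert_path = save_credentials(workdir, key_pem, cert_pem)
    return {
        "client_id": client_id,
        "key_path": key_path,
        "key_mode_ok": key_is_private(key_path),
        # False for the placeholder PEMs; True for a real key/certificate pair.
        "pair_ok": pair_matches(cert_path, key_path),
    }


if __name__ == "__main__":
    print(demo())
```

Pipe the real CLI output into `parse_client_output` (for example via `sys.stdin.read()`) instead of `SAMPLE_OUTPUT`; a `pair_ok` of False on real material means the wrong key or certificate was copied and vCenter's Establish Trust step would fail.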
vCenter Server setup:
- Log in to the vCenter Server system with the vSphere Web Client.
- Browse the inventory list and select the vCenter Server instance.
- Click Configure and click Key Management Servers.

- Click Add KMS. For Server address, enter your Akeyless Gateway address; for Server port, enter 5696; then click Add.

- Expand the new entry and click Make KMS Trust vCenter:

- For the method, choose KMS certificate and private key:

- For KMS Certificate and KMS Private Key, paste the certificate and the private key received from the Akeyless CLI, and click Establish Trust:

- Expand the new entry again and click Make vCenter Trust KMS:

- In the dialog, click TRUST:

Verify that all statuses are valid.

To enable Host Encryption Mode explicitly, follow this guide.