KMIP for vSphere

Add a KMS to vCenter Server in vSphere Web Client

Create a KMIP client on Akeyless Gateway

  1. From the Akeyless CLI, enable the KMIP server:
akeyless kmip-server-setup --hostname <akeyless.gateway.hostname> --gateway-url <Your_Akeyless_GW_URL> --root /kmip/default
  2. Create a KMIP client:
akeyless kmip-create-client --name myVCenter --gateway-url <Your_Akeyless_GW_URL>

This returns the client ID, private key and certificate:

New client successfully created.
Client ID: Zvzw0...VM2u
Client Key:
-----BEGIN RSA PRIVATE KEY-----
MIIEpA...yRCF8UQ==
-----END RSA PRIVATE KEY-----

Client Certificate:
-----BEGIN CERTIFICATE-----
MIIDSz...0otOEQQ==
-----END CERTIFICATE-----
  3. Save the received certificate and private key in a safe place; they are used below to establish trust between vCenter and the gateway. The private key is what authenticates the vCenter client to the KMIP server, so store it with restrictive file permissions and do not share it.

  4. By default, KMIP clients have no permissions. To grant your KMIP client the minimal permissions vCenter needs (create a key, fetch it, read its attributes and activate it), execute the following command:

akeyless kmip-client-set-rule --gateway-url <Your_Akeyless_GW_URL> --client-id <From step 2, kc-TmA3...VM2u> \
  --path "/*" \
  --capability CREATE \
  --capability GET \
  --capability GET_ATTRIBUTES \
  --capability ACTIVATE

The path "/*" matches every item under the KMIP root. If the same gateway also serves other KMIP clients, use a narrower path so the vCenter client can only reach its own keys.
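The CLI prints the client ID, private key and certificate to the terminal as one blob, but vCenter's trust dialog wants the certificate and key as two separate pieces and the private key must not end up in a world-readable file. The script below is an added example, not part of the Akeyless documentation or CLI: it splits a saved copy of the kmip-create-client output into a key file and a certificate file created with mode 0600, and extracts the Client ID for kmip-client-set-rule. The sample output embedded in it is constructed (placeholder PEM bodies, not real keys), and the output file names myVCenter.key / myVCenter.crt are assumptions.

```shell
#!/bin/sh
# Added example, not part of the Akeyless documentation or CLI.
# Splits the saved output of `akeyless kmip-create-client` into a private
# key file and a certificate file with mode 0600, and extracts the Client ID
# needed for `akeyless kmip-client-set-rule`. File names and the sample
# output below are assumptions; the PEM bodies are constructed placeholders.
set -eu

# Constructed sample of the CLI output (placeholder PEM bodies, not real keys).
SAMPLE_OUTPUT='New client successfully created.
Client ID: Zvzw0EXAMPLEVM2u
Client Key:
-----BEGIN RSA PRIVATE KEY-----
MIIEpAEXAMPLEKEYLINE1
MIIEpAEXAMPLEKEYLINE2
-----END RSA PRIVATE KEY-----

Client Certificate:
-----BEGIN CERTIFICATE-----
MIIDSzEXAMPLECERTLINE1
-----END CERTIFICATE-----'

# extract_pem INPUT_FILE LABEL OUT_FILE
# Copies the first "-----BEGIN LABEL-----" ... "-----END LABEL-----" block
# from INPUT_FILE to OUT_FILE. The file is created under umask 077 and then
# chmod 600, so the private key is never world-readable, even briefly.
extract_pem() {
  in="$1"; label="$2"; out="$3"
  umask 077
  awk -v b="-----BEGIN $label-----" -v e="-----END $label-----" '
    $0 == b { p = 1 }
    p       { print }
    $0 == e { exit }
  ' "$in" > "$out"
  # Refuse to continue if the block was missing (empty output file).
  [ -s "$out" ] || { echo "no $label block found in $in" >&2; return 1; }
  chmod 600 "$out"
}

# client_id INPUT_FILE
# Prints the value of the "Client ID:" line, which kmip-client-set-rule
# takes as --client-id.
client_id() {
  sed -n 's/^Client ID: *//p' "$1" | head -n 1
}

# split_client_output INPUT_FILE OUT_DIR
# Writes OUT_DIR/myVCenter.key and OUT_DIR/myVCenter.crt (names assumed).
split_client_output() {
  extract_pem "$1" "RSA PRIVATE KEY" "$2/myVCenter.key"
  extract_pem "$1" "CERTIFICATE" "$2/myVCenter.crt"
}

# Stand-alone demo: run on the constructed sample and show the results.
demo() {
  tmp=$(mktemp -d)
  printf '%s\n' "$SAMPLE_OUTPUT" > "$tmp/client.txt"
  split_client_output "$tmp/client.txt" "$tmp"
  echo "Client ID: $(client_id "$tmp/client.txt")"
  echo "Next: akeyless kmip-client-set-rule --client-id $(client_id "$tmp/client.txt") ..."
  ls -l "$tmp/myVCenter.key" "$tmp/myVCenter.crt"
}

# With two arguments (saved CLI output file, output directory) process real
# output; with no arguments run the demo on the constructed sample.
if [ "$#" -eq 2 ]; then
  split_client_output "$1" "$2"
else
  demo
fi
```

Paste the contents of myVCenter.crt and myVCenter.key into the KMS Certificate and KMS Private key fields of the vCenter trust dialog, and pass the printed Client ID to --client-id when setting the rule. The script fails rather than silently writing an empty file if either PEM block is missing, which catches a truncated copy of the CLI output before it reaches vCenter.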

vCenter Server setup:

  1. Log in to the vCenter Server system with the vSphere Web Client.

  2. Browse the inventory list and select the vCenter Server instance.

  3. Click Configure, then click Key Management Servers.

  4. Click Add KMS. For Server address enter your Akeyless Gateway address, for Server port enter 5696 (the standard KMIP port), and click Add.

  5. Expand the new row and click Make KMS Trust vCenter.

  6. For the method, choose KMS certificate and private key.

  7. For KMS Certificate and KMS Private key, paste the certificate and the private key returned by kmip-create-client, and click Establish Trust.

  8. Expand the row again and click Make vCenter Trust KMS.

  9. In the dialog, click TRUST.

Verify that all connection statuses show as valid.

To enable host encryption mode explicitly, follow this guide.