KMIP for vSphere

Add a KMS to vCenter Server in vSphere Web Client

Create a KMIP client on Akeyless Gateway

  1. From the Akeyless CLI, enable the KMIP server:

     akeyless kmip-server-setup --hostname <akeyless.gateway.hostname> --gateway-url <Akeyless GW URL> --root /kmip/default

  2. Create a KMIP client:

     akeyless kmip-create-client --name myVCenter --gateway-url <Akeyless GW URL>

This returns the client ID, private key and certificate:

New client successfully created.
Client ID: Zvzw0...VM2u
Client Key:
-----BEGIN RSA PRIVATE KEY-----
MIIEpA...yRCF8UQ==
-----END RSA PRIVATE KEY-----

Client Certificate:
-----BEGIN CERTIFICATE-----
MIIDSz...0otOEQQ==
-----END CERTIFICATE-----
  3. Save the received certificate and private key in a safe place; they will be used to set up the connection from vCenter Server.

  4. By default, KMIP clients have no permissions. To grant your KMIP client the minimal access permissions it needs, execute the following command:

     akeyless kmip-client-set-rule --gateway-url <Akeyless GW URL> --client-id <Client ID from step 2, e.g. Zvzw0...VM2u> \
       --path "/*" \
       --capability CREATE \
       --capability GET \
       --capability GET_ATTRIBUTES
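The following POSIX shell helper is an added example and is not part of the Akeyless CLI or this guide. It takes the text that `akeyless kmip-create-client` prints (step 2), splits it into a key file and a certificate file with restrictive permissions (step 3), and returns the client ID so it can be passed to `kmip-client-set-rule` (step 4) without copying it by hand. The output format, file names and directory layout are assumptions; the sample output embedded in the script is a constructed stand-in for the real CLI output and contains no real key material.

```shell
#!/bin/sh
# Added example: parse the output of `akeyless kmip-create-client` into files.
# Not Akeyless code; the output layout it parses is taken from the sample above.

# Constructed sample in the format the CLI prints (placeholder key and cert, not real).
SAMPLE_OUTPUT='New client successfully created.
Client ID: Zvzw0...VM2u
Client Key:
-----BEGIN RSA PRIVATE KEY-----
MIIEpA...yRCF8UQ==
-----END RSA PRIVATE KEY-----

Client Certificate:
-----BEGIN CERTIFICATE-----
MIIDSz...0otOEQQ==
-----END CERTIFICATE-----'

# extract_client_id <cli-output>: prints the value following "Client ID:".
extract_client_id() {
    printf '%s\n' "$1" | sed -n 's/^Client ID: *//p'
}

# extract_pem <cli-output> <label>: prints the PEM block whose BEGIN/END
# lines carry <label> (e.g. "RSA PRIVATE KEY" or "CERTIFICATE"), inclusive.
extract_pem() {
    printf '%s\n' "$1" | awk -v label="$2" '
        $0 == ("-----BEGIN " label "-----") { keep = 1 }
        keep { print }
        $0 == ("-----END " label "-----")   { keep = 0 }'
}

# save_kmip_client <cli-output> <outdir>: writes kmip-client.key (mode 0600,
# created under umask 077 so it is never world-readable, even briefly) and
# kmip-client.crt, then prints the client ID on stdout.
save_kmip_client() {
    out="$1"
    dir="$2"
    mkdir -p "$dir"
    ( umask 077
      extract_pem "$out" "RSA PRIVATE KEY" > "$dir/kmip-client.key" )
    extract_pem "$out" "CERTIFICATE" > "$dir/kmip-client.crt"
    extract_client_id "$out"
}

# Typical use with the real CLI (assumed invocation, values are placeholders):
#   akeyless kmip-create-client --name myVCenter --gateway-url <Akeyless GW URL> > client.txt
#   CLIENT_ID=$(save_kmip_client "$(cat client.txt)" ./kmip-myVCenter)
#   akeyless kmip-client-set-rule --gateway-url <Akeyless GW URL> --client-id "$CLIENT_ID" \
#     --path "/*" --capability CREATE --capability GET --capability GET_ATTRIBUTES
```

The key file is the credential vCenter Server will present to the Gateway, so treat it like any other private key: keep it off shared drives, and delete the scratch copy once the trust has been established in the vSphere Web Client. The rule in step 4 is scoped to `/*` with only `CREATE`, `GET` and `GET_ATTRIBUTES`; if your Gateway's KMIP root holds material for other consumers, narrowing `--path` to the sub-tree this vCenter should use keeps a compromised vCenter credential from reading the other clients' keys.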

vCenter Server setup:

  1. Log in to the vCenter Server system with the vSphere Web Client.

  2. Browse the inventory list and select the vCenter Server instance.

  3. Click Configure and then click Key Management Servers.

  4. Click Add KMS. For Server address, set your Akeyless Gateway address; for Server port, set 5696; then click Add.

  5. Expand the new row and click Make KMS Trusted vCenter.

  6. For the method, choose KMS certificate and private key.

  7. For KMS Certificate and KMS Private key, paste the client certificate and the private key received in step 2 of the Akeyless setup, and click Establish Trust.

  8. Expand the new row again and click Make vCenter Trust KMS.

  9. In the dialog, click TRUST.

Verify that all connection and trust statuses show as valid.

To enable Host Encryption Mode explicitly, follow this guide.