You add a KMS to your vCenter Server system from the vSphere Web Client or by using the public API.

vCenter Server creates a KMS cluster when you add the first KMS instance.

  • When you add the KMS, you are prompted to set this cluster as a default. You can later change the default cluster explicitly.
  • After vCenter Server creates the first cluster, you can add KMS instances from the same vendor to the cluster.
  • You can set up the cluster with only one KMS instance.
  • If your environment supports KMS solutions from different vendors, you can add multiple KMS clusters.
  • If your environment includes multiple KMS clusters, and you delete the default cluster, you must set another default explicitly. See Set the Default KMS Cluster.

Prerequisites

  • Verify that the key server is in the VMware Compatibility Guide for Key Management Servers (KMS) and is KMIP 1.1 compliant, and that it can be a symmetric key foundry and server.
  • Verify that you have the required privileges: Cryptographic operations.Manage key servers.
  • You can configure the KMS with IPv6 addresses.
    • Both vCenter Server and the KMS can be configured with only IPv6 addresses.

Procedure

  1. Log in to the vCenter Server system with the vSphere Web Client.
  2. Browse the inventory list and select the vCenter Server instance.
  3. Click Configure and click Key Management Servers.
  4. Click Add KMS, specify the KMS information in the wizard, and click OK.
    Option Value
    KMS cluster Select Create new cluster for a new cluster. If a cluster exists, you can select that cluster.
    Cluster name Name for the KMS cluster. If your vCenter Server instance becomes unavailable, you might need this name to connect to the KMS.
    Server alias Alias for the KMS. You might need this alias to connect to the KMS if your vCenter Server instance becomes unavailable.
    Server address IP address or FQDN of the KMS.
    Server port Port on which vCenter Server connects to the KMS.
    Proxy address Optional proxy address for connecting to the KMS.
    Proxy port Optional proxy port for connecting to the KMS.
    User name Some KMS vendors allow users to isolate encryption keys that are used by different users or groups by specifying a user name and password. Specify a user name only if your KMS supports this functionality, and if you intend to use it.
    Password Some KMS vendors allow users to isolate encryption keys that are used by different users or groups by specifying a user name and password. Specify a password only if your KMS supports this functionality, and if you intend to use it.