You add a KMS to your vCenter Server system from the vSphere Web Client or by using the public API.
About this task
vCenter Server creates a KMS cluster when you add the first KMS instance.
When you add the KMS, you are prompted to set this cluster as a default. You can later change the default cluster explicitly.
After vCenter Server creates the first cluster, you can add KMS instances from the same vendor to the cluster.
You can set up the cluster with only one KMS instance.
If your environment supports KMS solutions from different vendors, you can add multiple KMS clusters.
If your environment includes multiple KMS clusters, and you delete the default cluster, you must set another default explicitly. See Set the Default KMS Cluster.
Verify that the key server is in the VMware Compatibility Guide for Key Management Servers (KMS) and is KMIP 1.1 compliant, and that it can be a symmetric key foundry and server.
Verify that you have the required privileges.
You can configure the KMS with IPv6 addresses.
Both vCenter Server and the KMS can be configured with only IPv6 addresses.
- Log in to the vCenter Server system with the vSphere Web Client.
- Browse the inventory list and select the vCenter Server instance.
- Click Configure and click Key Management Servers.
- Click Add KMS, specify the KMS information in the wizard, and click OK.
Select Create new cluster for a new cluster. If a cluster exists, you can select that cluster.
Name for the KMS cluster. If your vCenter Server instance becomes unavailable, you might need this name to connect to the KMS.
Alias for the KMS. You might need this alias to connect to the KMS if your vCenter Server instance becomes unavailable.
IP address or FQDN of the KMS.
Port on which vCenter Server connects to the KMS.
Optional proxy address for connecting to the KMS.
Optional proxy port for connecting to the KMS.
Some KMS vendors allow users to isolate encryption keys that are used by different users or groups by specifying a user name and password. Specify a user name only if your KMS supports this functionality, and if you intend to use it.
Some KMS vendors allow users to isolate encryption keys that are used by different users or groups by specifying a user name and password. Specify a password only if your KMS supports this functionality, and if you intend to use it.
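The same operation through the public API, as an added example that is not part of the original documentation: it validates the wizard values and then registers the KMS with the vSphere API methods `RegisterKmipServer` and `MarkDefault` through pyVmomi. The function names, the `si` parameter (assumed to be an already connected ServiceInstance), and the rule that proxy address and proxy port are set together are assumptions of this example.

```python
import ipaddress
import re

_LABEL = re.compile(r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)")

def check_host(value, field):
    """Return a normalized IPv4/IPv6 literal or FQDN, or raise ValueError."""
    try:
        return str(ipaddress.ip_address(value.strip("[]")))
    except ValueError:
        pass
    name = value.rstrip(".").lower()
    labels = name.split(".")
    if len(name) > 253 or labels[-1].isdigit() or not all(_LABEL.fullmatch(l) for l in labels):
        raise ValueError(f"{field}: not an IP address or FQDN: {value!r}")
    return name

def check_port(value, field):
    port = int(value)
    if not 1 <= port <= 65535:
        raise ValueError(f"{field}: out of range: {value!r}")
    return port

def build_kms_request(cluster, alias, address, port, proxy_address=None,
                      proxy_port=None, user_name=None, password=None):
    """Validate the values the Add KMS wizard asks for; return them as a dict."""
    if not cluster.strip() or not alias.strip():
        raise ValueError("cluster name and KMS alias are both required")
    if (proxy_address is None) != (proxy_port is None):  # assumption: set as a pair
        raise ValueError("set proxy address and proxy port together")
    if password and not user_name:
        raise ValueError("password given without a user name")
    return {
        "cluster": cluster.strip(), "alias": alias.strip(),
        "address": check_host(address, "address"), "port": check_port(port, "port"),
        "proxy_address": None if proxy_address is None else check_host(proxy_address, "proxy"),
        "proxy_port": None if proxy_port is None else check_port(proxy_port, "proxy port"),
        "user_name": user_name, "password": password,
    }

def register_kms(si, req, make_default=False):
    """Add the KMS through the vSphere API; si is a connected ServiceInstance."""
    from pyVmomi import vim  # imported here so validation works without pyVmomi
    provider = vim.encryption.KeyProviderId(id=req["cluster"])
    info = vim.encryption.KmipServerInfo(
        name=req["alias"], address=req["address"], port=req["port"],
        proxyAddress=req["proxy_address"], proxyPort=req["proxy_port"],
        userName=req["user_name"])
    spec = vim.encryption.KmipServerSpec(clusterId=provider, info=info, password=req["password"])
    crypto = si.content.cryptoManager
    crypto.RegisterKmipServer(server=spec)  # a new cluster name creates the cluster
    if make_default:
        crypto.MarkDefault(clusterId=provider)
```

Keep the validated cluster name and alias in a record outside vCenter Server, since they are the values needed to reach the KMS if the vCenter Server instance becomes unavailable.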