You add a KMS to your vCenter Server system from the vSphere Web Client or by using the public API.

Before you begin

  • Verify that the key server is in the vSphere Compatibility Matrixes and is KMIP 1.1 compliant, and that it can be a symmetric key foundry and server.

  • Verify that you have the required privileges: Cryptographic operations > Manage key servers.

  • Connecting to a KMS by using only an IPv6 address is not supported.

About this task

vCenter Server creates a KMS cluster when you add the first KMS instance.

  • When you add the KMS, you are prompted to set this cluster as a default. You can later change the default cluster explicitly.

  • After vCenter Server creates the first cluster, you can add KMS instances from the same vendor to the cluster.

  • You can set up the cluster with only one KMS instance.

  • If your environment supports KMS solutions from different vendors, you can add multiple KMS clusters.

  • If your environment includes multiple KMS clusters, and you delete the default cluster, you must set the default explicitly. See Set the Default KMS Cluster.

Procedure

  1. Log in to the vCenter Server system with the vSphere Web Client.
  2. Browse the inventory list and select the vCenter Server instance.
  3. Click Configure and click Key Management Servers.
  4. Click Add KMS, specify the KMS information in the wizard, and click OK.

    Option

    Value

    KMS cluster

    Select Create new cluster for a new cluster. If a cluster exists, you can select that cluster.

    Cluster name

    Name for the KMS cluster. You might need this name to connect to the KMS if your vCenter Server instance becomes unavailable.

    Server alias

    Alias for the KMS. You might need this alias to connect to the KMS if your vCenter Server instance becomes unavailable.

    Server address

    IP address or FQDN of the KMS.

    Server port

    Port on which vCenter Server connects to the KMS.

    Proxy address

    Optional proxy address for connecting to the KMS.

    Proxy port

    Optional proxy port for connecting to the KMS.

    User name

    Some KMS vendors allow users to isolate encryption keys that are used by different users or groups by specifying a user name and password. Specify a user name only if your KMS supports this functionality, and if you intend to use it.

    Password

    Some KMS vendors allow users to isolate encryption keys that are used by different users or groups by specifying a user name and password. Specify a password only if your KMS supports this functionality, and if you intend to use it.