VMAX and Dell EMC Unity: Failed to register VASA Provider due to a certification error (User Correctable)
Summary: This articles describes how to register the Certificate Authority (CA) provisions certificates for VMware ESXi hosts and vSphere vCenter servers for your Unity Storage.
This article applies to
This article does not apply to
This article is not tied to any specific product.
Not all product versions are identified in this article.
Symptoms
Failed to register vStorage APIs for Storage Awareness (VASA) Provider due to a certification error.
Error msg:
The "Register new storage provider" operation failed for the entity with the following error message.
A problem was encountered while provisioning a VMware Certificate Authority (VMCA) signed certificate for the provider.
A vCenter session is based on secure HTTPS communication between a vCenter Server and a VP(VASA Provider). The VASA architecture uses SSL certificates and VASA session identifiers to support secure connections.
In VASA 3.0 and VASA 2.0, vCenter Server acts as the VMware certificate authority (VMCA). The VP transmits a self-signed certificate on request, after authorizing the request. It adds the vCenter Server certificate to its truststore, then issues a certificate signing request, and replaces its self-signed certificate with the VMCA signed certificate. Future connections will be authenticated by the server (the VP) using the client (SMS) certificate validated against the previously registered root signing certificate. A VP generates unique identifiers for storage entity objects, and vCenter Server uses the identifier to request data for a specific entity.
Cause
The registration of the VASA Provider was done on a vSphere vCenter running as subordinate CA.
In vSphere 6.0 and later, there are three different modes for how the Certificate Authority (CA) provisions certificates for VMware ESXi hosts and vSphere vCenter servers:
In vSphere 6.0 and later, there are three different modes for how the Certificate Authority (CA) provisions certificates for VMware ESXi hosts and vSphere vCenter servers:
- Using the VMware Certificate Authority (VMCA) is default.
- Using the VMCA as a subordinate CA to a custom certificate authority.
- Using a custom CA as the direct root CA.
Resolution
Workaround:
The storage array supports only the default configuration where the VMCA provisioning certificate as the root certificate authority. VMware ESXi hosts and vCenter servers are authenticated by ensuring that the client certificate, presented to the array, has been signed by a trusted CA, which must be the VMCA for the storage arrays.
It is recommended that you configure your VMCA to provision certificates as the root certificate authority.
Dell EMC Engineering is currently investigating a potential workaround for the Dell EMC Unity product line. Contact your Service Provider referencing this knowledge article for the current status for the Dell EMC Unity product.
Permanent Fix:
An enhancement request has been submitted to allow for subordinate configuration.
The storage array supports only the default configuration where the VMCA provisioning certificate as the root certificate authority. VMware ESXi hosts and vCenter servers are authenticated by ensuring that the client certificate, presented to the array, has been signed by a trusted CA, which must be the VMCA for the storage arrays.
It is recommended that you configure your VMCA to provision certificates as the root certificate authority.
Dell EMC Engineering is currently investigating a potential workaround for the Dell EMC Unity product line. Contact your Service Provider referencing this knowledge article for the current status for the Dell EMC Unity product.
Permanent Fix:
An enhancement request has been submitted to allow for subordinate configuration.
Additional Information
Error msg:
info vvold VasaSession::Initialize url is empty
warning vvold VasaSession::DoSetContext: Empty VP URL for VP
info vvold Initialize: Failed to establish connection
error vvold Initialize: Unable to init session to VP state: 0 "
Unity: VasaSession::Initialize url is empty, VasaSession::DoSetContext: Empty VP URL for VP
warning vvold VasaSession::DoSetContext: Empty VP URL for VP
info vvold Initialize: Failed to establish connection
error vvold Initialize: Unable to init session to VP state: 0 "
Unity: VasaSession::Initialize url is empty, VasaSession::DoSetContext: Empty VP URL for VP
Affected Products
Dell EMC Unity FamilyProducts
Dell EMC Unity Family, VASA Provider, VMAX, VMAX All Flash, VMAX3 SeriesArticle Properties
Article Number: 000168113
Article Type: Solution
Last Modified: 10 May 2021
Version: 3
Find answers to your questions from other Dell users
Support Services
Check if your device is covered by Support Services.