In VMware ESXi, I/O filters can gain direct access to the virtual machine I/O path. The I/O filters are independent of the storage topology, and an I/O filter can be enabled at the level of an individual virtual disk.
VMware offers certain categories of I/O filters; in addition, third-party vendors can create I/O filters. Typically, they are distributed as packages that provide an installer to deploy the filter components on vCenter Server and ESXi host clusters.
After the I/O filters are deployed, vCenter Server configures and registers an I/O filter storage provider, also called a VASA provider, for each host in the cluster. The storage providers communicate with vCenter Server and make data services offered by the I/O filter visible in the VM Storage Policies interface. You can reference these data services when defining common rules for a VM policy. After you associate virtual disks with this policy, the I/O filters are enabled on the virtual disks.
Each ESXi host has its own storage provider, but vCenter uses certificates in order to “talk” with the different VASA providers… and certificates can expire (or become less secure if they are too old)!
The procedure to renew the I/O filter certificate is described in VMware KB 320568 (https://knowledge.broadcom.com/external/article/320568/how-to-renew-an-iofilter-certificate.html).
Note: Please take a valid snapshot of the vCenter before proceeding. If the vCenter is in linked mode, take an offline snapshot of all the vCenters in linked mode. Then proceed with caution.
If the ESXi host SSL certificate validity period is longer than the IOFilter VP certificate validity period, there is no need to renew the ESXi host SSL certificate. Otherwise you have to renew the ESXi host SSL certificate and confirm the certificate expiry date.
To renew ESXi certificates from the CLI, connect to each ESXi host with SSH and then enter the SSL directory:
cd /etc/vmware/ssl
Rename the old rui.crt and rui.key files:
mv rui.crt old.rui.crt
mv rui.key old.rui.key
Run the generation command:
/sbin/generate-certificates
Restart all the ESXi services with the command services.sh restart:
services.sh restart
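A check that can be run from the ESXi shell once /sbin/generate-certificates has finished, added here as an example and not taken from the VMware KB: it confirms that rui.key belongs to rui.crt, that the new certificate differs from old.rui.crt, and that it stays valid for a minimum number of days. The function names, the status words, the 365-day default and the availability of openssl on the host are assumptions of this example.

```shell
#!/bin/sh
# Added example: post-renewal checks for the ESXi host certificate.
# Assumption: openssl is on PATH; file names follow the procedure above.

# Exit 0 if certificate $1 is still valid $2 days from now.
valid_for_days() {
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1
}

# Public key (PEM) carried by certificate $1, or derived from private key $1.
cert_pubkey() { openssl x509 -in "$1" -noout -pubkey 2>/dev/null; }
key_pubkey()  { openssl pkey -in "$1" -pubout 2>/dev/null; }

# SHA-256 fingerprint of certificate $1.
cert_fp() { openssl x509 -in "$1" -noout -fingerprint -sha256 2>/dev/null; }

# check_renewed_cert DIR MIN_DAYS
# Prints one status word and returns non-zero on any problem:
#   missing    rui.crt or rui.key cannot be read
#   mismatch   rui.key is not the private key of rui.crt
#   unchanged  rui.crt has the same fingerprint as old.rui.crt
#   expiring   rui.crt expires within MIN_DAYS days
#   ok         all checks passed
check_renewed_cert() {
    dir=$1; min_days=$2
    crt="$dir/rui.crt"; key="$dir/rui.key"; old="$dir/old.rui.crt"
    if [ ! -r "$crt" ] || [ ! -r "$key" ]; then echo missing; return 1; fi
    cpub=$(cert_pubkey "$crt"); kpub=$(key_pubkey "$key")
    if [ -z "$cpub" ] || [ "$cpub" != "$kpub" ]; then echo mismatch; return 1; fi
    if [ -r "$old" ] && [ "$(cert_fp "$crt")" = "$(cert_fp "$old")" ]; then
        echo unchanged; return 1
    fi
    if ! valid_for_days "$crt" "$min_days"; then echo expiring; return 1; fi
    echo ok
}

# Runs only when a directory is given, e.g.:
#   sh check_cert.sh /etc/vmware/ssl 365
if [ "$#" -ge 1 ]; then
    check_renewed_cert "$1" "${2:-365}"
    openssl x509 -in "$1/rui.crt" -noout -subject -enddate
fi
```

The final line prints the subject and notAfter date, which is the value to compare against the IOFilter VP certificate's expiry.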
It’s also possible to renew the ESXi certificates from the vSphere Client.
After renewing each ESXi host SSL certificate, disconnect the ESXi host from vCenter and reconnect it.
If the IOFilter storage provider is not online or the IOFilter certificate is not renewed, follow VMware KB 318887 (Certain IOFIlter Providers are showing as offline).
Caution:
- Please do not delete the SMS self-signed certificate. The SMS self-signed certificate is used during communication with the IOFilter VP, and the SMS self-signed certificate and the VP certificate are two different entities.
- Deleting sms_self_signed will take all VASA providers offline on restart of the SPS service, and the customer will need to unregister all VPs (VASA providers) and re-register them.