Introduction
This KB article addresses an issue encountered when integrating Vault's KMIP (Key Management Interoperability Protocol) secrets engine with VMware or other KMIP-compatible applications. Despite a successful TLS handshake between the KMIP client and Vault, encryption operations fail. This typically occurs when the Vault Enterprise license is missing, expired, or does not include the KMIP feature.
Issue Summary
When attempting to use Vault's KMIP secrets engine to manage encryption keys for VMware or other third-party clients, the KMIP TLS handshake completes successfully, but the actual encryption or key management operations are never executed.
This is often due to Vault rejecting KMIP requests after the TLS handshake because the Enterprise license check fails. A successful handshake only proves that the client and the KMIP listener trust each other's certificates; the license is checked when the request itself is processed, so from the client's side the symptom is a connection that is established but never completes an operation.
Observed Logs (from Vault Server)
After the TLS handshake completes, the Vault server log contains the following warning for the rejected KMIP request:
    Vault KMIP license check failed, rejecting request
Root Cause
Vault Enterprise's KMIP secrets engine requires a valid Enterprise license that includes the KMIP feature. In this scenario:
- The client initiates a KMIP connection.
- The TLS handshake completes successfully.
- Vault then fails the KMIP license validation and logs the warning shown above: Vault KMIP license check failed, rejecting request
- As a result, the KMIP request is not processed, and no encryption operations occur.
Workaround / Solution
- Verify the Vault Enterprise license: ensure your Vault instance is running with a valid, unexpired Enterprise license whose feature list includes KMIP.
  You can check the license status with the Vault CLI (which reads the sys/license/status API endpoint) and filter the output for the KMIP feature:
    vault read /sys/license/status | grep -i kmip
  Example output of the license status with the KMIP feature present (license identifiers masked):
    autoloaded map[expiration_time:2025-09-21T00:00:00Z features:[***** KMIP **** Secrets Sync] license_id:******* performance_standby_count:9999 start_time:****** termination_time:*****]
  If the grep returns nothing, the features list does not contain KMIP; also check that expiration_time is still in the future, since an expired license fails the same check.
- Apply or update the license (if missing or invalid):
  - Obtain a valid license from HashiCorp.
  - Apply the license following the steps in the linked HashiCorp documentation.
- Test an encryption operation from VMware or the external client: after the license check passes, KMIP requests should succeed and encryption operations should be processed.
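The following preflight script is an added example, not part of the original article or of HashiCorp's tooling. It automates the license check described above: it parses the JSON form of the license status (`vault read -format=json sys/license/status`), confirms that the feature list contains KMIP and that expiration_time has not passed, and fails loudly otherwise. The JSON samples embedded at the bottom are constructed for the example (made-up IDs and dates) so the script runs offline; with VAULT_ADDR and VAULT_TOKEN set and the `vault` CLI on PATH it checks the live server instead.

```sh
#!/bin/sh
# Preflight check: does this Vault's license actually carry the KMIP feature,
# and is it still valid? Run before pointing VMware (or any KMIP client) at
# the KMIP listener. Assumes the `vault` CLI is on PATH with VAULT_ADDR and
# VAULT_TOKEN set for the live check; offline it runs against constructed data.

# Print one licensed feature per line from license-status JSON read on stdin.
# The JSON is collapsed to one line first so the pretty-printed array matches.
license_features() {
    tr -d '\n' \
        | sed -n 's/.*"features": *\[\([^]]*\)\].*/\1/p' \
        | tr ',' '\n' \
        | sed 's/^[[:space:]]*"//; s/"[[:space:]]*$//'
}

# Print expiration_time as YYYYMMDDhhmmss so it can be compared with -lt.
license_expiration() {
    tr -d '\n' \
        | sed -n 's/.*"expiration_time": *"\([^"]*\)".*/\1/p' \
        | tr -cd '0-9'
}

# $1: JSON from `vault read -format=json sys/license/status`.
# Returns 0 if KMIP is licensed and the license has not expired, 1 otherwise.
check_kmip_license() {
    json=$1
    features=$(printf '%s' "$json" | license_features)
    if [ -z "$features" ]; then
        echo "FAIL: no features array in license status (read failed or no license loaded?)"
        return 1
    fi
    if ! printf '%s\n' "$features" | grep -qx 'KMIP'; then
        echo "FAIL: license features lack KMIP; Vault will log 'Vault KMIP license check failed, rejecting request'"
        return 1
    fi
    exp=$(printf '%s' "$json" | license_expiration)
    now=$(date -u +%Y%m%d%H%M%S)
    if [ -z "$exp" ] || [ "$exp" -lt "$now" ]; then
        echo "FAIL: license expired or expiration_time unreadable (expiration_time=${exp:-none})"
        return 1
    fi
    echo "OK: KMIP feature present, license valid until $exp"
    return 0
}

# Constructed samples shaped like the real status output; the IDs and dates
# are made up for this example, not taken from any real license.
SAMPLE_KMIP='{
  "data": {
    "autoloaded": {
      "expiration_time": "2099-01-01T00:00:00Z",
      "features": ["Performance Replication", "KMIP", "Secrets Sync"],
      "license_id": "00000000-0000-0000-0000-000000000000"
    }
  }
}'
SAMPLE_NO_KMIP='{"data":{"autoloaded":{"expiration_time":"2099-01-01T00:00:00Z","features":["Performance Replication","Secrets Sync"]}}}'
SAMPLE_EXPIRED='{"data":{"autoloaded":{"expiration_time":"2000-01-01T00:00:00Z","features":["KMIP"]}}}'

if [ -n "$VAULT_ADDR" ] && command -v vault >/dev/null 2>&1; then
    # Live check against the running Vault.
    check_kmip_license "$(vault read -format=json sys/license/status)"
else
    # No Vault reachable: exercise the check against the constructed samples.
    check_kmip_license "$SAMPLE_KMIP"
    check_kmip_license "$SAMPLE_NO_KMIP" || true
    check_kmip_license "$SAMPLE_EXPIRED" || true
fi
```

The parsing deliberately uses only sed, tr and grep so it works on a minimal jump host without jq; the greedy `.*` in the sed expressions picks the last "features" and "expiration_time" keys, which for the status endpoint belong to the same license in both the autoloaded and persisted sections. Run it from the same network position as the KMIP client so a failing result can be attributed to the license rather than to reachability.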