A Service Instance may connect to the following third party systems:

  • S3 (Agent Local Repo)
  • NTP
  • Telegraf (monitoring)
  • Backup Tools

These systems may require TLS-secured connections. In such cases, you may require that DMS access the systems using trusted certificates.

Data Management for VMware Tanzu automatically copies updated Agent certificates to all Service Instances provisioned in the Onboarded Cluster. If DMS is unable to synchronize the certificates with a Service Instance, you must manually trigger an API endpoint to update the certs on the instance.

Certificate File System Locations

Certificate files are stored in the following file system locations on the Service Instance VM:

Description                  File System Location
TrustStore                   /opt/vmware/dbaas/cert/truststore.jks
TrustStore Password          /opt/vmware/dbaas/dbagent-service/config/application.yml
Trusted Certificates .pem    /opt/vmware/dbaas/cert/resource-trusted-certs.pem

Data Management for VMware Tanzu adds the file name prefix resource-trusted-cert-<number>- to the <original-cert-filename>.pem of each trusted certificate, and individually copies each cert to the /etc/ssl/certs directory on the Service Instance VM.
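To check on a Service Instance VM whether the per-certificate copies in /etc/ssl/certs match the trusted certificates .pem file (for example when a synchronization is suspected to have failed), the following added example compares SHA-256 fingerprints. It is not part of the product or its documentation, and it assumes that Python 3 is available and that resource-trusted-certs.pem holds the same certificates as the prefixed copies.

```python
import hashlib
import re
import ssl
from pathlib import Path

# Paths and file name scheme as given on this page.
BUNDLE = Path("/opt/vmware/dbaas/cert/resource-trusted-certs.pem")
CERT_DIR = Path("/etc/ssl/certs")
COPY_NAME = re.compile(r"^resource-trusted-cert-\d+-.+\.pem$")
PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----.+?-----END CERTIFICATE-----", re.DOTALL)


def fingerprints(pem_text):
    """SHA-256 over the decoded bytes of every certificate block in pem_text."""
    return {
        hashlib.sha256(ssl.PEM_cert_to_DER_cert(block)).hexdigest()
        for block in PEM_BLOCK.findall(pem_text)
    }


def compare(bundle=BUNDLE, cert_dir=CERT_DIR):
    """Report certificates present on only one side (assumed to be in sync)."""
    in_bundle = fingerprints(bundle.read_text()) if bundle.exists() else set()
    candidates = sorted(cert_dir.iterdir()) if cert_dir.is_dir() else []
    copies = {}  # fingerprint -> file name of the prefixed copy
    for path in candidates:
        if COPY_NAME.match(path.name) and path.is_file():
            for fp in fingerprints(path.read_text()):
                copies[fp] = path.name
    return {
        "missing_copy": sorted(in_bundle - copies.keys()),
        "not_in_bundle": sorted(copies[fp] for fp in copies.keys() - in_bundle),
    }


if __name__ == "__main__":
    result = compare()
    for fp in result["missing_copy"]:
        print("in bundle, no copy in /etc/ssl/certs:", fp)
    for name in result["not_in_bundle"]:
        print("copy not present in bundle:", name)
    if not any(result.values()):
        print("bundle and copies match")
```

The JKS TrustStore is not inspected by this check.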

Updating Trusted Certificates

When you update the certificates on an Agent VM, Data Management for VMware Tanzu also updates the certificates on all active Service Instances running in the Onboarded Cluster. If this operation fails for a Service Instance, you are required to update the certificates using the Data Management for VMware Tanzu API:

  1. Identify the Service Instance VM for which you want to update the certificates. You can obtain the identifier by invoking the /provider/databases endpoint of the Data Management for VMware Tanzu API, locating the instance in the output, and extracting the id.

    GET https://<provider-ip-address>/provider/databases
    

    Sample response excerpt:

    ...
      {
        "id": "b97b4b71-bb32-4fd7-a34f-1e9b13a231f5",
        "instanceName": "lisa-mysq1-inst-1",
        ...
        "dbType": "MYSQL",
        ...
      }
    ...
    
  2. Invoke the API endpoint to refresh the certificates:

    POST https://<provider-ip-address>/provider/databases/<db-id>?action=refresh-trusted-certificates
    

Deleting All Trusted Certificates

Deleting the trusted certificates on a Service Instance VM is a manual process. You must:

  1. ssh into the Service Instance VM.
  2. Delete the certificates from the /opt/vmware/dbaas/cert/truststore.jks file.
  3. Delete all of the certificates in the /etc/ssl/certs directory.
  4. Delete the certificates from the /opt/vmware/dbaas/cert/resource-trusted-certs.pem file.