The Data Management for VMware Tanzu service components connect to various third-party systems. When these systems are TLS-secured, you may require that DMS access them using trusted certificates.

You can add or update trusted certificates in your Data Management for VMware Tanzu installation only via the API; this operation is not yet supported through the console.

Best Practices for Certificate Update

When you invoke the Data Management for VMware Tanzu API to add or change a trusted certificate after deployment, DMS replaces the existing set of trusted certificates with the set you supply; any certificate you omit from the request is no longer trusted. To ensure that you retain all trusted certificates when updating, follow these best practices:

  • Use the GET operation on the API endpoint to retrieve the existing certificates.
  • Add the new trusted certificates to the list of existing certs.
  • Invoke the POST operation on the API endpoint with the complete set of certificates (original plus new).

When you update a certificate after deployment, you must update the certificate on all running Providers and Agents in your Data Management for VMware Tanzu installation. DMS automatically propagates new or updated certificates only to Agents deployed after the certificate update.
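The GET, merge, POST sequence above is easy to get wrong by hand (a POST of only the new certificate silently drops everything already trusted). The following Python script is an added example, not code from the DMS product or its API reference: the endpoint path, the bearer-token header and the JSON key "certificates" are assumptions that you must replace with the values from the DMS API documentation for your release. The merge deduplicates by SHA-256 fingerprint of the DER bytes, so the same CA supplied with different line wrapping is not added twice, and it re-reads the store after the POST to confirm nothing was lost. The sample "certificates" at the bottom are constructed placeholders (base64 of short strings, not real DER) so the merge logic runs offline.

```python
import base64
import hashlib
import json
import re
import urllib.request

# Hypothetical endpoint and payload shape: the page does not name the endpoint,
# so adjust these to the DMS API reference for your release.
CERT_API_PATH = "/api/trusted-certificates"

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S
)


def fingerprint(pem):
    """SHA-256 over the DER bytes inside one PEM block; line wrapping and
    whitespace differences in the PEM text do not change the result."""
    m = PEM_RE.search(pem)
    if m is None:
        raise ValueError("not a PEM CERTIFICATE block")
    der = base64.b64decode("".join(m.group(1).split()))
    return hashlib.sha256(der).hexdigest()


def merge_certificates(existing, new):
    """Return existing + new with duplicates (by fingerprint) dropped, existing
    entries first, so a POST of the result never removes a trusted cert."""
    merged, seen = [], set()
    for pem in list(existing) + list(new):
        fp = fingerprint(pem)
        if fp not in seen:
            seen.add(fp)
            merged.append(pem)
    return merged


def missing_fingerprints(expected, actual):
    """Fingerprints of certificates in `expected` that are absent from `actual`."""
    have = {fingerprint(p) for p in actual}
    return sorted({fingerprint(p) for p in expected} - have)


def _call(base_url, token, method, body=None):
    # Assumed: bearer-token auth and a JSON body; check the DMS API reference.
    req = urllib.request.Request(
        base_url.rstrip("/") + CERT_API_PATH,
        data=None if body is None else json.dumps(body).encode(),
        method=method,
        headers={"Authorization": "Bearer " + token,
                 "Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def add_trusted_certificates(base_url, token, new_pems):
    """GET the current set, merge, POST the complete set, then GET again and
    confirm nothing was dropped. Returns the fingerprints still missing after
    the update (empty list on success)."""
    current = _call(base_url, token, "GET")["certificates"]   # assumed JSON key
    wanted = merge_certificates(current, new_pems)
    if len(wanted) == len(current):
        return []                         # nothing new to add; skip the POST
    _call(base_url, token, "POST", {"certificates": wanted})
    after = _call(base_url, token, "GET")["certificates"]
    return missing_fingerprints(wanted, after)


# Constructed placeholder "certificates": base64 of short byte strings, not real
# DER, used only so the merge logic can be exercised without a DMS installation.
def _fake_pem(label):
    b64 = base64.b64encode(label.encode()).decode()
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % b64


SAMPLE_EXISTING = [_fake_pem("vcenter-ca"), _fake_pem("minio-ca")]
SAMPLE_NEW = [_fake_pem("ldap-ca"), _fake_pem("minio-ca")]   # one duplicate


if __name__ == "__main__":
    merged = merge_certificates(SAMPLE_EXISTING, SAMPLE_NEW)
    print("would POST %d certificates:" % len(merged))
    for pem in merged:
        print("  sha256:" + fingerprint(pem))
```

Run add_trusted_certificates() once per Provider, and once per Agent that was already deployed when the certificate changed, since the page notes that only Agents deployed afterwards receive the new set automatically. A non-empty return value means the store read back after the POST does not contain every certificate you sent and the update should be repeated before any backup or restore that depends on the new trust relationship.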

Understanding the Impacts of Certificate Updates

Be aware of the following impacts to your Data Management for VMware Tanzu installation when you update certificates:

  • Updating a certificate on a Provider VM or Agent VM may affect in-progress backup, restore, and template publishing operations.
  • Updating a certificate on a Service Instance VM may result in a temporary transaction log failure.
  • Hostname verification is mandatory for TLS-based Provider, vCenter, and MinIO URLs:

    • If you register the URL using the FQDN, it must match the CN of the certificate.
    • If you register the URL using an IP address, the address must be present in the SAN section of the certificate; an IP address that appears only in the CN is not sufficient.
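Because a mismatch surfaces only as a failed connection after the URL is registered, it is worth checking the certificate against the exact host form you intend to register beforehand. The following Python code is an added example, not part of the DMS product: it applies the two rules above to a certificate in the dict layout that Python's ssl.SSLSocket.getpeercert() returns, so the same function can be run against a live peer certificate. The two sample certificates are constructed for illustration. The FQDN rule is applied as the page states it (match against the CN), with a matching SAN DNS entry also accepted, which is what current TLS clients check.

```python
import ipaddress
from urllib.parse import urlparse

# Constructed sample certificates in the dict layout returned by
# ssl.SSLSocket.getpeercert() (only the fields the checks need).
CERT_WITH_SAN = {
    "subject": ((("commonName", "minio.example.internal"),),),
    "subjectAltName": (("DNS", "minio.example.internal"),
                       ("IP Address", "10.0.0.25")),
}
CERT_CN_ONLY = {
    "subject": ((("commonName", "10.0.0.25"),),),   # IP only in the CN
}


def common_name(cert):
    for rdn in cert.get("subject", ()):
        for attr, value in rdn:
            if attr == "commonName":
                return value
    return None


def san_entries(cert, kind):
    """SAN values of one kind, e.g. "DNS" or "IP Address"."""
    return [value for entry_kind, value in cert.get("subjectAltName", ())
            if entry_kind == kind]


def hostname_matches(cert, host):
    """Page rule: an IP literal must appear among the SAN IP entries; an FQDN
    must equal the CN (a matching SAN DNS entry is also accepted)."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    if ip is not None:
        return any(ipaddress.ip_address(v) == ip
                   for v in san_entries(cert, "IP Address"))
    host = host.lower().rstrip(".")
    cn = common_name(cert)
    if cn is not None and cn.lower().rstrip(".") == host:
        return True
    return any(v.lower().rstrip(".") == host for v in san_entries(cert, "DNS"))


def check_registered_url(cert, url):
    """Take the URL exactly as it would be registered with DMS, extract the
    host part, and check it against the certificate. Returns (ok, reason)."""
    host = urlparse(url).hostname
    if host is None:
        return False, "URL has no host part"
    if hostname_matches(cert, host):
        return True, "host %r matches the certificate" % host
    try:
        ipaddress.ip_address(host)
        return False, "IP %r is not in the certificate SAN" % host
    except ValueError:
        return False, "FQDN %r matches neither CN %r nor any SAN DNS entry" % (
            host, common_name(cert))


if __name__ == "__main__":
    for cert, url in [(CERT_WITH_SAN, "https://minio.example.internal:9000"),
                      (CERT_WITH_SAN, "https://10.0.0.25:9000"),
                      (CERT_CN_ONLY, "https://10.0.0.25:9000")]:
        print(url, "->", check_registered_url(cert, url))
```

To run this against a real endpoint, open a TLS connection with ssl.create_default_context() (after loading the CA you intend to trust), call getpeercert() on the socket, and pass the result with the URL you plan to register. The CERT_CN_ONLY case shows the failure mode the page warns about: a certificate that carries the IP address only in its CN fails the check, so the URL must be registered by FQDN or the certificate reissued with an IP SAN.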

Certificate-Related Scenarios

  • Scenario: The Provider VM has been recovered.
    Affected VMs: Provider VM
    Action: No action required; Data Management for VMware Tanzu automatically copies and trusts all trusted certificates on the new Provider.

  • Scenario: The Agent VM has been recovered.
    Affected VMs: Agent VM
    Action: Manually upload the certificates to the recovered Agent.

  • Scenario: Provider High Availability is configured.
    Affected VMs: Provider VM (Primary and Standbys)
    Action: No action required; Data Management for VMware Tanzu automatically synchronizes trusted certificates across the HA cluster.

  • Scenario: Trusted certificates fail to synchronize to a Provider in an HA cluster.
    Affected VMs: Provider VM (Standby)
    Action: Retrigger the certificate synchronization API as described in Synchronizing Trusted Certificates.

  • Scenario: The S3 trusted certificate expires.
    Affected VMs: Provider VM, Agent VM, Service Instance VM
    Action: Replace the existing certificate with the new certificate.

  • Scenario: The LDAP trusted certificate expires.
    Affected VMs: Provider VM
    Action: Replace the existing certificate with the new certificate.

  • Scenario: New trusted certificates must be added to the Provider or Agent.
    Affected VMs: Provider VM, Agent VM
    Action: Manually update the certificates.

  • Scenario: New trusted certificates must be added to the Service Instance.
    Affected VMs: Service Instance VM
    Action: Manually update the certificates.

  • Scenario: Trust-on-first-use (TOFU) TLS validation occurs.
    Affected VMs: Provider VM, Agent VM
    Action: No action required; DMS adds the new certificate to the truststore with no impact on already trusted certificates.

  • Scenario: The Provider Repo and the Agent's Local Storage Repo reside on different MinIO instances.
    Affected VMs: Agent VM
    Action: The Agent requires the Provider Repo certificate to download templates to the Local Repo. The Provider Administrator must share the certificate of the Provider Repo with the user who is onboarding the Agent.