The Data Management for VMware Tanzu service components connect to various third party systems. When these systems are TLS-secured; you may require that DMS access the systems using trusted certificates.
You can add or update trusted certificates in your Data Management for VMware Tanzu only via the API; this operation is not yet supported through the console.
When you invoke the Data Management for VMware Tanzu API to add or change a trusted certificate after deployment, DMS replaces the original certificate with the new cert. To ensure that you retain all trusted certificates when updating, follow these best practices:
GEToperation on the API endpoint to retrieve the existing certificates.
POSToperation on the API endpoint with the complete set of certificates (original plus new).
When you update a certificate after deployment, you must update the certificate on all running Providers and Agents in your Data Management for VMware Tanzu installation. DMS will automatically propagate the new/updated certificates to Agents deployed after the certificate update.
Be aware of the following impacts to your Data Management for VMware Tanzu installation when you update certificates:
Host name verification is mandatory for TLS-based Provider, vCenter, and MinIO URLs:
|The Provider VM has been recovered.||Provider VM||No action required; Data Management for VMware Tanzu automatically copies and trusts all trusted certificates on the new Provider.|
|The Agent VM has been recovered.||Agent VM||Manually upload the certificates to the recovered Agent.|
|Provider High Availability is configured.||Provider VM (Primary and Standbys)||No action required; Data Management for VMware Tanzu automatically synchronizes trusted certificates across the HA cluster.|
|Trusted certificates fail to synchronize to a Provider in an HA cluster.||Provider VM (Standby)||Retrigger the certificate synchronization API as described in Synchronizing Trusted Certificates.|
|The S3 trusted certificate expires.||Provider VM, Agent VM, Service Instance VM||Replace existing certificate with the new certificate.|
|The LDAP trusted certificate expires.||Provider VM||Replace existing certificate with the new certificate.|
|New trusted certificates must be added to the Provider or Agent.||Provider VM, Agent VM||Manually update the certificates.|
|New trusted certificates must be added to the Service Instance.||Service Instance VM||Manually update the certificates.|
|Trust on first use SSL validation occurs.||Provider VM, Agent VM||No action required; DMS adds the new certificate to the truststore with no impact on already trusted certificates.|
|The Provider Repo and Agent's Local Storage Repo reside on different MinIOs.||Agent VM||The Provider Repo certificate is required by the Agent to download templates to Local Repo. Provider Administrator must share the certificate of the Provider Repo with the user that is onboarding the Agent.|