A database may connect to the following third party systems:

  • S3 (Agent Local Repo)
  • NTP
  • Telgraf (monitoring)
  • Backup Tools

These systems may require TLS-secured connections. In such cases, you may require that Data Management for VMware Tanzu access the systems using trusted certificates.

Data Management for VMware Tanzu automatically copies updated Agent certificates to all databases provisioned in the Onboarded Cluster. If Data Management for VMware Tanzu is unable to synchronize the certificates with a database, you must manually trigger an API endpoint to update the certs on the database.

Certificate File System Locations

Certificate files are stored in the following file system locations on the database VM:

Description File System Location
TrustStore /opt/vmware/dbaas/cert/truststore.jks
TrustStore Password /opt/vmware/dbaas/dbagent-service/config/application.yml
Trusted Certificates .pem /opt/vmware/dbaas/cert/resource-trusted-certs.pem

Data Management for VMware Tanzu adds the file name prefix resource-trusted-cert-<number>- to the <original-cert-filename>.pem of each trusted certificate, and individually copies each cert to the /etc/ssl/certs directory on the database VM.

Updating Trusted Certificates

When you update the certificates on an Agent VM, Data Management for VMware Tanzu also updates the certificates on all active databases running in the Onboarded Cluster. If this operation fails for a database, you are required to update the certificates using the Data Management for VMware Tanzu API:

  1. Identify the database VM for which you want to update the certificates. You can obtain the identifier by invoking the /provider/databases endpoint of the Data Management for VMware Tanzu API, locating the database in the output, and extracting the id.

    GET https://<provider-ip-address>/provider/databases
    

    Sample response excerpt:

    ...
      {
        "id": "b97b4b71-bb32-4fd7-a34f-1e9b13a231f5",
        "instanceName": "lisa-mysq1-inst-1",
        ...
        "dbType": "MYSQL",
        ...
      }
    ...
    
  2. Invoke the API endpoint to refresh the certificates:

    POST https://<provider-ip-address>/provider/databases/<db-id>?action=refresh-trusted-certificates
    

Deleting All Trusted Certificates

Deleting the trusted certificates on a database VM is a manual process. You must:

  1. ssh into the database VM.
  2. Delete the certificates from the /opt/vmware/dbaas/cert/truststore.jks file.
  3. Delete all of the certificates in the /etc/ssl/certs directory.
  4. Delete the certificates from the /opt/vmware/dbaas/cert/resource-trusted-certs.pem file.
check-circle-line exclamation-circle-line close-line
Scroll to top icon