The Data Management for VMware Tanzu service components connect to various third party systems. When these systems are TLS-secured; you may require that Data Management for VMware Tanzu access the systems using trusted certificates.
You can add or update trusted certificates in your Data Management for VMware Tanzu only via the API; this operation is not yet supported through the console.
Best Practices for Certificate Update
When you invoke the API to add or change a trusted certificate after deployment, Data Management for VMware Tanzu replaces the original certificate with the new cert. To ensure that you retain all trusted certificates when updating, follow these best practices:
- Use the
GEToperation on the API endpoint to retrieve the existing certificates. - Add the new trusted certificates to the list of existing certs.
- Invoke the
POSToperation on the API endpoint with the complete set of certificates (original plus new).
When you update a certificate after deployment, you must update the certificate on all running Providers and Agents in your Data Management for VMware Tanzu installation. Data Management for VMware Tanzu will automatically propagate the new/updated certificates to Agents deployed after the certificate update.
Understanding the Impacts of Certificate Updates
Be aware of the following impacts to your Data Management for VMware Tanzu installation when you update certificates:
Updating a certificate on a Provider VM or Agent VM may affect in progress backup, restore, and database template publishing operations.
Updating a certificate on a database may result in a temporary transaction log failure.
Host name verification is mandatory for TLS-based Provider, vCenter, and MinIO URLs:
- If you register the URL using the FQDN, it must match the CN of the certificate.
- If you register the URL using an IP address, the address must be present in the SAN section of the certificate.
Certificate-Related Scenarios
| Scenario | Affected VMs | Action |
|---|---|---|
| The Provider VM has been recovered. | Provider VM | No action required; Data Management for VMware Tanzu automatically copies and trusts all trusted certificates on the new Provider. |
| The Agent VM has been recovered. | Agent VM | Manually upload the certificates to the recovered Agent. |
| Provider High Availability is configured. | Provider VM (Primary and Standbys) | No action required; Data Management for VMware Tanzu automatically synchronizes trusted certificates across the HA cluster. |
| Trusted certificates fail to synchronize to a Provider in an HA cluster. | Provider VM (Standby) | Retrigger the certificate synchronization API as described in Synchronizing Trusted Certificates. |
| The S3 trusted certificate expires. | Provider VM, Agent VM, database | Replace existing certificate with the new certificate. |
| The LDAP trusted certificate expires. | Provider VM | Replace existing certificate with the new certificate. |
| New trusted certificates must be added to the Provider or Agent. | Provider VM, Agent VM | Manually update the certificates. |
| New trusted certificates must be added to the database. | Database | Manually update the certificates. |
| Trust on first use SSL validation occurs. | Provider VM, Agent VM | No action required; Data Management for VMware Tanzu adds the new certificate to the truststore with no impact on already trusted certificates. |
| The Provider Repo and Agent's Local Storage Repo reside on different MinIOs. | Agent VM | The Provider Repo certificate is required by the Agent to download database templates to Local Repo. Provider Administrator must share the certificate of the Provider Repo with the user that is onboarding the Agent. |
