To manage replications on remote cloud sites, extend your session to that site by accepting an authentication token or by providing credentials for the local VMware Cloud Director. Any replication operation to remote cloud sites and specific replication operations from remote cloud sites require an extended session.

Extending Session Authentication from Cloud to Cloud

VMware Cloud Director user logins create a session and receive a bearer JSON Web Token (JWT) used for authenticating future requests.

The Cloud Service manages its own session that is not directly tied to the VMware Cloud Director session. Create a local Cloud Service session by using either of the following two authentication methods:
  • Provide a local VMware Cloud Director user and password for authentication for creating the Cloud Service session. Internally, the Cloud Service uses those credentials for creating a brand new VMware Cloud Director session that results in a brand new JWT.
  • Alternatively, use an existing JWT without providing credentials for the Cloud Service which uses the existing VMware Cloud Director session for performing the necessary operations. The VMware Cloud Director Availability plug-in in the local VMware Cloud Director automatically uses that existing JWT for authentication.

Locally for your cloud site, by creating a Cloud Service session, you can use the local site replications, tasks, and others. As your current Cloud Service session associated a JWT for the local VMware Cloud Director, you can also browse the local VMware Cloud Director. While the JWT has not expired, you can perform replication operations that require accessing the local VMware Cloud Director.

To perform replication operations on remote cloud sites, you must extend your local Cloud Service session to the remote cloud site by using either of the following two authentication methods:

  • When the remote VMware Cloud Director organization uses local users, provide the user credentials.
  • When the local and the remote VMware Cloud Director and their organizations are associated, click Use Multisite. As one organization can be associated with multiple remote organizations, select the organization for authentication.
  • For VMware Cloud Director Availability 4.3, when multiple cloud sites use a single VMware Cloud Director instance click Use Multisite. The drop-down menu for selecting an organization contains only the current organization.

Extending your Cloud Service session from the local to the remote VMware Cloud Director without providing local user credentials for the remote VMware Cloud Director uses the JWT for authenticating the extended session to the remote site.

After authenticating to the remote site, the Cloud Service keeps the newly created extended session and for the replication operations in the remote site uses the extended session without requiring credentials.

On-Premises Authentication to the Cloud

For versions of VMware Cloud Director Availability earlier than 4.3 or earlier than vCenter Server 7.0, the on-premises tenants have the following two options for performing disaster recovery operations that require authentication to the cloud site.
  • When the VMware Cloud Director Availability vSphere Client Plug-In prompts for credentials, provide a local VMware Cloud Director user credentials for authentication. This option allows restricting the access to the on-premises infrastructure but does not allow using a dedicated identity management solution for authentication.
  • Alternatively, use the VMware Cloud Director Availability plug-in in VMware Cloud Director for replication management operations. This option allows using a dedicated identity management solution for authentication but does not allow restricting access to the local on-premises infrastructure as during pairing requires selecting Allow Access from Cloud.
With vCenter Server 7.0 or later, VMware Cloud Director Availability 4.3 provides one new authentication mechanism for the on-premises tenants for performing disaster recovery operations in the VMware Cloud Director Availability vSphere Client Plug-In that require authentication to the cloud site, for example, configuring a new replication or falling over.
  • When the VMware Cloud Director organization uses an external identity provider, for example, SAML, the on-premises tenants can now use that method for authentication.
  1. When performing a replication operation requiring authentication, the VMware Cloud Director Availability vSphere Client Plug-In prompts for providing the remote site credentials. In that prompt, clicking Use API token authentication generates and displays a temporary token for authentication that requires acceptance in the VMware Cloud Director Availability plug-in in VMware Cloud Director.
  2. Clicking Login opens a new browser window with the VMware Cloud Director Availability plug-in in VMware Cloud Director.
    1. The tenant can select their typical authentication method for authenticating to VMware Cloud Director, such as single-sign-on or multi-factor authentication.
    2. After they authenticate in VMware Cloud Director, a prompt requests verifying and accepting that the temporary token matches the one displayed in the VMware Cloud Director Availability vSphere Client Plug-In.
  3. Accepting the temporary token associates it with the existing JWT of the VMware Cloud Director session. This association grants the VMware Cloud Director Availability vSphere Client Plug-In access to the cloud site for the duration of the session and the tenant can resume the disaster recovery workflow that requested credentials.
Note:
  • The token acceptance interval is 5 minutes. After this timeframe expires, VMware Cloud Director Availability requires generating a new token.
  • A single token allows accepting or rejecting only once.
  • Accepting the token creates a regular session that is active for up to 24 hours, or 30 minutes of inactivity.
  • Logging out from vSphere invalidates the accepted token. After re-authenticating, when performing a replication operation requiring authentication you must generate a new token and then accept it.
  • The tenant must ensure logging into the correct VMware Cloud Director organization for the on-premises site, or they cannot accept the token.
  • On-premises authentication with a token requires vCenter Server 7.0 or later in the on-premises site and in each site VMware Cloud Director Availability 4.3 or later and is available only by using the VMware Cloud Director Availability vSphere Client Plug-In.

Session Expiration

  • The local Cloud Service session has a soft time limit reached due to inactivity. By default, the soft session lifespan expires after your session is idle for over 30 minutes and you are not viewing a dynamically refreshing management interface page.
  • The local Cloud Service session also has a hard time limit that you cannot prolong without re-authenticating. By default, the hard session lifespan expires after 24 hours. During this time, you can perform all operations, until you log out of the management interface, or in the Peer Sites page you select the site and you click Logout. In the Security Guide document, for more information about the two types of lifespans of the session, see Security Configuration Properties, and for more information about the user sessions, see Users and Sessions.
  • The extended Cloud Service session to a remote cloud site expires when the remote JWT becomes invalid, due to expiry or due to manual logout. By default, the lifespan of VMware Cloud Director JWT also expires in 24 hours. When modifying the lifespan of the JWT, for example, reducing to one hour, the extended session expires after one hour. When extending the lifespan of JWT over 24 hours, the extended session expires according to either of the Cloud Service session lifespans, meaning after 24 hours or after 30 minutes of inactivity.

Replication Operations Requiring Extended Session Authentication

Extend the session to the remote site for the following replication operations, depending on where the replications reside.
Incoming Replications from Cloud
To manage the replications on the remote site you can perform some replication operations without authenticating and providing the remote site credentials, while you must authenticate and provide the remote site credentials for performing the remaining replication operations.
Replication Operations Not Requiring Authentication: No Credentials Needed Replication Operations Requiring Authentication: Provide Credentials for the Remote Site
Migrate New protection
Failover New migration
Test failover Network settings
Replication settings Disk settings
Change owner
Change storage policy
Sync
Pause
Resume
Delete replication
Outgoing Replications to Cloud
To manage the replications on the remote cloud site for all replication operations you must authenticate and provide the remote site credentials.
Replication Operations Requiring Authentication: Provide Credentials for the Remote Site
Migrate
Failover
Test failover
New protection
New migration
Replication settings
Network settings
Disk settings
Change storage policy
Sync
Pause
Resume
Delete replication

Tenant Organization Impersonation

For information about impersonating as a tenant, see Log In by Using the VMware Cloud Director™ Provider Admin Portal.