As a cloud provider, refer to the content in this chapter to learn how to set up VMware Cloud Director Encryption Management for your tenants.
Before you begin
Before you install and configure the VMware Cloud Director Encryption Management solution, you must first prepare your environment.
The VMware Cloud Director Encryption Management appliance requires your VMware Cloud Director environment to be configured in a specific way. To prepare all components in your environment, ensure you satisfy the requirements in the following table.
Product | Requirements
---|---
vSphere |
VMware Cloud Director |
Key Provider |
VMware Cloud Director Encryption Management |
Installing VMware Cloud Director Encryption Management
You install VMware Cloud Director Encryption Management on a configured VMware Cloud Director solution landing zone.
Prerequisites
Procedure
- Open the VMware Cloud Director provider portal.
- On the top navigation bar, click .
- Click UPLOAD.
- Click Browse Files and select the VMware Cloud Director Encryption Management ISO on your local drive.
- Make sure Create add-on instance after upload is completed is checked.
- Click UPLOAD.
- Once the upload is completed, click Finish.
- Accept the VMware license agreement.
- Enter the solution input parameters.
- Enter a name for the VMware Cloud Director Encryption Management add-on instance.
- Select the deployment configuration.
- (Optional) Enter the name of an existing global role which will be granted full access to VMware Cloud Director Encryption Management.
The default global role is the built-in Organization Administrator. If the specified global role does not exist in the system, the solution still installs and operates, but no tenant is granted access to it. To grant access in that case, follow these steps after the installation is complete.
- Click Next.
- On the final step of the wizard, review the details and click Finish.
Results
The solution is being installed with a PENDING installation status. Wait until the installation status is READY and reload the browser page, before proceeding with configuring VMware Cloud Director Encryption Management.
Register key provider with VMware Cloud Director Encryption Management
You register a key provider with VMware Cloud Director Encryption Management and associate it with a vCenter Server.
Prerequisites
- Verify that VMware Cloud Director Encryption Management is installed in your environment.
- Obtain the IP address and port of the key provider you are registering. The default port is 5696.
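Before registering a key provider, it is worth confirming from the VMware Cloud Director side that the address and port you were given are actually reachable and terminate TLS, so that a typo or a firewall rule does not surface later as a failed tenant encryption operation. The following preflight script is an added example, not part of the product or its documentation: it parses the endpoint (applying the 5696 default when no port is given), opens a TCP connection, completes a TLS handshake and reports the server certificate subject. The hostnames in the usage block are placeholders; the CA file argument and the `verify` switch are this script's own parameters.

```python
import socket
import ssl

DEFAULT_KMIP_PORT = 5696  # default port of the key provider, as stated in the prerequisites


def parse_endpoint(value, default_port=DEFAULT_KMIP_PORT):
    """Split 'host', 'host:port' or '[v6addr]:port' into (host, port)."""
    value = value.strip()
    if value.startswith("["):  # bracketed IPv6 literal, e.g. [2001:db8::1]:5696
        host, _, rest = value[1:].partition("]")
        port = rest.lstrip(":") or str(default_port)
    elif value.count(":") == 1:  # hostname or IPv4 with an explicit port
        host, _, port = value.partition(":")
    else:  # bare host, or an unbracketed IPv6 literal without a port
        host, port = value, str(default_port)
    port = int(port)
    if not host or not 1 <= port <= 65535:
        raise ValueError(f"bad key provider endpoint: {value!r}")
    return host, port


def probe_key_provider(endpoint, timeout=5.0, verify=True, cafile=None):
    """Return a dict describing TCP reachability and the TLS handshake result.

    verify=False skips certificate validation (useful only to see what the
    server presents before you trust it); with verify=True the handshake
    fails unless the certificate chains to cafile or the system trust store.
    """
    host, port = parse_endpoint(endpoint)
    result = {"host": host, "port": port, "tcp": False, "tls": False,
              "tls_version": None, "cert_subject": None, "error": None}
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError as exc:
        result["error"] = f"tcp: {exc}"
        return result
    result["tcp"] = True

    ctx = ssl.create_default_context(cafile=cafile)
    if not verify:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    try:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            result["tls"] = True
            result["tls_version"] = tls.version()
            cert = tls.getpeercert()  # empty dict when verification is disabled
            subject = cert.get("subject", ()) if cert else ()
            result["cert_subject"] = dict(pair[0] for pair in subject) or None
    except (ssl.SSLError, OSError) as exc:
        result["error"] = f"tls: {exc}"
    finally:
        sock.close()
    return result


if __name__ == "__main__":
    # Placeholder endpoint; replace with the address and port obtained from the key provider team.
    for target in ("kms.example.internal", "kms.example.internal:5697"):
        print(target, "->", probe_key_provider(target, timeout=3.0))
```

Run it once with the default (verifying) settings and once with `verify=False` if the first attempt reports a `tls:` error: a reachable endpoint whose certificate is not trusted is a different problem from an unreachable one, and the two are fixed in different places (trust configuration versus network path).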
Procedure
Publish key provider to tenant organization
To grant tenant access to a key provider, you publish a key provider registered in VMware Cloud Director Encryption Management to a tenant organization.
Procedure
- On the top navigation bar, click .
- Next to the key provider you want to publish, click the .
- From the list of organizations, select the ones you want to publish the key provider to.
- Click PUBLISH.
Unpublish key provider from a tenant
If you want to revoke a tenant organization's access to a key provider, you can unpublish the key provider from their organization.
Prerequisites
To unpublish a key provider, vSphere must be configured with a default key provider or there must be no tenant objects encrypted with the key provider you want to unpublish.
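Checking that prerequisite by hand across an organization's virtual machines is error-prone, so the following added example (not part of the product) expresses it as a preflight over an inventory of encrypted objects. The inventory used here is constructed inline; in a real run you would populate the same shape from the vSphere API (for example with pyVmomi, reading `vm.config.keyId.providerId.id` for the VM home and `backing.keyId.providerId.id` for each encrypted virtual disk). The provider identifiers and organization names are placeholders, and treating "the default key provider is the one being unpublished" as unsafe is this script's own conservative assumption.

```python
# Constructed sample inventory: one record per VM, with the key provider that
# encrypts the VM home (None if unencrypted) and the provider of each disk.
SAMPLE_INVENTORY = [
    {"vm": "web-01", "org": "tenant-a", "home_provider": "kms-tenant-a",
     "disks": [{"label": "Hard disk 1", "provider": "kms-tenant-a"}]},
    {"vm": "db-01", "org": "tenant-a", "home_provider": None,
     "disks": [{"label": "Hard disk 1", "provider": None},
               {"label": "Hard disk 2", "provider": "kms-tenant-a"}]},
    {"vm": "app-01", "org": "tenant-b", "home_provider": "kms-tenant-b",
     "disks": [{"label": "Hard disk 1", "provider": "kms-tenant-b"}]},
]


def objects_using_provider(inventory, provider_id, org=None):
    """List (org, vm, object) tuples still encrypted with provider_id.

    org restricts the scan to one tenant organization, which is the scope of
    an unpublish; None scans every record.
    """
    hits = []
    for rec in inventory:
        if org is not None and rec["org"] != org:
            continue
        if rec["home_provider"] == provider_id:
            hits.append((rec["org"], rec["vm"], "VM home"))
        for disk in rec["disks"]:
            if disk["provider"] == provider_id:
                hits.append((rec["org"], rec["vm"], disk["label"]))
    return hits


def unpublish_preflight(inventory, provider_id, org, default_provider_id=None):
    """Decide whether unpublishing provider_id from org meets the prerequisite.

    Safe when no object in the org uses the provider, or when vSphere has a
    default key provider (other than this one) to re-encrypt them with.
    """
    affected = objects_using_provider(inventory, provider_id, org)
    if not affected:
        return {"safe": True, "affected": [], "reason": "no encrypted objects use this provider"}
    if default_provider_id is None:
        return {"safe": False, "affected": affected,
                "reason": "objects still use this provider and vSphere has no default key provider"}
    if default_provider_id == provider_id:  # assumption: re-keying onto the same provider is not a revocation
        return {"safe": False, "affected": affected,
                "reason": "the default key provider is the one being unpublished"}
    return {"safe": True, "affected": affected,
            "reason": f"{len(affected)} object(s) will be re-encrypted with {default_provider_id}"}


if __name__ == "__main__":
    for default in (None, "kms-platform-default"):
        verdict = unpublish_preflight(SAMPLE_INVENTORY, "kms-tenant-a", "tenant-a", default)
        print(f"default={default!r}: safe={verdict['safe']} ({verdict['reason']})")
        for org_name, vm, obj in verdict["affected"]:
            print(f"  {org_name}/{vm}: {obj}")
```

Run the preflight before each unpublish and keep its output: the affected list is also the set of objects whose re-encryption you should confirm completed once the background unpublish task finishes.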
Procedure
- On the top navigation bar, click .
- Click the name of the key provider you want to unpublish.
- Next to the organization you want to unpublish the key provider from, click the vertical-ellipsis icon and click Unpublish.
- Move the slider to the right, review the information and if you agree, select the check box, and click UNPUBLISH.
Results
The unpublish process runs in the background. The organization's access to the key provider is revoked, and all affected objects are re-encrypted with vSphere's default key provider.
Edit key provider
You can edit a registered key provider's details and network configuration.
If you edit the network configuration of a key provider, all tenants with access to the key provider must re-authenticate to it before they can use it again. Failure to re-authenticate after the network configuration changes may prevent tenants from performing operations on existing encrypted objects and from creating new ones. You are responsible for notifying your tenants about this change.
Procedure
- On the top navigation bar, click .
- Click the name of the key provider you want to edit.
- Click Edit.
- Edit the key provider details.
- Enter a key provider name.
- (Optional) Enter a description.
- (Optional) To upload an icon from your local drive, click Browse.
- Enter the key provider's IP address and port.
- (Optional) To set up a proxy, expand PROXY SETTINGS and enter the proxy address and port.
- Click SUBMIT.