Starting with vCloud Director 10.0, you can use separate vCloud Director OpenAPI login endpoints for the service provider and tenant access to vCloud Director.

vCloud Director 10.0 introduces two new OpenAPI endpoints that you can use to increase security by restricting access to vCloud Director.

  • /cloudapi/1.0.0/sessions/provider - OpenAPI endpoint for the service provider login. Tenants cannot access vCloud Director by using this endpoint.
  • /cloudapi/1.0.0/sessions/ - OpenAPI endpoint for the tenant login. Service providers cannot access vCloud Director by using this endpoint.

By default, provider administrators and organization users can access vCloud Director by logging into the /api/sessions API endpoint.

By using the manage-config subcommand of the cell management tool, you can disable the service provider access to the /api/sessions API endpoint and, as a result, limit the provider login to the new /cloudapi/1.0.0/sessions/provider OpenAPI endpoint that is accessible only to service providers.

Procedure

  1. Log in or SSH as root to the OS of any of the vCloud Director cells.
  2. To block the provider access to the /api/sessions API endpoint, use the cell management tool and run the following command:
    /opt/vmware/vcloud-director/bin/cell-management-tool manage-config -n vcloud.api.legacy.nonprovideronly -v true

Results

The /api/sessions API endpoint is no longer accessible to service providers. Service providers can use the new OpenAPI endpoint /cloudapi/1.0.0/sessions/provider to access vCloud Director. Tenants can access vCloud Director by using both the /api/sessions API endpoint and the new /cloudapi/1.0.0/sessions/ OpenAPI endpoint.
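
To confirm these results after the change, the following added example (not VMware's code) attempts a login on each endpoint and compares the outcome with the behavior stated above. Assumptions not taken from this page: the host name is a placeholder, API version 33.0 is sent in the Accept header, credentials are passed as HTTP Basic user@org, a 2xx status means a session was created, and any 4xx status means the login was refused.

```shell
#!/bin/sh
# Added example: check the login surface once vcloud.api.legacy.nonprovideronly is true.
VCD_HOST="${VCD_HOST:-vcd.example.com}"   # placeholder host (assumption)
API_VERSION="${API_VERSION:-33.0}"        # assumed API version

# expected_outcome ROLE PATH -> allow|deny, as stated in the Results section
expected_outcome() {
  case "$1:$2" in
    provider:/api/sessions)                     echo deny ;;
    provider:/cloudapi/1.0.0/sessions/provider) echo allow ;;
    provider:/cloudapi/1.0.0/sessions/)         echo deny ;;
    tenant:/api/sessions)                       echo allow ;;
    tenant:/cloudapi/1.0.0/sessions/)           echo allow ;;
    tenant:/cloudapi/1.0.0/sessions/provider)   echo deny ;;
    *) echo unknown; return 2 ;;
  esac
}

# observed_outcome HTTP_STATUS -> allow (2xx), deny (4xx), error (anything else)
observed_outcome() {
  case "$1" in
    2[0-9][0-9]) echo allow ;;
    4[0-9][0-9]) echo deny ;;
    *)           echo error ;;   # 000 (no connection), 3xx, 5xx prove nothing
  esac
}

# verdict ROLE PATH HTTP_STATUS -> PASS|FAIL|INCONCLUSIVE
verdict() {
  local want got
  want=$(expected_outcome "$1" "$2") || { echo INCONCLUSIVE; return 2; }
  got=$(observed_outcome "$3")
  if [ "$got" = error ]; then echo INCONCLUSIVE; return 2; fi
  if [ "$want" = "$got" ]; then echo PASS; else echo FAIL; return 1; fi
}

# probe PATH USER -> HTTP status of one login attempt (password from VCD_PASSWORD)
probe() {
  local accept='application/json'
  if [ "$1" = /api/sessions ]; then accept='application/*+xml'; fi
  curl -s -o /dev/null -w '%{http_code}' -X POST \
    -H "Accept: ${accept};version=${API_VERSION}" \
    -u "$2:${VCD_PASSWORD}" "https://${VCD_HOST}$1"
}

# Usage: VCD_PASSWORD=... sh check.sh run provider|tenant '<user>@<org>'
if [ "${1:-}" = run ]; then
  for p in /api/sessions /cloudapi/1.0.0/sessions/ /cloudapi/1.0.0/sessions/provider; do
    s=$(probe "$p" "$3") || true
    printf '%-8s %-36s %s %s\n' "$2" "$p" "$s" "$(verdict "$2" "$p" "$s")"
  done
fi
```

Run it once with a provider administrator account and once with an organization user. A FAIL on the provider row for /api/sessions means the setting has not taken effect on the cell that answered.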

What to do next

To enable the provider access to the /api/sessions API endpoint, run the following command:
    /opt/vmware/vcloud-director/bin/cell-management-tool manage-config -n vcloud.api.legacy.nonprovideronly -v false