Starting with vCloud Director 10.0, you can use separate vCloud Director OpenAPI login endpoints for the service provider and tenant access to vCloud Director.
vCloud Director 10.0 introduces two new OpenAPI endpoints that you can use to increase security by restricting access to vCloud Director.
- /cloudapi/1.0.0/sessions/provider - OpenAPI endpoint for the service provider login. Tenants cannot access vCloud Director by using this endpoint.
- /cloudapi/1.0.0/sessions/ - OpenAPI endpoint for the tenant login. Service providers cannot access vCloud Director by using this endpoint.
By default, provider administrators and organization users can access vCloud Director by logging into the /api/sessions API endpoint.
By using the manage-config subcommand of the cell management tool, you can disable the service provider access to the /api/sessions API endpoint and, as a result, limit the provider login to the new /cloudapi/1.0.0/sessions/provider OpenAPI endpoint that is accessible only to service providers.
- Log in or SSH as root to the OS of any of the vCloud Director cells.
- To block the provider access to the /api/sessions API endpoint, use the cell management tool and run the following command:
/opt/vmware/vcloud-director/bin/cell-management-tool manage-config -n vcloud.api.legacy.nonprovideronly -v true
The /api/sessions API endpoint is no longer accessible to service providers. Service providers can use the new OpenAPI endpoint /cloudapi/1.0.0/sessions/provider to access vCloud Director. Tenants can access vCloud Director by using both the /api/sessions API endpoint and the new
What to do next
/api/sessions API endpoint, run the following command:
/opt/vmware/vcloud-director/bin/cell-management-tool manage-config -n vcloud.api.legacy.nonprovideronly -v false
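To confirm the restriction while vcloud.api.legacy.nonprovideronly is set to true, the following check (an added example, not part of the original documentation or VMware's tooling) logs in with one provider and one tenant account at each of the three endpoints and compares the outcome with the access rules described above. The environment variable names (VCD_URL, PROVIDER_USER, PROVIDER_PASS, TENANT_USER, TENANT_PASS), API version 33.0, and treating 401 or 403 as a rejected login are assumptions.

```bash
#!/usr/bin/env bash
# Added example (not VMware code): verify login behaviour after
# vcloud.api.legacy.nonprovideronly is set to true. Assumptions: API version
# 33.0, Basic login as user@org, a rejected login answers 401 or 403.
# The tenant path is written without the trailing slash shown on the page.
API_VERSION="${API_VERSION:-33.0}"

# Echo what the page says should happen: allow or deny.
expected_access() {  # $1 = provider|tenant, $2 = endpoint path
  case "$1:$2" in
    provider:/cloudapi/1.0.0/sessions/provider) echo allow ;;
    tenant:/api/sessions|tenant:/cloudapi/1.0.0/sessions) echo allow ;;
    provider:/api/sessions|provider:/cloudapi/1.0.0/sessions) echo deny ;;
    tenant:/cloudapi/1.0.0/sessions/provider) echo deny ;;
    *) echo unknown ;;
  esac
}

# Compare an observed HTTP status with the expectation; 0 means match.
# Status 000 (no connection) or 5xx counts as an error, never as "deny".
check_result() {  # $1 = role, $2 = endpoint, $3 = HTTP status
  want=$(expected_access "$1" "$2")
  case "$3" in
    2??) got=allow ;;
    401|403) got=deny ;;
    *) got=error ;;
  esac
  printf '%-8s %-34s http=%s want=%s got=%s\n' "$1" "$2" "$3" "$want" "$got"
  [ "$want" = "$got" ]
}

# POST a login and echo only the HTTP status. Credentials reach curl on stdin
# (-K -) to stay out of the process list; no '"' or '\' in the password.
probe_login() {  # $1 = base URL, $2 = endpoint, $3 = user@org, $4 = password
  accept="application/json;version=$API_VERSION"
  [ "$2" = /api/sessions ] && accept="application/*+xml;version=$API_VERSION"
  printf 'user = "%s:%s"\n' "$3" "$4" |
    curl -s -o /dev/null -w '%{http_code}' -X POST -K - -H "Accept: $accept" "$1$2"
}

verify_cell() {  # $1 = base URL of the cell or load balancer
  rc=0
  for ep in /api/sessions /cloudapi/1.0.0/sessions /cloudapi/1.0.0/sessions/provider; do
    check_result provider "$ep" "$(probe_login "$1" "$ep" "$PROVIDER_USER" "$PROVIDER_PASS")" || rc=1
    check_result tenant "$ep" "$(probe_login "$1" "$ep" "$TENANT_USER" "$TENANT_PASS")" || rc=1
  done
  return $rc
}
if [ -n "${VCD_URL:-}" ]; then verify_cell "$VCD_URL"; fi
```

Export VCD_URL and the four credential variables before running it; a non-zero exit status means at least one endpoint did not behave as expected.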