Starting with VMware Cloud Director 10.0, you can use separate VMware Cloud Director OpenAPI login endpoints for the service provider and tenant access to VMware Cloud Director.
You can use two new OpenAPI endpoints to increase security by restricting access to VMware Cloud Director.
- /cloudapi/1.0.0/sessions/provider - OpenAPI endpoint for the service provider login. Tenants cannot access VMware Cloud Director by using this endpoint.
- /cloudapi/1.0.0/sessions/ - OpenAPI endpoint for the tenant login. Service providers cannot access VMware Cloud Director by using this endpoint.
By default, provider administrators and organization users can access VMware Cloud Director by logging into the /api/sessions API endpoint. By using the manage-config subcommand of the cell management tool, you can disable the service provider access to the /api/sessions API endpoint and, as a result, limit the provider login to the new /cloudapi/1.0.0/sessions/provider OpenAPI endpoint that is accessible only to service providers.
If you disable the service provider access to the /api/sessions API endpoint, service provider requests that supply only a SAML token in the authorization header will fail for all legacy API endpoints.
- Log in or SSH as root to the OS of any of the VMware Cloud Director cells.
- To block the provider access to the /api/sessions API endpoint, use the cell management tool and run the following command:
  /opt/vmware/vcloud-director/bin/cell-management-tool manage-config -n vcloud.api.legacy.nonprovideronly -v true
The /api/sessions API endpoint is no longer accessible to service providers. Service providers can use the new OpenAPI endpoint /cloudapi/1.0.0/sessions/provider to access VMware Cloud Director. Tenants can access VMware Cloud Director by using both the /api/sessions API endpoint and the new /cloudapi/1.0.0/sessions/ OpenAPI endpoint.
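A post-change check that exercises every (account kind, login endpoint) pair and confirms the separation described above. This is an added example, not VMware's own tooling; it assumes a cell URL, API version 33.0, and placeholder provider and tenant credentials, and it only distinguishes 2xx from non-2xx because the exact rejection status is not specified here.

```python
"""Verify VMware Cloud Director login-endpoint separation after
vcloud.api.legacy.nonprovideronly has been set to true.
Added example, not VMware code. Assumed: base URL, API version 33.0,
and the placeholder credentials under __main__."""
import base64
import urllib.error
import urllib.request

LEGACY = "/api/sessions"
TENANT = "/cloudapi/1.0.0/sessions"
PROVIDER = "/cloudapi/1.0.0/sessions/provider"

def basic_auth(user, org, password):
    # VCD Basic auth uses user@org; provider accounts belong to org "system".
    raw = f"{user}@{org}:{password}".encode()
    return "Basic " + base64.b64encode(raw).decode()

def login(base_url, endpoint, user, org, password, api_version="33.0"):
    """POST to one login endpoint and return only the HTTP status code."""
    accept = "application/*+xml" if endpoint == LEGACY else "application/json"
    req = urllib.request.Request(base_url + endpoint, method="POST", headers={
        "Accept": f"{accept};version={api_version}",
        "Authorization": basic_auth(user, org, password)})
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code

# Pairs that must succeed once the legacy endpoint is provider-blocked;
# every other pair must be rejected.
EXPECTED_OK = {("provider", PROVIDER), ("tenant", LEGACY), ("tenant", TENANT)}

def verify_separation(base_url, provider, tenant, do_login=login):
    """Return {(kind, endpoint): True if observed outcome matched expectation}.
    do_login is injectable so the matrix can be checked without a live cell."""
    results = {}
    for kind, creds in (("provider", provider), ("tenant", tenant)):
        for endpoint in (LEGACY, TENANT, PROVIDER):
            status = do_login(base_url, endpoint, *creds)
            accepted = 200 <= status < 300
            results[(kind, endpoint)] = accepted == ((kind, endpoint) in EXPECTED_OK)
    return results

if __name__ == "__main__":
    # Placeholder values (assumed); replace with your cell URL and accounts.
    out = verify_separation("https://vcd.example.com",
                            ("administrator", "system", "PROVIDER_PASSWORD"),
                            ("tenantadmin", "acme", "TENANT_PASSWORD"))
    for key, ok in sorted(out.items()):
        print("PASS" if ok else "FAIL", *key)
```

Any FAIL line for ("provider", "/api/sessions") means the legacy endpoint still accepts provider logins, so the manage-config change did not take effect on the cell you queried.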
What to do next
To restore the provider access to the /api/sessions API endpoint, run the following command:
/opt/vmware/vcloud-director/bin/cell-management-tool manage-config -n vcloud.api.legacy.nonprovideronly -v false