Starting with VMware Cloud Director 10.0, you can use separate VMware Cloud Director OpenAPI login endpoints for the service provider and tenant access to VMware Cloud Director.

You can use two new OpenAPI endpoints to increase the security by restricting the access to VMware Cloud Director.

  • /cloudapi/1.0.0/sessions/provider - OpenAPI endpoint for the service provider login. Tenants cannot access VMware Cloud Director by using this endpoint.

  • /cloudapi/1.0.0/sessions/ - OpenAPI endpoint for the tenant login. Service providers cannot access VMware Cloud Director by using this endpoint.

By default, provider administrators and organization users can access VMware Cloud Director by logging into the /api/sessions API endpoint.

By using the manage-config subcommand of the cell management tool, you can deactivate the service provider access to the /api/sessions API endpoint and, as a result, limit the provider login to the new /cloudapi/1.0.0/sessions/provider OpenAPI endpoint that is accessible only to service providers.

Note:

When you deactivate the service provider access to the /api/sessions API endpoint, service provider requests that supply only a SAML token in the authorization header will fail for all legacy API endpoints.

Procedure

  1. Log in or SSH as root to the OS of any of the VMware Cloud Director cells.
  2. To block the provider access to the /api/sessions API endpoint, use the cell management tool and run the following command:
    /opt/vmware/vcloud-director/bin/cell-management-tool manage-config -n vcloud.api.legacy.nonprovideronly -v true

Results

The /api/sessions API endpoint is no longer accessible to service providers. Service providers can use the new OpenAPI endpoint /cloudapi/1.0.0/sessions/provider to access VMware Cloud Director. Tenants can access VMware Cloud Director by using both the /api/sessions API endpoint and the new /cloudapi/1.0.0/sessions/ OpenAPI endpoint.

What to do next

To enable the provider access to the /api/sessions API endpoint, run the following command:

/opt/vmware/vcloud-director/bin/cell-management-tool manage-config -n vcloud.api.legacy.nonprovideronly -v false