By default, backups of SDDC Manager and NSX Manager are stored on the SDDC Manager appliance itself, so losing that appliance also loses its backups. Change the backup destination to an external SFTP server.

Prerequisites

  • Only a user with the ADMIN role can perform this task. See Managing Users and Groups in VMware Cloud Foundation.
  • The external SFTP server must support a 256-bit ECDSA SSH host (public) key.
  • The external SFTP server must support a 2048-bit RSA SSH host (public) key.
  • You will need the SHA256 fingerprint of the SFTP server's RSA host key, read on the SFTP server itself, so that you can compare it with the value SDDC Manager retrieves over the network.
  • Host key algorithms: at least one of rsa-sha2-512 or rsa-sha2-256, and at least one of ecdsa-sha2-nistp256, ecdsa-sha2-nistp384, or ecdsa-sha2-nistp521.
  • Additional prerequisites when FIPS Security Mode is enabled on SDDC Manager. The SFTP server must offer the following algorithms and ciphers:
    Key exchange (Kex) algorithms, at least one of:
    • diffie-hellman-group-exchange-sha256
    • ecdh-sha2-nistp256
    • ecdh-sha2-nistp384
    • ecdh-sha2-nistp521
    Message Authentication Code (MAC) algorithms:
    • hmac-sha2-256
    Ciphers, at least one of:
    • TLS_DHE_DSS_WITH_AES_128_CBC_SHA256
    • TLS_DHE_DSS_WITH_AES_256_CBC_SHA256
    • TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
    • TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
    • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
    • TLS_RSA_WITH_AES_128_CBC_SHA256
    • TLS_RSA_WITH_AES_256_CBC_SHA256
    • TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
    • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
    • TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
    • TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
    • TLS_AES_128_GCM_SHA256
    • TLS_AES_256_GCM_SHA384
Note: SHA1-based algorithms (for example diffie-hellman-group14-sha1 or hmac-sha1) are not supported.

Procedure

  1. In the navigation pane, click Administration > Backup.
  2. On the Backup page, click the Site Settings tab and then click Register External.
  3. On the Backup page, enter the settings and click Save.

    To obtain the SSH fingerprint of the SFTP server as SDDC Manager sees it, connect to the SDDC Manager appliance over SSH and run the following command. It prints the SHA256 fingerprint of the server's RSA host key (the <( ) process substitution requires bash):

    ssh-keygen -lf <(ssh-keyscan -p 22 -t rsa sftp_server_fqdn 2> /dev/null) | cut -d' ' -f2

    Because ssh-keyscan fetches the key over the network, this only shows what SDDC Manager received, not that the key belongs to the SFTP server. Before you confirm the fingerprint, compare it with the value read on the SFTP server itself (on an OpenSSH server: ssh-keygen -lf /etc/ssh/ssh_host_rsa_key.pub). A mismatch means the connection is reaching a different host, or is being intercepted, and the server must not be registered.

    Setting: Value

    • Host FQDN or IP: The FQDN or IP address of the SFTP server.
    • Port: 22
    • Transfer Protocol: SFTP
    • Username: A service account on the SFTP server with write access to the backup directory. Use a dedicated, least-privileged account rather than a shared administrative one. For example: svc-vcf-bck.
    • Password: The password for the username provided.
    • Backup Directory: The directory on the SFTP server where backups are saved. For example: /backups/.
    • SSH Fingerprint: SDDC Manager retrieves the SSH fingerprint from the SFTP server automatically. Verify that it matches the fingerprint you obtained directly on the SFTP server; do not accept a value you cannot verify.
    • Confirm Fingerprint: Selected, after you have verified the fingerprint.
    • Encryption Passphrase: The encryption passphrase used to encrypt the backup data.

    Note: Store the encryption passphrase safely (for example in a password vault), separately from the backups themselves. It is required during the restore process, and a backup cannot be restored without it.

  4. In the Confirm your changes to backup settings dialog box, click Confirm.
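The following script is an added example and is not part of SDDC Manager or the VMware documentation. It covers the two checks a practitioner wants done before clicking Confirm: the FIPS prerequisites (parsing the server's KEXINIT proposal out of OpenSSH "ssh -vv" debug output to confirm that at least one required host key, key exchange and MAC algorithm is offered) and the fingerprint verification in step 3 (comparing the value the Register External dialog shows against one read directly on the SFTP server, whatever format each is in). The ssh -vv excerpts, the host name sftp_server_fqdn and the account svc-vcf-bck are constructed for the example; the algorithm names are the ones listed in the prerequisites above.

```shell
#!/bin/sh
# Pre-flight checks for an external SFTP backup target. Added example, not
# SDDC Manager or VMware code. Algorithm names are the prerequisites above;
# the debug excerpts, host name and account are constructed.

# At least one of each group must be offered by the server.
REQ_HOSTKEY_RSA="rsa-sha2-512 rsa-sha2-256"
REQ_HOSTKEY_ECDSA="ecdsa-sha2-nistp256 ecdsa-sha2-nistp384 ecdsa-sha2-nistp521"
REQ_KEX="diffie-hellman-group-exchange-sha256 ecdh-sha2-nistp256 ecdh-sha2-nistp384 ecdh-sha2-nistp521"
REQ_MAC="hmac-sha2-256"

# any_in "n1 n2" "a,b,c" -> 0 if at least one needle is in the comma list.
any_in() {
  _have=",$2,"
  for _n in $1; do
    case "$_have" in *",$_n,"*) return 0 ;; esac
  done
  return 1
}

# server_proposal NAME: read OpenSSH `ssh -vv` output on stdin, print the
# list the *server* advertised for NAME ("KEX algorithms",
# "host key algorithms", "MACs stoc"). OpenSSH logs the client proposal
# first, then "peer server KEXINIT proposal", so only lines after that count.
server_proposal() {
  awk -v want="$1" '
    /local client KEXINIT proposal/ { inserver = 0 }
    /peer server KEXINIT proposal/  { inserver = 1; next }
    inserver && index($0, "debug2: " want ": ") == 1 {
      print substr($0, length("debug2: " want ": ") + 1); exit
    }'
}

# check_fips_proposal: same input on stdin; 0 only if every group is satisfied.
check_fips_proposal() {
  _text=$(cat)
  _kex=$(printf '%s\n' "$_text" | server_proposal "KEX algorithms")
  _hk=$(printf '%s\n' "$_text" | server_proposal "host key algorithms")
  _mac=$(printf '%s\n' "$_text" | server_proposal "MACs stoc")
  _rc=0
  any_in "$REQ_HOSTKEY_RSA"   "$_hk"  || { echo "FAIL host key: no rsa-sha2-* in: $_hk"; _rc=1; }
  any_in "$REQ_HOSTKEY_ECDSA" "$_hk"  || { echo "FAIL host key: no ecdsa-sha2-nistp* in: $_hk"; _rc=1; }
  any_in "$REQ_KEX"           "$_kex" || { echo "FAIL kex: no SHA-2 DH/ECDH group in: $_kex"; _rc=1; }
  any_in "$REQ_MAC"           "$_mac" || { echo "FAIL mac: no hmac-sha2-256 in: $_mac"; _rc=1; }
  return $_rc
}

# normalize_fp: accept "SHA256:<digest>", a bare "<digest>" or a whole
# `ssh-keygen -l` line ("2048 SHA256:<digest> host (RSA)"); print <digest>.
normalize_fp() {
  printf '%s\n' "$1" | awk '{
    for (i = 1; i <= NF; i++)
      if ($i ~ /^SHA256:/) { sub(/^SHA256:/, "", $i); print $i; exit }
    if (NF == 1) print $1
  }'
}

# fingerprint_matches EXPECTED SHOWN -> 0 when both name the same key.
# EXPECTED is read on the SFTP server itself
# (ssh-keygen -lf /etc/ssh/ssh_host_rsa_key.pub); SHOWN is the value the
# Register External dialog (or ssh-keyscan) fetched over the network.
fingerprint_matches() {
  _a=$(normalize_fp "$1"); _b=$(normalize_fp "$2")
  [ -n "$_a" ] && [ "$_a" = "$_b" ]
}

# Constructed ssh -vv excerpts. To capture a real one from the SDDC Manager
# appliance (the KEXINIT exchange is logged before authentication, so
# BatchMode refusing the password prompt does not matter):
#   ssh -vv -o BatchMode=yes -p 22 svc-vcf-bck@sftp_server_fqdn true \
#       2>/tmp/proposal.txt >/dev/null
SAMPLE_OK=$(cat <<'EOF'
debug2: local client KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256,ecdh-sha2-nistp256
debug2: host key algorithms: ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa
debug2: MACs stoc: hmac-sha2-256,hmac-sha1
debug2: peer server KEXINIT proposal
debug2: KEX algorithms: ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1
debug2: host key algorithms: rsa-sha2-512,rsa-sha2-256,ecdsa-sha2-nistp256,ssh-ed25519
debug2: MACs ctos: hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: MACs stoc: hmac-sha2-256,hmac-sha2-512,hmac-sha1
EOF
)
# A legacy server offering only SHA-1 based algorithms: must be rejected.
SAMPLE_LEGACY=$(cat <<'EOF'
debug2: local client KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256
debug2: host key algorithms: ssh-ed25519,rsa-sha2-512
debug2: peer server KEXINIT proposal
debug2: KEX algorithms: diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: host key algorithms: ssh-rsa,ssh-dss
debug2: MACs stoc: hmac-sha1,hmac-md5
EOF
)

printf '%s\n' "$SAMPLE_OK"     | check_fips_proposal && echo "sample-ok: FIPS prerequisites satisfied"
printf '%s\n' "$SAMPLE_LEGACY" | check_fips_proposal || echo "sample-legacy: rejected as expected"
```

Run it with a real capture by piping /tmp/proposal.txt into check_fips_proposal, and call fingerprint_matches with the digest read on the SFTP server as the first argument and the value shown in the Register External dialog as the second. The check deliberately looks only at what the server offers; which algorithm is finally negotiated is up to SDDC Manager, and a server that offers only SHA-1 variants will fail before authentication ever starts.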