Managing Certificates on a Database

A database may connect to the following third party systems:

S3 (Agent Local Repo)
NTP
Telgraf (monitoring)
Backup Tools

These systems may require TLS-secured connections. In such cases, you may require that VMware Data Services Manager access the systems using trusted certificates.

VMware Data Services Manager automatically copies updated Agent certificates to all databases provisioned in the Onboarded Cluster. If VMware Data Services Manager is unable to synchronize the certificates with a database, you must manually trigger an API endpoint to update the certs on the database.

Certificate File System Locations

Certificate files are stored in the following file system locations on the database VM:

Description	File System Location
TrustStore	/opt/vmware/dbaas/cert/truststore.jks
TrustStore Password	/opt/vmware/dbaas/dbagent-service/config/application.yml
Trusted Certificates .pem	/opt/vmware/dbaas/cert/resource-trusted-certs.pem

VMware Data Services Manager adds the file name prefix resource-trusted-cert-<number>- to the <original-cert-filename>.pem of each trusted certificate, and individually copies each cert to the /etc/ssl/certs directory on the database VM.

Updating Trusted Certificates

When you update the certificates on an Agent VM, VMware Data Services Manager also updates the certificates on all active databases running in the Onboarded Cluster. If this operation fails for a database, you are required to update the certificates using the VMware Data Services Manager API:

Identify the database VM for which you want to update the certificates. You can obtain the identifier by invoking the /provider/databases endpoint of the VMware Data Services Manager API, locating the database in the output, and extracting the id.
```
GET https://<provider-ip-address>/provider/databases
```
Sample response excerpt:
```
...
  {
    "id": "b97b4b71-bb32-4fd7-a34f-1e9b13a231f5",
    "instanceName": "lisa-mysq1-inst-1",
    ...
    "dbType": "MYSQL",
    ...
  }
...
```

Invoke the API endpoint to refresh the certificates:

POST https://<provider-ip-address>/provider/databases/<db-id>?action=refresh-trusted-certificates

Deleting All Trusted Certificates

Deleting the trusted certificates on a database VM is a manual process. You must:

ssh into the database VM.
Delete the certificates from the /opt/vmware/dbaas/cert/truststore.jks file.
Delete all of the certificates in the /etc/ssl/certs directory.
Delete the certificates from the /opt/vmware/dbaas/cert/resource-trusted-certs.pem file.