The VMware Data Services Manager service components connect to various third party systems. When these systems are TLS-secured; you may require that VMware Data Services Manager access the systems using trusted certificates.
You can add or update trusted certificates in your VMware Data Services Manager only via the API; this operation is not yet supported through the console.
Best Practices for Certificate Update
When you invoke the API to add or change a trusted certificate after deployment, VMware Data Services Manager replaces the original certificate with the new cert. To ensure that you retain all trusted certificates when updating, follow these best practices:
- Use the
GEToperation on the API endpoint to retrieve the existing certificates. - Add the new trusted certificates to the list of existing certs.
- Invoke the
POSToperation on the API endpoint with the complete set of certificates (original plus new).
When you update a certificate after deployment, you must update the certificate on all running Providers and Agents in your VMware Data Services Manager installation. VMware Data Services Manager will automatically propagate the new/updated certificates to Agents deployed after the certificate update.
Understanding the Impacts of Certificate Updates
Be aware of the following impacts to your VMware Data Services Manager installation when you update certificates:
Updating a certificate on a Provider VM or Agent VM may affect in progress backup, restore, and database template publishing operations.
Updating a certificate on a database may result in a temporary transaction log failure.
Host name verification is mandatory for TLS-based Provider, vCenter, and MinIO URLs:
- If you register the URL using the FQDN, it must match the CN of the certificate.
- If you register the URL using an IP address, the address must be present in the SAN section of the certificate.
Certificate-Related Scenarios
| Scenario | Affected VMs | Action |
|---|---|---|
| The Provider VM has been recovered. | Provider VM | No action required; VMware Data Services Manager automatically copies and trusts all trusted certificates on the new Provider. |
| The Agent VM has been recovered. | Agent VM | Manually upload the certificates to the recovered Agent. |
| Provider High Availability is configured. | Provider VM (Primary and Standbys) | No action required; VMware Data Services Manager automatically synchronizes trusted certificates across the HA cluster. |
| Trusted certificates fail to synchronize to a Provider in an HA cluster. | Provider VM (Standby) | Retrigger the certificate synchronization API as described in Synchronizing Trusted Certificates. |
| The S3 trusted certificate expires. | Provider VM, Agent VM, database | Replace existing certificate with the new certificate. |
| The LDAP trusted certificate expires. | Provider VM | Replace existing certificate with the new certificate. |
| New trusted certificates must be added to the Provider or Agent. | Provider VM, Agent VM | Manually update the certificates. |
| New trusted certificates must be added to the database. | Database | Manually update the certificates. |
| Trust on first use SSL validation occurs. | Provider VM, Agent VM | No action required; VMware Data Services Manager adds the new certificate to the truststore with no impact on already trusted certificates. |
| The Provider Repo and Agent's Local Storage Repo reside on different MinIOs. | Agent VM | The Provider Repo certificate is required by the Agent to download database templates to Local Repo. Provider Administrator must share the certificate of the Provider Repo with the user that is onboarding the Agent. |
