An Agent connects to the following third party systems:

  • Provider
  • vCenter
  • S3 (Local Repo, Cloud Repo)
  • NTP
  • Telegraf (monitoring)

These systems may require TLS-secured connections. In such cases, you may require that VMware Data Services Manager access the systems using trusted certificates. VMware Data Services Manager automatically copies any Provider certificates to an Agent when the Agent is onboarded. If you add new certificates to the Provider after deployment, you must manually copy these to each Agent VM. You must also manually copy a certificate specific to an Agent to the Agent VM.

Note: All of these APIs, including the APIs that add trusted certificates for a Consolidated Agent, use the following endpoint:
    POST https:// :543/onboarding/add-trusted-cert

Certificate File System Locations

Certificate files are stored in the following file system locations on the Agent VM:

Description                     File System Location
TrustStore                      /opt/vmware/tdm-tenant/cert/truststore.jks
TrustStore password             /opt/vmware/tdm-tenant/onboarding-service/config/application.yml
Trusted certificates (.pem)     /opt/vmware/tdm-tenant/cert/agent-trusted-certs.pem

VMware Data Services Manager adds the file name prefix agent-trusted-cert-<number>- to the <original-cert-filename>.pem of each trusted certificate, and individually copies each cert to the /etc/ssl/certs directory on the Agent VM.

Updating Trusted Certificates

Note: When you update the certificates on an Agent VM, VMware Data Services Manager also updates the certificates on all active databases running in the Onboarded Cluster.

You must use the VMware Data Services Manager API to update the certificates on the Agent VM:

  1. Retrieve the existing trusted certificates:

    GET https://<agent-ip-address>/onboarding/api/tenant/onboarding?action=get-trusted-certificates

    A successful response includes a file named agent-trusted-certs.pem that contains the currently trusted certificates.

  2. Add the new trusted certificates to the returned file.

  3. Update the certificates on the Agent VM:

    Note: You must send the PAM token in the Authorization header as a Bearer token.
    POST https://<agent-ip-address>/onboarding/api/tenant/onboarding?action=add-trusted-certificates

    Request parameters:

    certificate: <cert-file>
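The three steps above, as an added Python example that is not part of the VMware documentation. It assumes the GET returns the PEM text as its response body, the POST accepts the file as a multipart/form-data field named certificate, the GET also requires the Bearer token, and you already hold a PAM token; the sample certificates are constructed placeholders. merge_trusted_certs() is the only part that runs offline, and it also skips a certificate that is already trusted, which the procedure itself does not mention.

```python
import re
import ssl
import urllib.request
import uuid

# One PEM certificate block; re.S lets the base64 body span lines.
PEM_BLOCK = re.compile(r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)

# Constructed sample certificates (placeholder bodies, not real certificates).
SAMPLE_CA = "-----BEGIN CERTIFICATE-----\nMIIB...sampleCA...\n-----END CERTIFICATE-----"
SAMPLE_S3 = "-----BEGIN CERTIFICATE-----\nMIIB...sampleS3...\n-----END CERTIFICATE-----"


def merge_trusted_certs(existing_pem: str, new_pem: str) -> str:
    """Append the certificates in new_pem to existing_pem.

    Blocks are compared ignoring whitespace, so re-running the update with a
    certificate that is already trusted does not add a duplicate.
    """
    seen, merged = set(), []
    for block in PEM_BLOCK.findall(existing_pem) + PEM_BLOCK.findall(new_pem):
        key = "".join(block.split())
        if key not in seen:
            seen.add(key)
            merged.append(block)
    return "".join(b + "\n" for b in merged)


def _multipart(field: str, filename: str, data: bytes):
    """Encode one file as a multipart/form-data body (the stdlib has no helper)."""
    boundary = uuid.uuid4().hex
    head = (f'--{boundary}\r\nContent-Disposition: form-data; name="{field}"; '
            f'filename="{filename}"\r\nContent-Type: application/x-pem-file\r\n\r\n')
    body = head.encode() + data + f"\r\n--{boundary}--\r\n".encode()
    return body, f"multipart/form-data; boundary={boundary}"


def update_agent_certs(agent_ip: str, pam_token: str, new_cert_pem: str, cafile=None) -> str:
    """GET the current agent-trusted-certs.pem, merge the new cert in, POST it back."""
    base = f"https://{agent_ip}/onboarding/api/tenant/onboarding?action="
    ctx = ssl.create_default_context(cafile=cafile)  # verify the Agent's own TLS cert
    auth = {"Authorization": f"Bearer {pam_token}"}  # assumed: the GET needs it too
    req = urllib.request.Request(base + "get-trusted-certificates", headers=auth)
    with urllib.request.urlopen(req, context=ctx) as resp:
        merged = merge_trusted_certs(resp.read().decode(), new_cert_pem)
    body, ctype = _multipart("certificate", "agent-trusted-certs.pem", merged.encode())
    req = urllib.request.Request(base + "add-trusted-certificates", data=body,
                                 method="POST", headers={**auth, "Content-Type": ctype})
    with urllib.request.urlopen(req, context=ctx) as resp:
        return resp.read().decode()
```

Pass the Agent's CA bundle as cafile if the Agent VM's own HTTPS certificate is not issued by a CA in your system trust store.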

Deleting All Trusted Certificates

Deleting the trusted certificates on an Agent VM is a manual process. You must:

  1. ssh into the Agent VM.
  2. Delete the certificates from the /opt/vmware/tdm-tenant/cert/truststore.jks file.
  3. Delete all of the certificates in the /etc/ssl/certs directory.
  4. Delete the certificates from the /opt/vmware/tdm-tenant/cert/agent-trusted-certs.pem file.