The VMware Data Services Manager service components connect to various third party systems. When these systems are TLS-secured; you may require that VMware Data Services Manager access the systems using trusted certificates.

You can add or update trusted certificates in your VMware Data Services Manager only via the API; this operation is not yet supported through the console.

Best Practices for Certificate Update

When you invoke the API to add or change a trusted certificate after deployment, VMware Data Services Manager replaces the original certificate with the new cert. To ensure that you retain all trusted certificates when updating, follow these best practices:

• Use the GET operation on the API endpoint to retrieve the existing certificates.
• Add the new trusted certificates to the list of existing certs.
• Invoke the POST operation on the API endpoint with the complete set of certificates (original plus new).

Understanding the Impacts of Certificate Updates

In general, certificate change is not a safe operation. Only vCenter and LDAP certificate updates are supported.

Be aware of the following impacts to your VMware Data Services Manager installation when you update certificates:

• Updating a certificate on a Provider VM may affect in progress backup and restore operations.

• Updating a certificate on a database may result in a temporary transaction log failure.

• Host name verification is mandatory for TLS-based Provider, vCenter, and S3 Object Storage URLs:

  • Common Name or CN must be same as the FQDN or IP address of the S3 storage endpoint.
  • The FQDN or IP address of the S3 storage endpoint must match the FQDN or IP address in one of the Domain Name Server (DNS). IP address and DNS in Subject Alternative Name (SAN) must not be empty.

Certificate-Related Scenarios