By default, VMware Data Services Manager manages the certificates for the Provider VM. These certificates are not certified by any public certificate authority. If your organization employs more restrictive certificate policies, you can replace the default VMware Data Services Manager certificate with your own custom certificate.

As a DSM administrator, you can configure custom certificates, including a certificate chain, its associated private key, and a certificate authority (CA) certificate.

When you update the VMware Data Services Manager certificates, the following considerations apply:
Important:
  • If you choose to configure a custom certificate, you are responsible for renewing it before it reaches its expiration date. You must also update the Kubernetes TLS Secret. For more information, see TLS Secrets in the Kubernetes Documentation.

    If the certificate expires, you might experience problems: for example, you might lose access to the DSM console, be unable to upgrade or restart database clusters, or find that database cluster metrics become unavailable.

  • Updating VMware Data Services Manager certificates causes a restart of the DSM UI service.
  • Updating the Provider VM CA causes a restart of all database clusters in the environment. While this change is being applied, database metrics might not be available. It is recommended that you set up the Provider VM CA before you add any database clusters to VMware Data Services Manager.

Prerequisites

  • Make sure that your environment meets these prerequisites:
    • VMware Data Services Manager version 2.1 or later.
    • All database clusters must have been created in VMware Data Services Manager version 2.1 or later. Upgrade older database clusters that were created in VMware Data Services Manager 2.0 to version 2.1 or later.

      Note:

      You can keep version 2.0 database clusters that were created in VMware Data Services Manager 2.1.

  • Use the VMware Data Services Manager API to perform this task. For more information, see Access the VMware Data Services Manager API.
  • To manage the certificates, you can use Kubernetes cert-manager. It manages various certificate and issuer types and outputs a Kubernetes TLS Secret in the required format. For more information, see the cert-manager website at https://cert-manager.io/. Other certificate management tools are also supported.

Procedure

  1. Create a Kubernetes TLS Secret containing the certificate data in the dsm-system namespace.
    Make sure to include the following properties:
    • tls.crt: Base64-encoded PEM signed certificate chain
    • tls.key: Base64-encoded PEM private key
    • ca.crt: Base64-encoded PEM CA certificate
    When creating a certificate, follow these guidelines:
    • Encode the Provider VM IP in the Subject Alternative Name (SAN) field of the certificate as an IP Address.

      To obtain the Provider VM IP, in the DSM console click Settings, and then click System Settings. Locate the IP address in the System Config section.

    • Make sure that the Provider VM certificate has non-empty Subject and Issuer.

      The supported private key algorithms are RSA and ECDSA (ECDSA key sizes 256 and 384).

  2. Update the Provider VM certificate using the VMware Data Services Manager API.
    Update the DSM Kubernetes custom resource named dsm-system-config, of type DsmSystemConfig, to set its spec.tls.secretName property to the name of the Kubernetes TLS Secret.
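The following script is an added example that walks through both steps above end to end; it is not part of the VMware documentation and not VMware's own tooling. It generates a CA and a Provider VM certificate with openssl (ECDSA P-256 by default, 2048-bit RSA on request), places the Provider VM IP in the SAN as an IP Address entry, checks the guidelines from step 1 (IP SAN present, non-empty Subject and Issuer, RSA or ECDSA P-256/P-384, private key matches the certificate, chain verifies against the CA), writes the kubernetes.io/tls Secret manifest with tls.crt, tls.key and ca.crt for the dsm-system namespace, and prints the JSON merge patch that sets spec.tls.secretName for step 2. The IP address 10.0.0.1, the subject names, the Secret name dsm-custom-tls and the validity periods are constructed sample values; openssl, base64 and sed are assumed to be installed.

```shell
#!/bin/sh
# Added example (not from the VMware documentation): build a CA and a Provider VM
# certificate per the step 1 guidelines, check them, write the kubernetes.io/tls
# Secret manifest for dsm-system, and print the step 2 merge patch.
# Assumptions: openssl/base64/sed present; IPs, names and the Secret name are
# constructed sample values, not real DSM values.
set -u

# gen_key FILE ALG : ECDSA P-256 key (alg "ec", the default) or 2048-bit RSA.
gen_key() {
  case "$2" in
    rsa) openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$1" ;;
    *)   openssl ecparam -name prime256v1 -genkey -noout -out "$1" ;;
  esac
}

# make_certs DIR IP [ALG] : write ca.key, ca.crt, tls.key and the chain tls.crt
# (leaf first, then CA) into DIR. IP becomes an "IP Address" SAN entry.
make_certs() {
  dir=$1; alg=${3:-ec}; export SAN_IP="$2"   # SAN_IP is read by ${ENV::SAN_IP}
  cat > "$dir/x509.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[leaf_ext]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = IP:${ENV::SAN_IP}
EOF
  gen_key "$dir/ca.key" "$alg"
  openssl req -x509 -new -key "$dir/ca.key" -sha256 -days 3650 -config "$dir/x509.cnf" \
    -extensions ca_ext -subj "/O=Example Org/CN=Example DSM Root CA" -out "$dir/ca.crt"
  gen_key "$dir/tls.key" "$alg"
  openssl req -new -key "$dir/tls.key" -config "$dir/x509.cnf" \
    -subj "/O=Example Org/CN=dsm-provider" -out "$dir/tls.csr"
  openssl x509 -req -in "$dir/tls.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
    -days 825 -sha256 -extfile "$dir/x509.cnf" -extensions leaf_ext -out "$dir/leaf.crt"
  cat "$dir/leaf.crt" "$dir/ca.crt" > "$dir/tls.crt"
}

# check_cert CERT KEY CA IP : succeed only if the leaf in CERT has IP as an IP Address
# SAN, non-empty Subject/Issuer, an RSA or ECDSA P-256/P-384 key matching KEY, and
# a chain that verifies against CA. Each failure reason is printed to stderr.
check_cert() {
  cert=$1; key=$2; ca=$3; ip=$4
  txt=$(openssl x509 -in "$cert" -noout -text) || return 1
  ip_re=$(printf '%s' "$ip" | sed 's/\./\\./g')
  printf '%s\n' "$txt" | grep -Eq "IP Address:$ip_re(,|$)" \
    || { echo "SAN lacks IP Address:$ip" >&2; return 1; }
  for f in subject issuer; do
    v=$(openssl x509 -in "$cert" -noout -"$f" | sed "s/^$f= *//")
    [ -n "$v" ] || { echo "empty $f" >&2; return 1; }
  done
  if printf '%s\n' "$txt" | grep -q 'Public Key Algorithm: id-ecPublicKey'; then
    bits=$(printf '%s\n' "$txt" | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p')
    case "$bits" in 256|384) ;; *) echo "unsupported ECDSA size: $bits" >&2; return 1 ;; esac
  elif ! printf '%s\n' "$txt" | grep -q 'Public Key Algorithm: rsaEncryption'; then
    echo "unsupported key algorithm" >&2; return 1
  fi
  [ "$(openssl x509 -in "$cert" -noout -pubkey)" = "$(openssl pkey -in "$key" -pubout)" ] \
    || { echo "tls.key does not match tls.crt" >&2; return 1; }
  openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 \
    || { echo "chain does not verify against ca.crt" >&2; return 1; }
}

# make_secret_manifest DIR NAME : write DIR/NAME.yaml, a kubernetes.io/tls Secret
# in dsm-system with tls.crt, tls.key and ca.crt base64-encoded; print its path.
make_secret_manifest() {
  b64() { base64 < "$1" | tr -d '\n'; }
  cat > "$1/$2.yaml" <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: $2
  namespace: dsm-system
type: kubernetes.io/tls
data:
  tls.crt: $(b64 "$1/tls.crt")
  tls.key: $(b64 "$1/tls.key")
  ca.crt: $(b64 "$1/ca.crt")
EOF
  printf '%s\n' "$1/$2.yaml"
}

# make_patch NAME : JSON merge patch setting spec.tls.secretName on the
# DsmSystemConfig resource dsm-system-config (step 2).
make_patch() { printf '{"spec":{"tls":{"secretName":"%s"}}}' "$1"; }

# demo IP : run the whole flow for one Provider VM IP in a temp directory.
demo() {
  out=$(mktemp -d); make_certs "$out" "$1" ec
  check_cert "$out/tls.crt" "$out/tls.key" "$out/ca.crt" "$1" || return 1
  echo "Secret manifest: $(make_secret_manifest "$out" dsm-custom-tls)"
  echo "Step 2 patch for dsm-system-config: $(make_patch dsm-custom-tls)"
}
demo 10.0.0.1
```

Run it as `sh dsm-tls.sh`; the manifest can then be applied with `kubectl apply -f`, and the printed merge patch is the body to submit through the VMware Data Services Manager API (or, assuming kubectl access to the DSM cluster, via `kubectl patch ... --type merge -p`). The check_cert function is the part worth keeping around: run it against any certificate produced by cert-manager or another tool before creating the Secret, because a missing IP SAN, a mismatched key, or an unsupported key size only surfaces later as a DSM UI restart that does not come back or database clusters that cannot be upgraded.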