There are four ways to establish trust between a KMS and vCenter Server. Different KMS vendors require different methods.
Java examples for these four ways follow.
- Upload your Root CA certificate to the KMS. Obtain it manually and upload it with the self-signed certificate call.
- Upload a self-signed vCenter Certificate to the KMS.
- Have vCenter Server generate a certificate signing request (CSR), which the KMS signs and returns.
- Download a security certificate and private key generated by the KMS to vCenter Server.
CryptoManager Java program to add a KMS and set the default cluster
package com.vmware.general;
import com.vmware.common.annotations.Action;
import com.vmware.common.annotations.Option;
import com.vmware.common.annotations.Sample;
import com.vmware.connection.ConnectedVimServiceBase;
import com.vmware.vim25.CryptoKeyId;
import com.vmware.vim25.CryptoKeyResult;
import com.vmware.vim25.CryptoManagerKmipServerCertInfo;
import com.vmware.vim25.KeyProviderId;
import com.vmware.vim25.KmipServerInfo;
import com.vmware.vim25.KmipServerSpec;
import com.vmware.vim25.ManagedObjectReference;
import com.vmware.vim25.RuntimeFaultFaultMsg;
/**
* CryptoManager. Demonstrates uses of the CryptoManager API. Parameters:
* url [required] : web service url, for example https://10.9.8.7/sdk
* username [required] : username for the authentication
* password [required] : corresponding password
* Command line to run CryptoManager code:
* run.bat com.vmware.general.CryptoManager ^
* --url webserviceurl --username name --password pass ^
* --kmsname kms --kmsip ipaddr --kmsclusterid providerId
*/
@Sample(name = "CryptoManager", description = "Demonstrates uses of the CryptoManager API")
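public class CryptoManager extends ConnectedVimServiceBase {
    /** Standard KMIP port, used when the optional --kmsport option is not given. */
    private static final int DEFAULT_KMIP_PORT = 5696;

    private ManagedObjectReference cryptoManager = null;
    private KmipServerSpec kmipSpec = null;
    private String kmsName;
    private String kmsIp;
    private int kmsPort = DEFAULT_KMIP_PORT;
    private String kmsClusterId;
    // Id of the key produced by the last successful generateNewKey() call; null before that.
    private CryptoKeyId lastKeyId = null;

    /**
     * Looks up the CryptoManager managed object from the session's service content.
     *
     * @throws RuntimeFaultFaultMsg if the service content or the CryptoManager reference is unavailable
     */
    public void initCryptoManager() throws RuntimeFaultFaultMsg {
        if (serviceContent == null) {
            throw new RuntimeFaultFaultMsg("ServiceContent could not be obtained", null);
        }
        cryptoManager = serviceContent.getCryptoManager();
        if (cryptoManager == null) {
            throw new RuntimeFaultFaultMsg("CryptoManager could not be obtained", null);
        }
    }

    /**
     * Registers the KMS (name, address, port) with vCenter Server under the key-provider cluster
     * id given by --kmsclusterid, and keeps the resulting spec for the later trust and key calls.
     *
     * @throws RuntimeFaultFaultMsg if registration fails
     * @throws IllegalStateException if a required option was not supplied
     */
    public void registerKmipServer() throws RuntimeFaultFaultMsg {
        KmipServerInfo serverInfo = new KmipServerInfo();
        serverInfo.setName(requireOption(kmsName, "kmsname"));
        serverInfo.setAddress(requireOption(kmsIp, "kmsip"));
        serverInfo.setPort(kmsPort);

        // Use the cluster id from the command line; the earlier hard-coded "KMScluster"
        // meant the required --kmsclusterid option was silently ignored.
        KeyProviderId providerId = new KeyProviderId();
        providerId.setId(requireOption(kmsClusterId, "kmsclusterid"));

        kmipSpec = new KmipServerSpec();
        kmipSpec.setInfo(serverInfo);
        kmipSpec.setClusterId(providerId);
        vimPort.registerKmipServer(cryptoManager, kmipSpec);
    }

    /**
     * Makes vCenter Server trust the KMS: retrieves the certificate the KMS presents and uploads it
     * as the trusted server certificate for this cluster.
     * <p>
     * This is trust-on-first-use, because the certificate comes from the very connection being
     * secured. In a real deployment, verify it (for example compare its fingerprint with one
     * obtained from the KMS administrator out of band) before uploading it.
     *
     * @throws RuntimeFaultFaultMsg if the KMS returns no certificate or either call fails
     */
    public void trustKmip() throws RuntimeFaultFaultMsg {
        CryptoManagerKmipServerCertInfo certInfo = vimPort.retrieveKmipServerCert(
                cryptoManager, kmipSpec.getClusterId(), kmipSpec.getInfo());
        if (certInfo == null || certInfo.getCertificate() == null) {
            throw new RuntimeFaultFaultMsg(
                    "KMS " + kmsName + " did not return a server certificate", null);
        }
        vimPort.uploadKmipServerCert(cryptoManager, kmipSpec.getClusterId(), certInfo.getCertificate());
    }

    /**
     * Establishes mutual trust. The KMS-side half (making the KMS trust vCenter Server) is
     * vendor-specific: uncomment and call one of establishTrustUsingSelfSignedCert(),
     * establishTrustUsingSignedCsr() or establishTrustUsingCertAndKey() (Examples 12-2 to 12-4).
     * The vCenter-side half is trustKmip().
     *
     * @throws RuntimeFaultFaultMsg if trustKmip() fails
     */
    public void establishTrust() throws RuntimeFaultFaultMsg {
        // establishTrustUsingSelfSignedCert(); // Example 12-2
        // establishTrustUsingSignedCsr();      // Example 12-3
        // establishTrustUsingCertAndKey();     // Example 12-4
        trustKmip();
    }

    /** Marks the registered cluster as the default key provider for this vCenter Server. */
    public void setDefaultKmipCluster() throws RuntimeFaultFaultMsg {
        vimPort.markDefault(cryptoManager, kmipSpec.getClusterId());
    }

    /**
     * Asks the KMS to generate a new encryption key and records its id in lastKeyId.
     *
     * @throws RuntimeFaultFaultMsg if the call fails or the KMS reports an unsuccessful result
     */
    public void generateNewKey() throws RuntimeFaultFaultMsg {
        CryptoKeyResult keyResult = vimPort.generateKey(cryptoManager, kmipSpec.getClusterId());
        // The original discarded the result; check it so a failed generation is not mistaken for success.
        if (keyResult == null || !keyResult.isSuccess() || keyResult.getKeyId() == null) {
            String reason = keyResult == null ? "no result returned" : keyResult.getReason();
            throw new RuntimeFaultFaultMsg("Key generation failed: " + reason, null);
        }
        lastKeyId = keyResult.getKeyId();
    }

    /** @return the id of the key from the last successful generateNewKey(), or null if none yet */
    public CryptoKeyId getLastKeyId() {
        return lastKeyId;
    }

    /** Runs the sample end to end: look up the manager, register the KMS, establish trust, set default, generate a key. */
    @Action
    public void action() throws RuntimeFaultFaultMsg {
        initCryptoManager();
        registerKmipServer();
        establishTrust();
        setDefaultKmipCluster();
        generateNewKey();
    }

    @Option(name = "kmsname", description = "Name of the KMS", required = true)
    public void setKMSName(String name) {
        this.kmsName = name;
    }

    @Option(name = "kmsip", description = "IP address of the KMS", required = true)
    public void setKMSIp(String ip) {
        this.kmsIp = ip;
    }

    /**
     * Sets the KMS port from its command-line string form.
     *
     * @throws IllegalArgumentException (including NumberFormatException) if the value is not an
     *     integer in 1..65535
     */
    @Option(name = "kmsport", description = "KMS port", required = false)
    public void setKMSPort(String port) {
        int parsed = Integer.parseInt(port);
        if (parsed < 1 || parsed > 65535) {
            throw new IllegalArgumentException("kmsport must be in 1..65535, got " + parsed);
        }
        this.kmsPort = parsed;
    }

    @Option(name = "kmsclusterid", description = "KMS cluster Id", required = true)
    public void setKMSClusterId(String clusterId) {
        this.kmsClusterId = clusterId;
    }

    /** Returns value, or throws IllegalStateException naming the missing required option. */
    private static String requireOption(String value, String optionName) {
        if (value == null || value.isEmpty()) {
            throw new IllegalStateException("Required option --" + optionName + " was not supplied");
        }
        return value;
    }
}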
Trust with self-signed certificate or Root CA certificate
This example method uploads a self-signed vCenter certificate, or the Root CA certificate, to the KMS.
/**
 * Makes the KMS trust vCenter Server using a certificate that vCenter generates for itself
 * (or, alternatively, a Root CA certificate obtained manually).
 * <p>
 * The certificate must be registered with the KMS by the vendor-specific procedure before
 * vCenter Server is told to use it. Relies on the enclosing sample's {@code vimPort},
 * {@code cryptoManager} and {@code kmipSpec}.
 *
 * @throws RuntimeFaultFaultMsg if either CryptoManager call fails
 */
public void establishTrustUsingSelfSignedCert() throws RuntimeFaultFaultMsg {
    // vCenter generates its own client certificate for the KMS cluster
    String clientCert = vimPort.generateSelfSignedClientCert(cryptoManager, kmipSpec.getClusterId());
    // Once the KMS has been configured to trust clientCert, switch vCenter over to it
    vimPort.updateSelfSignedClientCert(cryptoManager, kmipSpec.getClusterId(), clientCert);
}
Trust with a CSR, then download the KMS-signed certificate
This example method generates a CSR and downloads the KMS signed certificate onto vCenter Server.
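/**
 * Makes the KMS trust vCenter Server with a certificate that the KMS signs.
 * <p>
 * vCenter generates a CSR; the operator submits it to the KMS by the vendor-specific procedure
 * and supplies the signed certificate, which is then installed on vCenter Server. Relies on the
 * enclosing sample's {@code vimPort}, {@code cryptoManager} and {@code kmipSpec}.
 *
 * @throws RuntimeFaultFaultMsg if vCenter returns no CSR or either CryptoManager call fails
 * @throws IllegalStateException if no signed certificate has been supplied, so that a null
 *     certificate is never sent to vCenter Server
 */
public void establishTrustUsingSignedCsr() throws RuntimeFaultFaultMsg {
    // Generate a Certificate Signing Request for vCenter's KMS client identity
    String csr = vimPort.generateClientCsr(cryptoManager, kmipSpec.getClusterId());
    if (csr == null || csr.isEmpty()) {
        throw new RuntimeFaultFaultMsg("vCenter Server did not return a client CSR", null);
    }
    // Follow steps for your KMS to sign csr; the returned certificate (PEM) goes here
    String signedCert = null; // TODO: set to the certificate the KMS returned for csr
    if (signedCert == null || signedCert.isEmpty()) {
        throw new IllegalStateException(
                "No KMS-signed certificate supplied; submit the CSR to the KMS and set signedCert");
    }
    vimPort.updateKmsSignedCsrClientCert(cryptoManager, kmipSpec.getClusterId(), signedCert);
}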
Trust by downloading the KMS certificate and private key
This example method downloads a certificate and private key generated by the KMS to vCenter Server.
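/**
 * Makes the KMS trust vCenter Server by installing a client certificate and private key that the
 * KMS itself generated.
 * <p>
 * Both values come from the vendor-specific KMS procedure. The private key is a secret: keep it
 * out of logs and source control. Relies on the enclosing sample's {@code vimPort},
 * {@code cryptoManager} and {@code kmipSpec}.
 *
 * @throws RuntimeFaultFaultMsg if the upload call fails
 * @throws IllegalStateException if the certificate or the private key has not been supplied, so
 *     that nulls are never sent to vCenter Server
 */
public void establishTrustUsingCertAndKey() throws RuntimeFaultFaultMsg {
    // Follow steps for your KMS to generate a client certificate and private key for vCenter Server
    String certFromKms = null;   // TODO: PEM certificate issued by the KMS
    String privateKeyKms = null; // TODO: matching PEM private key (secret)
    if (certFromKms == null || certFromKms.isEmpty()
            || privateKeyKms == null || privateKeyKms.isEmpty()) {
        throw new IllegalStateException(
                "KMS-issued certificate and private key must both be supplied before uploadClientCert");
    }
    vimPort.uploadClientCert(cryptoManager, kmipSpec.getClusterId(), certFromKms, privateKeyKms);
}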