You can use HTTP requests to export and import vSphere Native Key Provider configuration.
You can set a vSphere Native Key Provider as the default for a vCenter Server instance by using the SetDefaultKmsCluster method of the CryptoManagerKmip managed object from the vSphere Management SDK.
The operations require you to specify parameters in the body of the HTTP request according to your environment. For details about the syntax of each HTTP request body, see the API Reference documentation.
Procedure
- Export a vSphere Native Key Provider configuration by specifying the provider you want to export in the request body.
Note: You must export the vSphere Native Key Provider configuration at least once before you can use a vSphere Native Key Provider.
- Initiate the export by providing the name identifier of the key provider and a password to encrypt the export data in the request body.
POST https://<vcenter_ip_address_or_fqdn>/api/vcenter/crypto-manager/kms/providers?action=export
The following request body contains example syntax.
{
    "password": "<your_password>",
    "provider": "Test_Provider"
}
In the response body, you receive the URL of the exported configuration and a short-lived download token with its expiry time. The following response body contains example syntax.
{
    "location": {
        "download_token": {
            "expiry": "2023-09-20T21:04:50.000Z",
            "token": "eyJhbGciOiJIUzI1NjKXn21y01CM"
        },
        "url": "https://vc8.home/cryptomanager/kms/test"
    },
    "type": "LOCATION"
}
- Fetch the exported PKCS12 data by sending an HTTP request to the url value from the previous response, passing the download_token.token value as a bearer token in the Authorization header. The token is valid only until the expiry time in the response; if it has expired, repeat the export.
POST <url>
Authorization: Bearer <token>
The following example HTTP request contains the values from the example response in the previous step.
POST https://vc8.home/cryptomanager/kms/test
Authorization: Bearer eyJhbGciOiJIUzI1NjKXn21y01CM
- Import a vSphere Native Key Provider configuration by specifying the configuration you want to import in the request body.
POST https://<vcenter_ip_address_or_fqdn>/api/vcenter/crypto-manager/kms/providers?action=import
The following request body contains example syntax.
Note: As the value of the config parameter, you must provide a Base64-encoded string representing the PKCS12 data exported in the previous step. The other parameters are optional. Set dry_run to true to validate the configuration and password without changing the vCenter Server instance.
{
    "config": "<string>",
    "constraints": {
        "tpm_required": false
    },
    "dry_run": false,
    "password": "<your_password>"
}
In the response body, you receive information about the imported provider and the time when that provider was exported.
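The following script, added here as an example and not part of the vSphere documentation or VMware's own tooling, runs the three steps above end to end: export, download of the PKCS12 blob with the bearer token, a dry-run import, and the real import. It assumes the caller already holds a vCenter REST session ID (obtained from POST /api/session) and sends it in the vmware-api-session-id header; that header and the 200 status checks are assumptions, not details from this page. The HTTP transport is injected as a callable, so the flow can be exercised offline against the constructed FakeVCenter test double included in the block; the PKCS12 bytes it serves are constructed, not a real bundle.

```python
"""Export and re-import a vSphere Native Key Provider configuration.

Added example, not VMware's own code. Assumed rather than taken from the page:
the caller already holds a vCenter REST session ID (POST /api/session) and
sends it in the vmware-api-session-id header; the HTTP transport is injected
as a callable so the whole flow also runs offline against FakeVCenter below.
"""
import base64
import json
import ssl
import urllib.request
from datetime import datetime, timedelta, timezone

EXPORT_PATH = "/api/vcenter/crypto-manager/kms/providers?action=export"
IMPORT_PATH = "/api/vcenter/crypto-manager/kms/providers?action=import"

def urllib_transport(method, url, headers, body):
    """Real transport: (method, url, headers, bytes|None) -> (status, bytes). TLS stays verified."""
    req = urllib.request.Request(url, data=body, headers=headers, method=method)
    with urllib.request.urlopen(req, context=ssl.create_default_context()) as r:
        return r.status, r.read()

def parse_export_response(body):
    """Return (download_url, bearer_token, expiry datetime) from the export response."""
    doc = json.loads(body)
    if doc.get("type") != "LOCATION":
        raise ValueError("unexpected export response type: %r" % doc.get("type"))
    tok = doc["location"]["download_token"]
    expiry = datetime.fromisoformat(tok["expiry"].replace("Z", "+00:00"))
    return doc["location"]["url"], tok["token"], expiry

def build_import_body(pkcs12, password, dry_run, tpm_required=False):
    """The config field carries the PKCS12 blob Base64-encoded, not raw bytes."""
    return {"config": base64.b64encode(pkcs12).decode("ascii"),
            "password": password, "dry_run": dry_run,
            "constraints": {"tpm_required": tpm_required}}

def export_provider(transport, vcenter, session_id, provider, password):
    """Steps 1-2: request the export, then fetch the PKCS12 bytes with the download token."""
    hdrs = {"vmware-api-session-id": session_id, "Content-Type": "application/json"}
    status, body = transport("POST", f"https://{vcenter}{EXPORT_PATH}", hdrs,
                             json.dumps({"provider": provider, "password": password}).encode())
    if status != 200:
        raise RuntimeError(f"export failed: HTTP {status}")
    url, token, expiry = parse_export_response(body)
    if datetime.now(timezone.utc) >= expiry:
        raise RuntimeError("download token expired before use; re-run the export")
    status, pkcs12 = transport("POST", url, {"Authorization": f"Bearer {token}"}, None)
    if status != 200:
        raise RuntimeError(f"download failed: HTTP {status}")
    return pkcs12

def import_provider(transport, vcenter, session_id, pkcs12, password, tpm_required=False):
    """Step 3: validate with dry_run=true first, then import for real."""
    hdrs = {"vmware-api-session-id": session_id, "Content-Type": "application/json"}
    for dry_run in (True, False):
        req = json.dumps(build_import_body(pkcs12, password, dry_run, tpm_required)).encode()
        status, body = transport("POST", f"https://{vcenter}{IMPORT_PATH}", hdrs, req)
        if status != 200:
            raise RuntimeError(f"import (dry_run={dry_run}) failed: HTTP {status}")
    return json.loads(body)

class FakeVCenter:
    """Constructed stand-in for vCenter that answers the three calls above."""
    PKCS12 = b"\x30\x82\x01\x00constructed-pkcs12-blob"  # constructed, not a real bundle
    TOKEN = "eyJhbGciOiJIUzI1NjKXn21y01CM"               # token string from the page's example

    def __init__(self, host="vc8.home", provider="Test_Provider", password="s3cret"):
        self.host, self.provider, self.password, self.imported = host, provider, password, None

    def __call__(self, method, url, headers, body):
        if "Authorization" not in headers and headers.get("vmware-api-session-id") != "sess-1":
            return 401, b""
        if url.endswith(EXPORT_PATH):
            if json.loads(body)["provider"] != self.provider:
                return 404, b""
            expiry = datetime.now(timezone.utc) + timedelta(hours=1)
            return 200, json.dumps({"type": "LOCATION", "location": {
                "url": f"https://{self.host}/cryptomanager/kms/test",
                "download_token": {"token": self.TOKEN,
                                   "expiry": expiry.strftime("%Y-%m-%dT%H:%M:%S.000Z")}}}).encode()
        if url == f"https://{self.host}/cryptomanager/kms/test":
            ok = headers.get("Authorization") == f"Bearer {self.TOKEN}"
            return (200, self.PKCS12) if ok else (401, b"")
        if url.endswith(IMPORT_PATH):
            req = json.loads(body)
            if req["password"] != self.password or base64.b64decode(req["config"]) != self.PKCS12:
                return 400, b""
            if not req["dry_run"]:          # a dry run must not change state
                self.imported = req["config"]
            return 200, json.dumps({"provider": self.provider,
                                    "export_time": "2023-09-20T20:04:50.000Z"}).encode()
        return 404, b""

def demo(password="s3cret"):
    """Round trip export -> download -> dry-run -> import against the fake."""
    vc = FakeVCenter(password=password)
    blob = export_provider(vc, vc.host, "sess-1", "Test_Provider", password)
    return import_provider(vc, vc.host, "sess-1", blob, password)

if __name__ == "__main__":
    print(demo())
```

Against a real vCenter Server instance, pass urllib_transport instead of the fake and a session ID from POST /api/session; keep certificate verification enabled, because the download token and the export password travel in these requests. The dry run is done first on purpose: a wrong password or a corrupted config value fails there without touching the key provider configuration.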