You can use the Providers interface from the com.vmware.vcenter.crypto_manager.kms package to export and import vSphere Native Key Provider configuration.

You can set a vSphere Native Key Provider as the default for a vCenter Server instance by using the SetDefaultKmsCluster method of the CryptoManagerKmip managed object from the vSphere Management SDK.

The code snippets in the following procedure are from the ManageNativeKeyProviders.java sample file.

Note: For a complete and up-to-date version of the Java sample code, see the vsphere-automation-sdk-java VMware repository at GitHub.

Procedure

  1. Export a vSphere Native Key Provider configuration by calling the export(ProvidersTypes.ExportSpec spec) method of the Providers interface.
    Note: You must export the vSphere Native Key Provider configuration at least once before you can use a vSphere Native Key Provider.
    1. Back up vSphere Native Key Provider data.

      This is a two-stage process. First, you request a backup. In the second step, you download the backup by using a token and address that are returned from the first step.

      private byte[] backupKeyProvider(String name, char[] pwd) {
          // Step 1: request backup
          ExportSpec spec = new ExportSpec.Builder(name)
              .setPassword(pwd)
              .build();
          ExportResult res = nativeKeyProviders.export(spec);
          log("Backup step one: export result is {0}", res);
      
          // Step 2: download the backup
          URI url = res.getLocation().getUrl();
          char[] token = res.getLocation().getDownloadToken().getToken();
          return downloadBackupData(url, token);
      }
    2. Download the backup data from an online location.

      This method uses the Apache HttpClient library for Java to download the backup data. The download is performed by making a POST request to the URL returned in the first step, with an Authorization header carrying the supplied download token as a bearer token.

      private byte[] downloadBackupData(URI url, char[] token) {
          HttpPost request = new HttpPost(url);
          request.addHeader("Authorization", MessageFormat.format("Bearer {0}", new String(token)));
      
          log("Backup request {0}", request);
          try (CloseableHttpClient client = createHttpClient();
                  CloseableHttpResponse resp = client.execute(request)) {
              int statusCode = resp.getStatusLine().getStatusCode();
              if (statusCode != 200) {
                  log("Backup failed. HTTP status code {0}", statusCode);
                  throw new RuntimeException("Cannot backup");
              }
              HttpEntity body = resp.getEntity();
      
              // Read the entity through to end of stream. InputStream.available() only
              // reports bytes already buffered, so sizing the array from it and issuing a
              // single read() can silently truncate the backup.
              // EntityUtils is org.apache.http.util.EntityUtils.
              byte[] backup = EntityUtils.toByteArray(body);
              log("Backup received {0} bytes. Backup completed.", backup.length);
              return backup;
          } catch (IOException e) {
              log("IO Exception during backup: {0}", e);
              throw new RuntimeException(e);
          }
      }
  2. Import a vSphere Native Key Provider configuration by calling the importProvider(ProvidersTypes.ImportSpec spec) method of the Providers interface.
    private void restoreKeyProvider(byte[] backup, char[] pwd) {
        ImportSpec spec = new ImportSpec.Builder().setConfig(backup).setPassword(pwd).build();
        ImportResult res = nativeKeyProviders.importProvider(spec);
        log("Restored Native Key Provider {0}", res);
    }
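The following class puts the export and import steps above together as one round trip through a file on disk. It is an added example, not code from ManageNativeKeyProviders.java or from the SDK. The class and method names (NativeKeyProviderRoundTrip, backupToFile, restoreFromFile, download, writeOwnerOnly) are made up for this example; the Providers stub is assumed to have been created already with the SDK's authenticated stub factory; the nested-class import path for ProvidersTypes is inferred from the package name given above; and Apache HttpClient 4.x is assumed to be on the classpath. Beyond the snippets on the page it reads the HTTP body to end of stream, writes the backup with owner-only permissions, and clears the password and download token arrays once they have been used.

```java
import com.vmware.vcenter.crypto_manager.kms.Providers;
import com.vmware.vcenter.crypto_manager.kms.ProvidersTypes.ExportResult;
import com.vmware.vcenter.crypto_manager.kms.ProvidersTypes.ExportSpec;
import com.vmware.vcenter.crypto_manager.kms.ProvidersTypes.ImportResult;
import com.vmware.vcenter.crypto_manager.kms.ProvidersTypes.ImportSpec;

import org.apache.http.HttpEntity;
import org.apache.http.client.methods.CloseableHttpResponse;
import org.apache.http.client.methods.HttpPost;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.impl.client.HttpClients;
import org.apache.http.util.EntityUtils;

import java.io.IOException;
import java.net.URI;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.attribute.PosixFilePermission;
import java.nio.file.attribute.PosixFilePermissions;
import java.util.Arrays;
import java.util.EnumSet;
import java.util.Set;

/** Exports a vSphere Native Key Provider to a file and restores it from that file (example, not SDK code). */
public final class NativeKeyProviderRoundTrip {

    private final Providers nativeKeyProviders;

    // Assumption: the caller obtains the Providers stub from the SDK's authenticated
    // stub factory; session setup is outside this example.
    public NativeKeyProviderRoundTrip(Providers nativeKeyProviders) {
        this.nativeKeyProviders = nativeKeyProviders;
    }

    /** Step 1 and 2 of the procedure: request the export, download it, write it owner-readable only. */
    public Path backupToFile(String providerName, char[] pwd, Path target) throws IOException {
        try {
            ExportSpec spec = new ExportSpec.Builder(providerName).setPassword(pwd).build();
            ExportResult res = nativeKeyProviders.export(spec);
            URI url = res.getLocation().getUrl();
            char[] token = res.getLocation().getDownloadToken().getToken();
            try {
                writeOwnerOnly(target, download(url, token));
            } finally {
                Arrays.fill(token, '\0'); // the download token is a bearer credential
            }
        } finally {
            Arrays.fill(pwd, '\0');       // the backup password protects the exported keys
        }
        return target;
    }

    /** Import step of the procedure: read the file back and restore the provider with the same password. */
    public ImportResult restoreFromFile(Path source, char[] pwd) throws IOException {
        try {
            byte[] backup = Files.readAllBytes(source);
            ImportSpec spec = new ImportSpec.Builder().setConfig(backup).setPassword(pwd).build();
            return nativeKeyProviders.importProvider(spec);
        } finally {
            Arrays.fill(pwd, '\0');
        }
    }

    private static byte[] download(URI url, char[] token) throws IOException {
        HttpPost request = new HttpPost(url);
        request.addHeader("Authorization", "Bearer " + new String(token));
        // createDefault() validates the server certificate against the JVM truststore,
        // so the vCenter certificate (or its issuing CA) is assumed to be trusted there.
        try (CloseableHttpClient client = HttpClients.createDefault();
             CloseableHttpResponse resp = client.execute(request)) {
            int status = resp.getStatusLine().getStatusCode();
            if (status != 200) {
                throw new IOException("Backup download failed, HTTP status " + status);
            }
            HttpEntity body = resp.getEntity();
            if (body == null) {
                throw new IOException("Backup download returned no body");
            }
            return EntityUtils.toByteArray(body); // reads to end of stream, unlike available()+read()
        }
    }

    private static void writeOwnerOnly(Path target, byte[] data) throws IOException {
        Set<PosixFilePermission> ownerOnly =
            EnumSet.of(PosixFilePermission.OWNER_READ, PosixFilePermission.OWNER_WRITE);
        try {
            // Create with mode 0600 before any bytes are written; fails if the file already exists.
            Files.createFile(target, PosixFilePermissions.asFileAttribute(ownerOnly));
        } catch (UnsupportedOperationException e) {
            Files.createFile(target); // non-POSIX filesystem: default ACL applies
        }
        Files.write(target, data);
    }
}
```

The export and the later import must use the same password, and the file written by backupToFile is what the import step expects as its config; keep it, and the password, under the same protection as any other key material backup.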