VMware vSphere SDKs and Tools 8.0

8.0 7.0 6.7 6.5

Export and Import vSphere Native Key Provider Configuration

You can use
the
Providers
 interface from the
com.vmware.vcenter.crypto_manager.kms
 package
 to export and import vSphere Native Key Provider configuration.
You can set a vSphere Native Key Provider as the default for a
vCenter Server
 instance by using the
SetDefaultKmsCluster
 method of the
CryptoManagerKmip
 managed object from the vSphere Мanagement SDK.
The code snippets in the following procedure are from the
ManageNativeKeyProviders.java
 sample file.
For a complete and up-to-date version of the Java sample code, see the
vsphere-automation-sdk-java
 VMware repository at GitHub.
  1. Export a vSphere Native Key Provider configuration
    by calling the
    export(ProvidersTypes.ExportSpec spec)
     method of the
    Providers
     interface
    .
    You must export the vSphere Native Key Provider configuration at least once before you can use a vSphere Native Key Provider.
    1. Back up vSphere Native Key Provider data.
      This is a two-stage process. First, you request a backup. In the second step, you download the backup by using a token and address that are returned from the first step.
      private byte[] backupKeyProvider(String name, char[] pwd) {
    // Step 1: request backup
    ExportSpec spec = new ExportSpec.Builder(name)
        .setPassword(pwd)
        .build();
    ExportResult res = nativeKeyProviders.export(spec);
    log("Backup step one: export result is {0}", res);

    // Step 2: download the backup
    URI url = res.getLocation().getUrl();
    char[] token = res.getLocation().getDownloadToken().getToken();
    return downloadBackupData(url, token);
}
    2. Download the backup data from an online location.
      This method uses the Java Apache HTTP client to download the back up data. The download is performed by making a POST request to the URL with an authorization bearer header carrying the supplied token.
      private byte[] downloadBackupData(URI url, char[] token) {
    HttpPost request = new HttpPost(url);
    request.addHeader("Authorization", MessageFormat.format("Bearer {0}", new String(token)));

    log("Backup request {0}", request);
    try (CloseableHttpClient client = createHttpClient();
            CloseableHttpResponse resp = client.execute(request)) {
        int statusCode = resp.getStatusLine().getStatusCode();
        if (statusCode != 200) {
            log("Backup failed. HTTP status code {0}", statusCode);
            throw new RuntimeException("Cannot backup");
        }
        HttpEntity body = resp.getEntity();

        byte[] backup = new byte[body.getContent().available()];
        body.getContent().read(backup);
        log("Backup received {0} bytes. Backup completed.", backup.length);
        return backup;
    } catch (IOException e) {
        log("IO Exception during backup: {0}", e);
        throw new RuntimeException(e);
    }
}
  2. Import a vSphere Native Key Provider configuration
    by calling the
    importProvider(ProvidersTypes.ImportSpec spec)
     method of the
    Providers
     interface
    .
    private void restoreKeyProvider(byte[] backup, char[] pwd) {
    ImportSpec spec = new ImportSpec.Builder().setConfig(backup).setPassword(pwd).build();
    ImportResult res = nativeKeyProviders.importProvider(spec);
    log("Restored Native Key Provider {0}", res);
}

Content feedback and comments