Export and Import vSphere Native Key Provider Configuration

You can use the Providers interface from the com.vmware.vcenter.crypto_manager.kms package to export and import vSphere Native Key Provider configuration.

You can set a vSphere Native Key Provider as the default for a vCenter Server instance by using the SetDefaultKmsCluster method of the CryptoManagerKmip managed object from the vSphere Management SDK.

The code snippets in the following procedure are from the ManageNativeKeyProviders.java sample file. For a complete and up-to-date version of the Java sample code, see the vsphere-automation-sdk-java VMware repository at GitHub.

- Export a vSphere Native Key Provider configuration by calling the export(ProvidersTypes.ExportSpec spec) method of the Providers interface. You must export the vSphere Native Key Provider configuration at least once before you can use a vSphere Native Key Provider.
- Back up vSphere Native Key Provider data. This is a two-stage process. First, you request a backup. In the second step, you download the backup by using a token and address that are returned from the first step.

```java
import java.net.URI;
import com.vmware.vcenter.crypto_manager.kms.ProvidersTypes.ExportResult;
import com.vmware.vcenter.crypto_manager.kms.ProvidersTypes.ExportSpec;

// nativeKeyProviders is the Providers stub created earlier in the sample
private byte[] backupKeyProvider(String name, char[] pwd) {
    // Step 1: request backup; the password protects the exported configuration
    ExportSpec spec = new ExportSpec.Builder(name)
            .setPassword(pwd)
            .build();
    ExportResult res = nativeKeyProviders.export(spec);
    log("Backup step one: export result is {0}", res);

    // Step 2: download the backup from the location and with the token
    // returned by the export call
    URI url = res.getLocation().getUrl();
    char[] token = res.getLocation().getDownloadToken().getToken();
    return downloadBackupData(url, token);
}
```
- Download the backup data from an online location. This method uses the Java Apache HTTP client to download the backup data. The download is performed by making a POST request to the URL with an Authorization bearer header carrying the supplied token.

```java
import java.io.IOException;
import java.net.URI;
import java.text.MessageFormat;
import org.apache.http.HttpEntity;
import org.apache.http.client.methods.CloseableHttpResponse;
import org.apache.http.client.methods.HttpPost;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.util.EntityUtils;

private byte[] downloadBackupData(URI url, char[] token) {
    HttpPost request = new HttpPost(url);
    // The download token returned by export() authorizes this request
    request.addHeader("Authorization",
            MessageFormat.format("Bearer {0}", new String(token)));
    log("Backup request {0}", request);
    // createHttpClient() is a helper defined elsewhere in the sample file
    try (CloseableHttpClient client = createHttpClient();
         CloseableHttpResponse resp = client.execute(request)) {
        int statusCode = resp.getStatusLine().getStatusCode();
        if (statusCode != 200) {
            log("Backup failed. HTTP status code {0}", statusCode);
            throw new RuntimeException("Cannot backup");
        }
        HttpEntity body = resp.getEntity();
        // Read the whole entity. InputStream.available() only reports the bytes
        // buffered so far and a single read() may return fewer bytes than that,
        // so sizing the array from available() can truncate the backup.
        byte[] backup = EntityUtils.toByteArray(body);
        log("Backup received {0} bytes. Backup completed.", backup.length);
        return backup;
    } catch (IOException e) {
        log("IO Exception during backup: {0}", e);
        throw new RuntimeException(e);
    }
}
```
- Import a vSphere Native Key Provider configuration by calling the importProvider(ProvidersTypes.ImportSpec spec) method of the Providers interface.

```java
import com.vmware.vcenter.crypto_manager.kms.ProvidersTypes.ImportResult;
import com.vmware.vcenter.crypto_manager.kms.ProvidersTypes.ImportSpec;

private void restoreKeyProvider(byte[] backup, char[] pwd) {
    // pwd must be the password that was used when the configuration was exported
    ImportSpec spec = new ImportSpec.Builder()
            .setConfig(backup)
            .setPassword(pwd)
            .build();
    ImportResult res = nativeKeyProviders.importProvider(spec);
    log("Restored Native Key Provider {0}", res);
}
```
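The four steps above, tied together as one class. This is an added example and is not code from the ManageNativeKeyProviders.java sample or the vsphere-automation-sdk-java repository. It assumes a Providers stub is obtained elsewhere and passed to the constructor, that Apache HttpClient 4.x is on the classpath (HttpClients.createDefault() is used in place of the sample's createHttpClient() helper), that the backup file is written to a POSIX file system, and that the MAX_BACKUP_BYTES limit is an assumed sanity bound rather than an SDK value. Beyond the sample, it refuses to send the download token to a non-HTTPS URL, reads the response entity fully, bounds the accepted size, stores the backup with owner-only permissions, and clears the one-time download token after use.

```java
import com.vmware.vcenter.crypto_manager.kms.Providers;
import com.vmware.vcenter.crypto_manager.kms.ProvidersTypes.ExportResult;
import com.vmware.vcenter.crypto_manager.kms.ProvidersTypes.ExportSpec;
import com.vmware.vcenter.crypto_manager.kms.ProvidersTypes.ImportResult;
import com.vmware.vcenter.crypto_manager.kms.ProvidersTypes.ImportSpec;

import java.io.IOException;
import java.net.URI;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.attribute.PosixFilePermission;
import java.nio.file.attribute.PosixFilePermissions;
import java.util.Arrays;
import java.util.Set;

import org.apache.http.HttpEntity;
import org.apache.http.client.methods.CloseableHttpResponse;
import org.apache.http.client.methods.HttpPost;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.impl.client.HttpClients;
import org.apache.http.util.EntityUtils;

// Added example, not part of the VMware sample.
public class NativeKeyProviderBackup {
    // Assumed sanity bound: a key provider backup is small, so anything
    // larger than this is treated as an error rather than buffered.
    private static final int MAX_BACKUP_BYTES = 1 << 20;

    private final Providers nativeKeyProviders; // Providers stub, created elsewhere

    public NativeKeyProviderBackup(Providers nativeKeyProviders) {
        this.nativeKeyProviders = nativeKeyProviders;
    }

    /** Export the provider, download the backup and write it to dest with owner-only permissions. */
    public Path backupToFile(String providerName, char[] password, Path dest) throws IOException {
        ExportSpec spec = new ExportSpec.Builder(providerName).setPassword(password).build();
        ExportResult res = nativeKeyProviders.export(spec);
        URI url = res.getLocation().getUrl();
        char[] token = res.getLocation().getDownloadToken().getToken();
        try {
            // The bearer token authorizes the download; never send it in clear text.
            if (!"https".equalsIgnoreCase(url.getScheme())) {
                throw new IOException("Refusing to send download token over non-TLS URL: " + url);
            }
            byte[] backup = download(url, token);
            // Create the file with rw------- before writing so no window exists
            // in which other local users could read the password-protected backup.
            Set<PosixFilePermission> ownerOnly = PosixFilePermissions.fromString("rw-------");
            Files.createFile(dest, PosixFilePermissions.asFileAttribute(ownerOnly));
            Files.write(dest, backup);
            return dest;
        } finally {
            Arrays.fill(token, '\0'); // drop the token once it has been used
        }
    }

    private static byte[] download(URI url, char[] token) throws IOException {
        HttpPost request = new HttpPost(url); // the download endpoint expects a POST
        request.addHeader("Authorization", "Bearer " + new String(token));
        // createDefault() validates the server certificate against the JVM trust
        // store; the vCenter certificate must be trusted rather than bypassed.
        try (CloseableHttpClient client = HttpClients.createDefault();
             CloseableHttpResponse resp = client.execute(request)) {
            int status = resp.getStatusLine().getStatusCode();
            if (status != 200) {
                throw new IOException("Backup download failed, HTTP status " + status);
            }
            HttpEntity body = resp.getEntity();
            if (body.getContentLength() > MAX_BACKUP_BYTES) {
                throw new IOException("Backup larger than expected: " + body.getContentLength());
            }
            // Reads the entire entity regardless of chunking or buffering.
            byte[] data = EntityUtils.toByteArray(body);
            if (data.length == 0 || data.length > MAX_BACKUP_BYTES) {
                throw new IOException("Unexpected backup size " + data.length);
            }
            return data;
        }
    }

    /** Read a backup written by backupToFile and import it using the same password. */
    public ImportResult restoreFromFile(Path src, char[] password) throws IOException {
        byte[] backup = Files.readAllBytes(src);
        ImportSpec spec = new ImportSpec.Builder().setConfig(backup).setPassword(password).build();
        return nativeKeyProviders.importProvider(spec);
    }
}
```

Files.createFile fails if dest already exists, which is deliberate: an existing backup is never silently overwritten. The password array is owned by the caller, which should clear it with Arrays.fill after both the backup and any later restore have completed.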