VMware vSphere SDKs and Tools 8.0

8.0 7.0 6.7 6.5

Establish Trust Between Key Provider and Key Server

You can use
interfaces from the
com.vmware.vcenter.trusted_infrastructure.trust_authority_clusters.kms.providers
 package
 to perform trust management operations.
  • Verify that you have access to a working
    vSphere Trust Authority
     environment.
  • Verify that you have Trusted Infrastructure administrative privileges.
You can list and update server certificates, retrieve, generate, and update client certificates, generate a CSR, and set the key server credential.
  1. List the remote server certificates on the configured key servers to verify the trusted key servers
    by calling the
    list_Task(java.lang.String cluster, java.lang.String provider, CurrentPeerCertificatesTypes.FilterSpec spec)
     method of the
    CurrentPeerCertificates
     interface
    .
  2. Retrieve the list of trusted server certificates
    by calling the
    get_Task(java.lang.String cluster, java.lang.String provider)
     method of the
    TrustedPeerCertificates
     interface
    .
  3. Update the trusted server certificates
    by calling the
    update_Task(java.lang.String cluster, java.lang.String provider, TrustedPeerCertificatesTypes.UpdateSpec spec)
     method of the
    TrustedPeerCertificates
     interface
    .
    This operation overwrites the existing list of trusted certificates.
  4. Retrieve the existing client certificate
    by calling the
    get_Task(java.lang.String cluster, java.lang.String provider)
     method of the
    ClientCertificate
     interface
    .
    If the operation is successful, you receive the client certificate in PEM format.
  5. Generate a new self-signed client certificate, used to establish a secure connection to the key server
    by calling the
    create_Task(java.lang.String cluster, java.lang.String provider)
     method of the
    ClientCertificate
     interface
    .
    This operation overwrites the existing client certificate.
    If the operation is successful, you can provide the newly generated self-signed client certificate to the key server to establish trust with the Key Provider.
  6. Update the client certificate to specify what Key Provider should use to authenticate with the key server
    by calling the
    update_Task(java.lang.String cluster, java.lang.String provider, ClientCertificateTypes.UpdateSpec spec)
     method of the
    ClientCertificate
     interface
    .
    If a client certificate exists, this operation overwrites it.
  7. Generate a certificate signing request (CSR) for the client certificate
    by calling the
    create_Task(java.lang.String cluster, java.lang.String provider)
     method of the
    ClientCertificate
     interface
    .
    If a CSR exists, this operation overwrites it.
    If the operation is successful, you receive the client CSR in PEM format and the host ID which issued it. The generated CSR can later be signed by a third party. The signed CSR should be replicated and set on each host.
  8. Set the key server credential for key servers that require a password
    by calling the
    set_Task(java.lang.String cluster, java.lang.String provider, char[] credential)
     method of the
    Credential
     interface
    .

Content feedback and comments