Export and Import vSphere Native Key Provider Configuration
You can use HTTP requests to export and import vSphere Native Key Provider configuration. You can set a vSphere Native Key Provider as the default for a vCenter Server instance by using the SetDefaultKmsCluster method of the CryptoManagerKmip managed object from the vSphere Management SDK.

The operations require you to specify parameters in the body of the HTTP request according to your environment. For details about the syntax of each HTTP request body, see the API Reference documentation.

- Export a vSphere Native Key Provider configuration by specifying the provider you want to export in the request body. You must export the vSphere Native Key Provider configuration at least once before you can use a vSphere Native Key Provider.
  - Initiate the export by providing the name identifier of the key provider and a password to encrypt the export data in the request body.

      POST https://<vcenter_ip_address_or_fqdn>/api/vcenter/crypto-manager/kms/providers?action=export

    The following request body contains example syntax.

      {
        "password": "<your_password>",
        "provider": "Test_Provider"
      }

    In the response body, you receive the URL of the exported configuration and an authentication token. The following response body contains example syntax.

      {
        "location": {
          "download_token": {
            "expiry": "2023-09-20T21:04:50.000Z",
            "token": "eyJhbGciOiJIUzI1NjKXn21y01CM"
          },
          "url": "https://vc8.home/cryptomanager/kms/test"
        },
        "type": "LOCATION"
      }
  - Send an HTTP request to the URL with the authentication token to fetch the exported PKCS12 data by providing the URL and token values received in the response body of the previous step.

      POST <url>
      Authorization: Bearer <token>

    The following example HTTP request contains the values from the example response in the previous step.

      POST https://vc8.home/cryptomanager/kms/test
      Authorization: Bearer eyJhbGciOiJIUzI1NjKXn21y01CM
- Import a vSphere Native Key Provider configuration by specifying the configuration you want to import in the request body.

    POST https://<vcenter_ip_address_or_fqdn>/api/vcenter/crypto-manager/kms/providers?action=import

  The following request body contains example syntax. You must provide a Base64-encoded string that is a representation of the PKCS12 data exported in the previous step as the value of the config parameter. The other parameters are optional.

    {
      "config": "<string>",
      "constraints": {
        "tpm_required": false
      },
      "dry_run": false,
      "password": "<your_password>"
    }

  In the response body, you receive information about the imported provider and the time when that provider was exported.
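
The export, download and import requests from the steps above, as an added Python example (not VMware's code and not part of the original page). The function names and the checks on token expiry and URL scheme are assumptions of this example; the functions only build the requests, and authenticating to the /api endpoints, which this page does not cover, is left to the caller.

```python
import base64
import json
from datetime import datetime, timezone
from urllib.parse import urlsplit
from urllib.request import Request

API = "https://{host}/api/vcenter/crypto-manager/kms/providers?action={action}"

def _post_json(host, action, body):
    # Build (not send) a JSON POST to the provider endpoint named on the page.
    return Request(API.format(host=host, action=action),
                   data=json.dumps(body).encode(), method="POST",
                   headers={"Content-Type": "application/json"})

def export_request(host, provider, password):
    # Step 1: name the provider and the password that encrypts the export data.
    return _post_json(host, "export", {"provider": provider, "password": password})

def download_request(export_response, now=None):
    # Step 2: turn the export response into the token-authenticated PKCS12 fetch.
    if export_response.get("type") != "LOCATION":
        raise ValueError("export response carries no download location")
    location = export_response["location"]
    token = location["download_token"]
    expiry = datetime.fromisoformat(token["expiry"].replace("Z", "+00:00"))
    if (now or datetime.now(timezone.utc)) >= expiry:
        raise ValueError("download token expired; run the export again")
    if urlsplit(location["url"]).scheme != "https":
        raise ValueError("refusing to send the bearer token over a non-HTTPS URL")
    return Request(location["url"], method="POST",
                   headers={"Authorization": "Bearer " + token["token"]})

def import_request(host, pkcs12_bytes, password, dry_run=False, tpm_required=False):
    # "config" is the Base64 text form of the raw PKCS12 bytes fetched in step 2.
    body = {"config": base64.b64encode(pkcs12_bytes).decode("ascii"),
            "constraints": {"tpm_required": tpm_required},
            "dry_run": dry_run, "password": password}
    return _post_json(host, "import", body)

# Constructed sample: the example export response shown on this page.
SAMPLE_EXPORT_RESPONSE = {
    "location": {"download_token": {"expiry": "2023-09-20T21:04:50.000Z",
                                    "token": "eyJhbGciOiJIUzI1NjKXn21y01CM"},
                 "url": "https://vc8.home/cryptomanager/kms/test"},
    "type": "LOCATION"}
```

Each function returns a urllib.request.Request that can be passed to urlopen once the caller has added its own authentication and TLS settings.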