You can use the vCloud API to upload and manage SSL certificates, keystores, and Kerberos keytabs for the system LDAP and AMQP services. You can also use the vCloud API to configure SSPI, the Microsoft Security Support Provider Interface, for use with Active Directory.
Valid SSL certificates and truststores are required if the system LDAP and AMQP services use the secure sockets layer (https).
The SystemSettings element contains several elements that enable the system administrator to maintain certificates and truststores for the system LDAP and AMQP services. Links in the LdapSettings element allow the system administrator to manage the system LDAP truststore and keystore.
<SystemSettings ... >
   ...
   <LdapSettings ... >
      ...
      <vcloud:Link
         rel="certificate:update"
         href="https://vcloud.example.com/api/admin/extension/settings/ldapSettings/action/updateLdapCertificate"
         type="application/vnd.vmware.admin.certificateUpdateParams+xml"/>
      <vcloud:Link
         rel="certificate:reset"
         href="https://vcloud.example.com/api/admin/extension/settings/ldapSettings/action/resetLdapCertificate"/>
      <vcloud:Link
         rel="keystore:update"
         href="https://vcloud.example.com/api/admin/extension/settings/ldapSettings/action/updateLdapKeyStore"
         type="application/vnd.vmware.admin.keystoreUpdateParams+xml"/>
      <vcloud:Link
         rel="keystore:reset"
         href="https://vcloud.example.com/api/admin/extension/settings/ldapSettings/action/resetLdapKeyStore"/>
      <vcloud:Link
         rel="keytab:update"
         href="https://vcloud.example.com/api/admin/extension/settings/ldapSettings/action/updateLdapSspiKeytab"
         type="application/vnd.vmware.admin.sspiKeytabUpdateParams+xml"/>
      <vcloud:Link
         rel="keytab:reset"
         href="https://vcloud.example.com/api/admin/extension/settings/ldapSettings/action/resetLdapSspiKeytab"/>
      ...
   </LdapSettings>
   ...
</SystemSettings>
The AmqpSettings element includes links that allow the system administrator to manage the system AMQP truststore and certificate.
<SystemSettings ... >
   ...
   <AmqpSettings>
      ...
      <vcloud:Link
         rel="certificate:update"
         href="https://vcloud.example.com/api/admin/extension/settings/amqp/action/updateAmqpCertificate"
         type="application/vnd.vmware.admin.certificateUpdateParams+xml"/>
      <vcloud:Link
         rel="certificate:reset"
         href="https://vcloud.example.com/api/admin/extension/settings/amqp/action/resetAmqpCertificate"/>
      <vcloud:Link
         rel="truststore:update"
         href="https://vcloud.example.com/api/admin/extension/settings/amqp/action/updateAmqpTruststore"
         type="application/vnd.vmware.admin.trustStoreUpdateParams+xml"/>
      <vcloud:Link
         rel="truststore:reset"
         href="https://vcloud.example.com/api/admin/extension/settings/amqp/action/resetAmqpTruststore"/>
      ...
   </AmqpSettings>
   ...
</SystemSettings>
All of these links implement similar operations: the update links upload a new certificate, keytab, or keystore, and the reset links reset or remove an existing one. vCloud Director imposes limits on upload sizes.
This example uploads an SSL certificate whose size is 892 bytes. The first step obtains an upload URL by POSTing a CertificateUpdateParams element to the organization's settings/ldap/action/updateLdapCertificate URL.
POST https://vcloud.example.com/api/admin/extension/settings/ldap/action/updateLdapCertificate
Content-type: application/vnd.vmware.admin.certificateUpdateParams+xml
...
<?xml version="1.0" encoding="UTF-8"?>
<CertificateUpdateParams
   fileSize="892"
   xmlns="http://www.vmware.com/vcloud/v1.5">
</CertificateUpdateParams>
The response is a CertificateUploadSocket element whose uploadLocation attribute is the URL to which you upload the certificate.
<CertificateUploadSocket
   xmlns="http://www.vmware.com/vcloud/v1.5"
   uploadLocation="https://vcloud.example.com/transfer/53bc1/ldapCertificate">
   <Task
      ...
      status="running"
      operation="Updating LDAP certificate"
      ... >
   </Task>
</CertificateUploadSocket>
To upload the certificate, make a PUT request to the uploadLocation URL and supply the certificate in the request body.
PUT https://vcloud.example.com/transfer/53bc1/ldapCertificate
Content-length: 892
...serialized contents of certificate...
EOF
200 OK
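As an added example that is not part of the vCloud API documentation, the following Python client drives the two-step upload described above without a server: it derives fileSize from the certificate bytes so it always matches the Content-length of the PUT, parses the CertificateUploadSocket response, and refuses an uploadLocation that is not HTTPS on the API host (the keystore and keytab variants of this flow carry secrets). The injected transport, FakeTransport and SAMPLE_CERT are assumptions for running it stand-alone.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

VCLOUD_NS = "http://www.vmware.com/vcloud/v1.5"
# Constructed placeholder; a real upload sends the certificate file's exact bytes.
SAMPLE_CERT = b"-----BEGIN CERTIFICATE-----\nMIIB-constructed-placeholder\n-----END CERTIFICATE-----\n"

def build_update_params(cert_bytes: bytes) -> str:
    """Step 1 body; fileSize must equal the byte count that is PUT in step 2."""
    return ('<?xml version="1.0" encoding="UTF-8"?>'
            f'<CertificateUpdateParams fileSize="{len(cert_bytes)}" xmlns="{VCLOUD_NS}">'
            '</CertificateUpdateParams>')

def parse_upload_socket(xml_text: str, api_host: str) -> str:
    """Return uploadLocation, refusing anything not HTTPS on the API host."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{VCLOUD_NS}}}CertificateUploadSocket":
        raise ValueError(f"unexpected response element {root.tag}")
    location = root.get("uploadLocation", "")
    url = urlparse(location)
    if url.scheme != "https" or url.hostname != api_host:
        raise ValueError(f"refusing upload location {location!r}")
    return location

def upload_certificate(http, api_base: str, cert_bytes: bytes) -> int:
    """Run both steps via an injected transport http(method, url, headers, body)
    returning (status, body_text); wrap requests/urllib for real use."""
    host = urlparse(api_base).hostname
    url = f"{api_base}/admin/extension/settings/ldap/action/updateLdapCertificate"
    status, body = http("POST", url,
                        {"Content-Type": "application/vnd.vmware.admin.certificateUpdateParams+xml"},
                        build_update_params(cert_bytes).encode())
    if status not in (200, 202):
        raise RuntimeError(f"step 1 failed with HTTP {status}")
    location = parse_upload_socket(body, host)
    status, _ = http("PUT", location, {"Content-Length": str(len(cert_bytes))}, cert_bytes)
    return status

class FakeTransport:
    """Offline stand-in for the server: canned CertificateUploadSocket, records every call."""
    def __init__(self, location):
        self.location, self.calls = location, []
    def __call__(self, method, url, headers, body):
        self.calls.append((method, url, headers, body))
        if method == "POST":
            return 200, (f'<CertificateUploadSocket xmlns="{VCLOUD_NS}" uploadLocation="{self.location}">'
                         '<Task status="running" operation="Updating LDAP certificate"/>'
                         '</CertificateUploadSocket>')
        return 200, ""
```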