Truststore Maintenance for Organizations

You can use the VMware Cloud Director API to upload and manage SSL certificates, keystores, and Kerberos keytabs for your organization's LDAP service. You can also use the VMware Cloud Director API to configure SSPI, the Microsoft Security Support Provider Interface, for use with Active Directory.

The OrgLdapSettings element includes links that enable an organization administrator to maintain certificates and truststores for the organization's LDAP service. 

<AdminOrg ... >
   ...
   <OrgLdapSettings ... >
      ...
      <Link
         rel="certificate:update"
         type="application/vnd.vmware.admin.certificateUpdateParams+xml"
         href="https://vcloud.example.com/api/admin/org/26/settings/ldap/action/updateLdapCertificate"/>
      <Link
         rel="certificate:reset"
         href="https://vcloud.example.com/api/admin/org/26/settings/ldap/action/resetLdapCertificate"/>
      <Link
         rel="keystore:update"
         type="application/vnd.vmware.admin.keystoreUpdateParams+xml"
         href="https://vcloud.example.com/api/admin/org/26/settings/ldap/action/updateLdapKeyStore"/>
      <Link
         rel="keystore:reset"
         href="https://vcloud.example.com/api/admin/org/26/settings/ldap/action/resetLdapKeyStore"/>
      <Link
         rel="keytab:update"
         type="application/vnd.vmware.admin.sspiKeytabUpdateParams+xml"
         href="https://vcloud.example.com/api/admin/org/26/settings/ldap/action/updateLdapSspiKeytab"/>
      <Link
         rel="keytab:reset"
         href="https://vcloud.example.com/api/admin/org/26/settings/ldap/action/resetLdapSspiKeytab"/>
      ...
   </OrgLdapSettings>
</AdminOrg>

All of these links implement similar operations. They either upload a new certificate, keytab, or keystore, or reset or remove an existing one. VMware Cloud Director imposes limits on upload sizes.

Table 1. Truststore, Certificate, and Keytab Upload Limits
Upload Type Maximum Size in Megabytes
LDAP certificate 2
LDAP keystore 2
LDAP SSPI keytab 2

Prerequisites

This operation requires the rights included in the predefined Organization Administrator role or an equivalent set of rights.

Procedure

  1. Determine whether the request requires a body.
    Requests whose rel value includes the string reset do not require a body. For details about other request bodies, see the schema reference.
  2. POST the request to the request URL.
    Include the request body if one is required.
  3. Take any action required by the response.
    The response to an update request includes an uploadLocation parameter whose value is a URL to which you can upload the certificate, keytab, or keystore with a PUT request. Requests whose rel value includes the string reset return a No Content response and require no further action.

Example: Upload an SSL Certificate for an Organization LDAP Service

This example uploads an SSL certificate whose size is 892 bytes. The first step obtains an upload URL by POSTing a CertificateUpdateParams element to the organization's settings/ldap/action/updateLdapCertificate URL.

Request: 
POST: https://vcloud.example.com/api/admin/org/26/settings/ldap/action/updateLdapCertificate
Content-type: application/vnd.vmware.admin.certificateUpdateParams+xml
...
<?xml version="1.0" encoding="UTF-8"?>
<CertificateUpdateParams
   fileSize="892"
   xmlns="http://www.vmware.com/vcloud/v1.5">
</CertificateUpdateParams>

The response contains an uploadLocation parameter whose value is a URL to which you can upload the certificate.

Response: 
<CertificateUploadSocket
   xmlns="http://www.vmware.com/vcloud/v1.5"
   uploadLocation="https://vcloud.example.com/transfer/53bc1/ldapCertificate">
   <Task
      ...
      status="running"
      operation="Updating LDAP certificate Organization (7)"  
      ...
   </Task>
</CertificateUploadSocket>

To upload the certificate, make a PUT request to the uploadLocation URL and supply the certificate in the request body.

Request: 
PUT https://vcloud.example.com/transfer/53bc1/ldapCertificate
Content-length: 892
  ...serialized contents of certificate...

EOF
Response: 
200 OK