VMS provides the option of authenticating VMS clients with mutual TLS authentication (mTLS).
To enable mTLS authentication for all clients making REST API calls to VMS, which includes all access to the VAST Web UI, obtain a root X.509 mTLS certificate and key from a CA and upload it to VMS as the mTLS certificate.
When mTLS authentication is enabled, clients invoking the VMS REST API must present a certificate that was signed by the uploaded root certificate or they must present the same certificate that was uploaded.
- From the left navigation menu, select Settings and then Certificates to open the Certificates tab.
- From the Certificate for dropdown, select mTLS.
- Either paste the certificate file contents into the Certificate field or use the Upload button to upload the file, and paste or upload the key file content into the Key field.
  When pasting the file content, include the BEGIN CERTIFICATE / BEGIN PRIVATE KEY and END CERTIFICATE / END PRIVATE KEY lines, like this:
    -----BEGIN CERTIFICATE-----
    ...
    -----END CERTIFICATE-----
- Click Update.
- Obtain an mTLS certificate and key file issued by a CA.
- Open the VAST CLI and run the vms set_client_certificate command:
    vcli: admin> vms set_client_certificate --id 1
    Please enter certificate AND private key (ALT+ENTER/option+ENTER to finish):
- Enter the certificate and key content one after the other, including the "BEGIN CERTIFICATE", "END CERTIFICATE", "BEGIN PRIVATE KEY" and "END PRIVATE KEY" lines:
    -----BEGIN CERTIFICATE-----
    <Certificate file content>
    -----END CERTIFICATE-----
    -----BEGIN PRIVATE KEY-----
    <Key file content>
    -----END PRIVATE KEY-----
To remove an mTLS certificate from the VAST CLI, run the vms remove_client_certificate command.
    vcli: admin> vms remove_client_certificate
    This action will remove the client certificate from vms, vms will no longer verify client requests after that.
    Are you sure you want to proceed? [y/N] y
    client certificate has been removed, please reconnect.
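Before uploading through the Web UI or the CLI, the certificate and key can be checked locally with OpenSSL. The script below is an added example, not VAST code: it checks the BEGIN/END marker lines, checks that the key belongs to the certificate, and approximates the acceptance rule stated above (a client certificate signed by the root, or the root itself). The function names, file names and the throwaway test certificates are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example: pre-upload checks for the mTLS root certificate and key.
# Function names and file names are hypothetical, chosen for this example.

# Both files carry the BEGIN/END marker lines the upload form and CLI expect.
has_pem_markers() {            # usage: has_pem_markers cert.pem key.pem
    grep -q -- '-----BEGIN CERTIFICATE-----' "$1" &&
    grep -q -- '-----END CERTIFICATE-----' "$1" &&
    grep -q -- '-----BEGIN PRIVATE KEY-----' "$2" &&
    grep -q -- '-----END PRIVATE KEY-----' "$2"
}

# The private key belongs to the certificate (identical public keys).
key_matches_cert() {           # usage: key_matches_cert cert.pem key.pem
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
    [ "$cert_pub" = "$key_pub" ]
}

# The client certificate chains to the root, or is the root itself.
client_accepted_by_root() {    # usage: client_accepted_by_root root.pem client.pem
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Constructed test material: a throwaway root, a client it signs, and an
# unrelated self-signed certificate. Not for production use.
make_demo_pki() {              # usage: make_demo_pki directory
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo mTLS Root" \
        -keyout "$1/root.key" -out "$1/root.pem" 2>/dev/null &&
    openssl req -newkey rsa:2048 -nodes -subj "/CN=demo-client" \
        -keyout "$1/client.key" -out "$1/client.csr" 2>/dev/null &&
    openssl x509 -req -in "$1/client.csr" -CA "$1/root.pem" -CAkey "$1/root.key" \
        -CAcreateserial -days 1 -out "$1/client.pem" 2>/dev/null &&
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Unrelated" \
        -keyout "$1/other.key" -out "$1/other.pem" 2>/dev/null
}

# Demo run over the constructed material; the directory is removed on exit.
demo_dir=$(mktemp -d) && trap 'rm -rf "$demo_dir"' EXIT
make_demo_pki "$demo_dir" || { echo "openssl failed" >&2; exit 1; }
has_pem_markers "$demo_dir/root.pem" "$demo_dir/root.key" && echo "markers: ok"
key_matches_cert "$demo_dir/root.pem" "$demo_dir/root.key" && echo "root key matches root cert"
key_matches_cert "$demo_dir/root.pem" "$demo_dir/other.key" || echo "mismatched key rejected"
client_accepted_by_root "$demo_dir/root.pem" "$demo_dir/client.pem" && echo "signed client: accepted"
client_accepted_by_root "$demo_dir/root.pem" "$demo_dir/other.pem" || echo "unrelated client: rejected"
```

These checks run entirely on the workstation; the decision to accept or reject a client is still made by VMS.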