VMware Cloud Community
DiogoCampregher
Contributor

Error when adding vCenters

Hello,

When I try to add my vCenters to vCloud Director under vSphere Resources, I receive these two messages at random in the Trust Certificate header:

ERROR - No IP address found: servername.domainname.net/: Name or service not known

ERROR - Unable to stabilish connection: Connection timed out ( Connection Time Out )

It makes no difference whether I try to add using the IP address, short name, FQDN, local SSO user, domain user, lookup services or vsphere-client URL.

DNS is OK for all servers. The database servers are in the same L2/L3 as the vCenters (only the front-end application cells are in the DM).

0 Kudos
3 Replies
DjinjiRinji
Enthusiast

Hi.

Did you try to upload your vcenter certs in vCD before attempting the connection?

In case you don't want to upload certs, try the command below in VCD 10.1 or above:

/opt/vmware/vcloud-director/bin/cell-management-tool trust-infra-certs --vsphere --unattended

Security

WARNING: After upgrading to version 10.1, VMware Cloud Director will always verify certificates for any infrastructure endpoints connected to it. This is due to a change in the way VMware Cloud Director manages SSL certificates. If you do not import your certificates into VMware Cloud Director before the upgrade, the vCenter Server and NSX connections might show failed connection errors due to SSL verification issues. In this case, after upgrading, you have two options:
- Run the cell management tool trust-infra-certs command to automatically connect and retrieve certificates of all infrastructure endpoints for vCenter Server and NSX Manager instances into the centralized certificate store. See Import Endpoints Certificates from vSphere Resources.
- In the Service Provider Admin Portal UI, select each vCenter Server and NSX instance and reenter the credentials while accepting the certificate.

Starting with version 10.1, service providers and tenants can use the VMware Cloud Director API to test connections to remote servers and to verify server identity as part of an SSL handshake. To protect VMware Cloud Director network connections, configure a deny list of internal hosts that are unreachable to tenants who are using the VMware Cloud Director API for connection testing. Configure the deny list after a VMware Cloud Director installation or upgrade and before granting tenants access to VMware Cloud Director. See Configure a Test Connection Deny List.

VMware Cloud Director 10.1 deprecates the behavior to trust all SSL certificates. In this release, vCenter Server and NSX connections do not support this option. For all other connections, trusting all certificates is also deprecated and will become unsupported after VMware Cloud Director 10.1. System Administrators must prepare for this transition.
- If you use the LDAP for your VMware Cloud Director system organization, you can use the trust-on-first-use dialog in the UI or upload certificates by using the API.
- Audit all uses of this option and supply appropriate certificates by using the UI or the API.
- Communicate the changes to the tenants. All tenants that are using custom LDAP with enabled Accept all certificates option must transition away from this configuration. Tenants can either use the trust-on-first-use dialog in the UI or upload certificates through the API.

Kindly mark as solved if your questions are answered.
>>>>>
Guillermo R
LinkedIn: https://www.linkedin.com/in/gramallo
Web: http://bakingclouds.com/
0 Kudos
DiogoCampregher
Contributor

Hello.

This error happens due to the "/" at the end of the vCenter address.

ERROR - No IP address found: servername.domainname.net/: Name or service not known

Without the /, the error that happens is the TimedOut.

Now I can't unregister the lookup services either; same TimedOut error.

My vCenter uses the local certificates. My VCD uses CA certificates.

In my lab, I can't see this error when importing the vCenter, only in Production.

0 Kudos
DjinjiRinji
Enthusiast

The vc registration without '/' is correct.

https://your-fqdn should work. I have all my vCD cells this way.

Can you upload the content of your cell.log to see all errors you get while doing this?

Kindly mark as solved if your questions are answered.
>>>>>
Guillermo R
LinkedIn: https://www.linkedin.com/in/gramallo
Web: http://bakingclouds.com/
0 Kudos
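
The two errors reported in this thread sit at different layers: a name lookup that fails because of the stray "/", then a TCP connect that times out, and behind both the certificate that VCD has to trust. The script below is an added example, not part of any post and not VMware tooling, that checks those layers in order from a VCD cell; the function names are hypothetical, and it assumes bash, getent, timeout and openssl exist on the cell and that the endpoint is not an IPv6 literal.

```bash
#!/usr/bin/env bash
# Added example: pre-flight check of a vCenter endpoint, run on a VCD cell.
# vc_endpoint and vc_preflight are hypothetical names, not VMware commands.

# Reduce whatever was typed in the registration form to "host port".
# A "/" left on the end is what yields
# "No IP address found: servername.domainname.net/".
vc_endpoint() {
    local url=$1 host port=443
    url=${url#*://}      # drop the scheme, if any
    url=${url%%/*}       # drop the path and any trailing slash
    host=$url
    case $url in
        *:*) host=${url%%:*}; port=${url##*:} ;;
    esac
    printf '%s %s\n' "$host" "$port"
}

# Check DNS, then TCP, then TLS, stopping at the first failing layer so the
# message names what is broken between the cell and vCenter.
vc_preflight() {
    local ep host port
    ep=$(vc_endpoint "$1"); host=${ep% *}; port=${ep#* }

    getent ahosts "$host" >/dev/null \
        || { echo "DNS: $host does not resolve from this cell"; return 1; }

    # Host and port are passed as arguments, never pasted into the command.
    timeout 5 bash -c 'exec 3<>"/dev/tcp/$0/$1"' "$host" "$port" 2>/dev/null \
        || { echo "TCP: $host:$port unreachable (firewall or routing)"; return 2; }

    # Subject, issuer and SHA-256 fingerprint of the certificate presented,
    # to compare with what has been imported into VCD.
    openssl s_client -connect "$host:$port" -servername "$host" \
            </dev/null 2>/dev/null \
        | openssl x509 -noout -subject -issuer -fingerprint -sha256 2>/dev/null \
        || { echo "TLS: no certificate returned by $host:$port"; return 3; }
}

# Usage: ./vc_preflight.sh https://servername.domainname.net/
if [ $# -gt 0 ]; then
    vc_preflight "$1"
fi
```

A return code of 2 from a cell in the perimeter network while the same check passes in the lab points at filtering between the cell and vCenter rather than at certificates.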