Configure Trusted TPMs of Attested ESXi Hosts on a Cluster Level

You can use HTTP requests to manage remote attestation configuration for TPM trust.

- Verify that you have access to a working vSphere Trust Authority environment.
- Verify that you have Trusted Infrastructure administrative privileges.
You can add, list, remove, and retrieve details about TPM CA certificates and TPM endorsement keys. You can also set and retrieve TPM 2.0 attestation settings.

Some operations require you to specify parameters in the body of the HTTP request according to your vSphere Trust Authority environment. For details about the syntax of each HTTP request body, see the API Reference documentation.

- Add a new TPM CA certificate to a Trusted Cluster to specify a trusted platform OEM.

  POST https://<vcenter_ip_address_or_fqdn>/api/vcenter/trusted-infrastructure/trust-authority-clusters/<cluster>/attestation/tpm2/ca-certificates?vmw-task=true

  You receive the task ID in the response body. You can use the task ID to check the status of the task by running the following HTTP request.

  GET https://<vcenter_ip_address_or_fqdn>/api/cis/tasks/<task_ID>
- Retrieve a list of configured TPM CA certificates on a Trusted Cluster to identify the trusted platform OEMs.

  GET https://<vcenter_ip_address_or_fqdn>/api/vcenter/trusted-infrastructure/trust-authority-clusters/<cluster>/attestation/tpm2/ca-certificates?vmw-task=true

  You receive the task ID in the response body. You can use the task ID to check the status of the task by running the following HTTP request.

  GET https://<vcenter_ip_address_or_fqdn>/api/cis/tasks/<task_ID>

- Remove a TPM CA certificate from a Trusted Cluster because a platform OEM is no longer trusted.

  DELETE https://<vcenter_ip_address_or_fqdn>/api/vcenter/trusted-infrastructure/trust-authority-clusters/<cluster>/attestation/tpm2/ca-certificates/<name>?vmw-task=true

  You receive the task ID in the response body. You can use the task ID to check the status of the task by running the following HTTP request.

  GET https://<vcenter_ip_address_or_fqdn>/api/cis/tasks/<task_ID>
- Retrieve details about a specific TPM CA certificate on a Trusted Cluster to get more information about the trusted platform OEM.

  GET https://<vcenter_ip_address_or_fqdn>/api/vcenter/trusted-infrastructure/trust-authority-clusters/<cluster>/attestation/tpm2/ca-certificates/<name>?vmw-task=true

  You receive the task ID in the response body. You can use the task ID to check the status of the task by running the following HTTP request.

  GET https://<vcenter_ip_address_or_fqdn>/api/cis/tasks/<task_ID>
- Add a new TPM endorsement key to a Trusted Cluster to specify a trusted ESXi host.

  POST https://<vcenter_ip_address_or_fqdn>/api/vcenter/trusted-infrastructure/trust-authority-clusters/<cluster>/attestation/tpm2/endorsement-keys?vmw-task=true

  You receive the task ID in the response body. You can use the task ID to check the status of the task by running the following HTTP request.

  GET https://<vcenter_ip_address_or_fqdn>/api/cis/tasks/<task_ID>

- Retrieve a list of configured TPM endorsement keys in a Trusted Cluster to identify the trusted ESXi hosts.

  GET https://<vcenter_ip_address_or_fqdn>/api/vcenter/trusted-infrastructure/trust-authority-clusters/<cluster>/attestation/tpm2/endorsement-keys?vmw-task=true

  You receive the task ID in the response body. You can use the task ID to check the status of the task by running the following HTTP request.

  GET https://<vcenter_ip_address_or_fqdn>/api/cis/tasks/<task_ID>

- Remove a TPM endorsement key from a Trusted Cluster because an ESXi host is no longer trusted.

  DELETE https://<vcenter_ip_address_or_fqdn>/api/vcenter/trusted-infrastructure/trust-authority-clusters/<cluster>/attestation/tpm2/endorsement-keys/<name>?vmw-task=true

  You receive the task ID in the response body. You can use the task ID to check the status of the task by running the following HTTP request.

  GET https://<vcenter_ip_address_or_fqdn>/api/cis/tasks/<task_ID>

- Retrieve details about a specific TPM endorsement key on a Trusted Cluster to get more information about the trusted ESXi host.

  GET https://<vcenter_ip_address_or_fqdn>/api/vcenter/trusted-infrastructure/trust-authority-clusters/<cluster>/attestation/tpm2/endorsement-keys/<name>?vmw-task=true

  You receive the task ID in the response body. You can use the task ID to check the status of the task by running the following HTTP request.

  GET https://<vcenter_ip_address_or_fqdn>/api/cis/tasks/<task_ID>

- Set the TPM 2.0 attestation settings by specifying that TPM endorsement keys on a Trusted Cluster do not need to be signed because the trusted OEM does not sign endorsement keys.

  PATCH https://<vcenter_ip_address_or_fqdn>/api/vcenter/trusted-infrastructure/trust-authority-clusters/<cluster>/attestation/tpm2/settings?vmw-task=true

  { "require_endorsement_keys" : false, "require_certificate_validation" : true }

  You receive the task ID in the response body. You can use the task ID to check the status of the task by running the following HTTP request.

  GET https://<vcenter_ip_address_or_fqdn>/api/cis/tasks/<task_ID>

- Determine the TPM 2.0 attestation settings in a Trusted Cluster.

  GET https://<vcenter_ip_address_or_fqdn>/api/vcenter/trusted-infrastructure/trust-authority-clusters/<cluster>/attestation/tpm2/settings?vmw-task=true

  You receive the task ID in the response body. You can use the task ID to check the status of the task by running the following HTTP request.

  GET https://<vcenter_ip_address_or_fqdn>/api/cis/tasks/<task_ID>
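The request-then-poll pattern that every step above repeats, worked through for the tpm2/settings PATCH as an added example (not code from the VMware documentation): the task ID comes back in the response body, and GET /api/cis/tasks/<task_ID> is polled until the task finishes. The session header name, the POST /api/session login, the SUCCEEDED/FAILED task statuses and the guard that refuses to turn both trust flags off are assumptions of this example; the fake vCenter is constructed so it runs offline.

```python
import json
import urllib.request

BASE = "https://<vcenter_ip_address_or_fqdn>"  # placeholder as on the page
TA_CLUSTERS = BASE + "/api/vcenter/trusted-infrastructure/trust-authority-clusters"
TERMINAL = {"SUCCEEDED", "FAILED"}  # assumed terminal statuses of a cis task

def urllib_sender(session_id):
    # Real transport; session_id assumed from POST /api/session, sent as vmware-api-session-id.
    def send(method, url, body):
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(url, data=data, method=method)
        req.add_header("vmware-api-session-id", session_id)
        req.add_header("Content-Type", "application/json")
        with urllib.request.urlopen(req) as resp:  # TLS verification stays on
            return json.loads(resp.read() or b"null")
    return send

def tpm2_settings_body(require_ek, require_cert):
    # Guard of this example, not of the API: both off means any TPM would attest.
    if not (require_ek or require_cert):
        raise ValueError("at least one TPM trust anchor must stay enabled")
    return {"require_endorsement_keys": require_ek,
            "require_certificate_validation": require_cert}

def run_task(send, method, url, body=None, max_polls=60):
    # ?vmw-task=true returns the task ID; poll /api/cis/tasks/<task_ID> until terminal.
    task_id = send(method, url + "?vmw-task=true", body)
    for _ in range(max_polls):
        info = send("GET", f"{BASE}/api/cis/tasks/{task_id}", None)
        if info.get("status") in TERMINAL:
            return info
    raise TimeoutError(f"task {task_id} not finished after {max_polls} polls")

def set_tpm2_settings(send, cluster, require_ek, require_cert):
    url = f"{TA_CLUSTERS}/{cluster}/attestation/tpm2/settings"
    info = run_task(send, "PATCH", url, tpm2_settings_body(require_ek, require_cert))
    if info["status"] != "SUCCEEDED":
        raise RuntimeError(f"tpm2/settings update failed: {info.get('error')}")
    return info

def fake_vcenter(statuses=("RUNNING", "SUCCEEDED")):
    # Constructed offline stand-in: records requests, hands out a task ID, then
    # walks through the given status sequence on successive polls.
    calls, polls = [], iter(statuses)
    def send(method, url, body):
        calls.append((method, url, body))
        if method == "GET" and "/api/cis/tasks/" in url:
            return {"status": next(polls)}
        return "task-0001"  # constructed task ID
    return send, calls
```

Swap `fake_vcenter()` for `urllib_sender(session_id)` to run the same flow against a real vCenter; the other list endpoints above take the same `run_task` call with their own method and path.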