Configure vSphere Trust Authority Components for Trusted Clusters
vSphere Trust Authority
Components for Trusted ClustersYou can use
HTTP requests
to manage Key Provider Service and Attestation Service instances that a
Trusted Cluster is configured to use.- Verify that you have access to a workingvSphere Trust Authorityenvironment.
- Verify that you have Trusted Infrastructure administrative privileges.
You can configure, list, remove, and retrieve
details about Key Provider Service and Attestation Service instances.
Some operations require you to specify parameters
in the body of the HTTP request according to your
vSphere Trust Authority
environment.
For details about the syntax of each HTTP request body, see the API Reference
documentation.- Configure a cluster in a WorkloadvCenter Serverto use a registered Key Provider Service instance.POST https://<vcenter_ip_address_or_fqdn>/api/vcenter/trusted-infrastructure/trusted-clusters/<cluster>/kms/services?vmw-task=trueYou receive the task ID in the response body. You can use the task ID to check the status of the task by running the following HTTP request.GET https://<vcenter_ip_address_or_fqdn>/api/cis/tasks/<task_ID>If the operation is successful, the Key Provider Service instance is propagated to all TrustedESXihosts in the cluster.
- Configure a cluster in a WorkloadvCenter Serverto use a registered Attestation Service instance.POST https://<vcenter_ip_address_or_fqdn>/api/vcenter/trusted-infrastructure/trusted-clusters/<cluster>/attestation/services?vmw-task=trueYou receive the task ID in the response body. You can use the task ID to check the status of the task by running the following HTTP request.GET https://<vcenter_ip_address_or_fqdn>/api/cis/tasks/<task_ID>If the operation is successful, the Attestation Service instance is propagated to all TrustedESXihosts in the cluster.
- List Key Provider Service instances used by a cluster by using filters.POST https://<vcenter_ip_address_or_fqdn>/api/vcenter/trusted-infrastructure/trusted-clusters/<cluster>/kms/services?action=queryYou receive the results that match your criteria in the response body. You can use the filtered list to retrieve the health status of the Key Provider Service instances.
- List Attestation Service instances used by a cluster by using filters.POST https://<vcenter_ip_address_or_fqdn>/api/vcenter/trusted-infrastructure/trusted-clusters/<cluster>/attestation/services?action=queryYou receive the results that match your criteria in the response body. You can use the filtered list to retrieve the health status of the Attestation Service instances.
- Remove a Key Provider Service instance from the configuration of a Trusted Cluster.DELETE https://<vcenter_ip_address_or_fqdn>/api/vcenter/trusted-infrastructure/trusted-clusters/<cluster>/kms/services/<service>?vmw-task=trueYou receive the task ID in the response body. You can use the task ID to check the status of the task by running the following HTTP request.GET https://<vcenter_ip_address_or_fqdn>/api/cis/tasks/<task_ID>If the operation is successful, the TrustedESXihosts can no longer retrieve keys by using that Key Provider Service instance.
- Remove a registered Attestation Service instance from the configuration of a Trusted Cluster.DELETE https://<vcenter_ip_address_or_fqdn>/api/vcenter/trusted-infrastructure/trusted-clusters/<cluster>/attestation/services/<service>?vmw-task=trueYou receive the task ID in the response body. You can use the task ID to check the status of the task by running the following HTTP request.GET https://<vcenter_ip_address_or_fqdn>/api/cis/tasks/<task_ID>If the operation is successful, the TrustedESXihosts can no longer attest that their configuration is secure by using that Attestation Service instance.
- Retrieve detailed information, including the certificates, for a configured Key Provider Service instance used by a Trusted Cluster.GET https://<vcenter_ip_address_or_fqdn>/api/vcenter/trusted-infrastructure/trusted-clusters/<cluster>/kms/services/<service>You receive the details in the response body. You can use the retrieved information to verify the Key Provider Service instance.
- Retrieve detailed information, including the certificates, for a registered Attestation Service instance used by a Trusted Cluster.GET https://<vcenter_ip_address_or_fqdn>/api/vcenter/trusted-infrastructure/trusted-clusters/<cluster>/attestation/services/<service>You receive the details in the response body. You can use the retrieved information to verify the Attestation Service instance.