Configure vSphere Trust Authority Components for Trusted Clusters
Last Updated December 16, 2024

You can use HTTP requests to manage the Key Provider Service and Attestation Service instances that a Trusted Cluster is configured to use.
  • Verify that you have access to a working vSphere Trust Authority environment.
  • Verify that you have Trusted Infrastructure administrative privileges.
You can configure, list, remove, and retrieve details about Key Provider Service and Attestation Service instances. Some operations require you to specify parameters in the body of the HTTP request according to your vSphere Trust Authority environment. For the syntax of each HTTP request body, see the API Reference documentation. Operations that run asynchronously take the ?vmw-task=true query parameter and return a task ID that you poll until the task reaches a terminal state.
  1. Configure a cluster in a Workload vCenter Server to use a registered Key Provider Service instance.
     POST https://<vcenter_ip_address_or_fqdn>/api/vcenter/trusted-infrastructure/trusted-clusters/<cluster>/kms/services?vmw-task=true
     You receive the task ID in the response body. You can use the task ID to check the status of the task by running the following HTTP request.
     GET https://<vcenter_ip_address_or_fqdn>/api/cis/tasks/<task_ID>
     If the operation is successful, the Key Provider Service instance is propagated to all Trusted ESXi hosts in the cluster.
  2. Configure a cluster in a Workload vCenter Server to use a registered Attestation Service instance.
     POST https://<vcenter_ip_address_or_fqdn>/api/vcenter/trusted-infrastructure/trusted-clusters/<cluster>/attestation/services?vmw-task=true
     You receive the task ID in the response body. You can use the task ID to check the status of the task by running the following HTTP request.
     GET https://<vcenter_ip_address_or_fqdn>/api/cis/tasks/<task_ID>
     If the operation is successful, the Attestation Service instance is propagated to all Trusted ESXi hosts in the cluster.
  3. List Key Provider Service instances used by a cluster by using filters.
    POST https://<vcenter_ip_address_or_fqdn>/api/vcenter/trusted-infrastructure/trusted-clusters/<cluster>/kms/services?action=query
    You receive the results that match your criteria in the response body. You can use the filtered list to retrieve the health status of the Key Provider Service instances.
  4. List Attestation Service instances used by a cluster by using filters.
    POST https://<vcenter_ip_address_or_fqdn>/api/vcenter/trusted-infrastructure/trusted-clusters/<cluster>/attestation/services?action=query
    You receive the results that match your criteria in the response body. You can use the filtered list to retrieve the health status of the Attestation Service instances.
  5. Remove a Key Provider Service instance from the configuration of a Trusted Cluster.
     DELETE https://<vcenter_ip_address_or_fqdn>/api/vcenter/trusted-infrastructure/trusted-clusters/<cluster>/kms/services/<service>?vmw-task=true
     You receive the task ID in the response body. You can use the task ID to check the status of the task by running the following HTTP request.
     GET https://<vcenter_ip_address_or_fqdn>/api/cis/tasks/<task_ID>
     If the operation is successful, the Trusted ESXi hosts can no longer retrieve keys by using that Key Provider Service instance.
  6. Remove a registered Attestation Service instance from the configuration of a Trusted Cluster.
     DELETE https://<vcenter_ip_address_or_fqdn>/api/vcenter/trusted-infrastructure/trusted-clusters/<cluster>/attestation/services/<service>?vmw-task=true
     You receive the task ID in the response body. You can use the task ID to check the status of the task by running the following HTTP request.
     GET https://<vcenter_ip_address_or_fqdn>/api/cis/tasks/<task_ID>
     If the operation is successful, the Trusted ESXi hosts can no longer attest that their configuration is secure by using that Attestation Service instance.
  7. Retrieve detailed information, including the certificates, for a configured Key Provider Service instance used by a Trusted Cluster.
     GET https://<vcenter_ip_address_or_fqdn>/api/vcenter/trusted-infrastructure/trusted-clusters/<cluster>/kms/services/<service>
     You receive the details in the response body. You can use the retrieved information, for example the returned certificates, to verify that the Key Provider Service instance is the one you expect.
  8. Retrieve detailed information, including the certificates, for a registered Attestation Service instance used by a Trusted Cluster.
     GET https://<vcenter_ip_address_or_fqdn>/api/vcenter/trusted-infrastructure/trusted-clusters/<cluster>/attestation/services/<service>
     You receive the details in the response body. You can use the retrieved information, for example the returned certificates, to verify that the Attestation Service instance is the one you expect.
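The Key Provider Service half of the procedure above (steps 1, 3, 5 and 7), written as an added example rather than code from this page or from VMware: a small Python client that issues the ?vmw-task=true requests, polls GET /api/cis/tasks/<task_ID> until the task is terminal, runs the filtered query and fetches one service's details. Everything the page does not show is an assumption and is labelled as such in the code: the request body shapes ({"service": ...} for configure and {"services": [...]} for the query filter), the task status values RUNNING/SUCCEEDED/FAILED, the HTTP 202 response to a task request, the cluster ID domain-c8, the service IDs, and the response fields served by FakeVCenter, a constructed in-memory stand-in so the flow runs offline.

```python
"""Added example (not VMware's own code): drive the trusted-cluster Key Provider
Service endpoints described above, polling the task each ?vmw-task=true request
returns.  Assumed, since the page does not show them: the POST body {"service": <id>},
the query body {"services": [...]}, task states RUNNING/SUCCEEDED/FAILED and HTTP 202
for task requests.  FakeVCenter is a constructed stand-in so the flow runs offline."""
import json
import ssl
import time
import urllib.request

TRUSTED = "/api/vcenter/trusted-infrastructure/trusted-clusters"
TERMINAL = {"SUCCEEDED", "FAILED"}
TA = {"group": "ta-group-1", "trust_authority_cluster": "ta-cluster-1"}  # constructed


def urllib_transport(session_id, cafile):
    """Real transport: verify TLS against the vCenter CA bundle (never disable it) and
    send the id obtained from POST /api/session as vmware-api-session-id."""
    ctx = ssl.create_default_context(cafile=cafile)
    headers = {"vmware-api-session-id": session_id, "Content-Type": "application/json"}

    def send(method, url, body):
        data = None if body is None else json.dumps(body).encode()
        req = urllib.request.Request(url, data=data, method=method, headers=headers)
        with urllib.request.urlopen(req, context=ctx) as resp:
            return resp.status, json.loads(resp.read() or b"null")
    return send


class TrustedClusterClient:
    """transport(method, url, body_or_None) -> (http_status, decoded_json)."""
    def __init__(self, vcenter, transport):
        self.host, self.send = f"https://{vcenter}", transport

    def _task(self, method, path, body=None):
        status, task_id = self.send(method, f"{self.host}{path}?vmw-task=true", body)
        if status not in (200, 202) or not isinstance(task_id, str):
            raise RuntimeError(f"expected a task id, got HTTP {status}: {task_id!r}")
        return task_id

    def add_kms_service(self, cluster, service):
        return self._task("POST", f"{TRUSTED}/{cluster}/kms/services", {"service": service})

    def remove_kms_service(self, cluster, service):
        return self._task("DELETE", f"{TRUSTED}/{cluster}/kms/services/{service}")

    def query_kms_services(self, cluster, services=None):
        body = {"services": services} if services else {}
        return self.send("POST", f"{self.host}{TRUSTED}/{cluster}/kms/services?action=query", body)[1]

    def get_kms_service(self, cluster, service):
        return self.send("GET", f"{self.host}{TRUSTED}/{cluster}/kms/services/{service}", None)[1]

    def wait_for_task(self, task_id, attempts=30, delay=0.0):
        """Poll GET /api/cis/tasks/<id>; FAILED raises, and so does never going terminal."""
        task = {"status": "PENDING"}
        for _ in range(attempts):
            _, task = self.send("GET", f"{self.host}/api/cis/tasks/{task_id}", None)
            if task["status"] == "FAILED":
                raise RuntimeError(f"task {task_id} failed: {task.get('error')}")
            if task["status"] in TERMINAL:
                return task
            time.sleep(delay)
        raise TimeoutError(f"task {task_id} still {task['status']} after {attempts} polls")


class FakeVCenter:
    """Constructed in-memory vCenter: kms-1 preconfigured, every task RUNNING on first poll."""
    HOST = "https://vc.example.test"

    def __init__(self):
        pem = "-----BEGIN CERTIFICATE-----\nMIIB..constructed..\n-----END CERTIFICATE-----"
        self.services = {"kms-1": {**TA, "certificates": [pem]}}
        self.tasks, self.polls = {}, {}

    def _new_task(self, status, error=None):
        tid = f"task-{len(self.tasks) + 1}"
        self.tasks[tid] = {"status": status, "error": error}
        return 202, tid

    def __call__(self, method, url, body):
        path = url[len(self.HOST):]
        if path.startswith("/api/cis/tasks/"):
            tid = path.rsplit("/", 1)[1]
            self.polls[tid] = self.polls.get(tid, 0) + 1
            return 200, ({"status": "RUNNING"} if self.polls[tid] == 1 else self.tasks[tid])
        tail = path[len(TRUSTED) + 1:].partition("/")[2]  # strip "<cluster>/"
        if method == "POST" and tail == "kms/services?vmw-task=true":
            self.services[body["service"]] = {**TA, "certificates": []}
            return self._new_task("SUCCEEDED")
        if method == "POST" and tail == "kms/services?action=query":
            wanted = (body or {}).get("services") or list(self.services)
            return 200, [{"service": s, **self.services[s]} for s in wanted if s in self.services]
        sid = tail[len("kms/services/"):].split("?")[0]
        if method == "DELETE" and sid not in self.services:
            return self._new_task("FAILED", {"message": f"{sid} is not configured on this cluster"})
        if method == "DELETE":
            del self.services[sid]
            return self._new_task("SUCCEEDED")
        if method == "GET" and sid in self.services:
            return 200, {"service": sid, **self.services[sid]}
        return 404, {"error_type": "NOT_FOUND"}
```

Against a real Workload vCenter Server, construct the client with urllib_transport(session_id, cafile) instead of FakeVCenter, where session_id comes from POST /api/session and cafile is the CA bundle that issued the vCenter certificate; the client refuses to treat anything but a string task ID as success, and wait_for_task raises on a FAILED task or on a task that never goes terminal rather than silently assuming the service was propagated. The Attestation Service endpoints in steps 2, 4, 6 and 8 differ only in the attestation/services path segment.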