You can use the Services interface from the com.vmware.vcenter.trusted_infrastructure.kms and com.vmware.vcenter.trusted_infrastructure.attestation packages to perform Key Provider Service and Attestation Service management operations.

You can register, list, remove, and retrieve details about Key Provider Service and Attestation Service instances.

Prerequisites

  • Verify that you have access to a working vSphere Trust Authority environment.
  • Verify that you have Trusted Infrastructure administrative privileges.

Procedure

  1. Register a Key Provider Service instance in a Workload vCenter Server by calling the create(ServicesTypes.CreateSpec spec) method of the Services interface from the com.vmware.vcenter.trusted_infrastructure.kms package.

    The Key Provider Service instance is propagated to all Workload ESXi hosts that the Workload vCenter Server manages.

  2. Register an Attestation Service instance in a Workload vCenter Server by calling the create(ServicesTypes.CreateSpec spec) method of the Services interface from the com.vmware.vcenter.trusted_infrastructure.attestation package.

    The Attestation Service instance is propagated to all Workload ESXi hosts that the Workload vCenter Server manages.

  3. List the Key Provider Service instances registered in a Workload vCenter Server, optionally narrowing the result with a filter, by calling the list(ServicesTypes.FilterSpec spec) method of the Services interface from the com.vmware.vcenter.trusted_infrastructure.kms package.
  4. List the Attestation Service instances registered in a Workload vCenter Server, optionally narrowing the result with a filter, by calling the list(ServicesTypes.FilterSpec spec) method of the Services interface from the com.vmware.vcenter.trusted_infrastructure.attestation package.
  5. Remove a registered Key Provider Service instance by calling the delete(java.lang.String service) method of the Services interface from the com.vmware.vcenter.trusted_infrastructure.kms package.

    The Workload ESXi hosts can no longer retrieve keys by using that Key Provider Service instance.

  6. Remove a registered Attestation Service instance by calling the delete(java.lang.String service) method of the Services interface from the com.vmware.vcenter.trusted_infrastructure.attestation package.

    The Workload ESXi hosts can no longer attest that their configuration is secure by using that Attestation Service instance.

  7. Retrieve detailed information, including the certificates, for a registered Key Provider Service instance by calling the get(java.lang.String service) method of the Services interface from the com.vmware.vcenter.trusted_infrastructure.kms package.
  8. Retrieve detailed information, including the certificates, for a registered Attestation Service instance by calling the get(java.lang.String service) method of the Services interface from the com.vmware.vcenter.trusted_infrastructure.attestation package.
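The steps above, carried through for the Key Provider Service side in one Java program (an added example, not code from the VMware documentation or SDK samples). It assumes an already authenticated vAPI session exposed as a StubFactory and StubConfiguration (the SDK samples obtain these through their login helper), and that the kms ServicesTypes.CreateSpec, FilterSpec, Summary and Info classes carry the group, trustAuthorityCluster, address and trustedCA fields with the setter and getter names used here, mirroring the REST payload fields; the cluster ID, group name, host name and PEM text are placeholders. The Attestation Service flow is identical apart from the package name, so it is not repeated.

```java
import java.util.Collections;
import java.util.List;

import com.vmware.vapi.bindings.StubConfiguration;
import com.vmware.vapi.bindings.StubFactory;
import com.vmware.vcenter.trusted_infrastructure.NetworkAddress;
import com.vmware.vcenter.trusted_infrastructure.X509CertChain;
import com.vmware.vcenter.trusted_infrastructure.kms.Services;
import com.vmware.vcenter.trusted_infrastructure.kms.ServicesTypes;

public class KmsServiceRegistrationExample {

    // Placeholder values; replace with the identifiers from your own environment.
    private static final String TRUST_AUTHORITY_CLUSTER = "PLACEHOLDER-trust-authority-cluster-id";
    private static final String KMS_GROUP = "PLACEHOLDER-kms-group";
    private static final String KMS_HOST = "kms.example.invalid";
    private static final long KMS_PORT = 443L;
    private static final String TRUSTED_CA_PEM =
        "-----BEGIN CERTIFICATE-----\nPLACEHOLDER-PEM-OF-TRUST-AUTHORITY-CA\n-----END CERTIFICATE-----";

    // Step 1: register the Key Provider Service instance; returns the new service ID.
    static String register(Services kmsServices) {
        NetworkAddress address = new NetworkAddress();
        address.setHostname(KMS_HOST);
        address.setPort(KMS_PORT);

        // The CA chain pins which Key Provider Service the Workload ESXi hosts will trust.
        X509CertChain trustedCa = new X509CertChain();
        trustedCa.setCertChain(Collections.singletonList(TRUSTED_CA_PEM));

        ServicesTypes.CreateSpec spec = new ServicesTypes.CreateSpec();
        spec.setGroup(KMS_GROUP);
        spec.setTrustAuthorityCluster(TRUST_AUTHORITY_CLUSTER);
        spec.setAddress(address);
        spec.setTrustedCA(trustedCa);
        return kmsServices.create(spec);
    }

    // Step 3: list registered instances, filtered to our group.
    static List<ServicesTypes.Summary> listForGroup(Services kmsServices) {
        ServicesTypes.FilterSpec filter = new ServicesTypes.FilterSpec();
        filter.setGroups(Collections.singleton(KMS_GROUP));
        return kmsServices.list(filter);
    }

    // Step 7: fetch the details and confirm the registered CA chain is the one we intended.
    // A mismatch here means the hosts would trust a different CA than expected.
    static boolean trustedCaMatches(Services kmsServices, String serviceId) {
        ServicesTypes.Info info = kmsServices.get(serviceId);
        List<String> chain = info.getTrustedCA().getCertChain();
        return chain.size() == 1 && chain.get(0).trim().equals(TRUSTED_CA_PEM.trim());
    }

    // Step 5: unregister; the Workload ESXi hosts stop retrieving keys through this instance.
    static void unregister(Services kmsServices, String serviceId) {
        kmsServices.delete(serviceId);
    }

    // stubFactory and sessionConfig come from the SDK's authenticated session (assumed here).
    public static void run(StubFactory stubFactory, StubConfiguration sessionConfig) {
        Services kmsServices = stubFactory.createStub(Services.class, sessionConfig);

        String serviceId = register(kmsServices);
        System.out.println("Registered Key Provider Service: " + serviceId);

        for (ServicesTypes.Summary s : listForGroup(kmsServices)) {
            System.out.println("  " + s.getService() + " -> "
                + s.getAddress().getHostname() + ":" + s.getAddress().getPort());
        }

        if (!trustedCaMatches(kmsServices, serviceId)) {
            // Do not leave a registration in place whose CA chain is not the expected one.
            unregister(kmsServices, serviceId);
            throw new IllegalStateException("Registered trusted CA does not match the expected CA");
        }

        // Clean-up for the example; in production you would keep the registration.
        unregister(kmsServices, serviceId);
    }
}
```

Call run(...) with the StubFactory and session StubConfiguration from your login code. The read-back in trustedCaMatches is the check worth keeping: get() returns the certificates the hosts will actually use, so comparing them against the chain you meant to register catches a wrong file or a stale variable before any Workload ESXi host starts trusting it.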