You can use the Services interface from the com.vmware.vcenter.trusted_infrastructure.trusted_clusters.kms and com.vmware.vcenter.trusted_infrastructure.trusted_clusters.attestation packages to manage Key Provider Service and Attestation Service instances that a Trusted Cluster is configured to use.

You can configure, list, remove, and retrieve details about Key Provider Service and Attestation Service instances.

Prerequisites

  • Verify that you have access to a working vSphere Trust Authority environment.
  • Verify that you have Trusted Infrastructure administrative privileges.

Procedure

  1. Configure a cluster in a Workload vCenter Server to use a registered Key Provider Service instance by calling the create_Task(java.lang.String cluster, ServicesTypes.CreateSpec spec) method of the Services interface from the com.vmware.vcenter.trusted_infrastructure.trusted_clusters.kms package.

    You receive the task ID in the response body. You can use the task ID to check the status of the task by running the following HTTP request.

    If the operation is successful, the Key Provider Service instance is propagated to all Trusted ESXi hosts in the cluster.

  2. Configure a cluster in a Workload vCenter Server to use a registered Attestation Service instance by calling the create_Task(java.lang.String cluster, ServicesTypes.CreateSpec spec) method of the Services interface from the com.vmware.vcenter.trusted_infrastructure.trusted_clusters.attestation package.

    You receive the task ID in the response body. You can use the task ID to check the status of the task by running the following HTTP request.

    If the operation is successful, the Attestation Service instance is propagated to all Trusted ESXi hosts in the cluster.

  3. List the Key Provider Service instances used by a cluster, optionally narrowed by a filter, by calling the list(java.lang.String cluster, ServicesTypes.FilterSpec spec) method of the Services interface from the com.vmware.vcenter.trusted_infrastructure.trusted_clusters.kms package.
  4. List the Attestation Service instances used by a cluster, optionally narrowed by a filter, by calling the list(java.lang.String cluster, ServicesTypes.FilterSpec spec) method of the Services interface from the com.vmware.vcenter.trusted_infrastructure.trusted_clusters.attestation package.
  5. Remove a Key Provider Service instance from the configuration of a Trusted Cluster by calling the delete_Task(java.lang.String cluster, java.lang.String service) method of the Services interface from the com.vmware.vcenter.trusted_infrastructure.trusted_clusters.kms package.

    If the operation is successful, the Trusted ESXi hosts can no longer retrieve keys by using that Key Provider Service instance.

  6. Remove a registered Attestation Service instance from the configuration of a Trusted Cluster by calling the delete_Task(java.lang.String cluster, java.lang.String service) method of the Services interface from the com.vmware.vcenter.trusted_infrastructure.trusted_clusters.attestation package.

    If the operation is successful, the Trusted ESXi hosts can no longer attest that their configuration is secure by using that Attestation Service instance.

  7. Retrieve detailed information, including the certificates, for a configured Key Provider Service instance used by a Trusted Cluster by calling the get(java.lang.String cluster, java.lang.String service) method of the Services interface from the com.vmware.vcenter.trusted_infrastructure.trusted_clusters.kms package.
  8. Retrieve detailed information, including the certificates, for a registered Attestation Service instance used by a Trusted Cluster by calling the get(java.lang.String cluster, java.lang.String service) method of the Services interface from the com.vmware.vcenter.trusted_infrastructure.trusted_clusters.attestation package.
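The following class is an added example that walks through steps 1 to 8 with the Java bindings named above; it is not VMware sample code. It assumes the caller already holds an authenticated StubFactory and session StubConfiguration from the vSphere Automation SDK, that ServicesTypes.CreateSpec exposes a setService(String) setter for the registered service identifier, and that ServicesTypes.Summary exposes getService(). Because the kms and attestation packages both name their classes Services and ServicesTypes, the attestation side is referenced with fully qualified names. The remove helpers refuse to delete the last configured instance, since after a successful delete the Trusted ESXi hosts in the cluster can no longer retrieve keys (step 5) or attest (step 6) through it.

```java
import java.util.List;

import com.vmware.vapi.bindings.StubConfiguration;
import com.vmware.vapi.bindings.StubFactory;
import com.vmware.vcenter.trusted_infrastructure.trusted_clusters.kms.Services;
import com.vmware.vcenter.trusted_infrastructure.trusted_clusters.kms.ServicesTypes;

/**
 * Added example, not VMware's own code. Manages the Key Provider Service and
 * Attestation Service instances a Trusted Cluster is configured to use.
 * Assumptions: an authenticated StubFactory/StubConfiguration already exists;
 * CreateSpec.setService(String) and Summary.getService() are the binding names.
 */
public class TrustedClusterServices {
    private final Services kms;
    private final com.vmware.vcenter.trusted_infrastructure.trusted_clusters.attestation.Services attestation;

    public TrustedClusterServices(StubFactory stubFactory, StubConfiguration sessionConfig) {
        this.kms = stubFactory.createStub(Services.class, sessionConfig);
        this.attestation = stubFactory.createStub(
                com.vmware.vcenter.trusted_infrastructure.trusted_clusters.attestation.Services.class,
                sessionConfig);
    }

    /** Step 1: configure a registered Key Provider Service; returns the task ID. */
    public String configureKms(String clusterId, String serviceId) {
        ServicesTypes.CreateSpec spec = new ServicesTypes.CreateSpec();
        spec.setService(serviceId); // assumed setter for the service identifier
        // Propagation to the Trusted ESXi hosts happens asynchronously under this task.
        return kms.create_Task(clusterId, spec);
    }

    /** Step 2: configure a registered Attestation Service; returns the task ID. */
    public String configureAttestation(String clusterId, String serviceId) {
        com.vmware.vcenter.trusted_infrastructure.trusted_clusters.attestation.ServicesTypes.CreateSpec spec =
                new com.vmware.vcenter.trusted_infrastructure.trusted_clusters.attestation.ServicesTypes.CreateSpec();
        spec.setService(serviceId); // assumed setter for the service identifier
        return attestation.create_Task(clusterId, spec);
    }

    /** Step 3: an empty FilterSpec lists every Key Provider Service the cluster uses. */
    public List<ServicesTypes.Summary> listKms(String clusterId) {
        return kms.list(clusterId, new ServicesTypes.FilterSpec());
    }

    /** Step 4: an empty FilterSpec lists every Attestation Service the cluster uses. */
    public List<com.vmware.vcenter.trusted_infrastructure.trusted_clusters.attestation.ServicesTypes.Summary>
            listAttestation(String clusterId) {
        return attestation.list(clusterId,
                new com.vmware.vcenter.trusted_infrastructure.trusted_clusters.attestation.ServicesTypes.FilterSpec());
    }

    /**
     * Step 5: remove a Key Provider Service from the cluster. Refuses to remove the
     * last one, because the hosts would lose every path to their keys.
     */
    public String removeKms(String clusterId, String serviceId) {
        if (listKms(clusterId).size() <= 1) {
            throw new IllegalStateException(
                    "refusing to remove the last Key Provider Service of cluster " + clusterId);
        }
        return kms.delete_Task(clusterId, serviceId);
    }

    /**
     * Step 6: remove an Attestation Service from the cluster. Refuses to remove the
     * last one, because the hosts could no longer attest their configuration.
     */
    public String removeAttestation(String clusterId, String serviceId) {
        if (listAttestation(clusterId).size() <= 1) {
            throw new IllegalStateException(
                    "refusing to remove the last Attestation Service of cluster " + clusterId);
        }
        return attestation.delete_Task(clusterId, serviceId);
    }

    /** Step 7: full details, including certificates, of one Key Provider Service. */
    public ServicesTypes.Info describeKms(String clusterId, String serviceId) {
        return kms.get(clusterId, serviceId);
    }

    /** Step 8: full details, including certificates, of one Attestation Service. */
    public com.vmware.vcenter.trusted_infrastructure.trusted_clusters.attestation.ServicesTypes.Info
            describeAttestation(String clusterId, String serviceId) {
        return attestation.get(clusterId, serviceId);
    }

    /** True when the given service identifier appears in the cluster's KMS list (assumes Summary.getService()). */
    public boolean kmsIsConfigured(String clusterId, String serviceId) {
        for (ServicesTypes.Summary s : listKms(clusterId)) {
            if (serviceId.equals(s.getService())) {
                return true;
            }
        }
        return false;
    }
}
```

The create_Task and delete_Task calls return only a task identifier; the configuration is not in effect on the Trusted ESXi hosts until that task completes, so a caller should check the task status before relying on kmsIsConfigured or on the certificates returned by the get methods.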