The vSphere Trust Authority services are packaged and installed as part of the base ESXi image.

Starting and Stopping vSphere Trust Authority Services

In the vSphere Client, you can start, stop, and restart the vSphere Trust Authority services that run on an ESXi host in the Trust Authority Cluster. Restart a service after a configuration change or if you suspect functional or performance problems. On an ESXi Trusted Host, the services are not managed from the vSphere Client; log in to the host itself to restart them. See Start, Stop, and Restart vSphere Trust Authority Services.

Upgrading and Patching vSphere Trust Authority

Each time you upgrade or patch an ESXi Trusted Host, you must update the vSphere Trust Authority Cluster with the new ESXi version information. One way to do so is to upgrade or patch a test ESXi host, export the ESXi base image information, import the image file to the Trust Authority Cluster, then upgrade or patch the ESXi Trusted Hosts.

Best Practices for Upgrading vSphere Trust Authority

Best practice for upgrading a vSphere Trust Authority infrastructure is to upgrade the Trust Authority vCenter Server and Trust Authority Hosts first. In this way, you get the most benefit from the latest vSphere Trust Authority features. However, you can perform separate, standalone upgrades of vCenter Server and ESXi hosts to fit specific business reasons.

In general, follow this order for upgrading your vSphere Trust Authority infrastructure:

  1. Upgrade the Trust Authority Cluster vCenter Server.
  2. Upgrade the Trust Authority Hosts.
  3. Upgrade the Trusted Cluster vCenter Server.
  4. Upgrade the Trusted Hosts.

To ensure a smooth process, upgrade your Trust Authority Hosts and Trusted Hosts gradually, one-by-one.

Upgrading vSphere Trust Authority with Quick Booted ESXi Trusted Hosts

Quick Boot is a setting that you can use with clusters that you manage with vSphere Lifecycle Manager images and vSphere Lifecycle Manager baselines. Using Quick Boot optimizes the ESXi host patching and upgrade operations.

When you upgrade an ESXi host using the Quick Boot optimization, the hypervisor restarts without going through the hardware boot path, so the TPM measurements recorded at the last full boot are not refreshed. Host attestation therefore continues to report the previously booted ESXi version in the root of trust measurement, even though the host is now running the new version.

Thus, when you upgrade an ESXi trusted host that is enabled for Quick Boot, and that is part of a vSphere Trust Authority deployment, pay attention to the following:

  1. Do not remove the ESXi base image version that you initially trusted from the Attestation Service until all the ESXi hosts have completed a full reboot after upgrade. (To force a full reboot rather than a Quick Boot, disable Quick Boot before rebooting the host.)
  2. If you have used Quick Boot for multiple upgrades, and want to remove an intermediate ESXi version that is no longer trustworthy, use the base-images API to confirm the ESXi version that you last attested.
  3. When you export the ESXi base image of an ESXi host enabled for Quick Boot, a message appears that the host was upgraded by Quick Boot. The resulting file contains the latest metadata of the ESXi base image.

If you upgrade a regular cluster's hosts using Quick Boot, then later add that cluster to vSphere Trust Authority, the hosts do not attest until you fully reboot them. The exported ESXi base image file of such a host contains only the latest metadata, whereas the host attests with the metadata measured at its last full boot. Because the base image metadata for that full boot was never imported to vSphere Trust Authority, attestation fails until a full reboot brings the measurements in line with the imported image.

To list the ESXi base images currently imported into the Trust Authority Cluster, and so confirm which versions the Attestation Service trusts, you can use the following PowerCLI commands.

# The Trust Authority Cluster object (the name used here is the page's example name)
$vTA = Get-TrustAuthorityCluster -Name trustedCluster
# Every ESXi base image imported for attestation
$bm = Get-TrustAuthorityVMHostBaseImage -TrustAuthorityCluster $vTA
# Show all properties, including the version string each image attests
$bm | Select-Object *

Troubleshooting vSphere Trust Authority Upgrade Problems

If you encounter an unsuccessful upgrade of a Trust Authority Host, follow these steps.

  1. Remove the Trust Authority Host from the Trusted Cluster.
  2. Revert to the previous version of ESXi.
  3. Re-add the Trust Authority Host to the cluster as described in the VMware knowledge base article at https://kb.vmware.com/s/article/77234.
  4. Verify that the Trust Authority Host's configuration is consistent with the other Trust Authority Hosts in the Trust Authority Cluster. See Check Trusted Cluster Health.

When you upgrade a Trusted Host to a new version of ESXi, attestation fails until you update the Trust Authority Cluster with the new ESXi base image information. This behavior is expected. Until you fix the problem, you can neither encrypt new virtual machines nor power on virtual machines that were encrypted before the upgrade, because the Key Provider Service releases keys only to attested hosts. Attestation error messages appear in the vSphere Client Recent Tasks pane and in the attestd.log, kmxa.log, and vpxd.log files.

To correct the problem, follow these steps.

  1. Run the Export-VMHostImageDb cmdlet to re-export the ESXi base images. See Step 5 in Collect Information About ESXi Hosts and vCenter Server to Be Trusted.
  2. Run the New-TrustAuthorityVMHostBaseImage cmdlet to reimport the new base image to the vCenter Server of the Trust Authority Cluster. See Step 8 in Import the Trusted Host Information to the Trust Authority Cluster.
  3. If you no longer must attest the older versions of ESXi (all the Trusted Hosts have been upgraded), run the Remove-TrustAuthorityVMHostBaseImage cmdlet to remove those versions. Pass only the superseded images: passing every image returned by Get-TrustAuthorityVMHostBaseImage also removes the image the upgraded hosts attest with. For example (the filter on the Version property is an illustration; substitute the build you need to keep):
    $vTA = Get-TrustAuthorityCluster 'vTA Cluster'
    # Keep the image the upgraded hosts now attest with; select only the older ones for removal
    $baseImages = Get-TrustAuthorityVMHostBaseImage -TrustAuthorityCluster $vTA |
        Where-Object { $_.Version -notlike '*<current-build-number>*' }
    Remove-TrustAuthorityVMHostBaseImage -VMHostBaseImage $baseImages
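The following PowerCLI script is an added example, not code from the VMware documentation. It carries the upgrade workflow above (export from an upgraded test host, import into the Trust Authority Cluster, remove superseded images) through end to end, and it also implements the check recommended for Quick Booted hosts: before anything is removed, it confirms that every build running in the Trusted Cluster has an imported base image and keeps the pre-upgrade build until all hosts have completed a full reboot. The vCenter Server and cluster names, the test host name, the pre-upgrade build number, and the assumption that the base image object's Version string ends with the ESXi build number reported by Get-VMHost are all assumptions made for the example.

```powershell
# Added example (not VMware's own code). Assumed names: both vCenter Servers, the
# test host, the cluster names, and the pre-upgrade build number below.
$trustedVC = Connect-VIServer -Server 'trusted-vc.example.com'   # Trusted Cluster vCenter
$taVC      = Connect-VIServer -Server 'ta-vc.example.com'        # Trust Authority Cluster vCenter

# An ESXi host that has already been upgraded or patched to the target version
$testHost   = Get-VMHost -Server $trustedVC -Name 'esxi-test-01.example.com'
$exportPath = Join-Path $env:TEMP "esxi-$($testHost.Build).tgz"

# 1. Export the base image database of the upgraded host. On a Quick Booted host the
#    cmdlet reports that the export carries the latest metadata, which is the metadata
#    the Trusted Hosts attest with only after their next full reboot.
Export-VMHostImageDb -VMHost $testHost -FilePath $exportPath

# 2. Import it into the Trust Authority Cluster so the new version can attest.
$vTA = Get-TrustAuthorityCluster -Server $taVC -Name 'vTA Cluster'
New-TrustAuthorityVMHostBaseImage -TrustAuthorityCluster $vTA -FilePath $exportPath

# 3. Decide which builds must stay trusted. Get-VMHost reports the running build; after a
#    Quick Boot upgrade that is not the build the host last attested with, so the
#    pre-upgrade build is kept until every host has fully rebooted.
$trustedHosts  = Get-Cluster -Server $trustedVC -Name 'Trusted Cluster' | Get-VMHost
$runningBuilds = @($trustedHosts.Build | Sort-Object -Unique)
$previousBuild = '17630552'    # build trusted before this cycle (assumed); drop after all full reboots
$keepBuilds    = $runningBuilds + $previousBuild

$images = @(Get-TrustAuthorityVMHostBaseImage -TrustAuthorityCluster $vTA)

# 4. Refuse to prune if any running build has no matching base image: those hosts would
#    fail attestation. Assumes Version ends with the build number, e.g. 7.0.3-0.0.19193900.
foreach ($b in $runningBuilds) {
    if (-not ($images | Where-Object { $_.Version -like "*$b" })) {
        throw "No trusted base image for ESXi build $b; import it before removing anything."
    }
}

# 5. Remove only images whose build is neither running nor the pre-upgrade fallback.
$stale = $images | Where-Object {
    $v = $_.Version
    -not ($keepBuilds | Where-Object { $v -like "*$_" })
}
if ($stale) {
    $stale | ForEach-Object { Write-Host "Removing superseded base image $($_.Version)" }
    Remove-TrustAuthorityVMHostBaseImage -VMHostBaseImage $stale
} else {
    Write-Host 'No superseded base images to remove.'
}
```

Run the script from a workstation that can reach both vCenter Servers; the two connections are kept apart with -Server because the export runs against the Trusted Cluster's vCenter and the import against the Trust Authority Cluster's. Once every Trusted Host has completed a full reboot, remove $previousBuild from $keepBuilds and run the pruning steps again.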

Backing Up the vSphere Trust Authority Configuration

Because most vSphere Trust Authority configuration information is stored on the ESXi hosts, the vCenter Server Backup does not back up this vSphere Trust Authority information. See Backing Up the vSphere Trust Authority Configuration.