TrustedInfrastructure APIs

TrustedInfrastructure APIs

The vcenter trusted_infrastructure package provides services that enable a Trusted Infrastructure. They are responsible for ensuring that infrastructure nodes are running trusted software and for releasing encryption keys only to trusted infrastructure nodes.

API Categories
Services

The Services service contains information about the registered instances of the Attestation Service in vCenter.

Tpm

The Tpm interface provides operations to get available Trusted Platform Module (TPM) information on a host.

EndorsementKeys

The EndorsementKeys interface provides operations to get the Trusted Platform Module (TPM) Endorsement Key (EK) on a host.

EventLog

The EventLog interface provides operations to get the Trusted Platform Module (TPM) event log on a host.

Services

The Services service contains information about the registered instances of the Key Provider Service in vCenter.

Principal

The Principal service contains information about the certificates which sign the tokens used by vCenter for authentication.

TrustAuthorityClusters

The TrustAuthorityClusters service manages all the Trust Authority Components on each Trust Authority Host in the cluster. The TrustAuthorityClusters service transforms a ClusterComputeResource into Trust Authority Cluster and vice versa.

BaseImages

The BaseImages service provides operations to manage trusted instances of ESX software on a cluster level.

ServiceStatus

The ServiceStatus service provides operations to get the Attestation Service health status.

CaCertificates

The CaCertificates service provides operations to manage Trusted Platform Module (TPM) CA certificates. Endorsement Keys are typically packaged in a certificate that is signed by a certificate authority (CA). This service allows the CA certificate to be registered with the Attestation Service in order to validate TPM EK certificates when presented at attestation time.

EndorsementKeys

The EndorsementKeys service provides operations to manage Trusted Platform Module (TPM) Endorsement Keys (EK) on a cluster level.

Settings

The Settings interface provides operations to get or update settings related to the TPM 2.0 attestation protocol behavior.

ConsumerPrincipals

The ConsumerPrincipals service configures the token policies and STS trust necessary for the workload vCenter to query the trusted services for their status.

Providers

The Providers interface provides operations to create, update and delete Key Providers that handoff to key servers.

ClientCertificate

The ClientCertificate interface provides operations to add and retrieve client certificate.

Csr

The Csr interface provides operations to create a certificate signing request(CSR).

Credential

The Credential interface provides operations to add a credential for external key management service(s).

CurrentPeerCertificates

Retrieves the list of TLS certificates used by peer key servers. Those are meant for review. Following approval these certificates should be added as trusted certificates in the TrustedPeerCertificates service

TrustedPeerCertificates

Provides management operations for the TLS certificates trusted for communication with peer key servers. To obtain the currently used TLS certificates use the CurrentPeerCertificates service

ServiceStatus

The ServiceStatus service provides operations to get the Key Provider Service health status.

Attestation

The Attestation service contains information necessary to connect to the hosts running Attestation Service.

Kms

The Kms service contains information necessary to connect to the hosts running Key Provider Service.

Services

The Services service manages the Attestation Service instances a Trusted Cluster is configured to use.

ServicesAppliedConfig

The ServicesAppliedConfig service provides information about the aggregate health of the applied Attestation Service configuration on the Trusted Clusters. The desired state of the Attestation Service is stored within vCenter, while the applied configuration is stored on the hosts in the cluster. The ServicesAppliedConfig service is available for all clusters, not only Trusted Clusters. In such cases empty desired state is assumed, e.g. when an applied Attestation Service configuration is found outside of a Trusted Cluster it is considered an ERROR. The ServicesAppliedConfig service is able to put the applied Attestation Service configuration into a consistent state when individual host configurations have diverged from the desired state.

Services

The Services service manages the Key Provider Service instances a Trusted Cluster is configured to use.

ServicesAppliedConfig

The ServicesAppliedConfig service provides information about the aggregate health of the applied Key Provider Service configuration on the Trusted Clusters. The desired state of the Key Provider Service is stored within vCenter, while the applied configuration is stored on the hosts in the cluster. The ServicesAppliedConfig service is available for all clusters, not only Trusted Clusters. In such cases empty desired state is assumed, e.g. when an applied Key Provider Service configuration is found outside of a Trusted Cluster it is considered an ERROR. The ServicesAppliedConfig service is able to put the applied Key Provider Service configuration into a consistent state when individual host configurations have diverged from the desired state.

ServicesAppliedConfig

The ServicesAppliedConfig service provides information about the aggregate health of the applied Trust Authority Component configurations on the Trusted Clusters. The desired state of the Trust Authority Component configurations is stored within vCenter, while the applied configuration is stored on the hosts in the cluster and is a copy of the desired state. The ServicesAppliedConfig service is available for all clusters, not only Trusted Clusters. When an applied Trust Authority Component configuration is found outside of a Trusted Cluster it is considered an ERROR. The ServicesAppliedConfig service is able to make the applied Trust Authority Component configuration consistent with the desired state when individual host configurations have diverged from the desired state.