Trusted Infrastructure APIs
The vcenter trusted_infrastructure package provides services that enable a Trusted Infrastructure. They are responsible for ensuring that infrastructure nodes are running trusted software and for releasing encryption keys only to trusted infrastructure nodes.
The Principal service contains information about the certificates which sign the tokens used by vCenter for authentication.
The TrustAuthorityClusters service manages all the Trust Authority Components on each Trust Authority Host in the cluster. The TrustAuthorityClusters service transforms a ClusterComputeResource into Trust Authority Cluster and vice versa.
The Services service contains information about the registered instances of the Attestation Service in vCenter.
The Services service contains information about the registered instances of the Key Provider Service in vCenter.
The ConsumerPrincipals service configures the token policies and STS trust necessary for the workload vCenter to query the trusted services for their status.
The ServiceStatus service provides operations to get the Attestation Service health status.
The BaseImages service provides operations to manage trusted instances of ESX software on a cluster level.
The CaCertificates service provides operations to manage Trusted Platform Module (TPM) CA certificates. Endorsement Keys are typically packaged in a certificate that is signed by a certificate authority (CA). This service allows the CA certificate to be registered with the Attestation Service in order to validate TPM EK certificates when presented at attestation time.
The EndorsementKeys service provides operations to manage Trusted Platform Module (TPM) Endorsement Keys (EK) on a cluster level.
The Settings interface provides operations to get or update settings related to the TPM 2.0 attestation protocol behavior.
The Providers interface provides operations to create, update and delete Key Providers that handoff to key servers.
The ServiceStatus service provides operations to get the Key Provider Service health status.
The ClientCertificate interface provides operations to add and retrieve client certificate.
The Credential interface provides operations to add a credential for external key management service(s).
Retrieves the list of TLS certificates used by peer key servers. Those are meant for review. Following approval these certificates should be added as trusted certificates in the TrustedPeerCertificates service
Provides management operations for the TLS certificates trusted for communication with peer key servers. To obtain the currently used TLS certificates use the CurrentPeerCertificates service
The Csr interface provides operations to create a certificate signing request(CSR).
The Attestation service contains information necessary to connect to the hosts running Attestation Service.
The Kms service contains information necessary to connect to the hosts running Key Provider Service.
The ServicesAppliedConfig service provides information about the aggregate health of the applied Trust Authority Component configurations on the Trusted Clusters. The desired state of the Trust Authority Component configurations is stored within vCenter, while the applied configuration is stored on the hosts in the cluster and is a copy of the desired state. The ServicesAppliedConfig service is available for all clusters, not only Trusted Clusters. When an applied Trust Authority Component configuration is found outside of a Trusted Cluster it is considered an ERROR. The ServicesAppliedConfig service is able to make the applied Trust Authority Component configuration consistent with the desired state when individual host configurations have diverged from the desired state.
The Services service manages the Attestation Service instances a Trusted Cluster is configured to use.
The ServicesAppliedConfig service provides information about the aggregate health of the applied Attestation Service configuration on the Trusted Clusters. The desired state of the Attestation Service is stored within vCenter, while the applied configuration is stored on the hosts in the cluster. The ServicesAppliedConfig service is available for all clusters, not only Trusted Clusters. In such cases empty desired state is assumed, e.g. when an applied Attestation Service configuration is found outside of a Trusted Cluster it is considered an ERROR. The ServicesAppliedConfig service is able to put the applied Attestation Service configuration into a consistent state when individual host configurations have diverged from the desired state.
The Services service manages the Key Provider Service instances a Trusted Cluster is configured to use.
The ServicesAppliedConfig service provides information about the aggregate health of the applied Key Provider Service configuration on the Trusted Clusters. The desired state of the Key Provider Service is stored within vCenter, while the applied configuration is stored on the hosts in the cluster. The ServicesAppliedConfig service is available for all clusters, not only Trusted Clusters. In such cases empty desired state is assumed, e.g. when an applied Key Provider Service configuration is found outside of a Trusted Cluster it is considered an ERROR. The ServicesAppliedConfig service is able to put the applied Key Provider Service configuration into a consistent state when individual host configurations have diverged from the desired state.