After you have imported the vSphere Trust Authority Cluster information to the Trusted Cluster, the Trusted Hosts start the attestation process with the Trust Authority Cluster.

Prerequisites

Procedure

  1. Ensure that you are connected as the Trust Authority administrator to the vCenter Server of the Trusted Cluster.
    For example, you can enter $global:defaultviservers to show all the connected servers.
  2. (Optional) If necessary, you can run the following commands to ensure that you are connected to the vCenter Server of the Trusted Cluster.
    Disconnect-VIServer -server * -Confirm:$false
    Connect-VIServer -server TrustedCluster_VC_ip_address -User trust_admin_user -Password 'password'
    Note: Alternatively, you can start another PowerCLI session to connect to the vCenter Server of the Trusted Cluster.
  3. Verify that the state of the Trusted Cluster is disabled.
    Get-TrustedCluster
    The State is shown as Disabled.
  4. Assign the Get-TrustedCluster information to a variable.
    For example, this command assigns information for the cluster Trusted Cluster to the variable $TC.
    $TC = Get-TrustedCluster -Name 'Trusted Cluster'
  5. Verify the value of the variable by echoing it.
    For example:
    $TC
    The Get-TrustedCluster information is displayed.
  6. To import the Trust Authority Cluster information to the vCenter Server, run the Import-TrustAuthorityServicesInfo cmdlet.
    For example, this command imports the service information from the clsettings.json file previously exported in Export the Trust Authority Cluster Information.
    Import-TrustAuthorityServicesInfo -FilePath C:\vta\clsettings.json
    The system responds with a confirmation prompt.
    Confirmation
    Importing the TrustAuthorityServicesInfo into Server 'ip_address'. Do you want to proceed?
    
    [Y] Yes  [A] Yes to All  [N] No  [L] No to All  [S] Suspend  [?] Help (default is "Y"):
  7. At the confirmation prompt, press Enter. (The default is Y.)
    The service information for the hosts in the Trust Authority Cluster is displayed.
  8. To enable the Trusted Cluster, run the Set-TrustedCluster cmdlet.
    For example:
    Set-TrustedCluster -TrustedCluster $TC -State Enabled
    The system responds with a confirmation prompt.
    Confirmation
    Setting TrustedCluster 'cluster' with new TrustedState 'Enabled'. Do you want to proceed?
    [Y] Yes  [A] Yes to All  [N] No  [L] No to All  [S] Suspend  [?] Help (default is "Y"):
    If the Trusted Cluster is not in a healthy state, the following warning message is displayed before the confirmation message:
    WARNING: The TrustedCluster 'cluster' is not healthy in its TrustedClusterAppliedStatus. This cmdlet will automatically remediate the TrustedCluster.
  9. At the confirmation prompt, press Enter. (The default is Y.)
    The Trusted Cluster is enabled.
    Note: You can also enable the Trusted Cluster by enabling the Attestation Service and the Key Provider Service individually. Use the Add-TrustedClusterAttestationServiceInfo and Add-TrustedClusterKeyProviderServiceInfo commands. For example, the following commands enable the services one at a time for the cluster Trusted Cluster that has two Key Provider Services and two Attestation Services.
    Add-TrustedClusterAttestationServiceInfo -TrustedCluster 'Trusted Cluster' -AttestationServiceInfo (Get-AttestationServiceInfo | Select-Object -index 0,1)
    Add-TrustedClusterKeyProviderServiceInfo  -TrustedCluster 'Trusted Cluster' -KeyProviderServiceInfo (Get-KeyProviderServiceInfo | Select-Object -index 0,1)
  10. Verify that the Attestation Service and the Key Provider Service are configured in the Trusted Cluster.
    1. Assign the Get-TrustedCluster information to a variable.
      For example, this command assigns information for the cluster Trusted Cluster to the variable $TC.
      $TC = Get-TrustedCluster -Name 'Trusted Cluster'
    2. Verify that the Attestation Service is configured.
      $tc.AttestationServiceInfo
      The Attestation Service information is displayed.
    3. Verify that the Key Provider Service is configured.
      $tc.KeyProviderServiceInfo
      The Key Provider Service information is displayed.

Results

The ESXi Trusted Hosts in the Trusted Cluster begin the attestation process with the Trust Authority Cluster.

Example: Import the Trust Authority Cluster Information to the Trusted Hosts

This example shows how to import the Trust Authority Cluster service information to the Trusted Cluster. The following table shows the example components and values that are used.

Table 1. Example vSphere Trust Authority Setup
Component Value
vCenter Server of the Trusted Cluster 192.168.110.22
Trust Authority administrator trustedadmin@vsphere.local
Trusted Cluster name Trusted Cluster
ESXi hosts in the Trust Authority Cluster 192.168.210.51 and 192.168.210.52
Variable $TC Get-TrustedCluster -Name 'Trusted Cluster'
PS C:\Users\Administrator.CORP> Disconnect-VIServer -server * -Confirm:$false
PS C:\Users\Administrator.CORP> Connect-VIServer -server 192.168.110.22 -User trustedadmin@vsphere.local -Password 'VMware1!'

Name                           Port  User
----                           ----  ----
192.168.110.22                 443   VSPHERE.LOCAL\trustedadmin

PS C:\Users\Administrator.CORP> Get-TrustedCluster

Name                  State             Id
----                  -----             --
Trusted Cluster       Disabled          TrustedCluster-domain-c8

PS C:\Users\Administrator.CORP> $TC = Get-TrustedCluster -Name 'Trusted Cluster'
PS C:\Users\Administrator.CORP> $TC

Name                  State             Id
----                  -----             --
Trusted Cluster       Disabled          TrustedCluster-domain-c8

PS C:\Users\Administrator.CORP> Import-TrustAuthorityServicesInfo -FilePath C:\vta\clsettings.json

Confirmation
Importing the TrustAuthorityServicesInfo into Server '192.168.110.22'. Do you want to proceed?
[Y] Yes  [A] Yes to All  [N] No  [L] No to All  [S] Suspend  [?] Help (default is "Y"): y

ServiceAddress                 ServicePort          ServiceGroup
--------------                 -----------          ------------
192.168.210.51                 443                  host-13:86f7ab6c-ad6f-4606-...
192.168.210.52                 443                  host-16:86f7ab6c-ad6f-4606-...
192.168.210.51                 443                  host-13:86f7ab6c-ad6f-4606-...
192.168.210.52                 443                  host-16:86f7ab6c-ad6f-4606-...

PS C:\Users\Administrator.CORP> Set-TrustedCluster -TrustedCluster $TC -State Enabled

Confirmation
Setting TrustedCluster 'Trusted Cluster' with new TrustedState 'Enabled'. Do you want to proceed?
[Y] Yes  [A] Yes to All  [N] No  [L] No to All  [S] Suspend  [?] Help (default is "Y"):

Name                  State             Id
----                  -----             --
Trusted Cluster       Enabled           TrustedCluster-domain-c8

PS C:\Users\Administrator.CORP> $TC = Get-TrustedCluster -Name 'Trusted Cluster'
PS C:\Users\Administrator.CORP> $tc.AttestationServiceInfo

ServiceAddress                 ServicePort          ServiceGroup
--------------                 -----------          ------------
192.168.210.51                 443                  host-13:dc825986-73d2-463c-...
192.168.210.52                 443                  host-16:dc825986-73d2-463c-...

PS C:\Users\Administrator.CORP> $tc.KeyProviderServiceInfo

ServiceAddress                 ServicePort          ServiceGroup
--------------                 -----------          ------------
192.168.210.51                 443                  host-13:dc825986-73d2-463c-...
192.168.210.52                 443                  host-16:dc825986-73d2-463c-...

What to do next

Continue with Configure the Trusted Key Provider for Trusted Hosts Using the vSphere Client or Configure the Trusted Key Provider for Trusted Hosts Using the Command Line.