To establish trust, the vSphere Trust Authority Cluster requires information about the Trusted Cluster's ESXi hosts and vCenter Server. You export this information as files for importing into the Trust Authority Cluster. You must ensure to keep these files confidential and transport them securely.
You use vSphere Trust Authority PowerCLI cmdlets to export the following information as files from the ESXi hosts in the Trusted Cluster for the Trust Authority Cluster to know what software and hardware to trust.
- ESXi version
- TPM manufacturer (CA certificate)
- (Optional) Individual TPM (EK certificate)
If you have hosts of the same type and vendor, and manufactured during the same timeframe and location, you might be able to trust all TPMs by obtaining the CA certificate of only one of the TPMs. To trust an individual TPM, you obtain the EK certificate of the TPM.
You must also obtain the principal information from the Trusted Cluster's vCenter Server. The principal information contains the vpxd solution user and its certificate chain. The principal information enables the Trusted Cluster's vCenter Server to discover the available trusted key providers configured on the Trust Authority Cluster.
To configure vSphere Trust Authority initially, you must collect the ESXi version and TPM information. Also, you must collect the ESXi version each time after you deploy a new version of ESXi, including when you upgrade or apply a patch.
You collect the vCenter Server principal information only one time per vCenter Server system.
Prerequisites
- Identify the ESXi versions and TPM hardware types that are in the Trusted Cluster, and whether you want to trust all TPM hardware types, only certain ones, or individual hosts.
- On the machine from which you run the PowerCLI cmdlets, create a local folder in which to save the information you export as files.
- Enable the Trust Authority Administrator.
- Enable the Trust Authority State.
Procedure
Results
The following files are created:
- TPM CA certificate file (.zip file extension)
- ESXi image file (.tgz file extension)
- vCenter Server principal file (.json file extension)
Example: Collecting Information About ESXi Hosts and vCenter Server to Be Trusted
This example shows how to use PowerCLI to export the ESXi host information and the vCenter Server Principal. The following table shows the example components and values that are used.
Component | Value |
---|---|
ESXi host in Trusted Cluster | 192.168.110.51 |
vCenter Server for Trusted Cluster | 192.168.110.22 |
Variable $vmhost |
Get-VMHost |
Variable $tpm2 |
Get-Tpm2EndorsementKey -VMHost $vmhost |
Trust Authority administrator | trustedadmin@vsphere.local |
Local directory to contain output files | C:\vta |
PS C:\Users\Administrator.CORP> Connect-VIServer -server 192.168.110.51 -User root -Password 'VMware1!' Name Port User ---- ---- ---- 192.168.110.51 443 root PS C:\Users\Administrator.CORP> Get-VMHost Name ConnectionState PowerState NumCpu CpuUsageMhz CpuTotalMhz MemoryUsageGB MemoryTotalGB Version ---- --------------- ---------- ------ ----------- ----------- ------------- ------------- ------- 192.168.110.51 Connected PoweredOn 4 200 9576 1.614 7.999 7.0.0 PS C:\Users\Administrator.CORP> $vmhost = Get-VMHost PS C:\Users\Administrator.CORP> $tpm2 = Get-Tpm2EndorsementKey -VMHost $vmhost PS C:\> Export-Tpm2CACertificate -Tpm2EndorsementKey $tpm2 -FilePath C:\vta\cacert.zip Mode LastWriteTime Length Name ---- ------------- ------ ---- -a---- 10/8/2019 6:55 PM 1004 cacert.zip PS C:\Users\Administrator.CORP> Export-VMHostImageDb -VMHost $vmhost -FilePath C:\vta\image.tgz Mode LastWriteTime Length Name ---- ------------- ------ ---- -a---- 10/8/2019 11:02 PM 2391 image.tgz PS C:\Users\Administrator.CORP> Disconnect-VIServer -server * -Confirm:$false PS C:\Users\Administrator.CORP> Connect-VIServer -server 192.168.110.22 -User trustedadmin@vsphere.local -Password 'VMware1!' Name Port User ---- ---- ---- 192.168.110.22 443 VSPHERE.LOCAL\trustedadmin PS C:\Users\Administrator.CORP> Export-TrustedPrincipal -FilePath C:\vta\principal.json Mode LastWriteTime Length Name ---- ------------- ------ ---- -a---- 10/8/2019 11:14 PM 1873 principal.json
What to do next
Continue with Import the Trusted Host Information to the Trust Authority Cluster.