com.vmware.vcenter.trusted_infrastructure.trust_authority_clusters.attestation package

Submodules

com.vmware.vcenter.trusted_infrastructure.trust_authority_clusters.attestation.tpm2_client module

The com.vmware.vcenter.trusted_infrastructure.trust_authority_clusters.attestation.tpm2_client module provides classes to manage remote attestation configuration for TPM trust.

class com.vmware.vcenter.trusted_infrastructure.trust_authority_clusters.attestation.tpm2_client.CaCertificates(config)

Bases: vmware.vapi.bindings.stub.VapiInterface

The CaCertificates class provides methods to manage Trusted Platform Module (TPM) CA certificates.

Endorsement Keys are typically packaged in a certificate that is signed by a certificate authority (CA). This class allows the CA certificate to be registered with the Attestation Service in order to validate TPM EK certificates when presented at attestation time.. This class was added in vSphere API 7.0.0.

Parameters

config (vmware.vapi.bindings.stub.StubConfiguration) – Configuration to be used for creating the stub.

class CreateSpec(name=None, cert_chain=None)

Bases: vmware.vapi.bindings.struct.VapiStruct

The CaCertificates.CreateSpec class contains information that describes a TPM CA certificate. This class was added in vSphere API 7.0.0.

Tip

The arguments are used to initialize data attributes with the same names.

Parameters
  • name (str) – A unique name for the TPM CA certificate. This attribute was added in vSphere API 7.0.0. When clients pass a value of this class as a parameter, the attribute must be an identifier for the resource type: com.vmware.vcenter.trusted_infrastructure.trust_authority_clusters.attestation.tpm2.CaCertificate. When methods return a value of this class as a return value, the attribute will be an identifier for the resource type: com.vmware.vcenter.trusted_infrastructure.trust_authority_clusters.attestation.tpm2.CaCertificate.

  • cert_chain (com.vmware.vcenter.trusted_infrastructure_client.X509CertChain or None) –

    The CA certificate chain.

    Certificates may either be added one at a time, or as a chain. Adding the certificates as a chain allows the group to be managed as a whole. For example, an entire chain can be deleted in one CaCertificates.delete() operation.

    When certificates are added one at a time, the order must be root first, followed by any intermediates. The intermediates certificates must also be ordered in the direction from root to leaf.

    Similarly, when added as a chain the list must be ordered in the direction from root to leaf.. This attribute was added in vSphere API 7.0.0. If None creation will fail.

class Health(string)

Bases: vmware.vapi.bindings.enum.Enum

The CaCertificates.Health class is indicator for the consistency of the hosts status in the cluster. This enumeration was added in vSphere API 7.0.0.

Note

This class represents an enumerated type in the interface language definition. The class contains class attributes which represent the values in the current version of the enumerated type. Newer versions of the enumerated type may contain new values. To use new values of the enumerated type in communication with a server that supports the newer version of the API, you instantiate this class. See enumerated type description page.

Parameters

string (str) – String value for the Health instance.

ERROR = Health(string='ERROR')

Not all hosts in the cluster are in consistent state. This class attribute was added in vSphere API 7.0.0.

NONE = Health(string='NONE')

No status available. This class attribute was added in vSphere API 7.0.0.

OK = Health(string='OK')

Each host in the cluster is in consistent state with the rest hosts in the cluster. This class attribute was added in vSphere API 7.0.0.

WARNING = Health(string='WARNING')

Attestation is funtioning, however there is an issue that requires attention. This class attribute was added in vSphere API 7.0.0.

class Info(cert_chain=None, health=None, details=None)

Bases: vmware.vapi.bindings.struct.VapiStruct

The CaCertificates.Info class contains information that describes a TPM CA certificate. This class was added in vSphere API 7.0.0.

Tip

The arguments are used to initialize data attributes with the same names.

Parameters
RESOURCE_TYPE = 'com.vmware.vcenter.trusted_infrastructure.trust_authority_clusters.attestation.tpm2.CaCertificate'

Resource type for TPM 2.0 CA certificates. This class attribute was added in vSphere API 7.0.0.

class Summary(name=None, health=None)

Bases: vmware.vapi.bindings.struct.VapiStruct

The CaCertificates.Summary class contains information that summarizes a TPM CA certificate. This class was added in vSphere API 7.0.0.

Tip

The arguments are used to initialize data attributes with the same names.

Parameters
  • name (str) – A unique name for the TPM CA certificate. This attribute was added in vSphere API 7.0.0. When clients pass a value of this class as a parameter, the attribute must be an identifier for the resource type: com.vmware.vcenter.trusted_infrastructure.trust_authority_clusters.attestation.tpm2.CaCertificate. When methods return a value of this class as a return value, the attribute will be an identifier for the resource type: com.vmware.vcenter.trusted_infrastructure.trust_authority_clusters.attestation.tpm2.CaCertificate.

  • health (CaCertificates.Health) – A health indicator which indicates whether each host in the cluster has the same CA certs. This attribute was added in vSphere API 7.0.0.

create_task(cluster, spec)

Add a new TPM CA certificate on a cluster. This method was added in vSphere API 7.0.0.

Parameters
  • cluster (str) – The id of the cluster on which the operation will be executed. The parameter must be an identifier for the resource type: ClusterComputeResource.

  • spec (CaCertificates.CreateSpec) – The new CA certificate details.

Raise

com.vmware.vapi.std.errors_client.AlreadyExists if the certificate name exists.

Raise

com.vmware.vapi.std.errors_client.Error if there is a generic error.

Raise

com.vmware.vapi.std.errors_client.InvalidArgument if the configuration is invalid or the cluster id is empty.

Raise

com.vmware.vapi.std.errors_client.NotFound if cluster doesn’t match to any cluster in the vCenter.

Raise

com.vmware.vapi.std.errors_client.Unauthenticated if the caller is not authenticated.

delete_task(cluster, name)

Remove a TPM CA certificate on a cluster. This method was added in vSphere API 7.0.0.

Parameters
  • cluster (str) – The id of the cluster on which the operation will be executed. The parameter must be an identifier for the resource type: ClusterComputeResource.

  • name (str) – The CA certificate name. The parameter must be an identifier for the resource type: com.vmware.vcenter.trusted_infrastructure.trust_authority_clusters.attestation.tpm2.CaCertificate.

Raise

com.vmware.vapi.std.errors_client.Error if there is a generic error.

Raise

com.vmware.vapi.std.errors_client.InvalidArgument if the name is invalid or cluster id is empty.

Raise

com.vmware.vapi.std.errors_client.NotFound if the cluster doesn’t match to any cluster in the vCenter or given name is not found.

Raise

com.vmware.vapi.std.errors_client.Unauthenticated if the caller is not authenticated.

get_task(cluster, name)

Get the TPM CA certificate details on a cluster. This method was added in vSphere API 7.0.0.

Parameters
  • cluster (str) – The id of the cluster on which the operation will be executed. The parameter must be an identifier for the resource type: ClusterComputeResource.

  • name (str) – The CA certificate name. The parameter must be an identifier for the resource type: com.vmware.vcenter.trusted_infrastructure.trust_authority_clusters.attestation.tpm2.CaCertificate.

Return type

class

vmware.vapi.stdlib.client.task.Task

Returns

Task instance

Raise

com.vmware.vapi.std.errors_client.Error if there is a generic error.

Raise

com.vmware.vapi.std.errors_client.InvalidArgument if the name is invalid or cluster id is empty.

Raise

com.vmware.vapi.std.errors_client.NotFound if the CA certificate is not found or cluster doesn’t match to any cluster in the vCenter.

Raise

com.vmware.vapi.std.errors_client.Unauthenticated if the caller is not authenticated.

list_task(cluster)

Return a list of configured TPM CA certificates on a cluster. This method was added in vSphere API 7.0.0.

Parameters

cluster (str) – The id of the cluster on which the operation will be executed. The parameter must be an identifier for the resource type: ClusterComputeResource.

Return type

class

vmware.vapi.stdlib.client.task.Task

Returns

Task instance

Raise

com.vmware.vapi.std.errors_client.Error if there is a generic error.

Raise

com.vmware.vapi.std.errors_client.InvalidArgument if cluster id is empty.

Raise

com.vmware.vapi.std.errors_client.NotFound if the cluster doesn’t match to any cluster in the vCenter or given name is not found.

Raise

com.vmware.vapi.std.errors_client.Unauthenticated if the caller is not authenticated.

class com.vmware.vcenter.trusted_infrastructure.trust_authority_clusters.attestation.tpm2_client.EndorsementKeys(config)

Bases: vmware.vapi.bindings.stub.VapiInterface

The EndorsementKeys class provides methods to manage Trusted Platform Module (TPM) Endorsement Keys (EK) on a cluster level. This class was added in vSphere API 7.0.0.

Parameters

config (vmware.vapi.bindings.stub.StubConfiguration) – Configuration to be used for creating the stub.

class CreateSpec(name=None, public_key=None, certificate=None)

Bases: vmware.vapi.bindings.struct.VapiStruct

The EndorsementKeys.CreateSpec class contains information that describes a TPM endorsement key.

Only one of EndorsementKeys.CreateSpec.public_key or EndorsementKeys.CreateSpec.certificate must be specified.. This class was added in vSphere API 7.0.0.

Tip

The arguments are used to initialize data attributes with the same names.

Parameters
  • name (str) –

    A unique name for the TPM endorsement key.

    The unique name should be something that an administrator can use to easily identify the remote system. For example, the hostname, or hardware UUID.. This attribute was added in vSphere API 7.0.0. When clients pass a value of this class as a parameter, the attribute must be an identifier for the resource type: com.vmware.vcenter.trusted_infrastructure.trust_authority_clusters.attestation.tpm2.EndorsementKey. When methods return a value of this class as a return value, the attribute will be an identifier for the resource type: com.vmware.vcenter.trusted_infrastructure.trust_authority_clusters.attestation.tpm2.EndorsementKey.

  • public_key (str or None) – TPM public endorsement key in PEM format. This attribute was added in vSphere API 7.0.0. If None EndorsementKeys.CreateSpec.certificate must be set.

  • certificate (str or None) –

    TPM endorsement key certificate in PEM format.

    When a endorsement key certificate is provided, it will be verified against the CA certificate list. Endorsement key certificates that are not signed by one of the CA certificates will be rejected.

    Using this format allows for failures to be caught during configuration rather than later during attestation.. This attribute was added in vSphere API 7.0.0. If None EndorsementKeys.CreateSpec.public_key must be set.

class Health(string)

Bases: vmware.vapi.bindings.enum.Enum

The EndorsementKeys.Health class is indicator for the consistency of the hosts status in the cluster. This enumeration was added in vSphere API 7.0.0.

Note

This class represents an enumerated type in the interface language definition. The class contains class attributes which represent the values in the current version of the enumerated type. Newer versions of the enumerated type may contain new values. To use new values of the enumerated type in communication with a server that supports the newer version of the API, you instantiate this class. See enumerated type description page.

Parameters

string (str) – String value for the Health instance.

ERROR = Health(string='ERROR')

Not all hosts in the cluster are in consistent state. This class attribute was added in vSphere API 7.0.0.

NONE = Health(string='NONE')

No status available. This class attribute was added in vSphere API 7.0.0.

OK = Health(string='OK')

Each host in the cluster is in consistent state with the rest hosts in the cluster. This class attribute was added in vSphere API 7.0.0.

WARNING = Health(string='WARNING')

Attestation is functioning, however there is an issue that requires attention. This class attribute was added in vSphere API 7.0.0.

class Info(public_key=None, health=None, details=None)

Bases: vmware.vapi.bindings.struct.VapiStruct

The EndorsementKeys.Info class contains information that describes a TPM endorsement key. This class was added in vSphere API 7.0.0.

Tip

The arguments are used to initialize data attributes with the same names.

Parameters
  • public_key (str) – TPM public endorsement key in PEM format. This attribute was added in vSphere API 7.0.0.

  • health (EndorsementKeys.Health) – A health indicator which indicates whether each host in the cluster has the same endorsement key. This attribute was added in vSphere API 7.0.0.

  • details (list of com.vmware.vapi.std_client.LocalizableMessage) –

    Details regarding the health.

    When the EndorsementKeys.Health is not EndorsementKeys.Health.OK or EndorsementKeys.Health.NONE, this member will provide an actionable description of the issues present.. This attribute was added in vSphere API 7.0.0.

RESOURCE_TYPE = 'com.vmware.vcenter.trusted_infrastructure.trust_authority_clusters.attestation.tpm2.EndorsementKey'

Resource type for TPM 2.0 endorsement keys. This class attribute was added in vSphere API 7.0.0.

class Summary(name=None, health=None)

Bases: vmware.vapi.bindings.struct.VapiStruct

The EndorsementKeys.Summary class contains information that summarizes a TPM endorsement key. This class was added in vSphere API 7.0.0.

Tip

The arguments are used to initialize data attributes with the same names.

Parameters
  • name (str) – A unique name for the TPM endorsement key. This attribute was added in vSphere API 7.0.0. When clients pass a value of this class as a parameter, the attribute must be an identifier for the resource type: com.vmware.vcenter.trusted_infrastructure.trust_authority_clusters.attestation.tpm2.EndorsementKey. When methods return a value of this class as a return value, the attribute will be an identifier for the resource type: com.vmware.vcenter.trusted_infrastructure.trust_authority_clusters.attestation.tpm2.EndorsementKey.

  • health (EndorsementKeys.Health) – A health indicator which indicates whether each host in the cluster has the same endorsement key. This attribute was added in vSphere API 7.0.0.

create_task(cluster, spec)

Add a new TPM endorsement key on a cluster. This method was added in vSphere API 7.0.0.

Parameters
  • cluster (str) – The id of the cluster on which the operation will be executed. The parameter must be an identifier for the resource type: ClusterComputeResource.

  • spec (EndorsementKeys.CreateSpec) – The configuration.

Raise

com.vmware.vapi.std.errors_client.AlreadyExists if the endorsement key name exists.

Raise

com.vmware.vapi.std.errors_client.Error if there is a generic error.

Raise

com.vmware.vapi.std.errors_client.InvalidArgument if the configuration is invalid or cluster id is empty.

Raise

com.vmware.vapi.std.errors_client.NotFound if cluster doesn’t match to any cluster in the vCenter.

Raise

com.vmware.vapi.std.errors_client.Unauthenticated if the caller is not authenticated.

delete_task(cluster, name)

Remove a TPM endorsement key on a cluster. This method was added in vSphere API 7.0.0.

Parameters
  • cluster (str) – The id of the cluster on which the operation will be executed. The parameter must be an identifier for the resource type: ClusterComputeResource.

  • name (str) – The endorsement key name. The parameter must be an identifier for the resource type: com.vmware.vcenter.trusted_infrastructure.trust_authority_clusters.attestation.tpm2.EndorsementKey.

Raise

com.vmware.vapi.std.errors_client.Error if there is a generic error.

Raise

com.vmware.vapi.std.errors_client.InvalidArgument if the name is invalid or cluster id is empty.

Raise

com.vmware.vapi.std.errors_client.NotFound if the name is not found or cluster doesn’t match to any cluster in the vCenter.

Raise

com.vmware.vapi.std.errors_client.Unauthenticated if the caller is not authenticated.

get_task(cluster, name)

Get the TPM endorsement key details on a cluster. This method was added in vSphere API 7.0.0.

Parameters
  • cluster (str) – The id of the cluster on which the operation will be executed. The parameter must be an identifier for the resource type: ClusterComputeResource.

  • name (str) – The endorsement key name. The parameter must be an identifier for the resource type: com.vmware.vcenter.trusted_infrastructure.trust_authority_clusters.attestation.tpm2.EndorsementKey.

Return type

class

vmware.vapi.stdlib.client.task.Task

Returns

Task instance

Raise

com.vmware.vapi.std.errors_client.Error if there is a generic error.

Raise

com.vmware.vapi.std.errors_client.InvalidArgument if the name is invalid or cluster id is empty.

Raise

com.vmware.vapi.std.errors_client.NotFound if the endorsement key is not found or cluster doesn’t match to any cluster in the vCenter.

Raise

com.vmware.vapi.std.errors_client.Unauthenticated if the caller is not authenticated.

list_task(cluster)

Return a list of configured TPM endorsement keys in a cluster. This method was added in vSphere API 7.0.0.

Parameters

cluster (str) – The id of the cluster on which the operation will be executed. The parameter must be an identifier for the resource type: ClusterComputeResource.

Return type

class

vmware.vapi.stdlib.client.task.Task

Returns

Task instance

Raise

com.vmware.vapi.std.errors_client.Error if there is a generic error.

Raise

com.vmware.vapi.std.errors_client.InvalidArgument if the cluster id is empty.

Raise

com.vmware.vapi.std.errors_client.NotFound if the cluster is not found.

Raise

com.vmware.vapi.std.errors_client.Unauthenticated if the caller is not authenticated.

class com.vmware.vcenter.trusted_infrastructure.trust_authority_clusters.attestation.tpm2_client.Settings(config)

Bases: vmware.vapi.bindings.stub.VapiInterface

The Settings interface provides methods to get or update settings related to the TPM 2.0 attestation protocol behavior. This class was added in vSphere API 7.0.0.

Parameters

config (vmware.vapi.bindings.stub.StubConfiguration) – Configuration to be used for creating the stub.

class Health(string)

Bases: vmware.vapi.bindings.enum.Enum

The Settings.Health class is indicator for the consistency of the hosts status in the cluster. This enumeration was added in vSphere API 7.0.0.

Note

This class represents an enumerated type in the interface language definition. The class contains class attributes which represent the values in the current version of the enumerated type. Newer versions of the enumerated type may contain new values. To use new values of the enumerated type in communication with a server that supports the newer version of the API, you instantiate this class. See enumerated type description page.

Parameters

string (str) – String value for the Health instance.

ERROR = Health(string='ERROR')

Not all hosts in the cluster are in consistent state. This class attribute was added in vSphere API 7.0.0.

NONE = Health(string='NONE')

No status available. This class attribute was added in vSphere API 7.0.0.

OK = Health(string='OK')

Each host in the cluster is in consistent state with the rest hosts in the cluster. This class attribute was added in vSphere API 7.0.0.

WARNING = Health(string='WARNING')

Attestation is functioning, however there is an issue that requires attention. This class attribute was added in vSphere API 7.0.0.

class Info(require_endorsement_keys=None, require_certificate_validation=None, health=None, details=None)

Bases: vmware.vapi.bindings.struct.VapiStruct

The Settings.Info class contains information that describes the TPM 2.0 protocol settings. This class was added in vSphere API 7.0.0.

Tip

The arguments are used to initialize data attributes with the same names.

Parameters
  • require_endorsement_keys (bool) –

    Require registered TPM endorsement keys.

    During attestation, the attested host will always send its endorsement key to the Attestation Service. With this option is set, the Attestation Service will only proceed with attestation if the endorsement key has been added to the list of configured trusted endorsement keys.. This attribute was added in vSphere API 7.0.0.

  • require_certificate_validation (bool) –

    Require TPM endorsement key certificate validation.

    During attestation, the attested host will send its endorsement key certificate if one is available. With this option set, the Attestation Service will validate the endorsement key certificate against the list of configured trusted TPM CA certificates. Only endorsement key certificates that are signed by a trusted TPM CA certificate will be able to successfully attest.. This attribute was added in vSphere API 7.0.0.

  • health (Settings.Health) – A health indicator which indicates whether each host in the cluster has the same attestation settings. This attribute was added in vSphere API 7.0.0.

  • details (list of com.vmware.vapi.std_client.LocalizableMessage) –

    Details regarding the health.

    When the Settings.Health is not Settings.Health.OK or Settings.Health.NONE, this member will provide an actionable description of the issues present.. This attribute was added in vSphere API 7.0.0.

class UpdateSpec(require_endorsement_keys=None, require_certificate_validation=None)

Bases: vmware.vapi.bindings.struct.VapiStruct

The Settings.UpdateSpec class contains information that describes changes to the TPM 2.0 protocol settings. This class was added in vSphere API 7.0.0.

Tip

The arguments are used to initialize data attributes with the same names.

Parameters
  • require_endorsement_keys (bool or None) – Require registered TPM endorsement keys. This attribute was added in vSphere API 7.0.0. If None the current state will remain unchanged.

  • require_certificate_validation (bool or None) – Require TPM endorsement key certificate validation. This attribute was added in vSphere API 7.0.0. If None the current state will remain unchanged.

get_task(cluster)

Return the TPM 2.0 protocol settings. This method was added in vSphere API 7.0.0.

Parameters

cluster (str) – The id of the cluster on which the operation will be executed. The parameter must be an identifier for the resource type: ClusterComputeResource.

Return type

class

vmware.vapi.stdlib.client.task.Task

Returns

Task instance

Raise

com.vmware.vapi.std.errors_client.Error if there is a generic error.

Raise

com.vmware.vapi.std.errors_client.InvalidArgument if the cluster id is empty.

Raise

com.vmware.vapi.std.errors_client.NotFound if cluster doesn’t match to any cluster in the vCenter.

Raise

com.vmware.vapi.std.errors_client.Unauthenticated if the caller is not authenticated.

update_task(cluster, spec)

Set the TPM 2.0 protocol settings. This method was added in vSphere API 7.0.0.

Parameters
  • cluster (str) – The id of the cluster on which the operation will be executed. The parameter must be an identifier for the resource type: ClusterComputeResource.

  • spec (Settings.UpdateSpec) – The settings.

Raise

com.vmware.vapi.std.errors_client.Error if there is a generic error.

Raise

com.vmware.vapi.std.errors_client.InvalidArgument if the spec is invalid or cluster id is empty.

Raise

com.vmware.vapi.std.errors_client.NotFound if cluster doesn’t match to any cluster in the vCenter.

Raise

com.vmware.vapi.std.errors_client.Unauthenticated if the caller is not authenticated.

class com.vmware.vcenter.trusted_infrastructure.trust_authority_clusters.attestation.tpm2_client.StubFactory(stub_config)

Bases: vmware.vapi.bindings.stub.StubFactoryBase

Initialize StubFactoryBase

Parameters

stub_config (vmware.vapi.bindings.stub.StubConfiguration) – Stub config instance