Configure

Configure Nitride to integrate with external systems, and implement custom authentication and authorization mechanisms.

Nitride is built around the Vault core - a popular open-source tool for securely storing and managing secrets. While Vault provides a robust core functionality, its versatility can be extended through the creation of plugins. These plugins allow users to tailor Vault to specific use cases, integrate with external systems, and implement custom authentication and authorization mechanisms.

Note: To view the available plugins you need to login as a root user for vHSM. For more information about using the vHSM CLI to login, see Authentication and Authorization. You need the root token that you saved during the installation.

Nitride extension ratls is an authentication module, adding workload identity methods to the core.

To verify that the extension is registered, run the following command:

vhsm plugin list

Output is similar to:

Name                                 Type        Version
----                                 ----        -------
alicloud                             auth        v0.15.0+builtin
approle                              auth        v1.3.7+builtin.vault
aws                                  auth        v1.3.7+builtin.vault
azure                                auth        v0.16.0+builtin
centrify                             auth        v0.15.1+builtin
cert                                 auth        v1.3.7+builtin.vault
cf                                   auth        v0.15.0+builtin
gcp                                  auth        v0.16.0+builtin
github                               auth        v1.3.7+builtin.vault
jwt                                  auth        v0.16.0+builtin
kerberos                             auth        v0.10.0+builtin
kubernetes                           auth        v0.16.0+builtin
ldap                                 auth        v1.3.7+builtin.vault
oci                                  auth        v0.14.0+builtin
oidc                                 auth        v1.3.7+builtin.vault
okta                                 auth        v1.3.7+builtin.vault
pcf                                  auth        v1.3.7+builtin.vault
radius                               auth        v1.3.7+builtin.vault
ratls                                auth        v1.3.7+builtin.vault
userpass                             auth        v1.3.7+builtin.vault
cassandra-database-plugin            database    v1.3.7+builtin.vault
couchbase-database-plugin            database    v0.9.2+builtin

Enable Remote Attestation through TLS

Enable remote attestation using the vhsm nitride init command.

Note:

This performs a series of operations to configure and secure your environment:

Creates essential Nitride identities, including: platform, firmware, and workload
Creates and attaches a Nitride policy from an embedded policy configuration.
Generates attestation objects based on your setup.
Bootstraps the environment to allow secure workload attestation and the issuance of access tokens with the appropriate permissions.

To enable token namespacing, add the -namespacing flag: vhsm nitride init -namespacing @policy.hcl

Verify that the endpoint has been enabled correctly:

vhsm auth list

Output:

Path      Type     Accessor               Description                                              Version
----      ----     --------               -----------                                              -------
ratls/    ratls    auth_ratls_70c308c0    Remote attestation plugin for usage with vhsm nitride    n/a
token/    token    auth_token_10743d4c    Token-based credentials                                  n/a

Fore more information about creating identities, policies, and other tasks, see using CLI.

Last updated 21 days ago

Was this helpful?