Initialize

Init Nitride and implement custom authentication and authorization mechanisms.

Nitride is built around the Vault core - a popular open-source tool for securely storing and managing secrets. While Vault provides a robust core functionality, its versatility can be extended through the creation of plugins. These plugins allow users to tailor Vault to specific use cases, integrate with external systems, and implement custom authentication and authorization mechanisms.

Nitride extension ratls is an authentication module, adding workload identity methods to the core.

Step-by-step Guide

Note: To view the available plugins you need to log in to vHSM as a root user. For more information about using the vHSM CLI to log in, see Authentication and Authorization. You need the root token, or an access token with sufficient privileges, that you saved during the installation.

List installed plugins

To verify that the extension is registered, run the following command:

vhsm plugin list

Output:

Name                                 Type        Version
----                                 ----        -------
alicloud                             auth        v0.15.0+builtin
approle                              auth        v1.3.7+builtin.vault
aws                                  auth        v1.3.7+builtin.vault
azure                                auth        v0.16.0+builtin
centrify                             auth        v0.15.1+builtin
cert                                 auth        v1.3.7+builtin.vault
cf                                   auth        v0.15.0+builtin
gcp                                  auth        v0.16.0+builtin
github                               auth        v1.3.7+builtin.vault
jwt                                  auth        v0.16.0+builtin
kerberos                             auth        v0.10.0+builtin
kubernetes                           auth        v0.16.0+builtin
ldap                                 auth        v1.3.7+builtin.vault
oci                                  auth        v0.14.0+builtin
oidc                                 auth        v1.3.7+builtin.vault
okta                                 auth        v1.3.7+builtin.vault
pcf                                  auth        v1.3.7+builtin.vault
radius                               auth        v1.3.7+builtin.vault
ratls                                auth        v1.3.7+builtin.vault
userpass                             auth        v1.3.7+builtin.vault
cassandra-database-plugin            database    v1.3.7+builtin.vault
couchbase-database-plugin            database    v0.9.2+builtin

Confirm that the ratls plugin appears in the list with type auth.

Enabling the rATLS Auth Method

  1. Enable the Remote Attestation TLS (RA-TLS) plugin on the vHSM server.

vhsm auth enable -path=ratls ratls

  • -path=ratls: the mount path where the auth method is enabled.

  • ratls: the name of the plugin.

Note: To enable the ratls auth method with token namespacing, see Enable Namespacing.

Output:

Success! Enabled ratls auth method at: ratls/

Once the rATLS authentication method is enabled, workloads can authenticate using remote attestation based on platform and firmware identity.

  2. Verify that the authentication method is active.

vhsm auth list

Output:

Path      Type     Accessor               Description                                              Version
----      ----     --------               -----------                                              -------
ratls/    ratls    auth_ratls_70c308c0    Remote attestation plugin for usage with vhsm nitride    n/a
token/    token    auth_token_10743d4c    Token-based credentials                                  n/a

If ratls/ appears in the list, the auth method has been successfully enabled.

  3. Optionally, update the description or settings of the enabled auth method.

vhsm auth tune -description="rATLS auth method for Nitride workloads" ratls/
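As an added example (not part of the vHSM documentation), the following POSIX shell script performs the three steps above idempotently: it checks the vhsm plugin list output for the ratls plugin, enables the method at the requested path only if vhsm auth list does not already show the mount, and re-checks afterwards. It assumes the vhsm CLI is on PATH and that you are already logged in with a sufficiently privileged token; the helper functions parse the CLI's tabular output in the format shown above.

```shell
#!/bin/sh
# Added example, not part of the vHSM docs. Assumes `vhsm` is on PATH and a
# valid token is already in use. The helpers read CLI output on stdin so they
# can be tested against constructed sample output.

# Succeed (exit 0) if `vhsm plugin list` output on stdin contains a plugin
# named "$1" with type "$2" (e.g. ratls auth).
plugin_registered() {
    awk -v name="$1" -v type="$2" \
        '$1 == name && $2 == type { found = 1 } END { exit found ? 0 : 1 }'
}

# Succeed (exit 0) if `vhsm auth list` output on stdin shows a mount at path
# "$1" (e.g. ratls/) with type "$2".
auth_mounted() {
    awk -v path="$1" -v type="$2" \
        '$1 == path && $2 == type { found = 1 } END { exit found ? 0 : 1 }'
}

# Enable the ratls auth method at mount path "$1" (default: ratls) unless it
# is already mounted, then verify the mount exists. Returns non-zero if the
# plugin is not registered or the mount cannot be confirmed.
ensure_ratls_enabled() {
    mount_path="${1:-ratls}"
    if ! vhsm plugin list | plugin_registered ratls auth; then
        echo "ratls plugin is not registered with vHSM; install it first" >&2
        return 1
    fi
    if vhsm auth list | auth_mounted "${mount_path}/" ratls; then
        echo "ratls auth method already enabled at ${mount_path}/"
        return 0
    fi
    vhsm auth enable -path="$mount_path" ratls || return 1
    # Re-read the mount table rather than trusting the enable command alone.
    vhsm auth list | auth_mounted "${mount_path}/" ratls
}

# Usage: sh this_script.sh --run [mount_path]
if [ "${1:-}" = "--run" ]; then
    ensure_ratls_enabled "${2:-ratls}"
fi
```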
