Virtual HSM
Agent Configuration

Learn about configuring an Agent for vHSM

General Configuration Options

| Option | Description |
| --- | --- |
| vault | Specifies the remote Vault server the Agent connects to. |
| auto_auth | Specifies the method and other options used for Auto-Auth functionality. |
| api_proxy | Specifies options used for API Proxy functionality. |
| cache | Specifies options used for Caching functionality. |
| listener | Specifies the addresses and ports on which the Agent will respond to requests. |
| pid_file | Path to the file in which the agent's Process ID (PID) should be stored. |
| exit_after_auth | If true, the agent exits with code 0 after a single successful auth. |
| disable_idle_connections | List of features (auto-auth, caching, proxying, templating) for which idle connections are disabled. Can be overridden by VAULT_AGENT_DISABLE_IDLE_CONNECTIONS. |
| disable_keep_alives | List of features (auto-auth, caching, proxying, templating) for which keep-alives are disabled. Can be overridden by VAULT_AGENT_DISABLE_KEEP_ALIVES. |
| template | Specifies options used for templating Vault secrets to files. |
| template_config | Specifies templating engine behavior. |
| exec | Options for the Vault agent to run a child process that injects secrets via env_template. |
| env_template | Multiple blocks accepted for templating Vault secrets as environment variables. |
| telemetry | Specifies the telemetry reporting system. |
| log_level | Equivalent to the -log-level CLI flag. |
| log_format | Equivalent to the -log-format CLI flag. |
| log_file | Equivalent to the -log-file CLI flag. |
| log_rotate_duration | Equivalent to the -log-rotate-duration CLI flag. |
| log_rotate_bytes | Equivalent to the -log-rotate-bytes CLI flag. |
| log_rotate_max_files | Equivalent to the -log-rotate-max-files CLI flag. |

Note: On SIGHUP, vHSM Agent reloads TLS and log level configurations.

Vault Stanza

| Option | Description |
| --- | --- |
| address | Vault server address (FQDN or IP). Overridable via VAULT_ADDR. |
| ca_cert | Path to a PEM-encoded CA certificate. Overridable via VAULT_CACERT. |
| ca_path | Directory of CA certificates. Overridable via VAULT_CAPATH. |
| client_cert | Path to a PEM-encoded client certificate. Overridable via VAULT_CLIENT_CERT. |
| client_key | Path to the private key matching client_cert. Overridable via VAULT_CLIENT_KEY. |
| tls_skip_verify | Disables TLS certificate verification (not recommended). Overridable via VAULT_SKIP_VERIFY. |
| tls_server_name | TLS SNI server name. Overridable via VAULT_TLS_SERVER_NAME. |

Retry Stanza (Inside vault stanza)

| Option | Description |
| --- | --- |
| num_retries | Number of retries for failing requests. Default: 12. Set -1 to disable retries. Overridable via VAULT_MAX_RETRIES. |

Note: Templating and caching subsystems may use different retry and backoff logic.

Listener Stanza

| Option | Description |
| --- | --- |
| require_request_header | If true, requires the X-Vault-Request: true header on all incoming HTTP requests. |
| role | Role of the listener. Values: default (serves all APIs) or metrics_only. |
| agent_api | Optional stanza for managing agent-specific API endpoints. |

Agent API Stanza (Inside listener)

| Option | Description |
| --- | --- |
| enable_quit | Enables the quit API if set to true. |
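
An agent configuration that ties the stanzas above together, added here as an illustration and not taken from the vHSM project's own documentation. It assumes the agent accepts Vault Agent's HCL syntax; the address, certificate paths and the listener-level address and tls_disable parameters are assumptions, and the auto_auth method is left as a comment because this page does not describe it:

```hcl
# Added example configuration (assumed HCL syntax, as used by Vault Agent).
# Every path and address below is a placeholder.

pid_file  = "/run/vhsm-agent.pid"
log_level = "info"

vault {
  address = "https://vhsm.example.internal:8200"   # placeholder server address

  # Pin the server's CA instead of switching verification off.
  ca_cert = "/etc/vhsm/ca.pem"                      # placeholder path
  # tls_skip_verify = true   # weak setting: the agent would accept any certificate

  retry {
    num_retries = 12   # page default; -1 disables retries entirely
  }
}

# auto_auth { ... }   # method-specific; not covered on this page

# Application-facing endpoint, loopback only, all APIs.
listener "tcp" {
  address     = "127.0.0.1:8100"   # assumed listener parameter
  tls_disable = true               # assumed listener parameter (loopback only)

  require_request_header = true    # reject requests without X-Vault-Request: true
  role                   = "default"

  agent_api {
    enable_quit = false            # keep the quit endpoint closed
  }
}

# Second listener that exposes only telemetry to the scraper.
listener "tcp" {
  address     = "127.0.0.1:8101"   # assumed listener parameter
  tls_disable = true               # assumed listener parameter (loopback only)
  role        = "metrics_only"
}

# Feature names come from the disable_idle_connections description above.
disable_idle_connections = ["caching", "proxying"]
```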

Telemetry Stanza

| Metric | Description | Type |
| --- | --- | --- |
| vault.agent.auth.failure | Number of authentication failures. | Counter |
| vault.agent.auth.success | Number of authentication successes. | Counter |
| vault.agent.proxy.success | Number of successfully proxied requests. | Counter |
| vault.agent.proxy.client_error | Number of proxied requests for which Vault returned an error. | Counter |
| vault.agent.proxy.error | Number of proxy attempts that failed in the agent. | Counter |
| vault.agent.cache.hit | Number of cache hits. | Counter |
| vault.agent.cache.miss | Number of cache misses. | |

Last updated 2 months ago