4. Securing the installation

The V-IPU management software provides several ways to enhance security of the software stack. You can secure the communication between the V-IPU controller and API clients (such as the vipu-admin utility) by using Transport Layer Security (TLS) and mutual authentication between the server and the clients. In addition, you can decouple the user and the admin API end-points, provided by the V-IPU controller, so that standard network security and partitioning mechanisms, such as VLANs, can be used to restrict access of the end-users, depending on their roles.

These mechanisms are described in detail in the following sections.

4.1. Enabling mutual TLS

Mutual TLS (mTLS) is a two-way authentication procedure in which both the server and the client, in this case the V-IPU controller (vipu-server) and the gRPC client (vipu-admin), authenticate each other and establish private encrypted communication. The TLS authentication is based on X.509 certificates. In order to ease the use of TLS certificates, the V-IPU software provides a feature to generate certificates when initialising the V-IPU controller.

You can use the command line option --tls-init to generate certificates.

Both the storage initialisation and certificate generation can be done at the same time using the --init command-line option together with --secure. When you initialise the V-IPU controller in secure mode, a default admin user is also created with your username. The default user can be changed with the --default-user-id option (see Section 10, Server command line reference):

$ vipu-server --tls-init
Generated server TLS certificates in the directory: vipu-certs/server
Generated client TLS certificates in the directory: vipu-certs/client
$ vipu-server --init --secure
Initialised storage: vipu-server.json
Generated server TLS certificates in the directory: vipu-certs/server
Generated client TLS certificates in the directory: vipu-certs/client
Default user is: john
Access Key is: Y6vMER8j0w_5Ef
Default user configuration wrote: .vipu-cli.hcl

During certificate generation, the V-IPU controller establishes a root certificate authority for self-signing server and client certificates. The files generated are listed in Table 4.1. Note that you can change the default directory for the certificates with the command-line option --tls-cert-dir.

Table 4.1 Generated TLS Certificates




Certificate for the Root CA Authority


Private key for the Root CA Authority


Server TLS Certificate


Server private key


Client TLS Certificate


Client private key


Copy of Server TLS Certificate for the client

Both vipu-server and vipu-admin can use the certificates generated when in secure mode:

$ vipu-server --secure --tls-cert-dir vipu-certs
$ vipu-admin --secure --tls-cert-dir vipu-certs list agents

4.2. Decoupling user and admin API end points

By default, the vipu-server serves both the user and admin APIs on the same end-point. However, you can change this by using the --listen and --listen-user options to vipu-server. The end-point given for --listen will serve the admin-level API, while the end-point given for --listen-user will serve user-level APIs. These end-points can then be segregated and secured using standard network security mechanisms:

$ ./vipu-server --listen localhost:8081 --listen-user localhost:8082

You can also decouple the end-points in secure mode to establish greater security:

$ ./vipu-server --listen localhost:8081 --listen-user localhost:8082 --secure