4. Securing the installation
The V-IPU management software provides several ways to enhance the security of the software stack. You can secure the communication between the V-IPU controller and API clients (such as the vipu-admin utility) by using Transport Layer Security (TLS) and mutual authentication between the server and the clients. In addition, you can decouple the user and the admin API end-points, provided by the V-IPU controller, so that standard network security and partitioning mechanisms, such as VLANs, can be used to restrict the access of end-users, depending on their roles.
These mechanisms are described in detail in the following sections.
4.1. Enabling mutual TLS
Mutual TLS (mTLS) is a two-way authentication procedure in which both the server and the client, in this case the V-IPU controller (vipu-server) and the gRPC client (vipu-admin), authenticate each other and establish private encrypted communication. The TLS authentication is based on X.509 certificates. In order to ease the use of TLS certificates, the V-IPU software provides a feature to generate certificates when initialising the V-IPU controller. You can use the command line option --tls-init to generate certificates.
Both the storage initialisation and certificate generation can be done at the same time using the --init command-line option together with --secure. When you initialise the V-IPU controller in secure mode, a default admin user is also created with your username. The default user can be changed with the --default-user-id option (see Section 10, Server command line reference):
$ vipu-server --tls-init
Generated server TLS certificates in the directory: vipu-certs/server
Generated client TLS certificates in the directory: vipu-certs/client
$ vipu-server --init --secure
Initialised storage: vipu-server.json
Generated server TLS certificates in the directory: vipu-certs/server
Generated client TLS certificates in the directory: vipu-certs/client
Default user is: john
Access Key is: Y6vMER8j0w_5Ef
Default user configuration wrote: .vipu-cli.hcl
During certificate generation, the V-IPU controller establishes a root certificate authority for self-signing server and client certificates. The files generated are listed in Table 4.1. Note that you can change the default directory for the certificates with the command-line option --tls-cert-dir.
| File | Description |
|---|---|
| | Certificate for the Root CA Authority |
| | Private key for the Root CA Authority |
| | Server TLS Certificate |
| | Server private key |
| | Client TLS Certificate |
| | Client private key |
| | Copy of Server TLS Certificate for the client |
Both vipu-server and vipu-admin can use the certificates generated when in secure mode:
$ vipu-server --secure --tls-cert-dir vipu-certs
$ vipu-admin --secure --tls-cert-dir vipu-certs list agents
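A check an operator might run on the certificate directory after generation, given here as an added example that is not part of the V-IPU software or its documentation: it finds PEM private keys by their header, so no generated file names are assumed, and flags any key that is accessible beyond its owner. The function name audit_key_perms and its exit codes belong to this example only.

```shell
#!/bin/sh
# Added example: audit a certificate directory (for example the vipu-certs
# directory created by --tls-init) for private keys with loose permissions.
# Keys are found by their PEM header, so no generated file names are assumed.

# audit_key_perms DIR   (hypothetical helper, not a V-IPU command)
# Prints one line per PEM private key under DIR:
#   OK <path>     only the owner has any permission bits
#   LOOSE <path>  group or other bits are set
# Returns 0 if all keys are OK, 1 if any is LOOSE,
# 2 if DIR is missing or contains no private key.
audit_key_perms() {
    dir=$1
    if [ ! -d "$dir" ]; then
        echo "no such directory: $dir" >&2
        return 2
    fi
    # "PRIVATE KEY-----" matches PKCS#8, RSA and EC PEM headers alike.
    # grep exits non-zero when nothing matches; that case is handled below.
    keys=$(find "$dir" -type f -exec grep -l 'PRIVATE KEY-----' {} +) || true
    if [ -z "$keys" ]; then
        echo "no PEM private keys under: $dir" >&2
        return 2
    fi
    status=0
    while IFS= read -r f; do
        # Characters 5-10 of the ls mode string are the group and other bits.
        bits=$(ls -ld "$f" | cut -c5-10)
        if [ "$bits" = "------" ]; then
            echo "OK $f"
        else
            echo "LOOSE $f"
            status=1
        fi
    done <<EOF
$keys
EOF
    return $status
}

# Run the audit when a directory is given on the command line.
[ "$#" -eq 0 ] || audit_key_perms "$1"
```

A key reported as LOOSE can be restricted to its owner with chmod 600.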
4.2. Decoupling user and admin API end points
By default, the vipu-server serves both the user and admin APIs on the same end-point. However, you can change this by using the --listen and --listen-user options to vipu-server. The end-point given for --listen will serve the admin-level API, while the end-point given for --listen-user will serve user-level APIs. These end-points can then be segregated and secured using standard network security mechanisms:
$ ./vipu-server --listen localhost:8081 --listen-user localhost:8082
You can also decouple the end-points in secure mode to establish greater security:
$ ./vipu-server --listen localhost:8081 --listen-user localhost:8082 --secure