Installing the Host Verification Service

This section details how to install the Intel® SecL-DC services. For instructions on running these services as containers, see the following section.

Required For

The Host Verification Service is REQUIRED for all use cases.

  • Platform Integrity with Data Sovereignty and Signed Flavors

  • Application Integrity

  • Workload Confidentiality (both VMs and Containers)

Prerequisites

The following must be completed before installing the Verification Service:

  • The Certificate Management Service must be installed and available

  • The Authentication and Authorization Service must be installed and available

  • The Verification Service database must be available

Package Dependencies

The Intel® Security Libraries Verification Service requires the following packages and their dependencies:

  • logback
  • Postgres* client and server 11.6 (server component optional if an external Postgres database is used)
  • unzip
  • zip
  • openssl
  • wget
  • net-tools
  • python3-policycoreutils

If they are not already installed, the Verification Service installer attempts to install these automatically using the package manager. Automatic installation requires access to package repositories (the RHEL subscription repositories, the EPEL repository, or a suitable mirror), which may require an Internet connection. If the packages are to be installed from the package repository, be sure to update the repository package lists before installation.

Supported Operating Systems

The Intel® Security Libraries Verification Service supports:

  • Red Hat Enterprise Linux 8.4

  • Ubuntu 20.04

  • 4 vCPUs

  • RAM: 8 GB

  • 100 GB

  • One network interface with network access to all managed servers

  • (Optional) One network interface for Asset Tag provisioning (only required for “pull” tag provisioning; required to provision Asset Tags to VMware ESXi servers).

Installation

To install the Verification Service, follow these steps:

  • Copy the Verification Service installation binary to the /root directory.

  • Create the hvs.env installation answer file.

A sample minimal hvs.env file is provided below. For all configuration options and their descriptions, refer to the Intel® SecL Configuration section on the Verification Service.

# Authentication URL and service account credentials
AAS_API_URL=https://isecl-aas:8444/aas/v1
HVS_SERVICE_USERNAME=<username>
HVS_SERVICE_PASSWORD=<password>

# CMS URL and CMS webservice TLS hash for server verification
CMS_BASE_URL=https://isecl-cms:8445/cms/v1
CMS_TLS_CERT_SHA384=<digest>

# TLS Configuration
SAN_LIST=127.0.0.1,192.168.1.1,hvs.server.com #comma-separated list of IP addresses and hostnames for the HVS to be used in the Subject Alternative Names list in the TLS Certificate

# Installation admin bearer token for CSR approval request to CMS
BEARER_TOKEN=eyJhbGciOiJSUzM4NCIsImtpZCI6ImE…

# Database
HVS_DB_NAME=<database name>
HVS_DB_USERNAME=<database username>
HVS_DB_PASSWORD=<database password>
HVS_DB_SSLCERTSRC=/tmp/dbcert.pem  # Not required if VS_DB_SSLCERT is given

  • Execute the installer binary.

./hvs-v4.1.bin

When the installation completes, the Verification Service is available. The services can be verified by running hvs status from the Verification Service command line.

hvs status
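
The hvs.env answer file carries service credentials, a bearer token and the CMS TLS pin, so it is worth checking before the installer is run. The following pre-flight check is an added example, not part of the Intel® SecL documentation or tooling. It assumes that every key in the sample above is required, that CMS_TLS_CERT_SHA384 is hex-encoded, and that the file should be owner-only; lint_hvs_env and parse_env are hypothetical names.

```python
import ipaddress, re, stat
from urllib.parse import urlparse

# Keys taken from the sample minimal hvs.env on this page (assumed all needed).
REQUIRED = ("AAS_API_URL", "HVS_SERVICE_USERNAME", "HVS_SERVICE_PASSWORD",
            "CMS_BASE_URL", "CMS_TLS_CERT_SHA384", "SAN_LIST", "BEARER_TOKEN",
            "HVS_DB_NAME", "HVS_DB_USERNAME", "HVS_DB_PASSWORD")
LABEL = r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)"
HOSTNAME = re.compile(rf"{LABEL}(\.{LABEL})*")

def parse_env(text):
    """Parse KEY=VALUE lines, skipping blanks and comments.
    A trailing ' #...' is treated as a comment, as in the sample SAN_LIST line."""
    env = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            env[key.strip()] = re.split(r"\s+#", value, maxsplit=1)[0].strip()
    return env

def lint_hvs_env(text, mode=None):
    """Return a list of problems; mode is os.stat(path).st_mode if known."""
    env, problems = parse_env(text), []
    for key in REQUIRED:
        value = env.get(key, "")
        if not value:
            problems.append(f"{key}: missing or empty")
        elif re.fullmatch(r"<[^>]*>", value) or value.endswith("…"):
            problems.append(f"{key}: still a placeholder")
            env.pop(key)  # no further format checks on a placeholder
    for key in ("AAS_API_URL", "CMS_BASE_URL"):
        if env.get(key) and urlparse(env[key]).scheme != "https":
            problems.append(f"{key}: must use https")
    # SHA-384 is 48 bytes; hex encoding of the digest is an assumption here.
    digest = env.get("CMS_TLS_CERT_SHA384")
    if digest and not re.fullmatch(r"[0-9a-fA-F]{96}", digest):
        problems.append("CMS_TLS_CERT_SHA384: expected 96 hex characters")
    sans = (s.strip() for s in env.get("SAN_LIST", "").split(","))
    for san in filter(None, sans):
        try:
            ipaddress.ip_address(san)
        except ValueError:
            if not HOSTNAME.fullmatch(san):
                problems.append(f"SAN_LIST: invalid entry {san!r}")
    # The file holds passwords and a bearer token: owner-only access.
    if mode is not None and mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append("file mode: readable by group/other, expected 0600")
    return problems
```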