Skip to content

Installing the Workload Policy Manager

Installing the Workload Policy Manager

The Workload Policy Manager is a lightweight application that assists in encrypting workload images. Because of the way this utility is used, it is not part of the Helm deployment for the rest of the ISecL application, and can be deployed on any machine with a supported OS for authoring encrypted workload images.

Required For

The WPM is REQUIRED for the following use cases.

  • Workload Confidentiality (both VMs and Containers)

Supported Operating Systems

The Intel® Security Libraries Workload Policy Manager supports:

  • Red Hat Enterprise Linux 8.4

  • Ubuntu 20.04

  • 2 vCPUs

  • RAM: 8 GB

  • 100 GB

  • One network interface with network access to the Key Broker and Workload Service

  • Additional memory and disk space may be required depending on the size of images to be encrypted

Installation

  • Copy the WPM installer to the /root directory

  • Create the wpm.env answer file:

KBS_BASE_URL=https://<IP address or hostname of the KBS>:<KBS port>/kbs/v1/
WPM_SERVICE_USERNAME=<WPM_Service username mentioned in values.yaml>
WPM_SERVICE_PASSWORD=<WPM Service password mentioned in values.yaml>
CMS_TLS_CERT_SHA384=<Sha384 hash of the CMS TLS certificate>
CMS_BASE_URL=https://<IP address or hostname for CMS>:<CMS port>/cms/v1/
AAS_API_URL=https://<Hostname or IP address of the AAS>:<AAS port>/aas/v1
WPM_WITH_CONTAINER_SECURITY_CRIO=yes
  • Steps to get sha384 hash of cms tls certificate
kubectl exec -it <cms_pod_name> -n <namespace> -- cms tlscertsha384
  • Execute the WPM installer:
./wpm-v5.1.0.bin