Skip to content

Trust Agent

Available Setup Tasks

    all                         Runs all setup tasks to provision the trust agent. This command can be omitted with running only tagent setup
    download-ca-cert            Fetches the latest CMS Root CA Certificates, overwriting existing files.
    download-cert               Downloads a signed TLS Certificate from CMS.
    download-credential         Fetches Credential from AAS
    download-api-token          Fetches Custom Claims Token from AAS
    update-certificates         Runs 'download-ca-cert' and 'download-cert'
    provision-attestation       Runs setup tasks associated with HVS/TPM provisioning.
    create-host                 Registers the trust agent with the verification service.
    create-host-unique-flavor   Populates the verification service with the host unique flavor
    update-service-config       Updates service configuration
    define-tag-index            Allocates nvram in the TPM for use by asset tags.

Variables for Setup Tasks

Below are the variables that can be used to configure the setup tasks:

download-ca-cert

    CMS_BASE_URL=<url>                                 CMS API URL
    CMS_TLS_CERT_SHA384=<CMS TLS cert sha384 hash>     to ensure that TA is communicating with the right CMS instance

download-cert: Fetches a signed TLS Certificate from CMS, overwriting existing files.

    CMS_BASE_URL=<url>                                 CMS API URL
    BEARER_TOKEN=<token>                               for authenticating with CMS and VS

create-host: Registers the trust agent with the verification service

Mandatory:

    HVS_URL             VS API URL
    BEARER_TOKEN        JWT token for authenticating with VS
    CURRENT_IP          IP Address of TA deployed host for http service mode
    TA_HOST_ID          Host ID of TA for outbound mode(NATS Connection). Host ID of TA should be unique.

Optional:

    TPM_OWNER_SECRET    When provided, setup uses the 40 character hex string for the TPM owner password. Uses empty password when not provided

create-host-unique-flavor: Populates the verification service with the host unique flavor

    HVS_URL=<url>                           VS API URL
    BEARER_TOKEN=<token>                    for authenticating with VS
    CURRENT_IP=<ip address of host>         Used to associate the flavor with the host

update-service-config: Updates service configuration

    TRUSTAGENT_PORT=<port>                             Trust Agent Listener Port
    TA_SERVER_READ_TIMEOUT                             Trustagent Server Read Timeout
    TA_SERVER_READ_HEADER_TIMEOUT                      Trustagent Read Header Timeout
    TA_SERVER_WRITE_TIMEOUT                            Tustagent Write Timeout
    TA_SERVER_IDLE_TIMEOUT                             Trustagent Idle Timeout
    TA_SERVER_MAX_HEADER_BYTES                         Trustagent Max Header Bytes Timeout
    TRUSTAGENT_LOG_LEVEL                               Logging Level
    TA_ENABLE_CONSOLE_LOG                              Trustagent Enable standard output
    LOG_ENTRY_MAXLENGTH                                Maximum length of each entry in a log

provision-attestation: Runs setup tasks associated with HVS/TPM provisioning

Mandatory:

    HVS_URL=<url>                                   VS API URL
    BEARER_TOKEN=<token>                            for authenticating with VS
Optional:
    TPM_OWNER_SECRET=<40 byte hex>                     When provided, setup uses the 40 character hex string for the TPM owner password. Auto-generated when not provided.

Configuration Options

The Trust Agent configuration settings are managed in /etc/trustagent/configuration/config.yml

Setting Description
tpmquoteipv4: true When enabled, the Trust Agent will perform an additional hash of the nonce using the bytes from the Trust Agent server IP when returning TPM quotes. This should always be set to True.
logging:
loglevel: info Defines the Trust Agent logging level
logenablestdout: false If set to True, the Trust Agent will log to stdout. By default this is False and the logs are sent to /var/log/trustagent/trustagent.log
logentrymaxlength: 300 Defines the maximum length of a single log entry
webservice:
port: 1443 Defines the port on which the Trust Agent API server will listen
readtimeout: 30s
readheadertimeout: 10s
writetimeout: 10s
idletimeout: 10s
maxheaderbytes: 1048576
hvs:
url: https://0.0.0.0:30443/hvs/v2 Defines the baseurl for the Verification Service
tpm:
aas:
baseurl: https://0.0.0.0:30444/aas/v1/ Defines the base URL for the AAS
cms:
baseurl: https://0.0.0.0:30445/cms/v1 Defines the base URL for the CMS
tlscertdigest: 330086b3...ae477c8502 Defines the SHA383 hash of the CMS TLS certificate
tls:
certsan: 10.1.2.3,server.domain.com,localhost Comma-separated list of hostnames and IP addresses for the Trust Agent. Used in the Agent TLS certificate.
certcn: Trust Agent TLS Certificate Common Name for the Trust Agent TLS certificate

Directory Layout

The Linux Trust Agent installs by default to /etc/trustagent, with the following subfolders:

v5.1.0

Contains the config.yml configuration file, as well as certificates and keystores. This includes the AIK public key blob after provitioning.

cacerts

Contains ca certificate file generated from CMS.