Architecture overview

When using IBM Hyper Protect Virtual Servers, you need to prepare a management server (x86 or Linux on IBM Z or LinuxONE, for example, s390x) to run the commands and manage the components of the offering.

Figure 2. IBM Hyper Protect Virtual Servers - Architecture

The IBM Hyper Protect Virtual Servers offering provides a list of commands with the following capabilities across the application lifecycle phases:

  • Build
    • Build user-provided source code (located in a git repository) into Linux on IBM Z / LinuxONE (i.e. s390x) compatible workloads
    • Create Hyper Protect Virtual Server containers on the Secure Service Container partition based on images in the git repository
  • Register
    • Download a repository definition file template from the hosting appliance
    • Encrypt a repository definition file with security keys
  • Deploy
    • Deploy workloads into Hyper Protect Virtual Server containers on the Secure Service Container partitions
  • Manage
    • Manage Hyper Protect Virtual Server container images
  • Monitor
    • Monitor IBM Hyper Protect appliance health, such as CPU, memory and disk usage, and uptime
  • Crypto
    • Provide Enterprise PKCS #11 (EP11) interfaces for crypto operations such as key generation, encryption, decryption, and data wrapping and unwrapping to EP11 over gRPC (grep11) client applications

IBM Hyper Protect Virtual Servers also leverages Docker Content Trust (DCT), which uses digital signatures for data sent to and received from remote Docker registries on the Secure Service Container partitions. For more information about the DCT, see Content trust in Docker.

By using IBM Hyper Protect Virtual Servers, your repository and containerized images are protected with different keys at different stages. Each key is listed below with its originator / owner, location, function, and lifecycle phase.

Key Name: IBM Key Pair
  • Originator / Owner: IBM
  • Location
    • Public key or certificate: CLI tool
    • Private key: Hosting appliance
  • Function
    • Public key or certificate: Encrypt repository definition files
    • Private key: Decrypt repository definition files
  • Lifecycle Phase
    • Public key or certificate: Application registration
    • Private key: Application deployment

Key Name: Repository signing key pair
  • Originator / Owner: IBM
  • Location
    • Public key or certificate: Remote Docker repository
    • Private key: Hosting appliance
  • Function
    • Public key or certificate: Verify images built by Secure Build
    • Private key: Sign images built by Secure Build
  • Lifecycle Phase: Application build (first time)

Key Name: Image signing key pair
  • Originator / Owner: ISV or app developer
  • Location
    • Public key or certificate: Sent to cloud admin (dev)
    • Private key: Hosting appliance
  • Function
    • Public key or certificate: Cloud admin verifies the signature of the repository definition file and of images built by Secure Build
    • Private key: Sign the repository definition file and images built by Secure Build
  • Lifecycle Phase
    • Public key or certificate: Application registration
    • Private key: Application registration

Key Name: Secure Build initialization key pair
  • Originator / Owner
    • ISV or app developer
    • Cloud admin
  • Location
    • Public key or certificate: Sent to cloud admin (dev)
    • Private key: Local file system
  • Function
    • Public key or certificate: Creates the Secure Build container on the Secure Service Container partition
    • Private key: Initializes the Secure Build container so that it only accepts API calls encrypted with this private key
  • Lifecycle Phase
    • Public key or certificate: Secure Build initialization
    • Private key: Secure Build invocation

Key Name: Secure Build manifest key pair
  • Originator / Owner: Secure Build container
  • Location
    • Public key or certificate: Sent to audit (dev)
    • Private key: Hosting appliance
  • Function
    • Public key or certificate: Can be retrieved from the Secure Build container to audit the manifest
    • Private key: Sign the manifest during the Secure Build
  • Lifecycle Phase
    • Public key or certificate: Manifest audit
    • Private key: Manifest signature

Key Name: Monitoring infrastructure (server-side) key pair
  • Originator / Owner: Cloud admin
  • Location
    • Public key or certificate: Local file system
    • Private key: Local file system
  • Function
    • Public key or certificate: Enable TLS encryption for the monitoring infrastructure
    • Private key: Enable TLS encryption for the monitoring infrastructure
  • Lifecycle Phase
    • Public key or certificate: Collecting monitoring metrics
    • Private key: N/A

Key Name: Monitoring client key pair
  • Originator / Owner: Cloud admin
  • Location
    • Public key or certificate: Local file system
    • Private key: Local file system
  • Function
    • Public key or certificate: Enable mutual TLS communication
    • Private key: Enable TLS encryption for the client tool
  • Lifecycle Phase
    • Public key or certificate: Collecting monitoring metrics, only if client authentication is enabled
    • Private key: N/A

Key Name: GREP11 container key pair
  • Originator / Owner: Cloud admin
  • Location
    • Public key or certificate: Hosting appliance
    • Private key: Local file system
  • Function
    • Public key or certificate: Authenticate secure communication between the GREP11 container and client apps
    • Private key: Encrypt the requests from GREP11 client apps
  • Lifecycle Phase
    • Public key or certificate: Invoking GREP11 calls
    • Private key: N/A