IBM Hyper Protect Virtual Servers

Everything you need to get started quickly.

Welcome to the IBM® Hyper Protect Virtual Servers content solution, your homepage for technical resources.

IBM® Hyper Protect Virtual Servers are designed to protect mission critical Linux workloads throughout the DevSecOps lifecycle—even from privileged administrators. Hyper Protect Virtual Servers allow developers to leverage their modern application development skills, while securely building their workloads in a confidential computing environment. Their solutions are signed, encrypted, and deployed while administrators manage the underlying infrastructure, without access to the data. Hyper Protect Virtual Servers are designed to uniquely protect workloads that are deployed on IBM Z and LinuxONE servers in hybrid multi-cloud environments.


Big picture

  1. The system administrator and cloud administrator prepare the environment.
  2. The cloud administrator and application developer register and deploy their application with one of the following methods:
     • secure build
     • bring your own image
  3. The cloud administrator configures monitoring and security.
How to get started
Overview

IBM Hyper Protect Virtual Servers is a software solution built on the IBM Secure Service Container framework, which enables users to securely run containerized Linux workloads on IBM Z and LinuxONE.

Secure Service Container is a software appliance infrastructure that combines an operating system, middleware, and application components into a single software image. Software images deployed to a Secure Service Container partition can exploit the underlying security capabilities of the IBM Z and LinuxONE infrastructure.

Hyper Protect Virtual Servers provides an encrypted environment (data at rest, data in flight), with peer to peer and peer to host isolation protecting container applications from access via privileged credentials, whether access is accidental or malicious, internal or external to an organization. IBM Hyper Protect Virtual Servers also ensures your applications can be deployed and managed from trusted sources without the infrastructure team being able to access the data, secrets or application.

Learn more: Overview | Hyper Protect Virtual Servers components | System requirements
Planning and setup

To plan for the environment, ensure that you meet all the system requirements and that you have gathered all the required information for the management server, which runs on x86 or on Linux on IBM Z/LinuxONE (s390x architecture).

Once you have all the requirements, download the installation package to get all of the Hyper Protect Virtual Servers components.

Before you begin setting up the environment, follow the user guide to create and configure the Secure Service Container LPAR on your IBM Z or LinuxONE server.

Learn more: Planning for the environment | How to download the installation package | Secure Service Container User's Guide | How to create the Secure Service Container LPAR
Steps

To set up the Hyper Protect Virtual Servers environment, the cloud administrator completes the following steps in the installation package directory, with root user authority, on the x86 or Linux on IBM Z/LinuxONE (s390x architecture) management server:

  1. Run the envcheck.sh shell script to verify that all the prerequisites are met to set up the Hyper Protect Virtual Servers environment on the management server.
  2. Run the setup.sh shell script to complete the environment preparation on the management server.
  3. When the script is executing the setup of the Docker registry list, enter the Docker Registry Name, Username, and Password.
  4. When the script is executing the setup of the hosts config, enter the SSC LPAR (Host) IP Address, Name, and Username.
Learn more about how to set up the environment
Overview

Cloud administrators and application developers can use the Secure Build Virtual Server to build source code stored in a GitHub repository, deploy the result into IBM Hyper Protect Virtual Servers as a Virtual Server instance, and publish the built image to a remote Docker repository.

Prerequisites

A Hyper Protect Virtual Server instance can be provisioned on the Secure Service Container partition by using the hpvs-op-ssh base image that is provided in the IBM Hyper Protect Virtual Servers download package, or by using the yaml configuration files.

Learn more about how to create a Hyper Protect Virtual Server instance
Steps

To build an application with the secure build virtual server, complete the following steps on your x86 or Linux on IBM Z/LinuxONE (s390x architecture) management server, in the installation package directory, with root user authority:

  1. Create the certificate and key to securely communicate with the secure build server.
  2. Create a Secure Build Virtual Server.
  3. Generate the signing keys.
  4. Build the application by using the Secure Build.
  5. Deploy the application.
Learn more about how to build your application with the secure build virtual server
Overview

Cloud administrators and application developers can bring their own Linux-based container image as a Virtual Server on IBM Hyper Protect Virtual Servers. The application developer customizes the image, then the cloud administrator registers the repository for them, so that the application developer can deploy the images into the IBM Hyper Protect Virtual Servers.

Planning and setup

Before you begin, ensure that your Linux-based container image is built for the IBM LinuxONE and IBM Z platform (s390x) and is available on either Docker Hub or IBM Container Registry. Also ensure that your Linux-based container images are signed by using Docker Content Trust.

Learn more: Docker Hub | IBM Container Registry | Docker Content Trust
Steps

To deploy your own Linux-based container image as a Hyper Protect Virtual Server, complete the following steps in the installation package directory, with root user authority:

  1. Sign your image by using Docker Content Trust.
  2. Add the registry.
  3. Generate the signing keys.
  4. Prepare the configuration.
  5. Deploy your image.
Learn more about how to deploy your applications securely
Overview

The cloud administrator can monitor a wide range of components with the monitoring infrastructure provided by IBM Hyper Protect Virtual Servers, and the monitoring metrics are collected from Secure Service Container partitions.

Learn more: Creating monitoring virtual servers | Metrics collected by the monitoring infrastructure
Planning and setup

You can connect to your Enterprise PKCS #11 (EP11) instance through a gRPC (GREP11) container on the Secure Service Container partition, and then use the Hardware Security Module (HSM) to perform cryptographic operations, such as generating asymmetric (public and private) key pairs for digital signing and verification, or generating symmetric keys for encrypting data, as needed by the deployed applications.

Creating GREP11 virtual servers
Steps

You can use the Enterprise PKCS #11 (EP11) API over gRPC (also referred to as GREP11 API) to remotely access the GREP11 container on the Secure Service Container partition for data encryption and management.

Accessing the GREP11 virtual servers within your code
Documentation

IBM Hyper Protect Virtual Servers Documentation

Learn more about how to get started with IBM Hyper Protect Virtual Servers.

IBM Documentation
Technical resources

Learn about securing your critical workloads with IBM Hyper Protect Services.

Read the Redbook

Find product information including features, requirements, and pricing of Hyper Protect Virtual Servers.

Explore the product page

Learn about how to configure an IBM Secure Service Container partition, then install and run supported firmware or software appliances in that partition.

Read the user's guide
Overview

Learn how IBM® Hyper Protect Virtual Servers are designed to protect mission critical Linux workloads throughout the DevSecOps lifecycle.

Watch the video (4:53)
How to bring your own image

Learn how to bring your own image on IBM® Hyper Protect Virtual Servers.

Watch the video (5:20)
How to use the secure build virtual server

Learn how to use the secure build virtual server to build source code stored in a GitHub repository, deploy it into IBM® Hyper Protect Virtual Servers, and publish to a remote Docker repository.

Watch the video (6:59)
How to set up a Grep11 container

Learn how to set up a Grep11 container while creating your Hyper Protect Virtual Server environment.

Watch the video (4:22)
Running the Trusted Key Entry Workstation Setup Wizard

Learn how to initialize your new Trusted Key Entry, using the Trusted Key Entry Workstation Setup Wizard.

Watch the video (10:28)
Initializing Smart Cards

Learn how to use Trusted Key Entry to initialize smart cards for Trusted Key Entry Workstation and CCA normal-mode module management.

Watch the video (17:01)
Creating the Profiles Used for Logging onto the Trusted Key Entry Workstation

Learn how to create Trusted Key Entry local crypto adapter profiles by using the Trusted Key Entry Workstation Log-on Profile Wizard. These profiles are used when you open TKE applications and utilities.

Watch the video (12:52)
Creating Host Definitions

Learn how to create and open Trusted Key Entry host definition objects, which are used to access the logical partitions or systems running the Trusted Key Entry host transaction program.

Watch the video (11:03)
Creating CCA Domain Groups

Learn how to create and open Trusted Key Entry CCA Domain groups, which are collections of modules and domains with the same administrative settings. From a domain group, every module-wide command is sent to every module included in the group. Every domain-specific command is sent to every domain in the group.

Watch the video (14:38)
Related solutions

Hyper Protect Data Controller

Protect your data as it moves throughout the enterprise and beyond.

z/OS Trusted Key Entry Workstation

Manage IBM Z host cryptographic modules.

Journey to hybrid cloud with IBM Z

Build your hybrid cloud with IBM Z® for data privacy, security, cyber resiliency and speed to modernization.

What's new

Added the Journey to hybrid cloud with IBM Z content solution to the Content Solutions tab in the Technical Resources section.
