Architecture overview
When using IBM Hyper Protect Virtual Servers, you need to prepare a management server (x86 or Linux on IBM Z or LinuxONE, for example, s390x) to run the commands and manage the components of the offering.
Figure 2. IBM Hyper Protect Virtual Servers - Architecture
The IBM Hyper Protect Virtual Servers offering provides a list of commands with the following capabilities across the application lifecycle phases:
- Build
- Build user-provided source code (located in a git repository) into Linux on IBM Z / LinuxONE (i.e. s390x) compatible workloads
- Create Hyper Protect Virtual Server containers on the Secure Service Container partition based on images in the git repository
- Register
- Download a repository definition file template from the hosting appliance
- Encrypt a repository definition file with security keys
- Deploy
- Deploy workloads into Hyper Protect Virtual Server containers on the Secure Service Container partitions
- Manage
- Manage Hyper Protect Virtual Server container images
- Monitor
- Monitor IBM Hyper Protect appliance health such as the usage of CPU, memory, disk, and uptime.
- Crypto
- Provide Enterprise PKCS #11 (EP11) interfaces for crypto operations such as key generation, encryption, decryption, data wrapping and unwrapping in EP11 over gRPC (grep11) client applications.
IBM Hyper Protect Virtual Servers also leverages Docker Content Trust (DCT), which uses digital signatures for data sent to and received from remote Docker registries on the Secure Service Container partitions. For more information about the DCT, see Content trust in Docker.
By using IBM Hyper Protect Virtual Servers, your repository and containerized images are protected with different keys on different stages.
Key Name | Originator / Owner | Location | Function | Lifecycle Phase |
---|---|---|---|---|
IBM Key Pair | IBM |
|
|
|
Repository signing key pair | IBM |
|
|
Application build (First time) |
Image signing key pair | ISV or app developer |
|
|
|
Secure Build initialization key pair |
|
|
|
|
Secure Build manifest key pair | Secure Build container |
|
|
|
Monitoring infrastructure (server-side) key pair | Cloud admin |
|
|
|
Monitoring client key pair | Cloud admin |
|
|
|
GREP11 container key pair | Cloud admin |
|
|
|