
This page describes how to monitor a running Network Identity Attestor (NIA) instance using the built-in health endpoint and Prometheus-compatible metrics endpoint. Network Identity Attestor is an Aembit Edge component deployed in VMware vSphere environments that verifies VM identity through the vCenter API and issues signed attestation documents for workload authentication.

  • Network Identity Attestor must be deployed and running in your VMware vSphere environment.
  • You need shell access to the NIA host (or network access to the NIA ports).

The NIA exposes a /health endpoint on the same port as the main API. This endpoint is always enabled and requires no configuration.

To check health status:

curl -k "https://<nia-host>/health"

Replace <nia-host> with the hostname or IP address of the NIA host.

A healthy response looks like:

{"status":"Healthy","version":"1.29.100"}

An unhealthy response indicates the NIA can’t communicate with the vCenter API:

{"status":"Unhealthy","version":"1.29.100"}

The most common cause of an unhealthy status is an expired or invalid vCenter API session.

Enable the Prometheus-compatible metrics endpoint

The metrics endpoint is off by default. After you enable it, the NIA exposes Prometheus-compatible metrics on a separate HTTP port.

Set the AEMBIT_METRICS_ENABLED environment variable before running the NIA installer:

export AEMBIT_METRICS_ENABLED=true

To enable metrics on an existing NIA installation, update the systemd unit environment and restart the service:

sudo systemctl edit aembit-netid-attestor.service

Add the following in the editor:

[Service]
Environment="AEMBIT_METRICS_ENABLED=true"

Then reload and restart:

sudo systemctl daemon-reload
sudo systemctl restart aembit-netid-attestor.service

By default, the metrics endpoint listens on port 9099. To use a different port, set the AEMBIT_METRICS_PORT environment variable. For example:

export AEMBIT_METRICS_PORT=9100

For the full list of metrics environment variables, see the Network Identity Attestation reference.

Configure Prometheus to scrape NIA metrics

Add the NIA as a scrape target in your Prometheus configuration. Edit your prometheus.yml file and add a job under scrape_configs:

scrape_configs:
  - job_name: 'aembit-nia'
    static_configs:
      - targets: ['<nia-host>:9099']

Replace <nia-host> with the hostname or IP address of the NIA VM.

If you changed the metrics port with AEMBIT_METRICS_PORT, use your configured port instead of 9099.

After enabling metrics, confirm the endpoint is responding and that counters increment correctly.

  1. Confirm the metrics endpoint is responding:

    curl "http://<nia-host>:9099/metrics"

    If you’ve enabled metrics, you’ll see Prometheus text format output similar to:

    # HELP request_count Total requests by endpoint, method, status.
    # TYPE request_count_total counter
    request_count_total{endpoint="/health",method="GET",status="200"} 1
    # HELP request_error_count Total request errors by endpoint, method, status.
    # TYPE request_error_count_total counter
    # HELP active_connections Current HTTP connections.
    # TYPE active_connections gauge
    active_connections 0
    # HELP vcenter_api_errors_count vCenter API errors.
    # TYPE vcenter_api_errors_count counter
    vcenter_api_errors_count 0

    If the connection is refused, you haven’t enabled metrics.

  2. Generate some request traffic by hitting the health endpoint a few times:

    curl -k "https://<nia-host>/health"
    curl -k "https://<nia-host>/health"
    curl -k "https://<nia-host>/health"

  3. Query the metrics endpoint and check that request_count_total reflects the requests:

    curl -s "http://<nia-host>:9099/metrics" | grep request_count_total

    You should see output like:

    # HELP request_count Total requests by endpoint, method, status.
    # TYPE request_count_total counter
    request_count_total{endpoint="/health",method="GET",status="200"} 3

  4. Confirm error counting by requesting a non-existent endpoint:

    curl -k "https://<nia-host>/nonexistent"
    curl -s "http://<nia-host>:9099/metrics" | grep request_error_count_total

    You should see an entry with a 404 status.
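The verification steps above combined into one script, added here as an example and not part of Aembit's tooling. The function names and the sample metrics are constructed for illustration, and the label set on request_error_count_total is assumed from its HELP text.

```shell
#!/bin/sh
# Added example (not Aembit code). The sample data below is constructed.
SAMPLE_METRICS='# TYPE request_count_total counter
request_count_total{endpoint="/health",method="GET",status="200"} 3
request_count_total{endpoint="/nonexistent",method="GET",status="404"} 1
# TYPE request_error_count_total counter
request_error_count_total{endpoint="/nonexistent",method="GET",status="404"} 1
vcenter_api_errors_count 0'

# Print the "status" field of the /health JSON read from stdin.
health_status() {
  sed -n 's/.*"status":"\([^"]*\)".*/\1/p'
}

# Sum the samples of metric $1 whose label set contains every remaining
# argument (e.g. 'status="404"'). Reads Prometheus text format from stdin.
metric_sum() {
  ms_name=$1; shift
  awk -v name="$ms_name" -v want="$*" '
    BEGIN { n = split(want, frags, " ") }
    /^#/ || NF == 0 { next }               # skip HELP/TYPE and blank lines
    {
      metric = $0; sub(/[{ ].*/, "", metric)
      if (metric != name) next
      for (i = 1; i <= n; i++) if (index($0, frags[i]) == 0) next
      sum += $NF
    }
    END { printf "%d\n", sum }'
}

# Steps 1-4 against a live NIA. $1 = host, $2 = metrics port (default 9099).
# -k mirrors the commands on this page; use --cacert <file> to verify the cert.
verify_nia() {
  vn_url="http://$1:${2:-9099}/metrics"
  [ "$(curl -sk "https://$1/health" | health_status)" = "Healthy" ] ||
    { echo "health check failed" >&2; return 1; }
  vn_before=$(curl -s "$vn_url" | metric_sum request_count_total 'endpoint="/health"' 'status="200"')
  for vn_i in 1 2 3; do curl -sk -o /dev/null "https://$1/health"; done
  curl -sk -o /dev/null "https://$1/nonexistent"
  vn_metrics=$(curl -s "$vn_url") || { echo "metrics endpoint unreachable" >&2; return 1; }
  vn_after=$(printf '%s\n' "$vn_metrics" | metric_sum request_count_total 'endpoint="/health"' 'status="200"')
  vn_404=$(printf '%s\n' "$vn_metrics" | metric_sum request_error_count_total 'status="404"')
  [ $((vn_after - vn_before)) -ge 3 ] || { echo "request_count_total did not advance" >&2; return 1; }
  [ "$vn_404" -ge 1 ] || { echo "no 404 recorded in request_error_count_total" >&2; return 1; }
  echo "ok: +$((vn_after - vn_before)) health requests, $vn_404 errors with status 404"
}

# Run against a host only when one is given on the command line.
if [ $# -ge 1 ]; then verify_nia "$@"; fi
```

Comparing the counter before and after the requests keeps the check valid on an NIA that has already served traffic, where the absolute value of request_count_total is not 3.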

For the full list of available metrics and their descriptions, see the Prometheus-compatible metrics reference.