System requirements
Network Identity Attestor (NIA) is an Aembit Edge component deployed in VMware vSphere environments that verifies VM identity through the vCenter API and issues signed attestation documents for workload authentication. To run it you must have the following:
- Operating System: Ubuntu 24.04 or later.
- Root privileges: Execute the installation as the root user or with equivalent privileges.
Certificate requirements
Attestation signing certificate
The attestation signing certificate has specific requirements that differ from standard TLS certificates:
- Key type: Must be an RSA key pair (ECDSA and Ed25519 aren’t supported in the initial release)
- Key usage: Must support digital signatures
- CA constraint: Must NOT be a Certificate Authority (CA) certificate
- Chain: Single certificate only (no chain required)
- Common Name: Doesn’t need to match a DNS name
- Subject Alternative Name (SAN): Not required
TLS certificate
The TLS certificate functions like a standard TLS certificate:
- Common Name (CN): Required, should match the NIA hostname
- Subject Alternative Name (SAN): Required
- Chain: Full certificate chain required (leaf certificate first, followed by intermediates)
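Added example, not part of the Aembit documentation or installer: a POSIX shell pre-flight that checks a signing certificate file and a TLS chain file against the two rule lists above before you point AEMBIT_ATTESTATION_SIGNING_CERTIFICATE_PATH and TLS_PEM_PATH at them. It assumes the openssl CLI is present on the NIA VM; the sample certificates it generates are constructed, self-signed test material (hypothetical names, not a real PKI) and the chain check is structural only, it does not validate signatures.

```shell
# Added pre-install check, not part of the Aembit installer: tests PEM files against the
# certificate rules listed above (structure only, no signature validation). Assumes the openssl CLI.
pass() { echo "PASS $1"; }
fail() { echo "FAIL $1"; rc=1; }
cert_text() { openssl x509 -in "$1" -noout -text 2>/dev/null; }   # decodes the FIRST cert in the file
ext_val() { printf '%s\n' "$1" | grep -A1 "X509v3 $2:" | tail -n 1; } # value line of an X509v3 extension
n_certs() { grep -c -- '-----BEGIN CERTIFICATE-----' "$1"; }

# Attestation signing certificate: RSA, digitalSignature, not a CA, exactly one cert in the file.
check_signing_cert() {
  rc=0; t=$(cert_text "$1") || { fail "cannot parse $1"; return 1; }
  case "$t" in *'Algorithm: rsaEncryption'*) pass "RSA key" ;; *) fail "key is not RSA" ;; esac
  case "$(ext_val "$t" 'Key Usage')" in *'Digital Signature'*) pass "digitalSignature usage" ;;
    *) fail "no digitalSignature key usage (missing extension counts as a failure)" ;; esac
  case "$(ext_val "$t" 'Basic Constraints')" in *CA:TRUE*) fail "is a CA cert" ;; *) pass "not a CA" ;; esac
  [ "$(n_certs "$1")" -eq 1 ] && pass "single cert in file" || fail "file must hold exactly one cert"
  return $rc
}

# TLS certificate: CN and SAN present, full chain with the leaf (a non-CA cert) first.
check_tls_cert() {
  rc=0; t=$(cert_text "$1") || { fail "cannot parse $1"; return 1; }
  case "$(openssl x509 -in "$1" -noout -subject)" in *CN*) pass "CN present" ;; *) fail "no CN" ;; esac
  case "$t" in *'Subject Alternative Name'*) pass "SAN present" ;; *) fail "no SAN" ;; esac
  case "$(ext_val "$t" 'Basic Constraints')" in *CA:TRUE*) fail "first cert is a CA; leaf must come first" ;;
    *) pass "leaf first" ;; esac
  [ "$(n_certs "$1")" -ge 2 ] && pass "chain includes intermediates" || fail "full chain required"
  return $rc
}

# Constructed sample input (hypothetical names): a self-signed cert with the given key algorithm,
# CA flag and optional SAN, written to DIR/NAME.crt. Not a real PKI, just enough to exercise the checks.
make_sample_cert() {  # make_sample_cert DIR NAME ALG CA:TRUE|CA:FALSE [SAN]
  printf '[req]\ndistinguished_name=dn\nprompt=no\n[dn]\nCN=nia-test-%s\n[ext]\n' "$2" > "$1/$2.cnf"
  printf 'keyUsage=critical,digitalSignature\nbasicConstraints=critical,%s\n' "$4" >> "$1/$2.cnf"
  [ -n "$5" ] && printf 'subjectAltName=%s\n' "$5" >> "$1/$2.cnf"
  openssl req -x509 -newkey "$3" -nodes -days 1 -config "$1/$2.cnf" -extensions ext \
    -keyout "$1/$2.key" -out "$1/$2.crt" >/dev/null 2>&1
}
```

Run `check_signing_cert /tmp/signing.crt` and `check_tls_cert /tmp/tls.crt` against your real files; a non-zero exit means at least one rule on this page is not met.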
Environment variables
The following environment variables are used when setting up Network Identity Attestor:
TLS_PEM_PATH (Required)
Default - not set
Path to the TLS certificate file (PEM format) used for HTTPS connections.
You must manually provide a valid TLS certificate file on the NIA VM. The installer copies this file to a secure location; it doesn’t generate the certificate for you. After installation, you may remove the original file.
Example: /tmp/tls.crt
TLS_KEY_PATH (Required)
Default - not set
Path to the TLS private key file (PEM format) corresponding to the certificate you set in the TLS_PEM_PATH variable.
The Network Identity Attestor installer uses systemd-creds to copy and encrypt sensitive values from environment variables to a secure systemd-managed location. This ensures secrets are never stored in plain text and are only accessible to the attestor service at runtime.
Example: /tmp/tls.key
AEMBIT_ATTESTATION_SIGNING_KEY_PATH (Required)
Default - not set
The private key used for signing attestation documents.
Example: /tmp/signing.key
AEMBIT_ATTESTATION_SIGNING_CERTIFICATE_PATH (Required)
Default - not set
The path to the attestation signing certificate. This is the certificate corresponding to the signing key set as the value for AEMBIT_ATTESTATION_SIGNING_KEY_PATH.
Example: /tmp/signing.crt
AEMBIT_VCENTER_URL (Required)
Default - not set
The URL of the vCenter server (VMware vCenter Server is a centralized management platform for VMware vSphere environments that provides VM lifecycle management, monitoring, and APIs for querying VM metadata such as UUIDs and MAC addresses). This is the endpoint the Network Identity Attestor uses to communicate with vCenter.
Example: https://vcenter.example.com
AEMBIT_VCENTER_CREDENTIALS_FILE
Default - not set (installer prompts for credentials)
The path to the vCenter credentials file. The file should contain credentials in the format username:password. If not provided, the installer prompts for credentials during installation.
The service uses this file to authenticate with the vCenter database.
Example: /tmp/vcenter_credentials
AEMBIT_VCENTER_HTTP_CACHE_EXPIRATION_SECS
Default - 30
The number of seconds the NIA caches vCenter API responses before discarding them. Set to 0 to disable caching (useful for debugging).
Example: 60
AEMBIT_LOG_LEVEL
Default - info
The service log level. Controls the verbosity of logs. Typical values: debug, info, warn, error.
Example: debug
AEMBIT_NETID_LISTENER_IP
Default - 0.0.0.0
Specifies the IP address that the Network Identity Attestor binds to and listens on for incoming connections. The default, 0.0.0.0, binds every interface on the host.
By setting this variable, you can restrict the NIA to listen only on a specific network interface. This is useful in environments with multiple Network Interface Cards (NICs); for example, VMware VMs with more than one network segment can benefit from this setting. To make Network Identity Attestor reachable from a particular subnet or network only, set this to the IP address assigned to the relevant NIC.
Example: 192.168.1.100
AEMBIT_NETID_LISTENER_PORT
Default - 443
Specifies the TCP port that the Network Identity Attestor service listens on for incoming HTTPS connections. Change this if you need the service to listen on a non-standard port, for example to avoid conflicts or comply with network policies.
Example: 8443
AEMBIT_LOG_NAMESPACE
Default - aembit_netid_attestor
Specifies the namespace under which systemd’s journald logging system records logs from the Network Identity Attestor service.
By default, journald groups all logs from the Network Identity Attestor under the aembit_netid_attestor namespace. If you set AEMBIT_LOG_NAMESPACE to a custom value, journald records logs under that custom namespace instead. This is useful if you run multiple instances of the attestor on the same host, or if you want to segregate logs for easier searching and analysis.
Example: my_custom_namespace