Control Service

Port table

Description	Transport	Port	Application protocol
Service resolution	UDP/SCION	30252	Resolution protobufs
Control-plane (inter-AS) Discovery API	UDP/SCION	random	QUIC + gRPC with HTTP/2
Control-plane (intra-AS) Health API	TCP	30252	gRPC with HTTP/2
Monitoring	TCP	30452	HTTP/2

Metrics

Warning

The list of control service metrics is incomplete.

Renewal

Renewal requests

Name: renewal_received_requests_total

Type: Counter

Description: Total number of certificate renewal requests served. Only for control services with CA functionality enabled.

Labels: result.

Renewal requests per handler type

Name: renewal_handled_requests_total

Type: Counter

Description: Total number of renewal requests served by each handler type (legacy, in-process, delegating).

Labels: type and result.

Note

The sum of all renewal_handled_requests_total is not necessarily equal to the sum of all renewal_received_requests_total. This is because renewal_received_requests_total counts all incoming request and renewal_handled_requests_total only counts requests that could have been parsed and delegated to a handler.

Renewal request registered handlers

Name: renewal_registered_handlers

Type: Gauge

Description: Exposes which handler type (legacy, in-process, delegating) is registered.

Labels: type.

TRC local filesystem writes

Name: trustengine_trc_file_writes_total

Type: Counter

Description: Total number of TRC local filesystem write results. A result can be one of (ok_success, err_write, err_stat).

Labels: result.

HTTP API

The HTTP API is exposed by the control application on the IP address and port of the metrics.prometheus configuration setting.

The HTTP API does not support user authentication or HTTPS. Applications will want to firewall this port or bind to a loopback address.

In addition to the common HTTP API, the control application supports the following API calls:

• /topology (EXPERIMENTAL)

  • Method GET. Prints a JSON representation of current topology state, displayed in a format that is similar to the topology file. Note that there are slight differences between the output format and the topology file format, which means the output cannot be copy/pasted and used as a topology file.

• /signer (EXPERIMENTAL)

  • Method GET. Prints JSON data about the Subject Key (i.e., the key used by the application to sign messages) and the TRC in use, in addition to other miscellaneous data that is relevant for signing. Private keys are not printed. Example output:

    {
      "subject": {
        "isd_as": "1-ff00:0:110"
      },
      "subject_key_id": "21 36 9B 82 D3 B9 90 58 16 D0 90 C0 15 66 C3 DC 0E 46 A5 9B",
      "expiration": "2021-09-28T13:19:16Z",
      "trc_id": {
        "isd": 1,
        "base_number": 1,
        "serial_number": 1
      },
      "chain_validity": {
        "not_before": "2020-09-28T13:19:16Z",
        "not_after": "2021-09-28T13:19:16Z"
      },
      "in_grace_period": false
    }
    

For ASes that operate as CAs, the following API calls are also exposed:

• /ca (EXPERIMENTAL)

  • Method GET. Prints JSON data about the Subject Key (i.e., the key used by the CA to sign certificates) and the CA policy. Example output:

    {
      "subject": {
        "isd_as": "1-ff00:0:110"
      },
      "subject_key_id": "8C 5A 07 FF 83 F7 C8 69 0A 28 01 4F CF 0F BF AB FF D5 E6 FF",
      "policy": {
        "chain_lifetime": "72h0m0s"
      },
      "cert_validity": {
        "not_before": "2020-09-28T13:19:16Z",
        "not_after": "2022-09-28T13:19:16Z"
      }
    }