Deploy CRDP as a Standalone Container
This article covers the steps involved in deploying CRDP as a standalone container in Docker. Refer to Alternative Deployment Methods for other methods of deploying CRDP.
Prerequisites
This deployment scenario assumes that:
Docker version 24.0.1 or higher is installed.
CipherTrust Manager 2.14 or higher is up and running. Refer to CipherTrust Manager Deployment for details.
On the CipherTrust Manager, a CRDP application is defined.
A registration token is generated. This registration token will be used to register the CRDP clients with CipherTrust Manager.
Refer to Defining applications in the Application Data Protection Administration document for details.
The CRDP image repository, thalesciphertrust/ciphertrust-restful-data-protection, is accessible. This repository contains the images for CRDP. The path for CRDP 1.1.0 is thalesciphertrust/ciphertrust-restful-data-protection:1.1.0.
Note
The image path with the latest tag (thalesciphertrust/ciphertrust-restful-data-protection:latest) always points to the latest release. Pin a versioned tag in deployment scripts so that a new release is not pulled unnoticed the next time the image is fetched.
Steps to deploy CRDP as a standalone container
Pull the CRDP image to the container environment.
docker pull thalesciphertrust/ciphertrust-restful-data-protection:1.1.0
Run CRDP in the container environment. The deployment command varies slightly with the communication protocol between the customer application and CRDP, which is selected with SERVER_MODE. The default protocol is tls-cert-opt. The three variants are given below.
SERVER_MODE=no-tls (no TLS; the application talks to CRDP over plain HTTP, so use this only on a network path you trust):
docker run -e KEY_MANAGER_HOST=<IP address or host name> -e REGISTRATION_TOKEN=<registration token> -p <host port>:8090 -e SERVER_MODE=no-tls <crdp image name>
Here,
<host port>: Any available port on the host machine, for example, 8080. CRDP listens on port 8090 inside the container.
<crdp image name>: Name of the CRDP image pulled earlier.
SERVER_MODE=tls-cert-opt (TLS with a server certificate; the client is not required to present a certificate):
docker run -e KEY_MANAGER_HOST=<IP address or host name> -e REGISTRATION_TOKEN=<registration token> -p <host port>:8090 -e SERVER_MODE=tls-cert-opt -e CERT_VALUE="<certificate value>" -e KEY_VALUE="<key value>" <crdp image name>
Here,
<host port>: Any available port on the host machine, for example, 8080.
<certificate value>: Contents of the server certificate.
<key value>: Contents of the private key that matches the server certificate.
<crdp image name>: Name of the CRDP image pulled earlier.
SERVER_MODE=tls-cert (mutual TLS; the client must present a certificate issued by the trusted CA):
docker run -e KEY_MANAGER_HOST=<IP address or host name> -e REGISTRATION_TOKEN=<registration token> -p <host port>:8090 -e SERVER_MODE=tls-cert -e CERT_VALUE="<certificate value>" -e KEY_VALUE="<key value>" -e TRUSTED_CA="<trusted ca>" <crdp image name>
Here,
<host port>: Any available port on the host machine, for example, 8080.
<certificate value>: Contents of the server certificate.
<key value>: Contents of the private key that matches the server certificate.
<trusted ca>: Contents of the trusted CA certificate.
Note
The client's certificate and key must be signed by the TRUSTED_CA; a client that cannot present such a certificate cannot connect in this mode.
<crdp image name>: Name of the CRDP image pulled earlier.
Note
For more information about the environment variables used in CRDP, refer to Environment Variables. Values passed with -e, including REGISTRATION_TOKEN and KEY_VALUE, are stored in the container configuration and are visible to anyone who can run docker inspect on the host, so restrict access to the Docker daemon accordingly.
It is not recommended to run the CRDP container in privileged mode; privileged mode removes most of the isolation between the container and the host.
Verify your deployment
Call the /healthz API in the form that matches the SERVER_MODE you deployed with:
SERVER_MODE=no-tls:
curl http://localhost:<host port>/healthz -H 'Content-Type: application/json' -X GET
SERVER_MODE=tls-cert-opt:
curl -k https://localhost:<host port>/healthz -H 'Content-Type: application/json' -X GET
SERVER_MODE=tls-cert:
curl --cert <cert.pem> --key <key.pem> -k https://localhost:<host port>/healthz -H 'Content-Type: application/json' -X GET
Here,
<cert.pem>: Path of the client certificate.
<key.pem>: Path of the key associated with the client certificate.
Note
The key file and the client certificate file should be in the PEM format. The -k option disables verification of the CRDP server certificate; it is acceptable for a local smoke test, but use --cacert <ca.pem> (the CA that issued the server certificate) when checking from another host or from a script.
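The whole procedure above (pull the pinned image, run CRDP in one of the three SERVER_MODE values, verify with /healthz) as one POSIX shell script. This is an added example, not code from the CRDP documentation or from Thales. The file paths (./server.pem and the others), the container name crdp, the -d --name flags and the 30-try health poll are this example's own assumptions, and KEY_MANAGER_HOST and REGISTRATION_TOKEN must be supplied by the operator. It reads the PEM contents from files into CERT_VALUE, KEY_VALUE and TRUSTED_CA instead of pasting them on the command line, refuses unknown modes, and verifies the server certificate with --cacert rather than -k.

```shell
#!/bin/sh
# Added example, not code from the CRDP documentation: pulls the pinned
# image, starts CRDP in the chosen SERVER_MODE and polls /healthz until it
# answers. Every host name, port, token, container name and file path here
# is a placeholder (assumption) the operator overrides via the environment.
set -eu

CRDP_IMAGE="${CRDP_IMAGE:-thalesciphertrust/ciphertrust-restful-data-protection:1.1.0}"
HOST_PORT="${HOST_PORT:-8080}"              # any free host port; CRDP listens on 8090 inside
CONTAINER_NAME="${CONTAINER_NAME:-crdp}"
# Assumed PEM file locations: server cert/key, CA that signed the client
# certificates (tls-cert only), CA used to verify the server certificate from
# the host, and a client cert/key pair for the tls-cert health check.
SERVER_CERT_FILE="${SERVER_CERT_FILE:-./server.pem}"
SERVER_KEY_FILE="${SERVER_KEY_FILE:-./server-key.pem}"
TRUSTED_CA_FILE="${TRUSTED_CA_FILE:-./client-ca.pem}"
SERVER_CA_FILE="${SERVER_CA_FILE:-./server-ca.pem}"
CLIENT_CERT_FILE="${CLIENT_CERT_FILE:-./client.pem}"
CLIENT_KEY_FILE="${CLIENT_KEY_FILE:-./client-key.pem}"

# Returns 0 only for the three SERVER_MODE values the product documents.
crdp_check_mode() {
    case "$1" in
        no-tls|tls-cert-opt|tls-cert) return 0 ;;
        *) return 1 ;;
    esac
}

# Prints the curl command that checks /healthz for a given mode. Unlike the
# quick checks in the docs, the TLS variants verify the server certificate
# with --cacert instead of passing -k; tls-cert also presents the client
# certificate because the server requires one in that mode.
crdp_health_cmd() {
    case "$1" in
        no-tls)       echo "curl -sS -X GET http://localhost:${HOST_PORT}/healthz" ;;
        tls-cert-opt) echo "curl -sS --cacert ${SERVER_CA_FILE} -X GET https://localhost:${HOST_PORT}/healthz" ;;
        tls-cert)     echo "curl -sS --cacert ${SERVER_CA_FILE} --cert ${CLIENT_CERT_FILE} --key ${CLIENT_KEY_FILE} -X GET https://localhost:${HOST_PORT}/healthz" ;;
        *)            echo "unknown SERVER_MODE: $1" >&2; return 1 ;;
    esac
}

# Starts CRDP detached. PEM contents are read from files at run time so no
# key material sits in shell history; anything passed with -e is still
# visible through `docker inspect` to every user who can reach the Docker
# socket, so restrict that access on the host.
crdp_start() {
    mode="$1"
    crdp_check_mode "$mode" || { echo "unknown SERVER_MODE: $mode" >&2; return 1; }
    : "${KEY_MANAGER_HOST:?set KEY_MANAGER_HOST}" "${REGISTRATION_TOKEN:?set REGISTRATION_TOKEN}"
    docker pull "$CRDP_IMAGE"
    case "$mode" in
        no-tls)
            docker run -d --name "$CONTAINER_NAME" -p "${HOST_PORT}:8090" \
                -e KEY_MANAGER_HOST="$KEY_MANAGER_HOST" -e REGISTRATION_TOKEN="$REGISTRATION_TOKEN" \
                -e SERVER_MODE=no-tls "$CRDP_IMAGE" ;;
        tls-cert-opt)
            [ -r "$SERVER_CERT_FILE" ] && [ -r "$SERVER_KEY_FILE" ] || { echo "server cert/key missing" >&2; return 1; }
            docker run -d --name "$CONTAINER_NAME" -p "${HOST_PORT}:8090" \
                -e KEY_MANAGER_HOST="$KEY_MANAGER_HOST" -e REGISTRATION_TOKEN="$REGISTRATION_TOKEN" \
                -e SERVER_MODE=tls-cert-opt \
                -e CERT_VALUE="$(cat "$SERVER_CERT_FILE")" -e KEY_VALUE="$(cat "$SERVER_KEY_FILE")" \
                "$CRDP_IMAGE" ;;
        tls-cert)
            [ -r "$SERVER_CERT_FILE" ] && [ -r "$SERVER_KEY_FILE" ] && [ -r "$TRUSTED_CA_FILE" ] \
                || { echo "server cert/key or trusted CA missing" >&2; return 1; }
            docker run -d --name "$CONTAINER_NAME" -p "${HOST_PORT}:8090" \
                -e KEY_MANAGER_HOST="$KEY_MANAGER_HOST" -e REGISTRATION_TOKEN="$REGISTRATION_TOKEN" \
                -e SERVER_MODE=tls-cert \
                -e CERT_VALUE="$(cat "$SERVER_CERT_FILE")" -e KEY_VALUE="$(cat "$SERVER_KEY_FILE")" \
                -e TRUSTED_CA="$(cat "$TRUSTED_CA_FILE")" "$CRDP_IMAGE" ;;
    esac
}

# Polls /healthz up to 30 times, two seconds apart; non-zero if it never answers.
crdp_wait_healthy() {
    cmd="$(crdp_health_cmd "$1")"
    i=0
    while [ "$i" -lt 30 ]; do
        if sh -c "$cmd" >/dev/null 2>&1; then echo "CRDP is healthy"; return 0; fi
        i=$((i + 1)); sleep 2
    done
    echo "CRDP not healthy after 60s; inspect with: docker logs $CONTAINER_NAME" >&2
    return 1
}

# Usage: KEY_MANAGER_HOST=cm.example.internal REGISTRATION_TOKEN=... \
#        sh deploy-crdp.sh deploy tls-cert
case "${1:-}" in
    deploy) crdp_start "${2:-tls-cert-opt}" && crdp_wait_healthy "${2:-tls-cert-opt}" ;;
    check)  crdp_wait_healthy "${2:-tls-cert-opt}" ;;
    "")     ;;   # no subcommand: only define the functions (e.g. when sourced)
    *)      echo "usage: $0 deploy|check [no-tls|tls-cert-opt|tls-cert]" >&2; exit 2 ;;
esac
```

Run it as sh deploy-crdp.sh deploy tls-cert with the two required variables exported; sh deploy-crdp.sh check tls-cert re-runs only the health poll against an already running container. The hostname cm.example.internal in the usage comment is a placeholder, not a real CipherTrust Manager address.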
Next steps
After the CRDP container is up and running, you can explore any of the following topics: