Deploy CRDP as a Standalone Container
This article covers the steps involved in deploying CRDP as a standalone container in Docker. Refer to Alternative Deployment Methods for other methods of deploying CRDP.
Prerequisites
This deployment scenario assumes that:
Docker version 24.0.1 or higher is installed.
CipherTrust Manager 2.14 or higher is up and running. Refer to CipherTrust Manager Deployment for details.
The "web" interface port of CipherTrust Manager is open to allow communication with the host where you want to deploy CRDP.
On the CipherTrust Manager, a CRDP application is defined.
A registration token is generated. This registration token will be used to register the CRDP clients with CipherTrust Manager.
Refer to Defining applications in the Application Data Protection Administration document for details.
CRDP image repository, thalesciphertrust/ciphertrust-restful-data-protection, is accessible. This repository contains images for CRDP.
The path for CRDP 1.2.1 is thalesciphertrust/ciphertrust-restful-data-protection:1.2.1.
Note
The image path with the latest tag (thalesciphertrust/ciphertrust-restful-data-protection:latest) always points to the latest release.
Steps to Deploy CRDP as Standalone Container
Pull the CRDP image to the container environment.
docker pull thalesciphertrust/ciphertrust-restful-data-protection:1.2.1
Run CRDP in the container environment. The deployment command varies slightly based on the communication protocol used between the customer application and CRDP. The default protocol is tls-cert-opt.
For SERVER_MODE=no-tls:
docker run -e KEY_MANAGER_HOST=<IP address or host name> -e REGISTRATION_TOKEN=<registration token> -p <host port>:8090 -p <probes port>:8080 -e SERVER_MODE=no-tls <crdp image name>
Here,
<host port>: Any available port on the host machine, for example, 8080.
<probes port>: Any available port on the host machine, mapped to the container's probes port 8080.
<crdp image name>: Name of the CRDP image pulled earlier.
For SERVER_MODE=tls-cert-opt:
docker run -e KEY_MANAGER_HOST=<IP address or host name> -e REGISTRATION_TOKEN=<registration token> -p <host port>:8090 -p <probes port>:8080 -e SERVER_MODE=tls-cert-opt -e CERT_VALUE="<certificate value>" -e KEY_VALUE="<key value>" <crdp image name>
Here,
<host port>: Any available port on the host machine, for example, 8080.
<probes port>: Any available port on the host machine, mapped to the container's probes port 8080.
<certificate value>: Value of the server certificate.
<key value>: Value of the key.
<crdp image name>: Name of the CRDP image pulled earlier.
For SERVER_MODE=tls-cert:
docker run -e KEY_MANAGER_HOST=<IP address or host name> -e REGISTRATION_TOKEN=<registration token> -p <host port>:8090 -p <probes port>:8080 -e SERVER_MODE=tls-cert -e CERT_VALUE="<certificate value>" -e KEY_VALUE="<key value>" -e TRUSTED_CA="<trusted ca>" <crdp image name>
Here,
<host port>: Any available port on the host machine, for example, 8080.
<probes port>: Any available port on the host machine, mapped to the container's probes port 8080.
<certificate value>: Value of the server certificate.
<key value>: Value of the key.
<trusted ca>: Value of the trusted CA.
Note
The client must have the certificate and key signed by the TRUSTED_CA.
<crdp image name>: Name of the CRDP image pulled earlier.
Note
For more information about environment variables used in CRDP, refer to Environment Variables.
It is not recommended to run the CRDP container in privileged mode.
Verify your Deployment
To verify your deployment, you can call the healthz API.
curl http://localhost:<probes port>/healthz -H 'Content-Type: application/json' -X GET
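As an added example (not part of the Thales documentation or the CRDP project), the following POSIX shell helper assembles the docker run command for any of the three SERVER_MODE values above, refuses to start when a mode's certificate inputs are missing, passes the registration token and key material through the environment rather than on the command line, and then polls the healthz probe until the container answers. The image tag, environment variable names and container ports 8090/8080 are the page's; the function names, the environment pass-through convention and the CRDP_DEMO usage gate are assumptions of this example.

```shell
#!/bin/sh
# Added example, not Thales' own tooling: build the "docker run" line for one
# CRDP SERVER_MODE, refuse to start if that mode's inputs are missing, then
# wait on the healthz probe. Variable names and ports come from the deployment
# steps; function names and the CRDP_IMAGE pin are assumptions made here.

# Pin the release tag rather than :latest so redeployments are reproducible.
CRDP_IMAGE="thalesciphertrust/ciphertrust-restful-data-protection:1.2.1"

# need NAME ...: return 1 (with a message on stderr) if any named variable is empty.
need() {
  for v in "$@"; do
    eval "val=\${$v:-}"
    [ -n "$val" ] || { echo "$v is required for SERVER_MODE=$mode" >&2; return 1; }
  done
}

# crdp_run_cmd MODE HOST_PORT PROBES_PORT
# Reads KEY_MANAGER_HOST and REGISTRATION_TOKEN (plus CERT_VALUE/KEY_VALUE for
# the TLS modes and TRUSTED_CA for tls-cert) from the environment and prints
# the docker run command on stdout. Secrets are emitted as bare "-e NAME":
# Docker then copies the value from the calling environment, so the token and
# key material never appear in the command line, shell history or ps output.
# No --privileged flag is ever emitted (the page advises against it).
crdp_run_cmd() {
  mode=$1; host_port=$2; probes_port=$3
  need KEY_MANAGER_HOST REGISTRATION_TOKEN || return 1
  cmd="docker run -e KEY_MANAGER_HOST=$KEY_MANAGER_HOST -e REGISTRATION_TOKEN"
  cmd="$cmd -p $host_port:8090 -p $probes_port:8080 -e SERVER_MODE=$mode"
  case $mode in
    no-tls) ;;
    tls-cert-opt)
      need CERT_VALUE KEY_VALUE || return 1
      cmd="$cmd -e CERT_VALUE -e KEY_VALUE" ;;
    tls-cert)
      need CERT_VALUE KEY_VALUE TRUSTED_CA || return 1
      cmd="$cmd -e CERT_VALUE -e KEY_VALUE -e TRUSTED_CA" ;;
    *) echo "unknown SERVER_MODE: $mode" >&2; return 1 ;;
  esac
  echo "$cmd $CRDP_IMAGE"
}

# crdp_wait_healthy PROBES_PORT [ATTEMPTS]
# Polls the healthz probe (2 s apart) until it returns HTTP 200 or gives up.
crdp_wait_healthy() {
  port=$1; attempts=${2:-30}; i=0
  while [ "$i" -lt "$attempts" ]; do
    code=$(curl -s -o /dev/null -w '%{http_code}' -H 'Content-Type: application/json' \
           -X GET "http://localhost:$port/healthz")
    [ "$code" = 200 ] && return 0
    i=$((i + 1)); sleep 2
  done
  echo "CRDP did not become healthy on port $port after $attempts attempts" >&2
  return 1
}

# Usage (assumed gate so the functions above can also be sourced for testing):
#   CRDP_DEMO=1 KEY_MANAGER_HOST=cm.example REGISTRATION_TOKEN=... sh crdp.sh tls-cert-opt 8090 8080
if [ "${CRDP_DEMO:-}" = 1 ]; then
  cmd=$(crdp_run_cmd "$1" "$2" "$3") || exit 1
  # Run detached (-d) so we can poll the probe; the rest is the page's command.
  eval "docker run -d ${cmd#docker run }" || exit 1
  crdp_wait_healthy "$3"
fi
```

The bare "-e NAME" form is standard Docker behaviour: when no value is given, Docker takes it from the environment of the process running docker run, which keeps the registration token and PEM material out of shell history and process listings. The generated command adds nothing beyond the page's own flags, so the container still runs unprivileged.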
Next Steps
After the CRDP container is up and running, you can explore any of the following topics: