OpenShift Origin Container Application Integration


OpenShift Origin is a container application platform for Docker and Kubernetes. OpenShift Origin integrates with DPoD Luna Cloud HSM Service. This section demonstrates configuring DPoD to function in an OpenShift Origin Pod. A pod is one or more containers deployed together on one host, and the smallest compute unit that can be defined, deployed, and managed. Each pod is allocated its own internal IP address, therefore owning its entire port space, and containers within pods can share their local storage and networking.

This integration assumes that an OpenShift Origin Cluster with a configured registry, router, image streams, and default templates is deployed and operating on the host system.

You can deploy the OpenShift Origin Pod using Persistent Volume or a Task File.

Prerequisites

Before proceeding with the integration complete the following:

Provision Luna Cloud HSM service

Create a Luna Cloud HSM service in DPoD and transfer the Luna Cloud HSM service client to your host machine. Do not initialize the service. This step is included as part of the integration process.

Download and install Docker

You need to download and install Docker to use the Docker command line interface (CLI) to complete the integration. Visit the Docker documentation portal for detailed instructions and procedures for installing Docker on your system.

Setup Java Development Kit (JDK)

The example procedure at the end of the Docker Container Integration Guide uses the Java Development Kit (JDK) to demonstrate the Luna Cloud HSM service's functionality within a Docker Container. If you would like to complete this integration guide fully, install the Java Development Kit inside of the Docker Container.

We recommend you familiarize yourself with the Java Development Kit documentation before beginning the integration.

Integration

Method 1 - Deploying Pod Using Persistent Volume

Containers in OpenShift do not persist data. Every time you start an application, it starts in a new container created from an immutable Docker image, and any data written to the container's file system is lost when the container stops. As a result, if a container is rebuilt or restarted, its previous data is no longer available.

We recommend using a Persistent Volume, which can be shared by multiple pods at the same time.

Creating the DPoD Docker Image

To use a Luna Cloud HSM Service with OpenShift Origin you create and run the DPoD Docker Image. Create the Docker file and extract the Luna Cloud HSM Service inside of the Docker container.

Unzip the downloaded Luna Cloud HSM Service Client package and store the files in a directory named /clientfiles, excluding the certificates and the configuration file, which contain server and client identity information.

Store the certificates and the configuration file in a separate directory named /secrets.

Create the file Dockerfile in the current working directory and add the following:


FROM centos:centos7
RUN mkdir -p /usr/local/dpod
COPY clientfiles /usr/local/dpod
ENV ChrystokiConfigurationPath=/usr/local/dpod/secrets
CMD ["sh", "-c", "tail -f /dev/null"]
#End of the Dockerfile

Build the Docker Image using the Dockerfile.


docker build . -t dpod-image

Verify the Docker Image was created.


docker images

Log in to Docker Registry. Provide the username and password for Docker Registry when prompted.


docker login

Tag the Luna Cloud HSM Service Client build using the following command. Replace <username> with your Docker Registry username.


docker tag dpod-image <username>/dpod

Push the image to the docker hub.


docker push <username>/dpod

Configuring the Luna Cloud HSM Service inside OpenShift Origin

Configure the Luna Cloud HSM Service image for use inside OpenShift Origin.

Create a project in OpenShift.


oc new-project mylunaproject

Create an app within the project.


oc new-app --docker-image=<username>/dpod --name=mylunaapp

The application is automatically deployed to a pod.

List all pods and their status.


oc get pods

Verify the pod on the OpenShift Web Console.

Configuring pod to Run with Root Privileges

On the initial login to the pod console, the default user is non-root. Complete the following procedure to enable root permissions, allowing the user to execute the Luna client utilities.

Create a service account and associate it with the DPoD project.


oc login -u system:admin
oc create serviceaccount useroot
oc adm policy add-scc-to-user anyuid -z useroot -n mylunaproject

Apply the patch to the application.


oc patch dc/mylunaapp --patch \
'{"spec":{"template":{"spec":{"serviceAccountName": "useroot"}}}}'

This applies the patch to all pods. You can now run all pods with root privileges.

Adding Persistent Volume to the pod

The persistent volume is used to share the certificates and configuration file from the local host with all the pods. You can create the persistent volume using the command line interface or the OpenShift Origin Web portal.

Create persistent volume over the command line interface (CLI)

Run the following command to create persistent storage and mount it at /usr/local/dpod/secrets.


oc set volume dc/mylunaapp --add --name=tmp-mount --claim-name=mylunastorage --claim-mode="ReadWriteMany" --type pvc --claim-size=1G --mount-path /usr/local/dpod/secrets

Create persistent volume using the web interface

Log in to the OpenShift Origin web portal.

Navigate to the storage section of mylunaproject.

Click Create Storage.

Provide the following field values:


Name=mylunastorage

Access Mode=Shared Access (RWX)

Size=1GiB

Click Create. The persistent storage is created.

Navigate to the application mylunaapp and click Add storage to mylunaapp.

Select Storage as mylunastorage.

Provide the following field values:


Mount Path=/usr/local/dpod/secrets

Leave the Volume name and Subpath fields blank.

For this deployment config, do not select the "read only" or "pause rollout" options.

Click Add. All pods restart automatically.

Copying Secrets to Persistent Volume

Copy the secrets directory to the persistent volume added to the pods so that every pod has access to the certificates and configuration file needed to run the DPoD service.

Make the following changes to the Chrystoki.conf file before copying it to the storage, so that its paths point at the mounted location inside the pod:


sed -i -e 's#\./#/usr/local/dpod/#g' Chrystoki.conf
sed -i -e 's#partition-ca-certificate.pem#secrets/partition-ca-certificate.pem#g' -e 's#partition-certificate.pem#secrets/partition-certificate.pem#g' -e 's#server-certificate.pem#secrets/server-certificate.pem#g' Chrystoki.conf

Get the running pod name.


oc get pods

Select any currently running pod name, for example mylunaapp-1-v6jh9, and copy the secrets with the following command:


oc rsync /root/secrets mylunaapp-1-v6jh9:/usr/local/dpod/

Because the persistent storage is already mounted at /usr/local/dpod/secrets, the secrets are copied to the persistent storage and are available to all the pods.

Configuring the Luna Cloud HSM Service Client Inside pods

Deploy the Luna Cloud HSM Service Client inside of a pod. Execute the following on the terminal of a pod where you want to use the Luna Cloud HSM Service Client.

Open the terminal using the pod name.


oc rsh mylunaapp-1-v6jh9

Run LunaCM and verify the connection to the partition:


cd /usr/local/dpod/bin/64/
./lunacm

Initialize the application partition. This creates the Partition Security Officer (SO) and sets the initial password and cloning domain.


partition init -label <par_label>

Log in as Partition SO. You can also use the shortcut po.


role login -name Partition SO

Initialize the Crypto Officer role and set the initial password. You can also use the shortcut co.


role init -name Crypto Officer

The Partition SO can create the Crypto Officer, but only the Crypto Officer can create the Crypto User. Log out to allow the Crypto Officer to log in with the newly-set password.


role logout

Once the Crypto Officer logs in and changes the initial credential set by the Partition SO, applications using the CO's challenge secret/password can perform cryptographic operations in the partition. The Crypto Officer can create, modify and delete crypto objects within the partition, and use existing crypto objects (sign/verify). You can also create a limited-capability role called Crypto User that can use the objects created by the Crypto Officer, but cannot modify them. The separation of roles is important in some security regimes and operational situations, and where you might be required to satisfy audit criteria for industry or government oversight.

Log in as the Crypto Officer. You can also use the shortcut co.


role login -name Crypto Officer

The password for the Crypto Officer role is valid for the initial login only. You must change the initial password using the command role changepw during the initial login session, or a subsequent login. Failing to change the password will result in a CKR_PIN_EXPIRED error when you perform role-dependent actions.

If you have not already done so, change the initial password set by the Partition SO.


role changepw -name Crypto Officer

Create the Crypto User. You can also use the shortcut cu.


role init -name Crypto User

The Crypto User can now log in with the credentials provided by the Crypto Officer, and change the initial password. The Crypto User can now use applications to perform cryptographic operations using keys and objects created in the partition by the Crypto Officer.

You can scale the number of pods up or down as needed. For example, to run three replicas:


oc scale dc mylunaapp --replicas=3
oc get pods
NAME                READY     STATUS    RESTARTS     AGE
mylunaapp-1-v6jh9   1/1       Running   0            5m
mylunaapp-1-qnt5r   1/1       Running   0            18s
mylunaapp-1-rtn4f   1/1       Running   0            18s

This completes the integration of OpenShift Origin with a Luna Cloud HSM Service. To verify the integration with the Luna Cloud HSM Service, run any application in the Pod that uses the HSM. See Using the Luna Cloud HSM Service inside Docker Container for an application demonstration inside of OpenShift Origin pod using the DPoD Luna Cloud HSM Service.

Method 2 - Deploying Pod Using a Task File

Containers in OpenShift Origin can be deployed and configured using a task file. Compile the task file and deploy the OpenShift Origin pods.

Creating the DPoD Docker Image

To use a Luna Cloud HSM Service with OpenShift Origin you create and run the DPoD Docker Image. Create the Docker file and extract the Luna Cloud HSM Service Client inside of the Docker container.

Unzip the downloaded Luna Cloud HSM Service Client package and store the files in a directory named /clientfiles, excluding the certificates and the configuration file, which contain server and client identity information.

Store the certificates and the configuration file in a separate directory named /secrets.

Create the file Dockerfile in the current working directory and add the following:


FROM centos:centos7
RUN mkdir -p /usr/local/dpod
COPY clientfiles /usr/local/dpod
ENV ChrystokiConfigurationPath=/usr/local/dpod/secrets
CMD ["sh", "-c", "tail -f /dev/null"]
#End of the Dockerfile

Build the Docker Image using the Dockerfile.


docker build . -t dpod-image

Verify the Docker Image was created.


docker images

Log in to Docker Registry. Provide the username and password for Docker Registry when prompted.


docker login

Tag the Luna Cloud HSM Service Client build using the following command. Replace <username> with your Docker Registry username.


docker tag dpod-image <username>/dpod

Push the image to the docker hub.


docker push <username>/dpod

Configuring the Luna Cloud HSM Service inside OpenShift Origin

Configure the Luna Cloud HSM Service image for use inside OpenShift Origin.

Create a project in OpenShift.


oc new-project mylunaproject

Make changes to the Chrystoki.conf file in the /secrets directory using the following command.


sed -i -e 's#\./#/usr/local/dpod/#g' Chrystoki.conf
sed -i -e 's#partition-ca-certificate.pem#secrets/partition-ca-certificate.pem#g' -e 's#partition-certificate.pem#secrets/partition-certificate.pem#g' -e 's#server-certificate.pem#secrets/server-certificate.pem#g' Chrystoki.conf
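The following POSIX shell script is an added example, not code from the Thales guide or the DPoD client. It automates the host-side steps described in both methods of this guide (splitting the unzipped client package into the /clientfiles and /secrets layout, and the two sed rewrites of Chrystoki.conf shown above) and adds the checks a practitioner would want before building the image and copying the secrets: that no certificate or Chrystoki.conf is left in the directory the Dockerfile COPYs into an image layer, and that every certificate the rewritten configuration references actually exists in the staging directory. The function names are this example's own, and the configuration keys used in its comments and test (LibUNIX64, ServerCAFile, ClientCertFile, ClientCAFile) are a constructed sample, not the real Chrystoki.conf template.

```shell
#!/bin/sh
# Added example (not Thales/DPoD code): stage the Luna Cloud HSM client
# package for the Dockerfile layout used in this guide, rewrite
# Chrystoki.conf for the in-pod paths, and verify the certificate references.
set -eu

# Directory the Dockerfile copies the client files to; the Dockerfile's
# ENV ChrystokiConfigurationPath points at $DPOD_ROOT/secrets.
DPOD_ROOT=/usr/local/dpod

# Split an unzipped client package ($1) into $2/clientfiles (goes into the
# image) and $2/secrets (mounted at run time). Certificates and Chrystoki.conf
# carry server and partition identity material, so they must never be COPY'd
# into an image layer.
stage_client_package() {
  src="$1"; out="$2"
  mkdir -p "$out/clientfiles" "$out/secrets"
  cp -R "$src"/. "$out/clientfiles/"
  find "$out/clientfiles" -type f \( -name '*.pem' -o -name 'Chrystoki.conf' \) \
       -exec mv {} "$out/secrets/" \;
}

# Return non-zero if any secret material is still under the build context ($1).
assert_no_secrets_in_image_context() {
  n=$(find "$1" -type f \( -name '*.pem' -o -name 'Chrystoki.conf' \) | wc -l | tr -d ' ')
  [ "$n" -eq 0 ]
}

# Same two rewrites as the sed commands in the guide: relative ./ paths become
# $DPOD_ROOT/..., and the three certificate file names are moved under secrets/.
rewrite_chrystoki() {
  conf="$1"
  sed -i -e 's#\./#'"$DPOD_ROOT"'/#g' "$conf"
  sed -i -e 's#partition-ca-certificate.pem#secrets/partition-ca-certificate.pem#g' \
         -e 's#partition-certificate.pem#secrets/partition-certificate.pem#g' \
         -e 's#server-certificate.pem#secrets/server-certificate.pem#g' "$conf"
}

# Every $DPOD_ROOT/secrets/*.pem referenced by the rewritten conf ($1) must exist
# in the staging secrets directory ($2), which is what gets copied into the pod.
check_cert_refs() {
  conf="$1"; stage="$2"; missing=0
  for ref in $(grep -o "$DPOD_ROOT/secrets/[A-Za-z0-9._-]*\.pem" "$conf" | sort -u); do
    if [ ! -f "$stage/$(basename "$ref")" ]; then
      echo "missing certificate: $stage/$(basename "$ref") (referenced as $ref)" >&2
      missing=$((missing + 1))
    fi
  done
  [ "$missing" -eq 0 ]
}

# Usage: sh stage_dpod.sh <unzipped-client-dir> <staging-dir>
if [ "$#" -ge 2 ]; then
  stage_client_package "$1" "$2"
  assert_no_secrets_in_image_context "$2/clientfiles"
  rewrite_chrystoki "$2/secrets/Chrystoki.conf"
  check_cert_refs "$2/secrets/Chrystoki.conf" "$2/secrets"
  echo "staging OK: build the image from $2 and copy $2/secrets into the pod"
fi
```

Run it with the unzipped client package and an empty staging directory; it exits non-zero, with the offending file named on stderr, if secret material would end up in the image or if the configuration points at a certificate that is not in the secrets directory.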

Create a generic secret with the following command:


oc create secret generic mysecrets --from-file=/root/secrets/Chrystoki.conf --from-file=/root/secrets/partition-ca-certificate.pem --from-file=/root/secrets/partition-certificate.pem --from-file=/root/secrets/server-certificate.pem

Verify the secrets.


oc get secrets

Create a configuration file deploypod.yaml and add the following:


apiVersion: v1
kind: Pod
metadata:
  name: mylunaapp-pod
spec:
  containers:
    - image: '<username>/dpod'
      # Just spin & wait forever
      name: mylunaapp
      command: [ "/bin/bash", "-c", "--" ]
      args: [ "while true; do sleep 30; done;" ]
      volumeMounts:
        - name: lunasecret
          mountPath: /usr/local/dpod/secrets
          readOnly: true
  volumes:
    - name: lunasecret
      secret:
        secretName: mysecrets

Deploy the application using the new deployment file.


oc create -f deploypod.yaml

List all pods and their status.


oc get pods

Configuring pod to Run with Root Privileges

On the initial login to the pod console, the default user is non-root. Complete the following procedure to enable root permissions, allowing the user to execute the Luna client utilities.

Create a service account and associate it with the DPoD project.


oc login -u system:admin
oc create serviceaccount useroot
oc adm policy add-scc-to-user anyuid -z useroot -n mylunaproject

Apply the patch to the application.


oc patch dc/mylunaapp --patch \
'{"spec":{"template":{"spec":{"serviceAccountName": "useroot"}}}}'

This applies the patch to all pods. You can now run all pods with root privileges.

Configuring the Luna Cloud HSM Service Client inside pods

Deploy the Luna Cloud HSM Service Client inside of a pod. Execute the following on the terminal of a pod where you want to use the Luna Cloud HSM Service.

Open the terminal using the pod name.


oc rsh mylunaapp-1-v6jh9

Run LunaCM and verify the connection to the partition:


cd /usr/local/dpod/bin/64/
./lunacm

Initialize the application partition. This creates the Partition Security Officer (SO) and sets the initial password and cloning domain.


partition init -label <par_label>

Log in as Partition SO. You can also use the shortcut po.


role login -name Partition SO

Initialize the Crypto Officer role and set the initial password. You can also use the shortcut co.


role init -name Crypto Officer

The Partition SO can create the Crypto Officer, but only the Crypto Officer can create the Crypto User. You must log out to allow the Crypto Officer to log in with the newly-set password.


role logout

Once the Crypto Officer logs in and changes the initial credential set by the Partition SO, applications using the CO's challenge secret/password can perform cryptographic operations in the partition. The Crypto Officer can create, modify and delete crypto objects within the partition, and use existing crypto objects (sign/verify). You can also create a limited-capability role called Crypto User that can use the objects created by the Crypto Officer, but cannot modify them. The separation of roles is important in some security regimes and operational situations, and where you might be required to satisfy audit criteria for industry or government oversight.

Log in as the Crypto Officer. You can also use the shortcut co.


role login -name Crypto Officer

The password for the Crypto Officer role is valid for the initial login only. You must change the initial password using the command role changepw during the initial login session, or a subsequent login. Failing to change the password will result in a CKR_PIN_EXPIRED error when you perform role-dependent actions.

If you have not already done so, change the initial password set by the Partition SO.


role changepw -name Crypto Officer

Create the Crypto User. You can also use the shortcut cu.


role init -name Crypto User

The Crypto User can now log in with the credentials provided by the Crypto Officer, and change the initial password. The Crypto User can now use applications to perform cryptographic operations using keys and objects created in the partition by the Crypto Officer.

You can scale the number of pods up or down as needed. For example, to run three replicas:


oc scale dc mylunaapp --replicas=3
oc get pods
NAME                READY     STATUS    RESTARTS     AGE
mylunaapp-1-v6jh9   1/1       Running   0            5m
mylunaapp-1-qnt5r   1/1       Running   0            18s
mylunaapp-1-rtn4f   1/1       Running   0            18s

This completes the integration of OpenShift Origin with a Luna Cloud HSM Service. To verify the integration with the Luna Cloud HSM Service, run any application in the Pod that uses the HSM. See Using the Luna Cloud HSM Service inside Docker Container for an application demonstration inside of OpenShift Origin pod using the DPoD Luna Cloud HSM Service.