Your suggested change has been received. Thank you.

close

Suggest A Change

https://thales.na.market.dpondemand.io/docs/dpod/services/kmo….

Thales Logo

All

  • All
back

Setting Up

Using a Signed and Verified CCC Container Image

search

Using a Signed and Verified CCC Container Image

Utilizing a signed and verified CCC container image significantly enhances the security and reliability of your system environment. It can help you mitigate security risks, build trust among users, and ensure compliance with industry standards and regulations. Follow these steps to use a signed and verified CCC container image:

Access the CCC package you've downloaded by following the instructions outlined on the Installing Crypto Command Center page.

Transfer the key file (key.pub) to the directory /home/ccc.

Create a directory named thalesdiscpl within the sigstore directory:

mkdir -p /var/lib/containers/sigstore/thalesdiscpl

Place the signature file (ccc@sha256=280dcb42613fbcaa7c3cfc6f38db873802484e96677b7881a1c6c7e51d488dda) in the newly created thalesdiscpl directory.

Open the policy.json file using the command vi /etc/containers/policy.json.

Change the value of type field from insecureAcceptAnything to reject in the policy.json file, implying that container images will be rejected if they do not meet certain security criteria: 

    "default": [
        {
            "type": "insecureAcceptAnything"
        }
    ],

Add the following code snippet above the line "registry.redhat.io": [:

            "docker.io/thalesdiscpl": [
                {
                    "keyType": "GPGKeys",
                    "type": "signedBy",
                    "keyPath": "/home/ccc/key.pub"
                }
            ],

Open the .yaml file using the command vi /etc/containers/registries.d/docker.io-thalesdiscpl.yaml and add the following code to the file:

docker:
  docker.io/thalesdiscpl:
    sigstore: file:///var/lib/containers/sigstore

Pull the CCC image by using podman pull docker.io/thalesdiscpl/ccc:4.2.0 (for Podman) or crictl pull docker.io/thalesdiscpl/ccc:4.2.0 (for Kubernetes or Helm).

Verify that the image pull operation was successful and that the desired container image has been properly loaded into the local environment by using the command podman images (for Podman) and crictl images (for Kubernetes or Helm), and then checking for the confirmation message:

Writing manifest to image destination
Storing signatures
Loaded image: docker.io/thalesdiscpl/ccc:4.2.0

Proceed to complete your CCC installation by referring to the relevant section on the Installing Crypto Command Center page, based on your deployment method. For Podman, follow steps 10 through 20. For Kubernetes, follow steps 11 through 21. For Helm, follow steps 12 through 21.

On this page