OpenShift Container Platform
Red Hat® OpenShift® is a CNCF-certified Kubernetes platform and distribution solution, providing a consistent hybrid cloud infrastructure for building and scaling containerized applications. Luna HSMs enhance the security of OpenShift environments by enabling secure key storage and cryptographic operations, ensuring the protection of containerized applications.
The key benefits of integrating Luna HSMs with OpenShift container-based applications include:
- Secure generation, storage, and protection of the identity signing private keys using either FIPS 140-2 or FIPS 140-3 Level 3 validated hardware.
- Full life cycle management of the keys to ensure their integrity and reliability throughout their usage.
- Maintenance of a comprehensive HSM audit trail for transparency and accountability in key operations. Note that the Luna Cloud HSM service does not have access to this secure audit trail.
- Significant performance enhancements by offloading cryptographic operations from application servers.
Supported Platforms
This integration has been tested and verified on the following platforms:
HSM Type       | OpenShift Container Platform
---------------|-----------------------------
Luna HSM       | 4.6
Luna Cloud HSM | 4.6
Prerequisites
The prerequisites for this integration are:
Configure OpenShift Container Platform
For installation and deployment instructions, consult the official OpenShift Documentation.
Set up Luna HSM
Choose your setup option: On-Premise Luna HSM or Luna Cloud HSM, and follow the corresponding steps to get started.
Set up On-Premise Luna HSM
Note
The steps provided here use LunaClient-Minimal-10.3.0-275 as an example. However, this integration is version-independent and can be used with any version of OpenShift and the Luna Client to connect to the Luna HSM from OpenShift containers.
To configure Luna HSM with the OpenShift Container Platform, follow these steps:
1. Ensure the HSM is set up, initialized, provisioned, and ready for deployment.
2. Connect to a Red Hat Enterprise Linux (RHEL) system (RHEL7/RHEL8/RHEL CoreOS) as a user with administrative privileges.
3. Copy the LunaClient Minimal tar file to a suitable location.
4. Create a directory where you will extract the file. For example:
mkdir -p /var/usrlocal/luna
5. Extract the LunaClient Minimal tar file into /var/usrlocal/luna:
tar xvf LunaClient-Minimal-10.3.0-275.x86_64.tar --strip 1 -C /var/usrlocal/luna
6. Navigate to the Luna directory:
cd /var/usrlocal/luna/
7. Create a directory for certificates and configuration files:
mkdir -p /var/usrlocal/luna/config/certs
8. Copy the configuration template file to the config directory:
cp /var/usrlocal/luna/Chrystoki-template.conf /var/usrlocal/luna/config/Chrystoki.conf
9. Set the ChrystokiConfigurationPath environment variable:
export ChrystokiConfigurationPath=/var/usrlocal/luna/config
10. Update the PATH environment variable to include the LunaClient utilities:
export PATH="/var/usrlocal/luna/bin/64:${PATH}"
11. Modify the Chrystoki.conf file using the configurator utility:
configurator setValue -s Chrystoki2 -e LibUNIX -v /var/usrlocal/luna/libs/64/libCryptoki2.so
configurator setValue -s Chrystoki2 -e LibUNIX64 -v /var/usrlocal/luna/libs/64/libCryptoki2_64.so
configurator setValue -s Misc -e ToolsDir -v /var/usrlocal/luna/bin/64
configurator setValue -s "LunaSA Client" -e SSLConfigFile -v /var/usrlocal/luna/openssl.cnf
configurator setValue -s "LunaSA Client" -e ClientPrivKeyFile -v /var/usrlocal/luna/config/certs/dockerclientKey.pem
configurator setValue -s "LunaSA Client" -e ClientCertFile -v /var/usrlocal/luna/config/certs/dockerclient.pem
configurator setValue -s "LunaSA Client" -e ServerCAFile -v /var/usrlocal/luna/config/certs/CAFile.pem
configurator removeSection -s "Secure Trusted Channel"
Note
You can alternatively use any text editor to modify the Chrystoki.conf file manually.
12. Create a Luna HSM Client certificate for the containers:
vtl createCert -n dockerclient
Here, dockerclient is the name of the client certificate.
13. Copy the client certificate to the Luna Network HSM appliance:
scp /var/usrlocal/luna/config/certs/dockerclient.pem admin@10.124.143.158:
Here, 10.124.143.158 is the HSM appliance's IP address.
14. Copy the Luna HSM server certificate (server.pem) to the config directory:
scp admin@10.124.143.158:server.pem /var/usrlocal/luna/config/certs/
15. Register the Luna HSM server certificate with the client:
vtl addServer -c /var/usrlocal/luna/config/certs/server.pem -n 10.124.143.158
16. Connect to the Luna Network HSM appliance via SSH and log in to LunaSH:
ssh admin@10.124.143.158
Provide the admin password when prompted.
17. Register the client with the Luna HSM:
client register -client dockerclient -hostname dockerclient
18. Create a partition on the HSM (if none exists):
partition create -partition <partition_name>
19. Assign the partition to the client:
client assignPartition -partition <partition_name> -client dockerclient
Here, <partition_name> is a placeholder for the name of the partition the containers will use.
20. To use multiple containers with the same IP address, disable ntls ipcheck so that the containers are not treated as the same client by the HSM:
ntls ipcheck disable
21. For multiple containers with unique IP addresses, enable ntls ipcheck; each container is then treated as a separate client and requires its own configuration file and unique certificates:
ntls ipcheck enable
22. Exit the HSM SSH session:
exit
23. On the client workstation, start LunaCM:
lunacm
You should see output similar to the following:
lunacm (64-bit) v10.3.0-275. Copyright (c) 2020 SafeNet. All rights reserved.

Available HSMs:

Slot Id ->              0
Label ->
Serial Number ->        1238686731875
Model ->                LunaSA 7.7.1
Firmware Version ->     7.7.1
Bootloader Version ->   1.1.2
Configuration ->        Luna User Partition With SO (PW) Key Export With Cloning Mode
Slot Description ->     Net Token Slot
FM HW Status ->         Non-FM

Current Slot Id: 0
24. Initialize the Crypto Officer and Crypto User roles for the registered partition.
Note
For detailed steps on partition initialization and role management, refer to the Luna Network HSM documentation.
25. Create a Dockerfile in the /var/usrlocal/ directory:
FROM registry.access.redhat.com/ubi8/ubi:latest
# For UBI 7, use:
# FROM registry.access.redhat.com/ubi7/ubi:latest
RUN mkdir -p /var/usrlocal/luna
COPY luna /var/usrlocal/luna
ENV ChrystokiConfigurationPath=/var/usrlocal/luna/config
ENV PATH="/var/usrlocal/luna/bin/64:${PATH}"
ENTRYPOINT /bin/bash
Note
You can store the configuration files and certificates located in /var/usrlocal/luna/config on a secure NFS server and mount them when running the pod.
Set up Luna Cloud HSM
Follow these steps to set up your Luna Cloud HSM:
1. Log in to any RHEL 7, RHEL 8, or RHEL CoreOS host as a user with administrative privileges.
2. Use pscp, scp, or another secure method to transfer the downloaded .zip file to your client workstation.
3. Choose a directory where the file will be extracted. For example:
mkdir -p /var/usrlocal/luna
4. Extract the contents of the .zip file into /var/usrlocal/luna:
unzip setup-.zip -d /var/usrlocal/luna
5. Change to the directory where the files were extracted:
cd /var/usrlocal/luna/
6. Untar the cvclient-min.tar file to extract the necessary client files:
tar xvf cvclient-min.tar
7. Execute the setenv script to generate a new configuration file containing the information required for connecting to the Luna Cloud HSM service:
source ./setenv
8. Run the LunaCM utility to ensure that the Cloud HSM service is listed:
bin/64/lunacm
You should see the available HSMs listed in the output.
9. Initialize the Crypto Officer and Crypto User roles. Follow the detailed instructions in the Luna Cloud HSM documentation for initializing these roles and managing user access for the registered partition.
10. In the /var/usrlocal/ directory, create a Dockerfile to set up the Luna environment within a container:
FROM registry.access.redhat.com/ubi8/ubi:latest
# For UBI 7, use:
# FROM registry.access.redhat.com/ubi7/ubi:latest
RUN mkdir -p /var/usrlocal/luna
COPY luna /var/usrlocal/luna
ENV ChrystokiConfigurationPath=/var/usrlocal/luna
ENV PATH="/var/usrlocal/luna/bin/64:${PATH}"
ENTRYPOINT /bin/bash
Note
You can store the configuration files and certificates located in the /var/usrlocal/luna directory on a secured NFS server and mount it when running the pod for easier management.
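Before either Dockerfile copies the client directory into an image, it is worth checking that the configuration directory matches what the steps above produced and that the client private key is not group- or world-readable, since "COPY luna" ships it in every copy of the image. The script below is an added example, not part of the Thales documentation: it parses Chrystoki.conf itself, assumes GNU stat, covers the on-premise layout (config under /var/usrlocal/luna/config) and skips the LunaSA Client checks for a Luna Cloud HSM layout, which has no such section.

```shell
#!/usr/bin/env bash
# Preflight check of the Luna client config directory before "COPY luna" bakes it into
# the image. Added example, not Thales code. Assumes the Chrystoki.conf layout written by
# the configurator step and GNU stat; a Luna Cloud HSM config lacks "LunaSA Client" (skipped).
# conf_get <Chrystoki.conf> <section> <entry>: print the entry's value, or nothing
conf_get() {
  awk -v sec="$2" -v key="$3" '
    /=[[:space:]]*[{][[:space:]]*$/ { s=$0; sub(/[[:space:]]*=.*/, "", s); sub(/^[[:space:]]*/, "", s); cur=s; next }
    /^[[:space:]]*[}]/ { cur=""; next }
    cur==sec && index($0, "=") {
      k=$0; sub(/[[:space:]]*=.*/, "", k); sub(/^[[:space:]]*/, "", k)
      if (k==key) { v=$0; sub(/^[^=]*=[[:space:]]*/, "", v); sub(/[[:space:]]*;[[:space:]]*$/, "", v); print v; exit }
    }' "$1"
}
# luna_preflight <ChrystokiConfigurationPath>: returns 0 only if every check passes
luna_preflight() {
  conf="$1/Chrystoki.conf"; rc=0
  [ -r "$conf" ] || { echo "missing $conf"; return 1; }
  lib=$(conf_get "$conf" Chrystoki2 LibUNIX64)
  [ -f "$lib" ] || { echo "LibUNIX64 not found: $lib"; rc=1; }
  for e in ClientCertFile ServerCAFile ClientPrivKeyFile; do
    f=$(conf_get "$conf" "LunaSA Client" "$e")
    [ -n "$f" ] && [ ! -f "$f" ] && { echo "$e not found: $f"; rc=1; }
  done
  key=$(conf_get "$conf" "LunaSA Client" ClientPrivKeyFile)
  if [ -n "$key" ] && [ -f "$key" ]; then
    # the client private key ends up in the image layers; it must not be group/world readable
    case "$(stat -c %a "$key")" in 600|400) ;; *) echo "$key is group/world readable"; rc=1 ;; esac
  fi
  # the configurator step removed the STC section; flag a config that still carries it
  grep -q '^Secure Trusted Channel' "$conf" && { echo "Secure Trusted Channel section present"; rc=1; }
  return $rc
}
# make_sample_config <dir>: constructed stand-in layout (empty files) to try the check offline
make_sample_config() {
  mkdir -p "$1/libs/64" "$1/config/certs"
  for f in libs/64/libCryptoki2_64.so config/certs/dockerclient.pem config/certs/CAFile.pem \
           config/certs/dockerclientKey.pem; do : > "$1/$f"; done
  chmod 600 "$1/config/certs/dockerclientKey.pem"
  cat > "$1/config/Chrystoki.conf" <<EOF
Chrystoki2 = {
   LibUNIX64 = $1/libs/64/libCryptoki2_64.so;
}
LunaSA Client = {
   ClientPrivKeyFile = $1/config/certs/dockerclientKey.pem;
   ClientCertFile = $1/config/certs/dockerclient.pem;
   ServerCAFile = $1/config/certs/CAFile.pem;
}
EOF
}
```

On a real workstation run it as luna_preflight "$ChrystokiConfigurationPath" after step 11 (on-premise) or step 7 (cloud); make_sample_config only builds a throwaway directory for trying the check.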
Deploy Luna HSM or Luna Cloud HSM pod in OpenShift Container Platform
For deploying the Luna HSM or Luna Cloud HSM pod in OpenShift:
1. Use podman or docker to build the Luna client container image:
podman build . -t lunaclient-image
2. Check that the container image was built successfully:
podman images
3. Tag the container image and push it to your private registry. Replace <registry_ip> with the actual IP address of your registry:
podman tag localhost/lunaclient-image <registry_ip>:5000/lunaclient-image
podman push <registry_ip>:5000/lunaclient-image
Note
It’s recommended to store the image in a private registry that is accessible from your OpenShift cluster nodes. After pushing it to your registry, you can delete the local container image.
4. Authenticate to the OpenShift platform:
oc login
5. Choose an existing project or create a new one where you want to deploy the Luna client pod. For example:
oc project lunaproject
6. Create a file named deployment.yaml with the following configuration:
apiVersion: v1
kind: Pod
metadata:
  name: luna-client-pod
  labels:
    openshift.io/name: luna-client-pod
spec:
  hostNetwork: true
  restartPolicy: Always
  containers:
  - name: luna-client-pod
    image: "[registry_ip]:5000/lunaclient-image"
    imagePullPolicy: IfNotPresent
    # Keeps the container running
    command: [ "/bin/bash", "-c", "--" ]
    args: [ "while true; do sleep 30; done;" ]
Note
Replace [registry_ip] with your actual registry IP address. This configuration is minimal, so feel free to modify it as per your needs.
7. Deploy the pod using the following command:
oc apply -f deployment.yaml
8. Verify that the pod is running:
oc get pods
9. Log in to the pod and verify that it can access the Luna HSM partition:
oc rsh luna-client-pod
sh-4.2$ lunacm
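The deployment above depends on the Dockerfile having copied the certificates and Chrystoki.conf into the image, which puts the client private key into every registry copy of that image. As an added alternative, not part of the original procedure, the script below prints the same Pod manifest with the certificates mounted from a Secret and Chrystoki.conf from a ConfigMap, along the lines of the NFS-mount note above; the object names luna-client-certs and luna-client-conf and the on-premise config path are assumptions.

```shell
#!/usr/bin/env bash
# Pod manifest that mounts the Luna client certificates and Chrystoki.conf from cluster
# objects instead of shipping them in the image layers. Added example, not Thales or Red Hat
# code. Assumes the on-premise layout (ChrystokiConfigurationPath=/var/usrlocal/luna/config)
# and objects you create beforehand, e.g.:
#   oc create secret generic luna-client-certs --from-file=/var/usrlocal/luna/config/certs
#   oc create configmap luna-client-conf --from-file=/var/usrlocal/luna/config/Chrystoki.conf
# Keep "luna/config" out of the build context (.containerignore) so the key is never copied.

# luna_pod_manifest <registry_ip>: print the manifest on stdout
luna_pod_manifest() {
  cat <<EOF
apiVersion: v1
kind: Pod
metadata:
  name: luna-client-pod
  labels:
    openshift.io/name: luna-client-pod
spec:
  hostNetwork: true            # pod shares the node IP; see the ntls ipcheck steps above
  restartPolicy: Always
  containers:
  - name: luna-client-pod
    image: "$1:5000/lunaclient-image"
    imagePullPolicy: IfNotPresent
    command: [ "/bin/bash", "-c", "--" ]
    args: [ "while true; do sleep 30; done;" ]
    volumeMounts:
    - name: certs
      mountPath: /var/usrlocal/luna/config/certs
      readOnly: true
    - name: conf
      mountPath: /var/usrlocal/luna/config/Chrystoki.conf
      subPath: Chrystoki.conf
      readOnly: true
  volumes:
  - name: certs
    secret:
      secretName: luna-client-certs
      defaultMode: 0440        # no world-readable bits on the client key
  - name: conf
    configMap:
      name: luna-client-conf
EOF
}

# Usage: luna_pod_manifest 10.0.0.5 | oc apply -f -
```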