OpenShift Container Platform
Red Hat® OpenShift® is a CNCF-certified Kubernetes platform and distribution solution, providing a consistent hybrid cloud infrastructure for building and scaling containerized applications. Luna HSMs enhance the security of OpenShift environments by enabling secure key storage and cryptographic operations, ensuring the protection of containerized applications.
The key benefits of integrating Luna HSMs with OpenShift container-based applications include:
- Secure generation, storage, and protection of the identity signing private keys using FIPS 140-2 or FIPS 140-3 Level 3 validated hardware.
- Full life cycle management of the keys, ensuring their integrity and reliability throughout their use.
- Maintenance of a comprehensive HSM audit trail for transparency and accountability in key operations. Note that this audit trail is not available to you when using the Luna Cloud HSM service.
- Significant performance gains from offloading cryptographic operations from application servers.
Supported Platforms
This integration has been tested and verified on the following platforms:
| HSM Type | OpenShift Container Platform |
|---|---|
| Luna HSM | 4.6 |
| Luna Cloud HSM | 4.6 |
Prerequisites
The prerequisites for this integration are:
Configure OpenShift Container Platform
For installation and deployment instructions, consult the official OpenShift Documentation.
Set up Luna HSM
Choose your setup option: On-Premise Luna HSM or Luna Cloud HSM, and follow the corresponding steps to get started.
Set up On-Premise Luna HSM
The steps below use LunaClient-Minimal-10.3.0-275 as an example. The procedure itself is not tied to that release and can be followed with other Luna Client and OpenShift versions to connect to the Luna HSM from OpenShift containers, although only the combination listed under Supported Platforms has been verified.
To configure Luna HSM with the OpenShift Container Platform, follow these steps:
Ensure the HSM is set up, initialized, provisioned, and ready for deployment.
Connect to a Red Hat Enterprise Linux (RHEL) system (RHEL7/RHEL8/RHEL CoreOS) as a user with administrative privileges.
Copy the LunaClient Minimal tar file to a suitable location.
Create a directory where you will extract the file. For example:
mkdir -p /var/usrlocal/luna
Extract the LunaClient Minimal tar file into /var/usrlocal/luna:
tar xvf LunaClient-Minimal-10.3.0-275.x86_64.tar --strip 1 -C /var/usrlocal/luna
Navigate to the Luna directory:
cd /var/usrlocal/luna/
Create a directory for certificates and configuration files:
mkdir -p /var/usrlocal/luna/config/certs
Copy the configuration template file to the config directory:
cp /var/usrlocal/luna/Chrystoki-template.conf /var/usrlocal/luna/config/Chrystoki.conf
Set the ChrystokiConfigurationPath environment variable:
export ChrystokiConfigurationPath=/var/usrlocal/luna/config
Update the PATH environment variable to include the LunaClient utilities:
export PATH="/var/usrlocal/luna/bin/64:${PATH}"
Modify the Chrystoki.conf file using the configurator utility:
configurator setValue -s Chrystoki2 -e LibUNIX -v /var/usrlocal/luna/libs/64/libCryptoki2.so
configurator setValue -s Chrystoki2 -e LibUNIX64 -v /var/usrlocal/luna/libs/64/libCryptoki2_64.so
configurator setValue -s Misc -e ToolsDir -v /var/usrlocal/luna/bin/64
configurator setValue -s "LunaSA Client" -e SSLConfigFile -v /var/usrlocal/luna/openssl.cnf
configurator setValue -s "LunaSA Client" -e ClientPrivKeyFile -v /var/usrlocal/luna/config/certs/dockerclientKey.pem
configurator setValue -s "LunaSA Client" -e ClientCertFile -v /var/usrlocal/luna/config/certs/dockerclient.pem
configurator setValue -s "LunaSA Client" -e ServerCAFile -v /var/usrlocal/luna/config/certs/CAFile.pem
configurator removeSection -s "Secure Trusted Channel"
Alternatively, edit the Chrystoki.conf file manually with any text editor.
Create a Luna HSM Client certificate for the containers:
vtl createCert -n dockerclient
Here, dockerclient is the name of the client certificate. The command also writes the matching private key, dockerclientKey.pem, into the certs directory configured above. That key, not the certificate, is what authenticates the container to the HSM, so keep it out of shared or world-readable locations.
Copy the client certificate to the Luna Network HSM appliance:
scp /var/usrlocal/luna/config/certs/dockerclient.pem admin@10.124.143.158:
Here, 10.124.143.158 is the HSM appliance's IP address.
Copy the Luna HSM server certificate (server.pem) to the config directory:
scp admin@10.124.143.158:server.pem /var/usrlocal/luna/config/certs/
Register the Luna HSM server certificate with the client:
vtl addServer -c /var/usrlocal/luna/config/certs/server.pem -n 10.124.143.158
Connect to the Luna Network HSM appliance via SSH and log in to LunaSH:
ssh admin@10.124.143.158
Provide the admin password when prompted.
Register the client with the Luna HSM:
client register -client dockerclient -hostname dockerclient
Create a partition on the HSM (if none exists):
partition create -partition
Assign the partition to the client:
client assignPartition -partition-client dockerclient
If several containers will reach the HSM from the same IP address, disable the NTLS IP check. With the check enabled, the HSM matches the connecting address against the registered client, so containers behind one address would all appear to be the same client:
ntls ipcheck disable
Note that with the IP check disabled, the client certificate and its private key (dockerclientKey.pem) are the only client-side credential for the NTLS connection. Partition roles still require their passwords, but protect that key file accordingly.
If each container has its own IP address, keep the IP check enabled. Each container is then a separate client and needs its own configuration file and its own certificate and key, registered individually on the HSM:
ntls ipcheck enable
Exit the HSM SSH session:
exit
On the client workstation, start LunaCM:
lunacm
You should see output similar to the following:
lunacm (64-bit) v10.3.0-275. Copyright (c) 2020 SafeNet. All rights reserved.

        Available HSMs:

        Slot Id ->              0
        Label ->
        Serial Number ->        1238686731875
        Model ->                LunaSA 7.7.1
        Firmware Version ->     7.7.1
        Bootloader Version ->   1.1.2
        Configuration ->        Luna User Partition With SO (PW) Key Export With Cloning Mode
        Slot Description ->     Net Token Slot
        FM HW Status ->         Non-FM

        Current Slot Id: 0
Initialize the Crypto Officer and Crypto User roles for the registered partition. The empty Label in the lunacm output above shows that the partition has not been initialized yet; after initialization it displays the label you chose.
For detailed steps on partition initialization and role management, refer to the Luna Network HSM documentation.
Create a Dockerfile in the /var/usrlocal/ directory:
FROM registry.access.redhat.com/ubi8/ubi:latest
# For UBI 7, use:
# FROM registry.access.redhat.com/ubi7/ubi:latest
RUN mkdir -p /var/usrlocal/luna
COPY luna /var/usrlocal/luna
ENV ChrystokiConfigurationPath=/var/usrlocal/luna/config
ENV PATH="/var/usrlocal/luna/bin/64:${PATH}"
ENTRYPOINT /bin/bash
Alternatively, keep the configuration files and certificates from /var/usrlocal/luna/config on a secured NFS server and mount them into the pod at run time, so that they are not baked into the image. Either way, this directory holds the client private key (dockerclientKey.pem) that authenticates the container to the HSM; treat any image, export or share that contains it as a secret.
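Before the config directory is copied into the image or exported to NFS, it is worth checking that Chrystoki.conf actually points at files that exist and that the client private key is not readable by other users. The script below is an added example for that check; it is not Thales or Red Hat code. It assumes the "Section = { Key = value; }" layout of Chrystoki.conf that the configurator calls above produce, and the sample configuration it writes is constructed with placeholder paths, not a real Luna client install.

```shell
#!/usr/bin/env bash
# Preflight check for the Luna client configuration directory before it is
# copied into the image by the Dockerfile above or mounted from NFS.
# Added example, not Thales or Red Hat code. Assumes the
# "Section = { Key = value; }" layout of Chrystoki.conf produced by the
# configurator calls in this section.

# chrystoki_get CONF SECTION KEY: print the value of KEY in SECTION; return 1 if unset.
chrystoki_get() {
  awk -v want_sec="$2" -v want_key="$3" '
    # "Section = {" opens a section, "}" closes it
    /^[ \t]*[^ \t=][^=]*=[ \t]*\{/ {
      sec = $0; sub(/^[ \t]*/, "", sec); sub(/[ \t]*=.*$/, "", sec); next
    }
    /^[ \t]*\}/ { sec = ""; next }
    # "Key = value;" inside the wanted section
    sec == want_sec && /=/ {
      key = $0; sub(/^[ \t]*/, "", key); sub(/[ \t]*=.*$/, "", key)
      if (key == want_key) {
        val = $0; sub(/^[^=]*=[ \t]*/, "", val); sub(/[ \t]*;?[ \t]*$/, "", val)
        print val; found = 1; exit
      }
    }
    END { exit (found ? 0 : 1) }
  ' "$1"
}

# luna_preflight CONFIGDIR: return 0 if the config is usable, 1 otherwise (reasons on stderr).
luna_preflight() {
  local conf="$1/Chrystoki.conf" rc=0 lib item path key perm
  if [ ! -r "$conf" ]; then echo "missing $conf" >&2; return 1; fi
  if lib=$(chrystoki_get "$conf" Chrystoki2 LibUNIX64); then
    [ -f "$lib" ] || { echo "library not found: $lib" >&2; rc=1; }
  else
    echo "Chrystoki2/LibUNIX64 not set" >&2; rc=1
  fi
  for item in ClientPrivKeyFile ClientCertFile ServerCAFile; do
    if path=$(chrystoki_get "$conf" "LunaSA Client" "$item"); then
      [ -f "$path" ] || { echo "$item not found: $path" >&2; rc=1; }
    else
      echo "LunaSA Client/$item not set" >&2; rc=1
    fi
  done
  # The client private key is what authenticates the container to the HSM over NTLS
  # (and, with ntls ipcheck disabled, the only thing that does): reject group/world-readable keys.
  if key=$(chrystoki_get "$conf" "LunaSA Client" ClientPrivKeyFile) && [ -f "$key" ]; then
    perm=$(stat -c %a "$key" 2>/dev/null || stat -f %Lp "$key")
    case "$perm" in
      *00) ;;
      *) echo "private key $key is mode $perm; it must not be group- or world-readable" >&2; rc=1 ;;
    esac
  fi
  return "$rc"
}

# make_sample_config DIR: write a constructed sample config with placeholder files
# (not a real Luna client install) so the check can be exercised offline.
make_sample_config() {
  local dir="$1"
  mkdir -p "$dir/certs" "$dir/libs"
  : > "$dir/libs/libCryptoki2_64.so"
  : > "$dir/certs/dockerclient.pem"
  : > "$dir/certs/CAFile.pem"
  : > "$dir/certs/dockerclientKey.pem"
  chmod 600 "$dir/certs/dockerclientKey.pem"
  cat > "$dir/Chrystoki.conf" <<EOF
Chrystoki2 = {
   LibUNIX = $dir/libs/libCryptoki2.so;
   LibUNIX64 = $dir/libs/libCryptoki2_64.so;
}
LunaSA Client = {
   SSLConfigFile = $dir/openssl.cnf;
   ClientPrivKeyFile = $dir/certs/dockerclientKey.pem;
   ClientCertFile = $dir/certs/dockerclient.pem;
   ServerCAFile = $dir/certs/CAFile.pem;
}
EOF
}

# Usage on the real client directory:
#   luna_preflight "${ChrystokiConfigurationPath:-/var/usrlocal/luna/config}"
```

Run it on the host before `podman build`, and again inside the pod after the NFS mount is in place: a key that was 600 on the build host but arrives world-readable through an NFS export is exactly the case the permission check catches.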
Set up Luna Cloud HSM
Follow these steps to set up your Luna Cloud HSM:
Log in to any RHEL 7, RHEL 8, or RHEL CoreOS host as a user with administrative privileges.
Use pscp, scp, or another secure method to transfer the downloaded .zip file to your client workstation.
Choose a directory where the file will be extracted. For example:
mkdir -p /var/usrlocal/luna
Extract the contents of the .zip file into /var/usrlocal/luna:
unzip setup-.zip -d /var/usrlocal/luna
Change to the directory where the files were extracted:
cd /var/usrlocal/luna/
Untar the cvclient-min.tar file to extract the necessary client files:
tar xvf cvclient-min.tar
Execute the setenv script to generate a new configuration file containing the information required for connecting to the Luna Cloud HSM service:
source ./setenv
Run the LunaCM utility to ensure that the Cloud HSM service is listed:
bin/64/lunacm
You should see the available HSMs listed in the output.
Initialize the Crypto Officer and Crypto User roles: Follow the detailed instructions in the Luna Cloud HSM documentation for initializing these roles and managing user access for the registered partition.
In the /var/usrlocal/ directory, create a Dockerfile to set up the Luna environment within a container:
FROM registry.access.redhat.com/ubi8/ubi:latest
# For UBI 7, use:
# FROM registry.access.redhat.com/ubi7/ubi:latest
RUN mkdir -p /var/usrlocal/luna
COPY luna /var/usrlocal/luna
ENV ChrystokiConfigurationPath=/var/usrlocal/luna
ENV PATH="/var/usrlocal/luna/bin/64:${PATH}"
ENTRYPOINT /bin/bash
Alternatively, keep the configuration files and certificates from the /var/usrlocal/luna directory on a secured NFS server and mount it into the pod at run time, which is easier to manage than rebuilding the image. Either way, this directory holds the credentials the client uses to reach your Luna Cloud HSM service; treat any image, export or share that contains it as a secret.
Deploy Luna HSM or Luna Cloud HSM pod in OpenShift Container Platform
For deploying the Luna HSM or Luna Cloud HSM pod in OpenShift:
Use podman or docker to build the Luna client container image, running the command from the /var/usrlocal directory that holds the Dockerfile and the luna subdirectory:
podman build . -t lunaclient-image
Check if the container image was built successfully:
podman images
Tag the container image and push it to your private registry. Replace <registry_ip> with the actual IP address of your registry:
podman tag localhost/lunaclient-image <registry_ip>:5000/lunaclient-image
podman push <registry_ip>:5000/lunaclient-image
Store the image in a private registry that is reachable from your OpenShift cluster nodes. Unless you kept the configuration on NFS as described above, the image contains the contents of /var/usrlocal/luna, including the client certificate and private key, so the registry must be access-controlled; never push it to a public registry. Once the push succeeds, you can delete the local copy of the image.
Authenticate into the OpenShift platform:
oc login
Choose an existing project or create a new one where you want to deploy the Luna client pod. For example:
oc project lunaproject
Create a file named deployment.yaml with the following configuration:
apiVersion: v1
kind: Pod
metadata:
  name: luna-client-pod
  labels:
    openshift.io/name: luna-client-pod
spec:
  hostNetwork: true
  restartPolicy: Always
  containers:
  - name: luna-client-pod
    image: "[registry_ip]:5000/lunaclient-image"
    imagePullPolicy: IfNotPresent
    # Keeps the container running
    command: [ "/bin/bash", "-c", "--" ]
    args: [ "while true; do sleep 30; done;" ]
Replace [registry_ip] with your actual registry IP address. This configuration is minimal; adapt it to your needs.
Note that hostNetwork: true places the pod in the node's network namespace. The pod then reaches the HSM from the node's IP address, its service account needs a Security Context Constraint that allows host networking (for example the built-in hostnetwork SCC; the default restricted SCC does not), and every such pod on the same node presents the same source address to the HSM, which is the situation the ntls ipcheck disable step above addresses. Remove the setting if the pod can reach the HSM over the cluster network.
Deploy the pod using the following command:
oc apply -f deployment.yaml
Verify that the pod is running:
oc get pods
Log in to the pod and verify that it can access the Luna HSM partition:
oc rsh luna-client-pod
sh-4.2$ lunacm
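Eyeballing the lunacm slot table works for a one-off check, but a pod that is supposed to use a specific partition should be able to verify that itself, for instance from a readiness probe. The script below is an added example of that verification; it is not Thales or Red Hat code. It parses the slot table that lunacm prints when it starts, in the form shown earlier in this guide, and treats an empty Label as "partition not initialized". That lunacm exits after printing the table when its stdin is empty (`lunacm </dev/null`) is an assumption of this example; the sample output embedded in the script is the listing reproduced from this guide.

```shell
#!/usr/bin/env bash
# Verify, from inside the Luna client pod (or through oc exec), that the HSM
# partition the pod should use is visible and has been initialized.
# Added example, not Thales or Red Hat code. Parses the slot table lunacm
# prints at start-up; that lunacm exits on an empty stdin is an assumption.

# luna_slots: read lunacm output on stdin; print one line per slot as
#   <slot id>|<serial number>|<label>|<slot description>
luna_slots() {
  awk '
    # value after "->", with surrounding whitespace removed
    function val(v) { v = $0; sub(/^[^>]*->[ \t]*/, "", v); sub(/[ \t]+$/, "", v); return v }
    /^[ \t]*Slot Id ->/          { id = val() }
    /^[ \t]*Label ->/            { label = val() }
    /^[ \t]*Serial Number ->/    { serial = val() }
    /^[ \t]*Slot Description ->/ { printf "%s|%s|%s|%s\n", id, serial, label, val() }
  '
}

# luna_partition_ready SERIAL: return 0 if a slot with SERIAL is listed on stdin
# and its partition carries a label (i.e. it has been initialized), else 1.
luna_partition_ready() {
  local line label
  line=$(luna_slots | awk -F'|' -v s="$1" '$2 == s { print; exit }')
  if [ -z "$line" ]; then
    echo "no slot with serial $1 is visible to this client" >&2
    return 1
  fi
  label=${line#*|}; label=${label#*|}; label=${label%%|*}
  if [ -z "$label" ]; then
    echo "slot $1 is visible but its partition is not initialized (empty label)" >&2
    return 1
  fi
  return 0
}

# sample_lunacm_output: the slot listing shown earlier in this guide, reproduced
# here so the check can be tried offline. Its empty Label is what an
# uninitialized partition looks like.
sample_lunacm_output() {
  cat <<'EOF'
lunacm (64-bit) v10.3.0-275. Copyright (c) 2020 SafeNet. All rights reserved.

        Available HSMs:

        Slot Id ->              0
        Label ->
        Serial Number ->        1238686731875
        Model ->                LunaSA 7.7.1
        Firmware Version ->     7.7.1
        Bootloader Version ->   1.1.2
        Configuration ->        Luna User Partition With SO (PW) Key Export With Cloning Mode
        Slot Description ->     Net Token Slot
        FM HW Status ->         Non-FM

        Current Slot Id: 0
EOF
}

# Usage inside the pod:
#   lunacm </dev/null | luna_partition_ready 1238686731875
# From the workstation:
#   oc exec luna-client-pod -- lunacm </dev/null | luna_partition_ready 1238686731875
```

Checking the serial number rather than the slot id matters because slot ids are assigned per client and change when partitions are added or removed, while the serial identifies the partition the Crypto Officer credentials actually belong to; a pod that silently picks up slot 0 of a different partition is a misconfiguration you want surfaced before application traffic reaches it.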