Installing Luna Minimal Client on Linux Using Docker

The following procedure will allow you to install the Luna Minimal Client in a Docker container on Linux. For an overview description of Luna Minimal Client and its prerequisites, see Linux Minimal Luna Client Install - Overview.

NOTE   If SELinux is enabled in Enforcing mode, you must assign proper permissions to any container that needs to access the config directory.

To install the SafeNet Luna Minimal Client software on a Linux 64-bit Docker instance:

This example uses NTLS. The use of STC is optional.

1.Install a full Luna HSM Client software (non-minimal) on your Docker host (see Installing Luna Minimal Client on Linux Using Docker).

2.Create a directory. In this example:

$HOME/luna-docker

The name is not important, only that you use it consistently.

3.Create the following subdirectories under that first directory:

$HOME/luna-docker/config
$HOME/luna-docker/config/certs

additionally, if you are configuring STC:

$HOME/luna-docker/config/stc
$HOME/luna-docker/config/stc/token/001

and create an empty file

$HOME/luna-docker/config/stc/token/001/token.db

The contents of the config directory are needed by the Docker containers.

4.Copy the Luna Minimal Client tarball to $HOME/luna-docker.

5.Untar the Luna Minimal Client tarball.

>tar -xf $HOME/luna-docker/LunaClient-Minimal-<release_version>.x86_64.tar -C $HOME/luna-docker

6.Copy the Chrystoki.conf file from the Minimal Client directory to $HOME/luna-docker/config.

>cp LunaClient-Minimal-<release_version>.x86_64/Chrystoki-template.conf $HOME/luna-docker/config/Chrystoki.conf

7.Define the following environment variable:

>export ChrystokiConfigurationPath=$HOME/luna-docker/config

8.[Optional] If you choose to use STC, review the SafeNet Luna Network HSM documentation and modify the following instructions. The goal is to have an HSM partition created and registered with the full Luna HSM Client before you create the Docker image and containers.

9.Create a Luna HSM Client certificate for the Docker containers.

>/usr/safenet/lunaclient/bin/vtl createCert -n <cert_name>

10.Copy the client certificate to the SafeNet Luna Network HSM appliance.

>scp ./certs/<cert_name>.pem admin@<Network_HSM_IP>:

11.Copy the appliance server certificate (server.pem) to $HOME/luna-docker/config/certs

>scp admin@<Network_HSM_IP>:server.pem ./certs

12.Register the appliance server certificate with the Client.

>/usr/safenet/lunaclient/bin/vtl addServer -c ./certs/server.pem -n <Network_HSM_IP>

13.Connect via SSH to the SafeNet Luna Network HSM appliance and log in to LunaSH.

>ssh admin@<Network_HSM_IP>

14.Create a partition, if one does not already exist on the HSM.

lunash:>partition create -partition <partition_name>

15.Register the full Luna HSM Client with the appliance, and assign the partition to the client (see client register and client assignpartition for full command syntax).

lunash:>client register -client <client_name> {-ip <client_IP> | -hostname <client_hostname>}

lunash:>client assignpartition -client <client_name> -partition <partition_name>

lunash:>ntls ipcheck disable

lunash:>exit

16.On the Client workstation, run LunaCM, set the active slot to the registered partition, and initialize it (see partition init for full command syntax).

lunacm:>slot set -slot <slotnum>

lunacm:>partition init -label <partition_label>

17.Change the path of the runtime libraries in config/Chrystoki.conf.

>sed -i -e 's#\./certs#/usr/local/luna/config/certs#g' -e 's#/usr/safenet/lunaclient/lib/libCryptoki2_64.so#/usr/local/luna/libs/64/libCryptoki2.so#g' -e 's#/usr/safenet/lunaclient/lib/libSoftToken.so#/usr/local/luna/libs/64/libSoftToken.so#g' config/Chrystoki.conf

Create a Luna Client Docker image

The minimal client tarball does not include tools or other files not necessary for basic operation; copy any additional files you want to include in the docker image to $HOME/luna-docker/.

18.Create a file named Dockerfile with the following contents:

FROM ubuntu:xenial
#FROM centos:centos7
ARG MIN_CLIENT
COPY $MIN_CLIENT.tar /tmp
RUN mkdir -p /usr/local/luna
RUN tar xvf /tmp/$MIN_CLIENT.tar --strip 1 -C /usr/local/luna
ENV ChrystokiConfigurationPath=/usr/local/luna/config
COPY lunacm /usr/local/bin
COPY vtl /usr/local/bin
COPY multitoken /usr/local/bin
COPY ckdemo /usr/local/bin
 
ENTRYPOINT  /bin/bash
#End of the Dockerfile

19.Build a Docker image.

>docker build . --build-arg MIN_CLIENT=LunaClient-Minimal-<release_version>.x86_64 -t lunaclient-image

20.Use the following command to verify the Docker image has been created:

>docker images

Run the Docker container

21.Make the contents of the config directory available to the Containers when you create them, by mounting the config directory as a volume.

>docker run -it --name lunaclient -v $PWD/config:/usr/local/luna/config lunaclient-image

22.From the Docker container, verify that the container has a connection to the SafeNet Luna Network HSM partition.

.


Customer Support Portal

SafeNet Luna Network HSM 7.2 Product Documentation  13 December 2019  Copyright 2001-2019 Thales. All rights reserved.