From Linux Minimal Client Create a Docker Container to Access a DPOD Luna Cloud HSM Service

This section describes the steps to access Thales Data Protection on Demand (DPoD) Luna Cloud HSM services from a Luna Minimal Client running in a Docker container. It assumes that you have followed the steps in Installing Luna Minimal Client on Linux Using Docker, or have otherwise created the appropriate directories and Dockerfile, and that you have purchased a Luna Cloud HSM service.

NOTE   This feature requires Luna Minimal Client version 10.1 or later. See Version Dependencies by Feature for more information.

1. Download the Luna Cloud HSM service client configuration zip file.

2. Unzip the Luna Cloud HSM service client configuration zip file.

>cd $HOME/luna-docker

>mkdir $HOME/luna-docker/dpod

>unzip </path/to/luna-cloud-hsm-client>.zip -d $HOME/luna-docker/dpod

3. Copy the Luna Cloud HSM service certificates into the certificate directory on the shared volume so that the Docker container can use them.

>cp $HOME/luna-docker/dpod/server-certificate.pem $HOME/luna-docker/config/certs/

>cp $HOME/luna-docker/dpod/partition-ca-certificate.pem $HOME/luna-docker/config/certs/

>cp $HOME/luna-docker/dpod/partition-certificate.pem $HOME/luna-docker/config/certs/

4. Copy the entire REST and XTC sections from the unzipped Chrystoki.conf, located at $HOME/luna-docker/dpod/Chrystoki.conf, into the Chrystoki.conf on the shared volume. View the source file, then edit the shared-volume copy:

>cat $HOME/luna-docker/dpod/Chrystoki.conf

>vi $HOME/luna-docker/config/Chrystoki.conf

5. Update $HOME/luna-docker/config/Chrystoki.conf with the paths that will be used inside the Docker container.

>export ChrystokiConfigurationPath=$HOME/luna-docker/config

>MIN_CLIENT_DIR=$HOME/luna-docker/LunaClient-Minimal-<release_version>.x86_64

>$MIN_CLIENT_DIR/bin/64/configurator setValue -s XTC -e PartitionCAPath -v /usr/local/luna/config/certs/partition-ca-certificate.pem

>$MIN_CLIENT_DIR/bin/64/configurator setValue -s XTC -e PartitionCertPath00 -v /usr/local/luna/config/certs/partition-certificate.pem

>$MIN_CLIENT_DIR/bin/64/configurator setValue -s REST -e SSLClientSideVerifyFile -v /usr/local/luna/config/certs/server-certificate.pem

6. The Luna Minimal Client now includes a Luna Cloud HSM service plugin that allows the Luna client to communicate with a Luna Cloud HSM service. The plugin is located at $HOME/luna-docker/LunaClient-Minimal-<release_version>.x86_64/plugins/libdpod.plugin. This example uses the Dockerfile mentioned above, which extracts the Luna Minimal Client tarball into the Docker image, so the plugin directory as seen from inside the container is /usr/local/luna/plugins. Set PluginModuleDir to that path:

>$MIN_CLIENT_DIR/bin/64/configurator setValue -s Misc -e PluginModuleDir -v /usr/local/luna/plugins

7. Attach to the Docker container. If the container is stopped, start it first.

>docker ps -a

>docker start <container_id>

>docker attach <container_id>

8. At this point you should be able to see the Luna Cloud HSM service:

>lunacm
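A common reason lunacm shows no Luna Cloud HSM slot is that a certificate or plugin path in the shared-volume Chrystoki.conf still points at a host path instead of the in-container path set in steps 5 and 6. The following script is an added example, not part of the Thales documentation: it extracts the four entries the procedure sets and fails if any is missing or does not sit under /usr/local/luna. It assumes the brace-delimited "Section = { Key = value; }" layout of Chrystoki.conf; the sample configuration it checks is constructed for the example, not a real DPoD service file.

```shell
#!/bin/sh
# Added example, not from the Thales documentation: sanity-check the
# Chrystoki.conf in the shared volume before attaching the container.
# Assumes the "Section = { Key = value; }" layout of Chrystoki.conf and
# the in-container prefix /usr/local/luna used by the steps above.
LUNA_PREFIX=/usr/local/luna
# Print the value of KEY ($2) inside SECTION ($1) of the file given as $3.
chrystoki_get() {
    awk -v s="$1" -v k="$2" '
        $1 == s && $2 == "=" && $3 == "{" { in_s = 1; next }
        in_s && $1 == "}"                 { in_s = 0 }
        in_s && $1 == k && $2 == "="      { v = $3; sub(/;$/, "", v); print v; exit }
    ' "$3"
}
# Check that every path the container will read lives under LUNA_PREFIX;
# a host path such as $HOME/luna-docker/config does not resolve inside the
# container. Prints each problem and returns 0 only if all four are right.
check_container_paths() {
    rc=0
    for pair in XTC:PartitionCAPath XTC:PartitionCertPath00 \
                REST:SSLClientSideVerifyFile Misc:PluginModuleDir; do
        sec=${pair%%:*}; key=${pair#*:}
        val=$(chrystoki_get "$sec" "$key" "$1")
        case $val in
            "$LUNA_PREFIX"/*) ;;
            "") echo "MISSING $sec/$key"; rc=1 ;;
            *)  echo "BAD $sec/$key = $val"; rc=1 ;;
        esac
    done
    return $rc
}

# Constructed sample (not a real DPoD service configuration): one correct
# file, and one that still carries a host path from the unzipped client zip.
GOOD_CONF=$(mktemp); BAD_CONF=$(mktemp)
cat > "$GOOD_CONF" <<'EOF'
Misc = {
   PluginModuleDir = /usr/local/luna/plugins;
}
XTC = {
   PartitionCAPath = /usr/local/luna/config/certs/partition-ca-certificate.pem;
   PartitionCertPath00 = /usr/local/luna/config/certs/partition-certificate.pem;
}
REST = {
   SSLClientSideVerifyFile = /usr/local/luna/config/certs/server-certificate.pem;
}
EOF
sed 's#/usr/local/luna/config/certs/server#/home/user/luna-docker/config/certs/server#' "$GOOD_CONF" > "$BAD_CONF"
check_container_paths "$GOOD_CONF" && echo "config OK for the container"
```

Point check_container_paths at $HOME/luna-docker/config/Chrystoki.conf after step 6 to confirm the shared-volume copy before running step 7.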