Setting up the Server Environment
To set up and deploy the SafeNet IDPrime Virtual Server you need a container runtime (Docker or Podman).
The following instructions use Docker/Podman as the container technology and Kubernetes as the orchestration technology.
Docker/Podman
SafeNet IDPrime Virtual Server is provided as a Docker image. To install and run the latest release of the Docker software you can follow the documentation on the Docker website.
The values in <angle brackets> must also be updated. After the update, remove the angle brackets.

1. Unzip the provided image file as a TAR by executing the following command:

   gzip -d <image-name.tar.gz>

2. After unzipping, load the image in the Docker registry by executing the following command:

   docker load -i <image-name.tar>

   For RHEL 8 or 9 with a podman environment, the command is:

   podman load -i <image-name.tar>

3. After the above command is successfully executed, it returns an output in the following format:

   Loaded image: idprimevirtual_server: 2.x

4. Create a /var/thales/config directory and copy the following files, downloaded from the delivery package provided with the IDPV package, into it:

   appsettings.yml
   policy-configuration.json
   idp-configuration.json
   log4net.config
   IngrianNAE.properties.pfx
   sws-configuration.json

This document uses the /var/thales/config/ and /var/thales/hsm/ directories for placing configuration files. However, based on requirements, you can use different directory names. If you choose different names, substitute them consistently for the names mentioned in this document.
Kubernetes
The following steps are used to deploy IDPrime Virtual Server in Kubernetes:

1. Create a Kubernetes namespace for your project.

   a. Create a namespace for your project in Kubernetes using the following YAML configuration:

      apiVersion: v1
      kind: Namespace
      metadata:
        name: idpv-staging

      The namespace created in the above case is idpv-staging. Alternatively, you can use the following command to create a namespace:

      kubectl create namespace idpv-staging

      The namespace (idpv-staging) can be any name, but once defined, the same name must be used in all of the subsequent deployment procedures.

   b. Create a /var/thales/config directory and copy the following files, downloaded from the delivery package provided with the IDPV package, into it:

      appsettings.yml
      policy-configuration.json
      idp-configuration.json
      log4net.config
      sws-configuration.json
      IngrianNAE.properties

      This document uses the /var/thales/config/ and /var/thales/hsm/ directories for placing configuration files. However, based on requirements, you can use different directory names. If you choose different names, substitute them consistently for the names mentioned in this document. Refer to step 2 of Installing SafeNet IDPrime Virtual Server to configure the IDPV Server files.
Next, create a Secret and a ConfigMap for the IDPV server configuration and the HSM client configuration respectively.

2. Create a Secret using the application-related configuration files prepared in step 1 above.

   a. Copy kustomization.yaml from the delivery package into the /var/thales/ directory and follow the steps provided in the kustomization.yaml file.

   b. Apply it from that directory:

      kubectl apply -k .

      The dot character at the end of the command above represents the current directory. The directory must contain the above mentioned files.

3. Create a ConfigMap for the HSM client related files. For more information, refer to Configuring Luna Client on Host Machine. For DPoD and KeySecure, refer to Configuring Data Protection on Demand and Configuring KeySecure respectively.

   kubectl create configmap idpv-config-hsm --from-file=/var/thales/hsm/ -n idpv-staging
4. Update the deployment YAML files located in the /var/thales/ directory, as given in the deployment package.

   a. Update the Kubernetes-Service.yaml file in the package. Update the values in <angle brackets> (after the update, remove the angle brackets) for the following parameters:

      volumes:
        - name: vol1name
          secret:
            secretName: <idpv-configuration-secret>
        - name: vol2name
          configMap:
            name: idpv-config-hsm

      The volume names vol1name and vol2name can be any names, but once defined, the same names must be used for all further references.
      The Secret and ConfigMap must be the ones created in step 2 and step 3 above.

   b. If the server Docker image is already in a Docker registry, go to step e below. Otherwise, unzip the provided image file as a TAR by executing the following command:

      gzip -d <image-name.tar.gz>

   c. After unzipping the file, load the image in the Docker registry by executing the following command:

      docker load -i <image-name.tar>

      For RHEL 9 or 8 with a podman environment, the command is:

      podman load -i <image-name.tar>

   d. Configure a private Docker registry. For setting up the private registry, refer to the official Docker documentation.
      Tag and push the image to the private Docker registry by executing the following commands:

      docker tag <image-name> <docker-registry/repository/image-name:tag>
      docker push <docker-registry/repository/image-name:tag>

      In a podman environment, use the corresponding podman commands for tagging and pushing the image.

   e. In the Kubernetes-Deployment.yaml deployment file, update the value in <angle brackets> (after the update, remove the angle brackets) for the following parameter:

      containers:
        - name: idpv-server
          image: <docker-registry/repository/image-name:tag>

   f. Update the following value fields in the deployment file:

      - The values vol1name and vol2name must be updated in the name fields under the volumeMounts section:

        volumeMounts:
          - name: <vol1name>
            mountPath: /publish/Config
          - name: <vol2name>
            mountPath: /usr/local/hsm

      - The value field docker-reg-creds-secret-name must be updated in the deployment file:

        imagePullSecrets:
          - name: <docker-reg-creds-secret-name>
5. Once the above changes are complete, create a deployment in the Kubernetes namespace. This deploys the server in a container pod.

6. Create a service to expose the server outside of the Kubernetes cluster.

   a. Create a service using the Kubernetes-Service.yaml file (provided in the package).

   b. Update the nodePort value according to port availability:

      nodePort: <nodePort-value>
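A preflight script for the steps above, as an added example that is not part of the IDPV delivery package: it assumes the /var/thales layout and the Kubernetes-Deployment.yaml and Kubernetes-Service.yaml file names this document uses, and checks the two things the procedure requires before kubectl apply -k . is run, namely that every configuration file is in place and that no <angle bracket> placeholder was left behind in a manifest.

```shell
#!/bin/sh
# Preflight check for the Kubernetes deployment steps above. Added example,
# not part of the IDPV delivery package; it assumes the directory layout and
# manifest names used in this document.

# Files the document says must be copied into /var/thales/config.
IDPV_CONFIG_FILES="appsettings.yml policy-configuration.json idp-configuration.json log4net.config sws-configuration.json IngrianNAE.properties"

# check_config_files DIR: succeeds only if every required file exists and is non-empty.
check_config_files() {
    missing=0
    for f in $IDPV_CONFIG_FILES; do
        if [ ! -s "$1/$f" ]; then
            echo "missing or empty: $1/$f" >&2
            missing=$((missing + 1))
        fi
    done
    [ "$missing" -eq 0 ]
}

# check_placeholders FILE: succeeds only if no <angle-bracket> placeholder remains
# outside comment lines (the document requires all of them to be replaced and the
# brackets removed before the manifest is applied).
check_placeholders() {
    if grep -v '^[[:space:]]*#' "$1" | grep -n '<[^>]*>' >&2; then
        echo "unfilled placeholders in $1" >&2
        return 1
    fi
    return 0
}

# preflight CONFIG_DIR KUSTOMIZE_DIR MANIFEST...: runs every check and succeeds
# only if all pass, so it can gate "kubectl apply -k ." in KUSTOMIZE_DIR.
preflight() {
    cfg=$1; kdir=$2; shift 2
    rc=0
    check_config_files "$cfg" || rc=1
    [ -f "$kdir/kustomization.yaml" ] || { echo "no kustomization.yaml in $kdir" >&2; rc=1; }
    for m in "$@"; do
        if [ ! -f "$m" ]; then echo "manifest not found: $m" >&2; rc=1; continue; fi
        check_placeholders "$m" || rc=1
    done
    return "$rc"
}

# Example invocation with the paths this document uses (only when started with --run).
if [ "${1:-}" = "--run" ]; then
    preflight /var/thales/config /var/thales /var/thales/Kubernetes-Deployment.yaml \
        /var/thales/Kubernetes-Service.yaml && echo "preflight OK: cd /var/thales && kubectl apply -k ."
fi
```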
• When Docker is deployed, manually restart the container after updating the configurations using the following command:

  docker restart <container-name or id>

• When Kubernetes is deployed, the server automatically restarts after the Secret and ConfigMap are updated.

• If RHEL 8 or 9 with a podman environment is used instead of Docker, run the following command:

  podman restart <container-name or id>