Docker Container
Configure your Docker Container to access a Luna Cloud HSM Service for cryptographic operations required by applications running in the Docker Container. The Luna Cloud HSM Service provides full key life-cycle management with FIPS-certified hardware and reduces the cryptographic load on the host server CPU.
We recommend you use the Luna Cloud HSM service for this integration.
This integration is supported on the following operating systems:
- RHEL7
- Windows 2016 Server
Prerequisites
Before proceeding with the integration, complete the following:
Provision Luna Cloud HSM service
Create a Luna Cloud HSM service in DPoD and transfer the Luna Cloud HSM service client to your host machine. Do not initialize the service. This step is included as part of the integration process.
Download and install Docker
You need to download and install Docker to use the Docker command line interface (CLI) to complete the integration. Visit the Docker documentation portal for detailed instructions and procedures for installing Docker on your system.
Setup Java Development Kit (JDK)
The example procedure at the end of the Docker Container Integration Guide uses the Java Development Kit (JDK) to demonstrate the Luna Cloud HSM service's functionality within a Docker Container. If you would like to complete this integration guide fully, install the Java Development Kit inside of the Docker Container.
We recommend you familiarize yourself with the Java Development Kit documentation before beginning the integration.
This integration covers the necessary steps to configure a Luna Cloud HSM Service for use inside of a Docker Container, and demonstrates using the Luna Cloud HSM Service to secure JDK operations within the Docker Container.
Integration
Integrate your Luna Cloud HSM Service with a Docker Container.
Configuring the Luna Cloud HSM Service Client in Docker Container
To use a Luna Cloud HSM Service with a Docker Container you create and run a DPoD Docker Image. To create and run a DPoD Docker image, create the Dockerfile, then extract and initialize the Luna Cloud HSM Service Client inside of the Docker Container.
Create the file Dockerfile with the following contents in the current working directory.
If you want to complete the Java Demo, described in the section Using the Luna Cloud HSM Service inside Docker Container (Java Demo), uncomment line 3 (#RUN yum -y install java) to install Java inside of the Docker container.
FROM centos:centos7
RUN yum -y install unzip
#RUN yum -y install java
RUN mkdir -p /usr/local/dpod
COPY <service_client_name>.zip /usr/local/dpod
ENTRYPOINT /bin/bash
#End of the Dockerfile
Copy the <service_client_name>.zip file into the Docker project directory where the Dockerfile is stored. Update line 5 in the Dockerfile to use the name of the Luna Cloud HSM Service Client zip that you downloaded to your system.
Build a Docker Image.
docker build . -t dpod-in-docker
Verify the Docker Image was created
docker images
Mount the config directory as a volume. This makes the contents of the configuration directory available to the Docker Containers when you create them.
docker run -it --name dpod-in-docker dpod-in-docker
This opens the Docker Container.
Navigate to the Luna Cloud HSM Service Client directory.
cd /usr/local/dpod
Unzip the Luna Cloud HSM Service Client.
unzip <service_client_name>.zip
Untar the cvclient-min.tar.
tar xvf cvclient-min.tar
Set the environment variables.
source ./setenv
Launch LunaCM.
./bin/64/lunacm
Initialize the Luna Cloud HSM Service Client. Complete the procedure Initialize service partition.
Using the Luna Cloud HSM Service inside Docker Container (Java Demo)
This section demonstrates using the Java keytool utility to generate signing keys and certificates on a Luna Cloud HSM Service operating within a Docker container, and then using the jarsigner application to sign a .jar file inside of the Docker Container.
Configure the java.security file
Open the Java Security Configuration File, java.security, in a text editor. The file is available at <JDK_installation_directory>/jre/lib/security.
Add the Luna Provider to the java.security file, so that the file appears as follows:
security.provider.1=sun.security.provider.Sun
security.provider.2=sun.security.rsa.SunRsaSign
security.provider.3=com.sun.net.ssl.internal.ssl.Provider
security.provider.4=com.sun.crypto.provider.SunJCE
security.provider.5=sun.security.jgss.SunProvider
security.provider.6=com.sun.security.sasl.Provider
security.provider.7=org.jcp.xml.dsig.internal.dom.XMLDSigRI
security.provider.8=sun.security.smartcardio.SunPCSC
security.provider.9=com.safenetinc.luna.provider.LunaProvider
Save the changes to the java.security file.
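The provider registration above can be scripted so that it is idempotent and takes the next free security.provider.N slot instead of hard-coding 9, which helps when the JDK's provider list differs from the one shown. This is an added example, not code from the Thales guide; the sample java.security content is constructed, and in the container you would point it at the real file path given above.

```shell
#!/bin/sh
# Added example, not part of the Thales guide: register LunaProvider in a
# java.security file at the next free security.provider.N slot, idempotently.
# Assumes the numbered "security.provider.N=" layout shown in the guide.
LUNA_PROVIDER="com.safenetinc.luna.provider.LunaProvider"

# Constructed stand-in for java.security (abbreviated provider list).
make_sample_java_security() {
    cat > "$1" <<'EOF'
# sample java.security, constructed for this example
security.provider.1=sun.security.provider.Sun
security.provider.2=sun.security.rsa.SunRsaSign
security.provider.3=com.sun.crypto.provider.SunJCE
jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA
EOF
}

# Highest N among security.provider.N= lines, plus one (1 if none exist).
next_provider_index() {
    max=$(sed -n 's/^security\.provider\.\([0-9][0-9]*\)=.*/\1/p' "$1" | sort -n | tail -n 1)
    echo $(( ${max:-0} + 1 ))
}

# Append LunaProvider at the next slot unless it is already registered;
# prints the slot number either way so callers can check the result.
add_luna_provider() {
    file="$1"
    slot=$(sed -n "s/^security\.provider\.\([0-9][0-9]*\)=${LUNA_PROVIDER}\$/\1/p" "$file")
    if [ -z "$slot" ]; then
        slot=$(next_provider_index "$file")
        printf 'security.provider.%s=%s\n' "$slot" "$LUNA_PROVIDER" >> "$file"
    fi
    echo "$slot"
}

# Demo on the constructed file; pass the real java.security path to apply it.
demo_file=$(mktemp)
make_sample_java_security "$demo_file"
echo "LunaProvider registered as security.provider.$(add_luna_provider "$demo_file")"
rm -f "$demo_file"
```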
Configure the Java keytool utility to use the Luna Cloud HSM Service
Copy the LunaProvider.jar and libLunaAPI.so (UNIX) or the LunaAPI.dll (Windows) from the <service_client_installation_directory>/jsp/lib folder to the Java extension folder under <JDK_installation_directory>/jre/lib/ext.
Set the environment variables JAVA_HOME and PATH.
export JAVA_HOME=<JDK Installation directory>
export PATH=$JAVA_HOME/bin:$PATH
Create a blank file named <keystore_name> and add the following line, where <service_label> is your Luna Cloud HSM Service label.
tokenlabel:<service_label>
Save the file in the current working directory.
Create a key pair and sign the .jar file
Generate a key pair using the Java Keytool utility in the keystore. This command generates a key pair on the Luna Cloud HSM Service.
keytool -genkeypair -alias lunakey -keyalg RSA -sigalg SHA256withRSA -keypass <CO_password> -keysize 2048 -keystore <keystore_name> -storepass <CO_password> -storetype luna
What is your first and last name?
[Unknown]: HSM
What is the name of your organizational unit?
[Unknown]: HSM
What is the name of your organization?
[Unknown]: Thales
What is the name of your City or Locality?
[Unknown]: MyCity
What is the name of your State or Province?
[Unknown]: MyState
What is the two-letter country code for this unit?
[Unknown]: IN
Is CN=HSM, OU=HSM, O=Thales, L=MyCity, ST=MyState, C=IN correct?
[no]: yes
Verify the private key is in the Luna Cloud HSM Service.
keytool -list -v -storetype luna -keystore <keystore_name>
The system prompts you to enter the keystore password:
Enter keystore password:
Keystore type: LUNA
Keystore provider: LunaProvider
Your keystore contains 1 entry
Alias name: lunakey
Creation date: Apr 16, 2018
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=HSM, OU=HSM, O=Thales, L=MyCity, ST=MyState, C=IN
Issuer: CN=HSM, OU=HSM, O=Thales, L=MyCity, ST=MyState, C=IN
Serial number: 1353bc67
Valid from: Mon Apr 16 12:01:45 PDT 2018 until: Sun Jul 15 12:01:45 PDT 2018
Certificate fingerprints:
MD5: 90:D9:4A:25:DD:C4:9E:7F:55:60:3D:ED:D0:84:18:C1
SHA1: 01:FF:94:6B:24:3C:FB:5F:05:F9:7F:AC:3A:3B:4D:AB:0D:9A:69:36
SHA256: FD:09:09:3A:71:1C:69:A1:24:5E:78:AB:BB:7C:0C:D9:81:02:64:D2:AE:7C:A1:00:91:21:EA:41:9E:3D:FA:0D
Signature algorithm name: SHA256withRSA
Version: 3
Generate a certificate request from a key in the keystore. When prompted for the password, provide the keystore password.
keytool -certreq -alias lunakey -sigalg SHA256withRSA -file certreq_file -storetype luna -keystore <keystore_name>
The file certreq_file is generated in the current directory.
After creating the Certificate Signing Request (CSR), ensure you keep track of your keystore file, as it contains your private key. Additionally, you require the keystore file to install your Code Signing Certificate.
Copy the generated certificate request file to the host machine so that you can submit it to your Certification Authority (CA). Execute the following command on the host machine:
docker cp <container-id>:<certreq_file> .
For example:
docker cp d34fd7f4bc51:/usr/local/certreq_file .
The CA authenticates the request and returns a signed certificate or a certificate chain. Save the reply and the root certificate of the CA. Copy both certificates to the Docker container.
docker cp <root-ca-cert> <container-id>:<directory to place cert>
docker cp <signed-cert-chain> <container-id>:<directory to place cert>
For example:
docker cp root.cer d34fd7f4bc51:/usr/local/
docker cp signing.p7b d34fd7f4bc51:/usr/local/
In this example, root.cer is the CA Root Certificate, and signing.p7b is the certificate chain.
Import the CA's root certificate and signed certificate chain into the keystore.
To import the CA root certificate execute the following:
keytool -trustcacerts -importcert -alias rootca -file root.cer -keystore <keystore_name> -storetype luna
To import the signed certificate reply or certificate chain execute the following:
keytool -trustcacerts -importcert -alias lunakey -file signing.p7b -keystore <keystore_name> -storetype luna
Copy the .jar file from the host machine to the Docker container's current working directory. Execute the following command on the host machine:
docker cp <jar-to-be-signed> <container-id>:<directory to place jar file>
For example:
docker cp sample.jar d34fd7f4bc51:/usr/local/
Sign the .jar using the jarsigner tool. The system prompts you for the keystore password.
jarsigner -keystore <keystore_name> -storetype luna -signedjar <name-of-signedjar-to-be-generated> <jar-to-be-signed> <alias-of-private-key> -tsa <time-stamping-authority-url>
For example:
jarsigner -keystore <keystore_name> -storetype luna -signedjar signedsample.jar sample.jar lunakey -tsa http://timestamp.globalsign.com/scripts/timestamp.dll
Verify the signed .jar. Execute the following command; it displays the message jar verified. if the Luna Cloud HSM Service is configured properly.
jarsigner -verify signedsample.jar -verbose -certs
s 565 Tue Apr 17 09:42:36 PDT 2018 META-INF/MANIFEST.MF
[entry was signed on 4/16/18 9:12 PM]
X.509, CN=Administrator, CN=Users, DC=CA, DC=com
[certificate is valid from 4/16/18 12:02 PM to 4/16/19 12:02 PM]
X.509, CN=my-CA, DC=CA, DC=com
[certificate is valid from 4/5/18 10:25 AM to 4/5/23 10:35 AM]
647 Tue Apr 17 09:42:36 PDT 2018 META-INF/LUNAKEY.SF
5869 Tue Apr 17 09:42:36 PDT 2018 META-INF/LUNAKEY.RSA
0 Thu Dec 02 10:41:40 PST 2010 META-INF/
m 506 Mon May 21 00:09:04 PDT 2007 JSmoothPropertiesDisplayer$1.class
m 533 Mon May 21 00:09:04 PDT 2007 JSmoothPropertiesDisplayer$2.class
m 1567 Mon May 21 00:09:04 PDT 2007 JSmoothPropertiesDisplayer$3.class
m 3905 Mon May 21 00:09:04 PDT 2007 JSmoothPropertiesDisplayer.class
s = signature was verified
m = entry is listed in manifest
k = at least one certificate was found in keystore
i = at least one certificate was found in identity scope
-Signed by "CN=Administrator, CN=Users, DC=CA, DC=com"
Digest algorithm: SHA256
Signature algorithm: SHA256withRSA, 2048-bit key
Timestamped by "CN=GlobalSign TSA for Standard - G2, O=GMO GlobalSign Pte Ltd, C=SG" on Tue Apr 17 04:12:52 UTC 2018
Timestamp digest algorithm: SHA-256
Timestamp signature algorithm: SHA1withRSA, 2048-bit key
jar verified.
The .jar file is signed and verified in the Docker Container while the private key and certificate are stored on a Luna Cloud HSM Service.
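In a build pipeline the jarsigner -verify output above is worth checking mechanically rather than by eye: the verdict line, the code-signature algorithm and key size, and whether a timestamp was applied (note that in the output shown the TSA's own signature uses SHA1withRSA). This is an added example, not part of the Thales guide; the sample output is constructed from the lines shown above, and the acceptance policy it enforces is an assumption for the example.

```shell
#!/bin/sh
# Added example, not part of the Thales guide: parse the output of
# "jarsigner -verify -verbose -certs" and decide whether a signed .jar should be
# accepted. Checks the final verdict, the signing algorithm, the key size, and
# whether a timestamp was applied; flags a SHA-1 timestamp signature as weak.
# The sample output below is constructed from the lines shown in the guide.

make_sample_verify_output() {
    cat > "$1" <<'EOF'
s 565 Tue Apr 17 09:42:36 PDT 2018 META-INF/MANIFEST.MF
sm 3905 Mon May 21 00:09:04 PDT 2007 JSmoothPropertiesDisplayer.class
- Signed by "CN=Administrator, CN=Users, DC=CA, DC=com"
    Digest algorithm: SHA256
    Signature algorithm: SHA256withRSA, 2048-bit key
  Timestamped by "CN=GlobalSign TSA for Standard - G2, O=GMO GlobalSign Pte Ltd, C=SG" on Tue Apr 17 04:12:52 UTC 2018
    Timestamp digest algorithm: SHA-256
    Timestamp signature algorithm: SHA1withRSA, 2048-bit key
jar verified.
EOF
}

# Returns 0 when the jar is acceptable; prints one FAIL/WARN finding per line.
# Policy (assumed for this example): verdict "jar verified.", SHA256withRSA
# code signature with a key of at least 2048 bits, and a timestamp present.
check_jarsigner_verify() {
    out="$1"; rc=0
    grep -q '^jar verified\.$' "$out" || { echo "FAIL: no 'jar verified.' verdict"; rc=1; }
    sigalg=$(sed -n 's/^ *Signature algorithm: \([^,]*\), \([0-9]*\)-bit key.*/\1 \2/p' "$out" | head -n 1)
    set -- $sigalg   # $1 = algorithm, $2 = key size (empty if the line is missing)
    [ "${1:-}" = "SHA256withRSA" ] || { echo "FAIL: signature algorithm '${1:-none}'"; rc=1; }
    [ "${2:-0}" -ge 2048 ] || { echo "FAIL: key size ${2:-0} is below 2048"; rc=1; }
    grep -q '^ *Timestamped by' "$out" || { echo "FAIL: jar is not timestamped"; rc=1; }
    # Warning only: this is the TSA's signature hash, not the code signature itself.
    grep -q '^ *Timestamp signature algorithm: SHA1with' "$out" && echo "WARN: timestamp signed with SHA-1"
    return $rc
}

# Demo on the constructed output; in practice pipe the real jarsigner output to a file.
demo_out=$(mktemp)
make_sample_verify_output "$demo_out"
check_jarsigner_verify "$demo_out" && echo "OK: signed jar accepted"
rm -f "$demo_out"
```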