Installing Luna Minimal Client on Linux Using Docker

The following procedure allows you to install the Luna Minimal Client in a Docker container on Linux, so that applications in that container can access Luna Network HSM partitions. For an overview description of Luna Minimal Client and its prerequisites, see Luna Minimal Client Install for Linux - Overview.

NOTE: This feature requires HSM Client 7.2.0 or newer.

If SELinux is enabled in Enforcing mode on the host, the container must be granted access to the config directory (relabel the directory for the container when you mount it); otherwise the client inside the container cannot read its configuration and certificates.

To install the Luna Minimal Client software on a Linux 64-bit Docker instance:

This example uses NTLS; STC is optional. It is based on CentOS 7, so other operating systems might require adjustments to the commands and to the Dockerfile.

1. Create a directory. In this example:

$HOME/luna-docker

The name is not important, only that you use it consistently.

2. Create the following subdirectories under that directory:

$HOME/luna-docker/config
$HOME/luna-docker/config/certs

Additionally, if you are configuring STC:

$HOME/luna-docker/config/stc
$HOME/luna-docker/config/stc/client_identities
$HOME/luna-docker/config/stc/partition_identities
$HOME/luna-docker/config/stc/token/001

and create an empty soft-token database file:

for Luna HSM Firmware 7.4.2 and older:

$HOME/luna-docker/config/stc/token/001/token.db

for Luna HSM Firmware 7.7.0 and newer:

$HOME/luna-docker/config/stc/token/001/token_v2.db

The contents of the config directory are mounted into the Docker containers. The directory will hold the client's private key and, for STC, its identities, so keep it owned by the account that runs Docker and not readable by group or other.

3. Copy the Luna Minimal Client tarball to $HOME/luna-docker.

4. Untar the Luna Minimal Client tarball.

>tar -xf $HOME/luna-docker/LunaClient-Minimal-<release_version>.x86_64.tar -C $HOME/luna-docker

5. Copy the configuration template from the Minimal Client directory to $HOME/luna-docker/config, renaming it to Chrystoki.conf.

>cp $HOME/luna-docker/LunaClient-Minimal-<release_version>.x86_64/Chrystoki-template.conf $HOME/luna-docker/config/Chrystoki.conf

6. Define the following environment variable so that the client tools read their configuration from that directory:

>export ChrystokiConfigurationPath=$HOME/luna-docker/config

7. Update the Chrystoki.conf paths so the tools work from the host while you complete the setup (the paths are rewritten to their in-image locations in step 12):

>MIN_CLIENT_DIR=$HOME/luna-docker/LunaClient-Minimal-<release_version>.x86_64

>$MIN_CLIENT_DIR/bin/64/configurator setValue -s Chrystoki2 -e LibUNIX -v $MIN_CLIENT_DIR/libs/64/libCryptoki2.so  

>$MIN_CLIENT_DIR/bin/64/configurator setValue -s Chrystoki2 -e LibUNIX64 -v $MIN_CLIENT_DIR/libs/64/libCryptoki2_64.so  

>$MIN_CLIENT_DIR/bin/64/configurator setValue -s Misc -e ToolsDir -v $MIN_CLIENT_DIR/bin/64  

>$MIN_CLIENT_DIR/bin/64/configurator setValue -s "LunaSA Client" -e SSLConfigFile -v $MIN_CLIENT_DIR/openssl.cnf  

>$MIN_CLIENT_DIR/bin/64/configurator setValue -s "LunaSA Client" -e ClientPrivKeyFile -v $HOME/luna-docker/config/certs/dockerlunaclientKey.pem  

>$MIN_CLIENT_DIR/bin/64/configurator setValue -s "LunaSA Client" -e ClientCertFile -v $HOME/luna-docker/config/certs/dockerlunaclient.pem  

>$MIN_CLIENT_DIR/bin/64/configurator setValue -s "LunaSA Client" -e ServerCAFile -v $HOME/luna-docker/config/certs/CAFile.pem  

>$MIN_CLIENT_DIR/bin/64/configurator setValue -s "Secure Trusted Channel" -e ClientTokenLib -v $MIN_CLIENT_DIR/libs/64/libSoftToken.so  

>$MIN_CLIENT_DIR/bin/64/configurator setValue -s "Secure Trusted Channel" -e SoftTokenDir -v $HOME/luna-docker/config/stc/token  

>$MIN_CLIENT_DIR/bin/64/configurator setValue -s "Secure Trusted Channel" -e ClientIdentitiesDir -v $HOME/luna-docker/config/stc/client_identities  

>$MIN_CLIENT_DIR/bin/64/configurator setValue -s "Secure Trusted Channel" -e PartitionIdentitiesDir -v $HOME/luna-docker/config/stc/partition_identities  

8. Create an HSM Client certificate for the Docker containers. vtl writes <cert_name>Key.pem and <cert_name>.pem into the certs directory, so <cert_name> must match the ClientPrivKeyFile and ClientCertFile names set in step 7 (dockerlunaclient in this example).

>$MIN_CLIENT_DIR/bin/64/vtl createCert -n <cert_name>

9. Copy the client certificate (only the certificate, never the key file) to the Luna Network HSM appliance. Registering the client and assigning it a partition is done on the appliance with LunaSH and is not covered here.

>scp $HOME/luna-docker/config/certs/<cert_name>.pem admin@<Network_HSM_IP>:

10. Copy the appliance server certificate (server.pem) to $HOME/luna-docker/config/certs.

>scp admin@<Network_HSM_IP>:server.pem $HOME/luna-docker/config/certs

11. Register the appliance server certificate with the client.

>$MIN_CLIENT_DIR/bin/64/vtl addServer -c $HOME/luna-docker/config/certs/server.pem -n <Network_HSM_IP>

12. Rewrite the library, certificate and tool paths in $ChrystokiConfigurationPath/Chrystoki.conf to the locations they will have inside the Docker image (/usr/local/luna for the client, /usr/local/luna/config for the mounted config directory).

>sed -i -e 's#'$HOME'/luna-docker/config#/usr/local/luna/config#g' -e 's#'$HOME'/luna-docker/LunaClient-Minimal-\([0-9\.-]\+\)x86_64#/usr/local/luna#g' $ChrystokiConfigurationPath/Chrystoki.conf
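A preflight check for the Chrystoki.conf produced by steps 5 through 12, as an added example that is not part of the Luna documentation or the client tooling. It parses the "Entry = value;" lines of the file, reports any path that still points at the host instead of the /usr/local/luna image root (the sed in step 12 must rewrite every one, or the container will look for files it does not have), and checks that the client private key named by ClientPrivKeyFile is not group- or world-accessible before the directory is mounted into a container. The sample Chrystoki.conf written by luna_demo_fixture is constructed for the demonstration, and the function names are the example's own.

```shell
#!/bin/sh
# Preflight for the host-side Chrystoki.conf before building the image.
# Added example, not part of the Luna documentation or the client tools.
# Assumes the image root /usr/local/luna and the config mount
# /usr/local/luna/config used in the procedure above.

IMAGE_ROOT=/usr/local/luna
IMAGE_CONFIG=$IMAGE_ROOT/config

# List every "Entry = /path;" whose path is not under $2 (default: $IMAGE_ROOT).
# Chrystoki.conf entries look like "   LibUNIX = /path/to/lib.so;" inside a
# "Section = { ... }" block. Returns 1 if any host path is left behind, which
# means the step-12 sed did not rewrite everything.
luna_conf_host_paths() {
    conf=$1
    root=${2:-$IMAGE_ROOT}
    awk -v root="$root" '
        /^[[:space:]]*[A-Za-z0-9_]+[[:space:]]*=[[:space:]]*\// {
            key = $0; sub(/^[[:space:]]*/, "", key); sub(/[[:space:]]*=.*$/, "", key)
            val = $0; sub(/^[^=]*=[[:space:]]*/, "", val); sub(/;[[:space:]]*$/, "", val)
            if (index(val, root) != 1) { print key " = " val; found++ }
        }
        END { exit found > 0 }' "$conf"
}

# Map ClientPrivKeyFile back to its host location ($2 is the host config dir
# that will be mounted at $IMAGE_CONFIG) and require that group and other have
# no access: this key is what authenticates the container to the appliance.
luna_privkey_mode_ok() {
    conf=$1
    config_dir=$2
    key=$(sed -n 's/^[[:space:]]*ClientPrivKeyFile[[:space:]]*=[[:space:]]*\(.*\);[[:space:]]*$/\1/p' "$conf")
    [ -n "$key" ] || { echo "ClientPrivKeyFile not set in $conf"; return 1; }
    host_key=$(printf '%s\n' "$key" | sed "s#^$IMAGE_CONFIG#$config_dir#")
    [ -f "$host_key" ] || { echo "missing private key: $host_key"; return 1; }
    # ls -l mode string: characters 5-10 are the group and other permission bits.
    case $(ls -ld "$host_key" | cut -c5-10) in
        ------) return 0 ;;
        *) echo "group/other can access $host_key; run chmod 600"; return 1 ;;
    esac
}

# Constructed fixture for the demonstration (not a file from the page): one
# entry still carries the host path that the sed in step 12 should have
# replaced; the key file is created with the expected 0600 mode.
luna_demo_fixture() {
    d=$(mktemp -d)
    mkdir -p "$d/config/certs"
    : >"$d/config/certs/dockerlunaclientKey.pem"
    chmod 600 "$d/config/certs/dockerlunaclientKey.pem"
    cat >"$d/config/Chrystoki.conf" <<'EOF'
Chrystoki2 = {
   LibUNIX = /usr/local/luna/libs/64/libCryptoki2.so;
   LibUNIX64 = /home/build/luna-docker/LunaClient-Minimal-10.2.0.x86_64/libs/64/libCryptoki2_64.so;
}
LunaSA Client = {
   ReceiveTimeout = 20000;
   ClientPrivKeyFile = /usr/local/luna/config/certs/dockerlunaclientKey.pem;
}
EOF
    printf '%s\n' "$d"
}

# Run both checks; 0 only when the file is ready to ship in the image.
# Usage: luna_preflight "$ChrystokiConfigurationPath/Chrystoki.conf" "$HOME/luna-docker/config"
luna_preflight() {
    ok=0
    luna_conf_host_paths "$1" || ok=1
    luna_privkey_mode_ok "$1" "$2" || ok=1
    return $ok
}
```

Run luna_preflight against $ChrystokiConfigurationPath/Chrystoki.conf after step 12 and again whenever the tarball version changes, since a new release directory name is the usual reason the step-12 pattern stops matching.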

Create an HSM Client Docker image

The Minimal Client tarball includes the files necessary for basic operation and some tools; copy any additional files you want to include in the Docker image to $HOME/luna-docker/. This example includes the entire Luna Minimal Client.

1. Create a file named Dockerfile with the following contents:

# ubuntu:xenial and centos:centos7 are both end-of-life; for production use a base image that still receives security updates.
FROM ubuntu:xenial
#FROM centos:centos7

ARG MIN_CLIENT
COPY $MIN_CLIENT.tar /tmp
RUN mkdir -p /usr/local/luna
RUN tar xvf /tmp/$MIN_CLIENT.tar --strip 1 -C /usr/local/luna
ENV ChrystokiConfigurationPath=/usr/local/luna/config
ENV PATH="/usr/local/luna/bin/64:${PATH}"

# The package below is needed only for One-Step NTLS, if you want to set up NTLS from inside the container.
# The only requirement beyond glibc.i686 (needed by the 32-bit plink and pscp binaries) is a configured Chrystoki.conf.
# The configurator commands in step 7 of the host procedure are the template; change the value parameter ("-v")
#    to point at the files and directories inside the image.
# One-Step NTLS uses the "Misc" section entry "ToolsDir" to find the plink/pscp binaries.
# The Chrystoki.conf needs the following entries updated for One-Step NTLS to work:
# Section         | Entry
# --------------------------
# Chrystoki2      | LibUNIX
# Chrystoki2      | LibUNIX64
# Misc            | ToolsDir
# "LunaSA Client" | SSLConfigFile
# "LunaSA Client" | ClientPrivKeyFile
# "LunaSA Client" | ClientCertFile
# "LunaSA Client" | ServerCAFile
# Syntax:  configurator setValue -s <Section> -e <Entry> -v <value>
# Example: configurator setValue -s Misc -e ToolsDir -v /usr/local/luna/bin/64
# Ubuntu:
#RUN dpkg --add-architecture i386
#RUN apt-get update
#RUN apt-get -y install libc6:i386
# CentOS:
#RUN yum install -y glibc.i686

# Exec form so the shell receives signals directly instead of running under "sh -c".
ENTRYPOINT ["/bin/bash"]
#End of the Dockerfile

2. Build the Docker image.

>docker build . --build-arg MIN_CLIENT=LunaClient-Minimal-<release_version>.x86_64 -t lunaclient-image

3. Verify that the Docker image has been created:

>docker images

Run the Docker container

1. Make the contents of the config directory available to the container by mounting it as a volume. The earlier steps put it under $HOME/luna-docker/config, so refer to that path rather than relying on the current working directory:

>docker run -it --name lunaclient -v $HOME/luna-docker/config:/usr/local/luna/config lunaclient-image

The mounted directory holds the client private key and any STC identities, so keep it readable only by the account that runs Docker. If you use NTLS only, you can append :ro to the volume option so the container cannot modify the configuration or certificates; STC needs write access to the soft-token directory. If SELinux is enforcing, append :Z so the directory is relabeled for the container.

2. From inside the Docker container, verify that it can reach the Luna Network HSM partition, for example by running lunacm from /usr/local/luna/bin/64 and confirming that the partition appears in the slot list.

Thales Data Protection on Demand Luna Cloud HSM Service with Luna Minimal Client

To connect to Thales Data Protection on Demand (DPoD) Luna Cloud HSM services with the minimal client, see From Linux Minimal Client Create a Docker Container to Access a DPOD Luna Cloud HSM Service.