Create a Luna HSM Client Docker image for use with Functionality Modules

The example Installing Luna Minimal Client on Linux Using Docker uses the Luna Minimal Client to connect to a Luna Network HSM 7 partition. This section adds the steps needed to sign a Functionality Module (FM) from within a Docker container and to run a Host Application from the container that communicates with the FM in the Luna Network HSM 7.

NOTE   This feature requires Luna HSM Client 7.4.0 or later.

An FM consists of two components: the FM itself, which resides in the HSM and extends its functionality, and the Host Application, which resides on each client that needs to communicate with that FM.

The FM SDK and ELDK are not included in the Minimal Client, because they would greatly increase its size. This procedure assumes that you installed the full Luna HSM Client with the HSM Software Development Kit, the FM Software Development Kit and other components elsewhere, created and compiled your Functionality Modules there, and only import and use the FM components inside the Docker container, rather than developing and compiling them in it.

The steps below cover the common tasks of signing Functionality Modules and communicating with them through Host Applications.

1. On a Linux client with the Functionality Module SDK component installed (which also installs the Embedded Linux Development Kit (ELDK)), compile the sample FMs and Host Application binaries.

>make -C /usr/safenet/lunafmsdk/samples/pinenc all

>make -C /usr/safenet/lunafmsdk/samples/skeleton all

>make -C /usr/safenet/lunafmsdk/samples/wrap-comp all

2. Create a directory on the shared volume to store the Host Applications and unsigned FM binaries.

>mkdir $HOME/luna-docker/config/fm  

3. Copy the generated files over.

>cp /usr/safenet/lunafmsdk/samples/pinenc/fm/bin-ppc/* $HOME/luna-docker/config/fm/  

>cp /usr/safenet/lunafmsdk/samples/skeleton/fm/bin-ppc/* $HOME/luna-docker/config/fm/  

>cp /usr/safenet/lunafmsdk/samples/wrap-comp/fm/bin-ppc/* $HOME/luna-docker/config/fm/  

>cp /usr/safenet/lunafmsdk/samples/pinenc/host/output/bin/* $HOME/luna-docker/config/fm/  

>cp /usr/safenet/lunafmsdk/samples/skeleton/host/output/bin/* $HOME/luna-docker/config/fm/  

>cp /usr/safenet/lunafmsdk/samples/wrap-comp/host/output/bin/* $HOME/luna-docker/config/fm/  

4. Go back to the Docker container. If it is stopped, you must start the container first.

>docker ps -a

>docker start <container_id>

>docker attach <container_id>

5. If you have not already done so, set LoginAllowedOnFMEnabledHSMs=1 in the Chrystoki.conf file; otherwise LunaCM will prompt you to do so on your first partition initialization or role login attempt.

>configurator setValue -s Misc -e LoginAllowedOnFMEnabledHSMs -v 1

6. Ensure that the “Partition SO” and “Crypto Officer” users are initialized via LunaCM (see Initializing an Application Partition and Initializing Crypto Officer and Crypto User Roles for an Application Partition).

7. Generate a key pair and a self-signed certificate, then sign the FM binaries using mkfm and export the self-signed certificate.

>cmu generatekeypair -labelpublic=fmpub -labelprivate=fmpri -sign=1 -verify=1 -keytype=rsa -mech=pkcs -publicexponent=3 -modulusbits=2048 -slot <slotnum>  

>cmu list -slot <slotnum>

>cmu selfsigncertificate -publichandle=<public_key_handle> -privatehandle=<private_key_handle> -label=FmSign -serialnumber=1 -cn=FmSign -startdate=20180606 -enddate=20201231 -slot <slotnum>

>mkfm -f /usr/local/luna/config/fm/pinenc.bin -o /usr/local/luna/config/fm/pinenc.fm -kSLOTID=<slotnum>/fmpri

>mkfm -f /usr/local/luna/config/fm/skeleton.bin -o /usr/local/luna/config/fm/skeleton.fm -kSLOTID=<slotnum>/fmpri

>mkfm -f /usr/local/luna/config/fm/wrap-comp.bin -o /usr/local/luna/config/fm/wrapcomp.fm -kSLOTID=<slotnum>/fmpri

>cmu export -slot <slotnum> -label FmSign -outputfile=/usr/local/luna/config/fm/FmSign.cert

8. Copy the signed FMs and the self-signed certificate to the Luna Network HSM 7 appliance. If your Docker container supports scp, use that. If you uncommented the prerequisites in the Dockerfile regarding pscp and plink, you can use those as well. If neither applies, you can always copy the files from the shared fm directory volume on the host:

>pscp $HOME/luna-docker/config/fm/pinenc.fm admin@<Network_HSM_IP>:

>pscp $HOME/luna-docker/config/fm/skeleton.fm admin@<Network_HSM_IP>:

>pscp $HOME/luna-docker/config/fm/wrapcomp.fm admin@<Network_HSM_IP>:

>pscp $HOME/luna-docker/config/fm/FmSign.cert admin@<Network_HSM_IP>:

9. Connect via SSH to the Luna Network HSM 7 appliance and log in to LunaSH.

>ssh admin@<Network_HSM_IP>

10. Log in as the HSM Admin (SO), then load the Functionality Modules.

lunash:> hsm login

lunash:> hsm fm load -fmFile pinenc.fm -certFile FmSign.cert  

lunash:> hsm fm load -fmFile skeleton.fm -certFile FmSign.cert  

lunash:> hsm fm load -fmFile wrapcomp.fm -certFile FmSign.cert  

lunash:> hsm fm status

11. If the hsm fm status command in the previous step reported “reboot HSM to activate” for any of the FMs, you must reboot the HSM. Restarting the HSM resets the SO login status, so you must log in as SO again afterward.

lunash:> hsm restart

lunash:> hsm login

12. Activate the Secure Memory File System (SMFS); you must be logged in as the HSM Admin. If you check the status of the FMs now, they should all show “Enabled”.

lunash:> hsm fm smfs activate

lunash:> hsm fm status

13. Verify that the Host Application can interact with the FM. If you have trouble loading the shared libraries, you can set the LD_LIBRARY_PATH environment variable.

>export LD_LIBRARY_PATH="/usr/local/luna/libs/64"  

>/usr/local/luna/config/fm/pinenctest -s<slotnum> gen 

>/usr/local/luna/config/fm/pinenctest -d<slotnum> test

>/usr/local/luna/config/fm/skeleton -s<slotnum> -t "Hello all"  

>/usr/local/luna/config/fm/wrapcomptest -s<slotnum>
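The host-side part of this procedure (steps 2, 3, 5 and 8) moves unsigned FM images and host applications through a shared volume and then onto the appliance. The script below is an added example, not Thales tooling or code from this page: it stages the same sample outputs the steps above copy, records a SHA-256 manifest at staging time so the files can be re-checked after each copy before they are signed with mkfm or loaded with hsm fm load, and pre-checks that Chrystoki.conf already has LoginAllowedOnFMEnabledHSMs=1 so LunaCM will not prompt. The function names (stage_fm_artifacts, verify_fm_artifacts, fm_login_allowed, make_fixture), the manifest file name SHA256SUMS and the constructed sample tree are assumptions of the example; it also assumes GNU coreutils (sha256sum) and the usual Chrystoki.conf layout of `Section = { key = value; }` blocks.

```shell
#!/bin/sh
# Added example (not Thales' own tooling): stage compiled FM images and host
# applications into the shared Docker volume directory, record a SHA-256
# manifest, re-verify it later, and check the Chrystoki.conf Misc setting.
# Assumes GNU coreutils (sha256sum) and "Section = { key = value; }" blocks.

FM_SAMPLES="pinenc skeleton wrap-comp"

# stage_fm_artifacts SRC_ROOT DEST
# SRC_ROOT is the samples directory (e.g. /usr/safenet/lunafmsdk/samples),
# DEST is the shared volume directory (e.g. $HOME/luna-docker/config/fm).
stage_fm_artifacts() {
  src=$1; dest=$2
  mkdir -p "$dest"
  rm -f "$dest/SHA256SUMS"          # never hash a stale manifest into itself
  for sample in $FM_SAMPLES; do
    cp "$src/$sample/fm/bin-ppc/"* "$dest/" || return 1        # unsigned FM image(s)
    cp "$src/$sample/host/output/bin/"* "$dest/" || return 1   # host application(s)
  done
  ( cd "$dest" && sha256sum -- * > SHA256SUMS )
}

# verify_fm_artifacts DIR
# Returns non-zero if any staged file no longer matches the manifest.
verify_fm_artifacts() {
  ( cd "$1" && sha256sum --quiet -c SHA256SUMS )
}

# fm_login_allowed CONF_FILE
# Returns 0 only if the Misc section sets LoginAllowedOnFMEnabledHSMs = 1,
# i.e. step 5 is already done; the same key in another section is ignored.
fm_login_allowed() {
  awk '
    /^[[:space:]]*Misc[[:space:]]*=[[:space:]]*\{/ { in_misc = 1; next }
    in_misc && /^[[:space:]]*\}/                  { in_misc = 0 }
    in_misc && $1 == "LoginAllowedOnFMEnabledHSMs" {
      v = $0
      sub(/.*=[[:space:]]*/, "", v); sub(/[[:space:]]*;.*/, "", v)
      if (v == "1") found = 1
    }
    END { exit (found ? 0 : 1) }
  ' "$1"
}

# make_fixture ROOT
# Builds a constructed stand-in for the SDK samples tree so the example runs
# offline; the file contents are placeholders, not real FM or host binaries.
make_fixture() {
  root=$1
  for sample in $FM_SAMPLES; do
    mkdir -p "$root/$sample/fm/bin-ppc" "$root/$sample/host/output/bin"
    printf 'constructed unsigned FM image for %s\n' "$sample" > "$root/$sample/fm/bin-ppc/$sample.bin"
    printf 'constructed host application for %s\n' "$sample" > "$root/$sample/host/output/bin/${sample}test"
  done
}

# Demonstration run against the constructed tree and a constructed conf file.
demo_root=$(mktemp -d)
make_fixture "$demo_root/samples"
stage_fm_artifacts "$demo_root/samples" "$demo_root/fm"
verify_fm_artifacts "$demo_root/fm" && echo "staged artifacts match manifest"
printf 'tampered\n' >> "$demo_root/fm/pinenc.bin"
verify_fm_artifacts "$demo_root/fm" || echo "mismatch detected: do not sign pinenc.bin"
printf 'Misc = {\n   LoginAllowedOnFMEnabledHSMs = 1;\n}\n' > "$demo_root/Chrystoki.conf"
fm_login_allowed "$demo_root/Chrystoki.conf" && echo "LoginAllowedOnFMEnabledHSMs already set"
rm -rf "$demo_root"
```

In use, run stage_fm_artifacts on the Linux build host against the real samples directory and the shared volume path, then run verify_fm_artifacts inside the container (on the /usr/local/luna/config/fm mount) before step 7, and again on the appliance-bound copies before step 8; a mismatch means the file was altered somewhere between compile and signature.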