Deploying ProtectToolkit 7 in a Docker container on Linux
The following section describes how to deploy ProtectToolkit in a Docker container on a Linux host system.
Prerequisites
Ensure that you have met the following prerequisites before proceeding:
- Download the latest version of Docker from https://docs.docker.com/get-docker/ and install it on the host.
- Download the ProtectToolkit software .tar archive from the Thales Customer Support Portal.
- If ProtectToolkit will be used in network mode, install and configure the ProtectServer 3 HSM(s) that the client will access over the TCP/IP network. For more information about network operating mode, see Operating modes.
Note
Thales does not recommend attempting to deploy PTK in a container if you intend to operate it in PCI mode.
To deploy ProtectToolkit 7 in a Docker container on Linux
1. Unpack the ProtectToolkit software .tar archive.
2. Configure the Docker image.
   In the Dockerfile shown below, the Docker image has been configured to do the following:
   - Install the PTK-C Runtime and Network Access Provider packages in the container.
   - Load PTK automatically.
   - Run the hsmstate command. For more information about this command, refer to hsmstate.

# Build-time arguments: base image version and the PTK package version/architecture
ARG CENTOS_VERSION=7
ARG PTK_VERSION=<PTK version>
ARG PTK_ARCH=x86_64

FROM centos:${CENTOS_VERSION}
LABEL maintainer=<user_id>

# ARGs declared before FROM must be redeclared to be visible in this build stage
ARG PTK_VERSION
ARG PTK_ARCH

# Install the Network Access Provider (PTKnethsm) and PTK-C Runtime (PTKcprt) packages
COPY PTK*.rpm /tmp/
RUN cd /tmp/ && \
    rpm -U \
        PTKnethsm-${PTK_VERSION}.${PTK_ARCH}.rpm \
        PTKcprt-${PTK_VERSION}.${PTK_ARCH}.rpm

# Load PTK automatically in login shells
RUN ln -sf /opt/safenet/protecttoolkit7/ptk/setvars.sh /etc/profile.d/

# Make the PTK binaries and libraries available to the entrypoint
ENV CPROVDIR /opt/safenet/protecttoolkit7/ptk
ENV PATH=$PATH:$CPROVDIR/bin
ENV LD_LIBRARY_PATH=$LD_LIBRARY_PATH:$CPROVDIR/lib

# Run the hsmstate command when the container starts
ENTRYPOINT [ "hsmstate" ]
Note
You cannot configure the Docker image to install packages using the Unix Installation Utility (safeNet-install.sh). You must instead configure the image to install specific Access Provider and PTK component packages. For more information about available packages and changing the cryptoki provider (to switch between network and software emulation operating modes after deployment) on Linux, refer to Installing ProtectToolkit 7 on Unix/Linux manually.
3. Build the container image.
docker build . -t ptk_container
4. Run the container while specifying the network server to connect the client to the HSM. For more information about specifying the network server, see Specifying the Network Server(s).
docker run --rm -it \
    -e ET_HSM_NETCLIENT_SERVERLIST=<HSM_IP> \
    ptk_container
5. Configure the containerized PTK instance in one of three ways:
   - Pass the value of configuration items, such as ET_HSM_NETCLIENT_SERVERLIST, on the docker run call, as shown in step 4.
   - Embed system configuration files, such as /etc/default/et_hsm, in the container by inserting the following line into the Dockerfile:
     RUN echo ET_HSM_NETCLIENT_SERVERLIST=<HSM_IP> > /etc/default/et_hsm
     or
     COPY <config-file> /etc/default/et_hsm
   - Hardcode environment variables into the container by inserting the following line into the Dockerfile:
     ENV ET_HSM_NETCLIENT_SERVERLIST <HSM_IP>
Note
If the ET_HSM_NETCLIENT_SERVERLIST configuration item is embedded or hardcoded into the container, the containerized PTK instance automatically connects to the specified HSM each time it is run.
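The run-time configuration approach from step 4 and the first option in step 5, as an added shell example that is not Thales' code and not part of this page: it validates the HSM host value before that value is placed into a docker run -e argument or an /etc/default/et_hsm file, renders that file outside the image, and prints the docker run invocation instead of executing it, so it runs on a host without Docker. The helper names (validate_hsm_host, render_et_hsm, docker_run_cmd), the single-host form of ET_HSM_NETCLIENT_SERVERLIST and the sample address 192.0.2.10 are assumptions; the image tag ptk_container and the path /etc/default/et_hsm come from the page.

```shell
#!/bin/sh
# Added example, not Thales' code: keep the PTK network-client setting out of
# the image and hand it to the container at run time. Assumed (not from the
# page): the helper names below, a single host in ET_HSM_NETCLIENT_SERVERLIST,
# and the constructed sample address 192.0.2.10. From the page: ptk_container
# and /etc/default/et_hsm.

# Accept only a plain IPv4 address or DNS host name, so the value is safe to
# place in a docker run -e argument or an /etc/default/et_hsm line.
validate_hsm_host() {
    [ -n "$1" ] || return 1
    case "$1" in
        *[!A-Za-z0-9.-]*) return 1 ;;   # any other character is rejected
        -*|*-|.*|*.)      return 1 ;;   # no leading/trailing '-' or '.'
    esac
    return 0
}

# Render the et_hsm file for one host into the given output file.
# usage: render_et_hsm <host> <output-file>
render_et_hsm() {
    validate_hsm_host "$1" || { echo "rejected HSM host: '$1'" >&2; return 1; }
    printf 'ET_HSM_NETCLIENT_SERVERLIST=%s\n' "$1" > "$2"
}

# Print (do not execute) the docker run line that injects the server list
# as an environment variable, as in step 4 of the page.
# usage: docker_run_cmd <host>
docker_run_cmd() {
    validate_hsm_host "$1" || { echo "rejected HSM host: '$1'" >&2; return 1; }
    printf 'docker run --rm -it -e ET_HSM_NETCLIENT_SERVERLIST=%s ptk_container\n' "$1"
}

# Demonstration with a constructed (documentation-range) address.
HSM_HOST="${HSM_HOST:-192.0.2.10}"
ET_HSM_FILE="${ET_HSM_FILE:-$(mktemp)}"
render_et_hsm "$HSM_HOST" "$ET_HSM_FILE"
echo "rendered $ET_HSM_FILE:"
cat "$ET_HSM_FILE"
docker_run_cmd "$HSM_HOST"
```

Keeping the rendered file and the environment value outside the image means one built ptk_container image can be pointed at different HSMs, and the HSM a given container will connect to is visible on its docker run line rather than fixed in an image layer; the rendered file can still be supplied to the COPY line in step 5 when a build-time embed is wanted.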