Procedures
Prerequisites
Before you can use nCOP and run the container images, complete the following steps:
-
Install Docker. For information, see Get Docker in the Docker online documentation.
-
Gain access to the Conjur appliance image. The following command can be used to load the
conjur-appliance
.tar file into the local Docker repository:% docker load -i conjur-appliance-13.2.0.tar.gz
-
Request the nCOP and Security World software from Entrust.
-
Set up the HSM. See the Installation Guide for your HSM.
-
Configure the HSM(s) to use the IP address of your container host machine as a client.
-
Load an existing Security World or create a new one on the HSM.
-
Copy the Security World and module files to your container host machine at a directory of your choice.
-
Create or edit the
cknfastrc
file in/opt/nfast
and add one of the following config settings: -
For OCS or Softcard protection:
CKNFAST_LOADSHARING=1 CKNFAST_NO_ACCELERATOR_SLOTS=1
-
For Module protection:
CKNFAST_FAKE_ACCELERATOR_LOGIN=1
-
Optionally, the following can be added to generate PKCS #11 debug logs at the example location:
CKNFAST_DEBUG=10 CKNFAST_DEBUGFILE=/opt/ncop/pkcs11.log
-
Create a
pkcs11.yml
file with the following content:library: /opt/nfast/toolkits/pkcs11/libcknfast.so wrapping_key: <wrapping_key name> pin: <passphrase of ocs/softcard if required> slot: <slot number for the intended key protection type>
By the default, the slot number for module protection is 0, for softcard protection 1, and for OCS protection 2. This can change depending on your HSM deployment. The pin passphrase is not required if you are using module protection.
For more information on configuring and managing nShield HSMs, Security Worlds, and Remote File Systems, see the User Guide for your HSM(s).
Create and configure the nshield-hwsp container
The nShield hardserver container has to be configured to enable it to communicate with the CyberArk Conjur Master DAP Server in a later step, see Create and configure the Conjur application container and the Master DAP Server.
To deploy an nCOP container image for use with CyberArk Conjur:
-
Log in to the container host machine server with
root
privileges and launch a terminal window. -
Set up the nCOP working directory:
% mkdir -p /opt/ncop % tar xf ncop-1.1.2.tar -C /opt/ncop
-
Mount the Security World:
% mkdir SecWorld-13.4.5 % mount -o loop SecWorld_Lin64-13.4.5.iso SecWorld-13.4.5
-
Set up the hardserver image:
% ./make-nshield-hwsp SecWorld-13.4.5
-
Configure
nshield-hwsp
:-
Set up the hardserver configuration file and directory:
% mkdir -p /opt/ncop/config1 % ./make-nshield-hwsp-config --output /opt/ncop/config1 config <hsm ip address>
-
Check that the configuration file information matches your HSM deployment:
% cat /opt/ncop/config1/config
-
Create a new socket so that application containers can use the hardserver:
% docker volume create socket1
-
Run the
nshield-hwsp
container:% docker run -d -v /opt/ncop/config1:/opt/nfast/kmdata/config:ro -v socket1:/opt/nfast/sockets nshield-hwsp:13.4.5
-
Check the status of
nshield-hwsp
using theenquiry
command:% NFAST_SERVER=/var/lib/docker/volumes/socket1/_data/nserver /opt/nfast/bin/enquiry
-
Create and configure the Conjur application container and the Master DAP Server
-
Extend the
conjur-appliance
image with thenfast
utilities:% ./extend-nshield-application --from registry.tld/conjur-appliance:13.2.2 --pkcs11 SecWorld-13.4.5
-
Tag the generated application image for convenience:
% docker tag <IMAGEID> conjor-appliance-wnfast:13.2.2
-
Run the
conjur-appliance
container with thenfast
container:% docker run --name dap-wnfast -d --restart=unless-stopped --security-opt seccomp=/path/to/conjur-seccomp.json -p "443:443" -p "5432:5432" -p "1999:1999" -v /opt/nfast/kmdata:/opt/nfast/kmdata:rw -v socket1:/opt/nfast/sockets conjur-appliance-wnfast:13.2.2
-
Perform the initial configuration of Conjur. The username is admin. For password requirements, see Configure the Conjur cluster in the CyberArk online documentation.
% docker exec dap-wnfast evoke configure master --accept-eula --hostname dap-wnfast.example.com --admin-password Mypassw0rD1! org1
-
Copy the
cknfastrc
andpkcs11.yml
configuration files into the running container:% docker cp cknfastrc dap-wnfast:/opt/nfast/cknfastrc % docker cp pkcs11.yml dap-wnfast:/opt/conjur/etc/pkcs11.yml
-
Generate a new Key Encryption Key (KEK) for Conjur to be stored on the HSM:
% docker exec dap-wnfast evoke pkcs11 generate
-
Start the
conjur-appliance
container, which will act as the Master DAP Server, in Interactive mode:% docker exec -i -t dap-wnfast /bin/bash
The KEK is now ready for use.
Example commands used with the KEK
% evoke pkcs11 wrap
% evoke keys lock
% evoke keys unlock
For more examples, see Server Key Encryption Methods in the CyberArk online documentation.