Procedures

Prerequisites

Before you can use nCOP and run the container images, complete the following steps:

  1. Install Docker. For information, see Get Docker in the Docker online documentation.

  2. Obtain the Conjur appliance image and load the conjur-appliance archive into the local Docker image store:

    % docker load -i conjur-appliance-13.2.0.tar.gz
  3. Request the nCOP and Security World software from Entrust.

  4. Set up the HSM. See the Installation Guide for your HSM.

  5. Configure the HSM(s) to accept the IP address of your container host machine as a client.

  6. Load an existing Security World or create a new one on the HSM.

  7. Copy the Security World and module files to your container host machine at a directory of your choice.

  8. Create or edit the cknfastrc file in /opt/nfast and add the settings for your key protection type:

    1. For OCS or Softcard protection:

      CKNFAST_LOADSHARING=1
      CKNFAST_NO_ACCELERATOR_SLOTS=1
    2. For Module protection:

      CKNFAST_FAKE_ACCELERATOR_LOGIN=1
    3. Optionally, add the following to write PKCS #11 debug logs to the given location (here the example path /opt/ncop/pkcs11.log):

      CKNFAST_DEBUG=10
      CKNFAST_DEBUGFILE=/opt/ncop/pkcs11.log
  9. Create a pkcs11.yml file with the following content:

    library: /opt/nfast/toolkits/pkcs11/libcknfast.so
    wrapping_key: <wrapping_key name>
    pin: <passphrase of ocs/softcard if required>
    slot: <slot number for the intended key protection type>
    By default, slot 0 is module protection, slot 1 softcard protection and slot 2 OCS protection. The numbering can differ depending on your HSM deployment, so confirm it against the slots the PKCS #11 library reports. The pin entry is only needed for OCS or softcard protection; omit it for module protection. Because the file may hold the OCS or softcard passphrase, restrict its permissions to the owner.

For more information on configuring and managing nShield HSMs, Security Worlds, and Remote File Systems, see the User Guide for your HSM(s).
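The cknfastrc and pkcs11.yml files from steps 8 and 9, generated by a small shell helper. This is an added example and not part of the Entrust nCOP or CyberArk Conjur documentation; the staging directory, the wrapping-key name and the passphrase in the usage comment are assumptions, and the files are meant to be copied into the Conjur container with docker cp as described later. The helper refuses the combinations the guide rules out: OCS and softcard protection need the passphrase as pin, module protection takes none.

```shell
#!/bin/sh
# Added example, not part of the Entrust nCOP or CyberArk Conjur documentation.
# Writes cknfastrc and pkcs11.yml for one key protection type and rejects
# combinations the guide rules out. The staging directory, wrapping-key name
# and slot numbers are passed in by the caller; /opt/ncop/pkcs11.log is the
# guide's example debug log path.
set -eu

# write_cknfastrc DIR PROTECTION [DEBUG_LOG]
#   PROTECTION is module, softcard or ocs. When DEBUG_LOG is given, PKCS #11
#   debug logging at level 10 is switched on and written to that path.
write_cknfastrc() {
    dir=$1; protection=$2; debuglog=${3:-}
    case "$protection" in
        module)
            printf 'CKNFAST_FAKE_ACCELERATOR_LOGIN=1\n' > "$dir/cknfastrc" ;;
        softcard|ocs)
            printf 'CKNFAST_LOADSHARING=1\nCKNFAST_NO_ACCELERATOR_SLOTS=1\n' \
                > "$dir/cknfastrc" ;;
        *)
            echo "unknown protection type: $protection" >&2; return 1 ;;
    esac
    if [ -n "$debuglog" ]; then
        printf 'CKNFAST_DEBUG=10\nCKNFAST_DEBUGFILE=%s\n' "$debuglog" \
            >> "$dir/cknfastrc"
    fi
}

# write_pkcs11_yml DIR PROTECTION WRAPPING_KEY SLOT [PIN]
#   Fails if PIN is missing for ocs/softcard or present for module protection.
write_pkcs11_yml() {
    dir=$1; protection=$2; key=$3; slot=$4; pin=${5:-}
    case "$protection" in
        module)
            if [ -n "$pin" ]; then
                echo "module protection does not use a pin" >&2; return 1
            fi ;;
        softcard|ocs)
            if [ -z "$pin" ]; then
                echo "$protection protection needs the passphrase as pin" >&2
                return 1
            fi ;;
        *)
            echo "unknown protection type: $protection" >&2; return 1 ;;
    esac
    {
        printf 'library: /opt/nfast/toolkits/pkcs11/libcknfast.so\n'
        printf 'wrapping_key: %s\n' "$key"
        if [ -n "$pin" ]; then printf 'pin: %s\n' "$pin"; fi
        printf 'slot: %s\n' "$slot"
    } > "$dir/pkcs11.yml"
    # The file may carry an OCS or softcard passphrase: keep it owner-readable.
    chmod 600 "$dir/pkcs11.yml"
}

# Usage (assumed staging directory, OCS protection in the guide's default
# slot 2, with debug logging). Both files are then copied into the container
# with docker cp, as in the Conjur procedure below:
#   mkdir -p /opt/ncop/conjur-config
#   write_cknfastrc /opt/ncop/conjur-config ocs /opt/ncop/pkcs11.log
#   write_pkcs11_yml /opt/ncop/conjur-config ocs conjur-kek 2 'ocs passphrase'
```

The checks are deliberately strict: a pkcs11.yml with a pin entry under module protection, or without one under OCS or softcard protection, will not load the wrapping key, and the failure only shows up later when evoke tries to use the HSM.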

Create and configure the nshield-hwsp container

The nShield hardserver container must be set up first: the CyberArk Conjur Master DAP Server container created later (see Create and configure the Conjur application container and the Master DAP Server) reaches the HSM through the socket this container publishes.

To deploy an nCOP container image for use with CyberArk Conjur:

  1. Log in to the container host machine server with root privileges and launch a terminal window.

  2. Set up the nCOP working directory (the nCOP scripts used in the remaining steps are run from /opt/ncop):

    % mkdir -p /opt/ncop
    
    % tar xf ncop-1.1.2.tar -C /opt/ncop
  3. Mount the Security World:

    % mkdir SecWorld-13.4.5
    
    % mount -o loop SecWorld_Lin64-13.4.5.iso SecWorld-13.4.5
  4. Set up the hardserver image:

    % ./make-nshield-hwsp SecWorld-13.4.5
  5. Configure nshield-hwsp:

    1. Set up the hardserver configuration file and directory:

      % mkdir -p /opt/ncop/config1
      
      % ./make-nshield-hwsp-config --output /opt/ncop/config1 config <hsm ip address>
    2. Check that the configuration file information matches your HSM deployment:

      % cat /opt/ncop/config1/config
    3. Create a new socket so that application containers can use the hardserver:

      % docker volume create socket1
    4. Run the nshield-hwsp container:

      % docker run -d -v /opt/ncop/config1:/opt/nfast/kmdata/config:ro -v socket1:/opt/nfast/sockets nshield-hwsp:13.4.5
    5. Check the status of nshield-hwsp with the enquiry command, run on the host against the socket the container publishes. The server and each module should report mode operational before you continue:

      % NFAST_SERVER=/var/lib/docker/volumes/socket1/_data/nserver /opt/nfast/bin/enquiry
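A readiness check for the step above, as an added example that is not part of the Entrust nCOP or CyberArk Conjur documentation: wait for the nserver socket in the socket1 volume to appear, then run enquiry against it and only succeed when the server and at least one module are in mode operational. The socket path and /opt/nfast/bin/enquiry are those used in the guide; the enquiry transcript embedded in the block is constructed, abridged to the lines the check looks at, and is there only to exercise the filter offline.

```shell
#!/bin/sh
# Added example, not part of the Entrust nCOP or CyberArk Conjur documentation.
# Waits for the hardserver socket published by the nshield-hwsp container and
# checks that enquiry reports the server and at least one module operational
# before the application container is started.
set -eu

# enquiry_operational: reads enquiry output on stdin. Succeeds only if the
# "Server:" section and at least one "Module #N:" section report
# "mode operational"; no modules, a module in another mode, or an
# unreachable hardserver (no Server section) all fail.
enquiry_operational() {
    awk '
        /^Server:/         { section = "server" }
        /^Module #[0-9]+:/ { section = "module" }
        /^[ \t]+mode[ \t]+operational[ \t]*$/ {
            if (section == "server") server_ok = 1
            if (section == "module") modules++
        }
        END { exit !(server_ok && modules > 0) }
    '
}

# wait_for_hardserver SOCKET TIMEOUT_SECONDS
#   Polls for the nserver socket, then runs enquiry against it via
#   NFAST_SERVER, exactly as the guide does by hand.
wait_for_hardserver() {
    sock=$1; timeout=$2
    deadline=$(( $(date +%s) + timeout ))
    while [ ! -S "$sock" ]; do
        if [ "$(date +%s)" -ge "$deadline" ]; then
            echo "no hardserver socket at $sock after ${timeout}s" >&2
            return 1
        fi
        sleep 1
    done
    NFAST_SERVER="$sock" /opt/nfast/bin/enquiry | enquiry_operational
}

# Constructed enquiry transcript, abridged to the lines the check inspects.
SAMPLE_ENQUIRY='Server:
 enquiry reply flags  none
 enquiry reply level  Six
 mode                 operational
 version              13.4.5
Module #1:
 enquiry reply flags  none
 enquiry reply level  Six
 mode                 operational
 version              13.4.5'

# check_sample: returns 0 when the constructed transcript passes the check.
check_sample() {
    printf '%s\n' "$SAMPLE_ENQUIRY" | enquiry_operational
}

# Usage on the container host, after docker run of nshield-hwsp:
#   wait_for_hardserver /var/lib/docker/volumes/socket1/_data/nserver 30 \
#       || { echo "hardserver not ready, not starting Conjur" >&2; exit 1; }
```

Gating the Conjur container on this check matters because evoke pkcs11 generate in the next procedure fails opaquely if the hardserver is up but has no operational module behind it; the socket existing is not enough.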

Create and configure the Conjur application container and the Master DAP Server

  1. Extend the conjur-appliance image with the nfast utilities:

    % ./extend-nshield-application --from registry.tld/conjur-appliance:13.2.2 --pkcs11 SecWorld-13.4.5
  2. Tag the generated application image for convenience, using the ID of the image produced in the previous step:

    % docker tag <IMAGEID> conjur-appliance-wnfast:13.2.2
  3. Run the extended conjur-appliance image, mounting the Security World data and the hardserver socket volume created earlier:

    % docker run --name dap-wnfast -d --restart=unless-stopped --security-opt seccomp=/path/to/conjur-seccomp.json -p "443:443" -p "5432:5432" -p "1999:1999" -v /opt/nfast/kmdata:/opt/nfast/kmdata:rw -v socket1:/opt/nfast/sockets conjur-appliance-wnfast:13.2.2
  4. Perform the initial configuration of Conjur. The username is admin. For password requirements, see Configure the Conjur cluster in the CyberArk online documentation. A password given on the command line, as below, is recorded in the shell history of the container host and visible in process listings while the command runs, so clear the history entry afterwards.

    % docker exec dap-wnfast evoke configure master --accept-eula --hostname dap-wnfast.example.com --admin-password Mypassw0rD1! org1
  5. Copy the cknfastrc and pkcs11.yml configuration files into the running container:

    % docker cp cknfastrc dap-wnfast:/opt/nfast/cknfastrc
    
    % docker cp pkcs11.yml dap-wnfast:/opt/conjur/etc/pkcs11.yml
  6. Generate a new Key Encryption Key (KEK) for Conjur to be stored on the HSM:

    % docker exec dap-wnfast evoke pkcs11 generate
  7. Open an interactive shell in the running conjur-appliance container, which acts as the Master DAP Server, to run further evoke commands:

    % docker exec -i -t dap-wnfast /bin/bash

The KEK is now ready for use.

Example evoke commands used with the KEK, run from the container shell

% evoke pkcs11 wrap
% evoke keys lock
% evoke keys unlock

For more examples, see Server Key Encryption Methods in the CyberArk online documentation.