Introduction
This guide describes how to integrate a Red Hat OpenShift cluster with an Entrust nShield Hardware Security Module (HSM), using the nShield Container Option Pack (nCOP).
OpenShift is Red Hat's container application platform. It lets developers build, deploy, and scale container-based applications quickly, whether the cluster runs in a public cloud or on their own infrastructure. nCOP gives applications running in OpenShift containers access to the cryptographic functionality of an nShield HSM.
Integration architecture
OpenShift cluster and HSM
In this integration, the Red Hat OpenShift cluster is deployed on VMware vSphere. The container images are pulled from an external (third-party) container registry.
Container images
Two container images were created for this integration, a hardserver container and an application container. Both are stored in an external registry and deployed from there to OpenShift:

- cv-nshield-hwsp-container

  A hardserver container image that controls communication between the HSM(s) and the application containers. One or more hardserver containers are required per deployment, depending on the number of HSMs and the number and types of application containers.

  Entrust recommends that you allow only unprivileged connections unless you are performing administrative tasks.

- cv-nshield-app-container

  An application container image for running nShield commands. It is a Red Hat Universal Base Image (UBI) container in which the Security World software is installed.

You can also build containers that contain your own application. For instructions, see the nShield Container Option Pack User Guide.
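As an added illustration of the architecture described above (this manifest is not from the Entrust guide or from nCOP itself), the following Kubernetes objects run the hardserver and application containers in a single pod. The two containers share the hardserver's Unix socket over an emptyDir volume, so the application container never opens a network connection to the HSM, and the hardserver's connection to the HSM is configured as unprivileged. The following are assumptions to check against the nCOP User Guide for your release: the registry host `registry.example.com`, the socket directory `/opt/nfast/sockets`, the hardserver configuration path `/opt/nfast/kmdata/config/config`, the `[nethsm_imports]` keys, and the placeholder HSM address, ESN and key hash.

```yaml
# Added example, not part of the Entrust guide or of nCOP.
# Registry host, paths and HSM identifiers are placeholders/assumptions;
# verify them against the nCOP User Guide for your nCOP and Security World release.
apiVersion: v1
kind: ConfigMap
metadata:
  name: nshield-hardserver-config
data:
  # Hardserver configuration for cv-nshield-hwsp-container (assumed path:
  # /opt/nfast/kmdata/config/config). remote_ip, remote_esn and keyhash are
  # placeholders for your nShield Connect. privileged=0 keeps the hardserver's
  # connection to the HSM unprivileged, per the Entrust recommendation; set it
  # to 1 only for a deployment that performs administrative tasks.
  config: |
    [nethsm_imports]
    local_module=1
    remote_ip=10.0.0.10
    remote_port=9004
    remote_esn=XXXX-XXXX-XXXX
    keyhash=0000000000000000000000000000000000000000
    privileged=0
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nshield-app
spec:
  replicas: 1
  selector:
    matchLabels:
      app: nshield-app
  template:
    metadata:
      labels:
        app: nshield-app
    spec:
      containers:
        # Hardserver: the only container that talks to the HSM.
        - name: hardserver
          image: registry.example.com/cv-nshield-hwsp-container:latest
          volumeMounts:
            - name: sockets
              mountPath: /opt/nfast/sockets
            - name: hardserver-config
              mountPath: /opt/nfast/kmdata/config
        # Application: reaches the HSM only through the shared hardserver socket.
        - name: app
          image: registry.example.com/cv-nshield-app-container:latest
          securityContext:
            allowPrivilegeEscalation: false
          volumeMounts:
            - name: sockets
              mountPath: /opt/nfast/sockets
      volumes:
        # Shared in-memory volume carrying the hardserver's Unix socket.
        - name: sockets
          emptyDir: {}
        - name: hardserver-config
          configMap:
            name: nshield-hardserver-config
```

After applying the manifest, a quick check that the application container can reach the HSM through the hardserver is `oc exec deploy/nshield-app -c app -- /opt/nfast/bin/enquiry`; the output should list the module(s) behind the hardserver rather than an error opening the socket. Because the HSM address and credentials live only in the hardserver's configuration and the application container holds no network route to the HSM, scaling application containers does not widen the set of clients the HSM itself accepts.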
Product configurations
Entrust has successfully tested the integration of an nShield HSM with Red Hat OpenShift in the following configurations:
| Product | Version |
|---|---|
| Base OS | RHEL 8.9 |
| OpenShift | 4.14.7 |
| VMware | vSphere 8.0.0.10200 |
| Security World Software | 13.4.4 |
| nCOP | 1.1.2 |