Introduction
This guide describes how to integrate a Red Hat OpenShift cluster with an Entrust nShield Hardware Security Module (HSM), using the nShield Container Option Pack (nCOP).
OpenShift is an application hosting platform by Red Hat. It makes it easy for developers to quickly build, launch, and scale container-based web applications in a public cloud environment. nCOP allows application developers, in the container-based environment of OpenShift, to access the cryptographic functionality of an HSM.
Integration architecture
OpenShift cluster and HSM
In this integration, a Red Hat OpenShift cluster is deployed on a VMware vSphere instance. Container images are pulled from a third-party cloud registry.
Container images
Two container images were created for the purpose of this integration: a hardserver container and an application container. These images are stored in an external registry, from which they are deployed to OpenShift:
- cv-nshield-hwsp-container: A hardserver container image that controls communication between the HSM(s) and the application containers. One or more hardserver containers are required per deployment, depending on the number of HSMs and the number and types of application containers.
  Entrust recommends that you allow only unprivileged connections unless you are performing administrative tasks.
- cv-nshield-app-container: An application container image used to run nShield commands. It is an Ubuntu Universal Base Image container in which the Security World software is installed.
You can also create containers that contain your own application. For instructions, see the nShield Container Option Pack User Guide.
Product configurations
Entrust has successfully tested the integration of an nShield HSM with Red Hat OpenShift in the following configurations:
| Product | Version |
|---|---|
| Base OS | RHEL 9.7 |
| OpenShift | 4.20.6 |
| VMware | vSphere 8.0.0.10200 |
| Security World Software | 13.6.14 |
| nCOP | 1.1.3 |
Supported nShield hardware and software versions
Entrust tested with the following nShield hardware and software versions:
Connect XC
| Security World Software | Firmware | Image | OCS | Softcard | Module | FIPS Level 3 |
|---|---|---|---|---|---|---|
| 13.6.14 | 13.6.14 | | ✓ | ✓ | ✓ | No |
nShield 5c
| Security World Software | Firmware | Image | OCS | Softcard | Module | FIPS Level 3 |
|---|---|---|---|---|---|---|
| 13.6.14 | 13.6.14 | | ✓ | ✓ | ✓ | Yes |
What changed since the last integration test
- The deployment server changed from Red Hat 8 to Red Hat 9.
- The OpenShift version changed from 4.14.7 to 4.20.6.
- The Security World Client software version changed from 13.4.4 to 13.6.14.
- The nShield Container Option Pack (nCOP) version changed from 1.1.2 to 1.1.3.
- YAML attributes:
  - Affinity attributes: these were added to the YAML files because OpenShift can deploy pods on different worker nodes. They ensure that the application pods are deployed on the same node as the hardserver pod.
  - ServiceAccountName attribute: this was added to resolve security warnings. It contains the name of a service account that is newly created during the deployment process; all pods run under this service account. The service account name is ncop-sa.
  - Name changes: the YAML files used the nscop string in some attributes. This string changed to ncop to match the nCOP name.
- HSM changes: Connect XC and nShield 5c continue to be supported; nShield 5c 10G is now also supported.
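The affinity and ServiceAccountName items above, shown together as an added example (not a YAML file from the nCOP guide or from Entrust): the service account ncop-sa is created, and an application Deployment is pinned to whichever worker node runs the hardserver pod. The hardserver pod label app=nshield-hwsp and the registry path are assumptions.

```yaml
# Added example, not part of the nCOP guide. Assumes the hardserver
# Deployment labels its pods app=nshield-hwsp; registry.example.com is a
# placeholder for the external registry named in the guide.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: ncop-sa            # service account created during deployment
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nshield-app
  labels:
    app: nshield-app
spec:
  replicas: 1
  selector:
    matchLabels:
      app: nshield-app
  template:
    metadata:
      labels:
        app: nshield-app
    spec:
      serviceAccountName: ncop-sa      # all pods run under this account
      affinity:
        podAffinity:
          # A hard ("required") constraint: if no node currently hosts a
          # hardserver pod, this pod stays Pending rather than being placed
          # on a node where it has no hardserver to reach.
          requiredDuringSchedulingIgnoredDuringExecution:
            - labelSelector:
                matchLabels:
                  app: nshield-hwsp    # assumed label on the hardserver pods
              topologyKey: kubernetes.io/hostname
      containers:
        - name: nshield-app
          image: registry.example.com/cv-nshield-app-container:latest
          command: ["sleep", "infinity"]   # keep the pod up for nShield commands
```

After applying it, `oc get pods -o wide` should list the application pod and the hardserver pod with the same value in the NODE column.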