Application Containers

An nShield application container is a container with the nShield Security World software installed.

Two strategies for creating nShield application containers are supported:

  • Create an nShield base container, and derive application containers from it.

  • Derive a container with nShield Security World software from an existing application container.

nShield base container

The base container can be created using make-nshield-application. The only required argument is the path to a mounted Security World ISO.

$ make-nshield-application SecWorld-12.60.3
Successfully tagged nshield-centos7:12.60.3

This container can be run directly:

$ docker run -it \
    -v /opt/nfast/kmdata:/opt/nfast/kmdata:ro \
    -v /opt/nfast/sockets.hwsp:/opt/nfast/sockets \
[root@075c41761e0f /]# /opt/nfast/bin/enquiry
 enquiry reply flags  none
 enquiry reply level  Six
 serial number        1111-2222-3333

It can also be used as the base for an application container, see examples/nfkminfo in Example applications.

The default base image for nShield application containers is centos:centos7. The default tag reflects the version of nShield Security World software that the container was built from.

If you want to use a different base image, or specify a different tag, use the --from and --tag options. See make-nshield-application --help for more information. nShield application containers have been tested with the following base images:

  • RedHat UBI 7

  • CentOS 7

  • Ubuntu Bionic

  • frolvlad/alpine-glibc

  • Debian Stretch

  • nginx 1.17.4

  • Apache 2.4.41

Other base images may work but are untested.

API Support (CHIL, Java, PKCS#11)

Depending on the application’s requirements, additional components may be installed. The possible options are --chil, --java and --pkcs11. Any combination is allowed.

$ make-nshield-application --java SecWorld-12.60.3
Successfully tagged nshield-centos7:12.60.3-java

The set of supported APIs is appended to the nShield software version in the container tag.

API support is dependant on the version of nShield software used. Note that with Security World v12.60, PKCS11 is included by default and is not configurable with the nSCOP scripts, and CHIL is not supported. With earlier versions you can configure any combination of APIs.

Java applications

Java applications expect to connect to localhost:9000. This must therefore be forwarded to the hardserver socket.

/opt/nfast/sbin/nshield-forward implements this forwarding and is included in any container built using the make-nshield-application or extend-nshield-application scripts. This utility depends on socat being installed in the application container. The nShield base container includes socat but extend-nshield-application will not install it. You must install it yourself.

Java Archictural diagram

Deriving from application containers

The alternative strategy is to build the application container and then install the nShield support software into it. This can be done with extend-nshield-application. This strategy might be preferred if the application container already exists or if it supports many cryptographic backends with nShield being just one choice.

For an example use of extend-nshield-application, see examples/nfkmverify in Example applications.

Example applications

A set of example application containers are provided within the examples directory.

For further information on building and running each example, see the Readme file within its directory.

Directory Description


Simple example of running an nShield application in an application container created using make-nshield-application.


Example Java application where the the application container is derived from the nShield Java container using make-nshield-application.


Example where the application container is extended from an existing container to add nShield Container using extend-nshield-application.


Example web server exposing basic information about the connected nShield modules.