The Hardserver Container
The hardserver container, nshield-hwsp, controls communication between the configured nShield Connect(s) and the application containers.
Only one hardserver container is required per deployment, regardless of the number of nShield Connects or application containers.
Creating nshield-hwsp
make-nshield-hwsp can be used to create the hardserver container.
The only required argument is the path to a mounted nShield Security World ISO.
For example:
$ mkdir SecWorld-12.60.3
$ sudo mount -o loop SecWorld_Lin64-12.60.3.iso SecWorld-12.60.3
mount: /dev/loop0 is write-protected, mounting read-only
$ make-nshield-hwsp SecWorld-12.60.3
[...]
Successfully tagged nshield-hwsp:12.60.3
The default base image for nShield hardserver containers is ubuntu:bionic. The default tag reflects the version of nShield Security World software that the container was built from.
If you want to use a different base image, or specify a different tag, use the --from and --tag options.
See make-nshield-hwsp --help for more information.
Users and Groups
By default the nfast user and group in the container will match those on the host machine.
If they do not exist on the host, or if this is a bad fit for the deployment, the --uid and --gid options should be used to set them.
Configuring nshield-hwsp
make-nshield-hwsp-config can be used to create the hardserver container’s configuration (the "config" component in the Deployment Architecture diagram).
- Use the --output option to specify the filename.
- List the IP addresses of the network HSMs on the command line.
For example:
$ sudo mkdir -p /opt/nfast/kmdata/config.hwsp
$ sudo make-nshield-hwsp-config --output /opt/nfast/kmdata/config.hwsp/config 192.168.0.10
$ cat /opt/nfast/kmdata/config.hwsp/config
syntax-version=1
[nethsm_imports]
local_module=1
remote_esn=1111-2222-3333
remote_ip=192.168.0.10
remote_port=9004
keyhash=000102030405060708090a0b0c0d0e0f10111213
privileged=0
Module numbers are assigned in the order the IP addresses are listed.
Note that key hash values are retrieved from the remote HSMs without any trust: the generated configuration file should be compared against values recorded from the HSM front panel, or obtained via some other trusted path, before it is used.
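One way to make that comparison repeatable, as an added example that is not part of the nShield Container Option Pack: parse the [nethsm_imports] entries that make-nshield-hwsp-config wrote and check each keyhash against a table of hashes an operator recorded from the front panel. The sample configuration and the trusted table are constructed from the values shown above, and the parser assumes nShield's convention of a dash line separating entries within a multi-entry section.

```python
# Added example (not nShield's own code): compare the keyhash values written by
# make-nshield-hwsp-config with hashes an operator recorded via a trusted path.
# Constructed sample matching the make-nshield-hwsp-config output shown above.
GENERATED_CONFIG = """\
syntax-version=1

[nethsm_imports]
local_module=1
remote_esn=1111-2222-3333
remote_ip=192.168.0.10
remote_port=9004
keyhash=000102030405060708090a0b0c0d0e0f10111213
privileged=0
"""

# Constructed: ESN -> key hash transcribed from the HSM front panel.
TRUSTED_KEYHASHES = {"1111-2222-3333": "000102030405060708090a0b0c0d0e0f10111213"}

def parse_nethsm_imports(text):
    """Return one dict per [nethsm_imports] entry, in file order.
    Assumes the nShield convention of a dash line separating entries."""
    entries, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("["):  # section header
            current = {} if line == "[nethsm_imports]" else None
            if current is not None:
                entries.append(current)
        elif line.startswith("---") and current is not None:  # next entry
            current = {}
            entries.append(current)
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            current[key.strip()] = value.strip()
    return [e for e in entries if e]

def check_keyhashes(config_text, trusted):
    """Return [(remote_esn, status)]; status is 'ok', 'mismatch' or 'unknown-esn'.
    Anything but 'ok' means the file must not be mounted into nshield-hwsp yet."""
    results = []
    for entry in parse_nethsm_imports(config_text):
        esn, seen = entry.get("remote_esn", ""), entry.get("keyhash", "").lower()
        expected = trusted.get(esn)
        if expected is None:
            results.append((esn, "unknown-esn"))
        else:
            results.append((esn, "ok" if seen == expected.lower() else "mismatch"))
    return results
```

Run check_keyhashes over the real file before mounting it into the container; a mismatch or an unknown ESN means the hash the tool fetched over the network has not been confirmed out of band.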
Running nshield-hwsp
To run the hardserver container, you must:
- Supply the generated hardserver configuration to the container.
- Expose the container’s client socket.
Both can be done with the -v option.
For example:
$ sudo mkdir -m755 -p /opt/nfast/sockets.hwsp
$ sudo chown -R nfast:nfast /opt/nfast/sockets.hwsp
$ docker run \
    -v /opt/nfast/kmdata/config.hwsp:/opt/nfast/kmdata/config:ro \
    -v /opt/nfast/sockets.hwsp:/opt/nfast/sockets \
    nshield-hwsp:12.60.3
Hardserver INIT: Notice: Hardserver using priority class queueing algorithm: 0 classes and 0 modules total.
[...]
This makes nshield-hwsp’s hardserver available via the sockets in /opt/nfast/sockets.hwsp. You can test this from the host:
$ NFAST_SERVER=/opt/nfast/sockets.hwsp/nserver enquiry -m0
Server:
 enquiry reply flags  none
 enquiry reply level  Six
 serial number        1111-2222-3333
 mode                 operational
 version              12.60.3
[...]