The Hardserver Container

The hardserver container, nshield-hwsp, controls communication between the configured nShield Connect/s and application containers. Only one hardserver container is required per deployment, regardless of the number of nShield Connects or application containers.

Creating nshield-hwsp

make-nshield-hwsp can be used to create the hardserver container. The only required argument is the path to a mounted nShield Security World ISO.

For example:

$ mkdir SecWorld-12.60.3
$ sudo mount -o loop SecWorld_Lin64-12.60.3.iso SecWorld-12.60.3
mount: /dev/loop0 is write-protected, mounting read-only
$ make-nshield-hwsp SecWorld-12.60.3
[...]
Successfully tagged nshield-hwsp:12.60.3

The default base image for nShield hardserver containers is ubuntu:bionic. The default tag reflects the version of nShield Security World software that the container was built from.

If you want to use a different base image, or specify a different tag, use the --from and --tag options. See make-nshield-hwsp --help for more information.

Users and Groups

By default the nfast user and group in the container will match those on the host machine. If they do not exist on the host, or if matching the host is a poor fit for the deployment, use the --uid and --gid options to set them explicitly.

Configuring nshield-hwsp

make-nshield-hwsp-config can be used to create the hardserver container's configuration (the "config" component in the Deployment Architecture diagram).

  • Use the --output option to specify the filename.

  • List IP addresses of network HSMs on the command line.

For example:

$ sudo mkdir -p /opt/nfast/kmdata/config.hwsp
$ sudo make-nshield-hwsp-config --output /opt/nfast/kmdata/config.hwsp/config 192.168.0.10
$ cat /opt/nfast/kmdata/config.hwsp/config
syntax-version=1

[nethsm_imports]
local_module=1
remote_esn=1111-2222-3333
remote_ip=192.168.0.10
remote_port=9004
keyhash=000102030405060708090a0b0c0d0e0f10111213
privileged=0

Module numbers are assigned in order.

Note that key hash values are retrieved from remote HSMs without any trust; the generated configuration file should be compared against values recorded from the front panel, or some other trusted path.
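As an added example (not part of the nShield tooling), the following POSIX shell check compares every keyhash in a generated hardserver config with the value recorded for that ESN from a trusted path such as the HSM front panel. The config text and the trusted list it reads are constructed for illustration.

```shell
#!/bin/sh
# Added example (not part of the nShield tooling): compare the keyhash values in
# a make-nshield-hwsp-config output with values recorded from a trusted path
# (e.g. the HSM front panel). All data below is constructed for illustration.
SAMPLE_CONFIG='syntax-version=1

[nethsm_imports]
local_module=1
remote_esn=1111-2222-3333
remote_ip=192.168.0.10
remote_port=9004
keyhash=000102030405060708090a0b0c0d0e0f10111213
privileged=0

[nethsm_imports]
local_module=2
remote_esn=4444-5555-6666
remote_ip=192.168.0.11
remote_port=9004
keyhash=ffffffffffffffffffffffffffffffffffffffff
privileged=0'
# Trusted record, one "ESN keyhash" pair per line as noted from the front
# panel; the second hash deliberately differs from the config above.
TRUSTED='1111-2222-3333 000102030405060708090a0b0c0d0e0f10111213
4444-5555-6666 0123456789abcdef0123456789abcdef01234567'

# check_keyhashes CONFIG_TEXT TRUSTED_TEXT
# Prints "<esn> OK|MISMATCH|UNKNOWN" per imported HSM; returns 0 only when
# every [nethsm_imports] section has a keyhash equal to its trusted value.
check_keyhashes() {
    printf '%s\n' "$1" | awk -v trusted="$2" '
        function check_one() {
            if (esn == "") return
            if (!(esn in want))       { print esn " UNKNOWN";  bad = 1 }
            else if (want[esn] != kh) { print esn " MISMATCH"; bad = 1 }
            else                        print esn " OK"
            esn = ""; kh = ""
        }
        BEGIN {
            n = split(trusted, lines, "\n")
            for (i = 1; i <= n; i++) { split(lines[i], f, " "); want[f[1]] = f[2] }
        }
        /^\[nethsm_imports\]/ { check_one() }
        /^remote_esn=/        { esn = substr($0, 12) }
        /^keyhash=/           { kh  = substr($0, 9) }
        END { check_one(); exit bad }'
}

# Real use: check_keyhashes "$(cat /opt/nfast/kmdata/config.hwsp/config)" "$(cat trusted.txt)"
```

A non-zero exit means at least one imported HSM has a keyhash that is absent from, or different to, the trusted record, and the config should not be deployed until resolved.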

Running nshield-hwsp

To run the hardserver container, you must:

  • Supply the generated hardserver configuration to the container.

  • Expose the container’s client socket.

Both can be done with the -v option. For example:

$ sudo mkdir -m755 -p /opt/nfast/sockets.hwsp
$ sudo chown -R nfast:nfast /opt/nfast/sockets.hwsp
$ docker run \
    -v /opt/nfast/kmdata/config.hwsp:/opt/nfast/kmdata/config:ro \
    -v /opt/nfast/sockets.hwsp:/opt/nfast/sockets \
    nshield-hwsp:12.60.3
Hardserver INIT: Notice: Hardserver using priority class queueing algorithm: 0 classes and 0 modules total.
[...]

This makes nshield-hwsp’s hardserver available via the sockets in /opt/nfast/sockets.hwsp. You can test this from the host:

$ NFAST_SERVER=/opt/nfast/sockets.hwsp/nserver enquiry -m0
Server:
 enquiry reply flags  none
 enquiry reply level  Six
 serial number        1111-2222-3333
 mode                 operational
 version              12.60.3
[...]