Application Containers
An nShield application container is a container with the nShield Security World software installed.
Two strategies for creating nShield application containers are supported:
- Create an nShield base container, and derive application containers from it.
- Derive a container with nShield Security World software from an existing application container.
nShield base container
The base container can be created using make-nshield-application. The only required argument is the path to a mounted Security World ISO.
$ make-nshield-application SecWorld-12.70.4
[...]
Successfully tagged nshield-ubi7:12.70.4
To run the base application container, you must:
- Supply a kmdata folder (if you wish to perform operations that require a Security World).
- Mount a volume for the sockets folder.
Both can be done with the -v option. Different application containers can use different kmdata folders. For example, you could create a new folder:
$ mkdir -p /opt/ncop/app1/kmdata/local
You can then copy the desired Security World and module files for your application into this folder.
Using this folder and the Docker volume created for the hardserver container in section 5.3 above, this container can be run directly:
$ docker run -it \
-v /opt/ncop/app1/kmdata:/opt/nfast/kmdata:ro \
-v socket1.hwsp:/opt/nfast/sockets \
nshield-ubi7:12.70.4
[root@075c41761e0f /]# /opt/nfast/bin/enquiry
Server:
enquiry reply flags none
enquiry reply level Six
serial number 1111-2222-3333
[...]
It can also be used as the base for an application container. (See examples/nfkminfo.)
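The run procedure above, as an added example that is not part of nCOP or of this page: a small POSIX shell wrapper that checks an application's private kmdata folder before starting the container with the mounts shown above. It assumes the standard kmdata layout (local/world plus local/module_<ESN> files), the image tag and socket volume name used above, and a DOCKER variable that can be pointed at echo for a dry run.

```sh
#!/bin/sh
# Preflight wrapper for an nShield application container (added example, not
# nCOP code). Each application gets its own kmdata folder holding only the
# world and module files it needs, mounted read-only into the container.
set -eu

IMAGE="${IMAGE:-nshield-ubi7:12.70.4}"          # tag produced by make-nshield-application
SOCKET_VOLUME="${SOCKET_VOLUME:-socket1.hwsp}"   # volume shared with the hardserver container
DOCKER="${DOCKER:-docker}"                       # set DOCKER=echo for a dry run

# Verify that the kmdata folder holds what an application needs: the Security
# World file and at least one module_<ESN> file (assumed standard layout).
# Returns 1 and reports what is missing, so a misconfigured container never starts.
check_kmdata() {
    dir="$1"
    ok=0
    [ -f "$dir/local/world" ] || { echo "missing $dir/local/world" >&2; ok=1; }
    if ! ls "$dir"/local/module_* >/dev/null 2>&1; then
        echo "no module_* file in $dir/local" >&2
        ok=1
    fi
    return $ok
}

# Start the container: kmdata read-only (the application only reads world and
# module files), sockets volume mounted so tools such as enquiry reach the
# hardserver. Extra arguments become the command run inside the container.
run_app_container() {
    kmdata="$1"
    shift
    check_kmdata "$kmdata" || return 1
    "$DOCKER" run -it \
        -v "$kmdata:/opt/nfast/kmdata:ro" \
        -v "$SOCKET_VOLUME:/opt/nfast/sockets" \
        "$IMAGE" "$@"
}

# Usage: sh run-app.sh /opt/ncop/app1/kmdata [command...]
if [ "$#" -ge 1 ]; then
    run_app_container "$@"
fi
```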
The default base image for nShield application containers is RedHat UBI7. The default tag reflects the version of nShield Security World software that the container was built from.
If you want to use a different base image, or specify a different tag, use the --from and --tag options. See make-nshield-application --help for more information.
nShield application containers have been tested with the following base images:
- RedHat UBI 7/8 (including "minimal")
- CentOS 7
- Ubuntu Bionic 18.04
- Ubuntu Focal 20.04
- Debian Stretch 9 (including slim)
- Debian Buster 10 (including slim)
- OpenSUSE 15.1/2
- Alpine (frolvlad-glibc)
- Nginx 1.18
- Apache 2.4.43
Other base images may work but are untested.
API Support (Java)
Depending on the application's requirements, the additional Java component may be installed with the option --java.
$ make-nshield-application --java SecWorld-12.70.4
[...]
Successfully tagged nshield-ubi7:12.70.4-java
The supported API is appended to the nShield software version in the container tag.
Note that with Security World v12.60 and later:
- PKCS11 is included by default and is not configurable with the nCOP scripts.
- CHIL is not supported.
Java applications expect to connect to localhost:9000. This must therefore be forwarded to the hardserver socket using the /opt/nfast/sbin/nshield-forward utility.
- This utility is included in any container built using the make-nshield-application or extend-nshield-application scripts.
- This utility depends on socat being installed in the application container. The nShield base container includes socat, but extend-nshield-application will not install it. You must install it yourself.
Deriving from application containers
The alternative strategy is to build the application container and then install the nShield support software into it. This can be done with extend-nshield-application.
This strategy might be preferred if the application container already exists or if it supports many cryptographic backends with nShield being just one choice.
See examples/nfkmverify for an example use of extend-nshield-application.
Example applications
A set of example application containers is provided within the examples directory.
For further information on building and running the examples, see the Readme within each example directory.
Example | Description
---|---
 | Simple example of running an nShield application in an application container created using
 | Example Java application where the application container is derived from the nShield Java container using
 | Example where the application container is extended from an existing container to add nShield Container using
 | Example web server exposing basic information about the connected nShield modules