Application Containers

An nShield application container is a container with the nShield Security World software installed.

Two strategies for creating nShield application containers are supported:

  • Create an nShield base container, and derive application containers from it.

  • Derive a container with nShield Security World software from an existing application container.

nShield base container

The base container can be created using make-nshield-application. The only required argument is the path to a mounted Security World ISO.

$ make-nshield-application SecWorld-12.70.4
[...]
Successfully tagged nshield-ubi7:12.70.4

To run the base application container, you must:

  • Supply a kmdata folder (if you wish to perform operations that require a Security World).

  • Mount a volume for the sockets folder.

Both can be done with the -v option. Different application containers can use different kmdata folders. For example, you could create a new folder:

$ mkdir -p /opt/ncop/app1/kmdata/local

You can then copy the desired Security World and module files for your application into this folder.

Using this folder and the Docker volume created for the hardserver container in section 5.3 above, this container can be run directly:

$ docker run -it \
    -v /opt/ncop/app1/kmdata:/opt/nfast/kmdata:ro \
    -v socket1.hwsp:/opt/nfast/sockets \
    nshield-ubi7:12.70.4
[root@075c41761e0f /]# /opt/nfast/bin/enquiry
Server:
    enquiry reply flags  none
    enquiry reply level  Six
    serial number        1111-2222-3333
[...]

It can also be used as the base for an application container. (See examples/nfkminfo.)

The default base image for nShield application containers is RedHat UBI7. The default tag reflects the version of nShield Security World software that the container was built from.

If you want to use a different base image, or specify a different tag, use the --from and --tag options. See make-nshield-application --help for more information. nShield application containers have been tested with the following base images:

  • RedHat UBI 7/8 (including "minimal")

  • CentOS 7

  • Ubuntu Bionic 18.04

  • Ubuntu Focal 20.04

  • Debian Stretch 9 (including slim)

  • Debian Buster 10 (including slim)

  • OpenSUSE 15.1/2

  • Alpine (frolvlad-glibc)

  • Nginx 1.18

  • Apache 2.4.43

Other base images may work but are untested.

API Support (Java)

Depending on the application’s requirements, the additional Java component may be installed with option --java.

$ make-nshield-application --java SecWorld-12.70.4
[...]
Successfully tagged nshield-ubi7:12.70.4-java

The supported API is appended to the nShield software version in the container tag.

Note that with Security World v12.60 and later:

  • PKCS11 is included by default and is not configurable with the nCOP scripts.

  • CHIL is not supported.

Java applications expect to connect to localhost:9000. This must therefore be forwarded to the hardserver socket using the /opt/nfast/sbin/nshield-forward utility.

  • This utility is included in any container built using the make-nshield-application or extend-nshield-application scripts.

  • This utility depends on socat being installed in the application container. The nShield base container includes socat but extend-nshield-application will not install it. You must install it yourself.
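The two run-time requirements above (a kmdata folder and the sockets volume) and the Java-specific socat dependency are easy to get wrong, and a missing mount typically surfaces only as an opaque hardserver connection error. The following POSIX shell entrypoint is an added example, not part of nCOP or its examples directory: it checks those requirements before handing control to the application. The mount points are the container-side paths from the docker run command above; the file names world (in kmdata/local) and nserver (in the sockets folder) are assumptions about the standard Security World layout, and the NFAST_KMDATA and NFAST_SOCKETS environment variable names are chosen here, not taken from the product.

```shell
#!/bin/sh
# Constructed pre-flight entrypoint for an nShield application container
# (added example, not nCOP code). Checks the kmdata mount, the hardserver
# sockets volume and, for Java applications, the socat dependency of
# nshield-forward. File names "world" and "nserver" are assumed from the
# standard Security World layout; the env var names are this example's own.

NFAST_KMDATA="${NFAST_KMDATA:-/opt/nfast/kmdata}"
NFAST_SOCKETS="${NFAST_SOCKETS:-/opt/nfast/sockets}"

# check_kmdata DIR
#   0 : DIR/local/world present (Security World operations possible)
#   1 : DIR/local missing (kmdata volume not mounted)
#   2 : DIR/local exists but holds no world file (module-only commands such
#       as enquiry still work; anything needing a Security World will not)
check_kmdata() {
    dir=$1
    if [ ! -d "$dir/local" ]; then
        echo "kmdata: $dir/local not found; mount -v <host kmdata>:$dir:ro" >&2
        return 1
    fi
    if [ ! -f "$dir/local/world" ]; then
        echo "kmdata: no world file in $dir/local; Security World unavailable" >&2
        return 2
    fi
    # The application only reads key material; a writable mount is a
    # misconfiguration worth flagging (the docker run example uses :ro).
    if [ -w "$dir/local/world" ]; then
        echo "kmdata: $dir is writable; mount it read-only (:ro)" >&2
    fi
    return 0
}

# check_sockets DIR
#   0 : hardserver socket present
#   1 : DIR missing (sockets volume not mounted)
#   2 : DIR mounted but no nserver socket (hardserver container not running?)
check_sockets() {
    dir=$1
    if [ ! -d "$dir" ]; then
        echo "sockets: $dir not found; mount the hardserver socket volume" >&2
        return 1
    fi
    if [ ! -S "$dir/nserver" ]; then
        echo "sockets: no nserver socket in $dir; is the hardserver up?" >&2
        return 2
    fi
    return 0
}

# require_tool NAME: 0 if NAME is on PATH, 1 otherwise.
require_tool() {
    if command -v "$1" >/dev/null 2>&1; then
        return 0
    fi
    echo "missing tool: $1 (extend-nshield-application does not install it)" >&2
    return 1
}

# preflight [java]: 0 when the container can reach the hardserver, 1 otherwise.
# A kmdata folder without a world file is reported but not fatal; a missing
# kmdata mount, a missing sockets volume, or (for Java) a missing socat is.
preflight() {
    rc=0
    r=0; check_kmdata "$NFAST_KMDATA" || r=$?
    if [ "$r" -eq 1 ]; then rc=1; fi
    check_sockets "$NFAST_SOCKETS" || rc=1
    if [ "$1" = "java" ]; then
        require_tool socat || rc=1
    fi
    return $rc
}

# Entrypoint use: run the checks, then exec the application command.
# Only runs when a command was given, so the file can also be sourced.
if [ "$#" -gt 0 ]; then
    mode=plain
    case "$1" in java|*/java) mode=java ;; esac
    preflight "$mode" || exit 1
    exec "$@"
fi
```

Copy the script into the image and name it as the ENTRYPOINT, passing the application command as arguments. For Java applications the script only verifies that socat is installed; nshield-forward itself must still be started so that localhost:9000 reaches the hardserver socket, as described above.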

(Figure: Java architectural diagram)

Deriving from application containers

The alternative strategy is to build the application container and then install the nShield support software into it. This can be done with extend-nshield-application. This strategy might be preferred if the application container already exists or if it supports many cryptographic backends with nShield being just one choice.

See examples/nfkmverify for an example use of extend-nshield-application.

Example applications

A set of example application containers is provided within the examples directory.

For further information on building and running the examples, see the Readme within each example directory.

Example       Description
nfkminfo      Simple example of running an nShield application in an application container created using make-nshield-application
javaenquiry   Example Java application where the application container is derived from the nShield Java container using make-nshield-application
nfkmverify    Example where the application container is extended from an existing container to add the nShield Security World software using extend-nshield-application
nfweb         Example web server exposing basic information about the connected nShield modules