The Hardserver Container

The hardserver container, nshield-hwsp, controls communication between the configured nShield Connect HSM(s) and the application containers. Only one hardserver container is required per deployment, regardless of the number of nShield Connects or application containers.

Creating nshield-hwsp

Create the hardserver container using make-nshield-hwsp. The only required argument is the path to a mounted nShield Security World ISO.

For example:

$ mkdir SecWorld-12.70.4
$ sudo mount -o loop SecWorld_Lin64-12.70.4.iso SecWorld-12.70.4
mount: /dev/loop0 is write-protected, mounting read-only
$ make-nshield-hwsp SecWorld-12.70.4
[...]
Successfully tagged nshield-hwsp:12.70.4

The default base image for nShield hardserver containers is Red Hat UBI7. The default tag reflects the version of the nShield Security World software that the container was built from.

If you want to use a different base image, or specify a different tag, use the --from and --tag options. See make-nshield-hwsp --help for more information.

Users and Groups

By default the nfast user and group in the container will match those on the host machine. If the nfast user and group do not exist on the host, either:

  • create the nfast user and group on the host, or

  • if this is a bad fit for deployment, use the --uid and --gid options to set them instead.

Configuring nshield-hwsp

Create the hardserver container’s configuration using make-nshield-hwsp-config. The hardserver container’s configuration is the "config" component in the Deployment Architecture diagram.

  • Use the --output option to specify the filename.

  • List IP addresses of network HSMs on the command line.

Different configuration files can be used for different container deployments.

Running the following example requires the nShield support software to be installed on the host. Alternatively, you can create the config file from the template below by filling in the esn/ip/port/keyhash values in the nethsm_imports section.

For example:

$ sudo mkdir -p /opt/ncop/config1
$ sudo make-nshield-hwsp-config --output /opt/ncop/config1/config 192.168.0.10
$ cat /opt/ncop/config1/config

[nethsm_imports]
local_module=1
remote_esn=1111-2222-3333
remote_ip=192.168.0.10
remote_port=9004
keyhash=000102030405060708090a0b0c0d0e0f10111213
privileged=0

Module numbers are assigned in order.

Note that key hash values are retrieved from the remote HSMs over an unauthenticated channel, so the tool cannot vouch for them. Before the generated configuration file is used, check each keyhash (and the matching ESN) against the values recorded from the HSM's front panel or obtained through some other trusted path.
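The check described above can be automated. The following script is an added example and is not part of the nShield container tooling: it parses the [nethsm_imports] section of a generated hardserver config, checks that every keyhash is 40 lowercase hex digits, and compares each entry's keyhash and ESN with a trusted record (here a constructed dictionary keyed by remote_ip, standing in for values transcribed from the front panel). The sample config is the one shown on this page; the assumption that multiple entries in the section are separated by a blank line or a line of dashes is the author's, since the page shows only a single entry.

```python
"""Verify keyhash/ESN values in a generated nshield-hwsp config against a trusted record.

Added example (not nShield-supplied code). Usage: python verify_hwsp_config.py <config-file>
"""
import re
import sys
from typing import Dict, List

# Constructed sample: the config file make-nshield-hwsp-config produced in the text.
SAMPLE_CONFIG = """\
[nethsm_imports]
local_module=1
remote_esn=1111-2222-3333
remote_ip=192.168.0.10
remote_port=9004
keyhash=000102030405060708090a0b0c0d0e0f10111213
privileged=0
"""

# Constructed trusted record, e.g. transcribed from each HSM's front panel, keyed by IP.
TRUSTED = {
    "192.168.0.10": {
        "esn": "1111-2222-3333",
        "keyhash": "000102030405060708090a0b0c0d0e0f10111213",
    },
}

# A keyhash as shown on the page is 40 lowercase hex digits.
KEYHASH_RE = re.compile(r"^[0-9a-f]{40}$")


def parse_nethsm_imports(text: str) -> List[Dict[str, str]]:
    """Return the key=value entries of the [nethsm_imports] section, one dict per entry.

    Assumption: entries are separated by a blank line or a line made only of dashes.
    Comment lines (#) are ignored; other sections are skipped.
    """
    entries: List[Dict[str, str]] = []
    current: Dict[str, str] = {}
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            if current:
                entries.append(current)
                current = {}
            in_section = line == "[nethsm_imports]"
            continue
        if not in_section or line.startswith("#"):
            continue
        if line == "" or set(line) == {"-"}:
            if current:
                entries.append(current)
                current = {}
            continue
        key, sep, value = line.partition("=")
        if sep:
            current[key.strip()] = value.strip()
    if current:
        entries.append(current)
    return entries


def verify_config(text: str, trusted: Dict[str, Dict[str, str]]) -> List[str]:
    """Return a list of problems; an empty list means every entry matches the trusted record."""
    problems: List[str] = []
    for entry in parse_nethsm_imports(text):
        ip = entry.get("remote_ip", "?")
        label = f"module {entry.get('local_module', '?')} ({ip})"
        keyhash = entry.get("keyhash", "")
        if not KEYHASH_RE.match(keyhash):
            problems.append(f"{label}: keyhash is not 40 lowercase hex digits")
        record = trusted.get(ip)
        if record is None:
            problems.append(f"{label}: no trusted record for this IP")
            continue
        if keyhash != record["keyhash"]:
            problems.append(f"{label}: keyhash does not match trusted record")
        if entry.get("remote_esn") != record["esn"]:
            problems.append(f"{label}: remote_esn does not match trusted record")
    return problems


if __name__ == "__main__":
    # With no file argument, verify the constructed sample against the constructed record.
    config_text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONFIG
    issues = verify_config(config_text, TRUSTED)
    for issue in issues:
        print("MISMATCH:", issue)
    print("OK: all nethsm_imports entries match the trusted record" if not issues else "FAILED")
    sys.exit(1 if issues else 0)
```

Replace the TRUSTED dictionary with your own record (or load it from a file you control) before using this against a real deployment; the point of the check is that the reference values never come from the same network path the config was generated over.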

Running nshield-hwsp

To run the hardserver container, you must:

  1. Supply the generated hardserver configuration to the container.

  2. Mount a volume for the /opt/nfast/sockets folder.

  3. Mount a volume for the /opt/nfast/sockets-priv folder, if required.

This can be done with the -v option.

For example, using a Docker volume for the /opt/nfast/sockets folder:

$ docker volume create socket1
$ docker run \
    -v /opt/ncop/config1:/opt/nfast/kmdata/config:ro \
    -v socket1:/opt/nfast/sockets \
    nshield-hwsp:12.70.4
Hardserver INIT: Notice: Hardserver using priority class queueing algorithm: 0 classes and 0 modules total.
[...]

This makes the hardserver in nshield-hwsp available via the sockets in the Docker volume socket1. If the nShield support software is installed on the host, this can be tested from the host as follows.

First obtain the mount point for the Docker volume, then point the NFAST_SERVER environment variable at the nserver socket inside it:

$ docker volume inspect --format '{{ .Mountpoint }}' socket1
/var/lib/docker/volumes/socket1/_data

$ NFAST_SERVER=/var/lib/docker/volumes/socket1/_data/nserver /opt/nfast/bin/enquiry -m0
Server:
    enquiry reply flags  none
    enquiry reply level  Six
    serial number        1111-2222-3333
    mode                 operational
    version              12.70.4
[...]