Mirantis Kubernetes Engine nShield HSM Integration Guide

- Industries
- Solutions
  - Our Expertise
  - Strong Identities
  - Secure Payments
  - Protected Data
- Featured Products
  - As a Service Products
- Enterprise ID & Issuance
  - Instant ID as a Service
    Learn More
  - Instant Issuance
- Financial ID & Issuance
  - Digital Card Solution
    Learn More
  - Digital Banking
    1. Digital Account Opening
    2. Digital Card Solution
  - Instant Issuance
  - Central Issuance
- Government ID & Issuance
  - Digital Citizen
    1. Seamless Travel as a Service
    2. ePassport as a Service
  - Instant Issuance
    1. Other citizen IDs and licenses.
    2. System Software
    3. Supplies
    4. Services
  - Central Issuance
    1. Passports, national IDs and driver licenses.
    2. Passport Issuance Systems
    3. National ID and Driver License Systems
    4. Inline Delivery & Insertion
    5. Standalone Delivery & Insertion
    6. System Software
    7. Supplies
    8. Services
  - Identity Verification as a Service
    Our IDVaaS solution allows remote verification of an individual’s claimed identity for immigration, border management, or digital services delivery.
    Learn More
- Cloud Security Posture Management
  - CloudControl 30-Day Free Trial
    Entrust CloudControl offers comprehensive security and automated compliance across virtualization, public cloud, and container platforms while increasing visibility and decreasing risks that can lead to unintended downtime or security exposure.
    Start Free Trial
- Key Management and Encryption
  - KeyControl for VM Encryption
  - KeyControl 30-Day Free Trial
    VMware vSphere and vSAN encryption require an external key manager, and KeyControl is VMware Ready certified and recommended. KeyControl enables enterprises to easily manage all their encryption keys at scale, including how often keys are rotated, and how they are shared securely.
    Start Free Trial
- Hardware Security Modules (HSM)
  - 1. nShield as a Service
  - nShield HSMs
  - Why you need an HSM
    Learn about all the details related to what hardware security modules offer you in security and cost savings...
    Learn More
- Digital Certificates
  - 1. Buy Certificates
    2. Renew Certificates
  - TLS/SSL Certificates
  - Qualified Certificates
    1. QWAC eIDAS Certificates
    2. QWAC PSD2 Certificates
  - Sales and Services
- Identity and Access Management (IAM)
  - Products
    1. Identity as a Service
      Cloud-Based IAM
    2. Identity Enterprise
      On-prem IAM
    3. Identity Essentials
      On-prem MFA solution for Windows users
    4. APIs and SDKs
  - Get Entrust Identity as a Service Free for 60 Days
    Explore the Identity as a Service platform that gives you access to best-in-class MFA, SSO, adaptive risk-based authentication, and a multitude of advanced features that not only keep users secure, but also contribute to an optimal experience.
    Start Free Trial
- Electronic and Digital Signing
  - Digital Signing as a Service
  - Digital Signing Certificates
  - Digital Signing Infrastructure
  - EU Qualified Trust Services
    In addition to our long-standing Adobe Approved Trust List (AATL) membership, we are a European Qualified Trust Service Provider for the issuance of eIDAS qualified certificates for qualified signatures and advanced seals, for PSD2 certificates and for QWACs
    Learn More
- Public Key Infrastructure (PKI)
  - PKI Products
  - Managed Services
  - Cryptographic Center of Excellence
  - Try Post-Quantum PKI as a Service Now
    Get PQ Ready. PKIaaS PQ provides customers with composite and pure quantum Certificate Authority hierarchies.
    Try Now
- Resources
  - Issuance Systems Knowledge Base
    Learn More
  - Digital Security Knowledge Base
    Learn More
  - Cybersecurity Institute
    Get critical insights and education on security concepts from our Trust Matters newsletter, explainer videos, and the Cybersecurity Institute Podcast.
    Learn More
- Partners
  - Partner with Entrust
    Join one or more of our partner programs and we’ll help you increase profitability, expand your brand, and target strategic customers.
    Learn More
  - Partner Directory
    Search for partners based on location, offerings, channel or technology.
    Search for a Partner
  - Programs
  - Partner Logins
- Buy
  - Shop Certificate Services
    Shop for new single certificate purchases.
    Learn More
  - Certificate Services Customer Portal
    Existing Entrust Certificate Services customers can login to issue and manage certificates or buy additional services.
    Learn More
  - Certificate Services Partner Portal
    Existing partners can provision new customers and manage inventory.
    Learn More
  - Instant Financial Card Issuance Supplies
    1. Registered Customer Login
    2. Request Access
- About Entrust
  - Securing a World in Motion Since 1969
    We’ve established secure connections across the planet and even into outer space. We’ve enabled reliable debit and credit card purchases with our card printing and issuance technologies. Protected international travel with our border control solutions. Created secure experiences on the internet with our SSL technologies. And safeguarded networks and devices with our suite of authentication products.
    Explore Our History
  - Cybersecurity Institute
    Get critical insights and education on security concepts from our Trust Matters newsletter, explainer videos, and the Cybersecurity Institute Podcast.
    Learn More
- Search Entrust
  - Search:

Introduction

This guide describes the steps to integrate the nShield Container Option Pack (nSCOP) with Mirantis Kubernetes Engine. The nSCOP provides application developers, within a container-based Mirantis Kubernetes Engine environment, the ability to access the cryptographic functionality of an nShield Hardware Security Module (HSM).

Product configurations

We have successfully tested nShield HSM integration with Mirantis Kubernetes Engine in the following configurations:

Software	Version
nSCOP	1.1.1
Operating System	CentOS 8
Mirantis Kubernetes Engine	3.4.5
Mirantis Container Runtime	20.10.7

Supported nShield hardware and software versions

We have successfully tested with the following nShield hardware and software versions:

Connect XC

Security World Software	Firmware	Image	OCS	Softcard	Module
12.71.0	12.50.11	12.60.10	✓	✓	✓

Connect +

Security World Software	Firmware	Image	OCS	Softcard	Module
12.71.0	12.50.8	12.60.10	✓	✓	✓

Supported nShield HSM functionality

Feature	Support
Module-only key	Yes
OCS cards	Yes
Softcards	Yes
nSaaS	Yes
FIPS 140-2 Level 3	Yes

Requirements

Before installing these products, read the associated documentation:

For the nShield HSM: Installation Guide and User Guide .
If nShield Remote Administration is to be used: nShield Remote Administration User Guide .
nShield Container Option Pack User Guide .
MCR documentation ( https://docs.mirantis.com/mcr/20.10/install/mcr-linux.html )
MKE documentation ( https://docs.mirantis.com/mke/3.4/index.html ).
kubectl documentation ( https://kubernetes.io/docs/tasks/tools/install-kubectl-linux/ )

Furthermore, the following design decisions have an impact on how the HSM is installed and configured:

Whether your Security World must comply with FIPS 140-2 Level 3 standards.
- If using FIPS Restricted mode, it is advisable to create an OCS for FIPS authorization. The OCS can also provide key protection for the Vault master key. For information about limitations on FIPS authorization, see the Installation Guide of the nShield HSM.
Whether to instantiate the Security World as recoverable or not.

More information

For more information about OS support, contact your Mirantis sales representative or Entrust nShield Support, https://nshieldsupport.entrust.com .

Procedures

Prerequisites

Before you can use nSCOP and pull the nSCOP container images to the external registry, complete the following steps:

Install the Mirantis Container Runtime on the host machine. This can be a VM running CentOS 8 or other compatible Operating Systems.
Install the Mirantis Kubernetes Engine on the host machine.
Install kubectl on the host machine.
Set up the HSM. See the Installation Guide for your HSM.
Configure the HSM(s) to have the IP address of your container host machine as a client.
Load an existing Security World or create a new one on the HSM. Copy the Security World and module files to your container host machine at a directory of your choice. Instructions on how to copy these two files into a persistent volume accessible by the application containers are given when you create the persistent volume during the deployment of MKE.
Install nSCOP and create the containers that contain your application. For the purpose of this guide you will need the nSCOP hardserver container and your application container. In this guide they are referred to as the nshield-hwsp and nshield-app containers. For instructions, see the nShield Container Option Pack User Guide .

For more information on configuring and managing nShield HSMs, Security Worlds, and Remote File Systems, see the User Guide for your HSM(s).

Push the nSCOP container images to an internal Docker registry

You will need to register the nSCOP container images you created to a Docker registry so they can be used when you deploy the Kubernetes pods later. In this guide, the external registry is <docker-registry-address>. Distribution of the nSCOP container image is not permitted because the software components are under strict export controls.

To deploy an nSCOP container images for use with Mirantis Kubernetes Engine:

Log in to the container host machine server as root, and launch a terminal window. We assume that you have built the nSCOP container images in this host and that they are available locally in Docker. They are: nshield-hwsp:12.71.0 and nshield-app:12.71.0.

% docker login -u YOURUSERID https://<docker-registry-address>

Tag the images:

% sudo docker tag nshield-hwsp:12.71.0 <docker-registry-address>/nshield-hwsp
% sudo docker tag nshield-app:12.71.0 <docker-registry-address>/nshield-app

Push the images to the registry:

% sudo docker push <docker-registry-address>/nshield-hwsp
% sudo docker push <docker-registry-address>/nshield-app

Remove the local images:

% sudo docker rmi <docker-registry-address>/nshield-hwsp
% sudo docker rmi <docker-registry-address>/nshield-app

List the images:
```
% sudo docker images
```

Pull the images from the registry:

% sudo docker pull <docker-registry-address>/nshield-hwsp
% sudo docker pull <docker-registry-address>/nshield-app

List the images:
```
% sudo docker images
```

Create the registry secrets

At the beginning of our process, we created nSCOP Docker containers and we pushed them to our internal Docker registry. Now it is necessary to let MKE know about how to authenticate to that registry.

Create the secret.

% kubectl create secret generic regcred --from-file= dockerconfigjson=/home/<YOUR USER ID>/.docker/config.json --type=kubernetes.io/dockerconfigjson

Check if the secret was created.

% kubectl get secret regcred --output=yaml

Create the Configuration Map for the HSM details

We have created a .yaml file that can be modified according to the HSM you are using. Edit the file accordingly.

Note	This integration was tested using kubectl commands for generating kubernetes objects with yaml files. The MKE web ui provides an alternative interface that can be used to generate these objects, and view them. See MKE documentation for more information.

For example:

apiVersion: v1
kind: ConfigMap
metadata:
  name: config
data:
  config: |
    syntax-version=1

    [nethsm_imports]
    local_module=1
    remote_esn=BD10-03E0-D947
    remote_ip=10.194.148.36
    remote_port=9004
    keyhash=2dd7c10c73a3c5346d1246e6a8cf6766a7088e41
    privileged=0

Create the Config Map.

% kubectl apply -f configmap.yaml

configmap/config created

Verify the config map was created successfully.

% kubectl describe configmap/config

Name:         config
Namespace:    default
Labels:       <none>
Annotations:
Data
====
config:

syntax-version=1

[nethsm_imports]
local_module=1
remote_esn=BD10-03E0-D947
remote_ip=10.194.148.36
remote_port=9004
keyhash=2dd7c10c73a3c5346d1246e6a8cf6766a7088e41
privileged=0

Events:  <none>

Create the MKE persistent Volumes

This section describes how the persistent volumes is created in MKE.

Note	Before you proceed with the creation of the persistent volume, you must create the directory `/opt/nfast/kmdata/local` in your host machine and copy the Security World and module files to it.

The example YAML files below are used to create and claim the persistent volume.

The persistent_volume_kmdata_definition.yaml file:

apiVersion: v1
kind: PersistentVolume
metadata:
  name: nfast-kmdata
  labels:
    type: local
spec:
  storageClassName: manual
  capacity:
    storage: 1G
  accessModes:
    - ReadWriteMany
  persistentVolumeReclaimPolicy: Retain
  hostPath:
    path: /opt/nfast/kmdata

The persistent_volume_kmdata_claim.yaml file:

apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name : nfast-kmdata
spec:
  accessModes:
    - ReadWriteMany
  storageClassName: local-storage
  resources:
    requests:
      storage: 1G
  storageClassName: manual

Apply the definition file to MKE.

% kubectl apply -f persistent_volume_kmdata_definition.yaml

persistentvolume/nfast-kmdata created

Verify the persistent volume has been created.

% kubectl get pv

NAME CAPACITY   ACCESS MODES   RECLAIM   POLICY STATUS    CLAIM        STORAGECLASS   REASON   AGE
nfast-kmdata    1G             RWO       Retain           Available    manual                  43m

Create the claim.

% kubectl apply -f persistent_volume_kmdata_claim.yaml

persistentvolumeclaim/nfast-kmdata created

Verify the claim has been created.

% kubectl get pvc

NAME            STATUS   VOLUME          CAPACITY   ACCESS MODES   STORAGECLASS   AGE
nfast-kmdata    Bound    nfast-kmdata    1G         RWO            manual         61m

% kubectl get pv

NAME            CAPACITY   ACCESS MODES   RECLAIM POLICY   STATUS   CLAIM                   STORAGECLASS   REASON   AGE
nfast-kmdata    1G         RWO            Retain           Bound    default/nfast-kmdata    manual                  67m

Deploy the nSCOP Pod with your application

You will need to create a .yaml file that defines how to launch the hardserver and your application container into MKE. The examples below were created to show how you can talk to the HSM from inside the Kubernetes pod. Each example shows how to execute the following commands: enquiry and nfkminfo .

Populating the persistent volume with the world and module file

Before running any of the applications, /opt/nfast/kmdata/local in the persistent volume needs to be updated with the latest world and module files. To do this, create a yaml file to run a pod that gives access to the persistent volume so these files can be copied.

For example, the following persistent_volume_kmdata_populate.yaml file shows how to get access to the persistent volume:

kind: Pod
apiVersion: v1
metadata:
  name: nscop-populate-kmdata
  labels:
    app: nshield
spec:
  imagePullSecrets:
    - name: regcred
  containers:
    - name: nscop-kmdata
      command:
        - sh
        - '-c'
        - sleep 3600
      image: <docker-registry-address>/nshield-app
      ports:
        - containerPort: 8080
          protocol: TCP
      resources: {}
      volumeMounts:
        - name: nscop-kmdata
          mountPath: /opt/nfast/kmdata
        - name: nscop-sockets
          mountPath: /opt/nfast/sockets
  securityContext: {}
  volumes:
    - name: nscop-config
      configMap:
        name: config
        defaultMode: 420
    - name: nscop-hardserver
      emptyDir: {}
    - name: nscop-kmdata
      persistentVolumeClaim:
        claimName: nfast-kmdata
    - name: nscop-sockets
      emptyDir: {}

Deploy the pod

% kubectl apply -f persistent_volume_kmdata_populate.yaml

Check if the Pod is running
```
% kubectl get pods
```
You should see the deployment taking place. Wait 10 seconds and run the command again until the status is Running. This will also let you know if there are any errors. If there are errors, run the following command:
```
% kubectl describe pod nscop-populate-kmdata
```

Copy the module file to /opt/nfast/kmdata/local in the pod.

% kubectl cp /opt/nfast/kmdata/local/module_BD10-03E0-D947 nscop-populate-kmdata:/opt/nfast/kmdata/local/.

Copy the world file to /opt/nfast/kmdata/local in the pod.

% kubectl cp /opt/nfast/kmdata/local/world nscop-populate-kmdata:/opt/nfast/kmdata/local/.

Check if the files are in the persistent volume.

% kubectl exec nscop-populate-kmdata -- ls -al /opt/nfast/kmdata/local

total 68
drwxr-xr-x 2 root root  4096 Sep 20 18:40 .
drwxr-xr-x 3 root root  4096 Dec 16  2020 ..
-rwxrwxrwx 1 root 1001  3488 Sep 20 18:40 module_BD10-03E0-D947
-rwxrwxrwx 1 root 1001 39968 Sep 20 18:40 world

Running the enquiry command

To run the enquiry command, which prints enquiry data from the module, use the following pod_enquiry_app.yaml file.

kind: Pod
apiVersion: v1
metadata:
  name: nscop-test-enquiry
  labels:
    app: nshield
spec:
  imagePullSecrets:
    - name: regcred
  containers:
    - name: nscop
      command:
        - sh
        - '-c'
        - /opt/nfast/bin/enquiry && sleep 3600
      image: <docker-registry-address>/nshield-app
      ports:
        - containerPort: 8080
          protocol: TCP
      resources: {}
      volumeMounts:
        - name: nscop-kmdata
          mountPath: /opt/nfast/kmdata
        - name: nscop-sockets
          mountPath: /opt/nfast/sockets
    - name: nscop-hwsp
      image: <docker-registry-address>/nshield-hwsp
      ports:
        - containerPort: 8080
          protocol: TCP
      resources: {}
      volumeMounts:
        - name: nscop-config
          mountPath: /opt/nfast/kmdata/config
        - name: nscop-hardserver
          mountPath: /opt/nfast/kmdata/hardserver.d
        - name: nscop-sockets
          mountPath: /opt/nfast/sockets
  volumes:
    - name: nscop-config
      configMap:
        name: config
        defaultMode: 420
    - name: nscop-hardserver
      emptyDir: {}
    - name: nscop-kmdata
      persistentVolumeClaim:
        claimName: nfast-kmdata
    - name: nscop-sockets
      emptyDir: {}

In this example, <docker_registry-address> is the address of your internal docker registry server.

Deploy the pod.
```
% kubectl apply -f pod_enquiry_app.yaml
```
Check if the Pod is running.
```
% kubectl get pods
```
You should see the deployment taking place. Wait 10 seconds and run the command again until the status is Running. This will also let you know if there are any errors. If there are errors, run the following command:
```
% kubectl describe pod nscop-test-enquiry
```

Check if the enquiry command ran successfully.

% kubectl logs pod/nscop-test-enquiry nscop

Server:
 enquiry reply flags  none
 enquiry reply level  Six
 serial number        BD10-03E0-D947
 mode                 operational
 version              12.71.0
 speed index          478
 rec. queue           110..208
 level one flags      Hardware HasTokens SupportsCommandState
 version string       12.71.0-353-f63c551, 12.50.11-270-fb3b87dd465b6f6e53d9f829fc034f8be2dafd13 2019/05/16 22:02:33 BST, Bootloader: 1.2.3, Security Processor: 12.50.11 , 12.60.10-708-ea4dc41d
 checked in           000000006053229a Thu Mar 18 09:51:22 2021
 level two flags      none
 max. write size      8192
 level three flags    KeyStorage
 level four flags     OrderlyClearUnit HasRTC HasNVRAM HasNSOPermsCmd ServerHasPollCmds FastPollSlotList HasSEE HasKLF HasShareACL HasFeatureEnable HasFileOp HasLongJobs ServerHasLongJobs AESModuleKeys NTokenCmds JobFragmentation LongJobsPreferred Type2Smartcard
 module type code     0
 product name         nFast server
 device name
 EnquirySix version   4
 impath kx groups
 feature ctrl flags   none
 features enabled     none
 version serial       0
 level six flags      none
 remote server port   9004
 kneti hash           5ebd9844cd9896ed40829c3bafa91a5bbba7a886

Module #1:
 enquiry reply flags  UnprivOnly
 enquiry reply level  Six
 serial number        BD10-03E0-D947
 mode                 operational
 version              12.50.11
 speed index          478
 rec. queue           22..50
 level one flags      Hardware HasTokens SupportsCommandState
 version string       12.50.11-270-fb3b87dd465b6f6e53d9f829fc034f8be2dafd13 2019/05/16 22:02:33 BST, Bootloader: 1.2.3, Security Processor: 12.50.11 , 12.60.10-708-ea4dc41d
 checked in           000000005cddcfe9 Thu May 16 21:02:33 2019
 level two flags      none
 max. write size      8192
 level three flags    KeyStorage
 level four flags     OrderlyClearUnit HasRTC HasNVRAM HasNSOPermsCmd ServerHasPollCmds FastPollSlotList HasSEE HasKLF HasShareACL HasFeatureEnable HasFileOp HasLongJobs ServerHasLongJobs AESModuleKeys NTokenCmds JobFragmentation LongJobsPreferred Type2Smartcard ServerHasCreateClient HasInitialiseUnitEx AlwaysUseStrongPrimes Type3Smartcard HasKLF2
module type code     12
 product name         nC3025E/nC4035E/nC4335N
 device name          Rt1
 EnquirySix version   7
 impath kx groups     DHPrime1024 DHPrime3072 DHPrime3072Ex
 feature ctrl flags   LongTerm
 features enabled     StandardKM EllipticCurve ECCMQV AcceleratedECC HSMBaseSpeed
 version serial       37
 connection status    OK
 connection info      esn = BD10-03E0-D947; addr = INET/10.194.148.36/9004; ku hash = 383666ac8d0a8062519b9baa964d0af8014e5d8d, mech = Any
 image version        12.60.10-507-ea4dc41d
 level six flags      none
 max exported modules 100
 rec. LongJobs queue  21
 SEE machine type     PowerPCELF
 supported KML types  DSAp1024s160 DSAp3072s256
 using impath kx grp  DHPrime3072Ex
 active modes         UseFIPSApprovedInternalMechanisms AlwaysUseStrongPrimes FIPSLevel3Enforcedv2
 hardware status      OK

nfkminfo

The following pod_nfkminfo_app.yaml file shows how to run the nfkminfo command which shows information about the current security world.

kind: Pod
apiVersion: v1
metadata:
  name: nscop-test-nfkminfo
  labels:
    app: nshield
spec:
  imagePullSecrets:
    - name: regcred
  containers:
    - name: nscop
      command:
        - sh
        - '-c'
        - /opt/nfast/bin/nfkminfo && sleep 3600
      image: <docker-registry-address>/nshield-app
      ports:
        - containerPort: 8080
          protocol: TCP
      resources: {}
      volumeMounts:
        - name: nscop-kmdata
          mountPath: /opt/nfast/kmdata
        - name: nscop-sockets
          mountPath: /opt/nfast/sockets
    - name: nscop-hwsp
      image: <docker-registry-address>/nshield-hwsp
      ports:
        - containerPort: 8080
          protocol: TCP
      resources: {}
      volumeMounts:
        - name: nscop-config
          mountPath: /opt/nfast/kmdata/config
        - name: nscop-hardserver
          mountPath: /opt/nfast/kmdata/hardserver.d
        - name: nscop-sockets
          mountPath: /opt/nfast/sockets
  volumes:
    - name: nscop-config
      configMap:
        name: config
        defaultMode: 420
    - name: nscop-hardserver
      emptyDir: {}
    - name: nscop-kmdata
      persistentVolumeClaim:
        claimName: nfast-kmdata
    - name: nscop-sockets
      emptyDir: {}