Creating SecurityServer/CP5 with NGINX Container Image Dockerfile to run NGINX as Root User

It is highly recommended to run containers/pods as a non-root user in a production environment.

Create a new file Dockerfile to build the CP5 image.

›_ Console
`# vi /root/hsm/Dockerfile`

Copy the following lines into the file Dockerfile.

›_ Console
`FROM redhat/ubi8:latest LABEL version="1"` `#==========Install NGINX,OpenSC,OpenSSL-Devel & Other packages===========` `RUN dnf install openssl-pkcs11 nginx -y` `#==================Create required Folders and Config Paths ========== RUN mkdir /hsm && cd /hsm` `RUN mkdir -p /etc/utimaco/ && \ mkdir -p /opt/utimaco/bin && \ mkdir -p /opt/utimaco/lib && \ mkdir -p /opt/utimaco/certs && \ mkdir -p /opt/utimaco/logs` `#==================Copying Files and Changing Permission ========== COPY hsm/cs_pkcs11_R2.cfg /etc/utimaco/` `COPY hsm/libcs_pkcs11_R2.so /opt/utimaco/lib COPY hsm/p11tool2 /opt/utimaco/bin` `COPY hsm/cxitool /opt/utimaco/bin COPY hsm/csadm /opt/utimaco/bin` `RUN chmod -R 550 /opt/utimaco/bin && \ chmod -R 440 /opt/utimaco/lib && \` `chmod 600 /etc/utimaco/cs_pkcs11_R2.cfg #==================Configure PKCS11 Engine============================` `RUN ls -l /etc/pki/tls/` `RUN sed -i '1 i\openssl_conf=openssl_init' /etc/pki/tls/openssl.cnf RUN sed -e '/openssl_conf = default_modules/s/^/#/g' -i` `/etc/pki/tls/openssl.cnf` `RUN echo " [openssl_init]" >> /etc/pki/tls/openssl.cnf && \` echo " engines=engine_section" >> /etc/pki/tls/openssl.cnf && \ echo "" >> /etc/pki/tls/openssl.cnf && \echo " [engine_section]">> /etc/pki/tls/openssl.cnf && \echo " pkcs11 = pkcs11_section" >> /etc/pki/tls/openssl.cnf && \ echo "" >> /etc/pki/tls/openssl.cnf && \echo " [pkcs11_section]" >> /etc/pki/tls/openssl.cnf && \ echo " engine_id = pkcs11" >> /etc/pki/tls/openssl.cnf && \ echo " dynamic_path = /usr/lib64/engines-1.1/pkcs11.so" >>/etc/pki/tls/openssl.cnf && \echo " MODULE_PATH = /opt/utimaco/lib/libcs_pkcs11_R2.so" >>/etc/pki/tls/openssl.cnf && \echo " PIN=123456" >> /etc/pki/tls/openssl.cnf && \ echo " init = 0" >> /etc/pki/tls/openssl.cnf `#===Configure CP5 and Perform Key Initilization and Authorization=== RUN /opt/utimaco/bin/csadm Dev=3001@20.197.4.217 GetHSMAuthKey >/tmp/HSMauth.key && \chmod 777 /tmp/HSMauth.key` `ENV CS_AUTH_KEYS=/tmp/HSMauth.key` `RUN /opt/utimaco/bin/p11tool2 slot=9 LoginUser=123456 GetSlotInfo RUN /opt/utimaco/bin/p11tool2 slot=9 LoginUser=123456 PubKeyAttr=CKA_LABEL="RSAKey",CKA_ID=0x45` `PrvKeyAttr=CKA_LABEL="RSAKey",CKA_ID=0x45 GenerateKeyPair=RSA` `RUN /opt/utimaco/bin/cxitool dev=3001@20.197.4.217 LogonPass=USR_0009,123456 listkeys` `RUN /opt/utimaco/bin/cxitool dev=3001@20.197.4.217 LogonPass=USR_0009,123456 group="SLOT_0009" Spec=2 Keyinfo` `RUN /opt/utimaco/bin/csadm dev=3001@20.197.4.217 genkey=/opt/utimaco/certs/ka.key,2048,"USR_0009" && chmod 777` `/opt/utimaco/certs/ka.key` `RUN /opt/utimaco/bin/cxitool dev=3001@20.197.4.217 LogonPass=USR_0009,123456 group="SLOT_0009" Spec=2 KeyFile=/opt/utimaco/certs/ka.key InitializeKey` `RUN /opt/utimaco/bin/cxitool dev=3001@20.197.4.217 LogonPass=USR_0009,123456 group="SLOT_0009" Spec=2 KeyFile=/opt/utimaco/certs/ka.key AuthorizeKey=1000000` `RUN /opt/utimaco/bin/cxitool dev=3001@20.197.4.217 LogonPass=USR_0009,123456 group="SLOT_0009" Spec=2 Keyinfo` `#==================Generate Keys and Certificate for SSL============== RUN openssl version -a && openssl engine pkcs11 -v` `RUN /opt/utimaco/bin/p11tool2 slot=9 LoginUser=123456 listobjects && \ openssl req -engine pkcs11 -new -x509 -days 365 -key` `"pkcs11:token=Openshift;object=RSAKey?pin-value=123456" -keyform engine -out` `/opt/utimaco/certs/SSL.cert -subj "/CN=test.utimaco.com"` `#==================Configure Nginx to use Utimaco HSM================= RUN ls -l /etc/nginx/nginx.conf && cp /etc/nginx/nginx.conf/etc/nginx/nginx.conf.org && cat /etc/nginx/nginx.conf` `RUN sed '/^$/d' /etc/nginx/nginx.conf > /etc/nginx/nginx.conf.int && \` `sed -e '$d' /etc/nginx/nginx.conf.int > /etc/nginx/nginx.conf && rm -rf/etc/nginx/nginx.conf.int && \` `sed -i '1 i\ssl_engine pkcs11;' /etc/nginx/nginx.conf && \ sed -i 's/80/8080/g' /etc/nginx/nginx.conf && \sed -i '/worker_processes auto;/c\worker_processes 1;'/etc/nginx/nginx.conf && \` `echo " server {" >> /etc/nginx/nginx.conf && \` `echo " listen 8443 ssl;" >> /etc/nginx/nginx.conf && \ echo "" >> /etc/nginx/nginx.conf && \` `echo " server_name localhost;" >> /etc/nginx/nginx.conf && \ echo " ssl_certificate /opt/utimaco/certs/SSL.cert;" >>/etc/nginx/nginx.conf && \` `echo " ssl_certificate_key engine:pkcs11:slot_9-id_45;" >>/etc/nginx/nginx.conf && \` `echo "" >> /etc/nginx/nginx.conf && \echo " access_log /tmp/sslparams.log;" >> /etc/nginx/nginx.conf && \ echo " location / {" >> /etc/nginx/nginx.conf && \` `echo " root html;" >> /etc/nginx/nginx.conf && \echo " index index.html index.htm;" >> /etc/nginx/nginx.conf && \ echo " }" >> /etc/nginx/nginx.conf && \` `echo "}" >> /etc/nginx/nginx.conf && \ echo "}" >> /etc/nginx/nginx.conf` `#==================Start the Nginx Server=============================` `CMD ["/usr/sbin/nginx", "-g", "daemon off;"]`

›_ Console

FROM redhat/ubi8:latest LABEL version="1"

#==========Install NGINX,OpenSC,OpenSSL-Devel & Other packages===========

RUN dnf install openssl-pkcs11 nginx -y

#==================Create required Folders and Config Paths ========== RUN mkdir /hsm && cd /hsm

RUN mkdir -p /etc/utimaco/ && \ mkdir -p /opt/utimaco/bin && \ mkdir -p /opt/utimaco/lib && \ mkdir -p /opt/utimaco/certs && \ mkdir -p /opt/utimaco/logs

#==================Copying Files and Changing Permission ========== COPY hsm/cs_pkcs11_R2.cfg /etc/utimaco/

COPY hsm/libcs_pkcs11_R2.so /opt/utimaco/lib COPY hsm/p11tool2 /opt/utimaco/bin

COPY hsm/cxitool /opt/utimaco/bin COPY hsm/csadm /opt/utimaco/bin

RUN chmod -R 550 /opt/utimaco/bin && \ chmod -R 440 /opt/utimaco/lib && \

chmod 600 /etc/utimaco/cs_pkcs11_R2.cfg #==================Configure PKCS11 Engine============================

RUN ls -l /etc/pki/tls/

RUN sed -i '1 i\openssl_conf=openssl_init' /etc/pki/tls/openssl.cnf RUN sed -e '/openssl_conf = default_modules/s/^/#/g' -i

/etc/pki/tls/openssl.cnf

RUN echo " [openssl_init]" >> /etc/pki/tls/openssl.cnf && \

echo " engines=engine_section" >> /etc/pki/tls/openssl.cnf && \ echo "" >> /etc/pki/tls/openssl.cnf && \echo " [engine_section]">> /etc/pki/tls/openssl.cnf && \echo " pkcs11 = pkcs11_section" >> /etc/pki/tls/openssl.cnf && \ echo "" >> /etc/pki/tls/openssl.cnf && \echo " [pkcs11_section]" >> /etc/pki/tls/openssl.cnf && \ echo " engine_id = pkcs11" >> /etc/pki/tls/openssl.cnf && \ echo " dynamic_path = /usr/lib64/engines-1.1/pkcs11.so" >>/etc/pki/tls/openssl.cnf && \echo " MODULE_PATH = /opt/utimaco/lib/libcs_pkcs11_R2.so" >>/etc/pki/tls/openssl.cnf && \echo " PIN=123456" >> /etc/pki/tls/openssl.cnf && \ echo " init = 0" >> /etc/pki/tls/openssl.cnf

#===Configure CP5 and Perform Key Initilization and Authorization=== RUN /opt/utimaco/bin/csadm Dev=3001@20.197.4.217 GetHSMAuthKey >/tmp/HSMauth.key && \chmod 777 /tmp/HSMauth.key

ENV CS_AUTH_KEYS=/tmp/HSMauth.key

RUN /opt/utimaco/bin/p11tool2 slot=9 LoginUser=123456 GetSlotInfo RUN /opt/utimaco/bin/p11tool2 slot=9 LoginUser=123456 PubKeyAttr=CKA_LABEL="RSAKey",CKA_ID=0x45

PrvKeyAttr=CKA_LABEL="RSAKey",CKA_ID=0x45 GenerateKeyPair=RSA

RUN /opt/utimaco/bin/cxitool dev=3001@20.197.4.217 LogonPass=USR_0009,123456 listkeys

RUN /opt/utimaco/bin/cxitool dev=3001@20.197.4.217 LogonPass=USR_0009,123456 group="SLOT_0009" Spec=2 Keyinfo

RUN /opt/utimaco/bin/csadm dev=3001@20.197.4.217 genkey=/opt/utimaco/certs/ka.key,2048,"USR_0009" && chmod 777

/opt/utimaco/certs/ka.key

RUN /opt/utimaco/bin/cxitool dev=3001@20.197.4.217 LogonPass=USR_0009,123456 group="SLOT_0009" Spec=2 KeyFile=/opt/utimaco/certs/ka.key InitializeKey

RUN /opt/utimaco/bin/cxitool dev=3001@20.197.4.217 LogonPass=USR_0009,123456 group="SLOT_0009" Spec=2 KeyFile=/opt/utimaco/certs/ka.key AuthorizeKey=1000000

RUN /opt/utimaco/bin/cxitool dev=3001@20.197.4.217 LogonPass=USR_0009,123456 group="SLOT_0009" Spec=2 Keyinfo

#==================Generate Keys and Certificate for SSL============== RUN openssl version -a && openssl engine pkcs11 -v

RUN /opt/utimaco/bin/p11tool2 slot=9 LoginUser=123456 listobjects && \ openssl req -engine pkcs11 -new -x509 -days 365 -key

"pkcs11:token=Openshift;object=RSAKey?pin-value=123456" -keyform engine -out

/opt/utimaco/certs/SSL.cert -subj "/CN=test.utimaco.com"

#==================Configure Nginx to use Utimaco HSM================= RUN ls -l /etc/nginx/nginx.conf && cp /etc/nginx/nginx.conf/etc/nginx/nginx.conf.org && cat /etc/nginx/nginx.conf

RUN sed '/^$/d' /etc/nginx/nginx.conf > /etc/nginx/nginx.conf.int && \

sed -e '$d' /etc/nginx/nginx.conf.int > /etc/nginx/nginx.conf && rm -rf/etc/nginx/nginx.conf.int && \

sed -i '1 i\ssl_engine pkcs11;' /etc/nginx/nginx.conf && \ sed -i 's/80/8080/g' /etc/nginx/nginx.conf && \sed -i '/worker_processes auto;/c\worker_processes 1;'/etc/nginx/nginx.conf && \

echo " server {" >> /etc/nginx/nginx.conf && \

echo " listen 8443 ssl;" >> /etc/nginx/nginx.conf && \ echo "" >> /etc/nginx/nginx.conf && \

echo " server_name localhost;" >> /etc/nginx/nginx.conf && \ echo " ssl_certificate /opt/utimaco/certs/SSL.cert;" >>/etc/nginx/nginx.conf && \

echo " ssl_certificate_key engine:pkcs11:slot_9-id_45;" >>/etc/nginx/nginx.conf && \

echo "" >> /etc/nginx/nginx.conf && \echo " access_log /tmp/sslparams.log;" >> /etc/nginx/nginx.conf && \ echo " location / {" >> /etc/nginx/nginx.conf && \

echo " root html;" >> /etc/nginx/nginx.conf && \echo " index index.html index.htm;" >> /etc/nginx/nginx.conf && \ echo " }" >> /etc/nginx/nginx.conf && \

echo "}" >> /etc/nginx/nginx.conf && \ echo "}" >> /etc/nginx/nginx.conf

#==================Start the Nginx Server=============================

CMD ["/usr/sbin/nginx", "-g", "daemon off;"]

Change the Utimaco HSM version="1" appropriately. You can also modify the Dockerfile as per your requirement.