Creating SecurityServer/CP5 with NGINX Container Image Dockerfile to run NGINX as Non-Root User

  1. Create a new file Dockerfile to build the CP5 image.

›_ Console

# vi /root/hsm/Dockerfile

  1. Copy the following lines into the file Dockerfile. Note that several of the `RUN` steps connect to the HSM (`3001@20.197.4.217` in the example) and generate, initialize and authorize keys on it while the image is being built, so the build host needs network access to the HSM, and every uncached rebuild repeats those key operations.

›_ Console

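# syntax=docker/dockerfile:1
#
# NGINX + Utimaco SecurityServer/CP5 image.
#
# The TLS private key is generated inside the HSM and never leaves it; NGINX
# reaches it through the OpenSSL pkcs11 engine and the Utimaco PKCS#11 library
# (/opt/utimaco/lib/libcs_pkcs11_R2.so). NGINX runs as an unprivileged user on
# ports 8080 (plain) and 8443 (TLS), so no capabilities are needed to bind.
#
# Build (BuildKit / buildah is required for --mount=type=secret and heredocs):
#   docker build --secret id=hsm_pin,src=./hsm_pin.txt -t nginx-cp5 .
# The HSM user PIN is read from that secret only. It is never passed as ARG or
# ENV (both survive in `docker history`) and never written into an image layer.
#
# The CP5 steps below talk to the HSM at ${HSM_DEV} *during the build* and
# create, initialize and authorize keys there: the build host needs network
# access to the HSM, and every uncached rebuild repeats those key operations.
#
# Run:
#   docker run -e HSM_PIN=... -p 8080:8080 -p 8443:8443 nginx-cp5
# or mount the PIN as a file at /run/secrets/hsm_pin (preferred: an environment
# variable is visible in `docker inspect`); see docker-entrypoint.sh below.

# NOTE(review): replace "latest" with a specific UBI 8 release tag or a digest
# for reproducible builds.
ARG UBI8_TAG=latest
FROM redhat/ubi8:${UBI8_TAG}
LABEL version="1"

#================== HSM / key parameters (override with --build-arg) ==========
# HSM address as <port>@<ip>, PKCS#11 slot, CXI group and user, token label,
# key label / CKA_ID and certificate subject. Spec is passed through to cxitool
# unchanged; refer to the Utimaco documentation for the value your HSM needs.
ARG HSM_DEV=3001@20.197.4.217
ARG HSM_SLOT=9
ARG HSM_GROUP=SLOT_0009
ARG HSM_USER=USR_0009
ARG HSM_TOKEN=Openshift
ARG CS_SPEC=2
ARG KEY_LABEL=RSAKey
ARG KEY_ID=45
ARG CERT_CN=test.utimaco.com

#================== Install NGINX and the OpenSSL pkcs11 engine ===============
RUN dnf install -y openssl-pkcs11 nginx && dnf clean all

#================== Utimaco client: config, PKCS#11 library and tools =========
RUN mkdir -p /etc/utimaco /opt/utimaco/bin /opt/utimaco/lib /opt/utimaco/certs /opt/utimaco/logs
COPY hsm/cs_pkcs11_R2.cfg /etc/utimaco/
COPY hsm/libcs_pkcs11_R2.so /opt/utimaco/lib/
COPY --chmod=0755 hsm/p11tool2 hsm/cxitool hsm/csadm /opt/utimaco/bin/

#================== Configure the OpenSSL pkcs11 engine =======================
# Switch the stock config to an openssl_init section that loads the pkcs11
# engine with the Utimaco module. The PIN is deliberately NOT written here: the
# entrypoint appends it at container start. [pkcs11_section] is the last
# section in the file, so an appended "PIN=" line lands inside it.
RUN sed -i '1 i\openssl_conf=openssl_init' /etc/pki/tls/openssl.cnf && \
    sed -i -e '/openssl_conf = default_modules/s/^/#/' /etc/pki/tls/openssl.cnf && \
    printf '%s\n' \
        '[openssl_init]' \
        'engines=engine_section' \
        '' \
        '[engine_section]' \
        'pkcs11 = pkcs11_section' \
        '' \
        '[pkcs11_section]' \
        'engine_id = pkcs11' \
        'dynamic_path = /usr/lib64/engines-1.1/pkcs11.so' \
        'MODULE_PATH = /opt/utimaco/lib/libcs_pkcs11_R2.so' \
        'init = 0' \
        >> /etc/pki/tls/openssl.cnf

#================== CP5: HSM auth key, key generation and authorization =======
# The HSM authentication key only has to be readable at run time; CS_AUTH_KEYS
# tells the Utimaco client where to find it.
RUN /opt/utimaco/bin/csadm Dev=${HSM_DEV} GetHSMAuthKey > /opt/utimaco/certs/HSMauth.key && \
    chmod 0644 /opt/utimaco/certs/HSMauth.key
ENV CS_AUTH_KEYS=/opt/utimaco/certs/HSMauth.key

# All PIN-bearing HSM commands share one secret mount and one layer; the PIN is
# read from the mounted secret file, never from ARG/ENV. ka.key is the key
# authorization key generated by csadm: it is kept owner-only (0600) and is not
# needed by NGINX at run time.
# NOTE(review): GenerateKeyPair creates a *new* RSA key with the same label/ID
# on every uncached build; remove or re-label old keys on the HSM, otherwise
# engine:pkcs11:slot_N-id_M below may resolve to a different key than SSL.cert.
RUN --mount=type=secret,id=hsm_pin \
    PIN="$(cat /run/secrets/hsm_pin)" && \
    /opt/utimaco/bin/p11tool2 slot=${HSM_SLOT} LoginUser="${PIN}" GetSlotInfo && \
    /opt/utimaco/bin/p11tool2 slot=${HSM_SLOT} LoginUser="${PIN}" \
        PubKeyAttr=CKA_LABEL="${KEY_LABEL}",CKA_ID=0x${KEY_ID} \
        PrvKeyAttr=CKA_LABEL="${KEY_LABEL}",CKA_ID=0x${KEY_ID} GenerateKeyPair=RSA && \
    /opt/utimaco/bin/cxitool dev=${HSM_DEV} LogonPass=${HSM_USER},"${PIN}" listkeys && \
    /opt/utimaco/bin/cxitool dev=${HSM_DEV} LogonPass=${HSM_USER},"${PIN}" \
        group="${HSM_GROUP}" Spec=${CS_SPEC} Keyinfo && \
    /opt/utimaco/bin/csadm dev=${HSM_DEV} genkey=/opt/utimaco/certs/ka.key,2048,"${HSM_USER}" && \
    chmod 0600 /opt/utimaco/certs/ka.key && \
    /opt/utimaco/bin/cxitool dev=${HSM_DEV} LogonPass=${HSM_USER},"${PIN}" \
        group="${HSM_GROUP}" Spec=${CS_SPEC} KeyFile=/opt/utimaco/certs/ka.key InitializeKey && \
    /opt/utimaco/bin/cxitool dev=${HSM_DEV} LogonPass=${HSM_USER},"${PIN}" \
        group="${HSM_GROUP}" Spec=${CS_SPEC} KeyFile=/opt/utimaco/certs/ka.key AuthorizeKey=1000000 && \
    /opt/utimaco/bin/cxitool dev=${HSM_DEV} LogonPass=${HSM_USER},"${PIN}" \
        group="${HSM_GROUP}" Spec=${CS_SPEC} Keyinfo

#================== Self-signed certificate for the HSM-resident key ==========
# The PIN goes into the PKCS#11 URI for this one command only; it is not kept.
RUN --mount=type=secret,id=hsm_pin \
    openssl version -a && openssl engine pkcs11 -v && \
    /opt/utimaco/bin/p11tool2 slot=${HSM_SLOT} LoginUser="$(cat /run/secrets/hsm_pin)" listobjects && \
    openssl req -engine pkcs11 -new -x509 -days 365 \
        -key "pkcs11:token=${HSM_TOKEN};object=${KEY_LABEL}?pin-value=$(cat /run/secrets/hsm_pin)" \
        -keyform engine -out /opt/utimaco/certs/SSL.cert -subj "/CN=${CERT_CN}"

#================== NGINX: TLS through the pkcs11 engine, unprivileged ports ==
# Keep a copy of the stock config, drop blank lines and the closing "}" of the
# http block, append the TLS server block, then close http again. Only the
# "listen ... 80" directives are moved to 8080 (not every "80" in the file), and
# the "user" directive is dropped because it is ignored without root anyway.
RUN cp /etc/nginx/nginx.conf /etc/nginx/nginx.conf.org && \
    sed -i '/^$/d' /etc/nginx/nginx.conf && \
    sed -i '$d' /etc/nginx/nginx.conf && \
    sed -i '1 i\ssl_engine pkcs11;' /etc/nginx/nginx.conf && \
    sed -i -E 's/^([[:space:]]*listen[[:space:]]+(\[::\]:)?)80([[:space:];])/\18080\3/' /etc/nginx/nginx.conf && \
    sed -i '/worker_processes auto;/c\worker_processes 1;' /etc/nginx/nginx.conf && \
    sed -i '/^user /d' /etc/nginx/nginx.conf && \
    printf '%s\n' \
        '    server {' \
        '        listen 8443 ssl;' \
        '' \
        '        server_name localhost;' \
        '        ssl_certificate /opt/utimaco/certs/SSL.cert;' \
        "        ssl_certificate_key engine:pkcs11:slot_${HSM_SLOT}-id_${KEY_ID};" \
        '' \
        '        access_log /tmp/sslparams.log;' \
        '        location / {' \
        '            root html;' \
        '            index index.html index.htm;' \
        '        }' \
        '    }' \
        '}' \
        >> /etc/nginx/nginx.conf

#================== Run as a non-root user ====================================
# Instead of chmod 777, give group 0 the owner's rights on the paths NGINX and
# the PKCS#11 client write to (pid file, logs, temp dirs, /opt/utimaco/logs).
# This works for USER 1001 below and for the arbitrary UID, always in group 0,
# that OpenShift assigns. ka.key is re-restricted to the owner afterwards.
RUN touch /run/nginx.pid && \
    chgrp -R 0 /run/nginx.pid /var/log/nginx /var/lib/nginx /opt/utimaco && \
    chmod -R g=u /run/nginx.pid /var/log/nginx /var/lib/nginx /opt/utimaco && \
    chgrp 0 /run && chmod g+rwx /run && \
    chmod 0600 /opt/utimaco/certs/ka.key && \
    chmod -R 755 /etc/utimaco

# Entrypoint: inject the HSM PIN into a private copy of openssl.cnf at start-up
# and hand over to NGINX with exec, so NGINX is PID 1 and receives signals.
COPY <<'EOF' /usr/local/bin/docker-entrypoint.sh
#!/bin/sh
# Reads the HSM user PIN from $HSM_PIN or from the file $HSM_PIN_FILE (default
# /run/secrets/hsm_pin), appends it to a per-container copy of the OpenSSL
# config and points OpenSSL at that copy through OPENSSL_CONF. The PIN is never
# stored in the image; the copy lives in /tmp and is readable by this user only.
set -eu
pin_file="${HSM_PIN_FILE:-/run/secrets/hsm_pin}"
if [ -z "${HSM_PIN:-}" ] && [ -r "$pin_file" ]; then
    HSM_PIN="$(cat "$pin_file")"
fi
if [ -z "${HSM_PIN:-}" ]; then
    echo "docker-entrypoint.sh: set HSM_PIN or mount the PIN at $pin_file" >&2
    exit 1
fi
umask 077
cp /etc/pki/tls/openssl.cnf /tmp/openssl.cnf
printf 'PIN=%s\n' "$HSM_PIN" >> /tmp/openssl.cnf
export OPENSSL_CONF=/tmp/openssl.cnf
unset HSM_PIN
exec "$@"
EOF
RUN chmod 0755 /usr/local/bin/docker-entrypoint.sh

USER 1001
EXPOSE 8080 8443
# nginx shuts down gracefully on SIGQUIT.
STOPSIGNAL SIGQUIT

#================== Start the NGINX server ====================================
ENTRYPOINT ["/usr/local/bin/docker-entrypoint.sh"]
CMD ["/usr/sbin/nginx", "-g", "daemon off;"]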

  1. Set the `version` label (`LABEL version="1"`) to the Utimaco software version you are packaging. Replace the example PIN (`123456`), slot, user and key identifiers with your own values, and do not leave the real PIN in the image. You can also modify the Dockerfile as per your requirement.

  2. Change the IP address (and port, if different) of the HSM, `3001@20.197.4.217` in the example, to match your environment.

  3. Change the value of `Spec` (`Spec=2` in the example) to the one that is appropriate for your HSM configuration.