Dockerfile to run NGINX as a Non-Root User

  1. Create a new file Dockerfile to build the CP5 image.


# vi /root/hsm/Dockerfile

  2. Copy the following lines into the Dockerfile.


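# Builds an NGINX image whose TLS private key is held in a Utimaco CP5 HSM and
# used through the OpenSSL pkcs11 engine. Every RUN step that calls csadm,
# cxitool or p11tool2 talks to the HSM while the image is being built, so the
# build host must be able to reach HSM_ADDR.
#
# Build-time parameters (override with --build-arg). Their defaults are the
# values of the original recipe; the ones a deployment normally changes are
# UBI_TAG, HSM_ADDR and HSM_SPEC:
#   UBI_TAG        tag of the redhat/ubi9 base image (pin to a release for
#                  reproducible builds instead of relying on "latest")
#   HSM_ADDR       <port>@<ip> of the CP5
#   HSM_SLOT       PKCS#11 slot used by p11tool2 and by the nginx key URI
#   HSM_GROUP      CP5 key group that belongs to HSM_SLOT
#   HSM_USER       CP5 user that owns HSM_GROUP
#   HSM_SPEC       cxitool Spec value
#   HSM_PIN        PKCS#11 user PIN (p11tool2 LoginUser, openssl.cnf PIN)
#   HSM_USER_PASS  LogonPass password of HSM_USER for cxitool
#                  (the original recipe uses the same value as HSM_PIN)
#   HSM_TOKEN      token label in the PKCS#11 URI used by "openssl req"
#   CERT_CN        CN of the self-signed server certificate
#
# Build arguments are recorded in the image history, and HSM_PIN is also
# written into /etc/pki/tls/openssl.cnf because the pkcs11 engine needs it
# when nginx opens the key. Anyone who can pull the image can therefore read
# the PIN: keep the image in a restricted registry, or inject openssl.cnf at
# runtime from a mounted secret instead of baking it in.
ARG UBI_TAG=latest
FROM redhat/ubi9:${UBI_TAG}
LABEL version="1"

ARG HSM_ADDR=3001@20.197.4.217
ARG HSM_SLOT=9
ARG HSM_GROUP=SLOT_0009
ARG HSM_USER=USR_0009
ARG HSM_SPEC=2
ARG HSM_PIN=123456
ARG HSM_USER_PASS=123456
ARG HSM_TOKEN=Openshift
ARG CERT_CN=test.utimaco.com

#========== Install NGINX and the OpenSSL pkcs11 engine ==========
# "dnf clean all" in the same layer keeps the package cache out of the image.
RUN dnf install -y openssl-pkcs11 nginx && dnf clean all

#========== Create the Utimaco directories ==========
# /hsm is kept from the original recipe; no later step uses it.
RUN mkdir -p /hsm /etc/utimaco /opt/utimaco/bin /opt/utimaco/lib /opt/utimaco/certs /opt/utimaco/logs

#========== Copy the Utimaco PKCS#11 module, its config and the admin tools ==========
COPY hsm/cs_pkcs11_R2.cfg /etc/utimaco/
COPY hsm/libcs_pkcs11_R2.so /opt/utimaco/lib/
COPY hsm/p11tool2 hsm/cxitool hsm/csadm /opt/utimaco/bin/

#========== Configure the OpenSSL pkcs11 engine ==========
# openssl.cnf gets a new top-level "openssl_conf=openssl_init" entry; the
# stock "openssl_conf = default_modules" line is commented out so only one is
# active. The appended sections load the pkcs11 engine with the Utimaco
# module; PIN is what the engine uses to log in to the token at runtime.
RUN sed -i '1 i\openssl_conf=openssl_init' /etc/pki/tls/openssl.cnf && \
    sed -i '/openssl_conf = default_modules/s/^/#/' /etc/pki/tls/openssl.cnf && \
    printf '%s\n' \
        '[openssl_init]' \
        'engines=engine_section' \
        '' \
        '[engine_section]' \
        'pkcs11 = pkcs11_section' \
        '' \
        '[pkcs11_section]' \
        'engine_id = pkcs11' \
        'dynamic_path = /usr/lib64/engines-3/pkcs11.so' \
        'MODULE_PATH = /opt/utimaco/lib/libcs_pkcs11_R2.so' \
        "PIN=${HSM_PIN}" \
        'init = 0' \
        >> /etc/pki/tls/openssl.cnf

#========== Configure the CP5: auth key, key pair, key group initialisation ==========
# The HSM auth key is stored under /opt/utimaco/certs rather than /tmp so a
# tmpfs or emptyDir mounted over /tmp at runtime cannot hide it, and it is
# group-readable only (the group permissions are opened to GID 0 below).
RUN /opt/utimaco/bin/csadm Dev=${HSM_ADDR} GetHSMAuthKey > /opt/utimaco/certs/HSMauth.key && \
    chmod 640 /opt/utimaco/certs/HSMauth.key

ENV CS_AUTH_KEYS=/opt/utimaco/certs/HSMauth.key

# The following steps change state on the HSM, not just in the image:
# GenerateKeyPair creates a new "RSAKey" (CKA_ID 0x45, matched by the
# "id_45" in the nginx key URI) every time this layer is rebuilt, and
# InitializeKey / AuthorizeKey initialise and authorise the key group.
# GetSlotInfo, listkeys and Keyinfo only print HSM state into the build log
# and act as early connectivity/credential checks.
RUN /opt/utimaco/bin/p11tool2 slot=${HSM_SLOT} LoginUser=${HSM_PIN} GetSlotInfo
RUN /opt/utimaco/bin/p11tool2 slot=${HSM_SLOT} LoginUser=${HSM_PIN} \
        PubKeyAttr=CKA_LABEL="RSAKey",CKA_ID=0x45 \
        PrvKeyAttr=CKA_LABEL="RSAKey",CKA_ID=0x45 GenerateKeyPair=RSA
RUN /opt/utimaco/bin/cxitool dev=${HSM_ADDR} LogonPass=${HSM_USER},${HSM_USER_PASS} listkeys
RUN /opt/utimaco/bin/cxitool dev=${HSM_ADDR} LogonPass=${HSM_USER},${HSM_USER_PASS} \
        group="${HSM_GROUP}" Spec=${HSM_SPEC} Keyinfo
# ka.key is only needed by the cxitool steps below (run as root at build time).
RUN /opt/utimaco/bin/csadm dev=${HSM_ADDR} genkey=/opt/utimaco/certs/ka.key,2048,"${HSM_USER}" && \
    chmod 640 /opt/utimaco/certs/ka.key
RUN /opt/utimaco/bin/cxitool dev=${HSM_ADDR} LogonPass=${HSM_USER},${HSM_USER_PASS} \
        group="${HSM_GROUP}" Spec=${HSM_SPEC} KeyFile=/opt/utimaco/certs/ka.key InitializeKey
RUN /opt/utimaco/bin/cxitool dev=${HSM_ADDR} LogonPass=${HSM_USER},${HSM_USER_PASS} \
        group="${HSM_GROUP}" Spec=${HSM_SPEC} KeyFile=/opt/utimaco/certs/ka.key AuthorizeKey=1000000
RUN /opt/utimaco/bin/cxitool dev=${HSM_ADDR} LogonPass=${HSM_USER},${HSM_USER_PASS} \
        group="${HSM_GROUP}" Spec=${HSM_SPEC} Keyinfo

#========== Generate the self-signed certificate for the HSM-resident key ==========
# "openssl engine pkcs11 -v" fails the build early if the engine or the
# Utimaco module cannot be loaded. The private key never leaves the HSM; only
# the certificate is written to the image.
RUN openssl version -a && openssl engine pkcs11 -v
RUN /opt/utimaco/bin/p11tool2 slot=${HSM_SLOT} LoginUser=${HSM_PIN} listobjects && \
    openssl req -engine pkcs11 -new -x509 -days 365 \
        -key "pkcs11:token=${HSM_TOKEN};object=RSAKey?pin-value=${HSM_PIN}" -keyform engine \
        -out /opt/utimaco/certs/SSL.cert -subj "/CN=${CERT_CN}"

#========== Configure nginx to use the HSM key through the pkcs11 engine ==========
# The stock config is backed up, stripped of blank lines and of its final "}"
# so that a TLS server block can be appended inside the http {} context, then:
#   - "ssl_engine pkcs11;" belongs to the main context, so it is inserted as line 1
#   - "listen 80" becomes 8080 because nginx runs unprivileged in this image
#   - worker_processes is fixed at 1 (as in the original recipe)
# The access log under /tmp only exists inside the container; send it to
# /dev/stdout or a mounted volume if the TLS access log must be retained.
RUN cp /etc/nginx/nginx.conf /etc/nginx/nginx.conf.org && \
    sed -i '/^$/d' /etc/nginx/nginx.conf && \
    sed -i '$d' /etc/nginx/nginx.conf && \
    sed -i '1 i\ssl_engine pkcs11;' /etc/nginx/nginx.conf && \
    sed -i '/^ *listen /s/\b80;/8080;/' /etc/nginx/nginx.conf && \
    sed -i '/worker_processes auto;/c\worker_processes 1;' /etc/nginx/nginx.conf && \
    printf '%s\n' \
        '    server {' \
        '        listen 8443 ssl;' \
        '' \
        '        server_name localhost;' \
        '        ssl_certificate /opt/utimaco/certs/SSL.cert;' \
        "        ssl_certificate_key engine:pkcs11:slot_${HSM_SLOT}-id_45;" \
        '' \
        '        access_log /tmp/sslparams.log;' \
        '        location / {' \
        '            root html;' \
        '            index index.html index.htm;' \
        '        }' \
        '    }' \
        '}' \
        >> /etc/nginx/nginx.conf

#========== Make the runtime paths writable by a non-root user ==========
# "nginx -t" loads the engine and validates the generated config at build time
# (the original recipe started nginx itself here just to create the pid file).
# The runtime UID is not known in advance -- OpenShift assigns an arbitrary
# UID that is a member of GID 0 -- so everything nginx and the PKCS#11 module
# write is group-owned by GID 0 with group permissions equal to the owner's,
# instead of being world-writable (the original used chmod 777).
RUN nginx -t && \
    touch /run/nginx.pid && \
    chgrp -R 0 /run/nginx.pid /var/log/nginx /var/lib/nginx /opt/utimaco /etc/utimaco && \
    chmod -R g=u /run/nginx.pid /var/log/nginx /var/lib/nginx /opt/utimaco && \
    chmod -R a+rX /etc/utimaco && \
    chmod 644 /etc/nginx/nginx.conf

#========== Start the Nginx Server ==========
# Run as a non-root UID. 1001 has no passwd entry, so the container runtime
# falls back to GID 0 for it, which matches the group permissions granted
# above; OpenShift replaces the UID with an arbitrary one that is also in
# GID 0. Both listen ports are above 1024, so no extra capabilities are needed.
USER 1001
EXPOSE 8080 8443
CMD ["/usr/sbin/nginx", "-g", "daemon off;"]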

  1. Change the value of LABEL version="1" to match your Utimaco HSM version. You can also modify the Dockerfile to suit your requirements.

  2. Change the IP address of the HSM (20.197.4.217 in the example above) accordingly.

  3. Change the Spec value to the one appropriate for your HSM.