|
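# Base image. ":latest" stays the default so existing builds keep working, but
# it is not reproducible -- pass --build-arg UBI9_TAG=<release> (ideally a
# tag@sha256:<digest>) for production builds.
ARG UBI9_TAG=latest
FROM redhat/ubi9:${UBI9_TAG}
LABEL version="1"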
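#==================Install NGINX and the OpenSSL PKCS#11 engine==============
# Only nginx and openssl-pkcs11 (the libp11 engine, /usr/lib64/engines-3/pkcs11.so)
# are installed; the HSM's own PKCS#11 module is copied in below. The dnf cache
# is cleared in the same layer so it does not persist in the image.
RUN dnf install -y openssl-pkcs11 nginx && \
    dnf clean all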
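#==================Create required Folders and Config Paths ==========
# All directories in one layer. The original "mkdir /hsm && cd /hsm" had a cd
# that cannot affect later instructions (each RUN is its own shell); /hsm is
# still created for parity although nothing below refers to it.
RUN mkdir -p /hsm \
             /etc/utimaco \
             /opt/utimaco/bin \
             /opt/utimaco/lib \
             /opt/utimaco/certs \
             /opt/utimaco/logs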
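#==================Copying Files and Changing Permission ==========
# Vendor PKCS#11 module, its config and the Utimaco CLI tools. p11tool2 is used
# at build time for key generation; cxitool/csadm are HSM administration tools
# and ideally would not ship in the runtime image (confine them to a build
# stage if the key-generation step is ever moved there).
COPY hsm/cs_pkcs11_R3.cfg /etc/utimaco/
COPY hsm/libcs_pkcs11_R3.so /opt/utimaco/lib/
COPY hsm/p11tool2 hsm/cxitool hsm/csadm /opt/utimaco/bin/
# Root-only, least-privilege modes: tools and directories 550, the module 440,
# the config 600. The original "chmod -R 440 /opt/utimaco/lib" also cleared the
# execute bit on the directory itself, which makes it untraversable for any
# non-root process (root only got through via CAP_DAC_READ_SEARCH).
RUN chmod 550 /opt/utimaco/bin /opt/utimaco/bin/* /opt/utimaco/lib && \
    chmod 440 /opt/utimaco/lib/* && \
    chmod 600 /etc/utimaco/cs_pkcs11_R3.cfg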
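#==================Configure PKCS11 Engine============================
# Register the libp11 "pkcs11" engine in the system OpenSSL config and point it
# at the Utimaco module. Notes:
#  * UBI 9's stock openssl.cnf presumably already sets openssl_conf=openssl_init;
#    the inserted line and the appended [openssl_init] section merge with the
#    existing ones, and commenting out "openssl_conf = default_modules" is a
#    no-op carried over from an older (UBI 8 style) file -- harmless, kept.
#  * "dynamic_path" now has its "=": OpenSSL's config format is "name = value"
#    and the original line had no equals sign, which the parser rejects (or at
#    best ignores).
#  * The HSM user PIN is deliberately NOT written here. Baking "PIN=..." into
#    a world-readable file in an image layer hands it to anyone who can pull
#    the image; the entrypoint below appends it at container start from a
#    mounted secret instead.
RUN sed -i '1 i\openssl_conf=openssl_init' /etc/pki/tls/openssl.cnf && \
    sed -i -e '/openssl_conf = default_modules/s/^/#/g' /etc/pki/tls/openssl.cnf && \
    printf '%s\n' \
        '' \
        '[openssl_init]' \
        'engines=engine_section' \
        '' \
        '[engine_section]' \
        'pkcs11 = pkcs11_section' \
        '' \
        '[pkcs11_section]' \
        'engine_id = pkcs11' \
        'dynamic_path = /usr/lib64/engines-3/pkcs11.so' \
        'MODULE_PATH = /opt/utimaco/lib/libcs_pkcs11_R3.so' \
        'init = 0' \
        >> /etc/pki/tls/openssl.cnf

# Runtime PIN injection. Mount the user PIN at /run/secrets/hsm_pin (Docker
# secret, Kubernetes Secret volume, ...). [pkcs11_section] is the last section
# in openssl.cnf, so appending "PIN=<value>" lands in that section -- the same
# place the original relied on for nginx to log into the token. Keep
# [pkcs11_section] last if more config is ever appended. Requires a writable
# /etc/pki/tls (mount a tmpfs there when running with a read-only rootfs).
# The grep keeps container restarts idempotent.
RUN printf '%s\n' \
        '#!/bin/sh' \
        'set -eu' \
        'if [ -r /run/secrets/hsm_pin ] && ! grep -q "^PIN=" /etc/pki/tls/openssl.cnf; then' \
        '  printf "PIN=%s\n" "$(cat /run/secrets/hsm_pin)" >> /etc/pki/tls/openssl.cnf' \
        'elif [ ! -r /run/secrets/hsm_pin ]; then' \
        '  echo "docker-entrypoint: /run/secrets/hsm_pin not found; PKCS#11 login will fail" >&2' \
        'fi' \
        'exec "$@"' \
        > /usr/local/bin/docker-entrypoint.sh && \
    chmod 755 /usr/local/bin/docker-entrypoint.sh
ENTRYPOINT ["/usr/local/bin/docker-entrypoint.sh"]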
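#==================Generate Keys and Certificate for SSL==============
# Sanity check that the engine registered above actually loads (fails the
# build early instead of at nginx start-up).
RUN openssl version -a && openssl engine pkcs11 -v

# Subject and lifetime of the self-signed certificate are build args so they
# can be changed without editing this file (defaults match the original).
ARG SSL_CERT_CN=test.utimaco.com
ARG SSL_CERT_DAYS=365

# Generate the RSA key pair inside the HSM (slot 9, label RSAKey, id 0x45),
# list the slot's objects, and issue a self-signed certificate for the key.
# The user PIN comes from a BuildKit secret mount so it never lands in a layer
# or in "docker history" (the original passed it on the command line):
#   docker build --secret id=hsm_pin,src=./hsm_pin.txt .
# Caveats a deployer should know:
#  * this is a build-time side effect on the HSM: every build creates another
#    key pair with the same label/id in slot 9 and needs the HSM reachable from
#    the builder -- key provisioning normally belongs outside the image build;
#  * the certificate is self-signed and expires after SSL_CERT_DAYS days;
#  * --mount=type=secret needs BuildKit (the default builder in current Docker).
RUN --mount=type=secret,id=hsm_pin \
    HSM_PIN="$(cat /run/secrets/hsm_pin)" && \
    /opt/utimaco/bin/p11tool2 slot=9 LoginUser="${HSM_PIN}" \
        PubKeyAttr=CKA_LABEL="RSAKey",CKA_ID=0x45 \
        PrvKeyAttr=CKA_LABEL="RSAKey",CKA_ID=0x45 \
        GenerateKeyPair=RSA && \
    /opt/utimaco/bin/p11tool2 slot=9 LoginUser="${HSM_PIN}" listobjects && \
    openssl req -engine pkcs11 -new -x509 -days "${SSL_CERT_DAYS}" \
        -key "pkcs11:token=Openshift;object=RSAKey?pin-value=${HSM_PIN}" \
        -keyform engine \
        -out /opt/utimaco/certs/SSL.cert \
        -subj "/CN=${SSL_CERT_CN}"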
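#==================Configure Nginx to use Utimaco HSM=================
# Keep a pristine copy of the packaged config for reference/debugging.
RUN cp /etc/nginx/nginx.conf /etc/nginx/nginx.conf.org

# The original spliced a server{} into nginx.conf by deleting the file's last
# line (assumed to be the closing brace of http{}) and re-appending braces --
# fragile against any change in the packaged file. Instead, enable the engine
# at top level and drop the TLS server into conf.d/, which the packaged
# nginx.conf includes from inside http{}. The grep fails the build if that
# include is ever missing, so the site cannot silently disappear.
RUN grep -qE '^[[:space:]]*include[[:space:]]+/etc/nginx/conf\.d/\*\.conf;' /etc/nginx/nginx.conf && \
    mkdir -p /etc/nginx/conf.d && \
    sed -i '1 i\ssl_engine pkcs11;' /etc/nginx/nginx.conf && \
    printf '%s\n' \
        'server {' \
        '    listen 443 ssl;' \
        '' \
        '    # NOTE: the generated certificate carries CN=test.utimaco.com by' \
        '    # default, which does not match this server_name; align them for' \
        '    # real deployments.' \
        '    server_name localhost;' \
        '    ssl_certificate /opt/utimaco/certs/SSL.cert;' \
        '    # The private key never leaves the HSM; libp11 id form <slot>-<CKA_ID>.' \
        '    ssl_certificate_key engine:pkcs11:slot_9-id_45;' \
        '' \
        '    # Log under /var/log/nginx rather than the world-writable /tmp.' \
        '    access_log /var/log/nginx/ssl_access.log;' \
        '' \
        '    location / {' \
        '        root html;' \
        '        index index.html index.htm;' \
        '    }' \
        '}' \
        > /etc/nginx/conf.d/hsm-ssl.conf
EXPOSE 443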
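#==================Start the Nginx Server=============================
# nginx runs as root on purpose here: the master process must bind :443 and
# read the root-only PKCS#11 module/config before forking workers (which the
# packaged nginx.conf presumably drops to the nginx user -- confirm).
# SIGQUIT asks nginx for a graceful shutdown (finish in-flight requests) on
# "docker stop"; the default SIGTERM triggers a fast shutdown.
STOPSIGNAL SIGQUIT
CMD ["/usr/sbin/nginx", "-g", "daemon off;"]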
|