The nShield Connect HSM sidecar container enables integrating the application container with an Entrust nShield Connect HSM. The following covers how to set up the integration in Kubernetes.
For more general information on the HSM integration with PKCS#11, see HSM Integration.
Prerequisites
Before using this container, you need the following:
- nShield HSM: A functioning nShield HSM with fully configured secure network access. The SignServer deployment is configured with:
  - IP address/hostname
  - Port
  - Electronic Serial Number (ESN) of the HSM
  - HKNETI (Hash of the KNETI key of the HSM)
- Remote File Server (RFS): A working RFS with secure network access. The SignServer deployment is configured with:
  - IP address/hostname
  - Port
  - Mode
HSM Driver Container Deployment Parameters
The following parameters are required for configuring the HSM driver container. Update these values based on your setup.
| Name | Description | Required |
|---|---|---|
| HSM_IP | The IP address or FQDN of the HSM that the client will connect to. | |
| HSM_PORT | The port of the HSM. | |
| HSM_ESN | Electronic Serial Number (ESN) of the HSM. | |
| HSM_HKNETI | Hash of the KNETI key of the HSM. | |
| RFS_IP | The IP address or FQDN of the Remote File Server (RFS). | |
| RFS_PORT | The port of the Remote File Server. | |
| RFS_MODE | The connection mode of the Remote File Server. Accepted values: | |

*Depending on your HSM settings, this value may not be supported.
Step 1 - Prepare HSM Configuration
Create a Kubernetes secret to store the HSM and Remote File Server (RFS) parameters:
```shell
kubectl create secret generic nshield-secret \
  --from-literal=HSM_IP='xxx.xxx.xx.xxx' \
  --from-literal=HSM_PORT='xxxx' \
  --from-literal=HSM_ESN='xxxx-xxxx-xxxx' \
  --from-literal=HSM_HKNETI='dbbcb19108b...' \
  --from-literal=RFS_IP='xxx.xxx.xx.xxx' \
  --from-literal=RFS_PORT='xxxx' \
  --from-literal=RFS_MODE='readonly'
```
Replace the HSM_IP, HSM_PORT, HSM_ESN, HSM_HKNETI, RFS_IP, RFS_PORT, and RFS_MODE values with your actual configuration.
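The following preflight script is an added example written for this page; it is not part of the SignServer documentation or of the hsm-driver-nshield container. It checks the seven values before they are stored in the Secret (a stray quote or a hash copied with a trailing "..." from a truncated listing would otherwise only surface as a failed sidecar start), then prints the Step 1 command with `--dry-run=client -o yaml` so the resulting manifest can be reviewed before anything is written to the cluster. The formats it enforces (ESN as xxxx-xxxx-xxxx, HKNETI as hexadecimal, RFS_MODE as a plain mode name) are assumptions matching the placeholders above, not a vendor specification, and the function names `matches`, `is_port`, `is_host`, `validate_hsm_params` and `render_secret_cmd` are this example's own.

```shell
#!/bin/sh
# Added preflight example, not part of the SignServer documentation or the
# hsm-driver-nshield container: checks the seven sidecar parameters before
# they go into the 'nshield-secret' Secret, then prints the kubectl command
# with --dry-run=client so the resulting manifest can be reviewed first.
# Value formats enforced here (ESN as xxxx-xxxx-xxxx, HKNETI as hex) are
# assumptions matching the placeholders on the page, not a vendor spec.

matches() { printf '%s' "$1" | grep -Eq "$2"; }   # matches VALUE ERE

is_port() { matches "$1" '^[0-9]{1,5}$' && [ "$1" -ge 1 ] && [ "$1" -le 65535 ]; }

# IPv4 literal or DNS hostname/FQDN. Rejecting everything else also keeps
# quotes and shell metacharacters out of the single-quoted --from-literal
# arguments rendered below.
is_host() {
  matches "$1" '^[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?(\.[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?)*$'
}

fail() { echo "preflight: $1" >&2; rc=1; }

# validate_hsm_params: reads HSM_* / RFS_* from the environment, reports every
# problem on stderr, and returns 0 only if all seven values pass.
validate_hsm_params() {
  rc=0
  is_host "${HSM_IP:-}"   || fail "HSM_IP is not an IP address or FQDN"
  is_port "${HSM_PORT:-}" || fail "HSM_PORT is not a TCP port (1-65535)"
  matches "${HSM_ESN:-}" '^[A-Za-z0-9]{4}-[A-Za-z0-9]{4}-[A-Za-z0-9]{4}$' \
    || fail "HSM_ESN is not of the form xxxx-xxxx-xxxx"
  # a trailing '...' means the hash was copied from a truncated listing
  matches "${HSM_HKNETI:-}" '^[0-9a-fA-F]+$' \
    || fail "HSM_HKNETI must be hexadecimal only (no spaces, no trailing '...')"
  is_host "${RFS_IP:-}"   || fail "RFS_IP is not an IP address or FQDN"
  is_port "${RFS_PORT:-}" || fail "RFS_PORT is not a TCP port (1-65535)"
  # the page shows 'readonly'; the full list of accepted modes is in the parameter table
  matches "${RFS_MODE:-}" '^[A-Za-z0-9_-]+$' \
    || fail "RFS_MODE is empty or not a plain mode name"
  return $rc
}

# render_secret_cmd: prints the Step 1 command for the validated values, with
# --dry-run=client -o yaml appended so nothing is written to the cluster.
render_secret_cmd() {
  validate_hsm_params || return 1
  printf '%s\n' \
    "kubectl create secret generic nshield-secret \\" \
    "  --from-literal=HSM_IP='$HSM_IP' \\" \
    "  --from-literal=HSM_PORT='$HSM_PORT' \\" \
    "  --from-literal=HSM_ESN='$HSM_ESN' \\" \
    "  --from-literal=HSM_HKNETI='$HSM_HKNETI' \\" \
    "  --from-literal=RFS_IP='$RFS_IP' \\" \
    "  --from-literal=RFS_PORT='$RFS_PORT' \\" \
    "  --from-literal=RFS_MODE='$RFS_MODE' \\" \
    "  --dry-run=client -o yaml"
}
```

Run it with the seven variables set in the environment (`. ./preflight.sh && render_secret_cmd`); the dry-run output is the Secret manifest to review. Because `--from-literal` puts the HKNETI and the other values on the command line, they end up in shell history and are visible to other users in process listings while the command runs; prefer `--from-file` or a sealed manifest applied from a file on shared administration hosts.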
Step 2 - Configure Deployment
The following provides an example of customizing the deployment using Helm. Configure the sidecarContainers section to use the nShield Connect HSM with the Secret created in Step 1.
Note that the Helm chart values file values.yaml describes an example test deployment and does not include:

- Database connection.
- Configured imagePullSecrets that may be required.
- TLS connection required after the deployment and creation of the CAs.
```yaml
signserver:
  initContainers:
    - name: hsm-driver-init
      image: repo.keyfactor.com/images/hsm-driver-nshield:0.5.0
      command:
        [
          "sh",
          "-c",
          "cp --preserve --recursive /opt/keyfactor/p11proxy-client/* /mnt/",
        ]
      volumeMounts:
        - name: p11proxy-client
          mountPath: /mnt
  sidecarContainers:
    - name: hsm-nshield
      image: repo.keyfactor.com/images/hsm-driver-nshield:0.5.0
      imagePullPolicy: IfNotPresent
      # configuration parameters provided as secret
      envFrom:
        - secretRef:
            name: nshield-secret
  volumes:
    - name: p11proxy-client
      emptyDir: { }
  volumeMounts:
    - name: p11proxy-client
      mountPath: /opt/keyfactor/p11proxy-client
```
Step 3 - Create and Verify HSM Crypto Token
After SignServer is running with the nShield Connect HSM sidecar, create the Crypto Token:
- In the SignServer Admin Web, click the Add… link.
- Click the FROM TEMPLATE button.
- Select p11ng-crypto.properties from the drop-down menu.
- Configure the Crypto Worker with the following options:

  | Field | Value |
  |---|---|
  | | A descriptive name, for example, |
  | | P11 Proxy |
  | | Optional password for the slot. If specified, the token is "auto-activated". |

- Click APPLY.
Once created, you can generate new key pairs or view any existing key pairs on the HSM.
To verify that communication with the HSM is functional, click the Crypto Worker, go to the Crypto Token tab, and try to generate a key pair.