About Install
In this deployment, we will be setting up two hosts in one location, each running one Virtru Private Keystore instance. Each Virtru Private Keystore will listen on its own designated port on its host.
The setup will assume:
- Load Balancer
  - Public DNS: cks.example.com
  - Public Port: 443
- Host A
  - Internal DNS: cksa01.example.com (Optional)
  - Internal Port: 443
- Host B
  - Internal DNS: cksb01.example.com (Optional)
  - Internal Port: 443
Install Steps
- Install Docker
- Install Docker Compose
- Download Install Script
- Run Install Script
- Docker Compose Up
Install Commands
Install Docker and Docker Compose
If this was completed during the prerequisites, you can skip to "Download and Execute Installer".
# Install Docker CE (the convenience script itself must run as root)
curl -sSL https://get.docker.com/ | sudo sh
# Install Docker Compose
sudo curl -L "https://github.com/docker/compose/releases/download/1.29.2/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose
sudo chmod +x /usr/local/bin/docker-compose
# Confirm working installation
docker-compose --version
Download and Execute Installer
Warning
If SELinux is in use please reference this article.
Shell
mkdir -p /var/virtru/scripts
cd /var/virtru/scripts
wget https://cdn.virtru.com/apps/cks/latest/cks-install.sh -O cks-install-wizard.sh
bash cks-install-wizard.sh
Offline Install
To run the installer in offline mode, first follow the prerequisites listed here, then execute:
bash <your-cks-install-script.sh> -o true
Recommended
The installer will create all appropriate directories. The recommended install root directory:
/var/virtru/cks/
Transport Security (TLS Certificate)
During the install, the installer validates the TLS certificate for transport security. When prompted, copy the required file to the appropriate directory.
Shell
cd /var/virtru/cks/ssl
cat [path-to-private-key] [path-to-certificate] [path-to-intermediate-cert-1] ... [path-to-root-cert] > ssl.pem
Note: the order of the certificates in ssl.pem matters. The private key comes first, the certificate for your CKS FQDN must come before the intermediate certificates for your CA, and the root certificate goes last.
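To catch a mis-ordered bundle before the installer validates it, here is an added shell script (not part of the Virtru installer) that splits ssl.pem into its PEM blocks and checks the order described above: private key first, then the certificate whose public key matches that key, then each issuer in turn up to the root. The demo chain it builds with openssl (Demo Root, Demo Intermediate, a leaf for cks.example.com) is constructed for the example; a real deployment checks the CA-issued files.

```shell
#!/usr/bin/env bash
# Added example, not part of the Virtru installer: verify that an ssl.pem
# bundle is ordered [private key] [FQDN cert] [intermediates...] [root]
# before copying it to /var/virtru/cks/ssl. Returns 0 if consistent, else 1.
set -u

check_ssl_pem() {
    local bundle=$1 tmp n i=2 issuer subject kpub cpub
    tmp=$(mktemp -d) || return 1
    n=$(grep -c -- '-----BEGIN' "$bundle")
    # Split the bundle into one file per PEM block: block1.pem, block2.pem, ...
    awk -v d="$tmp" '/-----BEGIN/{n++} {print > (d "/block" n ".pem")}' "$bundle"
    # Block 1 must be the private key and block 2 the certificate for that key.
    [ "$n" -ge 2 ] && grep -q 'PRIVATE KEY' "$tmp/block1.pem" ||
        { echo "bundle must start with the private key, then at least one cert"; rm -rf "$tmp"; return 1; }
    kpub=$(openssl pkey -in "$tmp/block1.pem" -pubout 2>/dev/null)
    cpub=$(openssl x509 -in "$tmp/block2.pem" -pubkey -noout 2>/dev/null)
    [ -n "$kpub" ] && [ "$kpub" = "$cpub" ] ||
        { echo "block 2 is not the certificate for the key: the FQDN cert must come first"; rm -rf "$tmp"; return 1; }
    # Each later certificate must be the issuer of the one before it (leaf -> ... -> root).
    while [ "$i" -lt "$n" ]; do
        issuer=$(openssl x509 -in "$tmp/block$i.pem" -noout -issuer)
        subject=$(openssl x509 -in "$tmp/block$((i + 1)).pem" -noout -subject)
        [ "${issuer#issuer=}" = "${subject#subject=}" ] ||
            { echo "block $((i + 1)) did not issue block $i: chain order is wrong"; rm -rf "$tmp"; return 1; }
        i=$((i + 1))
    done
    rm -rf "$tmp"
    echo "ssl.pem order OK: key + $((n - 1)) certificate(s)"
}

# Constructed demo chain (root -> intermediate -> leaf for cks.example.com) so the check
# can be exercised offline; a real deployment uses the CA-issued files instead.
make_test_chain() {
    local d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo Root" \
        -keyout "$d/root.key" -out "$d/root.crt" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=Demo Intermediate" \
        -keyout "$d/int.key" -out "$d/int.csr" 2>/dev/null
    openssl x509 -req -in "$d/int.csr" -CA "$d/root.crt" -CAkey "$d/root.key" \
        -CAcreateserial -days 1 -out "$d/int.crt" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=cks.example.com" \
        -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/int.crt" -CAkey "$d/int.key" \
        -CAcreateserial -days 1 -out "$d/leaf.crt" 2>/dev/null
}
```

Run `check_ssl_pem /var/virtru/cks/ssl/ssl.pem` against the bundle you assembled with the cat command above; a non-zero exit names the first block that is out of place.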
CKS Re-Wrap Keys (RSA key pair)
The CKS Re-Wrap keys are used to rewrap/unwrap a message key.
The CKS can use:
- New Generated - The installer will generate new keys for use with the CKS.
- Existing - Copy an existing key pair into the keys directory:
Shell
cd /var/virtru/cks/keys
cp [path-to-public-key] rsa001.pub
cp [path-to-private-key] rsa001.pem
CKS Re-Wrap Key Storage
The CKS Re-Wrap keys are used to rewrap/unwrap a message key. The storage and management options of the keys are:
- In Memory as an Environment Variable
- On disk
- HSM
Logging
The CKS can log directly to:
- The docker standard out
- Remote Syslog server
Finalization
The last prompt asks for the host of the CKS.
Warning
Only enter the Fully Qualified Domain Name of the host (FQDN).
i.e. cks.example.com
Post Install
Once completed, the wizard will have created the following:
- The environment variables for the Virtru Private Keystore and its companion containers.
- A token-store/tokens.json that defines the HMAC token used to authenticate to your CKS deployment.
  - It is also automatically loaded into the environment variables in env/cks.env.
- A docker-compose.yml file to run the deployment.
- An RSA key pair, if existing keys were not used.
  - In the /var/virtru/cks/keys directory, verify that rsa001.pem and rsa001.pub have permission 644 applied:
    chmod 644 rsa001.pem
    chmod 644 rsa001.pub
- A TLS certificate, if an existing certificate was not used.
Email send_to_virtru.tar.gz to Virtru
Once the wizard has completed successfully, a file, send_to_virtru.tar.gz, will be in your /var/virtru/cks/ directory. This file contains the information Virtru requires to communicate with your CKS appliance.
Send the file via Secure Share to the deployment team:
https://secure.virtru.com/secure-share/sharing/dep-sa@virtru.com
Enable
Once the wizard has completed, the Virtru Private Keystore is ready to turn on and verify connectivity.
Shell
cd /var/virtru/cks
docker-compose up -d