In this deployment, two hosts each run one Customer Key Server (CKS) instance in a single location. Each CKS listens on its own designated port on its host.
The setup assumes:
- Load Balancer
  - Public DNS: cks.example.com
  - Public Port: 443
- Host A
  - Internal DNS: cksa01.example.com (optional)
  - Internal Port: 443
- Host B
  - Internal DNS: cksb01.example.com (optional)
  - Internal Port: 443
The deployment steps are:
- Install Docker
- Install Docker Compose
- Download the install script
- Run the install script
- Docker Compose up
Install Docker and Docker Compose
If this was completed during the prerequisites, skip to "Download and Execute Installer".
The get.docker.com script runs with root privileges, so rather than piping it straight into sh you may prefer to save it first (curl -fsSL https://get.docker.com -o get-docker.sh), review it, and then run it. The Compose download below is pinned to 1.29.2, the last Compose v1 release; compare the downloaded binary against the checksum published on that GitHub release before making it executable.
# Install Docker CE
sudo curl -sSL https://get.docker.com/ | sh
# Install Docker Compose
sudo curl -L "https://github.com/docker/compose/releases/download/1.29.2/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose
sudo chmod +x /usr/local/bin/docker-compose
# Confirm working installation
docker --version
docker-compose --version
Download and Execute Installer
If SELinux is in use, please reference this article first.
wget https://cdn.virtru.com/apps/cks/latest/cks-install.sh -O cks-install-wizard.sh
Run the downloaded script:
bash cks-install-wizard.sh
To run the installer in offline mode, first follow the offline prerequisites listed here, then pass -o true:
bash cks-install-wizard.sh -o true
The installer creates all the directories it needs. The rest of this page assumes the recommended install root directory, /var/virtru/cks.
Transport Security (TLS Certificate)
During the install, the installer validates the TLS certificate used for transport security. When prompted, build the ssl.pem bundle from the private key, the server certificate, any intermediate CA certificates and the root CA certificate, in that order, and copy it to the directory the wizard names:
cat [path-to-private-key] [path-to-certificate] [path-to-intermediate-cert-1] ... [path-to-root-cert] > ssl.pem
Note: the order of the entries in ssl.pem matters. The private key comes first, and the certificate for your CKS FQDN must come before the intermediate certificates for your CA, which are followed by the root. Because ssl.pem contains the private key, restrict it to its owner (chmod 600 ssl.pem).
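The following is an added example, not part of the Virtru installer or of this page: two POSIX shell functions that build ssl.pem in the documented order and then check it with the openssl command-line tool (assumed to be installed) before the wizard consumes it. The file names and the FQDN are placeholders; substitute your own.

```sh
#!/bin/sh
# Added example, not part of the Virtru CKS installer: assemble ssl.pem in the
# order the installer requires (private key, server certificate, intermediates,
# root) and sanity-check the result with the openssl CLI before running the
# install wizard. Assumes openssl 1.1.1 or newer is on PATH.

# build_ssl_pem OUT KEY LEAF_CERT [INTERMEDIATE ...] ROOT
# Concatenates the inputs in the given order. The result contains the private
# key, so it is created owner-readable only.
build_ssl_pem() {
    out=$1; shift
    (umask 077; cat "$@" > "$out") || return 1
    chmod 600 "$out"
}

# cert_at DIR N: path of the N-th certificate split out of the bundle.
cert_at() { printf '%s/cert%02d.pem' "$1" "$2"; }

# check_ssl_pem BUNDLE FQDN
# Succeeds only if: the first PEM block is the single private key; that key
# matches the first certificate; the first certificate is unexpired; each
# certificate's issuer is the subject of the one after it; and the chain
# verifies for FQDN with the last certificate as the trust anchor.
check_ssl_pem() {
    bundle=$1; fqdn=$2; rc=0
    work=$(mktemp -d) || return 1

    if [ "$(grep -c -- '-----BEGIN .*PRIVATE KEY-----' "$bundle")" -ne 1 ]; then
        echo "FAIL: expected exactly one private key block in $bundle"; rm -rf "$work"; return 1
    fi
    if ! head -n 1 "$bundle" | grep -q 'PRIVATE KEY'; then
        echo "FAIL: the private key must be the first block in $bundle"; rm -rf "$work"; return 1
    fi

    # Split the certificates into cert01.pem, cert02.pem, ... keeping bundle order.
    awk -v dir="$work" '
        /-----BEGIN CERTIFICATE-----/ { n++; f = sprintf("%s/cert%02d.pem", dir, n) }
        f != ""                        { print > f }
        /-----END CERTIFICATE-----/   { close(f); f = "" }' "$bundle"
    n=$(( $(find "$work" -name 'cert*.pem' | wc -l) ))
    if [ "$n" -lt 2 ]; then
        echo "FAIL: need at least the server certificate and the root"; rm -rf "$work"; return 1
    fi
    leaf=$(cert_at "$work" 1); root=$(cert_at "$work" "$n")

    # The key must belong to the first certificate (the one for the CKS FQDN).
    key_pub=$(openssl pkey -in "$bundle" -pubout 2>/dev/null)
    leaf_pub=$(openssl x509 -in "$leaf" -noout -pubkey 2>/dev/null)
    if [ -z "$key_pub" ] || [ "$key_pub" != "$leaf_pub" ]; then
        echo "FAIL: private key does not match the first certificate"; rc=1
    fi
    if ! openssl x509 -in "$leaf" -noout -checkend 0 >/dev/null 2>&1; then
        echo "FAIL: first certificate has expired"; rc=1
    fi

    # Order check: cert i must be issued by cert i+1 (leaf -> intermediates -> root).
    i=1
    while [ "$i" -lt "$n" ]; do
        issuer=$(openssl x509 -in "$(cert_at "$work" "$i")" -noout -issuer | sed 's/^issuer=//')
        subject=$(openssl x509 -in "$(cert_at "$work" $((i + 1)))" -noout -subject | sed 's/^subject=//')
        if [ "$issuer" != "$subject" ]; then
            echo "FAIL: certificate $i is not issued by certificate $((i + 1)); check the order"; rc=1
        fi
        i=$((i + 1))
    done

    # Cryptographic chain check for the FQDN: the last cert is the trust anchor,
    # everything between leaf and root is passed as untrusted intermediates.
    # (Temp paths from mktemp contain no spaces, so the unquoted list is safe.)
    untrusted=""; i=2
    while [ "$i" -lt "$n" ]; do
        untrusted="$untrusted -untrusted $(cert_at "$work" "$i")"; i=$((i + 1))
    done
    if ! openssl verify -CAfile "$root" -verify_hostname "$fqdn" $untrusted "$leaf" >/dev/null 2>&1; then
        echo "FAIL: chain does not verify for $fqdn"; rc=1
    fi

    rm -rf "$work"
    [ "$rc" -eq 0 ] && echo "OK: $bundle is ordered key, leaf, chain, root and verifies for $fqdn"
    return "$rc"
}
```

Usage: build_ssl_pem ssl.pem server.key server.crt intermediate.crt root.crt, then check_ssl_pem ssl.pem cks.example.com (use the FQDN the certificate was issued for). Every FAIL line names one concrete problem; the most common one in practice is a root or intermediate pasted ahead of the server certificate, which the issuer/subject pairing check reports by position.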
CKS Re-Wrap Keys (RSA key pair)
The CKS Re-Wrap keys are used to rewrap/unwrap a message key.
The CKS can use:
- Newly generated: the installer generates a new key pair for use with the CKS.
- Existing: copy an existing key pair into place under the names the installer expects:
cp [path-to-public-key] rsa001.pub
cp [path-to-private-key] rsa001.pem
rsa001.pem is the private half of the pair; restrict it to its owner (chmod 600 rsa001.pem) and confirm that rsa001.pub is the public key matching rsa001.pem before continuing.
CKS Re-Wrap Key Storage
The storage and management options for the Re-Wrap keys are:
- In memory, as an environment variable
- On disk
Neither option is free of exposure. An environment variable is readable by anyone who can run docker inspect against the container or read the process environment on the host, and a key on disk is only as protected as the file permissions, disk encryption and backups of that host. Choose based on who holds root and Docker socket access on the CKS hosts.
Logging
The CKS can log directly to:
- The Docker standard output
- A remote syslog server
CKS Host
When prompted for the host of the CKS, enter only the Fully Qualified Domain Name (FQDN) of the host, with no scheme, path or port.
Once completed, the wizard will have created the following:
- The environment variables for the CKS and its companion containers.
- A token-store/tokens.json that defines the HMAC token used to authenticate to your CKS deployment.
  - The token is also loaded automatically into the environment variables in env/cks.env.
- A docker-compose.yml file to run the deployment.
- An RSA key pair, if existing keys were not used.
- A TLS certificate, if an existing certificate was not used.
Treat tokens.json, env/cks.env, rsa001.pem and ssl.pem as secrets: together they hold the credential and private keys of this deployment.
Send send_to_virtru.tar.gz to Virtru
Once the wizard has completed successfully, the file send_to_virtru.tar.gz will be in your /var/virtru/cks/ directory. It contains the information Virtru needs to communicate with your CKS appliance. List its contents (tar -tzf send_to_virtru.tar.gz) so you know exactly what you are sending.
Send the file via Secure Share to the deployment team.
Start the CKS and Verify Connectivity
Once the wizard has completed, the CKS is ready to start. Bring the deployment up and confirm that its containers are running:
cd /var/virtru/cks
docker-compose up -d
docker-compose ps