Background
The cutover steps in this article describe how to migrate your existing CKS deployment to the new deployment method. Currently, your CKS application consists of 3 containers: haproxy, rsyslog, and the CKS itself. With this migration, the 3 containers are condensed into a single container, which makes the deployment more seamless and future maintenance easier.
Prerequisites
Note: With this deployment update, docker-compose will no longer be supported.
Same as the original CKS deployment method: Virtru Private Keystore (for Virtru Solutions) - Standard Linux Server
Install Steps
- Back up your existing CKS working directory (the default is /var/virtru/cks):
cd /var/virtru
mkdir backup
cd backup
cp -r /var/virtru/cks .
- Navigate to your CKS working directory, default is /var/virtru/cks
- Update your cks.env with the values below:
##Change the two existing variables below:
LOG_RSYSLOG_ENABLED=false
LOG_CONSOLE_ENABLED=true
##Add the two new variables below:
HTTPS_KEY_PATH=/app/ssl/<your-cks-server-endpoint.com>.key
HTTPS_CERT_PATH=/app/ssl/<your-cks-server-endpoint.com>.crt
Two of the new values in your .env file point at your original .pem certificate, found in /var/virtru/cks/ssl, broken into two parts:
- HTTPS_KEY_PATH is the private key, which begins and ends with -----BEGIN RSA PRIVATE KEY----- and -----END RSA PRIVATE KEY-----, or with -----BEGIN PRIVATE KEY----- and -----END PRIVATE KEY-----. Private keys are secret, so care should be taken to protect this file.
- HTTPS_CERT_PATH is the customer's certificate together with its certificate chain bundle, containing multiple -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- blocks.
Note: To prevent decryption errors, the certificate chain in the .crt file must be in the correct order. The certificate for your CKS FQDN must come before the intermediate and/or root certificates within the .crt file.
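The following is an added example, not part of Virtru's documentation: a small POSIX shell helper that splits the original combined .pem into the .key and .crt files referenced above, restricts the private key's permissions, and, when openssl is installed, prints the subject of the first certificate so you can confirm the CKS FQDN leaf certificate comes first. File paths, the function names and the sample PEM used for checking are assumptions.

```shell
#!/bin/sh
# Added example (assumed helper, not Virtru's own tooling).
# split_pem <combined.pem> <out.key> <out.crt>
# Copies every PRIVATE KEY block (RSA or PKCS#8) to <out.key> and every
# CERTIFICATE block, preserving their order, to <out.crt>. Only awk and
# chmod are needed, so it runs on a minimal Linux server.
split_pem() {
    pem="$1"; key_out="$2"; crt_out="$3"
    awk -v key="$key_out" -v crt="$crt_out" '
        /^-----BEGIN (RSA |EC )?PRIVATE KEY-----$/ { dest = key }
        /^-----BEGIN CERTIFICATE-----$/            { dest = crt }
        dest != "" { print > dest }
        /^-----END .*-----$/                       { dest = "" }
    ' "$pem" || return 1
    # The key is a secret: owner read/write only. The cert bundle is public.
    chmod 600 "$key_out"
    chmod 644 "$crt_out"
}

# count_blocks <file> <type>   e.g. count_blocks cks.crt CERTIFICATE
count_blocks() {
    grep -c "^-----BEGIN .*$2-----$" "$1" || true
}

# check_split <out.key> <out.crt>
# Exactly one private key and at least one certificate must have been
# written; anything else means the source .pem was not what we expected.
check_split() {
    keys=$(count_blocks "$1" "PRIVATE KEY")
    certs=$(count_blocks "$2" "CERTIFICATE")
    [ "$keys" -eq 1 ] || { echo "expected 1 private key, found $keys" >&2; return 1; }
    [ "$certs" -ge 1 ] || { echo "no certificate block found" >&2; return 1; }
    return 0
}

# first_cert_subject <out.crt>
# Prints the subject of the FIRST certificate in the bundle. It should be
# your CKS FQDN (the leaf), not an intermediate or root. Requires openssl.
first_cert_subject() {
    awk '/^-----BEGIN CERTIFICATE-----$/ { n++ }
         n == 1 { print }
         /^-----END CERTIFICATE-----$/ { if (n == 1) exit }' "$1" \
        | openssl x509 -noout -subject
}

# Typical use (paths assumed):
#   split_pem /var/virtru/cks/ssl/cks.pem /var/virtru/cks/ssl/cks.key /var/virtru/cks/ssl/cks.crt
#   check_split /var/virtru/cks/ssl/cks.key /var/virtru/cks/ssl/cks.crt && first_cert_subject /var/virtru/cks/ssl/cks.crt
```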
- Next, create a new shell script file called run.sh in the /var/virtru/cks directory:
nano run.sh
Enter the following contents in the new shell script so the container picks up the new CKS values.
For the CKS version in the run script, use the latest version listed in the release notes linked below:
Release Notes: Virtru Private Keystore (for Virtru Solutions) (Formerly Virtru Customer Key Server (CKS)
docker run \
--name Virtru_CKS \
--interactive --tty --detach \
--env-file /var/virtru/cks/env/cks.env \
-v /var/virtru/cks/keys/:/app/keys \
-v /var/virtru/cks/ssl/:/app/ssl \
-p 443:9000 \
--restart unless-stopped \
containers.virtru.com/cks:v<latestCKSVersion>
- Stop and remove all containers (note that these commands stop and remove every container on the host, not only the CKS ones):
docker stop $(docker ps -aq)
docker rm $(docker ps -aq)
- Run your run.sh script to create the new CKS container, running the latest version with the updated .env values:
sh run.sh
Validate your CKS Server
Check that your CKS container started successfully with the command below:
docker ps -a
View the logs from the container to confirm the process started successfully:
docker logs <containerID> -f