Deploying the Confidencial Key Server in your environment

Instantiating a database (DB) for the CKS

1. Instantiate a MySQL database to serve as the CKS DB. There are multiple options to host the CKS DB, including:
• An existing MySQL server
• A MySQL server running in a Docker container
• A MySQL server running in an AWS Relational Database Service (RDS) instance
ℹ️
The CKS DB instance must be accessible from the CKS web server, which you will configure in the subsequent sections of this document.

2. Once your CKS DB instance is running, create a database within the server. Do this by logging in to your MySQL DB server and executing the command below.

CREATE DATABASE dbname;

Replace dbname in the command above with the name you wish to use for the CKS DB

3. After the DB has been created, make sure you create a DB account that has full access to the database (the ability to create and alter tables and the ability to read data from and write data to tables). This can be done by executing the MySQL command below.

GRANT ALL PRIVILEGES ON dbname.* TO 'username'@'%';

Replace dbname with the DB name you assigned above and replace username with the user name of the DB account to which you want to grant full access

➡️

Next, Confidencial will provide you with a script to create the necessary tables and relationships in the database. This is referred to as a database migration. See

Running a database migration

Pulling the CKS image from Confidencial’s container registry

1. If not already installed, download the AWS command line tools

2. Obtain a token to access Confidencial’s container registry using the ID and secret provided by Confidencial. Replace <your key ID> and <your secret> in the shell commands below with the Confidencial-provided ID and secret, respectively. Execute the commands below.

export AWS_ACCESS_KEY_ID=<your key ID>
export AWS_SECRET_ACCESS_KEY=<your secret>
ECR_REPOSITORY_NAME=c11-opkss-private
AWS_ACCOUNT_URL=192115554401.dkr.ecr.us-west-1.amazonaws.com
REPOSITORY_URL=$AWS_ACCOUNT_URL/$ECR_REPOSITORY_NAME
aws ecr get-login-password --region us-west-1 | docker login --username AWS --password-stdin $AWS_ACCOUNT_URL
docker pull $REPOSITORY_URL:latest

Pushing the CKS to your container registry

1. Push the CKS container image to your container hosting environment. There are multiple options for hosting docker images, including:
• A Kubernetes cluster
• AWS’s Elastic Container Service (ECS)
• Within an AWS Elastic Compute Cloud (EC2) instance
ℹ️
If you are hosting your own AWS container registry (AWS ECR), see
⬆️
Pushing a container image to your AWS container registry for how to push the pulled key server image to your registry

2. Set the following environment variables for the CKS container. Replace <your DB URI>, <your DB port>, <your DB username>, <your DB password>, and <your DB name> with the values necessary to connect to the database instantiated above.

PORT=8000

JWT_AUDIENCE=<get from your IDP>       ; e.g. api://confidencial.io/opkss
JWT_ISSUER=<get from your IDP>         ; e.g. https://dev-02584710.okta.com/oauth2/default
JWKS_URI=<get from your IDP>           ; e.g. https://dev-02584710.okta.com/oauth2/default/v1/keys
JWT_TOKEN_ENDPOINT=<get from your IDP> ; e.g https://dev-02584710.okta.com/oauth2/default/v1/token
ENABLE_TOKEN_PROXY = true

KNEX_CLIENT = mysql2
KNEX_VERSION = 8.0
KNEX_HOST = <your DB URI> 
KNEX_PORT = <your DB port>
KNEX_USER = '<your DB username>'
KNEX_PASSWORD = '<your DB password>'
KNEX_DB_NAME = '<your DB name>'
KNEX_CHARSET = utf8mb4

⚠️
Note that values for KNEX_USER, KNEX_PASSWORD, and KNEX_DB_NAME are wrapped in single quotes. This is done to ensure that special characters and spaces are handled properly.

3. Launch the CKS container.

Configuring your container hosting environment to allow access to the CKS

1. Configure your container hosting environment to route inbound requests from port 443 (TLS) of an enterprise-accessible URI to port 8000 of the CKS web server container.