Deploying the Confidencial Key Server in your environment
These instructions cover how to provision the Confidencial Key Server (CKS) in your server hosting environment and include the following primary steps:
- Instantiating a database (DB) for the CKS
- Pulling the CKS image from Confidencial’s container registry
- Pushing the CKS to your container registry
- Configuring your container hosting environment to allow access to the CKS
- Instantiate a MySQL database to serve as the CKS DB. There are multiple options to host the CKS DB, including:
  - An existing MySQL server
  - A MySQL server running in a Docker container
  - A MySQL server running in an AWS Relational Database Service (RDS) instance
The CKS DB instance must be accessible from the CKS web server, which you will configure in the subsequent sections of this document.
- Once your CKS DB instance is running, create a database within the server. Do this by logging in to your MySQL DB server and executing the command below.
CREATE DATABASE dbname;
Replace dbname in the command above with the name you wish to use for the CKS DB.
- After the DB has been created, create a DB account that has full access to the database (the ability to create and alter tables, and to read data from and write data to tables). This can be done by executing the MySQL command below.
GRANT ALL PRIVILEGES ON dbname.* TO 'username'@'%';
Replace dbname with the DB name you assigned above, and replace username with the user name of the DB account to which you want to grant full access.
Next, Confidencial will provide you with a script to create the necessary tables and relationships in the database. This is referred to as a database migration. See Running a database migration.
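The database step above, as an added example that is not part of Confidencial's instructions: a small POSIX shell helper that renders the bootstrap SQL for the CKS database and its account so it can be piped into your MySQL client. The database name cks, the account cks_app, the host 10.0.1.20 and the password are hypothetical. Compared with the single GRANT shown above it issues CREATE USER explicitly (on MySQL 8 a GRANT does not create a missing account), binds the account to the CKS web server's address rather than '%' so the credentials are rejected from any other host, and sets utf8mb4 on the database to match the KNEX_CHARSET value configured later.

```shell
#!/bin/sh
# Added example, not part of Confidencial's instructions. Renders the SQL that
# creates the CKS database and a dedicated account for it; all names and the
# password used below are hypothetical. Pipe the output into your MySQL client.

# valid_ident NAME: succeed only if NAME consists of [A-Za-z0-9_], so it cannot
# break out of the quoting used in the statements below.
valid_ident() {
    case "$1" in
        ''|*[!A-Za-z0-9_]*) return 1 ;;
        *) return 0 ;;
    esac
}

# cks_db_bootstrap_sql DBNAME USERNAME HOST PASSWORD
# Prints the bootstrap statements on stdout; returns 1 and prints a reason on
# stderr if any argument is unacceptable.
cks_db_bootstrap_sql() {
    db=$1; user=$2; host=$3; pass=$4
    valid_ident "$db"   || { echo "invalid database name: $db" >&2; return 1; }
    valid_ident "$user" || { echo "invalid user name: $user" >&2; return 1; }
    [ -n "$host" ]      || { echo "host must not be empty" >&2; return 1; }
    [ "${#pass}" -ge 16 ] || { echo "password must be at least 16 characters" >&2; return 1; }
    # Escape the password for a MySQL single-quoted string literal:
    # backslashes are doubled, embedded single quotes are doubled.
    esc_pass=$(printf '%s' "$pass" | sed -e 's/\\/\\\\/g' -e "s/'/''/g")
    cat <<EOF
-- CREATE USER is explicit: on MySQL 8 a GRANT does not create a missing account.
-- Binding the account to HOST (the CKS web server) instead of '%' means the
-- credentials are rejected from any other address.
CREATE DATABASE IF NOT EXISTS \`$db\` CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci;
CREATE USER IF NOT EXISTS '$user'@'$host' IDENTIFIED BY '$esc_pass';
GRANT ALL PRIVILEGES ON \`$db\`.* TO '$user'@'$host';
FLUSH PRIVILEGES;
EOF
}

# Usage with hypothetical values (the password is taken from an environment
# variable rather than typed inline so it does not land in shell history):
#   cks_db_bootstrap_sql cks cks_app 10.0.1.20 "$CKS_DB_PASSWORD" | mysql -u root -p
```

The host argument is the address the CKS web server connects from; if the DB runs in RDS or another managed service, use the web server's address as seen by the database, not its public name.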
- If not already installed, install the AWS Command Line Interface (AWS CLI).
- Obtain a token to access Confidencial’s container registry using the ID and secret provided by Confidencial. Replace <your key ID> and <your secret> in the shell commands below with the Confidencial-provided ID and secret, respectively, then execute the commands.
export AWS_ACCESS_KEY_ID=<your key ID>
export AWS_SECRET_ACCESS_KEY=<your secret>
ECR_REPOSITORY_NAME=c11-opkss-private
AWS_ACCOUNT_URL=192115554401.dkr.ecr.us-west-1.amazonaws.com
REPOSITORY_URL=$AWS_ACCOUNT_URL/$ECR_REPOSITORY_NAME
aws ecr get-login-password --region us-west-1 | docker login --username AWS --password-stdin $AWS_ACCOUNT_URL
docker pull $REPOSITORY_URL:latest
Executing the commands above pulls the CKS Docker image onto the machine where you ran them. You will now push this image to your preferred container hosting environment (described in the next section).
- Push the CKS container image to your container hosting environment. There are multiple options for hosting Docker images, including:
  - A Kubernetes cluster
  - Within an AWS Elastic Compute Cloud (EC2) instance
If you are hosting your own AWS container registry (AWS ECR), see Pushing a container image to your AWS container registry for how to push the pulled key server image to your registry.
- Set the following environment variables for the CKS container. Replace <your DB URI>, <your DB port>, <your DB username>, <your DB password>, and <your DB name> with the values necessary to connect to the database instantiated above, and obtain the <get from your IDP> values from your identity provider (IdP).
PORT=8000
JWT_AUDIENCE=<get from your IDP>        (e.g. api://confidencial.io/opkss)
JWT_ISSUER=<get from your IDP>          (e.g. https://dev-02584710.okta.com/oauth2/default)
JWKS_URI=<get from your IDP>            (e.g. https://dev-02584710.okta.com/oauth2/default/v1/keys)
JWT_TOKEN_ENDPOINT=<get from your IDP>  (e.g. https://dev-02584710.okta.com/oauth2/default/v1/token)
ENABLE_TOKEN_PROXY=true
KNEX_CLIENT=mysql2
KNEX_VERSION=8.0
KNEX_HOST=<your DB URI>
KNEX_PORT=<your DB port>
KNEX_USER='<your DB username>'
KNEX_PASSWORD='<your DB password>'
KNEX_DB_NAME='<your DB name>'
KNEX_CHARSET=utf8mb4
Note that the values for KNEX_USER, KNEX_PASSWORD and KNEX_DB_NAME are wrapped in single quotes. This is done to ensure that special characters and spaces are handled properly.
- Launch the CKS container.
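The variable setup and launch steps above, as an added example that is not Confidencial's code: a POSIX shell script that checks a CKS env file before the container is started and then launches it with the checked values. The file name cks.env, the idp.example.com and cks-db.internal.example.com hosts and the other sample values are hypothetical; the env file is assumed to be in shell KEY=value form, with the single quotes the instructions use, so that it can be sourced. The checks catch the mistakes that otherwise only surface at first login: a <...> placeholder left in place, an IdP endpoint that is not served over TLS, and a PORT that does not match the 443 to 8000 routing configured in the next step.

```shell
#!/bin/sh
# Added example, not Confidencial's code. Validates a CKS env file before the
# container is launched, then launches it with the checked values. The file
# name, the image reference and the sample values are hypothetical; the file
# is assumed to be in shell KEY=value form (single-quoted values where the
# instructions quote them) so that it can also be sourced.

REQUIRED_VARS="PORT JWT_AUDIENCE JWT_ISSUER JWKS_URI JWT_TOKEN_ENDPOINT \
ENABLE_TOKEN_PROXY KNEX_CLIENT KNEX_VERSION KNEX_HOST KNEX_PORT KNEX_USER \
KNEX_PASSWORD KNEX_DB_NAME KNEX_CHARSET"

# env_value FILE NAME: print NAME's value from FILE with surrounding single
# quotes removed; prints nothing if NAME is absent.
env_value() {
    sed -n "s/^$2=//p" "$1" | head -n 1 | sed "s/^'\(.*\)'$/\1/"
}

# check_cks_env FILE: 0 if every check passes, 1 otherwise. Checks: all listed
# variables present and non-empty, no "<...>" placeholder left over from the
# instructions, IdP endpoints served over https, PORT matching the 443 -> 8000
# routing configured for the hosting environment.
check_cks_env() {
    file=$1; rc=0
    for name in $REQUIRED_VARS; do
        val=$(env_value "$file" "$name")
        if [ -z "$val" ]; then
            echo "$name: missing or empty" >&2; rc=1
        else
            case "$val" in
                *\<*\>*) echo "$name: still a placeholder ($val)" >&2; rc=1 ;;
            esac
        fi
    done
    for name in JWT_ISSUER JWKS_URI JWT_TOKEN_ENDPOINT; do
        case "$(env_value "$file" "$name")" in
            https://*) ;;
            *) echo "$name: must be an https URL" >&2; rc=1 ;;
        esac
    done
    [ "$(env_value "$file" PORT)" = "8000" ] || { echo "PORT: expected 8000" >&2; rc=1; }
    return $rc
}

# write_sample_env FILE: constructed sample values for a dry run (no IdP or
# database is contacted). The idp.example.com and cks-db hosts are made up.
write_sample_env() {
    cat > "$1" <<'EOF'
PORT=8000
JWT_AUDIENCE=api://confidencial.io/opkss
JWT_ISSUER=https://idp.example.com/oauth2/default
JWKS_URI=https://idp.example.com/oauth2/default/v1/keys
JWT_TOKEN_ENDPOINT=https://idp.example.com/oauth2/default/v1/token
ENABLE_TOKEN_PROXY=true
KNEX_CLIENT=mysql2
KNEX_VERSION=8.0
KNEX_HOST=cks-db.internal.example.com
KNEX_PORT=3306
KNEX_USER='cks_app'
KNEX_PASSWORD='correct horse battery staple'
KNEX_DB_NAME='cks db'
KNEX_CHARSET=utf8mb4
EOF
}

# launch_cks FILE IMAGE: refuse to start the container unless FILE passes the
# checks. The variables are exported by sourcing the file and handed to docker
# as "-e NAME" (value taken from the environment), so no secret appears on the
# docker command line or in shell history.
launch_cks() {
    check_cks_env "$1" || { echo "refusing to launch: fix $1 first" >&2; return 1; }
    case "$1" in */*) f=$1 ;; *) f=./$1 ;; esac
    set -a; . "$f"; set +a
    flags=""
    for name in $REQUIRED_VARS; do flags="$flags -e $name"; done
    # $flags is intentionally unquoted: it is a list of "-e NAME" words.
    docker run -d --name cks --restart unless-stopped $flags -p 8000:8000 "$2"
}

# Usage (hypothetical file name; image reference as pulled earlier):
#   launch_cks cks.env 192115554401.dkr.ecr.us-west-1.amazonaws.com/c11-opkss-private:latest
```

Run check_cks_env on its own whenever the env file changes; launch_cks calls it first and exits without starting anything if a check fails, so a placeholder or a plain-http issuer never reaches a running key server.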
While users in your enterprise need to be able to reach the CKS web server (port 443) from their client machines, users do not need direct access to the CKS DB. The CKS DB need only be accessible from the CKS web server.
You may choose to make the CKS web server available outside your enterprise’s firewall. This permits users to use Confidencial from external networks without the use of a VPN. However, doing so increases the exposure of the CKS, making it more susceptible to attack.
- Configure your container hosting environment to route inbound requests from port 443 (TLS) of an enterprise-accessible URI to port 8000 of the CKS web server container.
Configuring an AWS Elastic Container Service (ECS) instance
This completes your portion of the CKS setup. Confidencial will ask you to provide the URI of the CKS web server to complete the deployment.