Announcing IBM Cloud Hyper Protect Crypto Services protected routes in Red Hat OpenShift on IBM Cloud with the IBM Cloud HPCS Router Operator.
By default, Red Hat OpenShift on IBM Cloud provides the OpenShift Ingress controller and OpenShift routes to expose the services running in your cluster. To secure OpenShift routes with TLS, you need to configure a server certificate and the corresponding private key in the route data. In some use cases this exposure of the private key is undesirable, because route data is not considered a secure place to store sensitive material.
In order to achieve a more secure TLS configuration for routes, Red Hat OpenShift on IBM Cloud provides an alternative router solution — the IBM Cloud HPCS Router and the corresponding router manager, the IBM Cloud HPCS Router Operator.
What is IBM Cloud Hyper Protect Crypto Services?
IBM Cloud Hyper Protect Crypto Services is a key management service backed by hardware security modules (HSM) built on FIPS 140-2 Level 4-certified hardware. IBM Cloud Hyper Protect Crypto Services provides a set of Enterprise PKCS #11 over gRPC (GREP11) APIs, with which all the cryptographic functions are executed in the cloud HSM of Hyper Protect Crypto Services.
One of the prominent use cases of the IBM Cloud Hyper Protect Crypto Services is to offload the cryptographic operations that are performed by a web server during the TLS session establishment, while keeping the TLS/SSL private key securely stored in the dedicated HSM. The IBM Cloud HPCS Router is configured to use this feature by accessing a private key that is stored in an IBM Cloud Hyper Protect Crypto Services instance.
How does it work?
IBM is pleased to announce a new Router — the IBM Cloud HPCS Router — that provides Hyper Protect Crypto TLS Offload for Red Hat OpenShift on IBM Cloud.
The IBM Cloud HPCS Router is based on the default OpenShift Router but is enhanced with an IBM Cloud-specific OpenSSL engine. The OpenSSL engine uses the IBM Cloud Hyper Protect Crypto Services GREP11 API during TLS session establishment. Whenever an operation of the TLS session establishment requires the server-side private key, the OpenSSL engine uses the GREP11 API to execute that operation in your IBM Cloud Hyper Protect Crypto Services instance.
You do not have to add the real private key to a route configuration with this solution. Instead, you add only a reference to the private key in the route configuration, while the private key is kept safe in your IBM Cloud Hyper Protect Crypto Services instance.
There is another challenge regarding private TLS keys — to obtain a matching certificate and private key pair, the private key in the IBM Cloud Hyper Protect Crypto Services instance must be used to sign the Certificate Signing Request (CSR). The CSR is sent to a certificate authority to obtain the certificates that can be configured on routes.
For this purpose, the IBM Cloud HPCS Router solution can generate a CSR based on certificate parameters that you configure and sign the CSR with the private key in IBM Cloud Hyper Protect Crypto Services.
To get started, you can enable the IBM Cloud HPCS Router Operator cluster add-on in Red Hat OpenShift on IBM Cloud clusters that run OpenShift version 4.5.
You can enable the add-on in the console or CLI. In the IBM Cloud OpenShift Service console, click your cluster and click the Add-ons tab. On the IBM Cloud HPCS Router Operator card, click Install.
From the IBM Cloud CLI, run the following command:
The add-on creates a new OpenShift OperatorHub Catalog Source, and as a result a new Provider Type appears in the OperatorHub.
You can then install the IBM Cloud HPCS Router Operator from the OperatorHub.
Next, to use the IBM Cloud HPCS Router Operator to create a new IBM Cloud HPCS Router, you create a custom resource instance of the HPCSIngressController custom resource definition.
After the new IBM Cloud HPCS Router is created, you might want the IBM Cloud HPCS Router to process some of your routes and your cluster's default router to process other routes. You can use standard OpenShift Ingress Controller sharding to define which route should be processed by which router. You can define route labels in the HPCSIngressController custom resources, as well as in the default IngressController custom resources.
To configure secure routes for your new IBM Cloud HPCS Routers, you need a certificate and the corresponding private key reference that you can add to the route definition. To obtain a certificate, you create a Certificate Signing Request (CSR) that includes the public key and is signed with your private key that is stored in your IBM Cloud Hyper Protect Crypto Services instance. This process requires a tool that can do the following:
- Generate a public-private key pair with the relevant GREP11 API and get the private key reference for you.
- Generate a CSR that includes your new public key.
- Sign the CSR with the private key that is stored in your IBM Cloud Hyper Protect Crypto Services instance.
The IBM Cloud HPCS Router Operator solution provides this tool for you through a Certificate API. When you create a new Certificate resource, the IBM Cloud HPCS Router Operator solution completes the tasks listed above. As a result, the following are created in a Kubernetes Secret:
- A CSR that you can send to your certificate authority to obtain a route certificate.
- The private key reference that points to a new private key in your IBM Cloud Hyper Protect Crypto Services instance.
- The public key.
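As an added illustration (not code from the operator or from IBM), the Go program below models the key-reference workflow described above: a crypto.Signer whose callers see only a key reference and a public key, a CSR built through that signer, and the check a practitioner should run on the CSR taken from the Secret before sending it to a certificate authority. It assumes an ECDSA P-256 key; the HSM-backed signer is a local stand-in, so no GREP11 call is made, and the names hsmSigner, NewStandInSigner, BuildCSR and VerifyCSR are hypothetical.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"errors"
	"io"
)

// hsmSigner is a crypto.Signer modelled after a key the caller only references.
type hsmSigner struct {
	KeyRef            string // what goes into the Secret and the route, not the key itself
	*ecdsa.PrivateKey        // constructed stand-in; with a real HSM the key never leaves the device
}

// NewStandInSigner generates the pair locally; the real step is a GREP11 key-generation call.
func NewStandInSigner(keyRef string) (*hsmSigner, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	return &hsmSigner{KeyRef: keyRef, PrivateKey: priv}, err
}

// Sign is the one step needing the private key (a GREP11 call naming s.KeyRef with the router).
func (s *hsmSigner) Sign(r io.Reader, digest []byte, _ crypto.SignerOpts) ([]byte, error) {
	return ecdsa.SignASN1(r, s.PrivateKey, digest)
}

// BuildCSR makes a DER CSR for host via any crypto.Signer: only Public() and Sign() are used.
func BuildCSR(host string, signer crypto.Signer) ([]byte, error) {
	tmpl := &x509.CertificateRequest{DNSNames: []string{host}}
	return x509.CreateCertificateRequest(rand.Reader, tmpl, signer)
}

// VerifyCSR is the check to run on the CSR from the Secret before it goes to a CA: the
// self-signature must verify and the embedded public key must match the key reference's.
func VerifyCSR(csrDER []byte, expectedPub crypto.PublicKey) error {
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil {
		return err
	}
	if err := csr.CheckSignature(); err != nil {
		return err
	}
	if pub, ok := expectedPub.(*ecdsa.PublicKey); !ok || !pub.Equal(csr.PublicKey) {
		return errors.New("CSR public key does not match the key reference's public key")
	}
	return nil
}
```

A valid self-signature proves the Sign step really used the key behind the reference, and the public-key comparison guards against pairing a certificate with the wrong reference on a route.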
You can use the certificate that you get from your certificate authority and the private key reference to configure a secure route for your IBM Cloud HPCS Router instances.
For detailed information about the usage of this feature, check out the official documentation.