If you want to deploy your application on an Elastic Compute Service (ECS) instance
or in a Container Service for Kubernetes (ACK) cluster, you can use Dedicated KMS
to encrypt data during the deployment of the application. This topic describes how
to use Dedicated Key Management Service (KMS) to encrypt data when you deploy your
application by using an image.
Deploy an application on an ECS instance
In this example, a Linux operating system is used, and a Java application is deployed.
Prerequisites
A dedicated KMS instance is purchased. An application access point (AAP) is created
for the dedicated KMS instance. The client key file is downloaded and saved. The certificate
authority (CA) certificate of the dedicated KMS instance is obtained. For more information,
see Getting started with Dedicated KMS of the Standard edition.
Note By default, the downloaded client key file is named in the ClientKey_******.json format.
Procedure
- Purchase an ECS instance based on which you want to create a custom image. For more
information, see Quick start for Linux instances.
- Install the CA certificate of the dedicated KMS instance on the ECS instance.
Note If you want to deploy a non-Java application, you do not need to install the CA certificate
into a trust store. You only need to save the CA certificate to the specified configuration
directory of the application.
- Split the CA certificate into two files.
The CA certificate file contains two certificates. Each certificate starts with -----BEGIN CERTIFICATE-----
and ends with -----END CERTIFICATE-----. Save the first certificate as rootca.pem and the second
certificate as subca.pem.
- Run the following command to install OpenJDK:
In this example, java-1.8.0-openjdk is installed. You can select a different version
of OpenJDK based on your business requirements.
yum install java-1.8.0-openjdk -y
- Import the two files into the $JAVA_HOME/jre/lib/security/cacerts keystore by using keytool commands.
- Import file 1, rootca.pem:
keytool -importcert -alias PrivateKmsCA_RootCA -keystore $JAVA_HOME/jre/lib/security/cacerts -storepass changeit -file rootca.pem
- Import file 2, subca.pem:
keytool -importcert -alias PrivateKmsCA_SubCA -keystore $JAVA_HOME/jre/lib/security/cacerts -storepass changeit -file subca.pem
- Run the following code to check whether the CA certificate is installed:
import java.net.URL;
// Opening a TLS connection to the dedicated KMS endpoint exercises the imported CA chain.
URL serviceUrl = new URL("https://<service_id>.cryptoservice.kms.aliyuncs.com");
serviceUrl.openConnection().connect();
Note If javax.net.ssl.SSLHandshakeException is not thrown, the CA certificate is installed.
- Upload the client key file to the specified configuration directory of the application,
and use an environment variable of the application to configure the password of the
AAP.
- Create a custom image. For more information, see Create a custom image on the Images page.
You must select the ECS instance on which the CA certificate is installed for Instance. After the custom image is created, you can view the custom image on the Images page.
Deploy an application in an ACK cluster
In this example, a CentOS 7.1 operating system is used, and a Java application is
deployed.
Prerequisites
- A dedicated KMS instance is purchased. An AAP is created for the dedicated KMS instance.
The client key file is downloaded and saved. The CA certificate of the dedicated KMS
instance is obtained. For more information, see Getting started with Dedicated KMS of the Standard edition.
Note By default, the downloaded client key file is named in the ClientKey_******.json format.
- ACK is activated and authorized to access other cloud resources. An ACK cluster is
created. For more information, see Getting started with ACK using the ACK console.
- Docker is installed. For more information, see Install Docker.
Procedure
- Save the CA certificate in the working directory of the Docker image that you want
to create.
Note If you want to deploy a non-Java application, you do not need to split the CA certificate.
You only need to save the CA certificate to the specified configuration directory
of the application.
- Split the CA certificate into two files.
The CA certificate file contains two certificates. Each certificate starts with -----BEGIN CERTIFICATE-----
and ends with -----END CERTIFICATE-----. Save the first certificate as rootca.pem and the second
certificate as subca.pem.
- Create the working directory of the Docker image and create the cacerts subdirectory
in the working directory.
- Save the files rootca.pem and subca.pem in the cacerts subdirectory.
- Create a Dockerfile in the working directory of the Docker image and add the following
content to the Dockerfile:
# Replace {regionId} with the ID of the region in which the dedicated KMS instance resides.
FROM alibaba-cloud-linux-3-registry.{regionId}.cr.aliyuncs.com/alinux3/alinux3
# If you want to deploy a non-Java application, copy the split CA certificate files to the configuration directory of the application.
COPY ./cacerts/rootca.pem /etc/dkms/certs/
COPY ./cacerts/subca.pem /etc/dkms/certs/
# Copy the client key file to the specified directory.
COPY ./cacerts/ClientKey_xxxxxxxxxxx.json /etc/dkms/certs/
RUN dnf -y update && \
    dnf install findutils -y && \
    dnf clean all && \
    yum install java-1.8.0-openjdk -y && \
    yum clean all
# Import both CA certificates into the JRE trust store, then remove the PEM copies from the image.
RUN export JRE_HOME=$(find "/usr/lib/jvm" -type d -name "jre") && \
    keytool -importcert -alias PrivateKmsCA_RootCA -keystore $JRE_HOME/lib/security/cacerts -storepass changeit -file /etc/dkms/certs/rootca.pem -noprompt && \
    keytool -importcert -alias PrivateKmsCA_SubCA -keystore $JRE_HOME/lib/security/cacerts -storepass changeit -file /etc/dkms/certs/subca.pem -noprompt && \
    rm -f /etc/dkms/certs/rootca.pem && \
    rm -f /etc/dkms/certs/subca.pem
- Run the following command to build the Docker image:
You can use this image as the base image on which the application depends.
docker build -t dkmsca:v1 .
- In the Container Registry console, create a namespace and an image repository. For
more information, see Use Container Registry Enterprise Edition instances to build images.
- Run the following commands to push the Docker image to the image repository that you created:
In the following code, the namespace is dkms and the image repository is dkmsca. You
can modify the code based on your business requirements.
docker login --username=xxxxxxx {instanceId}-registry.{regionId}.cr.aliyuncs.com
docker tag dkmsca:v1 {instanceId}-registry.{regionId}.cr.aliyuncs.com/dkms/dkmsca:v1
docker push {instanceId}-registry.{regionId}.cr.aliyuncs.com/dkms/dkmsca:v1
- Use a Secret to store the password of the AAP in the ACK cluster. Your application
uses the Secret as an environment variable or data volume. For more information, see
Configure a pod to use a Secret.
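The certificate-splitting and keytool-import steps are shared by both procedures above (the ECS instance steps and the RUN keytool lines in the ACK Dockerfile). The following shell script is an added example, not Alibaba Cloud's own tooling: it assumes a POSIX shell with awk, the import function assumes JAVA_HOME and keytool are available, and the two-block sample bundle is constructed, so only the split is exercised when the script runs.

```shell
# Added example, not part of the Alibaba Cloud documentation: split the dedicated
# KMS CA certificate file into rootca.pem and subca.pem (the first and second
# PEM blocks) and import both into the JRE cacerts keystore with the aliases
# used in the procedures. The sample bundle below is constructed, not a real chain.

split_ca_bundle() {
  # $1 = combined CA certificate file, $2 = output directory
  bundle="$1"
  outdir="$2"
  mkdir -p "$outdir"
  # Block 1 -> rootca.pem, block 2 -> subca.pem, any further block -> extraN.pem
  awk -v dir="$outdir" '
    /-----BEGIN CERTIFICATE-----/ {
      n++
      name = (n == 1) ? "rootca" : (n == 2) ? "subca" : "extra" n
      f = dir "/" name ".pem"
    }
    n > 0 { print > f }
    /-----END CERTIFICATE-----/ { close(f) }
  ' "$bundle"
  # Report how many certificate blocks were found; the documented file has exactly 2
  grep -c -- "-----BEGIN CERTIFICATE-----" "$bundle"
}

import_into_cacerts() {
  # $1 = directory holding rootca.pem and subca.pem; needs keytool and JAVA_HOME
  keystore="${JAVA_HOME:?set JAVA_HOME first}/jre/lib/security/cacerts"
  keytool -importcert -noprompt -alias PrivateKmsCA_RootCA -keystore "$keystore" \
    -storepass changeit -file "$1/rootca.pem"
  keytool -importcert -noprompt -alias PrivateKmsCA_SubCA -keystore "$keystore" \
    -storepass changeit -file "$1/subca.pem"
  # Confirm both aliases are now present in the keystore (non-zero exit if not)
  keytool -list -keystore "$keystore" -storepass changeit -alias PrivateKmsCA_RootCA >/dev/null
  keytool -list -keystore "$keystore" -storepass changeit -alias PrivateKmsCA_SubCA >/dev/null
}

# Constructed two-block bundle standing in for the downloaded CA certificate file
WORK="$(mktemp -d)"
cat > "$WORK/ca.pem" <<'EOF'
-----BEGIN CERTIFICATE-----
ROOTCAPLACEHOLDER
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
SUBCAPLACEHOLDER
-----END CERTIFICATE-----
EOF
CERT_COUNT="$(split_ca_bundle "$WORK/ca.pem" "$WORK/certs")"
echo "certificate blocks found: $CERT_COUNT"
```

After splitting a real CA file, call import_into_cacerts with the output directory on a host where JAVA_HOME points at the JDK; a count other than 2 means the downloaded file is not the two-certificate chain the procedures expect.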