If you want to deploy your application on an Elastic Compute Service (ECS) instance or in a Container Service for Kubernetes (ACK) cluster, you can use Dedicated Key Management Service (KMS) to encrypt data during the deployment of the application. This topic describes how to use Dedicated KMS to encrypt data when you deploy your application by using an image.
Deploy an application on an ECS instance
In this example, a Linux operating system is used, and a Java application is deployed.
Prerequisites
A dedicated KMS instance is purchased. An application access point (AAP) is created for the dedicated KMS instance. The client key file is downloaded and saved. The certificate authority (CA) certificate of the dedicated KMS instance is obtained. For more information, see Connect applications to the dedicated KMS instance of the Standard edition.
By default, the downloaded client key file is named in the ClientKey_******.json format.
Procedure
Purchase an ECS instance based on which you want to create a custom image. For more information, see Get started with Linux instances.
Install the CA certificate of the dedicated KMS instance on the ECS instance.
Note: If you want to deploy a non-Java application, you do not need to install the CA certificate. You only need to save the CA certificate to the specified configuration directory of the application.
Split the CA certificate into two files.
The CA certificate file contains two certificates, each of which starts with -----BEGIN CERTIFICATE----- and ends with -----END CERTIFICATE-----. Save the first certificate as rootca.pem and the second as subca.pem.
File 1: rootca.pem
    -----BEGIN CERTIFICATE-----
    <Root CA Certificate BASE64 Content>
    -----END CERTIFICATE-----
File 2: subca.pem
    -----BEGIN CERTIFICATE-----
    <Sub CA Certificate BASE64 Content>
    -----END CERTIFICATE-----
Run the following command to install OpenJDK.
In this example, java-1.8.0-openjdk is installed. You can select a different version of OpenJDK based on your business requirements.
    yum install java-1.8.0-openjdk -y
Import the two files into the $JAVA_HOME/jre/lib/security/cacerts truststore (a keystore file, not a directory) by using keytool commands. The password changeit is the JDK default for this truststore.
Import File 1 rootca.pem
    keytool -importcert -alias PrivateKmsCA_RootCA -keystore $JAVA_HOME/jre/lib/security/cacerts -storepass changeit -file rootca.pem
Import File 2 subca.pem
    keytool -importcert -alias PrivateKmsCA_SubCA -keystore $JAVA_HOME/jre/lib/security/cacerts -storepass changeit -file subca.pem
Run the following Java code to check whether the CA certificate is installed:
    URL serviceUrl = new URL("https://<service_id>.cryptoservice.kms.aliyuncs.com");
    serviceUrl.openConnection().connect();
Note: If javax.net.ssl.SSLHandshakeException is not reported, the CA certificate is installed.
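The split, import and verification steps above, carried out by one added shell script. This script is not from the Alibaba Cloud documentation: it splits the downloaded CA bundle into rootca.pem and subca.pem, imports both into the JRE truststore under the alias names this page uses, and confirms that both aliases are present. The sample bundle it writes is constructed dummy text, not a real certificate; the directory /etc/dkms/certs is taken from the Dockerfile later on this page and is only an example location.

```shell
#!/bin/sh
# Added example, not from the Alibaba Cloud documentation.
# Splits a dedicated KMS CA bundle into rootca.pem and subca.pem, imports both
# into a JRE truststore (aliases PrivateKmsCA_RootCA / PrivateKmsCA_SubCA as on
# the page) and checks the import. The sample bundle is constructed dummy data.

# Write a two-certificate PEM bundle with placeholder bodies (constructed sample input,
# for testing the split only; use the bundle downloaded from the KMS console for real).
write_sample_bundle() {
  cat > "$1" <<'EOF'
-----BEGIN CERTIFICATE-----
MIIROOTCADUMMYROOTCADUMMYROOTCADUMMY
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIISUBCADUMMYSUBCADUMMYSUBCADUMMY
-----END CERTIFICATE-----
EOF
}

# Count PEM certificate blocks in a file; prints 0 for a file that has none.
count_certs() {
  grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
}

# Split the bundle: the first certificate goes to $2/rootca.pem, the second to
# $2/subca.pem. Prints the number of certificates found; anything other than 2
# means the bundle is not the root + sub CA pair this page expects.
split_ca_bundle() {
  bundle="$1"; outdir="$2"
  mkdir -p "$outdir"
  awk -v out="$outdir" '
    /-----BEGIN CERTIFICATE-----/ { n++; file = out "/" (n == 1 ? "rootca.pem" : "subca.pem") }
    n > 0 && n <= 2 { print > file }
    /-----END CERTIFICATE-----/ { close(file) }
  ' "$bundle"
  count_certs "$bundle"
}

# Import both files into the given cacerts truststore (JDK 8 layout:
# $JAVA_HOME/jre/lib/security/cacerts). keytool ships with the JDK, so this
# only works once OpenJDK is installed. -noprompt skips the interactive "Trust this
# certificate?" question, as in the page's Dockerfile.
import_into_truststore() {
  cacerts="$1"; certdir="$2"
  keytool -importcert -noprompt -alias PrivateKmsCA_RootCA -keystore "$cacerts" -storepass changeit -file "$certdir/rootca.pem"
  keytool -importcert -noprompt -alias PrivateKmsCA_SubCA  -keystore "$cacerts" -storepass changeit -file "$certdir/subca.pem"
}

# Exit status 0 when both aliases are present in the truststore.
truststore_has_dkms_ca() {
  keytool -list -keystore "$1" -storepass changeit -alias PrivateKmsCA_RootCA >/dev/null 2>&1 &&
  keytool -list -keystore "$1" -storepass changeit -alias PrivateKmsCA_SubCA >/dev/null 2>&1
}

# Typical run on the ECS instance (the path /etc/dkms/certs is an assumed example location):
#   split_ca_bundle /path/to/downloaded-ca.pem /etc/dkms/certs
#   import_into_truststore "$JAVA_HOME/jre/lib/security/cacerts" /etc/dkms/certs
#   truststore_has_dkms_ca "$JAVA_HOME/jre/lib/security/cacerts" && echo "dedicated KMS CA installed"
```

Checking the count returned by split_ca_bundle before importing catches a bundle that was downloaded incomplete or that contains extra certificates; importing only the two expected CAs keeps the truststore change minimal.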
Upload the client key file to the specified configuration directory of the application and configure the password of the client key file in the environment variable of the application. The method that is used to configure environment variables varies based on the operating system. For more information, see Configure environment variables in Linux, macOS, and Windows.
Create a custom image. For more information, see Create a custom image from an instance.
You must select the ECS instance on which the CA certificate is installed for Instance. After the custom image is created, you can view the custom image on the Images page.
Deploy an application in an ACK cluster
In this example, a CentOS 7.1 operating system is used, and a Java application is deployed.
Prerequisites
A dedicated KMS instance is purchased. An AAP is created for the dedicated KMS instance. The client key file is downloaded and saved. The CA certificate of the dedicated KMS instance is obtained. For more information, see Connect applications to the dedicated KMS instance of the Standard edition.
Note: By default, the downloaded client key file is named in the ClientKey_******.json format.
ACK is activated and authorized to access other cloud resources. An ACK cluster is created. For more information, see Use the ACK console to deploy a magic cube game.
Docker is installed. For more information, see Install Docker.
Procedure
Save the CA certificate in the working directory of the Docker image that you want to create.
Note: If you want to deploy a non-Java application, you do not need to split the CA certificate. You only need to save the CA certificate to the specified configuration directory of the application.
Split the CA certificate into two files.
The CA certificate file contains two certificates, each of which starts with -----BEGIN CERTIFICATE----- and ends with -----END CERTIFICATE-----. Save the first certificate as rootca.pem and the second as subca.pem.
File 1: rootca.pem
    -----BEGIN CERTIFICATE-----
    <Root CA Certificate BASE64 Content>
    -----END CERTIFICATE-----
File 2: subca.pem
    -----BEGIN CERTIFICATE-----
    <Sub CA Certificate BASE64 Content>
    -----END CERTIFICATE-----
Create the working directory of the Docker image and create the cacerts subdirectory in the working directory.
Save the rootca.pem and subca.pem files in the cacerts subdirectory.
Create a file named Dockerfile in the working directory of the Docker image and add the following content to the file:
    ## Replace {regionId} with the ID of the region where the dedicated KMS instance resides.
    FROM alibaba-cloud-linux-3-registry.{regionId}.cr.aliyuncs.com/alinux3/alinux3
    ## If you want to deploy a non-Java application, copy the extracted files of the CA certificate to the specified directory.
    COPY ./cacerts/rootca.pem /etc/dkms/certs/
    COPY ./cacerts/subca.pem /etc/dkms/certs/
    ## Copy the client key file to the specified directory.
    COPY ./cacerts/ClientKey_xxxxxxxxxxx.json /etc/dkms/certs/
    RUN dnf -y update && \
        dnf install findutils -y && \
        dnf clean all && \
        yum install java-1.8.0-openjdk -y && \
        yum clean all
    RUN export JRE_HOME=$(find "/usr/lib/jvm" -type d -name "jre") && \
        keytool -importcert -alias PrivateKmsCA_RootCA -keystore $JRE_HOME/lib/security/cacerts -storepass changeit -file /etc/dkms/certs/rootca.pem -noprompt && \
        keytool -importcert -alias PrivateKmsCA_SubCA -keystore $JRE_HOME/lib/security/cacerts -storepass changeit -file /etc/dkms/certs/subca.pem -noprompt && \
        rm -f /etc/dkms/certs/rootca.pem && \
        rm -f /etc/dkms/certs/subca.pem
Run the following command to create a Docker image.
You can use the image as the dependent base image of the application.
    docker build -t dkmsca:v1 .
In the Container Registry console, create a namespace and an image repository. For more information, see Use Container Registry Enterprise Edition instances to build images.
Run the following commands to push the Docker image to the image repository that you created.
In the following commands, the namespace is dkms and the image repository is dkmsca. You can modify the commands based on your business requirements.
    docker login --username=xxxxxxx {instanceId}-registry.{regionId}.cr.aliyuncs.com
    docker tag dkmsca:v1 {instanceId}-registry.{regionId}.cr.aliyuncs.com/dkms/dkmsca:v1
    docker push {instanceId}-registry.{regionId}.cr.aliyuncs.com/dkms/dkmsca:v1
Use a Secret to store the password of the client key file in the ACK cluster. Your application uses the Secret as an environment variable or data volume. For more information, see Configure a pod to use a Secret.
The method that is used to configure environment variables varies based on the operating system. For more information, see Configure environment variables in Linux, macOS, and Windows.
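The Secret step above, as an added shell example that is not from the Alibaba Cloud documentation. It creates one Secret holding both the client key file and its password, and renders a Pod spec that hands the password to the application as an environment variable and the key file as a read-only mounted file. The Secret name dkms-client-key, the environment variable name DKMS_CLIENT_KEY_PASSWORD and the Pod name dkms-app are assumptions (the page names none of these); the mount directory /etc/dkms/certs is the one used by the page's Dockerfile, and the image reference is the one pushed in the previous step.

```shell
#!/bin/sh
# Added example, not from the Alibaba Cloud documentation.
# Assumed names (pick your own): Secret "dkms-client-key", env var
# DKMS_CLIENT_KEY_PASSWORD, Pod "dkms-app". The mount path /etc/dkms/certs is the
# directory the page's Dockerfile copies the client key into.

# Create the Secret from the downloaded client key file and a file that holds its
# password. Reading the password from a file (rather than a command-line argument)
# keeps it out of shell history and process listings.
create_dkms_secret() {
  keyfile="$1"; passfile="$2"
  kubectl create secret generic dkms-client-key \
    --from-file=ClientKey.json="$keyfile" \
    --from-file=password="$passfile"
}

# Render a Pod spec that consumes the Secret two ways: the password as an
# environment variable, the client key as a read-only file. $1 is the image
# reference pushed in the previous step.
render_pod_manifest() {
  image="$1"
  cat <<EOF
apiVersion: v1
kind: Pod
metadata:
  name: dkms-app
spec:
  containers:
  - name: app
    image: ${image}
    env:
    - name: DKMS_CLIENT_KEY_PASSWORD
      valueFrom:
        secretKeyRef:
          name: dkms-client-key
          key: password
    volumeMounts:
    - name: client-key
      mountPath: /etc/dkms/certs/ClientKey.json
      subPath: ClientKey.json
      readOnly: true
  volumes:
  - name: client-key
    secret:
      secretName: dkms-client-key
      items:
      - key: ClientKey.json
        path: ClientKey.json
      defaultMode: 0400
EOF
}

# Typical use (placeholders as on the page):
#   create_dkms_secret ./ClientKey_xxxxxxxxxxx.json ./clientkey-password.txt
#   render_pod_manifest '{instanceId}-registry.{regionId}.cr.aliyuncs.com/dkms/dkmsca:v1' | kubectl apply -f -
```

Mounting the client key file from the Secret at run time means the image built from the Dockerfile above no longer has to contain ClientKey_xxxxxxxxxxx.json at all: anyone who can pull the image then gets only the CA certificates in the truststore, while the key material stays in the cluster's Secret store and reaches the Pod with mode 0400.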