Plugin configuration

In this step, you will use the config.json file to configure the Notation plugin to connect to the Securosys Transaction Security Broker (TSB). The TSB provides the REST API for interacting with the Primus HSM.

Prerequisites

  1. Download and extract the configuration templates, which include a template for the config.json.
  2. Obtain the connectivity details of your TSB. These are provided by your administrator or by Securosys during your CloudHSM onboarding.
  3. Perform the automatic plugin install or manually install the plugin.

Create the plugin configuration file

Copy the Docker Signing Notation Plugin config.json file to the BINARY_PATH. Edit it with your preferred editor.

cp ./config.json "${BINARY_PATH}/config.json"

nano "${BINARY_PATH}/config.json"

Adapt the config.json file according to your parameters.

Here is an example of the config.json file:

{
  "restApi": "https://sbx-rest-api.cloudshsm.com",
  "authType": "TOKEN",
  "token": "<JWT access token>",
  "apiKeys": {
    "KeyManagementToken": ["TSB-TOKEN_1...", "TSB-TOKEN_2..."],
    "KeyOperationToken": ["TSB-TOKEN_3..", "TSB-TOKEN_4.."],
    "ServiceToken": ["TSB-TOKEN_5...", "TSB-TOKEN_6.."]
  },
  "applicationKeyPair": {
    "publicKey": "PUBLIC_KEY",
    "privateKey": "PRIVATE_KEY"
  },
  "metaData": {
    "UserMetadata": "example of metaData"
  }
}

Parameter Overview

The config.json has the following parameters:

| Configuration Parameters | Description |
| --- | --- |
| "restApi":"https://sbx-rest-api.cloudshsm.com" | Replace the variable with your connection parameter for CloudHSM's REST API service or for the customer's on-prem deployment. |
| "authType":"authType" | "authType":"TOKEN": Authentication based on JWT token, the standard value for CloudHSM's REST/TSB API service. "authType":"CERT": Authentication based on mutual TLS. Used for CloudHSM Platinum REST/TSB API service or on-premise deployments. |
| "token":"TSBtoken" | For "authType":"TOKEN": Replace the variable with your own TSB JWT token. Omit in case of "authType":"CERT". |
| "certpath": "PathToCrt" | For "authType":"CERT": Provide the full path of the server certificate file. Omit in case of "authType":"TOKEN". |
| "keypath": "PathToKey" | For "authType":"CERT": Provide the full path of the client key file. Omit in case of "authType":"TOKEN". |
| "apiKeys": {...} | Additional authentication for TSB. Set the correct API key values for the specific operations; more than one token can be provided for each field. This is optional and will not break existing deployments. For more information, see the TSB API Key documentation. |
| "applicationKeyPair":{...} | Pair of public and private keys (base64 encoded) used to calculate the signature. |
| "metaData":{"UserMetadata":"example of metaData"} | Optional. Add any user metadata, e.g. a description. |
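
The parameter rules above (which fields each authType requires and which it must omit) can be checked before the plugin is first run. The following Python script is an added example, not part of the Securosys plugin or its documentation; the function names are hypothetical, the file-permission and https checks are hardening assumptions added here because the file holds a JWT and a private key, and all sample values are constructed.

```python
import json
import os
import stat
import tempfile

def check_config(path):
    """Return a list of findings for a notation-securosys config.json."""
    findings = []
    # Added checks (assumptions, not from the vendor docs): file mode and https.
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & 0o077:
        findings.append(f"file mode {mode:o} is accessible to group/others")
    with open(path, encoding="utf-8") as fh:
        cfg = json.load(fh)
    if not str(cfg.get("restApi", "")).startswith("https://"):
        findings.append("restApi is not an https:// URL")
    auth = cfg.get("authType")
    if auth == "TOKEN":
        if not cfg.get("token"):
            findings.append("authType TOKEN requires token")
        for key in ("certpath", "keypath"):
            if key in cfg:
                findings.append(f"{key} must be omitted for authType TOKEN")
    elif auth == "CERT":
        for key in ("certpath", "keypath"):
            if not cfg.get(key):
                findings.append(f"authType CERT requires {key}")
        if "token" in cfg:
            findings.append("token must be omitted for authType CERT")
    else:
        findings.append(f"authType must be TOKEN or CERT, got {auth!r}")
    for name, tokens in cfg.get("apiKeys", {}).items():
        if not isinstance(tokens, list) or not all(isinstance(t, str) for t in tokens):
            findings.append(f"apiKeys.{name} must be a list of strings")
    return findings

def write_sample(cfg, mode):
    """Write a constructed config to a temp file with the given mode."""
    fd, path = tempfile.mkstemp(suffix=".json")
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        json.dump(cfg, fh)
    os.chmod(path, mode)
    return path

if __name__ == "__main__":
    # Constructed sample: CERT mode with a leftover token and no keypath.
    demo = write_sample({"restApi": "https://tsb.example.invalid", "authType": "CERT",
                         "token": "constructed", "certpath": "/constructed/client.crt"}, 0o644)
    print("\n".join(check_config(demo)))
```

An empty result means the file is owner-only and its fields are consistent with the selected authType; it does not verify that the token or keys are accepted by the TSB.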

Optional: Set the plugin config path variable

The notation-securosys plugin defaults to searching for the config.json file in the BINARY_PATH. To use a different directory, set the CONFIG_PATH environment variable. This is useful for having multiple config files for different HSM Partitions.

There are different options for setting the CONFIG_PATH environment variable:

  1. Set it globally in your ~/.bashrc, ~/.zshrc, or similar.

  2. Set it for your current shell session:

    export CONFIG_PATH="${HOME}/.config/notation/plugins/securosys/config.json"

  3. Set it for every command invocation:

    CONFIG_PATH=/path/to/config.json ./notation-securosys describe-key