Deploying HCL SafeLinx in a Container Environment
You can deploy HCL SafeLinx using either Docker Compose for orchestrated management or standard Docker commands for standalone deployments.
Before you begin
- Directories: Create data and cert-mount directories on your host to ensure data persistence.
- Certificates: Place all *.p12 and LTPA key files in the cert-mount directory before starting the container.
- Database: Ensure your target database (PostgreSQL, MySQL, etc.) is reachable.
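The directory and certificate prerequisites above can be checked from the host before the container is started. The script below is an added example, not part of the SafeLinx Docker kit; the function names are hypothetical and it assumes cert-mount and data sit under the project directory, as in the docker run commands on this page.

```shell
#!/bin/sh
# Added example: pre-flight check for the host directories this page mounts.
# Assumes ./cert-mount and ./data sit under the directory passed as $1.

# file_mode FILE: print octal permission bits (GNU stat, then BSD stat).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# check_layout BASE: return 0 when both directories exist and cert-mount
# holds at least one *.p12 file; print what is missing otherwise.
check_layout() {
    base=$1; rc=0; found=0
    for d in cert-mount data; do
        if [ ! -d "$base/$d" ]; then
            echo "MISSING: directory $base/$d"
            rc=1
        fi
    done
    for f in "$base"/cert-mount/*.p12; do
        [ -f "$f" ] || continue   # unmatched glob stays literal; skip it
        found=1
    done
    if [ "$found" -eq 0 ]; then
        echo "MISSING: no *.p12 file in $base/cert-mount"
        rc=1
    fi
    return "$rc"
}

# world_readable BASE: list files in cert-mount that any host user can read.
# Report only: which account must read the keys depends on the image.
# Returns 1 when at least one such file is found.
world_readable() {
    base=$1; rc=0
    for f in "$base"/cert-mount/*; do
        [ -f "$f" ] || continue
        mode=$(file_mode "$f")
        case "$mode" in
            *[4567]) echo "WEAK: $f has mode $mode"; rc=1 ;;
        esac
    done
    return "$rc"
}

# Usage from the project directory:
#   check_layout . && world_readable . && docker-compose up -d
```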
About this task
Method A: Using Docker Compose
This method is recommended if you have the docker-compose.yaml file from the SafeLinx Docker kit.
- Configure the Environment: Edit the .env file in your project directory:
    VERSION=1450
    DB_TYPE=postgres
- Start the Service: Run the following command from your project directory:
    docker-compose up -d
Method B: Using Docker Run Commands
Use this method if you pulled the image from hclcr.io and do not have the orchestration files.
- Standard Server Deployment: Use this command for standard Nomad, Verse, or HTTP proxy deployments:
    docker run -d \
      --name hcl-safelinx \
      --restart unless-stopped \
      -e DB_TYPE=postgres \
      -v $(pwd)/cert-mount:/cert-mount:z \
      -v $(pwd)/data:/opt/hcl/SafeLinx/datastore:z \
      -p 443:443 \
      -p 8885:8885 \
      -p 9555:9555 \
      -p 9559:9559 \
      hclcr.io/hcl-safelinx/safelinx-server:1450
- VPN Server Deployment (Host Network): If deploying SafeLinx as a VPN server, the container requires privileged access to manage network interfaces on the host:
    docker run -d \
      --name hcl-safelinx-vpn \
      --restart unless-stopped \
      --privileged \
      --network host \
      --device /dev/net/tun \
      -e DB_TYPE=postgres \
      -v $(pwd)/cert-mount:/cert-mount:z \
      -v $(pwd)/data:/opt/hcl/SafeLinx/datastore:z \
      hclcr.io/hcl-safelinx/safelinx-server:1450
Configuration & Management
Administrator Interface
Regardless of the deployment method, SafeLinx must be configured via the Administrator Client:
- Connect to the server at <host>:9555.
- Perform your configuration (LDAP, OIDC, VPN Routes, etc.).
- Restart the container to apply changes:
  - Compose: docker-compose restart
  - Docker: docker restart hcl-safelinx
Common Parameters Explained
- -e DB_TYPE: Defines the database backend (e.g., postgres, mysql, mssql).
- -v .../data:/opt/hcl/SafeLinx/datastore:z: Maps the persistent configuration data to the host.
- --privileged & --device /dev/net/tun: Grants the container permission to create the tunnels required for VPN traffic.
- --network host: Required for VPN servers to ensure the container shares the host's IP stack for routing.