1.0 Introduction
This article describes how to manually deploy an approved workflow for Azure Container Instances (ACI) applications in Fortanix Confidential Computing Manager (CCM).
After a workflow is approved, Fortanix CCM generates a secure workflow application configuration that ACI applications retrieve and use at runtime. This configuration defines how applications interact with datasets, other applications, and user-provided inputs within the approved workflow.
2.0 Manual Deployment of an Approved Workflow for ACI Application
After all users approve a workflow, Fortanix CCM provides the workflow application configuration to the applications included in the workflow. This configuration contains information such as the datasets or applications connected in the workflow, along with any user-provided files or values that must be supplied to the enclave at runtime.
Fortanix CCM delivers the workflow application configuration to applications through a workflow application configuration identifier, which the application passes as an input argument during startup.
The identifier is a SHA-256 hash of workflow configuration elements that must be secured. Fortanix CCM embeds this identifier into the certificates it issues, enabling the Key Management Service (KMS) to determine which configuration is authorized to access credentials.
Fortanix CCM embeds the identifier in the certificate Subject Alternative Name (SAN) using the following format:
<identifier>.<mrenclave>.id.fortanix.cloud
Using this identifier, the KMS that stores dataset credentials authenticates requests and provides credentials only to applications that present a valid certificate corresponding to the approved workflow configuration. When an application starts, Fortanix CCM tracks which applications are authorized to access specific configurations based on this identifier.
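A relying service can check the SAN format described above mechanically before releasing credentials. The following is an added example, not Fortanix code: it parses a SAN of that shape and compares it with an approved identifier and enclave measurement. It assumes that the certificate chain has already been validated, that both labels are plain alphanumerics in the same text encoding as the Runtime configuration hash, and that the function names and sample values are illustrative only.

```python
import hmac
import re

SUFFIX = ".id.fortanix.cloud"        # SAN suffix given on this page
LABEL = re.compile(r"[a-z0-9]+")      # assumption: labels are plain alphanumerics


def parse_workflow_san(dns_name):
    """Split '<identifier>.<mrenclave>.id.fortanix.cloud' into its two labels.

    Returns (identifier, mrenclave) in lower case, or None if the name does
    not have exactly that shape.
    """
    name = dns_name.lower()
    if not name.endswith(SUFFIX):
        return None                   # rejects look-alike suffixes and trailing dots
    labels = name[: -len(SUFFIX)].split(".")
    if len(labels) != 2 or not all(LABEL.fullmatch(lab) for lab in labels):
        return None                   # rejects wildcards, empty or extra labels
    return labels[0], labels[1]


def san_authorizes(dns_names, approved_identifier, expected_mrenclave):
    """True if any SAN binds the approved identifier to the expected enclave."""
    want_id = approved_identifier.lower().encode()
    want_mr = expected_mrenclave.lower().encode()
    ok = False
    for dns_name in dns_names:
        parsed = parse_workflow_san(dns_name)
        if parsed is None:
            continue
        ident, mrenclave = parsed
        # compare_digest avoids leaking the match position through timing
        id_ok = hmac.compare_digest(ident.encode(), want_id)
        mr_ok = hmac.compare_digest(mrenclave.encode(), want_mr)
        ok = ok or (id_ok and mr_ok)
    return ok


# Constructed sample values, not real hashes or measurements.
SAMPLE_ID = "ab12" * 16
SAMPLE_MR = "cd34" * 16
SAMPLE_SAN = f"{SAMPLE_ID}.{SAMPLE_MR}{SUFFIX}"
```

Both labels must match together: a certificate carrying the approved identifier under a different enclave measurement is refused, as is a name that merely contains the suffix somewhere other than at its end.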
2.1 Copy the Workflow Application Configuration Identifier
Perform the following steps to retrieve the workflow application configuration identifier:
Click the application node in the approved workflow graph.
Figure 1: View the app identifier
In the detailed view of the workflow application, copy the value of the Runtime configuration hash. This value is the workflow application configuration identifier used to run the application.
Figure 2: Copy the app identifier
2.2 Run the ACI Application
To run an ACI application in a Fortanix CCM workflow, you must first deploy the Confidential ACI group using the Azure portal as described in Step 5 of the Deploying the ACI Application Using Azure Portal guide. During this deployment, you provide the workflow application configuration identifier (Runtime configuration hash) copied from the approved workflow in Section 2.1: Copy the Workflow Application Configuration Identifier.
During startup, the application uses this identifier to authenticate with Fortanix CCM and securely retrieve the approved workflow configuration.
Figure 3: Add app config ID in Azure portal
2.3 Application Startup and Configuration Retrieval Flow
When the ACI application starts with the workflow application configuration identifier:
The application requests an attestation certificate from the NodeAgent, including the workflow application configuration identifier as part of the attestation data.
The application requests an application certificate from the NodeAgent.
Fortanix CCM verifies that the application is authorized to access the workflow application configuration associated with the identifier.
The application requests the workflow application configuration from Fortanix CCM by presenting the issued certificate for authentication.
Fortanix CCM validates the certificate, extracts the workflow application configuration identifier, and returns the corresponding configuration.
The application verifies and applies the configuration hash.
The application retrieves credentials from the URLs specified in the configuration.
The application authenticates and reads or writes data to the datasets as defined in the approved workflow.