---
title: "DSM Accelerator Webservice Deployment on SGX"
slug: "dsm-accelerator-webservice-deployment-on-sgx"
updated: 2026-06-11T09:40:25Z
published: 2026-06-11T09:40:25Z
---

# DSM Accelerator Webservice Deployment on SGX

## 1.0 Introduction

This article explains the procedure for **configuring the Fortanix Data Security Manager (DSM) Accelerator Webservice on an Intel® Software Guard Extensions (SGX) enclave** using the **Fortanix Confidential Computing Manager (CCM)**.

Configuring the Fortanix DSM Accelerator Webservice for SGX with Fortanix CCM provides the following:

- **Key Export Control**: To ensure that only the Fortanix DSM Accelerator Webservice can export the key, an authenticated Fortanix DSM Accelerator application (app) is created in Fortanix DSM, and a quorum policy is established in each relevant group requiring this app’s approval for key exports. Users without the app’s approval will encounter errors. If necessary, additional apps can be included in the quorum policy.
- **Transport Layer Security (TLS) Certificate Management**: The Fortanix DSM Accelerator Webservice internally manages TLS keys and certificates to comply with enclave security in the Trusted Execution Environment (TEE). At startup, the Fortanix DSM Accelerator Webservice either retrieves credentials from Fortanix DSM or uses a self-signed certificate if none are available. The Fortanix DSM Accelerator Webservice APIs will facilitate the generation and secure storage of TLS keys and certificates, while Fortanix CCM uses remote attestation to dynamically obtain a signed certificate from a CCM zone CA for enhanced security.

## 2.0 Fortanix DSM Accelerator Webservice SGX Authentication with Fortanix DSM

The following steps and diagram explain the Fortanix DSM Accelerator Webservice authentication process with Fortanix DSM:

1. Fortanix CCM provides the Fortanix DSM Accelerator Webservice with a certificate that enables it to securely authenticate with Fortanix DSM and authorize export requests, ensuring that key exports are restricted only to the Fortanix DSM Accelerator Webservice.
2. The Fortanix DSM Accelerator Webservice SGX enclave initially sends its enclave measurements to Fortanix CCM through the SGX Node Agent.
3. Fortanix CCM then validates these measurements to confirm their correctness and compliance.
4. After successful validation, Fortanix CCM issues an application certificate to the Fortanix DSM Accelerator Webservice SGX enclave. This certificate is essential for authenticating the Fortanix DSM Accelerator Webservice SGX enclave when connecting to the Fortanix DSM.

This process ensures that the Fortanix DSM Accelerator Webservice SGX enclave is verified and authorized, allowing for secure interactions with Fortanix DSM.

![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/DSMA-SGX.png)

**Figure 1: Fortanix DSM Accelerator SGX authentication with Fortanix DSM**

## 3.0 Prerequisites

The following sections describe the prerequisites for running the Fortanix DSM Accelerator Webservice on SGX:

### 3.1 Prepare an SGX Machine for Running Fortanix DSM Accelerator Webservice

*Perform the instructions in* [*Enroll a Compute Node (bare metal or VM) - SGX*](/v1/docs/users-guide-enroll-a-compute-node-bare-metal-or-vm-sgx) *to enroll the compute node into the Fortanix Confidential Computing Manager (CCM) infrastructure.*

The installer script will automatically install the required drivers along with the Fortanix Node Agent enclave. The node agent enclave helps the Fortanix DSM Accelerator Webservice enclave communicate with the Fortanix CCM Software-as-a-Service (SaaS).

### 3.2 Create an EDP Application and Whitelist the Build in Fortanix CCM

Perform the following steps to whitelist the enclave identity of the Fortanix DSM Accelerator Webservice SGX image in your CCM account:

1. [Download](https://fortanix.zendesk.com/hc/en-us/articles/40688608680852-DSM-Accelerator-Webservice-on-SGX) the latest Fortanix DSM Accelerator Webservice SGX package.
2. Run the following commands to extract the downloaded tarball (for example, `dsma-sgx.tgz`) and list its contents:

```bash
tar -zxf dsma-sgx.tgz
ls
dsma-sgx_1.27.15.tar  dsma.sig  package.README.md  tls_configuration_utility.sh
```
3. Log in to the Fortanix CCM user interface (UI). *For more information, refer to* [*Logging in*](/v1/docs/users-guide-logging-in)*.*
4. Click **Applications** from the left navigation panel.
5. On the top right corner of the **Applications** page, click **ADD APPLICATION**.
6. In the **Application** dialog box, select **EDP Application** and click **ADD**. Skip the above steps if you have already created an app.

![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/DSM A SGX Add an App.png)

**Figure 2: Add an EDP app**
7. In the **Add application** form:
  1. **Application name**: Enter a name for your application.
  2. **Description** (optional): Enter a description.
  3. **Group**: Select a Fortanix CCM group for the application.
  4. Click **ADD A CERTIFICATE** in the **Certificate Configuration** section.

![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/DSM A SGX Add an App Details.png)

**Figure 3: Add the EDP details**
  5. In the **Certificate Configuration** section, set the **Domain** to `fortanix.com`.

![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/DSM A WS on SGX Add A Certificate.png)

**Figure 4: Add a Certificate domain**
  6. Click **SAVE** to add the app.
8. After the app is created, a task will be created seeking approval to whitelist the domain. Approve the request and proceed.
9. Open the app and click **ADD IMAGE** to add and whitelist the application image.

![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/DSM A SGX Add image.png)

**Figure 5: Add an image**
10. In the **Add Image** form:

![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/DSM A SGX Add Image Details(1).png)

**Figure 6: Add an image version**
  1. **Image Version**: Enter the image version. For example, **1.27.1**.
  2. **Image Type**: Select **Intel SGX.**
  3. Click **UPLOAD** to upload the `dsma.sig` file from the `dsma-sgx.tgz` package. The parameters will be auto-populated.
  4. Click **SAVE**.
11. Another task will be created seeking approval to whitelist the application image. Approve and proceed.

### 3.3 Get a Zone Certificate from Fortanix CCM

Run the following commands to display the zone CA that issues the app certificate to the Fortanix DSM Accelerator Webservice SGX:

- Log in to the Fortanix CCM production cluster.

```bash
curl -c /dev/shm/ccm-cookies --request POST -u '<username>:<password>' 'https://ccm.fortanix.com/v1/sys/auth'
```
- Select the account. Here, `<acct-id>` is the Fortanix CCM account ID.

```bash
curl -b /dev/shm/ccm-cookies -c /dev/shm/ccm-cookies --header 'X-CSRF-Header: 1' --header 'Content-Type: application/json' -X POST 'https://ccm.fortanix.com/v1/sys/session/select_account/<acct-id>'
```
- Get the zone certificate.

```bash
curl --request GET -b /dev/shm/ccm-cookies --header 'X-CSRF-Header: 1' --header 'Content-Type: application/json' 'https://ccm.fortanix.com/v1/zones' | jq .
```
- Escape the newline characters in the certificate.

```bash
echo $(curl --request GET -b /dev/shm/ccm-cookies --header 'X-CSRF-Header: 1' --header 'Content-Type: application/json' 'https://ccm.fortanix.com/v1/zones' | jq '.[0].certificate')
```
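Before the zone CA is pasted into a Trusted CA configuration, it helps to confirm offline that the saved `/v1/zones` response really carries a certificate and to record its fingerprint. The following is an added example, not Fortanix code: the function name `zone_ca_from_response` is hypothetical, the sample response is constructed, and it assumes the `certificate` field holds PEM text (only the `.[0].certificate` path comes from the commands above).

```python
import hashlib
import json
import ssl

def zone_ca_from_response(zones_json, index=0):
    """Validate the zone CA in a saved /v1/zones response body.

    Returns the SHA-256 fingerprint of the decoded certificate bytes and
    the single-line, newline-escaped form that `jq '.[0].certificate'` prints.
    Raises ValueError if the entry is missing or not PEM-framed.
    """
    zones = json.loads(zones_json)
    if not isinstance(zones, list) or len(zones) <= index:
        raise ValueError("response holds no zone at index %d" % index)
    entry = zones[index]
    raw = entry.get("certificate") if isinstance(entry, dict) else None
    if not isinstance(raw, str):
        raise ValueError("zone entry has no 'certificate' string")
    # Assumption: the field is PEM text. PEM_cert_to_DER_cert raises
    # ValueError unless the BEGIN/END CERTIFICATE lines frame the body.
    der = ssl.PEM_cert_to_DER_cert(raw.strip())
    if not der:
        raise ValueError("certificate body is empty")
    return {
        # Compare this value whenever the CA is re-fetched or re-entered.
        "sha256": hashlib.sha256(der).hexdigest(),
        # JSON string with "\n" escaped, ready for a single-line field.
        "escaped": json.dumps(raw),
    }

# Constructed sample: placeholder bytes wrapped in PEM framing, not a real CA.
SAMPLE_DER = b"constructed bytes standing in for a DER certificate"
SAMPLE_PEM = ssl.DER_cert_to_PEM_cert(SAMPLE_DER)
SAMPLE_RESPONSE = json.dumps([{"certificate": SAMPLE_PEM}])

if __name__ == "__main__":
    result = zone_ca_from_response(SAMPLE_RESPONSE)
    print("sha256:", result["sha256"])
    print("escaped:", result["escaped"])
```

The check confirms PEM framing and base64 decoding only; it does not parse the X.509 structure or verify who issued the certificate.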

### 3.4 Create an App in Fortanix DSM with Trusted CA Authentication

In the Fortanix DSM UI, configure an application (for example, **dsma-sgx-app**) with authentication using **Trusted CA**. *For more information on how to create an app in Fortanix DSM, refer to* [*Getting Started with Fortanix DSM - UI*](/v1/docs/users-guide-getting-started-with-fortanix-data-security-manager-ui)*.*

- Fortanix DSM Accelerator Webservice will use this application to interact with Fortanix DSM independently. Record the app ID for future reference.
- Fortanix DSM Accelerator Webservice will present the signed certificate issued by the Fortanix CCM zone CA (with the domain `fortanix.com`) to authenticate the app and enable these interactions.

![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/DSM A SGX Add a DSM App.png)

**Figure 7: Add a Fortanix DSM app**

### 3.5 Create a Group with the TLS Key and Certificates

Create a group that is accessible only by the **dsma-sgx-app**. This group will be used to store the TLS certificate and private key for client connections. Ensure that this group is set as the default group for the application.

*For more information on how to create a group in Fortanix DSM, refer to* [*Getting Started with Fortanix DSM - UI*](/v1/docs/users-guide-getting-started-with-fortanix-data-security-manager-ui)*.*

### 3.6 Enable Controlled Exports

Add the **dsma-sgx-app** to all groups whose keys need to be accessed through Fortanix DSM Accelerator Webservice, designating it as a quorum approver. This ensures that client applications cannot export the keys independently.

*For more information on adding an app as an approver in Quorum policy, refer to* [*Group Quorum Policy*](/v1/docs/users-guide-group-quorum-policy)*.*

### 3.7 Configure TLS on Fortanix DSM Accelerator Webservice SGX

*For configuring TLS in the Fortanix DSM Accelerator Webservice enclave, refer to* [*DSM Accelerator Webservice for Nitro with CCM Setup*](/v1/docs/dsm-accelerator-webservice-for-nitro-with-ccm-setup-guide)*.*

## 4.0 Run Fortanix DSM Accelerator Webservice on SGX with Docker

Run the following command to start the Fortanix DSM Accelerator Webservice inside an Intel® SGX–enabled Docker container. Replace the placeholder values (`<...>`) with your actual configuration details.

```bash
 docker run \
 -e FORTANIX_API_ENDPOINT=<dsm-endpoint> \
 -e SGX_ENABLED=true \
 -e DSMA_APP_ID=<dsma-app-uuid> \
 -e TLS_KEY_ID=<tls-private-key-uuid> \
 -v /dev:/dev --device=/dev:/dev \
 -v /var/run/aesmd:/var/run/aesmd \
 dsma_sgx:latest
```

The following are essential for the proper functioning of the Fortanix DSM Accelerator Webservice:

- `FORTANIX_API_ENDPOINT` refers to the URL endpoint for the Fortanix DSM (`<dsm-endpoint>`). For example, `https://amer.fortanix.com`.
- `SGX_ENABLED` is set to `true`.
- `DSMA_APP_ID` refers to the app UUID (`<dsma-app-uuid>`) obtained in [*Section 3.4: Create an App in Fortanix DSM with Trusted CA Authentication.*](/v1/docs/dsm-accelerator-webservice-deployment-on-sgx#34-create-an-app-in-fortanix-dsm-with-trusted-ca-authentication)
- `TLS_KEY_ID` refers to the TLS key ID (`<tls-private-key-uuid>`) obtained in [*Section 3.5: Create a Group with the TLS Key and Certificates.*](/v1/docs/dsm-accelerator-webservice-deployment-on-sgx#35-create-a-group-with-the-tls-key-and-certificates)

Example:

```bash
 docker run \
 -e FORTANIX_API_ENDPOINT=<dsm-endpoint> \
 -e SGX_ENABLED=true \
 -e DSMA_APP_ID=0a96x4b9-4e36-430b-985a-8cc5f6164e16 \
 -e TLS_KEY_ID=b96b8e2c-7cfb-402b-a9dc-3e7342c8d46b \
 -v /dev:/dev --device=/dev:/dev \
 -v /var/run/aesmd:/var/run/aesmd \
 dsma_sgx:latest
```

*For more configuration options, refer to the* [*DSM Accelerator Webservice Developer Guide*](/v1/docs/dsm-accelerator-webservice-developer-guide)*.*

## 5.0 Additional References

- [*DSM Accelerator - Concepts*](/v1/docs/dsm-accelerator-concepts)
- [*DSM Accelerator Webservice for Nitro with CCM Setup*](/v1/docs/dsm-accelerator-webservice-for-nitro-with-ccm-setup-guide)

