
Add Application


1.0 Introduction

This article describes how to add and edit applications in Fortanix Confidential Computing Manager (CCM). Users can use the CCM interface to create, configure, and manage containerized applications.

A Fortanix CCM application is a program or service protected using Runtime Encryption. In a microservices architecture, you can create a separate application in CCM for each microservice.

Since application code is typically updated over time, an application definition in CCM is not associated with a specific application version. Instead, an application can be associated with one or more builds, where each build represents a specific version of the application. Each build contains platform-specific verification information that Fortanix CCM uses during attestation and workload validation.

The application record in Fortanix CCM defines the general characteristics of the application, including the domain name(s) assigned to the application and, if the application uses Enclave OS, the parameters required for processing the application using the Enclave OS converter. Applications can also be configured with labels and other settings that Fortanix CCM uses for workload placement, attestation, and policy enforcement.

2.0 Prerequisites

Ensure the following:

  • A Fortanix Armor Identity and Access Management (IAM) group must already be created. For more information, refer to Add a Group.

  • The name of the input Docker build from the input registry must be available.

  • The output build location must be available.

3.0 Add an Application

Fortanix CCM allows you to convert, deploy, and approve applications from a single interface.

Perform the following steps to add an application:

  1. In the CCM user interface (UI) left navigation panel, click Applications.

  2. On the Applications page, click ADD APPLICATION to add a new application.

    Figure 1: Add New Application

  3. In the Add Application form, select any of the following supported application types:

    • Enclave OS (Operating System) application

    • Enclave Development Platform (EDP) application

    • Application Configuration Instance (ACI) application

    • Advanced Micro Devices (AMD) Secure Encrypted Virtualization (SEV) – Secure Nested Paging (SNP) application

    • Intel TDX (Trust Domain Extensions) application

    • Azure Confidential Virtual Machine (VM) application

    Figure 2: Add application form

  4. Click NEXT.

4.0 Add Enclave OS Application

This example demonstrates how to add a Flask server application in Fortanix CCM. For this example, use a sample application build from the Fortanix public Docker registry.

Details:

Docker Hub: https://hub.docker.com/u/fortanix/

App: fortanix/python-flask

Optionally, to run the sample application, use the following command:

sudo docker run fortanix/python-flask

Figure 3: Run the Application

NOTE

Fortanix recommends using a private Docker registry to store the output image.

Perform the following steps:

  1. In the Add Application form, select Enclave OS, and then click NEXT.

  2. In the Add Application form:

    1. Application name: Enter the name of the application.

    2. Description (optional): Enter the application’s description.

    3. Input Image name: Enter the fully qualified docker image name for the application.

    4. Output Image name: Enter the fully qualified docker image name for the converted application image.

    5. Group: Select the required group from the drop down menu.

    6. Label Details: To control which applications are allowed to run on specific nodes, add labels for applications and nodes in the form of “Key:Value” pairs. For more information, refer to Application and Compute Node Policy Enforcement.

      • ADD LABELS – Enter the key-value pair and click ADD LABEL to save the label. You can also select an existing label from the Suggested Labels field.

      • Suggested Labels – This field displays the top 10 labels frequently used by users of an account.

      An example of a Key:Value pair is Location:Location_name.

      Here Location is the key and Location_name is the value (for example, South UK).

      NOTE

      • A label’s key and value can each have a maximum of 256 characters and are case-sensitive.

      • Some keys are reserved for internal use and are referred to as system-defined labels.

        • Such as: 'Fortanix', 'fortanix', 'CCM', 'ccm', 'confidentialcomputingmanager'.

          Or

        • {Fortanix|Fortanix|CCM|cm|confidentialcomputingmanager|Confidentialcomputingmanager}<Any_Non-Alphanumeric-Char><Any-Char>.

      • Adding labels to applications is optional, and applications can still run on nodes without labels. However, if labels are added to an application, the same labels must also be added to the node on which the application will run.

      • A node can have multiple labels that belong to different applications. For example:

        • App1’s label => Location1: Value1

        • App2’s label => Location2: Value2

          Then the node can contain the following labels:

          • Location1: Value1

          • Location2: Value2.

    7. Platform Configuration: Fortanix CCM allows confidential computing workloads to run on the AWS Nitro Enclave platform.

      • Enclave Memory size – Select the memory size from the drop down menu to change the memory size of the enclave.

      • Enclave CPU count – Enter the number of vCPUs to allocate to the enclave. The number of vCPUs that you can allocate to an enclave depends on the size and configuration of the parent instance. If the parent instance is enabled for multithreading, you must leave at least 2 vCPUs for the parent instance. If multithreading is not enabled, you must leave at least 1 vCPU for the parent instance. For example, if your parent instance has 4 vCPUs and it is enabled for multithreading, you can allocate up to 2 vCPUs to the enclave.

      • File persistence – This option is enabled by default. This feature allows filesystem changes to be saved to an encrypted container mount. It allows the Nitro system to access a managed security object in Fortanix DSM to encrypt and decrypt the Linux Unified Key Setup (LUKS) overlay file system. For more information, refer to AWS Nitro File Persistence.

        NOTE

        For the File Persistence feature to function correctly, you must configure the app certificate as described below. When a Nitro image runs, it must be preconfigured to receive a certificate that authorizes access to Fortanix DSM to obtain the keys for the Linux Unified Key Setup (LUKS) volume. Without the app certificate, this feature will not work.

    8. Certificate Configuration: Add any certificate using ADD CERTIFICATE. A converted application can request a certificate from the Fortanix CCM when the application starts. The certificates are signed by the Fortanix CCM Certificate Authority, which issues certificates only to trusted workloads presenting a valid attestation.

      • Domain: Enter the allowed domain for the application. This is the domain that appears in the TLS certificate issued by Fortanix CCM.

      • Type: Select Certificate Issued by Confidential Computing Manager from the drop down menu.

      • Key path: Enter the key path that will be accessible by the application.

      • Key Type: Select the type of key from the drop down menu that you want to generate.

      • RSA Key Size: Select the size of the RSA keys in bits from the drop down menu.

      • Certificate Path: Enter the certificate path that will be accessible by the application.

      • Chain Path (optional): Enter the chain path for the complete certificate chain.

    9. Edit any Additional settings as required.

      • Environment variables – Enter any environment variables that will be set at runtime. The variables need to be comma-separated values.

      • Encrypted directories - Enter comma-separated absolute paths of file system directories that should be encrypted by the application. Data written to these directories will be transparently encrypted and decrypted using Fortanix DSM-managed keys. Use this option to protect sensitive data at rest.

      • Read/Write directories – Enter comma-separated absolute paths of file system directories to allow read and write access by the application, without encryption or integrity protection. Use this only if you understand the security implications. For more information, refer to Section 4.1: Directory Protection for Enclave OS Applications.

      • Java runtime – Select the appropriate Java runtime values. When Java Runtime is selected for an application, the converted Docker image will run with the specified options for the chosen JVM (Java Virtual Machine).

        OPENJDK / ORACLE:
          -XX:CompressedClassSpaceSize=16m
          -XX:-UsePerfData
          -XX:ReservedCodeCacheSize=16m
          -XX:-UseCompiler
          -XX:+UseSerialGC

        OPENJ9 / LIBERTY:
          -Xnojit
          -Xnoaot
          -Xdump:none

      • CA Cert Path – Enter the path where the Fortanix CCM CA certificate will be stored.

      As an optional step, you can install the CA certificate in the system trust store, where system certificates are stored. Three options are available:

      • Yes, install and continue image conversion even if the installation fails – select this option if image conversion should continue even if the CA Certificate installation fails.

      • Yes, install and fail image conversion if the installation fails – select this option if image conversion should fail when the CA Certificate installation fails.

      • No, do not install – select this option if you do not want to install the CA Certificate.

  3. Click ADD APPLICATION to configure the application image.

The application is added for approval and appears on the Applications page. You can approve the request from the Tasks page.

NOTE

Creating an application does not automatically create and push a Nitro-ready image. The application build is converted and pushed to the specified location once a build of the application is created.

For more information on how to create a build for the Enclave OS application, refer to Create Application Build.
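The label rules from step 6 (Label Details) above, worked through as an added example; this is not Fortanix code, and the regular expression is my reading of the reserved-key pattern quoted in the note (an assumption), using the 'ccm' spelling of that pattern.

```python
import re

# Exact reserved (system-defined) label keys listed in the Label Details note.
RESERVED_KEYS = {"Fortanix", "fortanix", "CCM", "ccm", "confidentialcomputingmanager"}

# The note also reserves keys of the form
#   {Fortanix|CCM|ccm|confidentialcomputingmanager|Confidentialcomputingmanager}
#   <Any_Non-Alphanumeric-Char><Any-Char>
# This regex is my interpretation of that pattern (assumption), so that keys such as
# "ccm-region" or "Fortanix_site" are treated as reserved while "Fortanixsite" is not.
RESERVED_PREFIX = re.compile(
    r"^(Fortanix|CCM|ccm|confidentialcomputingmanager|Confidentialcomputingmanager)"
    r"[^A-Za-z0-9].+$"
)
MAX_LEN = 256  # per-field limit stated in the note


def validate_label(key: str, value: str) -> list[str]:
    """Return the problems found with one Key:Value label; an empty list means valid."""
    problems = []
    if not key or not value:
        problems.append("key and value must both be non-empty")
    if len(key) > MAX_LEN or len(value) > MAX_LEN:
        problems.append(f"key and value are limited to {MAX_LEN} characters each")
    if key in RESERVED_KEYS or RESERVED_PREFIX.match(key):
        problems.append(f"key {key!r} is a system-defined (reserved) label key")
    return problems


def node_accepts_app(app_labels: dict[str, str], node_labels: dict[str, str]) -> bool:
    """Placement check: every label on the application must be present on the node
    with an identical value (labels are case-sensitive). A node may carry extra labels
    belonging to other applications; an application with no labels runs anywhere."""
    return all(node_labels.get(k) == v for k, v in app_labels.items())


if __name__ == "__main__":
    # Constructed sample data mirroring the App1/App2 example in the note.
    node = {"Location1": "Value1", "Location2": "Value2"}
    print(validate_label("Location", "South UK"))            # []
    print(validate_label("ccm-region", "eu"))                 # reserved key
    print(node_accepts_app({"Location1": "Value1"}, node))    # True
    print(node_accepts_app({"Location1": "value1"}, node))    # False (case differs)
```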

4.1 Directory Protection for Enclave OS Applications

Enclave OS provides file system integrity protection. The following directory configurations are supported within an enclave:

  • Read-only (integrity protected, not encrypted, and not writable) – This is the default configuration.

  • Encrypted (integrity protected and encrypted, but initial contents are unencrypted).

  • Read-write (unprotected).

For files in read-only directories, if Enclave OS detects that a file has been modified, it halts enclave execution. Enclave OS ensures that the complete root tree (all directories under "/") is read-only, except for /etc, /run, /tmp, and /opt/fortanix/enclave-os/app-config/rw/, which have read-write permissions. Of these, all except /etc are encrypted to prevent tampering from outside the enclave.

NOTE

During Enclave OS application creation, you can configure additional directories with read-write permissions.

The following example describes a typical use case:

An enclaved Python Flask application loads the myapp.py file when the enclave starts. If this file is located in a read-only directory and is modified outside the enclave, Enclave OS detects the tampering during runtime when Flask loads the file and halts execution. Similarly, if the myapp.py file is located in an encrypted directory and is modified outside the enclave, Enclave OS detects the tampering and halts execution.

NOTE

If you are using the API to create the application, the read-write directories can be specified in the JSON configuration. For example: "rw_dirs": ["/var/cache/nginx", "/etc/ssl"].
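The directory protection rules of this section, modelled as an added example (not Enclave OS code). The default read-write and encrypted directories are the ones named above; resolving nested configurations by the longest matching directory prefix is my assumption, since the page does not say how overlaps are resolved.

```python
from enum import Enum


class Protection(Enum):
    READ_ONLY = "read-only: integrity protected, not encrypted, not writable"
    ENCRYPTED = "encrypted: integrity protected and encrypted, writable"
    READ_WRITE = "read-write: unprotected"


# Defaults described in Section 4.1: everything under "/" is read-only, except that
# /etc is read-write without encryption and the other three are encrypted.
DEFAULT_RW_UNPROTECTED = ["/etc"]
DEFAULT_ENCRYPTED = ["/run", "/tmp", "/opt/fortanix/enclave-os/app-config/rw/"]


def _norm(directory: str) -> str:
    directory = directory.rstrip("/")
    return directory or "/"


def _under(path: str, directory: str) -> bool:
    directory = _norm(directory)
    return path == directory or path.startswith(directory + "/")


def protection_for(path: str, encrypted_dirs=(), rw_dirs=()) -> Protection:
    """Classify an absolute path under the defaults plus the application's own
    'Encrypted directories' and 'Read/Write directories' settings.
    Assumption: the most specific (longest) matching directory wins."""
    if not path.startswith("/"):
        raise ValueError("path must be absolute")
    path = _norm(path)
    candidates = [(d, Protection.READ_WRITE) for d in DEFAULT_RW_UNPROTECTED + list(rw_dirs)]
    candidates += [(d, Protection.ENCRYPTED) for d in DEFAULT_ENCRYPTED + list(encrypted_dirs)]
    best = None
    for directory, prot in candidates:
        if _under(path, directory) and (best is None or len(_norm(directory)) > len(best[0])):
            best = (_norm(directory), prot)
    return best[1] if best else Protection.READ_ONLY


def tamper_outside_enclave(path: str, encrypted_dirs=(), rw_dirs=()) -> str:
    """Outcome when a file at `path` is modified from outside the enclave: read-only
    and encrypted directories are integrity protected, so Enclave OS halts; a
    read-write directory carries no protection, so the change goes undetected."""
    prot = protection_for(path, encrypted_dirs, rw_dirs)
    return "undetected" if prot is Protection.READ_WRITE else "halt"


if __name__ == "__main__":
    # Constructed paths; the rw_dirs value is the JSON example from the note above.
    rw = ["/var/cache/nginx", "/etc/ssl"]
    for p in ["/app/myapp.py", "/etc/hosts", "/tmp/cache.db", "/var/cache/nginx/index"]:
        print(f"{p:28} {protection_for(p, rw_dirs=rw).value:60} tamper -> {tamper_outside_enclave(p, rw_dirs=rw)}")
```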

4.2 Edit an Enclave OS Application

Perform the following steps to edit the Enclave OS application:

  1. In the CCM UI left navigation panel, click the Applications menu item.

  2. Click the name of the application that you want to edit.

  3. Click EDIT.

  4. Modify the configuration settings as required.

    NOTE

    Ensure that you understand the impact of changes to the additional settings before proceeding.

  5. Click UPDATE APPLICATION to apply the changes.

    NOTE

    • The Application Name field cannot be edited.

    • The Domain field can be edited only if there are no pending domain approval tasks for the application.

5.0 Add EDP Application

Perform the following steps to add an EDP application:

  1. In the Add Application form, select EDP, and then click NEXT.

  2. In the Add Application form:

    1. Application name: Enter the name of the application.

    2. Description (optional): Enter the application’s description.

    3. Group: Select the required group from the drop down menu.

    4. Label Details: To control which applications are allowed to run on specific nodes, add labels for applications and nodes in the form of “Key:Value” pairs. For more information, refer to Application and Compute Node Policy Enforcement.

      • Add Labels – Enter the key-value pair and click ADD LABEL to save the label. You can also select an existing label from the Suggested Labels field.

      • Suggested Labels – This field displays the top 10 labels frequently used by users of an account.

      NOTE

      • A label’s key and value can each have a maximum of 256 characters and are case-sensitive.

      • Some keys are reserved for internal use and are referred to as system-defined labels.

        • Such as: 'Fortanix', 'fortanix', 'CCM', 'ccm', 'confidentialcomputingmanager'.

          Or

        • {Fortanix|Fortanix|CCM|ccm|confidentialcomputingmanager|Confidentialcomputingmanager}<Any_Non-Alphanumeric-Char><Any-Char>.

      • Adding labels to applications is optional and applications can still run on nodes without labels. However, if labels are added to an application, the same labels must also be added to the node on which the application will run.

      • A node can have multiple labels that belong to different applications. For example:

        • App1’s label => Location1: Value1

        • App2’s label => Location2: Value2

          Then the node can contain the following labels:

          • Location1: Value1

          • Location2: Value2

      An example of a Key:Value pair is Location:Location_name.

      Here Location is the key and Location_name is the value (for example, South UK).

    5. Certificate Configuration: Add one or more certificates using ADD CERTIFICATE. EDP applications can use the em-app Rust library to obtain CCM-signed certificates for enclave-generated keys.

      • Domain: Enter the allowed domain for the application. This is the domain that appears in the TLS certificate issued by Fortanix CCM.

      • Type: Select the certificate type for the application from the drop down menu.

  3. Click ADD APPLICATION to configure the application.

The application is added for approval and appears on the Applications page. You can approve the request from the Tasks page.

For more information on how to create an image for the EDP application, refer to Create Application Build.

5.1 Edit an EDP Application

Perform the following steps to edit an EDP application:

  1. In the CCM UI left navigation panel, click the Applications menu item.

  2. Click the name of the application that you want to edit.

  3. Click EDIT.

  4. Modify the configuration settings as required.

  5. Click UPDATE APPLICATION to apply the changes.

6.0 Add ACI Application

Perform the following steps to add an ACI application:

  1. In the Add Application form, select ACI, and then click NEXT.

  2. In the Add Application form:

    1. Application name: Enter the name of the application.

    2. Description (optional): Enter the application’s description.

    3. Image name: Enter the fully qualified docker image name for the application. Ensure that the Image name does not include a container image tag.

    4. Group: Select the required group from the drop down menu.

    5. Certificate Configuration: Add certificates using ADD CERTIFICATE. An application can request a certificate from Fortanix CCM when the application starts. The certificates are signed by the Fortanix CCM Certificate Authority, which issues certificates only to trusted workloads presenting a valid attestation.

      • Domain: Enter the allowed domain for the application. This is the domain that appears in the TLS certificate issued by Fortanix CCM.

      • Type: Select the certificate type for the application from the drop down menu.

  3. Click ADD APPLICATION to configure the application.

The application is added for approval and appears on the Applications page. You can approve the request from the Tasks page.

For more information on how to create an image for the ACI application, refer to Create Application Build.

6.1 Edit an ACI Application

Perform the following steps to edit an ACI application:

  1. In the CCM UI left navigation panel, click the Applications menu item.

  2. Click the name of the application that you want to edit.

  3. Modify the configuration settings as required.

  4. Click UPDATE APPLICATION to apply the changes.

7.0 Add AMD SEV-SNP Application

Perform the following steps to add an AMD SEV-SNP application:

  1. In the Add Application form, select AMD SEV-SNP, and then click NEXT.

  2. In the Add Application form:

    1. Application name: Enter the name of the application.

    2. Description (optional): Enter the application’s description.

    3. Group: Select the required group from the drop down menu.

    4. Certificate Configuration: Add certificates using ADD CERTIFICATE. An application can request a certificate from Fortanix CCM when the application starts. The certificates are signed by the Fortanix CCM Certificate Authority, which issues certificates only to trusted workloads presenting a valid attestation.

      • Domain: Enter the allowed domain for the application. This is the domain that appears in the TLS certificate issued by Fortanix CCM.

      • Type: Select the certificate type for the application from the drop down menu.

  3. Click ADD APPLICATION to configure the application.

The application is added for approval and appears on the Applications page. You can approve the request from the Tasks page.

After the application is created, deploy the workload on a platform that supports AMD SEV-SNP and obtain the required attestation measurements. These values are used when creating the application image in Fortanix CCM. For more information on obtaining the measurement values required for creating the application image, refer to Deploy Confidential VM Applications on AMD SEV-SNP Using Fortanix CCM.

Once the required measurements are available, create an image for the application. For more information on how to create an image for the AMD SEV-SNP application, refer to Create Application Build.

7.1 Edit an AMD SEV-SNP Application

Perform the following steps to edit an AMD SEV-SNP application:

  1. In the CCM UI left navigation panel, click the Applications menu item.

  2. Click the name of the application that you want to edit.

  3. Click EDIT.

  4. Modify the configuration settings as required.

  5. Click UPDATE APPLICATION to apply the changes.

8.0 Add Intel TDX Application

Perform the following steps to add an Intel TDX application:

  1. In the Add Application form, select Intel TDX, and then click NEXT.

  2. In the Add Application form:

    1. Application name: Enter the name of the application.

    2. Description (optional): Enter the application’s description.

    3. Group: Select the required group from the drop down menu.

    4. Certificate Configuration: Add certificates using ADD CERTIFICATE. An application can request a certificate from Fortanix CCM when the application starts. The certificates are signed by the Fortanix CCM Certificate Authority, which issues certificates only to trusted workloads presenting a valid attestation.

      • Domain: Enter the allowed domain for the application. This is the domain that appears in the TLS certificate issued by Fortanix CCM.

      • Type: Select the certificate type for the application from the drop down menu.

  3. Click ADD APPLICATION to configure the application.

The application is added for approval and appears on the Applications page. You can approve the request from the Tasks page.

After the application is created, deploy the workload on a platform that supports Intel TDX and obtain the required attestation measurements. These values are used when creating the application build in Fortanix CCM. For more information on obtaining the VM attributes value for creating the application build, refer to Deploy Confidential VM Applications on Intel TDX Using Fortanix CCM.

Once the required measurements are available, create a build for the application. For more information on how to create a build for the Intel TDX application, refer to Create Application Build.

8.1 Edit an Intel TDX Application

Perform the following steps to edit an Intel TDX application:

  1. In the CCM UI left navigation panel, click the Applications menu item.

  2. Click the name of the application that you want to edit.

  3. Click EDIT.

  4. Modify the configuration settings as required.

  5. Click UPDATE APPLICATION to apply the changes.

9.0 Add Azure Confidential Virtual Machine (CVM) Application

Perform the following steps to add an Azure Confidential VM application:

  1. In the Add Application form, select Azure Confidential VM, and then click NEXT.

  2. In the Add Application form:

    1. Application name: Enter the name of the application.

    2. Description (optional): Enter the application’s description.

    3. Group: Select the required group from the drop down menu.

    4. Certificate Configuration: Add certificates using ADD CERTIFICATE. An application can request a certificate from Fortanix CCM when the application starts. The certificates are signed by the Fortanix CCM Certificate Authority, which issues certificates only to trusted workloads presenting a valid attestation.

      • Domain: Enter the allowed domain for the application. This is the domain that appears in the TLS certificate issued by Fortanix CCM.

      • Type: Select the certificate type for the application from the drop down menu.

  3. Click ADD APPLICATION to configure the application.

The application is added for approval and appears on the Applications page. You can approve the request from the Tasks page.

After the application is created, deploy a Confidential VM on Azure and collect the required PCR values. For more information on obtaining the measurement values required for creating the application build, refer to the following guides:

Once the PCR values are available, create the build for the Azure Confidential VM application. For more information on how to create a build for the Azure Confidential VM application, refer to Create Application Build.

9.1 Edit an Azure CVM Application

Perform the following steps to edit an Azure Confidential VM application:

  1. In the CCM UI left navigation panel, click the Applications menu item.

  2. Click the name of the application that you want to edit.

  3. Click EDIT.

  4. Modify the configuration settings as required.

  5. Click UPDATE APPLICATION to apply the changes.

10.0 Setting Environment Variables for your Application

Many applications are configured through environment variables set in a container image, a Kubernetes pod specification, or a container entrypoint script. The conversion process transfers any environment variables specified by the input container image to a configuration file in the output container, where they are covered by the enclave signature. This freezes the values of the environment variables at conversion time. If variables are supplied after the conversion takes place, they are not seen by the application. Since the variables are not seen, your application is protected from maliciously set environment variables at runtime.

By default, the only environment variable passed to the binaries in library OSes is PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin. If the host environment specifies a HOSTNAME, it is also included in the list of default environment variables.

Syntax 1: loader.env.[ENVIRON]=[VALUE]

This syntax specifies the environment variable value that is customized for the enclaves. This syntax can be used multiple times to specify more than one environment variable.

The list of environment variables passed to the binaries in enclaves will include a merged list of default environment variables and environment variables specified with this syntax. If there are any conflicting variables, the default environment variable will be overwritten.

Syntax 2: loader.env.allow_all_env.all = 1

This syntax passes all the host environment variables to the binaries in the enclaves.

The list of environment variables passed to the binaries in enclaves will include a merged list of host environment variables and variables specified with syntax 1. If there are any conflicting variables, the host environment variables will be overwritten with the value specified by syntax 1. For example, if the manifest specifies loader.env.X = Z and the host specifies X=Y then the value of X=Z.

Syntax 3: loader.env.allow_some_env.[ENVIRON] = 1

This syntax specifies the environment variable that will be passed from the host environment variable to the binaries in the enclaves. This syntax can be used multiple times to specify more than one environment variable.

The list of environment variables passed to the binaries in enclaves will include a merged list of a subset of host environment variables as specified by Syntax 3 and variables specified with Syntax 1. If there are any conflicting variables, the host environment variables will be overwritten with the value specified by Syntax 1. For example, if the manifest specifies loader.env.X = Z and the host specifies X=Y then the value of X=Z.

NOTE

Syntax 2 overrides Syntax 3, so it is recommended to use one or the other of these, not both, in the manifest file.
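The three manifest syntaxes and their precedence rules, worked through as an added simulation; this is not the converter's code. It assumes, beyond what the text states, that forwarded host variables sit on top of the default PATH/HOSTNAME entries, and it treats a missing or non-"1" allow value as off.

```python
# Default environment described in Section 10.0 (HOSTNAME is added only if the host sets it).
DEFAULT_ENV = {"PATH": "/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"}

ALLOW_ALL_KEY = "loader.env.allow_all_env.all"
ALLOW_SOME_PREFIX = "loader.env.allow_some_env."
ENV_PREFIX = "loader.env."


def parse_manifest(text: str):
    """Split manifest lines into (Syntax 1 values, Syntax 2 flag, Syntax 3 names).
    Order of the checks matters: the allow_* keys also start with 'loader.env.'."""
    manifest_env, allow_all, allow_some = {}, False, set()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if not sep:
            raise ValueError(f"missing '=' in manifest line: {raw!r}")
        if key == ALLOW_ALL_KEY:                       # Syntax 2
            allow_all = value == "1"
        elif key.startswith(ALLOW_SOME_PREFIX):        # Syntax 3
            if value == "1":
                allow_some.add(key[len(ALLOW_SOME_PREFIX):])
        elif key.startswith(ENV_PREFIX):               # Syntax 1
            manifest_env[key[len(ENV_PREFIX):]] = value
        else:
            raise ValueError(f"unrecognised manifest line: {raw!r}")
    return manifest_env, allow_all, allow_some


def enclave_environment(manifest_text: str, host_env: dict) -> dict:
    """Environment the enclave binaries see for a given manifest and host environment."""
    manifest_env, allow_all, allow_some = parse_manifest(manifest_text)
    env = dict(DEFAULT_ENV)
    if "HOSTNAME" in host_env:
        env["HOSTNAME"] = host_env["HOSTNAME"]
    if allow_all:
        # Syntax 2: every host variable is forwarded; this overrides any Syntax 3 list.
        env.update(host_env)
    else:
        # Syntax 3: only the explicitly allowed host variables are forwarded.
        env.update({k: v for k, v in host_env.items() if k in allow_some})
    # Syntax 1 values win every conflict, including against host and default values.
    env.update(manifest_env)
    return env


if __name__ == "__main__":
    # Constructed host environment: a host-supplied LD_PRELOAD is the kind of value
    # that allow_some keeps out of the enclave and allow_all lets through.
    host = {"X": "Y", "HOME": "/root", "LD_PRELOAD": "/tmp/injected.so", "HOSTNAME": "node1"}
    manifest = "loader.env.X = Z\nloader.env.allow_some_env.HOME = 1\n"
    print(enclave_environment(manifest, host))
    print(enclave_environment("loader.env.allow_all_env.all = 1\n" + manifest, host))
```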
