Fortanix CCM - Quickstart

1.0 Introduction

This article describes how to deploy and run applications using Fortanix Confidential Computing Manager (CCM) on the Fortanix Armor platform.

Fortanix CCM enables applications to run in a confidential computing environment. It manages application deployment, code attestation, identity verification, and access control to help ensure that applications run only on trusted infrastructure.

This guide describes the basic workflow for setting up and running an application in Fortanix CCM, including:

• Signing up and logging in to the Fortanix Armor

• Creating and selecting an account in Fortanix Armor

• Creating groups in Armor Identity and Access Management (IAM) to organize resources and manage access

• Adding an application

• Creating and approving an application build

• Enrolling compute nodes

• Running the application on enrolled compute nodes

By the end of this article, you will deploy an application build and run it on an enrolled compute node using Fortanix CCM.

2.0 Prerequisites

Ensure the following:

• Access to the Fortanix Armor platform.

• A private Docker registry to push converted application build(s).

• An active Microsoft Azure subscription account.

3.0 Log in and Create an Account

Fortanix CCM is a solution on the Fortanix Armor platform. Therefore, you must create an account on the Fortanix Armor platform to get started.

3.1 Sign Up and Log In to Fortanix Armor Platform - New Users

If you are accessing Fortanix CCM for the first time, you must sign up for Fortanix Armor before you can access CCM.

For detailed instructions to sign up, and log in to Fortanix Armor, refer to Getting Started with Fortanix Armor.

3.2 Log In to Fortanix Armor Platform - Existing Users

If you already have a Fortanix Armor account, log in to the Fortanix Armor platform to access CCM.

For detailed instructions to log in to Fortanix Armor, refer to Getting Started with Fortanix Armor.

3.3 Create an Account

After you log in, you must add a new Fortanix Armor account to access the Fortanix CCM solution.

For detailed instructions to create a Fortanix Armor account, refer to Getting Started with Fortanix Armor.

4.0 Create a Group

Groups are used in Fortanix CCM to organize users and manage access to CCM resources such as applications, datasets, workflows, scripts, connectors, and application configurations. You must create a group using the Fortanix Armor Identity and Access Management user interface (UI).

For more information on how to create a group in Fortanix Armor, refer to Fortanix Armor Identity and Access Management (IAM).

5.0 Getting Started with Fortanix CCM

This section describes the steps to deploy and run an application using Fortanix CCM.

The workflow begins with signing up for the Fortanix Armor platform and accessing the Fortanix CCM solution. After creating a Fortanix Armor account and a group, create an application, create and approve an application build, and deploy the approved build to compute nodes enrolled with Fortanix CCM.

The following sections provide step-by-step instructions for each stage of the process.

5.1 Add an Application

Perform the following steps to add an application:

1. In the CCM left navigation panel, click Applications, and then on the ACTIVE APPLICATIONS tab, click ADD APPLICATION to add an application.

   In this example, an Enclave OS application running a Python Flask server is used.

2. In the App Application form, select Enclave OS, and click NEXT.

   

   NOTE

   This document covers an example of deploying and running an EnclaveOS (Operating System) application using Fortanix CCM.

3. In the Add Application form, enter the required details and click ADD APPLICATION. For this example, use a sample application image from the Fortanix public Docker registry
   Details:
   Docker Hub: https://hub.docker.com/u/fortanix/
   Optional: To run the sample application, use the following command:

   sudo docker run fortanix/python-flask

   NOTE

   It is recommended to use a private Docker registry to store the output image.

For detailed instructions, refer to the following guides:

• To create an Enclave OS application, refer to Add Enclave OS Application.

• To create an Enclave Development Platform (EDP) application, refer to Add EDP Application.

• To create an Application Configuration Instance (ACI) application, refer to Add ACI Application.

• To create an Intel TDX application, refer to Add InteI TDX Application.

• To create an Azure Confidential Virtual Machine (CVM) application, refer to Add Azure CVM Application.

• To create an Advanced Micro Devices (AMD) Secure Encrypted Virtualization (SEV) - Secure Nested Paging (SNP) application, refer to Add AMD-SEV SNP Application.

3.5 Create an Application Build

A Fortanix CCM build represents a specific version of an application. Each build contains platform-specific verification information that Fortanix CCM uses during attestation and workload validation.

Perform the following steps to create an application build:

1. After you create an Enclave OS application, go to the application details page.

2. Click ADD BUILD to create a build for the Enclave OS application.

3. In the Add Build form, enter the required details and click ADD BUILD.

After the application build is created successfully, Fortanix CCM displays a confirmation notification, and the build appears on the BUILDS page.

For detailed instructions, refer to the following guides:

• To add multiple application build registries, refer to Application Build Registry.

• To create an Enclave OS application build, refer to Create an Application Build for Enclave OS Applications.

• To create an EDP application build, refer to Create an Application Build for EDP Applications.

• To create an ACI application build, refer to Create an Application Build for ACI Application.

• To create an Intel TDX application build, refer to Create an Application Build for Intel TDX Applications.

• To create an Azure CVM application build, refer to Create an Application Build for Azure CVM Applications.

• To create an AMD SEV-SNP application build, refer to Create an Application Build for AMD SEV-SNP Applications.

3.6 Approve the Application Build

Perform the following steps to approve the application build:

1. On the Tasks page, click the Build Whitelist for app: Enclave OS Application task in the Pending tab.

   

2. Click APPROVE to whitelist the build.

For detailed instructions to approve or decline application domain and build whitelist tasks in Fortanix CCM, refer to Domain and Application Build Approval.

3.7 Enroll Compute Node Agent

This section describes how to enroll a compute node using AWS Nitro Enclaves on Amazon Linux in Fortanix CCM. After successful enrollment, approved application builds can run on the compute node.

For detailed instructions to set up the environment and enroll an AWS Nitro compute node, refer to Enroll a Compute Node Using AWS Nitro on Amazon Linux.

• For detailed instructions to deploy confidential VM applications on Intel TDX using Fortanix CCM, refer to Deploy Confidential VM Applications on Intel TDX Using Fortanix CCM.

• For detailed instructions to deploy confidential VM applications on AMD SEV-SNP using Fortanix CCM, refer to Deploy Confidential VM Applications on AMD SEV-SNP Using Fortanix CCM.

• For detailed instructions to configure a Fortanix CCM deployment with an Azure Confidential Virtual Machine (CVM) Linux environment, refer to Azure Confidential VM Attestation - Linux.

• For detailed instructions to configure a Fortanix CCM deployment with an Azure Confidential Virtual Machine (CVM) Windows environment, refer to Azure Confidential VM Attestation - Windows.

3.9 Run the Application Build

After enrolling the compute node, perform the following steps to run the application build on the AWS Nitro enrolled compute node:

1. Run the following command to install Docker on the enrolled compute node:

   sudo apt install docker.io

2. Run the following command to run this application build on the node for AWS Nitro Platform:

   sudo docker run -it --rm --privileged -v /run/nitro_enclaves:/run/nitro_enclaves -e RUST_LOG=debug -e NODE_AGENT=http://172.31.14.110:9092/v1/ -p 80:80 -p 443:443 513076507034.dkr.ecr.us-west-1.amazonaws.com/development-images/em-test-framework-nginx-9913:nitro

   Where,

   • 9092 is the default port on which the Node Agent listens.

   • 172.31.14.110 is the Node Agent Host IP address.

   • em-test-framework-nginx-9913:nitro is the converted application build displayed in the BUILDS table.

   NOTE

   Replace the Node Agent IP address, port number (if modified), and application build name with values specific to your environment. The example shown above is for reference only.

3.10 Azure Confidential VM - Setup and Attestation

For detailed steps on how to configure a Fortanix CCM deployment with an Azure Confidential Virtual Machine (CVM) environment, refer to the following guides:

• Linux-based Azure CVM

  • Azure Confidential VM Setup - Linux

  • Azure Confidential VM Attestation - Linux

• Windows-based Azure CVM

  • Azure Confidential VM Setup - Windows

  • Azure Confidential VM Attestation - Windows

3.11 Enroll Compute Node - Intel TDX

This section describes how to enroll a compute node using bare metal on an Intel TDX platform in Fortanix CCM.

For more information on how to set up the environment, refer to Enroll a Compute Node (bare meta)- Intel TDX.

For detailed steps on how to deploy confidential VM applications on Intel TDX using Fortanix CCM, click here.

3.12 Enroll Compute Node - AMD SEV-SNP

This section describes how to enroll a compute node using bare metal on an AMD SEV-SNP platform in Fortanix CCM.

For more information on how to set up the environment, refer to Enroll a Compute Node (bare meta) - AMD SEV-SNP.

For detailed steps on how to deploy confidential VM applications on AMD SEV-SNP using Fortanix CCM, click here.

4.0 Where to go from here

Congratulations, you have just deployed your first confidential computing application using the Fortanix Confidential Computing Manager!

After completing the setup, you can explore additional features of Fortanix CCM using the following resources:

• Provision a TLS certificate using CCM: Add Application

• Manage identities and enforce policies for applications and compute nodes

  • Application and Compute Node Policy Enforcement

  • Compute Nodes

• Build and deploy confidential computing applications in RUST using the Fortanix EDP platform: Bringing EDP Rust Apps to Confidential Computing Manager.

For quick support, please join our Slack community: https://fortanix.com/community/ Channel: #enclavemanager