Quickstart Guide

1.0 Introduction

This article describes how to deploy and run applications using Fortanix Confidential Computing Manager (CCM) Software as a Service (SaaS).

Fortanix CCM enables an application to run in a confidential computing environment. The solution orchestrates critical security policies such as identity verification, data access control, and code attestation for enclaves that are required for confidential computing.

It also contains the information related to:

• Signing up and logging in to Fortanix CCM

• Creating and selecting an account

• Creating a group to organize resources

• Adding an application

• Creating and approving an application image

• Enrolling compute node agents

• Running the application on enrolled compute nodes

2.0 Prerequisites

Ensure the following:

• A private Docker registry to push converted application image(s).

• An Azure Portal subscription account.

3.0 Getting Started with Fortanix CCM

3.1 Sign Up and Log In

Perform the following steps to access Fortanix CCM:

1. Visit https://ccm.fortanix.com and sign up.

2. After your account is approved by the Administrator, log in by entering your email address and password.

   

3.2 Create and Select an Account

Perform the following steps to create and select an account in Fortanix CCM:

1. Once you log in to your account, you will be taken to the Accounts page. Click ADD ACCOUNT to create a new account.

2. Enter a name for the new account and optionally add a custom logo for the account.

3. To allow compute nodes to bypass attestation and successfully enroll regardless of attestation failing, click “This is a test-only deployment” check box. For more information about Attestation Bypass, refer to Disable Fortanix CCM Attestation.

4. Click CREATE ACCOUNT to complete the account creation.

   

5. Once the account is created, click SELECT ACCOUNT to select the newly created account and start enrolling compute nodes and creating applications.

   

3.3 Create a Group

Perform the following steps to create a group:

1. In the CCM left navigation panel, click the Groups menu item, and then click + ADD GROUP to add a group.

   

2. In the GROUP dialog box, do the following:

   1. Name: Enter a required name for the group.

   2. Labels (Optional): Assign one or more key-value labels to the group.

3. Click SAVE to create a group.

The group is successfully created.

3.4 Add an Application

Perform the following steps to add an application:

1. In the CCM left navigation panel, click the Applications menu item, and then click + ADD APPLICATION to add an application.

   In this example, an Enclave OS application running a Python Flask server is used.

   

2. In the APPLICATION dialog box, select Enclave OS Application and click PROCEED.

   

   NOTE

   This article covers an example of running an Enclave OS application.

   • For more information on Enclave Development Platform (EDP) applications, refer to Add EDP Application.

   • For more information on Application Configuration Instance (ACI) applications, refer to Add ACI Application.

   • For more information on Azure Confidential Virtual Machine (CVM) applications, refer to Add Azure CVM Application.

3. On the Application details form, fill in the relevant details and click SAVE. You can use Fortanix's public Docker registry for the sample application (app).
   Details:
   Docker Hub: https://hub.docker.com/u/fortanix/
   Optional: You can run the app with the following command:

   sudo docker run fortanix/python-flask

   NOTE

   It is recommended to use your private docker registry to store the output image.

   

For more information on how to configure an Enclave OS application, refer to Add Enclave OS Application.

3.5 Create an Image

A Fortanix CCM Image is a particular software release or a version of an application. Each image is associated with one enclave hash (MRENCLAVE).

Perform the following steps to create an image:

1. Once you create an Enclave OS application, the Images page appears.

2. Click + ADD IMAGE to create an image for the Enclave OS application.

   

3. In the Image form, do the following:

   1. Tag: Enter a tag for the image. Use “latest” if you want to use the latest image builds.

   2. ADD REGISTRY CREDENTIALS: Enter registry credentials for the Output image name. This is required to access the private Docker registry where the output image is pushed. Since the input image is stored in a public registry, credentials for the input image are not required.

      • If registry credentials are already configured on the Settings page of Fortanix CCM, then the Use same credential as input image registry check box is selected by default, and the registry details are populated automatically.

        

      • If no registry credentials are saved on the Settings page, manually enter the registry credentials for the Output image name.

        

   3. For the Image Type as AWS Nitro Enclaves, enter the following details:

      • Memory size

      • CPU count: CPU count is the number of CPUs to dedicate to an enclave out of all the CPUs available to the host machine.

4. Click SAVE to create the image.

After successful image creation, Fortanix CCM displays a confirmation notification, and the application is listed on the Applications page.

For more information, refer to the following guides:

• To add multiple image registries, refer to Image Registry

• To create an EOS application image, refer to Create an Image for Enclave OS Applications

• To create an EDP application image, refer to Create an Image for EDP Applications

• To create an ACI application image, refer to Deploy the ACI Application Using Azure Portal

• To create an Azure CVM application image, refer to Create an Image for Azure CVM Applications

3.6 Application Image Approval

Perform the following steps to approve the application image:

1. On the Tasks page, click the "Build Whitelist for app: Python Application Server" task.

2. Click APPROVE to whitelist the image.

   

      

   

3.7 Enroll Compute Node Agent - SGX

Perform the following steps to enroll the Fortanix CCM node agent:

1. In the CCM left navigation panel, click Infrastructure → Compute Nodes, and then click + ADD NODE.

   

2. In the ENROL COMPUTE NODE dialog box, click COPY to copy the Join Token. This token is used by the compute node to authenticate itself.

   

3. Go to Fortanix Confidential Computing Node Agent create the Node Agent Virtual Machine (VM) and register the compute node.

   NOTE

   Alternatively, you can download the latest node agent software from Fortanix Node Agent and install it on your own machine.

   

4. Enter the required details to deploy the node agent on Azure. Paste the previously generated Join Token into the Join Token field.

   NOTE

   Information about supported regions and VM types is available here.

   

   

   

   

5. After the node agent is created, the compute node is enrolled in Fortanix CCM and listed in the Compute Nodes overview table.

   

      For more information on how to enroll compute nodes, refer to Supported Platforms.

3.8 Enroll Compute Node Agent - AWS Nitro

This section describes how to enroll a compute node using AWS Nitro Enclaves on Amazon Linux in Fortanix CCM.

For more information on how to set up the environment, refer to the Enroll a Compute Node Using AWS Nitro on Amazon Linux.

Perform the following steps to generate a join token from Fortanix CCM:

1. In the CCM left navigation panel, click Infrastructure → Compute Nodes, and then click + NODE.

   

2. In the ENROLL COMPUTE NODE dialog box, Fortanix CCM generates a Join Token in the Get a join token to register an SGX compute node field. This token authenticates the compute node with Fortanix CCM.

   

3. Click COPY to copy the Join Token.  

4. Download the Amazon Nitro node agent installer.

5. Extract the contents of the package and open the extracted folder.

6. Open the README file, which provides instructions to enroll the compute node in Fortanix CCM, and perform the following steps:

   1. Copy the file installer.sh to your Amazon Linux VM.

   2. Run the installer script using the join token copied in Step 3:

      sudo bash ./installer.sh <join-token>

7. After successful enrollment, the compute node appears in the Compute Nodes overview table in Fortanix CCM.

   

3.9 Run the Application Image on the Enrolled Compute Node

After enrolling the compute node, perform the following steps to run the application image on the AWS Nitro enrolled compute node:

1. Run the following command to install Docker on the enrolled compute node:

   sudo apt install docker.io

2. Run the following command to run this application image on the node for AWS Nitro Platform:

   sudo docker run -it --rm --privileged -v /run/nitro_enclaves:/run/nitro_enclaves -e RUST_LOG=debug -e NODE_AGENT_BASE_URL=http://172.31.14.110:9092/v1/ -p 80:80 -p 443:443 513076507034.dkr.ecr.us-west-1.amazonaws.com/development-images/em-test-framework-nginx-9913:nitro

   Where,

   • 9092 is the default port on which Node Agent listens to.

   • 172.31.14.110 is the Node Agent Host IP.

   • em-test-framework-nginx-9913:nitro is the converted app that can be found in the Images under the Image Name column in the Images table.

   NOTE

   Replace the Node Agent IP address, port number (if modified), and application image name with values specific to your environment. The example shown above is for reference only.

3.10 Azure Confidential VM - Setup and Attestation

For detailed steps on how to configure a Fortanix CCM deployment with an Azure Confidential Virtual Machine (CVM) environment, refer to the following guides:

• Linux-based Azure CVM

  • Azure Confidential VM Setup - Linux

  • Azure Confidential VM Attestation - Linux

• Windows-based Azure CVM

  • Azure Confidential VM Setup - Windows

  • Azure Confidential VM Attestation - Windows

4.0 Where to go from here

Congratulations, you have just deployed your first confidential computing application using the Fortanix Confidential Computing Manager!

After completing the setup, you can explore additional features of Fortanix CCM using the following resources:

• Provision a TLS certificate using CCM: Certificate Configuration

• Manage identities and enforce policies for applications and compute nodes

  • Application and compute node policy enforcement

  • Compute node labels

• Build and deploy confidential computing applications in RUST using the Fortanix EDP platform: EDP applications on CCM.

For quick support, please join our Slack community: https://fortanix.com/community/ Channel: #enclavemanager