Using Fortanix Confidential Computing Manager to Build an Enclave OS Spring Application

1.0 Introduction

This article describes how to deploy a Spring application that stores data in a MySQL database using Apache Tomcat. The MySQL database and Spring application run in AWS Nitro Enclaves using Fortanix Confidential Computing Manager (CCM) and a compute node.

2.0 Deploy the Spring MySQL Database Application

2.1 Authenticate to Fortanix Armor

Before you can issue any requests, you must authenticate to Fortanix Armor using the following commands:

cpath=$(mktemp -p "/tmp" -t "fortanix_ccm_cookie.XXXXX")
curl -u : -c $cpath -X POST https://ccm.fortanix.com/v1/sys/auth

2.2 List Available Accounts

After authenticating, retrieve the list of available accounts:

curl -b $cpath -c $cpath -H "X-CSRF-Header:true" https://ccm.fortanix.com/v1/accounts

2.3 Select the Account

Identify the account_id of the account you want to use and select it using the following command:

curl -b $cpath -c $cpath -H "X-CSRF-Header:true" -X POST https://ccm.fortanix.com/v1/sys/session/select_account/<account_id>

2.4 Create an Application

Create a Spring MySQL database application using the configuration provided in the app.json file.

curl -b $cpath -c $cpath -H "X-CSRF-Header:true" -H "Content-Type: application/json" -d @app.json -X POST https://ccm.fortanix.com/v1/apps

2.4.1 Create an app.json File

Create an app.json file with the following contents:

{
    "name":"spring-mysql-db",
    "description":"",
    "input_image_name":"fortanix/spring-mysql-db",
    "output_image_name":"/spring-mysql-db-converted",
    "default_build_settings": {
        "sgx": {},
        "nitro_enclaves": {
            "cpu_count": 2,
            "mem_size": 1024,
            "enable_overlay_filesystem_persistence": true
        }
    },
    "group_id": "a8e8395e-096d-4eb8-9017-2098f2ab8327",
    "allowed_domains": [],
    "advanced_settings": {
        "entrypoint": [],
        "manifestEnv": ["MALLOC_ARENA_MAX=1"],
        "encryptedDirs": [],
        "rw_dirs": ["/etc","/var/lib/_mysql","/var/lib/mysql","/tmp","/run/mysqld"],
        "certificate": {}
    },
    "custom_metadata": {
        "app_type": "ENCLAVE_OS"
    }
}

2.5 Create an Application Build

Create a build for the application using the following command:

curl -b $cpath -c $cpath -H "X-CSRF-Header:true" -H "Content-Type: application/json" -d @build.json -X POST https://ccm.fortanix.com/v1/builds/convert-app

Create a build.json file with the following contents:

{
    "app_id": <app_id>,
    "docker_version": <tag>,
    "inputAuthConfig": {
        "username": <username>,
        "password": <password>
    },
    "outputAuthConfig": {
        "username": <username>,
        "password": <password>
    }
}

The command returns information about the build, including the <task_id>.

Approve the build using the <task_id>:

curl -b $cpath -c $cpath -H "X-CSRF-Header:true" -H "Content-Type: application/json" -d '{"status":"APPROVED"}' -X PATCH https://ccm.fortanix.com/v1/tasks/<task_id>

2.6 Run the Application

Run the converted application image using the following command:

docker run --privileged --volume /dev:/dev -v /var/run/aesmd/aesm.socket:/var/run/aesmd/aesm.socket -e NODE_AGENT=http://<node-agent-ip>:9092/v1/ --network=host <spring-mysql-db-converted-image>

Where:

  • <node-agent-ip> is the IP address of the compute node enrolled with Fortanix CCM.

  • 9092 is the port on which the compute node listens.

  • <spring-mysql-db-converted-image> is the converted application image available in the Builds table.

NOTE

  • Replace the Node IP address, port, and converted image with your own values. The values shown above are examples.

  • Add the following flags to the command for additional details:

    • -e ENCLAVEOS_LOG_LEVEL=debug to enable debug logging.

    • -p 7622:80 -p 8038:443 to map the application custom ports to ports 80 and 443.

3.0 Deploy the Spring MySQL Application

3.1 Authenticate to Fortanix Armor

Before you can issue any requests, you must authenticate to Fortanix Armor using the following commands:

cpath=$(mktemp -p "/tmp" -t "fortanix_ccm_cookie.XXXXX")
curl -u : -c $cpath -X POST https://ccm.fortanix.com/v1/sys/auth

3.2 List Available Accounts

Retrieve the list of available accounts:

curl -b $cpath -c $cpath -H "X-CSRF-Header:true" https://ccm.fortanix.com/v1/accounts

3.3 Select the Account

Identify the account_id of the account you want to use and select it:

curl -b $cpath -c $cpath -H "X-CSRF-Header:true" -X POST https://ccm.fortanix.com/v1/sys/session/select_account/<account_id>

3.4 Create an Application

Create a Spring MySQL application using the configuration provided in the app.json file.

curl -b $cpath -c $cpath -H "X-CSRF-Header:true" -H "Content-Type: application/json" -d @app.json -X POST https://ccm.fortanix.com/v1/apps

3.4.1 Create an app.json File

Create an app.json file with the following contents:

{
     "name": "spring-mysql-app",
     "description": "",
     "input_image_name": "fortanix/spring-mysql-app",
     "output_image_name": "/spring-mysql-app-converted",
     "isvprodid": 1,
     "isvsvn": 1,
     "mem_size": 2048,
     "threads": 80,
     "advanced_settings": {
         "java_runtime":"OPENJDK",
         "rw_dirs":["/tmp","/etc","/usr/lib","/root/gs-accessing-data-mysql"]
     }
}

3.5 Create an Application Build

Create a build using the following command:

curl -b $cpath -c $cpath -H "X-CSRF-Header:true" -H "Content-Type: application/json" -d @build.json -X POST https://ccm.fortanix.com/v1/builds/convert-app

Create a build.json file with the following contents:

{
    "app_id": <app_id>,
    "docker_version": <tag>,
    "inputAuthConfig": {
        "username": <username>,
        "password": <password>
    },
    "outputAuthConfig": {
        "username": <username>,
        "password": <password>
    }
}

For more information about configuring registry credentials without including credentials in this file, refer to Fortanix CCM - Quickstart.

The command returns information about the build, including the <task_id>.

Approve the build using the following command:

curl -b $cpath -c $cpath -H "X-CSRF-Header:true" -H "Content-Type: application/json" -d '{"status":"APPROVED"}' -X PATCH https://ccm.fortanix.com/v1/tasks/<task_id>
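
The build.json file described in this section holds registry credentials in plain text. As an added example (not Fortanix code), the shell functions below generate the same request body from environment variables so it can be piped to curl with -d @- instead of being saved to disk. The variable names CCM_APP_ID, CCM_IMAGE_TAG, REGISTRY_USER and REGISTRY_PASS are assumptions, as are sending all four values as JSON strings and using one set of registry credentials for both input and output.

```shell
#!/bin/sh
# Added example, not Fortanix code. The environment variable names used here
# are assumptions chosen for this sketch.

# json_string VALUE: print VALUE as a quoted JSON string. Backslash and double
# quote are escaped; values containing control characters are rejected.
json_string() {
  if [ "$(printf '%s' "$1" | tr -d '[:cntrl:]')" != "$1" ]; then
    echo "control character in value" >&2
    return 1
  fi
  printf '"%s"' "$(printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e 's/"/\\"/g')"
}

# Print the build.json request body (app_id, docker_version, inputAuthConfig,
# outputAuthConfig) on stdout. Every value comes from the environment, so no
# credential is written to a file or typed on a command line. The body runs in
# a subshell so the helper variables do not leak into the calling shell.
build_request_json() (
  for v in CCM_APP_ID CCM_IMAGE_TAG REGISTRY_USER REGISTRY_PASS; do
    eval "val=\${$v:-}"   # $v only ever holds one of the fixed names above
    [ -n "$val" ] || { echo "missing \$$v" >&2; exit 1; }
  done
  app=$(json_string "$CCM_APP_ID") && tag=$(json_string "$CCM_IMAGE_TAG") &&
    user=$(json_string "$REGISTRY_USER") &&
    pass=$(json_string "$REGISTRY_PASS") || exit 1
  printf '{"app_id":%s,"docker_version":%s,' "$app" "$tag"
  printf '"inputAuthConfig":{"username":%s,"password":%s},' "$user" "$pass"
  printf '"outputAuthConfig":{"username":%s,"password":%s}}\n' "$user" "$pass"
)

# Usage (network call, shown for context only):
#   build_request_json | curl -b "$cpath" -c "$cpath" -H "X-CSRF-Header:true" \
#     -H "Content-Type: application/json" -d @- -X POST \
#     https://ccm.fortanix.com/v1/builds/convert-app
```

If any variable is unset or contains a control character, the function prints nothing on stdout and returns non-zero. Run the pipeline with `set -o pipefail` where the shell supports it, so that curl's exit status does not hide that failure.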

3.6 Run the Application

Run the converted application image using the following command:

docker run --privileged --volume /dev:/dev -v /var/run/aesmd/aesm.socket:/var/run/aesmd/aesm.socket -e DB_URL=<URL-OF-MYSQL-DB> -e NODE_AGENT=http://<node-agent-ip>:9092/v1/ --network=host <spring-app-converted-image>

Where:

  • <URL-OF-MYSQL-DB> is the URL of the Spring MySQL database application.

  • <node-agent-ip> is the IP address of the compute node enrolled with Fortanix CCM.

  • 9092 is the port on which the compute node listens.

  • <spring-app-converted-image> is the converted application image available in the Builds table.

NOTE

  • Replace the Node IP address, port, and converted image with your own values. The values shown above are examples.

  • Add the following flags to the command for additional details:

    • -e ENCLAVEOS_LOG_LEVEL=debug to enable debug logging.

    • -p 7622:80 -p 8038:443 to map the application custom ports to ports 80 and 443.

4.0 Verify the Application

After both the Spring MySQL database application and the Spring MySQL application are running, verify the deployment using the following commands.

4.1 Add Data

Add data using Tomcat:

curl 'http://<node agent IP>:8080/demo/add?name=test&email=test@test.com'

4.2 Retrieve Data

Retrieve all data stored in the database:

curl http://<node agent IP>:8080/demo/all
