Using Fortanix Confidential Computing Manager to Build an Enclave OS Nginx Application - Using API

  • Last updated:
  • access_time Reading time:

Using CLI

Fetch a Bearer Token

Using the credentials used for signing up a new user, fetch the bearer token.

BEARER_TOKEN=$(curl -s -u $username:$password -X POST https://em.fortanix.com/v1/sys/auth | jq -r .access_token)

Get all Accounts

After fetching the bearer token, select the account using the bearer token. To select an account, use the GET command to get all the accounts and select the account using the account_id.

curl -H 'Authorization: Bearer <Bearer Token>'  -X GET https://em.fortanix.com/v1/accounts

Select the Account

Note the account_id of the account you want to select.

curl -H 'Authorization: Bearer <Bearer Token>' -X POST https://em.fortanix.com/v1/accounts/select_account/<account-id>

Create an Application

Create an Nginx application using the configuration provided in the app.json file below.

Create Application

curl -s -H 'Content-Type: application/json' -d @app.json -H "Authorization: Bearer <Bearer token>" -X POST https://em.fortanix.com/v1/apps

Create the App.json  config file that Contains the Application Details

{
        "name":"nginx-1",
        "description":"",
        "input_image_name":"library/nginx",
        "output_image_name":"fortanix-manager.eastus.cloudapp.azure.com:5050/nginx-1",
        "isvprodid":1,
        "isvsvn":1,
        "mem_size":1024,
        "threads":80,
        "allowed_domains":["fortanix"],
        "advanced_settings":
        {
                "certificate":
                {
                        "issuer":"MANAGER_CA",
                        "subject":"fortanix",
                        "keyType":"RSA",
                        "keyParam":{"size":2048},
                        "keyPath":"/etc/nginx/nginx-key.pem",
                        "certPath":"/etc/nginx/nginx-cert.pem"
                },
        }
}

Fetch the Domain Whitelisting Tasks

curl -s -H "Authorization: Bearer <Bearer Token>" -X GET https://em.fortanix.com/v1/tasks?task_type=DOMAIN_WHITELIST > all_domain_tasks.json

All the tasks fetched will be stored in all_domain_tasks.json file. Select the task_id to approve the task in the next step.

Approve a Task

Among the tasks fetched in the previous step, approve the application-specific task using the task_id.

curl -s -H 'Content-Type: application/json' -d '{"status":"APPROVED"}' -H "Authorization: Bearer <Bearer Token>" -X PATCH https://em.fortanix.com/v1/tasks/<task_id>

Create an Image

Create an image of the application.

curl -s -H 'Content-Type: application/json' -d @build.json -H "Authorization: Bearer <Bearer token>" -X POST https://em.fortanix.com/v1/builds/convert-app

The build.json is as below.

{
        "app_id": <app_id>,
        "docker_version": <tag>,
        "inputAuthConfig":
            {"username": <username>,
             "password": <password>
            },
        "outputAuthConfig":
           {"username": <username>,
            "password": <password>
           }
}

Fetch all the Image Whitelist Tasks

curl -s -H "Authorization: Bearer <Bearer token>" -X GET https://em.fortanix.com/v1/tasks?task_type=BUILD_WHITELIST > all_build_tasks.json

All the image whitelist tasks will be stored in all_build_tasks.json file. Select the image whitelist task ID to approve the image in the next step.

Approve the Image Whitelist Task

curl -s -H 'Content-Type: application/json' -d '{"status":"APPROVED"}' -H "Authorization: Bearer <Bearer token>" -X PATCH https://em.fortanix.com/v1/tasks/<task_id>

The image is created and whitelisted.

Next, run the following command on a machine running the node agent to run the application.

Run the Application

docker run -it --device /dev/isgx:/dev/isgx --device /dev/gsgx:/dev/gsgx -v /var/run/aesmd/aesm.socket:/var/run/aesmd/aesm.socket -e NODE_AGENT_BASE_URL=http://<node-agent-ip>:9092/v1/ -p <Port-mapping> <converted-image-id>

 Where, 

  • <node-agent-ip> is the IP address of the compute node registered on Fortanix Confidential Computing Manager (CCM).
  • 9092 is the port on which Node Agent listens up
  • converted-image-id is the converted app that can be found in the Images tab under Image Name column in the Images table.

Note.pngNOTE:

  • Please use your own inputs for Node IP, Port, and Converted Image in the above format. The information in the example above is just a sample.

Using Fortanix Confidential Computing Manager UI

Fetch a Bearer Token

  • Sign in to Fortanix CCM using the URL: https://em.fortanix.com/.
      logging.jpg                                                           Figure 1: Log in to Fortanix CCM
  • In the Accounts page, right-click on the page and click the Inspect option from the context menu. Select the Application ->Storage->Local Storage->https://em.fortanix.com. You will see the auth token displayed.
    Inspect1.png                                                              Figure 2: Fetch auth token

Get all Accounts

To get the accounts using Fortanix CCM UI, log in to Fortanix CCM to see the available accounts.

Get_account1.png                                                              Figure 3: Get the accounts

Select the Account

To select an account using Fortanix CCM UI, click the SELECT button, and then click the GO TO ACCOUNT button to enter the account.

Select_Account1.png                                                             Figure 4: Select accounts

Create an Application

Create an Nginx application using the configuration provided in the app.json file below.

To create an application using Fortanix CCM UI, click the +APPLICATION button.

EM_App_Scratch6.png                                                              Figure 5: Create an application

To create an application using Fortanix CCM UI, go to the Add application form and add the details of the application.

Figure 6: Create an application

Fetch the Domain Whitelisting Tasks

To fetch the domain whitelisting tasks using Fortanix CCM UI, click the Tasks tab.

Figure 7: View and approve domain whitelisting task

Approve a Task

To approve the domain whitelisting task for the "nginx-1" application using Fortanix CCM UI, click the APPROVE button in Figure 7 above.

Create an Image

To create an image of the "nginx-1" application using Fortanix CCM UI, click the +IMAGES button.

Figure 8: Create an image of an application

To create an image of an application using Fortanix CCM UI, go to the Create image form and add the details of the image.

Figure 9: Create an image of an application

Fetch all the Image Whitelist Tasks

To fetch the image whitelisting tasks using Fortanix CCM UI, click the Tasks tab.

Figure 10: View and approve image whitelisting task

Approve the Image Whitelist Task

To approve the image whitelisting task for the "nginx-1" application using Fortanix CCM UI, click the APPROVE button in Figure 10 above.

Next, run the following command on a machine running the node agent to run the application.

Run the Application

docker run -it --device /dev/isgx:/dev/isgx --device /dev/gsgx:/dev/gsgx -v /var/run/aesmd/aesm.socket:/var/run/aesmd/aesm.socket -e NODE_AGENT_BASE_URL=http://<node-agent-ip>:9092/v1/ -p <Port-mapping> <converted-image-id>

 Where, 

  • <node-agent-ip> is the IP address of the compute node registered on Fortanix CCM.
  • 9092 is the port on which Node Agent listens up
  • converted-image-id is the converted app that can be found in the Images tab under Image Name column in the Images table.

Note.pngNOTE:

  • Please use your own inputs for Node IP, Port, and Converted Image in the above format. The information in the example above is just a sample.

To verify and monitor the application, click the Applications tab, and verify that there is a running application image associated with it and displayed with the application in the detailed view of the application.

Figure 11: Deployed application