Using CLI
Fetch a Bearer Token
Using the credentials you signed up with, fetch the bearer token.
BEARER_TOKEN=$(curl -s -u "$username:$password" -X POST https://em.fortanix.com/v1/sys/auth | jq -r .access_token)
Get all Accounts
After fetching the bearer token, use it to select an account. First send a GET request to list all the accounts, then select the account you want by its account_id.
curl -H "Authorization: Bearer <Bearer Token>" -X GET https://em.fortanix.com/v1/accounts
Select the Account
Note the account_id of the account you want to select.
curl -H "Authorization: Bearer <Bearer Token>" -X POST https://em.fortanix.com/v1/accounts/select_account/<account-id>
Create an Application
Create an Nginx application using the configuration provided in the app.json file below.
Create Application
curl -s -H "Content-Type: application/json" -d @app.json -H "Authorization: Bearer <Bearer token>" -X POST https://em.fortanix.com/v1/apps
Create the app.json Config File that Contains the Application Details
{
  "name": "nginx-1",
  "description": "",
  "input_image_name": "library/nginx",
  "output_image_name": "fortanix-manager.eastus.cloudapp.azure.com:5050/nginx-1",
  "isvprodid": 1,
  "isvsvn": 1,
  "mem_size": 1024,
  "threads": 80,
  "allowed_domains": ["fortanix"],
  "advanced_settings": {
    "certificate": {
      "issuer": "MANAGER_CA",
      "subject": "fortanix",
      "keyType": "RSA",
      "keyParam": {"size": 2048},
      "keyPath": "/etc/nginx/nginx-key.pem",
      "certPath": "/etc/nginx/nginx-cert.pem"
    }
  }
}
Where advanced_settings is optional.
Fetch the Domain Whitelisting Tasks
curl -s -H "Authorization: Bearer <Bearer Token>" -X GET "https://em.fortanix.com/v1/tasks?task_type=DOMAIN_WHITELIST" > all_domain_tasks.json
All the fetched tasks are stored in the all_domain_tasks.json file. Note the task_id of the task to approve in the next step.
Approve a Task
Among the tasks fetched in the previous step, approve the application-specific task using the task_id.
curl -s -H "Content-Type: application/json" -d '{"status":"APPROVED"}' -H "Authorization: Bearer <Bearer Token>" -X PATCH https://em.fortanix.com/v1/tasks/<task_id>
Create an Image
Create an image of the application.
curl -s -H "Content-Type: application/json" -d @build.json -H "Authorization: Bearer <Bearer token>" -X POST https://em.fortanix.com/v1/builds/convert-app
The build.json is as below.
{
  "app_id": "${app_id}",
  "inputAuthConfig": {
    "username": "AWS",
    "password": "${aws_password}"
  },
  "input_docker_version": "latest",
  "outputAuthConfig": {
    "username": "AWS",
    "password": "${aws_password}"
  },
  "output_docker_version": "sgx"
}
Where docker_version is the tag that the image will have after conversion. The docker_version becomes the input_docker_version for the input image and the output_docker_version for the output image.
Fetch all the Image Whitelist Tasks
curl -s -H "Authorization: Bearer <Bearer token>" -X GET "https://em.fortanix.com/v1/tasks?task_type=BUILD_WHITELIST" > all_build_tasks.json
All the image whitelist tasks are stored in the all_build_tasks.json file. Note the ID of the image whitelist task to approve in the next step.
Approve the Image Whitelist Task
curl -s -H "Content-Type: application/json" -d '{"status":"APPROVED"}' -H "Authorization: Bearer <Bearer token>" -X PATCH https://em.fortanix.com/v1/tasks/<task_id>
The image is created and whitelisted.
Next, run the following command on a machine running the node agent to run the application.
Run the Application
docker run -it --device /dev/isgx:/dev/isgx --device /dev/gsgx:/dev/gsgx -v /var/run/aesmd/aesm.socket:/var/run/aesmd/aesm.socket -e NODE_AGENT_BASE_URL=http://<node-agent-ip>:9092/v1/ -p <Port-mapping> <converted-image-id>
Where,
- <node-agent-ip> is the IP address of the compute node registered on Fortanix Confidential Computing Manager (CCM).
- 9092 is the port on which the Node Agent listens.
- <converted-image-id> is the converted app, which can be found in the Images tab under the Image Name column in the Images table.
NOTE:
- Please use your own inputs for Node IP, Port, and Converted Image in the above format. The information in the example above is just a sample.
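For the Create an Image step above, the following added example (not Fortanix code) renders build.json from the page's field names without splicing the registry password into JSON text, so quotes or backslashes in it cannot break or alter the document, and writes the file with owner-only permissions. The function names are hypothetical, and the environment variable names app_id and aws_password are assumptions taken from the placeholders in build.json.

```python
import json
import os
import tempfile


def build_config(app_id, registry_password, input_tag="latest", output_tag="sgx"):
    """Return the build.json document as a dict, using the field names from the page."""
    if not app_id or not registry_password:
        raise ValueError("app_id and registry password must both be set")
    auth = {"username": "AWS", "password": registry_password}
    return {
        "app_id": app_id,
        "inputAuthConfig": dict(auth),
        "input_docker_version": input_tag,
        "outputAuthConfig": dict(auth),
        "output_docker_version": output_tag,
    }


def write_private_json(path, document):
    """Serialize with json.dump (correct escaping) and leave the file mode at 0600."""
    directory = os.path.dirname(os.path.abspath(path))
    # mkstemp creates the file readable by the owner only; chmod makes that explicit.
    fd, tmp = tempfile.mkstemp(dir=directory, prefix=".build-", suffix=".tmp")
    try:
        with os.fdopen(fd, "w", encoding="utf-8") as handle:
            json.dump(document, handle, indent=2)
            handle.write("\n")
        os.chmod(tmp, 0o600)
        os.replace(tmp, path)  # atomic rename: no half-written build.json
    except BaseException:
        if os.path.exists(tmp):
            os.unlink(tmp)
        raise
    return path


def render_from_env(path="build.json", env=os.environ):
    """Read app_id and aws_password (assumed variable names) and write build.json."""
    return write_private_json(path, build_config(env.get("app_id"), env.get("aws_password")))


if __name__ == "__main__":
    print("wrote", render_from_env())
```

Delete build.json once the convert-app request has been sent, since it holds the registry password in clear text.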
Using Fortanix Confidential Computing Manager UI
Fetch a Bearer Token
- Sign in to Fortanix CCM using the URL: https://em.fortanix.com/.
Figure 1: Log in to Fortanix CCM
- In the Accounts page, right-click on the page and click the Inspect option from the context menu. Select Application -> Storage -> Local Storage -> https://em.fortanix.com. You will see the auth token displayed.
Figure 2: Fetch auth token
Get all Accounts
To get the accounts using Fortanix CCM UI, log in to Fortanix CCM to see the available accounts.
Figure 3: Get the accounts
Select the Account
To select an account using Fortanix CCM UI, click the SELECT button, and then click the GO TO ACCOUNT button to enter the account.
Figure 4: Select accounts
Create an Application
Create an Nginx application using the configuration provided in the app.json file below.
To create an application using Fortanix CCM UI, click the +APPLICATION button.
Figure 5: Create an application
To create an application using Fortanix CCM UI, go to the Add application form and add the details of the application.
Fetch the Domain Whitelisting Tasks
To fetch the domain whitelisting tasks using Fortanix CCM UI, click the Tasks tab.
Approve a Task
To approve the domain whitelisting task for the "nginx-1" application using Fortanix CCM UI, click the APPROVE button in Figure 7 above.
Create an Image
To create an image of the "nginx-1" application using Fortanix CCM UI, click the +IMAGES button.
To create an image of an application using Fortanix CCM UI, go to the Create image form and add the details of the image.
Fetch all the Image Whitelist Tasks
To fetch the image whitelisting tasks using Fortanix CCM UI, click the Tasks tab.
Approve the Image Whitelist Task
To approve the image whitelisting task for the "nginx-1" application using Fortanix CCM UI, click the APPROVE button in Figure 10 above.
Next, run the following command on a machine running the node agent to run the application.
Run the Application
docker run -it --device /dev/isgx:/dev/isgx --device /dev/gsgx:/dev/gsgx -v /var/run/aesmd/aesm.socket:/var/run/aesmd/aesm.socket -e NODE_AGENT_BASE_URL=http://<node-agent-ip>:9092/v1/ -p <Port-mapping> <converted-image-id>
Where,
- <node-agent-ip> is the IP address of the compute node registered on Fortanix CCM.
- 9092 is the port on which the Node Agent listens.
- <converted-image-id> is the converted app, which can be found in the Images tab under the Image Name column in the Images table.
NOTE:
- Please use your own inputs for Node IP, Port, and Converted Image in the above format. The information in the example above is just a sample.
To verify and monitor the application, click the Applications tab and confirm, in the detailed view of the application, that a running application image is associated with it.