Introduction
Compute Nodes
Compute nodes are bare metal servers or virtual machines running in the cloud or on-premise.
Users can label compute nodes when registering them with Fortanix Confidential Computing Manager (CCM) to provide identity and policy management on the compute nodes. Before a compute node can run workloads, it must be enrolled in Fortanix CCM. This is called the Node Enrollment process.
Node Agent
When installed on a compute node, the Fortanix Node Agent software registers that compute node with Fortanix CCM.
The Node Agent assists in the verification of Hardware and Platform software running on the compute nodes.
The Node Agent also assists with application attestation and visibility for Fortanix CCM.
Enroll Compute Nodes
Option 1: Enroll a Compute Node Using Azure Marketplace
- First, generate a Join Token using the Fortanix CCM UI. To generate your Join Token, log in to https://em.fortanix.com and, in the Management Console tab, click the + ENROLL NODE button.
Figure 1: Enroll compute node
- In the next screen, a Join Token is generated in the text box for "Get a join token to register an SGX compute node". The compute node uses this Join Token to authenticate itself.
Figure 2: Copy Join Token
- Click the copy icon to copy the Join Token (Figure 2).
- Now create the Node Agent to register the compute node using the following URL: https://azuremarketplace.microsoft.com/en-us/marketplace/apps/fortanix.rte_node_agent.
- Click the GET IT NOW button on the “Fortanix Confidential Computing Node Agent” page.
Figure 3: Get the node agent
- Click Continue in the pop-up window.
Figure 4: Confirm creating app in Azure
- In the Node Agent preview page, click Create.
Figure 5: Proceed to create a node agent
- In the Create Fortanix Confidential Computing Node Agent form (Figure 6), fill all the necessary details.
- In the Region field, select either (US) East US, (UK) South UK, or Central Canada (more regions will be added as Azure adds Confidential Computing support to more regions).
- In the Join Token field, paste the join token that you had generated using the Fortanix CCM UI.
- Click the Review + create button to validate the node agent details.
Figure 6: Validate node agent
- Wait for the validation to pass.
- Once the validation is successful, click Create to create the node agent.
Figure 7: Create node agent
Figure 8: node agent created
- Once the node agent is created, the compute node is enrolled in Fortanix CCM and appears under the Compute Nodes overview table.
Figure 9: Enrolled node
- Add Labels: To control which applications are allowed to run on which nodes, add Labels for applications and nodes in the form of “Key:Value” pairs. Refer to Application and Compute Node Policy Enforcement for more details.
- Suggested Labels – This field shows the top 10 labels most frequently used by users of the account.
- Add Labels – Enter the Key and Value pair and click the LABEL button to save the label. The newly created label appears in the Labels Added field. A user can also choose an existing label from the Suggested Labels field.
An example of a “Key:Value” pair is “Location:Location_name”, where “Location” is the Key and “Location_name” is the Value of the key, such as “South UK”.
- If you add labels to an application, you must add the same labels to the node on which the application will run.
- A node can have multiple labels that belong to different applications. For example:
App1’s label => Location1: Value1
App2’s label => Location2: Value2
Then the node can have labels => Location1: Value1, Location2: Value2.
Figure 10: Node label
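The label rule above (an application may only run on a node that carries every one of the application's Key:Value labels, while the node may carry extra labels for other applications) as an added Python example; this is not Fortanix CCM code, and the node names and label strings are constructed samples built from the ones in the text.

```python
from typing import Dict, Iterable, List, Tuple

# Added example, not Fortanix CCM code: models the Key:Value label policy
# described above, where an application may only run on a node that carries
# every label the application carries (same key and same value).


def parse_label(label: str) -> Tuple[str, str]:
    """Split a 'Key:Value' string; the value may itself contain spaces."""
    key, sep, value = label.partition(":")
    key, value = key.strip(), value.strip()
    if not sep or not key or not value:
        raise ValueError(f"label must be of the form Key:Value, got {label!r}")
    return key, value


def parse_labels(labels: Iterable[str]) -> Dict[str, str]:
    """Parse a list of label strings, rejecting two different values for one key."""
    parsed: Dict[str, str] = {}
    for raw in labels:
        key, value = parse_label(raw)
        if key in parsed and parsed[key] != value:
            raise ValueError(f"conflicting values for key {key!r}")
        parsed[key] = value
    return parsed


def node_allows_app(node_labels: Dict[str, str], app_labels: Dict[str, str]) -> bool:
    """True when every application label is present on the node with the same value.
    The node may carry extra labels (for other applications); an application
    with no labels is allowed on every node."""
    return all(node_labels.get(key) == value for key, value in app_labels.items())


def eligible_nodes(nodes: Dict[str, Dict[str, str]], app_labels: Dict[str, str]) -> List[str]:
    """Names of the nodes on which the application is allowed to run."""
    return sorted(name for name, labels in nodes.items() if node_allows_app(labels, app_labels))


# Constructed sample inventory using the labels from the text above.
NODES = {
    "node-a": parse_labels(["Location1:Value1", "Location2:Value2"]),
    "node-b": parse_labels(["Location1:Value1"]),
    "node-c": parse_labels(["Location:South UK"]),
}
APP1_LABELS = parse_labels(["Location1:Value1"])
APP2_LABELS = parse_labels(["Location2:Value2"])

if __name__ == "__main__":
    for name, labels in (("App1", APP1_LABELS), ("App2", APP2_LABELS)):
        print(name, "may run on:", eligible_nodes(NODES, labels))
```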
Option 2: Enroll a Compute Node (bare metal or VM)
Download Node Agent Installer - Ubuntu 16.04
Click the following URL to download the Ubuntu Node Agent installer:
Download Ubuntu Node Agent.
Download Node Agent Installer - CentOS 7
Click the following URL to download the CentOS Node Agent installer:
Download CentOS Node Agent.
Enroll Compute Node
- Extract the content of the Node-Agent-Installer.tar.gz package and open the folder.
- Open the INSTALLER_README.md file, which contains the steps to enroll the compute node in Fortanix CCM.
Figure 11: INSTALLER_README
The INSTALLER_README.md has the steps to enroll a compute node in Fortanix CCM:
- Fortanix supports any SGX-capable server nodes.
- Ensure that applications on the node are allowed to make local connections to the Node Agent on port 9092.
- Enroll your compute node in Fortanix CCM:
  - Copy the file installer.sh to your VM.
  - Run installer.sh using the command: sudo bash installer.sh <join-token> --attestation-type=<attestation-type>
- To generate your Join Token, log in to https://em.fortanix.com and, in the Management Console tab, click the + ENROLL NODE button.
Figure 12: Enroll compute node
- In the ENROLL NODE screen, a Join Token is generated in the text box for "Get a join token to register an SGX compute node". The compute node uses this Join Token to authenticate itself.
Figure 13: Join token generated
- Click the Copy button to copy the Join Token (Figure 13).
- Run installer.sh with the Join Token that you copied. This enrolls the compute node in Fortanix CCM.
- Once the compute node is enrolled in Fortanix CCM, you will see it under the Compute Nodes overview table.
Figure 14: Enrolled node
Manage Nodes using Fortanix Confidential Computing Manager
- Sign in to the Fortanix CCM UI, and navigate to the COMPUTE NODES tab in the Management Console.
- Click the IP address of the node that you want to investigate. An information screen opens.
- On the information screen, you can choose to deactivate/delist the node or download the certificate that is used. To download the certificate, refer to the next section, Download Confidential Computing Manager Node Attestation Certificate.
Download Confidential Computing Manager Node Attestation Certificate
To download the CCM node attestation certificate:
- Go to the COMPUTE NODES tab in the Management Console, and then click the compute node for which you want to download the certificate.
Figure 15: Select node
- You can download the certificate from the Compute Node detailed view using the Download option on the right. This certificate contains Intel SGX details such as the CPUSVN (CPU Security Version Number) of the compute node, the MRENCLAVE of the node agent software, and so on, as shown in Figure 16.
Figure 16: Download Certificate