User's Guide: Compute Nodes

  • Last updated:
  • access_time Reading time:

Introduction

Compute Nodes

Compute nodes are bare metal servers or virtual machines running in cloud or on-premise.

Users can label compute nodes when registering to Enclave Manager to provide identity and policy management on the compute nodes​. Before running a Compute Node, it must be enrolled in the Fortanix Enclave Manager. This is called the Node Enrollment process. 

Node Agent

Fortanix Node Agent software enables registration of the compute nodes to Fortanix Enclave Manager when installed on a compute node​.

The Node Agent assists in the verification of Hardware and Platform software running on the compute nodes.

The Node Agent also assists with application attestation and visibility for Enclave Manager

Enroll Compute Nodes

Option 1: Enroll a Compute Node Using Azure Marketplace

  1. First, generate a Join Token using Enclave Manager UI. To generate your Join Token, please log in to https://em.fortanix.com and in the Compute Nodes tab, click the ENROLL COMPUTE NODE button. Node.png
                                                                        Figure 1: Enroll compute node
  2. In the next screen click the GENERATE TOKEN button to generate Join Token. This Join Token is used by the compute node to authenticate itself. Node01.png
                                                                        Figure 2: Generate token
  3. A join Token will be generated in the text box for "Get a join token to register an SGX compute node".
  4. Click the copy icon to copy the Join Token (Figure 3). Node02.png
                                                                    Figure 3: Copy Join Token
  5. Now, create the Node Agent to register the compute node using the following URL:
    https://azuremarketplace.microsoft.com/en-us/marketplace/apps/fortanix.rte_node_agent
  6. Click the GET IT NOW button in the “Fortanix Confidential Computing Node Agent” page. azure_1.png
                                                               Figure 4: Get the node agent
  7. Click Continue in the pop-up window. azure_2.png
                                                               Figure 5: Confirm creating app in Azure
  8. In the Node Agent preview page, click Create. azure_3.png
                                                          Figure 6: Proceed to create a node agent
  9. In the Create Fortanix Confidential Computing Node Agent form (Figure 7), fill all the necessary details.
    1. In the Region field, select either (US) East US, (UK) South UK, or Central Canada (more regions will be added as Azure adds Confidential Computing support to more regions).
      Note.pngNOTE: Fortanix Enclave Manager service is currently available in the above regions.
    2. In the Join Token field, paste the join token that you had generated using the Fortanix Enclave Manager UI.
  10. Click the Review + create button to validate the node agent details. mceclip0.png
                                                                         Figure 7: Validate node agent
  11. Wait for the validation to pass.
  12. Once the validation is successful, click Create to create the node agent. 20.1.png
                                                                          Figure 8: Create node agent
      22.1.png
                                                                        Figure 9: node agent created
  13. Once the node agent is created, the compute node will be enrolled in the Enclave Manager, you will see it under the Compute Nodes overview table. mceclip7.png
                                                                        Figure 10: Enrolled node

Option 2: Enroll a Compute Node Using a Confidential Computing VM

  1. Click the following URL to download the Node Agent:
    Download Node Agent
  2. Extract the content of the Node-Agent_Installer.tar package and open the folder.
  3. Open the READ_ME.txt file which contains the steps to enroll the compute node in Enclave Manager. Readme.png
                                                           Figure 11: READ_ME.txt
      The READ_ME.txt has the following steps to enroll a compute node in Enclave Manager:
  4. This script assumes that you already have a DCsV2 series VM. For more information, visit https://docs.microsoft.com/en-us/azure/virtual-machines/dcv2-series
  5. The Node Agent listens on port 9092, so please open the port 9092 on your VM if not done already.
  6. Enroll your compute node in Enclave Manager:
    1. Copy the files em-agent.conf, em-agent.deb, sgx-installer.bin, and installer.sh to your VM.
    2. Run the installer.sh using the command: 
      -bash installer.sh <join_token>
  7. To generate your Join Token, please log in to https://em.fortanix.com and in the Compute Nodes tab, click the ENROLL COMPUTE NODE button. Node.png
                                                                         Figure 12: Enroll compute node
  8. In the following screen click the GENERATE TOKEN button to generate Join Token. This Join Token is used by the compute node to authenticate itself. Node01.png
                                                                         Figure 13: Generate token
  9. A join Token will be generated in the text box for "Get a join token to register an SGX compute node".
  10. Click the copy icon to copy the Join Token (Figure 14). Node02.png
                                                                         Figure 14: Copy Join Token
  11. Run the installer.sh with the Join Token that you copied. This will enroll the compute node in Enclave Manager.
  12. Once the compute node is enrolled in Enclave Manager, you will see it under the Compute Nodes overview table. mceclip7.png                                                                           Figure 15: Enrolled node

Manage Nodes using Fortanix Enclave Manager

  1. Sign in to the Fortanix Enclave Manager UI, and navigate to the Compute Nodes tab.
  2. Click the IP address of the node that you want to investigate. An information screen opens.
  3. On the information screen, you can choose to deactivate/delist the node or download the certificate that is used. To download the certificate, refer to the next section, Download Enclave Manager certificate.

Download Enclave Manager Node Attestation Certificate

To download the EM node attestation certificate:

  1. Go to the Compute Nodes tab, and then click the compute node for which you want to download the certificate. mceclip7.png                                                                        Figure 16: Select node
  2. You can download the certificate from the Compute Node detailed view using the Download option on the right. This certificate contains Intel SGX details such as CPUSVN (CPU Security Version Number) of the compute node, MRENCLAVE of the node agent software, and so on, as seen from the screenshot below. user8.png
                                                                     Figure 17: Download Certificate