Introduction
Fortanix Confidential Computing Manager (CCM) enables an application to run in a confidential environment. The solution orchestrates critical security policies such as identity verification, data access control, and code attestation for enclaves that are required for confidential computing.
This quickstart guide will help you get started with Fortanix CCM. For a detailed user guide refer to https://support.fortanix.com/hc/en-us/sections/360008695591-User-Guide
Prerequisites:
- A private Docker registry to push converted application image(s)
- An Azure Portal subscription account
Step 1: Sign Up and Log in to Fortanix Confidential Computing Manager
- Visit https://ccm.fortanix.com/ and sign up.
- After your account is approved by the Administrator, log in by entering your email address and password.
Figure 1: Logging in
Step 2: Create and Select an Account
- Once you log in to your account, you will be taken to the Accounts page. Click ADD ACCOUNT to create a new account.
- Enter a name for the new account and optionally add a custom logo for the account. Click CREATE ACCOUNT to complete the account creation.
Figure 2: Create an account
- Once the account is created, click SELECT to select the newly created account and start enrolling compute nodes and creating applications.
Figure 3: Select an account
Step 3: Add an Application - Example: Flask Server
- Navigate to the Applications tab and click + APPLICATION to add an application. In this example, we will add an Enclave OS application running a Python Flask server.
Figure 4: Create an application
- Click the ADD button for the Enclave OS Application.
Refer to Application and Compute Node Policy Enforcement before adding an Application.
Figure 5: Add EOS application
- Fill in the relevant details as shown below and click NEXT. You can use Fortanix's public docker registry for the sample app.
Details:
Docker Hub: https://hub.docker.com/u/fortanix/
Optional: You can run the app with the following command: sudo docker run fortanix/python-flask
Figure 6: Configure an application
For more details refer to https://support.fortanix.com/hc/en-us/articles/360043527431-User-s-Guide-Add-and-Edit-an-Application#AddEnclaveOSApplication
Step 4: Create an Image
- A Fortanix CCM Image is a particular software release or a version of an application. Each image is associated with one enclave hash (MRENCLAVE).
- Once you create an Enclave OS application and click NEXT, you will see the Add image page where you have to configure the image of the Enclave OS application. Click the + IMAGES button to create an image.
Figure 7: Create an image
- For the Tag field, use “latest” if you want to use the latest image builds.
- Enter the REGISTRY CREDENTIALS for the Output image name. Here, the registry credentials are the credentials needed to access the private docker registry where the image will be pushed. Since the input image is stored in a public registry, there is no need to provide credentials for the input image.
- If you have added these registry credentials through the Settings page, then the check box Use saved credentials will be selected by default and the registry name will be filled automatically for the Add Registry Credentials fields.
Figure 8: Add saved registry credentials
- If you have not saved any Registry Credentials in the Settings page of Fortanix CCM, then manually enter the registry credentials for the Output image name.
Figure 9: Add registry credentials manually
- Click CREATE to proceed.
- On successful completion of the image creation, you will see a notification that the image was successfully created and your application will be listed in the Applications tab.
For more details refer to the URLs below:
- To add multiple image registries: https://support.fortanix.com/hc/en-us/articles/360048967971-User-s-Guide-Image-Registry
- To create an EOS application image: https://support.fortanix.com/hc/en-us/articles/360043529411-User-s-Guide-Create-an-Image#CreateanImageforEnclaveOSApplications
Step 5: Domain and Image Approval
- An application whose domain is approved will get a TLS Certificate from Fortanix CCM. Similarly, when an application runs from the converted image, the application will try to contact Fortanix CCM and ask for a TLS Certificate.
- On the Tasks Tab, approve the pending requests to approve the domain and image.
Figure 10: Approve the domain and Image
Step 6: Enroll Compute Node Agent
- Navigate to the Compute Nodes tab and click the + ENROLL NODE button.
- Click the Copy button to copy the Join Token. This Join Token is used by the compute node to authenticate itself.
Figure 11: Copy the generated Join Token
- Visit https://azuremarketplace.microsoft.com/en-us/marketplace/apps/fortanix.rte_node_agent to create the Node Agent VM to register the compute node.
Figure 12: Create node agent in Azure
- Fill in the information as shown below to spin up the node agent on Azure. Paste the Join Token generated earlier into the "Join Token" field on the Azure portal.
Figure 13: Configure the node agent
Figure 14: Configuring the node agent
- Once the node agent is created, the compute node will be enrolled in Fortanix CCM, and you will see it in the Compute Nodes overview table.
Figure 15: Node enrolled
- Add Labels for the node. To control which applications can run on which nodes, you can optionally add Labels to applications and nodes in the form of “Key:Value” pairs. The labels attached to an application and to a node are compared, and only if all of the application's labels match the node's labels will the application run on that node.
Figure 16: Add node labels
For more details refer to https://support.fortanix.com/hc/en-us/articles/360043085652-User-s-Guide-Compute-Nodes
Step 7: Run the application image on the enrolled Compute Node
- Install docker on the enrolled compute node. To install docker, use the command:
sudo apt install docker.io
- Finally, run the application image on the node. For this example application, the command would be:
sudo docker run --device /dev/isgx:/dev/isgx --device /dev/gsgx:/dev/gsgx -v /var/run/aesmd/aesm.socket:/var/run/aesmd/aesm.socket -e NODE_AGENT_BASE_URL=http://52.152.206.164:9092/v1/ fortanix-private/python-flask-sgx
- 9092 is the default port on which the Node Agent listens.
- 52.152.206.164 is the node agent host IP.
- fortanix-private/python-flask-sgx is the converted app; its name can be found in the Images tab under the Image Name column of the Images table.
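The following helper script is an added example for Step 7, not part of the Fortanix quickstart or its tooling: it checks that the compute node actually exposes the SGX device nodes and AESM socket that the run command above mounts, and only then launches the converted image against the enrolled Node Agent. The SGX_ROOT variable and the ccm_* function names are choices made here for illustration.

```shell
#!/bin/sh
# Added helper for Step 7 (not part of the Fortanix quickstart or its tooling):
# check that the compute node exposes what a converted Enclave OS image mounts,
# then launch the image against the enrolled Node Agent.

# Prefix prepended to every path that is checked. Normally empty; point it at a
# scratch directory to dry-run the checks on a machine without SGX hardware.
# (SGX_ROOT is a name chosen here, not a Fortanix setting.)
SGX_ROOT="${SGX_ROOT:-}"

# Print every missing prerequisite, one per line; no output means all present.
# The SGX device nodes and the AESM socket are exactly the paths that the
# docker run command in the guide passes through with --device and -v.
ccm_preflight() {
    for path in /dev/isgx /dev/gsgx /var/run/aesmd/aesm.socket; do
        # -e only checks existence so the dry run works with plain files.
        [ -e "${SGX_ROOT}${path}" ] || printf '%s\n' "$path"
    done
}

# Print the run command without executing it. Arguments: node agent host,
# node agent port (empty selects the default 9092), converted image name as
# shown in the Image Name column of the Images tab.
ccm_run_cmd() {
    host="$1"; port="${2:-9092}"; image="$3"
    printf 'sudo docker run --device /dev/isgx:/dev/isgx --device /dev/gsgx:/dev/gsgx -v /var/run/aesmd/aesm.socket:/var/run/aesmd/aesm.socket -e NODE_AGENT_BASE_URL=http://%s:%s/v1/ %s\n' \
        "$host" "$port" "$image"
}

# Launch the image, but refuse when the node is missing a prerequisite, so a
# misconfigured node fails with a clear message instead of an enclave startup error.
ccm_run() {
    missing=$(ccm_preflight)
    if [ -n "$missing" ]; then
        printf 'node is missing required SGX paths:\n%s\n' "$missing" >&2
        return 1
    fi
    sudo docker run --device /dev/isgx:/dev/isgx --device /dev/gsgx:/dev/gsgx \
        -v /var/run/aesmd/aesm.socket:/var/run/aesmd/aesm.socket \
        -e "NODE_AGENT_BASE_URL=http://$1:${2:-9092}/v1/" "$3"
}

# Example from the guide: preview the exact command before running it.
# ccm_run_cmd 52.152.206.164 9092 fortanix-private/python-flask-sgx
```

Run ccm_preflight first on a freshly enrolled node; an empty result confirms the SGX driver and AESM service are in place before the enclave is started.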
For quick support, please join our slack community: https://fortanix.com/community/
Channel: #enclavemanager