Quickstart Guide

1.0 Introduction

This article describes the main features of Fortanix Cloud Computing Manager (CCM) Software as a Service (SaaS).

Fortanix CCM enables an application to run in a confidential environment. The solution orchestrates critical security policies such as identity verification, data access control, and code attestation for enclaves that are required for confidential computing.

It also covers:

  • Signing up and logging in to Fortanix CCM

  • Creating and selecting an account

  • Creating and assigning a group

  • Adding an application

  • Creating an image of the application

  • Domain and image approval

  • Enrolling a compute node agent

  • Running the application

2.0 Prerequisites

Ensure the following:

  • A private Docker registry to which the converted application image(s) can be pushed, together with credentials that Fortanix CCM can use to push to it.

  • An Azure subscription, used in Section 3.7 to create the SGX node agent VM from the Azure Marketplace. For AWS Nitro, Section 3.8 instead assumes an AWS EC2 instance on which the Nitro node agent can be installed.

3.0 Fortanix CCM Workflow

3.1 Signup and Log in to Fortanix CCM

  1. Visit https://ccm.fortanix.com and sign up.

  2. After your account is approved by the Administrator, log in by entering your email address and password.

    Figure 1: Logging in

3.2 Create and Select an Account

  1. Once you log in to your account, you will be taken to the Accounts page. Click ADD ACCOUNT to create a new account.

  2. Enter a name for the new account and optionally add a custom logo for the account.

  3. To allow compute nodes to enroll even when their attestation fails, select the “This is a test-only deployment” check box. Use this only for development or test accounts: with attestation bypassed, enrollment no longer proves that a node is a genuine, correctly configured confidential computing platform, so never enable it for an account that will hold production workloads. For more information about Attestation Bypass, refer to Disable Fortanix CCM Attestation.

  4. Click CREATE ACCOUNT to complete the account creation.

    Figure 2: Create an account

  5. Once the account is created, click SELECT ACCOUNT to select the newly created account and start enrolling compute nodes and creating applications.

    Figure 3: Select an account

3.3 Add a Group

  1. Navigate to Groups from the menu list and click + ADD GROUP to create a new group.

    Figure 4: Add group button

  2. Enter the required Name for the group and, optionally, add Labels as Key:Value pairs.

  3. Click the CREATE GROUP button.

The group is successfully created.

3.4 Add an Application - Example: Flask Server

  1. Navigate to the Applications menu item in the CCM UI left navigation panel and click + ADD APPLICATION. In this example, we add an Enclave OS application running a Python Flask server.

    Figure 5: Create an application

  2. Click the ADD button for the Enclave OS Application.

    Figure 6: Add an Enclave OS application

    NOTE

    This quickstart guide covers adding an Enclave OS application.

  3. Fill in the relevant details as shown below and click NEXT. For the sample app you can use the input image from Fortanix's public registry on Docker Hub: https://hub.docker.com/u/fortanix
    Optional: before converting it, you can run the unconverted app locally to confirm that it starts:

    sudo docker run fortanix/python-flask

    NOTE

    It is recommended to store the output (converted) image in your own private Docker registry rather than a public one.

    Figure 7: Configure an application

For more details on how to configure an Enclave OS application, refer to Adding an Enclave OS Application.

3.5 Create an Image

A Fortanix CCM image is a particular software release or version of an application. Each image is associated with exactly one enclave hash (MRENCLAVE), the SGX measurement of the enclave's initial code and data. The approval in Section 3.6 is granted to that hash, so any rebuild that changes the enclave contents yields a new MRENCLAVE that has to be approved separately.

  1. After you create an Enclave OS application and click NEXT, the Add image page opens, where you configure the image of the Enclave OS application. Click the + IMAGE button to create an image.

    Figure 8: Create an image

  2. For the Tag field, enter the tag of the input image to convert. Using “latest” picks up the newest build at conversion time, but a tag is mutable and the enclave hash is computed from the exact image contents that were pulled, so prefer a specific version tag (and record the image digest) if you need to reproduce or audit the converted image and its MRENCLAVE later.

  3. Enter the REGISTRY CREDENTIALS for the Output image name. Here, the registry credentials are the credentials needed to access the private docker registry where the image will be pushed. Since the input image is stored in a public registry, there is no need to provide credentials for the input image.

    • If you have added these registry credentials in the Settings page of Fortanix CCM, then the check box Use same credential as input image registry will be selected by default and the registry name will be filled automatically for the Add Registry Credentials fields.

      Figure 9: Add saved registry credentials

    • If you have not saved any Registry Credentials in the Settings page, then manually enter the registry credentials for the Output image name.

      Figure 10: Add registry credentials manually

  4. If the Image Type is AWS Nitro Enclaves, also enter the following details:

    • Memory size – the memory to reserve for the enclave.

    • CPU count – the number of CPUs, out of those available on the host machine, to dedicate to the enclave.

  5. Click SAVE to proceed.

  6. On successful completion of the image creation, you will see a notification that the image was successfully created and your application will be listed in the Applications screen.
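To make the tag caveat from step 2 concrete, the following POSIX shell script is an added example (not part of Fortanix's documentation or tooling): it extracts the tag from an input image reference, flags a mutable "latest" or missing tag, and, when a Docker daemon is available, resolves the reference to its immutable registry digest, which is the value worth recording next to the converted image and its approved MRENCLAVE. The function names are the example's own; the image references it is exercised with are the ones on this page.

```shell
#!/bin/sh
# Added example: classify Docker image references before converting them
# with Fortanix CCM, so that the enclave hash (MRENCLAVE) produced by the
# conversion can later be tied to an exact, immutable input image.
# Not Fortanix code. Assumes POSIX sh; resolve_digest additionally assumes
# a running Docker daemon with access to the registry.

# image_tag REF
# Prints the tag of REF. A reference without a tag defaults to "latest";
# a digest-pinned reference (repo@sha256:...) prints nothing.
image_tag() {
    ref=$1
    case "$ref" in
        *@sha256:*) printf ''; return 0 ;;
    esac
    # Look at the last path component only, so a registry port such as
    # "registry.example.com:5000/app" is not mistaken for a tag.
    last=${ref##*/}
    case "$last" in
        *:*) printf '%s' "${last##*:}" ;;
        *)   printf 'latest' ;;
    esac
}

# image_is_pinned REF
# Returns 0 when REF carries a 64-hex-digit sha256 digest, 1 otherwise.
image_is_pinned() {
    digest=${1##*@}
    [ "$digest" != "$1" ] || return 1          # no "@" at all
    case "$digest" in
        sha256:*) digest=${digest#sha256:} ;;
        *)        return 1 ;;
    esac
    [ ${#digest} -eq 64 ] || return 1
    case "$digest" in
        *[!0-9a-f]*) return 1 ;;
    esac
    return 0
}

# check_input_image REF
# Prints "pinned", "tagged" or "mutable"; returns 0 for the first two.
# "mutable" (tag "latest" or no tag) is what the quickstart warns about:
# the converted image's MRENCLAVE matches whatever build "latest" pointed
# to at conversion time, which may not be reproducible later.
check_input_image() {
    if image_is_pinned "$1"; then
        printf 'pinned'
        return 0
    fi
    case "$(image_tag "$1")" in
        latest) printf 'mutable'; return 1 ;;
        *)      printf 'tagged';  return 0 ;;
    esac
}

# resolve_digest REF
# Pulls REF and prints its registry digest (repo@sha256:...), the value
# to record next to the converted image and its approved enclave hash.
resolve_digest() {
    docker pull -q "$1" >/dev/null || return 1
    docker inspect --format '{{index .RepoDigests 0}}' "$1"
}

# Usage: ./check-image-ref.sh REF [REF...]
if [ $# -gt 0 ]; then
    for img in "$@"; do
        state=$(check_input_image "$img") || :
        printf '%s\t%s\n' "$state" "$img"
    done
fi
```

Run it on the input image before creating the CCM image; if it reports "mutable", either switch to a version tag or run resolve_digest and keep the digest with your build records.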

3.6 Application Image Approval

  1. On the Tasks screen, click the "Build Whitelist for app: Python Application Server" task.

  2. Check that the task refers to the image created in the previous step, then click APPROVE to whitelist it. Approval is what allows enclaves with that image's hash to be trusted in the account, so do not approve a build you did not expect.

    Figure 11: Approve the application image

3.7 Enroll Compute Node Agent - SGX

  1. Click the Infrastructure → Compute Nodes menu item from the CCM left navigation panel and click the + ENROLL NODE button.

  2. Click COPY to copy the Join Token. The compute node presents this token to authenticate itself when it enrolls, so treat it as a credential: give it only to the node you are enrolling and do not paste it into tickets or chat.

    Figure 13: Copy the generated join token

  3. Visit https://azuremarketplace.microsoft.com/en-us/marketplace/apps/fortanix.rte_node_agent to create the Node Agent VM to register the compute node.

    NOTE

    Alternatively, you can also download the latest node agent software from Fortanix Node Agent and install it on your own machine.

    Figure 14: Create node agent in Azure

  4. Fill in the information as given below to spin up the node agent on Azure. Paste the token copied earlier into the "Join Token" field in the Azure portal.

    NOTE

    Information about the available regions and the supported VMs can be found here.

    Figure 15: Configure the node agent

    Figure 16: Configuring the node agent

  5. After the node agent is created, the compute node is enrolled in Fortanix CCM and appears in the Compute Nodes overview table.

    Figure 17: Node enrolled

For more details on how to enroll compute nodes, refer to CCM Compute Nodes.

3.8 Enroll Compute Node Agent - AWS Nitro

For more information on how to set up the environment, refer to the User's Guide: Setting up the Environment.

Perform the following steps to obtain the join token from Fortanix CCM:

  1. Log in to https://ccm.fortanix.com/ to generate your Join Token.

  2. On the Infrastructure → Compute Nodes page, click + ENROLL NODE.

    Figure 18: Enroll compute node

  3. In the ENROLL NODE window, a Join Token is generated in the text box labelled "Get a join token to register an SGX compute node" (the same dialog is used for Nitro nodes). The compute node presents this token to authenticate itself during enrollment, so treat it as a credential and share it only with the node you are enrolling.

    Figure 19: Copy join token

  4. Click COPY to copy the Join Token.  

  5. Download the Amazon Nitro node agent installer.

  6. Extract the contents of the package and open the folder.

  7. Open the readme file, which contains the steps to enroll the compute node in Fortanix CCM:

    1. Copy the file installer.sh to your VM.

    2. Run installer.sh with the join token copied in Step 4:

      sudo bash ./installer.sh <join-token>

    Because the token is passed on the command line, it is recorded in the shell history of the VM; clear that entry once the node is enrolled.

  8. Once the compute node is enrolled in Fortanix CCM, you will see it under the Compute Nodes overview table.

    Figure 20: Node enrolled

3.9 Run the Application Image on the Enrolled Compute Node

Perform the following steps:

  1. Run the following command to install Docker on the enrolled compute node:

    sudo apt install docker.io

  2. Run the following command to run the application image on the node (AWS Nitro platform):

    sudo docker run -it --rm --privileged -v /run/nitro_enclaves:/run/nitro_enclaves -e RUST_LOG=debug -e NODE_AGENT_BASE_URL=http://172.31.14.110:9092/v1/ -p 80:80 -p 443:443 513076507034.dkr.ecr.us-west-1.amazonaws.com/development-images/em-test-framework-nginx-9913:nitro

    Where,

    • 9092 is the default port on which the Node Agent listens.

    • 172.31.14.110 is the node agent host IP, that is, the VPC-internal address of the compute node on which the node agent was installed.

    • em-test-framework-nginx-9913:nitro is the converted application image, shown under the Image Name column of the Images table.

    • --privileged together with the /run/nitro_enclaves mount gives the container access to the host's Nitro Enclaves runtime, which the converted image needs in order to start its enclave.

    • RUST_LOG=debug makes the container log verbosely, which helps while getting the first deployment working; lower it (for example to info) once the application runs.

    NOTE

    Use your own inputs for Node IP, Port (if you changed it), and Converted Image in the above format. The values in the example above are only a sample. The node agent is reached over plain HTTP on port 9092, so keep that port restricted to the compute node itself (for example with the instance's security group) rather than exposing it to the wider network.
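As an added example (not Fortanix code), the following POSIX shell wrapper builds the docker run command from step 2 after validating the node agent IP, the port and the image reference, and refuses to start the privileged container on an untagged image, since the approval in Section 3.6 is per enclave hash and an unpinned reference can silently change which build runs. The function names, the info log level and the host checks are the example's own assumptions; the default port 9092, the /run/nitro_enclaves mount and the published ports are taken from the command above.

```shell
#!/bin/sh
# Added example: validate inputs before running a converted image on a
# Nitro compute node with the command shown in Section 3.9.
# Not Fortanix code. Assumes POSIX sh, Docker on the node, and sudo.

NODE_AGENT_PORT=${NODE_AGENT_PORT:-9092}   # default from the quickstart

# valid_ipv4 ADDR -> 0 if ADDR is a dotted quad with each octet in 0..255
valid_ipv4() {
    addr=$1
    case "$addr" in
        *[!0-9.]*|.*|*.|*..*|'') return 1 ;;
    esac
    # Split on dots; the function's own positional parameters hold the octets.
    set -- $(printf '%s' "$addr" | tr '.' ' ')
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# valid_port PORT -> 0 if PORT is an integer in 1..65535
valid_port() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# build_run_cmd NODE_IP IMAGE [PORT]
# Prints the docker run command without executing it, so it can be reviewed
# before the privileged container starts. Rejects bad addresses, ports,
# unexpected characters in the image reference, and untagged images.
build_run_cmd() {
    ip=$1 image=$2 port=${3:-$NODE_AGENT_PORT}
    valid_ipv4 "$ip"   || { echo "invalid node agent IP: $ip" >&2; return 1; }
    valid_port "$port" || { echo "invalid node agent port: $port" >&2; return 1; }
    case "$image" in
        ''|*[!A-Za-z0-9._/:@-]*)
            echo "unexpected characters in image reference: $image" >&2; return 1 ;;
    esac
    case "$image" in
        *@sha256:*) ;;                       # digest-pinned: best case
        *) case "${image##*/}" in            # last path component carries the tag
               *:latest) echo "warning: tag 'latest' is mutable; pin a version or digest" >&2 ;;
               *:*) ;;
               *) echo "refusing untagged image reference: $image" >&2; return 1 ;;
           esac ;;
    esac
    printf 'docker run -it --rm --privileged'
    printf ' -v /run/nitro_enclaves:/run/nitro_enclaves'
    printf ' -e RUST_LOG=%s' "${RUST_LOG:-info}"      # quickstart uses debug
    printf ' -e NODE_AGENT_BASE_URL=http://%s:%s/v1/' "$ip" "$port"
    printf ' -p 80:80 -p 443:443 %s\n' "$image"
}

# run_on_node NODE_IP IMAGE [PORT]
# Checks that the host looks like an enrolled Nitro node, then runs the command.
run_on_node() {
    cmd=$(build_run_cmd "$@") || return 1
    [ -d /run/nitro_enclaves ] || {
        echo "/run/nitro_enclaves missing: is the Nitro node agent installed and running?" >&2
        return 1
    }
    command -v docker >/dev/null || { echo "docker not installed (sudo apt install docker.io)" >&2; return 1; }
    echo "+ $cmd" >&2
    sudo sh -c "$cmd"
}

# Usage: ./run-on-node.sh NODE_IP IMAGE [PORT]
if [ $# -ge 2 ]; then
    run_on_node "$@"
fi
```

The wrapper prints the exact command it is about to run, which is worth keeping in your change records alongside the image digest and the approved enclave hash.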

4.0 Where to go from here

Congratulations, you have just deployed your first confidential computing application using the Fortanix Confidential Computing Manager! To explore more features of Fortanix CCM, refer to the other Fortanix CCM guides.

For quick support, please join our Slack community: https://fortanix.com/community Channel: #enclavemanager