Quickstart Guide

  • Last updated:
  • access_time Reading time:

Introduction

Fortanix Confidential Computing Manager (CCM) enables an application to run in a confidential environment. The solution orchestrates critical security policies such as identity verification, data access control, and code attestation for enclaves that are required for confidential computing. 

This quick-start guide will help you get started. For a detailed user guide refer to https://support.fortanix.com/hc/en-us/sections/360008695591-User-Guide 

Prerequisites: Getting Started Video: 

  • A private Docker registry to push converted application image(s)
  • An Azure Portal subscription account

Step 1: Signup and Log in to Fortanix Confidential Computing Manager

  •  Visit https://em.fortanix.com/ and signup.
  • After your account is approved by the administrator, log in by entering your email id and password.

CCM_5.png

Figure 1: Logging in
 

Step 2: Create and Select an Account

  • Once you sign up and log in, you will be taken to the Accounts page. Click ADD ACCOUNT to create a new account. 
  • Enter a name for the new account and optionally add a custom logo for the account. Click CREATE ACCOUNT to complete the account creation.

CCM_79.png

Figure 2: Create an account
 
  • Once the account is created, click SELECT to select the newly created account. Click GO TO ACCOUNT to enter the account and start enrolling the compute nodes and creating applications.

CCM_80.png

Figure 3: Select an account
 

Step 3: Add an Application - Example : Flask Server

  • Click the + APPLICATION button to add an application. In this example, let us add a Flask Server Enclave OS application.

CCM_14.png

Figure 4: Create an application
 
  • Click the ADD button for the Enclave OS Application.

Refer to Application and Compute Node Policy Enforcement before adding an Application.

NOTE
This quickstart guide covers adding Enclave OS application, Please refer this link for EDP application: https://support.fortanix.com/hc/en-us/articles/360044746932-Bringing-EDP-Rust-Apps-to-Confidential-Computing-Manager

EOS1.png

Fill in the relevant details as shown below and click NEXT. You can use Fortanix's docker registry for the sample app. 

CCM_15.pngAppCreateNew_Quickstart1.png

Figure 5: Configure an application
 

For more details refer to https://support.fortanix.com/hc/en-us/articles/360043527431-User-s-Guide-Add-and-Edit-an-Application#AddEnclaveOSApplication 

Step 4: Create an Image

  • A Fortanix CCM Image is a particular software release or a version of an application. Each image is associated with one enclave hash (MRENCLAVE).
  • Once you create an Enclave OS application and click NEXT , you will see the Add image page where you have to configure the image of the Enclave OS application. Click the + IMAGES button to create an image.

CCM_22.png

Figure 6: Create an image
 
  • Enter the REGISTRY CREDENTIALS for  Output image name. The Registry Credentials are the credentials to access the private docker registry where the image will be pushed. Also, provide the image tag. 
    • If you have added a registry in a particular account using the Settings page of Fortanix CCM, then the check box Use saved credentials will be selected by default and the registry names for input image and output image will be filled automatically for the Add Registry Credentials fields.
        CCM_23.png                                                            Figure 7: Add saved registry credentials  
       
    • If you have not saved any Registry Credentials in the Settings page of Fortanix CCM, then manually enter the registry credentials for the Input image name and Output image name. If the private docker registry is the same for the input image and the output image, then select the check box Use same credential as input image registry in the Output image name.
        CCM_24.png                                                            Figure 8: Add registry credentials manually
       
  • Click CREATE to proceed.

For more details refer to the URLs below:

- To add multiple image registries: https://support.fortanix.com/hc/en-us/articles/360048967971-User-s-Guide-Image-Registry
- To create an EOS application image: https://support.fortanix.com/hc/en-us/articles/360043529411-User-s-Guide-Create-an-Image#CreateanImageforEnclaveOSApplications 

Step 5: Domain and Image Approval

  • An application whose domain is approved will get a TLS Certificate from Fortanix CCM. Similarly, when an application runs from the converted image, the application will try to contact Fortanix CCM and ask for a TLS Certificate.
  • On the Tasks Tab, approve the pending requests to approve the domain and image.

CCM_81.png

Figure 9: Approve the domain and Image
 

Step 6: Enroll Compute Node Agent

  • In the Management Console, click the + ENROLL NODE button
  • Click GENERATE TOKEN to generate the Join Token. This Join Token is used by the compute node to authenticate itself.

CNode3.png

                       Figure 10: Copy the generated Join Token
 

NOTE
Alternatively, you can also download the latest node agent from https://support.fortanix.com/hc/en-us/articles/360043407012-Fortanix-Node-Agent

azure_3.png

                                                             Figure 11: Create node agent in Azure
 

  • Fill the information as given below to spin up the node agent on Azure. Paste the Token generated earlier on the "Join Token" field on the Azure portal.
    NOTE
    Fortanix CCM service is currently available in  (US) East US(UK) South UK,  or Central Canada regions only.

CCM_60.png

                              Figure 12: Configure the node agent 
 

CCM_58.png

                                         Figure 13: Configuring the node agent 
 

  • Once the node agent is created, the compute node will be enrolled in Fortanix CCM, you will see it under the Compute Nodes overview table.

CCM_55.png

Figure 14: Node enrolled
 
  • Add Labels for the node. To control which applications can run on which nodes, we add Labels for applications and nodes in the form of “Key:Value” pairs. The attached labels of an application and node will be compared and if all the application labels match with the node labels then the application will run successfully on the node. 

    CCM_56.png

    Figure 15: Add node labels
     

For more details refer to https://support.fortanix.com/hc/en-us/articles/360043085652-User-s-Guide-Compute-Nodes

Step 7: Run the application image on the Compute Node

  • Run this application image on the node by using the following command:

For this example Application, the command would be

sudo docker run --device /dev/isgx:/dev/isgx --device /dev/gsgx:/dev/gsgx -v /var/run/aesmd/aesm.socket:/var/run/aesmd/aesm.socket -e NODE_AGENT_BASE_URL=http://52.152.206.164:9092/v1/ fortanix-private/python-flask-sgx

Where,

  • 9092 is the port on which Node Agent listens up

  • 52.152.206.164 is the Node Agent Host IP

  • fortanix-private/python-flask-sgx is the converted app that can be found in the Images tab under Image Name column in the Images table.

mceclip5.png

NOTE
  • Please use your own inputs for Node IP, Port, and Converted Image in the above format. The information in the example above is just a sample.

For quick support, please join our slack community: https://fortanix.com/community/
Channel: #enclavemanager