Configuring Fortanix Confidential Computing Manager (CCM) using CCM-CLI
This configuration procedure is illustrated with ccm-cli, an open-source CLI application that can be installed using the following command:
cargo install ccm-cli
The ccm-cli source is available on GitHub: https://github.com/fortanix/ccm-client-rust
- Log in to Fortanix CCM.
ccm-cli user login https://ccm.fortanix.com email password
Logged in.
- List the accounts.
ccm-cli account list
{
"items": [
{
"name": "test1",
"acct_id": "a1778656-c417-4ac2-8d47-619376e8662d",
"created_at": 1591960977000,
"roles": [
"MANAGER"
],
"status": "ACTIVE"
},
{
"name": "account",
"acct_id": "d58a3556-9a72-44e2-b6b1-ec9dff736ef9",
"created_at": 1591642064000,
"roles": [
"MANAGER"
],
"status": "ACTIVE"
}
]
}
- Create an account if not already present.
ccm-cli account create test3
{
"name": "test3",
"acct_id": "d8d65623-c563-485a-ae34-749902557565",
"created_at": 1592565979000,
"roles": [
"MANAGER"
],
"status": "ACTIVE"
}
- Select an account.
The UUID is one of the 'acct_id' values from the output returned in step 1 or step 2 above. For example:
ccm-cli account select a1778656-c417-4ac2-8d47-619376e8662d
Account selected.
- Create an application (if not already present).
ccm-cli app create "app_name" 0 0 example.org
{
"allowed_domains": [
"example.org"
],
"app_id": "353983f3-a3eb-4461-b892-498fa45a5176",
"created_at": 1592146487000,
"domains_added": [
"example.org"
],
"domains_removed": [],
"input_image_name": "unused",
"isvprodid": 0,
"isvsvn": 0,
"mem_size": 262144,
"name": "app_name",
"nodes": [],
"output_image_name": "unused",
"pending_domain_whitelist_tasks": 0,
"threads": 1,
"updated_at": 1592146487000,
"whitelisted_domains": []
}
OR list the applications:
ccm-cli app list
...
{
"created_at": 1591961035000,
"updated_at": 1591961035000,
"name": "Application",
"app_id": "d12455fe-e678-4111-a4be-297fa187b90a",
"input_image_name": "Input-Image",
"output_image_name": "Output-Image",
"isvprodid": 0,
"isvsvn": 0,
"mem_size": 40960,
"threads": 1,
"allowed_domains": [],
"whitelisted_domains": [],
"nodes": [],
"pending_domain_whitelist_tasks": 0,
"domains_added": [],
"domains_removed": []
}
...
- Create an image of the application.
ccm-cli build create d12455fe-e678-4111-a4be-297fa187b90a ./sigstruct.bin
{
"build_id": "90a43ded-6934-4a1d-8757-ec20e90b02e5",
"created_at": 1592147616000,
"updated_at": 1592147616000,
"app_id": "d12455fe-e678-4111-a4be-297fa187b90a",
"app_name": "Application",
"status": {
"status": "PENDING",
"status_updated_at": 1592147616000
},
"deployment_status": {
"status": "UNDEPLOYED",
"status_updated_at": 1592147616000
},
"enclave_info": {
"mrenclave": "c8a20a113fab3ed23c42bd44ed67ddec1adecc00452f4444ca5822821c09c839",
"mrsigner": "ead6b106311614ab8cf26606e2583b61be82a43109e14d4fc91609286a58ab10",
"isvprodid": 0,
"isvsvn": 0
},
"build_name": "Application-image"
}
- Approve tasks:
Two tasks need to be approved: one for the image and one for the domain. Once both are approved, the application may get the certificates for the given domain.
- Find the build whitelist task:
export build_id=160b771a-4260-4194-af5c-5c8d059e7c11
ccm-cli task list | jq -r ".items[] | select(.entity_id==\"$build_id\" and .task_type==\"BUILD_WHITELIST\")"
{
"task_id": "a960d9cb-83ac-4890-b7f8-efe5d6281a32",
"requester_info": {
"user_id": "1a99975f-6c01-42d5-89e4-f97b858461e6",
"user_name": "1 1",
"requester_type": "USER"
},
"entity_id": "160b771a-4260-4194-af5c-5c8d059e7c11",
"task_type": "BUILD_WHITELIST",
"status": {
"created_at": 1592147456000,
"status_updated_at": 1592147456000,
"status": "INPROGRESS"
},
"description": "Build Whitelist for app: Application",
"approvals": []
}
- Find the domain whitelist task.
ccm-cli task list | jq -r ".items[] | select(.task_type==\"DOMAIN_WHITELIST\" and .domains_added==[\"example.org\"])"
{
"task_id": "bd6d506d-2032-4d04-bbc3-138a662c3b23",
"requester_info": {
"user_id": "1a99975f-6c01-42d5-89e4-f97b858461e6",
"user_name": "1 1",
"requester_type": "USER"
},
"entity_id": "87661bb5-1706-422e-96d5-cd48fd0992a4",
"task_type": "DOMAIN_WHITELIST",
"status": {
"created_at": 1592146699000,
"status_updated_at": 1592146699000,
"status": "INPROGRESS"
},
"description": "Domain Whitelist for app: app_name3, domains added - example.org, domains removed - ",
"approvals": [],
"domains_added": [
"example.org"
],
"domains_removed": []
}
- Approve the tasks using the task UUID in step a and step b above.
ccm-cli task update bd6d506d-2032-4d04-bbc3-138a662c3b23 approved
{
"task_id": "bd6d506d-2032-4d04-bbc3-138a662c3b23",
"task_type": "DOMAIN_WHITELIST",
"task_status": {
"created_at": 1592146699000,
"status_updated_at": 1592146699000,
"status": "SUCCESS"
}
}
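A pre-approval check for the two tasks above, as an added example that is not part of the original page or of ccm-cli. It assumes the JSON shapes shown in the output on this page and that the expected MRENCLAVE and MRSIGNER are known from your own signing step; the function name, IDs and measurements below are constructed.

```python
import json

def tasks_to_approve(build, task_list, want_mrenclave, want_mrsigner, want_domains):
    """Return the task_ids that match what the operator intends to whitelist."""
    info = build["enclave_info"]
    # Refuse outright if CCM registered measurements other than the expected ones.
    if info["mrenclave"].lower() != want_mrenclave.lower():
        raise ValueError("MRENCLAVE mismatch for build " + build["build_id"])
    if info["mrsigner"].lower() != want_mrsigner.lower():
        raise ValueError("MRSIGNER mismatch for build " + build["build_id"])
    selected = []
    for task in task_list["items"]:
        if task["status"]["status"] != "INPROGRESS":
            continue  # already decided, nothing left to approve
        if task["task_type"] == "BUILD_WHITELIST":
            # Only the task that refers to the build that was just verified.
            if task["entity_id"] == build["build_id"]:
                selected.append(task["task_id"])
        elif task["task_type"] == "DOMAIN_WHITELIST":
            added = set(task.get("domains_added", []))
            # Every requested domain must be one the operator expects.
            if added and added <= set(want_domains):
                selected.append(task["task_id"])
    return selected

# Constructed sample data shaped like the `build create` and `task list` output.
MRE, MRS = "ab" * 32, "cd" * 32
BUILD = {"build_id": "build-1", "enclave_info": {"mrenclave": MRE, "mrsigner": MRS}}
TASKS = {"items": [
    {"task_id": "t-build", "entity_id": "build-1", "task_type": "BUILD_WHITELIST",
     "status": {"status": "INPROGRESS"}},
    {"task_id": "t-other-build", "entity_id": "build-2", "task_type": "BUILD_WHITELIST",
     "status": {"status": "INPROGRESS"}},
    {"task_id": "t-domain", "entity_id": "e-1", "task_type": "DOMAIN_WHITELIST",
     "status": {"status": "INPROGRESS"}, "domains_added": ["example.org"]},
    {"task_id": "t-extra-domain", "entity_id": "e-2", "task_type": "DOMAIN_WHITELIST",
     "status": {"status": "INPROGRESS"},
     "domains_added": ["example.org", "unexpected.example"]},
    {"task_id": "t-done", "entity_id": "build-1", "task_type": "BUILD_WHITELIST",
     "status": {"status": "SUCCESS"}},
]}

if __name__ == "__main__":
    print(json.dumps(tasks_to_approve(BUILD, TASKS, MRE, MRS, ["example.org"])))
```

Only the IDs this returns would then be passed to `ccm-cli task update <task_id> approved`.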