Using CCM-CLI with Fortanix Confidential Computing Manager

Configuring Fortanix Confidential Computing Manager (CCM) using CCM-CLI

The following configuration method is explained with an example that uses an open-source CLI application that can be installed using the following command:

cargo install em-cli 

The Github open source link for ccm-cli is: https://github.com/fortanix/em-client-rust

1. Log in to Fortanix CCM.

   em-cli user login https://ccm.fortanix.com email password
   Logged in.

2. List the accounts.

   em-cli account list
   {
     "items": [
       {
         "name": "test1",
         "acct_id": "a1778656-c417-4ac2-8d47-619376e8662d",
         "created_at": 1591960977000,
         "roles": [
           "MANAGER"
         ],
         "status": "ACTIVE"
       },
       {
         "name": "account",
         "acct_id": "d58a3556-9a72-44e2-b6b1-ec9dff736ef9",
         "created_at": 1591642064000,
         "roles": [
           "MANAGER"
         ],
         "status": "ACTIVE"
       }
     ]
   }

3. Create an account if not already present.
   

   em-cli account create test3
   {
     "name": "test3",
     "acct_id": "d8d65623-c563-485a-ae34-749902557565",
     "created_at": 1592565979000,
     "roles": [
       "MANAGER"
     ],
     "status": "ACTIVE"
   }

4. Select an account.
   The UUID is one of the 'acct_id' from the output returned in step 1 or step 2 above. For example:
   

   em-cli account select a1778656-c417-4ac2-8d47-619376e8662d
   Account selected.

5. Create an application (if not already present).
   

   em-cli app create "app_name" 0 0 example.org
   {
       "allowed_domains": [
           "example.org"
       ],
       "app_id": "353983f3-a3eb-4461-b892-498fa45a5176",
       "created_at": 1592146487000,
       "domains_added": [
           "example.org"
       ],
       "domains_removed": [],
       "input_image_name": "unused",
       "isvprodid": 0,
       "isvsvn": 0,
       "mem_size": 262144,
       "name": "app_name",
       "nodes": [],
       "output_image_name": "unused",
       "pending_domain_whitelist_tasks": 0,
       "threads": 1,
       "updated_at": 1592146487000,
       "whitelisted_domains": []
   }

   OR
   List Applications

   em-cli app list
   ...
       {
         "created_at": 1591961035000,
         "updated_at": 1591961035000,
         "name": "Application",
         "app_id": "d12455fe-e678-4111-a4be-297fa187b90a",
         "input_image_name": "Input-Image",
         "output_image_name": "Output-Image",
         "isvprodid": 0,
         "isvsvn": 0,
         "mem_size": 40960,
         "threads": 1,
         "allowed_domains": [],
         "whitelisted_domains": [],
         "nodes": [],
         "pending_domain_whitelist_tasks": 0,
         "domains_added": [],
         "domains_removed": []
       }
   ...

6. Create an image of the application.

   em-cli build create d12455fe-e678-4111-a4be-297fa187b90a ./sigstruct.bin 
   {
     "build_id": "90a43ded-6934-4a1d-8757-ec20e90b02e5",
     "created_at": 1592147616000,
     "updated_at": 1592147616000,
     "app_id": "d12455fe-e678-4111-a4be-297fa187b90a",
     "app_name": "Application",
     "status": {
       "status": "PENDING",
       "status_updated_at": 1592147616000
     },
     "deployment_status": {
       "status": "UNDEPLOYED",
       "status_updated_at": 1592147616000
     },
     "enclave_info": {
       "mrenclave": "c8a20a113fab3ed23c42bd44ed67ddec1adecc00452f4444ca5822821c09c839",
       "mrsigner": "ead6b106311614ab8cf26606e2583b61be82a43109e14d4fc91609286a58ab10",
       "isvprodid": 0,
       "isvsvn": 0
     },
     "build_name": "Application-image"
   }

7. Approve tasks:
   

   There are two tasks that need to be approved - one for the image and one for the domain. Once both are approved, the application may get the certificates for the given domain.

   1. Find the build whitelist task:

      export build_id=160b771a-4260-4194-af5c-5c8d059e7c11
      em-cli task list | jq -r ".items[] | select(.entity_id==\"$build_id\" and .task_type==\"BUILD_WHITELIST\")"
      {
        "task_id": "a960d9cb-83ac-4890-b7f8-efe5d6281a32",
        "requester_info": {
          "user_id": "1a99975f-6c01-42d5-89e4-f97b858461e6",
          "user_name": "1 1",
          "requester_type": "USER"
        },
        "entity_id": "160b771a-4260-4194-af5c-5c8d059e7c11",
        "task_type": "BUILD_WHITELIST",
        "status": {
          "created_at": 1592147456000,
          "status_updated_at": 1592147456000,
          "status": "INPROGRESS"
        },
        "description": "Build Whitelist for app: Application",
        "approvals": []
      }

   2. Find the domain whitelist task.
      

      em-cli task list | jq -r ".items[] | select(.task_type==\"DOMAIN_WHITELIST\" and .domains_added==[\"example.org\"])"
      {
        "task_id": "bd6d506d-2032-4d04-bbc3-138a662c3b23",
        "requester_info": {
          "user_id": "1a99975f-6c01-42d5-89e4-f97b858461e6",
          "user_name": "1 1",
          "requester_type": "USER"
        },
        "entity_id": "87661bb5-1706-422e-96d5-cd48fd0992a4",
        "task_type": "DOMAIN_WHITELIST",
        "status": {
          "created_at": 1592146699000,
          "status_updated_at": 1592146699000,
          "status": "INPROGRESS"
        },
        "description": "Domain Whitelist for app: app_name3, domains added - example.org, domains removed - ",
        "approvals": [],
        "domains_added": [
          "example.org"
        ],
        "domains_removed": []
      }

   3. Approve the tasks using the task UUID in step a and step b above

      em-cli task update bd6d506d-2032-4d04-bbc3-138a662c3b23 approved
      {
        "task_id": "bd6d506d-2032-4d04-bbc3-138a662c3b23",
        "task_type": "DOMAIN_WHITELIST",
        "task_status": {
          "created_at": 1592146699000,
          "status_updated_at": 1592146699000,
          "status": "SUCCESS"
        }
      }