Using CCM-CLI with Fortanix Confidential Computing Manager

Configuring Fortanix Confidential Computing Manager (CCM) using CCM-CLI

The following configuration method is explained with an example that uses an open-source CLI application that can be installed using the following command:

cargo install em-cli 

The Github open source link for ccm-cli is: https://github.com/fortanix/em-client-rust

  1. Log in to Fortanix CCM.
    em-cli user login https://ccm.fortanix.com email password
    Logged in.
  2. List the accounts.
    em-cli account list
    {
    "items": [
    {
    "name": "test1",
    "acct_id": "a1778656-c417-4ac2-8d47-619376e8662d",
    "created_at": 1591960977000,
    "roles": [
    "MANAGER"
    ],
    "status": "ACTIVE"
    },
    {
    "name": "account",
    "acct_id": "d58a3556-9a72-44e2-b6b1-ec9dff736ef9",
    "created_at": 1591642064000,
    "roles": [
    "MANAGER"
    ],
    "status": "ACTIVE"
    }
    ]
    }
  3. Create an account if not already present.
    em-cli account create test3
    {
    "name": "test3",
    "acct_id": "d8d65623-c563-485a-ae34-749902557565",
    "created_at": 1592565979000,
    "roles": [
    "MANAGER"
    ],
    "status": "ACTIVE"
    }
  4. Select an account.
    The UUID is one of the 'acct_id' from the output returned in step 1 or step 2 above. For example:
    em-cli account select a1778656-c417-4ac2-8d47-619376e8662d
    Account selected.
  5. Create an application (if not already present).
    em-cli app create "app_name" 0 0 example.org
    {
    "allowed_domains": [
    "example.org"
    ],
    "app_id": "353983f3-a3eb-4461-b892-498fa45a5176",
    "created_at": 1592146487000,
    "domains_added": [
    "example.org"
    ],
    "domains_removed": [],
    "input_image_name": "unused",
    "isvprodid": 0,
    "isvsvn": 0,
    "mem_size": 262144,
    "name": "app_name",
    "nodes": [],
    "output_image_name": "unused",
    "pending_domain_whitelist_tasks": 0,
    "threads": 1,
    "updated_at": 1592146487000,
    "whitelisted_domains": []
    }
    OR
    List Applications
    em-cli app list
    ...
    {
    "created_at": 1591961035000,
    "updated_at": 1591961035000,
    "name": "Application",
    "app_id": "d12455fe-e678-4111-a4be-297fa187b90a",
    "input_image_name": "Input-Image",
    "output_image_name": "Output-Image",
    "isvprodid": 0,
    "isvsvn": 0,
    "mem_size": 40960,
    "threads": 1,
    "allowed_domains": [],
    "whitelisted_domains": [],
    "nodes": [],
    "pending_domain_whitelist_tasks": 0,
    "domains_added": [],
    "domains_removed": []
    }
    ...
  6. Create an image of the application.
    em-cli build create d12455fe-e678-4111-a4be-297fa187b90a ./sigstruct.bin 
    {
    "build_id": "90a43ded-6934-4a1d-8757-ec20e90b02e5",
    "created_at": 1592147616000,
    "updated_at": 1592147616000,
    "app_id": "d12455fe-e678-4111-a4be-297fa187b90a",
    "app_name": "Application",
    "status": {
    "status": "PENDING",
    "status_updated_at": 1592147616000
    },
    "deployment_status": {
    "status": "UNDEPLOYED",
    "status_updated_at": 1592147616000
    },
    "enclave_info": {
    "mrenclave": "c8a20a113fab3ed23c42bd44ed67ddec1adecc00452f4444ca5822821c09c839",
    "mrsigner": "ead6b106311614ab8cf26606e2583b61be82a43109e14d4fc91609286a58ab10",
    "isvprodid": 0,
    "isvsvn": 0
    },
    "build_name": "Application-image"
    }
  7. Approve tasks:

    There are two tasks that need to be approved - one for the image and one for the domain. Once both are approved, the application may get the certificates for the given domain.

    1. Find the build whitelist task:
      export build_id=160b771a-4260-4194-af5c-5c8d059e7c11
      em-cli task list | jq -r ".items[] | select(.entity_id==\"$build_id\" and .task_type==\"BUILD_WHITELIST\")"
      {
      "task_id": "a960d9cb-83ac-4890-b7f8-efe5d6281a32",
      "requester_info": {
      "user_id": "1a99975f-6c01-42d5-89e4-f97b858461e6",
      "user_name": "1 1",
      "requester_type": "USER"
      },
      "entity_id": "160b771a-4260-4194-af5c-5c8d059e7c11",
      "task_type": "BUILD_WHITELIST",
      "status": {
      "created_at": 1592147456000,
      "status_updated_at": 1592147456000,
      "status": "INPROGRESS"
      },
      "description": "Build Whitelist for app: Application",
      "approvals": []
      }
    2. Find the domain whitelist task.
      em-cli task list | jq -r ".items[] | select(.task_type==\"DOMAIN_WHITELIST\" and .domains_added==[\"example.org\"])"
      {
      "task_id": "bd6d506d-2032-4d04-bbc3-138a662c3b23",
      "requester_info": {
      "user_id": "1a99975f-6c01-42d5-89e4-f97b858461e6",
      "user_name": "1 1",
      "requester_type": "USER"
      },
      "entity_id": "87661bb5-1706-422e-96d5-cd48fd0992a4",
      "task_type": "DOMAIN_WHITELIST",
      "status": {
      "created_at": 1592146699000,
      "status_updated_at": 1592146699000,
      "status": "INPROGRESS"
      },
      "description": "Domain Whitelist for app: app_name3, domains added - example.org, domains removed - ",
      "approvals": [],
      "domains_added": [
      "example.org"
      ],
      "domains_removed": []
      }
    3. Approve the tasks using the task UUID in step a and step b above
      em-cli task update bd6d506d-2032-4d04-bbc3-138a662c3b23 approved
      {
      "task_id": "bd6d506d-2032-4d04-bbc3-138a662c3b23",
      "task_type": "DOMAIN_WHITELIST",
      "task_status": {
      "created_at": 1592146699000,
      "status_updated_at": 1592146699000,
      "status": "SUCCESS"
      }
      }

       

Was this article helpful?
0 out of 0 found this helpful