Using CCM-CURL APIs with Fortanix Confidential Computing Manager

Configuring Fortanix Confidential Computing Manager (CCM) Using CCM-CURL APIs

The following configuration method is explained using an example.

  1. Log in to Fortanix CCM.
    basic_token=`echo -n 'email:password' | base64 -w 0`
    curl -fsS -H "Content-Type: application/json" -H "Authorization: Basic $basic_token" -d '' "https://ccm.fortanix.com/v1/sys/auth"
    {"access_token":"Hq0kg0Qr5IeSXdkevCanGLmqmIfaFKdTh1H4JNSCz7d9thv_XbZC4t3DH2U266E4iPGRvY821aOR0f8a7KqiWw"}
    Store the value of access_token in the shell variable token; the following steps send it as "Bearer $token".
     
  2. List the accounts.
    curl -fsS -X GET -H "Content-Type: application/json" -H "Authorization: Bearer $token" -d '' "https://ccm.fortanix.com/v1/accounts" | python -m json.tool
    {
    "items": [
    {
    "acct_id": "a1778656-c417-4ac2-8d47-619376e8662d",
    "created_at": 1591960977000,
    "name": "test1",
    "roles": [
    "MANAGER"
    ],
    "status": "ACTIVE"
    },
    {
    "acct_id": "d58a3556-9a72-44e2-b6b1-ec9dff736ef9",
    "created_at": 1591642064000,
    "name": "account",
    "roles": [
    "MANAGER"
    ],
    "status": "ACTIVE"
    }
    ]
    }
  3. Create an account if not already present.
    curl -fsS -X POST -H "Content-Type: application/json" -H "Authorization: Bearer $token" -d '{ "name": "account name", "custom_logo": "" }' "https://ccm.fortanix.com/v1/accounts" | python -m json.tool
    {
    "acct_id": "be409247-fbef-4d43-824d-b2a86aed8ea2",
    "created_at": 1592566201000,
    "custom_logo": "",
    "name": "account name",
    "roles": [
    "MANAGER"
    ],
    "status": "ACTIVE"
    }
  4. Select an account.
    The UUID in the URL is one of the 'acct_id' values from the output returned in step 2 or step 3 above.
    curl -fsS -X POST -H "Content-Type: application/json" -H "Authorization: Bearer $token" -d '' "https://ccm.fortanix.com/v1/accounts/select_account/a1778656-c417-4ac2-8d47-619376e8662d"
  5. Create an application (if not already present).
    curl -v -fsS -X POST -H "Content-Type: application/json" -H "Authorization: Bearer $token" -d '{ "name": "app_name", "input_image_name": "EDP ENCLAVE APP - 5f42a1ee280cf158490a8", "output_image_name": "EDP ENCLAVE APP - 5f42a1ee280cf158490a8", "isvprodid": 0, "isvsvn": 0, "mem_size": 1024, "threads": 128, "allowed_domains": [ "example.org" ]}' "https://ccm.fortanix.com/v1/apps" | python -m json.tool
    {
    "allowed_domains": [
    "example.org"
    ],
    "app_id": "353983f3-a3eb-4461-b892-498fa45a5176",
    "created_at": 1592146487000,
    "domains_added": [
    "example.org"
    ],
    "domains_removed": [],
    "input_image_name": "EDP ENCLAVE APP - 5f42a1ee280cf158490a8",
    "isvprodid": 0,
    "isvsvn": 0,
    "mem_size": 1024,
    "name": "app_name",
    "nodes": [],
    "output_image_name": "EDP ENCLAVE APP - 5f42a1ee280cf158490a8",
    "pending_domain_whitelist_tasks": 0,
    "threads": 128,
    "updated_at": 1592146487000,
    "whitelisted_domains": []
    }
    NOTE
    • Image name convention for EDP apps is: "EDP ENCLAVE APP - 5f42a1ee280cf158490a8".
    • mem_size and threads are not used but must be specified.
    OR
    List the Applications:
    curl -v -fsS -X GET -H "Content-Type: application/json" -H "Authorization: Bearer $token" -d '' "https://ccm.fortanix.com/v1/apps" | python -m json.tool
    ...
    {
    "allowed_domains": [],
    "app_id": "d12455fe-e678-4111-a4be-297fa187b90a",
    "created_at": 1591961035000,
    "domains_added": [],
    "domains_removed": [],
    "input_image_name": "Input-Image",
    "isvprodid": 0,
    "isvsvn": 0,
    "mem_size": 40960,
    "name": "Application",
    "nodes": [],
    "output_image_name": "Output-Image",
    "pending_domain_whitelist_tasks": 0,
    "threads": 1,
    "updated_at": 1591961035000,
    "whitelisted_domains": []
    }
    ...
    And use one of the existing applications.
  6. To get the SIGSTRUCT data, see the article Decoding SIGSTRUCT.
    It yields the values "mrenclave", "mrsigner", "isvsvn", and "isvprodid".
  7. Create an image of the application.
    curl -fsS -X POST -H "Content-Type: application/json" -H "Authorization: Bearer $token" -d '{"app_id":"d12455fe-e678-4111-a4be-297fa187b90a","mrenclave":"2c146ec51e1a8ba5f5f42a1ee280cf158490a83a922cbf93d7515c91d60b3400","mrsigner":"6854f0e10ac2369354e6193a20ce7221d4ee99d9cb93c8a97b85862309580e00","isvprodid":1,"isvsvn":1}' "https://ccm.fortanix.com/v1/builds" | python -m json.tool
    {
    "app_id": "d12455fe-e678-4111-a4be-297fa187b90a",
    "app_name": "Application",
    "build_id": "160b771a-4260-4194-af5c-5c8d059e7c11",
    "build_name": "Application-image",
    "created_at": 1592147456000,
    "deployment_status": {
    "status": "UNDEPLOYED",
    "status_updated_at": 1592147456000
    },
    "enclave_info": {
    "isvprodid": 1,
    "isvsvn": 1,
    "mrenclave": "2c146ec51e1a8ba5f5f42a1ee280cf158490a83a922cbf93d7515c91d60b3400",
    "mrsigner": "6854f0e10ac2369354e6193a20ce7221d4ee99d9cb93c8a97b85862309580e00"
    },
    "status": {
    "status": "PENDING",
    "status_updated_at": 1592147456000
    },
    "updated_at": 1592147456000
    }
  8. Approve tasks:

    There are two tasks that need to be approved - one for the image and one for the domain. Once both are approved, the application may get the certificates for the given domain.

    1. Find the build whitelist task:
      export build_id=160b771a-4260-4194-af5c-5c8d059e7c11
      curl -fsS -X GET -H "Content-Type: application/json" -H "Authorization: Bearer $token" -d '' "https://ccm.fortanix.com/v1/tasks" | jq -r ".items[] | select(.entity_id==\"$build_id\" and .task_type==\"BUILD_WHITELIST\")"
      {
      "task_id": "a960d9cb-83ac-4890-b7f8-efe5d6281a32",
      "requester_info": {
      "user_id": "1a99975f-6c01-42d5-89e4-f97b858461e6",
      "user_name": "1 1",
      "requester_type": "USER"
      },
      "entity_id": "160b771a-4260-4194-af5c-5c8d059e7c11",
      "task_type": "BUILD_WHITELIST",
      "status": {
      "created_at": 1592147456000,
      "status_updated_at": 1592147456000,
      "status": "INPROGRESS"
      },
      "description": "Build Whitelist for app: Application",
      "approvals": []
      }
    2. Find the domain whitelist task.
      curl -fsS -X GET -H "Content-Type: application/json" -H "Authorization: Bearer $token" -d '' "https://ccm.fortanix.com/v1/tasks" | jq -r ".items[] | select(.task_type==\"DOMAIN_WHITELIST\")"
      {
      "task_id": "2d217e13-492f-43dc-b178-31fea217a0cf",
      "requester_info": {
      "user_id": "1a99975f-6c01-42d5-89e4-f97b858461e6",
      "user_name": "1 1",
      "requester_type": "USER"
      },
      "entity_id": "2d7abfea-84b0-40e8-8253-c65f079e4c13",
      "task_type": "DOMAIN_WHITELIST",
      "status": {
      "created_at": 1592146699000,
      "status_updated_at": 1592146699000,
      "status": "INPROGRESS"
      },
      "description": "Domain Whitelist for app: app_name5, domains added - example.org, domains removed - ",
      "approvals": [],
      "domains_added": [
      "example.org"
      ],
      "domains_removed": []
      }
    3. Approve each task using its task UUID from sub-steps 1 and 2 above.
      curl -fsS -X PATCH -H "Content-Type: application/json" -H "Authorization: Bearer $token" -d '{"status": "APPROVED"}' "https://ccm.fortanix.com/v1/tasks/2d217e13-492f-43dc-b178-31fea217a0cf" | python -m json.tool
      {
      "task_id": "2d217e13-492f-43dc-b178-31fea217a0cf",
      "task_status": {
      "created_at": 1592146699000,
      "status": "SUCCESS",
      "status_updated_at": 1592146699000
      },
      "task_type": "DOMAIN_WHITELIST"
      }
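
The following Python sketch of steps 1 and 8 is an added example, not Fortanix code: before approving, it checks that the build task refers to the build whose measurements equal the values decoded locally in step 6, and that the domain task only adds expected domains. The function names and sample dictionaries are constructed for illustration; the endpoints and field names are the ones shown in the outputs above.

```python
import base64, json, urllib.request

CCM = "https://ccm.fortanix.com/v1"  # base URL used throughout the page
KEYS = ("mrenclave", "mrsigner", "isvprodid", "isvsvn")

def call(method, path, auth, body=None):
    """Send one JSON request to CCM and return the decoded reply."""
    data = None if body is None else json.dumps(body).encode()
    req = urllib.request.Request(CCM + path, data=data, method=method, headers={
        "Content-Type": "application/json", "Authorization": auth})
    with urllib.request.urlopen(req) as resp:
        return json.loads(resp.read() or b"null")

def login(email, password):
    """Step 1: trade Basic credentials for the Bearer value used afterwards."""
    basic = base64.b64encode(f"{email}:{password}".encode()).decode()
    return "Bearer " + call("POST", "/sys/auth", "Basic " + basic)["access_token"]

def tasks_to_approve(tasks, build, expected, domains):
    """Step 8: ids of pending tasks whose content matches what is expected."""
    build_ok = all(build["enclave_info"].get(k) == expected[k] for k in KEYS)
    ids = []
    for t in tasks["items"]:
        kind, added = t["task_type"], set(t.get("domains_added", []))
        if kind == "BUILD_WHITELIST":
            ok = build_ok and t["entity_id"] == build["build_id"]
        else:
            ok = (kind == "DOMAIN_WHITELIST" and bool(added)
                  and added <= set(domains) and not t.get("domains_removed"))
        if ok and t["status"]["status"] == "INPROGRESS":
            ids.append(t["task_id"])
    return ids

def approve(auth, task_ids):
    """Step 8.3: PATCH each vetted task to APPROVED."""
    return [call("PATCH", "/tasks/" + i, auth, {"status": "APPROVED"}) for i in task_ids]

# Constructed sample, trimmed from the outputs shown in steps 7 and 8.
EXPECTED = {"mrenclave": "2c146ec51e1a8ba5f5f42a1ee280cf158490a83a922cbf93d7515c91d60b3400",
            "mrsigner": "6854f0e10ac2369354e6193a20ce7221d4ee99d9cb93c8a97b85862309580e00",
            "isvprodid": 1, "isvsvn": 1}
BUILD = {"build_id": "160b771a-4260-4194-af5c-5c8d059e7c11", "enclave_info": dict(EXPECTED)}
PENDING = {"status": "INPROGRESS"}
TASKS = {"items": [
    {"task_id": "a960d9cb-83ac-4890-b7f8-efe5d6281a32", "task_type": "BUILD_WHITELIST",
     "entity_id": BUILD["build_id"], "status": PENDING},
    {"task_id": "2d217e13-492f-43dc-b178-31fea217a0cf", "task_type": "DOMAIN_WHITELIST",
     "entity_id": "2d7abfea-84b0-40e8-8253-c65f079e4c13", "status": PENDING,
     "domains_added": ["example.org"], "domains_removed": []}]}
```

In a live run, `build` is the reply to the POST in step 7, `tasks` is the reply to GET /tasks, and `expected` holds the values decoded from the SIGSTRUCT on the build machine.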