To allow an SGX application to access outside services, we need the certificate authority (CA) public key.
Each account has its own certificate authority, so applications will have different parent CAs depending on their respective accounts.
How to obtain account CA public key
High-level steps include:
- Log in to Fortanix Confidential Computing Manager (CCM)
- List accounts
- Select account
- List zones
The certificate can be obtained using the CLI or curl.
1. Using CLI:
$ em-cli zone list | sed -e 's/\\n/\n/g'
[
{
"acct_id": "61c18b4b-3697-40e3-a066-4f94d759a16f",
"certificate": "-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
",
"zone_id": "30e627ad-7d2b-4bb8-9285-807197020338",
"name": "Default"
}
]
OR
2. Using curl:
$ curl -fsS -X GET -H "Content-Type: application/json" -H "Authorization: Bearer $token" -d '' "https://ccm.fortanix.com/v1/zones" | python -m json.tool | sed -e 's/\\n/\n/g'
[
{
"acct_id": "61c18b4b-3697-40e3-a066-4f94d759a16f",
"certificate": "-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
",
"name": "Default",
"zone_id": "30e627ad-7d2b-4bb8-9285-807197020338"
}
]
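The sed step in the commands above makes the output readable, but it puts literal newlines inside a JSON string, so it should be left out when the response is parsed by a program. The following is an added example, not Fortanix code: it picks the certificate for one account and zone out of the raw zone list JSON and computes a SHA-256 fingerprint that can be compared with what the external service shows after the certificate is pasted in. The function names, the sample account IDs and the placeholder certificate bytes are constructed for illustration.

```python
import base64
import hashlib
import json

PEM_HEADER = "-----BEGIN CERTIFICATE-----"
PEM_FOOTER = "-----END CERTIFICATE-----"


def select_zone_certificate(zones_json, acct_id, zone_name="Default"):
    """Return the PEM certificate of the single matching zone in one account."""
    zones = json.loads(zones_json)  # decodes the escaped \n inside the PEM string
    hits = [z for z in zones
            if z.get("acct_id") == acct_id and z.get("name") == zone_name]
    if len(hits) != 1:
        raise LookupError(f"{len(hits)} zones named {zone_name!r} in account {acct_id}")
    return hits[0]["certificate"].strip() + "\n"


def pem_to_der(pem):
    """Decode one PEM certificate; reject truncated or mangled copies."""
    lines = pem.strip().splitlines()
    if len(lines) < 3 or lines[0] != PEM_HEADER or lines[-1] != PEM_FOOTER:
        raise ValueError("expected exactly one PEM certificate")
    der = base64.b64decode("".join(lines[1:-1]), validate=True)
    if der[:1] != b"\x30":  # an X.509 certificate is a DER SEQUENCE
        raise ValueError("PEM body is not a DER SEQUENCE")
    return der


def sha256_fingerprint(pem):
    """Colon-separated SHA-256 of the DER bytes, for comparison after pasting."""
    digest = hashlib.sha256(pem_to_der(pem)).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


# Constructed sample response: placeholder DER bytes and account IDs, not real values.
SAMPLE_DER = b"\x30\x03\x02\x01\x01"
SAMPLE_PEM = f"{PEM_HEADER}\n{base64.b64encode(SAMPLE_DER).decode()}\n{PEM_FOOTER}\n"
ACCT_A = "00000000-0000-0000-0000-00000000000a"
ACCT_B = "00000000-0000-0000-0000-00000000000b"
SAMPLE_ZONES = json.dumps([
    {"acct_id": ACCT_A, "certificate": SAMPLE_PEM, "name": "Default"},
    {"acct_id": ACCT_B, "certificate": SAMPLE_PEM, "name": "Default"},
])

if __name__ == "__main__":
    pem = select_zone_certificate(SAMPLE_ZONES, ACCT_A)
    print(sha256_fingerprint(pem))
    print(pem, end="")
```

The fingerprint has the same form as the one printed by `openssl x509 -noout -fingerprint -sha256`, so either tool can be used for the comparison.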
How to configure external services
Services that support a 'Trusted CA', for example Fortanix Data Security Manager (DSM), can be configured by copying the certificate obtained in the section above into the service and configuring a 'Common Name'.
Figure 1: Adding trusted CA to Fortanix DSM