Introduction
In this example, we will create a simple Spring Server application using Tomcat that stores information in a Mysql DB. The MySQL DB and the Spring Server Application will both be run in SGX environments making use of Fortanix Confidential Computing Manager (CCM) and the Compute Node.
Spring Server Application
Authenticate to Fortanix CCM
Before you can issue any requests, you first need to authenticate to Fortanix CCM using the following commands:
cpath=$(mktemp -p "/tmp" -t "fortanix_ccm_cookie.XXXXX")
curl -u <username>:<password> -c $cpath -X POST https://ccm.fortanix.com/v1/sys/authGet all Accounts
After authenticating, get all the accounts present using the following command:
curl -b $cpath -c $cpath -H "X-CSRF-Header:true" https://ccm.fortanix.com/v1/accountsSelect the Account
Note the account_id of the account you want to select.
curl -b $cpath -c $cpath -H "X-CSRF-Header:true" -X POST https://ccm.fortanix.com/v1/sys/session/select_account/<account_id>Create an Application
Create a Spring Server application using the configuration provided in the app.json file below.
Create Application
curl -b $cpath -c $cpath -H "X-CSRF-Header:true" -H "Content-Type: application/json" -d @app.json -X POST https://ccm.fortanix.com/v1/appsCreate App.json Config File that Contains the Application Details
{
"name": "spring-mysql-db",
"description": "",
"input_image_name": "fortanix/spring-mysql-db",
"output_image_name": "/spring-mysql-db-converted",
"isvprodid": 1,
"isvsvn": 1,
"mem_size": 2048,
"threads": 80,
"advanced_settings": {
"rw_dirs":["/etc","/var/lib/_mysql","/var/lib/mysql","/tmp","/run/mysqld"],
"manifestEnv":["MALLOC_ARENA_MAX=1"],
}
}Create an Image
Create an image of the application.
curl -b $cpath -c $cpath -H "X-CSRF-Header:true" -H "Content-Type: application/json" -d @build.json -X POST https://ccm.fortanix.com/v1/builds/convert-appThe build.json is as below.
{
"app_id": <app_id>,
"docker_version": <tag>,
"inputAuthConfig":
{"username": <username>,
"password": <password>
},
"outputAuthConfig":
{"username": <username>,
"password": <password>
}
}This returns the output that shows the <task_id>(f0d815b6-9520-4ce4-b4f4-6a82a718bb7e in this example), among other information:
Finally, you can approve the image using it's <task_id> and the following command:
curl -b $cpath -c $cpath -H "X-CSRF-Header:true" -H "Content-Type: application/json" -d '{"status":"APPROVED"}' -X PATCH https://ccm.fortanix.com/v1/tasks/<task_id>The image is created and whitelisted.
Next, run the following command on a machine running the compute node to run the application.
Run the Application
If the node attestation type is Enhanced Privacy ID (EPID), use the command:
docker run -d -it --device /dev/isgx:/dev/isgx --device /dev/gsgx:/dev/gsgx -v /var/run/aesmd/aesm.socket:/var/run/aesmd/aesm.socket -e NODE_AGENT_BASE_URL=http://<node-agent-ip>:9092/v1/ --network=host <spring mysql converted image>If the node attestation type is Data Center Attestation Primitives (DCAP), use the command:
docker run -d -it --device /dev/sgx/enclave:/dev/sgx/enclave -e NODE_AGENT_BASE_URL=http://<node-agent-ip>:9092/v1/ --network=host <spring mysql converted image>Where,
<node-agent-ip>is the IP address of the compute node registered on Fortanix Confidential Computing Manager (CCM).9092is the port on which Compute Node listens on.converted-image-idis the converted app that can be found in the Images tab under Image Name column in the Images table.
- Please use your own inputs for Node IP, Port, and Converted Image in the above format. The information in the example above is just a sample.
Spring MySQL Application
Authenticate to Fortanix CCM
Before you can issue any requests, you first need to authenticate to Fortanix CCM using the following commands:
cpath=$(mktemp -p "/tmp" -t "fortanix_ccm_cookie.XXXXX")
curl -u <username>:<password> -c $cpath -X POST https://ccm.fortanix.com/v1/sys/authGet all Accounts
After authenticating, get all the accounts present using the following command
curl -b $cpath -c $cpath -H "X-CSRF-Header:true" https://ccm.fortanix.com/v1/accountsSelect the Account
Note the account_id of the account you want to select.
curl -b $cpath -c $cpath -H "X-CSRF-Header:true" -X POST https://ccm.fortanix.com/v1/sys/session/select_account/<account_id>Create an Application
Create a Spring MySQL application using the configuration provided in the app.json file below.
Create Application
curl -b $cpath -c $cpath -H "X-CSRF-Header:true" -H "Content-Type: application/json" -d @app.json -X POST https://ccm.fortanix.com/v1/appsCreate App.json Config File that Contains the Application Details
{
"name": "spring-mysql-app",
"description": "",
"input_image_name": "fortanix/spring-mysql-app",
"output_image_name": "/spring-mysql-app-converted",
"isvprodid": 1,
"isvsvn": 1,
"mem_size": 2048,
"threads": 80,
"advanced_settings": {
"java_runtime":"OPENJDK",
"rw_dirs":["/tmp","/etc","/usr/lib","/root/gs-accessing-data-mysql"],
}
}Create an Image
Create an image of the application.
curl -b $cpath -c $cpath -H "X-CSRF-Header:true" -H "Content-Type: application/json" -d @build.json -X POST https://ccm.fortanix.com/v1/builds/convert-appThe build.json is as below.
{
"app_id": <app_id>,
"docker_version": <tag>,
"inputAuthConfig":
{"username": <username>,
"password": <password>
},
"outputAuthConfig":
{"username": <username>,
"password": <password>
}
}This returns the output that shows the <task_id>(f0d815b6-9520-4ce4-b4f4-6a82a718bb7e in this example), among other information:
Finally, you can approve the image using it's <task_id> and the following command:
Approve the Image Whitelist Task
curl -b $cpath -c $cpath -H "X-CSRF-Header:true" -H "Content-Type: application/json" -d '{"status":"APPROVED"}' -X PATCH https://ccm.fortanix.com/v1/tasks/<task_id>The image is created and whitelisted.
Next, run the following command on a machine running the compute node to run the application.
Run the Application
If the node attestation type is Enhanced Privacy ID (EPID), use the command:
docker run -d -it --device /dev/isgx:/dev/isgx --device /dev/gsgx:/dev/gsgx -v /var/run/aesmd/aesm.socket:/var/run/aesmd/aesm.socket -e DB_URL=<URL-Of-MySQL-DB> -e NODE_AGENT_BASE_URL=http://<node agent ip>:9092/v1/ --network=host <converted spring app image>If the node attestation type is Data Center Attestation Primitives (DCAP), use the command:
docker run -d -it --device /dev/sgx/enclave:/dev/sgx/enclave -e DB_URL=<URL-Of-MySQL-DB> -e NODE_AGENT_BASE_URL=http://<node agent ip>:9092/v1/ --network=host <converted spring app image>Where,
<URL-Of-MySQL-DB>is the URL of the server on which the Spring MySQL converted application is running.<node-agent-ip>is the IP address of the compute node registered on Fortanix CCM.9092is the port on which Compute Node listens on.converted-image-idis the converted app that can be found in the Images tab under Image Name column in the Images table.
- Please use your own inputs for Node IP, Port, and Converted Image in the above format. The information in the example above is just a sample.
Once both the Spring Server application and Spring MySQL application are running, run the following commands to verify the functionality of TomCat.
- Enter some data in DB using TomCat:
curl 'http://<node agent IP>:8080/demo/add?name=test&email=test@test.com' - Fetch all the data entered:
curl http://<node agent IP>:8080/demo/all