User's Guide: Deploy the Workflow - Manual

1.0 Deploy the Workflow - Manual

After a Workflow is approved by all the users, the Workflow Application Configurations are provided to the Applications. A configuration contains information such as which Datasets or Apps the application is connected to, any user-provided files or values to be provided within an enclave, and so on.

We provide a configuration to applications using an identifier passed as an input argument.

This identifier is a sha256sum of the items from the configuration and workflow that you need to secure.

Fortanix CCM will also embed this identifier inside the certificates it issues so that it is clear what configuration is used for the KMS to allow access to credentials.

It embeds this inside a Subject Alternative Name (SAN) of the certificate.


With the identifier above, the KMS that stores the dataset credentials will authenticate and give credentials only to applications that present a proper certificate. When the application starts, CCM will keep track of which applications are allowed to access which configurations using the identifier.

To view the Application Identifier:

  1. Click the application in the approved Workflow graph.
    Figure 1: View the app identifier
  2. In the detailed view of the Workflow application, copy the value of Runtime configuration hash. This ID is used to run the application.
    Figure 2: Copy the app identifier
  3. To run the application, execute the following command depending on the type of node agent attestation:
    For the node attestation type Enhanced Privacy ID (EPID)/Data Center Attestation Primitives (DCAP), use the command:
    docker run --privileged -d -v /var/run/aesmd:/var/run/aesmd --volume /dev:/dev -p 8085:8080 --net="host" --env NODE_AGENT_BASE_URL="http://<COMPUTE_NODE_IP>:9092/v1" --env APPCONFIG_ID="de7f0cd0a293e8a9a38877d853dd0d94f7b67a09c48c7a520327de4ef87aa9f5" <CONVERTED_IMAGE>
    APPCONFIG_ID is the Application identifier.
    • Replace the Node IP, Port, and Converted Image with your own values in the above format. The values in the example above are only a sample.
    • Add the following flags to the command to get more details:
      • -e ENCLAVEOS_LOG_LEVEL=debug - to get the debug log
      • -p 7622:80 -p 8038:443 - to map the application's custom port to 80 or 443

When the App Owner starts the application with the application config identifier:

  1. The application requests an attestation certificate from the NodeAgent, with the identifier as part of the report data.
  2. The application requests an application certificate from NodeAgent.
  3. The CCM verifies that the application is allowed to access the configuration.
  4. The application requests its configuration from CCM, using the certificate provisioned above as the authentication mechanism.
  5. The CCM does certificate authentication, extracts the application identifier from the certificate, and sends back the configuration corresponding to that identifier.
  6. The application verifies and applies the configuration hash.
  7. The application gets the credentials from URLs in the config.
  8. The application authenticates and reads/writes data from the datasets.
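
Step 6 above, as an added example that is not Fortanix code: the application recomputes the SHA-256 of the configuration it received and applies it only if the digest equals the identifier it was started with. The page does not say which items are hashed or how they are serialized, so the canonical JSON encoding, the field names, and the URLs below are assumptions.

```python
import hashlib
import hmac
import json
import re

HEX64 = re.compile(r"[0-9a-f]{64}")

class ConfigMismatch(Exception):
    """Received configuration does not hash to the pinned identifier."""

def config_identifier(config: dict) -> str:
    # Assumption: canonical JSON (sorted keys, no whitespace) stands in for the
    # product's real serialization of the secured items, which the page omits.
    data = json.dumps(config, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(data).hexdigest()

def verify_and_apply(appconfig_id: str, received: dict) -> dict:
    """Return the config only if it hashes to the identifier the app was started with."""
    expected = appconfig_id.strip().lower()
    if not HEX64.fullmatch(expected):
        raise ValueError("APPCONFIG_ID must be a 64-character hex SHA-256 digest")
    actual = config_identifier(received)
    if not hmac.compare_digest(actual, expected):
        raise ConfigMismatch(f"config hashes to {actual}, expected {expected}")
    return received

# Constructed sample configuration; all field names and URLs are hypothetical.
APPROVED = {
    "app": "example-app",
    "datasets": [{"name": "input", "credentials_url": "https://kms.example/creds/1"}],
    "values": {"threshold": "0.8"},
}
PINNED_ID = config_identifier(APPROVED)  # plays the role of APPCONFIG_ID

def demo() -> dict:
    tampered = json.loads(json.dumps(APPROVED))  # deep copy
    tampered["datasets"][0]["credentials_url"] = "https://other.example/creds/1"
    try:
        verify_and_apply(PINNED_ID, tampered)
        tampered_rejected = False
    except ConfigMismatch:
        tampered_rejected = True
    return {
        "approved_accepted": verify_and_apply(PINNED_ID, APPROVED) is APPROVED,
        "tampered_rejected": tampered_rejected,
        "key_order_irrelevant": config_identifier(dict(reversed(list(APPROVED.items())))) == PINNED_ID,
    }

if __name__ == "__main__":
    print(demo())
```

A changed credentials URL yields a different digest, so the application refuses the configuration before it ever contacts that URL in step 7.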

