1.0 Introduction
This article explains the procedure for configuring the Fortanix Data Security Manager (DSM) Accelerator Webservice in an Intel® Software Guard Extensions (SGX) enclave using the Fortanix Confidential Computing Manager (CCM).
Configuring the Fortanix DSM Accelerator Webservice for SGX with Fortanix CCM provides the following:
Key Export Control: To ensure that only the Fortanix DSM Accelerator Webservice can export the key, an authenticated Fortanix DSM Accelerator application (app) is created in Fortanix DSM, and a quorum policy will be established in each relevant group requiring this app’s approval for key exports. Users without the app’s approval will encounter errors. If necessary, additional apps can be included in the quorum policy.
Transport Layer Security (TLS) Certificate Management: The Fortanix DSM Accelerator Webservice internally manages TLS keys and certificates to comply with enclave security in the Trusted Execution Environment (TEE). At startup, the Fortanix DSM Accelerator Webservice either retrieves credentials from Fortanix DSM or uses a self-signed certificate if none are available. The Fortanix DSM Accelerator Webservice APIs will facilitate the generation and secure storage of TLS keys and certificates, while Fortanix CCM uses remote attestation to dynamically obtain a signed certificate from a CCM zone CA for enhanced security.
2.0 Fortanix DSM Accelerator Webservice SGX Authentication with Fortanix DSM
The following diagram explains the Fortanix DSM Accelerator Webservice authentication process with Fortanix DSM:
Fortanix CCM provides the Fortanix DSM Accelerator Webservice with a certificate that enables it to securely authenticate with Fortanix DSM and authorize export requests, ensuring that key exports are restricted only to the Fortanix DSM Accelerator Webservice.
The Fortanix DSM Accelerator Webservice SGX enclave initially sends its enclave measurements to Fortanix CCM through the SGX Node Agent.
Fortanix CCM then validates these measurements to confirm their correctness and compliance.
After successful validation, Fortanix CCM issues an application certificate to the Fortanix DSM Accelerator Webservice SGX enclave. This certificate is essential for authenticating the Fortanix DSM Accelerator Webservice SGX enclave when connecting to the Fortanix DSM.
This process ensures that the Fortanix DSM Accelerator Webservice SGX enclave is verified and authorized, allowing for secure interactions with Fortanix DSM.

Figure 1: Fortanix DSM Accelerator SGX authentication with Fortanix DSM
3.0 Prerequisites
The following sections describe the prerequisites for running the Fortanix DSM Accelerator Webservice on SGX:
3.1 Prepare an SGX Machine for Running Fortanix DSM Accelerator Webservice
Perform the instructions in Enroll a Compute Node (bare metal or VM) - SGX to enroll the compute node into the Fortanix Confidential Computing Manager (CCM) infrastructure.
The installer script automatically installs the required drivers along with the Fortanix Node Agent enclave. The Node Agent enclave allows the Fortanix DSM Accelerator Webservice enclave to communicate with the Fortanix CCM Software-as-a-Service (SaaS).
3.2 Create an EDP Application and Whitelist the Build in Fortanix CCM
Perform the following steps to whitelist the enclave identity of the Fortanix DSM Accelerator Webservice SGX image in your CCM account:
Download the latest Fortanix DSM Accelerator Webservice SGX package.
Run the following command to extract the downloaded tarball. For example:
tar -zxf dsma-sgx.tgz
ls
dsma-sgx_1.27.15.tar  dsma.sig  package.README.md  tls_configuration_utility.sh
Log in to the Fortanix CCM user interface (UI). For more information, refer to Logging in.
Click Applications from the left navigation panel.
On the top right corner of the Applications page, click ADD APPLICATION.
In the Application dialog box, select EDP Application and click ADD. Skip the above steps if you have already created an app.

Figure 2: Add an EDP app
In the Add application form:
Application name: Enter a name for your application.
Description (optional): Enter a description.
Group: Select a Fortanix CCM group for the application.
Click ADD A CERTIFICATE in the Certificate Configuration section.

Figure 3: Add the EDP details
In the Certificate Configuration section, set the Domain to fortanix.com.
Figure 4: Add a Certificate domain
Click SAVE to add the app.
After the app is created, a task will be created seeking approval to whitelist the domain. Approve the request and proceed.
Open the app and click ADD IMAGE to add and whitelist the application image.

Figure 5: Add an image
In the Add Image form:
Image Version: Enter the image version. For example, 1.27.1.
Image Type: Select Intel SGX.
Click UPLOAD to upload the dsma.sig file from the dsma-sgx.tgz package. The parameters will be auto-populated.
Click SAVE.
Figure 6: Add an image version
Another task will be created seeking approval to whitelist the application image. Approve and proceed.
3.3 Get a Zone Certificate from Fortanix CCM
Run the following commands to display the zone CA that issues the app certificate to the Fortanix DSM Accelerator Webservice SGX:
Log in to the Fortanix CCM production cluster.
curl -c /dev/shm/ccm-cookies --request POST -u '<username>:<password>' 'https://ccm.fortanix.com/v1/sys/auth'
Select the account. Here, <acct-id> is the Fortanix CCM account ID.
curl -b /dev/shm/ccm-cookies -c /dev/shm/ccm-cookies --header 'X-CSRF-Header: 1' --header 'Content-Type: application/json' -X POST https://ccm.fortanix.com/v1/sys/session/select_account/<acct-id>
Get the zone certificate.
curl --request GET -b /dev/shm/ccm-cookies --header 'X-CSRF-Header: 1' --header 'Content-Type: application/json' 'https://ccm.fortanix.com/v1/zones' | jq .
Escape the new line characters in the certificate.
echo $(curl --request GET -b /dev/shm/ccm-cookies --header 'X-CSRF-Header: 1' --header 'Content-Type: application/json' 'https://ccm.fortanix.com/v1/zones' | jq '.[0].certificate')
3.4 Create an App in Fortanix DSM with Trusted CA Authentication
In the Fortanix DSM UI, configure an application (for example, dsma-sgx-app) with authentication using Trusted CA. For more information on how to create an app in Fortanix DSM, refer to Getting Started with Fortanix DSM - UI.
The Fortanix DSM Accelerator Webservice will use this application to interact with Fortanix DSM independently. Be sure to record the app ID for later use.
The Fortanix DSM Accelerator Webservice will present the signed certificate issued by the Fortanix CCM zone CA (with the domain fortanix.com) to authenticate as the app and enable these interactions.

Figure 7: Add a Fortanix DSM app
3.5 Create a Group with the TLS Key and Certificates
Create a group that is accessible only by the dsma-sgx-app. This group will be used to store the TLS certificate and private key for client connections. Ensure that this group is set as the default group for the application.
For more information on how to create a group in Fortanix DSM, refer to Getting Started with Fortanix DSM - UI.
3.6 Enable Controlled Exports
Add the dsma-sgx-app to all groups whose keys need to be accessed through Fortanix DSM Accelerator Webservice, designating it as a quorum approver. This ensures that client applications cannot export the keys independently.
For more information on adding an app as an approver in Quorum policy, refer to Group Quorum Policy.
3.7 Configure TLS on Fortanix DSM Accelerator Webservice SGX
For configuring TLS in the Fortanix DSM Accelerator Webservice enclave, refer to DSM Accelerator Webservice for Nitro with CCM Setup.
4.0 Run Fortanix DSM Accelerator Webservice on SGX with Docker
Run the following command to start the Fortanix DSM Accelerator Webservice inside an Intel® SGX–enabled Docker container. Replace the placeholder values (<...>) with your actual configuration details.
docker run \
-e FORTANIX_API_ENDPOINT=<dsm-endpoint> \
-e SGX_ENABLED=true \
-e DSMA_APP_ID=<dsma-app-uuid> \
-e TLS_KEY_ID=<tls-private-key-uuid> \
-v /dev:/dev --device=/dev:/dev \
-v /var/run/aesmd:/var/run/aesmd \
dsma_sgx:latest
The following are essential for the proper functioning of the Fortanix DSM Accelerator Webservice:
FORTANIX_API_ENDPOINT refers to the URL endpoint for the Fortanix DSM (<dsm-endpoint>). For example, https://amer.fortanix.com.
SGX_ENABLED is set to true.
DSMA_APP_ID refers to the app UUID (<dsma-app-uuid>) obtained in Section 3.4: Create an App in Fortanix DSM with Trusted CA Authentication.
TLS_KEY_ID refers to the TLS key ID (<tls-private-key-uuid>) obtained in Section 3.5: Create a Group with the TLS Key and Certificates.
Example:
docker run \
-e FORTANIX_API_ENDPOINT=<dsm-endpoint> \
-e SGX_ENABLED=true \
-e DSMA_APP_ID=0a96x4b9-4e36-430b-985a-8cc5f6164e16 \
-e TLS_KEY_ID=b96b8e2c-7cfb-402b-a9dc-3e7342c8d46b \
-v /dev:/dev --device=/dev:/dev \
-v /var/run/aesmd:/var/run/aesmd \
dsma_sgx:latest
For more configuration options, refer to the DSM Accelerator Webservice Developer Guide.
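A pre-flight check for the docker run command above, added here as an example and not part of Fortanix's tooling: it validates the four environment variables the container needs (an https endpoint with no leftover placeholder, SGX_ENABLED set to true, and well-formed UUIDs for the app and TLS key) and confirms the SGX device node and AESM socket the command mounts exist on the host. The variable names are those from the command; the device paths, the aesm.socket name and the DSMA_PREFLIGHT_RUN gate are assumptions.

```shell
#!/bin/sh
# Pre-flight check for the Fortanix DSM Accelerator Webservice docker run
# command (added example, not Fortanix's own code). Catches a typo in an app
# or key UUID, or an unreplaced <placeholder>, before the enclave starts.
# Assumed: the SGX device node and AESM socket use the usual Linux paths.

UUID_RE='^[0-9a-fA-F]\{8\}-[0-9a-fA-F]\{4\}-[0-9a-fA-F]\{4\}-[0-9a-fA-F]\{4\}-[0-9a-fA-F]\{12\}$'

is_uuid() {
    printf '%s' "$1" | grep -q "$UUID_RE"
}

# check_dsma_env ENDPOINT SGX_ENABLED APP_ID TLS_KEY_ID -> returns 0 only if all four are valid
check_dsma_env() {
    endpoint=$1; sgx=$2; app_id=$3; key_id=$4; rc=0
    case "$endpoint" in
        https://*) case "$endpoint" in
                       *'<'*) echo "FORTANIX_API_ENDPOINT still contains a placeholder"; rc=1;;
                   esac;;
        *) echo "FORTANIX_API_ENDPOINT must start with https://"; rc=1;;
    esac
    [ "$sgx" = "true" ] || { echo "SGX_ENABLED must be true for the SGX build"; rc=1; }
    is_uuid "$app_id" || { echo "DSMA_APP_ID is not a UUID: $app_id"; rc=1; }
    is_uuid "$key_id" || { echo "TLS_KEY_ID is not a UUID: $key_id"; rc=1; }
    return $rc
}

# check_sgx_host -> 0 if the host exposes an SGX device and the AESM socket
# that the docker command bind-mounts into the container (paths assumed).
check_sgx_host() {
    { [ -e /dev/sgx_enclave ] || [ -e /dev/sgx/enclave ] || [ -e /dev/isgx ]; } \
        || { echo "no SGX device node found under /dev"; return 1; }
    [ -S /var/run/aesmd/aesm.socket ] || { echo "AESM socket missing"; return 1; }
}

# Run the full check against the exported variables when DSMA_PREFLIGHT_RUN=1
# (hypothetical gate so the file can also be sourced for its functions).
if [ "${DSMA_PREFLIGHT_RUN:-}" = "1" ]; then
    check_dsma_env "$FORTANIX_API_ENDPOINT" "$SGX_ENABLED" "$DSMA_APP_ID" "$TLS_KEY_ID" \
        && check_sgx_host && echo "pre-flight OK"
fi
```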