System Management


1.0 Introduction

This article describes the Fortanix Confidential Computing Manager (CCM) system administration settings.

2.0 Configure System Administration Settings (Using UI)

After logging in as the system administrator (sysadmin) user, configure platform-level settings such as email, security policies, and account governance. Perform the following steps to go to the Fortanix CCM System Administration Settings:

  1. Log in to Fortanix CCM as a sysadmin user. For more information, refer to Installation Guide - On-premises.

  2. Click System Administration on the Fortanix CCM UI top navigation bar.

    Figure 1: System Administration

  3. On the System Administration page, navigate to Settings > System Management.

    Figure 2: System Management

NOTE

After updating the System Management settings, the changes are marked as “pending” and take effect only after a rolling restart of the Fortanix CCM IAM (Identity and Access Management) services using the following command:

kubectl rollout restart deploy/bodrum

2.1 External Services Settings

  1. Email Settings:

    • From address: The email address used as the sender for system-generated emails.

    • Type: The email provider type. Supported values include Amazon SES and SMTP.

  2. Amazon SES Settings:

    • SES URL: The endpoint URL of the email service (for example, AWS Simple Email Service (SES) endpoint).

    • Region (Optional): The AWS region for the SES service.

    • Access key: The access key used to authenticate with AWS SES.

    • Secret key (Optional): The secret key used for authentication.

    SMTP Settings:

    • Host: The hostname or IP address of the SMTP server.

    • Port: The port used by the SMTP server (for example: 25, 465, 587, or custom).

    • TLS: Defines TLS behavior. Supported values include disabled, starttls, or required.

  3. reCAPTCHA Settings:

    • URL: The endpoint used for reCAPTCHA verification.

    • Site key: The public site key used for reCAPTCHA validation.

    • Secret key (Optional): The secret key used to authenticate reCAPTCHA requests.

2.2 Security Policies Settings

  1. Password Policy

    • History size: Number of previous passwords that cannot be reused (maximum: 4).

    • Max repetition (Optional): Maximum allowed repetition of characters in a password.

    • Max sequential characters (Optional): Maximum allowed sequential characters.

    • Minimum length: Minimum number of characters required for user passwords (minimum: 11).

    • Use deny list: Enables rejection of commonly used or weak passwords.

  2. Account Lockout

    • Lockout type: Defines lockout behavior. Default value is Temporary.

    • Lockout period (seconds): Duration (in seconds) for which the account remains locked (default: 1800).

    • Allowed failed attempts: Number of failed login attempts before the account is locked (default: 10).
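The following added example (illustrative code, not Fortanix CCM's implementation) shows what the Password Policy and Account Lockout fields above mean when they are enforced. The field names follow the JSON body used in the script section of this page; the values chosen for max_repetition and max_sequential_characters, the contents of the deny list, and the comparison of the password history in plaintext (a real system compares against stored hashes) are assumptions of this example.

```javascript
// Added example: enforcement of the Password Policy and Account Lockout settings.
// Not Fortanix CCM code; field names mirror the PATCH body shown on this page.

const policy = {
  password: {
    minimum_length: 12,
    history_size: 4,
    max_repetition: 3,            // assumed: longest run of one repeated character
    max_sequential_characters: 3, // assumed: longest run such as "abc" or "4321"
    use_denylist: true,
  },
  password_auth_lockout: {
    allowed_attempts: 10,
    lockout_behavior: { $type: "temporary", period: 1800 }, // seconds
  },
};

// Constructed deny list; a deployment would use a large breached-password list.
const DENYLIST = new Set(["password123!", "welcome12345", "qwerty123456"]);

// Longest run of the same character ("aaaa" -> 4).
function longestRepeat(s) {
  let best = 0, run = 0;
  for (let i = 0; i < s.length; i++) {
    run = i > 0 && s[i] === s[i - 1] ? run + 1 : 1;
    best = Math.max(best, run);
  }
  return best;
}

// Longest run where each code unit is +1 or -1 from the previous ("1234" -> 4).
function longestSequence(s) {
  let best = 0, up = 0, down = 0;
  for (let i = 0; i < s.length; i++) {
    const d = i > 0 ? s.charCodeAt(i) - s.charCodeAt(i - 1) : 0;
    up = d === 1 ? up + 1 : 1;
    down = d === -1 ? down + 1 : 1;
    best = Math.max(best, up, down);
  }
  return best;
}

// Returns the names of the violated rules; an empty array means the password is acceptable.
// `history` lists the user's previous passwords, most recent first (plaintext only for illustration).
function checkPassword(pw, history, p = policy.password) {
  const v = [];
  if (pw.length < p.minimum_length) v.push("minimum_length");
  if (history.slice(0, p.history_size).includes(pw)) v.push("history_size");
  if (p.max_repetition && longestRepeat(pw) > p.max_repetition) v.push("max_repetition");
  if (p.max_sequential_characters && longestSequence(pw) > p.max_sequential_characters) {
    v.push("max_sequential_characters");
  }
  if (p.use_denylist && DENYLIST.has(pw.toLowerCase())) v.push("use_denylist");
  return v;
}

// Temporary lockout: after `allowed_attempts` consecutive failures the account is locked
// for `period` seconds; a successful login clears the counter. Times are in seconds.
class LockoutTracker {
  constructor(p = policy.password_auth_lockout) { this.p = p; this.state = new Map(); }
  isLocked(user, now) {
    const s = this.state.get(user);
    return !!s && s.lockedUntil !== null && now < s.lockedUntil;
  }
  // Records a failed attempt and returns whether the account is now locked.
  recordFailure(user, now) {
    if (this.isLocked(user, now)) return true;
    const s = this.state.get(user) ?? { failures: 0, lockedUntil: null };
    if (s.lockedUntil !== null && now >= s.lockedUntil) { s.failures = 0; s.lockedUntil = null; }
    s.failures += 1;
    if (s.failures >= this.p.allowed_attempts && this.p.lockout_behavior.$type === "temporary") {
      s.lockedUntil = now + this.p.lockout_behavior.period;
    }
    this.state.set(user, s);
    return s.lockedUntil !== null;
  }
  recordSuccess(user) { this.state.delete(user); }
}
```

With this policy, `checkPassword("aaaab1234cdef", [])` fails on both the repetition and sequence rules, while the tenth consecutive `recordFailure` for a user locks the account until 1800 seconds after that attempt.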

3.0 Configure System Administration Settings (Using Script)

After logging in as the system administrator (sysadmin), configure platform-level settings such as email, security policies, and account governance.

3.1 Retrieve Current Sysadmin Configuration

Retrieve the current sysadmin configuration for Fortanix CCM. Reviewing the existing configuration helps you understand the default settings before applying any updates.

Perform the following steps:

  1. Log in to Fortanix CCM as a sysadmin user. For more information, refer to Installation Guide - On-premises.

  2. Open browser Developer Tools:

    • Chrome: F12 or CTRL+SHIFT+I

  3. Go to Console tab.

  4. Run the following script:

    await fetch('/api/v1/iam/system/config', {
      method: 'GET',
      headers: { 'X-CSRF-Header': 'true' }
    }).then(res => res.json());
    

3.2 Update Sysadmin Configuration

Run the following script to update the settings:

(async () => {
  const configUpdates = {
    external_services: {
      email: {
        from_address: "no-reply@your-domain.com",
        provider: {
          $type: "amazon_ses",
          url: "https://email.us-west-2.amazonaws.com/",
          access_key: "YOUR_AWS_ACCESS_KEY"
        }
      },
      recaptcha: {
        url: "https://www.google.com/recaptcha/api/siteverify",
        site_key: "XXXXX",
        secret_key: "XXXXX"
      }
    },
    policies: {
      password: {
        minimum_length: 12,
        history_size: 4,
        use_denylist: true
      },
      password_auth_lockout: {
        allowed_attempts: 10,
        lockout_behavior: {
          $type: "temporary",
          period: 1800
        }
      }
    }
  };

  const res = await fetch('/api/v1/iam/system/config', {
    method: 'PATCH',
    headers: {
      'Content-Type': 'application/json',
      'X-CSRF-Header': 'true'
    },
    body: JSON.stringify(configUpdates)
  });
  // Surface a rejected update (for example, a validation error) instead of failing silently.
  if (!res.ok) {
    throw new Error(`Config update failed: ${res.status} ${await res.text()}`);
  }
  console.log('Config update accepted, status', res.status);
})();

Where,

  • from_address: Specifies the email address used as the sender for system-generated emails.

  • $type: Specifies the email provider type. Supported values include amazon_ses and smtp.

  • external_services.email.provider.url: Specifies the endpoint URL of the email service (for example, AWS Simple Email Service (SES) endpoint).

  • access_key: Specifies the access key used to authenticate with the email provider.

  • site_key: Specifies the public site key used for reCAPTCHA validation.

  • secret_key: Specifies the secret key used to authenticate reCAPTCHA requests.

  • minimum_length: Specifies the minimum number of characters required for user passwords.

  • history_size: Specifies the number of previous passwords that cannot be reused.

  • use_denylist: Specifies whether commonly used or weak passwords are rejected.

  • allowed_attempts: Specifies the number of failed login attempts allowed before the account is locked.

  • period: Specifies the duration (in seconds) for which the account remains locked.

3.3 Additional Configuration Examples

This section provides sample configuration snippets for commonly used sysadmin settings. These examples can be used as references when customizing Fortanix CCM to meet specific organizational requirements.

  • SMTP Email Configuration (path: external_services.email): Configures how Fortanix CCM sends emails, including:

    • Account approval notifications

    • Account creation alerts

    • Pending approval emails

    • User-related notifications (for example, password reset, or email verification if it is enabled)

    {
      "from_address": "bodrum@fortanix.com",
      "provider": {
        "$type": "smtp",
        "host": "10.197.184.21",
        "port": 1025,
        "tls": { "mode": "disabled" }
      }
    }

    Where,

    • $type: Specifies the email provider type. Supported values include amazon_ses and smtp.

    • host: Specifies the hostname or IP address of the SMTP server.

    • port: Specifies the port used by the SMTP server (for example: 25, 465, 587, or custom).

    • mode: Specifies the TLS behavior. Supported values include disabled, starttls, or required.
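The following added example (not Fortanix CCM code) is a pre-flight check that can be run in the browser console on the external_services.email object before it is sent in the PATCH request shown earlier. It places the page's SMTP snippet beside a hardened variant of the same relay: the page's snippet passes the schema checks but is flagged because tls.mode "disabled" sends mail to a non-loopback host in cleartext. The schema rules, the loopback exception, and the port 587 choice in the hardened variant are assumptions of this example.

```javascript
// Added example: audit of an external_services.email object before PATCHing it.
// Not part of Fortanix CCM; the rules below are this example's own assumptions.

const PROVIDER_TYPES = new Set(["amazon_ses", "smtp"]);
const TLS_MODES = new Set(["disabled", "starttls", "required"]);

function isLoopback(host) {
  return host === "localhost" || host === "::1" || /^127\.\d+\.\d+\.\d+$/.test(host);
}

// Returns { errors, warnings }: errors are values the schema would not accept,
// warnings are accepted settings that weaken mail security.
function auditEmailConfig(email) {
  const errors = [], warnings = [];
  if (!email || typeof email.from_address !== "string" || !email.from_address.includes("@")) {
    errors.push("from_address must be an email address");
  }
  const p = email && email.provider;
  if (!p || !PROVIDER_TYPES.has(p.$type)) {
    errors.push("provider.$type must be amazon_ses or smtp");
    return { errors, warnings };
  }
  if (p.$type === "smtp") {
    if (typeof p.host !== "string" || p.host.length === 0) errors.push("smtp host is required");
    if (!Number.isInteger(p.port) || p.port < 1 || p.port > 65535) errors.push("smtp port must be 1-65535");
    const mode = p.tls && p.tls.mode;
    if (!TLS_MODES.has(mode)) {
      errors.push("tls.mode must be disabled, starttls or required");
    } else if (mode === "disabled" && !isLoopback(String(p.host))) {
      warnings.push("tls.mode=disabled sends SMTP traffic in cleartext to a remote host");
    }
  } else {
    if (typeof p.url !== "string" || !p.url.startsWith("https://")) errors.push("amazon_ses url must use https");
    if (!p.access_key) errors.push("amazon_ses access_key is required");
  }
  return { errors, warnings };
}

// The SMTP snippet from this page, and a hardened variant of the same relay (assumed
// to accept TLS on port 587).
const smtpFromPage = {
  from_address: "bodrum@fortanix.com",
  provider: { $type: "smtp", host: "10.197.184.21", port: 1025, tls: { mode: "disabled" } },
};
const smtpHardened = {
  from_address: "bodrum@fortanix.com",
  provider: { $type: "smtp", host: "10.197.184.21", port: 587, tls: { mode: "required" } },
};
```

`auditEmailConfig(smtpFromPage)` returns no errors and one warning; `auditEmailConfig(smtpHardened)` returns neither.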

  • Account Approval Policy

    Path: policies.account_creation

    {
      "creation_notification_recipients": ["armor-account-creations@fortanix.com"],
      "pending_approval_notification_recipients": ["em-admin@fortanix.com"],
      "sysadmin_approval_required": "ccm_only"
    }

    Where,

    • creation_notification_recipients: Specifies the list of email addresses notified when a new account is created.

    • pending_approval_notification_recipients: Specifies the list of email addresses notified when an account is pending approval.

    • sysadmin_approval_required: Specifies whether sysadmin approval is required for account creation. Example: ccm_only means sysadmin approval is required only for accounts created within Fortanix CCM.

  • Email Validation Policy

    Path: policies.email_validation

    {
      "allowed_domains": ["fortanix.com", "example.com"],
      "confirmation": "enabled",
      "maximum_length": "ietf_standard",
      "restricted_characters": ["$", "~", "`"]
    }

    Where,

    • allowed_domains: Specifies the list of email domains permitted for user registration.

    • confirmation: Specifies the email verification behavior:

      • enabled: Email verification is mandatory.

      • not_enforced: Email verification is optional.

      • disabled: No email verification required.

    • maximum_length: Specifies the maximum allowed length for email addresses (for example, ietf_standard).

    • restricted_characters: Specifies the list of characters that are not allowed in email addresses.
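The following added example (not Fortanix CCM code) shows how the policies.email_validation object above is applied to a registration address. Assumptions of this example: "ietf_standard" is mapped to 254 characters (the RFC 5321 forward-path limit), allowed_domains is matched exactly against the part after the last "@" (no subdomain matching), and an empty allowed_domains list permits any domain.

```javascript
// Added example: enforcement of policies.email_validation on a registration address.
// Illustrative only; the length mapping and domain-matching rules are assumptions.

const emailValidationPolicy = {
  allowed_domains: ["fortanix.com", "example.com"],
  confirmation: "enabled",
  maximum_length: "ietf_standard",
  restricted_characters: ["$", "~", "`"],
};

// Assumed mapping of the symbolic maximum_length values to character counts.
const MAX_LENGTH = { ietf_standard: 254 };

// Returns { ok, reasons, verification }, where `verification` tells the caller whether
// the confirmation step is "mandatory", "optional" or "none" under this policy.
function validateEmail(address, p = emailValidationPolicy) {
  const reasons = [];
  const at = address.lastIndexOf("@");
  const local = at > 0 ? address.slice(0, at) : "";
  const domain = at > 0 ? address.slice(at + 1).toLowerCase() : "";
  if (!local || !domain) reasons.push("malformed");

  const limit = MAX_LENGTH[p.maximum_length];
  if (limit !== undefined && address.length > limit) reasons.push("maximum_length");

  const allowed = p.allowed_domains.map((d) => d.toLowerCase());
  if (domain && allowed.length > 0 && !allowed.includes(domain)) reasons.push("allowed_domains");

  const bad = p.restricted_characters.filter((c) => address.includes(c));
  if (bad.length > 0) reasons.push("restricted_characters:" + bad.join(""));

  const verification =
    p.confirmation === "enabled" ? "mandatory" :
    p.confirmation === "not_enforced" ? "optional" : "none";
  return { ok: reasons.length === 0, reasons, verification };
}
```

Under the policy shown, `validateEmail("bob@evil.com")` is rejected on allowed_domains and `validateEmail("ca$h@example.com")` on restricted_characters, while an accepted address still requires the confirmation email because confirmation is "enabled".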



As of August 2025