Deploy the Workflow - Manual - AWS Nitro Applications


1.0 Introduction

This article describes how to manually deploy an approved workflow for Enclave OS applications in Fortanix Confidential Computing Manager (CCM).

After a workflow is approved, Fortanix CCM generates a secure workflow application configuration that Enclave OS applications retrieve and use at runtime. This configuration defines how applications interact with datasets, other applications, and user-provided inputs within the approved workflow.

2.0 Manual Deployment of an Approved Workflow for AWS Nitro Application

After all users approve a workflow, Fortanix CCM provides Workflow Application Configuration to the applications included in the workflow. This configuration contains information, such as the datasets or applications connected in the workflow, along with any user-provided files or values that must be supplied to the enclave at runtime.

Fortanix CCM delivers the workflow application configuration to applications through a workflow application configuration identifier, which the application passes as an input argument during startup.

The identifier is a SHA-256 hash of the workflow configuration elements that must be secured. Fortanix CCM embeds this identifier into the certificates it issues, enabling the Key Management Service (KMS) to determine which configuration is authorized to access credentials.

Fortanix CCM embeds the identifier in the certificate Subject Alternative Name (SAN) using the following format:

<identifier>.<mrenclave>.id.fortanix.cloud

Using this identifier, the KMS that stores dataset credentials authenticates requests and provides credentials only to applications that present a valid certificate corresponding to the approved workflow configuration. When an application starts, Fortanix CCM tracks which applications are authorized to access specific configurations based on this identifier.
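The following is an added example, not Fortanix code, of the check a KMS would make on a presented certificate: it splits a SAN entry in the documented <identifier>.<mrenclave>.id.fortanix.cloud shape into its two labels and grants access only when that pair is on an allowlist of approved workflow configurations. The identifier and enclave measurement values are constructed placeholders, the allowlist is an assumption standing in for whatever state the KMS keeps, and the page does not state how the SHA-256 hash is encoded, so only hex characters are checked, not a fixed length.

```python
import re
from typing import Iterable, Optional, Set, Tuple

# Documented SAN suffix; the two labels before it are the identifier and the enclave measurement.
SAN_SUFFIX = ".id.fortanix.cloud"
HEX_LABEL = re.compile(r"^[0-9a-f]+$")

# Constructed placeholder values (not real Fortanix identifiers or measurements).
EXAMPLE_IDENTIFIER = "0123456789abcdef" * 4   # a SHA-256 hex digest is 64 hex characters
EXAMPLE_MRENCLAVE = "fedcba9876543210" * 6

# Assumed allowlist: (identifier, mrenclave) pairs the KMS treats as approved configurations.
APPROVED: Set[Tuple[str, str]] = {(EXAMPLE_IDENTIFIER, EXAMPLE_MRENCLAVE)}


def parse_workflow_san(san_dns_name: str) -> Optional[Tuple[str, str]]:
    """Split '<identifier>.<mrenclave>.id.fortanix.cloud' into (identifier, mrenclave).

    Returns None for any name that is not exactly two hex labels followed by the suffix,
    so malformed or unrelated SAN entries never reach the authorization decision.
    """
    name = san_dns_name.strip().rstrip(".").lower()
    if not name.endswith(SAN_SUFFIX):
        return None
    labels = name[: -len(SAN_SUFFIX)].split(".")
    if len(labels) != 2:
        return None
    identifier, mrenclave = labels
    if not HEX_LABEL.match(identifier) or not HEX_LABEL.match(mrenclave):
        return None
    return identifier, mrenclave


def authorize(san_dns_names: Iterable[str], approved: Set[Tuple[str, str]]) -> Optional[str]:
    """Return the approved workflow configuration identifier named by the certificate, or None.

    Every SAN entry is parsed; the first (identifier, mrenclave) pair found on the allowlist
    is the configuration whose credentials may be released. Unparseable entries are skipped.
    """
    for san in san_dns_names:
        parsed = parse_workflow_san(san)
        if parsed is not None and parsed in approved:
            return parsed[0]
    return None


if __name__ == "__main__":
    cert_sans = [f"{EXAMPLE_IDENTIFIER}.{EXAMPLE_MRENCLAVE}{SAN_SUFFIX}"]
    print("approved identifier:", authorize(cert_sans, APPROVED))
    print("unknown config:", authorize([f"{'a' * 64}.{EXAMPLE_MRENCLAVE}{SAN_SUFFIX}"], APPROVED))
```

The decision is made on the (identifier, mrenclave) pair rather than the identifier alone, so a certificate for an approved configuration presented by an enclave with a different measurement is refused.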

2.1 Copy the Workflow Application Configuration Identifier

Perform the following steps to retrieve the workflow application configuration identifier:

  1. Click the application node in the approved workflow graph.

    Screenshot 2023-10-19 235407.png

    Figure 1: View the app identifier

  2. In the detailed view of the workflow application, copy the value of the Runtime configuration hash. This value is the workflow application configuration identifier used to run the application.

    Screenshot 2023-10-19 235424.png

    Figure 2: Copy the application identifier

2.2 Run the AWS Nitro Application

To run the Enclave OS application image on the node for the AWS Nitro platform, use the following command:

docker run --privileged -v /run/nitro_enclaves:/run/nitro_enclaves -e RUST_LOG=debug -e APPCONFIG_ID={runtime_config_hash} -e NODE_AGENT=http://{node_ip_to_run}:9092/v1/ -p {http_port}:80 {build_name}

Where,
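As an added example (not part of the Fortanix documentation or tooling), the helper below assembles the docker run command above as an argv list, checking each substituted value first: the runtime configuration hash must be hex, the node address must parse as an IP address, the port must be in range, and the build name must look like a Docker image reference. The parameter names mirror the placeholders in the command; the sample values in the usage block are constructed.

```python
import ipaddress
import re
import shlex
from typing import List

HEX = re.compile(r"^[0-9a-fA-F]+$")
# Characters permitted in a Docker image reference (name, optional tag or digest).
IMAGE_REF = re.compile(r"^[A-Za-z0-9._/:@-]+$")


def build_run_command(runtime_config_hash: str, node_ip: str, http_port: int,
                      build_name: str, rust_log: str = "debug") -> List[str]:
    """Return the argv for the documented docker run command, after validating its inputs.

    runtime_config_hash: the Runtime configuration hash copied from the workflow graph (APPCONFIG_ID).
    node_ip:             address of the node running the NodeAgent (port 9092 is from the page).
    http_port:           host port published to the container's port 80.
    build_name:          the Enclave OS application image to run.
    """
    if not HEX.match(runtime_config_hash):
        raise ValueError("APPCONFIG_ID must be the hex Runtime configuration hash")
    addr = ipaddress.ip_address(node_ip)            # raises ValueError on a malformed address
    host = f"[{addr}]" if addr.version == 6 else str(addr)
    if not (1 <= int(http_port) <= 65535):
        raise ValueError("http_port must be a TCP port number")
    if not IMAGE_REF.match(build_name):
        raise ValueError("build_name is not a valid image reference")
    return [
        "docker", "run", "--privileged",
        "-v", "/run/nitro_enclaves:/run/nitro_enclaves",
        "-e", f"RUST_LOG={rust_log}",
        "-e", f"APPCONFIG_ID={runtime_config_hash}",
        "-e", f"NODE_AGENT=http://{host}:9092/v1/",
        "-p", f"{int(http_port)}:80",
        build_name,
    ]


def render(argv: List[str]) -> str:
    """Quote the argv for pasting into a shell."""
    return shlex.join(argv)


if __name__ == "__main__":
    # Constructed sample values; replace with the real hash, node address and image.
    cmd = build_run_command("0123456789abcdef" * 4, "10.0.0.5", 8080, "my-nitro-app:latest")
    print(render(cmd))
```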

2.3 Application Startup and Configuration Retrieval Flow

When the Enclave OS application starts with the workflow application configuration identifier:

  1. The application requests an attestation certificate from the NodeAgent, including the workflow application configuration identifier as part of the attestation data.

  2. The application requests an application certificate from the NodeAgent.

  3. Fortanix CCM verifies that the application is authorized to access the workflow application configuration associated with the identifier.

  4. The application requests the workflow application configuration from Fortanix CCM by presenting the issued certificate for authentication.

  5. Fortanix CCM validates the certificate, extracts the workflow application configuration identifier, and returns the corresponding configuration.

  6. The application verifies and applies the configuration hash.

  7. The application retrieves credentials from the URLs specified in the configuration.

  8. The application authenticates and reads or writes data to the datasets as defined in the approved workflow.
