Last active: July 24, 2018 13:48
Gist: avigail-oron/701a38a5b8f9de7c37151e88b648c04c
The deployment is comprised of 3 main components:
=================================================
1. Aiakos provider - running in SGX-LKL
2. MariaDB - running in SGX-LKL
3. Client application - plain docker compose application (application container + mariadb container)
Setting up MariaDB
==================
Take the mariadb sgx-lkl image.
Create a tap interface called sgxlkl_tap1 with the 10.0.2.254/24 subnet.
Run mariadb via the following command (replace <<>> with the correct path in your env):
SGXLKL_TAP=sgxlkl_tap1 SGXLKL_IP4=10.0.2.1 SGXLKL_KEY=<<>>/sgx-lkl/build/config/enclave_debug.key SGXLKL_HEAP=220M <<>>/sgx-lkl/build/sgx-lkl-run <<>>/maria-db/sgxlkl-mariadb-fs.img /usr/bin/mysqld --skip-name-resolve --user=mysql
Optional - verify it's running and exposing SSL by connecting a mysql client:
mysql -h 10.0.2.1 -u aiakos
and then run
SHOW VARIABLES LIKE '%ssl%';
You should see that the first 2 parameters (have_openssl and have_ssl) are 'YES'.
Aiakos Provider
===============
Take the 'sgxlkl-aiakos-with-ssl-fs.img' image file.
Make sure you have a tap interface called sgxlkl_tap0 with the 10.0.1.254/24 subnet.
Run the following commands to allow communication between the 2 tap interfaces:
sudo iptables -I FORWARD -m state -d 10.0.1.0/24 --state NEW,RELATED,ESTABLISHED -j ACCEPT
sudo iptables -I FORWARD -m state -s 10.0.1.0/24 --state NEW,RELATED,ESTABLISHED -j ACCEPT
sudo iptables -I FORWARD -m state -d 10.0.2.0/24 --state NEW,RELATED,ESTABLISHED -j ACCEPT
sudo iptables -I FORWARD -m state -s 10.0.2.0/24 --state NEW,RELATED,ESTABLISHED -j ACCEPT
sudo iptables -t nat -A POSTROUTING -s 10.0.1.0/24 ! -d 10.0.1.0/24 -j MASQUERADE
sudo sysctl -w net.ipv4.ip_forward=1
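The tap-device and forwarding setup from the two sections above, collected into one re-runnable script. This is an added example, not part of the gist: it assumes the same device names and subnets (sgxlkl_tap0 on 10.0.1.254/24, sgxlkl_tap1 on 10.0.2.254/24) and that `ensure_tap` and `apply_rules` are run as root. Each rule is checked with `iptables -C` before being inserted, so running the script twice does not stack duplicate rules.

```shell
#!/bin/sh
# Added example (not from the gist): create both SGX-LKL tap devices and apply
# the forwarding/NAT rules between them idempotently. Run as root.
# Assumed: subnets and device names as in the gist.

ENCLAVE_NETS="10.0.1.0/24 10.0.2.0/24"   # sgxlkl_tap0 subnet, sgxlkl_tap1 subnet

# Create a tap device owned by the invoking user, give it the host-side address
# and bring it up; every step is skipped when it is already done.
ensure_tap() {
    dev="$1"; cidr="$2"
    ip link show "$dev" >/dev/null 2>&1 || ip tuntap add dev "$dev" mode tap user "$(id -un)"
    ip addr show dev "$dev" | grep -q "inet $cidr" || ip addr add "$cidr" dev "$dev"
    ip link set dev "$dev" up
}

# One "iptables -I FORWARD ..." line per direction for a subnet (text only).
forward_rules() {
    net="$1"
    printf 'iptables -I FORWARD -m state -d %s --state NEW,RELATED,ESTABLISHED -j ACCEPT\n' "$net"
    printf 'iptables -I FORWARD -m state -s %s --state NEW,RELATED,ESTABLISHED -j ACCEPT\n' "$net"
}

# Masquerade traffic leaving the provider subnet, as the gist does for 10.0.1.0/24.
nat_rule() {
    printf 'iptables -t nat -A POSTROUTING -s %s ! -d %s -j MASQUERADE\n' "$1" "$1"
}

# The full rule set for all enclave subnets; returns text, applies nothing.
all_rules() {
    for n in $ENCLAVE_NETS; do forward_rules "$n"; done
    nat_rule "${ENCLAVE_NETS%% *}"
}

# Apply each rule only if it is not already present: the same rule with -I/-A
# swapped for -C returns 0 when it exists, so the insert is skipped.
apply_rules() {
    all_rules | while read -r cmd; do
        check=$(printf '%s' "$cmd" | sed 's/ -I / -C /; s/ -A / -C /')
        $check 2>/dev/null || $cmd
    done
    sysctl -w net.ipv4.ip_forward=1
}

# Usage (as root):
#   ensure_tap sgxlkl_tap0 10.0.1.254/24
#   ensure_tap sgxlkl_tap1 10.0.2.254/24
#   apply_rules
```

`-I` keeps the gist's semantics of putting the ACCEPT rules ahead of anything Docker has installed in the FORWARD chain; `all_rules` can be run on its own (no root needed) to review what will be applied.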
In the shell where Aiakos will be launched, set the following env vars:
export PYTHONPATH=/lib/python3.6/site-packages:/bin:/lib/python3.6/site-packages/aiakos
export DJANGO_SETTINGS_MODULE=aiakos.settings
export SECRET_KEY=x
export DATABASE_URL=mysql://aiakos@10.0.2.1/accounts
export BASE_URL=https://10.0.1.1:8080
export INSECURE_END_SESSION_ENDPOINT
export DEBUG=1
When connecting Aiakos to the DB for the first time, 2 initialization steps are required (they affect the DB only):
1. Setting up the DB schema
2. Filling the relevant DB table with initialization data
Those 2 initialization steps are achieved by running the Aiakos image in sgx-lkl with specific launch commands:
//Initialization step #1:
SGXLKL_TAP=sgxlkl_tap0 SGXLKL_HEAP=200M SGXLKL_KEY=<<>>/sgx-lkl/build/config/enclave_debug.key <<>>/sgx-lkl/build/sgx-lkl-run <<>>/sgx-lkl/apps/miniroot/sgxlkl-aiakos-with-ssl-fs.img /usr/bin/python3 /bin/django-admin migrate
//Initialization step #2:
SGXLKL_TAP=sgxlkl_tap0 SGXLKL_HEAP=200M SGXLKL_KEY=<<>>/sgx-lkl/build/config/enclave_debug.key <<>>/sgx-lkl/build/sgx-lkl-run <<>>/sgx-lkl/apps/miniroot/sgxlkl-aiakos-with-ssl-fs.img /usr/bin/python3 /bin/django-admin loaddata /lib/python3.6/site-packages/aiakos/devdata.yaml
From this point on, as long as it's connected to the same DB, Aiakos can be launched in a regular manner:
//Note - if you omit the cert & key params at the end, the server listens on HTTP only. When they are passed, the server listens on HTTPS only.
SGXLKL_TAP=sgxlkl_tap0 SGXLKL_HEAP=200M SGXLKL_KEY=<<>>/sgx-lkl/build/config/enclave_debug.key <<>>/sgx-lkl/build/sgx-lkl-run <<>>/sgx-lkl/apps/miniroot/sgxlkl-aiakos-with-ssl-fs.img /usr/bin/python3 /bin/chaussette --host 10.0.1.1 --backend gevent aiakos.wsgi.application "/etc/aiakos/rsakeys/client-ssl/aiakos-selfsigned.crt" "/etc/aiakos/rsakeys/client-ssl/aiakos-selfsigned.key"
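The three enclave invocations above (migrate, loaddata, serve) share everything except the tail of the command line, so a small launcher keeps them consistent and makes the HTTP-vs-HTTPS choice explicit. This is an added example, not the gist's or the Aiakos project's own code: the variables `SGXLKL_ROOT` and `AIAKOS_IMG` stand in for the gist's `<<>>` placeholders, `AIAKOS_HOST` defaults to 10.0.1.1, and the env vars listed earlier are assumed to be exported in the same shell before `aiakos_run` is called.

```shell
#!/bin/sh
# Added example, not from the gist: one launcher for the Aiakos enclave commands.
# Assumed: SGXLKL_ROOT points at the sgx-lkl checkout (the gist's <<>>),
# AIAKOS_IMG at the image, and the gist's env vars are already exported.

: "${SGXLKL_ROOT:=/path/to/sgx-lkl}"            # placeholder, set to your checkout
: "${AIAKOS_IMG:=$SGXLKL_ROOT/apps/miniroot/sgxlkl-aiakos-with-ssl-fs.img}"
: "${AIAKOS_HOST:=10.0.1.1}"
CERT_DIR=/etc/aiakos/rsakeys/client-ssl          # path inside the enclave image

# Common prefix: tap device, heap, enclave signing key, runner and the interpreter.
sgxlkl_prefix() {
    printf 'SGXLKL_TAP=sgxlkl_tap0 SGXLKL_HEAP=200M SGXLKL_KEY=%s/build/config/enclave_debug.key %s/build/sgx-lkl-run %s /usr/bin/python3' \
        "$SGXLKL_ROOT" "$SGXLKL_ROOT" "$AIAKOS_IMG"
}

# Print the full command line for one mode; returns 2 on an unknown mode.
# serve  = HTTP only (no cert/key), serve-tls = HTTPS only (cert and key passed).
aiakos_cmd() {
    case "$1" in
        migrate)   printf '%s /bin/django-admin migrate\n' "$(sgxlkl_prefix)" ;;
        loaddata)  printf '%s /bin/django-admin loaddata /lib/python3.6/site-packages/aiakos/devdata.yaml\n' "$(sgxlkl_prefix)" ;;
        serve)     printf '%s /bin/chaussette --host %s --backend gevent aiakos.wsgi.application\n' \
                       "$(sgxlkl_prefix)" "$AIAKOS_HOST" ;;
        serve-tls) printf '%s /bin/chaussette --host %s --backend gevent aiakos.wsgi.application %s/aiakos-selfsigned.crt %s/aiakos-selfsigned.key\n' \
                       "$(sgxlkl_prefix)" "$AIAKOS_HOST" "$CERT_DIR" "$CERT_DIR" ;;
        *) echo "usage: aiakos_cmd migrate|loaddata|serve|serve-tls" >&2; return 2 ;;
    esac
}

# Execute a mode; the MariaDB enclave must already be reachable on the tap1 subnet.
aiakos_run() {
    cmd=$(aiakos_cmd "$1") || return $?
    eval "$cmd"
}

# First deployment: schema, fixtures, then the HTTPS-only server.
#   aiakos_run migrate && aiakos_run loaddata && aiakos_run serve-tls
```

`aiakos_cmd <mode>` prints the command without running it, which is a convenient way to check paths before starting an enclave.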
Client Application
==================
This is a simple docker-compose based application. It has a Django server and a mariadb database.
Make sure you have docker & docker-compose installed on your host.
Take the folder 'some-app' containing the 2 components, extract it, and cd to the root directory (where the docker-compose file is located).
To build the docker compose images run:
docker-compose build
When finished, launch the entire app (server+db) with:
docker-compose up
Note that it takes some time for the DB to initialize, wait patiently :-)
Initializing the Aiakos application
====================================
Connect to the aiakos server:
https://10.0.1.1:8080
Log in as the admin: root/root
Providing Aiakos with the token signing key
-------------------------------------------
In the top bar click on 'Admin'
In the menu on the left click 'RSA keys'
In the top right corner click 'ADD RSA KEY'
This will be the key that signs the OpenID Connect JWT tokens.
Generate a key using the command:
openssl genrsa -out key.pem 2048
cat key.pem
Paste the file content (including header and footer lines) in the box on the screen and SAVE.
Testing it works end-to-end
============================
In a web browser, go to:
http://localhost:8000
Note that you are redirected to https://10.0.1.1:8080
You will be asked to log in to aiakos. You can use either of the pre-populated users:
root/root
localhost/dummy
In the consent screen you'll be asked to agree to pass your details to the 'Localhost' app.
Click agree.
You will be redirected back to the client application, which will identify your user by its ID in the Aiakos DB.
Where are all the keys located?
===============================
Maria DB
---------
/etc/mysql/ssl/
ca_cert.pem
server_cert.pem
server_key.pem
Aiakos Provider
---------------
/etc/aiakos/rsakeys/
ca_cert.pem # This is the CA cert of the maria db
/etc/aiakos/rsakeys/client-ssl/
aiakos-selfsigned.crt # This is the SSL cert the admin provisions for the client's SSL communication
aiakos-selfsigned.key # This is the SSL key the admin provisions for the client's SSL communication
The token signing key we have supplied to aiakos is kept in its DB (in the maria db tables). It can be changed via the aiakos admin UI.
Troubleshooting
===============
If the client application (via docker compose) doesn't start:
run 'docker ps' and see what the mysql container is called.
In the docker-compose.yml make sure that the 2 services (both 'migration' and 'project') have that name as the host in the DATABASE_URL env var.
If not, modify it, kill docker compose and run 'docker-compose up' again.
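The check described in the troubleshooting step, as a script: it pulls the host part out of every `DATABASE_URL=` line in a compose file and compares it with the name of the running mysql/mariadb container. This is an added example, not part of the gist or the some-app project; it assumes the URLs are written in the `KEY=value` list form (`- DATABASE_URL=mysql://user:pass@host[:port]/db`) and that docker is available when `running_db_name` is called.

```shell
#!/bin/sh
# Added example (not from the gist): verify that every DATABASE_URL in a
# docker-compose file names the host the mariadb container actually has.
# Assumed: list-form environment entries "- DATABASE_URL=scheme://user:pass@host[:port]/db".

# Print the host part of each DATABASE_URL in the file, one per line.
db_url_hosts() {
    sed -n 's#.*DATABASE_URL=[A-Za-z+]*://[^@]*@\([^/:]*\).*#\1#p' "$1"
}

# Name of the first running mysql/mariadb container, as docker reports it.
running_db_name() {
    docker ps --format '{{.Names}}' | grep -i -E 'mysql|mariadb' | head -n 1
}

# Return 0 if every URL uses the expected host; otherwise list the offenders
# on stderr and return 1.
check_db_hosts() {
    file="$1"; expected="$2"; rc=0
    for h in $(db_url_hosts "$file"); do
        if [ "$h" != "$expected" ]; then
            echo "DATABASE_URL host '$h' does not match container '$expected'" >&2
            rc=1
        fi
    done
    return $rc
}

# Usage, from the directory holding docker-compose.yml:
#   check_db_hosts docker-compose.yml "$(running_db_name)" \
#       || echo "fix DATABASE_URL in both services, then run docker-compose up again"
```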
I wasn't able to connect to the Aiakos server (https://10.0.1.1:8080) from the local host's browser until I added the following IP table command: "iptables --policy FORWARD DROP"