Anjuna Policy Manager Configuration Tool
Description
The Anjuna Policy Manager configuration utility.
The anjuna-policy-manager tool manages secrets: it creates and deletes them, and it grants Intel® SGX enclaves access to them, either by enclave measurement (MRENCLAVE) or by signer (MRSIGNER).
Synopsis
    # Help
    anjuna-policy-manager --help
    anjuna-policy-manager SUBCOMMAND --help
    # Start the policy manager server
    anjuna-policy-manager server start [--timeout [seconds]]
    # Stop the policy manager server
    anjuna-policy-manager server stop
    # Check the status of the policy manager server
    anjuna-policy-manager server status
    # Reset the policy manager server (delete all its data)
    anjuna-policy-manager server reset
    # Create a secret using a file's contents for the secret value
    anjuna-policy-manager secret create SECRET_NAME --file FILENAME
    # Create a secret with a generated cryptographically random value
    anjuna-policy-manager secret create SECRET_NAME --random LENGTH
    # Create a secret specifying the value on the command line
    anjuna-policy-manager secret create SECRET_NAME --value VALUE
    # Deleting secrets
    anjuna-policy-manager secret delete SECRET_NAME
    # Grant an enclave access to a secret (the second form extracts the measurements from a signature file)
    anjuna-policy-manager authorize enclave SECRET_NAME --signer MRSIGNER --enclave MRENCLAVE
    anjuna-policy-manager authorize enclave SECRET_NAME --sig-file SIG_FILE
    # Grant all enclaves with a specific signer access to a secret
    anjuna-policy-manager authorize signer SECRET_NAME --signer MRSIGNER
    anjuna-policy-manager authorize signer SECRET_NAME --sig-file SIG_FILE
    # Revoke an enclave's access to a secret
    anjuna-policy-manager revoke enclave SECRET_NAME --signer MRSIGNER --enclave MRENCLAVE
    anjuna-policy-manager revoke enclave SECRET_NAME --sig-file SIG_FILE
    # Revoke a signer's access to a secret
    anjuna-policy-manager revoke signer SECRET_NAME --signer MRSIGNER
    anjuna-policy-manager revoke signer SECRET_NAME --sig-file SIG_FILE
    # List all secrets
    anjuna-policy-manager list secrets all
    # List secrets for enclave
    anjuna-policy-manager list secrets enclave --signer MRSIGNER --enclave MRENCLAVE
    anjuna-policy-manager list secrets enclave --sig-file SIG_FILE
    # List secrets for signer
    anjuna-policy-manager list secrets signer --signer MRSIGNER
    anjuna-policy-manager list secrets signer --sig-file SIG_FILE
    # List enclaves or signers
    anjuna-policy-manager list enclaves
    anjuna-policy-manager list signers
    # List enclaves or signers for a single secret
    anjuna-policy-manager list enclaves --secret SECRET_NAME
    anjuna-policy-manager list signers --secret SECRET_NAME
    # Display a signature file
    anjuna-policy-manager inspect SIG_FILE
Global Flags
anjuna-policy-manager must know the address, management token, and CA certificate (when using HTTPS) of the Anjuna Policy Manager server. You can specify these parameters using either environment variables or command line flags.
Following is an example of how to specify these parameters using environment variables:
    export ANJUNA_ADDR="https://apm-server.test:1337"
    export ANJUNA_TOKEN="root-token"
    export ANJUNA_CACERT="/opt/anjuna/anjuna-policy-manager/dev/conf/https/cert/cert.pem"
To specify these parameters on the command line, use the following flags:
- --addr: The address of the Anjuna Policy Manager (for example, https://127.0.0.1:1337)
- --token: The management token of the Anjuna Policy Manager (for example, root-token)
- --ca-cert: The path to the PEM-encoded CA certificate used to verify the Policy Manager's TLS certificate (for example, /opt/anjuna/anjuna-policy-manager/dev/conf/https/cert/cert.pem)
- --dev: Run the Anjuna Policy Manager in development mode, which allows debug enclaves. The memory of a debug enclave can be read from outside the enclave, so development mode must never hold production secrets.
- --engine-path: Set an alternative path for the secret engine (default is "anjuna")
Note: If the token parameter is not specified, the Policy Manager uses the following default value:
Running the Server
anjuna-policy-manager manages the Anjuna Policy Manager Server.  Use it to start, stop, check the running status of the server, and to reset the server (delete all of its data).
When it starts the server, anjuna-policy-manager configures it to use HTTPS. During installation, the installer generates a self-signed certificate with apm-server.test as the host name. Because the certificate is self-signed, clients have no CA chain to validate it against, so you must:
- Get a copy of the server certificate and pass it to the client through ANJUNA_CACERT or --ca-cert (for development purposes, one is located at /opt/anjuna/anjuna-policy-manager/dev/conf/https/cert/cert.pem)
- Insert an entry in the /etc/hosts file (replace <server-ip-address> with the correct value):
    <server-ip-address> apm-server.test
Note: For the following commands, you can also pass the --dev flag to run in development mode. This flag should not be used for production.
Start the Policy Manager server using the following command:
    $ anjuna-policy-manager server start
You can also specify a different timeout period for starting the Policy Manager Server using the --timeout [seconds] flag.
You can stop the Anjuna Policy Manager Server using the following command:
    $ anjuna-policy-manager server stop
Run anjuna-policy-manager server status to check that the server is up and to display the configuration text to insert in manifest.template.yaml so that Anjuna Enterprise Enclaves use the Policy Manager. The command displays text similar to the following example:
    The Anjuna Policy Manager server is up and running
    - Address: https://apm-server.test:8201
    - Certificate: /opt/anjuna/anjuna-policy-manager/dev/conf/https/cert/cert.pem
    Add the following entries to your application's manifest
    to connect to the Anjuna Policy Manager Server:
    policy_manager:
      socket: apm-broker
      url: https://apm-server.test:8201
      ca_cert: |
        -----BEGIN CERTIFICATE-----
        ...
        -----END CERTIFICATE-----
The section of text that starts with policy_manager: can be pasted unchanged into the manifest.template.yaml for the enclave to configure it to connect to the Anjuna Policy Manager server.
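The following shell script is an added example and is not part of the Anjuna tooling. It takes saved output of anjuna-policy-manager server status (a constructed sample is embedded, with a placeholder certificate body rather than a real certificate), extracts the policy_manager: block, refuses to append it to manifest.template.yaml unless the block is complete, and compares the certificate embedded in the block with the PEM file on disk, so that the enclave ends up trusting exactly the certificate the server presents. The function names, the temporary-file layout and the "demo" argument are the example's own assumptions.

```shell
#!/bin/sh
# Added example (not Anjuna's own code): turn the output of
# `anjuna-policy-manager server status` into the policy_manager: section of
# manifest.template.yaml, and check the pasted CA certificate before trusting it.
set -eu

# Constructed sample of the status output, shaped like the excerpt in the text.
# The certificate body is a placeholder, not a real certificate.
SAMPLE_STATUS=$(cat <<'EOF'
The Anjuna Policy Manager server is up and running
- Address: https://apm-server.test:8201
- Certificate: /opt/anjuna/anjuna-policy-manager/dev/conf/https/cert/cert.pem
Add the following entries to your application's manifest
to connect to the Anjuna Policy Manager Server:
policy_manager:
  socket: apm-broker
  url: https://apm-server.test:8201
  ca_cert: |
    -----BEGIN CERTIFICATE-----
    MIIBplaceholderCONSTRUCTEDforTHISexample
    -----END CERTIFICATE-----
EOF
)

# extract_policy_block: read status text on stdin and print from the line that
# starts with "policy_manager:" to the end, removing that line's indentation
# from every line so the block sits at top level of the manifest.
extract_policy_block() {
    awk '
        /^[ \t]*policy_manager:/ {
            match($0, /^[ \t]*/); indent = RLENGTH; found = 1
        }
        found { print substr($0, indent + 1) }
    '
}

# validate_policy_block: read a block on stdin; succeed only if it has the
# three keys and a complete PEM certificate. A truncated copy of the ca_cert
# literal is the usual mistake, and it surfaces later as a TLS failure inside
# the enclave rather than at configuration time.
validate_policy_block() {
    block=$(cat)
    for needle in '^policy_manager:$' '^  socket: ' '^  url: https://' \
                  '^  ca_cert: |$' 'BEGIN CERTIFICATE' 'END CERTIFICATE'; do
        printf '%s\n' "$block" | grep -q -- "$needle" || return 1
    done
}

# block_cert: print the PEM certificate embedded in a block, de-indented,
# so it can be compared byte for byte with the file the server actually uses.
block_cert() {
    awk '
        /-----BEGIN CERTIFICATE-----/ { inpem = 1 }
        inpem { sub(/^[ \t]*/, ""); print }
        /-----END CERTIFICATE-----/ { inpem = 0 }
    '
}

# cert_matches_file BLOCK_FILE CERT_FILE: succeed if the embedded certificate
# equals the PEM on disk (e.g. the path on the "Certificate:" line of the status).
cert_matches_file() {
    block_cert < "$1" | cmp -s - "$2"
}

# append_policy_section STATUS_FILE MANIFEST_FILE: extract, validate, append.
append_policy_section() {
    block=$(extract_policy_block < "$1")
    printf '%s\n' "$block" | validate_policy_block || {
        echo "status output has no complete policy_manager: block" >&2
        return 1
    }
    printf '%s\n' "$block" >> "$2"
}

# Stand-alone demonstration in a scratch directory (run with: sh script.sh demo).
demo() {
    dir=$(mktemp -d)
    printf '%s\n' "$SAMPLE_STATUS" > "$dir/status.txt"
    append_policy_section "$dir/status.txt" "$dir/manifest.template.yaml"
    cat "$dir/manifest.template.yaml"
    rm -rf "$dir"
}

if [ "${1:-}" = "demo" ]; then
    demo
fi
```

In a real deployment, replace SAMPLE_STATUS with the captured output of anjuna-policy-manager server status and point cert_matches_file at the path printed on the Certificate: line; a mismatch means the manifest would pin a different certificate than the one the server is serving, and the enclave's connection would fail verification.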
Example: Starting and Stopping the Server
To start the Anjuna Policy Manager server, execute the following command:
    $ anjuna-policy-manager server start
To stop it, use:
    $ anjuna-policy-manager server stop
Example: Creating and Deleting a Secret
To create a secret called redis/backup with a cryptographically secure random value of 16 bytes, the size of an AES-128 key:
    $ anjuna-policy-manager secret create redis/backup --random 16
To delete the same secret, use:
    $ anjuna-policy-manager secret delete redis/backup
Example: Grant an Enclave Access to a Secret
You can specify an enclave's SGX measurements (MRSIGNER and MRENCLAVE) on the command line, but the easiest way to grant access is to let the tool extract them from the enclave's signature file. The following example authorizes the enclave described by the signature file redis.sig to access the secret named redis/backup. Because the grant is bound to that enclave's MRENCLAVE, a rebuilt enclave has a different measurement and must be authorized again.
    $ anjuna-policy-manager authorize enclave redis/backup --sig-file redis.sig
To revoke access, use:
    $ anjuna-policy-manager revoke enclave redis/backup --sig-file redis.sig
Example: Grant any Enclave with a Specific Signer Access to a Secret
The previous example granted a single enclave (one MRENCLAVE) access to redis/backup. To grant access to every enclave signed with a particular key, regardless of its MRENCLAVE, use authorize signer. This is a broader trust decision: any enclave that key signs in the future, including updated or unrelated builds, also receives the secret, so the signing key must be protected accordingly.
In the following example we pass the MRSIGNER value (026c…) on the command line, but it can also be extracted from a signature file with --sig-file, as in the previous example.
  $ anjuna-policy-manager authorize signer redis/backup \
      --signer 026c65400e8fdf02e9de0481e41ff8cada3ff966241817928859386e30ff6d4f