Anjuna Policy Manager configuration tool

Name

anjuna-policy-manager

Description

The Anjuna Policy Manager configuration utility.

The anjuna-policy-manager tool manages secret keys, including creating them, deleting them, and providing access to them for Intel® SGX enclaves.

Synopsis

# Help
anjuna-policy-manager --help
anjuna-policy-manager SUBCOMMAND --help

# Start the policy manager server
anjuna-policy-manager server start [--timeout [seconds]]

# Stop the policy manager server
anjuna-policy-manager server stop

# Check the status of the policy manager server
anjuna-policy-manager server status

# Reset the policy manager server (delete all its data)
anjuna-policy-manager server reset

# Create a secret using a file's contents for the secret value
anjuna-policy-manager secret create SECRET_NAME --file FILENAME

# Create a secret with a generated cryptographically random value
anjuna-policy-manager secret create SECRET_NAME --random LENGTH

# Create a secret specifying the value on the command line
anjuna-policy-manager secret create SECRET_NAME --value VALUE

# Delete a secret
anjuna-policy-manager secret delete SECRET_NAME

# Grant an enclave access to a secret (the second form extracts the measurements from a signature file)
anjuna-policy-manager authorize enclave SECRET_NAME --signer MRSIGNER --enclave MRENCLAVE
anjuna-policy-manager authorize enclave SECRET_NAME --sig-file SIG_FILE

# Grant all enclaves with a specific signer access to a secret
anjuna-policy-manager authorize signer SECRET_NAME --signer MRSIGNER
anjuna-policy-manager authorize signer SECRET_NAME --sig-file SIG_FILE

# Revoke a secret from an enclave
anjuna-policy-manager revoke enclave SECRET_NAME --signer MRSIGNER --enclave MRENCLAVE
anjuna-policy-manager revoke enclave SECRET_NAME --sig-file SIG_FILE

# Revoke a secret from a signer
anjuna-policy-manager revoke signer SECRET_NAME --signer MRSIGNER
anjuna-policy-manager revoke signer SECRET_NAME --sig-file SIG_FILE

# List all secrets
anjuna-policy-manager list secrets all

# List secrets for enclave
anjuna-policy-manager list secrets enclave --signer MRSIGNER --enclave MRENCLAVE
anjuna-policy-manager list secrets enclave --sig-file SIG_FILE

# List secrets for signer
anjuna-policy-manager list secrets signer --signer MRSIGNER
anjuna-policy-manager list secrets signer --sig-file SIG_FILE

# List enclaves or signers
anjuna-policy-manager list enclaves
anjuna-policy-manager list signers

# List enclaves or signers for a single secret
anjuna-policy-manager list enclaves --secret SECRET_NAME
anjuna-policy-manager list signers --secret SECRET_NAME

# Display a signature file
anjuna-policy-manager inspect SIG_FILE

Global flags

anjuna-policy-manager must know the address, management token, and CA certificate (when using HTTPS) of the Anjuna Policy Manager server. You can specify these parameters using either environment variables or command line flags.

The following example shows how to specify these parameters using environment variables:

$ export ANJUNA_ADDR="https://apm-server.test:1337"
$ export ANJUNA_TOKEN="root-token"
$ export ANJUNA_CACERT="/opt/anjuna/anjuna-policy-manager/dev/conf/https/cert/cert.pem"

To specify these parameters on the command line, use the following flags:

--addr

The address of the Anjuna Policy Manager (for example, https://127.0.0.1:1337)

--token

The management token of the Anjuna Policy Manager (for example, root-token)

--ca-cert

The path to the PEM-encoded CA certificate used to verify the Policy Manager’s TLS certificate (for example, /opt/anjuna/anjuna-policy-manager/dev/conf/https/cert/cert.pem)

--dev

Run the Anjuna Policy Manager in development mode (allowing debug enclaves)

--engine-path

Set alternative path for the secret engine (default is "anjuna")

If the token parameter is not specified, then the Policy Manager uses the following default value:

--token

~/.anjuna-token
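
A pre-flight check for the settings above, as an added example that is not part of the Anjuna documentation or tooling. It assumes ~/.anjuna-token is a file that holds the token and a Linux host with GNU stat; APM_TOKEN_FILE is a hypothetical override used only by this script.

```shell
#!/bin/sh
# Added example, not Anjuna code: check the connection settings before
# running any anjuna-policy-manager subcommand.
# Assumptions: ~/.anjuna-token is a file holding the token; APM_TOKEN_FILE is
# a hypothetical override for this script; stat -c comes from GNU coreutils.

apm_preflight() {
    rc=0

    # The management token is sent to this address, so require TLS.
    case "${ANJUNA_ADDR:-}" in
        https://?*) ;;
        *) echo "ANJUNA_ADDR must be an https:// URL" >&2; rc=1 ;;
    esac

    # Without a readable CA certificate the server cannot be authenticated.
    if [ ! -r "${ANJUNA_CACERT:-}" ] ||
       ! grep -q -e '-----BEGIN CERTIFICATE-----' "$ANJUNA_CACERT" 2>/dev/null; then
        echo "ANJUNA_CACERT must point to a readable PEM certificate" >&2
        rc=1
    fi

    # A token file readable by group or others exposes the management token.
    token_file="${APM_TOKEN_FILE:-$HOME/.anjuna-token}"
    if [ -f "$token_file" ]; then
        mode=$(stat -c '%a' "$token_file")
        case "$mode" in
            *00) ;;
            *) echo "$token_file has mode $mode; expected 600 or stricter" >&2
               rc=1 ;;
        esac
    elif [ -z "${ANJUNA_TOKEN:-}" ]; then
        echo "no token: set ANJUNA_TOKEN or create $token_file" >&2
        rc=1
    fi

    return "$rc"
}

# Usage: apm_preflight && anjuna-policy-manager list secrets all
```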

Running the server

anjuna-policy-manager manages the Anjuna Policy Manager server. Use it to start, stop, and check the running status of the server, and to reset the server (delete all of its data).

When anjuna-policy-manager starts the server, it configures the server to use the HTTPS protocol. During installation, the installer automatically generates self-signed certificates using apm-server.test as the host name. Because the certificate is self-signed, you must:

  • Get a copy of the certificate public key (for development purposes, one may be located at /opt/anjuna/anjuna-policy-manager/dev/conf/https/cert/cert.pem)

  • Insert an entry in the /etc/hosts file (replace <server-ip-address> with the correct value):

  <server-ip-address>    apm-server.test

For the following commands, you can also pass the --dev flag to run in development mode. Do not use this flag in production.

Start the Policy Manager server using the following command:

$ anjuna-policy-manager server start

You can specify a different timeout period for starting the Policy Manager server using the --timeout [seconds] flag. You can also specify a different Anjuna license path using the ANJUNA_LICENSE_PATH environment variable.

Stop the Anjuna Policy Manager server using the following command:

$ anjuna-policy-manager server stop

Run anjuna-policy-manager server status to display the configuration text that should be inserted in the manifest.template.yaml file to configure Anjuna Enterprise Enclaves to use the Policy Manager. The command displays text similar to the following example:

The Anjuna Policy Manager server is up and running
- Address: https://apm-server.test:8201
- Certificate: /opt/anjuna/anjuna-policy-manager/dev/conf/https/cert/cert.pem

Add the following entries to your application's manifest
to connect to the Anjuna Policy Manager server:

  policy_manager:
    socket: apm-broker
    url: https://apm-server.test:8201
    ca_cert: |
      -----BEGIN CERTIFICATE-----
      ...
      -----END CERTIFICATE-----

The section of text that starts with policy_manager: can be pasted unchanged into the manifest.template.yaml for the enclave to configure it to connect to the Anjuna Policy Manager server.

Exit status

  • 0 upon success

  • 1 upon failure

Example: Starting and stopping the server

To start the Anjuna Policy Manager server, execute the following command:

$ anjuna-policy-manager server start

To stop it, use:

$ anjuna-policy-manager server stop

Example: Creating and deleting a secret

To create a secret called redis/backup with a cryptographically secure random value sized for use with AES128:

$ anjuna-policy-manager secret create redis/backup --random 16

To delete the same secret, use:

$ anjuna-policy-manager secret delete redis/backup
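
When the value already exists, the --value form shown in the synopsis puts it on a command line, where shell history and the process list can expose it. The wrapper below is an added example (not Anjuna code) that feeds the value through the documented --file form instead; APM_BIN and the function name are hypothetical.

```shell
#!/bin/sh
# Added example, not Anjuna code. Loads an existing secret value through the
# documented --file form so the value is never a command-line argument.
# APM_BIN is a hypothetical override that lets a stub stand in for the tool.
APM_BIN="${APM_BIN:-anjuna-policy-manager}"

create_secret_from_stdin() {
    secret_name=${1:-}
    [ -n "$secret_name" ] || { echo "usage: create_secret_from_stdin NAME" >&2; return 2; }

    value=
    if [ -t 0 ]; then
        # Interactive: prompt and suppress echo while the value is typed.
        printf 'Value for %s: ' "$secret_name" >&2
        stty -echo
        IFS= read -r value || true
        stty echo
        echo >&2
    else
        # Piped or redirected input: take the first line as the value.
        IFS= read -r value || true
    fi
    [ -n "$value" ] || { echo "empty secret value" >&2; return 2; }

    # mktemp creates the file with mode 0600, readable by the owner only.
    tmp=$(mktemp) || return 1
    # printf is a shell builtin, so the value does not appear in any argv.
    # No trailing newline is written; the file holds exactly the value.
    printf '%s' "$value" > "$tmp"
    unset value

    # The tool exits 0 on success and 1 on failure; pass that status on.
    rc=0
    "$APM_BIN" secret create "$secret_name" --file "$tmp" || rc=$?
    rm -f "$tmp"
    return "$rc"
}

# Usage: create_secret_from_stdin redis/backup < /path/to/value
```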

Example: Grant an enclave access to a secret

You can specify an Intel® SGX enclave’s measurements on the command line, but the easiest way to grant access is by letting the tool extract the measurements automatically from an enclave signature file. The following example authorizes the enclave whose signature file is redis.sig for access to the secret named redis/backup.

$ anjuna-policy-manager authorize enclave redis/backup --sig-file redis.sig

To revoke access, use:

$ anjuna-policy-manager revoke enclave redis/backup --sig-file redis.sig

Example: Grant any enclave with a specific signer access to a secret

In the previous example, you granted an enclave access to redis/backup. You can instead grant all enclaves with a particular signer access to a secret. To grant these enclaves access to a secret, use authorize signer.

In the following example, you pass the MRSIGNER (026c…) value on the command line, but you can also extract it from a signature file as in the previous example.

$ anjuna-policy-manager authorize signer redis/backup \
    --signer 026c65400e8fdf02e9de0481e41ff8cada3ff966241817928859386e30ff6d4f
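
A signer-wide grant covers every enclave with that signer, so it is worth narrowing once the enclave's MRENCLAVE is known. The following added example (not Anjuna code) does that with the subcommands from the synopsis; it assumes enclave and signer grants are stored as independent entries, and APM_BIN, is_measurement and narrow_grant are hypothetical names.

```shell
#!/bin/sh
# Added example, not Anjuna code: replace a signer-wide grant with a grant
# for one enclave, using only subcommands documented on this page.
# Assumptions: enclave and signer grants are independent policy entries;
# APM_BIN is a hypothetical override that lets a stub stand in for the tool.
APM_BIN="${APM_BIN:-anjuna-policy-manager}"

# MRSIGNER and MRENCLAVE are 256-bit values: exactly 64 hex digits.
is_measurement() {
    [ "${#1}" -eq 64 ] || return 1
    case "$1" in *[!0-9a-fA-F]*) return 1 ;; esac
}

narrow_grant() {
    secret=$1 signer=$2 enclave=$3
    is_measurement "$signer"  || { echo "MRSIGNER must be 64 hex digits" >&2; return 2; }
    is_measurement "$enclave" || { echo "MRENCLAVE must be 64 hex digits" >&2; return 2; }

    # Add the narrow grant first so the enclave never loses access, and keep
    # the signer-wide grant if this step fails (the tool exits 1 on failure).
    "$APM_BIN" authorize enclave "$secret" \
        --signer "$signer" --enclave "$enclave" || return 1

    # Only now drop the grant that covers every enclave from this signer.
    "$APM_BIN" revoke signer "$secret" --signer "$signer" || return 3

    # Print what remains on the secret so the result can be reviewed.
    "$APM_BIN" list enclaves --secret "$secret"
    "$APM_BIN" list signers --secret "$secret"
}

# Usage: narrow_grant redis/backup MRSIGNER MRENCLAVE
```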

Example: Display enclave attributes from a signature file

The example below displays the enclave attributes from the signature file openssl.sig.

$ anjuna-policy-manager inspect openssl.sig