Starting and Stopping the Policy Manager

Once the Anjuna Policy Manager has been installed, you can use the anjuna-policy-manager tool to start and stop the server.

Starting the Anjuna Policy Manager

First ensure that the Anjuna Policy Manager is properly installed. See Installing the Policy Manager for more information about installing it.

Before you follow the instructions in this section, make sure that your shell environment has definitions for the variables needed by the Anjuna SGX Runtime. To learn more about how to set up your shell environment for use with the Anjuna SGX Runtime, see the section Setting up the Shell Environment.

To start the Anjuna Policy Manager, run:

$ anjuna-policy-manager server start --dev

This command starts the Policy Manager Server, which is then available for Anjuna SGX Runtime connections.

For simplicity, this section uses the --dev flag, which starts the Policy Manager in development mode. Development mode is insecure and should not be used for production purposes.

On some systems, the Policy Manager Server requires more time to start than on others. To increase the timeout period for the Policy Manager Server, add the --timeout [seconds] flag to the server start command.

When the Anjuna Policy Manager starts, it displays the following message:

Anjuna Policy Manager server is up and running
- Address: https://apm-server.test:8201
- Certificate: /opt/anjuna/anjuna-policy-manager/dev/conf/https/cert/cert.pem

Add the following entries to your application's manifest to connect to the Anjuna Policy Manager Server:

policy_manager: (1)
  socket: apm-broker (2)
  url: https://apm-server.test:8201 (3)
  ca_cert: |  (4)
    -----BEGIN CERTIFICATE----- (5)
    ... (6)
    -----END CERTIFICATE----- (7)

The end of this message contains important configuration information. To configure the Anjuna SGX Runtime to connect to the Anjuna Policy Manager server, you must give it the information in lines 1-7 of the output shown above (the lines marked (1) through (7)).

To use it, you must add those lines to the manifest template for the Anjuna SGX Runtime. The manifest template is a file that is automatically created by the Anjuna SGX Runtime when you configure an application to run in a secure enclave. For more information about the manifest template and how to use it, see Configure Applications for Anjuna.

The manifest template is a file named manifest.template.yaml. If you don’t have this file, either because you have not configured the Anjuna SGX Runtime before, or because the file has been moved or deleted, you can create a new one by running:

$ anjuna-sgxrun --setup

You can then add the referenced lines of the output shown above to the manifest template to configure the Anjuna SGX Runtime to connect to the Anjuna Policy Manager.
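
One way to script this step, as an added example that is not part of Anjuna's tooling or documentation: it reads the startup or status message on stdin, extracts the policy_manager block, and appends it to the manifest template once. The function names, the https and certificate-marker checks, and the assumption that the message is written to stdout are choices made for this example.

```shell
#!/bin/sh
# Added example (not Anjuna's code). Assumes the status message is on stdout.

# Constructed sample of the message; certificate body elided as on this page.
sample_status() {
cat <<'EOF'
The Anjuna Policy Manager server is up and running
- Address: https://apm-server.test:8201
- Certificate: /opt/anjuna/anjuna-policy-manager/dev/conf/https/cert/cert.pem

Add the following entries to your application's manifest to connect to the Anjuna Policy Manager Server:

policy_manager:
  socket: apm-broker
  url: https://apm-server.test:8201
  ca_cert: |
    -----BEGIN CERTIFICATE-----
    ...
    -----END CERTIFICATE-----
EOF
}

# Print the policy_manager block from stdin, dropping "(N)" callout markers
# that appear when the text is copied from the documentation.
extract_policy_block() {
  awk '/^policy_manager:/ { on = 1 }
       on { sub(/[ \t]*\([0-9]+\)[ \t]*$/, ""); print }
       on && /-----END CERTIFICATE-----/ { exit }'
}

# Append the block read from stdin to MANIFEST.
# Returns 1 on unusable input, 2 if the manifest already has the section.
add_policy_manager() {
  manifest=$1
  [ -f "$manifest" ] || { echo "$manifest not found; run anjuna-sgxrun --setup" >&2; return 1; }
  block=$(extract_policy_block)
  for want in '^policy_manager:' '^  url: https://' 'BEGIN CERTIFICATE' 'END CERTIFICATE'; do
    printf '%s\n' "$block" | grep -Eq -- "$want" ||
      { echo "message lacks expected line: $want" >&2; return 1; }
  done
  if grep -q '^policy_manager:' "$manifest"; then
    echo "policy_manager already set in $manifest; not modified" >&2
    return 2
  fi
  printf '%s\n' "$block" >> "$manifest"
}

# Usage: anjuna-policy-manager server status --dev | add_policy_manager manifest.template.yaml
```

Because the function refuses input without the policy_manager block, piping the "not running" message into it leaves the manifest untouched.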

Stopping the Anjuna Policy Manager

To stop the Anjuna Policy Manager, run:

$ anjuna-policy-manager server stop --dev

To find out whether the Anjuna Policy Manager is running, run:

$ anjuna-policy-manager server status --dev

If Anjuna Policy Manager is running, you will see the following message:

$ anjuna-policy-manager server status --dev
The Anjuna Policy Manager server is up and running
- Address: https://apm-server.test:8201
- Certificate: /opt/anjuna/anjuna-policy-manager/dev/conf/https/cert/cert.pem

Add the following entries to your application's manifest to connect to the Anjuna Policy Manager Server:

policy_manager:
  socket: apm-broker
  url: https://apm-server.test:8201
  ca_cert: |
    -----BEGIN CERTIFICATE-----
    ...
    -----END CERTIFICATE-----

Otherwise, you will see this message:

$ anjuna-policy-manager server status --dev
The Anjuna Policy Manager server is not running