Posting a Session
We show how to interact with CAS with the help of curl. This can be helpful during development, since it simplifies quick tests.
We provide a scone command line interface that can be executed inside of an enclave itself.
It can perform an attestation of CAS as well as create and verify policies. Hence, we recommend to use the
We assume that you already started a CAS instance and a LAS instance on your local host. Alternatively, you can use our public CAS instance at scone-cas.cf. Hence, we set the address of CAS as follows:
If you use our public CAS instance, set it as follows:
To interact with CAS, we need to create a client certificate. When we create a session, it is associated with the client certificate of the creator. Any access to this session requires that the client knows the private key of the client certificate.
Let's create a client certificate without a password. Note that you would typically add a password!
mkdir -p conf
if [[ ! -f conf/client.crt || ! -f conf/client-key.key ]] ; then
    openssl req -x509 -newkey rsa:4096 -out conf/client.crt -keyout conf/client-key.key \
        -days 31 -nodes -sha256 \
        -subj "/C=US/ST=Dresden/L=Saxony/O=Scontain/OU=Org/CN=www.scontain.com" \
        -reqexts SAN -extensions SAN \
        -config <(cat /etc/ssl/openssl.cnf <(printf '[SAN]\nsubjectAltName=DNS:www.scontain.com'))
fi
Hello World Session
Let's create a minimal session:
cat > session.yml <<EOF
name: blender
digest: create
services:
  - name: application
    image_name: sconecuratedimages/iexec:blender
    mrenclaves: [96936b6760d1f59b18f2c1a3fa2be205a91d6667dfc6635e8d0bbc1687bc03f2]
    command: blender -b /encryptedInputs/iexec-rlc.blend -o /encryptedOutputs/ -f 1
    pwd: /
    environment:
      SCONE_MODE: hw
images:
  - name: sconecuratedimages/iexec:blender
    mrenclaves: [96936b6760d1f59b18f2c1a3fa2be205a91d6667dfc6635e8d0bbc1687bc03f2]
    tags: [demo]
EOF
We can now upload the session as follows (note that -k makes curl skip verification of the CAS TLS certificate):
curl -k -s --cert conf/client.crt --key conf/client-key.key --data-binary @session.yml -X POST https://$SCONE_CAS_ADDR:8081/session
This results in an output similar to this:
Created Session[id=00ed7ade-bba6-4d43-9135-51d0ca2da9ba, name=blender, status=Pending]
Session already exists
If the session with name "blender" already exists - which will be the case when you use scone-cas.cf - the following error message is issued:
Could not create successor session. Invalid previous session digest: ...
In case the session with name blender already exists, you must choose a different session name.
We can read the session as follows:
curl -k -s --cert conf/client.crt --key conf/client-key.key https://$SCONE_CAS_ADDR:8081/session/blender
This will result in an output like this:
---
name: blender
digest: 313c6c3b824f0a560c445c8ef0cf69781345aae753bdbeaedbfff15c5a348099
board_members:
board_policy:
  minimum: 0
  timeout: 30
images:
  - name: "sconecuratedimages/iexec:blender"
    mrenclaves:
      - 96936b6760d1f59b18f2c1a3fa2be205a91d6667dfc6635e8d0bbc1687bc03f2
    tags:
      - demo
services:
  - name: application
    image_name: "sconecuratedimages/iexec:blender"
    mrenclaves:
      - 96936b6760d1f59b18f2c1a3fa2be205a91d6667dfc6635e8d0bbc1687bc03f2
    environment:
      SCONE_MODE: hw
    command: blender -b /encryptedInputs/iexec-rlc.blend -o /encryptedOutputs/ -f 1
    pwd: /
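A check one might run after reading the session back, as an added example that is not part of the SCONE documentation or tooling: it confirms that the MRENCLAVE values stored in CAS are exactly those in the local session.yml, across the flow-style list of the upload and the block-style list of the read-back. The function names and sample files are assumptions, and the all-zero MRENCLAVE is constructed to show a mismatch.

```bash
# Added example, not SCONE code; function and variable names are hypothetical.

# Print the sorted, unique MRENCLAVE values of a session document on stdin.
# Accepts the flow style of the upload (mrenclaves: [a, b]) and the block
# style CAS returns (one "- a" line per value). The session digest is also
# 64 hex characters, so only values under an mrenclaves key are taken.
extract_mrenclaves() {
  awk '
    function emit(s,   n, parts, i) {
      n = split(s, parts, /[^0-9a-f]+/)
      for (i = 1; i <= n; i++) if (length(parts[i]) == 64) print parts[i]
    }
    /^[- \t]*mrenclaves:/ { in_list = 1; emit($0); next }
    in_list && /^[ \t]*-[ \t]*"?[0-9a-f]+"?[ \t]*$/ { emit($0); next }
    { in_list = 0 }
  ' | sort -u
}

# Succeed only if both files pin exactly the same, non-empty MRENCLAVE set.
# $1 = local session.yml, $2 = session as read back from CAS
same_mrenclaves() {
  want=$(extract_mrenclaves < "$1") || return 2
  got=$(extract_mrenclaves < "$2") || return 2
  [ -n "$want" ] && [ "$want" = "$got" ]
}

# Constructed sample data in the two shapes shown on this page. The MRENCLAVE
# and digest are the page's values; the all-zero MRENCLAVE is made up.
mre=96936b6760d1f59b18f2c1a3fa2be205a91d6667dfc6635e8d0bbc1687bc03f2
dig=313c6c3b824f0a560c445c8ef0cf69781345aae753bdbeaedbfff15c5a348099
bad=$(printf '%064d' 0)
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
printf 'name: blender\ndigest: create\nservices:\n  - name: application\n    mrenclaves: [%s]\nimages:\n  - name: img\n    mrenclaves: [%s]\n' \
  "$mre" "$mre" > "$tmp/session.yml"
printf 'name: blender\ndigest: %s\nimages:\n  - name: img\n    mrenclaves:\n      - %s\n    tags:\n      - demo\n' \
  "$dig" "$mre" > "$tmp/cas.yml"
printf 'name: blender\ndigest: %s\nimages:\n  - name: img\n    mrenclaves:\n      - %s\n' \
  "$dig" "$bad" > "$tmp/tampered.yml"

same_mrenclaves "$tmp/session.yml" "$tmp/cas.yml" && echo "cas.yml: MRENCLAVE set matches"
same_mrenclaves "$tmp/session.yml" "$tmp/tampered.yml" || echo "tampered.yml: MRENCLAVE mismatch"
```

In practice, save the output of the curl read command above to a file and pass it as the second argument.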