CAS Self-Provisioning
Usually, the SCONE CLI is the primary tool to provision the CAS owner configuration, using the scone cas provision --config-file <...> command. This command ties attestation and configuration provisioning together.
For a more streamlined CAS provisioning procedure, CAS can provision itself, eliminating the need for manual CLI interaction. This comes with certain security implications. Read these implications carefully before deciding to enable self-provisioning, especially when running CAS in production mode.
Limitations of Self-Provisioning
Warning
Enabling CAS self-provisioning allows attackers to compromise the confidentiality, integrity, and availability of configuration-affected services.
- Confidentiality: The CAS owner configuration must be provided as a file in the CAS image. Attackers can read this file and extract credentials (IAS/DCAP).
- Integrity: Attackers can manipulate the stored configuration file, remove credentials, disable audit logging, etc. They can also manipulate the CAS owner identity (substituting it with their own).
- Availability: By modifying the configuration file or changing the CAS owner identity, attackers can instigate Denial-of-Service attacks. They can prevent future updates of the CAS owner configuration, prevent the registration of CAS backups, prevent CAS upgrades, or prevent audit log verification.
- Freshness: A Man-in-the-Middle attacker can present a previously provisioned CAS as a fresh CAS, as attestation is decoupled from provisioning. In addition to the availability implications listed above, this can cause sessions and secrets to be stored on an unexpected CAS.
If none of these security issues is relevant to your particular use case, you can enable self-provisioning through the cas provision command:
cas -c "/etc/cas/availability-config.toml" provision --owner-config "/etc/cas/owner-config.toml" --skip-if-already-provisioned --owner-identity "/etc/cas/owner-certificate.pem"
This may be used as a Dockerfile CMD for images derived from the main CAS image. Make sure to ADD the relevant configuration files to the image.
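A Dockerfile for such a derived image could look as follows. This is an added example, not taken from the SCONE documentation: the CAS_BASE_IMAGE build argument and the file names in the build context are assumptions, while the target paths and the command are those shown above.

```dockerfile
# Added example, not part of the original documentation.
# CAS_BASE_IMAGE is a build argument (assumption): pass the reference of the
# main CAS image you derive from, for example
#   docker build --build-arg CAS_BASE_IMAGE=<main CAS image> -t cas-selfprov .
ARG CAS_BASE_IMAGE
FROM ${CAS_BASE_IMAGE}

# Assumed file names in the build context; the target paths are the ones the
# provision command reads. Everything added here can be read by anyone who
# can pull the image, including credentials in the owner configuration.
ADD availability-config.toml /etc/cas/availability-config.toml
ADD owner-config.toml        /etc/cas/owner-config.toml
ADD owner-certificate.pem    /etc/cas/owner-certificate.pem

# Exec form: no shell is involved, so each argument is passed verbatim.
# Assumes the base image does not set an ENTRYPOINT that would receive
# this list as arguments instead of running it.
CMD ["cas", "-c", "/etc/cas/availability-config.toml", \
     "provision", \
     "--owner-config", "/etc/cas/owner-config.toml", \
     "--skip-if-already-provisioned", \
     "--owner-identity", "/etc/cas/owner-certificate.pem"]
```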
Pre-Provisioned CAS Images
We provide a container image for a self-provisioned, production CAS instance: registry.scontain.com/scone.cloud/cas-preprovisioned:latest. The main uses of such self-provisioned CAS instances are:
- to simplify development and testing: one can quickly spawn a local CAS instance to run some tests,
- to spawn transient CAS instances that do not need to be upgraded, and
- for the air-gapped deployment of confidential applications.
Self-provisioned CAS instances can run in debug and production mode. If you use a self-provisioned CAS instance for production, please always attest the instance to verify that it runs in production mode and that no database key was injected. You can attest a self-provisioned CAS like any other CAS using the SCONE CLI.