How to Load Applications into SEE

This guide walks you through deploying a critical application in a safe environment without any dependency on the underlying hardware platform.

The guide uses the HashiCorp Vault application to demonstrate how to load an application into the Secure Execution Environment (SEE). The HashiCorp Vault secret management solution allows encryption of application data using a key encryption concept and can be installed on a Virtual Machine (VM) image.

The following instructions assume that you have created and tested a virtual disk image containing the HashiCorp Vault application. The image can then be uploaded to the SEE, deployed, and run in a safe environment within a FIPS 140-2 Level 3 secure boundary.

Prerequisites

  • Secure Execution Environment (SEE)
  • Virtual disk image containing the HashiCorp Vault application. We recommend using the disk image file type format qcow2. For more information, see Install Virtual Machines - Create Disk Image.

Step 1 - Access SEE Management

To access the SEE and the WebConf management interface, do the following:

  1. Power on your SEE.
  2. Once the FIPS integrity and self-tests are successfully completed, the SEE is connected to the Trust Anchor (TA) and the PiLO displays the main management page, displaying FIPS 140-2 Level 3 Validated.

  3. Select Power On Platform to power on the SFP hypervisor.
  4. Wait for the Trust Anchor to verify the integrity of the boot image used to boot the SFP. When done, the SEE is in operational state OEM (level 1), and SEE is connected to SFP is displayed.
  5. To configure the network to access the SFP over SSH, click Config to toggle to the Config Platform menu and click Network to display the SEE Network Configuration page.
    The network settings of the ports Eth0 and Eth1 are pre-configured. For more information on the SEE network ports, see Network Ports.

  6. Click the eth0 and eth1 buttons to view the default configuration and update the network configuration according to your environment, then click OK to save your changes. For detailed information on SEE network configuration, see Modify Default Network Address.

You now have SSH access in the OEM stage and additional access to the WebConf management interface. WebConf is the SEE web management interface with the same functionality as the text-based VM Admin wizard. For more information on the different states that the SEE operates within, see SEE Operational States.

Step 2 - Upload VM Image

Follow these steps to use WebConf to upload your VM image containing your HashiCorp Vault application to the SEE:

  1. In WebConf, click VM Admin to open the VM Administration page.
  2. Click Upload VM Image.
  3. Click Browse to select your VM image application.
  4. Specify a Destination Filename where you want your file to be stored on the SEE, in this example, /cos/vmImages/org/vault/vault.qcow2.
  5. Click Start Upload to upload your VM image containing the HashiCorp Vault application to the SEE.

For more information on storing your original VM image file, see Install Virtual Machines - Store VM Image.
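Before uploading, you may want to confirm that the file really is a self-contained qcow2 image and record its SHA-256 digest. The following is an added example, not part of the original guide or the SEE tooling; the function names are hypothetical, the header layout follows the public qcow2 format, and the sample header is constructed.

```python
import hashlib
import io
import struct

QCOW2_MAGIC = b"QFI\xfb"
# Big-endian header fields up to crypt_method: magic, version,
# backing_file_offset, backing_file_size, cluster_bits, size, crypt_method.
HEADER = struct.Struct(">4sIQIIQI")
CRYPT = {0: "none", 1: "aes", 2: "luks"}


def inspect_qcow2(stream):
    """Return header facts and the SHA-256 of a qcow2 image read from a binary stream."""
    head = stream.read(HEADER.size)
    if len(head) < HEADER.size:
        raise ValueError("file too short to be a qcow2 image")
    magic, version, bf_off, _bf_size, cluster_bits, vsize, crypt = HEADER.unpack(head)
    if magic != QCOW2_MAGIC:
        raise ValueError("not a qcow2 image (bad magic)")
    if version not in (2, 3):
        raise ValueError(f"unsupported qcow2 version {version}")
    digest = hashlib.sha256(head)
    for chunk in iter(lambda: stream.read(1 << 20), b""):  # hash the rest in 1 MiB chunks
        digest.update(chunk)
    return {
        "version": version,
        "virtual_size": vsize,
        "cluster_size": 1 << cluster_bits,
        "has_backing_file": bf_off != 0,
        "encryption": CRYPT.get(crypt, f"unknown({crypt})"),
        "sha256": digest.hexdigest(),
    }


def ready_for_upload(info):
    """An overlay with a backing file depends on a second file that is not uploaded with it."""
    return not info["has_backing_file"]


def sample_header(backing=False):
    # Constructed 36-byte header: version 3, 64 KiB clusters, 10 GiB virtual size.
    return HEADER.pack(QCOW2_MAGIC, 3, 0x200 if backing else 0,
                       14 if backing else 0, 16, 10 << 30, 0)


if __name__ == "__main__":
    info = inspect_qcow2(io.BytesIO(sample_header()))
    print(info, "ready:", ready_for_upload(info))
```

For a real image, open it in binary mode (`open(path, "rb")`) and pass the file object to `inspect_qcow2`; keep the digest with your record of the original VM image.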

Step 3 - Configure VM

With your VM image uploaded to the SEE, do the following to register the VM image and configure the VM:

  1. In WebConf, click VM Admin > Create new VM.
  2. Specify the following in the Virtual Machine Creation Form:
    • VM Name: Specify the name of the VM, in this example vault.
    • Disk Image Path: Specify the path to your disk image, in this example: /cos/vmImages/org/vault/.
    • Primary Snapshot Path: Specify the path to the primary snapshot, in this example: /cos/vmImages/base/vault/.
    • Secondary Snapshot Path: Specify the path to the secondary snapshot, in this example: /cos/vmImages/work/vault/.
    • VNC Port: Ensure that the correct port is specified.

  3. Click Save to create the VM.

The VM Administration page now displays the VM vault application in the sidebar menu.

Step 4 - Start and Verify Access to VM

To start the VM and verify that you can access the application, do the following:

  1. In WebConf, click VM Admin and select the VM vault application in the sidebar.
  2. Click Start to start up the VM.
  3. The VM vault is now displayed as running and indicated in green in the sidebar menu.
  4. In WebConf, click VM Viewer to view the desktop of the VM vault. 
  5. Start a command prompt and run the following command to get the network address of the VM:

    ip a

  6. In your browser, enter the network address to verify that you can access the VM vault application from the outside.

Your VM vault application is now running and can be accessed from outside of the SEE.

Step 5 - Deploy Application

To deploy the application you need to increase the level of security of the SEE to the End User state. This is the highest level of restriction and the SFP will only provide access to executing the virtual machine(s) via their configured network ports. For more information, see SEE Operational States.

To deploy the application and increase the security level, do the following:

  1. First, to verify the current operational state, click the PiLO menu option Config > Config Platform > Operational State to display the SEE Operational State Configuration page, currently displaying the Current Operational Level: OEM.
  2. Next, to shut down the SFP and the VM: 
    • Go back to WebConf and select VM Admin.
    • Select the VM vault application in the sidebar.
    • Click Shutdown to shut it down.
  3. Then, to change the operational level, do the following:
    • Go back to the PiLO and click Increase Operational Level.
    • Confirm that you want to continue and increase the operational level.
    • The operational level is increased and the SFP hypervisor is forced to shut down.
    • Wait until the SFP has powered off and click Power On Platform to start the SEE again.
    • Go to SEE Operational State Configuration and confirm that the Current Operational Level is End User. This means that you cannot access the VM application using the WebConf web interface but you can access the vault application.
  4. To unseal and sign in to the Vault application, go to your vault application and do the following:
    • Enter the Master Key Portion, and then click Unseal to unseal the vault.
    • Sign in to the vault by entering the Token and click Sign In.

Your application is now up and running in a safe environment and you can use the PiLO to monitor your SEE in a secure state. For more information on displaying status details, see PiLO Management. The secrets are protected within the FIPS 140-2 Level 3 boundary, and everything is contained within the epoxy resin.

If you need to maintain or update the firmware of the SEE or if you need to update the application itself, you can decrease the operational level while performing the maintenance and then go back to the increased security level.