Making an Attested Connection

Overview

This guide shows how to connect to a deployed enclave. Whether you are the admin who just deployed the application or a user with permission to connect to it, you need OBLV Client installed in your local environment. Once it is installed, you can use our CLI, together with the application's configuration YAML file and URL, to connect to it securely.

Install OBLV Client

The OBLV Client is a command-line interface that enables users to interact with the Oblivious service. It provides a convenient way to manage and deploy Oblivious resources from your local machine.

The OBLV Client can be installed on three different operating systems. For installation instructions, please refer to the OBLV Client Installation section.

OBLV Client

Once installed, you can use the OBLV Client to perform all operations and configurations related to OBLV Deploy. For more details on the available options, refer to the OBLV Client Reference page.

Running the Application

With the OBLV Client installed, the application you've deployed can be accessed from anywhere, as long as you have the configuration file created in the Deployment process. With that file, you can access your application by running the following OBLV Client command:

oblv connect --url <application_URL> --config <your_config_file> --auth-passthrough

Where:

  • <your_config_file>: The path to your config file.
  • <application_URL>: Represents the URL of the application you want to connect to.

Example

oblv connect --url https://fastapi-hello.oblv.com:4455 --config /tmp/fastapi.yaml --auth-passthrough
[2025-04-09 13:06:50] INFO [oblv_cli_lib]: ✅ obtained the configuration for oblv cli
[2025-04-09 13:06:50] INFO [lib_ccli]: ✅ Parsed the enclave url successfully
[2025-04-09 13:06:52] INFO [lib_ccli]: ✅ The enclave is healthy
[2025-04-09 13:06:55] INFO [lib_ccli]: ✅ Obtained the attestation document from the enclave
[2025-04-09 13:06:55] INFO [lib_ccli::attestation]: ✅ using the PCR values from the config
[2025-04-09 13:06:55] INFO [lib_ccli::attestation]: ==> Validating PCR Codes
[2025-04-09 13:06:55] INFO [lib_ccli::attestation]: ---> ✅ PCR16 validated successfully
[2025-04-09 13:06:55] INFO [lib_ccli::attestation]: ---> ✅ PCR0 validated successfully
[2025-04-09 13:06:55] INFO [lib_ccli::attestation]: ---> ✅ PCR1 validated successfully
[2025-04-09 13:06:55] INFO [lib_ccli::attestation]: ---> ✅ PCR2 validated successfully
[2025-04-09 13:06:55] INFO [lib_ccli::attestation]: ✅ PCR codes validated successfully
[2025-04-09 13:06:55] INFO [lib_ccli::attestation]: Extracting SSL certificate
[2025-04-09 13:06:55] INFO [lib_ccli::attestation]: ✅ SSL certificate extracted
[2025-04-09 13:06:55] INFO [lib_ccli::attestation]: Extracting the thumbprint and server name
[2025-04-09 13:06:55] INFO [lib_ccli::attestation]: parsing the cert chain
[2025-04-09 13:06:55] INFO [lib_ccli::attestation]: ✅ Extracted the server name and tls thumbprint successfully
[2025-04-09 13:06:55] INFO [lib_ccli::attestation]: ✅ Parsed the tls certificate successfully
[2025-04-09 13:06:55] INFO [lib_ccli::attestation]: Validating the tls certificate with the thumbprint
[2025-04-09 13:06:55] INFO [lib_ccli::attestation]: ✅ TLS certificate validated successfully with the tls thumbprint
[2025-04-09 13:06:55] INFO [lib_ccli::attestation]: Using this certificate for the communication with the enclave
[2025-04-09 13:06:55] INFO [lib_ccli::attestation]: Calculating the Hash for the manifest
[2025-04-09 13:06:55] INFO [lib_ccli::attestation]: ✅ Calculated the hash for the manifest
[2025-04-09 13:06:55] INFO [lib_ccli::attestation]: Validating the manifest hash
[2025-04-09 13:06:55] INFO [lib_ccli::attestation]: ✅ Manifest hash validated successfully
[2025-04-09 13:06:55] INFO [lib_ccli::attestation]: ✅ overall manifest digest validated successfully
[2025-04-09 13:06:55] INFO [lib_ccli::attestation]: Validating the container digests
[2025-04-09 13:06:55] INFO [lib_ccli::attestation]: ==> public.ecr.aws/oblivious-ai/oblv-sample-fastapi:latest
[2025-04-09 13:06:55] INFO [lib_ccli::attestation]: ✅ Container public.ecr.aws/oblivious-ai/oblv-sample-fastapi:latest validated successfully
[2025-04-09 13:06:55] INFO [lib_ccli::attestation]: ✅ Container digests validated successfully
[2025-04-09 13:06:55] INFO [lib_ccli::attestation]: Validating the plugins
[2025-04-09 13:06:55] INFO [lib_ccli]: ✅ Enclave attestated successfully.
[2025-04-09 13:06:55] INFO [oblv_cli_lib]: host ip not provided, using the default host ip 127.0.0.1
[2025-04-09 13:06:55] INFO [oblv_cli_lib]: local-port not provided, using the default port 3030
[2025-04-09 13:06:55] INFO [oblv_cli_lib]: using the remote port: Some(4455)
[2025-04-09 13:06:55] INFO [oblv_cli_lib]: Connecting to the enclave: hello-fastapi-b8dcf1e27d-6d9d8c9c88-kcpqf
[2025-04-09 13:06:55] INFO [oblv_cli_lib]: ✅ Starting proxy server on: 3030...
[2025-04-09 13:06:55] INFO [warp::server]: Server::run; addr=127.0.0.1:3030
[2025-04-09 13:06:55] INFO [warp::server]: listening on http://127.0.0.1:3030
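
The log above shows the order of checks the client reports before it opens the local proxy. As an added example (not part of the OBLV documentation or the OBLV Client), the following Python check audits a captured `oblv connect` log and confirms that every attestation stage passed before the proxy started. The function name `audit_connect_log`, the default PCR set (taken from the example log) and the assumption that your client version emits the same message strings are mine.

```python
import re

# Success markers as they appear in the `oblv connect` log on this page.
REQUIRED_STAGES = {
    "tls_pin": "TLS certificate validated successfully with the tls thumbprint",
    "manifest": "Manifest hash validated successfully",
    "containers": "Container digests validated successfully",
    "attested": "Enclave attestated successfully",  # spelling as emitted
}
PROXY_START = "Starting proxy server on"
PCR_LINE = re.compile(r"PCR(\d+) validated successfully")
CONTAINER_LINE = re.compile(r"Container (\S+[/:]\S+) validated successfully")

# Excerpt of the page's example log, timestamps dropped to keep lines short.
SAMPLE_OK = """\
INFO [lib_ccli::attestation]: ---> ✅ PCR16 validated successfully
INFO [lib_ccli::attestation]: ---> ✅ PCR0 validated successfully
INFO [lib_ccli::attestation]: ---> ✅ PCR1 validated successfully
INFO [lib_ccli::attestation]: ---> ✅ PCR2 validated successfully
INFO [lib_ccli::attestation]: ✅ TLS certificate validated successfully with the tls thumbprint
INFO [lib_ccli::attestation]: ✅ Manifest hash validated successfully
INFO [lib_ccli::attestation]: ✅ Container public.ecr.aws/oblivious-ai/oblv-sample-fastapi:latest validated successfully
INFO [lib_ccli::attestation]: ✅ Container digests validated successfully
INFO [lib_ccli]: ✅ Enclave attestated successfully.
INFO [oblv_cli_lib]: ✅ Starting proxy server on: 3030...
"""

def audit_connect_log(log_text, expected_pcrs=(0, 1, 2, 16)):
    """Report which attestation stages a connect log records as passed."""
    seen, pcrs, containers, proxy_at = {}, set(), [], None
    for idx, line in enumerate(log_text.splitlines()):
        for name, marker in REQUIRED_STAGES.items():
            if marker in line:
                seen.setdefault(name, idx)
        if m := PCR_LINE.search(line):
            pcrs.add(int(m.group(1)))
        if m := CONTAINER_LINE.search(line):
            containers.append(m.group(1))
        if proxy_at is None and PROXY_START in line:
            proxy_at = idx
    problems = [f"missing stage: {n}" for n in REQUIRED_STAGES if n not in seen]
    problems += [f"PCR{p} not validated" for p in sorted(set(expected_pcrs) - pcrs)]
    if proxy_at is None or seen.get("attested", proxy_at + 1) > proxy_at:
        problems.append("no proxy start after a completed attestation")
    return {"ok": not problems, "pcrs": sorted(pcrs), "containers": containers, "problems": problems}

if __name__ == "__main__":
    print(audit_connect_log(SAMPLE_OK))
```

Log messages are not a stable interface, so treat this as an after-the-fact audit of what the client reported, not as a replacement for the client's own verification.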

Connection Modes

The OBLV Client supports multiple connection modes to suit different application requirements:

  • http: The default mode. Starts a local HTTP reverse proxy on the specified port and forwards requests to the enclave over a secure TLS tunnel.
  • tcp: Starts a local TCP server and relays incoming data to the enclave over TLS. Useful for non-HTTP protocols.
  • tcp_passthrough: Starts a local TCP reverse proxy without handling TLS. Use this when your application already manages its own TLS.

For more details on these modes and their usage, see the OBLV Client Modes Guide.

Tip: To learn more about OBLV Client, refer to the OBLV Client Reference page.

By default, the application is available locally at localhost:3030. You can use the -l flag to specify a different local port for the application.

What's Next?

Now that you are connected to an enclave, this tutorial has come to an end. Learn more about confidential computing and everything OBLV Deploy employs to make your application secure in the Core Concepts section of this documentation.