OBLV Client

Overview

OBLV Client (Oblivious Command Line Interface) is a reverse proxy designed to forward client HTTP requests to the enclave using a secure TLS connection.

CLI Command Reference

OBLV Client provides several commands for managing configurations, attesting and establishing connections with enclaves. Here is an overview of each command and its functionality:

`oblv attest`

Synopsis
Usage
Options

Attestation is the most important feature of an enclave. It is a process to verify that the software running in the enclave is exactly the same that is required by the user.

oblv attest requires a config file which contains the PCR codes and the digests of the containers used by the application running in the enclave.

oblv attest [OPTIONS] --url <URL> --config <CONFIG>

-u, --url <URL>

URL of the enclave to connect to.

-c, --config <CONFIG>

Path to the configuration file.

-P, --peer-config <PEER_CONFIG>

Peer configuration file (optional argument).

--oblv-services-port <OBLV_SERVICES_PORT>

Port for OBLV services. Default: 12002 (optional argument).

-i, --ingress-proxy <INGRESS_PROXY>

Flag to determine if the enclave uses an ingress proxy. Default: true [possible values: true, false].

-h, --help

Print help.

`oblv configure`

Synopsis
Usage
Options
Flags

oblv configure is a command used to manage and update the YAML configuration file containing the information to validate the enclave and configuration settings required by the CLI itself.

It supports subcommands for updating specific configuration aspects like PCR codes, plugin configuration, log settings, and authentication details.

oblv configure [OPTIONS] --config <CONFIG> [COMMAND]

--config <CONFIG>

Path to the configuration file.

--oblv-enclave-version <OBLV_ENCLAVE_VERSION>

OBLV API version (optional argument).

--pcr0 <PCR0>

Value for PCR0 (hash of the enclave image file) (optional argument).

--pcr1 <PCR1>

Value for PCR1 (hash of Linux kernel and bootstrap) (optional argument).

--pcr2 <PCR2>

Value for PCR2 (hash of the application) (optional argument).

--pcr16 <PCR16>

Value for PCR16 (hash of the OBLV manifest file) (optional argument).

--pcr-check <PCR_CHECK>

Flag to disable PCR validation (not recommended for production). [possible values: true, false] (optional argument).

--pcr-server <PCR_SERVER>

URL for the PCR server (optional argument).

--use-pcr-server <USE_PCR_SERVER>

Flag to use the PCR server for validation. Default: false [possible values: true, false] (optional argument).

--max-retries <MAX_RETRIES>

Maximum retries for health check and attestation requests (optional argument).

--retry-timeout <RETRY_TIMEOUT>

Retry timeout in seconds for health check and attestation requests (optional argument).

-h, --help

Print help.

Subcommands include:

oblv configure image Update the image to reflect what is running inside the enclave.
oblv configure plugin Update the plugin to reflect what is running inside the enclave.
oblv configure auth Configure the auth details in the configuration file.
oblv configure log Configure the logging details in the configuration file.

`oblv configure image`

Synopsis
Usage
Options

Update the image to reflect what is running inside the enclave.

Note: oblv configure image just updates the image name and the digest for a given image.
It does not update the other configuration details in the configuration file.
If a new image name is provided, it creates a new entry for that image with empty/default values in the configuration file.

oblv configure --config <CONFIG> image --image <IMAGE> --digest <DIGEST>

-i, --image <IMAGE>

Image name.

-d, --digest <DIGEST>

Digest for the Docker image.

-h, --help

Print help.

`oblv configure plugin`

Synopsis
Usage
Options

Update the plugin to reflect what is running inside the enclave.

Note: oblv configure plugin just updates the plugin name and the digest for a given plugin.
It does not update the other configuration details in the configuration file.
If a new plugin name is provided, it creates a new entry for that plugin with empty/default values in the configuration file.

oblv configure --config <CONFIG> plugin --name <NAME> --config-digest <CONFIG_DIGEST>

-n, --name <NAME>

Plugin name.

-c, --config-digest <CONFIG_DIGEST>

Plugin config digest.

-h, --help

Print help.

`oblv configure auth`

Synopsis
Usage
Options

Configure the auth details in the configuration file.

The oblv configure auth command allows you to set up authentication details required for the enclave.

oblv configure --config <CONFIG> auth [OPTIONS] --url <URL> --client-id <CLIENT_ID> --client-secret <CLIENT_SECRET>

-u, --url <URL>

Auth server URL.

-c, --client-id <CLIENT_ID>

Client ID.

-s, --client-secret <CLIENT_SECRET>

Client secret.

-g, --grant-type <GRANT_TYPE>

Grant type (optional argument).

-S, --scope <SCOPE>

Scope (optional argument).

-h, --help

Print help.

`oblv configure log`

Synopsis
Usage
Options

Configure the logging details in the configuration file.

The oblv configure log command allows you to set the verbosity, size, and retention period of log files.

oblv configure --config <CONFIG> log [OPTIONS]

-l, --log-level <LOG_LEVEL>

Verbosity of the logs (optional argument).
[possible values: "info", "error", "debug", "warn", "trace", ""].

-m, --max-size-in-mb <MAX_SIZE_IN_MB>

The maximum size of a single log file in MB (optional argument).

-r, --retention-period-in-days <RETENTION_PERIOD_IN_DAYS>

The maximum period for which the log file would be retained in days (optional argument).

-h, --help

Print help.

`oblv connect`

Synopsis
Usage
Options

Connects to the OBLV Deploy enclave.

In this process, the OBLV CLI:

Performs the health check on the enclave.
Performs the attestation using the details provided in the config file.
Upon successful attestation, the CLI starts the reverse proxy or operates in the specified mode.

oblv connect [OPTIONS] --url <URL>

-u, --url <URL>

URL of the enclave to connect to.

--config <CONFIG>

Path to the configuration file (optional argument).

-c, --controller

Flag to determine whether to operate in controller mode. Default: false (optional argument).
(Deprecated: use --mode controller instead).

-m, --manifest <MANIFEST>

Path to the manifest file (used in controller mode).

-H, --host <HOST>

IP address on which the OBLV Client listens (used in user mode). Default: "127.0.0.1" (optional argument).

-l, --local-port <LOCAL_PORT>

Local port used to launch the OBLV Client (used in user mode). Default: 3030 (optional argument).

-p, --pcr16 <PCR16> Location of the file where PCR16 value is stored (used in controller mode).

-a, --auth-passthrough

Flag to determine whether to bypass authentication.

-M, --mode <MODE>

The mode in which OBLV Client operates. Default: "http".
[possible values: tcp, tcp_passthrough, http, controller]. refer to the Modes section for more details.

-r, --remote-port <REMOTE_PORT>

Remote port of the enclave to connect to (used in the http, tcp, and tcp_passthrough modes) (optional argument).

-P, --peer-config <PEER_CONFIG>

File consisting of configuration of the peer enclaves (optional argument).

--oblv-services-port <OBLV_SERVICES_PORT>

Port to perform attestation and health check. Default: 12002 (optional argument).

--manifest-upload-port <MANIFEST_UPLOAD_PORT>

Port for manifest upload (used in controller mode). Default: 12003 (optional argument).

-i, --ingress-proxy <INGRESS_PROXY>

Flag to determine if the enclave uses an ingress proxy. Default: true [possible values: true, false].

-h, --help

Print help.

`oblv get-config`

Synopsis
Usage
Options
Flags

To handwrite the config file required to connect to the enclave is a tedious task. OBLV CLI provides a way to make it easy.

The oblv get-config command generates a config.yaml file from the enclave's manifest file. This is the template config file which contains all of the information about the enclave, but it needs to be updated for user-specific details such as:

auth credentials
Users' preference for logging etc.

oblv get-config [OPTIONS] --manifest <MANIFEST> --config <CONFIG>

--manifest <MANIFEST>

manifest file

-c, --config <CONFIG>

The YAML configuration file used to validate the enclave.

--log-level <LOG_LEVEL>

log level

`oblv get-peer-config`

Synopsis
Usage
Options

The oblv get-peer-config command generates the peer configuration file from the given input directory.

A peer enclave is an enclave that another enclave is permitted to communicate with after successful attestation.

Below is a sample peer config, which includes the hash for the enclave configuration along with the list of enclaves that share the same config:

{
  "fastapi.yaml": {
    "enclave_config": "62382adea2b537437a7ab1e987a0f56ae9a43922e934366fac5acd5ac707fde45be38c29d52ed96334d86163eaca7eef",
    "enclaves": [
      "localhost",
      "fastapi2"
    ]
  },
  "websocket.yaml": {
    "enclave_config": "49338f279752cf0356e413b1c05228201ac8612f8fcec20eeb6a7d2716aba10b53c3e55d1770fa343ad6aece8a4e0f1b",
    "enclaves": [
      "websocket1",
      "websocket2"
    ]
  }
}

oblv get-peer-config --peer-config-dir <PEER_CONFIG_DIR> --peer-config-file <PEER_CONFIG_FILE> --outbound-json <OUTBOUND_JSON>

-p, --peer-config-dir <PEER_CONFIG_DIR>

Peer-config directory.

-P, --peer-config-file <PEER_CONFIG_FILE>

Peer-config file.

-o, --outbound-json <OUTBOUND_JSON>

Outbound JSON file.

-h, --help

Print help.

What's Next?

For additional information on how to install OBLV CLI, refer to the Installing the CLI Proxy page.

Overview​

CLI Command Reference​

oblv attest​

oblv configure​

oblv configure image​

oblv configure plugin​

oblv configure auth​

oblv configure log​

oblv connect​

oblv get-config​

oblv get-peer-config​

What's Next?​

Overview

CLI Command Reference

`oblv attest`

`oblv configure`

`oblv configure image`

`oblv configure plugin`

`oblv configure auth`

`oblv configure log`

`oblv connect`

`oblv get-config`

`oblv get-peer-config`

What's Next?