OBLV Client
Overview
OBLV Client (Oblivious Command Line Interface) is a reverse proxy designed to forward client HTTP requests to the enclave using a secure TLS connection.
CLI Command Reference
OBLV Client provides several commands for managing configurations, attesting and establishing connections with enclaves. Here is an overview of each command and its functionality:
oblv attest
Attestation is the most important feature of an enclave. It is the process of verifying that the software running in the enclave is exactly the software the user requires.
oblv attest requires a config file that contains the PCR codes and the digests of the containers used by the application running in the enclave.
oblv attest [OPTIONS] --url <URL> --config <CONFIG>
-u, --url <URL>
URL of the enclave to connect to.
-c, --config <CONFIG>
Path to the configuration file.
-P, --peer-config <PEER_CONFIG>
Peer configuration file (optional argument).
--oblv-services-port <OBLV_SERVICES_PORT>
Port for OBLV services. Default: 12002 (optional argument).
-i, --ingress-proxy <INGRESS_PROXY>
Flag to determine if the enclave uses an ingress proxy. Default: true [possible values: true, false].
-h, --help
Print help.
oblv configure
oblv configure is a command used to manage and update the YAML configuration file containing the information to validate the enclave and configuration settings required by the CLI itself.
It supports subcommands for updating specific configuration aspects like PCR codes, plugin configuration, log settings, and authentication details.
oblv configure [OPTIONS] --config <CONFIG> [COMMAND]
--config <CONFIG>
Path to the configuration file.
--oblv-enclave-version <OBLV_ENCLAVE_VERSION>
OBLV API version (optional argument).
--pcr0 <PCR0>
Value for PCR0 (hash of the enclave image file) (optional argument).
--pcr1 <PCR1>
Value for PCR1 (hash of Linux kernel and bootstrap) (optional argument).
--pcr2 <PCR2>
Value for PCR2 (hash of the application) (optional argument).
--pcr16 <PCR16>
Value for PCR16 (hash of the OBLV manifest file) (optional argument).
--pcr-check <PCR_CHECK>
Flag to disable PCR validation (not recommended for production). [possible values: true, false] (optional argument).
--pcr-server <PCR_SERVER>
URL for the PCR server (optional argument).
--use-pcr-server <USE_PCR_SERVER>
Flag to use the PCR server for validation. Default: false [possible values: true, false] (optional argument).
--max-retries <MAX_RETRIES>
Maximum retries for health check and attestation requests (optional argument).
--retry-timeout <RETRY_TIMEOUT>
Retry timeout in seconds for health check and attestation requests (optional argument).
-h, --help
Print help.
Subcommands include:
- oblv configure image: Update the image to reflect what is running inside the enclave.
- oblv configure plugin: Update the plugin to reflect what is running inside the enclave.
- oblv configure auth: Configure the auth details in the configuration file.
- oblv configure log: Configure the logging details in the configuration file.
oblv configure image
Update the image to reflect what is running inside the enclave.
Note: oblv configure image just updates the image name and the digest for a given image.
It does not update the other configuration details in the configuration file.
If a new image name is provided, it creates a new entry for that image with empty/default values in the configuration file.
oblv configure --config <CONFIG> image --image <IMAGE> --digest <DIGEST>
-i, --image <IMAGE>
Image name.
-d, --digest <DIGEST>
Digest for the Docker image.
-h, --help
Print help.
oblv configure plugin
Update the plugin to reflect what is running inside the enclave.
Note: oblv configure plugin just updates the plugin name and the digest for a given plugin.
It does not update the other configuration details in the configuration file.
If a new plugin name is provided, it creates a new entry for that plugin with empty/default values in the configuration file.
oblv configure --config <CONFIG> plugin --name <NAME> --config-digest <CONFIG_DIGEST>
-n, --name <NAME>
Plugin name.
-c, --config-digest <CONFIG_DIGEST>
Plugin config digest.
-h, --help
Print help.
oblv configure auth
Configure the auth details in the configuration file.
The oblv configure auth command allows you to set up authentication details required for the enclave.
oblv configure --config <CONFIG> auth [OPTIONS] --url <URL> --client-id <CLIENT_ID> --client-secret <CLIENT_SECRET>
-u, --url <URL>
Auth server URL.
-c, --client-id <CLIENT_ID>
Client ID.
-s, --client-secret <CLIENT_SECRET>
Client secret.
-g, --grant-type <GRANT_TYPE>
Grant type (optional argument).
-S, --scope <SCOPE>
Scope (optional argument).
-h, --help
Print help.
oblv configure log
Configure the logging details in the configuration file.
The oblv configure log command allows you to set the verbosity, size, and retention period of log files.
oblv configure --config <CONFIG> log [OPTIONS]
-l, --log-level <LOG_LEVEL>
Verbosity of the logs (optional argument).
[possible values: "info", "error", "debug", "warn", "trace", ""].
-m, --max-size-in-mb <MAX_SIZE_IN_MB>
The maximum size of a single log file in MB (optional argument).
-r, --retention-period-in-days <RETENTION_PERIOD_IN_DAYS>
The maximum period for which the log file would be retained in days (optional argument).
-h, --help
Print help.
oblv connect
Connects to the OBLV Deploy enclave.
In this process, the OBLV CLI:
- Performs the health check on the enclave.
- Performs the attestation using the details provided in the config file.
- Upon successful attestation, starts the reverse proxy or operates in the specified mode.
oblv connect [OPTIONS] --url <URL>
-u, --url <URL>
URL of the enclave to connect to.
--config <CONFIG>
Path to the configuration file (optional argument).
-c, --controller
Flag to determine whether to operate in controller mode. Default: false (optional argument).
(Deprecated: use --mode controller instead).
-m, --manifest <MANIFEST>
Path to the manifest file (used in controller mode).
-H, --host <HOST>
IP address on which the OBLV Client listens (used in user mode). Default: "127.0.0.1" (optional argument).
-l, --local-port <LOCAL_PORT>
Local port used to launch the OBLV Client (used in user mode). Default: 3030 (optional argument).
-p, --pcr16 <PCR16>
Location of the file where PCR16 value is stored (used in controller mode).
-a, --auth-passthrough
Flag to determine whether to bypass authentication.
-M, --mode <MODE>
The mode in which OBLV Client operates. Default: "http".
[possible values: tcp, tcp_passthrough, http, controller].
Refer to the Modes section for more details.
-r, --remote-port <REMOTE_PORT>
Remote port of the enclave to connect to (used in the http, tcp, and tcp_passthrough modes) (optional argument).
-P, --peer-config <PEER_CONFIG>
File consisting of configuration of the peer enclaves (optional argument).
--oblv-services-port <OBLV_SERVICES_PORT>
Port to perform attestation and health check. Default: 12002 (optional argument).
--manifest-upload-port <MANIFEST_UPLOAD_PORT>
Port for manifest upload (used in controller mode). Default: 12003 (optional argument).
-i, --ingress-proxy <INGRESS_PROXY>
Flag to determine if the enclave uses an ingress proxy. Default: true [possible values: true, false].
-h, --help
Print help.
oblv get-config
Writing the config file required to connect to the enclave by hand is tedious, so OBLV CLI provides a command that makes it easier.
The oblv get-config command generates a config.yaml file from the enclave's manifest file.
This template config file contains all of the information about the enclave, but it needs to be updated with user-specific details such as:
- Auth credentials
- The user's logging preferences, etc.
oblv get-config [OPTIONS] --manifest <MANIFEST> --config <CONFIG>
--manifest <MANIFEST>
Manifest file.
-c, --config <CONFIG>
The YAML configuration file used to validate the enclave.
--log-level <LOG_LEVEL>
Log level.
-h, --help
Print help.
oblv get-peer-config
The oblv get-peer-config command generates the peer configuration file from the given input directory.
A peer enclave is an enclave that another enclave is permitted to communicate with after successful attestation.
Below is a sample peer config, which includes the hash for the enclave configuration along with the list of enclaves that share the same config:
{
"fastapi.yaml": {
"enclave_config": "62382adea2b537437a7ab1e987a0f56ae9a43922e934366fac5acd5ac707fde45be38c29d52ed96334d86163eaca7eef",
"enclaves": [
"localhost",
"fastapi2"
]
},
"websocket.yaml": {
"enclave_config": "49338f279752cf0356e413b1c05228201ac8612f8fcec20eeb6a7d2716aba10b53c3e55d1770fa343ad6aece8a4e0f1b",
"enclaves": [
"websocket1",
"websocket2"
]
}
}
oblv get-peer-config --peer-config-dir <PEER_CONFIG_DIR> --peer-config-file <PEER_CONFIG_FILE> --outbound-json <OUTBOUND_JSON>
-p, --peer-config-dir <PEER_CONFIG_DIR>
Peer-config directory.
-P, --peer-config-file <PEER_CONFIG_FILE>
Peer-config file.
-o, --outbound-json <OUTBOUND_JSON>
Outbound JSON file.
-h, --help
Print help.
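Because a peer config decides which enclaves may talk to each other after attestation, it is worth reviewing a regenerated file before passing it to --peer-config. The following is an added example, not OBLV code: it checks a parsed peer config of the shape shown in the sample above and reports trust-relevant changes against a previously reviewed copy. The 96-character hex digest length is inferred from the sample values, and the rule that a host may appear under only one config, the function names and the sample data are assumptions of this example.

```python
import re

# Assumption: digests are 96 lowercase hex chars, like the sample values above.
DIGEST_RE = re.compile(r"[0-9a-f]{96}")


def validate_peer_config(cfg):
    """Return structural problems in a parsed peer config (json.load output)."""
    problems, owner = [], {}
    for name, entry in cfg.items():
        digest = entry.get("enclave_config")
        if not isinstance(digest, str) or not DIGEST_RE.fullmatch(digest):
            problems.append(f"{name}: enclave_config is not a 96-char hex digest")
        enclaves = entry.get("enclaves") or []
        if not enclaves:
            problems.append(f"{name}: no enclaves listed")
        for host in enclaves:
            if host in owner:  # example policy: one host, one expected config
                problems.append(f"{host}: listed under {owner[host]} and {name}")
            owner.setdefault(host, name)
    return problems


def diff_peer_configs(baseline, candidate):
    """Report trust-relevant changes between a reviewed file and a new one."""
    changes = []
    for name, entry in candidate.items():
        old = baseline.get(name)
        if old is None:
            changes.append(f"{name}: new peer group")
            continue
        if old["enclave_config"] != entry["enclave_config"]:
            changes.append(f"{name}: enclave_config digest changed")
        for host in sorted(set(entry["enclaves"]) - set(old["enclaves"])):
            changes.append(f"{name}: enclave added: {host}")
    for name in sorted(baseline.keys() - candidate.keys()):
        changes.append(f"{name}: peer group removed")
    return changes


# Constructed sample data; the digests are placeholders, not real hashes.
BASELINE = {"fastapi.yaml": {"enclave_config": "ab" * 48, "enclaves": ["localhost", "fastapi2"]}}
CANDIDATE = {
    "fastapi.yaml": {"enclave_config": "cd" * 48,
                     "enclaves": ["localhost", "fastapi2", "fastapi3"]},
    "websocket.yaml": {"enclave_config": "12" * 47, "enclaves": ["localhost"]},
}

if __name__ == "__main__":
    print(*validate_peer_config(CANDIDATE), *diff_peer_configs(BASELINE, CANDIDATE), sep="\n")
```

In practice both arguments would come from json.load on the reviewed file and on the file written by oblv get-peer-config.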
What's Next?
For additional information on how to install OBLV CLI, refer to the Installing the CLI Proxy page.