IBM Cloud Docs
Deploying a sample application on Hyper Protect Virtual Server for VPC

This tutorial walks you through the steps to deploy a sample application on Hyper Protect Virtual Server for VPC, which highlights how Confidential Computing can help protect Personally Identifiable Information (PII).

Introduction

Confidential Computing is the protection of data in use: the memory of a running workload is isolated by hardware so that it cannot be read from outside the workload. The sample application "PayNow" obtains and processes PII and credit card information for a financial transaction.

You can provision Hyper Protect Virtual Servers, which run under the protection of IBM Secure Execution for Linux, on IBM Cloud Virtual Private Cloud (VPC) or on-premises. This tutorial uses Hyper Protect Virtual Servers for VPC.

Figure 1. Data in financial transactions are protected by Confidential Computing on Hyper Protect Virtual Server for VPC

Before you begin

To complete this tutorial, you need to meet the following prerequisites:

  1. Create an IBM Cloud account.
  2. Create an API key for your user identity.
  3. Install IBM Cloud CLI and the container registry CLI plug-in.
  4. Create a VPC and a subnet with a public gateway, and a security group with rules that allow at least inbound TCP connections on port 8443 and all outbound connections.
  5. Create a Log Analysis instance on IBM Cloud. Make a note of the ingestion host and the ingestion key.
  6. Install Git.

Estimated time

Completing this tutorial takes approximately 60 minutes.

Steps

Step 1. Build the PayNow application container image

  1. Use Git to clone the repo.

  2. Build the PayNow container image for the linux/s390x platform and tag the container image with the following command. Building an s390x image on an x86 workstation requires QEMU emulation to be registered for buildx, and if your builder uses the docker-container driver you must add --load (or --push), because the result is otherwise not placed in the local image store:

    docker buildx build --platform linux/s390x -t us.icr.io/hpvs-sample/paynow-website .
    
  3. Log in to the IBM Cloud Container Registry with the following commands:

    ibmcloud login
    
    ibmcloud target -r us-south
    
    ibmcloud cr login --client docker
    
  4. Create a namespace and push the container image by running the following commands:

    ibmcloud cr namespace-add hpvs-sample
    
    docker push us.icr.io/hpvs-sample/paynow-website
    
  5. Display the container image digest. The registry assigns this digest when the image is pushed, and the RepoDigests field is empty until then, so run this after the push. You can view and note the container image digest in your container registry, or alternatively use the following command:

    docker inspect us.icr.io/hpvs-sample/paynow-website | grep -A 1 RepoDigests
    
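The following script is added here as an example; it is not part of the IBM tutorial or of the sample repository. It automates Step 1 and carries the result into the compose file used in Step 2: it builds and pushes the image, reads the digest that the registry recorded, rewrites the image line of compose/docker-compose.yml to pin that digest, and checks the pin before you run Terraform. The image name, the compose file path and the `run` argument are assumptions; the registry login from step 3 must already have been done.

```shell
#!/bin/sh
# Added example, not from the IBM tutorial or the sample repository.
# Builds and pushes the PayNow image, then pins the digest that the registry
# recorded into the compose file that the contract is generated from.
# Assumptions: docker with buildx and s390x emulation, `ibmcloud cr login`
# already done, and the image name / compose path below (override via env).
set -eu

IMAGE="${IMAGE:-us.icr.io/hpvs-sample/paynow-website}"
COMPOSE="${COMPOSE:-compose/docker-compose.yml}"

# Print the sha256 digest at the end of a "repo@sha256:<64 hex>" reference.
# Exits non-zero and prints nothing for a tag reference or a malformed digest.
digest_of() {
    printf '%s\n' "$1" | grep -Eo 'sha256:[0-9a-f]{64}$'
}

# Digest the registry assigned at push time. RepoDigests stays empty until the
# image has been pushed (or pulled), so call this only after `docker push`.
pushed_digest() {
    digest_of "$(docker inspect --format '{{index .RepoDigests 0}}' "$1")"
}

# Replace the <sha256> placeholder (or a previously pinned digest) on the
# paynow-website image line with the given digest.
pin_compose() {   # pin_compose <compose file> <sha256:...>
    sed -E "s#(image: .*paynow-website@)sha256:[^[:space:]]+#\1$2#" "$1" > "$1.tmp" \
        && mv "$1.tmp" "$1"
}

# Succeeds only if the compose file references exactly the given digest, so a
# stale placeholder or an older build cannot slip into the contract.
compose_pinned_to() {   # compose_pinned_to <compose file> <sha256:...>
    grep -Eq "image: .*@$2[[:space:]]*\$" "$1"
}

# The pipeline runs only when invoked as `sh pin-image.sh run`, so the
# functions above can also be sourced and checked without docker.
if [ "${1:-}" = run ]; then
    # --load places the image in the local store when the builder uses the
    # docker-container driver; the default docker driver loads it anyway.
    docker buildx build --platform linux/s390x --load -t "$IMAGE" .
    docker push "$IMAGE"
    DIGEST=$(pushed_digest "$IMAGE")
    pin_compose "$COMPOSE" "$DIGEST"
    compose_pinned_to "$COMPOSE" "$DIGEST" || { echo "pinning $COMPOSE failed" >&2; exit 1; }
    echo "pinned $IMAGE to $DIGEST"
fi
```

Run it from the directory that contains the Dockerfile, with COMPOSE pointing at the compose file of the create-contract-dynamic-registry sample; the final check fails loudly if the image line still carries the `<sha256>` placeholder, so `terraform apply` is never fed a contract that points at an unpinned image.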

Step 2. Create the contract for the PayNow application with Terraform

  1. Prepare for contract creation:

    1. Make sure to have the OpenSSL binary installed. For more information, see OpenSSL.
    2. Install the Terraform CLI for your environment with the Terraform documentation.
  2. Create the contract:

    1. Use Git to clone the repo.
    2. Move to the following directory with the command:
      cd linuxone-vsi-automation-samples/terraform-hpvs/create-contract-dynamic-registry
      
  3. Update the docker-compose.yml file in the compose folder. Specify your container image digest and the exposed ports. Pin the image by digest rather than by a tag: a tag can be moved to a different image after the contract is created, whereas the digest binds the contract to exactly the image that you built and pushed. See the following example of a docker-compose.yml file:

    version: "3"
    services:
      paynow:
        image: ${REGISTRY}/hpvs-sample/paynow-website@sha256:<sha256>
        ports:
          - "8080:8080"
          - "8443:8443"
    
  4. Set the required Terraform variables. Copy the file my-settings.auto.tfvars-template to my-settings.auto.tfvars, edit the copy, and adapt the variable values. This file holds your API key and the log ingestion key, so keep it out of version control. The API key is used only to pull the image; an API key that belongs to a service ID with just the Reader role on Container Registry limits what an attacker can do with it if it leaks. See the following example:

    registry="<your container registry, e.g. us.icr.io>"
    pull_username="iamapikey"
    pull_password="<your API key>"
    logdna_ingestion_key="<the ingestion key of your log instance>"
    logdna_ingestion_hostname="<the rsyslog endpoint of your log instance without the port, e.g. syslog-a.<log_region>.logging.cloud.ibm.com>"
    
  5. To initialize Terraform, run the following command:

    terraform init
    
  6. Create the contract by using Terraform:

    terraform apply
    
  7. Display the contract that is created with the Terraform script by running the following command:

    cat build/contract.yml
    

    Copy the displayed contract. You need to paste the copied contract into an input field in the subsequent steps.

Step 3. Enable Confidential Computing through IBM Cloud with Hyper Protect Virtual Server for VPC

  1. Log in to IBM Cloud.
  2. Go to the provisioning page for Hyper Protect Virtual Server for VPC in the IBM Cloud catalog.
  3. Name the virtual server instance.
  4. Paste the created contract information into User data.
  5. Under the Networking, select your VPC and subnet.
  6. Click Create virtual server.
  7. View the logs in the Log Analysis instance dashboard.
  8. Assign a floating IP address to the Hyper Protect Virtual Server for VPC instance and click Save.
  9. To open the PayNow website, use your browser to open https://<floatingip>:8443/index.html, where <floatingip> is the floating IP address that you assigned.

With Confidential Computing on IBM Cloud Hyper Protect Virtual Server for VPC, the memory of the PayNow workload is protected while the data is in use, so that the PII and credit card data it processes cannot be read from outside the protected virtual server, not even by a root user on the host.

Next steps

Check out the demo video that demonstrates the data protection that is provided by Confidential Computing by comparing two servers:

  • One without Confidential Computing, where a malicious root user can dump contents of the server memory that's not protected to steal PII and credit card data.
  • One with Confidential Computing, where even the root user can’t access the server memory as it's protected by the Hyper Protect platform.