Run an IAS Proxy

This page describes how to run an Intel Attestation Service (IAS) Proxy node on the Oasis Network.

This guide covers setting up an Intel Attestation Service (IAS) Proxy node for the Oasis Network. It assumes some basic knowledge of command line tools.

Prerequisites

Before following this guide, make sure you've followed the Prerequisites section and have the Oasis Node binary installed on your system. The IAS Proxy connects to an Oasis Node, so make sure you have a running node first. For more details, see the instructions on how to Run a Non-validator Node.

Obtaining IAS Service Provider ID (SPID) and API Key

Running the Intel Attestation Service (IAS) Proxy requires access to the IAS API. Go to the IAS Enhanced Privacy ID (EPID) attestation page and sign up for Production Access. As a service provider, you will register your TLS certificate and obtain your Service Provider ID (SPID) and API key. The IAS Proxy uses the SPID and API key to communicate with the IAS.

A basic understanding of SGX remote attestation is recommended. See Intel's Remote Attestation End-to-End Example for a short practical introduction.

Creating a Working Directory

We will be using the following working directory /node/ias (feel free to name your directory however you wish).

  • The directory permissions should be rwx------.

To create the directory, use the following command:

mkdir -m700 -p /node/ias

Configuration

To avoid specifying the IAS Service Provider ID (SPID) and API key in the Oasis Node configuration directly, IAS Proxy supports reading the SPID and API key from environment variables. Make sure you have the following environment variables set:

OASIS_IAS_SPID="<your-SPID>"
OASIS_IAS_APIKEY="<your-API-key>"

To configure the IAS Proxy, create the /node/ias/config.yml file with the following content:

datadir: /node/ias
log:
  level:
    default: info
  format: JSON
address: unix:{{ oasis_node_socket }}
grpc:
  port: 8650

Before using this configuration you should collect the following information to replace the variables present in the configuration file:

  • {{ oasis_node_socket }}: Path to a running client Oasis Node socket.
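
The directory, environment and configuration requirements above can be checked in one pass before the proxy is started. The script below is an added example, not part of the Oasis documentation or of oasis-node; ias_preflight and dir_mode are hypothetical helper names, and the check that the variables are exported assumes the proxy is launched from the same shell.

```shell
#!/bin/sh
# Added example: preflight check for the IAS Proxy setup on this page.
# ias_preflight and dir_mode are hypothetical helpers, not oasis-node commands.

# Print a directory's permission bits in octal (GNU stat, then BSD stat).
dir_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Usage: ias_preflight <workdir>
# Prints one line per finding; returns 0 if all checks pass, 1 otherwise.
ias_preflight() {
    workdir=$1
    cfg="$workdir/config.yml"
    rc=0

    if [ ! -d "$workdir" ]; then
        echo "FAIL: $workdir is not a directory"
        return 1
    fi
    mode=$(dir_mode "$workdir")
    if [ "$mode" != "700" ]; then
        echo "FAIL: $workdir has mode $mode, expected 700 (rwx------)"
        rc=1
    fi

    # printenv only sees exported variables, i.e. what oasis-node will inherit.
    for var in OASIS_IAS_SPID OASIS_IAS_APIKEY; do
        val=$(printenv "$var") || val=""
        if [ -z "$val" ]; then
            echo "FAIL: $var is not set and exported"
            rc=1
        elif [ -f "$cfg" ] && grep -qF -- "$val" "$cfg"; then
            echo "FAIL: the value of $var also appears in $cfg"
            rc=1
        fi
    done

    if [ ! -f "$cfg" ]; then
        echo "FAIL: $cfg not found"
        rc=1
    elif grep -qF '{{' "$cfg"; then
        echo "FAIL: $cfg still contains a {{ ... }} template placeholder"
        rc=1
    fi

    [ "$rc" -eq 0 ] && echo "OK: $workdir passed all checks"
    return "$rc"
}
```

Run it as ias_preflight /node/ias in the shell session that will start the proxy.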

Starting the IAS Proxy

You can start the IAS Proxy using the following command:

oasis-node ias proxy --config /node/ias/config.yml

IAS Proxy Public Key

The TLS public key required for connecting to the IAS Proxy is located in the configured datadir (e.g. /node/ias).

Share IAS Proxy address

ParaTime nodes can now use your IAS Proxy by specifying it in configuration, e.g.:

--ias.proxy.address <IAS_PROXY_PUBLIC_KEY>@<EXTERNAL_IP>:8650