Creating the environment section of the contract

This step must be performed by the Data Owner.

Prerequisites

  • You have public.pem from the Auditor.

Procedure

  1. Connect to IBM Cloud Logs instance
    1. Create an IBM Cloud Logs instance at the following link: https://cloud.ibm.com/observe/logging.
    2. Open the IBM Cloud Logs instance that you created and click Endpoints on the left sidebar.
    3. Make a note of the Public Ingress endpoint API, which is used to connect to that instance.

      For example, 09d36408-9cae-485e-a4f8-6476b5575ab4.ingress.us-south.logs.cloud.ibm.com.

    4. Create a service ID for the instance that you created and assign IAM access to it.
    5. Create and download API key for the service ID.
      Note: For more information on creating service IDs and creating API keys, see Creating a service ID by using the IBM Cloud Private management console.
  2. If you are creating the contract with the environment sealed secret, you must also perform the Additional steps for the env sealed secret contract.
  3. Set the signing key value by running the following command:
    export SIGNING_KEY=$(awk -vRS="\n" -vORS="\\\n" '1' public.pem)
  4. Set the public ingress endpoint value by running the following command:
    export PUBLIC_INGRESS_ENDPOINT=<your_public_ingress_endpoint>
  5. Set the iamapikey value by running the following command:
    export IAMAPIKEY=<your_ibm_cloud_iamapikey>
  6. Download the Host Key Document (HKD) certificate.
    1. Download the Host Key Document (HKD) from the machine where the workload is running.
    2. Create a machine.sh manifest file according to the following example:
      #!/bin/bash
      # Derive the Host Key Document file name from /proc/sysinfo (IBM Z / LinuxONE only)
      MACHINE_TYPE="$(awk '/^Type:/ { print $NF }' /proc/sysinfo)"
      echo "machine type is $MACHINE_TYPE"
      MACHINE_PLANT="$(awk '/^Plant:/ { print $NF }' /proc/sysinfo)"
      echo "machine plant is $MACHINE_PLANT"
      # Sequence code with its leading zeros stripped
      MACHINE_SERIAL="$(awk '/^Sequence Code:/ { sub(/^0+/, "", $NF) ; print $NF }' /proc/sysinfo)"
      echo "machine serial is $MACHINE_SERIAL"
      echo "Formatted hkd is HKD-$MACHINE_TYPE-$MACHINE_PLANT$MACHINE_SERIAL.crt"
    3. Make the machine.sh script executable by running the following command:
      chmod +x machine.sh
    4. Run the script:
      ./machine.sh
      Example output
      HKD-3931-0275D38.crt
    5. Download the IBM Secure Execution Host Key Document (HKD) from https://www.ibm.com/docs/en/linux-on-systems?topic=execution-obtain-host-key-document.
      Note: Currently, downloading directly from the portal is unavailable. Perform the following alternative steps to download the HKD.
      1. Log in to the portal.
      2. In a new tab, open https://www.ibm.com/support/resourcelink/api/content/raw/hkd-public/<HKD>.crt, replacing <HKD> with the HKD value that the ./machine.sh script printed.
    6. Create a directory 'hkds' for the Host Key Document (HKD) certificate by running the following command:
      mkdir -p kbs/data/hkds
    7. Copy your HKD certificate to the hkds directory by running the following command:
      cp ${DOWNLOAD_FOLDER}/HKD.crt kbs/data/hkds/HKD.crt
  7. Encode the HKD certificate in Base64 format and store it in the HKDVALUE environment variable:
    export HKDVALUE=$(base64 -w0 /path/to/your/hkd.crt)
  8. Choose a name for the HKD and store it in the HKDNAME environment variable:
    export HKDNAME=<name-of-HKD>

    An example of HKDNAME and HKDVALUE as they appear in the host-attestation section is shown below:

    host-attestation:
      HKD-9175-02C8508:
        description: KEY-1
        host-key-doc: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tDQpNSUlGQ1RDQ0F2R2dBd0lCQWdJSk1zSkZUZll6S1RveE1BMEdDU3FHU0liM0RRRUJEUVVBTUlIUU1Rc3dDUVlEDQpWUVFHRXdKVlV6RTBNRElHQTFVRUNnd3JTVzUwWlhKdVlYUnBiMjVoYkNCQ2RYTnBibVZ6Y3lCTllXTm9hVzVsDQpjeUJEYjNKd2IzSmhkR2x2Ymp........... 
  9. Create an env.yaml according to the following example:
    • For a basic contract, a contract with attestation encryption, a contract with cosign-verified container images, or a contract with a workload sealed secret:
      cat << EOF > env.yaml
      type: env
      logging:
        logRouter:
          hostname: ${PUBLIC_INGRESS_ENDPOINT}
          iamApiKey: ${IAMAPIKEY}
          port: 443
      host-attestation:
        ${HKDNAME}:
          description: KEY-1
          host-key-doc: ${HKDVALUE}
      signingKey: "${SIGNING_KEY}"
      EOF
    • For a contract with an env sealed secret:
      cat << EOF > env.yaml
      type: env
      logging:
        logRouter:
          hostname: ${PUBLIC_INGRESS_ENDPOINT}
          iamApiKey: ${IAMAPIKEY}
          port: 443
      host-attestation:
        ${HKDNAME}:
          description: KEY-1
          host-key-doc: ${HKDVALUE}
      signingKey: "${SIGNING_KEY}"
      confidential-containers:
        secret:
          verificationKey: "${SECRET_VERIFICATION_KEY}"
          decryptionKey: "${SECRET_DECRYPTION_KEY}"
      EOF
      Note: If you want to add encrypted persistent volumes to your contract, see Configuring volumes in the environment section for detailed instructions on adding volume configurations.
  10. Create the encryption-env.sh script with the following content:
    #!/bin/bash
    # Encrypt env.yaml for the Hyper Protect host: a random 32-byte password is
    # wrapped with the public key of the contract encryption certificate, and the
    # file is encrypted with AES-256-CBC (PBKDF2 key derivation) under that password.
    export ENV="env.yaml"
    export CONTRACT_KEY="ibm-confidential-computing-container-encrypt.crt"
    export PASSWORD="$(openssl rand 32 | base64 -w0)"
    export ENCRYPTED_PASSWORD="$(echo -n "$PASSWORD" | base64 -d | openssl pkeyutl -encrypt -inkey "$CONTRACT_KEY" -certin | base64 -w0)"
    export ENCRYPTED_ENV="$(echo -n "$PASSWORD" | base64 -d | openssl enc -aes-256-cbc -pbkdf2 -pass stdin -in "$ENV" | base64 -w0)"
    # The token format is: hyper-protect-basic.<wrapped password>.<encrypted env.yaml>
    echo "env: hyper-protect-basic.${ENCRYPTED_PASSWORD}.${ENCRYPTED_ENV}" > encrypted-env.yaml
  11. Make the encryption-env.sh script executable by running the following command:
    chmod +x encryption-env.sh
  12. Run the script to create encrypted-env.yaml:
    ./encryption-env.sh
  13. Run the following command to view encrypted-env.yaml:
    cat encrypted-env.yaml
    Example output:
    env: hyper-protect-basic.jV8dP1V7IX+IY6cjYeIBQc5xtAjR2jnMksQD8JLeswAR5YBPT1DnwwPfo
    k2vQveXph5QkHoeWSqBajmmPrGbTXo3nKhos8I4uED0S........
  14. Share the encrypted-env.yaml with the Auditor.
  15. Create a contract signature.
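To check the token that steps 10 to 13 produce before sharing it, the following added script (not part of the IBM procedure) rebuilds the hyper-protect-basic envelope the same way encryption-env.sh does, validates its format, and round-trips it with a throwaway self-signed certificate that stands in for ibm-confidential-computing-container-encrypt.crt; the function names, the test key and the constructed env.yaml are assumptions.

```shell
#!/bin/bash
# Added example (not part of the IBM procedure): rebuild the token that
# encryption-env.sh writes (hyper-protect-basic.<RSA-wrapped pw>.<AES env.yaml>),
# check a token is well-formed, and prove the round trip with a throwaway key pair.
# Assumes bash and openssl 1.1.1+ (for -pbkdf2) on PATH.
set -eu
b64()   { openssl base64 -A; }      # single-line base64 encode
unb64() { openssl base64 -d -A; }   # single-line base64 decode

# hp_encrypt_env <env.yaml> <cert.crt>: print the hyper-protect-basic token.
hp_encrypt_env() {
  local env_file="$1" cert="$2" password enc_pw enc_env
  password=$(openssl rand 32 | b64)     # 32 random bytes, as in the page's script
  enc_pw=$(printf '%s' "$password" | unb64 | openssl pkeyutl -encrypt -certin -inkey "$cert" | b64)
  enc_env=$(printf '%s' "$password" | unb64 | openssl enc -aes-256-cbc -pbkdf2 -pass stdin -in "$env_file" | b64)
  printf 'hyper-protect-basic.%s.%s\n' "$enc_pw" "$enc_env"
}

# hp_check_format <token>: prefix plus exactly two non-empty base64 fields.
hp_check_format() {
  local token="$1" rest pw env
  case "$token" in hyper-protect-basic.*.*) ;; *) return 1 ;; esac
  rest=${token#hyper-protect-basic.}; pw=${rest%%.*}; env=${rest#*.}
  case "$env" in ''|*.*) return 1 ;; esac
  [ -n "$pw" ] || return 1
  printf '%s' "$pw"  | unb64 >/dev/null 2>&1 || return 1
  printf '%s' "$env" | unb64 >/dev/null 2>&1
}

# hp_decrypt_env <token> <private.key>: what the private-key holder does to
# recover env.yaml (the Data Owner never has that key; test use only).
hp_decrypt_env() {
  local token="$1" key="$2" rest tmp rc
  rest=${token#hyper-protect-basic.}; tmp=$(mktemp)
  printf '%s' "${rest#*.}" | unb64 > "$tmp"
  printf '%s' "${rest%%.*}" | unb64 | openssl pkeyutl -decrypt -inkey "$key" \
    | openssl enc -d -aes-256-cbc -pbkdf2 -pass stdin -in "$tmp"
  rc=$?; rm -f "$tmp"; return $rc
}

# hp_selftest: throwaway self-signed cert, constructed env.yaml, full round trip.
hp_selftest() {
  local dir token ok=1; dir=$(mktemp -d)
  openssl req -x509 -newkey rsa:2048 -nodes -subj /CN=hp-test -days 1 \
    -keyout "$dir/test.key" -out "$dir/test.crt" 2>/dev/null
  printf 'type: env\nlogging:\n  logRouter:\n    port: 443\n' > "$dir/env.yaml"
  token=$(hp_encrypt_env "$dir/env.yaml" "$dir/test.crt")
  hp_check_format "$token" || ok=0
  [ "$(hp_decrypt_env "$token" "$dir/test.key")" = "$(cat "$dir/env.yaml")" ] || ok=0
  rm -rf "$dir"; [ "$ok" = 1 ]
}
hp_selftest && echo "self-test OK"
```

To check a real file, pass the value after `env: ` in encrypted-env.yaml to hp_check_format; hp_decrypt_env only works with the matching private key, which stays with IBM.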