Configure Tessera enclave
You must configure an enclave in the Tessera configuration file. The enclave is the component that holds the node's private keys and performs the private-key operations, so how you configure it depends on the enclave type used. The examples below place private keys inline in the configuration file for brevity; treat such a file as secret material (restrict its file permissions) or, in production, use encrypted or vault-stored keys instead.
Local enclave
To configure a local enclave, in the configuration file:
- Do not configure an ENCLAVE server.
- Configure the enclave's keys.
Local enclave configuration
{
"keys": {
"keyData": [{
"privateKey": "yAWAJjwPqUtNVlqGjSrBmr1/iIkghuOh1803Yzx9jLM=",
"publicKey": "/+UuD63zItL1EbjxkKUljMgG8Z1w0AJ8pNOR4iq2yQc="
}]
},
"alwaysSendTo": [],
...
}
Starting the transaction manager starts the local enclave as part of the same process:
# start the transaction manager and enclave
tessera --configfile /path/to/tm-config.json
Remote HTTP enclave
To configure a remote HTTP enclave, you must configure the enclave and transaction manager in separate configuration files.
In the remote HTTP enclave configuration file:
- Configure an ENCLAVE server. Include TLS configuration as appropriate: the transaction manager connects to this server as a client, and because every private-key operation happens inside the enclave, the channel between the two should be TLS-protected and the enclave should not be bound to an interface reachable by untrusted hosts (the example below binds to all interfaces for simplicity).
- Configure the enclave's keys.
Remote HTTP enclave configuration file
{
"serverConfigs": [
{
"app": "ENCLAVE",
"serverAddress": "http://localhost:8080",
"bindingAddress": "http://0.0.0.0:8080"
}
],
"keys": {
"keyData": [
{
"privateKey": "yAWAJjwPqUtNVlqGjSrBmr1/iIkghuOh1803Yzx9jLM=",
"publicKey": "/+UuD63zItL1EbjxkKUljMgG8Z1w0AJ8pNOR4iq2yQc="
}
]
},
"alwaysSendTo": []
}
In the transaction manager configuration file:
- Configure an ENCLAVE server entry whose serverAddress is the address the remote enclave advertises (only the serverAddress, as in the example below; the transaction manager is the client). Include TLS configuration as appropriate.
- Do not configure any keys: with a remote enclave, the transaction manager must hold none.
Remote HTTP enclave configuration in the transaction manager configuration file
{
"serverConfigs": [
{
"app": "ENCLAVE",
"serverAddress": "http://localhost:8080"
},
{
"app": "Q2T",
...
},
...
],
...
}
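The enclave file and the transaction manager file have to satisfy the rules above individually and also agree with each other on the enclave's address. The following is an added example, not Tessera's own tooling, that lints a config pair before either process is started: it flags a transaction manager that still carries keys, an enclave with no keys, a mismatched ENCLAVE serverAddress, and (as warnings) plain HTTP or an all-interfaces bindingAddress. The sample configs are constructed to mirror the page's layout; the key pair is the page's sample, the Q2T socket path is made up, and the check for a per-server TLS block assumes Tessera's `sslConfig` field name.

```python
"""Lint a Tessera remote-HTTP-enclave config pair before starting either
process. Added example; not part of Tessera."""
import json
from urllib.parse import urlparse


def _servers(cfg, app):
    """All serverConfigs entries for the given app name (e.g. ENCLAVE, Q2T)."""
    return [s for s in cfg.get("serverConfigs", []) if s.get("app") == app]


def _key_count(cfg):
    return len(cfg.get("keys", {}).get("keyData", []))


def _endpoint(entry):
    """(scheme, host, port) of an entry's serverAddress, for comparison."""
    u = urlparse(entry.get("serverAddress", ""))
    return (u.scheme, u.hostname, u.port)


def lint_enclave(cfg):
    """Findings for the enclave-side file as [(level, message), ...]."""
    findings = []
    enclave = _servers(cfg, "ENCLAVE")
    if len(enclave) != 1:
        findings.append(("ERROR", "enclave: need exactly one ENCLAVE server entry"))
    if _key_count(cfg) == 0:
        findings.append(("ERROR", "enclave: no keys configured; the enclave holds the keys"))
    for s in enclave:
        bind = urlparse(s.get("bindingAddress", s.get("serverAddress", "")))
        if bind.hostname in (None, "0.0.0.0", "::"):
            findings.append(("WARN", "enclave: bindingAddress listens on all interfaces"))
        # 'sslConfig' is Tessera's per-server TLS block (assumed field name).
        if bind.scheme == "http" and "sslConfig" not in s:
            findings.append(("WARN", "enclave: plain HTTP ENCLAVE server, no sslConfig"))
    return findings


def lint_tm(cfg):
    """Findings for the transaction-manager file."""
    findings = []
    enclave = _servers(cfg, "ENCLAVE")
    if len(enclave) != 1:
        findings.append(("ERROR", "tm: need exactly one ENCLAVE server entry"))
    if _key_count(cfg) > 0:
        findings.append(("ERROR", "tm: keys configured; with a remote enclave the TM must hold none"))
    for s in enclave:
        if urlparse(s.get("serverAddress", "")).scheme == "http" and "sslConfig" not in s:
            findings.append(("WARN", "tm: plain HTTP to the enclave, no sslConfig"))
    return findings


def lint_pair(enclave_cfg, tm_cfg):
    """Both files, plus the cross-check that the TM points at the enclave's address."""
    findings = lint_enclave(enclave_cfg) + lint_tm(tm_cfg)
    e, t = _servers(enclave_cfg, "ENCLAVE"), _servers(tm_cfg, "ENCLAVE")
    if e and t and _endpoint(e[0]) != _endpoint(t[0]):
        findings.append(("ERROR", "pair: TM ENCLAVE serverAddress %s does not match enclave %s"
                         % (t[0].get("serverAddress"), e[0].get("serverAddress"))))
    return findings


def errors(findings):
    """Only the findings that should block startup."""
    return [m for lvl, m in findings if lvl == "ERROR"]


# Constructed sample configs mirroring the page's layout. The key pair is the
# page's sample; the Q2T socket path is an assumption.
ENCLAVE_CONFIG = json.loads("""{
  "serverConfigs": [{"app": "ENCLAVE",
                     "serverAddress": "http://localhost:8080",
                     "bindingAddress": "http://0.0.0.0:8080"}],
  "keys": {"keyData": [{"privateKey": "yAWAJjwPqUtNVlqGjSrBmr1/iIkghuOh1803Yzx9jLM=",
                        "publicKey": "/+UuD63zItL1EbjxkKUljMgG8Z1w0AJ8pNOR4iq2yQc="}]},
  "alwaysSendTo": []
}""")

TM_CONFIG = json.loads("""{
  "serverConfigs": [{"app": "ENCLAVE", "serverAddress": "http://localhost:8080"},
                    {"app": "Q2T", "serverAddress": "unix:/tmp/tm.ipc"}]
}""")

# A TM file with two mistakes: it carries keys and points at the wrong port.
BAD_TM_CONFIG = {
    "serverConfigs": [{"app": "ENCLAVE", "serverAddress": "http://localhost:9090"}],
    "keys": ENCLAVE_CONFIG["keys"],
}

if __name__ == "__main__":
    for name, pair in (("good", (ENCLAVE_CONFIG, TM_CONFIG)),
                       ("bad", (ENCLAVE_CONFIG, BAD_TM_CONFIG))):
        print(name)
        for lvl, msg in lint_pair(*pair):
            print(f"  {lvl}: {msg}")
```

Run it against the real files by loading them with `json.load` in place of the constructed samples and refusing to start the enclave or transaction manager while `errors(...)` is non-empty; the warnings are the items to resolve before the setup leaves a single host.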
The remote HTTP enclave must be started before the transaction manager:
# start the enclave
enclave-jaxrs/bin/enclave-jaxrs --configfile /path/to/enclave-config.json
# start the transaction manager
tessera --configfile /path/to/tm-config.json
If using vault-stored keys, the corresponding key vault JAR must be included on the enclave's classpath before the enclave is started:
# copy the key vault JARs onto the enclave classpath, then start the enclave
cp hashicorp-key-vault/lib/* path/to/enclave-jaxrs-[version]/lib
path/to/enclave-jaxrs-[version]/bin/enclave-jaxrs --configfile /path/to/enclave-config.json