Release 0.71.0 - Introducing Ockam Orchestrator

[mrinalwadhwa]

Release 0.71.0 - Introducing Ockam Orchestrator

This release introduces Ockam Orchestrator! A cloud service that helps you orchestrate end-to-end encryption, mutual authentication, key management, credential management & authorization policy enforcement — at scale.

Please try running it and do share it with your friends
https://github.com/build-trust/ockam/releases/tag/ockam_v0.71.0

As a first example. Let's create an end-to-end encrypted, mutually authenticated, secure and private cloud relay:

# Install ockam command
$ brew install build-trust/ockam/ockam

# Create a cryptographic identity and enroll with Ockam Orchestrator.
# This will sign you up for an account with Ockam Orchestrator and setup a
# hobby space and project for you.
$ ockam enroll

# Start our application service, listening on a local ip and port, that clients
# would access through the cloud relay. We'll use a simple http server for our
# first example but this could be some other application service.
$ python3 -m http.server --bind 127.0.0.1 5000

# Setup an ockam node, called blue, as a sidecar next to our application service.
# Create a tcp outlet on the blue node to send raw tcp traffic to the application service.
# Then create a forwarding relay at your default orchestrator project to blue.
$ ockam node create blue
$ ockam tcp-outlet create --at /node/blue --from /service/outlet --to 127.0.0.1:5000
$ ockam forwarder create blue --at /project/default --to /node/blue

# Setup an ockam node, called green, as a sidecar next to our application client.
# Then create an end-to-end encrypted secure channel with blue, through the cloud relay.
# Then tunnel traffic from a local tcp inlet through this end-to-end secure channel.
$ ockam node create green
$ ockam secure-channel create --from /node/green \
    --to /project/default/service/forward_to_blue/service/api \
        | ockam tcp-inlet create --at /node/green --from 127.0.0.1:7000 --to -/service/outlet

# Access the application service though the end-to-end encrypted, secure relay.
$ curl 127.0.0.1:7000

We just created end-to-end encrypted, mutually authenticated, and authorized secure communication between a tcp client and server. This client and server can be running in separate private networks / NATs. We didn't have to expose our server by opening a port on the Internet or punching a hole in our firewall.

The two sides authenticated and authorized each other's known, cryptographically provable identifiers. In later examples we'll see how we can build granular, attribute-based access control with authorization policies.

To learn more, install and run ockam --help

Community Contributors

The following people, from our community, contributed to this release 🥁 🚀

The Ockam Team is extremely thankful for your amazing contributions 🙏

• @anuvratsingh
• @michealkeines
• @neil2468
• @leonzchang
• @chrischiedo
• @Retamogordo
• @pro465
• @raysonkoh
• @justinvzyl
• @Handschrift
• @duttaANI
• @zzztimbo
• @tmuro17
• @PrajwalBorkar
• @sanjayatpilcrow
• @jlucktay
• @SkoogJacob
• @Guileas
• @edbastelli
• @datdhruv

Please try the above examples, we would love your thoughts and feedback.

[sarath3192]

Hi @mrinalwadhwa,

Thank you in advance, while enrolling with Ockam Orchestrator with command ockam enroll I am getting following error fail to load data. Please help me to solve this error.

[sarath3192]

Thank you @mrinalwadhwa for the quick reply. I will try the command update the result here.

[sarath3192]

@mrinalwadhwa

Ockam version

$ ./ockam --version
ockam 0.73.0

When I am trying the command ockam reset I am getting following error

sarathk@sarath:~/RUST/PROJECT_Learning/M_ockam/OCKAM_CLI_TOOL$ ./ockam reset
error: Found argument 'reset' which wasn't expected, or isn't valid in this context

USAGE:
    ockam [OPTIONS] <SUBCOMMAND>

For more information try --help

[mrinalwadhwa]

That makes sense. Things are evolving rapidly with every version.
So please install version 0.76.0

Step 1 - upgrade to 0.76.0

If you used homebrew to install then:

brew update && brew upgrade ockam

or:

you can download the latest binary with

curl --proto '=https' --tlsv1.2 -sSf https://raw.githubusercontent.com/build-trust/ockam/develop/install.sh | sh

You'll have to move it to somewhere in your path if you use the curl script.

Now version should be 0.76.0

$ ./ockam --version
ockam 0.76.0

Step 2 - reset and enroll

ockam reset
ockam enroll

This should fix the problem, please let us know how it goes.

[sarath3192]

@mrinalwadhwa, Yes it fixed the problem. I have followed above steps 1 & 2 it worked thank you.

[mrinalwadhwa]

Awesome. Glad it worked. Let us know if you have more questions as you explore.

[sarath3192]

Hi @mrinalwadhwa,

I am trying this example from two different systems which are in two different private networks. I am getting the following Error in one syatem. Can you please help me out.

~/StaticEvenArguments$ ./ockam secure-channel create --from /node/green --to /project/default/service/forward_to_blue/service/api | ockam tcp-inlet create --at /node/green --from 127.0.0.1:7000 --to -/service/outlet
An error occurred while processing the request. Status code: 401 Unauthorized. Message: 401
bash: ockam: command not found

[sarath3192]

Thank you @mrinalwadhwa for the clear steps. I will follow these steps and post if any road blocks.

[sarath3192]

@mrinalwadhwa It is worked.

1. We followed the above steps with two different machines which are in two different private networks. We are able to get files from machine1 to machine2 over the Ockam Orchestrator relay. Thank you very much.

[sarath3192]

Hi @mrinalwadhwa can you please help me with this.

In the example above case we are manually transferring the green_identifier.txt and blue_identifier.txt and project.json from one machine to another machine to make the communication happen.

Is there a way that Ockam provides to automate this identifier exchange ? or is there any other way of doing this ?

[mrinalwadhwa]

@sarath3192 my latest email has an example for how this can be done.

[sarath3192]

Thank you for the detailed answers.