Pay Now Website sample application
https://github.com/ibm-hyper-protect/paynow-website

# Pay Now Website

The Pay Now Website is a simple application that presents an interface for making payments.
The application shows how sensitive payment-related information, such as credit card data, is handled.
It is recommended to run this application in a confidential computing environment, where PII data in use is protected from malicious actors.

The website is a node.js Express app, serving
the site itself. The payment page has AJAX calls into the
application. The application processes these
RESTful JSON requests and stores the transaction data in memory.

The application can be run either locally or in
the IBM Cloud, for example in an [IBM Cloud Hyper Protect
Virtual Server for VPC](https://www.ibm.com/cloud/hyper-protect-virtual-servers).

## Build and Run the Application

### Simple way to run the application
To build and run an application container image,
run these commands:

```
docker build -t paynow .
docker run -it -p 8443:8443 paynow
```

### Run the application with your SSL certificate
Alternatively, you can create an SSL private key and certificate and pass them to the application:

```
docker build -t paynow .
openssl req -new -newkey rsa:2048 -days 365 -nodes -x509 -keyout server.key -out server.crt
CERT=$(base64 -w 0 server.crt)
KEY=$(base64 -w 0 server.key)
docker run -it -p 8443:8443 -e KEY=$KEY -e CERT=$CERT paynow
```

The application will use your private key and certificate for SSL.

## Test the Application

Use a web browser to navigate to
[`localhost:8443`](https://localhost:8443) and confirm that the
donations homepage loads. (Or, of course, whichever host you're
running it on.)

Navigate to the donations page and try out that functionality, which drives
AJAX calls issuing `GET` and `POST` requests.
You can open the browser console to check that these network calls are
functioning correctly.

Note: If you do not use your own certificate, your web browser may display a warning about an insecure connection and an invalid certificate, because in this case the application uses a simple self-signed certificate for `CN=localhost`.

## Run the Application in Hyper Protect Virtual Server for VPC and validate the attestation record

You can run the application in [Hyper Protect Virtual Server for VPC](https://cloud.ibm.com/docs/vpc?topic=vpc-about-se). To do so, follow this [tutorial](https://cloud.ibm.com/docs/vpc?topic=vpc-financial-transaction-confidential-computing-on-hyper-protect-virtual-server-for-vpc).

You can optionally include the private key and the certificate in the env section of the contract.

### Validate the attestation record
You can then download a zip file containing the [attestation record](https://cloud.ibm.com/docs/vpc?topic=vpc-about-attestation) and the signature file from the API URL [`https://ip:8443/api/v1/attestation`](https://ip:8443/api/v1/attestation). This zip file contains the attestation record `se-checksums.txt` or `se-checksums.txt.enc` (the latter if you are using an encrypted attestation record) and the signature file `se-signature.bin`.

To verify the signature, follow these [instructions](https://cloud.ibm.com/docs/vpc?topic=vpc-about-attestation).

To validate the attestation record, compute the checksum of your contract (you may first need to remove a trailing end-of-line character from `contract.yml`; the `perl` command in the following block does this in place):
```
perl -p -i -e 'chomp if eof' contract.yml
sha256sum contract.yml
```
and compare this checksum to the value for `cidata/user-data` in file `se-checksums.txt`.
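The same comparison as a small script, added here as an example and not part of the sample application: it drops one trailing newline exactly as the `perl` one-liner does, hashes the contract, and looks up the `cidata/user-data` entry in the checksums file. It assumes `se-checksums.txt` uses `sha256sum`-style `<hex>  <path>` lines; the sample contract and checksum text are constructed.

```python
import hashlib
import hmac
import sys
from pathlib import Path


def chomp(data: bytes) -> bytes:
    """Remove a single trailing newline, like `perl -p -i -e 'chomp if eof'`."""
    return data[:-1] if data.endswith(b"\n") else data


def contract_sha256(data: bytes) -> str:
    """Hex SHA-256 of the contract with its trailing EOL removed."""
    return hashlib.sha256(chomp(data)).hexdigest()


def parse_checksums(text: str) -> dict:
    """Parse se-checksums.txt into {path: hex}.

    Assumption: sha256sum-style lines `<hex>  <path>`; other lines are skipped.
    """
    entries = {}
    for line in text.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2 and len(parts[0]) == 64:
            entries[parts[1].strip()] = parts[0].lower()
    return entries


def verify_contract(contract: bytes, checksums_text: str,
                    key: str = "cidata/user-data") -> bool:
    """True if the recorded checksum for `key` matches the local contract."""
    expected = parse_checksums(checksums_text).get(key)
    if expected is None:  # entry missing: treat as a failed validation
        return False
    return hmac.compare_digest(contract_sha256(contract), expected)


# Constructed sample data; not a real contract or attestation record.
SAMPLE_CONTRACT = b"env: |\n  type: env\nworkload: |\n  type: workload\n"
SAMPLE_CHECKSUMS = (
    "# constructed se-checksums.txt\n"
    f"{contract_sha256(SAMPLE_CONTRACT)}  cidata/user-data\n"
)

if __name__ == "__main__":
    if len(sys.argv) == 3:  # usage: validate.py contract.yml se-checksums.txt
        contract = Path(sys.argv[1]).read_bytes()
        checksums = Path(sys.argv[2]).read_text()
    else:
        contract, checksums = SAMPLE_CONTRACT, SAMPLE_CHECKSUMS
    ok = verify_contract(contract, checksums)
    print("attestation record matches contract" if ok else "MISMATCH")
    sys.exit(0 if ok else 1)
```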