add description of xCAT certs and their usage in xCAT SSL communication

2025-05-22 03:32:04 +00:00 · 2017-02-23 09:24:43 +08:00 · 2017-02-23 09:24:43 +08:00 · 7b4fd3a4be
commit 7b4fd3a4be
parent b24e92316c
3 changed files with 66 additions and 16 deletions
--- a/docs/source/advanced/security/certs.rst
+++ b/docs/source/advanced/security/certs.rst
@ -0,0 +1,63 @@
+The SSL Certificates in xCAT
+----------------------------
+
+
+The xCAT daemon on the management node and service node listens on a SSL socket on port 3001, the communications on the SSL socket include:
+
+   1. the xCAT requests from xCAT Clients
+   2. the xCAT requests forwarded from other xCAT daemons, for example, the requests forwarded between xCAT daemons on management node and service nodes
+   3. some special xCAT requests from compute nodes, such as ``getcredentials``, ``getpostscript``, ``litefile``, etc.
+
+xCAT creates 1 CA certificate and 2 credentials (private key and certificate pairs):
+
+   1. xCAT CA certificate(ca.pem): 
+
+      * a self-signed certificate used as Certificate Authority in xcatd SSL communication;
+      * generated by ``/opt/xcat/share/xcat/scripts/setup-xcat-ca.sh`` script on xCAT installation; 
+      * will be generated (or updated) on xCAT management node when:
+         * install or update xCAT when "/etc/xcat/ca" directory does not exist 
+         * or run ``xcatconfig -f|--force`` 
+         * or run ``xcatconfig -c|--credentials``
+      * files on management node: 
+         * ``/etc/xcat/ca/ca-cert.pem``
+         * ``/etc/xcat/cert/ca.pem`` ,copied by ``/opt/xcat/share/xcat/scripts/setup-server-cert.sh``
+         * ``/root/.xcat/ca.pem`` ,copied by ``/opt/xcat/share/xcat/scripts/setup-local-client.sh``
+      * file on service node: ``/root/.xcat/ca.pem``
+      * distribution path: 
+        **/etc/xcat/cert/ca.pem (MN)** ===(run ``xcatconfig`` command)===> **/install/postscripts/_xcat/ca.pem (MN)** ===(node provision/updatenode)==> **/xcatpost/_xcat/ca.pem (SN and CN)** ==(run "servicenode" postscript)==> **/root/.xcat/ca.pem (SN)**
+
+   2. xCAT server credential(server-cred.pem): 
+
+      * a concatenation of server private key and certificate(signed with xCAT CA certificate)
+      * generated by ``/opt/xcat/share/xcat/scripts/setup-server-cert.sh`` on xCAT installation;
+      * will be generated (or updated) on xCAT management node when:
+         * install or update xCAT when ``/etc/xcat/cert`` directory does not exist 
+         * or run ``xcatconfig -f|--force`` 
+         * or run ``xcatconfig -c|--credentials``
+      * file on management node: ``/etc/xcat/cert/server-cred.pem``
+      * file on service node: ``/etc/xcat/cert/server-cred.pem`` 
+      * distribution path: 
+        **/etc/xcat/cert/server-cred.pem (MN)** ==(run ``xcatserver`` script called by ``servicenode`` postscript)===> **/etc/xcat/cert/server-cred.pem(SN)**
+
+   3. xCAT client credential(client-cred.pem):
+
+      * a concatenation of client private key and certificate (signed with xCAT CA certificate)
+      * generated by ``/opt/xcat/share/xcat/scripts/setup-local-client.sh`` on xCAT installation
+      * will be generated (or updated) on xCAT management node when: 
+         * install or update xCAT when ``/root/.xcat/client-key.pem``  does not exist; 
+         * or run ``xcatconfig -f|--force`` 
+         * or run ``xcatconfig -c|--credentials``
+      * file on management node: ``/root/.xcat/client-cred.pem``
+      * file on service node: ``/root/.xcat/client-cred.pem`` 
+      * distribution path: 
+        **/root/.xcat/client-cred.pem (MN)** ===(run ``xcatclient`` script called by ``servicenode`` postscript")===> **/root/.xcat/client-cred.pem(SN)** 
+
+The usage of the credentials in the xCAT SSL communication is:
+
+          .. image:: ./imgs/certs.png
+             :height: 500 px
+             :width:  600 px
+             :scale: 100 %
+             :alt: alternate text
+             :align: center
+
--- a/docs/source/advanced/security/imgs/certs.png
+++ b/docs/source/advanced/security/imgs/certs.png
--- a/docs/source/advanced/security/security.rst
+++ b/docs/source/advanced/security/security.rst
@ -4,23 +4,10 @@ Transmission Channel
 The xCAT daemon uses SSL to only allow authorized users to run xCAT commands. All xCAT commands are initiated as an xCAT **client**, even when run commands from the xCAT management node. This **client** opens an SSL socket to the xCAT daemon, sends the command and receives responses through this one socket. xCAT has configured the certificate for root, if you nee to authorize other users, refer to the section below.


-Create SSL Certificate So That User Can Be Authenticated By xCAT
-````````````````````````````````````````````````````````````````
-
-Running the following command on the Management node as root:  ::
-
-    /opt/xcat/share/xcat/scripts/setup-local-client.sh <username>
-
-By running this command you'll see SSL certificates are creating, enter ``yes`` where prompted and take the defaults.
-
-This will create the following files in the <username> 's ``$HOME/.xcat`` directory: ::
-
-    ca.pem
-    client-cert.pem
-    client-cred.pem
-    client-key.pem
-    client-req.pem
+.. toctree::
+   :maxdepth: 2

+   certs.rst

 Commands Access Control
 -----------------------