diff --git a/docs/source/advanced/security/certs.rst b/docs/source/advanced/security/certs.rst index f23fe1a83..ee6e98b01 100644 --- a/docs/source/advanced/security/certs.rst +++ b/docs/source/advanced/security/certs.rst 
@@ -10,47 +10,47 @@ The xCAT daemon on the management node and service node listens on a SSL socket xCAT creates 1 CA certificate and 2 credentials (private key and certificate pairs): - 1. xCAT CA certificate(ca.pem): + 1. xCAT CA certificate(ca.pem): * a self-signed certificate used as Certificate Authority in xcatd SSL communication; - * generated by ``/opt/xcat/share/xcat/scripts/setup-xcat-ca.sh`` script on xCAT installation; + * generated by ``/opt/xcat/share/xcat/scripts/setup-xcat-ca.sh`` script on xCAT installation; * will be generated (or updated) on xCAT management node when: - * install or update xCAT when "/etc/xcat/ca" directory does not exist - * or run ``xcatconfig -f|--force`` + * install or update xCAT when "/etc/xcat/ca" directory does not exist + * or run ``xcatconfig -f|--force`` * or run ``xcatconfig -c|--credentials`` - * files on management node: + * files on management node: * ``/etc/xcat/ca/ca-cert.pem`` * ``/etc/xcat/cert/ca.pem`` ,copied by ``/opt/xcat/share/xcat/scripts/setup-server-cert.sh`` * ``/root/.xcat/ca.pem`` ,copied by ``/opt/xcat/share/xcat/scripts/setup-local-client.sh`` * file on service node: ``/root/.xcat/ca.pem`` - * distribution path: + * distribution path: **/etc/xcat/cert/ca.pem (MN)** ===(run ``xcatconfig`` command)===> **/install/postscripts/_xcat/ca.pem (MN)** ===(node provision/updatenode)==> **/xcatpost/_xcat/ca.pem (SN and CN)** ==(run "servicenode" postscript)==> **/root/.xcat/ca.pem (SN)** - 2. xCAT server credential(server-cred.pem): + 2. 
xCAT server credential(server-cred.pem): * a concatenation of server private key and certificate(signed with xCAT CA certificate) * generated by ``/opt/xcat/share/xcat/scripts/setup-server-cert.sh`` on xCAT installation; * will be generated (or updated) on xCAT management node when: - * install or update xCAT when ``/etc/xcat/cert`` directory does not exist - * or run ``xcatconfig -f|--force`` + * install or update xCAT when ``/etc/xcat/cert`` directory does not exist + * or run ``xcatconfig -f|--force`` * or run ``xcatconfig -c|--credentials`` * file on management node: ``/etc/xcat/cert/server-cred.pem`` - * file on service node: ``/etc/xcat/cert/server-cred.pem`` - * distribution path: + * file on service node: ``/etc/xcat/cert/server-cred.pem`` + * distribution path: **/etc/xcat/cert/server-cred.pem (MN)** ==(run ``xcatserver`` script called by ``servicenode`` postscript)===> **/etc/xcat/cert/server-cred.pem(SN)** 3. xCAT client credential(client-cred.pem): * a concatenation of client private key and certificate (signed with xCAT CA certificate) * generated by ``/opt/xcat/share/xcat/scripts/setup-local-client.sh`` on xCAT installation - * will be generated (or updated) on xCAT management node when: - * install or update xCAT when ``/root/.xcat/client-key.pem`` does not exist; - * or run ``xcatconfig -f|--force`` + * will be generated (or updated) on xCAT management node when: + * install or update xCAT when ``/root/.xcat/client-key.pem`` does not exist; + * or run ``xcatconfig -f|--force`` * or run ``xcatconfig -c|--credentials`` * file on management node: ``/root/.xcat/client-cred.pem`` - * file on service node: ``/root/.xcat/client-cred.pem`` - * distribution path: - **/root/.xcat/client-cred.pem (MN)** ===(run ``xcatclient`` script called by ``servicenode`` postscript")===> **/root/.xcat/client-cred.pem(SN)** + * file on service node: ``/root/.xcat/client-cred.pem`` + * distribution path: + **/root/.xcat/client-cred.pem (MN)** ===(run ``xcatclient`` script 
called by ``servicenode`` postscript")===> **/root/.xcat/client-cred.pem(SN)** The usage of the credentials in the xCAT SSL communication is:
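Review bot: the stray `"` after ``postscript`` in the client-cred distribution line (``...called by ``servicenode`` postscript")===>``) survives unchanged in the added line; since this hunk already rewrites every one of these lines, it is the natural place to drop that quote so the rendered arrow reads ``...called by ``servicenode`` postscript)===>`` like the ca.pem and server-cred.pem lines above it. Every removed line in the hunk reappears with identical visible content, so this looks like a trailing-whitespace-only change; the commit message should say so, and the arrow lengths (``===>`` vs ``==>``) and the missing space in ``certificate(ca.pem)`` could be made consistent in the same pass rather than in a second whitespace-only commit.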