mirror of https://github.com/xcat2/xcat-core.git synced 2025-08-11 22:10:14 +00:00
xcat-core/docs/source/advanced/security/certs.rst


The SSL Certificates in xCAT
----------------------------

The xCAT daemon (``xcatd``) on the management node and on each service node listens on an SSL socket on port 3001. The communication on this SSL socket includes:

1. xCAT requests from xCAT clients
2. xCAT requests forwarded from other xCAT daemons, for example, requests forwarded between the xCAT daemons on the management node and the service nodes
3. some special xCAT requests from compute nodes, such as ``getcredentials``, ``getpostscript``, ``litefile``, etc.

xCAT creates one CA certificate and two credentials (private key and certificate pairs):

1. xCAT CA certificate (``ca.pem``):

   * a self-signed certificate used as the Certificate Authority in ``xcatd`` SSL communication;
   * generated by the ``/opt/xcat/share/xcat/scripts/setup-xcat-ca.sh`` script on xCAT installation;
   * generated (or updated) on the xCAT management node when:

     * xCAT is installed or updated and the ``/etc/xcat/ca`` directory does not exist
     * ``xcatconfig -f|--force`` is run
     * ``xcatconfig -c|--credentials`` is run

   * files on the management node:

     * ``/etc/xcat/ca/ca-cert.pem``
     * ``/etc/xcat/cert/ca.pem``, copied by ``/opt/xcat/share/xcat/scripts/setup-server-cert.sh``
     * ``/root/.xcat/ca.pem``, copied by ``/opt/xcat/share/xcat/scripts/setup-local-client.sh``

   * file on the service node: ``/root/.xcat/ca.pem``
   * distribution path:

     **/etc/xcat/cert/ca.pem (MN)** ===(run ``xcatconfig`` command)===> **/install/postscripts/_xcat/ca.pem (MN)** ===(node provision/updatenode)===> **/xcatpost/_xcat/ca.pem (SN and CN)** ===(run ``servicenode`` postscript)===> **/root/.xcat/ca.pem (SN)**

2. xCAT server credential (``server-cred.pem``):

   * a concatenation of the server private key and the server certificate (signed with the xCAT CA certificate);
   * generated by ``/opt/xcat/share/xcat/scripts/setup-server-cert.sh`` on xCAT installation;
   * generated (or updated) on the xCAT management node when:

     * xCAT is installed or updated and the ``/etc/xcat/cert`` directory does not exist
     * ``xcatconfig -f|--force`` is run
     * ``xcatconfig -c|--credentials`` is run

   * file on the management node: ``/etc/xcat/cert/server-cred.pem``
   * file on the service node: ``/etc/xcat/cert/server-cred.pem``
   * distribution path:

     **/etc/xcat/cert/server-cred.pem (MN)** ===(run ``xcatserver`` script called by ``servicenode`` postscript)===> **/etc/xcat/cert/server-cred.pem (SN)**

3. xCAT client credential (``client-cred.pem``):

   * a concatenation of the client private key and the client certificate (signed with the xCAT CA certificate);
   * generated by ``/opt/xcat/share/xcat/scripts/setup-local-client.sh`` on xCAT installation;
   * generated (or updated) on the xCAT management node when:

     * xCAT is installed or updated and ``/root/.xcat/client-key.pem`` does not exist
     * ``xcatconfig -f|--force`` is run
     * ``xcatconfig -c|--credentials`` is run

   * file on the management node: ``/root/.xcat/client-cred.pem``
   * file on the service node: ``/root/.xcat/client-cred.pem``
   * distribution path:

     **/root/.xcat/client-cred.pem (MN)** ===(run ``xcatclient`` script called by ``servicenode`` postscript)===> **/root/.xcat/client-cred.pem (SN)**

The usage of these credentials in xCAT SSL communication is shown in the following figure:

.. image:: ./imgs/certs.png
   :height: 500 px
   :width: 600 px
   :scale: 100 %
   :alt: Usage of the xCAT CA certificate, server credential and client credential in xcatd SSL communication
   :align: center
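As an added example (not part of xCAT or of this page), the following POSIX shell functions audit a credential file of the form described above, a private key concatenated with a certificate signed by the xCAT CA, and check a running ``xcatd`` on port 3001 against ``ca.pem``. They assume the ``openssl`` command-line tool is installed; the function names and the ``HOST`` argument are hypothetical.

```shell
#!/bin/sh
# check_xcat_cred CA_PEM CRED_PEM
# Audits an xCAT credential file (/root/.xcat/client-cred.pem or
# /etc/xcat/cert/server-cred.pem): it must contain a private key block and a
# certificate block, the certificate must verify against ca.pem (issuer and
# validity period), and the private key must belong to that certificate.
check_xcat_cred() {
    ca="$1"; cred="$2"
    tmp=$(mktemp -d) || return 1
    # Split the concatenation into its two PEM blocks (xCAT keys are unencrypted).
    sed -n '/-----BEGIN .*PRIVATE KEY-----/,/-----END .*PRIVATE KEY-----/p' "$cred" > "$tmp/key.pem"
    sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' "$cred" > "$tmp/cert.pem"
    rc=0
    if [ ! -s "$tmp/key.pem" ] || [ ! -s "$tmp/cert.pem" ]; then
        echo "$cred: missing private key or certificate block" >&2; rc=1
    elif ! openssl verify -CAfile "$ca" "$tmp/cert.pem" >/dev/null 2>&1; then
        # Fails for a certificate signed by another CA or outside its validity period.
        echo "$cred: certificate does not verify against $ca" >&2; rc=1
    else
        # Compare the public key embedded in the certificate with the public key
        # derived from the private key; a mismatch means the pair was mixed up.
        certpub=$(openssl x509 -in "$tmp/cert.pem" -noout -pubkey 2>/dev/null)
        keypub=$(openssl pkey -in "$tmp/key.pem" -passin pass: -pubout 2>/dev/null)
        if [ -z "$keypub" ] || [ "$certpub" != "$keypub" ]; then
            echo "$cred: private key does not match certificate" >&2; rc=1
        fi
    fi
    # The file holds a private key, so it should not be group- or world-readable.
    if [ -n "$(find "$cred" -perm -g+r -o -perm -o+r 2>/dev/null)" ]; then
        echo "warning: $cred is readable by group or others" >&2
    fi
    rm -rf "$tmp"
    return $rc
}

# check_xcatd_tls HOST [CA_PEM] [CLIENT_CRED_PEM]
# Connects to xcatd on port 3001 with the client credential and succeeds only
# if the certificate the daemon presents chains to ca.pem. Needs a live node,
# so it is not exercised offline; HOST is a hypothetical management node name.
check_xcatd_tls() {
    host="$1"; ca="${2:-/root/.xcat/ca.pem}"; cred="${3:-/root/.xcat/client-cred.pem}"
    openssl s_client -connect "$host:3001" -CAfile "$ca" -cert "$cred" -key "$cred" \
        </dev/null 2>/dev/null | grep -q 'Verify return code: 0 (ok)'
}
```

Run ``check_xcat_cred /root/.xcat/ca.pem /root/.xcat/client-cred.pem`` on a management or service node; a non-zero exit means the credential will not authenticate to ``xcatd`` and should be regenerated with ``xcatconfig -c``.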