xCAT/xcat-core
2
0
Fork 0
mirror of https://github.com/xcat2/xcat-core.git synced 2025-10-31 19:32:31 +00:00
Code Issues Releases Wiki Activity
Files
df0cbdec9138a6894192275b49e6d1429378d5be
xcat-core/docs/source/advanced/security/certs.rst

64 lines
3.5 KiB
ReStructuredText
Raw Blame History

The SSL Certificates in xCAT
----------------------------
The xCAT daemon on the management node and service node listens on a SSL socket on port 3001, the communications on the SSL socket include:
1. the xCAT requests from xCAT Clients
2. the xCAT requests forwarded from other xCAT daemons, for example, the requests forwarded between xCAT daemons on management node and service nodes
3. some special xCAT requests from compute nodes, such as ``getcredentials``, ``getpostscript``, ``litefile``, etc.
xCAT creates 1 CA certificate and 2 credentials (private key and certificate pairs):
1. xCAT CA certificate(ca.pem):
* a self-signed certificate used as Certificate Authority in xcatd SSL communication;
* generated by ``/opt/xcat/share/xcat/scripts/setup-xcat-ca.sh`` script on xCAT installation;
* will be generated (or updated) on xCAT management node when:
* install or update xCAT when "/etc/xcat/ca" directory does not exist
* or run ``xcatconfig -f|--force``
* or run ``xcatconfig -c|--credentials``
* files on management node:
* ``/etc/xcat/ca/ca-cert.pem``
* ``/etc/xcat/cert/ca.pem`` ,copied by ``/opt/xcat/share/xcat/scripts/setup-server-cert.sh``
* ``/root/.xcat/ca.pem`` ,copied by ``/opt/xcat/share/xcat/scripts/setup-local-client.sh``
* file on service node: ``/root/.xcat/ca.pem``
* distribution path:
**/etc/xcat/cert/ca.pem (MN)** ===(run ``xcatconfig`` command)===> **/install/postscripts/_xcat/ca.pem (MN)** ===(node provision/updatenode)==> **/xcatpost/_xcat/ca.pem (SN and CN)** ==(run "servicenode" postscript)==> **/root/.xcat/ca.pem (SN)**
2. xCAT server credential(server-cred.pem):
* a concatenation of server private key and certificate(signed with xCAT CA certificate)
* generated by ``/opt/xcat/share/xcat/scripts/setup-server-cert.sh`` on xCAT installation;
* will be generated (or updated) on xCAT management node when:
* install or update xCAT when ``/etc/xcat/cert`` directory does not exist
* or run ``xcatconfig -f|--force``
* or run ``xcatconfig -c|--credentials``
* file on management node: ``/etc/xcat/cert/server-cred.pem``
* file on service node: ``/etc/xcat/cert/server-cred.pem``
* distribution path:
**/etc/xcat/cert/server-cred.pem (MN)** ==(run ``xcatserver`` script called by ``servicenode`` postscript)===> **/etc/xcat/cert/server-cred.pem(SN)**
3. xCAT client credential(client-cred.pem):
* a concatenation of client private key and certificate (signed with xCAT CA certificate)
* generated by ``/opt/xcat/share/xcat/scripts/setup-local-client.sh`` on xCAT installation
* will be generated (or updated) on xCAT management node when:
* install or update xCAT when ``/root/.xcat/client-key.pem`` does not exist;
* or run ``xcatconfig -f|--force``
* or run ``xcatconfig -c|--credentials``
* file on management node: ``/root/.xcat/client-cred.pem``
* file on service node: ``/root/.xcat/client-cred.pem``
* distribution path:
**/root/.xcat/client-cred.pem (MN)** ===(run ``xcatclient`` script called by ``servicenode`` postscript")===> **/root/.xcat/client-cred.pem(SN)**
The usage of the credentials in the xCAT SSL communication is:
.. image:: ./imgs/certs.png
:height: 500 px
:width: 600 px
:scale: 100 %
:alt: alternate text
:align: center
Reference in New Issue View Git Blame Copy Permalink