The SSL Certificates in xCAT

The xCAT daemon (xcatd) on the management node and on each service node listens on an SSL socket on port 3001. The communications on this SSL socket include:

- the xCAT requests from xCAT clients
- the xCAT requests forwarded from other xCAT daemons, for example the requests forwarded between the xCAT daemons on the management node and the service nodes
- some special xCAT requests from compute nodes, such as getcredentials, getpostscript, litefile, etc.
xCAT creates 1 CA certificate and 2 credentials (private key and certificate pairs):

xCAT CA certificate (ca.pem):
- a self-signed certificate used as the Certificate Authority in xcatd SSL communication
- generated by the /opt/xcat/share/xcat/scripts/setup-xcat-ca.sh script on xCAT installation
- will be generated (or updated) on the xCAT management node when:
  - xCAT is installed or updated and the /etc/xcat/ca directory does not exist
  - or xcatconfig -f|--force is run
  - or xcatconfig -c|--credentials is run
- files on the management node:
  - /etc/xcat/ca/ca-cert.pem
  - /etc/xcat/cert/ca.pem, copied by /opt/xcat/share/xcat/scripts/setup-server-cert.sh
  - /root/.xcat/ca.pem, copied by /opt/xcat/share/xcat/scripts/setup-local-client.sh
- file on the service node:
  - /root/.xcat/ca.pem
- distribution path: /etc/xcat/cert/ca.pem (MN) ===(run the xcatconfig command)===> /install/postscripts/_xcat/ca.pem (MN) ===(node provision/updatenode)===> /xcatpost/_xcat/ca.pem (SN and CN) ===(run the "servicenode" postscript)===> /root/.xcat/ca.pem (SN)

xCAT server credential (server-cred.pem):
- a concatenation of the server private key and certificate (signed with the xCAT CA certificate)
- generated by /opt/xcat/share/xcat/scripts/setup-server-cert.sh on xCAT installation
- will be generated (or updated) on the xCAT management node when:
  - xCAT is installed or updated and the /etc/xcat/cert directory does not exist
  - or xcatconfig -f|--force is run
  - or xcatconfig -c|--credentials is run
- file on the management node:
  - /etc/xcat/cert/server-cred.pem
- file on the service node:
  - /etc/xcat/cert/server-cred.pem
- distribution path: /etc/xcat/cert/server-cred.pem (MN) ===(run the xcatserver script called by the "servicenode" postscript)===> /etc/xcat/cert/server-cred.pem (SN)

xCAT client credential (client-cred.pem):
- a concatenation of the client private key and certificate (signed with the xCAT CA certificate)
- generated by /opt/xcat/share/xcat/scripts/setup-local-client.sh on xCAT installation
- will be generated (or updated) on the xCAT management node when:
  - xCAT is installed or updated and /root/.xcat/client-key.pem does not exist
  - or xcatconfig -f|--force is run
  - or xcatconfig -c|--credentials is run
- file on the management node:
  - /root/.xcat/client-cred.pem
- file on the service node:
  - /root/.xcat/client-cred.pem
- distribution path: /root/.xcat/client-cred.pem (MN) ===(run the xcatclient script called by the "servicenode" postscript)===> /root/.xcat/client-cred.pem (SN)
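The three files above share one layout: a credential bundle is a private key followed by a certificate in a single PEM file, and the certificate must chain to ca.pem. The following POSIX shell script is an added example, not one of xCAT's own setup scripts: check_cred confirms that a bundle has both blocks, that its certificate is signed by the given CA and has not expired, and that the private key matches the certificate, which is the check an administrator wants after running xcatconfig -c or when a service node stops accepting connections. It assumes openssl is on the PATH; make_demo_pki builds a throwaway CA and two bundles with made-up subjects in a temporary directory so the checks can be exercised without touching /etc/xcat or /root/.xcat.

```shell
#!/bin/sh
# Added example (not an xCAT script): sanity-check credential bundles laid out
# like xCAT's server-cred.pem / client-cred.pem (private key + certificate in
# one PEM file) against the CA certificate.  Requires openssl on the PATH.
set -eu

# check_cred CA_PEM CRED_PEM
# Returns 1 on the first failed check, so it can be used from cron or a
# monitoring script; prints one OK/FAIL line.
check_cred() {
    ca="$1"
    cred="$2"
    grep -q -- '-----BEGIN .*PRIVATE KEY-----' "$cred" ||
        { echo "FAIL: no private key block in $cred"; return 1; }
    grep -q -- '-----BEGIN CERTIFICATE-----' "$cred" ||
        { echo "FAIL: no certificate block in $cred"; return 1; }
    # "openssl x509" and "openssl pkey" skip PEM blocks of other types, so both
    # can read the concatenated bundle directly.
    openssl x509 -in "$cred" 2>/dev/null | openssl verify -CAfile "$ca" >/dev/null 2>&1 ||
        { echo "FAIL: certificate in $cred is not signed by $ca"; return 1; }
    openssl x509 -in "$cred" -noout -checkend 0 >/dev/null 2>&1 ||
        { echo "FAIL: certificate in $cred has expired"; return 1; }
    # The public key embedded in the certificate must equal the public half of
    # the private key stored in the same bundle.
    cert_pub=$(openssl x509 -in "$cred" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$cred" -pubout 2>/dev/null)
    [ "$cert_pub" = "$key_pub" ] ||
        { echo "FAIL: private key in $cred does not match its certificate"; return 1; }
    echo "OK: $cred (expires $(openssl x509 -in "$cred" -noout -enddate 2>/dev/null | cut -d= -f2))"
}

# make_demo_pki DIR
# Constructed test data: a throwaway self-signed CA plus "server" and "client"
# bundles signed by it.  Subjects and names are made up for this example.
make_demo_pki() {
    dir="$1"
    mkdir -p "$dir"
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj '/CN=demo xCAT CA' \
        -keyout "$dir/ca-key.pem" -out "$dir/ca.pem" >/dev/null 2>&1
    for name in server client; do
        openssl req -new -newkey rsa:2048 -nodes \
            -subj "/CN=demo-$name" \
            -keyout "$dir/$name-key.pem" -out "$dir/$name.csr" >/dev/null 2>&1
        openssl x509 -req -days 365 -in "$dir/$name.csr" \
            -CA "$dir/ca.pem" -CAkey "$dir/ca-key.pem" -CAcreateserial \
            -out "$dir/$name-cert.pem" >/dev/null 2>&1
        # same layout as xCAT's bundles: private key first, then the certificate
        cat "$dir/$name-key.pem" "$dir/$name-cert.pem" > "$dir/$name-cred.pem"
    done
}

# Stand-alone demo: build the throwaway PKI and check both bundles against its CA.
demo_dir=$(mktemp -d)
make_demo_pki "$demo_dir"
check_cred "$demo_dir/ca.pem" "$demo_dir/server-cred.pem"
check_cred "$demo_dir/ca.pem" "$demo_dir/client-cred.pem"
rm -rf "$demo_dir"
```

On a real management node the same function applies to the files listed above, for example check_cred /etc/xcat/cert/ca.pem /etc/xcat/cert/server-cred.pem and check_cred /root/.xcat/ca.pem /root/.xcat/client-cred.pem; on a service node it confirms that the copies delivered by the servicenode postscript still chain to the CA the management node is using, which is the first thing to verify after the CA has been regenerated with xcatconfig -f or xcatconfig -c.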
The usage of the credentials in the xCAT SSL communication is: