The SSL Certificates in xCAT
The xCAT daemon on the management node and service node listens on an SSL socket on port 3001. The communications on the SSL socket include:

- the xCAT requests from xCAT clients
- the xCAT requests forwarded from other xCAT daemons, for example, the requests forwarded between xCAT daemons on the management node and service nodes
- some special xCAT requests from compute nodes, such as getcredentials, getpostscript, litefile, etc.
xCAT creates 1 CA certificate and 2 credentials (private key and certificate pairs):

- xCAT CA certificate (ca.pem):
  - a self-signed certificate used as the Certificate Authority in xcatd SSL communication;
  - generated by the /opt/xcat/share/xcat/scripts/setup-xcat-ca.sh script on xCAT installation;
  - will be generated (or updated) on the xCAT management node when:
    - xCAT is installed or updated and the /etc/xcat/ca directory does not exist
    - or xcatconfig -f|--force is run
    - or xcatconfig -c|--credentials is run
  - files on the management node:
    - /etc/xcat/ca/ca-cert.pem
    - /etc/xcat/cert/ca.pem, copied by /opt/xcat/share/xcat/scripts/setup-server-cert.sh
    - /root/.xcat/ca.pem, copied by /opt/xcat/share/xcat/scripts/setup-local-client.sh
  - file on the service node: /root/.xcat/ca.pem
  - distribution path: /etc/xcat/cert/ca.pem (MN) ===(run the xcatconfig command)===> /install/postscripts/_xcat/ca.pem (MN) ===(node provision/updatenode)===> /xcatpost/_xcat/ca.pem (SN and CN) ===(run the "servicenode" postscript)===> /root/.xcat/ca.pem (SN)
- xCAT server credential (server-cred.pem):
  - a concatenation of the server private key and certificate (signed with the xCAT CA certificate)
  - generated by /opt/xcat/share/xcat/scripts/setup-server-cert.sh on xCAT installation;
  - will be generated (or updated) on the xCAT management node when:
    - xCAT is installed or updated and the /etc/xcat/cert directory does not exist
    - or xcatconfig -f|--force is run
    - or xcatconfig -c|--credentials is run
  - file on the management node: /etc/xcat/cert/server-cred.pem
  - file on the service node: /etc/xcat/cert/server-cred.pem
  - distribution path: /etc/xcat/cert/server-cred.pem (MN) ===(run the xcatserver script called by the "servicenode" postscript)===> /etc/xcat/cert/server-cred.pem (SN)
- xCAT client credential (client-cred.pem):
  - a concatenation of the client private key and certificate (signed with the xCAT CA certificate)
  - generated by /opt/xcat/share/xcat/scripts/setup-local-client.sh on xCAT installation
  - will be generated (or updated) on the xCAT management node when:
    - xCAT is installed or updated and /root/.xcat/client-key.pem does not exist;
    - or xcatconfig -f|--force is run
    - or xcatconfig -c|--credentials is run
  - file on the management node: /root/.xcat/client-cred.pem
  - file on the service node: /root/.xcat/client-cred.pem
  - distribution path: /root/.xcat/client-cred.pem (MN) ===(run the xcatclient script called by the "servicenode" postscript)===> /root/.xcat/client-cred.pem (SN)
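Because server-cred.pem and client-cred.pem are a private key and a CA-signed certificate concatenated into one PEM file, an administrator who wants to confirm that a deployed credential really chains to the current ca.pem (for example after running xcatconfig -c, which regenerates the CA and leaves previously distributed credentials unsigned by it) can check the certificate half with openssl. The script below is an added example, not one of the xCAT scripts named above: it builds a constructed CA and a constructed key+certificate credential in a temporary directory so it runs offline, and the check_cred function can equally be pointed at the real /etc/xcat/cert/ca.pem and /etc/xcat/cert/server-cred.pem paths. It assumes the openssl command-line tool is installed.

```shell
#!/bin/sh
# Added example, not xCAT's own code. Builds a throwaway CA and a
# concatenated "private key + certificate" credential (the same layout the
# page describes for server-cred.pem / client-cred.pem), then verifies that
# the credential chains to the CA and has not expired.
set -e
WORK=$(mktemp -d)

# Constructed self-signed CA, standing in for /etc/xcat/cert/ca.pem.
openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORK/ca-key.pem" \
  -out "$WORK/ca.pem" -subj "/CN=constructed-xcat-ca" -days 365 >/dev/null 2>&1

# A second, unrelated CA, used only to show the negative case
# (a credential signed by an old CA does not verify against a new one).
openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORK/other-ca-key.pem" \
  -out "$WORK/other-ca.pem" -subj "/CN=constructed-other-ca" -days 365 >/dev/null 2>&1

# Constructed server key and CSR, signed by the first CA.
openssl req -newkey rsa:2048 -nodes -keyout "$WORK/server-key.pem" \
  -out "$WORK/server.csr" -subj "/CN=constructed-mn" >/dev/null 2>&1
openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/ca.pem" \
  -CAkey "$WORK/ca-key.pem" -CAcreateserial \
  -out "$WORK/server-cert.pem" -days 365 >/dev/null 2>&1

# Concatenate key and certificate, mirroring how server-cred.pem is built.
cat "$WORK/server-key.pem" "$WORK/server-cert.pem" > "$WORK/server-cred.pem"

# check_cred CA_FILE CRED_FILE
# Returns 0 when the certificate inside CRED_FILE (a) parses, (b) verifies
# against CA_FILE and (c) stays valid for at least one more day; 1 otherwise.
check_cred() {
  ca=$1
  cred=$2
  cert=$(mktemp)
  # openssl x509 skips the private-key block and reads the CERTIFICATE block,
  # so the concatenated credential can be fed to it directly.
  openssl x509 -in "$cred" -out "$cert" >/dev/null 2>&1 || { rm -f "$cert"; return 1; }
  # Chain check: does the certificate verify against this CA?
  openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 || { rm -f "$cert"; return 1; }
  # Expiry check: -checkend fails if the certificate expires within 86400 s.
  openssl x509 -in "$cert" -noout -checkend 86400 >/dev/null 2>&1 || { rm -f "$cert"; return 1; }
  rm -f "$cert"
  return 0
}

# Stand-alone usage: report both the matching and the mismatched CA case.
if check_cred "$WORK/ca.pem" "$WORK/server-cred.pem"; then
  echo "server-cred.pem chains to ca.pem and is not about to expire"
fi
if ! check_cred "$WORK/other-ca.pem" "$WORK/server-cred.pem"; then
  echo "server-cred.pem does NOT chain to other-ca.pem (expected)"
fi
```

On a real management node the same function would be called as check_cred /etc/xcat/cert/ca.pem /etc/xcat/cert/server-cred.pem, and on a service node against /root/.xcat/ca.pem and the locally distributed credential files; a failure there usually means the CA was regenerated and the "servicenode" postscript has not yet redistributed the new files.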
The usage of the credentials in the xCAT SSL communication is: