Importing a TLS Certificate

  • You can configure TLS key certificates through the tft_start_controller and tft_init_processor APIs to set up a TLS connection. The security option is enabled by default, which is recommended to ensure communication security. If you need to disable the encryption function, see the following example.
  • After the system is started, you are advised to delete sensitive files such as local key certificates.
  • When these APIs are called, the input file paths cannot contain semicolons (;), commas (,), or colons (:), because these characters are the field and file separators of tls_info.
  • You can configure the certificate check period and certificate expiration warning time through the environment variables TTP_ACCLINK_CHECK_PERIOD_HOURS and TTP_ACCLINK_CERT_CHECK_AHEAD_DAYS.

TLS API Call Examples

  • When TLS is disabled (enable_tls = False), tls_info is invalid and does not need to be set. This operation does not affect MindIO TFT functions.
    from mindio_ttp.framework_ttp import tft_start_controller, tft_init_processor
    
    # enable_tls must have the same value in both calls. With enable_tls=False, tls_info is ignored.
    # bind_ip (str), port (int), rank (int), world_size (int) and enable_local_copy (bool) are your own deployment values.
    tft_start_controller(bind_ip, port, enable_tls=False, tls_info='')
    tft_init_processor(rank, world_size, enable_local_copy, enable_tls=False, tls_info='', enable_uce=True, enable_arf=False)
    • If TLS is disabled (enable_tls = False), high network security risks exist.
    • The enable_tls state of tft_start_controller and tft_init_processor must be the same. If enable_tls has different values, the following problems may occur:
      • TLS links fail to be established between modules.
      • MindIO TFT cannot run normally, and the training job fails to be started.
  • When TLS is enabled (enable_tls = True), the certificate information must be input as tls_info for the following APIs:
    from mindio_ttp.framework_ttp import tft_start_controller, tft_init_processor, tft_register_decrypt_handler
    
    # In tls_info, use semicolons (;) to separate different fields and commas (,) to separate files.
    # A raw triple-quoted string keeps the multi-line layout intact (a single-quoted string cannot span lines in Python).
    tls_info = r"""
    tlsCert: /etc/ssl/certs/cert.pem;
    tlsCrlPath: /etc/ssl/crl/;
    tlsCaPath: /etc/ssl/ca/;
    tlsCaFile: ca_cert_1.pem, ca_cert_2.pem;
    tlsCrlFile: crl_1.pem, crl_2.pem;
    tlsPk: private key;
    tlsPkPwd: private key pwd;
    packagePath: /etc/ssl/
    """
    
    # If the tlsPkPwd password is in ciphertext, register a password decryption function.
    # user_decrypt_callback is your own function that returns the plaintext password.
    tft_register_decrypt_handler(user_decrypt_callback)
    # enable_tls must have the same value in both calls; bind_ip (str), port (int), rank (int),
    # world_size (int) and enable_local_copy (bool) are your own deployment values.
    tft_start_controller(bind_ip, port, enable_tls=True, tls_info=tls_info)
    tft_init_processor(rank, world_size, enable_local_copy, enable_tls=True, tls_info=tls_info, enable_uce=True, enable_arf=False)

Fields in tls_info

Field          Description                            Required or Not
tlsCert        Server certificate                     Yes
tlsCaPath      Path for storing the CA certificate    Yes
tlsCaFile      CA certificate list                    Yes
tlsCrlPath     Path for storing the CRL               No
tlsCrlFile     CRL                                    No
tlsPk          Private key                            Yes
tlsPkPwd       Private key password                   Yes
packagePath    OpenSSL library path                   Yes

Certificate security requirements:

  • Use industry-recognized secure and reliable asymmetric encryption algorithms, key exchange algorithms, key lengths, hash algorithms, and certificate formats.
  • Certificates must be within their valid periods.
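As an added example (not MindIO TFT code and not part of this page), the following Python helpers build and parse a tls_info string from the field table above, enforce the required-field rule and the rule that paths contain no semicolons, commas or colons, and classify a certificate's expiry against a look-ahead window of the kind TTP_ACCLINK_CERT_CHECK_AHEAD_DAYS configures. The sample values are the page's own placeholders; the function names, the "expired" / "expiring" / "ok" labels and the ISO 8601 time inputs are this example's assumptions, and nothing here calls the MindIO TFT APIs.

```python
"""Build, parse and sanity-check a MindIO TFT tls_info string (added example, not
MindIO TFT code). Field names, required/optional status, the ';' / ',' separator
rules and the no-';' ',' ':' rule for paths are from the page; the checks are ours."""
import datetime as dt
from typing import Dict, List, Optional

# Field -> required?  Ordered as in the page's tls_info example.
TLS_INFO_FIELDS: Dict[str, bool] = {
    "tlsCert": True, "tlsCrlPath": False, "tlsCaPath": True, "tlsCaFile": True,
    "tlsCrlFile": False, "tlsPk": True, "tlsPkPwd": True, "packagePath": True,
}
MULTI_FILE_FIELDS = {"tlsCaFile", "tlsCrlFile"}   # comma-separated file lists
FORBIDDEN_PATH_CHARS = ";,:"                      # not allowed in input paths

# The page's sample configuration as a dict; "private key" etc. are its placeholders.
SAMPLE_CONFIG: Dict[str, object] = {
    "tlsCert": "/etc/ssl/certs/cert.pem", "tlsCrlPath": "/etc/ssl/crl/",
    "tlsCaPath": "/etc/ssl/ca/", "tlsCaFile": ["ca_cert_1.pem", "ca_cert_2.pem"],
    "tlsCrlFile": ["crl_1.pem", "crl_2.pem"], "tlsPk": "private key",
    "tlsPkPwd": "private key pwd", "packagePath": "/etc/ssl/",
}


def check_path(value: str) -> None:
    """Reject a path containing a separator character; it would corrupt tls_info."""
    bad = [c for c in FORBIDDEN_PATH_CHARS if c in value]
    if bad:
        raise ValueError(f"path {value!r} contains forbidden character(s) {bad}")


def _check_required(present) -> None:
    missing = [f for f, req in TLS_INFO_FIELDS.items() if req and f not in present]
    if missing:
        raise ValueError(f"missing required tls_info field(s): {missing}")


def build_tls_info(config: Dict[str, object]) -> str:
    """Serialise config as 'key: value' fields joined by ';' + newline (no trailing
    ';', as in the page's example). Raises ValueError on a bad config."""
    unknown = sorted(set(config) - set(TLS_INFO_FIELDS))
    if unknown:
        raise ValueError(f"unknown tls_info field(s): {unknown}")
    _check_required(config)
    fields: List[str] = []
    for name in TLS_INFO_FIELDS:            # emit in the page's order
        if name not in config:
            continue
        value = config[name]
        if name in MULTI_FILE_FIELDS:
            files = [str(f) for f in value]
            for f in files:
                check_path(f)
            text = ", ".join(files)
        else:
            text = str(value)
            if name != "tlsPkPwd":          # the password is a secret, not a path
                check_path(text)
        fields.append(f"{name}: {text}")
    return ";\n".join(fields)


def parse_tls_info(text: str) -> Dict[str, object]:
    """Inverse of build_tls_info; whitespace around fields, keys, values and
    file names is ignored, so the page's multi-line layout parses as is."""
    result: Dict[str, object] = {}
    for chunk in text.split(";"):
        chunk = chunk.strip()
        if not chunk:
            continue
        key, sep, value = chunk.partition(":")   # first ':' separates key and value
        key, value = key.strip(), value.strip()
        if not sep or key not in TLS_INFO_FIELDS:
            raise ValueError(f"malformed or unknown tls_info field: {chunk!r}")
        if key in result:
            raise ValueError(f"duplicate tls_info field: {key!r}")
        if key in MULTI_FILE_FIELDS:
            files = [f.strip() for f in value.split(",") if f.strip()]
            for f in files:
                check_path(f)
            result[key] = files
        else:
            if key != "tlsPkPwd":
                check_path(value)
            result[key] = value
    _check_required(result)
    return result


def tls_info_problem(config: Dict[str, object]) -> Optional[str]:
    """Return the first validation error for config, or None when it is acceptable."""
    try:
        build_tls_info(config)
    except ValueError as exc:
        return str(exc)
    return None


def cert_expiry_status(not_after_iso: str, now_iso: str, ahead_days: int) -> str:
    """'expired', 'expiring' (ends within ahead_days, the role the page gives
    TTP_ACCLINK_CERT_CHECK_AHEAD_DAYS) or 'ok'; times are ISO 8601 strings."""
    not_after = dt.datetime.fromisoformat(not_after_iso)
    now = dt.datetime.fromisoformat(now_iso)
    if now >= not_after:
        return "expired"
    if now + dt.timedelta(days=ahead_days) >= not_after:
        return "expiring"
    return "ok"


if __name__ == "__main__":
    tls_info = build_tls_info(SAMPLE_CONFIG)
    print(tls_info)
    assert parse_tls_info(tls_info) == SAMPLE_CONFIG
    print(tls_info_problem({**SAMPLE_CONFIG, "tlsCert": "/etc/ssl/a;b.pem"}))
```

Run as a script it prints the serialised string, which is what you would pass as tls_info to tft_start_controller and tft_init_processor. Because parsing strips whitespace, the multi-line layout shown earlier on this page is accepted unchanged, and a path that contains one of the separator characters is rejected before it can be mistaken for a field or file boundary.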