Configuring Automatic Certificate Generation

If TLS authentication (HTTPS or gRPC) is enabled for Server, the communicating client checks that the IP address it connects to is listed in the server certificate (as a subject alternative name). Because a pod IP is assigned dynamically, a service certificate carrying the pod IP as an alias must be generated when the pod starts, both for communication between the prefill and decode nodes of Server and for certificate-based authentication of Server by the cluster management component. MindIE provides the capability to generate such certificates. The procedure is as follows.

You are advised to prepare and configure certificates on each compute node in the operating environment to improve service security.

Procedure

This method applies only to the scenario where a self-signed CA certificate is used to issue certificates.

Prepare the Server, Controller, and Coordinator certificates as follows.

  1. Prepare a self-signed CA certificate and encrypted private key.
    1. Create the configuration file ca.conf. The following is an example; configure the fields under req_distinguished_name as required. Note that <<-EOF strips leading tabs only, so indent the heredoc body with tabs or leave it unindented.
      cat > ca.conf <<-EOF
      [ req ]
      distinguished_name    = req_distinguished_name
      prompt                = no

      [ req_distinguished_name ]
      C                     = CN
      ST                    = Sichuan
      L                     = Chengdu
      O                     = Huawei
      OU                    = Ascend
      CN                    = MindIE

      [ v3_ca ]
      subjectKeyIdentifier = hash
      authorityKeyIdentifier = keyid:always,issuer
      basicConstraints = critical, CA:true
      keyUsage = critical, digitalSignature, cRLSign, keyCertSign
      EOF
    2. Create the CA private key (ca.key.pem), encrypted with AES-256. With OpenSSL 1.x the key is written in PKCS#1 (traditional) format; OpenSSL 3.x writes PKCS#8 by default, so add -traditional if PKCS#1 is required.
      openssl genrsa -aes256 -out ca.key.pem 4096
    3. Enter the private key password as prompted and press Enter.
      Enter pass phrase for ca.key.pem:
      Verifying - Enter pass phrase for ca.key.pem:

      To ensure security and proper certificate import, the private key password must meet the following complexity requirements:

      • Contain at least 8 characters.
      • Contain characters from at least two of the following four types:
        • Lowercase letters
        • Uppercase letters
        • Numbers
        • Special characters
    4. Restrict the ca.key.pem private key file to owner read-only.
      chmod 400 ca.key.pem
    5. Check that ca.key.pem exists and can be decrypted. The -noout -check options validate the key without printing the key material to the terminal.
      openssl rsa -in ca.key.pem -noout -check

      Enter the private key password set in 1.c when prompted and press Enter. If "RSA key ok" is printed, ca.key.pem was generated successfully.

    6. Create a CSR file, enter the private key password set in 1.c based on the command output, and press Enter.
      openssl req -out ca.csr -key ca.key.pem -new -config ca.conf -batch
    7. Restrict the ca.csr file to owner read and write.
      chmod 600 ca.csr
    8. Check whether the ca.csr file exists. If the content of the ca.csr file is printed, the ca.csr file is generated successfully.
      openssl req -in ca.csr -noout -text
    9. Generate the CA certificate ca.pem.
      openssl x509 -req -in ca.csr -out ca.pem -sha256 -days 7300 -extfile ca.conf -extensions v3_ca -signkey ca.key.pem
    10. Check whether the ca.pem file exists. If the command output is displayed, the ca.pem file is generated successfully.
      openssl x509 -in ca.pem -noout -text
    11. Restrict the ca.pem file to owner read-only.
      chmod 400 ca.pem
  2. Import a self-signed CA certificate and encrypted private key.
    Run the following command to go to the directory where MindIE Motor is installed.
    cd /{MindIE installation directory}/mindie-service/
  3. Import the CA certificate and private key through the import_cert interface of the MindIE certificate management tool. When prompted, enter the private key password; the tool then generates the KMC-encrypted password file and the KMC keystore files. For details about the MindIE certificate management tool, see config_mindie_server_tls_cert.py.
    python3 ./scripts/config_mindie_server_tls_cert.py ./security/ca import_cert {Certificate file path} {Path of the encrypted private key file}

    Parameters:

    • {Certificate file path}: source path of the CA certificate
    • {Path of the encrypted private key file}: source path of the CA private key

    When prompted, enter the password that was set when the CA key was generated.

    Password for private key file: 
    Retype password for private key file: 
  4. Prepare the configuration file for generating certificates.
    • gen_cert.json:
      {
          "ca_cert": "./security/ca/ca.pem",
          "ca_key": "./security/ca/ca.key.pem",
          "ca_key_pwd": "./security/ca/ca_passwd.txt",
          "cert_config": "./cert_info.json",
          "output_path": "./gen_cert_output",
          "kmc_ksf_master": "./tools/pmt/master/ksfa",
          "kmc_ksf_standby": "./tools/pmt/standby/ksfb"
      }
    • Information about the certificate to be generated in cert_config: cert_info.json:
      {
          "subject": "subject_name",
          "expired_time": 3650,
          "serial_number": 123,
          "req_distinguished_name": {
              "C": "***",
              "ST": "***",
              "L": "***",
              "O": "***",
              "OU": "***",
              "CN": "***"
          },
          "alt_names": {
              "IP": [],
              "DNS": []
          }
      }
  5. In the mindie_server.yaml, mindie_ms_controller.yaml, and mindie_ms_coordinator.yaml files in Script Description, mount the self-signed CA certificate, the CA private key and password file, and the configuration files above to the /mnt/security directory in the container, and mount them read-only. Note that this places the CA signing key inside every pod that generates certificates, so keep the mount read-only and treat a compromise of such a pod as a compromise of the CA.
  6. Add certificate generation commands to the container startup script boot.sh in Script Description. The following uses the Server certificate as an example. Add the following commands to the if [ $exit_code -eq 2 ]; then branch:
    # The relative paths below are resolved against the MindIE Motor installation directory.
    cd $MIES_INSTALL_PATH
    cp /mnt/security/ca.pem $MIES_INSTALL_PATH/security/ca
    cp /mnt/security/ca.key.pem $MIES_INSTALL_PATH/security/ca
    cp /mnt/security/ca_passwd.txt $MIES_INSTALL_PATH/security/ca
    cp /mnt/security/gen_cert.json $MIES_INSTALL_PATH
    cp /mnt/security/cert_info.json $MIES_INSTALL_PATH
    cp -r /mnt/security/tools $MIES_INSTALL_PATH/
    chmod 500 ./bin/gen_cert
    mkdir gen_cert_output
    python3 ./scripts/config_mindie_server_tls_cert.py ./ gen_cert ./gen_cert.json --ip=$MIES_CONTAINER_IP,{host_ip}
    chmod 400 ./gen_cert_output/*
    # Copy the generated certificate, key and password file to the paths MindIE Server reads them from.
    cp ./gen_cert_output/cert.pem /home/{User name}/Ascend/mindie/latest/mindie-service/security/certs/server.pem
    cp ./gen_cert_output/cert.key.pem /home/{User name}/Ascend/mindie/latest/mindie-service/security/keys/server.key.pem
    cp ./gen_cert_output/cert_passwd.txt /home/{User name}/Ascend/mindie/latest/mindie-service/security/pass/mindie_server_key_pwd.txt
    rm -rf ./gen_cert_output/*
    # To issue further certificates, use other certificate configurations (gen_cert_xxx.json, cert_info_xxx.json) and repeat the preceding steps:
    # cp /mnt/security/gen_cert_xxx.json $MIES_INSTALL_PATH
    # cp /mnt/security/cert_info_xxx.json $MIES_INSTALL_PATH
    # python3 ./scripts/config_mindie_server_tls_cert.py ./ gen_cert ./gen_cert_xxx.json --ip=$MIES_CONTAINER_IP,{host_ip}

    {host_ip}: IP address of the physical machine that exposes the inference API. Pass it only when generating the Coordinator certificate; for Server and Controller, pass --ip=$MIES_CONTAINER_IP only.

    • After the Server, Controller, and Coordinator certificates are prepared, copy them to the paths specified in "Core Concepts and Configurations" > "Configuration Parameters (Serving)" in the MindIE LLM Development Guide, in Controller Configurations, and in Coordinator Configurations.
    • If the error message "failed to read random number from system." is reported when the Server pod calls the certificate generation interface, the environment's entropy is most likely insufficient. Install haveged on the compute node to keep the kernel entropy pool filled to 4096 bits. For details, see Starting the haveged Service.
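The following script is an added example and is not part of MindIE or its certificate management tool. It reproduces the procedure above with plain openssl so that the result of the gen_cert step can be understood and checked: it builds a CA with the same v3_ca extensions as ca.conf, applies the password policy from step 1, issues a server certificate whose subject alternative name carries the IP addresses that alt_names.IP and --ip= stand for (the pod IP and, for Coordinator, the host IP), and then verifies the certificate the way a TLS client does, including the IP-address match. It requires OpenSSL 1.1.1 or later; the working directory, file names, IP addresses and passphrases are hypothetical.

```shell
#!/bin/sh
# Added example (not MindIE's own tooling): CA + IP-SAN server certificate
# + client-style verification with plain openssl (1.1.1 or later).
set -eu
export LC_ALL=C
WORKDIR="${WORKDIR:-$(mktemp -d)}"            # hypothetical scratch directory
CA_PASS="${CA_PASS:-ExampleCaPass2024}"       # MindIE keeps this in ca_passwd.txt (KMC-encrypted)
LEAF_PASS="${LEAF_PASS:-ExampleLeafPass2024}" # becomes cert_passwd.txt in MindIE

# Passphrase policy from this page: at least 8 characters and characters
# from at least two of the four classes. Returns 0 when the policy is met.
check_passphrase() {
  pw="$1"; classes=0
  [ "${#pw}" -ge 8 ] || return 1
  case "$pw" in *[a-z]*) classes=$((classes + 1));; esac
  case "$pw" in *[A-Z]*) classes=$((classes + 1));; esac
  case "$pw" in *[0-9]*) classes=$((classes + 1));; esac
  case "$pw" in *[!a-zA-Z0-9]*) classes=$((classes + 1));; esac
  [ "$classes" -ge 2 ]
}

# Self-signed CA with the same v3_ca extensions as ca.conf above.
make_ca() {
  check_passphrase "$CA_PASS" || { echo "CA passphrase violates policy" >&2; return 1; }
  cd "$WORKDIR"
  cat > ca.conf <<'EOF'
[ req ]
distinguished_name = req_distinguished_name
prompt = no
[ req_distinguished_name ]
C = CN
O = Huawei
CN = MindIE
[ v3_ca ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = critical, CA:true
keyUsage = critical, digitalSignature, cRLSign, keyCertSign
EOF
  openssl genrsa -aes256 -passout "pass:$CA_PASS" -out ca.key.pem 2048 2>/dev/null
  chmod 400 ca.key.pem
  openssl req -new -key ca.key.pem -passin "pass:$CA_PASS" -config ca.conf -out ca.csr
  openssl x509 -req -in ca.csr -signkey ca.key.pem -passin "pass:$CA_PASS" -sha256 \
    -days 7300 -extfile ca.conf -extensions v3_ca -out ca.pem 2>/dev/null
  chmod 400 ca.pem
}

# Leaf certificate: $1 = serial_number, $2 = expired_time (days), $3... = IP SANs,
# i.e. the fields of cert_info.json plus the addresses given with --ip=.
issue_server_cert() {
  serial="$1"; days="$2"; shift 2
  check_passphrase "$LEAF_PASS" || { echo "leaf passphrase violates policy" >&2; return 1; }
  cd "$WORKDIR"
  san=""
  for ip in "$@"; do san="${san:+$san,}IP:$ip"; done
  cat > server.conf <<EOF
[ req ]
distinguished_name = req_distinguished_name
prompt = no
[ req_distinguished_name ]
C = CN
O = Huawei
CN = mindie-server
[ v3_server ]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = $san
EOF
  openssl genrsa -aes256 -passout "pass:$LEAF_PASS" -out server.key.pem 2048 2>/dev/null
  openssl req -new -key server.key.pem -passin "pass:$LEAF_PASS" -config server.conf -out server.csr
  openssl x509 -req -in server.csr -CA ca.pem -CAkey ca.key.pem -passin "pass:$CA_PASS" \
    -set_serial "$serial" -days "$days" -sha256 -extfile server.conf -extensions v3_server \
    -out server.pem 2>/dev/null
  chmod 400 server.key.pem server.pem
}

# Does the leaf chain to ca.pem?
verify_chain() {
  openssl verify -CAfile "$WORKDIR/ca.pem" "$WORKDIR/server.pem" >/dev/null 2>&1
}

# The client-side check: the IP being connected to must appear in the SAN.
# Fails for any IP that is not listed; the CN is never consulted.
verify_ip() {
  openssl verify -CAfile "$WORKDIR/ca.pem" -verify_ip "$1" "$WORKDIR/server.pem" >/dev/null 2>&1
}

# Print the SAN so an operator can confirm what the generator put in.
show_san() {
  openssl x509 -in "$WORKDIR/server.pem" -noout -ext subjectAltName
}

# Usage: make_ca; issue_server_cert 123 3650 10.244.1.17; verify_ip 10.244.1.17 && show_san
```

Run show_san against the cert.pem that gen_cert writes to gen_cert_output to confirm that the pod IP (and, for Coordinator, the host IP) is present before the file is copied into place; a client connecting to an address that is missing from the SAN fails the TLS handshake regardless of what the CN says.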