Configuring Certificates

AI-VAULT requires a certificate to access other interfaces. Import the certificate before deploying AI-VAULT.

AI-VAULT provides a CLI through which you can generate certificate signing requests and import the issued certificates.

The procedure for configuring certificates is as follows:

  • If a certificate is generated for the first time in a container, log in to the host as user AiVault and run the commands on the host to have AI-VAULT generate a certificate and import the certificate. Then mount the generated configuration directory (~/.ai-vault/) into the container as a volume. Harden the mount so that the mounted volume can be used only by AI-VAULT. For security purposes, set the AiVault account to nologin after the certificate is imported or upgraded.
  • The certificate import API allows the client and server to use certificates issued by different CAs. Consequently, it does not verify the issuing relationship between the peer CA file and the service certificate.
  • If an incorrect CA file (one with a correct format) is imported, the client may fail to verify the certificate issued by that CA, and the server cannot be accessed. In this case, generate the certificate signing request (CSR) again and import the certificate again.
  1. Log in as the AiVault user with the password, go to the AiVault home directory, create the aivault directory, place the AI-VAULT installation package in it, and decompress the package. After decompression, ensure that all .so dynamic library files in the lib directory are owned by the current user or root, and that their permissions meet your organization's security requirements.
    cd /home/AiVault
    mkdir aivault
    chmod 700 /home/AiVault/aivault
    cd /home/AiVault/aivault
    unzip Ascend-mindxdl-aivault_{version}_linux-{arch}.zip
    tar --no-same-owner --no-same-permission -zxf Ascend-mindxdl-aivault_{version}_linux-{arch}.tar.gz
  2. Generate the CSR files.
    export LD_LIBRARY_PATH=/home/AiVault/aivault/lib
    /home/AiVault/aivault/ai-vault req -type MGMT -subject "CN|SiChuan|ChengDu|Huawei|Ascend"
    /home/AiVault/aivault/ai-vault req -type SVC -subject "CN|SiChuan|ChengDu|Huawei|Ascend"
    As shown in Figure 1, the content in the red box is the generated CSR. You can also view the CSR file directly.

    The CSR file path:

    • The MGMT CSR file path is ~/.ai-vault/cert/mgmt/mgmt.csr.
    • The SVC CSR file path is ~/.ai-vault/cert/svc/svc.csr.
    Figure 1 CSR certificate content
  3. Issue the certificates through a PKI system that meets your organization's security requirements.
  4. Obtain the issued TLS certificates (this step uses the TLS certificates rsa.MGMT.pem and rsa.SVC.pem and the root certificate chain rsa.trust.pem as examples), save them to a private directory such as /home/AiVault/cert_tmp, and restrict their permissions.
    chmod 400 rsa.trust.pem
    chmod 400 rsa.SVC.pem
    chmod 400 rsa.MGMT.pem
  5. Import the certificate file.
    cd /home/AiVault/cert_tmp
    /home/AiVault/aivault/ai-vault x509 -type MGMT -caFile rsa.trust.pem -certFile rsa.MGMT.pem
    /home/AiVault/aivault/ai-vault x509 -type SVC -caFile rsa.trust.pem -certFile rsa.SVC.pem

    To import a CRL as well, add the -crlFile parameter with the CRL path to the import command, for example, -crlFile cert.crl.

    After the certificates are imported, delete the cert_tmp directory.

    rm -rf /home/AiVault/cert_tmp
  6. After the AiVault user logs out, notify the root user to confirm the logout, clear the AiVault user's password, and reset the AiVault account to nologin.
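Because the ai-vault x509 import does not check that the CA file issued the certificate, and because step 2 puts the lib directory on LD_LIBRARY_PATH, it is worth checking the library ownership, the 400 file modes from step 4 and the CA/certificate chain before running step 5. The script below is an added example, not part of the AI-VAULT package; it assumes GNU or busybox stat, the openssl CLI, and the directory layout used in this procedure.

```shell
#!/bin/sh
# Added example, not part of the AI-VAULT package. Assumes GNU/busybox stat,
# the openssl CLI, and the directory layout used in this procedure.

# check_lib_owners DIR: every .so in DIR must be owned by the current user or
# root and must not be group- or world-writable. Step 2 puts this directory on
# LD_LIBRARY_PATH, so a writable library here would be loaded by ai-vault.
check_lib_owners() {
    me=$(id -un); rc=0
    for f in "$1"/*.so "$1"/*.so.*; do
        [ -e "$f" ] || continue
        owner=$(stat -c %U "$f"); mode=$(stat -c %a "$f")
        if [ "$owner" != "$me" ] && [ "$owner" != root ]; then
            echo "bad owner on $f: $owner"; rc=1
        fi
        if [ $(( 0$mode & 022 )) -ne 0 ]; then
            echo "group/world writable: $f ($mode)"; rc=1
        fi
    done
    return $rc
}

# check_mode FILE MODE: certificate files must have exactly MODE (step 4: 400).
check_mode() {
    [ "$(stat -c %a "$1")" = "$2" ]
}

# check_issued_by CA CERT: the ai-vault x509 import does not verify that the CA
# file issued the certificate, so a well-formed but wrong CA file is only
# noticed when clients fail to connect. Verify the chain before importing.
check_issued_by() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# preimport_check LIBDIR CA CERT...: run all checks, report every failure,
# return non-zero if any check failed.
preimport_check() {
    libdir=$1; ca=$2; shift 2; rc=0
    check_lib_owners "$libdir" || rc=1
    check_mode "$ca" 400 || { echo "$ca is not mode 400"; rc=1; }
    for c in "$@"; do
        check_mode "$c" 400 || { echo "$c is not mode 400"; rc=1; }
        check_issued_by "$ca" "$c" || { echo "$c was not issued by $ca"; rc=1; }
    done
    return $rc
}

# Usage, run from /home/AiVault/cert_tmp before step 5:
#   sh precheck.sh /home/AiVault/aivault/lib rsa.trust.pem rsa.MGMT.pem rsa.SVC.pem
if [ $# -gt 0 ]; then preimport_check "$@"; fi
```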