Modifying the Configuration File

  • In the Atlas 500 environment, the KMSAgent executable file is stored in /home/data/miniD/driver/tools/kmsagent. In other environments, the KMSAgent executable file is stored in /usr/local/Ascend/driver/tools/kmsagent.
  • The default path of the kmsagent.conf file is /var/kmsagentd/kmsagent.conf.
  • If you want to modify the /var/kmsagentd/kmsagent.conf configuration file, modify it through the CLI.
  • The values of TlsCertPath and TlsBackupCertPath for Crypto_fs and AI-VAULT must be different.
  1. Run the following commands to create an independent virtual network (for example, aiguard) for running the container and query the gateway address of the network:
    docker network create aiguard
    docker network inspect aiguard |grep Gateway
  2. As the HwHiAiUser user, modify the configuration file.
    1. Change the value of IP in the kmsagent.conf file to the gateway address of the AI-GUARD network returned by the preceding command. Optionally, run the second command below to configure the port (1024 by default) used by the Crypto_fs service.
      /usr/local/Ascend/driver/tools/kmsagent -c /var/kmsagentd/kmsagent.conf -k /var/kmsagentd/kmsconf.ksf -s SERVER_FOR_CFS -n IP -v ${ip}
      /usr/local/Ascend/driver/tools/kmsagent -c /var/kmsagentd/kmsagent.conf -k /var/kmsagentd/kmsconf.ksf -s SERVER_FOR_CFS -n Port -v ${port}
    2. Change the paths of TlsCertPath and TlsBackupCertPath under SERVER_FOR_CFS in the configuration file. (Skip this step if the directories specified by TlsCertPath and TlsBackupCertPath already exist and the directory owner is HwHiAiUser.)
      /usr/local/Ascend/driver/tools/kmsagent -c /var/kmsagentd/kmsagent.conf -k /var/kmsagentd/kmsconf.ksf -s SERVER_FOR_CFS -n TlsCertPath -v ${directory of HwHiAiUser}
      /usr/local/Ascend/driver/tools/kmsagent -c /var/kmsagentd/kmsagent.conf -k /var/kmsagentd/kmsconf.ksf -s SERVER_FOR_CFS -n TlsBackupCertPath -v ${directory of HwHiAiUser}
    3. Download the CA certificate of the device certificate used by Crypto_fs. The path cannot be in any TlsCertPath directory. {path-to-rsa.trust.pem} is used as an example. The file must be accessible only to the user that runs KMSAgent (for example, HwHiAiUser) and must not be readable or writable by other users. Run the following command to configure the path:
      /usr/local/Ascend/driver/tools/kmsagent -c /var/kmsagentd/kmsagent.conf -k /var/kmsagentd/kmsconf.ksf -s SERVER_FOR_CFS -n CaPath -v {path-to-rsa.trust.pem}
      Example:
      # /usr/local/Ascend/driver/tools/kmsagent -c /var/kmsagentd/kmsagent.conf -k /var/kmsagentd/kmsconf.ksf -s SERVER_FOR_CFS -n CaPath -v /home/HwHiAiUser/cfs_ca_path/cfsca.pem
      Modify config successfully. 
    4. Run the following command to configure the IP address and port number used by the AI-VAULT service:
      /usr/local/Ascend/driver/tools/kmsagent -c /var/kmsagentd/kmsagent.conf -k /var/kmsagentd/kmsconf.ksf -s CLIENT_FOR_AIVAULT -n ConnectIP -v ${ip}
      /usr/local/Ascend/driver/tools/kmsagent -c /var/kmsagentd/kmsagent.conf -k /var/kmsagentd/kmsconf.ksf -s CLIENT_FOR_AIVAULT -n ConnectPort -v ${port}
    5. Change the paths of TlsCertPath and TlsBackupCertPath under CLIENT_FOR_AIVAULT in the configuration file. (Skip this step if the directories specified by TlsCertPath and TlsBackupCertPath already exist and the directory owner is HwHiAiUser.)
      /usr/local/Ascend/driver/tools/kmsagent -c /var/kmsagentd/kmsagent.conf -k /var/kmsagentd/kmsconf.ksf -s CLIENT_FOR_AIVAULT -n TlsCertPath -v ${directory of HwHiAiUser}
      /usr/local/Ascend/driver/tools/kmsagent -c /var/kmsagentd/kmsagent.conf -k /var/kmsagentd/kmsconf.ksf -s CLIENT_FOR_AIVAULT -n TlsBackupCertPath -v ${directory of HwHiAiUser}
    6. Configure the path of the CA certificate corresponding to the device certificate used by AI-VAULT. The path cannot be in any TlsCertPath directory. {path-to-rsa.trust.pem} is used as an example. The file must be accessible only to the user that runs KMSAgent (for example, HwHiAiUser) and must not be readable or writable by other users. Run the following command:
      /usr/local/Ascend/driver/tools/kmsagent -c /var/kmsagentd/kmsagent.conf -k /var/kmsagentd/kmsconf.ksf -s CLIENT_FOR_AIVAULT -n CaPath -v {path-to-rsa.trust.pem}
  3. Start the KMSAgent service to make the configuration file take effect.
    npu-smi set -t key-manage -s start
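
The path rules in the procedure above can be checked before the service is started. The following is an added example, not part of the vendor tooling: the function names check_distinct and check_ca are hypothetical, it assumes GNU readlink and stat, and it reads the "must be different" rule as meaning that no Crypto_fs certificate directory may also be used by AI-VAULT.

```shell
#!/bin/sh
# Added example (not vendor code): pre-flight checks for the kmsagent.conf
# path rules. All paths and the expected owner are supplied by the caller.

# Resolve symlinks and ".." so that an overlap cannot be hidden by aliasing.
canon() { readlink -f -- "$1"; }

# check_distinct CFS_CERT CFS_BACKUP AIV_CERT AIV_BACKUP
# Fails if a SERVER_FOR_CFS directory is also used by CLIENT_FOR_AIVAULT.
check_distinct() {
    rc=0
    for cfs in "$1" "$2"; do
        for aiv in "$3" "$4"; do
            if [ "$(canon "$cfs")" = "$(canon "$aiv")" ]; then
                echo "FAIL: $cfs is shared by Crypto_fs and AI-VAULT" >&2
                rc=1
            fi
        done
    done
    return $rc
}

# check_ca CA_FILE OWNER TLS_CERT_DIR...
# Fails if the CA file lies inside one of the given TlsCertPath directories,
# is not owned by OWNER, or grants any permission to group or others.
check_ca() {
    ca=$(canon "$1"); owner=$2; shift 2
    rc=0
    [ -f "$ca" ] || { echo "FAIL: $ca is not a regular file" >&2; return 1; }
    for dir in "$@"; do
        case "$ca" in
            "$(canon "$dir")"/*) echo "FAIL: $ca is inside $dir" >&2; rc=1 ;;
        esac
    done
    [ "$(stat -c %U "$ca")" = "$owner" ] ||
        { echo "FAIL: $ca is not owned by $owner" >&2; rc=1; }
    # %A prints e.g. -rw-------; the last six characters are group and others.
    case "$(stat -c %A "$ca")" in
        ????------) ;;
        *) echo "FAIL: $ca is accessible to group or others" >&2; rc=1 ;;
    esac
    return $rc
}
```

Call check_distinct with the four directories configured under SERVER_FOR_CFS and CLIENT_FOR_AIVAULT, and check_ca once per CaPath value with HwHiAiUser as the owner; both return non-zero and print the violated rule on failure.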