KMSAgent Related Parameters

Table 1 KMSAgent configuration file information

Columns: Level-1 Parameter | Level-2 Parameter | Description of Level-2 Parameter

SCENARIO
  • Position: The value must be aivault, indicating that the key is managed by AI-VAULT.

SERVER_FOR_CFS
  • IP: IP address used by KMSAgent to communicate with Crypto_fs. The value can only be 127.0.0.1 or an address within 172.0.0.0-172.255.255.255.
  • Port: Communication port used by KMSAgent to connect to Crypto_fs. Port range: 1024 to 65535.
  • CaPath: Path of the server root certificate used by KMSAgent when communicating with Crypto_fs. The path must exist and be accessible to user HwHiAiUser.
  • TlsVersion: Version of the TLS communication protocol. This parameter can only be set to TLSv1.3.
  • SslCipherSuites: Name of the security cipher suite. The value can be TLS_AES_256_GCM_SHA384, TLS_AES_128_GCM_SHA256, or TLS_CHACHA20_POLY1305_SHA256.
  • TlsCertPath: Path of the TLS communication certificate. The directory must exist and be accessible to user HwHiAiUser.
  • TlsBackupCertPath: Backup path of the TLS communication certificate. The directory must exist and be accessible to user HwHiAiUser.
  • CheckCertPeriod: Interval, in days, at which certificates are checked. The default period is 7 days. The value range is [1,180].
  • LastTimeForAlarm: Remaining validity period of the certificate, in days, below which an alarm is generated. The default value is 90 days. The value range is [7,180].

CLIENT_FOR_AIVAULT
  • ConnectIP: IP address used by KMSAgent to connect to AI-VAULT. The IP address can be a class A, B, or C address.
  • ConnectPort: Communication port used by KMSAgent to connect to AI-VAULT. Port range: 1024 to 65535.
  • CaPath: Path of the server root certificate used by KMSAgent when communicating with AI-VAULT. The path must exist and be accessible to user HwHiAiUser.
  • TlsVersion: Version of the TLS communication protocol. This parameter can only be set to TLSv1.3.
  • SslCipherSuites: Name of the security cipher suite. The value can be TLS_AES_256_GCM_SHA384, TLS_AES_128_GCM_SHA256, or TLS_CHACHA20_POLY1305_SHA256.
  • TlsCertPath: Path of the TLS communication certificate. The directory must exist and be accessible to user HwHiAiUser.
  • TlsBackupCertPath: Backup path of the TLS communication certificate. The directory must exist and be accessible to user HwHiAiUser.
  • CheckCertPeriod: Interval, in days, at which certificates are checked. The default period is 7 days. The value range is [1,180].
  • LastTimeForAlarm: Remaining validity period of the certificate, in days, below which an alarm is generated. The default value is 90 days. The value range is [7,180].

KMSAGENT_KEYSTORE
  • KmcMainPath: KMC keystore file A (main keystore) used while KMSAgent is running. The configured file does not have to exist, but its parent directory must exist and be accessible to user HwHiAiUser.
  • KmcBackupPath: KMC keystore file B (backup keystore) used while KMSAgent is running. The configured file does not have to exist, but its parent directory must exist and be accessible to user HwHiAiUser.

KMSAGENT_PERFORMANCE
  • AcceptCfsFrequency: Number of CFS encryption and decryption connection requests that KMSAgent accepts per second. The value ranges from 1 to 128, and the default value is 32.
  • MaxMem: KMSAgent memory limit. The minimum value is 40 MB. 0 indicates that the memory is not limited. The default value is 0.
  • WarnFdNums: Alarm threshold for the number of FDs opened by KMSAgent and CFS. When the number of open FDs reaches the configured value, an alarm is generated. The value must be greater than 500.
  • MaxFdNums: Maximum number of FDs opened by KMSAgent and CFS. When the number of open FDs reaches the configured value, a log alarm is generated and the process sleeps for 5 minutes. The value must be greater than 500.

KMSAGENT_LOG
  • UseSyslog: 1 indicates that syslog is used; the log path is /var/log/syslog (default) or /var/log/messages (when the default path does not exist). 0 indicates that the configured directories (RunLogPath, SecLogPath, and OpLogPath) are used. Default value: 1.
  • MaxLogSize: Size of a single KMSAgent log file, in bytes. The default value is 10 x 1024 x 1024. The minimum value is 512 and the maximum value is 20 x 1024 x 1024.
  • MaxLogFileNum: Number of KMSAgent log files retained. The default value is 10. Value range: 1 to 20.
  • RunLogPath: Directory for storing KMSAgent run log files. The path must exist and be readable and writable by user HwHiAiUser. The default path is the working directory.
  • SecLogPath: Directory for storing KMSAgent security log files. The path must exist and be readable and writable by user HwHiAiUser. The default path is the working directory.
  • OpLogPath: Directory for storing KMSAgent operation log files. The path must exist and be readable and writable by user HwHiAiUser. The default path is the working directory.

VERIFICATION
  • FileCheckData: Verification code of the configuration file. It cannot be changed by users.

  • You can modify AcceptCfsFrequency and MaxMem of KMSAGENT_PERFORMANCE, and MaxMem of CFS_PERFORMANCE, in kmsagent.conf to limit CFS traffic so that KMSAgent can defend against DoS attacks.

    Command:

    /usr/local/Ascend/driver/tools/kmsagent -c /var/kmsagentd/kmsagent.conf -k /var/kmsagentd/kmsconf.ksf -s KMSAGENT_PERFORMANCE -n AcceptCfsFrequency -v $CfsReceiveFrequency
    /usr/local/Ascend/driver/tools/kmsagent -c /var/kmsagentd/kmsagent.conf -k /var/kmsagentd/kmsconf.ksf -s KMSAGENT_PERFORMANCE -n MaxMem -v $KmsMaxMem
    /usr/local/Ascend/driver/tools/kmsagent -c /var/kmsagentd/kmsagent.conf -k /var/kmsagentd/kmsconf.ksf -s CFS_PERFORMANCE -n MaxMem -v $CfsMaxMem

    After running the preceding commands, restart the KMSAgent service by referring to step 4 in Modifying the Configuration File.

  • Name of the security cipher suite. TLSv1.3 is recommended, with one of the following suites:
    • TLS_AES_128_GCM_SHA256
    • TLS_AES_256_GCM_SHA384
    • TLS_CHACHA20_POLY1305_SHA256
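As an added check (example code written for this page, not part of the KMSAgent tool or its documentation): a script that reads a kmsagent.conf and reports every item that is missing or outside the limits Table 1 states for the TLS links and the DoS-related performance items. It assumes an INI-style file with the section and key names from Table 1; the embedded sample configuration is constructed, with two values deliberately out of policy.

```python
import configparser
import ipaddress
# Constructed sample kmsagent.conf (INI layout is an assumption; section and key
# names are from Table 1). SERVER_FOR_CFS Port and TlsVersion are deliberately wrong.
SAMPLE_CONF = """
[SERVER_FOR_CFS]
IP = 127.0.0.1
Port = 80
TlsVersion = TLSv1.2
SslCipherSuites = TLS_AES_256_GCM_SHA384
[CLIENT_FOR_AIVAULT]
ConnectPort = 8443
TlsVersion = TLSv1.3
SslCipherSuites = TLS_AES_128_GCM_SHA256
[KMSAGENT_PERFORMANCE]
AcceptCfsFrequency = 32
MaxMem = 0
"""
CIPHERS = {"TLS_AES_256_GCM_SHA384", "TLS_AES_128_GCM_SHA256",
           "TLS_CHACHA20_POLY1305_SHA256"}

def rng(lo, hi):                      # inclusive integer range check
    return lambda v: lo <= int(v) <= hi

# (section, key, predicate): the limits Table 1 states for each item.
RULES = [("SERVER_FOR_CFS", "IP", lambda v: v == "127.0.0.1" or
          ipaddress.ip_address(v) in ipaddress.ip_network("172.0.0.0/8")),
         ("SERVER_FOR_CFS", "Port", rng(1024, 65535)),
         ("CLIENT_FOR_AIVAULT", "ConnectPort", rng(1024, 65535)),
         ("KMSAGENT_PERFORMANCE", "AcceptCfsFrequency", rng(1, 128)),
         ("KMSAGENT_PERFORMANCE", "MaxMem", lambda v: int(v) == 0 or int(v) >= 40)]
for sec in ("SERVER_FOR_CFS", "CLIENT_FOR_AIVAULT"):   # same TLS policy on both links
    RULES += [(sec, "TlsVersion", lambda v: v == "TLSv1.3"),
              (sec, "SslCipherSuites", lambda v: v in CIPHERS)]

def check_conf(text):
    """Return 'SECTION.Key=value' for each item that is missing or outside its limits."""
    cp = configparser.ConfigParser()
    cp.optionxform = str              # keep key case exactly as written in the file
    cp.read_string(text)
    findings = []
    for section, key, ok in RULES:
        value = cp.get(section, key, fallback=None)
        try:
            good = value is not None and ok(value.strip())
        except ValueError:            # non-numeric value or malformed address
            good = False
        if not good:
            findings.append(f"{section}.{key}={value}")
    return findings
```

Running check_conf(SAMPLE_CONF) reports the CFS port and TLS version; a missing key is reported with value None.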

Table 2 KMSAgent command and parameter description

Syntax

Function

Parameter and Options

kmsagent <config_path> <config_ksf_path>

Starts the KMSAgent.

  • config_path: Configuration file path.
  • config_ksf_path: Keystore file path, which is used to verify the integrity of the configuration file.

kmsagent <-c config_path> <-k ksf_path> <-s section> <-n name> <-v value>

Modifies the KMSAgent configuration file.

  • -c, --config_path: Configuration file.
  • -k, --ksf_path: Keystore path.
  • -s, --section: Section to which a configuration item belongs.
  • -n, --name: Configuration item to be modified.
  • -v, --value: Modified value.

kmsagent ${tls} get-csr <keyAndsignAlg_param> <cert_op_param> <config_path> <config_ksf_path>

Generates the CSR.

  • tls: Certificate operation ID. The value can be tls-client or tls-cfs. tls-client indicates the operation flag of the two-way communication certificate between KMSAgent and AI-VAULT, and tls-cfs indicates the operation flag of the two-way communication certificate between KMSAgent and Crypto_fs.
  • get-csr: Flag for generating a CSR.
  • keyAndsignAlg_param: Key and signature algorithm parameter for generating the CSR file, for example, rsa:4096:sha256.
  • cert_op_param: User information parameter, for example, CN|sichuan|chengdu|Huawei|yanfabu.
  • config_path: Configuration file path.
  • config_ksf_path: Keystore file path, which is used to verify the integrity of the configuration file.

kmsagent ${tls} set-cert <cert_op_param> <config_path> <config_ksf_path>

Imports a certificate.

  • tls: Certificate operation ID. The value can be tls-client or tls-cfs. tls-client indicates the operation flag of the two-way communication certificate between KMSAgent and AI-VAULT, and tls-cfs indicates the operation flag of the two-way communication certificate between KMSAgent and Crypto_fs.
  • set-cert: Flag for importing a certificate.
  • cert_op_param: User information parameter, for example, server.pem, root_ca.pem, other_ca.pem, where server.pem is the imported certificate and root_ca.pem is used to verify the service certificate.
  • config_path: Configuration file path.
  • config_ksf_path: Keystore file path, which is used to verify the integrity of the configuration file.

kmsagent ${tls} cert-info <config_path> <config_ksf_path>

Queries a certificate.

  • tls: Certificate operation ID. The value can be tls-client or tls-cfs. tls-client indicates the operation flag of the two-way communication certificate between KMSAgent and AI-VAULT, and tls-cfs indicates the operation flag of the two-way communication certificate between KMSAgent and Crypto_fs.
  • cert-info: Flag for querying certificate information.
  • config_path: Configuration file path.
  • config_ksf_path: Keystore file path, which is used to verify the integrity of the configuration file.

kmsagent ${tls} set-crl <crl_path> <config_path> <config_ksf_path>

Imports a CRL.

  • tls: Certificate operation ID. The value can be tls-client or tls-cfs. tls-client indicates the operation flag of the two-way communication certificate between KMSAgent and AI-VAULT, and tls-cfs indicates the operation flag of the two-way communication certificate between KMSAgent and Crypto_fs.
  • set-crl: Flag for importing a CRL.
  • crl_path: Path of the CRL file.
  • config_path: Configuration file path.
  • config_ksf_path: Keystore file path, which is used to verify the integrity of the configuration file.

kmsagent [options]

Queries versions and help information.

  • -h, --help: Prints the help information.
  • -V, --version: Displays the version information.