Interconnection Programming

AI-VAULT provides a key service that the ISV platform must integrate into its own services. It offers a CLI and RESTful APIs. For details, see AI-VAULT APIs. The CLI is used to apply for AI-VAULT certificates, import certificates, and configure common parameters. These operations are performed by O&M personnel before deployment. AI-VAULT can be started after the certificate is configured.

Backend AI-VAULT Integration

  • AI-VAULT provides users with RESTful APIs that can be integrated by the ISV into the authentication module of the service interface, so that AI-VAULT APIs can be called properly.
  • All AI-VAULT API headers must contain the DomainID field, which is used to distinguish organizations, applications, or models. A maximum of 500 domains are supported. A domain ID is an integer ranging from 1 to 500. Any other value is invalid and causes an error to be reported. A maximum of 10 master keys can be created for each domain ID.
  • A certificate issued by the ISV CA is required; export the CSR from AI-VAULT to obtain it. Until the certificate is imported, the key service is not available.
  1. Add the APIs provided by AI-VAULT to the API gateway (APIGW) of the user's service to complete route forwarding and API authentication.
  2. Add the DomainID header to each AI-VAULT API (for details, see AI-VAULT APIs). The domain ID is used to classify keys and distinguish organizations, applications, or models.

Frontend AI-VAULT Integration

  • After the master key or the pre-shared key is created, the key content is returned. The key content must be saved at that point because it cannot be queried later. Prepare a frontend prompt message that tells the user this.
  • Deleting the master key or the pre-shared key is highly risky. Provide confirmation messages to prevent accidental deletion.
  • AI-VAULT limits traffic by design. If requests are sent too frequently, error code 31000022 is returned (for details, see Error Codes in the API Reference). The frontend page should display a message indicating that the system is busy and suggest that users retry later.

Add operations related to the master key and pre-shared key to the frontend pages based on the AI-VAULT key control function. The following functions are included:

  • Add the master key.

    This API is used to add a master key. You need to input a unique key name, usage, and remarks. The key is automatically downloaded to the local PC once created, and cannot be retrieved later.

  • Delete the master key.

    A button can be provided for deleting the master key. When the deletion button is clicked, the frontend should notify the user of the risk and ask the user to re-confirm the deletion.

  • Query and display the master key information.

    For the query of the master key, filtering by name, status query, and query result sorting are supported. For details about the query parameters, see the API Reference. The query result can be displayed on the frontend.

  • Create a pre-shared key.

    To create a pre-shared key, you need to enter the name, remarks, and the name of the bound master key. Then enter the password for encryption. Once created, the pre-shared key is returned to the frontend and the user is prompted to store it securely.

  • Delete the pre-shared key.

    A button can be provided for deleting the pre-shared key. When the deletion button is clicked, the frontend should notify the user of the risk and ask the user to re-confirm the deletion.

  • Query and display the information of the pre-shared key.

    For the query of the pre-shared key, filtering by name, status query, and query result sorting are supported. For details about the query parameters, see the API Reference. The query result can be displayed on the frontend.

Interconnection Between AI-VAULT and O&M

For details, see section "Installation and Deployment" in the MindX DL AI Model Protection User Guide.

  • Installation and Deployment > AI-VAULT Installation > Configuring Certificates
  • Installation and Deployment > AI-VAULT Installation > Deploying AI-VAULT
  • Installation and Deployment > AI-VAULT Installation > Network Deployment Scheme

AI-VAULT Specifications

  • KMSAgent can be deployed on a maximum of 128 compute nodes.
  • Each KMSAgent supports concurrent encryption and decryption of a maximum of 32 training or inference services.
  • A maximum of 12 concurrent API requests are supported. That is, a maximum of 12 user operation requests can be processed at the same time. When the number of user operation requests exceeds 12, they will be queued. If the queuing time exceeds 10 seconds, the requests are discarded and the error code 31000022 is returned. For details, see the section about error codes in the API Reference.
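
The following Python is an added example, not code from AI-VAULT or its documentation: a gateway-side helper that strictly validates the DomainID header (an integer from 1 to 500, as stated earlier on this page) and retries with jittered backoff when error code 31000022 comes back. The `send` callable and the `code` field of its reply are assumptions, because the request and response formats are defined in the API Reference and not on this page.

```python
import random
import re
import time

BUSY_CODE = 31000022  # rate-limit error code named on this page
# ASCII digits only: no sign, whitespace, underscore, leading zero or Unicode
# digits, all of which a bare int() call would accept or normalise silently.
_DOMAIN_RE = re.compile(r"[1-9][0-9]{0,2}")


def parse_domain_id(raw):
    """Return the DomainID header value as an int in 1..500, or raise ValueError."""
    if not isinstance(raw, str) or not _DOMAIN_RE.fullmatch(raw):
        raise ValueError("DomainID must be a plain decimal integer")
    value = int(raw)
    if not 1 <= value <= 500:
        raise ValueError("DomainID must be between 1 and 500")
    return value


def call_with_busy_retry(send, domain_id, attempts=4, base_delay=0.5,
                         sleep=time.sleep):
    """Call send(headers); retry while AI-VAULT reports that it is busy.

    `send` is a hypothetical callable supplied by the integrator. It is
    assumed to return a dict whose "code" entry holds the AI-VAULT error code.
    A busy reply means the request was discarded, so sending it again does
    not repeat an operation that already took effect.
    """
    # Validate before anything is sent, so a bad value never reaches AI-VAULT.
    headers = {"DomainID": str(parse_domain_id(str(domain_id)))}
    for attempt in range(attempts):
        reply = send(headers)
        if reply.get("code") != BUSY_CODE:
            return reply
        if attempt < attempts - 1:
            # Exponential backoff plus jitter keeps queued clients from
            # retrying in lockstep against the 12-request concurrency limit.
            sleep(base_delay * (2 ** attempt) + random.uniform(0, base_delay))
    # Still busy after all attempts: hand the frontend a message to display.
    return {"code": BUSY_CODE, "message": "System busy, please retry later."}
```

Rejecting malformed DomainID values at the gateway keeps the gateway and AI-VAULT from interpreting the same header differently, which matters because the domain ID decides which organization's keys a request touches.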