Interconnecting with a User Management Platform
Bidirectional certificate authentication must be performed between the external interfaces of MEF Center and a third-party platform.
- Exchange the root certificates of MEF Center and the third-party management platform. cert-manager must be started on MEF Center before the certificates can be exchanged. Run the following command to exchange certificates:
Installation_path/MEF-Center/mef-center/run.sh exchangeca -export_path Path_of_the_MEF_root_certificate_file -import_path Root_certificate_file_path_of_a_management_platform
- If the root certificate of the third-party management platform needs to be updated after the interconnection, run the certificate exchange command again and then restart nginx-manager on MEF Center. For details, see Restarting MEF Center.
- It is recommended that the validity period of the root certificate be greater than the certificate alarm detection period (the default value is 7).
- If the root certificate is imported repeatedly, the previously imported certificate is backed up.
Table 1 exchangeca parameters
-export_path/--export_path
  Path of the MEF root certificate file, which is used by the third-party module to authenticate MEF Center. The path must include the file name, must be an absolute path, and must not point to an existing file.
-import_path/--import_path
  Path of the root certificate file of the management platform, which is used by MEF Center to authenticate the third-party module. The path must include the file name and must be an absolute path. Either a single certificate or a certificate chain of at most 10 levels is supported.
The root certificate of a management platform must meet the following requirements:
- The certificate must be in PEM format.
- The signature on the root CA certificate must be correct.
- The root CA certificate must be valid (within its validity period).
- The certificate must be an X.509v3 digital certificate. For a root CA, the "Basic Constraints" extensions must be "CA", and the "Key Usage" extensions must contain the "Certificate Signature".
- The key must use the RSA algorithm with at least 3072 bits, or ECDSA with at least 256 bits. The digest algorithm must be SHA256, SHA384, or SHA512.
- The directory in export_path must not contain soft links. The path length must be less than 4096 characters, the number of directory levels must be less than 99, the owner must be root, and users in the same group and other users must not have the write permission.
- The owner of the file specified by export_path must be root. Users in the same group and other users must not have the write permission on the file, and the file size cannot exceed 1 MB.
- The file specified by import_path must exist and its owner must be root. Users in the same group and other users must not have the write permission on the file, and the file size cannot exceed 1 MB.
- If the following information is displayed or the command returns 0, the operation is successful.
exchange certs successful
- If the following information is displayed or the command returns 4, cert-manager has not been initialized yet. Exchange the certificates again after cert-manager is initialized.
the root ca has not yet generated, please start cert manager first
exchange certs failed
- Call the version query API to check the interconnection result. If the API call succeeds, the interconnection is successful.
https://{ip}:{port}/edgemanager/v1/version
For details about the API, see Querying the edge-manager Version.
After the certificate exchange succeeds, wait one second before checking the interconnection result.
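The following Python pre-flight check is an added example, not part of this document or of MEF Center's own tooling. It applies the export_path and import_path path, owner, permission, size and chain-length requirements listed above to candidate paths before exchangeca is run, so a rejected command can be diagnosed in advance. It assumes that "owner must be root" means UID 0 (the owner_uid parameter exists only so the check can be exercised as a non-root user) and that the directory rules apply to both paths; it does not parse the certificate itself, so the X.509v3, key-size and digest requirements still have to be verified with a tool such as openssl.

```python
import os
import re
import stat

# Limits taken from the exchangeca parameter description on this page.
MAX_FILE_BYTES, MAX_PATH_LEN, MAX_DIR_LEVELS, MAX_CHAIN_LEVELS = 1024 * 1024, 4096, 99, 10
PEM_BLOCK = re.compile(r"-----BEGIN CERTIFICATE-----.+?-----END CERTIFICATE-----", re.S)
GROUP_OTHER_WRITE = stat.S_IWGRP | stat.S_IWOTH  # "users in the same group and other users do not have the write permission"

def _check_directory(path, owner_uid, problems):
    """Directory rules: absolute path, length/depth limits, no soft links, expected owner, no group/other write."""
    if not os.path.isabs(path):
        problems.append("path is not absolute")
    if len(path) >= MAX_PATH_LEN or path.count(os.sep) >= MAX_DIR_LEVELS:
        problems.append("path is too long or has too many directory levels")
    parent, prefix = os.path.dirname(path), ""
    for part in parent.split(os.sep):  # walk every component of the directory and reject soft links
        prefix = os.path.join(prefix, part) if prefix else (part or os.sep)
        if os.path.islink(prefix):
            problems.append(f"{prefix} is a soft link")
    st = os.stat(parent) if os.path.isdir(parent) else None
    if st is None or st.st_uid != owner_uid or st.st_mode & GROUP_OTHER_WRITE:
        problems.append("directory is missing, not owned by the expected user, or group/other writable")

def check_export_path(path, owner_uid=0):
    """export_path: directory rules apply and the target file must not already exist."""
    problems = []
    _check_directory(path, owner_uid, problems)
    if os.path.lexists(path):
        problems.append("export file already exists")
    return problems

def check_import_path(path, owner_uid=0):
    """import_path: directory rules, plus an existing file of at most 1 MB holding 1..10 PEM certificates."""
    problems = []
    _check_directory(path, owner_uid, problems)
    if not os.path.isfile(path):
        return problems + ["import file does not exist"]
    st = os.stat(path)
    if st.st_uid != owner_uid or st.st_mode & GROUP_OTHER_WRITE:
        problems.append("file is not owned by the expected user or is group/other writable")
    if st.st_size > MAX_FILE_BYTES:
        problems.append("file is larger than 1 MB")
    with open(path, errors="replace") as fh:
        blocks = PEM_BLOCK.findall(fh.read())
    if not blocks:
        problems.append("file holds no PEM certificate")
    elif len(blocks) > MAX_CHAIN_LEVELS:
        problems.append("certificate chain has more than 10 levels")
    return problems
```

An empty list from either function means the path satisfies the checks this script covers; any entry names the requirement that exchangeca would reject.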
Follow-up Procedure
For details about how to obtain the root certificate information of a third-party management platform, see Obtaining the Certificate Information of the Integrator.