
Configuring the Global Cache TLS

  1. Go to the certificate script directory.
    cd /opt/certtool/certificate

    The KMC encryption and decryption libraries are required. Ensure that the related RPM packages have been installed on the server or client.

    • Install the following Global Cache RPM package on the server:
      rpm -ivh boostkit-globalcache-release-1.3.15.oe1.aarch64.rpm

    • Install the following Global Cache RPM package on the client:
      In the ARM environment:
      rpm -ivh boostkit-globalcache-ceph-adaptor-release-1.3.15.oe1.aarch64.rpm

      In the x86 environment:
      rpm -ivh boostkit-globalcache-ceph-adaptor-release-1.3.15.oe1.x86_64.rpm

  2. Modify the agent_node_list file and delete the comments in the file.

    The content format in the agent_node_list file is as follows:

    IPaddress globalcacheop

    If there are multiple server and client nodes, enter one IP address and the user (globalcacheop) per line, one line for each node. All nodes must be listed.

    Example:
    1.1.1.1 globalcacheop
    1.1.1.2 globalcacheop
    1.1.1.3 globalcacheop
    1.1.1.4 globalcacheop
  3. Modify the CA_node_list file and delete the comments in the file.

    The CA_node_list file contains only CA node information. Its format is as follows:

    IPaddress globalcacheop
    Example:
    1.1.1.5 globalcacheop
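The certificate tool reads the two node list files as plain "IPaddress user" lines, so a leftover comment, a typo in an address or a node listed twice is easiest to catch before cert_manager.sh runs. The following check is an added example and not part of the Global Cache certificate tool: it validates a node list file against the format described in steps 2 and 3. The file names and the user globalcacheop come from the procedure; the sample lists written by write_sample_lists are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not part of the Global Cache certificate tool: checks that
# agent_node_list and CA_node_list are in the "<IP address> <user>" format,
# with comment lines removed and no IP address listed twice.

# valid_ipv4 ADDRESS: succeed only for four dotted decimal octets in 0-255
valid_ipv4() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# check_node_list FILE [USER]: print one diagnostic per problem, return 0 if the file is clean
check_node_list() {
    file=$1; expected_user=${2:-globalcacheop}
    rc=0; lineno=0; seen=' '
    [ -r "$file" ] || { echo "$file: cannot read file" >&2; return 1; }
    while IFS= read -r line || [ -n "$line" ]; do
        lineno=$((lineno + 1))
        set -f; set -- $line; set +f        # split the line into fields without globbing
        [ $# -eq 0 ] && continue            # blank line
        case "$1" in
            '#'*) echo "$file:$lineno: comment line must be deleted" >&2; rc=1; continue ;;
        esac
        [ $# -eq 2 ] || { echo "$file:$lineno: expected '<IP address> <user>', got '$line'" >&2; rc=1; continue; }
        ip=$1; user=$2
        valid_ipv4 "$ip" || { echo "$file:$lineno: '$ip' is not a valid IPv4 address" >&2; rc=1; }
        [ "$user" = "$expected_user" ] || { echo "$file:$lineno: user must be $expected_user, not '$user'" >&2; rc=1; }
        case "$seen" in
            *" $ip "*) echo "$file:$lineno: duplicate IP address $ip" >&2; rc=1 ;;
        esac
        seen="$seen$ip "
    done < "$file"
    return $rc
}

# write_sample_lists DIR: constructed sample files (not real node addresses):
# two clean lists in the documented format and one with the usual mistakes
write_sample_lists() {
    printf '%s\n' '1.1.1.1 globalcacheop' '1.1.1.2 globalcacheop' \
        '1.1.1.3 globalcacheop' '1.1.1.4 globalcacheop' > "$1/agent_node_list"
    printf '%s\n' '1.1.1.5 globalcacheop' > "$1/CA_node_list"
    printf '%s\n' '# agent nodes' '1.1.1.1 globalcacheop' '1.1.1.1 globalcacheop' \
        '256.1.1.1 globalcacheop' '1.1.1.9 root' > "$1/broken_node_list"
}

demo_dir=$(mktemp -d)
write_sample_lists "$demo_dir"
check_node_list "$demo_dir/agent_node_list"  && echo "agent_node_list: OK"
check_node_list "$demo_dir/CA_node_list"     && echo "CA_node_list: OK"
check_node_list "$demo_dir/broken_node_list" || echo "broken_node_list: fix the problems listed above"
rm -rf "$demo_dir"
```

Run it against the real files with check_node_list agent_node_list and check_node_list CA_node_list from /opt/certtool/certificate; a non-zero exit means cert_manager.sh would be fed a malformed list.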
  4. View the common_var.sh file and modify the variable values based on the features of the CA server. Pay attention to the following variables:

    Variable           Description
    -----------------  ------------------------------------------------
    CERT_BASE_DIR      Root directory of the CA certificate.
    PRIVATE_KEY_DIR    Directory of the CA private key.
    PUBLIC_KEY_DIR     Directory of the CA public key.
    CERT_DIR           Directory of the CA server device certificate.
    CSR_DIR            Directory of CA server certificate requests.
    CA_CERT_FILE       File name of the root certificate.
    AGENT_CERT_FILE    File name of the device certificate.


  5. Run cert_manager.sh.
    sh cert_manager.sh [ops_type] [ops_user] [run_user] [agent_node_list] [CA_node_list] [make_req/fetch_cert]

    Parameters in the command are described as follows:

    Parameter            Description
    -------------------  ----------------------------------------------------------------------
    ops_type             create_cert indicates that a certificate is created. update_key
                         indicates that no certificate is created and only the KMC key is
                         updated.
    ops_user             Operation user.
    run_user             Run user.
    agent_node_list      List of the nodes for which certificates are created
                         (the agent_node_list file).
    CA_node_list         List of the root certificate node (the CA_node_list file).
    make_req/fetch_cert  The make_req option indicates that the node generates a certificate
                         request and sends it to the specified directory on the CA server.
                         The fetch_cert option indicates that the node obtains the device
                         certificate and root certificate from the CA server.

    Generate a certificate request for the device node (perform this step on the selected server).
    sh cert_manager.sh create_cert globalcacheop globalcacheop agent_node_list CA_node_list make_req

    Enter the passwords of the operation user, agent, and CA account, and the encryption password. Each password must contain a minimum of six characters, including letters, digits, and special characters.

    Enter OPS user password: # Password of the operation user
    Enter Agent password: # Password of the agent node account (must be the same password)
    Enter CA password: # Password of the CA node account
    Enter Password: # Encryption password (enter for the first time)
    ******
    Verifying - Enter Password: # Encryption password (enter for the second time)
    ******
  6. On the CA node, issue the device node certificate based on the CSR file of the device node. (Perform this step on your root certificate server.)

    If the test is performed based on Configuring the Certificate Authority, run the following command on the CA server to generate a certificate.

    openssl ca -in /opt/gcache/secure/CACerts/csr/${agentip}.agent.csr -out /opt/gcache/secure/CACerts/certs/${agentip}.agent.crt -days 3650 -config /opt/gcache/secure/CACerts/openssl.cnf
    # Replace ${agentip} with the actual agent IP address.

    You need to generate a certificate for each node IP address. The password is the one generated in 3.

  7. Obtain the device certificate and root certificate from the root certificate node, and enter the passwords of the operation user, agent, and CA O&M account.
    sh cert_manager.sh create_cert globalcacheop globalcacheop agent_node_list CA_node_list fetch_cert

    Enter the passwords of the operation user, agent, and CA account and the encryption password. The password requirement is the same as that in step 7. After the execution is complete, the files required for security purposes are generated.

    • The /opt/gcache/secure/Certs directory is generated on the nodes listed in the agent_node_list file. The directory has the following files:

      File          Description
      ------------  ---------------------------------
      agent.crt     Node certificate file
      agent.self    Private key of the node
      agent.common  Public key of the node
      ca.crt        CA certificate file
      identity.ks   Private key password of the node

    • The /opt/gcache/secure/kmc directory is generated on the nodes listed in the agent_node_list file. The directory has the following files:

      File            Description
      --------------  -------------------------
      kmc.primary.ks  Primary root key of KMC
      kmc.standby.ks  Standby root key of KMC


      • The passwords and public/private keys generated using the certificate tool meet Huawei security requirements. However, to ensure long-term security of the user environment, you are advised to periodically update related files.
      • By default, the TLS function is enabled in the configuration file. If the TLS function is disabled, security risks arise.
      • The certificate tool is not responsible for generating and issuing the root certificate. You need to process the root certificate by yourself.
      • Certificate management is based on the default OpenSSL version of openEuler. You need to pay attention to certificate-related vulnerabilities of OpenSSL.
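Because the root certificate is issued outside the certificate tool (step 6 runs openssl ca on the CA node, and step 7 copies agent.crt and ca.crt to each node), it is worth confirming on each node that the device certificate actually chains to ca.crt, names the node it was issued for, and is not close to expiry. The following check is an added example and not part of the Global Cache certificate tool or of Huawei's documentation. It uses only standard openssl subcommands; the file names and the /opt/gcache/secure/Certs layout come from the procedure, while make_demo_certs builds a constructed throw-away CA so the check can be tried without the real tree.

```shell
#!/bin/sh
# Added example, not part of the Global Cache certificate tool: verifies a
# device certificate against the root certificate after step 6 (on the CA
# node, /opt/gcache/secure/CACerts/certs/<agentip>.agent.crt) or after step 7
# (on each node, /opt/gcache/secure/Certs/agent.crt and ca.crt).

# verify_agent_cert CA_CERT AGENT_CERT AGENT_IP [MIN_DAYS]: return 0 only if all checks pass
verify_agent_cert() {
    ca_crt=$1; agent_crt=$2; agent_ip=$3; min_days=${4:-30}
    # 1. chain: the device certificate must validate against the root certificate
    openssl verify -CAfile "$ca_crt" "$agent_crt" >/dev/null 2>&1 ||
        { echo "$agent_crt: does not chain to $ca_crt" >&2; return 1; }
    # 2. identity: the subject CN or a subjectAltName entry must carry the node IP
    ip_re=$(printf '%s' "$agent_ip" | sed 's/\./\\./g')
    openssl x509 -in "$agent_crt" -noout -text |
        grep -Eq "(CN ?= ?|IP Address:)$ip_re(,|$)" ||
        { echo "$agent_crt: not issued for $agent_ip" >&2; return 1; }
    # 3. lifetime: fail if the certificate expires within MIN_DAYS days, so renewal
    #    is scheduled instead of discovered as a TLS outage
    openssl x509 -in "$agent_crt" -noout -checkend $((min_days * 86400)) >/dev/null ||
        { echo "$agent_crt: expires within $min_days days" >&2; return 1; }
    return 0
}

# make_demo_certs DIR: constructed stand-in for steps 5 and 6 (a throw-away root CA
# signs a CSR for node 1.1.1.1) plus an unrelated CA for the negative case.
# The real CA uses openssl ca with its own openssl.cnf; x509 -req is used here
# only to keep the demo self-contained.
make_demo_certs() {
    dir=$1
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$dir/ca.key" -out "$dir/ca.crt" \
        -subj '/CN=Demo Root CA' -days 2 >/dev/null 2>&1
    openssl req -newkey rsa:2048 -nodes -keyout "$dir/agent.key" -out "$dir/1.1.1.1.agent.csr" \
        -subj '/CN=1.1.1.1' >/dev/null 2>&1
    openssl x509 -req -in "$dir/1.1.1.1.agent.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -CAcreateserial -out "$dir/1.1.1.1.agent.crt" -days 2 >/dev/null 2>&1
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$dir/other.key" -out "$dir/other.crt" \
        -subj '/CN=Unrelated CA' -days 2 >/dev/null 2>&1
}

demo_dir=$(mktemp -d)
make_demo_certs "$demo_dir"
verify_agent_cert "$demo_dir/ca.crt" "$demo_dir/1.1.1.1.agent.crt" 1.1.1.1 1 \
    && echo "1.1.1.1: device certificate OK"
verify_agent_cert "$demo_dir/other.crt" "$demo_dir/1.1.1.1.agent.crt" 1.1.1.1 1 \
    || echo "unrelated CA: rejected as expected"
rm -rf "$demo_dir"
```

On a node configured by step 7 the call is verify_agent_cert /opt/gcache/secure/Certs/ca.crt /opt/gcache/secure/Certs/agent.crt <node IP>; the identity match is a substring check on the CN and IP-address SAN entries, so it accepts either form the CA may have used.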