
Enabling TLS Authentication on the Client

  • This procedure is required only in separated deployment mode and needs to be performed on compute nodes where BoostIO is deployed. To enable TLS authentication, enable it for all compute nodes in the BoostIO cluster.
  • TLS authentication must be enabled or disabled on all clients and servers in the cluster. Otherwise, the connection fails.
  • When multiple users access the BoostIO service, they can use different certificates, but the certificates must be issued by the same CA.

Prerequisites

BoostIO has been installed. This section uses the installation directory /opt as an example. Ensure that the required files listed in Table 1 are ready.

Table 1 Files required for enabling TLS authentication on the client (file: description)

  • CA file: Self-signed certificate in PEM (*.pem) format. It can be used to issue other certificates.
  • CRL file: Lists revoked certificates. This file is in PEM (*.crl) format and is optional. If there is no revoked certificate, this file is not required.
  • Client certificate: A certificate in PEM chain (*.pem) format issued by the CA. It must be within the validity period.
  • Private key file of the client certificate: This file must correspond to the client certificate and be in PEM encrypted (*.pem) format. The installation user needs to know the password of the private key file.
  • seceasy_encrypt file: Encryption tool. This file is in the /opt/boostio/bin directory.

Procedure

  1. Create a directory for the encrypted repository.

    A user can use multiple certificates. This step is required only when the first client certificate is prepared; later certificate preparations by the same user reuse the same directory.

    1. Each user requires a private directory for the encrypted repository. You can create a directory in the home directory and set the permission on the new directory to 0700 to prevent access from other users.
      mkdir ~/crypt_repo
      chmod 0700 ~/crypt_repo
    2. Copy the seceasy_encrypt file to the created directory, set the permission to 0500, and ensure that you have the execute permission.
      cp /opt/boostio/bin/seceasy_encrypt ~/crypt_repo/
      chmod 0500 ~/crypt_repo/seceasy_encrypt
  2. Generate an encrypted password file.

    To prevent the leakage of the private key password of the client certificate, encrypt the password and save the encrypted password in a file for the client process to use.

    1. Go to the encrypted repository directory and run the following commands:
      cd ~/crypt_repo/
      ./seceasy_encrypt --encrypt 1 2
    2. Input the private key password.
      please input the password to encrypt {Private key password}
      please input the password to encrypt again {Private key password}
      encrypted: {Base64-Encoded-Data}

      After you input the same private key password twice in a row, the encryption tool outputs the Base64-encoded ciphertext.

    3. Save the encrypted password file.

      Copy the generated data and save it to a new file as the password ciphertext file.

      echo "{Base64-Encoded-Data}" > clientkeypass.path
    4. After the encryption is complete, the root key files are generated. The tools directory under the current directory contains the master root key file ksfa (tools/pmt/master/ksfa) and the standby root key file ksfb (tools/pmt/standby/ksfb). The paths to these two files are required in step 4.
      Figure 1 Root key files
  3. Save the prepared CA file, CRL file (optional), client certificate file, and private key file of the client certificate to a user directory, for example, ~/certs.
  4. Invoke the initialization interface. For details, see "API Reference > BioInitialize" in the Kunpeng BoostKit 24.0.RC5 Big Data BoostIO API Reference.
    Parameters related to TLS:
    uint8_t enableTls;                      /* Security option. If this parameter is set to a value other than 0, TLS authentication is enabled. */
    char certificationPath[PATH_MAX + 1];   /* Client certificate path, for example, ~/certs/clientcert.pem */
    char caCerPath[PATH_MAX + 1];           /* CA certificate path, for example, ~/certs/cacert.pem */
    char caCrlPath[PATH_MAX + 1];           /* CRL file path, for example, ~/certs/cacrl.crl */
    char privateKeyPath[PATH_MAX + 1];      /* Path to the private key of the client certificate, for example, ~/certs/clientkey.pem */
    char privateKeyPassword[PATH_MAX + 1];  /* Path to the private key password file of the client certificate, for example, ~/crypt_repo/clientkeypass.path */
    char hseKfsMasterPath[PATH_MAX + 1];    /* Path to the master root key of the private key password of the client certificate, for example, ~/crypt_repo/tools/pmt/master/ksfa */
    char hseKfsStandbyPath[PATH_MAX + 1];   /* Path to the standby root key of the private key password of the client certificate, for example, ~/crypt_repo/tools/pmt/standby/ksfb */
  5. Set the environment variable.

    The following environment variable is required for the client to use the TLS function. Set it before starting the client process.

    export HSECEASY_PATH=/opt/boostio/lib
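The following pre-flight check is an added example and is not part of the BoostIO documentation or product. It verifies, before the client process is started, that steps 1 to 5 above left the expected artefacts in place with the permissions the procedure prescribes: the private repository (0700), the copied seceasy_encrypt (0500), a single-line Base64 ciphertext in clientkeypass.path, the ksfa/ksfb root key files, the CA and client certificate files, an encrypted (not plaintext) PEM private key, and an exported HSECEASY_PATH. The file names (clientkeypass.path, tools/pmt/master/ksfa, tools/pmt/standby/ksfb, cacert.pem, clientcert.pem, clientkey.pem) are the ones used in the steps above; the function names and the checks themselves are this example's own assumptions, and the certificate validity check simply calls openssl when it is available.

```shell
#!/bin/sh
# Pre-flight check for the BoostIO TLS client setup (added example, not
# BoostIO's own tooling). Run it as the installation user after step 5.

# Print the octal permission bits of a file (GNU stat first, BSD stat fallback).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# check_mode PATH EXPECTED: fail when PATH is missing or its mode differs.
check_mode() {
    if [ ! -e "$1" ]; then
        echo "missing: $1" >&2
        return 1
    fi
    mode=$(file_mode "$1")
    if [ "$mode" != "$2" ]; then
        echo "wrong permissions on $1: $mode (expected $2)" >&2
        return 1
    fi
    return 0
}

# check_file PATH: fail when PATH is absent or empty.
check_file() {
    if [ ! -s "$1" ]; then
        echo "missing or empty: $1" >&2
        return 1
    fi
    return 0
}

# check_boostio_tls_client REPO_DIR CERT_DIR
#   REPO_DIR: the per-user encrypted repository from step 1 (e.g. ~/crypt_repo)
#   CERT_DIR: the directory holding CA, CRL, client cert and key from step 3
# Returns 0 when every prerequisite of steps 1 to 5 is satisfied, 1 otherwise.
check_boostio_tls_client() {
    repo=$1
    certs=$2
    status=0

    # Step 1: private repository (0700) and the copied encryption tool (0500).
    check_mode "$repo" 700 || status=1
    check_mode "$repo/seceasy_encrypt" 500 || status=1

    # Step 2: the ciphertext file must hold one line of Base64, never a plaintext password.
    if check_file "$repo/clientkeypass.path"; then
        if ! grep -Eq '^[A-Za-z0-9+/]+={0,2}$' "$repo/clientkeypass.path"; then
            echo "clientkeypass.path does not contain a single Base64 line" >&2
            status=1
        fi
    else
        status=1
    fi
    # Root key files written by the tool; their paths go into hseKfsMasterPath/hseKfsStandbyPath (step 4).
    check_file "$repo/tools/pmt/master/ksfa" || status=1
    check_file "$repo/tools/pmt/standby/ksfb" || status=1

    # Step 3: CA file and client certificate (the CRL file is optional, so it is not checked).
    check_file "$certs/cacert.pem" || status=1
    if check_file "$certs/clientcert.pem"; then
        if ! grep -q 'BEGIN CERTIFICATE' "$certs/clientcert.pem"; then
            echo "clientcert.pem is not a PEM certificate" >&2
            status=1
        # Validity period check, only when openssl is installed on the node.
        elif command -v openssl >/dev/null 2>&1 &&
             ! openssl x509 -noout -checkend 0 -in "$certs/clientcert.pem" >/dev/null 2>&1; then
            echo "clientcert.pem is expired or not yet valid" >&2
            status=1
        fi
    else
        status=1
    fi
    # The private key must be an encrypted PEM: both the PKCS#8 header
    # ("ENCRYPTED PRIVATE KEY") and the legacy header ("Proc-Type: 4,ENCRYPTED")
    # carry the word ENCRYPTED; a plaintext key is rejected.
    if check_file "$certs/clientkey.pem"; then
        if ! grep -q 'ENCRYPTED' "$certs/clientkey.pem"; then
            echo "clientkey.pem is not an encrypted PEM private key" >&2
            status=1
        fi
    else
        status=1
    fi

    # Step 5: HSECEASY_PATH must be exported and point at an existing directory.
    if [ -z "$HSECEASY_PATH" ] || [ ! -d "$HSECEASY_PATH" ]; then
        echo "HSECEASY_PATH is unset or not a directory (expected e.g. /opt/boostio/lib)" >&2
        status=1
    fi

    return $status
}

# Usage: check_boostio_tls_client ~/crypt_repo ~/certs && echo "TLS client prerequisites OK"
```

The check reports every failing item rather than stopping at the first one, so a node that was only partially prepared can be fixed in one pass; the 0700/0500 comparisons are exact because any extra group or world bits on the repository would expose the ciphertext and root key files to other local users.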