A-Tune/add-FAQ-and-self-signature-certificate-manufacturing.patch

186 lines
7.8 KiB

From d14414365e8fa9590e46b63a29754fb29f81778c Mon Sep 17 00:00:00 2001
From: gaoruoshu <gaoruoshu@huawei.com>
Date: Wed, 16 Feb 2022 14:41:47 +0800
Subject: [PATCH] add FAQ and self signature certificate manufacturing
---
Documentation/UserGuide/A-Tune-User-Guide.md | 70 ++++++++++++++++++
...50\346\210\267\346\214\207\345\215\227.md" | 72 +++++++++++++++++++
2 files changed, 142 insertions(+)
diff --git a/Documentation/UserGuide/A-Tune-User-Guide.md b/Documentation/UserGuide/A-Tune-User-Guide.md
index cd99cd4..cbb9d66 100644
--- a/Documentation/UserGuide/A-Tune-User-Guide.md
+++ b/Documentation/UserGuide/A-Tune-User-Guide.md
@@ -1235,6 +1235,12 @@ Perform tuning.
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
```
+**Q4: The atuned or atune-engine service cannot be started, and the message "Startup failed. Please provide the authentication certificate." is displayed.**
+
+**Cause:** Missing the certificate file during communication. The default communication protocol of REST APIs in the atuned or atune-engine service is HTTPS.
+
+**Solution:** Providing the certificate file issued by the authority and saving it to the corresponding configuration directory. The default certificate directory of the atuned service is /etc/atuned/rest_certs/, and the default certificate directory of the atune-engine service is /etc/atuned/engine_certs/. You can also change the default certificate directory and certificate file name in the atuned.cnf and engine.cnf files under the /etc/atuned/ directory. For the development and commissioning environment, you can also make self-service signature certificate by following section 5.2.
+
# 5 Appendixes
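Review bot: The Solution paragraph of the new Q4 entry is not phrased as an instruction ("Providing the certificate file issued by the authority and saving it to ..."); suggest "Provide a certificate file issued by a trusted CA and save it to the corresponding configuration directory." In the last sentence, "make self-service signature certificate" should read "create a self-signed certificate", matching the section it points to, and it is worth saying plainly that a certificate made that way is only for the development and commissioning environment named here, because clients cannot validate it against any trusted root. Consider also quoting the configuration keys in atuned.cnf and engine.cnf that hold the certificate path and file name, so the reader can find them without guessing.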
@@ -1248,3 +1254,67 @@ Perform tuning.
| profile | Set of optimization items and optimal parameter configuration. |
+## 5.2 Self-signature Certificate Manufacturing Method
+
+### 5.2.1 Creating a Certificate Directory
+
+```shell
+CERT_PATH=demo
+mkdir $CERT_PATH
+```
+
+### 5.2.2 Generating the RSA Key Pair for the CA
+
+```shell
+openssl genrsa -out $CERT_PATH/ca.key 2048
+```
+
+### 5.2.3 Generating the CA Root Certificate
+
+```shell
+openssl req -new -x509 -days 3650 -subj "/CN=ca" -key $CERT_PATH/ca.key -out $CERT_PATH/ca.crt
+```
+
+### 5.2.4 Generating the Server Certificate
+
+```shell
+# The IP address can be changed according to the actual situation.
+IP_ADDR=localhost
+openssl genrsa -out $CERT_PATH/server.key 2048
+cp /etc/pki/tls/openssl.cnf $CERT_PATH
+if test $IP_ADDR == localhost; then
+ echo "[SAN]\nsubjectAltName=DNS:$IP_ADDR" >> $CERT_PATH/openssl.cnf
+ echo "subjectAltName=DNS:$IP_ADDR" > $CERT_PATH/extfile.cnf
+else
+ echo "[SAN]\nsubjectAltName=IP:$IP_ADDR" >> $CERT_PATH/openssl.cnf
+ echo "subjectAltName=IP:$IP_ADDR" > $CERT_PATH/extfile.cnf
+fi
+openssl req -new -subj "/CN=$IP_ADDR" -config $CERT_PATH/openssl.cnf \
+ -key $CERT_PATH/server.key -out $CERT_PATH/server.csr
+openssl x509 -req -sha256 -CA $CERT_PATH/ca.crt -CAkey $CERT_PATH/ca.key -CAcreateserial -days 3650 \
+ -extfile $CERT_PATH/extfile.cnf -in $CERT_PATH/server.csr -out $CERT_PATH/server.crt
+rm -rf $CERT_PATH/*.srl $CERT_PATH/*.csr $CERT_PATH/*.cnf
+```
+
+### 5.2.5 Generating the Client Certificate
+
+```shell
+# The IP address can be changed according to the actual situation.
+IP_ADDR=localhost
+openssl genrsa -out $CERT_PATH/client.key 2048
+cp /etc/pki/tls/openssl.cnf $CERT_PATH
+if test $IP_ADDR == localhost; then
+ echo "[SAN]\nsubjectAltName=DNS:$IP_ADDR" >> $CERT_PATH/openssl.cnf
+ echo "subjectAltName=DNS:$IP_ADDR" > $CERT_PATH/extfile.cnf
+else
+ echo "[SAN]\nsubjectAltName=IP:$IP_ADDR" >> $CERT_PATH/openssl.cnf
+ echo "subjectAltName=IP:$IP_ADDR" > $CERT_PATH/extfile.cnf
+fi
+openssl req -new -subj "/CN=$IP_ADDR" -config $CERT_PATH/openssl.cnf \
+ -key $CERT_PATH/client.key -out $CERT_PATH/client.csr
+openssl x509 -req -sha256 -CA $CERT_PATH/ca.crt -CAkey $CERT_PATH/ca.key -CAcreateserial -days 3650 \
+ -extfile $CERT_PATH/extfile.cnf -in $CERT_PATH/client.csr -out $CERT_PATH/client.crt
+rm -rf $CERT_PATH/*.srl $CERT_PATH/*.csr $CERT_PATH/*.cnf
+```
+
+
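Review bot: In 5.2.4 and 5.2.5 the lines `echo "[SAN]\nsubjectAltName=DNS:$IP_ADDR" >> $CERT_PATH/openssl.cnf` depend on echo expanding `\n`, which bash's builtin echo does not do without `-e` (and POSIX leaves it unspecified), so the copied openssl.cnf receives one literal line `[SAN]\nsubjectAltName=DNS:localhost`. The `openssl req -new ... -config $CERT_PATH/openssl.cnf` call never selects that section (no `-reqexts SAN`), and the SAN that actually lands in server.crt and client.crt comes from `-extfile $CERT_PATH/extfile.cnf`, so the `cp /etc/pki/tls/openssl.cnf $CERT_PATH`, both `>> $CERT_PATH/openssl.cnf` appends and the `-config` option are dead code and can be removed; if the `[SAN]` section is meant to stay, write it with `printf` instead. Further, `test $IP_ADDR == localhost` uses the non-POSIX `==`; `=` works in sh and bash alike. The client step is the server step copied verbatim, including a `subjectAltName` carrying the server's address, which is harmless but misleading on a client certificate; a comment should say what the server actually checks on the client side. The heading "Self-signature Certificate Manufacturing Method" reads more naturally as "Creating Self-Signed Certificates". Finally, `ca.key` can sign any certificate atuned will accept, so the text should tell the reader to restrict its mode (for example `chmod 600`) and keep it out of the /etc/atuned/rest_certs/ and /etc/atuned/engine_certs/ directories that the services read.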
diff --git "a/Documentation/UserGuide/A-Tune\347\224\250\346\210\267\346\214\207\345\215\227.md" "b/Documentation/UserGuide/A-Tune\347\224\250\346\210\267\346\214\207\345\215\227.md"
index 59b25e0..064708c 100644
--- "a/Documentation/UserGuide/A-Tune\347\224\250\346\210\267\346\214\207\345\215\227.md"
+++ "b/Documentation/UserGuide/A-Tune\347\224\250\346\210\267\346\214\207\345\215\227.md"
@@ -1247,6 +1247,15 @@ evaluations :
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
```
+**问题4atuned或atune-engine服务无法启动提示“Startup failed. Please provide the authentication certificate.”。**
+
+**原因:** atuned或atune-engine服务中的REST API默认通信协议为https通信中缺少证书文件
+
+**解决方法:** 用户提供权威机构签发的证书文件并放入对应的配置目录下其中atuned服务的默认证书>目录为/etc/atuned/rest_certs/atune-engine服务的默认证书目录为/etc/atuned/engine_certs/,也可
+以通过/etc/atuned/目录下的atuned.cnf和engine.cnf配置文件修改默认证书目录和证书文件名。对于开发
+调试环境也可以通过5.2节方法制作的自签名证书进行服务通信。
+
+
# 5 附录
## 5.1 术语和缩略语
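Review bot: The 解决方法 line of the new 问题4 entry contains a stray `>` inside "默认证书>目录" that will be rendered as text; remove it. The same paragraph is hard-wrapped mid-sentence across three lines (after "也可" and "对于开发"), which Markdown will join with spaces inside the CJK text; keep it on one line as the English entry does. The question heading as shown lacks a separator after "问题4", unlike "Q4:" in the English entry, and the 原因 sentence runs "https" directly into "通信中缺少证书文件" without punctuation; both should be fixed so the two language versions stay in sync.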
@@ -1258,3 +1267,66 @@ evaluations :
| profile | 优化项集合,最佳的参数配置 |
+## 5.2 自签名证书制作方法
+
+### 5.2.1 证书目录创建
+
+```shell
+CERT_PATH=demo
+mkdir $CERT_PATH
+```
+
+### 5.2.2 生成CA的RSA密钥对
+
+```shell
+openssl genrsa -out $CERT_PATH/ca.key 2048
+```
+
+### 5.2.3 生成CA根证书
+
+```shell
+openssl req -new -x509 -days 3650 -subj "/CN=ca" -key $CERT_PATH/ca.key -out $CERT_PATH/ca.crt
+```
+
+### 5.2.4 生成服务器证书
+
+```shell
+# ip地址可以根据实际情况修改
+IP_ADDR=localhost
+openssl genrsa -out $CERT_PATH/server.key 2048
+cp /etc/pki/tls/openssl.cnf $CERT_PATH
+if test $IP_ADDR == localhost; then
+ echo "[SAN]\nsubjectAltName=DNS:$IP_ADDR" >> $CERT_PATH/openssl.cnf
+ echo "subjectAltName=DNS:$IP_ADDR" > $CERT_PATH/extfile.cnf
+else
+ echo "[SAN]\nsubjectAltName=IP:$IP_ADDR" >> $CERT_PATH/openssl.cnf
+ echo "subjectAltName=IP:$IP_ADDR" > $CERT_PATH/extfile.cnf
+fi
+openssl req -new -subj "/CN=$IP_ADDR" -config $CERT_PATH/openssl.cnf \
+ -key $CERT_PATH/server.key -out $CERT_PATH/server.csr
+openssl x509 -req -sha256 -CA $CERT_PATH/ca.crt -CAkey $CERT_PATH/ca.key -CAcreateserial -days 3650 \
+ -extfile $CERT_PATH/extfile.cnf -in $CERT_PATH/server.csr -out $CERT_PATH/server.crt
+rm -rf $CERT_PATH/*.srl $CERT_PATH/*.csr $CERT_PATH/*.cnf
+```
+
+### 5.2.5 生成客户端证书
+
+```shell
+# ip地址可以根据实际情况修改
+IP_ADDR=localhost
+openssl genrsa -out $CERT_PATH/client.key 2048
+cp /etc/pki/tls/openssl.cnf $CERT_PATH
+if test $IP_ADDR == localhost; then
+ echo "[SAN]\nsubjectAltName=DNS:$IP_ADDR" >> $CERT_PATH/openssl.cnf
+ echo "subjectAltName=DNS:$IP_ADDR" > $CERT_PATH/extfile.cnf
+else
+ echo "[SAN]\nsubjectAltName=IP:$IP_ADDR" >> $CERT_PATH/openssl.cnf
+ echo "subjectAltName=IP:$IP_ADDR" > $CERT_PATH/extfile.cnf
+fi
+openssl req -new -subj "/CN=$IP_ADDR" -config $CERT_PATH/openssl.cnf \
+ -key $CERT_PATH/client.key -out $CERT_PATH/client.csr
+openssl x509 -req -sha256 -CA $CERT_PATH/ca.crt -CAkey $CERT_PATH/ca.key -CAcreateserial -days 3650 \
+ -extfile $CERT_PATH/extfile.cnf -in $CERT_PATH/client.csr -out $CERT_PATH/client.crt
+rm -rf $CERT_PATH/*.srl $CERT_PATH/*.csr $CERT_PATH/*.cnf
+```
+
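Review bot: The same shell defects as in the English 5.2.4/5.2.5 appear here: `echo "[SAN]\nsubjectAltName=DNS:$IP_ADDR" >> $CERT_PATH/openssl.cnf` writes a literal `\n` under bash's builtin echo, and the `[SAN]` section is never referenced by `openssl req -new` (no `-reqexts SAN`), so the `cp /etc/pki/tls/openssl.cnf $CERT_PATH`, the two `>> $CERT_PATH/openssl.cnf` appends and the `-config` option are dead code; the SAN reaching server.crt and client.crt comes from `-extfile $CERT_PATH/extfile.cnf`. `test $IP_ADDR == localhost` should use `=`. The client block duplicates the server block including a server-style `subjectAltName`, which is unnecessary for a client certificate. Whatever fix is applied here should be applied identically to the English section so the two guides do not drift.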
--
2.30.0