From d14414365e8fa9590e46b63a29754fb29f81778c Mon Sep 17 00:00:00 2001
From: gaoruoshu <gaoruoshu@huawei.com>
Date: Wed, 16 Feb 2022 14:41:47 +0800
Subject: [PATCH] add FAQ and self signature certificate manufacturing
---
Documentation/UserGuide/A-Tune-User-Guide.md | 70 ++++++++++++++++++
...50\346\210\267\346\214\207\345\215\227.md" | 72 +++++++++++++++++++
2 files changed, 142 insertions(+)
diff --git a/Documentation/UserGuide/A-Tune-User-Guide.md b/Documentation/UserGuide/A-Tune-User-Guide.md
index cd99cd4..cbb9d66 100644
--- a/Documentation/UserGuide/A-Tune-User-Guide.md
+++ b/Documentation/UserGuide/A-Tune-User-Guide.md
@@ -1235,6 +1235,12 @@ Perform tuning.
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
```
+**Q4: The atuned or atune-engine service cannot be started, and the message "Startup failed. Please provide the authentication certificate." is displayed.**
+
+**Cause:** Missing the certificate file during communication. The default communication protocol of REST APIs in the atuned or atune-engine service is HTTPS.
+
+**Solution:** Providing the certificate file issued by the authority and saving it to the corresponding configuration directory. The default certificate directory of the atuned service is /etc/atuned/rest_certs/, and the default certificate directory of the atune-engine service is /etc/atuned/engine_certs/. You can also change the default certificate directory and certificate file name in the atuned.cnf and engine.cnf files under the /etc/atuned/ directory. For the development and commissioning environment, you can also make self-service signature certificate by following section 5.2.
+
# 5 Appendixes
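Review bot: The Solution paragraph of Q4 names the certificate directories (/etc/atuned/rest_certs/ and /etc/atuned/engine_certs/) but not which files each service expects there, so a reader who follows section 5.2 ends up with ca.crt, server.* and client.* in a demo directory and no instruction on what to copy where or under which names. Suggest listing the expected file names or pointing at the relevant keys in atuned.cnf and engine.cnf. Wording: "Missing the certificate file" and "Providing the certificate file" read better as "The certificate file is missing" and "Provide a certificate file", and "make self-service signature certificate" should be "create a self-signed certificate".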
@@ -1248,3 +1254,67 @@ Perform tuning.
| profile | Set of optimization items and optimal parameter configuration. |
+## 5.2 Self-signature Certificate Manufacturing Method
+
+### 5.2.1 Creating a Certificate Directory
+
+```shell
+CERT_PATH=demo
+mkdir $CERT_PATH
+```
+
+### 5.2.2 Generating the RSA Key Pair for the CA
+
+```shell
+openssl genrsa -out $CERT_PATH/ca.key 2048
+```
+
+### 5.2.3 Generating the CA Root Certificate
+
+```shell
+openssl req -new -x509 -days 3650 -subj "/CN=ca" -key $CERT_PATH/ca.key -out $CERT_PATH/ca.crt
+```
+
+### 5.2.4 Generating the Server Certificate
+
+```shell
+# The IP address can be changed according to the actual situation.
+IP_ADDR=localhost
+openssl genrsa -out $CERT_PATH/server.key 2048
+cp /etc/pki/tls/openssl.cnf $CERT_PATH
+if test $IP_ADDR == localhost; then
+ echo "[SAN]\nsubjectAltName=DNS:$IP_ADDR" >> $CERT_PATH/openssl.cnf
+ echo "subjectAltName=DNS:$IP_ADDR" > $CERT_PATH/extfile.cnf
+else
+ echo "[SAN]\nsubjectAltName=IP:$IP_ADDR" >> $CERT_PATH/openssl.cnf
+ echo "subjectAltName=IP:$IP_ADDR" > $CERT_PATH/extfile.cnf
+fi
+openssl req -new -subj "/CN=$IP_ADDR" -config $CERT_PATH/openssl.cnf \
+ -key $CERT_PATH/server.key -out $CERT_PATH/server.csr
+openssl x509 -req -sha256 -CA $CERT_PATH/ca.crt -CAkey $CERT_PATH/ca.key -CAcreateserial -days 3650 \
+ -extfile $CERT_PATH/extfile.cnf -in $CERT_PATH/server.csr -out $CERT_PATH/server.crt
+rm -rf $CERT_PATH/*.srl $CERT_PATH/*.csr $CERT_PATH/*.cnf
+```
+
+### 5.2.5 Generating the Client Certificate
+
+```shell
+# The IP address can be changed according to the actual situation.
+IP_ADDR=localhost
+openssl genrsa -out $CERT_PATH/client.key 2048
+cp /etc/pki/tls/openssl.cnf $CERT_PATH
+if test $IP_ADDR == localhost; then
+ echo "[SAN]\nsubjectAltName=DNS:$IP_ADDR" >> $CERT_PATH/openssl.cnf
+ echo "subjectAltName=DNS:$IP_ADDR" > $CERT_PATH/extfile.cnf
+else
+ echo "[SAN]\nsubjectAltName=IP:$IP_ADDR" >> $CERT_PATH/openssl.cnf
+ echo "subjectAltName=IP:$IP_ADDR" > $CERT_PATH/extfile.cnf
+fi
+openssl req -new -subj "/CN=$IP_ADDR" -config $CERT_PATH/openssl.cnf \
+ -key $CERT_PATH/client.key -out $CERT_PATH/client.csr
+openssl x509 -req -sha256 -CA $CERT_PATH/ca.crt -CAkey $CERT_PATH/ca.key -CAcreateserial -days 3650 \
+ -extfile $CERT_PATH/extfile.cnf -in $CERT_PATH/client.csr -out $CERT_PATH/client.crt
+rm -rf $CERT_PATH/*.srl $CERT_PATH/*.csr $CERT_PATH/*.cnf
+```
+
+
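Review bot: In 5.2.4 and 5.2.5 the line `echo "[SAN]\nsubjectAltName=DNS:$IP_ADDR" >> $CERT_PATH/openssl.cnf` does not do what it appears to: bash's builtin echo does not expand `\n` without -e, so a single literal line is appended instead of a section header followed by a key, and the `openssl req` call never selects a SAN section (no -reqexts), so the appended text is unused either way. The SAN in the issued certificate comes only from extfile.cnf through -extfile. Suggest removing the two appends to openssl.cnf, or writing the section with printf and passing -reqexts SAN so the CSR carries it. Separately, ca.key, server.key and client.key are created with the default umask and the section gives no guidance on restricting their permissions or on where ca.key should be kept after signing, and the server and client certificates are issued with identical extensions, so nothing marks one of them as a client certificate.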
diff --git "a/Documentation/UserGuide/A-Tune\347\224\250\346\210\267\346\214\207\345\215\227.md" "b/Documentation/UserGuide/A-Tune\347\224\250\346\210\267\346\214\207\345\215\227.md"
index 59b25e0..064708c 100644
--- "a/Documentation/UserGuide/A-Tune\347\224\250\346\210\267\346\214\207\345\215\227.md"
+++ "b/Documentation/UserGuide/A-Tune\347\224\250\346\210\267\346\214\207\345\215\227.md"
@@ -1247,6 +1247,15 @@ evaluations :
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
```
+**问题4:atuned或atune-engine服务无法启动,提示“Startup failed. Please provide the authentication certificate.”。**
+
+**原因:** atuned或atune-engine服务中的REST API默认通信协议为https,通信中缺少证书文件
+
+**解决方法:** 用户提供权威机构签发的证书文件并放入对应的配置目录下,其中atuned服务的默认证书>目录为/etc/atuned/rest_certs/,atune-engine服务的默认证书目录为/etc/atuned/engine_certs/,也可
+以通过/etc/atuned/目录下的atuned.cnf和engine.cnf配置文件修改默认证书目录和证书文件名。对于开发
+调试环境也可以通过5.2节方法制作的自签名证书进行服务通信。
+
+
# 5 附录
## 5.1 术语和缩略语
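Review bot: The added 解决方法 paragraph contains a stray `>` inside "默认证书>目录" and is hard-wrapped in the middle of sentences ("也可" / "以通过", "开发" / "调试环境"), which Markdown renders as spaces inside the Chinese text. Suggest removing the `>` and joining the three lines into one. The 原因 sentence also lacks a closing "。", and this hunk adds two blank lines before "# 5 附录" where the English hunk adds one.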
@@ -1258,3 +1267,66 @@ evaluations :
| profile | 优化项集合,最佳的参数配置 |
+## 5.2 自签名证书制作方法
+
+### 5.2.1 证书目录创建
+
+```shell
+CERT_PATH=demo
+mkdir $CERT_PATH
+```
+
+### 5.2.2 生成CA的RSA密钥对
+
+```shell
+openssl genrsa -out $CERT_PATH/ca.key 2048
+```
+
+### 5.2.3 生成CA根证书
+
+```shell
+openssl req -new -x509 -days 3650 -subj "/CN=ca" -key $CERT_PATH/ca.key -out $CERT_PATH/ca.crt
+```
+
+### 5.2.4 生成服务器证书
+
+```shell
+# ip地址可以根据实际情况修改
+IP_ADDR=localhost
+openssl genrsa -out $CERT_PATH/server.key 2048
+cp /etc/pki/tls/openssl.cnf $CERT_PATH
+if test $IP_ADDR == localhost; then
+ echo "[SAN]\nsubjectAltName=DNS:$IP_ADDR" >> $CERT_PATH/openssl.cnf
+ echo "subjectAltName=DNS:$IP_ADDR" > $CERT_PATH/extfile.cnf
+else
+ echo "[SAN]\nsubjectAltName=IP:$IP_ADDR" >> $CERT_PATH/openssl.cnf
+ echo "subjectAltName=IP:$IP_ADDR" > $CERT_PATH/extfile.cnf
+fi
+openssl req -new -subj "/CN=$IP_ADDR" -config $CERT_PATH/openssl.cnf \
+ -key $CERT_PATH/server.key -out $CERT_PATH/server.csr
+openssl x509 -req -sha256 -CA $CERT_PATH/ca.crt -CAkey $CERT_PATH/ca.key -CAcreateserial -days 3650 \
+ -extfile $CERT_PATH/extfile.cnf -in $CERT_PATH/server.csr -out $CERT_PATH/server.crt
+rm -rf $CERT_PATH/*.srl $CERT_PATH/*.csr $CERT_PATH/*.cnf
+```
+
+### 5.2.5 生成客户端证书
+
+```shell
+# ip地址可以根据实际情况修改
+IP_ADDR=localhost
+openssl genrsa -out $CERT_PATH/client.key 2048
+cp /etc/pki/tls/openssl.cnf $CERT_PATH
+if test $IP_ADDR == localhost; then
+ echo "[SAN]\nsubjectAltName=DNS:$IP_ADDR" >> $CERT_PATH/openssl.cnf
+ echo "subjectAltName=DNS:$IP_ADDR" > $CERT_PATH/extfile.cnf
+else
+ echo "[SAN]\nsubjectAltName=IP:$IP_ADDR" >> $CERT_PATH/openssl.cnf
+ echo "subjectAltName=IP:$IP_ADDR" > $CERT_PATH/extfile.cnf
+fi
+openssl req -new -subj "/CN=$IP_ADDR" -config $CERT_PATH/openssl.cnf \
+ -key $CERT_PATH/client.key -out $CERT_PATH/client.csr
+openssl x509 -req -sha256 -CA $CERT_PATH/ca.crt -CAkey $CERT_PATH/ca.key -CAcreateserial -days 3650 \
+ -extfile $CERT_PATH/extfile.cnf -in $CERT_PATH/client.csr -out $CERT_PATH/client.crt
+rm -rf $CERT_PATH/*.srl $CERT_PATH/*.csr $CERT_PATH/*.cnf
+```
+
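Review bot: The cleanup line `rm -rf $CERT_PATH/*.srl $CERT_PATH/*.csr $CERT_PATH/*.cnf` in 5.2.4 and 5.2.5 depends on CERT_PATH still being set from 5.2.1; if a reader runs a later section in a fresh shell the globs expand against `/`, and `mkdir $CERT_PATH` and the openssl output paths are unquoted in the same way. Suggest quoting the variable and guarding it, for example with `${CERT_PATH:?}`, and using `rm -f` since only files are removed. Also in both sections, `if test $IP_ADDR == localhost` treats every value other than the literal localhost as an IP address, so a host name would be written as an `IP:` subjectAltName, and `==` inside test is a bash extension while the fence is tagged shell; `=` is the portable form. The same points apply to the English copy of this section.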
--
2.30.0