Configuring NVSM Security
This chapter explains how to secure the NVSM API installation.
Overview of NVSM Security
NVSM APIs are served over HTTPS. HTTPS requires the NVSM API server to hold a public-private key pair and a certificate that it presents to connecting clients. That certificate must be signed by a certificate authority (CA) using the CA's private key; clients validate the presented certificate against the CA certificate they trust.
For proper security, this certificate and key must be provided by the user. NVIDIA cannot provide them, because:
The private key must be known only to the user, and must not be known to NVIDIA, and
NVIDIA is not a certificate authority.
So that the NVSM software stack works out of the box, the installation process creates sample key pairs and certificates. These certificates carry dummy values for country, organization, organizational unit, and so on, because the installer has no way of knowing them. The generated CA certificate is also self-signed, so no client can meaningfully verify it. These sample certificates must NOT be used in a production environment.
NVSM allows you to supply your own key pairs and certificates, with correct values, signed by a CA that your clients trust. Details of key generation and certificate chains are beyond the scope of this document; however, the example setup below shows how NVSM can be configured with customer-provided or customer-generated keys and certificates.
What You Need to Configure NVSM Security
To configure NVSM security, you need the following three files, either obtained from a CA provider or generated locally, copied to a location on the system that the NVSM service can read.
X.509 certificate for the NVSM REST server
Example path and filename:
/pki/node1.crt
Private key file corresponding to the above certificate
Example path and filename:
/pki/node1.key
The certificate of the CA that issued the above certificate
Example path and filename:
/pki/ca.crt
How to generate or obtain these certificates and keys is beyond the scope of this document, since they must comply with the overall security architecture of the data center. In the simplest form, you might use the OpenSSL command-line tool to generate your own CA, certificate chain, and keys. You may prefer to obtain them from a public CA such as https://letsencrypt.org/, which is practical only if the NVSM host has a publicly resolvable name and you can complete the CA's domain-validation challenge for it. Whichever route you take, restrict the private key file so that only the account running NVSM can read it.
How to Configure NVSM Security
Edit the NVSM configuration file so that it points at your certificate files and key file.
Edit the ca_cert, https_cert, and https_priv_key configuration parameters to specify the paths and filenames that NVSM shall use. The following uses the example paths and filenames:
"ca_cert":"/pki/ca.crt",
"https_cert":"/pki/node1.crt",
"https_priv_key":"/pki/node1.key",
Restart the NVSM service.
$ sudo systemctl restart nvsm
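The following script is an added example that walks through the whole procedure above, and is not part of the NVSM documentation or NVIDIA's tooling. It assumes OpenSSL is installed, builds a throwaway private CA (a stand-in for your data center's CA) that issues a server certificate for an assumed hostname node1.example.com, writes a minimal configuration fragment containing only the three parameters named above (the real NVSM configuration file contains other settings and its path is not stated on this page, so the example defaults to a temporary file), and then verifies what NVSM will need at startup: the three files exist, the private key is not readable by other users, the key matches the certificate, and the certificate chains to ca_cert and is valid for the host's name. All file names and the hostname are example values.

```shell
#!/bin/sh
# Added example (not NVSM's own code). Requires the openssl CLI.
set -eu

# Build a private CA and a server certificate signed by it.
# $1 = output directory, $2 = fully qualified hostname of the NVSM node (assumed example value).
make_pki() {
  dir="$1"; fqdn="$2"
  mkdir -p "$dir"
  # CA key and self-signed CA certificate (stand-in for your data-center CA).
  openssl genrsa -out "$dir/ca.key" 2048 2>/dev/null
  openssl req -new -key "$dir/ca.key" -out "$dir/ca.csr" \
    -subj "/C=US/O=Example Corp/OU=Datacenter PKI/CN=Example Private CA" 2>/dev/null
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\nsubjectKeyIdentifier=hash\n' > "$dir/ca.ext"
  openssl x509 -req -in "$dir/ca.csr" -signkey "$dir/ca.key" -days 3650 \
    -extfile "$dir/ca.ext" -out "$dir/ca.crt" 2>/dev/null
  # Server key and CSR for the node.
  openssl genrsa -out "$dir/node1.key" 2048 2>/dev/null
  openssl req -new -key "$dir/node1.key" -out "$dir/node1.csr" \
    -subj "/C=US/O=Example Corp/OU=DGX/CN=$fqdn" 2>/dev/null
  # Server-cert extensions: TLS clients match the hostname against the SAN, not the CN.
  printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:%s\nauthorityKeyIdentifier=keyid,issuer\n' "$fqdn" > "$dir/node1.ext"
  openssl x509 -req -in "$dir/node1.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
    -days 825 -extfile "$dir/node1.ext" -out "$dir/node1.crt" 2>/dev/null
  # Private keys must be readable only by their owner (the account running NVSM).
  chmod 0600 "$dir/ca.key" "$dir/node1.key"
}

# Write a stand-in configuration fragment holding only the three parameters from this chapter.
# In a real deployment you edit these keys in NVSM's existing configuration file instead.
# $1 = config file path, $2 = directory holding ca.crt, node1.crt, node1.key.
write_config() {
  printf '{\n  "ca_cert":"%s/ca.crt",\n  "https_cert":"%s/node1.crt",\n  "https_priv_key":"%s/node1.key"\n}\n' \
    "$2" "$2" "$2" > "$1"
}

# Read a string-valued parameter out of the JSON-style config ($1 = file, $2 = key).
cfg_get() {
  sed -n "s/.*\"$2\"[[:space:]]*:[[:space:]]*\"\([^\"]*\)\".*/\1/p" "$1" | head -n 1
}

# Verify the configured files the way a client connecting to NVSM would. Returns 0 on success,
# 1 with a message on the first failure. $1 = config file, $2 = hostname clients will connect to.
check_pki() {
  cfg="$1"; fqdn="$2"
  ca=$(cfg_get "$cfg" ca_cert)
  cert=$(cfg_get "$cfg" https_cert)
  key=$(cfg_get "$cfg" https_priv_key)
  for f in "$ca" "$cert" "$key"; do
    if [ ! -r "$f" ]; then echo "missing or unreadable: $f"; return 1; fi
  done
  # Key must not be group- or world-readable (columns 5-10 of ls -l are the group/other bits).
  if [ "$(ls -l "$key" | cut -c5-10)" != "------" ]; then
    echo "private key $key is readable by group/other"; return 1
  fi
  # The certificate's public key must be the one belonging to https_priv_key.
  if [ "$(openssl x509 -in "$cert" -noout -pubkey)" != "$(openssl pkey -in "$key" -pubout)" ]; then
    echo "https_cert and https_priv_key do not match"; return 1
  fi
  # The certificate must chain to ca_cert and be valid for the name clients use.
  if ! openssl verify -CAfile "$ca" -verify_hostname "$fqdn" "$cert" >/dev/null 2>&1; then
    echo "$cert does not verify against $ca for host $fqdn"; return 1
  fi
  echo "ok: $cert valid for $fqdn, signed by $(openssl x509 -in "$ca" -noout -subject)"
  return 0
}

# Stand-alone demo: everything goes into a temporary directory instead of /pki.
WORK=$(mktemp -d)
make_pki "$WORK" node1.example.com
write_config "$WORK/nvsm.config" "$WORK"   # NVSM_CONFIG path is an assumption, see lead-in
check_pki "$WORK/nvsm.config" node1.example.com
rm -rf "$WORK"
```

After copying the real files to /pki and editing the actual NVSM configuration file, run the same check against it before restarting the service; a mismatch between https_cert and https_priv_key, or a certificate that does not chain to ca_cert, is exactly what NVSM or its clients would otherwise reject after the restart.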