Configuring NVSM Security

This chapter shows how to secure the NVSM API installation.

Overview of NVSM Security

NVSM APIs are served using the HTTPS protocol. HTTPS requires the NVSM API server to possess a public-private key pair as well as a certificate that it presents to connecting clients. The certificate also needs to be signed by a certificate authority (CA) using the private key of that CA.

For proper security, this certificate and key must be provided by the user. NVIDIA cannot provide them because

  • The private key should be known only to the user, and not to NVIDIA, and

  • NVIDIA is not a Certificate Authority

To allow the NVSM software stack to work right out of the box, the installation process creates sample key pairs and certificates. These certificates are created with placeholder values for country, organization, organizational unit, etc., because the installation does not have these details. Also, the generated CA certificate is self-signed. These sample certificates must NOT be used in a production environment.

NVSM allows you to provide your own key pairs and certificates with correct values that are properly signed by a trusted CA. Details of key generation and certificate chains are beyond the scope of this document. However, the example setup below shows how NVSM can be configured with customer-provided or customer-generated keys and certificates.

What You Need to Configure NVSM Security

To configure NVSM security, you need the following, either copied from a CA provider or generated locally and copied to a location on the system.

  • X.509 certificate for the NVSM REST server

    Example path and filename: /pki/node1.crt

  • Private key file corresponding to the above certificate

    Example path and filename: /pki/node1.key

  • The certificate of the CA that issued the above certificate

    Example path and filename: /pki/ca.crt

An explanation of how to generate or obtain these certificates and keys is beyond the scope of this document, since they have to comply with the overall security architecture of the data center. In the simplest form, users might use tools such as OpenSSL to generate their own certificate chain and keys. You may prefer to use free services such as https://letsencrypt.org/ to acquire them.

How to Configure NVSM Security

  1. Edit the NVSM configuration file to use the paths and filenames of your certificate files and key file.

    Edit the ca_cert, https_cert, and https_priv_key configuration parameters to specify the paths and filenames that NVSM shall use. The following uses the example paths and filenames from above.

    "ca_cert":"/pki/ca.crt",
    "https_cert":"/pki/node1.crt",
    "https_priv_key":"/pki/node1.key",

  2. Restart the NVSM service.

    $ sudo systemctl restart nvsm
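The following script is an added example for this chapter; it is not part of the NVSM documentation or NVIDIA's tooling. It ties together the OpenSSL route mentioned under "What You Need" and steps 1 and 2 above: it builds a lab certificate chain in the three-file layout the chapter uses (ca.crt, node1.crt, node1.key), runs the checks a practitioner wants before pointing ca_cert, https_cert, and https_priv_key at the files (the chain verifies for the server's hostname, the key belongs to the certificate, the key is not readable by group or others), and prints the three configuration lines from step 1. It assumes the openssl command-line tool is installed; the directory ./lab-pki, the hostname nvsm-node1.example.com, and the NVSM_PKI_DEMO and NVSM_HOST environment variables are placeholders chosen for this example. The self-signed CA it creates is for a lab only.

```shell
#!/bin/sh
# Added example, not NVIDIA's code. Builds a lab chain with OpenSSL in the
# layout used by the NVSM chapter (ca.crt, node1.crt, node1.key) and checks
# it before NVSM is configured. Assumes the openssl CLI; directory, hostname
# and environment variable names below are placeholders chosen here.

# make_lab_chain DIR HOST
# Creates a self-signed CA and a CA-signed server certificate for HOST in DIR.
# A self-signed CA is acceptable only for a lab; in production the server
# certificate comes from the CA your data-center security architecture trusts.
make_lab_chain() {
  local dir host
  dir=$1; host=$2
  mkdir -p "$dir" || return 1

  # 1. CA key and self-signed CA certificate with explicit CA extensions, so
  #    'openssl verify' accepts it as a trust anchor on every OpenSSL version.
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$dir/ca.key" 2>/dev/null || return 1
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
    > "$dir/ca.ext"
  openssl req -new -key "$dir/ca.key" -subj "/CN=Lab NVSM CA" \
    -out "$dir/ca.csr" 2>/dev/null || return 1
  openssl x509 -req -in "$dir/ca.csr" -signkey "$dir/ca.key" -days 365 -sha256 \
    -extfile "$dir/ca.ext" -out "$dir/ca.crt" 2>/dev/null || return 1

  # 2. Server key, CSR, and CA-signed certificate. The SAN must be the name
  #    clients use to reach the NVSM API, or TLS clients will reject it.
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$dir/node1.key" 2>/dev/null || return 1
  printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:%s\n' \
    "$host" > "$dir/node1.ext"
  openssl req -new -key "$dir/node1.key" -subj "/CN=$host" \
    -out "$dir/node1.csr" 2>/dev/null || return 1
  openssl x509 -req -in "$dir/node1.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
    -CAcreateserial -days 365 -sha256 -extfile "$dir/node1.ext" \
    -out "$dir/node1.crt" 2>/dev/null || return 1

  # 3. Private keys are secrets: owner-only permissions, no leftover inputs.
  chmod 600 "$dir/ca.key" "$dir/node1.key" || return 1
  rm -f "$dir/ca.csr" "$dir/node1.csr" "$dir/ca.ext" "$dir/node1.ext"
}

# check_nvsm_pki DIR HOST
# Checks to run before editing ca_cert / https_cert / https_priv_key.
# Prints one line per check and returns non-zero if any check fails.
check_nvsm_pki() {
  local dir host rc crt_spki key_spki mode
  dir=$1; host=$2; rc=0
  # Chain and hostname: would a client trusting ca.crt accept node1.crt for HOST?
  if openssl verify -CAfile "$dir/ca.crt" -verify_hostname "$host" \
       "$dir/node1.crt" >/dev/null 2>&1; then
    echo "ok:   node1.crt chains to ca.crt and is valid for $host"
  else
    echo "FAIL: node1.crt does not verify against ca.crt for $host"; rc=1
  fi
  # Key/certificate pairing: compare SHA-256 of the SubjectPublicKeyInfo on both sides.
  crt_spki=$(openssl x509 -in "$dir/node1.crt" -noout -pubkey \
             | openssl pkey -pubin -outform DER | openssl dgst -sha256)
  key_spki=$(openssl pkey -in "$dir/node1.key" -pubout -outform DER \
             | openssl dgst -sha256)
  if [ -n "$crt_spki" ] && [ "$crt_spki" = "$key_spki" ]; then
    echo "ok:   node1.key matches the public key in node1.crt"
  else
    echo "FAIL: node1.key does not match node1.crt"; rc=1
  fi
  # Key exposure: the https_priv_key file must not be group- or world-accessible.
  mode=$(ls -l "$dir/node1.key" | cut -c1-10)
  if [ "${mode#????}" = "------" ]; then
    echo "ok:   node1.key is owner-only ($mode)"
  else
    echo "FAIL: node1.key is accessible by group/others ($mode)"; rc=1
  fi
  return $rc
}

# render_nvsm_config_fragment DIR
# Prints the three parameters from step 1 of the chapter for files in DIR.
render_nvsm_config_fragment() {
  printf '"ca_cert":"%s/ca.crt",\n"https_cert":"%s/node1.crt",\n"https_priv_key":"%s/node1.key",\n' \
    "$1" "$1" "$1"
}

# Demo run (only when NVSM_PKI_DEMO=1): build ./lab-pki for the host in
# NVSM_HOST, check it, and print the configuration lines for the NVSM config file.
if [ "${NVSM_PKI_DEMO:-}" = 1 ]; then
  make_lab_chain ./lab-pki "${NVSM_HOST:-nvsm-node1.example.com}" &&
  check_nvsm_pki ./lab-pki "${NVSM_HOST:-nvsm-node1.example.com}" &&
  render_nvsm_config_fragment "$(pwd)/lab-pki"
fi
```

Run it as `NVSM_PKI_DEMO=1 NVSM_HOST=<api hostname> sh nvsm-pki.sh`, then copy only ca.crt, node1.crt, and node1.key to the location you put in the configuration (the chapter's example uses /pki) and restart NVSM as in step 2. For production, replace make_lab_chain with a certificate issued by the CA your data center trusts and keep check_nvsm_pki: the permissions check matters because anyone who can read https_priv_key can impersonate the NVSM API server, so the key should be readable only by the account NVSM runs as, and the sample certificates created at installation should be removed rather than left beside the real ones.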