Public Key Infrastructure

A Public Key Infrastructure (PKI) is used to secure Remote Procedure Calls (RPC) between hosts. In this infrastructure:

  • The Controller host knows which public server keys reside on each Worker host.
  • Each Worker host knows which public keys can contact that host from the Controller host (or Shadow Controller, if platform HA is enabled).

This feature manifests itself in the following ways:

  • Adding a Worker using the Agent: If you are adding a new Worker host using the agent as described in Agent-Based Kubernetes Host Installation, then you must copy the file /opt/bluedata/keys/authorized_keys from the Controller host to the same location on the new Worker host after installing the agent, and with the same owner/group, permissions, and SELinux context. See Kubernetes Worker Installation Overview. This is not needed for Gateway hosts. Copying the authorized_keys file is not necessary for Gateway hosts.
  • Non-agent based Worker installation: /opt/bluedata/keys/authorized_keys will be securely transmitted to the Worker host using the credentials given for the Worker-add process. See Kubernetes Worker Installation Overview, Gateway Installation Tab. No manual action is needed for the keys.
NOTE
When PKI is used, the Details column of the Installation screen will include a Fingerprint column that displays an MD5 sum such as f7:60:1f:45:fb:a7:e4:47:82:e2:38:19:a3:ff:08:bd for each Worker host. This is the MD5 fingerprint contained in the file /opt/bluedata/keys/ssh_host_rsa_key.pub on the Worker host. This allows the Platform Administrator to confirm that they are adding the correct Worker host. You can verify this MD5 fingerprint by logging in to the Worker host and then executing the command ssh-keygen -E md5 -lf /opt/bluedata/keys/ssh_host_rsa_key.pub, followed by comparing the returned value to that displayed in the Details column.
CAUTION
Clicking Install means that you trust that you are installing HPE Ezmeral Runtime Enterprise on the correct, intended worker host.