Configuring the certificates and keys

You must configure the IBM Secure Execution (SE) certificates and keys for your worker nodes.

  1. Change to the root directory:
    $ cd /root
  2. Create your key by running the following commands:
    1. Create a directory kbs-storage to store your key by running the following commands:
      $ mkdir -p kbs/data/kbs-storage
      $ cd kbs/data/kbs-storage
    2. Create your key by running the following command:
      $ echo "mykey" > key
    3. Return to the root directory:
      $ cd /root
  3. Generate the user auth key pair by running the following commands:
    1. Create a kbs.key key by running the following command:
      $ openssl genpkey -algorithm ed25519 > kbs/kbs.key
    2. Create a kbs.pem key by running the following command:
      $ openssl pkey -in kbs/kbs.key -pubout -out kbs/kbs.pem
      Note: This user auth key pair is used to perform admin operations on Trustee using the KBS client.
  4. Generate the RSA keys:
    1. Create a directory for the RSA keys by running the following command:
      $ mkdir -p kbs/data/rsa
    2. Go to the rsa directory:
      $ pushd kbs/data/rsa
      Note: The Verifier uses this RSA key pair to decrypt additional request blobs sent by the Attestation Agent.
    3. Generate an RSA key pair by running the following command:
      $ openssl genrsa -aes256 -passout pass:<password> -out encrypt_key-psw.pem 4096 (1)
      1. Specify the RSA key password in place of <password>.
    4. Create an encrypt_key.pub key by running the following command:
      $ openssl rsa -in encrypt_key-psw.pem -passin pass:<password> -pubout -out encrypt_key.pub
    5. Create an encrypt_key.pem key by running the following command (you are prompted for the RSA key password):
      $ openssl rsa -in encrypt_key-psw.pem -out encrypt_key.pem
    6. Exit the rsa directory:
      $ popd
  5. Download the Host Key Document (HKD) certificate.
    1. Determine which Host Key Document (HKD) to download on the machine where the SE PeerPod VM is deployed.
    2. Create a machine.sh script according to the following example:
      #!/bin/bash
      MACHINE_TYPE="$(awk '/^Type:/ { print $NF }' /proc/sysinfo)"
      echo "machine type is $MACHINE_TYPE"
      MACHINE_PLANT="$(awk '/^Plant:/ { print $NF }' /proc/sysinfo)"
      echo "machine plant is $MACHINE_PLANT"
      MACHINE_SERIAL="$(awk '/^Sequence Code:/ { sub(/^0+/, "", $NF) ; print $NF }' /proc/sysinfo)"
      echo "machine serial is $MACHINE_SERIAL"
      echo "Formatted hkd is HKD-$MACHINE_TYPE-$MACHINE_PLANT$MACHINE_SERIAL.crt"
    3. Make the machine.sh script executable by running the following command:
      $ chmod +x machine.sh
    4. Run the script:
      $ ./machine.sh
      Example output
      HKD-3931-0275D38.crt
    5. Download the IBM Secure Execution Host Key Document (HKD) as described at https://www.ibm.com/docs/en/linux-on-systems?topic=execution-obtain-host-key-document
      Note: Currently, downloading directly from the portal is unavailable. Perform the following alternative steps to download the HKD.
      1. Log in to the portal.
      2. In a new tab, enter the following link, replacing <HKD> with the HKD value that the ./machine.sh script printed (for example, HKD-3931-0275D38): https://www.ibm.com/support/resourcelink/api/content/raw/hkd-public/<HKD>.crt
    6. Create a directory 'hkds' for the Host Key Document (HKD) certificate by running the following command:
      $ mkdir -p kbs/data/hkds
    7. Copy your HKD certificate to the hkds directory by running the following command:
      $ cp ${DOWNLOAD_FOLDER}/HKD.crt kbs/data/hkds/HKD.crt
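The following script is an added pre-flight check for the result of the steps above (example code, not part of the IBM documentation): it verifies that every file exists below the base directory, that encrypt_key-psw.pem is password protected while encrypt_key.pem is not, and, where openssl is installed, that kbs.pem and encrypt_key.pub were really derived from their private keys; hkd_name repeats the machine.sh derivation so you can compare the expected HKD file name with the file you downloaded. It assumes the same relative paths as the procedure below a base directory passed as its only argument (/root in the procedure), and the function names and the HKD.crt file name are this example's choices.

```shell
#!/bin/bash
# Added pre-flight check for the key layout produced by the steps above
# (example code, not from the IBM documentation). Takes the base directory
# (/root in the procedure) as its only argument.

# Expected HKD file name from a /proc/sysinfo-style file, derived the same
# way as machine.sh (leading zeros of the sequence code are dropped).
hkd_name() {
    local type plant serial
    type=$(awk '/^Type:/ { print $NF }' "$1")
    plant=$(awk '/^Plant:/ { print $NF }' "$1")
    serial=$(awk '/^Sequence Code:/ { sub(/^0+/, "", $NF); print $NF }' "$1")
    [ -n "$type" ] && [ -n "$plant" ] && [ -n "$serial" ] || return 1
    printf 'HKD-%s-%s%s.crt\n' "$type" "$plant" "$serial"
}

# Returns 0 only if every file exists, the two RSA private-key copies have the
# expected encryption state, and each public key belongs to its private key.
check_kbs_layout() {
    local base="$1" rsa="$1/kbs/data/rsa" f
    for f in kbs/kbs.key kbs/kbs.pem kbs/data/kbs-storage/key \
             kbs/data/rsa/encrypt_key-psw.pem kbs/data/rsa/encrypt_key.pub \
             kbs/data/rsa/encrypt_key.pem kbs/data/hkds/HKD.crt; do
        [ -s "$base/$f" ] || { echo "missing or empty: $f" >&2; return 1; }
    done
    # The password-protected copy carries an ENCRYPTED marker in its PEM
    # header; the plain copy that Trustee loads must not.
    if ! head -n 3 "$rsa/encrypt_key-psw.pem" | grep -q ENCRYPTED; then
        echo "encrypt_key-psw.pem is not password protected" >&2; return 1
    fi
    if head -n 3 "$rsa/encrypt_key.pem" | grep -q ENCRYPTED; then
        echo "encrypt_key.pem is still encrypted" >&2; return 1
    fi
    for f in "$rsa/encrypt_key.pub" "$base/kbs/kbs.pem"; do
        head -n 1 "$f" | grep -q 'BEGIN PUBLIC KEY' \
            || { echo "$f is not a PEM public key" >&2; return 1; }
    done
    # With openssl installed, re-derive each public key and compare bytes.
    if command -v openssl >/dev/null 2>&1; then
        openssl pkey -in "$base/kbs/kbs.key" -pubout 2>/dev/null \
            | cmp -s - "$base/kbs/kbs.pem" \
            || { echo "kbs.pem does not match kbs.key" >&2; return 1; }
        openssl pkey -in "$rsa/encrypt_key.pem" -pubout 2>/dev/null \
            | cmp -s - "$rsa/encrypt_key.pub" \
            || { echo "encrypt_key.pub does not match encrypt_key.pem" >&2; return 1; }
    fi
    echo "key layout under $base is consistent"
}
if [ -n "$1" ]; then check_kbs_layout "$1"; fi
```

Run it as `./check_keys.sh /root` after step 5; a non-zero exit and a message on stderr name the first file that is missing or inconsistent.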