Fiware 在本地主机上安装Cosmos
我试着在本地主机上安装cosmos,但我发现了一个问题,我不知道该怎么做。 首先,我创建了一个certs和pem,但在第4步中移动。pem我不知道要移动的pem我有两个pem。我尝试验证openssl verify-CApath/etc/pki/tls/certs.pem这两个pem,但不起作用Fiware 在本地主机上安装Cosmos,fiware,fiware-cygnus,Fiware,Fiware Cygnus,我试着在本地主机上安装cosmos,但我发现了一个问题,我不知道该怎么做。 首先,我创建了一个certs和pem,但在第4步中移动。pem我不知道要移动的pem我有两个pem。我尝试验证openssl verify-CApath/etc/pki/tls/certs.pem这两个pem,但不起作用 Step 3: generating and installing the master node's certificate The platform requires a certificate
Step 3: generating and installing the master node's certificate
The platform requires a certificate for the master node, signed by a valid CA, is installed in order to be shown as an authentication proof. Thus, this certificate must be created by generating a Certificate Signing Request (CSR); do it once in the master node:
$ openssl req -newkey rsa:2048 -new -keyout newkey.pem -out newreq.pem
The above command will prompt for certain information; the most important information regarding the Cosmos platform is the name of the server (whichever hostname was chosen for the cosmos master node) where the certificate is going to be installed, and that the challenge password must be empty. Althought the PEM pass phrase must be empty (otherwise, the httpd server will not be automatically started), it has to be filled in this step and removed later by performing:
$ openssl rsa -in newkey.pem -out newkey.pem
Reached this point, you may choose among two options for signing the certificate:
Use a valid CA in the Internet. The content of the generated SCR (newreq.pem file) must be used within the CA in order to retrieve the final certificate, which will be typically called certnew.cer. The way each CA manages the CSR varies from one to another.
Self-signing the certificate. In this case, you have to perform this command:
$ openssl req -new -x509 -key newkey.pem -out certnew.cer
In any case, once the certificate (certnew.cer), key (newkey.pem) and CSR (newreq.pem) have been got, rename the files according to this (do it in all the machines):
$ cp newkey.pem [COSMOS_TMP_PATH]/puppet/modules/cosmos/files/environments/<my_environment>/certs/<cosmos-master-node>_key.pem
$ cp cernew.cer [COSMOS_TMP_PATH]/puppet/modules/cosmos/files/environments/<my_environment>/certs/<cosmos-master-node>_cer.pem
$ cp newreq.pem [COSMOS_TMP_PATH]/puppet/modules/cosmos/files/environments/<my_environment>/certs/<cosmos-master-node>_req.pem
Step 4: CA's certificate installation
The CA's certificate itself must be installed. Download it from the appropiate link (if you self-signed the master node's certificates, then such certificate is the CA's certificate as well) and do the following in the Cosmos master node:
Copy the CA's certificate (generic name <ca_cert>.pem) to the local certificates store and change directory to it:
$ mv <ca_cert>.pem /etc/pki/tls/certs
$ cd /etc/pki/tls/certs
Create a symbolic link for the CA's certificate. An 8-digit-number-based file will be created. It is very important the extension of this file is '.0':
$ ln -s <ca_cert>.pem `openssl x509 -hash -noout -in <ca_cert>.pem`.0
Verify the certificate has ben successfully installed:
$ openssl verify -CApath /etc/pki/tls/certs <ca_cert>.pem
xxxxxxxx.0: OK
You must see a 8-digit hash .0 file followed by "OK".
步骤3:生成和安装主节点的证书
平台要求主节点安装由有效CA签名的证书,以便显示为身份验证证明。因此,必须通过生成证书签名请求(CSR)来创建此证书;在主节点中执行一次:
$openssl req-newkey rsa:2048-new-keyout newkey.pem-out newreq.pem
上述命令将提示某些信息;有关Cosmos平台的最重要信息是要安装证书的服务器名称(为Cosmos主节点选择的主机名),以及质询密码必须为空。尽管PEM密码短语必须为空(否则,httpd服务器将不会自动启动),但必须在此步骤中填写该短语,然后通过执行以下操作将其删除:
$openssl rsa-输入newkey.pem-输出newkey.pem
至此,您可以从两个选项中选择签名证书:
在Internet中使用有效的CA。生成的SCR(newreq.pem文件)的内容必须在CA中使用,以便检索最终证书,该证书通常称为certnew.cer。每个CA管理CSR的方式各不相同。
自签名证书。在这种情况下,您必须执行以下命令:
$openssl req-new-x509-key newkey.pem-out certnew.cer
在任何情况下,一旦获得证书(certnew.cer)、密钥(newkey.pem)和CSR(newreq.pem),请根据此重命名文件(在所有计算机中执行此操作):
$cp newkey.pem[COSMOS\u TMP\u PATH]/puppet/modules/COSMOS/files/environments//certs/\u key.pem
$cp cernew.cer[COSMOS\u TMP\u PATH]/puppet/modules/COSMOS/files/environments//certs/\u cer.pem
$cp newreq.pem[COSMOS\u TMP\u PATH]/puppet/modules/COSMOS/files/environments//certs/\u req.pem
步骤4:CA的证书安装
必须安装CA的证书本身。从appropiate链接下载它(如果您对主节点的证书进行了自签名,那么该证书也是CA的证书),并在Cosmos主节点中执行以下操作:
将CA的证书(generic name.pem)复制到本地证书存储并将目录更改为:
$mv.pem/etc/pki/tls/certs
$cd/etc/pki/tls/certs
为CA的证书创建符号链接。将创建一个基于8位数字的文件。此文件的扩展名为“.0”非常重要:
$ln-s.pem`opensslx509-hash-noout-in.pem`.0
验证证书是否已成功安装:
$openssl验证-CApath/etc/pki/tls/certs.pem
xxxxxxxx.0:好的
您必须看到一个8位哈希.0文件,后跟“OK”。