EP3192228A1 - Method and device for controlling the provision of authentication certificates to service nodes of a high-performance computer - Google Patents

Method and device for controlling the provision of authentication certificates to service nodes of a high-performance computer

Info

Publication number
EP3192228A1
Authority
EP
European Patent Office
Prior art keywords
service
service node
node
server
authentication
Prior art date
Legal status
Withdrawn
Application number
EP15766912.8A
Other languages
English (en)
French (fr)
Inventor
Julien GEORGES
Thierry Iceta
Emmanuel FLACARD
Current Assignee
Bull SAS
Original Assignee
Bull SAS
Priority date
2014-09-09
Filing date
2015-09-02
Publication date
2017-07-19
Application filed by Bull SAS
Publication of EP3192228A1
Current legal status: Withdrawn

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F9/00 Arrangements for program control, e.g. control units
    • G06F9/06 Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F9/44 Arrangements for executing specific programs
    • G06F9/4401 Bootstrapping
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F9/00 Arrangements for program control, e.g. control units
    • G06F9/06 Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F9/44 Arrangements for executing specific programs
    • G06F9/4401 Bootstrapping
    • G06F9/4416 Network booting; Remote initial program loading [RIPL]
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/08 Configuration management of networks or network elements
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L61/00 Network arrangements, protocols or services for addressing or naming
    • H04L61/50 Address allocation
    • H04L61/5007 Internet protocol [IP] addresses
    • H04L61/5014 Internet protocol [IP] addresses using dynamic host configuration protocol [DHCP] or bootstrap protocol [BOOTP]
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0823 Network architectures or network communication protocols for network security for authentication of entities using certificates

Definitions

  • The invention relates to "high performance" computers (or supercomputers), and more specifically to controlling the provision of authentication certificates to the service nodes that such high performance computers include.
  • One of these steps is to configure each of the service nodes with a configuration tool after an initialization phase.
  • This configuration step requires the authentication of each service node by at least one authentication certificate that has been previously installed in a specific location of a storage area of the service node considered.
  • Different methods for installing authentication certificates on a service node have been proposed. But these methods are generally all implemented once the service node is running, which adds an extra step when operating the supercomputer.
  • The purpose of the invention is notably to improve this situation, and in particular to allow the service nodes to authenticate with their server immediately after the end of the initialization phase.
  • a first step (i) in which a set of at least one authentication certificate is defined for each service node, and each set defined for a service node is then integrated into a configuration file associated with an identifier of this service node,
  • each service node transmits to a predefined server a start request intended to retrieve its identifier and a command file containing the set included in the associated configuration file, and
  • each service node extracts from the command file the set it contains to store each authentication certificate it contains in an associated location in a corresponding storage area.
  • the method according to the invention may comprise other characteristics that can be taken separately or in combination, and in particular:
  • each set can be integrated in a configuration file of the "pxelinux.cfg" type;
  • each service node identifier may be an IP address
  • the first step (i) can be performed in the predefined server
  • each service node can extract from the retrieved command file each authentication certificate in order to place it in an authentication certificate file.
  • The invention also proposes a computer program product comprising a set of instructions which, when executed by processing means, is adapted to implement a control method of the type presented above, in order to control the provision of authentication certificates to service nodes of a high performance computer.
  • the invention also proposes a control device intended to equip a high performance computer comprising a server coupled to service nodes, and comprising:
  • first control means arranged to define for each service node a set of at least one authentication certificate, then to integrate each set defined for a service node into a configuration file associated with an identifier of this service node, and, on reception of a start request sent by a service node, to generate a command file containing the set included in the configuration file associated with the identifier of this service node and to trigger the transmission of this command file to that service node, and
  • second control means located in each of the service nodes and each arranged to extract from a transmitted command file the set it contains in order to store each authentication certificate of this extracted set in an associated location in a corresponding storage area of the relevant service node.
  • the invention also proposes a high performance computer comprising a server coupled to service nodes, and a control device of the type of that presented above.
  • the server may include the first control means.
  • FIG. 1 schematically and functionally illustrates a high performance computer equipped with an exemplary embodiment of a control device according to the invention
  • FIG. 2 illustrates an example of an algorithm implementing a control method according to the invention.
  • The object of the invention is in particular to propose a control method, and an associated control device D, intended to allow the control of the provision of authentication certificates to service nodes Nij of a high performance computer CHP.
  • FIG. 1 diagrammatically illustrates a nonlimiting example of a high performance computer CHP comprising a server SC coupled to service nodes Nij, for example via a communication network (such as the Internet).
  • N is equal to 10 and M(i) is equal to 500 whatever the group Gi considered (and therefore whatever the value of the index i).
  • the number of nodes Nij could vary from one group Gi to another Gi'.
  • the number N of groups Gi can take any value greater than or equal to one (1).
  • the number M(i) of nodes Nij of a group Gi can take any value greater than or equal to three (3).
  • Each node Nij has resources that are generally shared with the other nodes Nij' (j' ≠ j) of its group Gi, under the control of high-availability (HA) software. These resources can be of any type as long as they are configurable services that are useful to the computer CHP or to an application running in this computer CHP.
  • the server SC provides several services related to the network boot of the nodes Nij.
  • a DHCP (Dynamic Host Configuration Protocol) service
  • tftp and "PXE boot" services for the transfer of the hexadecimal files carrying the variables necessary for the authentication of the nodes Nij after the initialization phase, and for the transfer of the operating system image before it is used by the nodes Nij.
  • a configuration tool OC intended to configure the resources of the nodes Nij.
  • the configuration tool OC is Kconf® (marketed by BULL SAS).
  • The invention proposes a method for enabling the control of the provision of authentication certificates to service nodes Nij of a high performance computer CHP.
  • This method comprises first (i), second (ii) and third (iii) steps, which can be implemented at least partially by a control device D according to the invention.
  • a control device D comprises at least first MC1 and second MC2 control means.
  • the second control means MC2 are installed in each of the service nodes Nij.
  • The first control means MC1 are installed in the server SC, and more precisely in the configuration tool OC. But this is not obligatory. They could indeed be equipment that is external to the server SC but accessible by the latter, for example via a computer connection, or that is part of the server SC but not of its configuration tool OC.
  • The control device D can be realized either in the form of software modules (or "software"), in which case it is a computer program product comprising a set of instructions which, when executed by processing means such as electronic circuits (or "hardware"), is adapted to implement the control method, or in the form of a combination of software modules and electronic circuits.
  • each set defined for a node Nij is integrated in a configuration file associated with an identifier of the node Nij.
  • This first step (i) is performed by the first control means MC1, possibly under the control of a person authorized by the administrator of the computer CHP. It can be triggered automatically as part of a process of contacting the nodes Nij for network boot, or manually at the initiative of the administrator of the supercomputer CHP.
  • This first step (i) is referenced in the exemplary algorithm of FIG.
  • Each set may include one, two, three, or four authentication certificates, or even more if needed.
  • the first control means MC1 may be arranged to generate each authentication certificate intended for a node Nij from information that is stored in a database BD of the server SC and that defines all the characteristics of the nodes Nij. This generation can be done by means of a first script.
  • the authentication certificates thus generated can be stored in the server SC as primary files in a predefined tree.
  • the authentication certificates of the nodes Nij are already generated, and the first control means MC1 only retrieve them for storage in the server SC in the form of primary files in a predefined tree.
  • the first control means MC1 can be arranged to recover the contents of each primary file associated with a node Nij in order to format it and integrate it into one or more variables of a configuration file associated with an identifier of the node Nij, which pre-exists and is for example stored in first storage means MS of the server SC, such as a memory. It will be understood that each variable corresponds to an authentication certificate.
  • Each identifier of a node Nij is for example an IP address which is stored in the database BD among all the information defining this node Nij.
  • each configuration file can be of the "pxelinux.cfg" type.
  • the associated configuration file can be "/tftpboot/pxelinux.cfg/0A00000D", where 0A00000D is the name of the configuration file in hexadecimal form, which corresponds to the IP address of this node Nij in hexadecimal format.
  • This IP address of the node is defined by the DHCP service.
  • the contents of a configuration file are standard text containing the instructions for booting the node Nij over the network.
  • the integration of the values of the authentication certificate variables can be done by means of a second script of the first control means MC1.
  • each node Nij transmits to the predefined server SC a start request which is intended to retrieve its identifier (here its IP address) and a command file which contains the set of authentication certificates included in the associated configuration file (that is, the one containing its IP address).
  • This second step (ii) is referenced in the exemplary algorithm of FIG.
  • When the administrator of the supercomputer CHP wishes to start the nodes Nij, he triggers the sending of start requests by these nodes Nij. For this purpose, he orders the nodes Nij to start (or boot) via the network. The sequence is carried out automatically for each node Nij by sending to the server SC a boot request, preferably of the "PXE network boot" type. This triggers a contact with the server SC by virtue of the IP address of the node Nij obtained via the DHCP service, then the retrieval by this node Nij of its hexadecimal configuration file from the PXE service of the server SC, and the obtaining by this node Nij of its operating system via the tftp transfer service of the server SC.
  • On receipt of a start request transmitted by a node Nij, the first control means MC1 determine in the storage means MS the configuration file which contains the IP address of this node Nij. Then, they extract from this configuration file the value of each authentication certificate variable in order to integrate it into a command file, and finally they order the server SC to transmit this command file to the requesting node Nij.
  • this command file can be of the "/proc/cmdline" type.
  • each node Nij extracts from the command file that it has retrieved (following the sending of its start request) the set of authentication certificates it contains, in order to store each authentication certificate in an associated location in a corresponding storage area MS'.
  • This storage area MS' is for example a memory of a node Nij which is used to store essential data throughout the operating phase of this node Nij.
  • This third step (iii) is referenced in the exemplary algorithm of FIG.
  • each node Nij performs the extraction of the value of each authentication certificate variable, then converts each extracted value into a format understandable by the node Nij, and finally places each converted value at the associated location of the storage area MS'.
  • This location includes for example a predefined tree and at least one predefined file.
  • the second control means MC2 of a node Nij can extract from the retrieved command file each authentication certificate in order to place it (after its possible conversion to the correct format) into an authentication certificate file.
  • the node Nij already comprises an original authentication certificate file when it receives a command file.
  • its second control means MC2 can either store the original file in another predefined storage area and the new authentication certificate file at the location where the original file was stored (i.e. in the storage means MS'), or simply replace (or overwrite) the original file with the new authentication certificate file in the storage means MS'. In the absence of a difference, it preserves the original file at the location where it is stored (namely in the storage means MS').
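Added example, not code from the patent or from Bull SAS, walking the three steps above for one node: the server derives the pxelinux.cfg file name from the node's IP address (10.0.0.13 gives 0A00000D, the file name quoted above), embeds the certificate set as variables on the APPEND line, and the node parses the resulting kernel command line to place each certificate in its storage area. The cert_<n> variable names, the base64 formatting of the PEM data and the /etc/ssl/node storage path are assumptions of this example.

```python
"""Added example, not code from the patent or from Bull SAS: the three steps of
the described method for one service node, on constructed sample data.
Assumed (not from the patent): certificates travel as base64 kernel command
line variables named cert_<n>, written on the APPEND line of pxelinux.cfg."""
import base64
import ipaddress
import shlex
from pathlib import PurePosixPath

# Constructed placeholder, not a real certificate.
SAMPLE_CERT = b"-----BEGIN CERTIFICATE-----\nMIIBc29tZSBzYW1wbGU=\n-----END CERTIFICATE-----\n"


def pxelinux_cfg_name(ip: str) -> str:
    """pxelinux looks up pxelinux.cfg/<IPv4 address as 8 upper-case hex digits>."""
    return format(int(ipaddress.IPv4Address(ip)), "08X")  # 10.0.0.13 -> "0A00000D"


def build_config(ip: str, certs: list, kernel: str = "vmlinuz",
                 initrd: str = "initrd.img") -> tuple:
    """Step (i) on the server: integrate the certificate set of the node with
    address <ip> as variables of its configuration file. Returns (path, text)."""
    variables = [f"cert_{n}={base64.b64encode(c).decode()}" for n, c in enumerate(certs, 1)]
    text = "\n".join(["DEFAULT node", "LABEL node", f"  KERNEL {kernel}",
                      f"  APPEND initrd={initrd} " + " ".join(variables) + " ip=dhcp", ""])
    return f"/tftpboot/pxelinux.cfg/{pxelinux_cfg_name(ip)}", text


def command_line_from_config(text: str) -> str:
    """Step (ii): after PXE boot the node finds the APPEND line of its
    configuration file in /proc/cmdline (pxelinux passes it to the kernel)."""
    for line in text.splitlines():
        if line.strip().upper().startswith("APPEND "):
            return line.strip()[len("APPEND "):]
    raise ValueError("no APPEND line in configuration file")


def extract_certificates(cmdline: str, store_dir: str = "/etc/ssl/node") -> dict:
    """Step (iii) on the node: pull the cert_<n> variables out of the command
    line, convert them back to PEM and map each to its location in the storage
    area. Malformed or non-certificate values are skipped, never written."""
    found = {}
    for token in shlex.split(cmdline):  # the command line is space separated key=value
        key, sep, value = token.partition("=")
        if not (sep and key.startswith("cert_") and key[5:].isdigit()):
            continue
        try:
            pem = base64.b64decode(value, validate=True)
        except ValueError:
            continue
        if pem.startswith(b"-----BEGIN CERTIFICATE-----"):
            found[str(PurePosixPath(store_dir) / f"{key}.pem")] = pem
    return found


def provision(ip: str, certs: list) -> dict:
    """Server builds the configuration, node boots it and extracts the set."""
    _, text = build_config(ip, certs)
    return extract_certificates(command_line_from_config(text))


if __name__ == "__main__":
    path, text = build_config("10.0.0.13", [SAMPLE_CERT])
    print(path)
    print(text)
    for location, pem in provision("10.0.0.13", [SAMPLE_CERT]).items():
        print(location, pem.splitlines()[0].decode())
```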

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Software Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Signal Processing (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Computer And Data Communications (AREA)
  • Debugging And Monitoring (AREA)
EP15766912.8A 2014-09-09 2015-09-02 Method and device for controlling the provision of authentication certificates to service nodes of a high-performance computer Withdrawn EP3192228A1 (de)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
FR1458437A FR3025632B1 (fr) 2014-09-09 2014-09-09 Method and device for controlling the provision of authentication certificates to service nodes of a high-performance computer
PCT/FR2015/052321 WO2016038278A1 (fr) 2014-09-09 2015-09-02 Method and device for controlling the provision of authentication certificates to service nodes of a high-performance computer

Publications (1)

Publication Number Publication Date
EP3192228A1 true EP3192228A1 (de) 2017-07-19

Family

ID=52450274

Family Applications (1)

Application Number Title Priority Date Filing Date
EP15766912.8A Withdrawn EP3192228A1 (de) 2014-09-09 2015-09-02 Method and device for controlling the provision of authentication certificates to service nodes of a high-performance computer

Country Status (4)

Country Link
US (1) US20170318056A1 (de)
EP (1) EP3192228A1 (de)
FR (1) FR3025632B1 (de)
WO (1) WO2016038278A1 (de)

Families Citing this family (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US11165766B2 (en) 2018-08-21 2021-11-02 International Business Machines Corporation Implementing authentication protocol for merging multiple server nodes with trusted platform modules utilizing provisioned node certificates to support concurrent node add and remove
US10885197B2 (en) * 2018-09-21 2021-01-05 International Business Machines Corporation Merging multiple compute nodes with trusted platform modules utilizing authentication protocol with active trusted platform module provisioning
US11206141B2 (en) 2018-09-21 2021-12-21 International Business Machines Corporation Merging multiple compute nodes with trusted platform modules utilizing provisioned node certificates

Family Cites Families (2)

Publication number Priority date Publication date Assignee Title
US6715075B1 (en) * 1999-07-08 2004-03-30 Intel Corporation Providing a configuration file to a communication device
US7430664B2 (en) * 2005-02-02 2008-09-30 Innomedia Pte, Ltd System and method for securely providing a configuration file over and open network

Non-Patent Citations (2)

Title
None *
See also references of WO2016038278A1 *

Also Published As

Publication number Publication date
US20170318056A1 (en) 2017-11-02
FR3025632A1 (fr) 2016-03-11
FR3025632B1 (fr) 2016-11-04
WO2016038278A1 (fr) 2016-03-17

Similar Documents

Publication Publication Date Title
EP2449751B1 (de) Method for starting a computer in a network, server and computer network for implementing the method
US8719392B2 (en) Searching a managed network for setting and configuration data
EP1687717B1 (de) Secure start-up of an electronic device with SMP architecture
EP3108361A2 (de) Method for deploying a set of software applications
FR2855691A1 (fr) Securing the distribution of digital documents in a peer-to-peer network
US20170034020A1 (en) System and method for monitoring bittorrent content and the computers that share bittorrent content
JP6785913B2 (ja) Method and system for preventing the distribution of illegal content on the Internet
EP3192228A1 (de) Method and device for controlling the provision of authentication certificates to service nodes of a high-performance computer
EP2633440B1 (de) Indexing and executing software applications in a network
EP3714588B1 (de) Method for remote management of a device connected to a residential gateway
EP3906635A1 (de) Method for connecting a computing application to a secure computer resource
EP3394740B1 (de) Method for configuring an operating system
EP3623979A1 (de) Secure method for storing a container image in a container registry over a network
EP2912598A1 (de) Method for downloading at least one software component onto a computer device, and associated computer program product, computer device and computer system
EP2851793B1 (de) Method for configuring at least one node of a computer cluster, corresponding device and system
FR2814020A1 (fr) Method and device for processing an electronic document in a communication network
FR2906097A1 (fr) Secure data exchange methods, computer program product, storage medium and corresponding devices
FR3001560A1 (fr) Deployment of dual system images in a server cluster
FR2911203A1 (fr) Method for managing the execution environment on thin client workstations
FR2805905A1 (fr) Method for executing an action in a heterogeneous information system
FR3040805A1 (fr) Automatic method for setting up and maintaining high-availability services in a cloud operating system
FR2987534A1 (fr) Network inventory method
FR3001817A1 (fr) Method for configuring a plurality of nodes of a computer cluster

Legal Events

Date Code Title Description
PUAI Public reference made under article 153(3) epc to a published international application that has entered the european phase

Free format text: ORIGINAL CODE: 0009012

17P Request for examination filed

Effective date: 20170404

AK Designated contracting states

Kind code of ref document: A1

Designated state(s): AL AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HR HU IE IS IT LI LT LU LV MC MK MT NL NO PL PT RO RS SE SI SK SM TR

AX Request for extension of the european patent

Extension state: BA ME

DAV Request for validation of the european patent (deleted)
DAX Request for extension of the european patent (deleted)
17Q First examination report despatched

Effective date: 20190220

STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: THE APPLICATION IS DEEMED TO BE WITHDRAWN

18D Application deemed to be withdrawn

Effective date: 20190903