Using ECC Workload Certificates (pilot-agent environmental variables) Jacob Delgado / Aspen Mesh #IstioCon ECC workload certificates ● In various environments, the need for x509 certificates that that use Elliptical Curve Cryptography (ECC) is a requirement ● In Istio 1.6, support for workloads to use ECC certificates for mTLS in sidecar-to-sidecar communication was added ○ As of Istio 1.7.7+, 1.8.2+ and 1.9.0+ there is no longer the restriction that a plugged in CA certificate must use ECC cryptography (using ECDSA P-256) to use this feature ● Only ECDSA P-256 is supported #IstioCon pilot-agent

©2021 Aspen Mesh. All rights reserved. Key Platform Requirements Multi-Vendor Real-Time (RAN) Workload Mobility Networking outside CNF Encryption & Authorization between CNFs 5 ©2021 Aspen Mesh. avoid escalated pod privileges ● Integrate with PKI minted Intermediate CA ● Enable ECC certificates ● Configure workload certificate TTLs ● Enable strict mutual TLS (mTLS) instead of auto ● Use dedicated architectural changes ● SPIFFE only certificates ● Configuring workload certificate TTLs ● RSA to ECC migration ● Missing www-authenticate header ● Tuning per-workload proxy concurrency ● Consuming Istio

security-smart-cards-ssh SSH 3 security-apparmor AppArmor 3 security-firewall Firewall 3 security-certificates Certificates 3 security-trust-store CA trust store 3 security-console Console 2 High Availability clear across the network. See LDAP with TLS for details on how to set up OpenLDAP with trusted SSL certificates. 153 Add the new configuration: sudo ldapadd -Q -Y EXTERNAL -H ldapi:/// -f consumer_simple_sync clear across the network. See LDAP with TLS for details on how to set up OpenLDAP with trusted SSL certificates. Add the new configuration: sudo ldapadd -Q -Y EXTERNAL -H ldapi:/// -f consumer_sync.ldif

77d2833a1bde2a9899cfc4d0433d64b01d03e79927aa60a40507c5739591b8122ee609cf5636e71b02ce5009f3b8361930ecc3a9abb0 若节点未启动，则直接启动节点，若节点已启动，可直接用脚本reload_whitelist.sh刷新白名单 配置即可（暂不支持动态刷新黑名单）。 # 若节点未启动 $ bash start 77d2833a1bde2a9899cfc4d0433d64b01d03e79927aa60a40507c5739591b8122ee609cf5636e71b02ce5009f3b8361930ecc3a9abb0 38158ef34eb2d58ce1d31c8f3ef9f1fa829d0eb8ed1657f4b2a3ebd3265d44b243c69ffee0519c143dd67e91572 77d2833a1bde2a9899cfc4d0433d64b01d03e79927aa60a40507c5739591b8122ee609cf5636e71b02ce5009f3b8361930ecc3a9abb0 ˓→", "Topic": [] } ] } 配 配 配置 置 置黑 黑 黑名 名 名单 单 单： ： ：node0拒 拒 拒绝 绝 绝node1的 的 的连 连 连接 接 接

77d2833a1bde2a9899cfc4d0433d64b01d03e79927aa60a40507c5739591b8122ee609cf5636e71b02ce5009f3b8361930ecc3a9abb0 若节点未启动，则直接启动节点，若节点已启动，可直接用脚本reload_whitelist.sh刷新白名单 配置即可（暂不支持动态刷新黑名单）。 # 若节点未启动 $ bash start 77d2833a1bde2a9899cfc4d0433d64b01d03e79927aa60a40507c5739591b8122ee609cf5636e71b02ce5009f3b8361930ecc3a9abb0 38158ef34eb2d58ce1d31c8f3ef9f1fa829d0eb8ed1657f4b2a3ebd3265d44b243c69ffee0519c143dd67e91572 77d2833a1bde2a9899cfc4d0433d64b01d03e79927aa60a40507c5739591b8122ee609cf5636e71b02ce5009f3b8361930ecc3a9abb0 ˓→", "Topic": [] } ] } 6.16. CA黑 黑 黑白 白 白名 名 名单 单 单 179 FISCO BCOS Documentation, 发 发 发布

77d2833a1bde2a9899cfc4d0433d64b01d03e79927aa60a40507c5739591b8122ee609cf5636e71b02ce5009f3b8361930ecc3a9abb0 若节点未启动，则直接启动节点，若节点已启动，可直接用脚本reload_whitelist.sh刷新白名单 配置即可（暂不支持动态刷新黑名单）。 # 若节点未启动 $ bash start 77d2833a1bde2a9899cfc4d0433d64b01d03e79927aa60a40507c5739591b8122ee609cf5636e71b02ce5009f3b8361930ecc3a9abb0 38158ef34eb2d58ce1d31c8f3ef9f1fa829d0eb8ed1657f4b2a3ebd3265d44b243c69ffee0519c143dd67e91572 77d2833a1bde2a9899cfc4d0433d64b01d03e79927aa60a40507c5739591b8122ee609cf5636e71b02ce5009f3b8361930ecc3a9abb0 ˓→", "Topic": [] } ] } 配 配 配置 置 置黑 黑 黑名 名 名单 单 单： ： ：node0拒 拒 拒绝 绝 绝node1的 的 的连 连 连接 接 接

77d2833a1bde2a9899cfc4d0433d64b01d03e79927aa60a40507c5739591b8122ee609cf5636e71b02ce5009f3b8361930ecc3a9abb0 若节点未启动，则直接启动节点，若节点已启动，可直接用脚本reload_whitelist.sh刷新白名单 配置即可（暂不支持动态刷新黑名单）。 # 若节点未启动 $ bash start 77d2833a1bde2a9899cfc4d0433d64b01d03e79927aa60a40507c5739591b8122ee609cf5636e71b02ce5009f3b8361930ecc3a9abb0 38158ef34eb2d58ce1d31c8f3ef9f1fa829d0eb8ed1657f4b2a3ebd3265d44b243c69ffee0519c143dd67e91572 77d2833a1bde2a9899cfc4d0433d64b01d03e79927aa60a40507c5739591b8122ee609cf5636e71b02ce5009f3b8361930ecc3a9abb0 ˓→", "Topic": [] } ] } 配 配 配置 置 置黑 黑 黑名 名 名单 单 单： ： ：node0拒 拒 拒绝 绝 绝node1的 的 的连 连 连接 接 接

Generating CA key... ============================================================== Generating keys and certificates ... Processing IP=196.168.0.1 Total=1 Agency=agencyA Groups=1 Processing IP=196.168.0.3 Total=1 v2.7.1 # 更新包索引 sudo apt-get update # 安装基础依赖库 sudo apt-get install \ apt-transport-https \ ca-certificates \ curl \ gnupg-agent \ software-properties-common # 添加Docker官方GPG key curl -fsSL https://download [boolean] -v, --version Show version number [boolean] --caliper-benchconfig Path to the benchmark workload file that describes the ˓→test client(s), test rounds and monitor. [string] --caliper-networkconfig

2 TensorRT 8.0.3 21.08 NVIDIA CUDA 11.4.1 1.10.0a0+3fd9dcf 21.07 NVIDIA CUDA 11.4.0 1.10.0a0+ecc3718 TensorRT 8.0.1.6 21.06 NVIDIA CUDA 11.3.1 1.9.0a0+c3d40fd 21.05 21.04 NVIDIA CUDA 11.3.0 2 TensorRT 8.0.3 21.08 NVIDIA CUDA 11.4.1 1.10.0a0+3fd9dcf 21.07 NVIDIA CUDA 11.4.0 1.10.0a0+ecc3718 TensorRT 8.0.1.6 21.06 NVIDIA CUDA 11.3.1 1.9.0a0+c3d40fd 21.05 21.04 NVIDIA CUDA 11.3.0 2 TensorRT 8.0.3 21.08 NVIDIA CUDA 11.4.1 1.10.0a0+3fd9dcf 21.07 NVIDIA CUDA 11.4.0 1.10.0a0+ecc3718 TensorRT 8.0.1.6 21.06 NVIDIA CUDA 11.3.1 1.9.0a0+c3d40fd 21.05 21.04 NVIDIA CUDA 11.3.0

choose to use to generate the certificates and key material to configure and manage identity in your blockchain network. However, any CA that can generate ECDSA certificates may be used. 8 Chapter 1. Getting participants have known identities. Public Key Infras- tructure is used to generate cryptographic certificates which are tied to organizations, network components, and end users or client applications. As the valid identities for this organization. The default MSP implementation in Fabric uses X.509 certificates as identities, adopting a traditional Public Key Infrastructure (PKI) hierarchical model (more