Key Manager
安装rust,openssl
curl --proto  =https  --tlsv1.2 -sSf https:  sh.rustup.rs | shsource $HOME .cargo envdnf install openssl openssl-devel
      
安装OpenBao
   wget "https:  github.com openbao openbao releases download v2.2.0 bao_2.2.0_linux_riscv64.rpm"   rpm -ivh --nodeps bao_2.2.0_linux_riscv64.rpm
      
修改配置文件 etc openbao openbao.hcl:
   ui = true  storage "file" {         path = " opt openbao data"     }        #HTTP listener     listener "tcp" {      address = "127.0.0.1:8200"         tls_disable = 1     }  
      
尝试启动openBao失败：
[root@localhost global-trust-authority]# systemctl start openbao.serviceJob for openbao.service failed because the control process exited with error code.See "systemctl status openbao.service" and "journalctl -xeu openbao.service" for details.
      
需要把 etc openbao openbao.hcl文件中http下方的https相关行注释掉重启即可（这里的Unseal Key和Root Token都需要记录好，后面要用）：
   [root@localhost ~]# systemctl restart openbao.service[root@localhost ~]# export BAO_ADDR=http:  127.0.0.1:8200    [root@localhost ~]# bao operator init   Unseal Key 1: GBPl8ZQZxZ poXG5MxgH9BB3L4NXEKxWUQejCVN5Tfku   Unseal Key 2: 0FiK1ApUwbb074WpnXfniWpb 4jdQRcGeV9bMnTmKayp   Unseal Key 3: 993Q4+K0oPvKanfQSKezuY966zL5pazHvF xW8s22JhXUnseal Key 4: 2lN8Cpsq12oqkfdkrU6vQIGo2DopeQ471sEYuAPs+eYQ   Unseal Key 5: C4oGC0f1YfhdZliPOneaAqVScQvb8j9aX64dbQO0I5pe   Initial Root Token: s.83GgH5N1X2YGjnqdizMC54mc      Vault initialized with 5 key shares and a key threshold of 3. Please securelydistribute the key shares printed above. When the Vault is re-sealed,   restarted, or stopped, you must supply at least 3 of these keys to unseal it   before it can start servicing requests.      Vault does not store the generated root key. Without at least 3 keys to   reconstruct the root key, Vault will remain permanently sealed!      It is possible to generate new unseal keys, provided you have a quorum of   existing unseal keys shares. See "vault operator rekey" for more information.
      
通过rpm部署
安装依赖：
sudo yum install -y gcc rpm-build openssl-develsudo dnf install -y rpmdevtoolsrpmdev-setuptree
      
在global-trust-authority目录下构建rpm包（需要较长时间）：
sh key_manager script rpm_build.sh[Result] RPM package path:  root rpmbuild RPMS riscv64 global-trust-authority-key-manager-0.1.0-1.riscv64.rpm
      
安装Key Manager：
sudo rpm -ivh  root rpmbuild RPMS riscv64 global-trust-authority-key-manager-0.1.0-1.riscv64.rpm	Verifying...                          ################################# [100%]Preparing...                          ################################# [100%]Updating   installing...    1:global-trust-authority-key-manage################################# [100%]
      
生成证书，global-trust-authority key_manager script目录下执行脚本，我生成的证书在~ pem目录：
[root@localhost script]# . test_certificate_generation.sh -p ~ pem -i 10.0.2.15证书将生成到:  root pem=== 生成根CA证书 ====== 生成服务端证书 ===Certificate request self-signature oksubject=CN = key_manager=== 生成RA客户端证书 ===Certificate request self-signature oksubject=CN = RA-Service=== 验证证书 ===证书生成完成！生成的证书位于:  root pem文件列表: root pem key_manager_server_cert.pem root pem key_manager_server.csr root pem key_manager_server_key.pem root pem km_cert.pem root pem km_key.pem root pem ra_client_cert.pem root pem ra_client.csr root pem ra_client_key.pem
      
修改配置：
ROOT_CA_CERT_PATH= root pem km_cert.pemKEY_MANAGER_CERT_FILE_PATH= root pem key_manager_server_cert.pemKEY_MANAGER_KEY_FILE_PATH= root pem key_manager_server_key.pemKEY_MANAGER_ROOT_TOKEN=s.83GgH5N1X2YGjnqdizMC54mcKEY_MANAGER_SECRET_ADDR=http:  127.0.0.1:8200 
      
开启服务报错：
[root@localhost ~]#  usr local key_manager bin key_managerd &[2] 15900[root@localhost ~]# 2025-07-23T15:38:56.094 15900 [INFO] key_managerd::utils::logger - init logger successfully2025-07-23T15:38:56.621 15900 [ERROR] key_managerd::key_manager::openbao::openbao_manager - select secrets error, err: Error listing secrets engines: Error making API request.URL: GET http:  127.0.0.1:8200 v1 sys mountsCode: 503. Errors:* Vault is sealed2025-07-23T15:38:56.622 15900 [ERROR] key_managerd - OpenBao init config error: openbao command execute error, please check openbao.Error: Custom { kind: Other, error: "openbao command execute error, please check openbao." }[2]-  Exit 1                   usr local key_manager bin key_managerd
      
openbao相关错误，仔细阅读key_manager安装手册发现要使用3个unseal key使openbao解除Sealed状态：
[root@localhost ~]# bao operator unseal GBPl8ZQZxZ poXG5MxgH9BB3L4NXEKxWUQejCVN5TfkuKey                Value---                -----Seal Type          shamirInitialized        trueSealed             trueTotal Shares       5Threshold          3Unseal Progress    1 3Unseal Nonce       c4c3d805-78a1-11e1-c989-667ccac04931Version            2.0.0Build Date         2024-07-17T22:05:43ZStorage Type       fileHA Enabled         f[root@localhost ~]# bao[root@localhost ~]# bao operator unseal 0FiK1ApUwbb074WpnXfniWpb 4jdQRcGeV9bMnTmKaypKey                Value---                -----Seal Type          shamirInitialized        trueSealed             trueTotal Shares       5Threshold          3Unseal Progress    2 3Unseal Nonce       c4c3d805-78a1-11e1-c989-667ccac04931Version            2.0.0Build Date         2024-07-17T22:05:43ZStorage Type       fileHA Enabled         false[root@localhost ~]# [root@localhost ~]# 0FiK1ApUwbb074WpnXfniWpb 4jdQRcGeV9bMnTmKayp[root@localhost ~]# bao operator unseal 993Q4+K0oPvKanfQSKezuY966zL5pazHvF xW8s22JhXKey             Value---             -----Seal Type       shamirInitialized     trueSealed          falseTotal Shares    5Threshold       3Version         2.0.0Build Date      2024-07-17T22:05:43ZStorage Type    fileCluster Name    vault-cluster-f2754bd5Cluster ID      16983dee-d5fd-08ca-3977-808ff9f7b829HA Enabled      false
      
再次启动key_manager成功：
[root@localhost ~]#  usr local key_manager bin key_managerd &[2] 15930[root@localhost ~]# 2025-07-23T15:43:52.462 15930 [INFO] key_managerd::utils::logger - init logger successfully2025-07-23T15:43:56.218 15930 [INFO] actix_server::builder - starting 4 workers2025-07-23T15:43:56.219 15930 [INFO] actix_server::server - Actix runtime found; starting in Actix runtime2025-07-23T15:43:56.220 15930 [INFO] actix_server::server - starting service: "actix-web-service-0.0.0.0:8082", workers: 4, listening on: 0.0.0.0:8082
      
attestation_server
创建 etc attestation_server certs目录，将ra_client_key.pem, ra_client_cert.pem and km_cert.pem放入该文件夹：
[root@localhost pem]# cp ra_client_cert.pem ra_client_key.pem km_cert.pem  etc attestation_server certs 
      
安装librdkafka：
sudo dnf install -y git gcc gcc-c++ make cmake openssl-devel zlib-devel python3 && git clone --branch v2.3.0 https:  gitee.com mirrors librdkafka.git && cd librdkafka && . configure --prefix= usr local && make -j$(nproc) && sudo make install && sudo ldconfigexport PKG_CONFIG_PATH= usr local lib pkgconfig:$PKG_CONFIG_PATHexport LD_LIBRARY_PATH= usr local lib:$LD_LIBRARY_PATH安装成功：[root@localhost ~]# pkg-config --modversion rdkafka2.3.0
      
global-trust-authority rpm下运行，构建rpm包：
sh rpm script rpm_build.sh -s
      
报错编译rdkafka失败，上一步已成功安装rdkafka2.3.0，错误信息说明需要rdkafka>=2.10.0：
error: failed to run custom build command for `rdkafka-sys v4.9.0+2.10.0`Caused by:  process didn t exit successfully: ` root rpmbuild BUILD global-trust-authority target release build rdkafka-sys-f6e47c08790c5b68 build-script-build` (exit status: 1)  --- stdout  cargo:rerun-if-env-changed=RDKAFKA_NO_PKG_CONFIG  cargo:rerun-if-env-changed=PKG_CONFIG_riscv64gc-unknown-linux-gnu  cargo:rerun-if-env-changed=PKG_CONFIG_riscv64gc_unknown_linux_gnu  cargo:rerun-if-env-changed=HOST_PKG_CONFIG  cargo:rerun-if-env-changed=PKG_CONFIG  cargo:rerun-if-env-changed=RDKAFKA_STATIC  cargo:rerun-if-env-changed=RDKAFKA_DYNAMIC  cargo:rerun-if-env-changed=PKG_CONFIG_ALL_STATIC  cargo:rerun-if-env-changed=PKG_CONFIG_ALL_DYNAMIC  cargo:rerun-if-env-changed=PKG_CONFIG_PATH_riscv64gc-unknown-linux-gnu  cargo:rerun-if-env-changed=PKG_CONFIG_PATH_riscv64gc_unknown_linux_gnu  cargo:rerun-if-env-changed=HOST_PKG_CONFIG_PATH  cargo:rerun-if-env-changed=PKG_CONFIG_PATH  cargo:rerun-if-env-changed=PKG_CONFIG_LIBDIR_riscv64gc-unknown-linux-gnu  cargo:rerun-if-env-changed=PKG_CONFIG_LIBDIR_riscv64gc_unknown_linux_gnu  cargo:rerun-if-env-changed=HOST_PKG_CONFIG_LIBDIR  cargo:rerun-if-env-changed=PKG_CONFIG_LIBDIR  cargo:rerun-if-env-changed=PKG_CONFIG_SYSROOT_DIR_riscv64gc-unknown-linux-gnu  cargo:rerun-if-env-changed=PKG_CONFIG_SYSROOT_DIR_riscv64gc_unknown_linux_gnu  cargo:rerun-if-env-changed=HOST_PKG_CONFIG_SYSROOT_DIR  cargo:rerun-if-env-changed=PKG_CONFIG_SYSROOT_DIR  --- stderr  librdkafka will be linked dynamically  librdkafka 2.10.0 cannot be found on the system:   pkg-config exited with status code 1  > PKG_CONFIG_PATH= usr local lib pkgconfig:: usr lib64 pkgconfig: usr share pkgconfig PKG_CONFIG_ALLOW_SYSTEM_LIBS=1 PKG_CONFIG_ALLOW_SYSTEM_CFLAGS=1 pkg-config --libs --cflags rdkafka  rdkafka >= 2.10.0   The system library `rdkafka` required by crate `rdkafka-sys` was not found.  The file `rdkafka.pc` needs to be installed and the PKG_CONFIG_PATH environment variable must contain its parent directory.  PKG_CONFIG_PATH contains the following:      -  usr local lib pkgconfig      -       -  usr lib64 pkgconfig      -  usr share pkgconfig  HINT: you may need to install a package such as rdkafka, rdkafka-dev or rdkafka-devel.  Dynamic linking failed. Exiting.warning: build failed, waiting for other jobs to finish...error: Bad exit status from  var tmp rpm-tmp.W7S2at (%build)RPM build errors:    Bad exit status from  var tmp rpm-tmp.W7S2at (%build)
      
重新下载rdkafka2.10.0：
git clone --branch v2.10.0 https:  gitee.com mirrors librdkafka.git && cd librdkafka && . configure --prefix= usr local && make -j$(nproc) && sudo make install && sudo ldconfigexport PKG_CONFIG_PATH= usr local lib pkgconfig:$PKG_CONFIG_PATHexport LD_LIBRARY_PATH= usr local lib:$LD_LIBRARY_PATH安装成功：[root@localhost ~]# pkg-config --modversion rdkafka2.10.0
      
重新构建成功在 root rpmbuild RPMS riscv64目录下：
[root@localhost riscv64]# lsglobal-trust-authority-key-manager-0.1.0-1.riscv64.rpmra-server-0.0.1-1.riscv64.rpm
      
安装rpm包：
[root@localhost riscv64]# rpm -ivh --nodeps ra-server-0.0.1-1.riscv64.rpm Verifying...                          ################################# [100%]Preparing...                          ################################# [100%]Updating   installing...   1:ra-server-0.0.1-1                ################################# [100%]
      
部署attestation_server：
需要安装并运行mysql，redis，zookeeper（ZooKeeper ≥3.6 uses port 8080），kafka
sudo systemctl start mysqldsudo systemctl start redissudo systemctl start zookeeper启动kafka（需要先启动zookeeper）：cd  opt kafka bin kafka-server-start.sh config server.properties
      
启动attestation_service失败，连接Mysql错误：
[root@localhost ~]# attestation_serviceProgram started!thread  main  panicked at  root rpmbuild BUILD global-trust-authority attestation_common rdb src connection.rs:65:29:Failed to create MySQL connection: Failed to connect to database: Connection Error: error returned from database: 1045 (28000): Access denied for user  abcd @ localhost  (using password: YES)note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace
      
在使用手册中找了很久没有找到mysql相关的配置文件，最后在源码发现init.sql：
-- Create a user as root and grant permissionsCREATE USER IF NOT EXISTS  abcd @ %  IDENTIFIED WITH mysql_native_password BY  abcd ;GRANT ALL PRIVILEGES ON *.* TO  abcd @ %  WITH GRANT OPTION;FLUSH PRIVILEGES;
      
在Mysql执行后，再次启动出现新的报错，没有数据库：
[root@localhost ~]# attestation_serviceProgram started!thread  main  panicked at  root rpmbuild BUILD global-trust-authority attestation_common rdb src connection.rs:65:29:Failed to create MySQL connection: Failed to connect to database: Connection Error: error returned from database: 1049 (42000): Unknown database  RA note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace
      
再次查找配置文件，原来database相关配置在.env文件，于是创建一个数据库：
DB_NAME=RADB_USER=abcdDB_PASSWORD=abcdDB_ROOT_PASSWORD=abcdREDIS_PASSWORD=CREATE DATABASE RA CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci;EXIT;
      
重新启动出现key_manager相关错误：
[root@localhost ~]# attestation_serviceProgram started!thread  main  panicked at attestation_server server_config src init_chain handlers key_init_handle.rs:32:27:called `Result::unwrap()` on an `Err` value: KeyManagerError { message: "Failed to send GET request: error sending request for url (https:  127.0.0.1:8082 v1 vault get_signing_keys): error trying to connect: invalid peer certificate: NotValidForName" }note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace
      
应该是之前生成的证书IP地址是10.0.2.15，修改 etc attestation_server server_config_rpm.yaml配置文件：
attestation_service:  key_management:    vault_get_key_url: "https:  10.0.2.15:8082 v1 vault get_signing_keys"    is_require_sign: true    key_ca_cert_path: " etc attestation_server certs km_cert.pem"    key_cli_key_path: " etc attestation_server certs ra_client_key.pem"    key_cli_cert_path: " etc attestation_server certs ra_client_cert.pem"
      
再次启动，应该是密钥缺失：
[root@localhost attestation_server]# attestation_serviceProgram started!2025-07-24T12:51:27.903 1386 [INFO] key_managerd::key_manager::openbao::openbao_command - start check openbao status2025-07-24T12:51:31.588 1386 [INFO] key_managerd::key_manager::openbao::openbao_command - openbao is healthy2025-07-24T12:51:31.589 1386 [INFO] key_managerd::key_manager::openbao::openbao_manager - start get FSK private key2025-07-24T12:51:32.292 1386 [INFO] key_managerd::key_manager::openbao::openbao_manager - start get NSK private key2025-07-24T12:51:32.869 1386 [INFO] key_managerd::key_manager::openbao::openbao_manager - start get TSK private keythread  main  panicked at  root rpmbuild BUILD global-trust-authority attestation_server key src key_manager lifecycle key_subject.rs:138:65:called `Option::unwrap()` on a `None` valuenote: run with `RUST_BACKTRACE=1` environment variable to display a backtrace
      
生成密钥，将global-trust-authority目录下的脚本复制到 usr local key_manager bin：
cp key_manager script generate_test_data.sh  usr local key_manager bincd  usr local key_manager bin执行脚本：[root@localhost bin]# bash generate_test_data.sh rsa_3072 2success to handle commandsuccess to handle commandsuccess to handle commandsuccess to handle commandsuccess to handle commandsuccess to handle command生成成功
      
再次启动，kafka相关报错：
[root@localhost bin]# attestation_serviceProgram started!2025-07-24T13:51:45.809 1386 [INFO] key_managerd::key_manager::openbao::openbao_command - start check openbao status2025-07-24T13:51:46.215 1386 [INFO] key_managerd::key_manager::openbao::openbao_command - openbao is healthy2025-07-24T13:51:46.216 1386 [INFO] key_managerd::key_manager::openbao::openbao_manager - start get FSK private key2025-07-24T13:51:47.667 1386 [INFO] key_managerd::key_manager::openbao::openbao_manager - start get NSK private key2025-07-24T13:51:49.006 1386 [INFO] key_managerd::key_manager::openbao::openbao_manager - start get TSK private keythread  main  panicked at attestation_server api src middlewares mq.rs:17:42:create topic failed, please check!: KafkaError (Admin operation error: OperationTimedOut (Local: Timed out))note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace
      
重新启动下kafka：
bin kafka-server-start.sh config server.properties
      
发现报错，该目录下只有jre，没有bin目录：
 opt kafka bin kafka-run-class.sh: line 330:  usr lib jvm java-1.8.0-openjdk-1.8.0.452.b09-2.oe2403sp2.riscv64 bin java: No such file or directory
      
上网搜索是没有相应版本的JDK导致，只有JRE，于是下载JDK，再次启动kafka:
sudo dnf install java-1.8.0-openjdk-devel[root@localhost kafka]# bin kafka-server-start.sh config server.properties# A fatal error has been detected by the Java Runtime Environment:##  Internal Error (cppInterpreter_zero.cpp:835), pid=29705, tid=0x00007fff9ffa5180#  Error: Unimplemented()## JRE version:  (8.0_452-b09) (build )# Java VM: OpenJDK 64-Bit Zero VM (25.452-b09 interpreted mode linux-riscv64 )# Core dump will be written, saved as:#   opt kafka core or core.29705        #  or  var lib systemd coredump * (process core dumps by systemd-coredump)        #  or  var lib apport coredump * (process core dumps by apport)        #  or  var spool abrt * (process core dumps by abrt-hook-ccpp)        #  or other name defined in  proc sys kernel core_pattern## An error report file with more information is saved as:#  opt kafka hs_err_pid29705.log## If you would like to submit a bug report, please visit:#   https:  gitee.com src-openeuler openjdk-1.8.0 issues 
      
尝试切换到java11版本并下载JDK：
[root@localhost kafka]# sudo update-alternatives --config javaThere are 2 programs which provide  java .  Selection    Command-----------------------------------------------*+ 1           java-1.8.0-openjdk.riscv64 ( usr lib jvm java-1.8.0-openjdk-1.8.0.452.b09-2.oe2403sp2.riscv64 jre bin java)   2           java-11-openjdk.riscv64 ( usr lib jvm java-11-openjdk-11.0.27.6-1.oe2403sp2.riscv64 bin java)Enter to keep the current selection[+], or type selection number: 2[root@localhost kafka]# sudo dnf install java-11-openjdk-devel
      
再次启动kafka，依然报一样的错误，这次看下java版本发现java11仅支持sv48:
[root@localhost kafka]# java --versionError occurred during initialization of VMUnsupported satp mode: sv57. Only satp modes up to sv48 are supported for now.
      
暂时没有更多进展