...
The goal of this requirement is to implement a new micro-service, CertService, which requests certificates signed by an external Certificate Authority (CA) using the CMP over HTTP protocol. It uses a CMPv2 client to send and receive CMPv2 messages.
A CertService client is also provided so that other ONAP components (end components) can easily obtain a certificate from CertService. An end component is an ONAP component (e.g. a DCAE collector or controller) that needs a certificate from the CMPv2 server to protect its external traffic and uses the CertService client to get it.
...
[Diagram: Simplified certificate enrollment flow]
...
CertService holds the configuration of the CMPv2 servers. To enroll a certificate, at least one CMPv2 server has to be configured. The CMPv2 server configuration is read during CertService startup; for runtime changes to take effect, CertService's refresh-configuration endpoint has to be called. Note that the IAK and RV in this configuration are shared secrets that authenticate enrollment requests to the CA, so the configuration file must be protected like any other credential store.
...
Parameter name | Required | Syntax | Description | Validation rules |
---|---|---|---|---|
CA Name | Yes | String (1-128) | Name under which this CA is addressed; it should identify the external CA server and the issuer DN (the distinguished name of the CA on the external CA server that will sign the certificate). The client's CA_NAME must match this value. | String (1-128) |
URL | Yes | Scheme + IPv4/FQDN + port + path | URL of the CMPv2 server. Mandatory parts: scheme (http://) and IPv4 address or FQDN; optional parts: port and path (alias), e.g. http://127.0.0.1:8080/pkix or http://127.0.0.1/ejbca/publicweb/cmp/cmp. NOTE: if an FQDN is given, ONAP must be able to resolve it without extra manual configuration. | Must be a valid URL; must start with the http:// scheme; if a port is given it must be in the range 1-65535 |
Issuer DN | Yes | String (4-256) | Distinguished Name of the CA that will sign the certificate on the CMPv2 server side. When an end entity is created on the external CA server for client mode, this issuer DN is passed through as the CA that signs for that user. | String (4-256); must be a valid DN |
CA Mode | Yes | Enum (CLIENT|RA) | Issuer mode: either Registration Authority (RA) or client mode | Value from the predefined set |
Authentication data::IAK | Yes | String (1-256) | Initial authentication key, used together with the RV to authenticate the request at the CMPv2 server | String (1-256) |
Authentication data::RV | Yes | String (1-256) | Reference value, used together with the IAK to authenticate the request at the CMPv2 server | String (1-256) |
Example

WARNING: work in progress, so the format can still change.

```json
{
  "cmpv2Servers": [
    {
      "caName": "TEST",
      "url": "http://127.0.0.1/ejbca/publicweb/cmp/cmp",
      "issuerDN": "CN=ManagementCA",
      "caMode": "CLIENT",
      "authentication": {
        "iak": "xxx",
        "rv": "yyy"
      }
    },
    {
      "caName": "TEST2",
      "url": "http://127.0.0.1/ejbca/publicweb/cmp/cmpRA",
      "issuerDN": "CN=ManagementCA2",
      "caMode": "RA",
      "authentication": {
        "iak": "xxx",
        "rv": "yyy"
      }
    }
  ]
}
```
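The following validator is an added example written for this page, not CertService code. It checks a cmpv2Servers document against the rules in the parameter table above (name and secret lengths, http:// scheme, IPv4/FQDN host, port range, DN shape, CA mode). The embedded configuration is a copy of the example above; the duplicate-caName check goes beyond the table and is an assumption based on the client selecting a server by CA name.

```python
"""Check a CertService cmpv2Servers document against the parameter table above.
Added example for this page, not CertService code."""
import json
import re
from urllib.parse import urlsplit

# Copy of the page's example configuration, embedded so the script runs offline.
EXAMPLE_CONFIG = """
{
  "cmpv2Servers": [
    {"caName": "TEST", "url": "http://127.0.0.1/ejbca/publicweb/cmp/cmp",
     "issuerDN": "CN=ManagementCA", "caMode": "CLIENT",
     "authentication": {"iak": "xxx", "rv": "yyy"}},
    {"caName": "TEST2", "url": "http://127.0.0.1/ejbca/publicweb/cmp/cmpRA",
     "issuerDN": "CN=ManagementCA2", "caMode": "RA",
     "authentication": {"iak": "xxx", "rv": "yyy"}}
  ]
}
"""

DNS_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
FQDN_RE = re.compile(rf"^(?:{DNS_LABEL}\.)*{DNS_LABEL}$")
IPV4_RE = re.compile(r"^(?:(?:25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)\.){3}(?:25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)$")
# Simplified RFC 4514 shape: "attr=value" RDNs separated by commas (escaped commas not handled).
DN_RE = re.compile(r"^[A-Za-z][A-Za-z0-9.]*=[^,=]+(?:\s*,\s*[A-Za-z][A-Za-z0-9.]*=[^,=]+)*$")


def _check_len(errors, field, value, lo, hi):
    """Record an error unless value is a string of lo..hi characters."""
    if not isinstance(value, str) or not lo <= len(value) <= hi:
        errors.append(f"{field}: must be a string of {lo}-{hi} characters")


def validate_url(url):
    """Return the problems with a CMPv2 server URL (empty list means valid)."""
    problems = []
    try:
        parts = urlsplit(url)
    except ValueError:
        return ["url: not parseable"]
    if parts.scheme != "http":  # the table allows only the http:// scheme
        problems.append("url: must start with http://")
    host = parts.hostname or ""
    if not (IPV4_RE.match(host) or FQDN_RE.match(host)):
        problems.append("url: host must be an IPv4 address or FQDN")
    try:
        port = parts.port  # None when absent; ValueError when non-numeric or > 65535
    except ValueError:
        port = -1
    if port is not None and not 1 <= port <= 65535:
        problems.append("url: port must be in range 1-65535")
    return problems


def validate_server(server):
    """Apply the per-server rules from the table; returns a list of error strings."""
    errors = []
    _check_len(errors, "caName", server.get("caName"), 1, 128)
    url = server.get("url")
    errors.extend(validate_url(url) if isinstance(url, str) else ["url: missing"])
    dn = server.get("issuerDN")
    _check_len(errors, "issuerDN", dn, 4, 256)
    if isinstance(dn, str) and not DN_RE.match(dn):
        errors.append("issuerDN: not a valid distinguished name")
    if server.get("caMode") not in ("CLIENT", "RA"):
        errors.append("caMode: must be CLIENT or RA")
    auth = server.get("authentication") or {}
    _check_len(errors, "authentication.iak", auth.get("iak"), 1, 256)
    _check_len(errors, "authentication.rv", auth.get("rv"), 1, 256)
    return errors


def validate_config(text):
    """Parse a cmpv2Servers JSON document; return {caName: [errors]} for invalid entries."""
    doc = json.loads(text)
    servers = doc.get("cmpv2Servers")
    if not isinstance(servers, list) or not servers:
        return {"cmpv2Servers": ["at least one CMPv2 server must be configured"]}
    report, seen = {}, set()
    for index, server in enumerate(servers):
        key = server.get("caName") or f"#{index}"
        errors = validate_server(server)
        # Assumption beyond the table: the client picks a server by CA name, so names must be unique.
        if key in seen:
            errors.append("caName: duplicate")
        seen.add(key)
        if errors:
            report[key] = errors
    return report


if __name__ == "__main__":
    print(validate_config(EXAMPLE_CONFIG) or "configuration is valid")
```

Run it against a candidate file before calling the refresh-configuration endpoint; an empty report means every entry satisfies the table. The URL check deliberately rejects https:// because the table only admits http://; CMPv2 protects its own messages with a MAC derived from the IAK/RV, which is why the transport is not relied on for integrity.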
...
A Helm chart is provided for Kubernetes. Override the values you need and deploy the chart with the following command (TBA):

```shell
# Helm 2 syntax (--name); in Helm 3 the release name is the first positional argument
helm install --name $NAME --namespace onap $PATH_TO_HELM_CHART --values $PATH_TO_OVERRIDDEN_VALUES
```
...
Parameter name | ENV variable name | Required | Default | Syntax | Validation rules | Description | Origin |
---|---|---|---|---|---|---|---|
URL | REQUEST_URL | No | https://aaf-cert-service-service:8443/v1/certificate/ | URL | Syntax column | URL of CertService. The default matches the ONAP K8s deployment (CertService's K8s service name and port) and must be changed for a plain Docker deployment. | Application helm chart |
Timeout | REQUEST_TIMEOUT | No | 30000 | Int (0-120000) | Syntax column | Timeout for REST API calls, in milliseconds. A value of zero is interpreted as an infinite timeout. | Application helm chart |
Path | OUTPUT_PATH | Yes | - | String (1-256) | Syntax column; must be a valid *nix path | Path where the client writes the generated keystore and truststore. Normally this path is on a volume used to transfer the keystore and truststore between CertService's client and the end component. | Application helm chart |
CA name | CA_NAME | Yes | - | String (1-128) | Syntax column; alphanumeric characters only | Name of the CA that will enroll the certificate. Must match a caName configured on the CertService side; used in REST API calls. | OOM global value |
Common Name | COMMON_NAME | Yes | - | String (1-256) | Syntax column; CN must not contain special characters (?, $, % and so on), IP addresses, port numbers, or "http://" / "https://" | Common Name for which the certificate from the CMPv2 server should be issued | Application helm chart |
Organization | ORGANIZATION | Yes | - | String (1-256) | Syntax column; must not contain any of the characters ! @ # $ % ^ * ( ) ~ ? > < / \ | Organization for which the certificate from the CMPv2 server should be issued | OOM global value |
Organization Unit | ORGANIZATION_UNIT | No | Not available in generated certificate | String (0-256) | Syntax column | Organization unit for which the certificate from the CMPv2 server should be issued | OOM global value |
Location | LOCATION | No | Not available in generated certificate | String (0-256) | Syntax column | Location for which the certificate from the CMPv2 server should be issued | OOM global value |
State | STATE | Yes | - | String (1-256) | Syntax column | State for which the certificate from the CMPv2 server should be issued | OOM global value |
Country | COUNTRY | Yes | - | String (2) | Must be a 2-character ISO country code | Country for which the certificate from the CMPv2 server should be issued | OOM global value |
SANs | SANS | No | Not available in generated certificate | String (0-2048), SAN1[:SAN2...] | Syntax column | Subject Alternative Names (SANs) for which the certificate from the CMPv2 server should be issued. Colon-delimited, e.g. example.com:example.pl. The only supported SAN type is DNS name. | Application helm chart |
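The script below is an added example for this page, not the ONAP client's own code. It parses a docker-style env file holding the variables from the table above, validates each value against the table's rules, and derives the subject and SAN list such a request would carry. The sample env file is constructed for the example; the "no special characters" rule for the Common Name is interpreted as an allowlist of letters, digits, dot, hyphen, underscore and space, and the subject attribute order is illustrative.

```python
"""Validate a CertService client env file and derive the subject it implies.
Added example for this page, not the ONAP client's own code."""
import re

# Constructed sample env file in docker --env-file syntax; values are placeholders.
SAMPLE_ENV = """
REQUEST_URL=https://aaf-cert-service-service:8443/v1/certificate/
REQUEST_TIMEOUT=10000
OUTPUT_PATH=/var/certs
CA_NAME=RA
COMMON_NAME=dcae-collector
ORGANIZATION=Linux-Foundation
ORGANIZATION_UNIT=ONAP
LOCATION=San-Francisco
STATE=California
COUNTRY=US
SANS=dcae-collector:dcae-collector.onap
"""

DNS_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
FQDN_RE = re.compile(rf"^(?:{DNS_LABEL}\.)*{DNS_LABEL}$")
IPV4_RE = re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$")
ORG_FORBIDDEN = set('!@#$%^*()~?><\\/')  # characters the table forbids in ORGANIZATION
# Interpretation of the CN rule: an allowlist that excludes ':' and '/', so ":port"
# and "http://" cannot appear; IP addresses are rejected separately.
CN_ALLOWED = re.compile(r"^[A-Za-z0-9 ._-]+$")
REQUIRED = ("OUTPUT_PATH", "CA_NAME", "COMMON_NAME", "ORGANIZATION", "STATE", "COUNTRY")


def parse_env(text):
    """Parse KEY=VALUE lines; blank lines and '#' comments are skipped."""
    env = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            env[key.strip()] = value.strip()
    return env


def _length(errors, key, value, lo, hi):
    if not lo <= len(value) <= hi:
        errors.append(f"{key}: length must be {lo}-{hi}")


def sans_from_env(env):
    """SANS is colon-delimited, e.g. example.com:example.pl."""
    return [s for s in env.get("SANS", "").split(":") if s]


def validate_client_env(env):
    """Apply the rules from the parameter table; returns a list of error strings."""
    errors = [f"{key}: required" for key in REQUIRED if not env.get(key)]
    timeout = env.get("REQUEST_TIMEOUT", "30000")  # default from the table
    if not timeout.isdigit() or not 0 <= int(timeout) <= 120000:
        errors.append("REQUEST_TIMEOUT: integer 0-120000 (milliseconds; 0 means no timeout)")
    path = env.get("OUTPUT_PATH", "")
    _length(errors, "OUTPUT_PATH", path, 1, 256)
    if path and (not path.startswith("/") or "\0" in path):
        errors.append("OUTPUT_PATH: must be an absolute *nix path")
    ca_name = env.get("CA_NAME", "")
    _length(errors, "CA_NAME", ca_name, 1, 128)
    if ca_name and not ca_name.isalnum():
        errors.append("CA_NAME: alphanumeric characters only")
    cn = env.get("COMMON_NAME", "")
    _length(errors, "COMMON_NAME", cn, 1, 256)
    if cn and (IPV4_RE.match(cn) or not CN_ALLOWED.match(cn)):
        errors.append("COMMON_NAME: no special characters, IP addresses, ports or URL schemes")
    org = env.get("ORGANIZATION", "")
    _length(errors, "ORGANIZATION", org, 1, 256)
    if ORG_FORBIDDEN & set(org):
        errors.append("ORGANIZATION: contains a forbidden character")
    for key in ("ORGANIZATION_UNIT", "LOCATION"):
        _length(errors, key, env.get(key, ""), 0, 256)
    _length(errors, "STATE", env.get("STATE", ""), 1, 256)
    country = env.get("COUNTRY", "")
    if not (len(country) == 2 and country.isalpha() and country.isupper()):
        errors.append("COUNTRY: two-letter ISO 3166 code")  # format check only
    _length(errors, "SANS", env.get("SANS", ""), 0, 2048)
    for san in sans_from_env(env):
        if IPV4_RE.match(san) or not FQDN_RE.match(san):
            errors.append(f"SANS: {san!r} is not a DNS name (only DNS SANs are supported)")
    return errors


def _escape(value):
    # RFC 4514 escaping for characters that are special inside an RDN value
    return re.sub(r'([,+"\\;<>])', r"\\\1", value)


def subject_from_env(env):
    """Subject string implied by the env; attribute order here is illustrative."""
    mapping = (("CN", "COMMON_NAME"), ("O", "ORGANIZATION"), ("OU", "ORGANIZATION_UNIT"),
               ("L", "LOCATION"), ("ST", "STATE"), ("C", "COUNTRY"))
    return ",".join(f"{attr}={_escape(env[key])}" for attr, key in mapping if env.get(key))
```

Running `validate_client_env(parse_env(open(path).read()))` on the env file before starting the init container catches the cases the table describes (an IP address in the CN, a forbidden character in the organization, a non-DNS SAN, an out-of-range timeout) locally instead of as a rejected enrollment.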
...
Run CertService's client as a Docker container with the following command (TBA):

```shell
AAFCERT_CLIENT_IMAGE=onap/org.onap.aaf.certservice.aaf-certservice-client
DOCKER_ENV_FILE=<path to envfile>                 # KEY=VALUE lines with the variables from the table above
NETWORK_CERT_SERVICE=<docker network of cert service>
docker run --name aaf-certservice-client \
  --env-file "$DOCKER_ENV_FILE" \
  --network "$NETWORK_CERT_SERVICE" \
  "$AAFCERT_CLIENT_IMAGE"
```
Kubernetes
Because ONAP is deployed in K8s, CertService's client is delivered as an independent container and should run as an init container of the end component. Both the init container and the end component must mount the same volume (persistent or ephemeral) to transfer the generated artifacts.
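The manifest below is an added example, not an ONAP chart: a Pod whose init container runs the CertService client with the variables from the table and hands the keystore and truststore to the end component through a shared volume. The mount paths, CA name, subject values, image tag and end-component image are placeholders chosen for the example.

```yaml
# Added example, not ONAP chart code. Placeholders: /var/certs, CA name RA, subject
# values, the image tag and the end-component image.
apiVersion: v1
kind: Pod
metadata:
  name: dcae-collector-example
  namespace: onap
spec:
  volumes:
    - name: certs
      # Ephemeral volume shared by the init container and the end component.
      # medium: Memory keeps the private key off the node's disk; use a PVC only
      # if the artifacts must survive Pod restarts.
      emptyDir:
        medium: Memory
  initContainers:
    - name: aaf-certservice-client
      image: onap/org.onap.aaf.certservice.aaf-certservice-client:latest   # tag assumed
      env:
        - name: REQUEST_URL
          value: https://aaf-cert-service-service:8443/v1/certificate/
        - name: REQUEST_TIMEOUT
          value: "30000"
        - name: OUTPUT_PATH
          value: /var/certs
        - name: CA_NAME
          value: RA                      # must match a caName in the CertService configuration
        - name: COMMON_NAME
          value: dcae-collector
        - name: ORGANIZATION
          value: Linux-Foundation
        - name: ORGANIZATION_UNIT
          value: ONAP
        - name: LOCATION
          value: San-Francisco
        - name: STATE
          value: California
        - name: COUNTRY
          value: US
        - name: SANS
          value: dcae-collector:dcae-collector.onap   # colon-delimited DNS names only
      volumeMounts:
        - name: certs
          mountPath: /var/certs          # same path as OUTPUT_PATH
  containers:
    - name: dcae-collector
      image: example/dcae-collector:1.0  # placeholder for the end component image
      volumeMounts:
        - name: certs
          mountPath: /etc/onap/certs     # the end component reads the keystore/truststore here
          readOnly: true
```

The end component only starts once the init container exits successfully, so a failed enrollment (wrong CA_NAME, unreachable REQUEST_URL, rejected subject) stops the Pod at the init stage where `kubectl logs <pod> -c aaf-certservice-client` shows the reason. Mounting the volume read-only in the main container keeps the component from overwriting the artifacts it received.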
...
For testing purposes an EJBCA instance is set up. It is configured with a 1-layer CA hierarchy (root CA only).
EJBCA Setup Script (attached file)