Versions Compared

Old Version 36

changes.mady.by.user Bogumil Zebek

Saved on

compared with

New Version 37

changes.mady.by.user Former user

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

How to run CertService Client

As standalone docker:

You need certificate and trust anchors to connect to CertService API via HTTPS. Information how to generate truststore and keystore files you can find in project repository README Gerrit GitWeb

Create certificate for HTTPS connection.

Create file with environments as in example below.

Code Block
titleclient_docker.env
#Client envs
REQUEST_URL=http://aaf-cert-service-service:8080/v1/certificate/
<URL to CertService API>
REQUEST_TIMEOUT=100010000
OUTPUT_PATH=/var/certs
CA_NAME=RA
#CsrOUTPUT_TYPE=P12

#CSR config envs
COMMON_NAME=onap.org
ORGANIZATION=Linux-Foundation
ORGANIZATION_UNIT=ONAP
LOCATION=San-Francisco
STATE=California
COUNTRY=US
SANS=test.onap.org:onap.com

Run docker container with environments file and docker network (API and client must be running in same network).

Code Block
AAFCERT_CLIENT_IMAGE=nexus3.onap.org:10001/onap/org.onap.aaf.certservice.aaf-certservice-client:latest
DOCKER_ENV_FILE= <path to environment file>
NETWORK_CERT_SERVICE= <docker network of cert service>
DOCKER_VOLUME="<absolute path to local dir>:<output path>"

docker run --env-file $DOCKER_ENV_FILE --network $NETWORK_CERT_SERVICE --volume $DOCKER_VOLUME $AAFCERT_CLIENT_IMAGE

As init container for K8s:

Code Block
titleSample deployment
... 
kind: Deployment
metadata:
  ...
spec:
...
  template:
  ...
    spec:
      initContainers:


#TLS config envs
KEYSTORE_PATH=/etc/onap/aaf/certservice/certs/certServiceClient-keystore.jks
KEYSTORE_PASSWORD=<password to certServiceClient-keystore.jks>
TRUSTSTORE_PATH=/etc/onap/aaf/certservice/certs/certServiceClient-truststore.jks
TRUSTSTORE_PASSWORD=<password to certServiceClient-truststore.jks>

Run docker container with environments file and docker network (API and client must be running in same network).

Code Block
docker run \
   --rm \
   --name aafcert-client \
   --env-file <path to client env> \
   --network <docker network of cert service> \
   --mount type=bind,src=<path to local host directory where certificate and trust anchor will be created>,dst=<OUTPUT_PATH (same as in step 1)> \
   --volume <local path to keystore in JKS format>:<KEYSTORE_PATH> \
   --volume <local path to truststore in JKS format>:<TRUSTSTORE_PATH> \
   nexus3.onap.org:10001/onap/org.onap.aaf.certservice.aaf-certservice-client:$VERSION

As init container for K8s:

Code Block
titleSample deployment
  ...
kind: Deployment
metadata:
  ...
spec:
...
  template:
  ...
    spec:
      containers:
        - image: sample.image
          name: sample.name
          ...
          volumeMounts:
            - mountPath: /var/certs #CERTS CAN BE FOUND IN THIS DIRECTORY
              name: certs
          ...
      initContainers:
        - name: cert-service-client
          image: nexus3.onap.org:10001/onap/org.onap.aaf.certservice.aaf-certservice-client:latest
          imagePullPolicy: Always
          env:
            - name: REQUEST_URL
              value: https://aaf-cert-service:8443/v1/certificate/
            - name: REQUEST_TIMEOUT
              value: "1000"
            - name: OUTPUT_PATH
              value: /var/certs
            - name: CA_NAME
              value: RA
            - name: OUTPUT_TYPE
              value: P12
            - name: COMMON_NAME
              value: onap.org
            - name: cert-service-client ORGANIZATION
              imagevalue: nexus3.onap.org:10001/onap/org.onap.aaf.certservice.aaf-certservice-client:latestLinux-Foundation
            - imagePullPolicyname: Always ORGANIZATION_UNIT
              envvalue: ONAP
            - name: REQUEST_URLLOCATION
              value: http://aaf-cert-service-service:8080/v1/certificate/San-Francisco
            - name: REQUEST_TIMEOUTSTATE
              value: "1000"California
            - name: OUTPUT_PATHCOUNTRY
              value: /var/certsUS
            - name: CA_NAMESANS
              value: RAtest.onap.org:onap.com
            - name: COMMONKEYSTORE_NAMEPATH
              value: onap.org /etc/onap/aaf/certservice/certs/certServiceClient-keystore.jks
            - name: ORGANIZATIONKEYSTORE_PASSWORD
              value: Linux-Foundationsecret
            - name: ORGANIZATIONTRUSTSTORE_UNITPATH
              value: ONAP/etc/onap/aaf/certservice/certs/truststore.jks
            - name: LOCATIONTRUSTSTORE_PASSWORD
              value: San-Francisco secret
          volumeMounts:
            - name: STATEmountPath: /var/certs
              valuename: Californiacerts
            - namemountPath: COUNTRY/etc/onap/aaf/certservice/certs/
              valuename: UStls-volume
        ...
   -   namevolumes:
SANS      - name: certs
       value: test.onap.org:onap.com
 emptyDir: {}
      - name tls-volume
volumeMounts:        secret:
    - mountPath: /var/certs    secretName: aaf-cert-service-client-tls-secret  # Value of global.aaf.certService.client.secret.name
    name: certs 		...


Client's exiting codes:

CodeInformation
0

Success

1Invalid client configuration
2Invalid CSR configuration
3Fail in key pair generation
4Fail in CSR generation
5CertService HTTP unsuccessful response
6Internal HTTP Client connection problem
7Fail in PKCS12 PEM conversion
8Fail in Private Key to PEM Encoding
9Wrong TLS configuration
10File could not be created