Note: For Frankfurt, the certificates are no longer preloaded into the DCAE tls-init-container. The newer version of org.onap.dcaegen2.deployments.tls-init-container:1.2.2 (built from onap/aaf/aaf_agent:2.1.15) generates the DCAE certificate during component deployment.
For DUBLIN - DCAE service components will use common certificates generated from the AAF/test instance and made available during deployment of the DCAE TLS init container.
...
DCAE has a generalized process for certificate distribution, documented here: https://docs.onap.org/en/latest/submodules/dcaegen2.git/docs/sections/tls_enablement.html
...
Setup of AAF based certificate
Note: Check that the validity of the certificate is at least 1 year from the date of generation.
Request Access to AAF test instance:
- Create a task ticket with component name “Multi-geo LAB” on the ONAP OPENLABS JIRA requesting access to POD-ONAP-01 and OpenVPN credentials.
- Assign the ticket to Stephen Gooch (stephen.gooch@windriver.com)
...
Once the VPN is set up, you can access the AAF gui at https://aaf-onap-test.osaaf.org:8200/gui/home; use the following credentials to log in:
- username: aaf_adminmmanager
- password: demo123456!
Once there, click My Namespaces > org.onap.dcae > Cred Details > Expand > View All > Details:
...
Now you are finished with the AAF gui.
For the Frankfurt release, this is all that needs to be done. The manual steps described below have been replaced by automatic actions performed at the time a component is deployed.
Translation of the generated certificate into TLS container artifacts
Once you have updated the certificate on the AAF gui, you can create the required artifacts.
...
- org.onap.dcae.jks
- org.onap.dcae.key
- org.onap.dcae.p12
- org.onap.dcae.trust.jks
The following steps are specific to DCAE and load the generated certificate into org.onap.dcaegen2.deployments.tls-init-container.
Rename these files as follows:
...
```
keytool -exportcert -rfc -file cacert.pem -keystore trust.jks -alias ca_local_0
Enter keystore password: <enter cadi_truststore_password here>
openssl pkcs12 -in org.onap.dcae.cert.p12 -out cert.pem
Enter import password: <enter cadi_keystore_password_p12 here>
Enter PEM pass phrase: <enter cadi_keystore_password_p12 here>
Verifying - Enter PEM pass phrase: <enter cadi_keystore_password_p12 here>
```
...
These artifacts must be uploaded to the TLS Container repo: https://git.onap.org/dcaegen2/deployments/tree/tls-init-container/tls
Blueprint updates
Once the updated artifacts have been placed in the TLS Container repo, you will need to update your component's blueprint by adding a new node_template. The cert_directory parameter is the location in your container in which you expect to find the certificates:
```
tls_info:
  cert_directory: '/opt/app/component-name/etc/cert'
  use_tls: true
```
(Note that the cert_directory entry does not have a trailing /.)
Current SAN Listing
...
```
config-binding-service, config-binding-service.onap, config-binding-service.onap.svc.cluster.local,
dcae-cloudify-manager, dcae-cloudify-manager.onap, dcae-cloudify-manager.onap.svc.cluster.local,
dcae-tca-analytics, dcae-tca-analytics.onap, dcae-tca-analytics.onap.svc.cluster.local,
dcae-ves-collector, dcae-ves-collector.onap, dcae-ves-collector.onap.svc.cluster.local,
deployment-handler, deployment-handler.onap, deployment-handler.onap.svc.cluster.local,
holmes-engine-mgmt, holmes-engine-mgmt.onap, holmes-engine-mgmt.onap.svc.cluster.local,
holmes-rule-mgmt, holmes-rules-mgmt.onap, holmes-rules-mgmt.onap.svc.cluster.local,
inventory, inventory.onap, inventory.onap.svc.cluster.local,
policy-handler, policy-handler.onap, policy-handler.onap.svc.cluster.local,
dcae-hv-ves-collector, dcae-hv-ves-collector.onap, dcae-hv-ves-collector.onap.svc.cluster.local,
dcae-prh, dcae-prh.onap, dcae-prh.onap.svc.cluster.local,
dcae-datafile-collector, dcae-datafile-collector.onap, dcae-datafile-collector.onap.svc.cluster.local,
dcae-pm-mapper, dcae-pm-mapper.onap, dcae-pm-mapper.onap.svc.cluster.local,
bbs-event-processor, bbs-event-processor.onap, bbs-event-processor.onap.svc.cluster.local
```
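Before uploading cert.pem to the TLS Container repo, it is worth checking the two properties this page relies on: the 1-year validity rule from the note above, and that every DCAE component appears in the SAN list in all three forms (short name, name.onap, name.onap.svc.cluster.local). The script below is an added example, not part of this page or of the DCAE project; it parses the output of `openssl x509 -noout -enddate -ext subjectAltName -in cert.pem` (a constructed sample is embedded, with made-up dates and only two components).

```python
import re
from datetime import datetime

# Constructed sample of `openssl x509 -noout -enddate -ext subjectAltName` output
# (dates and the shortened SAN list are made up for this example).
SAMPLE_OPENSSL_OUTPUT = """\
notAfter=Jun 15 12:00:00 2021 GMT
X509v3 Subject Alternative Name:
    DNS:config-binding-service, DNS:config-binding-service.onap, DNS:config-binding-service.onap.svc.cluster.local, DNS:dcae-ves-collector, DNS:dcae-ves-collector.onap, DNS:dcae-ves-collector.onap.svc.cluster.local
"""

# The three name forms every DCAE component is expected to carry in the SAN list.
SAN_SUFFIXES = ("", ".onap", ".onap.svc.cluster.local")


def parse_not_after(output):
    """Return the notAfter timestamp printed by openssl as a datetime."""
    match = re.search(r"^notAfter=(.+)$", output, re.M)
    return datetime.strptime(match.group(1).strip(), "%b %d %H:%M:%S %Y %Z")


def parse_san_dns(output):
    """Return all DNS: entries of the subjectAltName extension."""
    return re.findall(r"DNS:([^,\s]+)", output)


def san_coverage(dns_names):
    """Group SAN entries by component base name and report missing forms.
    A typo in one form (e.g. name vs names) shows up as two incomplete groups."""
    names = set(dns_names)
    missing = {}
    for name in names:
        base = name
        for suffix in sorted(SAN_SUFFIXES[1:], key=len, reverse=True):
            if name.endswith(suffix):
                base = name[: -len(suffix)]
                break
        absent = [base + s for s in SAN_SUFFIXES if base + s not in names]
        if absent:
            missing[base] = absent
    return missing


def check_certificate(output, generated_on, min_days=365):
    """Return a list of problems; empty means the cert passes both checks."""
    problems = []
    days = (parse_not_after(output) - generated_on).days
    if days < min_days:
        problems.append(f"validity is {days} days, need at least {min_days}")
    for base, absent in sorted(san_coverage(parse_san_dns(output)).items()):
        problems.append(f"{base}: missing SAN entries {absent}")
    return problems
```

Run `check_certificate(output, datetime.now())` on the real openssl output right after generating the certificate; any non-empty result means the artifacts should be regenerated before they are committed.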