Specification
REQ - 140 Create Client, Plugin using Client and mechanisms for using CMPv2 as a CA
Team
Role | Name | Email
---|---|---
Specificator | Pawel Baniewski | pawel.baniewski@nokia.com
Committer | Bogumil Zebek | bogumil.zebek@nokia.com
Project details
- Location: https://gerrit.onap.org/r/admin/repos/aaf/certservice
- Information for developers (README.md): https://gerrit.onap.org/r/gitweb?p=aaf/certservice.git;a=blob;f=certService/README.md;h=db96fa98661586015935c05ac222ef83ca779ff5;hb=HEAD
Requirements for developers
- Follow Google Java Style Guide
- Follow SONAR rules
- SONAR is available at https://sonarcloud.io/dashboard?id=onap_aaf-certservice
- Code Coverage MUST be at >= 80% level
- No new violation in the NEW code
- New libraries
- Before you add a new Java library, contact the Specificator and Committer to get confirmation that the library can be used in the project!
- Remember to update README.md file (https://gerrit.onap.org/r/gitweb?p=aaf/certservice.git;a=blob;f=certService/README.md;h=db96fa98661586015935c05ac222ef83ca779ff5;hb=HEAD)
Licenses
https://wiki.onap.org/plugins/servlet/mobile?contentId=8228646#content/view/8228646
Tips & Tricks
How to run Jenkins Builds
How to create a new project in ONAP
- Create a repository in gerrit
- Configure pom.xml in project
- Configure Jenkins Jobs
- Documentation
- An example: https://gerrit.onap.org/r/#/c/cli/ /101293/
- Contact person:
How to create CSR and PK for certificate endpoint
- Create CSR and PK using openssl:
  - create the configuration file csr.config:

```
[ req ]
default_bits = 2048
distinguished_name = req_distinguished_name
req_extensions = req_ext

[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = US
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = California
localityName = Locality Name (eg, city)
localityName_default = San-Francisco
organizationName = Organization Name (eg, company)
organizationName_default = Linux-Foundation
organizationalUnitName = Organizational Unit Name (eg, section)
organizationalUnitName_default = ONAP
commonName = Common Name (e.g. server FQDN or YOUR name)
commonName_default = onap.org
emailAddress = Email Address
emailAddress_default = tester@onap.org

[ req_ext ]
subjectAltName = @alt_names

[ alt_names ]
DNS.1 = onap.org
DNS.2 = test.onap.org
```

  - run the openssl command that generates the CSR (onap.csr) and the private key (onap.key) from csr.config:

```
openssl req -out onap.csr -newkey rsa:2048 -nodes -keyout onap.key -config csr.config
```
- Encode the CSR and the private key in Base64. You can use this Java code (Java 11 or later, for Files.readString/writeString) to create onap.csr.b64 and onap.key.b64:

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.util.Base64;

public class CsrEncoder {

    // Paths of the files produced by the openssl command above.
    private static final String PATH_TO_CSR = "onap.csr";
    private static final String PATH_TO_PK = "onap.key";

    private static void encodeCsrAndPkInBase64() throws IOException {
        String csr = Files.readString(Paths.get(PATH_TO_CSR));
        String pk = Files.readString(Paths.get(PATH_TO_PK));
        // Base64.getEncoder() emits a single line without line breaks, which is what an HTTP header value needs.
        String encodedCsr = new String(Base64.getEncoder().encode(csr.getBytes()));
        String encodedPk = new String(Base64.getEncoder().encode(pk.getBytes()));
        Files.writeString(Paths.get(PATH_TO_CSR + ".b64"), encodedCsr);
        Files.writeString(Paths.get(PATH_TO_PK + ".b64"), encodedPk);
    }

    public static void main(String[] args) throws IOException {
        encodeCsrAndPkInBase64();
    }
}
```
- Paste the onap.csr.b64 content into the CSR header, and the onap.key.b64 content into the PK header of the certificate request.
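The same procedure as a script that also checks the CSR before it is sent (expected CN and SANs present, CSR signed with the key that goes into the PK header) and produces the single-line Base64 values. This is an added example, not CertService project code; it assumes openssl on PATH, uses a `prompt = no` form of the page's csr.config so no terminal is needed, and WORK_DIR and the file names are constructed here.

```shell
# Added example (not CertService project code). Assumes openssl on PATH;
# WORK_DIR and the file names are constructed for this example.
set -eu
WORK_DIR="${WORK_DIR:-$(mktemp -d)}"
generate_csr() {
  # Same subject and SANs as the page's csr.config, in "prompt = no" form.
  cat > "$WORK_DIR/csr.config" <<'EOF'
[ req ]
prompt = no
default_bits = 2048
distinguished_name = req_distinguished_name
req_extensions = req_ext
[ req_distinguished_name ]
C = US
ST = California
L = San-Francisco
O = Linux-Foundation
OU = ONAP
CN = onap.org
emailAddress = tester@onap.org
[ req_ext ]
subjectAltName = @alt_names
[ alt_names ]
DNS.1 = onap.org
DNS.2 = test.onap.org
EOF
  openssl req -out "$WORK_DIR/onap.csr" -newkey rsa:2048 -nodes \
    -keyout "$WORK_DIR/onap.key" -config "$WORK_DIR/csr.config" 2>/dev/null
}
# Succeeds only if the CSR carries the expected CN and every expected SAN,
# and its public key matches the private key that will be sent with it.
verify_csr() {
  text=$(openssl req -in "$WORK_DIR/onap.csr" -noout -text)
  echo "$text" | grep -q 'CN *= *onap.org' || return 1
  for san in onap.org test.onap.org; do
    echo "$text" | grep -q "DNS:$san" || return 1
  done
  [ "$(openssl req -in "$WORK_DIR/onap.csr" -noout -pubkey)" = \
    "$(openssl pkey -in "$WORK_DIR/onap.key" -pubout)" ]
}
# Base64 without line breaks (same shape as Java's Base64.getEncoder() output);
# a value containing newlines cannot be carried in an HTTP header.
encode_b64() {
  for f in onap.csr onap.key; do
    openssl base64 -in "$WORK_DIR/$f" | tr -d '\n' > "$WORK_DIR/$f.b64"
  done
}
```

Run `generate_csr && verify_csr && encode_b64`; onap.csr.b64 and onap.key.b64 in WORK_DIR are the header values.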
How to run CertService Client
As a standalone docker container:

Create a file with the environment variables as in the example below.

client_docker.env

```
#Client envs
REQUEST_URL=http://aaf-cert-service-service:8080/v1/certificate/
REQUEST_TIMEOUT=1000
OUTPUT_PATH=/var/certs
CA_NAME=RA
#Csr config envs
COMMON_NAME=onap.org
ORGANIZATION=Linux-Foundation
ORGANIZATION_UNIT=ONAP
LOCATION=San-Francisco
STATE=California
COUNTRY=US
SANS=test.onap.org:onap.com
```

Run the docker container with the environment file and the docker network (the API and the client must be running in the same network):

```
AAFCERT_CLIENT_IMAGE=nexus3.onap.org:10001/onap/org.onap.aaf.certservice.aaf-certservice-client:latest
DOCKER_ENV_FILE=<path to environment file>
NETWORK_CERT_SERVICE=<docker network of cert service>
DOCKER_VOLUME="<absolute path to local dir>:<output path>"
docker run --env-file $DOCKER_ENV_FILE --network $NETWORK_CERT_SERVICE --volume $DOCKER_VOLUME $AAFCERT_CLIENT_IMAGE
```
As an init container for K8s:

Sample deployment

```yaml
...
kind: Deployment
metadata:
  ...
spec:
  ...
  template:
    ...
    spec:
      initContainers:
        - name: cert-service-client
          image: nexus3.onap.org:10001/onap/org.onap.aaf.certservice.aaf-certservice-client:latest
          imagePullPolicy: Always
          env:
            - name: REQUEST_URL
              value: http://aaf-cert-service-service:8080/v1/certificate/
            - name: REQUEST_TIMEOUT
              value: "1000"
            - name: OUTPUT_PATH
              value: /var/certs
            - name: CA_NAME
              value: RA
            - name: COMMON_NAME
              value: onap.org
            - name: ORGANIZATION
              value: Linux-Foundation
            - name: ORGANIZATION_UNIT
              value: ONAP
            - name: LOCATION
              value: San-Francisco
            - name: STATE
              value: California
            - name: COUNTRY
              value: US
            - name: SANS
              value: test.onap.org:onap.com
          volumeMounts:
            - mountPath: /var/certs
              name: certs
...
```
Client's exit codes:
Code | Information |
---|---|
0 | Success |
1 | Invalid client configuration |
2 | Invalid CSR configuration |
3 | Fail in key pair generation |
4 | Fail in CSR generation |
5 | CertService HTTP unsuccessful response |
6 | Internal HTTP Client connection problem |
7 | Fail in PKCS12 conversion |
8 | Fail in Private Key to PEM Encoding |