Specification
REQ - 140 Create Client, Plugin using Client and mechanisms for using CMPv2 as a CA
Team
Role | Name | Email |
---|---|---|
Specificator | Pawel Baniewski | pawel.baniewski@nokia.com |
Committer | Bogumil Zebek | bogumil.zebek@nokia.com |
Project details
- Location: https://gerrit.onap.org/r/admin/repos/aaf/certservice
- Information for developers (README.md): https://gerrit.onap.org/r/gitweb?p=aaf/certservice.git;a=blob;f=certService/README.md;h=db96fa98661586015935c05ac222ef83ca779ff5;hb=HEAD
Requirements for developers
- Follow Google Java Style Guide
- Follow SONAR rules
- SONAR is available at https://sonarcloud.io/dashboard?id=onap_aaf-certservice
- Code coverage MUST be at the >= 80% level
- No new violations in the NEW code
- New libraries
- Before you add a new Java library, contact the Specificator and Committer to get confirmation that the library can be used in the project!
- Remember to update the README.md file (https://gerrit.onap.org/r/gitweb?p=aaf/certservice.git;a=blob;f=certService/README.md;h=db96fa98661586015935c05ac222ef83ca779ff5;hb=HEAD)
Licenses
Tips & Tricks
How to run Jenkins Builds
How to create a new project in ONAP
- Create a repository in gerrit
- Configure pom.xml in project
- Configure Jenkins Jobs
- Documentation
- An example: https://gerrit.onap.org/r/#/c/cli/+/101293/
- Contact person:
Records
- CertService with TLS installation Poc <Polish>
How to create CSR and PK for certificate endpoint
- Create the CSR and PK using openssl. First create the configuration file csr.config:

```ini
[ req ]
default_bits = 2048
distinguished_name = req_distinguished_name
req_extensions = req_ext

[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = US
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = California
localityName = Locality Name (eg, city)
localityName_default = San-Francisco
organizationName = Organization Name (eg, company)
organizationName_default = Linux-Foundation
organizationalUnitName = Organizational Unit Name (eg, section)
organizationalUnitName_default = ONAP
commonName = Common Name (e.g. server FQDN or YOUR name)
commonName_default = onap.org
emailAddress = Email Address
emailAddress_default = tester@onap.org

[ req_ext ]
subjectAltName = @alt_names

[ alt_names ]
DNS.1 = onap.org
DNS.2 = test.onap.org
```
Then run the openssl command that generates the CSR (onap.csr) and the private key (onap.key) from csr.config:

```shell
openssl req -out onap.csr -newkey rsa:2048 -nodes -keyout onap.key -config csr.config
```
Encode the CSR and private key in Base64. You can use this Java code to create onap.csr.b64 and onap.key.b64:

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.util.Base64;

private static final String PATH_TO_CSR = "onap.csr";  // adjust to your file locations
private static final String PATH_TO_PK = "onap.key";

// Writes onap.csr.b64 and onap.key.b64 next to the inputs (Files.readString needs Java 11+)
private static void encodeCsrAndPkInBase64() throws IOException {
    String csr = Files.readString(Paths.get(PATH_TO_CSR));
    String pk = Files.readString(Paths.get(PATH_TO_PK));
    String encodedCsr = Base64.getEncoder().encodeToString(csr.getBytes());
    String encodedPk = Base64.getEncoder().encodeToString(pk.getBytes());
    Files.writeString(Paths.get(PATH_TO_CSR + ".b64"), encodedCsr);
    Files.writeString(Paths.get(PATH_TO_PK + ".b64"), encodedPk);
}
```
- Paste the onap.csr.b64 content into the CSR header and the onap.key.b64 content into the PK header of the certificate request.
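An added Python example (not part of this page or the CertService project) of the encoding step above, with a check that each file holds the expected PEM block type before it goes into the CSR or PK header. The sample PEM blocks are constructed placeholders and the function names are this example's own.

```python
import base64
import re

PEM_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----\n(.+?)\n-----END \1-----", re.S)


def _pem(label: str, body: bytes) -> str:
    """Wrap constructed placeholder bytes in a PEM-shaped block (no real key material)."""
    return f"-----BEGIN {label}-----\n{base64.b64encode(body).decode()}\n-----END {label}-----\n"


# Constructed stand-ins for onap.csr and onap.key.
SAMPLE_CSR = _pem("CERTIFICATE REQUEST", b"constructed csr body, not a real CSR")
SAMPLE_KEY = _pem("PRIVATE KEY", b"constructed key body, not a real key")


def pem_label(pem: str) -> str:
    """Return the block label ('CERTIFICATE REQUEST', 'PRIVATE KEY', ...) after checking
    that the body between the markers is well-formed Base64."""
    m = PEM_RE.search(pem)
    if not m:
        raise ValueError("not a PEM block")
    base64.b64decode("".join(m.group(2).split()), validate=True)
    return m.group(1)


def pem_type_matches(pem: str, expected_label: str) -> bool:
    """True when the file holds the block type a given header expects."""
    try:
        return pem_label(pem) == expected_label
    except ValueError:
        return False


def encode_for_header(pem: str, expected_label: str) -> str:
    """Base64-encode the whole PEM file for the CSR or PK header. Refuses the wrong block
    type so swapped files are caught before sending; the result is a single line, which
    is what an HTTP header value must be."""
    if not pem_type_matches(pem, expected_label):
        raise ValueError(f"file is not a {expected_label} PEM block")
    return base64.b64encode(pem.encode("utf-8")).decode("ascii")


def decode_from_header(value: str, expected_label: str) -> str:
    """Receiving side: recover the PEM text from the header and re-check its type."""
    pem = base64.b64decode(value, validate=True).decode("utf-8")
    if not pem_type_matches(pem, expected_label):
        raise ValueError(f"header does not carry a {expected_label} PEM block")
    return pem
```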
How to run CertService Client
As standalone docker:
You need a certificate and trust anchors to connect to the CertService API via HTTPS. Instructions for generating the truststore and keystore files are in the project repository README (Gerrit GitWeb).
Create the certificate for the HTTPS connection.
Step 1: create a file with the environment variables, as in the example below.
client_docker.env:

```
#Client envs
REQUEST_URL=<URL to CertService API>
REQUEST_TIMEOUT=10000
OUTPUT_PATH=/var/certs
CA_NAME=RA
OUTPUT_TYPE=P12
#CSR config envs
COMMON_NAME=onap.org
ORGANIZATION=Linux-Foundation
ORGANIZATION_UNIT=ONAP
LOCATION=San-Francisco
STATE=California
COUNTRY=US
SANS=test.onap.org:onap.com
#TLS config envs
KEYSTORE_PATH=/etc/onap/aaf/certservice/certs/certServiceClient-keystore.jks
KEYSTORE_PASSWORD=<password to certServiceClient-keystore.jks>
TRUSTSTORE_PATH=/etc/onap/aaf/certservice/certs/certServiceClient-truststore.jks
TRUSTSTORE_PASSWORD=<password to certServiceClient-truststore.jks>
```
Step 2: run the docker container with the environment file and the docker network (the API and the client must be running in the same network).

```shell
docker run \
  --rm \
  --name aafcert-client \
  --env-file <path to client env> \
  --network <docker network of cert service> \
  --mount type=bind,src=<path to local host directory where certificate and trust anchor will be created>,dst=<OUTPUT_PATH (same as in step 1)> \
  --volume <local path to keystore in JKS format>:<KEYSTORE_PATH> \
  --volume <local path to truststore in JKS format>:<TRUSTSTORE_PATH> \
  nexus3.onap.org:10001/onap/org.onap.aaf.certservice.aaf-certservice-client:$VERSION
```
As init container for K8s:
Sample deployment
```yaml
...
kind: Deployment
metadata:
  ...
spec:
  ...
  template:
    ...
    spec:
      containers:
        - image: sample.image
          name: sample.name
          ...
          volumeMounts:
            - mountPath: /var/certs  # CERTS CAN BE FOUND IN THIS DIRECTORY
              name: certs
          ...
      initContainers:
        - name: cert-service-client
          image: nexus3.onap.org:10001/onap/org.onap.aaf.certservice.aaf-certservice-client:latest
          imagePullPolicy: Always
          env:
            - name: REQUEST_URL
              value: https://aaf-cert-service:8443/v1/certificate/
            - name: REQUEST_TIMEOUT
              value: "1000"
            - name: OUTPUT_PATH
              value: /var/certs
            - name: CA_NAME
              value: RA
            - name: OUTPUT_TYPE
              value: P12
            - name: COMMON_NAME
              value: onap.org
            - name: ORGANIZATION
              value: Linux-Foundation
            - name: ORGANIZATION_UNIT
              value: ONAP
            - name: LOCATION
              value: San-Francisco
            - name: STATE
              value: California
            - name: COUNTRY
              value: US
            - name: SANS
              value: test.onap.org:onap.com
            - name: KEYSTORE_PATH
              value: /etc/onap/aaf/certservice/certs/certServiceClient-keystore.jks
            - name: KEYSTORE_PASSWORD
              value: secret
            - name: TRUSTSTORE_PATH
              value: /etc/onap/aaf/certservice/certs/truststore.jks
            - name: TRUSTSTORE_PASSWORD
              value: secret
          volumeMounts:
            - mountPath: /var/certs
              name: certs
            - mountPath: /etc/onap/aaf/certservice/certs/
              name: tls-volume
      ...
      volumes:
        - name: certs
          emptyDir: {}
        - name: tls-volume
          secret:
            secretName: aaf-cert-service-client-tls-secret  # Value of global.aaf.certService.client.secret.name
...
```
Client exit codes:
Code | Information |
---|---|
0 | Success |
1 | Invalid client configuration |
2 | Invalid CSR configuration |
3 | Fail in key pair generation |
4 | Fail in CSR generation |
5 | CertService HTTP unsuccessful response |
6 | Internal HTTP Client connection problem |
7 | Fail in PEM conversion |
8 | Fail in Private Key to PEM Encoding |
9 | Wrong TLS configuration |
10 | File could not be created |
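An added Python pre-flight check (not the client's own code) that parses a client_docker.env file in the format shown above and reports configuration faults using exit codes 1 and 2 from this table. The validation rules (https URL, 2-letter COUNTRY, ':'-separated SANS) are modelled on the page's configuration examples and are this example's assumptions, as is the constructed sample file.

```python
import re
from urllib.parse import urlparse

EXIT_INVALID_CLIENT_CONFIG, EXIT_INVALID_CSR_CONFIG = 1, 2  # codes from the table above
CLIENT_VARS = {"REQUEST_URL", "REQUEST_TIMEOUT", "OUTPUT_PATH", "CA_NAME", "OUTPUT_TYPE",
               "KEYSTORE_PATH", "KEYSTORE_PASSWORD", "TRUSTSTORE_PATH", "TRUSTSTORE_PASSWORD"}
CSR_VARS = {"COMMON_NAME", "ORGANIZATION", "ORGANIZATION_UNIT", "LOCATION", "STATE", "COUNTRY", "SANS"}
HOST_RE = re.compile(r"^[A-Za-z0-9.-]+$")  # assumption: SANS entries are plain host names

# Constructed client_docker.env: the URL placeholder was never filled in,
# COUNTRY is not a 2-letter code and SANS uses ',' where the client expects ':'.
SAMPLE_ENV = """\
#Client envs
REQUEST_URL=<URL to CertService API>
REQUEST_TIMEOUT=10000
OUTPUT_PATH=/var/certs
CA_NAME=RA
OUTPUT_TYPE=P12
COMMON_NAME=onap.org
ORGANIZATION=Linux-Foundation
ORGANIZATION_UNIT=ONAP
LOCATION=San-Francisco
STATE=California
COUNTRY=USA
SANS=test.onap.org,onap.com
KEYSTORE_PATH=/etc/onap/aaf/certservice/certs/certServiceClient-keystore.jks
KEYSTORE_PASSWORD=constructed-keystore-password
TRUSTSTORE_PATH=/etc/onap/aaf/certservice/certs/certServiceClient-truststore.jks
TRUSTSTORE_PASSWORD=constructed-truststore-password
"""

def parse_env(text: str) -> dict:
    """KEY=VALUE per line; blank lines and '#' comments are skipped, as docker --env-file does."""
    lines = [l for l in text.splitlines() if l.strip() and not l.lstrip().startswith("#")]
    return {k.strip(): v.strip() for k, _, v in (l.partition("=") for l in lines)}

def preflight(env: dict) -> tuple:
    """Return (exit_code, problems): 1 for client-config faults, 2 for CSR faults, 0 if clean."""
    client = [f"missing {v}" for v in sorted(CLIENT_VARS - set(env))]
    if urlparse(env.get("REQUEST_URL", "")).scheme != "https":
        client.append("REQUEST_URL must be an https:// URL (the API is reached over TLS only)")
    csr = [f"missing {v}" for v in sorted(CSR_VARS - set(env))]
    if len(env.get("COUNTRY", "")) != 2:
        csr.append("COUNTRY must be a 2-letter code")
    bad = [s for s in env.get("SANS", "").split(":") if not HOST_RE.match(s)]
    if bad:
        csr.append(f"SANS must be ':'-separated host names, bad entries: {bad}")
    if client:  # client configuration is reported first, matching the order of the codes
        return EXIT_INVALID_CLIENT_CONFIG, client
    return (EXIT_INVALID_CSR_CONFIG, csr) if csr else (0, [])
```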