Specification

REQ - 140 Create Client, Plugin using Client and mechanisms for using CMPv2 as a CA

Team

Role         | Name            | E-mail
Specificator | Pawel Baniewski | pawel.baniewski@nokia.com
Committer    | Bogumil Zebek   | bogumil.zebek@nokia.com


Project details

Requirements for developers

Licenses


Library                        | Version       | Link to maven repo                                                                        | License
assertj-core                   | 3.15.0        | https://mvnrepository.com/artifact/org.assertj/assertj-core                               | Apache 2.0
mockito-core                   | 3.2.4         | https://mvnrepository.com/artifact/org.mockito/mockito-core                               | MIT
spring-core                    | 5.2.3.RELEASE | https://mvnrepository.com/artifact/org.springframework/spring-core                        | Apache 2.0
spring-boot-starter            | 2.2.4.RELEASE | https://mvnrepository.com/artifact/org.springframework.boot/spring-boot-starter           | Apache 2.0
maven-javadoc-plugin           | 3.1.1         | https://mvnrepository.com/artifact/org.apache.maven.plugins/maven-javadoc-plugin          | Apache 2.0
maven-surefire-plugin          | 3.0.0-M4      | https://mvnrepository.com/artifact/org.apache.maven.plugins/maven-surefire-plugin         | Apache 2.0
spring-boot-starter-actuator   | 2.2.4.RELEASE | https://mvnrepository.com/artifact/org.springframework.boot/spring-boot-starter-actuator  | Apache 2.0
spring-boot-starter-log4j2     | 2.1.5.RELEASE | https://mvnrepository.com/artifact/org.springframework.boot/spring-boot-starter-log4j2    | Apache 2.0
spring-cloud-starter-config    | 2.2.1.RELEASE | https://mvnrepository.com/artifact/org.springframework.cloud/spring-cloud-starter-config/ | Apache 2.0
springdoc-openapi-ui           | 1.2.30        | https://mvnrepository.com/artifact/org.springdoc/springdoc-openapi-ui                     | Apache 2.0
bouncycastle                   | 1.60          | https://mvnrepository.com/artifact/org.bouncycastle/bcprov-jdk15on                        | MIT
docker-maven-plugin            | 0.33.0        | https://mvnrepository.com/artifact/io.fabric8/docker-maven-plugin                         | Apache 2.0
springdoc-openapi-maven-plugin | 0.2           | https://mvnrepository.com/artifact/org.springdoc/springdoc-openapi-maven-plugin           | Apache 2.0
gson                           | 2.8.6         | https://mvnrepository.com/artifact/com.google.code.gson/gson/                             | Apache 2.0
Apache httpclient              | 4.5.6         | https://mvnrepository.com/artifact/org.apache.httpcomponents/httpclient                   | Apache 2.0
Apache Commons Lang            | 3.9           | https://mvnrepository.com/artifact/org.apache.commons/commons-lang3                       | Apache 2.0
Apache Commons IO              | 2.6           | https://mvnrepository.com/artifact/commons-io/commons-io                                  | Apache 2.0
JUnit Jupiter                  | 5.5.2         | https://mvnrepository.com/artifact/org.junit.jupiter/junit-jupiter                        | EPL 2.0
Mockito JUnit Jupiter          | 2.17.0        | https://mvnrepository.com/artifact/org.mockito/mockito-junit-jupiter                      | MIT


Tips & Tricks

How to run Jenkins Builds

How to create a new project in ONAP

  1. Create a repository in Gerrit
    1. Create a ticket at https://jira.linuxfoundation.org/servicedesk/customer/portal/2/create/102?q=create%20repository&q_time=1581674068823
  2. Configure pom.xml in the project
    1. An example: https://gerrit.onap.org/r/gitweb?p=aaf/certservice.git;a=blob;f=certService/pom.xml;h=3f17f3904b45f48007c7cf10cb54b2b814447226;hb=HEAD
  3. Configure the Jenkins jobs
    1. https://gerrit.onap.org/r/c/ci-management/ /101668
    2. Contact person:
      1. jwagantall@linuxfoundation.org
  4. Documentation
    1. An example: https://gerrit.onap.org/r/#/c/cli/ /101293/
    2. Contact persons:
      1. sofia.wallin@est.tech
      2. jwagantall@linuxfoundation.org

Records

  • CertService with TLS installation PoC (in Polish)

How to create CSR and PK for certificate endpoint

  1. Create the CSR and the private key (PK) using openssl:
    1. Create the configuration file:

      csr.config
      [ req ]
      default_bits       = 2048
      distinguished_name = req_distinguished_name
      req_extensions     = req_ext
      [ req_distinguished_name ]
      countryName                     = Country Name (2 letter code)
      countryName_default                     = US
      stateOrProvinceName             = State or Province Name (full name)
      stateOrProvinceName_default             = California
      localityName                    = Locality Name (eg, city)
      localityName_default                    = San-Francisco
      organizationName                = Organization Name (eg, company)
      organizationName_default                = Linux-Foundation
      organizationalUnitName          = Organizational Unit Name (eg, section)
      organizationalUnitName_default          = ONAP
      commonName                      = Common Name (e.g. server FQDN or YOUR name)
      commonName_default                      = onap.org
      emailAddress                    = Email Address
      emailAddress_default                    = tester@onap.org
      [ req_ext ]
      subjectAltName = @alt_names
      [ alt_names ]
      DNS.1   = onap.org
      DNS.2   = test.onap.org
      
      
    2. Run the openssl command that generates the CSR (onap.csr) and the private key (onap.key) from csr.config. openssl prompts for every subject field with the *_default value from the file; add -batch to accept the defaults without prompting. -nodes writes the key unencrypted (the next step relies on that), so keep the key file's permissions tight:

      openssl req -out onap.csr -newkey rsa:2048 -nodes -keyout onap.key -config csr.config
  2. Encode the CSR and the private key in Base64. Both values must end up on a single line, because an HTTP header value cannot contain line breaks. You can use this Java code (Java 11 or newer, for Files.readString/writeString) to create onap.csr.b64 and onap.key.b64:

        import java.io.IOException;
        import java.nio.charset.StandardCharsets;
        import java.nio.file.Files;
        import java.nio.file.Paths;
        import java.util.Base64;

        private static final String PATH_TO_CSR = "onap.csr";  // files produced in step 1
        private static final String PATH_TO_PK = "onap.key";

        // Base64.getEncoder() is the basic (non-MIME) encoder, so the output has no line wrapping.
        private static void encodeCsrAndPkInBase64() throws IOException {
            String csr = Files.readString(Paths.get(PATH_TO_CSR));
            String pk = Files.readString(Paths.get(PATH_TO_PK));

            String encodedCsr = Base64.getEncoder().encodeToString(csr.getBytes(StandardCharsets.UTF_8));
            String encodedPk = Base64.getEncoder().encodeToString(pk.getBytes(StandardCharsets.UTF_8));

            Files.writeString(Paths.get(PATH_TO_CSR + ".b64"), encodedCsr);
            Files.writeString(Paths.get(PATH_TO_PK + ".b64"), encodedPk);
        }
  3. Put the content of onap.csr.b64 in the CSR header and the content of onap.key.b64 in the PK header of the certificate request. This sends the private key itself to CertService, so the request must only ever go over the HTTPS connection (client keystore and truststore) described in the next section.
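The three steps above as one script, added here as an example; it is not code from the CertService project. It assumes that the certificate endpoint is REQUEST_URL followed by the CA name (as in the Kubernetes example further down: https://aaf-cert-service:8443/v1/certificate/ plus RA), that the request is a GET carrying the CSR and PK headers, and that the mutual-TLS material for curl is available as PEM files named by CA_CERT, CLIENT_CERT and CLIENT_KEY. Function and variable names are the example's own.

```shell
#!/bin/sh
# Added example, not code from the CertService project: the three steps above
# in one script. It generates onap.key and onap.csr from csr.config, Base64-
# encodes both onto a single line (an HTTP header value cannot hold newlines)
# and sends them in the CSR and PK headers. Assumptions: the endpoint is
# REQUEST_URL followed by CA_NAME, the request is a GET, and the mutual-TLS
# material for curl exists as PEM files named by CA_CERT, CLIENT_CERT, CLIENT_KEY.
set -u

# Base64-encode a file onto one line. `base64` wraps at 76 columns by default;
# stripping the newlines gives the same output as Java's Base64.getEncoder().
encode_b64() {
    base64 < "$1" | tr -d '\n'
}

# gen_csr_and_key DIR CONFIG: write DIR/onap.key and DIR/onap.csr from CONFIG
# (the csr.config above) plus the .b64 files next to them. -nodes leaves the
# key unencrypted, which is what lets it be read into the PK header, so the
# umask keeps the key and its .b64 copy private; -batch takes the *_default
# values from the config instead of prompting for each subject field.
gen_csr_and_key() (
    _dir=$1; _cfg=$2
    umask 077
    openssl req -out "$_dir/onap.csr" -newkey rsa:2048 -nodes \
        -keyout "$_dir/onap.key" -config "$_cfg" -batch || exit 1
    encode_b64 "$_dir/onap.csr" > "$_dir/onap.csr.b64"
    encode_b64 "$_dir/onap.key" > "$_dir/onap.key.b64"
)

# request_certificate DIR: send both values to CertService and print the
# response. The private key leaves this host in the PK header, so this must
# only ever go over the mutual-TLS channel, never over plain HTTP.
request_certificate() {
    _dir=$1
    curl --fail --silent --show-error \
        --cacert "$CA_CERT" --cert "$CLIENT_CERT" --key "$CLIENT_KEY" \
        -H "CSR: $(cat "$_dir/onap.csr.b64")" \
        -H "PK: $(cat "$_dir/onap.key.b64")" \
        "${REQUEST_URL%/}/${CA_NAME:-RA}"
}

# Runs only when REQUEST_URL is set, e.g.
#   REQUEST_URL=https://aaf-cert-service:8443/v1/certificate/ CA_NAME=RA \
#   CA_CERT=ca.pem CLIENT_CERT=client.pem CLIENT_KEY=client-key.pem sh request_cert.sh
if [ -n "${REQUEST_URL:-}" ]; then
    _out=$(mktemp -d)
    gen_csr_and_key "$_out" csr.config || exit 1
    request_certificate "$_out"
fi
```

Because the key travels in a request header, any proxy or access log on the path that records request headers would record the private key; keep the client and API on the dedicated network and do not put a header-logging proxy between them.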

How to run CertService Client

As standalone docker:

You need a client certificate and trust anchors to connect to the CertService API over HTTPS. How to generate the truststore and keystore files is described in the project repository README (Gerrit GitWeb).

Create the certificate for the HTTPS connection.

Create a file with the environment variables as in the example below. It contains the keystore and truststore passwords in clear text, so restrict its permissions (for example chmod 600) and keep it out of version control.

client_docker.env
#Client envs
REQUEST_URL=<URL to CertService API>
REQUEST_TIMEOUT=10000
OUTPUT_PATH=/var/certs
CA_NAME=RA
OUTPUT_TYPE=P12

#CSR config envs
COMMON_NAME=onap.org
ORGANIZATION=Linux-Foundation
ORGANIZATION_UNIT=ONAP
LOCATION=San-Francisco
STATE=California
COUNTRY=US
SANS=test.onap.org:onap.com

#TLS config envs
KEYSTORE_PATH=/etc/onap/aaf/certservice/certs/certServiceClient-keystore.jks
KEYSTORE_PASSWORD=<password to certServiceClient-keystore.jks>
TRUSTSTORE_PATH=/etc/onap/aaf/certservice/certs/certServiceClient-truststore.jks
TRUSTSTORE_PASSWORD=<password to certServiceClient-truststore.jks>

Run the docker container with the environment file and the docker network of the CertService API (the API and the client must be on the same network). The bind-mounted host directory receives the generated certificate and trust anchor; its container-side path must equal OUTPUT_PATH from the env file.

docker run \
   --rm \
   --name aafcert-client \
   --env-file <path to client env> \
   --network <docker network of cert service> \
   --mount type=bind,src=<path to local host directory where certificate and trust anchor will be created>,dst=<OUTPUT_PATH (same as in env file)> \
   --volume <local path to keystore in JKS format>:<KEYSTORE_PATH> \
   --volume <local path to truststore in JKS format>:<TRUSTSTORE_PATH> \
   nexus3.onap.org:10001/onap/org.onap.aaf.certservice.aaf-certservice-client:$VERSION

As an init container in Kubernetes:

Sample deployment
  ...
kind: Deployment
metadata:
  ...
spec:
...
  template:
  ...
    spec:
      containers:
        - image: sample.image
          name: sample.name
          ...
          volumeMounts:
            - mountPath: /var/certs #CERTS CAN BE FOUND IN THIS DIRECTORY
              name: certs
          ...
      initContainers:
        - name: cert-service-client
          image: nexus3.onap.org:10001/onap/org.onap.aaf.certservice.aaf-certservice-client:latest
          imagePullPolicy: Always
          env:
            - name: REQUEST_URL
              value: https://aaf-cert-service:8443/v1/certificate/
            - name: REQUEST_TIMEOUT
              value: "1000"
            - name: OUTPUT_PATH
              value: /var/certs
            - name: CA_NAME
              value: RA
            - name: OUTPUT_TYPE
              value: P12
            - name: COMMON_NAME
              value: onap.org
            - name: ORGANIZATION
              value: Linux-Foundation
            - name: ORGANIZATION_UNIT
              value: ONAP
            - name: LOCATION
              value: San-Francisco
            - name: STATE
              value: California
            - name: COUNTRY
              value: US
            - name: SANS
              value: test.onap.org:onap.com
            - name: KEYSTORE_PATH
              value: /etc/onap/aaf/certservice/certs/certServiceClient-keystore.jks
            - name: KEYSTORE_PASSWORD
              value: secret
            - name: TRUSTSTORE_PATH
              value: /etc/onap/aaf/certservice/certs/truststore.jks
            - name: TRUSTSTORE_PASSWORD
              value: secret
          volumeMounts:
            - mountPath: /var/certs
              name: certs
            - mountPath: /etc/onap/aaf/certservice/certs/
              name: tls-volume
        ...
      volumes:
      - name: certs
        emptyDir: {}
      - name: tls-volume
        secret:
          secretName: aaf-cert-service-client-tls-secret  # Value of global.aaf.certService.client.secret.name
      ...

In a real deployment, take KEYSTORE_PASSWORD and TRUSTSTORE_PASSWORD from a Secret with valueFrom.secretKeyRef instead of literal values, and pin the client image to a version (as the docker example above does with $VERSION) instead of :latest with imagePullPolicy: Always. The init container must exit with code 0 before the main container starts; on any other code (see the table below) the pod stays in the Init state and the init container is restarted according to the pod's restartPolicy.

Client exit codes:

Code | Information
0    | Success
1    | Invalid client configuration
2    | Invalid CSR configuration
3    | Fail in key pair generation
4    | Fail in CSR generation
5    | CertService HTTP unsuccessful response
6    | Internal HTTP Client connection problem
7    | Fail in PEM conversion
8    | Fail in Private Key to PEM Encoding
9    | Wrong TLS configuration
10   | File could not be created
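A wrapper around the standalone docker run above that acts on these exit codes, added here as an example and not part of the client. It assumes that only codes 5 and 6 are worth retrying (the API container may simply not be up yet) and that every other code is a configuration or local error that should fail fast; the variable names CLIENT_ENV, CERT_NETWORK, OUTPUT_DIR, KEYSTORE, TRUSTSTORE, VERSION and RETRY_SLEEP are its own.

```shell
#!/bin/sh
# Added example, not part of the CertService client: wraps the standalone
# docker run above, checks the env file first and uses the documented exit
# codes to decide whether a failure is worth retrying. Treating only 5 and 6
# as transient, and the variable names CLIENT_ENV, CERT_NETWORK, OUTPUT_DIR,
# KEYSTORE, TRUSTSTORE, VERSION and RETRY_SLEEP, are this example's assumptions.
set -u

# Exit codes documented for the client (the table above).
describe_exit_code() {
    case "$1" in
        0)  echo "Success" ;;
        1)  echo "Invalid client configuration" ;;
        2)  echo "Invalid CSR configuration" ;;
        3)  echo "Fail in key pair generation" ;;
        4)  echo "Fail in CSR generation" ;;
        5)  echo "CertService HTTP unsuccessful response" ;;
        6)  echo "Internal HTTP Client connection problem" ;;
        7)  echo "Fail in PEM conversion" ;;
        8)  echo "Fail in Private Key to PEM Encoding" ;;
        9)  echo "Wrong TLS configuration" ;;
        10) echo "File could not be created" ;;
        *)  echo "Unknown exit code $1" ;;
    esac
}

# Only a failed HTTP response (5) or a connection problem (6) can be transient,
# e.g. the API container not being up yet. Everything else is a configuration
# or local error that a retry cannot fix, so it should fail fast (assumption).
is_retryable() {
    case "$1" in
        5|6) return 0 ;;
        *)   return 1 ;;
    esac
}

# check_env_file FILE: every variable the client reads must be present and
# non-empty, and because the file carries the keystore/truststore passwords in
# clear text it must not be group- or world-accessible.
check_env_file() {
    _f=$1; _ok=0
    for _k in REQUEST_URL REQUEST_TIMEOUT OUTPUT_PATH CA_NAME OUTPUT_TYPE \
              COMMON_NAME ORGANIZATION ORGANIZATION_UNIT LOCATION STATE COUNTRY SANS \
              KEYSTORE_PATH KEYSTORE_PASSWORD TRUSTSTORE_PATH TRUSTSTORE_PASSWORD; do
        if ! grep -q "^$_k=.\{1,\}" "$_f"; then
            echo "$_f: $_k is missing or empty" >&2
            _ok=1
        fi
    done
    # columns 5-10 of `ls -l` are the group and other permission bits
    case "$(ls -ld "$_f" | cut -c5-10)" in
        *[rwx]*) echo "$_f: holds passwords but is group/world accessible, chmod 600 it" >&2; _ok=1 ;;
    esac
    return "$_ok"
}

# run_with_retry MAX CMD...: run CMD; on a retryable code wait RETRY_SLEEP times
# the attempt number (seconds) and try again, up to MAX attempts; any other
# code, or exhausting MAX, returns the client's own exit code unchanged.
run_with_retry() {
    _max=$1; shift
    _attempt=1
    while :; do
        if "$@"; then return 0; else _rc=$?; fi
        echo "attempt $_attempt/$_max: client exited $_rc ($(describe_exit_code "$_rc"))" >&2
        if ! is_retryable "$_rc" || [ "$_attempt" -ge "$_max" ]; then
            return "$_rc"
        fi
        sleep $(( ${RETRY_SLEEP:-2} * _attempt ))
        _attempt=$((_attempt + 1))
    done
}

# The docker run from above. The container-side mount path must equal
# OUTPUT_PATH in the env file (/var/certs in the example), and the JKS files
# must land where KEYSTORE_PATH/TRUSTSTORE_PATH point.
run_client() {
    docker run --rm --name aafcert-client \
        --env-file "$CLIENT_ENV" \
        --network "$CERT_NETWORK" \
        --mount "type=bind,src=$OUTPUT_DIR,dst=/var/certs" \
        --volume "$KEYSTORE:/etc/onap/aaf/certservice/certs/certServiceClient-keystore.jks" \
        --volume "$TRUSTSTORE:/etc/onap/aaf/certservice/certs/certServiceClient-truststore.jks" \
        "nexus3.onap.org:10001/onap/org.onap.aaf.certservice.aaf-certservice-client:$VERSION"
}

# Usage: CLIENT_ENV=client_docker.env CERT_NETWORK=<network> OUTPUT_DIR=$PWD/certs \
#        KEYSTORE=<keystore.jks> TRUSTSTORE=<truststore.jks> VERSION=<tag> sh run_client.sh
if [ -n "${CLIENT_ENV:-}" ]; then
    check_env_file "$CLIENT_ENV" || exit 1
    mkdir -p "$OUTPUT_DIR"
    run_with_retry 5 run_client || exit $?
    ls -l "$OUTPUT_DIR"
fi
```

The wrapper passes the client's own exit code through when it gives up, so whatever calls it (a CI job, a systemd unit) still sees the documented code rather than a generic failure.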