AAI Certificate Generator Automation

References

• onap-seccom list: https://lists.onap.org/g/onap-seccom/message/1368

• aaf-hello demonstration application

  • DDF event https://wiki.lfnetworking.org/display/LN/2019+June+Event+Topic+Proposals

  • https://wiki.lfnetworking.org/download/attachments/15630468/Cert%20mgmt%20and%20secure%20storage%20ONAP%20F2F%20Kista.pptx?version=1&modificationDate=1560418135343&api=v2

  • https://wiki.lfnetworking.org/download/attachments/15630468/Certificate%20handling%20and%20secure%20key%20storage%20discussion%20Kista%20ONAP%20F2F%202019-06-12.mp4?version=1&modificationDate=1560417944352&api=v2

• JIRA

  • AAI-2476: Automatically generate/renew AAF certificates for AAI servicesClosed

  • TSC-120: Emergency Casablanca Release to address the certification expirationClosed

  • AAI-2282: Update certificate for Casablanca 3.0.2Closed

  • AAI-2286: Update certificate for DublinClosed

  • AAI-2474: AAF healthcheck passes but AAI receives 403 error during authentication and certificate_unknownClosed

  • AAI-2489: Update sparky AAF certificateClosed

  • and many others:

    Getting issues...

• AAF Repository

  • aaf/authz/auth/docker/drun.sh

  • aaf/authz/auth/helm/aaf-hello/Chart.yaml

  • aaf/authz/auth/helm/aaf-hello/templates/aaf-hello.yaml

  • aaf/authz/auth/helm/aaf-hello/values.yaml

  • aaf/authz/auth/sample/cass_data/artifact.dat

Discussion

• Between Amsterdam release and Dublin release, certificates have been replaced at least 4 times.

• One of those was in the emergency Casablanca Maintenance Release because the certificate expiry date was very soon after the Casablanca Release date.

• ONAP is moving towards a higher-security system, e.g. adding more encryption by replacing HTTP with HTTPS, resulting in more certificates being required.

• Current process is for each ONAP project to manually generate certificates for their own microservices.

• The aaf-hello demonstration application shows how certificates can be automatically generated when the pod is deployed.

• Goal is to understand how this works and how to integrate similar techniques into other pods, such as AAI-Resources, AAI-Traversal, etc.

• tbc

Analysis

• aaf-hello application

  • aaf/authz/auth/auth-hello/src/main/java/org/onap/aaf/auth/hello/

    • GET,"/hello/:perm*"

    • POST,"/resthello/:id"

    • GET,"/resthello/:id"

    • PUT,"/resthello/:id"

    • DELETE,"/resthello/:id"

  • Prints out simple message including actual authorisation information e.g.

    • req.getUserPrincipal().getName()

    • req.isUserInRole(perm)

    • trans.getUserPrincipal().getClass().getSimpleName()

  • Provides simple proof that application is authorised through AAF

• aaf-hello Docker

  • aaf/authz/auth/docker/Dockerfile.hello

    • COPY bin/pod_wait.sh /opt/app/aaf/bin/ (shell scripts apparently from aaf/authz/auth/sample/bin/pod_wait.sh)

    • COPY etc /opt/app/osaaf/etc (property files apparently from aaf/authz/auth/sample/etc/)

    • RUN mkdir -p /opt/app/aaf/status (used by pod_wait.sh to communicate between processes in the pod)

    • based on aaf/authz/auth/docker/Dockerfile.core

      • COPY lib /opt/app/aaf/lib

      • COPY bin /opt/app/aaf/bin

      • COPY theme /opt/app/aaf/theme

      • based on aaf/authz/auth/docker/Dockerfile.base

        • add bash, openssl, curl

        • based on openjdk:8-jre-alpine

• aaf Helm charts

  • aaf/authz/auth/helm/aaf-hello/

    • values.yaml

    • Chart.yaml

    • aaf.sh

  • tbc

• It has been documented in the wiki now as Application Config & Cert Documentation (Temporary)