summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorBogumil Zebek <bogumil.zebek@nokia.com>2020-04-23 06:24:47 +0000
committerGerrit Code Review <gerrit@onap.org>2020-04-23 06:24:47 +0000
commit25f2d8db814436bd941edd4cd7f5f5d09a1a0b00 (patch)
tree88e74a007d232d65cb115ef3153825b7c582c114
parent9262e7eaff6490102662bd8528067f95c40f0cd0 (diff)
parent2e83d548467048fe05cf082c1e9743ad9d972cba (diff)
Merge "Update documentation related to configuration"
-rw-r--r--docs/sections/configuration.rst133
1 files changed, 131 insertions, 2 deletions
diff --git a/docs/sections/configuration.rst b/docs/sections/configuration.rst
index 51c87aa7..baf2d4ac 100644
--- a/docs/sections/configuration.rst
+++ b/docs/sections/configuration.rst
@@ -46,6 +46,135 @@ Certification Service Client image:
docker run --env-file $DOCKER_ENV_FILE --network $NETWORK_CERT_SERVICE --volume $DOCKER_VOLUME $AAFCERT_CLIENT_IMAGE
+Configuring Cert Service
+------------------------
+Cert Service keeps configuration of CMP Servers in file *cmpServers.json*.
+
+Example cmpServers.json file:
+
+.. code-block:: json
+
+ {
+ "cmpv2Servers": [
+ {
+ "caName": "Client",
+ "url": "http://aafcert-ejbca:8080/ejbca/publicweb/cmp/cmp",
+ "issuerDN": "CN=ManagementCA",
+ "caMode": "CLIENT",
+ "authentication": {
+ "iak": "mypassword",
+ "rv": "mypassword"
+ }
+ },
+ {
+ "caName": "RA",
+ "url": "http://aafcert-ejbca:8080/ejbca/publicweb/cmp/cmpRA",
+ "issuerDN": "CN=ManagementCA",
+ "caMode": "RA",
+ "authentication": {
+ "iak": "mypassword",
+ "rv": "mypassword"
+ }
+ }
+ ]
+ }
+
+This contains list of CMP Servers, where each server has following properties:
+
+ - *caName* - name of the external CA server
+ - *url* - Url to CMPv2 server
+ - *issuerDN* - Distinguished Name of the CA that will sign the certificate
+ - *caMode* - Issuer mode
+ - *authentication*
+
+ - *iak* - Initial authentication key, used to authenticate request in CMPv2 server
+ - *rv* - Reference values, used ti authenticate request in CMPv2 server
+
+
+
+This configuration is read on the application start. It can also be reloaded in runtime, by calling HTTP endpoint.
+
+
+Configuring in local(docker-compose) deployment:
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+Static:
+"""""""
+
+1. Edit *cmpServers.json* file in certservice/compose-resources
+2. Start containers::
+
+ make start-backend
+
+Dynamic:
+""""""""
+
+1. Find CertService docker container name.
+2. Enter container::
+
+ docker exec -it <certservice-container-name> bash
+
+3. Edit *cmpServers.json* file::
+
+ vim /etc/onap/aaf/certservice/cmpServers.json
+
+4. Save
+5. Reload configuration::
+
+ curl -I https://localhost:8443/reload --cacert /etc/onap/aaf/certservice/certs/root.crt --cert-type p12 --cert /etc/onap/aaf/certservice/certs/certServiceServer-keystore.p12 --pass secret
+
+
+Configuring in OOM deployment:
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+Static:
+"""""""
+
+*Note! This must be executed before calling make all or needs remaking aaf Charts*
+
+1. Edit *cmpServers.json* file
+
+ - if it's test deployment - edit *kubernetes/aaf/charts/aaf-cert-service/resources/test/cmpServers.json*
+ - if it's normal deployment - edit *kubernetes/aaf/charts/aaf-cert-service/resources/default/cmpServers.json*
+
+2. Build and start OOM deployment
+
+Dynamic:
+""""""""
+
+1. Encode your configuration to base64 (You can use for example online encoders or command line tool *base64*)
+2. Edit secret::
+
+ kubectl edit secret <cmp-servers-secret-name> # aaf-cert-service-secret by default
+
+3. Replace value for *cmpServers.json* with your base64 encoded configuration. For example:
+
+ .. code-block:: yaml
+
+ apiVersion: v1
+ data:
+ cmpServers.json: <HERE_PLACE_YOUR_BASE64_ENCODED_CONFIG>
+ kind: Secret
+ metadata:
+ creationTimestamp: "2020-04-21T16:30:29Z"
+ name: aaf-cert-service-secret
+ namespace: default
+ resourceVersion: "33892990"
+ selfLink: /api/v1/namespaces/default/secrets/aaf-cert-service-secret
+ uid: 6a037526-83ed-11ea-b731-fa163e2144f6
+ type: Opaque
+
+4. Save and exit
+5. New configuration will be automatically mounted to CertService pod, but reload is needed.
+6. Enter CertService pod::
+
+ kubectl exec -it <cert-service-pod-name> bash
+
+7. Reload configuration::
+
+ curl -I https://localhost:$HTTPS_PORT/reload --cacert $ROOT_CERT --cert-type p12 --cert $KEYSTORE_P12_PATH --pass $KEYSTORE_PASSWORD
+
+
Configuring EJBCA server for testing
------------------------------------
@@ -63,7 +192,7 @@ Default Values:
+---------------------+---------------------------------------------------------------------------------------------------------------------------------+
| Name | Value |
+=====================+=================================================================================================================================+
-| Request URL | http://aaf-ejbca:8080/ejbca/publicweb/cmp/cmpRA |
+| Request URL | http://aaf-ejbca:8080/ejbca/publicweb/cmp/cmpRA |
+---------------------+---------------------------------------------------------------------------------------------------------------------------------+
| Response Type | PKI Response |
+---------------------+---------------------------------------------------------------------------------------------------------------------------------+
@@ -97,7 +226,7 @@ Example deployment:
- image: sample.image
name: sample.name
...
- volumeMounts:
+ volumeMounts
- mountPath: /var/certs #CERTS CAN BE FOUND IN THIS DIRECTORY
name: certs
...