author | Bogumil Zebek <bogumil.zebek@nokia.com> | 2020-04-23 06:24:47 +0000 |
---|---|---|
committer | Gerrit Code Review <gerrit@onap.org> | 2020-04-23 06:24:47 +0000 |
commit | 25f2d8db814436bd941edd4cd7f5f5d09a1a0b00 (patch) | |
tree | 88e74a007d232d65cb115ef3153825b7c582c114 | |
parent | 9262e7eaff6490102662bd8528067f95c40f0cd0 (diff) | |
parent | 2e83d548467048fe05cf082c1e9743ad9d972cba (diff) |
Merge "Update documentation related to configuration"
-rw-r--r-- | docs/sections/configuration.rst | 133 |
1 files changed, 131 insertions, 2 deletions
diff --git a/docs/sections/configuration.rst b/docs/sections/configuration.rst index 51c87aa7..baf2d4ac 100644 --- a/docs/sections/configuration.rst +++ b/docs/sections/configuration.rst 
@@ -46,6 +46,135 @@ Certification Service Client image: docker run --env-file $DOCKER_ENV_FILE --network $NETWORK_CERT_SERVICE --volume $DOCKER_VOLUME $AAFCERT_CLIENT_IMAGE +Configuring Cert Service +------------------------ +Cert Service keeps configuration of CMP Servers in file *cmpServers.json*. + +Example cmpServers.json file: + +.. code-block:: json + + { + "cmpv2Servers": [ + { + "caName": "Client", + "url": "http://aafcert-ejbca:8080/ejbca/publicweb/cmp/cmp", + "issuerDN": "CN=ManagementCA", + "caMode": "CLIENT", + "authentication": { + "iak": "mypassword", + "rv": "mypassword" + } + }, + { + "caName": "RA", + "url": "http://aafcert-ejbca:8080/ejbca/publicweb/cmp/cmpRA", + "issuerDN": "CN=ManagementCA", + "caMode": "RA", + "authentication": { + "iak": "mypassword", + "rv": "mypassword" + } + } + ] + } + +This contains list of CMP Servers, where each server has following properties: + + - *caName* - name of the external CA server + - *url* - Url to CMPv2 server + - *issuerDN* - Distinguished Name of the CA that will sign the certificate + - *caMode* - Issuer mode + - *authentication* + + - *iak* - Initial authentication key, used to authenticate request in CMPv2 server + - *rv* - Reference values, used ti authenticate request in CMPv2 server + + + +This configuration is read on the application start. It can also be reloaded in runtime, by calling HTTP endpoint. + + +Configuring in local(docker-compose) deployment: +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +Static: +""""""" + +1. Edit *cmpServers.json* file in certservice/compose-resources +2. Start containers:: + + make start-backend + +Dynamic: +"""""""" + +1. Find CertService docker container name. +2. Enter container:: + + docker exec -it <certservice-container-name> bash + +3. Edit *cmpServers.json* file:: + + vim /etc/onap/aaf/certservice/cmpServers.json + +4. Save +5. 
Reload configuration:: + + curl -I https://localhost:8443/reload --cacert /etc/onap/aaf/certservice/certs/root.crt --cert-type p12 --cert /etc/onap/aaf/certservice/certs/certServiceServer-keystore.p12 --pass secret + + +Configuring in OOM deployment: +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +Static: +""""""" + +*Note! This must be executed before calling make all or needs remaking aaf Charts* + +1. Edit *cmpServers.json* file + + - if it's test deployment - edit *kubernetes/aaf/charts/aaf-cert-service/resources/test/cmpServers.json* + - if it's normal deployment - edit *kubernetes/aaf/charts/aaf-cert-service/resources/default/cmpServers.json* + +2. Build and start OOM deployment + +Dynamic: +"""""""" + +1. Encode your configuration to base64 (You can use for example online encoders or command line tool *base64*) +2. Edit secret:: + + kubectl edit secret <cmp-servers-secret-name> # aaf-cert-service-secret by default + +3. Replace value for *cmpServers.json* with your base64 encoded configuration. For example: + + .. code-block:: yaml + + apiVersion: v1 + data: + cmpServers.json: <HERE_PLACE_YOUR_BASE64_ENCODED_CONFIG> + kind: Secret + metadata: + creationTimestamp: "2020-04-21T16:30:29Z" + name: aaf-cert-service-secret + namespace: default + resourceVersion: "33892990" + selfLink: /api/v1/namespaces/default/secrets/aaf-cert-service-secret + uid: 6a037526-83ed-11ea-b731-fa163e2144f6 + type: Opaque + +4. Save and exit +5. New configuration will be automatically mounted to CertService pod, but reload is needed. +6. Enter CertService pod:: + + kubectl exec -it <cert-service-pod-name> bash + +7. Reload configuration:: + + curl -I https://localhost:$HTTPS_PORT/reload --cacert $ROOT_CERT --cert-type p12 --cert $KEYSTORE_P12_PATH --pass $KEYSTORE_PASSWORD + + Configuring EJBCA server for testing ------------------------------------ 
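Review bot: the example cmpServers.json and the docker-compose reload command in this hunk embed literal secrets (`"iak": "mypassword"`, `"rv": "mypassword"`, `--pass secret`); since *iak* and *rv* are the shared secrets that authenticate this service to the CMPv2 server, the example should use obvious placeholders such as `<IAK>` and `<KEYSTORE_PASSWORD>`, and the compose reload command should use the same `$HTTPS_PORT`, `$ROOT_CERT`, `$KEYSTORE_P12_PATH` and `$KEYSTORE_PASSWORD` variables the OOM variant already uses, so readers are not taught to paste a keystore password onto the command line. Two smaller points in the same hunk: under *rv*, "used ti authenticate" should read "used to authenticate"; and step 5 of the OOM dynamic procedure ("New configuration will be automatically mounted ... but reload is needed") should say that an edited Secret reaches the pod's mounted file on the kubelet's sync period rather than immediately, so a reload issued right after `kubectl edit secret` may still read the old cmpServers.json. The docker-compose dynamic steps should likewise note that a file edited with vim inside the container is lost when the container is recreated, which is why the static variant is the durable one.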
@@ -63,7 +192,7 @@ Default Values: +---------------------+---------------------------------------------------------------------------------------------------------------------------------+ | Name | Value | +=====================+=================================================================================================================================+ -| Request URL | http://aaf-ejbca:8080/ejbca/publicweb/cmp/cmpRA | +| Request URL | http://aaf-ejbca:8080/ejbca/publicweb/cmp/cmpRA | +---------------------+---------------------------------------------------------------------------------------------------------------------------------+ | Response Type | PKI Response | +---------------------+---------------------------------------------------------------------------------------------------------------------------------+ @@ -97,7 +226,7 @@ Example deployment: - image: sample.image name: sample.name ... - volumeMounts: + volumeMounts - mountPath: /var/certs #CERTS CAN BE FOUND IN THIS DIRECTORY name: certs ... |
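Review bot: in the "Default Values" hunk the `Request URL` row reads identically before and after (`http://aaf-ejbca:8080/ejbca/publicweb/cmp/cmpRA` in both), so this is a whitespace-only change to the table; that is fine as cleanup, but it is unrelated to the configuration documentation the commit message describes and deserves a mention there or a separate change.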
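Review bot: in the "Example deployment" hunk, `- volumeMounts:` becomes `+ volumeMounts` with the colon dropped, which makes the example invalid YAML: the `- mountPath: /var/certs` list that follows needs `volumeMounts:` as its mapping key. Restore the colon; readers copy this snippet into their pod specs.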