diff options
| author |   awudzins <adam.wudzinski@nokia.com> | 2020-03-13 16:54:18 +0100 |
|---|---|---|
| committer | awudzins <adam.wudzinski@nokia.com> | 2020-04-03 11:29:59 +0200 |
| commit | b81c681cb6be761a2abb5e2f5af1b923bef1f6b4 (patch) | |
| tree | 9e0712775bee897d3c0156a8fa6bf9d69846f2ed | |
| parent | fa33d3f9cf9b613968bf277284841164d392fc21 (diff) | |
Switch client and server to communicate over TLS
Issue-ID: AAF-1084
Signed-off-by: Adam WudziĆski <adam.wudzinski@nokia.com>
Change-Id: I7f11b27c7dcdf4fc3eba2d5e64b6dc775c80dd74
40 files changed, 735 insertions, 47 deletions
@@ -23,6 +23,8 @@ run-client: --env-file ./compose-resources/client-configuration.env \ --network certservice_certservice \ --mount type=bind,src=`pwd`/compose-resources/client-volume/,dst=/var/certs \ + --volume `pwd`/certs/truststore.jks:/etc/onap/aaf/certservice/certs/truststore.jks \ + --volume `pwd`/certs/certServiceClient-keystore.jks:/etc/onap/aaf/certservice/certs/certServiceClient-keystore.jks \ onap/org.onap.aaf.certservice.aaf-certservice-client:latest stop-client: @@ -30,6 +30,14 @@ or make build ``` +### Generating certificates +There are example certificates already generated in certs/ directory. +In order to generate new certificates, first remove existing ones. +Then execute following command from certs(!) directory: +``` + make +``` + ### Running Docker containers from docker-compose with EJBCA Docker-compose uses a local image of certservice-api and make run-client uses a local image of certservice-client Build docker images locally before running docker compose command. diff --git a/certService/helm/aaf-cert-service/resources/certServiceClient-keystore.jks b/certService/helm/aaf-cert-service/resources/certServiceClient-keystore.jks Binary files differnew file mode 100644 index 00000000..f24908c5 --- /dev/null +++ b/certService/helm/aaf-cert-service/resources/certServiceClient-keystore.jks diff --git a/certService/helm/aaf-cert-service/resources/certServiceServer-keystore.jks b/certService/helm/aaf-cert-service/resources/certServiceServer-keystore.jks Binary files differnew file mode 100644 index 00000000..89605b6b --- /dev/null +++ b/certService/helm/aaf-cert-service/resources/certServiceServer-keystore.jks diff --git a/certService/helm/aaf-cert-service/resources/certServiceServer-keystore.p12 b/certService/helm/aaf-cert-service/resources/certServiceServer-keystore.p12 Binary files differnew file mode 100644 index 00000000..2106c817 --- /dev/null +++ b/certService/helm/aaf-cert-service/resources/certServiceServer-keystore.p12 diff --git a/certService/helm/aaf-cert-service/resources/root.crt b/certService/helm/aaf-cert-service/resources/root.crt new file mode 100644 index 00000000..faeee813 --- /dev/null +++ b/certService/helm/aaf-cert-service/resources/root.crt @@ -0,0 +1,32 @@ +-----BEGIN CERTIFICATE----- +MIIFlDCCA3ygAwIBAgIETsAy8jANBgkqhkiG9w0BAQwFADByMQswCQYDVQQGEwJQ
+TDEUMBIGA1UECBMLRG9sbnkgU2xhc2sxEDAOBgNVBAcTB1dyb2NsYXcxFTATBgNV
+BAoTDFJvb3QgQ29tcGFueTERMA8GA1UECxMIUm9vdCBPcmcxETAPBgNVBAMTCHJv
+b3QuY29tMB4XDTIwMDQwMzA5MTYxNloXDTMwMDQwMTA5MTYxNlowcjELMAkGA1UE
+BhMCUEwxFDASBgNVBAgTC0RvbG55IFNsYXNrMRAwDgYDVQQHEwdXcm9jbGF3MRUw
+EwYDVQQKEwxSb290IENvbXBhbnkxETAPBgNVBAsTCFJvb3QgT3JnMREwDwYDVQQD
+Ewhyb290LmNvbTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAImm68wu
+rtdkVrC5JI2y53+DoVE4al7NxC2yHeVW0PRD3CgW1xba6dlSQoDQQKkDkxtuNhlU
+IQxU1bbKR6syqJgpJXwSDx4sl4J5lQGWN+iuNA72C1IyXATOgowGq6PbOVVTkApy
+3+ZZGBCmweTjhvddAO7k5p8v+ePt17VvBTxSt6rSvrkGMbpCxBGAPfGpL9xykm9Z
+okVSlA42gGhbra499QTT0Yc/WPPFotKkDKFGaDrLW3NYX1Lio11myYNvLOMwfSEV
+Xy9vkwxcdqFJpHjx+EVLLQXwkudZP+D53N4bk8nP3SacbZSQ/A85mZpWNtw+r9QL
+fZGecY1YIR0udLj66CIG3ybl3gSXX7TSRERTIMR6Um1lt+039FSa18mRBpQTCDXV
+tSL58Qs5BHFkCe0sGpY+XiSEypc6oYPf/7YjiTvMT/mHhDffrvFjhK+wP/oCIg8u
+vuPRoPWuyw41bBeFGitJgDn7E8p9B4K/1DCO/ZcjXiYMgn5Hwb3ojablYUeiXs99
+2AAV8gCceUCdgcP8d6wdAydOVljavkgHPG0IMbiVG1WT57oM3HQpejgpujlKDDsI
+bi9/lbcC/U0JoN9yAaJZFr7CXJrxRv8DWeTwzMTo203KHNu9roQiERd38P8Dp6AQ
+ivmqf0+0VZM3IpjWBYKM68tclHJcG+7wyFjvAgMBAAGjMjAwMB0GA1UdDgQWBBSN
+lFyR56zh67mnvYTmmgJQVxEJrjAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEB
+DAUAA4ICAQBczmFY0kmr1FK50glkT282ur0vukNtwXQNJONof3rYRqP2W98jID6D
+ayma0B4/H1EqCa0d66wRBxFdwW+MqOc4uWD3uUwgazrYD/Bv+V3aumaw8yX6vbyL
+hLNfpd4pViAEGtzYxYfMfFR6uzInF3NMpvt8OXCSGKiQjDMnMs0ekvUZLJm7yxwT
+Qr9aAEFYQYM/GstUC6qFfuUa4MaGvmyKWhZ10JoKXYbGGeFU4wI7Kzifh3VvawTg
+r314ZvQ3zpEwzNJpdvT5ZKuPvyN+drAKFpSPfOTFmmb3uF95FgYq33OFPpo7SR43
+tnw5u5YqKnsHmqCIRMctWiYZc8rBJ3+eBGmke6z/AN6FraG6Ejc8e4WPclrB8STb
++oB3a4Cvri1VHyodkm50Sb/d1FAMDXvzEPBfu2D0dVvOwOcISSN/MQUom8NN4YeI
+aEATdAPNkokgehOzZ1OPRv47FKYEVPCXjaZEWAC7NNmNiRn4RQOti0DlNrLL7Nx9
+vK09G0EnW01MO2ARRkZ3dog+Ph7orJQV3sd7TO4EEortqWtbegSH75ylyYw6rt/j
+uBzYtMOnEtnQKhxj4Wj7PO+StCgspoOByn0d+iSgDd2TlpWm4naP2pfFZT0R+TOH
+wzSH0F47TSfRd0++uEz/QhViybrvQK7yMt1G1YwZp2im+imuWwUC8Q== +-----END CERTIFICATE----- diff --git a/certService/helm/aaf-cert-service/resources/truststore.jks b/certService/helm/aaf-cert-service/resources/truststore.jks Binary files differnew file mode 100644 index 00000000..c32d37fd --- /dev/null +++ b/certService/helm/aaf-cert-service/resources/truststore.jks diff --git a/certService/helm/aaf-cert-service/templates/deployment.yaml b/certService/helm/aaf-cert-service/templates/deployment.yaml index f8b2d43f..f4a28f46 100644 --- a/certService/helm/aaf-cert-service/templates/deployment.yaml +++ b/certService/helm/aaf-cert-service/templates/deployment.yaml @@ -16,27 +16,52 @@ spec: - name: {{ .Values.volume.name }} secret: secretName: {{ .Values.secret.name }} + - name: {{ .Values.tls.server.volume.name }} + secret: + secretName: {{ .Values.tls.server.secret.name }} containers: - name: aaf-cert-service image: {{ .Values.repository }}/{{ .Values.image }} imagePullPolicy: {{ .Values.pullPolicy }} ports: - containerPort: {{ .Values.containerPort }} + env: + - name: HTTPS_PORT + value: "{{ .Values.containerPort }}" + - name: KEYSTORE_PATH + value: "{{ .Values.tls.server.volume.mountPath }}/{{ .Values.envs.keystore.jksName }}" + - name: KEYSTORE_P12_PATH + value: "{{ .Values.tls.server.volume.mountPath }}/{{ .Values.envs.keystore.p12Name }}" + - name: TRUSTSTORE_PATH + value: "{{ .Values.tls.server.volume.mountPath }}/{{ .Values.envs.truststore.jksName }}" + - name: ROOT_CERT + value: "{{ .Values.tls.server.volume.mountPath }}/{{ .Values.envs.truststore.crtName }}" + - name: KEYSTORE_PASSWORD + value: "{{ .Values.envs.keystore.password }}" + - name: TRUSTSTORE_PASSWORD + value: "{{ .Values.envs.truststore.password }}" livenessProbe: - httpGet: - port: {{ .Values.containerPort }} - path: {{ .Values.liveness.path }} + exec: + command: + - /bin/bash + - -c + - {{ .Values.liveness.command }} initialDelaySeconds: {{ .Values.liveness.initialDelaySeconds }} periodSeconds: {{ .Values.liveness.periodSeconds }} readinessProbe: - httpGet: - port: {{ .Values.containerPort }} - path: {{ .Values.readiness.path }} + exec: + command: + - /bin/bash + - -c + - {{ .Values.readiness.command }} initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }} periodSeconds: {{ .Values.readiness.periodSeconds }} volumeMounts: - name: {{ .Values.volume.name }} mountPath: {{ .Values.volume.mountPath }} readOnly: true + - name: {{ .Values.tls.server.volume.name }} + mountPath: {{ .Values.tls.server.volume.mountPath }} + readOnly: true resources: {{ toYaml .Values.resources }} diff --git a/certService/helm/aaf-cert-service/templates/secret_client_tls.yaml b/certService/helm/aaf-cert-service/templates/secret_client_tls.yaml new file mode 100644 index 00000000..b80a4af4 --- /dev/null +++ b/certService/helm/aaf-cert-service/templates/secret_client_tls.yaml @@ -0,0 +1,10 @@ +apiVersion: v1 +kind: Secret +metadata: + name: {{ .Values.tls.client.secret.name }} +type: Opaque +data: + certServiceClient-keystore.jks: + {{ (.Files.Glob "resources/certServiceClient-keystore.jks").AsSecrets }} + truststore.jks: + {{ (.Files.Glob "resources/truststore.jks").AsSecrets }} diff --git a/certService/helm/aaf-cert-service/templates/secret_server_tls.yaml b/certService/helm/aaf-cert-service/templates/secret_server_tls.yaml new file mode 100644 index 00000000..535e3dbd --- /dev/null +++ b/certService/helm/aaf-cert-service/templates/secret_server_tls.yaml @@ -0,0 +1,14 @@ +apiVersion: v1 +kind: Secret +metadata: + name: {{ .Values.tls.server.secret.name }} +type: Opaque +data: + certServiceServer-keystore.jks: + {{ (.Files.Glob "resources/certServiceServer-keystore.jks").AsSecrets }} + certServiceServer-keystore.p12: + {{ (.Files.Glob "resources/certServiceServer-keystore.p12").AsSecrets }} + truststore.jks: + {{ (.Files.Glob "resources/truststore.jks").AsSecrets }} + root.crt: + {{ (.Files.Glob "resources/root.crt").AsSecrets }}
\ No newline at end of file diff --git a/certService/helm/aaf-cert-service/templates/service.yaml b/certService/helm/aaf-cert-service/templates/service.yaml index fba7e5fa..f3c0ee0c 100644 --- a/certService/helm/aaf-cert-service/templates/service.yaml +++ b/certService/helm/aaf-cert-service/templates/service.yaml @@ -1,7 +1,7 @@ apiVersion: v1 kind: Service metadata: - name: {{ .Chart.Name }}-service + name: {{ .Chart.Name }} spec: type: {{ .Values.service.type }} selector: diff --git a/certService/helm/aaf-cert-service/values.yaml b/certService/helm/aaf-cert-service/values.yaml index 0dab1e32..efb16a5a 100644 --- a/certService/helm/aaf-cert-service/values.yaml +++ b/certService/helm/aaf-cert-service/values.yaml @@ -3,17 +3,17 @@ replicaCount: 1 repository: nexus3.onap.org:10001 image: onap/org.onap.aaf.certservice.aaf-certservice-api:1.0.0 pullPolicy: Always -containerPort: 8080 +containerPort: 8443 service: type: ClusterIP liveness: initialDelaySeconds: 60 periodSeconds: 10 - path: /actuator/health + command: curl https://localhost:$HTTPS_PORT/actuator/health --cacert $ROOT_CERT --cert-type p12 --cert $KEYSTORE_P12_PATH --pass $KEYSTORE_PASSWORD readiness: initialDelaySeconds: 30 periodSeconds: 10 - path: /ready + command: curl https://localhost:$HTTPS_PORT/ready --cacert $ROOT_CERT --cert-type p12 --cert $KEYSTORE_P12_PATH --pass $KEYSTORE_PASSWORD volume: name: aaf-cert-service-volume mountPath: /etc/onap/aaf/certservice @@ -28,3 +28,25 @@ resources: secret: name: aaf-cert-service-secret + +tls: + server: + secret: + name: aaf-cert-service-server-tls-secret + volume: + name: aaf-cert-service-server-tls-volume + mountPath: /etc/onap/aaf/certservice/certs/ + client: + secret: + name: aaf-cert-service-client-tls-secret + +envs: + keystore: + jksName: certServiceServer-keystore.jks + p12Name: certServiceServer-keystore.p12 + password: secret + truststore: + jksName: truststore.jks + crtName: root.crt + password: secret + diff --git a/certService/src/main/resources/application.properties b/certService/src/main/resources/application.properties index 9ccdd326..c5d14370 100644 --- a/certService/src/main/resources/application.properties +++ b/certService/src/main/resources/application.properties @@ -9,3 +9,14 @@ springdoc.swagger-ui.path=/docs # AAF CertService app specific configuration app.config.path=/etc/onap/aaf/certservice + +# Mutual TLS configuration +server.ssl.enabled=true +server.ssl.client-auth=need +server.port=${HTTPS_PORT:8443} + +server.ssl.key-store=${KEYSTORE_PATH:/etc/onap/aaf/certservice/certs/certServiceServer-keystore.jks} +server.ssl.key-store-password=${KEYSTORE_PASSWORD:secret} + +server.ssl.trust-store=${TRUSTSTORE_PATH:/etc/onap/aaf/certservice/certs/truststore.jks} +server.ssl.trust-store-password=${TRUSTSTORE_PASSWORD:secret} diff --git a/certService/src/test/resources/application.properties b/certService/src/test/resources/application.properties index 39001571..b70ab3b4 100644 --- a/certService/src/test/resources/application.properties +++ b/certService/src/test/resources/application.properties @@ -1,2 +1,13 @@ # AAF CertService app specific configuration app.config.path=./src/test/resources + +# Mutual TLS configuration +server.ssl.enabled=true +server.ssl.client-auth=need +server.port=${HTTPS_PORT:8443} + +server.ssl.key-store=${KEYSTORE_PATH:/etc/onap/aaf/certservice/certs/certServiceServer-keystore.jks} +server.ssl.key-store-password=${KEYSTORE_PASSWORD:secret} + +server.ssl.trust-store=${TRUSTSTORE_PATH:/etc/onap/aaf/certservice/certs/truststore.jks} +server.ssl.trust-store-password=${TRUSTSTORE_PASSWORD:secret}
\ No newline at end of file diff --git a/certServiceClient/README.md b/certServiceClient/README.md index 7748b29b..43d732c8 100644 --- a/certServiceClient/README.md +++ b/certServiceClient/README.md @@ -43,6 +43,10 @@ LOCATION=San-Francisco STATE=California COUNTRY=US SANS=example.com:example2.com +KEYSTORE_PATH=/etc/onap/aaf/certservice/certs/certServiceClient-keystore.jks +KEYSTORE_PASSWORD=secret +TRUSTSTORE_PATH=/etc/onap/aaf/certservice/certs/truststore.jks +TRUSTSTORE_PASSWORD=secret ``` ### Logs locally diff --git a/certServiceClient/src/main/java/org/onap/aaf/certservice/client/CertServiceClient.java b/certServiceClient/src/main/java/org/onap/aaf/certservice/client/CertServiceClient.java index 0916bb8a..1b5b8ee3 100644 --- a/certServiceClient/src/main/java/org/onap/aaf/certservice/client/CertServiceClient.java +++ b/certServiceClient/src/main/java/org/onap/aaf/certservice/client/CertServiceClient.java @@ -19,26 +19,30 @@ package org.onap.aaf.certservice.client; -import java.security.KeyPair; import org.onap.aaf.certservice.client.api.ExitableException; -import org.onap.aaf.certservice.client.certification.PrivateKeyToPemEncoder; import org.onap.aaf.certservice.client.certification.CsrFactory; import org.onap.aaf.certservice.client.certification.KeyPairFactory; +import org.onap.aaf.certservice.client.certification.PrivateKeyToPemEncoder; import org.onap.aaf.certservice.client.certification.conversion.KeystoreTruststoreCreator; import org.onap.aaf.certservice.client.certification.conversion.KeystoreTruststoreCreatorFactory; import org.onap.aaf.certservice.client.common.Base64Encoder; import org.onap.aaf.certservice.client.configuration.EnvsForClient; import org.onap.aaf.certservice.client.configuration.EnvsForCsr; +import org.onap.aaf.certservice.client.configuration.EnvsForTls; import org.onap.aaf.certservice.client.configuration.factory.ClientConfigurationFactory; import org.onap.aaf.certservice.client.configuration.factory.CsrConfigurationFactory; +import org.onap.aaf.certservice.client.configuration.factory.SslContextFactory; import org.onap.aaf.certservice.client.configuration.model.ClientConfiguration; import org.onap.aaf.certservice.client.configuration.model.CsrConfiguration; -import org.onap.aaf.certservice.client.httpclient.CloseableHttpClientProvider; +import org.onap.aaf.certservice.client.httpclient.CloseableHttpsClientProvider; import org.onap.aaf.certservice.client.httpclient.HttpClient; import org.onap.aaf.certservice.client.httpclient.model.CertServiceResponse; import org.slf4j.Logger; import org.slf4j.LoggerFactory; +import javax.net.ssl.SSLContext; +import java.security.KeyPair; + import static org.onap.aaf.certservice.client.api.ExitStatus.SUCCESS; import static org.onap.aaf.certservice.client.certification.EncryptionAlgorithmConstants.KEY_SIZE; import static org.onap.aaf.certservice.client.certification.EncryptionAlgorithmConstants.RSA_ENCRYPTION_ALGORITHM; @@ -62,9 +66,10 @@ public class CertServiceClient { CsrConfiguration csrConfiguration = new CsrConfigurationFactory(new EnvsForCsr()).create(); KeyPair keyPair = keyPairFactory.create(); CsrFactory csrFactory = new CsrFactory(csrConfiguration); + SSLContext sslContext = new SslContextFactory(new EnvsForTls()).create(); - CloseableHttpClientProvider provider = new CloseableHttpClientProvider( - clientConfiguration.getRequestTimeout()); + CloseableHttpsClientProvider provider = new CloseableHttpsClientProvider( + sslContext, clientConfiguration.getRequestTimeout()); HttpClient httpClient = new HttpClient(provider, clientConfiguration.getUrlToCertService()); CertServiceResponse certServiceData = @@ -74,7 +79,7 @@ public class CertServiceClient { base64Encoder.encode(pkEncoder.encodePrivateKeyToPem(keyPair.getPrivate()))); KeystoreTruststoreCreator filesCreator = new KeystoreTruststoreCreatorFactory( - clientConfiguration.getCertsOutputPath()).create(); + clientConfiguration.getCertsOutputPath()).create(); filesCreator.createKeystore(certServiceData.getCertificateChain(), keyPair.getPrivate()); filesCreator.createTruststore(certServiceData.getTrustedCertificates()); } catch (ExitableException e) { diff --git a/certServiceClient/src/main/java/org/onap/aaf/certservice/client/api/ExitStatus.java b/certServiceClient/src/main/java/org/onap/aaf/certservice/client/api/ExitStatus.java index c474fd03..78ecc778 100644 --- a/certServiceClient/src/main/java/org/onap/aaf/certservice/client/api/ExitStatus.java +++ b/certServiceClient/src/main/java/org/onap/aaf/certservice/client/api/ExitStatus.java @@ -28,7 +28,8 @@ public enum ExitStatus { CERT_SERVICE_API_CONNECTION_EXCEPTION(5,"CertService HTTP unsuccessful response"), HTTP_CLIENT_EXCEPTION(6,"Internal HTTP Client connection problem"), PKCS12_CONVERSION_EXCEPTION(7,"Fail in PKCS12 conversion"), - PK_TO_PEM_ENCODING_EXCEPTION(8,"Fail in Private Key to PEM Encoding"); + PK_TO_PEM_ENCODING_EXCEPTION(8,"Fail in Private Key to PEM Encoding"), + TLS_CONFIGURATION_EXCEPTION(9, "Invalid TLS configuration"); private final int value; private final String message; diff --git a/certServiceClient/src/main/java/org/onap/aaf/certservice/client/configuration/EnvsForTls.java b/certServiceClient/src/main/java/org/onap/aaf/certservice/client/configuration/EnvsForTls.java new file mode 100644 index 00000000..b2f782c2 --- /dev/null +++ b/certServiceClient/src/main/java/org/onap/aaf/certservice/client/configuration/EnvsForTls.java @@ -0,0 +1,47 @@ +/* + * ============LICENSE_START======================================================= + * aaf-certservice-client + * ================================================================================ + * Copyright (C) 2020 Nokia. All rights reserved. + * ================================================================================ + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * ============LICENSE_END========================================================= + */ + +package org.onap.aaf.certservice.client.configuration; + +import java.util.Optional; + +public class EnvsForTls { + private final EnvProvider envProvider = new EnvProvider(); + + public Optional<String> getKeystorePath() { + return readEnv(TlsConfigurationEnvs.KEYSTORE_PATH); + } + + public Optional<String> getKeystorePassword() { + return readEnv(TlsConfigurationEnvs.KEYSTORE_PASSWORD); + } + + public Optional<String> getTruststorePath() { + return readEnv(TlsConfigurationEnvs.TRUSTSTORE_PATH); + } + + public Optional<String> getTruststorePassword() { + return readEnv(TlsConfigurationEnvs.TRUSTSTORE_PASSWORD); + } + + private Optional<String> readEnv(TlsConfigurationEnvs envName) { + return envProvider.readEnvVariable(envName.toString()); + } +} diff --git a/certServiceClient/src/main/java/org/onap/aaf/certservice/client/configuration/TlsConfigurationEnvs.java b/certServiceClient/src/main/java/org/onap/aaf/certservice/client/configuration/TlsConfigurationEnvs.java new file mode 100644 index 00000000..4009a088 --- /dev/null +++ b/certServiceClient/src/main/java/org/onap/aaf/certservice/client/configuration/TlsConfigurationEnvs.java @@ -0,0 +1,28 @@ +/* + * ============LICENSE_START======================================================= + * aaf-certservice-client + * ================================================================================ + * Copyright (C) 2020 Nokia. All rights reserved. + * ================================================================================ + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * ============LICENSE_END========================================================= + */ + +package org.onap.aaf.certservice.client.configuration; + +public enum TlsConfigurationEnvs { + KEYSTORE_PATH, + KEYSTORE_PASSWORD, + TRUSTSTORE_PATH, + TRUSTSTORE_PASSWORD +} diff --git a/certServiceClient/src/main/java/org/onap/aaf/certservice/client/configuration/exception/TlsConfigurationException.java b/certServiceClient/src/main/java/org/onap/aaf/certservice/client/configuration/exception/TlsConfigurationException.java new file mode 100644 index 00000000..a10185b2 --- /dev/null +++ b/certServiceClient/src/main/java/org/onap/aaf/certservice/client/configuration/exception/TlsConfigurationException.java @@ -0,0 +1,36 @@ +/* + * ============LICENSE_START======================================================= + * aaf-certservice-client + * ================================================================================ + * Copyright (C) 2020 Nokia. All rights reserved. + * ================================================================================ + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * ============LICENSE_END========================================================= + */ + +package org.onap.aaf.certservice.client.configuration.exception; + +import org.onap.aaf.certservice.client.api.ExitStatus; +import org.onap.aaf.certservice.client.api.ExitableException; + +public class TlsConfigurationException extends ExitableException { + private static final ExitStatus EXIT_STATUS = ExitStatus.CERT_SERVICE_API_CONNECTION_EXCEPTION; + + public TlsConfigurationException(String message) { + super(message); + } + + public ExitStatus applicationExitStatus() { + return EXIT_STATUS; + } +} diff --git a/certServiceClient/src/main/java/org/onap/aaf/certservice/client/configuration/factory/CsrConfigurationFactory.java b/certServiceClient/src/main/java/org/onap/aaf/certservice/client/configuration/factory/CsrConfigurationFactory.java index a94c906f..1d4cf2b2 100644 --- a/certServiceClient/src/main/java/org/onap/aaf/certservice/client/configuration/factory/CsrConfigurationFactory.java +++ b/certServiceClient/src/main/java/org/onap/aaf/certservice/client/configuration/factory/CsrConfigurationFactory.java @@ -27,12 +27,12 @@ import org.onap.aaf.certservice.client.configuration.model.CsrConfiguration; import org.slf4j.Logger; import org.slf4j.LoggerFactory; + public class CsrConfigurationFactory extends AbstractConfigurationFactory<CsrConfiguration> { private static final Logger LOGGER = LoggerFactory.getLogger(CsrConfigurationFactory.class); private final EnvsForCsr envsForCsr; - public CsrConfigurationFactory(EnvsForCsr envsForCsr) { this.envsForCsr = envsForCsr; } diff --git a/certServiceClient/src/main/java/org/onap/aaf/certservice/client/configuration/factory/SslContextFactory.java b/certServiceClient/src/main/java/org/onap/aaf/certservice/client/configuration/factory/SslContextFactory.java new file mode 100644 index 00000000..ef74d830 --- /dev/null +++ b/certServiceClient/src/main/java/org/onap/aaf/certservice/client/configuration/factory/SslContextFactory.java @@ -0,0 +1,85 @@ +/*============LICENSE_START======================================================= + * aaf-certservice-client + * ================================================================================ + * Copyright (C) 2020 Nokia. All rights reserved. + * ================================================================================ + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * ============LICENSE_END========================================================= + */ + +package org.onap.aaf.certservice.client.configuration.factory; + +import org.apache.http.ssl.SSLContexts; +import org.onap.aaf.certservice.client.configuration.EnvsForTls; +import org.onap.aaf.certservice.client.configuration.TlsConfigurationEnvs; +import org.onap.aaf.certservice.client.configuration.exception.TlsConfigurationException; + +import javax.net.ssl.SSLContext; +import java.io.File; +import java.io.FileInputStream; +import java.io.IOException; +import java.security.KeyStore; +import java.security.KeyStoreException; +import java.security.NoSuchAlgorithmException; +import java.security.cert.CertificateException; + +public class SslContextFactory { + + private static final String JKS = "jks"; + + private EnvsForTls envsForTls; + + public SslContextFactory(EnvsForTls envsForTls) { + this.envsForTls = envsForTls; + } + + public SSLContext create() throws TlsConfigurationException { + String keystorePath = envsForTls.getKeystorePath() + .orElseThrow(() -> new TlsConfigurationException(createEnvMissingMessage(TlsConfigurationEnvs.KEYSTORE_PATH))); + String keystorePassword = envsForTls.getKeystorePassword() + .orElseThrow(() -> new TlsConfigurationException(createEnvMissingMessage(TlsConfigurationEnvs.KEYSTORE_PASSWORD))); + String truststorePath = envsForTls.getTruststorePath() + .orElseThrow(() -> new TlsConfigurationException(createEnvMissingMessage(TlsConfigurationEnvs.TRUSTSTORE_PATH))); + String truststorePassword = envsForTls.getTruststorePassword() + .orElseThrow(() -> new TlsConfigurationException(createEnvMissingMessage(TlsConfigurationEnvs.TRUSTSTORE_PASSWORD))); + + return createSSLContext(keystorePath, keystorePassword, truststorePath, truststorePassword); + } + + private String createEnvMissingMessage(TlsConfigurationEnvs keystorePath) { + return String.format("%s env is missing.", keystorePath); + } + + private KeyStore setupKeystore(String keystorePath, String certPassword) + throws KeyStoreException, IOException, NoSuchAlgorithmException, CertificateException { + KeyStore keyStore = KeyStore.getInstance(JKS); + FileInputStream identityKeyStoreFile = new FileInputStream(new File( + keystorePath)); + keyStore.load(identityKeyStoreFile, certPassword.toCharArray()); + return keyStore; + } + + private SSLContext createSSLContext(String keystorePath, String keystorePassword, String truststorePath, String truststorePassword) throws TlsConfigurationException { + try { + KeyStore identityKeystore = setupKeystore(keystorePath, keystorePassword); + KeyStore trustKeystore = setupKeystore(truststorePath, truststorePassword); + + return SSLContexts.custom() + .loadKeyMaterial(identityKeystore, keystorePassword.toCharArray()) + .loadTrustMaterial(trustKeystore, null) + .build(); + } catch (Exception e) { + throw new TlsConfigurationException("TLS configuration exception: " + e); + } + } +} diff --git a/certServiceClient/src/main/java/org/onap/aaf/certservice/client/configuration/model/ClientConfiguration.java b/certServiceClient/src/main/java/org/onap/aaf/certservice/client/configuration/model/ClientConfiguration.java index ff2db831..2ac481dc 100644 --- a/certServiceClient/src/main/java/org/onap/aaf/certservice/client/configuration/model/ClientConfiguration.java +++ b/certServiceClient/src/main/java/org/onap/aaf/certservice/client/configuration/model/ClientConfiguration.java @@ -25,7 +25,7 @@ import org.onap.aaf.certservice.client.configuration.ClientConfigurationEnvs; public class ClientConfiguration implements ConfigurationModel { private static final Integer DEFAULT_TIMEOUT_MS = 30000; - private static final String DEFAULT_REQUEST_URL = "http://aaf-cert-service-service:8080/v1/certificate/"; + private static final String DEFAULT_REQUEST_URL = "https://aaf-cert-service:8443/v1/certificate/"; private String urlToCertService; private Integer requestTimeout; diff --git a/certServiceClient/src/main/java/org/onap/aaf/certservice/client/httpclient/CloseableHttpClientProvider.java b/certServiceClient/src/main/java/org/onap/aaf/certservice/client/httpclient/CloseableHttpsClientProvider.java index 5ad933ff..3b7a46ab 100644 --- a/certServiceClient/src/main/java/org/onap/aaf/certservice/client/httpclient/CloseableHttpClientProvider.java +++ b/certServiceClient/src/main/java/org/onap/aaf/certservice/client/httpclient/CloseableHttpsClientProvider.java @@ -24,11 +24,15 @@ import org.apache.http.client.config.RequestConfig; import org.apache.http.impl.client.CloseableHttpClient; import org.apache.http.impl.client.HttpClientBuilder; -public class CloseableHttpClientProvider { +import javax.net.ssl.SSLContext; + +public class CloseableHttpsClientProvider { private final int timeout; + private final SSLContext sslContext; - public CloseableHttpClientProvider(int timeout) { + public CloseableHttpsClientProvider(SSLContext sslContext, int timeout) { + this.sslContext = sslContext; this.timeout = timeout; } @@ -39,6 +43,9 @@ public class CloseableHttpClientProvider { .setConnectTimeout(timeout) .setSocketTimeout(timeout) .build(); - return HttpClientBuilder.create().setDefaultRequestConfig(config).build(); + + return HttpClientBuilder.create() + .setSSLContext(sslContext) + .setDefaultRequestConfig(config).build(); } } diff --git a/certServiceClient/src/main/java/org/onap/aaf/certservice/client/httpclient/HttpClient.java b/certServiceClient/src/main/java/org/onap/aaf/certservice/client/httpclient/HttpClient.java index 7512830d..0780afad 100644 --- a/certServiceClient/src/main/java/org/onap/aaf/certservice/client/httpclient/HttpClient.java +++ b/certServiceClient/src/main/java/org/onap/aaf/certservice/client/httpclient/HttpClient.java @@ -44,10 +44,10 @@ public class HttpClient { private static final String CHARSET_UTF_8 = "UTF-8"; private final Gson gson = new Gson(); - private final CloseableHttpClientProvider httpClientProvider; + private final CloseableHttpsClientProvider httpClientProvider; private final String certServiceAddress; - public HttpClient(CloseableHttpClientProvider httpClientProvider, String certServiceAddress) { + public HttpClient(CloseableHttpsClientProvider httpClientProvider, String certServiceAddress) { this.httpClientProvider = httpClientProvider; this.certServiceAddress = certServiceAddress; } diff --git a/certServiceClient/src/test/java/org/onap/aaf/certservice/client/configuration/factory/SslContextFactoryTest.java b/certServiceClient/src/test/java/org/onap/aaf/certservice/client/configuration/factory/SslContextFactoryTest.java new file mode 100644 index 00000000..e71e9895 --- /dev/null +++ b/certServiceClient/src/test/java/org/onap/aaf/certservice/client/configuration/factory/SslContextFactoryTest.java @@ -0,0 +1,197 @@ +/* + * ============LICENSE_START======================================================= + * aaf-certservice-client + * ================================================================================ + * Copyright (C) 2020 Nokia. All rights reserved. + * ================================================================================ + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * ============LICENSE_END========================================================= + */ + +package org.onap.aaf.certservice.client.configuration.factory; + +import org.junit.jupiter.api.Test; +import org.junit.jupiter.api.extension.ExtendWith; +import org.mockito.Mock; +import org.mockito.junit.jupiter.MockitoExtension; +import org.onap.aaf.certservice.client.configuration.EnvsForTls; +import org.onap.aaf.certservice.client.configuration.exception.TlsConfigurationException; + +import javax.net.ssl.SSLContext; +import java.util.Optional; + +import static org.assertj.core.api.Assertions.assertThat; +import static org.junit.jupiter.api.Assertions.assertNotNull; +import static org.junit.jupiter.api.Assertions.assertThrows; +import static org.mockito.Mockito.when; + + +@ExtendWith(MockitoExtension.class) +public class SslContextFactoryTest { + + public static final String INVALID_KEYSTORE_PATH = "nonexistent/keystore"; + public static final String VALID_KEYSTORE_NAME = "keystore.jks"; + public static final String VALID_KEYSTORE_PASSWORD = "secret"; + public static final String INVALID_KEYSTORE_PASSWORD = "wrong_secret"; + public static final String INVALID_TRUSTSTORE_PATH = "nonexistent/truststore"; + public static final String VALID_TRUSTSTORE_PASSWORD = "secret"; + public static final String INVALID_TRUSTSTORE_PASSWORD = "wrong_secret"; + public static final String VALID_TRUSTSTORE_NAME = "truststore.jks"; + @Mock + private EnvsForTls envsForTls; + + @Test + public void shouldThrowExceptionWhenKeystorePathEnvIsMissing() { + // Given + when(envsForTls.getKeystorePath()).thenReturn(Optional.empty()); + SslContextFactory sslContextFactory = new SslContextFactory(envsForTls); + + // When, Then + Exception exception = assertThrows( + TlsConfigurationException.class, sslContextFactory::create + ); + assertThat(exception.getMessage()).contains("KEYSTORE_PATH"); + } + + @Test + public void shouldThrowExceptionWhenKeystorePasswordEnvIsMissing() { + // Given + when(envsForTls.getKeystorePath()).thenReturn(Optional.of("keystore")); + when(envsForTls.getKeystorePassword()).thenReturn(Optional.empty()); + SslContextFactory sslContextFactory = new SslContextFactory(envsForTls); + + // When, Then + Exception exception = assertThrows( + TlsConfigurationException.class, sslContextFactory::create + ); + assertThat(exception.getMessage()).contains("KEYSTORE_PASSWORD"); + } + + @Test + public void shouldThrowExceptionWhenTruststorePathEnvIsMissing() { + // Given + when(envsForTls.getKeystorePath()).thenReturn(Optional.of("keystore")); + when(envsForTls.getKeystorePassword()).thenReturn(Optional.of("password")); + when(envsForTls.getTruststorePath()).thenReturn(Optional.empty()); + SslContextFactory sslContextFactory = new SslContextFactory(envsForTls); + + // When, Then + Exception exception = assertThrows( + TlsConfigurationException.class, sslContextFactory::create + ); + assertThat(exception.getMessage()).contains("TRUSTSTORE_PATH"); + } + + @Test + public void shouldThrowExceptionWhenTruststorePasswordEnvIsMissing() { + // Given + when(envsForTls.getKeystorePath()).thenReturn(Optional.of("keystore")); + when(envsForTls.getKeystorePassword()).thenReturn(Optional.of("password")); + when(envsForTls.getTruststorePath()).thenReturn(Optional.of("truststore")); + when(envsForTls.getTruststorePassword()).thenReturn(Optional.empty()); + SslContextFactory sslContextFactory = new SslContextFactory(envsForTls); + + // When, Then + Exception exception = assertThrows( + TlsConfigurationException.class, sslContextFactory::create + ); + assertThat(exception.getMessage()).contains("TRUSTSTORE_PASSWORD"); + } + + @Test + public void shouldThrowExceptionWhenKeystoreIsMissing() { + // Given + when(envsForTls.getKeystorePath()).thenReturn(Optional.of(INVALID_KEYSTORE_PATH)); + when(envsForTls.getKeystorePassword()).thenReturn(Optional.of("secret")); + when(envsForTls.getTruststorePath()).thenReturn(Optional.of("truststore.jks")); + when(envsForTls.getTruststorePassword()).thenReturn(Optional.of("secret")); + SslContextFactory sslContextFactory = new SslContextFactory(envsForTls); + + // When, Then + assertThrows( + TlsConfigurationException.class, sslContextFactory::create + ); + } + + @Test + public void shouldThrowExceptionWhenKeystorePasswordIsWrong() { + // Given + String keystorePath = getResourcePath(VALID_KEYSTORE_NAME); + when(envsForTls.getKeystorePath()).thenReturn(Optional.of(keystorePath)); + when(envsForTls.getKeystorePassword()).thenReturn(Optional.of(INVALID_KEYSTORE_PASSWORD)); + when(envsForTls.getTruststorePath()).thenReturn(Optional.of(VALID_TRUSTSTORE_NAME)); + when(envsForTls.getTruststorePassword()).thenReturn(Optional.of(VALID_TRUSTSTORE_PASSWORD)); + SslContextFactory sslContextFactory = new SslContextFactory(envsForTls); + + // When, Then + assertThrows( + TlsConfigurationException.class, sslContextFactory::create + ); + } + + @Test + public void shouldThrowExceptionWhenTruststoreIsMissing() { + // Given + String keystorePath = getResourcePath(VALID_KEYSTORE_NAME); + when(envsForTls.getKeystorePath()).thenReturn(Optional.of(keystorePath)); + when(envsForTls.getKeystorePassword()).thenReturn(Optional.of(VALID_KEYSTORE_PASSWORD)); + when(envsForTls.getTruststorePath()).thenReturn(Optional.of(INVALID_TRUSTSTORE_PATH)); + when(envsForTls.getTruststorePassword()).thenReturn(Optional.of(VALID_TRUSTSTORE_PASSWORD)); + SslContextFactory sslContextFactory = new SslContextFactory(envsForTls); + + // When, Then + assertThrows( + TlsConfigurationException.class, sslContextFactory::create + ); + } + + @Test + public void shouldThrowExceptionWhenTruststorePasswordIsWrong() { + // Given + String keystorePath = getResourcePath(VALID_KEYSTORE_NAME); + String truststorePath = getResourcePath(VALID_TRUSTSTORE_NAME); + when(envsForTls.getKeystorePath()).thenReturn(Optional.of(keystorePath)); + when(envsForTls.getKeystorePassword()).thenReturn(Optional.of(VALID_KEYSTORE_PASSWORD)); + when(envsForTls.getTruststorePath()).thenReturn(Optional.of(truststorePath)); + when(envsForTls.getTruststorePassword()).thenReturn(Optional.of(INVALID_TRUSTSTORE_PASSWORD)); + SslContextFactory sslContextFactory = new SslContextFactory(envsForTls); + + // When, Then + assertThrows( + TlsConfigurationException.class, sslContextFactory::create + ); + } + + @Test + public void shouldReturnSSLContext() throws TlsConfigurationException { + // Given + String keystorePath = getResourcePath(VALID_KEYSTORE_NAME); + String truststorePath = getResourcePath(VALID_TRUSTSTORE_NAME); + when(envsForTls.getKeystorePath()).thenReturn(Optional.of(keystorePath)); + when(envsForTls.getKeystorePassword()).thenReturn(Optional.of(VALID_KEYSTORE_PASSWORD)); + when(envsForTls.getTruststorePath()).thenReturn(Optional.of(truststorePath)); + when(envsForTls.getTruststorePassword()).thenReturn(Optional.of(VALID_TRUSTSTORE_PASSWORD)); + SslContextFactory sslContextFactory = new SslContextFactory(envsForTls); + + // When + SSLContext sslContext = sslContextFactory.create(); + + // Then + assertNotNull(sslContext); + } + + private String getResourcePath(String resource) { + return getClass().getClassLoader().getResource(resource).getFile(); + } +} + diff --git a/certServiceClient/src/test/java/org/onap/aaf/certservice/client/configuration/model/ClientConfigurationFactoryTest.java b/certServiceClient/src/test/java/org/onap/aaf/certservice/client/configuration/model/ClientConfigurationFactoryTest.java index c936ef52..f4f92495 100644 --- a/certServiceClient/src/test/java/org/onap/aaf/certservice/client/configuration/model/ClientConfigurationFactoryTest.java +++ b/certServiceClient/src/test/java/org/onap/aaf/certservice/client/configuration/model/ClientConfigurationFactoryTest.java @@ -38,8 +38,8 @@ public class ClientConfigurationFactoryTest { private final String CA_NAME_VALID = "caaaftest2"; private final String TIME_OUT_VALID = "30000"; private final String OUTPUT_PATH_VALID = "/opt/app/osaaf"; - private final String URL_TO_CERT_SERVICE_VALID = "http://cert-service:8080/v1/certificate/"; - private final String URL_TO_CERT_SERVICE_DEFAULT = "http://aaf-cert-service-service:8080/v1/certificate/"; + private final String URL_TO_CERT_SERVICE_VALID = "https://cert-service:8443/v1/certificate/"; + private final String URL_TO_CERT_SERVICE_DEFAULT = "https://aaf-cert-service:8443/v1/certificate/"; private final String CA_NAME_INVALID = "caaaftest2#$"; private final String OUTPUT_PATH_INVALID = "/opt//app/osaaf"; diff --git a/certServiceClient/src/test/java/org/onap/aaf/certservice/client/httpclient/HttpClientTest.java b/certServiceClient/src/test/java/org/onap/aaf/certservice/client/httpclient/HttpClientTest.java index 2a539414..60c2e93d 100644 --- a/certServiceClient/src/test/java/org/onap/aaf/certservice/client/httpclient/HttpClientTest.java +++ b/certServiceClient/src/test/java/org/onap/aaf/certservice/client/httpclient/HttpClientTest.java @@ -66,7 +66,7 @@ class HttpClientTest { statusLine = mock(StatusLine.class); httpResponse = mock(CloseableHttpResponse.class); - CloseableHttpClientProvider httpClientProvider = mock(CloseableHttpClientProvider.class); + CloseableHttpsClientProvider httpClientProvider = mock(CloseableHttpsClientProvider.class); when(httpClientProvider.getClient()).thenReturn(closeableHttpClient); String testCertServiceAddress = ""; diff --git a/certServiceClient/src/test/resources/keystore.jks b/certServiceClient/src/test/resources/keystore.jks Binary files differnew file mode 100644 index 00000000..0de9a18d --- /dev/null +++ b/certServiceClient/src/test/resources/keystore.jks diff --git a/certServiceClient/src/test/resources/truststore.jks b/certServiceClient/src/test/resources/truststore.jks Binary files differnew file mode 100644 index 00000000..2686690e --- /dev/null +++ b/certServiceClient/src/test/resources/truststore.jks diff --git a/certs/Makefile b/certs/Makefile new file mode 100644 index 00000000..6d90f65f --- /dev/null +++ b/certs/Makefile @@ -0,0 +1,110 @@ +all: step_1 step_2 step_3 step_4 step_5 step_6 step_7 step_8 step_9 step_10 step_11 step_12 step_13 step_14 step_15 +.PHONY: all +#Clear certificates +clear: + @echo "Clear certificates" + rm certServiceClient-keystore.jks certServiceServer-keystore.jks root.crt truststore.jks certServiceServer-keystore.p12 + @echo "#####done#####" + +#Generate root private and public keys +step_1: + @echo "Generate root private and public keys" + keytool -genkeypair -v -alias root -keyalg RSA -keysize 4096 -validity 3650 -keystore root-keystore.jks \ + -dname "CN=root.com, OU=Root Org, O=Root Company, L=Wroclaw, ST=Dolny Slask, C=PL" -keypass secret \ + -storepass secret -ext BasicConstraints:critical="ca:true" + @echo "#####done#####" + +#Export public key as certificate +step_2: + @echo "(Export public key as certificate)" + keytool -exportcert -alias root -keystore root-keystore.jks -storepass secret -file root.crt -rfc + @echo "#####done#####" + +#Self-signed root (import root certificate into truststore) +step_3: + @echo "(Self-signed root (import root certificate into truststore))" + keytool -importcert -alias root -keystore truststore.jks -file root.crt -storepass secret -noprompt + @echo "#####done#####" + +#Generate certService's client private and public keys +step_4: + @echo "Generate certService's client private and public keys" + keytool -genkeypair -v -alias certServiceClient -keyalg RSA -keysize 2048 -validity 730 \ + -keystore certServiceClient-keystore.jks -storetype JKS \ + -dname "CN=certServiceClient.com,OU=certServiceClient company,O=certServiceClient org,L=Wroclaw,ST=Dolny Slask,C=PL" \ + -keypass secret -storepass secret + @echo "####done####" + +#Generate certificate signing request for certService's client +step_5: + @echo "Generate certificate signing request for certService's client" + keytool -certreq -keystore certServiceClient-keystore.jks -alias certServiceClient -storepass secret -file certServiceClient.csr + @echo "####done####" + +#Sign certService's client certificate by root CA +step_6: + @echo "Sign certService's client certificate by root CA" + keytool -gencert -v -keystore root-keystore.jks -storepass secret -alias root -infile certServiceClient.csr \ + -outfile certServiceClientByRoot.crt -rfc -ext bc=0 -ext ExtendedkeyUsage="serverAuth,clientAuth" + @echo "####done####" + +#Import root certificate into client +step_7: + @echo "Import root certificate into intermediate" + cat root.crt >> certServiceClientByRoot.crt + @echo "####done####" + +#Import signed certificate into certService's client +step_8: + @echo "Import signed certificate into certService's client" + keytool -importcert -file certServiceClientByRoot.crt -destkeystore certServiceClient-keystore.jks -alias certServiceClient -storepass secret -noprompt + @echo "####done####" + +#Generate certService private and public keys +step_9: + @echo "Generate certService private and public keys" + keytool -genkeypair -v -alias aaf-cert-service -keyalg RSA -keysize 2048 -validity 730 \ + -keystore certServiceServer-keystore.jks -storetype JKS \ + -dname "CN=aaf-cert-service,OU=certServiceServer company,O=certServiceServer org,L=Wroclaw,ST=Dolny Slask,C=PL" \ + -keypass secret -storepass secret -ext BasicConstraints:critical="ca:false" + @echo "####done####" + +#Generate certificate signing request for certService +step_10: + @echo "Generate certificate signing request for certService" + keytool -certreq -keystore certServiceServer-keystore.jks -alias aaf-cert-service -storepass secret -file certServiceServer.csr + @echo "####done####" + +#Sign certService certificate by root CA +step_11: + @echo "Sign certService certificate by root CA" + keytool -gencert -v -keystore root-keystore.jks -storepass secret -alias root -infile certServiceServer.csr \ + -outfile certServiceServerByRoot.crt -rfc -ext bc=0 -ext ExtendedkeyUsage="serverAuth,clientAuth" \ + -ext SubjectAlternativeName:="DNS:aaf-cert-service,DNS:localhost" + @echo "####done####" + +#Import root certificate into server +step_12: + @echo "Import root certificate into intermediate(server)" + cat root.crt >> certServiceServerByRoot.crt + @echo "####done####" + +#Import signed certificate into certService +step_13: + @echo "Import signed certificate into certService" + keytool -importcert -file certServiceServerByRoot.crt -destkeystore certServiceServer-keystore.jks -alias aaf-cert-service \ + -storepass secret -noprompt + @echo "####done####" + +#Convert certServiceServer-keystore(.jks) to PCKS12 format(.p12) +step_14: + @echo "Convert certServiceServer-keystore(.jks) to PCKS12 format(.p12)" + keytool -importkeystore -srckeystore certServiceServer-keystore.jks -srcstorepass secret \ + -destkeystore certServiceServer-keystore.p12 -deststoretype PKCS12 -deststorepass secret + @echo "#####done#####" + +#Clear unused certificates +step_15: + @echo "Clear unused certificates" + rm certServiceClientByRoot.crt certServiceClient.csr root-keystore.jks certServiceServerByRoot.crt certServiceServer.csr + @echo "#####done#####" diff --git a/certs/certServiceClient-keystore.jks b/certs/certServiceClient-keystore.jks Binary files differnew file mode 100644 index 00000000..f24908c5 --- /dev/null +++ b/certs/certServiceClient-keystore.jks diff --git a/certs/certServiceServer-keystore.jks b/certs/certServiceServer-keystore.jks Binary files differnew file mode 100644 index 00000000..89605b6b --- /dev/null +++ b/certs/certServiceServer-keystore.jks diff --git a/certs/certServiceServer-keystore.p12 b/certs/certServiceServer-keystore.p12 Binary files differnew file mode 100644 index 00000000..2106c817 --- /dev/null +++ b/certs/certServiceServer-keystore.p12 diff --git a/certs/root.crt b/certs/root.crt new file mode 100644 index 00000000..faeee813 --- /dev/null +++ b/certs/root.crt @@ -0,0 +1,32 @@ +-----BEGIN CERTIFICATE----- +MIIFlDCCA3ygAwIBAgIETsAy8jANBgkqhkiG9w0BAQwFADByMQswCQYDVQQGEwJQ
+TDEUMBIGA1UECBMLRG9sbnkgU2xhc2sxEDAOBgNVBAcTB1dyb2NsYXcxFTATBgNV
+BAoTDFJvb3QgQ29tcGFueTERMA8GA1UECxMIUm9vdCBPcmcxETAPBgNVBAMTCHJv
+b3QuY29tMB4XDTIwMDQwMzA5MTYxNloXDTMwMDQwMTA5MTYxNlowcjELMAkGA1UE
+BhMCUEwxFDASBgNVBAgTC0RvbG55IFNsYXNrMRAwDgYDVQQHEwdXcm9jbGF3MRUw
+EwYDVQQKEwxSb290IENvbXBhbnkxETAPBgNVBAsTCFJvb3QgT3JnMREwDwYDVQQD
+Ewhyb290LmNvbTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAImm68wu
+rtdkVrC5JI2y53+DoVE4al7NxC2yHeVW0PRD3CgW1xba6dlSQoDQQKkDkxtuNhlU
+IQxU1bbKR6syqJgpJXwSDx4sl4J5lQGWN+iuNA72C1IyXATOgowGq6PbOVVTkApy
+3+ZZGBCmweTjhvddAO7k5p8v+ePt17VvBTxSt6rSvrkGMbpCxBGAPfGpL9xykm9Z
+okVSlA42gGhbra499QTT0Yc/WPPFotKkDKFGaDrLW3NYX1Lio11myYNvLOMwfSEV
+Xy9vkwxcdqFJpHjx+EVLLQXwkudZP+D53N4bk8nP3SacbZSQ/A85mZpWNtw+r9QL
+fZGecY1YIR0udLj66CIG3ybl3gSXX7TSRERTIMR6Um1lt+039FSa18mRBpQTCDXV
+tSL58Qs5BHFkCe0sGpY+XiSEypc6oYPf/7YjiTvMT/mHhDffrvFjhK+wP/oCIg8u
+vuPRoPWuyw41bBeFGitJgDn7E8p9B4K/1DCO/ZcjXiYMgn5Hwb3ojablYUeiXs99
+2AAV8gCceUCdgcP8d6wdAydOVljavkgHPG0IMbiVG1WT57oM3HQpejgpujlKDDsI
+bi9/lbcC/U0JoN9yAaJZFr7CXJrxRv8DWeTwzMTo203KHNu9roQiERd38P8Dp6AQ
+ivmqf0+0VZM3IpjWBYKM68tclHJcG+7wyFjvAgMBAAGjMjAwMB0GA1UdDgQWBBSN
+lFyR56zh67mnvYTmmgJQVxEJrjAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEB
+DAUAA4ICAQBczmFY0kmr1FK50glkT282ur0vukNtwXQNJONof3rYRqP2W98jID6D
+ayma0B4/H1EqCa0d66wRBxFdwW+MqOc4uWD3uUwgazrYD/Bv+V3aumaw8yX6vbyL
+hLNfpd4pViAEGtzYxYfMfFR6uzInF3NMpvt8OXCSGKiQjDMnMs0ekvUZLJm7yxwT
+Qr9aAEFYQYM/GstUC6qFfuUa4MaGvmyKWhZ10JoKXYbGGeFU4wI7Kzifh3VvawTg
+r314ZvQ3zpEwzNJpdvT5ZKuPvyN+drAKFpSPfOTFmmb3uF95FgYq33OFPpo7SR43
+tnw5u5YqKnsHmqCIRMctWiYZc8rBJ3+eBGmke6z/AN6FraG6Ejc8e4WPclrB8STb
++oB3a4Cvri1VHyodkm50Sb/d1FAMDXvzEPBfu2D0dVvOwOcISSN/MQUom8NN4YeI
+aEATdAPNkokgehOzZ1OPRv47FKYEVPCXjaZEWAC7NNmNiRn4RQOti0DlNrLL7Nx9
+vK09G0EnW01MO2ARRkZ3dog+Ph7orJQV3sd7TO4EEortqWtbegSH75ylyYw6rt/j
+uBzYtMOnEtnQKhxj4Wj7PO+StCgspoOByn0d+iSgDd2TlpWm4naP2pfFZT0R+TOH
+wzSH0F47TSfRd0++uEz/QhViybrvQK7yMt1G1YwZp2im+imuWwUC8Q== +-----END CERTIFICATE----- diff --git a/certs/truststore.jks b/certs/truststore.jks Binary files differnew file mode 100644 index 00000000..c32d37fd --- /dev/null +++ b/certs/truststore.jks diff --git a/compose-resources/client-configuration.env b/compose-resources/client-configuration.env index e79aa618..bc62f1f7 100644 --- a/compose-resources/client-configuration.env +++ b/compose-resources/client-configuration.env @@ -1,6 +1,6 @@ #Client envs -REQUEST_URL=http://aafcert-service:8080/v1/certificate/ -REQUEST_TIMEOUT=1000 +REQUEST_URL=https://aaf-cert-service:8443/v1/certificate/ +REQUEST_TIMEOUT=10000 OUTPUT_PATH=/var/certs CA_NAME=RA #Csr config envs @@ -11,4 +11,8 @@ LOCATION=San-Francisco STATE=California COUNTRY=US SANS=example.org - +#Tls config envs +KEYSTORE_PATH=/etc/onap/aaf/certservice/certs/certServiceClient-keystore.jks +KEYSTORE_PASSWORD=secret +TRUSTSTORE_PATH=/etc/onap/aaf/certservice/certs/truststore.jks +TRUSTSTORE_PASSWORD=secret diff --git a/docker-compose.yml b/docker-compose.yml index 851ad317..1ce8ed48 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -18,16 +18,25 @@ services: networks: - certservice - certservice: + aaf-cert-service: image: onap/org.onap.aaf.certservice.aaf-certservice-api:latest - container_name: aafcert-service volumes: - ./certService/helm/aaf-cert-service/resources/cmpServers.json:/etc/onap/aaf/certservice/cmpServers.json + - ./certs/truststore.jks:/etc/onap/aaf/certservice/certs/truststore.jks + - ./certs/root.crt:/etc/onap/aaf/certservice/certs/root.crt + - ./certs/certServiceServer-keystore.jks:/etc/onap/aaf/certservice/certs/certServiceServer-keystore.jks + - ./certs/certServiceServer-keystore.p12:/etc/onap/aaf/certservice/certs/certServiceServer-keystore.p12 + container_name: aafcert-service ports: - - "8080:8080" + - "8443:8443" depends_on: ejbca: condition: service_healthy + healthcheck: + test: ["CMD-SHELL", "curl https://localhost:8443/actuator/health --cacert /etc/onap/aaf/certservice/certs/root.crt --cert-type p12 --cert /etc/onap/aaf/certservice/certs/certServiceServer-keystore.p12 --pass secret"] + interval: 10s + timeout: 3s + retries: 15 networks: - certservice diff --git a/docs/sections/configuration.rst b/docs/sections/configuration.rst index d49c86bd..d77a2da0 100644 --- a/docs/sections/configuration.rst +++ b/docs/sections/configuration.rst @@ -20,7 +20,7 @@ Certification Service Client image: .. code-block:: #Client envs - REQUEST_URL=http://aaf-cert-service-service:8080/v1/certificate/ + REQUEST_URL=http://aaf-cert-service:8080/v1/certificate/ REQUEST_TIMEOUT=1000 OUTPUT_PATH=/var/certs CA_NAME=RA @@ -77,7 +77,7 @@ Example deployment: imagePullPolicy: Always env: - name: REQUEST_URL - value: http://aaf-cert-service-service:8080/v1/certificate/ + value: http://aaf-cert-service:8080/v1/certificate/ - name: REQUEST_TIMEOUT value: "1000" - name: OUTPUT_PATH @@ -114,18 +114,6 @@ <goal>repackage</goal> </goals> </execution> - <execution> - <id>pre-integration-test</id> - <goals> - <goal>start</goal> - </goals> - </execution> - <execution> - <id>post-integration-test</id> - <goals> - <goal>stop</goal> - </goals> - </execution> </executions> </plugin> <plugin> |