author: Bogumil Zebek <bogumil.zebek@nokia.com> 2020-08-21 12:07:57 +0200
committer: Zebek Bogumil <bogumil.zebek@nokia.com> 2020-08-21 12:07:57 +0200
commit: fe4c4957e2dd09ab09cd0486424416470c9d1730
tree: 0f402361049424b7e41936e9034c3087d658ffc5
parent: 9c93bea8d63794a1d82ad3743bc713b3fbbb3967
Remove documentation

Project was abandoned since release G.

Issue-ID: OOM-2526
Signed-off-by: Zebek Bogumil <bogumil.zebek@nokia.com>
Change-Id: I711ffb123af71917bf4d58aad5fb14b2f696dd68
-rw-r--r-- README.md 4
-rw-r--r-- docs/index.rst 18
-rw-r--r-- docs/sections/architecture.rst 32
-rw-r--r-- docs/sections/build.rst 61
-rw-r--r-- docs/sections/configuration.rst 261
-rw-r--r-- docs/sections/installation.rst 26
-rw-r--r-- docs/sections/introduction.rst 38
-rw-r--r-- docs/sections/logging.rst 124
-rw-r--r-- docs/sections/offeredapis.rst 171
-rw-r--r-- docs/sections/release-notes.rst 176
-rw-r--r-- docs/sections/resources/OpenAPI.yaml 162
-rw-r--r-- docs/sections/resources/certService_cert_enrollment_flow.png bin 143610 -> 0 bytes
-rw-r--r-- docs/sections/resources/certservice_high_level.png bin 20276 -> 0 bytes
-rw-r--r-- docs/sections/resources/cmpv2_context_view.png bin 20201 -> 0 bytes
-rw-r--r-- docs/sections/troubleshooting.rst 9
-rw-r--r-- docs/sections/usage.rst 211
16 files changed, 8 insertions, 1285 deletions
diff --git a/README.md b/README.md
index c3a30ce0..c5220308 100644
--- a/README.md
+++ b/README.md
@@ -1,4 +1,8 @@
# Cert service
+21-08-2020
+THIS PROJECT WAS ABANDON IN RELEASE Guilin!
+New version of CertService is developed begin release Guilin in https://gerrit.onap.org/r/admin/repos/oom/platform/cert-service
+repository.
### General description
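Review bot: the four added lines are consecutive with no blank line between them, so Markdown will render the date, the warning and the repository pointer as one run-on paragraph under `# Cert service`; put a blank line after the date and after the warning. The wording needs a pass as well: "WAS ABANDON" should read "WAS ABANDONED", "is developed begin release Guilin" should read "is developed starting from release Guilin", and `21-08-2020` is safer as `2020-08-21`. Since `### General description` and what follows it stay in place, say in the notice whether that description still applies to the released Frankfurt versions.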
diff --git a/docs/index.rst b/docs/index.rst
index 43ea942d..fb2c3a62 100644
--- a/docs/index.rst
+++ b/docs/index.rst
@@ -6,20 +6,10 @@
AAF Certification Service
==========================================
-.. toctree::
- :maxdepth: 2
- :caption: Contents:
-
- sections/introduction.rst
- sections/architecture.rst
- sections/build.rst
- sections/offeredapis.rst
- sections/usage.rst
- sections/logging.rst
- sections/installation.rst
- sections/configuration.rst
- sections/release-notes.rst
- sections/troubleshooting.rst
+21-08-2020
+THIS PROJECT WAS ABANDON IN RELEASE Guilin!
+New version of CertService is developed begin release Guilin in https://gerrit.onap.org/r/admin/repos/oom/platform/cert-service
+repository.
Indices and tables
==================
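Review bot: the notice added in place of the toctree is a verbatim copy of the README text, including "WAS ABANDON" and "is developed begin release Guilin", and its four consecutive lines will be rendered by Sphinx as a single paragraph; fix the wording and consider wrapping it in a `.. warning::` directive so it stands out on the built page. The `Indices and tables` section is kept even though every section page is deleted in this commit, so it will have nothing to index; drop it or leave a one-line explanation. The link points at the Gerrit admin view of oom/platform/cert-service; a link to that project's documentation would serve readers of this page better.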
diff --git a/docs/sections/architecture.rst b/docs/sections/architecture.rst
deleted file mode 100644
index 9166aa39..00000000
--- a/docs/sections/architecture.rst
+++ /dev/null
@@ -1,32 +0,0 @@
-.. This work is licensed under a Creative Commons Attribution 4.0 International License.
-.. http://creativecommons.org/licenses/by/4.0
-.. Copyright 2020 NOKIA
-.. _architecture:
-
-Architecture
-============
-
-Interaction between components
-------------------------------
-
-.. image:: resources/certservice_high_level.png
- :width: 855px
- :height: 223px
- :alt: Interaction between components
-
-The micro-service called CertService is designed for requesting certificates signed by external Certificate Authority (CA) using CMP over HTTP protocol. It uses CMPv2 client to send and receive CMPv2 messages.
-
-CertService's client is also provided so other ONAP components (aka end components) can easily get certificate from CertService. End component is an ONAP component (e.g. DCAE collector or controller) which requires certificate from CMPv2 server to protect external traffic and uses CertService's client to get it.
-
-CertService's client communicates with CertService via REST API over HTTPS, while CertService with CMPv2 server via CMP over HTTP.
-
-To proof that CertService works Open Source CMPv2 server (EJBCA) is deployed and used in E2E tests.
-
-
-Simplified certificate enrollment flow
---------------------------------------
-
-.. image:: resources/certService_cert_enrollment_flow.png
- :width: 1191px
- :height: 893px
- :alt: Simplified certificate enrollment flow
diff --git a/docs/sections/build.rst b/docs/sections/build.rst
deleted file mode 100644
index 44c38c46..00000000
--- a/docs/sections/build.rst
+++ /dev/null
@@ -1,61 +0,0 @@
-.. This work is licensed under a Creative Commons Attribution 4.0 International License.
-.. http://creativecommons.org/licenses/by/4.0
-.. Copyright 2020 NOKIA
-
-Build
-======
-
-Jenkins
--------
-#. JJB Master
-
- https://jenkins.onap.org/view/aaf/job/aaf-certservice-master-merge-java/
-
-#. JJB Stage
-
- https://jenkins.onap.org/view/aaf/job/aaf-certservice-maven-docker-stage-master/
-
-#. JJB Release
-
- https://jenkins.onap.org/view/aaf/job/aaf-certservice-maven-stage-master/
- https://jenkins.onap.org/view/aaf/job/aaf-certservice-release-merge/
-
-#. JJB CSIT
-
- https://jenkins.onap.org/view/CSIT/job/aaf-master-csit-certservice/
-
-Environment
------------
-
-* Java 11
-* Apache Maven 3.6.0
-* Linux
-* Docker 18.09.5
-* Python 2.7.x
-
-How to build images?
---------------------
-
-#. Checkout the project from https://gerrit.onap.org/r/#/admin/projects/aaf/certservice
-#. Read information stored in README.md file
-#. Use a Makefile to build images::
-
- make build
-
-How to start service locally?
------------------------------------------------
-#. Start Cert Service with configured EJBCA::
-
- make start-backend
-
-#. Run Cert Service Client::
-
- make run-client
-
-#. Remove client container::
-
- make stop-client
-
-#. Stop Cert Service and EJBCA::
-
- make stop-backend
diff --git a/docs/sections/configuration.rst b/docs/sections/configuration.rst
deleted file mode 100644
index b325712e..00000000
--- a/docs/sections/configuration.rst
+++ /dev/null
@@ -1,261 +0,0 @@
-.. This work is licensed under a Creative Commons Attribution 4.0 International License.
-.. http://creativecommons.org/licenses/by/4.0
-.. Copyright 2020 NOKIA
-
-Configuration
-==============
-
-
-Configuring Cert Service
-------------------------
-Cert Service keeps configuration of CMP Servers in file *cmpServers.json*.
-
-Example cmpServers.json file:
-
-.. code-block:: json
-
- {
- "cmpv2Servers": [
- {
- "caName": "Client",
- "url": "http://aafcert-ejbca:8080/ejbca/publicweb/cmp/cmp",
- "issuerDN": "CN=ManagementCA",
- "caMode": "CLIENT",
- "authentication": {
- "iak": "mypassword",
- "rv": "mypassword"
- }
- },
- {
- "caName": "RA",
- "url": "http://aafcert-ejbca:8080/ejbca/publicweb/cmp/cmpRA",
- "issuerDN": "CN=ManagementCA",
- "caMode": "RA",
- "authentication": {
- "iak": "mypassword",
- "rv": "mypassword"
- }
- }
- ]
- }
-
-This contains list of CMP Servers, where each server has following properties:
-
- - *caName* - name of the external CA server. It's used to match *CA_NAME* sent by CertService client in order to match proper configuration.
- - *url* - URL to CMPv2 server
- - *issuerDN* - Distinguished Name of the CA that will sign the certificate
- - *caMode* - Issuer mode. Allowed values are *CLIENT* and *RA*
- - *authentication*
-
- - *iak* - Initial authentication key, used to authenticate request in CMPv2 server
- - *rv* - Reference value, used to authenticate request in CMPv2 server
-
-
-
-This configuration is read on the application start. It can also be reloaded in runtime, by calling HTTPS endpoint.
-
-Next sections explain how to configure Cert Service in local (docker-compose) and OOM Deployments.
-
-
-Configuring in local (docker-compose) deployment:
-^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
-
-Before application start:
-"""""""""""""""""""""""""
-
-1. Edit *cmpServers.json* file in certservice/compose-resources
-2. Start containers::
-
- make start-backend
-
-When application is running:
-""""""""""""""""""""""""""""
-
-1. Find CertService docker container name.
-2. Enter container::
-
- docker exec -it <certservice-container-name> bash
-
- e.g.
- docker exec -it aafcert-service bash
-
-3. Edit *cmpServers.json* file::
-
- vim /etc/onap/aaf/certservice/cmpServers.json
-
-4. Save the file. Note that this file is mounted as volume, so change will be persistent.
-5. Reload configuration::
-
- curl -I https://localhost:8443/reload --cacert /etc/onap/aaf/certservice/certs/root.crt --cert-type p12 --cert /etc/onap/aaf/certservice/certs/certServiceServer-keystore.p12 --pass $KEYSTORE_PASSWORD
-
-6. Exit container::
-
- exit
-
-
-Configuring in OOM deployment:
-^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
-
-Before OOM installation:
-""""""""""""""""""""""""
-
-Note! This must be executed before calling *make all* (from OOM Installation) or needs remaking AAF charts.
-
-
-1. Edit *cmpServers.json* file. If OOM *global.addTestingComponents* flag is set to:
-
- - *true* - edit *kubernetes/aaf/charts/aaf-cert-service/resources/test/cmpServers.json*
- - *false* - edit *kubernetes/aaf/charts/aaf-cert-service/resources/default/cmpServers.json*
-
-2. Build and start OOM deployment
-
-When CertService is deployed:
-"""""""""""""""""""""""""""""
-
-1. Create file with configuration
-
-2. Encode your configuration to base64::
-
- cat <configuration_file> | base64
-
-3. Edit secret::
-
- kubectl -n onap edit secret <cmp-servers-secret-name>
-
- e.g.
- kubectl -n onap edit secret aaf-cert-service-secret
-
-4. Replace value for *cmpServers.json* with your base64 encoded configuration. For example:
-
- .. code-block:: yaml
-
- apiVersion: v1
- data:
- cmpServers.json: <HERE_PLACE_YOUR_BASE64_ENCODED_CONFIG>
- kind: Secret
- metadata:
- creationTimestamp: "2020-04-21T16:30:29Z"
- name: aaf-cert-service-secret
- namespace: default
- resourceVersion: "33892990"
- selfLink: /api/v1/namespaces/default/secrets/aaf-cert-service-secret
- uid: 6a037526-83ed-11ea-b731-fa163e2144f6
- type: Opaque
-
-5. Save and exit
-6. New configuration will be automatically mounted to CertService pod, but application configuration reload is needed.
-7. To reload configuration enter CertService pod::
-
- kubectl -n onap exec -it <cert-service-pod-name> bash
-
- e.g.
- kubectl -n onap exec -it $(kubectl -n onap get pods | grep cert-service | awk '{print $1}') bash
-
-8. Reload configuration::
-
- curl -I https://localhost:$HTTPS_PORT/reload --cacert $ROOT_CERT --cert-type p12 --cert $KEYSTORE_P12_PATH --pass $KEYSTORE_PASSWORD
-
-9. Exit container::
-
- exit
-
-
-Generating certificates for CertService and CertService Client
---------------------------------------------------------------
-CertService and CertService client use mutual TLS for communication. Certificates are generated during CertService installation.
-
-Docker mode:
-^^^^^^^^^^^^
-
-Certificates are mounted to containers by docker volumes:
-
- - CertService volumes are defined in certservice/docker-compose.yaml
- - CertService Client volumes are defined in certservice/Makefile
-
-All certificates are stored in *certservice/certs* directory. To recreate certificates go to *certservice/certs* directory and execute::
-
- make clear all
-
-This will clear existing certs and generate new ones.
-
-ONAP OOM installation:
-^^^^^^^^^^^^^^^^^^^^^^
-
-Certificates are stored in secrets, which are mounted to pods as volumes. Both secrets are stored in *kubernetes/aaf/charts/aaf-cert-service/templates/secret.yaml*.
-Secrets take certificates from *kubernetes/aaf/charts/aaf-cert-service/resources* directory. Certificates are generated automatically during building (using Make) OOM repository.
-
-*kubernetes/aaf/charts/aaf-cert-service/Makefile* is similar to the one stored in certservice repository. It actually generates certificates.
-This Makefile is executed by *kubernetes/aaf/Makefile*, which is automatically executed during OOM build.
-
-
-Using external certificates for CertService and CertService Client
-------------------------------------------------------------------
-
-This section describes how to use custom, external certificates for CertService and CertService Client communication in OOM installation.
-
-1. Set *tls.certificateExternalSecret* flag to true in *kubernetes/aaf/charts/aaf-cert-service/values.yaml*
-2. Prepare secret for CertService. It must be provided before OOM installation. It must contain four files:
-
- - *certServiceServer-keystore.jks* - keystore in JKS format. Signed by some Root CA
- - *certServiceServer-keystore.p12* - same keystore in PKCS#12 format
- - *truststore.jks* - truststore in JKS format, containing certificates of the Root CA that signed CertService Client certificate
- - *root.crt* - certificate of the RootCA that signed Client certificate in CRT format
-
-3. Name the secret properly - the name should match *tls.server.secret.name* value from *kubernetes/aaf/charts/aaf-cert-service/values.yaml* file
-
-4. Prepare secret for CertService Client. It must be provided before OOM installation. It must contain two files:
-
- - *certServiceClient-keystore.jks* - keystore in JKS format. Signed by some Root CA
- - *truststore.jks* - truststore in JKS format, containing certificates of the RootCA that signed CertService certificate
-
-5. Name the secret properly - the name should match *global.aaf.certService.client.secret.name* value from *kubernetes/onap/values.yaml* file
-
-6. Provide keystore and truststore passwords for CertService. It can be done in two ways:
-
- - by inlining them into *kubernetes/aaf/charts/aaf-cert-service/values.yaml*:
-
- - override *credentials.tls.keystorePassword* value with keystore password
- - override *credentials.tls.truststorePassword* value with truststore password
-
- - or by providing them as secrets:
-
- - uncomment *credentials.tls.keystorePasswordExternalSecret* value and provide keystore password
- - uncomment *credentials.tls.truststorePasswordExternalSecret* value and provide truststore password
-
-7. Override default keystore and truststore passwords for CertService Client in *kubernetes/onap/values.yaml* file:
-
- - override *global.aaf.certServiceClient.envVariables.keystorePassword* value with keystore password
- - override *global.aaf.certServiceClient.envVariables.truststorePassword* value with truststore password
-
-
-Configuring EJBCA server for testing
-------------------------------------
-
-To instantiate an EJBCA server for testing purposes with an OOM deployment, cmpv2Enabled and cmpv2Testing have to be changed to true in oom/kubernetes/aaf/values.yaml.
-
-cmpv2Enabled has to be true to enable aaf-cert-service to be instantiated and used with an external Certificate Authority to get certificates for secure communication.
-
-If cmpv2Testing is enabled then an EJBCA test server will be instantiated in the OOM deployment as well, and will come pre-configured with a test CA to request a certificate from.
-
-Currently the recommended mode is single-layer RA mode.
-
-
-Default Values:
-
-+---------------------+---------------------------------------------------------------------------------------------------------------------------------+
-| Name | Value |
-+=====================+=================================================================================================================================+
-| Request URL | http://aaf-ejbca:8080/ejbca/publicweb/cmp/cmpRA |
-+---------------------+---------------------------------------------------------------------------------------------------------------------------------+
-| Response Type | PKI Response |
-+---------------------+---------------------------------------------------------------------------------------------------------------------------------+
-| caMode | RA |
-+---------------------+---------------------------------------------------------------------------------------------------------------------------------+
-| alias | cmpRA |
-+---------------------+---------------------------------------------------------------------------------------------------------------------------------+
-
-
-If you wish to configure the EJBCA server, you can find Documentation for EJBCA here: https://doc.primekey.com/ejbca/
-
-If you want to understand how CMP works on EJBCA in more detail, you can find Details here: https://download.primekey.com/docs/EJBCA-Enterprise/6_14_0/CMP.html
-
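Review bot: in the deleted "When CertService is deployed" steps, every command targets `-n onap` while the sample Secret manifest shows `namespace: default` together with server-populated fields (`creationTimestamp`, `resourceVersion`, `selfLink`, `uid`), so the example does not match the procedure around it; if this page is carried over to the new repository, correct it there instead of copying it as is. The sample `cmpServers.json` also sets both `iak` and `rv` to `mypassword`, which is better replaced by clearly marked placeholders in successor docs. This file is the only place in the visible diff that documents how to change the CMPv2 credentials and trigger `/reload`, so the README notice should say where Frankfurt operators find that procedure after this deletion.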
diff --git a/docs/sections/installation.rst b/docs/sections/installation.rst
deleted file mode 100644
index c41c0fca..00000000
--- a/docs/sections/installation.rst
+++ /dev/null
@@ -1,26 +0,0 @@
-.. This work is licensed under a Creative Commons Attribution 4.0 International License.
-.. http://creativecommons.org/licenses/by/4.0
-.. Copyright 2020 NOKIA
-
-Installation
-=============
-
-
-When enabling CMPv2, *kubernetes/onap/resources/overrides/aaf-cert-service-environment.yaml* file with override values need to be used during OOM installation.
-CertService can be easily installed with OOM installation, simply by setting proper flag.
-It's possible to also install EJBCA server for testing purposes. It also can be done by setting proper flag.
-
-
-
-Enabling CertService
---------------------
-
-In order to install CertService during OOM deployment, global flag *global.cmpv2Enabled* in *kubernetes/onap/resources/overrides/aaf-cert-service-environment.yaml* file must be set to true.
-
-
-Enabling EJBCA - testing CMPV2 server
--------------------------------------
-
-In order to install EJBCA server, global flag *global.addTestingComponents* in *kubernetes/onap/values.yaml* file or other file with override values must be set to true.
-
-Setting this flag, will also cause CertService to load test configuration from *kubernetes/aaf/charts/aaf-cert-service/resources/test/cmpServers.json*
diff --git a/docs/sections/introduction.rst b/docs/sections/introduction.rst
deleted file mode 100644
index 9d6c7816..00000000
--- a/docs/sections/introduction.rst
+++ /dev/null
@@ -1,38 +0,0 @@
-.. This work is licensed under a Creative Commons Attribution 4.0 International License.
-.. http://creativecommons.org/licenses/by/4.0
-.. Copyright 2020 NOKIA
-.. _introduction:
-
-
-Introduction
-=============
-
-Overview
---------
-
-In Frankfurt release AAF was enhanced by Certificate Management Protocol ver. 2 (CMPv2) support. Such support is handled by new AAF's microservice called CertService. CertService provides certificates signed by external CMPv2 server - further on such certificates are called operators certificates. Operators certificates are meant to secure external ONAP traffic - traffic between network functions (xNFs) and ONAP.
-
-
-Context View
-------------
-
-.. image:: resources/cmpv2_context_view.png
- :width: 533px
- :height: 315px
- :alt: CMPV2 Context View
-
-It is planned that Network Functions (aka xNFs) will get certificates from the same CMPv2 server and the same CA hierarchy, but will use own means to get such certificates. Cause xNFs and ONAP will get certificates signed by the same root CA and will trust such root CA, both parties will automatically trust each other and can communicate with each other.
-
-
-Functionality
--------------
-
-In Frankfurt release only `Initialization Request <https://tools.ietf.org/html/rfc4210#section-5.3.1>`_ with `ImplicitConfirm <https://tools.ietf.org/html/rfc4210#section-5.1.1.1>`_ is supported.
-
-Request sent to CMPv2 server is authenticated by secret value (initial authentication key) and reference value (used to identify the secret value) as described in `RFC-4210 <https://tools.ietf.org/html/rfc4210#section-4.2.1.2>`_.
-
-
-Security considerations
------------------------
-
-CertService's REST API is protected by mutual HTTPS, meaning server requests client's certificate and **authenticate** only requests with trusted certificate. After ONAP default installation only certificate from CertService's client is trusted. **Authorization** isn't supported in Frankfurt release. \ No newline at end of file
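Review bot: the "Security considerations" paragraph at the end of this file is where the docs state that the REST API relies on mutual HTTPS authentication only and that authorization isn't supported in the Frankfurt release; deleting it without a replacement leaves no statement of that limitation for the versions already released. Keep that paragraph in the abandonment notice, or link from the notice to an archived copy of these docs.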
diff --git a/docs/sections/logging.rst b/docs/sections/logging.rst
deleted file mode 100644
index dba8f3e6..00000000
--- a/docs/sections/logging.rst
+++ /dev/null
@@ -1,124 +0,0 @@
-.. This work is licensed under a Creative Commons Attribution 4.0 International License.
-.. http://creativecommons.org/licenses/by/4.0
-.. Copyright 2020 NOKIA
-
-
-Logging
-=======
-
-CertService API
----------------
-To see CertService console logs use:
-
-- Docker:
-
-.. code-block:: bash
-
- docker logs <cert-service-container-name>
-
- e.g.
- docker logs aafcert-service
-
-- Kubernetes:
-
-.. code-block:: bash
-
- kubectl -n onap logs <cert-service-pod-name>
-
- e.g.
- kubectl -n onap logs $(kubectl -n onap get pods | grep cert-service | awk '{print $1}')
-
-Console logs contains logs for logging levels from **DEBUG** to **ERROR**.
-
-CertService logs for different logging levels are available in the container:
-
-- Docker:
-
-.. code-block:: bash
-
- docker exec -it <cert-service-container-name> bash
-
- e.g.
- docker exec -it aafcert-service bash
-
-- Kubernetes:
-
-.. code-block:: bash
-
- kubectl -n onap exec -it <cert-service-pod-name> bash
-
- e.g.
- kubectl -n onap exec -it $(kubectl -n onap get pods | grep cert-service | awk '{print $1}') bash
-
-Path to logs:
-
- /var/log/onap/aaf/certservice
-
-Available log files:
-
- - audit.log - contains logs for **INFO** logging level
- - debug.log - contains logs for logging levels from **DEBUG** to **ERROR**
- - error.log - contains logs for **ERROR** logging level
-
-User cannot change logging levels.
-
-.. _cert_logs:
-
-CertService client
-------------------
-To see CertService client console logs use :
-
-- Docker:
-
-.. code-block:: bash
-
- docker logs <cert-service-client-container-name>
-
- e.g.
- docker logs aafcert-client
-
-- Kubernetes:
- CertService client is used as init container in other components. In the following example:
- - *<some-component-pod-name>* refers to the component that uses CertService client as init container
- - *<cert-service-client-init-container-name>* refers to name of init container used by the mentioned component. It can be found by executing *'kubectl -n onap descrine pod <some-component-pod-name>'* and looking into 'Init Containers section'
-
-.. code-block:: bash
-
- kubectl -n onap logs <some-component-pod-name> -c <cert-service-client-init-container-name>
-
- e.g.
- kubectl -n onap logs <some-component-pod-name> -c cert-service-client
-
-
-
-| Container stops after execution, so all available logs are printed on console.
-| User cannot change logging levels.
-
-Client application exits with following exit codes:
-
-
-+-------+------------------------------------------------+
-| Code | Information |
-+=======+================================================+
-| 0 | Success |
-+-------+------------------------------------------------+
-| 1 | Invalid client configuration |
-+-------+------------------------------------------------+
-| 2 | Invalid CSR configuration |
-+-------+------------------------------------------------+
-| 3 | Fail in key pair generation |
-+-------+------------------------------------------------+
-| 4 | Fail in CSR generation |
-+-------+------------------------------------------------+
-| 5 | CertService HTTP unsuccessful response |
-+-------+------------------------------------------------+
-| 6 | Internal HTTP Client connection problem |
-+-------+------------------------------------------------+
-| 7 | Fail in PEM conversion |
-+-------+------------------------------------------------+
-| 8 | Fail in Private Key to PEM Encoding |
-+-------+------------------------------------------------+
-| 9 | Wrong TLS configuration |
-+-------+------------------------------------------------+
-| 10 | File could not be created |
-+-------+------------------------------------------------+
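Review bot: the exit-code table at the end of this file (codes 0 to 10) is the only definition of the client's exit statuses in the visible diff, and the release notes removed in the same commit refer to "exit status 5" in AAF-1132; components that run the client as an init container lose the mapping once this is gone. Keep the table reachable through the notice or an archive link. If the text moves to the new repository, fix the typo in the hint `kubectl -n onap descrine pod <some-component-pod-name>` (`describe`).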
diff --git a/docs/sections/offeredapis.rst b/docs/sections/offeredapis.rst
deleted file mode 100644
index b757b3bd..00000000
--- a/docs/sections/offeredapis.rst
+++ /dev/null
@@ -1,171 +0,0 @@
-.. This work is licensed under a Creative Commons Attribution 4.0 International License.
-.. http://creativecommons.org/licenses/by/4.0
-.. Copyright 2020 NOKIA
-.. _offeredapis:
-
-Offered APIs
-=============
-
-AAF Cert Service Api
---------------------
-
-.. code-block:: yaml
-
- openapi: 3.0.1
- info:
- title: CertService Documentation
- description: Certification service API documentation
- version: 1.0.0
- servers:
- - url: http://localhost:8080
- description: Generated server url
- tags:
- - name: Actuator
- description: Monitor and interact
- externalDocs:
- description: Spring Boot Actuator Web API Documentation
- url: https://docs.spring.io/spring-boot/docs/current/actuator-api/html/
- paths:
- /v1/certificate/{caName}:
- get:
- tags:
- - CertificationService
- summary: sign certificate
- description: Web endpoint for requesting certificate signing. Used by system
- components to gain certificate signed by CA.
- operationId: signCertificate
- parameters:
- - name: caName
- in: path
- description: Name of certification authority that will sign CSR.
- required: true
- schema:
- type: string
- - name: CSR
- in: header
- description: Certificate signing request in form of PEM object encoded in
- Base64 (with header and footer).
- required: true
- schema:
- type: string
- - name: PK
- in: header
- description: Private key in form of PEM object encoded in Base64 (with header
- and footer).
- required: true
- schema:
- type: string
- responses:
- "200":
- description: certificate successfully signed
- content:
- application/json; charset=utf-8:
- schema:
- $ref: '#/components/schemas/CertificationModel'
- "500":
- description: something went wrong during connecting to cmp client
- content:
- application/json; charset=utf-8:
- schema:
- $ref: '#/components/schemas/ErrorResponseModel'
- "404":
- description: CA not found for given name
- content:
- application/json; charset=utf-8:
- schema:
- $ref: '#/components/schemas/ErrorResponseModel'
- "400":
- description: given CSR or/and PK is incorrect
- content:
- application/json; charset=utf-8:
- schema:
- $ref: '#/components/schemas/ErrorResponseModel'
- /ready:
- get:
- tags:
- - CertificationService
- summary: check is container is ready
- description: Web endpoint for checking if service is ready to be used.
- operationId: checkReady
- responses:
- "200":
- description: configuration is loaded and service is ready to use
- content:
- application/json; charset=utf-8:
- schema:
- type: string
- "503":
- description: configuration loading failed and service is unavailable
- content:
- application/json; charset=utf-8:
- schema:
- type: string
- /reload:
- get:
- tags:
- - CertificationService
- summary: reload service configuration from file
- description: Web endpoint for performing configuration reload. Used to reload
- configuration file from file.
- operationId: reloadConfiguration
- responses:
- "200":
- description: configuration has been successfully reloaded
- content:
- application/json; charset=utf-8:
- schema:
- type: string
- "500":
- description: something went wrong during configuration loading
- content:
- application/json; charset=utf-8:
- schema:
- $ref: '#/components/schemas/ErrorResponseModel'
- /actuator/health:
- get:
- tags:
- - Actuator
- summary: Actuator web endpoint 'health'
- operationId: handle_0
- responses:
- "200":
- description: default response
- content: {}
- /actuator/health/**:
- get:
- tags:
- - Actuator
- summary: Actuator web endpoint 'health-path'
- operationId: handle_1
- responses:
- "200":
- description: default response
- content: {}
- /actuator:
- get:
- tags:
- - Actuator
- summary: Actuator root web endpoint
- operationId: links_2
- responses:
- "200":
- description: default response
- content: {}
- components:
- schemas:
- ErrorResponseModel:
- type: object
- properties:
- errorMessage:
- type: string
- CertificationModel:
- type: object
- properties:
- certificateChain:
- type: array
- items:
- type: string
- trustedCertificates:
- type: array
- items:
- type: string
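Review bot: with this page and docs/sections/resources/OpenAPI.yaml both deleted, no description of `/v1/certificate/{caName}`, `/ready` and `/reload` remains in the repository, so the notice should point to where the API contract for the released versions can be found. Two things in the embedded spec are worth correcting before it is reused anywhere: `servers` lists `http://localhost:8080` while the configuration page calls `https://localhost:8443/reload`, and the `PK` parameter requires the private key to be sent in a request header on a GET, which deserves an explicit note about header logging on any proxy or access log in the path.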
diff --git a/docs/sections/release-notes.rst b/docs/sections/release-notes.rst
deleted file mode 100644
index daeab0f2..00000000
--- a/docs/sections/release-notes.rst
+++ /dev/null
@@ -1,176 +0,0 @@
-.. This work is licensed under a Creative Commons Attribution 4.0 International License.
-.. http://creativecommons.org/licenses/by/4.0
-.. Copyright 2020 NOKIA
-
-
-Release Notes
-==============
-
-Version: 1.2.0
---------------
-
-:Release Date:
-
-**New Features**
-
- - Client creates subdirectories in given OUTPUT_PATH and place certificate into it.
-
-**Bug Fixes**
-
- N/A
-
-**Known Issues**
-
- N/A
-
-**Security Notes**
-
- N/A
-
-*Fixed Security Issues*
-
- N/A
-
-*Known Security Issues*
-
- N/A
-
-*Known Vulnerabilities in Used Modules*
-
- N/A
-
-**Upgrade Notes**
-
-**Deprecation Notes**
-
-**Other**
-
-===========
-
-Version: 1.1.0
---------------
-
-:Release Date: 2020-06-29
-
-**New Features**
-
- - Added property to CertService Client to allow selection of output certificates type (One of: PEM, JKS, P12).
-
-**Bug Fixes**
-
- - Resolved issue where created PKCS12 certificates had jks extension.
-
-**Known Issues**
-
- N/A
-
-**Security Notes**
-
- N/A
-
-*Fixed Security Issues*
-
- N/A
-
-*Known Security Issues*
-
- N/A
-
-*Known Vulnerabilities in Used Modules*
-
- N/A
-
-**Upgrade Notes**
-
-**Deprecation Notes**
-
-**Other**
-
-===========
-
-Version: 1.0.1
---------------
-
-:Release Date: 2020-05-22
-
-**New Features**
-
-The Frankfurt Release is the first release of the Certification Service.
-
-
-**Bug Fixes**
-
- - `AAF-1132 <https://jira.onap.org/browse/AAF-1132>`_ - CertService Client returns exit status 5 when TLS configuration fails
-
-**Known Issues**
-
- - PKCS12 certificates have jks extension
-
-**Security Notes**
-
- N/A
-
-*Fixed Security Issues*
-
- N/A
-
-*Known Security Issues*
-
- N/A
-
-*Known Vulnerabilities in Used Modules*
-
- N/A
-
-**Upgrade Notes**
-
-**Deprecation Notes**
-
-**Other**
-
-===========
-
-Version: 1.0.0
---------------
-
-:Release Date: 2020-04-16
-
-**New Features**
-
-The Frankfurt Release is the first release of the Certification Service.
-
-**Bug Fixes**
-
- - No new fixes were implemented for this release
-
-**Known Issues**
-
- - `AAF-1132 <https://jira.onap.org/browse/AAF-1132>`_ - CertService Client returns exit status 5 when TLS configuration fails
-
- - PKCS12 certificates have jks extension
-
-**Security Notes**
-
- N/A
-
-*Fixed Security Issues*
-
- N/A
-
-*Known Security Issues*
-
- N/A
-
-*Known Vulnerabilities in Used Modules*
-
- N/A
-
-**Upgrade Notes**
-
-**Deprecation Notes**
-
-**Other**
-
-===========
-
-End of Release Notes
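Review bot: this deletion removes the release notes for versions that were actually released (1.0.0 on 2020-04-16, 1.0.1 on 2020-05-22, 1.1.0 on 2020-06-29), including the known-issue entries for AAF-1132 and the PKCS12 files carrying a jks extension; release history is normally kept even when a project is abandoned, so consider leaving this file in place and adding the abandonment notice at its top. The Version 1.2.0 entry has an empty `:Release Date:` field; if the file is kept, mark that version as unreleased or drop the entry.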
diff --git a/docs/sections/resources/OpenAPI.yaml b/docs/sections/resources/OpenAPI.yaml
deleted file mode 100644
index 14f8b6bc..00000000
--- a/docs/sections/resources/OpenAPI.yaml
+++ /dev/null
@@ -1,162 +0,0 @@
-# ============LICENSE_START=======================================================
-# aaf-certservice
-# ================================================================================
-# Copyright (C) 2020 Nokia. All rights reserved.
-# ================================================================================
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-# ============LICENSE_END=========================================================
-openapi: 3.0.1
-info:
- title: CertService Documentation
- description: Certification service API documentation
- version: 1.0.0
-servers:
- - url: http://localhost:8080
- description: Generated server url
-tags:
- - name: Actuator
- description: Monitor and interact
- externalDocs:
- description: Spring Boot Actuator Web API Documentation
- url: https://docs.spring.io/spring-boot/docs/current/actuator-api/html/
-paths:
- /v1/certificate/{caName}:
- get:
- tags:
- - CertificationService
- summary: Sign certificate
- description: Web endpoint for requesting certificate signing. Used by system
- components to gain certificate signed by CA.
- operationId: signCertificate
- parameters:
- - name: caName
- in: path
- description: Name of certification authority that will sign CSR.
- required: true
- schema:
- type: string
- example: "RA_TEST"
- - name: CSR
- in: header
- description: Certificate signing request in form of PEM object encoded in
- Base64 (with header and footer).
- required: true
- schema:
- type: string
- example: "LS0tLS1CRUdJTiBDRVJUSUZJQ0FURSBSRVFVRVNULS0tLS0KTUlJREVqQ0NBZm9DQVFBd2daY3hDekFKQmdOVkJBWVRBbFZUTVJNd0VRWURWUVFJREFwRFlXeHBabTl5Ym1saApNUll3RkFZRFZRUUhEQTFUWVc0dFJuSmhibU5wYzJOdk1Sa3dGd1lEVlFRS0RCQk1hVzUxZUMxR2IzVnVaR0YwCmFXOXVNUTB3Q3dZRFZRUUxEQVJQVGtGUU1SRXdEd1lEVlFRRERBaHZibUZ3TG05eVp6RWVNQndHQ1NxR1NJYjMKRFFFSkFSWVBkR1Z6ZEdWeVFHOXVZWEF1YjNKbk1JSUJJakFOQmdrcWhraUc5dzBCQVFFRkFBT0NBUThBTUlJQgpDZ0tDQVFFQXpRekpQTmhrRURhL3JnUmhJUmpLVDF2RC84Wk9scXA3UmRuYTEybXFIU2FqQ0hHeGR0K1JPZk0vCkpINk9NczZNSjlwNXRJVE5VUWVDUEQ5cE44WkpzMCtOaWQvRE1Nb1B3MW94NnZyNFc5Rnh4K3NGN2hnK05nYjEKNGxvZVZob2EwajlKd1hlc2krSThNbFBObGRMRXlGYnZubDgyNzl0Qjg2dmRpR2g3blFjek8rbnY5elBqZllVcQpIaGlRK1ptMEZjbWFxblVJOG54aWJQNmFMMS9uWFQ3aHlwY0VzOCtpenNZVktqdVdwSjhlZHN0T1NBYTlkWXkrCkVhYTFPTlo5RFRDQzArZmM4S0pBNGJjWVE0T2tPYXFmcnhxY0xMOXZJL1BROWZtYThTUXBmcXVTbmQvbjNOazMKK1NoYnVCclorVnNQRWhsWnBJb2lXdS9scjlrdnp3SURBUUFCb0RVd013WUpLb1pJaHZjTkFRa09NU1l3SkRBaQpCZ05WSFJFRUd6QVpnZ2h2Ym1Gd0xtOXlaNElOZEdWemRDNXZibUZ3TG05eVp6QU5CZ2txaGtpRzl3MEJBUXNGCkFBT0NBUUVBV0N2QlJzTmZ5S0F1NWhIWldWUm8xd2VWSVJvbHQyRWdsSUkzbHI4d0ZlN1hobUtZVlhESzJ3aHEKc2hCakNNQUJHNW90MlBXUE8yK1JLSmsveEh2RXRoQzMybityQlhOS2hHUUJMY3dyeFNBbjVUMHFNa0xzTGJiRAphTU1nTnRiYWxmOC9mVmNWWDY1WTVVb052Y2FScEpvVUdYY1ovZ3kvMG5aWnNXbURkejk1Rys2MXFnY0s3RlhOClB1bENxLy9YNUZkK2NkQy9TTnNxaGtqdlgyd3hYMUZRVVYwcFp0akcwenl3b3JwNE9HSkRiUUxtaWFZSlQ2Ym8KNjAyZ21zWFNTQlJzVWFCOEsxeWMzalRkS043QjYxcjhwYW05NlBxQjdXME13MVRJVFAzQnhJTk5kN1hhNlI5VAo5T3BTcDhFcUZ5R043M3NJN0svbDdNZVJvUm1PUUE9PQotLS0tLUVORCBDRVJUSUZJQ0FURSBSRVFVRVNULS0tLS0K"
- - name: PK
- in: header
- description: Private key in form of PEM object encoded in Base64 (with header
- and footer).
- required: true
- schema:
- type: string
- example: "LS0tLS1CRUdJTiBQUklWQVRFIEtFWS0tLS0tCk1JSUV2d0lCQURBTkJna3Foa2lHOXcwQkFRRUZBQVNDQktrd2dnU2xBZ0VBQW9JQkFRRE5ETWs4MkdRUU5yK3UKQkdFaEdNcFBXOFAveGs2V3FudEYyZHJYYWFvZEpxTUljYkYyMzVFNTh6OGtmbzR5em93bjJubTBoTTFSQjRJOApQMmszeGttelQ0MkozOE13eWcvRFdqSHErdmhiMFhISDZ3WHVHRDQyQnZYaVdoNVdHaHJTUDBuQmQ2eUw0and5ClU4MlYwc1RJVnUrZVh6YnYyMEh6cTkySWFIdWRCek03NmUvM00rTjloU29lR0pENW1iUVZ5WnFxZFFqeWZHSnMKL3BvdlgrZGRQdUhLbHdTeno2TE94aFVxTzVha254NTJ5MDVJQnIxMWpMNFJwclU0MW4wTk1JTFQ1OXp3b2tEaAp0eGhEZzZRNXFwK3ZHcHdzdjI4ajg5RDErWnJ4SkNsK3E1S2QzK2ZjMlRmNUtGdTRHdG41V3c4U0dWbWtpaUphCjcrV3YyUy9QQWdNQkFBRUNnZ0VBZkN5cUVYYlo0aGZGckpScVhhaXRtN0Z1Mkk0M09YYTBnSENWM3EzV255Q3UKeW9aUGVqV1p0UVpoenEvMVhUOUlFVHAxU2FUQzBiZENYMG5uWmlkbXFuZ2F0c3dUWUpCOVMwaHJ3bW1KemREZwpucmp0Tm1yb0FiL2xWOVpMV01rbVJQeWVwZExiWXpyMlNXUUd0QnlYbnR0RzhSbW9JMGtjZjN3dEJGYUJ4VzFwClFzRUNXUFBpdjNZRDh2SzlSRG9wdmxCMnFZVWxCTm1kQ3AxWEJXMU9OZm5wckUwZFhiYTJxVzB3M3lqU2dJdGYKUWJBSTJZQzJEWlpIK3liRGFMZWVtb0p3dDdPK1F6NWp4SkgwWkFpSnVaNzNpSTVocFBJQlhLamRkU1p1bjRpRwpEOFZaaCtYWE9yQWJxVURXdlN4UW9kdFhYeGNSSS9aWUx5WWR1OHdhd1FLQmdRRHA3UEhwdWFDSk50MlBLV3d6Cll4SDhIYlB1L0pTS2R3UytZek5SNzJaYlUwSmQxWTdPc1JCR1Bvd24zOW55WDlJYzJINXBLc2VJYnpsK1lJS1MKQW9BKy9nbFZZUGpIZ2RmVHF6R01QMm5meVh0dVpFQzdicVBLSVlzL0Qwb0pGQzFkUThwUjFxcXp6NjJEMEUvawpSS1MrVFhpSlkvMlJiQVhDckFDVnNwVmQzUUtCZ1FEZ1prZE45SkhIMjYyRWdLQ3p1Q0NHMXlYa3IrcWVHZ3ozCldWbUtMaGVveitHVXlvVDVuaGlvUTJxNlllYTJ1ODlVYUdGZFk4Y0hIQVdhUy9UdU9FYzdBRHV4eTZsVWpKWkQKU3V0YU80cWk3eXh6UGxNN2w5alVpejV5MldZZGRnWEhLOG82M0pOSHdwd0FYaDgycytTbm9STUZSd1JOTGsyWQp4WmxxRm55WG13S0JnUUNkdEkrWEtmMHY1SnhVUXZIZVp3RWQvb3hySnoraFpnSDl0UFZKWE9PZDJERGEvL25xCklQYysxRFk3UDdBNHRoNzZNWDV2dWxhUkJhTTJMeXgzOFZXeW9pTjZ1d2lkd0V6WU9BY01iVWdjaGtJL3R6am8KNC90cWIxam9KNCtiTlU0c0hXTE43N0pmelRoR3NHN2NEdWNlSVM2Tk9hc2VtanY3OVdmamhHVXN4UUtCZ1FETQpwbHFYVE5uNjlHek9MK1Rmb3FmL2NZMjhmM2N3VXovS0FYRzRwSXF0U1ZGSXVsNEZyTnA5OG1ZT3J5U1RPTHRBCkZxWGRYeGJ2Yysza0p5dXNhaVVFT1JVMzlDNXN6bjVueHBiWHh2K0wweWF0djRSM0QrZ1BCeUtmNlliSWpZOTkKY29GUHAwU21xR1JQclljNEExNGdSclVyRmZabFVUb3hm
dHlJTlJQUnl3S0JnUURoSFkvT24vRTNodmo4aHBKRQplMWNuQ2ZsV2VKWlZSdnBPQm96NCtwMVltMzZZZEQ0azBpSEh6anZUUGlBSnNGTFB5VXVTZXI0T3hpN2cvcmYvCklPVjN4bHZyNXdSRmxLYWxvWjY5azkxNm5qdWM0d2lXVzdMbGt1YWptVDhlSUszTU05MU9SL1VFcE16dFMyMHEKZ3hRMEVieTFaMlh6TWlkMEhZZTlVcTJaSmc9PQotLS0tLUVORCBQUklWQVRFIEtFWS0tLS0tCg=="
- responses:
- "200":
- description: Certificate successfully signed
- content:
- application/json:
- schema:
- $ref: '#/components/schemas/CertificationModel'
- "400":
- description: Given CSR or/and PK is incorrect
- content:
- application/json:
- schema:
- $ref: '#/components/schemas/ErrorResponseModel'
- "404":
- description: CA not found for given name
- content:
- application/json:
- schema:
- $ref: '#/components/schemas/ErrorResponseModel'
- "500":
- description: Something went wrong during connectiion to CMPv2 server
- content:
- application/json:
- schema:
- $ref: '#/components/schemas/ErrorResponseModel'
- /ready:
- get:
- tags:
- - CertificationService
- summary: Check if CertService application is ready
- description: Web endpoint for checking if service is ready to be used.
- operationId: checkReady
- responses:
- "200":
- description: Configuration is loaded and service is ready to use
- content: {}
- "503":
- description: Configuration loading failed and service is unavailable
- content: {}
- /reload:
- get:
- tags:
- - CertificationService
- summary: Reload CMPv2 servers configuration from configuration file
- description: Web endpoint for performing configuration reload. Used to reload
- configuration from file.
- operationId: reloadConfiguration
- responses:
- "200":
- description: Configuration has been successfully reloaded
- content: {}
- "500":
- description: Something went wrong during configuration loading
- content:
- string:
- schema:
- type: string
- example: "can't parse JSON. Raw result: Exception occurred during CMP Servers configuration loading"
- /actuator/health:
- get:
- tags:
- - Actuator
- summary: Actuator web endpoint 'health'
- operationId: healthCheck
- responses:
- "200":
- description: Service is healthy
- content:
- string:
- schema:
- $ref: '#/components/schemas/StatusResponseModel'
-components:
- schemas:
- StatusResponseModel:
- type: object
- properties:
- status:
- type: string
- example: "UP"
- ErrorResponseModel:
- type: object
- properties:
- errorMessage:
- type: string
- example: "Internal server error"
- CertificationModel:
- type: object
- properties:
- certificateChain:
- type: array
- items:
- type: string
- example: "-----BEGIN CERTIFICATE-----\nMIIErDCCAxSgAwIBAgIUfYvpzoT6WTxiu2KtxDwdvB56iVUwDQYJKoZIhvcNAQEL\nBQAwYTEjMCEGCgmSJomT8ixkAQEME2MtMGI1YzFhYTBkNzA4NjVjNGUxFTATBgNV\nBAMMDE1hbmFnZW1lbnRDQTEjMCEGA1UECgwaRUpCQ0EgQ29udGFpbmVyIFF1aWNr\nc3RhcnQwHhcNMjAwNDAxMTAyNzAwWhcNMjIwNDAxMTAyNDEyWjCBlzEeMBwGCSqG\nSIb3DQEJARYPdGVzdGVyQG9uYXAub3JnMREwDwYDVQQDDAhvbmFwLm9yZzENMAsG\nA1UECwwET05BUDEZMBcGA1UECgwQTGludXgtRm91bmRhdGlvbjEWMBQGA1UEBwwN\nU2FuLUZyYW5jaXNjbzETMBEGA1UECAwKQ2FsaWZvcm5pYTELMAkGA1UEBhMCVVMw\nggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDNDMk82GQQNr+uBGEhGMpP\nW8P/xk6WqntF2drXaaodJqMIcbF235E58z8kfo4yzown2nm0hM1RB4I8P2k3xkmz\nT42J38Mwyg/DWjHq+vhb0XHH6wXuGD42BvXiWh5WGhrSP0nBd6yL4jwyU82V0sTI\nVu+eXzbv20Hzq92IaHudBzM76e/3M+N9hSoeGJD5mbQVyZqqdQjyfGJs/povX+dd\nPuHKlwSzz6LOxhUqO5aknx52y05IBr11jL4RprU41n0NMILT59zwokDhtxhDg6Q5\nqp+vGpwsv28j89D1+ZrxJCl+q5Kd3+fc2Tf5KFu4Gtn5Ww8SGVmkiiJa7+Wv2S/P\nAgMBAAGjgaQwgaEwDAYDVR0TAQH/BAIwADAfBgNVHSMEGDAWgBQ4TWsw5NCfgMjt\nc6sLNV008AniSjAiBgNVHREEGzAZgghvbmFwLm9yZ4INdGVzdC5vbmFwLm9yZzAd\nBgNVHSUEFjAUBggrBgEFBQcDAgYIKwYBBQUHAwQwHQYDVR0OBBYEFAMyW8sAIjOG\n4qiMVEWuBfliFNeyMA4GA1UdDwEB/wQEAwIF4DANBgkqhkiG9w0BAQsFAAOCAYEA\nCviGRpVZgd4Vr3R3pslegH9GRa1TmCVP8wTD6CUA84VqMzVatcdWbaDFNoCVv54v\nUCYPsN8REx/I53R1jbQ5tralj8JMublrdDaKDQY7OdfjL53nGS4OGl76ZLMt50cF\nnXreoSixCdv3OkPO7+P5szzfnwcCQEa235GfHOxAKv2DIhI8+aFMdi1vTJMYmROs\nYA/6DuJAFjfjPM6T4hzKdW8FPyyUw4kWSNRtt+cxN1JxGDYRt1bnjj7u7nMA5Mge\noWn5oeHLO8rkWgMy0BPxL+YVJhqhdD1fiSek99vmWNUKqmui/4TOXf06SjuMgPgL\nOdp/e2+unwOw+TfdQ/Vu1736IRuWKgLxXOXoOHq2RCZpMgfol2wOFdWSeHWnOag2\nstKD9mmxUaq3wactkVQEkljo3vOgw3D829jC5BOVASxoYoiNzRQlpXrP+kj9QPt0\nZN6haQCgjejHOVpKeuUNoZTUyH+2MwpANLiaJjQcZrwt8N9bAN7WilY+f7CHwMK+\n-----END CERTIFICATE-----\n"
- trustedCertificates:
- type: array
- items:
- type: string
- example: "-----BEGIN CERTIFICATE-----\nMIIEszCCAxugAwIBAgIUK3BbY7jXBtQfSMhob3Ls9BoorbYwDQYJKoZIhvcNAQEL\nBQAwYTEjMCEGCgmSJomT8ixkAQEME2MtMGI1YzFhYTBkNzA4NjVjNGUxFTATBgNV\nBAMMDE1hbmFnZW1lbnRDQTEjMCEGA1UECgwaRUpCQ0EgQ29udGFpbmVyIFF1aWNr\nc3RhcnQwHhcNMjAwNDAxMTAyNzAwWhcNMzAwNDAxMTAyNzAwWjBhMSMwIQYKCZIm\niZPyLGQBAQwTYy0wYjVjMWFhMGQ3MDg2NWM0ZTEVMBMGA1UEAwwMTWFuYWdlbWVu\ndENBMSMwIQYDVQQKDBpFSkJDQSBDb250YWluZXIgUXVpY2tzdGFydDCCAaIwDQYJ\nKoZIhvcNAQEBBQADggGPADCCAYoCggGBAJ5UAlOGkFyyjyDfFBADJrVzce5/wvNC\nDzL8OoB5CRa22NxHZqPL6fNpqexH1alE7ko/g+vvu1BLHnjKzglVMVV880jjG/tq\ngUf9syfmRdRcgPUrF71dOTNw52ZGB23e8es7VQNYca5QH0mfjaw2AxKf4pNzScTi\nbYXw/KxuoeBHP2ybKhSCxau1k6eePUEkpzHlu33XjtTKGRklCo4lDslLtMOV0gWm\nJj2pd9v+/qY9AMio1XkqczGmnGrSRDD7fp+3WpBI2Q4ZaDZZHnzg/9TXmpBGWhwi\n5Ca5e9Cmb9WGjE8W4uICyvaBSmvsGqB2nBjLC0rBUyJxkMxaxZYxoWbegCqlnwgo\naG2OMbGq1qO/U5ArW9WppovA9y540j49CuYWgvf2pH21GzQX2uCtiHDge01exko/\np7c8/20B0rNjyvBFM9s2NOQ4wCIrLVKPClX3mpzuIGliRpnXnC6FQMrC4yNvyO7s\nB2PwzesXaBdD07AfXpYtSaHeqLZafMtqRwIDAQABo2MwYTAPBgNVHRMBAf8EBTAD\nAQH/MB8GA1UdIwQYMBaAFDhNazDk0J+AyO1zqws1XTTwCeJKMB0GA1UdDgQWBBQ4\nTWsw5NCfgMjtc6sLNV008AniSjAOBgNVHQ8BAf8EBAMCAYYwDQYJKoZIhvcNAQEL\nBQADggGBAImYiKkQfR52L2NzjuHI6y8darhBNpZSNf5Hhzv5MOs6yKJSFxh6mQFg\nRfF860AbxgxAfE8bvK2IX+W6b193ecFXAOrRc+UcEyqTg2efqp2zuCdQpnA4nopf\n+474iRkAHdlwdeI0FTE931AOCMfKaQAiEn40Xo3xB09xvMhK7ce2xkxFp90uqbyZ\nwXPRORUj5rKhCiL10jkgXmTfGGlzgQfpHxQxnwQzuAPcv31l+0YVZpDpkSP8A2ts\nmS/yGFfBylyPnGa/+mChZoI7AAKUZ0QWSTDVQLFW6RIs0ByX9zPZqQx0ncGzXH++\nmLu/33YpyjfcjFzvhFVRJCNpELTa0aCElDcD+LIiz80fFP3bxbI42ifYXbt+k/8w\nAB8Ffh1GOneWnaOl42mghNs6ve9e+PjOphYS1sQI74b0liXQdI4tmobAyPoACpgR\ncJ9DAfYtkpMQjxkV/FUM92m76WQpFnIRNQl6C5XLzWHCAVvS+MxEydtINsl4FCvw\nPDdu3P8UkA==\n-----END CERTIFICATE-----\n"
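Review bot: The `PK` header example in the removed `/v1/certificate/{caName}` definition is a complete Base64-encoded PEM private key (the value starts with `LS0tLS1CRUdJTiBQUklWQVRFIEtFWS0tLS0t`, which decodes to `-----BEGIN PRIVATE KEY-----`), and deleting the file does not remove it from repository history. Please state in the commit message that this key, the matching `CSR` example and the certificates under `CertificationModel` were generated for documentation only and were never deployed. The README notice should also say where the successor repository keeps its API description, since this commit removes the one shipped here.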
diff --git a/docs/sections/resources/certService_cert_enrollment_flow.png b/docs/sections/resources/certService_cert_enrollment_flow.png
deleted file mode 100644
index 87d15adc..00000000
--- a/docs/sections/resources/certService_cert_enrollment_flow.png
+++ /dev/null
Binary files differ
diff --git a/docs/sections/resources/certservice_high_level.png b/docs/sections/resources/certservice_high_level.png
deleted file mode 100644
index 7cab5e88..00000000
--- a/docs/sections/resources/certservice_high_level.png
+++ /dev/null
Binary files differ
diff --git a/docs/sections/resources/cmpv2_context_view.png b/docs/sections/resources/cmpv2_context_view.png
deleted file mode 100644
index 85570cbe..00000000
--- a/docs/sections/resources/cmpv2_context_view.png
+++ /dev/null
Binary files differ
diff --git a/docs/sections/troubleshooting.rst b/docs/sections/troubleshooting.rst
deleted file mode 100644
index 192a9d6a..00000000
--- a/docs/sections/troubleshooting.rst
+++ /dev/null
@@ -1,9 +0,0 @@
-.. This work is licensed under a Creative Commons Attribution 4.0 International License.
-.. http://creativecommons.org/licenses/by/4.0
-.. Copyright 2020 NOKIA
-
-Troubleshooting
-================
-
-
-
diff --git a/docs/sections/usage.rst b/docs/sections/usage.rst
deleted file mode 100644
index 759284bd..00000000
--- a/docs/sections/usage.rst
+++ /dev/null
@@ -1,211 +0,0 @@
-.. This work is licensed under a Creative Commons Attribution 4.0 International License.
-.. http://creativecommons.org/licenses/by/4.0
-.. Copyright 2020 NOKIA
-
-How to use functionality
-=========================
-Common information to docker and Kubernetes modes described below
-
-Basic information
------------------
-CertService client needs the following configuration parameters to work properly:
-
-1. Parameters for generating certification artifacts and connecting to CertService API to obtain certificate and trust anchors
-
- - REQUEST_URL *(default: https://aaf-cert-service:8443/v1/certificate/)* - URL to CertService API
- - REQUEST_TIMEOUT *(default: 30000[ms])* - Timeout in milliseconds for REST API calls
- - OUTPUT_PATH *(required)* - Path where client will output generated certificate and trust anchor
- - CA_NAME *(required)* - Name of CA which will enroll certificate. Must be same as configured on server side. Used in REST API calls
- - OUTPUT_TYPE *(default: P12)* - Type of certificate which will be generated. Supported types:
-
- - JKS - Java KeyStore (JKS)
- - P12 - Public Key Cryptography Standard #12 (PKCS#12)
- - PEM - Privacy-Enhanced Mail (PEM)
-
-
-2. Parameters to generate Certificate Signing Request (CSR):
-
- - COMMON_NAME *(required)* - Common name for which certificate from CMPv2 server should be issued
- - ORGANIZATION *(required)* - Organization for which certificate from CMPv2 server should be issued
- - ORGANIZATION_UNIT *(optional)* - Organization unit for which certificate from CMPv2 server should be issued
- - LOCATION *(optional)* - Location for which certificate from CMPv2 server should be issued
- - STATE *(required)* - State for which certificate from CMPv2 server should be issued
- - COUNTRY *(required)* - Country for which certificate from CMPv2 server should be issued
- - SANS *(optional)(SANS's should be separated by a colon e.g. test.onap.org:onap.com)* - Subject Alternative Names (SANs) for which certificate from CMPv2 server should be issued.
-
-3. Parameters to establish secure communication to CertService:
-
- - KEYSTORE_PATH *(required)*
- - KEYSTORE_PASSWORD *(required)*
- - TRUSTSTORE_PATH *(required)*
- - TRUSTSTORE_PASSWORD *(required)*
-
-CertService client image can be found on Nexus repository :
-
-.. code-block:: bash
-
- nexus3.onap.org:10001/onap/org.onap.aaf.certservice.aaf-certservice-client:$VERSION
-
-
-As standalone docker container
-------------------------------
-You need certificate and trust anchors to connect to CertService API via HTTPS. Information how to generate truststore and keystore files you can find in project repository README `Gerrit GitWeb <https://gerrit.onap.org/r/gitweb?p=aaf%2Fcertservice.git;a=summary>`__
-
-To run CertService client as standalone docker container execute following steps:
-
-1. Create file '*$PWD/client.env*' with environment variables as in example below:
-
-.. code-block:: bash
-
- #Client envs
- REQUEST_URL=<URL to CertService API>
- REQUEST_TIMEOUT=10000
- OUTPUT_PATH=/var/certs
- CA_NAME=RA
- OUTPUT_TYPE=P12
-
- #CSR config envs
- COMMON_NAME=onap.org
- ORGANIZATION=Linux-Foundation
- ORGANIZATION_UNIT=ONAP
- LOCATION=San-Francisco
- STATE=California
- COUNTRY=US
- SANS=test.onap.org:onap.com
-
- #TLS config envs
- KEYSTORE_PATH=/etc/onap/aaf/certservice/certs/certServiceClient-keystore.jks
- KEYSTORE_PASSWORD=<password to certServiceClient-keystore.jks>
- TRUSTSTORE_PATH=/etc/onap/aaf/certservice/certs/certServiceClient-truststore.jks
- TRUSTSTORE_PASSWORD=<password to certServiceClient-truststore.jks>
-
-2. Run docker container as in following example (API and client must be running in same network):
-
-.. code-block:: bash
-
- docker run \
- --rm \
- --name aafcert-client \
- --env-file <$PWD/client.env (same as in step1)> \
- --network <docker network of cert service> \
- --mount type=bind,src=<path to local host directory where certificate and trust anchor will be created>,dst=<OUTPUT_PATH (same as in step 1)> \
- --volume <local path to keystore in JKS format>:<KEYSTORE_PATH> \
- --volume <local path to truststore in JKS format>:<TRUSTSTORE_PATH> \
- nexus3.onap.org:10001/onap/org.onap.aaf.certservice.aaf-certservice-client:$VERSION
-
-
-
-After successful creation of certifications, container exits with exit code 0, expected log looks like:
-
-.. code-block:: bash
-
- INFO 1 [ main] o.o.a.c.c.c.f.ClientConfigurationFactory : Successful validation of Client configuration. Configuration data: REQUEST_URL: https://aaf-cert-service:8443/v1/certificate/, REQUEST_TIMEOUT: 10000, OUTPUT_PATH: /var/certs, CA_NAME: RA, OUTPUT_TYPE: P12
- INFO 1 [ main] o.o.a.c.c.c.f.CsrConfigurationFactory : Successful validation of CSR configuration. Configuration data: COMMON_NAME: onap.org, COUNTRY: US, STATE: California, ORGANIZATION: Linux-Foundation, ORGANIZATION_UNIT: ONAP, LOCATION: San-Francisco, SANS: test.onap.org:onap.org
- INFO 1 [ main] o.o.a.c.c.c.KeyPairFactory : KeyPair generation started with algorithm: RSA and key size: 2048
- INFO 1 [ main] o.o.a.c.c.c.CsrFactory : Creation of CSR has been started with following parameters: COMMON_NAME: onap.org, COUNTRY: US, STATE: California, ORGANIZATION: Linux-Foundation, ORGANIZATION_UNIT: ONAP, LOCATION: San-Francisco, SANS: test.onap.org:onap.org
- INFO 1 [ main] o.o.a.c.c.c.CsrFactory : Creation of CSR has been completed successfully
- INFO 1 [ main] o.o.a.c.c.c.CsrFactory : Conversion of CSR to PEM has been started
- INFO 1 [ main] o.o.a.c.c.c.PrivateKeyToPemEncoder : Attempt to encode private key to PEM
- INFO 1 [ main] o.o.a.c.c.h.HttpClient : Attempt to send request to API, on url: https://aaf-cert-service:8443/v1/certificate/RA
- INFO 1 [ main] o.o.a.c.c.h.HttpClient : Received response from API
- DEBUG 1 [ main] o.o.a.c.c.c.c.ConvertedArtifactsCreator : Attempt to create keystore files and saving data. File names: keystore.p12, keystore.pass
- INFO 1 [ main] o.o.a.c.c.c.c.PemConverter : Conversion of PEM certificates to PKCS12 keystore
- DEBUG 1 [ main] o.o.a.c.c.c.w.CertFileWriter : Attempt to save file keystore.p12 in path /var/certs
- DEBUG 1 [ main] o.o.a.c.c.c.w.CertFileWriter : Attempt to save file keystore.pass in path /var/certs
- DEBUG 1 [ main] o.o.a.c.c.c.c.ConvertedArtifactsCreator : Attempt to create truststore files and saving data. File names: truststore.p12, truststore.pass
- INFO 1 [ main] o.o.a.c.c.c.c.PemConverter : Conversion of PEM certificates to PKCS12 truststore
- DEBUG 1 [ main] o.o.a.c.c.c.w.CertFileWriter : Attempt to save file truststore.p12 in path /var/certs
- DEBUG 1 [ main] o.o.a.c.c.c.w.CertFileWriter : Attempt to save file truststore.pass in path /var/certs
- INFO 1 [ main] o.o.a.c.c.AppExitHandler : Application exits with following exit code: 0 and message: Success
-
-
-
-
-If container exits with non 0 exit code, you can find more information in logs, see :ref:`cert_logs` page.
-
-As init container for Kubernetes
---------------------------------
-
-In order to run CertService client as init container for ONAP component you need to:
-
- - define an init container and use CerService Client image
- - provide client configuration through ENV variables in the init container
- - define two volumes:
-
- - first for generated certificates - it will be mounted in the init container and in the component container
- - second with secret containing keys and certificates for secure communication between CertService Client and CertService - it will be mounted only in the init container
- - mount both volumes to the init container
- - mount first volume to the component container
-
-You can use the following deployment example as a reference:
-
-.. code-block:: yaml
-
- ...
- kind: Deployment
- metadata:
- ...
- spec:
- ...
- template:
- ...
- spec:
- containers:
- - image: sample.image
- name: sample.name
- ...
- volumeMounts:
- - mountPath: /var/certs #CERTS CAN BE FOUND IN THIS DIRECTORY
- name: certs
- ...
- initContainers:
- - name: cert-service-client
- image: nexus3.onap.org:10001/onap/org.onap.aaf.certservice.aaf-certservice-client:latest
- imagePullPolicy: Always
- env:
- - name: REQUEST_URL
- value: https://aaf-cert-service:8443/v1/certificate/
- - name: REQUEST_TIMEOUT
- value: "1000"
- - name: OUTPUT_PATH
- value: /var/certs
- - name: CA_NAME
- value: RA
- - name: OUTPUT_TYPE
- value: P12
- - name: COMMON_NAME
- value: onap.org
- - name: ORGANIZATION
- value: Linux-Foundation
- - name: ORGANIZATION_UNIT
- value: ONAP
- - name: LOCATION
- value: San-Francisco
- - name: STATE
- value: California
- - name: COUNTRY
- value: US
- - name: SANS
- value: test.onap.org:onap.com
- - name: KEYSTORE_PATH
- value: /etc/onap/aaf/certservice/certs/certServiceClient-keystore.jks
- - name: KEYSTORE_PASSWORD
- value: secret
- - name: TRUSTSTORE_PATH
- value: /etc/onap/aaf/certservice/certs/truststore.jks
- - name: TRUSTSTORE_PASSWORD
- value: secret
- volumeMounts:
- - mountPath: /var/certs
- name: certs
- - mountPath: /etc/onap/aaf/certservice/certs/
- name: tls-volume
- ...
- volumes:
- - name: certs
- emptyDir: {}
- - name tls-volume
- secret:
- secretName: aaf-cert-service-client-tls-secret # Value of global.aaf.certService.client.secret.name
- ...
-
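Review bot: The Kubernetes example removed here (the `initContainers` block) references `aaf-certservice-client:latest` with `imagePullPolicy: Always`, so any deployment copied from it keeps pulling the client image of a project this commit declares abandoned. The README notice names only the new repository; it should also name the replacement client image, or say explicitly that the `org.onap.aaf.certservice.aaf-certservice-client` image is no longer maintained. The notice would also be a good place to tell users of that example to move `KEYSTORE_PASSWORD` and `TRUSTSTORE_PASSWORD` out of plain `value: secret` env entries when they migrate.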