summaryrefslogtreecommitdiffstats
path: root/docs/sections/configuration.rst
diff options
context:
space:
mode:
Diffstat (limited to 'docs/sections/configuration.rst')
-rw-r--r--docs/sections/configuration.rst59
1 files changed, 35 insertions, 24 deletions
diff --git a/docs/sections/configuration.rst b/docs/sections/configuration.rst
index 43de0e43..b325712e 100644
--- a/docs/sections/configuration.rst
+++ b/docs/sections/configuration.rst
@@ -3,7 +3,7 @@
.. Copyright 2020 NOKIA
Configuration
-=============
+==============
Configuring Cert Service
@@ -41,7 +41,7 @@ Example cmpServers.json file:
This contains list of CMP Servers, where each server has following properties:
- - *caName* - name of the external CA server. It's used to match *CA_NAME* sent by client in order to match proper configuration.
+ - *caName* - name of the external CA server. It's used to match *CA_NAME* sent by CertService client in order to match proper configuration.
- *url* - URL to CMPv2 server
- *issuerDN* - Distinguished Name of the CA that will sign the certificate
- *caMode* - Issuer mode. Allowed values are *CLIENT* and *RA*
@@ -57,8 +57,8 @@ This configuration is read on the application start. It can also be reloaded in
Next sections explain how to configure Cert Service in local (docker-compose) and OOM Deployments.
-Configuring in local(docker-compose) deployment:
-^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+Configuring in local (docker-compose) deployment:
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Before application start:
"""""""""""""""""""""""""
@@ -76,6 +76,9 @@ When application is running:
docker exec -it <certservice-container-name> bash
+ e.g.
+ docker exec -it aafcert-service bash
+
3. Edit *cmpServers.json* file::
vim /etc/onap/aaf/certservice/cmpServers.json
@@ -83,7 +86,7 @@ When application is running:
4. Save the file. Note that this file is mounted as volume, so change will be persistent.
5. Reload configuration::
- curl -I https://localhost:8443/reload --cacert /etc/onap/aaf/certservice/certs/root.crt --cert-type p12 --cert /etc/onap/aaf/certservice/certs/certServiceServer-keystore.p12 --pass secret
+ curl -I https://localhost:8443/reload --cacert /etc/onap/aaf/certservice/certs/root.crt --cert-type p12 --cert /etc/onap/aaf/certservice/certs/certServiceServer-keystore.p12 --pass $KEYSTORE_PASSWORD
6. Exit container::
@@ -96,7 +99,7 @@ Configuring in OOM deployment:
Before OOM installation:
""""""""""""""""""""""""
-Note! This must be executed before calling *make all* (from OOM Installation) or needs remaking aaf Charts.
+Note! This must be executed before calling *make all* (from OOM Installation) or needs remaking AAF charts.
1. Edit *cmpServers.json* file. If OOM *global.addTestingComponents* flag is set to:
@@ -109,15 +112,20 @@ Note! This must be executed before calling *make all* (from OOM Installation) or
When CertService is deployed:
"""""""""""""""""""""""""""""
-1. Encode your configuration to base64::
+1. Create file with configuration
+
+2. Encode your configuration to base64::
- echo "CONFIGURATION_TO_ENCODE" | base64
+ cat <configuration_file> | base64
-2. Edit secret::
+3. Edit secret::
- kubectl edit secret <cmp-servers-secret-name> # aaf-cert-service-secret by default
+ kubectl -n onap edit secret <cmp-servers-secret-name>
-3. Replace value for *cmpServers.json* with your base64 encoded configuration. For example:
+ e.g.
+ kubectl -n onap edit secret aaf-cert-service-secret
+
+4. Replace value for *cmpServers.json* with your base64 encoded configuration. For example:
.. code-block:: yaml
@@ -134,17 +142,20 @@ When CertService is deployed:
uid: 6a037526-83ed-11ea-b731-fa163e2144f6
type: Opaque
-4. Save and exit
-5. New configuration will be automatically mounted to CertService pod, but application configuration reload is needed.
-6. To reload configuration enter CertService pod::
+5. Save and exit
+6. New configuration will be automatically mounted to CertService pod, but application configuration reload is needed.
+7. To reload configuration enter CertService pod::
+
+ kubectl -n onap exec -it <cert-service-pod-name> bash
- kubectl exec -it <cert-service-pod-name> bash
+ e.g.
+ kubectl -n onap exec -it $(kubectl -n onap get pods | grep cert-service | awk '{print $1}') bash
-7. Reload configuration::
+8. Reload configuration::
curl -I https://localhost:$HTTPS_PORT/reload --cacert $ROOT_CERT --cert-type p12 --cert $KEYSTORE_P12_PATH --pass $KEYSTORE_PASSWORD
-8. Exit container::
+9. Exit container::
exit
@@ -185,19 +196,19 @@ This section describes how to use custom, external certificates for CertService
1. Set *tls.certificateExternalSecret* flag to true in *kubernetes/aaf/charts/aaf-cert-service/values.yaml*
2. Prepare secret for CertService. It must be provided before OOM installation. It must contain four files:
- - *certServiceServer-keystore.jks* - keystore in jks format. Signed by some Root CA
- - *certServiceServer-keystore.p12* - same keystore in p12 format
- - *truststore.jks* - truststore in jks format, containing certificates of the Root CA that signed CertService Client certificate
- - *root.crt* - certificate of the RootCA that signed Client certificate in crt format
+ - *certServiceServer-keystore.jks* - keystore in JKS format. Signed by some Root CA
+ - *certServiceServer-keystore.p12* - same keystore in PKCS#12 format
+ - *truststore.jks* - truststore in JKS format, containing certificates of the Root CA that signed CertService Client certificate
+ - *root.crt* - certificate of the RootCA that signed Client certificate in CRT format
3. Name the secret properly - the name should match *tls.server.secret.name* value from *kubernetes/aaf/charts/aaf-cert-service/values.yaml* file
4. Prepare secret for CertService Client. It must be provided before OOM installation. It must contain two files:
- - *certServiceClient-keystore.jks* - keystore in jks format. Signed by some Root CA
- - *truststore.jks* - truststore in jks format, containing certificates of the RootCA that signed CertService certificate
+ - *certServiceClient-keystore.jks* - keystore in JKS format. Signed by some Root CA
+ - *truststore.jks* - truststore in JKS format, containing certificates of the RootCA that signed CertService certificate
-5. Name the secret properly - the name should match *global.aaf.certService.client.secret.name*
+5. Name the secret properly - the name should match *global.aaf.certService.client.secret.name* value from *kubernetes/onap/values.yaml* file
6. Provide keystore and truststore passwords for CertService. It can be done in two ways: