.. This work is licensed under a Creative Commons Attribution 4.0 International License. .. http://creativecommons.org/licenses/by/4.0 .. Copyright 2020 NOKIA How to use functionality ========================= Common information to docker and Kubernetes modes described below Basic information ----------------- CertService client needs the following configuration parameters to work properly: 1. Parameters for connection to CertService API to obtain certificate and trust anchors - REQUEST_URL *(default: https://aaf-cert-service:8443/v1/certificate/)* - URL to CertService API - REQUEST_TIMEOUT *(default: 30000[ms])* - Timeout in milliseconds for REST API calls - OUTPUT_PATH *(required)* - Path where client will output generated certificate and trust anchor - CA_NAME *(required)* - Name of CA which will enroll certificate. Must be same as configured on server side. Used in REST API calls 2. Parameters to generate Certificate Signing Request (CSR): - COMMON_NAME *(required)* - Common name for which certificate from CMPv2 server should be issued - ORGANIZATION *(required)* - Organization for which certificate from CMPv2 server should be issued - ORGANIZATION_UNIT *(optional)* - Organization unit for which certificate from CMPv2 server should be issued - LOCATION *(optional)* - Location for which certificate from CMPv2 server should be issued - STATE *(required)* - State for which certificate from CMPv2 server should be issued - COUNTRY *(required)* - Country for which certificate from CMPv2 server should be issued - SANS *(optional)(SANS's should be separated by a colon e.g. test.onap.org:onap.com)* - Subject Alternative Names (SANs) for which certificate from CMPv2 server should be issued. 3. Parameters to establish secure communication to CertService: - KEYSTORE_PATH *(required)* - KEYSTORE_PASSWORD *(required)* - TRUSTSTORE_PATH *(required)* - TRUSTSTORE_PASSWORD *(required)* CertService client image can be found on Nexus repository : .. code-block:: bash nexus3.onap.org:10001/onap/org.onap.aaf.certservice.aaf-certservice-client:$VERSION As standalone docker container ------------------------------ You need certificate and trust anchors to connect to CertService API via HTTPS. Information how to generate truststore and keystore files you can find in project repository README `Gerrit GitWeb `__ To run CertService client as standalone docker container execute following steps: 1. Create file '*$PWD/client.env*' with environments as in example below: .. code-block:: bash #Client envs REQUEST_URL= REQUEST_TIMEOUT=10000 OUTPUT_PATH=/var/certs CA_NAME=RA #CSR config envs COMMON_NAME=onap.org ORGANIZATION=Linux-Foundation ORGANIZATION_UNIT=ONAP LOCATION=San-Francisco STATE=California COUNTRY=US SANS=test.onap.org:onap.com #TLS config envs KEYSTORE_PATH=/etc/onap/aaf/certservice/certs/certServiceClient-keystore.jks KEYSTORE_PASSWORD= TRUSTSTORE_PATH=/etc/onap/aaf/certservice/certs/certServiceClient-truststore.jks TRUSTSTORE_PASSWORD= 2. Run docker container as in following example (API and client must be running in same network): .. code-block:: bash docker run \ --rm \ --name aafcert-client \ --env-file <$PWD/client.env (same as in step1)> \ --network \ --mount type=bind,src=,dst= \ --volume : \ --volume : \ nexus3.onap.org:10001/onap/org.onap.aaf.certservice.aaf-certservice-client:$VERSION After successful creation of certifications, container exits with exit code 0, expected log looks like: .. code-block:: bash INFO 1 [ main] o.o.a.c.c.c.f.ClientConfigurationFactory : Successful validation of Client configuration. Configuration data: REQUEST_URL: https://aaf-cert-service:8443/v1/certificate/, REQUEST_TIMEOUT: 10000, OUTPUT_PATH: /var/certs, CA_NAME: RA INFO 1 [ main] o.o.a.c.c.c.f.CsrConfigurationFactory : Successful validation of CSR configuration. Configuration data: COMMON_NAME: onap.org, COUNTRY: US, STATE: California, ORGANIZATION: Linux-Foundation, ORGANIZATION_UNIT: ONAP, LOCATION: San-Francisco, SANS: test.onap.org:onap.org INFO 1 [ main] o.o.a.c.c.c.KeyPairFactory : KeyPair generation started with algorithm: RSA and key size: 2048 INFO 1 [ main] o.o.a.c.c.c.CsrFactory : Creation of CSR has been started with following parameters: COMMON_NAME: onap.org, COUNTRY: US, STATE: California, ORGANIZATION: Linux-Foundation, ORGANIZATION_UNIT: ONAP, LOCATION: San-Francisco, SANS: test.onap.org:onap.org INFO 1 [ main] o.o.a.c.c.c.CsrFactory : Creation of CSR has been completed successfully INFO 1 [ main] o.o.a.c.c.c.CsrFactory : Conversion of CSR to PEM has been started INFO 1 [ main] o.o.a.c.c.c.PrivateKeyToPemEncoder : Attempt to encode private key to PEM INFO 1 [ main] o.o.a.c.c.h.HttpClient : Attempt to send request to API, on url: https://aaf-cert-service:8443/v1/certificate/RA INFO 1 [ main] o.o.a.c.c.h.HttpClient : Received response from API INFO 1 [ main] o.o.a.c.c.c.c.PemToPKCS12Converter : Conversion of PEM certificates to PKCS12 keystore DEBUG 1 [ main] o.o.a.c.c.c.c.PKCS12FilesCreator : Attempt to create PKCS12 keystore files and saving data. Keystore path: /var/certs/keystore.jks INFO 1 [ main] o.o.a.c.c.c.c.PemToPKCS12Converter : Conversion of PEM certificates to PKCS12 truststore DEBUG 1 [ main] o.o.a.c.c.c.c.PKCS12FilesCreator : Attempt to create PKCS12 truststore files and saving data. Truststore path: /var/certs/truststore.jks INFO 1 [ main] o.o.a.c.c.AppExitHandler : Application exits with following exit code: 0 and message: Success If container exits with non 0 exit code, you can find more information in logs, see :ref:`cert_logs` page. As init container for Kubernetes -------------------------------- In order to run CertService client as init container for ONAP component you need to: - define an init container and use CerService Client image - provide client configuration through ENV variables in the init container - define two volumes: - first for generated certificates - it will be mounted in the init container and in the component container - second with secret containing keys and certificates for secure communication between CertService Client and CertService - it will be mounted only in the init container - mount both volumes to the init container - mount first volume to the component container You can use the following deployment example as a reference: .. code-block:: yaml ... kind: Deployment metadata: ... spec: ... template: ... spec: containers: - image: sample.image name: sample.name ... volumeMounts: - mountPath: /var/certs #CERTS CAN BE FOUND IN THIS DIRECTORY name: certs ... initContainers: - name: cert-service-client image: nexus3.onap.org:10001/onap/org.onap.aaf.certservice.aaf-certservice-client:latest imagePullPolicy: Always env: - name: REQUEST_URL value: http://aaf-cert-service:8080/v1/certificate/ - name: REQUEST_TIMEOUT value: "1000" - name: OUTPUT_PATH value: /var/certs - name: CA_NAME value: RA - name: COMMON_NAME value: onap.org - name: ORGANIZATION value: Linux-Foundation - name: ORGANIZATION_UNIT value: ONAP - name: LOCATION value: San-Francisco - name: STATE value: California - name: COUNTRY value: US - name: SANS value: test.onap.org:onap.com - name: KEYSTORE_PATH value: /etc/onap/aaf/certservice/certs/certServiceClient-keystore.jks - name: KEYSTORE_PASSWORD value: secret - name: TRUSTSTORE_PATH value: /etc/onap/aaf/certservice/certs/truststore.jks - name: TRUSTSTORE_PASSWORD value: secret volumeMounts: - mountPath: /var/certs name: certs - mountPath: /etc/onap/aaf/certservice/certs/ name: tls-volume ... volumes: - name: certs emptyDir: {} - name tls-volume secret: secretName: aaf-cert-service-client-tls-secret # Value of global.aaf.certService.client.secret.name ...