authorTaka Cho <takamune.cho@att.com>2019-06-11 17:04:50 -0400
committerTaka Cho <takamune.cho@att.com>2019-06-11 17:06:00 -0400
commitd3f590c87f20a26272cbaf9d6fde1dcc2e7466b8 (patch)
tree2ce0ccd56a31ad1e18749d88995e3a1fec763c67
parente8494752effab43ecd7ffa949e6eb7b30b38c9b2 (diff)
move http to https
use jetty to move to https Issue-ID: APPC-1573 Change-Id: I814e8159d39f7e09cfbfcf5a314a1909774486cc Signed-off-by: Taka Cho <takamune.cho@att.com>
-rw-r--r--docker-compose/docker-compose.yml1
-rw-r--r--installation/appc/pom.xml4
-rw-r--r--installation/appc/src/main/resources/custom.properties88
-rw-r--r--installation/appc/src/main/resources/jetty.xml131
-rw-r--r--installation/appc/src/main/resources/keystorebin0 -> 2219 bytes
-rw-r--r--installation/appc/src/main/scripts/dockerInstall.sh5
6 files changed, 229 insertions, 0 deletions
diff --git a/docker-compose/docker-compose.yml b/docker-compose/docker-compose.yml
index 706465b..b5f0506 100644
--- a/docker-compose/docker-compose.yml
+++ b/docker-compose/docker-compose.yml
@@ -72,6 +72,7 @@ services:
container_name: appc_controller_container
entrypoint: ["/opt/onap/appc/bin/startODL.sh"]
ports:
+ - "8443:8443"
- "8282:8181"
- "1830:1830"
- "9090:9191"
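Review bot: The new `- "8443:8443"` mapping is added next to the existing `- "8282:8181"` mapping, so the plain-HTTP listener on 8181 stays reachable from the host after this change even though the commit title says "move http to https". If the intent is to move rather than add, the 8181 mapping should be dropped (or the plain connector limited to redirecting to 8443, which this commit's jetty.xml does not do). If HTTP has to stay for compatibility, a comment on the line makes that explicit, e.g. `- "8282:8181"  # plain HTTP kept for legacy clients; prefer 8443 (TLS)`.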
diff --git a/installation/appc/pom.xml b/installation/appc/pom.xml
index 82c3d14..6c5378d 100644
--- a/installation/appc/pom.xml
+++ b/installation/appc/pom.xml
@@ -112,11 +112,13 @@ limitations under the License.
<resource>
<directory>src/main/resources</directory>
<includes>
+ <include>keystore</include>
<include>*.dump</include>
<include>*.sh</include>
<include>*.cfg</include>
<include>*.xml</include>
<include>*.json</include>
+ <include>*.properties</include>
</includes>
<filtering>false</filtering>
</resource>
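Review bot: The added `<include>*.properties</include>` is wider than the single `custom.properties` file this commit introduces; any other `.properties` file that later lands under `src/main/resources` would be packaged silently, so naming it explicitly (`<include>custom.properties</include>`) keeps the resource set deterministic. The same two includes are repeated in the second resource block in the `@@ -359,11 +361,13 @@` hunk, which should be changed the same way. Note that `keystore` is packaged with `<filtering>false</filtering>`, which is correct for a binary file, but it means the built artifact carries whatever private key is checked into the repository.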
@@ -359,11 +361,13 @@ limitations under the License.
<resource>
<directory>src/main/resources</directory>
<includes>
+ <include>keystore</include>
<include>*.dump</include>
<include>*.sh</include>
<include>*.cfg</include>
<include>*.xml</include>
<include>*.json</include>
+ <include>*.properties</include>
</includes>
<filtering>false</filtering>
</resource>
diff --git a/installation/appc/src/main/resources/custom.properties b/installation/appc/src/main/resources/custom.properties
new file mode 100644
index 0000000..ebfaf8e
--- /dev/null
+++ b/installation/appc/src/main/resources/custom.properties
@@ -0,0 +1,88 @@
+# Extra packages to import from the boot class loader
+org.osgi.framework.system.packages.extra=org.apache.karaf.branding,sun.reflect,sun.reflect.misc,sun.misc,sun.nio.ch,com.sun.media.sound,sun.net,sun.security.x509,com.sun.management
+
+# https://bugs.eclipse.org/bugs/show_bug.cgi?id=325578
+# Extend the framework to avoid the resources to be presented with
+# a URL of type bundleresource: but to be presented as file:
+osgi.hook.configurators.include=org.eclipse.virgo.kernel.equinox.extensions.hooks.ExtensionsHookConfigurator
+
+# Embedded Tomcat configuration File
+org.eclipse.gemini.web.tomcat.config.path=configuration/tomcat-server.xml
+org.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH=true
+
+# Use Equinox as default OSGi Framework Implementation
+karaf.framework=equinox
+
+# Show a progress bar on startup and start the console when all bundles are up and running.
+# (If you are in a hurry you can still type enter to start the shell faster.)
+karaf.delay.console=true
+
+# Set security provider to BouncyCastle
+org.apache.karaf.security.providers = org.bouncycastle.jce.provider.BouncyCastleProvider
+
+# We set this to false to disable the Aries BlueprintExtender from doing its orderly container
+# shutdown so we can do it after the CSS has shut down all its modules. Otherwise Aries will
+# shutdown blueprint containers when the karaf framework starts shutdown (ie when bundle 0 is
+# stopped) which can cause failures on CSS module shutdown due to the core blueprint containers
+# and services already being shut down. This setting can be removed when/if CSS is removed
+# completely from ODL.
+org.apache.aries.blueprint.preemptiveShutdown=false
+
+netconf.config.persister.active=1
+
+netconf.config.persister.1.storageAdapterClass=org.opendaylight.controller.config.persist.storage.file.xml.XmlFileStorageAdapter
+netconf.config.persister.1.properties.fileStorage=etc/opendaylight/current/controller.currentconfig.xml
+netconf.config.persister.1.properties.numberOfBackups=1
+
+# Container configuration
+container.profile = Container
+
+# Connection manager configuration
+connection.scheme = ANY_CONTROLLER_ONE_MASTER
+
+# TLS configuration
+# To enable TLS, set secureChannelEnabled=true and specify the location of controller Java KeyStore and TrustStore files.
+# The Java KeyStore contains controller's private key and certificate. The Java TrustStore contains the trusted certificate
+# entries, including switches' Certification Authority (CA) certificates. For example,
+# secureChannelEnabled=true
+# controllerKeyStore=./configuration/ctlKeyStore
+# controllerKeyStorePassword=xxxxxxxx (this password should match the password used for KeyStore generation and at least 6 characters)
+# controllerTrustStore=./configuration/ctlTrustStore
+# controllerTrustStorePassword=xxxxxxxx (this password should match the password used for TrustStore generation and at least 6 characters)
+
+secureChannelEnabled=false
+controllerKeyStore=
+controllerKeyStorePassword=
+controllerTrustStore=
+controllerTrustStorePassword=
+
+org.osgi.service.http.secure.enabled=true
+org.osgi.service.http.port.secure=8443
+org.ops4j.pax.web.ssl.keystore=./etc/keystore
+org.ops4j.pax.web.ssl.password=123456
+org.ops4j.pax.web.ssl.keypassword=123456
+
+# User Manager configurations
+enableStrongPasswordCheck = false
+
+#Jolokia configurations
+#org.jolokia.listenForHttpService=false
+
+# Logging configuration for Tomcat-JUL logging
+java.util.logging.config.file=configuration/tomcat-logging.properties
+
+#Hosttracker hostsdb key scheme setting
+hosttracker.keyscheme=IP
+
+# LISP Flow Mapping configuration
+# Enable merging RLOC sets received from different xTR-IDs for the same EID (default: false)
+lisp.mappingMerge = false
+# Enable the Solicit-Map-Request (SMR) mechanism (default: true)
+lisp.smr = true
+# Choose policy for Explicit Locator Path (ELP) handling
+# There are three options:
+# default: don't add or remove locator records, return mapping as-is
+# both: keep the ELP, but add the next hop as a standalone non-LCAF locator with a lower priority
+# replace: remove the ELP, add the next hop as a standalone non-LCAF locator
+lisp.elpPolicy = default
+
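Review bot: `org.ops4j.pax.web.ssl.password=123456` and `org.ops4j.pax.web.ssl.keypassword=123456` put the keystore password into a file that is committed and shipped in every image, and the keystore it protects (`./etc/keystore`) is added to the repository in the same commit as a binary, so every deployment built from this tree terminates TLS with the same private key and anyone with read access to the repository or the image holds it. A defensible fix is to leave both values empty here and have the install script generate a per-deployment keystore and supply the password from an environment variable or mounted secret, with a comment in this file such as `# keystore password is injected at install time; do not commit a value here`. The surrounding block (`secureChannelEnabled=false`, the empty `controller*Store*` keys, `enableStrongPasswordCheck = false`) appears to be copied from an OpenDaylight default and is unrelated to the pax-web HTTPS setting this commit is about; a one-line comment saying these are intentionally left at their defaults would stop a reader from assuming TLS is disabled.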
diff --git a/installation/appc/src/main/resources/jetty.xml b/installation/appc/src/main/resources/jetty.xml
new file mode 100644
index 0000000..cc80dff
--- /dev/null
+++ b/installation/appc/src/main/resources/jetty.xml
@@ -0,0 +1,131 @@
+<?xml version="1.0"?>
+<!--
+ Licensed to the Apache Software Foundation (ASF) under one
+ or more contributor license agreements. See the NOTICE file
+ distributed with this work for additional information
+ regarding copyright ownership. The ASF licenses this file
+ to you under the Apache License, Version 2.0 (the
+ "License"); you may not use this file except in compliance
+ with the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing,
+ software distributed under the License is distributed on an
+ "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ KIND, either express or implied. See the License for the
+ specific language governing permissions and limitations
+ under the License.
+-->
+<!DOCTYPE Configure PUBLIC "-//Mort Bay Consulting//
+DTD Configure//EN" "http://jetty.mortbay.org/configure.dtd">
+
+<Configure id="Server" class="org.eclipse.jetty.server.Server">
+
+ <!-- =========================================================== -->
+ <!-- Set connectors -->
+ <!-- =========================================================== -->
+ <!-- One of each type! -->
+ <!-- =========================================================== -->
+
+ <!-- Use this connector for many frequently idle connections and for
+ threadless continuations. -->
+ <New id="http-default" class="org.eclipse.jetty.server.HttpConfiguration">
+ <Set name="secureScheme">https</Set>
+ <Set name="securePort">
+ <Property name="jetty.secure.port" default="8443" />
+ </Set>
+ <Set name="outputBufferSize">32768</Set>
+ <Set name="requestHeaderSize">8192</Set>
+ <Set name="responseHeaderSize">8192</Set>
+
+ <!-- Default security setting: do not leak our version -->
+ <Set name="sendServerVersion">false</Set>
+
+ <Set name="sendDateHeader">false</Set>
+ <Set name="headerCacheSize">512</Set>
+ </New>
+
+ <New id="http-legacy" class="org.eclipse.jetty.server.HttpConfiguration">
+ <Set name="secureScheme">https</Set>
+ <Set name="securePort">
+ <Property name="jetty.secure.port" default="8443" />
+ </Set>
+ <Set name="outputBufferSize">32768</Set>
+ <Set name="requestHeaderSize">8192</Set>
+ <Set name="responseHeaderSize">8192</Set>
+
+ <!-- Default security setting: do not leak our version -->
+ <Set name="sendServerVersion">false</Set>
+
+ <Set name="sendDateHeader">false</Set>
+ <Set name="headerCacheSize">512</Set>
+ </New>
+
+ <Call name="addConnector">
+ <Arg>
+ <New class="org.eclipse.jetty.server.ServerConnector">
+ <Arg name="server">
+ <Ref refid="Server" />
+ </Arg>
+ <Arg name="factories">
+ <Array type="org.eclipse.jetty.server.ConnectionFactory">
+ <Item>
+ <New class="org.eclipse.jetty.server.HttpConnectionFactory">
+ <Arg name="config">
+ <Ref refid="http-default"/>
+ </Arg>
+ </New>
+ </Item>
+ </Array>
+ </Arg>
+ <Set name="host">
+ <Property name="jetty.host"/>
+ </Set>
+ <Set name="port">
+ <Property name="jetty.port" default="8181"/>
+ </Set>
+ <Set name="idleTimeout">
+ <Property name="http.timeout" default="300000"/>
+ </Set>
+ <Set name="name">jetty-default</Set>
+ </New>
+ </Arg>
+ </Call>
+
+ <!-- =========================================================== -->
+ <!-- Configure Authentication Realms -->
+ <!-- Realms may be configured for the entire server here, or -->
+ <!-- they can be configured for a specific web app in a context -->
+ <!-- configuration (see $(jetty.home)/contexts/test.xml for an -->
+ <!-- example). -->
+ <!-- =========================================================== -->
+ <Call name="addBean">
+ <Arg>
+ <New class="org.eclipse.jetty.jaas.JAASLoginService">
+ <Set name="name">karaf</Set>
+ <Set name="loginModuleName">karaf</Set>
+ <Set name="roleClassNames">
+ <Array type="java.lang.String">
+ <Item>org.apache.karaf.jaas.boot.principal.RolePrincipal
+ </Item>
+ </Array>
+ </Set>
+ </New>
+ </Arg>
+ </Call>
+ <Call name="addBean">
+ <Arg>
+ <New class="org.eclipse.jetty.jaas.JAASLoginService">
+ <Set name="name">default</Set>
+ <Set name="loginModuleName">karaf</Set>
+ <Set name="roleClassNames">
+ <Array type="java.lang.String">
+ <Item>org.apache.karaf.jaas.boot.principal.RolePrincipal
+ </Item>
+ </Array>
+ </Set>
+ </New>
+ </Arg>
+ </Call>
+</Configure>
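Review bot: The only connector this file registers is the plain `HttpConnectionFactory` bound to `jetty.port` (default 8181) in the `addConnector` call; no `SslContextFactory` or HTTPS connector appears here, so the 8443 listener must be created by pax-web from the `org.osgi.service.http.*` / `org.ops4j.pax.web.ssl.*` properties in custom.properties rather than by this file, and a header comment saying so (`<!-- HTTPS connector on 8443 is configured by pax-web properties in custom.properties, not here -->`) would save the next reader a search. `secureScheme`/`securePort` only tell Jetty where to send a client when a security constraint demands confidential transport; by themselves they do not redirect plain-HTTP requests to 8443. The second `HttpConfiguration`, `http-legacy`, is identical to `http-default` and is never referenced by any connector, so it is dead configuration that should be removed or given a comment explaining what is meant to use it.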
diff --git a/installation/appc/src/main/resources/keystore b/installation/appc/src/main/resources/keystore
new file mode 100644
index 0000000..cd37a73
--- /dev/null
+++ b/installation/appc/src/main/resources/keystore
Binary files differ
diff --git a/installation/appc/src/main/scripts/dockerInstall.sh b/installation/appc/src/main/scripts/dockerInstall.sh
index 264e8d9..a35896d 100644
--- a/installation/appc/src/main/scripts/dockerInstall.sh
+++ b/installation/appc/src/main/scripts/dockerInstall.sh
@@ -70,6 +70,11 @@ echo "" >> $APPC_HOME/data/properties/appc.properties
echo "Copying the aaa shiro configuration into opendaylight"
cp ${APPC_HOME}/data/aaa-app-config.xml ${ODL_HOME}/etc/opendaylight/datastore/initial/config/aaa-app-config.xml
+echo "Copying jetty, keystore for https into opendalight"
+cp ${APPC_HOME}/data/jetty.xml ${ODL_HOME}/etc/jetty.xml
+cp ${APPC_HOME}/data/keystore ${ODL_HOME}/etc/keystore
+cp ${APPC_HOME}/data/custom.properties ${ODL_HOME}/etc/custom.properties
+
echo "Stopping OpenDaylight and waiting for it to stop"
${ODL_HOME}/bin/stop
#The karaf command will exit when odl shuts down. This is the most reliable way to wait for opendaylight to stop
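Review bot: `cp ${APPC_HOME}/data/keystore ${ODL_HOME}/etc/keystore` copies the TLS keystore with whatever mode it had in the image, so the private key can end up readable by every user in the container; `install -m 600 ${APPC_HOME}/data/keystore ${ODL_HOME}/etc/keystore` sets a restrictive mode in the same step. The three new `cp` calls are unchecked: unless `set -e` is in effect earlier in the script (outside this hunk), a missing source file is only logged and the install continues with OpenDaylight left without the HTTPS configuration. The echo text also has a typo: `echo "Copying jetty, keystore for https into opendaylight"`.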