diff options
author | ChrisC <christophe.closset@intl.att.com> | 2020-02-05 13:07:40 +0100 |
---|---|---|
committer | Christophe Closset <christophe.closset@intl.att.com> | 2020-02-05 12:23:12 +0000 |
commit | 504422fe7b93714222ff53b9ee9914a26b74c091 (patch) | |
tree | f0ce898fbbe94c3b67971cb52287970d9ee11277 | |
parent | 8d91398da6162c19643f3f7cae83327dd4e81263 (diff) |
Update SSL Certs and doc
Update SSL certs for Frankfurt (expiry date Feb 2021) + fix clamp env
for compose.
Documentation updated to reflect what to do for cert renewal (readme).
Issue-ID: CLAMP-641
Signed-off-by: ChrisC <christophe.closset@intl.att.com>
Change-Id: I24e24ee88674c3d5b399bc0f1722c61f4c54a937
-rw-r--r-- | README.md | 27 | ||||
-rw-r--r-- | extra/docker/clamp/clamp.env | 2 | ||||
-rw-r--r-- | src/main/resources/clds/aaf/org.onap.clamp.p12 | bin | 4147 -> 4155 bytes | |||
-rw-r--r-- | src/main/resources/clds/aaf/ssl/clamp.key | 54 | ||||
-rw-r--r-- | src/main/resources/clds/aaf/ssl/clamp.pem | 37 |
5 files changed, 66 insertions, 54 deletions
@@ -114,10 +114,10 @@ With the default log settings, all logs will be generated into console and into You can see the swagger definition for the jaxrs apis at `/restservices/clds/v1/openapi.json` -## Clamp AAF +## Clamp AAF - Renew Certificates - Connect to windriver with openvpn - create a folder aaf-renewal and go to it -- create a file aaf.props with that content +- create a file aaf.props with that content (or run the agent.sh script below, it will prompt you for values at first run) VERSION=2.1.13 DOCKER_REPOSITORY=nexus3.onap.org:10001 HOSTNAME= @@ -141,13 +141,24 @@ You can see the swagger definition for the jaxrs apis at `/restservices/clds/v1/ cadi_latitude[0.000]=10.0 cadi_longitude[0.000]=10.0 - Certs should created, you can get them in /var/lib/docker/volumes/clamp_config/_data/local + If you want to recreate the certs, you have to delete the docker volume (otherwise it will be re used) : docker volume rm clamp_config - wget https://nexus.onap.org/content/repositories/releases/org/onap/aaf/authz/aaf-cadi-aaf/2.1.13/aaf-cadi-aaf-2.1.13-full.jar - to encrypt or decrypt the store passwords: java -jar aaf-cadi-aaf-2.1.13-full.jar cadi digest changeit testos.key - +- you can also use the agent.sh script to decrypt the passwords, by running the showpass commands (see wiki below) - Extract private key from P12: 'openssl pkcs12 -in org.onap.clamp.p12 -nocerts -nodes > clamp.key' - Extract public certificate from P12: 'openssl pkcs12 -in org.onap.clamp.p12 -clcerts -nokeys > clamp.pem' - Extract CA certificate from P12: 'openssl pkcs12 -in org.onap.clamp.p12 -cacerts -nokeys -chain > ca-certs.pem' - reference wiki: https://wiki.onap.org/display/DW/AAF+Certificate+Management+for+Dummies +- you need to place new clamp.key, clamp.pem and ca-certs.pem into src/main/resources/clds/aaf/ssl, this will be used by the FrontEnd +- you need to replace the password of the generated keystore (clamp uses the p12 keystore), we want to keep the same demo password across release + to do so, you can use keytool to update the password and set it back to 'China in the Spring' + keytool -storepasswd -keystore ./org.onap.clamp.p12 +- this will prompt for the current keystore password (the one generated by the aaf script that you can get from the above) +- you can then set it to 'China in the Spring' +- once done, you can replace : org.onap.clamp.p12 into src/main/resources/clds/aaf +- rebuild Clamp Docker containers, they should be updated with the renewed certificates + + ## Clamp Credentials There are two mechanisms that can enabled for the authentication, one or the other never both at the same time. @@ -158,17 +169,17 @@ There is a section for SSL enablement and cadi configuration (for AAF) + one spr server.port=8443 server.ssl.key-store=classpath:/clds/aaf/org.onap.clamp.p12 -server.ssl.key-store-password=China in the Spring -server.ssl.key-password=China in the Spring +server.ssl.key-store-password=enc:WWCxchk4WGBNSvuzLq3MLjMs5ObRybJtts5AI0XD1Vc +server.ssl.key-password=enc:WWCxchk4WGBNSvuzLq3MLjMs5ObRybJtts5AI0XD1Vc server.ssl.key-store-type=PKCS12 server.ssl.key-alias=clamp@clamp.onap.org +clamp.config.keyFile=classpath:/clds/aaf/org.onap.clamp.keyfile server.ssl.client-auth=want server.ssl.trust-store=classpath:/clds/aaf/truststoreONAPall.jks -server.ssl.trust-store-password=changeit - +server.ssl.trust-store-password=enc:iDnPBBLq_EMidXlMa1FEuBR8TZzYxrCg66vq_XfLHdJ server.http-to-https-redirection.port=8080 .... -spring.profiles.active=clamp-default,clamp-aaf-authentication,clamp-sdc-controller +spring.profiles.active=clamp-default,clamp-aaf-authentication,clamp-sdc-controller-new,clamp-ssl-config .... clamp.config.cadi.keyFile=classpath:/clds/aaf/org.onap.clamp.keyfile clamp.config.cadi.cadiLoglevel=DEBUG diff --git a/extra/docker/clamp/clamp.env b/extra/docker/clamp/clamp.env index ae6dbec1..06381f94 100644 --- a/extra/docker/clamp/clamp.env +++ b/extra/docker/clamp/clamp.env @@ -1,2 +1,2 @@ ### Be careful, this must be in one line only ### -SPRING_APPLICATION_JSON={"spring.datasource.cldsdb.url":"jdbc:mariadb:sequential://db:3306/cldsdb4?autoReconnect=true&connectTimeout=10000&socketTimeout=10000&retriesAllDown=3","spring.profiles.active":"clamp-default,clamp-default-user,clamp-sdc-controller-new","clamp.config.policy.api.url":"http4://third-party-proxy:8085","clamp.config.policy.pap.url":"http4://third-party-proxy:8085","clamp.config.dcae.inventory.url":"http://third-party-proxy:8085","clamp.config.dcae.deployment.url":"http4://third-party-proxy:8085"} +SPRING_APPLICATION_JSON={"spring.datasource.cldsdb.url":"jdbc:mariadb:sequential://db:3306/cldsdb4?autoReconnect=true&connectTimeout=10000&socketTimeout=10000&retriesAllDown=3","spring.profiles.active":"clamp-default,clamp-default-user,clamp-sdc-controller-new,clamp-ssl-config","clamp.config.policy.api.url":"http4://third-party-proxy:8085","clamp.config.policy.pap.url":"http4://third-party-proxy:8085","clamp.config.dcae.inventory.url":"http://third-party-proxy:8085","clamp.config.dcae.deployment.url":"http4://third-party-proxy:8085"} diff --git a/src/main/resources/clds/aaf/org.onap.clamp.p12 b/src/main/resources/clds/aaf/org.onap.clamp.p12 Binary files differindex dc24567b..268aa1a3 100644 --- a/src/main/resources/clds/aaf/org.onap.clamp.p12 +++ b/src/main/resources/clds/aaf/org.onap.clamp.p12 diff --git a/src/main/resources/clds/aaf/ssl/clamp.key b/src/main/resources/clds/aaf/ssl/clamp.key index af847d59..bcbb9f17 100644 --- a/src/main/resources/clds/aaf/ssl/clamp.key +++ b/src/main/resources/clds/aaf/ssl/clamp.key @@ -1,32 +1,32 @@ Bag Attributes friendlyName: clamp@clamp.onap.org - localKeyID: 54 69 6D 65 20 31 35 37 31 30 36 38 34 31 31 38 30 37 + localKeyID: 54 69 6D 65 20 31 35 38 30 38 32 39 30 36 35 34 37 39 Key Attributes: <No Attributes> -----BEGIN PRIVATE KEY----- -MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQCsuvJ9pjBqjrxI -+5TG2PTVRUob9Cx1uO3cUMzR01mxNodsSRdI3sq6Q2Nr+PenoT7edo8ujru8G79H -BfyUWBkNe3hJikCXzDV62cwavWtGjWIsOZHczJfj8ZrtObJ/uRpeGmbosY38zUwN -cGzT1vm2K67MPe2BazTI4JLxyGcJ0bZEZ0XGBMOup3Hqo2QOy7BaQMOTs20Ww3aB -64h7KAqaqNnblqUOtkLCUBdp6Lxa9oBXqS4Fg+C1eZqzuixLQgmWZs2ED+wl4FZD -DaIkN4gw4YTXhpxr82gauW3ro2sAYrJX63FqIzaj0rj/vqxYSy7fjzbsE1VPBxCH -yUuaHxUTAgMBAAECggEABaPlHy06D4CxrUBpz0RuWjh0/wyuFvn+6l7JEWDxYNQD -AAoy9HIx9HsW2AO9MoAVaXY9nquSfcX6LPuJD98AkmwhtWUKTuqgJG7QN19QDXG4 -bvFCTg9wNkVBZdWoens03TXHfnmtxT9+6EFvjEtMxCIRByJOixdRFe4fXj3I/40H -p6KjzscPhRqmapB5U/lWwteONoq1A4VBoqj1Qbe1NjmNGMhhXqj/d9f6B0DPGqIA -nIDubb1B3YNdbxE8LbY1YiQZEtjjA2uIyW0tRjZyhVVtNwSm814fyjVPp2oRpK43 -2OVBLbHZlxY5sFZwU71lWSyEAHhOL5yY1HORKUyCIQKBgQDwR8POilccu1fczDX7 -7jTHvknrtc5Pm689hOz+iZz8oib5MNHM57YMQJNauAHcUUDc8PEBrU44kJda7zVU -8jVgeV0kvZcmDM4AGrmbBSGLhcmyqJC4wKF20K3rVFFo5exlpTDU7dwnPkMbHeGQ -LmPzk+5BKQa81Mq+cObdJs/LpwKBgQC4B9kf+cex77OluKN9mz8D3MOEWycztDpd -XVeM+RV4cjIMaQl91GovtQDwdy9TbKCsq+sFvqWsmQNkUlDGP2c0y4PFnJt7ahzW -wqZ8bZgNcTNE+KqHUMEOcDGRVoQf65XRWZhjq0mJyCewPMOrdFgHTzva2QYOrZTK -jBIWx84otQKBgQCDjidM7D1pw8EFaOGdv/wx6KO8ZFxDBfBadG71pg7H21gPU4Vq -9OqdprWHE/wgznP/BARQcLzFB5V2+kVu7vX+jjRLK2qYMKaRNBCvKY4GQAgAw34J -SZ6d2P+AOzgfgNN/i4RC8MB61AIV1LRtJpkfAb2O+5Fuzer7fgFI0DkxPQKBgAdq -gYxxU2PPRg0KmMQKCosMTXC6/6RsweFbTpjmvL/C0lN/tBs3ASR1Bdmq4+RXv03W -C72KhkCjVeioDItAqNcO0HuZKQbbKthYtb7T58m64xcHck/LqEv9p3G069QheUMb -ejGiCG+d+kN232e8Y4O/5KiYEE9tHU7gQCZc3Oj1AoGBAI2QyoAJlM0jREsEft7c -L+5kcV+VulyMYEFycSy6KziUKxVh+VMk5Eo6UhXo6m4x37tg/D8uK/tkeJdWw00N -dXLsUcDEacZyF8UfRsrscmiBURu0+9S/5+ncSX6s18HHGL7n2io+PX/ie2neO7q1 -fj50Aj03dg1TrgMTx2g6e85Y +MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCTB30nMh0hczIk +vWJo7Omg7cAHhz50NBhLB7u+60oXRGCya4SqssqqxNnNqNQQP9MmflW2q/bZepWn +8Rk23X6CLmoIUlrj8BMPkUCRqzgvlaWPSNAK5QcOp6GUvXTuX4EsaWxJhbs9Ujz2 ++qi137iNOqfAx1sUygah1kjALrqHkXDqJGvIfxU5ES0akBi/lB7A3WpE52KTioSF +JS5Kbnpj1ogffGNKyAiNqU61LcF1FjWmINat2z3ZMk/3Xm+HCDg/GLPnbh4E1KoE +10O22AMys6YGEyPvgRfrTF13DsDX52PmmUHbkSB6kwS/CeV5Uu++8b6T2IWpPyZ2 ++5ptmL+tAgMBAAECggEBAIUplzRUswWEq7mSvPqC9+YE7pLi7rGYLRhnXKdBuszv +5RQzROjFHcEkoI8fhVFiPP70FPVpMh0uZTTBrDCA0v9cwjPfQuqGmPzUdUJ5bF3M +jzICpEn5vDaNpE5ueOUcIoXyxVyhfj+/p++YfgybHy7qHN0AsYFWqEMTLLjCmbYF +pZozbAcGQoAR8PSfwuvgusuEezrhYertHsdFwlfZhDtJvnm/4YKRUVEBzuaaA7B9 +sUhnQFS8ScqiUbkAGdjfY9wOYRHnQgjtqiP8poIzLkqCNSoVctgh5Pdv4jp4HO90 +J5QC+f7m7rOoWUw8EYbRo/4C4Mckh0GQQ+oP4xzrtZECgYEA3DYALFgOEY+0RR1K +61HAKqdNy1YbeuidpCBEJEwmIbzdgO1DcJdNznbfdRlmS7VB9orwRfNbf7Hxm2w/ +/xn9USENXWx7fvDoISqSDegvEsBSq5hSEMVl3f7CfQZrYl1f6gxfe7L/jtmbn0eQ +avsr9RaUCWP794DEXKuA9pC8hVsCgYEAquy5I4hO4jNBQ6v5+omjsEgk4513/RNs +f47Md8bsDHKJMbCMKCdqM1D3J1xbgV3DgSv0yNlKdU2wenWdgQAyBtz18NBgno85 +YNanFhp1CymgLFHdLJHSOqAkzutSuCNnGTT6AKspOQvy+cuj7XsnbsxtYK3Cgw5h +Mom3RnUy9ZcCgYAnForHVEYDBgAYuI9g39z9dT8Q1dMA6SN6S6Ps0Xt/R5gF15e9 +941/FYiqr3yB+cWgrp7hu8XFD9/0F63waTuW2AgYSjZNnROHN5g/UbRxXqQOA3al +tXRUiHEbYjVTe4GX+ORF/8rvH19JUZmn87ekxII4fH/wOfIhBOxaV+yuuwKBgHtz +5Tizz/3y9TWSdkgtt6uwP+yipLKGn/v1wNrWM1G+PDdGg8TQyxTrasfkHjdu6LFY +dUHIJ85X4ZphbvRolrl8SKq5Zr+/RLsb7qy5SUZZt1Wrfysc25H6bvuA3ksfTuzW +5acr+Oc6KTGgkvMI229cebe1aONNtIhTDav3JGpbAoGAX5DQvNreqnP8qSAvUN2I +TAHXIzawR3f6vgGgVIdkHkiS2eKzs/fgP3VAK80TbrGSR8HvBcPEcR/icOn1u/e6 +tDp0j6mGt5aPKK9VQkBn94bW35T12FUbdB+L8FWWTUrfiVWJtEW8tEsKil5ac8U4 +Bn3vC5WUeKhW6v6kD4AigqE= -----END PRIVATE KEY----- diff --git a/src/main/resources/clds/aaf/ssl/clamp.pem b/src/main/resources/clds/aaf/ssl/clamp.pem index 22f4541a..a01b587a 100644 --- a/src/main/resources/clds/aaf/ssl/clamp.pem +++ b/src/main/resources/clds/aaf/ssl/clamp.pem @@ -1,32 +1,33 @@ Bag Attributes friendlyName: clamp@clamp.onap.org - localKeyID: 54 69 6D 65 20 31 35 37 31 30 36 38 34 31 31 38 30 37 + localKeyID: 54 69 6D 65 20 31 35 38 30 38 32 39 30 36 35 34 37 39 subject=CN = clamp, emailAddress = mark.d.manager@people.osaaf.com, OU = clamp@clamp.onap.org:DEV, OU = OSAAF, O = ONAP, C = US issuer=C = US, O = ONAP, OU = OSAAF, CN = intermediateCA_9 -----BEGIN CERTIFICATE----- -MIIETDCCAzSgAwIBAgIIGF6ukzqwlGIwDQYJKoZIhvcNAQELBQAwRzELMAkGA1UE +MIIEWDCCA0CgAwIBAgIILw1zyDGqB5IwDQYJKoZIhvcNAQELBQAwRzELMAkGA1UE BhMCVVMxDTALBgNVBAoMBE9OQVAxDjAMBgNVBAsMBU9TQUFGMRkwFwYDVQQDDBBp -bnRlcm1lZGlhdGVDQV85MB4XDTE5MTAxNDE1NTM0MVoXDTIwMTAxNDE1NTM0MVow +bnRlcm1lZGlhdGVDQV85MB4XDTIwMDIwNDEyMjM1MloXDTIxMDIwNDEyMjM1Mlow gY8xDjAMBgNVBAMMBWNsYW1wMS4wLAYJKoZIhvcNAQkBFh9tYXJrLmQubWFuYWdl ckBwZW9wbGUub3NhYWYuY29tMSEwHwYDVQQLDBhjbGFtcEBjbGFtcC5vbmFwLm9y ZzpERVYxDjAMBgNVBAsMBU9TQUFGMQ0wCwYDVQQKDARPTkFQMQswCQYDVQQGEwJV -UzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKy68n2mMGqOvEj7lMbY -9NVFShv0LHW47dxQzNHTWbE2h2xJF0jeyrpDY2v496ehPt52jy6Ou7wbv0cF/JRY -GQ17eEmKQJfMNXrZzBq9a0aNYiw5kdzMl+Pxmu05sn+5Gl4aZuixjfzNTA1wbNPW -+bYrrsw97YFrNMjgkvHIZwnRtkRnRcYEw66nceqjZA7LsFpAw5OzbRbDdoHriHso -Cpqo2duWpQ62QsJQF2novFr2gFepLgWD4LV5mrO6LEtCCZZmzYQP7CXgVkMNoiQ3 -iDDhhNeGnGvzaBq5beujawBislfrcWojNqPSuP++rFhLLt+PNuwTVU8HEIfJS5of -FRMCAwEAAaOB8jCB7zAJBgNVHRMEAjAAMA4GA1UdDwEB/wQEAwIF4DAgBgNVHSUB +UzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAJMHfScyHSFzMiS9Ymjs +6aDtwAeHPnQ0GEsHu77rShdEYLJrhKqyyqrE2c2o1BA/0yZ+Vbar9tl6lafxGTbd +foIuaghSWuPwEw+RQJGrOC+VpY9I0ArlBw6noZS9dO5fgSxpbEmFuz1SPPb6qLXf +uI06p8DHWxTKBqHWSMAuuoeRcOoka8h/FTkRLRqQGL+UHsDdakTnYpOKhIUlLkpu +emPWiB98Y0rICI2pTrUtwXUWNaYg1q3bPdkyT/deb4cIOD8Ys+duHgTUqgTXQ7bY +AzKzpgYTI++BF+tMXXcOwNfnY+aZQduRIHqTBL8J5XlS777xvpPYhak/Jnb7mm2Y +v60CAwEAAaOB/jCB+zAJBgNVHRMEAjAAMA4GA1UdDwEB/wQEAwIF4DAgBgNVHSUB Af8EFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwVAYDVR0jBE0wS4AUgfeZWxC5yIze 81Je6k5poEM+rN2hMKQuMCwxDjAMBgNVBAsMBU9TQUFGMQ0wCwYDVQQKDARPTkFQ -MQswCQYDVQQGEwJVU4IBBzAdBgNVHQ4EFgQUicMoQoxguo6qFb7YZ2gZn8X0BV4w -OwYDVR0RBDQwMoIFY2xhbXCCHWNsYW1wLmFwaS5zaW1wbGVkZW1vLm9uYXAub3Jn -ggpjbGFtcC5vbmFwMA0GCSqGSIb3DQEBCwUAA4IBAQCMDZrqzL/orHH3WoLKj/JJ -+QOt89CTYJqX5rS2TbQgX/JdjXJzJsmY21dTHxg0+AdRmAUATHBFAOg/nLEfDUOh -NX0+OshoaTYjrI2ZH4j24UsoXzGffpjqPbLMZJ1uzxy4qTTvzeJJM1NsfKD4Er0B -KDgN66pzywJrxOXkTQZpmkgGeB9FwmBoLFKP2XJjXXT9c9Wol8ttrSqu/sy5e6/Y -SZLco8lXx0isxGgG5PfF9WSuikFRlC5LCmcSn9EfxQIOeGjzJQpuB8yqN/ojE8wY -ZBhaUM/+NETQNzsh4dZxq7ErSknND60NYit8rz9lWDDrNNKVF+8iFpoTb17V8e3C +MQswCQYDVQQGEwJVU4IBBzAdBgNVHQ4EFgQUzfIed+18wgFs7E6q0b6BbMICtfsw +RwYDVR0RBEAwPoIFY2xhbXCCCmNsYW1wLW9uYXCCHWNsYW1wLmFwaS5zaW1wbGVk +ZW1vLm9uYXAub3JnggpjbGFtcC5vbmFwMA0GCSqGSIb3DQEBCwUAA4IBAQBizhsW +XrJ9wQy3PrBxgh90sOF15tayXPRZSFYPoQb5LhRh3IY/PvXLaSHlkgPHlCLLx36S +0/DiVf86/83ABvyaq9gJIyg/m4ntNae23OKH1AkA1aN+JCKA8yhsAzDBcRF6Aj7E +VJ+vQlSzz5oh+efP1e/8DUMd1/WwbTXvRd0Iqv/fyZunbjb82qNMrsK1mQ2q+87A +0jx9u1EdeMihP6vWiuKzlwy4mKoNT573SPpvaOkjX3yDlmf2CTQZ9vdAvjmFmVsH +1wyrNZOIgW4VjluiZfAk3mOEskrZiP/7aUXnxmNnYTpgZMbhiouLbRrTc4lLEyhx +G7A61/KGTsLZlvxb -----END CERTIFICATE----- |