summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorChrisC <christophe.closset@intl.att.com>2020-02-05 13:07:40 +0100
committerChristophe Closset <christophe.closset@intl.att.com>2020-02-05 12:23:12 +0000
commit504422fe7b93714222ff53b9ee9914a26b74c091 (patch)
treef0ce898fbbe94c3b67971cb52287970d9ee11277
parent8d91398da6162c19643f3f7cae83327dd4e81263 (diff)
Update SSL Certs and doc
Update SSL certs for Frankfurt (expiry date Feb 2021) + fix clamp env for compose. Documentation updated to reflect what to do for cert renewal (readme). Issue-ID: CLAMP-641 Signed-off-by: ChrisC <christophe.closset@intl.att.com> Change-Id: I24e24ee88674c3d5b399bc0f1722c61f4c54a937
-rw-r--r--README.md27
-rw-r--r--extra/docker/clamp/clamp.env2
-rw-r--r--src/main/resources/clds/aaf/org.onap.clamp.p12bin4147 -> 4155 bytes
-rw-r--r--src/main/resources/clds/aaf/ssl/clamp.key54
-rw-r--r--src/main/resources/clds/aaf/ssl/clamp.pem37
5 files changed, 66 insertions, 54 deletions
diff --git a/README.md b/README.md
index 148ff959..65fc0530 100644
--- a/README.md
+++ b/README.md
@@ -114,10 +114,10 @@ With the default log settings, all logs will be generated into console and into
You can see the swagger definition for the jaxrs apis at `/restservices/clds/v1/openapi.json`
-## Clamp AAF
+## Clamp AAF - Renew Certificates
- Connect to windriver with openvpn
- create a folder aaf-renewal and go to it
-- create a file aaf.props with that content
+- create a file aaf.props with that content (or run the agent.sh script below, it will prompt you for values at first run)
VERSION=2.1.13
DOCKER_REPOSITORY=nexus3.onap.org:10001
HOSTNAME=
@@ -141,13 +141,24 @@ You can see the swagger definition for the jaxrs apis at `/restservices/clds/v1/
cadi_latitude[0.000]=10.0
cadi_longitude[0.000]=10.0
- Certs should created, you can get them in /var/lib/docker/volumes/clamp_config/_data/local
+ If you want to recreate the certs, you have to delete the docker volume (otherwise it will be re used) : docker volume rm clamp_config
- wget https://nexus.onap.org/content/repositories/releases/org/onap/aaf/authz/aaf-cadi-aaf/2.1.13/aaf-cadi-aaf-2.1.13-full.jar
- to encrypt or decrypt the store passwords: java -jar aaf-cadi-aaf-2.1.13-full.jar cadi digest changeit testos.key
-
+- you can also use the agent.sh script to decrypt the passwords, by running the showpass commands (see wiki below)
- Extract private key from P12: 'openssl pkcs12 -in org.onap.clamp.p12 -nocerts -nodes > clamp.key'
- Extract public certificate from P12: 'openssl pkcs12 -in org.onap.clamp.p12 -clcerts -nokeys > clamp.pem'
- Extract CA certificate from P12: 'openssl pkcs12 -in org.onap.clamp.p12 -cacerts -nokeys -chain > ca-certs.pem'
- reference wiki: https://wiki.onap.org/display/DW/AAF+Certificate+Management+for+Dummies
+- you need to place new clamp.key, clamp.pem and ca-certs.pem into src/main/resources/clds/aaf/ssl, this will be used by the FrontEnd
+- you need to replace the password of the generated keystore (clamp uses the p12 keystore), we want to keep the same demo password across release
+ to do so, you can use keytool to update the password and set it back to 'China in the Spring'
+ keytool -storepasswd -keystore ./org.onap.clamp.p12
+- this will prompt for the current keystore password (the one generated by the aaf script that you can get from the above)
+- you can then set it to 'China in the Spring'
+- once done, you can replace : org.onap.clamp.p12 into src/main/resources/clds/aaf
+- rebuild Clamp Docker containers, they should be updated with the renewed certificates
+
+
## Clamp Credentials
There are two mechanisms that can enabled for the authentication, one or the other never both at the same time.
@@ -158,17 +169,17 @@ There is a section for SSL enablement and cadi configuration (for AAF) + one spr
server.port=8443
server.ssl.key-store=classpath:/clds/aaf/org.onap.clamp.p12
-server.ssl.key-store-password=China in the Spring
-server.ssl.key-password=China in the Spring
+server.ssl.key-store-password=enc:WWCxchk4WGBNSvuzLq3MLjMs5ObRybJtts5AI0XD1Vc
+server.ssl.key-password=enc:WWCxchk4WGBNSvuzLq3MLjMs5ObRybJtts5AI0XD1Vc
server.ssl.key-store-type=PKCS12
server.ssl.key-alias=clamp@clamp.onap.org
+clamp.config.keyFile=classpath:/clds/aaf/org.onap.clamp.keyfile
server.ssl.client-auth=want
server.ssl.trust-store=classpath:/clds/aaf/truststoreONAPall.jks
-server.ssl.trust-store-password=changeit
-
+server.ssl.trust-store-password=enc:iDnPBBLq_EMidXlMa1FEuBR8TZzYxrCg66vq_XfLHdJ
server.http-to-https-redirection.port=8080
....
-spring.profiles.active=clamp-default,clamp-aaf-authentication,clamp-sdc-controller
+spring.profiles.active=clamp-default,clamp-aaf-authentication,clamp-sdc-controller-new,clamp-ssl-config
....
clamp.config.cadi.keyFile=classpath:/clds/aaf/org.onap.clamp.keyfile
clamp.config.cadi.cadiLoglevel=DEBUG
diff --git a/extra/docker/clamp/clamp.env b/extra/docker/clamp/clamp.env
index ae6dbec1..06381f94 100644
--- a/extra/docker/clamp/clamp.env
+++ b/extra/docker/clamp/clamp.env
@@ -1,2 +1,2 @@
### Be careful, this must be in one line only ###
-SPRING_APPLICATION_JSON={"spring.datasource.cldsdb.url":"jdbc:mariadb:sequential://db:3306/cldsdb4?autoReconnect=true&connectTimeout=10000&socketTimeout=10000&retriesAllDown=3","spring.profiles.active":"clamp-default,clamp-default-user,clamp-sdc-controller-new","clamp.config.policy.api.url":"http4://third-party-proxy:8085","clamp.config.policy.pap.url":"http4://third-party-proxy:8085","clamp.config.dcae.inventory.url":"http://third-party-proxy:8085","clamp.config.dcae.deployment.url":"http4://third-party-proxy:8085"}
+SPRING_APPLICATION_JSON={"spring.datasource.cldsdb.url":"jdbc:mariadb:sequential://db:3306/cldsdb4?autoReconnect=true&connectTimeout=10000&socketTimeout=10000&retriesAllDown=3","spring.profiles.active":"clamp-default,clamp-default-user,clamp-sdc-controller-new,clamp-ssl-config","clamp.config.policy.api.url":"http4://third-party-proxy:8085","clamp.config.policy.pap.url":"http4://third-party-proxy:8085","clamp.config.dcae.inventory.url":"http://third-party-proxy:8085","clamp.config.dcae.deployment.url":"http4://third-party-proxy:8085"}
diff --git a/src/main/resources/clds/aaf/org.onap.clamp.p12 b/src/main/resources/clds/aaf/org.onap.clamp.p12
index dc24567b..268aa1a3 100644
--- a/src/main/resources/clds/aaf/org.onap.clamp.p12
+++ b/src/main/resources/clds/aaf/org.onap.clamp.p12
Binary files differ
diff --git a/src/main/resources/clds/aaf/ssl/clamp.key b/src/main/resources/clds/aaf/ssl/clamp.key
index af847d59..bcbb9f17 100644
--- a/src/main/resources/clds/aaf/ssl/clamp.key
+++ b/src/main/resources/clds/aaf/ssl/clamp.key
@@ -1,32 +1,32 @@
Bag Attributes
friendlyName: clamp@clamp.onap.org
- localKeyID: 54 69 6D 65 20 31 35 37 31 30 36 38 34 31 31 38 30 37
+ localKeyID: 54 69 6D 65 20 31 35 38 30 38 32 39 30 36 35 34 37 39
Key Attributes: <No Attributes>
-----BEGIN PRIVATE KEY-----
-MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQCsuvJ9pjBqjrxI
-+5TG2PTVRUob9Cx1uO3cUMzR01mxNodsSRdI3sq6Q2Nr+PenoT7edo8ujru8G79H
-BfyUWBkNe3hJikCXzDV62cwavWtGjWIsOZHczJfj8ZrtObJ/uRpeGmbosY38zUwN
-cGzT1vm2K67MPe2BazTI4JLxyGcJ0bZEZ0XGBMOup3Hqo2QOy7BaQMOTs20Ww3aB
-64h7KAqaqNnblqUOtkLCUBdp6Lxa9oBXqS4Fg+C1eZqzuixLQgmWZs2ED+wl4FZD
-DaIkN4gw4YTXhpxr82gauW3ro2sAYrJX63FqIzaj0rj/vqxYSy7fjzbsE1VPBxCH
-yUuaHxUTAgMBAAECggEABaPlHy06D4CxrUBpz0RuWjh0/wyuFvn+6l7JEWDxYNQD
-AAoy9HIx9HsW2AO9MoAVaXY9nquSfcX6LPuJD98AkmwhtWUKTuqgJG7QN19QDXG4
-bvFCTg9wNkVBZdWoens03TXHfnmtxT9+6EFvjEtMxCIRByJOixdRFe4fXj3I/40H
-p6KjzscPhRqmapB5U/lWwteONoq1A4VBoqj1Qbe1NjmNGMhhXqj/d9f6B0DPGqIA
-nIDubb1B3YNdbxE8LbY1YiQZEtjjA2uIyW0tRjZyhVVtNwSm814fyjVPp2oRpK43
-2OVBLbHZlxY5sFZwU71lWSyEAHhOL5yY1HORKUyCIQKBgQDwR8POilccu1fczDX7
-7jTHvknrtc5Pm689hOz+iZz8oib5MNHM57YMQJNauAHcUUDc8PEBrU44kJda7zVU
-8jVgeV0kvZcmDM4AGrmbBSGLhcmyqJC4wKF20K3rVFFo5exlpTDU7dwnPkMbHeGQ
-LmPzk+5BKQa81Mq+cObdJs/LpwKBgQC4B9kf+cex77OluKN9mz8D3MOEWycztDpd
-XVeM+RV4cjIMaQl91GovtQDwdy9TbKCsq+sFvqWsmQNkUlDGP2c0y4PFnJt7ahzW
-wqZ8bZgNcTNE+KqHUMEOcDGRVoQf65XRWZhjq0mJyCewPMOrdFgHTzva2QYOrZTK
-jBIWx84otQKBgQCDjidM7D1pw8EFaOGdv/wx6KO8ZFxDBfBadG71pg7H21gPU4Vq
-9OqdprWHE/wgznP/BARQcLzFB5V2+kVu7vX+jjRLK2qYMKaRNBCvKY4GQAgAw34J
-SZ6d2P+AOzgfgNN/i4RC8MB61AIV1LRtJpkfAb2O+5Fuzer7fgFI0DkxPQKBgAdq
-gYxxU2PPRg0KmMQKCosMTXC6/6RsweFbTpjmvL/C0lN/tBs3ASR1Bdmq4+RXv03W
-C72KhkCjVeioDItAqNcO0HuZKQbbKthYtb7T58m64xcHck/LqEv9p3G069QheUMb
-ejGiCG+d+kN232e8Y4O/5KiYEE9tHU7gQCZc3Oj1AoGBAI2QyoAJlM0jREsEft7c
-L+5kcV+VulyMYEFycSy6KziUKxVh+VMk5Eo6UhXo6m4x37tg/D8uK/tkeJdWw00N
-dXLsUcDEacZyF8UfRsrscmiBURu0+9S/5+ncSX6s18HHGL7n2io+PX/ie2neO7q1
-fj50Aj03dg1TrgMTx2g6e85Y
+MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCTB30nMh0hczIk
+vWJo7Omg7cAHhz50NBhLB7u+60oXRGCya4SqssqqxNnNqNQQP9MmflW2q/bZepWn
+8Rk23X6CLmoIUlrj8BMPkUCRqzgvlaWPSNAK5QcOp6GUvXTuX4EsaWxJhbs9Ujz2
++qi137iNOqfAx1sUygah1kjALrqHkXDqJGvIfxU5ES0akBi/lB7A3WpE52KTioSF
+JS5Kbnpj1ogffGNKyAiNqU61LcF1FjWmINat2z3ZMk/3Xm+HCDg/GLPnbh4E1KoE
+10O22AMys6YGEyPvgRfrTF13DsDX52PmmUHbkSB6kwS/CeV5Uu++8b6T2IWpPyZ2
++5ptmL+tAgMBAAECggEBAIUplzRUswWEq7mSvPqC9+YE7pLi7rGYLRhnXKdBuszv
+5RQzROjFHcEkoI8fhVFiPP70FPVpMh0uZTTBrDCA0v9cwjPfQuqGmPzUdUJ5bF3M
+jzICpEn5vDaNpE5ueOUcIoXyxVyhfj+/p++YfgybHy7qHN0AsYFWqEMTLLjCmbYF
+pZozbAcGQoAR8PSfwuvgusuEezrhYertHsdFwlfZhDtJvnm/4YKRUVEBzuaaA7B9
+sUhnQFS8ScqiUbkAGdjfY9wOYRHnQgjtqiP8poIzLkqCNSoVctgh5Pdv4jp4HO90
+J5QC+f7m7rOoWUw8EYbRo/4C4Mckh0GQQ+oP4xzrtZECgYEA3DYALFgOEY+0RR1K
+61HAKqdNy1YbeuidpCBEJEwmIbzdgO1DcJdNznbfdRlmS7VB9orwRfNbf7Hxm2w/
+/xn9USENXWx7fvDoISqSDegvEsBSq5hSEMVl3f7CfQZrYl1f6gxfe7L/jtmbn0eQ
+avsr9RaUCWP794DEXKuA9pC8hVsCgYEAquy5I4hO4jNBQ6v5+omjsEgk4513/RNs
+f47Md8bsDHKJMbCMKCdqM1D3J1xbgV3DgSv0yNlKdU2wenWdgQAyBtz18NBgno85
+YNanFhp1CymgLFHdLJHSOqAkzutSuCNnGTT6AKspOQvy+cuj7XsnbsxtYK3Cgw5h
+Mom3RnUy9ZcCgYAnForHVEYDBgAYuI9g39z9dT8Q1dMA6SN6S6Ps0Xt/R5gF15e9
+941/FYiqr3yB+cWgrp7hu8XFD9/0F63waTuW2AgYSjZNnROHN5g/UbRxXqQOA3al
+tXRUiHEbYjVTe4GX+ORF/8rvH19JUZmn87ekxII4fH/wOfIhBOxaV+yuuwKBgHtz
+5Tizz/3y9TWSdkgtt6uwP+yipLKGn/v1wNrWM1G+PDdGg8TQyxTrasfkHjdu6LFY
+dUHIJ85X4ZphbvRolrl8SKq5Zr+/RLsb7qy5SUZZt1Wrfysc25H6bvuA3ksfTuzW
+5acr+Oc6KTGgkvMI229cebe1aONNtIhTDav3JGpbAoGAX5DQvNreqnP8qSAvUN2I
+TAHXIzawR3f6vgGgVIdkHkiS2eKzs/fgP3VAK80TbrGSR8HvBcPEcR/icOn1u/e6
+tDp0j6mGt5aPKK9VQkBn94bW35T12FUbdB+L8FWWTUrfiVWJtEW8tEsKil5ac8U4
+Bn3vC5WUeKhW6v6kD4AigqE=
-----END PRIVATE KEY-----
diff --git a/src/main/resources/clds/aaf/ssl/clamp.pem b/src/main/resources/clds/aaf/ssl/clamp.pem
index 22f4541a..a01b587a 100644
--- a/src/main/resources/clds/aaf/ssl/clamp.pem
+++ b/src/main/resources/clds/aaf/ssl/clamp.pem
@@ -1,32 +1,33 @@
Bag Attributes
friendlyName: clamp@clamp.onap.org
- localKeyID: 54 69 6D 65 20 31 35 37 31 30 36 38 34 31 31 38 30 37
+ localKeyID: 54 69 6D 65 20 31 35 38 30 38 32 39 30 36 35 34 37 39
subject=CN = clamp, emailAddress = mark.d.manager@people.osaaf.com, OU = clamp@clamp.onap.org:DEV, OU = OSAAF, O = ONAP, C = US
issuer=C = US, O = ONAP, OU = OSAAF, CN = intermediateCA_9
-----BEGIN CERTIFICATE-----
-MIIETDCCAzSgAwIBAgIIGF6ukzqwlGIwDQYJKoZIhvcNAQELBQAwRzELMAkGA1UE
+MIIEWDCCA0CgAwIBAgIILw1zyDGqB5IwDQYJKoZIhvcNAQELBQAwRzELMAkGA1UE
BhMCVVMxDTALBgNVBAoMBE9OQVAxDjAMBgNVBAsMBU9TQUFGMRkwFwYDVQQDDBBp
-bnRlcm1lZGlhdGVDQV85MB4XDTE5MTAxNDE1NTM0MVoXDTIwMTAxNDE1NTM0MVow
+bnRlcm1lZGlhdGVDQV85MB4XDTIwMDIwNDEyMjM1MloXDTIxMDIwNDEyMjM1Mlow
gY8xDjAMBgNVBAMMBWNsYW1wMS4wLAYJKoZIhvcNAQkBFh9tYXJrLmQubWFuYWdl
ckBwZW9wbGUub3NhYWYuY29tMSEwHwYDVQQLDBhjbGFtcEBjbGFtcC5vbmFwLm9y
ZzpERVYxDjAMBgNVBAsMBU9TQUFGMQ0wCwYDVQQKDARPTkFQMQswCQYDVQQGEwJV
-UzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKy68n2mMGqOvEj7lMbY
-9NVFShv0LHW47dxQzNHTWbE2h2xJF0jeyrpDY2v496ehPt52jy6Ou7wbv0cF/JRY
-GQ17eEmKQJfMNXrZzBq9a0aNYiw5kdzMl+Pxmu05sn+5Gl4aZuixjfzNTA1wbNPW
-+bYrrsw97YFrNMjgkvHIZwnRtkRnRcYEw66nceqjZA7LsFpAw5OzbRbDdoHriHso
-Cpqo2duWpQ62QsJQF2novFr2gFepLgWD4LV5mrO6LEtCCZZmzYQP7CXgVkMNoiQ3
-iDDhhNeGnGvzaBq5beujawBislfrcWojNqPSuP++rFhLLt+PNuwTVU8HEIfJS5of
-FRMCAwEAAaOB8jCB7zAJBgNVHRMEAjAAMA4GA1UdDwEB/wQEAwIF4DAgBgNVHSUB
+UzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAJMHfScyHSFzMiS9Ymjs
+6aDtwAeHPnQ0GEsHu77rShdEYLJrhKqyyqrE2c2o1BA/0yZ+Vbar9tl6lafxGTbd
+foIuaghSWuPwEw+RQJGrOC+VpY9I0ArlBw6noZS9dO5fgSxpbEmFuz1SPPb6qLXf
+uI06p8DHWxTKBqHWSMAuuoeRcOoka8h/FTkRLRqQGL+UHsDdakTnYpOKhIUlLkpu
+emPWiB98Y0rICI2pTrUtwXUWNaYg1q3bPdkyT/deb4cIOD8Ys+duHgTUqgTXQ7bY
+AzKzpgYTI++BF+tMXXcOwNfnY+aZQduRIHqTBL8J5XlS777xvpPYhak/Jnb7mm2Y
+v60CAwEAAaOB/jCB+zAJBgNVHRMEAjAAMA4GA1UdDwEB/wQEAwIF4DAgBgNVHSUB
Af8EFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwVAYDVR0jBE0wS4AUgfeZWxC5yIze
81Je6k5poEM+rN2hMKQuMCwxDjAMBgNVBAsMBU9TQUFGMQ0wCwYDVQQKDARPTkFQ
-MQswCQYDVQQGEwJVU4IBBzAdBgNVHQ4EFgQUicMoQoxguo6qFb7YZ2gZn8X0BV4w
-OwYDVR0RBDQwMoIFY2xhbXCCHWNsYW1wLmFwaS5zaW1wbGVkZW1vLm9uYXAub3Jn
-ggpjbGFtcC5vbmFwMA0GCSqGSIb3DQEBCwUAA4IBAQCMDZrqzL/orHH3WoLKj/JJ
-+QOt89CTYJqX5rS2TbQgX/JdjXJzJsmY21dTHxg0+AdRmAUATHBFAOg/nLEfDUOh
-NX0+OshoaTYjrI2ZH4j24UsoXzGffpjqPbLMZJ1uzxy4qTTvzeJJM1NsfKD4Er0B
-KDgN66pzywJrxOXkTQZpmkgGeB9FwmBoLFKP2XJjXXT9c9Wol8ttrSqu/sy5e6/Y
-SZLco8lXx0isxGgG5PfF9WSuikFRlC5LCmcSn9EfxQIOeGjzJQpuB8yqN/ojE8wY
-ZBhaUM/+NETQNzsh4dZxq7ErSknND60NYit8rz9lWDDrNNKVF+8iFpoTb17V8e3C
+MQswCQYDVQQGEwJVU4IBBzAdBgNVHQ4EFgQUzfIed+18wgFs7E6q0b6BbMICtfsw
+RwYDVR0RBEAwPoIFY2xhbXCCCmNsYW1wLW9uYXCCHWNsYW1wLmFwaS5zaW1wbGVk
+ZW1vLm9uYXAub3JnggpjbGFtcC5vbmFwMA0GCSqGSIb3DQEBCwUAA4IBAQBizhsW
+XrJ9wQy3PrBxgh90sOF15tayXPRZSFYPoQb5LhRh3IY/PvXLaSHlkgPHlCLLx36S
+0/DiVf86/83ABvyaq9gJIyg/m4ntNae23OKH1AkA1aN+JCKA8yhsAzDBcRF6Aj7E
+VJ+vQlSzz5oh+efP1e/8DUMd1/WwbTXvRd0Iqv/fyZunbjb82qNMrsK1mQ2q+87A
+0jx9u1EdeMihP6vWiuKzlwy4mKoNT573SPpvaOkjX3yDlmf2CTQZ9vdAvjmFmVsH
+1wyrNZOIgW4VjluiZfAk3mOEskrZiP/7aUXnxmNnYTpgZMbhiouLbRrTc4lLEyhx
+G7A61/KGTsLZlvxb
-----END CERTIFICATE-----