diff options
author | JerzySzachniewicz <jerzy.szachniewicz@nokia.com> | 2020-11-18 12:31:33 +0100 |
---|---|---|
committer | JerzySzachniewicz <jerzy.szachniewicz@nokia.com> | 2020-12-03 13:12:39 +0100 |
commit | e68df395e8bafc09e390eda1e96827bbf613eb90 (patch) | |
tree | 9d0d89dbe04fd9e9433950e09ea04bcb2af08d15 /docs/sections | |
parent | df0b52ff59932be8333ee31aa7d83b061695f90b (diff) |
Adjustments in DFC certificate documentation
Issue-ID: DCAEGEN2-2456
Signed-off-by: JerzySzachniewicz <jerzy.szachniewicz@nokia.com>
Change-Id: I348a0388327a723bad8c5f49d76c689c7804082c
Signed-off-by: JerzySzachniewicz <jerzy.szachniewicz@nokia.com>
(cherry picked from commit d4b5297c9a4fa360cf81f78fc32654ff68f9f003)
Diffstat (limited to 'docs/sections')
-rw-r--r-- | docs/sections/services/dfc/certificates.rst | 86 | ||||
-rw-r--r-- | docs/sections/services/dfc/consule-certificate-update.png | bin | 0 -> 137126 bytes |
2 files changed, 33 insertions, 53 deletions
diff --git a/docs/sections/services/dfc/certificates.rst b/docs/sections/services/dfc/certificates.rst index 350cda63..9c4d46b2 100644 --- a/docs/sections/services/dfc/certificates.rst +++ b/docs/sections/services/dfc/certificates.rst @@ -47,72 +47,65 @@ We have two keystore files, one for TrustManager, one for KeyManager. openssl x509 -outform der -in ftp.crt -out ftp.der -2. And after, import it in the keystore : +2. And after copy existing keystore and password from container: .. code:: bash - keytool -import -alias ftp -keystore ftp.jks -file ftp.der + kubectl cp <DFC pod>:/opt/app/datafile/etc/cert/trust.jks trust.jks + kubectl cp <DFC pod>:/opt/app/datafile/etc/cert/trust.pass trust.pass -**For KeyManager:** - -1. First, create a jks keystore: +3. Import DER certificate in the keystore : .. code:: bash - keytool -keystore dfc.jks -genkey -alias dfc + keytool -import -alias ftp -keystore trust.jks -file ftp.der + +**For KeyManager:** -2. Second, import dfc.crt and dfc.key to dfc.jks. This is a bit troublesome. +1. Import dfc.crt and dfc.key to dfc.jks. This is a bit troublesome. - 1). Step one: Convert x509 Cert and Key to a pkcs12 file + Convert x509 Cert and Key to a pkcs12 file .. code:: bash - openssl pkcs12 -export -in dfc.crt -inkey dfc.key -out dfc.p12 -name [some-alias] + openssl pkcs12 -export -in dfc.crt -inkey dfc.key -out cert.p12 -name dfc Note: Make sure you put a password on the p12 file - otherwise you'll get a null reference exception when you try to import it. - Note 2: You might want to add the -chainoption to preserve the full certificate chain. - - 2). Step two: Convert the pkcs12 file to a java keystore: +2. Create password files for cert.p12 + .. code:: bash - .. code:: bash + printf "[your password]" > p12.pass - keytool -importkeystore -deststorepass [changeit] -destkeypass [changeit] -destkeystore dfc.jks -srckeystore dfc.p12 -srcstoretype PKCS12 -srcstorepass [some-password] -alias [some-alias] - -4. Update existing jks.b64 files +4. Update existing KeyStore files --------------------------------- -Copy the existing jks from the DFC container to a local environment. +Copy the new trust.jks and cert.p12 and password files from local environment to the DFC container. .. code:: bash - - docker cp <DFC container>:/opt/app/datafile/config/ftp.jks . - docker cp <DFC container>:/opt/app/datafile/config/dfc.jks . - + mkdir mycert + cp cert.p12 mycert/ + cp p12.pass mycert/ + cp trust.jks mycert/ + cp trust.pass mycert/ + kubectl cp mycert/ <DFC pod>:/opt/app/datafile/etc/cert/ + +5. Update configuration in consul +----------------------------------- +Change path in consul: .. code:: bash + dmaap.ftpesConfig.keyCert": "/opt/app/datafile/etc/cert/mycert/cert.p12 + dmaap.ftpesConfig.keyPasswordPath": "/opt/app/datafile/etc/cert/mycert/p12.pass + dmaap.ftpesConfig.trustedCa": "/opt/app/datafile/etc/cert/mycert/trust.jks + dmaap.ftpesConfig.trustedCaPasswordPath": "/opt/app/datafile/etc/cert/mycert/trust.pass - openssl base64 -in ftp.jks -out ftp.jks.b64 - openssl base64 -in dfc.jks -out dfc.jks.b64 - +Consul's address: http://<worker external IP>:<Consul External Port> .. code:: bash + kubectl -n onap get svc | grep consul - chmod 755 ftp.jks.b64 - chmod 755 dfc.jks.b64 - -Copy the new jks.64 files from local environment to the DFC container. +.. image:: ./consule-certificate-update.png - .. code:: bash - - docker cp ftp.jks.b64 <DFC container>:/opt/app/datafile/config/ - docker cp dfc.jks.b64 <DFC container>:/opt/app/datafile/config/ - -Finally - - .. code:: bash - - docker restart <DFC container> - -5. Configure vsftpd: +6. Configure vsftpd: -------------------- update /etc/vsftpd/vsftpd.conf: @@ -136,19 +129,6 @@ Finally ssl_request_cert=YES ca_certs_file=/home/vsftpd/myuser/dfc.crt -6. Configure config/datafile_endpoints.json: --------------------------------------------- - Update the file accordingly: - - .. code-block:: javascript - - "ftpesConfiguration": { - "keyCert": "/config/dfc.jks", - "keyPassword": "[yourpassword]", - "trustedCA": "/config/ftp.jks", - "trustedCAPassword": "[yourpassword]" - } - 7. Other conditions --------------------------------------------------------------------------- This has been tested with vsftpd and dfc, with self-signed certificates. diff --git a/docs/sections/services/dfc/consule-certificate-update.png b/docs/sections/services/dfc/consule-certificate-update.png Binary files differnew file mode 100644 index 00000000..8f7f8c35 --- /dev/null +++ b/docs/sections/services/dfc/consule-certificate-update.png |