summaryrefslogtreecommitdiffstats
path: root/docs/sections
diff options
context:
space:
mode:
authorJerzySzachniewicz <jerzy.szachniewicz@nokia.com>2020-11-18 12:31:33 +0100
committerJerzySzachniewicz <jerzy.szachniewicz@nokia.com>2020-12-03 13:12:39 +0100
commite68df395e8bafc09e390eda1e96827bbf613eb90 (patch)
tree9d0d89dbe04fd9e9433950e09ea04bcb2af08d15 /docs/sections
parentdf0b52ff59932be8333ee31aa7d83b061695f90b (diff)
Adjustments in DFC certificate documentation
Issue-ID: DCAEGEN2-2456 Signed-off-by: JerzySzachniewicz <jerzy.szachniewicz@nokia.com> Change-Id: I348a0388327a723bad8c5f49d76c689c7804082c Signed-off-by: JerzySzachniewicz <jerzy.szachniewicz@nokia.com> (cherry picked from commit d4b5297c9a4fa360cf81f78fc32654ff68f9f003)
Diffstat (limited to 'docs/sections')
-rw-r--r--docs/sections/services/dfc/certificates.rst86
-rw-r--r--docs/sections/services/dfc/consule-certificate-update.pngbin0 -> 137126 bytes
2 files changed, 33 insertions, 53 deletions
diff --git a/docs/sections/services/dfc/certificates.rst b/docs/sections/services/dfc/certificates.rst
index 350cda63..9c4d46b2 100644
--- a/docs/sections/services/dfc/certificates.rst
+++ b/docs/sections/services/dfc/certificates.rst
@@ -47,72 +47,65 @@ We have two keystore files, one for TrustManager, one for KeyManager.
openssl x509 -outform der -in ftp.crt -out ftp.der
-2. And after, import it in the keystore :
+2. And after copy existing keystore and password from container:
.. code:: bash
- keytool -import -alias ftp -keystore ftp.jks -file ftp.der
+ kubectl cp <DFC pod>:/opt/app/datafile/etc/cert/trust.jks trust.jks
+ kubectl cp <DFC pod>:/opt/app/datafile/etc/cert/trust.pass trust.pass
-**For KeyManager:**
-
-1. First, create a jks keystore:
+3. Import DER certificate in the keystore :
.. code:: bash
- keytool -keystore dfc.jks -genkey -alias dfc
+ keytool -import -alias ftp -keystore trust.jks -file ftp.der
+
+**For KeyManager:**
-2. Second, import dfc.crt and dfc.key to dfc.jks. This is a bit troublesome.
+1. Import dfc.crt and dfc.key to dfc.jks. This is a bit troublesome.
- 1). Step one: Convert x509 Cert and Key to a pkcs12 file
+ Convert x509 Cert and Key to a pkcs12 file
.. code:: bash
- openssl pkcs12 -export -in dfc.crt -inkey dfc.key -out dfc.p12 -name [some-alias]
+ openssl pkcs12 -export -in dfc.crt -inkey dfc.key -out cert.p12 -name dfc
Note: Make sure you put a password on the p12 file - otherwise you'll get a null reference exception when you try to import it.
- Note 2: You might want to add the -chainoption to preserve the full certificate chain.
-
- 2). Step two: Convert the pkcs12 file to a java keystore:
+2. Create password files for cert.p12
+ .. code:: bash
- .. code:: bash
+ printf "[your password]" > p12.pass
- keytool -importkeystore -deststorepass [changeit] -destkeypass [changeit] -destkeystore dfc.jks -srckeystore dfc.p12 -srcstoretype PKCS12 -srcstorepass [some-password] -alias [some-alias]
-
-4. Update existing jks.b64 files
+4. Update existing KeyStore files
---------------------------------
-Copy the existing jks from the DFC container to a local environment.
+Copy the new trust.jks and cert.p12 and password files from local environment to the DFC container.
.. code:: bash
-
- docker cp <DFC container>:/opt/app/datafile/config/ftp.jks .
- docker cp <DFC container>:/opt/app/datafile/config/dfc.jks .
-
+ mkdir mycert
+ cp cert.p12 mycert/
+ cp p12.pass mycert/
+ cp trust.jks mycert/
+ cp trust.pass mycert/
+ kubectl cp mycert/ <DFC pod>:/opt/app/datafile/etc/cert/
+
+5. Update configuration in consul
+-----------------------------------
+Change path in consul:
.. code:: bash
+ dmaap.ftpesConfig.keyCert": "/opt/app/datafile/etc/cert/mycert/cert.p12
+ dmaap.ftpesConfig.keyPasswordPath": "/opt/app/datafile/etc/cert/mycert/p12.pass
+ dmaap.ftpesConfig.trustedCa": "/opt/app/datafile/etc/cert/mycert/trust.jks
+ dmaap.ftpesConfig.trustedCaPasswordPath": "/opt/app/datafile/etc/cert/mycert/trust.pass
- openssl base64 -in ftp.jks -out ftp.jks.b64
- openssl base64 -in dfc.jks -out dfc.jks.b64
-
+Consul's address: http://<worker external IP>:<Consul External Port>
.. code:: bash
+ kubectl -n onap get svc | grep consul
- chmod 755 ftp.jks.b64
- chmod 755 dfc.jks.b64
-
-Copy the new jks.64 files from local environment to the DFC container.
+.. image:: ./consule-certificate-update.png
- .. code:: bash
-
- docker cp ftp.jks.b64 <DFC container>:/opt/app/datafile/config/
- docker cp dfc.jks.b64 <DFC container>:/opt/app/datafile/config/
-
-Finally
-
- .. code:: bash
-
- docker restart <DFC container>
-
-5. Configure vsftpd:
+6. Configure vsftpd:
--------------------
update /etc/vsftpd/vsftpd.conf:
@@ -136,19 +129,6 @@ Finally
ssl_request_cert=YES
ca_certs_file=/home/vsftpd/myuser/dfc.crt
-6. Configure config/datafile_endpoints.json:
---------------------------------------------
- Update the file accordingly:
-
- .. code-block:: javascript
-
- "ftpesConfiguration": {
- "keyCert": "/config/dfc.jks",
- "keyPassword": "[yourpassword]",
- "trustedCA": "/config/ftp.jks",
- "trustedCAPassword": "[yourpassword]"
- }
-
7. Other conditions
---------------------------------------------------------------------------
This has been tested with vsftpd and dfc, with self-signed certificates.
diff --git a/docs/sections/services/dfc/consule-certificate-update.png b/docs/sections/services/dfc/consule-certificate-update.png
new file mode 100644
index 00000000..8f7f8c35
--- /dev/null
+++ b/docs/sections/services/dfc/consule-certificate-update.png
Binary files differ