summaryrefslogtreecommitdiffstats
path: root/tls-init-container/dcae-cert-setup.sh
diff options
context:
space:
mode:
authorJack Lucas <jflucas@research.att.com>2019-09-19 17:31:30 -0400
committerJack Lucas <jflucas@research.att.com>2019-09-20 14:30:51 -0400
commit756430cf7f1a6dad7fe1eb78aeff59c7bfe0ef7c (patch)
treea7c7f004d1fe8a8980f1d6ec305c9e8615afe1de /tls-init-container/dcae-cert-setup.sh
parentbe85050512cb3691417b2b1d2cc373f4ac16ab43 (diff)
Initial tls container for dynamic generation
Issue-ID: DCAEGEN2-917 Change-Id: Ifeae71973f0a8388c70128398dbb356b511dec3e Signed-off-by: Jack Lucas <jflucas@research.att.com>
Diffstat (limited to 'tls-init-container/dcae-cert-setup.sh')
-rwxr-xr-xtls-init-container/dcae-cert-setup.sh72
1 files changed, 72 insertions, 0 deletions
diff --git a/tls-init-container/dcae-cert-setup.sh b/tls-init-container/dcae-cert-setup.sh
new file mode 100755
index 0000000..7f3b601
--- /dev/null
+++ b/tls-init-container/dcae-cert-setup.sh
@@ -0,0 +1,72 @@
+#!/bin/bash
+# ================================================================================
+# Copyright (c) 2019 AT&T Intellectual Property. All rights reserved.
+# ================================================================================
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+# ============LICENSE_END=========================================================
+set -e
+set -x
+
+# Set sensible DCAE defaults for environment variables needed by AAF.
+# These can be overriden by setting the environment variables on the container
+export APP_FQI=${APP_FQI:-"dcae@dcae.onap.org"}
+export aaf_locate_url=${aaf_locate_url:-"https://aaf-locate.onap:8095"}
+export aaf_locator_container=${aaf_locator_container:-"oom"}
+export aaf_locator_container_ns=${aaf_locator_container_ns:-"onap"}
+export aaf_locator_app_ns=${aaf_locator_app_ns:-"org.osaaf.aaf"}
+export DEPLOY_FQI=${DEPLOY_FQI:-"deployer@people.osaaf.org"}
+export DEPLOY_PASSWORD=${DEPLOY_PASSWORD:-"demo123456!"}
+export cadi_longitude=${cadi_longitude:-"-72.0"}
+export cadi_latitude=${cadi_latitude:-"38.0"}
+
+# For now, we can deault aaf_locator_fqdn
+# This points to the single DCAE cert with many SANs,
+# as used in previous releases
+# When we have individual certs per component, we will override this
+# by setting the environment variable explicitly in a Helm chart
+# or via the k8s plugin
+export aaf_locator_fqdn=${aaf_locator_fqdn:-"dcae"}
+
+# Directory where AAF agent puts artifacts
+ARTIFACTS=/opt/app/osaaf/local
+# Directory where DCAE apps expect artifacts
+TARGET=/opt/app/osaaf
+
+# AAF namespace for the certs--used in naming artifacts
+AAFNS=org.onap.dcae
+
+# Clean out any existing artifacts
+rm -rf ${ARTIFACTS}
+rm -f ${TARGET}/*
+
+# Get the certificate artifacts from AAF
+/opt/app/aaf_config/bin/agent.sh
+
+# Extract the p12 and JKS passwords
+/opt/app/aaf_config/bin/agent.sh aafcli showpass ${APP_FQI} ${aaf_locator_fqdn} | grep cadi_keystore_password_p12 | cut -d '=' -f 2- > /opt/app/osaaf/p12.pass
+/opt/app/aaf_config/bin/agent.sh aafcli showpass ${APP_FQI} ${aaf_locator_fqdn} | grep cadi_keystore_password_jks= | cut -d '=' -f 2- > /opt/app/osaaf/jks.pass
+# AAF provides a truststore password, but it appears that the truststore is not password-protected
+/opt/app/aaf_config/bin/agent.sh aafcli showpass ${APP_FQI} ${aaf_locator_fqdn} | grep cadi_truststore_password= | cut -d '=' -f 2- > /opt/app/osaaf/trust.pass
+
+# Copy the p12 and JKS artifacts to target directory and rename according to DCAE conventions
+cp ${ARTIFACTS}/${AAFNS}.p12 ${TARGET}/cert.p12
+cp ${ARTIFACTS}/${AAFNS}.jks ${TARGET}/cert.jks
+cp ${ARTIFACTS}/${AAFNS}.trust.jks ${TARGET}/trust.jks
+
+# Break out the cert and key (unencrypted) from the p12
+openssl pkcs12 -in ${TARGET}/cert.p12 -passin file:${TARGET}/p12.pass -nodes -nokeys -out ${TARGET}/cert.pem
+openssl pkcs12 -in ${TARGET}/cert.p12 -passin file:${TARGET}/p12.pass -nodes -nocerts -out ${TARGET}/key.pem
+chmod 644 ${TARGET}/cert.pem ${TARGET}/key.pem
+
+# Get the ONAP AAF CA certificate -- pass in an empty password, since the trust store doesn't have one
+echo "" | keytool -exportcert -rfc -file ${TARGET}/cacert.pem -keystore ${ARTIFACTS}/${AAFNS}.trust.jks -alias ca_local_0