summaryrefslogtreecommitdiffstats
path: root/cm-container/scripts/configure-tls.sh
diff options
context:
space:
mode:
Diffstat (limited to 'cm-container/scripts/configure-tls.sh')
-rw-r--r--cm-container/scripts/configure-tls.sh31
1 files changed, 10 insertions, 21 deletions
diff --git a/cm-container/scripts/configure-tls.sh b/cm-container/scripts/configure-tls.sh
index a4b817b..d7c9cc8 100644
--- a/cm-container/scripts/configure-tls.sh
+++ b/cm-container/scripts/configure-tls.sh
@@ -3,6 +3,7 @@
# org.onap.dcae
# ================================================================================
# Copyright (c) 2019 AT&T Intellectual Property. All rights reserved.
+# Copyright (c) 2020-2021 J. F. Lucas. All rights reserved.
# ================================================================================
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
@@ -17,26 +18,14 @@
# limitations under the License.
# ============LICENSE_END=========================================================
#
-# Set up configuration files so that CM uses TLS on its external API
-# Change the nginx configuration -- this is what actually makes it work
-SSLCONFPATTERN="^include \"/etc/nginx/conf.d/http-external-rest-server.cloudify\""
-SSLCONFREPLACE="include \"/etc/nginx/conf.d/https-external-rest-server.cloudify\""
-sed -i -e "s#${SSLCONFPATTERN}#${SSLCONFREPLACE}#" /etc/nginx/conf.d/cloudify.conf
-
-# Set certificate and key locations
-sed -i -e "s# ssl_certificate .*;# ssl_certificate /opt/onap/certs/cert.pem;#" /etc/nginx/conf.d/https-external-rest-server.cloudify
-sed -i -e "s# ssl_certificate_key .*;# ssl_certificate_key /opt/onap/certs/key.pem;#" /etc/nginx/conf.d/https-external-rest-server.cloudify
-
-# Change the cloudify config file, just to be safe
-# Someone might run cfy_manager configure on the CM container for some reason
-# and we don't want them to overwrite the TLS configuration
-# (Running cfy_manager configure is a bad idea, though, because it often fails.)
+# Set tls to "enabled"
sed -i -e "s#^ ssl_enabled: false# ssl_enabled: true#" /etc/cloudify/config.yaml
-
-# The Cloudify command line tool ('cfy') needs to be configured for TLS as well
-# (The readiness check script uses 'cfy status')
-sed -i -e "s#^rest_port: 80#rest_port: 443#" /root/.cloudify/profiles/localhost/context
-sed -i -e "s/^rest_protocol: http$/rest_protocol: https/" /root/.cloudify/profiles/localhost/context
-sed -i -e "s#^rest_certificate: !!python/unicode '/etc/cloudify/ssl/cloudify_external_cert.pem'#rest_certificate: !!python/unicode '/opt/onap/certs/cacert.pem'#" /root/.cloudify/profiles/localhost/context
-sed -i -e "s#^manager_ip: !!python/unicode 'localhost'#manager_ip: !!python/unicode 'dcae-cloudify-manager'#" /root/.cloudify/profiles/localhost/context
+# Set up paths for our certificates
+sed -i -e "s|external_cert_path: .*$|external_cert_path: '/opt/onap/certs/cert.pem'|" /etc/cloudify/config.yaml
+sed -i -e "s|external_key_path: .*$|external_key_path: '/opt/onap/certs/key.pem'|" /etc/cloudify/config.yaml
+sed -i -e "s|external_ca_cert_path: .*$|external_ca_cert_path: '/opt/onap/certs/cacert.pem'|" /etc/cloudify/config.yaml
+# Set the host name for the local profile
+# Otherwise, the CM startup process will use 'localhost' and will fail
+# because the TLS certificate does not have 'localhost' as a CN or SAN
+sed -i -e 's/ cli_local_profile_host_name: .*$/ cli_local_profile_host_name: dcae-cloudify-manager/' /etc/cloudify/config.yaml