summaryrefslogtreecommitdiffstats
path: root/tls-init-container/dcae-cert-setup.sh
blob: e3b5dbe596b81465d379be128243a94a43dc6b6e (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
#!/bin/bash
# ================================================================================
# Copyright (c) 2019 AT&T Intellectual Property. All rights reserved.
# ================================================================================
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# ============LICENSE_END=========================================================
set -e
set -x

# Set sensible DCAE defaults for environment variables needed by AAF.
# These can be overriden by setting the environment variables on the container
export APP_FQI=${APP_FQI:-"dcae@dcae.onap.org"}
export aaf_locate_url=${aaf_locate_url:-"https://aaf-locate.onap:8095"}
export aaf_locator_container=${aaf_locator_container:-"oom"}
export aaf_locator_container_ns=${aaf_locator_container_ns:-"onap"}
export aaf_locator_app_ns=${aaf_locator_app_ns:-"org.osaaf.aaf"}
export DEPLOY_FQI=${DEPLOY_FQI:-"deployer@people.osaaf.org"}
export DEPLOY_PASSWORD=${DEPLOY_PASSWORD:-"demo123456!"}
export cadi_longitude=${cadi_longitude:-"-72.0"}
export cadi_latitude=${cadi_latitude:-"38.0"}

# For now, we can default aaf_locator_fqdn
# This points to the single DCAE cert with many SANs,
# as used in previous releases
# When we have individual certs per component, we will override this
# by setting the environment variable explicitly in a Helm chart
# or via the k8s plugin
export aaf_locator_fqdn=${aaf_locator_fqdn:-"dcae"}

# Our own environment variable to signal that the tls-init-container
# is being run for a component that is a TLS server
export TLS_SERVER=${TLS_SERVER:-"true"}

# Directory where AAF agent puts artifacts
ARTIFACTS=/opt/app/osaaf/local
# Directory where DCAE apps expect artifacts
TARGET=/opt/app/osaaf

# AAF namespace for the certs--used in naming artifacts
AAFNS=org.onap.dcae

# Dummy certificate FQDN for client-only components
# Must be set up in AAF, but won't actually be used
DUMMY_FQDN=dcae

# Clean out any existing artifacts
rm -rf ${ARTIFACTS}
rm -f ${TARGET}/*

# Set the dummy FQDN for a client-only component
if [ "${TLS_SERVER}" == "false" ]
then
    export aaf_locator_fqdn=${DUMMY_FQDN}
fi

# Get the certificate artifacts from AAF
/opt/app/aaf_config/bin/agent.sh

# Extract the p12 and JKS passwords
/opt/app/aaf_config/bin/agent.sh aafcli showpass ${APP_FQI} ${aaf_locator_fqdn} | grep cadi_keystore_password_p12 | cut -d '=' -f 2- | tr -d '\n' > /opt/app/osaaf/p12.pass
/opt/app/aaf_config/bin/agent.sh aafcli showpass ${APP_FQI} ${aaf_locator_fqdn} | grep cadi_keystore_password_jks= | cut -d '=' -f 2- | tr -d '\n' > /opt/app/osaaf/jks.pass
# AAF provides a truststore password, but it appears that the truststore is not password-protected
/opt/app/aaf_config/bin/agent.sh aafcli showpass ${APP_FQI} ${aaf_locator_fqdn} | grep cadi_truststore_password= | cut -d '=' -f 2- | tr -d '\n' > /opt/app/osaaf/trust.pass

# Copy the p12 and JKS artifacts to target directory and rename according to DCAE conventions
cp ${ARTIFACTS}/${AAFNS}.p12 ${TARGET}/cert.p12
cp ${ARTIFACTS}/${AAFNS}.jks ${TARGET}/cert.jks
cp ${ARTIFACTS}/${AAFNS}.trust.jks ${TARGET}/trust.jks

# Break out the cert and key (unencrypted) from the p12
openssl pkcs12 -in ${TARGET}/cert.p12 -passin file:${TARGET}/p12.pass -nodes -nokeys -out ${TARGET}/cert.pem
openssl pkcs12 -in ${TARGET}/cert.p12 -passin file:${TARGET}/p12.pass -nodes -nocerts -out ${TARGET}/key.pem
chmod 644 ${TARGET}/cert.pem ${TARGET}/key.pem

# Get the ONAP AAF CA certificate -- pass in an empty password, since the trust store doesn't have one
echo "" | keytool -exportcert -rfc -file ${TARGET}/cacert.pem -keystore ${ARTIFACTS}/${AAFNS}.trust.jks -alias ca_local_0

# Remove server-related files for client-only components
if [ "${TLS_SERVER}" == "false" ]
then
    rm ${TARGET}/cert.p12 ${TARGET}/cert.jks ${TARGET}/cert.pem ${TARGET}/key.pem ${TARGET}/p12.pass ${TARGET}/jks.pass
    rm ${ARTIFACTS}/${AAFNS}.p12 ${ARTIFACTS}/${AAFNS}.jks
fi