#!/bin/bash
# ================================================================================
# Copyright (c) 2019 AT&T Intellectual Property. All rights reserved.
# ================================================================================
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# ============LICENSE_END=========================================================
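set -e
# A failing "showpass" or an unmatched grep would otherwise be hidden by the
# trailing "cut" and leave an empty password file behind; fail loudly instead.
set -o pipefail
set -x

# Set sensible DCAE defaults for environment variables needed by AAF.
# These can be overridden by setting the environment variables on the container
export APP_FQI=${APP_FQI:-"dcae@dcae.onap.org"}
export aaf_locate_url=${aaf_locate_url:-"https://aaf-locate.onap:8095"}
export aaf_locator_container=${aaf_locator_container:-"oom"}
export aaf_locator_container_ns=${aaf_locator_container_ns:-"onap"}
export aaf_locator_app_ns=${aaf_locator_app_ns:-"org.osaaf.aaf"}
export DEPLOY_FQI=${DEPLOY_FQI:-"deployer@people.osaaf.org"}
# The deployer password is a credential: assign it with tracing switched off so
# the value does not end up in the container log. The built-in default is kept
# for backward compatibility; deployments should set DEPLOY_PASSWORD explicitly.
{ set +x; export DEPLOY_PASSWORD=${DEPLOY_PASSWORD:-"demo123456!"}; set -x; } 2>/dev/null
export cadi_longitude=${cadi_longitude:-"-72.0"}
export cadi_latitude=${cadi_latitude:-"38.0"}

# For now, we can default aaf_locator_fqdn
# This points to the single DCAE cert with many SANs,
# as used in previous releases
# When we have individual certs per component, we will override this
# by setting the environment variable explicitly in a Helm chart
# or via the k8s plugin
export aaf_locator_fqdn=${aaf_locator_fqdn:-"dcae"}

# Directory where AAF agent puts artifacts
readonly ARTIFACTS=/opt/app/osaaf/local
# Directory where DCAE apps expect artifacts
readonly TARGET=/opt/app/osaaf
# AAF namespace for the certs--used in naming artifacts
readonly AAFNS=org.onap.dcae
# AAF agent entry point (fetches artifacts, exposes "aafcli showpass")
readonly AGENT=/opt/app/aaf_config/bin/agent.sh

#######################################
# Look up one password from AAF and store its value (without the "key=" prefix).
# Globals:   AGENT, APP_FQI, aaf_locator_fqdn (read)
# Arguments: $1 - property pattern as printed by "aafcli showpass"
#                 (e.g. cadi_keystore_password_jks=)
#            $2 - destination file for the bare password value
# Returns:   non-zero (and, under set -e/pipefail, aborts the script) when
#            showpass fails or the property is not present in its output
#######################################
write_pass() {
  local key=$1
  local dest=$2
  "${AGENT}" aafcli showpass "${APP_FQI}" "${aaf_locator_fqdn}" \
    | grep -F -- "${key}" \
    | cut -d '=' -f 2- > "${dest}"
}

# Clean out any existing artifacts (":?" guards against an empty path)
rm -rf -- "${ARTIFACTS:?}"
rm -f -- "${TARGET:?}"/*

# Get the certificate artifacts from AAF
"${AGENT}"

# Extract the p12 and JKS passwords
write_pass cadi_keystore_password_p12 "${TARGET}/p12.pass"
write_pass cadi_keystore_password_jks= "${TARGET}/jks.pass"
# AAF provides a truststore password, but it appears that the truststore is not password-protected
write_pass cadi_truststore_password= "${TARGET}/trust.pass"

# Copy the p12 and JKS artifacts to target directory and rename according to DCAE conventions
cp -- "${ARTIFACTS}/${AAFNS}.p12" "${TARGET}/cert.p12"
cp -- "${ARTIFACTS}/${AAFNS}.jks" "${TARGET}/cert.jks"
cp -- "${ARTIFACTS}/${AAFNS}.trust.jks" "${TARGET}/trust.jks"

# Break out the cert and key (unencrypted) from the p12
openssl pkcs12 -in "${TARGET}/cert.p12" -passin "file:${TARGET}/p12.pass" -nodes -nokeys -out "${TARGET}/cert.pem"
openssl pkcs12 -in "${TARGET}/cert.p12" -passin "file:${TARGET}/p12.pass" -nodes -nocerts -out "${TARGET}/key.pem"
# NOTE(review): the unencrypted private key is left world-readable (644),
# presumably so a DCAE app running as a non-root user can read it — confirm
# that is still required and tighten to 640/600 if the consumer allows it.
chmod 644 "${TARGET}/cert.pem" "${TARGET}/key.pem"

# Get the ONAP AAF CA certificate -- pass in an empty password, since the trust store doesn't have one
printf '\n' | keytool -exportcert -rfc -file "${TARGET}/cacert.pem" -keystore "${ARTIFACTS}/${AAFNS}.trust.jks" -alias ca_local_0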