Diffstat (limited to 'docs/sections/services/dfc/certificates.rst')
-rw-r--r-- | docs/sections/services/dfc/certificates.rst | 44 |
1 files changed, 25 insertions, 19 deletions
diff --git a/docs/sections/services/dfc/certificates.rst b/docs/sections/services/dfc/certificates.rst index 9c4d46b2..d272dd8e 100644 --- a/docs/sections/services/dfc/certificates.rst +++ b/docs/sections/services/dfc/certificates.rst @@ -21,7 +21,7 @@ keys & certificates on both vsftpd server and DFC. 1. Generate key/certificate with openssl for DFC: ------------------------------------------------- -.. code:: bash +.. code-block:: bash openssl genrsa -out dfc.key 2048 openssl req -new -out dfc.csr -key dfc.key @@ -29,7 +29,7 @@ keys & certificates on both vsftpd server and DFC. 2. Generate key & certificate with openssl for vsftpd: ------------------------------------------------------ -.. code:: bash +.. code-block:: bash openssl genrsa -out ftp.key 2048 openssl req -new -out ftp.csr -key ftp.key @@ -43,20 +43,20 @@ We have two keystore files, one for TrustManager, one for KeyManager. 1. First, convert your certificate in a DER format : - .. code:: bash + .. code-block:: bash openssl x509 -outform der -in ftp.crt -out ftp.der 2. And after copy existing keystore and password from container: - .. code:: bash + .. code-block:: bash kubectl cp <DFC pod>:/opt/app/datafile/etc/cert/trust.jks trust.jks kubectl cp <DFC pod>:/opt/app/datafile/etc/cert/trust.pass trust.pass 3. Import DER certificate in the keystore : - .. code:: bash + .. code-block:: bash keytool -import -alias ftp -keystore trust.jks -file ftp.der 
@@ -66,42 +66,48 @@ We have two keystore files, one for TrustManager, one for KeyManager. Convert x509 Cert and Key to a pkcs12 file - .. code:: bash + .. code-block:: bash openssl pkcs12 -export -in dfc.crt -inkey dfc.key -out cert.p12 -name dfc Note: Make sure you put a password on the p12 file - otherwise you'll get a null reference exception when you try to import it. 2. Create password files for cert.p12 - .. code:: bash - printf "[your password]" > p12.pass + .. code-block:: bash + + printf "[your password]" > p12.pass 4. Update existing KeyStore files --------------------------------- Copy the new trust.jks and cert.p12 and password files from local environment to the DFC container. - .. code:: bash - mkdir mycert - cp cert.p12 mycert/ - cp p12.pass mycert/ - cp trust.jks mycert/ - cp trust.pass mycert/ - kubectl cp mycert/ <DFC pod>:/opt/app/datafile/etc/cert/ + .. code-block:: bash + + mkdir mycert + cp cert.p12 mycert/ + cp p12.pass mycert/ + cp trust.jks mycert/ + cp trust.pass mycert/ + kubectl cp mycert/ <DFC pod>:/opt/app/datafile/etc/cert/ 5. Update configuration in consul ----------------------------------- Change path in consul: - .. code:: bash + +.. code-block:: bash + dmaap.ftpesConfig.keyCert": "/opt/app/datafile/etc/cert/mycert/cert.p12 dmaap.ftpesConfig.keyPasswordPath": "/opt/app/datafile/etc/cert/mycert/p12.pass dmaap.ftpesConfig.trustedCa": "/opt/app/datafile/etc/cert/mycert/trust.jks dmaap.ftpesConfig.trustedCaPasswordPath": "/opt/app/datafile/etc/cert/mycert/trust.pass Consul's address: http://<worker external IP>:<Consul External Port> - .. code:: bash - kubectl -n onap get svc | grep consul + + .. code-block:: bash + + kubectl -n onap get svc | grep consul .. image:: ./consule-certificate-update.png 
@@ -132,4 +138,4 @@ Consul's address: http://<worker external IP>:<Consul External Port> 7. Other conditions --------------------------------------------------------------------------- This has been tested with vsftpd and dfc, with self-signed certificates. - In real deployment, we should use ONAP-CA signed certificate for DFC, and vendor-CA signed certificate for xNF + In real deployment, we should use ONAP-CA signed certificate for DFC, and vendor-CA signed certificate for xNF. |
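Review bot: In the @@ -43,20 +43,20 @@ hunk, step 3 runs `keytool -import -alias ftp -keystore trust.jks -file ftp.der` without saying which password to enter, although step 2 has just copied trust.pass alongside trust.jks. Suggest adding one sentence stating that the keystore password keytool prompts for is the content of trust.pass, so readers do not guess at it or create a new keystore by mistake.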
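Review bot: In the @@ -66,42 +66,48 @@ hunk, the directive added under "Change path in consul:" appears to be the only one placed at column 0 (`+.. code-block:: bash`) while the other replacements keep their indentation, and it labels as bash four consul key/value lines whose quotes are unbalanced, e.g. `dmaap.ftpesConfig.keyCert": "/opt/app/datafile/etc/cert/mycert/cert.p12`. Suggest indenting it like the others, using a neutral lexer such as text, and balancing the quotes. In the same hunk, `printf "[your password]" > p12.pass` creates the password file with default permissions; a following line that restricts it to the owner (for example chmod 600 p12.pass) would fit the step.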
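Review bot: The sentence edited in the @@ -132,4 +138,4 @@ hunk still reads "In real deployment, we should use ONAP-CA signed certificate"; with the line already being touched, consider "In a real deployment, use an ONAP-CA signed certificate for DFC and a vendor-CA signed certificate for the xNF." The heading underline above it is also much longer than "7. Other conditions" and could be trimmed to match the title length.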