.. This work is licensed under a Creative Commons Attribution 4.0 International License.
.. http://creativecommons.org/licenses/by/4.0

Certificates (From AAF)
=======================

DCAE service components will use common certificates generated from the AAF test instance and made available during deployment of the DCAE TLS init container.

DCAE has a generalized process of certificate distribution, as documented here: https://docs.onap.org/en/latest/submodules/dcaegen2.git/docs/sections/tls_enablement.html

The updated certificates are located in https://git.onap.org/dcaegen2/deployments/tree/tls-init-container/tls

Certificates (Manual configuration of self-signed certificates)
===============================================================

Configuration of certificates in a test environment (for FTP over TLS):

DFC supports two protocols: FTPES and SFTP.
For FTPES, mutual authentication with certificates is used.
In our test environment, we use vsftpd to simulate the xNF, and we generate self-signed
keys and certificates on both the vsftpd server and DFC.

1. Generate key/certificate with openssl for DFC:
-------------------------------------------------

.. code:: bash

    openssl genrsa -out dfc.key 2048
    openssl req -new -out dfc.csr -key dfc.key
    openssl x509 -req -days 365 -in dfc.csr -signkey dfc.key -out dfc.crt

2. Generate key & certificate with openssl for vsftpd:
------------------------------------------------------

.. code:: bash

    openssl genrsa -out ftp.key 2048
    openssl req -new -out ftp.csr -key ftp.key
    openssl x509 -req -days 365 -in ftp.csr -signkey ftp.key -out ftp.crt

3. Configure java keystore in DFC:
----------------------------------

We have two keystore files, one for the TrustManager and one for the KeyManager.

**For TrustManager:**

1. First, convert your certificate to DER format:

   .. code:: bash

       openssl x509 -outform der -in ftp.crt -out ftp.der

2. Then import it into the keystore:

   .. code:: bash

       keytool -import -alias ftp -keystore ftp.jks -file ftp.der

**For KeyManager:**

1. First, create a jks keystore:

   .. code:: bash

       keytool -keystore dfc.jks -genkey -alias dfc

2. Second, import dfc.crt and dfc.key into dfc.jks. This is a bit troublesome, because keytool cannot import a PEM private key directly, so it takes two steps.

   1) Step one: Convert the x509 certificate and key to a PKCS12 file:

   .. code:: bash

       openssl pkcs12 -export -in dfc.crt -inkey dfc.key -out dfc.p12 -name [some-alias]

   Note: Make sure you put a password on the p12 file, otherwise you'll get a null reference exception when you try to import it.

   Note 2: You might want to add the ``-chain`` option to preserve the full certificate chain.

   2) Step two: Convert the PKCS12 file to a java keystore:

   .. code:: bash

       keytool -importkeystore -deststorepass [changeit] -destkeypass [changeit] -destkeystore dfc.jks -srckeystore dfc.p12 -srcstoretype PKCS12 -srcstorepass [some-password] -alias [some-alias]
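Steps 1 to 3 above as one non-interactive script. This is an added example, not code from the DFC project: it generates both self-signed key pairs with fixed subjects, converts ftp.crt to DER, exports the password-protected dfc.p12 and, when a JDK's keytool is on the PATH, builds ftp.jks (TrustManager) and dfc.jks (KeyManager). The output directory, the subjects CN=dfc and CN=ftp and the password changeit are constructed placeholders. The script relies on ``keytool -importkeystore`` creating dfc.jks when it does not exist, so it skips the separate ``-genkey`` step.

```shell
#!/bin/sh
# Added example, not part of the DFC project: produce the self-signed FTPES
# material for DFC and vsftpd without interactive prompts and package it the
# way the keystore steps above do. Subjects and password are placeholders.
set -e

# gen_selfsigned DIR NAME: RSA key, CSR and a one-year self-signed certificate
gen_selfsigned() {
    dir=$1; name=$2
    openssl genrsa -out "$dir/$name.key" 2048 2>/dev/null
    # -subj makes 'req' non-interactive; the CN is a constructed placeholder
    openssl req -new -key "$dir/$name.key" -out "$dir/$name.csr" -subj "/CN=$name"
    openssl x509 -req -days 365 -in "$dir/$name.csr" -signkey "$dir/$name.key" \
        -out "$dir/$name.crt" 2>/dev/null
}

# make_ftpes_material DIR PASSWORD: both key pairs, ftp.der for the trust store
# and a password-protected dfc.p12 for the key store (keytool refuses a p12
# without a password, as the note above says)
make_ftpes_material() {
    dir=$1; pass=$2
    mkdir -p "$dir"
    gen_selfsigned "$dir" dfc
    gen_selfsigned "$dir" ftp
    openssl x509 -outform der -in "$dir/ftp.crt" -out "$dir/ftp.der"
    openssl pkcs12 -export -in "$dir/dfc.crt" -inkey "$dir/dfc.key" \
        -out "$dir/dfc.p12" -name dfc -passout "pass:$pass"
}

# build_keystores DIR PASSWORD: ftp.jks (TrustManager) and dfc.jks (KeyManager).
# -importkeystore creates dfc.jks if it does not exist, so no -genkey step.
# Needs a JDK's keytool on PATH; fails explicitly when it is missing.
build_keystores() {
    dir=$1; pass=$2
    command -v keytool >/dev/null 2>&1 || { echo "keytool not found on PATH" >&2; return 1; }
    keytool -import -noprompt -alias ftp -file "$dir/ftp.der" \
        -keystore "$dir/ftp.jks" -storepass "$pass"
    keytool -importkeystore -noprompt -srckeystore "$dir/dfc.p12" -srcstoretype PKCS12 \
        -srcstorepass "$pass" -alias dfc -destkeystore "$dir/dfc.jks" \
        -deststorepass "$pass" -destkeypass "$pass"
}

# cert_cn FILE [INFORM]: print the CN of a certificate (PEM by default), so the
# generated material can be checked before it is copied into the container
cert_cn() {
    openssl x509 -noout -subject -inform "${2:-PEM}" -in "$1" | sed 's/.*CN *= *//; s/[,/].*//'
}

# Usage: sh this_script.sh run [DIR] [PASSWORD]
if [ "${1:-}" = "run" ]; then
    make_ftpes_material "${2:-./ftpes-material}" "${3:-changeit}"
    build_keystores "${2:-./ftpes-material}" "${3:-changeit}"
    echo "DFC cert CN: $(cert_cn "${2:-./ftpes-material}/dfc.crt")"
fi
```

Run it as ``sh this_script.sh run ./ftpes-material changeit``; the ``cert_cn`` helper reads the subject back from either the PEM or the DER file, which is a quick way to confirm that the DER copy imported into ftp.jks is really the vsftpd certificate and not the DFC one.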

4. Update existing jks.b64 files
---------------------------------

Copy the existing jks files from the DFC container to a local environment.

.. code:: bash

    docker cp <DFC container>:/opt/app/datafile/config/ftp.jks .
    docker cp <DFC container>:/opt/app/datafile/config/dfc.jks .

Base64-encode the keystores:

.. code:: bash

    openssl base64 -in ftp.jks -out ftp.jks.b64
    openssl base64 -in dfc.jks -out dfc.jks.b64

.. code:: bash

    chmod 755 ftp.jks.b64
    chmod 755 dfc.jks.b64

Copy the new jks.b64 files from the local environment to the DFC container.

.. code:: bash

    docker cp ftp.jks.b64 <DFC container>:/opt/app/datafile/config/
    docker cp dfc.jks.b64 <DFC container>:/opt/app/datafile/config/

Finally, restart the container:

.. code:: bash

    docker restart <DFC container>

5. Configure vsftpd:
--------------------

Update /etc/vsftpd/vsftpd.conf:

.. code-block:: bash

    rsa_cert_file=/etc/ssl/private/ftp.crt
    rsa_private_key_file=/etc/ssl/private/ftp.key
    ssl_enable=YES
    allow_anon_ssl=NO
    force_local_data_ssl=YES
    force_local_logins_ssl=YES
    ssl_tlsv1=YES
    ssl_sslv2=YES
    ssl_sslv3=YES
    require_ssl_reuse=NO
    ssl_ciphers=HIGH
    require_cert=YES
    ssl_request_cert=YES
    ca_certs_file=/home/vsftpd/myuser/dfc.crt
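A small lint for the vsftpd settings above, as an added example that is not part of the DFC or vsftpd projects. It checks that the settings mutual TLS authentication depends on (``ssl_enable``, ``force_local_*_ssl``, ``require_cert``, ``ssl_request_cert``, ``allow_anon_ssl=NO``, the certificate, key and CA file paths) are present, and fails on the two lines that enable SSLv2 and SSLv3, which are broken protocol versions (RFC 6176 and RFC 7568). ``ssl_tlsv1=YES`` only gets a warning, since TLS 1.0 is deprecated by RFC 8996 but the page enables no newer version. Both sample configurations are constructed inline: the first is the one above, the second is the same file with ``ssl_sslv2=NO`` and ``ssl_sslv3=NO``.

```shell
#!/bin/sh
# Added example, not part of DFC or vsftpd: lint a vsftpd.conf for the FTPES
# mutual-auth settings DFC needs and flag legacy SSL/TLS protocol versions.
# Uses only POSIX sh, sed, grep and tail.

# conf_get FILE KEY: print KEY's value (last occurrence wins), empty if unset
conf_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | sed 's/[[:space:]]*$//' | tail -n 1
}

# vsftpd_tls_lint FILE: print FAIL:/WARN: findings, return the number of FAILs
vsftpd_tls_lint() {
    conf=$1
    fails=0
    # settings mutual TLS authentication depends on
    for kv in ssl_enable=YES force_local_data_ssl=YES force_local_logins_ssl=YES \
              require_cert=YES ssl_request_cert=YES allow_anon_ssl=NO; do
        key=${kv%%=*}; want=${kv#*=}
        got=$(conf_get "$conf" "$key")
        if [ "$got" != "$want" ]; then
            echo "FAIL: $key=$want expected, found '${got:-<unset>}'"
            fails=$((fails + 1))
        fi
    done
    # the server certificate, its key and the CA used to verify DFC must be set
    for key in rsa_cert_file rsa_private_key_file ca_certs_file; do
        if [ -z "$(conf_get "$conf" "$key")" ]; then
            echo "FAIL: $key is not set"
            fails=$((fails + 1))
        fi
    done
    # SSLv2 (RFC 6176) and SSLv3 (RFC 7568) are broken: never enable them
    for key in ssl_sslv2 ssl_sslv3; do
        if [ "$(conf_get "$conf" "$key")" = "YES" ]; then
            echo "FAIL: $key=YES enables a broken protocol version"
            fails=$((fails + 1))
        fi
    done
    # TLS 1.0 is deprecated (RFC 8996); warn only, since the page enables no newer version
    if [ "$(conf_get "$conf" ssl_tlsv1)" = "YES" ]; then
        echo "WARN: ssl_tlsv1=YES permits TLS 1.0, which RFC 8996 deprecates"
    fi
    return "$fails"
}

# vsftpd_tls_fail_count FILE: print the number of FAIL findings (0 when clean)
vsftpd_tls_fail_count() {
    vsftpd_tls_lint "$1" | { grep -c '^FAIL:' || true; }
}

# write_page_conf FILE: the configuration shown above (constructed sample)
write_page_conf() {
    cat > "$1" <<'EOF'
rsa_cert_file=/etc/ssl/private/ftp.crt
rsa_private_key_file=/etc/ssl/private/ftp.key
ssl_enable=YES
allow_anon_ssl=NO
force_local_data_ssl=YES
force_local_logins_ssl=YES
ssl_tlsv1=YES
ssl_sslv2=YES
ssl_sslv3=YES
require_ssl_reuse=NO
ssl_ciphers=HIGH
require_cert=YES
ssl_request_cert=YES
ca_certs_file=/home/vsftpd/myuser/dfc.crt
EOF
}

# write_hardened_conf FILE: the same file with SSLv2 and SSLv3 switched off
write_hardened_conf() {
    write_page_conf "$1"
    sed -i.bak 's/^ssl_sslv2=YES/ssl_sslv2=NO/; s/^ssl_sslv3=YES/ssl_sslv3=NO/' "$1" && rm -f "$1.bak"
}

# Usage: sh this_script.sh /etc/vsftpd/vsftpd.conf
if [ -n "${1:-}" ]; then
    vsftpd_tls_lint "$1" || echo "$? failing setting(s) in $1"
fi
```

Point it at the real file with ``sh this_script.sh /etc/vsftpd/vsftpd.conf``; the exit status is the number of failing settings, so it can gate a deployment step, while the ``WARN`` line about TLS 1.0 is informational only.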

6. Configure config/datafile_endpoints.json:
--------------------------------------------

Update the file accordingly:

.. code-block:: javascript

    "ftpesConfiguration": {
        "keyCert": "/config/dfc.jks",
        "keyPassword": "[yourpassword]",
        "trustedCA": "/config/ftp.jks",
        "trustedCAPassword": "[yourpassword]"
    }

7. Other conditions
-------------------

This has been tested with vsftpd and DFC, with self-signed certificates.
In a real deployment, we should use an ONAP-CA signed certificate for DFC, and a vendor-CA signed certificate for the xNF.