diff options
Diffstat (limited to 'plans/oom-platform-cert-service/certservice')
7 files changed, 337 insertions, 0 deletions
diff --git a/plans/oom-platform-cert-service/certservice/certs/Makefile b/plans/oom-platform-cert-service/certservice/certs/Makefile new file mode 100644 index 00000000..ea90c5c7 --- /dev/null +++ b/plans/oom-platform-cert-service/certservice/certs/Makefile @@ -0,0 +1,110 @@ +all: step_1 step_2 step_3 step_4 step_5 step_6 step_7 step_8 step_9 step_10 step_11 step_12 step_13 step_14 step_15 +.PHONY: all +#Clear certificates +clear: + @echo "Clear certificates" + rm -f certServiceClient-keystore.jks certServiceServer-keystore.jks root.crt truststore.jks certServiceServer-keystore.p12 + @echo "#####done#####" + +#Generate root private and public keys +step_1: + @echo "Generate root private and public keys" + keytool -genkeypair -v -alias root -keyalg RSA -keysize 4096 -validity 3650 -keystore root-keystore.jks \ + -dname "CN=root.com, OU=Root Org, O=Root Company, L=Wroclaw, ST=Dolny Slask, C=PL" -keypass secret \ + -storepass secret -ext BasicConstraints:critical="ca:true" + @echo "#####done#####" + +#Export public key as certificate +step_2: + @echo "(Export public key as certificate)" + keytool -exportcert -alias root -keystore root-keystore.jks -storepass secret -file root.crt -rfc + @echo "#####done#####" + +#Self-signed root (import root certificate into truststore) +step_3: + @echo "(Self-signed root (import root certificate into truststore))" + keytool -importcert -alias root -keystore truststore.jks -file root.crt -storepass secret -noprompt + @echo "#####done#####" + +#Generate certService's client private and public keys +step_4: + @echo "Generate certService's client private and public keys" + keytool -genkeypair -v -alias certServiceClient -keyalg RSA -keysize 2048 -validity 730 \ + -keystore certServiceClient-keystore.jks -storetype JKS \ + -dname "CN=certServiceClient.com,OU=certServiceClient company,O=certServiceClient org,L=Wroclaw,ST=Dolny Slask,C=PL" \ + -keypass secret -storepass secret + @echo "####done####" + +#Generate certificate signing request for certService's client +step_5: + @echo "Generate certificate signing request for certService's client" + keytool -certreq -keystore certServiceClient-keystore.jks -alias certServiceClient -storepass secret -file certServiceClient.csr + @echo "####done####" + +#Sign certService's client certificate by root CA +step_6: + @echo "Sign certService's client certificate by root CA" + keytool -gencert -v -keystore root-keystore.jks -storepass secret -alias root -infile certServiceClient.csr \ + -outfile certServiceClientByRoot.crt -rfc -ext bc=0 -ext ExtendedkeyUsage="serverAuth,clientAuth" + @echo "####done####" + +#Import root certificate into client +step_7: + @echo "Import root certificate into intermediate" + cat root.crt >> certServiceClientByRoot.crt + @echo "####done####" + +#Import signed certificate into certService's client +step_8: + @echo "Import signed certificate into certService's client" + keytool -importcert -file certServiceClientByRoot.crt -destkeystore certServiceClient-keystore.jks -alias certServiceClient -storepass secret -noprompt + @echo "####done####" + +#Generate certService private and public keys +step_9: + @echo "Generate certService private and public keys" + keytool -genkeypair -v -alias oom-cert-service -keyalg RSA -keysize 2048 -validity 730 \ + -keystore certServiceServer-keystore.jks -storetype JKS \ + -dname "CN=oom-cert-service,OU=certServiceServer company,O=certServiceServer org,L=Wroclaw,ST=Dolny Slask,C=PL" \ + -keypass secret -storepass secret -ext BasicConstraints:critical="ca:false" + @echo "####done####" + +#Generate certificate signing request for certService +step_10: + @echo "Generate certificate signing request for certService" + keytool -certreq -keystore certServiceServer-keystore.jks -alias oom-cert-service -storepass secret -file certServiceServer.csr + @echo "####done####" + +#Sign certService certificate by root CA +step_11: + @echo "Sign certService certificate by root CA" + keytool -gencert -v -keystore root-keystore.jks -storepass secret -alias root -infile certServiceServer.csr \ + -outfile certServiceServerByRoot.crt -rfc -ext bc=0 -ext ExtendedkeyUsage="serverAuth,clientAuth" \ + -ext SubjectAlternativeName:="DNS:oom-cert-service,DNS:localhost" + @echo "####done####" + +#Import root certificate into server +step_12: + @echo "Import root certificate into intermediate(server)" + cat root.crt >> certServiceServerByRoot.crt + @echo "####done####" + +#Import signed certificate into certService +step_13: + @echo "Import signed certificate into certService" + keytool -importcert -file certServiceServerByRoot.crt -destkeystore certServiceServer-keystore.jks -alias oom-cert-service \ + -storepass secret -noprompt + @echo "####done####" + +#Convert certServiceServer-keystore(.jks) to PCKS12 format(.p12) +step_14: + @echo "Convert certServiceServer-keystore(.jks) to PCKS12 format(.p12)" + keytool -importkeystore -srckeystore certServiceServer-keystore.jks -srcstorepass secret \ + -destkeystore certServiceServer-keystore.p12 -deststoretype PKCS12 -deststorepass secret + @echo "#####done#####" + +#Clear unused certificates +step_15: + @echo "Clear unused certificates" + rm -f certServiceClientByRoot.crt certServiceClient.csr root-keystore.jks certServiceServerByRoot.crt certServiceServer.csr + @echo "#####done#####" diff --git a/plans/oom-platform-cert-service/certservice/cmpServers.json b/plans/oom-platform-cert-service/certservice/cmpServers.json new file mode 100644 index 00000000..72564949 --- /dev/null +++ b/plans/oom-platform-cert-service/certservice/cmpServers.json @@ -0,0 +1,24 @@ +{ + "cmpv2Servers": [ + { + "caName": "Client", + "url": "http://oomcert-ejbca:8080/ejbca/publicweb/cmp/cmp", + "issuerDN": "CN=ManagementCA", + "caMode": "CLIENT", + "authentication": { + "iak": "mypassword", + "rv": "mypassword" + } + }, + { + "caName": "RA", + "url": "http://oomcert-ejbca:8080/ejbca/publicweb/cmp/cmpRA", + "issuerDN": "CN=ManagementCA", + "caMode": "RA", + "authentication": { + "iak": "mypassword", + "rv": "mypassword" + } + } + ] +} diff --git a/plans/oom-platform-cert-service/certservice/docker-compose.yml b/plans/oom-platform-cert-service/certservice/docker-compose.yml new file mode 100644 index 00000000..b281101a --- /dev/null +++ b/plans/oom-platform-cert-service/certservice/docker-compose.yml @@ -0,0 +1,47 @@ +version: "2.1" + +services: + ejbca: + image: primekey/ejbca-ce:6.15.2.5 + hostname: cahostname + container_name: oomcert-ejbca + ports: + - "80:8080" + - "443:8443" + volumes: + - $SCRIPTS_PATH:/opt/primekey/scripts + healthcheck: + test: ["CMD-SHELL", "curl -kI https://localhost:8443/ejbca/publicweb/healthcheck/ejbcahealth"] + interval: 20s + timeout: 3s + retries: 9 + networks: + - certservice + + oom-cert-service: + image: nexus3.onap.org:10001/onap/org.onap.oom.platform.cert-service.oom-certservice-api:latest + volumes: + - $CONFIGURATION_PATH:/etc/onap/oom/certservice/cmpServers.json + - ./certs/truststore.jks:/etc/onap/oom/certservice/certs/truststore.jks + - ./certs/root.crt:/etc/onap/oom/certservice/certs/root.crt + - ./certs/certServiceServer-keystore.jks:/etc/onap/oom/certservice/certs/certServiceServer-keystore.jks + - ./certs/certServiceServer-keystore.p12:/etc/onap/oom/certservice/certs/certServiceServer-keystore.p12 + container_name: oomcert-service + ports: + - "8443:8443" + depends_on: + ejbca: + condition: service_healthy + healthcheck: + test: ["CMD-SHELL", "curl https://localhost:8443/actuator/health --cacert /etc/onap/oom/certservice/certs/root.crt --cert-type p12 --cert /etc/onap/oom/certservice/certs/certServiceServer-keystore.p12 --pass secret"] + interval: 10s + timeout: 3s + retries: 15 + networks: + - certservice + + +networks: + certservice: + driver: bridge + diff --git a/plans/oom-platform-cert-service/certservice/scripts/ejbca-configuration.sh b/plans/oom-platform-cert-service/certservice/scripts/ejbca-configuration.sh new file mode 100755 index 00000000..77f5c555 --- /dev/null +++ b/plans/oom-platform-cert-service/certservice/scripts/ejbca-configuration.sh @@ -0,0 +1,19 @@ +#!/bin/bash + +configureEjbca() { + ejbca.sh config cmp addalias --alias cmpRA + ejbca.sh config cmp updatealias --alias cmpRA --key operationmode --value ra + ejbca.sh ca editca --caname ManagementCA --field cmpRaAuthSecret --value mypassword + ejbca.sh config cmp updatealias --alias cmpRA --key responseprotection --value pbe + ejbca.sh config cmp dumpalias --alias cmpRA + ejbca.sh config cmp addalias --alias cmp + ejbca.sh config cmp updatealias --alias cmp --key allowautomatickeyupdate --value true + ejbca.sh config cmp updatealias --alias cmp --key responseprotection --value pbe + ejbca.sh ra addendentity --username Node123 --dn "CN=Node123" --caname ManagementCA --password mypassword --type 1 --token USERGENERATED + ejbca.sh ra setclearpwd --username Node123 --password mypassword + ejbca.sh config cmp updatealias --alias cmp --key extractusernamecomponent --value CN + ejbca.sh config cmp dumpalias --alias cmp + ejbca.sh ca getcacert --caname ManagementCA -f /dev/stdout > cacert.pem +} + +configureEjbca diff --git a/plans/oom-platform-cert-service/certservice/setup.sh b/plans/oom-platform-cert-service/certservice/setup.sh new file mode 100644 index 00000000..bee54cde --- /dev/null +++ b/plans/oom-platform-cert-service/certservice/setup.sh @@ -0,0 +1,109 @@ +#!/bin/bash +# +# Copyright 2020 Nokia. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# + +# ------------------------------------ +# Resolve path to script's directory and cmp servers configuration + +SCRIPT=`realpath $0` +CURRENT_WORKDIR_PATH=`dirname $SCRIPT` +PROJECT_DIRECTORY="plans/oom-platform-cert-service/certservice" + +SCRIPTS_DIRECTORY="scripts" + +JENKINS_SCRIPTS_PATH="$CURRENT_WORKDIR_PATH/$PROJECT_DIRECTORY/$SCRIPTS_DIRECTORY" +LOCAL_SCRIPTS_PATH="$CURRENT_WORKDIR_PATH/$SCRIPTS_DIRECTORY" + +# ------------------------------------ +#Prepare enviroment for client +#install docker sdk +echo "Uninstall docker-py and reinstall docker." +pip uninstall -y docker-py +pip uninstall -y docker +pip install -U docker==2.7.0 + +#reinstall pyopenssl library +echo "Reinstall pyopenssl library." +pip uninstall pyopenssl -y +pip install pyopenssl==17.5.0 + +#install pyjks for .jks files management +pip install pyjks + +#Disable proxy - for local run +unset http_proxy https_proxy + +#export container name +export ClientContainerName=CertServiceClient +# ------------------------------------ + +if test -d "$JENKINS_SCRIPTS_PATH"; then + SCRIPTS_PATH=$JENKINS_SCRIPTS_PATH +else test -f "$LOCAL_SCRIPTS_PATH"; + SCRIPTS_PATH=$LOCAL_SCRIPTS_PATH +fi +echo "Use scripts from: $SCRIPTS_PATH" + +CONFIGURATION_FILE="cmpServers.json" + +JENKINS_CONFIGURATION_PATH="$CURRENT_WORKDIR_PATH/$PROJECT_DIRECTORY/$CONFIGURATION_FILE" +LOCAL_CONFIGURATION_PATH="$CURRENT_WORKDIR_PATH/$CONFIGURATION_FILE" + +if test -f "$JENKINS_CONFIGURATION_PATH"; then + CONFIGURATION_PATH="$JENKINS_CONFIGURATION_PATH" +else test -f "$LOCAL_CONFIGURATION_PATH"; + CONFIGURATION_PATH=$LOCAL_CONFIGURATION_PATH +fi +echo "Use configuration from: $CONFIGURATION_PATH" + +# ------------------------------------- + +export CONFIGURATION_PATH=${CONFIGURATION_PATH} +export SCRIPTS_PATH=${SCRIPTS_PATH} + +#Generate keystores, truststores, certificates and keys +mkdir -p ${WORKSPACE}/tests/oom-platform-cert-service/certservice/assets/certs/ +make all -C ./certs/ +cp ${WORKSPACE}/plans/oom-platform-cert-service/certservice/certs/root.crt ${WORKSPACE}/tests/oom-platform-cert-service/certservice/assets/certs/root.crt +echo "Generated keystores" +openssl pkcs12 -in ${WORKSPACE}/plans/oom-platform-cert-service/certservice/certs/certServiceServer-keystore.p12 -clcerts -nokeys -password pass:secret | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > ${WORKSPACE}/tests/oom-platform-cert-service/certservice/assets/certs/certServiceServer.crt +echo "Generated server certificate" +openssl pkcs12 -in ${WORKSPACE}/plans/oom-platform-cert-service/certservice/certs/certServiceServer-keystore.p12 -nocerts -nodes -password pass:secret| sed -ne '/-BEGIN PRIVATE KEY-/,/-END PRIVATE KEY-/p' > ${WORKSPACE}/tests/oom-platform-cert-service/certservice/assets/certs/certServiceServer.key +echo "Generated server key" + +docker-compose up -d + +OOMCERT_IP='none' +# Wait container ready +for i in {1..9} +do + OOMCERT_IP=`get-instance-ip.sh oomcert-service` + RESP_CODE=$(curl -s https://localhost:8443/actuator/health --cacert ./certs/root.crt --cert-type p12 --cert ./certs/certServiceServer-keystore.p12 --pass secret | \ + python2 -c 'import json,sys;obj=json.load(sys.stdin);print obj["status"]') + if [[ "$RESP_CODE" == "UP" ]]; then + echo 'OOM Cert Service is ready' + export OOMCERT_IP=${OOMCERT_IP} + docker exec oomcert-ejbca /opt/primekey/scripts/ejbca-configuration.sh + break + fi + echo 'Waiting for OOM Cert Service to start up...' + sleep 30s +done + +if [ "$OOMCERT_IP" == 'none' -o "$OOMCERT_IP" == '' ]; then + echo "OOM Cert Service is not ready!" + exit 1 # Return error code +fi diff --git a/plans/oom-platform-cert-service/certservice/teardown.sh b/plans/oom-platform-cert-service/certservice/teardown.sh new file mode 100644 index 00000000..f531180e --- /dev/null +++ b/plans/oom-platform-cert-service/certservice/teardown.sh @@ -0,0 +1,25 @@ +#!/bin/bash +# +# Copyright 2017 ZTE, Inc. and others. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# + +docker-compose down + +make clear -C ./certs/ +echo "Removed old keystores" +rm -rf ${WORKSPACE}/tests/oom-platform-cert-service/certservice/assets/certs +echo "Removed old certificates" + +kill-instance.sh ${ClientContainerName}
\ No newline at end of file diff --git a/plans/oom-platform-cert-service/certservice/testplan.txt b/plans/oom-platform-cert-service/certservice/testplan.txt new file mode 100755 index 00000000..ed9ee127 --- /dev/null +++ b/plans/oom-platform-cert-service/certservice/testplan.txt @@ -0,0 +1,3 @@ +# Test suites are relative paths under [integration/csit.git]/tests/. +# Place the suites in run order. +oom-platform-cert-service/certservice |