From b7a057e8017b7899de26f977fa3841882035200b Mon Sep 17 00:00:00 2001 From: Pawel Date: Fri, 7 Aug 2020 14:53:48 +0200 Subject: Move csits form aaf to oom create csit folder under oom move csits from aaf to oom reconfigure csits: remove aaf word, use new image Issue-ID: OOM-2526 Signed-off-by: Pawel Change-Id: I7b1f010fe46420cb734c67133f038bdadffd5ecc --- plans/aaf/certservice/certs/Makefile | 110 --------------------- plans/aaf/certservice/cmpServers.json | 24 ----- plans/aaf/certservice/docker-compose.yml | 47 --------- .../aaf/certservice/scripts/ejbca-configuration.sh | 19 ---- plans/aaf/certservice/setup.sh | 109 -------------------- plans/aaf/certservice/teardown.sh | 25 ----- plans/aaf/certservice/testplan.txt | 3 - .../certservice/certs/Makefile | 110 +++++++++++++++++++++ .../certservice/cmpServers.json | 24 +++++ .../certservice/docker-compose.yml | 47 +++++++++ .../certservice/scripts/ejbca-configuration.sh | 19 ++++ .../oom-platform-cert-service/certservice/setup.sh | 109 ++++++++++++++++++++ .../certservice/teardown.sh | 25 +++++ .../certservice/testplan.txt | 3 + 14 files changed, 337 insertions(+), 337 deletions(-) delete mode 100644 plans/aaf/certservice/certs/Makefile delete mode 100644 plans/aaf/certservice/cmpServers.json delete mode 100644 plans/aaf/certservice/docker-compose.yml delete mode 100755 plans/aaf/certservice/scripts/ejbca-configuration.sh delete mode 100644 plans/aaf/certservice/setup.sh delete mode 100644 plans/aaf/certservice/teardown.sh delete mode 100755 plans/aaf/certservice/testplan.txt create mode 100644 plans/oom-platform-cert-service/certservice/certs/Makefile create mode 100644 plans/oom-platform-cert-service/certservice/cmpServers.json create mode 100644 plans/oom-platform-cert-service/certservice/docker-compose.yml create mode 100755 plans/oom-platform-cert-service/certservice/scripts/ejbca-configuration.sh create mode 100644 plans/oom-platform-cert-service/certservice/setup.sh create mode 100644 plans/oom-platform-cert-service/certservice/teardown.sh create mode 100755 plans/oom-platform-cert-service/certservice/testplan.txt (limited to 'plans') diff --git a/plans/aaf/certservice/certs/Makefile b/plans/aaf/certservice/certs/Makefile deleted file mode 100644 index 126e0533..00000000 --- a/plans/aaf/certservice/certs/Makefile +++ /dev/null @@ -1,110 +0,0 @@ -all: step_1 step_2 step_3 step_4 step_5 step_6 step_7 step_8 step_9 step_10 step_11 step_12 step_13 step_14 step_15 -.PHONY: all -#Clear certificates -clear: - @echo "Clear certificates" - rm -f certServiceClient-keystore.jks certServiceServer-keystore.jks root.crt truststore.jks certServiceServer-keystore.p12 - @echo "#####done#####" - -#Generate root private and public keys -step_1: - @echo "Generate root private and public keys" - keytool -genkeypair -v -alias root -keyalg RSA -keysize 4096 -validity 3650 -keystore root-keystore.jks \ - -dname "CN=root.com, OU=Root Org, O=Root Company, L=Wroclaw, ST=Dolny Slask, C=PL" -keypass secret \ - -storepass secret -ext BasicConstraints:critical="ca:true" - @echo "#####done#####" - -#Export public key as certificate -step_2: - @echo "(Export public key as certificate)" - keytool -exportcert -alias root -keystore root-keystore.jks -storepass secret -file root.crt -rfc - @echo "#####done#####" - -#Self-signed root (import root certificate into truststore) -step_3: - @echo "(Self-signed root (import root certificate into truststore))" - keytool -importcert -alias root -keystore truststore.jks -file root.crt -storepass secret -noprompt - @echo "#####done#####" - -#Generate certService's client private and public keys -step_4: - @echo "Generate certService's client private and public keys" - keytool -genkeypair -v -alias certServiceClient -keyalg RSA -keysize 2048 -validity 730 \ - -keystore certServiceClient-keystore.jks -storetype JKS \ - -dname "CN=certServiceClient.com,OU=certServiceClient company,O=certServiceClient org,L=Wroclaw,ST=Dolny Slask,C=PL" \ - -keypass secret -storepass secret - @echo "####done####" - -#Generate certificate signing request for certService's client -step_5: - @echo "Generate certificate signing request for certService's client" - keytool -certreq -keystore certServiceClient-keystore.jks -alias certServiceClient -storepass secret -file certServiceClient.csr - @echo "####done####" - -#Sign certService's client certificate by root CA -step_6: - @echo "Sign certService's client certificate by root CA" - keytool -gencert -v -keystore root-keystore.jks -storepass secret -alias root -infile certServiceClient.csr \ - -outfile certServiceClientByRoot.crt -rfc -ext bc=0 -ext ExtendedkeyUsage="serverAuth,clientAuth" - @echo "####done####" - -#Import root certificate into client -step_7: - @echo "Import root certificate into intermediate" - cat root.crt >> certServiceClientByRoot.crt - @echo "####done####" - -#Import signed certificate into certService's client -step_8: - @echo "Import signed certificate into certService's client" - keytool -importcert -file certServiceClientByRoot.crt -destkeystore certServiceClient-keystore.jks -alias certServiceClient -storepass secret -noprompt - @echo "####done####" - -#Generate certService private and public keys -step_9: - @echo "Generate certService private and public keys" - keytool -genkeypair -v -alias aaf-cert-service -keyalg RSA -keysize 2048 -validity 730 \ - -keystore certServiceServer-keystore.jks -storetype JKS \ - -dname "CN=aaf-cert-service,OU=certServiceServer company,O=certServiceServer org,L=Wroclaw,ST=Dolny Slask,C=PL" \ - -keypass secret -storepass secret -ext BasicConstraints:critical="ca:false" - @echo "####done####" - -#Generate certificate signing request for certService -step_10: - @echo "Generate certificate signing request for certService" - keytool -certreq -keystore certServiceServer-keystore.jks -alias aaf-cert-service -storepass secret -file certServiceServer.csr - @echo "####done####" - -#Sign certService certificate by root CA -step_11: - @echo "Sign certService certificate by root CA" - keytool -gencert -v -keystore root-keystore.jks -storepass secret -alias root -infile certServiceServer.csr \ - -outfile certServiceServerByRoot.crt -rfc -ext bc=0 -ext ExtendedkeyUsage="serverAuth,clientAuth" \ - -ext SubjectAlternativeName:="DNS:aaf-cert-service,DNS:localhost" - @echo "####done####" - -#Import root certificate into server -step_12: - @echo "Import root certificate into intermediate(server)" - cat root.crt >> certServiceServerByRoot.crt - @echo "####done####" - -#Import signed certificate into certService -step_13: - @echo "Import signed certificate into certService" - keytool -importcert -file certServiceServerByRoot.crt -destkeystore certServiceServer-keystore.jks -alias aaf-cert-service \ - -storepass secret -noprompt - @echo "####done####" - -#Convert certServiceServer-keystore(.jks) to PCKS12 format(.p12) -step_14: - @echo "Convert certServiceServer-keystore(.jks) to PCKS12 format(.p12)" - keytool -importkeystore -srckeystore certServiceServer-keystore.jks -srcstorepass secret \ - -destkeystore certServiceServer-keystore.p12 -deststoretype PKCS12 -deststorepass secret - @echo "#####done#####" - -#Clear unused certificates -step_15: - @echo "Clear unused certificates" - rm -f certServiceClientByRoot.crt certServiceClient.csr root-keystore.jks certServiceServerByRoot.crt certServiceServer.csr - @echo "#####done#####" diff --git a/plans/aaf/certservice/cmpServers.json b/plans/aaf/certservice/cmpServers.json deleted file mode 100644 index d6557c52..00000000 --- a/plans/aaf/certservice/cmpServers.json +++ /dev/null @@ -1,24 +0,0 @@ -{ - "cmpv2Servers": [ - { - "caName": "Client", - "url": "http://aafcert-ejbca:8080/ejbca/publicweb/cmp/cmp", - "issuerDN": "CN=ManagementCA", - "caMode": "CLIENT", - "authentication": { - "iak": "mypassword", - "rv": "mypassword" - } - }, - { - "caName": "RA", - "url": "http://aafcert-ejbca:8080/ejbca/publicweb/cmp/cmpRA", - "issuerDN": "CN=ManagementCA", - "caMode": "RA", - "authentication": { - "iak": "mypassword", - "rv": "mypassword" - } - } - ] -} diff --git a/plans/aaf/certservice/docker-compose.yml b/plans/aaf/certservice/docker-compose.yml deleted file mode 100644 index dcac7df0..00000000 --- a/plans/aaf/certservice/docker-compose.yml +++ /dev/null @@ -1,47 +0,0 @@ -version: "2.1" - -services: - ejbca: - image: primekey/ejbca-ce:6.15.2.5 - hostname: cahostname - container_name: aafcert-ejbca - ports: - - "80:8080" - - "443:8443" - volumes: - - $SCRIPTS_PATH:/opt/primekey/scripts - healthcheck: - test: ["CMD-SHELL", "curl -kI https://localhost:8443/ejbca/publicweb/healthcheck/ejbcahealth"] - interval: 20s - timeout: 3s - retries: 9 - networks: - - certservice - - aaf-cert-service: - image: nexus3.onap.org:10001/onap/org.onap.aaf.certservice.aaf-certservice-api:latest - volumes: - - $CONFIGURATION_PATH:/etc/onap/aaf/certservice/cmpServers.json - - ./certs/truststore.jks:/etc/onap/aaf/certservice/certs/truststore.jks - - ./certs/root.crt:/etc/onap/aaf/certservice/certs/root.crt - - ./certs/certServiceServer-keystore.jks:/etc/onap/aaf/certservice/certs/certServiceServer-keystore.jks - - ./certs/certServiceServer-keystore.p12:/etc/onap/aaf/certservice/certs/certServiceServer-keystore.p12 - container_name: aafcert-service - ports: - - "8443:8443" - depends_on: - ejbca: - condition: service_healthy - healthcheck: - test: ["CMD-SHELL", "curl https://localhost:8443/actuator/health --cacert /etc/onap/aaf/certservice/certs/root.crt --cert-type p12 --cert /etc/onap/aaf/certservice/certs/certServiceServer-keystore.p12 --pass secret"] - interval: 10s - timeout: 3s - retries: 15 - networks: - - certservice - - -networks: - certservice: - driver: bridge - diff --git a/plans/aaf/certservice/scripts/ejbca-configuration.sh b/plans/aaf/certservice/scripts/ejbca-configuration.sh deleted file mode 100755 index 77f5c555..00000000 --- a/plans/aaf/certservice/scripts/ejbca-configuration.sh +++ /dev/null @@ -1,19 +0,0 @@ -#!/bin/bash - -configureEjbca() { - ejbca.sh config cmp addalias --alias cmpRA - ejbca.sh config cmp updatealias --alias cmpRA --key operationmode --value ra - ejbca.sh ca editca --caname ManagementCA --field cmpRaAuthSecret --value mypassword - ejbca.sh config cmp updatealias --alias cmpRA --key responseprotection --value pbe - ejbca.sh config cmp dumpalias --alias cmpRA - ejbca.sh config cmp addalias --alias cmp - ejbca.sh config cmp updatealias --alias cmp --key allowautomatickeyupdate --value true - ejbca.sh config cmp updatealias --alias cmp --key responseprotection --value pbe - ejbca.sh ra addendentity --username Node123 --dn "CN=Node123" --caname ManagementCA --password mypassword --type 1 --token USERGENERATED - ejbca.sh ra setclearpwd --username Node123 --password mypassword - ejbca.sh config cmp updatealias --alias cmp --key extractusernamecomponent --value CN - ejbca.sh config cmp dumpalias --alias cmp - ejbca.sh ca getcacert --caname ManagementCA -f /dev/stdout > cacert.pem -} - -configureEjbca diff --git a/plans/aaf/certservice/setup.sh b/plans/aaf/certservice/setup.sh deleted file mode 100644 index 1200e964..00000000 --- a/plans/aaf/certservice/setup.sh +++ /dev/null @@ -1,109 +0,0 @@ -#!/bin/bash -# -# Copyright 2020 Nokia. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# - -# ------------------------------------ -# Resolve path to script's directory and cmp servers configuration - -SCRIPT=`realpath $0` -CURRENT_WORKDIR_PATH=`dirname $SCRIPT` -PROJECT_DIRECTORY="plans/aaf/certservice" - -SCRIPTS_DIRECTORY="scripts" - -JENKINS_SCRIPTS_PATH="$CURRENT_WORKDIR_PATH/$PROJECT_DIRECTORY/$SCRIPTS_DIRECTORY" -LOCAL_SCRIPTS_PATH="$CURRENT_WORKDIR_PATH/$SCRIPTS_DIRECTORY" - -# ------------------------------------ -#Prepare enviroment for client -#install docker sdk -echo "Uninstall docker-py and reinstall docker." -pip uninstall -y docker-py -pip uninstall -y docker -pip install -U docker==2.7.0 - -#reinstall pyopenssl library -echo "Reinstall pyopenssl library." -pip uninstall pyopenssl -y -pip install pyopenssl==17.5.0 - -#install pyjks for .jks files management -pip install pyjks - -#Disable proxy - for local run -unset http_proxy https_proxy - -#export container name -export ClientContainerName=CertServiceClient -# ------------------------------------ - -if test -d "$JENKINS_SCRIPTS_PATH"; then - SCRIPTS_PATH=$JENKINS_SCRIPTS_PATH -else test -f "$LOCAL_SCRIPTS_PATH"; - SCRIPTS_PATH=$LOCAL_SCRIPTS_PATH -fi -echo "Use scripts from: $SCRIPTS_PATH" - -CONFIGURATION_FILE="cmpServers.json" - -JENKINS_CONFIGURATION_PATH="$CURRENT_WORKDIR_PATH/$PROJECT_DIRECTORY/$CONFIGURATION_FILE" -LOCAL_CONFIGURATION_PATH="$CURRENT_WORKDIR_PATH/$CONFIGURATION_FILE" - -if test -f "$JENKINS_CONFIGURATION_PATH"; then - CONFIGURATION_PATH="$JENKINS_CONFIGURATION_PATH" -else test -f "$LOCAL_CONFIGURATION_PATH"; - CONFIGURATION_PATH=$LOCAL_CONFIGURATION_PATH -fi -echo "Use configuration from: $CONFIGURATION_PATH" - -# ------------------------------------- - -export CONFIGURATION_PATH=${CONFIGURATION_PATH} -export SCRIPTS_PATH=${SCRIPTS_PATH} - -#Generate keystores, truststores, certificates and keys -mkdir -p ${WORKSPACE}/tests/aaf/certservice/assets/certs/ -make all -C ./certs/ -cp ${WORKSPACE}/plans/aaf/certservice/certs/root.crt ${WORKSPACE}/tests/aaf/certservice/assets/certs/root.crt -echo "Generated keystores" -openssl pkcs12 -in ${WORKSPACE}/plans/aaf/certservice/certs/certServiceServer-keystore.p12 -clcerts -nokeys -password pass:secret | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > ${WORKSPACE}/tests/aaf/certservice/assets/certs/certServiceServer.crt -echo "Generated server certificate" -openssl pkcs12 -in ${WORKSPACE}/plans/aaf/certservice/certs/certServiceServer-keystore.p12 -nocerts -nodes -password pass:secret| sed -ne '/-BEGIN PRIVATE KEY-/,/-END PRIVATE KEY-/p' > ${WORKSPACE}/tests/aaf/certservice/assets/certs/certServiceServer.key -echo "Generated server key" - -docker-compose up -d - -AAFCERT_IP='none' -# Wait container ready -for i in {1..9} -do - AAFCERT_IP=`get-instance-ip.sh aafcert-service` - RESP_CODE=$(curl -s https://localhost:8443/actuator/health --cacert ./certs/root.crt --cert-type p12 --cert ./certs/certServiceServer-keystore.p12 --pass secret | \ - python2 -c 'import json,sys;obj=json.load(sys.stdin);print obj["status"]') - if [[ "$RESP_CODE" == "UP" ]]; then - echo 'AAF Cert Service is ready' - export AAFCERT_IP=${AAFCERT_IP} - docker exec aafcert-ejbca /opt/primekey/scripts/ejbca-configuration.sh - break - fi - echo 'Waiting for AAF Cert Service to start up...' - sleep 30s -done - -if [ "$AAFCERT_IP" == 'none' -o "$AAFCERT_IP" == '' ]; then - echo "AAF Cert Service is not ready!" - exit 1 # Return error code -fi diff --git a/plans/aaf/certservice/teardown.sh b/plans/aaf/certservice/teardown.sh deleted file mode 100644 index 71e20b7c..00000000 --- a/plans/aaf/certservice/teardown.sh +++ /dev/null @@ -1,25 +0,0 @@ -#!/bin/bash -# -# Copyright 2017 ZTE, Inc. and others. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# - -docker-compose down - -make clear -C ./certs/ -echo "Removed old keystores" -rm -rf ${WORKSPACE}/tests/aaf/certservice/assets/certs -echo "Removed old certificates" - -kill-instance.sh ${ClientContainerName} \ No newline at end of file diff --git a/plans/aaf/certservice/testplan.txt b/plans/aaf/certservice/testplan.txt deleted file mode 100755 index 270fc6d4..00000000 --- a/plans/aaf/certservice/testplan.txt +++ /dev/null @@ -1,3 +0,0 @@ -# Test suites are relative paths under [integration/csit.git]/tests/. -# Place the suites in run order. -aaf/certservice diff --git a/plans/oom-platform-cert-service/certservice/certs/Makefile b/plans/oom-platform-cert-service/certservice/certs/Makefile new file mode 100644 index 00000000..ea90c5c7 --- /dev/null +++ b/plans/oom-platform-cert-service/certservice/certs/Makefile @@ -0,0 +1,110 @@ +all: step_1 step_2 step_3 step_4 step_5 step_6 step_7 step_8 step_9 step_10 step_11 step_12 step_13 step_14 step_15 +.PHONY: all +#Clear certificates +clear: + @echo "Clear certificates" + rm -f certServiceClient-keystore.jks certServiceServer-keystore.jks root.crt truststore.jks certServiceServer-keystore.p12 + @echo "#####done#####" + +#Generate root private and public keys +step_1: + @echo "Generate root private and public keys" + keytool -genkeypair -v -alias root -keyalg RSA -keysize 4096 -validity 3650 -keystore root-keystore.jks \ + -dname "CN=root.com, OU=Root Org, O=Root Company, L=Wroclaw, ST=Dolny Slask, C=PL" -keypass secret \ + -storepass secret -ext BasicConstraints:critical="ca:true" + @echo "#####done#####" + +#Export public key as certificate +step_2: + @echo "(Export public key as certificate)" + keytool -exportcert -alias root -keystore root-keystore.jks -storepass secret -file root.crt -rfc + @echo "#####done#####" + +#Self-signed root (import root certificate into truststore) +step_3: + @echo "(Self-signed root (import root certificate into truststore))" + keytool -importcert -alias root -keystore truststore.jks -file root.crt -storepass secret -noprompt + @echo "#####done#####" + +#Generate certService's client private and public keys +step_4: + @echo "Generate certService's client private and public keys" + keytool -genkeypair -v -alias certServiceClient -keyalg RSA -keysize 2048 -validity 730 \ + -keystore certServiceClient-keystore.jks -storetype JKS \ + -dname "CN=certServiceClient.com,OU=certServiceClient company,O=certServiceClient org,L=Wroclaw,ST=Dolny Slask,C=PL" \ + -keypass secret -storepass secret + @echo "####done####" + +#Generate certificate signing request for certService's client +step_5: + @echo "Generate certificate signing request for certService's client" + keytool -certreq -keystore certServiceClient-keystore.jks -alias certServiceClient -storepass secret -file certServiceClient.csr + @echo "####done####" + +#Sign certService's client certificate by root CA +step_6: + @echo "Sign certService's client certificate by root CA" + keytool -gencert -v -keystore root-keystore.jks -storepass secret -alias root -infile certServiceClient.csr \ + -outfile certServiceClientByRoot.crt -rfc -ext bc=0 -ext ExtendedkeyUsage="serverAuth,clientAuth" + @echo "####done####" + +#Import root certificate into client +step_7: + @echo "Import root certificate into intermediate" + cat root.crt >> certServiceClientByRoot.crt + @echo "####done####" + +#Import signed certificate into certService's client +step_8: + @echo "Import signed certificate into certService's client" + keytool -importcert -file certServiceClientByRoot.crt -destkeystore certServiceClient-keystore.jks -alias certServiceClient -storepass secret -noprompt + @echo "####done####" + +#Generate certService private and public keys +step_9: + @echo "Generate certService private and public keys" + keytool -genkeypair -v -alias oom-cert-service -keyalg RSA -keysize 2048 -validity 730 \ + -keystore certServiceServer-keystore.jks -storetype JKS \ + -dname "CN=oom-cert-service,OU=certServiceServer company,O=certServiceServer org,L=Wroclaw,ST=Dolny Slask,C=PL" \ + -keypass secret -storepass secret -ext BasicConstraints:critical="ca:false" + @echo "####done####" + +#Generate certificate signing request for certService +step_10: + @echo "Generate certificate signing request for certService" + keytool -certreq -keystore certServiceServer-keystore.jks -alias oom-cert-service -storepass secret -file certServiceServer.csr + @echo "####done####" + +#Sign certService certificate by root CA +step_11: + @echo "Sign certService certificate by root CA" + keytool -gencert -v -keystore root-keystore.jks -storepass secret -alias root -infile certServiceServer.csr \ + -outfile certServiceServerByRoot.crt -rfc -ext bc=0 -ext ExtendedkeyUsage="serverAuth,clientAuth" \ + -ext SubjectAlternativeName:="DNS:oom-cert-service,DNS:localhost" + @echo "####done####" + +#Import root certificate into server +step_12: + @echo "Import root certificate into intermediate(server)" + cat root.crt >> certServiceServerByRoot.crt + @echo "####done####" + +#Import signed certificate into certService +step_13: + @echo "Import signed certificate into certService" + keytool -importcert -file certServiceServerByRoot.crt -destkeystore certServiceServer-keystore.jks -alias oom-cert-service \ + -storepass secret -noprompt + @echo "####done####" + +#Convert certServiceServer-keystore(.jks) to PCKS12 format(.p12) +step_14: + @echo "Convert certServiceServer-keystore(.jks) to PCKS12 format(.p12)" + keytool -importkeystore -srckeystore certServiceServer-keystore.jks -srcstorepass secret \ + -destkeystore certServiceServer-keystore.p12 -deststoretype PKCS12 -deststorepass secret + @echo "#####done#####" + +#Clear unused certificates +step_15: + @echo "Clear unused certificates" + rm -f certServiceClientByRoot.crt certServiceClient.csr root-keystore.jks certServiceServerByRoot.crt certServiceServer.csr + @echo "#####done#####" diff --git a/plans/oom-platform-cert-service/certservice/cmpServers.json b/plans/oom-platform-cert-service/certservice/cmpServers.json new file mode 100644 index 00000000..72564949 --- /dev/null +++ b/plans/oom-platform-cert-service/certservice/cmpServers.json @@ -0,0 +1,24 @@ +{ + "cmpv2Servers": [ + { + "caName": "Client", + "url": "http://oomcert-ejbca:8080/ejbca/publicweb/cmp/cmp", + "issuerDN": "CN=ManagementCA", + "caMode": "CLIENT", + "authentication": { + "iak": "mypassword", + "rv": "mypassword" + } + }, + { + "caName": "RA", + "url": "http://oomcert-ejbca:8080/ejbca/publicweb/cmp/cmpRA", + "issuerDN": "CN=ManagementCA", + "caMode": "RA", + "authentication": { + "iak": "mypassword", + "rv": "mypassword" + } + } + ] +} diff --git a/plans/oom-platform-cert-service/certservice/docker-compose.yml b/plans/oom-platform-cert-service/certservice/docker-compose.yml new file mode 100644 index 00000000..b281101a --- /dev/null +++ b/plans/oom-platform-cert-service/certservice/docker-compose.yml @@ -0,0 +1,47 @@ +version: "2.1" + +services: + ejbca: + image: primekey/ejbca-ce:6.15.2.5 + hostname: cahostname + container_name: oomcert-ejbca + ports: + - "80:8080" + - "443:8443" + volumes: + - $SCRIPTS_PATH:/opt/primekey/scripts + healthcheck: + test: ["CMD-SHELL", "curl -kI https://localhost:8443/ejbca/publicweb/healthcheck/ejbcahealth"] + interval: 20s + timeout: 3s + retries: 9 + networks: + - certservice + + oom-cert-service: + image: nexus3.onap.org:10001/onap/org.onap.oom.platform.cert-service.oom-certservice-api:latest + volumes: + - $CONFIGURATION_PATH:/etc/onap/oom/certservice/cmpServers.json + - ./certs/truststore.jks:/etc/onap/oom/certservice/certs/truststore.jks + - ./certs/root.crt:/etc/onap/oom/certservice/certs/root.crt + - ./certs/certServiceServer-keystore.jks:/etc/onap/oom/certservice/certs/certServiceServer-keystore.jks + - ./certs/certServiceServer-keystore.p12:/etc/onap/oom/certservice/certs/certServiceServer-keystore.p12 + container_name: oomcert-service + ports: + - "8443:8443" + depends_on: + ejbca: + condition: service_healthy + healthcheck: + test: ["CMD-SHELL", "curl https://localhost:8443/actuator/health --cacert /etc/onap/oom/certservice/certs/root.crt --cert-type p12 --cert /etc/onap/oom/certservice/certs/certServiceServer-keystore.p12 --pass secret"] + interval: 10s + timeout: 3s + retries: 15 + networks: + - certservice + + +networks: + certservice: + driver: bridge + diff --git a/plans/oom-platform-cert-service/certservice/scripts/ejbca-configuration.sh b/plans/oom-platform-cert-service/certservice/scripts/ejbca-configuration.sh new file mode 100755 index 00000000..77f5c555 --- /dev/null +++ b/plans/oom-platform-cert-service/certservice/scripts/ejbca-configuration.sh @@ -0,0 +1,19 @@ +#!/bin/bash + +configureEjbca() { + ejbca.sh config cmp addalias --alias cmpRA + ejbca.sh config cmp updatealias --alias cmpRA --key operationmode --value ra + ejbca.sh ca editca --caname ManagementCA --field cmpRaAuthSecret --value mypassword + ejbca.sh config cmp updatealias --alias cmpRA --key responseprotection --value pbe + ejbca.sh config cmp dumpalias --alias cmpRA + ejbca.sh config cmp addalias --alias cmp + ejbca.sh config cmp updatealias --alias cmp --key allowautomatickeyupdate --value true + ejbca.sh config cmp updatealias --alias cmp --key responseprotection --value pbe + ejbca.sh ra addendentity --username Node123 --dn "CN=Node123" --caname ManagementCA --password mypassword --type 1 --token USERGENERATED + ejbca.sh ra setclearpwd --username Node123 --password mypassword + ejbca.sh config cmp updatealias --alias cmp --key extractusernamecomponent --value CN + ejbca.sh config cmp dumpalias --alias cmp + ejbca.sh ca getcacert --caname ManagementCA -f /dev/stdout > cacert.pem +} + +configureEjbca diff --git a/plans/oom-platform-cert-service/certservice/setup.sh b/plans/oom-platform-cert-service/certservice/setup.sh new file mode 100644 index 00000000..bee54cde --- /dev/null +++ b/plans/oom-platform-cert-service/certservice/setup.sh @@ -0,0 +1,109 @@ +#!/bin/bash +# +# Copyright 2020 Nokia. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# + +# ------------------------------------ +# Resolve path to script's directory and cmp servers configuration + +SCRIPT=`realpath $0` +CURRENT_WORKDIR_PATH=`dirname $SCRIPT` +PROJECT_DIRECTORY="plans/oom-platform-cert-service/certservice" + +SCRIPTS_DIRECTORY="scripts" + +JENKINS_SCRIPTS_PATH="$CURRENT_WORKDIR_PATH/$PROJECT_DIRECTORY/$SCRIPTS_DIRECTORY" +LOCAL_SCRIPTS_PATH="$CURRENT_WORKDIR_PATH/$SCRIPTS_DIRECTORY" + +# ------------------------------------ +#Prepare enviroment for client +#install docker sdk +echo "Uninstall docker-py and reinstall docker." +pip uninstall -y docker-py +pip uninstall -y docker +pip install -U docker==2.7.0 + +#reinstall pyopenssl library +echo "Reinstall pyopenssl library." +pip uninstall pyopenssl -y +pip install pyopenssl==17.5.0 + +#install pyjks for .jks files management +pip install pyjks + +#Disable proxy - for local run +unset http_proxy https_proxy + +#export container name +export ClientContainerName=CertServiceClient +# ------------------------------------ + +if test -d "$JENKINS_SCRIPTS_PATH"; then + SCRIPTS_PATH=$JENKINS_SCRIPTS_PATH +else test -f "$LOCAL_SCRIPTS_PATH"; + SCRIPTS_PATH=$LOCAL_SCRIPTS_PATH +fi +echo "Use scripts from: $SCRIPTS_PATH" + +CONFIGURATION_FILE="cmpServers.json" + +JENKINS_CONFIGURATION_PATH="$CURRENT_WORKDIR_PATH/$PROJECT_DIRECTORY/$CONFIGURATION_FILE" +LOCAL_CONFIGURATION_PATH="$CURRENT_WORKDIR_PATH/$CONFIGURATION_FILE" + +if test -f "$JENKINS_CONFIGURATION_PATH"; then + CONFIGURATION_PATH="$JENKINS_CONFIGURATION_PATH" +else test -f "$LOCAL_CONFIGURATION_PATH"; + CONFIGURATION_PATH=$LOCAL_CONFIGURATION_PATH +fi +echo "Use configuration from: $CONFIGURATION_PATH" + +# ------------------------------------- + +export CONFIGURATION_PATH=${CONFIGURATION_PATH} +export SCRIPTS_PATH=${SCRIPTS_PATH} + +#Generate keystores, truststores, certificates and keys +mkdir -p ${WORKSPACE}/tests/oom-platform-cert-service/certservice/assets/certs/ +make all -C ./certs/ +cp ${WORKSPACE}/plans/oom-platform-cert-service/certservice/certs/root.crt ${WORKSPACE}/tests/oom-platform-cert-service/certservice/assets/certs/root.crt +echo "Generated keystores" +openssl pkcs12 -in ${WORKSPACE}/plans/oom-platform-cert-service/certservice/certs/certServiceServer-keystore.p12 -clcerts -nokeys -password pass:secret | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > ${WORKSPACE}/tests/oom-platform-cert-service/certservice/assets/certs/certServiceServer.crt +echo "Generated server certificate" +openssl pkcs12 -in ${WORKSPACE}/plans/oom-platform-cert-service/certservice/certs/certServiceServer-keystore.p12 -nocerts -nodes -password pass:secret| sed -ne '/-BEGIN PRIVATE KEY-/,/-END PRIVATE KEY-/p' > ${WORKSPACE}/tests/oom-platform-cert-service/certservice/assets/certs/certServiceServer.key +echo "Generated server key" + +docker-compose up -d + +OOMCERT_IP='none' +# Wait container ready +for i in {1..9} +do + OOMCERT_IP=`get-instance-ip.sh oomcert-service` + RESP_CODE=$(curl -s https://localhost:8443/actuator/health --cacert ./certs/root.crt --cert-type p12 --cert ./certs/certServiceServer-keystore.p12 --pass secret | \ + python2 -c 'import json,sys;obj=json.load(sys.stdin);print obj["status"]') + if [[ "$RESP_CODE" == "UP" ]]; then + echo 'OOM Cert Service is ready' + export OOMCERT_IP=${OOMCERT_IP} + docker exec oomcert-ejbca /opt/primekey/scripts/ejbca-configuration.sh + break + fi + echo 'Waiting for OOM Cert Service to start up...' + sleep 30s +done + +if [ "$OOMCERT_IP" == 'none' -o "$OOMCERT_IP" == '' ]; then + echo "OOM Cert Service is not ready!" + exit 1 # Return error code +fi diff --git a/plans/oom-platform-cert-service/certservice/teardown.sh b/plans/oom-platform-cert-service/certservice/teardown.sh new file mode 100644 index 00000000..f531180e --- /dev/null +++ b/plans/oom-platform-cert-service/certservice/teardown.sh @@ -0,0 +1,25 @@ +#!/bin/bash +# +# Copyright 2017 ZTE, Inc. and others. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# + +docker-compose down + +make clear -C ./certs/ +echo "Removed old keystores" +rm -rf ${WORKSPACE}/tests/oom-platform-cert-service/certservice/assets/certs +echo "Removed old certificates" + +kill-instance.sh ${ClientContainerName} \ No newline at end of file diff --git a/plans/oom-platform-cert-service/certservice/testplan.txt b/plans/oom-platform-cert-service/certservice/testplan.txt new file mode 100755 index 00000000..ed9ee127 --- /dev/null +++ b/plans/oom-platform-cert-service/certservice/testplan.txt @@ -0,0 +1,3 @@ +# Test suites are relative paths under [integration/csit.git]/tests/. +# Place the suites in run order. +oom-platform-cert-service/certservice -- cgit 1.2.3-korg