Add deployment for fetching certs from CertService

Change-Id: Icb59854a88e83b799781c227e465bfb98ed502b6 Signed-off-by: Michal Banka <michal.banka@nokia.com> Issue-ID: INT-1612
author: Michal Banka <michal.banka@nokia.com> 2020-06-03 10:51:51 +0200
committer: Michal Banka <michal.banka@nokia.com> 2020-06-04 13:08:34 +0200
commit: b06189e0c1f15237519d3727aeab007fadd952cb (patch)
tree: eb9765ace8e647a21cf8ec8eccbebfca53193f58
parent: e775c31a8b8efd55796cdf4fa049e72587ea6088 (diff)
10 files changed, 590 insertions, 96 deletions
diff --git a/sanitycheck/pnfsimulator-secured/Makefile b/sanitycheck/pnfsimulator-secured/Makefile
new file mode 100644
index 0000000..92a9e1e
--- /dev/null
+++ b/sanitycheck/pnfsimulator-secured/Makefile
@@ -0,0 +1,57 @@
+default:
+	@echo "There is no default target. Use: make <specific_target>"
+
+start-ejbca: --run-ejbca-container --wait-for-ejbca --configure-ejbca
+
+start-pnfsim-with-certservice-certs: --create-certservice-internal-certs --create-client-volume --run-certservice-and-pnfsim-containers
+
+start-local-secured-ves:
+	docker-compose -f docker-compose-ves.yml up
+
+start-pnfsim-with-certman-certs:
+	docker-compose -f docker-compose-certman.yml up
+
+clean-pnfsim-with-certman-setup:
+	docker-compose -f docker-compose-certman.yml down
+
+clean-pnfsim-with-certservice-setup: --clean-certservice-internal-certs --clean-client-volume
+	docker rm -f aafcert-ejbca || true
+	docker-compose -f docker-compose-certservice.yml down
+	docker-compose -f docker-compose-ves.yml down
+
+--run-ejbca-container:
+	docker run \
+		-d \
+		--rm \
+		--name aafcert-ejbca \
+		--hostname cahostname \
+ 		-p 80:8080 \
+ 		-p 443:8443 \
+ 		--volume `pwd`/certservice/ejbca-resources/ejbca-configuration.sh:/opt/primekey/scripts/ejbca-configuration.sh \
+ 		--health-cmd "curl -kI https://localhost:8443/ejbca/publicweb/healthcheck/ejbcahealth" \
+ 		--health-interval 10s \
+ 		--health-timeout 3s \
+ 		--health-retries 15 \
+		primekey/ejbca-ce:6.15.2.5
+
+--configure-ejbca:
+	docker exec aafcert-ejbca /opt/primekey/scripts/ejbca-configuration.sh
+
+--create-client-volume:
+	mkdir -p ./certservice/client-resources/client-volume -m 777
+
+--run-certservice-and-pnfsim-containers:
+	docker-compose -f docker-compose-certservice.yml up
+
+--create-certservice-internal-certs:
+	make -C certservice/certs all
+
+--clean-certservice-internal-certs:
+	make -C certservice/certs clear
+
+--clean-client-volume:
+	rm -rf certservice/client-resources/client-volume
+
+--wait-for-ejbca:
+	@echo 'Waiting for EJBCA...'
+	until docker container inspect aafcert-ejbca | grep '"Status": "healthy"'; do sleep 3; done
diff --git a/sanitycheck/pnfsimulator-secured/README.md b/sanitycheck/pnfsimulator-secured/README.md
new file mode 100644
index 0000000..661806b
--- /dev/null
+++ b/sanitycheck/pnfsimulator-secured/README.md
@@ -0,0 +1,236 @@
+Standalone PNF Simulator configuration for HTTPS communication to VES
+------------------------
+
+### General description
+
+Makefile in sanitycheck/pnfsimulator-secured is an interface for deployment of PNF simulator with fetching certs from 
+chosen source. 
+
+Makefile offers functionalities that allows to:    
+
+    * Run PNF simulator with fetching certs from AAF Certman
+    * Run PNF simulator with fetching certs from AAF Certservice (CMPv2)
+
+## Fetching from AAF Certman
+### Description
+
+docker-compose-certman.yml prepares PNF simulator container for HTTPS communication with VES.
+
+When docker-compose starts certs-init container fills connected volume with certificates, truststores, keystores, 
+passwords etc. Next pnf-simulator container starts and connects to the same volume. On startup it should read password
+values from proper files and set them in system environment variables. With these variables and files in volume 
+application is ready to work on HTTPS.
+
+### Prerequisites
+
+1. certs-init container works with external AAF on cloud. Due to that fact it must have set correct IPs to workers that
+has access to AAF. In docker-compose.yml fields with mentioned IPs are:
+    
+    * aaf-locate.onap
+    * aaf-cm.onap
+    * aaf-service.onap
+
+### Start
+
+**ATTENTION** 
+
+Proper IPs to AAF must be set in the docker-compose-certman.yml before start (as described in prerequisites)!
+
+```
+make start-pnfsim-with-certman-certs
+```
+
+### Send event
+
+**ATTENTION**
+
+``sanitycheck/events/eventToVes.json`` file which is request for sending event to VES must have correct ``vesServerURL`` 
+field before sending event. 
+IP of ``vesServerURL`` should be the same as given in docker-compose-certman.yml in ``aaf-locate.onap`` field.
+To use secured connection remember about setting protocol to https:// and port to proper secured port of VES.
+
+To send event from PNF simulator to VES use this command from ``pnf-simulator/sanitycheck`` directory:
+
+````
+make generate-event
+````
+
+Sample ``sanitycheck/events/eventToVes.json`` file content is:
+
+```json
+{
+  "vesServerUrl": "https://10.183.35.177:30417/eventListener/v7",
+  "event": {
+    "event": {
+      "commonEventHeader": {
+        "version": "4.0.1",
+        "vesEventListenerVersion": "7.0.1",
+        "domain": "fault",
+        "eventName": "Fault_Vscf:Acs-Ericcson_PilotNumberPoolExhaustion",
+        "eventId": "fault0000245",
+        "sequence": 1,
+        "priority": "High",
+        "reportingEntityId": "cc305d54-75b4-431b-adb2-eb6b9e541234",
+        "reportingEntityName": "ibcx0001vm002oam001",
+        "sourceId": "de305d54-75b4-431b-adb2-eb6b9e546014",
+        "sourceName": "scfx0001vm002cap001",
+        "nfVendorName": "Ericsson",
+        "nfNamingCode": "scfx",
+        "nfcNamingCode": "ssc",
+        "startEpochMicrosec": 1413378172000000,
+        "lastEpochMicrosec": 1413378172000000,
+        "timeZoneOffset": "UTC-05:30"
+      },
+      "faultFields": {
+        "faultFieldsVersion": "4.0",
+        "alarmCondition": "PilotNumberPoolExhaustion",
+        "eventSourceType": "other",
+        "specificProblem": "Calls cannot complete - pilot numbers are unavailable",
+        "eventSeverity": "CRITICAL",
+        "vfStatus": "Active",
+        "alarmAdditionalInformation": {
+          "PilotNumberPoolSize": "1000"
+        }
+      }
+    }
+  }
+}
+```
+
+### Stop
+To remove pnf-simulator containers use:
+```
+make clean-pnfsim-with-certman-setup
+```
+
+## Fetching certificates from AAF Certservice (CMPv2)
+### Description
+
+Running Makefile with Certservice target will start the following flow:
+
+1. Create certificates that will be used for internal communication between Certservice and Certservice-client. 
+    Generated internal certificates should be present in sanitycheck/pnfsimulator-secured/certservice/certs directory.
+
+2. Run docker-compose-certservice.yml that creates:
+    
+    2.1. Certservice container with mounted previously generated certificates.
+    
+    2.2. Certservice-client with mounted internal certificates as well. This containers requests Certservice for
+        Certificates that will be used by PNF simulator in HTTPS connection. Before closing of container it saves
+        these certs in locally mounted volume in 
+        sanitycheck/pnfsimulator-secured/certservice/client-resources/client-volume 
+    
+    2.3. PNF simulator that has mounted certificates from client. Before starting the simulator itself, names of certs 
+        files are changed to fit the PNF simulator configuration.
+        
+### Prerequisites
+
+
+##### EJBCA configuration
+Certservice container will try to connect to EJBCA on docker-compose-certservice.yml startup to fetch certs. 
+Whole connection configuration to EJBCA server must be done before start in file 
+sanitycheck/pnfsimulator-secured/certservice/certservice-resources/cmpServers.json.
+
+EJBCA might be deployed locally or externally. Described in this README Makefile has a target that runs configured EJBCA
+container locally. To run that target use:
+
+```
+make start-ejbca
+```
+
+
+Configuration of cmpServers.json for this local EJBCA container should be:
+```json
+{
+  "cmpv2Servers": [
+    {
+      "caName": "Client",
+      "url": "http://<docker0_network_ip>:80/ejbca/publicweb/cmp/cmp",
+      "issuerDN": "CN=ManagementCA",
+      "caMode": "CLIENT",
+      "authentication": {
+        "iak": "mypassword",
+        "rv": "mypassword"
+      }
+    },
+    {
+      "caName": "RA",
+      "url": "http://<docker0_network_ip>:80/ejbca/publicweb/cmp/cmpRA",
+      "issuerDN": "CN=ManagementCA",
+      "caMode": "RA",
+      "authentication": {
+        "iak": "mypassword",
+        "rv": "mypassword"
+      }
+    }
+  ]
+}
+```
+``docker0_network_ip`` might be found when running `ifconfig docker0` next to `inet` field.
+
+### Start
+
+**ATTENTION**
+
+Remember that before starting certservice, the EJBCA server must run, be properly configured and 
+sanitycheck/pnfsimulator-secured/certservice/certservice-resources/cmpServers.json must be set correctly. 
+
+For more info read _prerequisites_ section.
+ 
+```
+make start-pnfsim-with-certservice-certs
+```
+
+### Send event
+
+##### VES collector
+
+Destination VES collector should use certificate generated from the same CMPv2 server for successful HTTPS 
+communication. There is local deployment of VES (with DMAAP simulator) to be used from Makefile that 
+uses certificates generated by the same CMPv2 server as PNF simulator uses. 
+
+##### VES collector local deployment prerequisites
+
+By default the image of VES from Nexus supports only HTTP communication. Local image with enabled HTTPS must be 
+build to use local VES as PNF simulator destination.
+
+1. Pull VES repository
+2. In `<VES_PROJECT_ROOT>/etc/collector.properties` file set field `auth.method=certBasicAuth`
+3. Build local image: `mvn clean install docker:build` from VES project root directory.
+
+VES deployment from Makefile uses also DMAAP simulator. Its image should be built locally as well.
+1. Go to `sanitycheck/dmaap-simulator` directory
+2. Run: `make build`
+
+If you want to use that VES + DMAAP simulator deployment enter:
+```
+make start-local-secured-ves
+```
+
+**ATTENTION**
+
+Before sending an event to VES, the correct VES server URL must be passed to 
+``sanitycheck/events/vesAddressConfiguration.json`` file in field ``vesServerURL``.
+
+For local VES, `vesServerURL` should have value: ``https://<docker0_network_ip>:8444/eventListener/v7``.
+``docker0_network_ip`` might be found when running `ifconfig docker0` next to `inet` field.
+
+To reconfigure PNF simulator to use
+new URL use this command from ``pnf-simulator/sanitycheck`` directory:
+```
+make reconfigure-ves-url
+```
+
+ 
+To send event from PNF simulator to VES use this command from ``pnf-simulator/sanitycheck`` directory:
+
+```
+make generate-event
+```
+
+### Stop
+
+To clean all generated certificates, remove pnf-simulator, certservice, ejbca and ves containers use:
+```
+make clean-pnfsim-with-certservice-certs
+```
+\ No newline at end of file
diff --git a/sanitycheck/pnfsimulator-secured/certservice/certs/Makefile b/sanitycheck/pnfsimulator-secured/certservice/certs/Makefile
new file mode 100644
index 0000000..d6c3855
--- /dev/null
+++ b/sanitycheck/pnfsimulator-secured/certservice/certs/Makefile
@@ -0,0 +1,109 @@
+all: clear step_1 step_2 step_3 step_4 step_5 step_6 step_7 step_8 step_9 step_10 step_11 step_12 step_13 step_14 step_15
+.PHONY: all
+#Clear certificates
+clear:
+	@echo "Clear certificates"
+	rm -f certServiceClient-keystore.jks certServiceServer-keystore.jks root.crt truststore.jks certServiceServer-keystore.p12 root-keystore.jks
+	@echo "#####done#####"
+
+#Generate root private and public keys
+step_1:
+	@echo "Generate root private and public keys"
+	keytool -genkeypair -v -alias root -keyalg RSA -keysize 4096 -validity 3650 -keystore root-keystore.jks \
+    -dname "CN=root.com, OU=Root Org, O=Root Company, L=Wroclaw, ST=Dolny Slask, C=PL" -keypass secret \
+    -storepass secret -ext BasicConstraints:critical="ca:true"
+	@echo "#####done#####"
+
+#Export public key as certificate
+step_2:
+	@echo "(Export public key as certificate)"
+	keytool -exportcert -alias root -keystore root-keystore.jks -storepass secret -file root.crt -rfc
+	@echo "#####done#####"
+
+#Self-signed root (import root certificate into truststore)
+step_3:
+	@echo "(Self-signed root (import root certificate into truststore))"
+	keytool -importcert -alias root -keystore truststore.jks -file root.crt -storepass secret -noprompt
+	@echo "#####done#####"
+
+#Generate certService's client private and public keys
+step_4:
+	@echo "Generate certService's client private and public keys"
+	keytool -genkeypair -v -alias certServiceClient -keyalg RSA -keysize 2048 -validity 730 \
+    -keystore certServiceClient-keystore.jks -storetype JKS \
+    -dname "CN=certServiceClient.com,OU=certServiceClient company,O=certServiceClient org,L=Wroclaw,ST=Dolny Slask,C=PL" \
+    -keypass secret -storepass secret
+	@echo "####done####"
+
+#Generate certificate signing request for certService's client
+step_5:
+	@echo "Generate certificate signing request for certService's client"
+	keytool -certreq -keystore certServiceClient-keystore.jks -alias certServiceClient -storepass secret -file certServiceClient.csr
+	@echo "####done####"
+
+#Sign certService's client certificate by root CA
+step_6:
+	@echo "Sign certService's client certificate by root CA"
+	keytool -gencert -v -keystore root-keystore.jks -storepass secret -alias root -infile certServiceClient.csr \
+    -outfile certServiceClientByRoot.crt -rfc -ext bc=0  -ext ExtendedkeyUsage="serverAuth,clientAuth"
+	@echo "####done####"
+
+#Import root certificate into client
+step_7:
+	@echo "Import root certificate into intermediate"
+	cat root.crt >> certServiceClientByRoot.crt
+	@echo "####done####"
+
+#Import signed certificate into certService's client
+step_8:
+	@echo "Import signed certificate into certService's client"
+	keytool -importcert -file certServiceClientByRoot.crt -destkeystore certServiceClient-keystore.jks -alias certServiceClient -storepass secret -noprompt
+	@echo "####done####"
+
+#Generate certService private and public keys
+step_9:
+	@echo "Generate certService private and public keys"
+	keytool -genkeypair -v -alias aaf-cert-service -keyalg RSA -keysize 2048 -validity 730 \
+    -keystore certServiceServer-keystore.jks -storetype JKS \
+    -dname "CN=aaf-cert-service,OU=certServiceServer company,O=certServiceServer org,L=Wroclaw,ST=Dolny Slask,C=PL" \
+    -keypass secret -storepass secret -ext BasicConstraints:critical="ca:false"
+	@echo "####done####"
+
+#Generate certificate signing request for certService
+step_10:
+	@echo "Generate certificate signing request for certService"
+	keytool -certreq -keystore certServiceServer-keystore.jks -alias aaf-cert-service -storepass secret -file certServiceServer.csr
+	@echo "####done####"
+
+#Sign certService certificate by root CA
+step_11:
+	@echo "Sign certService certificate by root CA"
+	keytool -gencert -v -keystore root-keystore.jks -storepass secret -alias root -infile certServiceServer.csr \
+    -outfile certServiceServerByRoot.crt -rfc -ext bc=0  -ext ExtendedkeyUsage="serverAuth,clientAuth" \
+    -ext SubjectAlternativeName:="DNS:aaf-cert-service,DNS:localhost"
+	@echo "####done####"
+
+#Import root certificate into server
+step_12:
+	@echo "Import root certificate into intermediate(server)"
+	cat root.crt >> certServiceServerByRoot.crt
+	@echo "####done####"
+
+#Import signed certificate into certService
+step_13:
+	@echo "Import signed certificate into certService"
+	keytool -importcert -file certServiceServerByRoot.crt -destkeystore certServiceServer-keystore.jks -alias aaf-cert-service \
+    -storepass secret -noprompt
+	@echo "####done####"
+
+#Convert certServiceServer-keystore(.jks) to PCKS12 format(.p12)
+step_14:
+	@echo "Convert certServiceServer-keystore(.jks) to PCKS12 format(.p12)"
+	keytool -importkeystore -srckeystore certServiceServer-keystore.jks -srcstorepass secret -destkeystore certServiceServer-keystore.p12 -deststoretype PKCS12 -deststorepass secret
+	@echo "#####done#####"
+
+#Clear unused certificates
+step_15:
+	@echo "Clear unused certificates"
+	rm certServiceClientByRoot.crt certServiceClient.csr root-keystore.jks certServiceServerByRoot.crt  certServiceServer.csr
+	@echo "#####done#####"
diff --git a/sanitycheck/pnfsimulator-secured/certservice/certservice-resources/cmpServers.json b/sanitycheck/pnfsimulator-secured/certservice/certservice-resources/cmpServers.json
new file mode 100644
index 0000000..79b97e6
--- /dev/null
+++ b/sanitycheck/pnfsimulator-secured/certservice/certservice-resources/cmpServers.json
@@ -0,0 +1,24 @@
+{
+  "cmpv2Servers": [
+    {
+      "caName": "Client",
+      "url": "http://172.17.0.1:80/ejbca/publicweb/cmp/cmp",
+      "issuerDN": "CN=ManagementCA",
+      "caMode": "CLIENT",
+      "authentication": {
+        "iak": "mypassword",
+        "rv": "mypassword"
+      }
+    },
+    {
+      "caName": "RA",
+      "url": "http://172.17.0.1:80/ejbca/publicweb/cmp/cmpRA",
+      "issuerDN": "CN=ManagementCA",
+      "caMode": "RA",
+      "authentication": {
+        "iak": "mypassword",
+        "rv": "mypassword"
+      }
+    }
+  ]
+}
diff --git a/sanitycheck/pnfsimulator-secured/certservice/client-resources/client-configuration.env b/sanitycheck/pnfsimulator-secured/certservice/client-resources/client-configuration.env
new file mode 100644
index 0000000..bc62f1f
--- /dev/null
+++ b/sanitycheck/pnfsimulator-secured/certservice/client-resources/client-configuration.env
@@ -0,0 +1,18 @@
+#Client envs
+REQUEST_URL=https://aaf-cert-service:8443/v1/certificate/
+REQUEST_TIMEOUT=10000
+OUTPUT_PATH=/var/certs
+CA_NAME=RA
+#Csr config envs
+COMMON_NAME=onap.org
+ORGANIZATION=Linux-Foundation
+ORGANIZATION_UNIT=ONAP
+LOCATION=San-Francisco
+STATE=California
+COUNTRY=US
+SANS=example.org
+#Tls config envs
+KEYSTORE_PATH=/etc/onap/aaf/certservice/certs/certServiceClient-keystore.jks
+KEYSTORE_PASSWORD=secret
+TRUSTSTORE_PATH=/etc/onap/aaf/certservice/certs/truststore.jks
+TRUSTSTORE_PASSWORD=secret
diff --git a/sanitycheck/pnfsimulator-secured/certservice/ejbca-resources/ejbca-configuration.sh b/sanitycheck/pnfsimulator-secured/certservice/ejbca-resources/ejbca-configuration.sh
new file mode 100755
index 0000000..77f5c55
--- /dev/null
+++ b/sanitycheck/pnfsimulator-secured/certservice/ejbca-resources/ejbca-configuration.sh
@@ -0,0 +1,19 @@
+#!/bin/bash
+
+configureEjbca() {
+    ejbca.sh config cmp addalias --alias cmpRA
+    ejbca.sh config cmp updatealias --alias cmpRA --key operationmode --value ra
+    ejbca.sh ca editca --caname ManagementCA --field cmpRaAuthSecret --value mypassword
+    ejbca.sh config cmp updatealias --alias cmpRA --key responseprotection --value pbe
+    ejbca.sh config cmp dumpalias --alias cmpRA
+    ejbca.sh config cmp addalias --alias cmp
+    ejbca.sh config cmp updatealias --alias cmp --key allowautomatickeyupdate --value true
+    ejbca.sh config cmp updatealias --alias cmp --key responseprotection --value pbe
+    ejbca.sh ra addendentity --username Node123 --dn "CN=Node123" --caname ManagementCA --password mypassword --type 1 --token USERGENERATED
+    ejbca.sh ra setclearpwd --username Node123 --password mypassword
+    ejbca.sh config cmp updatealias --alias cmp --key extractusernamecomponent --value CN
+    ejbca.sh config cmp dumpalias --alias cmp
+    ejbca.sh ca getcacert --caname ManagementCA -f /dev/stdout > cacert.pem
+}
+
+configureEjbca
diff --git a/sanitycheck/tools/docker-compose.yml b/sanitycheck/pnfsimulator-secured/docker-compose-certman.yml
index 3016189..e20f78d 100644
--- a/sanitycheck/tools/docker-compose.yml
+++ b/sanitycheck/pnfsimulator-secured/docker-compose-certman.yml
@@ -11,9 +11,9 @@ services:
     image: nexus3.onap.org:10001/onap/org.onap.dcaegen2.deployments.tls-init-container:2.1.0
     extra_hosts:
       #set worker IP with access to AAF
-      aaf-locate.onap: 10.183.35.177
-      aaf-cm.onap: 10.183.35.177
-      aaf-service.onap: 10.183.35.177
+      aaf-locate.onap: <WORKER_IP> #for example 10.183.35.177
+      aaf-cm.onap: <WORKER_IP> #for example 10.183.35.177
+      aaf-service.onap: <WORKER_IP> #for example 10.183.35.177
     environment:
       - aaf_locate_url=https://aaf-locate.onap:31111
       - aaf_url_cm=https://aaf-cm.onap:31114
diff --git a/sanitycheck/pnfsimulator-secured/docker-compose-certservice.yml b/sanitycheck/pnfsimulator-secured/docker-compose-certservice.yml
new file mode 100644
index 0000000..4548f04
--- /dev/null
+++ b/sanitycheck/pnfsimulator-secured/docker-compose-certservice.yml
@@ -0,0 +1,93 @@
+version: "2.1"
+
+networks:
+  certservice-network:
+    driver: bridge
+    name: certservice-network
+  pnf-simulator-network:
+    driver: bridge
+    name: pnf-simulator-network
+
+services:
+
+  aaf-cert-service:
+    image: nexus3.onap.org:10003/onap/org.onap.aaf.certservice.aaf-certservice-api:latest
+    volumes:
+      - ./certservice/certservice-resources/cmpServers.json:/etc/onap/aaf/certservice/cmpServers.json
+      - ./certservice/certs/truststore.jks:/etc/onap/aaf/certservice/certs/truststore.jks
+      - ./certservice/certs/root.crt:/etc/onap/aaf/certservice/certs/root.crt
+      - ./certservice/certs/certServiceServer-keystore.jks:/etc/onap/aaf/certservice/certs/certServiceServer-keystore.jks
+      - ./certservice/certs/certServiceServer-keystore.p12:/etc/onap/aaf/certservice/certs/certServiceServer-keystore.p12
+    container_name: aafcert-service
+    ports:
+      - "8443:8443"
+    healthcheck:
+      test: ["CMD-SHELL", "curl https://localhost:8443/actuator/health --cacert /etc/onap/aaf/certservice/certs/root.crt --cert-type p12 --cert /etc/onap/aaf/certservice/certs/certServiceServer-keystore.p12 --pass secret"]
+      interval: 10s
+      timeout: 3s
+      retries: 15
+    networks:
+      - certservice-network
+
+  aaf-cert-client:
+    image: nexus3.onap.org:10003/onap/org.onap.aaf.certservice.aaf-certservice-client:latest
+    container_name: aafcert-client
+    env_file: ./certservice/client-resources/client-configuration.env
+    networks:
+      - certservice-network
+    volumes:
+    - ./certservice/client-resources/client-volume:/var/certs:rw
+    - ./certservice/certs/truststore.jks:/etc/onap/aaf/certservice/certs/truststore.jks
+    - ./certservice/certs/certServiceClient-keystore.jks:/etc/onap/aaf/certservice/certs/certServiceClient-keystore.jks
+    depends_on:
+      aaf-cert-service:
+        condition: service_healthy
+
+  mongo:
+    image: mongo
+    restart: always
+    networks:
+      - pnf-simulator-network
+    environment:
+      MONGO_INITDB_ROOT_USERNAME: root
+      MONGO_INITDB_ROOT_PASSWORD: zXcVbN123!
+      MONGO_INITDB_DATABASE: pnf_simulator
+    volumes:
+      - ../../pnfsimulator/db:/docker-entrypoint-initdb.d
+    ports:
+      - "27017:27017"
+
+  mongo-express:
+    image: mongo-express
+    restart: always
+    networks:
+      - pnf-simulator-network
+    ports:
+      - 8081:8081
+    environment:
+      ME_CONFIG_MONGODB_ADMINUSERNAME: root
+      ME_CONFIG_MONGODB_ADMINPASSWORD: zXcVbN123!
+
+  pnf-simulator:
+    image: nexus3.onap.org:10003/onap/org.onap.integration.simulators.pnfsimulator
+    ports:
+      - "5000:5000"
+    networks:
+      - pnf-simulator-network
+    command: bash -c "
+      while [[ $$(ls -1 /app/store | wc -l) != '4' ]]; do echo 'Waiting for certs...'; sleep 3; done
+      && mv /app/store/truststore.jks /app/store/trust.jks
+      && mv /app/store/keystore.jks /app/store/cert.p12
+      && export CLIENT_CERT_PASS=$$(cat /app/store/keystore.pass)
+      && export TRUST_CERT_PASS=$$(cat /app/store/truststore.pass)
+      && java -Dspring.config.location=file:/app/application.properties  -cp /app/libs/*:/app/pnf-simulator.jar org.onap.pnfsimulator.Main
+      "
+    volumes:
+      - ../../pnfsimulator/logs:/var/log
+      - ../../pnfsimulator/templates:/app/templates
+      - ../../pnfsimulator/src/main/resources/application.properties:/app/application.properties
+      - ./certservice/client-resources/client-volume/:/app/store/
+    restart: on-failure
+    depends_on:
+      - mongo
+      - mongo-express
diff --git a/sanitycheck/pnfsimulator-secured/docker-compose-ves.yml b/sanitycheck/pnfsimulator-secured/docker-compose-ves.yml
new file mode 100644
index 0000000..85e4286
--- /dev/null
+++ b/sanitycheck/pnfsimulator-secured/docker-compose-ves.yml
@@ -0,0 +1,31 @@
+version: '3'
+services:
+  ves:
+    container_name: ves
+    image: nexus3.onap.org:10003/onap/org.onap.dcaegen2.collectors.ves.vescollector:latest
+    ports:
+      - "8082:8080"
+      - "8444:8443"
+    networks:
+      - vesnetwork
+    command: bash -c "
+      rm -f /opt/app/VESCollector/etc/keystore
+      && echo $$(cat /opt/app/VESCollector/etc/trustpasswordfile)
+      && keytool -importkeystore -srckeystore /opt/app/VESCollector/etc/cert.p12 -srcstorepass $$(cat /opt/app/VESCollector/etc/passwordfile) -srcstoretype pkcs12 -destkeystore /opt/app/VESCollector/etc/keystore -deststoretype jks -deststorepass $$(cat /opt/app/VESCollector/etc/passwordfile)
+      && bin/docker-entry.sh
+      "
+    volumes:
+    - ./certservice/client-resources/client-volume/cert.p12:/opt/app/VESCollector/etc/cert.p12
+    - ./certservice/client-resources/client-volume/keystore.pass:/opt/app/VESCollector/etc/passwordfile
+    - ./certservice/client-resources/client-volume/trust.jks:/opt/app/VESCollector/etc/truststore
+    - ./certservice/client-resources/client-volume/truststore.pass:/opt/app/VESCollector/etc/trustpasswordfile
+  onap-dmaap:
+    container_name: dmaap
+    image: dmaap-simulator
+    ports:
+      - "3904:3904"
+    networks:
+      - vesnetwork
+networks:
+  vesnetwork:
+    driver: bridge
diff --git a/sanitycheck/tools/README.md b/sanitycheck/tools/README.md
deleted file mode 100644
index 2d6b3d0..0000000
--- a/sanitycheck/tools/README.md
+++ /dev/null
@@ -1,93 +0,0 @@
-Standalone PNF Simulator configuration for HTTPS communication with VES
-------------------------
-
-### Description
-
-docker-compose.yml prepares PNF simulator container for HTTPS communication with VES.
-
-When docker-compose starts certs-init container fills connected volume with certificates, truststores, keystores, 
-passwords etc. Next pnf-simulator container starts and connects to the same volume. On startup it should read password
-values from proper files and set them in system environment variables. With these variables and files in volume 
-application is ready to work on HTTPS.
-
-### Prerequisites
-
-1. certs-init container works with external AAF on cloud. Due to that fact it must have set correct IPs to workers that
-has access to AAF. In docker-compose.yml fields with mentioned IPs are:
-    
-    * aaf-locate.onap
-    * aaf-cm.onap
-    * aaf-service.onap
-
-### Start
-
-**ATTENTION** 
-
-Proper IPs to AAF must be set in the docker-compose.yml before start (as described in prerequisites)!
-
-```
-docker-compose up
-```
-
-### Send event
-
-**ATTENTION**
-
-``sanitycheck/events/eventToVes.json`` file which is request for sending event to VES must have correct ``vesServerURL`` 
-field before sending event. 
-IP of ``vesServerURL`` should be the same as given in docker-compose.yml in ``aaf-locate.onap`` field.
-To use secured connection remember about setting protocol to https:// and port to proper secured port of VES.
-
-To send event from PNF simulator to VES use this command from ``pnf-simulator/sanitycheck`` directory:
-
-````
-make generate-event
-````
-
-Sample ``sanitycheck/events/eventToVes.json`` file content is:
-
-```json
-{
-  "vesServerUrl": "https://10.183.35.177:30417/eventListener/v7",
-  "event": {
-    "event": {
-      "commonEventHeader": {
-        "version": "4.0.1",
-        "vesEventListenerVersion": "7.0.1",
-        "domain": "fault",
-        "eventName": "Fault_Vscf:Acs-Ericcson_PilotNumberPoolExhaustion",
-        "eventId": "fault0000245",
-        "sequence": 1,
-        "priority": "High",
-        "reportingEntityId": "cc305d54-75b4-431b-adb2-eb6b9e541234",
-        "reportingEntityName": "ibcx0001vm002oam001",
-        "sourceId": "de305d54-75b4-431b-adb2-eb6b9e546014",
-        "sourceName": "scfx0001vm002cap001",
-        "nfVendorName": "Ericsson",
-        "nfNamingCode": "scfx",
-        "nfcNamingCode": "ssc",
-        "startEpochMicrosec": 1413378172000000,
-        "lastEpochMicrosec": 1413378172000000,
-        "timeZoneOffset": "UTC-05:30"
-      },
-      "faultFields": {
-        "faultFieldsVersion": "4.0",
-        "alarmCondition": "PilotNumberPoolExhaustion",
-        "eventSourceType": "other",
-        "specificProblem": "Calls cannot complete - pilot numbers are unavailable",
-        "eventSeverity": "CRITICAL",
-        "vfStatus": "Active",
-        "alarmAdditionalInformation": {
-          "PilotNumberPoolSize": "1000"
-        }
-      }
-    }
-  }
-}
-
-```
-
-### Stop
-```
-docker-compose down
-```
-\ No newline at end of file
author	Michal Banka <michal.banka@nokia.com>	2020-06-03 10:51:51 +0200
committer	Michal Banka <michal.banka@nokia.com>	2020-06-04 13:08:34 +0200
commit	b06189e0c1f15237519d3727aeab007fadd952cb (patch)
tree	eb9765ace8e647a21cf8ec8eccbebfca53193f58
parent	e775c31a8b8efd55796cdf4fa049e72587ea6088 (diff)