Diffstat (limited to 'sanitycheck/pnfsimulator-secured/certservice')
11 files changed, 327 insertions, 2 deletions
diff --git a/sanitycheck/pnfsimulator-secured/certservice/Makefile b/sanitycheck/pnfsimulator-secured/certservice/Makefile
new file mode 100644
index 0000000..aea8477
--- /dev/null
+++ b/sanitycheck/pnfsimulator-secured/certservice/Makefile
@@ -0,0 +1,56 @@
+default:
+ @echo "There is no default target. Use: make <specific_target>"
+
+setup-env: --start-certservice-and-ejbca --run-certservice-clients --start-local-secured-ves
+
+start-pnfsim:
+ docker-compose -f docker-compose-pnfsim.yml up
+
+restart-pnfsim: --clean-pnfsim start-pnfsim
+
+clean-all: --clean-pnfsim --clean-env
+
+
+
+--start-certservice-and-ejbca: --create-certservice-internal-certs --start-certservice-ejbca-containers --configure-ejbca
+
+--start-certservice-ejbca-containers:
+ docker-compose -f docker-compose-certservice-ejbca.yml up -d
+
+--create-certservice-internal-certs:
+ make -C resources/certs all
+
+--configure-ejbca: --wait-for-ejbca --run-ejbca-script
+
+--wait-for-ejbca:
+ @echo 'Waiting for EJBCA... It may take a minute or two'
+ until docker container inspect oomcert-ejbca | grep '"Status": "healthy"'; do sleep 3; done
+
+--run-ejbca-script:
+ docker exec oomcert-ejbca /opt/primekey/scripts/ejbca-configuration.sh
+
+--run-certservice-clients: --create-client-volumes
+ docker-compose -f docker-compose-certservice-clients.yml up -d
+ @echo 'Waiting for client certifiactes...'
+ @until ls -1 ./resources/certservice-client/client-volume-for-pnfsim | grep "store" 1>/dev/null; do sleep 3; done
+ @until ls -1 ./resources/certservice-client/client-volume-for-ves | grep "store" 1>/dev/null; do sleep 3; done
+
+--create-client-volumes:
+ mkdir -p ./resources/certservice-client/client-volume-for-pnfsim -m 777
+ mkdir -p ./resources/certservice-client/client-volume-for-ves -m 777
+
+--start-local-secured-ves:
+ docker-compose -f docker-compose-ves-dmaap.yml up
+
+--clean-pnfsim:
+ docker-compose -f docker-compose-pnfsim.yml down
+ rm -rf ./resources/certservice-client/client-volume-for-pnfsim/cert.p12 || true
+ rm -rf ./resources/certservice-client/client-volume-for-pnfsim/trust.jks || true
+
+--clean-env:
+ docker-compose -f docker-compose-ves-dmaap.yml down
+ docker-compose -f docker-compose-certservice-clients.yml down
+ rm -rf ./resources/certservice-client/client-volume-for-pnfsim || true
+ rm -rf ./resources/certservice-client/client-volume-for-ves || true
+ docker-compose -f docker-compose-certservice-ejbca.yml down
+ make -C resources/certs clear
diff --git a/sanitycheck/pnfsimulator-secured/certservice/README.md b/sanitycheck/pnfsimulator-secured/certservice/README.md
new file mode 100644
index 0000000..16a4793
--- /dev/null
+++ b/sanitycheck/pnfsimulator-secured/certservice/README.md
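Review bot: `--create-client-volumes` creates both client volume directories with `-m 777`, and these are the directories the CertService clients fill with the keystores and the `keystore.pass`/`truststore.pass` files that VES and PNF Simulator later mount, so any local user can add, replace or delete those files. If the open mode exists only because the client container writes as a different UID, that should be stated in a comment next to the two `mkdir` lines and the mode narrowed where possible. The `make -C resources/certs all` and `make -C resources/certs clear` lines should invoke `$(MAKE)` instead of `make` so `-j`/`-n` propagate to the sub-make. None of the command targets are declared phony, so a file named `clean-all` or `setup-env` in this directory would silently disable them; add `.PHONY: default setup-env start-pnfsim restart-pnfsim clean-all` plus the `--` helper targets. Minor: `'Waiting for client certifiactes...'` misspells "certificates".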
@@ -0,0 +1,81 @@ +## Fetching certificates from OOM CertService (CMPv2) +This readme describes how to run PNF Simulator with certificates fetched using OOM CertService (CMPv2) + +### Description + +Using Makefile in this directory following can be achieved: + +* Setup environment for PNF Simulator, i.e.: + * Create certificates that will be used for internal communication between CertService and CertService Clients. + Generated internal certificates should be present in `resources/certs` directory. + * Start and configure EJBCA + * Start and configure AAF Cert Service. + * Run Cert Service Clients to fetch certificates for VES and PNF Simulator. Certificates will be stored for the components +in `resources/certservice-client/client-volume-for-ves` and `resources/certservice-client/client-volume-for-pnfsim` accordingly. + * Start VES and DMaaP Simulator. Fetched certificates will be mounted to VES. + +* Start PNF Simulator. Fetched certificates will be mounted to PNF Simulator. +* Clean up. + +### Prerequisites +##### VES collector local deployment prerequisites + +By default, the image of VES from Nexus supports only HTTP communication. A local image with enabled HTTPS must be +build to use local VES as PNF simulator destination. + +1. Pull VES repository +2. In `<VES_PROJECT_ROOT>/etc/collector.properties` file set field `auth.method=certBasicAuth` +3. Build a local image: `mvn clean install docker:build` from VES project root directory. + +Local VES deployment uses also DMaaP simulator. Its image should be built locally as well. +1. Go to `sanitycheck/dmaap-simulator` directory +2. 
Run: `make build` + + + +### Setup environment +To set up whole environment for PNF Simulator, i.e.: +- deploy and configure EJBCA +- deploy Cert Service +- fetch certificates for VES and PNF Simulator using Cert Service clients +- run DMaaP Simulator +- run VES with fetched certificates + +execute: +```` +make setup-env +```` +Note that this command setups whole environment besides PNF Simulator itself. + +## Run PNF Simulator +To run PNF Simulator execute: +```` +make start-pnfsim +```` +This command starts PNF Simulator with certificates fetched using CertService (certificates are fetched in the previous step) + +### Send event + +Configure PNF simulator to use proper VES URL by executing this command from ``pnf-simulator/sanitycheck`` directory: +``` +make reconfigure-ves-url +``` + + +Send an event from PNF simulator to VES by executing this command from ``pnf-simulator/sanitycheck`` directory: +``` +make generate-event +``` + +### Restart PNF Simulator + +To restart only PNF Simulator execute: +``` +make restart-pnfsim +``` + +### Clean up +To clean all generated certificates, remove PNF Simulator, CertService, EJBCA, VES and DMaaP Simulator containers: +``` +make clean-all +``` diff --git a/sanitycheck/pnfsimulator-secured/certservice/docker-compose-certservice-clients.yml b/sanitycheck/pnfsimulator-secured/certservice/docker-compose-certservice-clients.yml new file mode 100644 index 0000000..fdfd6c6 --- /dev/null +++ b/sanitycheck/pnfsimulator-secured/certservice/docker-compose-certservice-clients.yml 
@@ -0,0 +1,28 @@
+version: "2.1"
+
+networks:
+ onap:
+ external: true
+
+services:
+ oom-cert-client-ves:
+ image: nexus3.onap.org:10001/onap/org.onap.oom.platform.cert-service.oom-certservice-client:2.1.0
+ container_name: oomcert-client-for-ves
+ env_file: ./resources/certservice-client/client-configuration-for-ves.env
+ networks:
+ - onap
+ volumes:
+ - ./resources/certservice-client/client-volume-for-ves:/var/certs:rw
+ - ./resources/certs/truststore.jks:/etc/onap/oom/certservice/certs/truststore.jks
+ - ./resources/certs/certServiceClient-keystore.jks:/etc/onap/oom/certservice/certs/certServiceClient-keystore.jks
+
+ oom-cert-client-pnfsim:
+ image: nexus3.onap.org:10001/onap/org.onap.oom.platform.cert-service.oom-certservice-client:2.1.0
+ container_name: oomcert-client
+ env_file: ./resources/certservice-client/client-configuration-for-pnfsim.env
+ networks:
+ - onap
+ volumes:
+ - ./resources/certservice-client/client-volume-for-pnfsim:/var/certs:rw
+ - ./resources/certs/truststore.jks:/etc/onap/oom/certservice/certs/truststore.jks
+ - ./resources/certs/certServiceClient-keystore.jks:/etc/onap/oom/certservice/certs/certServiceClient-keystore.jks
diff --git a/sanitycheck/pnfsimulator-secured/certservice/docker-compose-certservice-ejbca.yml b/sanitycheck/pnfsimulator-secured/certservice/docker-compose-certservice-ejbca.yml
new file mode 100644
index 0000000..38b130f
--- /dev/null
+++ b/sanitycheck/pnfsimulator-secured/certservice/docker-compose-certservice-ejbca.yml
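Review bot: The `truststore.jks` and `certServiceClient-keystore.jks` bind mounts in both client services carry no access mode, so the internal CertService client credential is mounted read-write into each container while only `/var/certs` needs to be writable. Appending `:ro` to those four lines, e.g. `- ./resources/certs/certServiceClient-keystore.jks:/etc/onap/oom/certservice/certs/certServiceClient-keystore.jks:ro`, keeps a misbehaving client from altering the shared key material on the host. Both services also present the same client keystore to CertService, which is presumably intended for a sanity check; a one-line comment saying so would stop a reader from treating it as a per-client identity.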
@@ -0,0 +1,47 @@
+version: "2.1"
+
+networks:
+ onap:
+ driver: bridge
+ name: onap
+ public:
+ driver: bridge
+ name: public
+
+services:
+ ejbca:
+ image: primekey/ejbca-ce:6.15.2.5
+ hostname: cahostname
+ container_name: oomcert-ejbca
+ ports:
+ - "80:8080"
+ - "443:8443"
+ volumes:
+ - ./resources/ejbca/ejbca-configuration.sh:/opt/primekey/scripts/ejbca-configuration.sh
+ healthcheck:
+ test: [ "CMD-SHELL", "curl -kI https://localhost:8443/ejbca/publicweb/healthcheck/ejbcahealth" ]
+ interval: 10s
+ timeout: 3s
+ retries: 15
+ networks:
+ - onap
+
+ oom-cert-service:
+ image: nexus3.onap.org:10001/onap/org.onap.oom.platform.cert-service.oom-certservice-api:2.1.0
+ volumes:
+ - ./resources/certservice/cmpServers.json:/etc/onap/oom/certservice/cmpServers.json
+ - ./resources/certs/truststore.jks:/etc/onap/oom/certservice/certs/truststore.jks
+ - ./resources/certs/root.crt:/etc/onap/oom/certservice/certs/root.crt
+ - ./resources/certs/certServiceServer-keystore.jks:/etc/onap/oom/certservice/certs/certServiceServer-keystore.jks
+ - ./resources/certs/certServiceServer-keystore.p12:/etc/onap/oom/certservice/certs/certServiceServer-keystore.p12
+ container_name: oomcert-service
+ ports:
+ - "8443:8443"
+ healthcheck:
+ test: ["CMD-SHELL", "curl https://localhost:8443/actuator/health --cacert /etc/onap/oom/certservice/certs/root.crt --cert-type p12 --cert /etc/onap/oom/certservice/certs/certServiceServer-keystore.p12 --pass secret"]
+ interval: 10s
+ timeout: 3s
+ retries: 15
+ networks:
+ - onap
+ - public
diff --git a/sanitycheck/pnfsimulator-secured/certservice/docker-compose-pnfsim.yml b/sanitycheck/pnfsimulator-secured/certservice/docker-compose-pnfsim.yml
new file mode 100644
index 0000000..f09b0a9
--- /dev/null
+++ b/sanitycheck/pnfsimulator-secured/certservice/docker-compose-pnfsim.yml
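Review bot: The `ejbca` service still publishes `80:8080` and `443:8443` on every host interface, yet the `cmpServers.json` change in this same commit moves CertService from the host bridge address `172.17.0.1:80` to `oomcert-ejbca:8080` over the shared `onap` network, so the host publishing appears to be leftover and needlessly exposes the EJBCA web endpoints to the host's network. If nothing outside the compose network needs EJBCA, drop the `ports:` block; if an operator wants local access, bind it to loopback, e.g. `- "127.0.0.1:443:8443"`. The `oom-cert-service` healthcheck passes `--pass secret` on the command line, which is visible in `docker inspect`, and the EJBCA healthcheck's `curl -kI` disables TLS verification; both are tolerable for a self-check against `localhost` in a sanity environment but deserve a short comment so they are not copied elsewhere.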
@@ -0,0 +1,61 @@
+version: "2.1"
+
+networks:
+ pnfsimulator:
+ driver: bridge
+ name: pnfsimulator
+ public:
+ external: true
+ onap:
+ external: true
+
+services:
+ mongo:
+ image: mongo
+ restart: always
+ networks:
+ - pnfsimulator
+ environment:
+ MONGO_INITDB_ROOT_USERNAME: root
+ MONGO_INITDB_ROOT_PASSWORD: zXcVbN123!
+ MONGO_INITDB_DATABASE: pnf_simulator
+ volumes:
+ - ../../../pnfsimulator/db:/docker-entrypoint-initdb.d
+ ports:
+ - "27017:27017"
+
+ mongo-express:
+ image: mongo-express
+ restart: always
+ networks:
+ - pnfsimulator
+ ports:
+ - 8081:8081
+ environment:
+ ME_CONFIG_MONGODB_ADMINUSERNAME: root
+ ME_CONFIG_MONGODB_ADMINPASSWORD: zXcVbN123!
+
+ pnf-simulator:
+ image: nexus3.onap.org:10003/onap/org.onap.integration.simulators.pnfsimulator
+ ports:
+ - "5000:5000"
+ networks:
+ - pnfsimulator
+ - public
+ command: bash -c "
+ while [[ $$(ls -1 /app/store | wc -l) != '4' ]]; do echo 'Waiting for certs...'; sleep 3; done
+ && cp /app/store/truststore.jks /app/store/trust.jks
+ && cp /app/store/keystore.jks /app/store/cert.p12
+ && export CLIENT_CERT_PASS=$$(cat /app/store/keystore.pass)
+ && export TRUST_CERT_PASS=$$(cat /app/store/truststore.pass)
+ && java -Dspring.config.location=file:/app/application.properties -cp /app/libs/*:/app/pnf-simulator.jar org.onap.pnfsimulator.Main
+ "
+ volumes:
+ - ../../../pnfsimulator/logs:/var/log
+ - ../../../pnfsimulator/templates:/app/templates
+ - ../../../pnfsimulator/src/main/resources/application.properties:/app/application.properties
+ - ./resources/certservice-client/client-volume-for-pnfsim/:/app/store/
+ restart: on-failure
+ depends_on:
+ - mongo
+ - mongo-express
diff --git a/sanitycheck/pnfsimulator-secured/certservice/docker-compose-ves-dmaap.yml b/sanitycheck/pnfsimulator-secured/certservice/docker-compose-ves-dmaap.yml
new file mode 100644
index 0000000..86f0202
--- /dev/null
+++ b/sanitycheck/pnfsimulator-secured/certservice/docker-compose-ves-dmaap.yml
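Review bot: `mongo` and `mongo-express` publish `27017:27017` and `8081:8081` on all host interfaces with the committed root password `zXcVbN123!`, so anyone who can reach the host gets the simulator's database and its admin UI. Binding both to loopback, `- "127.0.0.1:27017:27017"` and `- "127.0.0.1:8081:8081"`, keeps them usable from the machine running the sanity check without exposing them further. The startup command copies `keystore.jks` to `cert.p12`; if `application.properties` expects a PKCS#12 file at that path, a renamed JKS will not load, so this should be confirmed and stated in a comment above the `command:` block. The wait loop also keys on `ls -1 /app/store | wc -l` being exactly `'4'`, which breaks as soon as the client writes an additional file; testing for the four files the command actually reads (`keystore.jks`, `keystore.pass`, `truststore.jks`, `truststore.pass`) would be more robust.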
@@ -0,0 +1,33 @@
+version: "2.1"
+
+networks:
+ public:
+ external: true
+ onap:
+ external: true
+
+services:
+ ves:
+ container_name: ves
+ image: nexus3.onap.org:10003/onap/org.onap.dcaegen2.collectors.ves.vescollector:latest
+ ports:
+ - "8082:8080"
+ - "8444:8443"
+ networks:
+ - onap
+ - public
+ volumes:
+ - ./resources/certservice-client/client-volume-for-ves/keystore.jks:/opt/app/VESCollector/etc/keystore
+ - ./resources/certservice-client/client-volume-for-ves/keystore.pass:/opt/app/VESCollector/etc/passwordfile
+ - ./resources/certservice-client/client-volume-for-ves/truststore.jks:/opt/app/VESCollector/etc/truststore
+ - ./resources/certservice-client/client-volume-for-ves/truststore.pass:/opt/app/VESCollector/etc/trustpasswordfile
+ depends_on:
+ - onap-dmaap
+
+ onap-dmaap:
+ container_name: dmaap
+ image: dmaap-simulator
+ ports:
+ - "3904:3904"
+ networks:
+ - onap
diff --git a/sanitycheck/pnfsimulator-secured/certservice/certs/Makefile b/sanitycheck/pnfsimulator-secured/certservice/resources/certs/Makefile
index 507a23c..507a23c 100644
--- a/sanitycheck/pnfsimulator-secured/certservice/certs/Makefile
+++ b/sanitycheck/pnfsimulator-secured/certservice/resources/certs/Makefile
diff --git a/sanitycheck/pnfsimulator-secured/certservice/client-resources/client-configuration.env b/sanitycheck/pnfsimulator-secured/certservice/resources/certservice-client/client-configuration-for-pnfsim.env
index cda235d..cda235d 100644
--- a/sanitycheck/pnfsimulator-secured/certservice/client-resources/client-configuration.env
+++ b/sanitycheck/pnfsimulator-secured/certservice/resources/certservice-client/client-configuration-for-pnfsim.env
diff --git a/sanitycheck/pnfsimulator-secured/certservice/resources/certservice-client/client-configuration-for-ves.env b/sanitycheck/pnfsimulator-secured/certservice/resources/certservice-client/client-configuration-for-ves.env
new file mode 100644
index 0000000..e06d147
--- /dev/null
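Review bot: The `ves` image is pinned to `:latest` while every other ONAP image in this change carries an explicit version (`2.1.0`, `6.15.2.5`), so the secured sanity check is not reproducible and a collector update can break it silently. The README in this commit says a locally built VES image with `auth.method=certBasicAuth` must be used; if that build tags the image under this same name the `:latest` tag happens to resolve to it, but the compose file gives no hint of that, so either pin `image: nexus3.onap.org:10003/onap/org.onap.dcaegen2.collectors.ves.vescollector:<tag the local build produces>` or add a comment stating the expected local tag. The four keystore/truststore mounts could also carry `:ro`, since VES only reads them.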
+++ b/sanitycheck/pnfsimulator-secured/certservice/resources/certservice-client/client-configuration-for-ves.env
@@ -0,0 +1,19 @@
+#Client envs
+REQUEST_URL=https://oom-cert-service:8443/v1/certificate/
+REQUEST_TIMEOUT=10000
+OUTPUT_PATH=/var/certs
+CA_NAME=RA
+OUTPUT_TYPE=JKS
+#Csr config envs
+COMMON_NAME=ves-onap.org
+ORGANIZATION=Linux-Foundation
+ORGANIZATION_UNIT=ONAP
+LOCATION=San-Francisco
+STATE=California
+COUNTRY=US
+SANS=ves
+#Tls config envs
+KEYSTORE_PATH=/etc/onap/oom/certservice/certs/certServiceClient-keystore.jks
+KEYSTORE_PASSWORD=secret
+TRUSTSTORE_PATH=/etc/onap/oom/certservice/certs/truststore.jks
+TRUSTSTORE_PASSWORD=secret
diff --git a/sanitycheck/pnfsimulator-secured/certservice/certservice-resources/cmpServers.json b/sanitycheck/pnfsimulator-secured/certservice/resources/certservice/cmpServers.json
index 79b97e6..7256494 100644
--- a/sanitycheck/pnfsimulator-secured/certservice/certservice-resources/cmpServers.json
+++ b/sanitycheck/pnfsimulator-secured/certservice/resources/certservice/cmpServers.json
@@ -2,7 +2,7 @@
 "cmpv2Servers": [
 {
 "caName": "Client",
- "url": "http://172.17.0.1:80/ejbca/publicweb/cmp/cmp",
+ "url": "http://oomcert-ejbca:8080/ejbca/publicweb/cmp/cmp",
 "issuerDN": "CN=ManagementCA",
 "caMode": "CLIENT",
 "authentication": {
@@ -12,7 +12,7 @@
 },
 {
 "caName": "RA",
- "url": "http://172.17.0.1:80/ejbca/publicweb/cmp/cmpRA",
+ "url": "http://oomcert-ejbca:8080/ejbca/publicweb/cmp/cmpRA",
 "issuerDN": "CN=ManagementCA",
 "caMode": "RA",
 "authentication": {
diff --git a/sanitycheck/pnfsimulator-secured/certservice/ejbca-resources/ejbca-configuration.sh b/sanitycheck/pnfsimulator-secured/certservice/resources/ejbca/ejbca-configuration.sh
index 77f5c55..77f5c55 100755
--- a/sanitycheck/pnfsimulator-secured/certservice/ejbca-resources/ejbca-configuration.sh
+++ b/sanitycheck/pnfsimulator-secured/certservice/resources/ejbca/ejbca-configuration.sh |
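Review bot: `SANS=ves` and `COMMON_NAME=ves-onap.org` fix the names the VES certificate will carry, and the only one that matches how the collector is reachable from the compose network is the `ves` container name in `docker-compose-ves-dmaap.yml`; if PNF Simulator is later pointed at VES by any other hostname (the README's `make reconfigure-ves-url` step) and verifies hostnames, the TLS handshake fails with a name mismatch. A comment on the `SANS` line such as `# must equal the hostname used in the VES URL configured for PNF Simulator` would prevent that. `KEYSTORE_PASSWORD=secret` and `TRUSTSTORE_PASSWORD=secret` presumably have to match the passwords used when `resources/certs` generates the internal client keystore and truststore; that coupling is not stated anywhere and deserves a note in the `#Tls config envs` section.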
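Review bot: Both hunks switch the CMP endpoint from the docker bridge address `172.17.0.1:80` to the service name `oomcert-ejbca:8080`, which only resolves because `oom-cert-service` and `ejbca` are attached to the same `onap` network declared in `docker-compose-certservice-ejbca.yml`; nothing in this file records that dependency, and since JSON has no comments the README is the place to say that the `url` values are compose service names. The endpoint stays plain `http:` even though the EJBCA container also listens on 8443; that is tolerable only insofar as the CMP messages themselves are protected by the `authentication` settings that follow each hunk, and the README should say so explicitly so a later reader does not assume transport security. The second hunk (`cmpRA`) has the same two points.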