From 384b7b14722c5a2e351d61b3779869d680cebf8f Mon Sep 17 00:00:00 2001 From: tkogut Date: Fri, 16 Oct 2020 13:01:29 +0200 Subject: Adjust PNF simulator to use strict hostname checking. Use separate keystore/truststore for ves. Add network for communication between ves and pnfsim. Issue-ID: INT-1744 
Signed-off-by: tkogut Change-Id: I6626ac6d6f74e739aeb93879eddfd44f9e9383ea --- pnfsimulator/README.md | 5 +- .../simulator/client/HttpClientAdapterImpl.java | 25 +-- .../client/utils/ssl/CertificateReader.java | 38 ++++ .../client/utils/ssl/HttpClientFactory.java | 104 +++++++++ .../client/utils/ssl/HttpClientFactoryFacade.java | 40 ++++ .../client/utils/ssl/PasswordConverter.java | 32 +++ .../client/utils/ssl/SSLContextFactory.java | 54 +++++ .../client/utils/ssl/SslAuthenticationHelper.java | 3 +- .../client/utils/ssl/SslSupportLevel.java | 125 ----------- .../src/main/resources/application.properties | 1 + .../utils/ssl/HttpClientFactoryFacadeTest.java | 35 +++ .../client/utils/ssl/HttpClientFactoryTest.java | 143 +++++++++++++ .../client/utils/ssl/PasswordConverterTest.java | 44 ++++ .../client/utils/ssl/SSLContextFactoryTest.java | 60 ++++++ .../client/utils/ssl/SslSupportLevelTest.java | 52 ----- sanitycheck/events/vesAddressConfiguration.json | 2 +- sanitycheck/pnfsimulator-secured/Makefile | 57 ----- sanitycheck/pnfsimulator-secured/README.md | 237 +-------------------- sanitycheck/pnfsimulator-secured/certman/Makefile | 8 + sanitycheck/pnfsimulator-secured/certman/README.md | 91 ++++++++ .../certman/docker-compose.yml | 71 ++++++ .../pnfsimulator-secured/certservice/Makefile | 56 +++++ .../pnfsimulator-secured/certservice/README.md | 81 +++++++ .../certservice/certs/Makefile | 109 ---------- .../certservice-resources/cmpServers.json | 24 --- .../client-resources/client-configuration.env | 18 -- .../docker-compose-certservice-clients.yml | 28 +++ .../docker-compose-certservice-ejbca.yml | 47 ++++ .../certservice/docker-compose-pnfsim.yml | 61 ++++++ .../certservice/docker-compose-ves-dmaap.yml | 33 +++ .../ejbca-resources/ejbca-configuration.sh | 19 -- .../certservice/resources/certs/Makefile | 109 ++++++++++ .../client-configuration-for-pnfsim.env | 18 ++ .../client-configuration-for-ves.env | 19 ++ .../resources/certservice/cmpServers.json | 24 +++ 
.../resources/ejbca/ejbca-configuration.sh | 19 ++ .../docker-compose-certman.yml | 71 ------ .../docker-compose-certservice.yml | 93 -------- .../pnfsimulator-secured/docker-compose-ves.yml | 25 --- 39 files changed, 1233 insertions(+), 848 deletions(-) create mode 100644 pnfsimulator/src/main/java/org/onap/pnfsimulator/simulator/client/utils/ssl/CertificateReader.java create mode 100644 pnfsimulator/src/main/java/org/onap/pnfsimulator/simulator/client/utils/ssl/HttpClientFactory.java create mode 100644 pnfsimulator/src/main/java/org/onap/pnfsimulator/simulator/client/utils/ssl/HttpClientFactoryFacade.java create mode 100644 pnfsimulator/src/main/java/org/onap/pnfsimulator/simulator/client/utils/ssl/PasswordConverter.java create mode 100644 pnfsimulator/src/main/java/org/onap/pnfsimulator/simulator/client/utils/ssl/SSLContextFactory.java delete mode 100644 pnfsimulator/src/main/java/org/onap/pnfsimulator/simulator/client/utils/ssl/SslSupportLevel.java create mode 100644 pnfsimulator/src/test/java/org/onap/pnfsimulator/simulator/client/utils/ssl/HttpClientFactoryFacadeTest.java create mode 100644 pnfsimulator/src/test/java/org/onap/pnfsimulator/simulator/client/utils/ssl/HttpClientFactoryTest.java create mode 100644 pnfsimulator/src/test/java/org/onap/pnfsimulator/simulator/client/utils/ssl/PasswordConverterTest.java create mode 100644 pnfsimulator/src/test/java/org/onap/pnfsimulator/simulator/client/utils/ssl/SSLContextFactoryTest.java delete mode 100644 pnfsimulator/src/test/java/org/onap/pnfsimulator/simulator/client/utils/ssl/SslSupportLevelTest.java delete mode 100644 sanitycheck/pnfsimulator-secured/Makefile create mode 100644 sanitycheck/pnfsimulator-secured/certman/Makefile create mode 100644 sanitycheck/pnfsimulator-secured/certman/README.md create mode 100644 sanitycheck/pnfsimulator-secured/certman/docker-compose.yml create mode 100644 sanitycheck/pnfsimulator-secured/certservice/Makefile create mode 100644 
sanitycheck/pnfsimulator-secured/certservice/README.md delete mode 100644 sanitycheck/pnfsimulator-secured/certservice/certs/Makefile delete mode 100644 sanitycheck/pnfsimulator-secured/certservice/certservice-resources/cmpServers.json delete mode 100644 sanitycheck/pnfsimulator-secured/certservice/client-resources/client-configuration.env create mode 100644 sanitycheck/pnfsimulator-secured/certservice/docker-compose-certservice-clients.yml create mode 100644 sanitycheck/pnfsimulator-secured/certservice/docker-compose-certservice-ejbca.yml create mode 100644 sanitycheck/pnfsimulator-secured/certservice/docker-compose-pnfsim.yml create mode 100644 sanitycheck/pnfsimulator-secured/certservice/docker-compose-ves-dmaap.yml delete mode 100755 sanitycheck/pnfsimulator-secured/certservice/ejbca-resources/ejbca-configuration.sh create mode 100644 sanitycheck/pnfsimulator-secured/certservice/resources/certs/Makefile create mode 100644 sanitycheck/pnfsimulator-secured/certservice/resources/certservice-client/client-configuration-for-pnfsim.env create mode 100644 sanitycheck/pnfsimulator-secured/certservice/resources/certservice-client/client-configuration-for-ves.env create mode 100644 sanitycheck/pnfsimulator-secured/certservice/resources/certservice/cmpServers.json create mode 100755 sanitycheck/pnfsimulator-secured/certservice/resources/ejbca/ejbca-configuration.sh delete mode 100644 sanitycheck/pnfsimulator-secured/docker-compose-certman.yml delete mode 100644 sanitycheck/pnfsimulator-secured/docker-compose-certservice.yml delete mode 100644 sanitycheck/pnfsimulator-secured/docker-compose-ves.yml diff --git a/pnfsimulator/README.md b/pnfsimulator/README.md index 25f84da..81e59fc 100644 --- a/pnfsimulator/README.md +++ b/pnfsimulator/README.md 
@@ -398,7 +398,7 @@ Warning: according to VES implementation which uses certificate with Common Name 1. Generate a private key for the SSL client: ```openssl genrsa -out client.key 2048``` 2. Use the client’s private key to generate a cert request: ```openssl req -new -key client.key -out client.csr``` 3. Issue the client certificate using the cert request and the CA cert/key: ```openssl x509 -req -in client.csr -CA rootCA.crt -CAkey rootCA.key -CAcreateserial -out client.crt -days 500 -sha256``` - 4. Convert the client certificate and private key to pkcs#12 format: openssl pkcs12 -export -inkey client.key -in client.cer -out client.p12 + 4. Convert the client certificate and private key to pkcs#12 format: ```openssl pkcs12 -export -inkey client.key -in client.crt -out client.p12``` 5. Copy pkcs file into pnf simulators folder: ```/app/store/``` #### How to generate correct truststore for pnf-simulator @@ -417,8 +417,9 @@ For this purpose: 2. If you want to replace keystore or truststore put them into the /app/store folder. 3. Edit /app/application.properties file as follow: - ssl.clientCertificateEnabled=true (to disable/enable client authentication) +- ssl.strictHostnameVerification=true (to disable/enable hostname verification) - ssl.clientCertificateDir=/app/store/client.p12 (to replace keystore file) - ssl.clientCertificatePassword=collector (to replace password for keystore) - ssl.trustStoreDir=/app/store/trustStore (to replace truststore file) - ssl.trustStorePassword=collector (to replace password for truststore) -4. Refresh configuration by sending simple POST request to correct actuator endpoint at: ```curl http://localhost:5001/refresh -H 'Content-type: application/json' -X POST --data '{}'``` +4. Refresh configuration by sending simple POST request to correct actuator endpoint at: ```curl http://localhost:5000/refresh -H 'Content-type: application/json' -X POST --data '{}'``` 
diff --git a/pnfsimulator/src/main/java/org/onap/pnfsimulator/simulator/client/HttpClientAdapterImpl.java b/pnfsimulator/src/main/java/org/onap/pnfsimulator/simulator/client/HttpClientAdapterImpl.java index a881698..5d2a024 100644 --- a/pnfsimulator/src/main/java/org/onap/pnfsimulator/simulator/client/HttpClientAdapterImpl.java +++ b/pnfsimulator/src/main/java/org/onap/pnfsimulator/simulator/client/HttpClientAdapterImpl.java @@ -2,7 +2,7 @@ * ============LICENSE_START======================================================= * PNF-REGISTRATION-HANDLER * ================================================================================ - * Copyright (C) 2018 Nokia. All rights reserved. + * Copyright (C) 2020 Nokia. All rights reserved. * ================================================================================ * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -22,12 +22,11 @@ package org.onap.pnfsimulator.simulator.client; import org.apache.http.HttpResponse; import org.apache.http.client.HttpClient; -import org.apache.http.client.config.RequestConfig; import org.apache.http.client.methods.HttpPost; import org.apache.http.entity.StringEntity; import org.apache.http.util.EntityUtils; +import org.onap.pnfsimulator.simulator.client.utils.ssl.HttpClientFactoryFacade; import org.onap.pnfsimulator.simulator.client.utils.ssl.SslAuthenticationHelper; -import org.onap.pnfsimulator.simulator.client.utils.ssl.SslSupportLevel; import org.slf4j.Logger; import org.slf4j.LoggerFactory; import org.slf4j.MDC; 
@@ -45,26 +44,16 @@ import static org.onap.pnfsimulator.logging.MdcVariables.X_ONAP_REQUEST_ID; public class HttpClientAdapterImpl implements HttpClientAdapter { - private static final int CONNECTION_TIMEOUT = 1000; private static final Logger LOGGER = LoggerFactory.getLogger(HttpClientAdapterImpl.class); private static final String CONTENT_TYPE = "Content-Type"; private static final String APPLICATION_JSON = "application/json"; - private static final RequestConfig CONFIG = RequestConfig.custom() - .setConnectTimeout(CONNECTION_TIMEOUT) - .setConnectionRequestTimeout(CONNECTION_TIMEOUT) - .setSocketTimeout(CONNECTION_TIMEOUT) - .build(); private static final Marker INVOKE = MarkerFactory.getMarker("INVOKE"); - private SslSupportLevel sslSupportLevel; - private HttpClient client; + private final HttpClient client; private final String targetUrl; public HttpClientAdapterImpl(String targetUrl, SslAuthenticationHelper sslAuthenticationHelper) - throws IOException, GeneralSecurityException { - this.sslSupportLevel = sslAuthenticationHelper.isClientCertificateEnabled() - ? SslSupportLevel.CLIENT_CERT_AUTH - : SslSupportLevel.getSupportLevelBasedOnProtocol(targetUrl); - this.client = sslSupportLevel.getClient(CONFIG, sslAuthenticationHelper); + throws IOException, GeneralSecurityException { + this.client = HttpClientFactoryFacade.create(targetUrl, sslAuthenticationHelper); this.targetUrl = targetUrl; } @@ -84,10 +73,6 @@ public class HttpClientAdapterImpl implements HttpClientAdapter { } } - public SslSupportLevel getSslSupportLevel() { - return sslSupportLevel; - } - private HttpResponse sendAndRetrieve(String content) throws IOException { HttpPost request = createRequest(content); HttpResponse httpResponse = client.execute(request); 
diff --git a/pnfsimulator/src/main/java/org/onap/pnfsimulator/simulator/client/utils/ssl/CertificateReader.java b/pnfsimulator/src/main/java/org/onap/pnfsimulator/simulator/client/utils/ssl/CertificateReader.java
new file mode 100644
index 0000000..e0b8cc2
--- /dev/null
+++ b/pnfsimulator/src/main/java/org/onap/pnfsimulator/simulator/client/utils/ssl/CertificateReader.java
@@ -0,0 +1,38 @@
+/*
+ * ============LICENSE_START=======================================================
+ * PNF-REGISTRATION-HANDLER
+ * ================================================================================
+ * Copyright (C) 2020 Nokia. All rights reserved.
+ * ================================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END=========================================================
+ */
+
+package org.onap.pnfsimulator.simulator.client.utils.ssl;
+
+import java.io.FileInputStream;
+import java.io.IOException;
+import java.io.InputStream;
+import java.security.GeneralSecurityException;
+import java.security.KeyStore;
+
+class CertificateReader {
+
+ KeyStore read(String certificate, String password, String type) throws GeneralSecurityException, IOException {
+ try (InputStream keyStoreStream = new FileInputStream(certificate)) {
+ KeyStore keyStore = KeyStore.getInstance(type);
+ keyStore.load(keyStoreStream, PasswordConverter.convert(password));
+ return keyStore;
+ }
+ }
+}
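Review bot: `read` hands `PasswordConverter.convert(password)` straight to `KeyStore.load`, and that helper yields null for a null password, so an unset `ssl.trustStorePassword` or `ssl.clientCertificatePassword` loads the store without failing — for JKS the JDK skips the password-based integrity check when the password is null, so a tampered truststore would be accepted silently. If password-less stores are not an intended configuration, a guard such as `Objects.requireNonNull(password, "keystore password must be configured")` would surface the misconfiguration at startup; otherwise the class should state that null is accepted and what it means. The method also has no Javadoc and `certificate` is actually a keystore path; I would add `/** Loads the keystore file at {@code certificate} as the given {@code type} (callers pass "PKCS12" or "JKS"); a null password skips the store's integrity check. */` and rename the parameter to `keyStorePath`.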
diff --git a/pnfsimulator/src/main/java/org/onap/pnfsimulator/simulator/client/utils/ssl/HttpClientFactory.java b/pnfsimulator/src/main/java/org/onap/pnfsimulator/simulator/client/utils/ssl/HttpClientFactory.java new file mode 100644 index 0000000..ca57a64 --- /dev/null +++ b/pnfsimulator/src/main/java/org/onap/pnfsimulator/simulator/client/utils/ssl/HttpClientFactory.java 
@@ -0,0 +1,104 @@ +/* + * ============LICENSE_START======================================================= + * PNF-REGISTRATION-HANDLER + * ================================================================================ + * Copyright (C) 2020 Nokia. All rights reserved. + * ================================================================================ + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * ============LICENSE_END========================================================= + */ + +package org.onap.pnfsimulator.simulator.client.utils.ssl; + +import io.vavr.control.Try; +import org.apache.http.client.HttpClient; +import org.apache.http.client.config.RequestConfig; +import org.apache.http.conn.ssl.DefaultHostnameVerifier; +import org.apache.http.conn.ssl.NoopHostnameVerifier; +import org.apache.http.impl.client.HttpClientBuilder; +import org.apache.http.impl.client.HttpClients; +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; + +import javax.net.ssl.HostnameVerifier; +import javax.net.ssl.SSLContext; +import java.io.IOException; +import java.net.URL; +import java.security.GeneralSecurityException; +import java.security.KeyManagementException; +import java.security.KeyStoreException; +import java.security.NoSuchAlgorithmException; + +class HttpClientFactory { + private static final int CONNECTION_TIMEOUT = 1000; + private static final RequestConfig CONFIG = RequestConfig.custom() + .setConnectTimeout(CONNECTION_TIMEOUT) + 
.setConnectionRequestTimeout(CONNECTION_TIMEOUT) + .setSocketTimeout(CONNECTION_TIMEOUT) + .build(); + private static final Logger LOGGER = LoggerFactory.getLogger(HttpClientFactory.class); + private final SSLContextFactory sslContextFactory; + + HttpClientFactory(SSLContextFactory sslContextFactory) { + this.sslContextFactory = sslContextFactory; + } + + HttpClient create(String url, SslAuthenticationHelper sslAuthenticationHelper) throws GeneralSecurityException, IOException { + HttpClient client; + if (!sslAuthenticationHelper.isClientCertificateEnabled()) { + client = "https".equals(new URL(url).getProtocol()) ? createForHttps() : createBasic(); + } else if (sslAuthenticationHelper.isStrictHostnameVerification()) { + client = createSecured(sslContextFactory.create(sslAuthenticationHelper), new DefaultHostnameVerifier()); + } else { + client = createSecured(sslContextFactory.create(sslAuthenticationHelper), new NoopHostnameVerifier()); + } + return client; + } + + private HttpClient createForHttps() { + return Try.of(this::createSecuredTrustAlways) + .onFailure(this::logErrorMessage) + .getOrElse(createBasic()); + } + + private void logErrorMessage(Throwable e) { + String message = String.format( + "Could not initialize client due to SSL exception: %s. " + + "Default client without SSL support will be used instead." 
+ + "\nCause: %s", + e.getMessage(), + e.getCause() + ); + LOGGER.error(message, e); + } + + + private HttpClient createBasic() { + return HttpClientBuilder + .create() + .setDefaultRequestConfig(CONFIG) + .build(); + } + + private HttpClient createSecuredTrustAlways() throws NoSuchAlgorithmException, KeyStoreException, KeyManagementException { + return createSecured(sslContextFactory.createTrustAlways(), new NoopHostnameVerifier()); + } + + private HttpClient createSecured(SSLContext trustAlways, HostnameVerifier hostnameVerifier) { + return HttpClients.custom() + .setSSLContext(trustAlways) + .setDefaultRequestConfig(CONFIG) + .setSSLHostnameVerifier(hostnameVerifier) + .build(); + } +} diff --git a/pnfsimulator/src/main/java/org/onap/pnfsimulator/simulator/client/utils/ssl/HttpClientFactoryFacade.java b/pnfsimulator/src/main/java/org/onap/pnfsimulator/simulator/client/utils/ssl/HttpClientFactoryFacade.java new file mode 100644 index 0000000..521b584 --- /dev/null +++ b/pnfsimulator/src/main/java/org/onap/pnfsimulator/simulator/client/utils/ssl/HttpClientFactoryFacade.java 
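Review bot: In `create`, the new `isStrictHostnameVerification()` flag is consulted only on the client-certificate branch; the `createForHttps()` path taken when client certificates are disabled always pairs `createTrustAlways()` with `NoopHostnameVerifier`, so for a plain HTTPS target the server certificate is neither validated nor matched against the hostname whatever the flag says, which is narrower than the commit subject suggests. Either honour the flag there as well — make `createSecuredTrustAlways` take the verifier and pass `new DefaultHostnameVerifier()` when the flag is set, so at least the hostname is checked — or state in a class Javadoc that strict hostname verification applies only when `ssl.clientCertificateEnabled` is true. The parameter of `createSecured` is named `trustAlways` although the same method receives the real mutual-TLS context from `sslContextFactory.create(...)`; `sslContext` would avoid the misleading name. In `logErrorMessage` the message already embeds `e.getCause()` while `e` itself is passed to `LOGGER.error`, so the cause is logged twice.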
@@ -0,0 +1,40 @@
+/*
+ * ============LICENSE_START=======================================================
+ * PNF-REGISTRATION-HANDLER
+ * ================================================================================
+ * Copyright (C) 2020 Nokia. All rights reserved.
+ * ================================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END=========================================================
+ */
+
+package org.onap.pnfsimulator.simulator.client.utils.ssl;
+
+import org.apache.http.client.HttpClient;
+
+import java.io.IOException;
+import java.security.GeneralSecurityException;
+
+public class HttpClientFactoryFacade {
+
+ private HttpClientFactoryFacade() {
+ }
+
+ private static final CertificateReader CERTIFICATE_READER = new CertificateReader();
+ private static final SSLContextFactory SSL_CONTEXT_FACTORY = new SSLContextFactory(CERTIFICATE_READER);
+ private static final HttpClientFactory HTTP_CLIENT_FACTORY = new HttpClientFactory(SSL_CONTEXT_FACTORY);
+
+ public static HttpClient create(String url, SslAuthenticationHelper sslAuthenticationHelper) throws GeneralSecurityException, IOException {
+ return HTTP_CLIENT_FACTORY.create(url, sslAuthenticationHelper);
+ }
+}
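Review bot: `create` is the only public entry point of the new `ssl` package and carries no Javadoc, so a caller cannot tell from the API that the trust and hostname-verification behaviour of the returned client depends on the helper's `clientCertificateEnabled` and `strictHostnameVerification` flags and on the URL scheme. I would add `/** Builds an {@link HttpClient} for {@code url}: with client certificates enabled, mutual TLS from the configured stores (hostname verification per {@code strictHostnameVerification}); otherwise a trust-all client for https URLs and a plain client for http URLs. */`. As a point of style, the three `static final` fields are declared after the private constructor; the conventional order is fields first, then constructors.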
diff --git a/pnfsimulator/src/main/java/org/onap/pnfsimulator/simulator/client/utils/ssl/PasswordConverter.java b/pnfsimulator/src/main/java/org/onap/pnfsimulator/simulator/client/utils/ssl/PasswordConverter.java
new file mode 100644
index 0000000..7a645ae
--- /dev/null
+++ b/pnfsimulator/src/main/java/org/onap/pnfsimulator/simulator/client/utils/ssl/PasswordConverter.java
@@ -0,0 +1,32 @@
+/*
+ * ============LICENSE_START=======================================================
+ * PNF-REGISTRATION-HANDLER
+ * ================================================================================
+ * Copyright (C) 2020 Nokia. All rights reserved.
+ * ================================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END=========================================================
+ */
+
+package org.onap.pnfsimulator.simulator.client.utils.ssl;
+
+import java.util.Optional;
+
+class PasswordConverter {
+ private PasswordConverter() {
+ }
+
+ static char[] convert(String password) {
+ return Optional.ofNullable(password).map(String::toCharArray).orElse(null);
+ }
+}
diff --git a/pnfsimulator/src/main/java/org/onap/pnfsimulator/simulator/client/utils/ssl/SSLContextFactory.java b/pnfsimulator/src/main/java/org/onap/pnfsimulator/simulator/client/utils/ssl/SSLContextFactory.java
new file mode 100644
index 0000000..c4839fb
--- /dev/null
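Review bot: `convert` uses `Optional.ofNullable(...).map(...).orElse(null)` purely as a null check, which is the Optional anti-pattern reviewers usually flag; `return password == null ? null : password.toCharArray();` expresses the same thing directly and drops the `java.util.Optional` import. The null return is load-bearing, because `KeyStore.load` treats a null password differently from an empty `char[]`, so the contract deserves a comment such as `// null (not an empty array) is passed through: KeyStore.load reads null as "no password"`.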
+++ b/pnfsimulator/src/main/java/org/onap/pnfsimulator/simulator/client/utils/ssl/SSLContextFactory.java 
@@ -0,0 +1,54 @@ +/* + * ============LICENSE_START======================================================= + * PNF-REGISTRATION-HANDLER + * ================================================================================ + * Copyright (C) 2020 Nokia. All rights reserved. + * ================================================================================ + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * ============LICENSE_END========================================================= + */ +package org.onap.pnfsimulator.simulator.client.utils.ssl; + +import org.apache.http.conn.ssl.TrustAllStrategy; +import org.apache.http.conn.ssl.TrustSelfSignedStrategy; +import org.apache.http.conn.ssl.TrustStrategy; +import org.apache.http.ssl.SSLContextBuilder; +import org.apache.http.ssl.SSLContexts; + +import javax.net.ssl.SSLContext; +import java.io.IOException; +import java.security.GeneralSecurityException; +import java.security.KeyManagementException; +import java.security.KeyStoreException; +import java.security.NoSuchAlgorithmException; + +class SSLContextFactory { + private static final TrustStrategy TRUST_STRATEGY_ALWAYS = new TrustAllStrategy(); + + private final CertificateReader certificateReader; + + SSLContextFactory(CertificateReader certificateReader) { + this.certificateReader = certificateReader; + } + SSLContext create(SslAuthenticationHelper sslAuthenticationHelper) throws GeneralSecurityException, IOException { + return SSLContexts.custom() + 
.loadKeyMaterial(certificateReader.read(sslAuthenticationHelper.getClientCertificateDir(), sslAuthenticationHelper.getClientCertificatePassword(), "PKCS12"), PasswordConverter.convert(sslAuthenticationHelper.getClientCertificatePassword())) + .loadTrustMaterial(certificateReader.read(sslAuthenticationHelper.getTrustStoreDir(), sslAuthenticationHelper.getTrustStorePassword(), "JKS"), new TrustSelfSignedStrategy()) + .build(); + } + + SSLContext createTrustAlways() throws KeyStoreException, NoSuchAlgorithmException, KeyManagementException { + return SSLContextBuilder.create().loadTrustMaterial(TRUST_STRATEGY_ALWAYS).build(); + } + +} diff --git a/pnfsimulator/src/main/java/org/onap/pnfsimulator/simulator/client/utils/ssl/SslAuthenticationHelper.java b/pnfsimulator/src/main/java/org/onap/pnfsimulator/simulator/client/utils/ssl/SslAuthenticationHelper.java index 1887d37..b785be6 100644 --- a/pnfsimulator/src/main/java/org/onap/pnfsimulator/simulator/client/utils/ssl/SslAuthenticationHelper.java +++ b/pnfsimulator/src/main/java/org/onap/pnfsimulator/simulator/client/utils/ssl/SslAuthenticationHelper.java @@ -2,7 +2,7 @@ * ============LICENSE_START======================================================= * PNF-REGISTRATION-HANDLER * ================================================================================ - * Copyright (C) 2019 Nokia. All rights reserved. + * Copyright (C) 2020 Nokia. All rights reserved. * ================================================================================ * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -37,6 +37,7 @@ import org.springframework.stereotype.Component; public class SslAuthenticationHelper implements Serializable { private boolean clientCertificateEnabled; + private boolean strictHostnameVerification; private String clientCertificateDir; private String clientCertificatePassword; private String trustStoreDir; 
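Review bot: `create` loads the configured truststore but pairs it with `new TrustSelfSignedStrategy()`, which accepts any self-signed server certificate whether or not it is present in the truststore, so the separate truststore for VES that this change introduces does not actually constrain which self-signed certificate the simulator trusts; with `strictHostnameVerification` left at its `false` default nothing else does either. If the VES certificate or its issuing CA is imported into the truststore, `.loadTrustMaterial(certificateReader.read(sslAuthenticationHelper.getTrustStoreDir(), sslAuthenticationHelper.getTrustStorePassword(), "JKS"), null)` limits trust to the configured anchors. The store types `"PKCS12"` and `"JKS"` are hard-coded at the call sites even though `CertificateReader.read` takes the type as a parameter; named constants would at least document them. Style: there is no blank line between the constructor and `create`, and the two long `certificateReader.read(...)` calls would read better as locals named `keyStore` and `trustStore`.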
diff --git a/pnfsimulator/src/main/java/org/onap/pnfsimulator/simulator/client/utils/ssl/SslSupportLevel.java b/pnfsimulator/src/main/java/org/onap/pnfsimulator/simulator/client/utils/ssl/SslSupportLevel.java deleted file mode 100644 index fb3b958..0000000 --- a/pnfsimulator/src/main/java/org/onap/pnfsimulator/simulator/client/utils/ssl/SslSupportLevel.java +++ /dev/null 
@@ -1,125 +0,0 @@ -/* - * ============LICENSE_START======================================================= - * PNF-REGISTRATION-HANDLER - * ================================================================================ - * Copyright (C) 2018 Nokia. All rights reserved. - * ================================================================================ - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - * ============LICENSE_END========================================================= - */ - -package org.onap.pnfsimulator.simulator.client.utils.ssl; - -import org.apache.http.client.HttpClient; -import org.apache.http.client.config.RequestConfig; -import org.apache.http.conn.ssl.NoopHostnameVerifier; -import org.apache.http.conn.ssl.TrustAllStrategy; -import org.apache.http.conn.ssl.TrustSelfSignedStrategy; -import org.apache.http.conn.ssl.TrustStrategy; -import org.apache.http.impl.client.HttpClientBuilder; -import org.apache.http.impl.client.HttpClients; -import org.apache.http.ssl.SSLContextBuilder; -import org.apache.http.ssl.SSLContexts; -import org.slf4j.Logger; -import org.slf4j.LoggerFactory; - -import javax.net.ssl.SSLContext; -import java.io.FileInputStream; -import java.io.IOException; -import java.io.InputStream; -import java.net.MalformedURLException; -import java.net.URL; -import java.security.GeneralSecurityException; -import java.security.KeyStore; -import java.util.Optional; - -public enum SslSupportLevel { - - NONE { - public HttpClient 
getClient(RequestConfig requestConfig, SslAuthenticationHelper sslAuthenticationHelper) { - LOGGER.info(""); - return HttpClientBuilder - .create() - .setDefaultRequestConfig(requestConfig) - .build(); - } - }, - ALWAYS_TRUST { - public HttpClient getClient(RequestConfig requestConfig, SslAuthenticationHelper sslAuthenticationHelper) - throws GeneralSecurityException, IOException { - LoggerFactory.getLogger(SslSupportLevel.class).info(""); - HttpClient client; - try { - SSLContext alwaysTrustSslContext = SSLContextBuilder.create().loadTrustMaterial(TRUST_STRATEGY_ALWAYS).build(); - client = HttpClients.custom() - .setSSLContext(alwaysTrustSslContext) - .setSSLHostnameVerifier(new NoopHostnameVerifier()) - .setDefaultRequestConfig(requestConfig) - .build(); - - } catch (GeneralSecurityException e) { - String errorMessage = - String.format( - "Could not initialize client due to SSL exception: %s. " + - "Default client without SSL support will be used instead." + - "\nCause: %s", - e.getMessage(), - e.getCause() - ); - LOGGER.error(errorMessage, e); - client = NONE.getClient(requestConfig, sslAuthenticationHelper); - } - return client; - } - }, - CLIENT_CERT_AUTH { - @Override - public HttpClient getClient(RequestConfig requestConfig, SslAuthenticationHelper sslAuthenticationHelper) - throws GeneralSecurityException, IOException { - - SSLContext sslContext = SSLContexts.custom() - .loadKeyMaterial(readCertificate(sslAuthenticationHelper.getClientCertificateDir(), sslAuthenticationHelper.getClientCertificatePassword(), "PKCS12"), getPasswordAsCharArray(sslAuthenticationHelper.getClientCertificatePassword())) - .loadTrustMaterial(readCertificate(sslAuthenticationHelper.getTrustStoreDir(), sslAuthenticationHelper.getTrustStorePassword(), "JKS"), new TrustSelfSignedStrategy()) - .build(); - - return HttpClients.custom() - .setSSLContext(sslContext) - .setSSLHostnameVerifier(new NoopHostnameVerifier()) - .setDefaultRequestConfig(requestConfig) - .build(); - } - - private 
KeyStore readCertificate(String certificate, String password, String type) throws GeneralSecurityException, IOException { - try (InputStream keyStoreStream = new FileInputStream(certificate)) { - KeyStore keyStore = KeyStore.getInstance(type); - keyStore.load(keyStoreStream, getPasswordAsCharArray(password)); - return keyStore; - } - } - - private char[] getPasswordAsCharArray(String clientCertificatePassword) { - return Optional.ofNullable(clientCertificatePassword).map(String::toCharArray).orElse(null); - } - }; - - private static final Logger LOGGER = LoggerFactory.getLogger(SslSupportLevel.class); - private static final TrustStrategy TRUST_STRATEGY_ALWAYS = new TrustAllStrategy(); - - public static SslSupportLevel getSupportLevelBasedOnProtocol(String url) throws MalformedURLException { - return "https".equals(new URL(url).getProtocol()) ? SslSupportLevel.ALWAYS_TRUST : SslSupportLevel.NONE; - } - - public abstract HttpClient getClient(RequestConfig config, SslAuthenticationHelper sslAuthenticationHelper) - throws GeneralSecurityException, IOException; - -} diff --git a/pnfsimulator/src/main/resources/application.properties b/pnfsimulator/src/main/resources/application.properties index 6c9ed42..39334d1 100644 --- a/pnfsimulator/src/main/resources/application.properties +++ b/pnfsimulator/src/main/resources/application.properties @@ -11,6 +11,7 @@ management.endpoints.web.base-path=/ management.endpoints.web.exposure.include=refresh,health ssl.clientCertificateEnabled=true +ssl.strictHostnameVerification=${STRICT_HOSTNAME_VERIFICATION:false} ssl.clientCertificateDir=/app/store/cert.p12 ssl.clientCertificatePassword=${CLIENT_CERT_PASS:collector} ssl.trustStoreDir=/app/store/trust.jks diff --git a/pnfsimulator/src/test/java/org/onap/pnfsimulator/simulator/client/utils/ssl/HttpClientFactoryFacadeTest.java b/pnfsimulator/src/test/java/org/onap/pnfsimulator/simulator/client/utils/ssl/HttpClientFactoryFacadeTest.java new file mode 100644 index 0000000..e6d3d03 
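Review bot: `ssl.strictHostnameVerification=${STRICT_HOSTNAME_VERIFICATION:false}` leaves hostname verification off unless a deployer sets the environment variable, while the neighbouring `ssl.clientCertificateEnabled=true` is secure by default. Defaulting to `true` and letting the sanity-check compose files opt out where the certificate does not carry the collector hostname would make the verified path the default; if `false` has to stay for compatibility, a comment such as `# set STRICT_HOSTNAME_VERIFICATION=true whenever the VES certificate contains the collector hostname` would record the trade-off next to the property.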
--- /dev/null
+++ b/pnfsimulator/src/test/java/org/onap/pnfsimulator/simulator/client/utils/ssl/HttpClientFactoryFacadeTest.java
@@ -0,0 +1,35 @@
+/*
+ * ============LICENSE_START=======================================================
+ * PNF-REGISTRATION-HANDLER
+ * ================================================================================
+ * Copyright (C) 2020 Nokia. All rights reserved.
+ * ================================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END=========================================================
+ */
+
+package org.onap.pnfsimulator.simulator.client.utils.ssl;
+
+import org.junit.jupiter.api.Test;
+
+import java.io.IOException;
+import java.security.GeneralSecurityException;
+
+import static org.junit.Assert.assertNotNull;
+
+class HttpClientFactoryFacadeTest {
+ @Test
+ void shouldSuccessfullyCreateHttpClient() throws GeneralSecurityException, IOException {
+ assertNotNull(HttpClientFactoryFacade.create("http://example.com", new SslAuthenticationHelper()));
+ }
+}
diff --git a/pnfsimulator/src/test/java/org/onap/pnfsimulator/simulator/client/utils/ssl/HttpClientFactoryTest.java b/pnfsimulator/src/test/java/org/onap/pnfsimulator/simulator/client/utils/ssl/HttpClientFactoryTest.java
new file mode 100644
index 0000000..c213982
--- /dev/null
+++ b/pnfsimulator/src/test/java/org/onap/pnfsimulator/simulator/client/utils/ssl/HttpClientFactoryTest.java
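Review bot: The test imports JUnit 4's `org.junit.Assert.assertNotNull` while `@Test` comes from JUnit 5 (`org.junit.jupiter.api.Test`); `import static org.junit.jupiter.api.Assertions.assertNotNull;` keeps the file on one framework, and the same mixed import appears in `HttpClientFactoryTest`, whose hunk starts below and runs past this view. The test also relies on the default flags of `new SslAuthenticationHelper()` to reach the plain-http path; an explicit `setClientCertificateEnabled(false)` as in the sibling `HttpClientFactoryTest` would make the intent visible rather than implied by the helper's defaults.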
@@ -0,0 +1,143 @@ +/* + * ============LICENSE_START======================================================= + * PNF-REGISTRATION-HANDLER + * ================================================================================ + * Copyright (C) 2020 Nokia. All rights reserved. + * ================================================================================ + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * ============LICENSE_END========================================================= + */ + +package org.onap.pnfsimulator.simulator.client.utils.ssl; + +import org.hamcrest.CoreMatchers; +import org.junit.jupiter.api.BeforeEach; +import org.junit.jupiter.api.Test; + +import java.io.IOException; +import java.net.MalformedURLException; +import java.security.GeneralSecurityException; +import java.security.KeyStoreException; + +import static org.hamcrest.MatcherAssert.assertThat; +import static org.junit.Assert.assertNotNull; +import static org.junit.jupiter.api.Assertions.assertThrows; +import static org.mockito.ArgumentMatchers.any; +import static org.mockito.Mockito.mock; +import static org.mockito.Mockito.times; +import static org.mockito.Mockito.verify; +import static org.mockito.Mockito.when; + +class HttpClientFactoryTest { + private static final String HTTPS_URL = "https://example.com"; + private static final String HTTP_URL = "http://example.com"; + + private SSLContextFactory sslContextFactoryMock; + private HttpClientFactory httpClientFactory; + private 
SslAuthenticationHelper sslAuthenticationHelper; + + @BeforeEach + public void setup() { + sslContextFactoryMock = mock(SSLContextFactory.class); + httpClientFactory = new HttpClientFactory(sslContextFactoryMock); + sslAuthenticationHelper = new SslAuthenticationHelper(); + } + + @Test + void shouldCreateHttpsClient_whenClientCertificationDisabled() throws GeneralSecurityException, IOException { + // given + sslAuthenticationHelper.setClientCertificateEnabled(false); + + // when + final var httpClient = httpClientFactory.create(HTTPS_URL, sslAuthenticationHelper); + + // then + assertNotNull(httpClient); + verifySslContextFactoryMockCalls(0, 1); + } + + @Test + void shouldCreateHttpsClient_whenClientCertificationDisabled_AndCannotCreateTrustAlwaysSslContext() throws GeneralSecurityException, IOException { + // given + sslAuthenticationHelper.setClientCertificateEnabled(false); + when(sslContextFactoryMock.createTrustAlways()).thenThrow(KeyStoreException.class); + + // when + final var httpClient = httpClientFactory.create(HTTPS_URL, sslAuthenticationHelper); + + // then + assertNotNull(httpClient); + verifySslContextFactoryMockCalls(0, 1); + } + + @Test + void shouldCreateHttpClient_whenClientCertificationDisabled() throws GeneralSecurityException, IOException { + // given + sslAuthenticationHelper.setClientCertificateEnabled(false); + + // when + final var httpClient = httpClientFactory.create(HTTP_URL, sslAuthenticationHelper); + + // then + assertNotNull(httpClient); + verifySslContextFactoryMockCalls(0, 0); + } + + + @Test + void shouldCreateHttpClient_whenClientCertificationAndStrictHostnameVerificationAreEnabled() throws GeneralSecurityException, IOException { + // given + sslAuthenticationHelper.setClientCertificateEnabled(true); + sslAuthenticationHelper.setStrictHostnameVerification(true); + + // when + final var httpClient = httpClientFactory.create(HTTP_URL, sslAuthenticationHelper); + + // then + assertNotNull(httpClient); + 
verifySslContextFactoryMockCalls(1, 0); + } + + @Test + void shouldCreateHttpClient_whenClientCertificationEnabledAndStrictHostnameVerificationDisabled() throws GeneralSecurityException, IOException { + // given + sslAuthenticationHelper.setClientCertificateEnabled(true); + sslAuthenticationHelper.setStrictHostnameVerification(false); + + // when + final var httpClient = httpClientFactory.create(HTTP_URL, sslAuthenticationHelper); + + // then + assertNotNull(httpClient); + verifySslContextFactoryMockCalls(1, 0); + } + + @Test + void shouldThrowMalformedURLException_whenInvalidUrl() throws GeneralSecurityException, IOException { + // given + var invalidUrl = "invalid"; + + // when + final var exception = assertThrows(MalformedURLException.class, + () -> httpClientFactory.create(invalidUrl, sslAuthenticationHelper)); + + // then + assertThat(exception.getMessage(), CoreMatchers.containsString("invalid")); + } + + private void verifySslContextFactoryMockCalls(int createCalls, int createTrustAlwaysCalls) throws GeneralSecurityException, IOException { + verify(sslContextFactoryMock, times(createCalls)).create(any()); + verify(sslContextFactoryMock, times(createTrustAlwaysCalls)).createTrustAlways(); + } + +} diff --git a/pnfsimulator/src/test/java/org/onap/pnfsimulator/simulator/client/utils/ssl/PasswordConverterTest.java b/pnfsimulator/src/test/java/org/onap/pnfsimulator/simulator/client/utils/ssl/PasswordConverterTest.java new file mode 100644 index 0000000..fddfc5f --- /dev/null +++ b/pnfsimulator/src/test/java/org/onap/pnfsimulator/simulator/client/utils/ssl/PasswordConverterTest.java 
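Review bot: The two strict-hostname tests (`..._whenClientCertificationAndStrictHostnameVerificationAreEnabled` and `..._whenClientCertificationEnabledAndStrictHostnameVerificationDisabled`) both use `HTTP_URL` and make the identical assertion `verifySslContextFactoryMockCalls(1, 0)`, so nothing in this suite pins the behaviour the commit subject advertises — a factory that wired a no-op hostname verifier regardless of the flag would pass unchanged. Use `HTTPS_URL` in those cases and assert on what differs between them (the hostname verifier the client is built with, if `HttpClientFactory` exposes it, or at minimum a distinct interaction per case); the factory itself is outside this hunk, so I cannot say which observable is available. `..._AndCannotCreateTrustAlwaysSslContext` also codifies that a `KeyStoreException` from `createTrustAlways()` is swallowed and a client is still returned; if that fallback is deliberate, say so on the test, e.g. `// the factory is expected to fall back to a client without the trust-all context rather than fail`, because otherwise a caller silently gets an HTTPS client whose trust settings are not the ones it configured. Minor: `shouldThrowMalformedURLException_whenInvalidUrl` declares `throws GeneralSecurityException, IOException` it cannot throw, and `assertNotNull` comes from JUnit 4's `org.junit.Assert` in a Jupiter test.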
@@ -0,0 +1,44 @@ +/* + * ============LICENSE_START======================================================= + * PNF-REGISTRATION-HANDLER + * ================================================================================ + * Copyright (C) 2020 Nokia. All rights reserved. + * ================================================================================ + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * ============LICENSE_END========================================================= + */ + +package org.onap.pnfsimulator.simulator.client.utils.ssl; + +import org.junit.jupiter.api.Test; + +import static org.junit.jupiter.api.Assertions.assertArrayEquals; +import static org.junit.jupiter.api.Assertions.assertNull; + +class PasswordConverterTest { + + @Test + void shouldSuccessfullyConvert() { + // given, when + final char[] result = PasswordConverter.convert("sw ./#%"); + + // then + assertArrayEquals(new char[]{'s', 'w', ' ', '.', '/', '#', '%'}, result); + } + + @Test + void shouldReturnNull_whenNullPasswordUsed() { + // given, when, then + assertNull(PasswordConverter.convert(null)); + } +} diff --git a/pnfsimulator/src/test/java/org/onap/pnfsimulator/simulator/client/utils/ssl/SSLContextFactoryTest.java b/pnfsimulator/src/test/java/org/onap/pnfsimulator/simulator/client/utils/ssl/SSLContextFactoryTest.java new file mode 100644 index 0000000..8e82706 --- /dev/null 
+++ b/pnfsimulator/src/test/java/org/onap/pnfsimulator/simulator/client/utils/ssl/SSLContextFactoryTest.java 
@@ -0,0 +1,60 @@ +/* + * ============LICENSE_START======================================================= + * PNF-REGISTRATION-HANDLER + * ================================================================================ + * Copyright (C) 2020 Nokia. All rights reserved. + * ================================================================================ + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * ============LICENSE_END========================================================= + */ + +package org.onap.pnfsimulator.simulator.client.utils.ssl; + +import org.junit.jupiter.api.BeforeEach; +import org.junit.jupiter.api.Test; + +import java.io.IOException; +import java.security.GeneralSecurityException; + +import static org.junit.jupiter.api.Assertions.assertNotNull; +import static org.mockito.ArgumentMatchers.any; +import static org.mockito.Mockito.mock; +import static org.mockito.Mockito.times; +import static org.mockito.Mockito.verify; + +class SSLContextFactoryTest { + private CertificateReader certificateReaderMock; + private SSLContextFactory sslContextFactory; + + @BeforeEach + void setup() { + certificateReaderMock = mock(CertificateReader.class); + sslContextFactory = new SSLContextFactory(certificateReaderMock); + } + + @Test + void shouldSuccessfullyCreateTrustAlwaysSSLContext() throws GeneralSecurityException, IOException { + // given, when, then + assertNotNull(sslContextFactory.createTrustAlways()); + verify(certificateReaderMock, 
times(0)).read(any(), any(), any()); + } + + @Test + void shouldSuccessfullyCreateSSLContext() throws GeneralSecurityException, IOException { + // given, when, then + assertNotNull(sslContextFactory.create(new SslAuthenticationHelper())); + verify(certificateReaderMock, times(2)).read(any(), any(), any()); + } + +} + diff --git a/pnfsimulator/src/test/java/org/onap/pnfsimulator/simulator/client/utils/ssl/SslSupportLevelTest.java b/pnfsimulator/src/test/java/org/onap/pnfsimulator/simulator/client/utils/ssl/SslSupportLevelTest.java deleted file mode 100644 index 3a7dbf2..0000000 --- a/pnfsimulator/src/test/java/org/onap/pnfsimulator/simulator/client/utils/ssl/SslSupportLevelTest.java +++ /dev/null 
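Review bot: `shouldSuccessfullyCreateSSLContext` runs `create()` against a Mockito mock whose `read(...)` returns Mockito's default (null) on every call, so what it actually proves is that the factory tolerates a null result from `CertificateReader` twice, not that a keystore and truststore are loaded from the helper's paths; renaming it along the lines of `shouldCreateSSLContext_whenReaderReturnsNothing`, or stubbing `read` with a real in-memory `KeyStore`, would make the intent explicit. No case covers the reader failing, even though the class declares `GeneralSecurityException`/`IOException` and HttpClientFactoryTest stubs exactly such failures on this factory; add `when(certificateReaderMock.read(any(), any(), any())).thenThrow(new IOException("boom"));` followed by `assertThrows(IOException.class, () -> sslContextFactory.create(new SslAuthenticationHelper()));`. A one-line comment on `shouldSuccessfullyCreateTrustAlwaysSSLContext` such as `// trust-always disables server certificate validation; only acceptable for local sanity checks` would keep readers from treating that factory method as a safe default.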
@@ -1,52 +0,0 @@ -/* - * ============LICENSE_START======================================================= - * PNF-REGISTRATION-HANDLER - * ================================================================================ - * Copyright (C) 2018 Nokia. All rights reserved. - * ================================================================================ - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - * ============LICENSE_END========================================================= - */ - -package org.onap.pnfsimulator.simulator.client.utils.ssl; - -import org.junit.jupiter.api.Test; - -import java.net.MalformedURLException; - -import static org.junit.jupiter.api.Assertions.assertEquals; -import static org.junit.jupiter.api.Assertions.assertThrows; - -class SslSupportLevelTest { - - private static final String HTTPS_URL = "https://127.0.0.1:8443/"; - private static final String HTTP_URL = "http://127.0.0.1:8080/"; - - @Test - void testShouldReturnAlwaysTrustSupportLevelForHttpsUrl() throws MalformedURLException { - SslSupportLevel actualSupportLevel = SslSupportLevel.getSupportLevelBasedOnProtocol(HTTPS_URL); - assertEquals(SslSupportLevel.ALWAYS_TRUST, actualSupportLevel); - } - - @Test - void testShouldReturnNoneSupportLevelForHttpUrl() throws MalformedURLException { - SslSupportLevel actualSupportLevel = SslSupportLevel.getSupportLevelBasedOnProtocol(HTTP_URL); - assertEquals(SslSupportLevel.NONE, actualSupportLevel); - } - - @Test - void 
testShouldRaiseExceptionWhenInvalidUrlPassed() {
- assertThrows(MalformedURLException.class, () -> SslSupportLevel.getSupportLevelBasedOnProtocol("http://bla:VES-PORT/"));
- }
-
-}
diff --git a/sanitycheck/events/vesAddressConfiguration.json b/sanitycheck/events/vesAddressConfiguration.json
index 9c6aa22..ad4e3df 100644
--- a/sanitycheck/events/vesAddressConfiguration.json
+++ b/sanitycheck/events/vesAddressConfiguration.json
@@ -1,3 +1,3 @@
 {
- "vesServerUrl": "http://172.17.0.1:8080/eventListener/v7"
+ "vesServerUrl": "https://ves:8443/eventListener/v7"
 }
diff --git a/sanitycheck/pnfsimulator-secured/Makefile b/sanitycheck/pnfsimulator-secured/Makefile
deleted file mode 100644
index 3783fbe..0000000
--- a/sanitycheck/pnfsimulator-secured/Makefile
+++ /dev/null
@@ -1,57 +0,0 @@ -default: - @echo "There is no default target. Use: make " - -start-ejbca: --run-ejbca-container --wait-for-ejbca --configure-ejbca - -start-pnfsim-with-certservice-certs: --create-certservice-internal-certs --create-client-volume --run-certservice-and-pnfsim-containers - -start-local-secured-ves: - docker-compose -f docker-compose-ves.yml up - -start-pnfsim-with-certman-certs: - docker-compose -f docker-compose-certman.yml up - -clean-pnfsim-with-certman-setup: - docker-compose -f docker-compose-certman.yml down - -clean-pnfsim-with-certservice-setup: --clean-certservice-internal-certs --clean-client-volume - docker rm -f oomcert-ejbca || true - docker-compose -f docker-compose-certservice.yml down - docker-compose -f docker-compose-ves.yml down - ---run-ejbca-container: - docker run \ - -d \ - --rm \ - --name oomcert-ejbca \ - --hostname cahostname \ - -p 80:8080 \ - -p 443:8443 \ - --volume `pwd`/certservice/ejbca-resources/ejbca-configuration.sh:/opt/primekey/scripts/ejbca-configuration.sh \ - --health-cmd "curl -kI https://localhost:8443/ejbca/publicweb/healthcheck/ejbcahealth" \ - --health-interval 10s \ - --health-timeout 3s \ - --health-retries 15 \ - primekey/ejbca-ce:6.15.2.5 - ---configure-ejbca: - docker exec oomcert-ejbca /opt/primekey/scripts/ejbca-configuration.sh - ---create-client-volume: - mkdir -p ./certservice/client-resources/client-volume -m 777 - ---run-certservice-and-pnfsim-containers: - docker-compose -f docker-compose-certservice.yml up - ---create-certservice-internal-certs: - make -C certservice/certs all - ---clean-certservice-internal-certs: - make -C certservice/certs clear - ---clean-client-volume: - rm -rf certservice/client-resources/client-volume - ---wait-for-ejbca: - @echo 'Waiting for EJBCA...' - until docker container inspect oomcert-ejbca | grep '"Status": "healthy"'; do sleep 3; done 
diff --git a/sanitycheck/pnfsimulator-secured/README.md b/sanitycheck/pnfsimulator-secured/README.md index 6a2cb37..3acaf1c 100644 --- a/sanitycheck/pnfsimulator-secured/README.md +++ b/sanitycheck/pnfsimulator-secured/README.md 
@@ -1,236 +1,11 @@ -Standalone PNF Simulator configuration for HTTPS communication to VES +Standalone PNF Simulator configuration for HTTPS communication with VES ------------------------ -### General description +This directory contains files for secured PNF Simulator deployments, which will use certificates for HTTPS communication with VES. -Makefile in sanitycheck/pnfsimulator-secured is an interface for deployment of PNF simulator with fetching certs from -chosen source. - -Makefile offers functionalities that allows to: - - * Run PNF simulator with fetching certs from AAF Certman - * Run PNF simulator with fetching certs from OOM Certservice (CMPv2) - -## Fetching from AAF Certman -### Description - -docker-compose-certman.yml prepares PNF simulator container for HTTPS communication with VES. - -When docker-compose starts certs-init container fills connected volume with certificates, truststores, keystores, -passwords etc. Next pnf-simulator container starts and connects to the same volume. On startup it should read password -values from proper files and set them in system environment variables. With these variables and files in volume -application is ready to work on HTTPS. - -### Prerequisites - -1. certs-init container works with external AAF on cloud. Due to that fact it must have set correct IPs to workers that -has access to AAF. In docker-compose.yml fields with mentioned IPs are: - - * aaf-locate.onap - * aaf-cm.onap - * aaf-service.onap - -### Start - -**ATTENTION** - -Proper IPs to AAF must be set in the docker-compose-certman.yml before start (as described in prerequisites)! - -``` -make start-pnfsim-with-certman-certs -``` - -### Send event - -**ATTENTION** - -``sanitycheck/events/eventToVes.json`` file which is request for sending event to VES must have correct ``vesServerURL`` -field before sending event. -IP of ``vesServerURL`` should be the same as given in docker-compose-certman.yml in ``aaf-locate.onap`` field. 
-To use secured connection remember about setting protocol to https:// and port to proper secured port of VES. - -To send event from PNF simulator to VES use this command from ``pnf-simulator/sanitycheck`` directory: - -```` -make generate-event -```` - -Sample ``sanitycheck/events/eventToVes.json`` file content is: - -```json -{ - "vesServerUrl": "https://10.183.35.177:30417/eventListener/v7", - "event": { - "event": { - "commonEventHeader": { - "version": "4.0.1", - "vesEventListenerVersion": "7.0.1", - "domain": "fault", - "eventName": "Fault_Vscf:Acs-Ericcson_PilotNumberPoolExhaustion", - "eventId": "fault0000245", - "sequence": 1, - "priority": "High", - "reportingEntityId": "cc305d54-75b4-431b-adb2-eb6b9e541234", - "reportingEntityName": "ibcx0001vm002oam001", - "sourceId": "de305d54-75b4-431b-adb2-eb6b9e546014", - "sourceName": "scfx0001vm002cap001", - "nfVendorName": "Ericsson", - "nfNamingCode": "scfx", - "nfcNamingCode": "ssc", - "startEpochMicrosec": 1413378172000000, - "lastEpochMicrosec": 1413378172000000, - "timeZoneOffset": "UTC-05:30" - }, - "faultFields": { - "faultFieldsVersion": "4.0", - "alarmCondition": "PilotNumberPoolExhaustion", - "eventSourceType": "other", - "specificProblem": "Calls cannot complete - pilot numbers are unavailable", - "eventSeverity": "CRITICAL", - "vfStatus": "Active", - "alarmAdditionalInformation": { - "PilotNumberPoolSize": "1000" - } - } - } - } -} -``` - -### Stop -To remove pnf-simulator containers use: -``` -make clean-pnfsim-with-certman-setup -``` - -## Fetching certificates from OOM Certservice (CMPv2) -### Description - -Running Makefile with Certservice target will start the following flow: - -1. Create certificates that will be used for internal communication between Certservice and Certservice-client. - Generated internal certificates should be present in sanitycheck/pnfsimulator-secured/certservice/certs directory. - -2. Run docker-compose-certservice.yml that creates: - - 2.1. 
Certservice container with mounted previously generated certificates. - - 2.2. Certservice-client with mounted internal certificates as well. This containers requests Certservice for - Certificates that will be used by PNF simulator in HTTPS connection. Before closing of container it saves - these certs in locally mounted volume in - sanitycheck/pnfsimulator-secured/certservice/client-resources/client-volume +Currently, there are two ways for PNF Simulator to fetch certificates: +* Using AAF Certman +* Using OOM CertService (CMPv2) - 2.3. PNF simulator that has mounted certificates from client. Before starting the simulator itself, names of certs - files are changed to fit the PNF simulator configuration. - -### Prerequisites - - -##### EJBCA configuration -Certservice container will try to connect to EJBCA on docker-compose-certservice.yml startup to fetch certs. -Whole connection configuration to EJBCA server must be done before start in file -sanitycheck/pnfsimulator-secured/certservice/certservice-resources/cmpServers.json. - -EJBCA might be deployed locally or externally. Described in this README Makefile has a target that runs configured EJBCA -container locally. To run that target use: - -``` -make start-ejbca -``` - - -Configuration of cmpServers.json for this local EJBCA container should be: -```json -{ - "cmpv2Servers": [ - { - "caName": "Client", - "url": "http://:80/ejbca/publicweb/cmp/cmp", - "issuerDN": "CN=ManagementCA", - "caMode": "CLIENT", - "authentication": { - "iak": "mypassword", - "rv": "mypassword" - } - }, - { - "caName": "RA", - "url": "http://:80/ejbca/publicweb/cmp/cmpRA", - "issuerDN": "CN=ManagementCA", - "caMode": "RA", - "authentication": { - "iak": "mypassword", - "rv": "mypassword" - } - } - ] -} -``` -``docker0_network_ip`` might be found when running `ifconfig docker0` next to `inet` field. 
- -### Start - -**ATTENTION** - -Remember that before starting certservice, the EJBCA server must run, be properly configured and -sanitycheck/pnfsimulator-secured/certservice/certservice-resources/cmpServers.json must be set correctly. - -For more info read _prerequisites_ section. - -``` -make start-pnfsim-with-certservice-certs -``` - -### Send event - -##### VES collector - -Destination VES collector should use certificate generated from the same CMPv2 server for successful HTTPS -communication. There is local deployment of VES (with DMAAP simulator) to be used from Makefile that -uses certificates generated by the same CMPv2 server as PNF simulator uses. - -##### VES collector local deployment prerequisites - -By default the image of VES from Nexus supports only HTTP communication. Local image with enabled HTTPS must be -build to use local VES as PNF simulator destination. - -1. Pull VES repository -2. In `/etc/collector.properties` file set field `auth.method=certBasicAuth` -3. Build local image: `mvn clean install docker:build` from VES project root directory. - -VES deployment from Makefile uses also DMAAP simulator. Its image should be built locally as well. -1. Go to `sanitycheck/dmaap-simulator` directory -2. Run: `make build` - -If you want to use that VES + DMAAP simulator deployment enter: -``` -make start-local-secured-ves -``` - -**ATTENTION** - -Before sending an event to VES, the correct VES server URL must be passed to -``sanitycheck/events/vesAddressConfiguration.json`` file in field ``vesServerURL``. - -For local VES, `vesServerURL` should have value: ``https://:8444/eventListener/v7``. -``docker0_network_ip`` might be found when running `ifconfig docker0` next to `inet` field. 
- -To reconfigure PNF simulator to use -new URL use this command from ``pnf-simulator/sanitycheck`` directory: -``` -make reconfigure-ves-url -``` - - -To send event from PNF simulator to VES use this command from ``pnf-simulator/sanitycheck`` directory: - -``` -make generate-event -``` - -### Stop +Both ways are described in `certman` and `certservice` directories respectively -To clean all generated certificates, remove pnf-simulator, certservice, ejbca and ves containers use: -``` -make clean-pnfsim-with-certservice-certs -``` \ No newline at end of file diff --git a/sanitycheck/pnfsimulator-secured/certman/Makefile b/sanitycheck/pnfsimulator-secured/certman/Makefile new file mode 100644 index 0000000..b46efda --- /dev/null +++ b/sanitycheck/pnfsimulator-secured/certman/Makefile @@ -0,0 +1,8 @@ +default: + @echo "There is no default target. Use: make " + +start-pnfsim: + docker-compose -f docker-compose.yml up + +clean-pnfsim: + docker-compose -f docker-compose.yml down diff --git a/sanitycheck/pnfsimulator-secured/certman/README.md b/sanitycheck/pnfsimulator-secured/certman/README.md new file mode 100644 index 0000000..c0bab32 --- /dev/null +++ b/sanitycheck/pnfsimulator-secured/certman/README.md 
@@ -0,0 +1,91 @@ +## Fetching from AAF Certman +This readme describes how to run PNF Simulator with certificates fetched using AAF Certman + +### Description + +docker-compose.yml prepares PNF simulator container for HTTPS communication with VES. + +When docker-compose starts certs-init container fills connected volume with certificates, truststores, keystores, +passwords etc. Next pnf-simulator container starts and connects to the same volume. On startup it should read password +values from proper files and set them in system environment variables. With these variables and files in volume +application is ready to work on HTTPS. + +### Prerequisites + +certs-init container works with external AAF on cloud. Due to that fact it must have set correct IPs to workers that +has access to AAF. In docker-compose.yml fields with mentioned IPs are: + + * aaf-locate.onap + * aaf-cm.onap + * aaf-service.onap + +### Start + +Run PNF Simulator: + +``` +make start-pnfsim +``` + +### Send event + +**ATTENTION** + +``sanitycheck/events/eventToVes.json`` file which is request for sending event to VES must have correct ``vesServerURL`` +field before sending event. +IP of ``vesServerURL`` should be the same as given in docker-compose-certman.yml in ``aaf-locate.onap`` field. +To use secured connection remember about setting protocol to https:// and port to proper secured port of VES. 
+ +To send event from PNF simulator to VES use this command from ``pnf-simulator/sanitycheck`` directory: + +```` +make generate-event +```` + +Sample ``sanitycheck/events/eventToVes.json`` file content is: + +```json +{ + "vesServerUrl": "https://10.183.35.177:30417/eventListener/v7", + "event": { + "event": { + "commonEventHeader": { + "version": "4.0.1", + "vesEventListenerVersion": "7.0.1", + "domain": "fault", + "eventName": "Fault_Vscf:Acs-Ericcson_PilotNumberPoolExhaustion", + "eventId": "fault0000245", + "sequence": 1, + "priority": "High", + "reportingEntityId": "cc305d54-75b4-431b-adb2-eb6b9e541234", + "reportingEntityName": "ibcx0001vm002oam001", + "sourceId": "de305d54-75b4-431b-adb2-eb6b9e546014", + "sourceName": "scfx0001vm002cap001", + "nfVendorName": "Ericsson", + "nfNamingCode": "scfx", + "nfcNamingCode": "ssc", + "startEpochMicrosec": 1413378172000000, + "lastEpochMicrosec": 1413378172000000, + "timeZoneOffset": "UTC-05:30" + }, + "faultFields": { + "faultFieldsVersion": "4.0", + "alarmCondition": "PilotNumberPoolExhaustion", + "eventSourceType": "other", + "specificProblem": "Calls cannot complete - pilot numbers are unavailable", + "eventSeverity": "CRITICAL", + "vfStatus": "Active", + "alarmAdditionalInformation": { + "PilotNumberPoolSize": "1000" + } + } + } + } +} +``` + +### Stop +To remove pnf-simulator containers use: +``` +make clean-pnfsim +``` diff --git a/sanitycheck/pnfsimulator-secured/certman/docker-compose.yml b/sanitycheck/pnfsimulator-secured/certman/docker-compose.yml new file mode 100644 index 0000000..5b40a09 --- /dev/null +++ b/sanitycheck/pnfsimulator-secured/certman/docker-compose.yml 
@@ -0,0 +1,71 @@ +version: '3' + +networks: + tls-init-network: + +volumes: + certs-volume: + +services: + certs-init: + image: nexus3.onap.org:10001/onap/org.onap.dcaegen2.deployments.tls-init-container:2.1.0 + extra_hosts: + #set worker IP with access to AAF + aaf-locate.onap: #for example 10.183.35.177 + aaf-cm.onap: #for example 10.183.35.177 + aaf-service.onap: #for example 10.183.35.177 + environment: + - aaf_locate_url=https://aaf-locate.onap:31111 + - aaf_url_cm=https://aaf-cm.onap:31114 + - aaf_url=https://aaf-service.onap:31110 + networks: + - tls-init-network + volumes: + - certs-volume:/opt/app/osaaf + mongo: + image: mongo + restart: always + environment: + MONGO_INITDB_ROOT_USERNAME: root + MONGO_INITDB_ROOT_PASSWORD: zXcVbN123! + MONGO_INITDB_DATABASE: pnf_simulator + networks: + - tls-init-network + volumes: + - ../../../pnfsimulator/db:/docker-entrypoint-initdb.d + ports: + - "27017:27017" + + mongo-express: + image: mongo-express + restart: always + ports: + - 8081:8081 + networks: + - tls-init-network + environment: + ME_CONFIG_MONGODB_ADMINUSERNAME: root + ME_CONFIG_MONGODB_ADMINPASSWORD: zXcVbN123! + + pnf-simulator: + image: nexus3.onap.org:10001/onap/org.onap.integration.simulators.pnfsimulator + ports: + - "5000:5000" + command: bash -c " + while [[ $$(ls -1 /app/store | wc -l) != '10' ]]; do echo 'Waiting for certs...'; sleep 3; done + && export CLIENT_CERT_PASS=$$(cat /app/store/p12.pass) + && export TRUST_CERT_PASS=$$(cat /app/store/trust.pass) + && java -Dspring.config.location=file:/app/application.properties -cp /app/libs/*:/app/pnf-simulator.jar org.onap.pnfsimulator.Main + " + volumes: + - ../../../pnfsimulator/logs:/var/log + - ../../../pnfsimulator/templates:/app/templates + - ../../../pnfsimulator/src/main/resources/application.properties:/app/application.properties + - certs-volume:/app/store + networks: + - tls-init-network + restart: on-failure + depends_on: + - certs-init + - mongo + - mongo-express 
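Review bot: The Mongo root password `zXcVbN123!` is committed in clear text twice (`MONGO_INITDB_ROOT_PASSWORD` and `ME_CONFIG_MONGODB_ADMINPASSWORD`), and both `27017` and mongo-express on `8081` are published on every interface with nothing in front of mongo-express, so anyone who can reach the host gets root on the simulator database. For a sanity-check setup on a private workstation that is presumably tolerable, but the ports should be bound to loopback — `- "127.0.0.1:27017:27017"` and `- "127.0.0.1:8081:8081"` — and the password moved to a `.env`/`${MONGO_ROOT_PASSWORD}` substitution so it does not live in the repo; mongo-express also supports a basic-auth username/password pair that should be set whenever the port must stay exposed. The `pnf-simulator` start command waits for exactly `10` entries in `/app/store`, which hangs forever if the tls-init image ever writes a different number; waiting for the specific files read afterwards (`p12.pass`, `trust.pass`) would be more robust, and a short comment saying why 10 is the expected count would help the next maintainer.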
diff --git a/sanitycheck/pnfsimulator-secured/certservice/Makefile b/sanitycheck/pnfsimulator-secured/certservice/Makefile
new file mode 100644
index 0000000..aea8477
--- /dev/null
+++ b/sanitycheck/pnfsimulator-secured/certservice/Makefile
@@ -0,0 +1,56 @@
+default:
+ @echo "There is no default target. Use: make "
+
+setup-env: --start-certservice-and-ejbca --run-certservice-clients --start-local-secured-ves
+
+start-pnfsim:
+ docker-compose -f docker-compose-pnfsim.yml up
+
+restart-pnfsim: --clean-pnfsim start-pnfsim
+
+clean-all: --clean-pnfsim --clean-env
+
+
+
+--start-certservice-and-ejbca: --create-certservice-internal-certs --start-certservice-ejbca-containers --configure-ejbca
+
+--start-certservice-ejbca-containers:
+ docker-compose -f docker-compose-certservice-ejbca.yml up -d
+
+--create-certservice-internal-certs:
+ make -C resources/certs all
+
+--configure-ejbca: --wait-for-ejbca --run-ejbca-script
+
+--wait-for-ejbca:
+ @echo 'Waiting for EJBCA... It may take a minute or two'
+ until docker container inspect oomcert-ejbca | grep '"Status": "healthy"'; do sleep 3; done
+
+--run-ejbca-script:
+ docker exec oomcert-ejbca /opt/primekey/scripts/ejbca-configuration.sh
+
+--run-certservice-clients: --create-client-volumes
+ docker-compose -f docker-compose-certservice-clients.yml up -d
+ @echo 'Waiting for client certifiactes...'
+ @until ls -1 ./resources/certservice-client/client-volume-for-pnfsim | grep "store" 1>/dev/null; do sleep 3; done
+ @until ls -1 ./resources/certservice-client/client-volume-for-ves | grep "store" 1>/dev/null; do sleep 3; done
+
+--create-client-volumes:
+ mkdir -p ./resources/certservice-client/client-volume-for-pnfsim -m 777
+ mkdir -p ./resources/certservice-client/client-volume-for-ves -m 777
+
+--start-local-secured-ves:
+ docker-compose -f docker-compose-ves-dmaap.yml up
+
+--clean-pnfsim:
+ docker-compose -f docker-compose-pnfsim.yml down
+ rm -rf ./resources/certservice-client/client-volume-for-pnfsim/cert.p12 || true
+ rm -rf ./resources/certservice-client/client-volume-for-pnfsim/trust.jks || true
+
+--clean-env:
+ docker-compose -f docker-compose-ves-dmaap.yml down
+ docker-compose -f docker-compose-certservice-clients.yml down
+ rm -rf ./resources/certservice-client/client-volume-for-pnfsim || true
+ rm -rf ./resources/certservice-client/client-volume-for-ves || true
+ docker-compose -f docker-compose-certservice-ejbca.yml down
+ make -C resources/certs clear
diff --git a/sanitycheck/pnfsimulator-secured/certservice/README.md b/sanitycheck/pnfsimulator-secured/certservice/README.md
new file mode 100644
index 0000000..16a4793
--- /dev/null
+++ b/sanitycheck/pnfsimulator-secured/certservice/README.md
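Review bot: `--create-client-volumes` creates the directories that later receive the clients' private key material (the `cert.p12`/`trust.jks` that `--clean-pnfsim` deletes, and whatever the VES client writes) with `-m 777`, so any local user can replace the keystore the simulator and VES will load; use `-m 770` (or the default umask plus a `chown` to the uid the client container runs as) and, if world-writable really is required because of the container uid, say so in a comment next to the `mkdir`. The two `@until ls ... | grep "store" ...; do sleep 3; done` loops in `--run-certservice-clients` have no upper bound, so a failing certservice client leaves `make setup-env` spinning silently; bound them, e.g. `for i in $$(seq 1 60); do ls ./resources/certservice-client/client-volume-for-pnfsim | grep -q store && break; sleep 3; done`, and fail the target when the retries run out. Also `certifiactes` in the echo is misspelled.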
@@ -0,0 +1,81 @@ +## Fetching certificates from OOM CertService (CMPv2) +This readme describes how to run PNF Simulator with certificates fetched using OOM CertService (CMPv2) + +### Description + +Using Makefile in this directory following can be achieved: + +* Setup environment for PNF Simulator, i.e.: + * Create certificates that will be used for internal communication between CertService and CertService Clients. + Generated internal certificates should be present in `resources/certs` directory. + * Start and configure EJBCA + * Start and configure AAF Cert Service. + * Run Cert Service Clients to fetch certificates for VES and PNF Simulator. Certificates will be stored for the components +in `resources/certservice-client/client-volume-for-ves` and `resources/certservice-client/client-volume-for-pnfsim` accordingly. + * Start VES and DMaaP Simulator. Fetched certificates will be mounted to VES. + +* Start PNF Simulator. Fetched certificates will be mounted to PNF Simulator. +* Clean up. + +### Prerequisites +##### VES collector local deployment prerequisites + +By default, the image of VES from Nexus supports only HTTP communication. A local image with enabled HTTPS must be +build to use local VES as PNF simulator destination. + +1. Pull VES repository +2. In `/etc/collector.properties` file set field `auth.method=certBasicAuth` +3. Build a local image: `mvn clean install docker:build` from VES project root directory. + +Local VES deployment uses also DMaaP simulator. Its image should be built locally as well. +1. Go to `sanitycheck/dmaap-simulator` directory +2. 
Run: `make build` + + + +### Setup environment +To set up whole environment for PNF Simulator, i.e.: +- deploy and configure EJBCA +- deploy Cert Service +- fetch certificates for VES and PNF Simulator using Cert Service clients +- run DMaaP Simulator +- run VES with fetched certificates + +execute: +```` +make setup-env +```` +Note that this command setups whole environment besides PNF Simulator itself. + +## Run PNF Simulator +To run PNF Simulator execute: +```` +make start-pnfsim +```` +This command starts PNF Simulator with certificates fetched using CertService (certificates are fetched in the previous step) + +### Send event + +Configure PNF simulator to use proper VES URL by executing this command from ``pnf-simulator/sanitycheck`` directory: +``` +make reconfigure-ves-url +``` + + +Send an event from PNF simulator to VES by executing this command from ``pnf-simulator/sanitycheck`` directory: +``` +make generate-event +``` + +### Restart PNF Simulator + +To restart only PNF Simulator execute: +``` +make restart-pnfsim +``` + +### Clean up +To clean all generated certificates, remove PNF Simulator, CertService, EJBCA, VES and DMaaP Simulator containers: +``` +make clean-all +``` diff --git a/sanitycheck/pnfsimulator-secured/certservice/certs/Makefile b/sanitycheck/pnfsimulator-secured/certservice/certs/Makefile deleted file mode 100644 index 507a23c..0000000 --- a/sanitycheck/pnfsimulator-secured/certservice/certs/Makefile +++ /dev/null 
@@ -1,109 +0,0 @@ -all: clear step_1 step_2 step_3 step_4 step_5 step_6 step_7 step_8 step_9 step_10 step_11 step_12 step_13 step_14 step_15 -.PHONY: all -#Clear certificates -clear: - @echo "Clear certificates" - rm -f certServiceClient-keystore.jks certServiceServer-keystore.jks root.crt truststore.jks certServiceServer-keystore.p12 root-keystore.jks - @echo "#####done#####" - -#Generate root private and public keys -step_1: - @echo "Generate root private and public keys" - keytool -genkeypair -v -alias root -keyalg RSA -keysize 4096 -validity 3650 -keystore root-keystore.jks \ - -dname "CN=root.com, OU=Root Org, O=Root Company, L=Wroclaw, ST=Dolny Slask, C=PL" -keypass secret \ - -storepass secret -ext BasicConstraints:critical="ca:true" - @echo "#####done#####" - -#Export public key as certificate -step_2: - @echo "(Export public key as certificate)" - keytool -exportcert -alias root -keystore root-keystore.jks -storepass secret -file root.crt -rfc - @echo "#####done#####" - -#Self-signed root (import root certificate into truststore) -step_3: - @echo "(Self-signed root (import root certificate into truststore))" - keytool -importcert -alias root -keystore truststore.jks -file root.crt -storepass secret -noprompt - @echo "#####done#####" - -#Generate certService's client private and public keys -step_4: - @echo "Generate certService's client private and public keys" - keytool -genkeypair -v -alias certServiceClient -keyalg RSA -keysize 2048 -validity 730 \ - -keystore certServiceClient-keystore.jks -storetype JKS \ - -dname "CN=certServiceClient.com,OU=certServiceClient company,O=certServiceClient org,L=Wroclaw,ST=Dolny Slask,C=PL" \ - -keypass secret -storepass secret - @echo "####done####" - -#Generate certificate signing request for certService's client -step_5: - @echo "Generate certificate signing request for certService's client" - keytool -certreq -keystore certServiceClient-keystore.jks -alias certServiceClient -storepass secret -file 
certServiceClient.csr - @echo "####done####" - -#Sign certService's client certificate by root CA -step_6: - @echo "Sign certService's client certificate by root CA" - keytool -gencert -v -keystore root-keystore.jks -storepass secret -alias root -infile certServiceClient.csr \ - -outfile certServiceClientByRoot.crt -rfc -ext bc=0 -ext ExtendedkeyUsage="serverAuth,clientAuth" - @echo "####done####" - -#Import root certificate into client -step_7: - @echo "Import root certificate into intermediate" - cat root.crt >> certServiceClientByRoot.crt - @echo "####done####" - -#Import signed certificate into certService's client -step_8: - @echo "Import signed certificate into certService's client" - keytool -importcert -file certServiceClientByRoot.crt -destkeystore certServiceClient-keystore.jks -alias certServiceClient -storepass secret -noprompt - @echo "####done####" - -#Generate certService private and public keys -step_9: - @echo "Generate certService private and public keys" - keytool -genkeypair -v -alias oom-cert-service -keyalg RSA -keysize 2048 -validity 730 \ - -keystore certServiceServer-keystore.jks -storetype JKS \ - -dname "CN=oom-cert-service,OU=certServiceServer company,O=certServiceServer org,L=Wroclaw,ST=Dolny Slask,C=PL" \ - -keypass secret -storepass secret -ext BasicConstraints:critical="ca:false" - @echo "####done####" - -#Generate certificate signing request for certService -step_10: - @echo "Generate certificate signing request for certService" - keytool -certreq -keystore certServiceServer-keystore.jks -alias oom-cert-service -storepass secret -file certServiceServer.csr - @echo "####done####" - -#Sign certService certificate by root CA -step_11: - @echo "Sign certService certificate by root CA" - keytool -gencert -v -keystore root-keystore.jks -storepass secret -alias root -infile certServiceServer.csr \ - -outfile certServiceServerByRoot.crt -rfc -ext bc=0 -ext ExtendedkeyUsage="serverAuth,clientAuth" \ - -ext 
SubjectAlternativeName:="DNS:oom-cert-service,DNS:localhost" - @echo "####done####" - -#Import root certificate into server -step_12: - @echo "Import root certificate into intermediate(server)" - cat root.crt >> certServiceServerByRoot.crt - @echo "####done####" - -#Import signed certificate into certService -step_13: - @echo "Import signed certificate into certService" - keytool -importcert -file certServiceServerByRoot.crt -destkeystore certServiceServer-keystore.jks -alias oom-cert-service \ - -storepass secret -noprompt - @echo "####done####" - -#Convert certServiceServer-keystore(.jks) to PCKS12 format(.p12) -step_14: - @echo "Convert certServiceServer-keystore(.jks) to PCKS12 format(.p12)" - keytool -importkeystore -srckeystore certServiceServer-keystore.jks -srcstorepass secret -destkeystore certServiceServer-keystore.p12 -deststoretype PKCS12 -deststorepass secret - @echo "#####done#####" - -#Clear unused certificates -step_15: - @echo "Clear unused certificates" - rm certServiceClientByRoot.crt certServiceClient.csr root-keystore.jks certServiceServerByRoot.crt certServiceServer.csr - @echo "#####done#####" diff --git a/sanitycheck/pnfsimulator-secured/certservice/certservice-resources/cmpServers.json b/sanitycheck/pnfsimulator-secured/certservice/certservice-resources/cmpServers.json deleted file mode 100644 index 79b97e6..0000000 --- a/sanitycheck/pnfsimulator-secured/certservice/certservice-resources/cmpServers.json +++ /dev/null @@ -1,24 +0,0 @@ -{ - "cmpv2Servers": [ - { - "caName": "Client", - "url": "http://172.17.0.1:80/ejbca/publicweb/cmp/cmp", - "issuerDN": "CN=ManagementCA", - "caMode": "CLIENT", - "authentication": { - "iak": "mypassword", - "rv": "mypassword" - } - }, - { - "caName": "RA", - "url": "http://172.17.0.1:80/ejbca/publicweb/cmp/cmpRA", - "issuerDN": "CN=ManagementCA", - "caMode": "RA", - "authentication": { - "iak": "mypassword", - "rv": "mypassword" - } - } - ] -} 
diff --git a/sanitycheck/pnfsimulator-secured/certservice/client-resources/client-configuration.env b/sanitycheck/pnfsimulator-secured/certservice/client-resources/client-configuration.env
deleted file mode 100644
index cda235d..0000000
--- a/sanitycheck/pnfsimulator-secured/certservice/client-resources/client-configuration.env
+++ /dev/null
@@ -1,18 +0,0 @@
-#Client envs
-REQUEST_URL=https://oom-cert-service:8443/v1/certificate/
-REQUEST_TIMEOUT=10000
-OUTPUT_PATH=/var/certs
-CA_NAME=RA
-OUTPUT_TYPE=JKS
-#Csr config envs
-COMMON_NAME=onap.org
-ORGANIZATION=Linux-Foundation
-ORGANIZATION_UNIT=ONAP
-LOCATION=San-Francisco
-STATE=California
-COUNTRY=US
-#Tls config envs
-KEYSTORE_PATH=/etc/onap/oom/certservice/certs/certServiceClient-keystore.jks
-KEYSTORE_PASSWORD=secret
-TRUSTSTORE_PATH=/etc/onap/oom/certservice/certs/truststore.jks
-TRUSTSTORE_PASSWORD=secret
diff --git a/sanitycheck/pnfsimulator-secured/certservice/docker-compose-certservice-clients.yml b/sanitycheck/pnfsimulator-secured/certservice/docker-compose-certservice-clients.yml
new file mode 100644
index 0000000..fdfd6c6
--- /dev/null
+++ b/sanitycheck/pnfsimulator-secured/certservice/docker-compose-certservice-clients.yml
@@ -0,0 +1,28 @@ +version: "2.1" + +networks: + onap: + external: true + +services: + oom-cert-client-ves: + image: nexus3.onap.org:10001/onap/org.onap.oom.platform.cert-service.oom-certservice-client:2.1.0 + container_name: oomcert-client-for-ves + env_file: ./resources/certservice-client/client-configuration-for-ves.env + networks: + - onap + volumes: + - ./resources/certservice-client/client-volume-for-ves:/var/certs:rw + - ./resources/certs/truststore.jks:/etc/onap/oom/certservice/certs/truststore.jks + - ./resources/certs/certServiceClient-keystore.jks:/etc/onap/oom/certservice/certs/certServiceClient-keystore.jks + + oom-cert-client-pnfsim: + image: nexus3.onap.org:10001/onap/org.onap.oom.platform.cert-service.oom-certservice-client:2.1.0 + container_name: oomcert-client + env_file: ./resources/certservice-client/client-configuration-for-pnfsim.env + networks: + - onap + volumes: + - ./resources/certservice-client/client-volume-for-pnfsim:/var/certs:rw + - ./resources/certs/truststore.jks:/etc/onap/oom/certservice/certs/truststore.jks + - ./resources/certs/certServiceClient-keystore.jks:/etc/onap/oom/certservice/certs/certServiceClient-keystore.jks diff --git a/sanitycheck/pnfsimulator-secured/certservice/docker-compose-certservice-ejbca.yml b/sanitycheck/pnfsimulator-secured/certservice/docker-compose-certservice-ejbca.yml new file mode 100644 index 0000000..38b130f --- /dev/null +++ b/sanitycheck/pnfsimulator-secured/certservice/docker-compose-certservice-ejbca.yml 
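Review bot: The internal `truststore.jks` and `certServiceClient-keystore.jks` bind mounts in both client services are read-write although the client only reads them; appending `:ro` (e.g. `- ./resources/certs/truststore.jks:/etc/onap/oom/certservice/certs/truststore.jks:ro`) keeps a misbehaving client from altering the trust anchors that `oom-cert-service` also mounts. The container names are also inconsistent (`oomcert-client-for-ves` beside a bare `oomcert-client`); `oomcert-client-for-pnfsim` would match the volume naming used in this file and in the Makefile.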
@@ -0,0 +1,47 @@ +version: "2.1" + +networks: + onap: + driver: bridge + name: onap + public: + driver: bridge + name: public + +services: + ejbca: + image: primekey/ejbca-ce:6.15.2.5 + hostname: cahostname + container_name: oomcert-ejbca + ports: + - "80:8080" + - "443:8443" + volumes: + - ./resources/ejbca/ejbca-configuration.sh:/opt/primekey/scripts/ejbca-configuration.sh + healthcheck: + test: [ "CMD-SHELL", "curl -kI https://localhost:8443/ejbca/publicweb/healthcheck/ejbcahealth" ] + interval: 10s + timeout: 3s + retries: 15 + networks: + - onap + + oom-cert-service: + image: nexus3.onap.org:10001/onap/org.onap.oom.platform.cert-service.oom-certservice-api:2.1.0 + volumes: + - ./resources/certservice/cmpServers.json:/etc/onap/oom/certservice/cmpServers.json + - ./resources/certs/truststore.jks:/etc/onap/oom/certservice/certs/truststore.jks + - ./resources/certs/root.crt:/etc/onap/oom/certservice/certs/root.crt + - ./resources/certs/certServiceServer-keystore.jks:/etc/onap/oom/certservice/certs/certServiceServer-keystore.jks + - ./resources/certs/certServiceServer-keystore.p12:/etc/onap/oom/certservice/certs/certServiceServer-keystore.p12 + container_name: oomcert-service + ports: + - "8443:8443" + healthcheck: + test: ["CMD-SHELL", "curl https://localhost:8443/actuator/health --cacert /etc/onap/oom/certservice/certs/root.crt --cert-type p12 --cert /etc/onap/oom/certservice/certs/certServiceServer-keystore.p12 --pass secret"] + interval: 10s + timeout: 3s + retries: 15 + networks: + - onap + - public diff --git a/sanitycheck/pnfsimulator-secured/certservice/docker-compose-pnfsim.yml b/sanitycheck/pnfsimulator-secured/certservice/docker-compose-pnfsim.yml new file mode 100644 index 0000000..f09b0a9 --- /dev/null +++ b/sanitycheck/pnfsimulator-secured/certservice/docker-compose-pnfsim.yml 
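Review bot: The `ejbca` service still publishes host ports `80:8080` and `443:8443`, but the new cmpServers.json reaches it at `oomcert-ejbca:8080` over the `onap` network, so the host exposure appears no longer needed by this setup; dropping the `ports` block, or binding as `"127.0.0.1:80:8080"`, avoids offering the EJBCA web interface on every host interface of the sanity-check machine. `oom-cert-service` declares no `depends_on` on `ejbca` with `condition: service_healthy` (the pattern the deleted docker-compose-certservice.yml used for the client), so the ordering is only guaranteed when the stack is driven through the Makefile's `--wait-for-ejbca`. The server keystore, truststore and `root.crt` mounts could likewise carry `:ro`, since the service only reads them.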
@@ -0,0 +1,61 @@ +version: "2.1" + +networks: + pnfsimulator: + driver: bridge + name: pnfsimulator + public: + external: true + onap: + external: true + +services: + mongo: + image: mongo + restart: always + networks: + - pnfsimulator + environment: + MONGO_INITDB_ROOT_USERNAME: root + MONGO_INITDB_ROOT_PASSWORD: zXcVbN123! + MONGO_INITDB_DATABASE: pnf_simulator + volumes: + - ../../../pnfsimulator/db:/docker-entrypoint-initdb.d + ports: + - "27017:27017" + + mongo-express: + image: mongo-express + restart: always + networks: + - pnfsimulator + ports: + - 8081:8081 + environment: + ME_CONFIG_MONGODB_ADMINUSERNAME: root + ME_CONFIG_MONGODB_ADMINPASSWORD: zXcVbN123! + + pnf-simulator: + image: nexus3.onap.org:10003/onap/org.onap.integration.simulators.pnfsimulator + ports: + - "5000:5000" + networks: + - pnfsimulator + - public + command: bash -c " + while [[ $$(ls -1 /app/store | wc -l) != '4' ]]; do echo 'Waiting for certs...'; sleep 3; done + && cp /app/store/truststore.jks /app/store/trust.jks + && cp /app/store/keystore.jks /app/store/cert.p12 + && export CLIENT_CERT_PASS=$$(cat /app/store/keystore.pass) + && export TRUST_CERT_PASS=$$(cat /app/store/truststore.pass) + && java -Dspring.config.location=file:/app/application.properties -cp /app/libs/*:/app/pnf-simulator.jar org.onap.pnfsimulator.Main + " + volumes: + - ../../../pnfsimulator/logs:/var/log + - ../../../pnfsimulator/templates:/app/templates + - ../../../pnfsimulator/src/main/resources/application.properties:/app/application.properties + - ./resources/certservice-client/client-volume-for-pnfsim/:/app/store/ + restart: on-failure + depends_on: + - mongo + - mongo-express diff --git a/sanitycheck/pnfsimulator-secured/certservice/docker-compose-ves-dmaap.yml b/sanitycheck/pnfsimulator-secured/certservice/docker-compose-ves-dmaap.yml new file mode 100644 index 0000000..86f0202 --- /dev/null +++ b/sanitycheck/pnfsimulator-secured/certservice/docker-compose-ves-dmaap.yml 
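Review bot: `networks.onap` is declared as external but no service in this file joins it (`mongo` and `mongo-express` use `pnfsimulator`, `pnf-simulator` uses `pnfsimulator` and `public`), so compose will warn that it is defined but unused; either remove the declaration or attach `pnf-simulator` to it if the simulator is meant to reach `dmaap` directly. The startup command copies `keystore.jks` to `cert.p12` while the client env requests `OUTPUT_TYPE=JKS`; if the simulator's keystore loader infers the store type from the extension this will fail to load — worth confirming against the new HttpClientFactory/SSLContextFactory code. `mongo` (27017) and `mongo-express` (8081) are published on all host interfaces with the root credentials hard-coded in this file; `"127.0.0.1:27017:27017"` and `"127.0.0.1:8081:8081"` would be a cheap tightening for a local sanity-check stack.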
@@ -0,0 +1,33 @@ +version: "2.1" + +networks: + public: + external: true + onap: + external: true + +services: + ves: + container_name: ves + image: nexus3.onap.org:10003/onap/org.onap.dcaegen2.collectors.ves.vescollector:latest + ports: + - "8082:8080" + - "8444:8443" + networks: + - onap + - public + volumes: + - ./resources/certservice-client/client-volume-for-ves/keystore.jks:/opt/app/VESCollector/etc/keystore + - ./resources/certservice-client/client-volume-for-ves/keystore.pass:/opt/app/VESCollector/etc/passwordfile + - ./resources/certservice-client/client-volume-for-ves/truststore.jks:/opt/app/VESCollector/etc/truststore + - ./resources/certservice-client/client-volume-for-ves/truststore.pass:/opt/app/VESCollector/etc/trustpasswordfile + depends_on: + - onap-dmaap + + onap-dmaap: + container_name: dmaap + image: dmaap-simulator + ports: + - "3904:3904" + networks: + - onap diff --git a/sanitycheck/pnfsimulator-secured/certservice/ejbca-resources/ejbca-configuration.sh b/sanitycheck/pnfsimulator-secured/certservice/ejbca-resources/ejbca-configuration.sh deleted file mode 100755 index 77f5c55..0000000 --- a/sanitycheck/pnfsimulator-secured/certservice/ejbca-resources/ejbca-configuration.sh +++ /dev/null 
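Review bot: The four `ves` volume entries bind-mount the fetched keystore, truststore and their password files read-write; VES only reads them, so `:ro` suffixes (e.g. `- ./resources/certservice-client/client-volume-for-ves/keystore.pass:/opt/app/VESCollector/etc/passwordfile:ro`) would stop the collector from modifying the credential material it is given. Because these are single-file bind mounts, a source file that does not exist at `up` time becomes an empty directory on the host, which both breaks VES and blocks the cert client from ever writing that file — the caller must make sure all four files are present before starting this compose file.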
@@ -1,19 +0,0 @@ -#!/bin/bash - -configureEjbca() { - ejbca.sh config cmp addalias --alias cmpRA - ejbca.sh config cmp updatealias --alias cmpRA --key operationmode --value ra - ejbca.sh ca editca --caname ManagementCA --field cmpRaAuthSecret --value mypassword - ejbca.sh config cmp updatealias --alias cmpRA --key responseprotection --value pbe - ejbca.sh config cmp dumpalias --alias cmpRA - ejbca.sh config cmp addalias --alias cmp - ejbca.sh config cmp updatealias --alias cmp --key allowautomatickeyupdate --value true - ejbca.sh config cmp updatealias --alias cmp --key responseprotection --value pbe - ejbca.sh ra addendentity --username Node123 --dn "CN=Node123" --caname ManagementCA --password mypassword --type 1 --token USERGENERATED - ejbca.sh ra setclearpwd --username Node123 --password mypassword - ejbca.sh config cmp updatealias --alias cmp --key extractusernamecomponent --value CN - ejbca.sh config cmp dumpalias --alias cmp - ejbca.sh ca getcacert --caname ManagementCA -f /dev/stdout > cacert.pem -} - -configureEjbca diff --git a/sanitycheck/pnfsimulator-secured/certservice/resources/certs/Makefile b/sanitycheck/pnfsimulator-secured/certservice/resources/certs/Makefile new file mode 100644 index 0000000..507a23c --- /dev/null +++ b/sanitycheck/pnfsimulator-secured/certservice/resources/certs/Makefile 
@@ -0,0 +1,109 @@ +all: clear step_1 step_2 step_3 step_4 step_5 step_6 step_7 step_8 step_9 step_10 step_11 step_12 step_13 step_14 step_15 +.PHONY: all +#Clear certificates +clear: + @echo "Clear certificates" + rm -f certServiceClient-keystore.jks certServiceServer-keystore.jks root.crt truststore.jks certServiceServer-keystore.p12 root-keystore.jks + @echo "#####done#####" + +#Generate root private and public keys +step_1: + @echo "Generate root private and public keys" + keytool -genkeypair -v -alias root -keyalg RSA -keysize 4096 -validity 3650 -keystore root-keystore.jks \ + -dname "CN=root.com, OU=Root Org, O=Root Company, L=Wroclaw, ST=Dolny Slask, C=PL" -keypass secret \ + -storepass secret -ext BasicConstraints:critical="ca:true" + @echo "#####done#####" + +#Export public key as certificate +step_2: + @echo "(Export public key as certificate)" + keytool -exportcert -alias root -keystore root-keystore.jks -storepass secret -file root.crt -rfc + @echo "#####done#####" + +#Self-signed root (import root certificate into truststore) +step_3: + @echo "(Self-signed root (import root certificate into truststore))" + keytool -importcert -alias root -keystore truststore.jks -file root.crt -storepass secret -noprompt + @echo "#####done#####" + +#Generate certService's client private and public keys +step_4: + @echo "Generate certService's client private and public keys" + keytool -genkeypair -v -alias certServiceClient -keyalg RSA -keysize 2048 -validity 730 \ + -keystore certServiceClient-keystore.jks -storetype JKS \ + -dname "CN=certServiceClient.com,OU=certServiceClient company,O=certServiceClient org,L=Wroclaw,ST=Dolny Slask,C=PL" \ + -keypass secret -storepass secret + @echo "####done####" + +#Generate certificate signing request for certService's client +step_5: + @echo "Generate certificate signing request for certService's client" + keytool -certreq -keystore certServiceClient-keystore.jks -alias certServiceClient -storepass secret -file 
certServiceClient.csr + @echo "####done####" + +#Sign certService's client certificate by root CA +step_6: + @echo "Sign certService's client certificate by root CA" + keytool -gencert -v -keystore root-keystore.jks -storepass secret -alias root -infile certServiceClient.csr \ + -outfile certServiceClientByRoot.crt -rfc -ext bc=0 -ext ExtendedkeyUsage="serverAuth,clientAuth" + @echo "####done####" + +#Import root certificate into client +step_7: + @echo "Import root certificate into intermediate" + cat root.crt >> certServiceClientByRoot.crt + @echo "####done####" + +#Import signed certificate into certService's client +step_8: + @echo "Import signed certificate into certService's client" + keytool -importcert -file certServiceClientByRoot.crt -destkeystore certServiceClient-keystore.jks -alias certServiceClient -storepass secret -noprompt + @echo "####done####" + +#Generate certService private and public keys +step_9: + @echo "Generate certService private and public keys" + keytool -genkeypair -v -alias oom-cert-service -keyalg RSA -keysize 2048 -validity 730 \ + -keystore certServiceServer-keystore.jks -storetype JKS \ + -dname "CN=oom-cert-service,OU=certServiceServer company,O=certServiceServer org,L=Wroclaw,ST=Dolny Slask,C=PL" \ + -keypass secret -storepass secret -ext BasicConstraints:critical="ca:false" + @echo "####done####" + +#Generate certificate signing request for certService +step_10: + @echo "Generate certificate signing request for certService" + keytool -certreq -keystore certServiceServer-keystore.jks -alias oom-cert-service -storepass secret -file certServiceServer.csr + @echo "####done####" + +#Sign certService certificate by root CA +step_11: + @echo "Sign certService certificate by root CA" + keytool -gencert -v -keystore root-keystore.jks -storepass secret -alias root -infile certServiceServer.csr \ + -outfile certServiceServerByRoot.crt -rfc -ext bc=0 -ext ExtendedkeyUsage="serverAuth,clientAuth" \ + -ext 
SubjectAlternativeName:="DNS:oom-cert-service,DNS:localhost" + @echo "####done####" + +#Import root certificate into server +step_12: + @echo "Import root certificate into intermediate(server)" + cat root.crt >> certServiceServerByRoot.crt + @echo "####done####" + +#Import signed certificate into certService +step_13: + @echo "Import signed certificate into certService" + keytool -importcert -file certServiceServerByRoot.crt -destkeystore certServiceServer-keystore.jks -alias oom-cert-service \ + -storepass secret -noprompt + @echo "####done####" + +#Convert certServiceServer-keystore(.jks) to PCKS12 format(.p12) +step_14: + @echo "Convert certServiceServer-keystore(.jks) to PCKS12 format(.p12)" + keytool -importkeystore -srckeystore certServiceServer-keystore.jks -srcstorepass secret -destkeystore certServiceServer-keystore.p12 -deststoretype PKCS12 -deststorepass secret + @echo "#####done#####" + +#Clear unused certificates +step_15: + @echo "Clear unused certificates" + rm certServiceClientByRoot.crt certServiceClient.csr root-keystore.jks certServiceServerByRoot.crt certServiceServer.csr + @echo "#####done#####" diff --git a/sanitycheck/pnfsimulator-secured/certservice/resources/certservice-client/client-configuration-for-pnfsim.env b/sanitycheck/pnfsimulator-secured/certservice/resources/certservice-client/client-configuration-for-pnfsim.env new file mode 100644 index 0000000..cda235d --- /dev/null +++ b/sanitycheck/pnfsimulator-secured/certservice/resources/certservice-client/client-configuration-for-pnfsim.env 
@@ -0,0 +1,18 @@
+#Client envs
+REQUEST_URL=https://oom-cert-service:8443/v1/certificate/
+REQUEST_TIMEOUT=10000
+OUTPUT_PATH=/var/certs
+CA_NAME=RA
+OUTPUT_TYPE=JKS
+#Csr config envs
+COMMON_NAME=onap.org
+ORGANIZATION=Linux-Foundation
+ORGANIZATION_UNIT=ONAP
+LOCATION=San-Francisco
+STATE=California
+COUNTRY=US
+#Tls config envs
+KEYSTORE_PATH=/etc/onap/oom/certservice/certs/certServiceClient-keystore.jks
+KEYSTORE_PASSWORD=secret
+TRUSTSTORE_PATH=/etc/onap/oom/certservice/certs/truststore.jks
+TRUSTSTORE_PASSWORD=secret
diff --git a/sanitycheck/pnfsimulator-secured/certservice/resources/certservice-client/client-configuration-for-ves.env b/sanitycheck/pnfsimulator-secured/certservice/resources/certservice-client/client-configuration-for-ves.env
new file mode 100644
index 0000000..e06d147
--- /dev/null
+++ b/sanitycheck/pnfsimulator-secured/certservice/resources/certservice-client/client-configuration-for-ves.env
@@ -0,0 +1,19 @@
+#Client envs
+REQUEST_URL=https://oom-cert-service:8443/v1/certificate/
+REQUEST_TIMEOUT=10000
+OUTPUT_PATH=/var/certs
+CA_NAME=RA
+OUTPUT_TYPE=JKS
+#Csr config envs
+COMMON_NAME=ves-onap.org
+ORGANIZATION=Linux-Foundation
+ORGANIZATION_UNIT=ONAP
+LOCATION=San-Francisco
+STATE=California
+COUNTRY=US
+SANS=ves
+#Tls config envs
+KEYSTORE_PATH=/etc/onap/oom/certservice/certs/certServiceClient-keystore.jks
+KEYSTORE_PASSWORD=secret
+TRUSTSTORE_PATH=/etc/onap/oom/certservice/certs/truststore.jks
+TRUSTSTORE_PASSWORD=secret
diff --git a/sanitycheck/pnfsimulator-secured/certservice/resources/certservice/cmpServers.json b/sanitycheck/pnfsimulator-secured/certservice/resources/certservice/cmpServers.json
new file mode 100644
index 0000000..7256494
--- /dev/null
+++ b/sanitycheck/pnfsimulator-secured/certservice/resources/certservice/cmpServers.json
@@ -0,0 +1,24 @@
+{
+ "cmpv2Servers": [
+ {
+ "caName": "Client",
+ "url": "http://oomcert-ejbca:8080/ejbca/publicweb/cmp/cmp",
+ "issuerDN": "CN=ManagementCA",
+ "caMode": "CLIENT",
+ "authentication": {
+ "iak": "mypassword",
+ "rv": "mypassword"
+ }
+ },
+ {
+ "caName": "RA",
+ "url": "http://oomcert-ejbca:8080/ejbca/publicweb/cmp/cmpRA",
+ "issuerDN": "CN=ManagementCA",
+ "caMode": "RA",
+ "authentication": {
+ "iak": "mypassword",
+ "rv": "mypassword"
+ }
+ }
+ ]
+}
diff --git a/sanitycheck/pnfsimulator-secured/certservice/resources/ejbca/ejbca-configuration.sh b/sanitycheck/pnfsimulator-secured/certservice/resources/ejbca/ejbca-configuration.sh
new file mode 100755
index 0000000..77f5c55
--- /dev/null
+++ b/sanitycheck/pnfsimulator-secured/certservice/resources/ejbca/ejbca-configuration.sh
@@ -0,0 +1,19 @@
+#!/bin/bash
+
+configureEjbca() {
+ ejbca.sh config cmp addalias --alias cmpRA
+ ejbca.sh config cmp updatealias --alias cmpRA --key operationmode --value ra
+ ejbca.sh ca editca --caname ManagementCA --field cmpRaAuthSecret --value mypassword
+ ejbca.sh config cmp updatealias --alias cmpRA --key responseprotection --value pbe
+ ejbca.sh config cmp dumpalias --alias cmpRA
+ ejbca.sh config cmp addalias --alias cmp
+ ejbca.sh config cmp updatealias --alias cmp --key allowautomatickeyupdate --value true
+ ejbca.sh config cmp updatealias --alias cmp --key responseprotection --value pbe
+ ejbca.sh ra addendentity --username Node123 --dn "CN=Node123" --caname ManagementCA --password mypassword --type 1 --token USERGENERATED
+ ejbca.sh ra setclearpwd --username Node123 --password mypassword
+ ejbca.sh config cmp updatealias --alias cmp --key extractusernamecomponent --value CN
+ ejbca.sh config cmp dumpalias --alias cmp
+ ejbca.sh ca getcacert --caname ManagementCA -f /dev/stdout > cacert.pem
+}
+
+configureEjbca
diff --git a/sanitycheck/pnfsimulator-secured/docker-compose-certman.yml b/sanitycheck/pnfsimulator-secured/docker-compose-certman.yml deleted file mode 100644 index e20f78d..0000000 --- a/sanitycheck/pnfsimulator-secured/docker-compose-certman.yml +++ /dev/null 
@@ -1,71 +0,0 @@ -version: '3' - -networks: - tls-init-network: - -volumes: - certs-volume: - -services: - certs-init: - image: nexus3.onap.org:10001/onap/org.onap.dcaegen2.deployments.tls-init-container:2.1.0 - extra_hosts: - #set worker IP with access to AAF - aaf-locate.onap: #for example 10.183.35.177 - aaf-cm.onap: #for example 10.183.35.177 - aaf-service.onap: #for example 10.183.35.177 - environment: - - aaf_locate_url=https://aaf-locate.onap:31111 - - aaf_url_cm=https://aaf-cm.onap:31114 - - aaf_url=https://aaf-service.onap:31110 - networks: - - tls-init-network - volumes: - - certs-volume:/opt/app/osaaf - mongo: - image: mongo - restart: always - environment: - MONGO_INITDB_ROOT_USERNAME: root - MONGO_INITDB_ROOT_PASSWORD: zXcVbN123! - MONGO_INITDB_DATABASE: pnf_simulator - networks: - - tls-init-network - volumes: - - ../../pnfsimulator/db:/docker-entrypoint-initdb.d - ports: - - "27017:27017" - - mongo-express: - image: mongo-express - restart: always - ports: - - 8081:8081 - networks: - - tls-init-network - environment: - ME_CONFIG_MONGODB_ADMINUSERNAME: root - ME_CONFIG_MONGODB_ADMINPASSWORD: zXcVbN123! - - pnf-simulator: - image: nexus3.onap.org:10001/onap/org.onap.integration.simulators.pnfsimulator - ports: - - "5000:5000" - command: bash -c " - while [[ $$(ls -1 /app/store | wc -l) != '10' ]]; do echo 'Waiting for certs...'; sleep 3; done - && export CLIENT_CERT_PASS=$$(cat /app/store/p12.pass) - && export TRUST_CERT_PASS=$$(cat /app/store/trust.pass) - && java -Dspring.config.location=file:/app/application.properties -cp /app/libs/*:/app/pnf-simulator.jar org.onap.pnfsimulator.Main - " - volumes: - - ../../pnfsimulator/logs:/var/log - - ../../pnfsimulator/templates:/app/templates - - ../../pnfsimulator/src/main/resources/application.properties:/app/application.properties - - certs-volume:/app/store - networks: - - tls-init-network - restart: on-failure - depends_on: - - certs-init - - mongo - - mongo-express 
diff --git a/sanitycheck/pnfsimulator-secured/docker-compose-certservice.yml b/sanitycheck/pnfsimulator-secured/docker-compose-certservice.yml deleted file mode 100644 index e7d4cb6..0000000 --- a/sanitycheck/pnfsimulator-secured/docker-compose-certservice.yml +++ /dev/null 
@@ -1,93 +0,0 @@ -version: "2.1" - -networks: - certservice-network: - driver: bridge - name: certservice-network - pnf-simulator-network: - driver: bridge - name: pnf-simulator-network - -services: - - oom-cert-service: - image: nexus3.onap.org:10001/onap/org.onap.oom.platform.cert-service.oom-certservice-api:2.1.0 - volumes: - - ./certservice/certservice-resources/cmpServers.json:/etc/onap/oom/certservice/cmpServers.json - - ./certservice/certs/truststore.jks:/etc/onap/oom/certservice/certs/truststore.jks - - ./certservice/certs/root.crt:/etc/onap/oom/certservice/certs/root.crt - - ./certservice/certs/certServiceServer-keystore.jks:/etc/onap/oom/certservice/certs/certServiceServer-keystore.jks - - ./certservice/certs/certServiceServer-keystore.p12:/etc/onap/oom/certservice/certs/certServiceServer-keystore.p12 - container_name: oomcert-service - ports: - - "8443:8443" - healthcheck: - test: ["CMD-SHELL", "curl https://localhost:8443/actuator/health --cacert /etc/onap/oom/certservice/certs/root.crt --cert-type p12 --cert /etc/onap/oom/certservice/certs/certServiceServer-keystore.p12 --pass secret"] - interval: 10s - timeout: 3s - retries: 15 - networks: - - certservice-network - - oom-cert-client: - image: nexus3.onap.org:10001/onap/org.onap.oom.platform.cert-service.oom-certservice-client:2.1.0 - container_name: oomcert-client - env_file: ./certservice/client-resources/client-configuration.env - networks: - - certservice-network - volumes: - - ./certservice/client-resources/client-volume:/var/certs:rw - - ./certservice/certs/truststore.jks:/etc/onap/oom/certservice/certs/truststore.jks - - ./certservice/certs/certServiceClient-keystore.jks:/etc/onap/oom/certservice/certs/certServiceClient-keystore.jks - depends_on: - oom-cert-service: - condition: service_healthy - - mongo: - image: mongo - restart: always - networks: - - pnf-simulator-network - environment: - MONGO_INITDB_ROOT_USERNAME: root - MONGO_INITDB_ROOT_PASSWORD: zXcVbN123! 
- MONGO_INITDB_DATABASE: pnf_simulator - volumes: - - ../../pnfsimulator/db:/docker-entrypoint-initdb.d - ports: - - "27017:27017" - - mongo-express: - image: mongo-express - restart: always - networks: - - pnf-simulator-network - ports: - - 8081:8081 - environment: - ME_CONFIG_MONGODB_ADMINUSERNAME: root - ME_CONFIG_MONGODB_ADMINPASSWORD: zXcVbN123! - - pnf-simulator: - image: nexus3.onap.org:10003/onap/org.onap.integration.simulators.pnfsimulator - ports: - - "5000:5000" - networks: - - pnf-simulator-network - command: bash -c " - while [[ $$(ls -1 /app/store | wc -l) != '4' ]]; do echo 'Waiting for certs...'; sleep 3; done - && cp /app/store/truststore.jks /app/store/trust.jks - && cp /app/store/keystore.jks /app/store/cert.p12 - && export CLIENT_CERT_PASS=$$(cat /app/store/keystore.pass) - && export TRUST_CERT_PASS=$$(cat /app/store/truststore.pass) - && java -Dspring.config.location=file:/app/application.properties -cp /app/libs/*:/app/pnf-simulator.jar org.onap.pnfsimulator.Main - " - volumes: - - ../../pnfsimulator/logs:/var/log - - ../../pnfsimulator/templates:/app/templates - - ../../pnfsimulator/src/main/resources/application.properties:/app/application.properties - - ./certservice/client-resources/client-volume/:/app/store/ - restart: on-failure - depends_on: - - mongo - - mongo-express diff --git a/sanitycheck/pnfsimulator-secured/docker-compose-ves.yml b/sanitycheck/pnfsimulator-secured/docker-compose-ves.yml deleted file mode 100644 index 43d4f63..0000000 --- a/sanitycheck/pnfsimulator-secured/docker-compose-ves.yml +++ /dev/null 
@@ -1,25 +0,0 @@ -version: '3' -services: - ves: - container_name: ves - image: nexus3.onap.org:10003/onap/org.onap.dcaegen2.collectors.ves.vescollector:latest - ports: - - "8082:8080" - - "8444:8443" - networks: - - vesnetwork - volumes: - - ./certservice/client-resources/client-volume/keystore.jks:/opt/app/VESCollector/etc/keystore - - ./certservice/client-resources/client-volume/keystore.pass:/opt/app/VESCollector/etc/passwordfile - - ./certservice/client-resources/client-volume/trust.jks:/opt/app/VESCollector/etc/truststore - - ./certservice/client-resources/client-volume/truststore.pass:/opt/app/VESCollector/etc/trustpasswordfile - onap-dmaap: - container_name: dmaap - image: dmaap-simulator - ports: - - "3904:3904" - networks: - - vesnetwork -networks: - vesnetwork: - driver: bridge -- cgit 1.2.3-korg