From b06189e0c1f15237519d3727aeab007fadd952cb Mon Sep 17 00:00:00 2001
From: Michal Banka
Date: Wed, 3 Jun 2020 10:51:51 +0200
Subject: Add deployment for fetching certs from CertService
Change-Id: Icb59854a88e83b799781c227e465bfb98ed502b6
Signed-off-by: Michal Banka
Issue-ID: INT-1612
---
sanitycheck/pnfsimulator-secured/Makefile | 57 +++++
sanitycheck/pnfsimulator-secured/README.md | 236 +++++++++++++++++++++
.../certservice/certs/Makefile | 109 ++++++++++
.../certservice-resources/cmpServers.json | 24 +++
.../client-resources/client-configuration.env | 18 ++
.../ejbca-resources/ejbca-configuration.sh | 19 ++
.../docker-compose-certman.yml | 71 +++++++
.../docker-compose-certservice.yml | 93 ++++++++
.../pnfsimulator-secured/docker-compose-ves.yml | 31 +++
sanitycheck/tools/README.md | 93 --------
sanitycheck/tools/docker-compose.yml | 71 -------
11 files changed, 658 insertions(+), 164 deletions(-)
create mode 100644 sanitycheck/pnfsimulator-secured/Makefile
create mode 100644 sanitycheck/pnfsimulator-secured/README.md
create mode 100644 sanitycheck/pnfsimulator-secured/certservice/certs/Makefile
create mode 100644 sanitycheck/pnfsimulator-secured/certservice/certservice-resources/cmpServers.json
create mode 100644 sanitycheck/pnfsimulator-secured/certservice/client-resources/client-configuration.env
create mode 100755 sanitycheck/pnfsimulator-secured/certservice/ejbca-resources/ejbca-configuration.sh
create mode 100644 sanitycheck/pnfsimulator-secured/docker-compose-certman.yml
create mode 100644 sanitycheck/pnfsimulator-secured/docker-compose-certservice.yml
create mode 100644 sanitycheck/pnfsimulator-secured/docker-compose-ves.yml
delete mode 100644 sanitycheck/tools/README.md
delete mode 100644 sanitycheck/tools/docker-compose.yml
diff --git a/sanitycheck/pnfsimulator-secured/Makefile b/sanitycheck/pnfsimulator-secured/Makefile
new file mode 100644
index 0000000..92a9e1e
--- /dev/null
+++ b/sanitycheck/pnfsimulator-secured/Makefile
@@ -0,0 +1,57 @@
+default:
+ @echo "There is no default target. Use: make "
+
+start-ejbca: --run-ejbca-container --wait-for-ejbca --configure-ejbca
+
+start-pnfsim-with-certservice-certs: --create-certservice-internal-certs --create-client-volume --run-certservice-and-pnfsim-containers
+
+start-local-secured-ves:
+ docker-compose -f docker-compose-ves.yml up
+
+start-pnfsim-with-certman-certs:
+ docker-compose -f docker-compose-certman.yml up
+
+clean-pnfsim-with-certman-setup:
+ docker-compose -f docker-compose-certman.yml down
+
+clean-pnfsim-with-certservice-setup: --clean-certservice-internal-certs --clean-client-volume
+ docker rm -f aafcert-ejbca || true
+ docker-compose -f docker-compose-certservice.yml down
+ docker-compose -f docker-compose-ves.yml down
+
+--run-ejbca-container:
+ docker run \
+ -d \
+ --rm \
+ --name aafcert-ejbca \
+ --hostname cahostname \
+ -p 80:8080 \
+ -p 443:8443 \
+ --volume `pwd`/certservice/ejbca-resources/ejbca-configuration.sh:/opt/primekey/scripts/ejbca-configuration.sh \
+ --health-cmd "curl -kI https://localhost:8443/ejbca/publicweb/healthcheck/ejbcahealth" \
+ --health-interval 10s \
+ --health-timeout 3s \
+ --health-retries 15 \
+ primekey/ejbca-ce:6.15.2.5
+
+--configure-ejbca:
+ docker exec aafcert-ejbca /opt/primekey/scripts/ejbca-configuration.sh
+
+--create-client-volume:
+ mkdir -p ./certservice/client-resources/client-volume -m 777
+
+--run-certservice-and-pnfsim-containers:
+ docker-compose -f docker-compose-certservice.yml up
+
+--create-certservice-internal-certs:
+ make -C certservice/certs all
+
+--clean-certservice-internal-certs:
+ make -C certservice/certs clear
+
+--clean-client-volume:
+ rm -rf certservice/client-resources/client-volume
+
+--wait-for-ejbca:
+ @echo 'Waiting for EJBCA...'
+ until docker container inspect aafcert-ejbca | grep '"Status": "healthy"'; do sleep 3; done
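Review bot: `--create-client-volume` creates the directory with `-m 777`, and docker-compose-certservice.yml bind-mounts that same path as the client's `/var/certs` output, so the issued keystore and the plaintext `keystore.pass`/`truststore.pass` files end up in a world-writable directory on the host. The mode was presumably chosen so the container's non-root user can write there; a narrower mode such as `mkdir -p -m 750 ./certservice/client-resources/client-volume` combined with an explicit chown to the uid the client image runs as (not visible here), or a named volume, would avoid exposing the private key material to every local account. `--wait-for-ejbca` also loops forever if the `--rm` container exits before becoming healthy, because `docker container inspect` then fails on every iteration; a bounded retry count would make `make start-ejbca` fail instead of hanging. Note that the README's Stop section names `make clean-pnfsim-with-certservice-certs`, while the target defined here is `clean-pnfsim-with-certservice-setup`.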
diff --git a/sanitycheck/pnfsimulator-secured/README.md b/sanitycheck/pnfsimulator-secured/README.md
new file mode 100644
index 0000000..661806b
--- /dev/null
+++ b/sanitycheck/pnfsimulator-secured/README.md
@@ -0,0 +1,236 @@ +Standalone PNF Simulator configuration for HTTPS communication to VES +------------------------ + +### General description + +Makefile in sanitycheck/pnfsimulator-secured is an interface for deployment of PNF simulator with fetching certs from +chosen source. + +Makefile offers functionalities that allows to: + + * Run PNF simulator with fetching certs from AAF Certman + * Run PNF simulator with fetching certs from AAF Certservice (CMPv2) + +## Fetching from AAF Certman +### Description + +docker-compose-certman.yml prepares PNF simulator container for HTTPS communication with VES. + +When docker-compose starts certs-init container fills connected volume with certificates, truststores, keystores, +passwords etc. Next pnf-simulator container starts and connects to the same volume. On startup it should read password +values from proper files and set them in system environment variables. With these variables and files in volume +application is ready to work on HTTPS. + +### Prerequisites + +1. certs-init container works with external AAF on cloud. Due to that fact it must have set correct IPs to workers that +has access to AAF. In docker-compose.yml fields with mentioned IPs are: + + * aaf-locate.onap + * aaf-cm.onap + * aaf-service.onap + +### Start + +**ATTENTION** + +Proper IPs to AAF must be set in the docker-compose-certman.yml before start (as described in prerequisites)! + +``` +make start-pnfsim-with-certman-certs +``` + +### Send event + +**ATTENTION** + +``sanitycheck/events/eventToVes.json`` file which is request for sending event to VES must have correct ``vesServerURL`` +field before sending event. +IP of ``vesServerURL`` should be the same as given in docker-compose-certman.yml in ``aaf-locate.onap`` field. +To use secured connection remember about setting protocol to https:// and port to proper secured port of VES. 
+ +To send event from PNF simulator to VES use this command from ``pnf-simulator/sanitycheck`` directory: + +```` +make generate-event +```` + +Sample ``sanitycheck/events/eventToVes.json`` file content is: + +```json +{ + "vesServerUrl": "https://10.183.35.177:30417/eventListener/v7", + "event": { + "event": { + "commonEventHeader": { + "version": "4.0.1", + "vesEventListenerVersion": "7.0.1", + "domain": "fault", + "eventName": "Fault_Vscf:Acs-Ericcson_PilotNumberPoolExhaustion", + "eventId": "fault0000245", + "sequence": 1, + "priority": "High", + "reportingEntityId": "cc305d54-75b4-431b-adb2-eb6b9e541234", + "reportingEntityName": "ibcx0001vm002oam001", + "sourceId": "de305d54-75b4-431b-adb2-eb6b9e546014", + "sourceName": "scfx0001vm002cap001", + "nfVendorName": "Ericsson", + "nfNamingCode": "scfx", + "nfcNamingCode": "ssc", + "startEpochMicrosec": 1413378172000000, + "lastEpochMicrosec": 1413378172000000, + "timeZoneOffset": "UTC-05:30" + }, + "faultFields": { + "faultFieldsVersion": "4.0", + "alarmCondition": "PilotNumberPoolExhaustion", + "eventSourceType": "other", + "specificProblem": "Calls cannot complete - pilot numbers are unavailable", + "eventSeverity": "CRITICAL", + "vfStatus": "Active", + "alarmAdditionalInformation": { + "PilotNumberPoolSize": "1000" + } + } + } + } +} +``` + +### Stop +To remove pnf-simulator containers use: +``` +make clean-pnfsim-with-certman-setup +``` + +## Fetching certificates from AAF Certservice (CMPv2) +### Description + +Running Makefile with Certservice target will start the following flow: + +1. Create certificates that will be used for internal communication between Certservice and Certservice-client. + Generated internal certificates should be present in sanitycheck/pnfsimulator-secured/certservice/certs directory. + +2. Run docker-compose-certservice.yml that creates: + + 2.1. Certservice container with mounted previously generated certificates. + + 2.2. 
Certservice-client with mounted internal certificates as well. This containers requests Certservice for + Certificates that will be used by PNF simulator in HTTPS connection. Before closing of container it saves + these certs in locally mounted volume in + sanitycheck/pnfsimulator-secured/certservice/client-resources/client-volume + + 2.3. PNF simulator that has mounted certificates from client. Before starting the simulator itself, names of certs + files are changed to fit the PNF simulator configuration. + +### Prerequisites + + +##### EJBCA configuration +Certservice container will try to connect to EJBCA on docker-compose-certservice.yml startup to fetch certs. +Whole connection configuration to EJBCA server must be done before start in file +sanitycheck/pnfsimulator-secured/certservice/certservice-resources/cmpServers.json. + +EJBCA might be deployed locally or externally. Described in this README Makefile has a target that runs configured EJBCA +container locally. To run that target use: + +``` +make start-ejbca +``` + + +Configuration of cmpServers.json for this local EJBCA container should be: +```json +{ + "cmpv2Servers": [ + { + "caName": "Client", + "url": "http://:80/ejbca/publicweb/cmp/cmp", + "issuerDN": "CN=ManagementCA", + "caMode": "CLIENT", + "authentication": { + "iak": "mypassword", + "rv": "mypassword" + } + }, + { + "caName": "RA", + "url": "http://:80/ejbca/publicweb/cmp/cmpRA", + "issuerDN": "CN=ManagementCA", + "caMode": "RA", + "authentication": { + "iak": "mypassword", + "rv": "mypassword" + } + } + ] +} +``` +``docker0_network_ip`` might be found when running `ifconfig docker0` next to `inet` field. + +### Start + +**ATTENTION** + +Remember that before starting certservice, the EJBCA server must run, be properly configured and +sanitycheck/pnfsimulator-secured/certservice/certservice-resources/cmpServers.json must be set correctly. + +For more info read _prerequisites_ section. 
+ +``` +make start-pnfsim-with-certservice-certs +``` + +### Send event + +##### VES collector + +Destination VES collector should use certificate generated from the same CMPv2 server for successful HTTPS +communication. There is local deployment of VES (with DMAAP simulator) to be used from Makefile that +uses certificates generated by the same CMPv2 server as PNF simulator uses. + +##### VES collector local deployment prerequisites + +By default the image of VES from Nexus supports only HTTP communication. Local image with enabled HTTPS must be +build to use local VES as PNF simulator destination. + +1. Pull VES repository +2. In `/etc/collector.properties` file set field `auth.method=certBasicAuth` +3. Build local image: `mvn clean install docker:build` from VES project root directory. + +VES deployment from Makefile uses also DMAAP simulator. Its image should be built locally as well. +1. Go to `sanitycheck/dmaap-simulator` directory +2. Run: `make build` + +If you want to use that VES + DMAAP simulator deployment enter: +``` +make start-local-secured-ves +``` + +**ATTENTION** + +Before sending an event to VES, the correct VES server URL must be passed to +``sanitycheck/events/vesAddressConfiguration.json`` file in field ``vesServerURL``. + +For local VES, `vesServerURL` should have value: ``https://:8444/eventListener/v7``. +``docker0_network_ip`` might be found when running `ifconfig docker0` next to `inet` field. + +To reconfigure PNF simulator to use +new URL use this command from ``pnf-simulator/sanitycheck`` directory: +``` +make reconfigure-ves-url +``` + + +To send event from PNF simulator to VES use this command from ``pnf-simulator/sanitycheck`` directory: + +``` +make generate-event +``` + +### Stop + +To clean all generated certificates, remove pnf-simulator, certservice, ejbca and ves containers use: +``` +make clean-pnfsim-with-certservice-certs +``` \ No newline at end of file 
diff --git a/sanitycheck/pnfsimulator-secured/certservice/certs/Makefile b/sanitycheck/pnfsimulator-secured/certservice/certs/Makefile
new file mode 100644
index 0000000..d6c3855
--- /dev/null
+++ b/sanitycheck/pnfsimulator-secured/certservice/certs/Makefile
@@ -0,0 +1,109 @@
+all: clear step_1 step_2 step_3 step_4 step_5 step_6 step_7 step_8 step_9 step_10 step_11 step_12 step_13 step_14 step_15
+.PHONY: all
+#Clear certificates
+clear:
+ @echo "Clear certificates"
+ rm -f certServiceClient-keystore.jks certServiceServer-keystore.jks root.crt truststore.jks certServiceServer-keystore.p12 root-keystore.jks
+ @echo "#####done#####"
+
+#Generate root private and public keys
+step_1:
+ @echo "Generate root private and public keys"
+ keytool -genkeypair -v -alias root -keyalg RSA -keysize 4096 -validity 3650 -keystore root-keystore.jks \
+ -dname "CN=root.com, OU=Root Org, O=Root Company, L=Wroclaw, ST=Dolny Slask, C=PL" -keypass secret \
+ -storepass secret -ext BasicConstraints:critical="ca:true"
+ @echo "#####done#####"
+
+#Export public key as certificate
+step_2:
+ @echo "(Export public key as certificate)"
+ keytool -exportcert -alias root -keystore root-keystore.jks -storepass secret -file root.crt -rfc
+ @echo "#####done#####"
+
+#Self-signed root (import root certificate into truststore)
+step_3:
+ @echo "(Self-signed root (import root certificate into truststore))"
+ keytool -importcert -alias root -keystore truststore.jks -file root.crt -storepass secret -noprompt
+ @echo "#####done#####"
+
+#Generate certService's client private and public keys
+step_4:
+ @echo "Generate certService's client private and public keys"
+ keytool -genkeypair -v -alias certServiceClient -keyalg RSA -keysize 2048 -validity 730 \
+ -keystore certServiceClient-keystore.jks -storetype JKS \
+ -dname "CN=certServiceClient.com,OU=certServiceClient company,O=certServiceClient org,L=Wroclaw,ST=Dolny Slask,C=PL" \
+ -keypass secret -storepass secret
+ @echo "####done####"
+
+#Generate certificate signing request for certService's client
+step_5:
+ @echo "Generate certificate signing request for certService's client"
+ keytool -certreq -keystore certServiceClient-keystore.jks -alias certServiceClient -storepass secret -file 
certServiceClient.csr
+ @echo "####done####"
+
+#Sign certService's client certificate by root CA
+step_6:
+ @echo "Sign certService's client certificate by root CA"
+ keytool -gencert -v -keystore root-keystore.jks -storepass secret -alias root -infile certServiceClient.csr \
+ -outfile certServiceClientByRoot.crt -rfc -ext bc=0 -ext ExtendedkeyUsage="serverAuth,clientAuth"
+ @echo "####done####"
+
+#Import root certificate into client
+step_7:
+ @echo "Import root certificate into intermediate"
+ cat root.crt >> certServiceClientByRoot.crt
+ @echo "####done####"
+
+#Import signed certificate into certService's client
+step_8:
+ @echo "Import signed certificate into certService's client"
+ keytool -importcert -file certServiceClientByRoot.crt -destkeystore certServiceClient-keystore.jks -alias certServiceClient -storepass secret -noprompt
+ @echo "####done####"
+
+#Generate certService private and public keys
+step_9:
+ @echo "Generate certService private and public keys"
+ keytool -genkeypair -v -alias aaf-cert-service -keyalg RSA -keysize 2048 -validity 730 \
+ -keystore certServiceServer-keystore.jks -storetype JKS \
+ -dname "CN=aaf-cert-service,OU=certServiceServer company,O=certServiceServer org,L=Wroclaw,ST=Dolny Slask,C=PL" \
+ -keypass secret -storepass secret -ext BasicConstraints:critical="ca:false"
+ @echo "####done####"
+
+#Generate certificate signing request for certService
+step_10:
+ @echo "Generate certificate signing request for certService"
+ keytool -certreq -keystore certServiceServer-keystore.jks -alias aaf-cert-service -storepass secret -file certServiceServer.csr
+ @echo "####done####"
+
+#Sign certService certificate by root CA
+step_11:
+ @echo "Sign certService certificate by root CA"
+ keytool -gencert -v -keystore root-keystore.jks -storepass secret -alias root -infile certServiceServer.csr \
+ -outfile certServiceServerByRoot.crt -rfc -ext bc=0 -ext ExtendedkeyUsage="serverAuth,clientAuth" \
+ -ext 
SubjectAlternativeName:="DNS:aaf-cert-service,DNS:localhost"
+ @echo "####done####"
+
+#Import root certificate into server
+step_12:
+ @echo "Import root certificate into intermediate(server)"
+ cat root.crt >> certServiceServerByRoot.crt
+ @echo "####done####"
+
+#Import signed certificate into certService
+step_13:
+ @echo "Import signed certificate into certService"
+ keytool -importcert -file certServiceServerByRoot.crt -destkeystore certServiceServer-keystore.jks -alias aaf-cert-service \
+ -storepass secret -noprompt
+ @echo "####done####"
+
+#Convert certServiceServer-keystore(.jks) to PCKS12 format(.p12)
+step_14:
+ @echo "Convert certServiceServer-keystore(.jks) to PCKS12 format(.p12)"
+ keytool -importkeystore -srckeystore certServiceServer-keystore.jks -srcstorepass secret -destkeystore certServiceServer-keystore.p12 -deststoretype PKCS12 -deststorepass secret
+ @echo "#####done#####"
+
+#Clear unused certificates
+step_15:
+ @echo "Clear unused certificates"
+ rm certServiceClientByRoot.crt certServiceClient.csr root-keystore.jks certServiceServerByRoot.crt certServiceServer.csr
+ @echo "#####done#####"
diff --git a/sanitycheck/pnfsimulator-secured/certservice/certservice-resources/cmpServers.json b/sanitycheck/pnfsimulator-secured/certservice/certservice-resources/cmpServers.json
new file mode 100644
index 0000000..79b97e6
--- /dev/null
+++ b/sanitycheck/pnfsimulator-secured/certservice/certservice-resources/cmpServers.json
@@ -0,0 +1,24 @@
+{
+ "cmpv2Servers": [
+ {
+ "caName": "Client",
+ "url": "http://172.17.0.1:80/ejbca/publicweb/cmp/cmp",
+ "issuerDN": "CN=ManagementCA",
+ "caMode": "CLIENT",
+ "authentication": {
+ "iak": "mypassword",
+ "rv": "mypassword"
+ }
+ },
+ {
+ "caName": "RA",
+ "url": "http://172.17.0.1:80/ejbca/publicweb/cmp/cmpRA",
+ "issuerDN": "CN=ManagementCA",
+ "caMode": "RA",
+ "authentication": {
+ "iak": "mypassword",
+ "rv": "mypassword"
+ }
+ }
+ ]
+}
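Review bot: In step_6 and step_11 the end-entity certificates are signed with `-ext bc=0`, which in keytool's `-gencert` syntax is the shorthand for `BasicConstraints=ca:true,pathlen:0`, so both the client certificate and the aaf-cert-service certificate are issued as CA certificates even though step_9 asks for `ca:false` on the key pair (as far as I can tell `-gencert` does not carry the request's extensions over unless `-ext honored` is given). Use `-ext bc=ca:false` on both `-gencert` lines so the leaf certificates cannot be used to issue further certificates that this truststore would accept. The fixed `-storepass secret`/`-keypass secret` is acceptable for a sanity check but is repeated on every keytool line and is also hard-coded in client-configuration.env and the compose healthcheck; a `PASS ?= secret` variable at the top of this Makefile would at least make it a single knob here. step_7's echo text says `into intermediate` while the target's comment says `into client`.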
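Review bot: The `iak`/`rv` value `mypassword` in both server entries has to equal the `cmpRaAuthSecret` and the Node123 end-entity password configured in certservice/ejbca-resources/ejbca-configuration.sh, and `172.17.0.1` has to be the docker0 gateway of the host that runs `make start-ejbca`; neither coupling is recorded next to the values, and JSON gives no room for a comment. Since this is a tracked configuration file rather than a template, the README's cmpServers.json section should state both dependencies explicitly, or the secret and address should be rendered into this file from a single source (an environment variable) so that changing one place cannot silently break CMP enrollment.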
diff --git a/sanitycheck/pnfsimulator-secured/certservice/client-resources/client-configuration.env b/sanitycheck/pnfsimulator-secured/certservice/client-resources/client-configuration.env
new file mode 100644
index 0000000..bc62f1f
--- /dev/null
+++ b/sanitycheck/pnfsimulator-secured/certservice/client-resources/client-configuration.env
@@ -0,0 +1,18 @@
+#Client envs
+REQUEST_URL=https://aaf-cert-service:8443/v1/certificate/
+REQUEST_TIMEOUT=10000
+OUTPUT_PATH=/var/certs
+CA_NAME=RA
+#Csr config envs
+COMMON_NAME=onap.org
+ORGANIZATION=Linux-Foundation
+ORGANIZATION_UNIT=ONAP
+LOCATION=San-Francisco
+STATE=California
+COUNTRY=US
+SANS=example.org
+#Tls config envs
+KEYSTORE_PATH=/etc/onap/aaf/certservice/certs/certServiceClient-keystore.jks
+KEYSTORE_PASSWORD=secret
+TRUSTSTORE_PATH=/etc/onap/aaf/certservice/certs/truststore.jks
+TRUSTSTORE_PASSWORD=secret
diff --git a/sanitycheck/pnfsimulator-secured/certservice/ejbca-resources/ejbca-configuration.sh b/sanitycheck/pnfsimulator-secured/certservice/ejbca-resources/ejbca-configuration.sh
new file mode 100755
index 0000000..77f5c55
--- /dev/null
+++ b/sanitycheck/pnfsimulator-secured/certservice/ejbca-resources/ejbca-configuration.sh
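Review bot: `SANS=example.org` and `COMMON_NAME=onap.org` request a certificate for names that nothing in this change actually serves under: docker-compose-ves.yml mounts the client's output as the VES collector's keystore, and the README tells the simulator to reach that collector at `https://<docker0 ip>:8444`. If the simulator verifies the server hostname the TLS handshake will fail on the name mismatch, and if it does not, that relaxation should be stated somewhere; the SAN list should name the host the collector is addressed by. `KEYSTORE_PASSWORD=secret` and `TRUSTSTORE_PASSWORD=secret` are the store passwords chosen in certservice/certs/Makefile, so a change there must be mirrored here; a comment such as `# must match -storepass in ../certs/Makefile` above the `#Tls config envs` block would make the coupling visible.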
@@ -0,0 +1,19 @@
+#!/bin/bash
+
+configureEjbca() {
+ ejbca.sh config cmp addalias --alias cmpRA
+ ejbca.sh config cmp updatealias --alias cmpRA --key operationmode --value ra
+ ejbca.sh ca editca --caname ManagementCA --field cmpRaAuthSecret --value mypassword
+ ejbca.sh config cmp updatealias --alias cmpRA --key responseprotection --value pbe
+ ejbca.sh config cmp dumpalias --alias cmpRA
+ ejbca.sh config cmp addalias --alias cmp
+ ejbca.sh config cmp updatealias --alias cmp --key allowautomatickeyupdate --value true
+ ejbca.sh config cmp updatealias --alias cmp --key responseprotection --value pbe
+ ejbca.sh ra addendentity --username Node123 --dn "CN=Node123" --caname ManagementCA --password mypassword --type 1 --token USERGENERATED
+ ejbca.sh ra setclearpwd --username Node123 --password mypassword
+ ejbca.sh config cmp updatealias --alias cmp --key extractusernamecomponent --value CN
+ ejbca.sh config cmp dumpalias --alias cmp
+ ejbca.sh ca getcacert --caname ManagementCA -f /dev/stdout > cacert.pem
+}
+
+configureEjbca
diff --git a/sanitycheck/pnfsimulator-secured/docker-compose-certman.yml b/sanitycheck/pnfsimulator-secured/docker-compose-certman.yml
new file mode 100644
index 0000000..e20f78d
--- /dev/null
+++ b/sanitycheck/pnfsimulator-secured/docker-compose-certman.yml
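Review bot: The script runs without `set -euo pipefail`, so when any `ejbca.sh` call fails (for example `addalias` on a re-run when the alias already exists, or `editca` rejecting the field) the remaining steps still execute and the Makefile's `--configure-ejbca` target exits 0, leaving a CA whose CMP aliases are only partly configured; add `set -euo pipefail` directly after the shebang so the failure surfaces in `make start-ejbca`. The shared secret `mypassword` appears three times (`cmpRaAuthSecret`, `addendentity --password`, `setclearpwd --password`) and must equal the `iak`/`rv` values in certservice-resources/cmpServers.json; hoisting it into one variable, `CMP_SECRET="${CMP_SECRET:-mypassword}"`, keeps the occurrences in step and allows an override without editing a tracked script. `getcacert ... > cacert.pem` writes into whatever the container's working directory happens to be when `docker exec` runs; an absolute path would make the exported CA certificate easier to locate.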
@@ -0,0 +1,71 @@
+version: '3'
+
+networks:
+ tls-init-network:
+
+volumes:
+ certs-volume:
+
+services:
+ certs-init:
+ image: nexus3.onap.org:10001/onap/org.onap.dcaegen2.deployments.tls-init-container:2.1.0
+ extra_hosts:
+ #set worker IP with access to AAF
+ aaf-locate.onap: #for example 10.183.35.177
+ aaf-cm.onap: #for example 10.183.35.177
+ aaf-service.onap: #for example 10.183.35.177
+ environment:
+ - aaf_locate_url=https://aaf-locate.onap:31111
+ - aaf_url_cm=https://aaf-cm.onap:31114
+ - aaf_url=https://aaf-service.onap:31110
+ networks:
+ - tls-init-network
+ volumes:
+ - certs-volume:/opt/app/osaaf
+ mongo:
+ image: mongo
+ restart: always
+ environment:
+ MONGO_INITDB_ROOT_USERNAME: root
+ MONGO_INITDB_ROOT_PASSWORD: zXcVbN123!
+ MONGO_INITDB_DATABASE: pnf_simulator
+ networks:
+ - tls-init-network
+ volumes:
+ - ../../pnfsimulator/db:/docker-entrypoint-initdb.d
+ ports:
+ - "27017:27017"
+
+ mongo-express:
+ image: mongo-express
+ restart: always
+ ports:
+ - 8081:8081
+ networks:
+ - tls-init-network
+ environment:
+ ME_CONFIG_MONGODB_ADMINUSERNAME: root
+ ME_CONFIG_MONGODB_ADMINPASSWORD: zXcVbN123!
+
+ pnf-simulator:
+ image: nexus3.onap.org:10001/onap/org.onap.integration.simulators.pnfsimulator
+ ports:
+ - "5000:5000"
+ command: bash -c "
+ while [[ $$(ls -1 /app/store | wc -l) != '10' ]]; do echo 'Waiting for certs...'; sleep 3; done
+ && export CLIENT_CERT_PASS=$$(cat /app/store/p12.pass)
+ && export TRUST_CERT_PASS=$$(cat /app/store/trust.pass)
+ && java -Dspring.config.location=file:/app/application.properties -cp /app/libs/*:/app/pnf-simulator.jar org.onap.pnfsimulator.Main
+ "
+ volumes:
+ - ../../pnfsimulator/logs:/var/log
+ - ../../pnfsimulator/templates:/app/templates
+ - ../../pnfsimulator/src/main/resources/application.properties:/app/application.properties
+ - certs-volume:/app/store
+ networks:
+ - tls-init-network
+ restart: on-failure
+ depends_on:
+ - certs-init
+ - mongo
+ - mongo-express
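Review bot: The three `extra_hosts` entries `aaf-locate.onap:`, `aaf-cm.onap:` and `aaf-service.onap:` carry no value, only a trailing comment, so they parse as YAML null; docker-compose is likely to reject the file or produce a broken hosts entry, and the README's instruction to fill in the IPs is the only thing that makes the file usable. Compose variable interpolation with a required-variable error, `aaf-locate.onap: "${AAF_WORKER_IP:?set the IP of a worker with AAF access}"` on each of the three lines, turns the silent misconfiguration into an immediate, explicit failure and removes the need to edit a tracked file. Separately, `mongo` publishes `27017:27017` and `mongo-express` publishes `8081:8081` on every host interface with the committed root password `zXcVbN123!`, which makes the simulator's database reachable from the network of whichever machine runs the sanity check; binding them as `"127.0.0.1:27017:27017"` and `"127.0.0.1:8081:8081"` keeps them local, and the same applies to the two services in docker-compose-certservice.yml.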
diff --git a/sanitycheck/pnfsimulator-secured/docker-compose-certservice.yml b/sanitycheck/pnfsimulator-secured/docker-compose-certservice.yml
new file mode 100644
index 0000000..4548f04
--- /dev/null
+++ b/sanitycheck/pnfsimulator-secured/docker-compose-certservice.yml
@@ -0,0 +1,93 @@
+version: "2.1"
+
+networks:
+ certservice-network:
+ driver: bridge
+ name: certservice-network
+ pnf-simulator-network:
+ driver: bridge
+ name: pnf-simulator-network
+
+services:
+
+ aaf-cert-service:
+ image: nexus3.onap.org:10003/onap/org.onap.aaf.certservice.aaf-certservice-api:latest
+ volumes:
+ - ./certservice/certservice-resources/cmpServers.json:/etc/onap/aaf/certservice/cmpServers.json
+ - ./certservice/certs/truststore.jks:/etc/onap/aaf/certservice/certs/truststore.jks
+ - ./certservice/certs/root.crt:/etc/onap/aaf/certservice/certs/root.crt
+ - ./certservice/certs/certServiceServer-keystore.jks:/etc/onap/aaf/certservice/certs/certServiceServer-keystore.jks
+ - ./certservice/certs/certServiceServer-keystore.p12:/etc/onap/aaf/certservice/certs/certServiceServer-keystore.p12
+ container_name: aafcert-service
+ ports:
+ - "8443:8443"
+ healthcheck:
+ test: ["CMD-SHELL", "curl https://localhost:8443/actuator/health --cacert /etc/onap/aaf/certservice/certs/root.crt --cert-type p12 --cert /etc/onap/aaf/certservice/certs/certServiceServer-keystore.p12 --pass secret"]
+ interval: 10s
+ timeout: 3s
+ retries: 15
+ networks:
+ - certservice-network
+
+ aaf-cert-client:
+ image: nexus3.onap.org:10003/onap/org.onap.aaf.certservice.aaf-certservice-client:latest
+ container_name: aafcert-client
+ env_file: ./certservice/client-resources/client-configuration.env
+ networks:
+ - certservice-network
+ volumes:
+ - ./certservice/client-resources/client-volume:/var/certs:rw
+ - ./certservice/certs/truststore.jks:/etc/onap/aaf/certservice/certs/truststore.jks
+ - ./certservice/certs/certServiceClient-keystore.jks:/etc/onap/aaf/certservice/certs/certServiceClient-keystore.jks
+ depends_on:
+ aaf-cert-service:
+ condition: service_healthy
+
+ mongo:
+ image: mongo
+ restart: always
+ networks:
+ - pnf-simulator-network
+ environment:
+ MONGO_INITDB_ROOT_USERNAME: root
+ MONGO_INITDB_ROOT_PASSWORD: zXcVbN123! 
+ MONGO_INITDB_DATABASE: pnf_simulator
+ volumes:
+ - ../../pnfsimulator/db:/docker-entrypoint-initdb.d
+ ports:
+ - "27017:27017"
+
+ mongo-express:
+ image: mongo-express
+ restart: always
+ networks:
+ - pnf-simulator-network
+ ports:
+ - 8081:8081
+ environment:
+ ME_CONFIG_MONGODB_ADMINUSERNAME: root
+ ME_CONFIG_MONGODB_ADMINPASSWORD: zXcVbN123!
+
+ pnf-simulator:
+ image: nexus3.onap.org:10003/onap/org.onap.integration.simulators.pnfsimulator
+ ports:
+ - "5000:5000"
+ networks:
+ - pnf-simulator-network
+ command: bash -c "
+ while [[ $$(ls -1 /app/store | wc -l) != '4' ]]; do echo 'Waiting for certs...'; sleep 3; done
+ && mv /app/store/truststore.jks /app/store/trust.jks
+ && mv /app/store/keystore.jks /app/store/cert.p12
+ && export CLIENT_CERT_PASS=$$(cat /app/store/keystore.pass)
+ && export TRUST_CERT_PASS=$$(cat /app/store/truststore.pass)
+ && java -Dspring.config.location=file:/app/application.properties -cp /app/libs/*:/app/pnf-simulator.jar org.onap.pnfsimulator.Main
+ "
+ volumes:
+ - ../../pnfsimulator/logs:/var/log
+ - ../../pnfsimulator/templates:/app/templates
+ - ../../pnfsimulator/src/main/resources/application.properties:/app/application.properties
+ - ./certservice/client-resources/client-volume/:/app/store/
+ restart: on-failure
+ depends_on:
+ - mongo
+ - mongo-express
diff --git a/sanitycheck/pnfsimulator-secured/docker-compose-ves.yml b/sanitycheck/pnfsimulator-secured/docker-compose-ves.yml
new file mode 100644
index 0000000..85e4286
--- /dev/null
+++ b/sanitycheck/pnfsimulator-secured/docker-compose-ves.yml
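Review bot: `aaf-cert-service` and `aaf-cert-client` pull `:latest` from `nexus3.onap.org:10003` and `pnf-simulator` carries no tag at all, so the components that issue and consume the PKI material change silently whenever a new snapshot is pushed and the sanity check is not reproducible; pin the three images to a version or digest, as docker-compose-certman.yml already does for the tls-init image (`:2.1.0`). The healthcheck passes `--pass secret` on the command line, which is consistent with the fixed store password from certservice/certs/Makefile but means the keystore password is visible in `docker inspect` output and process listings; fine for a throwaway environment, but a comment above `healthcheck:` should say the value is tied to that Makefile. The pnf-simulator command renames `keystore.jks` to `cert.p12`, and docker-compose-ves.yml then reads that file with `-srcstoretype pkcs12`; this only works if the certservice client writes PKCS12 content under a `.jks` name, and since nothing here checks the format, a comment such as `# client writes a PKCS12 store despite the .jks suffix; simulator expects cert.p12` above the `mv` lines would record the assumption.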
@@ -0,0 +1,31 @@
+version: '3'
+services:
+ ves:
+ container_name: ves
+ image: nexus3.onap.org:10003/onap/org.onap.dcaegen2.collectors.ves.vescollector:latest
+ ports:
+ - "8082:8080"
+ - "8444:8443"
+ networks:
+ - vesnetwork
+ command: bash -c "
+ rm -f /opt/app/VESCollector/etc/keystore
+ && echo $$(cat /opt/app/VESCollector/etc/trustpasswordfile)
+ && keytool -importkeystore -srckeystore /opt/app/VESCollector/etc/cert.p12 -srcstorepass $$(cat /opt/app/VESCollector/etc/passwordfile) -srcstoretype pkcs12 -destkeystore /opt/app/VESCollector/etc/keystore -deststoretype jks -deststorepass $$(cat /opt/app/VESCollector/etc/passwordfile)
+ && bin/docker-entry.sh
+ "
+ volumes:
+ - ./certservice/client-resources/client-volume/cert.p12:/opt/app/VESCollector/etc/cert.p12
+ - ./certservice/client-resources/client-volume/keystore.pass:/opt/app/VESCollector/etc/passwordfile
+ - ./certservice/client-resources/client-volume/trust.jks:/opt/app/VESCollector/etc/truststore
+ - ./certservice/client-resources/client-volume/truststore.pass:/opt/app/VESCollector/etc/trustpasswordfile
+ onap-dmaap:
+ container_name: dmaap
+ image: dmaap-simulator
+ ports:
+ - "3904:3904"
+ networks:
+ - vesnetwork
+networks:
+ vesnetwork:
+ driver: bridge
diff --git a/sanitycheck/tools/README.md b/sanitycheck/tools/README.md
deleted file mode 100644
index 2d6b3d0..0000000
--- a/sanitycheck/tools/README.md
+++ /dev/null
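Review bot: The command step `echo $$(cat /opt/app/VESCollector/etc/trustpasswordfile)` prints the truststore password to the container's stdout, so it lands in `docker logs` and in any log shipper attached to the host; it looks like a leftover debugging aid and should be removed, since the following `keytool -importkeystore` already reads the password files directly. The `vescollector:latest` image and the untagged local `dmaap-simulator` image are unpinned; at least the Nexus one should carry a version so the collector's HTTPS/authentication behaviour this setup depends on does not change underneath the test. The `keytool` conversion also assumes `cert.p12` really is PKCS12 and that both password files are single-line values produced by the certservice client, and nothing checks either before `bin/docker-entry.sh` is started; a failed import would surface only as the collector coming up without its keystore.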
@@ -1,93 +0,0 @@ -Standalone PNF Simulator configuration for HTTPS communication with VES ------------------------- - -### Description - -docker-compose.yml prepares PNF simulator container for HTTPS communication with VES. - -When docker-compose starts certs-init container fills connected volume with certificates, truststores, keystores, -passwords etc. Next pnf-simulator container starts and connects to the same volume. On startup it should read password -values from proper files and set them in system environment variables. With these variables and files in volume -application is ready to work on HTTPS. - -### Prerequisites - -1. certs-init container works with external AAF on cloud. Due to that fact it must have set correct IPs to workers that -has access to AAF. In docker-compose.yml fields with mentioned IPs are: - - * aaf-locate.onap - * aaf-cm.onap - * aaf-service.onap - -### Start - -**ATTENTION** - -Proper IPs to AAF must be set in the docker-compose.yml before start (as described in prerequisites)! - -``` -docker-compose up -``` - -### Send event - -**ATTENTION** - -``sanitycheck/events/eventToVes.json`` file which is request for sending event to VES must have correct ``vesServerURL`` -field before sending event. -IP of ``vesServerURL`` should be the same as given in docker-compose.yml in ``aaf-locate.onap`` field. -To use secured connection remember about setting protocol to https:// and port to proper secured port of VES. 
- -To send event from PNF simulator to VES use this command from ``pnf-simulator/sanitycheck`` directory: - -```` -make generate-event -```` - -Sample ``sanitycheck/events/eventToVes.json`` file content is: - -```json -{ - "vesServerUrl": "https://10.183.35.177:30417/eventListener/v7", - "event": { - "event": { - "commonEventHeader": { - "version": "4.0.1", - "vesEventListenerVersion": "7.0.1", - "domain": "fault", - "eventName": "Fault_Vscf:Acs-Ericcson_PilotNumberPoolExhaustion", - "eventId": "fault0000245", - "sequence": 1, - "priority": "High", - "reportingEntityId": "cc305d54-75b4-431b-adb2-eb6b9e541234", - "reportingEntityName": "ibcx0001vm002oam001", - "sourceId": "de305d54-75b4-431b-adb2-eb6b9e546014", - "sourceName": "scfx0001vm002cap001", - "nfVendorName": "Ericsson", - "nfNamingCode": "scfx", - "nfcNamingCode": "ssc", - "startEpochMicrosec": 1413378172000000, - "lastEpochMicrosec": 1413378172000000, - "timeZoneOffset": "UTC-05:30" - }, - "faultFields": { - "faultFieldsVersion": "4.0", - "alarmCondition": "PilotNumberPoolExhaustion", - "eventSourceType": "other", - "specificProblem": "Calls cannot complete - pilot numbers are unavailable", - "eventSeverity": "CRITICAL", - "vfStatus": "Active", - "alarmAdditionalInformation": { - "PilotNumberPoolSize": "1000" - } - } - } - } -} - -``` - -### Stop -``` -docker-compose down -``` \ No newline at end of file diff --git a/sanitycheck/tools/docker-compose.yml b/sanitycheck/tools/docker-compose.yml deleted file mode 100644 index 3016189..0000000 --- a/sanitycheck/tools/docker-compose.yml +++ /dev/null 
@@ -1,71 +0,0 @@
-version: '3'
-
-networks:
- tls-init-network:
-
-volumes:
- certs-volume:
-
-services:
- certs-init:
- image: nexus3.onap.org:10001/onap/org.onap.dcaegen2.deployments.tls-init-container:2.1.0
- extra_hosts:
- #set worker IP with access to AAF
- aaf-locate.onap: 10.183.35.177
- aaf-cm.onap: 10.183.35.177
- aaf-service.onap: 10.183.35.177
- environment:
- - aaf_locate_url=https://aaf-locate.onap:31111
- - aaf_url_cm=https://aaf-cm.onap:31114
- - aaf_url=https://aaf-service.onap:31110
- networks:
- - tls-init-network
- volumes:
- - certs-volume:/opt/app/osaaf
- mongo:
- image: mongo
- restart: always
- environment:
- MONGO_INITDB_ROOT_USERNAME: root
- MONGO_INITDB_ROOT_PASSWORD: zXcVbN123!
- MONGO_INITDB_DATABASE: pnf_simulator
- networks:
- - tls-init-network
- volumes:
- - ../../pnfsimulator/db:/docker-entrypoint-initdb.d
- ports:
- - "27017:27017"
-
- mongo-express:
- image: mongo-express
- restart: always
- ports:
- - 8081:8081
- networks:
- - tls-init-network
- environment:
- ME_CONFIG_MONGODB_ADMINUSERNAME: root
- ME_CONFIG_MONGODB_ADMINPASSWORD: zXcVbN123!
-
- pnf-simulator:
- image: nexus3.onap.org:10001/onap/org.onap.integration.simulators.pnfsimulator
- ports:
- - "5000:5000"
- command: bash -c "
- while [[ $$(ls -1 /app/store | wc -l) != '10' ]]; do echo 'Waiting for certs...'; sleep 3; done
- && export CLIENT_CERT_PASS=$$(cat /app/store/p12.pass)
- && export TRUST_CERT_PASS=$$(cat /app/store/trust.pass)
- && java -Dspring.config.location=file:/app/application.properties -cp /app/libs/*:/app/pnf-simulator.jar org.onap.pnfsimulator.Main
- "
- volumes:
- - ../../pnfsimulator/logs:/var/log
- - ../../pnfsimulator/templates:/app/templates
- - ../../pnfsimulator/src/main/resources/application.properties:/app/application.properties
- - certs-volume:/app/store
- networks:
- - tls-init-network
- restart: on-failure
- depends_on:
- - certs-init
- - mongo
- - mongo-express
-- cgit 1.2.3-korg