diff options
author | Krzysztof Opasiak <k.opasiak@samsung.com> | 2021-04-02 08:56:15 +0200 |
---|---|---|
committer | Sylvain Desbureaux <sylvain.desbureaux@orange.com> | 2021-04-06 12:36:55 +0000 |
commit | 588079420a5c225db6131cc166e75f1fe026c79e (patch) | |
tree | 153d8fee3b4466e0ccc1b05ea3f8c28fbd1c01bd | |
parent | 58516015120dfad3aa6bd3ad251879b060ec640b (diff) |
[AAI] Fix truststore password to avoid exceptions
Deployment of aai-resources sometimes fails with exception:
org.springframework.expression.ParseException:
Expression [BH#{XS@*#xoUULIO)eQkxaBA] @2: No ending suffix
'}' for expression starting at character 2: #{XS@*#xoUULIO)eQkxaBA
which basically means that aai-resources (and probably aai-traversal)
are unable to handle special characters that AAF is putting into cert
passwords. To avoid random AAI failures let's use a know method
proposed by Sylvain Desbureaux and just set passwords that contains
only alphanumeric characters.
Issue-ID: OOM-1
Change-Id: I248c2de6e59e4fc073b5a06f6409802634b254cf
Signed-off-by: Krzysztof Opasiak <k.opasiak@samsung.com>
-rw-r--r-- | kubernetes/aai/components/aai-resources/values.yaml | 21 | ||||
-rw-r--r-- | kubernetes/aai/components/aai-traversal/values.yaml | 21 |
2 files changed, 36 insertions, 6 deletions
diff --git a/kubernetes/aai/components/aai-resources/values.yaml b/kubernetes/aai/components/aai-resources/values.yaml index b1d8a0ad7b..7509cb3bd6 100644 --- a/kubernetes/aai/components/aai-resources/values.yaml +++ b/kubernetes/aai/components/aai-resources/values.yaml @@ -137,9 +137,24 @@ certInitializer: credsPath: /opt/app/osaaf/local fqi_namespace: org.onap.aai-resources aaf_add_config: | - echo "*** writing passwords into prop file" - echo "KEYSTORE_PASSWORD=${cadi_keystore_password_p12}" > {{ .Values.credsPath }}/mycreds.prop - echo "TRUSTSTORE_PASSWORD=${cadi_truststore_password}" >> {{ .Values.credsPath }}/mycreds.prop + echo "*** changing them into shell safe ones" + export KEYSTORE_PASSWORD=$(tr -cd '[:alnum:]' < /dev/urandom | fold -w64 | head -n1) + export TRUSTSTORE_PASSWORD=$(tr -cd '[:alnum:]' < /dev/urandom | fold -w64 | head -n1) + cd {{ .Values.credsPath }} + keytool -storepasswd -new "${KEYSTORE_PASSWORD}" \ + -storepass "${cadi_keystore_password_p12}" \ + -keystore {{ .Values.fqi_namespace }}.p12 + keytool -storepasswd -new "${TRUSTSTORE_PASSWORD}" \ + -storepass "${cadi_truststore_password}" \ + -keystore {{ .Values.fqi_namespace }}.trust.jks + echo "*** set key password as same password as keystore password" + keytool -keypasswd -new "${KEYSTORE_PASSWORD}" \ + -keystore {{ .Values.fqi_namespace }}.p12 \ + -keypass "${cadi_keystore_password_p12}" \ + -storepass "${KEYSTORE_PASSWORD}" -alias {{ .Values.fqi }} + echo "*** save the generated passwords" + echo "KEYSTORE_PASSWORD=${KEYSTORE_PASSWORD}" > mycreds.prop + echo "TRUSTSTORE_PASSWORD=${TRUSTSTORE_PASSWORD}" >> mycreds.prop echo "*** change ownership of certificates to targeted user" chown -R 1000 {{ .Values.credsPath }} diff --git a/kubernetes/aai/components/aai-traversal/values.yaml b/kubernetes/aai/components/aai-traversal/values.yaml index 8a063c2ba4..253f9b9e93 100644 --- a/kubernetes/aai/components/aai-traversal/values.yaml +++ b/kubernetes/aai/components/aai-traversal/values.yaml @@ -123,9 +123,24 @@ certInitializer: credsPath: /opt/app/osaaf/local fqi_namespace: org.onap.aai-traversal aaf_add_config: | - echo "*** writing passwords into prop file" - echo "KEYSTORE_PASSWORD=${cadi_keystore_password_p12}" > {{ .Values.credsPath }}/mycreds.prop - echo "TRUSTSTORE_PASSWORD=${cadi_truststore_password}" >> {{ .Values.credsPath }}/mycreds.prop + echo "*** changing them into shell safe ones" + export KEYSTORE_PASSWORD=$(tr -cd '[:alnum:]' < /dev/urandom | fold -w64 | head -n1) + export TRUSTSTORE_PASSWORD=$(tr -cd '[:alnum:]' < /dev/urandom | fold -w64 | head -n1) + cd {{ .Values.credsPath }} + keytool -storepasswd -new "${KEYSTORE_PASSWORD}" \ + -storepass "${cadi_keystore_password_p12}" \ + -keystore {{ .Values.fqi_namespace }}.p12 + keytool -storepasswd -new "${TRUSTSTORE_PASSWORD}" \ + -storepass "${cadi_truststore_password}" \ + -keystore {{ .Values.fqi_namespace }}.trust.jks + echo "*** set key password as same password as keystore password" + keytool -keypasswd -new "${KEYSTORE_PASSWORD}" \ + -keystore {{ .Values.fqi_namespace }}.p12 \ + -keypass "${cadi_keystore_password_p12}" \ + -storepass "${KEYSTORE_PASSWORD}" -alias {{ .Values.fqi }} + echo "*** save the generated passwords" + echo "KEYSTORE_PASSWORD=${KEYSTORE_PASSWORD}" > mycreds.prop + echo "TRUSTSTORE_PASSWORD=${TRUSTSTORE_PASSWORD}" >> mycreds.prop echo "*** change ownership of certificates to targeted user" chown -R 1000 {{ .Values.credsPath }} |