Cert service
General description
More information about the project and all its functionalities you can find under the wiki page:
https://wiki.onap.org/display/DW/OOM+Certification+Service
Project consists of four submodules: 1. oom-certservice-api 2. deprecated (no longer built) oom-certservice-client 3. oom-certservice-post-processor 4. oom-certservice-k8s-external-provider
Detailed information about submodules can be found in README.md in their directories.
Project building
mvn clean package
Install the packages into the local repository
mvn clean install
Building Docker images and install packages into local repository
mvn clean install -P docker
or
make build
Generating certificates
There are example certificates already generated in certs/ directory. In order to generate new certificates, first remove existing ones. Then execute following command from certs(!) directory:
make
Running Docker containers from docker-compose with EJBCA
Docker-compose uses a local image of certservice-api and make run-client uses a released image of certservice-client Build certservice-api docker image locally before running docker compose command.
1. Build local images
make build
2. Start Cert Service with configured EJBCA
make start-backend
3. Run Cert Service Client
make run-client
4. Stop Cert Service and EJBCA
make stop-backend
Generating certificates via REST Api
Requirements
- OpenSSL
- cURL
- jq (for parseCertServiceResponse.sh script)
Initialization Request
- Create Certificate Signing Request and Private Key
openssl req -new -newkey rsa:2048 -nodes -keyout ./compose-resources/certs-from-curl/ir.key \
-out ./compose-resources/certs-from-curl/ir.csr \
-subj "/C=US/ST=California/L=San-Francisco/O=ONAP/OU=Linux-Foundation/CN=onap.org" \
-addext "subjectAltName = DNS:test.onap.org"
- Send Initialization Request
curl -s https://localhost:8443/v1/certificate/RA -H "PK: $(cat ./compose-resources/certs-from-curl/ir.key | base64 | tr -d \\n)" \
-H "CSR: $(cat ./compose-resources/certs-from-curl/ir.csr | base64 | tr -d \\n)" \
--cert ./certs/cmpv2Issuer-cert.pem \
--key ./certs/cmpv2Issuer-key.pem \
--cacert ./certs/cacert.pem
to parse the response pipe the output to parseCertserviceResponse.sh script, providing prefix as argument
curl -sN https://localhost:8443/v1/certificate/RA -H "PK: $(cat ./compose-resources/certs-from-curl/ir.key | base64 | tr -d \\n)" \
-H "CSR: $(cat ./compose-resources/certs-from-curl/ir.csr | base64 | tr -d \\n)" \
--cert ./certs/cmpv2Issuer-cert.pem \
--key ./certs/cmpv2Issuer-key.pem \
--cacert ./certs/cacert.pem | `pwd`/parseCertServiceResponse.sh "ir"
Update Request
- Create Certificate Signing Request and Private Key - same as for Initialization Request. When CSR data (like Subject and SANS) is unchanged, Key Update Request will be performed. Otherwise Certification Request will be performed. Example for KUR:
openssl req -new -newkey rsa:2048 -nodes -keyout ./compose-resources/certs-from-curl/kur.key \
-out ./compose-resources/certs-from-curl/kur.csr \
-subj "/C=US/ST=California/L=San-Francisco/O=ONAP/OU=Linux-Foundation/CN=onap.org" \
-addext "subjectAltName = DNS:test.onap.org"
Example for CR:
openssl req -new -newkey rsa:2048 -nodes -keyout ./compose-resources/certs-from-curl/cr.key \
-out ./compose-resources/certs-from-curl/cr.csr \
-subj "/C=US/ST=California/L=San-Francisco/O=ONAP/OU=Linux-Foundation/CN=new-onap.org" \
-addext "subjectAltName = DNS:test.onap.org"
- Send Update Request. Example for KUR:
curl -sN https://localhost:8443/v1/certificate-update/RA -H "PK: $(cat ./compose-resources/certs-from-curl/kur.key | base64 | tr -d \\n)" \
-H "CSR: $(cat ./compose-resources/certs-from-curl/kur.csr | base64 | tr -d \\n)" \
-H "OLDPK: $(cat ./compose-resources/certs-from-curl/ir.key | base64 | tr -d \\n)" \
-H "OLDCERT: $(cat ./compose-resources/certs-from-curl/ir-cert.pem | base64 | tr -d \\n)" \
--cert ./certs/cmpv2Issuer-cert.pem \
--key ./certs/cmpv2Issuer-key.pem \
--cacert ./certs/cacert.pem | `pwd`/parseCertServiceResponse.sh "kur"
Example CR:
curl -sN https://localhost:8443/v1/certificate-update/RA -H "PK: $$(cat ./compose-resources/certs-from-curl/cr.key | base64 | tr -d \\n)" \
-H "CSR: $$(cat ./compose-resources/certs-from-curl/cr.csr | base64 | tr -d \\n)" \
-H "OLD_PK: $$(cat ./compose-resources/certs-from-curl/ir.key | base64 | tr -d \\n)" \
-H "OLD_CERT: $$(cat ./compose-resources/certs-from-curl/ir-cert.pem | base64 | tr -d \\n)" \
--cert ./certs/cmpv2Issuer-cert.pem \
--key ./certs/cmpv2Issuer-key.pem \
--cacert ./certs/cacert.pem | `pwd`/parseCertServiceResponse.sh "cr"
Using makefile
- Perform Initialization Request:
make send-initialization-request
- Perform Update Request:
make send-key-update-request
or:
make send-certification-request
To send request to custom CA use make <request> -e CA_NAME=<custom CA> e.g:
make send-initialization-request -e CA_NAME=CUSTOM_CA
OOM CertService CSITs
CSIT repository
https://gerrit.onap.org/r/admin/repos/integration/csit
How to run tests locally
- Checkout CSIT repository
- Configure CSIT local environment
- Inside CSIT directory execute
sudo ./run-csit.sh plans/oom-platform-cert-service/certservice
Jenkins build
https://jenkins.onap.org/view/CSIT/job/oom-platform-cert-service-master-csit-certservice/
Sonar results
https://sonarcloud.io/dashboard?id=onap_oom-platform-cert-service
Maven artifacts
All maven artifacts are deployed under nexus uri:
https://nexus.onap.org/content/repositories/snapshots/org/onap/oom/certservice/
Docker artifacts
All docker images are hosted under nexus3 uri:
https://nexus3.onap.org/repository/docker.snapshot/v2/onap/org.onap.oom.certservice.oom-certservice-api/
How to release containers
https://github.com/lfit/releng-global-jjb/blob/master/docs/jjb/lf-release-jobs.rst