diff options
50 files changed, 730 insertions, 250 deletions
@@ -23,6 +23,8 @@ run-client: --env-file ./compose-resources/client-configuration.env \ --network certservice_certservice \ --mount type=bind,src=`pwd`/compose-resources/client-volume/,dst=/var/certs \ + --volume `pwd`/certs/truststore.jks:/etc/onap/aaf/certservice/certs/truststore.jks \ + --volume `pwd`/certs/certServiceClient-keystore.jks:/etc/onap/aaf/certservice/certs/certServiceClient-keystore.jks \ onap/org.onap.aaf.certservice.aaf-certservice-client:latest stop-client: @@ -30,6 +30,14 @@ or make build ``` +### Generating certificates +There are example certificates already generated in certs/ directory. +In order to generate new certificates, first remove existing ones. +Then execute following command from certs(!) directory: +``` + make +``` + ### Running Docker containers from docker-compose with EJBCA Docker-compose uses a local image of certservice-api and make run-client uses a local image of certservice-client Build docker images locally before running docker compose command. @@ -45,13 +53,6 @@ make stop-client 4. Stop Cert Service and EJBCA make stop-backend ``` - -### Running API with Helm -1. Use environment/server with installed kubernetes and helm. -2. Copy certService/helm/aaf-cert-service directory to that environment. -3. Enter that environment -4. Run ```helm install ./aaf-cert-service``` - ### AAF CertService CSITs #### CSIT repository diff --git a/certService/OpenAPI.yaml b/certService/OpenAPI.yaml index cee5a402..14f8b6bc 100644 --- a/certService/OpenAPI.yaml +++ b/certService/OpenAPI.yaml @@ -1,3 +1,20 @@ +# ============LICENSE_START======================================================= +# aaf-certservice +# ================================================================================ +# Copyright (C) 2020 Nokia. All rights reserved. +# ================================================================================ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# ============LICENSE_END========================================================= openapi: 3.0.1 info: title: CertService Documentation @@ -17,7 +34,7 @@ paths: get: tags: - CertificationService - summary: sign certificate + summary: Sign certificate description: Web endpoint for requesting certificate signing. Used by system components to gain certificate signed by CA. operationId: signCertificate @@ -28,6 +45,7 @@ paths: required: true schema: type: string + example: "RA_TEST" - name: CSR in: header description: Certificate signing request in form of PEM object encoded in @@ -35,6 +53,7 @@ paths: required: true schema: type: string + example: "LS0tLS1CRUdJTiBDRVJUSUZJQ0FURSBSRVFVRVNULS0tLS0KTUlJREVqQ0NBZm9DQVFBd2daY3hDekFKQmdOVkJBWVRBbFZUTVJNd0VRWURWUVFJREFwRFlXeHBabTl5Ym1saApNUll3RkFZRFZRUUhEQTFUWVc0dFJuSmhibU5wYzJOdk1Sa3dGd1lEVlFRS0RCQk1hVzUxZUMxR2IzVnVaR0YwCmFXOXVNUTB3Q3dZRFZRUUxEQVJQVGtGUU1SRXdEd1lEVlFRRERBaHZibUZ3TG05eVp6RWVNQndHQ1NxR1NJYjMKRFFFSkFSWVBkR1Z6ZEdWeVFHOXVZWEF1YjNKbk1JSUJJakFOQmdrcWhraUc5dzBCQVFFRkFBT0NBUThBTUlJQgpDZ0tDQVFFQXpRekpQTmhrRURhL3JnUmhJUmpLVDF2RC84Wk9scXA3UmRuYTEybXFIU2FqQ0hHeGR0K1JPZk0vCkpINk9NczZNSjlwNXRJVE5VUWVDUEQ5cE44WkpzMCtOaWQvRE1Nb1B3MW94NnZyNFc5Rnh4K3NGN2hnK05nYjEKNGxvZVZob2EwajlKd1hlc2krSThNbFBObGRMRXlGYnZubDgyNzl0Qjg2dmRpR2g3blFjek8rbnY5elBqZllVcQpIaGlRK1ptMEZjbWFxblVJOG54aWJQNmFMMS9uWFQ3aHlwY0VzOCtpenNZVktqdVdwSjhlZHN0T1NBYTlkWXkrCkVhYTFPTlo5RFRDQzArZmM4S0pBNGJjWVE0T2tPYXFmcnhxY0xMOXZJL1BROWZtYThTUXBmcXVTbmQvbjNOazMKK1NoYnVCclorVnNQRWhsWnBJb2lXdS9scjlrdnp3SURBUUFCb0RVd013WUpLb1pJaHZjTkFRa09NU1l3SkRBaQpCZ05WSFJFRUd6QVpnZ2h2Ym1Gd0xtOXlaNElOZEdWemRDNXZibUZ3TG05eVp6QU5CZ2txaGtpRzl3MEJBUXNGCkFBT0NBUUVBV0N2QlJzTmZ5S0F1NWhIWldWUm8xd2VWSVJvbHQyRWdsSUkzbHI4d0ZlN1hobUtZVlhESzJ3aHEKc2hCakNNQUJHNW90MlBXUE8yK1JLSmsveEh2RXRoQzMybityQlhOS2hHUUJMY3dyeFNBbjVUMHFNa0xzTGJiRAphTU1nTnRiYWxmOC9mVmNWWDY1WTVVb052Y2FScEpvVUdYY1ovZ3kvMG5aWnNXbURkejk1Rys2MXFnY0s3RlhOClB1bENxLy9YNUZkK2NkQy9TTnNxaGtqdlgyd3hYMUZRVVYwcFp0akcwenl3b3JwNE9HSkRiUUxtaWFZSlQ2Ym8KNjAyZ21zWFNTQlJzVWFCOEsxeWMzalRkS043QjYxcjhwYW05NlBxQjdXME13MVRJVFAzQnhJTk5kN1hhNlI5VAo5T3BTcDhFcUZ5R043M3NJN0svbDdNZVJvUm1PUUE9PQotLS0tLUVORCBDRVJUSUZJQ0FURSBSRVFVRVNULS0tLS0K" - name: PK in: header description: Private key in form of PEM object encoded in Base64 (with header @@ -42,109 +61,92 @@ paths: required: true schema: type: string + example: "LS0tLS1CRUdJTiBQUklWQVRFIEtFWS0tLS0tCk1JSUV2d0lCQURBTkJna3Foa2lHOXcwQkFRRUZBQVNDQktrd2dnU2xBZ0VBQW9JQkFRRE5ETWs4MkdRUU5yK3UKQkdFaEdNcFBXOFAveGs2V3FudEYyZHJYYWFvZEpxTUljYkYyMzVFNTh6OGtmbzR5em93bjJubTBoTTFSQjRJOApQMmszeGttelQ0MkozOE13eWcvRFdqSHErdmhiMFhISDZ3WHVHRDQyQnZYaVdoNVdHaHJTUDBuQmQ2eUw0and5ClU4MlYwc1RJVnUrZVh6YnYyMEh6cTkySWFIdWRCek03NmUvM00rTjloU29lR0pENW1iUVZ5WnFxZFFqeWZHSnMKL3BvdlgrZGRQdUhLbHdTeno2TE94aFVxTzVha254NTJ5MDVJQnIxMWpMNFJwclU0MW4wTk1JTFQ1OXp3b2tEaAp0eGhEZzZRNXFwK3ZHcHdzdjI4ajg5RDErWnJ4SkNsK3E1S2QzK2ZjMlRmNUtGdTRHdG41V3c4U0dWbWtpaUphCjcrV3YyUy9QQWdNQkFBRUNnZ0VBZkN5cUVYYlo0aGZGckpScVhhaXRtN0Z1Mkk0M09YYTBnSENWM3EzV255Q3UKeW9aUGVqV1p0UVpoenEvMVhUOUlFVHAxU2FUQzBiZENYMG5uWmlkbXFuZ2F0c3dUWUpCOVMwaHJ3bW1KemREZwpucmp0Tm1yb0FiL2xWOVpMV01rbVJQeWVwZExiWXpyMlNXUUd0QnlYbnR0RzhSbW9JMGtjZjN3dEJGYUJ4VzFwClFzRUNXUFBpdjNZRDh2SzlSRG9wdmxCMnFZVWxCTm1kQ3AxWEJXMU9OZm5wckUwZFhiYTJxVzB3M3lqU2dJdGYKUWJBSTJZQzJEWlpIK3liRGFMZWVtb0p3dDdPK1F6NWp4SkgwWkFpSnVaNzNpSTVocFBJQlhLamRkU1p1bjRpRwpEOFZaaCtYWE9yQWJxVURXdlN4UW9kdFhYeGNSSS9aWUx5WWR1OHdhd1FLQmdRRHA3UEhwdWFDSk50MlBLV3d6Cll4SDhIYlB1L0pTS2R3UytZek5SNzJaYlUwSmQxWTdPc1JCR1Bvd24zOW55WDlJYzJINXBLc2VJYnpsK1lJS1MKQW9BKy9nbFZZUGpIZ2RmVHF6R01QMm5meVh0dVpFQzdicVBLSVlzL0Qwb0pGQzFkUThwUjFxcXp6NjJEMEUvawpSS1MrVFhpSlkvMlJiQVhDckFDVnNwVmQzUUtCZ1FEZ1prZE45SkhIMjYyRWdLQ3p1Q0NHMXlYa3IrcWVHZ3ozCldWbUtMaGVveitHVXlvVDVuaGlvUTJxNlllYTJ1ODlVYUdGZFk4Y0hIQVdhUy9UdU9FYzdBRHV4eTZsVWpKWkQKU3V0YU80cWk3eXh6UGxNN2w5alVpejV5MldZZGRnWEhLOG82M0pOSHdwd0FYaDgycytTbm9STUZSd1JOTGsyWQp4WmxxRm55WG13S0JnUUNkdEkrWEtmMHY1SnhVUXZIZVp3RWQvb3hySnoraFpnSDl0UFZKWE9PZDJERGEvL25xCklQYysxRFk3UDdBNHRoNzZNWDV2dWxhUkJhTTJMeXgzOFZXeW9pTjZ1d2lkd0V6WU9BY01iVWdjaGtJL3R6am8KNC90cWIxam9KNCtiTlU0c0hXTE43N0pmelRoR3NHN2NEdWNlSVM2Tk9hc2VtanY3OVdmamhHVXN4UUtCZ1FETQpwbHFYVE5uNjlHek9MK1Rmb3FmL2NZMjhmM2N3VXovS0FYRzRwSXF0U1ZGSXVsNEZyTnA5OG1ZT3J5U1RPTHRBCkZxWGRYeGJ2Yysza0p5dXNhaVVFT1JVMzlDNXN6bjVueHBiWHh2K0wweWF0djRSM0QrZ1BCeUtmNlliSWpZOTkKY29GUHAwU21xR1JQclljNEExNGdSclVyRmZabFVUb3hmdHlJTlJQUnl3S0JnUURoSFkvT24vRTNodmo4aHBKRQplMWNuQ2ZsV2VKWlZSdnBPQm96NCtwMVltMzZZZEQ0azBpSEh6anZUUGlBSnNGTFB5VXVTZXI0T3hpN2cvcmYvCklPVjN4bHZyNXdSRmxLYWxvWjY5azkxNm5qdWM0d2lXVzdMbGt1YWptVDhlSUszTU05MU9SL1VFcE16dFMyMHEKZ3hRMEVieTFaMlh6TWlkMEhZZTlVcTJaSmc9PQotLS0tLUVORCBQUklWQVRFIEtFWS0tLS0tCg==" responses: "200": - description: certificate successfully signed + description: Certificate successfully signed content: - application/json; charset=utf-8: + application/json: schema: $ref: '#/components/schemas/CertificationModel' - "500": - description: something went wrong during connecting to cmp client + "400": + description: Given CSR or/and PK is incorrect content: - application/json; charset=utf-8: + application/json: schema: $ref: '#/components/schemas/ErrorResponseModel' "404": description: CA not found for given name content: - application/json; charset=utf-8: + application/json: schema: $ref: '#/components/schemas/ErrorResponseModel' - "400": - description: given CSR or/and PK is incorrect + "500": + description: Something went wrong during connectiion to CMPv2 server content: - application/json; charset=utf-8: + application/json: schema: $ref: '#/components/schemas/ErrorResponseModel' /ready: get: tags: - CertificationService - summary: check is container is ready + summary: Check if CertService application is ready description: Web endpoint for checking if service is ready to be used. operationId: checkReady responses: "200": - description: configuration is loaded and service is ready to use - content: - application/json; charset=utf-8: - schema: - type: string + description: Configuration is loaded and service is ready to use + content: {} "503": - description: configuration loading failed and service is unavailable - content: - application/json; charset=utf-8: - schema: - type: string + description: Configuration loading failed and service is unavailable + content: {} /reload: get: tags: - CertificationService - summary: reload service configuration from file + summary: Reload CMPv2 servers configuration from configuration file description: Web endpoint for performing configuration reload. Used to reload - configuration file from file. + configuration from file. operationId: reloadConfiguration responses: "200": - description: configuration has been successfully reloaded - content: - application/json; charset=utf-8: - schema: - type: string + description: Configuration has been successfully reloaded + content: {} "500": - description: something went wrong during configuration loading + description: Something went wrong during configuration loading content: - application/json; charset=utf-8: + string: schema: - $ref: '#/components/schemas/ErrorResponseModel' + type: string + example: "can't parse JSON. Raw result: Exception occurred during CMP Servers configuration loading" /actuator/health: get: tags: - Actuator summary: Actuator web endpoint 'health' - operationId: handle_0 + operationId: healthCheck responses: "200": - description: default response - content: {} - /actuator/health/**: - get: - tags: - - Actuator - summary: Actuator web endpoint 'health-path' - operationId: handle_1 - responses: - "200": - description: default response - content: {} - /actuator: - get: - tags: - - Actuator - summary: Actuator root web endpoint - operationId: links_2 - responses: - "200": - description: default response - content: {} + description: Service is healthy + content: + string: + schema: + $ref: '#/components/schemas/StatusResponseModel' components: schemas: + StatusResponseModel: + type: object + properties: + status: + type: string + example: "UP" ErrorResponseModel: type: object properties: errorMessage: type: string + example: "Internal server error" CertificationModel: type: object properties: @@ -152,7 +154,9 @@ components: type: array items: type: string + example: "-----BEGIN CERTIFICATE-----\nMIIErDCCAxSgAwIBAgIUfYvpzoT6WTxiu2KtxDwdvB56iVUwDQYJKoZIhvcNAQEL\nBQAwYTEjMCEGCgmSJomT8ixkAQEME2MtMGI1YzFhYTBkNzA4NjVjNGUxFTATBgNV\nBAMMDE1hbmFnZW1lbnRDQTEjMCEGA1UECgwaRUpCQ0EgQ29udGFpbmVyIFF1aWNr\nc3RhcnQwHhcNMjAwNDAxMTAyNzAwWhcNMjIwNDAxMTAyNDEyWjCBlzEeMBwGCSqG\nSIb3DQEJARYPdGVzdGVyQG9uYXAub3JnMREwDwYDVQQDDAhvbmFwLm9yZzENMAsG\nA1UECwwET05BUDEZMBcGA1UECgwQTGludXgtRm91bmRhdGlvbjEWMBQGA1UEBwwN\nU2FuLUZyYW5jaXNjbzETMBEGA1UECAwKQ2FsaWZvcm5pYTELMAkGA1UEBhMCVVMw\nggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDNDMk82GQQNr+uBGEhGMpP\nW8P/xk6WqntF2drXaaodJqMIcbF235E58z8kfo4yzown2nm0hM1RB4I8P2k3xkmz\nT42J38Mwyg/DWjHq+vhb0XHH6wXuGD42BvXiWh5WGhrSP0nBd6yL4jwyU82V0sTI\nVu+eXzbv20Hzq92IaHudBzM76e/3M+N9hSoeGJD5mbQVyZqqdQjyfGJs/povX+dd\nPuHKlwSzz6LOxhUqO5aknx52y05IBr11jL4RprU41n0NMILT59zwokDhtxhDg6Q5\nqp+vGpwsv28j89D1+ZrxJCl+q5Kd3+fc2Tf5KFu4Gtn5Ww8SGVmkiiJa7+Wv2S/P\nAgMBAAGjgaQwgaEwDAYDVR0TAQH/BAIwADAfBgNVHSMEGDAWgBQ4TWsw5NCfgMjt\nc6sLNV008AniSjAiBgNVHREEGzAZgghvbmFwLm9yZ4INdGVzdC5vbmFwLm9yZzAd\nBgNVHSUEFjAUBggrBgEFBQcDAgYIKwYBBQUHAwQwHQYDVR0OBBYEFAMyW8sAIjOG\n4qiMVEWuBfliFNeyMA4GA1UdDwEB/wQEAwIF4DANBgkqhkiG9w0BAQsFAAOCAYEA\nCviGRpVZgd4Vr3R3pslegH9GRa1TmCVP8wTD6CUA84VqMzVatcdWbaDFNoCVv54v\nUCYPsN8REx/I53R1jbQ5tralj8JMublrdDaKDQY7OdfjL53nGS4OGl76ZLMt50cF\nnXreoSixCdv3OkPO7+P5szzfnwcCQEa235GfHOxAKv2DIhI8+aFMdi1vTJMYmROs\nYA/6DuJAFjfjPM6T4hzKdW8FPyyUw4kWSNRtt+cxN1JxGDYRt1bnjj7u7nMA5Mge\noWn5oeHLO8rkWgMy0BPxL+YVJhqhdD1fiSek99vmWNUKqmui/4TOXf06SjuMgPgL\nOdp/e2+unwOw+TfdQ/Vu1736IRuWKgLxXOXoOHq2RCZpMgfol2wOFdWSeHWnOag2\nstKD9mmxUaq3wactkVQEkljo3vOgw3D829jC5BOVASxoYoiNzRQlpXrP+kj9QPt0\nZN6haQCgjejHOVpKeuUNoZTUyH+2MwpANLiaJjQcZrwt8N9bAN7WilY+f7CHwMK+\n-----END CERTIFICATE-----\n" trustedCertificates: type: array items: type: string + example: "-----BEGIN CERTIFICATE-----\nMIIEszCCAxugAwIBAgIUK3BbY7jXBtQfSMhob3Ls9BoorbYwDQYJKoZIhvcNAQEL\nBQAwYTEjMCEGCgmSJomT8ixkAQEME2MtMGI1YzFhYTBkNzA4NjVjNGUxFTATBgNV\nBAMMDE1hbmFnZW1lbnRDQTEjMCEGA1UECgwaRUpCQ0EgQ29udGFpbmVyIFF1aWNr\nc3RhcnQwHhcNMjAwNDAxMTAyNzAwWhcNMzAwNDAxMTAyNzAwWjBhMSMwIQYKCZIm\niZPyLGQBAQwTYy0wYjVjMWFhMGQ3MDg2NWM0ZTEVMBMGA1UEAwwMTWFuYWdlbWVu\ndENBMSMwIQYDVQQKDBpFSkJDQSBDb250YWluZXIgUXVpY2tzdGFydDCCAaIwDQYJ\nKoZIhvcNAQEBBQADggGPADCCAYoCggGBAJ5UAlOGkFyyjyDfFBADJrVzce5/wvNC\nDzL8OoB5CRa22NxHZqPL6fNpqexH1alE7ko/g+vvu1BLHnjKzglVMVV880jjG/tq\ngUf9syfmRdRcgPUrF71dOTNw52ZGB23e8es7VQNYca5QH0mfjaw2AxKf4pNzScTi\nbYXw/KxuoeBHP2ybKhSCxau1k6eePUEkpzHlu33XjtTKGRklCo4lDslLtMOV0gWm\nJj2pd9v+/qY9AMio1XkqczGmnGrSRDD7fp+3WpBI2Q4ZaDZZHnzg/9TXmpBGWhwi\n5Ca5e9Cmb9WGjE8W4uICyvaBSmvsGqB2nBjLC0rBUyJxkMxaxZYxoWbegCqlnwgo\naG2OMbGq1qO/U5ArW9WppovA9y540j49CuYWgvf2pH21GzQX2uCtiHDge01exko/\np7c8/20B0rNjyvBFM9s2NOQ4wCIrLVKPClX3mpzuIGliRpnXnC6FQMrC4yNvyO7s\nB2PwzesXaBdD07AfXpYtSaHeqLZafMtqRwIDAQABo2MwYTAPBgNVHRMBAf8EBTAD\nAQH/MB8GA1UdIwQYMBaAFDhNazDk0J+AyO1zqws1XTTwCeJKMB0GA1UdDgQWBBQ4\nTWsw5NCfgMjtc6sLNV008AniSjAOBgNVHQ8BAf8EBAMCAYYwDQYJKoZIhvcNAQEL\nBQADggGBAImYiKkQfR52L2NzjuHI6y8darhBNpZSNf5Hhzv5MOs6yKJSFxh6mQFg\nRfF860AbxgxAfE8bvK2IX+W6b193ecFXAOrRc+UcEyqTg2efqp2zuCdQpnA4nopf\n+474iRkAHdlwdeI0FTE931AOCMfKaQAiEn40Xo3xB09xvMhK7ce2xkxFp90uqbyZ\nwXPRORUj5rKhCiL10jkgXmTfGGlzgQfpHxQxnwQzuAPcv31l+0YVZpDpkSP8A2ts\nmS/yGFfBylyPnGa/+mChZoI7AAKUZ0QWSTDVQLFW6RIs0ByX9zPZqQx0ncGzXH++\nmLu/33YpyjfcjFzvhFVRJCNpELTa0aCElDcD+LIiz80fFP3bxbI42ifYXbt+k/8w\nAB8Ffh1GOneWnaOl42mghNs6ve9e+PjOphYS1sQI74b0liXQdI4tmobAyPoACpgR\ncJ9DAfYtkpMQjxkV/FUM92m76WQpFnIRNQl6C5XLzWHCAVvS+MxEydtINsl4FCvw\nPDdu3P8UkA==\n-----END CERTIFICATE-----\n" diff --git a/certService/README.md b/certService/README.md index 61506e79..645ca061 100644 --- a/certService/README.md +++ b/certService/README.md @@ -96,3 +96,7 @@ API is described by Swagger ( OpenAPI 3.0 ) on endpoint /docs ``` http://localchost:8080/docs ``` + +### OpenAPI +during project building yaml file with openAPI 3.0 documentation is generated in target directory with name api-docs.yaml +file OpenAPI.yaml located in certService directory must be update be hand if needed diff --git a/certService/helm/aaf-cert-service/.helmignore b/certService/helm/aaf-cert-service/.helmignore deleted file mode 100644 index 50af0317..00000000 --- a/certService/helm/aaf-cert-service/.helmignore +++ /dev/null @@ -1,22 +0,0 @@ -# Patterns to ignore when building packages. -# This supports shell glob matching, relative path matching, and -# negation (prefixed with !). Only one pattern per line. -.DS_Store -# Common VCS dirs -.git/ -.gitignore -.bzr/ -.bzrignore -.hg/ -.hgignore -.svn/ -# Common backup files -*.swp -*.bak -*.tmp -*~ -# Various IDEs -.project -.idea/ -*.tmproj -.vscode/ diff --git a/certService/helm/aaf-cert-service/Chart.yaml b/certService/helm/aaf-cert-service/Chart.yaml deleted file mode 100644 index 37c7d148..00000000 --- a/certService/helm/aaf-cert-service/Chart.yaml +++ /dev/null @@ -1,5 +0,0 @@ -apiVersion: v1 -appVersion: "1.0" -description: A Helm chart for AAF Cert Service -name: aaf-cert-service -version: 0.1.0 diff --git a/certService/helm/aaf-cert-service/templates/deployment.yaml b/certService/helm/aaf-cert-service/templates/deployment.yaml deleted file mode 100644 index f8b2d43f..00000000 --- a/certService/helm/aaf-cert-service/templates/deployment.yaml +++ /dev/null @@ -1,42 +0,0 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - name: {{ .Chart.Name }}-deployment -spec: - selector: - matchLabels: - app: {{ .Values.appLabel }} - replicas: {{ .Values.replicaCount }} - template: - metadata: - labels: - app: {{ .Values.appLabel }} - spec: - volumes: - - name: {{ .Values.volume.name }} - secret: - secretName: {{ .Values.secret.name }} - containers: - - name: aaf-cert-service - image: {{ .Values.repository }}/{{ .Values.image }} - imagePullPolicy: {{ .Values.pullPolicy }} - ports: - - containerPort: {{ .Values.containerPort }} - livenessProbe: - httpGet: - port: {{ .Values.containerPort }} - path: {{ .Values.liveness.path }} - initialDelaySeconds: {{ .Values.liveness.initialDelaySeconds }} - periodSeconds: {{ .Values.liveness.periodSeconds }} - readinessProbe: - httpGet: - port: {{ .Values.containerPort }} - path: {{ .Values.readiness.path }} - initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }} - periodSeconds: {{ .Values.readiness.periodSeconds }} - volumeMounts: - - name: {{ .Values.volume.name }} - mountPath: {{ .Values.volume.mountPath }} - readOnly: true - resources: - {{ toYaml .Values.resources }} diff --git a/certService/helm/aaf-cert-service/templates/secret.yaml b/certService/helm/aaf-cert-service/templates/secret.yaml deleted file mode 100644 index 77b25f4e..00000000 --- a/certService/helm/aaf-cert-service/templates/secret.yaml +++ /dev/null @@ -1,7 +0,0 @@ -apiVersion: v1 -kind: Secret -metadata: - name: {{ .Values.secret.name }} -type: Opaque -data: - {{ (.Files.Glob "resources/cmpServers.json").AsSecrets }}
\ No newline at end of file diff --git a/certService/helm/aaf-cert-service/templates/service.yaml b/certService/helm/aaf-cert-service/templates/service.yaml deleted file mode 100644 index fba7e5fa..00000000 --- a/certService/helm/aaf-cert-service/templates/service.yaml +++ /dev/null @@ -1,11 +0,0 @@ -apiVersion: v1 -kind: Service -metadata: - name: {{ .Chart.Name }}-service -spec: - type: {{ .Values.service.type }} - selector: - app: {{ .Values.appLabel }} - ports: - - protocol: TCP - port: {{ .Values.containerPort }}
\ No newline at end of file diff --git a/certService/helm/aaf-cert-service/values.yaml b/certService/helm/aaf-cert-service/values.yaml deleted file mode 100644 index 0dab1e32..00000000 --- a/certService/helm/aaf-cert-service/values.yaml +++ /dev/null @@ -1,30 +0,0 @@ -appLabel: aaf-cert-service -replicaCount: 1 -repository: nexus3.onap.org:10001 -image: onap/org.onap.aaf.certservice.aaf-certservice-api:1.0.0 -pullPolicy: Always -containerPort: 8080 -service: - type: ClusterIP -liveness: - initialDelaySeconds: 60 - periodSeconds: 10 - path: /actuator/health -readiness: - initialDelaySeconds: 30 - periodSeconds: 10 - path: /ready -volume: - name: aaf-cert-service-volume - mountPath: /etc/onap/aaf/certservice - -resources: - limits: - cpu: 2 - memory: 2Gi - requests: - cpu: 1 - memory: 1Gi - -secret: - name: aaf-cert-service-secret diff --git a/certService/src/main/java/org/onap/aaf/certservice/api/CertificationController.java b/certService/src/main/java/org/onap/aaf/certservice/api/CertificationController.java index bf51e49e..c440ec34 100644 --- a/certService/src/main/java/org/onap/aaf/certservice/api/CertificationController.java +++ b/certService/src/main/java/org/onap/aaf/certservice/api/CertificationController.java @@ -64,14 +64,14 @@ public class CertificationController { * @param encodedPrivateKey Private key for CSR, needed for PoP, encoded in Base64 form * @return JSON containing trusted certificates and certificate chain */ - @GetMapping(value = "v1/certificate/{caName}", produces = "application/json; charset=utf-8") + @GetMapping(value = "v1/certificate/{caName}", produces = "application/json") @ApiResponses(value = { - @ApiResponse(responseCode = "200", description = "certificate successfully signed"), - @ApiResponse(responseCode = "400", description = "given CSR or/and PK is incorrect", + @ApiResponse(responseCode = "200", description = "Certificate successfully signed"), + @ApiResponse(responseCode = "400", description = "Given CSR or/and PK is incorrect", content = @Content(schema = @Schema(implementation = ErrorResponseModel.class))), @ApiResponse(responseCode = "404", description = "CA not found for given name", content = @Content(schema = @Schema(implementation = ErrorResponseModel.class))), - @ApiResponse(responseCode = "500", description = "something went wrong during connecting to cmp client", + @ApiResponse(responseCode = "500", description = "Something went wrong during connectiion to CMPv2 server", content = @Content(schema = @Schema(implementation = ErrorResponseModel.class))) }) @Operation( diff --git a/certService/src/main/java/org/onap/aaf/certservice/api/ReadinessController.java b/certService/src/main/java/org/onap/aaf/certservice/api/ReadinessController.java index f900edf9..9c8e1bf0 100644 --- a/certService/src/main/java/org/onap/aaf/certservice/api/ReadinessController.java +++ b/certService/src/main/java/org/onap/aaf/certservice/api/ReadinessController.java @@ -42,13 +42,13 @@ public final class ReadinessController { this.cmpServersConfig = cmpServersConfig; } - @GetMapping(value = "/ready", produces = "application/json; charset=utf-8") + @GetMapping(value = "/ready", produces = "application/json") @ApiResponses(value = { - @ApiResponse(responseCode = "200", description = "configuration is loaded and service is ready to use"), - @ApiResponse(responseCode = "503", description = "configuration loading failed and service is unavailable") + @ApiResponse(responseCode = "200", description = "Configuration is loaded and service is ready to use"), + @ApiResponse(responseCode = "503", description = "Configuration loading failed and service is unavailable") }) @Operation( - summary = "check is container is ready", + summary = "Check if CertService application is ready", description = "Web endpoint for checking if service is ready to be used.", tags = {"CertificationService"}) public ResponseEntity<String> checkReady() { diff --git a/certService/src/main/java/org/onap/aaf/certservice/api/ReloadConfigController.java b/certService/src/main/java/org/onap/aaf/certservice/api/ReloadConfigController.java index e812ce0d..14bff8dd 100644 --- a/certService/src/main/java/org/onap/aaf/certservice/api/ReloadConfigController.java +++ b/certService/src/main/java/org/onap/aaf/certservice/api/ReloadConfigController.java @@ -46,15 +46,15 @@ public final class ReloadConfigController { this.cmpServersConfig = cmpServersConfig; } - @GetMapping(value = "/reload", produces = "application/json; charset=utf-8") + @GetMapping(value = "/reload", produces = "application/json") @ApiResponses(value = { - @ApiResponse(responseCode = "200", description = "configuration has been successfully reloaded"), - @ApiResponse(responseCode = "500", description = "something went wrong during configuration loading", + @ApiResponse(responseCode = "200", description = "Configuration has been successfully reloaded"), + @ApiResponse(responseCode = "500", description = "Something went wrong during configuration loading", content = @Content(schema = @Schema(implementation = ErrorResponseModel.class))) }) @Operation( - summary = "reload service configuration from file", - description = "Web endpoint for performing configuration reload. Used to reload configuration file from file.", + summary = "Reload CMPv2 servers configuration from configuration file", + description = "Web endpoint for performing configuration reload. Used to reload configuration from file.", tags = {"CertificationService"}) public ResponseEntity<String> reloadConfiguration() throws CmpServersConfigLoadingException { cmpServersConfig.reloadConfiguration(); diff --git a/certService/src/main/resources/application.properties b/certService/src/main/resources/application.properties index 9ccdd326..c5d14370 100644 --- a/certService/src/main/resources/application.properties +++ b/certService/src/main/resources/application.properties @@ -9,3 +9,14 @@ springdoc.swagger-ui.path=/docs # AAF CertService app specific configuration app.config.path=/etc/onap/aaf/certservice + +# Mutual TLS configuration +server.ssl.enabled=true +server.ssl.client-auth=need +server.port=${HTTPS_PORT:8443} + +server.ssl.key-store=${KEYSTORE_PATH:/etc/onap/aaf/certservice/certs/certServiceServer-keystore.jks} +server.ssl.key-store-password=${KEYSTORE_PASSWORD:secret} + +server.ssl.trust-store=${TRUSTSTORE_PATH:/etc/onap/aaf/certservice/certs/truststore.jks} +server.ssl.trust-store-password=${TRUSTSTORE_PASSWORD:secret} diff --git a/certService/src/test/resources/application.properties b/certService/src/test/resources/application.properties index 39001571..b70ab3b4 100644 --- a/certService/src/test/resources/application.properties +++ b/certService/src/test/resources/application.properties @@ -1,2 +1,13 @@ # AAF CertService app specific configuration app.config.path=./src/test/resources + +# Mutual TLS configuration +server.ssl.enabled=true +server.ssl.client-auth=need +server.port=${HTTPS_PORT:8443} + +server.ssl.key-store=${KEYSTORE_PATH:/etc/onap/aaf/certservice/certs/certServiceServer-keystore.jks} +server.ssl.key-store-password=${KEYSTORE_PASSWORD:secret} + +server.ssl.trust-store=${TRUSTSTORE_PATH:/etc/onap/aaf/certservice/certs/truststore.jks} +server.ssl.trust-store-password=${TRUSTSTORE_PASSWORD:secret}
\ No newline at end of file diff --git a/certServiceClient/README.md b/certServiceClient/README.md index 7748b29b..43d732c8 100644 --- a/certServiceClient/README.md +++ b/certServiceClient/README.md @@ -43,6 +43,10 @@ LOCATION=San-Francisco STATE=California COUNTRY=US SANS=example.com:example2.com +KEYSTORE_PATH=/etc/onap/aaf/certservice/certs/certServiceClient-keystore.jks +KEYSTORE_PASSWORD=secret +TRUSTSTORE_PATH=/etc/onap/aaf/certservice/certs/truststore.jks +TRUSTSTORE_PASSWORD=secret ``` ### Logs locally diff --git a/certServiceClient/src/main/java/org/onap/aaf/certservice/client/CertServiceClient.java b/certServiceClient/src/main/java/org/onap/aaf/certservice/client/CertServiceClient.java index 0916bb8a..1b5b8ee3 100644 --- a/certServiceClient/src/main/java/org/onap/aaf/certservice/client/CertServiceClient.java +++ b/certServiceClient/src/main/java/org/onap/aaf/certservice/client/CertServiceClient.java @@ -19,26 +19,30 @@ package org.onap.aaf.certservice.client; -import java.security.KeyPair; import org.onap.aaf.certservice.client.api.ExitableException; -import org.onap.aaf.certservice.client.certification.PrivateKeyToPemEncoder; import org.onap.aaf.certservice.client.certification.CsrFactory; import org.onap.aaf.certservice.client.certification.KeyPairFactory; +import org.onap.aaf.certservice.client.certification.PrivateKeyToPemEncoder; import org.onap.aaf.certservice.client.certification.conversion.KeystoreTruststoreCreator; import org.onap.aaf.certservice.client.certification.conversion.KeystoreTruststoreCreatorFactory; import org.onap.aaf.certservice.client.common.Base64Encoder; import org.onap.aaf.certservice.client.configuration.EnvsForClient; import org.onap.aaf.certservice.client.configuration.EnvsForCsr; +import org.onap.aaf.certservice.client.configuration.EnvsForTls; import org.onap.aaf.certservice.client.configuration.factory.ClientConfigurationFactory; import org.onap.aaf.certservice.client.configuration.factory.CsrConfigurationFactory; +import org.onap.aaf.certservice.client.configuration.factory.SslContextFactory; import org.onap.aaf.certservice.client.configuration.model.ClientConfiguration; import org.onap.aaf.certservice.client.configuration.model.CsrConfiguration; -import org.onap.aaf.certservice.client.httpclient.CloseableHttpClientProvider; +import org.onap.aaf.certservice.client.httpclient.CloseableHttpsClientProvider; import org.onap.aaf.certservice.client.httpclient.HttpClient; import org.onap.aaf.certservice.client.httpclient.model.CertServiceResponse; import org.slf4j.Logger; import org.slf4j.LoggerFactory; +import javax.net.ssl.SSLContext; +import java.security.KeyPair; + import static org.onap.aaf.certservice.client.api.ExitStatus.SUCCESS; import static org.onap.aaf.certservice.client.certification.EncryptionAlgorithmConstants.KEY_SIZE; import static org.onap.aaf.certservice.client.certification.EncryptionAlgorithmConstants.RSA_ENCRYPTION_ALGORITHM; @@ -62,9 +66,10 @@ public class CertServiceClient { CsrConfiguration csrConfiguration = new CsrConfigurationFactory(new EnvsForCsr()).create(); KeyPair keyPair = keyPairFactory.create(); CsrFactory csrFactory = new CsrFactory(csrConfiguration); + SSLContext sslContext = new SslContextFactory(new EnvsForTls()).create(); - CloseableHttpClientProvider provider = new CloseableHttpClientProvider( - clientConfiguration.getRequestTimeout()); + CloseableHttpsClientProvider provider = new CloseableHttpsClientProvider( + sslContext, clientConfiguration.getRequestTimeout()); HttpClient httpClient = new HttpClient(provider, clientConfiguration.getUrlToCertService()); CertServiceResponse certServiceData = @@ -74,7 +79,7 @@ public class CertServiceClient { base64Encoder.encode(pkEncoder.encodePrivateKeyToPem(keyPair.getPrivate()))); KeystoreTruststoreCreator filesCreator = new KeystoreTruststoreCreatorFactory( - clientConfiguration.getCertsOutputPath()).create(); + clientConfiguration.getCertsOutputPath()).create(); filesCreator.createKeystore(certServiceData.getCertificateChain(), keyPair.getPrivate()); filesCreator.createTruststore(certServiceData.getTrustedCertificates()); } catch (ExitableException e) { diff --git a/certServiceClient/src/main/java/org/onap/aaf/certservice/client/api/ExitStatus.java b/certServiceClient/src/main/java/org/onap/aaf/certservice/client/api/ExitStatus.java index c474fd03..78ecc778 100644 --- a/certServiceClient/src/main/java/org/onap/aaf/certservice/client/api/ExitStatus.java +++ b/certServiceClient/src/main/java/org/onap/aaf/certservice/client/api/ExitStatus.java @@ -28,7 +28,8 @@ public enum ExitStatus { CERT_SERVICE_API_CONNECTION_EXCEPTION(5,"CertService HTTP unsuccessful response"), HTTP_CLIENT_EXCEPTION(6,"Internal HTTP Client connection problem"), PKCS12_CONVERSION_EXCEPTION(7,"Fail in PKCS12 conversion"), - PK_TO_PEM_ENCODING_EXCEPTION(8,"Fail in Private Key to PEM Encoding"); + PK_TO_PEM_ENCODING_EXCEPTION(8,"Fail in Private Key to PEM Encoding"), + TLS_CONFIGURATION_EXCEPTION(9, "Invalid TLS configuration"); private final int value; private final String message; diff --git a/certServiceClient/src/main/java/org/onap/aaf/certservice/client/certification/KeyPairFactory.java b/certServiceClient/src/main/java/org/onap/aaf/certservice/client/certification/KeyPairFactory.java index 85b85ff3..e7d63e2f 100644 --- a/certServiceClient/src/main/java/org/onap/aaf/certservice/client/certification/KeyPairFactory.java +++ b/certServiceClient/src/main/java/org/onap/aaf/certservice/client/certification/KeyPairFactory.java @@ -28,7 +28,7 @@ import java.security.NoSuchAlgorithmException; public class KeyPairFactory { - private final static Logger LOGGER = LoggerFactory.getLogger(KeyPairFactory.class); + private static final Logger LOGGER = LoggerFactory.getLogger(KeyPairFactory.class); private final String encryptionAlgorithm; private final int keySize; diff --git a/certServiceClient/src/main/java/org/onap/aaf/certservice/client/certification/conversion/KeystoreTruststoreCreator.java b/certServiceClient/src/main/java/org/onap/aaf/certservice/client/certification/conversion/KeystoreTruststoreCreator.java index 6dc2ef87..43784609 100644 --- a/certServiceClient/src/main/java/org/onap/aaf/certservice/client/certification/conversion/KeystoreTruststoreCreator.java +++ b/certServiceClient/src/main/java/org/onap/aaf/certservice/client/certification/conversion/KeystoreTruststoreCreator.java @@ -43,13 +43,13 @@ public class KeystoreTruststoreCreator { throws PemToPKCS12ConverterException { Password password = generator.generate(PASSWORD_LENGTH); creator.saveKeystoreData(converter.convertKeystore(data, password, CERTIFICATE_ALIAS, privateKey), - password.getPassword()); + password.getCurrentPassword()); } public void createTruststore(List<String> data) throws PemToPKCS12ConverterException { Password password = generator.generate(PASSWORD_LENGTH); creator.saveTruststoreData(converter.convertTruststore(data, password, TRUSTED_CERTIFICATE_ALIAS), - password.getPassword()); + password.getCurrentPassword()); } } diff --git a/certServiceClient/src/main/java/org/onap/aaf/certservice/client/certification/conversion/Password.java b/certServiceClient/src/main/java/org/onap/aaf/certservice/client/certification/conversion/Password.java index 09c65ca6..9275817d 100644 --- a/certServiceClient/src/main/java/org/onap/aaf/certservice/client/certification/conversion/Password.java +++ b/certServiceClient/src/main/java/org/onap/aaf/certservice/client/certification/conversion/Password.java @@ -21,22 +21,25 @@ package org.onap.aaf.certservice.client.certification.conversion; class Password { - private static final String PASSWORD_PATTERN = "[\\w$#]{16,}"; - private final String password; + // We are excluding this line in Sonar due to fact that + // PASSWORD_PATTERN does not contain password. This solution + // is safe. + private static final String PASSWORD_PATTERN = "[\\w$#]{16,}"; // NOSONAR + private final String currentPassword; - Password(String password) { - this.password = password; + Password(String currentPassword) { + this.currentPassword = currentPassword; } - String getPassword() { - return password; + String getCurrentPassword() { + return currentPassword; } char[] toCharArray() { - return password.toCharArray(); + return currentPassword.toCharArray(); } boolean isCorrectPasswordPattern() { - return password.matches(PASSWORD_PATTERN); + return currentPassword.matches(PASSWORD_PATTERN); } } diff --git a/certServiceClient/src/main/java/org/onap/aaf/certservice/client/certification/conversion/RandomPasswordGenerator.java b/certServiceClient/src/main/java/org/onap/aaf/certservice/client/certification/conversion/RandomPasswordGenerator.java index 5db7b26f..6515ea54 100644 --- a/certServiceClient/src/main/java/org/onap/aaf/certservice/client/certification/conversion/RandomPasswordGenerator.java +++ b/certServiceClient/src/main/java/org/onap/aaf/certservice/client/certification/conversion/RandomPasswordGenerator.java @@ -20,6 +20,7 @@ package org.onap.aaf.certservice.client.certification.conversion; import java.security.SecureRandom; + import org.apache.commons.lang3.RandomStringUtils; class RandomPasswordGenerator { @@ -33,15 +34,19 @@ class RandomPasswordGenerator { private static final boolean USE_LETTERS_ONLY = false; private static final boolean USE_NUMBERS_ONLY = false; + // We are excluding this line in Sonar due to fact that + //we are using new SecureRandom which provides + //cryptographic security Password generate(int passwordLength) { - return new Password(RandomStringUtils.random( - passwordLength, - START_POSITION_IN_ASCII_CHARS, - END_POSITION_IN_ASCII_CHARS, - USE_LETTERS_ONLY, - USE_NUMBERS_ONLY, - SET_OF_CHARS, - new SecureRandom())); + return new Password(RandomStringUtils.random(//NOSONAR + passwordLength, + START_POSITION_IN_ASCII_CHARS, + END_POSITION_IN_ASCII_CHARS, + USE_LETTERS_ONLY, + USE_NUMBERS_ONLY, + SET_OF_CHARS, + new SecureRandom()) + ); } } diff --git a/certServiceClient/src/main/java/org/onap/aaf/certservice/client/configuration/EnvsForTls.java b/certServiceClient/src/main/java/org/onap/aaf/certservice/client/configuration/EnvsForTls.java new file mode 100644 index 00000000..b2f782c2 --- /dev/null +++ b/certServiceClient/src/main/java/org/onap/aaf/certservice/client/configuration/EnvsForTls.java @@ -0,0 +1,47 @@ +/* + * ============LICENSE_START======================================================= + * aaf-certservice-client + * ================================================================================ + * Copyright (C) 2020 Nokia. All rights reserved. + * ================================================================================ + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * ============LICENSE_END========================================================= + */ + +package org.onap.aaf.certservice.client.configuration; + +import java.util.Optional; + +public class EnvsForTls { + private final EnvProvider envProvider = new EnvProvider(); + + public Optional<String> getKeystorePath() { + return readEnv(TlsConfigurationEnvs.KEYSTORE_PATH); + } + + public Optional<String> getKeystorePassword() { + return readEnv(TlsConfigurationEnvs.KEYSTORE_PASSWORD); + } + + public Optional<String> getTruststorePath() { + return readEnv(TlsConfigurationEnvs.TRUSTSTORE_PATH); + } + + public Optional<String> getTruststorePassword() { + return readEnv(TlsConfigurationEnvs.TRUSTSTORE_PASSWORD); + } + + private Optional<String> readEnv(TlsConfigurationEnvs envName) { + return envProvider.readEnvVariable(envName.toString()); + } +} diff --git a/certServiceClient/src/main/java/org/onap/aaf/certservice/client/configuration/TlsConfigurationEnvs.java b/certServiceClient/src/main/java/org/onap/aaf/certservice/client/configuration/TlsConfigurationEnvs.java new file mode 100644 index 00000000..4009a088 --- /dev/null +++ b/certServiceClient/src/main/java/org/onap/aaf/certservice/client/configuration/TlsConfigurationEnvs.java @@ -0,0 +1,28 @@ +/* + * ============LICENSE_START======================================================= + * aaf-certservice-client + * ================================================================================ + * Copyright (C) 2020 Nokia. All rights reserved. + * ================================================================================ + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * ============LICENSE_END========================================================= + */ + +package org.onap.aaf.certservice.client.configuration; + +public enum TlsConfigurationEnvs { + KEYSTORE_PATH, + KEYSTORE_PASSWORD, + TRUSTSTORE_PATH, + TRUSTSTORE_PASSWORD +} diff --git a/certServiceClient/src/main/java/org/onap/aaf/certservice/client/configuration/exception/TlsConfigurationException.java b/certServiceClient/src/main/java/org/onap/aaf/certservice/client/configuration/exception/TlsConfigurationException.java new file mode 100644 index 00000000..a10185b2 --- /dev/null +++ b/certServiceClient/src/main/java/org/onap/aaf/certservice/client/configuration/exception/TlsConfigurationException.java @@ -0,0 +1,36 @@ +/* + * ============LICENSE_START======================================================= + * aaf-certservice-client + * ================================================================================ + * Copyright (C) 2020 Nokia. All rights reserved. + * ================================================================================ + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * ============LICENSE_END========================================================= + */ + +package org.onap.aaf.certservice.client.configuration.exception; + +import org.onap.aaf.certservice.client.api.ExitStatus; +import org.onap.aaf.certservice.client.api.ExitableException; + +public class TlsConfigurationException extends ExitableException { + private static final ExitStatus EXIT_STATUS = ExitStatus.CERT_SERVICE_API_CONNECTION_EXCEPTION; + + public TlsConfigurationException(String message) { + super(message); + } + + public ExitStatus applicationExitStatus() { + return EXIT_STATUS; + } +} diff --git a/certServiceClient/src/main/java/org/onap/aaf/certservice/client/configuration/factory/CsrConfigurationFactory.java b/certServiceClient/src/main/java/org/onap/aaf/certservice/client/configuration/factory/CsrConfigurationFactory.java index a94c906f..1d4cf2b2 100644 --- a/certServiceClient/src/main/java/org/onap/aaf/certservice/client/configuration/factory/CsrConfigurationFactory.java +++ b/certServiceClient/src/main/java/org/onap/aaf/certservice/client/configuration/factory/CsrConfigurationFactory.java @@ -27,12 +27,12 @@ import org.onap.aaf.certservice.client.configuration.model.CsrConfiguration; import org.slf4j.Logger; import org.slf4j.LoggerFactory; + public class CsrConfigurationFactory extends AbstractConfigurationFactory<CsrConfiguration> { private static final Logger LOGGER = LoggerFactory.getLogger(CsrConfigurationFactory.class); private final EnvsForCsr envsForCsr; - public CsrConfigurationFactory(EnvsForCsr envsForCsr) { this.envsForCsr = envsForCsr; } diff --git a/certServiceClient/src/main/java/org/onap/aaf/certservice/client/configuration/factory/SslContextFactory.java b/certServiceClient/src/main/java/org/onap/aaf/certservice/client/configuration/factory/SslContextFactory.java new file mode 100644 index 00000000..ef74d830 --- /dev/null +++ b/certServiceClient/src/main/java/org/onap/aaf/certservice/client/configuration/factory/SslContextFactory.java @@ -0,0 +1,85 @@ +/*============LICENSE_START======================================================= + * aaf-certservice-client + * ================================================================================ + * Copyright (C) 2020 Nokia. All rights reserved. + * ================================================================================ + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * ============LICENSE_END========================================================= + */ + +package org.onap.aaf.certservice.client.configuration.factory; + +import org.apache.http.ssl.SSLContexts; +import org.onap.aaf.certservice.client.configuration.EnvsForTls; +import org.onap.aaf.certservice.client.configuration.TlsConfigurationEnvs; +import org.onap.aaf.certservice.client.configuration.exception.TlsConfigurationException; + +import javax.net.ssl.SSLContext; +import java.io.File; +import java.io.FileInputStream; +import java.io.IOException; +import java.security.KeyStore; +import java.security.KeyStoreException; +import java.security.NoSuchAlgorithmException; +import java.security.cert.CertificateException; + +public class SslContextFactory { + + private static final String JKS = "jks"; + + private EnvsForTls envsForTls; + + public SslContextFactory(EnvsForTls envsForTls) { + this.envsForTls = envsForTls; + } + + public SSLContext create() throws TlsConfigurationException { + String keystorePath = envsForTls.getKeystorePath() + .orElseThrow(() -> new TlsConfigurationException(createEnvMissingMessage(TlsConfigurationEnvs.KEYSTORE_PATH))); + String keystorePassword = envsForTls.getKeystorePassword() + .orElseThrow(() -> new TlsConfigurationException(createEnvMissingMessage(TlsConfigurationEnvs.KEYSTORE_PASSWORD))); + String truststorePath = envsForTls.getTruststorePath() + .orElseThrow(() -> new TlsConfigurationException(createEnvMissingMessage(TlsConfigurationEnvs.TRUSTSTORE_PATH))); + String truststorePassword = envsForTls.getTruststorePassword() + .orElseThrow(() -> new TlsConfigurationException(createEnvMissingMessage(TlsConfigurationEnvs.TRUSTSTORE_PASSWORD))); + + return createSSLContext(keystorePath, keystorePassword, truststorePath, truststorePassword); + } + + private String createEnvMissingMessage(TlsConfigurationEnvs keystorePath) { + return String.format("%s env is missing.", keystorePath); + } + + private KeyStore setupKeystore(String keystorePath, String certPassword) + throws KeyStoreException, IOException, NoSuchAlgorithmException, CertificateException { + KeyStore keyStore = KeyStore.getInstance(JKS); + FileInputStream identityKeyStoreFile = new FileInputStream(new File( + keystorePath)); + keyStore.load(identityKeyStoreFile, certPassword.toCharArray()); + return keyStore; + } + + private SSLContext createSSLContext(String keystorePath, String keystorePassword, String truststorePath, String truststorePassword) throws TlsConfigurationException { + try { + KeyStore identityKeystore = setupKeystore(keystorePath, keystorePassword); + KeyStore trustKeystore = setupKeystore(truststorePath, truststorePassword); + + return SSLContexts.custom() + .loadKeyMaterial(identityKeystore, keystorePassword.toCharArray()) + .loadTrustMaterial(trustKeystore, null) + .build(); + } catch (Exception e) { + throw new TlsConfigurationException("TLS configuration exception: " + e); + } + } +} diff --git a/certServiceClient/src/main/java/org/onap/aaf/certservice/client/configuration/model/ClientConfiguration.java b/certServiceClient/src/main/java/org/onap/aaf/certservice/client/configuration/model/ClientConfiguration.java index ff2db831..2ac481dc 100644 --- a/certServiceClient/src/main/java/org/onap/aaf/certservice/client/configuration/model/ClientConfiguration.java +++ b/certServiceClient/src/main/java/org/onap/aaf/certservice/client/configuration/model/ClientConfiguration.java @@ -25,7 +25,7 @@ import org.onap.aaf.certservice.client.configuration.ClientConfigurationEnvs; public class ClientConfiguration implements ConfigurationModel { private static final Integer DEFAULT_TIMEOUT_MS = 30000; - private static final String DEFAULT_REQUEST_URL = "http://aaf-cert-service-service:8080/v1/certificate/"; + private static final String DEFAULT_REQUEST_URL = "https://aaf-cert-service:8443/v1/certificate/"; private String urlToCertService; private Integer requestTimeout; diff --git a/certServiceClient/src/main/java/org/onap/aaf/certservice/client/httpclient/CloseableHttpClientProvider.java b/certServiceClient/src/main/java/org/onap/aaf/certservice/client/httpclient/CloseableHttpsClientProvider.java index 5ad933ff..3b7a46ab 100644 --- a/certServiceClient/src/main/java/org/onap/aaf/certservice/client/httpclient/CloseableHttpClientProvider.java +++ b/certServiceClient/src/main/java/org/onap/aaf/certservice/client/httpclient/CloseableHttpsClientProvider.java @@ -24,11 +24,15 @@ import org.apache.http.client.config.RequestConfig; import org.apache.http.impl.client.CloseableHttpClient; import org.apache.http.impl.client.HttpClientBuilder; -public class CloseableHttpClientProvider { +import javax.net.ssl.SSLContext; + +public class CloseableHttpsClientProvider { private final int timeout; + private final SSLContext sslContext; - public CloseableHttpClientProvider(int timeout) { + public CloseableHttpsClientProvider(SSLContext sslContext, int timeout) { + this.sslContext = sslContext; this.timeout = timeout; } @@ -39,6 +43,9 @@ public class CloseableHttpClientProvider { .setConnectTimeout(timeout) .setSocketTimeout(timeout) .build(); - return HttpClientBuilder.create().setDefaultRequestConfig(config).build(); + + return HttpClientBuilder.create() + .setSSLContext(sslContext) + .setDefaultRequestConfig(config).build(); } } diff --git a/certServiceClient/src/main/java/org/onap/aaf/certservice/client/httpclient/HttpClient.java b/certServiceClient/src/main/java/org/onap/aaf/certservice/client/httpclient/HttpClient.java index 7512830d..0780afad 100644 --- a/certServiceClient/src/main/java/org/onap/aaf/certservice/client/httpclient/HttpClient.java +++ b/certServiceClient/src/main/java/org/onap/aaf/certservice/client/httpclient/HttpClient.java @@ -44,10 +44,10 @@ public class HttpClient { private static final String CHARSET_UTF_8 = "UTF-8"; private final Gson gson = new Gson(); - private final CloseableHttpClientProvider httpClientProvider; + private final CloseableHttpsClientProvider httpClientProvider; private final String certServiceAddress; - public HttpClient(CloseableHttpClientProvider httpClientProvider, String certServiceAddress) { + public HttpClient(CloseableHttpsClientProvider httpClientProvider, String certServiceAddress) { this.httpClientProvider = httpClientProvider; this.certServiceAddress = certServiceAddress; } diff --git a/certServiceClient/src/test/java/org/onap/aaf/certservice/client/certification/conversion/KeystoreTruststoreCreatorTest.java b/certServiceClient/src/test/java/org/onap/aaf/certservice/client/certification/conversion/KeystoreTruststoreCreatorTest.java index 04bccf0b..5921c316 100644 --- a/certServiceClient/src/test/java/org/onap/aaf/certservice/client/certification/conversion/KeystoreTruststoreCreatorTest.java +++ b/certServiceClient/src/test/java/org/onap/aaf/certservice/client/certification/conversion/KeystoreTruststoreCreatorTest.java @@ -54,7 +54,7 @@ class KeystoreTruststoreCreatorTest { // then verify(passwordGenerator, times(1)).generate(passwordLength); verify(converter, times(1)).convertKeystore(certificates, password, alias, privateKey); - verify(filesCreator, times(1)).saveKeystoreData(keystoreBytes, password.getPassword()); + verify(filesCreator, times(1)).saveKeystoreData(keystoreBytes, password.getCurrentPassword()); } @Test @@ -75,6 +75,6 @@ class KeystoreTruststoreCreatorTest { // then verify(passwordGenerator, times(1)).generate(passwordLength); verify(converter, times(1)).convertTruststore(certificates, password, alias); - verify(filesCreator, times(1)).saveTruststoreData(truststoreBytes, password.getPassword()); + verify(filesCreator, times(1)).saveTruststoreData(truststoreBytes, password.getCurrentPassword()); } }
\ No newline at end of file diff --git a/certServiceClient/src/test/java/org/onap/aaf/certservice/client/configuration/factory/SslContextFactoryTest.java b/certServiceClient/src/test/java/org/onap/aaf/certservice/client/configuration/factory/SslContextFactoryTest.java new file mode 100644 index 00000000..e71e9895 --- /dev/null +++ b/certServiceClient/src/test/java/org/onap/aaf/certservice/client/configuration/factory/SslContextFactoryTest.java @@ -0,0 +1,197 @@ +/* + * ============LICENSE_START======================================================= + * aaf-certservice-client + * ================================================================================ + * Copyright (C) 2020 Nokia. All rights reserved. + * ================================================================================ + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * ============LICENSE_END========================================================= + */ + +package org.onap.aaf.certservice.client.configuration.factory; + +import org.junit.jupiter.api.Test; +import org.junit.jupiter.api.extension.ExtendWith; +import org.mockito.Mock; +import org.mockito.junit.jupiter.MockitoExtension; +import org.onap.aaf.certservice.client.configuration.EnvsForTls; +import org.onap.aaf.certservice.client.configuration.exception.TlsConfigurationException; + +import javax.net.ssl.SSLContext; +import java.util.Optional; + +import static org.assertj.core.api.Assertions.assertThat; +import static org.junit.jupiter.api.Assertions.assertNotNull; +import static org.junit.jupiter.api.Assertions.assertThrows; +import static org.mockito.Mockito.when; + + +@ExtendWith(MockitoExtension.class) +public class SslContextFactoryTest { + + public static final String INVALID_KEYSTORE_PATH = "nonexistent/keystore"; + public static final String VALID_KEYSTORE_NAME = "keystore.jks"; + public static final String VALID_KEYSTORE_PASSWORD = "secret"; + public static final String INVALID_KEYSTORE_PASSWORD = "wrong_secret"; + public static final String INVALID_TRUSTSTORE_PATH = "nonexistent/truststore"; + public static final String VALID_TRUSTSTORE_PASSWORD = "secret"; + public static final String INVALID_TRUSTSTORE_PASSWORD = "wrong_secret"; + public static final String VALID_TRUSTSTORE_NAME = "truststore.jks"; + @Mock + private EnvsForTls envsForTls; + + @Test + public void shouldThrowExceptionWhenKeystorePathEnvIsMissing() { + // Given + when(envsForTls.getKeystorePath()).thenReturn(Optional.empty()); + SslContextFactory sslContextFactory = new SslContextFactory(envsForTls); + + // When, Then + Exception exception = assertThrows( + TlsConfigurationException.class, sslContextFactory::create + ); + assertThat(exception.getMessage()).contains("KEYSTORE_PATH"); + } + + @Test + public void shouldThrowExceptionWhenKeystorePasswordEnvIsMissing() { + // Given + when(envsForTls.getKeystorePath()).thenReturn(Optional.of("keystore")); + when(envsForTls.getKeystorePassword()).thenReturn(Optional.empty()); + SslContextFactory sslContextFactory = new SslContextFactory(envsForTls); + + // When, Then + Exception exception = assertThrows( + TlsConfigurationException.class, sslContextFactory::create + ); + assertThat(exception.getMessage()).contains("KEYSTORE_PASSWORD"); + } + + @Test + public void shouldThrowExceptionWhenTruststorePathEnvIsMissing() { + // Given + when(envsForTls.getKeystorePath()).thenReturn(Optional.of("keystore")); + when(envsForTls.getKeystorePassword()).thenReturn(Optional.of("password")); + when(envsForTls.getTruststorePath()).thenReturn(Optional.empty()); + SslContextFactory sslContextFactory = new SslContextFactory(envsForTls); + + // When, Then + Exception exception = assertThrows( + TlsConfigurationException.class, sslContextFactory::create + ); + assertThat(exception.getMessage()).contains("TRUSTSTORE_PATH"); + } + + @Test + public void shouldThrowExceptionWhenTruststorePasswordEnvIsMissing() { + // Given + when(envsForTls.getKeystorePath()).thenReturn(Optional.of("keystore")); + when(envsForTls.getKeystorePassword()).thenReturn(Optional.of("password")); + when(envsForTls.getTruststorePath()).thenReturn(Optional.of("truststore")); + when(envsForTls.getTruststorePassword()).thenReturn(Optional.empty()); + SslContextFactory sslContextFactory = new SslContextFactory(envsForTls); + + // When, Then + Exception exception = assertThrows( + TlsConfigurationException.class, sslContextFactory::create + ); + assertThat(exception.getMessage()).contains("TRUSTSTORE_PASSWORD"); + } + + @Test + public void shouldThrowExceptionWhenKeystoreIsMissing() { + // Given + when(envsForTls.getKeystorePath()).thenReturn(Optional.of(INVALID_KEYSTORE_PATH)); + when(envsForTls.getKeystorePassword()).thenReturn(Optional.of("secret")); + when(envsForTls.getTruststorePath()).thenReturn(Optional.of("truststore.jks")); + when(envsForTls.getTruststorePassword()).thenReturn(Optional.of("secret")); + SslContextFactory sslContextFactory = new SslContextFactory(envsForTls); + + // When, Then + assertThrows( + TlsConfigurationException.class, sslContextFactory::create + ); + } + + @Test + public void shouldThrowExceptionWhenKeystorePasswordIsWrong() { + // Given + String keystorePath = getResourcePath(VALID_KEYSTORE_NAME); + when(envsForTls.getKeystorePath()).thenReturn(Optional.of(keystorePath)); + when(envsForTls.getKeystorePassword()).thenReturn(Optional.of(INVALID_KEYSTORE_PASSWORD)); + when(envsForTls.getTruststorePath()).thenReturn(Optional.of(VALID_TRUSTSTORE_NAME)); + when(envsForTls.getTruststorePassword()).thenReturn(Optional.of(VALID_TRUSTSTORE_PASSWORD)); + SslContextFactory sslContextFactory = new SslContextFactory(envsForTls); + + // When, Then + assertThrows( + TlsConfigurationException.class, sslContextFactory::create + ); + } + + @Test + public void shouldThrowExceptionWhenTruststoreIsMissing() { + // Given + String keystorePath = getResourcePath(VALID_KEYSTORE_NAME); + when(envsForTls.getKeystorePath()).thenReturn(Optional.of(keystorePath)); + when(envsForTls.getKeystorePassword()).thenReturn(Optional.of(VALID_KEYSTORE_PASSWORD)); + when(envsForTls.getTruststorePath()).thenReturn(Optional.of(INVALID_TRUSTSTORE_PATH)); + when(envsForTls.getTruststorePassword()).thenReturn(Optional.of(VALID_TRUSTSTORE_PASSWORD)); + SslContextFactory sslContextFactory = new SslContextFactory(envsForTls); + + // When, Then + assertThrows( + TlsConfigurationException.class, sslContextFactory::create + ); + } + + @Test + public void shouldThrowExceptionWhenTruststorePasswordIsWrong() { + // Given + String keystorePath = getResourcePath(VALID_KEYSTORE_NAME); + String truststorePath = getResourcePath(VALID_TRUSTSTORE_NAME); + when(envsForTls.getKeystorePath()).thenReturn(Optional.of(keystorePath)); + when(envsForTls.getKeystorePassword()).thenReturn(Optional.of(VALID_KEYSTORE_PASSWORD)); + when(envsForTls.getTruststorePath()).thenReturn(Optional.of(truststorePath)); + when(envsForTls.getTruststorePassword()).thenReturn(Optional.of(INVALID_TRUSTSTORE_PASSWORD)); + SslContextFactory sslContextFactory = new SslContextFactory(envsForTls); + + // When, Then + assertThrows( + TlsConfigurationException.class, sslContextFactory::create + ); + } + + @Test + public void shouldReturnSSLContext() throws TlsConfigurationException { + // Given + String keystorePath = getResourcePath(VALID_KEYSTORE_NAME); + String truststorePath = getResourcePath(VALID_TRUSTSTORE_NAME); + when(envsForTls.getKeystorePath()).thenReturn(Optional.of(keystorePath)); + when(envsForTls.getKeystorePassword()).thenReturn(Optional.of(VALID_KEYSTORE_PASSWORD)); + when(envsForTls.getTruststorePath()).thenReturn(Optional.of(truststorePath)); + when(envsForTls.getTruststorePassword()).thenReturn(Optional.of(VALID_TRUSTSTORE_PASSWORD)); + SslContextFactory sslContextFactory = new SslContextFactory(envsForTls); + + // When + SSLContext sslContext = sslContextFactory.create(); + + // Then + assertNotNull(sslContext); + } + + private String getResourcePath(String resource) { + return getClass().getClassLoader().getResource(resource).getFile(); + } +} + diff --git a/certServiceClient/src/test/java/org/onap/aaf/certservice/client/configuration/model/ClientConfigurationFactoryTest.java b/certServiceClient/src/test/java/org/onap/aaf/certservice/client/configuration/model/ClientConfigurationFactoryTest.java index c936ef52..f4f92495 100644 --- a/certServiceClient/src/test/java/org/onap/aaf/certservice/client/configuration/model/ClientConfigurationFactoryTest.java +++ b/certServiceClient/src/test/java/org/onap/aaf/certservice/client/configuration/model/ClientConfigurationFactoryTest.java @@ -38,8 +38,8 @@ public class ClientConfigurationFactoryTest { private final String CA_NAME_VALID = "caaaftest2"; private final String TIME_OUT_VALID = "30000"; private final String OUTPUT_PATH_VALID = "/opt/app/osaaf"; - private final String URL_TO_CERT_SERVICE_VALID = "http://cert-service:8080/v1/certificate/"; - private final String URL_TO_CERT_SERVICE_DEFAULT = "http://aaf-cert-service-service:8080/v1/certificate/"; + private final String URL_TO_CERT_SERVICE_VALID = "https://cert-service:8443/v1/certificate/"; + private final String URL_TO_CERT_SERVICE_DEFAULT = "https://aaf-cert-service:8443/v1/certificate/"; private final String CA_NAME_INVALID = "caaaftest2#$"; private final String OUTPUT_PATH_INVALID = "/opt//app/osaaf"; diff --git a/certServiceClient/src/test/java/org/onap/aaf/certservice/client/httpclient/HttpClientTest.java b/certServiceClient/src/test/java/org/onap/aaf/certservice/client/httpclient/HttpClientTest.java index 2a539414..60c2e93d 100644 --- a/certServiceClient/src/test/java/org/onap/aaf/certservice/client/httpclient/HttpClientTest.java +++ b/certServiceClient/src/test/java/org/onap/aaf/certservice/client/httpclient/HttpClientTest.java @@ -66,7 +66,7 @@ class HttpClientTest { statusLine = mock(StatusLine.class); httpResponse = mock(CloseableHttpResponse.class); - CloseableHttpClientProvider httpClientProvider = mock(CloseableHttpClientProvider.class); + CloseableHttpsClientProvider httpClientProvider = mock(CloseableHttpsClientProvider.class); when(httpClientProvider.getClient()).thenReturn(closeableHttpClient); String testCertServiceAddress = ""; diff --git a/certServiceClient/src/test/resources/keystore.jks b/certServiceClient/src/test/resources/keystore.jks Binary files differnew file mode 100644 index 00000000..0de9a18d --- /dev/null +++ b/certServiceClient/src/test/resources/keystore.jks diff --git a/certServiceClient/src/test/resources/truststore.jks b/certServiceClient/src/test/resources/truststore.jks Binary files differnew file mode 100644 index 00000000..2686690e --- /dev/null +++ b/certServiceClient/src/test/resources/truststore.jks diff --git a/certs/Makefile b/certs/Makefile new file mode 100644 index 00000000..6d90f65f --- /dev/null +++ b/certs/Makefile @@ -0,0 +1,110 @@ +all: step_1 step_2 step_3 step_4 step_5 step_6 step_7 step_8 step_9 step_10 step_11 step_12 step_13 step_14 step_15 +.PHONY: all +#Clear certificates +clear: + @echo "Clear certificates" + rm certServiceClient-keystore.jks certServiceServer-keystore.jks root.crt truststore.jks certServiceServer-keystore.p12 + @echo "#####done#####" + +#Generate root private and public keys +step_1: + @echo "Generate root private and public keys" + keytool -genkeypair -v -alias root -keyalg RSA -keysize 4096 -validity 3650 -keystore root-keystore.jks \ + -dname "CN=root.com, OU=Root Org, O=Root Company, L=Wroclaw, ST=Dolny Slask, C=PL" -keypass secret \ + -storepass secret -ext BasicConstraints:critical="ca:true" + @echo "#####done#####" + +#Export public key as certificate +step_2: + @echo "(Export public key as certificate)" + keytool -exportcert -alias root -keystore root-keystore.jks -storepass secret -file root.crt -rfc + @echo "#####done#####" + +#Self-signed root (import root certificate into truststore) +step_3: + @echo "(Self-signed root (import root certificate into truststore))" + keytool -importcert -alias root -keystore truststore.jks -file root.crt -storepass secret -noprompt + @echo "#####done#####" + +#Generate certService's client private and public keys +step_4: + @echo "Generate certService's client private and public keys" + keytool -genkeypair -v -alias certServiceClient -keyalg RSA -keysize 2048 -validity 730 \ + -keystore certServiceClient-keystore.jks -storetype JKS \ + -dname "CN=certServiceClient.com,OU=certServiceClient company,O=certServiceClient org,L=Wroclaw,ST=Dolny Slask,C=PL" \ + -keypass secret -storepass secret + @echo "####done####" + +#Generate certificate signing request for certService's client +step_5: + @echo "Generate certificate signing request for certService's client" + keytool -certreq -keystore certServiceClient-keystore.jks -alias certServiceClient -storepass secret -file certServiceClient.csr + @echo "####done####" + +#Sign certService's client certificate by root CA +step_6: + @echo "Sign certService's client certificate by root CA" + keytool -gencert -v -keystore root-keystore.jks -storepass secret -alias root -infile certServiceClient.csr \ + -outfile certServiceClientByRoot.crt -rfc -ext bc=0 -ext ExtendedkeyUsage="serverAuth,clientAuth" + @echo "####done####" + +#Import root certificate into client +step_7: + @echo "Import root certificate into intermediate" + cat root.crt >> certServiceClientByRoot.crt + @echo "####done####" + +#Import signed certificate into certService's client +step_8: + @echo "Import signed certificate into certService's client" + keytool -importcert -file certServiceClientByRoot.crt -destkeystore certServiceClient-keystore.jks -alias certServiceClient -storepass secret -noprompt + @echo "####done####" + +#Generate certService private and public keys +step_9: + @echo "Generate certService private and public keys" + keytool -genkeypair -v -alias aaf-cert-service -keyalg RSA -keysize 2048 -validity 730 \ + -keystore certServiceServer-keystore.jks -storetype JKS \ + -dname "CN=aaf-cert-service,OU=certServiceServer company,O=certServiceServer org,L=Wroclaw,ST=Dolny Slask,C=PL" \ + -keypass secret -storepass secret -ext BasicConstraints:critical="ca:false" + @echo "####done####" + +#Generate certificate signing request for certService +step_10: + @echo "Generate certificate signing request for certService" + keytool -certreq -keystore certServiceServer-keystore.jks -alias aaf-cert-service -storepass secret -file certServiceServer.csr + @echo "####done####" + +#Sign certService certificate by root CA +step_11: + @echo "Sign certService certificate by root CA" + keytool -gencert -v -keystore root-keystore.jks -storepass secret -alias root -infile certServiceServer.csr \ + -outfile certServiceServerByRoot.crt -rfc -ext bc=0 -ext ExtendedkeyUsage="serverAuth,clientAuth" \ + -ext SubjectAlternativeName:="DNS:aaf-cert-service,DNS:localhost" + @echo "####done####" + +#Import root certificate into server +step_12: + @echo "Import root certificate into intermediate(server)" + cat root.crt >> certServiceServerByRoot.crt + @echo "####done####" + +#Import signed certificate into certService +step_13: + @echo "Import signed certificate into certService" + keytool -importcert -file certServiceServerByRoot.crt -destkeystore certServiceServer-keystore.jks -alias aaf-cert-service \ + -storepass secret -noprompt + @echo "####done####" + +#Convert certServiceServer-keystore(.jks) to PCKS12 format(.p12) +step_14: + @echo "Convert certServiceServer-keystore(.jks) to PCKS12 format(.p12)" + keytool -importkeystore -srckeystore certServiceServer-keystore.jks -srcstorepass secret \ + -destkeystore certServiceServer-keystore.p12 -deststoretype PKCS12 -deststorepass secret + @echo "#####done#####" + +#Clear unused certificates +step_15: + @echo "Clear unused certificates" + rm certServiceClientByRoot.crt certServiceClient.csr root-keystore.jks certServiceServerByRoot.crt certServiceServer.csr + @echo "#####done#####" diff --git a/certs/certServiceClient-keystore.jks b/certs/certServiceClient-keystore.jks Binary files differnew file mode 100644 index 00000000..f24908c5 --- /dev/null +++ b/certs/certServiceClient-keystore.jks diff --git a/certs/certServiceServer-keystore.jks b/certs/certServiceServer-keystore.jks Binary files differnew file mode 100644 index 00000000..89605b6b --- /dev/null +++ b/certs/certServiceServer-keystore.jks diff --git a/certs/certServiceServer-keystore.p12 b/certs/certServiceServer-keystore.p12 Binary files differnew file mode 100644 index 00000000..2106c817 --- /dev/null +++ b/certs/certServiceServer-keystore.p12 diff --git a/certs/root.crt b/certs/root.crt new file mode 100644 index 00000000..faeee813 --- /dev/null +++ b/certs/root.crt @@ -0,0 +1,32 @@ +-----BEGIN CERTIFICATE----- +MIIFlDCCA3ygAwIBAgIETsAy8jANBgkqhkiG9w0BAQwFADByMQswCQYDVQQGEwJQ
+TDEUMBIGA1UECBMLRG9sbnkgU2xhc2sxEDAOBgNVBAcTB1dyb2NsYXcxFTATBgNV
+BAoTDFJvb3QgQ29tcGFueTERMA8GA1UECxMIUm9vdCBPcmcxETAPBgNVBAMTCHJv
+b3QuY29tMB4XDTIwMDQwMzA5MTYxNloXDTMwMDQwMTA5MTYxNlowcjELMAkGA1UE
+BhMCUEwxFDASBgNVBAgTC0RvbG55IFNsYXNrMRAwDgYDVQQHEwdXcm9jbGF3MRUw
+EwYDVQQKEwxSb290IENvbXBhbnkxETAPBgNVBAsTCFJvb3QgT3JnMREwDwYDVQQD
+Ewhyb290LmNvbTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAImm68wu
+rtdkVrC5JI2y53+DoVE4al7NxC2yHeVW0PRD3CgW1xba6dlSQoDQQKkDkxtuNhlU
+IQxU1bbKR6syqJgpJXwSDx4sl4J5lQGWN+iuNA72C1IyXATOgowGq6PbOVVTkApy
+3+ZZGBCmweTjhvddAO7k5p8v+ePt17VvBTxSt6rSvrkGMbpCxBGAPfGpL9xykm9Z
+okVSlA42gGhbra499QTT0Yc/WPPFotKkDKFGaDrLW3NYX1Lio11myYNvLOMwfSEV
+Xy9vkwxcdqFJpHjx+EVLLQXwkudZP+D53N4bk8nP3SacbZSQ/A85mZpWNtw+r9QL
+fZGecY1YIR0udLj66CIG3ybl3gSXX7TSRERTIMR6Um1lt+039FSa18mRBpQTCDXV
+tSL58Qs5BHFkCe0sGpY+XiSEypc6oYPf/7YjiTvMT/mHhDffrvFjhK+wP/oCIg8u
+vuPRoPWuyw41bBeFGitJgDn7E8p9B4K/1DCO/ZcjXiYMgn5Hwb3ojablYUeiXs99
+2AAV8gCceUCdgcP8d6wdAydOVljavkgHPG0IMbiVG1WT57oM3HQpejgpujlKDDsI
+bi9/lbcC/U0JoN9yAaJZFr7CXJrxRv8DWeTwzMTo203KHNu9roQiERd38P8Dp6AQ
+ivmqf0+0VZM3IpjWBYKM68tclHJcG+7wyFjvAgMBAAGjMjAwMB0GA1UdDgQWBBSN
+lFyR56zh67mnvYTmmgJQVxEJrjAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEB
+DAUAA4ICAQBczmFY0kmr1FK50glkT282ur0vukNtwXQNJONof3rYRqP2W98jID6D
+ayma0B4/H1EqCa0d66wRBxFdwW+MqOc4uWD3uUwgazrYD/Bv+V3aumaw8yX6vbyL
+hLNfpd4pViAEGtzYxYfMfFR6uzInF3NMpvt8OXCSGKiQjDMnMs0ekvUZLJm7yxwT
+Qr9aAEFYQYM/GstUC6qFfuUa4MaGvmyKWhZ10JoKXYbGGeFU4wI7Kzifh3VvawTg
+r314ZvQ3zpEwzNJpdvT5ZKuPvyN+drAKFpSPfOTFmmb3uF95FgYq33OFPpo7SR43
+tnw5u5YqKnsHmqCIRMctWiYZc8rBJ3+eBGmke6z/AN6FraG6Ejc8e4WPclrB8STb
++oB3a4Cvri1VHyodkm50Sb/d1FAMDXvzEPBfu2D0dVvOwOcISSN/MQUom8NN4YeI
+aEATdAPNkokgehOzZ1OPRv47FKYEVPCXjaZEWAC7NNmNiRn4RQOti0DlNrLL7Nx9
+vK09G0EnW01MO2ARRkZ3dog+Ph7orJQV3sd7TO4EEortqWtbegSH75ylyYw6rt/j
+uBzYtMOnEtnQKhxj4Wj7PO+StCgspoOByn0d+iSgDd2TlpWm4naP2pfFZT0R+TOH
+wzSH0F47TSfRd0++uEz/QhViybrvQK7yMt1G1YwZp2im+imuWwUC8Q== +-----END CERTIFICATE----- diff --git a/certs/truststore.jks b/certs/truststore.jks Binary files differnew file mode 100644 index 00000000..c32d37fd --- /dev/null +++ b/certs/truststore.jks diff --git a/compose-resources/client-configuration.env b/compose-resources/client-configuration.env index e79aa618..bc62f1f7 100644 --- a/compose-resources/client-configuration.env +++ b/compose-resources/client-configuration.env @@ -1,6 +1,6 @@ #Client envs -REQUEST_URL=http://aafcert-service:8080/v1/certificate/ -REQUEST_TIMEOUT=1000 +REQUEST_URL=https://aaf-cert-service:8443/v1/certificate/ +REQUEST_TIMEOUT=10000 OUTPUT_PATH=/var/certs CA_NAME=RA #Csr config envs @@ -11,4 +11,8 @@ LOCATION=San-Francisco STATE=California COUNTRY=US SANS=example.org - +#Tls config envs +KEYSTORE_PATH=/etc/onap/aaf/certservice/certs/certServiceClient-keystore.jks +KEYSTORE_PASSWORD=secret +TRUSTSTORE_PATH=/etc/onap/aaf/certservice/certs/truststore.jks +TRUSTSTORE_PASSWORD=secret diff --git a/certService/helm/aaf-cert-service/resources/cmpServers.json b/compose-resources/cmpServers.json index d6557c52..d6557c52 100644 --- a/certService/helm/aaf-cert-service/resources/cmpServers.json +++ b/compose-resources/cmpServers.json diff --git a/docker-compose.yml b/docker-compose.yml index 851ad317..8aa72a55 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -18,16 +18,25 @@ services: networks: - certservice - certservice: + aaf-cert-service: image: onap/org.onap.aaf.certservice.aaf-certservice-api:latest - container_name: aafcert-service volumes: - - ./certService/helm/aaf-cert-service/resources/cmpServers.json:/etc/onap/aaf/certservice/cmpServers.json + - ./compose-resources/cmpServers.json:/etc/onap/aaf/certservice/cmpServers.json + - ./certs/truststore.jks:/etc/onap/aaf/certservice/certs/truststore.jks + - ./certs/root.crt:/etc/onap/aaf/certservice/certs/root.crt + - ./certs/certServiceServer-keystore.jks:/etc/onap/aaf/certservice/certs/certServiceServer-keystore.jks + - ./certs/certServiceServer-keystore.p12:/etc/onap/aaf/certservice/certs/certServiceServer-keystore.p12 + container_name: aafcert-service ports: - - "8080:8080" + - "8443:8443" depends_on: ejbca: condition: service_healthy + healthcheck: + test: ["CMD-SHELL", "curl https://localhost:8443/actuator/health --cacert /etc/onap/aaf/certservice/certs/root.crt --cert-type p12 --cert /etc/onap/aaf/certservice/certs/certServiceServer-keystore.p12 --pass secret"] + interval: 10s + timeout: 3s + retries: 15 networks: - certservice diff --git a/docs/index.rst b/docs/index.rst index e84df935..7a55a2cf 100644 --- a/docs/index.rst +++ b/docs/index.rst @@ -1,6 +1,7 @@ .. This work is licensed under a Creative Commons Attribution 4.0 International License. .. http://creativecommons.org/licenses/by/4.0 .. Copyright 2020 NOKIA +.. _master_index: AAF Certification Service ========================================= diff --git a/docs/sections/architecture.rst b/docs/sections/architecture.rst index 9b1b481e..c70dd56d 100644 --- a/docs/sections/architecture.rst +++ b/docs/sections/architecture.rst @@ -1,6 +1,7 @@ .. This work is licensed under a Creative Commons Attribution 4.0 International License. .. http://creativecommons.org/licenses/by/4.0 .. Copyright 2020 NOKIA +.. _architecture: Architecture ============ diff --git a/docs/sections/configuration.rst b/docs/sections/configuration.rst index 1c9c62b5..51c87aa7 100644 --- a/docs/sections/configuration.rst +++ b/docs/sections/configuration.rst @@ -20,7 +20,7 @@ Certification Service Client image: .. code-block:: #Client envs - REQUEST_URL=http://aaf-cert-service-service:8080/v1/certificate/ + REQUEST_URL=http://aaf-cert-service:8080/v1/certificate/ REQUEST_TIMEOUT=1000 OUTPUT_PATH=/var/certs CA_NAME=RA @@ -107,7 +107,7 @@ Example deployment: imagePullPolicy: Always env: - name: REQUEST_URL - value: http://aaf-cert-service-service:8080/v1/certificate/ + value: http://aaf-cert-service:8080/v1/certificate/ - name: REQUEST_TIMEOUT value: "1000" - name: OUTPUT_PATH diff --git a/docs/sections/offeredapis.rst b/docs/sections/offeredapis.rst index 8d84b638..61c5bc33 100644 --- a/docs/sections/offeredapis.rst +++ b/docs/sections/offeredapis.rst @@ -1,6 +1,7 @@ .. This work is licensed under a Creative Commons Attribution 4.0 International License. .. http://creativecommons.org/licenses/by/4.0 .. Copyright 2020 NOKIA +.. _offeredapis: Offered APIs ============ @@ -114,18 +114,6 @@ <goal>repackage</goal> </goals> </execution> - <execution> - <id>pre-integration-test</id> - <goals> - <goal>start</goal> - </goals> - </execution> - <execution> - <id>post-integration-test</id> - <goals> - <goal>stop</goal> - </goals> - </execution> </executions> </plugin> <plugin> |