diff options
Diffstat (limited to 'docs/sections/configuration.rst')
| -rw-r--r-- | docs/sections/configuration.rst | 59 |
1 files changed, 35 insertions, 24 deletions
diff --git a/docs/sections/configuration.rst b/docs/sections/configuration.rst index 43de0e43..b325712e 100644 --- a/docs/sections/configuration.rst +++ b/docs/sections/configuration.rst @@ -3,7 +3,7 @@ .. Copyright 2020 NOKIA Configuration -============= +============== Configuring Cert Service @@ -41,7 +41,7 @@ Example cmpServers.json file: This contains list of CMP Servers, where each server has following properties: - - *caName* - name of the external CA server. It's used to match *CA_NAME* sent by client in order to match proper configuration. + - *caName* - name of the external CA server. It's used to match *CA_NAME* sent by CertService client in order to match proper configuration. - *url* - URL to CMPv2 server - *issuerDN* - Distinguished Name of the CA that will sign the certificate - *caMode* - Issuer mode. Allowed values are *CLIENT* and *RA* @@ -57,8 +57,8 @@ This configuration is read on the application start. It can also be reloaded in Next sections explain how to configure Cert Service in local (docker-compose) and OOM Deployments. -Configuring in local(docker-compose) deployment: -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ +Configuring in local (docker-compose) deployment: +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ Before application start: """"""""""""""""""""""""" @@ -76,6 +76,9 @@ When application is running: docker exec -it <certservice-container-name> bash + e.g. + docker exec -it aafcert-service bash + 3. Edit *cmpServers.json* file:: vim /etc/onap/aaf/certservice/cmpServers.json @@ -83,7 +86,7 @@ When application is running: 4. Save the file. Note that this file is mounted as volume, so change will be persistent. 5. Reload configuration:: - curl -I https://localhost:8443/reload --cacert /etc/onap/aaf/certservice/certs/root.crt --cert-type p12 --cert /etc/onap/aaf/certservice/certs/certServiceServer-keystore.p12 --pass secret + curl -I https://localhost:8443/reload --cacert /etc/onap/aaf/certservice/certs/root.crt --cert-type p12 --cert /etc/onap/aaf/certservice/certs/certServiceServer-keystore.p12 --pass $KEYSTORE_PASSWORD 6. Exit container:: @@ -96,7 +99,7 @@ Configuring in OOM deployment: Before OOM installation: """""""""""""""""""""""" -Note! This must be executed before calling *make all* (from OOM Installation) or needs remaking aaf Charts. +Note! This must be executed before calling *make all* (from OOM Installation) or needs remaking AAF charts. 1. Edit *cmpServers.json* file. If OOM *global.addTestingComponents* flag is set to: @@ -109,15 +112,20 @@ Note! This must be executed before calling *make all* (from OOM Installation) or When CertService is deployed: """"""""""""""""""""""""""""" -1. Encode your configuration to base64:: +1. Create file with configuration + +2. Encode your configuration to base64:: - echo "CONFIGURATION_TO_ENCODE" | base64 + cat <configuration_file> | base64 -2. Edit secret:: +3. Edit secret:: - kubectl edit secret <cmp-servers-secret-name> # aaf-cert-service-secret by default + kubectl -n onap edit secret <cmp-servers-secret-name> -3. Replace value for *cmpServers.json* with your base64 encoded configuration. For example: + e.g. + kubectl -n onap edit secret aaf-cert-service-secret + +4. Replace value for *cmpServers.json* with your base64 encoded configuration. For example: .. code-block:: yaml @@ -134,17 +142,20 @@ When CertService is deployed: uid: 6a037526-83ed-11ea-b731-fa163e2144f6 type: Opaque -4. Save and exit -5. New configuration will be automatically mounted to CertService pod, but application configuration reload is needed. -6. To reload configuration enter CertService pod:: +5. Save and exit +6. New configuration will be automatically mounted to CertService pod, but application configuration reload is needed. +7. To reload configuration enter CertService pod:: + + kubectl -n onap exec -it <cert-service-pod-name> bash - kubectl exec -it <cert-service-pod-name> bash + e.g. + kubectl -n onap exec -it $(kubectl -n onap get pods | grep cert-service | awk '{print $1}') bash -7. Reload configuration:: +8. Reload configuration:: curl -I https://localhost:$HTTPS_PORT/reload --cacert $ROOT_CERT --cert-type p12 --cert $KEYSTORE_P12_PATH --pass $KEYSTORE_PASSWORD -8. Exit container:: +9. Exit container:: exit @@ -185,19 +196,19 @@ This section describes how to use custom, external certificates for CertService 1. Set *tls.certificateExternalSecret* flag to true in *kubernetes/aaf/charts/aaf-cert-service/values.yaml* 2. Prepare secret for CertService. It must be provided before OOM installation. It must contain four files: - - *certServiceServer-keystore.jks* - keystore in jks format. Signed by some Root CA - - *certServiceServer-keystore.p12* - same keystore in p12 format - - *truststore.jks* - truststore in jks format, containing certificates of the Root CA that signed CertService Client certificate - - *root.crt* - certificate of the RootCA that signed Client certificate in crt format + - *certServiceServer-keystore.jks* - keystore in JKS format. Signed by some Root CA + - *certServiceServer-keystore.p12* - same keystore in PKCS#12 format + - *truststore.jks* - truststore in JKS format, containing certificates of the Root CA that signed CertService Client certificate + - *root.crt* - certificate of the RootCA that signed Client certificate in CRT format 3. Name the secret properly - the name should match *tls.server.secret.name* value from *kubernetes/aaf/charts/aaf-cert-service/values.yaml* file 4. Prepare secret for CertService Client. It must be provided before OOM installation. It must contain two files: - - *certServiceClient-keystore.jks* - keystore in jks format. Signed by some Root CA - - *truststore.jks* - truststore in jks format, containing certificates of the RootCA that signed CertService certificate + - *certServiceClient-keystore.jks* - keystore in JKS format. Signed by some Root CA + - *truststore.jks* - truststore in JKS format, containing certificates of the RootCA that signed CertService certificate -5. Name the secret properly - the name should match *global.aaf.certService.client.secret.name* +5. Name the secret properly - the name should match *global.aaf.certService.client.secret.name* value from *kubernetes/onap/values.yaml* file 6. Provide keystore and truststore passwords for CertService. It can be done in two ways: |