# Cert service
### General description
More information about the project and all of its functionality can be found on the wiki page:
```
https://wiki.onap.org/display/DW/OOM+Certification+Service
```
Project consists of four submodules:
1. oom-certservice-api
2. *deprecated (no longer built)* oom-certservice-client
3. oom-certservice-post-processor
4. oom-certservice-k8s-external-provider
Detailed information about the submodules can be found in the `README.md` in their directories.
### Project building
```
mvn clean package
```
### Install the packages into the local repository
```
mvn clean install
```
### Building Docker images and installing packages into the local repository
```
mvn clean install -P docker
or
make build
```
### Generating certificates
Example certificates are already generated in the certs/ directory.
To generate new certificates, first remove the existing ones.
Then execute the following command from the certs(!) directory:
```
make
```
### Running Docker containers from docker-compose with EJBCA
Docker-compose uses a local image of certservice-api, and `make run-client` uses a released image of certservice-client.
Build the certservice-api Docker image locally before running the docker-compose command.
```
1. Build local images
make build
2. Start Cert Service with configured EJBCA
make start-backend
3. Run Cert Service Client
make run-client
4. Stop Cert Service and EJBCA
make stop-backend
```
### Generating certificates via REST Api
#### Requirements
* OpenSSL
* cURL
* jq (for parseCertServiceResponse.sh script)
#### Initialization Request
1. Create Certificate Signing Request and Private Key
```
openssl req -new -newkey rsa:2048 -nodes -keyout ./compose-resources/certs-from-curl/ir.key \
-out ./compose-resources/certs-from-curl/ir.csr \
-subj "/C=US/ST=California/L=San-Francisco/O=ONAP/OU=Linux-Foundation/CN=onap.org" \
-addext "subjectAltName = DNS:test.onap.org"
```
2. Send Initialization Request
```
curl -s https://localhost:8443/v1/certificate/RA -H "PK: $(cat ./compose-resources/certs-from-curl/ir.key | base64 | tr -d \\n)" \
-H "CSR: $(cat ./compose-resources/certs-from-curl/ir.csr | base64 | tr -d \\n)" \
--cert ./certs/cmpv2Issuer-cert.pem \
--key ./certs/cmpv2Issuer-key.pem \
--cacert ./certs/cacert.pem
```
To parse the response, pipe the output to the `parseCertServiceResponse.sh` script, providing a file-name prefix as its argument:
```
curl -sN https://localhost:8443/v1/certificate/RA -H "PK: $(cat ./compose-resources/certs-from-curl/ir.key | base64 | tr -d \\n)" \
-H "CSR: $(cat ./compose-resources/certs-from-curl/ir.csr | base64 | tr -d \\n)" \
--cert ./certs/cmpv2Issuer-cert.pem \
--key ./certs/cmpv2Issuer-key.pem \
--cacert ./certs/cacert.pem | `pwd`/parseCertServiceResponse.sh "ir"
```
#### Update Request
1. Create Certificate Signing Request and Private Key - same as for Initialization Request.
When the CSR data (Subject and SANs) is unchanged, a Key Update Request (KUR) is performed.
Otherwise a Certification Request (CR) is performed.
Example for KUR:
```
openssl req -new -newkey rsa:2048 -nodes -keyout ./compose-resources/certs-from-curl/kur.key \
-out ./compose-resources/certs-from-curl/kur.csr \
-subj "/C=US/ST=California/L=San-Francisco/O=ONAP/OU=Linux-Foundation/CN=onap.org" \
-addext "subjectAltName = DNS:test.onap.org"
```
Example for CR:
```
openssl req -new -newkey rsa:2048 -nodes -keyout ./compose-resources/certs-from-curl/cr.key \
-out ./compose-resources/certs-from-curl/cr.csr \
-subj "/C=US/ST=California/L=San-Francisco/O=ONAP/OU=Linux-Foundation/CN=new-onap.org" \
-addext "subjectAltName = DNS:test.onap.org"
```
2. Send Update Request.
Example for KUR:
```
curl -sN https://localhost:8443/v1/certificate-update/RA -H "PK: $(cat ./compose-resources/certs-from-curl/kur.key | base64 | tr -d \\n)" \
-H "CSR: $(cat ./compose-resources/certs-from-curl/kur.csr | base64 | tr -d \\n)" \
-H "OLDPK: $(cat ./compose-resources/certs-from-curl/ir.key | base64 | tr -d \\n)" \
-H "OLDCERT: $(cat ./compose-resources/certs-from-curl/ir-cert.pem | base64 | tr -d \\n)" \
--cert ./certs/cmpv2Issuer-cert.pem \
--key ./certs/cmpv2Issuer-key.pem \
--cacert ./certs/cacert.pem | `pwd`/parseCertServiceResponse.sh "kur"
```
Example for CR:
```
curl -sN https://localhost:8443/v1/certificate-update/RA -H "PK: $(cat ./compose-resources/certs-from-curl/cr.key | base64 | tr -d \\n)" \
-H "CSR: $(cat ./compose-resources/certs-from-curl/cr.csr | base64 | tr -d \\n)" \
-H "OLD_PK: $(cat ./compose-resources/certs-from-curl/ir.key | base64 | tr -d \\n)" \
-H "OLD_CERT: $(cat ./compose-resources/certs-from-curl/ir-cert.pem | base64 | tr -d \\n)" \
--cert ./certs/cmpv2Issuer-cert.pem \
--key ./certs/cmpv2Issuer-key.pem \
--cacert ./certs/cacert.pem | `pwd`/parseCertServiceResponse.sh "cr"
```
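The curl calls above build every header the same way (a PEM file, base64-encoded onto a single line) and the response is then split into PEM files by `parseCertServiceResponse.sh`. The following Python script is an added example, not code from the OOM CertService project, showing the same Initialization and Update request flow with the PEM inputs checked before they are sent and the response validated before anything is written. Assumptions not taken from this README: the response is a JSON object with `certificateChain` and `trustedCertificates` lists of PEM strings, the parse script writes `<prefix>-cert.pem` (the KUR example reads `ir-cert.pem`, so that part follows the page) and `<prefix>-ca.pem`, and the update headers are spelled `OLD_PK`/`OLD_CERT` as in the CR example (the KUR example spells them `OLDPK`/`OLDCERT`; check the running service's API). The sample response and PEM inputs are constructed so the script runs offline.

```python
import base64
import json
import ssl
import urllib.request

# Constructed sample response (field names are an assumption, see lead-in).
SAMPLE_RESPONSE = json.dumps({
    "certificateChain": [
        "-----BEGIN CERTIFICATE-----\nAAAA\n-----END CERTIFICATE-----\n",
        "-----BEGIN CERTIFICATE-----\nBBBB\n-----END CERTIFICATE-----\n",
    ],
    "trustedCertificates": [
        "-----BEGIN CERTIFICATE-----\nCCCC\n-----END CERTIFICATE-----\n",
    ],
})

# Constructed stand-ins for the PEM files the README generates with openssl.
SAMPLE_KEY = b"-----BEGIN PRIVATE KEY-----\nMIIB\n-----END PRIVATE KEY-----\n"
SAMPLE_CSR = b"-----BEGIN CERTIFICATE REQUEST-----\nMIIC\n-----END CERTIFICATE REQUEST-----\n"
SAMPLE_CERT = b"-----BEGIN CERTIFICATE-----\nMIID\n-----END CERTIFICATE-----\n"

KEY_MARKERS = (b"-----BEGIN PRIVATE KEY-----", b"-----BEGIN RSA PRIVATE KEY-----")
CSR_MARKERS = (b"-----BEGIN CERTIFICATE REQUEST-----", b"-----BEGIN NEW CERTIFICATE REQUEST-----")
CERT_MARKERS = (b"-----BEGIN CERTIFICATE-----",)


def pem_header_value(pem_bytes, markers):
    """Single-line base64 of a PEM file, equivalent to `base64 | tr -d '\\n'`
    in the README's curl calls. Refuses input of the wrong PEM type so a key
    is never sent where a CSR or certificate is expected (or vice versa)."""
    if not any(m in pem_bytes for m in markers):
        raise ValueError("input is not one of %s" % ", ".join(m.decode() for m in markers))
    return base64.b64encode(pem_bytes).decode("ascii")


def build_headers(private_key_pem, csr_pem, old_private_key_pem=None, old_cert_pem=None):
    """Headers for /v1/certificate/RA (IR) or, when the old key and old
    certificate are given, /v1/certificate-update/RA (KUR or CR)."""
    headers = {
        "PK": pem_header_value(private_key_pem, KEY_MARKERS),
        "CSR": pem_header_value(csr_pem, CSR_MARKERS),
    }
    if (old_private_key_pem is None) != (old_cert_pem is None):
        raise ValueError("an update request needs both the old key and the old certificate")
    if old_private_key_pem is not None:
        # Header spelling follows the CR example on the page (assumption).
        headers["OLD_PK"] = pem_header_value(old_private_key_pem, KEY_MARKERS)
        headers["OLD_CERT"] = pem_header_value(old_cert_pem, CERT_MARKERS)
    return headers


def parse_response(body, prefix):
    """Split the JSON response into the PEM files the README's parse script
    is assumed to write. Returns {filename: pem_text} instead of writing to
    disk so the result can be inspected; every entry must be a certificate."""
    data = json.loads(body)
    chain = data["certificateChain"]
    trusted = data["trustedCertificates"]
    if not chain:
        raise ValueError("response carries no certificate chain")
    for pem in chain + trusted:
        if "-----BEGIN CERTIFICATE-----" not in pem:
            raise ValueError("response entry is not a PEM certificate")
    return {
        prefix + "-cert.pem": "".join(chain),   # leaf first, as the service returned it
        prefix + "-ca.pem": "".join(trusted),   # trust anchors, assumed file name
    }


def request_certificate(url, headers, client_cert, client_key, ca_bundle, timeout=30):
    """Mutual-TLS GET matching the README's --cert/--key/--cacert flags.
    Only the CA in ca_bundle is trusted for the server certificate."""
    ctx = ssl.create_default_context(cafile=ca_bundle)
    ctx.load_cert_chain(certfile=client_cert, keyfile=client_key)
    req = urllib.request.Request(url, headers=headers, method="GET")
    with urllib.request.urlopen(req, context=ctx, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


if __name__ == "__main__":
    # Offline demonstration: IR headers, KUR/CR headers, and response parsing.
    ir_headers = build_headers(SAMPLE_KEY, SAMPLE_CSR)
    upd_headers = build_headers(SAMPLE_KEY, SAMPLE_CSR, SAMPLE_KEY, SAMPLE_CERT)
    print(sorted(ir_headers), sorted(upd_headers))
    for name, pem in parse_response(SAMPLE_RESPONSE, "ir").items():
        print(name, pem.count("-----BEGIN CERTIFICATE-----"), "certificate(s)")
    # Against a running compose stack the call would be:
    # body = request_certificate("https://localhost:8443/v1/certificate/RA", ir_headers,
    #                            "./certs/cmpv2Issuer-cert.pem", "./certs/cmpv2Issuer-key.pem",
    #                            "./certs/cacert.pem")
```

The type check in `pem_header_value` is the part worth keeping even if the rest is replaced by curl: the headers carry a private key and a CSR as opaque base64, so a swapped file path is silently accepted by the transport and only fails, if at all, inside the service.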
#### Using makefile
1. Perform Initialization Request:
```
make send-initialization-request
```
2. Perform Update Request:
```
make send-key-update-request
```
or:
```
make send-certification-request
```
### OOM CertService CSITs
#### CSIT repository
```
https://gerrit.onap.org/r/admin/repos/integration/csit
```
#### How to run tests locally
1. Checkout CSIT repository
2. Configure CSIT local environment
3. Inside CSIT directory execute
```
sudo ./run-csit.sh plans/oom-platform-cert-service/certservice
```
#### Jenkins build
https://jenkins.onap.org/view/CSIT/job/oom-platform-cert-service-master-csit-certservice/
### Sonar results
```
https://sonarcloud.io/dashboard?id=onap_oom-platform-cert-service
```
### Maven artifacts
All Maven artifacts are deployed under the Nexus URI:
```
https://nexus.onap.org/content/repositories/snapshots/org/onap/oom/certservice/
```
### Docker artifacts
All Docker images are hosted under the Nexus3 URI:
```
https://nexus3.onap.org/repository/docker.snapshot/v2/onap/org.onap.oom.certservice.oom-certservice-api/
```
### How to release containers
```
https://github.com/lfit/releng-global-jjb/blob/master/docs/jjb/lf-release-jobs.rst
```