summaryrefslogtreecommitdiffstats
path: root/README.md
diff options
context:
space:
mode:
authorChrisC <christophe.closset@intl.att.com>2020-02-05 13:07:40 +0100
committerChristophe Closset <christophe.closset@intl.att.com>2020-02-05 12:23:12 +0000
commit504422fe7b93714222ff53b9ee9914a26b74c091 (patch)
treef0ce898fbbe94c3b67971cb52287970d9ee11277 /README.md
parent8d91398da6162c19643f3f7cae83327dd4e81263 (diff)
Update SSL Certs and doc
Update SSL certs for Frankfurt (expiry date Feb 2021) + fix clamp env for compose. Documentation updated to reflect what to do for cert renewal (readme). Issue-ID: CLAMP-641 Signed-off-by: ChrisC <christophe.closset@intl.att.com> Change-Id: I24e24ee88674c3d5b399bc0f1722c61f4c54a937
Diffstat (limited to 'README.md')
-rw-r--r--README.md27
1 files changed, 19 insertions, 8 deletions
diff --git a/README.md b/README.md
index 148ff959c..65fc0530c 100644
--- a/README.md
+++ b/README.md
@@ -114,10 +114,10 @@ With the default log settings, all logs will be generated into console and into
You can see the swagger definition for the jaxrs apis at `/restservices/clds/v1/openapi.json`
-## Clamp AAF
+## Clamp AAF - Renew Certificates
- Connect to windriver with openvpn
- create a folder aaf-renewal and go to it
-- create a file aaf.props with that content
+- create a file aaf.props with that content (or run the agent.sh script below, it will prompt you for values at first run)
VERSION=2.1.13
DOCKER_REPOSITORY=nexus3.onap.org:10001
HOSTNAME=
@@ -141,13 +141,24 @@ You can see the swagger definition for the jaxrs apis at `/restservices/clds/v1/
cadi_latitude[0.000]=10.0
cadi_longitude[0.000]=10.0
- Certs should created, you can get them in /var/lib/docker/volumes/clamp_config/_data/local
+ If you want to recreate the certs, you have to delete the docker volume (otherwise it will be re used) : docker volume rm clamp_config
- wget https://nexus.onap.org/content/repositories/releases/org/onap/aaf/authz/aaf-cadi-aaf/2.1.13/aaf-cadi-aaf-2.1.13-full.jar
- to encrypt or decrypt the store passwords: java -jar aaf-cadi-aaf-2.1.13-full.jar cadi digest changeit testos.key
-
+- you can also use the agent.sh script to decrypt the passwords, by running the showpass commands (see wiki below)
- Extract private key from P12: 'openssl pkcs12 -in org.onap.clamp.p12 -nocerts -nodes > clamp.key'
- Extract public certificate from P12: 'openssl pkcs12 -in org.onap.clamp.p12 -clcerts -nokeys > clamp.pem'
- Extract CA certificate from P12: 'openssl pkcs12 -in org.onap.clamp.p12 -cacerts -nokeys -chain > ca-certs.pem'
- reference wiki: https://wiki.onap.org/display/DW/AAF+Certificate+Management+for+Dummies
+- you need to place new clamp.key, clamp.pem and ca-certs.pem into src/main/resources/clds/aaf/ssl, this will be used by the FrontEnd
+- you need to replace the password of the generated keystore (clamp uses the p12 keystore), we want to keep the same demo password across release
+ to do so, you can use keytool to update the password and set it back to 'China in the Spring'
+ keytool -storepasswd -keystore ./org.onap.clamp.p12
+- this will prompt for the current keystore password (the one generated by the aaf script that you can get from the above)
+- you can then set it to 'China in the Spring'
+- once done, you can replace : org.onap.clamp.p12 into src/main/resources/clds/aaf
+- rebuild Clamp Docker containers, they should be updated with the renewed certificates
+
+
## Clamp Credentials
There are two mechanisms that can enabled for the authentication, one or the other never both at the same time.
@@ -158,17 +169,17 @@ There is a section for SSL enablement and cadi configuration (for AAF) + one spr
server.port=8443
server.ssl.key-store=classpath:/clds/aaf/org.onap.clamp.p12
-server.ssl.key-store-password=China in the Spring
-server.ssl.key-password=China in the Spring
+server.ssl.key-store-password=enc:WWCxchk4WGBNSvuzLq3MLjMs5ObRybJtts5AI0XD1Vc
+server.ssl.key-password=enc:WWCxchk4WGBNSvuzLq3MLjMs5ObRybJtts5AI0XD1Vc
server.ssl.key-store-type=PKCS12
server.ssl.key-alias=clamp@clamp.onap.org
+clamp.config.keyFile=classpath:/clds/aaf/org.onap.clamp.keyfile
server.ssl.client-auth=want
server.ssl.trust-store=classpath:/clds/aaf/truststoreONAPall.jks
-server.ssl.trust-store-password=changeit
-
+server.ssl.trust-store-password=enc:iDnPBBLq_EMidXlMa1FEuBR8TZzYxrCg66vq_XfLHdJ
server.http-to-https-redirection.port=8080
....
-spring.profiles.active=clamp-default,clamp-aaf-authentication,clamp-sdc-controller
+spring.profiles.active=clamp-default,clamp-aaf-authentication,clamp-sdc-controller-new,clamp-ssl-config
....
clamp.config.cadi.keyFile=classpath:/clds/aaf/org.onap.clamp.keyfile
clamp.config.cadi.cadiLoglevel=DEBUG