author | Pamela Dragosh <pdragosh@research.att.com> | 2018-08-20 18:33:55 +0000 |
committer | Gerrit Code Review <gerrit@onap.org> | 2018-08-20 18:33:55 +0000 |
commit | 181e4d4f95d7fab6b1e134406a22b568a9881bf3 (patch) | |
tree | aedf26707492af60d678826b7e4ab7ab1a7efe5b | |
parent | 13d0d6b9f3a88a32ca9aff945469c7aa9f19292b (diff) | |
parent | 3bbdb237654a09496c2916ce2c7545f2aabbe339 (diff) |
Merge "https certs with aaf+pdpd containers compatibility"
-rw-r--r-- | config/policy-engine.properties | 38 | ||||
-rw-r--r-- | config/policy-keystore | bin | 0 -> 4535 bytes | |||
-rw-r--r-- | config/policy-truststore | bin | 0 -> 124180 bytes | |||
-rw-r--r-- | packages/base/src/files/etc/ssl/ca-aaf.crt | 31 | ||||
-rw-r--r-- | packages/base/src/files/etc/ssl/policy-keystore | bin | 114865 -> 4535 bytes | |||
-rw-r--r-- | packages/base/src/files/etc/ssl/policy-truststore | bin | 0 -> 124180 bytes | |||
-rw-r--r-- | packages/docker/src/main/docker/do-start.sh | 9 | ||||
-rw-r--r-- | packages/docker/src/main/docker/docker-install.sh | 13 | ||||
-rw-r--r-- | packages/install/src/files/base.conf | 2 | ||||
-rw-r--r-- | policy-management/src/main/server/config/policy-engine.properties | 17 | ||||
-rw-r--r-- | policy-management/src/main/server/config/system.properties | 11 |
11 files changed, 110 insertions, 11 deletions
diff --git a/config/policy-engine.properties b/config/policy-engine.properties
new file mode 100644
index 00000000..56c2a673
--- /dev/null
+++ b/config/policy-engine.properties
@@ -0,0 +1,38 @@
+###
+# ============LICENSE_START=======================================================
+# policy-management
+# ================================================================================
+# Copyright (C) 2018 AT&T Intellectual Property. All rights reserved.
+# ================================================================================
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+# ============LICENSE_END=========================================================
+###
+
+# Policy Engine Configuration
+
+# Configuration Channel Settings: PDPD_CONFIGURATION
+
+http.server.services=CONFIG,SECURED-CONFIG
+http.server.services.CONFIG.host=0.0.0.0
+http.server.services.CONFIG.port=9696
+http.server.services.CONFIG.restPackages=org.onap.policy.drools.server.restful
+http.server.services.CONFIG.managed=false
+http.server.services.CONFIG.swagger=true
+http.server.services.CONFIG.https=false
+
+http.server.services.SECURED-CONFIG.host=0.0.0.0
+http.server.services.SECURED-CONFIG.port=9697
+http.server.services.SECURED-CONFIG.restPackages=org.onap.policy.drools.server.restful
+http.server.services.SECURED-CONFIG.managed=false
+http.server.services.SECURED-CONFIG.swagger=true
+http.server.services.SECURED-CONFIG.https=true
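Review bot: Neither the CONFIG nor the SECURED-CONFIG listener in this file carries a userName/password, and both bind 0.0.0.0, whereas the template in policy-management/src/main/server/config/policy-engine.properties in this same commit sets ${{ENGINE_MANAGEMENT_USER}}/${{ENGINE_MANAGEMENT_PASSWORD}} on both listeners. If this file replaces that template at container start (only the keystore and truststore copies from config/ are visible in this diff, so how this file is consumed is not shown), the management REST API ends up reachable on every interface without credentials, with 9696 still plain http. Either add the userName/password lines here or state the intent above the listener block, e.g. `# NOTE: no userName/password here on purpose — credentials are injected by <mechanism>; never ship this file as-is`. The header `# Configuration Channel Settings: PDPD_CONFIGURATION` also does not describe the content, which is only the http server definitions.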
diff --git a/config/policy-keystore b/config/policy-keystore
Binary files differ
new file mode 100644
index 00000000..b92217cf
--- /dev/null
+++ b/config/policy-keystore
diff --git a/config/policy-truststore b/config/policy-truststore
Binary files differ
new file mode 100644
index 00000000..8834ac25
--- /dev/null
+++ b/config/policy-truststore
diff --git a/packages/base/src/files/etc/ssl/ca-aaf.crt b/packages/base/src/files/etc/ssl/ca-aaf.crt
new file mode 100644
index 00000000..e9a50d7e
--- /dev/null
+++ b/packages/base/src/files/etc/ssl/ca-aaf.crt
@@ -0,0 +1,31 @@ +-----BEGIN CERTIFICATE----- +MIIFPjCCAyagAwIBAgIJAJ6u7cCnzrWdMA0GCSqGSIb3DQEBCwUAMCwxDjAMBgNV +BAsMBU9TQUFGMQ0wCwYDVQQKDARPTkFQMQswCQYDVQQGEwJVUzAeFw0xODA0MDUx +NDE1MjhaFw0zODAzMzExNDE1MjhaMCwxDjAMBgNVBAsMBU9TQUFGMQ0wCwYDVQQK +DARPTkFQMQswCQYDVQQGEwJVUzCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoC +ggIBAMA5pkgRs7NhGG4ew5JouhyYakgYUyFaG121+/h8qbSdt0hVQv56+EA41Yq7 +XGie7RYDQK9NmAFF3gruE+6X7wvJiChp+Cyd7sFMnb65uWhxEdxWTM2BJFrgfzUn +H8ZCxgaCo3XH4PzlKRy2LQQJEJECwl/RZmRCXijMt5e9h8XoZY/fKkKcZZUsWNCM +pTo266wjvA9MXLmdgReRj0+vrCjrNqy+htwJDztoiHWiYPqT6o8EvGcgjNqjlZx7 +NUNf8MfLDByqKF6+wRbHv1GKjn3/Vijd45Fv8riyRYROiFanvbV6jIfBkv8PZbXg +2VDWsYsgp8NAvMxK+iV8cO+Ck3lBI2GOPZbCEqpPVTYbLUz6sczAlCXwQoPzDIZY +wYa3eR/gYLY1gP2iEVHORag3bLPap9ZX5E8DZkzTNTjovvLk8KaCmfcaUMJsBtDd +ApcUitz10cnRyZc1sX3gE1f3DpzQM6t9C5sOVyRhDcSrKqqwb9m0Ss04XAS9FsqM +P3UWYQyqDXSxlUAYaX892u8mV1hxnt2gjb22RloXMM6TovM3sSrJS0wH+l1nznd6 +aFXftS/G4ZVIVZ/LfT1is4StoyPWZCwwwly1z8qJQ/zhip5NgZTxQw4mi7ww35DY +PdAQOCoajfSvFjqslQ/cPRi/MRCu079heVb5fQnnzVtnpFQRAgMBAAGjYzBhMB0G +A1UdDgQWBBRTVTPyS+vQUbHBeJrBKDF77+rtSTAfBgNVHSMEGDAWgBRTVTPyS+vQ +UbHBeJrBKDF77+rtSTAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBhjAN +BgkqhkiG9w0BAQsFAAOCAgEAPx/IaK94n02wPxpnYTy+LVLIxwdq/kawNd6IbiMz +L87zmNMDmHcGbfoRCj8OkhuggX9Lx1/CkhpXimuYsZOFQi5blr/u+v4mIbsgbmi9 +7j+cUHDP0zLycvSvxKHty51LwmaX9a4wkJl5zBU4O1sd/H9tWcEmwJ39ltKoBKBx +c94Zc3iMm5ytRWGj+0rKzLDAXEWpoZ5bE5PLJauA6UDCxDLfs3FwhbS7uDggxYvf +jySF5FCNET94oJ+m8s7VeHvoa8iPGKvXrIqdd7XDHnqJJlVKr7m9S0fMbyEB8ci2 +RtOXDt93ifY1uhoEtEykn4dqBSp8ezvNMnwoXdYPDvTd9uCAFeWFLVreBAWxd25h +PsBTkZA5hpa/rA+mKv6Af4VBViYr8cz4dZCsFChuioVebe9ighrfjB//qKepFjPF +CyjzKN1u0JKm/2x/ORqxkTONG8p3uDwoIOyimUcTtTMv42bfYD88RKakqSFXE9G+ +Z0LlaKABqfjK49o/tsAp+c5LoNlYllKhnetO3QAdraHwdmC36BhoghzR1jpX751A +cZn2VH3Q4XKyp01cJNCJIrua+A+bx6zh3RyW6zIIkbRCbET+UD+4mr8WIcSE3mtR +ZVlnhUDO4z9//WKMVzwS9Rh8/kuszrGFI1KQozXCHLrce3YP6RYZfOed79LXaRwX +dYY= +-----END CERTIFICATE----- 
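Review bot: A new trust anchor is committed here with nothing recording what it is, who issued it, its fingerprint or when it expires; decoding the PEM suggests a self-signed CA (issuer and subject both OU=OSAAF, O=ONAP, C=US) valid from 2018-04-05 to 2038-03-31, i.e. a twenty-year root baked into the base package. Nothing else in this commit references ca-aaf.crt, so it is not visible whether the binary policy-truststore already contains it or whether an import step is still missing. A README next to the file (or a text line above the PEM block, if the importing tool tolerates it) should state the subject, the SHA-256 fingerprint, the expiry and the rotation procedure, so the next maintainer can verify the blob instead of trusting it.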
diff --git a/packages/base/src/files/etc/ssl/policy-keystore b/packages/base/src/files/etc/ssl/policy-keystore Binary files differindex c3890965..b92217cf 100644 --- a/packages/base/src/files/etc/ssl/policy-keystore +++ b/packages/base/src/files/etc/ssl/policy-keystore diff --git a/packages/base/src/files/etc/ssl/policy-truststore b/packages/base/src/files/etc/ssl/policy-truststore Binary files differnew file mode 100644 index 00000000..8834ac25 --- /dev/null +++ b/packages/base/src/files/etc/ssl/policy-truststore diff --git a/packages/docker/src/main/docker/do-start.sh b/packages/docker/src/main/docker/do-start.sh index fa4cd6ab..0a550694 100644 --- a/packages/docker/src/main/docker/do-start.sh +++ b/packages/docker/src/main/docker/do-start.sh @@ -56,9 +56,14 @@ else . /opt/app/policy/etc/profile.d/env.sh + # override the policy keystore and truststore if present + if [[ -f config/policy-keystore ]]; then - # install policy keystore if present - cp config/policy-keystore ${POLICY_HOME}/etc/ssl + cp -f config/policy-keystore ${POLICY_HOME}/etc/ssl + fi + + if [[ -f config/policy-truststore ]]; then + cp -f config/policy-trustore ${POLICY_HOME}/etc/ssl fi if [[ -f config/drools-tweaks.sh ]] ; then diff --git a/packages/docker/src/main/docker/docker-install.sh b/packages/docker/src/main/docker/docker-install.sh index c17cba2a..98560202 100644 --- a/packages/docker/src/main/docker/docker-install.sh +++ b/packages/docker/src/main/docker/docker-install.sh @@ -154,6 +154,7 @@ function configure_component() { SED_LINE+=" -e 's!\${{POLICY_USER}}!${POLICY_USER}!g' " SED_LINE+=" -e 's!\${{POLICY_GROUP}}!${POLICY_GROUP}!g' " SED_LINE+=" -e 's!\${{KEYSTORE_PASSWD}}!${KEYSTORE_PASSWD}!g' " + SED_LINE+=" -e 's!\${{TRUSTSTORE_PASSWD}}!${TRUSTSTORE_PASSWD}!g' " SED_LINE+=" -e 's!\${{JAVA_HOME}}!${JAVA_HOME}!g' " while read line || [ -n "${line}" ]; do 
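Review bot: The truststore copy on the new `cp -f config/policy-trustore ${POLICY_HOME}/etc/ssl` line misspells the file name (`trustore` versus the `config/policy-truststore` tested two lines above), so the guard passes and the copy fails with "No such file" every time a truststore is supplied; whether that aborts the start depends on the shell options set earlier in the script, outside the hunk. Change the line to `cp -f config/policy-truststore "${POLICY_HOME}/etc/ssl"`. Quoting `${POLICY_HOME}` on both cp lines would also keep the command intact if the path ever contains whitespace. The enclosing else-branch starts before this hunk.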
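Review bot: The new `SED_LINE+=" -e 's!\${{TRUSTSTORE_PASSWD}}!${TRUSTSTORE_PASSWD}!g' "` splices the password value into a sed expression unescaped, so a value containing `!`, `'`, `&` or `\` either breaks the expression or writes a different value into the rendered templates; the existing KEYSTORE_PASSWD line above it has the same property, so this may be an accepted project-wide limitation, but it is worth stating on the assignment, e.g. `# passwords are interpolated raw into the sed script: values must not contain ! ' & or \`, or escaping the value once before it is used. The rest of configure_component is outside the hunk.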
@@ -245,11 +246,17 @@ function configure_keystore() { set -x fi - local DEFAULT_KEYSTORE_PASSWORD="Pol1cy_0nap" + local DEFAULT_TRUSTSTORE_PASSWORD='Pol1cy_0nap' + local DEFAULT_KEYSTORE_PASSWORD='Pol1cy_0nap' + + if [[ -n ${TRUSTSTORE_PASSWD} ]]; then + keytool -storepasswd -storepass "${DEFAULT_TRUSTSTORE_PASSWORD}" -keystore "${POLICY_HOME}/etc/ssl/policy-truststore" -new "${TRUSTSTORE_PASSWD}" + keytool -list -keystore "${POLICY_HOME}/etc/ssl/policy-truststore" -storepass "${TRUSTSTORE_PASSWD}" + fi if [[ -n ${KEYSTORE_PASSWD} ]]; then - keytool -storepasswd -storepass ${DEFAULT_KEYSTORE_PASSWORD} -keystore ${POLICY_HOME}/etc/ssl/policy-keystore -new ${KEYSTORE_PASSWD} - keytool -list -keystore ${POLICY_HOME}/etc/ssl/policy-keystore -storepass ${KEYSTORE_PASSWD} + keytool -storepasswd -storepass "${DEFAULT_KEYSTORE_PASSWORD}" -keystore "${POLICY_HOME}/etc/ssl/policy-keystore" -new "${KEYSTORE_PASSWD}" + keytool -list -keystore "${POLICY_HOME}/etc/ssl/policy-keystore" -storepass "${KEYSTORE_PASSWD}" fi } diff --git a/packages/install/src/files/base.conf b/packages/install/src/files/base.conf index f1a37d0f..0c440937 100644 --- a/packages/install/src/files/base.conf +++ b/packages/install/src/files/base.conf @@ -24,6 +24,8 @@ POLICY_HOME=/opt/app/policy POLICY_LOGS=/opt/app/policy/logs JAVA_HOME=/opt/jdk1.8.0_77 M2_HOME=/opt/app/policy/3rdparty/apache-maven-3.3.1 +KEYSTORE_PASSWD=Pol1cy_0nap +TRUSTSTORE_PASSWD=Pol1cy_0nap # Telemetry credentials diff --git a/policy-management/src/main/server/config/policy-engine.properties b/policy-management/src/main/server/config/policy-engine.properties index 70a5dcca..c89b95bb 100644 --- a/policy-management/src/main/server/config/policy-engine.properties +++ b/policy-management/src/main/server/config/policy-engine.properties 
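Review bot: The keytool calls added for the truststore (and the re-quoted keystore ones) put the old and the new store password on the command line, where they are readable in the process list while keytool runs and, because `set -x` is enabled just above the hunk in debug mode, are written to the log as well; keytool's `:env`/`:file` password modifiers (`-storepass:env VAR`, with the same form for `-new`) avoid both, subject to confirming the JDK in the image supports them. Separately, `-storepasswd` changes only the store password: if the private-key entry in policy-keystore carries its own entry password (JKS allows that), it stays at the shipped default while system.properties in this commit feeds `${{KEYSTORE_PASSWD}}` to `javax.net.ssl.keyStorePassword`, so the key would no longer unlock after a rotation — worth either a `keytool -keypasswd` step or a comment stating that the store type guarantees a single password. The rest of configure_keystore is outside the hunk.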
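Review bot: `KEYSTORE_PASSWD=Pol1cy_0nap` and `TRUSTSTORE_PASSWD=Pol1cy_0nap` commit the store passwords in plaintext, and they equal the DEFAULT_*_PASSWORD values in configure_keystore, so an installation that does not override base.conf protects the private key shipped in the same commit with a password that is public in this repository. At minimum the two lines should be marked, e.g. `# development defaults only: override both before any deployment that relies on this keystore`, and preferably the values should come from the deployment environment rather than from this file.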
@@ -2,7 +2,7 @@ # ============LICENSE_START======================================================= # policy-management # ================================================================================ -# Copyright (C) 2017 AT&T Intellectual Property. All rights reserved. +# Copyright (C) 2017-2018 AT&T Intellectual Property. All rights reserved. # ================================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -37,7 +37,11 @@ ueb.sink.topics.${{PDPD_CONFIGURATION_TOPIC}}.apiSecret=${{PDPD_CONFIGURATION_AP ueb.sink.topics.${{PDPD_CONFIGURATION_TOPIC}}.partitionKey=${{PDPD_CONFIGURATION_PARTITION_KEY}} ueb.sink.topics.${{PDPD_CONFIGURATION_TOPIC}}.managed=false -http.server.services=CONFIG +# temporary configuration to support an http and https server, +# to support the incremental phase out of http. + +http.server.services=CONFIG,SECURED-CONFIG + http.server.services.CONFIG.host=${{ENGINE_MANAGEMENT_HOST}} http.server.services.CONFIG.port=${{ENGINE_MANAGEMENT_PORT}} http.server.services.CONFIG.userName=${{ENGINE_MANAGEMENT_USER}} @@ -45,3 +49,12 @@ http.server.services.CONFIG.password=${{ENGINE_MANAGEMENT_PASSWORD}} http.server.services.CONFIG.restPackages=org.onap.policy.drools.server.restful http.server.services.CONFIG.managed=false http.server.services.CONFIG.swagger=true + +http.server.services.SECURED-CONFIG.host=${{ENGINE_MANAGEMENT_HOST}} +http.server.services.SECURED-CONFIG.port=9697 +http.server.services.SECURED-CONFIG.userName=${{ENGINE_MANAGEMENT_USER}} +http.server.services.SECURED-CONFIG.password=${{ENGINE_MANAGEMENT_PASSWORD}} +http.server.services.SECURED-CONFIG.restPackages=org.onap.policy.drools.server.restful +http.server.services.SECURED-CONFIG.managed=false +http.server.services.SECURED-CONFIG.swagger=true +http.server.services.SECURED-CONFIG.https=true 
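Review bot: `http.server.services.SECURED-CONFIG.port=9697` in the last hunk is hard-coded while every other host, port and credential on both listeners is an installer placeholder such as `${{ENGINE_MANAGEMENT_PORT}}`, so the https port cannot be configured the way the http one can and a collision on 9697 cannot be resolved from base.conf; a dedicated placeholder (constructed example: `${{ENGINE_MANAGEMENT_SECURED_PORT}}`), substituted in configure_component like the others, would keep the two listeners consistent. The "temporary configuration" comment added in the second hunk should also say what temporary means — which release removes the plain http CONFIG listener — e.g. `# TODO: drop the CONFIG (http) listener once all clients use SECURED-CONFIG; target <release>`.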
diff --git a/policy-management/src/main/server/config/system.properties b/policy-management/src/main/server/config/system.properties index 7f92c879..5c024e15 100644 --- a/policy-management/src/main/server/config/system.properties +++ b/policy-management/src/main/server/config/system.properties @@ -1,8 +1,8 @@ ### # ============LICENSE_START======================================================= -# policy-management +# ONAP # ================================================================================ -# Copyright (C) 2017 AT&T Intellectual Property. All rights reserved. +# Copyright (C) 2017-2018 AT&T Intellectual Property. All rights reserved. # ================================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -28,8 +28,11 @@ com.sun.management.jmxremote.ssl=false # certs -javax.net.ssl.trustStore=${{POLICY_HOME}}/etc/ssl/policy-keystore -javax.net.ssl.trustStorePassword=${{KEYSTORE_PASSWD}} +javax.net.ssl.trustStore=${{POLICY_HOME}}/etc/ssl/policy-truststore +javax.net.ssl.trustStorePassword=${{TRUSTSTORE_PASSWD}} + +javax.net.ssl.keyStore=${{POLICY_HOME}}/etc/ssl/policy-keystore +javax.net.ssl.keyStorePassword=${{KEYSTORE_PASSWD}} # standard logging |
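Review bot: `javax.net.ssl.keyStorePassword=${{KEYSTORE_PASSWD}}` and the truststore password are now JVM system properties, which every class loaded into the engine (including drools rules and their dependencies) can read through System.getProperties(), and which are also exposed via `jcmd <pid> VM.system_properties` and the runtime MBean; the `com.sun.management.jmxremote.ssl=false` line in the hunk's context makes the JMX path worth a second look. If that exposure is accepted, record it next to the new lines: `# NOTE: store passwords set here are readable by any code in the JVM and over JMX; rotate them via base.conf`. Also, a JVM-wide `javax.net.ssl.keyStore` means the default SSLContext offers this key for client authentication to any peer that asks for one, not only AAF — presumably intended, but worth confirming.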