-rw-r--r-- | docs/platform/PolicyGUI_BlacklistPolicy.png | bin | 0 -> 261249 bytes | |||
-rw-r--r-- | docs/platform/guardpolicy.rst | 4 | ||||
-rw-r--r-- | packages/base/src/files/etc/profile.d/env.sh | 4 | ||||
-rw-r--r-- | packages/base/src/files/etc/ssl/ca-aaf.crt | 31 | ||||
-rw-r--r-- | packages/base/src/files/etc/ssl/policy-keystore | bin | 114865 -> 4535 bytes | |||
-rw-r--r-- | packages/base/src/files/etc/ssl/policy-truststore | bin | 0 -> 124180 bytes | |||
-rw-r--r-- | packages/base/src/files/install/servers/brmsgw/init.d/brmsgw | 4 | ||||
-rw-r--r-- | packages/base/src/files/install/servers/common/tomcat/bin/setenv.sh | 5 | ||||
-rw-r--r-- | packages/base/src/files/install/servers/common/tomcat/conf/server.xml | 6 | ||||
-rw-r--r-- | packages/base/src/files/install/servers/configs/conf/server.xml | 10 | ||||
-rw-r--r-- | packages/base/src/files/install/servers/console/conf/server.xml | 9 | ||||
-rw-r--r-- | packages/docker/src/main/docker/do-start.sh | 7 | ||||
-rw-r--r-- | packages/docker/src/main/docker/docker-install.sh | 11 | ||||
-rw-r--r-- | packages/install/src/files/base.conf | 3 |
14 files changed, 79 insertions, 15 deletions
diff --git a/docs/platform/PolicyGUI_BlacklistPolicy.png b/docs/platform/PolicyGUI_BlacklistPolicy.png
Binary files differ
new file mode 100644
index 000000000..569e189a5
--- /dev/null
+++ b/docs/platform/PolicyGUI_BlacklistPolicy.png
diff --git a/docs/platform/guardpolicy.rst b/docs/platform/guardpolicy.rst
index 9dabb3040..6c72ce6d4 100644
--- a/docs/platform/guardpolicy.rst
+++ b/docs/platform/guardpolicy.rst
@@ -29,6 +29,10 @@ The GUARD policy can be created from the POLICY GUI as shown below.
 .. image:: PolicyGUI_GuardPolicy.png
+In a Blacklist policy, the blacklist entries can be entered either manually or imported from an excel sheet. This import option can also be used to delete existing blacklist entries and to add new entries.
+
+.. image:: PolicyGUI_BlacklistPolicy.png
+
 API Method
 ----------
diff --git a/packages/base/src/files/etc/profile.d/env.sh b/packages/base/src/files/etc/profile.d/env.sh
index 2484bbc42..90533bf89 100644
--- a/packages/base/src/files/etc/profile.d/env.sh
+++ b/packages/base/src/files/etc/profile.d/env.sh
@@ -1,8 +1,9 @@
+#!/usr/bin/env bash
 ###
 # ============LICENSE_START=======================================================
 # ONAP Policy Engine
 # ================================================================================
-# Copyright (C) 2017 AT&T Intellectual Property. All rights reserved.
+# Copyright (C) 2017-2018 AT&T Intellectual Property. All rights reserved.
 # ================================================================================
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -23,6 +24,7 @@ export POLICY_USER=${{POLICY_USER}}
 export POLICY_GROUP=${{POLICY_GROUP}}
 export POLICY_LOGS=${{POLICY_LOGS}}
 export KEYSTORE_PASSWD=${{KEYSTORE_PASSWD}}
+export TRUSTSTORE_PASSWD=${{TRUSTSTORE_PASSWD}}
 export JAVA_HOME=${{JAVA_HOME}}
 export PATH=${PATH}:${{POLICY_HOME}}/bin
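Review bot: The `#!/usr/bin/env bash` added at the top of env.sh has no effect, because the file is sourced (`. /opt/app/policy/etc/profile.d/env.sh` in do-start.sh later in this commit) rather than executed, and a shebang on a profile.d fragment suggests to the next reader that it is a runnable script. If it is there to tell editors and ShellCheck which dialect to lint, say so on the line below it: `# sourced by do-start.sh and the init scripts, never executed; shebang only hints the dialect to tooling`. The same shebang is added to setenv.sh in a later hunk, which Tomcat's catalina.sh likewise sources, so the same comment applies there.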
diff --git a/packages/base/src/files/etc/ssl/ca-aaf.crt b/packages/base/src/files/etc/ssl/ca-aaf.crt
new file mode 100644
index 000000000..e9a50d7ea
--- /dev/null
+++ b/packages/base/src/files/etc/ssl/ca-aaf.crt
@@ -0,0 +1,31 @@
+-----BEGIN CERTIFICATE-----
+MIIFPjCCAyagAwIBAgIJAJ6u7cCnzrWdMA0GCSqGSIb3DQEBCwUAMCwxDjAMBgNV
+BAsMBU9TQUFGMQ0wCwYDVQQKDARPTkFQMQswCQYDVQQGEwJVUzAeFw0xODA0MDUx
+NDE1MjhaFw0zODAzMzExNDE1MjhaMCwxDjAMBgNVBAsMBU9TQUFGMQ0wCwYDVQQK
+DARPTkFQMQswCQYDVQQGEwJVUzCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoC
+ggIBAMA5pkgRs7NhGG4ew5JouhyYakgYUyFaG121+/h8qbSdt0hVQv56+EA41Yq7
+XGie7RYDQK9NmAFF3gruE+6X7wvJiChp+Cyd7sFMnb65uWhxEdxWTM2BJFrgfzUn
+H8ZCxgaCo3XH4PzlKRy2LQQJEJECwl/RZmRCXijMt5e9h8XoZY/fKkKcZZUsWNCM
+pTo266wjvA9MXLmdgReRj0+vrCjrNqy+htwJDztoiHWiYPqT6o8EvGcgjNqjlZx7
+NUNf8MfLDByqKF6+wRbHv1GKjn3/Vijd45Fv8riyRYROiFanvbV6jIfBkv8PZbXg
+2VDWsYsgp8NAvMxK+iV8cO+Ck3lBI2GOPZbCEqpPVTYbLUz6sczAlCXwQoPzDIZY
+wYa3eR/gYLY1gP2iEVHORag3bLPap9ZX5E8DZkzTNTjovvLk8KaCmfcaUMJsBtDd
+ApcUitz10cnRyZc1sX3gE1f3DpzQM6t9C5sOVyRhDcSrKqqwb9m0Ss04XAS9FsqM
+P3UWYQyqDXSxlUAYaX892u8mV1hxnt2gjb22RloXMM6TovM3sSrJS0wH+l1nznd6
+aFXftS/G4ZVIVZ/LfT1is4StoyPWZCwwwly1z8qJQ/zhip5NgZTxQw4mi7ww35DY
+PdAQOCoajfSvFjqslQ/cPRi/MRCu079heVb5fQnnzVtnpFQRAgMBAAGjYzBhMB0G
+A1UdDgQWBBRTVTPyS+vQUbHBeJrBKDF77+rtSTAfBgNVHSMEGDAWgBRTVTPyS+vQ
+UbHBeJrBKDF77+rtSTAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBhjAN
+BgkqhkiG9w0BAQsFAAOCAgEAPx/IaK94n02wPxpnYTy+LVLIxwdq/kawNd6IbiMz
+L87zmNMDmHcGbfoRCj8OkhuggX9Lx1/CkhpXimuYsZOFQi5blr/u+v4mIbsgbmi9
+7j+cUHDP0zLycvSvxKHty51LwmaX9a4wkJl5zBU4O1sd/H9tWcEmwJ39ltKoBKBx
+c94Zc3iMm5ytRWGj+0rKzLDAXEWpoZ5bE5PLJauA6UDCxDLfs3FwhbS7uDggxYvf
+jySF5FCNET94oJ+m8s7VeHvoa8iPGKvXrIqdd7XDHnqJJlVKr7m9S0fMbyEB8ci2
+RtOXDt93ifY1uhoEtEykn4dqBSp8ezvNMnwoXdYPDvTd9uCAFeWFLVreBAWxd25h
+PsBTkZA5hpa/rA+mKv6Af4VBViYr8cz4dZCsFChuioVebe9ighrfjB//qKepFjPF
+CyjzKN1u0JKm/2x/ORqxkTONG8p3uDwoIOyimUcTtTMv42bfYD88RKakqSFXE9G+
+Z0LlaKABqfjK49o/tsAp+c5LoNlYllKhnetO3QAdraHwdmC36BhoghzR1jpX751A
+cZn2VH3Q4XKyp01cJNCJIrua+A+bx6zh3RyW6zIIkbRCbET+UD+4mr8WIcSE3mtR
+ZVlnhUDO4z9//WKMVzwS9Rh8/kuszrGFI1KQozXCHLrce3YP6RYZfOed79LXaRwX
+dYY=
+-----END CERTIFICATE-----
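Review bot: The new trust anchor lands with no record of what it is, who operates it, or how long it will be trusted; decoding the visible DER fields, this reads as a self-signed root (subject and issuer both OU=OSAAF, O=ONAP, C=US, basicConstraints CA:TRUE) valid from 2018-04-05 to 2038-03-31, with no CRL distribution point among the extensions — please confirm with `openssl x509 -in ca-aaf.crt -noout -text -fingerprint -sha256` before relying on my reading. A twenty-year root that every component will trust is a long-lived decision, so the commit record (or a README beside the file, since PEM carries no comment) should state its SHA-256 fingerprint, its expiry, and which peers it is meant to validate (the filename suggests AAF). It should also say that the binary policy-truststore added in the next section contains exactly this certificate and nothing else, because reviewers cannot diff a JKS and a truststore that quietly carries additional anchors would not be noticed.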
diff --git a/packages/base/src/files/etc/ssl/policy-keystore b/packages/base/src/files/etc/ssl/policy-keystore
Binary files differ
index c3890965b..b92217cf6 100644
--- a/packages/base/src/files/etc/ssl/policy-keystore
+++ b/packages/base/src/files/etc/ssl/policy-keystore
diff --git a/packages/base/src/files/etc/ssl/policy-truststore b/packages/base/src/files/etc/ssl/policy-truststore
Binary files differ
new file mode 100644
index 000000000..8834ac257
--- /dev/null
+++ b/packages/base/src/files/etc/ssl/policy-truststore
diff --git a/packages/base/src/files/install/servers/brmsgw/init.d/brmsgw b/packages/base/src/files/install/servers/brmsgw/init.d/brmsgw
index c951b12a4..837b7b96e 100644
--- a/packages/base/src/files/install/servers/brmsgw/init.d/brmsgw
+++ b/packages/base/src/files/install/servers/brmsgw/init.d/brmsgw
@@ -42,8 +42,8 @@ function um_start() {
 JVM_JAVA_OPTS=("-Xms${COMPONENT_X_MS_MB}M" "-Xmx${COMPONENT_X_MX_MB}M")
 JVM_SECURITY+=("-Djavax.net.ssl.keyStore=${POLICY_HOME}/etc/ssl/policy-keystore")
 JVM_SECURITY+=("-Djavax.net.ssl.keyStorePassword=${KEYSTORE_PASSWD}")
- JVM_SECURITY+=("-Djavax.net.ssl.trustStore=${POLICY_HOME}/etc/ssl/policy-keystore")
- JVM_SECURITY+=("-Djavax.net.ssl.trustStorePassword=${KEYSTORE_PASSWD}")
+ JVM_SECURITY+=("-Djavax.net.ssl.trustStore=${POLICY_HOME}/etc/ssl/policy-truststore")
+ JVM_SECURITY+=("-Djavax.net.ssl.trustStorePassword=${TRUSTSTORE_PASSWD}")
 CMD_JAVA_OPTS+=("-DPOLICY_LOGS=${POLICY_LOGS}")
 JAVA_OPTS=("${JVM_JAVA_OPTS[@]}" "${JMX_JAVA_OPTS[@]}" "${JVM_SECURITY[@]}" "${CMD_JAVA_OPTS[@]}")
diff --git a/packages/base/src/files/install/servers/common/tomcat/bin/setenv.sh b/packages/base/src/files/install/servers/common/tomcat/bin/setenv.sh
index dc9bfbc36..d86f737f2 100644
--- a/packages/base/src/files/install/servers/common/tomcat/bin/setenv.sh
+++ b/packages/base/src/files/install/servers/common/tomcat/bin/setenv.sh
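Review bot: The new `-Djavax.net.ssl.trustStorePassword=${TRUSTSTORE_PASSWD}` line puts a second secret on the JVM command line, where any local account can read it from the process list; the same applies to the matching line in setenv.sh in the next section. This mirrors what the existing keyStorePassword line already does, so it is not a regression, but a commit that introduces a new secret is the moment to stop the pattern rather than extend it: either move both store passwords into a properties file the JVM reads, or, if I recall JSSE behaviour correctly, simply omit trustStorePassword, since a truststore holding only public certificates loads without a password (only the integrity check is skipped). Note also that on a host whose base.conf predates this commit TRUSTSTORE_PASSWD is unset and the option silently becomes `-Djavax.net.ssl.trustStorePassword=`, so a `: "${TRUSTSTORE_PASSWD:?not set in env.sh}"` guard before this line would turn that into a clear startup error. um_start continues outside the hunk.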
@@ -1,3 +1,4 @@
+#!/usr/bin/env bash
 ###
 # ============LICENSE_START=======================================================
 # ONAP Policy Engine
@@ -24,8 +25,8 @@ CATALINA_OPTS="${CATALINA_OPTS} -Dcom.sun.management.jmxremote.ssl=false"
 CATALINA_OPTS="${CATALINA_OPTS} -Dcom.sun.management.jmxremote.authenticate=false"
 CATALINA_OPTS="${CATALINA_OPTS} -Djavax.net.ssl.keyStore=${POLICY_HOME}/etc/ssl/policy-keystore"
 CATALINA_OPTS="${CATALINA_OPTS} -Djavax.net.ssl.keyStorePassword=${KEYSTORE_PASSWD}"
-CATALINA_OPTS="${CATALINA_OPTS} -Djavax.net.ssl.trustStore=${POLICY_HOME}/etc/ssl/policy-keystore"
-CATALINA_OPTS="${CATALINA_OPTS} -Djavax.net.ssl.trustStorePassword=${KEYSTORE_PASSWD}"
+CATALINA_OPTS="${CATALINA_OPTS} -Djavax.net.ssl.trustStore=${POLICY_HOME}/etc/ssl/policy-truststore"
+CATALINA_OPTS="${CATALINA_OPTS} -Djavax.net.ssl.trustStorePassword=${TRUSTSTORE_PASSWD}"
 CATALINA_OPTS="${CATALINA_OPTS} -DPOLICY_LOGS=${POLICY_LOGS}"
 CATALINA_OPTS="${CATALINA_OPTS} -Xms${{TOMCAT_X_MS_MB}}M"
 CATALINA_OPTS="${CATALINA_OPTS} -Xmx${{TOMCAT_X_MX_MB}}M"
diff --git a/packages/base/src/files/install/servers/common/tomcat/conf/server.xml b/packages/base/src/files/install/servers/common/tomcat/conf/server.xml
index a78dfc82e..02c548c80 100644
--- a/packages/base/src/files/install/servers/common/tomcat/conf/server.xml
+++ b/packages/base/src/files/install/servers/common/tomcat/conf/server.xml
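Review bot: `CATALINA_OPTS` is a single whitespace-separated string that catalina.sh later expands unquoted, so the new `-Djavax.net.ssl.trustStorePassword=${TRUSTSTORE_PASSWD}` entry breaks into extra JVM arguments if the password contains a space, and nothing upstream constrains the value; brmsgw in the previous section avoids this by using an array. Either document the constraint where the value is set (`# must not contain whitespace: it is spliced into CATALINA_OPTS unquoted`) or validate it here with `[[ ${TRUSTSTORE_PASSWD} != *[[:space:]]* ]] || { echo "TRUSTSTORE_PASSWD must not contain whitespace" >&2; exit 1; }`. Unrelated to this change but visible in the context lines, `jmxremote.ssl=false` together with `jmxremote.authenticate=false` configures an unauthenticated, unencrypted JMX endpoint; whether it is bound to a reachable port is decided outside this hunk, but it deserves its own follow-up.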
@@ -104,10 +104,14 @@ documentation --> <!-- Use http instead of https + Setting the keystore and truststore in the connector, overrides the javax.net.ssl system properties + passed in to the tomcat JVM: + <Connector port="${{SSL_HTTP_CONNECTOR_PORT}}" protocol="org.apache.coyote.http11.Http11NioProtocol" maxThreads="150" SSLEnabled="true" scheme="https" secure="true" clientAuth="false" sslEnabledProtocols="TLSv1, TLSv1.1, TLSv1.2" - keystoreFile="${{POLICY_HOME}}/etc/ssl/policy-keystore" keystorePass="${{KEYSTORE_PASSWD}}"/> + keystoreFile="${{POLICY_HOME}}/etc/ssl/policy-keystore" keystorePass="${{KEYSTORE_PASSWD}}" + truststoreFile="${{POLICY_HOME}}/etc/ssl/policy-truststore" truststorePass="${{TRUSTSTORE_PASSWD}}"/> --> <Connector port="${{SSL_HTTP_CONNECTOR_PORT}}" protocol="org.apache.coyote.http11.Http11NioProtocol" maxThreads="150" />
diff --git a/packages/base/src/files/install/servers/configs/conf/server.xml b/packages/base/src/files/install/servers/configs/conf/server.xml
index ecbeb6e4d..3bccc6ffb 100644
--- a/packages/base/src/files/install/servers/configs/conf/server.xml
+++ b/packages/base/src/files/install/servers/configs/conf/server.xml
@@ -104,12 +104,16 @@ OpenSSL style configuration is required as described in the APR/native documentation --> - <!-- + <!-- + Setting the keystore and truststore in the connector, overrides the javax.net.ssl system properties + passed in to the tomcat JVM: + <Connector port="${{SSL_HTTP_CONNECTOR_PORT}}" protocol="org.apache.coyote.http11.Http11NioProtocol" maxThreads="150" SSLEnabled="true" scheme="https" secure="true" clientAuth="false" sslProtocol="TLS" - keystoreFile="${{POLICY_HOME}}/etc/ssl/policy-keystore" keystorePass="${{KEYSTORE_PASSWD}}"/> - --> + keystoreFile="${{POLICY_HOME}}/etc/ssl/policy-keystore" keystorePass="${{KEYSTORE_PASSWD}}" + truststoreFile="${{POLICY_HOME}}/etc/ssl/policy-truststore" truststorePass="${{TRUSTSTORE_PASSWD}}"/> + --> <!-- Define an AJP 1.3 Connector on port 8009 -->
diff --git a/packages/base/src/files/install/servers/console/conf/server.xml b/packages/base/src/files/install/servers/console/conf/server.xml
index 618a6a99a..5e6226742 100644
--- a/packages/base/src/files/install/servers/console/conf/server.xml
+++ b/packages/base/src/files/install/servers/console/conf/server.xml
@@ -106,11 +106,16 @@ documentation --> - <!-- ONAP portal currently using http instead of https + <!-- ONAP portal currently using http instead of https + + Setting the keystore and truststore in the connector, overrides the javax.net.ssl system properties + passed in to the tomcat JVM: + <Connector port="${{SSL_HTTP_CONNECTOR_PORT}}" protocol="org.apache.coyote.http11.Http11NioProtocol" maxThreads="150" SSLEnabled="true" scheme="https" secure="true" clientAuth="false" sslEnabledProtocols="TLSv1, TLSv1.1, TLSv1.2" - keystoreFile="${{POLICY_HOME}}/etc/ssl/policy-keystore" keystorePass="${{KEYSTORE_PASSWD}}"/> + keystoreFile="${{POLICY_HOME}}/etc/ssl/policy-keystore" keystorePass="${{KEYSTORE_PASSWD}}" + truststoreFile="${{POLICY_HOME}}/etc/ssl/policy-truststore" truststorePass="${{TRUSTSTORE_PASSWD}}"/> --> <Connector port="${{SSL_HTTP_CONNECTOR_PORT}}" protocol="org.apache.coyote.http11.Http11NioProtocol" maxThreads="150" />
diff --git a/packages/docker/src/main/docker/do-start.sh b/packages/docker/src/main/docker/do-start.sh
index 0179fad70..c655ce90a 100644
--- a/packages/docker/src/main/docker/do-start.sh
+++ b/packages/docker/src/main/docker/do-start.sh
@@ -64,11 +64,16 @@ else
 . /opt/app/policy/etc/profile.d/env.sh
+ # override the policy keystore and truststore if present
+
 if [[ -f config/policy-keystore ]]; then
- # install policy keystore
 cp config/policy-keystore $POLICY_HOME/etc/ssl
 fi
+ if [[ -f config/policy-truststore ]]; then
+ cp -f config/policy-trustore ${POLICY_HOME}/etc/ssl
+ fi
+
 if [[ -f config/$container-tweaks.sh ]] ; then
 # file may not be executable; running it as an
 # argument to bash avoids needing execute perms.
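Review bot: The truststore override in do-start.sh can never succeed: the guard tests `config/policy-truststore` but the copy reads `config/policy-trustore` (missing "s"), so `cp -f` fails with "no such file", the container keeps the truststore baked into the image, and, depending on whether the surrounding script runs under `set -e` (not visible here), startup either continues with the wrong trust anchors or aborts. Change the line to `cp -f -- config/policy-truststore "${POLICY_HOME}/etc/ssl"` and, since the keystore copy two lines above is touched by this hunk, quote `$POLICY_HOME` there as well. A deployment-supplied truststore is a security control, so a failed override should be loud: `|| { echo "failed to install policy-truststore" >&2; exit 1; }` on the copy. The enclosing `else` branch begins before this hunk.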
diff --git a/packages/docker/src/main/docker/docker-install.sh b/packages/docker/src/main/docker/docker-install.sh
index 09cba6e96..7176abf20 100644
--- a/packages/docker/src/main/docker/docker-install.sh
+++ b/packages/docker/src/main/docker/docker-install.sh
@@ -169,6 +169,7 @@ function configure_component() {
 SED_LINE+=" -e 's!\${{POLICY_USER}}!${POLICY_USER}!g' "
 SED_LINE+=" -e 's!\${{POLICY_GROUP}}!${POLICY_GROUP}!g' "
 SED_LINE+=" -e 's!\${{KEYSTORE_PASSWD}}!${KEYSTORE_PASSWD}!g' "
+ SED_LINE+=" -e 's!\${{TRUSTSTORE_PASSWD}}!${TRUSTSTORE_PASSWD}!g' "
 SED_LINE+=" -e 's!\${{JAVA_HOME}}!${JAVA_HOME}!g' "
 SED_LINE+=" -e 's!\${{COMPONENT_TYPE}}!${COMPONENT_TYPE}!g' "
 SED_LINE+=" -e 's!\${{POLICY_LOGS}}!${POLICY_LOGS}!g' "
@@ -405,10 +406,16 @@ function configure_keystore() {
 fi
 local DEFAULT_KEYSTORE_PASSWORD="Pol1cy_0nap"
+ local DEFAULT_KEYSTORE_PASSWORD='Pol1cy_0nap'
+
+ if [[ -n ${TRUSTSTORE_PASSWD} ]]; then
+ keytool -storepasswd -storepass "${DEFAULT_TRUSTSTORE_PASSWORD}" -keystore "${POLICY_HOME}/etc/ssl/policy-truststore" -new "${TRUSTSTORE_PASSWD}"
+ keytool -list -keystore "${POLICY_HOME}/etc/ssl/policy-truststore" -storepass "${TRUSTSTORE_PASSWD}"
+ fi
 if [[ -n ${KEYSTORE_PASSWD} ]]; then
- keytool -storepasswd -storepass ${DEFAULT_KEYSTORE_PASSWORD} -keystore ${POLICY_HOME}/etc/ssl/policy-keystore -new ${KEYSTORE_PASSWD}
- keytool -list -keystore ${POLICY_HOME}/etc/ssl/policy-keystore -storepass ${KEYSTORE_PASSWD}
+ keytool -storepasswd -storepass "${DEFAULT_KEYSTORE_PASSWORD}" -keystore "${POLICY_HOME}/etc/ssl/policy-keystore" -new "${KEYSTORE_PASSWD}"
+ keytool -list -keystore "${POLICY_HOME}/etc/ssl/policy-keystore" -storepass "${KEYSTORE_PASSWD}"
 fi
 }
diff --git a/packages/install/src/files/base.conf b/packages/install/src/files/base.conf
index 25a2a355d..dbf5da79c 100644
--- a/packages/install/src/files/base.conf
+++ b/packages/install/src/files/base.conf
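Review bot: The new `SED_LINE+=` entry in configure_component splices `${TRUSTSTORE_PASSWD}` verbatim into a sed substitution that uses `!` as its delimiter inside single quotes, so a password containing `!`, `&`, `\` or `'` corrupts the expression, and with `'` the rest of the value is read as further sed commands when SED_LINE is eventually run (its consumer is outside this hunk, so I cannot see whether it goes through `eval`). This is the existing pattern for KEYSTORE_PASSWD, but a second secret fed into it is the moment to validate both, e.g. `[[ ${TRUSTSTORE_PASSWD} =~ ^[[:alnum:]_-]*$ ]] || { echo "TRUSTSTORE_PASSWD contains characters unsafe for sed substitution" >&2; exit 1; }` before the SED_LINE block, with a comment on the block: `# values are embedded in a sed script: must not contain ! & \ or '`. configure_component starts before and ends after this hunk.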
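Review bot: `${DEFAULT_TRUSTSTORE_PASSWORD}` on the new `keytool -storepasswd` line in configure_keystore is never assigned: the added declaration above it is `local DEFAULT_KEYSTORE_PASSWORD='Pol1cy_0nap'`, a duplicate of the context line with different quoting, so the truststore rotation runs with an empty `-storepass`, keytool fails, and because neither keytool call checks its exit status the installer finishes with the truststore still on its shipped password while every component has been configured to open it with TRUSTSTORE_PASSWD. Change the added line to `local DEFAULT_TRUSTSTORE_PASSWORD='Pol1cy_0nap'` and make both rotations fatal, e.g. `keytool -storepasswd ... || { echo "truststore password change failed" >&2; exit 1; }`, so a store left on a public default cannot be shipped silently. The `-storepass`/`-new` arguments also expose both old and new passwords in the process list for the duration of each call; keytool's `:env` and `:file` password modifiers avoid that. configure_keystore starts before this hunk.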
@@ -21,7 +21,8 @@ JAVA_HOME=/usr/lib/jvm/java-8-oracle
 POLICY_HOME=/opt/app/policy
 POLICY_LOGS=/opt/app/policy/logs
-KEYSTORE_PASSWD=PolicyR0ck$
+KEYSTORE_PASSWD=Pol1cy_0nap
+TRUSTSTORE_PASSWD=Pol1cy_0nap
 JDBC_DRIVER=org.mariadb.jdbc.Driver
 JDBC_URL=jdbc:mariadb://localhost:3306/onap_sdk |
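Review bot: Both `KEYSTORE_PASSWD` and the new `TRUSTSTORE_PASSWD` default to `Pol1cy_0nap`, which is also the hard-coded `DEFAULT_KEYSTORE_PASSWORD` in docker-install.sh's configure_keystore and, being checked in, is public; configure_keystore only rotates a store when the variable is non-empty, and with these defaults present it rotates from the shipped value to the same value, so a deployment that ships base.conf untouched runs both stores on a known password. The file should say so where the values are set: `# shipped default, identical to the password the stores are built with; override both per deployment (the installer rotates to whatever is set here)`. Keeping the same literal in two places (here and in docker-install.sh) is also a drift risk the next time either is changed — consider having the installer read the shipped default from one location. The change from `PolicyR0ck$` is otherwise consistent with the regenerated policy-keystore in the diffstat, assuming that store was rebuilt with the new value.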