-rw-r--r--docs/platform/PolicyGUI_BlacklistPolicy.pngbin0 -> 261249 bytes
-rw-r--r--docs/platform/guardpolicy.rst4
-rw-r--r--packages/base/src/files/etc/profile.d/env.sh4
-rw-r--r--packages/base/src/files/etc/ssl/ca-aaf.crt31
-rw-r--r--packages/base/src/files/etc/ssl/policy-keystorebin114865 -> 4535 bytes
-rw-r--r--packages/base/src/files/etc/ssl/policy-truststorebin0 -> 124180 bytes
-rw-r--r--packages/base/src/files/install/servers/brmsgw/init.d/brmsgw4
-rw-r--r--packages/base/src/files/install/servers/common/tomcat/bin/setenv.sh5
-rw-r--r--packages/base/src/files/install/servers/common/tomcat/conf/server.xml6
-rw-r--r--packages/base/src/files/install/servers/configs/conf/server.xml10
-rw-r--r--packages/base/src/files/install/servers/console/conf/server.xml9
-rw-r--r--packages/docker/src/main/docker/do-start.sh7
-rw-r--r--packages/docker/src/main/docker/docker-install.sh11
-rw-r--r--packages/install/src/files/base.conf3
14 files changed, 79 insertions, 15 deletions
diff --git a/docs/platform/PolicyGUI_BlacklistPolicy.png b/docs/platform/PolicyGUI_BlacklistPolicy.png
new file mode 100644
index 000000000..569e189a5
--- /dev/null
+++ b/docs/platform/PolicyGUI_BlacklistPolicy.png
Binary files differ
diff --git a/docs/platform/guardpolicy.rst b/docs/platform/guardpolicy.rst
index 9dabb3040..6c72ce6d4 100644
--- a/docs/platform/guardpolicy.rst
+++ b/docs/platform/guardpolicy.rst
@@ -29,6 +29,10 @@ The GUARD policy can be created from the POLICY GUI as shown below.
.. image:: PolicyGUI_GuardPolicy.png
+In a Blacklist policy, the blacklist entries can be entered either manually or imported from an excel sheet. This import option can also be used to delete existing blacklist entries and to add new entries.
+
+.. image:: PolicyGUI_BlacklistPolicy.png
+
API Method
----------
diff --git a/packages/base/src/files/etc/profile.d/env.sh b/packages/base/src/files/etc/profile.d/env.sh
index 2484bbc42..90533bf89 100644
--- a/packages/base/src/files/etc/profile.d/env.sh
+++ b/packages/base/src/files/etc/profile.d/env.sh
@@ -1,8 +1,9 @@
+#!/usr/bin/env bash
###
# ============LICENSE_START=======================================================
# ONAP Policy Engine
# ================================================================================
-# Copyright (C) 2017 AT&T Intellectual Property. All rights reserved.
+# Copyright (C) 2017-2018 AT&T Intellectual Property. All rights reserved.
# ================================================================================
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
@@ -23,6 +24,7 @@ export POLICY_USER=${{POLICY_USER}}
export POLICY_GROUP=${{POLICY_GROUP}}
export POLICY_LOGS=${{POLICY_LOGS}}
export KEYSTORE_PASSWD=${{KEYSTORE_PASSWD}}
+export TRUSTSTORE_PASSWD=${{TRUSTSTORE_PASSWD}}
export JAVA_HOME=${{JAVA_HOME}}
export PATH=${PATH}:${{POLICY_HOME}}/bin
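Review bot: The new `export TRUSTSTORE_PASSWD=${{TRUSTSTORE_PASSWD}}` follows the existing KEYSTORE_PASSWD line, so once docker-install.sh renders the `${{...}}` placeholders this profile.d file holds both store passwords in clear text and exports them into the environment of every shell and process that sources it. The file's permissions are not visible in this hunk; if it ends up world-readable, the mode should be tightened or at least the expectation recorded, e.g. `# rendered with store passwords at install time - keep this file readable by the policy user only`.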
diff --git a/packages/base/src/files/etc/ssl/ca-aaf.crt b/packages/base/src/files/etc/ssl/ca-aaf.crt
new file mode 100644
index 000000000..e9a50d7ea
--- /dev/null
+++ b/packages/base/src/files/etc/ssl/ca-aaf.crt
@@ -0,0 +1,31 @@
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
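Review bot: A CA certificate is added to the package without any record in the commit of which CA it is, its validity window or its fingerprint, so a reviewer cannot confirm that the policy-truststore binary added alongside it contains this certificate and nothing else. Please record the subject/issuer, notBefore/notAfter and a SHA-256 fingerprint (as printed by `keytool -printcert -file ca-aaf.crt` or `openssl x509 -noout -fingerprint -sha256`) in the commit message or a README next to the file, and state whether the truststore is meant to hold only this CA. The PEM body is not visible in this view, so it could not be checked here.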
diff --git a/packages/base/src/files/etc/ssl/policy-keystore b/packages/base/src/files/etc/ssl/policy-keystore
index c3890965b..b92217cf6 100644
--- a/packages/base/src/files/etc/ssl/policy-keystore
+++ b/packages/base/src/files/etc/ssl/policy-keystore
Binary files differ
diff --git a/packages/base/src/files/etc/ssl/policy-truststore b/packages/base/src/files/etc/ssl/policy-truststore
new file mode 100644
index 000000000..8834ac257
--- /dev/null
+++ b/packages/base/src/files/etc/ssl/policy-truststore
Binary files differ
diff --git a/packages/base/src/files/install/servers/brmsgw/init.d/brmsgw b/packages/base/src/files/install/servers/brmsgw/init.d/brmsgw
index c951b12a4..837b7b96e 100644
--- a/packages/base/src/files/install/servers/brmsgw/init.d/brmsgw
+++ b/packages/base/src/files/install/servers/brmsgw/init.d/brmsgw
@@ -42,8 +42,8 @@ function um_start() {
JVM_JAVA_OPTS=("-Xms${COMPONENT_X_MS_MB}M" "-Xmx${COMPONENT_X_MX_MB}M")
JVM_SECURITY+=("-Djavax.net.ssl.keyStore=${POLICY_HOME}/etc/ssl/policy-keystore")
JVM_SECURITY+=("-Djavax.net.ssl.keyStorePassword=${KEYSTORE_PASSWD}")
- JVM_SECURITY+=("-Djavax.net.ssl.trustStore=${POLICY_HOME}/etc/ssl/policy-keystore")
- JVM_SECURITY+=("-Djavax.net.ssl.trustStorePassword=${KEYSTORE_PASSWD}")
+ JVM_SECURITY+=("-Djavax.net.ssl.trustStore=${POLICY_HOME}/etc/ssl/policy-truststore")
+ JVM_SECURITY+=("-Djavax.net.ssl.trustStorePassword=${TRUSTSTORE_PASSWD}")
CMD_JAVA_OPTS+=("-DPOLICY_LOGS=${POLICY_LOGS}")
JAVA_OPTS=("${JVM_JAVA_OPTS[@]}" "${JMX_JAVA_OPTS[@]}" "${JVM_SECURITY[@]}" "${CMD_JAVA_OPTS[@]}")
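Review bot: The switch to `policy-truststore` keyed by `TRUSTSTORE_PASSWD` has no guard for the variable being unset or empty, so an environment rendered from an older env.sh (before this commit added the export) silently passes `-Djavax.net.ssl.trustStorePassword=`; as far as I know the JDK then still loads a JKS truststore but skips its integrity check, so a modified truststore would not be detected at startup. A fail-fast check before these lines, e.g. `: "${TRUSTSTORE_PASSWD:?TRUSTSTORE_PASSWD must be set}"`, makes the misconfiguration visible instead of silent. The same applies to the parallel lines in tomcat/bin/setenv.sh. um_start() begins before this hunk.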
diff --git a/packages/base/src/files/install/servers/common/tomcat/bin/setenv.sh b/packages/base/src/files/install/servers/common/tomcat/bin/setenv.sh
index dc9bfbc36..d86f737f2 100644
--- a/packages/base/src/files/install/servers/common/tomcat/bin/setenv.sh
+++ b/packages/base/src/files/install/servers/common/tomcat/bin/setenv.sh
@@ -1,3 +1,4 @@
+#!/usr/bin/env bash
###
# ============LICENSE_START=======================================================
# ONAP Policy Engine
@@ -24,8 +25,8 @@ CATALINA_OPTS="${CATALINA_OPTS} -Dcom.sun.management.jmxremote.ssl=false"
CATALINA_OPTS="${CATALINA_OPTS} -Dcom.sun.management.jmxremote.authenticate=false"
CATALINA_OPTS="${CATALINA_OPTS} -Djavax.net.ssl.keyStore=${POLICY_HOME}/etc/ssl/policy-keystore"
CATALINA_OPTS="${CATALINA_OPTS} -Djavax.net.ssl.keyStorePassword=${KEYSTORE_PASSWD}"
-CATALINA_OPTS="${CATALINA_OPTS} -Djavax.net.ssl.trustStore=${POLICY_HOME}/etc/ssl/policy-keystore"
-CATALINA_OPTS="${CATALINA_OPTS} -Djavax.net.ssl.trustStorePassword=${KEYSTORE_PASSWD}"
+CATALINA_OPTS="${CATALINA_OPTS} -Djavax.net.ssl.trustStore=${POLICY_HOME}/etc/ssl/policy-truststore"
+CATALINA_OPTS="${CATALINA_OPTS} -Djavax.net.ssl.trustStorePassword=${TRUSTSTORE_PASSWD}"
CATALINA_OPTS="${CATALINA_OPTS} -DPOLICY_LOGS=${POLICY_LOGS}"
CATALINA_OPTS="${CATALINA_OPTS} -Xms${{TOMCAT_X_MS_MB}}M"
CATALINA_OPTS="${CATALINA_OPTS} -Xmx${{TOMCAT_X_MX_MB}}M"
diff --git a/packages/base/src/files/install/servers/common/tomcat/conf/server.xml b/packages/base/src/files/install/servers/common/tomcat/conf/server.xml
index a78dfc82e..02c548c80 100644
--- a/packages/base/src/files/install/servers/common/tomcat/conf/server.xml
+++ b/packages/base/src/files/install/servers/common/tomcat/conf/server.xml
@@ -104,10 +104,14 @@
documentation -->
<!-- Use http instead of https
+ Setting the keystore and truststore in the connector, overrides the javax.net.ssl system properties
+ passed in to the tomcat JVM:
+
<Connector port="${{SSL_HTTP_CONNECTOR_PORT}}" protocol="org.apache.coyote.http11.Http11NioProtocol"
maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
clientAuth="false" sslEnabledProtocols="TLSv1, TLSv1.1, TLSv1.2"
- keystoreFile="${{POLICY_HOME}}/etc/ssl/policy-keystore" keystorePass="${{KEYSTORE_PASSWD}}"/>
+ keystoreFile="${{POLICY_HOME}}/etc/ssl/policy-keystore" keystorePass="${{KEYSTORE_PASSWD}}"
+ truststoreFile="${{POLICY_HOME}}/etc/ssl/policy-truststore" truststorePass="${{TRUSTSTORE_PASSWD}}"/>
-->
<Connector port="${{SSL_HTTP_CONNECTOR_PORT}}" protocol="org.apache.coyote.http11.Http11NioProtocol"
maxThreads="150" />
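Review bot: The new comment text says that setting keystore and truststore on the connector overrides the javax.net.ssl system properties, but as far as I know a Tomcat connector's `truststoreFile` is only consulted to validate client certificates, which this template disables with `clientAuth="false"`, and it has no effect on outbound TLS connections the webapps make — those still use the JVM-level trustStore set in setenv.sh. I would narrow the sentence to `Setting the keystore and truststore in the connector overrides the javax.net.ssl system properties for this connector's own handshake only (the truststore matters only with clientAuth="true" or "want"); outbound connections still use the JVM properties`. The template also still lists `TLSv1, TLSv1.1` in sslEnabledProtocols — an unchanged line, but worth trimming to TLSv1.2 before anyone enables this block. The same comment text is added in configs/conf/server.xml and console/conf/server.xml.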
diff --git a/packages/base/src/files/install/servers/configs/conf/server.xml b/packages/base/src/files/install/servers/configs/conf/server.xml
index ecbeb6e4d..3bccc6ffb 100644
--- a/packages/base/src/files/install/servers/configs/conf/server.xml
+++ b/packages/base/src/files/install/servers/configs/conf/server.xml
@@ -104,12 +104,16 @@
OpenSSL style configuration is required as described in the APR/native
documentation -->
- <!--
+ <!--
+ Setting the keystore and truststore in the connector, overrides the javax.net.ssl system properties
+ passed in to the tomcat JVM:
+
<Connector port="${{SSL_HTTP_CONNECTOR_PORT}}" protocol="org.apache.coyote.http11.Http11NioProtocol"
maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
clientAuth="false" sslProtocol="TLS"
- keystoreFile="${{POLICY_HOME}}/etc/ssl/policy-keystore" keystorePass="${{KEYSTORE_PASSWD}}"/>
- -->
+ keystoreFile="${{POLICY_HOME}}/etc/ssl/policy-keystore" keystorePass="${{KEYSTORE_PASSWD}}"
+ truststoreFile="${{POLICY_HOME}}/etc/ssl/policy-truststore" truststorePass="${{TRUSTSTORE_PASSWD}}"/>
+ -->
<!-- Define an AJP 1.3 Connector on port 8009 -->
diff --git a/packages/base/src/files/install/servers/console/conf/server.xml b/packages/base/src/files/install/servers/console/conf/server.xml
index 618a6a99a..5e6226742 100644
--- a/packages/base/src/files/install/servers/console/conf/server.xml
+++ b/packages/base/src/files/install/servers/console/conf/server.xml
@@ -106,11 +106,16 @@
documentation
-->
- <!-- ONAP portal currently using http instead of https
+ <!-- ONAP portal currently using http instead of https
+
+ Setting the keystore and truststore in the connector, overrides the javax.net.ssl system properties
+ passed in to the tomcat JVM:
+
<Connector port="${{SSL_HTTP_CONNECTOR_PORT}}" protocol="org.apache.coyote.http11.Http11NioProtocol"
maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
clientAuth="false" sslEnabledProtocols="TLSv1, TLSv1.1, TLSv1.2"
- keystoreFile="${{POLICY_HOME}}/etc/ssl/policy-keystore" keystorePass="${{KEYSTORE_PASSWD}}"/>
+ keystoreFile="${{POLICY_HOME}}/etc/ssl/policy-keystore" keystorePass="${{KEYSTORE_PASSWD}}"
+ truststoreFile="${{POLICY_HOME}}/etc/ssl/policy-truststore" truststorePass="${{TRUSTSTORE_PASSWD}}"/>
-->
<Connector port="${{SSL_HTTP_CONNECTOR_PORT}}" protocol="org.apache.coyote.http11.Http11NioProtocol"
maxThreads="150" />
diff --git a/packages/docker/src/main/docker/do-start.sh b/packages/docker/src/main/docker/do-start.sh
index 0179fad70..c655ce90a 100644
--- a/packages/docker/src/main/docker/do-start.sh
+++ b/packages/docker/src/main/docker/do-start.sh
@@ -64,11 +64,16 @@ else
. /opt/app/policy/etc/profile.d/env.sh
+ # override the policy keystore and truststore if present
+
if [[ -f config/policy-keystore ]]; then
- # install policy keystore
cp config/policy-keystore $POLICY_HOME/etc/ssl
fi
+ if [[ -f config/policy-truststore ]]; then
+ cp -f config/policy-trustore ${POLICY_HOME}/etc/ssl
+ fi
+
if [[ -f config/$container-tweaks.sh ]] ; then
# file may not be executable; running it as an
# argument to bash avoids needing execute perms.
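Review bot: The new truststore branch tests `config/policy-truststore` but copies `config/policy-trustore` (missing an `s`), so the override never takes effect and `cp` fails on a file that does not exist; the line should read `cp -f config/policy-truststore "${POLICY_HOME}/etc/ssl"`, which also quotes the destination. Whether that failure aborts the start depends on the script's set options, which are outside this hunk, so it may just log an error and continue with the packaged truststore. The enclosing `else` branch starts before the hunk.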
diff --git a/packages/docker/src/main/docker/docker-install.sh b/packages/docker/src/main/docker/docker-install.sh
index 09cba6e96..7176abf20 100644
--- a/packages/docker/src/main/docker/docker-install.sh
+++ b/packages/docker/src/main/docker/docker-install.sh
@@ -169,6 +169,7 @@ function configure_component() {
SED_LINE+=" -e 's!\${{POLICY_USER}}!${POLICY_USER}!g' "
SED_LINE+=" -e 's!\${{POLICY_GROUP}}!${POLICY_GROUP}!g' "
SED_LINE+=" -e 's!\${{KEYSTORE_PASSWD}}!${KEYSTORE_PASSWD}!g' "
+ SED_LINE+=" -e 's!\${{TRUSTSTORE_PASSWD}}!${TRUSTSTORE_PASSWD}!g' "
SED_LINE+=" -e 's!\${{JAVA_HOME}}!${JAVA_HOME}!g' "
SED_LINE+=" -e 's!\${{COMPONENT_TYPE}}!${COMPONENT_TYPE}!g' "
SED_LINE+=" -e 's!\${{POLICY_LOGS}}!${POLICY_LOGS}!g' "
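Review bot: The added substitution splices `${TRUSTSTORE_PASSWD}` directly into a sed `s!…!…!g` expression, inheriting the existing KEYSTORE_PASSWD line's limitation: a value containing `!`, `&` or `\` corrupts the expression or is rewritten by sed, and the password is visible in the sed process's argv. Since the commit makes the truststore password operator-configurable, a comment and a guard are warranted, e.g. `# passwords are spliced into a sed script: reject the delimiter and sed metacharacters` followed by a `case "$TRUSTSTORE_PASSWD" in *[\!\&\\]*) ... ;; esac` that refuses such values. configure_component() begins before the hunk.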
@@ -405,10 +406,16 @@ function configure_keystore() {
fi
local DEFAULT_KEYSTORE_PASSWORD="Pol1cy_0nap"
+ local DEFAULT_KEYSTORE_PASSWORD='Pol1cy_0nap'
+
+ if [[ -n ${TRUSTSTORE_PASSWD} ]]; then
+ keytool -storepasswd -storepass "${DEFAULT_TRUSTSTORE_PASSWORD}" -keystore "${POLICY_HOME}/etc/ssl/policy-truststore" -new "${TRUSTSTORE_PASSWD}"
+ keytool -list -keystore "${POLICY_HOME}/etc/ssl/policy-truststore" -storepass "${TRUSTSTORE_PASSWD}"
+ fi
if [[ -n ${KEYSTORE_PASSWD} ]]; then
- keytool -storepasswd -storepass ${DEFAULT_KEYSTORE_PASSWORD} -keystore ${POLICY_HOME}/etc/ssl/policy-keystore -new ${KEYSTORE_PASSWD}
- keytool -list -keystore ${POLICY_HOME}/etc/ssl/policy-keystore -storepass ${KEYSTORE_PASSWD}
+ keytool -storepasswd -storepass "${DEFAULT_KEYSTORE_PASSWORD}" -keystore "${POLICY_HOME}/etc/ssl/policy-keystore" -new "${KEYSTORE_PASSWD}"
+ keytool -list -keystore "${POLICY_HOME}/etc/ssl/policy-keystore" -storepass "${KEYSTORE_PASSWD}"
fi
}
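Review bot: The truststore branch reads `${DEFAULT_TRUSTSTORE_PASSWORD}`, but the added declaration above it is a second `local DEFAULT_KEYSTORE_PASSWORD='Pol1cy_0nap'` rather than a truststore default, so that variable is never set and keytool is given an empty `-storepass` (rejected by keytool, or an unbound-variable error under `set -u`). The added line should be `local DEFAULT_TRUSTSTORE_PASSWORD='Pol1cy_0nap'` and the duplicated keystore declaration dropped. Note also that `-storepasswd` places both the old and the new password on keytool's command line, where other local users can read them via `ps` for the duration of the call — an existing pattern, but worth a comment now that the commit adds a second instance. configure_keystore() begins before the hunk.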
diff --git a/packages/install/src/files/base.conf b/packages/install/src/files/base.conf
index 25a2a355d..dbf5da79c 100644
--- a/packages/install/src/files/base.conf
+++ b/packages/install/src/files/base.conf
@@ -21,7 +21,8 @@
JAVA_HOME=/usr/lib/jvm/java-8-oracle
POLICY_HOME=/opt/app/policy
POLICY_LOGS=/opt/app/policy/logs
-KEYSTORE_PASSWD=PolicyR0ck$
+KEYSTORE_PASSWD=Pol1cy_0nap
+TRUSTSTORE_PASSWD=Pol1cy_0nap
JDBC_DRIVER=org.mariadb.jdbc.Driver
JDBC_URL=jdbc:mariadb://localhost:3306/onap_sdk
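Review bot: Both store passwords are now committed in clear text with the same well-known default (`Pol1cy_0nap`, the value docker-install.sh also hard-codes as DEFAULT_KEYSTORE_PASSWORD), and nothing in the file marks them as placeholders, so a deployment that ships base.conf unchanged runs with passwords published in a public repository. A comment above the two lines would make the expectation explicit, e.g. `# package defaults - override per deployment and keep the keystore and truststore passwords distinct`. Keeping the two values identical also means a leak of the less sensitive truststore password exposes the keystore.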