summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authordanielhanrahan <daniel.hanrahan@est.tech>2021-09-08 10:49:44 +0100
committerDaniel Hanrahan <daniel.hanrahan@est.tech>2021-09-10 08:23:04 +0000
commit1f68035b96e9336b737bc9a5d055c5ffdd016813 (patch)
tree9deb894ae8e5a9b3820555e79dbb1cdd7be0b5e1
parentf2047d16b47f086395856aefca6c5047b488d207 (diff)
Ensure that login in policy-gui works with AAF
Add CLAMP SSL cert and key to Docker image Change nginx port from 8080 to 2443 and enable SSL Update README to include instructions on certificate login Issue-ID: POLICY-3615 Signed-off-by: danielhanrahan <daniel.hanrahan@est.tech> Change-Id: I5211d30c420d75a94621399f33763b8156c50b5b
-rw-r--r--README.md18
-rw-r--r--packages/policy-gui-docker/src/main/docker/Dockerfile4
-rw-r--r--packages/policy-gui-docker/src/main/docker/etc/ssl/clamp.key32
-rw-r--r--packages/policy-gui-docker/src/main/docker/etc/ssl/clamp.pem33
-rw-r--r--packages/policy-gui-docker/src/main/docker/nginx/default.conf.template7
5 files changed, 87 insertions, 7 deletions
diff --git a/README.md b/README.md
index 6322319..4bff635 100644
--- a/README.md
+++ b/README.md
@@ -13,10 +13,10 @@ To build it using Maven 3, run: mvn clean install -P docker
# Docker image
Maven produces a single docker image containing the policy GUIs. These are exposed on
-the same port (8080) using different URLs:
-- Apex Policy Editor: http://localhost:8080/apex-editor
-- PDP Monitoring UI: http://localhost:8080/pdp-monitoring
-- CLAMP Designer UI: http://localhost:8080/clamp
+the same port (2443) using different URLs:
+- Apex Policy Editor: http://localhost:2443/apex-editor
+- PDP Monitoring UI: http://localhost:2443/pdp-monitoring
+- CLAMP Designer UI: http://localhost:2443/clamp
## Building
You can use the following command to build the policy-gui docker image:
@@ -38,8 +38,16 @@ backend, then CLAMP_REST_URL should be set to `https://policy-clamp-backend:8443
If running clamp backend on localhost port 8443, the policy-gui docker image would be
started like this:
```
-docker run -p 8080:8080 \
+docker run -p 2443:2443 \
--add-host host.docker.internal:host-gateway \
--env CLAMP_REST_URL=https://host.docker.internal:8443 \
onap/policy-gui
```
+
+## Client Credentials
+A certificate must be added in the browser and is required to log in properly:
+
+[org.onap.clamp.p12 (from clamp master)](URL "https://gerrit.onap.org/r/gitweb?p=clamp.git;a=blob_plain;f=src/main/resources/clds/aaf/org.onap.clamp.p12;hb=refs/heads/master")
+(Password: "China in the Spring")
+
+See onap/clamp repo README for details.
diff --git a/packages/policy-gui-docker/src/main/docker/Dockerfile b/packages/policy-gui-docker/src/main/docker/Dockerfile
index 8820139..681a58d 100644
--- a/packages/policy-gui-docker/src/main/docker/Dockerfile
+++ b/packages/policy-gui-docker/src/main/docker/Dockerfile
@@ -37,6 +37,8 @@ WORKDIR $POLICY_HOME
COPY policy-gui.sh ./bin/
COPY /maven/gui-editor-apex-uber.jar ./lib/
COPY /maven/gui-pdp-monitoring-uber.jar ./lib/
+COPY etc/ssl/clamp.key /etc/ssl/clamp.key
+COPY etc/ssl/clamp.pem /etc/ssl/clamp.pem
COPY nginx/nginx.conf /etc/nginx/nginx.conf
COPY nginx/default.conf.template /etc/nginx/templates/default.conf.template
COPY nginx/index.html /usr/share/nginx/html/
@@ -52,4 +54,4 @@ RUN rm /etc/nginx/conf.d/default.conf && \
USER policy
WORKDIR $POLICY_HOME/bin
ENTRYPOINT [ "./policy-gui.sh" ]
-EXPOSE 8080
+EXPOSE 2443
diff --git a/packages/policy-gui-docker/src/main/docker/etc/ssl/clamp.key b/packages/policy-gui-docker/src/main/docker/etc/ssl/clamp.key
new file mode 100644
index 0000000..bcbb9f1
--- /dev/null
+++ b/packages/policy-gui-docker/src/main/docker/etc/ssl/clamp.key
@@ -0,0 +1,32 @@
+Bag Attributes
+ friendlyName: clamp@clamp.onap.org
+ localKeyID: 54 69 6D 65 20 31 35 38 30 38 32 39 30 36 35 34 37 39
+Key Attributes: <No Attributes>
+-----BEGIN PRIVATE KEY-----
+MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCTB30nMh0hczIk
+vWJo7Omg7cAHhz50NBhLB7u+60oXRGCya4SqssqqxNnNqNQQP9MmflW2q/bZepWn
+8Rk23X6CLmoIUlrj8BMPkUCRqzgvlaWPSNAK5QcOp6GUvXTuX4EsaWxJhbs9Ujz2
++qi137iNOqfAx1sUygah1kjALrqHkXDqJGvIfxU5ES0akBi/lB7A3WpE52KTioSF
+JS5Kbnpj1ogffGNKyAiNqU61LcF1FjWmINat2z3ZMk/3Xm+HCDg/GLPnbh4E1KoE
+10O22AMys6YGEyPvgRfrTF13DsDX52PmmUHbkSB6kwS/CeV5Uu++8b6T2IWpPyZ2
++5ptmL+tAgMBAAECggEBAIUplzRUswWEq7mSvPqC9+YE7pLi7rGYLRhnXKdBuszv
+5RQzROjFHcEkoI8fhVFiPP70FPVpMh0uZTTBrDCA0v9cwjPfQuqGmPzUdUJ5bF3M
+jzICpEn5vDaNpE5ueOUcIoXyxVyhfj+/p++YfgybHy7qHN0AsYFWqEMTLLjCmbYF
+pZozbAcGQoAR8PSfwuvgusuEezrhYertHsdFwlfZhDtJvnm/4YKRUVEBzuaaA7B9
+sUhnQFS8ScqiUbkAGdjfY9wOYRHnQgjtqiP8poIzLkqCNSoVctgh5Pdv4jp4HO90
+J5QC+f7m7rOoWUw8EYbRo/4C4Mckh0GQQ+oP4xzrtZECgYEA3DYALFgOEY+0RR1K
+61HAKqdNy1YbeuidpCBEJEwmIbzdgO1DcJdNznbfdRlmS7VB9orwRfNbf7Hxm2w/
+/xn9USENXWx7fvDoISqSDegvEsBSq5hSEMVl3f7CfQZrYl1f6gxfe7L/jtmbn0eQ
+avsr9RaUCWP794DEXKuA9pC8hVsCgYEAquy5I4hO4jNBQ6v5+omjsEgk4513/RNs
+f47Md8bsDHKJMbCMKCdqM1D3J1xbgV3DgSv0yNlKdU2wenWdgQAyBtz18NBgno85
+YNanFhp1CymgLFHdLJHSOqAkzutSuCNnGTT6AKspOQvy+cuj7XsnbsxtYK3Cgw5h
+Mom3RnUy9ZcCgYAnForHVEYDBgAYuI9g39z9dT8Q1dMA6SN6S6Ps0Xt/R5gF15e9
+941/FYiqr3yB+cWgrp7hu8XFD9/0F63waTuW2AgYSjZNnROHN5g/UbRxXqQOA3al
+tXRUiHEbYjVTe4GX+ORF/8rvH19JUZmn87ekxII4fH/wOfIhBOxaV+yuuwKBgHtz
+5Tizz/3y9TWSdkgtt6uwP+yipLKGn/v1wNrWM1G+PDdGg8TQyxTrasfkHjdu6LFY
+dUHIJ85X4ZphbvRolrl8SKq5Zr+/RLsb7qy5SUZZt1Wrfysc25H6bvuA3ksfTuzW
+5acr+Oc6KTGgkvMI229cebe1aONNtIhTDav3JGpbAoGAX5DQvNreqnP8qSAvUN2I
+TAHXIzawR3f6vgGgVIdkHkiS2eKzs/fgP3VAK80TbrGSR8HvBcPEcR/icOn1u/e6
+tDp0j6mGt5aPKK9VQkBn94bW35T12FUbdB+L8FWWTUrfiVWJtEW8tEsKil5ac8U4
+Bn3vC5WUeKhW6v6kD4AigqE=
+-----END PRIVATE KEY-----
diff --git a/packages/policy-gui-docker/src/main/docker/etc/ssl/clamp.pem b/packages/policy-gui-docker/src/main/docker/etc/ssl/clamp.pem
new file mode 100644
index 0000000..a01b587
--- /dev/null
+++ b/packages/policy-gui-docker/src/main/docker/etc/ssl/clamp.pem
@@ -0,0 +1,33 @@
+Bag Attributes
+ friendlyName: clamp@clamp.onap.org
+ localKeyID: 54 69 6D 65 20 31 35 38 30 38 32 39 30 36 35 34 37 39
+subject=CN = clamp, emailAddress = mark.d.manager@people.osaaf.com, OU = clamp@clamp.onap.org:DEV, OU = OSAAF, O = ONAP, C = US
+
+issuer=C = US, O = ONAP, OU = OSAAF, CN = intermediateCA_9
+
+-----BEGIN CERTIFICATE-----
+MIIEWDCCA0CgAwIBAgIILw1zyDGqB5IwDQYJKoZIhvcNAQELBQAwRzELMAkGA1UE
+BhMCVVMxDTALBgNVBAoMBE9OQVAxDjAMBgNVBAsMBU9TQUFGMRkwFwYDVQQDDBBp
+bnRlcm1lZGlhdGVDQV85MB4XDTIwMDIwNDEyMjM1MloXDTIxMDIwNDEyMjM1Mlow
+gY8xDjAMBgNVBAMMBWNsYW1wMS4wLAYJKoZIhvcNAQkBFh9tYXJrLmQubWFuYWdl
+ckBwZW9wbGUub3NhYWYuY29tMSEwHwYDVQQLDBhjbGFtcEBjbGFtcC5vbmFwLm9y
+ZzpERVYxDjAMBgNVBAsMBU9TQUFGMQ0wCwYDVQQKDARPTkFQMQswCQYDVQQGEwJV
+UzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAJMHfScyHSFzMiS9Ymjs
+6aDtwAeHPnQ0GEsHu77rShdEYLJrhKqyyqrE2c2o1BA/0yZ+Vbar9tl6lafxGTbd
+foIuaghSWuPwEw+RQJGrOC+VpY9I0ArlBw6noZS9dO5fgSxpbEmFuz1SPPb6qLXf
+uI06p8DHWxTKBqHWSMAuuoeRcOoka8h/FTkRLRqQGL+UHsDdakTnYpOKhIUlLkpu
+emPWiB98Y0rICI2pTrUtwXUWNaYg1q3bPdkyT/deb4cIOD8Ys+duHgTUqgTXQ7bY
+AzKzpgYTI++BF+tMXXcOwNfnY+aZQduRIHqTBL8J5XlS777xvpPYhak/Jnb7mm2Y
+v60CAwEAAaOB/jCB+zAJBgNVHRMEAjAAMA4GA1UdDwEB/wQEAwIF4DAgBgNVHSUB
+Af8EFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwVAYDVR0jBE0wS4AUgfeZWxC5yIze
+81Je6k5poEM+rN2hMKQuMCwxDjAMBgNVBAsMBU9TQUFGMQ0wCwYDVQQKDARPTkFQ
+MQswCQYDVQQGEwJVU4IBBzAdBgNVHQ4EFgQUzfIed+18wgFs7E6q0b6BbMICtfsw
+RwYDVR0RBEAwPoIFY2xhbXCCCmNsYW1wLW9uYXCCHWNsYW1wLmFwaS5zaW1wbGVk
+ZW1vLm9uYXAub3JnggpjbGFtcC5vbmFwMA0GCSqGSIb3DQEBCwUAA4IBAQBizhsW
+XrJ9wQy3PrBxgh90sOF15tayXPRZSFYPoQb5LhRh3IY/PvXLaSHlkgPHlCLLx36S
+0/DiVf86/83ABvyaq9gJIyg/m4ntNae23OKH1AkA1aN+JCKA8yhsAzDBcRF6Aj7E
+VJ+vQlSzz5oh+efP1e/8DUMd1/WwbTXvRd0Iqv/fyZunbjb82qNMrsK1mQ2q+87A
+0jx9u1EdeMihP6vWiuKzlwy4mKoNT573SPpvaOkjX3yDlmf2CTQZ9vdAvjmFmVsH
+1wyrNZOIgW4VjluiZfAk3mOEskrZiP/7aUXnxmNnYTpgZMbhiouLbRrTc4lLEyhx
+G7A61/KGTsLZlvxb
+-----END CERTIFICATE-----
diff --git a/packages/policy-gui-docker/src/main/docker/nginx/default.conf.template b/packages/policy-gui-docker/src/main/docker/nginx/default.conf.template
index d407827..9b3348a 100644
--- a/packages/policy-gui-docker/src/main/docker/nginx/default.conf.template
+++ b/packages/policy-gui-docker/src/main/docker/nginx/default.conf.template
@@ -1,5 +1,9 @@
server {
- listen 8080;
+ listen 2443 default ssl;
+ ssl_protocols TLSv1.2;
+ ssl_certificate /etc/ssl/clamp.pem;
+ ssl_certificate_key /etc/ssl/clamp.key;
+ ssl_verify_client optional_no_ca;
location / {
root /usr/share/nginx/html;
@@ -9,6 +13,7 @@ server {
location /clamp/restservices/clds/ {
proxy_pass ${CLAMP_REST_URL}/restservices/clds/;
+ proxy_set_header X-SSL-Cert $ssl_client_escaped_cert;
}
location /pdp-monitoring/papservices/monitoring/ {