From 1f68035b96e9336b737bc9a5d055c5ffdd016813 Mon Sep 17 00:00:00 2001 From: danielhanrahan Date: Wed, 8 Sep 2021 10:49:44 +0100 Subject: Ensure that login in policy-gui works with AAF Add CLAMP SSL cert and key to Docker image Change nginx port from 8080 to 2443 and enable SSL Update README to include instructions on certificate login Issue-ID: POLICY-3615 Signed-off-by: danielhanrahan Change-Id: I5211d30c420d75a94621399f33763b8156c50b5b --- README.md | 18 ++++++++---- .../policy-gui-docker/src/main/docker/Dockerfile | 4 ++- .../src/main/docker/etc/ssl/clamp.key | 32 +++++++++++++++++++++ .../src/main/docker/etc/ssl/clamp.pem | 33 ++++++++++++++++++++++ .../src/main/docker/nginx/default.conf.template | 7 ++++- 5 files changed, 87 insertions(+), 7 deletions(-) create mode 100644 packages/policy-gui-docker/src/main/docker/etc/ssl/clamp.key create mode 100644 packages/policy-gui-docker/src/main/docker/etc/ssl/clamp.pem diff --git a/README.md b/README.md index 6322319..4bff635 100644 --- a/README.md +++ b/README.md @@ -13,10 +13,10 @@ To build it using Maven 3, run: mvn clean install -P docker # Docker image Maven produces a single docker image containing the policy GUIs. These are exposed on -the same port (8080) using different URLs: -- Apex Policy Editor: http://localhost:8080/apex-editor -- PDP Monitoring UI: http://localhost:8080/pdp-monitoring -- CLAMP Designer UI: http://localhost:8080/clamp +the same port (2443) using different URLs: +- Apex Policy Editor: http://localhost:2443/apex-editor +- PDP Monitoring UI: http://localhost:2443/pdp-monitoring +- CLAMP Designer UI: http://localhost:2443/clamp ## Building You can use the following command to build the policy-gui docker image: 
@@ -38,8 +38,16 @@ backend, then CLAMP_REST_URL should be set to `https://policy-clamp-backend:8443 If running clamp backend on localhost port 8443, the policy-gui docker image would be started like this: ``` -docker run -p 8080:8080 \ +docker run -p 2443:2443 \ --add-host host.docker.internal:host-gateway \ --env CLAMP_REST_URL=https://host.docker.internal:8443 \ onap/policy-gui ``` + +## Client Credentials +A certificate must be added in the browser and is required to log in properly: + +[org.onap.clamp.p12 (from clamp master)](URL "https://gerrit.onap.org/r/gitweb?p=clamp.git;a=blob_plain;f=src/main/resources/clds/aaf/org.onap.clamp.p12;hb=refs/heads/master") +(Password: "China in the Spring") + +See onap/clamp repo README for details. diff --git a/packages/policy-gui-docker/src/main/docker/Dockerfile b/packages/policy-gui-docker/src/main/docker/Dockerfile index 8820139..681a58d 100644 --- a/packages/policy-gui-docker/src/main/docker/Dockerfile +++ b/packages/policy-gui-docker/src/main/docker/Dockerfile @@ -37,6 +37,8 @@ WORKDIR $POLICY_HOME COPY policy-gui.sh ./bin/ COPY /maven/gui-editor-apex-uber.jar ./lib/ COPY /maven/gui-pdp-monitoring-uber.jar ./lib/ +COPY etc/ssl/clamp.key /etc/ssl/clamp.key +COPY etc/ssl/clamp.pem /etc/ssl/clamp.pem COPY nginx/nginx.conf /etc/nginx/nginx.conf COPY nginx/default.conf.template /etc/nginx/templates/default.conf.template COPY nginx/index.html /usr/share/nginx/html/ @@ -52,4 +54,4 @@ RUN rm /etc/nginx/conf.d/default.conf && \ USER policy WORKDIR $POLICY_HOME/bin ENTRYPOINT [ "./policy-gui.sh" ] -EXPOSE 8080 +EXPOSE 2443 diff --git a/packages/policy-gui-docker/src/main/docker/etc/ssl/clamp.key b/packages/policy-gui-docker/src/main/docker/etc/ssl/clamp.key new file mode 100644 index 0000000..bcbb9f1 --- /dev/null +++ b/packages/policy-gui-docker/src/main/docker/etc/ssl/clamp.key 
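Review bot: The two added lines `COPY etc/ssl/clamp.key /etc/ssl/clamp.key` and `COPY etc/ssl/clamp.pem /etc/ssl/clamp.pem` bake a TLS private key into the image, and the clamp.key hunk later in this patch commits that same key to the repository in clear text, so anyone who can pull the image or read the repo holds the server key. Consider leaving the key out of the image and supplying it at run time (volume or orchestrator secret), keeping only a documented path here, e.g. `# TLS key/cert are expected to be mounted at /etc/ssl/clamp.key and /etc/ssl/clamp.pem`. If bundling a development key is intentional, say so in a comment above the COPY lines and treat the key as public. The container later switches to `USER policy`, and the added lines set neither ownership nor mode, so whichever way the key arrives it is worth making it readable by that user only.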
@@ -0,0 +1,32 @@ +Bag Attributes + friendlyName: clamp@clamp.onap.org + localKeyID: 54 69 6D 65 20 31 35 38 30 38 32 39 30 36 35 34 37 39 +Key Attributes: +-----BEGIN PRIVATE KEY----- +MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCTB30nMh0hczIk +vWJo7Omg7cAHhz50NBhLB7u+60oXRGCya4SqssqqxNnNqNQQP9MmflW2q/bZepWn +8Rk23X6CLmoIUlrj8BMPkUCRqzgvlaWPSNAK5QcOp6GUvXTuX4EsaWxJhbs9Ujz2 ++qi137iNOqfAx1sUygah1kjALrqHkXDqJGvIfxU5ES0akBi/lB7A3WpE52KTioSF +JS5Kbnpj1ogffGNKyAiNqU61LcF1FjWmINat2z3ZMk/3Xm+HCDg/GLPnbh4E1KoE +10O22AMys6YGEyPvgRfrTF13DsDX52PmmUHbkSB6kwS/CeV5Uu++8b6T2IWpPyZ2 ++5ptmL+tAgMBAAECggEBAIUplzRUswWEq7mSvPqC9+YE7pLi7rGYLRhnXKdBuszv +5RQzROjFHcEkoI8fhVFiPP70FPVpMh0uZTTBrDCA0v9cwjPfQuqGmPzUdUJ5bF3M +jzICpEn5vDaNpE5ueOUcIoXyxVyhfj+/p++YfgybHy7qHN0AsYFWqEMTLLjCmbYF +pZozbAcGQoAR8PSfwuvgusuEezrhYertHsdFwlfZhDtJvnm/4YKRUVEBzuaaA7B9 +sUhnQFS8ScqiUbkAGdjfY9wOYRHnQgjtqiP8poIzLkqCNSoVctgh5Pdv4jp4HO90 +J5QC+f7m7rOoWUw8EYbRo/4C4Mckh0GQQ+oP4xzrtZECgYEA3DYALFgOEY+0RR1K +61HAKqdNy1YbeuidpCBEJEwmIbzdgO1DcJdNznbfdRlmS7VB9orwRfNbf7Hxm2w/ +/xn9USENXWx7fvDoISqSDegvEsBSq5hSEMVl3f7CfQZrYl1f6gxfe7L/jtmbn0eQ +avsr9RaUCWP794DEXKuA9pC8hVsCgYEAquy5I4hO4jNBQ6v5+omjsEgk4513/RNs +f47Md8bsDHKJMbCMKCdqM1D3J1xbgV3DgSv0yNlKdU2wenWdgQAyBtz18NBgno85 +YNanFhp1CymgLFHdLJHSOqAkzutSuCNnGTT6AKspOQvy+cuj7XsnbsxtYK3Cgw5h +Mom3RnUy9ZcCgYAnForHVEYDBgAYuI9g39z9dT8Q1dMA6SN6S6Ps0Xt/R5gF15e9 +941/FYiqr3yB+cWgrp7hu8XFD9/0F63waTuW2AgYSjZNnROHN5g/UbRxXqQOA3al +tXRUiHEbYjVTe4GX+ORF/8rvH19JUZmn87ekxII4fH/wOfIhBOxaV+yuuwKBgHtz +5Tizz/3y9TWSdkgtt6uwP+yipLKGn/v1wNrWM1G+PDdGg8TQyxTrasfkHjdu6LFY +dUHIJ85X4ZphbvRolrl8SKq5Zr+/RLsb7qy5SUZZt1Wrfysc25H6bvuA3ksfTuzW +5acr+Oc6KTGgkvMI229cebe1aONNtIhTDav3JGpbAoGAX5DQvNreqnP8qSAvUN2I +TAHXIzawR3f6vgGgVIdkHkiS2eKzs/fgP3VAK80TbrGSR8HvBcPEcR/icOn1u/e6 +tDp0j6mGt5aPKK9VQkBn94bW35T12FUbdB+L8FWWTUrfiVWJtEW8tEsKil5ac8U4 +Bn3vC5WUeKhW6v6kD4AigqE= +-----END PRIVATE KEY----- 
diff --git a/packages/policy-gui-docker/src/main/docker/etc/ssl/clamp.pem b/packages/policy-gui-docker/src/main/docker/etc/ssl/clamp.pem new file mode 100644 index 0000000..a01b587 --- /dev/null +++ b/packages/policy-gui-docker/src/main/docker/etc/ssl/clamp.pem 
@@ -0,0 +1,33 @@ +Bag Attributes + friendlyName: clamp@clamp.onap.org + localKeyID: 54 69 6D 65 20 31 35 38 30 38 32 39 30 36 35 34 37 39 +subject=CN = clamp, emailAddress = mark.d.manager@people.osaaf.com, OU = clamp@clamp.onap.org:DEV, OU = OSAAF, O = ONAP, C = US + +issuer=C = US, O = ONAP, OU = OSAAF, CN = intermediateCA_9 + +-----BEGIN CERTIFICATE----- +MIIEWDCCA0CgAwIBAgIILw1zyDGqB5IwDQYJKoZIhvcNAQELBQAwRzELMAkGA1UE +BhMCVVMxDTALBgNVBAoMBE9OQVAxDjAMBgNVBAsMBU9TQUFGMRkwFwYDVQQDDBBp +bnRlcm1lZGlhdGVDQV85MB4XDTIwMDIwNDEyMjM1MloXDTIxMDIwNDEyMjM1Mlow +gY8xDjAMBgNVBAMMBWNsYW1wMS4wLAYJKoZIhvcNAQkBFh9tYXJrLmQubWFuYWdl +ckBwZW9wbGUub3NhYWYuY29tMSEwHwYDVQQLDBhjbGFtcEBjbGFtcC5vbmFwLm9y +ZzpERVYxDjAMBgNVBAsMBU9TQUFGMQ0wCwYDVQQKDARPTkFQMQswCQYDVQQGEwJV +UzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAJMHfScyHSFzMiS9Ymjs +6aDtwAeHPnQ0GEsHu77rShdEYLJrhKqyyqrE2c2o1BA/0yZ+Vbar9tl6lafxGTbd +foIuaghSWuPwEw+RQJGrOC+VpY9I0ArlBw6noZS9dO5fgSxpbEmFuz1SPPb6qLXf +uI06p8DHWxTKBqHWSMAuuoeRcOoka8h/FTkRLRqQGL+UHsDdakTnYpOKhIUlLkpu +emPWiB98Y0rICI2pTrUtwXUWNaYg1q3bPdkyT/deb4cIOD8Ys+duHgTUqgTXQ7bY +AzKzpgYTI++BF+tMXXcOwNfnY+aZQduRIHqTBL8J5XlS777xvpPYhak/Jnb7mm2Y +v60CAwEAAaOB/jCB+zAJBgNVHRMEAjAAMA4GA1UdDwEB/wQEAwIF4DAgBgNVHSUB +Af8EFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwVAYDVR0jBE0wS4AUgfeZWxC5yIze +81Je6k5poEM+rN2hMKQuMCwxDjAMBgNVBAsMBU9TQUFGMQ0wCwYDVQQKDARPTkFQ +MQswCQYDVQQGEwJVU4IBBzAdBgNVHQ4EFgQUzfIed+18wgFs7E6q0b6BbMICtfsw +RwYDVR0RBEAwPoIFY2xhbXCCCmNsYW1wLW9uYXCCHWNsYW1wLmFwaS5zaW1wbGVk +ZW1vLm9uYXAub3JnggpjbGFtcC5vbmFwMA0GCSqGSIb3DQEBCwUAA4IBAQBizhsW +XrJ9wQy3PrBxgh90sOF15tayXPRZSFYPoQb5LhRh3IY/PvXLaSHlkgPHlCLLx36S +0/DiVf86/83ABvyaq9gJIyg/m4ntNae23OKH1AkA1aN+JCKA8yhsAzDBcRF6Aj7E +VJ+vQlSzz5oh+efP1e/8DUMd1/WwbTXvRd0Iqv/fyZunbjb82qNMrsK1mQ2q+87A +0jx9u1EdeMihP6vWiuKzlwy4mKoNT573SPpvaOkjX3yDlmf2CTQZ9vdAvjmFmVsH +1wyrNZOIgW4VjluiZfAk3mOEskrZiP/7aUXnxmNnYTpgZMbhiouLbRrTc4lLEyhx +G7A61/KGTsLZlvxb +-----END CERTIFICATE----- 
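Review bot: The certificate added here looks to be already expired: decoding the validity field in the base64 body gives notBefore 2020-02-04 and notAfter 2021-02-04, while the commit is dated 8 Sep 2021, so browsers will warn on or reject the nginx listener that serves it. Its subject carries `OU = clamp@clamp.onap.org:DEV`, and the `Bag Attributes` header suggests it was exported from a PKCS#12 bundle, presumably the org.onap.clamp.p12 that the README hands out (with its password) as the browser credential; if so, the server identity and the client credential are the same publicly available key pair. The subjectAltName list appears to cover only clamp host names, not the `localhost` used in the README URLs. A dedicated, in-date server certificate generated for this image would be preferable; failing that, the README should state that this is a throwaway development certificate that must be replaced in any real deployment.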
diff --git a/packages/policy-gui-docker/src/main/docker/nginx/default.conf.template b/packages/policy-gui-docker/src/main/docker/nginx/default.conf.template index d407827..9b3348a 100644 --- a/packages/policy-gui-docker/src/main/docker/nginx/default.conf.template +++ b/packages/policy-gui-docker/src/main/docker/nginx/default.conf.template @@ -1,5 +1,9 @@ server { - listen 8080; + listen 2443 default ssl; + ssl_protocols TLSv1.2; + ssl_certificate /etc/ssl/clamp.pem; + ssl_certificate_key /etc/ssl/clamp.key; + ssl_verify_client optional_no_ca; location / { root /usr/share/nginx/html; @@ -9,6 +13,7 @@ server { location /clamp/restservices/clds/ { proxy_pass ${CLAMP_REST_URL}/restservices/clds/; + proxy_set_header X-SSL-Cert $ssl_client_escaped_cert; } location /pdp-monitoring/papservices/monitoring/ { -- cgit 1.2.3-korg
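Review bot: `ssl_verify_client optional_no_ca;` makes nginx request a client certificate but accept any one offered, including a self-signed one, without checking its chain, so the `X-SSL-Cert` header added in the second hunk carries an unverified certificate and the whole trust decision falls to the CLAMP backend. That setup is sound only if the backend validates the chain itself and cannot be reached except through this proxy; please record that above the directive, e.g. `# chain is NOT verified here; the CLAMP backend must validate X-SSL-Cert`, or verify in nginx with `ssl_client_certificate /path/to/ca.pem;` (placeholder path) plus `ssl_verify_client optional;`. The `server` block continues past both hunks, so it cannot be checked here whether the other proxied locations, such as the pdp-monitoring one visible as context, need the same header. Two smaller points: `ssl_protocols TLSv1.2;` rules out TLS 1.3, and the README URLs changed in this commit still use `http://` against what is now an `ssl` listener.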