3 CLAMP is a platform for designing and managing control loops. It is used to design a closed loop, configure it with specific parameters for a particular network service, then deploying and undeploying it. Once deployed, the user can also update the loop with new parameters during runtime, as well as suspending and restarting it.
5 It interacts with other systems to deploy and execute the closed loop. For example, it pushes the control loop design to the SDC catalog, associating it with the VF resource. It requests from DCAE the instantiation of microservices to manage the closed loop flow. Further, it creates and updates multiple policies in the Policy Engine that define the closed loop flow.
7 The ONAP CLAMP platform abstracts the details of these systems under the concept of a control loop model. The design of a control loop and its management is represented by a workflow in which all relevant system interactions take place. This is essential for a self-service model of creating and managing control loops, where no low-level user interaction with other components is required.
9 At a higher level, CLAMP is about supporting and managing the broad operational life cycle of VNFs/VMs and ultimately ONAP components itself. It will offer the ability to design, test, deploy and update control loop automation - both closed and open. Automating these functions would represent a significant saving on operational costs compared to traditional methods.
12 Owner: ONAP CLAMP Dev team
13 Mailing List : onap-discuss@lists.onap.org
14 Add the following prefix to Subject on the mailing list : [CLAMP]
15 See here to subscribe : https://wiki.onap.org/display/DW/Mailing+Lists
18 https://wiki.onap.org/display/DW/CLAMP+Project
21 Jenkins Job: ${jenkins-joblink}
23 CLAMP UI: ${cockpit-link}
30 You can use the following command to build the clamp docker image:
32 mvn clean install -P docker
36 Currently, the clamp docker image can be deployed with small configuration needs. Though, you might need to make small adjustments to the configuration. As clamp is spring based, you can use the SPRING_APPLICATION_JSON environment variable to update its parameters.
39 There are two needed datasource for Clamp. By default, both will try to connect to the localhost server using the credentials available in the example SQL files. If you need to change the default database host and/or credentials, you can do it by using the following json as SPRING_APPLICATION_JSON environment variable :
40 Note that all others configurations can be configured in the JSON as well,
44 "spring.datasource.cldsdb.url": "jdbc:mysql://anotherDB.onap.org:3306/cldsdb4?autoReconnect=true&connectTimeout=10000&socketTimeout=10000&retriesAllDown=3",
45 "spring.datasource.cldsdb.username": "admin",
46 "spring.datasource.cldsdb.password": "password"
48 "clamp.config.dcae.inventory.url": "http://dcaegen2.host:8080",
49 "clamp.config.dcae.dispatcher.url": "http://dcaegen2.host:8080",
50 "clamp.config.policy.pdpUrl1": "https://policy-pdp.host:9091/pdp/ , testpdp, alpha123",
51 "clamp.config.policy.pdpUrl2": "https://policy-pdp.host:9091/pdp/ , testpdp, alpha123",
52 "clamp.config.policy.papUrl": "https://policy-pap.host:8443/pap/ , testpap, alpha123",
53 "clamp.config.policy.clientKey": "5CE79532B3A2CB4D132FC0C04BF916A7"
54 "clamp.config.files.sdcController":"file:/opt/clamp/config/sdc-controllers-config.json"
57 ### SDC-Controllers config
59 This file is a JSON that must be specified to Spring config, here is an example:
66 "consumerGroup": "consumerGroup1",
67 "consumerId": "consumerId1",
68 "environmentName": "AUTO",
69 "sdcAddress": "localhost:8443",
70 "password": "b7acccda32b98c5bb7acccda32b98c5b05D511BD6D93626E90D18E9D24D9B78CD34C7EE8012F0A189A28763E82271E50A5D4EC10C7D93E06E0A2D27CAE66B981",
73 "activateServerTLSAuth":"false",
74 "keyStorePassword":"",
76 "messageBusAddresses":["dmaaphost.com"]
80 "consumerGroup": "consumerGroup1",
81 "consumerId": "consumerId1",
82 "environmentName": "AUTO",
83 "sdcAddress": "localhost:8443",
84 "password": "b7acccda32b98c5bb7acccda32b98c5b05D511BD6D93626E90D18E9D24D9B78CD34C7EE8012F0A189A28763E82271E50A5D4EC10C7D93E06E0A2D27CAE66B981",
87 "activateServerTLSAuth":"false",
88 "keyStorePassword":"",
90 "messageBusAddresses":["dmaaphost.com"]
95 Multiple controllers can be configured so that Clamp is able to receive the notifications from different SDC servers.
96 Each Clamp existing in a cluster should have different consumerGroup and consumerId so that they can each consume the SDC notification.
97 The environmentName is normally the Dmaap Topic used by SDC.
98 If the sdcAddress is not specified or not available (connection failure) the messageBusAddresses will be used (Dmaap servers)
102 A [docker-compose example file](extra/docker/clamp/docker-compose.yml) can be found under the [extra/docker/clamp/ folder](extra/docker/).
104 Once the image has been built and is available locally, you can use the `docker-compose up` command to deploy a prepopullated database and a clamp instance available on [http://localhost:8080/designer/index.html](http://localhost:8080/designer/index.html).
109 Clamp uses logback framework to generate logs. The logback.xml file can be found under the [src/main/resources/ folder](src/main/resources).
111 With the default log settings, all logs will be generated into console and into root.log file under the Clamp root folder. The root.log file is not allowed to be appended, thus restarting the clamp will result in cleaning of the old log files.
115 You can see the swagger definition for the jaxrs apis at `/restservices/clds/v1/openapi.json`
117 ## Clamp AAF - Renew Certificates
118 - Connect to windriver with openvpn
119 - create a folder aaf-renewal and go to it
120 - create a file aaf.props with that content (or run the agent.sh script below, it will prompt you for values at first run)
122 DOCKER_REPOSITORY=nexus3.onap.org:10001
125 AAF_FQDN=aaf-onap-test.osaaf.org
126 AAF_FQDN_IP=10.12.5.145
127 DEPLOY_FQI=deployer@people.osaaf.org
129 APP_FQI=clamp@clamp.onap.org
134 - wget -O agent.sh 'https://gerrit.onap.org/r/gitweb?p=aaf/authz.git;a=blob_plain;f=auth/docker/agent.sh;h=32910874e01ad13865510091ddd4ef9ae5966410;hb=refs/heads/elalto'
135 - wget https://nexus.onap.org/content/repositories/releases/org/onap/aaf/authz/aaf-auth-cmd/2.1.13/aaf-auth-cmd-2.1.13-full.jar
137 It's going to ask some questions:
138 Password for deployer@people.osaaf.org: demo123456!
139 AAF Locator URL=https://aaf-onap-test.osaaf.org:8095
140 # If you do not know your Global Coordinates, we suggest bing.com/maps
141 cadi_latitude[0.000]=10.0
142 cadi_longitude[0.000]=10.0
143 - Certs should created, you can get them in /var/lib/docker/volumes/clamp_config/_data/local
144 If you want to recreate the certs, you have to delete the docker volume (otherwise it will be re used) : docker volume rm clamp_config
145 - wget https://nexus.onap.org/content/repositories/releases/org/onap/aaf/authz/aaf-cadi-aaf/2.1.13/aaf-cadi-aaf-2.1.13-full.jar
146 - to encrypt or decrypt the store passwords: java -jar aaf-cadi-aaf-2.1.13-full.jar cadi digest changeit testos.key
147 - you can also use the agent.sh script to decrypt the passwords, by running the showpass commands (see wiki below)
148 - Extract private key from P12: 'openssl pkcs12 -in org.onap.clamp.p12 -nocerts -nodes > clamp.key'
149 - Extract public certificate from P12: 'openssl pkcs12 -in org.onap.clamp.p12 -clcerts -nokeys > clamp.pem'
150 - Extract CA certificate from P12: 'openssl pkcs12 -in org.onap.clamp.p12 -cacerts -nokeys -chain > ca-certs.pem'
151 - reference wiki: https://wiki.onap.org/display/DW/AAF+Certificate+Management+for+Dummies
152 - you need to place new clamp.key, clamp.pem and ca-certs.pem into src/main/resources/clds/aaf/ssl, this will be used by the FrontEnd
153 - you need to replace the password of the generated keystore (clamp uses the p12 keystore), we want to keep the same demo password across release
154 to do so, you can use keytool to update the password and set it back to 'China in the Spring'
155 keytool -storepasswd -keystore ./org.onap.clamp.p12
156 - this will prompt for the current keystore password (the one generated by the aaf script that you can get from the above)
157 - you can then set it to 'China in the Spring'
158 - once done, you can replace : org.onap.clamp.p12 into src/main/resources/clds/aaf
159 - rebuild Clamp Docker containers, they should be updated with the renewed certificates
164 There are two mechanisms that can enabled for the authentication, one or the other never both at the same time.
165 They can be enabled in the application.properties.
168 There is a section for SSL enablement and cadi configuration (for AAF) + one spring profile to enable
171 server.ssl.key-store=classpath:/clds/aaf/org.onap.clamp.p12
172 server.ssl.key-store-password=enc:WWCxchk4WGBNSvuzLq3MLjMs5ObRybJtts5AI0XD1Vc
173 server.ssl.key-password=enc:WWCxchk4WGBNSvuzLq3MLjMs5ObRybJtts5AI0XD1Vc
174 server.ssl.key-store-type=PKCS12
175 server.ssl.key-alias=clamp@clamp.onap.org
176 clamp.config.keyFile=classpath:/clds/aaf/org.onap.clamp.keyfile
177 server.ssl.client-auth=want
178 server.ssl.trust-store=classpath:/clds/aaf/truststoreONAPall.jks
179 server.ssl.trust-store-password=enc:iDnPBBLq_EMidXlMa1FEuBR8TZzYxrCg66vq_XfLHdJ
180 server.http-to-https-redirection.port=8080
182 spring.profiles.active=clamp-default,clamp-aaf-authentication,clamp-sdc-controller-new,clamp-ssl-config
184 clamp.config.cadi.keyFile=classpath:/clds/aaf/org.onap.clamp.keyfile
185 clamp.config.cadi.cadiLoglevel=DEBUG
186 clamp.config.cadi.cadiLatitude=10
187 clamp.config.cadi.cadiLongitude=10
188 clamp.config.cadi.aafLocateUrl=https://aaf.api.simpledemo.onap.org:8095
189 clamp.config.cadi.cadiKeystorePassword=enc:V_kq_EwDNb4itWp_lYfDGXIWJzemHGkhkZOxAQI9IHs
190 clamp.config.cadi.cadiTruststorePassword=enc:Mj0YQqNCUKbKq2lPp1kTFQWeqLxaBXKNwd5F1yB1ukf
191 clamp.config.cadi.aafEnv=DEV
192 clamp.config.cadi.aafUrl=https://AAF_LOCATE_URL/AAF_NS.service:2.0
193 clamp.config.cadi.cadiX509Issuers=CN=intermediateCA_9, OU=OSAAF, O=ONAP, C=US:CN=intermediateCA_1, OU=OSAAF, O=ONAP, C=US
195 In that case a certificate must be added in the browser and is required to login properly
196 Please check that section to get the certificate
197 https://wiki.onap.org/display/DW/Control+Loop+Flows+and+Models+for+Casablanca#ControlLoopFlowsandModelsforCasablanca-Configure
199 Or it can be found in the Clamp source code folder src/main/resources/clds/aaf
200 (Default Password: "China in the Spring")
202 2. Spring authentication
203 It's possible to enable the spring authentication by disabling the "clamp-aaf-authentication" profile and enabling only the "clamp-default-user"
204 spring.profiles.active=clamp-default,clamp-default-user,clamp-sdc-controller
205 In that case, the credentials should be specified in `src/main/resources/clds/clds-users.json`. You might specify you own credential file by redefining the `clamp.config.files.cldsUsers` in `application.properties`.
207 Passwords should be hashed using Bcrypt :
209 # pip3 install bcrypt # if you don't have the bcrypt python lib installed, should be done once.
210 # python3 -c 'import bcrypt; print(bcrypt.hashpw("password".encode(), bcrypt.gensalt(rounds=10, prefix=b"2a")))'
213 Default credentials are admin/password and cs0008/password.
215 There is a spring file that disables the AAF and enable the Spring authentication by default.
218 --spring.config.name=application-noaaf
220 to the jvm parameters. This file is available by default in the java classpath resource folder.