.. This work is licensed under a Creative Commons Attribution 4.0 International License.
.. http://creativecommons.org/licenses/by/4.0
.. Copyright 2020 NOKIA
Standalone docker container
---------------------------

Certification Service Client image::

   nexus3.onap.org:10001/onap/org.onap.aaf.certservice.aaf-certservice-client:latest
1. Create a file with environment variables as in the example below::

     REQUEST_URL=http://aaf-cert-service:8080/v1/certificate/
     OUTPUT_PATH=/var/certs
     ORGANIZATION=Linux-Foundation
     ORGANIZATION_UNIT=ONAP
     LOCATION=San-Francisco
     SANS=test.onap.org:onap.com
2. Run the docker container with the environment file and a docker network (the API and the client must run in the same network)::

     AAFCERT_CLIENT_IMAGE=nexus3.onap.org:10001/onap/org.onap.aaf.certservice.aaf-certservice-client:latest
     DOCKER_ENV_FILE=<path to environment file>
     NETWORK_CERT_SERVICE=<docker network of cert service>
     DOCKER_VOLUME="<absolute path to local dir>:<output path>"

     docker run --env-file $DOCKER_ENV_FILE --network $NETWORK_CERT_SERVICE --volume $DOCKER_VOLUME $AAFCERT_CLIENT_IMAGE
Configuring Cert Service
------------------------
Cert Service keeps the configuration of CMP servers in the file *cmpServers.json*.

Example cmpServers.json file::

      "url": "http://aafcert-ejbca:8080/ejbca/publicweb/cmp/cmp",
      "issuerDN": "CN=ManagementCA",

      "url": "http://aafcert-ejbca:8080/ejbca/publicweb/cmp/cmpRA",
      "issuerDN": "CN=ManagementCA",
This contains a list of CMP servers, where each server has the following properties:

- *caName* - name of the external CA server
- *url* - URL of the CMPv2 server
- *issuerDN* - Distinguished Name of the CA that will sign the certificate
- *caMode* - Issuer mode
- *iak* - Initial authentication key, used to authenticate the request at the CMPv2 server
- *rv* - Reference value, used to authenticate the request at the CMPv2 server

This configuration is read on application start. It can also be reloaded at runtime by calling an HTTP endpoint.
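An added example (not part of the CertService project) that checks a *cmpServers.json* against the properties listed above before it is mounted or reloaded; it assumes the entries live under a top-level ``cmpv2Servers`` list with *iak*/*rv* inside an ``authentication`` object (as in the project's sample file), and flags plaintext http URLs as warnings rather than errors.

```python
import json
from urllib.parse import urlparse

# Per-server fields documented above. The top-level "cmpv2Servers" key and the
# "authentication" object wrapping iak/rv are assumed (they mirror the project's sample file).
REQUIRED_FIELDS = ("caName", "url", "issuerDN", "caMode")
AUTH_FIELDS = ("iak", "rv")

# Constructed sample, not the project's file; iak/rv are placeholders, not real keys.
SAMPLE_CONFIG = """{"cmpv2Servers": [
  {"caName": "Client", "url": "http://aafcert-ejbca:8080/ejbca/publicweb/cmp/cmp",
   "issuerDN": "CN=ManagementCA", "caMode": "CLIENT",
   "authentication": {"iak": "PLACEHOLDER_IAK", "rv": "PLACEHOLDER_RV"}},
  {"caName": "RA", "url": "http://aafcert-ejbca:8080/ejbca/publicweb/cmp/cmpRA",
   "issuerDN": "CN=ManagementCA", "caMode": "RA",
   "authentication": {"iak": "PLACEHOLDER_IAK", "rv": "PLACEHOLDER_RV"}}]}"""


def validate_cmp_servers(text: str) -> list:
    """Return 'ERROR: ...' / 'WARN: ...' findings; an empty list means the file is clean."""
    try:
        cfg = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"ERROR: not valid JSON: {exc}"]
    servers = cfg.get("cmpv2Servers") if isinstance(cfg, dict) else None
    if not isinstance(servers, list) or not servers:
        return ["ERROR: 'cmpv2Servers' must be a non-empty list"]
    findings, seen = [], set()
    for idx, srv in enumerate(servers):
        tag = f"server[{idx}]"
        if not isinstance(srv, dict):
            findings.append(f"ERROR: {tag} is not a JSON object")
            continue
        for field in REQUIRED_FIELDS:  # every documented property must be a non-empty string
            if not isinstance(srv.get(field), str) or not srv[field].strip():
                findings.append(f"ERROR: {tag} missing or empty '{field}'")
        auth = srv.get("authentication") if isinstance(srv.get("authentication"), dict) else {}
        for field in AUTH_FIELDS:  # iak/rv authenticate the request at the CMPv2 server
            if not isinstance(auth.get(field), str) or not auth[field].strip():
                findings.append(f"ERROR: {tag} missing or empty authentication.{field}")
        if srv.get("caName") in seen:  # caName identifies the CA server, so it must be unique
            findings.append(f"ERROR: {tag} duplicate caName '{srv['caName']}'")
        seen.add(srv.get("caName"))
        raw_url = srv.get("url") if isinstance(srv.get("url"), str) else ""
        url = urlparse(raw_url)
        if raw_url and (url.scheme not in ("http", "https") or not url.netloc):
            findings.append(f"ERROR: {tag} url '{raw_url}' is not an absolute http(s) URL")
        elif url.scheme == "http":  # the sample uses http; flag it so the operator decides knowingly
            findings.append(f"WARN: {tag} reaches the CMP server over plaintext http")
    return findings
```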
Configuring in local (docker-compose) deployment:
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

1. Edit the *cmpServers.json* file in certservice/compose-resources
2. Start containers::

1. Find the CertService docker container name.
2. Enter the container::

     docker exec -it <certservice-container-name> bash

3. Edit the *cmpServers.json* file::

     vim /etc/onap/aaf/certservice/cmpServers.json

5. Reload the configuration::

     curl -I https://localhost:8443/reload --cacert /etc/onap/aaf/certservice/certs/root.crt --cert-type p12 --cert /etc/onap/aaf/certservice/certs/certServiceServer-keystore.p12 --pass secret
Configuring in OOM deployment:
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

*Note! This must be done before calling make all; otherwise the aaf charts need to be remade.*

1. Edit the *cmpServers.json* file

   - for a test deployment, edit *kubernetes/aaf/charts/aaf-cert-service/resources/test/cmpServers.json*
   - for a normal deployment, edit *kubernetes/aaf/charts/aaf-cert-service/resources/default/cmpServers.json*

2. Build and start the OOM deployment
1. Encode your configuration to base64 (you can use, for example, online encoders or the command line tool *base64*; since the file carries the *iak* and *rv* authentication values, the local tool is the safer choice)
2. Edit the secret::

     kubectl edit secret <cmp-servers-secret-name> # aaf-cert-service-secret by default

3. Replace the value for *cmpServers.json* with your base64-encoded configuration. For example::

     cmpServers.json: <HERE_PLACE_YOUR_BASE64_ENCODED_CONFIG>
     creationTimestamp: "2020-04-21T16:30:29Z"
     name: aaf-cert-service-secret
     resourceVersion: "33892990"
     selfLink: /api/v1/namespaces/default/secrets/aaf-cert-service-secret
     uid: 6a037526-83ed-11ea-b731-fa163e2144f6

5. The new configuration will be mounted automatically into the CertService pod, but a reload is needed.
6. Enter the CertService pod::

     kubectl exec -it <cert-service-pod-name> bash

7. Reload the configuration::

     curl -I https://localhost:$HTTPS_PORT/reload --cacert $ROOT_CERT --cert-type p12 --cert $KEYSTORE_P12_PATH --pass $KEYSTORE_PASSWORD
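An added example (not the project's own tooling) for steps 1 to 4 above: it base64-encodes the edited file locally, wraps it in a ``kubectl patch`` body for the *cmpServers.json* key of the secret, and decodes the value back out of ``kubectl get secret -o json`` output to confirm the edit before reloading. The secret name is the documented default; the namespace is assumed to be the one kubectl currently points at.

```python
import base64
import json
import shlex

SECRET_KEY = "cmpServers.json"  # key of the entry inside the secret's .data map


def encode_secret_value(config_text: str) -> str:
    """base64 the file exactly as Kubernetes wants it in .data: one line, no trailing newline."""
    return base64.b64encode(config_text.encode("utf-8")).decode("ascii")


def build_secret_patch(config_text: str) -> dict:
    """Patch body for `kubectl patch secret <name> -p '<json>'` that replaces only cmpServers.json."""
    json.loads(config_text)  # refuse to ship a value CertService could not parse on reload
    return {"data": {SECRET_KEY: encode_secret_value(config_text)}}


def config_from_secret(secret_json: str) -> dict:
    """Decode the config out of `kubectl get secret <name> -o json` output to verify the edit."""
    data = json.loads(secret_json).get("data") or {}
    if SECRET_KEY not in data:
        raise KeyError(f"secret has no {SECRET_KEY!r} entry")
    return json.loads(base64.b64decode(data[SECRET_KEY], validate=True))


# Constructed sample config (placeholders, not real keys) standing in for the edited file.
NEW_CONFIG = json.dumps({"cmpv2Servers": [{
    "caName": "RA", "url": "http://aafcert-ejbca:8080/ejbca/publicweb/cmp/cmpRA",
    "issuerDN": "CN=ManagementCA", "caMode": "RA",
    "authentication": {"iak": "PLACEHOLDER_IAK", "rv": "PLACEHOLDER_RV"}}]}, indent=2)

if __name__ == "__main__":
    patch = build_secret_patch(NEW_CONFIG)
    # aaf-cert-service-secret is the documented default name of the secret.
    print("kubectl patch secret aaf-cert-service-secret -p", shlex.quote(json.dumps(patch)))
    # Constructed stand-in for `kubectl get secret aaf-cert-service-secret -o json` after the patch.
    fetched = json.dumps({"kind": "Secret", "data": patch["data"]})
    assert config_from_secret(fetched) == json.loads(NEW_CONFIG)
```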
Generating certificates for CertService and CertService Client
--------------------------------------------------------------
CertService and the CertService client use mutual TLS for communication. Certificates are generated using a Makefile.

Certificates are mounted into containers by docker volumes:

- CertService volumes are defined in certservice/docker-compose.yaml
- CertClient volumes are defined in certservice/Makefile

All certificates are stored in the *certservice/certs* directory. To recreate certificates, go to the *certservice/certs* directory and execute::

This will clear existing certs and generate new ones.

Certificates are stored in secrets, which are mounted into pods as volumes. Both secrets are defined in *kubernetes/aaf/charts/aaf-cert-service/templates/secret.yaml*.
The secrets take certificates from the *kubernetes/aaf/charts/aaf-cert-service/resources* directory. Certificates are generated automatically while building the OOM repository (using Make).

*kubernetes/aaf/charts/aaf-cert-service/Makefile* is similar to the one stored in the certservice repository; it is what actually generates the certificates.
This Makefile is executed by *kubernetes/aaf/Makefile*, which is run automatically during the OOM build.
Configuring EJBCA server for testing
------------------------------------

To instantiate an EJBCA server for testing purposes with an OOM deployment, cmpv2Enabled and cmpv2Testing have to be set to true in oom/kubernetes/aaf/values.yaml.

cmpv2Enabled has to be true for aaf-cert-service to be instantiated and used with an external Certificate Authority to obtain certificates for secure communication.

If cmpv2Testing is enabled, an EJBCA test server will be instantiated in the OOM deployment as well, and will come pre-configured with a test CA to request a certificate from.

Currently the recommended mode is single-layer RA mode.

+---------------+-------------------------------------------------+
| Request URL   | http://aaf-ejbca:8080/ejbca/publicweb/cmp/cmpRA |
+---------------+-------------------------------------------------+
| Response Type | PKI Response                                    |
+---------------+-------------------------------------------------+

If you wish to configure the EJBCA server, the EJBCA documentation is available here: https://doc.primekey.com/ejbca/

If you want to understand in more detail how CMP works on EJBCA, the details are here: https://download.primekey.com/docs/EJBCA-Enterprise/6_14_0/CMP.html
Init Container for K8s
----------------------

Example pod definition with the CertService client as an init container::

    - image: sample.image
    - mountPath: /var/certs #CERTS CAN BE FOUND IN THIS DIRECTORY
    - name: cert-service-client
      image: nexus3.onap.org:10001/onap/org.onap.aaf.certservice.aaf-certservice-client:latest
      imagePullPolicy: Always
      value: http://aaf-cert-service:8080/v1/certificate/
    - name: REQUEST_TIMEOUT
      value: Linux-Foundation
    - name: ORGANIZATION_UNIT
      value: test.onap.org:onap.com
    - mountPath: /var/certs