.. This work is licensed under a Creative Commons Attribution 4.0 International License.
.. http://creativecommons.org/licenses/by/4.0

Certificates (From AAF)
=======================

DCAE service components use common certificates generated from the AAF test instance and made available during deployment by the DCAE TLS init container.

DCAE has a generalized process of certificate distribution, documented here: https://docs.onap.org/projects/onap-dcaegen2/en/latest/sections/tls_enablement.html

The updated certificates are located in https://git.onap.org/dcaegen2/deployments/tree/tls-init-container/tls

Certificates (Manual configuration of self-signed certificates)
===============================================================

Configuration of certificates in a test environment (for FTP over TLS):

DFC supports two protocols: FTPES and SFTP.
For FTPES, authentication is mutual, with certificates on both sides.
In our test environment, we use vsftpd to simulate an xNF, and we generate self-signed
keys and certificates on both the vsftpd server and DFC.
1. Generate key/certificate with openssl for DFC:
-------------------------------------------------

::

    openssl genrsa -out dfc.key 2048
    openssl req -new -out dfc.csr -key dfc.key
    openssl x509 -req -days 365 -in dfc.csr -signkey dfc.key -out dfc.crt

2. Generate key & certificate with openssl for vsftpd:
------------------------------------------------------

::

    openssl genrsa -out ftp.key 2048
    openssl req -new -out ftp.csr -key ftp.key
    openssl x509 -req -days 365 -in ftp.csr -signkey ftp.key -out ftp.crt
3. Configure java keystore in DFC:
----------------------------------

We have two keystore files, one for the TrustManager and one for the KeyManager.

For the TrustManager (trust.jks):

1. First, convert your certificate to DER format::

       openssl x509 -outform der -in ftp.crt -out ftp.der

2. Then copy the existing keystore and its password file from the container::

       kubectl cp <DFC pod>:/opt/app/datafile/etc/cert/trust.jks trust.jks
       kubectl cp <DFC pod>:/opt/app/datafile/etc/cert/trust.pass trust.pass

3. Import the DER certificate into the keystore::

       keytool -import -alias ftp -keystore trust.jks -file ftp.der

For the KeyManager (cert.p12):

1. Import dfc.crt and dfc.key to dfc.jks. This is a bit troublesome.

   Convert the x509 certificate and key to a PKCS#12 file::

       openssl pkcs12 -export -in dfc.crt -inkey dfc.key -out cert.p12 -name dfc

   Note: Make sure you put a password on the p12 file; otherwise you'll get a null reference exception when you try to import it.

2. Create the password file for cert.p12::

       printf "[your password]" > p12.pass
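The openssl parts of steps 1 to 3 above, scripted as an added example (this is not code from the ONAP DCAE documentation or the DFC project). It generates the two self-signed key/certificate pairs without interactive prompts, writes the DER copy and the password-protected PKCS#12 bundle, and checks that each certificate really matches its key and that the p12 opens with the password file, which is the failure the note above warns about. The organisation name, the ``example.invalid`` CNs and the default password are made-up lab values; the keytool wrapper at the end is optional and needs a JDK.

```shell
#!/bin/sh
# Added example, not part of the ONAP DCAE docs or the DFC code base.
# Requires openssl; keytool is only needed for import_to_truststore.
set -eu

# gen_selfsigned NAME DIR -> DIR/NAME.key, DIR/NAME.csr, DIR/NAME.crt
# Same three commands as steps 1 and 2, with -subj/-batch so nothing is prompted.
# The subject values are made up for a lab.
gen_selfsigned() {
    name="$1"; dir="$2"
    mkdir -p "$dir"
    openssl genrsa -out "$dir/$name.key" 2048 2>/dev/null
    openssl req -new -batch -key "$dir/$name.key" -out "$dir/$name.csr" \
        -subj "/O=test-lab/CN=$name.example.invalid" 2>/dev/null
    openssl x509 -req -days 365 -in "$dir/$name.csr" -signkey "$dir/$name.key" \
        -out "$dir/$name.crt" 2>/dev/null
}

# to_der CRT_PEM OUT_DER: the DER copy that the page imports with keytool.
to_der() {
    openssl x509 -outform der -in "$1" -out "$2"
}

# export_p12 CRT KEY PASSFILE OUT ALIAS: PKCS#12 bundle for the DFC KeyManager.
# The password is read from PASSFILE (written without a trailing newline, as the
# page's printf does), so the bundle is never exported without one.
export_p12() {
    openssl pkcs12 -export -in "$1" -inkey "$2" -name "$5" \
        -passout "file:$3" -out "$4"
}

# keys_match CRT KEY: succeed only if the certificate's public key equals the
# public half of KEY. Catches a mixed-up .crt/.key pair before it reaches a keystore.
keys_match() {
    crt_pub=$(openssl x509 -noout -pubkey -in "$1")
    key_pub=$(openssl pkey -in "$2" -pubout)
    [ "$crt_pub" = "$key_pub" ]
}

# p12_opens P12 PASSFILE: succeed only if the bundle can be opened with the
# password in PASSFILE; a wrong or empty password file would only surface later,
# when DFC tries to load the bundle.
p12_opens() {
    openssl pkcs12 -in "$1" -passin "file:$2" -noout 2>/dev/null
}

# make_test_pki DIR PASSWORD: the whole lab procedure for both sides, producing
# the files the page later copies into /opt/app/datafile/etc/cert/mycert/.
make_test_pki() {
    dir="$1"; pass="$2"
    gen_selfsigned dfc "$dir"
    gen_selfsigned ftp "$dir"
    to_der "$dir/ftp.crt" "$dir/ftp.der"
    printf '%s' "$pass" > "$dir/p12.pass"
    chmod 600 "$dir/p12.pass" "$dir"/*.key
    export_p12 "$dir/dfc.crt" "$dir/dfc.key" "$dir/p12.pass" "$dir/cert.p12" dfc
    keys_match "$dir/dfc.crt" "$dir/dfc.key"
    keys_match "$dir/ftp.crt" "$dir/ftp.key"
    p12_opens "$dir/cert.p12" "$dir/p12.pass"
}

# import_to_truststore DER JKS PASSFILE: the keytool step of the TrustManager part,
# non-interactive. Needs a JDK, so make_test_pki does not call it.
import_to_truststore() {
    keytool -importcert -noprompt -alias ftp -file "$1" \
        -keystore "$2" -storepass "$(cat "$3")"
}

# Usage: sh this.sh mycert [password]   (password defaults to a made-up lab value)
if [ "$#" -gt 0 ]; then
    make_test_pki "$1" "${2:-changeit}" && echo "test PKI written to $1"
fi
```

Run it as ``sh make-test-pki.sh mycert`` and the ``mycert/`` directory contains exactly the ``dfc.*``, ``ftp.*``, ``ftp.der``, ``cert.p12`` and ``p12.pass`` files that steps 4 and 5 expect; ``trust.jks`` and ``trust.pass`` still come from the container as in step 2 of the TrustManager part.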
4. Update existing KeyStore files
---------------------------------

Copy the new trust.jks and cert.p12 and the password files from the local environment to the DFC container::

    kubectl cp mycert/ <DFC pod>:/opt/app/datafile/etc/cert/
5. Update configuration in consul
-----------------------------------

Change the paths in consul::

    "dmaap.ftpesConfig.keyCert": "/opt/app/datafile/etc/cert/mycert/cert.p12",
    "dmaap.ftpesConfig.keyPasswordPath": "/opt/app/datafile/etc/cert/mycert/p12.pass",
    "dmaap.ftpesConfig.trustedCa": "/opt/app/datafile/etc/cert/mycert/trust.jks",
    "dmaap.ftpesConfig.trustedCaPasswordPath": "/opt/app/datafile/etc/cert/mycert/trust.pass"

Consul's address is http://<worker external IP>:<Consul External Port>; find the external port with::

    kubectl -n onap get svc | grep consul

.. image:: ./consule-certificate-update.png
Update /etc/vsftpd/vsftpd.conf::

    rsa_cert_file=/etc/ssl/private/ftp.crt
    rsa_private_key_file=/etc/ssl/private/ftp.key

    force_local_data_ssl=YES
    force_local_logins_ssl=YES

    ca_certs_file=/home/vsftpd/myuser/dfc.crt

---------------------------------------------------------------------------

This has been tested with vsftpd and DFC, with self-signed certificates.
In a real deployment, we should use an ONAP-CA signed certificate for DFC, and a vendor-CA signed certificate for the xNF.