1 .. This work is licensed under a Creative Commons Attribution 4.0 International License.
2 .. http://creativecommons.org/licenses/by/4.0
4 Certificates (From AAF)
5 =======================
6 DCAE service components will use common certifcates generated from AAF/test instance and made available during deployment of DCAE TLS init container.
8 DCAE has a generalized process of certificate distribution as documented here - https://docs.onap.org/projects/onap-dcaegen2/en/latest/sections/tls_enablement.html
10 The updated certificates are located in https://git.onap.org/dcaegen2/deployments/tree/tls-init-container/tls
12 Certificates (Manual configuration of self-signed certifcates)
13 ==============================================================
15 Configuration of Certificates in test environment(For FTP over TLS):
17 DFC supports two protocols: FTPES and SFTP.
18 For FTPES, it is mutual authentication with certificates.
19 In our test environment, we use vsftpd to simulate xNF, and we generate self-signed
20 keys & certificates on both vsftpd server and DFC.
22 1. Generate key/certificate with openssl for DFC:
23 -------------------------------------------------
26 openssl genrsa -out dfc.key 2048
27 openssl req -new -out dfc.csr -key dfc.key
28 openssl x509 -req -days 365 -in dfc.csr -signkey dfc.key -out dfc.crt
30 2. Generate key & certificate with openssl for vsftpd:
31 ------------------------------------------------------
34 openssl genrsa -out ftp.key 2048
35 openssl req -new -out ftp.csr -key ftp.key
36 openssl x509 -req -days 365 -in ftp.csr -signkey ftp.key -out ftp.crt
38 3. Configure java keystore in DFC:
39 ----------------------------------
40 We have two keystore files, one for TrustManager, one for KeyManager.
44 1. First, convert your certificate in a DER format :
48 openssl x509 -outform der -in ftp.crt -out ftp.der
50 2. And after, import it in the keystore :
54 keytool -import -alias ftp -keystore ftp.jks -file ftp.der
58 1. First, create a jks keystore:
62 keytool -keystore dfc.jks -genkey -alias dfc
64 2. Second, import dfc.crt and dfc.key to dfc.jks. This is a bit troublesome.
66 1). Step one: Convert x509 Cert and Key to a pkcs12 file
70 openssl pkcs12 -export -in dfc.crt -inkey dfc.key -out dfc.p12 -name [some-alias]
72 Note: Make sure you put a password on the p12 file - otherwise you'll get a null reference exception when you try to import it.
74 Note 2: You might want to add the -chainoption to preserve the full certificate chain.
76 2). Step two: Convert the pkcs12 file to a java keystore:
80 keytool -importkeystore -deststorepass [changeit] -destkeypass [changeit] -destkeystore dfc.jks -srckeystore dfc.p12 -srcstoretype PKCS12 -srcstorepass [some-password] -alias [some-alias]
82 4. Update existing jks.b64 files
83 ---------------------------------
85 Copy the existing jks from the DFC container to a local environment.
89 docker cp <DFC container>:/opt/app/datafile/config/ftp.jks .
90 docker cp <DFC container>:/opt/app/datafile/config/dfc.jks .
94 openssl base64 -in ftp.jks -out ftp.jks.b64
95 openssl base64 -in dfc.jks -out dfc.jks.b64
100 chmod 755 dfc.jks.b64
102 Copy the new jks.64 files from local environment to the DFC container.
106 docker cp ftp.jks.b64 <DFC container>:/opt/app/datafile/config/
107 docker cp dfc.jks.b64 <DFC container>:/opt/app/datafile/config/
113 docker restart <DFC container>
117 update /etc/vsftpd/vsftpd.conf:
121 rsa_cert_file=/etc/ssl/private/ftp.crt
122 rsa_private_key_file=/etc/ssl/private/ftp.key
125 force_local_data_ssl=YES
126 force_local_logins_ssl=YES
137 ca_certs_file=/home/vsftpd/myuser/dfc.crt
139 6. Configure config/datafile_endpoints.json:
140 --------------------------------------------
141 Update the file accordingly:
143 .. code-block:: javascript
145 "ftpesConfiguration": {
146 "keyCert": "/config/dfc.jks",
147 "keyPassword": "[yourpassword]",
148 "trustedCA": "/config/ftp.jks",
149 "trustedCAPassword": "[yourpassword]"
153 ---------------------------------------------------------------------------
154 This has been tested with vsftpd and dfc, with self-signed certificates.
155 In real deployment, we should use ONAP-CA signed certificate for DFC, and vendor-CA signed certificate for xNF