1 .. This work is licensed under a Creative Commons Attribution 4.0 International License.
2 .. http://creativecommons.org/licenses/by/4.0
3 .. Copyright 2020 NOKIA
5 How to use functionality
6 ========================
10 Certification Client needs the following configuration parameters to work properly:
12 1. Parameters for connection to certification service API and generate trustore and keystore
14 - REQUEST_URL *(default: https://aaf-cert-service:8443/v1/certificate/)*
15 - REQUEST_TIMEOUT *(default: 30000)*
16 - OUTPUT_PATH *(required)*
17 - CA_NAME *(required)*
20 2. Parameters for generate CSR file:
22 - COMMON_NAME *(required)*
23 - ORGANIZATION *(required)*
24 - ORGANIZATION_UNIT *(optional)*
25 - LOCATION *(optional)*
27 - COUNTRY *(required)*
28 - SANS *(optional)(SANS's should be separated by a colon)*
30 3. Parameters for secure connection:
32 - KEYSTORE_PATH *(required)*
33 - KEYSTORE_PASSWORD *(required)*
34 - TRUSTSTORE_PATH *(required)*
35 - TRUSTSTORE_PASSWORD *(required)*
37 Certification Service Client image can be find on Nexus repository :
41 nexus3.onap.org:10001/onap/org.onap.aaf.certservice.aaf-certservice-client:latest
44 As standalone docker container
45 ------------------------------
46 You need certification files to connect to certification service API via https. Information how to generate truststore and keystore files you can find in project repository README `Gerrit GitWeb <https://gerrit.onap.org/r/gitweb?p=aaf%2Fcertservice.git;a=summary>`__
48 To run Certification Client as standalone docker container execute following steps:
50 1. Create file with environments as in example below:
55 REQUEST_URL=<url to certification service API>
57 OUTPUT_PATH=/var/certs
61 ORGANIZATION=Linux-Foundation
62 ORGANIZATION_UNIT=ONAP
63 LOCATION=San-Francisco
66 SANS=test.onap.org:onap.com
68 KEYSTORE_PATH=/etc/onap/aaf/certservice/certs/certServiceClient-keystore.jks
69 KEYSTORE_PASSWORD=<password to keystore.jks>
70 TRUSTSTORE_PATH=/etc/onap/aaf/certservice/certs/certServiceClient-truststore.jks
71 TRUSTSTORE_PASSWORD=<password to certServiceClient-truststore.jks>
73 2. Run docker container as in following example (API and client must be running in same network):
79 --name aafcert-client \
80 --env-file <path to environments file> \
81 --network <docker network of cert service> \
82 --mount type=bind,src=<path to local directory>,dst=<OUTPUT_PATH> \
83 --volume <local path to keystore.jks>:<KEYSTORE_PATH> \
84 --volume <local path to trustore.jks>:<TRUSTSTORE_PATH> \
85 nexus3.onap.org:10001/onap/org.onap.aaf.certservice.aaf-certservice-client:latest
89 After successful creation of certifications, container exits with exit code 0, expected logs looks like:
93 INFO 1 [ main] o.o.a.c.c.c.f.ClientConfigurationFactory : Successful validation of Client configuration. Configuration data: REQUEST_URL: https://aaf-cert-service:8443/v1/certificate/, REQUEST_TIMEOUT: 10000, OUTPUT_PATH: /var/certs, CA_NAME: RA
94 INFO 1 [ main] o.o.a.c.c.c.f.CsrConfigurationFactory : Successful validation of CSR configuration. Configuration data: COMMON_NAME: onap.org, COUNTRY: US, STATE: California, ORGANIZATION: Linux-Foundation, ORGANIZATION_UNIT: ONAP, LOCATION: San-Francisco, SANS: test.onap.org:onap.org
95 INFO 1 [ main] o.o.a.c.c.c.KeyPairFactory : KeyPair generation started with algorithm: RSA and key size: 2048
96 INFO 1 [ main] o.o.a.c.c.c.CsrFactory : Creation of CSR has been started with following parameters: COMMON_NAME: onap.org, COUNTRY: US, STATE: California, ORGANIZATION: Linux-Foundation, ORGANIZATION_UNIT: ONAP, LOCATION: San-Francisco, SANS: test.onap.org:onap.org
97 INFO 1 [ main] o.o.a.c.c.c.CsrFactory : Creation of CSR has been completed successfully
98 INFO 1 [ main] o.o.a.c.c.c.CsrFactory : Conversion of CSR to PEM has been started
99 INFO 1 [ main] o.o.a.c.c.c.PrivateKeyToPemEncoder : Attempt to encode private key to PEM
100 INFO 1 [ main] o.o.a.c.c.h.HttpClient : Attempt to send request to API, on url: https://aaf-cert-service:8443/v1/certificate/RA
101 INFO 1 [ main] o.o.a.c.c.h.HttpClient : Received response from API
102 INFO 1 [ main] o.o.a.c.c.c.c.PemToPKCS12Converter : Conversion of PEM certificates to PKCS12 keystore
103 DEBUG 1 [ main] o.o.a.c.c.c.c.PKCS12FilesCreator : Attempt to create PKCS12 keystore files and saving data. Keystore path: /var/certs/keystore.jks
104 INFO 1 [ main] o.o.a.c.c.c.c.PemToPKCS12Converter : Conversion of PEM certificates to PKCS12 truststore
105 DEBUG 1 [ main] o.o.a.c.c.c.c.PKCS12FilesCreator : Attempt to create PKCS12 truststore files and saving data. Truststore path: /var/certs/truststore.jks
106 INFO 1 [ main] o.o.a.c.c.AppExitHandler : Application exits with following exit code: 0 and message: Success
109 If container exits with non 0 exit code, you can find more information in logs, see :ref:`cert_logs` page.
111 As init container for Kubernetes
112 --------------------------------
114 To run Certification Client as init container for ONAP component, add following configuration to deploymnet:
128 - image: sample.image
132 - mountPath: /var/certs #CERTS CAN BE FOUND IN THIS DIRECTORY
136 - name: cert-service-client
137 image: nexus3.onap.org:10001/onap/org.onap.aaf.certservice.aaf-certservice-client:latest
138 imagePullPolicy: Always
141 value: http://aaf-cert-service:8080/v1/certificate/
142 - name: REQUEST_TIMEOUT
151 value: Linux-Foundation
152 - name: ORGANIZATION_UNIT
161 value: test.onap.org:onap.com
163 - mountPath: /var/certs