.. This work is licensed under a Creative Commons Attribution 4.0 International License.
.. http://creativecommons.org/licenses/by/4.0
-.. Copyright 2020 NOKIA
+.. Copyright 2020-2021 NOKIA
Configuration
==============
"caName": "Client",
"url": "http://oomcert-ejbca:8080/ejbca/publicweb/cmp/cmp",
"issuerDN": "CN=ManagementCA",
- "caMode": "CLIENT",
"authentication": {
"iak": "mypassword",
"rv": "mypassword"
"caName": "RA",
"url": "http://oomcert-ejbca:8080/ejbca/publicweb/cmp/cmpRA",
"issuerDN": "CN=ManagementCA",
- "caMode": "RA",
"authentication": {
"iak": "mypassword",
"rv": "mypassword"
- *caName* - name of the external CA server. It's used to match *CA_NAME* sent by CertService client in order to match proper configuration.
- *url* - URL to CMPv2 server
- *issuerDN* - Distinguished Name of the CA that will sign the certificate
- - *caMode* - Issuer mode. Allowed values are *CLIENT* and *RA*
- *authentication*
- *iak* - Initial authentication key, used to authenticate request in CMPv2 server
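Review bot: with *caMode* dropped from both sample entries and from the field list, nothing in this section says how the CLIENT and RA behaviour is now selected; the two entries differ only in the *url* suffix (*/cmp* vs */cmpRA*), so if the endpoint now determines the mode, state that next to the *url* description. The field list visible here ends at *iak* although both sample entries also carry *rv*; confirm the *rv* bullet is still present after the change. Since *iak* and *rv* are shared secrets between CertService and the CA, say explicitly that the `mypassword` values are placeholders to be replaced before deployment, not defaults to keep.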
1. Edit *cmpServers.json* file. If OOM *global.addTestingComponents* flag is set to:
- - *true* - edit *kubernetes/aaf/charts/aaf-cert-service/resources/test/cmpServers.json*
- - *false* - edit *kubernetes/aaf/charts/aaf-cert-service/resources/default/cmpServers.json*
+ - *true* - edit *kubernetes/platform/components/oom-cert-service/resources/test/cmpServers.json*
+ - *false* - edit *kubernetes/platform/components/oom-cert-service/resources/default/cmpServers.json*
2. Build and start OOM deployment
kubectl -n onap edit secret <cmp-servers-secret-name>
e.g.
- kubectl -n onap edit secret aaf-cert-service-secret
+ kubectl -n onap edit secret oom-cert-service-secret
4. Replace value for *cmpServers.json* with your base64 encoded configuration. For example:
kind: Secret
metadata:
creationTimestamp: "2020-04-21T16:30:29Z"
- name: aaf-cert-service-secret
+ name: oom-cert-service-secret
namespace: default
resourceVersion: "33892990"
- selfLink: /api/v1/namespaces/default/secrets/aaf-cert-service-secret
+ selfLink: /api/v1/namespaces/default/secrets/oom-cert-service-secret
uid: 6a037526-83ed-11ea-b731-fa163e2144f6
type: Opaque
exit
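Review bot: the example Secret in step 4 declares `namespace: default` while the `kubectl -n onap edit secret` command above it targets the `onap` namespace; align the two so a reader does not edit a secret in the wrong namespace. The example also carries server-managed fields (`creationTimestamp`, `resourceVersion`, `uid`, `selfLink`) that the reader never sets, and `selfLink` was removed from the Kubernetes API in 1.24; trimming the example to `kind`, `metadata.name`, `type` and the `data` key with the base64 value would show only what actually needs changing. Because that base64 value is the full CMP configuration including the *iak*/*rv* shared secrets, remind the reader that base64 is an encoding, not protection, and that the edited secret should be handled like any other credential.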
-Generating certificates for CertService and CertService Client
---------------------------------------------------------------
-CertService and CertService client use mutual TLS for communication. Certificates are generated during CertService installation.
+Generating certificates for CertService and CMPv2 certificate provider
+----------------------------------------------------------------------
+CertService and CMPv2 certificate provider use mutual TLS for communication. Certificates are generated during CertService installation.
Docker mode:
^^^^^^^^^^^^
Certificates are mounted to containers by docker volumes:
- CertService volumes are defined in certservice/docker-compose.yaml
- - CertService Client volumes are defined in certservice/Makefile
All certificates are stored in *certservice/certs* directory. To recreate certificates go to *certservice/certs* directory and execute::
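Review bot: with the *CertService Client volumes* bullet removed, the Docker mode subsection now describes mounted certificates for CertService only, while the renamed heading covers both CertService and the CMPv2 certificate provider; either add a bullet saying where the provider's certificates come from in Docker mode, or state that Docker mode applies to CertService alone. The paragraph also ends with `::`, which opens an RST literal block, but no command follows within this hunk; confirm the recreate command is still present after the change.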
ONAP OOM installation:
^^^^^^^^^^^^^^^^^^^^^^
-Certificates are stored in secrets, which are mounted to pods as volumes. Both secrets are stored in *kubernetes/aaf/charts/aaf-cert-service/templates/secret.yaml*.
-Secrets take certificates from *kubernetes/aaf/charts/aaf-cert-service/resources* directory. Certificates are generated automatically during building (using Make) OOM repository.
+Certificates are stored in secrets, which are mounted to pods as volumes. For CMPv2 certificate provider, certificates are delivered in CMPv2Issuer as secrets name with corresponding keys.
-*kubernetes/aaf/charts/aaf-cert-service/Makefile* is similar to the one stored in certservice repository. It actually generates certificates.
-This Makefile is executed by *kubernetes/aaf/Makefile*, which is automatically executed during OOM build.
+Both secrets definitions are stored in *kubernetes/platform/components/oom-cert-service/values.yaml* as *secrets:* key.
+During platform component deployment, certificates in secrets are generated automatically using *Certificate* resources from cert-manager.
+Their definitions are stored in *kubernetes/platform/components/oom-cert-service/values.yaml* as *certificates:* key.
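Review bot: the added sentence "certificates are delivered in CMPv2Issuer as secrets name with corresponding keys" is hard to parse; say what the CMPv2Issuer resource references, for example that it names the secret and the keys inside it (*tls.crt*, *tls.key*, *ca.crt*), matching the file names given in the external-certificates section below. It would also help to state that the cert-manager *Certificate* resources under the *certificates:* key are what populate the secrets listed under the *secrets:* key, so the reader understands why removing *certificates:* is the first step when supplying their own certificates.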
-Using external certificates for CertService and CertService Client
-------------------------------------------------------------------
-This section describes how to use custom, external certificates for CertService and CertService Client communication in OOM installation.
+Using external certificates for CertService and CMPv2 certificate provider
+--------------------------------------------------------------------------
+
+This section describes how to use custom, external certificates for CertService and CMPv2 certificate provider communication in OOM installation.
+
+1. Remove *certificates:* section from *kubernetes/platform/components/oom-cert-service/values.yaml*
-1. Set *tls.certificateExternalSecret* flag to true in *kubernetes/aaf/charts/aaf-cert-service/values.yaml*
2. Prepare secret for CertService. It must be provided before OOM installation. It must contain four files:
- - *certServiceServer-keystore.jks* - keystore in JKS format. Signed by some Root CA
- - *certServiceServer-keystore.p12* - same keystore in PKCS#12 format
+ - *keystore.jks* - keystore in JKS format. Signed by some Root CA
+ - *keystore.p12* - same keystore in PKCS#12 format
- *truststore.jks* - truststore in JKS format, containing certificates of the Root CA that signed CertService Client certificate
- - *root.crt* - certificate of the RootCA that signed Client certificate in CRT format
+ - *ca.crt* - certificate of the RootCA that signed Client certificate in CRT format
-3. Name the secret properly - the name should match *tls.server.secret.name* value from *kubernetes/aaf/charts/aaf-cert-service/values.yaml* file
+3. Name the secret properly - the name should match *tls.server.secret.name* value from *kubernetes/platform/components/oom-cert-service/values.yaml* file
-4. Prepare secret for CertService Client. It must be provided before OOM installation. It must contain two files:
+4. Prepare secret for CMPv2 certificate provider. It must be provided before OOM installation. It must contain three files:
- - *certServiceClient-keystore.jks* - keystore in JKS format. Signed by some Root CA
- - *truststore.jks* - truststore in JKS format, containing certificates of the RootCA that signed CertService certificate
+ - *tls.crt* - certificate in CRT format. Signed by some Root CA
+ - *tls.key* - private key in KEY format
+ - *ca.crt* - certificate of the RootCA that signed CertService certificate in CRT format
-5. Name the secret properly - the name should match *global.aaf.certService.client.secret.name* value from *kubernetes/onap/values.yaml* file
+5. Name the secret properly - the name should match *global.oom.certService.client.secret.name* value from *kubernetes/onap/values.yaml* file
-6. Provide keystore and truststore passwords for CertService. It can be done in two ways:
+6. Provide keystore and truststore passwords (the same for both) for CertService. It can be done in two ways:
- - by inlining them into *kubernetes/aaf/charts/aaf-cert-service/values.yaml*:
+ - by inlining them into *kubernetes/platform/components/oom-cert-service/values.yaml*:
- - override *credentials.tls.keystorePassword* value with keystore password
- - override *credentials.tls.truststorePassword* value with truststore password
+ - override *credentials.tls.certificatesPassword* value with keystore and truststore password
- or by providing them as secrets:
- - uncomment *credentials.tls.keystorePasswordExternalSecret* value and provide keystore password
- - uncomment *credentials.tls.truststorePasswordExternalSecret* value and provide truststore password
-
-7. Override default keystore and truststore passwords for CertService Client in *kubernetes/onap/values.yaml* file:
-
- - override *global.aaf.certServiceClient.envVariables.keystorePassword* value with keystore password
- - override *global.aaf.certServiceClient.envVariables.truststorePassword* value with truststore password
+ - uncomment *credentials.tls.certificatesPasswordExternalSecret* value and provide keystore and truststore password
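Review bot: two unchanged bullets in step 2 still use the old naming, "*truststore.jks* ... that signed CertService Client certificate" and "*ca.crt* ... that signed Client certificate", while every other reference in the section was renamed to "CMPv2 certificate provider"; update them in the same change. In step 2, state that *keystore.jks* and *keystore.p12* must hold the same key pair and certificate chain, and in step 6 that the single *credentials.tls.certificatesPassword* must be the password used when both stores were created, otherwise CertService cannot open them. Dropping step 7 is consistent with step 4 now using *tls.crt*/*tls.key* instead of a JKS keystore. Of the two ways to provide the password, the external-secret option keeps it out of values.yaml and any repository holding that file; consider listing it first or saying so.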
Configuring EJBCA server for testing
------------------------------------
-To instantiate an EJBCA server for testing purposes with an OOM deployment, cmpv2Enabled and cmpv2Testing have to be changed to true in oom/kubernetes/aaf/values.yaml.
+To instantiate an EJBCA server for testing purposes with an OOM deployment, cmpv2Enabled and cmpv2Testing have to be changed to true in oom/kubernetes/platform/values.yaml.
cmpv2Enabled has to be true to enable oom-cert-service to be instantiated and used with an external Certificate Authority to get certificates for secure communication.
+---------------------+---------------------------------------------------------------------------------------------------------------------------------+
| Name | Value |
+=====================+=================================================================================================================================+
-| Request URL | http://aaf-ejbca:8080/ejbca/publicweb/cmp/cmpRA |
+| Request URL | http://ejbca:8080/ejbca/publicweb/cmp/cmpRA |
+---------------------+---------------------------------------------------------------------------------------------------------------------------------+
| Response Type | PKI Response |
+---------------------+---------------------------------------------------------------------------------------------------------------------------------+
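Review bot: the paragraph after the flag change explains cmpv2Enabled but not cmpv2Testing, even though both must be set to true; add one sentence stating what cmpv2Testing switches on (presumably the test EJBCA instance and the *test/cmpServers.json* selected earlier, if that is the case). The Request URL in the table is a plain `http://` endpoint, relying on CMPv2 message protection with the shared secret rather than TLS, which is acceptable for this testing EJBCA but should be labelled as testing-only so the table is not copied into a production *cmpServers.json*.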