.. Copyright 2020 NOKIA
Configuration
-=============
+==============
Configuring Cert Service
"cmpv2Servers": [
{
"caName": "Client",
- "url": "http://aafcert-ejbca:8080/ejbca/publicweb/cmp/cmp",
+ "url": "http://oomcert-ejbca:8080/ejbca/publicweb/cmp/cmp",
"issuerDN": "CN=ManagementCA",
"caMode": "CLIENT",
"authentication": {
},
{
"caName": "RA",
- "url": "http://aafcert-ejbca:8080/ejbca/publicweb/cmp/cmpRA",
+ "url": "http://oomcert-ejbca:8080/ejbca/publicweb/cmp/cmpRA",
"issuerDN": "CN=ManagementCA",
"caMode": "RA",
"authentication": {
This contains list of CMP Servers, where each server has following properties:
- - *caName* - name of the external CA server. It's used to match *CA_NAME* sent by client in order to match proper configuration.
+ - *caName* - name of the external CA server. It's used to match *CA_NAME* sent by CertService client in order to match proper configuration.
- *url* - URL to CMPv2 server
- *issuerDN* - Distinguished Name of the CA that will sign the certificate
- *caMode* - Issuer mode. Allowed values are *CLIENT* and *RA*
Next sections explain how to configure Cert Service in local (docker-compose) and OOM Deployments.
-Configuring in local(docker-compose) deployment:
-^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+Configuring in local (docker-compose) deployment:
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Before application start:
"""""""""""""""""""""""""
docker exec -it <certservice-container-name> bash
+ e.g.
+ docker exec -it oomcert-service bash
+
3. Edit *cmpServers.json* file::
- vim /etc/onap/aaf/certservice/cmpServers.json
+ vim /etc/onap/oom/certservice/cmpServers.json
4. Save the file. Note that this file is mounted as volume, so change will be persistent.
5. Reload configuration::
- curl -I https://localhost:8443/reload --cacert /etc/onap/aaf/certservice/certs/root.crt --cert-type p12 --cert /etc/onap/aaf/certservice/certs/certServiceServer-keystore.p12 --pass secret
+ curl -I https://localhost:8443/reload --cacert /etc/onap/oom/certservice/certs/root.crt --cert-type p12 --cert /etc/onap/oom/certservice/certs/certServiceServer-keystore.p12 --pass $KEYSTORE_PASSWORD
6. Exit container::
Before OOM installation:
""""""""""""""""""""""""
-Note! This must be executed before calling *make all* (from OOM Installation) or needs remaking aaf Charts.
+Note! This must be executed before calling *make all* (from OOM Installation) or needs remaking OOM charts.
1. Edit *cmpServers.json* file. If OOM *global.addTestingComponents* flag is set to:
When CertService is deployed:
"""""""""""""""""""""""""""""
-1. Encode your configuration to base64::
+1. Create file with configuration
+
+2. Encode your configuration to base64::
- echo "CONFIGURATION_TO_ENCODE" | base64
+ cat <configuration_file> | base64
-2. Edit secret::
+3. Edit secret::
- kubectl edit secret <cmp-servers-secret-name> # aaf-cert-service-secret by default
+ kubectl -n onap edit secret <cmp-servers-secret-name>
-3. Replace value for *cmpServers.json* with your base64 encoded configuration. For example:
+ e.g.
+ kubectl -n onap edit secret aaf-cert-service-secret
+
+4. Replace value for *cmpServers.json* with your base64 encoded configuration. For example:
.. code-block:: yaml
uid: 6a037526-83ed-11ea-b731-fa163e2144f6
type: Opaque
-4. Save and exit
-5. New configuration will be automatically mounted to CertService pod, but application configuration reload is needed.
-6. To reload configuration enter CertService pod::
+5. Save and exit
+6. New configuration will be automatically mounted to CertService pod, but application configuration reload is needed.
+7. To reload configuration enter CertService pod::
+
+ kubectl -n onap exec -it <cert-service-pod-name> bash
- kubectl exec -it <cert-service-pod-name> bash
+ e.g.
+ kubectl -n onap exec -it $(kubectl -n onap get pods | grep cert-service | awk '{print $1}') bash
-7. Reload configuration::
+8. Reload configuration::
curl -I https://localhost:$HTTPS_PORT/reload --cacert $ROOT_CERT --cert-type p12 --cert $KEYSTORE_P12_PATH --pass $KEYSTORE_PASSWORD
-8. Exit container::
+9. Exit container::
exit
1. Set *tls.certificateExternalSecret* flag to true in *kubernetes/aaf/charts/aaf-cert-service/values.yaml*
2. Prepare secret for CertService. It must be provided before OOM installation. It must contain four files:
- - *certServiceServer-keystore.jks* - keystore in jks format. Signed by some Root CA
- - *certServiceServer-keystore.p12* - same keystore in p12 format
- - *truststore.jks* - truststore in jks format, containing certificates of the Root CA that signed CertService Client certificate
- - *root.crt* - certificate of the RootCA that signed Client certificate in crt format
+ - *certServiceServer-keystore.jks* - keystore in JKS format. Signed by some Root CA
+ - *certServiceServer-keystore.p12* - same keystore in PKCS#12 format
+ - *truststore.jks* - truststore in JKS format, containing certificates of the Root CA that signed CertService Client certificate
+ - *root.crt* - certificate of the RootCA that signed Client certificate in CRT format
3. Name the secret properly - the name should match *tls.server.secret.name* value from *kubernetes/aaf/charts/aaf-cert-service/values.yaml* file
4. Prepare secret for CertService Client. It must be provided before OOM installation. It must contain two files:
- - *certServiceClient-keystore.jks* - keystore in jks format. Signed by some Root CA
- - *truststore.jks* - truststore in jks format, containing certificates of the RootCA that signed CertService certificate
+ - *certServiceClient-keystore.jks* - keystore in JKS format. Signed by some Root CA
+ - *truststore.jks* - truststore in JKS format, containing certificates of the RootCA that signed CertService certificate
-5. Name the secret properly - the name should match *global.aaf.certService.client.secret.name*
+5. Name the secret properly - the name should match *global.aaf.certService.client.secret.name* value from *kubernetes/onap/values.yaml* file
6. Provide keystore and truststore passwords for CertService. It can be done in two ways:
To instantiate an EJBCA server for testing purposes with an OOM deployment, cmpv2Enabled and cmpv2Testing have to be changed to true in oom/kubernetes/aaf/values.yaml.
-cmpv2Enabled has to be true to enable aaf-cert-service to be instantiated and used with an external Certificate Authority to get certificates for secure communication.
+cmpv2Enabled has to be true to enable oom-cert-service to be instantiated and used with an external Certificate Authority to get certificates for secure communication.
If cmpv2Testing is enabled then an EJBCA test server will be instantiated in the OOM deployment as well, and will come pre-configured with a test CA to request a certificate from.