X-Git-Url: https://gerrit.onap.org/r/gitweb?a=blobdiff_plain;f=README.md;h=031c0e8ef70b05ba272dbb6b9dc1e434f1a9f61c;hb=refs%2Fheads%2Fguilin;hp=f3eab638a508adc44bc78c5b4b64794fbff3ae8a;hpb=86042f471f05f08a9c6935988b523c3e2949b7f0;p=clamp.git diff --git a/README.md b/README.md index f3eab638..031c0e8e 100644 --- a/README.md +++ b/README.md @@ -41,9 +41,9 @@ Note that all others configurations can be configured in the JSON as well, ```json { - "spring.datasource.cldsdb.url": "jdbc:mysql://anotherDB.onap.org:3306/cldsdb4?autoReconnect=true&connectTimeout=10000&socketTimeout=10000&retriesAllDown=3", - "spring.datasource.cldsdb.username": "admin", - "spring.datasource.cldsdb.password": "password" + "spring.datasource.url": "jdbc:mysql://anotherDB.onap.org:3306/cldsdb4?autoReconnect=true&connectTimeout=10000&socketTimeout=10000&retriesAllDown=3", + "spring.datasource.username": "admin", + "spring.datasource.password": "password" "clamp.config.dcae.inventory.url": "http://dcaegen2.host:8080", "clamp.config.dcae.dispatcher.url": "http://dcaegen2.host:8080", @@ -101,7 +101,7 @@ If the sdcAddress is not specified or not available (connection failure) the mes A [docker-compose example file](extra/docker/clamp/docker-compose.yml) can be found under the [extra/docker/clamp/ folder](extra/docker/). -Once the image has been built and is available locally, you can use the `docker-compose up` command to deploy a prepopullated database and a clamp instance available on [http://localhost:8080/designer/index.html](http://localhost:8080/designer/index.html). +Once the image has been built and is available locally, you can use the `docker-compose up` command to deploy a prepopullated database and a clamp instance available on [https://localhost:3000](https://localhost:3000). ### Logs 
@@ -114,6 +114,50 @@ With the default log settings, all logs will be generated into console and into You can see the swagger definition for the jaxrs apis at `/restservices/clds/v1/openapi.json` +## Clamp AAF - Renew Certificates +- Connect to windriver with openvpn +- create a folder aaf-renewal and go to it +- create a file aaf.props with that content (or run the agent.sh script below, it will prompt you for values at first run) + VERSION=2.1.13 + DOCKER_REPOSITORY=nexus3.onap.org:10001 + HOSTNAME= + CONTAINER_NS=onap + AAF_FQDN=aaf-onap-test.osaaf.org + AAF_FQDN_IP=10.12.5.145 + DEPLOY_FQI=deployer@people.osaaf.org + APP_FQDN=clamp + APP_FQI=clamp@clamp.onap.org + VOLUME=clamp_config + DRIVER=local + LATITUDE=10 + LONGITUDE=10 +- wget -O agent.sh 'https://gerrit.onap.org/r/gitweb?p=aaf/authz.git;a=blob_plain;f=auth/docker/agent.sh;h=32910874e01ad13865510091ddd4ef9ae5966410;hb=refs/heads/elalto' +- wget https://nexus.onap.org/content/repositories/releases/org/onap/aaf/authz/aaf-auth-cmd/2.1.13/aaf-auth-cmd-2.1.13-full.jar +- bash agent.sh bash + It's going to ask some questions: + Password for deployer@people.osaaf.org: demo123456! 
+ AAF Locator URL=https://aaf-onap-test.osaaf.org:8095 + # If you do not know your Global Coordinates, we suggest bing.com/maps + cadi_latitude[0.000]=10.0 + cadi_longitude[0.000]=10.0 +- Certs should created, you can get them in /var/lib/docker/volumes/clamp_config/_data/local + If you want to recreate the certs, you have to delete the docker volume (otherwise it will be re used) : docker volume rm clamp_config +- wget https://nexus.onap.org/content/repositories/releases/org/onap/aaf/authz/aaf-cadi-aaf/2.1.13/aaf-cadi-aaf-2.1.13-full.jar +- to encrypt or decrypt the store passwords: java -jar aaf-cadi-aaf-2.1.13-full.jar cadi digest changeit testos.key +- you can also use the agent.sh script to decrypt the passwords, by running the showpass commands (see wiki below) +- Extract private key from P12: 'openssl pkcs12 -in org.onap.clamp.p12 -nocerts -nodes > clamp.key' +- Extract public certificate from P12: 'openssl pkcs12 -in org.onap.clamp.p12 -clcerts -nokeys > clamp.pem' +- Extract CA certificate from P12: 'openssl pkcs12 -in org.onap.clamp.p12 -cacerts -nokeys -chain > ca-certs.pem' +- reference wiki: https://wiki.onap.org/display/DW/AAF+Certificate+Management+for+Dummies +- you need to place new clamp.key, clamp.pem and ca-certs.pem into src/main/resources/clds/aaf/ssl, this will be used by the FrontEnd +- you need to replace the password of the generated keystore (clamp uses the p12 keystore), we want to keep the same demo password across release + to do so, you can use keytool to update the password and set it back to 'China in the Spring' + keytool -storepasswd -keystore ./org.onap.clamp.p12 +- this will prompt for the current keystore password (the one generated by the aaf script that you can get from the above) +- you can then set it to 'China in the Spring' +- once done, you can replace : org.onap.clamp.p12 into src/main/resources/clds/aaf +- rebuild Clamp Docker containers, they should be updated with the renewed certificates + ## Clamp Credentials 
@@ -125,17 +169,17 @@ There is a section for SSL enablement and cadi configuration (for AAF) + one spr server.port=8443 server.ssl.key-store=classpath:/clds/aaf/org.onap.clamp.p12 -server.ssl.key-store-password=China in the Spring -server.ssl.key-password=China in the Spring +server.ssl.key-store-password=enc:WWCxchk4WGBNSvuzLq3MLjMs5ObRybJtts5AI0XD1Vc +server.ssl.key-password=enc:WWCxchk4WGBNSvuzLq3MLjMs5ObRybJtts5AI0XD1Vc server.ssl.key-store-type=PKCS12 server.ssl.key-alias=clamp@clamp.onap.org +clamp.config.keyFile=classpath:/clds/aaf/org.onap.clamp.keyfile server.ssl.client-auth=want server.ssl.trust-store=classpath:/clds/aaf/truststoreONAPall.jks -server.ssl.trust-store-password=changeit - +server.ssl.trust-store-password=enc:iDnPBBLq_EMidXlMa1FEuBR8TZzYxrCg66vq_XfLHdJ server.http-to-https-redirection.port=8080 .... -spring.profiles.active=clamp-default,clamp-aaf-authentication,clamp-sdc-controller +spring.profiles.active=clamp-default,clamp-aaf-authentication,clamp-sdc-controller-new,clamp-ssl-config .... clamp.config.cadi.keyFile=classpath:/clds/aaf/org.onap.clamp.keyfile clamp.config.cadi.cadiLoglevel=DEBUG @@ -162,7 +206,7 @@ In that case, the credentials should be specified in `src/main/resources/clds/cl Passwords should be hashed using Bcrypt : ``` -# pip3 install bcrypt # if you don't have the bcrypt python lib installed, should be done once. +# pip3 install --no-cache-dir bcrypt # if you don't have the bcrypt python lib installed, should be done once. # python3 -c 'import bcrypt; print(bcrypt.hashpw("password".encode(), bcrypt.gensalt(rounds=10, prefix=b"2a")))' ```
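Review bot: in the first hunk (`@@ -41,9 +41,9 @@`), the renamed `+` line `"spring.datasource.password": "password"` has no trailing comma before the `"clamp.config.dcae.inventory.url"` context line that follows, so the JSON example still does not parse; since these three lines are being rewritten anyway, add the comma. The example also shows the JDBC URL with only `autoReconnect`, timeout and retry parameters and a literal `"password"` value; marking the URL and credentials as placeholders would keep readers from copying them as-is into a deployment.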
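Review bot: in the docker-compose hunk (`@@ -101,7 +101,7 @@`), the rewritten line keeps the typo `prepopullated` (prepopulated); fix it while the line is being changed. The link target moves from `http://localhost:8080/designer/index.html` to `https://localhost:3000`, but the sentence does not say what listens on 3000, while the properties later in this patch still show `server.port=8443` and `server.http-to-https-redirection.port=8080`; a short pointer to the compose entry that publishes 3000, and to which keystore that HTTPS endpoint uses, would resolve the apparent mismatch.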
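Review bot: the new "Clamp AAF - Renew Certificates" section (`@@ -114,6 +114,50 @@`) commits live-looking secrets and environment details into the README: the prompt answer `Password for deployer@people.osaaf.org: demo123456!`, the address `AAF_FQDN_IP=10.12.5.145`, and the keystore password `China in the Spring` spelled out twice. Replace the password and IP with placeholders and point to the referenced wiki for actual values. Two consistency problems: the digest example `java -jar aaf-cadi-aaf-2.1.13-full.jar cadi digest changeit testos.key` uses `testos.key`, while the properties hunk in this same patch reads the key from `org.onap.clamp.keyfile`, so say which file is meant; and `openssl pkcs12 -in org.onap.clamp.p12 -nocerts -nodes > clamp.key` writes an unencrypted private key that the later steps place under `src/main/resources/clds/aaf/ssl`, i.e. into the source tree, which should be stated plainly so reviewers know private key material is being checked in together with the renewed certificates. Minor: `Certs should created` should read `Certs should be created`, and the indented `aaf.props` content and the agent prompts would read better in a fenced block, matching the fences this README already uses.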
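Review bot: in the properties hunk (`@@ -125,17 +169,17 @@`), the `enc:` values introduced for `server.ssl.key-store-password`, `server.ssl.key-password` and `server.ssl.trust-store-password` are decryptable with the key file the same hunk adds as `clamp.config.keyFile=classpath:/clds/aaf/org.onap.clamp.keyfile`, which sits on the same classpath as the keystore; the README should say that this is obfuscation against casual reading rather than a secret store, and that the keyfile is the item to protect. The hunk also adds `clamp.config.keyFile` while the context line `clamp.config.cadi.keyFile=classpath:/clds/aaf/org.onap.clamp.keyfile` already points at the same file; document why two properties are needed or whether one supersedes the other. Finally, `spring.profiles.active` now lists `clamp-sdc-controller-new` and `clamp-ssl-config` with no explanation of what changed from `clamp-sdc-controller`; a sentence on each would help, and the renewal section above should note that these `enc:` values remain valid only because the keystore password is reset to the same value.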
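Review bot: in the bcrypt hunk (`@@ -162,7 +206,7 @@`), `--no-cache-dir` only stops pip from caching the downloaded wheel, which has nothing to do with the comment's point about installing once; if the intent is a smaller Docker layer or a clean rebuild, say so, otherwise the flag is noise. The unchanged `python3 -c 'import bcrypt; print(bcrypt.hashpw("password".encode(), bcrypt.gensalt(rounds=10, prefix=b"2a")))'` prints a bytes object, so the output carries a `b'...'` wrapper that must not be pasted into the credentials file; calling `.decode()` on the `hashpw(...)` result would print the bare hash. Also note that `rounds=10` is below the library default of 12; acceptable for a demo, but the README should not invite lowering it further.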