X-Git-Url: https://gerrit.onap.org/r/gitweb?a=blobdiff_plain;f=docs%2Fsections%2Fservices%2Fdfc%2Fcertificates.rst;h=d272dd8eda8ceea6e0f4711f628653854aaa963a;hb=HEAD;hp=05728235bfdc7f4fed2b224aba32f3730413131c;hpb=b8fff00b8fde6e95a2eaf9efe6a118d49dc35ebd;p=dcaegen2.git diff --git a/docs/sections/services/dfc/certificates.rst b/docs/sections/services/dfc/certificates.rst index 05728235..d272dd8e 100644 --- a/docs/sections/services/dfc/certificates.rst +++ b/docs/sections/services/dfc/certificates.rst @@ -1,8 +1,16 @@ .. This work is licensed under a Creative Commons Attribution 4.0 International License. .. http://creativecommons.org/licenses/by/4.0 -Certificates -============ +Certificates (From AAF) +======================= +DCAE service components will use common certifcates generated from AAF/test instance and made available during deployment of DCAE TLS init container. + +DCAE has a generalized process of certificate distribution as documented here - https://docs.onap.org/projects/onap-dcaegen2/en/latest/sections/tls_enablement.html + +The updated certificates are located in https://git.onap.org/dcaegen2/deployments/tree/tls-init-container/tls + +Certificates (Manual configuration of self-signed certifcates) +============================================================== Configuration of Certificates in test environment(For FTP over TLS): @@ -13,7 +21,7 @@ keys & certificates on both vsftpd server and DFC. 1. Generate key/certificate with openssl for DFC: ------------------------------------------------- -.. code:: bash +.. code-block:: bash openssl genrsa -out dfc.key 2048 openssl req -new -out dfc.csr -key dfc.key @@ -21,7 +29,7 @@ keys & certificates on both vsftpd server and DFC. 2. Generate key & certificate with openssl for vsftpd: ------------------------------------------------------ -.. code:: bash +.. code-block:: bash openssl genrsa -out ftp.key 2048 openssl req -new -out ftp.csr -key ftp.key 
@@ -35,76 +43,75 @@ We have two keystore files, one for TrustManager, one for KeyManager. 1. First, convert your certificate in a DER format : - .. code:: bash + .. code-block:: bash openssl x509 -outform der -in ftp.crt -out ftp.der -2. And after, import it in the keystore : +2. And after copy existing keystore and password from container: - .. code:: bash + .. code-block:: bash - keytool -import -alias ftp -keystore ftp.jks -file ftp.der + kubectl cp :/opt/app/datafile/etc/cert/trust.jks trust.jks + kubectl cp :/opt/app/datafile/etc/cert/trust.pass trust.pass -**For KeyManager:** +3. Import DER certificate in the keystore : -1. First, create a jks keystore: + .. code-block:: bash - .. code:: bash + keytool -import -alias ftp -keystore trust.jks -file ftp.der - keytool -keystore dfc.jks -genkey -alias dfc +**For KeyManager:** -2. Second, import dfc.crt and dfc.key to dfc.jks. This is a bit troublesome. +1. Import dfc.crt and dfc.key to dfc.jks. This is a bit troublesome. - 1). Step one: Convert x509 Cert and Key to a pkcs12 file + Convert x509 Cert and Key to a pkcs12 file - .. code:: bash + .. code-block:: bash - openssl pkcs12 -export -in dfc.crt -inkey dfc.key -out dfc.p12 -name [some-alias] + openssl pkcs12 -export -in dfc.crt -inkey dfc.key -out cert.p12 -name dfc Note: Make sure you put a password on the p12 file - otherwise you'll get a null reference exception when you try to import it. - Note 2: You might want to add the -chainoption to preserve the full certificate chain. - - 2). Step two: Convert the pkcs12 file to a java keystore: +2. Create password files for cert.p12 - .. code:: bash + .. code-block:: bash - keytool -importkeystore -deststorepass [changeit] -destkeypass [changeit] -destkeystore dfc.jks -srckeystore dfc.p12 -srcstoretype PKCS12 -srcstorepass [some-password] -alias [some-alias] + printf "[your password]" > p12.pass -4. Update existing jks.b64 files +4. 
Update existing KeyStore files --------------------------------- -Copy the existing jks from the DFC container to a local environment. +Copy the new trust.jks and cert.p12 and password files from local environment to the DFC container. - .. code:: bash - - docker cp :/opt/app/datafile/config/ftp.jks . - docker cp :/opt/app/datafile/config/dfc.jks . + .. code-block:: bash - .. code:: bash - - openssl base64 -in ftp.jks -out ftp.jks.b64 - openssl base64 -in dfc.jks -out dfc.jks.b64 + mkdir mycert + cp cert.p12 mycert/ + cp p12.pass mycert/ + cp trust.jks mycert/ + cp trust.pass mycert/ + kubectl cp mycert/ :/opt/app/datafile/etc/cert/ - .. code:: bash - - chmod 755 ftp.jks.b64 - chmod 755 dfc.jks.b64 +5. Update configuration in consul +----------------------------------- +Change path in consul: -Copy the new jks.64 files from local environment to the DFC container. +.. code-block:: bash - .. code:: bash - - docker cp ftp.jks.b64 :/opt/app/datafile/config/ - docker cp dfc.jks.b64 :/opt/app/datafile/config/ + dmaap.ftpesConfig.keyCert": "/opt/app/datafile/etc/cert/mycert/cert.p12 + dmaap.ftpesConfig.keyPasswordPath": "/opt/app/datafile/etc/cert/mycert/p12.pass + dmaap.ftpesConfig.trustedCa": "/opt/app/datafile/etc/cert/mycert/trust.jks + dmaap.ftpesConfig.trustedCaPasswordPath": "/opt/app/datafile/etc/cert/mycert/trust.pass -Finally +Consul's address: http://: - .. code:: bash - - docker restart + .. code-block:: bash -5. Configure vsftpd: + kubectl -n onap get svc | grep consul + +.. image:: ./consule-certificate-update.png + +6. Configure vsftpd: -------------------- update /etc/vsftpd/vsftpd.conf: 
@@ -128,20 +135,7 @@ Finally ssl_request_cert=YES ca_certs_file=/home/vsftpd/myuser/dfc.crt -6. Configure config/datafile_endpoints.json: --------------------------------------------- - Update the file accordingly: - - .. code-block:: javascript - - "ftpesConfiguration": { - "keyCert": "/config/dfc.jks", - "keyPassword": "[yourpassword]", - "trustedCA": "/config/ftp.jks", - "trustedCAPassword": "[yourpassword]" - } - 7. Other conditions --------------------------------------------------------------------------- This has been tested with vsftpd and dfc, with self-signed certificates. - In real deployment, we should use ONAP-CA signed certificate for DFC, and vendor-CA signed certificate for xNF + In real deployment, we should use ONAP-CA signed certificate for DFC, and vendor-CA signed certificate for xNF.
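Review bot: on the first hunk (@@ -1,8 +1,16 @@), "certifcates" is misspelled twice in the new text, in "DCAE service components will use common certifcates generated from AAF/test instance" and in the new heading "Certificates (Manual configuration of self-signed certifcates)"; both should read "certificates", and since the heading grows by one character its "====" underline must be lengthened to match (reStructuredText rejects an underline shorter than the title). "generated from AAF/test instance" reads better as "generated from the AAF test instance". The `code::` to `code-block:: bash` changes in the two following hunks are fine.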
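Review bot: in the large hunk (@@ -35,76 +43,75 @@) the two `kubectl cp` copy commands have no pod name before the colon as rendered here (`kubectl cp :/opt/app/datafile/etc/cert/trust.jks trust.jks` and `kubectl cp mycert/ :/opt/app/datafile/etc/cert/`); if a placeholder such as `<dfc-pod-name>` was intended it should be spelled out, and the `-n onap` namespace flag used later in `kubectl -n onap get svc | grep consul` should be given here too, since the same reader runs both. Further points in the same hunk: the KeyManager steps are numbered 1, 2 and then jump to "4. Update existing KeyStore files", so either a step 3 is missing or the headings need renumbering; `printf "[your password]" > p12.pass` puts the password on the command line (it lands in shell history) and `printf` treats any `%` in it as a format directive, so `printf '%s' "$P12_PASS" > p12.pass` with the password read into a variable is safer, and if the file must have no trailing newline (which the use of `printf` suggests) say so explicitly because `echo` would add one; the old "Note 2" about the `-chain` option is dropped, and the `openssl pkcs12 -export` line will otherwise embed only the leaf certificate, so keep a corrected hint if the server is expected to see the full chain; the four Consul lines such as `dmaap.ftpesConfig.keyCert": "/opt/app/datafile/etc/cert/mycert/cert.p12` each carry an unmatched quote, so they are neither valid JSON nor plain key/value pairs, and they are inside a `code-block:: bash` although they are not shell; `Consul's address: http://:` has an empty host and port, which needs placeholders; and the new `.. image:: ./consule-certificate-update.png` must exist under exactly that name in the docs tree (check whether "consule" is a typo for "consul" before the image is committed).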
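Review bot: on the last hunk (@@ -128,20 +135,7 @@), removing "6. Configure config/datafile_endpoints.json" drops the only mention of the `ftpesConfiguration` keys (`keyCert`, `keyPassword`, `trustedCA`, `trustedCAPassword`) without telling the reader that the `dmaap.ftpesConfig.*` Consul keys added earlier in this change supersede them; a one-line pointer in the Consul section, or a sentence in "7. Other conditions", would make the migration explicit. The remaining numbering is consistent (the vsftpd section is now 6 and this section stays 7), but the underline of "7. Other conditions" is far longer than the title and could be trimmed while the line is being touched; the added full stop on the last line is fine.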