Adjust PNF simulator to use strict hostname checking. 39/113939/9
authortkogut <tomasz.kogut@nokia.com>
Fri, 16 Oct 2020 11:01:29 +0000 (13:01 +0200)
committerAdam Wudzinski <adam.wudzinski@nokia.com>
Wed, 21 Oct 2020 18:11:48 +0000 (20:11 +0200)
Use separate keystore/truststore for ves.
Add network for communication between ves and pnfsim.

Issue-ID: INT-1744
Signed-off-by: tkogut <tomasz.kogut@nokia.com>
Change-Id: I6626ac6d6f74e739aeb93879eddfd44f9e9383ea

34 files changed:
pnfsimulator/README.md
pnfsimulator/src/main/java/org/onap/pnfsimulator/simulator/client/HttpClientAdapterImpl.java
pnfsimulator/src/main/java/org/onap/pnfsimulator/simulator/client/utils/ssl/CertificateReader.java [new file with mode: 0644]
pnfsimulator/src/main/java/org/onap/pnfsimulator/simulator/client/utils/ssl/HttpClientFactory.java [new file with mode: 0644]
pnfsimulator/src/main/java/org/onap/pnfsimulator/simulator/client/utils/ssl/HttpClientFactoryFacade.java [new file with mode: 0644]
pnfsimulator/src/main/java/org/onap/pnfsimulator/simulator/client/utils/ssl/PasswordConverter.java [new file with mode: 0644]
pnfsimulator/src/main/java/org/onap/pnfsimulator/simulator/client/utils/ssl/SSLContextFactory.java [new file with mode: 0644]
pnfsimulator/src/main/java/org/onap/pnfsimulator/simulator/client/utils/ssl/SslAuthenticationHelper.java
pnfsimulator/src/main/java/org/onap/pnfsimulator/simulator/client/utils/ssl/SslSupportLevel.java [deleted file]
pnfsimulator/src/main/resources/application.properties
pnfsimulator/src/test/java/org/onap/pnfsimulator/simulator/client/utils/ssl/HttpClientFactoryFacadeTest.java [new file with mode: 0644]
pnfsimulator/src/test/java/org/onap/pnfsimulator/simulator/client/utils/ssl/HttpClientFactoryTest.java [new file with mode: 0644]
pnfsimulator/src/test/java/org/onap/pnfsimulator/simulator/client/utils/ssl/PasswordConverterTest.java [new file with mode: 0644]
pnfsimulator/src/test/java/org/onap/pnfsimulator/simulator/client/utils/ssl/SSLContextFactoryTest.java [new file with mode: 0644]
pnfsimulator/src/test/java/org/onap/pnfsimulator/simulator/client/utils/ssl/SslSupportLevelTest.java [deleted file]
sanitycheck/events/vesAddressConfiguration.json
sanitycheck/pnfsimulator-secured/Makefile [deleted file]
sanitycheck/pnfsimulator-secured/README.md
sanitycheck/pnfsimulator-secured/certman/Makefile [new file with mode: 0644]
sanitycheck/pnfsimulator-secured/certman/README.md [new file with mode: 0644]
sanitycheck/pnfsimulator-secured/certman/docker-compose.yml [moved from sanitycheck/pnfsimulator-secured/docker-compose-certman.yml with 87% similarity]
sanitycheck/pnfsimulator-secured/certservice/Makefile [new file with mode: 0644]
sanitycheck/pnfsimulator-secured/certservice/README.md [new file with mode: 0644]
sanitycheck/pnfsimulator-secured/certservice/docker-compose-certservice-clients.yml [new file with mode: 0644]
sanitycheck/pnfsimulator-secured/certservice/docker-compose-certservice-ejbca.yml [new file with mode: 0644]
sanitycheck/pnfsimulator-secured/certservice/docker-compose-pnfsim.yml [new file with mode: 0644]
sanitycheck/pnfsimulator-secured/certservice/docker-compose-ves-dmaap.yml [new file with mode: 0644]
sanitycheck/pnfsimulator-secured/certservice/resources/certs/Makefile [moved from sanitycheck/pnfsimulator-secured/certservice/certs/Makefile with 100% similarity]
sanitycheck/pnfsimulator-secured/certservice/resources/certservice-client/client-configuration-for-pnfsim.env [moved from sanitycheck/pnfsimulator-secured/certservice/client-resources/client-configuration.env with 100% similarity]
sanitycheck/pnfsimulator-secured/certservice/resources/certservice-client/client-configuration-for-ves.env [new file with mode: 0644]
sanitycheck/pnfsimulator-secured/certservice/resources/certservice/cmpServers.json [moved from sanitycheck/pnfsimulator-secured/certservice/certservice-resources/cmpServers.json with 75% similarity]
sanitycheck/pnfsimulator-secured/certservice/resources/ejbca/ejbca-configuration.sh [moved from sanitycheck/pnfsimulator-secured/certservice/ejbca-resources/ejbca-configuration.sh with 100% similarity]
sanitycheck/pnfsimulator-secured/docker-compose-certservice.yml [deleted file]
sanitycheck/pnfsimulator-secured/docker-compose-ves.yml [deleted file]

index 25f84da..81e59fc 100644 (file)
@@ -398,7 +398,7 @@ Warning: according to VES implementation which uses certificate with Common Name
  1. Generate a private key for the SSL client: ```openssl genrsa -out client.key 2048```
  2. Use the client’s private key to generate a cert request: ```openssl req -new -key client.key -out client.csr```
  3. Issue the client certificate using the cert request and the CA cert/key: ```openssl x509 -req -in client.csr -CA rootCA.crt -CAkey rootCA.key -CAcreateserial -out client.crt -days 500 -sha256```
- 4. Convert the client certificate and private key to pkcs#12 format: openssl pkcs12 -export -inkey client.key -in client.cer -out client.p12
+ 4. Convert the client certificate and private key to pkcs#12 format: ```openssl pkcs12 -export -inkey client.key -in client.crt -out client.p12```
  5. Copy pkcs file into pnf simulators folder: ```/app/store/```
  
 #### How to generate correct truststore for pnf-simulator
@@ -417,8 +417,9 @@ For this purpose:
 2. If you want to replace keystore or truststore put them into the /app/store folder.
 3. Edit /app/application.properties file as follow:
 - ssl.clientCertificateEnabled=true (to disable/enable client authentication)
+- ssl.strictHostnameVerification=true (to disable/enable hostname verification)
 - ssl.clientCertificateDir=/app/store/client.p12 (to replace keystore file)
 - ssl.clientCertificatePassword=collector (to replace password for keystore)
 - ssl.trustStoreDir=/app/store/trustStore (to replace truststore file)
 - ssl.trustStorePassword=collector (to replace password for truststore)
-4. Refresh configuration by sending simple POST request to correct actuator endpoint at: ```curl http://localhost:5001/refresh -H 'Content-type: application/json' -X POST --data '{}'```
+4. Refresh configuration by sending simple POST request to correct actuator endpoint at: ```curl http://localhost:5000/refresh -H 'Content-type: application/json' -X POST --data '{}'```
index a881698..5d2a024 100644 (file)
@@ -2,7 +2,7 @@
  * ============LICENSE_START=======================================================
  * PNF-REGISTRATION-HANDLER
  * ================================================================================
- * Copyright (C) 2018 Nokia. All rights reserved.
+ * Copyright (C) 2020 Nokia. All rights reserved.
  * ================================================================================
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -22,12 +22,11 @@ package org.onap.pnfsimulator.simulator.client;
 
 import org.apache.http.HttpResponse;
 import org.apache.http.client.HttpClient;
-import org.apache.http.client.config.RequestConfig;
 import org.apache.http.client.methods.HttpPost;
 import org.apache.http.entity.StringEntity;
 import org.apache.http.util.EntityUtils;
+import org.onap.pnfsimulator.simulator.client.utils.ssl.HttpClientFactoryFacade;
 import org.onap.pnfsimulator.simulator.client.utils.ssl.SslAuthenticationHelper;
-import org.onap.pnfsimulator.simulator.client.utils.ssl.SslSupportLevel;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.slf4j.MDC;
@@ -45,26 +44,16 @@ import static org.onap.pnfsimulator.logging.MdcVariables.X_ONAP_REQUEST_ID;
 
 public class HttpClientAdapterImpl implements HttpClientAdapter {
 
-    private static final int CONNECTION_TIMEOUT = 1000;
     private static final Logger LOGGER = LoggerFactory.getLogger(HttpClientAdapterImpl.class);
     private static final String CONTENT_TYPE = "Content-Type";
     private static final String APPLICATION_JSON = "application/json";
-    private static final RequestConfig CONFIG = RequestConfig.custom()
-        .setConnectTimeout(CONNECTION_TIMEOUT)
-        .setConnectionRequestTimeout(CONNECTION_TIMEOUT)
-        .setSocketTimeout(CONNECTION_TIMEOUT)
-        .build();
     private static final Marker INVOKE = MarkerFactory.getMarker("INVOKE");
-    private SslSupportLevel sslSupportLevel;
-    private HttpClient client;
+    private final HttpClient client;
     private final String targetUrl;
 
     public HttpClientAdapterImpl(String targetUrl, SslAuthenticationHelper sslAuthenticationHelper)
-        throws IOException, GeneralSecurityException {
-        this.sslSupportLevel = sslAuthenticationHelper.isClientCertificateEnabled()
-            ? SslSupportLevel.CLIENT_CERT_AUTH
-            : SslSupportLevel.getSupportLevelBasedOnProtocol(targetUrl);
-        this.client = sslSupportLevel.getClient(CONFIG, sslAuthenticationHelper);
+            throws IOException, GeneralSecurityException {
+        this.client = HttpClientFactoryFacade.create(targetUrl, sslAuthenticationHelper);
         this.targetUrl = targetUrl;
     }
 
@@ -84,10 +73,6 @@ public class HttpClientAdapterImpl implements HttpClientAdapter {
         }
     }
 
-    public SslSupportLevel getSslSupportLevel() {
-        return sslSupportLevel;
-    }
-
     private HttpResponse sendAndRetrieve(String content) throws IOException {
         HttpPost request = createRequest(content);
         HttpResponse httpResponse = client.execute(request);
diff --git a/pnfsimulator/src/main/java/org/onap/pnfsimulator/simulator/client/utils/ssl/CertificateReader.java b/pnfsimulator/src/main/java/org/onap/pnfsimulator/simulator/client/utils/ssl/CertificateReader.java
new file mode 100644 (file)
index 0000000..e0b8cc2
--- /dev/null
@@ -0,0 +1,38 @@
+/*
+ * ============LICENSE_START=======================================================
+ * PNF-REGISTRATION-HANDLER
+ * ================================================================================
+ * Copyright (C) 2020 Nokia. All rights reserved.
+ * ================================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END=========================================================
+ */
+
+package org.onap.pnfsimulator.simulator.client.utils.ssl;
+
+import java.io.FileInputStream;
+import java.io.IOException;
+import java.io.InputStream;
+import java.security.GeneralSecurityException;
+import java.security.KeyStore;
+
+class CertificateReader {
+
+    KeyStore read(String certificate, String password, String type) throws GeneralSecurityException, IOException {
+        try (InputStream keyStoreStream = new FileInputStream(certificate)) {
+            KeyStore keyStore = KeyStore.getInstance(type);
+            keyStore.load(keyStoreStream, PasswordConverter.convert(password));
+            return keyStore;
+        }
+    }
+}
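Review bot: `read` hands the result of `PasswordConverter.convert(password)` straight to `KeyStore.load`, and that helper returns null for a null password, so a missing `ssl.clientCertificatePassword` or `ssl.trustStorePassword` silently disables the keystore integrity check instead of failing fast (`KeyStore.load` skips integrity verification when the password is null). If a null password is not an intended configuration, reject it before loading: `if (password == null) throw new IllegalArgumentException("keystore password is required for " + certificate);`. The null-to-skip behaviour originates in the PasswordConverter hunk below, so the decision belongs to both. The method also has no Javadoc; a one-liner stating that `certificate` is a file path and `type` a `KeyStore.getInstance` type (PKCS12 or JKS as used by the callers) would help the next reader.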
diff --git a/pnfsimulator/src/main/java/org/onap/pnfsimulator/simulator/client/utils/ssl/HttpClientFactory.java b/pnfsimulator/src/main/java/org/onap/pnfsimulator/simulator/client/utils/ssl/HttpClientFactory.java
new file mode 100644 (file)
index 0000000..ca57a64
--- /dev/null
@@ -0,0 +1,104 @@
+/*
+ * ============LICENSE_START=======================================================
+ * PNF-REGISTRATION-HANDLER
+ * ================================================================================
+ * Copyright (C) 2020 Nokia. All rights reserved.
+ * ================================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END=========================================================
+ */
+
+package org.onap.pnfsimulator.simulator.client.utils.ssl;
+
+import io.vavr.control.Try;
+import org.apache.http.client.HttpClient;
+import org.apache.http.client.config.RequestConfig;
+import org.apache.http.conn.ssl.DefaultHostnameVerifier;
+import org.apache.http.conn.ssl.NoopHostnameVerifier;
+import org.apache.http.impl.client.HttpClientBuilder;
+import org.apache.http.impl.client.HttpClients;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import javax.net.ssl.HostnameVerifier;
+import javax.net.ssl.SSLContext;
+import java.io.IOException;
+import java.net.URL;
+import java.security.GeneralSecurityException;
+import java.security.KeyManagementException;
+import java.security.KeyStoreException;
+import java.security.NoSuchAlgorithmException;
+
+class HttpClientFactory {
+    private static final int CONNECTION_TIMEOUT = 1000;
+    private static final RequestConfig CONFIG = RequestConfig.custom()
+            .setConnectTimeout(CONNECTION_TIMEOUT)
+            .setConnectionRequestTimeout(CONNECTION_TIMEOUT)
+            .setSocketTimeout(CONNECTION_TIMEOUT)
+            .build();
+    private static final Logger LOGGER = LoggerFactory.getLogger(HttpClientFactory.class);
+    private final SSLContextFactory sslContextFactory;
+
+    HttpClientFactory(SSLContextFactory sslContextFactory) {
+        this.sslContextFactory = sslContextFactory;
+    }
+
+    HttpClient create(String url, SslAuthenticationHelper sslAuthenticationHelper) throws GeneralSecurityException, IOException {
+        HttpClient client;
+        if (!sslAuthenticationHelper.isClientCertificateEnabled()) {
+            client = "https".equals(new URL(url).getProtocol()) ? createForHttps() : createBasic();
+        } else if (sslAuthenticationHelper.isStrictHostnameVerification()) {
+            client = createSecured(sslContextFactory.create(sslAuthenticationHelper), new DefaultHostnameVerifier());
+        } else {
+            client = createSecured(sslContextFactory.create(sslAuthenticationHelper), new NoopHostnameVerifier());
+        }
+        return client;
+    }
+
+    private HttpClient createForHttps() {
+        return Try.of(this::createSecuredTrustAlways)
+                .onFailure(this::logErrorMessage)
+                .getOrElse(createBasic());
+    }
+
+    private void logErrorMessage(Throwable e) {
+        String message = String.format(
+                "Could not initialize client due to SSL exception: %s. " +
+                        "Default client without SSL support will be used instead." +
+                        "\nCause: %s",
+                e.getMessage(),
+                e.getCause()
+        );
+        LOGGER.error(message, e);
+    }
+
+
+    private HttpClient createBasic() {
+        return HttpClientBuilder
+                .create()
+                .setDefaultRequestConfig(CONFIG)
+                .build();
+    }
+
+    private HttpClient createSecuredTrustAlways() throws NoSuchAlgorithmException, KeyStoreException, KeyManagementException {
+        return createSecured(sslContextFactory.createTrustAlways(), new NoopHostnameVerifier());
+    }
+
+    private HttpClient createSecured(SSLContext trustAlways, HostnameVerifier hostnameVerifier) {
+        return HttpClients.custom()
+                .setSSLContext(trustAlways)
+                .setDefaultRequestConfig(CONFIG)
+                .setSSLHostnameVerifier(hostnameVerifier)
+                .build();
+    }
+}
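Review bot: The new `strictHostnameVerification` flag is consulted only on the client-certificate branch of `create` (the `else if`); an https URL with `clientCertificateEnabled=false` goes through `createForHttps` to `createSecuredTrustAlways`, which still pairs `TrustAllStrategy` with `NoopHostnameVerifier`, so setting the flag to true does not enable hostname checking on that path even though the README describes it as a general switch. Either route the chosen verifier into that path as well or state the limitation in a Javadoc on `create`, e.g. `/** Builds the collector client. strictHostnameVerification is honoured only when client-certificate authentication is enabled; plain https without a client certificate trusts any server certificate and skips hostname verification. */`. Separately, the first parameter of `createSecured(SSLContext trustAlways, HostnameVerifier hostnameVerifier)` is named `trustAlways` but also receives the keystore-backed context from `sslContextFactory.create`, so `sslContext` would be the accurate name.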
diff --git a/pnfsimulator/src/main/java/org/onap/pnfsimulator/simulator/client/utils/ssl/HttpClientFactoryFacade.java b/pnfsimulator/src/main/java/org/onap/pnfsimulator/simulator/client/utils/ssl/HttpClientFactoryFacade.java
new file mode 100644 (file)
index 0000000..521b584
--- /dev/null
@@ -0,0 +1,40 @@
+/*
+ * ============LICENSE_START=======================================================
+ * PNF-REGISTRATION-HANDLER
+ * ================================================================================
+ * Copyright (C) 2020 Nokia. All rights reserved.
+ * ================================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END=========================================================
+ */
+
+package org.onap.pnfsimulator.simulator.client.utils.ssl;
+
+import org.apache.http.client.HttpClient;
+
+import java.io.IOException;
+import java.security.GeneralSecurityException;
+
+public class HttpClientFactoryFacade {
+
+    private HttpClientFactoryFacade() {
+    }
+
+    private static final CertificateReader CERTIFICATE_READER = new CertificateReader();
+    private static final SSLContextFactory SSL_CONTEXT_FACTORY = new SSLContextFactory(CERTIFICATE_READER);
+    private static final HttpClientFactory HTTP_CLIENT_FACTORY = new HttpClientFactory(SSL_CONTEXT_FACTORY);
+
+    public static HttpClient create(String url, SslAuthenticationHelper sslAuthenticationHelper) throws GeneralSecurityException, IOException {
+        return HTTP_CLIENT_FACTORY.create(url, sslAuthenticationHelper);
+    }
+}
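Review bot: `create` is the only public entry point of the new ssl package (the factories it wraps are package-private) but carries no Javadoc, so callers such as `HttpClientAdapterImpl` cannot see from the API which trust and hostname-verification behaviour they get for a given `SslAuthenticationHelper`. Suggest a Javadoc summarising the selection: `/** Returns an HttpClient for url: plain client for http, trust-all client for https without a client certificate, keystore/truststore-backed client when clientCertificateEnabled is set. */`. Minor style: the private constructor is placed above the static fields it does not use; Java convention puts the fields first.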
diff --git a/pnfsimulator/src/main/java/org/onap/pnfsimulator/simulator/client/utils/ssl/PasswordConverter.java b/pnfsimulator/src/main/java/org/onap/pnfsimulator/simulator/client/utils/ssl/PasswordConverter.java
new file mode 100644 (file)
index 0000000..7a645ae
--- /dev/null
@@ -0,0 +1,32 @@
+/*
+ * ============LICENSE_START=======================================================
+ * PNF-REGISTRATION-HANDLER
+ * ================================================================================
+ * Copyright (C) 2020 Nokia. All rights reserved.
+ * ================================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END=========================================================
+ */
+
+package org.onap.pnfsimulator.simulator.client.utils.ssl;
+
+import java.util.Optional;
+
+class PasswordConverter {
+    private PasswordConverter() {
+    }
+
+    static char[] convert(String password) {
+        return Optional.ofNullable(password).map(String::toCharArray).orElse(null);
+    }
+}
diff --git a/pnfsimulator/src/main/java/org/onap/pnfsimulator/simulator/client/utils/ssl/SSLContextFactory.java b/pnfsimulator/src/main/java/org/onap/pnfsimulator/simulator/client/utils/ssl/SSLContextFactory.java
new file mode 100644 (file)
index 0000000..c4839fb
--- /dev/null
@@ -0,0 +1,54 @@
+/*
+ * ============LICENSE_START=======================================================
+ * PNF-REGISTRATION-HANDLER
+ * ================================================================================
+ * Copyright (C) 2020 Nokia. All rights reserved.
+ * ================================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END=========================================================
+ */
+package org.onap.pnfsimulator.simulator.client.utils.ssl;
+
+import org.apache.http.conn.ssl.TrustAllStrategy;
+import org.apache.http.conn.ssl.TrustSelfSignedStrategy;
+import org.apache.http.conn.ssl.TrustStrategy;
+import org.apache.http.ssl.SSLContextBuilder;
+import org.apache.http.ssl.SSLContexts;
+
+import javax.net.ssl.SSLContext;
+import java.io.IOException;
+import java.security.GeneralSecurityException;
+import java.security.KeyManagementException;
+import java.security.KeyStoreException;
+import java.security.NoSuchAlgorithmException;
+
+class SSLContextFactory {
+    private static final TrustStrategy TRUST_STRATEGY_ALWAYS = new TrustAllStrategy();
+
+    private final CertificateReader certificateReader;
+
+    SSLContextFactory(CertificateReader certificateReader) {
+        this.certificateReader = certificateReader;
+    }
+    SSLContext create(SslAuthenticationHelper sslAuthenticationHelper) throws GeneralSecurityException, IOException {
+        return SSLContexts.custom()
+                .loadKeyMaterial(certificateReader.read(sslAuthenticationHelper.getClientCertificateDir(), sslAuthenticationHelper.getClientCertificatePassword(), "PKCS12"), PasswordConverter.convert(sslAuthenticationHelper.getClientCertificatePassword()))
+                .loadTrustMaterial(certificateReader.read(sslAuthenticationHelper.getTrustStoreDir(), sslAuthenticationHelper.getTrustStorePassword(), "JKS"), new TrustSelfSignedStrategy())
+                .build();
+    }
+
+    SSLContext createTrustAlways() throws KeyStoreException, NoSuchAlgorithmException, KeyManagementException {
+        return SSLContextBuilder.create().loadTrustMaterial(TRUST_STRATEGY_ALWAYS).build();
+    }
+
+}
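Review bot: `create` loads the configured truststore but then passes `new TrustSelfSignedStrategy()` as the trust strategy, and that strategy accepts any certificate chain of length one without consulting the truststore, so the truststore only decides for CA-issued chains while any self-signed server certificate is trusted regardless; strict hostname verification does not close that gap, because the accepted self-signed certificate can carry any name. If the truststore is meant to be authoritative, pass no strategy: `.loadTrustMaterial(certificateReader.read(sslAuthenticationHelper.getTrustStoreDir(), sslAuthenticationHelper.getTrustStorePassword(), "JKS"), null)`. If the self-signed allowance is intentional for the sanity-check setup, record that in a comment on the line so it is not mistaken for a truststore-only check. Style: a blank line is missing between the constructor and `create`, and the two `load*Material` lines would read better with the two keystore reads extracted to locals.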
index 1887d37..b785be6 100644 (file)
@@ -2,7 +2,7 @@
  * ============LICENSE_START=======================================================
  * PNF-REGISTRATION-HANDLER
  * ================================================================================
- * Copyright (C) 2019 Nokia. All rights reserved.
+ * Copyright (C) 2020 Nokia. All rights reserved.
  * ================================================================================
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -37,6 +37,7 @@ import org.springframework.stereotype.Component;
 public class SslAuthenticationHelper implements Serializable {
 
     private boolean clientCertificateEnabled;
+    private boolean strictHostnameVerification;
     private String clientCertificateDir;
     private String clientCertificatePassword;
     private String trustStoreDir;
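Review bot: The new field `strictHostnameVerification` has no comment explaining what it controls, and since this class appears to be the Spring-bound holder of the `ssl.*` properties (the `org.springframework.stereotype.Component` import is visible in the hunk header) readers will look here for its meaning. Suggest `// When true the collector's certificate hostname is verified (DefaultHostnameVerifier); only consulted when clientCertificateEnabled is true.` The class body continues outside the hunk, so the accessor used by HttpClientFactory is not visible here.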
diff --git a/pnfsimulator/src/main/java/org/onap/pnfsimulator/simulator/client/utils/ssl/SslSupportLevel.java b/pnfsimulator/src/main/java/org/onap/pnfsimulator/simulator/client/utils/ssl/SslSupportLevel.java
deleted file mode 100644 (file)
index fb3b958..0000000
+++ /dev/null
@@ -1,125 +0,0 @@
-/*
- * ============LICENSE_START=======================================================
- * PNF-REGISTRATION-HANDLER
- * ================================================================================
- * Copyright (C) 2018 Nokia. All rights reserved.
- * ================================================================================
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *      http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- * ============LICENSE_END=========================================================
- */
-
-package org.onap.pnfsimulator.simulator.client.utils.ssl;
-
-import org.apache.http.client.HttpClient;
-import org.apache.http.client.config.RequestConfig;
-import org.apache.http.conn.ssl.NoopHostnameVerifier;
-import org.apache.http.conn.ssl.TrustAllStrategy;
-import org.apache.http.conn.ssl.TrustSelfSignedStrategy;
-import org.apache.http.conn.ssl.TrustStrategy;
-import org.apache.http.impl.client.HttpClientBuilder;
-import org.apache.http.impl.client.HttpClients;
-import org.apache.http.ssl.SSLContextBuilder;
-import org.apache.http.ssl.SSLContexts;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
-
-import javax.net.ssl.SSLContext;
-import java.io.FileInputStream;
-import java.io.IOException;
-import java.io.InputStream;
-import java.net.MalformedURLException;
-import java.net.URL;
-import java.security.GeneralSecurityException;
-import java.security.KeyStore;
-import java.util.Optional;
-
-public enum SslSupportLevel {
-
-    NONE {
-        public HttpClient getClient(RequestConfig requestConfig, SslAuthenticationHelper sslAuthenticationHelper) {
-            LOGGER.info("<!-----IN SslSupportLevel.NONE, Creating BasicHttpClient for http protocol----!>");
-            return HttpClientBuilder
-                    .create()
-                    .setDefaultRequestConfig(requestConfig)
-                    .build();
-        }
-    },
-    ALWAYS_TRUST {
-        public HttpClient getClient(RequestConfig requestConfig, SslAuthenticationHelper sslAuthenticationHelper)
-                throws GeneralSecurityException, IOException {
-            LoggerFactory.getLogger(SslSupportLevel.class).info("<!-----IN SslSupportLevel.ALWAYS_TRUST, Creating client with SSL support for https protocol----!>");
-            HttpClient client;
-            try {
-                SSLContext alwaysTrustSslContext = SSLContextBuilder.create().loadTrustMaterial(TRUST_STRATEGY_ALWAYS).build();
-                client = HttpClients.custom()
-                        .setSSLContext(alwaysTrustSslContext)
-                        .setSSLHostnameVerifier(new NoopHostnameVerifier())
-                        .setDefaultRequestConfig(requestConfig)
-                        .build();
-
-            } catch (GeneralSecurityException e) {
-                String errorMessage =
-                    String.format(
-                        "Could not initialize client due to SSL exception: %s. " +
-                            "Default client without SSL support will be used instead." +
-                            "\nCause: %s",
-                        e.getMessage(),
-                        e.getCause()
-                    );
-                LOGGER.error(errorMessage, e);
-                client = NONE.getClient(requestConfig, sslAuthenticationHelper);
-            }
-            return client;
-        }
-    },
-    CLIENT_CERT_AUTH {
-        @Override
-        public HttpClient getClient(RequestConfig requestConfig, SslAuthenticationHelper sslAuthenticationHelper)
-                throws GeneralSecurityException, IOException {
-
-            SSLContext sslContext = SSLContexts.custom()
-                    .loadKeyMaterial(readCertificate(sslAuthenticationHelper.getClientCertificateDir(), sslAuthenticationHelper.getClientCertificatePassword(), "PKCS12"), getPasswordAsCharArray(sslAuthenticationHelper.getClientCertificatePassword()))
-                    .loadTrustMaterial(readCertificate(sslAuthenticationHelper.getTrustStoreDir(), sslAuthenticationHelper.getTrustStorePassword(), "JKS"), new TrustSelfSignedStrategy())
-                    .build();
-
-            return HttpClients.custom()
-                    .setSSLContext(sslContext)
-                    .setSSLHostnameVerifier(new NoopHostnameVerifier())
-                    .setDefaultRequestConfig(requestConfig)
-                    .build();
-        }
-
-        private KeyStore readCertificate(String certificate, String password, String type) throws GeneralSecurityException, IOException {
-            try (InputStream keyStoreStream = new FileInputStream(certificate)) {
-                KeyStore keyStore = KeyStore.getInstance(type);
-                keyStore.load(keyStoreStream, getPasswordAsCharArray(password));
-                return keyStore;
-            }
-        }
-
-        private char[] getPasswordAsCharArray(String clientCertificatePassword) {
-            return Optional.ofNullable(clientCertificatePassword).map(String::toCharArray).orElse(null);
-        }
-    };
-
-    private static final Logger LOGGER = LoggerFactory.getLogger(SslSupportLevel.class);
-    private static final TrustStrategy TRUST_STRATEGY_ALWAYS = new TrustAllStrategy();
-
-    public static SslSupportLevel getSupportLevelBasedOnProtocol(String url) throws MalformedURLException {
-        return "https".equals(new URL(url).getProtocol()) ? SslSupportLevel.ALWAYS_TRUST : SslSupportLevel.NONE;
-    }
-
-    public abstract HttpClient getClient(RequestConfig config, SslAuthenticationHelper sslAuthenticationHelper)
-            throws GeneralSecurityException, IOException;
-
-}
index 6c9ed42..39334d1 100644 (file)
@@ -11,6 +11,7 @@ management.endpoints.web.base-path=/
 management.endpoints.web.exposure.include=refresh,health
 
 ssl.clientCertificateEnabled=true
+ssl.strictHostnameVerification=${STRICT_HOSTNAME_VERIFICATION:false}
 ssl.clientCertificateDir=/app/store/cert.p12
 ssl.clientCertificatePassword=${CLIENT_CERT_PASS:collector}
 ssl.trustStoreDir=/app/store/trust.jks
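Review bot: `ssl.strictHostnameVerification` defaults to `false` through `${STRICT_HOSTNAME_VERIFICATION:false}`, so hostname verification stays disabled unless the environment variable is set, while `ssl.clientCertificateEnabled=true` in the same block is on by default; for a change titled "use strict hostname checking" the secure default would be `ssl.strictHostnameVerification=${STRICT_HOSTNAME_VERIFICATION:true}`, or a comment above the line explaining why the lax default is kept. The README hunk documents the property as `true`, which adds to the mismatch.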
diff --git a/pnfsimulator/src/test/java/org/onap/pnfsimulator/simulator/client/utils/ssl/HttpClientFactoryFacadeTest.java b/pnfsimulator/src/test/java/org/onap/pnfsimulator/simulator/client/utils/ssl/HttpClientFactoryFacadeTest.java
new file mode 100644 (file)
index 0000000..e6d3d03
--- /dev/null
@@ -0,0 +1,35 @@
+/*
+ * ============LICENSE_START=======================================================
+ * PNF-REGISTRATION-HANDLER
+ * ================================================================================
+ * Copyright (C) 2020 Nokia. All rights reserved.
+ * ================================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END=========================================================
+ */
+
+package org.onap.pnfsimulator.simulator.client.utils.ssl;
+
+import org.junit.jupiter.api.Test;
+
+import java.io.IOException;
+import java.security.GeneralSecurityException;
+
+import static org.junit.Assert.assertNotNull;
+
+class HttpClientFactoryFacadeTest {
+    @Test
+    void shouldSuccessfullyCreateHttpClient() throws GeneralSecurityException, IOException {
+        assertNotNull(HttpClientFactoryFacade.create("http://example.com", new SslAuthenticationHelper()));
+    }
+}
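Review bot: The test uses the JUnit 5 `@Test` from `org.junit.jupiter.api` but asserts with JUnit 4's `org.junit.Assert.assertNotNull`; that only compiles while both libraries remain on the classpath, so use `import static org.junit.jupiter.api.Assertions.assertNotNull;`. HttpClientFactoryTest does the same at its `org.junit.Assert.assertNotNull` import. The single case here exercises only the plain-http branch of the facade, so the https and client-certificate paths are not covered by this file (they may be in HttpClientFactoryTest, which is cut off at the end of the page).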
diff --git a/pnfsimulator/src/test/java/org/onap/pnfsimulator/simulator/client/utils/ssl/HttpClientFactoryTest.java b/pnfsimulator/src/test/java/org/onap/pnfsimulator/simulator/client/utils/ssl/HttpClientFactoryTest.java
new file mode 100644 (file)
index 0000000..c213982
--- /dev/null
@@ -0,0 +1,143 @@
+/*
+ * ============LICENSE_START=======================================================
+ * PNF-REGISTRATION-HANDLER
+ * ================================================================================
+ * Copyright (C) 2020 Nokia. All rights reserved.
+ * ================================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END=========================================================
+ */
+
+package org.onap.pnfsimulator.simulator.client.utils.ssl;
+
+import org.hamcrest.CoreMatchers;
+import org.junit.jupiter.api.BeforeEach;
+import org.junit.jupiter.api.Test;
+
+import java.io.IOException;
+import java.net.MalformedURLException;
+import java.security.GeneralSecurityException;
+import java.security.KeyStoreException;
+
+import static org.hamcrest.MatcherAssert.assertThat;
+import static org.junit.Assert.assertNotNull;
+import static org.junit.jupiter.api.Assertions.assertThrows;
+import static org.mockito.ArgumentMatchers.any;
+import static org.mockito.Mockito.mock;
+import static org.mockito.Mockito.times;
+import static org.mockito.Mockito.verify;
+import static org.mockito.Mockito.when;
+
+class HttpClientFactoryTest {
+    private static final String HTTPS_URL = "https://example.com";
+    private static final String HTTP_URL = "http://example.com";
+
+    private SSLContextFactory sslContextFactoryMock;
+    private HttpClientFactory httpClientFactory;
+    private SslAuthenticationHelper sslAuthenticationHelper;
+
+    @BeforeEach
+    public void setup() {
+        sslContextFactoryMock = mock(SSLContextFactory.class);
+        httpClientFactory = new HttpClientFactory(sslContextFactoryMock);
+        sslAuthenticationHelper = new SslAuthenticationHelper();
+    }
+
+    @Test
+    void shouldCreateHttpsClient_whenClientCertificationDisabled() throws GeneralSecurityException, IOException {
+        // given
+        sslAuthenticationHelper.setClientCertificateEnabled(false);
+
+        // when
+        final var httpClient = httpClientFactory.create(HTTPS_URL, sslAuthenticationHelper);
+
+        // then
+        assertNotNull(httpClient);
+        verifySslContextFactoryMockCalls(0, 1);
+    }
+
+    @Test
+    void shouldCreateHttpsClient_whenClientCertificationDisabled_AndCannotCreateTrustAlwaysSslContext() throws GeneralSecurityException, IOException {
+        // given
+        sslAuthenticationHelper.setClientCertificateEnabled(false);
+        when(sslContextFactoryMock.createTrustAlways()).thenThrow(KeyStoreException.class);
+
+        // when
+        final var httpClient = httpClientFactory.create(HTTPS_URL, sslAuthenticationHelper);
+
+        // then
+        assertNotNull(httpClient);
+        verifySslContextFactoryMockCalls(0, 1);
+    }
+
+    @Test
+    void shouldCreateHttpClient_whenClientCertificationDisabled() throws GeneralSecurityException, IOException {
+        // given
+        sslAuthenticationHelper.setClientCertificateEnabled(false);
+
+        // when
+        final var httpClient = httpClientFactory.create(HTTP_URL, sslAuthenticationHelper);
+
+        // then
+        assertNotNull(httpClient);
+        verifySslContextFactoryMockCalls(0, 0);
+    }
+
+
+    @Test
+    void shouldCreateHttpClient_whenClientCertificationAndStrictHostnameVerificationAreEnabled() throws GeneralSecurityException, IOException {
+        // given
+        sslAuthenticationHelper.setClientCertificateEnabled(true);
+        sslAuthenticationHelper.setStrictHostnameVerification(true);
+
+        // when
+        final var httpClient = httpClientFactory.create(HTTP_URL, sslAuthenticationHelper);
+
+        // then
+        assertNotNull(httpClient);
+        verifySslContextFactoryMockCalls(1, 0);
+    }
+
+    @Test
+    void shouldCreateHttpClient_whenClientCertificationEnabledAndStrictHostnameVerificationDisabled() throws GeneralSecurityException, IOException {
+        // given
+        sslAuthenticationHelper.setClientCertificateEnabled(true);
+        sslAuthenticationHelper.setStrictHostnameVerification(false);
+
+        // when
+        final var httpClient = httpClientFactory.create(HTTP_URL, sslAuthenticationHelper);
+
+        // then
+        assertNotNull(httpClient);
+        verifySslContextFactoryMockCalls(1, 0);
+    }
+
+    @Test
+    void shouldThrowMalformedURLException_whenInvalidUrl() throws GeneralSecurityException, IOException {
+        // given
+        var invalidUrl = "invalid";
+
+        // when
+        final var exception = assertThrows(MalformedURLException.class,
+                () -> httpClientFactory.create(invalidUrl, sslAuthenticationHelper));
+
+        // then
+        assertThat(exception.getMessage(), CoreMatchers.containsString("invalid"));
+    }
+
+    private void verifySslContextFactoryMockCalls(int createCalls, int createTrustAlwaysCalls) throws GeneralSecurityException, IOException {
+        verify(sslContextFactoryMock, times(createCalls)).create(any());
+        verify(sslContextFactoryMock, times(createTrustAlwaysCalls)).createTrustAlways();
+    }
+
+}
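Review bot: The two tests `shouldCreateHttpClient_whenClientCertificationAndStrictHostnameVerificationAreEnabled` and `shouldCreateHttpClient_whenClientCertificationEnabledAndStrictHostnameVerificationDisabled` differ only in `setStrictHostnameVerification(true/false)` yet make identical assertions (`verifySslContextFactoryMockCalls(1, 0)` on HTTP_URL), so nothing in this file detects whether strict hostname verification is actually applied — which is the behaviour the commit introduces. If HttpClientFactory exposes the verifier it configures (it is not visible in this hunk), assert on it, e.g. that the strict case does not use `NoopHostnameVerifier`; if it does not, consider making it testable rather than leaving the branch covered in name only. The `..._AndCannotCreateTrustAlwaysSslContext` case likewise only asserts non-null after `createTrustAlways()` throws, so it does not pin what kind of client the factory falls back to; stating that expectation (or asserting that the exception propagates) would document the intended failure mode.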
diff --git a/pnfsimulator/src/test/java/org/onap/pnfsimulator/simulator/client/utils/ssl/PasswordConverterTest.java b/pnfsimulator/src/test/java/org/onap/pnfsimulator/simulator/client/utils/ssl/PasswordConverterTest.java
new file mode 100644 (file)
index 0000000..fddfc5f
--- /dev/null
@@ -0,0 +1,44 @@
+/*
+ * ============LICENSE_START=======================================================
+ * PNF-REGISTRATION-HANDLER
+ * ================================================================================
+ * Copyright (C) 2020 Nokia. All rights reserved.
+ * ================================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END=========================================================
+ */
+
+package org.onap.pnfsimulator.simulator.client.utils.ssl;
+
+import org.junit.jupiter.api.Test;
+
+import static org.junit.jupiter.api.Assertions.assertArrayEquals;
+import static org.junit.jupiter.api.Assertions.assertNull;
+
+class PasswordConverterTest {
+
+    @Test
+    void shouldSuccessfullyConvert() {
+        // given, when
+        final char[] result = PasswordConverter.convert("sw ./#%");
+
+        // then
+        assertArrayEquals(new char[]{'s', 'w', ' ', '.', '/', '#', '%'}, result);
+    }
+
+    @Test
+    void shouldReturnNull_whenNullPasswordUsed() {
+        // given, when, then
+        assertNull(PasswordConverter.convert(null));
+    }
+}
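Review bot: The boundary most likely to be hit in practice — an empty password read from an unset property — is not covered; only a non-empty value and `null` are. Add `assertArrayEquals(new char[0], PasswordConverter.convert(""));` so the empty-string behaviour is pinned alongside the null case.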
diff --git a/pnfsimulator/src/test/java/org/onap/pnfsimulator/simulator/client/utils/ssl/SSLContextFactoryTest.java b/pnfsimulator/src/test/java/org/onap/pnfsimulator/simulator/client/utils/ssl/SSLContextFactoryTest.java
new file mode 100644 (file)
index 0000000..8e82706
--- /dev/null
@@ -0,0 +1,60 @@
+/*
+ * ============LICENSE_START=======================================================
+ * PNF-REGISTRATION-HANDLER
+ * ================================================================================
+ * Copyright (C) 2020 Nokia. All rights reserved.
+ * ================================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END=========================================================
+ */
+
+package org.onap.pnfsimulator.simulator.client.utils.ssl;
+
+import org.junit.jupiter.api.BeforeEach;
+import org.junit.jupiter.api.Test;
+
+import java.io.IOException;
+import java.security.GeneralSecurityException;
+
+import static org.junit.jupiter.api.Assertions.assertNotNull;
+import static org.mockito.ArgumentMatchers.any;
+import static org.mockito.Mockito.mock;
+import static org.mockito.Mockito.times;
+import static org.mockito.Mockito.verify;
+
+class SSLContextFactoryTest {
+    private CertificateReader certificateReaderMock;
+    private SSLContextFactory sslContextFactory;
+
+    @BeforeEach
+    void setup() {
+        certificateReaderMock = mock(CertificateReader.class);
+        sslContextFactory = new SSLContextFactory(certificateReaderMock);
+    }
+
+    @Test
+    void shouldSuccessfullyCreateTrustAlwaysSSLContext() throws GeneralSecurityException, IOException {
+        // given, when, then
+        assertNotNull(sslContextFactory.createTrustAlways());
+        verify(certificateReaderMock, times(0)).read(any(), any(), any());
+    }
+
+    @Test
+    void shouldSuccessfullyCreateSSLContext() throws GeneralSecurityException, IOException {
+        // given, when, then
+        assertNotNull(sslContextFactory.create(new SslAuthenticationHelper()));
+        verify(certificateReaderMock, times(2)).read(any(), any(), any());
+    }
+
+}
+
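Review bot: `shouldSuccessfullyCreateSSLContext` only verifies that `read(any(), any(), any())` is invoked twice; the mock returns `null` for both reads, so the test passes as long as `create()` tolerates null keystore/truststore values, and there is no test that a failing certificate read surfaces from `create()` instead of being swallowed. Assuming `read` declares the `IOException` this test method already throws, add a case along the lines of `when(certificateReaderMock.read(any(), any(), any())).thenThrow(IOException.class);` followed by `assertThrows(IOException.class, () -> sslContextFactory.create(new SslAuthenticationHelper()));`, so a broken keystore cannot silently degrade to a context without client certificates.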
diff --git a/pnfsimulator/src/test/java/org/onap/pnfsimulator/simulator/client/utils/ssl/SslSupportLevelTest.java b/pnfsimulator/src/test/java/org/onap/pnfsimulator/simulator/client/utils/ssl/SslSupportLevelTest.java
deleted file mode 100644 (file)
index 3a7dbf2..0000000
+++ /dev/null
@@ -1,52 +0,0 @@
-/*
- * ============LICENSE_START=======================================================
- * PNF-REGISTRATION-HANDLER
- * ================================================================================
- * Copyright (C) 2018 Nokia. All rights reserved.
- * ================================================================================
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *      http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- * ============LICENSE_END=========================================================
- */
-
-package org.onap.pnfsimulator.simulator.client.utils.ssl;
-
-import org.junit.jupiter.api.Test;
-
-import java.net.MalformedURLException;
-
-import static org.junit.jupiter.api.Assertions.assertEquals;
-import static org.junit.jupiter.api.Assertions.assertThrows;
-
-class SslSupportLevelTest {
-
-    private static final String HTTPS_URL = "https://127.0.0.1:8443/";
-    private static final String HTTP_URL = "http://127.0.0.1:8080/";
-
-    @Test
-    void testShouldReturnAlwaysTrustSupportLevelForHttpsUrl() throws MalformedURLException {
-        SslSupportLevel actualSupportLevel = SslSupportLevel.getSupportLevelBasedOnProtocol(HTTPS_URL);
-        assertEquals(SslSupportLevel.ALWAYS_TRUST, actualSupportLevel);
-    }
-
-    @Test
-    void testShouldReturnNoneSupportLevelForHttpUrl() throws MalformedURLException {
-        SslSupportLevel actualSupportLevel = SslSupportLevel.getSupportLevelBasedOnProtocol(HTTP_URL);
-        assertEquals(SslSupportLevel.NONE, actualSupportLevel);
-    }
-
-    @Test
-    void testShouldRaiseExceptionWhenInvalidUrlPassed() {
-        assertThrows(MalformedURLException.class, () -> SslSupportLevel.getSupportLevelBasedOnProtocol("http://bla:VES-PORT/"));
-    }
-
-}
index 9c6aa22..ad4e3df 100644 (file)
@@ -1,3 +1,3 @@
 {
-  "vesServerUrl": "http://172.17.0.1:8080/eventListener/v7"
+  "vesServerUrl": "https://ves:8443/eventListener/v7"
 }
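Review bot: With strict hostname verification now in force, the certificate that the `ves` service presents has to contain `ves` as a subject alternative name (or CN) or every event send from the simulator will fail the handshake; this JSON file cannot carry a comment, and the `diff --git` header for it is missing from the page so its path cannot be named here. Record that requirement in the README next to the `vesServerUrl` instructions, for example: "The hostname in `vesServerUrl` must match a SAN in the certificate issued to VES, since the simulator verifies hostnames strictly."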
diff --git a/sanitycheck/pnfsimulator-secured/Makefile b/sanitycheck/pnfsimulator-secured/Makefile
deleted file mode 100644 (file)
index 3783fbe..0000000
+++ /dev/null
@@ -1,57 +0,0 @@
-default:
-       @echo "There is no default target. Use: make <specific_target>"
-
-start-ejbca: --run-ejbca-container --wait-for-ejbca --configure-ejbca
-
-start-pnfsim-with-certservice-certs: --create-certservice-internal-certs --create-client-volume --run-certservice-and-pnfsim-containers
-
-start-local-secured-ves:
-       docker-compose -f docker-compose-ves.yml up
-
-start-pnfsim-with-certman-certs:
-       docker-compose -f docker-compose-certman.yml up
-
-clean-pnfsim-with-certman-setup:
-       docker-compose -f docker-compose-certman.yml down
-
-clean-pnfsim-with-certservice-setup: --clean-certservice-internal-certs --clean-client-volume
-       docker rm -f oomcert-ejbca || true
-       docker-compose -f docker-compose-certservice.yml down
-       docker-compose -f docker-compose-ves.yml down
-
---run-ejbca-container:
-       docker run \
-               -d \
-               --rm \
-               --name oomcert-ejbca \
-               --hostname cahostname \
-               -p 80:8080 \
-               -p 443:8443 \
-               --volume `pwd`/certservice/ejbca-resources/ejbca-configuration.sh:/opt/primekey/scripts/ejbca-configuration.sh \
-               --health-cmd "curl -kI https://localhost:8443/ejbca/publicweb/healthcheck/ejbcahealth" \
-               --health-interval 10s \
-               --health-timeout 3s \
-               --health-retries 15 \
-               primekey/ejbca-ce:6.15.2.5
-
---configure-ejbca:
-       docker exec oomcert-ejbca /opt/primekey/scripts/ejbca-configuration.sh
-
---create-client-volume:
-       mkdir -p ./certservice/client-resources/client-volume -m 777
-
---run-certservice-and-pnfsim-containers:
-       docker-compose -f docker-compose-certservice.yml up
-
---create-certservice-internal-certs:
-       make -C certservice/certs all
-
---clean-certservice-internal-certs:
-       make -C certservice/certs clear
-
---clean-client-volume:
-       rm -rf certservice/client-resources/client-volume
-
---wait-for-ejbca:
-       @echo 'Waiting for EJBCA...'
-       until docker container inspect oomcert-ejbca | grep '"Status": "healthy"'; do sleep 3; done
index 6a2cb37..3acaf1c 100644 (file)
-Standalone PNF Simulator configuration for HTTPS communication to VES
+Standalone PNF Simulator configuration for HTTPS communication with VES
 ------------------------
 
-### General description
+This directory contains files for secured PNF Simulator deployments, which will use certificates for HTTPS communication with VES.  
 
-Makefile in sanitycheck/pnfsimulator-secured is an interface for deployment of PNF simulator with fetching certs from 
-chosen source. 
-
-Makefile offers functionalities that allows to:    
-
-    * Run PNF simulator with fetching certs from AAF Certman
-    * Run PNF simulator with fetching certs from OOM Certservice (CMPv2)
-
-## Fetching from AAF Certman
-### Description
-
-docker-compose-certman.yml prepares PNF simulator container for HTTPS communication with VES.
-
-When docker-compose starts certs-init container fills connected volume with certificates, truststores, keystores, 
-passwords etc. Next pnf-simulator container starts and connects to the same volume. On startup it should read password
-values from proper files and set them in system environment variables. With these variables and files in volume 
-application is ready to work on HTTPS.
-
-### Prerequisites
-
-1. certs-init container works with external AAF on cloud. Due to that fact it must have set correct IPs to workers that
-has access to AAF. In docker-compose.yml fields with mentioned IPs are:
-    
-    * aaf-locate.onap
-    * aaf-cm.onap
-    * aaf-service.onap
-
-### Start
-
-**ATTENTION** 
-
-Proper IPs to AAF must be set in the docker-compose-certman.yml before start (as described in prerequisites)!
-
-```
-make start-pnfsim-with-certman-certs
-```
-
-### Send event
-
-**ATTENTION**
-
-``sanitycheck/events/eventToVes.json`` file which is request for sending event to VES must have correct ``vesServerURL`` 
-field before sending event. 
-IP of ``vesServerURL`` should be the same as given in docker-compose-certman.yml in ``aaf-locate.onap`` field.
-To use secured connection remember about setting protocol to https:// and port to proper secured port of VES.
-
-To send event from PNF simulator to VES use this command from ``pnf-simulator/sanitycheck`` directory:
-
-````
-make generate-event
-````
-
-Sample ``sanitycheck/events/eventToVes.json`` file content is:
-
-```json
-{
-  "vesServerUrl": "https://10.183.35.177:30417/eventListener/v7",
-  "event": {
-    "event": {
-      "commonEventHeader": {
-        "version": "4.0.1",
-        "vesEventListenerVersion": "7.0.1",
-        "domain": "fault",
-        "eventName": "Fault_Vscf:Acs-Ericcson_PilotNumberPoolExhaustion",
-        "eventId": "fault0000245",
-        "sequence": 1,
-        "priority": "High",
-        "reportingEntityId": "cc305d54-75b4-431b-adb2-eb6b9e541234",
-        "reportingEntityName": "ibcx0001vm002oam001",
-        "sourceId": "de305d54-75b4-431b-adb2-eb6b9e546014",
-        "sourceName": "scfx0001vm002cap001",
-        "nfVendorName": "Ericsson",
-        "nfNamingCode": "scfx",
-        "nfcNamingCode": "ssc",
-        "startEpochMicrosec": 1413378172000000,
-        "lastEpochMicrosec": 1413378172000000,
-        "timeZoneOffset": "UTC-05:30"
-      },
-      "faultFields": {
-        "faultFieldsVersion": "4.0",
-        "alarmCondition": "PilotNumberPoolExhaustion",
-        "eventSourceType": "other",
-        "specificProblem": "Calls cannot complete - pilot numbers are unavailable",
-        "eventSeverity": "CRITICAL",
-        "vfStatus": "Active",
-        "alarmAdditionalInformation": {
-          "PilotNumberPoolSize": "1000"
-        }
-      }
-    }
-  }
-}
-```
-
-### Stop
-To remove pnf-simulator containers use:
-```
-make clean-pnfsim-with-certman-setup
-```
-
-## Fetching certificates from OOM Certservice (CMPv2)
-### Description
-
-Running Makefile with Certservice target will start the following flow:
-
-1. Create certificates that will be used for internal communication between Certservice and Certservice-client. 
-    Generated internal certificates should be present in sanitycheck/pnfsimulator-secured/certservice/certs directory.
-
-2. Run docker-compose-certservice.yml that creates:
-    
-    2.1. Certservice container with mounted previously generated certificates.
-    
-    2.2. Certservice-client with mounted internal certificates as well. This containers requests Certservice for
-        Certificates that will be used by PNF simulator in HTTPS connection. Before closing of container it saves
-        these certs in locally mounted volume in 
-        sanitycheck/pnfsimulator-secured/certservice/client-resources/client-volume 
+Currently, there are two ways for PNF Simulator to fetch certificates:
+* Using AAF Certman 
+* Using OOM CertService (CMPv2) 
     
-    2.3. PNF simulator that has mounted certificates from client. Before starting the simulator itself, names of certs 
-        files are changed to fit the PNF simulator configuration.
-        
-### Prerequisites
-
-
-##### EJBCA configuration
-Certservice container will try to connect to EJBCA on docker-compose-certservice.yml startup to fetch certs. 
-Whole connection configuration to EJBCA server must be done before start in file 
-sanitycheck/pnfsimulator-secured/certservice/certservice-resources/cmpServers.json.
-
-EJBCA might be deployed locally or externally. Described in this README Makefile has a target that runs configured EJBCA
-container locally. To run that target use:
-
-```
-make start-ejbca
-```
-
-
-Configuration of cmpServers.json for this local EJBCA container should be:
-```json
-{
-  "cmpv2Servers": [
-    {
-      "caName": "Client",
-      "url": "http://<docker0_network_ip>:80/ejbca/publicweb/cmp/cmp",
-      "issuerDN": "CN=ManagementCA",
-      "caMode": "CLIENT",
-      "authentication": {
-        "iak": "mypassword",
-        "rv": "mypassword"
-      }
-    },
-    {
-      "caName": "RA",
-      "url": "http://<docker0_network_ip>:80/ejbca/publicweb/cmp/cmpRA",
-      "issuerDN": "CN=ManagementCA",
-      "caMode": "RA",
-      "authentication": {
-        "iak": "mypassword",
-        "rv": "mypassword"
-      }
-    }
-  ]
-}
-```
-``docker0_network_ip`` might be found when running `ifconfig docker0` next to `inet` field.
-
-### Start
-
-**ATTENTION**
-
-Remember that before starting certservice, the EJBCA server must run, be properly configured and 
-sanitycheck/pnfsimulator-secured/certservice/certservice-resources/cmpServers.json must be set correctly. 
-
-For more info read _prerequisites_ section.
-```
-make start-pnfsim-with-certservice-certs
-```
-
-### Send event
-
-##### VES collector
-
-Destination VES collector should use certificate generated from the same CMPv2 server for successful HTTPS 
-communication. There is local deployment of VES (with DMAAP simulator) to be used from Makefile that 
-uses certificates generated by the same CMPv2 server as PNF simulator uses. 
-
-##### VES collector local deployment prerequisites
-
-By default the image of VES from Nexus supports only HTTP communication. Local image with enabled HTTPS must be 
-build to use local VES as PNF simulator destination.
-
-1. Pull VES repository
-2. In `<VES_PROJECT_ROOT>/etc/collector.properties` file set field `auth.method=certBasicAuth`
-3. Build local image: `mvn clean install docker:build` from VES project root directory.
-
-VES deployment from Makefile uses also DMAAP simulator. Its image should be built locally as well.
-1. Go to `sanitycheck/dmaap-simulator` directory
-2. Run: `make build`
-
-If you want to use that VES + DMAAP simulator deployment enter:
-```
-make start-local-secured-ves
-```
-
-**ATTENTION**
-
-Before sending an event to VES, the correct VES server URL must be passed to 
-``sanitycheck/events/vesAddressConfiguration.json`` file in field ``vesServerURL``.
-
-For local VES, `vesServerURL` should have value: ``https://<docker0_network_ip>:8444/eventListener/v7``.
-``docker0_network_ip`` might be found when running `ifconfig docker0` next to `inet` field.
-
-To reconfigure PNF simulator to use
-new URL use this command from ``pnf-simulator/sanitycheck`` directory:
-```
-make reconfigure-ves-url
-```
-
-To send event from PNF simulator to VES use this command from ``pnf-simulator/sanitycheck`` directory:
-
-```
-make generate-event
-```
-
-### Stop
+Both ways are described in `certman` and `certservice` directories respectively
 
-To clean all generated certificates, remove pnf-simulator, certservice, ejbca and ves containers use:
-```
-make clean-pnfsim-with-certservice-certs
-```
\ No newline at end of file
diff --git a/sanitycheck/pnfsimulator-secured/certman/Makefile b/sanitycheck/pnfsimulator-secured/certman/Makefile
new file mode 100644 (file)
index 0000000..b46efda
--- /dev/null
@@ -0,0 +1,8 @@
+default:
+       @echo "There is no default target. Use: make <specific_target>"
+
+start-pnfsim:
+       docker-compose -f docker-compose.yml up
+
+clean-pnfsim:
+       docker-compose -f docker-compose.yml down
diff --git a/sanitycheck/pnfsimulator-secured/certman/README.md b/sanitycheck/pnfsimulator-secured/certman/README.md
new file mode 100644 (file)
index 0000000..c0bab32
--- /dev/null
@@ -0,0 +1,91 @@
+## Fetching from AAF Certman
+This readme describes how to run PNF Simulator with certificates fetched using AAF Certman
+
+### Description
+
+docker-compose.yml prepares PNF simulator container for HTTPS communication with VES.
+
+When docker-compose starts certs-init container fills connected volume with certificates, truststores, keystores, 
+passwords etc. Next pnf-simulator container starts and connects to the same volume. On startup it should read password
+values from proper files and set them in system environment variables. With these variables and files in volume 
+application is ready to work on HTTPS.
+
+### Prerequisites
+
+certs-init container works with external AAF on cloud. Due to that fact it must have set correct IPs to workers that
+has access to AAF. In docker-compose.yml fields with mentioned IPs are:
+    
+    * aaf-locate.onap
+    * aaf-cm.onap
+    * aaf-service.onap
+
+### Start
+
+Run PNF Simulator:
+
+```
+make start-pnfsim
+```
+
+### Send event
+
+**ATTENTION**
+
+``sanitycheck/events/eventToVes.json`` file which is request for sending event to VES must have correct ``vesServerURL`` 
+field before sending event. 
+IP of ``vesServerURL`` should be the same as given in docker-compose-certman.yml in ``aaf-locate.onap`` field.
+To use secured connection remember about setting protocol to https:// and port to proper secured port of VES.
+
+To send event from PNF simulator to VES use this command from ``pnf-simulator/sanitycheck`` directory:
+
+````
+make generate-event
+````
+
+Sample ``sanitycheck/events/eventToVes.json`` file content is:
+
+```json
+{
+  "vesServerUrl": "https://10.183.35.177:30417/eventListener/v7",
+  "event": {
+    "event": {
+      "commonEventHeader": {
+        "version": "4.0.1",
+        "vesEventListenerVersion": "7.0.1",
+        "domain": "fault",
+        "eventName": "Fault_Vscf:Acs-Ericcson_PilotNumberPoolExhaustion",
+        "eventId": "fault0000245",
+        "sequence": 1,
+        "priority": "High",
+        "reportingEntityId": "cc305d54-75b4-431b-adb2-eb6b9e541234",
+        "reportingEntityName": "ibcx0001vm002oam001",
+        "sourceId": "de305d54-75b4-431b-adb2-eb6b9e546014",
+        "sourceName": "scfx0001vm002cap001",
+        "nfVendorName": "Ericsson",
+        "nfNamingCode": "scfx",
+        "nfcNamingCode": "ssc",
+        "startEpochMicrosec": 1413378172000000,
+        "lastEpochMicrosec": 1413378172000000,
+        "timeZoneOffset": "UTC-05:30"
+      },
+      "faultFields": {
+        "faultFieldsVersion": "4.0",
+        "alarmCondition": "PilotNumberPoolExhaustion",
+        "eventSourceType": "other",
+        "specificProblem": "Calls cannot complete - pilot numbers are unavailable",
+        "eventSeverity": "CRITICAL",
+        "vfStatus": "Active",
+        "alarmAdditionalInformation": {
+          "PilotNumberPoolSize": "1000"
+        }
+      }
+    }
+  }
+}
+```
+
+### Stop
+To remove pnf-simulator containers use:
+```
+make clean-pnfsim
+```
@@ -32,7 +32,7 @@ services:
     networks:
       - tls-init-network
     volumes:
-      - ../../pnfsimulator/db:/docker-entrypoint-initdb.d
+      - ../../../pnfsimulator/db:/docker-entrypoint-initdb.d
     ports:
       - "27017:27017"
 
@@ -58,9 +58,9 @@ services:
       && java -Dspring.config.location=file:/app/application.properties -cp /app/libs/*:/app/pnf-simulator.jar org.onap.pnfsimulator.Main
       "
     volumes:
-      - ../../pnfsimulator/logs:/var/log
-      - ../../pnfsimulator/templates:/app/templates
-      - ../../pnfsimulator/src/main/resources/application.properties:/app/application.properties
+      - ../../../pnfsimulator/logs:/var/log
+      - ../../../pnfsimulator/templates:/app/templates
+      - ../../../pnfsimulator/src/main/resources/application.properties:/app/application.properties
       - certs-volume:/app/store
     networks:
       - tls-init-network
diff --git a/sanitycheck/pnfsimulator-secured/certservice/Makefile b/sanitycheck/pnfsimulator-secured/certservice/Makefile
new file mode 100644 (file)
index 0000000..aea8477
--- /dev/null
@@ -0,0 +1,56 @@
+default:
+       @echo "There is no default target. Use: make <specific_target>"
+
+setup-env: --start-certservice-and-ejbca --run-certservice-clients --start-local-secured-ves
+
+start-pnfsim:
+       docker-compose -f docker-compose-pnfsim.yml up
+
+restart-pnfsim: --clean-pnfsim start-pnfsim
+
+clean-all: --clean-pnfsim --clean-env
+
+
+
+--start-certservice-and-ejbca: --create-certservice-internal-certs --start-certservice-ejbca-containers --configure-ejbca
+
+--start-certservice-ejbca-containers:
+       docker-compose -f docker-compose-certservice-ejbca.yml up -d
+
+--create-certservice-internal-certs:
+       make -C resources/certs all
+
+--configure-ejbca: --wait-for-ejbca --run-ejbca-script
+
+--wait-for-ejbca:
+       @echo 'Waiting for EJBCA... It may take a minute or two'
+       until docker container inspect oomcert-ejbca | grep '"Status": "healthy"'; do sleep 3; done
+
+--run-ejbca-script:
+       docker exec oomcert-ejbca /opt/primekey/scripts/ejbca-configuration.sh
+
+--run-certservice-clients: --create-client-volumes
+       docker-compose -f docker-compose-certservice-clients.yml up -d
+       @echo 'Waiting for client certifiactes...'
+       @until ls -1 ./resources/certservice-client/client-volume-for-pnfsim | grep "store" 1>/dev/null; do sleep 3; done
+       @until ls -1 ./resources/certservice-client/client-volume-for-ves | grep "store" 1>/dev/null; do sleep 3; done
+
+--create-client-volumes:
+       mkdir -p ./resources/certservice-client/client-volume-for-pnfsim  -m 777
+       mkdir -p ./resources/certservice-client/client-volume-for-ves -m 777
+
+--start-local-secured-ves:
+       docker-compose -f docker-compose-ves-dmaap.yml up
+
+--clean-pnfsim:
+       docker-compose -f docker-compose-pnfsim.yml down
+       rm -rf ./resources/certservice-client/client-volume-for-pnfsim/cert.p12 || true
+       rm -rf ./resources/certservice-client/client-volume-for-pnfsim/trust.jks || true
+
+--clean-env:
+       docker-compose -f docker-compose-ves-dmaap.yml down
+       docker-compose -f docker-compose-certservice-clients.yml down
+       rm -rf ./resources/certservice-client/client-volume-for-pnfsim || true
+       rm -rf ./resources/certservice-client/client-volume-for-ves || true
+       docker-compose -f docker-compose-certservice-ejbca.yml down
+       make -C resources/certs clear
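Review bot: `--create-client-volumes` creates the two client volume directories with `-m 777`, and `--clean-pnfsim` shows they end up holding `cert.p12` and `trust.jks`, i.e. the private key material the simulator and VES authenticate with; world-writable directories let any local user replace those stores. Unless the container runs as an arbitrary UID that genuinely needs write access, narrow this to `-m 770` (or `chown` to the UID the client container runs as) — I cannot see the compose file, so the exact mode should be confirmed against it. Minor: the echoed message in `--run-certservice-clients` misspells "certifiactes"; `@echo 'Waiting for client certificates...'`.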
diff --git a/sanitycheck/pnfsimulator-secured/certservice/README.md b/sanitycheck/pnfsimulator-secured/certservice/README.md
new file mode 100644 (file)
index 0000000..16a4793
--- /dev/null
@@ -0,0 +1,81 @@
+## Fetching certificates from OOM CertService (CMPv2)
+This readme describes how to run PNF Simulator with certificates fetched using OOM CertService (CMPv2) 
+
+### Description
+
+Using Makefile in this directory following can be achieved:
+
+* Setup environment for PNF Simulator, i.e.:
+    * Create certificates that will be used for internal communication between CertService and CertService Clients. 
+    Generated internal certificates should be present in `resources/certs` directory.
+    * Start and configure EJBCA
+    * Start and configure AAF Cert Service.
+    * Run Cert Service Clients to fetch certificates for VES and PNF Simulator. Certificates will be stored for the components 
+in `resources/certservice-client/client-volume-for-ves` and `resources/certservice-client/client-volume-for-pnfsim` accordingly.
+    *  Start VES and DMaaP Simulator. Fetched certificates will be mounted to VES.
+
+* Start PNF Simulator. Fetched certificates will be mounted to PNF Simulator.
+* Clean up.
+        
+### Prerequisites
+##### VES collector local deployment prerequisites
+
+By default, the image of VES from Nexus supports only HTTP communication. A local image with enabled HTTPS must be 
+build to use local VES as PNF simulator destination.
+
+1. Pull VES repository
+2. In `<VES_PROJECT_ROOT>/etc/collector.properties` file set field `auth.method=certBasicAuth`
+3. Build a local image: `mvn clean install docker:build` from VES project root directory.
+
+Local VES deployment uses also DMaaP simulator. Its image should be built locally as well.
+1. Go to `sanitycheck/dmaap-simulator` directory
+2. Run: `make build`
+
+
+
+### Setup environment
+To set up whole environment for PNF Simulator, i.e.:
+- deploy and configure EJBCA
+- deploy Cert Service
+- fetch certificates for VES and PNF Simulator using Cert Service clients
+- run DMaaP Simulator
+- run VES with fetched certificates
+
+execute:
+````
+make setup-env
+````
+Note that this command setups whole environment besides PNF Simulator itself. 
+
+## Run PNF Simulator
+To run PNF Simulator execute:
+````
+make start-pnfsim
+````
+This command starts PNF Simulator with certificates fetched using CertService (certificates are fetched in the previous step)
+
+### Send event
+
+Configure PNF simulator to use proper VES URL by executing this command from ``pnf-simulator/sanitycheck`` directory:
+```
+make reconfigure-ves-url
+```
+
+Send an event from PNF simulator to VES by executing this command from ``pnf-simulator/sanitycheck`` directory:
+```
+make generate-event
+```
+
+### Restart PNF Simulator
+
+To restart only PNF Simulator execute:
+```
+make restart-pnfsim
+```
+
+### Clean up
+To clean all generated certificates, remove PNF Simulator, CertService, EJBCA, VES and DMaaP Simulator containers:
+```
+make clean-all
+```
diff --git a/sanitycheck/pnfsimulator-secured/certservice/docker-compose-certservice-clients.yml b/sanitycheck/pnfsimulator-secured/certservice/docker-compose-certservice-clients.yml
new file mode 100644 (file)
index 0000000..fdfd6c6
--- /dev/null
@@ -0,0 +1,28 @@
+version: "2.1"
+
+networks:
+  onap:
+    external: true
+
+services:
+  oom-cert-client-ves:
+    image: nexus3.onap.org:10001/onap/org.onap.oom.platform.cert-service.oom-certservice-client:2.1.0
+    container_name: oomcert-client-for-ves
+    env_file: ./resources/certservice-client/client-configuration-for-ves.env
+    networks:
+      - onap
+    volumes:
+      - ./resources/certservice-client/client-volume-for-ves:/var/certs:rw
+      - ./resources/certs/truststore.jks:/etc/onap/oom/certservice/certs/truststore.jks
+      - ./resources/certs/certServiceClient-keystore.jks:/etc/onap/oom/certservice/certs/certServiceClient-keystore.jks
+
+  oom-cert-client-pnfsim:
+    image: nexus3.onap.org:10001/onap/org.onap.oom.platform.cert-service.oom-certservice-client:2.1.0
+    container_name: oomcert-client
+    env_file: ./resources/certservice-client/client-configuration-for-pnfsim.env
+    networks:
+      - onap
+    volumes:
+      - ./resources/certservice-client/client-volume-for-pnfsim:/var/certs:rw
+      - ./resources/certs/truststore.jks:/etc/onap/oom/certservice/certs/truststore.jks
+      - ./resources/certs/certServiceClient-keystore.jks:/etc/onap/oom/certservice/certs/certServiceClient-keystore.jks
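Review bot: Both client services write the issued `keystore.jks` and its `keystore.pass` into the bind-mounted `client-volume-for-*` directories, which the Makefile creates with `-m 777` (L1428-L1429), so a private key and the file unlocking it end up in world-writable host directories. Consider a restrictive mode on the host directory plus a `user:` entry on the client service matching the host owner, or at least a comment next to the `rw` mount such as `# the client writes keystore.jks/.pass here; keep host directory permissions tight`. Also the container names are inconsistent: `oomcert-client-for-ves` for one client versus plain `oomcert-client` for the pnfsim one; `oomcert-client-for-pnfsim` would match. The clients also rely on `oom-cert-service` being up with no ordering in this file (it lives in a different compose file), which is presumably covered by the Makefile sequencing outside this hunk.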
diff --git a/sanitycheck/pnfsimulator-secured/certservice/docker-compose-certservice-ejbca.yml b/sanitycheck/pnfsimulator-secured/certservice/docker-compose-certservice-ejbca.yml
new file mode 100644 (file)
index 0000000..38b130f
--- /dev/null
@@ -0,0 +1,47 @@
+version: "2.1"
+
+networks:
+  onap:
+    driver: bridge
+    name: onap
+  public:
+    driver: bridge
+    name: public
+
+services:
+  ejbca:
+    image: primekey/ejbca-ce:6.15.2.5
+    hostname: cahostname
+    container_name: oomcert-ejbca
+    ports:
+      - "80:8080"
+      - "443:8443"
+    volumes:
+      - ./resources/ejbca/ejbca-configuration.sh:/opt/primekey/scripts/ejbca-configuration.sh
+    healthcheck:
+      test: [ "CMD-SHELL", "curl -kI https://localhost:8443/ejbca/publicweb/healthcheck/ejbcahealth" ]
+      interval: 10s
+      timeout: 3s
+      retries: 15
+    networks:
+      - onap
+
+  oom-cert-service:
+    image: nexus3.onap.org:10001/onap/org.onap.oom.platform.cert-service.oom-certservice-api:2.1.0
+    volumes:
+      - ./resources/certservice/cmpServers.json:/etc/onap/oom/certservice/cmpServers.json
+      - ./resources/certs/truststore.jks:/etc/onap/oom/certservice/certs/truststore.jks
+      - ./resources/certs/root.crt:/etc/onap/oom/certservice/certs/root.crt
+      - ./resources/certs/certServiceServer-keystore.jks:/etc/onap/oom/certservice/certs/certServiceServer-keystore.jks
+      - ./resources/certs/certServiceServer-keystore.p12:/etc/onap/oom/certservice/certs/certServiceServer-keystore.p12
+    container_name: oomcert-service
+    ports:
+      - "8443:8443"
+    healthcheck:
+      test: ["CMD-SHELL", "curl https://localhost:8443/actuator/health --cacert /etc/onap/oom/certservice/certs/root.crt --cert-type p12 --cert /etc/onap/oom/certservice/certs/certServiceServer-keystore.p12 --pass secret"]
+      interval: 10s
+      timeout: 3s
+      retries: 15
+    networks:
+      - onap
+      - public
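Review bot: EJBCA still publishes host ports `80:8080` and `443:8443` even though the CMP endpoint now resolves to `oomcert-ejbca:8080` over the `onap` network (L1749, L1758) and no other new file refers to the host ports; the binding claims the host's 80/443 and exposes the EJBCA web interface on the host for no visible reason. The `wait-for-ejbca` check runs `docker container inspect` and the healthcheck runs inside the container, so the `ports:` block can likely be dropped, or its purpose documented in a comment. Separately, `oom-cert-service` has no ordering relative to EJBCA although a healthcheck is defined; the deleted file used this pattern, and `depends_on:` / `ejbca:` / `condition: service_healthy` under the service would make the intent explicit if the service needs the CA reachable at startup.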
diff --git a/sanitycheck/pnfsimulator-secured/certservice/docker-compose-pnfsim.yml b/sanitycheck/pnfsimulator-secured/certservice/docker-compose-pnfsim.yml
new file mode 100644 (file)
index 0000000..f09b0a9
--- /dev/null
@@ -0,0 +1,61 @@
+version: "2.1"
+
+networks:
+  pnfsimulator:
+    driver: bridge
+    name: pnfsimulator
+  public:
+    external: true
+  onap:
+    external: true
+
+services:
+  mongo:
+    image: mongo
+    restart: always
+    networks:
+      - pnfsimulator
+    environment:
+      MONGO_INITDB_ROOT_USERNAME: root
+      MONGO_INITDB_ROOT_PASSWORD: zXcVbN123!
+      MONGO_INITDB_DATABASE: pnf_simulator
+    volumes:
+      - ../../../pnfsimulator/db:/docker-entrypoint-initdb.d
+    ports:
+      - "27017:27017"
+
+  mongo-express:
+    image: mongo-express
+    restart: always
+    networks:
+      - pnfsimulator
+    ports:
+      - 8081:8081
+    environment:
+      ME_CONFIG_MONGODB_ADMINUSERNAME: root
+      ME_CONFIG_MONGODB_ADMINPASSWORD: zXcVbN123!
+
+  pnf-simulator:
+    image: nexus3.onap.org:10003/onap/org.onap.integration.simulators.pnfsimulator
+    ports:
+      - "5000:5000"
+    networks:
+      - pnfsimulator
+      - public
+    command: bash -c "
+      while [[ $$(ls -1 /app/store | wc -l) != '4' ]]; do echo 'Waiting for certs...'; sleep 3; done
+      && cp /app/store/truststore.jks /app/store/trust.jks
+      && cp /app/store/keystore.jks /app/store/cert.p12
+      && export CLIENT_CERT_PASS=$$(cat /app/store/keystore.pass)
+      && export TRUST_CERT_PASS=$$(cat /app/store/truststore.pass)
+      && java -Dspring.config.location=file:/app/application.properties  -cp /app/libs/*:/app/pnf-simulator.jar org.onap.pnfsimulator.Main
+      "
+    volumes:
+      - ../../../pnfsimulator/logs:/var/log
+      - ../../../pnfsimulator/templates:/app/templates
+      - ../../../pnfsimulator/src/main/resources/application.properties:/app/application.properties
+      - ./resources/certservice-client/client-volume-for-pnfsim/:/app/store/
+    restart: on-failure
+    depends_on:
+      - mongo
+      - mongo-express
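Review bot: The `onap` network is declared as external (L1629-L1630) but no service in this file joins it; `pnf-simulator` attaches only to `pnfsimulator` and `public`. A declared external network still makes `docker-compose up` fail when it does not exist, so either remove the declaration or, if the simulator is meant to reach `oom-cert-service`, add `- onap` under the service's `networks:`. Minor: `- 8081:8081` is the only unquoted port mapping in the file; `- "8081:8081"` matches the others. Mongo is published on host port 27017 with a hard-coded root password carried over from the deleted file; acceptable for a sanity-check environment, but a comment stating that this stack is for local testing only would help.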
diff --git a/sanitycheck/pnfsimulator-secured/certservice/docker-compose-ves-dmaap.yml b/sanitycheck/pnfsimulator-secured/certservice/docker-compose-ves-dmaap.yml
new file mode 100644 (file)
index 0000000..86f0202
--- /dev/null
@@ -0,0 +1,33 @@
+version: "2.1"
+
+networks:
+  public:
+    external: true
+  onap:
+    external: true
+
+services:
+  ves:
+    container_name: ves
+    image: nexus3.onap.org:10003/onap/org.onap.dcaegen2.collectors.ves.vescollector:latest
+    ports:
+      - "8082:8080"
+      - "8444:8443"
+    networks:
+      - onap
+      - public
+    volumes:
+      - ./resources/certservice-client/client-volume-for-ves/keystore.jks:/opt/app/VESCollector/etc/keystore
+      - ./resources/certservice-client/client-volume-for-ves/keystore.pass:/opt/app/VESCollector/etc/passwordfile
+      - ./resources/certservice-client/client-volume-for-ves/truststore.jks:/opt/app/VESCollector/etc/truststore
+      - ./resources/certservice-client/client-volume-for-ves/truststore.pass:/opt/app/VESCollector/etc/trustpasswordfile
+    depends_on:
+      - onap-dmaap
+
+  onap-dmaap:
+    container_name: dmaap
+    image: dmaap-simulator
+    ports:
+      - "3904:3904"
+    networks:
+      - onap
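Review bot: The compose pulls `vescollector:latest` from nexus3 (L1698), while the README added in this change states the Nexus image supports only HTTP and a locally built image with HTTPS enabled must be used (L1473-L1474); unless the local build is tagged with exactly that name, `docker-compose up` will pull the HTTP-only image and the mounted keystore/truststore go unused. Pin `image:` to the tag produced by the local `mvn clean install docker:build`, or add a comment next to `image:` naming the expected local tag. `depends_on: - onap-dmaap` only orders container start; if VES needs DMaaP at startup, a healthcheck on `onap-dmaap` with `condition: service_healthy` is available under `version: "2.1"`.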
diff --git a/sanitycheck/pnfsimulator-secured/certservice/resources/certservice-client/client-configuration-for-ves.env b/sanitycheck/pnfsimulator-secured/certservice/resources/certservice-client/client-configuration-for-ves.env
new file mode 100644 (file)
index 0000000..e06d147
--- /dev/null
@@ -0,0 +1,19 @@
+#Client envs
+REQUEST_URL=https://oom-cert-service:8443/v1/certificate/
+REQUEST_TIMEOUT=10000
+OUTPUT_PATH=/var/certs
+CA_NAME=RA
+OUTPUT_TYPE=JKS
+#Csr config envs
+COMMON_NAME=ves-onap.org
+ORGANIZATION=Linux-Foundation
+ORGANIZATION_UNIT=ONAP
+LOCATION=San-Francisco
+STATE=California
+COUNTRY=US
+SANS=ves
+#Tls config envs
+KEYSTORE_PATH=/etc/onap/oom/certservice/certs/certServiceClient-keystore.jks
+KEYSTORE_PASSWORD=secret
+TRUSTSTORE_PATH=/etc/onap/oom/certservice/certs/truststore.jks
+TRUSTSTORE_PASSWORD=secret
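Review bot: With strict hostname verification now enabled in the simulator, the VES certificate only validates when the configured VES URL uses a host listed in `SANS=ves` (with a SAN present, the CN `ves-onap.org` is typically not consulted); connecting through the published host port `8444` via `localhost` or an IP address will fail verification. Worth a comment above `SANS=ves`, e.g. `# Must match the hostname used in the simulator's VES URL (strict hostname verification)`, and the `reconfigure-ves-url` target, which is outside this hunk, presumably has to set `https://ves:8443/...`.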
@@ -2,7 +2,7 @@
   "cmpv2Servers": [
     {
       "caName": "Client",
-      "url": "http://172.17.0.1:80/ejbca/publicweb/cmp/cmp",
+      "url": "http://oomcert-ejbca:8080/ejbca/publicweb/cmp/cmp",
       "issuerDN": "CN=ManagementCA",
       "caMode": "CLIENT",
       "authentication": {
@@ -12,7 +12,7 @@
     },
     {
       "caName": "RA",
-      "url": "http://172.17.0.1:80/ejbca/publicweb/cmp/cmpRA",
+      "url": "http://oomcert-ejbca:8080/ejbca/publicweb/cmp/cmpRA",
       "issuerDN": "CN=ManagementCA",
       "caMode": "RA",
       "authentication": {
diff --git a/sanitycheck/pnfsimulator-secured/docker-compose-certservice.yml b/sanitycheck/pnfsimulator-secured/docker-compose-certservice.yml
deleted file mode 100644 (file)
index e7d4cb6..0000000
+++ /dev/null
@@ -1,93 +0,0 @@
-version: "2.1"
-
-networks:
-  certservice-network:
-    driver: bridge
-    name: certservice-network
-  pnf-simulator-network:
-    driver: bridge
-    name: pnf-simulator-network
-
-services:
-
-  oom-cert-service:
-    image: nexus3.onap.org:10001/onap/org.onap.oom.platform.cert-service.oom-certservice-api:2.1.0
-    volumes:
-      - ./certservice/certservice-resources/cmpServers.json:/etc/onap/oom/certservice/cmpServers.json
-      - ./certservice/certs/truststore.jks:/etc/onap/oom/certservice/certs/truststore.jks
-      - ./certservice/certs/root.crt:/etc/onap/oom/certservice/certs/root.crt
-      - ./certservice/certs/certServiceServer-keystore.jks:/etc/onap/oom/certservice/certs/certServiceServer-keystore.jks
-      - ./certservice/certs/certServiceServer-keystore.p12:/etc/onap/oom/certservice/certs/certServiceServer-keystore.p12
-    container_name: oomcert-service
-    ports:
-      - "8443:8443"
-    healthcheck:
-      test: ["CMD-SHELL", "curl https://localhost:8443/actuator/health --cacert /etc/onap/oom/certservice/certs/root.crt --cert-type p12 --cert /etc/onap/oom/certservice/certs/certServiceServer-keystore.p12 --pass secret"]
-      interval: 10s
-      timeout: 3s
-      retries: 15
-    networks:
-      - certservice-network
-
-  oom-cert-client:
-    image: nexus3.onap.org:10001/onap/org.onap.oom.platform.cert-service.oom-certservice-client:2.1.0
-    container_name: oomcert-client
-    env_file: ./certservice/client-resources/client-configuration.env
-    networks:
-      - certservice-network
-    volumes:
-    - ./certservice/client-resources/client-volume:/var/certs:rw
-    - ./certservice/certs/truststore.jks:/etc/onap/oom/certservice/certs/truststore.jks
-    - ./certservice/certs/certServiceClient-keystore.jks:/etc/onap/oom/certservice/certs/certServiceClient-keystore.jks
-    depends_on:
-      oom-cert-service:
-        condition: service_healthy
-
-  mongo:
-    image: mongo
-    restart: always
-    networks:
-      - pnf-simulator-network
-    environment:
-      MONGO_INITDB_ROOT_USERNAME: root
-      MONGO_INITDB_ROOT_PASSWORD: zXcVbN123!
-      MONGO_INITDB_DATABASE: pnf_simulator
-    volumes:
-      - ../../pnfsimulator/db:/docker-entrypoint-initdb.d
-    ports:
-      - "27017:27017"
-
-  mongo-express:
-    image: mongo-express
-    restart: always
-    networks:
-      - pnf-simulator-network
-    ports:
-      - 8081:8081
-    environment:
-      ME_CONFIG_MONGODB_ADMINUSERNAME: root
-      ME_CONFIG_MONGODB_ADMINPASSWORD: zXcVbN123!
-
-  pnf-simulator:
-    image: nexus3.onap.org:10003/onap/org.onap.integration.simulators.pnfsimulator
-    ports:
-      - "5000:5000"
-    networks:
-      - pnf-simulator-network
-    command: bash -c "
-      while [[ $$(ls -1 /app/store | wc -l) != '4' ]]; do echo 'Waiting for certs...'; sleep 3; done
-      && cp /app/store/truststore.jks /app/store/trust.jks
-      && cp /app/store/keystore.jks /app/store/cert.p12
-      && export CLIENT_CERT_PASS=$$(cat /app/store/keystore.pass)
-      && export TRUST_CERT_PASS=$$(cat /app/store/truststore.pass)
-      && java -Dspring.config.location=file:/app/application.properties  -cp /app/libs/*:/app/pnf-simulator.jar org.onap.pnfsimulator.Main
-      "
-    volumes:
-      - ../../pnfsimulator/logs:/var/log
-      - ../../pnfsimulator/templates:/app/templates
-      - ../../pnfsimulator/src/main/resources/application.properties:/app/application.properties
-      - ./certservice/client-resources/client-volume/:/app/store/
-    restart: on-failure
-    depends_on:
-      - mongo
-      - mongo-express
diff --git a/sanitycheck/pnfsimulator-secured/docker-compose-ves.yml b/sanitycheck/pnfsimulator-secured/docker-compose-ves.yml
deleted file mode 100644 (file)
index 43d4f63..0000000
+++ /dev/null
@@ -1,25 +0,0 @@
-version: '3'
-services:
-  ves:
-    container_name: ves
-    image: nexus3.onap.org:10003/onap/org.onap.dcaegen2.collectors.ves.vescollector:latest
-    ports:
-      - "8082:8080"
-      - "8444:8443"
-    networks:
-      - vesnetwork
-    volumes:
-    - ./certservice/client-resources/client-volume/keystore.jks:/opt/app/VESCollector/etc/keystore
-    - ./certservice/client-resources/client-volume/keystore.pass:/opt/app/VESCollector/etc/passwordfile
-    - ./certservice/client-resources/client-volume/trust.jks:/opt/app/VESCollector/etc/truststore
-    - ./certservice/client-resources/client-volume/truststore.pass:/opt/app/VESCollector/etc/trustpasswordfile
-  onap-dmaap:
-    container_name: dmaap
-    image: dmaap-simulator
-    ports:
-      - "3904:3904"
-    networks:
-      - vesnetwork
-networks:
-  vesnetwork:
-    driver: bridge