Merge "Fix up several JUnits which were using real HTTP"
authorvarun gudisena <vg411h@att.com>
Fri, 20 Jul 2018 21:48:21 +0000 (21:48 +0000)
committerGerrit Code Review <gerrit@onap.org>
Fri, 20 Jul 2018 21:48:21 +0000 (21:48 +0000)
22 files changed:
INFO.yaml
auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/ca/LocalCA.java
auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/service/CMService.java
auth/docker/.gitignore
auth/docker/Dockerfile.config
auth/docker/aaf.props
auth/docker/d.props.init
auth/docker/dbounce.sh
auth/docker/dbuild.sh
auth/sample/bin/client.sh
auth/sample/data/identities.dat
auth/sample/data/sample.identities.dat
cadi/aaf/src/main/java/org/onap/aaf/cadi/aaf/AAFPermission.java
cadi/aaf/src/main/java/org/onap/aaf/cadi/aaf/TestConnectivity.java
cadi/aaf/src/main/java/org/onap/aaf/cadi/aaf/v2_0/AAFLurPerm.java
cadi/aaf/src/main/java/org/onap/aaf/cadi/configure/Agent.java
cadi/aaf/src/main/java/org/onap/aaf/cadi/configure/PlaceArtifactInKeystore.java
cadi/aaf/src/test/java/org/onap/aaf/cadi/cm/test/JU_ArtifactDir.java
cadi/aaf/src/test/java/org/onap/aaf/cadi/cm/test/JU_PlaceArtifactInKeystore.java
docs/sections/installation/client_vol.rst [new file with mode: 0644]
docs/sections/installation/install_from_source.rst [new file with mode: 0644]
docs/sections/installation/sample.rst [moved from docs/sections/installation/fromsource.rst with 100% similarity]

index b90cb9b..840eb5e 100644 (file)
--- a/INFO.yaml
+++ b/INFO.yaml
@@ -3,9 +3,9 @@ project: 'aaf-authz'
 project_creation_date: '2017-07-12'
 lifecycle_state: 'Incubation'
 project_lead: &onap_releng_ptl
-    name: 'Ram Koya'
-    email: 'rk541m@att.com'
-    id: 'rampi_k'
+    name: 'Jonathan Gathman'
+    email: 'jonathan.gathman@us.att.com'
+    id: 'instrumental'
     company: 'ATT'
     timezone: 'America/Dallas'
 primary_contact: *onap_releng_ptl
index af2d2f6..893e9f3 100644 (file)
@@ -203,7 +203,7 @@ public class LocalCA extends CA {
        public X509andChain sign(Trans trans, CSRMeta csrmeta) throws IOException, CertException {
                GregorianCalendar gc = new GregorianCalendar();
                Date start = gc.getTime();
-               gc.add(GregorianCalendar.MONTH, 2);
+               gc.add(GregorianCalendar.MONTH, 6);
                Date end = gc.getTime();
                X509Certificate x509;
                TimeTaken tt = trans.start("Create/Sign Cert",Env.SUB);
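Review bot: The certificate lifetime at `gc.add(GregorianCalendar.MONTH, 6)` is a bare constant, now tripled from the previous two months, with no comment on why six and no way to set it per deployment. A longer lifetime widens the window in which a leaked key stays usable, so the value deserves at least a named constant, e.g. `private static final int CERT_VALID_MONTHS = 6; // default validity; consider making configurable`, used here as `gc.add(GregorianCalendar.MONTH, CERT_VALID_MONTHS);`. The notBefore value is also the exact current instant (`Date start = gc.getTime()`), which a relying party with a slightly slow clock will reject as not-yet-valid; back-dating start by a few minutes is the usual remedy. The body of sign() continues past the end of the hunk.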
index f9cd060..744c3c3 100644 (file)
@@ -164,22 +164,25 @@ public class CMService {
 
                                        } else {
                                                for (String cn : req.value.fqdns) {
-                                                       try {
-                                                               InetAddress[] ias = InetAddress.getAllByName(cn);
-                                                               Set<String> potentialSanNames = new HashSet<>();
-                                                               for (InetAddress ia1 : ias) {
-                                                                       InetAddress ia2 = InetAddress.getByAddress(ia1.getAddress());
-                                                                       if (primary == null && ias.length == 1 && trans.ip().equals(ia1.getHostAddress())) {
-                                                                               primary = ia1;
-                                                                       } else if (!cn.equals(ia1.getHostName())
-                                                                                       && !ia2.getHostName().equals(ia2.getHostAddress())) {
-                                                                               potentialSanNames.add(ia1.getHostName());
+                                                       if(ignoreIPs) {
+                                                               potentialSanNames.add(cn);
+                                                       } else {
+                                                               try {
+                                                                       InetAddress[] ias = InetAddress.getAllByName(cn);
+                                                                       Set<String> potentialSanNames = new HashSet<>();
+                                                                       for (InetAddress ia1 : ias) {
+                                                                               InetAddress ia2 = InetAddress.getByAddress(ia1.getAddress());
+                                                                               if (primary == null && ias.length == 1 && trans.ip().equals(ia1.getHostAddress())) {
+                                                                                       primary = ia1;
+                                                                               } else if (!cn.equals(ia1.getHostName())
+                                                                                               && !ia2.getHostName().equals(ia2.getHostAddress())) {
+                                                                                       potentialSanNames.add(ia1.getHostName());
+                                                                               }
                                                                        }
+                                                               } catch (UnknownHostException e1) {
+                                                                       return Result.err(Result.ERR_BadData, "There is no DNS lookup for %s", cn);
                                                                }
-                                                       } catch (UnknownHostException e1) {
-                                                               return Result.err(Result.ERR_BadData, "There is no DNS lookup for %s", cn);
                                                        }
-
                                                }
                                        }
                                }
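Review bot: The `potentialSanNames` written in the new `if(ignoreIPs)` branch and the `Set<String> potentialSanNames = new HashSet<>();` declared inside the `try` block are not the same variable, because the inner declaration is scoped to the try. If the outer name is a field, the two branches fill different sets and whatever consumes the set after the loop sees only one of them; if it were a local of the enclosing method, the inner declaration would not compile at all, so I assume a field. Declaring the set once above `for (String cn : req.value.fqdns)` and deleting the inner declaration makes both branches feed the same collection. The new branch also deserves a comment such as `// ignoreIPs: the requested name is accepted as a SAN without the DNS lookup that otherwise rejects unknown hosts`, since that is the behavioural change it introduces. The enclosing method starts and ends outside the hunk.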
index a03737d..c058b04 100644 (file)
@@ -1,2 +1,3 @@
 local
 d.props
+aaf.props
index f3bd6bc..60e82ad 100644 (file)
@@ -11,6 +11,7 @@ COPY local /opt/app/aaf_config/local
 COPY public /opt/app/aaf_config/public
 COPY logs /opt/app/aaf_config/logs
 COPY bin/service.sh /opt/app/aaf_config/bin/agent.sh
+COPY bin/aaf-cadi-aaf-${VERSION}-full.jar /opt/app/aaf_config/bin/
 
 ENTRYPOINT ["/bin/bash","/opt/app/aaf_config/bin/agent.sh"]
 CMD []
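Review bot: `COPY bin/aaf-cadi-aaf-${VERSION}-full.jar /opt/app/aaf_config/bin/` only works if this Dockerfile declares `ARG VERSION` before the COPY and the build passes `--build-arg VERSION=...`; otherwise the variable expands to an empty string and the build fails on a non-existent `aaf-cadi-aaf--full.jar`. Neither the ARG nor the build-arg is visible in this diff, so please confirm it exists, and if not add `ARG VERSION` near the top of the file.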
index 8d18f55..5c65480 100644 (file)
@@ -1,14 +1,11 @@
-FQI=clamp@clamp.onap.org
-VOLUME=clamp_aaf
-LONGITUDE=-92
-FQDN=meriadoc.mithril.sbc.com
 VERSION=2.1.2-SNAPSHOT
-DRIVER=local
-LATITUDE=38
-FQDN_IP=192.168.99.100
 AAF_FQDN=meriadoc.mithril.sbc.com
-AAF_AAF_FQDN_IP=192.168.99.100
 DEPLOY_FQI=deployer@people.osaaf.org
-DEPLOY_PASSWORD=demo123456!
 APP_FQDN=meriadoc.mithril.sbc.com
 APP_FQI=clamp@clamp.onap.org
+VOLUME=clamp_aaf
+DRIVER=local
+LATITUDE=38.432899
+LONGITUDE=-90.43248
+AAF_AAF_FQDN_IP=192.168.99.100
+DEPLOY_PASSWORD=demo123456!
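Review bot: `DEPLOY_PASSWORD=demo123456!` is committed in plaintext in a tracked file, and the `.gitignore` entry for `aaf.props` added in this same change does not untrack it, since git ignores only files that are not already in the index; every future edit will keep being committed. To honour the intent, remove the file from the index with `git rm --cached auth/docker/aaf.props` and keep it local, or leave the password empty so the agent prompts for it as the new client_vol.rst says it will. The FQI/FQDN/IP values look environment-specific rather than sample defaults and would be better left blank for the same reason.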
index 8691591..b0ba63d 100644 (file)
@@ -6,12 +6,12 @@ VERSION=2.1.2-SNAPSHOT
 CONF_ROOT_DIR=/opt/app/osaaf
 
 # Local Env info
-HOSTNAME=
+HOSTNAME=aaf.osaaf.org
 HOST_IP=
-CASS_HOST=<cass FQDN>:<cass IP>
+CASS_HOST=cass.aaf.osaaf.org:<Cass IP>
 
 # AAF Machine info
-aaf_env=DEV
-aaf_register_as=$HOSTNAME
-cadi_latitude=
-cadi_longitude=
+AAF_ENV=DEV
+AAF_REGISTER_AS=$HOSTNAME
+LATITUDE=
+LONGITUDE=
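Review bot: The keys renamed here (`aaf_env` → `AAF_ENV`, `aaf_register_as` → `AAF_REGISTER_AS`, `cadi_latitude`/`cadi_longitude` → `LATITUDE`/`LONGITUDE`) are still documented under their old names in the variable table that this same change adds to `docs/sections/installation/install_from_source.rst`, so a reader filling out d.props from that page will set variables nothing reads. The scripts that source d.props are not in this diff either, so I cannot tell whether they were updated; the rename, the docs and those consumers need to move together. `HOSTNAME=aaf.osaaf.org` also turns a deliberately blank template value into a concrete name that is used silently if the user forgets to edit it; `HOSTNAME=` with a comment was the safer default.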
index e636795..82aedd0 100644 (file)
@@ -1,4 +1,4 @@
 #!/bin/bash
 
-sh ./dstop.sh "$@"
-sh ./dstart.sh "$@"
+bash ./dstop.sh "$@"
+bash ./dstart.sh "$@"
index 10ca9d9..da0b9b6 100755 (executable)
@@ -24,7 +24,6 @@ docker build -t ${ORG}/${PROJECT}/aaf_agent:${VERSION} sample
 # Clean up 
 rm sample/Dockerfile sample/bin/aaf-cadi-aaf-${VERSION}-full.jar
 cd -
-
 ########
 # Second, build a core Docker Image
 echo Building aaf_$AAF_COMPONENT...
index 2c73614..46c85be 100644 (file)
@@ -87,9 +87,16 @@ if [ ! "$CMD" = "" ]; then
             rsync -uh --exclude=.gitignore /opt/app/aaf_config/$D/* /opt/app/osaaf/$D
         done
         ;;
+    showpass)
+        echo "## Show Passwords"
+        $JAVA -jar /opt/app/aaf_config/bin/aaf-cadi-aaf-*-full.jar showpass ${APP_FQI} ${APP_FQDN}
+        ;;
+    check)
+        $JAVA -Dcadi_prop_files=/opt/app/osaaf/local/${NS}.props -jar /opt/app/aaf_config/bin/aaf-cadi-aaf-*-full.jar check ${APP_FQI} ${APP_FQDN}
+        ;;
     validate)
         echo "## validate requested"
-        $JAVA -jar /opt/app/aaf_config/bin/aaf-cadi-aaf-*-full.jar validate cadi_prop_files=/opt/app/osaaf/local/${NS}.props
+        $JAVA -jar /opt/app/aaf_config/bin/aaf-cadi-aaf-*-full.jar validate /opt/app/osaaf/local/${NS}.props
         ;;
     bash)
         if [ ! -e ~/.bash_aliases ]; then
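Review bot: The new `showpass` and `check` cases expand `${APP_FQI}` and `${APP_FQDN}` unquoted, so an empty or space-containing value is dropped or split before the jar sees its arguments; write them as `"${APP_FQI}" "${APP_FQDN}"`. `showpass` is also invoked without the `-Dcadi_prop_files=/opt/app/osaaf/local/${NS}.props` that `check` passes, so unless the Agent locates its properties some other way it will not find the keyfile needed to decrypt anything; worth confirming. Since this subcommand exists to print decrypted credentials, a comment above the case such as `# prints decrypted passwords to stdout; keep this out of shared logs` would make the operational risk visible to whoever wires it into automation.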
index 54c0a15..7bf14d5 100644 (file)
@@ -41,7 +41,7 @@ clamp|ONAP CLAMP Application|CLAMP|Application|||a|aaf_admin
 aai|ONAP AAI Application|AAI|ONAP Application|||a|aaf_admin
 appc|ONAP APPC Application|APPC|ONAP Application|||a|aaf_admin
 dcae|ONAP DCAE Application|CLAMP|ONAP Application|||a|aaf_admin
-dmaap-bc|ONAP DMaap BC Application|DMaap BC|ONAP Application|||_admina|aaf
+dmaap-bc|ONAP DMaap BC Application|DMaap BC|ONAP Application|||a|aaf_admin
 dmaap-mr|ONAP DMaap MR Application|DMaap MR|ONAP Application|||a|aaf_admin
 oof|ONAP OOF Application|OOF|ONAP Application|||a|aaf_admin
 sdnc|ONAP SDNC Application|SDNC|ONAP Application|||a|aaf_admin
index 05ed0cc..185e160 100644 (file)
@@ -27,12 +27,12 @@ iretired|Ira Lee M. Retired|Ira|Retired|314-123-1238|clarice.d.contractor@people
 # ONAP default Users
 aaf_admin|AAF Administrator|Mr AAF|AAF Admin|||e|mmanager
 deploy|Deployer|Deployer|Depoyer|||e|aaf_admin
-demo|PORTAL DEMO|PORTAL|DEMO|||e|aaf
-jh0003|PORTAL ADMIN|PORTAL|ADMIN|||e|aaf
-cs0008|PORTAL DESIGNER|PORTAL|DESIGNER|||e|aaf
-jm0007|PORTAL TESTER|PORTAL|TESTER|||e|aaf
-op0001|PORTAL OPS|PORTAL|OPS|||e|aaf
-gv0001|PORTAL GOVERNOR|PORTAL|GOVERNOR|||e|aaf
+demo|PORTAL DEMO|PORTAL|DEMO|||e|aaf_admin
+jh0003|PORTAL ADMIN|PORTAL|ADMIN|||e|aaf_admin
+cs0008|PORTAL DESIGNER|PORTAL|DESIGNER|||e|aaf_admin
+jm0007|PORTAL TESTER|PORTAL|TESTER|||e|aaf_admin
+op0001|PORTAL OPS|PORTAL|OPS|||e|aaf_admin
+gv0001|PORTAL GOVERNOR|PORTAL|GOVERNOR|||e|aaf_admin
 # ONAP App IDs
 aaf|AAF Application|AAF|Application|||a|aaf_admin
 aaf-sms|AAF SMS Application|AAF SMS|Application|||a|aaf_admin
@@ -40,7 +40,7 @@ clamp|ONAP CLAMP Application|CLAMP|Application|||a|aaf_admin
 aai|ONAP AAI Application|AAI|ONAP Application|||a|aaf_admin
 appc|ONAP APPC Application|APPC|ONAP Application|||a|aaf_admin
 dcae|ONAP DCAE Application|CLAMP|ONAP Application|||a|aaf_admin
-dmaap-bc|ONAP DMaap BC Application|DMaap BC|ONAP Application|||_admina|aaf
+dmaap-bc|ONAP DMaap BC Application|DMaap BC|ONAP Application|||a|aaf_admin
 dmaap-mr|ONAP DMaap MR Application|DMaap MR|ONAP Application|||a|aaf_admin
 oof|ONAP OOF Application|OOF|ONAP Application|||a|aaf_admin
 sdnc|ONAP SDNC Application|SDNC|ONAP Application|||a|aaf_admin
index 6b69f79..c4ca808 100644 (file)
@@ -50,7 +50,11 @@ public class AAFPermission implements Permission {
                type = name;
                this.instance = instance;
                this.action = action;
-               key = ns + '|' + type + '|' + instance + '|' + action;
+               if(ns==null) {
+                       key = type + '|' + instance + '|' + action;
+               } else {
+                       key = ns + '|' + type + '|' + instance + '|' + action;
+               }
                this.roles = NO_ROLES;
 
        }
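Review bot: The null-aware key construction is duplicated verbatim in both constructors (this hunk and the one at `@@ -60,7 +64,11 @@`), which is exactly the kind of copy that lets the two drift apart later. A single private helper removes it: `private static String keyOf(String ns, String type, String instance, String action) { return ns == null ? type + '|' + instance + '|' + action : ns + '|' + type + '|' + instance + '|' + action; }`, called as `key = keyOf(ns, type, instance, action);` in both places. Both constructors begin before their hunks.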
@@ -60,7 +64,11 @@ public class AAFPermission implements Permission {
                type = name;
                this.instance = instance;
                this.action = action;
-               key = ns + '|' + type + '|' + instance + '|' + action;
+               if(ns==null) {
+                       key = type + '|' + instance + '|' + action;
+               } else {
+                       key = ns + '|' + type + '|' + instance + '|' + action;
+               }
                this.roles = roles==null?NO_ROLES:roles;
        }
        
@@ -117,7 +125,15 @@ public class AAFPermission implements Permission {
                        }
                }
                boolean typeMatches;
-               if(aafNS.length() == ns.length()) {
+               if(aafNS==null) {
+                       if(ns==null) {
+                               typeMatches = aafType.equals(type);
+                       } else {
+                               typeMatches = aafType.equals(ns+'.'+type);
+                       }
+               } else if(ns==null) {
+                       typeMatches = type.equals(aafNS+'.'+aafType);
+               } else if(aafNS.length() == ns.length()) {
                        typeMatches = aafNS.equals(ns) && aafType.equals(type);
                } else { // Allow for restructuring of NS/Perm structure
                        typeMatches = (aafNS+'.'+aafType).equals(ns+'.'+type);
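Review bot: The new null branches make a permission whose type carries the full dotted name (`ns == null`, type `a.b`) equivalent to one split as ns `a`, type `b`, which is an authorization-relevant equivalence that nothing in the code states. A comment above `if(aafNS==null)` would record the intent, e.g. `// A null ns means the type already holds the dotted ns.type name; compare the joined forms so both spellings match.` Because this method decides whether a permission grants access, the four null/non-null combinations of ns on each side deserve unit tests, and none are added in this change. The method starts before the hunk.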
index 3e90087..df2ad4f 100644 (file)
@@ -55,7 +55,7 @@ public class TestConnectivity {
                        System.out.println("Usage: ConnectivityTester <cadi_prop_files> [<AAF FQDN (i.e. aaf.dev.att.com)>]");
                } else {
                        print(true,"START OF CONNECTIVITY TESTS",new Date().toString(),System.getProperty("user.name"),
-                                       "Note: All API Calls are /authz/perms/user/<MechID/Alias of the caller>");
+                                       "Note: All API Calls are /authz/perms/user/<AppID/Alias of the caller>");
 
                        if(!args[0].contains(Config.CADI_PROP_FILES+'=')) {
                                args[0]=Config.CADI_PROP_FILES+'='+args[0];
index b7cf62c..a5ef6d1 100644 (file)
@@ -62,7 +62,7 @@ public class AAFLurPerm extends AbsAAFLur<AAFPermission> {
        private static final String ORG_OSAAF_CADI_OAUTH_O_AUTH2_LUR = "org.osaaf.cadi.oauth.OAuth2Lur";
 
        /**
-        *  Need to be able to transmutate a Principal into either ATTUID or MechID, which are the only ones accepted at this
+        *  Need to be able to transmutate a Principal into either Person or AppID, which are the only ones accepted at this
         *  point by AAF.  There is no "domain", aka, no "@att.com" in "ab1234@att.com".  
         *  
         *  The only thing that matters here for AAF is that we don't waste calls with IDs that obviously aren't valid.
@@ -107,12 +107,6 @@ public class AAFLurPerm extends AbsAAFLur<AAFPermission> {
 
        protected User<AAFPermission> loadUser(final Principal principal)  {
                final String name = principal.getName();
-//             // Note: The rules for AAF is that it only stores permissions for ATTUID and MechIDs, which don't 
-//             // have domains.  We are going to make the Transitive Class (see this.transmutative) to convert
-//             final Principal tp = principal; //transmutate.mutate(principal);
-//             if(tp==null) {
-//                     return null; // if not a valid Transmutated credential, don't bother calling...
-//             }
 //             TODO Create a dynamic way to declare domains supported.
                final long start = System.nanoTime();
                final boolean[] success = new boolean[]{false};
index b3de975..ef73ada 100644 (file)
@@ -89,8 +89,8 @@ public class Agent {
        private static final String HASHES = "################################################################";
        private static final String PRINT = "print";
        private static final String FILE = "file";
-       private static final String PKCS12 = "pkcs12";
-       private static final String JKS = "jks";
+       public static final String PKCS12 = "pkcs12";
+       public static final String JKS = "jks";
        private static final String SCRIPT="script";
        
        private static final String CM_VER = "1.0";
@@ -127,7 +127,7 @@ public class Agent {
                                AAFSSO aafsso=null;
                                PropAccess access;
                                
-                               if(args.length>1 && args[0].equals("validate")) {
+                               if(args.length>1 && args[0].equals("validate") ) {
                                        int idx = args[1].indexOf('=');
                                        aafsso = null;
                                        access = new PropAccess(
@@ -329,7 +329,7 @@ public class Agent {
        private static String fqi(Deque<String> cmds) {
                if(cmds.size()<1) {
                        String alias = env.getProperty(Config.CADI_ALIAS);
-                       return alias!=null?alias:AAFSSO.cons.readLine("MechID: ");
+                       return alias!=null?alias:AAFSSO.cons.readLine("AppID: ");
                }
                return cmds.removeFirst();      
        }
@@ -360,11 +360,11 @@ public class Agent {
                Artifacts artifacts = new Artifacts();
                Artifact arti = new Artifact();
                artifacts.getArtifact().add(arti);
-               arti.setMechid(mechID!=null?mechID:AAFSSO.cons.readLine("MechID: "));
+               arti.setMechid(mechID!=null?mechID:AAFSSO.cons.readLine("AppID: "));
                arti.setMachine(machine!=null?machine:AAFSSO.cons.readLine("Machine (%s): ",InetAddress.getLocalHost().getHostName()));
                arti.setCa(AAFSSO.cons.readLine("CA: (%s): ","aaf"));
                
-               String resp = AAFSSO.cons.readLine("Types [file,jks,script] (%s): ", "jks");
+               String resp = AAFSSO.cons.readLine("Types [file,pkcs12,jks,script] (%s): ", PKCS12);
                for(String s : Split.splitTrim(',', resp)) {
                        arti.getType().add(s);
                }
@@ -419,7 +419,7 @@ public class Agent {
                        if(future.get(TIMEOUT)) {
                                boolean printed = false;
                                for(Artifact a : future.value.getArtifact()) {
-                                       AAFSSO.cons.printf("MechID:          %s\n",a.getMechid()); 
+                                       AAFSSO.cons.printf("AppID:          %s\n",a.getMechid()); 
                                        AAFSSO.cons.printf("  Sponsor:       %s\n",a.getSponsor()); 
                                        AAFSSO.cons.printf("Machine:         %s\n",a.getMachine()); 
                                        AAFSSO.cons.printf("CA:              %s\n",a.getCa()); 
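Review bot: The relabelled `AAFSSO.cons.printf("AppID:          %s\n",a.getMechid());` keeps the ten spaces that followed the longer `MechID:` label, so its value column now sits one character left of `Sponsor:`, `Machine:` and `CA:` on the lines below. `"AppID:           %s\n"` (eleven spaces) restores the alignment.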
@@ -650,7 +650,7 @@ public class Agent {
                                // Have to wait for JDK 1.7 source...
                                //switch(artifact.getType()) {
                                if(acf.value.getArtifact()==null || acf.value.getArtifact().isEmpty()) {
-                                       AAFSSO.cons.printf("No Artifacts found for %s on %s", mechID, machine);
+                                       AAFSSO.cons.printf("No Artifacts found for %s on %s ", mechID, machine);
                                } else {
                                        String id = aafcon.defID();
                                        boolean allowed;
@@ -660,7 +660,7 @@ public class Agent {
                                                                                && aafcon.securityInfo().defSS.getClass().isAssignableFrom(HBasicAuthSS.class)));
                                                if(!allowed) {
                                                        Future<String> pf = aafcon.client(CM_VER).read("/cert/may/" + 
-                                                                       a.getNs() + ".certman|"+a.getCa()+"|showpass","*/*");
+                                                                       a.getNs()+"|certman|"+a.getCa()+"|showpass","*/*");
                                                        if(pf.get(TIMEOUT)) {
                                                                allowed = true;
                                                        } else {
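Review bot: The permission queried via `/cert/may/` changes from the dotted `ns.certman|ca|showpass` form to the pipe-separated `ns|certman|ca|showpass` form, and nothing in this diff shows the server-side permission definition changing to match. If the two disagree, `allowed` simply stays false and showpass is refused, so it fails closed, but it is worth confirming against the certman permission definition. A comment naming the expected shape, e.g. `// asks AAF whether the caller holds <ns>|certman|<ca>|showpass`, would spare the next reader the same question. The enclosing block continues outside the hunk.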
@@ -1017,13 +1017,13 @@ public class Agent {
                                                        String prop;                                            
                                                        File f;
        
-                                                       if((prop=props.getProperty(Config.CADI_KEYFILE))==null ||
+                                                       if((prop=trans.getProperty(Config.CADI_KEYFILE))==null ||
                                                                !(f=new File(prop)).exists()) {
                                                                        trans.error().printf("Keyfile must exist to check Certificates for %s on %s",
                                                                                a.getMechid(), a.getMachine());
                                                        } else {
-                                                               String ksf = props.getProperty(Config.CADI_KEYSTORE);
-                                                               String ksps = props.getProperty(Config.CADI_KEYSTORE_PASSWORD);
+                                                               String ksf = trans.getProperty(Config.CADI_KEYSTORE);
+                                                               String ksps = trans.getProperty(Config.CADI_KEYSTORE_PASSWORD);
                                                                if(ksf==null || ksps == null) {
                                                                        trans.error().printf("Properties %s and %s must exist to check Certificates for %s on %s",
                                                                                        Config.CADI_KEYSTORE, Config.CADI_KEYSTORE_PASSWORD,a.getMechid(), a.getMachine());
index 3123b89..c541391 100644 (file)
@@ -28,7 +28,6 @@ import java.security.cert.Certificate;
 import java.security.cert.X509Certificate;
 import java.util.ArrayList;
 import java.util.Collection;
-import java.util.Collections;
 import java.util.HashSet;
 import java.util.List;
 import java.util.Set;
@@ -51,7 +50,7 @@ public class PlaceArtifactInKeystore extends ArtifactDir {
 
        @Override
        public boolean _place(Trans trans, CertInfo certInfo, Artifact arti) throws CadiException {
-               File fks = new File(dir,arti.getNs()+'.'+(kst=="pkcs12"?"p12":kst));
+               File fks = new File(dir,arti.getNs()+'.'+(kst==Agent.PKCS12?"p12":kst));
                try {
                        KeyStore jks = KeyStore.getInstance(kst);
                        if(fks.exists()) {
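Review bot: `kst==Agent.PKCS12` compares strings by reference, so it only holds when `kst` is the interned literal; if the value handed to the constructor was parsed from input rather than taken from the constant (the Agent builds artifact types from `Split.splitTrim` of console text), it compares unequal even when it spells `pkcs12`, and the keystore is written as `ns.pkcs12` instead of `ns.p12`. The previous `kst=="pkcs12"` had the same flaw, so this rename missed the chance to fix it; use `Agent.PKCS12.equals(kst)`. `_place` continues past the end of the hunk.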
@@ -125,7 +124,7 @@ public class PlaceArtifactInKeystore extends ArtifactDir {
                                fks.renameTo(backup);
                        }       
 
-                       jks = KeyStore.getInstance("jks");
+                       jks = KeyStore.getInstance(Agent.JKS);
                        
                        // Set Truststore Password
                        addProperty(Config.CADI_TRUSTSTORE,fks.getAbsolutePath());
index ecadb6e..d50b87a 100644 (file)
@@ -42,6 +42,7 @@ import org.junit.Test;
 import org.mockito.Mock;
 import org.mockito.MockitoAnnotations;
 import org.onap.aaf.cadi.CadiException;
+import org.onap.aaf.cadi.configure.Agent;
 import org.onap.aaf.cadi.configure.ArtifactDir;
 import org.onap.aaf.cadi.util.Chmod;
 import org.onap.aaf.misc.env.Trans;
@@ -112,7 +113,7 @@ public class JU_ArtifactDir {
                } catch(NullPointerException e) {
                }
                
-               KeyStore ks = KeyStore.getInstance("pkcs12");
+               KeyStore ks = KeyStore.getInstance(Agent.PKCS12);
                try {
                        ArtifactDir.write(writableFile, Chmod.to755, ks, luggagePassword.toCharArray());
                        fail("Should've thrown an exception");
index 0b086f1..d61ac49 100644 (file)
 
 package org.onap.aaf.cadi.cm.test;
 
-import static org.junit.Assert.*;
-import static org.hamcrest.CoreMatchers.*;
-import static org.mockito.Mockito.*;
+import static org.hamcrest.CoreMatchers.is;
+import static org.junit.Assert.assertThat;
+import static org.junit.Assert.fail;
+import static org.mockito.Mockito.mock;
+import static org.mockito.Mockito.when;
 
 import java.io.BufferedReader;
 import java.io.ByteArrayOutputStream;
@@ -31,14 +33,17 @@ import java.io.File;
 import java.io.FileNotFoundException;
 import java.io.FileReader;
 import java.io.IOException;
+import java.security.cert.CertificateException;
 import java.util.ArrayList;
 import java.util.List;
 
-import java.security.cert.CertificateException;
-
-import org.junit.*;
-import org.mockito.*;
+import org.junit.AfterClass;
+import org.junit.Before;
+import org.junit.Test;
+import org.mockito.Mock;
+import org.mockito.MockitoAnnotations;
 import org.onap.aaf.cadi.CadiException;
+import org.onap.aaf.cadi.configure.Agent;
 import org.onap.aaf.cadi.configure.PlaceArtifactInKeystore;
 import org.onap.aaf.misc.env.Env;
 import org.onap.aaf.misc.env.TimeTaken;
@@ -97,12 +102,12 @@ public class JU_PlaceArtifactInKeystore {
        @Test
        public void test() throws CadiException {
                // Note: PKCS12 can't be tested in JDK 7 and earlier.  Can't handle Trusting Certificates.
-               PlaceArtifactInKeystore placer = new PlaceArtifactInKeystore("jks");
+               PlaceArtifactInKeystore placer = new PlaceArtifactInKeystore(Agent.JKS);
 
                certs.add(x509String);
                certs.add(x509Chain);
                assertThat(placer.place(transMock, certInfoMock, artiMock, "machine"), is(true));
-               for (String ext : new String[] {"chal", "keyfile", "jks", "trust.jks", "cred.props"}) {
+               for (String ext : new String[] {"chal", "keyfile", Agent.JKS, "trust.jks", "cred.props"}) {
                        File f = new File(dirName + '/' + nsName + '.' + ext);
                        assertThat(f.exists(), is(true));
                }
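Review bot: Using `Agent.JKS` as a file extension in `new String[] {"chal", "keyfile", Agent.JKS, "trust.jks", "cred.props"}` relies on the coincidence that the keystore type name and the file suffix are the same string; `PlaceArtifactInKeystore._place` maps the `pkcs12` type to a `p12` suffix, so the same substitution would be wrong for the other type. Keeping the literal `"jks"` here, beside the literal `"trust.jks"`, states what the test actually checks, namely the files written to disk, rather than the type passed to the constructor.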
diff --git a/docs/sections/installation/client_vol.rst b/docs/sections/installation/client_vol.rst
new file mode 100644 (file)
index 0000000..ea98e5f
--- /dev/null
@@ -0,0 +1,70 @@
+.. This work is licensed under a Creative Commons Attribution 4.0 International License.
+.. http://creativecommons.org/licenses/by/4.0
+.. Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+
+========================================
+Setting up Certs and CADI Configurations
+========================================
+
+*Note: this document assumes UNIX Bash Shell.  Being Java, AAF works in Windows, but you will have to create your own script/instruction conversions.*
+
+------------------
+Strategy
+------------------
+
+ONAP is deployed in Docker Containers or Kubernetes managed Docker Containers.  Therefore, this instruction utilizes a Docker Container as a standalone Utility... (This means that this container will stop as soon as it is done with its work... it is not a long running daemon)
+
+Given that all ONAP entities are also in Docker Containers, they all can access Persistent Volumes.
+
+This tool creates all the Configurations, including Certificates, onto a declared Volume on the directories starting with "/opt/app/osaaf"
+
+------------------
+Prerequisites
+------------------
+  * Docker
+    * Note: it does NOT have to be the SAME Docker that AAF is deployed on...
+    | but it DOES have be accessible to the AAF Instance.  
+  * For ONAP, this means
+    
+       * Windriver VPN
+       * include "10.12.6.214 aaf-onap-test.osaaf.org" in your /etc/hosts or DNS
+
+-----------------------
+Obtain the Agent Script
+-----------------------
+Choose the directory you wish to start in... 
+
+If you don't want to clone all of AAF, just get the "agent.sh" from a Browser:
+
+  https://gerrit.onap.org/r/gitweb?p=aaf/authz.git;a=blob_plain;f=auth/docker/agent.sh;hb=HEAD
+
+  Note: curl/wget get html, instead of text
+  | You might have to mv, and rename it to "agent.sh", but avoids full clone
+
+-------------------------
+Run Script
+-------------------------
+
+In your chosen directory ::
+  $ bash agent.sh
+
+The Agent will look for "aaf.props", and if it doesn't exist, or is missing information, it will ask for it
+
+
+--------------- ---------------
+Tag             Value
+--------------- ---------------
+CADI Version    Defaults to CADI version of this
+AAF's FQDN      PUBLIC Name for AAF. For ONAP Test, it is 'aaf-onap-test.osaaf.org'
+Deployer's FQI  deployer@people.osaaf.org.  In a REAL system, this would be a person or process 
+App's Root FQDN This will show up in the Cert Subject, and should be the name given by Docker. i.e. clamp.onap
+App's FQI       Fully Qualified ID given by Organization and with AAF NS/domain.  ex: clamp@clamp.onap.org 
+App's Volume    Volume to put the data, see above. ex: clamp_aaf
+DRIVER         Docker Volume type... See Docker Volume documentation
+LATITUDE       Global latitude coordinate of Node (best guess for Kubernetes)
+LONGITUDE      Global longitude coordinate of Node (best guess for Kubernetes)
+--------------- ---------------
+
+
+
diff --git a/docs/sections/installation/install_from_source.rst b/docs/sections/installation/install_from_source.rst
new file mode 100644 (file)
index 0000000..761069c
--- /dev/null
@@ -0,0 +1,219 @@
+.. This work is licensed under a Creative Commons Attribution 4.0 International License.
+.. http://creativecommons.org/licenses/by/4.0
+.. Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+
+============================
+Installing from Source Code
+============================
+
+*Note: this document assumes UNIX Bash Shell.  Being Java, AAF works in Windows, but you will have to create your own script/instruction conversions.*
+
+------------------
+Modes
+------------------
+
+AAF can be run in various ways
+  * Standalone (on your O/S)
+  * Docker (localized)
+  * Kubernetes
+  * ONAP Styles
+    * HEAT (Docker Container Based Initilization)
+    * OOM  (a Helm Chart based Kubernetes Environment)
+
+------------------
+Prerequisites
+------------------
+
+You need the following tools to build and run AAF
+  * git
+  * maven
+  * Java (JDK 1.8+, openjdk is fine)
+  * Cassandra
+     * a separate installation is fine
+     * these instructions will start off with a Docker based Cassandra instance
+  * Machine - one of the following
+     * Standalone Java Processes - no additional running environments necessary
+     * docker - typically available via packages for O/S
+     * kubernetes - ditto
+     
+
+------------------
+Build from Source
+------------------
+Choose the directory you wish to start in... This process will create an "authz" subdirectory::
+
+  $ mkdir -p ~/src
+  $ cd ~/src
+
+Use 'git' to 'clone' the master code::
+  $ git clone https://gerrit.onap.org/r/aaf/authz
+
+Change to that directory::
+
+  $ cd authz
+
+Use Maven to build::
+
+  << TODO, get ONAP Settings.xml>>
+  $ mvn install
+
+.. -----------------
+.. Standalone
+.. -----------------
+
+-----------------
+Docker Mode
+-----------------
+
+After you have successfully run maven, you will need a Cassandra.  If you don't have one, here are instructions for a Docker Standalone Cassandra.  For a *serious* endeavor, you need a multi-node Cassandra.
+
+From "authz"::
+
+  $ cd auth/auth-cass/src/main/cql
+  $ vi config.dat
+
+===================
+Existing Cassandra
+===================
+
+AAF Casablanca has added a table.  If you have an existing AAF Cassandra, do the following::
+
+  ### If Container Cassandra, add these steps, otherwise, skip
+  $ docker container cp init2_1.cql aaf_cass:/tmp
+  $ docker exec -it aaf_cass bash
+  (docker) $ cd /tmp
+  ###
+  $ cqlsh -f 'init2_1.cql'
+
+=====================
+New Docker Cassandra
+=====================
+
+Assuming you are in your src/authz directory::
+
+  $ cd auth/auth-cass/docker
+  $ sh dinstall.sh
+
+---------------------
+AAF Itself
+---------------------
+
+Assuming you are in your src/authz directory::
+
+  $ cd auth/docker
+  ### If you have not done so before (don't overwrite your work!)
+  $ cp d.props.init d.props
+
+You will need to edit and fill out the information in your d.props file.  Here is info to help
+
+**Local Env info** - These are used to load the /etc/hosts file in the Containers, so AAF is available internally and externally
+
+  =============== =============
+  Variable        Explanation
+  =============== =============
+  HOSTNAME        This must be the EXTERNAL FQDN of your host.  Must be in DNS or /etc/hosts
+  HOST_IP         This must be the EXTERNAL IP of your host. Must be accessible from "anywhere"
+  CASS_HOST       If Docker Cass, this is the INTERNAL FQDN/IP.  If external Cass, then DNS|/etc/hosts entry
+  aaf_env         This shows up in GUI and certs, to differentiate environments
+  aaf_register_as As pre-set, it is the same external hostname.
+  cadi_latitude   Use "https://bing.com/maps", if needed, to locate your current Global Coords
+  cadi_longitude  ditto
+  =============== =============
+
+==============================
+"Bleeding Edge" Source install
+==============================
+
+AAF can be built, and local Docker Images built with the following::
+
+  $ sh dbuild.sh
+
+Otherwise, just let it pull from Nexus
+
+==============================
+Configure AAF Volume
+==============================
+
+AAF uses a Persistent Volume to store data longer term, such as CADI configs, Organization info, etc, so that data is not lost when changing out a container.
+
+This volume is created automatically, as necessary, and linked into the container when starting. ::
+
+  ## Be sure to have your 'd.props' file filled out before running.
+  $ sh aaf.sh
+
+==============================
+Bootstrapping with Keystores
+==============================
+
+Start the container in bash mode, so it stays up. ::
+
+  $ bash aaf.sh bash
+  id@77777: 
+
+In another shell, find out your Container name. ::
+  
+  $ docker container ls | grep aaf_config
+
+CD to directory with CA p12 files 
+  
+  * org.osaaf.aaf.p12
+  * org.osaaf.aaf.signer.p12    (if using Certman to sign certificates)
+
+Copy keystores for this AAF Env ::
+
+  $ docker container cp -L org.osaaf.aaf.p12 aaf_agent_<Your ID>:/opt/app/osaaf/local
+  ### IF using local CA Signer 
+  $ docker container cp -L org.osaaf.aaf.signer.p12 aaf_agent_<Your ID>:/opt/app/osaaf/local
+
+In Agent Window ::
+
+  id@77777: agent encrypt cadi_keystore_password
+  ### IF using local CA Signer 
+  id@77777: agent encrypt cm_ca.local 
+
+Check to make sure all passwords are set ::
+
+  id@77777: grep "enc:" *.props
+
+When good, exit from Container Shell and run AAF ::
+
+  id@77777: exit
+  $ bash drun.sh
+
+Check the Container logs for correct Keystore passwords, other issues ::
+
+  $ docker container logs aaf_<service>
+
+Watch logs ::
+
+  $ sh aaf.sh taillog
+
+Notes:
+
+You can find an ONAP Root certificate, and pre-built trustores  for ONAP Test systems at:
+  | authz/auth/sample/public/AAF_RootCA.cert
+  | authz/auth/sample/public/truststoreONAPall.jks
+
+Good Tests to run ::
+
+  ## From "docker" dir
+  ##
+  ## assumes you have DNS or /etc/hosts entry for aaf-onap-test.osaaf.org
+  ##
+  $ curl --cacert ../sample/public/AAF_RootCA.cer -u demo@people.osaaf.org:demo123456! https://aaf-onap-test.osaaf.org:8100/authz/perms/user/demo@people.osaaf.org
+  $ openssl s_client -connect aaf-onap-test.osaaf.org:8100
+
+
+
+
+
+
+
+
+
+
+
+
+
+