--env-file ./compose-resources/client-configuration.env \
--network certservice_certservice \
--mount type=bind,src=`pwd`/compose-resources/client-volume/,dst=/var/certs \
+ --volume `pwd`/certs/truststore.jks:/etc/onap/aaf/certservice/certs/truststore.jks \
+ --volume `pwd`/certs/certServiceClient-keystore.jks:/etc/onap/aaf/certservice/certs/certServiceClient-keystore.jks \
onap/org.onap.aaf.certservice.aaf-certservice-client:latest
stop-client:
make build
```
+### Generating certificates
+There are example certificates already generated in certs/ directory.
+In order to generate new certificates, first remove existing ones.
+Then execute following command from certs(!) directory:
+```
+ make
+```
+
### Running Docker containers from docker-compose with EJBCA
Docker-compose uses a local image of certservice-api and make run-client uses a local image of certservice-client
Build docker images locally before running docker compose command.
4. Stop Cert Service and EJBCA
make stop-backend
```
-
-### Running API with Helm
-1. Use environment/server with installed kubernetes and helm.
-2. Copy certService/helm/aaf-cert-service directory to that environment.
-3. Enter that environment
-4. Run ```helm install ./aaf-cert-service```
-
### AAF CertService CSITs
#### CSIT repository
+# ============LICENSE_START=======================================================
+# aaf-certservice
+# ================================================================================
+# Copyright (C) 2020 Nokia. All rights reserved.
+# ================================================================================
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+# ============LICENSE_END=========================================================
openapi: 3.0.1
info:
title: CertService Documentation
get:
tags:
- CertificationService
- summary: sign certificate
+ summary: Sign certificate
description: Web endpoint for requesting certificate signing. Used by system
components to gain certificate signed by CA.
operationId: signCertificate
required: true
schema:
type: string
+ example: "RA_TEST"
- name: CSR
in: header
description: Certificate signing request in form of PEM object encoded in
required: true
schema:
type: string
+ example: "LS0tLS1CRUdJTiBDRVJUSUZJQ0FURSBSRVFVRVNULS0tLS0KTUlJREVqQ0NBZm9DQVFBd2daY3hDekFKQmdOVkJBWVRBbFZUTVJNd0VRWURWUVFJREFwRFlXeHBabTl5Ym1saApNUll3RkFZRFZRUUhEQTFUWVc0dFJuSmhibU5wYzJOdk1Sa3dGd1lEVlFRS0RCQk1hVzUxZUMxR2IzVnVaR0YwCmFXOXVNUTB3Q3dZRFZRUUxEQVJQVGtGUU1SRXdEd1lEVlFRRERBaHZibUZ3TG05eVp6RWVNQndHQ1NxR1NJYjMKRFFFSkFSWVBkR1Z6ZEdWeVFHOXVZWEF1YjNKbk1JSUJJakFOQmdrcWhraUc5dzBCQVFFRkFBT0NBUThBTUlJQgpDZ0tDQVFFQXpRekpQTmhrRURhL3JnUmhJUmpLVDF2RC84Wk9scXA3UmRuYTEybXFIU2FqQ0hHeGR0K1JPZk0vCkpINk9NczZNSjlwNXRJVE5VUWVDUEQ5cE44WkpzMCtOaWQvRE1Nb1B3MW94NnZyNFc5Rnh4K3NGN2hnK05nYjEKNGxvZVZob2EwajlKd1hlc2krSThNbFBObGRMRXlGYnZubDgyNzl0Qjg2dmRpR2g3blFjek8rbnY5elBqZllVcQpIaGlRK1ptMEZjbWFxblVJOG54aWJQNmFMMS9uWFQ3aHlwY0VzOCtpenNZVktqdVdwSjhlZHN0T1NBYTlkWXkrCkVhYTFPTlo5RFRDQzArZmM4S0pBNGJjWVE0T2tPYXFmcnhxY0xMOXZJL1BROWZtYThTUXBmcXVTbmQvbjNOazMKK1NoYnVCclorVnNQRWhsWnBJb2lXdS9scjlrdnp3SURBUUFCb0RVd013WUpLb1pJaHZjTkFRa09NU1l3SkRBaQpCZ05WSFJFRUd6QVpnZ2h2Ym1Gd0xtOXlaNElOZEdWemRDNXZibUZ3TG05eVp6QU5CZ2txaGtpRzl3MEJBUXNGCkFBT0NBUUVBV0N2QlJzTmZ5S0F1NWhIWldWUm8xd2VWSVJvbHQyRWdsSUkzbHI4d0ZlN1hobUtZVlhESzJ3aHEKc2hCakNNQUJHNW90MlBXUE8yK1JLSmsveEh2RXRoQzMybityQlhOS2hHUUJMY3dyeFNBbjVUMHFNa0xzTGJiRAphTU1nTnRiYWxmOC9mVmNWWDY1WTVVb052Y2FScEpvVUdYY1ovZ3kvMG5aWnNXbURkejk1Rys2MXFnY0s3RlhOClB1bENxLy9YNUZkK2NkQy9TTnNxaGtqdlgyd3hYMUZRVVYwcFp0akcwenl3b3JwNE9HSkRiUUxtaWFZSlQ2Ym8KNjAyZ21zWFNTQlJzVWFCOEsxeWMzalRkS043QjYxcjhwYW05NlBxQjdXME13MVRJVFAzQnhJTk5kN1hhNlI5VAo5T3BTcDhFcUZ5R043M3NJN0svbDdNZVJvUm1PUUE9PQotLS0tLUVORCBDRVJUSUZJQ0FURSBSRVFVRVNULS0tLS0K"
- name: PK
in: header
description: Private key in form of PEM object encoded in Base64 (with header
required: true
schema:
type: string
+ example: "LS0tLS1CRUdJTiBQUklWQVRFIEtFWS0tLS0tCk1JSUV2d0lCQURBTkJna3Foa2lHOXcwQkFRRUZBQVNDQktrd2dnU2xBZ0VBQW9JQkFRRE5ETWs4MkdRUU5yK3UKQkdFaEdNcFBXOFAveGs2V3FudEYyZHJYYWFvZEpxTUljYkYyMzVFNTh6OGtmbzR5em93bjJubTBoTTFSQjRJOApQMmszeGttelQ0MkozOE13eWcvRFdqSHErdmhiMFhISDZ3WHVHRDQyQnZYaVdoNVdHaHJTUDBuQmQ2eUw0and5ClU4MlYwc1RJVnUrZVh6YnYyMEh6cTkySWFIdWRCek03NmUvM00rTjloU29lR0pENW1iUVZ5WnFxZFFqeWZHSnMKL3BvdlgrZGRQdUhLbHdTeno2TE94aFVxTzVha254NTJ5MDVJQnIxMWpMNFJwclU0MW4wTk1JTFQ1OXp3b2tEaAp0eGhEZzZRNXFwK3ZHcHdzdjI4ajg5RDErWnJ4SkNsK3E1S2QzK2ZjMlRmNUtGdTRHdG41V3c4U0dWbWtpaUphCjcrV3YyUy9QQWdNQkFBRUNnZ0VBZkN5cUVYYlo0aGZGckpScVhhaXRtN0Z1Mkk0M09YYTBnSENWM3EzV255Q3UKeW9aUGVqV1p0UVpoenEvMVhUOUlFVHAxU2FUQzBiZENYMG5uWmlkbXFuZ2F0c3dUWUpCOVMwaHJ3bW1KemREZwpucmp0Tm1yb0FiL2xWOVpMV01rbVJQeWVwZExiWXpyMlNXUUd0QnlYbnR0RzhSbW9JMGtjZjN3dEJGYUJ4VzFwClFzRUNXUFBpdjNZRDh2SzlSRG9wdmxCMnFZVWxCTm1kQ3AxWEJXMU9OZm5wckUwZFhiYTJxVzB3M3lqU2dJdGYKUWJBSTJZQzJEWlpIK3liRGFMZWVtb0p3dDdPK1F6NWp4SkgwWkFpSnVaNzNpSTVocFBJQlhLamRkU1p1bjRpRwpEOFZaaCtYWE9yQWJxVURXdlN4UW9kdFhYeGNSSS9aWUx5WWR1OHdhd1FLQmdRRHA3UEhwdWFDSk50MlBLV3d6Cll4SDhIYlB1L0pTS2R3UytZek5SNzJaYlUwSmQxWTdPc1JCR1Bvd24zOW55WDlJYzJINXBLc2VJYnpsK1lJS1MKQW9BKy9nbFZZUGpIZ2RmVHF6R01QMm5meVh0dVpFQzdicVBLSVlzL0Qwb0pGQzFkUThwUjFxcXp6NjJEMEUvawpSS1MrVFhpSlkvMlJiQVhDckFDVnNwVmQzUUtCZ1FEZ1prZE45SkhIMjYyRWdLQ3p1Q0NHMXlYa3IrcWVHZ3ozCldWbUtMaGVveitHVXlvVDVuaGlvUTJxNlllYTJ1ODlVYUdGZFk4Y0hIQVdhUy9UdU9FYzdBRHV4eTZsVWpKWkQKU3V0YU80cWk3eXh6UGxNN2w5alVpejV5MldZZGRnWEhLOG82M0pOSHdwd0FYaDgycytTbm9STUZSd1JOTGsyWQp4WmxxRm55WG13S0JnUUNkdEkrWEtmMHY1SnhVUXZIZVp3RWQvb3hySnoraFpnSDl0UFZKWE9PZDJERGEvL25xCklQYysxRFk3UDdBNHRoNzZNWDV2dWxhUkJhTTJMeXgzOFZXeW9pTjZ1d2lkd0V6WU9BY01iVWdjaGtJL3R6am8KNC90cWIxam9KNCtiTlU0c0hXTE43N0pmelRoR3NHN2NEdWNlSVM2Tk9hc2VtanY3OVdmamhHVXN4UUtCZ1FETQpwbHFYVE5uNjlHek9MK1Rmb3FmL2NZMjhmM2N3VXovS0FYRzRwSXF0U1ZGSXVsNEZyTnA5OG1ZT3J5U1RPTHRBCkZxWGRYeGJ2Yysza0p5dXNhaVVFT1JVMzlDNXN6bjVueHBiWHh2K0wweWF0djRSM0QrZ1BCeUtmNlliSWpZOTkKY29GUHAwU21xR1JQclljNEExNGdSclVyRmZabFVUb3hmdHlJTlJQUnl3S0JnUURoSFkvT24vRTNodmo4aHBKRQplMWNuQ2ZsV2VKWlZSdnBPQm96NCtwMVltMzZZZEQ0azBpSEh6anZUUGlBSnNGTFB5VXVTZXI0T3hpN2cvcmYvCklPVjN4bHZyNXdSRmxLYWxvWjY5azkxNm5qdWM0d2lXVzdMbGt1YWptVDhlSUszTU05MU9SL1VFcE16dFMyMHEKZ3hRMEVieTFaMlh6TWlkMEhZZTlVcTJaSmc9PQotLS0tLUVORCBQUklWQVRFIEtFWS0tLS0tCg=="
responses:
"200":
- description: certificate successfully signed
+ description: Certificate successfully signed
content:
- application/json; charset=utf-8:
+ application/json:
schema:
$ref: '#/components/schemas/CertificationModel'
- "500":
- description: something went wrong during connecting to cmp client
+ "400":
+ description: Given CSR or/and PK is incorrect
content:
- application/json; charset=utf-8:
+ application/json:
schema:
$ref: '#/components/schemas/ErrorResponseModel'
"404":
description: CA not found for given name
content:
- application/json; charset=utf-8:
+ application/json:
schema:
$ref: '#/components/schemas/ErrorResponseModel'
- "400":
- description: given CSR or/and PK is incorrect
+ "500":
+ description: Something went wrong during connectiion to CMPv2 server
content:
- application/json; charset=utf-8:
+ application/json:
schema:
$ref: '#/components/schemas/ErrorResponseModel'
/ready:
get:
tags:
- CertificationService
- summary: check is container is ready
+ summary: Check if CertService application is ready
description: Web endpoint for checking if service is ready to be used.
operationId: checkReady
responses:
"200":
- description: configuration is loaded and service is ready to use
- content:
- application/json; charset=utf-8:
- schema:
- type: string
+ description: Configuration is loaded and service is ready to use
+ content: {}
"503":
- description: configuration loading failed and service is unavailable
- content:
- application/json; charset=utf-8:
- schema:
- type: string
+ description: Configuration loading failed and service is unavailable
+ content: {}
/reload:
get:
tags:
- CertificationService
- summary: reload service configuration from file
+ summary: Reload CMPv2 servers configuration from configuration file
description: Web endpoint for performing configuration reload. Used to reload
- configuration file from file.
+ configuration from file.
operationId: reloadConfiguration
responses:
"200":
- description: configuration has been successfully reloaded
- content:
- application/json; charset=utf-8:
- schema:
- type: string
+ description: Configuration has been successfully reloaded
+ content: {}
"500":
- description: something went wrong during configuration loading
+ description: Something went wrong during configuration loading
content:
- application/json; charset=utf-8:
+ string:
schema:
- $ref: '#/components/schemas/ErrorResponseModel'
+ type: string
+ example: "can't parse JSON. Raw result: Exception occurred during CMP Servers configuration loading"
/actuator/health:
get:
tags:
- Actuator
summary: Actuator web endpoint 'health'
- operationId: handle_0
+ operationId: healthCheck
responses:
"200":
- description: default response
- content: {}
- /actuator/health/**:
- get:
- tags:
- - Actuator
- summary: Actuator web endpoint 'health-path'
- operationId: handle_1
- responses:
- "200":
- description: default response
- content: {}
- /actuator:
- get:
- tags:
- - Actuator
- summary: Actuator root web endpoint
- operationId: links_2
- responses:
- "200":
- description: default response
- content: {}
+ description: Service is healthy
+ content:
+ string:
+ schema:
+ $ref: '#/components/schemas/StatusResponseModel'
components:
schemas:
+ StatusResponseModel:
+ type: object
+ properties:
+ status:
+ type: string
+ example: "UP"
ErrorResponseModel:
type: object
properties:
errorMessage:
type: string
+ example: "Internal server error"
CertificationModel:
type: object
properties:
type: array
items:
type: string
+ example: "-----BEGIN CERTIFICATE-----\nMIIErDCCAxSgAwIBAgIUfYvpzoT6WTxiu2KtxDwdvB56iVUwDQYJKoZIhvcNAQEL\nBQAwYTEjMCEGCgmSJomT8ixkAQEME2MtMGI1YzFhYTBkNzA4NjVjNGUxFTATBgNV\nBAMMDE1hbmFnZW1lbnRDQTEjMCEGA1UECgwaRUpCQ0EgQ29udGFpbmVyIFF1aWNr\nc3RhcnQwHhcNMjAwNDAxMTAyNzAwWhcNMjIwNDAxMTAyNDEyWjCBlzEeMBwGCSqG\nSIb3DQEJARYPdGVzdGVyQG9uYXAub3JnMREwDwYDVQQDDAhvbmFwLm9yZzENMAsG\nA1UECwwET05BUDEZMBcGA1UECgwQTGludXgtRm91bmRhdGlvbjEWMBQGA1UEBwwN\nU2FuLUZyYW5jaXNjbzETMBEGA1UECAwKQ2FsaWZvcm5pYTELMAkGA1UEBhMCVVMw\nggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDNDMk82GQQNr+uBGEhGMpP\nW8P/xk6WqntF2drXaaodJqMIcbF235E58z8kfo4yzown2nm0hM1RB4I8P2k3xkmz\nT42J38Mwyg/DWjHq+vhb0XHH6wXuGD42BvXiWh5WGhrSP0nBd6yL4jwyU82V0sTI\nVu+eXzbv20Hzq92IaHudBzM76e/3M+N9hSoeGJD5mbQVyZqqdQjyfGJs/povX+dd\nPuHKlwSzz6LOxhUqO5aknx52y05IBr11jL4RprU41n0NMILT59zwokDhtxhDg6Q5\nqp+vGpwsv28j89D1+ZrxJCl+q5Kd3+fc2Tf5KFu4Gtn5Ww8SGVmkiiJa7+Wv2S/P\nAgMBAAGjgaQwgaEwDAYDVR0TAQH/BAIwADAfBgNVHSMEGDAWgBQ4TWsw5NCfgMjt\nc6sLNV008AniSjAiBgNVHREEGzAZgghvbmFwLm9yZ4INdGVzdC5vbmFwLm9yZzAd\nBgNVHSUEFjAUBggrBgEFBQcDAgYIKwYBBQUHAwQwHQYDVR0OBBYEFAMyW8sAIjOG\n4qiMVEWuBfliFNeyMA4GA1UdDwEB/wQEAwIF4DANBgkqhkiG9w0BAQsFAAOCAYEA\nCviGRpVZgd4Vr3R3pslegH9GRa1TmCVP8wTD6CUA84VqMzVatcdWbaDFNoCVv54v\nUCYPsN8REx/I53R1jbQ5tralj8JMublrdDaKDQY7OdfjL53nGS4OGl76ZLMt50cF\nnXreoSixCdv3OkPO7+P5szzfnwcCQEa235GfHOxAKv2DIhI8+aFMdi1vTJMYmROs\nYA/6DuJAFjfjPM6T4hzKdW8FPyyUw4kWSNRtt+cxN1JxGDYRt1bnjj7u7nMA5Mge\noWn5oeHLO8rkWgMy0BPxL+YVJhqhdD1fiSek99vmWNUKqmui/4TOXf06SjuMgPgL\nOdp/e2+unwOw+TfdQ/Vu1736IRuWKgLxXOXoOHq2RCZpMgfol2wOFdWSeHWnOag2\nstKD9mmxUaq3wactkVQEkljo3vOgw3D829jC5BOVASxoYoiNzRQlpXrP+kj9QPt0\nZN6haQCgjejHOVpKeuUNoZTUyH+2MwpANLiaJjQcZrwt8N9bAN7WilY+f7CHwMK+\n-----END CERTIFICATE-----\n"
trustedCertificates:
type: array
items:
type: string
+ example: "-----BEGIN CERTIFICATE-----\nMIIEszCCAxugAwIBAgIUK3BbY7jXBtQfSMhob3Ls9BoorbYwDQYJKoZIhvcNAQEL\nBQAwYTEjMCEGCgmSJomT8ixkAQEME2MtMGI1YzFhYTBkNzA4NjVjNGUxFTATBgNV\nBAMMDE1hbmFnZW1lbnRDQTEjMCEGA1UECgwaRUpCQ0EgQ29udGFpbmVyIFF1aWNr\nc3RhcnQwHhcNMjAwNDAxMTAyNzAwWhcNMzAwNDAxMTAyNzAwWjBhMSMwIQYKCZIm\niZPyLGQBAQwTYy0wYjVjMWFhMGQ3MDg2NWM0ZTEVMBMGA1UEAwwMTWFuYWdlbWVu\ndENBMSMwIQYDVQQKDBpFSkJDQSBDb250YWluZXIgUXVpY2tzdGFydDCCAaIwDQYJ\nKoZIhvcNAQEBBQADggGPADCCAYoCggGBAJ5UAlOGkFyyjyDfFBADJrVzce5/wvNC\nDzL8OoB5CRa22NxHZqPL6fNpqexH1alE7ko/g+vvu1BLHnjKzglVMVV880jjG/tq\ngUf9syfmRdRcgPUrF71dOTNw52ZGB23e8es7VQNYca5QH0mfjaw2AxKf4pNzScTi\nbYXw/KxuoeBHP2ybKhSCxau1k6eePUEkpzHlu33XjtTKGRklCo4lDslLtMOV0gWm\nJj2pd9v+/qY9AMio1XkqczGmnGrSRDD7fp+3WpBI2Q4ZaDZZHnzg/9TXmpBGWhwi\n5Ca5e9Cmb9WGjE8W4uICyvaBSmvsGqB2nBjLC0rBUyJxkMxaxZYxoWbegCqlnwgo\naG2OMbGq1qO/U5ArW9WppovA9y540j49CuYWgvf2pH21GzQX2uCtiHDge01exko/\np7c8/20B0rNjyvBFM9s2NOQ4wCIrLVKPClX3mpzuIGliRpnXnC6FQMrC4yNvyO7s\nB2PwzesXaBdD07AfXpYtSaHeqLZafMtqRwIDAQABo2MwYTAPBgNVHRMBAf8EBTAD\nAQH/MB8GA1UdIwQYMBaAFDhNazDk0J+AyO1zqws1XTTwCeJKMB0GA1UdDgQWBBQ4\nTWsw5NCfgMjtc6sLNV008AniSjAOBgNVHQ8BAf8EBAMCAYYwDQYJKoZIhvcNAQEL\nBQADggGBAImYiKkQfR52L2NzjuHI6y8darhBNpZSNf5Hhzv5MOs6yKJSFxh6mQFg\nRfF860AbxgxAfE8bvK2IX+W6b193ecFXAOrRc+UcEyqTg2efqp2zuCdQpnA4nopf\n+474iRkAHdlwdeI0FTE931AOCMfKaQAiEn40Xo3xB09xvMhK7ce2xkxFp90uqbyZ\nwXPRORUj5rKhCiL10jkgXmTfGGlzgQfpHxQxnwQzuAPcv31l+0YVZpDpkSP8A2ts\nmS/yGFfBylyPnGa/+mChZoI7AAKUZ0QWSTDVQLFW6RIs0ByX9zPZqQx0ncGzXH++\nmLu/33YpyjfcjFzvhFVRJCNpELTa0aCElDcD+LIiz80fFP3bxbI42ifYXbt+k/8w\nAB8Ffh1GOneWnaOl42mghNs6ve9e+PjOphYS1sQI74b0liXQdI4tmobAyPoACpgR\ncJ9DAfYtkpMQjxkV/FUM92m76WQpFnIRNQl6C5XLzWHCAVvS+MxEydtINsl4FCvw\nPDdu3P8UkA==\n-----END CERTIFICATE-----\n"
```
http://localchost:8080/docs
```
+
+### OpenAPI
+during project building yaml file with openAPI 3.0 documentation is generated in target directory with name api-docs.yaml
+file OpenAPI.yaml located in certService directory must be update be hand if needed
+++ /dev/null
-# Patterns to ignore when building packages.
-# This supports shell glob matching, relative path matching, and
-# negation (prefixed with !). Only one pattern per line.
-.DS_Store
-# Common VCS dirs
-.git/
-.gitignore
-.bzr/
-.bzrignore
-.hg/
-.hgignore
-.svn/
-# Common backup files
-*.swp
-*.bak
-*.tmp
-*~
-# Various IDEs
-.project
-.idea/
-*.tmproj
-.vscode/
+++ /dev/null
-apiVersion: v1
-appVersion: "1.0"
-description: A Helm chart for AAF Cert Service
-name: aaf-cert-service
-version: 0.1.0
+++ /dev/null
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- name: {{ .Chart.Name }}-deployment
-spec:
- selector:
- matchLabels:
- app: {{ .Values.appLabel }}
- replicas: {{ .Values.replicaCount }}
- template:
- metadata:
- labels:
- app: {{ .Values.appLabel }}
- spec:
- volumes:
- - name: {{ .Values.volume.name }}
- secret:
- secretName: {{ .Values.secret.name }}
- containers:
- - name: aaf-cert-service
- image: {{ .Values.repository }}/{{ .Values.image }}
- imagePullPolicy: {{ .Values.pullPolicy }}
- ports:
- - containerPort: {{ .Values.containerPort }}
- livenessProbe:
- httpGet:
- port: {{ .Values.containerPort }}
- path: {{ .Values.liveness.path }}
- initialDelaySeconds: {{ .Values.liveness.initialDelaySeconds }}
- periodSeconds: {{ .Values.liveness.periodSeconds }}
- readinessProbe:
- httpGet:
- port: {{ .Values.containerPort }}
- path: {{ .Values.readiness.path }}
- initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }}
- periodSeconds: {{ .Values.readiness.periodSeconds }}
- volumeMounts:
- - name: {{ .Values.volume.name }}
- mountPath: {{ .Values.volume.mountPath }}
- readOnly: true
- resources:
- {{ toYaml .Values.resources }}
+++ /dev/null
-apiVersion: v1
-kind: Secret
-metadata:
- name: {{ .Values.secret.name }}
-type: Opaque
-data:
- {{ (.Files.Glob "resources/cmpServers.json").AsSecrets }}
\ No newline at end of file
+++ /dev/null
-apiVersion: v1
-kind: Service
-metadata:
- name: {{ .Chart.Name }}-service
-spec:
- type: {{ .Values.service.type }}
- selector:
- app: {{ .Values.appLabel }}
- ports:
- - protocol: TCP
- port: {{ .Values.containerPort }}
\ No newline at end of file
+++ /dev/null
-appLabel: aaf-cert-service
-replicaCount: 1
-repository: nexus3.onap.org:10001
-image: onap/org.onap.aaf.certservice.aaf-certservice-api:1.0.0
-pullPolicy: Always
-containerPort: 8080
-service:
- type: ClusterIP
-liveness:
- initialDelaySeconds: 60
- periodSeconds: 10
- path: /actuator/health
-readiness:
- initialDelaySeconds: 30
- periodSeconds: 10
- path: /ready
-volume:
- name: aaf-cert-service-volume
- mountPath: /etc/onap/aaf/certservice
-
-resources:
- limits:
- cpu: 2
- memory: 2Gi
- requests:
- cpu: 1
- memory: 1Gi
-
-secret:
- name: aaf-cert-service-secret
* @param encodedPrivateKey Private key for CSR, needed for PoP, encoded in Base64 form
* @return JSON containing trusted certificates and certificate chain
*/
- @GetMapping(value = "v1/certificate/{caName}", produces = "application/json; charset=utf-8")
+ @GetMapping(value = "v1/certificate/{caName}", produces = "application/json")
@ApiResponses(value = {
- @ApiResponse(responseCode = "200", description = "certificate successfully signed"),
- @ApiResponse(responseCode = "400", description = "given CSR or/and PK is incorrect",
+ @ApiResponse(responseCode = "200", description = "Certificate successfully signed"),
+ @ApiResponse(responseCode = "400", description = "Given CSR or/and PK is incorrect",
content = @Content(schema = @Schema(implementation = ErrorResponseModel.class))),
@ApiResponse(responseCode = "404", description = "CA not found for given name",
content = @Content(schema = @Schema(implementation = ErrorResponseModel.class))),
- @ApiResponse(responseCode = "500", description = "something went wrong during connecting to cmp client",
+ @ApiResponse(responseCode = "500", description = "Something went wrong during connectiion to CMPv2 server",
content = @Content(schema = @Schema(implementation = ErrorResponseModel.class)))
})
@Operation(
this.cmpServersConfig = cmpServersConfig;
}
- @GetMapping(value = "/ready", produces = "application/json; charset=utf-8")
+ @GetMapping(value = "/ready", produces = "application/json")
@ApiResponses(value = {
- @ApiResponse(responseCode = "200", description = "configuration is loaded and service is ready to use"),
- @ApiResponse(responseCode = "503", description = "configuration loading failed and service is unavailable")
+ @ApiResponse(responseCode = "200", description = "Configuration is loaded and service is ready to use"),
+ @ApiResponse(responseCode = "503", description = "Configuration loading failed and service is unavailable")
})
@Operation(
- summary = "check is container is ready",
+ summary = "Check if CertService application is ready",
description = "Web endpoint for checking if service is ready to be used.",
tags = {"CertificationService"})
public ResponseEntity<String> checkReady() {
this.cmpServersConfig = cmpServersConfig;
}
- @GetMapping(value = "/reload", produces = "application/json; charset=utf-8")
+ @GetMapping(value = "/reload", produces = "application/json")
@ApiResponses(value = {
- @ApiResponse(responseCode = "200", description = "configuration has been successfully reloaded"),
- @ApiResponse(responseCode = "500", description = "something went wrong during configuration loading",
+ @ApiResponse(responseCode = "200", description = "Configuration has been successfully reloaded"),
+ @ApiResponse(responseCode = "500", description = "Something went wrong during configuration loading",
content = @Content(schema = @Schema(implementation = ErrorResponseModel.class)))
})
@Operation(
- summary = "reload service configuration from file",
- description = "Web endpoint for performing configuration reload. Used to reload configuration file from file.",
+ summary = "Reload CMPv2 servers configuration from configuration file",
+ description = "Web endpoint for performing configuration reload. Used to reload configuration from file.",
tags = {"CertificationService"})
public ResponseEntity<String> reloadConfiguration() throws CmpServersConfigLoadingException {
cmpServersConfig.reloadConfiguration();
# AAF CertService app specific configuration
app.config.path=/etc/onap/aaf/certservice
+
+# Mutual TLS configuration
+server.ssl.enabled=true
+server.ssl.client-auth=need
+server.port=${HTTPS_PORT:8443}
+
+server.ssl.key-store=${KEYSTORE_PATH:/etc/onap/aaf/certservice/certs/certServiceServer-keystore.jks}
+server.ssl.key-store-password=${KEYSTORE_PASSWORD:secret}
+
+server.ssl.trust-store=${TRUSTSTORE_PATH:/etc/onap/aaf/certservice/certs/truststore.jks}
+server.ssl.trust-store-password=${TRUSTSTORE_PASSWORD:secret}
# AAF CertService app specific configuration
app.config.path=./src/test/resources
+
+# Mutual TLS configuration
+server.ssl.enabled=true
+server.ssl.client-auth=need
+server.port=${HTTPS_PORT:8443}
+
+server.ssl.key-store=${KEYSTORE_PATH:/etc/onap/aaf/certservice/certs/certServiceServer-keystore.jks}
+server.ssl.key-store-password=${KEYSTORE_PASSWORD:secret}
+
+server.ssl.trust-store=${TRUSTSTORE_PATH:/etc/onap/aaf/certservice/certs/truststore.jks}
+server.ssl.trust-store-password=${TRUSTSTORE_PASSWORD:secret}
\ No newline at end of file
STATE=California
COUNTRY=US
SANS=example.com:example2.com
+KEYSTORE_PATH=/etc/onap/aaf/certservice/certs/certServiceClient-keystore.jks
+KEYSTORE_PASSWORD=secret
+TRUSTSTORE_PATH=/etc/onap/aaf/certservice/certs/truststore.jks
+TRUSTSTORE_PASSWORD=secret
```
### Logs locally
package org.onap.aaf.certservice.client;
-import java.security.KeyPair;
import org.onap.aaf.certservice.client.api.ExitableException;
-import org.onap.aaf.certservice.client.certification.PrivateKeyToPemEncoder;
import org.onap.aaf.certservice.client.certification.CsrFactory;
import org.onap.aaf.certservice.client.certification.KeyPairFactory;
+import org.onap.aaf.certservice.client.certification.PrivateKeyToPemEncoder;
import org.onap.aaf.certservice.client.certification.conversion.KeystoreTruststoreCreator;
import org.onap.aaf.certservice.client.certification.conversion.KeystoreTruststoreCreatorFactory;
import org.onap.aaf.certservice.client.common.Base64Encoder;
import org.onap.aaf.certservice.client.configuration.EnvsForClient;
import org.onap.aaf.certservice.client.configuration.EnvsForCsr;
+import org.onap.aaf.certservice.client.configuration.EnvsForTls;
import org.onap.aaf.certservice.client.configuration.factory.ClientConfigurationFactory;
import org.onap.aaf.certservice.client.configuration.factory.CsrConfigurationFactory;
+import org.onap.aaf.certservice.client.configuration.factory.SslContextFactory;
import org.onap.aaf.certservice.client.configuration.model.ClientConfiguration;
import org.onap.aaf.certservice.client.configuration.model.CsrConfiguration;
-import org.onap.aaf.certservice.client.httpclient.CloseableHttpClientProvider;
+import org.onap.aaf.certservice.client.httpclient.CloseableHttpsClientProvider;
import org.onap.aaf.certservice.client.httpclient.HttpClient;
import org.onap.aaf.certservice.client.httpclient.model.CertServiceResponse;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
+import javax.net.ssl.SSLContext;
+import java.security.KeyPair;
+
import static org.onap.aaf.certservice.client.api.ExitStatus.SUCCESS;
import static org.onap.aaf.certservice.client.certification.EncryptionAlgorithmConstants.KEY_SIZE;
import static org.onap.aaf.certservice.client.certification.EncryptionAlgorithmConstants.RSA_ENCRYPTION_ALGORITHM;
CsrConfiguration csrConfiguration = new CsrConfigurationFactory(new EnvsForCsr()).create();
KeyPair keyPair = keyPairFactory.create();
CsrFactory csrFactory = new CsrFactory(csrConfiguration);
+ SSLContext sslContext = new SslContextFactory(new EnvsForTls()).create();
- CloseableHttpClientProvider provider = new CloseableHttpClientProvider(
- clientConfiguration.getRequestTimeout());
+ CloseableHttpsClientProvider provider = new CloseableHttpsClientProvider(
+ sslContext, clientConfiguration.getRequestTimeout());
HttpClient httpClient = new HttpClient(provider, clientConfiguration.getUrlToCertService());
CertServiceResponse certServiceData =
base64Encoder.encode(pkEncoder.encodePrivateKeyToPem(keyPair.getPrivate())));
KeystoreTruststoreCreator filesCreator = new KeystoreTruststoreCreatorFactory(
- clientConfiguration.getCertsOutputPath()).create();
+ clientConfiguration.getCertsOutputPath()).create();
filesCreator.createKeystore(certServiceData.getCertificateChain(), keyPair.getPrivate());
filesCreator.createTruststore(certServiceData.getTrustedCertificates());
} catch (ExitableException e) {
CERT_SERVICE_API_CONNECTION_EXCEPTION(5,"CertService HTTP unsuccessful response"),
HTTP_CLIENT_EXCEPTION(6,"Internal HTTP Client connection problem"),
PKCS12_CONVERSION_EXCEPTION(7,"Fail in PKCS12 conversion"),
- PK_TO_PEM_ENCODING_EXCEPTION(8,"Fail in Private Key to PEM Encoding");
+ PK_TO_PEM_ENCODING_EXCEPTION(8,"Fail in Private Key to PEM Encoding"),
+ TLS_CONFIGURATION_EXCEPTION(9, "Invalid TLS configuration");
private final int value;
private final String message;
public class KeyPairFactory {
- private final static Logger LOGGER = LoggerFactory.getLogger(KeyPairFactory.class);
+ private static final Logger LOGGER = LoggerFactory.getLogger(KeyPairFactory.class);
private final String encryptionAlgorithm;
private final int keySize;
throws PemToPKCS12ConverterException {
Password password = generator.generate(PASSWORD_LENGTH);
creator.saveKeystoreData(converter.convertKeystore(data, password, CERTIFICATE_ALIAS, privateKey),
- password.getPassword());
+ password.getCurrentPassword());
}
public void createTruststore(List<String> data)
throws PemToPKCS12ConverterException {
Password password = generator.generate(PASSWORD_LENGTH);
creator.saveTruststoreData(converter.convertTruststore(data, password, TRUSTED_CERTIFICATE_ALIAS),
- password.getPassword());
+ password.getCurrentPassword());
}
}
package org.onap.aaf.certservice.client.certification.conversion;
class Password {
- private static final String PASSWORD_PATTERN = "[\\w$#]{16,}";
- private final String password;
+ // We are excluding this line in Sonar due to fact that
+ // PASSWORD_PATTERN does not contain password. This solution
+ // is safe.
+ private static final String PASSWORD_PATTERN = "[\\w$#]{16,}"; // NOSONAR
+ private final String currentPassword;
- Password(String password) {
- this.password = password;
+ Password(String currentPassword) {
+ this.currentPassword = currentPassword;
}
- String getPassword() {
- return password;
+ String getCurrentPassword() {
+ return currentPassword;
}
char[] toCharArray() {
- return password.toCharArray();
+ return currentPassword.toCharArray();
}
boolean isCorrectPasswordPattern() {
- return password.matches(PASSWORD_PATTERN);
+ return currentPassword.matches(PASSWORD_PATTERN);
}
}
package org.onap.aaf.certservice.client.certification.conversion;
import java.security.SecureRandom;
+
import org.apache.commons.lang3.RandomStringUtils;
class RandomPasswordGenerator {
private static final boolean USE_LETTERS_ONLY = false;
private static final boolean USE_NUMBERS_ONLY = false;
+ // We are excluding this line in Sonar due to fact that
+ //we are using new SecureRandom which provides
+ //cryptographic security
Password generate(int passwordLength) {
- return new Password(RandomStringUtils.random(
- passwordLength,
- START_POSITION_IN_ASCII_CHARS,
- END_POSITION_IN_ASCII_CHARS,
- USE_LETTERS_ONLY,
- USE_NUMBERS_ONLY,
- SET_OF_CHARS,
- new SecureRandom()));
+ return new Password(RandomStringUtils.random(//NOSONAR
+ passwordLength,
+ START_POSITION_IN_ASCII_CHARS,
+ END_POSITION_IN_ASCII_CHARS,
+ USE_LETTERS_ONLY,
+ USE_NUMBERS_ONLY,
+ SET_OF_CHARS,
+ new SecureRandom())
+ );
}
}
--- /dev/null
+/*
+ * ============LICENSE_START=======================================================
+ * aaf-certservice-client
+ * ================================================================================
+ * Copyright (C) 2020 Nokia. All rights reserved.
+ * ================================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END=========================================================
+ */
+
+package org.onap.aaf.certservice.client.configuration;
+
+import java.util.Optional;
+
+public class EnvsForTls {
+ private final EnvProvider envProvider = new EnvProvider();
+
+ public Optional<String> getKeystorePath() {
+ return readEnv(TlsConfigurationEnvs.KEYSTORE_PATH);
+ }
+
+ public Optional<String> getKeystorePassword() {
+ return readEnv(TlsConfigurationEnvs.KEYSTORE_PASSWORD);
+ }
+
+ public Optional<String> getTruststorePath() {
+ return readEnv(TlsConfigurationEnvs.TRUSTSTORE_PATH);
+ }
+
+ public Optional<String> getTruststorePassword() {
+ return readEnv(TlsConfigurationEnvs.TRUSTSTORE_PASSWORD);
+ }
+
+ private Optional<String> readEnv(TlsConfigurationEnvs envName) {
+ return envProvider.readEnvVariable(envName.toString());
+ }
+}
--- /dev/null
+/*
+ * ============LICENSE_START=======================================================
+ * aaf-certservice-client
+ * ================================================================================
+ * Copyright (C) 2020 Nokia. All rights reserved.
+ * ================================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END=========================================================
+ */
+
+package org.onap.aaf.certservice.client.configuration;
+
+public enum TlsConfigurationEnvs {
+ KEYSTORE_PATH,
+ KEYSTORE_PASSWORD,
+ TRUSTSTORE_PATH,
+ TRUSTSTORE_PASSWORD
+}
--- /dev/null
+/*
+ * ============LICENSE_START=======================================================
+ * aaf-certservice-client
+ * ================================================================================
+ * Copyright (C) 2020 Nokia. All rights reserved.
+ * ================================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END=========================================================
+ */
+
+package org.onap.aaf.certservice.client.configuration.exception;
+
+import org.onap.aaf.certservice.client.api.ExitStatus;
+import org.onap.aaf.certservice.client.api.ExitableException;
+
+public class TlsConfigurationException extends ExitableException {
+ private static final ExitStatus EXIT_STATUS = ExitStatus.CERT_SERVICE_API_CONNECTION_EXCEPTION;
+
+ public TlsConfigurationException(String message) {
+ super(message);
+ }
+
+ public ExitStatus applicationExitStatus() {
+ return EXIT_STATUS;
+ }
+}
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
+
public class CsrConfigurationFactory extends AbstractConfigurationFactory<CsrConfiguration> {
private static final Logger LOGGER = LoggerFactory.getLogger(CsrConfigurationFactory.class);
private final EnvsForCsr envsForCsr;
-
public CsrConfigurationFactory(EnvsForCsr envsForCsr) {
this.envsForCsr = envsForCsr;
}
--- /dev/null
+/*============LICENSE_START=======================================================
+ * aaf-certservice-client
+ * ================================================================================
+ * Copyright (C) 2020 Nokia. All rights reserved.
+ * ================================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END=========================================================
+ */
+
+package org.onap.aaf.certservice.client.configuration.factory;
+
+import org.apache.http.ssl.SSLContexts;
+import org.onap.aaf.certservice.client.configuration.EnvsForTls;
+import org.onap.aaf.certservice.client.configuration.TlsConfigurationEnvs;
+import org.onap.aaf.certservice.client.configuration.exception.TlsConfigurationException;
+
+import javax.net.ssl.SSLContext;
+import java.io.File;
+import java.io.FileInputStream;
+import java.io.IOException;
+import java.security.KeyStore;
+import java.security.KeyStoreException;
+import java.security.NoSuchAlgorithmException;
+import java.security.cert.CertificateException;
+
+public class SslContextFactory {
+
+ private static final String JKS = "jks";
+
+ private EnvsForTls envsForTls;
+
+ public SslContextFactory(EnvsForTls envsForTls) {
+ this.envsForTls = envsForTls;
+ }
+
+ public SSLContext create() throws TlsConfigurationException {
+ String keystorePath = envsForTls.getKeystorePath()
+ .orElseThrow(() -> new TlsConfigurationException(createEnvMissingMessage(TlsConfigurationEnvs.KEYSTORE_PATH)));
+ String keystorePassword = envsForTls.getKeystorePassword()
+ .orElseThrow(() -> new TlsConfigurationException(createEnvMissingMessage(TlsConfigurationEnvs.KEYSTORE_PASSWORD)));
+ String truststorePath = envsForTls.getTruststorePath()
+ .orElseThrow(() -> new TlsConfigurationException(createEnvMissingMessage(TlsConfigurationEnvs.TRUSTSTORE_PATH)));
+ String truststorePassword = envsForTls.getTruststorePassword()
+ .orElseThrow(() -> new TlsConfigurationException(createEnvMissingMessage(TlsConfigurationEnvs.TRUSTSTORE_PASSWORD)));
+
+ return createSSLContext(keystorePath, keystorePassword, truststorePath, truststorePassword);
+ }
+
+ private String createEnvMissingMessage(TlsConfigurationEnvs keystorePath) {
+ return String.format("%s env is missing.", keystorePath);
+ }
+
+ private KeyStore setupKeystore(String keystorePath, String certPassword)
+ throws KeyStoreException, IOException, NoSuchAlgorithmException, CertificateException {
+ KeyStore keyStore = KeyStore.getInstance(JKS);
+ FileInputStream identityKeyStoreFile = new FileInputStream(new File(
+ keystorePath));
+ keyStore.load(identityKeyStoreFile, certPassword.toCharArray());
+ return keyStore;
+ }
+
+ private SSLContext createSSLContext(String keystorePath, String keystorePassword, String truststorePath, String truststorePassword) throws TlsConfigurationException {
+ try {
+ KeyStore identityKeystore = setupKeystore(keystorePath, keystorePassword);
+ KeyStore trustKeystore = setupKeystore(truststorePath, truststorePassword);
+
+ return SSLContexts.custom()
+ .loadKeyMaterial(identityKeystore, keystorePassword.toCharArray())
+ .loadTrustMaterial(trustKeystore, null)
+ .build();
+ } catch (Exception e) {
+ throw new TlsConfigurationException("TLS configuration exception: " + e);
+ }
+ }
+}
public class ClientConfiguration implements ConfigurationModel {
private static final Integer DEFAULT_TIMEOUT_MS = 30000;
- private static final String DEFAULT_REQUEST_URL = "http://aaf-cert-service-service:8080/v1/certificate/";
+ private static final String DEFAULT_REQUEST_URL = "https://aaf-cert-service:8443/v1/certificate/";
private String urlToCertService;
private Integer requestTimeout;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.impl.client.HttpClientBuilder;
-public class CloseableHttpClientProvider {
+import javax.net.ssl.SSLContext;
+
+public class CloseableHttpsClientProvider {
private final int timeout;
+ private final SSLContext sslContext;
- public CloseableHttpClientProvider(int timeout) {
+ public CloseableHttpsClientProvider(SSLContext sslContext, int timeout) {
+ this.sslContext = sslContext;
this.timeout = timeout;
}
.setConnectTimeout(timeout)
.setSocketTimeout(timeout)
.build();
- return HttpClientBuilder.create().setDefaultRequestConfig(config).build();
+
+ return HttpClientBuilder.create()
+ .setSSLContext(sslContext)
+ .setDefaultRequestConfig(config).build();
}
}
private static final String CHARSET_UTF_8 = "UTF-8";
private final Gson gson = new Gson();
- private final CloseableHttpClientProvider httpClientProvider;
+ private final CloseableHttpsClientProvider httpClientProvider;
private final String certServiceAddress;
- public HttpClient(CloseableHttpClientProvider httpClientProvider, String certServiceAddress) {
+ public HttpClient(CloseableHttpsClientProvider httpClientProvider, String certServiceAddress) {
this.httpClientProvider = httpClientProvider;
this.certServiceAddress = certServiceAddress;
}
// then
verify(passwordGenerator, times(1)).generate(passwordLength);
verify(converter, times(1)).convertKeystore(certificates, password, alias, privateKey);
- verify(filesCreator, times(1)).saveKeystoreData(keystoreBytes, password.getPassword());
+ verify(filesCreator, times(1)).saveKeystoreData(keystoreBytes, password.getCurrentPassword());
}
@Test
// then
verify(passwordGenerator, times(1)).generate(passwordLength);
verify(converter, times(1)).convertTruststore(certificates, password, alias);
- verify(filesCreator, times(1)).saveTruststoreData(truststoreBytes, password.getPassword());
+ verify(filesCreator, times(1)).saveTruststoreData(truststoreBytes, password.getCurrentPassword());
}
}
\ No newline at end of file
--- /dev/null
+/*
+ * ============LICENSE_START=======================================================
+ * aaf-certservice-client
+ * ================================================================================
+ * Copyright (C) 2020 Nokia. All rights reserved.
+ * ================================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END=========================================================
+ */
+
+package org.onap.aaf.certservice.client.configuration.factory;
+
+import org.junit.jupiter.api.Test;
+import org.junit.jupiter.api.extension.ExtendWith;
+import org.mockito.Mock;
+import org.mockito.junit.jupiter.MockitoExtension;
+import org.onap.aaf.certservice.client.configuration.EnvsForTls;
+import org.onap.aaf.certservice.client.configuration.exception.TlsConfigurationException;
+
+import javax.net.ssl.SSLContext;
+import java.util.Optional;
+
+import static org.assertj.core.api.Assertions.assertThat;
+import static org.junit.jupiter.api.Assertions.assertNotNull;
+import static org.junit.jupiter.api.Assertions.assertThrows;
+import static org.mockito.Mockito.when;
+
+
+@ExtendWith(MockitoExtension.class)
+public class SslContextFactoryTest {
+
+ public static final String INVALID_KEYSTORE_PATH = "nonexistent/keystore";
+ public static final String VALID_KEYSTORE_NAME = "keystore.jks";
+ public static final String VALID_KEYSTORE_PASSWORD = "secret";
+ public static final String INVALID_KEYSTORE_PASSWORD = "wrong_secret";
+ public static final String INVALID_TRUSTSTORE_PATH = "nonexistent/truststore";
+ public static final String VALID_TRUSTSTORE_PASSWORD = "secret";
+ public static final String INVALID_TRUSTSTORE_PASSWORD = "wrong_secret";
+ public static final String VALID_TRUSTSTORE_NAME = "truststore.jks";
+ @Mock
+ private EnvsForTls envsForTls;
+
+ @Test
+ public void shouldThrowExceptionWhenKeystorePathEnvIsMissing() {
+ // Given
+ when(envsForTls.getKeystorePath()).thenReturn(Optional.empty());
+ SslContextFactory sslContextFactory = new SslContextFactory(envsForTls);
+
+ // When, Then
+ Exception exception = assertThrows(
+ TlsConfigurationException.class, sslContextFactory::create
+ );
+ assertThat(exception.getMessage()).contains("KEYSTORE_PATH");
+ }
+
+ @Test
+ public void shouldThrowExceptionWhenKeystorePasswordEnvIsMissing() {
+ // Given
+ when(envsForTls.getKeystorePath()).thenReturn(Optional.of("keystore"));
+ when(envsForTls.getKeystorePassword()).thenReturn(Optional.empty());
+ SslContextFactory sslContextFactory = new SslContextFactory(envsForTls);
+
+ // When, Then
+ Exception exception = assertThrows(
+ TlsConfigurationException.class, sslContextFactory::create
+ );
+ assertThat(exception.getMessage()).contains("KEYSTORE_PASSWORD");
+ }
+
+ @Test
+ public void shouldThrowExceptionWhenTruststorePathEnvIsMissing() {
+ // Given
+ when(envsForTls.getKeystorePath()).thenReturn(Optional.of("keystore"));
+ when(envsForTls.getKeystorePassword()).thenReturn(Optional.of("password"));
+ when(envsForTls.getTruststorePath()).thenReturn(Optional.empty());
+ SslContextFactory sslContextFactory = new SslContextFactory(envsForTls);
+
+ // When, Then
+ Exception exception = assertThrows(
+ TlsConfigurationException.class, sslContextFactory::create
+ );
+ assertThat(exception.getMessage()).contains("TRUSTSTORE_PATH");
+ }
+
+ @Test
+ public void shouldThrowExceptionWhenTruststorePasswordEnvIsMissing() {
+ // Given
+ when(envsForTls.getKeystorePath()).thenReturn(Optional.of("keystore"));
+ when(envsForTls.getKeystorePassword()).thenReturn(Optional.of("password"));
+ when(envsForTls.getTruststorePath()).thenReturn(Optional.of("truststore"));
+ when(envsForTls.getTruststorePassword()).thenReturn(Optional.empty());
+ SslContextFactory sslContextFactory = new SslContextFactory(envsForTls);
+
+ // When, Then
+ Exception exception = assertThrows(
+ TlsConfigurationException.class, sslContextFactory::create
+ );
+ assertThat(exception.getMessage()).contains("TRUSTSTORE_PASSWORD");
+ }
+
+ @Test
+ public void shouldThrowExceptionWhenKeystoreIsMissing() {
+ // Given
+ when(envsForTls.getKeystorePath()).thenReturn(Optional.of(INVALID_KEYSTORE_PATH));
+ when(envsForTls.getKeystorePassword()).thenReturn(Optional.of("secret"));
+ when(envsForTls.getTruststorePath()).thenReturn(Optional.of("truststore.jks"));
+ when(envsForTls.getTruststorePassword()).thenReturn(Optional.of("secret"));
+ SslContextFactory sslContextFactory = new SslContextFactory(envsForTls);
+
+ // When, Then
+ assertThrows(
+ TlsConfigurationException.class, sslContextFactory::create
+ );
+ }
+
+ @Test
+ public void shouldThrowExceptionWhenKeystorePasswordIsWrong() {
+ // Given
+ String keystorePath = getResourcePath(VALID_KEYSTORE_NAME);
+ when(envsForTls.getKeystorePath()).thenReturn(Optional.of(keystorePath));
+ when(envsForTls.getKeystorePassword()).thenReturn(Optional.of(INVALID_KEYSTORE_PASSWORD));
+ when(envsForTls.getTruststorePath()).thenReturn(Optional.of(VALID_TRUSTSTORE_NAME));
+ when(envsForTls.getTruststorePassword()).thenReturn(Optional.of(VALID_TRUSTSTORE_PASSWORD));
+ SslContextFactory sslContextFactory = new SslContextFactory(envsForTls);
+
+ // When, Then
+ assertThrows(
+ TlsConfigurationException.class, sslContextFactory::create
+ );
+ }
+
+ @Test
+ public void shouldThrowExceptionWhenTruststoreIsMissing() {
+ // Given
+ String keystorePath = getResourcePath(VALID_KEYSTORE_NAME);
+ when(envsForTls.getKeystorePath()).thenReturn(Optional.of(keystorePath));
+ when(envsForTls.getKeystorePassword()).thenReturn(Optional.of(VALID_KEYSTORE_PASSWORD));
+ when(envsForTls.getTruststorePath()).thenReturn(Optional.of(INVALID_TRUSTSTORE_PATH));
+ when(envsForTls.getTruststorePassword()).thenReturn(Optional.of(VALID_TRUSTSTORE_PASSWORD));
+ SslContextFactory sslContextFactory = new SslContextFactory(envsForTls);
+
+ // When, Then
+ assertThrows(
+ TlsConfigurationException.class, sslContextFactory::create
+ );
+ }
+
+ @Test
+ public void shouldThrowExceptionWhenTruststorePasswordIsWrong() {
+ // Given
+ String keystorePath = getResourcePath(VALID_KEYSTORE_NAME);
+ String truststorePath = getResourcePath(VALID_TRUSTSTORE_NAME);
+ when(envsForTls.getKeystorePath()).thenReturn(Optional.of(keystorePath));
+ when(envsForTls.getKeystorePassword()).thenReturn(Optional.of(VALID_KEYSTORE_PASSWORD));
+ when(envsForTls.getTruststorePath()).thenReturn(Optional.of(truststorePath));
+ when(envsForTls.getTruststorePassword()).thenReturn(Optional.of(INVALID_TRUSTSTORE_PASSWORD));
+ SslContextFactory sslContextFactory = new SslContextFactory(envsForTls);
+
+ // When, Then
+ assertThrows(
+ TlsConfigurationException.class, sslContextFactory::create
+ );
+ }
+
+ @Test
+ public void shouldReturnSSLContext() throws TlsConfigurationException {
+ // Given
+ String keystorePath = getResourcePath(VALID_KEYSTORE_NAME);
+ String truststorePath = getResourcePath(VALID_TRUSTSTORE_NAME);
+ when(envsForTls.getKeystorePath()).thenReturn(Optional.of(keystorePath));
+ when(envsForTls.getKeystorePassword()).thenReturn(Optional.of(VALID_KEYSTORE_PASSWORD));
+ when(envsForTls.getTruststorePath()).thenReturn(Optional.of(truststorePath));
+ when(envsForTls.getTruststorePassword()).thenReturn(Optional.of(VALID_TRUSTSTORE_PASSWORD));
+ SslContextFactory sslContextFactory = new SslContextFactory(envsForTls);
+
+ // When
+ SSLContext sslContext = sslContextFactory.create();
+
+ // Then
+ assertNotNull(sslContext);
+ }
+
+ private String getResourcePath(String resource) {
+ return getClass().getClassLoader().getResource(resource).getFile();
+ }
+}
+
private final String CA_NAME_VALID = "caaaftest2";
private final String TIME_OUT_VALID = "30000";
private final String OUTPUT_PATH_VALID = "/opt/app/osaaf";
- private final String URL_TO_CERT_SERVICE_VALID = "http://cert-service:8080/v1/certificate/";
- private final String URL_TO_CERT_SERVICE_DEFAULT = "http://aaf-cert-service-service:8080/v1/certificate/";
+ private final String URL_TO_CERT_SERVICE_VALID = "https://cert-service:8443/v1/certificate/";
+ private final String URL_TO_CERT_SERVICE_DEFAULT = "https://aaf-cert-service:8443/v1/certificate/";
private final String CA_NAME_INVALID = "caaaftest2#$";
private final String OUTPUT_PATH_INVALID = "/opt//app/osaaf";
statusLine = mock(StatusLine.class);
httpResponse = mock(CloseableHttpResponse.class);
- CloseableHttpClientProvider httpClientProvider = mock(CloseableHttpClientProvider.class);
+ CloseableHttpsClientProvider httpClientProvider = mock(CloseableHttpsClientProvider.class);
when(httpClientProvider.getClient()).thenReturn(closeableHttpClient);
String testCertServiceAddress = "";
--- /dev/null
+all: step_1 step_2 step_3 step_4 step_5 step_6 step_7 step_8 step_9 step_10 step_11 step_12 step_13 step_14 step_15
+.PHONY: all
+#Clear certificates
+clear:
+ @echo "Clear certificates"
+ rm certServiceClient-keystore.jks certServiceServer-keystore.jks root.crt truststore.jks certServiceServer-keystore.p12
+ @echo "#####done#####"
+
+#Generate root private and public keys
+step_1:
+ @echo "Generate root private and public keys"
+ keytool -genkeypair -v -alias root -keyalg RSA -keysize 4096 -validity 3650 -keystore root-keystore.jks \
+ -dname "CN=root.com, OU=Root Org, O=Root Company, L=Wroclaw, ST=Dolny Slask, C=PL" -keypass secret \
+ -storepass secret -ext BasicConstraints:critical="ca:true"
+ @echo "#####done#####"
+
+#Export public key as certificate
+step_2:
+ @echo "(Export public key as certificate)"
+ keytool -exportcert -alias root -keystore root-keystore.jks -storepass secret -file root.crt -rfc
+ @echo "#####done#####"
+
+#Self-signed root (import root certificate into truststore)
+step_3:
+ @echo "(Self-signed root (import root certificate into truststore))"
+ keytool -importcert -alias root -keystore truststore.jks -file root.crt -storepass secret -noprompt
+ @echo "#####done#####"
+
+#Generate certService's client private and public keys
+step_4:
+ @echo "Generate certService's client private and public keys"
+ keytool -genkeypair -v -alias certServiceClient -keyalg RSA -keysize 2048 -validity 730 \
+ -keystore certServiceClient-keystore.jks -storetype JKS \
+ -dname "CN=certServiceClient.com,OU=certServiceClient company,O=certServiceClient org,L=Wroclaw,ST=Dolny Slask,C=PL" \
+ -keypass secret -storepass secret
+ @echo "####done####"
+
+#Generate certificate signing request for certService's client
+step_5:
+ @echo "Generate certificate signing request for certService's client"
+ keytool -certreq -keystore certServiceClient-keystore.jks -alias certServiceClient -storepass secret -file certServiceClient.csr
+ @echo "####done####"
+
+#Sign certService's client certificate by root CA
+step_6:
+ @echo "Sign certService's client certificate by root CA"
+ keytool -gencert -v -keystore root-keystore.jks -storepass secret -alias root -infile certServiceClient.csr \
+ -outfile certServiceClientByRoot.crt -rfc -ext bc=0 -ext ExtendedkeyUsage="serverAuth,clientAuth"
+ @echo "####done####"
+
+#Import root certificate into client
+step_7:
+ @echo "Import root certificate into intermediate"
+ cat root.crt >> certServiceClientByRoot.crt
+ @echo "####done####"
+
+#Import signed certificate into certService's client
+step_8:
+ @echo "Import signed certificate into certService's client"
+ keytool -importcert -file certServiceClientByRoot.crt -destkeystore certServiceClient-keystore.jks -alias certServiceClient -storepass secret -noprompt
+ @echo "####done####"
+
+#Generate certService private and public keys
+step_9:
+ @echo "Generate certService private and public keys"
+ keytool -genkeypair -v -alias aaf-cert-service -keyalg RSA -keysize 2048 -validity 730 \
+ -keystore certServiceServer-keystore.jks -storetype JKS \
+ -dname "CN=aaf-cert-service,OU=certServiceServer company,O=certServiceServer org,L=Wroclaw,ST=Dolny Slask,C=PL" \
+ -keypass secret -storepass secret -ext BasicConstraints:critical="ca:false"
+ @echo "####done####"
+
+#Generate certificate signing request for certService
+step_10:
+ @echo "Generate certificate signing request for certService"
+ keytool -certreq -keystore certServiceServer-keystore.jks -alias aaf-cert-service -storepass secret -file certServiceServer.csr
+ @echo "####done####"
+
+#Sign certService certificate by root CA
+step_11:
+ @echo "Sign certService certificate by root CA"
+ keytool -gencert -v -keystore root-keystore.jks -storepass secret -alias root -infile certServiceServer.csr \
+ -outfile certServiceServerByRoot.crt -rfc -ext bc=0 -ext ExtendedkeyUsage="serverAuth,clientAuth" \
+ -ext SubjectAlternativeName:="DNS:aaf-cert-service,DNS:localhost"
+ @echo "####done####"
+
+#Import root certificate into server
+step_12:
+ @echo "Import root certificate into intermediate(server)"
+ cat root.crt >> certServiceServerByRoot.crt
+ @echo "####done####"
+
+#Import signed certificate into certService
+step_13:
+ @echo "Import signed certificate into certService"
+ keytool -importcert -file certServiceServerByRoot.crt -destkeystore certServiceServer-keystore.jks -alias aaf-cert-service \
+ -storepass secret -noprompt
+ @echo "####done####"
+
+#Convert certServiceServer-keystore(.jks) to PCKS12 format(.p12)
+step_14:
+ @echo "Convert certServiceServer-keystore(.jks) to PCKS12 format(.p12)"
+ keytool -importkeystore -srckeystore certServiceServer-keystore.jks -srcstorepass secret \
+ -destkeystore certServiceServer-keystore.p12 -deststoretype PKCS12 -deststorepass secret
+ @echo "#####done#####"
+
+#Clear unused certificates
+step_15:
+ @echo "Clear unused certificates"
+ rm certServiceClientByRoot.crt certServiceClient.csr root-keystore.jks certServiceServerByRoot.crt certServiceServer.csr
+ @echo "#####done#####"
--- /dev/null
+-----BEGIN CERTIFICATE-----
+MIIFlDCCA3ygAwIBAgIETsAy8jANBgkqhkiG9w0BAQwFADByMQswCQYDVQQGEwJQ\r
+TDEUMBIGA1UECBMLRG9sbnkgU2xhc2sxEDAOBgNVBAcTB1dyb2NsYXcxFTATBgNV\r
+BAoTDFJvb3QgQ29tcGFueTERMA8GA1UECxMIUm9vdCBPcmcxETAPBgNVBAMTCHJv\r
+b3QuY29tMB4XDTIwMDQwMzA5MTYxNloXDTMwMDQwMTA5MTYxNlowcjELMAkGA1UE\r
+BhMCUEwxFDASBgNVBAgTC0RvbG55IFNsYXNrMRAwDgYDVQQHEwdXcm9jbGF3MRUw\r
+EwYDVQQKEwxSb290IENvbXBhbnkxETAPBgNVBAsTCFJvb3QgT3JnMREwDwYDVQQD\r
+Ewhyb290LmNvbTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAImm68wu\r
+rtdkVrC5JI2y53+DoVE4al7NxC2yHeVW0PRD3CgW1xba6dlSQoDQQKkDkxtuNhlU\r
+IQxU1bbKR6syqJgpJXwSDx4sl4J5lQGWN+iuNA72C1IyXATOgowGq6PbOVVTkApy\r
+3+ZZGBCmweTjhvddAO7k5p8v+ePt17VvBTxSt6rSvrkGMbpCxBGAPfGpL9xykm9Z\r
+okVSlA42gGhbra499QTT0Yc/WPPFotKkDKFGaDrLW3NYX1Lio11myYNvLOMwfSEV\r
+Xy9vkwxcdqFJpHjx+EVLLQXwkudZP+D53N4bk8nP3SacbZSQ/A85mZpWNtw+r9QL\r
+fZGecY1YIR0udLj66CIG3ybl3gSXX7TSRERTIMR6Um1lt+039FSa18mRBpQTCDXV\r
+tSL58Qs5BHFkCe0sGpY+XiSEypc6oYPf/7YjiTvMT/mHhDffrvFjhK+wP/oCIg8u\r
+vuPRoPWuyw41bBeFGitJgDn7E8p9B4K/1DCO/ZcjXiYMgn5Hwb3ojablYUeiXs99\r
+2AAV8gCceUCdgcP8d6wdAydOVljavkgHPG0IMbiVG1WT57oM3HQpejgpujlKDDsI\r
+bi9/lbcC/U0JoN9yAaJZFr7CXJrxRv8DWeTwzMTo203KHNu9roQiERd38P8Dp6AQ\r
+ivmqf0+0VZM3IpjWBYKM68tclHJcG+7wyFjvAgMBAAGjMjAwMB0GA1UdDgQWBBSN\r
+lFyR56zh67mnvYTmmgJQVxEJrjAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEB\r
+DAUAA4ICAQBczmFY0kmr1FK50glkT282ur0vukNtwXQNJONof3rYRqP2W98jID6D\r
+ayma0B4/H1EqCa0d66wRBxFdwW+MqOc4uWD3uUwgazrYD/Bv+V3aumaw8yX6vbyL\r
+hLNfpd4pViAEGtzYxYfMfFR6uzInF3NMpvt8OXCSGKiQjDMnMs0ekvUZLJm7yxwT\r
+Qr9aAEFYQYM/GstUC6qFfuUa4MaGvmyKWhZ10JoKXYbGGeFU4wI7Kzifh3VvawTg\r
+r314ZvQ3zpEwzNJpdvT5ZKuPvyN+drAKFpSPfOTFmmb3uF95FgYq33OFPpo7SR43\r
+tnw5u5YqKnsHmqCIRMctWiYZc8rBJ3+eBGmke6z/AN6FraG6Ejc8e4WPclrB8STb\r
++oB3a4Cvri1VHyodkm50Sb/d1FAMDXvzEPBfu2D0dVvOwOcISSN/MQUom8NN4YeI\r
+aEATdAPNkokgehOzZ1OPRv47FKYEVPCXjaZEWAC7NNmNiRn4RQOti0DlNrLL7Nx9\r
+vK09G0EnW01MO2ARRkZ3dog+Ph7orJQV3sd7TO4EEortqWtbegSH75ylyYw6rt/j\r
+uBzYtMOnEtnQKhxj4Wj7PO+StCgspoOByn0d+iSgDd2TlpWm4naP2pfFZT0R+TOH\r
+wzSH0F47TSfRd0++uEz/QhViybrvQK7yMt1G1YwZp2im+imuWwUC8Q==
+-----END CERTIFICATE-----
#Client envs
-REQUEST_URL=http://aafcert-service:8080/v1/certificate/
-REQUEST_TIMEOUT=1000
+REQUEST_URL=https://aaf-cert-service:8443/v1/certificate/
+REQUEST_TIMEOUT=10000
OUTPUT_PATH=/var/certs
CA_NAME=RA
#Csr config envs
STATE=California
COUNTRY=US
SANS=example.org
-
+#Tls config envs
+KEYSTORE_PATH=/etc/onap/aaf/certservice/certs/certServiceClient-keystore.jks
+KEYSTORE_PASSWORD=secret
+TRUSTSTORE_PATH=/etc/onap/aaf/certservice/certs/truststore.jks
+TRUSTSTORE_PASSWORD=secret
networks:
- certservice
- certservice:
+ aaf-cert-service:
image: onap/org.onap.aaf.certservice.aaf-certservice-api:latest
- container_name: aafcert-service
volumes:
- - ./certService/helm/aaf-cert-service/resources/cmpServers.json:/etc/onap/aaf/certservice/cmpServers.json
+ - ./compose-resources/cmpServers.json:/etc/onap/aaf/certservice/cmpServers.json
+ - ./certs/truststore.jks:/etc/onap/aaf/certservice/certs/truststore.jks
+ - ./certs/root.crt:/etc/onap/aaf/certservice/certs/root.crt
+ - ./certs/certServiceServer-keystore.jks:/etc/onap/aaf/certservice/certs/certServiceServer-keystore.jks
+ - ./certs/certServiceServer-keystore.p12:/etc/onap/aaf/certservice/certs/certServiceServer-keystore.p12
+ container_name: aafcert-service
ports:
- - "8080:8080"
+ - "8443:8443"
depends_on:
ejbca:
condition: service_healthy
+ healthcheck:
+ test: ["CMD-SHELL", "curl https://localhost:8443/actuator/health --cacert /etc/onap/aaf/certservice/certs/root.crt --cert-type p12 --cert /etc/onap/aaf/certservice/certs/certServiceServer-keystore.p12 --pass secret"]
+ interval: 10s
+ timeout: 3s
+ retries: 15
networks:
- certservice
.. This work is licensed under a Creative Commons Attribution 4.0 International License.
.. http://creativecommons.org/licenses/by/4.0
.. Copyright 2020 NOKIA
+.. _master_index:
AAF Certification Service
=========================================
.. This work is licensed under a Creative Commons Attribution 4.0 International License.
.. http://creativecommons.org/licenses/by/4.0
.. Copyright 2020 NOKIA
+.. _architecture:
Architecture
============
.. code-block::
#Client envs
- REQUEST_URL=http://aaf-cert-service-service:8080/v1/certificate/
+ REQUEST_URL=http://aaf-cert-service:8080/v1/certificate/
REQUEST_TIMEOUT=1000
OUTPUT_PATH=/var/certs
CA_NAME=RA
imagePullPolicy: Always
env:
- name: REQUEST_URL
- value: http://aaf-cert-service-service:8080/v1/certificate/
+ value: http://aaf-cert-service:8080/v1/certificate/
- name: REQUEST_TIMEOUT
value: "1000"
- name: OUTPUT_PATH
.. This work is licensed under a Creative Commons Attribution 4.0 International License.
.. http://creativecommons.org/licenses/by/4.0
.. Copyright 2020 NOKIA
+.. _offeredapis:
Offered APIs
============
<goal>repackage</goal>
</goals>
</execution>
- <execution>
- <id>pre-integration-test</id>
- <goals>
- <goal>start</goal>
- </goals>
- </execution>
- <execution>
- <id>post-integration-test</id>
- <goals>
- <goal>stop</goal>
- </goals>
- </execution>
</executions>
</plugin>
<plugin>
Code Review / oom / platform / cert-service.git / commitdiff