"cbs.firstRequestDelaySec": 10,
"cbs.requestIntervalSec": 5,
"security.keys.keyStoreFile": "/etc/ves-hv/ssl/server.p12",
- "security.keys.keyStorePassword": "onaponap",
+ "security.keys.keyStorePasswordFile": "/etc/ves-hv/ssl/server.pass",
"security.keys.trustStoreFile": "/etc/ves-hv/ssl/trust.p12",
- "security.keys.trustStorePassword": "onaponap"
+ "security.keys.trustStorePasswordFile": "/etc/ves-hv/ssl/trust.pass"
}
\ No newline at end of file
"cbs.firstRequestDelaySec": 10,
"cbs.requestIntervalSec": 5,
"security.keys.keyStoreFile": "development/ssl/server.p12",
- "security.keys.keyStorePassword": "onaponap",
+ "security.keys.keyStorePasswordFile": "development/ssl/server.pass",
"security.keys.trustStoreFile": "development/ssl/trust.p12",
- "security.keys.trustStorePassword": "onaponap"
+ "security.keys.trustStorePasswordFile": "development/ssl/server.pass"
}
"--ves-host", "ves-hv-collector",
"--ves-port", "6061",
"--key-store", "/etc/ves-hv/client.p12",
- "--key-store-password", "onaponap",
- "--trust-store-password", "onaponap"]
+ "--key-store-password-file", "/etc/ves-hv/client.pass",
+ "--trust-store", "/etc/ves-hv/trust.p12",
+ "--trust-store-password-file", "/etc/ves-hv/trust.pass"]
healthcheck:
test: curl -f http://localhost:6063/health/ready || exit 1
interval: 10s
*.csr
*.pkcs12
*.p12
-
+*.pass
#!/usr/bin/env bash
+# ============LICENSE_START=======================================================
+# csit-dcaegen2-collectors-hv-ves
+# ================================================================================
+# Copyright (C) 2018-2019 NOKIA
+# ================================================================================
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+# ============LICENSE_END=========================================================
set -eu -o pipefail -o xtrace
keytool -certreq -alias ${key_name} -keyalg RSA ${keystore} | \
keytool -alias ${ca} -gencert -ext "san=dns:${CN_PREFIX}-${ca}" ${store_opts} -keystore ${ca}.p12 | \
keytool -alias ${key_name} -importcert ${keystore}
+
+ printf ${STORE_PASS} > ${key_name}.pass
}
function gen_truststore() {
local trusted_ca="$1"
keytool -import -trustcacerts -alias ca -file ${trusted_ca}.crt ${store_opts} -keystore ${TRUST}.p12
+ printf ${STORE_PASS} > ${TRUST}.pass
}
function clean() {
- rm -f *.crt *.p12
+ rm -f *.crt *.p12 *.pass
}
if [[ $# -eq 0 ]]; then
},
{
"name": "security.keys.keyStoreFile",
- "value": "/etc/ves-hv/ssl/keystore.p12",
+ "value": "/etc/ves-hv/ssl/cert.jks",
"description": "Points to private key store file",
"sourced_at_deployment": false,
"policy_editable": false,
"designer_editable": false
},
{
- "name": "security.keys.keyStorePassword",
- "value": "onaponap",
- "description": "Password for the key store",
+ "name": "security.keys.keyStorePasswordFile",
+ "value": "/etc/ves-hv/ssl/jks.pass",
+ "description": "File which contains password for the key store",
"sourced_at_deployment": false,
"policy_editable": false,
"designer_editable": false
},
{
"name": "security.keys.trustStoreFile",
- "value": "/etc/ves-hv/ssl/truststore.p12",
+ "value": "/etc/ves-hv/ssl/trust.jks",
"description": "Points to trust store file which contains trusted client certificates and/or CAs",
"sourced_at_deployment": false,
"policy_editable": false,
"designer_editable": false
},
{
- "name": "security.keys.trustStorePassword",
- "value": "onaponap",
- "description": "Password for the trust store",
+ "name": "security.keys.trustStorePasswordFile",
+ "value": "/etc/ves-hv/ssl/trust.pass",
+ "description": "File which contains password for the trust store",
"sourced_at_deployment": false,
"policy_editable": false,
"designer_editable": false
.desc("Key store in PKCS12 format")
.build()
),
- KEY_STORE_PASSWORD(
+ KEY_STORE_PASSWORD_FILE(
Option.builder("kp")
- .longOpt("key-store-password")
+ .longOpt("key-store-password-file")
.hasArg()
- .desc("Key store password")
+ .desc("File with key store password")
.build()
),
TRUST_STORE_FILE(
.desc("File with trusted certificate bundle in PKCS12 format")
.build()
),
- TRUST_STORE_PASSWORD(
+ TRUST_STORE_PASSWORD_FILE(
Option.builder("tp")
- .longOpt("trust-store-password")
+ .longOpt("trust-store-password-file")
.hasArg()
- .desc("Trust store password")
+ .desc("File with trust store password")
.build()
),
MAXIMUM_PAYLOAD_SIZE_BYTES(
sslDisable = base.sslDisable.updateToGivenOrNone(update.sslDisable),
keyStoreFile = base.keyStoreFile.updateToGivenOrNone(update.keyStoreFile),
- keyStorePassword = base.keyStorePassword.updateToGivenOrNone(update.keyStorePassword),
+ keyStorePasswordFile = base.keyStorePasswordFile.updateToGivenOrNone(update.keyStorePasswordFile),
trustStoreFile = base.trustStoreFile.updateToGivenOrNone(update.trustStoreFile),
- trustStorePassword = base.trustStorePassword.updateToGivenOrNone(update.trustStorePassword),
+ trustStorePasswordFile = base.trustStorePasswordFile.updateToGivenOrNone(update.trustStorePasswordFile),
streamPublishers = base.streamPublishers.updateToGivenOrNone(update.streamPublishers),
SecurityConfiguration(
createSecurityKeys(
File(it.keyStoreFile.bind()).toPath(),
- it.keyStorePassword.bind(),
+ File(it.keyStorePasswordFile.bind()).toPath(),
File(it.trustStoreFile.bind()).toPath(),
- it.trustStorePassword.bind()
+ File(it.trustStorePasswordFile.bind()).toPath()
).toOption()
)
}
private fun createSecurityKeys(keyStorePath: Path,
- keyStorePassword: String,
+ keyStorePasswordPath: Path,
trustStorePath: Path,
- trustStorePassword: String) =
+ trustStorePasswordPath: Path) =
ImmutableSecurityKeys.builder()
.keyStore(ImmutableSecurityKeysStore.of(keyStorePath))
- .keyStorePassword(Passwords.fromString(keyStorePassword))
+ .keyStorePassword(Passwords.fromPath(keyStorePasswordPath))
.trustStore(ImmutableSecurityKeysStore.of(trustStorePath))
- .trustStorePassword(Passwords.fromString(trustStorePassword))
+ .trustStorePassword(Passwords.fromPath(trustStorePasswordPath))
.build()
private fun validatedCollectorConfig(partial: PartialConfiguration) =
val sslDisable: Option<Boolean> = None,
@SerializedName("security.keys.keyStoreFile")
val keyStoreFile: Option<String> = None,
- @SerializedName("security.keys.keyStorePassword")
- val keyStorePassword: Option<String> = None,
+ @SerializedName("security.keys.keyStorePasswordFile")
+ val keyStorePasswordFile: Option<String> = None,
@SerializedName("security.keys.trustStoreFile")
val trustStoreFile: Option<String> = None,
- @SerializedName("security.keys.trustStorePassword")
- val trustStorePassword: Option<String> = None,
+ @SerializedName("security.keys.trustStorePasswordFile")
+ val trustStorePasswordFile: Option<String> = None,
@SerializedName("logLevel")
val logLevel: Option<LogLevel> = None,
import org.onap.dcaegen2.services.sdk.model.streams.dmaap.KafkaSink
import org.onap.dcaegen2.services.sdk.security.ssl.SecurityKeys
import java.io.File
+import java.nio.file.Paths
import java.time.Duration
-
internal object ConfigurationValidatorTest : Spek({
describe("ConfigurationValidator") {
val cut = ConfigurationValidator()
firstRequestDelaySec = Some(defaultFirstReqDelaySec),
requestIntervalSec = Some(defaultRequestIntervalSec),
sslDisable = Some(false),
- keyStoreFile = Some(KEYSTORE),
- keyStorePassword = Some(KEYSTORE_PASSWORD),
- trustStoreFile = Some(TRUSTSTORE),
- trustStorePassword = Some(TRUSTSTORE_PASSWORD),
+ keyStoreFile = Some(keyStore),
+ keyStorePasswordFile = Some(keyStorePassFile),
+ trustStoreFile = Some(trustStore),
+ trustStorePasswordFile = Some(trustStorePassFile),
streamPublishers = Some(sampleStreamsDefinition),
logLevel = Some(LogLevel.TRACE)
)
val securityKeys = it.security.keys
.getOrElse { fail("Should be immutableSecurityKeys") } as SecurityKeys
- assertThat(securityKeys.keyStore().path()).isEqualTo(File(KEYSTORE).toPath())
- assertThat(securityKeys.trustStore().path()).isEqualTo(File(TRUSTSTORE).toPath())
- securityKeys.keyStorePassword().use { assertThat(it).isEqualTo(KEYSTORE_PASSWORD.toCharArray()) }
- securityKeys.trustStorePassword().use { assertThat(it).isEqualTo(TRUSTSTORE_PASSWORD.toCharArray()) }
+ assertThat(securityKeys.keyStore().path()).isEqualTo(File(keyStore).toPath())
+ assertThat(securityKeys.trustStore().path()).isEqualTo(File(trustStore).toPath())
+ securityKeys.keyStorePassword().use { assertThat(it).isEqualTo(keyStorePass.toCharArray()) }
+ securityKeys.trustStorePassword().use { assertThat(it).isEqualTo(trustStorePass.toCharArray()) }
assertThat(it.cbs.firstRequestDelay)
.isEqualTo(Duration.ofSeconds(defaultFirstReqDelaySec))
{
val securityKeys = it.security.keys
.getOrElse { fail("Should be immutableSecurityKeys") } as SecurityKeys
- assertThat(securityKeys.keyStore().path()).isEqualTo(File(KEYSTORE).toPath())
- assertThat(securityKeys.trustStore().path()).isEqualTo(File(TRUSTSTORE).toPath())
- securityKeys.keyStorePassword().use { assertThat(it).isEqualTo(KEYSTORE_PASSWORD.toCharArray()) }
- securityKeys.trustStorePassword().use { assertThat(it).isEqualTo(TRUSTSTORE_PASSWORD.toCharArray()) }
+ assertThat(securityKeys.keyStore().path()).isEqualTo(File(keyStore).toPath())
+ assertThat(securityKeys.trustStore().path()).isEqualTo(File(trustStore).toPath())
+ securityKeys.keyStorePassword().use { assertThat(it).isEqualTo(keyStorePass.toCharArray()) }
+ securityKeys.trustStorePassword().use { assertThat(it).isEqualTo(trustStorePass.toCharArray()) }
}
)
}
firstReqDelaySec: Option<Long> = Some(defaultFirstReqDelaySec),
requestIntervalSec: Option<Long> = Some(defaultRequestIntervalSec),
sslDisable: Option<Boolean> = Some(false),
- keyStoreFile: Option<String> = Some(KEYSTORE),
- keyStorePassword: Option<String> = Some(KEYSTORE_PASSWORD),
- trustStoreFile: Option<String> = Some(TRUSTSTORE),
- trustStorePassword: Option<String> = Some(TRUSTSTORE_PASSWORD),
+ keyStoreFile: Option<String> = Some(keyStore),
+ keyStorePassword: Option<String> = Some(keyStorePassFile),
+ trustStoreFile: Option<String> = Some(trustStore),
+ trustStorePassword: Option<String> = Some(trustStorePassFile),
streamPublishers: Option<List<KafkaSink>> = Some(sampleStreamsDefinition),
logLevel: Option<LogLevel> = Some(LogLevel.INFO)
) = PartialConfiguration(
requestIntervalSec = requestIntervalSec,
sslDisable = sslDisable,
keyStoreFile = keyStoreFile,
- keyStorePassword = keyStorePassword,
+ keyStorePasswordFile = keyStorePassword,
trustStoreFile = trustStoreFile,
- trustStorePassword = trustStorePassword,
+ trustStorePasswordFile = trustStorePassword,
streamPublishers = streamPublishers,
logLevel = logLevel
)
-const val defaultListenPort = 1234
-const val defaultRequestIntervalSec = 3L
-const val defaultIdleTimeoutSec = 10L
-const val defaultFirstReqDelaySec = 10L
+private fun resourcePathAsString(resource: String) =
+ Paths.get(ConfigurationValidatorTest::class.java.getResource(resource).toURI()).toString()
+
+private const val defaultListenPort = 1234
+private const val defaultRequestIntervalSec = 3L
+private const val defaultIdleTimeoutSec = 10L
+private const val defaultFirstReqDelaySec = 10L
-const val KEYSTORE = "test.ks.pkcs12"
-const val KEYSTORE_PASSWORD = "changeMe"
-const val TRUSTSTORE = "trust.ks.pkcs12"
-const val TRUSTSTORE_PASSWORD = "changeMeToo"
+private const val keyStore = "test.ks.pkcs12"
+private const val trustStore = "trust.ks.pkcs12"
+private const val keyStorePass = "change.me"
+private const val trustStorePass = "change.me.too"
+private val keyStorePassFile = resourcePathAsString("/test.ks.pass")
+private val trustStorePassFile = resourcePathAsString("/trust.ks.pass")
-const val sampleSinkName = "perf3gpp"
+private const val sampleSinkName = "perf3gpp"
const val sampleMaxPayloadSize = 1024
private val sink = mock<KafkaSink>().also {
}
private val sampleStreamsDefinition = listOf(sink)
-private val sampleRouting = listOf(Route(sink.name(), sink))
\ No newline at end of file
+private val sampleRouting = listOf(Route(sink.name(), sink))
import org.onap.dcae.collectors.veshv.tests.utils.resourceAsStream
import org.onap.dcae.collectors.veshv.utils.logging.LogLevel
import java.io.StringReader
-import java.time.Duration
import kotlin.test.fail
/**
assertThat(config.sslDisable).isEqualTo(Some(false))
assertThat(config.keyStoreFile).isEqualTo(Some("test.ks.pkcs12"))
- assertThat(config.keyStorePassword).isEqualTo(Some("changeMe"))
+ assertThat(config.keyStorePasswordFile).isEqualTo(Some("test.ks.pass"))
assertThat(config.trustStoreFile).isEqualTo(Some("trust.ks.pkcs12"))
- assertThat(config.trustStorePassword).isEqualTo(Some("changeMeToo"))
+ assertThat(config.trustStorePasswordFile).isEqualTo(Some("trust.ks.pass"))
}
}
}
"cbs.requestIntervalSec": 900,
"security.sslDisable": false,
"security.keys.keyStoreFile": "test.ks.pkcs12",
- "security.keys.keyStorePassword": "changeMe",
+ "security.keys.keyStorePasswordFile": "test.ks.pass",
"security.keys.trustStoreFile": "trust.ks.pkcs12",
- "security.keys.trustStorePassword": "changeMeToo"
+ "security.keys.trustStorePasswordFile": "trust.ks.pass"
}
\ No newline at end of file
--- /dev/null
+change.me
\ No newline at end of file
--- /dev/null
+change.me.too
\ No newline at end of file
import arrow.core.None
import arrow.core.Some
import arrow.core.Try
-import arrow.core.getOrElse
import org.apache.commons.cli.CommandLine
import org.onap.dcae.collectors.veshv.commandline.CommandLineOption
import org.onap.dcae.collectors.veshv.commandline.hasOption
*/
const val KEY_STORE_FILE = "/etc/ves-hv/server.p12"
+const val KEY_STORE_PASSWORD_FILE = "/etc/ves-hv/server.pass"
const val TRUST_STORE_FILE = "/etc/ves-hv/trust.p12"
+const val TRUST_STORE_PASSWORD_FILE = "/etc/ves-hv/trust.pass"
fun createSecurityConfiguration(cmdLine: CommandLine): Try<SecurityConfiguration> =
createSecurityConfigurationProvider(cmdLine).map { it() }
private fun enabledSecurityConfiguration(cmdLine: CommandLine): SecurityConfiguration {
val ksFile = cmdLine.stringValue(CommandLineOption.KEY_STORE_FILE, KEY_STORE_FILE)
- val ksPass = cmdLine.stringValue(CommandLineOption.KEY_STORE_PASSWORD).getOrElse { "" }
+ val ksPass = cmdLine.stringValue(CommandLineOption.KEY_STORE_PASSWORD_FILE, KEY_STORE_PASSWORD_FILE)
val tsFile = cmdLine.stringValue(CommandLineOption.TRUST_STORE_FILE, TRUST_STORE_FILE)
- val tsPass = cmdLine.stringValue(CommandLineOption.TRUST_STORE_PASSWORD).getOrElse { "" }
+ val tsPass = cmdLine.stringValue(CommandLineOption.TRUST_STORE_PASSWORD_FILE, TRUST_STORE_PASSWORD_FILE)
val keys = ImmutableSecurityKeys.builder()
.keyStore(ImmutableSecurityKeysStore.of(pathFromFile(ksFile)))
- .keyStorePassword(Passwords.fromString(ksPass))
+ .keyStorePassword(Passwords.fromPath(pathFromFile(ksPass)))
.trustStore(ImmutableSecurityKeysStore.of(pathFromFile(tsFile)))
- .trustStorePassword(Passwords.fromString(tsPass))
+ .trustStorePassword(Passwords.fromPath(pathFromFile(tsPass)))
.build()
return SecurityConfiguration(Some(keys))
package org.onap.dcae.collectors.veshv.ssl.boundary
import com.nhaarman.mockitokotlin2.doReturn
+import com.nhaarman.mockitokotlin2.eq
import com.nhaarman.mockitokotlin2.mock
import com.nhaarman.mockitokotlin2.verify
import com.nhaarman.mockitokotlin2.whenever
import org.jetbrains.spek.api.dsl.on
import org.onap.dcae.collectors.veshv.commandline.CommandLineOption
import org.onap.dcae.collectors.veshv.commandline.hasOption
+import org.onap.dcae.collectors.veshv.commandline.stringValue
+import java.nio.file.Paths
-internal object SecurityUtilsTest : Spek({
+internal object UtilsKtTest : Spek({
describe("creating securty configuration provider") {
on("command line without ssl disable") {
+ val passwordFile = resourcePathAsString("/ssl/password")
val commandLine: CommandLine = mock()
whenever(commandLine.hasOption(CommandLineOption.SSL_DISABLE)).doReturn(false)
+ whenever(commandLine.stringValue(CommandLineOption.TRUST_STORE_PASSWORD_FILE, TRUST_STORE_PASSWORD_FILE))
+ .doReturn(passwordFile)
+ whenever(commandLine.stringValue(CommandLineOption.KEY_STORE_PASSWORD_FILE, KEY_STORE_PASSWORD_FILE))
+ .doReturn(passwordFile)
it("should create configuration with some keys") {
val configuration = createSecurityConfiguration(commandLine)
}
}
})
+
+private fun resourcePathAsString(resource: String) =
+ Paths.get(UtilsKtTest::class.java.getResource(resource).toURI()).toString()
--- /dev/null
+onaponap
\ No newline at end of file
import org.onap.dcae.collectors.veshv.commandline.ArgBasedConfiguration
import org.onap.dcae.collectors.veshv.commandline.CommandLineOption.HEALTH_CHECK_API_PORT
import org.onap.dcae.collectors.veshv.commandline.CommandLineOption.KEY_STORE_FILE
-import org.onap.dcae.collectors.veshv.commandline.CommandLineOption.KEY_STORE_PASSWORD
+import org.onap.dcae.collectors.veshv.commandline.CommandLineOption.KEY_STORE_PASSWORD_FILE
import org.onap.dcae.collectors.veshv.commandline.CommandLineOption.LISTEN_PORT
import org.onap.dcae.collectors.veshv.commandline.CommandLineOption.MAXIMUM_PAYLOAD_SIZE_BYTES
import org.onap.dcae.collectors.veshv.commandline.CommandLineOption.SSL_DISABLE
import org.onap.dcae.collectors.veshv.commandline.CommandLineOption.TRUST_STORE_FILE
-import org.onap.dcae.collectors.veshv.commandline.CommandLineOption.TRUST_STORE_PASSWORD
+import org.onap.dcae.collectors.veshv.commandline.CommandLineOption.TRUST_STORE_PASSWORD_FILE
import org.onap.dcae.collectors.veshv.commandline.CommandLineOption.VES_HV_HOST
import org.onap.dcae.collectors.veshv.commandline.CommandLineOption.VES_HV_PORT
import org.onap.dcae.collectors.veshv.commandline.intValue
MAXIMUM_PAYLOAD_SIZE_BYTES,
SSL_DISABLE,
KEY_STORE_FILE,
- KEY_STORE_PASSWORD,
+ KEY_STORE_PASSWORD_FILE,
TRUST_STORE_FILE,
- TRUST_STORE_PASSWORD)
+ TRUST_STORE_PASSWORD_FILE)
override fun getConfiguration(cmdLine: CommandLine): Option<SimulatorConfiguration> =
binding {