From 2e83d548467048fe05cf082c1e9743ad9d972cba Mon Sep 17 00:00:00 2001
From: Adam Wudzinski
Date: Tue, 21 Apr 2020 19:28:37 +0200
Subject: [PATCH 1/1] Update documentation related to configuration
Signed-off-by: Adam Wudzinski
Issue-ID: AAF-1091
Change-Id: I3b14febcf84a966d3d17b41c6500ec4fefdb62de
---
 docs/sections/configuration.rst | 133 +++++++++++++++++++++++++++++++++++++++-
 1 file changed, 131 insertions(+), 2 deletions(-)
diff --git a/docs/sections/configuration.rst b/docs/sections/configuration.rst
index 51c87aa7..baf2d4ac 100644
--- a/docs/sections/configuration.rst
+++ b/docs/sections/configuration.rst
@@ -46,6 +46,135 @@ Certification Service Client image:
 docker run --env-file $DOCKER_ENV_FILE --network $NETWORK_CERT_SERVICE --volume $DOCKER_VOLUME $AAFCERT_CLIENT_IMAGE
+Configuring Cert Service
+------------------------
+Cert Service keeps configuration of CMP Servers in file *cmpServers.json*.
+
+Example cmpServers.json file:
+
+.. code-block:: json
+
+ {
+ "cmpv2Servers": [
+ {
+ "caName": "Client",
+ "url": "http://aafcert-ejbca:8080/ejbca/publicweb/cmp/cmp",
+ "issuerDN": "CN=ManagementCA",
+ "caMode": "CLIENT",
+ "authentication": {
+ "iak": "mypassword",
+ "rv": "mypassword"
+ }
+ },
+ {
+ "caName": "RA",
+ "url": "http://aafcert-ejbca:8080/ejbca/publicweb/cmp/cmpRA",
+ "issuerDN": "CN=ManagementCA",
+ "caMode": "RA",
+ "authentication": {
+ "iak": "mypassword",
+ "rv": "mypassword"
+ }
+ }
+ ]
+ }
+
+This contains list of CMP Servers, where each server has following properties:
+
+ - *caName* - name of the external CA server
+ - *url* - Url to CMPv2 server
+ - *issuerDN* - Distinguished Name of the CA that will sign the certificate
+ - *caMode* - Issuer mode
+ - *authentication*
+
+ - *iak* - Initial authentication key, used to authenticate request in CMPv2 server
+ - *rv* - Reference values, used ti authenticate request in CMPv2 server
+
+
+
+This configuration is read on the application start. It can also be reloaded in runtime, by calling HTTP endpoint.
+
+
+Configuring in local(docker-compose) deployment:
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+Static:
+"""""""
+
+1. Edit *cmpServers.json* file in certservice/compose-resources
+2. Start containers::
+
+ make start-backend
+
+Dynamic:
+""""""""
+
+1. Find CertService docker container name.
+2. Enter container::
+
+ docker exec -it bash
+
+3. Edit *cmpServers.json* file::
+
+ vim /etc/onap/aaf/certservice/cmpServers.json
+
+4. Save
+5. Reload configuration::
+
+ curl -I https://localhost:8443/reload --cacert /etc/onap/aaf/certservice/certs/root.crt --cert-type p12 --cert /etc/onap/aaf/certservice/certs/certServiceServer-keystore.p12 --pass secret
+
+
+Configuring in OOM deployment:
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+Static:
+"""""""
+
+*Note! This must be executed before calling make all or needs remaking aaf Charts*
+
+1. Edit *cmpServers.json* file
+
+ - if it's test deployment - edit *kubernetes/aaf/charts/aaf-cert-service/resources/test/cmpServers.json*
+ - if it's normal deployment - edit *kubernetes/aaf/charts/aaf-cert-service/resources/default/cmpServers.json*
+
+2. Build and start OOM deployment
+
+Dynamic:
+""""""""
+
+1. Encode your configuration to base64 (You can use for example online encoders or command line tool *base64*)
+2. Edit secret::
+
+ kubectl edit secret # aaf-cert-service-secret by default
+
+3. Replace value for *cmpServers.json* with your base64 encoded configuration. For example:
+
+ .. code-block:: yaml
+
+ apiVersion: v1
+ data:
+ cmpServers.json:
+ kind: Secret
+ metadata:
+ creationTimestamp: "2020-04-21T16:30:29Z"
+ name: aaf-cert-service-secret
+ namespace: default
+ resourceVersion: "33892990"
+ selfLink: /api/v1/namespaces/default/secrets/aaf-cert-service-secret
+ uid: 6a037526-83ed-11ea-b731-fa163e2144f6
+ type: Opaque
+
+4. Save and exit
+5. New configuration will be automatically mounted to CertService pod, but reload is needed.
+6. Enter CertService pod::
+
+ kubectl exec -it bash
+
+7. Reload configuration::
+
+ curl -I https://localhost:$HTTPS_PORT/reload --cacert $ROOT_CERT --cert-type p12 --cert $KEYSTORE_P12_PATH --pass $KEYSTORE_PASSWORD
+
 
 Configuring EJBCA server for testing
 ------------------------------------
@@ -63,7 +192,7 @@ Default Values:
 +---------------------+---------------------------------------------------------------------------------------------------------------------------------+
 | Name | Value |
 +=====================+=================================================================================================================================+
-| Request URL | http://aaf-ejbca:8080/ejbca/publicweb/cmp/cmpRA |
+| Request URL | http://aaf-ejbca:8080/ejbca/publicweb/cmp/cmpRA |
 +---------------------+---------------------------------------------------------------------------------------------------------------------------------+
 | Response Type | PKI Response |
 +---------------------+---------------------------------------------------------------------------------------------------------------------------------+
@@ -97,7 +226,7 @@ Example deployment:
 - image: sample.image
 name: sample.name
 ...
- volumeMounts:
+ volumeMounts
 - mountPath: /var/certs #CERTS CAN BE FOUND IN THIS DIRECTORY
 name: certs
 ...
-- 
2.16.6