From b81c681cb6be761a2abb5e2f5af1b923bef1f6b4 Mon Sep 17 00:00:00 2001 From: awudzins Date: Fri, 13 Mar 2020 16:54:18 +0100 Subject: [PATCH] Switch client and server to communicate over TLS MIME-Version: 1.0 Content-Type: text/plain; charset=utf8 Content-Transfer-Encoding: 8bit Issue-ID: AAF-1084 
Signed-off-by: Adam Wudziński Change-Id: I7f11b27c7dcdf4fc3eba2d5e64b6dc775c80dd74 --- Makefile | 2 + README.md | 8 + .../resources/certServiceClient-keystore.jks | Bin 0 -> 4087 bytes .../resources/certServiceServer-keystore.jks | Bin 0 -> 4126 bytes .../resources/certServiceServer-keystore.p12 | Bin 0 -> 4691 bytes .../helm/aaf-cert-service/resources/root.crt | 32 ++++ .../helm/aaf-cert-service/resources/truststore.jks | Bin 0 -> 1722 bytes .../aaf-cert-service/templates/deployment.yaml | 37 +++- .../templates/secret_client_tls.yaml | 10 ++ .../templates/secret_server_tls.yaml | 14 ++ .../helm/aaf-cert-service/templates/service.yaml | 2 +- certService/helm/aaf-cert-service/values.yaml | 28 ++- .../src/main/resources/application.properties | 11 ++ .../src/test/resources/application.properties | 11 ++ certServiceClient/README.md | 4 + .../aaf/certservice/client/CertServiceClient.java | 17 +- .../aaf/certservice/client/api/ExitStatus.java | 3 +- .../client/configuration/EnvsForTls.java | 47 +++++ .../client/configuration/TlsConfigurationEnvs.java | 28 +++ .../exception/TlsConfigurationException.java | 36 ++++ .../factory/CsrConfigurationFactory.java | 2 +- .../configuration/factory/SslContextFactory.java | 85 +++++++++ .../configuration/model/ClientConfiguration.java | 2 +- ...ider.java => CloseableHttpsClientProvider.java} | 13 +- .../certservice/client/httpclient/HttpClient.java | 4 +- .../factory/SslContextFactoryTest.java | 197 +++++++++++++++++++++ .../model/ClientConfigurationFactoryTest.java | 4 +- .../client/httpclient/HttpClientTest.java | 2 +- certServiceClient/src/test/resources/keystore.jks | Bin 0 -> 5581 bytes .../src/test/resources/truststore.jks | Bin 0 -> 1722 bytes certs/Makefile | 110 ++++++++++++ certs/certServiceClient-keystore.jks | Bin 0 -> 4087 bytes certs/certServiceServer-keystore.jks | Bin 0 -> 4126 bytes certs/certServiceServer-keystore.p12 | Bin 0 -> 4691 bytes certs/root.crt | 32 ++++ certs/truststore.jks | Bin 0 -> 1722 bytes 
compose-resources/client-configuration.env | 10 +- docker-compose.yml | 15 +- docs/sections/configuration.rst | 4 +- pom.xml | 12 -- 40 files changed, 735 insertions(+), 47 deletions(-) create mode 100644 certService/helm/aaf-cert-service/resources/certServiceClient-keystore.jks create mode 100644 certService/helm/aaf-cert-service/resources/certServiceServer-keystore.jks create mode 100644 certService/helm/aaf-cert-service/resources/certServiceServer-keystore.p12 create mode 100644 certService/helm/aaf-cert-service/resources/root.crt create mode 100644 certService/helm/aaf-cert-service/resources/truststore.jks create mode 100644 certService/helm/aaf-cert-service/templates/secret_client_tls.yaml create mode 100644 certService/helm/aaf-cert-service/templates/secret_server_tls.yaml create mode 100644 certServiceClient/src/main/java/org/onap/aaf/certservice/client/configuration/EnvsForTls.java create mode 100644 certServiceClient/src/main/java/org/onap/aaf/certservice/client/configuration/TlsConfigurationEnvs.java create mode 100644 certServiceClient/src/main/java/org/onap/aaf/certservice/client/configuration/exception/TlsConfigurationException.java create mode 100644 certServiceClient/src/main/java/org/onap/aaf/certservice/client/configuration/factory/SslContextFactory.java rename certServiceClient/src/main/java/org/onap/aaf/certservice/client/httpclient/{CloseableHttpClientProvider.java => CloseableHttpsClientProvider.java} (80%) create mode 100644 certServiceClient/src/test/java/org/onap/aaf/certservice/client/configuration/factory/SslContextFactoryTest.java create mode 100644 certServiceClient/src/test/resources/keystore.jks create mode 100644 certServiceClient/src/test/resources/truststore.jks create mode 100644 certs/Makefile create mode 100644 certs/certServiceClient-keystore.jks create mode 100644 certs/certServiceServer-keystore.jks create mode 100644 certs/certServiceServer-keystore.p12 create mode 100644 certs/root.crt create mode 100644 certs/truststore.jks 
diff --git a/Makefile b/Makefile index 1e4f871c..45ffb48b 100644 --- a/Makefile +++ b/Makefile @@ -23,6 +23,8 @@ run-client: --env-file ./compose-resources/client-configuration.env \ --network certservice_certservice \ --mount type=bind,src=`pwd`/compose-resources/client-volume/,dst=/var/certs \ + --volume `pwd`/certs/truststore.jks:/etc/onap/aaf/certservice/certs/truststore.jks \ + --volume `pwd`/certs/certServiceClient-keystore.jks:/etc/onap/aaf/certservice/certs/certServiceClient-keystore.jks \ onap/org.onap.aaf.certservice.aaf-certservice-client:latest stop-client: diff --git a/README.md b/README.md index 8fabbee9..2db3abf5 100644 --- a/README.md +++ b/README.md @@ -30,6 +30,14 @@ or make build ``` +### Generating certificates +There are example certificates already generated in certs/ directory. +In order to generate new certificates, first remove existing ones. +Then execute following command from certs(!) directory: +``` + make +``` + ### Running Docker containers from docker-compose with EJBCA Docker-compose uses a local image of certservice-api and make run-client uses a local image of certservice-client Build docker images locally before running docker compose command. 
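Review bot: The new "Generating certificates" section presents the checked-in `certs/` material as ready to use but never says what it is: the keystores and truststore added by this commit, and the `secret` password that unlocks them (visible in the client README and values.yaml of the same patch), are public in the repository, so any deployment that keeps them accepts a client certificate anyone can obtain. I would add, directly after "There are example certificates already generated in certs/ directory.", the line `These are for local development only: the private keys and the keystore password are committed to this repository, so regenerate them before any shared or production deployment.` The `run-client` target in the Makefile hunk on the same line bind-mounts exactly those files into the client container, which is fine for local runs but is one more reason the warning belongs in this README.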
diff --git a/certService/helm/aaf-cert-service/resources/certServiceClient-keystore.jks b/certService/helm/aaf-cert-service/resources/certServiceClient-keystore.jks new file mode 100644 index 0000000000000000000000000000000000000000..f24908c55dbb0abb8d38450f0c7c42b03dbfb369 GIT binary patch literal 4087 zcmc(hXH-+&(#KP2p$AZqUJW$?B?b_bDhkqjl_o6&L+=ozC?L{{f)puIg3_c&6B|XE z2+~175TrK=B5%~^z3W-`xu5Qr`(dwhX7;RE|1)RyZ}!i%pKAaB07PEE-;2rK5%2Bg zi1&4|ceHnRarE#e@7z){sB#AYpdcgx@)Jo zr5vZ~)Ec+#q~$E%u=3POLAF~~XFjJ)N96&?VcX(nTV@&%(4iWx{w00J>`|5I7kdl_ z{RH~$!HK?m)H+y)Z-jI)%~kt7@G?O~^;{{psCerzdK`o@QE6TU6JhH*^ zD5IO{qhCdNh=1Y16UtxmNg8V?Mm{TbA?TH?=?JH|M1o0 zLw_LRU!7KQnLAu_)3T{qu?miL@JntQM`D@^Lm>*&M_?+VJfxG-N%>zTxtJB zyx5~hs(RP@{ewL1oLa7aQ2)@i^p~$K7<@m5Q-d zTD+XX7p4+=H<>(HKgVHtsBEBRD){!&ZcC=54fMG5xfr4lr;Gz5%@p@)2Vx}c70D~0 z#&)MN(ar6iO18&WNg*$$p^{|EO3H#-g-Ky$j3wo_84<}xMgodw4AQO##KwGLaL(1^ zJ3tVf??#6Qs-c&&cZ+Y+W zIb$Oo5ZyUltA5uJr_F~zl<{0t-=qoeS-Kk@lS0fIww?s>}FPN@$ zWo-ys)%k9`Acmc*k$W-@)D6tC|1|rqGRObOQjfEa^0rZSl`wCf+|TbzD^ha2v8 z&X!PMw>4W&f4=D~2JOk6e+DF3w7=lU(w{$j-z!iS05TANAPJy_JTM3d0zsr`{jVYED5yoFuS6fv0fDsS2s{dg zq^1BHK`7uLT`d#~lKGcG1&68P+&uz#4cu>dxuF=zR3&>U;glwLoW1)EKNKqx{>wuH zr`5;dym?h{SkD_C0VpOU!!I`sPW9WZgTMLzE-;)5PmYwd$6=A&r|6`S$a6>;BnBlb zjWqvlqLI>nnaGH&|4tM)lJk!!)?Z`7;Ln&)`8_6habzj{NZvo{*#Egt*7f@f{>lM{ z|1-yL?F1nI-%CiIFkk|Zfm~@I4Tt~)0$S810$u2KqO`&^XuUobS%ykJG1HhMQ36U9 zZwkk{28WpBOP&e=-CQ!2_-cMMOuy5logyZ*!DYJ0!RChIzxoutrJeCiLN~Znm2Diy zyskjP#L#t4#6_pJf6tf*Xvu;d!7&O9!_fD2TleTAoxfMa_m%UQp=gY1qD!u0TRK?6 zCI_@SI2Tts6@qTeYm^;J7Qj2GU#vF^oT?DLmKZd-9F)BXS1>1_FSEc%&zii(G3idI%eYWnaFjVRLiq;CRa9 zo=ml?Yl_@C-QSJE1&2@}DS*He5DS%GfjR7I4WE@#^oh$m_Bsc9DS8sSDME#?20H;xhmedXJ!w2OB1R0Er zXY)>17>mTIs!(%bhdcQ-tPiM9=!M2=%U;I_y(_(3il8{qL0KBFQSy&W|74=`ea!x5 zEB)1e5`NmvGjDz8x?iho!$rm1TTku$FwK`l zO?UcB*E7Qa@!P&8?O7|GFV_4-hV8uVO&DlMSzrA#IssWZ+s6sLj&27(jcIBNP_rZT z)!O)|y38JNe?y)yp+GifD|nw))(toQc7XA=v1hpw{K) z{bKvnaQnX9%WwKCRP>4^6{7d0uRQ46qw1o_luZlSJY)QA;e4@O#Hp4Mml&Zcl(2~n zM+q9QF4(l!++Y0t#r44_vo^3?r 
zsODNU9@tfxJj*u9HvV-?Upai>(i3pX84p=@Lq1x=kM-Re<cY z9lcCEN52o#m$roT5#lMz3nwr}2KQ<3GhfK9R@|{LAAMj2SYP<^Na}EYZL|&tRnUK4 zHq_ckfof8I#T0&V>xtAPJ{f0Lpr)TnFB|S`QAxbG2l+4`PhH!yV^Ag=w|YgnbPdx-=Ee9`O9<8IXjx7uUc8}EVBH_` z3BbAyco=XgC!+I*Uj-LfXuz%eJxZq^GL!d}7`SEWD?l+<>`)-&H zX_gP`Hx5xd=-_0VTBMp(upQoXg7eN{fuGb1_bp}wcoiev5ZMFVN<4a^)RkPT6-<;& zRvozb(xnTHwg-(`yl!%z7&dW-R^v@hPj`e!EidA3*Vq(IBaC?=9Fw13$Mgmp1~yBJ zobu8tJ_^QoCZ8_7A1@;!{hm8{k6k>gxrY<3+-45AYQFd62x=g-0id+2Ej2NC z;dQptL4!>I8-?hMSCnG5ye2ogJ{Z%SE-D&CnVlD_`c}eRnBA+pLnJI0;_^7C;sh`q zRhi$!j8+JWO2nIYYza<~!u{OBtB4XtJfd959^RU5Q^UHnbU{0en>Nk1yFM0u?Mqae z0%0iV*$184b1|{bm*C#u_sMs71K~9{4HDIV%Ci(h3^y|pid9Vk&F97v?y!GX16Rgf zT9mEs`8FByqVnRI%OV!qTJp9`>gs;Jv5Jb^%N41t({F>c)*;My*Pggp1VUmq9u{@Q z%MoYh8#q7Jc9t-Y4Ty5u&p96{Y$Vs76)%pA=nml`3FgsFrKG17fA&or&v@;4k?Bw- zrt@6PfVI4~$e^E2YlGH_GOJxz)5ay@w)B+x$9VP<=VB6qXaNOnWn8o>3#e#oK^#?1=LW_^l+7Ze z$^tkjQ48w<8tk@X8zl!zuazFHxeBA5$vlktp)?TwS1W?0p3&rS>f5xZ&FvURbrp6) z{`Nq)d8f)p-b9f1l;Da> zJ*_@9a4;TvW3Iq8Zr53~ zQgFAR|8ix`O>dn5Wy9k32=4n5sH2RWt`mae!4J~n&*?qOkwyCJrdBdQV&;1tfAgjN zNBRbtDen?tVFP)gbEXI1Mt}A(gm?p?I-g9z?^eE3`r`ebS}Tk5hL#VPOnha2gBZ1X zFzu-@f7H^PGq=kYP~!UWN`la38pVTwbI?_)mz!vzNSWI+=fk;#n@*`)Z}h*8aZ;Gt zuzL4l_*f`4=lGr=XsSB=vZ{f8wV~^zaWm{dNRfDVLcvbB-?x&#Sm6%cJH|wXH>HgR zDDl?JyLoS=Ey?cPv=8>Y@^MP?@FAUTP>6KUi=p{GgWjxIQL|xXwq&89XLC`;OJ?eJyBhOvm_b-lq<7XzBq%h0~=1%7RNA=X`7E!?B)-$=r;@U{g(p z@4VOs+ZG`U_PS|`q+C8Wu+n_xlY?WY;6RnV>SO#RBoTvIl8%U|%w1MA%ix+tT!-5l zy`(ZX@Eo3#F@ zOE&xQl!n`hJ=N^sFnPD%Ph`a{!q9f8ouVJn5IfhJcm)Amxl`d#HBgbP&0ktR%vxtE z#^#Zee4@WP@?b^HK*OTpuE-CIJ`7K=9|M!{ad-aS@@izZ<;MB1?8L{t)*p$QYT0P{ z*y~dcMGPmqgs14QlaO{%sHLBGvy~>NSUDcQ>xJ|_oK5h#gi$k z!TndnZ&s4oNXf&LNk9~VVabGGSTHRC3<82c5G$227Z@Eml~|lX+#VeeNJ|EQq2M$y zDsr$Dgd7SoGlsLkn9mGKD2*=C$1jB6!p9}R8_r0gD#=R$rMQkly85^T!C7I@GY>VC z)*OjM^XnjeZ@c(~z?onSXKorO@l*hkaU??Su6e;D3^o8-U)5*YKaxht#GF(AM z=EiSR5hn956BeEE|4WJw#`7mB)-#2$_#+T!9RkIVB&8w%f-1rGa6A0)MR@NnF5KAOnEprv_nxKtO(9WIT0+by+2p{tA1+MM*d)Il$;bK=I7j 
z(V$WB@-1Kdqq5|uEz$*ph63MQOZBXTv^34x5jeD}?uTvAT6)TiMj`#S!&kOFhw*iv z?Y9Zq^d;K2dgKkam7CmK{Mz-diOD6XI#Ibk)N^98{CT5^dcyx`Uuz#4n7Rho`_mXOX8 zi$onS7uVFCEU_t==-DtypHCs@V7%DBl^RRsgLHNA@k9ooe{U#WD1;J5P6`JB0kCst za|IzBFt#WbT!ww>YU!tq`sc4>SMVUS>r7PTf8H$&VS}-dQK+V;Kku->_MsdE-ymWoOyrnjkz*IweigrH7bH;Kc5|3!>+x5NulE9_2zN) z3!xSSHdhHz21d|m!B1E;8EQnDafS&NUAhnWEGC2#$Q;Nbkq#D{e8?38qO`up3Ewt> zKTb|KSUk2m$t;+5Nu;j8q{Fnlp1MbOVY^nJF`*Et7_W03G4VMXDLpv8IW5t}B3FbV zJk-HWPxC;!!NqcXVXBjkheX>3L{n(fXW!P-THh;}4GPhqS`^b*24DgGE6r+b&;MAW zr{w;L0?`!XQZ9IrM^YRuRr!Ycz6K(-l4UP~;_#v8KzH#F+rg>ImtVGgC(KpZSESBA zqfg$jZg{DW;V>Nw1^|e+9cC&O^`{4?!dzl1|k< z;>Lhf`M8^PMZFO2)oNr+-ZiCLj)R?&uXvZOhj(;lMA*jJran)aYex-h6@k;a{S-JY z&(m6t)%59?$h>$YDjdelz$cM~4S5L6R9q{Uqu-@5m$8QoVUx&93Z|8vCBW$o9=hIc89PjJH;p(RevZ6P}vmkFzynuu1pO_q1e7G zmAsg_(;C5hssmRK;$s!(%C}u(Ush-yf&>_(nit;@ewO#s%lok3mG7jrLQ*7&Y(p@l|&nquh6Pe`bkGVtOfltp(4zofcds;&F%L1ZM{>l?b6mj=i0PM zAJ6pb@>l^T_Moj(@N)uV;z4ob)herWMS({j$goKp{q`9sd+x7WZ*0E((F2mw|3wY{ zPhg+j8F-;*YCr}9le+&paK904KjdOFVpuY2UOz(Rb``16@LIY-$F~hlC$#7p89Jd? zuxmFb$gdIOEs7uJ(>!-gjH--xqm+q)$)OFI^kP-1-g&RynBQAvf?*4J;4szTUhzZt z@O9Ju*h;6uSy5|#2-nO+SNuSjWoVDLn0yzq zccRKdgjjB6;fT66fJV7V+&#|y%iyy6TFVNr`oGMCHUhpPIV{HG`pNT1?OR%vhy*bv zx-XpfP>4YHF+KAkaUn2yDys{j&U7Ff-ys)2?5JvT@m<~rk3ZPuH;4d1lNzsr2o m8%yGR?nyipEw>{BZI|Y0tP0V^dl-<37K`(JI4p*!e)%UQHr2)e literal 0 HcmV?d00001 
diff --git a/certService/helm/aaf-cert-service/resources/certServiceServer-keystore.p12 b/certService/helm/aaf-cert-service/resources/certServiceServer-keystore.p12 new file mode 100644 index 0000000000000000000000000000000000000000..2106c817efbe3c69fc3ad4970fde274e24d9018d GIT binary patch literal 4691 zcmY+EbyO6Lw#8?Np*tNykgks*hEN)$8>EC8=`LvyfdPh)lA%$$kq+rbaOjXuK}5Pc zp7*Zz?p<%4b=KKypR>=OKL~G=L6GBu@VJr6$V(z14loBnc8!G~JBJ|1jv)x_ z!2h?xcELhmJN&h6{?_)G&5?+F~tQ5RjRS0n0TZfd69cjFt{ z+R!u`D!(t48`0oa8y*%JA2h=@h|QF{;bos}D(K_((??yfX8bH-5T>K+rzH`!d*X>& zo|Tqq^PpLE559UR0ZRa?S!?IL=Y?W7DZC3C*Q~UBHL5!`* zb4Ee_ES1lBjU(BW+@Y;rj>#`5M%qc2o;Qt8hddS9%;F$Sp&&YN16oX>b3gHd)0c=A zaM_ivjlsEjU}Y7wN@(*6%EAQ)wM}qq-n_OP?Fe{_RlqjrUP5;5-I}iTJuglpq2SuD zyU6ZS9xVWM(ZO`WS(|Jbo?w(TR#cWhO5*j>_>l+q&>uPV+1W{ms!)EnuLy6%0 z=6Yz2_@WZ+Ah8(Rd|G`9_sUrxR}8xssDRT0nS<5L@G@ zMaFX9JM1~66(a=%@fc}Y|Fk*dwV8FT`trx0i9Y&l z4+?McVW$mZTwAgytADhev@8cl+|w}Y(%KJppMeBx@4+*<&uhf zP5}NwTTbX@nIq#miIZNmu2!3iz2D$%Q~;@bLQ6=N|J%6IO$vDtDl%rF*QX@*y(sFt z`G=qi90O0J4%&~Ky(r{4qepFzzeerr@WK&!1f9Cr8GGO2LWBP?v}}yZT-Ky;z6NP| ziM3bws5~W(IFKsV=}C+f-MzTB&D{D0I1{foM20#drGis$&(KLe!4t=|yh zzfKeUH+6#%gtU2%4f`P6Sh5=VsZNqNzZ(JtCIj>QMIAejF|&hr z@#(Vz7zKL?Vuk!!G*&?r(a}6|J}l}UE4PEsL%_3%>cNo&20;6gq0!>8-y8v`c|@_& z`*;FqC@wOY)|tN|ofLQW%U953w3u~hFN*>5aHS~Mo%5scVpR0bcN^uJXg1z-yxX6~ z36Ztq!in^L`@~dn#cmv}2db&$S&_D6k%}5}osFa>NObf>vs@SIog$cRuB-o!EV#~7 zwMT3t^P?dtZ3~aSJT>m3?dwxV0li(SH@lI?if{rvTwt2rmyu>!2BWH{K}>Xg#A#X+ zKC+r7t;%@~jn?J;aqYG?+$k444Y4O4o9fATQ6}<)`Q!>%XQ(--F_2uYSf+?(vM*+W zoK#@5U003Q#BrF;%jZo zlUcwx}QxO z?>RbDe37!-q-*$33TX%)>L?WjtL63)`9u%MaGNYICo2(Olc{A``ZAd@%A~n6iFk>p zcbXWOgiBTBPNV&2LaWI6@%TFe$7au?BNX@pqr2p`F3xZlXutq(hLMfPpb(Hf?evb} zDa=*x6Vq>@U(Z(xhVEG7>)o{F7z{_q(-n7ujZP;*{HhINNW&kzYRVLO_?k&UU4`U1 zXk%d4h9H^EJ^^+Ul>0}hFWaKHtM_HA_omH5&)W2YT7*YS5|X}tJLH2ZCakI`lf*xl z>71U9%k$w(M1zv7DbvYZ^ASu|ng7lZQn)h>TeF?juSq6I9Hz;MQ~@_>93_Y$^Mh=nSWT>vz}a zvT6-kv4tIq-<(p~Dnp+K-Y(omM+y{tzyh&;u7>)!@jNnzf~Qph?O{x*7t>)X-Go5M 
zSP%suPm_YG^%;hlldIy`oX^kYP+L!+fA0}MaS7+0_en)A2TgX~QAbPd9p5r%941X9 zXbCkMk0XN4plrfPene*_xQ4j1u<-sM643INvBGU+HztYa4KCj}9P_GAKVxE(SR{QI zs^_7|8@9nQRFlK{nt@emB5YooxIP_IP=~o)t@A{Me}(rTLxpbx_vBt%tq_q8CY@I89807@gH@GmZ)M zxJanb#HTAuRL|%9hE7lqYs$KTM47w5P5;_4JCz~+##A!vAL&Nzo0j56?WnH&m+m-; zy}(cKS8|HzN(z-?4tyons{7jT!Kd3i8sgFqEC!|WG-CwJW{_nvuAx~YXh@BZPX1zI zt7K^cAewsSQ+*ap>Hc0C7_g1QK4O12k9!`F&vm~kR)9~TM61_wFU}66g?#Sw^yhaV z?E123`PpnVl<~Wx_aQ&&X;^3Iut)A?2Aik;a3#nKye!K=pi4^X@q&mm6n#Uz=tP|N zPO!8g+z4T;x*o(sfqPTQ@-mfNVdwN1Q&>rwgEy!_R|Vzr(FB-9udvwY_X|ODb(*GW z<);&LH|Y@igj3dV%US`-PFG>s$=j?}qe|R4X&eFDyW+y+$j`Ko-%bzU3xMTHWS{2{ zYvFgdoqe!h-qBF@7G=46SGV45B(Zr)C7+Dj#Kk*&|1Rk`D(OZ}l2-ewh^C-HMX$|& zbW#$3?w?YhexUu9pK-z5Tdyyw?N;!zvFCXKN<93wZ091}JTwdKgz8Ujjx>s<^d&`Y@YB=muG}dW*LEnqPT9I@Zy1Vv3=OW)NUf~E$dZF8L0Vyb4?7ci zdxe9z$EAUe;m9!@>#r?Z5*R*Vj^b-SX&7&xxtjWl0bm&~(MLt+r)=9nGJ=7VyJxHs zc3xyw>8vUGihy4<{*W{ab?}Kab&x>e0L2(rr&%)=YEc-jFwa)dFSwug zhNY(R>NMFaKE*NZ*0}kg1-D!5LKQzMoXs1pC+QNVFwb${lS4B(ryV`F53$|S38+dj zA6HFEN54Ny{osu={l49(nr-g7R>K!x$Gt<218UPNzju#A>LG;bLU{|tje6`%DEt+@XR~dfW8Xg=+HK-(v45NTd zNXMv)agSJ{vmgOX{oZNQoB|YjUyF z)$z5Y(uEia zvinT4cOkG%NMVxsO>_Al3-!+_HjnuO`|+~GXCLu{3KH${=@Z;8=X|wAYZ7lJ(wArZ zm-(v7i0WSO(uTNre(1tZV`&p{ni=kr2U$59#;OcQn*~Dx)N$f8V7ryy&UFBfn%}u)hQG1Pz z$CLzH68Qm%>SL>{L=hAnz1&G?Nm!VslLE;Uy8z!9XN*d>2Ox~#cGynrmboJ?CIMOxb!QQ>pUU4mxEIwxGQ4Md;Pq^hG0i&9Hv>9Py z9B{BU4Ow_`o4oU;h9+C+P9f5jB+WxC%IM6HnJv8{En=(|->Ta#Xzk>zJpYSyy==q+ z9IVFT)jIJ2mb3WcA0aJb$;HUrRI{J6!oX%8h%)_FP!q?_$tMqyf-pnyK-fIQm>6Je z02XDUY!@-SP?@HUY9J0UBC*%R32?!ptiyX{eArQ{^@ctypQ2dILbFIm0s{cUP=JC40BLgQX&X64bt^`=;ZL35U~(9Z_LPX-M|$kk zIoj|Jy6L0|FSQfi{gK4#mGQteW3pe6+F8<2cbeA->1Ty^{zQ8;4K-4u^WvqJrF@8z z#?#Ypm^ZR!;5cn=O3AVVWN&Dq2>Da*C!y2Y>@5_>X z-b>Fh7-g%NM=Gx$YrpjbCM(O@!u4L{<8{_SN6P+oX*Yo5_e&8$pX_;z%UwH!Qqur- zfFH^euHMe$s2`9-uM#$0LLCbFuc=J_1`siZf?yLq;@uRY`0dV^8fu6b%>0}{Hu3{P z2L}z+%haiv?}kF`);igKk3X=187f&Ze^-6PHi13(FHP|qnF+kVLP=FRbw-tLsbua} z@tI;ud5QfmaPVSzp%kD7?wl%}*QN|#q@51NTeu_lT#JD5tn>wrTt%Him9~L$qpd)c 
z$C$1!acema-IgwuU$(6DXxIzKoaCvit$^PjPjLNu9IbdRVZN#Uh(uVQ46iwT;_ zrt+5+3ujsW66UB18nI5MN9rg>E-aGG9zI_BV9mYvhx`E{n75dj3bw$lwZH6(0y|>k z%(&#oZt%z4AJwro^&@z3eA)dtg%yXcwiu51Upri5dSgvgo1%aqA-XP+L!fJbX9sJ0 zONi>soUGN^alyFQuSx&m%USJ4C?#_n3Z56hAm03zf<&YO${bRtpMkCK6t~U zKtO<=Wb2mz9i2yxZl>vkv~ybLQu8hy`+>UNB3Idy=h69G6pW+TARD~lDoCu3bi3AR z3_bQejE|3yfk`WX1>%9v%m3?YL@h*buBv2F%=7| zL@!G)TTrb|bGGN=*5kVd{DNnS&|)EG%(5&8b(PX1runA0teg4-7pO2e;r-n?GL=b0 z)KAd3Jjz89+96xmuN6D74lkfFwWtL-p0EFXIT>0J($V{pjwP5r>lU9-=@+P!9vv$SNjP4MHiOML&wy0I=QlvKVjqK zc}vl{4>&KTnPszsmSxH18A9~@H4t#XVWOMg|NPW+S~o;oTl{&|?a`?DG#9ZInr-oq zFa(lwqI8wuvlidHkqz-Zx}Nfsg?es9AIke6i{q%X}sVBYF8}4sVMndU4o<~KBh}jtqbC?LKWisocXtz z1DZ=5bG(L?jO!Pky-Nfcs+@$+Gfz_bT9Zqb&#=62QOB-lj=}MUC(PY{f3uJaE)|{L zs#poq360)fs*}wSPF(Ii!0>yA{6vO0lwGeMtW{r2v}*ZTc;ZZ<%uv96b5u;v{oQAr zB5D-l6jmD}+|ws-DniTNsL!t@0F{gyvP~uyhc?YFUS1d38p5^eXiR05+A1)@If`R7 zRD@mKEX+D#t5IGicj|0oZjGIiU@txqrlr@UP zlT`dcc%YWfKG<}8mJxDCe29{L6xa*JGQ7wl+=9#N#H_cy%Jpg_T&acPT!wN&7r;%~ zmEu;r4ATUxjy-KRN4ek+`fb!&(@6d2_Bm^5NYtM(%Ds+LQ;txJg%jtK1gQgm@Gwy- z_<-Kq-9RO5P)MRt?-Y#s!WVc3fTJW7r; zWISUGyx$uE0cyLM6c?8e0gv_wVo`>j)7qqR&lC1GyAeqg?F2hp;>0FjagQ`$ZITho zW^kF`bp>*mijsvTF^!H&Y+|}A@Oy-31%A3fr3WS!?))Hdp3q5E>0d1-K7OmNO9~gQ zL@+)uAutIB1uG5%0vZJX1Qe}2gt$9yT?9O?#L{Xxzkq;%Sr`Nqyd%}a`dA2ua^S-L QP+N65HcJ*|0s{etpglA>RsaA1 literal 0 HcmV?d00001 diff --git a/certService/helm/aaf-cert-service/templates/deployment.yaml b/certService/helm/aaf-cert-service/templates/deployment.yaml index f8b2d43f..f4a28f46 100644 --- a/certService/helm/aaf-cert-service/templates/deployment.yaml +++ b/certService/helm/aaf-cert-service/templates/deployment.yaml 
@@ -16,27 +16,52 @@ spec: - name: {{ .Values.volume.name }} secret: secretName: {{ .Values.secret.name }} + - name: {{ .Values.tls.server.volume.name }} + secret: + secretName: {{ .Values.tls.server.secret.name }} containers: - name: aaf-cert-service image: {{ .Values.repository }}/{{ .Values.image }} imagePullPolicy: {{ .Values.pullPolicy }} ports: - containerPort: {{ .Values.containerPort }} + env: + - name: HTTPS_PORT + value: "{{ .Values.containerPort }}" + - name: KEYSTORE_PATH + value: "{{ .Values.tls.server.volume.mountPath }}/{{ .Values.envs.keystore.jksName }}" + - name: KEYSTORE_P12_PATH + value: "{{ .Values.tls.server.volume.mountPath }}/{{ .Values.envs.keystore.p12Name }}" + - name: TRUSTSTORE_PATH + value: "{{ .Values.tls.server.volume.mountPath }}/{{ .Values.envs.truststore.jksName }}" + - name: ROOT_CERT + value: "{{ .Values.tls.server.volume.mountPath }}/{{ .Values.envs.truststore.crtName }}" + - name: KEYSTORE_PASSWORD + value: "{{ .Values.envs.keystore.password }}" + - name: TRUSTSTORE_PASSWORD + value: "{{ .Values.envs.truststore.password }}" livenessProbe: - httpGet: - port: {{ .Values.containerPort }} - path: {{ .Values.liveness.path }} + exec: + command: + - /bin/bash + - -c + - {{ .Values.liveness.command }} initialDelaySeconds: {{ .Values.liveness.initialDelaySeconds }} periodSeconds: {{ .Values.liveness.periodSeconds }} readinessProbe: - httpGet: - port: {{ .Values.containerPort }} - path: {{ .Values.readiness.path }} + exec: + command: + - /bin/bash + - -c + - {{ .Values.readiness.command }} initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }} periodSeconds: {{ .Values.readiness.periodSeconds }} volumeMounts: - name: {{ .Values.volume.name }} mountPath: {{ .Values.volume.mountPath }} readOnly: true + - name: {{ .Values.tls.server.volume.name }} + mountPath: {{ .Values.tls.server.volume.mountPath }} + readOnly: true resources: {{ toYaml .Values.resources }} 
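Review bot: `KEYSTORE_PASSWORD` and `TRUSTSTORE_PASSWORD` are injected as literal `value:` strings taken from `.Values.envs.*.password`, so the passwords that protect the server key end up in values.yaml, in the rendered manifest, in the Deployment object (readable by anyone allowed to `get deployments`) and in every `kubectl describe pod`, while the key material beside them is at least delivered through a Secret volume. I would source both from the server TLS secret with `valueFrom.secretKeyRef`; the two keys then have to be added to `secret_server_tls.yaml`, which is outside this hunk. The probe commands are also rendered unquoted as a YAML sequence item (`- {{ .Values.liveness.command }}`), so a value containing `: ` or ` #` would break the template — render them with `| quote`.
```yaml
        # … unchanged: HTTPS_PORT / *_PATH / ROOT_CERT env entries …
        - name: KEYSTORE_PASSWORD
          valueFrom:
            secretKeyRef:
              name: {{ .Values.tls.server.secret.name }}
              key: keystore-password
        - name: TRUSTSTORE_PASSWORD
          valueFrom:
            secretKeyRef:
              name: {{ .Values.tls.server.secret.name }}
              key: truststore-password
        livenessProbe:
          exec:
            command:
              - /bin/bash
              - -c
              - {{ .Values.liveness.command | quote }}
        # … unchanged: initialDelaySeconds/periodSeconds, readinessProbe (same quoting), volumeMounts …
```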
diff --git a/certService/helm/aaf-cert-service/templates/secret_client_tls.yaml b/certService/helm/aaf-cert-service/templates/secret_client_tls.yaml new file mode 100644 index 00000000..b80a4af4 --- /dev/null +++ b/certService/helm/aaf-cert-service/templates/secret_client_tls.yaml @@ -0,0 +1,10 @@ +apiVersion: v1 +kind: Secret +metadata: + name: {{ .Values.tls.client.secret.name }} +type: Opaque +data: + certServiceClient-keystore.jks: + {{ (.Files.Glob "resources/certServiceClient-keystore.jks").AsSecrets }} + truststore.jks: + {{ (.Files.Glob "resources/truststore.jks").AsSecrets }} diff --git a/certService/helm/aaf-cert-service/templates/secret_server_tls.yaml b/certService/helm/aaf-cert-service/templates/secret_server_tls.yaml new file mode 100644 index 00000000..535e3dbd --- /dev/null +++ b/certService/helm/aaf-cert-service/templates/secret_server_tls.yaml @@ -0,0 +1,14 @@ +apiVersion: v1 +kind: Secret +metadata: + name: {{ .Values.tls.server.secret.name }} +type: Opaque +data: + certServiceServer-keystore.jks: + {{ (.Files.Glob "resources/certServiceServer-keystore.jks").AsSecrets }} + certServiceServer-keystore.p12: + {{ (.Files.Glob "resources/certServiceServer-keystore.p12").AsSecrets }} + truststore.jks: + {{ (.Files.Glob "resources/truststore.jks").AsSecrets }} + root.crt: + {{ (.Files.Glob "resources/root.crt").AsSecrets }} \ No newline at end of file diff --git a/certService/helm/aaf-cert-service/templates/service.yaml b/certService/helm/aaf-cert-service/templates/service.yaml index fba7e5fa..f3c0ee0c 100644 --- a/certService/helm/aaf-cert-service/templates/service.yaml +++ b/certService/helm/aaf-cert-service/templates/service.yaml @@ -1,7 +1,7 @@ apiVersion: v1 kind: Service metadata: - name: {{ .Chart.Name }}-service + name: {{ .Chart.Name }} spec: type: {{ .Values.service.type }} selector: diff --git a/certService/helm/aaf-cert-service/values.yaml b/certService/helm/aaf-cert-service/values.yaml index 0dab1e32..efb16a5a 100644 
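Review bot: Both secret templates read the keystores straight out of the chart's own `resources/` directory, so the server's private key (`certServiceServer-keystore.jks`/`.p12`) and the client keystore ship inside the chart package and are identical for every installation — and since the same files are committed under `certs/` in this patch, they are public. I would let the chart consume an existing secret (for example `.Values.tls.server.existingSecret`, with the template rendered only when it is unset) or at minimum wrap the file lookups in `required` so a default install cannot silently deploy a published key. As far as I can tell from the Helm documentation, `.Files.Glob(...).AsSecrets` already renders `filename: <base64>` pairs, so placing it under an explicit `certServiceClient-keystore.jks:` key would nest a mapping inside `data`; the documented shape is `{{ (.Files.Glob "resources/truststore.jks").AsSecrets | indent 2 }}` directly under `data:` — worth confirming with `helm template`. Separately, `aaf-cert-service-client-tls-secret` is created by this server chart but nothing in the chart mounts it, so it only copies the client key into the server's namespace. The Service rename to `{{ .Chart.Name }}` changes the DNS name clients connect to, so the server certificate's SAN must match the new name or the client's hostname check will fail.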
--- a/certService/helm/aaf-cert-service/values.yaml +++ b/certService/helm/aaf-cert-service/values.yaml @@ -3,17 +3,17 @@ replicaCount: 1 repository: nexus3.onap.org:10001 image: onap/org.onap.aaf.certservice.aaf-certservice-api:1.0.0 pullPolicy: Always -containerPort: 8080 +containerPort: 8443 service: type: ClusterIP liveness: initialDelaySeconds: 60 periodSeconds: 10 - path: /actuator/health + command: curl https://localhost:$HTTPS_PORT/actuator/health --cacert $ROOT_CERT --cert-type p12 --cert $KEYSTORE_P12_PATH --pass $KEYSTORE_PASSWORD readiness: initialDelaySeconds: 30 periodSeconds: 10 - path: /ready + command: curl https://localhost:$HTTPS_PORT/ready --cacert $ROOT_CERT --cert-type p12 --cert $KEYSTORE_P12_PATH --pass $KEYSTORE_PASSWORD volume: name: aaf-cert-service-volume mountPath: /etc/onap/aaf/certservice @@ -28,3 +28,25 @@ resources: secret: name: aaf-cert-service-secret + +tls: + server: + secret: + name: aaf-cert-service-server-tls-secret + volume: + name: aaf-cert-service-server-tls-volume + mountPath: /etc/onap/aaf/certservice/certs/ + client: + secret: + name: aaf-cert-service-client-tls-secret + +envs: + keystore: + jksName: certServiceServer-keystore.jks + p12Name: certServiceServer-keystore.p12 + password: secret + truststore: + jksName: truststore.jks + crtName: root.crt + password: secret + diff --git a/certService/src/main/resources/application.properties b/certService/src/main/resources/application.properties index 9ccdd326..c5d14370 100644 --- a/certService/src/main/resources/application.properties +++ b/certService/src/main/resources/application.properties 
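Review bot: `envs.keystore.password: secret` and `envs.truststore.password: secret` are real default credentials for the shipped keystores, and the new probe commands then pass that value on the curl command line (`--pass $KEYSTORE_PASSWORD`), where it is readable in `/proc/<pid>/cmdline` by any process in the container and is rendered verbatim into the pod spec as part of the command string. I would ship the passwords empty and fail rendering when they are missing (`password: ""` here, `{{ required "keystore password must be set" .Values.envs.keystore.password }}` where they are consumed), and hand curl the password through `--config` instead of argv, e.g. `curl --config <(printf -- '--pass "%s"\n' "$KEYSTORE_PASSWORD") --cacert $ROOT_CERT --cert-type p12 --cert $KEYSTORE_P12_PATH https://localhost:$HTTPS_PORT/ready`; process substitution works because the probes already run under `/bin/bash -c`. A one-line comment above `tls:` stating that the bundled keystores under `resources/` are development-only would also help whoever copies this values file.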
@@ -9,3 +9,14 @@ springdoc.swagger-ui.path=/docs # AAF CertService app specific configuration app.config.path=/etc/onap/aaf/certservice + +# Mutual TLS configuration +server.ssl.enabled=true +server.ssl.client-auth=need +server.port=${HTTPS_PORT:8443} + +server.ssl.key-store=${KEYSTORE_PATH:/etc/onap/aaf/certservice/certs/certServiceServer-keystore.jks} +server.ssl.key-store-password=${KEYSTORE_PASSWORD:secret} + +server.ssl.trust-store=${TRUSTSTORE_PATH:/etc/onap/aaf/certservice/certs/truststore.jks} +server.ssl.trust-store-password=${TRUSTSTORE_PASSWORD:secret} diff --git a/certService/src/test/resources/application.properties b/certService/src/test/resources/application.properties index 39001571..b70ab3b4 100644 --- a/certService/src/test/resources/application.properties +++ b/certService/src/test/resources/application.properties @@ -1,2 +1,13 @@ # AAF CertService app specific configuration app.config.path=./src/test/resources + +# Mutual TLS configuration +server.ssl.enabled=true +server.ssl.client-auth=need +server.port=${HTTPS_PORT:8443} + +server.ssl.key-store=${KEYSTORE_PATH:/etc/onap/aaf/certservice/certs/certServiceServer-keystore.jks} +server.ssl.key-store-password=${KEYSTORE_PASSWORD:secret} + +server.ssl.trust-store=${TRUSTSTORE_PATH:/etc/onap/aaf/certservice/certs/truststore.jks} +server.ssl.trust-store-password=${TRUSTSTORE_PASSWORD:secret} \ No newline at end of file diff --git a/certServiceClient/README.md b/certServiceClient/README.md index 7748b29b..43d732c8 100644 --- a/certServiceClient/README.md +++ b/certServiceClient/README.md @@ -43,6 +43,10 @@ LOCATION=San-Francisco STATE=California COUNTRY=US SANS=example.com:example2.com +KEYSTORE_PATH=/etc/onap/aaf/certservice/certs/certServiceClient-keystore.jks +KEYSTORE_PASSWORD=secret +TRUSTSTORE_PATH=/etc/onap/aaf/certservice/certs/truststore.jks +TRUSTSTORE_PASSWORD=secret ``` ### Logs locally 
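Review bot: The production `application.properties` falls back to the literal password `secret` when `KEYSTORE_PASSWORD` or `TRUSTSTORE_PASSWORD` is unset, which turns a missing deployment secret into a silently working service with a well-known password instead of a startup failure. Drop the defaults in the main file — `server.ssl.key-store-password=${KEYSTORE_PASSWORD}` and `server.ssl.trust-store-password=${TRUSTSTORE_PASSWORD}` — so an unresolved placeholder stops the application at boot; the copy under `src/test/resources` can keep its defaults. `server.ssl.client-auth=need` is the right choice, and a comment above it would make the consequence explicit: `# every caller must present a certificate chaining to the truststore below`. The client README hunk on the same line shows `KEYSTORE_PASSWORD=secret` as an example; a note that this is a placeholder, not a recommended value, belongs next to it.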
diff --git a/certServiceClient/src/main/java/org/onap/aaf/certservice/client/CertServiceClient.java b/certServiceClient/src/main/java/org/onap/aaf/certservice/client/CertServiceClient.java index 0916bb8a..1b5b8ee3 100644 --- a/certServiceClient/src/main/java/org/onap/aaf/certservice/client/CertServiceClient.java +++ b/certServiceClient/src/main/java/org/onap/aaf/certservice/client/CertServiceClient.java 
@@ -19,26 +19,30 @@ package org.onap.aaf.certservice.client; -import java.security.KeyPair; import org.onap.aaf.certservice.client.api.ExitableException; -import org.onap.aaf.certservice.client.certification.PrivateKeyToPemEncoder; import org.onap.aaf.certservice.client.certification.CsrFactory; import org.onap.aaf.certservice.client.certification.KeyPairFactory; +import org.onap.aaf.certservice.client.certification.PrivateKeyToPemEncoder; import org.onap.aaf.certservice.client.certification.conversion.KeystoreTruststoreCreator; import org.onap.aaf.certservice.client.certification.conversion.KeystoreTruststoreCreatorFactory; import org.onap.aaf.certservice.client.common.Base64Encoder; import org.onap.aaf.certservice.client.configuration.EnvsForClient; import org.onap.aaf.certservice.client.configuration.EnvsForCsr; +import org.onap.aaf.certservice.client.configuration.EnvsForTls; import org.onap.aaf.certservice.client.configuration.factory.ClientConfigurationFactory; import org.onap.aaf.certservice.client.configuration.factory.CsrConfigurationFactory; +import org.onap.aaf.certservice.client.configuration.factory.SslContextFactory; import org.onap.aaf.certservice.client.configuration.model.ClientConfiguration; import org.onap.aaf.certservice.client.configuration.model.CsrConfiguration; -import org.onap.aaf.certservice.client.httpclient.CloseableHttpClientProvider; +import org.onap.aaf.certservice.client.httpclient.CloseableHttpsClientProvider; import org.onap.aaf.certservice.client.httpclient.HttpClient; import org.onap.aaf.certservice.client.httpclient.model.CertServiceResponse; import org.slf4j.Logger; import org.slf4j.LoggerFactory; +import javax.net.ssl.SSLContext; +import java.security.KeyPair; + import static org.onap.aaf.certservice.client.api.ExitStatus.SUCCESS; import static org.onap.aaf.certservice.client.certification.EncryptionAlgorithmConstants.KEY_SIZE; import static 
org.onap.aaf.certservice.client.certification.EncryptionAlgorithmConstants.RSA_ENCRYPTION_ALGORITHM; @@ -62,9 +66,10 @@ public class CertServiceClient { CsrConfiguration csrConfiguration = new CsrConfigurationFactory(new EnvsForCsr()).create(); KeyPair keyPair = keyPairFactory.create(); CsrFactory csrFactory = new CsrFactory(csrConfiguration); + SSLContext sslContext = new SslContextFactory(new EnvsForTls()).create(); - CloseableHttpClientProvider provider = new CloseableHttpClientProvider( - clientConfiguration.getRequestTimeout()); + CloseableHttpsClientProvider provider = new CloseableHttpsClientProvider( + sslContext, clientConfiguration.getRequestTimeout()); HttpClient httpClient = new HttpClient(provider, clientConfiguration.getUrlToCertService()); CertServiceResponse certServiceData = @@ -74,7 +79,7 @@ public class CertServiceClient { base64Encoder.encode(pkEncoder.encodePrivateKeyToPem(keyPair.getPrivate()))); KeystoreTruststoreCreator filesCreator = new KeystoreTruststoreCreatorFactory( - clientConfiguration.getCertsOutputPath()).create(); + clientConfiguration.getCertsOutputPath()).create(); filesCreator.createKeystore(certServiceData.getCertificateChain(), keyPair.getPrivate()); filesCreator.createTruststore(certServiceData.getTrustedCertificates()); } catch (ExitableException e) { diff --git a/certServiceClient/src/main/java/org/onap/aaf/certservice/client/api/ExitStatus.java b/certServiceClient/src/main/java/org/onap/aaf/certservice/client/api/ExitStatus.java index c474fd03..78ecc778 100644 --- a/certServiceClient/src/main/java/org/onap/aaf/certservice/client/api/ExitStatus.java +++ b/certServiceClient/src/main/java/org/onap/aaf/certservice/client/api/ExitStatus.java 
@@ -28,7 +28,8 @@ public enum ExitStatus { CERT_SERVICE_API_CONNECTION_EXCEPTION(5,"CertService HTTP unsuccessful response"), HTTP_CLIENT_EXCEPTION(6,"Internal HTTP Client connection problem"), PKCS12_CONVERSION_EXCEPTION(7,"Fail in PKCS12 conversion"), - PK_TO_PEM_ENCODING_EXCEPTION(8,"Fail in Private Key to PEM Encoding"); + PK_TO_PEM_ENCODING_EXCEPTION(8,"Fail in Private Key to PEM Encoding"), + TLS_CONFIGURATION_EXCEPTION(9, "Invalid TLS configuration"); private final int value; private final String message; diff --git a/certServiceClient/src/main/java/org/onap/aaf/certservice/client/configuration/EnvsForTls.java b/certServiceClient/src/main/java/org/onap/aaf/certservice/client/configuration/EnvsForTls.java new file mode 100644 index 00000000..b2f782c2 --- /dev/null +++ b/certServiceClient/src/main/java/org/onap/aaf/certservice/client/configuration/EnvsForTls.java 
@@ -0,0 +1,47 @@ +/* + * ============LICENSE_START======================================================= + * aaf-certservice-client + * ================================================================================ + * Copyright (C) 2020 Nokia. All rights reserved. + * ================================================================================ + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * ============LICENSE_END========================================================= + */ + +package org.onap.aaf.certservice.client.configuration; + +import java.util.Optional; + +public class EnvsForTls { + private final EnvProvider envProvider = new EnvProvider(); + + public Optional getKeystorePath() { + return readEnv(TlsConfigurationEnvs.KEYSTORE_PATH); + } + + public Optional getKeystorePassword() { + return readEnv(TlsConfigurationEnvs.KEYSTORE_PASSWORD); + } + + public Optional getTruststorePath() { + return readEnv(TlsConfigurationEnvs.TRUSTSTORE_PATH); + } + + public Optional getTruststorePassword() { + return readEnv(TlsConfigurationEnvs.TRUSTSTORE_PASSWORD); + } + + private Optional readEnv(TlsConfigurationEnvs envName) { + return envProvider.readEnvVariable(envName.toString()); + } +} diff --git a/certServiceClient/src/main/java/org/onap/aaf/certservice/client/configuration/TlsConfigurationEnvs.java b/certServiceClient/src/main/java/org/onap/aaf/certservice/client/configuration/TlsConfigurationEnvs.java new file mode 100644 index 00000000..4009a088 
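Review bot: `EnvsForTls` is the only place the client locates its TLS material and passwords, yet it carries no documentation of which variables it reads or what an absent one yields. I would add a class Javadoc along the lines of `/** Reads the client's TLS settings from the process environment: KEYSTORE_PATH, KEYSTORE_PASSWORD, TRUSTSTORE_PATH and TRUSTSTORE_PASSWORD (see TlsConfigurationEnvs). Each getter returns the raw value as read by EnvProvider; presumably empty when the variable is unset — confirm against EnvProvider, which is not part of this change. */`. Since passwords travel through the environment, the Javadoc is also the place to say that the process environment is visible to anything that can read `/proc` in the container, so the variables should be injected from a secret rather than a committed env file.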
--- /dev/null +++ b/certServiceClient/src/main/java/org/onap/aaf/certservice/client/configuration/TlsConfigurationEnvs.java @@ -0,0 +1,28 @@ +/* + * ============LICENSE_START======================================================= + * aaf-certservice-client + * ================================================================================ + * Copyright (C) 2020 Nokia. All rights reserved. + * ================================================================================ + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * ============LICENSE_END========================================================= + */ + +package org.onap.aaf.certservice.client.configuration; + +public enum TlsConfigurationEnvs { + KEYSTORE_PATH, + KEYSTORE_PASSWORD, + TRUSTSTORE_PATH, + TRUSTSTORE_PASSWORD +} diff --git a/certServiceClient/src/main/java/org/onap/aaf/certservice/client/configuration/exception/TlsConfigurationException.java b/certServiceClient/src/main/java/org/onap/aaf/certservice/client/configuration/exception/TlsConfigurationException.java new file mode 100644 index 00000000..a10185b2 --- /dev/null +++ b/certServiceClient/src/main/java/org/onap/aaf/certservice/client/configuration/exception/TlsConfigurationException.java 
@@ -0,0 +1,36 @@ +/* + * ============LICENSE_START======================================================= + * aaf-certservice-client + * ================================================================================ + * Copyright (C) 2020 Nokia. All rights reserved. + * ================================================================================ + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * ============LICENSE_END========================================================= + */ + +package org.onap.aaf.certservice.client.configuration.exception; + +import org.onap.aaf.certservice.client.api.ExitStatus; +import org.onap.aaf.certservice.client.api.ExitableException; + +public class TlsConfigurationException extends ExitableException { + private static final ExitStatus EXIT_STATUS = ExitStatus.CERT_SERVICE_API_CONNECTION_EXCEPTION; + + public TlsConfigurationException(String message) { + super(message); + } + + public ExitStatus applicationExitStatus() { + return EXIT_STATUS; + } +} diff --git a/certServiceClient/src/main/java/org/onap/aaf/certservice/client/configuration/factory/CsrConfigurationFactory.java b/certServiceClient/src/main/java/org/onap/aaf/certservice/client/configuration/factory/CsrConfigurationFactory.java index a94c906f..1d4cf2b2 100644 --- a/certServiceClient/src/main/java/org/onap/aaf/certservice/client/configuration/factory/CsrConfigurationFactory.java 
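Review bot: `EXIT_STATUS` maps every TLS configuration failure (missing env variable, unreadable keystore, wrong store password) onto `ExitStatus.CERT_SERVICE_API_CONNECTION_EXCEPTION`, so from the exit code alone an operator cannot distinguish a local misconfiguration from the cert service being unreachable. The diffstat shows `ExitStatus.java` changing in this patch but its hunk is not in view; if a TLS-specific status is being introduced there, this constant should reference it. `applicationExitStatus()` also lacks `@Override`, which would let the compiler catch signature drift against `ExitableException`, assuming the method is declared abstract there.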
+++ b/certServiceClient/src/main/java/org/onap/aaf/certservice/client/configuration/factory/CsrConfigurationFactory.java @@ -27,12 +27,12 @@ import org.onap.aaf.certservice.client.configuration.model.CsrConfiguration; import org.slf4j.Logger; import org.slf4j.LoggerFactory; + public class CsrConfigurationFactory extends AbstractConfigurationFactory { private static final Logger LOGGER = LoggerFactory.getLogger(CsrConfigurationFactory.class); private final EnvsForCsr envsForCsr; - public CsrConfigurationFactory(EnvsForCsr envsForCsr) { this.envsForCsr = envsForCsr; } diff --git a/certServiceClient/src/main/java/org/onap/aaf/certservice/client/configuration/factory/SslContextFactory.java b/certServiceClient/src/main/java/org/onap/aaf/certservice/client/configuration/factory/SslContextFactory.java new file mode 100644 index 00000000..ef74d830 --- /dev/null +++ b/certServiceClient/src/main/java/org/onap/aaf/certservice/client/configuration/factory/SslContextFactory.java 
@@ -0,0 +1,85 @@ +/*============LICENSE_START======================================================= + * aaf-certservice-client + * ================================================================================ + * Copyright (C) 2020 Nokia. All rights reserved. + * ================================================================================ + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * ============LICENSE_END========================================================= + */ + +package org.onap.aaf.certservice.client.configuration.factory; + +import org.apache.http.ssl.SSLContexts; +import org.onap.aaf.certservice.client.configuration.EnvsForTls; +import org.onap.aaf.certservice.client.configuration.TlsConfigurationEnvs; +import org.onap.aaf.certservice.client.configuration.exception.TlsConfigurationException; + +import javax.net.ssl.SSLContext; +import java.io.File; +import java.io.FileInputStream; +import java.io.IOException; +import java.security.KeyStore; +import java.security.KeyStoreException; +import java.security.NoSuchAlgorithmException; +import java.security.cert.CertificateException; + +public class SslContextFactory { + + private static final String JKS = "jks"; + + private EnvsForTls envsForTls; + + public SslContextFactory(EnvsForTls envsForTls) { + this.envsForTls = envsForTls; + } + + public SSLContext create() throws TlsConfigurationException { + String keystorePath = envsForTls.getKeystorePath() + .orElseThrow(() -> new 
TlsConfigurationException(createEnvMissingMessage(TlsConfigurationEnvs.KEYSTORE_PATH))); + String keystorePassword = envsForTls.getKeystorePassword() + .orElseThrow(() -> new TlsConfigurationException(createEnvMissingMessage(TlsConfigurationEnvs.KEYSTORE_PASSWORD))); + String truststorePath = envsForTls.getTruststorePath() + .orElseThrow(() -> new TlsConfigurationException(createEnvMissingMessage(TlsConfigurationEnvs.TRUSTSTORE_PATH))); + String truststorePassword = envsForTls.getTruststorePassword() + .orElseThrow(() -> new TlsConfigurationException(createEnvMissingMessage(TlsConfigurationEnvs.TRUSTSTORE_PASSWORD))); + + return createSSLContext(keystorePath, keystorePassword, truststorePath, truststorePassword); + } + + private String createEnvMissingMessage(TlsConfigurationEnvs keystorePath) { + return String.format("%s env is missing.", keystorePath); + } + + private KeyStore setupKeystore(String keystorePath, String certPassword) + throws KeyStoreException, IOException, NoSuchAlgorithmException, CertificateException { + KeyStore keyStore = KeyStore.getInstance(JKS); + FileInputStream identityKeyStoreFile = new FileInputStream(new File( + keystorePath)); + keyStore.load(identityKeyStoreFile, certPassword.toCharArray()); + return keyStore; + } + + private SSLContext createSSLContext(String keystorePath, String keystorePassword, String truststorePath, String truststorePassword) throws TlsConfigurationException { + try { + KeyStore identityKeystore = setupKeystore(keystorePath, keystorePassword); + KeyStore trustKeystore = setupKeystore(truststorePath, truststorePassword); + + return SSLContexts.custom() + .loadKeyMaterial(identityKeystore, keystorePassword.toCharArray()) + .loadTrustMaterial(trustKeystore, null) + .build(); + } catch (Exception e) { + throw new TlsConfigurationException("TLS configuration exception: " + e); + } + } +} 
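Review bot: `setupKeystore` opens a `FileInputStream` and never closes it, on both the success path and the exception path (`keyStore.load` throws on a wrong password, which the new test exercises), so each factory call leaks a file handle. Wrap the stream in try-with-resources: `try (FileInputStream identityKeyStoreFile = new FileInputStream(new File(keystorePath))) {` / `    keyStore.load(identityKeyStoreFile, certPassword.toCharArray());` / `}`. In `createSSLContext`, `catch (Exception e)` followed by `"TLS configuration exception: " + e` discards the stack trace and cause chain; a `TlsConfigurationException` constructor that also accepts the `Throwable` cause (forwarding to `super` if `ExitableException` allows it) would preserve it for the log. The parameter of `createEnvMissingMessage` is named `keystorePath` but receives any of the four `TlsConfigurationEnvs` constants; `envName` would match `readEnv` in `EnvsForTls`.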
diff --git a/certServiceClient/src/main/java/org/onap/aaf/certservice/client/configuration/model/ClientConfiguration.java b/certServiceClient/src/main/java/org/onap/aaf/certservice/client/configuration/model/ClientConfiguration.java index ff2db831..2ac481dc 100644 --- a/certServiceClient/src/main/java/org/onap/aaf/certservice/client/configuration/model/ClientConfiguration.java +++ b/certServiceClient/src/main/java/org/onap/aaf/certservice/client/configuration/model/ClientConfiguration.java @@ -25,7 +25,7 @@ import org.onap.aaf.certservice.client.configuration.ClientConfigurationEnvs; public class ClientConfiguration implements ConfigurationModel { private static final Integer DEFAULT_TIMEOUT_MS = 30000; - private static final String DEFAULT_REQUEST_URL = "http://aaf-cert-service-service:8080/v1/certificate/"; + private static final String DEFAULT_REQUEST_URL = "https://aaf-cert-service:8443/v1/certificate/"; private String urlToCertService; private Integer requestTimeout; diff --git a/certServiceClient/src/main/java/org/onap/aaf/certservice/client/httpclient/CloseableHttpClientProvider.java b/certServiceClient/src/main/java/org/onap/aaf/certservice/client/httpclient/CloseableHttpsClientProvider.java similarity index 80% rename from certServiceClient/src/main/java/org/onap/aaf/certservice/client/httpclient/CloseableHttpClientProvider.java rename to certServiceClient/src/main/java/org/onap/aaf/certservice/client/httpclient/CloseableHttpsClientProvider.java index 5ad933ff..3b7a46ab 100644 --- a/certServiceClient/src/main/java/org/onap/aaf/certservice/client/httpclient/CloseableHttpClientProvider.java +++ b/certServiceClient/src/main/java/org/onap/aaf/certservice/client/httpclient/CloseableHttpsClientProvider.java 
@@ -24,11 +24,15 @@ import org.apache.http.client.config.RequestConfig; import org.apache.http.impl.client.CloseableHttpClient; import org.apache.http.impl.client.HttpClientBuilder; -public class CloseableHttpClientProvider { +import javax.net.ssl.SSLContext; + +public class CloseableHttpsClientProvider { private final int timeout; + private final SSLContext sslContext; - public CloseableHttpClientProvider(int timeout) { + public CloseableHttpsClientProvider(SSLContext sslContext, int timeout) { + this.sslContext = sslContext; this.timeout = timeout; } @@ -39,6 +43,9 @@ public class CloseableHttpClientProvider { .setConnectTimeout(timeout) .setSocketTimeout(timeout) .build(); - return HttpClientBuilder.create().setDefaultRequestConfig(config).build(); + + return HttpClientBuilder.create() + .setSSLContext(sslContext) + .setDefaultRequestConfig(config).build(); } } diff --git a/certServiceClient/src/main/java/org/onap/aaf/certservice/client/httpclient/HttpClient.java b/certServiceClient/src/main/java/org/onap/aaf/certservice/client/httpclient/HttpClient.java index 7512830d..0780afad 100644 --- a/certServiceClient/src/main/java/org/onap/aaf/certservice/client/httpclient/HttpClient.java +++ b/certServiceClient/src/main/java/org/onap/aaf/certservice/client/httpclient/HttpClient.java @@ -44,10 +44,10 @@ public class HttpClient { private static final String CHARSET_UTF_8 = "UTF-8"; private final Gson gson = new Gson(); - private final CloseableHttpClientProvider httpClientProvider; + private final CloseableHttpsClientProvider httpClientProvider; private final String certServiceAddress; - public HttpClient(CloseableHttpClientProvider httpClientProvider, String certServiceAddress) { + public HttpClient(CloseableHttpsClientProvider httpClientProvider, String certServiceAddress) { this.httpClientProvider = httpClientProvider; this.certServiceAddress = certServiceAddress; } 
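Review bot: The new constructor stores `sslContext` without checking it, and `HttpClientBuilder.setSSLContext(null)` does not fail; as far as I recall the builder then falls back to the JVM default socket factory, so a client built with a null context would silently use the system trust store and present no client certificate, surfacing later as an opaque handshake failure instead of a configuration error at startup. Add `this.sslContext = Objects.requireNonNull(sslContext, "sslContext must not be null");` in the constructor (with `import java.util.Objects;`). The rename to `CloseableHttpsClientProvider` is consistently applied in the `HttpClient` hunk below.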
diff --git a/certServiceClient/src/test/java/org/onap/aaf/certservice/client/configuration/factory/SslContextFactoryTest.java b/certServiceClient/src/test/java/org/onap/aaf/certservice/client/configuration/factory/SslContextFactoryTest.java new file mode 100644 index 00000000..e71e9895 --- /dev/null +++ b/certServiceClient/src/test/java/org/onap/aaf/certservice/client/configuration/factory/SslContextFactoryTest.java 
@@ -0,0 +1,197 @@ +/* + * ============LICENSE_START======================================================= + * aaf-certservice-client + * ================================================================================ + * Copyright (C) 2020 Nokia. All rights reserved. + * ================================================================================ + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * ============LICENSE_END========================================================= + */ + +package org.onap.aaf.certservice.client.configuration.factory; + +import org.junit.jupiter.api.Test; +import org.junit.jupiter.api.extension.ExtendWith; +import org.mockito.Mock; +import org.mockito.junit.jupiter.MockitoExtension; +import org.onap.aaf.certservice.client.configuration.EnvsForTls; +import org.onap.aaf.certservice.client.configuration.exception.TlsConfigurationException; + +import javax.net.ssl.SSLContext; +import java.util.Optional; + +import static org.assertj.core.api.Assertions.assertThat; +import static org.junit.jupiter.api.Assertions.assertNotNull; +import static org.junit.jupiter.api.Assertions.assertThrows; +import static org.mockito.Mockito.when; + + +@ExtendWith(MockitoExtension.class) +public class SslContextFactoryTest { + + public static final String INVALID_KEYSTORE_PATH = "nonexistent/keystore"; + public static final String VALID_KEYSTORE_NAME = "keystore.jks"; + public static final String VALID_KEYSTORE_PASSWORD = "secret"; + public static 
final String INVALID_KEYSTORE_PASSWORD = "wrong_secret"; + public static final String INVALID_TRUSTSTORE_PATH = "nonexistent/truststore"; + public static final String VALID_TRUSTSTORE_PASSWORD = "secret"; + public static final String INVALID_TRUSTSTORE_PASSWORD = "wrong_secret"; + public static final String VALID_TRUSTSTORE_NAME = "truststore.jks"; + @Mock + private EnvsForTls envsForTls; + + @Test + public void shouldThrowExceptionWhenKeystorePathEnvIsMissing() { + // Given + when(envsForTls.getKeystorePath()).thenReturn(Optional.empty()); + SslContextFactory sslContextFactory = new SslContextFactory(envsForTls); + + // When, Then + Exception exception = assertThrows( + TlsConfigurationException.class, sslContextFactory::create + ); + assertThat(exception.getMessage()).contains("KEYSTORE_PATH"); + } + + @Test + public void shouldThrowExceptionWhenKeystorePasswordEnvIsMissing() { + // Given + when(envsForTls.getKeystorePath()).thenReturn(Optional.of("keystore")); + when(envsForTls.getKeystorePassword()).thenReturn(Optional.empty()); + SslContextFactory sslContextFactory = new SslContextFactory(envsForTls); + + // When, Then + Exception exception = assertThrows( + TlsConfigurationException.class, sslContextFactory::create + ); + assertThat(exception.getMessage()).contains("KEYSTORE_PASSWORD"); + } + + @Test + public void shouldThrowExceptionWhenTruststorePathEnvIsMissing() { + // Given + when(envsForTls.getKeystorePath()).thenReturn(Optional.of("keystore")); + when(envsForTls.getKeystorePassword()).thenReturn(Optional.of("password")); + when(envsForTls.getTruststorePath()).thenReturn(Optional.empty()); + SslContextFactory sslContextFactory = new SslContextFactory(envsForTls); + + // When, Then + Exception exception = assertThrows( + TlsConfigurationException.class, sslContextFactory::create + ); + assertThat(exception.getMessage()).contains("TRUSTSTORE_PATH"); + } + + @Test + public void shouldThrowExceptionWhenTruststorePasswordEnvIsMissing() { + // Given + 
when(envsForTls.getKeystorePath()).thenReturn(Optional.of("keystore")); + when(envsForTls.getKeystorePassword()).thenReturn(Optional.of("password")); + when(envsForTls.getTruststorePath()).thenReturn(Optional.of("truststore")); + when(envsForTls.getTruststorePassword()).thenReturn(Optional.empty()); + SslContextFactory sslContextFactory = new SslContextFactory(envsForTls); + + // When, Then + Exception exception = assertThrows( + TlsConfigurationException.class, sslContextFactory::create + ); + assertThat(exception.getMessage()).contains("TRUSTSTORE_PASSWORD"); + } + + @Test + public void shouldThrowExceptionWhenKeystoreIsMissing() { + // Given + when(envsForTls.getKeystorePath()).thenReturn(Optional.of(INVALID_KEYSTORE_PATH)); + when(envsForTls.getKeystorePassword()).thenReturn(Optional.of("secret")); + when(envsForTls.getTruststorePath()).thenReturn(Optional.of("truststore.jks")); + when(envsForTls.getTruststorePassword()).thenReturn(Optional.of("secret")); + SslContextFactory sslContextFactory = new SslContextFactory(envsForTls); + + // When, Then + assertThrows( + TlsConfigurationException.class, sslContextFactory::create + ); + } + + @Test + public void shouldThrowExceptionWhenKeystorePasswordIsWrong() { + // Given + String keystorePath = getResourcePath(VALID_KEYSTORE_NAME); + when(envsForTls.getKeystorePath()).thenReturn(Optional.of(keystorePath)); + when(envsForTls.getKeystorePassword()).thenReturn(Optional.of(INVALID_KEYSTORE_PASSWORD)); + when(envsForTls.getTruststorePath()).thenReturn(Optional.of(VALID_TRUSTSTORE_NAME)); + when(envsForTls.getTruststorePassword()).thenReturn(Optional.of(VALID_TRUSTSTORE_PASSWORD)); + SslContextFactory sslContextFactory = new SslContextFactory(envsForTls); + + // When, Then + assertThrows( + TlsConfigurationException.class, sslContextFactory::create + ); + } + + @Test + public void shouldThrowExceptionWhenTruststoreIsMissing() { + // Given + String keystorePath = getResourcePath(VALID_KEYSTORE_NAME); + 
when(envsForTls.getKeystorePath()).thenReturn(Optional.of(keystorePath)); + when(envsForTls.getKeystorePassword()).thenReturn(Optional.of(VALID_KEYSTORE_PASSWORD)); + when(envsForTls.getTruststorePath()).thenReturn(Optional.of(INVALID_TRUSTSTORE_PATH)); + when(envsForTls.getTruststorePassword()).thenReturn(Optional.of(VALID_TRUSTSTORE_PASSWORD)); + SslContextFactory sslContextFactory = new SslContextFactory(envsForTls); + + // When, Then + assertThrows( + TlsConfigurationException.class, sslContextFactory::create + ); + } + + @Test + public void shouldThrowExceptionWhenTruststorePasswordIsWrong() { + // Given + String keystorePath = getResourcePath(VALID_KEYSTORE_NAME); + String truststorePath = getResourcePath(VALID_TRUSTSTORE_NAME); + when(envsForTls.getKeystorePath()).thenReturn(Optional.of(keystorePath)); + when(envsForTls.getKeystorePassword()).thenReturn(Optional.of(VALID_KEYSTORE_PASSWORD)); + when(envsForTls.getTruststorePath()).thenReturn(Optional.of(truststorePath)); + when(envsForTls.getTruststorePassword()).thenReturn(Optional.of(INVALID_TRUSTSTORE_PASSWORD)); + SslContextFactory sslContextFactory = new SslContextFactory(envsForTls); + + // When, Then + assertThrows( + TlsConfigurationException.class, sslContextFactory::create + ); + } + + @Test + public void shouldReturnSSLContext() throws TlsConfigurationException { + // Given + String keystorePath = getResourcePath(VALID_KEYSTORE_NAME); + String truststorePath = getResourcePath(VALID_TRUSTSTORE_NAME); + when(envsForTls.getKeystorePath()).thenReturn(Optional.of(keystorePath)); + when(envsForTls.getKeystorePassword()).thenReturn(Optional.of(VALID_KEYSTORE_PASSWORD)); + when(envsForTls.getTruststorePath()).thenReturn(Optional.of(truststorePath)); + when(envsForTls.getTruststorePassword()).thenReturn(Optional.of(VALID_TRUSTSTORE_PASSWORD)); + SslContextFactory sslContextFactory = new SslContextFactory(envsForTls); + + // When + SSLContext sslContext = sslContextFactory.create(); + + // Then + 
assertNotNull(sslContext); + } + + private String getResourcePath(String resource) { + return getClass().getClassLoader().getResource(resource).getFile(); + } +} + diff --git a/certServiceClient/src/test/java/org/onap/aaf/certservice/client/configuration/model/ClientConfigurationFactoryTest.java b/certServiceClient/src/test/java/org/onap/aaf/certservice/client/configuration/model/ClientConfigurationFactoryTest.java index c936ef52..f4f92495 100644 --- a/certServiceClient/src/test/java/org/onap/aaf/certservice/client/configuration/model/ClientConfigurationFactoryTest.java +++ b/certServiceClient/src/test/java/org/onap/aaf/certservice/client/configuration/model/ClientConfigurationFactoryTest.java @@ -38,8 +38,8 @@ public class ClientConfigurationFactoryTest { private final String CA_NAME_VALID = "caaaftest2"; private final String TIME_OUT_VALID = "30000"; private final String OUTPUT_PATH_VALID = "/opt/app/osaaf"; - private final String URL_TO_CERT_SERVICE_VALID = "http://cert-service:8080/v1/certificate/"; - private final String URL_TO_CERT_SERVICE_DEFAULT = "http://aaf-cert-service-service:8080/v1/certificate/"; + private final String URL_TO_CERT_SERVICE_VALID = "https://cert-service:8443/v1/certificate/"; + private final String URL_TO_CERT_SERVICE_DEFAULT = "https://aaf-cert-service:8443/v1/certificate/"; private final String CA_NAME_INVALID = "caaaftest2#$"; private final String OUTPUT_PATH_INVALID = "/opt//app/osaaf"; diff --git a/certServiceClient/src/test/java/org/onap/aaf/certservice/client/httpclient/HttpClientTest.java b/certServiceClient/src/test/java/org/onap/aaf/certservice/client/httpclient/HttpClientTest.java index 2a539414..60c2e93d 100644 --- a/certServiceClient/src/test/java/org/onap/aaf/certservice/client/httpclient/HttpClientTest.java +++ b/certServiceClient/src/test/java/org/onap/aaf/certservice/client/httpclient/HttpClientTest.java 
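Review bot: `shouldThrowExceptionWhenKeystoreIsMissing` and `shouldThrowExceptionWhenKeystorePasswordIsWrong` stub the truststore path with the bare resource name (`"truststore.jks"` and `VALID_TRUSTSTORE_NAME`) rather than `getResourcePath(VALID_TRUSTSTORE_NAME)`, so the truststore path is itself invalid; the tests pass only because the keystore is loaded first, and the bare `assertThrows(TlsConfigurationException.class, ...)` cannot tell which store or which failure produced the exception. Route both through `getResourcePath(...)` as the later tests do, and assert on the message (the factory wraps the cause as `"TLS configuration exception: " + e`, so `assertThat(exception.getMessage()).contains("FileNotFoundException")` pins the missing-keystore case) so a test cannot pass for the wrong reason. `getResourcePath` also relies on `URL.getFile()`, which leaves percent-encoding in place and breaks when the build directory contains a space; `Paths.get(getClass().getClassLoader().getResource(resource).toURI()).toString()` is the usual robust form.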
@@ -66,7 +66,7 @@ class HttpClientTest { statusLine = mock(StatusLine.class); httpResponse = mock(CloseableHttpResponse.class); - CloseableHttpClientProvider httpClientProvider = mock(CloseableHttpClientProvider.class); + CloseableHttpsClientProvider httpClientProvider = mock(CloseableHttpsClientProvider.class); when(httpClientProvider.getClient()).thenReturn(closeableHttpClient); String testCertServiceAddress = ""; diff --git a/certServiceClient/src/test/resources/keystore.jks b/certServiceClient/src/test/resources/keystore.jks new file mode 100644 index 0000000000000000000000000000000000000000..0de9a18d9259d83610e73f928bcff1635ed22fa4 GIT binary patch literal 5581 zcmeH~XFOc%_Q$6gofush6MZ-sZA2$}qSpi=dhh)p%!rbRPDmmm`UoLchVsr`O z=!_CAq~H!Y_kPa3=l|-y_}@2qu|IpS^_0E#^Q`ClTl;w9cmn_cfd0II06Kd|zW{$n zzaUq8M|%%fN3Q??0O+%FWoZ!rAOWDTkRK=-D1{Id2muO$=zu^H00awJx#G(=E@2@Q z_;NCOC{N`1I+_J8fB6lz75*?OQ?R4AgjSB36;e7NIuqRG^;|+vxBr9gA)`+1)5vuz z=y%?eFuJ$J^k1-rO0=P7<31&qb6`%HAvJTNOrXU0m9lTSHq*XVmRtqY;+$ObwKjh| zyRp!2X6@2%zZ0ik=0(RB1`x>))`~8htAp{V#%!~1UBsw$hG~zN=!(RVxo$^~-=U)1 z#eS?~$|}W;d{|fN#9KZT>OrvW#=rDwz4OWMEwZ_>4nHQ+7gBWNWxDy!iuWD+jjy5N zIjL$6`4N=bsz27EsIGY2{3hDe`;`ztKC8u8j=wZqIQ@lU#wjkts!0ShBjMI4#`WP| zs#FnNLg1x4dmnsOK4u3qSo@u$cc7lZ>z2#|OB3*77g@u)UQjGk;t8-i$5?H%;DQk! z^D5!05L)kh|4gBC*G1Cc^Ov%1LGKuO@{bThNo|qL&Q7)~87YS?6`S2;*JG}1wyo9M zZ}0P)4}*JnZ^g>r|AC8qX**{~m6^j%Fuj$R>E*XsJ

YVbNZW(|urm;&ET2TbKt- zWwG2M?3(13yPZur^I6$<8?X`)MddL6bRdsun_Piq(Y}sWlNKJN@{I4B6Pn?%hC{hn z`N->|HgQA!$6wy!;fSlDo4ge91}c{CT5ObxpR&l+oAt*fdmSLU2d?oq=c=#ULLxWk zIMQ?bvoPGuOo6^EIG2qfjcc*+91?&oKt@i(@t+`$stKWI~%s zkMZQ>J7@UhQrnh$${t0t|L-5A?{_ZnV~U?TSbjr%-{nr^jzA}RUg1q36vVv2xA4`k zxj22MgR?D0^eTScsF**cNA%8{2PeI9Br*0XrgV zHptkGbCfF{=M#@$2yAf&YT6pdwC!LE87~0m_(19b`9{W!K%-P4TTrUri3tv?lz4NP1u@KiXsY9=FJ< zr$1um!$#9^rSN*E%AtIl?H-x=6wE3pmgNyTV0pP;G?1=8af`3m=F*okZ~s%amRM(@fs)a~dYN4F=w$H}SQx%q{}_ih-(jB#_!O4` zNl-O>ce49Hd$D_W%)&hBl7}TmPk@gVxhp~XsvKD!w)Uzn$|DSFv_S_~PrqjuBP(C5 znIM~;pl!%)CtV>C8_GKQ2V=HY)V>u^bA>ibytGiz{Np3?-ho~epL&s$AxDlxyVU(` zGQZOEonbjOy&|G}+pAAh`Qzm121RJwT{D;R{JUVI(fbEvt37!|9o73O%5SWC6jMVI z%&~hKrYg?s@5g0Fz&t@L>sz&@JPH+N3N6vADtNVL;ZaO+;#Xww8)BwPqXp*Juwc?WFbD_&L7bXiLQ&LEa=}=w*aK=HkctRQKQT%a zITUOPfzpEvbi^1?uv3GKo>I-*!z&bF>|yKgE_RN{RHB!Zp48mW+up-ASd0-xf9j#2 zr!w;P4nU}Sd-~XVg^JOkXiwdg^kipleLv@ay1?{ge#D+4_THW-I5V|43MC;XEhZ+3 zk`lK#GtpvFf0`)F{r@f~IEwveP>iP{Vf<4hRL?{L;Y|#M3x)U@9qZrQiE*8M!Jl)0 z>Hj{*S?pLK*I$>As4rkFkd`PsKnf5R2n5u9a!s?HatV8>JkKp*^lCrfe0gUle+;L1 z9yZp{(Rb}6*lZ!(z@~{zWl2g`Rn+sm(-Bn)g$cPOnPbFb0+c}G5FH}0Vw>>UEDU7+ zKs=ppBuSVtRp0Rw>I5leXJlpOTY2G)@i{`vAG&(d=j%-^*kya3PzzTjSdV%9&_n~^ zh`TMjYg{~+C$^g{F98lTy*qS5DHx(tj7+WN^E=)gEM--TE;$D$40LY_HcZZwS_bJ_ z@IKO<(Y)-{2d=uO+@Sy*o6ik4x=bDr8yqoudMo{%u z(`!k=NPcg#b@C?V5P0$7{m_i>+MAC-U?2ckfXP5%Qc)bl)#jjqFhLkNk3yo&xDC7^ zt+F}~o8F6vn25qqoTtr1i9Uf4vk7}9?EkiBXSu{d4ZVmb!f zPFR((Y5g%gxILIE!RgL z)g?(dnwv_}wr<3^@Z7B6j(EVs->tC0%!OC~Zgi~;+ZKJR=ZWs1)^e+Ih%#Kj&F?u8UnA)efPc|4n@GzHA}z!J zNlR8p|9@o6|DKkTGDKQRN~12K#7}8SH2)_tVL^YVAn25WAR+~cr>cg7ff@V)=c-)= z=h5FfNE3egM>MCe`OV`I_0&=;WfwR@OHTW<2UZoS<-9J>?XLTUch62xU*^f(I)GrY=QcQdrh6Org}WhwSW#G ziF|a1`3*bFROvGtrifcNN?Z>`4|v@$mrO_^n91^PnoPOU))5pVG&pisWezDq;Mtg2 zR8T{}jvgK?+!^F$J~!l&0!X!5vvuQ)7g}O|;_k+BnN97Ej?X(GJp=f#fkY%)fJcjk z<~AUC_JjMnX@CF1wm`0v9mW_S__<;&RM)FWlXEjusXMQwjlC;fvJP{7c;Ig3kjCd` zv&9;1SiswLh{n*JM)!IZcJ?(1h(GX>Rik?_03ze6>Up1g4jv@?np9Mg?#8I%<7`G|E(d 
zL^t!YDyZT!Yq{C#OSh)_p)nM-YlX&Re&h+f6;*d6WFKa0tfx6 z29Th@#M^%yxHCjMWM{3K#5pGkXNw<`B(hz-=be2`ODV<}nJjX!W&CYwQhlN@r?J#Z zA&4bp1^8oY0>lmQG@9?oTqgG83H4xn|FT`0dDiog!G-xScWEONjpHm8E?aj~^ zjFLZAtiCusrI92nC$Oa-C%0IxSw!|V-iNxTQ!;4l!aWsi5Cu*Uh#NYg zn+IC&RhCln>diO2oV{3}vvQHk$Uf44NK!#2vV^@X=u1h(HGck?)`J%uMUf@9TvR~{xCrk9qqIW%V&6OlZyrnV|8X(zPZa82Xqs&BKURCGD9oUfPY zy-i{6_nSTJX*lnMB}?{|Z@k$C81XSezTz{7)pU8BW73#0(P^n z{XR|3G4QOYg`8H8KY#TXalfGb-;~|Ip#2Nlzo7jK+W#-mt_l@eNTXY!RFQ@|GJUBM JZ14;h{s*i}5pw_l literal 0 HcmV?d00001 diff --git a/certServiceClient/src/test/resources/truststore.jks b/certServiceClient/src/test/resources/truststore.jks new file mode 100644 index 0000000000000000000000000000000000000000..2686690e2e242d855f20922ab78724cc93ac3dc0 GIT binary patch literal 1722 zcmV;r21WTWf(Et%0Ru3C25$xlDuzgg_YDCD0ic2gU<85&Trh$LSTKSHR0atuhDe6@ z4FLxRpn?WPFoFg_0s#Opf(AMU2`Yw2hW8Bt2LUiC1_~;MNQUs zWva=(13RFDjEhAT?g{#iws-#!kF$_@cjY_Ss+B@3Nl`f2MoK-yfSV8~bvPkOmJ`*M z&bZ6Jr|0I=;)KhL87BbDSe&7xK?#Xhdpbja=i%l5?hiXuQ3`4ouDS7|J+n|=V@K7w zd`|rc7!fj}{yX@J#_(fiAv~Xm@)89fN^op@xE0huydbK@fFG#q<3ST?8oc7+O+;>{rETrNBD+ z8#42or`A2%G(FG0omH=RDRJGjbABFhSXwri2?FI_-o5`0tyX#}Y{kO!c`h$3P2?e3 z^Z34~yeurQ_1{a9p}2Q#nt}vQg9d;AM4fJiXbi#|Mik2BjvfX%sJM81X^(OS4_r)Q zJLK|o2R)#!u%Udn9DB6a4RinYg*hT3869h*p$k$kYo;&tVC}RCJmhIAO&d6|?iP>Z z&64Q8!Bu5B=?(0V9LP=iA2`*KHO6u{df-3#Xi|>-@N+OowQJT@GwCYpvoF5(4a^Mf zIzLCbG(QTD0vm3Z(M`>e`260XU_>Ard6vdxuAhcHc!Vu7RD;J~oKd35iOc)_UL@qo z&TP)|5JDPDZ)SY;RH;ukCVqt{LvVfjl@9ALvqS-m8G_>D2hUz&{1Qntj*F-eMKkds zln3YdWFPnfykiGJNG#8fr*hGzw87{UUs#V9=zqO&3|y4;mSj&Q2fG*w{l`ZsG{M!Q zO&3neoy0?t?1qQp!+#fnDNqkyCBaS8h+Q-%5y6(@>-TC-H3zw3iD@x|+N_6ly_{Yh z8vp3Qiof;{)9pAcR3sQdBbgM^M{7PC!-w)V=+!Kd)mA;qAB#&}Uw=xz_a zJHVDrP#iO86EJIRT?hbQ3RKK$ObKg9I-v(03LCSn@p z397Vxwx0U%IBxeTKcd_%CdvI&%#t>ks=Gz1)jM^LMWcGqd=eW0vY| zJ1{;lAutIB1uG5%0vZJX1Qhc8s)OYT>Idd1-U$w}e&4UhGkpXU_0DOm?5&w>I=J%T QQ^Da~a+kS_0s{etphEmA+yDRo literal 0 HcmV?d00001 diff --git a/certs/Makefile b/certs/Makefile new file mode 100644 index 00000000..6d90f65f 
--- /dev/null +++ b/certs/Makefile 
@@ -0,0 +1,110 @@
+all: step_1 step_2 step_3 step_4 step_5 step_6 step_7 step_8 step_9 step_10 step_11 step_12 step_13 step_14 step_15
+.PHONY: all
+#Clear certificates
+clear:
+ @echo "Clear certificates"
+ rm certServiceClient-keystore.jks certServiceServer-keystore.jks root.crt truststore.jks certServiceServer-keystore.p12
+ @echo "#####done#####"
+
+#Generate root private and public keys
+step_1:
+ @echo "Generate root private and public keys"
+ keytool -genkeypair -v -alias root -keyalg RSA -keysize 4096 -validity 3650 -keystore root-keystore.jks \
+ -dname "CN=root.com, OU=Root Org, O=Root Company, L=Wroclaw, ST=Dolny Slask, C=PL" -keypass secret \
+ -storepass secret -ext BasicConstraints:critical="ca:true"
+ @echo "#####done#####"
+
+#Export public key as certificate
+step_2:
+ @echo "(Export public key as certificate)"
+ keytool -exportcert -alias root -keystore root-keystore.jks -storepass secret -file root.crt -rfc
+ @echo "#####done#####"
+
+#Self-signed root (import root certificate into truststore)
+step_3:
+ @echo "(Self-signed root (import root certificate into truststore))"
+ keytool -importcert -alias root -keystore truststore.jks -file root.crt -storepass secret -noprompt
+ @echo "#####done#####"
+
+#Generate certService's client private and public keys
+step_4:
+ @echo "Generate certService's client private and public keys"
+ keytool -genkeypair -v -alias certServiceClient -keyalg RSA -keysize 2048 -validity 730 \
+ -keystore certServiceClient-keystore.jks -storetype JKS \
+ -dname "CN=certServiceClient.com,OU=certServiceClient company,O=certServiceClient org,L=Wroclaw,ST=Dolny Slask,C=PL" \
+ -keypass secret -storepass secret
+ @echo "####done####"
+
+#Generate certificate signing request for certService's client
+step_5:
+ @echo "Generate certificate signing request for certService's client"
+ keytool -certreq -keystore certServiceClient-keystore.jks -alias certServiceClient -storepass secret -file certServiceClient.csr
+ @echo "####done####"
+
+#Sign certService's client certificate by root CA
+step_6:
+ @echo "Sign certService's client certificate by root CA"
+ keytool -gencert -v -keystore root-keystore.jks -storepass secret -alias root -infile certServiceClient.csr \
+ -outfile certServiceClientByRoot.crt -rfc -ext bc=0 -ext ExtendedkeyUsage="serverAuth,clientAuth"
+ @echo "####done####"
+
+#Import root certificate into client
+step_7:
+ @echo "Import root certificate into intermediate"
+ cat root.crt >> certServiceClientByRoot.crt
+ @echo "####done####"
+
+#Import signed certificate into certService's client
+step_8:
+ @echo "Import signed certificate into certService's client"
+ keytool -importcert -file certServiceClientByRoot.crt -destkeystore certServiceClient-keystore.jks -alias certServiceClient -storepass secret -noprompt
+ @echo "####done####"
+
+#Generate certService private and public keys
+step_9:
+ @echo "Generate certService private and public keys"
+ keytool -genkeypair -v -alias aaf-cert-service -keyalg RSA -keysize 2048 -validity 730 \
+ -keystore certServiceServer-keystore.jks -storetype JKS \
+ -dname "CN=aaf-cert-service,OU=certServiceServer company,O=certServiceServer org,L=Wroclaw,ST=Dolny Slask,C=PL" \
+ -keypass secret -storepass secret -ext BasicConstraints:critical="ca:false"
+ @echo "####done####"
+
+#Generate certificate signing request for certService
+step_10:
+ @echo "Generate certificate signing request for certService"
+ keytool -certreq -keystore certServiceServer-keystore.jks -alias aaf-cert-service -storepass secret -file certServiceServer.csr
+ @echo "####done####"
+
+#Sign certService certificate by root CA
+step_11:
+ @echo "Sign certService certificate by root CA"
+ keytool -gencert -v -keystore root-keystore.jks -storepass secret -alias root -infile certServiceServer.csr \
+ -outfile certServiceServerByRoot.crt -rfc -ext bc=0 -ext ExtendedkeyUsage="serverAuth,clientAuth" \
+ -ext SubjectAlternativeName:="DNS:aaf-cert-service,DNS:localhost"
+ @echo "####done####"
+
+#Import root certificate into server
+step_12:
+ @echo "Import root certificate into intermediate(server)"
+ cat root.crt >> certServiceServerByRoot.crt
+ @echo "####done####"
+
+#Import signed certificate into certService
+step_13:
+ @echo "Import signed certificate into certService"
+ keytool -importcert -file certServiceServerByRoot.crt -destkeystore certServiceServer-keystore.jks -alias aaf-cert-service \
+ -storepass secret -noprompt
+ @echo "####done####"
+
+#Convert certServiceServer-keystore(.jks) to PCKS12 format(.p12)
+step_14:
+ @echo "Convert certServiceServer-keystore(.jks) to PCKS12 format(.p12)"
+ keytool -importkeystore -srckeystore certServiceServer-keystore.jks -srcstorepass secret \
+ -destkeystore certServiceServer-keystore.p12 -deststoretype PKCS12 -deststorepass secret
+ @echo "#####done#####"
+
+#Clear unused certificates
+step_15:
+ @echo "Clear unused certificates"
+ rm certServiceClientByRoot.crt certServiceClient.csr root-keystore.jks certServiceServerByRoot.crt certServiceServer.csr
+ @echo "#####done#####"
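Review bot: Every keytool call from step_1 to step_14 hard-codes `secret` as both -keypass and -storepass, and the keystores these recipes produce are committed in the same patch (the certs/*.jks and .p12 binary sections), so the password protects nothing once the repository is readable; hoist it into `STOREPASS ?= secret` at the top and reference `$(STOREPASS)` in each recipe so a deployment can override it without editing fifteen targets. The `clear` target calls `rm` without `-f`, so it aborts at the first file that is already gone instead of removing the rest; `rm -f` is the usual form for a clean target. step_6 and step_11 both sign with `-ext ExtendedkeyUsage="serverAuth,clientAuth"`, which makes the client certificate valid for server authentication as well; if the client only ever authenticates itself, issuing it with `clientAuth` alone is the least-privilege choice. The echo in step_7 says "into intermediate" although the comment and the command append the root certificate to the client chain; `@echo "Import root certificate into client"` would match the target.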
diff --git a/certs/certServiceClient-keystore.jks b/certs/certServiceClient-keystore.jks new file mode 100644 index 0000000000000000000000000000000000000000..f24908c55dbb0abb8d38450f0c7c42b03dbfb369 GIT binary patch literal 4087 zcmc(hXH-+&(#KP2p$AZqUJW$?B?b_bDhkqjl_o6&L+=ozC?L{{f)puIg3_c&6B|XE z2+~175TrK=B5%~^z3W-`xu5Qr`(dwhX7;RE|1)RyZ}!i%pKAaB07PEE-;2rK5%2Bg zi1&4|ceHnRarE#e@7z){sB#AYpdcgx@)Jo zr5vZ~)Ec+#q~$E%u=3POLAF~~XFjJ)N96&?VcX(nTV@&%(4iWx{w00J>`|5I7kdl_ z{RH~$!HK?m)H+y)Z-jI)%~kt7@G?O~^;{{psCerzdK`o@QE6TU6JhH*^ zD5IO{qhCdNh=1Y16UtxmNg8V?Mm{TbA?TH?=?JH|M1o0 zLw_LRU!7KQnLAu_)3T{qu?miL@JntQM`D@^Lm>*&M_?+VJfxG-N%>zTxtJB zyx5~hs(RP@{ewL1oLa7aQ2)@i^p~$K7<@m5Q-d zTD+XX7p4+=H<>(HKgVHtsBEBRD){!&ZcC=54fMG5xfr4lr;Gz5%@p@)2Vx}c70D~0 z#&)MN(ar6iO18&WNg*$$p^{|EO3H#-g-Ky$j3wo_84<}xMgodw4AQO##KwGLaL(1^ zJ3tVf??#6Qs-c&&cZ+Y+W zIb$Oo5ZyUltA5uJr_F~zl<{0t-=qoeS-Kk@lS0fIww?s>}FPN@$ zWo-ys)%k9`Acmc*k$W-@)D6tC|1|rqGRObOQjfEa^0rZSl`wCf+|TbzD^ha2v8 z&X!PMw>4W&f4=D~2JOk6e+DF3w7=lU(w{$j-z!iS05TANAPJy_JTM3d0zsr`{jVYED5yoFuS6fv0fDsS2s{dg zq^1BHK`7uLT`d#~lKGcG1&68P+&uz#4cu>dxuF=zR3&>U;glwLoW1)EKNKqx{>wuH zr`5;dym?h{SkD_C0VpOU!!I`sPW9WZgTMLzE-;)5PmYwd$6=A&r|6`S$a6>;BnBlb zjWqvlqLI>nnaGH&|4tM)lJk!!)?Z`7;Ln&)`8_6habzj{NZvo{*#Egt*7f@f{>lM{ z|1-yL?F1nI-%CiIFkk|Zfm~@I4Tt~)0$S810$u2KqO`&^XuUobS%ykJG1HhMQ36U9 zZwkk{28WpBOP&e=-CQ!2_-cMMOuy5logyZ*!DYJ0!RChIzxoutrJeCiLN~Znm2Diy zyskjP#L#t4#6_pJf6tf*Xvu;d!7&O9!_fD2TleTAoxfMa_m%UQp=gY1qD!u0TRK?6 zCI_@SI2Tts6@qTeYm^;J7Qj2GU#vF^oT?DLmKZd-9F)BXS1>1_FSEc%&zii(G3idI%eYWnaFjVRLiq;CRa9 zo=ml?Yl_@C-QSJE1&2@}DS*He5DS%GfjR7I4WE@#^oh$m_Bsc9DS8sSDME#?20H;xhmedXJ!w2OB1R0Er zXY)>17>mTIs!(%bhdcQ-tPiM9=!M2=%U;I_y(_(3il8{qL0KBFQSy&W|74=`ea!x5 zEB)1e5`NmvGjDz8x?iho!$rm1TTku$FwK`l zO?UcB*E7Qa@!P&8?O7|GFV_4-hV8uVO&DlMSzrA#IssWZ+s6sLj&27(jcIBNP_rZT z)!O)|y38JNe?y)yp+GifD|nw))(toQc7XA=v1hpw{K) z{bKvnaQnX9%WwKCRP>4^6{7d0uRQ46qw1o_luZlSJY)QA;e4@O#Hp4Mml&Zcl(2~n zM+q9QF4(l!++Y0t#r44_vo^3?r zsODNU9@tfxJj*u9HvV-?Upai>(i3pX84p=@Lq1x=kM-Re<cY 
z9lcCEN52o#m$roT5#lMz3nwr}2KQ<3GhfK9R@|{LAAMj2SYP<^Na}EYZL|&tRnUK4 zHq_ckfof8I#T0&V>xtAPJ{f0Lpr)TnFB|S`QAxbG2l+4`PhH!yV^Ag=w|YgnbPdx-=Ee9`O9<8IXjx7uUc8}EVBH_` z3BbAyco=XgC!+I*Uj-LfXuz%eJxZq^GL!d}7`SEWD?l+<>`)-&H zX_gP`Hx5xd=-_0VTBMp(upQoXg7eN{fuGb1_bp}wcoiev5ZMFVN<4a^)RkPT6-<;& zRvozb(xnTHwg-(`yl!%z7&dW-R^v@hPj`e!EidA3*Vq(IBaC?=9Fw13$Mgmp1~yBJ zobu8tJ_^QoCZ8_7A1@;!{hm8{k6k>gxrY<3+-45AYQFd62x=g-0id+2Ej2NC z;dQptL4!>I8-?hMSCnG5ye2ogJ{Z%SE-D&CnVlD_`c}eRnBA+pLnJI0;_^7C;sh`q zRhi$!j8+JWO2nIYYza<~!u{OBtB4XtJfd959^RU5Q^UHnbU{0en>Nk1yFM0u?Mqae z0%0iV*$184b1|{bm*C#u_sMs71K~9{4HDIV%Ci(h3^y|pid9Vk&F97v?y!GX16Rgf zT9mEs`8FByqVnRI%OV!qTJp9`>gs;Jv5Jb^%N41t({F>c)*;My*Pggp1VUmq9u{@Q z%MoYh8#q7Jc9t-Y4Ty5u&p96{Y$Vs76)%pA=nml`3FgsFrKG17fA&or&v@;4k?Bw- zrt@6PfVI4~$e^E2YlGH_GOJxz)5ay@w)B+x$9VP<=VB6qXaNOnWn8o>3#e#oK^#?1=LW_^l+7Ze z$^tkjQ48w<8tk@X8zl!zuazFHxeBA5$vlktp)?TwS1W?0p3&rS>f5xZ&FvURbrp6) z{`Nq)d8f)p-b9f1l;Da> zJ*_@9a4;TvW3Iq8Zr53~ zQgFAR|8ix`O>dn5Wy9k32=4n5sH2RWt`mae!4J~n&*?qOkwyCJrdBdQV&;1tfAgjN zNBRbtDen?tVFP)gbEXI1Mt}A(gm?p?I-g9z?^eE3`r`ebS}Tk5hL#VPOnha2gBZ1X zFzu-@f7H^PGq=kYP~!UWN`la38pVTwbI?_)mz!vzNSWI+=fk;#n@*`)Z}h*8aZ;Gt zuzL4l_*f`4=lGr=XsSB=vZ{f8wV~^zaWm{dNRfDVLcvbB-?x&#Sm6%cJH|wXH>HgR zDDl?JyLoS=Ey?cPv=8>Y@^MP?@FAUTP>6KUi=p{GgWjxIQL|xXwq&89XLC`;OJ?eJyBhOvm_b-lq<7XzBq%h0~=1%7RNA=X`7E!?B)-$=r;@U{g(p z@4VOs+ZG`U_PS|`q+C8Wu+n_xlY?WY;6RnV>SO#RBoTvIl8%U|%w1MA%ix+tT!-5l zy`(ZX@Eo3#F@ zOE&xQl!n`hJ=N^sFnPD%Ph`a{!q9f8ouVJn5IfhJcm)Amxl`d#HBgbP&0ktR%vxtE z#^#Zee4@WP@?b^HK*OTpuE-CIJ`7K=9|M!{ad-aS@@izZ<;MB1?8L{t)*p$QYT0P{ z*y~dcMGPmqgs14QlaO{%sHLBGvy~>NSUDcQ>xJ|_oK5h#gi$k z!TndnZ&s4oNXf&LNk9~VVabGGSTHRC3<82c5G$227Z@Eml~|lX+#VeeNJ|EQq2M$y zDsr$Dgd7SoGlsLkn9mGKD2*=C$1jB6!p9}R8_r0gD#=R$rMQkly85^T!C7I@GY>VC z)*OjM^XnjeZ@c(~z?onSXKorO@l*hkaU??Su6e;D3^o8-U)5*YKaxht#GF(AM z=EiSR5hn956BeEE|4WJw#`7mB)-#2$_#+T!9RkIVB&8w%f-1rGa6A0)MR@NnF5KAOnEprv_nxKtO(9WIT0+by+2p{tA1+MM*d)Il$;bK=I7j z(V$WB@-1Kdqq5|uEz$*ph63MQOZBXTv^34x5jeD}?uTvAT6)TiMj`#S!&kOFhw*iv 
z?Y9Zq^d;K2dgKkam7CmK{Mz-diOD6XI#Ibk)N^98{CT5^dcyx`Uuz#4n7Rho`_mXOX8 zi$onS7uVFCEU_t==-DtypHCs@V7%DBl^RRsgLHNA@k9ooe{U#WD1;J5P6`JB0kCst za|IzBFt#WbT!ww>YU!tq`sc4>SMVUS>r7PTf8H$&VS}-dQK+V;Kku->_MsdE-ymWoOyrnjkz*IweigrH7bH;Kc5|3!>+x5NulE9_2zN) z3!xSSHdhHz21d|m!B1E;8EQnDafS&NUAhnWEGC2#$Q;Nbkq#D{e8?38qO`up3Ewt> zKTb|KSUk2m$t;+5Nu;j8q{Fnlp1MbOVY^nJF`*Et7_W03G4VMXDLpv8IW5t}B3FbV zJk-HWPxC;!!NqcXVXBjkheX>3L{n(fXW!P-THh;}4GPhqS`^b*24DgGE6r+b&;MAW zr{w;L0?`!XQZ9IrM^YRuRr!Ycz6K(-l4UP~;_#v8KzH#F+rg>ImtVGgC(KpZSESBA zqfg$jZg{DW;V>Nw1^|e+9cC&O^`{4?!dzl1|k< z;>Lhf`M8^PMZFO2)oNr+-ZiCLj)R?&uXvZOhj(;lMA*jJran)aYex-h6@k;a{S-JY z&(m6t)%59?$h>$YDjdelz$cM~4S5L6R9q{Uqu-@5m$8QoVUx&93Z|8vCBW$o9=hIc89PjJH;p(RevZ6P}vmkFzynuu1pO_q1e7G zmAsg_(;C5hssmRK;$s!(%C}u(Ush-yf&>_(nit;@ewO#s%lok3mG7jrLQ*7&Y(p@l|&nquh6Pe`bkGVtOfltp(4zofcds;&F%L1ZM{>l?b6mj=i0PM zAJ6pb@>l^T_Moj(@N)uV;z4ob)herWMS({j$goKp{q`9sd+x7WZ*0E((F2mw|3wY{ zPhg+j8F-;*YCr}9le+&paK904KjdOFVpuY2UOz(Rb``16@LIY-$F~hlC$#7p89Jd? zuxmFb$gdIOEs7uJ(>!-gjH--xqm+q)$)OFI^kP-1-g&RynBQAvf?*4J;4szTUhzZt z@O9Ju*h;6uSy5|#2-nO+SNuSjWoVDLn0yzq zccRKdgjjB6;fT66fJV7V+&#|y%iyy6TFVNr`oGMCHUhpPIV{HG`pNT1?OR%vhy*bv zx-XpfP>4YHF+KAkaUn2yDys{j&U7Ff-ys)2?5JvT@m<~rk3ZPuH;4d1lNzsr2o m8%yGR?nyipEw>{BZI|Y0tP0V^dl-<37K`(JI4p*!e)%UQHr2)e literal 0 HcmV?d00001 
diff --git a/certs/certServiceServer-keystore.p12 b/certs/certServiceServer-keystore.p12 new file mode 100644 index 0000000000000000000000000000000000000000..2106c817efbe3c69fc3ad4970fde274e24d9018d GIT binary patch literal 4691 zcmY+EbyO6Lw#8?Np*tNykgks*hEN)$8>EC8=`LvyfdPh)lA%$$kq+rbaOjXuK}5Pc zp7*Zz?p<%4b=KKypR>=OKL~G=L6GBu@VJr6$V(z14loBnc8!G~JBJ|1jv)x_ z!2h?xcELhmJN&h6{?_)G&5?+F~tQ5RjRS0n0TZfd69cjFt{ z+R!u`D!(t48`0oa8y*%JA2h=@h|QF{;bos}D(K_((??yfX8bH-5T>K+rzH`!d*X>& zo|Tqq^PpLE559UR0ZRa?S!?IL=Y?W7DZC3C*Q~UBHL5!`* zb4Ee_ES1lBjU(BW+@Y;rj>#`5M%qc2o;Qt8hddS9%;F$Sp&&YN16oX>b3gHd)0c=A zaM_ivjlsEjU}Y7wN@(*6%EAQ)wM}qq-n_OP?Fe{_RlqjrUP5;5-I}iTJuglpq2SuD zyU6ZS9xVWM(ZO`WS(|Jbo?w(TR#cWhO5*j>_>l+q&>uPV+1W{ms!)EnuLy6%0 z=6Yz2_@WZ+Ah8(Rd|G`9_sUrxR}8xssDRT0nS<5L@G@ zMaFX9JM1~66(a=%@fc}Y|Fk*dwV8FT`trx0i9Y&l z4+?McVW$mZTwAgytADhev@8cl+|w}Y(%KJppMeBx@4+*<&uhf zP5}NwTTbX@nIq#miIZNmu2!3iz2D$%Q~;@bLQ6=N|J%6IO$vDtDl%rF*QX@*y(sFt z`G=qi90O0J4%&~Ky(r{4qepFzzeerr@WK&!1f9Cr8GGO2LWBP?v}}yZT-Ky;z6NP| ziM3bws5~W(IFKsV=}C+f-MzTB&D{D0I1{foM20#drGis$&(KLe!4t=|yh zzfKeUH+6#%gtU2%4f`P6Sh5=VsZNqNzZ(JtCIj>QMIAejF|&hr z@#(Vz7zKL?Vuk!!G*&?r(a}6|J}l}UE4PEsL%_3%>cNo&20;6gq0!>8-y8v`c|@_& z`*;FqC@wOY)|tN|ofLQW%U953w3u~hFN*>5aHS~Mo%5scVpR0bcN^uJXg1z-yxX6~ z36Ztq!in^L`@~dn#cmv}2db&$S&_D6k%}5}osFa>NObf>vs@SIog$cRuB-o!EV#~7 zwMT3t^P?dtZ3~aSJT>m3?dwxV0li(SH@lI?if{rvTwt2rmyu>!2BWH{K}>Xg#A#X+ zKC+r7t;%@~jn?J;aqYG?+$k444Y4O4o9fATQ6}<)`Q!>%XQ(--F_2uYSf+?(vM*+W zoK#@5U003Q#BrF;%jZo zlUcwx}QxO z?>RbDe37!-q-*$33TX%)>L?WjtL63)`9u%MaGNYICo2(Olc{A``ZAd@%A~n6iFk>p zcbXWOgiBTBPNV&2LaWI6@%TFe$7au?BNX@pqr2p`F3xZlXutq(hLMfPpb(Hf?evb} zDa=*x6Vq>@U(Z(xhVEG7>)o{F7z{_q(-n7ujZP;*{HhINNW&kzYRVLO_?k&UU4`U1 zXk%d4h9H^EJ^^+Ul>0}hFWaKHtM_HA_omH5&)W2YT7*YS5|X}tJLH2ZCakI`lf*xl z>71U9%k$w(M1zv7DbvYZ^ASu|ng7lZQn)h>TeF?juSq6I9Hz;MQ~@_>93_Y$^Mh=nSWT>vz}a zvT6-kv4tIq-<(p~Dnp+K-Y(omM+y{tzyh&;u7>)!@jNnzf~Qph?O{x*7t>)X-Go5M zSP%suPm_YG^%;hlldIy`oX^kYP+L!+fA0}MaS7+0_en)A2TgX~QAbPd9p5r%941X9 
zXbCkMk0XN4plrfPene*_xQ4j1u<-sM643INvBGU+HztYa4KCj}9P_GAKVxE(SR{QI zs^_7|8@9nQRFlK{nt@emB5YooxIP_IP=~o)t@A{Me}(rTLxpbx_vBt%tq_q8CY@I89807@gH@GmZ)M zxJanb#HTAuRL|%9hE7lqYs$KTM47w5P5;_4JCz~+##A!vAL&Nzo0j56?WnH&m+m-; zy}(cKS8|HzN(z-?4tyons{7jT!Kd3i8sgFqEC!|WG-CwJW{_nvuAx~YXh@BZPX1zI zt7K^cAewsSQ+*ap>Hc0C7_g1QK4O12k9!`F&vm~kR)9~TM61_wFU}66g?#Sw^yhaV z?E123`PpnVl<~Wx_aQ&&X;^3Iut)A?2Aik;a3#nKye!K=pi4^X@q&mm6n#Uz=tP|N zPO!8g+z4T;x*o(sfqPTQ@-mfNVdwN1Q&>rwgEy!_R|Vzr(FB-9udvwY_X|ODb(*GW z<);&LH|Y@igj3dV%US`-PFG>s$=j?}qe|R4X&eFDyW+y+$j`Ko-%bzU3xMTHWS{2{ zYvFgdoqe!h-qBF@7G=46SGV45B(Zr)C7+Dj#Kk*&|1Rk`D(OZ}l2-ewh^C-HMX$|& zbW#$3?w?YhexUu9pK-z5Tdyyw?N;!zvFCXKN<93wZ091}JTwdKgz8Ujjx>s<^d&`Y@YB=muG}dW*LEnqPT9I@Zy1Vv3=OW)NUf~E$dZF8L0Vyb4?7ci zdxe9z$EAUe;m9!@>#r?Z5*R*Vj^b-SX&7&xxtjWl0bm&~(MLt+r)=9nGJ=7VyJxHs zc3xyw>8vUGihy4<{*W{ab?}Kab&x>e0L2(rr&%)=YEc-jFwa)dFSwug zhNY(R>NMFaKE*NZ*0}kg1-D!5LKQzMoXs1pC+QNVFwb${lS4B(ryV`F53$|S38+dj zA6HFEN54Ny{osu={l49(nr-g7R>K!x$Gt<218UPNzju#A>LG;bLU{|tje6`%DEt+@XR~dfW8Xg=+HK-(v45NTd zNXMv)agSJ{vmgOX{oZNQoB|YjUyF z)$z5Y(uEia zvinT4cOkG%NMVxsO>_Al3-!+_HjnuO`|+~GXCLu{3KH${=@Z;8=X|wAYZ7lJ(wArZ zm-(v7i0WSO(uTNre(1tZV`&p{ni=kr2U$59#;OcQn*~Dx)N$f8V7ryy&UFBfn%}u)hQG1Pz z$CLzH68Qm%>SL>{L=hAnz1&G?Nm!VslLE;Uy8z!9XN*d>2Ox~#cGynrmboJ?CIMOxb!QQ>pUU4mxEIwxGQ4Md;Pq^hG0i&9Hv>9Py z9B{BU4Ow_`o4oU;h9+C+P9f5jB+WxC%IM6HnJv8{En=(|->Ta#Xzk>zJpYSyy==q+ z9IVFT)jIJ2mb3WcA0aJb$;HUrRI{J6!oX%8h%)_FP!q?_$tMqyf-pnyK-fIQm>6Je z02XDUY!@-SP?@HUY9J0UBC*%R32?!ptiyX{eArQ{^@ctypQ2dILbFIm0s{cUP=JC40BLgQX&X64bt^`=;ZL35U~(9Z_LPX-M|$kk zIoj|Jy6L0|FSQfi{gK4#mGQteW3pe6+F8<2cbeA->1Ty^{zQ8;4K-4u^WvqJrF@8z z#?#Ypm^ZR!;5cn=O3AVVWN&Dq2>Da*C!y2Y>@5_>X z-b>Fh7-g%NM=Gx$YrpjbCM(O@!u4L{<8{_SN6P+oX*Yo5_e&8$pX_;z%UwH!Qqur- zfFH^euHMe$s2`9-uM#$0LLCbFuc=J_1`siZf?yLq;@uRY`0dV^8fu6b%>0}{Hu3{P z2L}z+%haiv?}kF`);igKk3X=187f&Ze^-6PHi13(FHP|qnF+kVLP=FRbw-tLsbua} z@tI;ud5QfmaPVSzp%kD7?wl%}*QN|#q@51NTeu_lT#JD5tn>wrTt%Him9~L$qpd)c z$C$1!acema-IgwuU$(6DXxIzKoaCvit$^PjPjLNu9IbdRVZN#Uh(uVQ46iwT;_ 
zrt+5+3ujsW66UB18nI5MN9rg>E-aGG9zI_BV9mYvhx`E{n75dj3bw$lwZH6(0y|>k z%(&#oZt%z4AJwro^&@z3eA)dtg%yXcwiu51Upri5dSgvgo1%aqA-XP+L!fJbX9sJ0 zONi>soUGN^alyFQuSx&m%USJ4C?#_n3Z56hAm03zf<&YO${bRtpMkCK6t~U zKtO<=Wb2mz9i2yxZl>vkv~ybLQu8hy`+>UNB3Idy=h69G6pW+TARD~lDoCu3bi3AR z3_bQejE|3yfk`WX1>%9v%m3?YL@h*buBv2F%=7| zL@!G)TTrb|bGGN=*5kVd{DNnS&|)EG%(5&8b(PX1runA0teg4-7pO2e;r-n?GL=b0 z)KAd3Jjz89+96xmuN6D74lkfFwWtL-p0EFXIT>0J($V{pjwP5r>lU9-=@+P!9vv$SNjP4MHiOML&wy0I=QlvKVjqK zc}vl{4>&KTnPszsmSxH18A9~@H4t#XVWOMg|NPW+S~o;oTl{&|?a`?DG#9ZInr-oq zFa(lwqI8wuvlidHkqz-Zx}Nfsg?es9AIke6i{q%X}sVBYF8}4sVMndU4o<~KBh}jtqbC?LKWisocXtz z1DZ=5bG(L?jO!Pky-Nfcs+@$+Gfz_bT9Zqb&#=62QOB-lj=}MUC(PY{f3uJaE)|{L zs#poq360)fs*}wSPF(Ii!0>yA{6vO0lwGeMtW{r2v}*ZTc;ZZ<%uv96b5u;v{oQAr zB5D-l6jmD}+|ws-DniTNsL!t@0F{gyvP~uyhc?YFUS1d38p5^eXiR05+A1)@If`R7 zRD@mKEX+D#t5IGicj|0oZjGIiU@txqrlr@UP zlT`dcc%YWfKG<}8mJxDCe29{L6xa*JGQ7wl+=9#N#H_cy%Jpg_T&acPT!wN&7r;%~ zmEu;r4ATUxjy-KRN4ek+`fb!&(@6d2_Bm^5NYtM(%Ds+LQ;txJg%jtK1gQgm@Gwy- z_<-Kq-9RO5P)MRt?-Y#s!WVc3fTJW7r; zWISUGyx$uE0cyLM6c?8e0gv_wVo`>j)7qqR&lC1GyAeqg?F2hp;>0FjagQ`$ZITho zW^kF`bp>*mijsvTF^!H&Y+|}A@Oy-31%A3fr3WS!?))Hdp3q5E>0d1-K7OmNO9~gQ zL@+)uAutIB1uG5%0vZJX1Qe}2gt$9yT?9O?#L{Xxzkq;%Sr`Nqyd%}a`dA2ua^S-L QP+N65HcJ*|0s{etpglA>RsaA1 literal 0 HcmV?d00001 diff --git a/compose-resources/client-configuration.env b/compose-resources/client-configuration.env index e79aa618..bc62f1f7 100644 --- a/compose-resources/client-configuration.env +++ b/compose-resources/client-configuration.env @@ -1,6 +1,6 @@ #Client envs -REQUEST_URL=http://aafcert-service:8080/v1/certificate/ -REQUEST_TIMEOUT=1000 +REQUEST_URL=https://aaf-cert-service:8443/v1/certificate/ +REQUEST_TIMEOUT=10000 OUTPUT_PATH=/var/certs CA_NAME=RA #Csr config envs 
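Review bot: REQUEST_TIMEOUT is raised from 1000 to 10000 in the same hunk that switches REQUEST_URL to https on 8443, with nothing saying why the TLS move needs a tenfold timeout; a one-line comment above it stating the unit and the reason would keep the next maintainer from treating it as an accidental change and reverting it. The new URL also disagrees with the docs/sections/configuration.rst hunk later in this patch, which still documents `http://aaf-cert-service:8080/v1/certificate/` for the same client; one of the two should change so the documented client configuration matches what the compose setup actually uses.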
@@ -11,4 +11,8 @@ LOCATION=San-Francisco
 STATE=California
 COUNTRY=US
 SANS=example.org
-
+#Tls config envs
+KEYSTORE_PATH=/etc/onap/aaf/certservice/certs/certServiceClient-keystore.jks
+KEYSTORE_PASSWORD=secret
+TRUSTSTORE_PATH=/etc/onap/aaf/certservice/certs/truststore.jks
+TRUSTSTORE_PASSWORD=secret
diff --git a/docker-compose.yml b/docker-compose.yml
index 851ad317..1ce8ed48 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -18,16 +18,25 @@ services: networks: - certservice - certservice: + aaf-cert-service: image: onap/org.onap.aaf.certservice.aaf-certservice-api:latest - container_name: aafcert-service volumes: - ./certService/helm/aaf-cert-service/resources/cmpServers.json:/etc/onap/aaf/certservice/cmpServers.json + - ./certs/truststore.jks:/etc/onap/aaf/certservice/certs/truststore.jks + - ./certs/root.crt:/etc/onap/aaf/certservice/certs/root.crt + - ./certs/certServiceServer-keystore.jks:/etc/onap/aaf/certservice/certs/certServiceServer-keystore.jks + - ./certs/certServiceServer-keystore.p12:/etc/onap/aaf/certservice/certs/certServiceServer-keystore.p12 + container_name: aafcert-service ports: - - "8080:8080" + - "8443:8443" depends_on: ejbca: condition: service_healthy + healthcheck: + test: ["CMD-SHELL", "curl https://localhost:8443/actuator/health --cacert /etc/onap/aaf/certservice/certs/root.crt --cert-type p12 --cert /etc/onap/aaf/certservice/certs/certServiceServer-keystore.p12 --pass secret"] + interval: 10s + timeout: 3s + retries: 15 networks: - certservice
diff --git a/docs/sections/configuration.rst b/docs/sections/configuration.rst
index d49c86bd..d77a2da0 100644
--- a/docs/sections/configuration.rst
+++ b/docs/sections/configuration.rst
@@ -20,7 +20,7 @@ Certification Service Client image: .. code-block:: #Client envs - REQUEST_URL=http://aaf-cert-service-service:8080/v1/certificate/ + REQUEST_URL=http://aaf-cert-service:8080/v1/certificate/ REQUEST_TIMEOUT=1000 OUTPUT_PATH=/var/certs CA_NAME=RA
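Review bot: KEYSTORE_PASSWORD and TRUSTSTORE_PASSWORD are added in plaintext to a versioned env file, and they are the same `secret` that certs/Makefile bakes into the committed keystores, so anyone who can read the repository also holds the client's private key material. For a local compose setup that may be acceptable, but the file should say so, e.g. `#Tls config envs (development keystores only - override in any shared environment)`, and the two password lines are better supplied from an untracked env file or a mounted secret than from this one.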
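Review bot: The healthcheck added to aaf-cert-service runs curl without `--fail`, so a non-2xx answer from /actuator/health still exits 0 and the container is reported healthy (assuming this is the Spring Boot actuator endpoint, which answers 503 when a component is DOWN); prefix the command with `curl --fail --silent --show-error` and keep the remaining arguments. The same command embeds `--pass secret` in the compose file, where it is visible in `docker inspect` output and in the container's process list every 10s; reading it from an environment variable or a secret file keeps the password in one place. The hunk also removes `container_name: aafcert-service` and re-adds it after the volumes list, a pure reordering that only enlarges the diff.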
@@ -77,7 +77,7 @@ Example deployment:
 imagePullPolicy: Always
 env:
 - name: REQUEST_URL
- value: http://aaf-cert-service-service:8080/v1/certificate/
+ value: http://aaf-cert-service:8080/v1/certificate/
 - name: REQUEST_TIMEOUT
 value: "1000"
 - name: OUTPUT_PATH
diff --git a/pom.xml b/pom.xml
index 9780c8f9..8698a281 100644
--- a/pom.xml
+++ b/pom.xml
@@ -114,18 +114,6 @@ repackage - - pre-integration-test - - start - - - - post-integration-test - - stop - - -- 2.16.6