From: Instrumental Date: Mon, 25 Mar 2019 14:35:07 +0000 (-0500) Subject: Add more Certficate Local docs X-Git-Tag: 2.1.11~22 X-Git-Url: https://gerrit.onap.org/r/gitweb?p=aaf%2Fauthz.git;a=commitdiff_plain;h=6e665cbd18279bc2636a25d98c129ad17ccddf31 Add more Certficate Local docs Issue-ID: AAF-795 Change-Id: I6c1eaf1c963cdc6eb67135a74cad474a1e8bb453 Signed-off-by: Instrumental --- diff --git a/docs/sections/configuration/AAF_4.1_config.rst b/docs/sections/configuration/AAF_4.1_config.rst index bac03317..ff9816a1 100644 --- a/docs/sections/configuration/AAF_4.1_config.rst +++ b/docs/sections/configuration/AAF_4.1_config.rst @@ -26,7 +26,10 @@ Prerequisites * For ONAP TEST, this means * Windriver VPN - * include "10.12.6.214 aaf-onap-test.osaaf.org" in your /etc/hosts or DNS + * include lastest IP of aaf-onap-test.osaaf.org" in your /etc/hosts or DNS + + * As of Mar 20, 2019, this is 10.12.5.145. + * For Writing to Volumes for Docker or K8s * Docker @@ -88,6 +91,66 @@ In your chosen directory :: The Agent will look for "aaf.props", and if it doesn't exist, or is missing information, it will ask for it. +IMPORTANT: When you are doing "LOCAL", you are creating a CERTIFICATE for your local Machine. Therefore, you need to AUTHORIZE this creation +by creating an "Artifact" as the OWNER of the Namespace (In ONAP Test, all the NSs are owned by "aaf_admin@people.osaaf.org") + + 1) Copy the out-of-the-box Artifact from the Credentials of your Namespace + + * In ONAP Test, as "aaf_admin", click https://aaf-onap-test.osaaf.org:8200/gui/ns + * Select the NS you are need a Certificate for (i.e. org.onap.aai) + * Select the Green "Cred Details" button in Credentials area + * Select "View All" on credential line + * Select the ONAP default FQDN line's "Details" button + * Select "Copy Artifact" Radio Button at Bottom, and enter YOUR MACHINE'S FQDN in the entry box that appears. + * Click "Copy" button + * Click "Artifacts Show" Breadcrumb. You should see your new entry. + + 2) Edit the new Artifact to match your Local Machine + + * Check the SANS. If it does not include the original FQDN, then add it. (Example, add "aai"). This is so this Certificate can be used by aai + inside of containers as well. + * Change the "Directory" to be the Local Directory you want to put your Local Certs in. + * Change the "O/S User" to be the O/S user that needs to access the Certificate (yours) + * Click on the Artifact types you want. "file" means PEM format private key and cert. "script" has ready-made O/S crontab and validation scripts + for auto-renewal of O/S based Services. We will do something different for containers. + * click "Update" + + 3) Be sure to validate this information with a "read" command on your target machine. + +<**Instructions**> - Commands you can do with agent.sh local: + +Note: There are some command line defaults, relating to ID from aaf.props and FQDN, if your local machine (uname -n) REPORTS the same name as your FQDN. +If it does not, you will need to explicitly set the command. Examples will use "aai" and local machine "mymachine.myco.com" + + read + Prints the Artifact information from Certificate Manager related to command. Generally, it's a good idea to Read to make sure things are setup + Example: ``$ bash agent.sh local read aai@aai.onap.org mymachine.myco.com`` + + place + Actually creates the Certificate Artifacts requested on disk, in the directory requested with the O/S User requested, etc. + Depending on what you asked for in the Artifact, you should see: + Example: ``$ bash agent.sh local place aai@aai.onap.org mymachine.myco.com`` + + | Writing to /private/tmp/onap + | Writing file /private/tmp/onap/org.onap.aai.keyfile + | Writing file /private/tmp/onap/org.onap.aai.crt + | Writing file /private/tmp/onap/org.onap.aai.key + | Writing file /private/tmp/onap/org.onap.aai.p12 + | Writing file /private/tmp/onap/org.onap.aai.trust.jks + | Writing file /private/tmp/onap/org.onap.aai.check.sh + | Writing file /private/tmp/onap/org.onap.aai.crontab.sh + | Creating new /private/tmp/onap/org.onap.aai.cred.props + | 2019-03-25T09:14:29.174-0500: Trans Info + | REMOTE Place Artifact 2743.9736ms + | Reconstitute Private Key 0.212454ms + | + + Focus on "Reconstitute Private Key"... if that isn't there, it didn't create + + showpass + Shows the passwords generated and used for the various artifacts that need them. Example org.onap.aai. will be generated with a password. + Example: ``$ bash agent.sh local showpass aai@aai.onap.org mymachine.myco.com`` + ======================= 'aaf.prop' Properties ======================= @@ -100,7 +163,7 @@ Query Tag Description DOCKER REPOSITORY DOCKER_REPOSITORY Defaults to current ONAP Repository CADI Version VERSION Defaults to current CADI (AAF) version AAF's FQDN AAF_FQDN PUBLIC Name for AAF. For ONAP Test, it is 'aaf-onap-test.osaaf.org' -AAF FQDN IP AAF_FQDN_IP If FQDN isn't actually found with DNS, you will have to enter the IP. For 'aaf-onap-test.osaaf.org', it is '10.12.6.214' +AAF FQDN IP AAF_FQDN_IP If FQDN isn't actually found with DNS, you will have to enter the IP. For 'aaf-onap-test.osaaf.org', as of March 20, 2019, it is '10.12.5.145' Deployer's FQI DEPLOY_FQI In a REAL system, this would be a person or process. For ONAP Testing, the id is 'deployer@people.osaaf.org' Deployer's PASSWORD DEPLOY_PASSWORD OPTIONAL!! REAL systems should not store passwords in clear text. For ONAP Testing, the password is 'demo123456!' App's Root FQDN APP_FQDN This will show up in the Cert Subject, make it the App Acronym. i.e 'clamp'