From: Taka Cho Date: Tue, 11 Jun 2019 21:04:50 +0000 (-0400) Subject: move http to https X-Git-Tag: 1.6.2~11 X-Git-Url: https://gerrit.onap.org/r/gitweb?p=appc%2Fdeployment.git;a=commitdiff_plain;h=d3f590c87f20a26272cbaf9d6fde1dcc2e7466b8 move http to https use jetty to move to https Issue-ID: APPC-1573 Change-Id: I814e8159d39f7e09cfbfcf5a314a1909774486cc Signed-off-by: Taka Cho --- diff --git a/docker-compose/docker-compose.yml b/docker-compose/docker-compose.yml index 706465b..b5f0506 100644 --- a/docker-compose/docker-compose.yml +++ b/docker-compose/docker-compose.yml @@ -72,6 +72,7 @@ services: container_name: appc_controller_container entrypoint: ["/opt/onap/appc/bin/startODL.sh"] ports: + - "8443:8443" - "8282:8181" - "1830:1830" - "9090:9191" diff --git a/installation/appc/pom.xml b/installation/appc/pom.xml index 82c3d14..6c5378d 100644 --- a/installation/appc/pom.xml +++ b/installation/appc/pom.xml @@ -112,11 +112,13 @@ limitations under the License. src/main/resources + keystore *.dump *.sh *.cfg *.xml *.json + *.properties false @@ -359,11 +361,13 @@ limitations under the License. src/main/resources + keystore *.dump *.sh *.cfg *.xml *.json + *.properties false diff --git a/installation/appc/src/main/resources/custom.properties b/installation/appc/src/main/resources/custom.properties new file mode 100644 index 0000000..ebfaf8e --- /dev/null +++ b/installation/appc/src/main/resources/custom.properties 
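Review bot: The commit title says "move http to https", but the ports list in the docker-compose hunk still publishes the plain-HTTP listener with `- "8282:8181"` right under the new `- "8443:8443"`, so the controller stays reachable over cleartext and this is an addition, not a move. If a move is intended, drop the 8181 mapping here or disable the non-TLS listener in the Karaf/Pax Web configuration (the new custom.properties only sets `org.osgi.service.http.secure.enabled=true`); if both listeners are wanted during a transition, the description should say so. The two pom.xml hunks are too garbled in this rendering to review beyond noting that they appear to add `keystore` and `*.properties` to the packaged resources.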
@@ -0,0 +1,88 @@ +# Extra packages to import from the boot class loader +org.osgi.framework.system.packages.extra=org.apache.karaf.branding,sun.reflect,sun.reflect.misc,sun.misc,sun.nio.ch,com.sun.media.sound,sun.net,sun.security.x509,com.sun.management + +# https://bugs.eclipse.org/bugs/show_bug.cgi?id=325578 +# Extend the framework to avoid the resources to be presented with +# a URL of type bundleresource: but to be presented as file: +osgi.hook.configurators.include=org.eclipse.virgo.kernel.equinox.extensions.hooks.ExtensionsHookConfigurator + +# Embedded Tomcat configuration File +org.eclipse.gemini.web.tomcat.config.path=configuration/tomcat-server.xml +org.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH=true + +# Use Equinox as default OSGi Framework Implementation +karaf.framework=equinox + +# Show a progress bar on startup and start the console when all bundles are up and running. +# (If you are in a hurry you can still type enter to start the shell faster.) +karaf.delay.console=true + +# Set security provider to BouncyCastle +org.apache.karaf.security.providers = org.bouncycastle.jce.provider.BouncyCastleProvider + +# We set this to false to disable the Aries BlueprintExtender from doing its orderly container +# shutdown so we can do it after the CSS has shut down all its modules. Otherwise Aries will +# shutdown blueprint containers when the karaf framework starts shutdown (ie when bundle 0 is +# stopped) which can cause failures on CSS module shutdown due to the core blueprint containers +# and services already being shut down. This setting can be removed when/if CSS is removed +# completely from ODL. 
+org.apache.aries.blueprint.preemptiveShutdown=false + +netconf.config.persister.active=1 + +netconf.config.persister.1.storageAdapterClass=org.opendaylight.controller.config.persist.storage.file.xml.XmlFileStorageAdapter +netconf.config.persister.1.properties.fileStorage=etc/opendaylight/current/controller.currentconfig.xml +netconf.config.persister.1.properties.numberOfBackups=1 + +# Container configuration +container.profile = Container + +# Connection manager configuration +connection.scheme = ANY_CONTROLLER_ONE_MASTER + +# TLS configuration +# To enable TLS, set secureChannelEnabled=true and specify the location of controller Java KeyStore and TrustStore files. +# The Java KeyStore contains controller's private key and certificate. The Java TrustStore contains the trusted certificate +# entries, including switches' Certification Authority (CA) certificates. For example, +# secureChannelEnabled=true +# controllerKeyStore=./configuration/ctlKeyStore +# controllerKeyStorePassword=xxxxxxxx (this password should match the password used for KeyStore generation and at least 6 characters) +# controllerTrustStore=./configuration/ctlTrustStore +# controllerTrustStorePassword=xxxxxxxx (this password should match the password used for TrustStore generation and at least 6 characters) + +secureChannelEnabled=false +controllerKeyStore= +controllerKeyStorePassword= +controllerTrustStore= +controllerTrustStorePassword= + +org.osgi.service.http.secure.enabled=true +org.osgi.service.http.port.secure=8443 +org.ops4j.pax.web.ssl.keystore=./etc/keystore +org.ops4j.pax.web.ssl.password=123456 +org.ops4j.pax.web.ssl.keypassword=123456 + +# User Manager configurations +enableStrongPasswordCheck = false + +#Jolokia configurations +#org.jolokia.listenForHttpService=false + +# Logging configuration for Tomcat-JUL logging +java.util.logging.config.file=configuration/tomcat-logging.properties + +#Hosttracker hostsdb key scheme setting +hosttracker.keyscheme=IP + +# LISP Flow Mapping 
configuration +# Enable merging RLOC sets received from different xTR-IDs for the same EID (default: false) +lisp.mappingMerge = false +# Enable the Solicit-Map-Request (SMR) mechanism (default: true) +lisp.smr = true +# Choose policy for Explicit Locator Path (ELP) handling +# There are three options: +# default: don't add or remove locator records, return mapping as-is +# both: keep the ELP, but add the next hop as a standalone non-LCAF locator with a lower priority +# replace: remove the ELP, add the next hop as a standalone non-LCAF locator +lisp.elpPolicy = default + diff --git a/installation/appc/src/main/resources/jetty.xml b/installation/appc/src/main/resources/jetty.xml new file mode 100644 index 0000000..cc80dff --- /dev/null +++ b/installation/appc/src/main/resources/jetty.xml @@ -0,0 +1,131 @@ + + + + + + + + + + + + + + + https + + + + 32768 + 8192 + 8192 + + + false + + false + 512 + + + + https + + + + 32768 + 8192 + 8192 + + + false + + false + 512 + + + + + + + + + + + + + + + + + + + + + + + + + + + + + jetty-default + + + + + + + + + + + + + + + karaf + karaf + + + org.apache.karaf.jaas.boot.principal.RolePrincipal + + + + + + + + + + default + karaf + + + org.apache.karaf.jaas.boot.principal.RolePrincipal + + + + + + + diff --git a/installation/appc/src/main/resources/keystore b/installation/appc/src/main/resources/keystore new file mode 100644 index 0000000..cd37a73 Binary files /dev/null and b/installation/appc/src/main/resources/keystore differ diff --git a/installation/appc/src/main/scripts/dockerInstall.sh b/installation/appc/src/main/scripts/dockerInstall.sh index 264e8d9..a35896d 100644 --- a/installation/appc/src/main/scripts/dockerInstall.sh +++ b/installation/appc/src/main/scripts/dockerInstall.sh 
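Review bot: `org.ops4j.pax.web.ssl.password=123456` and `org.ops4j.pax.web.ssl.keypassword=123456` commit a trivially guessable keystore password, and the same commit adds the binary `installation/appc/src/main/resources/keystore` that it unlocks, so the TLS private key every deployment presents on 8443 is available to anyone with read access to this repository and the HTTPS endpoint provides confidentiality against passive observers only, not server authentication. The keystore should be generated at build or install time (the dockerInstall.sh hunk is where it is copied into `${ODL_HOME}/etc/keystore`) and both passwords supplied from an environment variable or mounted secret instead of this file; the pom.xml hunks appear to add `keystore` and `*.properties` to the packaged resources, which would also ship these values in the release artifact. Since this file is copied wholesale from an OpenDaylight template, `enableStrongPasswordCheck = false` should be a deliberate choice documented with a comment rather than an inherited default.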
@@ -70,6 +70,11 @@
 echo "" >> $APPC_HOME/data/properties/appc.properties
 echo "Copying the aaa shiro configuration into opendaylight"
 cp ${APPC_HOME}/data/aaa-app-config.xml ${ODL_HOME}/etc/opendaylight/datastore/initial/config/aaa-app-config.xml
+echo "Copying jetty, keystore for https into opendalight"
+cp ${APPC_HOME}/data/jetty.xml ${ODL_HOME}/etc/jetty.xml
+cp ${APPC_HOME}/data/keystore ${ODL_HOME}/etc/keystore
+cp ${APPC_HOME}/data/custom.properties ${ODL_HOME}/etc/custom.properties
+
 echo "Stopping OpenDaylight and waiting for it to stop"
 ${ODL_HOME}/bin/stop
 #The karaf command will exit when odl shuts down. This is the most reliable way to wait for opendaylight to stop
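Review bot: The three new `cp` lines copy the TLS keystore and its configuration without checking for failure, so a missing or unreadable source file leaves the container starting with whatever jetty.xml or keystore was already in `${ODL_HOME}/etc` while the script carries on; unless the script runs under `set -e` (its header is outside this hunk), guard them, e.g. `cp ${APPC_HOME}/data/keystore ${ODL_HOME}/etc/keystore || exit 1`. The copied keystore also keeps default file permissions, so `chmod 600 ${ODL_HOME}/etc/keystore` after the copy limits who inside the image can read the private key. The new echo string misspells "opendaylight" as `opendalight`.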