```json
{
- "spring.datasource.cldsdb.url": "jdbc:mysql://anotherDB.onap.org:3306/cldsdb4?autoReconnect=true&connectTimeout=10000&socketTimeout=10000&retriesAllDown=3",
- "spring.datasource.cldsdb.username": "admin",
- "spring.datasource.cldsdb.password": "password"
+ "spring.datasource.url": "jdbc:mysql://anotherDB.onap.org:3306/cldsdb4?autoReconnect=true&connectTimeout=10000&socketTimeout=10000&retriesAllDown=3",
+ "spring.datasource.username": "admin",
+ "spring.datasource.password": "password"
"clamp.config.dcae.inventory.url": "http://dcaegen2.host:8080",
"clamp.config.dcae.dispatcher.url": "http://dcaegen2.host:8080",
A [docker-compose example file](extra/docker/clamp/docker-compose.yml) can be found under the [extra/docker/clamp/ folder](extra/docker/).
-Once the image has been built and is available locally, you can use the `docker-compose up` command to deploy a prepopullated database and a clamp instance available on [http://localhost:8080/designer/index.html](http://localhost:8080/designer/index.html).
+Once the image has been built and is available locally, you can use the `docker-compose up` command to deploy a prepopullated database and a clamp instance available on [https://localhost:3000](https://localhost:3000).
### Logs
-Clamp uses logback framework to generate logs. The logback.xml file cand be found under the [src/main/resources/ folder](src/main/resources).
+Clamp uses logback framework to generate logs. The logback.xml file can be found under the [src/main/resources/ folder](src/main/resources).
With the default log settings, all logs will be generated into console and into root.log file under the Clamp root folder. The root.log file is not allowed to be appended, thus restarting the clamp will result in cleaning of the old log files.
You can see the swagger definition for the jaxrs apis at `/restservices/clds/v1/openapi.json`
+## Clamp AAF - Renew Certificates
+- Connect to windriver with openvpn
+- create a folder aaf-renewal and go to it
+- create a file aaf.props with that content (or run the agent.sh script below, it will prompt you for values at first run)
+ VERSION=2.1.13
+ DOCKER_REPOSITORY=nexus3.onap.org:10001
+ HOSTNAME=
+ CONTAINER_NS=onap
+ AAF_FQDN=aaf-onap-test.osaaf.org
+ AAF_FQDN_IP=10.12.5.145
+ DEPLOY_FQI=deployer@people.osaaf.org
+ APP_FQDN=clamp
+ APP_FQI=clamp@clamp.onap.org
+ VOLUME=clamp_config
+ DRIVER=local
+ LATITUDE=10
+ LONGITUDE=10
+- wget -O agent.sh 'https://gerrit.onap.org/r/gitweb?p=aaf/authz.git;a=blob_plain;f=auth/docker/agent.sh;h=32910874e01ad13865510091ddd4ef9ae5966410;hb=refs/heads/elalto'
+- wget https://nexus.onap.org/content/repositories/releases/org/onap/aaf/authz/aaf-auth-cmd/2.1.13/aaf-auth-cmd-2.1.13-full.jar
+- bash agent.sh bash
+ It's going to ask some questions:
+ Password for deployer@people.osaaf.org: demo123456!
+ AAF Locator URL=https://aaf-onap-test.osaaf.org:8095
+ # If you do not know your Global Coordinates, we suggest bing.com/maps
+ cadi_latitude[0.000]=10.0
+ cadi_longitude[0.000]=10.0
+- Certs should created, you can get them in /var/lib/docker/volumes/clamp_config/_data/local
+ If you want to recreate the certs, you have to delete the docker volume (otherwise it will be re used) : docker volume rm clamp_config
+- wget https://nexus.onap.org/content/repositories/releases/org/onap/aaf/authz/aaf-cadi-aaf/2.1.13/aaf-cadi-aaf-2.1.13-full.jar
+- to encrypt or decrypt the store passwords: java -jar aaf-cadi-aaf-2.1.13-full.jar cadi digest changeit testos.key
+- you can also use the agent.sh script to decrypt the passwords, by running the showpass commands (see wiki below)
+- Extract private key from P12: 'openssl pkcs12 -in org.onap.clamp.p12 -nocerts -nodes > clamp.key'
+- Extract public certificate from P12: 'openssl pkcs12 -in org.onap.clamp.p12 -clcerts -nokeys > clamp.pem'
+- Extract CA certificate from P12: 'openssl pkcs12 -in org.onap.clamp.p12 -cacerts -nokeys -chain > ca-certs.pem'
+- reference wiki: https://wiki.onap.org/display/DW/AAF+Certificate+Management+for+Dummies
+- you need to place new clamp.key, clamp.pem and ca-certs.pem into src/main/resources/clds/aaf/ssl, this will be used by the FrontEnd
+- you need to replace the password of the generated keystore (clamp uses the p12 keystore), we want to keep the same demo password across release
+ to do so, you can use keytool to update the password and set it back to 'China in the Spring'
+ keytool -storepasswd -keystore ./org.onap.clamp.p12
+- this will prompt for the current keystore password (the one generated by the aaf script that you can get from the above)
+- you can then set it to 'China in the Spring'
+- once done, you can replace : org.onap.clamp.p12 into src/main/resources/clds/aaf
+- rebuild Clamp Docker containers, they should be updated with the renewed certificates
+
## Clamp Credentials
server.port=8443
server.ssl.key-store=classpath:/clds/aaf/org.onap.clamp.p12
-server.ssl.key-store-password=China in the Spring
-server.ssl.key-password=China in the Spring
+server.ssl.key-store-password=enc:WWCxchk4WGBNSvuzLq3MLjMs5ObRybJtts5AI0XD1Vc
+server.ssl.key-password=enc:WWCxchk4WGBNSvuzLq3MLjMs5ObRybJtts5AI0XD1Vc
server.ssl.key-store-type=PKCS12
server.ssl.key-alias=clamp@clamp.onap.org
+clamp.config.keyFile=classpath:/clds/aaf/org.onap.clamp.keyfile
server.ssl.client-auth=want
server.ssl.trust-store=classpath:/clds/aaf/truststoreONAPall.jks
-server.ssl.trust-store-password=changeit
-
+server.ssl.trust-store-password=enc:iDnPBBLq_EMidXlMa1FEuBR8TZzYxrCg66vq_XfLHdJ
server.http-to-https-redirection.port=8080
....
-spring.profiles.active=clamp-default,clamp-aaf-authentication,clamp-sdc-controller
+spring.profiles.active=clamp-default,clamp-aaf-authentication,clamp-sdc-controller-new,clamp-ssl-config
....
clamp.config.cadi.keyFile=classpath:/clds/aaf/org.onap.clamp.keyfile
clamp.config.cadi.cadiLoglevel=DEBUG
Passwords should be hashed using Bcrypt :
```
-# pip3 install bcrypt # if you don't have the bcrypt python lib installed, should be done once.
+# pip3 install --no-cache-dir bcrypt # if you don't have the bcrypt python lib installed, should be done once.
# python3 -c 'import bcrypt; print(bcrypt.hashpw("password".encode(), bcrypt.gensalt(rounds=10, prefix=b"2a")))'
```
--spring.config.name=application-noaaf
-to the jvm parameters. This file is available by default in the java classpath resource folder.
\ No newline at end of file
+to the jvm parameters. This file is available by default in the java classpath resource folder.
Code Review / clamp.git / blobdiff