```json
{
- "spring.datasource.cldsdb.url": "jdbc:mysql://anotherDB.onap.org:3306/cldsdb4?autoReconnect=true&connectTimeout=10000&socketTimeout=10000&retriesAllDown=3",
- "spring.datasource.cldsdb.username": "admin",
- "spring.datasource.cldsdb.password": "password"
+ "spring.datasource.url": "jdbc:mysql://anotherDB.onap.org:3306/cldsdb4?autoReconnect=true&connectTimeout=10000&socketTimeout=10000&retriesAllDown=3",
+ "spring.datasource.username": "admin",
+ "spring.datasource.password": "password"
"clamp.config.dcae.inventory.url": "http://dcaegen2.host:8080",
"clamp.config.dcae.dispatcher.url": "http://dcaegen2.host:8080",
A [docker-compose example file](extra/docker/clamp/docker-compose.yml) can be found under the [extra/docker/clamp/ folder](extra/docker/).
-Once the image has been built and is available locally, you can use the `docker-compose up` command to deploy a prepopullated database and a clamp instance available on [http://localhost:8080/designer/index.html](http://localhost:8080/designer/index.html).
+Once the image has been built and is available locally, you can use the `docker-compose up` command to deploy a prepopullated database and a clamp instance available on [https://localhost:3000](https://localhost:3000).
### Logs
-Clamp uses logback framework to generate logs. The logback.xml file cand be found under the [src/main/resources/ folder](src/main/resources).
+Clamp uses logback framework to generate logs. The logback.xml file can be found under the [src/main/resources/ folder](src/main/resources).
With the default log settings, all logs will be generated into console and into root.log file under the Clamp root folder. The root.log file is not allowed to be appended, thus restarting the clamp will result in cleaning of the old log files.
You can see the swagger definition for the jaxrs apis at `/restservices/clds/v1/openapi.json`
+## Clamp AAF - Renew Certificates
+- Connect to windriver with openvpn
+- create a folder aaf-renewal and go to it
+- create a file aaf.props with that content (or run the agent.sh script below, it will prompt you for values at first run)
+ VERSION=2.1.13
+ DOCKER_REPOSITORY=nexus3.onap.org:10001
+ HOSTNAME=
+ CONTAINER_NS=onap
+ AAF_FQDN=aaf-onap-test.osaaf.org
+ AAF_FQDN_IP=10.12.5.145
+ DEPLOY_FQI=deployer@people.osaaf.org
+ APP_FQDN=clamp
+ APP_FQI=clamp@clamp.onap.org
+ VOLUME=clamp_config
+ DRIVER=local
+ LATITUDE=10
+ LONGITUDE=10
+- wget -O agent.sh 'https://gerrit.onap.org/r/gitweb?p=aaf/authz.git;a=blob_plain;f=auth/docker/agent.sh;h=32910874e01ad13865510091ddd4ef9ae5966410;hb=refs/heads/elalto'
+- wget https://nexus.onap.org/content/repositories/releases/org/onap/aaf/authz/aaf-auth-cmd/2.1.13/aaf-auth-cmd-2.1.13-full.jar
+- bash agent.sh bash
+ It's going to ask some questions:
+ Password for deployer@people.osaaf.org: demo123456!
+ AAF Locator URL=https://aaf-onap-test.osaaf.org:8095
+ # If you do not know your Global Coordinates, we suggest bing.com/maps
+ cadi_latitude[0.000]=10.0
+ cadi_longitude[0.000]=10.0
+- Certs should created, you can get them in /var/lib/docker/volumes/clamp_config/_data/local
+ If you want to recreate the certs, you have to delete the docker volume (otherwise it will be re used) : docker volume rm clamp_config
+- wget https://nexus.onap.org/content/repositories/releases/org/onap/aaf/authz/aaf-cadi-aaf/2.1.13/aaf-cadi-aaf-2.1.13-full.jar
+- to encrypt or decrypt the store passwords: java -jar aaf-cadi-aaf-2.1.13-full.jar cadi digest changeit testos.key
+- you can also use the agent.sh script to decrypt the passwords, by running the showpass commands (see wiki below)
+- Extract private key from P12: 'openssl pkcs12 -in org.onap.clamp.p12 -nocerts -nodes > clamp.key'
+- Extract public certificate from P12: 'openssl pkcs12 -in org.onap.clamp.p12 -clcerts -nokeys > clamp.pem'
+- Extract CA certificate from P12: 'openssl pkcs12 -in org.onap.clamp.p12 -cacerts -nokeys -chain > ca-certs.pem'
+- reference wiki: https://wiki.onap.org/display/DW/AAF+Certificate+Management+for+Dummies
+- you need to place new clamp.key, clamp.pem and ca-certs.pem into src/main/resources/clds/aaf/ssl, this will be used by the FrontEnd
+- you need to replace the password of the generated keystore (clamp uses the p12 keystore), we want to keep the same demo password across release
+ to do so, you can use keytool to update the password and set it back to 'China in the Spring'
+ keytool -storepasswd -keystore ./org.onap.clamp.p12
+- this will prompt for the current keystore password (the one generated by the aaf script that you can get from the above)
+- you can then set it to 'China in the Spring'
+- once done, you can replace : org.onap.clamp.p12 into src/main/resources/clds/aaf
+- rebuild Clamp Docker containers, they should be updated with the renewed certificates
+
## Clamp Credentials
server.port=8443
server.ssl.key-store=classpath:/clds/aaf/org.onap.clamp.p12
-server.ssl.key-store-password=34xqGdj]VnHothQ]5qCykV3X
-server.ssl.key-password=34xqGdj]VnHothQ]5qCykV3X
+server.ssl.key-store-password=enc:WWCxchk4WGBNSvuzLq3MLjMs5ObRybJtts5AI0XD1Vc
+server.ssl.key-password=enc:WWCxchk4WGBNSvuzLq3MLjMs5ObRybJtts5AI0XD1Vc
server.ssl.key-store-type=PKCS12
server.ssl.key-alias=clamp@clamp.onap.org
+clamp.config.keyFile=classpath:/clds/aaf/org.onap.clamp.keyfile
server.ssl.client-auth=want
server.ssl.trust-store=classpath:/clds/aaf/truststoreONAPall.jks
-server.ssl.trust-store-password=changeit
-
+server.ssl.trust-store-password=enc:iDnPBBLq_EMidXlMa1FEuBR8TZzYxrCg66vq_XfLHdJ
server.http-to-https-redirection.port=8080
....
-spring.profiles.active=clamp-default,clamp-aaf-authentication,clamp-sdc-controller
+spring.profiles.active=clamp-default,clamp-aaf-authentication,clamp-sdc-controller-new,clamp-ssl-config
....
clamp.config.cadi.keyFile=classpath:/clds/aaf/org.onap.clamp.keyfile
clamp.config.cadi.cadiLoglevel=DEBUG
-clamp.config.cadi.cadiLatitude=37.78187
-clamp.config.cadi.cadiLongitude=-122.26147
+clamp.config.cadi.cadiLatitude=10
+clamp.config.cadi.cadiLongitude=10
clamp.config.cadi.aafLocateUrl=https://aaf.api.simpledemo.onap.org:8095
clamp.config.cadi.cadiKeystorePassword=enc:V_kq_EwDNb4itWp_lYfDGXIWJzemHGkhkZOxAQI9IHs
clamp.config.cadi.cadiTruststorePassword=enc:Mj0YQqNCUKbKq2lPp1kTFQWeqLxaBXKNwd5F1yB1ukf
clamp.config.cadi.aafEnv=DEV
clamp.config.cadi.aafUrl=https://AAF_LOCATE_URL/AAF_NS.service:2.0
-clamp.config.cadi.cadiX509Issuers=CN=intermediateCA_1, OU=OSAAF, O=ONAP, C=US
+clamp.config.cadi.cadiX509Issuers=CN=intermediateCA_9, OU=OSAAF, O=ONAP, C=US:CN=intermediateCA_1, OU=OSAAF, O=ONAP, C=US
In that case a certificate must be added in the browser and is required to login properly
Please check that section to get the certificate
https://wiki.onap.org/display/DW/Control+Loop+Flows+and+Models+for+Casablanca#ControlLoopFlowsandModelsforCasablanca-Configure
Or it can be found in the Clamp source code folder src/main/resources/clds/aaf
-(Default Password: "34xqGdj]VnHothQ]5qCykV3X")
+(Default Password: "China in the Spring")
2. Spring authentication
It's possible to enable the spring authentication by disabling the "clamp-aaf-authentication" profile and enabling only the "clamp-default-user"
Passwords should be hashed using Bcrypt :
```
-# pip3 install bcrypt # if you don't have the bcrypt python lib installed, should be done once.
+# pip3 install --no-cache-dir bcrypt # if you don't have the bcrypt python lib installed, should be done once.
# python3 -c 'import bcrypt; print(bcrypt.hashpw("password".encode(), bcrypt.gensalt(rounds=10, prefix=b"2a")))'
```
--spring.config.name=application-noaaf
-to the jvm parameters. This file is available by default in the java classpath resource folder.
\ No newline at end of file
+to the jvm parameters. This file is available by default in the java classpath resource folder.
Code Review / clamp.git / blobdiff