From 038b4a47c7194b51106cf2c325078924403defea Mon Sep 17 00:00:00 2001 From: dglFromAtt Date: Tue, 24 Apr 2018 08:46:34 -0400 Subject: [PATCH] Integrate AAF certificate and CA truststore This installs a server certificate with CN: dbc.api.simpledemo.onap.org which is probably good for the heat integration environment. Also, the container truststore is updated with the AAFRootCA so that Bus Controller can be a client to other ONAP components with AAF provided certificates. Change-Id: I158929dd86fa550f964fab18eb8e975cde8062d8 Signed-off-by: dglFromAtt Issue-ID: DMAAP-435 --- Dockerfile | 1 + README.md | 4 ++-- misc/cert-client-init.sh | 60 +++++++++++++++++++++++++++++------------------ misc/dbc-api.jks | Bin 0 -> 3570 bytes misc/dmaapbc | 29 ++++++++++++----------- misc/doaction | 1 - pom.xml | 2 +- version.properties | 2 +- 8 files changed, 57 insertions(+), 42 deletions(-) create mode 100644 misc/dbc-api.jks diff --git a/Dockerfile b/Dockerfile index cea2529..8c4eb17 100644 --- a/Dockerfile +++ b/Dockerfile @@ -18,6 +18,7 @@ COPY target/buscontroller.jar ${insdir}/lib/ # COPY target/site/apidocs/ ${insdir}/www/doc/ COPY misc/LocalKey ${insdir}/etc/ COPY misc/logback.xml ${insdir}/etc/ +COPY misc/dbc-api.jks ${insdir}/etc/keystore COPY misc/opensource.env ${insdir}/misc/ COPY misc/*.tmpl ${insdir}/misc/ COPY misc/cert-client-init.sh ${insdir}/misc/ diff --git a/README.md b/README.md index 3bc4fb4..773c04b 100644 --- a/README.md +++ b/README.md 
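Review bot: The added `COPY misc/dbc-api.jks ${insdir}/etc/keystore` bakes a server keystore into every image built from this Dockerfile, and the same file is committed to the repository as `misc/dbc-api.jks`. A keystore that serves TLS presumably holds the private key for `dbc.api.simpledemo.onap.org`, so anyone who can pull the image or clone the repo can read that key. The commit message scopes it to the heat integration environment, but nothing in the image enforces that. I would add a comment above the line, e.g. `# DEMO ONLY: simpledemo keystore; mount a deployment-specific keystore over ${insdir}/etc/keystore at run time`, and document the volume mount in the README next to the `docker run` example.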
@@ -78,7 +78,7 @@ DMAAPBC_PE_AAF_ENV=TBD Then the following steps could be used to pull and run the Bus Controller. (onap-nexus is just an example) ``` $ -$ docker pull ecomp-nexus:51212/dcae_dmaapbc:1.0.0 -$ docker run -d -p 18080:8080 -v /tmp/docker-databus-controller.conf:/opt/app/config/conf onap-nexus:51212/dmaap/buscontroller:1.0.0 +$ docker pull nexus3.onap.org:10003/onap/dmaap/buscontroller:latest +$ docker run -d -p 18080:8080 -p 18443:8443 -v /tmp/docker-databus-controller.conf:/opt/app/config/conf nexus3.onap.org:10003/onap/dmaap/buscontroller:latest ``` diff --git a/misc/cert-client-init.sh b/misc/cert-client-init.sh index 53701f8..cba9354 100644 --- a/misc/cert-client-init.sh +++ b/misc/cert-client-init.sh 
@@ -8,35 +8,49 @@
 # Works on both CentOS and Ubuntu.
 #
 set -x
-cat >/tmp/aafcacert.crt <<'!EOF'
+
+# IMPORTANT: use a .crt suffix for update-ca-certificates to work
+#
+AAFCERT=AAF_RootCA.crt
+cat >/tmp/$AAFCERT <<'!EOF'
 -----BEGIN CERTIFICATE-----
-****************************************************************
-****************************************************************
-****************************************************************
-****************************************************************
-****************************************************************
-****************************************************************
-****************************************************************
-****************************************************************
-******* PUT REAL CERTIFICATE HERE ****************************
-****************************************************************
-****************************************************************
-****************************************************************
-****************************************************************
-****************************************************************
-****************************************************************
-****************************************************************
-****************************************************************
-****************************************************************
-****************************************************************
+MIIFPjCCAyagAwIBAgIJAJ6u7cCnzrWdMA0GCSqGSIb3DQEBCwUAMCwxDjAMBgNV
+BAsMBU9TQUFGMQ0wCwYDVQQKDARPTkFQMQswCQYDVQQGEwJVUzAeFw0xODA0MDUx
+NDE1MjhaFw0zODAzMzExNDE1MjhaMCwxDjAMBgNVBAsMBU9TQUFGMQ0wCwYDVQQK
+DARPTkFQMQswCQYDVQQGEwJVUzCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoC
+ggIBAMA5pkgRs7NhGG4ew5JouhyYakgYUyFaG121+/h8qbSdt0hVQv56+EA41Yq7
+XGie7RYDQK9NmAFF3gruE+6X7wvJiChp+Cyd7sFMnb65uWhxEdxWTM2BJFrgfzUn
+H8ZCxgaCo3XH4PzlKRy2LQQJEJECwl/RZmRCXijMt5e9h8XoZY/fKkKcZZUsWNCM
+pTo266wjvA9MXLmdgReRj0+vrCjrNqy+htwJDztoiHWiYPqT6o8EvGcgjNqjlZx7
+NUNf8MfLDByqKF6+wRbHv1GKjn3/Vijd45Fv8riyRYROiFanvbV6jIfBkv8PZbXg
+2VDWsYsgp8NAvMxK+iV8cO+Ck3lBI2GOPZbCEqpPVTYbLUz6sczAlCXwQoPzDIZY
+wYa3eR/gYLY1gP2iEVHORag3bLPap9ZX5E8DZkzTNTjovvLk8KaCmfcaUMJsBtDd
+ApcUitz10cnRyZc1sX3gE1f3DpzQM6t9C5sOVyRhDcSrKqqwb9m0Ss04XAS9FsqM
+P3UWYQyqDXSxlUAYaX892u8mV1hxnt2gjb22RloXMM6TovM3sSrJS0wH+l1nznd6
+aFXftS/G4ZVIVZ/LfT1is4StoyPWZCwwwly1z8qJQ/zhip5NgZTxQw4mi7ww35DY
+PdAQOCoajfSvFjqslQ/cPRi/MRCu079heVb5fQnnzVtnpFQRAgMBAAGjYzBhMB0G
+A1UdDgQWBBRTVTPyS+vQUbHBeJrBKDF77+rtSTAfBgNVHSMEGDAWgBRTVTPyS+vQ
+UbHBeJrBKDF77+rtSTAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBhjAN
+BgkqhkiG9w0BAQsFAAOCAgEAPx/IaK94n02wPxpnYTy+LVLIxwdq/kawNd6IbiMz
+L87zmNMDmHcGbfoRCj8OkhuggX9Lx1/CkhpXimuYsZOFQi5blr/u+v4mIbsgbmi9
+7j+cUHDP0zLycvSvxKHty51LwmaX9a4wkJl5zBU4O1sd/H9tWcEmwJ39ltKoBKBx
+c94Zc3iMm5ytRWGj+0rKzLDAXEWpoZ5bE5PLJauA6UDCxDLfs3FwhbS7uDggxYvf
+jySF5FCNET94oJ+m8s7VeHvoa8iPGKvXrIqdd7XDHnqJJlVKr7m9S0fMbyEB8ci2
+RtOXDt93ifY1uhoEtEykn4dqBSp8ezvNMnwoXdYPDvTd9uCAFeWFLVreBAWxd25h
+PsBTkZA5hpa/rA+mKv6Af4VBViYr8cz4dZCsFChuioVebe9ighrfjB//qKepFjPF
+CyjzKN1u0JKm/2x/ORqxkTONG8p3uDwoIOyimUcTtTMv42bfYD88RKakqSFXE9G+
+Z0LlaKABqfjK49o/tsAp+c5LoNlYllKhnetO3QAdraHwdmC36BhoghzR1jpX751A
+cZn2VH3Q4XKyp01cJNCJIrua+A+bx6zh3RyW6zIIkbRCbET+UD+4mr8WIcSE3mtR
+ZVlnhUDO4z9//WKMVzwS9Rh8/kuszrGFI1KQozXCHLrce3YP6RYZfOed79LXaRwX
+dYY=
 -----END CERTIFICATE-----
 !EOF
-chmod 444 /tmp/aafcacert.crt
+chmod 444 /tmp/$AAFCERT
 if [ -f /etc/redhat-release ]
 then
- mv /tmp/aafcacert.crt /etc/pki/ca-trust/source/anchors/aafcacert.pem
+ mv /tmp/$AAFCERT /etc/pki/ca-trust/source/anchors/aafcacert.pem
 update-ca-trust
 else
- mv /tmp/aafcacert.crt /usr/local/share/ca-certificates/aafcacert.crt
+ mv /tmp/$AAFCERT /usr/local/share/ca-certificates/$AAFCERT
 update-ca-certificates
 fi
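Review bot: The root CA is staged at the fixed path `/tmp/$AAFCERT` and then moved into the system trust anchors, and no step checks that the `cat`, `mv` or `update-ca-*` commands succeeded. A file or symlink already present under that predictable name would be written through, and the script only has `set -x`, so a failed install leaves the truststore unchanged without any non-zero exit. I would stage with `tmp=$(mktemp) || exit 1`, quote the expansions (`mv "$tmp" "/usr/local/share/ca-certificates/$AAFCERT"`), and add `set -e` after `set -x`. Since this anchor is trusted system-wide by every TLS client in the container, a comment above the heredoc naming the CA's intended scope (the subject appears to be the OSAAF/ONAP test root) would also help.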
diff --git a/misc/dbc-api.jks b/misc/dbc-api.jks new file mode 100644 index 0000000000000000000000000000000000000000..8c0f61affed09ee8775a8747fa678c331b171d3f GIT binary patch literal 3570 zcmb`Jc{o*T-^cgb1F;d?JRU=a$hP)o%TVSWGH2SxOxut#nQMzpk_-tM3mI~RPDr7I zj1fvU${0e3%wyi&>AdGT&v~BbeXsYr-aqc^UcYyqMav?X^C|UP;&*`>NF^)KNuEL(}ss5ff>P zCO68RJ9bj`A{xC#6sAk#ZrfSb;Vv>#-tM7V?8*=GR$yz5 zO~|<%RwMa{>haUuYMnybQd^?5TI1p*5#NwHPsHs^)^N_C*Sz@~ENit+uYF8fViUrPr5-eQB11}d#E^m|yLdNQowMiA9t;sJ zgGF+m_o2_yy%+P3MUw5vk2$kdA_n2D=Spziucio17h-Y3)3L#BUHvpFIWr@;C!XqC z63j9@JBD#;>^W74hWb`S3DMM4JR74R1@WENalTLY>=V+YgU@~_r6Xooi3QchIFE4F zsOP|^AU4;+rCfgtJQkYfAo)d|6z0)e+imr<6n~BOd-{#U&c(1A#<0G}*a?CUM_RuF z=gx=zM4R-?>G=Z9S6#MU^1TNxhn79{b1qp6~;zi<2NS!LHT9LbQQt3#(VbS-vtg;B)acm zBsWFS_C*6drW9<^nfCjmH9i|9L%GNFEe$t{*w)Z*|)<@x5q@?8hH;rX+^OVV|$#=(<`tS)0Pt1=mNO=x(XdWzN>L{+g zM-Q5smJ36xabhI_RbAng$GE@sL$cW7vC2`OhlEL=VwWk0ili>Sb-fvr)~8pJ8oVBB zsK!Vu-aOOKt!A~#5`L7KFQP*xJcZj^z3+Kx%-K74iiXo654QyE=eTSfy6{o2P@ly| zFzY80CLipCPJAqz9It<@GOB6-Ut~r(QqSv+q@Q2y zLY0E2*>4^;yuD)BT9i?)XxBTZjQP~j=Ja_XDCN;a-@>O534_zip(|PHOQ#%DHi55s z7mq)`G%DowYi{;7?bq6-`mmNPX|rm-rRRVu^!VPIIdh0l_cJot<1Fp*CBwi+<`qbv zk$1NSSs$%GnC(P`x89HyRDLCs>nu*V?(#g(jx?1|x!%}dA!5a4uU8>+hVjxTd~p@i z$()78c!ly{Z}j?;wyH4x*U_!M7Qte*>GIqu-x-uOW(_>YD(T*oSQMm{!8Y7H8|Z~f zwvf!pZ)^A0Q}1u);6#f%<5Wv7L`W_{wie6_wxGrt&lMr0!O+--I+* zSMvKr=ODz!OSL{&YfLn(bX0Gs$MeeciGlHQHrI}JL0;r(&iEayag@GbUkJTEyb6}U{C-G1z15w8al}sotP~~06C{k(`SL~q|eI|E1tg#Y@=)Mfx914pS{0-%SI0RWN(>spey zB^cKfFJMc)XH&; z-6GG-7~umv*)={`*^vTzOp<)zwWE8!<*zuQg3Md-GPEz>ZNED170uqh&#x#Yi7PM~ z&G2RHwij21OG#N#CI+(23`#F#aoAk^aQ+v!@_?(!_11SkMq_|cdhvro`f8T(iScq- ziz2oH%Jp;V3qB86?j2LzKZx9P;30qv?)v%8ne{FV1rwLnqC2BExHTIzp)ddf6h!WV zkz2p(fS(l(1tA~{4V^=b4iK}g0RV6~3`)}o%Kl@C5iZ7Y%*c=EV`{1|s7>@C`cqZl zB4|qV46*pa5TkEBKOaGD&7NWru|5EzDsr0W3rq-0&{i#nq3IK;c zGDl4OOhOdS0kY8?q5c*i5VSDh&nxI(RUQCD!}py<4pwS8XS&<~3pTC$|3c*lBE)g8T^(0u>-;AQ^h<4}buF`&|FG>ijn) zKpcjO208EtB@{q;Dkpx1|9?38-+Z4j8r66Z&EI>2hsZFhjY~-M*cx?(SmmlP$8V`{ 
z!+Q+7DUS>muVaSl=ej$#%}7{Y)pjQ^?4>PK9aq1 zN@c|Uo9lbF^LocHm9|@HFIoo*bSke0aGiE|33!xbjFPY`_>;U1op7rt zo3{_w>nv%t=je$rn&lbG>EEkVa1#(2NnVQS4>Mit{JZ=if zYLdWQUjDMA3!;9wjrE7yj({}O2?{{|*?~aJ-!uawQ}<-i-jD0kytxT4Aq3Hv2AD-k zzUpwQJ+E8_=_52hi}`M0Z}(bMp%off=3q`=;ZsJD)gH|E=h8RRU=Sq7tXqu73y7W= zFL|FLIrelf`g7@2?{ep^bUN=tT;2m1-uN)VP?A=Hn_#S8Pj|UW^$2P+!`4}0tT&8l z={@IL70aOb;;ce$uU%|de+JBrK&J_5zfXEC(55usCY=4CeS1A{!}Js)e^T&Fpr3pR z%u1!MgBX@sMVzzNIxxbWxs~i}q02a9+FBRu?)(0$`IMhYy9AFHVQW%GNg@4Vo$W<4CTzmf1V^7ZNk zjYyT8i(H5qCL*32Nk*%g>dtu8s;VW}QFpl8m2t=PJ61|`RI}xT!OwEYdf5iqXXj=d zWU+)8gs(+@F|a1EmRE4EEbhk@_oa{ytDNIxV{_)yt4v}I9!#OnjiD|tsr7BXgy zA0#UcRLMO*y2mG&s!rr>ONfOf*Kl4|%T8gH&N=^h@9I@Jj)_43EH%Yy;KVY1;n%BW z?=LxKFuy^a6kegM?#B;fDIeUp<=b*gG5UUjE1`DR@Gk`nYVY)dL5FMugfBMe#iSF9ki& AYybcN literal 0 HcmV?d00001 diff --git a/misc/dmaapbc b/misc/dmaapbc index c63fcee..5254108 100644 --- a/misc/dmaapbc +++ b/misc/dmaapbc @@ -43,13 +43,15 @@ config() { else echo "Not creating $APP_ROOT/ok_to_exit" fi - # comment out till certs are available - #if [ ! -f $APP_ROOT/misc/cert-client-init.sh ] - #then - # echo "Did not find $APP_ROOT/misc/cert-client-init.sh to append to truststore" - # exit 1 - #fi - #$APP_ROOT/misc/cert-client-init.sh + + if [ ! -f $APP_ROOT/misc/cert-client-init.sh ] + then + echo "Did not find $APP_ROOT/misc/cert-client-init.sh to append to truststore" + exit 1 + fi + $APP_ROOT/misc/cert-client-init.sh + . misc/havecert.tmpl > etc/havecert + chmod +x etc/havecert . misc/dmaapbc.properties.tmpl > etc/dmaapbc.properties . misc/PolicyEngineApi.properties.tmpl > config/PolicyEngineApi.properties set +x @@ -71,14 +73,13 @@ start() { fi cd $APP_ROOT -# disable until we use certs -# if etc/havecert -# then + if etc/havecert + then echo >/dev/null -# else -# echo No certificate file available. Cannot start -# exit 0 -# fi + else + echo No certificate file available. Cannot start + exit 0 + fi PIDS=`pids` if [ "$PIDS" != "" ] then 
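Review bot: In the config() hunk, `$APP_ROOT/misc/cert-client-init.sh` runs with its exit status ignored, so a failed truststore update does not stop configuration and the `havecert` and properties files are still generated. The call should fail closed, e.g. `"$APP_ROOT"/misc/cert-client-init.sh || { echo "truststore update failed" >&2; exit 1; }`, and `$APP_ROOT` should be quoted in the `[ ! -f ... ]` test as well. config() begins and ends outside this hunk, so whether a caller already traps failures is not visible here.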
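Review bot: In the start() hunk, the missing-certificate branch ends with `exit 0`, so a caller that checks the status sees success although the service was never started without its certificate. The success branch is also a no-op (`echo >/dev/null`), which makes the intent harder to read. I would write it as a guard, `if ! etc/havecert; then echo "No certificate file available. Cannot start" >&2; exit 1; fi`. If the zero status is deliberate for the init framework, a comment saying so would do. start() continues outside the hunk.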
diff --git a/misc/doaction b/misc/doaction index d3dd9b8..18b0caa 100644 --- a/misc/doaction +++ b/misc/doaction @@ -20,7 +20,6 @@ case "$action" in /bin/bash dmaapbc.properties.tmpl >dmaapbc.properties /bin/bash havecert.tmpl >havecert /bin/bash PolicyEngineApi.properties.tmpl > ../config/PolicyEngineApi.properties - echo "$AFTSWM_ACTION_NEW_VERSION" >VERSION.dmaapbc chmod +x havecert rm -f /opt/app/platform/rc.d/K90dmaapbc /opt/app/platform/rc.d/S10dmaapbc ln -s ../init.d/dmaapbc /opt/app/platform/rc.d/K90dmaapbc diff --git a/pom.xml b/pom.xml index 3625897..876c12d 100644 --- a/pom.xml +++ b/pom.xml @@ -302,7 +302,7 @@ UTF-8 9.3.7.v20160115 0.0.1 - 1.0.8 + 1.0.9 0.7.7.201606060606 3.2 diff --git a/version.properties b/version.properties index 9a4bc7e..8f72e5e 100644 --- a/version.properties +++ b/version.properties @@ -27,7 +27,7 @@ major=1 minor=0 -patch=8 +patch=9 base_version=${major}.${minor}.${patch} # Release must be completed with git revision # in Jenkins -- 2.16.6