.. Copyright 2020 NOKIA
Configuration
-=============
+==============
Configuring Cert Service
This contains list of CMP Servers, where each server has following properties:
- - *caName* - name of the external CA server. It's used to match *CA_NAME* sent by client in order to match proper configuration.
+ - *caName* - name of the external CA server. It's used to match *CA_NAME* sent by CertService client in order to match proper configuration.
- *url* - URL to CMPv2 server
- *issuerDN* - Distinguished Name of the CA that will sign the certificate
- *caMode* - Issuer mode. Allowed values are *CLIENT* and *RA*
Next sections explain how to configure Cert Service in local (docker-compose) and OOM Deployments.
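Review bot: the reworded *caName* bullet on the `+` line still uses "match" twice ("used to match *CA_NAME* ... in order to match proper configuration"), which leaves unclear what is compared with what; suggest "CertService uses it to select the server entry whose *caName* equals the *CA_NAME* sent by the CertService client." It would also help to state whether that comparison is case-sensitive, since the value decides which external CA receives the certificate request.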
-Configuring in local(docker-compose) deployment:
-^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+Configuring in local (docker-compose) deployment:
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Before application start:
"""""""""""""""""""""""""
docker exec -it <certservice-container-name> bash
+ e.g.
+ docker exec -it aafcert-service bash
+
3. Edit *cmpServers.json* file::
vim /etc/onap/aaf/certservice/cmpServers.json
4. Save the file. Note that this file is mounted as volume, so change will be persistent.
5. Reload configuration::
- curl -I https://localhost:8443/reload --cacert /etc/onap/aaf/certservice/certs/root.crt --cert-type p12 --cert /etc/onap/aaf/certservice/certs/certServiceServer-keystore.p12 --pass secret
+ curl -I https://localhost:8443/reload --cacert /etc/onap/aaf/certservice/certs/root.crt --cert-type p12 --cert /etc/onap/aaf/certservice/certs/certServiceServer-keystore.p12 --pass $KEYSTORE_PASSWORD
6. Exit container::
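Review bot: the added "e.g." lines after `docker exec -it <certservice-container-name> bash` sit inside the preceding `::` literal block, so they will render as part of the command text rather than as prose; either keep them as shell comments (`# e.g.`) or end the literal block and give the example as a separate sentence. Replacing the hard-coded `--pass secret` with `--pass $KEYSTORE_PASSWORD` is the right direction, but this section does not say where that variable is defined in the docker-compose container (the OOM section assumes it is set in the pod environment); if it is unset, `--pass` receives an empty string and the reload command cannot open the keystore, which invites readers to type the real password on the command line instead.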
Before OOM installation:
""""""""""""""""""""""""
-Note! This must be executed before calling *make all* (from OOM Installation) or needs remaking aaf Charts.
+Note! This must be executed before calling *make all* (from OOM Installation) or needs remaking AAF charts.
1. Edit *cmpServers.json* file. If OOM *global.addTestingComponents* flag is set to:
When CertService is deployed:
"""""""""""""""""""""""""""""
-1. Encode your configuration to base64::
+1. Create file with configuration
+
+2. Encode your configuration to base64::
- echo "CONFIGURATION_TO_ENCODE" | base64
+ cat <configuration_file> | base64
-2. Edit secret::
+3. Edit secret::
- kubectl edit secret <cmp-servers-secret-name> # aaf-cert-service-secret by default
+ kubectl -n onap edit secret <cmp-servers-secret-name>
-3. Replace value for *cmpServers.json* with your base64 encoded configuration. For example:
+ e.g.
+ kubectl -n onap edit secret aaf-cert-service-secret
+
+4. Replace value for *cmpServers.json* with your base64 encoded configuration. For example:
.. code-block:: yaml
uid: 6a037526-83ed-11ea-b731-fa163e2144f6
type: Opaque
-4. Save and exit
-5. New configuration will be automatically mounted to CertService pod, but application configuration reload is needed.
-6. To reload configuration enter CertService pod::
+5. Save and exit
+6. New configuration will be automatically mounted to CertService pod, but application configuration reload is needed.
+7. To reload configuration enter CertService pod::
+
+ kubectl -n onap exec -it <cert-service-pod-name> bash
- kubectl exec -it <cert-service-pod-name> bash
+ e.g.
+ kubectl -n onap exec -it $(kubectl -n onap get pods | grep cert-service | awk '{print $1}') bash
-7. Reload configuration::
+8. Reload configuration::
curl -I https://localhost:$HTTPS_PORT/reload --cacert $ROOT_CERT --cert-type p12 --cert $KEYSTORE_P12_PATH --pass $KEYSTORE_PASSWORD
-8. Exit container::
+9. Exit container::
exit
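Review bot: `cat <configuration_file> | base64` in step 2 wraps its output at 76 columns on GNU coreutils, so pasting the result into the `cmpServers.json` value through `kubectl edit` yields a multi-line value that breaks the YAML; use `base64 -w 0 <configuration_file>` (GNU) and state that the value must be a single line. The pod lookup in step 7, `$(kubectl -n onap get pods | grep cert-service | awk '{print $1}')`, expands to several names when more than one pod name contains `cert-service`, and `kubectl exec` then fails or attaches to the wrong pod; prefer a label selector with `-o jsonpath='{.items[0].metadata.name}'` (using the chart's own label), and write the exec as `kubectl -n onap exec -it <pod> -- bash`, since the form without `--` is deprecated in current kubectl. The hard-coded `-n onap` is an assumption about the deployment; a `<namespace>` placeholder with "onap by default", in the style of the other placeholders, would be safer. The "e.g." lines here have the same literal-block rendering problem as in the docker-compose section.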
1. Set *tls.certificateExternalSecret* flag to true in *kubernetes/aaf/charts/aaf-cert-service/values.yaml*
2. Prepare secret for CertService. It must be provided before OOM installation. It must contain four files:
- - *certServiceServer-keystore.jks* - keystore in jks format. Signed by some Root CA
- - *certServiceServer-keystore.p12* - same keystore in p12 format
- - *truststore.jks* - truststore in jks format, containing certificates of the Root CA that signed CertService Client certificate
- - *root.crt* - certificate of the RootCA that signed Client certificate in crt format
+ - *certServiceServer-keystore.jks* - keystore in JKS format. Signed by some Root CA
+ - *certServiceServer-keystore.p12* - same keystore in PKCS#12 format
+ - *truststore.jks* - truststore in JKS format, containing certificates of the Root CA that signed CertService Client certificate
+ - *root.crt* - certificate of the RootCA that signed Client certificate in CRT format
3. Name the secret properly - the name should match *tls.server.secret.name* value from *kubernetes/aaf/charts/aaf-cert-service/values.yaml* file
4. Prepare secret for CertService Client. It must be provided before OOM installation. It must contain two files:
- - *certServiceClient-keystore.jks* - keystore in jks format. Signed by some Root CA
- - *truststore.jks* - truststore in jks format, containing certificates of the RootCA that signed CertService certificate
+ - *certServiceClient-keystore.jks* - keystore in JKS format. Signed by some Root CA
+ - *truststore.jks* - truststore in JKS format, containing certificates of the RootCA that signed CertService certificate
-5. Name the secret properly - the name should match *global.aaf.certService.client.secret.name*
+5. Name the secret properly - the name should match *global.aaf.certService.client.secret.name* value from *kubernetes/onap/values.yaml* file
6. Provide keystore and truststore passwords for CertService. It can be done in two ways:
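Review bot: the `+` bullets spell the issuer both as "Root CA" (`certServiceServer-keystore.jks`, server `truststore.jks`) and "RootCA" (`root.crt`, client `truststore.jks`); pick one. "Signed by some Root CA" is also vague for a trust-critical artifact: from the truststore bullets, the CA that signs `certServiceServer-keystore.jks` must be the one whose certificate appears in the client's `truststore.jks`, and the CA that signs `certServiceClient-keystore.jks` must appear in the server's `truststore.jks` and `root.crt`; stating that pairing explicitly would prevent a mutual-TLS trust mismatch between CertService and its client. The added reference to *kubernetes/onap/values.yaml* in step 5 is a useful fix.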