Make certs in A1 controller configurable 37/4437/1
authorelinuxhenrik <henrik.b.andersson@est.tech>
Tue, 23 Jun 2020 13:16:05 +0000 (15:16 +0200)
committerelinuxhenrik <henrik.b.andersson@est.tech>
Thu, 23 Jul 2020 12:23:11 +0000 (14:23 +0200)
Change-Id: I33dd9bf57cd0ddd8f09d67282600591670675a43
Signed-off-by: elinuxhenrik <henrik.b.andersson@est.tech>
sdnc-a1-controller/northbound/nonrt-ric-api/provider/src/main/java/org/o_ran_sc/nonrtric/sdnc_a1/northbound/restadapter/RestAdapterImpl.java
sdnc-a1-controller/oam/installation/sdnc-a1/pom.xml
sdnc-a1-controller/oam/installation/sdnc-a1/src/main/docker/standalone.Dockerfile
sdnc-a1-controller/oam/installation/sdnc-a1/src/main/resources/truststore.jks [new file with mode: 0644]
sdnc-a1-controller/oam/installation/sdnc-a1/src/main/scripts/startODL.sh
sdnc-a1-controller/oam/installation/src/main/properties/https-props.properties [moved from sdnc-a1-controller/northbound/nonrt-ric-api/provider/src/main/resources/nonrt-ric-api-provider.properties with 77% similarity]
sdnc-a1-controller/oam/installation/src/main/yaml/README.md [new file with mode: 0644]
sdnc-a1-controller/oam/installation/src/main/yaml/docker-compose.yml

index 928b65f..d2e602f 100644 (file)
@@ -20,7 +20,7 @@
 
 package org.o_ran_sc.nonrtric.sdnc_a1.northbound.restadapter;
 
-import java.io.FileNotFoundException;
+import java.io.FileInputStream;
 import java.io.IOException;
 import java.io.InputStream;
 import java.net.MalformedURLException;
@@ -36,6 +36,7 @@ import org.apache.http.conn.ssl.NoopHostnameVerifier;
 import org.apache.http.conn.ssl.SSLConnectionSocketFactory;
 import org.apache.http.conn.ssl.TrustAllStrategy;
 import org.apache.http.impl.client.HttpClients;
+import org.apache.http.ssl.SSLContextBuilder;
 import org.apache.http.ssl.SSLContexts;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
@@ -58,7 +59,6 @@ import org.springframework.web.client.RestTemplate;
 
 public class RestAdapterImpl implements RestAdapter {
 
-  private static final String PROPERTIES_FILE = "nonrt-ric-api-provider.properties";
   private final Logger log = LoggerFactory.getLogger(RestAdapterImpl.class);
 
   private RestTemplate restTemplateHttp;
@@ -76,24 +76,26 @@ public class RestAdapterImpl implements RestAdapter {
 
   private RestTemplate createRestTemplateForHttps() throws IOException, UnrecoverableKeyException, CertificateException,
               NoSuchAlgorithmException, KeyStoreException, KeyManagementException {
-      InputStream inputStream = RestAdapterImpl.class.getClassLoader().getResourceAsStream(PROPERTIES_FILE);
-      if (inputStream == null) {
-          throw new FileNotFoundException("properties file not found in classpath");
-      } else {
+      try (InputStream inputStream = new FileInputStream(ResourceUtils.getFile("/opt/onap/sdnc/data/properties/https-props.properties"))) {
           Properties properties = new Properties();
           properties.load(inputStream);
-          final String keystorePassword = properties.getProperty("key-store-password");
-          SSLConnectionSocketFactory scsf = new SSLConnectionSocketFactory(
-                  SSLContexts.custom()
-                             .loadKeyMaterial(ResourceUtils.getFile(properties.getProperty("key-store")),
-                                     keystorePassword.toCharArray(), keystorePassword.toCharArray())
-                             .loadTrustMaterial(null, new TrustAllStrategy())
-                             .build(),
-                  NoopHostnameVerifier.INSTANCE);
+          final String keyPassword = properties.getProperty("key-password");
+          final String keystorePassword = properties.getProperty("keystore-password");
+          final String truststorePassword = properties.getProperty("truststore-password");
+          final boolean isTrustStoreUsed = Boolean.parseBoolean(properties.getProperty("isTrustStoreUsed"));
+          SSLContextBuilder builder = SSLContexts.custom()
+                                                 .loadKeyMaterial(ResourceUtils.getFile(properties.getProperty("key-store")),
+                                                         keystorePassword.toCharArray(), keyPassword.toCharArray());
+          if (isTrustStoreUsed) {
+              builder.loadTrustMaterial(ResourceUtils.getFile(properties.getProperty("trust-store")),
+                              truststorePassword.toCharArray());
+          } else {
+              builder.loadTrustMaterial(null, new TrustAllStrategy());
+          }
+          SSLConnectionSocketFactory scsf = new SSLConnectionSocketFactory(builder.build(), NoopHostnameVerifier.INSTANCE);
           HttpClient client = HttpClients.custom().setSSLSocketFactory(scsf).build();
           HttpComponentsClientHttpRequestFactory requestFactory = new HttpComponentsClientHttpRequestFactory();
           requestFactory.setHttpClient(client);
-          inputStream.close();
           return new RestTemplate(requestFactory);
       }
   }
index cd58073..b8816ec 100644 (file)
                                 <resource>
                                     <directory>src/main/resources</directory>
                                     <includes>
-                                        <include>idmlight.db.mv.db</include>
-                                        <include>keystore.jks</include>
-                                        <include>aaa-app-config.xml</include>
+                                        <include>*.jks</include>
                                     </includes>
                                     <filtering>false</filtering>
                                 </resource>
index 03977f8..e80187a 100755 (executable)
@@ -45,7 +45,7 @@ ENV SDNC_CONFIG_DIR /opt/onap/sdnc/data/properties
 ENV JAVA_SECURITY_DIR /etc/ssl/certs/java
 ENV SDNC_NORTHBOUND_REPO mvn:org.o-ran-sc.nonrtric.sdnc-a1.northbound/sdnc-a1-northbound-all/${sdnc.northbound.version}/xml/features
 ENV SDNC_KEYSTORE keystore.jks
-ENV SDNC_KEYPASS sdnc-a1-controller
+ENV SDNC_TRUSTSTORE truststore.jks
 ENV SDNC_SECUREPORT 8443
 
 USER root
@@ -60,13 +60,11 @@ RUN sed -i "s/odl-restconf-all/odl-restconf-all,odl-netconf-topology/g"  $ODL_HO
 
 # Install java certificate
 COPY $SDNC_KEYSTORE $JAVA_SECURITY_DIR
+COPY $SDNC_TRUSTSTORE $JAVA_SECURITY_DIR
 
 # Secure with TLS
 RUN echo org.osgi.service.http.secure.enabled=true >> $ODL_HOME/etc/custom.properties
 RUN echo org.osgi.service.http.secure.port=$SDNC_SECUREPORT >> $ODL_HOME/etc/custom.properties
-RUN echo org.ops4j.pax.web.ssl.keystore=$JAVA_SECURITY_DIR/$SDNC_KEYSTORE >> $ODL_HOME/etc/custom.properties
-RUN echo org.ops4j.pax.web.ssl.password=$SDNC_KEYPASS >> $ODL_HOME/etc/custom.properties
-RUN echo org.ops4j.pax.web.ssl.keypassword=$SDNC_KEYPASS >> $ODL_HOME/etc/custom.properties
 
 RUN chown -R odl:odl /opt
 
diff --git a/sdnc-a1-controller/oam/installation/sdnc-a1/src/main/resources/truststore.jks b/sdnc-a1-controller/oam/installation/sdnc-a1/src/main/resources/truststore.jks
new file mode 100644 (file)
index 0000000..ce2d0ed
Binary files /dev/null and b/sdnc-a1-controller/oam/installation/sdnc-a1/src/main/resources/truststore.jks differ
index 78d3ea3..54a7b6b 100755 (executable)
 ODL_HOME=${ODL_HOME:-/opt/opendaylight/current}
 ODL_ADMIN_USERNAME=${ODL_ADMIN_USERNAME:-admin}
 ODL_ADMIN_PASSWORD=${ODL_ADMIN_PASSWORD:-Kp8bJ4SXszM0WXlhak3eHlcse2gAw84vaoGGmJvUy2U}
+HTTPS_PROPS=${HTTPS_PROPS:-/opt/onap/sdnc/data/properties/https-props.properties}
 SDNC_HOME=${SDNC_HOME:-/opt/onap/sdnc}
 SDNC_BIN=${SDNC_BIN:-/opt/onap/sdnc/bin}
 MYSQL_PASSWD=${MYSQL_PASSWD:-openECOMP1.0}
 INSTALLED_DIR=${INSTALLED_FILE:-/opt/opendaylight/current/daexim}
 export ODL_ADMIN_PASSWORD ODL_ADMIN_USERNAME
 
+echo org.ops4j.pax.web.ssl.keystore=$(cat $HTTPS_PROPS | grep -w key-store | cut -d '=' -f2) >> /opt/opendaylight/etc/custom.properties
+echo org.ops4j.pax.web.ssl.password=$(cat $HTTPS_PROPS | grep -w keystore-password | cut -d '=' -f2) >> /opt/opendaylight/etc/custom.properties
+echo org.ops4j.pax.web.ssl.keypassword=$(cat $HTTPS_PROPS | grep -w key-password | cut -d '=' -f2) >> /opt/opendaylight/etc/custom.properties
+
 #
 # Wait for database
 #
@@ -16,5 +16,9 @@
 # limitations under the License.
 # ========================LICENSE_END===================================
 
-key-store-password = sdnc-a1-controller
-key-store = /etc/ssl/certs/java/keystore.jks
\ No newline at end of file
+key-store=/etc/ssl/certs/java/keystore.jks
+key-password=sdnc-a1-controller
+keystore-password=sdnc-a1-controller
+isTrustStoreUsed=true
+trust-store=/etc/ssl/certs/java/truststore.jks
+truststore-password=sdnc-a1-controller
diff --git a/sdnc-a1-controller/oam/installation/src/main/yaml/README.md b/sdnc-a1-controller/oam/installation/src/main/yaml/README.md
new file mode 100644 (file)
index 0000000..a82c70d
--- /dev/null
@@ -0,0 +1,43 @@
+The SDNC-A1 controller uses the default keystore and truststore that are built into the container.
+
+The paths and passwords for these stores are located in a properties file:
+nonrtric/sdnc-a1-controller/oam/installation/src/main/properties/https-props.properties
+
+The default truststore includes the a1simulator cert as a trusted cert which is located here:
+https://gerrit.o-ran-sc.org/r/gitweb?p=sim/a1-interface.git;a=tree;f=near-rt-ric-simulator/certificate;h=172c1e5aacd52d760e4416288dc5648a5817ce65;hb=HEAD
+
+The default keystore, truststore, and https-props.properties files can be overridden by mounting new files using the "volumes" field of docker-compose. Uncommment the following lines in docker-compose to do this, and provide paths to the new files:
+
+#volumes:
+    #  - <path_to_keystore>:/etc/ssl/certs/java/keystore.jks:ro
+    #  - <path_to_truststore>:/etc/ssl/certs/java/truststore.jks:ro
+    #  - <path_to_https-props>:/opt/onap/sdnc/data/properties/https-props.properties:ro
+
+The target paths in the container should not be modified.
+
+For example, assuming that the keystore, truststore, and https-props.properties files are located in the same directory as docker-compose:
+
+volumes:
+      - ./new_keystore.jks:/etc/ssl/certs/java/keystore.jks:ro
+      - ./new_truststore.jks:/etc/ssl/certs/java/truststore.jks:ro
+      - ./new_https-props.properties:/opt/onap/sdnc/data/properties/https-props.properties:ro
+
+
+## License
+
+Copyright (C) 2020 Nordix Foundation.
+Licensed under the Apache License, Version 2.0 (the "License")
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+      http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+
+For more information about license please see the [LICENSE](LICENSE.txt) file for details.
+
+
index c2b9978..93121a7 100644 (file)
@@ -55,6 +55,10 @@ services:
     environment:
       - MYSQL_ROOT_PASSWORD=openECOMP1.0
       - SDNC_CONFIG_DIR=/opt/onap/sdnc/data/properties
+    #volumes:
+    #  - <path_to_keystore>:/etc/ssl/certs/java/keystore.jks:ro
+    #  - <path_to_truststore>:/etc/ssl/certs/java/truststore.jks:ro
+    #  - <path_to_https-props>:/opt/onap/sdnc/data/properties/https-props.properties:ro
     dns:
       - ${DNS_IP_ADDR-10.0.100.1}
     logging: