package org.o_ran_sc.nonrtric.sdnc_a1.northbound.restadapter;
-import java.io.FileNotFoundException;
+import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.net.MalformedURLException;
import org.apache.http.conn.ssl.SSLConnectionSocketFactory;
import org.apache.http.conn.ssl.TrustAllStrategy;
import org.apache.http.impl.client.HttpClients;
+import org.apache.http.ssl.SSLContextBuilder;
import org.apache.http.ssl.SSLContexts;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
public class RestAdapterImpl implements RestAdapter {
- private static final String PROPERTIES_FILE = "nonrt-ric-api-provider.properties";
private final Logger log = LoggerFactory.getLogger(RestAdapterImpl.class);
private RestTemplate restTemplateHttp;
private RestTemplate createRestTemplateForHttps() throws IOException, UnrecoverableKeyException, CertificateException,
NoSuchAlgorithmException, KeyStoreException, KeyManagementException {
- InputStream inputStream = RestAdapterImpl.class.getClassLoader().getResourceAsStream(PROPERTIES_FILE);
- if (inputStream == null) {
- throw new FileNotFoundException("properties file not found in classpath");
- } else {
+ try (InputStream inputStream = new FileInputStream(ResourceUtils.getFile("/opt/onap/sdnc/data/properties/https-props.properties"))) {
Properties properties = new Properties();
properties.load(inputStream);
- final String keystorePassword = properties.getProperty("key-store-password");
- SSLConnectionSocketFactory scsf = new SSLConnectionSocketFactory(
- SSLContexts.custom()
- .loadKeyMaterial(ResourceUtils.getFile(properties.getProperty("key-store")),
- keystorePassword.toCharArray(), keystorePassword.toCharArray())
- .loadTrustMaterial(null, new TrustAllStrategy())
- .build(),
- NoopHostnameVerifier.INSTANCE);
+ final String keyPassword = properties.getProperty("key-password");
+ final String keystorePassword = properties.getProperty("keystore-password");
+ final String truststorePassword = properties.getProperty("truststore-password");
+ final boolean isTrustStoreUsed = Boolean.parseBoolean(properties.getProperty("isTrustStoreUsed"));
+ SSLContextBuilder builder = SSLContexts.custom()
+ .loadKeyMaterial(ResourceUtils.getFile(properties.getProperty("key-store")),
+ keystorePassword.toCharArray(), keyPassword.toCharArray());
+ if (isTrustStoreUsed) {
+ builder.loadTrustMaterial(ResourceUtils.getFile(properties.getProperty("trust-store")),
+ truststorePassword.toCharArray());
+ } else {
+ builder.loadTrustMaterial(null, new TrustAllStrategy());
+ }
+ SSLConnectionSocketFactory scsf = new SSLConnectionSocketFactory(builder.build(), NoopHostnameVerifier.INSTANCE);
HttpClient client = HttpClients.custom().setSSLSocketFactory(scsf).build();
HttpComponentsClientHttpRequestFactory requestFactory = new HttpComponentsClientHttpRequestFactory();
requestFactory.setHttpClient(client);
- inputStream.close();
return new RestTemplate(requestFactory);
}
}
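Review bot: Line 48 keeps `NoopHostnameVerifier.INSTANCE` even on the new `isTrustStoreUsed` path, so a configured truststore only restricts the issuing CA and a certificate that CA signed for any other host is still accepted; the verifier should follow the same switch as the trust material, e.g. `SSLConnectionSocketFactory scsf = new SSLConnectionSocketFactory(builder.build(), isTrustStoreUsed ? SSLConnectionSocketFactory.getDefaultHostnameVerifier() : NoopHostnameVerifier.INSTANCE);` (the static getter exists in HttpClient 4.4+). Separately, `keystorePassword.toCharArray()` and `keyPassword.toCharArray()` on line 41 and `truststorePassword.toCharArray()` on line 44 throw a bare NullPointerException when a mounted properties file omits a key, which the README in this commit invites; `Objects.requireNonNull(properties.getProperty("keystore-password"), "keystore-password")` on each read gives a named failure instead. The absolute path on line 24 appears to duplicate the `HTTPS_PROPS` default the start script sets elsewhere in this commit; reading `System.getenv("HTTPS_PROPS")` with the same fallback would keep the two from drifting. The enclosing class continues outside the hunk.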
<resource>
<directory>src/main/resources</directory>
<includes>
- <include>idmlight.db.mv.db</include>
- <include>keystore.jks</include>
- <include>aaa-app-config.xml</include>
+ <include>*.jks</include>
</includes>
<filtering>false</filtering>
</resource>
ENV JAVA_SECURITY_DIR /etc/ssl/certs/java
ENV SDNC_NORTHBOUND_REPO mvn:org.o-ran-sc.nonrtric.sdnc-a1.northbound/sdnc-a1-northbound-all/${sdnc.northbound.version}/xml/features
ENV SDNC_KEYSTORE keystore.jks
-ENV SDNC_KEYPASS sdnc-a1-controller
+ENV SDNC_TRUSTSTORE truststore.jks
ENV SDNC_SECUREPORT 8443
USER root
# Install java certificate
COPY $SDNC_KEYSTORE $JAVA_SECURITY_DIR
+COPY $SDNC_TRUSTSTORE $JAVA_SECURITY_DIR
# Secure with TLS
RUN echo org.osgi.service.http.secure.enabled=true >> $ODL_HOME/etc/custom.properties
RUN echo org.osgi.service.http.secure.port=$SDNC_SECUREPORT >> $ODL_HOME/etc/custom.properties
-RUN echo org.ops4j.pax.web.ssl.keystore=$JAVA_SECURITY_DIR/$SDNC_KEYSTORE >> $ODL_HOME/etc/custom.properties
-RUN echo org.ops4j.pax.web.ssl.password=$SDNC_KEYPASS >> $ODL_HOME/etc/custom.properties
-RUN echo org.ops4j.pax.web.ssl.keypassword=$SDNC_KEYPASS >> $ODL_HOME/etc/custom.properties
RUN chown -R odl:odl /opt
ODL_HOME=${ODL_HOME:-/opt/opendaylight/current}
ODL_ADMIN_USERNAME=${ODL_ADMIN_USERNAME:-admin}
ODL_ADMIN_PASSWORD=${ODL_ADMIN_PASSWORD:-Kp8bJ4SXszM0WXlhak3eHlcse2gAw84vaoGGmJvUy2U}
+HTTPS_PROPS=${HTTPS_PROPS:-/opt/onap/sdnc/data/properties/https-props.properties}
SDNC_HOME=${SDNC_HOME:-/opt/onap/sdnc}
SDNC_BIN=${SDNC_BIN:-/opt/onap/sdnc/bin}
MYSQL_PASSWD=${MYSQL_PASSWD:-openECOMP1.0}
INSTALLED_DIR=${INSTALLED_FILE:-/opt/opendaylight/current/daexim}
export ODL_ADMIN_PASSWORD ODL_ADMIN_USERNAME
+echo org.ops4j.pax.web.ssl.keystore=$(cat $HTTPS_PROPS | grep -w key-store | cut -d '=' -f2) >> /opt/opendaylight/etc/custom.properties
+echo org.ops4j.pax.web.ssl.password=$(cat $HTTPS_PROPS | grep -w keystore-password | cut -d '=' -f2) >> /opt/opendaylight/etc/custom.properties
+echo org.ops4j.pax.web.ssl.keypassword=$(cat $HTTPS_PROPS | grep -w key-password | cut -d '=' -f2) >> /opt/opendaylight/etc/custom.properties
+
#
# Wait for database
#
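Review bot: Lines 92–94 append with `>>` every time the script runs, whereas the removed Dockerfile lines did this once at image build, so if this is the container start script (the runtime defaults on lines 83–90 suggest it is) every restart adds another set of `org.ops4j.pax.web.ssl.*` lines to custom.properties. `cut -d '=' -f2` also truncates a password that itself contains `=`, and a mounted properties file written with spaces around `=`, as the previous format on line 102 was, yields values with a leading space. The sketch below guards each key and uses `-f2-`; it keeps the first value written, so a later change to the properties file needs the old line removed (or an in-place replace) to take effect.
```shell
CUSTOM_PROPS=/opt/opendaylight/etc/custom.properties
# value of one key in $HTTPS_PROPS; -f2- keeps a value that contains '='
https_prop() {
    grep -w "^$1" "$HTTPS_PROPS" | cut -d '=' -f2- | sed 's/^[[:space:]]*//'
}
# append a key only when absent so restarts do not accumulate duplicates
add_custom_prop() {
    grep -q "^$1=" "$CUSTOM_PROPS" || echo "$1=$2" >> "$CUSTOM_PROPS"
}
add_custom_prop org.ops4j.pax.web.ssl.keystore "$(https_prop key-store)"
add_custom_prop org.ops4j.pax.web.ssl.password "$(https_prop keystore-password)"
add_custom_prop org.ops4j.pax.web.ssl.keypassword "$(https_prop key-password)"
# … unchanged: wait for database …
```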
# limitations under the License.
# ========================LICENSE_END===================================
-key-store-password = sdnc-a1-controller
-key-store = /etc/ssl/certs/java/keystore.jks
\ No newline at end of file
+key-store=/etc/ssl/certs/java/keystore.jks
+key-password=sdnc-a1-controller
+keystore-password=sdnc-a1-controller
+isTrustStoreUsed=true
+trust-store=/etc/ssl/certs/java/truststore.jks
+truststore-password=sdnc-a1-controller
--- /dev/null
+The SDNC-A1 controller uses the default keystore and truststore that are built into the container.
+
+The paths and passwords for these stores are located in a properties file:
+nonrtric/sdnc-a1-controller/oam/installation/src/main/properties/https-props.properties
+
+The default truststore includes the a1simulator cert as a trusted cert which is located here:
+https://gerrit.o-ran-sc.org/r/gitweb?p=sim/a1-interface.git;a=tree;f=near-rt-ric-simulator/certificate;h=172c1e5aacd52d760e4416288dc5648a5817ce65;hb=HEAD
+
+The default keystore, truststore, and https-props.properties files can be overridden by mounting new files using the "volumes" field of docker-compose. Uncommment the following lines in docker-compose to do this, and provide paths to the new files:
+
+#volumes:
+ # - <path_to_keystore>:/etc/ssl/certs/java/keystore.jks:ro
+ # - <path_to_truststore>:/etc/ssl/certs/java/truststore.jks:ro
+ # - <path_to_https-props>:/opt/onap/sdnc/data/properties/https-props.properties:ro
+
+The target paths in the container should not be modified.
+
+For example, assuming that the keystore, truststore, and https-props.properties files are located in the same directory as docker-compose:
+
+volumes:
+ - ./new_keystore.jks:/etc/ssl/certs/java/keystore.jks:ro
+ - ./new_truststore.jks:/etc/ssl/certs/java/truststore.jks:ro
+ - ./new_https-props.properties:/opt/onap/sdnc/data/properties/https-props.properties:ro
+
+
+## License
+
+Copyright (C) 2020 Nordix Foundation.
+Licensed under the Apache License, Version 2.0 (the "License")
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+
+For more information about license please see the [LICENSE](LICENSE.txt) file for details.
+
+
environment:
- MYSQL_ROOT_PASSWORD=openECOMP1.0
- SDNC_CONFIG_DIR=/opt/onap/sdnc/data/properties
+ #volumes:
+ # - <path_to_keystore>:/etc/ssl/certs/java/keystore.jks:ro
+ # - <path_to_truststore>:/etc/ssl/certs/java/truststore.jks:ro
+ # - <path_to_https-props>:/opt/onap/sdnc/data/properties/https-props.properties:ro
dns:
- ${DNS_IP_ADDR-10.0.100.1}
logging: