From: RehanRaza Date: Tue, 23 Jun 2020 13:16:05 +0000 (+0200) Subject: Make certs in A1 controller configurable X-Git-Tag: 2.1.0~71^2 X-Git-Url: https://gerrit.o-ran-sc.org/r/gitweb?a=commitdiff_plain;h=ef04b3c0530ddcdcd089ba6aa9a52f4f854761dc;p=nonrtric.git Make certs in A1 controller configurable Change-Id: I33dd9bf57cd0ddd8f09d67282600591670675a43 Signed-off-by: RehanRaza
---
diff --git a/sdnc-a1-controller/northbound/nonrt-ric-api/provider/src/main/java/org/o_ran_sc/nonrtric/sdnc_a1/northbound/restadapter/RestAdapterImpl.java b/sdnc-a1-controller/northbound/nonrt-ric-api/provider/src/main/java/org/o_ran_sc/nonrtric/sdnc_a1/northbound/restadapter/RestAdapterImpl.java
index 928b65fe..d2e602ff 100644
--- a/sdnc-a1-controller/northbound/nonrt-ric-api/provider/src/main/java/org/o_ran_sc/nonrtric/sdnc_a1/northbound/restadapter/RestAdapterImpl.java
+++ b/sdnc-a1-controller/northbound/nonrt-ric-api/provider/src/main/java/org/o_ran_sc/nonrtric/sdnc_a1/northbound/restadapter/RestAdapterImpl.java
@@ -20,7 +20,7 @@ package org.o_ran_sc.nonrtric.sdnc_a1.northbound.restadapter;
-import java.io.FileNotFoundException;
+import java.io.FileInputStream;
 import java.io.IOException;
 import java.io.InputStream;
 import java.net.MalformedURLException;
@@ -36,6 +36,7 @@ import org.apache.http.conn.ssl.NoopHostnameVerifier;
 import org.apache.http.conn.ssl.SSLConnectionSocketFactory;
 import org.apache.http.conn.ssl.TrustAllStrategy;
 import org.apache.http.impl.client.HttpClients;
+import org.apache.http.ssl.SSLContextBuilder;
 import org.apache.http.ssl.SSLContexts;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
@@ -58,7 +59,6 @@ import org.springframework.web.client.RestTemplate;
 public class RestAdapterImpl implements RestAdapter {
- private static final String PROPERTIES_FILE = "nonrt-ric-api-provider.properties";
 private final Logger log = LoggerFactory.getLogger(RestAdapterImpl.class);
 private RestTemplate restTemplateHttp;
@@ -76,24 +76,26 @@ public class RestAdapterImpl implements RestAdapter {
 private RestTemplate createRestTemplateForHttps() throws IOException, UnrecoverableKeyException, CertificateException, NoSuchAlgorithmException, KeyStoreException, KeyManagementException {
- InputStream inputStream = RestAdapterImpl.class.getClassLoader().getResourceAsStream(PROPERTIES_FILE);
- if (inputStream == null) {
- throw new FileNotFoundException("properties file not found in classpath");
- } else {
+ try (InputStream inputStream = new FileInputStream(ResourceUtils.getFile("/opt/onap/sdnc/data/properties/https-props.properties"))) {
 Properties properties = new Properties();
 properties.load(inputStream);
- final String keystorePassword = properties.getProperty("key-store-password");
- SSLConnectionSocketFactory scsf = new SSLConnectionSocketFactory(
- SSLContexts.custom()
- .loadKeyMaterial(ResourceUtils.getFile(properties.getProperty("key-store")),
- keystorePassword.toCharArray(), keystorePassword.toCharArray())
- .loadTrustMaterial(null, new TrustAllStrategy())
- .build(),
- NoopHostnameVerifier.INSTANCE);
+ final String keyPassword = properties.getProperty("key-password");
+ final String keystorePassword = properties.getProperty("keystore-password");
+ final String truststorePassword = properties.getProperty("truststore-password");
+ final boolean isTrustStoreUsed = Boolean.parseBoolean(properties.getProperty("isTrustStoreUsed"));
+ SSLContextBuilder builder = SSLContexts.custom()
+ .loadKeyMaterial(ResourceUtils.getFile(properties.getProperty("key-store")),
+ keystorePassword.toCharArray(), keyPassword.toCharArray());
+ if (isTrustStoreUsed) {
+ builder.loadTrustMaterial(ResourceUtils.getFile(properties.getProperty("trust-store")),
+ truststorePassword.toCharArray());
+ } else {
+ builder.loadTrustMaterial(null, new TrustAllStrategy());
+ }
+ SSLConnectionSocketFactory scsf = new SSLConnectionSocketFactory(builder.build(), NoopHostnameVerifier.INSTANCE);
 HttpClient client =
 HttpClients.custom().setSSLSocketFactory(scsf).build();
 HttpComponentsClientHttpRequestFactory requestFactory = new HttpComponentsClientHttpRequestFactory();
 requestFactory.setHttpClient(client);
- inputStream.close();
 return new RestTemplate(requestFactory);
 }
 }
diff --git a/sdnc-a1-controller/oam/installation/sdnc-a1/pom.xml b/sdnc-a1-controller/oam/installation/sdnc-a1/pom.xml
index cd580730..b8816ece 100644
--- a/sdnc-a1-controller/oam/installation/sdnc-a1/pom.xml
+++ b/sdnc-a1-controller/oam/installation/sdnc-a1/pom.xml
@@ -190,9 +190,7 @@ src/main/resources - idmlight.db.mv.db - keystore.jks - aaa-app-config.xml + *.jks false
diff --git a/sdnc-a1-controller/oam/installation/sdnc-a1/src/main/docker/standalone.Dockerfile b/sdnc-a1-controller/oam/installation/sdnc-a1/src/main/docker/standalone.Dockerfile
index 03977f81..e80187a2 100755
--- a/sdnc-a1-controller/oam/installation/sdnc-a1/src/main/docker/standalone.Dockerfile
+++ b/sdnc-a1-controller/oam/installation/sdnc-a1/src/main/docker/standalone.Dockerfile
@@ -45,7 +45,7 @@ ENV SDNC_CONFIG_DIR /opt/onap/sdnc/data/properties
 ENV JAVA_SECURITY_DIR /etc/ssl/certs/java
 ENV SDNC_NORTHBOUND_REPO mvn:org.o-ran-sc.nonrtric.sdnc-a1.northbound/sdnc-a1-northbound-all/${sdnc.northbound.version}/xml/features
 ENV SDNC_KEYSTORE keystore.jks
-ENV SDNC_KEYPASS sdnc-a1-controller
+ENV SDNC_TRUSTSTORE truststore.jks
 ENV SDNC_SECUREPORT 8443
 USER root
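Review bot: `NoopHostnameVerifier.INSTANCE` is still passed to the new `SSLConnectionSocketFactory` on the last added line of the hunk, so even when `isTrustStoreUsed` is true and a real trust store is loaded, the peer's hostname is never checked against its certificate and any certificate chaining to a trusted CA is accepted for any host. When a trust store is configured the default verifier should be used: `HostnameVerifier verifier = isTrustStoreUsed ? SSLConnectionSocketFactory.getDefaultHostnameVerifier() : NoopHostnameVerifier.INSTANCE;` followed by `new SSLConnectionSocketFactory(builder.build(), verifier)` (this needs `javax.net.ssl.HostnameVerifier` imported). Note also that `Boolean.parseBoolean` of a missing `isTrustStoreUsed` key yields false, so a properties file that lacks the key silently falls back to `TrustAllStrategy`; reading it as `properties.getProperty("isTrustStoreUsed", "true")` keeps the fail-closed behaviour. The three password lookups are likewise unchecked, so a missing key surfaces as a bare NullPointerException at `toCharArray()` instead of a message naming the property.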
@@ -60,13 +60,11 @@ RUN sed -i "s/odl-restconf-all/odl-restconf-all,odl-netconf-topology/g" $ODL_HO
 # Install java certificate
 COPY $SDNC_KEYSTORE $JAVA_SECURITY_DIR
+COPY $SDNC_TRUSTSTORE $JAVA_SECURITY_DIR
 # Secure with TLS
 RUN echo org.osgi.service.http.secure.enabled=true >> $ODL_HOME/etc/custom.properties
 RUN echo org.osgi.service.http.secure.port=$SDNC_SECUREPORT >> $ODL_HOME/etc/custom.properties
-RUN echo org.ops4j.pax.web.ssl.keystore=$JAVA_SECURITY_DIR/$SDNC_KEYSTORE >> $ODL_HOME/etc/custom.properties
-RUN echo org.ops4j.pax.web.ssl.password=$SDNC_KEYPASS >> $ODL_HOME/etc/custom.properties
-RUN echo org.ops4j.pax.web.ssl.keypassword=$SDNC_KEYPASS >> $ODL_HOME/etc/custom.properties
 RUN chown -R odl:odl /opt
diff --git a/sdnc-a1-controller/oam/installation/sdnc-a1/src/main/resources/truststore.jks b/sdnc-a1-controller/oam/installation/sdnc-a1/src/main/resources/truststore.jks
new file mode 100644
index 00000000..ce2d0edb
Binary files /dev/null and b/sdnc-a1-controller/oam/installation/sdnc-a1/src/main/resources/truststore.jks differ
diff --git a/sdnc-a1-controller/oam/installation/sdnc-a1/src/main/scripts/startODL.sh b/sdnc-a1-controller/oam/installation/sdnc-a1/src/main/scripts/startODL.sh
index 78d3ea3d..54a7b6b6 100755
--- a/sdnc-a1-controller/oam/installation/sdnc-a1/src/main/scripts/startODL.sh
+++ b/sdnc-a1-controller/oam/installation/sdnc-a1/src/main/scripts/startODL.sh
@@ -27,12 +27,17 @@ ODL_HOME=${ODL_HOME:-/opt/opendaylight/current}
 ODL_ADMIN_USERNAME=${ODL_ADMIN_USERNAME:-admin}
 ODL_ADMIN_PASSWORD=${ODL_ADMIN_PASSWORD:-Kp8bJ4SXszM0WXlhak3eHlcse2gAw84vaoGGmJvUy2U}
+HTTPS_PROPS=${HTTPS_PROPS:-/opt/onap/sdnc/data/properties/https-props.properties}
 SDNC_HOME=${SDNC_HOME:-/opt/onap/sdnc}
 SDNC_BIN=${SDNC_BIN:-/opt/onap/sdnc/bin}
 MYSQL_PASSWD=${MYSQL_PASSWD:-openECOMP1.0}
 INSTALLED_DIR=${INSTALLED_FILE:-/opt/opendaylight/current/daexim}
 export ODL_ADMIN_PASSWORD ODL_ADMIN_USERNAME
+echo org.ops4j.pax.web.ssl.keystore=$(cat $HTTPS_PROPS | grep -w key-store | cut -d '=' -f2) >> /opt/opendaylight/etc/custom.properties
+echo org.ops4j.pax.web.ssl.password=$(cat $HTTPS_PROPS | grep -w keystore-password | cut -d '=' -f2) >> /opt/opendaylight/etc/custom.properties
+echo org.ops4j.pax.web.ssl.keypassword=$(cat $HTTPS_PROPS | grep -w key-password | cut -d '=' -f2) >> /opt/opendaylight/etc/custom.properties
+
 #
 # Wait for database
 #
diff --git a/sdnc-a1-controller/northbound/nonrt-ric-api/provider/src/main/resources/nonrt-ric-api-provider.properties b/sdnc-a1-controller/oam/installation/src/main/properties/https-props.properties
similarity index 77%
rename from sdnc-a1-controller/northbound/nonrt-ric-api/provider/src/main/resources/nonrt-ric-api-provider.properties
rename to sdnc-a1-controller/oam/installation/src/main/properties/https-props.properties
index 6a066a6d..e3155c5b 100644
--- a/sdnc-a1-controller/northbound/nonrt-ric-api/provider/src/main/resources/nonrt-ric-api-provider.properties
+++ b/sdnc-a1-controller/oam/installation/src/main/properties/https-props.properties
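Review bot: The three added `echo ... >> /opt/opendaylight/etc/custom.properties` lines run unconditionally on every container start, so each restart appends another copy of the `org.ops4j.pax.web.ssl.*` entries, whereas the Dockerfile `RUN` lines they replace executed once at image build. Guarding them with a `grep -q` on the existing file keeps the file stable across restarts, and `cut -d '=' -f2-` instead of `-f2` preserves values that themselves contain `=`; the `cat | grep` pipelines can also be plain `grep` on the file. The target path is hard-coded although `ODL_HOME` is defined a few lines above the hunk; I cannot tell from here whether `/opt/opendaylight/etc` and `$ODL_HOME/etc` resolve to the same directory, so that is worth confirming against the Dockerfile, which writes to `$ODL_HOME/etc/custom.properties`.
```shell
CUSTOM_PROPS=/opt/opendaylight/etc/custom.properties
if ! grep -q '^org.ops4j.pax.web.ssl.keystore=' "$CUSTOM_PROPS"; then
  echo org.ops4j.pax.web.ssl.keystore=$(grep -w key-store "$HTTPS_PROPS" | cut -d '=' -f2-) >> "$CUSTOM_PROPS"
  echo org.ops4j.pax.web.ssl.password=$(grep -w keystore-password "$HTTPS_PROPS" | cut -d '=' -f2-) >> "$CUSTOM_PROPS"
  echo org.ops4j.pax.web.ssl.keypassword=$(grep -w key-password "$HTTPS_PROPS" | cut -d '=' -f2-) >> "$CUSTOM_PROPS"
fi
# … unchanged: database wait loop …
```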
@@ -16,5 +16,9 @@
 # limitations under the License.
 # ========================LICENSE_END===================================
-key-store-password = sdnc-a1-controller
-key-store = /etc/ssl/certs/java/keystore.jks
\ No newline at end of file
+key-store=/etc/ssl/certs/java/keystore.jks
+key-password=sdnc-a1-controller
+keystore-password=sdnc-a1-controller
+isTrustStoreUsed=true
+trust-store=/etc/ssl/certs/java/truststore.jks
+truststore-password=sdnc-a1-controller
diff --git a/sdnc-a1-controller/oam/installation/src/main/yaml/README.md b/sdnc-a1-controller/oam/installation/src/main/yaml/README.md
new file mode 100644
index 00000000..a82c70df
--- /dev/null
+++ b/sdnc-a1-controller/oam/installation/src/main/yaml/README.md
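Review bot: The new key `isTrustStoreUsed` breaks the kebab-case naming that the other five keys in this file follow (`key-store`, `key-password`, `keystore-password`, `trust-store`, `truststore-password`); `use-trust-store=true`, with the matching `getProperty` call in RestAdapterImpl updated, would keep the file consistent. All three passwords share one default value and this file is the one operators are told to replace, so a header comment such as `# Container defaults for development; override by mounting your own https-props.properties (see src/main/yaml/README.md)` would help readers who find this file before the README.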
@@ -0,0 +1,43 @@ +The SDNC-A1 controller uses the default keystore and truststore that are built into the container. + +The paths and passwords for these stores are located in a properties file: +nonrtric/sdnc-a1-controller/oam/installation/src/main/properties/https-props.properties + +The default truststore includes the a1simulator cert as a trusted cert which is located here: +https://gerrit.o-ran-sc.org/r/gitweb?p=sim/a1-interface.git;a=tree;f=near-rt-ric-simulator/certificate;h=172c1e5aacd52d760e4416288dc5648a5817ce65;hb=HEAD + +The default keystore, truststore, and https-props.properties files can be overridden by mounting new files using the "volumes" field of docker-compose. Uncommment the following lines in docker-compose to do this, and provide paths to the new files: + +#volumes: + # - :/etc/ssl/certs/java/keystore.jks:ro + # - :/etc/ssl/certs/java/truststore.jks:ro + # - :/opt/onap/sdnc/data/properties/https-props.properties:ro + +The target paths in the container should not be modified. + +For example, assuming that the keystore, truststore, and https-props.properties files are located in the same directory as docker-compose: + +volumes: + - ./new_keystore.jks:/etc/ssl/certs/java/keystore.jks:ro + - ./new_truststore.jks:/etc/ssl/certs/java/truststore.jks:ro + - ./new_https-props.properties:/opt/onap/sdnc/data/properties/https-props.properties:ro + + +## License + +Copyright (C) 2020 Nordix Foundation. +Licensed under the Apache License, Version 2.0 (the "License") +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. 
+ +For more information about license please see the [LICENSE](LICENSE.txt) file for details. + + diff --git a/sdnc-a1-controller/oam/installation/src/main/yaml/docker-compose.yml b/sdnc-a1-controller/oam/installation/src/main/yaml/docker-compose.yml index c2b99787..93121a7a 100644 --- a/sdnc-a1-controller/oam/installation/src/main/yaml/docker-compose.yml +++ b/sdnc-a1-controller/oam/installation/src/main/yaml/docker-compose.yml @@ -55,6 +55,10 @@ services: environment: - MYSQL_ROOT_PASSWORD=openECOMP1.0 - SDNC_CONFIG_DIR=/opt/onap/sdnc/data/properties + #volumes: + # - :/etc/ssl/certs/java/keystore.jks:ro + # - :/etc/ssl/certs/java/truststore.jks:ro + # - :/opt/onap/sdnc/data/properties/https-props.properties:ro dns: - ${DNS_IP_ADDR-10.0.100.1} logging:
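Review bot: The commented-out `volumes` template in the docker-compose hunk leaves the host side of each mount empty (`# - :/etc/ssl/certs/java/keystore.jks:ro`), so uncommenting it as-is yields an invalid bind mount rather than a prompt to fill something in. A visible placeholder such as `# - <path-to-keystore>:/etc/ssl/certs/java/keystore.jks:ro` on each of the three lines makes the required edit obvious. The README added in the same commit already shows a filled-in example, so a trailing `# see README.md` comment on the `#volumes:` line would tie the two together.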