From: elinuxhenrik Date: Thu, 25 Jun 2020 17:15:45 +0000 (+0200) Subject: Make certs in Policy Agent configurable X-Git-Tag: 2.0.1~14 X-Git-Url: https://gerrit.o-ran-sc.org/r/gitweb?a=commitdiff_plain;h=refs%2Fchanges%2F38%2F4438%2F1;p=nonrtric.git Make certs in Policy Agent configurable Change-Id: I85787b757546288f783e44c05fdda90c32e59f7e Issue-ID: NONRTRIC-254 Signed-off-by: elinuxhenrik --- diff --git a/policy-agent/Dockerfile b/policy-agent/Dockerfile index 15f05023..7c722e16 100644 --- a/policy-agent/Dockerfile +++ b/policy-agent/Dockerfile @@ -30,6 +30,8 @@ EXPOSE 8081 8433 ADD /config/application.yaml /opt/app/policy-agent/config/application.yaml ADD /config/application_configuration.json /opt/app/policy-agent/data/application_configuration.json_example ADD target/${JAR} /opt/app/policy-agent/policy-agent.jar +ADD /config/keystore.jks /opt/app/policy-agent/etc/cert/keystore.jks +ADD /config/truststore.jks /opt/app/policy-agent/etc/cert/truststore.jks RUN chmod -R 777 /opt/app/policy-agent/config/ diff --git a/policy-agent/README.md b/policy-agent/README.md index d6eb9544..90a67c9e 100644 --- a/policy-agent/README.md +++ b/policy-agent/README.md @@ -11,6 +11,32 @@ It provides support for: all policies of a type etc. -Maps O1 resources (ManagedElement) as defined in O1 to the controlling RIC +The Policy Agent uses the default keystore and truststore that are built into the container. The paths and passwords for these stores are located in a yaml file: +nonrtric/policy-agent/config/application.yaml + +The default truststore includes a1simulator cert as a trusted cert which is located here: +https://gerrit.o-ran-sc.org/r/gitweb?p=sim/a1-interface.git;a=tree;f=near-rt-ric-simulator/certificate;h=172c1e5aacd52d760e4416288dc5648a5817ce65;hb=HEAD + +The default truststore also includes a1controller cert as a trusted cert which is located here (keystore.jks file): +https://gerrit.o-ran-sc.org/r/gitweb?p=nonrtric.git;a=tree;f=sdnc-a1-controller/oam/installation/sdnc-a1/src/main/resources;h=17fdf6cecc7a866c5ce10a35672b742a9f0c4acf;hb=HEAD + +There is also Policy Agent's own cert in the default truststore for mocking purposes and unit-testing (ApplicationTest.java). + +The default keystore, truststore, and application.yaml files can be overridden by mounting new files using the "volumes" field of docker-compose or docker run command. + +Assuming that the keystore, truststore, and application.yaml files are located in the same directory as docker-compose, the volumes field should have these entries: + +volumes: + - ./new_keystore.jks:/opt/app/policy-agent/etc/cert/keystore.jks:ro + - ./new_truststore.jks:/opt/app/policy-agent/etc/cert/truststore.jks:ro + - ./new_application.yaml:/opt/app/policy-agent/config/application.yaml:ro + +The target paths in the container should not be modified. + +Example docker run command for mounting new files: +docker run -p 8081:8081 -p 8433:8433 --name=policy-agent-container --network=nonrtric-docker-net --volume /new_keystore.jks:/opt/app/policy-agent/etc/cert/keystore.jks --volume /new_truststore.jks:/opt/app/policy-agent/etc/cert/truststore.jks --volume /new_application.yaml:/opt/app/policy-agent/config/application.yaml o-ran-sc/nonrtric-policy-agent:2.0.0-SNAPSHOT + + To Run Policy Agent in Local: In the folder /opt/app/policy-agent/config/, create a soft link with below command, ln -s application_configuration.json diff --git a/policy-agent/config/application.yaml b/policy-agent/config/application.yaml index aac43930..e9146e01 100644 --- a/policy-agent/config/application.yaml +++ b/policy-agent/config/application.yaml @@ -25,7 +25,7 @@ server: ssl: key-store-type: JKS key-store-password: policy_agent - key-store: classpath:keystore.jks + key-store: /opt/app/policy-agent/etc/cert/keystore.jks key-password: policy_agent key-alias: policy_agent app: @@ -33,5 +33,5 @@ app: webclient: trust-store-used: false trust-store-password: policy_agent - trust-store: classpath:keystore.jks + trust-store: /opt/app/policy-agent/etc/cert/truststore.jks diff --git a/policy-agent/src/main/resources/keystore.jks b/policy-agent/config/keystore.jks similarity index 100% rename from policy-agent/src/main/resources/keystore.jks rename to policy-agent/config/keystore.jks diff --git a/policy-agent/config/truststore.jks b/policy-agent/config/truststore.jks new file mode 100644 index 00000000..1845abe1 Binary files /dev/null and b/policy-agent/config/truststore.jks differ diff --git a/policy-agent/src/test/java/org/oransc/policyagent/ApplicationTest.java b/policy-agent/src/test/java/org/oransc/policyagent/ApplicationTest.java index a8cab60c..a1972f62 100644 --- a/policy-agent/src/test/java/org/oransc/policyagent/ApplicationTest.java +++ b/policy-agent/src/test/java/org/oransc/policyagent/ApplicationTest.java @@ -81,6 +81,7 @@ import org.springframework.context.ApplicationContext; import org.springframework.context.annotation.Bean; import org.springframework.http.HttpStatus; import org.springframework.http.ResponseEntity; +import org.springframework.test.context.TestPropertySource; import org.springframework.test.context.junit.jupiter.SpringExtension; import org.springframework.web.reactive.function.client.WebClientResponseException; @@ -90,6 +91,10 @@ import reactor.util.annotation.Nullable; @ExtendWith(SpringExtension.class) @SpringBootTest(webEnvironment = WebEnvironment.RANDOM_PORT) +@TestPropertySource( + properties = { // + "server.ssl.key-store=./config/keystore.jks", // + "app.webclient.trust-store=./config/truststore.jks"}) class ApplicationTest { private static final Logger logger = LoggerFactory.getLogger(ApplicationTest.class); diff --git a/policy-agent/src/test/java/org/oransc/policyagent/MockPolicyAgent.java b/policy-agent/src/test/java/org/oransc/policyagent/MockPolicyAgent.java index d37a2be4..f42a631f 100644 --- a/policy-agent/src/test/java/org/oransc/policyagent/MockPolicyAgent.java +++ b/policy-agent/src/test/java/org/oransc/policyagent/MockPolicyAgent.java @@ -50,11 +50,16 @@ import org.springframework.boot.test.context.SpringBootTest.WebEnvironment; import org.springframework.boot.test.context.TestConfiguration; import org.springframework.boot.web.server.LocalServerPort; import org.springframework.context.annotation.Bean; +import org.springframework.test.context.TestPropertySource; import org.springframework.test.context.junit.jupiter.SpringExtension; import org.springframework.util.StringUtils; @ExtendWith(SpringExtension.class) @SpringBootTest(webEnvironment = WebEnvironment.DEFINED_PORT) +@TestPropertySource( + properties = { // + "server.ssl.key-store=./config/keystore.jks", // + "app.webclient.trust-store=./config/truststore.jks"}) class MockPolicyAgent { private static final Logger logger = LoggerFactory.getLogger(MockPolicyAgent.class);