From 955e56b891ce62e832cbb93afd29b65c891bd71a Mon Sep 17 00:00:00 2001
From: RehanRaza
Date: Thu, 25 Jun 2020 19:15:45 +0200
Subject: [PATCH] Make certs in Policy Agent configurable
Change-Id: I85787b757546288f783e44c05fdda90c32e59f7e
Issue-ID: NONRTRIC-254
Signed-off-by: RehanRaza
---
 policy-agent/Dockerfile | 2 ++
 policy-agent/README.md | 26 +++++++++++++++++++++
 policy-agent/config/application.yaml | 4 ++--
 .../{src/main/resources => config}/keystore.jks | Bin
 policy-agent/config/truststore.jks | Bin 0 -> 2970 bytes
 .../org/oransc/policyagent/ApplicationTest.java | 5 ++++
 .../org/oransc/policyagent/MockPolicyAgent.java | 5 ++++
 7 files changed, 40 insertions(+), 2 deletions(-)
 rename policy-agent/{src/main/resources => config}/keystore.jks (100%)
 create mode 100644 policy-agent/config/truststore.jks
diff --git a/policy-agent/Dockerfile b/policy-agent/Dockerfile
index 15f05023..7c722e16 100644
--- a/policy-agent/Dockerfile
+++ b/policy-agent/Dockerfile
@@ -30,6 +30,8 @@ EXPOSE 8081 8433
 ADD /config/application.yaml /opt/app/policy-agent/config/application.yaml
 ADD /config/application_configuration.json /opt/app/policy-agent/data/application_configuration.json_example
 ADD target/${JAR} /opt/app/policy-agent/policy-agent.jar
+ADD /config/keystore.jks /opt/app/policy-agent/etc/cert/keystore.jks
+ADD /config/truststore.jks /opt/app/policy-agent/etc/cert/truststore.jks
 RUN chmod -R 777 /opt/app/policy-agent/config/
diff --git a/policy-agent/README.md b/policy-agent/README.md
index d6eb9544..90a67c9e 100644
--- a/policy-agent/README.md
+++ b/policy-agent/README.md
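Review bot: The two new ADD lines bake the repository's committed keystore.jks — whose password is the plain `policy_agent` shown in this patch's application.yaml hunk — into every image, so any deployment that does not mount its own files under /opt/app/policy-agent/etc/cert/ serves TLS with a private key that anyone with repository access holds. The README describes the volume mounts, but the Dockerfile itself gives no hint that these are development defaults; a comment above the new lines, `# Default dev keystore/truststore: production deployments must mount their own files at these paths (see README.md)`, would make that visible where the files are added. As a point of style, `COPY` is the conventional instruction for plain local files since `ADD` also carries URL-fetch and archive-extraction semantics, although the existing ADD lines in this hunk set the precedent.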
@@ -11,6 +11,32 @@ It provides support for: all policies of a type etc. -Maps O1 resources (ManagedElement) as defined in O1 to the controlling RIC
+The Policy Agent uses the default keystore and truststore that are built into the container. The paths and passwords for these stores are located in a yaml file:
+nonrtric/policy-agent/config/application.yaml
+
+The default truststore includes a1simulator cert as a trusted cert which is located here:
+https://gerrit.o-ran-sc.org/r/gitweb?p=sim/a1-interface.git;a=tree;f=near-rt-ric-simulator/certificate;h=172c1e5aacd52d760e4416288dc5648a5817ce65;hb=HEAD
+
+The default truststore also includes a1controller cert as a trusted cert which is located here (keystore.jks file):
+https://gerrit.o-ran-sc.org/r/gitweb?p=nonrtric.git;a=tree;f=sdnc-a1-controller/oam/installation/sdnc-a1/src/main/resources;h=17fdf6cecc7a866c5ce10a35672b742a9f0c4acf;hb=HEAD
+
+There is also Policy Agent's own cert in the default truststore for mocking purposes and unit-testing (ApplicationTest.java).
+
+The default keystore, truststore, and application.yaml files can be overridden by mounting new files using the "volumes" field of docker-compose or docker run command.
+
+Assuming that the keystore, truststore, and application.yaml files are located in the same directory as docker-compose, the volumes field should have these entries:
+
+volumes:
+ - ./new_keystore.jks:/opt/app/policy-agent/etc/cert/keystore.jks:ro
+ - ./new_truststore.jks:/opt/app/policy-agent/etc/cert/truststore.jks:ro
+ - ./new_application.yaml:/opt/app/policy-agent/config/application.yaml:ro
+
+The target paths in the container should not be modified.
+
+Example docker run command for mounting new files:
+docker run -p 8081:8081 -p 8433:8433 --name=policy-agent-container --network=nonrtric-docker-net --volume /new_keystore.jks:/opt/app/policy-agent/etc/cert/keystore.jks --volume /new_truststore.jks:/opt/app/policy-agent/etc/cert/truststore.jks --volume /new_application.yaml:/opt/app/policy-agent/config/application.yaml o-ran-sc/nonrtric-policy-agent:2.0.0-SNAPSHOT
+
+
 To Run Policy Agent in Local:
 In the folder /opt/app/policy-agent/config/, create a soft link with below command,
 ln -s application_configuration.json
diff --git a/policy-agent/config/application.yaml b/policy-agent/config/application.yaml
index aac43930..e9146e01 100644
--- a/policy-agent/config/application.yaml
+++ b/policy-agent/config/application.yaml
@@ -25,7 +25,7 @@ server:
 ssl:
 key-store-type: JKS
 key-store-password: policy_agent
- key-store: classpath:keystore.jks
+ key-store: /opt/app/policy-agent/etc/cert/keystore.jks
 key-password: policy_agent
 key-alias: policy_agent
 app:
@@ -33,5 +33,5 @@ app:
 webclient:
 trust-store-used: false
 trust-store-password: policy_agent
- trust-store: classpath:keystore.jks
+ trust-store: /opt/app/policy-agent/etc/cert/truststore.jks
diff --git a/policy-agent/src/main/resources/keystore.jks b/policy-agent/config/keystore.jks
similarity index 100%
rename from policy-agent/src/main/resources/keystore.jks
rename to policy-agent/config/keystore.jks
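Review bot: The second application.yaml hunk points `trust-store` at the new truststore.jks but leaves `trust-store-used: false` untouched, so if that flag means what its name suggests the new truststore is never consulted by the web client unless a deployer also flips it, while the README text added in this patch lists the certs the default truststore trusts as though verification were active. A comment next to the path, `# only consulted when trust-store-used is true`, or a sentence in the README saying the flag must be enabled, would close that gap. Both hunks also keep `key-store-password`/`trust-store-password` as the plain value `policy_agent` in the same file, so anyone mounting a new keystore or truststore must edit the matching password here too; the README says application.yaml can be overridden but not that these fields are the reason. The first hunk additionally replaces `classpath:keystore.jks` with an absolute container path, so running the jar outside the container presumably now needs that file at /opt/app/policy-agent/etc/cert/ or an override of `server.ssl.key-store`, which the "To Run Policy Agent in Local" section of the README does not mention.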
diff --git a/policy-agent/config/truststore.jks b/policy-agent/config/truststore.jks new file mode 100644 index 0000000000000000000000000000000000000000..1845abe1dcce77173b2c3e24c1d6447156ed87ef GIT binary patch literal 2970 zcmV;L3uW{$f(w=c0Ru3C3r_|KDuzgg_YDCD0ic2lKm>vdJTQU_I52_>GzJMOhDe6@ z4FLxRpn?k}FoFvq0s#Opf(sf32`Yw2hW8Bt2LUiC1_~;MNQUnk!<&S1&d80s{cUP=JC8;Of8&PuY87YB3?vJaFmk=hKhN=HC?3a@#7L z&JHsL&8dRS7#^N$^ZbpOHKqRU;L4WZA(jzFDM(!kwEQO>^1c5GhOdQpOG|Cm@Z z4@G`?VYyWWd{=_3JrhpfCJc1rJK+jr*-x9#txH0I2MC+(>*nbbLd1w{zfOQ|K7eq{ z2Rvo9MzlvsQNy~3nvUtg_IzjH$zM5A$6dS@aa}OFT+$LaTI%l-3(CiGUK)PyT*x=) z*7{Ge4wIR*;2XU!pa3$Z&rW_40it2uG}=-7K{?bW(pdIIXwj_*3yE z#8v)KJm9)+dsXojy}Qz-dKc(EQlwgA$#%153|l5j;aQj?$cte`yG9oF?I4UpRk1L$wBzzL;GIAOVBC>$kCs@VR*#PJ zrXg9w;>dfZYQ1N(uy#l=l#+x42~_5@&C3XE$1L4^n+cJ=2YQ~)1w^nVY?sZXlK zAyJY+JZhM9>o% z4wW|%Co4mWj`MR7A)=9o+;zvv{OGc_5#{CXR=JSiSsJZXgX#WY&aD;tuPjTapevWS zWZ(Fnt|O|!V-)CScWX#WRN0Q|85x2AUcTEd-yz&S-XPPBWE`^xA8*n#4^eAYJ6mhM zM`Gh=hmUSxd=OUEUv!5vLcS?w3JwiKqib1lYCdn+#!s>^Jz9>NIf`YabjTLw^M2>! 
z!e8tjPDsgVi(y2Qd*VY)oElss0^Ag{Q^HF(r&g120}LbsWi4WM+q0oX{p`|>a( z6=%hlr%|UV2D!w|%y{jf9okzrTiO%SQfh2&n@>AUpnMO~)5phY-(|m5iGaRnJdYUa zozzk_h+K62aSSG}cgtxrmWL@FG0KNJ%zXz81}*Ib5@18rYJ_EqzxdnmGv2@->iwHD z{k2=6$L=_vN`>zQ+P$1$1$6NV*;0ev9#WCy8bFVvDsj%QDr?^dyvVx5u;8wjS9M;d zv}B8mFf$qI3t#vS+U9W{zq!9Z?@_2`P<2rNW1|$_1k^RcY1X5w2&$>do)KdYen;;6 zypt?y;d0`dbu$WZ<_09-zjUGQs zTuDad#=v^cH~-;|4lupl6qDv+r2kHIk+M}pqJ7Vp=7b&kq&%(N_TBA$Lp;D&TsuhY zCF2np)ynoYb>Umx`<&sGs*CiYSB&UeOjyDOQOM5VFMop*Rh^5MWyDPZj&=!mh|!x& zMbeW27-?;T;pS8b?cX4h^z7UC>BH|spG282&A1O~Fm287xFY`ns1;nS$#7Z)0at#< z(T_ZXQTd#~N2p(jDS#BK3@T*}w*-RNH@;wP!=v;Mi73)=c(nusI&i3R*K52s!x&^= z0RFIB@;G5k9hs))b1clj|D8qoh)Dkt57Z6_$!5iw$$e z)l2XS00HC($@y8pb*gEL?Hcm6bK4ct6ImGvLv9*zaeDL!~o^Vk)1RPRfziyXghf;e}hj4yazRKOW0@gI3_dm14%}-1giTmW0Mvlp-g0vq(Ou#I7lISYfP3h&)a1nprOtGS?IR9O@wk z^i1Q#2={G)vt~VKkc>Ld>z)4t<5ijEuSjP%OeV@I!pw4wr0DAf1||(9Hjq21`k=*# zAXiY3xHExZEKPW9+sSd93kJaH_b5oRk|e#n)G7x6q*5Ib?jX)r%1=gA^smM6%Nuh& zZ8w!%^59y8%{Fcmpl~XNssM^L1?JnGg46z`aaDA;iEjyMX)+!@8F#5MVAMK+@-w=o1%)&)=l6Bnd7Qpe-rS&0Gr6&vIV%p%w_lixWMg58c z*z9&JYb$!veWAZo(4>q44BTc*E<2Bs z@-KyNUNX|%gE~R{3}2YZ0%%Wrqo2d_T2Akah4IVRSLeK4UE!%e{{$ZFLcHyRvyL4J zu-p9eAcm--)l6KQxw6wuQPufTr#p0xplr_{*H%q!a8D>0~C ziDcI*I5PM+9i~@W;k(1H48>+S!$VGar zx{-#bMdKep(65}Cu)}|069F@~S=Toebhn_Z*`snQmVx_a5d&!vaavXFrtA@2 zNW(jDB!(J;B$w6ziMrI%lL*xxKoNrHEm7&oR&T|Q(p5)1jh)6+h`oHYfkdCi>o4_< zMwR<}uU))WFkonPZqmU7zboX@_MCjL;t$U)$XSwr2&->0{Z`dZgPqH9e195&=^T>oQxZw+$LA0R&xlb&_9>2d8fhqP%xVoG9Q zw!MZfZs*1VE&atK#wL1#6^7 zN|&?X@##C6KUYDACNghv-8zMRQ-goZB`abIk5l_=>iKr6{Mi-0HM|L~1@Ln;zFOY=0( z`!GH*AutIB1uG5%0vZJX1QZ;{-^fwmJ9BSXS@DS~XCIT0hv5Vi6-ZbkEc{(!@-_H% Qc{7JogKecw0s{etph4!GyZ`_I literal 0 HcmV?d00001 diff --git a/policy-agent/src/test/java/org/oransc/policyagent/ApplicationTest.java b/policy-agent/src/test/java/org/oransc/policyagent/ApplicationTest.java index a8cab60c..a1972f62 100644 --- a/policy-agent/src/test/java/org/oransc/policyagent/ApplicationTest.java 
+++ b/policy-agent/src/test/java/org/oransc/policyagent/ApplicationTest.java
@@ -81,6 +81,7 @@ import org.springframework.context.ApplicationContext;
 import org.springframework.context.annotation.Bean;
 import org.springframework.http.HttpStatus;
 import org.springframework.http.ResponseEntity;
+import org.springframework.test.context.TestPropertySource;
 import org.springframework.test.context.junit.jupiter.SpringExtension;
 import org.springframework.web.reactive.function.client.WebClientResponseException;
@@ -90,6 +91,10 @@ import reactor.util.annotation.Nullable;
 @ExtendWith(SpringExtension.class)
 @SpringBootTest(webEnvironment = WebEnvironment.RANDOM_PORT)
+@TestPropertySource(
+ properties = { //
+ "server.ssl.key-store=./config/keystore.jks", //
+ "app.webclient.trust-store=./config/truststore.jks"})
 class ApplicationTest {
 private static final Logger logger = LoggerFactory.getLogger(ApplicationTest.class);
diff --git a/policy-agent/src/test/java/org/oransc/policyagent/MockPolicyAgent.java b/policy-agent/src/test/java/org/oransc/policyagent/MockPolicyAgent.java
index d37a2be4..f42a631f 100644
--- a/policy-agent/src/test/java/org/oransc/policyagent/MockPolicyAgent.java
+++ b/policy-agent/src/test/java/org/oransc/policyagent/MockPolicyAgent.java
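Review bot: The added @TestPropertySource values `./config/keystore.jks` and `./config/truststore.jks` are resolved against the JVM working directory, so the test only finds the stores when launched from the policy-agent module directory; started from the repository root or from an IDE with another working directory it presumably fails during context startup with a missing-file error rather than a message that names the assumption. A comment on the annotation, `// Store paths are relative to the module directory (policy-agent/), which is where surefire runs the tests`, would save the next person that debugging round. The same annotation with the same relative paths is added to MockPolicyAgent.java in the following file section, so whatever is decided here applies there too. The trailing `//` after `properties = { //` and the first string literal looks like a formatter-defeating device and deserves a word in that comment as well. The body of `class ApplicationTest` continues outside the hunk.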
@@ -50,11 +50,16 @@ import org.springframework.boot.test.context.SpringBootTest.WebEnvironment;
 import org.springframework.boot.test.context.TestConfiguration;
 import org.springframework.boot.web.server.LocalServerPort;
 import org.springframework.context.annotation.Bean;
+import org.springframework.test.context.TestPropertySource;
 import org.springframework.test.context.junit.jupiter.SpringExtension;
 import org.springframework.util.StringUtils;
 @ExtendWith(SpringExtension.class)
 @SpringBootTest(webEnvironment = WebEnvironment.DEFINED_PORT)
+@TestPropertySource(
+ properties = { //
+ "server.ssl.key-store=./config/keystore.jks", //
+ "app.webclient.trust-store=./config/truststore.jks"})
 class MockPolicyAgent {
 private static final Logger logger = LoggerFactory.getLogger(MockPolicyAgent.class);
-- 2.16.6