From ed3e1826d2deb3700be36a0e2fe13566bd0a2a97 Mon Sep 17 00:00:00 2001 From: elinuxhenrik Date: Tue, 23 Jun 2020 15:16:05 +0200 Subject: [PATCH] Make certs in A1 controller configurable Change-Id: I33dd9bf57cd0ddd8f09d67282600591670675a43 Signed-off-by: elinuxhenrik --- .../northbound/restadapter/RestAdapterImpl.java | 32 ++++++++------- .../oam/installation/sdnc-a1/pom.xml | 4 +- .../sdnc-a1/src/main/docker/standalone.Dockerfile | 6 +-- .../sdnc-a1/src/main/resources/truststore.jks | Bin 0 -> 970 bytes .../sdnc-a1/src/main/scripts/startODL.sh | 5 +++ .../src/main/properties/https-props.properties} | 8 +++- .../oam/installation/src/main/yaml/README.md | 43 +++++++++++++++++++++ .../installation/src/main/yaml/docker-compose.yml | 4 ++ 8 files changed, 78 insertions(+), 24 deletions(-) create mode 100644 sdnc-a1-controller/oam/installation/sdnc-a1/src/main/resources/truststore.jks rename sdnc-a1-controller/{northbound/nonrt-ric-api/provider/src/main/resources/nonrt-ric-api-provider.properties => oam/installation/src/main/properties/https-props.properties} (77%) create mode 100644 sdnc-a1-controller/oam/installation/src/main/yaml/README.md diff --git a/sdnc-a1-controller/northbound/nonrt-ric-api/provider/src/main/java/org/o_ran_sc/nonrtric/sdnc_a1/northbound/restadapter/RestAdapterImpl.java b/sdnc-a1-controller/northbound/nonrt-ric-api/provider/src/main/java/org/o_ran_sc/nonrtric/sdnc_a1/northbound/restadapter/RestAdapterImpl.java index 928b65fe..d2e602ff 100644 --- a/sdnc-a1-controller/northbound/nonrt-ric-api/provider/src/main/java/org/o_ran_sc/nonrtric/sdnc_a1/northbound/restadapter/RestAdapterImpl.java +++ b/sdnc-a1-controller/northbound/nonrt-ric-api/provider/src/main/java/org/o_ran_sc/nonrtric/sdnc_a1/northbound/restadapter/RestAdapterImpl.java 
@@ -20,7 +20,7 @@ package org.o_ran_sc.nonrtric.sdnc_a1.northbound.restadapter; -import java.io.FileNotFoundException; +import java.io.FileInputStream; import java.io.IOException; import java.io.InputStream; import java.net.MalformedURLException; @@ -36,6 +36,7 @@ import org.apache.http.conn.ssl.NoopHostnameVerifier; import org.apache.http.conn.ssl.SSLConnectionSocketFactory; import org.apache.http.conn.ssl.TrustAllStrategy; import org.apache.http.impl.client.HttpClients; +import org.apache.http.ssl.SSLContextBuilder; import org.apache.http.ssl.SSLContexts; import org.slf4j.Logger; import org.slf4j.LoggerFactory; @@ -58,7 +59,6 @@ import org.springframework.web.client.RestTemplate; public class RestAdapterImpl implements RestAdapter { - private static final String PROPERTIES_FILE = "nonrt-ric-api-provider.properties"; private final Logger log = LoggerFactory.getLogger(RestAdapterImpl.class); private RestTemplate restTemplateHttp; 
@@ -76,24 +76,26 @@ public class RestAdapterImpl implements RestAdapter { private RestTemplate createRestTemplateForHttps() throws IOException, UnrecoverableKeyException, CertificateException, NoSuchAlgorithmException, KeyStoreException, KeyManagementException { - InputStream inputStream = RestAdapterImpl.class.getClassLoader().getResourceAsStream(PROPERTIES_FILE); - if (inputStream == null) { - throw new FileNotFoundException("properties file not found in classpath"); - } else { + try (InputStream inputStream = new FileInputStream(ResourceUtils.getFile("/opt/onap/sdnc/data/properties/https-props.properties"))) { Properties properties = new Properties(); properties.load(inputStream); - final String keystorePassword = properties.getProperty("key-store-password"); - SSLConnectionSocketFactory scsf = new SSLConnectionSocketFactory( - SSLContexts.custom() - .loadKeyMaterial(ResourceUtils.getFile(properties.getProperty("key-store")), - keystorePassword.toCharArray(), keystorePassword.toCharArray()) - .loadTrustMaterial(null, new TrustAllStrategy()) - .build(), - NoopHostnameVerifier.INSTANCE); + final String keyPassword = properties.getProperty("key-password"); + final String keystorePassword = properties.getProperty("keystore-password"); + final String truststorePassword = properties.getProperty("truststore-password"); + final boolean isTrustStoreUsed = Boolean.parseBoolean(properties.getProperty("isTrustStoreUsed")); + SSLContextBuilder builder = SSLContexts.custom() + .loadKeyMaterial(ResourceUtils.getFile(properties.getProperty("key-store")), + keystorePassword.toCharArray(), keyPassword.toCharArray()); + if (isTrustStoreUsed) { + builder.loadTrustMaterial(ResourceUtils.getFile(properties.getProperty("trust-store")), + truststorePassword.toCharArray()); + } else { + builder.loadTrustMaterial(null, new TrustAllStrategy()); + } + SSLConnectionSocketFactory scsf = new SSLConnectionSocketFactory(builder.build(), NoopHostnameVerifier.INSTANCE); HttpClient client = 
HttpClients.custom().setSSLSocketFactory(scsf).build(); HttpComponentsClientHttpRequestFactory requestFactory = new HttpComponentsClientHttpRequestFactory(); requestFactory.setHttpClient(client); - inputStream.close(); return new RestTemplate(requestFactory); } } diff --git a/sdnc-a1-controller/oam/installation/sdnc-a1/pom.xml b/sdnc-a1-controller/oam/installation/sdnc-a1/pom.xml index cd580730..b8816ece 100644 --- a/sdnc-a1-controller/oam/installation/sdnc-a1/pom.xml +++ b/sdnc-a1-controller/oam/installation/sdnc-a1/pom.xml @@ -190,9 +190,7 @@ src/main/resources - idmlight.db.mv.db - keystore.jks - aaa-app-config.xml + *.jks false diff --git a/sdnc-a1-controller/oam/installation/sdnc-a1/src/main/docker/standalone.Dockerfile b/sdnc-a1-controller/oam/installation/sdnc-a1/src/main/docker/standalone.Dockerfile index 03977f81..e80187a2 100755 --- a/sdnc-a1-controller/oam/installation/sdnc-a1/src/main/docker/standalone.Dockerfile +++ b/sdnc-a1-controller/oam/installation/sdnc-a1/src/main/docker/standalone.Dockerfile @@ -45,7 +45,7 @@ ENV SDNC_CONFIG_DIR /opt/onap/sdnc/data/properties ENV JAVA_SECURITY_DIR /etc/ssl/certs/java ENV SDNC_NORTHBOUND_REPO mvn:org.o-ran-sc.nonrtric.sdnc-a1.northbound/sdnc-a1-northbound-all/${sdnc.northbound.version}/xml/features ENV SDNC_KEYSTORE keystore.jks -ENV SDNC_KEYPASS sdnc-a1-controller +ENV SDNC_TRUSTSTORE truststore.jks ENV SDNC_SECUREPORT 8443 USER root 
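Review bot: `NoopHostnameVerifier.INSTANCE` is still passed to the `SSLConnectionSocketFactory` on the new side, so with `isTrustStoreUsed=true` the peer's chain is checked against the truststore but the certificate is never matched against the host being called, and any certificate the truststore vouches for is accepted for any host. Select the verifier with the same flag, e.g. `new SSLConnectionSocketFactory(builder.build(), isTrustStoreUsed ? SSLConnectionSocketFactory.getDefaultHostnameVerifier() : NoopHostnameVerifier.INSTANCE)`. Relatedly, `Boolean.parseBoolean` on a missing or misspelled `isTrustStoreUsed` key yields `false`, which silently selects the `TrustAllStrategy` branch; an absent key should be treated as a configuration error, or at least reported through `log` before falling back. The three password properties are dereferenced with `toCharArray()` without a null check, so a missing key surfaces as a bare NullPointerException rather than naming the property; `Objects.requireNonNull(properties.getProperty("key-password"), "key-password")` (and likewise for the other two) would make the failure self-explanatory.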
@@ -60,13 +60,11 @@ RUN sed -i "s/odl-restconf-all/odl-restconf-all,odl-netconf-topology/g" $ODL_HO # Install java certificate COPY $SDNC_KEYSTORE $JAVA_SECURITY_DIR +COPY $SDNC_TRUSTSTORE $JAVA_SECURITY_DIR # Secure with TLS RUN echo org.osgi.service.http.secure.enabled=true >> $ODL_HOME/etc/custom.properties RUN echo org.osgi.service.http.secure.port=$SDNC_SECUREPORT >> $ODL_HOME/etc/custom.properties -RUN echo org.ops4j.pax.web.ssl.keystore=$JAVA_SECURITY_DIR/$SDNC_KEYSTORE >> $ODL_HOME/etc/custom.properties -RUN echo org.ops4j.pax.web.ssl.password=$SDNC_KEYPASS >> $ODL_HOME/etc/custom.properties -RUN echo org.ops4j.pax.web.ssl.keypassword=$SDNC_KEYPASS >> $ODL_HOME/etc/custom.properties RUN chown -R odl:odl /opt diff --git a/sdnc-a1-controller/oam/installation/sdnc-a1/src/main/resources/truststore.jks b/sdnc-a1-controller/oam/installation/sdnc-a1/src/main/resources/truststore.jks new file mode 100644 index 0000000000000000000000000000000000000000..ce2d0edb840a58929dd209f19a042bf06f550b77 GIT binary patch literal 970 zcmV;*12z0Gf&<0^0Ru3C1AhhyDuzgg_YDCD0ic2da0G$_Y%qcYXfT2UWCjT;hDe6@ z4FLxRpn?NcFoFY70s#Opf&)qh2`Yw2hW8Bt2LUiC1_~;MNQUUp6H@suBy)H4 z$-2K_Y(3`hcBOA1pz?`7(La3ohy}3Yqh#Wdt8x~5&bFDIlN0Q4-g^VF8WPdx2Jh1V zj8Wk5UO#eCL`(gKBMH4zx>uG(inZ@NKVJt?pxBsDJbQ(ZQ23fr7X^Ez);=;dnosb; zLbehQh#EWo#wzgPKaTt_9j|jMDOkq)6J5LDG2U>YtZpG2>Orf)`~pgV>q%dZyGT5( z1~p;H7@JbyN8iMQA z?bW;$I*Hvhs9OTT@DaKLW+2~*0?ek}Gg^?@wwyKZ%^7OZ;nQyknXA`uzgn1i1Ze3S z)8A|Fk$uH3yBU@EUURbhcly#X7x((EZSmnA^1hiX9?`DdM{pUXf*%$5*lGgFw!=xn z?hn_%hsE3TB6%6LTkuUqWcyXi^m>f1Cd8msR4EhQgDvAckLtRPRgdJ|WkI^3`UZ!r z$#^NZJ-~1NWPhRg-B+G)bPlcKC1298Iul%)@kXIu+Q1tlxM z!R&jEg$0Re99X%C0aFlsF4RE}94c^FAp|yvWiUQ4AutIB1uG5%0vZJX1Qaz$BXosg sSp4JhksViyygs?MQ(goVs7xk0s{etpo0R> /opt/opendaylight/etc/custom.properties +echo org.ops4j.pax.web.ssl.keypassword=$(cat $HTTPS_PROPS | grep -w key-password | cut -d '=' -f2) >> /opt/opendaylight/etc/custom.properties + # # Wait for database # 
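Review bot: After this hunk the `# Secure with TLS` block only enables the secure port, and the removed `org.ops4j.pax.web.ssl.keystore`/`password`/`keypassword` settings are no longer written anywhere in the image build, so a reader of standalone.Dockerfile cannot tell where the keystore is configured. The fragment of startODL.sh visible in this patch appends `org.ops4j.pax.web.ssl.keypassword` to `/opt/opendaylight/etc/custom.properties` at start-up, so a pointer comment belongs here, e.g. `# pax-web keystore path and passwords are appended to custom.properties at start-up by startODL.sh, read from the https-props.properties file`. Dropping the `SDNC_KEYPASS` literal from the ENV in the first Dockerfile hunk is a good move, since ENV values are visible to anyone who can inspect the image; it would be worth a one-line comment there as well so the password is not reintroduced as an ENV later.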
diff --git a/sdnc-a1-controller/northbound/nonrt-ric-api/provider/src/main/resources/nonrt-ric-api-provider.properties b/sdnc-a1-controller/oam/installation/src/main/properties/https-props.properties similarity index 77% rename from sdnc-a1-controller/northbound/nonrt-ric-api/provider/src/main/resources/nonrt-ric-api-provider.properties rename to sdnc-a1-controller/oam/installation/src/main/properties/https-props.properties index 6a066a6d..e3155c5b 100644 --- a/sdnc-a1-controller/northbound/nonrt-ric-api/provider/src/main/resources/nonrt-ric-api-provider.properties +++ b/sdnc-a1-controller/oam/installation/src/main/properties/https-props.properties @@ -16,5 +16,9 @@ # limitations under the License. # ========================LICENSE_END=================================== -key-store-password = sdnc-a1-controller -key-store = /etc/ssl/certs/java/keystore.jks \ No newline at end of file +key-store=/etc/ssl/certs/java/keystore.jks +key-password=sdnc-a1-controller +keystore-password=sdnc-a1-controller +isTrustStoreUsed=true +trust-store=/etc/ssl/certs/java/truststore.jks +truststore-password=sdnc-a1-controller diff --git a/sdnc-a1-controller/oam/installation/src/main/yaml/README.md b/sdnc-a1-controller/oam/installation/src/main/yaml/README.md new file mode 100644 index 00000000..a82c70df --- /dev/null +++ b/sdnc-a1-controller/oam/installation/src/main/yaml/README.md 
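Review bot: The new keys mix three naming styles — `key-store`/`trust-store` hyphenated, `keystore-password`/`truststore-password` compounded, and `isTrustStoreUsed` in camelCase — and RestAdapterImpl reads each name literally, so a key mistyped in an override file yields a null password (NullPointerException) or, for `isTrustStoreUsed`, a silent fall-back to trusting every server certificate. Since the names are introduced by this commit, aligning them now (for example `key-store-password`, `trust-store-password`, `use-trust-store`, with the matching `getProperty` calls adjusted) is cheap; if they stay, each key should at least be documented in the file. A header comment should also state that these values are development defaults committed to the repository and are meant to be replaced via the mount described in src/main/yaml/README.md, and that `isTrustStoreUsed=false` leaves the `trust-store*` entries unused and disables server-certificate validation entirely.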
@@ -0,0 +1,43 @@ +The SDNC-A1 controller uses the default keystore and truststore that are built into the container. + +The paths and passwords for these stores are located in a properties file: +nonrtric/sdnc-a1-controller/oam/installation/src/main/properties/https-props.properties + +The default truststore includes the a1simulator cert as a trusted cert which is located here: +https://gerrit.o-ran-sc.org/r/gitweb?p=sim/a1-interface.git;a=tree;f=near-rt-ric-simulator/certificate;h=172c1e5aacd52d760e4416288dc5648a5817ce65;hb=HEAD + +The default keystore, truststore, and https-props.properties files can be overridden by mounting new files using the "volumes" field of docker-compose. Uncommment the following lines in docker-compose to do this, and provide paths to the new files: + +#volumes: + # - :/etc/ssl/certs/java/keystore.jks:ro + # - :/etc/ssl/certs/java/truststore.jks:ro + # - :/opt/onap/sdnc/data/properties/https-props.properties:ro + +The target paths in the container should not be modified. + +For example, assuming that the keystore, truststore, and https-props.properties files are located in the same directory as docker-compose: + +volumes: + - ./new_keystore.jks:/etc/ssl/certs/java/keystore.jks:ro + - ./new_truststore.jks:/etc/ssl/certs/java/truststore.jks:ro + - ./new_https-props.properties:/opt/onap/sdnc/data/properties/https-props.properties:ro + + +## License + +Copyright (C) 2020 Nordix Foundation. +Licensed under the Apache License, Version 2.0 (the "License") +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. 
+ +For more information about license please see the [LICENSE](LICENSE.txt) file for details. + + diff --git a/sdnc-a1-controller/oam/installation/src/main/yaml/docker-compose.yml b/sdnc-a1-controller/oam/installation/src/main/yaml/docker-compose.yml index c2b99787..93121a7a 100644 --- a/sdnc-a1-controller/oam/installation/src/main/yaml/docker-compose.yml +++ b/sdnc-a1-controller/oam/installation/src/main/yaml/docker-compose.yml @@ -55,6 +55,10 @@ services: environment: - MYSQL_ROOT_PASSWORD=openECOMP1.0 - SDNC_CONFIG_DIR=/opt/onap/sdnc/data/properties + #volumes: + # - :/etc/ssl/certs/java/keystore.jks:ro + # - :/etc/ssl/certs/java/truststore.jks:ro + # - :/opt/onap/sdnc/data/properties/https-props.properties:ro dns: - ${DNS_IP_ADDR-10.0.100.1} logging: -- 2.16.6
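Review bot: The commented-out `volumes` entries carry an empty host path (`# - :/etc/ssl/certs/java/keystore.jks:ro`), so uncommenting them as-is yields a mount spec with no source side, which docker-compose will not interpret as intended. The README added in this commit shows the working form with `./new_keystore.jks`, so the template should use a recognisable placeholder instead, e.g. `# - ./keystore.jks:/etc/ssl/certs/java/keystore.jks:ro` for each of the three lines, or a leading comment `# replace the host path before each ':' with your own file`. The same empty-host-path form is repeated in the README hunk.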