FRANKFURT UPDATE for Configurations - AAF Agent
Topic: Demo of AAF-Hello, which demonstrates how to use the AAF Agent for Auto-configuration for Frankfurt.
- Note: AAF Version: 2.1.20
- Covers JDK 11 update
- Covers running YOUR container Non-root
- The video uses some shorthand commands, which are set up as Bash Functions and Aliases for AAF. These are available on the following page as well.
Frankfurt Docker Agent Video Page
Original Video for Configuration
Developer Instructions for creating Configurations, Certificates and Coding in Java.
Apologies for size... 369.4. Will try to make smaller, or look into streaming options later.
21 Comments
Dominic Lunanuova
this seems to be the same video Jonathan posted on readthedocs, but we can make comments here.
Dominic Lunanuova
Although I didn't catch him actually saying it, the password for aaf_admin@people.osaaf.org, which is used in the demo, is the same as the password for deployer@people.osaaf.org.
Dominic Lunanuova
NOTE: when I download the agent.sh script in my Mozilla browser, it saves it as auth_docker_agent.sh. Seems to be the same file...
Dominic Lunanuova
the agent script attempts to run docker image onap/aaf/aaf_agent:2.1.2-SNAPSHOT but that is not in nexus3 at this time.
Dominic Lunanuova
So, using instructions here, built a local copy.
Used modified command: mvn clean install -Dmaven.test.skip=true
Stopped after step for ./dbuild.sh succeeded in creating local images.
Then, returned to run the agent script, which ran but gave me a mixed result. i.e. it seemed to create certificate-related files in local but ultimately gave me a 404 for the UserRole not found. (I was using Role dmaap-bc@dmaap-bc.onap.org so back to GUI to see what is the correct value....) Any files that had been downloaded seem to have been removed upon getting the error.
Dominic Lunanuova
Never did discover the reason for the 404 I saw. Stopped investigating when I found the generated files...
Dominic Lunanuova
As of 8/15, I see these containers in nexus3, so no need to build locally!
Dominic Lunanuova
Notice in the video that Jonathan is in /opt/app/osaaft directory when he invokes bash agent.sh
but after the container starts and does its work, he is now in a bash shell within the container in /opt/app/osaaft/local. This is where he zips things up and copies to the docker host.
This didn't happen for me. That is, the container ran, seemed to do something, and then exited without a trace - it didn't even show up in docker ps -a output. I was left in my original directory on docker host.
However, I finally did find the generated files in /var/lib/docker/volumes/bc_local where bc_local was the value I used for VOLUME.
Vijay Venkatesh Kumar
Thanks Dominic Lunanuova for the pointers! Was able to get the container built and certificate generated.
The 404 is due to missing role assignment ("dcae@dcae.onap.org") under dcae namespace which is used in testing by default.
Jorge Hernandez
I think you may be missing the "bash" argument to the script (note the last line in the auth_docker_agent.sh script). It needs the "bash" argument to go into interactive mode, i.e.: "bash ~/bin/auth_docker_agent.sh bash". The bash opens in the "/opt/app/osaaf/local" directory of the container that has the generated files.
Dominic Lunanuova
correct! ...glad there was a reasonable explanation. I was uncomfortable with how this "just worked"...
Dominic Lunanuova
Q: All passwords are properly encrypted in props files for cadi library. But how would I decrypt password to allow a non-cadi server (e.g. embedded Jetty server) to use the SSL certificate?
Dominic Lunanuova
Passwords were generated by AAF, so Jonathan wouldn't have provided them to us via backchannel as he did for Beijing.
Steps to see them on the docker host:
/opt/app/osaaf/local# java -jar /home/dgl/workspace/aaf.Certs/authz/cadi/aaf/target/aaf-cadi-aaf-2.1.2-SNAPSHOT-full.jar cadi_prop_files=./org.onap.dmaap-bc.props showpass dmaap-bc@dmaap-bc.onap.org dmaap-bc
cadi_truststore_password=GeneratedPasswordNotPastedToWikiArticle
cadi_key_password=GeneratedPasswordNotPastedToWikiArticle
cadi_keystore_password=GeneratedPasswordNotPastedToWikiArticle
ChallengePassword=GeneratedPasswordNotPastedToWikiArticle
2018-08-02T21:41:56.753-0400: Trans Info
REMOTE Show Password 2550.5276ms
Vijay Venkatesh Kumar
Thanks. None of these passwords can be used to list truststoreONAPall.jks; were you successful in integrating the generated cert with your application?
Dominic Lunanuova
RE: listing the certs using the output from showpass - mixed success.
NOTES:
cadi_keystore=/opt/app/osaaf/local/org.onap.dmaap-bc.p12
cadi_keystore_password=enc:gxav8WEKurl47o1w19cBzsLtNneP00zh7YG-yVxTgJV58cpfK_Owoa722N23XfC0
# keytool -list -v -keystore /opt/app/osaaf/local/org.onap.dmaap-bc.p12 -storepass 'GeneratedPasswordNotPastedToWikiArticle'
Keystore type: JKS
Keystore provider: SUN
Your keystore contains 1 entry
Alias name: dmaap-bc@dmaap-bc.onap.org
Creation date: Aug 2, 2018
Entry type: PrivateKeyEntry
Certificate chain length: 2
Certificate[1]:
Owner: C=US, O=ONAP, OU=OSAAF, OU=dmaap-bc@dmaap-bc.onap.org, EMAILADDRESS=, CN=dmaap-bc
Issuer: CN=intermediateCA_7, OU=OSAAF, O=ONAP, C=US
Serial number: 4c8612025f0c8caf
Valid from: Thu Aug 02 16:08:04 EDT 2018 until: Sat Feb 02 15:08:04 EST 2019
Certificate fingerprints:
MD5: 49:88:CF:1B:09:05:DF:76:C5:D3:64:4F:02:B5:7C:7E
SHA1: D1:53:95:C8:88:F9:EE:30:55:A4:3E:CA:84:44:DD:9A:F8:1D:D1:3E
SHA256: 27:9B:1E:38:16:9F:72:8A:2A:34:B1:2F:DE:9A:62:2C:DE:BA:CC:08:28:38:E2:DE:F0:13:50:0B:86:4B:19:99
Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 2048-bit RSA key
Version: 3
Extensions:
#1: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 0F 10 14 E7 D3 67 F7 C4 AB 0B 6E 33 88 65 35 8A .....g....n3.e5.
0010: 70 93 43 93 p.C.
]
[C=US, O=ONAP, OU=OSAAF]
SerialNumber: [ 05]
]
#2: ObjectId: 2.5.29.19 Criticality=false
BasicConstraints:[
CA:false
PathLen: undefined
]
#3: ObjectId: 2.5.29.37 Criticality=true
ExtendedKeyUsages [
serverAuth
clientAuth
]
#4: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
DigitalSignature
Non_repudiation
Key_Encipherment
]
#5: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
DNSName: dmaap-bc
DNSName: dmaap-bc.onap dmaap-bc.api.simpledemo.onap.org dbc.api.simpledemo.onap.org dbc.onap dmaap-bc dmaap-prov dmaapbc dmaap-listener.onap dbc.api.simpledemo.onap.org dbc-prov
]
<remaining output cut>
cadi_truststore=/opt/app/osaaf/local/org.onap.dmaap-bc.trust.jks
cadi_truststore_password=enc:ly70s-hHM5zauCEVW3zpLHc_p12BriHyMnxMIFBs8UgApl_nvXxo9jKwaWrEtNIT
# keytool -list -v -keystore /opt/app/osaaf/local/org.onap.dmaap-bc.trust.jks -storepass 'GeneratedPasswordNotPastedToWikiArticle'
Keystore type: JKS
Keystore provider: SUN
Your keystore contains 1 entry
Alias name: ca_local_0
Creation date: Aug 2, 2018
Entry type: trustedCertEntry
Owner: C=US, O=ONAP, OU=OSAAF
Issuer: C=US, O=ONAP, OU=OSAAF
Serial number: 9eaeedc0a7ceb59d
Valid from: Thu Apr 05 10:15:28 EDT 2018 until: Wed Mar 31 10:15:28 EDT 2038
Certificate fingerprints:
MD5: 77:EB:5E:94:2E:B7:A3:45:97:6C:87:FE:A7:F7:64:0F
SHA1: 90:25:D1:D3:8B:3C:BE:2C:73:E9:6C:1A:48:5B:06:A8:39:0D:54:3B
SHA256: 1F:C2:BB:F6:7E:11:6F:F0:4C:C3:D9:6C:73:E5:99:B7:CA:7D:4D:EF:AA:6C:69:46:0D:2C:7B:A9:E4:23:5F:EA
Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 4096-bit RSA key
<remaining output cut>
Will attempt to use the cert with my app (running embedded Jetty to see how it behaves) and report results here.
Vijay Venkatesh Kumar
Yes, I was able to validate the cert and looks okay so far.
Dominic Lunanuova
After modifying AAF Certificate setup to only have jks (and not p12), and use the showpass command as above, was able to configure an embedded Jetty app to use the clear password and dump the certificate contents using openssl request (from that same host):
$ openssl s_client -connect localhost:8443 2>&1 | openssl x509 -text | grep DNS
DNS:dmaap-bc, DNS:dmaap-bc.onap dmaap-bc.api.simpledemo.onap.org dbc.api.simpledemo.onap.org dbc.onap dmaap-bc dmaap-prov dmaapbc dmaap-listener.onap dbc.api.simpledemo.onap.org dbc-prov
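The two listings above (the cadi props lines with their enc: values, and the keytool / openssl output) are worth checking mechanically before wiring the keystore into an app. The block below is an added example for this page, not AAF or CADI code. It takes props text and `keytool -list -v` text, reports which *password properties are CADI-encrypted (enc: prefix, as shown above) versus clear, flags a truststore with no cadi_truststore_password (reported further down this thread as falling back to 'changeit'), extracts the validity window and SAN DNS entries, and flags SAN entries that are not syntactically valid DNS names. Note that the second SAN entry printed above holds several space-separated hosts in one dNSName; that is a single, invalid name and will not match any of those hostnames during TLS verification. The sample inputs are constructed from the output pasted above; function names are this example's own.

```python
"""Sanity checks on an AAF/CADI certificate bundle, illustration code only.
Inputs are the cadi .props text and `keytool -list -v` text; nothing here
decrypts passwords (use the cadi showpass command in the thread for that)."""
import re
from datetime import datetime

# Constructed sample, assembled from the lines quoted in the comments above.
SAMPLE_PROPS = """\
cadi_keystore=/opt/app/osaaf/local/org.onap.dmaap-bc.p12
cadi_keystore_password=enc:gxav8WEKurl47o1w19cBzsLtNneP00zh7YG-yVxTgJV58cpfK_Owoa722N23XfC0
cadi_truststore=/opt/app/osaaf/local/org.onap.dmaap-bc.trust.jks
cadi_key_password=changeit
"""

# Constructed sample of keytool output; the SAN lines are as printed above.
SAMPLE_KEYTOOL = """\
Alias name: dmaap-bc@dmaap-bc.onap.org
Entry type: PrivateKeyEntry
Certificate chain length: 2
Certificate[1]:
Owner: C=US, O=ONAP, OU=OSAAF, OU=dmaap-bc@dmaap-bc.onap.org, EMAILADDRESS=, CN=dmaap-bc
Issuer: CN=intermediateCA_7, OU=OSAAF, O=ONAP, C=US
Valid from: Thu Aug 02 16:08:04 EDT 2018 until: Sat Feb 02 15:08:04 EST 2019
Signature algorithm name: SHA256withRSA
SubjectAlternativeName [
  DNSName: dmaap-bc
  DNSName: dmaap-bc.onap dmaap-bc.api.simpledemo.onap.org dbc.onap dbc-prov
]
"""

PASSWORD_KEY = re.compile(r"^(?P<key>\w*password\w*)=(?P<val>.*)$", re.M)


def audit_props(text):
    """Map every *password* property to 'enc' (CADI enc: prefix) or 'clear'."""
    return {m["key"]: ("enc" if m["val"].startswith("enc:") else "clear")
            for m in PASSWORD_KEY.finditer(text)}


def missing_truststore_password(text):
    """True when cadi_truststore is set but cadi_truststore_password is not
    (the thread reports the password then defaults to 'changeit')."""
    has_ts = re.search(r"^cadi_truststore=", text, re.M) is not None
    has_pw = re.search(r"^cadi_truststore_password=", text, re.M) is not None
    return has_ts and not has_pw


KEYTOOL_DATE = "%a %b %d %H:%M:%S %Y"


def _parse_keytool_date(s):
    # keytool prints a zone abbreviation (EDT/EST) that strptime cannot parse
    # portably; drop it and treat the timestamp as a naive local time.
    parts = s.split()
    return datetime.strptime(" ".join(parts[:4] + parts[5:]), KEYTOOL_DATE)


def parse_listing(text):
    """Return validity window and SAN DNS entries of the first certificate."""
    m = re.search(r"Valid from: (.+?) until: (.+)$", text, re.M)
    not_before, not_after = (_parse_keytool_date(x) for x in m.groups())
    san = re.search(r"SubjectAlternativeName \[\n(.*?)\n\]", text, re.S)
    dns = [ln.strip().split(":", 1)[1].strip()
           for ln in san.group(1).splitlines()
           if ln.strip().startswith("DNSName:")] if san else []
    return {"not_before": not_before, "not_after": not_after, "dns": dns}


# RFC 1123 host label; a SAN dNSName must be a dot-separated run of these.
LABEL = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def invalid_dns_entries(dns):
    """SAN entries that are not valid DNS names (e.g. several hosts jammed
    into one entry with spaces); such an entry matches no hostname at all."""
    return [d for d in dns
            if not d or any(not LABEL.match(lbl) for lbl in d.split("."))]


def cert_status(info, now):
    """'valid', 'not_yet_valid' or 'expired' at `now` (datetime or ISO str)."""
    if isinstance(now, str):
        now = datetime.fromisoformat(now)
    if now < info["not_before"]:
        return "not_yet_valid"
    return "expired" if now > info["not_after"] else "valid"


if __name__ == "__main__":
    print(audit_props(SAMPLE_PROPS), missing_truststore_password(SAMPLE_PROPS))
    info = parse_listing(SAMPLE_KEYTOOL)
    print(info["dns"], invalid_dns_entries(info["dns"]))
    print(cert_status(info, "2018-08-03T00:00:00"), cert_status(info, "2019-02-19T10:47:00"))
```

Feed it the real files with `audit_props(open("org.onap.dmaap-bc.props").read())` and `parse_listing(subprocess.check_output([...keytool...]).decode())`; the six-month validity printed above is the other thing worth tracking, since a bundle generated in August is expired by the February attempts described later in this thread.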
Jorge Hernandez
The truststoreONAPall.jks is the JDK one plus a couple of aai ones and the aaf root: ..
Vijay Venkatesh Kumar
Next will be to figure out how to set the CN and SAN dynamically. I can see this can be updated via the AAF GUI. If there is a way to specify this through script execution, that will be better.
Jerry Flood
Just found this comment thread. Trying to understand if any of this is applicable to my current observations. Using the above video and these docs for reference.
https://docs.onap.org/en/casablanca/submodules/aaf/authz.git/docs/sections/development/index.html
https://docs.onap.org/en/casablanca/submodules/aaf/authz.git/docs/sections/configuration/AAF_4.1_config.html
Managed to work through some of the credentials issues as described earlier in the comments.
The software does not behave as described in the video and so I am having trouble proceeding.
The agent.sh that we downloaded and renamed does not automatically execute the commands in the container as described in the video even with the 'bash' argument. In order to proceed, I did the following
Results attached. -
Then copied the following to my local (Mac)
And ran the sample app from the video. results are attached.
Thanks
Jerry
Update 02/29/2019:
cadi_truststore_password encoded in the org.onap.oof.cred.props file did not decrypt properly. Removed the property from the file in order to default to 'changeit' to resolve the Keyfile password issue.
Now having an issue with the aaf_id and aaf_password in the same file. Get the following result regardless of the credentials provided
2019-02-19T10:47:31.411-0500: Error reading location information from https://aaf-onap-test.osaaf.org:8095/locate/AAF_NS.token:2.1: 403 <html>
<head>
<meta http-equiv="Content-Type" content="text/html;charset=utf-8"/>
<title>Error 403 Access Denied</title>
</head>
<body><h2>HTTP ERROR 403</h2>
<p>Problem accessing /locate/AAF_NS.token:2.1. Reason:
<pre> Access Denied</pre></p><hr><a href="http://eclipse.org/jetty">Powered by Jetty:// 9.4.12.v20180830</a><hr/>
</body>
Same result with
Robert Bogacki
Hi. I am trying to run SimpleRestClientExample by following instructions from the video. I am able to generate the certificate but I am getting a CadiException in SimpleRestClient after an unsuccessful call to the https://aaf-token:8140/ endpoint (error code 404). Any ideas how to resolve it?