...
Section holds all properties which are planned to be supported by CertService for CMPv2 based server.
| Parameter name | Required | Syntax | Description | Validation rules |
|---|---|---|---|---|
| CA Name | Yes | String (1-128) | The CA name should include the name of the external CA server and the issuerDN, which is the distinguished name of the CA on the external CA server that will sign our certificate. | String (1-128) |
| URL | Yes | Schema + IPv4/FQDN + port + path | Url to CMPv2 server; includes mandatory parts: scheme (http://) and IPv4/FQDN and optional parts: port and path (alias); e.g. http://127.0.0.1:8080/pkix or http://127.0.0.1/ejbca/publicweb/cmp/cmp NOTE: If FQDN is given ONAP must be able to resolve it | Must be correct URL Must start with http:// scheme If port given, port from 1-65535 range |
| Issuer DN | Yes | String (4-256) | Distinguished Name of the CA that will sign the certificate on the CMPv2 server side. When creating an end entity on the external CA server for client mode this IssuerDN will be passed through as the ca to sign for that user. | String (4-256) Correct DN |
| CA Mode | Yes | Enum (CLIENT|RA) | Issuer mode (either Registration Authority (RA) or client mode) | Value from predefined set |
| Authentication data::IAK | Yes | String (1-256) | Initial authentication key, used, together with RV, to authenticate request in CMPv2 server | String (1-256) |
| Authentication data::RV | Yes | String (1-256) | Reference value, used, together with IAK, to authenticate request in CMPv2 server | String (1-256) |
CMPv2 client
Input
...
table for
...
CMPv2 client
CMPv2 will get two POJOs: first with CSR, fields extracted from CSR (like plain Common Name, Country, etc), private key and CA name (data mapped from REST API call) and second with CMPv2 server details.
Currently the POC for CMPv2 client is working based on the inputs below.
Input Values | Input Type | Description | Usage |
|---|---|---|---|
| csrMeta | object | csrMeta object from aaf, would contain values needed for certificate request. any needed values that should be stored in the csrMeta will be mentioned below. | stores all pertinent values for certificate request - these will be detailed below, and should be set before being passed to the cmpv2 client. |
| csrMeta:IssuerDn | org.bouncycastle.asn1.x500.X500Name | distinguished name of the CA we're receiving certificate from. Cannot be null | used in the creation of the cert on EJBCA server |
| csrMeta: SubjectDn | org.bouncycastle.asn1.x500.X500Name | Distinguished name of the Entity the certificate is being issued to/ Certificate Requesting Entity. Cannot be null. | used in the creation of the cert on EJBCA server |
| csrMeta: KeyPair | java.security.KeyPair | KeyPair associated with the entity the certificate is being issued to. Cannot be null | used to create proof of possession for request to EJBCA server |
| csrMeta: Password | object which contains iak/rv? | secret password value shared by EJBCA server. Cannot be null | used to authenticate ourselves to the EJBCA serve |
csrMeta: CA Details | object | Certification Authority Details ( Http address, Port number and Path (which includes alias if used)). Cannot be null | used to Post Http request to External CA. |
.cer file | java.security.cert.X509Certificate | .cer (CSR) generated by Cert-man using Key-pair. Cannot be null. | used to validate response (.crt)/ certificate send from EJBCA server |
| caName | string | the name which is a general description of the external CA | used for debugging purposes |
| caMode | enum | string noting whether the server we are contacting will be operating in either client or RA mode | used for debugging purposes |
Relevant values in Certificate Request message to EJBCA:
Value | Description | Information Included |
|---|---|---|
| PKIHeader | Contains information common to many PKI messages. | SenderDN IssuerDN ProtectionAlgorithm (used for PkiProtection below) |
| PKIBody | contains message-specific information ie. certificate request message | CertificateRequestMessage, which includes: SubjectDN IssuerDN SubjectPublicKey |
| PKIProtection | contains bits that protect PKImessage (Specifically the iak/rv) |
EJBCA SETUP SCRIPT
| View file | ||||
|---|---|---|---|---|
|
...
CertService's client properties
| Group | Parameter name | ENV variable name | Required | Default | Syntax | Description | Origin |
|---|---|---|---|---|---|---|---|
| Timeout | No | 30s | Timeout for REST API calls | Application helm chart | |||
| Path | Yes | Path where client will output generated keystore and truststore. Normally this path should be on a volume which is used to transfer keystore and truststore between CertService's client and end component | Application helm chart | ||||
| CA name | Yes | Name of CA which will enroll certificate. Must be same as configured on server side. Used in REST API calls | OOM global value | ||||
CSR details | Common Name | Yes | Common name for which certificate from CMPv2 server should be issued | Application helm chart | |||
| Organization | Yes | Organization for which certificate from CMPv2 server should be issued | OOM global value | ||||
| Organization Unit | No | Organization unit for which certificate from CMPv2 server should be issued | OOM global value | ||||
| Location | No | Location for which certificate from CMPv2 server should be issued | OOM global value | ||||
| State | Yes | State for which certificate from CMPv2 server should be issued | OOM global value | ||||
| Country | Yes | Country for which certificate from CMPv2 server should be issued | OOM global value | ||||
| SANs | No | Subject Alternative Names (SANs) for which certificate from CMPv2 server should be issued | Application helm chart |
Usage
Cause ONAP is deployed in K8s, CertService's client will be delivered as independent container and should run as init container for end component. Both init container and end component must mount the same volume (persistent or ephemeral) to transfer generated artifacts.
...