Versions Compared

Old Version 83

changes.mady.by.user Pawel Baniewski

Saved on

compared with

New Version 84

changes.mady.by.user Pawel Baniewski

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

Code Block
# WARNING - work in progress so still can change
{
   "cmpv2Servers":[
      {
         "caName":"TEST",
         "url":"http://127.0.0.1/ejbca/publicweb/cmp/cmp",
         "issuerDN":"CN=ManagementCA",
         "caMode":"CLIENT",
         "authentication":{
            "iak":"xxx",
            "rv":"yyy"
         }
      },
      {
         "caName":"TEST2",
         "url":"http://127.0.0.1/ejbca/publicweb/cmp/cmpRA",
         "issuerDN":"CN=ManagementCA2",
         "caMode":"RA",
         "authentication":{
            "iak":"xxx",
            "rv":"yyy"
         }
      }
   ]
}

CMPv2 client

Warning

CMPv2 client exposes only internal API and is called by CertService only.


Input table for CMPv2 client

CMPv2 will get two POJOs and one String: first with CSR, plain fields extracted from CSR (like subject DN, list of SANs, etc) and private key (in general data passed via REST API call) and second with CMPv2 server details and one String: CA name.


Input valueInput typeDescriptionUsage
CsrModelObjectPOJO which transfers sent CSR, plain fields extracted from CSR (like Common Name, Country, etc)
CsrModel:: csrorg.bouncycastle.pkcs.PKCS10CertificationRequest (question)Certificate Signing Request received via REST API
CsrModel:: subjectDNorg.bouncycastle.asn1.x500.X500NameSubjectDN retrieved from sent CSR
CsrModel:: privateKeyjava.security.PrivateKeyPrivate key received via REST API
CsrModel:: publicKeyjava.security.PublicKeyPublic key retrieved from sent CSR
CsrModel:: sansList of StringsSubject Alterative Names retrieved from sent CSRCsrModel:: (question)(question)(question)(warning) Others (plain data extracted from sent CSR)  if needed (warning)(question)(question)(question)
CMPv2ServerDetailsObjectPOJO which transfers CMPv2 server properties
CMPv2ServerDetails:: CA nameStringCA name as configured in CMPv2 server properties
CMPv2ServerDetails:: URLURL or StringURL to CMPv2 server as configured in CMPv2 server details
CMPv2ServerDetails:: IssuerDNorg.bouncycastle.asn1.x500.X500NameIssuer DN as configured in CMPv2 server details
CMPv2ServerDetails:: CA modeENUMCA mode as configured in CMPv2 server details
CMPv2ServerDetails:: IAKStringIAK as configured in CMPv2 server details
CMPv2ServerDetails:: RVStringRV as configured in CMPv2 server details
CA nameStringCA name received via REST API

...

CMPv2 client

...

CMPv2 client returns:

List <java.security.cert.X509Certificate> certificateChain

List <java.security.cert.X509Certificate> trustedCerts

CMPv2 client POC

TBD (warning)

Currently the POC for CMPv2 client is working based on the inputs below.

...

Input Values

...

Description

...

Usage

...

csrMeta: CA Details

...

.cer file

...

used to validate response (.crt)/ certificate send from EJBCA server

...

call to CMPv2 server

Relevant values in Initialization Request (IR) message sent to CMPv2 server:

Value

Description

Information Included

PKIHeaderContains information common to many PKI messages.

SenderDN

IssuerDN

ProtectionAlgorithm (used for PkiProtection below)

PKIBodyContains message-specific information ie. initialization request message

CertificateRequestMessage, which includes:

SubjectDN

IssuerDN

SubjectPublicKey

PKIProtectionContains bits that protect PKImessage (Specifically the iak/rv)


Return values from CMPv2 client

Following table represents return values from CMPv2 client.


Output valueOutput typeDescription
certificateChainList <java.security.cert.X509Certificate>Enrolled certificate with full certificate chain (all certificates of intermediate CAs), without root CA
trustedCertsList <java.security.cert.X509Certificate>All trusted certificates returned from CMPv2 server, including root CA

Relevant values in Certificate Request message to EJBCA:

Value

Description

Information Included

PKIHeaderContains information common to many PKI messages.

SenderDN

IssuerDN

ProtectionAlgorithm (used for PkiProtection below)

PKIBodycontains message-specific information ie. certificate request message

CertificateRequestMessage, which includes:

SubjectDN

IssuerDN

SubjectPublicKey

PKIProtectioncontains bits that protect PKImessage (Specifically the iak/rv)



Test code for running cmpv2 client against EJBCA server through unit test

Code Block
@Test
  public void testServerWithRealUrl() throws CmpClientException {

    setValidCsrMetaValuesAndDateValues();

    csrMeta.caUrl("http://127.0.0.1/ejbca/publicweb/cmp/cmpRA");
    csrMeta.password("mypassword");

    CmpClientImpl cmpClient = new CmpClientImpl(HttpClients.createDefault());
    cmpClient.createCertificate("data", "RA", csrMeta, cert, notBefore, notAfter);
  }

  private void setValidCsrMetaValuesAndDateValues() {
    ArrayList<RDN> rdns = new ArrayList<>();
    try {
      rdns.add(new RDN("O=CommonCompany"));
    } catch (CertException e) {
      e.printStackTrace();
    }
    csrMeta = new CSRMeta(rdns);
    csrMeta.cn("CN=CommonName");
    csrMeta.san("CommonName.com");
    csrMeta.password("password");
    csrMeta.email("CommonName@cn.com");
    csrMeta.issuerCn("CN=ManagementCA");
    when(kpg.generateKeyPair()).thenReturn(keyPair);
    csrMeta.keypair();
    csrMeta.caUrl("http://127.0.0.1/ejbca/publicweb/cmp/cmp");

    try {
      notBefore =
              new SimpleDateFormat("yyyy/MM/dd HH:mm:ss").parse("2019/11/11 12:00:00");
      notAfter =
              new SimpleDateFormat("yyyy/MM/dd HH:mm:ss").parse("2020/11/11 12:00:00");
    } catch (ParseException e) {
      e.printStackTrace();
    }
  }

Usage

Docker

Run CertService as docker via following command: (warning) TBA (warning)

;
    }
  }


Usage

Docker

Run CertService as docker via following command: 

Code Block
docker run -p $PORT_MAPPING --name $NAME --mount $CMPV2_SERVERS_CONFIGURATION $IMAGE_NAME
e.g.
docker run -p 8080:8080 --name aaf-certservice-api --mount type=bind,source=/<absolute_path>/cmpServers.json,target=/etc/onap/aaf/certservice/cmpServers.json nexus3.onap.org:10001/onap/org.onap.aaf.certservice.aaf-certservice-api:$VERSION
Code Block
docker run -p 8080:8080 --name cert-service $IMAGE_NAME


Kubernetes

For Kubernetes helm chart is provided. Just overwrite needed values and deploy helm chart using following command: (warning) TBA (warning)

...

CertService's client input properties

...

Below table presents all properties which should/can be passed to CertService's client to make a successful call to CertService to enroll certificate.


CSR details

Parameter nameENV variable nameRequiredDefaultSyntaxValidation rulesDescriptionOrigin
UrlREQUEST_URLNohttp(s)://aaf-cert-service-service:8080/v1/certificate/URLSyntax column

URL to Cert Service. Default value will be aligned with ONAP K8s deployment (Cert Service's K8s service name and port). Needs to be changed for plain docker deployment.

Application helm chart
TimeoutREQUEST_TIMEOUTNo30000

Int (0-120000)

Syntax columnTimeout for REST API calls. In miliseconds. A timeout value of zero is interpreted as an infinite timeout.Application helm chart
PathOUTPUT_PATHYes
String (1-256)

Syntax column

Path is valid *inx path

Path where client will output generated keystore and truststore. Normally this path should be on a volume which is used to transfer keystore and truststore between CertService's client and end componentApplication helm chart
CA nameCA_NAMEYes
String (1-128)

Syntax column

Must contain only alphanumeric characters

Name of CA which will enroll certificate. Must be same as configured on server side. Used in REST API callsOOM global value
Common NameCOMMON_NAMEYes
String (1-256)

Syntax column

CN can't contain (special characters (?, $, % and so on), IP addresses, Port numbers, or "http:// or https://")

Common name for which certificate from CMPv2 server should be issuedApplication helm chart
OrganizationORGANIZATIONYes
String (1-256)

Syntax column

Organization can't contain invalid characters from list "! @ # $ % ^ * ( ) ~ ? > < / \" (without "")

Organization for which certificate from CMPv2 server should be issuedOOM global value
Organization UnitORGANIZATION_UNITNoNot available in generated certificateString (0-256)Syntax columnOrganization unit for which certificate from CMPv2 server should be issuedOOM global value
LocationLOCATIONNoNot available in generated certificateString (0-256)

Syntax column


Location for which certificate from CMPv2 server should be issuedOOM global value
StateSTATEYes
String (1-256)Syntax columnState for which certificate from CMPv2 server should be issuedOOM global value
CountryCOUNTRYYes
String(2)C must be a 2-character ISO format country codeCountry for which certificate from CMPv2 server should be issuedOOM global value
SANsSANSNoNot available in generated certificate

String (0-2048)

SAN1[:SAN2]

Syntax columnSubject Alternative Names (SANs) for which certificate from CMPv2 server should be issued. Colon is used as delimiter, e.g. example.com:example.pl. The only supported type of SANs is DNS domain name.Application helm chart

...

Run CertService's client as docker via following command: (warning) TBA (warning)

Code Block

TEST


Kuberenetes

Cause ONAP is deployed in K8s, CertService's client will be delivered as independent container and should run as init container for end component. Both init container and end component must mount the same volume (persistent or ephemeral) to transfer generated artifacts.

...