...
As already mentioned, DFC protects external and internal traffic using two different pairs of certificate and trusted certificates. Such are configured by properties:
| Code Block |
|---|
# External traffic: dmaap.ftpesConfig.keyCert: /opt/app/datafile/config/cert.jks dmaap.ftpesConfig.keyPasswordPath: /opt/app/datafile/config/jks.pass dmaap.ftpesConfig.trustedCa: /opt/app/datafile/config/trust.jks dmaap.ftpesConfig.trustedCaPasswordPath: /opt/app/datafile/etc/cert/trust.pass # Internal traffic: dmaap.security.enableDmaapCertAuth: false dmaap.security.keyStorePasswordPath: /opt/app/datafile/etc/cert/key.pass dmaap.security.keyStorePath: /opt/app/datafile/etc/cert/key.p12 dmaap.security.trustStorePasswordPath: /opt/app/datafile/etc/cert/trust.pass dmaap.security.trustStorePath: /opt/app/datafile/etc/cert/trust.jks |
...
VES collector protects both external and internal traffic using the same certificate and trusted certificates. Such are configured by properties:
| Code Block |
|---|
# Current one is actually external one:
collector.keystore.file.location: /opt/app/dcae-certificate/cert.jks
collector.keystore.passwordfile: /opt/app/dcae-certificate/jks.pass
collector.truststore.file.location: /opt/app/dcae-certificate/trust.jks
collector.truststore.passwordfile: /opt/app/dcae-certificate/trust.pass |
...
HV-VES collector protects both external and internal traffic using the same certificate and trusted certificates. Such are configured by properties:
| Code Block |
|---|
# Current one is actually external one:
security.keys.keyStoreFile: /etc/ves-hv/ssl/cert.jks
security.keys.keyStorePasswordFile: /etc/ves-hv/ssl/jks.pass
security.keys.trustStoreFile: /etc/ves-hv/ssl/trust.jks
security.keys.trustStorePasswordFile: /etc/ves-hv/ssl/trust.pass |
RestConf collector
RestConf collector has two keystores and one truststore. One keystore is used to protect RestConf's REST API while second is used to protect communication between RestConf collector and external controllers. The same truststore is used to protect both communications. Right now its is unknown 
if the same truststore is used when RestConf communicates with DMaaP.
| Code Block |
|---|
# Keystore used to protect RestConf's REST API:
collector.keystore.file.location: "/opt/app/restconfcollector/etc/sdnc.p12"
collector.keystore.passwordfile: "/opt/app/restconfcollector/etc/passwordfile"
# Seems this alias is used to lookup correct certificate from Keystore to proetect RestConf's REST API:
collector.rcc.keystore.alias: "dynamically generated"
# Keystore used to protect communication between RestConf collector and external controllers:
collector.rcc.keystore.file.location: "/opt/app/restconfcollector/etc/keystore"
collector.rcc.keystore.passwordfile: "/opt/app/restconfcollector/etc/rcc_passwordfile"
# Truststore used to protect both external communications
collector.rcc.truststore.file.location: "/opt/app/restconfcollector/etc/truststore.onap.client.jks"
collector.rcc.truststore.passwordfile: "/opt/app/restconfcollector/etc/trustpasswordfile" |
Way forward
Blueprint generator
...
| Group | Property name | Type (input*/blueprint**/plugin***/cbs****) | Default | Description |
|---|---|---|---|---|
| external_cert | use_external_tls | input | true | A boolean that indicates whether the component uses AAF CertService to acquire operator certificate to protect external (between xNFs and ONAP) traffic. For a time being only operator certificate from CMPv2 server is supported |
| external_cert_directory | blueprint | /opt/app/dcae-certificate/external_cert | Directory where operator certificate and trusted certs should be created | |
| ca_name | input | RA | Name of Certificate Authority configured on CertService side (in cmpServers.json). Default RA_TEST corresponds to default CMPv2 testing configuration. | |
external_cert: external_certificate_parameters | common_name | input | <Specific for every blueprint> | Common name which should be present in certificate. Specific for every blueprint (e.g. dcae-ves-collector for VES) |
| sans | input | <Specific for every blueprint> | List of Subject Alternative Names (SANs) which should be present in certificate. Delimiter - : Should contain common_name value and other FQDNs under which given component is accessible, e.g. if xNFs uses ves-collector in request URL, such should be also present in SANs - e.g. dcae-ves-collector:ves-collector. | |
| Extra configuration parameters stored in CBS | ||||
properties: application_config | external_keystore_path | blueprint + cbs | /opt/app/dcae-certificate/external_cert/keystore.jks | Path to keystore with external certificate |
| external_keystore_password_path | blueprint + cbs | /opt/app/dcae-certificate/external_cert/keystore.pass | Path to password for keystore with external certificate | |
| external_truststore_path | blueprint + cbs | /opt/app/dcae-certificate/external_cert/truststore.jks | Path to truststore with external trust anchors | |
| external_truststore_password_path | blueprint + cbs | /opt/app/dcae-certificate/external_cert/truststore.pass | Path to password for truststore with external trust anchors | |
| Extra K8s plugin configuration parameters | ||||
| image_tag | plugin | nexus3.onap.org:10001/onap/org.onap.aaf.certservice.aaf-certservice-client:$VERSION | Image name and version | |
| request_url | plugin | https://aaf-cert-service:8443/v1/certificate/ | URL to Cert Service API | |
| timeout | plugin | 30000 | Request timeout | |
| country | plugin | US | Country name in ISO 3166-1 alpha-2 format, for which certificate will be created | |
| organization | plugin | Linux-Foundation | Organization name, for which certificate will be created | |
| state | plugin | California | State name, for which certificate will be created | |
| organizational_unit | plugin | ONAP | Organizational unit name, for which certificate will be created | |
| location | plugin | San-Francisco | Location name, for which certificate will be created | |
...