
How to run CertService Client

As a standalone docker container:

To connect to the CertService API over HTTPS the client needs its own certificate and key (keystore) and the trust anchors of the API (truststore). How to generate the truststore and keystore files is described in the project repository README (Gerrit / GitWeb).

Create the keystore and truststore for the HTTPS connection.

Create a file with the environment variables as in the example below. The variables fall into three groups: client settings (where to send the request and what to write), the CSR fields that go into the certificate request, and the TLS settings the client uses to authenticate to the CertService API.

Code Block
title: client_docker.env
#Client envs
#HTTPS URL of the CertService API, e.g. https://aaf-cert-service:8443/v1/certificate/
REQUEST_URL=<URL to CertService API>
REQUEST_TIMEOUT=10000
OUTPUT_PATH=/var/certs
CA_NAME=RA
OUTPUT_TYPE=P12

#CSR config envs
COMMON_NAME=onap.org
ORGANIZATION=Linux-Foundation
ORGANIZATION_UNIT=ONAP
LOCATION=San-Francisco
STATE=California
COUNTRY=US
SANS=test.onap.org:onap.com

#TLS config envs
KEYSTORE_PATH=/etc/onap/aaf/certservice/certs/certServiceClient-keystore.jks
KEYSTORE_PASSWORD=<password to certServiceClient-keystore.jks>
TRUSTSTORE_PATH=/etc/onap/aaf/certservice/certs/certServiceClient-truststore.jks
TRUSTSTORE_PASSWORD=<password to certServiceClient-truststore.jks>

Run the docker container with the environment file and the docker network (the API and the client must be running in the same network). Mount the keystore and truststore at the KEYSTORE_PATH and TRUSTSTORE_PATH given in the environment file, and mount a host directory at OUTPUT_PATH to collect the generated certificate and trust anchor. Set $VERSION to the image tag you want to run (e.g. latest).

Code Block
docker run \
   --rm \
   --name aafcert-client \
   --env-file <path to client env> \
   --network <docker network of cert service> \
   --mount type=bind,src=<path to local host directory where certificate and trust anchor will be created>,dst=<OUTPUT_PATH from the env file> \
   --volume <local path to keystore in JKS format>:<KEYSTORE_PATH from the env file> \
   --volume <local path to truststore in JKS format>:<TRUSTSTORE_PATH from the env file> \
   nexus3.onap.org:10001/onap/org.onap.aaf.certservice.aaf-certservice-client:$VERSION
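The following script is an added example and is not part of the ONAP CertService project. It checks a client_docker.env file for the mistakes that would otherwise only surface as exit code 1, 2 or 9 (missing variables, a plain http:// REQUEST_URL while keystore and truststore are configured, placeholders copied verbatim from this page, a malformed COUNTRY), wraps the docker run shown above, and maps the container's exit code to the meaning listed in the table at the end of this page. The function names, the sample file and the dummy passwords are the example's own assumptions; only the variable names, paths, image and exit codes come from this page.

```shell
#!/bin/sh
# Added example, not part of the ONAP CertService project. Validates a
# client_docker.env file before the client container is started and maps the
# container's exit code to the meaning listed at the end of this page.
# Assumes POSIX sh; run_cert_client additionally assumes docker on PATH.
set -u

# Exit codes as documented for the client (0 = success).
client_exit_message() {
  case "$1" in
    0) echo "Success" ;;
    1) echo "Invalid client configuration" ;;
    2) echo "Invalid CSR configuration" ;;
    3) echo "Fail in key pair generation" ;;
    4) echo "Fail in CSR generation" ;;
    5) echo "CertService HTTP unsuccessful response" ;;
    6) echo "Internal HTTP Client connection problem" ;;
    7) echo "Fail in PKCS12 PEM conversion" ;;
    8) echo "Fail in Private Key to PEM Encoding" ;;
    9) echo "Wrong TLS configuration" ;;
    10) echo "File could not be created" ;;
    *) echo "Unknown exit code $1" ;;
  esac
}

# env_get FILE KEY: value of KEY in a KEY=VALUE file (last occurrence wins, empty if absent).
env_get() { grep -E "^$2=" "$1" | tail -n 1 | cut -d= -f2-; }

# validate_client_env FILE: prints every problem found, returns the number of problems.
validate_client_env() {
  local file=$1 problems=0 key country
  for key in REQUEST_URL OUTPUT_PATH CA_NAME COMMON_NAME ORGANIZATION COUNTRY \
             KEYSTORE_PATH KEYSTORE_PASSWORD TRUSTSTORE_PATH TRUSTSTORE_PASSWORD; do
    if [ -z "$(env_get "$file" "$key")" ]; then
      echo "missing or empty: $key"; problems=$((problems + 1))
    fi
  done
  # The keystore and truststore are only used on a TLS connection: reject plain http://.
  case "$(env_get "$file" REQUEST_URL)" in
    https://*) ;;
    *) echo "REQUEST_URL must be an https:// URL"; problems=$((problems + 1)) ;;
  esac
  # An unfilled <placeholder> copied from the documentation is not a valid value.
  if grep -Eq '=.*<[^>]*>' "$file"; then
    echo "unfilled <placeholder> left in $file"; problems=$((problems + 1))
  fi
  # X.509 countryName is a two-letter code; anything else makes the CSR invalid.
  country=$(env_get "$file" COUNTRY)
  if [ -n "$country" ] && ! printf '%s' "$country" | grep -Eq '^[A-Z]{2}$'; then
    echo "COUNTRY must be a two-letter country code"; problems=$((problems + 1))
  fi
  return "$problems"
}

# run_cert_client ENV_FILE NETWORK OUT_DIR KEYSTORE TRUSTSTORE [TAG]: the docker run from
# above, with the env file validated first and the exit code explained. Needs docker.
run_cert_client() {
  local env_file=$1 network=$2 out_dir=$3 keystore=$4 truststore=$5 tag=${6:-latest} rc=0
  validate_client_env "$env_file" || return 1
  docker run --rm --name aafcert-client \
    --env-file "$env_file" --network "$network" \
    --mount "type=bind,src=$out_dir,dst=$(env_get "$env_file" OUTPUT_PATH)" \
    --volume "$keystore:$(env_get "$env_file" KEYSTORE_PATH)" \
    --volume "$truststore:$(env_get "$env_file" TRUSTSTORE_PATH)" \
    "nexus3.onap.org:10001/onap/org.onap.aaf.certservice.aaf-certservice-client:$tag" || rc=$?
  echo "cert-service-client exited with $rc: $(client_exit_message "$rc")" >&2
  return "$rc"
}

# Constructed sample env file with the values from the example above (passwords are dummies).
SAMPLE_ENV=$(mktemp)
cat > "$SAMPLE_ENV" <<'EOF'
#Client envs
REQUEST_URL=https://aaf-cert-service:8443/v1/certificate/
REQUEST_TIMEOUT=10000
OUTPUT_PATH=/var/certs
CA_NAME=RA
OUTPUT_TYPE=P12
#CSR config envs
COMMON_NAME=onap.org
ORGANIZATION=Linux-Foundation
ORGANIZATION_UNIT=ONAP
LOCATION=San-Francisco
STATE=California
COUNTRY=US
SANS=test.onap.org:onap.com
#TLS config envs
KEYSTORE_PATH=/etc/onap/aaf/certservice/certs/certServiceClient-keystore.jks
KEYSTORE_PASSWORD=secret
TRUSTSTORE_PATH=/etc/onap/aaf/certservice/certs/certServiceClient-truststore.jks
TRUSTSTORE_PASSWORD=secret
EOF
if validate_client_env "$SAMPLE_ENV"; then echo "$SAMPLE_ENV: OK"; fi
# To actually request a certificate (docker required):
# run_cert_client "$SAMPLE_ENV" <docker network of cert service> /tmp/certs ./keystore.jks ./truststore.jks
```

The script only defines functions and validates a constructed sample when run as is; run_cert_client does the real docker run and is meant to be called from a pipeline that treats any non-zero exit code as a failed certificate enrolment rather than silently continuing with an empty OUTPUT_PATH.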

As init container for K8s:

The client runs as an init container that writes the certificate into a shared emptyDir volume; the application container mounts the same volume and finds the certificate there once the init container has exited with code 0. The keystore and truststore are mounted from a Secret (tls-volume).

Code Block
title: Sample deployment
  ...
kind: Deployment
metadata:
  ...
spec:
...
  template:
  ...
    spec:
      containers:
        - image: sample.image
          name: sample.name
          ...
          volumeMounts:
            - mountPath: /var/certs #CERTS CAN BE FOUND IN THIS DIRECTORY
              name: certs
          ...
      initContainers:
        - name: cert-service-client
          image: nexus3.onap.org:10001/onap/org.onap.aaf.certservice.aaf-certservice-client:latest
          imagePullPolicy: Always
          env:
            - name: REQUEST_URL
              value: https://aaf-cert-service:8443/v1/certificate/
            - name: REQUEST_TIMEOUT
              value: "1000"
            - name: OUTPUT_PATH
              value: /var/certs
            - name: CA_NAME
              value: RA
            - name: OUTPUT_TYPE
              value: P12
            - name: COMMON_NAME
              value: onap.org
            - name: ORGANIZATION
              value: Linux-Foundation
            - name: ORGANIZATION_UNIT
              value: ONAP
            - name: LOCATION
              value: San-Francisco
            - name: STATE
              value: California
            - name: COUNTRY
              value: US
            - name: SANS
              value: test.onap.org:onap.com
            - name: KEYSTORE_PATH
              value: /etc/onap/aaf/certservice/certs/certServiceClient-keystore.jks
            - name: KEYSTORE_PASSWORD
              value: secret
            - name: TRUSTSTORE_PATH
              value: /etc/onap/aaf/certservice/certs/truststore.jks
            - name: TRUSTSTORE_PASSWORD
              value: secret
          volumeMounts:
            - mountPath: /var/certs
              name: certs
            - mountPath: /etc/onap/aaf/certservice/certs/
              name: tls-volume
        ...
      volumes:
        - name: certs
          emptyDir: {}
        - name: tls-volume
          secret:
            secretName: aaf-cert-service-client-tls-secret  # Value of global.aaf.certService.client.secret.name
		...

The keystore and truststore passwords appear as plain values (secret) here for illustration only; in a real deployment take them from a Secret with valueFrom.secretKeyRef rather than writing them into the manifest. A Secret mounted as a volume exposes each of its keys as a file under mountPath, so the keys of aaf-cert-service-client-tls-secret must be named exactly like the file names in KEYSTORE_PATH and TRUSTSTORE_PATH (certServiceClient-keystore.jks and truststore.jks in this sample).
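As an added example (not part of the ONAP CertService project or its Helm charts), the script below builds the Secret that the sample Deployment above mounts as tls-volume and checks that each Secret key will show up at the KEYSTORE_PATH and TRUSTSTORE_PATH the init container is configured with. The check matters because the two examples on this page do not agree on the truststore file name (certServiceClient-truststore.jks in the docker env file, truststore.jks in the Deployment), and a mismatch ends in exit code 9. The secret name, mount path and file names come from the Deployment above; the onap namespace default, the function names and the stand-in store files are the example's own assumptions.

```shell
#!/bin/sh
# Added example, not part of the ONAP CertService project or its Helm charts.
# Builds the Secret that the sample Deployment above mounts as "tls-volume"
# and checks that each key will appear at the KEYSTORE_PATH / TRUSTSTORE_PATH
# the init container is configured with. Assumes POSIX sh with base64 on PATH.
set -u

SECRET_NAME=aaf-cert-service-client-tls-secret   # global.aaf.certService.client.secret.name
MOUNT_DIR=/etc/onap/aaf/certservice/certs        # mountPath of tls-volume in the Deployment

# A Secret mounted as a volume projects every key as a file named after the
# key under mountPath, so the key for each store must equal the basename of
# the path the client is told to read. Returns 0 when they line up.
check_mounted_path() { # check_mounted_path EXPECTED_PATH LOCAL_FILE
  [ "$MOUNT_DIR/$(basename "$2")" = "$1" ]
}

# base64 without line breaks, the form Kubernetes expects under "data:".
b64_file() { base64 < "$1" | tr -d '\n'; }

# tls_secret_manifest KEYSTORE_FILE TRUSTSTORE_FILE [NAMESPACE] -> YAML on stdout.
# The file basenames become the Secret keys and therefore the mounted file names.
# Namespace defaults to "onap" (assumption of this example).
tls_secret_manifest() {
  printf 'apiVersion: v1\nkind: Secret\nmetadata:\n  name: %s\n  namespace: %s\ntype: Opaque\ndata:\n' \
    "$SECRET_NAME" "${3:-onap}"
  printf '  %s: %s\n' "$(basename "$1")" "$(b64_file "$1")"
  printf '  %s: %s\n' "$(basename "$2")" "$(b64_file "$2")"
}

# Constructed stand-in store files; real JKS stores are binary but encode the same way.
WORK=$(mktemp -d)
printf 'constructed keystore bytes' > "$WORK/certServiceClient-keystore.jks"
printf 'constructed truststore bytes' > "$WORK/truststore.jks"

# The expected paths are the KEYSTORE_PATH / TRUSTSTORE_PATH values from the Deployment env.
check_mounted_path /etc/onap/aaf/certservice/certs/certServiceClient-keystore.jks \
  "$WORK/certServiceClient-keystore.jks" || echo "keystore file name does not match KEYSTORE_PATH" >&2
check_mounted_path /etc/onap/aaf/certservice/certs/truststore.jks \
  "$WORK/truststore.jks" || echo "truststore file name does not match TRUSTSTORE_PATH" >&2

tls_secret_manifest "$WORK/certServiceClient-keystore.jks" "$WORK/truststore.jks" > "$WORK/tls-secret.yaml"
echo "wrote $WORK/tls-secret.yaml"
```

Feed the generated manifest to kubectl apply -f before the Deployment is created; with the real stores in place of the constructed files, the init container finds the keystore and truststore at exactly the paths its env section names.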


Client exit codes:

Code    Information
0       Success
1       Invalid client configuration
2       Invalid CSR configuration
3       Fail in key pair generation
4       Fail in CSR generation
5       CertService HTTP unsuccessful response
6       Internal HTTP Client connection problem
7       Fail in PKCS12 PEM conversion
8       Fail in Private Key to PEM Encoding
9       Wrong TLS configuration
10      File could not be created