...
** - property available in blueprint, doesn't need to be changed every deployment
| Group | Property name | Component spec type | Blueprint type Type (input*/blueprint**) | Default | Description |
|---|---|---|---|---|---|
| external_cert | use_external_tls | input | input | true | A boolean that indicates whether the component uses AAF CertService to acquire operator certificate to protect external (between xNFs and ONAP) traffic. For a time being only operator certificate from CMPv2 server is supported |
| external_cert_directory | hardcoded in BP Generator | blueprint | /opt/app/dcae-certificate/external_cert | Directory where operator certificate and trusted certs should be created | |
| ca_name | hardcoded in BP Generator | input | RA | Name of Certificate Authority configured on CertService side (in cmpServers.json). Default RA_TEST corresponds to default CMPv2 testing configuration. | |
| output_type | hardcoded in BP Generator | input | P12 | Certificate output type | |
external_cert: external_certificate_parameters | common_name | hardcoded in BP Generator | input | <Specific for every blueprint> | Common name which should be present in certificate. Specific for every blueprint (e.g. dcae-ves-collector for VES) |
| sans | hardcoded in BP Generator | input | <Specific for every blueprint> | List of Subject Alternative Names (SANs) which should be present in certificate. Delimiter - : Should contain common_name value and other FQDNs under which given component is accessible, e.g. if xNFs uses ves-collector in request URL, such should be also present in SANs - e.g. dcae-ves-collector:ves-collector. |
...
Keep application intact and implement truststores merger and invoke it as new init container to provide to application one truststore with multiple trust anchors taken from multiple truststores and one keystore with certificate from CMPv2 server.
Optionally adjust components (e.g. DFC) which use different certificates internally and externally to support the same truststore and keystore on both traffics.
...
| Property name | Example | Description |
|---|---|---|
| TRUSTSTORES_PATHS | /etc/dcae/truststore.jks:/etc/dcae/cacert.pem:/etc/dcae/truststore2.p12 | List of truststores to be merged. Certificates from all provided truststores will be added to first provided truststore after success execution. |
| TRUSTSTORES_PASSWORDS_PATHS | /etc/dcae/truststore.pass::/etc/dcae/truststore2.pass | List of passwords to provided truststores - order must be the same as in truststores WARNING: PEM is not protected by password so its value should be empty |
...
| Group | Property name | Origin | Default | Description |
|---|---|---|---|---|
| externaltruststore_certmerger | trust_merger_image_tag | global helm value | nexus3.onap.org:10001/onap/org.onap.dcae.trusttruststore-merger:$VERSION | Truststore merger image name and version |
...
| Group | Property name | Default | Description |
|---|---|---|---|
properties: application_config | external_keystore_path | /opt/app/dcae-certificate/external_cert/keystore.jks | Path to keystore with external certificate |
| external_keystore_password_path | /opt/app/dcae-certificate/external_cert/keystore.pass | Path to password for keystore with external certificate | |
| external_truststore_path | /opt/app/dcae-certificate/external_cert/truststore.jks | Path to truststore with external trust anchors | |
| external_truststore_password_path | /opt/app/dcae-certificate/external_cert/truststore.pass | Path to password for truststore with external trust anchors |
...
DCAE multisite deployment support
There are two ways to support DCAE multisite deployment:
- One which requires direct connectivity between EDGE cloud and CMPv2 server (which isn't so extraordinary if xNFs also use CMPv2 protocol to enroll certificates)
- One which doesn't require direct connectivity between EDGE cloud and CMPv2 server, but requires direct connectivity between EDGE cloud and central ONAP deployment.
Each option has its own benefits. Each requires different approach and procedure.
To correctly support first option, instance of CertService (server part) has to be deployed on every EDGE cloud, where DCAE collectors are expected to be running. Nothing else is required.
To correctly support second option, secret with certificate for CertService client has to be copied from central ONAP deployment to EDGE clouds, where DCAE collectors are expected to be running. On central ONAP deployment CertService has to be exposed outside K8s cluster. On every EDGE cloud proxy service is also required.