You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 6 Next »

This page contains information about the default certs in A1 Policy Management Service, as well as how to update/replace them using docker.

Policy Management Service

The A1 Policy Management Service uses the default keystore and truststore that are built into the container. The paths and passwords for these stores are located in a yaml file, with an example is provided in the source code repository a1-policy-management/config/application.yaml

Sample: application.yaml 
#
# ============LICENSE_START=======================================================
# ONAP : ccsdk oran
# ================================================================================
# Copyright (C) 2020 Nordix Foundation. All rights reserved.
# ================================================================================
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#      http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
# SPDX-License-Identifier: Apache-2.0
# ============LICENSE_END=========================================================
#
spring:
  profiles:
    active: prod
  main:
    allow-bean-definition-overriding: true
  aop:
    auto: false
management:
  endpoints:
    web:
      exposure:
        # Enabling of springboot actuator features. See springboot documentation.
        include: "loggers,logfile,health,info,metrics,threaddump,heapdump"

logging:
  # Configuration of logging
  level:
    ROOT: ERROR
    org.springframework: ERROR
    org.springframework.data: ERROR
    org.springframework.web.reactive.function.client.ExchangeFunctions: ERROR
    org.onap.ccsdk.oran.a1policymanagementservice: INFO
    # org.onap.ccsdk.oran.a1policymanagementservice.tasks: TRACE  
  file:
    name: /var/log/policy-agent/application.log
server:
   # Configuration of the HTTP/REST server. The parameters are defined and handeled by the springboot framework.
   # See springboot documentation.
   port : 8433
   http-port: 8081
   ssl:
      key-store-type: JKS
      key-store-password: policy_agent
      key-store: /opt/app/policy-agent/etc/cert/keystore.jks
      key-password: policy_agent
      key-alias: policy_agent
app:
  # Location of the component configuration file. The file will only be used if the Consul database is not used;
  # configuration from the Consul will override the file.
  filepath: /opt/app/policy-agent/data/application_configuration.json
  webclient:
    # Configuration of the trust store used for the HTTP client (outgoing requests)
    # The file location and the password for the truststore is only relevant if trust-store-used == true
    # Note that the same keystore as for the server is used.
    trust-store-used: false
    trust-store-password: policy_agent
    trust-store: /opt/app/policy-agent/etc/cert/truststore.jks
    # Configuration of usage of HTTP Proxy for the southbound accesses.
    # The HTTP proxy (if configured) will only be used for accessing NearRT RIC:s
    # proxy-type can be either HTTP, SOCKS4 or SOCKS5
    http.proxy-host:
    http.proxy-port: 0
    http.proxy-type: HTTP
  # path where the service can store data
  vardata-directory: /var/policy-management-service
  config-file-schema-path:



There is also Policy Management Service's own cert in the default truststore for mocking purposes and unit-testing (ApplicationTest.java).

The default keystore, truststore, and application.yaml files can be overridden by mounting new files using the "volumes" field of docker-compose or docker run command.

Assuming that the keystore, truststore, and application.yaml files are located in the same directory as docker-compose, the volumes field should have these entries:

volumes:
        - ./new_keystore.jks:/opt/app/policy-agent/etc/cert/keystore.jks:ro

        - ./new_truststore.jks:/opt/app/policy-agent/etc/cert/truststore.jks:ro

        - ./new_application.yaml:/opt/app/policy-agent/config/application.yaml:ro

The target paths in the container should not be modified.

Example docker run command for mounting new files (assuming they are located in the current directory):

docker run -p 8081:8081 -p 8433:8433 --name=policy-agent-container --network=nonrtric-docker-net --volume "$PWD/new_keystore.jks:/opt/app/policy-agent/etc/cert/keystore.jks" --volume "$PWD/new_truststore.jks:/opt/app/policy-agent/etc/cert/truststore.jks" --volume "$PWD/new_application.yaml:/opt/app/policy-agent/config/application.yaml" onap/ccsdk-oran-a1policymanagementservice:1.2.2

  • No labels