References

Discussion

  • Between the Amsterdam and Dublin releases, certificates have been replaced at least 4 times.
  • One of those replacements was in the emergency Casablanca Maintenance Release, because the certificate expiry date was very soon after the Casablanca Release date.
  • ONAP is moving towards a higher-security system, e.g. adding more encryption by replacing HTTP with HTTPS, which results in more certificates being required.
  • The current process is for each ONAP project to manually generate certificates for its own microservices.
  • The aaf-hello demonstration application shows how certificates can be automatically generated when the pod is deployed.
  • The goal is to understand how this works and how to integrate similar techniques into other pods, such as AAI-Resources, AAI-Traversal, etc.
  • tbc

Analysis

  • aaf-hello application
    • aaf/authz/auth/auth-hello/src/main/java/org/onap/aaf/auth/hello/
      • GET,"/hello/:perm*"
      • POST,"/resthello/:id"
      • GET,"/resthello/:id"
      • PUT,"/resthello/:id"
      • DELETE,"/resthello/:id"
    • Prints out a simple message including actual authorisation information, e.g.
      • req.getUserPrincipal().getName()
      • req.isUserInRole(perm)
      • trans.getUserPrincipal().getClass().getSimpleName()
    • Provides a simple proof that the application is authorised through AAF
  • aaf-hello Docker
    • aaf/authz/auth/docker/Dockerfile.hello
      • COPY bin/pod_wait.sh /opt/app/aaf/bin/ (shell scripts apparently from aaf/authz/auth/sample/bin/pod_wait.sh)
      • COPY etc /opt/app/osaaf/etc (property files apparently from aaf/authz/auth/sample/etc/)
      • RUN mkdir -p /opt/app/aaf/status (used by pod_wait.sh to communicate between processes in the pod)
      • based on aaf/authz/auth/docker/Dockerfile.core
        • COPY lib /opt/app/aaf/lib
        • COPY bin /opt/app/aaf/bin
        • COPY theme /opt/app/aaf/theme
        • based on aaf/authz/auth/docker/Dockerfile.base
          • add bash, openssl, curl
          • based on openjdk:8-jre-alpine
  • aaf Helm charts
    • aaf/authz/auth/helm/aaf-hello/
      • values.yaml
      • Chart.yaml
      • aaf.sh
    • tbc