.. This work is licensed under a Creative Commons Attribution 4.0 International License.
.. http://creativecommons.org/licenses/by/4.0
.. Copyright 2020 NOKIA

Configuration
=============

Standalone docker container
---------------------------

Certification Service Client image:

.. code-block::

  nexus3.onap.org:10001/onap/org.onap.aaf.certservice.aaf-certservice-client:latest


1. Create a file with the environment variables as in the example below.

.. code-block::

  #Client envs
  REQUEST_URL=http://aaf-cert-service-service:8080/v1/certificate/
  REQUEST_TIMEOUT=1000
  OUTPUT_PATH=/var/certs
  CA_NAME=RA
  #Csr config envs
  COMMON_NAME=onap.org
  ORGANIZATION=Linux-Foundation
  ORGANIZATION_UNIT=ONAP
  LOCATION=San-Francisco
  STATE=California
  COUNTRY=US
  SANS=test.onap.org:onap.com


2. Run the docker container with the environment file and the docker network (the API and the client must run in the same network).

.. code-block:: bash

  AAFCERT_CLIENT_IMAGE=nexus3.onap.org:10001/onap/org.onap.aaf.certservice.aaf-certservice-client:latest
  # shell assignments take no space around '=' (a space would run the value as a command)
  DOCKER_ENV_FILE=<path to environment file>
  NETWORK_CERT_SERVICE=<docker network of cert service>
  DOCKER_VOLUME="<absolute path to local dir>:<output path>"

  docker run --env-file "$DOCKER_ENV_FILE" --network "$NETWORK_CERT_SERVICE" --volume "$DOCKER_VOLUME" "$AAFCERT_CLIENT_IMAGE"

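The environment file above is handed to docker verbatim, so a malformed value only shows up when the client fails inside the container. The script below is an added example (not the client's own code) that reads such a file the way `docker run --env-file` does, checks the values before the container is started (all documented names present, absolute OUTPUT_PATH, two-letter COUNTRY, hostnames in COMMON_NAME and in the ':'-separated SANS) and renders the subject that the CSR variables describe. The checks, the hostname rule and the sample file are this example's own assumptions, not the client's validation logic.

```python
"""Sanity-check a cert-service-client env file before `docker run --env-file`.

Added example, not code from the ONAP client; it assumes only the variable
names documented above and that SANS is a ':'-separated list of hostnames.
"""
import re
from typing import Dict, List

# Constructed sample mirroring the env file from the docs.
SAMPLE_ENV_FILE = """\
#Client envs
REQUEST_URL=http://aaf-cert-service-service:8080/v1/certificate/
REQUEST_TIMEOUT=1000
OUTPUT_PATH=/var/certs
CA_NAME=RA
#Csr config envs
COMMON_NAME=onap.org
ORGANIZATION=Linux-Foundation
ORGANIZATION_UNIT=ONAP
LOCATION=San-Francisco
STATE=California
COUNTRY=US
SANS=test.onap.org:onap.com
"""

REQUIRED = ("REQUEST_URL", "REQUEST_TIMEOUT", "OUTPUT_PATH", "CA_NAME",
            "COMMON_NAME", "ORGANIZATION", "ORGANIZATION_UNIT",
            "LOCATION", "STATE", "COUNTRY")

# One DNS label per group: letters, digits, hyphens; no leading/trailing hyphen.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)*"
    r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$", re.IGNORECASE)


def parse_env_file(text: str) -> Dict[str, str]:
    """Parse KEY=VALUE lines as `docker run --env-file` reads them: blank
    lines and '#' comments are skipped, the first '=' splits key from value,
    and the value is taken verbatim (docker does not strip quotes either)."""
    env: Dict[str, str] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if "=" not in line:
            # docker would inherit a bare NAME from the host shell; for a
            # reproducible config this check insists on an explicit value.
            raise ValueError(f"line {lineno}: expected KEY=VALUE, got {raw!r}")
        key, value = line.split("=", 1)
        env[key.strip()] = value
    return env


def parse_sans(value: str) -> List[str]:
    """SANS is ':'-separated in the docs; empty entries are dropped."""
    return [s.strip() for s in value.split(":") if s.strip()]


def validate_client_env(env: Dict[str, str]) -> List[str]:
    """Return the list of problems found; an empty list means the env is usable."""
    problems: List[str] = []
    for name in REQUIRED:
        if not env.get(name):
            problems.append(f"{name} is missing or empty")
    url = env.get("REQUEST_URL", "")
    if url and not url.startswith(("http://", "https://")):
        problems.append("REQUEST_URL must be an http(s) URL")
    timeout = env.get("REQUEST_TIMEOUT", "")
    if timeout and (not timeout.isdigit() or int(timeout) <= 0):
        problems.append("REQUEST_TIMEOUT must be a positive integer")
    out = env.get("OUTPUT_PATH", "")
    if out and not out.startswith("/"):
        problems.append("OUTPUT_PATH must be absolute: it is the mounted directory the certs land in")
    country = env.get("COUNTRY", "")
    if country and not (len(country) == 2 and country.isalpha() and country.isupper()):
        problems.append("COUNTRY must be a two-letter upper-case country code, e.g. US")
    cn = env.get("COMMON_NAME", "")
    if cn and not HOSTNAME_RE.match(cn):
        problems.append(f"COMMON_NAME {cn!r} is not a valid hostname")
    for san in parse_sans(env.get("SANS", "")):
        if not HOSTNAME_RE.match(san):
            problems.append(f"SAN {san!r} is not a valid hostname")
    return problems


def csr_subject(env: Dict[str, str]) -> str:
    """Render the subject the CSR envs describe, in RFC 4514 string order."""
    parts = (("CN", "COMMON_NAME"), ("OU", "ORGANIZATION_UNIT"),
             ("O", "ORGANIZATION"), ("L", "LOCATION"),
             ("ST", "STATE"), ("C", "COUNTRY"))
    return ",".join(f"{attr}={env[var]}" for attr, var in parts if env.get(var))


if __name__ == "__main__":
    cfg = parse_env_file(SAMPLE_ENV_FILE)
    for problem in validate_client_env(cfg):
        print("PROBLEM:", problem)
    print("subject:", csr_subject(cfg))
    print("sans   :", parse_sans(cfg.get("SANS", "")))
```

Run it against your real file by replacing SAMPLE_ENV_FILE with the file's contents; an empty problem list is the go-ahead for the docker run step.
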
Configuring EJBCA server for testing
------------------------------------

To instantiate an EJBCA server for testing purposes with an OOM deployment, cmpv2Enabled and cmpv2Testing have to be set to true in oom/kubernetes/aaf/values.yaml.

cmpv2Enabled has to be true for aaf-cert-service to be instantiated and used with an external Certificate Authority to obtain certificates for secure communication.

If cmpv2Testing is enabled, an EJBCA test server is instantiated in the OOM deployment as well; it comes pre-configured with a test CA from which a certificate can be requested.

Currently the recommended mode is single-layer RA mode.


Default Values:

+-----------------+---------------------------------------------------+
| Name            | Value                                             |
+=================+===================================================+
| Request URL     | http://aaf-ejbca:8080/ejbca/publicweb/cmp/cmpRA   |
+-----------------+---------------------------------------------------+
| Response Type   | PKI Response                                      |
+-----------------+---------------------------------------------------+
| caMode          | RA                                                |
+-----------------+---------------------------------------------------+
| alias           | cmpRA                                             |
+-----------------+---------------------------------------------------+


If you wish to configure the EJBCA server, the EJBCA documentation is available here: https://doc.primekey.com/ejbca/

If you want to understand in more detail how CMP works on EJBCA, the details are here: https://download.primekey.com/docs/EJBCA-Enterprise/6_14_0/CMP.html

Init Container for K8s
----------------------

Example deployment:

.. code-block:: yaml

  ...
  kind: Deployment
  metadata:
    ...
  spec:
    ...
    template:
      ...
      spec:
        containers:
          - image: sample.image
            name: sample.name
            ...
            volumeMounts:
              - mountPath: /var/certs #CERTS CAN BE FOUND IN THIS DIRECTORY
                name: certs
            ...
        initContainers:
          - name: cert-service-client
            image: nexus3.onap.org:10001/onap/org.onap.aaf.certservice.aaf-certservice-client:latest
            imagePullPolicy: Always
            env:
              - name: REQUEST_URL
                value: http://aaf-cert-service-service:8080/v1/certificate/
              - name: REQUEST_TIMEOUT
                value: "1000"
              - name: OUTPUT_PATH
                value: /var/certs
              - name: CA_NAME
                value: RA
              - name: COMMON_NAME
                value: onap.org
              - name: ORGANIZATION
                value: Linux-Foundation
              - name: ORGANIZATION_UNIT
                value: ONAP
              - name: LOCATION
                value: San-Francisco
              - name: STATE
                value: California
              - name: COUNTRY
                value: US
              - name: SANS
                value: test.onap.org:onap.com
            volumeMounts:
              - mountPath: /var/certs
                name: certs
        ...
        volumes:
          - emptyDir: {}
            name: certs
  ...

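Whether the application ever sees the certificates depends entirely on the volume wiring in this manifest: the init container writes to OUTPUT_PATH, that path has to be a mount of a declared volume, and the application container has to mount the same volume. The script below is an added example (not part of ONAP) that encodes those checks; the documented Deployment is embedded as a Python dict in the shape yaml.safe_load would return, next to a deliberately broken copy whose app container lost its mount. The image substring it matches on, the set of env names it requires and the emptyDir expectation are this example's own assumptions.

```python
"""Check that a Deployment hands the init container's certificates to the app.

Added example, not ONAP code. The manifest below is the documented Deployment as
a dict (what yaml.safe_load would return), constructed so the check runs offline.
"""
import json
from typing import Any, Dict, List

CLIENT_IMAGE = ("nexus3.onap.org:10001/onap/"
                "org.onap.aaf.certservice.aaf-certservice-client:latest")

# Constructed sample mirroring the documented Deployment (only the relevant keys).
SAMPLE_DEPLOYMENT: Dict[str, Any] = {
    "kind": "Deployment",
    "spec": {"template": {"spec": {
        "containers": [{
            "image": "sample.image",
            "name": "sample.name",
            "volumeMounts": [{"mountPath": "/var/certs", "name": "certs"}],
        }],
        "initContainers": [{
            "name": "cert-service-client",
            "image": CLIENT_IMAGE,
            "env": [
                {"name": "REQUEST_URL",
                 "value": "http://aaf-cert-service-service:8080/v1/certificate/"},
                {"name": "OUTPUT_PATH", "value": "/var/certs"},
                {"name": "CA_NAME", "value": "RA"},
                {"name": "COMMON_NAME", "value": "onap.org"},
            ],
            "volumeMounts": [{"mountPath": "/var/certs", "name": "certs"}],
        }],
        "volumes": [{"emptyDir": {}, "name": "certs"}],
    }}},
}

# Same manifest with the app container's mount removed: the init container still
# succeeds, but the application never sees the certificates.
BROKEN_DEPLOYMENT: Dict[str, Any] = json.loads(json.dumps(SAMPLE_DEPLOYMENT))
BROKEN_DEPLOYMENT["spec"]["template"]["spec"]["containers"][0]["volumeMounts"] = []


def _env(container: Dict[str, Any]) -> Dict[str, Any]:
    return {e["name"]: e.get("value") for e in container.get("env", [])}


def _mounts(container: Dict[str, Any]) -> Dict[str, str]:
    return {m["name"]: m["mountPath"] for m in container.get("volumeMounts", [])}


def check_cert_wiring(deployment: Dict[str, Any]) -> List[str]:
    """Return the wiring problems found; an empty list means certs reach the app."""
    pod = deployment["spec"]["template"]["spec"]
    problems: List[str] = []
    clients = [c for c in pod.get("initContainers", [])
               if "aaf-certservice-client" in c.get("image", "")]
    if not clients:
        return ["no initContainer runs the cert-service-client image"]
    client = clients[0]
    env = _env(client)
    for name in ("REQUEST_URL", "CA_NAME", "COMMON_NAME", "OUTPUT_PATH"):
        if not env.get(name):
            problems.append(f"init container is missing env {name}")
    output_path = env.get("OUTPUT_PATH")
    # The certificates leave the init container only through a volume mounted
    # at OUTPUT_PATH, so find which volume backs that path.
    cert_volume = next((v for v, p in _mounts(client).items() if p == output_path), None)
    if cert_volume is None:
        problems.append(f"init container mounts no volume at OUTPUT_PATH {output_path!r}")
        return problems
    volume = next((v for v in pod.get("volumes", []) if v["name"] == cert_volume), None)
    if volume is None:
        problems.append(f"volume {cert_volume!r} is not declared in spec.volumes")
    elif "emptyDir" not in volume:
        # The docs use an emptyDir: it lives and dies with the pod, so whatever
        # the client writes there does not outlive the pod.
        problems.append(f"volume {cert_volume!r} is not an emptyDir")
    for app in pod.get("containers", []):
        if cert_volume not in _mounts(app):
            problems.append(f"container {app['name']!r} does not mount volume {cert_volume!r}")
    return problems


if __name__ == "__main__":
    for label, manifest in (("sample", SAMPLE_DEPLOYMENT), ("broken", BROKEN_DEPLOYMENT)):
        print(label, "->", check_cert_wiring(manifest) or "OK")
```

For a real manifest, load it with a YAML parser and pass the resulting dict to check_cert_wiring; the function only reads the keys shown above, so the elided parts of the Deployment do not matter.
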