.. This work is licensed under a Creative Commons Attribution 4.0 International License.
.. http://creativecommons.org/licenses/by/4.0

TLS Support
===========

To comply with ONAP security requirements, all services exposing an external API require TLS support using AAF-generated certificates. The DCAE Platform was updated in R3 to provide a certificate distribution mechanism for services needing TLS support.

Solution overview
-----------------

1. Certificate generation:
   This step is currently done manually using the Test AAF instance in POD25. The required namespace, DCAE identity (dcae@dcae.onap.org), roles and Subject Alternative Names for all components are preset. The certificates are generated using the procedure described by AAF (using ``agent.sh``). From the Java keystore file (``.jks``) generated by AAF, create the ``.pem`` files and load them into the tls-init-container under the dcaegen2/deployment repository. The image has a script that runs when the image is deployed; the script copies the certificate artifacts into a Kubernetes volume. The container is used as an "init-container" included in the Kubernetes pod of any component that needs to use TLS.

   Current SAN listing::

      bbs-event-processor, bbs-event-processor.onap, bbs-event-processor.onap.svc.cluster.local, config-binding-service, config-binding-service.onap, config-binding-service.onap.svc.cluster.local, dcae-cloudify-manager, dcae-cloudify-manager.onap, dcae-cloudify-manager.onap.svc.cluster.local, dcae-datafile-collector, dcae-datafile-collector.onap, dcae-datafile-collector.onap.svc.cluster.local, dcae-hv-ves-collector, dcae-hv-ves-collector.onap, dcae-hv-ves-collector.onap.svc.cluster.local, dcae-pm-mapper, dcae-pm-mapper.onap, dcae-pm-mapper.onap.svc.cluster.local, dcae-prh, dcae-prh.onap, dcae-prh.onap.svc.cluster.local, dcae-tca-analytics, dcae-tca-analytics.onap, dcae-tca-analytics.onap.svc.cluster.local, dcae-ves-collector, dcae-ves-collector.onap, dcae-ves-collector.onap.svc.cluster.local, deployment-handler, deployment-handler.onap, deployment-handler.onap.svc.cluster.local, holmes-engine-mgmt, holmes-engine-mgmt.onap, holmes-engine-mgmt.onap.svc.cluster.local, holmes-rule-mgmt, holmes-rules-mgmt.onap, holmes-rules-mgmt.onap.svc.cluster.local, inventory, inventory.onap, inventory.onap.svc.cluster.local, policy-handler, policy-handler.onap, policy-handler.onap.svc.cluster.local

2. Plugin and Blueprint:
   Update the blueprint to include a new (optional) node property, ``tls_info``, in the type definitions for the Kubernetes component types. The property is a dictionary with two elements:

   * A boolean (``use_tls``) that indicates whether the component uses TLS.
   * A string (``cert_directory``) that indicates where the component expects to find certificate artifacts.

   Example:

   .. code-block:: yaml

      tls_info:
        cert_directory: '/opt/app/dh/etc/cert/'
        use_tls: true

   For this example the certificates are mounted into the ``/opt/app/dh/etc/cert`` directory within the container.

   During deployment the Kubernetes plugin (referenced in the blueprint) checks whether the ``tls_info`` property is set and ``use_tls`` is true. If so, the plugin adds the following elements to the Kubernetes Deployment for the component:

   * A Kubernetes volume (``tls-info``) that will hold the certificate artifacts.
   * A Kubernetes initContainer (``tls-init``).
   * A Kubernetes volumeMount for the initContainer that mounts the ``tls-info`` volume at ``/opt/tls/shared``.
   * A Kubernetes volumeMount for the main container that mounts the ``tls-info`` volume at the mount point specified in the ``cert_directory`` property.
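The following is an added example, not the DCAE Kubernetes plugin's own code, showing the four Deployment additions described above as a function over a manifest dict. The names ``tls-info``, ``tls-init`` and ``/opt/tls/shared`` come from the text; the init-container image name, the use of an ``emptyDir`` volume, and the assumption that the component's main container is the first one listed are assumptions and are labelled as such in the code. The sample Deployment and ``tls_info`` value are constructed for the example.

```python
import copy
import json

# Added example, not the DCAE Kubernetes plugin's own code. The volume, init
# container and mount names are those given in the text; the init-container
# image is not given there, so a labelled placeholder is used instead.
TLS_INIT_IMAGE = "tls-init-container:PLACEHOLDER-TAG"   # assumption: image not on the page
TLS_VOLUME_NAME = "tls-info"
TLS_INIT_CONTAINER_NAME = "tls-init"
TLS_INIT_MOUNT_PATH = "/opt/tls/shared"


def parse_tls_info(tls_info):
    """Validate the optional ``tls_info`` node property.

    Returns ``(use_tls, cert_directory)``. A missing property, or one with
    ``use_tls`` false, means the component does not use TLS. A true
    ``use_tls`` without a usable ``cert_directory`` is rejected rather than
    silently deploying a component that expects certificates it will not get.
    """
    if tls_info is None:
        return False, None
    if not isinstance(tls_info, dict):
        raise ValueError("tls_info must be a dictionary")
    use_tls = tls_info.get("use_tls", False)
    if not isinstance(use_tls, bool):
        raise ValueError("tls_info.use_tls must be a boolean, not %r" % (use_tls,))
    if not use_tls:
        return False, None
    cert_directory = tls_info.get("cert_directory")
    if not isinstance(cert_directory, str) or not cert_directory.startswith("/"):
        raise ValueError("tls_info.cert_directory must be an absolute path when use_tls is true")
    return True, cert_directory


def add_tls_to_deployment(deployment, tls_info):
    """Return a copy of a Deployment manifest (as a dict) with the additions the
    text describes: the tls-info volume, the tls-init initContainer, its mount
    at /opt/tls/shared, and the main container's mount at cert_directory.
    When TLS is not in use the manifest is returned unchanged."""
    use_tls, cert_directory = parse_tls_info(tls_info)
    result = copy.deepcopy(deployment)
    if not use_tls:
        return result
    pod = result["spec"]["template"]["spec"]
    # Assumption: the shared volume is a pod-scoped emptyDir, so the key and
    # certificate copied in by the init container live only as long as the pod.
    pod.setdefault("volumes", []).append({"name": TLS_VOLUME_NAME, "emptyDir": {}})
    pod.setdefault("initContainers", []).append({
        "name": TLS_INIT_CONTAINER_NAME,
        "image": TLS_INIT_IMAGE,
        "volumeMounts": [{"name": TLS_VOLUME_NAME, "mountPath": TLS_INIT_MOUNT_PATH}],
    })
    # Assumption: the component's main container is the first one listed.
    main_container = pod["containers"][0]
    main_container.setdefault("volumeMounts", []).append(
        {"name": TLS_VOLUME_NAME, "mountPath": cert_directory})
    return result


# Constructed sample input: a minimal Deployment for a component, plus the
# tls_info value from the blueprint example above.
SAMPLE_DEPLOYMENT = {
    "apiVersion": "apps/v1",
    "kind": "Deployment",
    "spec": {"template": {"spec": {"containers": [{"name": "dh", "image": "example/dh:0.1"}]}}},
}
SAMPLE_TLS_INFO = {"cert_directory": "/opt/app/dh/etc/cert/", "use_tls": True}

if __name__ == "__main__":
    print(json.dumps(add_tls_to_deployment(SAMPLE_DEPLOYMENT, SAMPLE_TLS_INFO), indent=2))
```

Running the block prints the augmented Deployment as JSON; the input manifest is deep-copied, so the blueprint's own data is never mutated, and a ``tls_info`` that turns on TLS without a valid ``cert_directory`` fails at deployment time instead of producing a pod whose main container has nowhere to mount the artifacts.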

3. Certificate Artifacts

   The certificate directory mounted on the container will include the following files:

   * ``cert.jks``: A Java keystore containing the DCAE certificate.
   * ``jks.pass``: A text file with a single line that contains the password for the ``cert.jks`` keystore.
   * ``trust.jks``: A Java truststore containing the AAF CA certificate. (Needed by clients that access TLS-protected servers.)
   * ``trust.pass``: A text file with a single line that contains the password for the ``trust.jks`` keystore.
   * ``cert.p12``: The DCAE certificate and private key packaged in PKCS12 form.
   * ``p12.pass``: A text file with a single line that contains the password for the ``cert.p12`` file.
   * ``cert.pem``: The DCAE certificate concatenated with the intermediate CA certificate from AAF, in PEM form.
   * ``key.pem``: The private key for the DCAE certificate. The key is not encrypted.
   * ``cacert.pem``: The AAF CA certificate, in PEM form. (Needed by clients that access TLS-protected servers.)