Gitiles
Code Review Sign In
gerrit.nordix.org / onap / dcaegen2 / 9f58a5d51f8945b4813227957edc8e49451c1eca / . / docs / sections / services / dfc / certificates.rst
blob: 17bfb2f3d3475c19c7755c8e984fb8e95d39622f [file] [log] [blame]
TamasBakai67eccc92019-04-26 10:58:08 +0000[diff] [blame]1.. This work is licensed under a Creative Commons Attribution 4.0 International License.
2.. http://creativecommons.org/licenses/by/4.0
3
4Certificates
5============
6
7Configuration of Certificates in test environment(For FTP over TLS):
8
9DFC supports two protocols: FTPES and SFTP.
10For FTPES, it is mutual authentication with certificates.
11In our test environment, we use vsftpd to simulate xNF, and we generate self-signed
12keys & certificates on both vsftpd server and DFC.
13
141. Generate key/certificate with openssl for DFC:
15-------------------------------------------------
16.. code:: bash
17
18 openssl genrsa -out dfc.key 2048
19 openssl req -new -out dfc.csr -key dfc.key
20 openssl x509 -req -days 365 -in dfc.csr -signkey dfc.key -out dfc.crt
21
222. Generate key & certificate with openssl for vsftpd:
23------------------------------------------------------
24.. code:: bash
25
26 openssl genrsa -out ftp.key 2048
27 openssl req -new -out ftp.csr -key ftp.key
28 openssl x509 -req -days 365 -in ftp.csr -signkey ftp.key -out ftp.crt
29
303. Configure java keystore in DFC:
31----------------------------------
32We have two keystore files, one for TrustManager, one for KeyManager.
33
34**For TrustManager:**
35
361. First, convert your certificate in a DER format :
37
38 .. code:: bash
39
40 openssl x509 -outform der -in ftp.crt -out ftp.der
41
422. And after, import it in the keystore :
43
44 .. code:: bash
45
46 keytool -import -alias ftp -keystore ftp.jks -file ftp.der
47
48**For KeyManager:**
49
501. First, create a jks keystore:
51
52 .. code:: bash
53
54 keytool -keystore dfc.jks -genkey -alias dfc
55
562. Second, import dfc.crt and dfc.key to dfc.jks. This is a bit troublesome.
57
58 1). Step one: Convert x509 Cert and Key to a pkcs12 file
59
60 .. code:: bash
61
62 openssl pkcs12 -export -in dfc.crt -inkey dfc.key -out dfc.p12 -name [some-alias]
63
64 Note: Make sure you put a password on the p12 file - otherwise you'll get a null reference exception when you try to import it.
65
66 Note 2: You might want to add the -chainoption to preserve the full certificate chain.
67
68 2). Step two: Convert the pkcs12 file to a java keystore:
69
70 .. code:: bash
71
72 keytool -importkeystore -deststorepass [changeit] -destkeypass [changeit] -destkeystore dfc.jks -srckeystore dfc.p12 -srcstoretype PKCS12 -srcstorepass [some-password] -alias [some-alias]
73
743. Finished
75
764. Configure vsftpd:
77--------------------
78 update /etc/vsftpd/vsftpd.conf:
79
80 .. code-block:: bash
81
82 rsa_cert_file=/etc/ssl/private/ftp.crt
83 rsa_private_key_file=/etc/ssl/private/ftp.key
84 ssl_enable=YES
85 allow_anon_ssl=NO
86 force_local_data_ssl=YES
87 force_local_logins_ssl=YES
88
89 ssl_tlsv1=YES
90 ssl_sslv2=YES
91 ssl_sslv3=YES
92
93 require_ssl_reuse=NO
94 ssl_ciphers=HIGH
95
96 require_cert=YES
97 ssl_request_cert=YES
98 ca_certs_file=/home/vsftpd/myuser/dfc.crt
99
1005. Configure config/datafile_endpoints.json:
101--------------------------------------------
102 Update the file accordingly:
103
104 .. code-block:: javascript
105
106 "ftpesConfiguration": {
107 "keyCert": "/config/dfc.jks",
108 "keyPassword": "[yourpassword]",
109 "trustedCA": "/config/ftp.jks",
110 "trustedCAPassword": "[yourpassword]"
111 }
112
1136. This has been tested with vsftpd and dfc, with self-signed certificates.
114---------------------------------------------------------------------------
115 In real deployment, we should use ONAP-CA signed certificate for DFC, and vendor-CA signed certificate for xNF