blob: bd907697150be7429f5c63c3c02078986ab47f1a [file] [log] [blame]
Vijay VK2648c6d2018-09-19 04:30:37 +01001.. This work is licensed under a Creative Commons Attribution 4.0 International License.
2.. http://creativecommons.org/licenses/by/4.0
deen1985de4f9782021-03-25 17:33:35 +01003.. _tls_enablement:
Vijay VK2648c6d2018-09-19 04:30:37 +01004
5TLS Support
6===========
7
Jack Lucasb2807bc2020-03-26 12:15:21 -04008To comply with ONAP security requirement, all services exposing external API required TLS support using AAF generated certificates. DCAE Platform was updated in R3 to enable certificate distribution mechanism for services needing TLS support. For R6, we have moved from generating certificates manually to retrieving certificates from AAF at deployment time.
Vijay VK2648c6d2018-09-19 04:30:37 +01009
10Solution overview
11-----------------
Jack Lucasb2807bc2020-03-26 12:15:21 -0400121. Certificate setup:
13
14 AAF requires setting up certificate details in AAF manually before a certificate is generated.
15 This step is currently done using a test AAF instance in POD25.
16 Required namespace, DCAE identity (dcae@dcae.onap.org), roles and Subject Alternative Names for all components are set in the test instance.
17 We use a single certificate for all DCAE components, with a long list of Subject Alternative Names (SANs).
dfarrellydd0365a2019-04-10 19:08:47 +000018
19 Current SAN listing::
20
21 bbs-event-processor, bbs-event-processor.onap, bbs-event-processor.onap.svc.cluster.local, config-binding-service, config-binding-service.onap, config-binding-service.onap.svc.cluster.local, dcae-cloudify-manager, dcae-cloudify-manager.onap, dcae-cloudify-manager.onap.svc.cluster.local, dcae-datafile-collector, dcae-datafile-collector.onap, dcae-datafile-collector.onap.svc.cluster.local, dcae-hv-ves-collector, dcae-hv-ves-collector.onap, dcae-hv-ves-collector.onap.svc.cluster.local, dcae-pm-mapper, dcae-pm-mapper.onap, dcae-pm-mapper.onap.svc.cluster.local, dcae-prh, dcae-prh.onap, dcae-prh.onap.svc.cluster.local, dcae-tca-analytics, dcae-tca-analytics.onap, dcae-tca-analytics.onap.svc.cluster.local, dcae-ves-collector, dcae-ves-collector.onap, dcae-ves-collector.onap.svc.cluster.local, deployment-handler, deployment-handler.onap, deployment-handler.onap.svc.cluster.local, holmes-engine-mgmt, holmes-engine-mgmt.onap, holmes-engine-mgmt.onap.svc.cluster.local, holmes-rule-mgmt, holmes-rules-mgmt.onap, holmes-rules-mgmt.onap.svc.cluster.local, inventory, inventory.onap, inventory.onap.svc.cluster.local, policy-handler, policy-handler.onap, policy-handler.onap.svc.cluster.local
Jack Lucas5b41cf02019-09-06 10:07:11 -040022
Jack Lucasb2807bc2020-03-26 12:15:21 -0400232. Certificate generation and retrieval:
24
25 When a DCAE component that needs a TLS certificate is launched, a Kubernetes init container runs before the main
26 component container is launched. The init container contacts the AAF certificate manager server. The AAF certificate
27 management server generates a certificate based on the information previously set up in step 1 above and sends the certificate
28 (in several formats) along with keys and passwords to the init container. The init container renames the files to conform to
29 DCAE naming conventions and creates some additional formats. It stores the results into a volume that's shared with
30 the main component container.
31
32 DCAE platform components are deployed via ONAP OOM. The Helm chart for each deployment includes the init container
33 and sets up the shared volume.
34
35 DCAE service components (sometimes called "microservices") are deployed via Cloudify using blueprints. This is described
36 in more detail in the next section.
37
383. Plugin and Blueprint:
39 The blueprint for a component that needs a TLS certificate needs to include the node property called "tls_info" in
40 the node properties for the component. The property is a dictionary with two elements:
Jack Lucas7c6b15d2018-10-30 12:25:02 -040041
Jack Lucas5b41cf02019-09-06 10:07:11 -040042 * A boolean (``use_tls``) that indicates whether the component uses TLS.
Jack Lucas7c6b15d2018-10-30 12:25:02 -040043 * A string (``cert_directory``) that indicates where the component expects to find certificate artifacts.
Jack Lucas5b41cf02019-09-06 10:07:11 -040044
Vijay VKf6659fc2018-11-02 05:07:27 +010045 Example
Jack Lucasb2807bc2020-03-26 12:15:21 -040046
Vijay VKf6659fc2018-11-02 05:07:27 +010047.. code-block:: yaml
48
49 tls_info:
Jack Lucas5b41cf02019-09-06 10:07:11 -040050 cert_directory: '/opt/app/dh/etc/cert'
Vijay VKf6659fc2018-11-02 05:07:27 +010051 use_tls: true
Jack Lucasb2807bc2020-03-26 12:15:21 -040052
Jack Lucas5b41cf02019-09-06 10:07:11 -040053(Note that the ``cert_directory`` value does not include a trailing ``/``.)
Vijay VKf6659fc2018-11-02 05:07:27 +010054
Jack Lucasb2807bc2020-03-26 12:15:21 -040055For this example the certificates are mounted into ``/opt/app/dh/etc/cert`` directory within the container.
Jack Lucas5b41cf02019-09-06 10:07:11 -040056
Jack Lucas7c6b15d2018-10-30 12:25:02 -040057 During deployment Kubernetes plugin (referenced in blueprint) will check if the ``tls_info`` property is set and ``use_tls`` is set to true, then the plugin will add some elements to the Kubernetes Deployment for the component:
58 * A Kubernetes volume (``tls-info``) that will hold the certificate artifacts
59 * A Kubernetes initContainer (``tls-init``)
Jack Lucasb2807bc2020-03-26 12:15:21 -040060 * A Kubernetes volumeMount for the initContainer that mounts the ``tls-info`` volume at ``/opt/app/osaaf``.
Jack Lucas7c6b15d2018-10-30 12:25:02 -040061 * A Kubernetes volumeMount for the main container that mounts the ``tls-info`` volume at the mount point specified in the ``cert_directory`` property.
Jack Lucas5b41cf02019-09-06 10:07:11 -040062
Jack Lucasb2807bc2020-03-26 12:15:21 -040063Service components that act as HTTPS clients only need access to the root CA certificate used by AAF. For R6, such
64components should set up a tls_info property as described above. See below for a note about an alternative approach
65that is available in R6 but is not currently being used.
66
674. Certificate artifacts
Vijay VK2648c6d2018-09-19 04:30:37 +010068
Jack Lucas7c6b15d2018-10-30 12:25:02 -040069 The certificate directory mounted on the container will include the following files:
70 * ``cert.jks``: A Java keystore containing the DCAE certificate.
71 * ``jks.pass``: A text file with a single line that contains the password for the ``cert.jks`` keystore.
72 * ``trust.jks``: A Java truststore containing the AAF CA certificate. (Needed by clients that access TLS-protected servers.)
73 * ``trust.pass``: A text file with a single line that contains the password for the ``trust.jks`` keystore.
74 * ``cert.p12``: The DCAE certificate and private key packaged in PKCS12 form.
75 * ``p12.pass``: A text file with a single line that contains the password for ``cert.p12`` file.
76 * ``cert.pem``: The DCAE certificate concatenated with the intermediate CA certficate from AAF, in PEM form.
77 * ``key.pem``: The private key for the DCAE certificate. The key is not encrypted.
78 * ``cacert.pem``: The AAF CA certificate, in PEM form. (Needed by clients that access TLS-protected servers.)
Jack Lucasb2807bc2020-03-26 12:15:21 -040079
805. Alternative for getting CA certificate only
81
82 The certificates generated by AAF are signed by AAF, not by a recognized certificate authority (CA). If a component acts
83 as a client and makes an HTTPS request to another component, it will not be able to validate the other component's
84 server certificate because it will not recognize the CA. Most HTTPS client library software will raise an error
85 and drop the connection. To prevent this, the client component needs to have a copy of the AAF CA certificate.
86 As noted in section 3 above, one way to do this is to set up the tls_info property as described in section 3 above.
87
88 There are alternatives. In R6, two versions of the DCAE k8splugin are available: version 1.7.2 and version 2.0.0.
89 They behave differently with respect to setting up the CA certs.
90
91 * k8splugin version 1.7.2 will automatically mount the CA certificate, in PEM format, at ``/opt/dcae/cacert/cacert.pem``.
92 It is not necessary to add anything to the blueprint. To get the CA certificate in PEM format in a different directory,
93 add a ``tls_info`` property to the blueprint, set ``use_tls`` to ``false``, and set ``cert_directory`` to the directory
94 where the CA cert is needed. For example:
95
96 .. code-block:: yaml
97
98 tls_info:
99 cert_directory: '/opt/app/certs'
100 use_tls: false
101
102 For this example, the CA certificate would be mounted at ``/opt/app/certs/cacert.pem``.
103
104 k8splugin version 1.7.2 uses a configmap, rather than an init container, to supply the CA certificate.
105
106 * k8splugin version 2.0.0 will automatically mount the CA certificate, in PEM and JKS formats, in the directory ``/opt/dcae/cacert``.
107 It is not necessary to add anything to the blueprint. To get the CA certificates in a different directory, add a ``tls_info`` property to the blueprint, set ``use_tls`` to ``false``, and set ``cert_directory`` to the directory
108 where the CA certs are needed. Whatever directory is used, the following files will be available:
109
110 * ``trust.jks``: A Java truststore containing the AAF CA certificate. (Needed by clients that access TLS-protected servers.)
111 * ``trust.pass``: A text file with a single line that contains the password for the ``trust.jks`` keystore.
112 * ``cacert.pem``: The AAF CA certificate, in PEM form. (Needed by clients that access TLS-protected servers.)
113
Piotr Marcinkiewicz91389942020-07-16 08:54:40 +0200114 k8splugin version 2.0.0 uses an init container to supply the CA certificates.
115
116External TLS Support
117--------------------
118
119External TLS support was introduced in order to integrate DCAE with CertService to acquire operator certificates meant to protect external traffic between DCAE's components (VES collector, HV-VES, RestConf collector and DFC) and xNFs. For that reason K8s plugin which creates K8s resources from Cloudify blueprints was enhanced with new TLS properties support. New TLS properties are meant to control CertService's client call in init containers section and environment variables which are passed to it.
120
121This external TLS support doesn't influence ONAP internal traffic which is protected by certificates issued by AAF's CertMan. External TLS Support was introduced in k8splugin 3.1.0.
122
Piotr Marcinkiewicz2ba6ca22020-09-09 16:43:29 +0200123From k8splugin 3.4.1 when external TLS is enabled (use_external_tls=true), keystore contains only certificate from CMPv2 server. Keystore issued by CertMan has appended .bak extension and is not used.
124
Piotr Marcinkiewicz91389942020-07-16 08:54:40 +02001251. Certificate setup:
126
Remigiusz Janeczekde375522020-08-11 12:22:00 +0200127 To create certificate artifacts, OOM CertService must obtain the certificate details. Common name and list of Subject Alternative Names (SANs) are set in blueprint as described in step 3.
Piotr Marcinkiewicz91389942020-07-16 08:54:40 +0200128 The following parameters with default values are stored in OOM in k8splugin configuration file (k8splugin.json) in group ``external_cert``:
129
130 * A string ``image_tag`` that indicates CertService client image name and version
131 * A string ``request_url`` that indicates URL to Cert Service API
132 * A string ``timeout`` that indicates request timeout.
133 * A string ``country`` that indicates country name in ISO 3166-1 alpha-2 format, for which certificate will be created
134 * A string ``organization`` that indicates organization name, for which certificate will be created.
135 * A string ``state`` that indicates state name, for which certificate will be created.
136 * A string ``organizational_unit`` that indicates organizational unit name, for which certificate will be created.
137 * A string ``location`` that indicates location name, for which certificate will be created.
Piotr Marcinkiewiczcf6cbf72020-07-29 09:16:55 +0200138 * A string ``keystore_password`` that indicates keystore password.
139 * A string ``truststore_password`` that indicates truststore password.
Piotr Marcinkiewicz91389942020-07-16 08:54:40 +0200140
141 Group ``external_cert`` from k8splugin.json with default values:
142
143 .. code-block:: JSON
144
145 {
Remigiusz Janeczekde375522020-08-11 12:22:00 +0200146 "image_tag": "nexus3.onap.org:10001/onap/org.onap.oom.platform.certservice.oom-certservice-client:$VERSION",
147 "request_url": "https://oom-cert-service:8443/v1/certificate/",
Piotr Marcinkiewicz91389942020-07-16 08:54:40 +0200148 "timeout": "30000",
149 "country": "US",
150 "organization": "Linux-Foundation",
151 "state": "California",
152 "organizational_unit": "ONAP",
Piotr Marcinkiewiczcf6cbf72020-07-29 09:16:55 +0200153 "location": "San-Francisco",
154 "keystore_password": "secret",
155 "truststore_password": "secret"
Piotr Marcinkiewicz91389942020-07-16 08:54:40 +0200156 }
157
158
159 Parameters configured in k8splugin are propagated via Helm Charts to Kubernetes ConfigMap and finally they are transfered to Consul.
160 Blueprint, during start of execution, reads k8splugin.json configuration from Consul and applies it.
161
1622. Certificate generation and retrieval:
163
Piotr Marcinkiewiczcf6cbf72020-07-29 09:16:55 +0200164 When a DCAE component that needs an external TLS certificate is launched, a Kubernetes init container runs before the main
Remigiusz Janeczekde375522020-08-11 12:22:00 +0200165 component container is launched. The init container contacts the OOM CertService.
Piotr Marcinkiewicz91389942020-07-16 08:54:40 +0200166
167 DCAE service components (sometimes called "microservices") are deployed via Cloudify using blueprints. This is described
168 in more detail in the next section.
169
1703. Plugin and Blueprint:
Piotr Marcinkiewiczcf6cbf72020-07-29 09:16:55 +0200171 The blueprint for a component that needs an external TLS certificate needs to include the node property called "external_cert" in
Piotr Marcinkiewicz91389942020-07-16 08:54:40 +0200172 the node properties for the component. The property is a dictionary with following elements:
173
174 * A boolean (``use_external_tls``) that indicates whether the component uses TLS in external traffic.
175 * A string (``external_cert_directory``) that indicates where the component expects to find operator certificate and trusted certs.
176 * A string (``ca_name``) that indicates name of Certificate Authority configured on CertService side (in cmpServers.json).
177 * A string (``output_type``) that indicates certificate output type.
178 * A dictionary (``external_certificate_parameters``) with two elements:
179 * A string (``common_name``) that indicates common name which should be present in certificate. Specific for every blueprint (e.g. dcae-ves-collector for VES).
Piotr Marcinkiewiczac5aacc2020-12-10 16:04:25 +0100180 * A string (``sans``) that indicates list of Subject Alternative Names (SANs) which should be present in certificate. Delimiter - , Should contain common_name value and other FQDNs under which given component is accessible. The following SANs types are supported: DNS names, IPs, URIs, emails.
Piotr Marcinkiewicz91389942020-07-16 08:54:40 +0200181
Jan Malkiewicz0cbaa4e2020-08-28 09:35:49 +0200182 As a final step of the plugin the generated CMPv2 truststore entries will be appended to AAF CA truststore (see certificate artifacts below).
183
Piotr Marcinkiewicz91389942020-07-16 08:54:40 +0200184 Example
185
186 .. code-block:: yaml
187
188 external_cert:
189 external_cert_directory: /opt/app/dcae-certificate/
190 use_external_tls: true
191 ca_name: "RA"
192 cert_type: "P12"
193 external_certificate_parameters:
194 common_name: "simpledemo.onap.org"
Remigiusz Janeczeke0d2ada2020-12-01 12:54:14 +0100195 sans: "simpledemo.onap.org,ves.simpledemo.onap.org,ves.onap.org"
Piotr Marcinkiewicz91389942020-07-16 08:54:40 +0200196
197 For this example the certificates are mounted into ``/opt/app/dcae-certificate/external`` directory within the container.
198
199 During deployment Kubernetes plugin (referenced in blueprint) will check if the ``external_cert`` property is set and ``use_external_tls`` is set to true, then the plugin will add some elements to the Kubernetes Deployment for the component:
200 * A Kubernetes volume (``tls-volume``) that will hold the certificate artifacts
201 * A Kubernetes initContainer (``cert-service-client``)
Remigiusz Janeczekde375522020-08-11 12:22:00 +0200202 * A Kubernetes volumeMount for the initContainer that mounts the ``tls-volume`` volume at ``/etc/onap/oom/certservice/certs/``.
Piotr Marcinkiewicz91389942020-07-16 08:54:40 +0200203 * A Kubernetes volumeMount for the main container that mounts the ``tls-info`` volume at the mount point specified in the ``external_cert_directory`` property.
204
205 Kurbernetes volumeMount tls-info is shared with TLS init container for internal traffic.
206
2074. Certificate artifacts
208
209 The certificate directory mounted on the container will include the following:
210 * Directory ``external`` with files:
211 * ``keystore.p12``: A keystore containing the operator certificate.
212 * ``keystore.pass``: A text file with a single line that contains the password for the ``keystore.p12`` keystore.
213 * ``truststore.p12``: A truststore containing the operator certificate. (Needed by clients that access TLS-protected servers in external traffic.)
214 * ``truststore.pass``: A text file with a single line that contains the password for the ``truststore.p12`` keystore.
Jan Malkiewicz0cbaa4e2020-08-28 09:35:49 +0200215 * ``trust.jks``: A file with the AAF CA certificate and CMPv2 certificate with private key packaged in Java form.
216 * ``trust.jks.bak``: The (original) file with the AAF CA certificate only.
217 * ``trust.pass``: A text file with a single line that contains the password for ``trust.jks`` and ``trust.jks.bak`` file.
Piotr Marcinkiewicz91389942020-07-16 08:54:40 +0200218 * ``cacert.pem``: The AAF CA certificate, in PEM form.