Move csits form aaf to oom

create csit folder under oom
move csits from aaf to oom
reconfigure csits: remove aaf word, use new image

Issue-ID: OOM-2526
Signed-off-by: Pawel <pawel.kasperkiewicz@nokia.com>
Change-Id: I7b1f010fe46420cb734c67133f038bdadffd5ecc
diff --git a/plans/oom-platform-cert-service/certservice/certs/Makefile b/plans/oom-platform-cert-service/certservice/certs/Makefile
new file mode 100644
index 0000000..ea90c5c
--- /dev/null
+++ b/plans/oom-platform-cert-service/certservice/certs/Makefile
@@ -0,0 +1,110 @@
+all: step_1 step_2 step_3 step_4 step_5 step_6 step_7 step_8 step_9 step_10 step_11 step_12 step_13 step_14 step_15
+.PHONY: all
+#Clear certificates
+clear:
+	@echo "Clear certificates"
+	rm -f certServiceClient-keystore.jks certServiceServer-keystore.jks root.crt truststore.jks certServiceServer-keystore.p12
+	@echo "#####done#####"
+
+#Generate root private and public keys
+step_1:
+	@echo "Generate root private and public keys"
+	keytool -genkeypair -v -alias root -keyalg RSA -keysize 4096 -validity 3650 -keystore root-keystore.jks \
+    -dname "CN=root.com, OU=Root Org, O=Root Company, L=Wroclaw, ST=Dolny Slask, C=PL" -keypass secret \
+    -storepass secret -ext BasicConstraints:critical="ca:true"
+	@echo "#####done#####"
+
+#Export public key as certificate
+step_2:
+	@echo "(Export public key as certificate)"
+	keytool -exportcert -alias root -keystore root-keystore.jks -storepass secret -file root.crt -rfc
+	@echo "#####done#####"
+
+#Self-signed root (import root certificate into truststore)
+step_3:
+	@echo "(Self-signed root (import root certificate into truststore))"
+	keytool -importcert -alias root -keystore truststore.jks -file root.crt -storepass secret -noprompt
+	@echo "#####done#####"
+
+#Generate certService's client private and public keys
+step_4:
+	@echo "Generate certService's client private and public keys"
+	keytool -genkeypair -v -alias certServiceClient -keyalg RSA -keysize 2048 -validity 730 \
+    -keystore certServiceClient-keystore.jks -storetype JKS \
+    -dname "CN=certServiceClient.com,OU=certServiceClient company,O=certServiceClient org,L=Wroclaw,ST=Dolny Slask,C=PL" \
+    -keypass secret -storepass secret
+	@echo "####done####"
+
+#Generate certificate signing request for certService's client
+step_5:
+	@echo "Generate certificate signing request for certService's client"
+	keytool -certreq -keystore certServiceClient-keystore.jks -alias certServiceClient -storepass secret -file certServiceClient.csr
+	@echo "####done####"
+
+#Sign certService's client certificate by root CA
+step_6:
+	@echo "Sign certService's client certificate by root CA"
+	keytool -gencert -v -keystore root-keystore.jks -storepass secret -alias root -infile certServiceClient.csr \
+    -outfile certServiceClientByRoot.crt -rfc -ext bc=0  -ext ExtendedkeyUsage="serverAuth,clientAuth"
+	@echo "####done####"
+
+#Import root certificate into client
+step_7:
+	@echo "Import root certificate into intermediate"
+	cat root.crt >> certServiceClientByRoot.crt
+	@echo "####done####"
+
+#Import signed certificate into certService's client
+step_8:
+	@echo "Import signed certificate into certService's client"
+	keytool -importcert -file certServiceClientByRoot.crt -destkeystore certServiceClient-keystore.jks -alias certServiceClient -storepass secret -noprompt
+	@echo "####done####"
+
+#Generate certService private and public keys
+step_9:
+	@echo "Generate certService private and public keys"
+	keytool -genkeypair -v -alias oom-cert-service -keyalg RSA -keysize 2048 -validity 730 \
+    -keystore certServiceServer-keystore.jks -storetype JKS \
+    -dname "CN=oom-cert-service,OU=certServiceServer company,O=certServiceServer org,L=Wroclaw,ST=Dolny Slask,C=PL" \
+    -keypass secret -storepass secret -ext BasicConstraints:critical="ca:false"
+	@echo "####done####"
+
+#Generate certificate signing request for certService
+step_10:
+	@echo "Generate certificate signing request for certService"
+	keytool -certreq -keystore certServiceServer-keystore.jks -alias oom-cert-service -storepass secret -file certServiceServer.csr
+	@echo "####done####"
+
+#Sign certService certificate by root CA
+step_11:
+	@echo "Sign certService certificate by root CA"
+	keytool -gencert -v -keystore root-keystore.jks -storepass secret -alias root -infile certServiceServer.csr \
+    -outfile certServiceServerByRoot.crt -rfc -ext bc=0  -ext ExtendedkeyUsage="serverAuth,clientAuth" \
+    -ext SubjectAlternativeName:="DNS:oom-cert-service,DNS:localhost"
+	@echo "####done####"
+
+#Import root certificate into server
+step_12:
+	@echo "Import root certificate into intermediate(server)"
+	cat root.crt >> certServiceServerByRoot.crt
+	@echo "####done####"
+
+#Import signed certificate into certService
+step_13:
+	@echo "Import signed certificate into certService"
+	keytool -importcert -file certServiceServerByRoot.crt -destkeystore certServiceServer-keystore.jks -alias oom-cert-service \
+    -storepass secret -noprompt
+	@echo "####done####"
+
+#Convert certServiceServer-keystore(.jks) to PCKS12 format(.p12)
+step_14:
+	@echo "Convert certServiceServer-keystore(.jks) to PCKS12 format(.p12)"
+	keytool -importkeystore -srckeystore certServiceServer-keystore.jks -srcstorepass secret \
+        -destkeystore certServiceServer-keystore.p12 -deststoretype PKCS12 -deststorepass secret
+	@echo "#####done#####"
+
+#Clear unused certificates
+step_15:
+	@echo "Clear unused certificates"
+	rm -f certServiceClientByRoot.crt certServiceClient.csr root-keystore.jks certServiceServerByRoot.crt  certServiceServer.csr
+	@echo "#####done#####"
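Review bot: `clear` does not remove `root-keystore.jks` or the `.csr`/`*ByRoot.crt` intermediates; only `step_15` does, so a run that fails between `step_1` and `step_15` leaves the root CA private key (store password `secret`) in the workspace even after teardown.sh calls `make clear`. The leftovers will probably break the next run as well: `step_7` and `step_12` append with `>>`, and keytool normally refuses `-genkeypair` for an alias that already exists in the keystore. I would extend the `rm -f` in `clear` with `root-keystore.jks certServiceClientByRoot.crt certServiceClient.csr certServiceServerByRoot.crt certServiceServer.csr`. Separately, the steps are ordered only by their position in the `all` prerequisite list, so `make -j` may run them out of order; adding `.NOTPARALLEL:` (or chaining `step_2: step_1` and so on) and listing `clear` and the steps in `.PHONY` would make the ordering explicit.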
diff --git a/plans/oom-platform-cert-service/certservice/cmpServers.json b/plans/oom-platform-cert-service/certservice/cmpServers.json
new file mode 100644
index 0000000..7256494
--- /dev/null
+++ b/plans/oom-platform-cert-service/certservice/cmpServers.json
@@ -0,0 +1,24 @@
+{
+  "cmpv2Servers": [
+    {
+      "caName": "Client",
+      "url": "http://oomcert-ejbca:8080/ejbca/publicweb/cmp/cmp",
+      "issuerDN": "CN=ManagementCA",
+      "caMode": "CLIENT",
+      "authentication": {
+        "iak": "mypassword",
+        "rv": "mypassword"
+      }
+    },
+    {
+      "caName": "RA",
+      "url": "http://oomcert-ejbca:8080/ejbca/publicweb/cmp/cmpRA",
+      "issuerDN": "CN=ManagementCA",
+      "caMode": "RA",
+      "authentication": {
+        "iak": "mypassword",
+        "rv": "mypassword"
+      }
+    }
+  ]
+}
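Review bot: The `iak`/`rv` values for both CA entries are the literal `mypassword`, which presumably has to match the `cmpRaAuthSecret` and the `Node123` end-entity password that `scripts/ejbca-configuration.sh` sets in this same commit, and nothing records that coupling. JSON cannot carry a comment, so I would document it on the script side, for example `# CSIT fixture secret; must match iak/rv in ../cmpServers.json` above the `ca editca` line. Changing the value in one file only would likely show up as a CMP authentication failure in the tests rather than as a configuration error.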
diff --git a/plans/oom-platform-cert-service/certservice/docker-compose.yml b/plans/oom-platform-cert-service/certservice/docker-compose.yml
new file mode 100644
index 0000000..b281101
--- /dev/null
+++ b/plans/oom-platform-cert-service/certservice/docker-compose.yml
@@ -0,0 +1,47 @@
+version: "2.1"
+
+services:
+  ejbca:
+    image: primekey/ejbca-ce:6.15.2.5
+    hostname: cahostname
+    container_name: oomcert-ejbca
+    ports:
+      - "80:8080"
+      - "443:8443"
+    volumes:
+      - $SCRIPTS_PATH:/opt/primekey/scripts
+    healthcheck:
+      test: ["CMD-SHELL", "curl -kI https://localhost:8443/ejbca/publicweb/healthcheck/ejbcahealth"]
+      interval: 20s
+      timeout: 3s
+      retries: 9
+    networks:
+      - certservice
+
+  oom-cert-service:
+    image: nexus3.onap.org:10001/onap/org.onap.oom.platform.cert-service.oom-certservice-api:latest
+    volumes:
+      - $CONFIGURATION_PATH:/etc/onap/oom/certservice/cmpServers.json
+      - ./certs/truststore.jks:/etc/onap/oom/certservice/certs/truststore.jks
+      - ./certs/root.crt:/etc/onap/oom/certservice/certs/root.crt
+      - ./certs/certServiceServer-keystore.jks:/etc/onap/oom/certservice/certs/certServiceServer-keystore.jks
+      - ./certs/certServiceServer-keystore.p12:/etc/onap/oom/certservice/certs/certServiceServer-keystore.p12
+    container_name: oomcert-service
+    ports:
+      - "8443:8443"
+    depends_on:
+      ejbca:
+        condition: service_healthy
+    healthcheck:
+      test: ["CMD-SHELL", "curl https://localhost:8443/actuator/health --cacert /etc/onap/oom/certservice/certs/root.crt --cert-type p12 --cert /etc/onap/oom/certservice/certs/certServiceServer-keystore.p12 --pass secret"]
+      interval: 10s
+      timeout: 3s
+      retries: 15
+    networks:
+      - certservice
+
+
+networks:
+  certservice:
+    driver: bridge
+
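Review bot: Neither healthcheck passes `-f`/`--fail` to curl, so curl exits 0 for any HTTP response, including an error status; both services are then reported healthy as soon as the port answers, and `depends_on: condition: service_healthy` can release `oom-cert-service` before EJBCA is usable. I would use `curl -fkI https://localhost:8443/ejbca/publicweb/healthcheck/ejbcahealth` for `ejbca` and add `--fail` to the actuator check. The `oom-cert-service` image is tagged `:latest` while `ejbca-ce` is pinned to `6.15.2.5`, so the plan runs whatever the registry currently serves under that tag; a fixed tag or digest would make runs reproducible. If the published ports are only needed from the test host, binding them as `127.0.0.1:8443:8443` (and likewise for 80/443) keeps the test CA off the other interfaces.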
diff --git a/plans/oom-platform-cert-service/certservice/scripts/ejbca-configuration.sh b/plans/oom-platform-cert-service/certservice/scripts/ejbca-configuration.sh
new file mode 100755
index 0000000..77f5c55
--- /dev/null
+++ b/plans/oom-platform-cert-service/certservice/scripts/ejbca-configuration.sh
@@ -0,0 +1,19 @@
+#!/bin/bash
+
+configureEjbca() {
+    ejbca.sh config cmp addalias --alias cmpRA
+    ejbca.sh config cmp updatealias --alias cmpRA --key operationmode --value ra
+    ejbca.sh ca editca --caname ManagementCA --field cmpRaAuthSecret --value mypassword
+    ejbca.sh config cmp updatealias --alias cmpRA --key responseprotection --value pbe
+    ejbca.sh config cmp dumpalias --alias cmpRA
+    ejbca.sh config cmp addalias --alias cmp
+    ejbca.sh config cmp updatealias --alias cmp --key allowautomatickeyupdate --value true
+    ejbca.sh config cmp updatealias --alias cmp --key responseprotection --value pbe
+    ejbca.sh ra addendentity --username Node123 --dn "CN=Node123" --caname ManagementCA --password mypassword --type 1 --token USERGENERATED
+    ejbca.sh ra setclearpwd --username Node123 --password mypassword
+    ejbca.sh config cmp updatealias --alias cmp --key extractusernamecomponent --value CN
+    ejbca.sh config cmp dumpalias --alias cmp
+    ejbca.sh ca getcacert --caname ManagementCA -f /dev/stdout > cacert.pem
+}
+
+configureEjbca
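Review bot: `configureEjbca` runs its `ejbca.sh` commands with no error handling, so the script's exit status is only that of the final `getcacert` line, and a failed `addalias`, `editca` or `addendentity` goes unnoticed by the `docker exec` in setup.sh. Adding `set -e` directly after the shebang would stop at the first failing command and surface it to the caller. A short header comment would also help, along the lines of `# Configures the cmpRA and cmp aliases and the Node123 end entity on ManagementCA; the password literal is a CSIT fixture and must match cmpServers.json`.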
diff --git a/plans/oom-platform-cert-service/certservice/setup.sh b/plans/oom-platform-cert-service/certservice/setup.sh
new file mode 100644
index 0000000..bee54cd
--- /dev/null
+++ b/plans/oom-platform-cert-service/certservice/setup.sh
@@ -0,0 +1,109 @@
+#!/bin/bash
+#
+# Copyright 2020 Nokia.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+# ------------------------------------
+# Resolve path to script's directory and cmp servers configuration
+
+SCRIPT=`realpath $0`
+CURRENT_WORKDIR_PATH=`dirname $SCRIPT`
+PROJECT_DIRECTORY="plans/oom-platform-cert-service/certservice"
+
+SCRIPTS_DIRECTORY="scripts"
+
+JENKINS_SCRIPTS_PATH="$CURRENT_WORKDIR_PATH/$PROJECT_DIRECTORY/$SCRIPTS_DIRECTORY"
+LOCAL_SCRIPTS_PATH="$CURRENT_WORKDIR_PATH/$SCRIPTS_DIRECTORY"
+
+# ------------------------------------
+#Prepare enviroment for client
+#install docker sdk
+echo "Uninstall docker-py and reinstall docker."
+pip uninstall -y docker-py
+pip uninstall -y docker
+pip install -U docker==2.7.0
+
+#reinstall pyopenssl library
+echo "Reinstall pyopenssl library."
+pip uninstall pyopenssl -y
+pip install pyopenssl==17.5.0
+
+#install pyjks for .jks files management
+pip install pyjks
+
+#Disable proxy - for local run
+unset http_proxy https_proxy
+
+#export container name
+export ClientContainerName=CertServiceClient
+# ------------------------------------
+
+if test -d "$JENKINS_SCRIPTS_PATH"; then
+    SCRIPTS_PATH=$JENKINS_SCRIPTS_PATH
+else test -f "$LOCAL_SCRIPTS_PATH";
+    SCRIPTS_PATH=$LOCAL_SCRIPTS_PATH
+fi
+echo "Use scripts from: $SCRIPTS_PATH"
+
+CONFIGURATION_FILE="cmpServers.json"
+
+JENKINS_CONFIGURATION_PATH="$CURRENT_WORKDIR_PATH/$PROJECT_DIRECTORY/$CONFIGURATION_FILE"
+LOCAL_CONFIGURATION_PATH="$CURRENT_WORKDIR_PATH/$CONFIGURATION_FILE"
+
+if test -f "$JENKINS_CONFIGURATION_PATH"; then
+    CONFIGURATION_PATH="$JENKINS_CONFIGURATION_PATH"
+else test -f "$LOCAL_CONFIGURATION_PATH";
+    CONFIGURATION_PATH=$LOCAL_CONFIGURATION_PATH
+fi
+echo "Use configuration from: $CONFIGURATION_PATH"
+
+# -------------------------------------
+
+export CONFIGURATION_PATH=${CONFIGURATION_PATH}
+export SCRIPTS_PATH=${SCRIPTS_PATH}
+
+#Generate keystores, truststores, certificates and keys
+mkdir -p ${WORKSPACE}/tests/oom-platform-cert-service/certservice/assets/certs/
+make all -C ./certs/
+cp ${WORKSPACE}/plans/oom-platform-cert-service/certservice/certs/root.crt ${WORKSPACE}/tests/oom-platform-cert-service/certservice/assets/certs/root.crt
+echo "Generated keystores"
+openssl pkcs12 -in ${WORKSPACE}/plans/oom-platform-cert-service/certservice/certs/certServiceServer-keystore.p12 -clcerts -nokeys -password pass:secret | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > ${WORKSPACE}/tests/oom-platform-cert-service/certservice/assets/certs/certServiceServer.crt
+echo "Generated server certificate"
+openssl pkcs12 -in ${WORKSPACE}/plans/oom-platform-cert-service/certservice/certs/certServiceServer-keystore.p12 -nocerts -nodes -password pass:secret| sed -ne '/-BEGIN PRIVATE KEY-/,/-END PRIVATE KEY-/p' > ${WORKSPACE}/tests/oom-platform-cert-service/certservice/assets/certs/certServiceServer.key
+echo "Generated server key"
+
+docker-compose up -d
+
+OOMCERT_IP='none'
+# Wait container ready
+for i in {1..9}
+do
+   OOMCERT_IP=`get-instance-ip.sh oomcert-service`
+   RESP_CODE=$(curl -s https://localhost:8443/actuator/health --cacert ./certs/root.crt --cert-type p12 --cert ./certs/certServiceServer-keystore.p12 --pass secret | \
+   python2 -c 'import json,sys;obj=json.load(sys.stdin);print obj["status"]')
+   if [[ "$RESP_CODE" == "UP" ]]; then
+       echo 'OOM Cert Service is ready'
+       export OOMCERT_IP=${OOMCERT_IP}
+       docker exec oomcert-ejbca /opt/primekey/scripts/ejbca-configuration.sh
+       break
+   fi
+   echo 'Waiting for OOM Cert Service to start up...'
+   sleep 30s
+done
+
+if [ "$OOMCERT_IP" == 'none' -o "$OOMCERT_IP" == '' ]; then
+    echo "OOM Cert Service is not ready!"
+    exit 1 # Return error code
+fi
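Review bot: The final check only looks at `OOMCERT_IP`, which is assigned from `get-instance-ip.sh` on every iteration regardless of the health response, so if the service never reports `UP` within the nine attempts the script can still fall through without error and `ejbca-configuration.sh` is never run. I would track readiness explicitly: `READY=false` before the loop, `READY=true` next to the `break`, and `if [ "$READY" != true ]; then` for the failure branch; the exit status of the `docker exec` should be checked there too. The two `else test -f "…";` lines (scripts path and configuration path) evaluate the test and discard its result, so the local path is always taken as the fallback even when it does not exist; `elif test -d "$LOCAL_SCRIPTS_PATH"; then` followed by an `else` that reports the missing path and fails would catch that (note the scripts path is a directory, so `-f` is the wrong test). `make all -C ./certs/` and `--cacert ./certs/root.crt` depend on the caller's working directory while the `cp`/`openssl` lines use an unquoted `${WORKSPACE}`; using one base path, quoted, for both would remove that assumption.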
diff --git a/plans/oom-platform-cert-service/certservice/teardown.sh b/plans/oom-platform-cert-service/certservice/teardown.sh
new file mode 100644
index 0000000..f531180
--- /dev/null
+++ b/plans/oom-platform-cert-service/certservice/teardown.sh
@@ -0,0 +1,25 @@
+#!/bin/bash
+#
+# Copyright 2017 ZTE, Inc. and others.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+docker-compose down
+
+make clear -C ./certs/
+echo "Removed old keystores"
+rm -rf ${WORKSPACE}/tests/oom-platform-cert-service/certservice/assets/certs
+echo "Removed old certificates"
+
+kill-instance.sh ${ClientContainerName}
\ No newline at end of file
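Review bot: `rm -rf ${WORKSPACE}/tests/oom-platform-cert-service/certservice/assets/certs` is unquoted and unguarded, so with `WORKSPACE` unset it resolves to a path under `/tests/`, and a workspace path containing a space is split into several arguments. `rm -rf "${WORKSPACE:?}/tests/oom-platform-cert-service/certservice/assets/certs"` aborts instead of deleting the wrong path. `kill-instance.sh ${ClientContainerName}` relies on the variable exported by setup.sh, which is lost if teardown runs in a separate shell (how the scripts are invoked is not visible here); `"${ClientContainerName:-CertServiceClient}"` would cover that case. `make clear -C ./certs/` likewise assumes the current directory is the plan directory.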
diff --git a/plans/oom-platform-cert-service/certservice/testplan.txt b/plans/oom-platform-cert-service/certservice/testplan.txt
new file mode 100755
index 0000000..ed9ee12
--- /dev/null
+++ b/plans/oom-platform-cert-service/certservice/testplan.txt
@@ -0,0 +1,3 @@
+# Test suites are relative paths under [integration/csit.git]/tests/.
+# Place the suites in run order.
+oom-platform-cert-service/certservice