Acumos / ACUMOS-2424

AIO support for user-supplied CA and server certs

      Description

      AIO support for user-supplied CA and server certs. Allow the user to specify the following in acumos-env.sh, replacing the default values where set, and setting the other values ("...PASSWORD") as appropriate for their certs:

      export ACUMOS_CA_CERT=acumosCA.crt
      export ACUMOS_CERT=acumos.crt
      export ACUMOS_CERT_KEY=acumos.key
      export ACUMOS_CERT_KEY_PASSWORD=
      export ACUMOS_KEYSTORE=acumos_aio.p12
      export ACUMOS_KEYSTORE_PASSWORD=
      export ACUMOS_TRUSTSTORE=acumosTrustStore.jks
      export ACUMOS_TRUSTSTORE_PASSWORD=

      When the oneclick toolset finds that any of these values is not the default, it will assume that the user has prepared a set of files that the platform should use. We may provide tools to assist the user, or at least a documentation guide:

      • ACUMOS_CA_CERT : public cert for the CA, needed for kong and for the federation-gateway
      • ACUMOS_CERT : cert issued for your Acumos domain
      • ACUMOS_CERT_KEY : private key file for your cert (you created this as part of the certificate signing request process)
      • ACUMOS_KEYSTORE : PKCS12 keystore you created containing your cert
      • ACUMOS_TRUSTSTORE : PKCS12 truststore you created with your CA cert

      The process is:

      • update the acumos-env.sh file, as described above
      • Create the truststore and keystore files, and prepare the host folder where they are shared with Acumos service components:
        • create a folder on your AIO host machine named "/var/acumos/certs"
          sudo mkdir -p /var/acumos/certs
          sudo chown $USER:$USER /var/acumos/certs
          chmod 777 /var/acumos/certs
        • copy the CA cert, Acumos cert, and Acumos cert key to that folder
        • run the following commands to create the keystore and truststore
          source acumos-env.sh
          openssl pkcs12 -export \
            -in /var/$ACUMOS_NAMESPACE/certs/$ACUMOS_CERT \
            -inkey /var/$ACUMOS_NAMESPACE/certs/$ACUMOS_CERT_KEY \
            -passin pass:$ACUMOS_CERT_KEY_PASSWORD \
            -certfile /var/$ACUMOS_NAMESPACE/certs/$ACUMOS_CERT \
            -out /var/$ACUMOS_NAMESPACE/certs/$ACUMOS_KEYSTORE \
            -passout pass:$ACUMOS_KEYSTORE_PASSWORD
          keytool -import \
            -file /var/$ACUMOS_NAMESPACE/certs/$ACUMOS_CA_CERT \
            -alias acumosCA \
            -keystore /var/$ACUMOS_NAMESPACE/certs/$ACUMOS_TRUSTSTORE \
            -storepass $ACUMOS_TRUSTSTORE_PASSWORD -noprompt
        • if you have intermediate CA(s) to add to the truststore, run the following command for each, supplying the <cert-file> and <cert-name> values
          • <cert-file>: filename containing the cert
          • <cert-name>: name to associate with the cert in the truststore
          keytool -import \
            -file <cert-file> \
            -alias <cert-name> \
            -keystore /var/$ACUMOS_NAMESPACE/certs/$ACUMOS_TRUSTSTORE \
            -storepass $ACUMOS_TRUSTSTORE_PASSWORD -noprompt
      • run oneclick_deploy.sh to deploy the platform using your CA and cert
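      As an added example (not code from the Acumos project or the oneclick toolset), a pre-flight script a deployer can run after updating acumos-env.sh and populating the certs folder: it applies the issue's rule that any non-default value means user-supplied certs, then checks that the listed files and store passwords are in place before oneclick_deploy.sh is run. The function names and the directory argument are assumptions; the default values are the ones listed above.

```shell
# Added example, not part of the Acumos oneclick toolset: a pre-flight check a
# deployer can run before oneclick_deploy.sh. It applies the rule in the issue
# (any value differing from its default means user-supplied certs) and checks
# that the listed files are present and the store passwords are set. Defaults
# are the ones listed in the issue; the cert folder is passed as an argument.

# Print "user" if any cert value differs from its acumos-env.sh default,
# otherwise "default" (the platform then generates its own CA and certs).
acumos_cert_mode() {
  if [ "${ACUMOS_CA_CERT:-acumosCA.crt}" != "acumosCA.crt" ] ||
     [ "${ACUMOS_CERT:-acumos.crt}" != "acumos.crt" ] ||
     [ "${ACUMOS_CERT_KEY:-acumos.key}" != "acumos.key" ] ||
     [ "${ACUMOS_KEYSTORE:-acumos_aio.p12}" != "acumos_aio.p12" ] ||
     [ "${ACUMOS_TRUSTSTORE:-acumosTrustStore.jks}" != "acumosTrustStore.jks" ]
  then echo user; else echo default; fi
}

# In user mode, every listed file must exist and be non-empty in $1, and the
# keystore/truststore passwords must not be empty. Returns 0 when all is well.
acumos_cert_files_ok() {
  dir=$1; rc=0
  for f in "$ACUMOS_CA_CERT" "$ACUMOS_CERT" "$ACUMOS_CERT_KEY" \
           "$ACUMOS_KEYSTORE" "$ACUMOS_TRUSTSTORE"; do
    [ -n "$f" ] && [ -s "$dir/$f" ] || { echo "missing or empty: $dir/$f" >&2; rc=1; }
  done
  [ -n "$ACUMOS_KEYSTORE_PASSWORD" ]   || { echo "ACUMOS_KEYSTORE_PASSWORD is empty" >&2; rc=1; }
  [ -n "$ACUMOS_TRUSTSTORE_PASSWORD" ] || { echo "ACUMOS_TRUSTSTORE_PASSWORD is empty" >&2; rc=1; }
  return $rc
}

# Optional: if openssl is installed, confirm the private key belongs to the cert
# and that the cert verifies against the CA that goes into the truststore.
acumos_cert_chain_ok() {
  dir=$1
  command -v openssl >/dev/null 2>&1 || { echo "openssl not found, skipping" >&2; return 0; }
  certpub=$(openssl x509 -in "$dir/$ACUMOS_CERT" -noout -pubkey) || return 1
  keypub=$(openssl pkey -in "$dir/$ACUMOS_CERT_KEY" \
             -passin "pass:$ACUMOS_CERT_KEY_PASSWORD" -pubout) || return 1
  [ "$certpub" = "$keypub" ] || { echo "key does not match $ACUMOS_CERT" >&2; return 1; }
  openssl verify -CAfile "$dir/$ACUMOS_CA_CERT" "$dir/$ACUMOS_CERT" >/dev/null
}

# Usage: source acumos-env.sh, then run the checks against the shared folder.
if [ "$(acumos_cert_mode)" = user ]; then
  acumos_cert_files_ok "/var/$ACUMOS_NAMESPACE/certs" &&
  acumos_cert_chain_ok "/var/$ACUMOS_NAMESPACE/certs" && echo "pre-flight OK"
fi
```

      The checks do not inspect the store format: keytool -import creates a store of the default type for the installed Java (JKS before Java 9, PKCS12 from Java 9 on) regardless of the .jks filename, so confirm the resulting file is what the consuming component expects.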

              People

              Assignee: Bryan Sullivan (blsaws)
              Reporter: Bryan Sullivan (blsaws)