This page describes the default certificates in the A1 Policy Management Service and how to update or replace them using Docker and Kubernetes.

General

The A1 Policy Management Service and the Enrichment Coordinator Service have default keystores and truststores built into their containers. The paths and passwords for these stores are configured in a YAML file:
    config/application.yaml

The default trust store includes the a1simulator cert as a trusted cert; it is located here:
https://gerrit.o-ran-sc.org/r/gitweb?p=sim/a1-interface.git;a=tree;f=near-rt-ric-simulator/certificate;h=172c1e5aacd52d760e4416288dc5648a5817ce65;hb=HEAD

The default trust store also includes the a1controller cert as a trusted cert; it is located here (keystore.jks file):
https://gerrit.o-ran-sc.org/r/gitweb?p=nonrtric.git;a=tree;f=sdnc-a1-controller/oam/installation/sdnc-a1/src/main/resources;h=17fdf6cecc7a866c5ce10a35672b742a9f0c4acf;hb=HEAD

By default, trust validation is not enabled, which means that a peer presenting any certificate can connect to, or be connected to by, the components.

...

server:
  ssl:
    key-store-type: JKS
    key-store-password: <key store password>   # password of the keystore file itself
    key-store: /opt/app/policy-agent/config/keystore.jks   # note: the path needs to be updated to this value (where the keystore is placed in the container)
    key-password: <key password>   # password of the private key inside the keystore
    key-alias: <key alias>   # alias of the server key in the keystore, e.g. policy_agent
# Add the following 2 parameters if you want to enable trust validation for accesses towards the service (mainly the service NBI).
    trust-store-password: <trust store password>
    trust-store: /opt/app/policy-agent/config/truststore.jks
app:
  webclient:
  # Update the following parameters if you want to enable trust validation in the connections from the service towards the RAN
    trust-store-used: true
    trust-store-password: <trust store password>
    trust-store: /opt/app/policy-agent/config/truststore.jks
...

...

docker run -p 8081:8081 -p 8433:8433 --name=policy-agent-container --network=nonrtric-docker-net --volume "$PWD/new_keystore.jks:/opt/app/policy-agent/etc/cert/keystore.jks" --volume "$PWD/new_truststore.jks:/opt/app/policy-agent/etc/cert/truststore.jks" --volume "$PWD/new_application.yaml:/opt/app/policy-agent/config/application.yaml" o-ran-sc/nonrtric-policy-agent:2.02.0-SNAPSHOT
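One mistake this procedure invites is mounting the new stores at one container path while application.yaml still points at another, in which case the service silently keeps using the built-in default stores. The following check is an added example (not part of the project or this page): it extracts the key-store/trust-store paths from a constructed application.yaml fragment and the container-side targets of every --volume in a constructed docker run line modelled on the one above, and reports any store path that no mount provides.

```python
import re
import shlex

# Constructed sample of the application.yaml entries discussed above (placeholders as on the page)
SAMPLE_YAML = """\
server:
  ssl:
    key-store-type: JKS
    key-store-password: <key store password>
    key-store: /opt/app/policy-agent/config/keystore.jks
    key-password: <key password>
    key-alias: <key alias>
    trust-store-password: <trust store password>
    trust-store: /opt/app/policy-agent/config/truststore.jks
app:
  webclient:
    trust-store-used: true
    trust-store-password: <trust store password>
    trust-store: /opt/app/policy-agent/config/truststore.jks
"""

# Constructed docker run line modelled on the page's command (note the etc/cert mount targets)
SAMPLE_DOCKER_CMD = (
    'docker run -p 8081:8081 -p 8433:8433 --name=policy-agent-container '
    '--volume "$PWD/new_keystore.jks:/opt/app/policy-agent/etc/cert/keystore.jks" '
    '--volume "$PWD/new_truststore.jks:/opt/app/policy-agent/etc/cert/truststore.jks" '
    '--volume "$PWD/new_application.yaml:/opt/app/policy-agent/config/application.yaml" '
    'o-ran-sc/nonrtric-policy-agent:2.02.0-SNAPSHOT'
)

# Matches only the file-path keys, not key-store-type / key-store-password / trust-store-used
STORE_KEY = re.compile(r"^\s*(key-store|trust-store):\s*(\S+)\s*$")

def store_paths(yaml_text):
    """Return the set of keystore/truststore file paths referenced in the yaml."""
    return {m.group(2) for line in yaml_text.splitlines() if (m := STORE_KEY.match(line))}

def mount_targets(docker_cmd):
    """Return the container-side path of every --volume/-v mount in a docker run line."""
    targets = set()
    args = shlex.split(docker_cmd)
    for i, arg in enumerate(args):
        if arg in ("--volume", "-v") and i + 1 < len(args):
            spec = args[i + 1]
        elif arg.startswith("--volume="):
            spec = arg.split("=", 1)[1]
        else:
            continue
        parts = spec.split(":")  # host:container[:options]
        if len(parts) >= 2:
            targets.add(parts[1])
    return targets

def unmounted_stores(yaml_text, docker_cmd):
    """Store paths the service will read that no volume provides (built-in defaults would be used)."""
    return sorted(store_paths(yaml_text) - mount_targets(docker_cmd))
```

With the sample values, unmounted_stores() reports both /opt/app/policy-agent/config/*.jks paths, since the mounts target /opt/app/policy-agent/etc/cert/ instead; it returns an empty list once the yaml paths and the mount targets agree.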