This page describes the default certificates in the A1 Policy Management Service and how to update or replace them in Kubernetes and Docker.

A1 Policy Management Service

The A1 Policy Management Service has a default keystore and truststore that are built into the container. The paths and passwords for these stores are located in a yaml file:
            nonrtric/policy-agent/config/application.yaml

The default truststore includes the a1simulator certificate as a trusted certificate; it is located here:
https://gerrit.o-ran-sc.org/r/gitweb?p=sim/a1-interface.git;a=tree;f=near-rt-ric-simulator/certificate;h=172c1e5aacd52d760e4416288dc5648a5817ce65;hb=HEAD

The default truststore also includes the a1controller certificate as a trusted certificate; it is located here (keystore.jks file):
https://gerrit.o-ran-sc.org/r/gitweb?p=nonrtric.git;a=tree;f=sdnc-a1-controller/oam/installation/sdnc-a1/src/main/resources;h=17fdf6cecc7a866c5ce10a35672b742a9f0c4acf;hb=HEAD

The A1 Policy Management Service's own certificate is also in the default truststore, for mocking and unit testing (ApplicationTest.java).

A1 Policy Management Service, configuration of certs in Kubernetes

The keystore and truststore can also be configured in Kubernetes. The default files are located in the source code repository. Updating them in a running cluster can be done in more than one way, but the following is probably the simplest.
First you need to create a directory with three files.

config/
  application.yaml
  keystore.jks
  truststore.jks

The default application.yaml can be taken from the source code repository or by running the command "kubectl describe configmap policymanagementservice-configmap -n nonrtric".
Then you need to create keystore.jks and, if a truststore is used (it is not used by default), truststore.jks.
There is a README file in the source code repository that describes how the default keystore and truststore are created. This involves creating a CA certificate used for signing.

The following parameters in application.yaml need to be updated (parameters not relevant here are omitted):
...

server:
  ssl:
    key-store-type: JKS
    key-store-password: secret
    key-store: /opt/app/policy-agent/config/keystore.jks
    key-password: secret
    key-alias: policy_agent
app:
  webclient:
    trust-store-used: false
    trust-store-password: policy_agent
    trust-store: /opt/app/policy-agent/config/truststore.jks
...
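Before mounting a rewritten application.yaml, it is worth checking that the password and truststore settings above were actually changed along with the stores. The following is an added example, not code from the page or the nonrtric project: a small lint over the parameters shown above. It assumes the file uses only the nested "key: value" layout seen here (the parser is not a general YAML parser) and that trust-store-used: false means the mounted truststore is not used by the webclient.

```python
from typing import Any, Dict, List

# Passwords exactly as they appear in the default configuration on this page.
DEFAULT_PASSWORDS = {"secret", "policy_agent"}

# Constructed sample: the password, alias and truststore parameters from the page.
SAMPLE_YAML = """\
server:
  ssl:
    key-store-password: secret
    key-password: secret
    key-alias: policy_agent
app:
  webclient:
    trust-store-used: false
    trust-store-password: policy_agent
"""

def parse_simple_yaml(text: str) -> Dict[str, Any]:
    # Minimal parser for indentation-nested "key: value" lines (no lists,
    # no quoting): enough for this file, not a general YAML parser.
    root: Dict[str, Any] = {}
    stack = [(-1, root)]  # (indent, mapping) of the currently open levels
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line == "...":
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        key, _, value = line.partition(":")
        while indent <= stack[-1][0]:  # close levels at equal or deeper indent
            stack.pop()
        parent = stack[-1][1]
        if value.strip():
            parent[key] = value.strip()
        else:
            parent[key] = {}
            stack.append((indent, parent[key]))
    return root

def lint_config(cfg: Dict[str, Any]) -> List[str]:
    # Findings a reviewer would want resolved before the file is mounted.
    ssl = cfg.get("server", {}).get("ssl", {})
    wc = cfg.get("app", {}).get("webclient", {})
    findings: List[str] = []
    for name in ("key-store-password", "key-password", "trust-store-password"):
        if (ssl.get(name) or wc.get(name)) in DEFAULT_PASSWORDS:
            findings.append(f"{name}: default value, set it to the new store's password")
    if not ssl.get("key-alias"):
        findings.append("key-alias: missing, must match the alias in the new keystore")
    if wc.get("trust-store-used") != "true":  # assumed meaning of the flag
        findings.append("trust-store-used: not true, mounted truststore will not be used")
    return findings
```

Running lint_config(parse_simple_yaml(SAMPLE_YAML)) on the unchanged sample reports the three default passwords and the disabled truststore.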

A1 Policy Management Service, configuration of certs in Docker

The default keystore, truststore, and application.yaml files can be overridden by mounting new files using the "volumes" field of docker-compose or docker run command.

Assuming that the keystore, truststore, and application.yaml files are located in the same directory as the docker-compose file, the volumes field should have these entries:

volumes:
  - ./new_keystore.jks:/opt/app/policy-agent/etc/cert/keystore.jks:ro
  - ./new_truststore.jks:/opt/app/policy-agent/etc/cert/truststore.jks:ro
  - ./new_application.yaml:/opt/app/policy-agent/config/application.yaml:ro

The target paths in the container should not be modified.

Example docker run command for mounting new files (assuming they are located in the current directory):

docker run -p 8081:8081 -p 8433:8433 --name=policy-agent-container --network=nonrtric-docker-net --volume "$PWD/new_keystore.jks:/opt/app/policy-agent/etc/cert/keystore.jks" --volume "$PWD/new_truststore.jks:/opt/app/policy-agent/etc/cert/truststore.jks" --volume "$PWD/new_application.yaml:/opt/app/policy-agent/config/application.yaml" o-ran-sc/nonrtric-policy-agent:2.0.0-SNAPSHOT