This page describes the default certificates in the A1 Policy Management Service and how to update or replace them in Kubernetes and in Docker.
The A1 Policy Management Service has a default keystore and truststore that are built into the container. The paths and passwords for these stores are set in a yaml file:
nonrtric/policy-agent/config/application.yaml
The default truststore includes the a1simulator cert as a trusted cert; it is located here:
https://gerrit.o-ran-sc.org/r/gitweb?p=sim/a1-interface.git;a=tree;f=near-rt-ric-simulator/certificate;h=172c1e5aacd52d760e4416288dc5648a5817ce65;hb=HEAD
The default truststore also includes the a1controller cert as a trusted cert; it is located here (keystore.jks file):
https://gerrit.o-ran-sc.org/r/gitweb?p=nonrtric.git;a=tree;f=sdnc-a1-controller/oam/installation/sdnc-a1/src/main/resources;h=17fdf6cecc7a866c5ce10a35672b742a9f0c4acf;hb=HEAD
The default truststore also contains the A1 Policy Management Service's own cert, used for mocking and unit testing (ApplicationTest.java).
The keystore and truststore can also be replaced in a Kubernetes deployment. The default files are in the source code repository. Updating them in a running cluster can be done in more than one way; the procedure below is probably the simplest.
First you need to create a directory with three files:
config/
    application.yaml
    keystore.jks
    truststore.jks
The default application.yaml can be taken from the source code repository or from the running cluster with the command "kubectl describe configmap policymanagementservice-configmap -n nonrtric".
Then create the keystore.jks and, if the truststore is to be used (it is not used by default), a truststore.jks.
There is a README file in the source code repository that describes how the default keystore and truststore are created. This involves creating a CA cert that is used for signing the service certificate.
The following parameters in application.yaml need to be updated (parameters not relevant here are omitted). The key-store and trust-store values must be the paths at which the files are mounted in the container, here the config directory. trust-store-used: false means the truststore is not consulted by the service's web client; set it to true if the new truststore is to be used:
...
server:
  ssl:
    key-store-type: JKS
    key-store-password: secret
    key-store: /opt/app/policy-agent/config/keystore.jks
    key-password: secret
    key-alias: policy_agent
app:
  webclient:
    trust-store-used: false
    trust-store-password: policy_agent
    trust-store: /opt/app/policy-agent/config/truststore.jks
...
The default keystore, truststore, and application.yaml files can be overridden by mounting new files using the "volumes" field of docker-compose or the docker run command.
Assuming that the keystore, truststore, and application.yaml files are located in the same directory as the docker-compose file, the volumes field should have these entries:
volumes:
  - ./new_keystore.jks:/opt/app/policy-agent/etc/cert/keystore.jks:ro
  - ./new_truststore.jks:/opt/app/policy-agent/etc/cert/truststore.jks:ro
  - ./new_application.yaml:/opt/app/policy-agent/config/application.yaml:ro
The target paths in the container should not be modified; the key-store and trust-store values in the mounted application.yaml must match the paths the stores are mounted at, here /opt/app/policy-agent/etc/cert/.
Example docker run command for mounting the new files read-only (assuming they are located in the current directory):
docker run -p 8081:8081 -p 8433:8433 --name=policy-agent-container --network=nonrtric-docker-net \
  --volume "$PWD/new_keystore.jks:/opt/app/policy-agent/etc/cert/keystore.jks:ro" \
  --volume "$PWD/new_truststore.jks:/opt/app/policy-agent/etc/cert/truststore.jks:ro" \
  --volume "$PWD/new_application.yaml:/opt/app/policy-agent/config/application.yaml:ro" \
  o-ran-sc/nonrtric-policy-agent:2.0.0-SNAPSHOT
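The whole procedure, as an added example that is not part of the nonrtric project or its README: a POSIX shell script that creates a CA and a CA-signed service certificate with openssl, packs them into keystore.jks and truststore.jks with keytool (keeping a PKCS12 keystore when keytool is absent), checks that the key-store and trust-store paths in an application.yaml exist where the volumes put them, replaces the Kubernetes configmap named above, and compares the certificate served on port 8433 with the new one. The alias policy_agent, the password secret, port 8433 and the configmap name come from this page; the CA name nonrtric-example-ca, the SAN names policy-agent and localhost, the 365-day validity and the assumption that the deployment mounts the configmap at /opt/app/policy-agent/config are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not code from the nonrtric project or its README.
# From this page: alias "policy_agent", store password "secret", HTTPS port 8433,
# configmap "policymanagementservice-configmap" in namespace "nonrtric".
# Assumed for the example: CA name, SAN names, 365-day validity.
set -eu

# Private CA plus a server certificate signed by it; fails if the chain does not verify.
make_certs() {
    dir=$1
    mkdir -p "$dir"
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=nonrtric-example-ca" \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=policy-agent" \
        -keyout "$dir/server.key" -out "$dir/server.csr" 2>/dev/null
    # Clients match the SAN, not the CN: list every name the service is reached by.
    printf 'subjectAltName=DNS:policy-agent,DNS:localhost\n' > "$dir/san.ext"
    openssl x509 -req -days 365 -in "$dir/server.csr" \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
        -extfile "$dir/san.ext" -out "$dir/server.crt" 2>/dev/null
    openssl verify -CAfile "$dir/ca.crt" "$dir/server.crt" >/dev/null
}

# Key + chain into PKCS12 (openssl only), then into keystore.jks under the alias
# named by key-alias; the truststore holds the CA cert. keytool ships with a JDK;
# without it keep keystore.p12 and set key-store-type: PKCS12 in application.yaml.
make_stores() {
    dir=$1; pass=$2
    openssl pkcs12 -export -name policy_agent \
        -inkey "$dir/server.key" -in "$dir/server.crt" -certfile "$dir/ca.crt" \
        -out "$dir/keystore.p12" -passout "pass:$pass"
    if command -v keytool >/dev/null 2>&1; then
        keytool -importkeystore -noprompt \
            -srckeystore "$dir/keystore.p12" -srcstoretype PKCS12 -srcstorepass "$pass" \
            -destkeystore "$dir/keystore.jks" -deststoretype JKS -deststorepass "$pass"
        keytool -importcert -noprompt -alias nonrtric-example-ca -file "$dir/ca.crt" \
            -keystore "$dir/truststore.jks" -storepass "$pass"
        # The entry must carry the alias application.yaml names in key-alias.
        keytool -list -keystore "$dir/keystore.jks" -storepass "$pass" | grep -q '^policy_agent,'
    fi
}

# Check that the key-store and trust-store values in YAML exist under ROOT
# (ROOT="" inside the running container, or a staging tree laid out like the
# volume mounts). key-store-type/-password lines do not match: they are
# followed by "-", not ":".
check_store_paths() {
    yaml=$1; root=$2; rc=0
    for key in key-store trust-store; do
        path=$(sed -n "s/^[[:space:]]*$key:[[:space:]]*//p" "$yaml" | head -n 1 | sed 's/[[:space:]]*$//')
        if [ -z "$path" ]; then
            echo "$key: not set in $yaml"; rc=1
        elif [ ! -f "$root$path" ]; then
            echo "$key: configured as $path but $root$path does not exist"; rc=1
        fi
    done
    return $rc
}

# Kubernetes: replace the configmap with the contents of the config/ directory.
# Assumption (not stated on this page): the deployment mounts this configmap at
# /opt/app/policy-agent/config. The JVM reads the keystore only at startup, so
# restart the pod afterwards.
update_configmap() {
    dir=$1
    kubectl create configmap policymanagementservice-configmap -n nonrtric \
        --from-file="$dir" --dry-run=client -o yaml | kubectl apply -f -
    echo "restart the policy management pod so the new keystore is loaded"
}

# After deployment: the certificate presented on the HTTPS port must be the new one.
check_served_cert() {
    host=$1; crt=$2
    served=$(openssl s_client -connect "$host:8433" -servername "$host" </dev/null 2>/dev/null \
        | openssl x509 -noout -fingerprint -sha256)
    expected=$(openssl x509 -noout -fingerprint -sha256 -in "$crt")
    [ "$served" = "$expected" ]
}

main() {
    out=${1:-./config}
    make_certs "$out"
    make_stores "$out" secret
    echo "new stores written to $out; mount or apply them, then run check_served_cert"
}
if [ $# -gt 0 ]; then main "$1"; fi
```

Run it as `sh make_stores.sh ./config` to populate the config directory used in the Kubernetes procedure, or point the docker volumes entries at the generated files. Because keystore.jks carries the private key, a Kubernetes Secret rather than a ConfigMap is the appropriate place for it in anything beyond a test cluster.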