Hi, we tried to automatically enroll a certificate from AAF for the DCAE component called PRH (PNF Registration Handler) in our Nokia internal lab. But it seems the default (=OOM) ONAP installation is not sufficient, because when PRH requests a certificate from the local adapter, AAF logs the following error:

[email protected][BAth],ip=10.42.6.93,port=44228,ms=4.457968,status=403,meth=PUT,path=/cert/local,msg="Request New Certificate/ErrResp [SVC1403] Forbidden: Dynamic SANs for ([email protected]) requires Permission"

So, within our lab, after checking the properties file located under /mnt/data/aaf/config/local/org.osaaf.aaf.cm.ca.props, where the cm_ca.local.perm_type=org.osaaf.aaf.ca property is kept, we added a new permission and assigned it to the role called org.osaaf.aaf.deploy:

perm create org.osaaf.aaf.ca local request,ignoreIPs,showpass,dynamic_sans org.osaaf.aaf.deploy

because this role is assigned to the deployer user. But after that another error popped up:

2019-12-09 13:02:58,831+0000 ERROR [service] 2019-12-09T13:02:58.830+0000 ERROR [service] java.net.UnknownHostException: dcae: Name does not resolve
    at java.net.Inet4AddressImpl.lookupAllHostAddr(Native Method)
    at java.net.InetAddress$2.lookupAllHostAddr(InetAddress.java:929)
    at java.net.InetAddress.getAddressesFromNameService(InetAddress.java:1324)
    at java.net.InetAddress.getAllByName0(InetAddress.java:1277)
    at java.net.InetAddress.getAllByName(InetAddress.java:1193)
    at java.net.InetAddress.getAllByName(InetAddress.java:1127)
    at org.onap.aaf.auth.cm.service.CMService.requestCert(CMService.java:219)
    at org.onap.aaf.auth.cm.facade.FacadeImpl.requestCert(FacadeImpl.java:260)
    at org.onap.aaf.auth.cm.api.API_Cert$1.handle(API_Cert.java:70)
    at org.onap.aaf.auth.cm.api.API_Cert$1.handle(API_Cert.java:61)
    at org.onap.aaf.auth.rserv.RServlet.service(RServlet.java:109)
    at org.onap.aaf.auth.server.JettyServiceStarter$1$1.doFilter(JettyServiceStarter.java:169)
    at org.onap.aaf.auth.rserv.TransFilter.doFilter(TransFilter.java:140)
    at org.onap.aaf.auth.server.JettyServiceStarter$FCImpl.doFilter(JettyServiceStarter.java:240)
    at org.onap.aaf.auth.server.JettyServiceStarter$1.handle(JettyServiceStarter.java:176)
    at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:127)
    at org.eclipse.jetty.server.Server.handle(Server.java:494)
    at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:374)
    at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:268)
    at org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:311)
    at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:103)
    at org.eclipse.jetty.io.ssl.SslConnection$DecryptedEndPoint.onFillable(SslConnection.java:426)
    at org.eclipse.jetty.io.ssl.SslConnection.onFillable(SslConnection.java:320)
    at org.eclipse.jetty.io.ssl.SslConnection$2.succeeded(SslConnection.java:158)
    at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:103)
    at org.eclipse.jetty.io.ChannelEndPoint$2.run(ChannelEndPoint.java:117)
    at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.runTask(EatWhatYouKill.java:336)
    at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.doProduce(EatWhatYouKill.java:313)
    at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.tryProduce(EatWhatYouKill.java:171)
    at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.run(EatWhatYouKill.java:129)
    at org.eclipse.jetty.util.thread.ReservedThreadExecutor$ReservedThread.run(ReservedThreadExecutor.java:367)
    at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:782)
    at org.eclipse.jetty.util.thread.QueuedThreadPool$Runner.run(QueuedThreadPool.java:918)
    at java.lang.Thread.run(Thread.java:748)
2019-12-09 13:02:58,832+0000 INFO [service] 2019-12-09T13:02:58.832+0000 INFO [service] [email protected][BAth],ip=10.42.6.95,port=33978,ms=15.288093,status=406,meth=PUT,path=/cert/local,msg="Request New Certificate/ErrResp [SVC1406] Not Acceptable: There is no DNS lookup for dcae"

In the code we found out that we can add a property called cm_allow_ignore_ips=true, and then the permissions which are already added to the deployer user (NS.certman|local|ignoreIPs) will be taken into account. But after that another error popped up:

[email protected][BAth],ip=10.42.3.84,port=33370,ms=11.452003,status=403,meth=PUT,path=/cert/local,msg="Request New Certificate/ErrResp [SVC1403] Forbidden: Authorization must not include SANS when doing Dynamic SANS ([email protected], dcae)"

And we are stuck :/ Does anyone know how to configure AAF for automatic certificate enrollment from the local CA?

Regards
Pawel Baniewski
____________________________________________
Nokia Mobile Networks
BTSOAM Serviceability ARCH Tribe
Security Architect
mobile: +48 728 361 386

View/Reply Online (#19635): https://lists.onap.org/g/onap-discuss/message/19635
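An added example, not part of the post above: a small triage script that parses AAF Certificate Manager audit lines of the shape quoted in the thread (user,ip=,port=,ms=,status=,meth=,path=,msg="...ErrResp [SVCnnnn] ...") and maps the three failure classes the post reports to the configuration change each one points at. The sample lines are constructed in that format with placeholder identities; the hint strings only restate what the post itself describes and mark the last error as unresolved.

```python
import re

# Constructed sample lines in the shape of the AAF CM audit lines quoted in the post;
# user names and addresses are placeholders, not real identities.
SAMPLE_LINES = [
    'deployer@example.org[BAth],ip=10.42.6.93,port=44228,ms=4.457968,status=403,meth=PUT,'
    'path=/cert/local,msg="Request New Certificate/ErrResp [SVC1403] Forbidden: '
    'Dynamic SANs for (dcae@example.org) requires Permission"',
    'deployer@example.org[BAth],ip=10.42.6.95,port=33978,ms=15.288093,status=406,meth=PUT,'
    'path=/cert/local,msg="Request New Certificate/ErrResp [SVC1406] Not Acceptable: '
    'There is no DNS lookup for dcae"',
    'deployer@example.org[BAth],ip=10.42.3.84,port=33370,ms=11.452003,status=403,meth=PUT,'
    'path=/cert/local,msg="Request New Certificate/ErrResp [SVC1403] Forbidden: '
    'Authorization must not include SANS when doing Dynamic SANS (dcae@example.org, dcae)"',
]

# Leading user token, comma-separated key=value fields, then the quoted msg at the end.
LINE_RE = re.compile(r'^(?P<user>[^,]+),(?P<fields>.*?),msg="(?P<msg>.*)"$')
# Error code and free-text detail inside the msg.
ERR_RE = re.compile(r'ErrResp \[(?P<code>SVC\d+)\] (?P<reason>[^:]+): (?P<detail>.*)$')

def parse_cm_line(line: str) -> dict:
    """Split one CM audit line into user, key=value fields and error code/detail."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError("not a CM audit line: %r" % line[:60])
    rec = {"user": m.group("user"), "msg": m.group("msg")}
    for kv in m.group("fields").split(","):
        key, _, value = kv.partition("=")
        rec[key] = value
    rec["status"] = int(rec["status"])
    err = ERR_RE.search(rec["msg"])
    rec["err_code"] = err.group("code") if err else None
    rec["err_detail"] = err.group("detail") if err else None
    return rec

def triage(rec: dict) -> str:
    """Map the failure classes seen in the post to the change each one points at."""
    detail = rec["err_detail"] or ""
    if rec["err_code"] == "SVC1403" and "requires Permission" in detail:
        return "grant dynamic_sans action on the perm type named by cm_ca.local.perm_type"
    if rec["err_code"] == "SVC1406" and "no DNS lookup" in detail:
        return "set cm_allow_ignore_ips=true and grant the ignoreIPs action"
    if rec["err_code"] == "SVC1403" and "must not include SANS" in detail:
        return "request carries explicit SANs while dynamic SANs is in effect (unresolved in post)"
    return "unclassified" if rec["status"] >= 400 else "ok"

if __name__ == "__main__":
    for rec in map(parse_cm_line, SAMPLE_LINES):
        print(rec["status"], rec["err_code"], "->", triage(rec))
```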
