Merge pull request #16 from Axway-API-Management-Plus/domaincert

Domaincert

domain.md

@@ -0,0 +1,207 @@
+# Externalize API Gateway domain certificates
+
+## Admin Node manager
+
+- Create a CSR file
+```bash
+./gen_domain_cert.py --domain-id=dss --out=csr --O=Axway --OU=DSS --C=US --ST=AZ --L=Scottsdale --pass-file=rootcerts/pass.txt
+```
+command creates a folder named dss under apigw-emt-scripts-2.1.0-SNAPSHOT/certs/ with following files
+
+    - dss.csr
+    - dss-key.pem
+
+- Create CA CSR, certificate and key
+```bash
+openssl genrsa -aes256 -out CA.key 2048
+openssl req -new -sha256 -key CA.key -out CA.csr -subj "/C=US/ST=AZ/L=Scottsdale/O=AXWAY/CN=CACERTIFICATE"
+openssl x509 -signkey CA.key -in CA.csr -req -days 3650 -out CA.pem
+```
+command creates following files
+
+    - CA.key
+    - CA.csr
+    - CA.pem
+    - CA.srl
+
+- Create a file openssl.cnf with following content
+
+```text
+[policy_any]
+domainComponent = optional
+organizationalUnitName = optional
+commonName = supplied
+
+[req]
+distinguished_name = req_distinguished_name
+
+[req_distinguished_name]
+
+[x509_extensions]
+
+[domain_extensions]
+basicConstraints = CA:TRUE, pathlen:0
+keyUsage = digitalSignature, keyEncipherment, dataEncipherment, keyAgreement, keyCertSign
+
+[admin_node_manager_extensions]
+basicConstraints = CA:FALSE
+keyUsage = digitalSignature, dataEncipherment, keyAgreement, keyEncipherment
+extendedKeyUsage = serverAuth, clientAuth, 1.3.6.1.4.1.17998.10.1.1.2.1, 1.3.6.1.4.1.17998.10.1.1.2.2
+subjectAltName = @alt_names
+
+[node_manager_extensions]
+basicConstraints = CA:FALSE
+keyUsage = digitalSignature, dataEncipherment, keyAgreement
+extendedKeyUsage = serverAuth, clientAuth, 1.3.6.1.4.1.17998.10.1.1.2.1
+subjectAltName = @alt_names
+
+[gateway_extensions]
+basicConstraints = CA:FALSE
+keyUsage = digitalSignature, dataEncipherment, keyAgreement
+extendedKeyUsage = serverAuth, clientAuth, 1.3.6.1.4.1.17998.10.1.1.2.3
+subjectAltName = @alt_names
+
+[alt_names]
+
+DNS.1 = localhost
+IP.1 = 127.0.0.1
+
+```
+
+- Sign dss.csr with CA certificate and key using openssl configuration 
+
+```bash
+openssl x509 -req -days 360 -in dss.csr -CA CA.pem -CAkey CA.key -CAcreateserial -out signedbyCA.crt -sha256 -extensions admin_node_manager_extensions -extfile openssl.cnf
+```
+
+- Create a P12 file from CA signed certificate and key file
+
+```bash
+openssl pkcs12 -export -in signedbyCA.crt -inkey dss-key.pem -out domain.p12 -chain -CAfile CA.pem -name 'topology-cert'
+```
+**alias name should be 'topology-cert'**
+
+- Prepare Admin Node Manager fed file
+
+    - Export Admin Node manager fed from classic installation, remove existing topology-cert and change remove / rename port name without blank space (e.g sslport)
+
+    - Import loadable module
+  Policystudio using File -> Import -> Import Custom filters -> select apim-policy-password-cert-env/src/main/resources/typeSet.xml.
+
+    - Export fed file
+
+- Configure environment variable (docker-compose / kubernetes deployment)
+
+```yaml
+ # docker-compose.yaml example
+ environment:
+      EMT_TOPOLOGY_LOG_ENABLED: 'true'
+      EMT_TOPOLOGY_LOG_DEST: 3
+      certandkey_sslport: /opt/Axway/apigateway/domain.p12
+      certandkeypassword_sslport: changeme
+      certandkeymtls_sslport: 'true'
+```
+    
+- comment lines related to certificate generation in apigw-emt-scripts-2.1.0-SNAPSHOT/Dockerfiles/emt-nodemanager/scripts/setup_emt_nodemanager.py
+```python
+  try:
+            # self._generateTopologyCert(nmHandler)
+            # self._storeCertsInEntityStore(nmHandler)
+
+            localNodeManager, topology, topologyParams = self._createTopologyJson()
+            # print("Enabling SSL on management interface")
+            # nmHandler.enableSSLInterface(True, TopologyCertificate.CERT_ALIAS, topologyParams)
+            # self._updateConfigFiles(localNodeManager, topology)
+
+            # Delete the cert generation temp directory
+            shutil.rmtree(nmHandler.tempCertPath)
+
+        except Exception, e:
+            _fail("Error generating topology cert: %s" % e)
+```
+- Build Admin Node Manger Image
+
+```bash
+./build_anm_image.py --default-cert --default-user --parent-image=apigw-base --merge-dir=/Users/rnatarajan/APIM/apigw-emt-scripts-2.1.0-SNAPSHOT/apigateway --fed extanm.fed --out-image=admin-node-manager-ext-ca-env:latest
+```
+**param default-cert is not used, but it is a mandatory argument for building anm image**
+
+## Configure Gateway
+
+- Create a CSR file
+
+```bash
+./gen_domain_cert.py --domain-id=dssgateway --out=csr --O=Axway --OU=DSS --C=US --ST=AZ --L=Scottsdale --pass-file=rootcerts/pass.txt
+```
+command creates a folder named dssgateway under apigw-emt-scripts-2.1.0-SNAPSHOT/certs/ with following files
+
+    - dssgateway.csr
+    - dssgateway-key.pem
+- Copy CA.pem, CA.key, CA.srl and openssl files from dss folder to dssgateway folder
+
+```bash
+dssgateway$cp ../dss/CA.pem .
+dssgateway$cp ../dss/CA.key .
+dssgateway$cp ../dss/CA.srl .
+dssgateway$cp ../dss/openssl.cnf .
+```
+- Sign dss.csr with CA certificate and key using openssl configuration
+
+```bash
+openssl x509 -req -days 360 -in dssgateway.csr -CA CA.pem -CAkey CA.key -CAcreateserial -out signedbygatewayCA.crt -sha256 -extensions gateway_extensions -extfile openssl.cnf
+```
+
+command creates a file named signedbygatewayCA.crt
+
+- Create p12 file **without password**
+
+```bash
+openssl pkcs12 -export -in signedbygatewayCA.crt -inkey dssgateway-key.pem -out topology.p12 -chain -CAfile CA.pem -name 'topology-cert' -passout pass:
+```
+
+- Prepare Admin Node Manager fed file
+
+    - Import loadable module
+      Policystudio using File -> Import -> Import Custom filters -> select apim-policy-password-cert-env/src/main/resources/typeSet.xml.
+
+    - Export fed file
+
+- Configure environment variable (docker-compose / kubernetes deployment)
+
+```yaml
+ # docker-compose.yaml example
+ # Mandatory 
+ volumes:
+   - /Users/rnatarajan/APIM/apigw-emt-scripts-2.1.0-SNAPSHOT/certs/dssgateway/p12:/opt/Axway/apigateway/groups/certs/
+ environment:
+      EMT_ANM_HOSTS: nodemgr:8090
+      CASS0: host.docker.internal
+      CASS_HOST: host.docker.internal
+      CASS_USER: dba
+      CASS_PASSWORD: super
+      CASS_KEYSPACE: axwayapim
+      # We should use same path
+      gatewaytoplogycertandkey_domain: /opt/Axway/apigateway/groups/certs/topology.p12
+      gatewaytoplogycertandkeypassword_domain: ''
+```
+
+- comment lines related to certificate generation in apigw-emt-scripts-2.1.0-SNAPSHOT/Dockerfiles/emt-gateway/scripts/setup_emt_instance.py
+
+```python
+def _setup():
+    _mergePolAndEnvToFed()
+    _installCustomFedFile()
+    _setupApiManager()
+    _createInstanceDirStructure()
+    _customizeInstallation()
+    _checkLicense()
+
+    # ch = CertHandler()
+    # ch.generateCert()
+    # ch.enableSSLInterface()
+```
+
+- Build API Gateway Image
+```bash
+./build_gw_image.py  --default-cert --license=/Users/rnatarajan/APIM/apigw-emt-scripts-2.1.0-SNAPSHOT/licenses/apim.lic --parent-image=apigw-base --merge-dir=/Users/rnatarajan/APIM/apigw-emt-scripts-2.1.0-SNAPSHOT/apigateway --fed=container_env.fed --out-image=apim-cert-ca-env:latest
+```

pom.xml

@@ -6,7 +6,7 @@
 
     <groupId>com.axway</groupId>
     <artifactId>apim-env-module</artifactId>
-    <version>1.1.3</version>
+    <version>1.1.4</version>
 
     <name>apim-env-module</name>
     <url>https://axway.com</url>
@@ -48,7 +48,6 @@
             <systemPath>${apim.lib.path}/vordel-apigateway-7.7.0.20201130-5.jar</systemPath>
         </dependency>
         <dependency>
-
             <groupId>vordel-core-runtime</groupId>
             <artifactId>vordel-core-runtime</artifactId>
             <scope>system</scope>
@@ -86,12 +85,12 @@
         <dependency>
             <groupId>org.apache.logging.log4j</groupId>
             <artifactId>log4j-api</artifactId>
-            <version>2.11.2</version>
+            <version>2.13.3</version>
         </dependency>
         <dependency>
             <groupId>org.apache.logging.log4j</groupId>
             <artifactId>log4j-core</artifactId>
-            <version>2.13.2</version>
+            <version>2.13.3</version>
         </dependency>
     </dependencies>
     <build>

src/main/java/com/axway/CertHelper.java

@@ -7,8 +7,7 @@
 import java.security.cert.CertificateException;
 import java.security.cert.CertificateFactory;
 import java.security.cert.X509Certificate;
-import java.util.Base64;
-import java.util.Enumeration;
+import java.util.*;
 
 public class CertHelper {
 
@@ -63,18 +62,25 @@ public PKCS12 parseP12(String content, char[] password) throws KeyStoreException
     }
 
 
-    public X509Certificate parseX509(String base64EncodedCert) throws CertificateException, FileNotFoundException {
+    public List<X509Certificate> parseX509(String base64EncodedCertOrFilePath) throws CertificateException, FileNotFoundException {
 
-        File file = new File(base64EncodedCert);
+        File file = new File(base64EncodedCertOrFilePath);
         InputStream inputStream = null;
         if(file.exists()){
             inputStream = new FileInputStream(file);
         }else {
-            inputStream = new ByteArrayInputStream(base64EncodedCert.getBytes());
+            inputStream = new ByteArrayInputStream(base64EncodedCertOrFilePath.getBytes());
         }
 
         CertificateFactory certificateFactory = CertificateFactory.getInstance("X.509");
-        return (X509Certificate) certificateFactory.generateCertificate(inputStream);
+        Collection<? extends Certificate> parsedCertificates = certificateFactory.generateCertificates(inputStream);
+        List<X509Certificate> certificates = new ArrayList<>();
+
+        for (Certificate certificate: parsedCertificates) {
+            certificates.add ((X509Certificate)certificate);
+        }
+        return certificates;
+      //  return (X509Certificate) certificateFactory.generateCertificate(inputStream);
     }
 
 }