Working procedure / AAF configuration for automatic certificate enrollment from AAF (local adapter)

Pawel Baniewski (Nokia)

Hi, we tried to automatically enroll a certificate from AAF for the DCAE component called PRH (PNF Registration Handler) in our Nokia internal lab. But it seems the default (=OOM) ONAP installation is not sufficient, because when PRH requests a certificate from the local adapter, AAF logs the following error:

user=deployer@...[BAth],ip=10.42.6.93,port=44228,ms=4.457968,status=403,meth=PUT,path=/cert/local,msg="Request New Certificate/ErrResp [SVC1403] Forbidden: Dynamic SANs for (dcae@...) requires Permission"

So, within our lab, after checking the properties file located under /mnt/data/aaf/config/local/org.osaaf.aaf.cm.ca.props, where the cm_ca.local.perm_type=org.osaaf.aaf.ca property is kept, we added a new permission and assigned it to the role called org.osaaf.aaf.deploy:

perm create org.osaaf.aaf.ca local request,ignoreIPs,showpass,dynamic_sans org.osaaf.aaf.deploy

because this role is assigned to the user deployer.

But after that another error popped up:

2019-12-09 13:02:58,831+0000 ERROR [service] 2019-12-09T13:02:58.830+0000 ERROR [service] java.net.UnknownHostException: dcae: Name does not resolve
        at java.net.Inet4AddressImpl.lookupAllHostAddr(Native Method)
        at java.net.InetAddress$2.lookupAllHostAddr(InetAddress.java:929)
        at java.net.InetAddress.getAddressesFromNameService(InetAddress.java:1324)
        at java.net.InetAddress.getAllByName0(InetAddress.java:1277)
        at java.net.InetAddress.getAllByName(InetAddress.java:1193)
        at java.net.InetAddress.getAllByName(InetAddress.java:1127)
        at org.onap.aaf.auth.cm.service.CMService.requestCert(CMService.java:219)
        at org.onap.aaf.auth.cm.facade.FacadeImpl.requestCert(FacadeImpl.java:260)
        at org.onap.aaf.auth.cm.api.API_Cert$1.handle(API_Cert.java:70)
        at org.onap.aaf.auth.cm.api.API_Cert$1.handle(API_Cert.java:61)
        at org.onap.aaf.auth.rserv.RServlet.service(RServlet.java:109)
        at org.onap.aaf.auth.server.JettyServiceStarter$1$1.doFilter(JettyServiceStarter.java:169)
        at org.onap.aaf.auth.rserv.TransFilter.doFilter(TransFilter.java:140)
        at org.onap.aaf.auth.server.JettyServiceStarter$FCImpl.doFilter(JettyServiceStarter.java:240)
        at org.onap.aaf.auth.server.JettyServiceStarter$1.handle(JettyServiceStarter.java:176)
        at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:127)
        at org.eclipse.jetty.server.Server.handle(Server.java:494)
        at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:374)
        at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:268)
        at org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:311)
        at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:103)
        at org.eclipse.jetty.io.ssl.SslConnection$DecryptedEndPoint.onFillable(SslConnection.java:426)
        at org.eclipse.jetty.io.ssl.SslConnection.onFillable(SslConnection.java:320)
        at org.eclipse.jetty.io.ssl.SslConnection$2.succeeded(SslConnection.java:158)
        at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:103)
        at org.eclipse.jetty.io.ChannelEndPoint$2.run(ChannelEndPoint.java:117)
        at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.runTask(EatWhatYouKill.java:336)
        at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.doProduce(EatWhatYouKill.java:313)
        at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.tryProduce(EatWhatYouKill.java:171)
        at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.run(EatWhatYouKill.java:129)
        at org.eclipse.jetty.util.thread.ReservedThreadExecutor$ReservedThread.run(ReservedThreadExecutor.java:367)
        at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:782)
        at org.eclipse.jetty.util.thread.QueuedThreadPool$Runner.run(QueuedThreadPool.java:918)
        at java.lang.Thread.run(Thread.java:748)

2019-12-09 13:02:58,832+0000 INFO [service] 2019-12-09T13:02:58.832+0000 INFO [service] user=deployer@...[BAth],ip=10.42.6.95,port=33978,ms=15.288093,status=406,meth=PUT,path=/cert/local,msg="Request New Certificate/ErrResp [SVC1406] Not Acceptable: There is no DNS lookup for dcae"

In the code we found out that we can add a property called cm_allow_ignore_ips=true, and then the permissions which are already added to the deployer user (NS.certman|local|ignoreIPs) will be taken into account.

But after that another error popped up:

user=deployer@...[BAth],ip=10.42.3.84,port=33370,ms=11.452003,status=403,meth=PUT,path=/cert/local,msg="Request New Certificate/ErrResp [SVC1403] Forbidden: Authorization must not include SANS when doing Dynamic SANS (dcae@..., dcae)"

And we are stuck :/

Does anyone know how to configure AAF for automatic certificate enrollment from the local CA?

Regards

Pawel Baniewski

____________________________________________

Nokia Mobile Networks, BTSOAM Serviceability ARCH Tribe Security Architect

mobile: +48 728 361 386
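An added triage helper, not part of this thread or of AAF itself: it parses the key=value request-log format that AAF Certificate Manager emits (as quoted in the post above) and groups rejected /cert/ requests by their SVC error code and HTTP status, so the chain of 403/406 rejections described above can be pulled out of a log file. The sample lines are constructed in that format with a placeholder namespace (ns.example).

```python
import re
from collections import Counter

# Key=value request-log format emitted by AAF Certificate Manager, as quoted in the thread:
# user=...,ip=...,port=...,ms=...,status=...,meth=...,path=...,msg="..."  (msg may be absent)
LINE_RE = re.compile(
    r'user=(?P<user>[^,]+),ip=(?P<ip>[^,]+),port=(?P<port>\d+),ms=(?P<ms>[\d.]+),'
    r'status=(?P<status>\d+),meth=(?P<meth>\w+),path=(?P<path>[^,]+)'
    r'(?:,msg="(?P<msg>.*)")?'
)
# Error responses carry a service code such as [SVC1403] inside the msg field.
SVC_RE = re.compile(r'\[(SVC\d{4})\]')

def parse_line(line):
    """Parse one AAF request log line into a dict; None if the line is not in this format."""
    m = LINE_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    svc = SVC_RE.search(rec["msg"] or "")
    rec["svc"] = svc.group(1) if svc else None
    return rec

def cert_failures(lines):
    """Keep only rejected (status >= 400) requests against the /cert/ API."""
    recs = (parse_line(l) for l in lines)
    return [r for r in recs if r and r["status"] >= 400 and r["path"].startswith("/cert/")]

def summarize(failures):
    """Count rejections per (SVC code, HTTP status) so a repeating cause stands out."""
    return Counter((f["svc"], f["status"]) for f in failures)

# Constructed sample lines modelled on the three rejections in the thread (placeholder namespace).
SAMPLE = [
    'user=deployer@ns.example[BAth],ip=10.42.6.93,port=44228,ms=4.457968,status=403,meth=PUT,'
    'path=/cert/local,msg="Request New Certificate/ErrResp [SVC1403] Forbidden: Dynamic SANs for '
    '(dcae@ns.example) requires Permission"',
    '2019-12-09 13:02:58,832+0000 INFO [service] user=deployer@ns.example[BAth],ip=10.42.6.95,'
    'port=33978,ms=15.288093,status=406,meth=PUT,path=/cert/local,msg="Request New Certificate/'
    'ErrResp [SVC1406] Not Acceptable: There is no DNS lookup for dcae"',
    'user=deployer@ns.example[BAth],ip=10.42.3.84,port=33370,ms=11.452003,status=403,meth=PUT,'
    'path=/cert/local,msg="Request New Certificate/ErrResp [SVC1403] Forbidden: Authorization '
    'must not include SANS when doing Dynamic SANS (dcae@ns.example, dcae)"',
    'user=deployer@ns.example[BAth],ip=10.42.3.84,port=33371,ms=3.1,status=200,meth=PUT,path=/cert/local',
    'unrelated log line with no request fields',
]

if __name__ == "__main__":
    for (svc, status), n in sorted(summarize(cert_failures(SAMPLE)).items()):
        print(f"{svc} status={status}: {n} rejection(s)")
```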