Hi Brian,

I am launching AAI using the steps in [1], which does not use OOM. So, I manually updated the files aai.keyfile, aai.p12, and aai.props in my local directory:
aai/resources/aai-resources/src/main/resources/aaf/onap

But I guess in order to make my setup work, I also need to update the trust store file in SDNC (i.e., sdnc/oam/installation/sdnc/src/main/resources/truststoreONAPall.jks). i.e., I am launching SDNC using docker-compose, rather than using OOM.

Thanks,
Henry

[1] https://wiki.onap.org/display/DW/AAI+Developer+Environment+Setup+-+Dublin

On Wed, Apr 1, 2020 at 3:17 PM FREEMAN, BRIAN D <[email protected]> wrote:
>
> Did you apply the patch and/or use a fresh clone of the aai master branch to pick up the new aai certs?
>
> Brian
>
>
> -----Original Message-----
> From: [email protected] <[email protected]> On Behalf Of TIMONEY, DAN
> Sent: Wednesday, April 1, 2020 3:00 PM
> To: Henry Yu <[email protected]>; [email protected]
> Cc: Hesam Rahimi <[email protected]>; Gaurav agrawal <[email protected]>
> Subject: Re: [onap-discuss] SDNC-->A&AI SSL authentication error
>
> *** Security Advisory: This Message Originated Outside of AT&T ***.
> Reference http://cso.att.com/EmailSecurity/IDSP.html for more information.
>
> Henry,
>
> Are you starting ONAP using the latest helm charts in OOM?
>
> If not, that could be the issue. The latest version of the helm charts use an init container to generate new certs on startup via AAF - so those should never expire.
>
> Dan
>
> On 4/1/20, 1:41 PM, "Henry Yu" <[email protected]> wrote:
>
> According to this answer from stackoverflow [1], truststore expiry would cause the javax.net.ssl.SSLHandshakeException exception which we see. Could anyone tell us how to update truststoreONAPall.jks?
>
> Thanks,
> Henry
>
> [1] https://urldefense.proofpoint.com/v2/url?u=https-3A__stackoverflow.com_questions_22253862_what-2Dif-2Dtruststore-2Dcertificate-2Dexpires&d=DwIFaQ&c=LFYZ-o9_HUMeMTSQicvjIg&r=qLcfee4a2vOwYSub0bljcQ&m=x1CgMlHWTo1epwH0SbgyEFqn6ECuNIrsZTFtNfIojO4&s=0NbaRPk-JZMB4giPTjX-lW9Ce8FMO99YQYLCJ3_l-5A&e=
>
> On Wed, Apr 1, 2020 at 10:39 AM Henry Yu via Lists.Onap.Org <[email protected]> wrote:
> >
> > Hi Dan and all,
> >
> > We are testing the SDNC changes made by the CCVPN use case on the master branch. We are seeing the following error [1], which occurs when SDNC DGs try to interact (i.e., read/write) with AAI. Note that this error was not there before, and it started to occur a week ago.
> >
> > The error seems to be related to the certificate expiry. I noticed the certificate update made in AAI (https://urldefense.proofpoint.com/v2/url?u=https-3A__gerrit.onap.org_r_c_aai_oom_-2B_104416&d=DwIFaQ&c=LFYZ-o9_HUMeMTSQicvjIg&r=qLcfee4a2vOwYSub0bljcQ&m=x1CgMlHWTo1epwH0SbgyEFqn6ECuNIrsZTFtNfIojO4&s=ZzSv3salV17vC4lpoi4g5PKtjbnfZLE9gs5qUtNsK48&e= ). But it does not seem to fix the problem.
> >
> > So my question is: should we also update the following truststore file in SDNC:
> >
> > sdnc/oam/installation/sdnc/src/main/resources/truststoreONAPall.jks
> >
> > Do the certs in that file also have an expiry date? Our Frankfurt integration testing is blocked by this issue, so any help would be greatly appreciated.
> >
> > Thanks,
> > Henry
> >
> > [1]
> > 17:55:39.368 INFO [qtp446699013-295] Request Time : 2020-03-27T17:55:39.367Z, Method : PUT
> > 17:55:39.368 INFO [qtp446699013-295] Request URL : https://urldefense.proofpoint.com/v2/url?u=https-3A__192.168.198.177-3A8443_aai_v19_network_pnfs_pnf_networkId-2DproviderId-2D5555-2DclientId-2D6666-2DtopologyId-2D33-2DnodeId-2D0.191.0.4_p-2Dinterfaces_p-2Dinterface_networkId-2DproviderId-2D5555-2DclientId-2D6666-2DtopologyId-2D33-2DnodeId-2D0.191.0.4-2DltpId-2D16777228&d=DwIFaQ&c=LFYZ-o9_HUMeMTSQicvjIg&r=qLcfee4a2vOwYSub0bljcQ&m=x1CgMlHWTo1epwH0SbgyEFqn6ECuNIrsZTFtNfIojO4&s=gLe-cvY8Rn0fSRFAoDu72kcpaReSyxs_qPRxxP2QjG4&e=
> > 17:55:39.369 DEBUG [qtp446699013-295] MetricLogger requestId = 7e494f9f-e08a-4d5e-848d-9a4a2173bc9c
> > 17:55:39.371 INFO [qtp446699013-295] Input - data : {"interface-name":"networkId-providerId-5555-clientId-6666-topologyId-33-nodeId-0.191.0.4-ltpId-16777228","speed-value":"10000000","in-maint":true,"operational-status":"down"}
> > 17:55:39.371 INFO [qtp446699013-295] Invoke
> > 17:55:39.375 WARN [qtp446699013-295] AAIRequestExecutor.post
> > javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: validity check failed
> >     at sun.security.ssl.Alerts.getSSLException(Alerts.java:192) ~[?:?]
> >     at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1946) ~[?:?]
> >     at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:316) ~[?:?]
> >     at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:310) ~[?:?]
> >     at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1639) ~[?:?]
> >     at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:223) ~[?:?]
> >     at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1037) ~[?:?]
> >     at sun.security.ssl.Handshaker.process_record(Handshaker.java:965) ~[?:?]
> >     at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1064) ~[?:?]
> >     at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1367) ~[?:?]
> >     at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1395) ~[?:?]
> >     at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1379) ~[?:?]
> >     at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:559) ~[?:?]
> >     at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185) ~[?:?]
> >     at sun.net.www.protocol.http.HttpURLConnection.getOutputStream0(HttpURLConnection.java:1340) ~[?:?]
> >     at sun.net.www.protocol.http.HttpURLConnection.getOutputStream(HttpURLConnection.java:1315) ~[?:?]
> >     at sun.net.www.protocol.https.HttpsURLConnectionImpl.getOutputStream(HttpsURLConnectionImpl.java:264) ~[?:?]
> >     at org.onap.ccsdk.sli.adaptors.aai.AAIClientRESTExecutor.post(AAIClientRESTExecutor.java:383) [467:org.onap.ccsdk.sli.adaptors.aai-service-provider:1.0.0.SNAPSHOT]
> >     at org.onap.ccsdk.sli.adaptors.aai.AAIDeclarations.newModelSave(AAIDeclarations.java:1448) [467:org.onap.ccsdk.sli.adaptors.aai-service-provider:1.0.0.SNAPSHOT]
> >     at org.onap.ccsdk.sli.adaptors.aai.AAIDeclarations.save(AAIDeclarations.java:501) [467:org.onap.ccsdk.sli.adaptors.aai-service-provider:1.0.0.SNAPSHOT]
> >     at org.onap.ccsdk.sli.adaptors.aai.AAIService.save(AAIService.java:1375) [467:org.onap.ccsdk.sli.adaptors.aai-service-provider:1.0.0.SNAPSHOT]
> >     at sun.reflect.GeneratedMethodAccessor47.invoke(Unknown Source) ~[?:?]
> >     at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[?:?]
> >     at java.lang.reflect.Method.invoke(Method.java:498) ~[?:?]
> >     at org.apache.aries.proxy.impl.ProxyHandler$1.invoke(ProxyHandler.java:54) [92:org.apache.aries.proxy:1.1.4]
> >     at org.apache.aries.proxy.impl.ProxyHandler.invoke(ProxyHandler.java:119) [92:org.apache.aries.proxy:1.1.4]
> >     at org.onap.ccsdk.sli.adaptors.aai.$AAIService1830433421.save(Unknown Source) [467:org.onap.ccsdk.sli.adaptors.aai-service-provider:1.0.0.SNAPSHOT]
> >     at org.onap.ccsdk.sli.core.sli.provider.base.SaveNodeExecutor.execute(SaveNodeExecutor.java:73) [435:wrap_file__opt_opendaylight_system_org_onap_ccsdk_sli_core_sli-provider-base_1.0.0-SNAPSHOT_sli-provider-base-1.0.0-SNAPSHOT.jar:0.0.0]
> >
>

-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.

View/Reply Online (#20457): https://lists.onap.org/g/onap-discuss/message/20457
Mute This Topic: https://lists.onap.org/mt/72702035/21656
Group Owner: [email protected]
Unsubscribe: https://lists.onap.org/g/onap-discuss/unsub [[email protected]]
-=-=-=-=-=-=-=-=-=-=-=-
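
Every X.509 certificate stored in a JKS truststore carries a notBefore/notAfter window, which is what the question about truststoreONAPall.jks comes down to. The following added example (not part of the thread and not ONAP code) lists that window for each entry using only the standard java.security API; the class name, the command-line arguments and the optional store password are assumptions.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.time.Duration;
import java.time.Instant;
import java.util.Collections;

// Hypothetical helper: report the validity window of every certificate in a JKS file.
public class TruststoreExpiryCheck {

    // Classify one certificate against the given instant using its
    // notBefore/notAfter fields (the window X509Certificate.checkValidity tests).
    static String status(X509Certificate cert, Instant now) {
        Instant notBefore = cert.getNotBefore().toInstant();
        Instant notAfter = cert.getNotAfter().toInstant();
        if (now.isBefore(notBefore)) return "NOT YET VALID";
        if (now.isAfter(notAfter)) return "EXPIRED";
        return "valid, " + Duration.between(now, notAfter).toDays() + " days left";
    }

    public static void main(String[] args) throws Exception {
        if (args.length < 1) {
            System.err.println("usage: java TruststoreExpiryCheck <store.jks> [password]");
            System.exit(2);
        }
        // A null password skips the store integrity check; trusted-certificate
        // entries in a JKS file can still be read without it.
        char[] password = args.length > 1 ? args[1].toCharArray() : null;
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(args[0])) {
            ks.load(in, password);
        }
        Instant now = Instant.now();
        int outsideWindow = 0;
        for (String alias : Collections.list(ks.aliases())) {
            Certificate c = ks.getCertificate(alias);
            if (!(c instanceof X509Certificate)) continue; // skip non-X.509 entries
            X509Certificate x = (X509Certificate) c;
            String s = status(x, now);
            if (!s.startsWith("valid")) outsideWindow++;
            System.out.printf("%-30s %-22s notAfter=%s%n    subject=%s%n",
                    alias, s, x.getNotAfter().toInstant(),
                    x.getSubjectX500Principal().getName());
        }
        // Non-zero exit when any entry is outside its validity window.
        System.exit(outsideWindow == 0 ? 0 : 1);
    }
}
```

Run it against the truststore file named in the thread; the exit status makes it usable as a pre-deployment check in a docker-compose setup.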
