Re: [onap-discuss] #sdnc - certificate validity failed with AAI

[TIMONEY, DAN]

Jimmy,

Thanks!

Deepika – I think that’s probably the issue now: the name that we’re using 
(aai.api.simpledmeo.openecomp.org) is rather out of date and doesn’t match the 
latest certificate.   You’ll need to change your aaiclient.properties to use 
one of the names listed below instead of aai.api.simpledemo.openecomp.org.  
You’ll probably need to update your /etc/hosts as well to add whatever you pick 
there.

Dan


From: "FORSYTH, JAMES" <jf2...@att.com>
Date: Thursday, April 23, 2020 at 11:27 AM
To: "TIMONEY, DAN" <dt5...@att.com>, onap-discuss 
<onap-discuss@lists.onap.org>, "deepika....@wipro.com" <deepika....@wipro.com>, 
"timo...@m0049463.ppops.net-00191d01" <timo...@m0049463.ppops.net-00191d01>
Subject: Re: [onap-discuss] #sdnc - certificate validity failed with AAI


Hi, Dan,



These are the allowed names with the latest certificates:



X509v3 Subject Alternative Name:

                email:mark.d.mana...@people.osaaf.com,

DNS:aai,

DNS:aai-search-data.onap,

DNS:aai-sparky-be.onap,

DNS:aai.api.simpledemo.onap.org,

DNS:aai.elasticsearch.simpledemo.onap.org,

DNS:aai.gremlinserver.simpledemo.onap.org,

DNS:aai.hbase.simpledemo.onap.org,

DNS:aai.onap,

DNS:aai.searchservice.simpledemo.onap.org,

DNS:aai.simpledemo.onap.org,

DNS:aai.ui.simpledemo.onap.org

Thanks,
jimmy

From: "TIMONEY, DAN" <dt5...@att.com>
Date: Thursday, April 23, 2020 at 10:41 AM
To: "onap-discuss@lists.onap.org" <onap-discuss@lists.onap.org>, 
"deepika....@wipro.com" <deepika....@wipro.com>, 
"timo...@m0049463.ppops.net-00191d01" <timo...@m0049463.ppops.net-00191d01>, 
"FORSYTH, JAMES" <jf2...@att.com>
Subject: Re: [onap-discuss] #sdnc - certificate validity failed with AAI

Deepika,

We haven’t updated  truststoreONAPall.jks in quite a while (even in master, the 
last modify time I see in git log is 5/3/2018), which makes sense since the 
only cert we care about in there (the AAF CA cert) doesn’t expire until 2038.  
So I don’t think that file is the issue.

Jimmy – in Dublin, we’re still using the FQDN aai.api.simpledemo.openecomp.org 
to reference A&AI.  I couldn’t tell for sure if those new certs below contain 
that server name, or if we should be using aai.onap instead?


Dan


From: onap-discuss <onap-discuss@lists.onap.org> on behalf of "deepika.s84 via 
lists.onap.org" <deepika.s84=wipro....@lists.onap.org>
Reply-To: onap-discuss <onap-discuss@lists.onap.org>, "deepika....@wipro.com" 
<deepika....@wipro.com>
Date: Thursday, April 23, 2020 at 1:32 AM
To: "timo...@m0049463.ppops.net-00191d01" 
<timo...@m0049463.ppops.net-00191d01>, "TIMONEY, DAN" <dt5...@att.com>, 
onap-discuss <onap-discuss@lists.onap.org>
Subject: Re: [onap-discuss] #sdnc - certificate validity failed with AAI

Hi Dan,

You are Correct, the AAI server certificates was expired and we have updated 
the new aai certs using this gerrit commit 
https://gerrit.onap.org/r/c/aai/oom/+/104514 
<https://urldefense.proofpoint.com/v2/url?u=https-3A__gerrit.onap.org_r_c_aai_oom_-2B_104514&d=DwMFaQ&c=LFYZ-o9_HUMeMTSQicvjIg&r=qLcfee4a2vOwYSub0bljcQ&m=SQB-O_Ji8BnLBZIdH6_e_4auareGcp3s95Grqp90o5I&s=ZkO-qkjrS7XQgB9v9P6Q2Jr3u2HMFEMRx7Co3-bd9ac&e=>

I have also updated SDNC key files using this Gerrit commit (master branch)



https://gerrit.onap.org/r/c/sdnc/oam/+/105729<https://urldefense.proofpoint.com/v2/url?u=https-3A__gerrit.onap.org_r_c_sdnc_oam_-2B_105729&d=DwMFaQ&c=LFYZ-o9_HUMeMTSQicvjIg&r=qLcfee4a2vOwYSub0bljcQ&m=SQB-O_Ji8BnLBZIdH6_e_4auareGcp3s95Grqp90o5I&s=-dnIQHOutqi3RGPTjJ7WV4iX0TYUTe4ZARVksYWQlS0&e=>

But still i am facing the SSLHandShake Exception and i have checked the 
aaiClient properties(i.e., 
https://gerrit.onap.org/r/gitweb?p=sdnc/oam.git;a=blob;f=installation/src/main/properties/aaiclient.properties;h=6568383647a4410f35e54e19900536a91bf62895;hb=refs/heads/frankfurt<https://urldefense.proofpoint.com/v2/url?u=https-3A__gerrit.onap.org_r_gitweb-3Fp-3Dsdnc_oam.git-3Ba-3Dblob-3Bf-3Dinstallation_src_main_properties_aaiclient.properties-3Bh-3D6568383647a4410f35e54e19900536a91bf62895-3Bhb-3Drefs_heads_frankfurt&d=DwMFaQ&c=LFYZ-o9_HUMeMTSQicvjIg&r=qLcfee4a2vOwYSub0bljcQ&m=SQB-O_Ji8BnLBZIdH6_e_4auareGcp3s95Grqp90o5I&s=Rrt11v8QP1SKitbuGoK8L3j0JVS4Z9629AmCBLK7umM&e=>
 ) here they have mentioned that ssl certificate truststore is 
truststoreONAPall.jks 
((i.e.,sdnc/oam/installation/sdnc/src/main/resources/truststoreONAPall.jks).

After the aai certs update in oom is there any update in this truststore key 
file in SDNC?

Can you look into it and help me to fix this error.

Thanks,
Deepika


-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.

View/Reply Online (#20825): https://lists.onap.org/g/onap-discuss/message/20825
Mute This Topic: https://lists.onap.org/mt/73196174/21656
Mute #sdnc: https://lists.onap.org/mk?hashtag=sdnc&subid=2740164
Group Owner: onap-discuss+ow...@lists.onap.org
Unsubscribe: https://lists.onap.org/g/onap-discuss/unsub  
[arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-