*** Settings ***
Documentation       Test suite for securing RESTCONF communication with TLS and client-certificate authentication.
...                 This suite needs PycURLLibrary to present client certificates. RequestsLibrary copes with server
...                 certificates, but gives no way to send a client certificate, so the HTTPS cases use PycURL.
Suite Teardown      Cleanup Suite
Library             OperatingSystem
Library             RequestsLibrary
Library             PycURLLibrary
Resource            ../../../libraries/ClusterManagement.robot
Resource            ../../../variables/Variables.robot
Resource            ../../../libraries/Utils.robot
Resource            ../../../libraries/KarafKeywords.robot
*** Variables ***
${RESTCONF_MONITORING_URI}    /restconf/operational/ietf-restconf-monitoring:restconf-state
${RESTCONF_MONITORING_URL}    https://${ODL_SYSTEM_IP}:${RESTCONFPORT_TLS}${RESTCONF_MONITORING_URI}
*** Test Cases ***
Basic Unsecure Restconf Request
    [Documentation]    Plain HTTP request to the non-TLS port, to confirm the system works before any TLS configuration is touched.
    Create Session    session    http://${ODL_SYSTEM_IP}:${RESTCONFPORT}    auth=${AUTH}    headers=${HEADERS}
    ${resp}=    RequestsLibrary.Get Request    session    ${RESTCONF_MONITORING_URI}
    Should Contain    ${ALLOWED_STATUS_CODES}    ${resp.status_code}

TLS on Restconf without Server Cert
    [Documentation]    HTTPS request to the secure port while the ODL secure connector is still disabled.
    ...    Nothing listens on the TLS port yet, so the TCP connection must be refused (curl error 7).
    PycURLLibrary.Set Url    ${RESTCONF_MONITORING_URL}
    PycURLLibrary.Add Header    Content-Type:application/json
    # Base64 of the default admin:admin credentials
    PycURLLibrary.Add Header    Authorization:Basic YWRtaW46YWRtaW4=
    PycURLLibrary.Request Method    GET
    Run Keyword And Expect Error    error: (7, 'Failed *${RESTCONFPORT_TLS}* Connection refused')    PycURLLibrary.Perform
    PycURLLibrary.Log Response

Activate TLS and Generate Server Certificate
    [Documentation]    Generates a self-signed server certificate, loads it into the keystore and activates the ODL secure configuration.
    Generate Server Self-Signed Certificate
    # Check ODL was restarted properly
    Create Session    session    http://${ODL_SYSTEM_IP}:${RESTCONFPORT}    auth=${AUTH}    headers=${HEADERS}
    ${resp}=    RequestsLibrary.Get Request    session    ${RESTCONF_MONITORING_URI}
    Should Contain    ${ALLOWED_STATUS_CODES}    ${resp.status_code}

TLS on Restconf with Server Cert (Self-signed) (insecure)
    [Documentation]    HTTPS request once the secure connector is up. The server certificate is self-signed, so the
    ...    client has no trusted CA to validate it against: the channel is encrypted but the server is not authenticated.
    PycURLLibrary.Set Url    ${RESTCONF_MONITORING_URL}
    PycURLLibrary.Add Header    Content-Type:application/json
    PycURLLibrary.Add Header    Authorization:Basic YWRtaW46YWRtaW4=
    PycURLLibrary.Request Method    GET
    PycURLLibrary.Perform
    PycURLLibrary.Log Response
    PycURLLibrary.Response Status Should Contain    200
    ${resp}=    PycURLLibrary.Response
    Should Contain    ${resp}    "restconf-state":{"capabilities":{"capability":["urn:ietf:params:restconf:capability:depth

Activate Client Authentication and Generate Client Certificate
    [Documentation]    Generates a self-signed client certificate, imports it into the ODL truststore as a trusted
    ...    certificate and changes the ODL configuration to require client authentication.
    Generate Client Self-Signed Certificate
    Enable Client TLS Authentication in ODL
    # Check ODL was restarted properly
    Create Session    session    http://${ODL_SYSTEM_IP}:${RESTCONFPORT}    auth=${AUTH}    headers=${HEADERS}
    ${resp}=    RequestsLibrary.Get Request    session    ${RESTCONF_MONITORING_URI}
    Should Contain    ${ALLOWED_STATUS_CODES}    ${resp.status_code}

TLS on Restconf with Server & Client Certs (Self-signed)
    [Documentation]    HTTPS request with the ODL TLS configuration requiring client authentication; the client
    ...    presents the self-signed certificate that was imported into the ODL truststore.
    PycURLLibrary.Set Url    ${RESTCONF_MONITORING_URL}
    PycURLLibrary.Add Header    Content-Type:application/json
    PycURLLibrary.Add Header    Authorization:Basic YWRtaW46YWRtaW4=
    # The client key is unencrypted (see Generate Client Self-Signed Certificate), so no passphrase prompt can block the run
    PycURLLibrary.Client Certificate File    ${USER_HOME}/clientcert.pem
    PycURLLibrary.Private Key File    ${USER_HOME}/clientkey.pem
    PycURLLibrary.Request Method    GET
    PycURLLibrary.Perform
    PycURLLibrary.Log Response
    PycURLLibrary.Response Status Should Contain    200
    ${resp}=    PycURLLibrary.Response
    Should Contain    ${resp}    "restconf-state":{"capabilities":{"capability":["urn:ietf:params:restconf:capability:depth

TLS on Restconf with Server & Client Certs (CA signed)
    [Documentation]    Tests an HTTPS request with the ODL TLS configuration and client authentication, both sides using CA-signed certificates.

Restconf HTTPS/TLS Jolokia with server and client certificates CA signed
    [Documentation]    Tests an HTTPS request with the ODL TLS configuration and client authentication using CA-signed certificates, against the Jolokia endpoint.

*** Keywords ***
Log Certificates in Keystore
    [Documentation]    Lists the keystore content (aliases, entry types and fingerprints).
    ${output}=    Run Command On Remote System    ${ODL_SYSTEM_IP}    ${JAVA_HOME}/bin/keytool -list -storepass 123456 -keystore ${KEYSTORE_PATH}
    Log    ${output}

Clean Up Certificates In Server
    [Documentation]    Removes every private key and trusted certificate entry from the keystore; other entry types are left alone.
    Log Certificates in Keystore
    # keytool -list prints one "alias, date, entryType," line per entry; keep the alias of matching entries and delete each one
    Run Command On Remote System    ${ODL_SYSTEM_IP}    ${JAVA_HOME}/bin/keytool -list -keystore ${KEYSTORE_PATH} -storepass 123456 | egrep -e "(trustedCertEntry|PrivateKeyEntry)" | cut -d"," -f1 | xargs -I[] ${JAVA_HOME}/bin/keytool -delete -alias [] -keystore ${KEYSTORE_PATH} -storepass 123456
    Log Certificates in Keystore

Generate Server Self-Signed Certificate
    [Documentation]    Generates a self-signed server certificate with openssl, wraps key and certificate in a PKCS#12
    ...    bundle, imports the bundle into the Java keystore and restarts Jetty to load the change.
    ${KEYSTORE_DIR}=    Split Path    ${KEYSTORE_PATH}
    Run Command On Remote System    ${ODL_SYSTEM_IP}    mkdir -p ${KEYSTORE_DIR[0]}
    Log Certificates in Keystore
    # Generate key pair and self-signed certificate with openssl on the ODL host; the private key is encrypted with myPass
    Run Command On Remote System    ${ODL_SYSTEM_IP}    openssl req -x509 -newkey rsa:4096 -passout pass:myPass -keyout serverkey.pem -out servercert.pem -days 365 -subj "/C=ES/ST=Madrid/L=Madrid/O=OpenDayLight/OU=AAA/CN=OpenDayLight/emailAddress=unknown@unknown.com"
    # Bundle private key and certificate into PKCS#12: keytool cannot import a bare PEM private key
    Run Command On Remote System    ${ODL_SYSTEM_IP}    openssl pkcs12 -export -in servercert.pem -inkey serverkey.pem -out server.p12 -name odl -passin pass:myPass -passout pass:myPass
    # Import the bundle into the keystore as a PrivateKeyEntry under alias odl.
    # Store password is 123456 and key password is myPass; the TLS properties written to custom.properties must match both.
    Run Command On Remote System    ${ODL_SYSTEM_IP}    ${JAVA_HOME}/bin/keytool -importkeystore -deststorepass 123456 -destkeypass myPass -destkeystore ${KEYSTORE_PATH} -srckeystore server.p12 -srcstoretype PKCS12 -srcstorepass myPass -alias odl
    Log Certificates in Keystore

Generate Client Self-Signed Certificate
    [Documentation]    Generates a self-signed client certificate on the test machine, copies the certificate to the ODL host,
    ...    imports it into the keystore as a trusted certificate and restarts Jetty to load the change.
    ${KEYSTORE_DIR}=    Split Path    ${KEYSTORE_PATH}
    Run Command On Remote System    ${ODL_SYSTEM_IP}    mkdir -p ${KEYSTORE_DIR[0]}
    Log Certificates in Keystore
    # Generate locally with openssl (OperatingSystem.Run, not on the ODL host): the client key pair stays on the client side.
    # -nodes leaves the private key unencrypted and -passout is omitted on purpose: the suite has no way to hand a key
    # passphrase to curl through PycURLLibrary, so an encrypted key would stop the run at an interactive prompt.
    Run    openssl req -x509 -newkey rsa:4096 -nodes -keyout ${USER_HOME}/clientkey.pem -out ${USER_HOME}/clientcert.pem -days 365 -subj "/C=ES/ST=Madrid/L=Madrid/O=OpenDayLight/OU=AAA/CN=MiguelAngelMunoz/emailAddress=myemail@unknown.com"
    # Only the certificate (public part) is copied to the server and imported as a trustedCertEntry; the key never leaves the client.
    # No -alias is given, so keytool stores it under its default alias "mykey"; a second client certificate would need a distinct alias.
    Copy File To Remote System    ${ODL_SYSTEM_IP}    ${USER_HOME}/clientcert.pem    .
    Run Command On Remote System    ${ODL_SYSTEM_IP}    ${JAVA_HOME}/bin/keytool -import -trustcacerts -file clientcert.pem -keystore ${KEYSTORE_PATH} -storepass 123456 -noprompt
    Log Certificates in Keystore
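The two keywords above trust each self-signed client certificate individually, so every new client means another trustedCertEntry in the server keystore. The CA-signed test cases in this suite have no body on this page, so the following script is an added example (not OpenDaylight test code) of the CA-based alternative, using openssl only: it creates a small private CA, issues a server and a client certificate from it, shows that the CA accepts the certificates it issued (and only for the role their extendedKeyUsage allows) while rejecting an unrelated self-signed certificate, and repeats the PKCS#12 round-trip the server keyword performs before `keytool -importkeystore`. It assumes openssl 1.1.1 or newer on PATH; all file names and subjects are constructed for the demonstration.

```shell
#!/bin/sh
# Added example for this suite (not part of the OpenDaylight test code): build a small
# private CA with openssl, issue a server and a client certificate from it, and compare
# the result with the self-signed client-certificate model the suite uses.
# Assumptions: openssl (1.1.1 or newer) is on PATH; every file name and subject below is
# constructed for the demonstration. Neither Karaf nor keytool is needed to run it.
set -eu

WORKDIR="$(mktemp -d)"
trap 'rm -rf "$WORKDIR"' EXIT

# Private CA: a self-signed certificate explicitly marked as a CA. With CA-signed clients
# this is the only certificate that has to be imported into the server truststore.
make_ca() {
    printf '%s\n' 'basicConstraints=critical,CA:TRUE' \
                  'keyUsage=critical,keyCertSign,cRLSign' \
                  'subjectKeyIdentifier=hash' > "$WORKDIR/ca.ext"
    openssl req -new -newkey rsa:2048 -nodes -keyout "$WORKDIR/ca.key" \
        -out "$WORKDIR/ca.csr" -subj "/O=Example Lab/CN=Example Lab Test CA" >/dev/null 2>&1
    openssl x509 -req -days 365 -in "$WORKDIR/ca.csr" -signkey "$WORKDIR/ca.key" \
        -extfile "$WORKDIR/ca.ext" -out "$WORKDIR/ca.pem" >/dev/null 2>&1
}

# Issue a leaf certificate signed by the CA.
# $1 = file prefix, $2 = subject, $3 = extendedKeyUsage (serverAuth or clientAuth),
# $4 = optional extra extension line (for example a subjectAltName).
issue_cert() {
    printf '%s\n' 'basicConstraints=CA:FALSE' \
                  'keyUsage=digitalSignature,keyEncipherment' \
                  "extendedKeyUsage=$3" ${4:+"$4"} > "$WORKDIR/$1.ext"
    openssl req -new -newkey rsa:2048 -nodes -keyout "$WORKDIR/$1.key" \
        -out "$WORKDIR/$1.csr" -subj "$2" >/dev/null 2>&1
    openssl x509 -req -days 365 -in "$WORKDIR/$1.csr" -CA "$WORKDIR/ca.pem" \
        -CAkey "$WORKDIR/ca.key" -CAcreateserial -extfile "$WORKDIR/$1.ext" \
        -out "$WORKDIR/$1.pem" >/dev/null 2>&1
}

# Self-signed certificate, the shape the suite produces for its client certificate.
self_sign() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -keyout "$WORKDIR/$1.key" \
        -out "$WORKDIR/$1.pem" -subj "$2" >/dev/null 2>&1
}

# Does trust anchor $1 accept certificate $2 for TLS role $3 (sslserver or sslclient)?
# Prints "ok" or "rejected" so callers can branch on the outcome.
check_trust() {
    if openssl verify -CAfile "$WORKDIR/$1.pem" -purpose "$3" "$WORKDIR/$2.pem" >/dev/null 2>&1; then
        echo ok
    else
        echo rejected
    fi
}

# Wrap key and certificate in PKCS#12 as the suite does before keytool -importkeystore,
# then read the certificate back out of the bundle and print its subject.
p12_roundtrip() {
    openssl pkcs12 -export -in "$WORKDIR/$1.pem" -inkey "$WORKDIR/$1.key" \
        -out "$WORKDIR/$1.p12" -name odl -passout pass:myPass >/dev/null 2>&1
    openssl pkcs12 -in "$WORKDIR/$1.p12" -passin pass:myPass -nokeys -clcerts 2>/dev/null \
        | openssl x509 -noout -subject
}

make_ca
issue_cert server "/O=Example Lab/CN=odl.example.test" serverAuth "subjectAltName=DNS:odl.example.test"
issue_cert client "/O=Example Lab/CN=ca-signed-client" clientAuth
self_sign selfclient "/O=Example Lab/CN=self-signed-client"

echo "CA-signed server cert, server role:     $(check_trust ca server sslserver)"
echo "CA-signed client cert, client role:     $(check_trust ca client sslclient)"
echo "CA-signed server cert, client role:     $(check_trust ca server sslclient)"
echo "self-signed client cert against the CA: $(check_trust ca selfclient sslclient)"
echo "self-signed client cert pinned itself:  $(check_trust selfclient selfclient sslclient)"
echo "subject read back from PKCS#12:         $(p12_roundtrip server)"
```

With a CA in place, the server keyword's keytool import stays the same, but the client keyword's `keytool -import -trustcacerts` would be run once for `ca.pem` instead of once per client certificate; any certificate the CA issues with `extendedKeyUsage=clientAuth` is then accepted, and a self-signed certificate that was never imported is not. Note that the CA key is the new secret to protect: whoever holds `ca.key` can mint a client certificate the server will trust.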
    [Documentation]    Removes the TLS configuration from custom.properties.
    Run Command On Remote System    ${ODL_SYSTEM_IP}    sed -i '/org.osgi.service.http.secure.enabled=/d' ${CUSTOMPROP}
    Run Command On Remote System    ${ODL_SYSTEM_IP}    sed -i '/org.ops4j.pax.web.ssl.keystore=/d' ${CUSTOMPROP}
    Run Command On Remote System    ${ODL_SYSTEM_IP}    sed -i '/org.ops4j.pax.web.ssl.password=/d' ${CUSTOMPROP}
    Run Command On Remote System    ${ODL_SYSTEM_IP}    sed -i '/org.ops4j.pax.web.ssl.keypassword=/d' ${CUSTOMPROP}
    Run Command On Remote System    ${ODL_SYSTEM_IP}    sed -i '/org.ops4j.pax.web.ssl.clientauthneeded=/d' ${CUSTOMPROP}
    [Documentation]    Appends the secure (HTTPS) configuration to custom.properties: enables the secure connector and
    ...    points Pax Web at the keystore holding the server key.
    Run Command On Remote System    ${ODL_SYSTEM_IP}    echo "org.osgi.service.http.secure.enabled=true" >> ${CUSTOMPROP}
    Run Command On Remote System    ${ODL_SYSTEM_IP}    echo "org.ops4j.pax.web.ssl.keystore=${KEYSTORE_RELATIVE_PATH}" >> ${CUSTOMPROP}
    # Both passwords must match the ones used in Generate Server Self-Signed Certificate (key password myPass, store password 123456)
    Run Command On Remote System    ${ODL_SYSTEM_IP}    echo "org.ops4j.pax.web.ssl.password=myPass" >> ${CUSTOMPROP}
    Run Command On Remote System    ${ODL_SYSTEM_IP}    echo "org.ops4j.pax.web.ssl.keypassword=123456" >> ${CUSTOMPROP}

Enable Client TLS Authentication in ODL
    [Documentation]    Appends the property that makes the Pax Web TLS connector require a client certificate.
    Run Command On Remote System    ${ODL_SYSTEM_IP}    echo "org.ops4j.pax.web.ssl.clientauthneeded=true" >> ${CUSTOMPROP}

Cleanup Suite
    [Documentation]    Cleans the TLS configuration and restarts Karaf so that the plain configuration is reloaded.
    ClusterManagement_Setup
    Clean Up Certificates In Server
    [Documentation]    Deletes pending sessions in case there were any.