ONOS-6758 Enable TLS by default for intra-cluster communication

Default key store location is config/onos.jks with password changeit

Change-Id: I07cbc09abb22fd8e98fe39a012ce0a65d17d8e39
diff --git a/tools/build/envDefaults b/tools/build/envDefaults
index 41a9503..fd282c9 100644
--- a/tools/build/envDefaults
+++ b/tools/build/envDefaults
@@ -51,3 +51,6 @@
 export ONOS_GROUP="${ONOS_GROUP:-sdn}"  # ONOS group on remote system
 export ONOS_PWD="rocks"                 # ONOS user password on remote system
 export ONOS_SCENARIOS=$ONOS_ROOT/tools/test/scenarios
+
+export ONOS_CLUSTER_KEY_FILE="/tmp/onos.jks"
+export ONOS_CLUSTER_KEY_PASSWORD="changeit"
\ No newline at end of file
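Review bot: The two new exports hard-code the staging path and the password, unlike `ONOS_GROUP` just above, which lets the caller override its default. `/tmp/onos.jks` is a fixed name in a world-writable directory, so another local user could pre-create it or, depending on umask, read it. Two test runs on one host would also share it, since the `Generate-Cluster-Key` step in setup.xml regenerates it with `-f` on every run. I would write `export ONOS_CLUSTER_KEY_FILE="${ONOS_CLUSTER_KEY_FILE:-/tmp/onos.jks}"`, use the same form for `ONOS_CLUSTER_KEY_PASSWORD`, and add a trailing comment that `changeit` is a test default only. The commit message names config/onos.jks, which is the path on the node rather than this staging path, so a comment on the line should say so.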
diff --git a/tools/test/bin/onos-gen-cluster-key b/tools/test/bin/onos-gen-cluster-key
new file mode 100755
index 0000000..168a174
--- /dev/null
+++ b/tools/test/bin/onos-gen-cluster-key
@@ -0,0 +1,23 @@
+#!/bin/bash
+# ------------------------------------------------------------------------
+# This script generates a self-signed certificate and private key pair
+# and stores them in a Java keystore. This keystore can be used as the
+# keystore and trust store for client and server ends of TLS connections
+# for all nodes in the cluster.
+# ------------------------------------------------------------------------
+
+[ ! -d "$ONOS_ROOT" ] && echo "ONOS_ROOT is not defined" >&2 && exit 1
+. $ONOS_ROOT/tools/build/envDefaults
+
+[ "$1" = "-f" ] && shift && generate_new_key=true
+
+[ "$generate_new_key" = true ] && rm -f $ONOS_CLUSTER_KEY_FILE
+
+keytool -genkey -keystore $ONOS_CLUSTER_KEY_FILE \
+        -storepass $ONOS_CLUSTER_KEY_PASSWORD \
+        -keyalg RSA \
+        -alias onos \
+        -validity 3600 \
+        -keysize 2048 \
+        -dname CN=onos \
+        -keypass $ONOS_CLUSTER_KEY_PASSWORD
\ No newline at end of file
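Review bot: The keystore holding the cluster private key is created under the caller's default umask, and the password is passed to keytool in argv, where it is visible in the process list. Adding `umask 077` before the `keytool` call and switching to `-storepass:env ONOS_CLUSTER_KEY_PASSWORD` and `-keypass:env ONOS_CLUSTER_KEY_PASSWORD` addresses both. The expansions of `$ONOS_ROOT` and `$ONOS_CLUSTER_KEY_FILE` are unquoted, which matters most for the `rm -f` line. Without `-f` an existing keystore is kept, and keytool will presumably fail on the duplicate `onos` alias, so the header comment should say that `-f` replaces an existing key.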
diff --git a/tools/test/bin/onos-install b/tools/test/bin/onos-install
index 2231667..cc00da0 100755
--- a/tools/test/bin/onos-install
+++ b/tools/test/bin/onos-install
@@ -102,5 +102,8 @@
 # Configure the ONOS installation
 onos-config $node
 
+# Upload the shared cluster key if present
+[ -f "$ONOS_CLUSTER_KEY_FILE" ] && onos-push-cluster-key $1
+
 # Unless -n option was given, attempt to ignite the ONOS service.
 [ -z "$nostart" ] && onos-service $node start || true
\ No newline at end of file
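Review bot: The new call passes `$1` while the lines around it use `$node`, so the key could go to a different target than the one being configured if the arguments were shifted or defaulted earlier in the script, which is outside this hunk. `[ -f "$ONOS_CLUSTER_KEY_FILE" ] && onos-push-cluster-key "$node"` keeps the configure, push and start steps on the same node. As far as this hunk shows, a failed push is not reported, so the service would start without the shared keystore; consider appending `|| exit 1` or printing a message to stderr.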
diff --git a/tools/test/bin/onos-push-cluster-key b/tools/test/bin/onos-push-cluster-key
new file mode 100755
index 0000000..c2a77f6
--- /dev/null
+++ b/tools/test/bin/onos-push-cluster-key
@@ -0,0 +1,11 @@
+#!/bin/bash
+# -----------------------------------------------------------------------------
+# Pushes the cluster key to the ONOS config directory on a remote ONOS node.
+# -----------------------------------------------------------------------------
+
+[ ! -d "$ONOS_ROOT" ] && echo "ONOS_ROOT is not defined" >&2 && exit 1
+. $ONOS_ROOT/tools/build/envDefaults
+
+remote=$ONOS_USER@${1:-$OCI}
+
+scp -q $ONOS_CLUSTER_KEY_FILE $remote:$ONOS_INSTALL_DIR/config/onos.jks
\ No newline at end of file
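Review bot: The script copies a keystore containing the private key but leaves the mode of the remote `config/onos.jks` to scp and the remote umask. It also does not check that the local file exists when run on its own. Quote the operands, `scp -q "$ONOS_CLUSTER_KEY_FILE" "$remote:$ONOS_INSTALL_DIR/config/onos.jks"`, and add a guard such as `[ -f "$ONOS_CLUSTER_KEY_FILE" ] || { echo "cluster key not found" >&2; exit 1; }`. A follow-up step that restricts the remote file to the ONOS user would be worth adding, and the header comment could state that the file holds key material.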
diff --git a/tools/test/scenarios/setup.xml b/tools/test/scenarios/setup.xml
index 4f45deb..1d1c36a 100644
--- a/tools/test/scenarios/setup.xml
+++ b/tools/test/scenarios/setup.xml
@@ -30,19 +30,21 @@
         </group>
 
         <group name="Install">
+            <step name="Generate-Cluster-Key" exec="onos-gen-cluster-key -f" />
+
             <group name="Sequential-Install" if="${ONOS_STC_SEQ_START}">
                 <sequential var="${OC#}"
                             starts="Sequential-Install-${#}"
                             ends="Sequential-Install-${#-1}">
                     <step name="Sequential-Install-${#}" exec="onos-install ${OC#}"
-                          requires="Push-Bits-${#},Push-Bits,Cleanup"/>
+                          requires="Generate-Cluster-Key,Push-Bits-${#},Push-Bits,Cleanup"/>
                 </sequential>
             </group>
 
             <group name="Parallel-Install" unless="${ONOS_STC_SEQ_START}">
                 <parallel var="${OC#}">
                     <step name="Parallel-Install-${#}" exec="onos-install ${OC#}"
-                          requires="Push-Bits-${#},Push-Bits,Cleanup"/>
+                          requires="Generate-Cluster-Key,Push-Bits-${#},Push-Bits,Cleanup"/>
                 </parallel>
             </group>
         </group>