config/sysinv/sysinv/sysinv/sysinv/ipsec_auth
Leonardo Mendes 49df34a4f4 Add Intermediate CA support to IPsec configuration
The current implementation of IPsec configuration by IPsec
server/client supports Root CA only. This commit adds support
for Intermediate CA. Now, IPsec Auth Server sends both certificates
to IPsec Auth client to store. If it's a self-signed certificate,
the same certificate is sent as Root CA.

Test plan:
PASS: In a DX system with available enabled active status with IPsec
      server being executed from controller-0 and a self-signed CA
      installed. Run "ipsec-client pxecontroller --opcode 1" in
      controller-1. Observe that 4 CA certificates are created,
      but they are the same certificate. Observe that a security
      association is established between the hosts via "swanctl
      --list-sas" command.
PASS: In a DX system with available enabled active status with IPsec
      server being executed from controller-0 and a self-signed CA
      installed. Run "ipsec-client pxecontroller --opcode 2" in
      controller-1. Observe the previously created CertificateRequest
      was deleted and a new one was generated for controller-1's node.
      The new certificate is sent to IPsec Client with Root and
      Intermediate CA, which are the same, to be stored and the
      swanctl rekey command executed successfully.
PASS: In a DX system with available enabled active status with IPsec
      server being executed from controller-0 and an intermediate CA
      installed. Run "ipsec-client pxecontroller --opcode 1" in
      worker-0. Observe that 4 CA certificates are created,
      including Root and Intermediate CA. Observe that a security
      association is established between the hosts via "swanctl
      --list-sas" command.
PASS: In a DX system with available enabled active status with IPsec
      server being executed from controller-0 and an Intermediate CA
      installed. Run "ipsec-client pxecontroller --opcode 2" in
      worker-0. Observe the previously created CertificateRequest
      was deleted and a new one was generated for worker-0's node.
      The new certificate is sent to IPsec Client with Root and
      Intermediate CA to be stored and the swanctl rekey command
      executed successfully.
PASS: In a DX system, simulate the IPsec cert is about to expire,
      run the script, verify IPsec cert, private key and trusted CA
      cert are renewed.

Story: 2010940
Task: 49825

Change-Id: I25c973350c4f460233a4e6e5ddda8366b948d120
Signed-off-by: Leonardo Mendes <Leonardo.MendesSantana@windriver.com>
2024-04-09 16:01:53 -03:00
..
client Add Intermediate CA support to IPsec configuration 2024-04-09 16:01:53 -03:00
common Add Intermediate CA support to IPsec configuration 2024-04-09 16:01:53 -03:00
server Add Intermediate CA support to IPsec configuration 2024-04-09 16:01:53 -03:00
__init__.py Initial implementation of IPsec Auth Server 2024-01-30 14:31:05 -03:00