test/doc/source/manual_tests/security/security_OAM_suite.rst

=============
OAM Interface
=============

.. contents::
   :local:
   :depth: 1

-------------------------
SECURITY_OAM_interface_01
-------------------------

:Test ID: SECURITY_OAM_interface_01
:Test Title: Set up OAM interface Firewall
:Tags: port_services

~~~~~~~~~~~~~~~~~~
Testcase Objective
~~~~~~~~~~~~~~~~~~

Use Netfilter/IpTables to set default firewall for OAM Interface.

~~~~~~~~~~~~~~~~~~~
Test Pre-Conditions
~~~~~~~~~~~~~~~~~~~

a) Starlingx uses Netfilter framework for firewall setup. Make sure
"iptables" and "iptables-config" files exist in /etc/sysconfig path.

b) On Active Controller, execute following commands to enable 443 https port:

.. code:: bash

  $ system modify -p true
  $ system modify --https_enabled true

~~~~~~~~~~
Test Steps
~~~~~~~~~~

1. Once Starlingx product installed, go to Active controller,
/etc/sysconfig/iptables and check following protocol/ports are accepted:

::

  Protocol Port Service Name
  tcp 22 ssh
  tcp 80 horizon (http only)
  tcp 443 horizon (https only)
  tcp 4545 nfv-vim-api
  tcp 5000 keystone-api
  tcp 6080 nova-nonvc-proxy
  tcp 6385 sysinv-api
  tcp 8000 heat-cfn
  tcp 8003 heat-cloudwatch-api
  tcp 8004 heat-api
  tcp 8042 aodh-api
  tcp 8776 cinder-api
  tcp 8774 nova-api
  tcp 9292 glance-api
  tcp 9696 neutron-api
  tcp 15491 patching-api
  udp 123 ntp
  udp 161 snmp
  udp 2222 service manager
  udp 2223 service manager


2. Use netstat command to verify that ports are up and listening by typing:

.. code:: bash

  Controller-0 $ sudo netstat -plant | grep <port>

REMARK: Please repeat netstat command for every single port listed in above
step.

or

.. code:: bash

  Controller-0 $ sudo netstat -plant | grep LISTEN

REMARK: you should get the full list of listening ports with all available
IPs.

~~~~~~~~~~~~~~~~~
Expected Behavior
~~~~~~~~~~~~~~~~~

1. Once you open the /etc/sysconfig/iptables file you should be able to see
following rules listed:

::

  -A INPUT -p tcp -m multiport --dports 22 -m comment --comment """"011 platform accept ssh ipv4"""" -j ACCEPT
  -A INPUT -p tcp -m multiport --dports 80 -m comment --comment """"500 horizon incoming dashboard"""" -j ACCEP
  -A INPUT -p tcp -m multiport --dports 4545 -m comment --comment """"500 nfv-vim incoming nfv-vim-api"""" -j ACCEPT
  -A INPUT -p tcp -m multiport --dports 5000 -m comment --comment """"500 keystone incoming keystone-api"""" -j ACCEPT
  -A INPUT -p tcp -m multiport --dports 6080 -m comment --comment """"500 nova-novnc incoming nova-novnc"""" -j ACCEPT
  -A INPUT -p tcp -m multiport --dports 6385 -m comment --comment """"500 sysinv incoming sysinv-api"""" -j ACCEPT
  -A INPUT -p tcp -m multiport --dports 8000 -m comment --comment """"500 heat-cfn incoming heat-cfn"""" -j ACCEPT
  -A INPUT -p tcp -m multiport --dports 8003 -m comment --comment """"500 heat-cloudwatch incoming heat-cloudwatch"""" -j ACCEPT
  -A INPUT -p tcp -m multiport --dports 8004 -m comment --comment """"500 heat incoming heat-api"""" -j ACCEPT
  -A INPUT -p tcp -m multiport --dports 8042 -m comment --comment """"500 aodh incoming aodh-api"""" -j ACCEPT
  -A INPUT -p tcp -m multiport --dports 8776 -m comment --comment """"500 cinder incoming cinder-api"""" -j ACCEPT
  -A INPUT -p tcp -m multiport --dports 8774 -m comment --comment """"500 nova incoming nova-api-rules"""" -j ACCEPT
  -A INPUT -p tcp -m multiport --dports 9292 -m comment --comment """"500 glance incoming glance-api"""" -j ACCEPT
  -A INPUT -p tcp -m multiport --dports 9696 -m comment --comment """"500 neutron incoming neutron-api"""" -j ACCEPT
  -A INPUT -p tcp -m multiport --dports 15491 -m comment --comment """"500 patching incoming patching-api"""" -j ACCEPT
  -A INPUT -p udp -m multiport --dports 123 -m comment --comment """"201 platform accept ntp ipv4"""" -j ACCEPT
  -A INPUT -p udp -m multiport --dports 161 -m comment --comment """"202 platform accept snmp ipv4"""" -j ACCEPT
  -A INPUT -p udp -m multiport --dports 2222,2223 -m comment --comment """"010 platform accept sm ipv4"""" -j ACCEPT
  -A INPUT -p tcp -m multiport --dports 443 -m comment --comment """"500 horizon incoming dashboard"""" -j ACCEPT

REMARK: Per Ken Young(Windriver): we no longer need to open 8777 for the
cellometer-api, nor 8773 for nova-ec2.

2. All ports listed in the iptable file should be displayed successfully.

::

  e.g. [wrsroot@controller-0 syslog-ng(keystone_admin)]$ sudo netstat -plant | grep 8080
  tcp        0      0 127.0.0.1:8080          0.0.0.0:*               LISTEN      3733/gunicorn: work
  tcp        0      0 10.10.10.2:8080         0.0.0.0:*               LISTEN      27240/haproxy

-------------------------
SECURITY_OAM_interface_02
-------------------------

:Test ID: SECURITY_OAM_interface_02
:Test Title: Validate that services respond over https
:Tags: API

~~~~~~~~~~~~~~
Test Objective
~~~~~~~~~~~~~~

From and external host, browse HTTPS REST API for each service.

~~~~~~~~~~~~~~~~~~~
Test Pre-Conditions
~~~~~~~~~~~~~~~~~~~

a) On Active Controller, execute following commands to enable 443 https port:

.. code:: bash

  $ system modify -p true

  $ system modify --https_enabled true

b) Obtain a CA-Signed Certificate. Steps to create your own CA certificate.

1. Generate your own server private key (can be used on multiple servers)
by typing:

.. code:: bash

  $ openssl genrsa -out server-key.pem 2048

2. Generate the public certificate for the server private key (""commonName"" attribute must match the floating IP of the servers) For more reference go to [0]

.. code:: bash

  $ openssl req -new -key server-key.pem -out /home/user/server.csr -batch -subj ""/countryName=CN/stateOrProvinceName=<your state>/localityName=<city>/organizationName=<Your Company>/organizationalUnitName=<Your Org>/commonName=10.10.10.2""

  e.g.

  $ openssl req -new -key server-key.pem -out /home/fhernan2/server.csr -batch –subj ""/countryName=MX/stateOrProvinceName=Jalisco/localityName=Guadalajara/organizationName=intel/organizationalUnitName=SSG/commonName=10.10.10.2""

3. Generate CA private key by typing:

.. code:: bash

  $ openssl genrsa -out ca-key.pem 2048

4. Generate CA public certificate (to be installed on the client browser)
by typing:

.. code:: bash

  $ openssl req -x509 -new -nodes -key ca-key.pem -days 3650 -out ca-cert.pem -outform PEM -subj ""/countryName=CN/stateOrProvinceName=<your state>/localityName=Ottawa/organizationName=<your Company>/organizationalUnitName=<Your gruo>/commonName=<Your Common Name>"" -text –batch

  :e.g.
  $openssl req -x509 -new -nodes -key ca-key.pem -days 3650 -out ca-cert.pem -outform PEM -subj ""/countryName=MX/stateOrProvinceName=Jalisco/localityName=Guadalajara/organizationName=intel/organizationalUnitName=SSG/commonName=10.10.10.2""

5. Signing the server public certificate with CA private key by typing:

.. code:: bash

  $ openssl x509 -req -in ../vbox/server.csr -CA ca-cert.pem -CAkey ca-key.pem -CAcreateserial -out ../vbox/server.pem -days 3650

  :e.g.

  $ openssl x509 -req -in /home/fhernan2/CA_certificate/server.csr -CA ca-cert.pem -CAkey ca-key.pem -CAcreateserial -out /home/fhernan2/CA_certificate/server.pem -days 3650  
    Signature ok
    subject=/C=MX/ST=Jalisco/L=Guadalajara/O=intel/OU=SSG/CN=10.10.10.2
    Getting CA Private Key

6. Move the server-key.pem, server.pem, files from the host where you create
them to Active Controller by typing:

.. code:: bash

  $ scp server* wrsroot@10.10.10.3:~

7. Create a server key file by concatenating the server private key and the
CA-signed server certificate in a key file. Generate key file for installation
on controller node by typing

.. code:: bash

  $ cat server-key.pem /home/wrsroot/server.pem > /home/wrsroot/server-with-key.pem

8. Install the server key file on the controllers by typing:

.. code:: bash

  $ system certificate-install server-with-key.pem

9. Install the CA certificate on you browser (this will allow the browser to
recognize the server).

~~~~~~~~~~
Test Steps
~~~~~~~~~~

1. Browse Horizon with HTTPS.

.. code:: bash

  e.g.
  https://10.10.10.3

2. Go to Project --> API Access.

3. Browse every single service available and male sure in add the exception by
importing the certificate from the browser.

e.g.

a)Browse --> https://10.10.10.2:8

b)Browser should come with following message:

::

  Your connection is not secure.
  The owner of 10.10.10.2 has configured their website improperly.
  To protect your information from being stolen, Firefox has not
  connected to this website....

c)Hit "Advanced" button.

d)Following message should be displayed:

.. code:: bash

  10.10.10.2:8977 uses an invalid security certificate.
  The certificate is not trusted because it is self-signed.
  The certificate is only valid for .
  Error code: MOZILLA_PKIX_ERROR_SELF_SIGNED_CERT

e) Hit "Add Exception..." button.

f) "Add Security Exception" pop up window should be displayed explaining that
"You are about to override how Firefox identifies this site..."

g) Hit "View" button in order to display Details of CA-certificate and make
sure it is the one you created.

h) Hit over """"Get certificate"""" or "Confirm Security Exception" button to
accept the certificate.

~~~~~~~~~~~~~~~~~
Expected Behavior
~~~~~~~~~~~~~~~~~


1. Horizon should be opened successufly with https browser connection.

2. A list of services and service ponts should be displayed.

.. code:: bash

  e.g.
  Service | Service Endpoint
  Alarming | https://10.10.10.2:8042
  Cloudformation | https://10.10.10.2:8000/v1/a52d40232ea64352b522b113ddc41d05
  Compute | https://10.10.10.2:8774/v2.1/a52d40232ea64352b522b113ddc41d05
  Event | https://10.10.10.2:8977
  Faultmanagement | https://10.10.10.2:18002
  Identity | https://10.10.10.2:5000/v3
  Image | https://10.10.10.2:9292
  Metering  -
  Metric | https://10.10.10.2:8041
  Network | https://10.10.10.2:9696
  Nfv | https://10.10.10.2:4545
  Orchestration | https://10.10.10.2:8004/v1/a52d40232ea64352b522b113ddc41d05
  Patching | https://10.10.10.2:15491
  Placement | https://10.10.10.2:8778
  Platform | https://10.10.10.2:6385/v1
  Smapi | https://10.10.10.2:7777

3. You should be able to get a response from the Service.

::

  e.g.

  versions
     values
        0
           status """"stable""""
           updated """"2013-02-13T00:00:00Z""""
           media-types 
              0
                 base """"application/json""""
                 type """"application/vnd.openstack.telemetry-v2+json""""
              1
                 base """"application/xml""""
                 type """"application/vnd.openstack.telemetry-v2+xml""""
        id """"v2""""
     links
        0
           href """"https://10.10.10.2:8977/v2""""
           rel """"self""""
        1
           href """"http://docs.openstack.org/""""
           type """"text/html""""
           rel """"describedby"""""

-------------------------
SECURITY_OAM_interface_03
-------------------------

:Test ID: SECURITY_OAM_interface_03
:Test Title: Backup and restore with OAM Firewall configuration file.
:Tags: Security config

~~~~~~~~~~~~~~
Test Objective
~~~~~~~~~~~~~~

The goal of this test is to confirm the port configration is preserved by the
backup and restore procedure.

~~~~~~~~~~~~~~~~~~~
Test Pre-Conditions
~~~~~~~~~~~~~~~~~~~

Starlingx uses Netfilter framework for firewall setup. Make sure "iptables"
and "iptables-config" files exist in /etc/sysconfig path.

~~~~~~~~~~
Test Steps
~~~~~~~~~~

1. Install the Starlingx configuration with a custom configuration file.

2. Ensure there are no unexpected alarms post-install.

3. Use netstat command to verify that ports are up and listening by typing:

.. code:: bash

  Controller-0 $ sudo netstat -plant | grep <port>

REMARK: Please repeat netstat command for every single port listed in above
step.

or

.. code:: bash

  Controller-0 $ sudo netstat -plant | grep LISTEN

REMARK: you should get the full list of listening ports with all available
ips, save the list in order to compare it once the you do the restore in
further steps. Verify this on both controllers as well as the OAM float port.

or

.. code:: bash

  Controller-0 $ source /etc/nova/openrc

  Controller-0 $ openstack endpoint list

4. Pre-requisites to do  a BACKUP.

To ensure recovery from backup files during a restore procedure, VMs must be
in the active state when performing the backup. VMs that are in a shutdown or
paused state at the time of the backup will not be recovered after a
subsequent restore procedure.

.. code:: bash

  execute "sudo config_controller --backup <backup_name>"

5. Pre-requisites to do RESTORE.

All cluster hosts must be prepared for network boot and then powered down.
(Means for virtual you should power on wait for PXE messages and then
Power-down)

The restore procedure requires all hosts but controller-0 to boot over the
internal management network using the PXE protocol. Ideally, the old boot
images are no longer present, so that the hosts boot from the network when
powered on. If this is not the case, you must configure each host manually
for network boot immediately after powering it on.

Note: Save the backups previously created in a clean environment, perform
sudo config_controller --restore-system /home/$user/<backup_name_system.tgz>

6. Pre-requisites to do RESTORE.

All cluster hosts must be prepared for network boot and then powered down.
(Means for virtual you should power on wait for PXE messages and then
Power-down)

The restore procedure requires all hosts but controller-0 to boot over the
internal management network using the PXE protocol. Ideally, the old boot
images are no longer present, so that the hosts boot from the network when
powered on. If this is not the case, you must configure each host manually
for network boot immediately after powering it on.

Note: Save the backups previously created in a clean environment, perform
sudo config_controller --restore-images /home/$user/<backup_name_images.tgz>

7. Once the system is restored ensure the expected ports are still open. Use
netstat command to verify that ports are up and listening by typing:

.. code:: bash

  Controller-0 $ sudo netstat -plant | grep <port>

REMARK: Please repeat netstat command for every single port listed in above
step.

or

.. code:: bash

  Controller-0 $ sudo netstat -plant | grep LISTEN

~~~~~~~~~~~~~~~~~
Expected Behavior
~~~~~~~~~~~~~~~~~

1. Starlingx configuration should be installed successfully.

2. No unexpected alarms were displayed in post-install.

3. The list of available ports should be displayed and saved it successfully.

4. After execute the sudo config_controller --backup <backupname> command
system.tgz and image.tgz files should be created successfully.

.. code:: bash

  e.g.
  Performing backup (this might take several minutes):
  Step 16 of 16 [#############################################] [100%]
  System backup file created: /opt/backups/<backupname>_system.tgz
  Images backup file created: /opt/backups/backupname_images.tgz""

5. system should be in the same way that the files were generated before

6. images shoule be in the same way that the files were generated before

7. Once the system is restore expected ports are open post-restored

-------------------------
SECURITY_OAM_interface_04
-------------------------

:Test ID: SECURITY_OAM_interface_04
:Test Title: Default system install without configuration file iptables rules.
:Tags: IPtable_rule

~~~~~~~~~~~~~~
Test Objective
~~~~~~~~~~~~~~

The goal of this test is to default system install without configuration file
iptables rules making sure when installing with/without Firewall ip tables
the installation is successfull.

~~~~~~~~~~~~~~~~~~~
Test Pre-Conditions
~~~~~~~~~~~~~~~~~~~

Netfilter framework installed on Starlingx configuration.

~~~~~~~~~~
Test Steps
~~~~~~~~~~

1. Go to Virtual Dedicated Storage Installation Guide [1]

2. Go one step before "sudo config_controller" installation step - (one step
before ""Configuring Controller-0"" section)

3. Go to active controller and make sure in remove "iptables",
"iptables-config", "iptables.save",  "ip6tables", "ip6tables-config",
"ip6tables.save" from /etc/sysconfig path by typing rm -rf <file>

4. On active controller type:

.. code:: bash

   Controller-0 $ sudo config_controller and accept all default values

   or

   Controller-0 $ sudo config_controller --config-file <cfg_file_name>
   If you have created a specific configuration file for your cluster.

5. After "config_controller" bootstrap configuration Starlingx firewall is
enabled, make sure the ipfirewall rules are set by typing:

.. code:: bash

  Controller-0 $ sudo iptables --list-rules

~~~~~~~~~~~~~~~~~
Expected Behavior
~~~~~~~~~~~~~~~~~

1. Steps for Virtual Dedicated Storage Installation Guide should be displayed.

2. Went one step before "sudo config_controller" installation step
successfully.

3. "iptables", "iptables-config", "iptables.save",  "ip6tables",
"ip6tables-config", "ip6tables.save" files removed from /etc/sysconfig path
successfully.

4. "config_controller" bootstrap configuration command executed successfully.

5. Following rules should be listed:

::

  -A INPUT -p tcp -m multiport --dports 22 -m comment --comment """"011 platform accept ssh ipv4"""" -j ACCEPT
  -A INPUT -p tcp -m multiport --dports 80 -m comment --comment """"500 horizon incoming dashboard"""" -j ACCEPT
  -A INPUT -p tcp -m multiport --dports 4545 -m comment --comment """"500 nfv-vim incoming nfv-vim-api"""" -j ACCEPT
  -A INPUT -p tcp -m multiport --dports 5000 -m comment --comment """"500 keystone incoming keystone-api"""" -j ACCEPT
  -A INPUT -p tcp -m multiport --dports 6080 -m comment --comment """"500 nova-novnc incoming nova-novnc"""" -j ACCEPT
  -A INPUT -p tcp -m multiport --dports 6385 -m comment --comment """"500 sysinv incoming sysinv-api"""" -j ACCEPT
  -A INPUT -p tcp -m multiport --dports 8000 -m comment --comment """"500 heat-cfn incoming heat-cfn"""" -j ACCEPT
  -A INPUT -p tcp -m multiport --dports 8003 -m comment --comment """"500 heat-cloudwatch incoming heat-cloudwatch"""" -j ACCEPT
  -A INPUT -p tcp -m multiport --dports 8004 -m comment --comment """"500 heat incoming heat-api"""" -j ACCEPT
  -A INPUT -p tcp -m multiport --dports 8042 -m comment --comment """"500 aodh incoming aodh-api"""" -j ACCEPT
  -A INPUT -p tcp -m multiport --dports 8776 -m comment --comment """"500 cinder incoming cinder-api"""" -j ACCEPT
  -A INPUT -p tcp -m multiport --dports 8774 -m comment --comment """"500 nova incoming nova-api-rules"""" -j ACCEPT
  -A INPUT -p tcp -m multiport --dports 9292 -m comment --comment """"500 glance incoming glance-api"""" -j ACCEPT
  -A INPUT -p tcp -m multiport --dports 9696 -m comment --comment """"500 neutron incoming neutron-api"""" -j ACCEPT
  -A INPUT -p tcp -m multiport --dports 15491 -m comment --comment """"500 patching incoming patching-api"""" -j ACCEPT
  -A INPUT -p udp -m multiport --dports 123 -m comment --comment """"201 platform accept ntp ipv4"""" -j ACCEPT
  -A INPUT -p udp -m multiport --dports 161 -m comment --comment """"202 platform accept snmp ipv4"""" -j ACCEPT
  -A INPUT -p udp -m multiport --dports 2222,2223 -m comment --comment """"010 platform accept sm ipv4"""" -j ACCEPT
  -A INPUT -p tcp -m multiport --dports 443 -m comment --comment """"500 horizon incoming dashboard"""" -j ACCEPT

:REMARK Per Ken Young(Windriver): we no longer need to open 8777 for the cellometer-api, nor 8773 for nova-ec2.

-------------------------
SECURITY_OAM_interface_05
-------------------------

:Test ID: SECURITY_OAM_interface_05
:Test Title: SSH root access sshd config file changed, Connection rejected.
:Tags: SSH

~~~~~~~~~~~~~~
Test Objective
~~~~~~~~~~~~~~

Verify SSH root access to the regular lab is rejected after the change to sshd
config.

~~~~~~~~~~~~~~~~~~~
Test Pre-Conditions
~~~~~~~~~~~~~~~~~~~

At least 1 Active Controller.

~~~~~~~~~~
Test Steps
~~~~~~~~~~

1. Generate an SSH key-pair.

.. code:: bash

  $ ssh-keygen -t rsa""

2. Copy the Public key over the Lab controller.

.. code:: bash

  $ scp ~/.ssh/<id_rsa.pub> wrsroot@<lab.ip>""

3. Copy the publick key from your wrsroot account into the "authorized_keys"
file of the "root" account.

Steps for adding ssh key:
  a) login to controller
  b) do sudo su to get to root
  c) create folder/file: /root/.ssh/authorized_keys if they do not exist
  d) cat /home/wrsroot/<id_rsa.pub/ >> /root/.ssh/authorized_keys""

4. Now login from your desktop using.

.. code:: bash

  $ ssh -I <id_rsa.pub> root@<lab.ip>"

On attempting to ssh with root(with/without password). The user will now
get "Permission denied" Error. Even if user try ssh -l <key> he should not be
prompt for password at all. The Denial output should be shown before any
password prompt.

~~~~~~~~~~~~~~~~~
Expected Behavior
~~~~~~~~~~~~~~~~~

This generates a set of keys (private key and pub key. The pub one has the
.pub extention.

This adds your key into the roots authorized_ssh key.

-------------------------
SECURITY_OAM_interface_06
-------------------------

:Test ID: SECURITY_OAM_interface_06
:Test Title: Firewall rule removal function remove rules from both controllers
:Tags: firewall_rules

~~~~~~~~~~~~~~
Test Objective
~~~~~~~~~~~~~~

Verify firewall rule removal function correctly from both controllers.

~~~~~~~~~~~~~~~~~~~
Test Pre-Conditions
~~~~~~~~~~~~~~~~~~~

a) Starlingx uses Netfilter framework for firewall setup. Make sure "iptables"
and "iptables-config" files exist in /etc/sysconfig path.

b) Make sure in add at least one custom IP firewall. Check detail in how to do
it in "CLI firewall rules install function" Test Case.

~~~~~~~~~~
Test Steps
~~~~~~~~~~

1. On active Controller, create an empty file to remove all firewall rules.

.. code:: bash

  $ touch /home/wrstoot/empty.rules

2. Install empty rule file to remove all the firewall rules by typing:

.. code:: bash

  $ system firewall-rules-install /home/wrsroot/empty.rules

3. After installed is completed make sure the firewall rules were removed by
typing:

.. code:: bash

  $ sudo iptables -L

~~~~~~~~~~~~~~~~~
Expected Behavior
~~~~~~~~~~~~~~~~~

1. "empty.rules" file is created successfully.

2. System firewall installed command is executed successfully.

3. Custom firewall rules should be removed successfully.

-------------------------
SECURITY_OAM_interface_07
-------------------------

:Test ID: SECURITY_OAM_interface_07
:Test Title: CLI firewall rules install function.
:Tags: firewall_rules

~~~~~~~~~~~~~~
Test Objective
~~~~~~~~~~~~~~

Verify that firewall-rules-install CLI command function works properly.

~~~~~~~~~~~~~~~~~~~
Test Pre-Conditions
~~~~~~~~~~~~~~~~~~~

Starlingx uses Netfilter framework for firewall setup. Make sure "iptables"
and "iptables-config" files exist in /etc/sysconfig path.

~~~~~~~~~~
Test Steps
~~~~~~~~~~

1. Create a ""iptables.rules"" file with custom firewall rule.

.. code:: bash

  $ iptables-save > iptables.rules

2. Create new rule by adding port 9000

.. code:: bash

  e.g.

  $ sudo vim iptables.rules

  -A INPUT -p tcp -m multiport --dports 9000 -m comment --comment "your rule" -j ACCEPT

3. Validate the file by typing the following command

.. code:: bash

  $ sudo iptables-restore --noflush --test < <iptable_rule_file>

  e.g.

  $ sudo iptables-restore --noflush --test < iptables.rules

4. Install custom firewall by typing: source /etc/nova/openrc

.. code:: bash

  $ system firewall-rules-install <iptable_rule_file>

  e.g.

  $ system firewall-rules-install iptables.rules

5. Make sure the custom firewall rule was applied successfully by typing:

.. code:: bash

  $ sudo iptables -L -n | grep <added_port>

  e.g.

  $ sudo iptables -L -n | grep 9000

:MAKE SURE THE PORT WAS ADDED SUCCESSFULLY BY USING IT FOR SSH COMMANDS.

6. Run the following command:

.. code:: bash

  $ sudo vim /etc/ssh/sshd_config

7. Locate the following line:

.. code:: bash

  # Port 22

8. Remove the # and change '22' to your desired port number. <9000>

9. Restart the sshd service by running the following command: $sudo su

.. code:: bash

  $ service sshd restart

10. Establish a ssh to the new port by typing:

.. code:: bash

  $ ssh <user>@<OAM_IP> - <specific_port>

  e.g.

  $ ssh wrsroot@10.10.10.4 -p 9000

~~~~~~~~~~~~~~~~~
Expected Behavior
~~~~~~~~~~~~~~~~~

1. "iptables.rules" file created successfully with custome firewall rule.

.. code:: bash

  e.g.
     *filter
     :INPUT DROP [0:0]
     :FORWARD DROP [0:0]
     :OUTPUT ACCEPT [2:312]
     :INPUT-custom-post - [0:0]
     :INPUT-custom-pre - [0:0]
     -A INPUT -p tcp -m multiport --dports 9000 -m comment --comment ""custome 9000 firewall rule"" -j ACCEPT
     COMMIT

2. The validation should be done successfully and no error message should be
shown.

3. The custom firewall was applied successfully and message logged.

.. code:: bash

   +--------------+--------------------------------------+
   | Property     | Value                                |
   +--------------+--------------------------------------+
   | uuid         | 183cb3a5-1085-49e0-b4c3-0970bb784fde |
   | firewall_sig | ab9dd4976d1d1d404df4e6fcda26e0dd     |
   | updated_at   | 2018-12-03 14:59:39.425337+00:00     |
   +--------------+--------------------------------------+

4. Custom firewall rule applied successfully.

.. code:: bash

  e.g.

  [wrsroot@controller-1 ~(keystone_admin)]$ sudo iptables -L -n |grep 9000
      ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 9000 /* custome 9000 firewall rule */

MAKE SURE THE PORT WAS ADDED SUCCESSFULLY BY USING IT FOR SSH COMMANDS.

5. sshd_config file is able to edit.

6. Proper line with # Port 22 was identified.

7. Line was edited successfully with port 9000.

8. sshd service was restarted successfully.

9. ssh connection made with port 9000.

-------------------------
SECURITY_OAM_interface_08
-------------------------

:Test ID: SECURITY_OAM_interface_08
:Test Title: Apply firewall rule on contr-1 and modifying it on contr-0.
:Tags: firewall_rules

~~~~~~~~~~~~~~
Test Objective
~~~~~~~~~~~~~~

Verify that by using the firewall-rules-install CLI command you can add a
firewall rule on Controller-1 and then modified that rule on Controller-0.

~~~~~~~~~~~~~~~~~~~
Test Pre-Conditions
~~~~~~~~~~~~~~~~~~~

Starlingx uses Netfilter framework for firewall setup. Make sure "iptables"
and "iptables-config" files exist in /etc/sysconfig path.

~~~~~~~~~~
Test Steps
~~~~~~~~~~

1. Go to Active Controller-0 and execute the "CLI firewall rules install
function" test case.

2. swact controller-0 to controoler-1.

3. $sudo vim /etc/ssh/sshd_config

.. code:: bash

  change port 22 to port 9000

4. sudo service sshd restart

5. ssh wrsroot@ip-controller-1 -p 9000

~~~~~~~~~~~~~~~~~
Expected Behavior
~~~~~~~~~~~~~~~~~

1. On Controller-1 custome firewall rule was installed successfully.

2. On Controller-0 custome firewall rule was updated sucessfully.

3. Custome Firewall rule modifcation from step 2 taken in both controllers.

-------------------------
SECURITY_OAM_interface_09
-------------------------

:Test ID: SECURITY_OAM_interface_09
:Test Title: Custom firewall rule persistance after backup/restore.
:Tags: firewall_rules

~~~~~~~~~~~~~~
Test Objective
~~~~~~~~~~~~~~

Verify that once "System firewall-rules-install" CLI is executed the new
custom firewall rule persist after backup/restore.


~~~~~~~~~~~~~~~~~~~
Test Pre-Conditions
~~~~~~~~~~~~~~~~~~~

Starlingx uses Netfilter framework for firewall setup. Make sure "iptables"
and "iptables-config" files exist in /etc/sysconfig path.

~~~~~~~~~~
Test Steps
~~~~~~~~~~

1. Go to Active Controller and execute the "CLI firewall rules install
function" test case.

2. Once the custome firewall rule is applied do a backup of your cluster.

**Pre-requisites to do  a BACKUP.**

To ensure recovery from backup files during a restore procedure, VMs must be
in the active state when performing the backup. VMs that are in a shutdown or
paused state at the time of the backup will not be recovered after a
subsequent restore procedure.

.. code:: bash

  execute "sudo config_controller --backup <backup_name>"

3. Make a System Restore expecting to see the custome firewall rule.

**Pre-requisites to do RESTORE.**

All cluster hosts must be prepared for network boot and then powered down.
(Means for virtual you should power on wait for PXE messages and then
Power-down)

The restore procedure requires all hosts but controller-0 to boot over the
internal management network using the PXE protocol. Ideally, the old boot
images are no longer present, so that the hosts boot from the network when
powered on. If this is not the case, you must configure each host manually for
network boot immediately after powering it on.

Note: Save the backups previously created in a clean environment, perform:

.. code:: bash

  sudo config_controller --restore-system /home/$user/<backup_name_system.tgz>"

4. Make a Image restore.

**Pre-requisites to do RESTORE.**

All cluster hosts must be prepared for network boot and then powered down.
(Means for virtual you should power on wait for PXE messages and then
Power-down)

The restore procedure requires all hosts but controller-0 to boot over the
internal management network using the PXE protocol. Ideally, the old boot
images are no longer present, so that the hosts boot from the network when
powered on. If this is not the case, you must configure each host manually for
network boot immediately after powering it on.

**Note:** Save the backups previously created in a clean environment, perform:

.. code:: bash

  sudo config_controller --restore-images /home/$user/<backup_name_images.tgz>"

5. Once the system is restored ensure the expected ports are still open. Use
netstat command to verify that ports are up and listening by typing:

.. code:: bash

  Controller-0 $ sudo netstat -plant | grep <port>

**REMARK:** Please repeat netstat command for every single port listed in above
step.

or

.. code:: bash

  Controller-0 $ sudo netstat -plant | grep LISTEN"

~~~~~~~~~~~~~~~~~
Expected Behavior
~~~~~~~~~~~~~~~~~

1. On Controller-1 custome firewall rule was installed successfully.

2. After execute the sudo config_controller --backup <backupname> command
system.tgz and image.tgz files should be created successfully.

.. code:: bash

  e.g.
  Performing backup (this might take several minutes):
  Step 16 of 16 [#############################################] [100%]
  System backup file created: /opt/backups/<backupname>_system.tgz
  Images backup file created: /opt/backups/backupname_images.tgz

3. system should be in the same way that the files were generated before

4. images shoule be in the same way that the files were generated before

5. Once the system is restore expected ports are open post-restored

-------------------------
SECURITY_OAM_interface_10
-------------------------

:Test ID: SECURITY_OAM_interface_10
:Test Title: "iptables.rules" file with wrong format used with "firewall-rules-install" command.
:Tags: firewall_rules

~~~~~~~~~~~~~~
Test Objective
~~~~~~~~~~~~~~

Verify when using an "iptables.rules" file with wrong format, the system
firewall install CLI command get a gracefully error output.

~~~~~~~~~~~~~~~~~~~
Test Pre-Conditions
~~~~~~~~~~~~~~~~~~~

Starlingx uses Netfilter framework for firewall setup. Make sure "iptables"
and "iptables-config" files exist in /etc/sysconfig path.

~~~~~~~~~~
Test Steps
~~~~~~~~~~

1. Create a "wrongiptables" file with wrong format.

2. Install custom firewall by typing:

.. code:: bash

  $ system firewall-rules-install <wrong_iptable_rule_file>

  e.g.

  $ system firewall-rules-install wrongiptables

~~~~~~~~~~~~~~~~~
Expected Behavior
~~~~~~~~~~~~~~~~~

1. "wrongiptables" file with wrong format created successfully.

2. Firewall rule install command executed should display an error message when
"wrongiptables" wrong format file was used.

.. code:: bash

  e.g.

  controller-1 ~(keystone_admin)]$ system firewall-rules-install wrongiptables
      Error in custom firewall rule file"

-------------------------
SECURITY_OAM_interface_11
-------------------------

:Test ID: SECURITY_OAM_interface_11
:Test Title: NFV (port 32323) software debug access removed.
:Tags: api

~~~~~~~~~~~~~~
Test Objective
~~~~~~~~~~~~~~

Verify that NFV (port 32323) software debug access is removed by using curl
command request and "openstack endpoint list" command. The reason of this test
case is to comply with intel security debug access removal in all intel
products. By default the port "32323" and the IP assigned to the network
interface card (NIC) which connect to external orchestration, administration
and operation (OAM) network it is used only for debugging purposes by the
design team.

~~~~~~~~~~~~~~~~~~~
Test Pre-Conditions
~~~~~~~~~~~~~~~~~~~

a) Add Service Endpoing IP into no_proxy .bashrc file.

::

  - Go to Horizon --> Project --> API Access and identify what Service Endpoint has your Starlingx cluster.
  - Open a terminal in the Host where your Starlingx cluster resides.
  - Add the Service Endpoint IP into your no_proxy .bashrc

.. code:: bash

  e.g.

  export no_proxy=intel.com,10.10.10.2
  Authenticate 10.10.10.2

- Open a terminal and make sure you can ssh to the Service Endpoint IP

.. code:: bash

  $ ssh wrsroot@10.10.10.2. (submit proper password)

b) Get token from keystone.

::

  - In the ssh 10.10.10.2 session send the following curl command to get the proper token from keystone where <PASSWORD> is your Horizon admin password.

.. code:: bash

  $ curl -i -X POST http://10.10.10.2:5000/v2.0/tokens -H ""Content-Type: application/json"" -H ""User-Agent: python-keystoneclient"" -d '{""auth"": {""tenantName"": ""admin"", ""passwordCredentials"": {""username"": ""admin"", ""password"": ""<PASSWORD>""}}}' | tail -n 1

  e.g.
  You would be expecting an output similar like this:

  {""access"": {""token"": {""issued_at"": ""2018-12-07T10:52:27.000000Z"", ""expires"": ""2018-12-07T11:52:27.000000Z"", ""id"": ""gAAAAABcClDrLoF7_W03l8uhrPQ9dn4tkuvbd9pfsgIo6-PkObg3imG4HTGT2IQLGkBOszjcS1jOC7g0ZqKByoZ3cEax7LKAiEgC_fkPEnB_mpSjqd5ACzc20VLZaklQfFLXiU4b-w_pZeMPHF09FsP8P4j-ixqx9IgYEEc-4Zmb9cjZ5phNQfA"",…

~~~~~~~~~~
Test Steps
~~~~~~~~~~

1. Open a terminal in the Host where your Starlingx cluster resides. From pre-
requisites make sure you did ssh to the Service Endpoint IP.

2. Make a curl request to nfv port 32323 using the "token" gotten from Pre-
requisites steps.

.. code:: bash

  e.g.

  $ curl -i http://10.10.10.2:32323 -X GET -H ""Contenpe: application/json"" -H ""Accept: application/json"" -H ""X-Auth-Token:""gAAAAABcCnq_pXb57FKTwP0VI8Ry5kuDTHzRWTgcAXfS9ir-HiBN14BSVuXKwIsqDU0SWoztk4sBj0U912AEdU1GawOdniI1yC3-VY_I7BwWSXSlPDccojU7GMdB3KAwXoUWVPELrshGwkBSu2RSLsbZhjSZarxH1CNgeUgPsj5fSMdq81R4qzw"""" | tail -n 1

3. Go to Active controller and make sure no NFV (port 32323) Service exist by
typing:

.. code:: bash

      $ openstack endpoint list | grep 32323

~~~~~~~~~~~~~~~~~
Expected Behavior
~~~~~~~~~~~~~~~~~

1. Open terminal and validate ssh connection to the Service Endpoint IP
successfully.

2. Curl command will get a failure message "Failed to connect to 10.10.10.2
port 32323: Connection timed out"

::

  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:-
  0     0    0     0    0     0      0      0 --:--:--  0:00:02 --:-
  0     0    0     0    0     0      0      0 --:--:--  0:01:39 --:-
  0     0    0     0    0     0      0      0 --:--:--  0:01:40 --:-
  0     0    0     0    0     0      0      0 --:--:--  0:02:09 --:-
  curl: (7) Failed to connect to 10.10.10.2 port 32323: Connection timed out
  100    90  100    90    0     0    183      0 --:--:-- --:--:-- --:--:--   548

3. No NFV (port 32323) service exist.

-------------------------
SECURITY_OAM_interface_12
-------------------------

:Test ID: SECURITY_OAM_interface_12
:Test Title: NFV (port 4545) API Service
:Tags: API

~~~~~~~~~~~~~~
Test Objective
~~~~~~~~~~~~~~

Verify that NFV (port 4545) Service is LISTENING by using curl command request
and "openstack endpoint list" command.

~~~~~~~~~~~~~~~~~~~
Test Pre-Conditions
~~~~~~~~~~~~~~~~~~~

Verify that NFV (port 4545) Service is LISTENING by using curl command request
and "openstack endpoint list" command.

~~~~~~~~~~
Test Steps
~~~~~~~~~~

1. Open a terminal in the Host where your Starlingx cluster resides. From pre-
requisites make sure you did ssh to the Service Endpoint IP.

2. Make a curl request to nfv port 4545 using the "token" gotten from Pre-
requisites steps.

.. code:: bash

  e.g.
  $ curl -i http://10.10.10.2:4545 -X GET -H ""Contenpe: application/json"" -H ""Accept: application/json"" -H ""X-Auth-Token:""gAAAAABcCnq_pXb57FKTwP0VI8Ry5kuDTHzRWTgcAXfS9ir-HiBN14BSVuXKwIsqDU0SWoztk4sBj0U912AEdU1GawOdniI1yC3-VY_I7BwWSXSlPDccojU7GMdB3KAwXoUWVPELrshGwkBSu2RSLsbZhjSZarxH1CNgeUgPsj5fSMdq81R4qzw"""" | tail -n 1

3.  Go to Active controller and make sure no NFV (port 4545) Service exist by typing:

.. code:: bash

  $ openstack endpoint list | grep 4545

~~~~~~~~~~~~~~~~~
Expected Behavior
~~~~~~~~~~~~~~~~~

1. Open terminal and validate ssh connection to the Service Endpoint IP
successfully.

2. Curl command will succed.

3. The NFV (port 4545) service exist and is in LISTENING status.

~~~~~~~~~~~
References:
~~~~~~~~~~~
[0] - https://www.sslshopper.com/what-is-a-csr-certificate-signing-request.html"

[1] - https://docs.starlingx.io/installation_guide/dedicated_storage.html#dedicated-storage