From 432d572a0485d4a9468484c886c4f701366f012e Mon Sep 17 00:00:00 2001 From: fhernan2 Date: Mon, 11 Mar 2019 09:29:29 -0500 Subject: [PATCH] Manual Tests: Security OAM Interface Adding "SECURITY" Domain with OAM_Interface sub-domain test cases. Change-Id: Id5961f7b73c11b82caafd84685ed7d9c8d37860a --- doc/source/manual_tests/index.rst | 3 +- doc/source/manual_tests/security/index.rst | 18 + .../security/security_OAM_suite.rst | 1242 +++++++++++++++++ 3 files changed, 1262 insertions(+), 1 deletion(-) create mode 100644 doc/source/manual_tests/security/index.rst create mode 100644 doc/source/manual_tests/security/security_OAM_suite.rst diff --git a/doc/source/manual_tests/index.rst b/doc/source/manual_tests/index.rst index 819aa6b..013b243 100644 --- a/doc/source/manual_tests/index.rst +++ b/doc/source/manual_tests/index.rst @@ -13,7 +13,8 @@ For more information about StarlingX, see https://docs.starlingx.io/. .. toctree:: :maxdepth: 2 + gnochi/index heat/index networking/index - gnochi/index storage/index + security/index diff --git a/doc/source/manual_tests/security/index.rst b/doc/source/manual_tests/security/index.rst new file mode 100644 index 0000000..bea1b87 --- /dev/null +++ b/doc/source/manual_tests/security/index.rst @@ -0,0 +1,18 @@ +======== +SECURITY +======== + +----------------- +Test Requirements +----------------- + +NA + +---------- +Subdomains +---------- + +.. toctree:: + :maxdepth: 2 + + security_OAM_suite diff --git a/doc/source/manual_tests/security/security_OAM_suite.rst b/doc/source/manual_tests/security/security_OAM_suite.rst new file mode 100644 index 0000000..6f434bd --- /dev/null +++ b/doc/source/manual_tests/security/security_OAM_suite.rst 
@@ -0,0 +1,1242 @@ +============= +OAM Interface +============= + +.. contents:: + :local: + :depth: 1 + +------------------------- +SECURITY_OAM_interface_01 +------------------------- + +:Test ID: SECURITY_OAM_interface_01 +:Test Title: Set up OAM interface Firewall +:Tags: port_services + +~~~~~~~~~~~~~~~~~~ +Testcase Objective +~~~~~~~~~~~~~~~~~~ + +Use Netfilter/IpTables to set default firewall for OAM Interface. + +~~~~~~~~~~~~~~~~~~~ +Test Pre-Conditions +~~~~~~~~~~~~~~~~~~~ + +a) Starlingx uses Netfilter framework for firewall setup. Make sure +"iptables" and "iptables-config" files exist in /etc/sysconfig path. + +b) On Active Controller, execute following commands to enable 443 https port: + +.. code:: bash + + $ system modify -p true + $ system modify --https_enabled true + +~~~~~~~~~~ +Test Steps +~~~~~~~~~~ + +1. Once Starlingx product installed, go to Active controller, +/etc/sysconfig/iptables and check following protocol/ports are accepted: + +:: + + Protocol Port Service Name + tcp 22 ssh + tcp 80 horizon (http only) + tcp 443 horizon (https only) + tcp 4545 nfv-vim-api + tcp 5000 keystone-api + tcp 6080 nova-nonvc-proxy + tcp 6385 sysinv-api + tcp 8000 heat-cfn + tcp 8003 heat-cloudwatch-api + tcp 8004 heat-api + tcp 8042 aodh-api + tcp 8776 cinder-api + tcp 8774 nova-api + tcp 9292 glance-api + tcp 9696 neutron-api + tcp 15491 patching-api + udp 123 ntp + udp 161 snmp + udp 2222 service manager + udp 2223 service manager + + +2. Use netstat command to verify that ports are up and listening by typing: + +.. code:: bash + + Controller-0 $ sudo netstat -plant | grep + +REMARK: Please repeat netstat command for every single port listed in above +step. + +or + +.. code:: bash + + Controller-0 $ sudo netstat -plant | grep LISTEN + +REMARK: you should get the full list of listening ports with all available +IPs. + +~~~~~~~~~~~~~~~~~ +Expected Behavior +~~~~~~~~~~~~~~~~~ + +1. 
Once you open the /etc/sysconfig/iptables file you should be able to see +following rules listed: + +:: + + -A INPUT -p tcp -m multiport --dports 22 -m comment --comment """"011 platform accept ssh ipv4"""" -j ACCEPT + -A INPUT -p tcp -m multiport --dports 80 -m comment --comment """"500 horizon incoming dashboard"""" -j ACCEP + -A INPUT -p tcp -m multiport --dports 4545 -m comment --comment """"500 nfv-vim incoming nfv-vim-api"""" -j ACCEPT + -A INPUT -p tcp -m multiport --dports 5000 -m comment --comment """"500 keystone incoming keystone-api"""" -j ACCEPT + -A INPUT -p tcp -m multiport --dports 6080 -m comment --comment """"500 nova-novnc incoming nova-novnc"""" -j ACCEPT + -A INPUT -p tcp -m multiport --dports 6385 -m comment --comment """"500 sysinv incoming sysinv-api"""" -j ACCEPT + -A INPUT -p tcp -m multiport --dports 8000 -m comment --comment """"500 heat-cfn incoming heat-cfn"""" -j ACCEPT + -A INPUT -p tcp -m multiport --dports 8003 -m comment --comment """"500 heat-cloudwatch incoming heat-cloudwatch"""" -j ACCEPT + -A INPUT -p tcp -m multiport --dports 8004 -m comment --comment """"500 heat incoming heat-api"""" -j ACCEPT + -A INPUT -p tcp -m multiport --dports 8042 -m comment --comment """"500 aodh incoming aodh-api"""" -j ACCEPT + -A INPUT -p tcp -m multiport --dports 8776 -m comment --comment """"500 cinder incoming cinder-api"""" -j ACCEPT + -A INPUT -p tcp -m multiport --dports 8774 -m comment --comment """"500 nova incoming nova-api-rules"""" -j ACCEPT + -A INPUT -p tcp -m multiport --dports 9292 -m comment --comment """"500 glance incoming glance-api"""" -j ACCEPT + -A INPUT -p tcp -m multiport --dports 9696 -m comment --comment """"500 neutron incoming neutron-api"""" -j ACCEPT + -A INPUT -p tcp -m multiport --dports 15491 -m comment --comment """"500 patching incoming patching-api"""" -j ACCEPT + -A INPUT -p udp -m multiport --dports 123 -m comment --comment """"201 platform accept ntp ipv4"""" -j ACCEPT + -A INPUT -p udp -m multiport 
--dports 161 -m comment --comment """"202 platform accept snmp ipv4"""" -j ACCEPT + -A INPUT -p udp -m multiport --dports 2222,2223 -m comment --comment """"010 platform accept sm ipv4"""" -j ACCEPT + -A INPUT -p tcp -m multiport --dports 443 -m comment --comment """"500 horizon incoming dashboard"""" -j ACCEPT + +REMARK: Per Ken Young(Windriver): we no longer need to open 8777 for the +cellometer-api, nor 8773 for nova-ec2. + +2. All ports listed in the iptable file should be displayed successfully. + +:: + + e.g. [wrsroot@controller-0 syslog-ng(keystone_admin)]$ sudo netstat -plant | grep 8080 + tcp 0 0 127.0.0.1:8080 0.0.0.0:* LISTEN 3733/gunicorn: work + tcp 0 0 10.10.10.2:8080 0.0.0.0:* LISTEN 27240/haproxy + +------------------------- +SECURITY_OAM_interface_02 +------------------------- + +:Test ID: SECURITY_OAM_interface_02 +:Test Title: Validate that services respond over https +:Tags: API + +~~~~~~~~~~~~~~ +Test Objective +~~~~~~~~~~~~~~ + +From and external host, browse HTTPS REST API for each service. + +~~~~~~~~~~~~~~~~~~~ +Test Pre-Conditions +~~~~~~~~~~~~~~~~~~~ + +a) On Active Controller, execute following commands to enable 443 https port: + +.. code:: bash + + $ system modify -p true + + $ system modify --https_enabled true + +b) Obtain a CA-Signed Certificate. Steps to create your own CA certificate. + +1. Generate your own server private key (can be used on multiple servers) +by typing: + +.. code:: bash + + $ openssl genrsa -out server-key.pem 2048 + +2. Generate the public certificate for the server private key (""commonName"" attribute must match the floating IP of the servers) For more reference go to [0] + +.. code:: bash + + $ openssl req -new -key server-key.pem -out /home/user/server.csr -batch -subj ""/countryName=CN/stateOrProvinceName=/localityName=/organizationName=/organizationalUnitName=/commonName=10.10.10.2"" + +  e.g. 
+ + $ openssl req -new -key server-key.pem -out /home/fhernan2/server.csr -batch –subj ""/countryName=MX/stateOrProvinceName=Jalisco/localityName=Guadalajara/organizationName=intel/organizationalUnitName=SSG/commonName=10.10.10.2"" + +3. Generate CA private key by typing: + +.. code:: bash + + $ openssl genrsa -out ca-key.pem 2048 + +4. Generate CA public certificate (to be installed on the client browser) +by typing: + +.. code:: bash + + $ openssl req -x509 -new -nodes -key ca-key.pem -days 3650 -out ca-cert.pem -outform PEM -subj ""/countryName=CN/stateOrProvinceName=/localityName=Ottawa/organizationName=/organizationalUnitName=/commonName="" -text –batch + + :e.g. + $openssl req -x509 -new -nodes -key ca-key.pem -days 3650 -out ca-cert.pem -outform PEM -subj ""/countryName=MX/stateOrProvinceName=Jalisco/localityName=Guadalajara/organizationName=intel/organizationalUnitName=SSG/commonName=10.10.10.2"" + +5. Signing the server public certificate with CA private key by typing: + +.. code:: bash + + $ openssl x509 -req -in ../vbox/server.csr -CA ca-cert.pem -CAkey ca-key.pem -CAcreateserial -out ../vbox/server.pem -days 3650 + + :e.g. + + $ openssl x509 -req -in /home/fhernan2/CA_certificate/server.csr -CA ca-cert.pem -CAkey ca-key.pem -CAcreateserial -out /home/fhernan2/CA_certificate/server.pem -days 3650 + Signature ok + subject=/C=MX/ST=Jalisco/L=Guadalajara/O=intel/OU=SSG/CN=10.10.10.2 + Getting CA Private Key + +6. Move the server-key.pem, server.pem, files from the host where you create +them to Active Controller by typing: + +.. code:: bash + + $ scp server* wrsroot@10.10.10.3:~ + +7. Create a server key file by concatenating the server private key and the +CA-signed server certificate in a key file. Generate key file for installation +on controller node by typing + +.. code:: bash + + $ cat server-key.pem /home/wrsroot/server.pem > /home/wrsroot/server-with-key.pem + +8. Install the server key file on the controllers by typing: + +.. 
code:: bash + + $ system certificate-install server-with-key.pem + +9. Install the CA certificate on you browser (this will allow the browser to +recognize the server). + +~~~~~~~~~~ +Test Steps +~~~~~~~~~~ + +1. Browse Horizon with HTTPS. + +.. code:: bash + + e.g. + https://10.10.10.3 + +2. Go to Project --> API Access. + +3. Browse every single service available and male sure in add the exception by +importing the certificate from the browser. + +e.g. + +a)Browse --> https://10.10.10.2:8 + +b)Browser should come with following message: + +:: + + Your connection is not secure. + The owner of 10.10.10.2 has configured their website improperly. + To protect your information from being stolen, Firefox has not + connected to this website.... + +c)Hit "Advanced" button. + +d)Following message should be displayed: + +.. code:: bash + + 10.10.10.2:8977 uses an invalid security certificate. + The certificate is not trusted because it is self-signed. + The certificate is only valid for . + Error code: MOZILLA_PKIX_ERROR_SELF_SIGNED_CERT + +e) Hit "Add Exception..." button. + +f) "Add Security Exception" pop up window should be displayed explaining that +"You are about to override how Firefox identifies this site..." + +g) Hit "View" button in order to display Details of CA-certificate and make +sure it is the one you created. + +h) Hit over """"Get certificate"""" or "Confirm Security Exception" button to +accept the certificate. + +~~~~~~~~~~~~~~~~~ +Expected Behavior +~~~~~~~~~~~~~~~~~ + + +1. Horizon should be opened successufly with https browser connection. + +2. A list of services and service ponts should be displayed. + +.. code:: bash + + e.g. 
+ Service | Service Endpoint + Alarming | https://10.10.10.2:8042 + Cloudformation | https://10.10.10.2:8000/v1/a52d40232ea64352b522b113ddc41d05 + Compute | https://10.10.10.2:8774/v2.1/a52d40232ea64352b522b113ddc41d05 + Event | https://10.10.10.2:8977 + Faultmanagement | https://10.10.10.2:18002 + Identity | https://10.10.10.2:5000/v3 + Image | https://10.10.10.2:9292 + Metering  - + Metric | https://10.10.10.2:8041 + Network | https://10.10.10.2:9696 + Nfv | https://10.10.10.2:4545 + Orchestration | https://10.10.10.2:8004/v1/a52d40232ea64352b522b113ddc41d05 + Patching | https://10.10.10.2:15491 + Placement | https://10.10.10.2:8778 + Platform | https://10.10.10.2:6385/v1 + Smapi | https://10.10.10.2:7777 + +3. You should be able to get a response from the Service. + +:: + + e.g. + + versions +    values +       0 +          status """"stable"""" +          updated """"2013-02-13T00:00:00Z"""" +          media-types +             0 +                base """"application/json"""" +                type """"application/vnd.openstack.telemetry-v2+json"""" +             1 +                base """"application/xml"""" +                type """"application/vnd.openstack.telemetry-v2+xml"""" +       id """"v2"""" +    links +       0 +          href """"https://10.10.10.2:8977/v2"""" +          rel """"self"""" +       1 +         href """"http://docs.openstack.org/"""" +          type """"text/html"""" +          rel """"describedby""""" + +------------------------- +SECURITY_OAM_interface_03 +------------------------- + +:Test ID: SECURITY_OAM_interface_03 +:Test Title: Backup and restore with OAM Firewall configuration file. +:Tags: Security config + +~~~~~~~~~~~~~~ +Test Objective +~~~~~~~~~~~~~~ + +The goal of this test is to confirm the port configration is preserved by the +backup and restore procedure. + +~~~~~~~~~~~~~~~~~~~ +Test Pre-Conditions +~~~~~~~~~~~~~~~~~~~ + +Starlingx uses Netfilter framework for firewall setup. 
Make sure "iptables" +and "iptables-config" files exist in /etc/sysconfig path. + +~~~~~~~~~~ +Test Steps +~~~~~~~~~~ + +1. Install the Starlingx configuration with a custom configuration file. + +2. Ensure there are no unexpected alarms post-install. + +3. Use netstat command to verify that ports are up and listening by typing: + +.. code:: bash + + Controller-0 $ sudo netstat -plant | grep + +REMARK: Please repeat netstat command for every single port listed in above +step. + +or + +.. code:: bash + + Controller-0 $ sudo netstat -plant | grep LISTEN + +REMARK: you should get the full list of listening ports with all available +ips, save the list in order to compare it once the you do the restore in +further steps. Verify this on both controllers as well as the OAM float port. + +or + +.. code:: bash + + Controller-0 $ source /etc/nova/openrc + + Controller-0 $ openstack endpoint list + +4. Pre-requisites to do a BACKUP. + +To ensure recovery from backup files during a restore procedure, VMs must be +in the active state when performing the backup. VMs that are in a shutdown or +paused state at the time of the backup will not be recovered after a +subsequent restore procedure. + +.. code:: bash + + execute "sudo config_controller --backup " + +5. Pre-requisites to do RESTORE. + +All cluster hosts must be prepared for network boot and then powered down. +(Means for virtual you should power on wait for PXE messages and then +Power-down) + +The restore procedure requires all hosts but controller-0 to boot over the +internal management network using the PXE protocol. Ideally, the old boot +images are no longer present, so that the hosts boot from the network when +powered on. If this is not the case, you must configure each host manually +for network boot immediately after powering it on. + +Note: Save the backups previously created in a clean environment, perform +sudo config_controller --restore-system /home/$user/ + +6. Pre-requisites to do RESTORE. 
+ +All cluster hosts must be prepared for network boot and then powered down. +(Means for virtual you should power on wait for PXE messages and then +Power-down) + +The restore procedure requires all hosts but controller-0 to boot over the +internal management network using the PXE protocol. Ideally, the old boot +images are no longer present, so that the hosts boot from the network when +powered on. If this is not the case, you must configure each host manually +for network boot immediately after powering it on. + +Note: Save the backups previously created in a clean environment, perform +sudo config_controller --restore-images /home/$user/ + +7. Once the system is restored ensure the expected ports are still open. Use +netstat command to verify that ports are up and listening by typing: + +.. code:: bash + + Controller-0 $ sudo netstat -plant | grep + +REMARK: Please repeat netstat command for every single port listed in above +step. + +or + +.. code:: bash + + Controller-0 $ sudo netstat -plant | grep LISTEN + +~~~~~~~~~~~~~~~~~ +Expected Behavior +~~~~~~~~~~~~~~~~~ + +1. Starlingx configuration should be installed successfully. + +2. No unexpected alarms were displayed in post-install. + +3. The list of available ports should be displayed and saved it successfully. + +4. After execute the sudo config_controller --backup command +system.tgz and image.tgz files should be created successfully. + +.. code:: bash + + e.g. + Performing backup (this might take several minutes): + Step 16 of 16 [#############################################] [100%] + System backup file created: /opt/backups/_system.tgz + Images backup file created: /opt/backups/backupname_images.tgz"" + +5. system should be in the same way that the files were generated before + +6. images shoule be in the same way that the files were generated before + +7. 
Once the system is restore expected ports are open post-restored + +------------------------- +SECURITY_OAM_interface_04 +------------------------- + +:Test ID: SECURITY_OAM_interface_04 +:Test Title: Default system install without configuration file iptables rules. +:Tags: IPtable_rule + +~~~~~~~~~~~~~~ +Test Objective +~~~~~~~~~~~~~~ + +The goal of this test is to default system install without configuration file +iptables rules making sure when installing with/without Firewall ip tables +the installation is successfull. + +~~~~~~~~~~~~~~~~~~~ +Test Pre-Conditions +~~~~~~~~~~~~~~~~~~~ + +Netfilter framework installed on Starlingx configuration. + +~~~~~~~~~~ +Test Steps +~~~~~~~~~~ + +1. Go to Virtual Dedicated Storage Installation Guide [1] + +2. Go one step before "sudo config_controller" installation step - (one step +before ""Configuring Controller-0"" section) + +3. Go to active controller and make sure in remove "iptables", +"iptables-config", "iptables.save", "ip6tables", "ip6tables-config", +"ip6tables.save" from /etc/sysconfig path by typing rm -rf + +4. On active controller type: + +.. code:: bash + + Controller-0 $ sudo config_controller and accept all default values + + or + + Controller-0 $ sudo config_controller --config-file + If you have created a specific configuration file for your cluster. + +5. After "config_controller" bootstrap configuration Starlingx firewall is +enabled, make sure the ipfirewall rules are set by typing: + +.. code:: bash + + Controller-0 $ sudo iptables --list-rules + +~~~~~~~~~~~~~~~~~ +Expected Behavior +~~~~~~~~~~~~~~~~~ + +1. Steps for Virtual Dedicated Storage Installation Guide should be displayed. + +2. Went one step before "sudo config_controller" installation step +successfully. + +3. "iptables", "iptables-config", "iptables.save", "ip6tables", +"ip6tables-config", "ip6tables.save" files removed from /etc/sysconfig path +successfully. + +4. "config_controller" bootstrap configuration command executed successfully. 
+ +5. Following rules should be listed: + +:: + + -A INPUT -p tcp -m multiport --dports 22 -m comment --comment """"011 platform accept ssh ipv4"""" -j ACCEPT + -A INPUT -p tcp -m multiport --dports 80 -m comment --comment """"500 horizon incoming dashboard"""" -j ACCEPT + -A INPUT -p tcp -m multiport --dports 4545 -m comment --comment """"500 nfv-vim incoming nfv-vim-api"""" -j ACCEPT + -A INPUT -p tcp -m multiport --dports 5000 -m comment --comment """"500 keystone incoming keystone-api"""" -j ACCEPT + -A INPUT -p tcp -m multiport --dports 6080 -m comment --comment """"500 nova-novnc incoming nova-novnc"""" -j ACCEPT + -A INPUT -p tcp -m multiport --dports 6385 -m comment --comment """"500 sysinv incoming sysinv-api"""" -j ACCEPT + -A INPUT -p tcp -m multiport --dports 8000 -m comment --comment """"500 heat-cfn incoming heat-cfn"""" -j ACCEPT + -A INPUT -p tcp -m multiport --dports 8003 -m comment --comment """"500 heat-cloudwatch incoming heat-cloudwatch"""" -j ACCEPT + -A INPUT -p tcp -m multiport --dports 8004 -m comment --comment """"500 heat incoming heat-api"""" -j ACCEPT + -A INPUT -p tcp -m multiport --dports 8042 -m comment --comment """"500 aodh incoming aodh-api"""" -j ACCEPT + -A INPUT -p tcp -m multiport --dports 8776 -m comment --comment """"500 cinder incoming cinder-api"""" -j ACCEPT + -A INPUT -p tcp -m multiport --dports 8774 -m comment --comment """"500 nova incoming nova-api-rules"""" -j ACCEPT + -A INPUT -p tcp -m multiport --dports 9292 -m comment --comment """"500 glance incoming glance-api"""" -j ACCEPT + -A INPUT -p tcp -m multiport --dports 9696 -m comment --comment """"500 neutron incoming neutron-api"""" -j ACCEPT + -A INPUT -p tcp -m multiport --dports 15491 -m comment --comment """"500 patching incoming patching-api"""" -j ACCEPT + -A INPUT -p udp -m multiport --dports 123 -m comment --comment """"201 platform accept ntp ipv4"""" -j ACCEPT + -A INPUT -p udp -m multiport --dports 161 -m comment --comment """"202 platform accept snmp 
ipv4"""" -j ACCEPT + -A INPUT -p udp -m multiport --dports 2222,2223 -m comment --comment """"010 platform accept sm ipv4"""" -j ACCEPT + -A INPUT -p tcp -m multiport --dports 443 -m comment --comment """"500 horizon incoming dashboard"""" -j ACCEPT + +:REMARK Per Ken Young(Windriver): we no longer need to open 8777 for the cellometer-api, nor 8773 for nova-ec2. + +------------------------- +SECURITY_OAM_interface_05 +------------------------- + +:Test ID: SECURITY_OAM_interface_05 +:Test Title: SSH root access sshd config file changed, Connection rejected. +:Tags: SSH + +~~~~~~~~~~~~~~ +Test Objective +~~~~~~~~~~~~~~ + +Verify SSH root access to the regular lab is rejected after the change to sshd +config. + +~~~~~~~~~~~~~~~~~~~ +Test Pre-Conditions +~~~~~~~~~~~~~~~~~~~ + +At least 1 Active Controller. + +~~~~~~~~~~ +Test Steps +~~~~~~~~~~ + +1. Generate an SSH key-pair. + +.. code:: bash + + $ ssh-keygen -t rsa"" + +2. Copy the Public key over the Lab controller. + +.. code:: bash + + $ scp ~/.ssh/ wrsroot@"" + +3. Copy the publick key from your wrsroot account into the "authorized_keys" +file of the "root" account. + +Steps for adding ssh key: + a) login to controller + b) do sudo su to get to root + c) create folder/file: /root/.ssh/authorized_keys if they do not exist + d) cat /home/wrsroot/> /root/.ssh/authorized_keys"" + +4. Now login from your desktop using. + +.. code:: bash + + $ ssh -I root@" + +On attempting to ssh with root(with/without password). The user will now +get "Permission denied" Error. Even if user try ssh -l he should not be +prompt for password at all. The Denial output should be shown before any +password prompt. + +~~~~~~~~~~~~~~~~~ +Expected Behavior +~~~~~~~~~~~~~~~~~ + +This generates a set of keys (private key and pub key. The pub one has the +.pub extention. + +This adds your key into the roots authorized_ssh key. 
+ +------------------------- +SECURITY_OAM_interface_06 +------------------------- + +:Test ID: SECURITY_OAM_interface_06 +:Test Title: Firewall rule removal function remove rules from both controllers +:Tags: firewall_rules + +~~~~~~~~~~~~~~ +Test Objective +~~~~~~~~~~~~~~ + +Verify firewall rule removal function correctly from both controllers. + +~~~~~~~~~~~~~~~~~~~ +Test Pre-Conditions +~~~~~~~~~~~~~~~~~~~ + +a) Starlingx uses Netfilter framework for firewall setup. Make sure "iptables" +and "iptables-config" files exist in /etc/sysconfig path. + +b) Make sure in add at least one custom IP firewall. Check detail in how to do +it in "CLI firewall rules install function" Test Case. + +~~~~~~~~~~ +Test Steps +~~~~~~~~~~ + +1. On active Controller, create an empty file to remove all firewall rules. + +.. code:: bash + + $ touch /home/wrstoot/empty.rules + +2. Install empty rule file to remove all the firewall rules by typing: + +.. code:: bash + + $ system firewall-rules-install /home/wrsroot/empty.rules + +3. After installed is completed make sure the firewall rules were removed by +typing: + +.. code:: bash + + $ sudo iptables -L + +~~~~~~~~~~~~~~~~~ +Expected Behavior +~~~~~~~~~~~~~~~~~ + +1. "empty.rules" file is created successfully. + +2. System firewall installed command is executed successfully. + +3. Custom firewall rules should be removed successfully. + +------------------------- +SECURITY_OAM_interface_07 +------------------------- + +:Test ID: SECURITY_OAM_interface_07 +:Test Title: CLI firewall rules install function. +:Tags: firewall_rules + +~~~~~~~~~~~~~~ +Test Objective +~~~~~~~~~~~~~~ + +Verify that firewall-rules-install CLI command function works properly. + +~~~~~~~~~~~~~~~~~~~ +Test Pre-Conditions +~~~~~~~~~~~~~~~~~~~ + +Starlingx uses Netfilter framework for firewall setup. Make sure "iptables" +and "iptables-config" files exist in /etc/sysconfig path. + +~~~~~~~~~~ +Test Steps +~~~~~~~~~~ + +1. 
Create a ""iptables.rules"" file with custom firewall rule. + +.. code:: bash + + $ iptables-save > iptables.rules + +2. Create new rule by adding port 9000 + +.. code:: bash + + e.g. + + $ sudo vim iptables.rules + + -A INPUT -p tcp -m multiport --dports 9000 -m comment --comment "your rule" -j ACCEPT + +3. Validate the file by typing the following command + +.. code:: bash + + $ sudo iptables-restore --noflush --test < + + e.g. + + $ sudo iptables-restore --noflush --test < iptables.rules + +4. Install custom firewall by typing: source /etc/nova/openrc + +.. code:: bash + + $ system firewall-rules-install + + e.g. + + $ system firewall-rules-install iptables.rules + +5. Make sure the custom firewall rule was applied successfully by typing: + +.. code:: bash + + $ sudo iptables -L -n | grep + + e.g. + + $ sudo iptables -L -n | grep 9000 + +:MAKE SURE THE PORT WAS ADDED SUCCESSFULLY BY USING IT FOR SSH COMMANDS. + +6. Run the following command: + +.. code:: bash + + $ sudo vim /etc/ssh/sshd_config + +7. Locate the following line: + +.. code:: bash + + # Port 22 + +8. Remove the # and change '22' to your desired port number. <9000> + +9. Restart the sshd service by running the following command: $sudo su + +.. code:: bash + + $ service sshd restart + +10. Establish a ssh to the new port by typing: + +.. code:: bash + + $ ssh @ - + + e.g. + + $ ssh wrsroot@10.10.10.4 -p 9000 + +~~~~~~~~~~~~~~~~~ +Expected Behavior +~~~~~~~~~~~~~~~~~ + +1. "iptables.rules" file created successfully with custome firewall rule. + +.. code:: bash + + e.g. + *filter + :INPUT DROP [0:0] + :FORWARD DROP [0:0] + :OUTPUT ACCEPT [2:312] + :INPUT-custom-post - [0:0] + :INPUT-custom-pre - [0:0] + -A INPUT -p tcp -m multiport --dports 9000 -m comment --comment ""custome 9000 firewall rule"" -j ACCEPT + COMMIT + +2. The validation should be done successfully and no error message should be +shown. + +3. The custom firewall was applied successfully and message logged. + +.. 
code:: bash + + +--------------+--------------------------------------+ + | Property | Value | + +--------------+--------------------------------------+ + | uuid | 183cb3a5-1085-49e0-b4c3-0970bb784fde | + | firewall_sig | ab9dd4976d1d1d404df4e6fcda26e0dd | + | updated_at | 2018-12-03 14:59:39.425337+00:00 | + +--------------+--------------------------------------+ + +4. Custom firewall rule applied successfully. + +.. code:: bash + + e.g. + + [wrsroot@controller-1 ~(keystone_admin)]$ sudo iptables -L -n |grep 9000 + ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 multiport dports 9000 /* custome 9000 firewall rule */ + +MAKE SURE THE PORT WAS ADDED SUCCESSFULLY BY USING IT FOR SSH COMMANDS. + +5. sshd_config file is able to edit. + +6. Proper line with # Port 22 was identified. + +7. Line was edited successfully with port 9000. + +8. sshd service was restarted successfully. + +9. ssh connection made with port 9000. + +------------------------- +SECURITY_OAM_interface_08 +------------------------- + +:Test ID: SECURITY_OAM_interface_08 +:Test Title: Apply firewall rule on contr-1 and modifying it on contr-0. +:Tags: firewall_rules + +~~~~~~~~~~~~~~ +Test Objective +~~~~~~~~~~~~~~ + +Verify that by using the firewall-rules-install CLI command you can add a +firewall rule on Controller-1 and then modified that rule on Controller-0. + +~~~~~~~~~~~~~~~~~~~ +Test Pre-Conditions +~~~~~~~~~~~~~~~~~~~ + +Starlingx uses Netfilter framework for firewall setup. Make sure "iptables" +and "iptables-config" files exist in /etc/sysconfig path. + +~~~~~~~~~~ +Test Steps +~~~~~~~~~~ + +1. Go to Active Controller-0 and execute the "CLI firewall rules install +function" test case. + +2. swact controller-0 to controoler-1. + +3. $sudo vim /etc/ssh/sshd_config + +.. code:: bash + + change port 22 to port 9000 + +4. sudo service sshd restart + +5. ssh wrsroot@ip-controller-1 -p 9000 + +~~~~~~~~~~~~~~~~~ +Expected Behavior +~~~~~~~~~~~~~~~~~ + +1. 
On Controller-1 custome firewall rule was installed successfully. + +2. On Controller-0 custome firewall rule was updated sucessfully. + +3. Custome Firewall rule modifcation from step 2 taken in both controllers. + +------------------------- +SECURITY_OAM_interface_09 +------------------------- + +:Test ID: SECURITY_OAM_interface_09 +:Test Title: Custom firewall rule persistance after backup/restore. +:Tags: firewall_rules + +~~~~~~~~~~~~~~ +Test Objective +~~~~~~~~~~~~~~ + +Verify that once "System firewall-rules-install" CLI is executed the new +custom firewall rule persist after backup/restore. + + +~~~~~~~~~~~~~~~~~~~ +Test Pre-Conditions +~~~~~~~~~~~~~~~~~~~ + +Starlingx uses Netfilter framework for firewall setup. Make sure "iptables" +and "iptables-config" files exist in /etc/sysconfig path. + +~~~~~~~~~~ +Test Steps +~~~~~~~~~~ + +1. Go to Active Controller and execute the "CLI firewall rules install +function" test case. + +2. Once the custome firewall rule is applied do a backup of your cluster. + +**Pre-requisites to do a BACKUP.** + +To ensure recovery from backup files during a restore procedure, VMs must be +in the active state when performing the backup. VMs that are in a shutdown or +paused state at the time of the backup will not be recovered after a +subsequent restore procedure. + +.. code:: bash + + execute "sudo config_controller --backup " + +3. Make a System Restore expecting to see the custome firewall rule. + +**Pre-requisites to do RESTORE.** + +All cluster hosts must be prepared for network boot and then powered down. +(Means for virtual you should power on wait for PXE messages and then +Power-down) + +The restore procedure requires all hosts but controller-0 to boot over the +internal management network using the PXE protocol. Ideally, the old boot +images are no longer present, so that the hosts boot from the network when +powered on. 
If this is not the case, you must configure each host manually for +network boot immediately after powering it on. + +Note: Save the backups previously created in a clean environment, perform: + +.. code:: bash + + sudo config_controller --restore-system /home/$user/" + +4. Make a Image restore. + +**Pre-requisites to do RESTORE.** + +All cluster hosts must be prepared for network boot and then powered down. +(Means for virtual you should power on wait for PXE messages and then +Power-down) + +The restore procedure requires all hosts but controller-0 to boot over the +internal management network using the PXE protocol. Ideally, the old boot +images are no longer present, so that the hosts boot from the network when +powered on. If this is not the case, you must configure each host manually for +network boot immediately after powering it on. + +**Note:** Save the backups previously created in a clean environment, perform: + +.. code:: bash + + sudo config_controller --restore-images /home/$user/" + +5. Once the system is restored ensure the expected ports are still open. Use +netstat command to verify that ports are up and listening by typing: + +.. code:: bash + + Controller-0 $ sudo netstat -plant | grep + +**REMARK:** Please repeat netstat command for every single port listed in above +step. + +or + +.. code:: bash + + Controller-0 $ sudo netstat -plant | grep LISTEN" + +~~~~~~~~~~~~~~~~~ +Expected Behavior +~~~~~~~~~~~~~~~~~ + +1. On Controller-1 custome firewall rule was installed successfully. + +2. After execute the sudo config_controller --backup command +system.tgz and image.tgz files should be created successfully. + +.. code:: bash + + e.g. + Performing backup (this might take several minutes): + Step 16 of 16 [#############################################] [100%] + System backup file created: /opt/backups/_system.tgz + Images backup file created: /opt/backups/backupname_images.tgz + +3. 
system should be in the same way that the files were generated before + +4. images shoule be in the same way that the files were generated before + +5. Once the system is restore expected ports are open post-restored + +------------------------- +SECURITY_OAM_interface_10 +------------------------- + +:Test ID: SECURITY_OAM_interface_10 +:Test Title: "iptables.rules" file with wrong format used with "firewall-rules-install" command. +:Tags: firewall_rules + +~~~~~~~~~~~~~~ +Test Objective +~~~~~~~~~~~~~~ + +Verify when using an "iptables.rules" file with wrong format, the system +firewall install CLI command get a gracefully error output. + +~~~~~~~~~~~~~~~~~~~ +Test Pre-Conditions +~~~~~~~~~~~~~~~~~~~ + +Starlingx uses Netfilter framework for firewall setup. Make sure "iptables" +and "iptables-config" files exist in /etc/sysconfig path. + +~~~~~~~~~~ +Test Steps +~~~~~~~~~~ + +1. Create a "wrongiptables" file with wrong format. + +2. Install custom firewall by typing: + +.. code:: bash + + $ system firewall-rules-install + + e.g. + + $ system firewall-rules-install wrongiptables + +~~~~~~~~~~~~~~~~~ +Expected Behavior +~~~~~~~~~~~~~~~~~ + +1. "wrongiptables" file with wrong format created successfully. + +2. Firewall rule install command executed should display an error message when +"wrongiptables" wrong format file was used. + +.. code:: bash + + e.g. + + controller-1 ~(keystone_admin)]$ system firewall-rules-install wrongiptables + Error in custom firewall rule file" + +------------------------- +SECURITY_OAM_interface_11 +------------------------- + +:Test ID: SECURITY_OAM_interface_11 +:Test Title: NFV (port 32323) software debug access removed. +:Tags: api + +~~~~~~~~~~~~~~ +Test Objective +~~~~~~~~~~~~~~ + +Verify that NFV (port 32323) software debug access is removed by using curl +command request and "openstack endpoint list" command. The reason of this test +case is to comply with intel security debug access removal in all intel +products. 
By default the port "32323" and the IP assigned to the network +interface card (NIC) which connect to external orchestration, administration +and operation (OAM) network it is used only for debugging purposes by the +design team. + +~~~~~~~~~~~~~~~~~~~ +Test Pre-Conditions +~~~~~~~~~~~~~~~~~~~ + +a) Add Service Endpoing IP into no_proxy .bashrc file. + +:: + + - Go to Horizon --> Project --> API Access and identify what Service Endpoint has your Starlingx cluster. + - Open a terminal in the Host where your Starlingx cluster resides. + - Add the Service Endpoint IP into your no_proxy .bashrc + +.. code:: bash + + e.g. + + export no_proxy=intel.com,10.10.10.2 + Authenticate 10.10.10.2 + +- Open a terminal and make sure you can ssh to the Service Endpoint IP + +.. code:: bash + + $ ssh wrsroot@10.10.10.2. (submit proper password) + +b) Get token from keystone. + +:: + + - In the ssh 10.10.10.2 session send the following curl command to get the proper token from keystone where is your Horizon admin password. + +.. code:: bash + + $ curl -i -X POST http://10.10.10.2:5000/v2.0/tokens -H ""Content-Type: application/json"" -H ""User-Agent: python-keystoneclient"" -d '{""auth"": {""tenantName"": ""admin"", ""passwordCredentials"": {""username"": ""admin"", ""password"": """"}}}' | tail -n 1 + + e.g. + You would be expecting an output similar like this: + + {""access"": {""token"": {""issued_at"": ""2018-12-07T10:52:27.000000Z"", ""expires"": ""2018-12-07T11:52:27.000000Z"", ""id"": ""gAAAAABcClDrLoF7_W03l8uhrPQ9dn4tkuvbd9pfsgIo6-PkObg3imG4HTGT2IQLGkBOszjcS1jOC7g0ZqKByoZ3cEax7LKAiEgC_fkPEnB_mpSjqd5ACzc20VLZaklQfFLXiU4b-w_pZeMPHF09FsP8P4j-ixqx9IgYEEc-4Zmb9cjZ5phNQfA"",… + +~~~~~~~~~~ +Test Steps +~~~~~~~~~~ + +1. Open a terminal in the Host where your Starlingx cluster resides. From pre- +requisites make sure you did ssh to the Service Endpoint IP. + +2. Make a curl request to nfv port 32323 using the "token" gotten from Pre- +requisites steps. + +.. code:: bash + + e.g. 
+ + $ curl -i http://10.10.10.2:32323 -X GET -H ""Contenpe: application/json"" -H ""Accept: application/json"" -H ""X-Auth-Token:""gAAAAABcCnq_pXb57FKTwP0VI8Ry5kuDTHzRWTgcAXfS9ir-HiBN14BSVuXKwIsqDU0SWoztk4sBj0U912AEdU1GawOdniI1yC3-VY_I7BwWSXSlPDccojU7GMdB3KAwXoUWVPELrshGwkBSu2RSLsbZhjSZarxH1CNgeUgPsj5fSMdq81R4qzw"""" | tail -n 1 + +3. Go to Active controller and make sure no NFV (port 32323) Service exist by +typing: + +.. code:: bash + + $ openstack endpoint list | grep 32323 + +~~~~~~~~~~~~~~~~~ +Expected Behavior +~~~~~~~~~~~~~~~~~ + +1. Open terminal and validate ssh connection to the Service Endpoint IP +successfully. + +2. Curl command will get a failure message "Failed to connect to 10.10.10.2 +port 32323: Connection timed out" + +:: + + % Total % Received % Xferd Average Speed Time Time Time Current + Dload Upload Total Spent Left Speed + 0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:- + 0 0 0 0 0 0 0 0 --:--:-- 0:00:02 --:- + 0 0 0 0 0 0 0 0 --:--:-- 0:01:39 --:- + 0 0 0 0 0 0 0 0 --:--:-- 0:01:40 --:- + 0 0 0 0 0 0 0 0 --:--:-- 0:02:09 --:- + curl: (7) Failed to connect to 10.10.10.2 port 32323: Connection timed out + 100 90 100 90 0 0 183 0 --:--:-- --:--:-- --:--:-- 548 + +3. No NFV (port 32323) service exist. + +------------------------- +SECURITY_OAM_interface_12 +------------------------- + +:Test ID: SECURITY_OAM_interface_12 +:Test Title: NFV (port 4545) API Service +:Tags: API + +~~~~~~~~~~~~~~ +Test Objective +~~~~~~~~~~~~~~ + +Verify that NFV (port 4545) Service is LISTENING by using curl command request +and "openstack endpoint list" command. + +~~~~~~~~~~~~~~~~~~~ +Test Pre-Conditions +~~~~~~~~~~~~~~~~~~~ + +Verify that NFV (port 4545) Service is LISTENING by using curl command request +and "openstack endpoint list" command. + +~~~~~~~~~~ +Test Steps +~~~~~~~~~~ + +1. Open a terminal in the Host where your Starlingx cluster resides. From pre- +requisites make sure you did ssh to the Service Endpoint IP. + +2. 
Make a curl request to nfv port 4545 using the "token" gotten from Pre- +requisites steps. + +.. code:: bash + + e.g. + $ curl -i http://10.10.10.2:4545 -X GET -H ""Contenpe: application/json"" -H ""Accept: application/json"" -H ""X-Auth-Token:""gAAAAABcCnq_pXb57FKTwP0VI8Ry5kuDTHzRWTgcAXfS9ir-HiBN14BSVuXKwIsqDU0SWoztk4sBj0U912AEdU1GawOdniI1yC3-VY_I7BwWSXSlPDccojU7GMdB3KAwXoUWVPELrshGwkBSu2RSLsbZhjSZarxH1CNgeUgPsj5fSMdq81R4qzw"""" | tail -n 1 + +3. Go to Active controller and make sure no NFV (port 4545) Service exist by typing: + +.. code:: bash + + $ openstack endpoint list | grep 4545 + +~~~~~~~~~~~~~~~~~ +Expected Behavior +~~~~~~~~~~~~~~~~~ + +1. Open terminal and validate ssh connection to the Service Endpoint IP +successfully. + +2. Curl command will succed. + +3. The NFV (port 4545) service exist and is in LISTENING status. + +~~~~~~~~~~~ +References: +~~~~~~~~~~~ +[0] - https://www.sslshopper.com/what-is-a-csr-certificate-signing-request.html" + +[1] - https://docs.starlingx.io/installation_guide/dedicated_storage.html#dedicated-storage
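Review bot: the curl examples in SECURITY_OAM_interface_11 and _12 commit what looks like a live Keystone token (`X-Auth-Token:""gAAAAABcCnq_...`) and an expires/issued_at token body into the repository; even if it has already expired, a secret-bearing value should never land in docs, so replace it with an obvious placeholder such as `<TOKEN>` and likewise leave `""password"": """"` as `<ADMIN_PASSWORD>`. The same commands are not runnable as written: the doubled quotes (`-H ""Content-Type: application/json""`) are a CSV-export artifact that bash collapses to `-H Content-Type: application/json`, and `Contenpe` should read `Content-Type`; rewrite them with single double-quotes. Several other commands carry stray trailing quotes or lost placeholders, e.g. `sudo config_controller --backup `, `sudo config_controller --restore-system /home/$user/"`, `sudo netstat -plant | grep LISTEN"`, and `Error in custom firewall rule file"`; the missing argument and port placeholder were presumably angle-bracketed and swallowed by the RST conversion, so restore them (``<backup-name>``, ``<port>``) and drop the quotes. In SECURITY_OAM_interface_12, step 3 says "make sure no NFV (port 4545) Service exist" while Expected Behavior 3 requires the service to exist and be LISTENING; the step should read "make sure the NFV (port 4545) service endpoint exists", and the Test Pre-Conditions block there merely repeats the Test Objective instead of stating the actual prerequisite (the keystone token obtained in _11). The References section lists [0] and [1] but nothing in the file cites them, and [0] has a trailing `"`; either cite them from the relevant test case or remove the section. Finally, please run a spell check: custome, sucessfully, persistance, modifcation, shoule, succed, Endpoing, and "nova-nonvc-proxy" (nova-novnc-proxy) all appear in the added text.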