VNFM adapter support two way TLS

Change-Id: Icdb57587c9070bcce405eeaea4275fea0af0533a
Issue-ID: SO-2190
Signed-off-by: MichaelMorris <michael.morris@est.tech>

11 files changed, 281 insertions, 25 deletions

diff --git a/adapters/mso-vnfm-adapter/mso-vnfm-etsi-adapter/Readme.txt b/adapters/mso-vnfm-adapter/mso-vnfm-etsi-adapter/Readme.txt
new file mode 100644
index 0000000000..66876311db
--- /dev/null
+++ b/adapters/mso-vnfm-adapter/mso-vnfm-etsi-adapter/Readme.txt
@@ -0,0 +1,128 @@
+The following describes how to configure authentication for the VNFM adapter.

+

+

+==========================================

+To confgure TLS

+==========================================

+

+---------------

+VNFM Adapter

+---------------

+The following parameters can be set to configure the certificate for the VNFM adapter

+server:

+  ssl:

+    key-alias: so@so.onap.org

+    key--store-password: 'I,re7WWEJR$e]x370wRgx?qE'

+    key-store: classpath:org.onap.so.p12

+    key-store-type: PKCS12

+The values shown above relate to the certificate included in the VNFM adapter jar which has been generated from AAF. If a different certificate is to be used then these values should be changed accordingly.

+

+The following paramters can be set to configure the trust store for the VNFM adapter:

+http:

+  client:

+    ssl:

+      trust-store: org.onap.so.trust.jks

+      trust-store-password: NyRD](z:EJJNIt?},QgM3o7H

+The values shown above relate to the trust store included in the VNFM adapter jar which has been generated from AAI. If a different trust store is to be used then these values should be changed accordingly.

+

+Ensure the value for the below parameter uses https instead of http

+vnfmadapter:

+  endpoint: http://so-vnfm-adapter.onap:9092

+  

+---------------

+bpmn-infra

+---------------

+For bpmn-infra, ensure the value for the below parameter uses https instead of http

+so:

+  vnfm:

+    adapter:

+      url: https://so-vnfm-adapter.onap:9092/so/vnfm-adapter/v1/

+

+

+==========================================

+To use two way TLS

+==========================================

+

+Ensure the value for username and password are empty in the AAI entry for the VNFM (The VNFM adapter will use oauth instead of two way TLS if the username/password is set).

+Ensure TLS has been configuered as detailed above.

+

+---------------

+VNFM adapter

+---------------

+Set the following parameter for the VNFM adapter:

+server:

+  ssl:

+    client-auth: need

+	

+---------------

+bpmn-infra:

+---------------

+Set the following paramters for bpmn-infra:

+rest:

+  http:

+    client:

+      configuration:

+        ssl:

+          keyStore: classpath:org.onap.so.p12

+          keyStorePassword: 'RLe5ExMWW;Kd6GTSt0WQz;.Y'

+          trustStore: classpath:org.onap.so.trust.jks

+          trustStorePassword: '6V%8oSU$,%WbYp3IUe;^mWt4'

+Ensure the value for the below parameter uses https instead of http

+so:

+  vnfm:

+    adapter:

+      url: https://so-vnfm-adapter.onap:9092/so/vnfm-adapter/v1/

+	  

+---------------	  

+VNFM simulator:

+---------------

+Set the following parameters for the VNFM simulator (if used):

+server:

+  ssl:

+    client-auth: need

+  request:

+    grant:

+      auth: twowaytls

+

+==========================================

+To use oauth token base authentication

+==========================================

+

+---------------	  

+VNFM adapter:

+---------------

+Ensure the value for username and password set set in the AAI entry for the VNFM. The VNFM adapter will use this username/password as the client credentials in the request for a token for the VNFM. The token endpoint

+for the VNFM will by default will be derived from the service url for the VNFM in AAI as follows: <base of service url>/oauth/token, e.g. if the service url is https://so-vnfm-simulator.onap/vnflcm/v1 then the token url will

+be taken to be https://so-vnfm-simulator.onap/oauth/token. This can be overriden using the following parameter for the VNFM adapter:

+vnfmadapter:

+  temp:

+    vnfm:

+	  oauth:

+	    endpoint:

+		

+The VNFM adapter exposes a token point at url: https://<hostname>:<port>/oauth/token e.g. https://so-vnfm-adapter.onap:9092/oauth/token. The VNFM can request a token from this endpoint for use in grant requests and notifications

+to the VNFM adapter. The username/password to be used in the token request are passed to the VNFM in a subscription request. The username/password sent by the VNFM adpater in the subscription request can be configuered using the 

+following parameter:

+vnfmadapter:

+  auth: <encoded value>

+where <encoded value> is '<username>:<password>' encoded using org.onap.so.utils.CryptoUtils with the key set by the paramter:

+mso:

+  key: <key>

+The default username:password is vnfm-adapter:123456 when vnfm-adapter.auth is not set.

+		  

+---------------	  

+VNFM simulator:

+---------------

+Set the following parameters for the simulator:

+spring:

+  profiles:

+    active: oauth-authentication

+server:

+  request:

+    grant:

+      auth: oauth

+		

+==========================================

+To use basic auth for notifications

+==========================================		

+The same username/password is used as for oauth token requests as describe above and passed to the VNFM in the subscription request.
\ No newline at end of file
diff --git a/adapters/mso-vnfm-adapter/mso-vnfm-etsi-adapter/src/main/java/org/onap/so/adapters/vnfmadapter/WebSecurityConfigImpl.java b/adapters/mso-vnfm-adapter/mso-vnfm-etsi-adapter/src/main/java/org/onap/so/adapters/vnfmadapter/WebSecurityConfigImpl.java
index 2b33e8b11d..f45d5a0219 100644
--- a/adapters/mso-vnfm-adapter/mso-vnfm-etsi-adapter/src/main/java/org/onap/so/adapters/vnfmadapter/WebSecurityConfigImpl.java
+++ b/adapters/mso-vnfm-adapter/mso-vnfm-etsi-adapter/src/main/java/org/onap/so/adapters/vnfmadapter/WebSecurityConfigImpl.java
@@ -22,6 +22,7 @@ package org.onap.so.adapters.vnfmadapter;
 
 import org.onap.so.security.MSOSpringFirewall;
 import org.onap.so.security.WebSecurityConfig;
+import org.springframework.beans.factory.annotation.Value;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.builders.WebSecurity;
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
@@ -34,11 +35,18 @@ import org.springframework.util.StringUtils;
 @EnableWebSecurity
 public class WebSecurityConfigImpl extends WebSecurityConfig {
 
+    @Value("${server.ssl.client-auth:none}")
+    private String clientAuth;
+
     @Override
     protected void configure(final HttpSecurity http) throws Exception {
-        http.csrf().disable().authorizeRequests().antMatchers("/manage/health", "/manage/info").permitAll()
-                .antMatchers("/**").hasAnyRole(StringUtils.collectionToDelimitedString(getRoles(), ",")).and()
-                .httpBasic();
+        if (clientAuth.equalsIgnoreCase("need")) {
+            http.csrf().disable().authorizeRequests().anyRequest().permitAll();
+        } else {
+            http.csrf().disable().authorizeRequests().antMatchers("/manage/health", "/manage/info").permitAll()
+                    .antMatchers("/**").hasAnyRole(StringUtils.collectionToDelimitedString(getRoles(), ",")).and()
+                    .httpBasic();
+        }
     }
 
     @Override
diff --git a/adapters/mso-vnfm-adapter/mso-vnfm-etsi-adapter/src/main/java/org/onap/so/adapters/vnfmadapter/extclients/vnfm/VnfmHelper.java b/adapters/mso-vnfm-adapter/mso-vnfm-etsi-adapter/src/main/java/org/onap/so/adapters/vnfmadapter/extclients/vnfm/VnfmHelper.java
index b4355efc20..7c22020287 100644
--- a/adapters/mso-vnfm-adapter/mso-vnfm-etsi-adapter/src/main/java/org/onap/so/adapters/vnfmadapter/extclients/vnfm/VnfmHelper.java
+++ b/adapters/mso-vnfm-adapter/mso-vnfm-etsi-adapter/src/main/java/org/onap/so/adapters/vnfmadapter/extclients/vnfm/VnfmHelper.java
@@ -212,6 +212,8 @@ public class VnfmHelper {
         basicAuthParams.setPassword(decrypedAuth[1]);
         authentication.addAuthTypeItem(AuthTypeEnum.BASIC);
         authentication.paramsBasic(basicAuthParams);
+
+        authentication.addAuthTypeItem(AuthTypeEnum.TLS_CERT);
         return authentication;
     }
 
diff --git a/adapters/mso-vnfm-adapter/mso-vnfm-etsi-adapter/src/main/java/org/onap/so/adapters/vnfmadapter/extclients/vnfm/VnfmServiceProviderConfiguration.java b/adapters/mso-vnfm-adapter/mso-vnfm-etsi-adapter/src/main/java/org/onap/so/adapters/vnfmadapter/extclients/vnfm/VnfmServiceProviderConfiguration.java
index a604f9a6b9..93312cfa64 100644
--- a/adapters/mso-vnfm-adapter/mso-vnfm-etsi-adapter/src/main/java/org/onap/so/adapters/vnfmadapter/extclients/vnfm/VnfmServiceProviderConfiguration.java
+++ b/adapters/mso-vnfm-adapter/mso-vnfm-etsi-adapter/src/main/java/org/onap/so/adapters/vnfmadapter/extclients/vnfm/VnfmServiceProviderConfiguration.java
@@ -24,11 +24,12 @@ import static org.onap.so.client.RestTemplateConfig.CONFIGURABLE_REST_TEMPLATE;
 import com.google.gson.Gson;
 import java.io.IOException;
 import java.security.KeyManagementException;
+import java.security.KeyStore;
 import java.security.KeyStoreException;
 import java.security.NoSuchAlgorithmException;
+import java.security.UnrecoverableKeyException;
 import java.security.cert.CertificateException;
 import java.util.Iterator;
-import java.util.ListIterator;
 import java.util.Map;
 import java.util.UUID;
 import java.util.concurrent.ConcurrentHashMap;
@@ -42,7 +43,6 @@ import org.onap.aai.domain.yang.EsrSystemInfo;
 import org.onap.aai.domain.yang.EsrVnfm;
 import org.onap.so.adapters.vnfmadapter.extclients.vnfm.lcn.JSON;
 import org.onap.so.configuration.rest.BasicHttpHeadersProvider;
-import org.onap.so.logging.jaxrs.filter.SpringClientFilter;
 import org.onap.so.rest.service.HttpRestServiceProvider;
 import org.onap.so.rest.service.HttpRestServiceProviderImpl;
 import org.slf4j.Logger;
@@ -52,7 +52,7 @@ import org.springframework.beans.factory.annotation.Qualifier;
 import org.springframework.beans.factory.annotation.Value;
 import org.springframework.context.annotation.Configuration;
 import org.springframework.core.io.Resource;
-import org.springframework.http.client.ClientHttpRequestInterceptor;
+import org.springframework.http.client.BufferingClientHttpRequestFactory;
 import org.springframework.http.client.HttpComponentsClientHttpRequestFactory;
 import org.springframework.http.converter.HttpMessageConverter;
 import org.springframework.http.converter.json.GsonHttpMessageConverter;
@@ -73,7 +73,12 @@ public class VnfmServiceProviderConfiguration {
     @Value("${http.client.ssl.trust-store:#{null}}")
     private Resource trustStore;
     @Value("${http.client.ssl.trust-store-password:#{null}}")
-    private String trustPassword;
+    private String trustStorePassword;
+
+    @Value("${server.ssl.key-store:#{null}}")
+    private Resource keyStoreResource;
+    @Value("${server.ssl.key--store-password:#{null}}")
+    private String keyStorePassword;
 
     /**
      * This property is only intended to be temporary until the AAI schema is updated to support setting the endpoint
@@ -98,7 +103,6 @@ public class VnfmServiceProviderConfiguration {
         if (trustStore != null) {
             setTrustStore(restTemplate);
         }
-        removeSpringClientFilter(restTemplate);
         return new HttpRestServiceProviderImpl(restTemplate, new BasicHttpHeadersProvider());
     }
 
@@ -141,27 +145,26 @@ public class VnfmServiceProviderConfiguration {
     private void setTrustStore(final RestTemplate restTemplate) {
         SSLContext sslContext;
         try {
-            sslContext =
-                    new SSLContextBuilder().loadTrustMaterial(trustStore.getURL(), trustPassword.toCharArray()).build();
+            if (keyStoreResource != null) {
+                KeyStore keystore = KeyStore.getInstance("pkcs12");
+                keystore.load(keyStoreResource.getInputStream(), keyStorePassword.toCharArray());
+                sslContext =
+                        new SSLContextBuilder().loadTrustMaterial(trustStore.getURL(), trustStorePassword.toCharArray())
+                                .loadKeyMaterial(keystore, keyStorePassword.toCharArray()).build();
+            } else {
+                sslContext = new SSLContextBuilder()
+                        .loadTrustMaterial(trustStore.getURL(), trustStorePassword.toCharArray()).build();
+            }
             logger.info("Setting truststore: {}", trustStore.getURL());
             final SSLConnectionSocketFactory socketFactory = new SSLConnectionSocketFactory(sslContext);
             final HttpClient httpClient = HttpClients.custom().setSSLSocketFactory(socketFactory).build();
             final HttpComponentsClientHttpRequestFactory factory =
                     new HttpComponentsClientHttpRequestFactory(httpClient);
-            restTemplate.setRequestFactory(factory);
+            restTemplate.setRequestFactory(new BufferingClientHttpRequestFactory(factory));
         } catch (KeyManagementException | NoSuchAlgorithmException | KeyStoreException | CertificateException
-                | IOException exception) {
+                | IOException | UnrecoverableKeyException exception) {
             logger.error("Error reading truststore, TLS connection to VNFM will fail.", exception);
         }
     }
 
-    private void removeSpringClientFilter(final RestTemplate restTemplate) {
-        ListIterator<ClientHttpRequestInterceptor> interceptorIterator = restTemplate.getInterceptors().listIterator();
-        while (interceptorIterator.hasNext()) {
-            if (interceptorIterator.next() instanceof SpringClientFilter) {
-                interceptorIterator.remove();
-            }
-        }
-    }
-
 }
diff --git a/adapters/mso-vnfm-adapter/mso-vnfm-etsi-adapter/src/test/java/org/onap/so/adapters/vnfmadapter/rest/VnfmAdapterControllerTest.java b/adapters/mso-vnfm-adapter/mso-vnfm-etsi-adapter/src/test/java/org/onap/so/adapters/vnfmadapter/rest/VnfmAdapterControllerTest.java
index 6cdabb9374..fe55907420 100644
--- a/adapters/mso-vnfm-adapter/mso-vnfm-etsi-adapter/src/test/java/org/onap/so/adapters/vnfmadapter/rest/VnfmAdapterControllerTest.java
+++ b/adapters/mso-vnfm-adapter/mso-vnfm-etsi-adapter/src/test/java/org/onap/so/adapters/vnfmadapter/rest/VnfmAdapterControllerTest.java
@@ -133,7 +133,7 @@ public class VnfmAdapterControllerTest {
         setUpVimInMockAai();
 
         final String expectedsubscriptionRequest =
-                "{\"filter\":{\"vnfInstanceSubscriptionFilter\":{\"vnfInstanceIds\":[\"vnfId\"]},\"notificationTypes\":[\"VnfLcmOperationOccurrenceNotification\"]},\"callbackUri\":\"https://so-vnfm-adapter.onap:30406/so/vnfm-adapter/v1/lcn/VnfLcmOperationOccurrenceNotification\",\"authentication\":{\"authType\":[\"OAUTH2_CLIENT_CREDENTIALS\", \"BASIC\"],\"paramsOauth2ClientCredentials\":{\"clientId\":\"vnfm\",\"clientPassword\":\"password1$\",\"tokenEndpoint\":\"https://so-vnfm-adapter.onap:30406/oauth/token\"},\"paramsBasic\":{\"userName\":\"vnfm\",\"password\":\"password1$\"}}}";
+                "{\"filter\":{\"vnfInstanceSubscriptionFilter\":{\"vnfInstanceIds\":[\"vnfId\"]},\"notificationTypes\":[\"VnfLcmOperationOccurrenceNotification\"]},\"callbackUri\":\"https://so-vnfm-adapter.onap:30406/so/vnfm-adapter/v1/lcn/VnfLcmOperationOccurrenceNotification\",\"authentication\":{\"authType\":[\"OAUTH2_CLIENT_CREDENTIALS\", \"BASIC\", \"TLS_CERT\"],\"paramsOauth2ClientCredentials\":{\"clientId\":\"vnfm\",\"clientPassword\":\"password1$\",\"tokenEndpoint\":\"https://so-vnfm-adapter.onap:30406/oauth/token\"},\"paramsBasic\":{\"userName\":\"vnfm\",\"password\":\"password1$\"}}}";
         final InlineResponse2001 subscriptionResponse = new InlineResponse2001();
 
         final InlineResponse201 createResponse = createCreateResponse();
diff --git a/bpmn/mso-infrastructure-bpmn/pom.xml b/bpmn/mso-infrastructure-bpmn/pom.xml
index ea1a205317..25913eabba 100644
--- a/bpmn/mso-infrastructure-bpmn/pom.xml
+++ b/bpmn/mso-infrastructure-bpmn/pom.xml
@@ -134,6 +134,24 @@
         </executions>
       </plugin>
     </plugins>
+    <resources>
+      <resource>
+        <directory>src/main/resources</directory>
+        <filtering>true</filtering>
+        <excludes>
+          <exclude>**/*.p12</exclude>
+          <exclude>**/*.jks</exclude>
+        </excludes>
+      </resource>
+      <resource>
+        <directory>src/main/resources</directory>
+        <filtering>false</filtering>
+        <includes>
+          <include>**/*.p12</include>
+          <include>**/*.jks</include>
+        </includes>
+      </resource>
+    </resources>
   </build>
   <dependencyManagement>
     <dependencies>
diff --git a/bpmn/mso-infrastructure-bpmn/src/main/resources/org.onap.so.p12 b/bpmn/mso-infrastructure-bpmn/src/main/resources/org.onap.so.p12
new file mode 100644
index 0000000000..79631bf344
--- /dev/null
+++ b/bpmn/mso-infrastructure-bpmn/src/main/resources/org.onap.so.p12
diff --git a/bpmn/mso-infrastructure-bpmn/src/main/resources/org.onap.so.trust.jks b/bpmn/mso-infrastructure-bpmn/src/main/resources/org.onap.so.trust.jks
new file mode 100644
index 0000000000..6f8168d896
--- /dev/null
+++ b/bpmn/mso-infrastructure-bpmn/src/main/resources/org.onap.so.trust.jks
diff --git a/bpmn/so-bpmn-tasks/src/main/java/org/onap/so/bpmn/infrastructure/adapter/vnfm/tasks/VnfmAdapterCreateVnfTaskConfiguration.java b/bpmn/so-bpmn-tasks/src/main/java/org/onap/so/bpmn/infrastructure/adapter/vnfm/tasks/VnfmAdapterCreateVnfTaskConfiguration.java
index f5bae2c82a..c3c0047fff 100644
--- a/bpmn/so-bpmn-tasks/src/main/java/org/onap/so/bpmn/infrastructure/adapter/vnfm/tasks/VnfmAdapterCreateVnfTaskConfiguration.java
+++ b/bpmn/so-bpmn-tasks/src/main/java/org/onap/so/bpmn/infrastructure/adapter/vnfm/tasks/VnfmAdapterCreateVnfTaskConfiguration.java
@@ -21,14 +21,32 @@
 package org.onap.so.bpmn.infrastructure.adapter.vnfm.tasks;
 
 import static org.onap.so.client.RestTemplateConfig.CONFIGURABLE_REST_TEMPLATE;
+import java.io.IOException;
+import java.security.KeyManagementException;
+import java.security.KeyStore;
+import java.security.KeyStoreException;
+import java.security.NoSuchAlgorithmException;
+import java.security.UnrecoverableKeyException;
+import java.security.cert.CertificateException;
+import javax.net.ssl.SSLContext;
+import org.apache.http.client.HttpClient;
+import org.apache.http.conn.ssl.SSLConnectionSocketFactory;
+import org.apache.http.impl.client.HttpClients;
+import org.apache.http.ssl.SSLContextBuilder;
 import org.onap.so.configuration.rest.BasicHttpHeadersProvider;
 import org.onap.so.configuration.rest.HttpHeadersProvider;
 import org.onap.so.rest.service.HttpRestServiceProvider;
 import org.onap.so.rest.service.HttpRestServiceProviderImpl;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.beans.factory.annotation.Qualifier;
+import org.springframework.beans.factory.annotation.Value;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
+import org.springframework.core.io.Resource;
+import org.springframework.http.client.BufferingClientHttpRequestFactory;
+import org.springframework.http.client.HttpComponentsClientHttpRequestFactory;
 import org.springframework.web.client.RestTemplate;
 
 /**
@@ -40,13 +58,55 @@ import org.springframework.web.client.RestTemplate;
 @Configuration
 public class VnfmAdapterCreateVnfTaskConfiguration {
 
+    private static final Logger logger = LoggerFactory.getLogger(VnfmAdapterCreateVnfTaskConfiguration.class);
+
+    @Value("${rest.http.client.configuration.ssl.trustStore:#{null}}")
+    private Resource trustStore;
+
+    @Value("${rest.http.client.configuration.ssl.trustStorePassword:#{null}}")
+    private String trustStorePassword;
+
+    @Value("${rest.http.client.configuration.ssl.keyStore:#{null}}")
+    private Resource keyStoreResource;
+
+    @Value("${rest.http.client.configuration.ssl.keyStorePassword:#{null}}")
+    private String keyStorePassword;
+
     @Bean
     public HttpRestServiceProvider databaseHttpRestServiceProvider(
             @Qualifier(CONFIGURABLE_REST_TEMPLATE) @Autowired final RestTemplate restTemplate,
             @Autowired final VnfmBasicHttpConfigProvider etsiVnfmAdapter) {
+        if (trustStore != null) {
+            setTrustStore(restTemplate);
+        }
         return getHttpRestServiceProvider(restTemplate, new BasicHttpHeadersProvider(etsiVnfmAdapter.getAuth()));
     }
 
+    private void setTrustStore(final RestTemplate restTemplate) {
+        SSLContext sslContext;
+        try {
+            if (keyStoreResource != null) {
+                KeyStore keystore = KeyStore.getInstance("pkcs12");
+                keystore.load(keyStoreResource.getInputStream(), keyStorePassword.toCharArray());
+                sslContext =
+                        new SSLContextBuilder().loadTrustMaterial(trustStore.getURL(), trustStorePassword.toCharArray())
+                                .loadKeyMaterial(keystore, keyStorePassword.toCharArray()).build();
+            } else {
+                sslContext = new SSLContextBuilder()
+                        .loadTrustMaterial(trustStore.getURL(), trustStorePassword.toCharArray()).build();
+            }
+            logger.info("Setting truststore: {}", trustStore.getURL());
+            final SSLConnectionSocketFactory socketFactory = new SSLConnectionSocketFactory(sslContext);
+            final HttpClient httpClient = HttpClients.custom().setSSLSocketFactory(socketFactory).build();
+            final HttpComponentsClientHttpRequestFactory factory =
+                    new HttpComponentsClientHttpRequestFactory(httpClient);
+            restTemplate.setRequestFactory(new BufferingClientHttpRequestFactory(factory));
+        } catch (KeyManagementException | NoSuchAlgorithmException | KeyStoreException | CertificateException
+                | IOException | UnrecoverableKeyException exception) {
+            logger.error("Error reading truststore, TLS connection to VNFM will fail.", exception);
+        }
+    }
+
     private HttpRestServiceProvider getHttpRestServiceProvider(final RestTemplate restTemplate,
             final HttpHeadersProvider httpHeadersProvider) {
         return new HttpRestServiceProviderImpl(restTemplate, httpHeadersProvider);
diff --git a/vnfm-simulator/vnfm-service/src/main/java/org/onap/svnfm/simulator/config/ApplicationConfig.java b/vnfm-simulator/vnfm-service/src/main/java/org/onap/svnfm/simulator/config/ApplicationConfig.java
index 32c05ebca8..a1abb05f07 100644
--- a/vnfm-simulator/vnfm-service/src/main/java/org/onap/svnfm/simulator/config/ApplicationConfig.java
+++ b/vnfm-simulator/vnfm-service/src/main/java/org/onap/svnfm/simulator/config/ApplicationConfig.java
@@ -1,6 +1,5 @@
 package org.onap.svnfm.simulator.config;
 
-import java.net.InetAddress;
 import java.util.Arrays;
 import org.onap.svnfm.simulator.constants.Constant;
 import org.springframework.beans.factory.annotation.Autowired;
@@ -23,6 +22,9 @@ public class ApplicationConfig implements ApplicationRunner {
     @Value("${server.dns.name:so-vnfm-simulator.onap}")
     private String serverDnsName;
 
+    @Value("${server.request.grant.auth:oauth}")
+    private String grantAuth;
+
     @Autowired
     private Environment environment;
 
@@ -37,6 +39,10 @@ public class ApplicationConfig implements ApplicationRunner {
         return baseUrl;
     }
 
+    public String getGrantAuth() {
+        return grantAuth;
+    }
+
     @Bean
     public CacheManager cacheManager() {
         final Cache inlineResponse201 = new ConcurrentMapCache(Constant.IN_LINE_RESPONSE_201_CACHE);
diff --git a/vnfm-simulator/vnfm-service/src/main/java/org/onap/svnfm/simulator/services/OperationProgressor.java b/vnfm-simulator/vnfm-service/src/main/java/org/onap/svnfm/simulator/services/OperationProgressor.java
index eed62780c0..6e9478bdeb 100644
--- a/vnfm-simulator/vnfm-service/src/main/java/org/onap/svnfm/simulator/services/OperationProgressor.java
+++ b/vnfm-simulator/vnfm-service/src/main/java/org/onap/svnfm/simulator/services/OperationProgressor.java
@@ -8,10 +8,17 @@ import java.io.InputStream;
 import java.io.InputStreamReader;
 import java.net.URL;
 import java.nio.charset.StandardCharsets;
+import java.security.KeyStore;
+import java.security.KeyStoreException;
+import java.security.NoSuchAlgorithmException;
+import java.security.UnrecoverableKeyException;
+import java.security.cert.CertificateException;
 import java.util.ArrayList;
 import java.util.List;
 import java.util.UUID;
 import javax.net.ssl.HttpsURLConnection;
+import javax.net.ssl.KeyManager;
+import javax.net.ssl.KeyManagerFactory;
 import javax.ws.rs.core.MediaType;
 import org.apache.commons.codec.binary.Base64;
 import org.modelmapper.ModelMapper;
@@ -44,12 +51,16 @@ import org.onap.svnfm.simulator.repository.VnfOperationRepository;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.springframework.core.io.ClassPathResource;
+import org.springframework.core.io.Resource;
 
 public abstract class OperationProgressor implements Runnable {
 
     private static final Logger LOGGER = LoggerFactory.getLogger(OperationProgressor.class);
     private static final String CERTIFICATE_TO_TRUST = "so-vnfm-adapter.crt.pem";
 
+    private Resource keyStoreResource = new ClassPathResource("so-vnfm-simulator.p12");
+    private String keyStorePassword = "7Em3&j4.19xYiMelhD5?xbQ.";
+
     protected final VnfOperation operation;
     protected final SvnfmService svnfmService;
     private final VnfOperationRepository vnfOperationRepository;
@@ -73,12 +84,14 @@ public abstract class OperationProgressor implements Runnable {
         String callBackUrl = subscriptionService.getSubscriptions().iterator().next().getCallbackUri();
         callBackUrl = callBackUrl.substring(0, callBackUrl.indexOf("/lcn/"));
         apiClient.setBasePath(callBackUrl);
+        apiClient.setKeyManagers(getKeyManagers());
         apiClient.setSslCaCert(getCertificateToTrust());
         notificationClient = new DefaultApi(apiClient);
 
         final org.onap.so.adapters.vnfmadapter.extclients.vnfm.grant.ApiClient grantApiClient =
                 new org.onap.so.adapters.vnfmadapter.extclients.vnfm.grant.ApiClient();
         grantApiClient.setBasePath(callBackUrl);
+        grantApiClient.setKeyManagers(getKeyManagers());
         grantApiClient.setSslCaCert(getCertificateToTrust());
         grantClient = new org.onap.so.adapters.vnfmadapter.extclients.vnfm.grant.api.DefaultApi(grantApiClient);
     }
@@ -92,6 +105,22 @@ public abstract class OperationProgressor implements Runnable {
         }
     }
 
+    private KeyManager[] getKeyManagers() {
+        KeyStore keystore;
+        try {
+            keystore = KeyStore.getInstance("pkcs12");
+            keystore.load(keyStoreResource.getInputStream(), keyStorePassword.toCharArray());
+            KeyManagerFactory keyManagerFactory = KeyManagerFactory.getInstance("SunX509");
+            keyManagerFactory.init(keystore, keyStorePassword.toCharArray());
+            return keyManagerFactory.getKeyManagers();
+        } catch (KeyStoreException | NoSuchAlgorithmException | CertificateException | IOException
+                | UnrecoverableKeyException exception) {
+            LOGGER.error("Error reading certificate, https calls using two way TLS to VNFM adapter will fail",
+                    exception);
+            return new KeyManager[0];
+        }
+    }
+
     @Override
     public void run() {
         try {
@@ -247,8 +276,10 @@ public abstract class OperationProgressor implements Runnable {
             final SubscriptionsAuthenticationParamsOauth2ClientCredentials subscriptionAuthentication =
                     subscriptionService.getSubscriptions().iterator().next().getAuthentication()
                             .getParamsOauth2ClientCredentials();
-            final String authHeader =
-                    "Bearer " + getToken(notificationClient.getApiClient(), subscriptionAuthentication);
+
+            final String authHeader = applicationConfig.getGrantAuth().equals("oauth")
+                    ? "Bearer " + getToken(notificationClient.getApiClient(), subscriptionAuthentication)
+                    : null;
 
             final ApiResponse<InlineResponse201> response = grantClient.grantsPostWithHttpInfo(grantRequest,
                     MediaType.APPLICATION_JSON, MediaType.APPLICATION_JSON, authHeader);