From bbe7154de3be6ff4fb3433ee6ea3688b4929ef71 Mon Sep 17 00:00:00 2001 From: Instrumental Date: Fri, 25 May 2018 12:29:38 -0500 Subject: Create Essential DOC Structure for AAF Issue-ID: AAF-328 Change-Id: I9508611149405bd95d0d1bf2ebe1e0ed37ba333b Signed-off-by: Instrumental --- docs/sections/architecture/aaf-cm.png | Bin 0 -> 149239 bytes docs/sections/architecture/aaf-object-model.jpg | Bin 0 -> 189989 bytes docs/sections/architecture/aaf_architecture.rst | 49 ++++ docs/sections/architecture/security.rst | 29 +++ docs/sections/configuration/client.rst | 8 + docs/sections/configuration/service.rst | 8 + docs/sections/index.rst | 28 +++ .../installation/Bootstrapping-AAF-Components.rst | 256 +++++++++++++++++++++ docs/sections/installation/Installation.rst | 19 ++ docs/sections/installation/fromsource.rst | 7 + docs/sections/installation/standalone.rst | 7 + docs/sections/logging.rst | 25 ++ docs/sections/release-notes.rst | 65 ++++++ 13 files changed, 501 insertions(+) create mode 100644 docs/sections/architecture/aaf-cm.png create mode 100644 docs/sections/architecture/aaf-object-model.jpg create mode 100644 docs/sections/architecture/aaf_architecture.rst create mode 100644 docs/sections/architecture/security.rst create mode 100644 docs/sections/configuration/client.rst create mode 100644 docs/sections/configuration/service.rst create mode 100644 docs/sections/index.rst create mode 100644 docs/sections/installation/Bootstrapping-AAF-Components.rst create mode 100644 docs/sections/installation/Installation.rst create mode 100644 docs/sections/installation/fromsource.rst create mode 100644 docs/sections/installation/standalone.rst create mode 100644 docs/sections/logging.rst create mode 100644 docs/sections/release-notes.rst (limited to 'docs/sections') diff --git a/docs/sections/architecture/aaf-cm.png b/docs/sections/architecture/aaf-cm.png new file mode 100644 index 00000000..602f17e4 Binary files /dev/null and b/docs/sections/architecture/aaf-cm.png differ diff --git a/docs/sections/architecture/aaf-object-model.jpg b/docs/sections/architecture/aaf-object-model.jpg new file mode 100644 index 00000000..30caa7d5 Binary files /dev/null and b/docs/sections/architecture/aaf-object-model.jpg differ diff --git a/docs/sections/architecture/aaf_architecture.rst b/docs/sections/architecture/aaf_architecture.rst new file mode 100644 index 00000000..6e522888 --- /dev/null +++ b/docs/sections/architecture/aaf_architecture.rst @@ -0,0 +1,49 @@ +.. This work is licensed under a Creative Commons Attribution 4.0 International License. +.. http://creativecommons.org/licenses/by/4.0 + +AAF Architecture +================ +AAF is designed to cover Fine-Grained Authorization, meaning that the Authorizations provided are able to used an Application’s detailed authorizations, such as whether a user may be on a particular page, or has access to a particular Pub-SUB topic controlled within the App. + +This is a critical function for Cloud environments, as Services need to be able to be installed and running in a very short time, and should not be encumbered with local configurations of Users, Permissions and Passwords. + +To be effective during a computer transaction, Security must not only be secure, but very fast. Given that each transaction must be checked and validated for Authorization and Authentication, it is critical that all elements on this path perform optimally. + +|image0| + +.. |image0| image:: aaf-object-model.jpg + :height: 600px + :width: 800px + +Certificate Manager +=================== + +Overview +-------- +Every secure transaction requires 1) Encryption 2) Authentication 3) Authorization. + + - HTTP/S provides the core Encryption whenever used, so all of AAF Components require HTTP/S to the current protocol standards (current is TLS 1.1+ as of Nov 2016) + - HTTP/S requires X.509 certificates at least on the Server at minimum. (in this mode, 1 way, a client Certificate is generated) + - Certificate Manager can generate certificates signed by the AT&T Internal Certificate Authority, which is secure and cost effective if external access are not needed + - These same certificates can be used for identifying the Application during the HTTP/S transaction, making a separate UserID/Password unnecessary for Authentication. + - Authentication - In order to tie generated certificates to a specific Application Identity, AAF Certificate Manager embeds a ILM AppID in the Subject. These are created by AT&T specific Internal Certificate Authority, which only generates certificates for AAF Certman. Since AAF Certman validates the Sponsorship of the AppID with requests (automatically), the end user can depend on the AppID embedded in the Subject to be valid without resorting to external calls or passwords. + + - ex: + - Authorization - AAF Certman utilizes AAF's Fine-grained authorizations to ensure that only the right entities perform functions, thus ensuring the integrity of the entire Certificate Process + +|image1| + +.. |image1| image:: aaf-cm.png + :height: 768px + :width: 1024px + +Capabilities +------------ + + +Usage Scenarios +--------------- + + +Interactions +------------ diff --git a/docs/sections/architecture/security.rst b/docs/sections/architecture/security.rst new file mode 100644 index 00000000..fd10dc98 --- /dev/null +++ b/docs/sections/architecture/security.rst @@ -0,0 +1,29 @@ +.. This work is licensed under a Creative Commons Attribution 4.0 International License. +.. http://creativecommons.org/licenses/by/4.0 +.. Copyright © 2017 AT&T Intellectual Property. All rights reserved. + +Security Architecture +===================== +Communicating +------------- +When one compute process needs to communicate to another, it does so with networking. + +The service side is always compute process, but the client can be of two types: + - People (via browser, or perhaps command line tool) + - Compute process talking to another computer process. + +Thus, the essential building blocks of any networked system is made up of + + +In larger systems, it is atypical + +Communicating *Securely* +------------------------ +Whenever two processing entities exist that need to communicate securely, it is *essential* that + - The communications between the two are encrypted + - The identities of the caller and callee are established (authentication) + - The caller must be allowed to do what it is asking to do (authorization) + + + + diff --git a/docs/sections/configuration/client.rst b/docs/sections/configuration/client.rst new file mode 100644 index 00000000..935fd27c --- /dev/null +++ b/docs/sections/configuration/client.rst @@ -0,0 +1,8 @@ +.. This work is licensed under a Creative Commons Attribution 4.0 International License. +.. http://creativecommons.org/licenses/by/4.0 + +Client Configuration +==================== + +| +| diff --git a/docs/sections/configuration/service.rst b/docs/sections/configuration/service.rst new file mode 100644 index 00000000..92ee69bf --- /dev/null +++ b/docs/sections/configuration/service.rst @@ -0,0 +1,8 @@ +.. This work is licensed under a Creative Commons Attribution 4.0 International License. +.. http://creativecommons.org/licenses/by/4.0 + +Service Configuration +===================== + +| +| diff --git a/docs/sections/index.rst b/docs/sections/index.rst new file mode 100644 index 00000000..88c1db9b --- /dev/null +++ b/docs/sections/index.rst @@ -0,0 +1,28 @@ +.. This work is licensed under a Creative Commons Attribution 4.0 International License. +.. http://creativecommons.org/licenses/by/4.0 +.. Copyright © 2017 AT&T Intellectual Property. All rights reserved. + +Architecture +============ +.. toctree:: + :maxdepth: 2 + :glob: + + architecture/* + +Installation +============== +.. toctree:: + :maxdepth: 2 + :glob: + + installation/* + +Configuration +============= +.. toctree:: + :maxdepth: 2 + :glob: + + configuration/* + diff --git a/docs/sections/installation/Bootstrapping-AAF-Components.rst b/docs/sections/installation/Bootstrapping-AAF-Components.rst new file mode 100644 index 00000000..2bb329d6 --- /dev/null +++ b/docs/sections/installation/Bootstrapping-AAF-Components.rst @@ -0,0 +1,256 @@ +.. contents:: + :depth: 3 +.. This work is licensed under a Creative Commons Attribution 4.0 International License. +.. http://creativecommons.org/licenses/by/4.0 +.. Copyright © 2017 AT&T Intellectual Property. All rights reserved. + +Summary +Essentials +Technologies required to run AAF +Optional Technologies for special cases +Data Definitions +AAF Data Definitions +ILM (Identity Lifecycle Management) +Initializing Default Implementation +Extract Sample Configuration +Certificate Authority +Creating your own Certificate Authority (if desired) +Create your Intermediate CAs +Use the Intermediate CA for creating Service/Identity Certs (can be utilized by Certman with LocalCA) +Copy initializations to Host Machine +Load Data and/or Meta-Data into Cassandra +Build Source +Run Java + +Summary +------- + +AAF Components are all Java(tm) HTTP/S based RESTful services, with the following exceptions: + + - AAF GUI component is an HTTP/S HTML5 generating component. It uses the same code base, but isn't strictly RESTful according to definition. + - AAF FS component is a FileServer, and is HTTP only (not TLS), so it can deliver publicly accessible artifacts without Authentication. + +Essentials +========== + +Technologies required to run AAF +-------------------------------- + + - Java(tm). Version 8.121+ + - Oracle Java previous to Oracle Java SE 8 to version 8 Update 121 is vulnerable to "SWEET32" attack. + + 1369383 - CVE-2016-2183 SSL/TLS: Birthday attack against 64-bit block ciphers (SWEET32) + + - Cassandra, Version 2.1.14+ + - X509 Certificates (at minimum to support HTTP/S TLS transactions (TLS1.1 and TLS1.2 are default, but can be configured). + +Optional Technologies for special cases +--------------------------------------- + + - Build your own Certificate Authority for Bootstrapping and/or Certificate Manager component. + - openssl + - bash + +Data Definitions +---------------- + +AAF Data Definitions + + - AAF is Data Driven, and therefore, needs to have some structure around the Initial Data so that it can function. You will need to define: + +Your Organization: + - Example: Are you a company? Do you already have a well known internet URL? + - If so, you should set up AAF Namespaces with this in mind. Example: + + - for "Kumquat Industries, LTD", with internet presence "kumquats4you.com" (currently, a fictitious name), you would want all your AAF Namespaces to start with: + +"com.kumquats4you" +The examples all use + +"org.osaaf" + +However it is recommended that you change this once you figure out your organizations' structure. +Your AAF Root Namespace +This can be within your company namespace, i.e. + +"com.kumquats4you.aaf" + +but you might consider putting it under different root structure. +Again, the bootstrapping examples use: + +"org.osaaf.aaf" + +While creating these, recognize that +2nd position of the Namespace indicates company/organization +3rd+ position are applications within that company/organization + +"com.kumquats4you.dmaap" + +Following this "positional" structure is required for expected Authorization behavior. + + +ILM (Identity Lifecycle Management) +Neither Authentication nor Authorization make any sense outside the context of Identity within your Organization. + +Some organizations or companies will have their own ILM managers. + +If so you may write your own implementation of "Organization" +Ensure the ILM of choice can be access real-time, or consider exporting the data into File Based mechanism (see entry) +AAF comes with a "DefaultOrganization", which implements a file based localization of ILM in a simple text file + +Each line represents an identity in the organization, including essential contact information, and reporting structure +This file can be updated by bringing in the entire file via ftp or other file transfer protocol, HOWEVER +Provide a process that +Validates no corruption has occurred +Pulls the ENTIRE file down before moving into the place where AAF Components will see it. +Take advantage of UNIX File System behaviors, by MOVING the file into place (mv), rather than copying while AAF is Active +Note: This file-based methodology has been shown to be extremely effective for a 1 million+ Identity organization +TBA-how to add an entry + +TBA-what does "sponsorship mean" + +Initializing Default Implementation +This is recommended for learning/testing AAF. You can modify and save off this information for your Organizational use at your discretion. + +Extract Sample Configuration +On your Linux box (creating/setting permissions as required) + +mkdir -p /opt/app/osaaf + +cd /opt/app/osaaf + +# Download AAF_sample_config_v1.zip (TBA) + +jar -xvf AAF_sample_config_v1.zip + +Certificate Authority +You need to identify a SAFE AND SECURE machine when working with your own Certificate Authority. Realize that if a hacker gets the private keys of your CA or Intermediate CAs, you will be TOTALLY Compromised. + +For that reason, many large companies will isolate any machines dealing with Certificates, and that is the recommendation here as well... However, this page cannot explain what works best for you. JSCEP is an option if you have this setup already. + +If you choose to make your own CA, at the very least, once you create your private key for your Root Cert, and your Intermediate Certs, you might consider saving your Private Keys off line and removing from the exposed box. Again, this is YOUR responsibility, and must follow your policy. + + + +IMPORTANT! As you create Certificates for Identities, the Identities you use MUST be identities in your ILM. See /opt/app/aaf/osaaf/data/identities.dat + +Creating your own Certificate Authority (if desired) +1) Obtain all the Shell Scripts from the "conf/CA" directory which you can get the from the git repo. + +For this example, we'll put everything in /opt/app/osaaf + +mkdir /opt/app/osaaf/CA, if required + +$ cd /opt/app/osaaf/CA + +view README.txt for last minute info + +view an/or change "subject.aaf" for your needs. This format will be used on all generated certs from the CA. + +$ cat subject.aaf + +If you will be using PKCS11 option, review the "cfg.pkcs11" file as well + +$ cat cfg.pkcs11 + +$ bash newca.sh + +Obviously, save off your passphrase in an encrypted place... how you do this is your procedure + +At this point, your Root CA information has been created. If you want to start over, you may use "bash clean.sh" + +Create your Intermediate CAs +2) You do NOT sign regular Cert requests with your Root. You only sign with Intermediate CA. The "intermediate.sh" will create a NEW Intermediate CA Directory and copy appropriate Shell scripts over. Do this for as many Intermediate CAs as you need. + +$ bash newIntermediate.sh + +creates directories in order, intermediate_1, intermediate_2, etc. + +Use the Intermediate CA for creating Service/Identity Certs (can be utilized by Certman with LocalCA) +3) When creating a Manual Certificate, DO THIS from the Intermediate CA needed + +$ cd intermediate_1 + +4) Create initial Certificate for AAF + +IMPORTANT! As you create Certificates for Identities, the Identities you use MUST be identities in your ILM. See /opt/app/aaf/osaaf/data/identities.dat + +To create LOCALLY, meaning create the CSR, and submit immediately, do the following + +$ bash manual.sh -local + +FQI (Fully Qualified Identity): + +@ + +To create Information suitable for Emailing, and signing the returned CSR + +$ bash manual.sh + +FQI (Fully Qualified Identity): + +@ + +5) Create p12 file for AAF + +REMAIN in the intermediate directory... + +$ bash p12.sh + +Copy initializations to Host Machine +AAF is setup so it can run + +On the O/S, using Java +On Docker +On K8 +In each case, even for Docker/K8, we utilize the File O/S for host specific information. This is because + +Many things are Host Specific +The Hostname required for TLS interactions +Cassandra specific information (when external/clustered) +Logging (if logging is done in container, it will be lost if container goes down) +To make things simpler, we are assuming that the file structure will be "/opt/app/osaaf". The code supports changing this, but documentation will wait until use cases arises for ONAP. + +Steps: + +1) Copy "osaaf.zip" to your Host Machine, where osaaf.zip is provided by AAF SME. // TODO POST SAMPLE HERE + +2) Copy your "p12" file generated by your CA (see above), and place in your "certs" directory + +3) SSH (or otherwise login) to your Docker/K8 Host Machine + +4) setup your directories (you might need to be root, then adjust what you need for O/S File Permissions + +$ mkdir /opt/app/osaaf + +$ cd /opt/app/osaaf + +$ mkdir cred logs + +$ unzip ~/osaaf.zip + +$ mv ~/ cred + +$ + +Unzip the "osaaf.zip" so it goes into the /opt/app/osaaf directory (should have "etc", "data", "public" and "certs" directories) + +4) Modify "org.osaaf.props" to have + + + +Load Data and/or Meta-Data into Cassandra +Setting this initial Data can be done directly onto Cassadra using "cqlsh" using the following "cql" files: + +init.cql (whatever is latest in the "zip" file) +osaaf.cql + This file contains initial Authorization Structures, see AAF Data Structures. + This is where you would modify your own initial Structures. +Build Source +(if not done already) + +Run Java +Note: If you have a Kubernets requirement (support), it is STILL RECOMMENDED you run AAF as stand-alone Java Components on your system, and work out any modifications required BEFORE trying to run in Kubernetes. + +TBA File> + diff --git a/docs/sections/installation/Installation.rst b/docs/sections/installation/Installation.rst new file mode 100644 index 00000000..1852f848 --- /dev/null +++ b/docs/sections/installation/Installation.rst @@ -0,0 +1,19 @@ +.. This work is licensed under a Creative Commons Attribution 4.0 International License. +.. http://creativecommons.org/licenses/by/4.0 + +Installation +============ + +Environment +----------- + + +Steps +----- + + + + +Testing +------- + diff --git a/docs/sections/installation/fromsource.rst b/docs/sections/installation/fromsource.rst new file mode 100644 index 00000000..6586ff5b --- /dev/null +++ b/docs/sections/installation/fromsource.rst @@ -0,0 +1,7 @@ +.. This work is licensed under a Creative Commons Attribution 4.0 International License. +.. http://creativecommons.org/licenses/by/4.0 +.. Copyright © 2017 AT&T Intellectual Property. All rights reserved. + +AAF From Source Code +==================== + diff --git a/docs/sections/installation/standalone.rst b/docs/sections/installation/standalone.rst new file mode 100644 index 00000000..5c8cb651 --- /dev/null +++ b/docs/sections/installation/standalone.rst @@ -0,0 +1,7 @@ +.. This work is licensed under a Creative Commons Attribution 4.0 International License. +.. http://creativecommons.org/licenses/by/4.0 +.. Copyright © 2017 AT&T Intellectual Property. All rights reserved. + +Standalone Java Installation +============================ + diff --git a/docs/sections/logging.rst b/docs/sections/logging.rst new file mode 100644 index 00000000..89eddd53 --- /dev/null +++ b/docs/sections/logging.rst @@ -0,0 +1,25 @@ +.. This work is licensed under a Creative Commons Attribution 4.0 International License. +.. http://creativecommons.org/licenses/by/4.0 + +Logging +======= + +.. note:: + * This section is used to describe the informational or diagnostic messages emitted from + a software component and the methods or collecting them. + + * This section is typically: provided for a platform-component and sdk; and + referenced in developer and user guides + + * This note must be removed after content has been added. + + +Where to Access Information +--------------------------- +AAF uses log4j framework to generate logs and all the logs are stored in a persistent volume. + +Error / Warning Messages +------------------------ +Following are the error codes + + diff --git a/docs/sections/release-notes.rst b/docs/sections/release-notes.rst new file mode 100644 index 00000000..1a5f163d --- /dev/null +++ b/docs/sections/release-notes.rst @@ -0,0 +1,65 @@ +.. This work is licensed under a Creative Commons Attribution 4.0 International License. +.. http://creativecommons.org/licenses/by/4.0 + + +Release Notes +============= + + + +Version: 2.1.0 +-------------- + + +:Release Date: 2018-04-18 + + + +**New Features** + +This release fixes the packaging and security issues. + +**Bug Fixes** + NA +**Known Issues** + NA + +**Security Issues** + This release fixes the security vulnerabilities due to the opensourced libraries used in the project + + +**Upgrade Notes** + NA + +**Deprecation Notes** + +Version: 1.0.1 + +Release Date: 2017-11-16 + + +New Features: + + - Service (primary) – All the Authorization information (more on that in a bit) + - Locate – how to find ANY OR ALL AAF instances across any geographic distribution + - OAuth 2.0 – new component providing Tokens and Introspection (no time to discuss here) + - GUI – Tool to view and manage Authorization Information, and create Credentials + - Certman – Certificate Manger, create and renew X509 with Fine-Grained Identity + - FS – File Server to provide access to distributable elements (like well known certs) + - Hello - Test your client access (certs, OAuth 2.0, etc) + + + + +Bug Fixes + - `AAF-290 `_ Fix aaf trusrstore + - `AAF-270 `_ AAF fails health check on HEAT deployment + - `AAF-286 `_ SMS fails health check on OOM deployment + - `AAF-273 `_ Cassandra pod running over 8G heap - or 10% of ONAP ram (for 135 other pods on 256G 4 node cluster) + + +Known Issues + - + +Other + -- cgit 1.2.3-korg