From 96e029e6796dd96324d8abd9a5dfc569d0976fc5 Mon Sep 17 00:00:00 2001 From: andrzejszukuc Date: Wed, 28 Nov 2018 18:09:37 +0100 Subject: Adding docs for TLS mutual authentication in VES. Issue-ID: DCAEGEN2-959 Change-Id: Iad5c4c02635579d0e4310d2e92bd3b56fa81d547 Signed-off-by: ANDRZEJ SZUKUC --- docs/sections/services/ves-http/index.rst | 2 +- .../services/ves-http/tls-authentication.rst | 20 ++++++++++++++++++++ 2 files changed, 21 insertions(+), 1 deletion(-) create mode 100644 docs/sections/services/ves-http/tls-authentication.rst diff --git a/docs/sections/services/ves-http/index.rst b/docs/sections/services/ves-http/index.rst index 48b91d8c..e1edb4b6 100644 --- a/docs/sections/services/ves-http/index.rst +++ b/docs/sections/services/ves-http/index.rst @@ -23,7 +23,7 @@ VES Collector (HTTP) overview and functions ./configuration.rst ./delivery.rst ./installation.rst - + ./tls-authentication.rst API reference ^^^^^^^^^^^^^ diff --git a/docs/sections/services/ves-http/tls-authentication.rst b/docs/sections/services/ves-http/tls-authentication.rst new file mode 100644 index 00000000..b3cbafdf --- /dev/null +++ b/docs/sections/services/ves-http/tls-authentication.rst 
@@ -0,0 +1,20 @@ +.. This work is licensed under a Creative Commons Attribution 4.0 International License. +.. http://creativecommons.org/licenses/by/4.0 + +Certificates as authentication method for PNFs/VNFs +=================================================== + +VES supports mutual TLS authentication via X.509 certificates. If VES is deployed via docker image then VES configuration can be modified by editing */opt/app/VESCollector/etc/collector.properties* which is present on the docker container. VES detects changes made to the mentioned file automatically and restarts the application. + +The authentication can be enabled by *collector.service.secure.clientauth* property. When *collector.service.secure.clientauth=1* VES uses additional properties: + + * *collector.truststore.file.location* - a path to jks trust store containing certificates of clients or certificate authorities + * *collector.truststore.passwordfile* - a path to file containing password for the trust store + +Of course, mutual TLS authentication requires also server certificates, so following properties have to be set to valid values: + + * *collector.keystore.file.location* - a path to jks key store containing certificates which can be used for TLS handshake + * *collector.keystore.passwordfile* - a path to file containing a password for the key store + * *collector.keystore.alias* - a name of a certificate from a key store which VES will use during TLS handshake + +Property *header.authflag=1* may by used along *collector.service.secure.clientauth=1* in order to enable mutual TLS authentication and basic HTTP authentication. -- cgit 1.2.3-korg
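Review bot: In the last added line of tls-authentication.rst, "may by used along" should read "may be used along with", and the sentence does not say whether a client must then pass both the certificate check and HTTP basic authentication or only one of them; please state that explicitly. The text documents only *collector.service.secure.clientauth=1*; naming the value that turns client authentication off, and which value is the default, would let an operator confirm the setting from collector.properties. For *collector.truststore.file.location*, "certificates of clients or certificate authorities" should come with a note that a CA entry in the trust store admits any client certificate that CA has issued, unless VES applies a further check, which should then be described here. The two *passwordfile* properties point at files holding store passwords, so a sentence on restricting read access to those files and to the jks stores would be a useful addition.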