From d9911eeb5c2b30101882b60d64139cf5a3950e80 Mon Sep 17 00:00:00 2001
From: Zlatko Murgoski
Date: Tue, 9 Jul 2019 12:29:48 +0200
Subject: VES Collecotr - update documentation
https://jira.onap.org/browse/DCAEGEN2-1656
Issue-ID: DCAEGEN2-1618
Change-Id: I9f221163430f0913fbf96e8af005b0a10a772b73
Signed-off-by: Zlatko Murgoski
---
 docs/sections/services/ves-http/configuration.rst | 2 --
 docs/sections/services/ves-http/installation.rst | 2 --
 .../services/ves-http/tls-authentication.rst | 32 +++++++++++++++++++++-
 3 files changed, 31 insertions(+), 5 deletions(-)
diff --git a/docs/sections/services/ves-http/configuration.rst b/docs/sections/services/ves-http/configuration.rst
index a6862f58..eaadf277 100644
--- a/docs/sections/services/ves-http/configuration.rst
+++ b/docs/sections/services/ves-http/configuration.rst
@@ -16,7 +16,6 @@ VES expects to be able to fetch configuration directly from consul service in fo
 "collector.service.port": "8080",
 "collector.schema.file": "{\"v1\":\"./etc/CommonEventFormat_27.2.json\",\"v2\":\"./etc/CommonEventFormat_27.2.json\",\"v3\":\"./etc/CommonEventFormat_27.2.json\",\"v4\":\"./etc/CommonEventFormat_27.2.json\",\"v5\":\"./etc/CommonEventFormat_28.4.1.json\",\"v7\":\"./etc/CommonEventFormat_30.0.1.json\"}",
 "collector.keystore.passwordfile": "/opt/app/VESCollector/etc/passwordfile",
- "collector.inputQueue.maxPending": "8096",
 "streams_publishes": {
 "ves-measurement": {
 "type": "message_router",
@@ -58,7 +57,6 @@ VES expects to be able to fetch configuration directly from consul service in fo
 "collector.service.secure.port": "8443",
 "auth.method": "noAuth",
 "collector.keystore.file.location": "/opt/app/VESCollector/etc/keystore",
- "services_calls": [],
 "header.authlist": "sample1,$2a$10$0buh.2WeYwN868YMwnNNEuNEAMNYVU9.FSMJGyIKV3dGET/7oGOi6"
 }
diff --git a/docs/sections/services/ves-http/installation.rst b/docs/sections/services/ves-http/installation.rst
index 308a2ce3..be32d899 100644
--- a/docs/sections/services/ves-http/installation.rst
+++ b/docs/sections/services/ves-http/installation.rst
@@ -134,7 +134,6 @@ and remove following entry and save the changes; K8S will update the service de
 properties:
 application_config:
 collector.dmaap.streamid: fault=ves-fault|syslog=ves-syslog|heartbeat=ves-heartbeat|measurementsForVfScaling=ves-measurement|measurement=ves-measurement|mobileFlow=ves-mobileflow|other=ves-other|stateChange=ves-statechange|thresholdCrossingAlert=ves-thresholdCrossingAlert|voiceQuality=ves-voicequality|sipSignaling=ves-sipsignaling|notification=ves-notification|pnfRegistration=ves-pnfRegistration
- collector.inputQueue.maxPending: "8096"
 collector.keystore.file.location: /opt/app/VESCollector/etc/keystore
 collector.keystore.passwordfile: /opt/app/VESCollector/etc/passwordfile
 collector.schema.checkflag: "1"
@@ -144,7 +143,6 @@ and remove following entry and save the changes; K8S will update the service de
 event.transform.flag: "0"
 auth.method: certBasicAuth
 header.authlist: "sample1,$2a$10$0buh.2WeYwN868YMwnNNEuNEAMNYVU9.FSMJGyIKV3dGET/7oGOi6"
- services_calls: []
 streams_publishes:
 ves-fault:
 dmaap_info:
diff --git a/docs/sections/services/ves-http/tls-authentication.rst b/docs/sections/services/ves-http/tls-authentication.rst
index ad8d8d22..1ace3937 100644
--- a/docs/sections/services/ves-http/tls-authentication.rst
+++ b/docs/sections/services/ves-http/tls-authentication.rst
@@ -1,5 +1,11 @@
 .. This work is licensed under a Creative Commons Attribution 4.0 International License.
 .. http://creativecommons.org/licenses/by/4.0
+.. raw:: html
+
+
+.. role:: red
+.. role:: green
 Authentication Types
 ====================
@@ -19,6 +25,30 @@ Of course, mutual TLS authentication requires also server certificates, so follo
 Property *auth.method* is used to manage security mode, possible configuration: noAuth, basicAuth, certOnly, certBasicAuth
 * *auth.method=noAuth* default option - no security (http)
+ * *auth.method=certOnly* is used to enable mutual TLS authentication (https)
+
+ * client without cert and without basic auth = :red:`Authentication failure`
+ * client without cert and wrong basic auth = :red:`Authentication failure`
+ * client without cert and correct basic auth = :red:`Authentication failure`
+ * client with cert and without/wrong basic auth = :green:`Authentication successful`
+ * client with cert and correct basic auth = :green:`Authentication successful`
 * *auth.method=certBasicAuth* is used to enable mutual TLS authentication or/and basic HTTPs authentication
- * *auth.method=basicAuth* is used to enable basic HTTPs authentication
\ No newline at end of file
+
+ * client without cert and without basic auth = :red:`Authentication failure`
+ * client without cert and wrong basic auth = :red:`Authentication failure`
+ * client without cert and correct basic auth = :green:`Authentication successful`
+ * client with cert and without/wrong basic auth = :green:`Authentication successful`
+ * client with cert and correct basic auth = :green:`Authentication successful`
+
+ * *auth.method=basicAuth* is used to enable basic HTTPs authentication
+
+ * client without cert and without basic auth = :red:`Authentication failure`
+ * client without cert and wrong basic auth = :red:`Authentication failure`
+ * client without cert and correct basic auth = :green:`Authentication successful`
+ * client with cert and without/wrong basic auth = :red:`Authentication failure`
+ * client with cert and correct basic auth = :green:`Authentication successful`
+
+When application is in certOnly or certBasicAuth mode then certificates are also validated by regexp in
/etc/certSubjectMatcher.properties,
+only SubjectDn field in certificate description are checked. Default regexp value is .* means that we approve all SubjectDN values.
-- cgit 1.2.3-korg