author Matthieu Geerebaert <matthieu.geerebaert@orange.com> 2019-05-10 16:45:37 +0200
committer Matthieu Geerebaert <matthieu.geerebaert@orange.com> 2019-05-15 12:39:38 +0200
commit 082be1a805d268bb4ae01dc75a8e63da082504ac
tree 24ee18fadb9b8e9ee8e0d0b265a7674a790d4d9f
parent 4e864e25383896e6a04d608b86fed31c23b7f3cf
Document Release note, vulnerability section, exposing only a non https API

Add HTTP/HTTPS relative warning in Security Notes section

Change-Id: I3fafdcd376fd58a9ad4fcf980cd74707e0799ebe
Issue-ID: EXTAPI-238
Signed-off-by: MatthieuGeerebaert <matthieu.geerebaert@orange.com>
-rwxr-xr-x docs/releasenotes/releasenotes.rst 27
1 files changed, 23 insertions, 4 deletions
diff --git a/docs/releasenotes/releasenotes.rst b/docs/releasenotes/releasenotes.rst
index 99dc838..5b656b6 100755
--- a/docs/releasenotes/releasenotes.rst
+++ b/docs/releasenotes/releasenotes.rst
@@ -38,14 +38,33 @@ Many other changes and improvement are listed in JIRA:
**Known Issues**
- `EXTAPI-197 <https://jira.onap.org/browse/EXTAPI-197>`_ - Bad hostname while registering on MSB`
-
-Will be fixed in the next release El Alto
+- `EXTAPI-222 <https://jira.onap.org/browse/EXTAPI-222>`_ - Add support for HTTPS`
**Security Notes**
-NBI still exposes non TLS API endpoint. TLS will be proposed in next the release, El Alto.
+NBI has been improved to reduce signs of vulnerabilities,
+especially by migrating from Springboot 1.x to Springboot 2 and using ONAP Parent pom.xml
+
+Warning: NBI exposes non TLS API endpoint on port 30274, meaning full plain text exchange with NBI API.
+TLS configuration, with ONAP Root CA signed certificate will be proposed in El Alto.
+
+As a workaround it is quite easy to add HTTPS support to NBI by configuring SSL and activating strict https.
+Presuming you have a valid JKS keystore, with private key and a signed certificate:
+
+::
+
+ src/main/resources/application.properties
+
+::
+
+ # tls/ssl
+ server.ssl.key-store-type=JKS
+ server.ssl.key-store=classpath:certificate/yourkeystore.jks
+ server.ssl.key-store-password=password
+ server.ssl.key-alias=youralias
-NBI has been improved to reduce signs of vulnerabilities, especially by migrating from Springboot 1.x to Springboot 2 and using the ONAP Parent pom.xml
+ # disable http and activate https
+ security.require-ssl=true
- `Dublin Vulnerability Report <https://wiki.onap.org/pages/viewpage.action?pageId=51282484>`_
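Review bot: `security.require-ssl=true` under "# disable http and activate https" is a Spring Boot 1.x security property, while the same Security Notes text says NBI has migrated to Springboot 2, where that property no longer exists, so the documented workaround would not enforce HTTPS-only the way the comment claims. Once the `server.ssl.*` keys are set, the embedded server already serves TLS on its configured port; suggest dropping the `security.require-ssl` line or replacing it with guidance that is valid for Spring Boot 2, and rewording the comment to match. Separately, `server.ssl.key-store-password=password` together with `server.ssl.key-store=classpath:certificate/yourkeystore.jks` documents a pattern that puts the keystore password in a source-tree properties file and the private key inside the build artifact; the note should state that these values are placeholders and recommend supplying the keystore location and password externally at deploy time. Minor: the added EXTAPI-222 line ends with a stray backtick after "Add support for HTTPS", and the workaround does not say whether the exposed port 30274 mentioned in the warning then carries HTTPS, which readers will need to know.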