authorMichael Mokry <mm117s@att.com>2018-09-21 15:56:43 -0500
committerMichael Mokry <mm117s@att.com>2018-09-25 08:59:59 -0500
commite9312923e96a2678f794fcf08ff5918d1b005bbd (patch)
tree14625c864f82336de5e9dfc2568283092b183e36
parent26eed4a43bd97265ea08ded2eaf626a23bf66ce4 (diff)
CADI AAF changes for policy/engine
Added CADI properties and modified the policy AAF client code. Fixed an issue with the namespace and modified the code to reverse it when structuring the username sent in the AAF API call. Added properties for the keystore and keystore password after getting an error response from AAF when setting up the connection to AAF. Also includes a fix for one of Jorge's comments that was missed in the last patch. Change-Id: Ic164ade8aa34da95a560c1592656e0caf990a595 Issue-ID: POLICY-913 Signed-off-by: Michael Mokry <mm117s@att.com>
-rw-r--r--ONAP-PDP-REST/src/main/java/org/onap/policy/pdp/rest/config/PDPApiAuth.java278
-rw-r--r--PolicyEngineUtils/src/main/java/org/onap/policy/utils/AAFPolicyClientImpl.java158
-rw-r--r--packages/base/src/files/etc/ssl/aaf-cadi.keyfile27
-rw-r--r--packages/base/src/files/install/servers/pdp/bin/xacml.pdp.properties26
-rw-r--r--packages/install/src/files/base.conf3
5 files changed, 267 insertions, 225 deletions
diff --git a/ONAP-PDP-REST/src/main/java/org/onap/policy/pdp/rest/config/PDPApiAuth.java b/ONAP-PDP-REST/src/main/java/org/onap/policy/pdp/rest/config/PDPApiAuth.java
index 1e3a41aeb..d06321d64 100644
--- a/ONAP-PDP-REST/src/main/java/org/onap/policy/pdp/rest/config/PDPApiAuth.java
+++ b/ONAP-PDP-REST/src/main/java/org/onap/policy/pdp/rest/config/PDPApiAuth.java
@@ -27,7 +27,9 @@ import java.nio.file.Paths;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Base64;
+import java.util.Collections;
import java.util.HashMap;
+import java.util.List;
import java.util.Map;
import java.util.Properties;
import java.util.StringTokenizer;
@@ -45,145 +47,153 @@ import org.onap.policy.xacml.api.XACMLErrorConstants;
import com.att.research.xacml.util.XACMLProperties;
public class PDPApiAuth {
- private static final Logger LOGGER = FlexLogger.getLogger(PDPApiAuth.class);
+ private static final Logger LOGGER = FlexLogger.getLogger(PDPApiAuth.class);
- private static String environment = null;
- private static Path clientPath = null;
- private static Map<String,ArrayList<String>> clientMap = null;
- private static Long oldModified = null;
- private static AAFPolicyClient aafClient = null;
+ private static String environment = null;
+ private static Path clientPath = null;
+ private static Map<String,ArrayList<String>> clientMap = null;
+ private static Long oldModified = null;
+ private static AAFPolicyClient aafClient = null;
- private PDPApiAuth(){
- // Private Constructor
- }
+ private PDPApiAuth(){
+ // Private Constructor
+ }
- /*
- * Set Property by reading the properties File.
- */
- public static void setProperty() {
- environment = XACMLProperties.getProperty("ENVIRONMENT", "DEVL");
- String clientFile = XACMLProperties.getProperty(XACMLRestProperties.PROP_PEP_IDFILE);
- if(clientFile!=null){
- clientPath = Paths.get(clientFile);
- }
- try {
- aafClient = AAFPolicyClient.getInstance(XACMLProperties.getProperties());
- } catch (AAFPolicyException | IOException e) {
- LOGGER.error(MessageCodes.ERROR_SYSTEM_ERROR, e, "AAF Client Not instantiated properly.");
- }
- }
+ /*
+ * Set Property by reading the properties File.
+ */
+ public static void setProperty() {
+ environment = XACMLProperties.getProperty("ENVIRONMENT", "DEVL");
+ String clientFile = XACMLProperties.getProperty(XACMLRestProperties.PROP_PEP_IDFILE);
+ if(clientFile!=null){
+ clientPath = Paths.get(clientFile);
+ }
+ try {
+ aafClient = AAFPolicyClient.getInstance(XACMLProperties.getProperties());
+ } catch (AAFPolicyException | IOException e) {
+ LOGGER.error(MessageCodes.ERROR_SYSTEM_ERROR, e, "AAF Client Not instantiated properly.");
+ }
+ }
- /*
- * Return Environment value of the PDP servlet.
- */
- public static String getEnvironment() {
- if(environment==null){
- setProperty();
- }
- return environment;
- }
+ /*
+ * Return Environment value of the PDP servlet.
+ */
+ public static String getEnvironment() {
+ if(environment==null){
+ setProperty();
+ }
+ return environment;
+ }
- /*
- * Security check for authentication and authorizations.
- */
- public static boolean checkPermissions(String clientEncoding, String requestID,
- String resource) {
- try{
- String[] userNamePass = PolicyUtils.decodeBasicEncoding(clientEncoding);
- if(userNamePass==null || userNamePass.length==0){
- String usernameAndPassword = null;
- byte[] decodedBytes = Base64.getDecoder().decode(clientEncoding);
- usernameAndPassword = new String(decodedBytes, "UTF-8");
- StringTokenizer tokenizer = new StringTokenizer(usernameAndPassword, ":");
- String username = tokenizer.nextToken();
- String password = tokenizer.nextToken();
- userNamePass= new String[]{username, password};
- }
- LOGGER.info("User " + userNamePass[0] + " is Accessing Policy Engine API.");
- Boolean result = false;
- // Check Backward Compatibility.
- try{
- result = clientAuth(userNamePass);
- }catch(Exception e){
- LOGGER.error(MessageCodes.ERROR_PERMISSIONS, e);
- }
- if(!result){
- String aafPolicyNameSpace = XACMLProperties.getProperty("policy.aaf.namespace");
- String aafResource = XACMLProperties.getProperty("policy.aaf.resource");
- if(!userNamePass[0].contains("@") && aafPolicyNameSpace!= null){
- userNamePass[0] = userNamePass[0] + "@" + aafPolicyNameSpace;
- }else{
- LOGGER.info("No AAF NameSpace specified in properties");
- }
- if(aafResource != null){
- resource = aafResource + resource;
- }else{
- LOGGER.info("No AAF Resource specified in properties");
- }
- LOGGER.info("Contacting AAF in : " + environment);
- result = aafClient.checkAuthPerm(userNamePass[0], userNamePass[1], resource, environment, ".*");
- }
- return result;
- }catch(Exception e){
- LOGGER.error(MessageCodes.ERROR_PERMISSIONS, e);
- return false;
- }
- }
+ /*
+ * Security check for authentication and authorizations.
+ */
+ public static boolean checkPermissions(String clientEncoding, String requestID,
+ String resource) {
+ try{
+ String[] userNamePass = PolicyUtils.decodeBasicEncoding(clientEncoding);
+ if(userNamePass==null || userNamePass.length==0){
+ String usernameAndPassword = null;
+ byte[] decodedBytes = Base64.getDecoder().decode(clientEncoding);
+ usernameAndPassword = new String(decodedBytes, "UTF-8");
+ StringTokenizer tokenizer = new StringTokenizer(usernameAndPassword, ":");
+ String username = tokenizer.nextToken();
+ String password = tokenizer.nextToken();
+ userNamePass= new String[]{username, password};
+ }
+ LOGGER.info("User " + userNamePass[0] + " is Accessing Policy Engine API.");
+ Boolean result = false;
+ // Check Backward Compatibility.
+ try{
+ result = clientAuth(userNamePass);
+ }catch(Exception e){
+ LOGGER.error(MessageCodes.ERROR_PERMISSIONS, e);
+ }
+ if(!result){
+ String aafPolicyNameSpace = XACMLProperties.getProperty("policy.aaf.namespace");
+ String aafResource = XACMLProperties.getProperty("policy.aaf.root.permission");
+ String type = null;
+ if(!userNamePass[0].contains("@") && aafPolicyNameSpace!= null){
+ userNamePass[0] = userNamePass[0] + "@" + reverseNamespace(aafPolicyNameSpace);
+ }else{
+ LOGGER.info("No AAF NameSpace specified in properties");
+ }
+ if(aafResource != null){
+ type = aafResource + "." + resource;
+ }else{
+ LOGGER.warn("No AAF Resource specified in properties");
+ return false;
+ }
+ LOGGER.info("Contacting AAF in : " + environment);
+ result = aafClient.checkAuthPerm(userNamePass[0], userNamePass[1], type, environment, "*");
+ }
+ return result;
+ }catch(Exception e){
+ LOGGER.error(MessageCodes.ERROR_PERMISSIONS, e);
+ return false;
+ }
+ }
- private static Boolean clientAuth(String[] userNamePass){
- if(clientPath==null){
- setProperty();
- }
- if (!clientPath.toFile().exists()) {
- return false;
- }else if(clientPath.toString().endsWith(".properties")) {
- try {
- readProps(clientPath);
- if (clientMap.containsKey(userNamePass[0]) && clientMap.get(userNamePass[0]).get(0).equals(userNamePass[1])) {
- return true;
- }
- }catch(PolicyEngineException e){
- LOGGER.error(MessageCodes.ERROR_PERMISSIONS, e);
- return false;
- }
- }
- return false;
- }
+ private static Boolean clientAuth(String[] userNamePass){
+ if(clientPath==null){
+ setProperty();
+ }
+ if (!clientPath.toFile().exists()) {
+ return false;
+ }else if(clientPath.toString().endsWith(".properties")) {
+ try {
+ readProps(clientPath);
+ if (clientMap.containsKey(userNamePass[0]) && clientMap.get(userNamePass[0]).get(0).equals(userNamePass[1])) {
+ return true;
+ }
+ }catch(PolicyEngineException e){
+ LOGGER.error(MessageCodes.ERROR_PERMISSIONS, e);
+ return false;
+ }
+ }
+ return false;
+ }
- private static Map<String, ArrayList<String>> readProps(Path clientPath) throws PolicyEngineException{
- if(oldModified!=null){
- Long newModified = clientPath.toFile().lastModified();
- if (newModified == oldModified) {
- return clientMap;
- }
- }
- InputStream in;
- Properties clientProp = new Properties();
- try {
- in = new FileInputStream(clientPath.toFile());
- clientProp.load(in);
- } catch (IOException e) {
- LOGGER.error(XACMLErrorConstants.ERROR_SYSTEM_ERROR , e);
- throw new PolicyEngineException(XACMLErrorConstants.ERROR_SYSTEM_ERROR +"Cannot Load the Properties file", e);
- }
- // Read the Properties and Load the Clients and their scopes.
- clientMap = new HashMap<>();
- //
- for (Object propKey : clientProp.keySet()) {
- String clientID = (String)propKey;
- String clientValue = clientProp.getProperty(clientID);
- if (clientValue != null && clientValue.contains(",")) {
- ArrayList<String> clientValues = new ArrayList<>(Arrays.asList(clientValue.split("\\s*,\\s*")));
- if(clientValues.get(0)!=null || clientValues.get(1)!=null || clientValues.get(0).isEmpty() || clientValues.get(1).isEmpty()){
- clientMap.put(clientID, clientValues);
- }
- }
- }
- if (clientMap.isEmpty()) {
- LOGGER.debug(XACMLErrorConstants.ERROR_PERMISSIONS + "No Clients ID , Client Key and Scopes are available. Cannot serve any Clients !!");
- throw new PolicyEngineException("Empty Client file");
- }
- oldModified = clientPath.toFile().lastModified();
- return clientMap;
- }
+ private static String reverseNamespace(String namespace) {
+ final List<String> components = Arrays.asList(namespace.split("\\."));
+ Collections.reverse(components);
+ return String.join(".", components);
+ }
+
+ private static Map<String, ArrayList<String>> readProps(Path clientPath) throws PolicyEngineException{
+ if(oldModified!=null){
+ Long newModified = clientPath.toFile().lastModified();
+ if (newModified == oldModified) {
+ return clientMap;
+ }
+ }
+ InputStream in;
+ Properties clientProp = new Properties();
+ try {
+ in = new FileInputStream(clientPath.toFile());
+ clientProp.load(in);
+ } catch (IOException e) {
+ LOGGER.error(XACMLErrorConstants.ERROR_SYSTEM_ERROR , e);
+ throw new PolicyEngineException(XACMLErrorConstants.ERROR_SYSTEM_ERROR +"Cannot Load the Properties file", e);
+ }
+ // Read the Properties and Load the Clients and their scopes.
+ clientMap = new HashMap<>();
+ //
+ for (Object propKey : clientProp.keySet()) {
+ String clientID = (String)propKey;
+ String clientValue = clientProp.getProperty(clientID);
+ if (clientValue != null && clientValue.contains(",")) {
+ ArrayList<String> clientValues = new ArrayList<>(Arrays.asList(clientValue.split("\\s*,\\s*")));
+ if(clientValues.get(0)!=null || clientValues.get(1)!=null || clientValues.get(0).isEmpty() || clientValues.get(1).isEmpty()){
+ clientMap.put(clientID, clientValues);
+ }
+ }
+ }
+ if (clientMap.isEmpty()) {
+ LOGGER.debug(XACMLErrorConstants.ERROR_PERMISSIONS + "No Clients ID , Client Key and Scopes are available. Cannot serve any Clients !!");
+ throw new PolicyEngineException("Empty Client file");
+ }
+ oldModified = clientPath.toFile().lastModified();
+ return clientMap;
+ }
} \ No newline at end of file
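Review bot: The new AAF branch in checkPermissions dereferences `aafClient` unconditionally (`aafClient.checkAuthPerm(...)`), but setProperty leaves that field null when `AAFPolicyClient.getInstance` throws — it only logs "AAF Client Not instantiated properly." — so a misconfigured PDP denies every non-legacy caller via a NullPointerException swallowed by the generic catch, which makes the failure hard to diagnose from the ERROR_PERMISSIONS log. Add an explicit guard before the call: `if (aafClient == null) { LOGGER.error("AAF client not initialised; denying request from " + userNamePass[0]); return false; }`. Two pre-existing issues on the new side are worth fixing while this file is being touched: readProps never closes the `FileInputStream` it opens (`try (InputStream in = new FileInputStream(clientPath.toFile())) { clientProp.load(in); }`), and clientAuth compares the client-file password with `String.equals`, which is not constant-time — `MessageDigest.isEqual` on the UTF-8 bytes avoids the timing side channel. The condition in readProps that gates `clientMap.put` is also effectively always true and will throw IndexOutOfBoundsException for a value such as `id,` that splits to a single element; checking `clientValues.size() >= 2` first would fail the entry cleanly.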
diff --git a/PolicyEngineUtils/src/main/java/org/onap/policy/utils/AAFPolicyClientImpl.java b/PolicyEngineUtils/src/main/java/org/onap/policy/utils/AAFPolicyClientImpl.java
index e65ac2780..1513507ca 100644
--- a/PolicyEngineUtils/src/main/java/org/onap/policy/utils/AAFPolicyClientImpl.java
+++ b/PolicyEngineUtils/src/main/java/org/onap/policy/utils/AAFPolicyClientImpl.java
@@ -32,53 +32,41 @@ import org.onap.aaf.cadi.aaf.v2_0.AAFAuthn;
import org.onap.aaf.cadi.aaf.v2_0.AAFCon;
import org.onap.aaf.cadi.aaf.v2_0.AAFConHttp;
import org.onap.aaf.cadi.aaf.v2_0.AAFLurPerm;
-import org.onap.aaf.cadi.config.Config;
import org.onap.aaf.cadi.locator.PropertyLocator;
import org.onap.aaf.cadi.principal.UnAuthPrincipal;
-
-
/**
- * AAF Client: Generic AAF Client implementation to connect to AAF Resources to validate permissions and authorization.
+ * AAF Client: Generic AAF Client implementation to connect to AAF Resources to
+ * validate permissions and authorization.
*
*/
-public class AAFPolicyClientImpl implements AAFPolicyClient{
+public class AAFPolicyClientImpl implements AAFPolicyClient {
private static Logger logger = Logger.getLogger(AAFPolicyClientImpl.class.getName());
private static final String ENVIRONMENT = "ENVIRONMENT";
-
- // Warning Please don't Change these Values. Confirm with AAF team.
- private static final String DEVL_AAF_URL = "";
- private static final String TEST_AAF_URL = "";
- private static final String PROD_AAF_URL = "";
- private static final String DEFAULT_AFT_LATITUDE = "32.780140";
- private static final String DEFAULT_AFT_LONGITUDE = "-96.800451";
- private static final String TEST_AFT_ENVIRONMENT = "AFTUAT";
- private static final String PROD_AFT_ENVIRONMENT = "AFTPRD";
- private static final String DEFAULT_AAF_USER_EXPIRES = Integer.toString(5*60000); // 5 minutes for found items to live in cache
- private static final String DEFAULT_AAF_HIGH_COUNT = Integer.toString(400); // Maximum number of items in Cache
-
private static AAFPolicyClientImpl instance = null;
-
- private static Properties props = new Properties();
+ private static Properties cadiprops = new Properties();
private static AAFCon<?> aafCon = null;
private static AAFLurPerm aafLurPerm = null;
private static AAFAuthn<?> aafAuthn = null;
private static PropAccess access = null;
- private AAFPolicyClientImpl(Properties properties) throws AAFPolicyException{
+ private AAFPolicyClientImpl(Properties properties) throws AAFPolicyException {
setup(properties);
}
/**
- * Gets the instance of the AAFClient instance. Needs Proper properties with CLIENT_ID, CLIENT_KEY and ENVIRONMENT
+ * Gets the instance of the AAFClient instance. Needs Proper properties with
+ * CLIENT_ID, CLIENT_KEY and ENVIRONMENT
*
- * @param properties Properties with CLIENT_ID, CLIENT_KEY and ENVIRONMENT
+ * @param properties
+ * Properties with CLIENT_ID, CLIENT_KEY and ENVIRONMENT
* @return AAFClient instance.
- * @throws AAFPolicyException Exceptions.
+ * @throws AAFPolicyException
+ * Exceptions.
*/
- public static synchronized AAFPolicyClientImpl getInstance(Properties properties) throws AAFPolicyException{
- if(instance == null) {
+ public static synchronized AAFPolicyClientImpl getInstance(Properties properties) throws AAFPolicyException {
+ if (instance == null) {
logger.info("Creating AAFClient Instance ");
instance = new AAFPolicyClientImpl(properties);
}
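Review bot: The reflowed Javadoc on getInstance still says the client "Needs Proper properties with CLIENT_ID, CLIENT_KEY and ENVIRONMENT", but the new setup in this commit no longer reads those names — it hands the whole Properties object to PolicyAccess as CADI properties and, in setUpAAF, builds the locator from `aaf_fqdn`. Update the summary and `@param` to match, e.g. "Needs the CADI/AAF properties (cadi_keyfile, cadi_keystore, aaf_fqdn, policy.aaf.namespace, ...) used to construct PolicyAccess and the AAF connection", so operators are not told to set keys the code ignores. The removal of the hard-coded DEVL/TEST/PROD URL constants is fine, but the class-level comment could say where the AAF endpoint now comes from.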
@@ -87,84 +75,76 @@ public class AAFPolicyClientImpl implements AAFPolicyClient{
// To set Property values && Connections.
private static void setup(Properties properties) throws AAFPolicyException {
- if(properties!=null && !properties.isEmpty()){
- props = System.getProperties();
- props.setProperty("AFT_LATITUDE", properties.getProperty("AFT_LATITUDE", DEFAULT_AFT_LATITUDE));
- props.setProperty("AFT_LONGITUDE", properties.getProperty("AFT_LONGITUDE", DEFAULT_AFT_LONGITUDE));
- String aftEnv = TEST_AFT_ENVIRONMENT;
- props.setProperty("aaf_id",properties.getProperty("aaf_id", "aafID"));
- props.setProperty("aaf_password", properties.getProperty("aaf_password", "aafPass"));
- if(properties.containsKey(Config.AAF_URL)){
- // if given a value in properties file.
- props.setProperty(Config.AAF_URL, properties.getProperty(Config.AAF_URL));
- }else{
- // Set Default values.
- if(properties.getProperty(ENVIRONMENT, "DEVL").equalsIgnoreCase(AAFEnvironment.TEST.toString())){
- props.setProperty(Config.AAF_URL, TEST_AAF_URL);
- }else if(properties.getProperty(ENVIRONMENT, "DEVL").equalsIgnoreCase(AAFEnvironment.PROD.toString())){
- props.setProperty(Config.AAF_URL, PROD_AAF_URL);
- aftEnv = PROD_AFT_ENVIRONMENT;
- }else{
- props.setProperty(Config.AAF_URL, DEVL_AAF_URL);
- }
- }
- props.setProperty("AFT_ENVIRONMENT", properties.getProperty("AFT_ENVIRONMENT", aftEnv));
- props.setProperty(Config.AAF_USER_EXPIRES, properties.getProperty(Config.AAF_USER_EXPIRES, DEFAULT_AAF_USER_EXPIRES));
- props.setProperty(Config.AAF_HIGH_COUNT, properties.getProperty(Config.AAF_HIGH_COUNT, DEFAULT_AAF_HIGH_COUNT));
- }else{
+ if (properties != null && !properties.isEmpty()) {
+ cadiprops = properties;
+ access = new PolicyAccess(cadiprops,
+ Level.valueOf(cadiprops.getProperty("cadi_loglevel", Level.DEBUG.toString())));
+ } else {
logger.error("Required Property value is missing : " + ENVIRONMENT);
throw new AAFPolicyException("Required Property value is missing : " + ENVIRONMENT);
}
- access = new PolicyAccess(props, Level.valueOf(properties.getProperty("AAF_LOG_LEVEL", Level.ERROR.toString())));
setUpAAF();
}
/**
* Updates the Properties file in case if required.
*
- * @param properties Properties with CLIENT_ID, CLIENT_KEY and ENVIRONMENT
- * @throws AAFPolicyException exceptions if any.
+ * @param properties
+ * Properties with CLIENT_ID, CLIENT_KEY and ENVIRONMENT
+ * @throws AAFPolicyException
+ * exceptions if any.
*/
@Override
- public void updateProperties(Properties properties) throws AAFPolicyException{
+ public void updateProperties(Properties properties) throws AAFPolicyException {
setup(properties);
}
/**
* Checks the Authentication and Permissions for the given values.
*
- * @param mechID MechID or ATT ID must be registered under the Name space.
- * @param pass Password pertaining to the MechID or ATTID.
- * @param type Permissions Type.
- * @param instance Permissions Instance.
- * @param action Permissions Action.
+ * @param userName
+ * Username must be registered under the Name space.
+ * @param pass
+ * Password pertaining to the Username.
+ * @param type
+ * Permissions Type.
+ * @param instance
+ * Permissions Instance.
+ * @param action
+ * Permissions Action.
* @return
*/
@Override
- public boolean checkAuthPerm(String mechID, String pass, String type, String instance, String action){
- return checkAuth(mechID, pass) && checkPerm(mechID, pass, type, instance, action);
+ public boolean checkAuthPerm(String userName, String pass, String type, String instance, String action) {
+ return checkAuth(userName, pass) && checkPerm(userName, pass, type, instance, action);
}
/**
* Checks the Authentication of the UserName and Password Given.
*
- * @param userName UserName or MechID
- * @param pass Password.
+ * @param userName
+ * UserName
+ * @param pass
+ * Password.
* @return True or False.
*/
@Override
- public boolean checkAuth(String userName, String pass){
+ public boolean checkAuth(String userName, String pass) {
if (aafAuthn == null) {
return false;
}
try {
- int i=0;
- do{
- if(aafAuthn.validate(userName, pass)==null){
+ int i = 0;
+ do {
+ String aafAuthResponse = aafAuthn.validate(userName, pass);
+ if (aafAuthResponse==null) {
return true;
+ } else {
+ logger.warn("User, " + userName + ", failed to authenticate with AAF. \n"
+ + "AAF Response is " + aafAuthResponse);
}
i++;
- }while(i<2);
+ } while (i < 2);
} catch (Exception e) {
logger.error(e.getMessage() + e);
}
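Review bot: setup now defaults the CADI log level to DEBUG when `cadi_loglevel` is absent (`Level.valueOf(cadiprops.getProperty("cadi_loglevel", Level.DEBUG.toString()))`), whereas the removed line defaulted to ERROR; CADI at DEBUG is verbose and, as far as I know, can emit request and principal details, so the absent-property default should stay conservative: `Level.valueOf(cadiprops.getProperty("cadi_loglevel", Level.ERROR.toString()))`. A misspelled level value also surfaces as an IllegalArgumentException from `Level.valueOf` rather than the AAFPolicyException this method declares; wrapping it (`catch (IllegalArgumentException e) { throw new AAFPolicyException("Invalid cadi_loglevel", e); }`) keeps the contract. Separately, the error message on the empty-properties branch still reads "Required Property value is missing : ENVIRONMENT" even though the check is now for a null or empty Properties object, which will mislead whoever reads the log.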
@@ -173,28 +153,31 @@ public class AAFPolicyClientImpl implements AAFPolicyClient{
}
/**
- * Checks Permissions for the given UserName, Password and Type, Instance Action.
+ * Checks Permissions for the given UserName, Password and Type, Instance
+ * Action.
*
- * @param userName UserName or MechID
- * @param pass Password.
- * @param type Permissions Type.
- * @param instance Permissions Instance.
- * @param action Permissions Action.
+ * @param userName
+ * UserName
+ * @param pass
+ * Password.
+ * @param type
+ * Permissions Type.
+ * @param instance
+ * Permissions Instance.
+ * @param action
+ * Permissions Action.
* @return True or False.
*/
@Override
- public boolean checkPerm(String userName, String pass, String type, String instance, String action){
- int i =0;
- Boolean result= false;
- do{
- if(aafCon!=null && aafLurPerm !=null){
+ public boolean checkPerm(String userName, String pass, String type, String instance, String action) {
+ int i = 0;
+ Boolean result = false;
+ do {
+ if (aafCon != null && aafLurPerm != null) {
try {
aafCon.basicAuth(userName, pass);
- //
- // The first parameter is the namespace. At this point we will default
- // to null until we are given a namespace to use.
- //
- AAFPermission perm = new AAFPermission(null, type, instance, action);
+ AAFPermission perm = new AAFPermission(cadiprops.getProperty("policy.aaf.namespace"), type,
+ instance, action);
final Principal p = new UnAuthPrincipal(userName);
result = aafLurPerm.fish(p, perm);
} catch (CadiException e) {
@@ -203,13 +186,14 @@ public class AAFPolicyClientImpl implements AAFPolicyClient{
}
}
i++;
- }while(i<2 && !result); // Try once more to check if this can be passed. AAF has some issues.
+ } while (i < 2 && !result); // Try once more to check if this can be passed. AAF has some issues.
return result;
}
- private static boolean setUpAAF(){
+ private static boolean setUpAAF() {
try {
- aafCon = new AAFConHttp(access,new PropertyLocator("https://aaf-onap-beijing-test.osaaf.org:8100"));
+ aafCon = new AAFConHttp(access,
+ new PropertyLocator("https://" + cadiprops.getProperty("aaf_fqdn") + ":8100"));
aafLurPerm = aafCon.newLur();
aafAuthn = aafCon.newAuthn(aafLurPerm);
return true;
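Review bot: setUpAAF builds the AAF endpoint as `"https://" + cadiprops.getProperty("aaf_fqdn") + ":8100"`, which yields the literal `https://null:8100` when `aaf_fqdn` is unset and hard-codes a port that disagrees with the `aaf_url` (`...:8095/AAF_NS.service:2.1`) this same commit adds to xacml.pdp.properties; the two should come from one place. Prefer reading the URL property and failing fast: `String aafUrl = cadiprops.getProperty("aaf_url"); if (aafUrl == null) { logger.error("aaf_url not configured"); return false; }` and then `new PropertyLocator(aafUrl)` — which of 8095 or 8100 is the right port for this locator I cannot tell from the diff, so please confirm against the AAF deployment. The catch block of setUpAAF lies outside this hunk. In checkPerm, `cadiprops.getProperty("policy.aaf.namespace")` can likewise be null and is passed straight into `AAFPermission`; a WARN when it is missing would make a permission miss easier to diagnose.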
diff --git a/packages/base/src/files/etc/ssl/aaf-cadi.keyfile b/packages/base/src/files/etc/ssl/aaf-cadi.keyfile
new file mode 100644
index 000000000..59d544f3e
--- /dev/null
+++ b/packages/base/src/files/etc/ssl/aaf-cadi.keyfile
@@ -0,0 +1,27 @@
+N3INM2bAlQ8cNODnjR3Fuvo5z4GeID0KnRYlELmt-oHCFxq_XYVyepBVR591CIbJI9prNd_LLuv7
+tQD8xX_ypcNA-jQsecTwtw4GxvpqkZPhq6Q8BWNQaCegtXGDVTQ8gG2biKiQ7v-2C6Qhx4zj62b6
+bRPS5j1bfxqcAZu7082V00oQjbn40T2zFcLwCuBChZfx5DXTW49bwtLbkCbGqJSzFcIJpbGQ8gLg
+ussIoL8VE2Vee7bPJmUAdT4x9B1wrMIuvKlUMppeq0Bj-6ZJgxhM9F0WT8eEBh6NFANdK3LUgZrk
+D3kY3LrK-MT9u1TOMx13nOU7vOaVjl7_rkp5Q65gFd9VYbnJBYvJcc7asOQMsrugiSiRIoXH0Fyy
+-f9L3ROGae042J4M8qxcoOihMbcjVkEXqn6eRIFbDe0eIAlkSRYfaxg9v4tf8GbBjQcShBjzGaI2
+g6QxTA5G6Aa7p63aVRGv3ZODCHcbsbxnkyByXgmkON4cTk9vR0RbT6YYhT5t8xTU3rhqV3jeE0Bz
+KbU0c4188xTnhdq_bje2TuuLvtEvevdvDsbtAj7chQmWMOW7GMF3MnqdEpcw1NCoNRdN8wpAdE-5
+mkG-jlYHljSRh9qZK5wdEoO4IXgpFktdGj50XuzcskqqURNfDGHGb29fHznL1-ssdQK6EXcKN0AU
+nYyGLAie3VfFxWKj5dGODBs5RttvkX4PHyLcLD3kOrVgtQrz7d0PWWYCxDRqKT6qnJkLB1CUwghn
+XweEiDfoQmuUmwFEQNRDp0NGLnde5nsw7NYgLrv5VafGK8EyT4GeVhuu5Tnb6T-HalxCq2p5JaIA
+SG8zlDmRx_TykrhfQEJe7sr0pRcAMwgxEhwunG2oBiKnzdRx5jxMfqnVC8xGirumhmOQNterfnd5
+0pIsfvIuntyxRQ48yzIb2gb5kaSkfSzCaVnlqK-_jpj1T74qO86eaKVee4faQAbXDPYF2z5w06nD
+WS2dd54wBjGmkFNzi13ejTrAJeA6UzOd1CF_WSpc9XSJJPTPUGxmnfLjmGThErFBYuQxjhpH7vKN
+uZgokkIXX78rVcO3zpfa5kTYWjE8lk9y3WA7sGNtTWfG8bR3WLWNLPCnrzxtKZdhq2JsQYC0gwW7
+ZgJSXhgPoaC_RrtCn7haj1_601G_MkD-jcUEsO-4XOBVicsCgG8hn7B-SpgKspqv8gulbeKoORqa
+CkrtiFPlXEqdNuaBSHcQ0MWJ3tpXzWtIPM3ouEFOR32xVfptfz4sRPOkM_PNiVXxQtLOn_z3uC7K
+VVJCKZxVaavQ6QiZvRRANS9_GD3kDILX15EnbEvh-2DfycDrEo330vMwvNJP7i9eM5vo0YADe--G
+r5UDqctmFjl1ulc1yAQkDBGWGxT92x-hhLqCnCXcYPu_aeWssfDpRj573PHPaTiM0SYxJixjszRD
+6-AMC1DqugkjiGA5_enQORn-G_H4ZVtoQ_zebizEfIxKv5-8uRdyZDHGG3mDu6_nasEffry-UyVu
+STU3oJMycZ1qf5GR1evRJ7gxkrtPXHWKNnVgxfrBC72ON6wJnr7KaY-l9L44epIsk1pEmXm3YQu1
+N0NxiAwdus9OnCXQ7GgZPRXCpxjJPNs7EIKFrYjKJfdtSzT85ZrTpHQtjim2L1ZP9iIlq2QVKD1v
+bKSjCwjtb9ztjrV-Bw1BHcAApPcfpXHLhYkJ7iL1XUhxjXp_DGUkD7ZN9S5tuyrsMXz5hh6wMfcq
+NPR_XqHaS2ur-ONNrHuFFCmY7Ehc5FArFzb_Xn1JTpOQJTcy6_3r3u3B_euT8GmXHahtVN1Rv8RM
+kAD5m_UBx-nHoZDVDYZkfR9k4hF2Sz5rfrWs6Zrl0r8FBrVFtU1j2vOTvTGwrkO9yZvgIqOkX_eq
+TnGIpM4paHxEGTP8H8A3Y0ZpsvLttmh0rT_OwzBPa1Mof3RQKhyTzfbptxuUJyVxU0Ln-9f--5Mk
+wEFqhuSrgssI6b1iMqm97PqFQMYrWX3SV8l0V-PKxFxDM1bguHq4mOXEtmZBUtMBepwSsI96 \ No newline at end of file
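Review bot: This adds a CADI keyfile to the repository, and the properties hunk points `cadi_keyfile` at it; as far as I know this is the symmetric key CADI uses to decrypt `enc:`-protected property values, so anything encrypted with it in this or any deployed configuration is recoverable by whoever can read the public source tree. A keyfile should be generated on the target host at install time (and held with restrictive permissions) rather than shipped as a fixed artifact, with the path excluded from version control. If this copy is only meant for a throw-away test environment, say so in a comment next to `cadi_keyfile` in xacml.pdp.properties and make sure production overrides it.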
diff --git a/packages/base/src/files/install/servers/pdp/bin/xacml.pdp.properties b/packages/base/src/files/install/servers/pdp/bin/xacml.pdp.properties
index f05f9e951..ad27cd09e 100644
--- a/packages/base/src/files/install/servers/pdp/bin/xacml.pdp.properties
+++ b/packages/base/src/files/install/servers/pdp/bin/xacml.pdp.properties
@@ -136,10 +136,28 @@ javax.persistence.jdbc.password=${{JDBC_PASSWORD}}
ENVIRONMENT=${{ENVIRONMENT}}
xacml.rest.pep.idfile = client.properties
-#AAF Policy Name space
-#Required only, when we use AAF
-policy.aaf.namespace = ${{POLICY_AAF_NAMESPACE}}
-policy.aaf.resource = ${{POLICY_AAF_RESOURCE}}
+#AAF cadi properties
+policy.aaf.namespace = ${{AAF_NAMESPACE}}
+policy.aaf.root.permission=${{AAF_NAMESPACE}}.pdpx
+cm_url=https://${{AAF_HOST}}:8095/AAF_NS.cm:2.1
+cadi_latitude=38.000
+cadi.longitude=72.000
+cadi_alias=policy@policy.onap.org
+cadi_loglevel=DEBUG
+cadi_keyfile=${{POLICY_HOME}}/etc/ssl/aaf-cadi.keyfile
+cadi_protocols=TLSv1.1,TLSv1.2
+cadi_x509_issuers=CN=intermediateCA_1, OU=OSAAF, O=ONAP, C=US:CN=intermediateCA_7, OU=OSAAF, O=ONAP, C=US
+cadi_keystore=${{POLICY_HOME}}/etc/ssl/policy-keystore
+cadi_keystore_password=${{KEYSTORE_PASSWD}}
+cadi_key_password=${{KEYSTORE_PASSWD}}
+aaf_env=DEV
+aaf_url=https://${{AAF_HOST}}:8095/AAF_NS.service:2.1
+aaf_fqdn=${{AAF_HOST}}
+aaf_oauth2_introspect_url=https://${{AAF_HOST}}:8095/AAF_NS.introspect:2.1/introspect
+aaf_oauth2_token_url=https://${{AAF_HOST}}:8095/AAF_NS.token:2.1/token
+fs_url=https://${{AAF_HOST}}:8095/AAF_NS.fs.2.1
+gui_url=https://${{AAF_HOST}}:8095/AAF_NS.gui.2.1
+
# Decision Response settings.
# can be either PERMIT or DENY.
decision.indeterminate.response=${{DECISION_INDETERMINATE_RESPONSE}}
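Review bot: The new key `cadi.longitude=72.000` does not match the `cadi_` naming used by every other CADI key on these lines (`cadi_latitude`, `cadi_alias`, ...), so the longitude is presumably never read; it should be `cadi_longitude=72.000`. `cadi_protocols=TLSv1.1,TLSv1.2` enables a protocol version that is deprecated; unless the AAF endpoint is known to require it, `cadi_protocols=TLSv1.2` is the safer setting. `cadi_loglevel=DEBUG` is being shipped as the installed default and will make CADI very chatty in production logs — INFO or WARN is a better default, with DEBUG set per-environment. The `fs_url` and `gui_url` values use `AAF_NS.fs.2.1` / `AAF_NS.gui.2.1` where the sibling URLs use a `:2.1` suffix; I cannot tell from here which form AAF expects, so please check they resolve.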
diff --git a/packages/install/src/files/base.conf b/packages/install/src/files/base.conf
index dbf5da79c..2bc01c8b1 100644
--- a/packages/install/src/files/base.conf
+++ b/packages/install/src/files/base.conf
@@ -38,4 +38,7 @@ write_fpc_interval=5
max_fpc_update_interval=60
test_via_jmx=false
+AAF_NAMESPACE=org.onap.policy
+AAF_HOST=aaf-onap-test.osaaf.org
+
ENVIRONMENT=TEST