aboutsummaryrefslogtreecommitdiffstats
path: root/adapters/mso-vnfm-adapter
diff options
context:
space:
mode:
authorMichaelMorris <michael.morris@est.tech>2019-08-02 23:20:31 +0000
committerMichaelMorris <michael.morris@est.tech>2019-08-02 23:20:31 +0000
commit37cacbd89a7129e5736916627b25d0ecf0364947 (patch)
tree44f3f1d58c189b67fc13852de31bb7d46f32a875 /adapters/mso-vnfm-adapter
parent8b02fbc54e6db36d969b233d136f90b8d6615f80 (diff)
VNFM adapter support two way TLS
Change-Id: Icdb57587c9070bcce405eeaea4275fea0af0533a Issue-ID: SO-2190 Signed-off-by: MichaelMorris <michael.morris@est.tech>
Diffstat (limited to 'adapters/mso-vnfm-adapter')
-rw-r--r--adapters/mso-vnfm-adapter/mso-vnfm-etsi-adapter/Readme.txt128
-rw-r--r--adapters/mso-vnfm-adapter/mso-vnfm-etsi-adapter/src/main/java/org/onap/so/adapters/vnfmadapter/WebSecurityConfigImpl.java14
-rw-r--r--adapters/mso-vnfm-adapter/mso-vnfm-etsi-adapter/src/main/java/org/onap/so/adapters/vnfmadapter/extclients/vnfm/VnfmHelper.java2
-rw-r--r--adapters/mso-vnfm-adapter/mso-vnfm-etsi-adapter/src/main/java/org/onap/so/adapters/vnfmadapter/extclients/vnfm/VnfmServiceProviderConfiguration.java39
-rw-r--r--adapters/mso-vnfm-adapter/mso-vnfm-etsi-adapter/src/test/java/org/onap/so/adapters/vnfmadapter/rest/VnfmAdapterControllerTest.java2
5 files changed, 163 insertions, 22 deletions
diff --git a/adapters/mso-vnfm-adapter/mso-vnfm-etsi-adapter/Readme.txt b/adapters/mso-vnfm-adapter/mso-vnfm-etsi-adapter/Readme.txt
new file mode 100644
index 0000000000..66876311db
--- /dev/null
+++ b/adapters/mso-vnfm-adapter/mso-vnfm-etsi-adapter/Readme.txt
@@ -0,0 +1,128 @@
+The following describes how to configure authentication for the VNFM adapter.
+
+
+==========================================
+To confgure TLS
+==========================================
+
+---------------
+VNFM Adapter
+---------------
+The following parameters can be set to configure the certificate for the VNFM adapter
+server:
+ ssl:
+ key-alias: so@so.onap.org
+ key--store-password: 'I,re7WWEJR$e]x370wRgx?qE'
+ key-store: classpath:org.onap.so.p12
+ key-store-type: PKCS12
+The values shown above relate to the certificate included in the VNFM adapter jar which has been generated from AAF. If a different certificate is to be used then these values should be changed accordingly.
+
+The following paramters can be set to configure the trust store for the VNFM adapter:
+http:
+ client:
+ ssl:
+ trust-store: org.onap.so.trust.jks
+ trust-store-password: NyRD](z:EJJNIt?},QgM3o7H
+The values shown above relate to the trust store included in the VNFM adapter jar which has been generated from AAI. If a different trust store is to be used then these values should be changed accordingly.
+
+Ensure the value for the below parameter uses https instead of http
+vnfmadapter:
+ endpoint: http://so-vnfm-adapter.onap:9092
+
+---------------
+bpmn-infra
+---------------
+For bpmn-infra, ensure the value for the below parameter uses https instead of http
+so:
+ vnfm:
+ adapter:
+ url: https://so-vnfm-adapter.onap:9092/so/vnfm-adapter/v1/
+
+
+==========================================
+To use two way TLS
+==========================================
+
+Ensure the value for username and password are empty in the AAI entry for the VNFM (The VNFM adapter will use oauth instead of two way TLS if the username/password is set).
+Ensure TLS has been configuered as detailed above.
+
+---------------
+VNFM adapter
+---------------
+Set the following parameter for the VNFM adapter:
+server:
+ ssl:
+ client-auth: need
+
+---------------
+bpmn-infra:
+---------------
+Set the following paramters for bpmn-infra:
+rest:
+ http:
+ client:
+ configuration:
+ ssl:
+ keyStore: classpath:org.onap.so.p12
+ keyStorePassword: 'RLe5ExMWW;Kd6GTSt0WQz;.Y'
+ trustStore: classpath:org.onap.so.trust.jks
+ trustStorePassword: '6V%8oSU$,%WbYp3IUe;^mWt4'
+Ensure the value for the below parameter uses https instead of http
+so:
+ vnfm:
+ adapter:
+ url: https://so-vnfm-adapter.onap:9092/so/vnfm-adapter/v1/
+
+---------------
+VNFM simulator:
+---------------
+Set the following parameters for the VNFM simulator (if used):
+server:
+ ssl:
+ client-auth: need
+ request:
+ grant:
+ auth: twowaytls
+
+==========================================
+To use oauth token base authentication
+==========================================
+
+---------------
+VNFM adapter:
+---------------
+Ensure the value for username and password set set in the AAI entry for the VNFM. The VNFM adapter will use this username/password as the client credentials in the request for a token for the VNFM. The token endpoint
+for the VNFM will by default will be derived from the service url for the VNFM in AAI as follows: <base of service url>/oauth/token, e.g. if the service url is https://so-vnfm-simulator.onap/vnflcm/v1 then the token url will
+be taken to be https://so-vnfm-simulator.onap/oauth/token. This can be overriden using the following parameter for the VNFM adapter:
+vnfmadapter:
+ temp:
+ vnfm:
+ oauth:
+ endpoint:
+
+The VNFM adapter exposes a token point at url: https://<hostname>:<port>/oauth/token e.g. https://so-vnfm-adapter.onap:9092/oauth/token. The VNFM can request a token from this endpoint for use in grant requests and notifications
+to the VNFM adapter. The username/password to be used in the token request are passed to the VNFM in a subscription request. The username/password sent by the VNFM adpater in the subscription request can be configuered using the
+following parameter:
+vnfmadapter:
+ auth: <encoded value>
+where <encoded value> is '<username>:<password>' encoded using org.onap.so.utils.CryptoUtils with the key set by the paramter:
+mso:
+ key: <key>
+The default username:password is vnfm-adapter:123456 when vnfm-adapter.auth is not set.
+
+---------------
+VNFM simulator:
+---------------
+Set the following parameters for the simulator:
+spring:
+ profiles:
+ active: oauth-authentication
+server:
+ request:
+ grant:
+ auth: oauth
+
+==========================================
+To use basic auth for notifications
+==========================================
+The same username/password is used as for oauth token requests as describe above and passed to the VNFM in the subscription request. \ No newline at end of file
diff --git a/adapters/mso-vnfm-adapter/mso-vnfm-etsi-adapter/src/main/java/org/onap/so/adapters/vnfmadapter/WebSecurityConfigImpl.java b/adapters/mso-vnfm-adapter/mso-vnfm-etsi-adapter/src/main/java/org/onap/so/adapters/vnfmadapter/WebSecurityConfigImpl.java
index 2b33e8b11d..f45d5a0219 100644
--- a/adapters/mso-vnfm-adapter/mso-vnfm-etsi-adapter/src/main/java/org/onap/so/adapters/vnfmadapter/WebSecurityConfigImpl.java
+++ b/adapters/mso-vnfm-adapter/mso-vnfm-etsi-adapter/src/main/java/org/onap/so/adapters/vnfmadapter/WebSecurityConfigImpl.java
@@ -22,6 +22,7 @@ package org.onap.so.adapters.vnfmadapter;
import org.onap.so.security.MSOSpringFirewall;
import org.onap.so.security.WebSecurityConfig;
+import org.springframework.beans.factory.annotation.Value;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.builders.WebSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
@@ -34,11 +35,18 @@ import org.springframework.util.StringUtils;
@EnableWebSecurity
public class WebSecurityConfigImpl extends WebSecurityConfig {
+ @Value("${server.ssl.client-auth:none}")
+ private String clientAuth;
+
@Override
protected void configure(final HttpSecurity http) throws Exception {
- http.csrf().disable().authorizeRequests().antMatchers("/manage/health", "/manage/info").permitAll()
- .antMatchers("/**").hasAnyRole(StringUtils.collectionToDelimitedString(getRoles(), ",")).and()
- .httpBasic();
+ if (clientAuth.equalsIgnoreCase("need")) {
+ http.csrf().disable().authorizeRequests().anyRequest().permitAll();
+ } else {
+ http.csrf().disable().authorizeRequests().antMatchers("/manage/health", "/manage/info").permitAll()
+ .antMatchers("/**").hasAnyRole(StringUtils.collectionToDelimitedString(getRoles(), ",")).and()
+ .httpBasic();
+ }
}
@Override
diff --git a/adapters/mso-vnfm-adapter/mso-vnfm-etsi-adapter/src/main/java/org/onap/so/adapters/vnfmadapter/extclients/vnfm/VnfmHelper.java b/adapters/mso-vnfm-adapter/mso-vnfm-etsi-adapter/src/main/java/org/onap/so/adapters/vnfmadapter/extclients/vnfm/VnfmHelper.java
index b4355efc20..7c22020287 100644
--- a/adapters/mso-vnfm-adapter/mso-vnfm-etsi-adapter/src/main/java/org/onap/so/adapters/vnfmadapter/extclients/vnfm/VnfmHelper.java
+++ b/adapters/mso-vnfm-adapter/mso-vnfm-etsi-adapter/src/main/java/org/onap/so/adapters/vnfmadapter/extclients/vnfm/VnfmHelper.java
@@ -212,6 +212,8 @@ public class VnfmHelper {
basicAuthParams.setPassword(decrypedAuth[1]);
authentication.addAuthTypeItem(AuthTypeEnum.BASIC);
authentication.paramsBasic(basicAuthParams);
+
+ authentication.addAuthTypeItem(AuthTypeEnum.TLS_CERT);
return authentication;
}
diff --git a/adapters/mso-vnfm-adapter/mso-vnfm-etsi-adapter/src/main/java/org/onap/so/adapters/vnfmadapter/extclients/vnfm/VnfmServiceProviderConfiguration.java b/adapters/mso-vnfm-adapter/mso-vnfm-etsi-adapter/src/main/java/org/onap/so/adapters/vnfmadapter/extclients/vnfm/VnfmServiceProviderConfiguration.java
index a604f9a6b9..93312cfa64 100644
--- a/adapters/mso-vnfm-adapter/mso-vnfm-etsi-adapter/src/main/java/org/onap/so/adapters/vnfmadapter/extclients/vnfm/VnfmServiceProviderConfiguration.java
+++ b/adapters/mso-vnfm-adapter/mso-vnfm-etsi-adapter/src/main/java/org/onap/so/adapters/vnfmadapter/extclients/vnfm/VnfmServiceProviderConfiguration.java
@@ -24,11 +24,12 @@ import static org.onap.so.client.RestTemplateConfig.CONFIGURABLE_REST_TEMPLATE;
import com.google.gson.Gson;
import java.io.IOException;
import java.security.KeyManagementException;
+import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
+import java.security.UnrecoverableKeyException;
import java.security.cert.CertificateException;
import java.util.Iterator;
-import java.util.ListIterator;
import java.util.Map;
import java.util.UUID;
import java.util.concurrent.ConcurrentHashMap;
@@ -42,7 +43,6 @@ import org.onap.aai.domain.yang.EsrSystemInfo;
import org.onap.aai.domain.yang.EsrVnfm;
import org.onap.so.adapters.vnfmadapter.extclients.vnfm.lcn.JSON;
import org.onap.so.configuration.rest.BasicHttpHeadersProvider;
-import org.onap.so.logging.jaxrs.filter.SpringClientFilter;
import org.onap.so.rest.service.HttpRestServiceProvider;
import org.onap.so.rest.service.HttpRestServiceProviderImpl;
import org.slf4j.Logger;
@@ -52,7 +52,7 @@ import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.io.Resource;
-import org.springframework.http.client.ClientHttpRequestInterceptor;
+import org.springframework.http.client.BufferingClientHttpRequestFactory;
import org.springframework.http.client.HttpComponentsClientHttpRequestFactory;
import org.springframework.http.converter.HttpMessageConverter;
import org.springframework.http.converter.json.GsonHttpMessageConverter;
@@ -73,7 +73,12 @@ public class VnfmServiceProviderConfiguration {
@Value("${http.client.ssl.trust-store:#{null}}")
private Resource trustStore;
@Value("${http.client.ssl.trust-store-password:#{null}}")
- private String trustPassword;
+ private String trustStorePassword;
+
+ @Value("${server.ssl.key-store:#{null}}")
+ private Resource keyStoreResource;
+ @Value("${server.ssl.key--store-password:#{null}}")
+ private String keyStorePassword;
/**
* This property is only intended to be temporary until the AAI schema is updated to support setting the endpoint
@@ -98,7 +103,6 @@ public class VnfmServiceProviderConfiguration {
if (trustStore != null) {
setTrustStore(restTemplate);
}
- removeSpringClientFilter(restTemplate);
return new HttpRestServiceProviderImpl(restTemplate, new BasicHttpHeadersProvider());
}
@@ -141,27 +145,26 @@ public class VnfmServiceProviderConfiguration {
private void setTrustStore(final RestTemplate restTemplate) {
SSLContext sslContext;
try {
- sslContext =
- new SSLContextBuilder().loadTrustMaterial(trustStore.getURL(), trustPassword.toCharArray()).build();
+ if (keyStoreResource != null) {
+ KeyStore keystore = KeyStore.getInstance("pkcs12");
+ keystore.load(keyStoreResource.getInputStream(), keyStorePassword.toCharArray());
+ sslContext =
+ new SSLContextBuilder().loadTrustMaterial(trustStore.getURL(), trustStorePassword.toCharArray())
+ .loadKeyMaterial(keystore, keyStorePassword.toCharArray()).build();
+ } else {
+ sslContext = new SSLContextBuilder()
+ .loadTrustMaterial(trustStore.getURL(), trustStorePassword.toCharArray()).build();
+ }
logger.info("Setting truststore: {}", trustStore.getURL());
final SSLConnectionSocketFactory socketFactory = new SSLConnectionSocketFactory(sslContext);
final HttpClient httpClient = HttpClients.custom().setSSLSocketFactory(socketFactory).build();
final HttpComponentsClientHttpRequestFactory factory =
new HttpComponentsClientHttpRequestFactory(httpClient);
- restTemplate.setRequestFactory(factory);
+ restTemplate.setRequestFactory(new BufferingClientHttpRequestFactory(factory));
} catch (KeyManagementException | NoSuchAlgorithmException | KeyStoreException | CertificateException
- | IOException exception) {
+ | IOException | UnrecoverableKeyException exception) {
logger.error("Error reading truststore, TLS connection to VNFM will fail.", exception);
}
}
- private void removeSpringClientFilter(final RestTemplate restTemplate) {
- ListIterator<ClientHttpRequestInterceptor> interceptorIterator = restTemplate.getInterceptors().listIterator();
- while (interceptorIterator.hasNext()) {
- if (interceptorIterator.next() instanceof SpringClientFilter) {
- interceptorIterator.remove();
- }
- }
- }
-
}
diff --git a/adapters/mso-vnfm-adapter/mso-vnfm-etsi-adapter/src/test/java/org/onap/so/adapters/vnfmadapter/rest/VnfmAdapterControllerTest.java b/adapters/mso-vnfm-adapter/mso-vnfm-etsi-adapter/src/test/java/org/onap/so/adapters/vnfmadapter/rest/VnfmAdapterControllerTest.java
index 6cdabb9374..fe55907420 100644
--- a/adapters/mso-vnfm-adapter/mso-vnfm-etsi-adapter/src/test/java/org/onap/so/adapters/vnfmadapter/rest/VnfmAdapterControllerTest.java
+++ b/adapters/mso-vnfm-adapter/mso-vnfm-etsi-adapter/src/test/java/org/onap/so/adapters/vnfmadapter/rest/VnfmAdapterControllerTest.java
@@ -133,7 +133,7 @@ public class VnfmAdapterControllerTest {
setUpVimInMockAai();
final String expectedsubscriptionRequest =
- "{\"filter\":{\"vnfInstanceSubscriptionFilter\":{\"vnfInstanceIds\":[\"vnfId\"]},\"notificationTypes\":[\"VnfLcmOperationOccurrenceNotification\"]},\"callbackUri\":\"https://so-vnfm-adapter.onap:30406/so/vnfm-adapter/v1/lcn/VnfLcmOperationOccurrenceNotification\",\"authentication\":{\"authType\":[\"OAUTH2_CLIENT_CREDENTIALS\", \"BASIC\"],\"paramsOauth2ClientCredentials\":{\"clientId\":\"vnfm\",\"clientPassword\":\"password1$\",\"tokenEndpoint\":\"https://so-vnfm-adapter.onap:30406/oauth/token\"},\"paramsBasic\":{\"userName\":\"vnfm\",\"password\":\"password1$\"}}}";
+ "{\"filter\":{\"vnfInstanceSubscriptionFilter\":{\"vnfInstanceIds\":[\"vnfId\"]},\"notificationTypes\":[\"VnfLcmOperationOccurrenceNotification\"]},\"callbackUri\":\"https://so-vnfm-adapter.onap:30406/so/vnfm-adapter/v1/lcn/VnfLcmOperationOccurrenceNotification\",\"authentication\":{\"authType\":[\"OAUTH2_CLIENT_CREDENTIALS\", \"BASIC\", \"TLS_CERT\"],\"paramsOauth2ClientCredentials\":{\"clientId\":\"vnfm\",\"clientPassword\":\"password1$\",\"tokenEndpoint\":\"https://so-vnfm-adapter.onap:30406/oauth/token\"},\"paramsBasic\":{\"userName\":\"vnfm\",\"password\":\"password1$\"}}}";
final InlineResponse2001 subscriptionResponse = new InlineResponse2001();
final InlineResponse201 createResponse = createCreateResponse();