blob: aaad60320d08b8684c4796d11a6dd47eb243b562 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
|
The following describes how to configure authentication for the VNFM adapter.
TLS should always be configured to ensure secure communication between the VNFM-adapter <-> BPMN infra and VNFM-adapter <-> VNFM
If two-way TLS is configured then there is no need for any further authentication (i.e. no need for token or basic auth).
If two-way TLS is NOT configured then authentication is REQUIRED. Oauth token based authentication must be used for requests, while for notifications either oauth tokens or basic auth can be used.
==========================================
To confgure TLS
==========================================
---------------
VNFM Adapter
---------------
The following parameters can be set to configure the certificate for the VNFM adapter
server:
ssl:
key-alias: so@so.onap.org
key--store-password: 'ywsqCy:EEo#j}HJHM7z^Rk[L'
key-store: classpath:so-vnfm-adapter.p12
key-store-type: PKCS12
The values shown above relate to the certificate included in the VNFM adapter jar which has been generated from AAF. If a different certificate is to be used then these values should be changed accordingly.
The following paramters can be set to configure the trust store for the VNFM adapter:
http:
client:
ssl:
trust-store: classpath:org.onap.so.trust.jks
trust-store-password: ',sx#.C*W)]wVgJC6ccFHI#:H'
The values shown above relate to the trust store included in the VNFM adapter jar which has been generated from AAI. If a different trust store is to be used then these values should be changed accordingly.
Ensure the value for the below parameter uses https instead of http
vnfmadapter:
endpoint: http://so-vnfm-adapter.onap:9092
---------------
bpmn-infra
---------------
For bpmn-infra, ensure the value for the below parameter uses https instead of http
so:
vnfm:
adapter:
url: https://so-vnfm-adapter.onap:9092/so/vnfm-adapter/v1/
==========================================
To use two way TLS
==========================================
Ensure the value for username and password are empty in the AAI entry for the VNFM (The VNFM adapter will use oauth instead of two way TLS if the username/password is set).
Ensure TLS has been configuered as detailed above.
---------------
VNFM adapter
---------------
Set the following parameter for the VNFM adapter:
server:
ssl:
client-auth: need
---------------
bpmn-infra:
---------------
Set the following paramters for bpmn-infra:
rest:
http:
client:
configuration:
ssl:
keyStore: classpath:org.onap.so.p12
keyStorePassword: 'RLe5ExMWW;Kd6GTSt0WQz;.Y'
trustStore: classpath:org.onap.so.trust.jks
trustStorePassword: '6V%8oSU$,%WbYp3IUe;^mWt4'
Ensure the value for the below parameter uses https instead of http
so:
vnfm:
adapter:
url: https://so-vnfm-adapter.onap:9092/so/vnfm-adapter/v1/
---------------
VNFM simulator:
---------------
Set the following parameters for the VNFM simulator (if used):
server:
ssl:
client-auth: need
request:
grant:
auth: twowaytls
==========================================
To use oauth token base authentication
==========================================
---------------
VNFM adapter:
---------------
Ensure the value for username and password set set in the AAI entry for the VNFM. The VNFM adapter will use this username/password as the client credentials in the request for a token for the VNFM. The token endpoint
for the VNFM will by default will be derived from the service url for the VNFM in AAI as follows: <base of service url>/oauth/token, e.g. if the service url is https://so-vnfm-simulator.onap/vnflcm/v1 then the token url will
be taken to be https://so-vnfm-simulator.onap/oauth/token. This can be overriden using the following parameter for the VNFM adapter:
vnfmadapter:
temp:
vnfm:
oauth:
endpoint:
The VNFM adapter exposes a token point at url: https://<hostname>:<port>/oauth/token e.g. https://so-vnfm-adapter.onap:9092/oauth/token. The VNFM can request a token from this endpoint for use in grant requests and notifications
to the VNFM adapter. The username/password to be used in the token request are passed to the VNFM in a subscription request. The username/password sent by the VNFM adpater in the subscription request can be configuered using the
following parameter:
vnfmadapter:
auth: <encoded value>
where <encoded value> is '<username>:<password>' encoded using org.onap.so.utils.CryptoUtils with the key set by the paramter:
mso:
key: <key>
The default username:password is vnfm-adapter:123456 when vnfm-adapter.auth is not set.
---------------
VNFM simulator:
---------------
Set the following parameters for the simulator:
spring:
profiles:
active: oauth-authentication
server:
request:
grant:
auth: oauth
==========================================
To use basic auth for notifications
==========================================
The same username/password is used as for oauth token requests as describe above and passed to the VNFM in the subscription request.
|
