.. Instrumental | 647c1c3 | 2018-07-23 16:35:19 -0500
.. This work is licensed under a Creative Commons Attribution 4.0 International License.
.. http://creativecommons.org/licenses/by/4.0
.. Copyright © 2017 AT&T Intellectual Property. All rights reserved.


Development
============
.. _Example RESTful Client: https://gerrit.onap.org/r/gitweb?p=aaf/authz.git;a=blob;f=cadi/oauth-enduser/src/main/java/org/onap/aaf/cadi/enduser/SimpleRESTClient.java;h=30344de521ae628221bdb54642a71733304a5656;hb=HEAD
.. _Developer Video: https://wiki.onap.org/download/attachments/38111886/ONAPClient.mp4?version=1&modificationDate=1532378616000&api=v2

============
Resources
============
* `Example RESTful Client`_ (Java Client)
* `Developer Video`_ (might be large)

.. Instrumental | 0d41057 | 2018-11-19 13:28:53 -0600
=========================
ONAP Test Env
=========================

-------
Purpose
-------

The AAF Test Environment is a single-instance VM set up so that:

- ONAP Developers can utilize AAF from their personal machines without having to run their own AAF.
- ONAP Developers can put the Permissions and Roles required for their Apps into a common AAF Environment with others.
- AAF will pull (on demand) all the ONAP-related Data (Perms/Roles/Identities) and put it into "Bootstrap Data".
- This Bootstrap Data becomes available on the myriad Testing Systems so that

  - they don't have to create AAF Data loading on their own, and
  - the data is already consistent with other ONAP entities.

------
Access
------

You must be connected to the WindRiver "pod-onap-01" VPN to gain access
to AAF Beijing.

----------------
DNS (/etc/hosts)
----------------

At this time, there is no known DNS available for ONAP Entities. It is
recommended that you add the following entry to "/etc/hosts" on
your accessing machine.

/etc/hosts::

    10.12.6.214 aaf-onap-beijing-test aaf-onap-beijing-test.osaaf.org

------------------------------
Environment Artifacts (AAF FS)
------------------------------

AAF has an HTTP Fileserver to gain access to needed public info:

http://aaf-onap-beijing-test.osaaf.org/-

-----------
Credentials
-----------

AAF does support User/Password, and allows additional plugins as it
did in Amsterdam; however, User/Password credentials are inferior to
PKI technology and do not match the ONAP Design goal of TLS and
PKI Identity across the board. Therefore, while an individual
organization might avail itself of the User/Password facilities
within AAF, for ONAP we are avoiding them.

THEREFORE: **GO WITH CERTIFICATE IDENTITY**


Root Certificate
^^^^^^^^^^^^^^^^

`AAF_RootCA.cer <http://aaf-onap-beijing-test.osaaf.org/AAF_RootCA.cer>`__

AAF CA
^^^^^^

At the time of Beijing, an official Certificate Authority for ONAP was
not declared, installed or operationalized. Secure TLS requires
certificates, so for the time being the Certificate Authority is
being run by the AAF Team.

Root Certificate
''''''''''''''''

The Root Certificate for the ONAP Certificate Authority used by AAF
is `AAF_RootCA.cer <http://aaf-onap-beijing-test.osaaf.org/AAF_RootCA.cer>`__.
Depending on your Browser / Operating System, clicking on this link
will allow you to install this Cert into your Browser for GUI
access (see next).

This Root Certificate is also available in "truststore" form, ready
to be used by Java or other processes:

- `truststoreONAP.p12 <http://aaf-onap-beijing-test.osaaf.org/truststoreONAP.p12>`__

  - This Truststore has ONLY the ONAP AAF_RootCA in it.

- `truststoreONAPall.jks <http://aaf-onap-beijing-test.osaaf.org/truststoreONAPall.jks>`__

  - This Truststore has the ONAP AAF_RootCA in it PLUS all the Public CA Certs that are in Java 1.8.131 (note: this is in jks format, because the original Java truststore was in jks format).

Note: as of Java 8, the pkcs12 format is recommended rather than jks.
Java's "keytool" utility provides conversion to .jks for Java 7
and earlier.

Identity
''''''''

Certificates certify nothing if there is no identity, or no process to
verify the Identity. Typically, for a company, an HR department
will establish the formal organization, specifically who reports to
whom. For ONAP, at the time of Beijing, no such formalized "Org Chart"
existed, so we'll be building this up as we go along.

Therefore, with each Certificate Request, we'll need identity
information as well, which will be entered into an ONAP Identity
file. In a real company, this can be derived or accessed in
real time (if available) through an "Organization Plugin". There
appears to be no such central formal system in ONAP, though, of
course, Linux Foundation logins hold some of this information for
ALL LF projects. Until ONAP declares such a system, or decides how
we might integrate with LF for Identity and we have time to create
an Integration strategy, AAF will control this data.

For each Identity, we'll need:

People
    | # 0 - unique ID (for Apps, just make sure it is unique; for
      People, one might consider your LinuxFoundation ID)
    | # 1 - full name (for App, name of the APP)
    | # 2 - first name (for App,
    | # 3 - last name
    | # 4 - phone
    | # 5 - official email
    | # 6 - type - person
    | # 7 - reports to: If you are working as part of a Project, list
      the PTL of your Project. If you are the PTL, just declare you are the
      PTL

Applications
    | # 0 - unique ID - For ONAP Test, this will be the same as the App
      Acronym.
    | # 1 - full name of the App
    | # 2 - App Acronym
    | # 3 - App Description, or just "Application"
    | # 5 - official email - a Distribution list for the Application, or
      the Email of the Owner
    | # 6 - type - application
    | # 7 - reports to: give the Application Owner's Unique ID. Note,
      this should also be the Owner in the AAF Namespace

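An added example (not part of AAF or the ONAP docs) that parses records in the field order listed above and checks the consistency rules the page states: a unique ID, an official email, and a "reports to" that resolves to a known identity (for an Application, its Owner, a person). The pipe delimiter, the lowercase type values and the sample records are assumptions constructed for this example.

```python
from collections import namedtuple

# Field positions as listed on this page (#0 .. #7). For an Application the
# "first"/"last" slots hold the App Acronym and Description and phone is blank.
FIELDS = ("id", "full_name", "first", "last", "phone", "email", "type", "reports_to")
Identity = namedtuple("Identity", FIELDS)


def parse_identities(text):
    """Parse pipe-delimited records (delimiter is an assumption) into {id: Identity}."""
    ids = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = [p.strip() for p in line.split("|")]
        if len(parts) != len(FIELDS):
            raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}: {line}")
        ident = Identity(*parts)
        if ident.id in ids:                      # field #0 must be unique
            raise ValueError(f"duplicate id: {ident.id}")
        ids[ident.id] = ident
    return ids


def validate(ids):
    """Return a list of problems; an empty list means the data is consistent."""
    problems = []
    for ident in ids.values():
        if ident.type not in ("person", "application"):
            problems.append(f"{ident.id}: unknown type {ident.type!r}")
        if not ident.email:
            problems.append(f"{ident.id}: official email is required")
        # "reports to" must resolve: a PTL reports to themself, an App to its Owner's ID
        boss = ids.get(ident.reports_to)
        if boss is None:
            problems.append(f"{ident.id}: reports_to {ident.reports_to!r} is not a known identity")
        elif ident.type == "application" and boss.type != "person":
            problems.append(f"{ident.id}: an Application must report to a person (its Owner)")
    return problems


# Constructed sample data, not real ONAP identities.
SAMPLE = """\
ptl1|Pat Tee-El|Pat|Tee-El|555-0100|ptl1@example.org|person|ptl1
dev1|Dee Veloper|Dee|Veloper|555-0101|dev1@example.org|person|ptl1
aaf|Auth and Authz Framework|AAF|Application||aaf-dl@example.org|application|ptl1
badapp|Broken App|BAD|Application||badapp@example.org|application|nobody
"""
```

Running `validate(parse_identities(SAMPLE))` reports only the last record, whose "reports to" names an ID that does not exist in the file.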
Obtaining a Certificate
'''''''''''''''''''''''

Services/Clients
    See `Automated Configuration and Certificates`_.

.. _Automated Configuration and Certificates: AAF_4.1_config.html

People
    People Certificates can be used for browsers, curl, etc.

    Automation and tracking of People Certificates will be proposed for
    Dublin.