blob: 79b2fffc723ec08a71b9922c542fc1b51c36a2eb [file] [log] [blame]
Sai Gandhamd67a9de2018-05-25 15:48:11 +00001.. contents::
2 :depth: 3
3.. This work is licensed under a Creative Commons Attribution 4.0 International License.
4.. http://creativecommons.org/licenses/by/4.0
5.. Copyright © 2017 AT&T Intellectual Property. All rights reserved.
6
7Summary
8Essentials
9Technologies required to run AAF
10Optional Technologies for special cases
11Data Definitions
12AAF Data Definitions
13ILM (Identity Lifecycle Management)
14Initializing Default Implementation
15Extract Sample Configuration
16Certificate Authority
17Creating your own Certificate Authority (if desired)
18Create your Intermediate CAs
19Use the Intermediate CA for creating Service/Identity Certs (can be utilized by Certman with LocalCA)
20Copy initializations to Host Machine
21Load Data and/or Meta-Data into Cassandra
22Build Source
23Run Java
24
25Summary
26-------
27
28AAF Components are all Java(tm) HTTP/S based RESTful services, with the following exceptions:
29
30 - AAF GUI component is an HTTP/S HTML5 generating component. It uses the same code base, but isn't strictly RESTful according to definition.
31 - AAF FS component is a FileServer, and is HTTP only (not TLS), so it can deliver publicly accessible artifacts without Authentication.
32
33Essentials
34==========
35
36Technologies required to run AAF
37--------------------------------
38
39 - Java(tm). Version 8.121+
40 - Oracle Java previous to Oracle Java SE 8 to version 8 Update 121 is vulnerable to "SWEET32" attack.
41
42 1369383 - CVE-2016-2183 SSL/TLS: Birthday attack against 64-bit block ciphers (SWEET32)
43
44 - Cassandra, Version 2.1.14+
45 - X509 Certificates (at minimum to support HTTP/S TLS transactions (TLS1.1 and TLS1.2 are default, but can be configured).
46
47Optional Technologies for special cases
48---------------------------------------
49
50 - Build your own Certificate Authority for Bootstrapping and/or Certificate Manager component.
51 - openssl
52 - bash
53
54Data Definitions
55----------------
56
57AAF Data Definitions
58
59 - AAF is Data Driven, and therefore, needs to have some structure around the Initial Data so that it can function. You will need to define:
60
61Your Organization:
62 - Example: Are you a company? Do you already have a well known internet URL?
63 - If so, you should set up AAF Namespaces with this in mind. Example:
64
65 - for "Kumquat Industries, LTD", with internet presence "kumquats4you.com" (currently, a fictitious name), you would want all your AAF Namespaces to start with:
66
67"com.kumquats4you"
68The examples all use
69
70"org.osaaf"
71
72However it is recommended that you change this once you figure out your organizations' structure.
73Your AAF Root Namespace
74This can be within your company namespace, i.e.
75
76"com.kumquats4you.aaf"
77
78but you might consider putting it under different root structure.
79Again, the bootstrapping examples use:
80
81"org.osaaf.aaf"
82
83While creating these, recognize that
842nd position of the Namespace indicates company/organization
853rd+ position are applications within that company/organization
86
87"com.kumquats4you.dmaap"
88
89Following this "positional" structure is required for expected Authorization behavior.
90
91
92ILM (Identity Lifecycle Management)
93Neither Authentication nor Authorization make any sense outside the context of Identity within your Organization.
94
95Some organizations or companies will have their own ILM managers.
96
97If so you may write your own implementation of "Organization"
98Ensure the ILM of choice can be access real-time, or consider exporting the data into File Based mechanism (see entry)
99AAF comes with a "DefaultOrganization", which implements a file based localization of ILM in a simple text file
100
101Each line represents an identity in the organization, including essential contact information, and reporting structure
102This file can be updated by bringing in the entire file via ftp or other file transfer protocol, HOWEVER
103Provide a process that
104Validates no corruption has occurred
105Pulls the ENTIRE file down before moving into the place where AAF Components will see it.
106Take advantage of UNIX File System behaviors, by MOVING the file into place (mv), rather than copying while AAF is Active
107Note: This file-based methodology has been shown to be extremely effective for a 1 million+ Identity organization
108TBA-how to add an entry
109
110TBA-what does "sponsorship mean"
111
112Initializing Default Implementation
113This is recommended for learning/testing AAF. You can modify and save off this information for your Organizational use at your discretion.
114
115Extract Sample Configuration
116On your Linux box (creating/setting permissions as required)
117
118mkdir -p /opt/app/osaaf
119
120cd /opt/app/osaaf
121
122# Download AAF_sample_config_v1.zip (TBA)
123
124jar -xvf AAF_sample_config_v1.zip
125
126Certificate Authority
127You need to identify a SAFE AND SECURE machine when working with your own Certificate Authority. Realize that if a hacker gets the private keys of your CA or Intermediate CAs, you will be TOTALLY Compromised.
128
129For that reason, many large companies will isolate any machines dealing with Certificates, and that is the recommendation here as well... However, this page cannot explain what works best for you. JSCEP is an option if you have this setup already.
130
131If you choose to make your own CA, at the very least, once you create your private key for your Root Cert, and your Intermediate Certs, you might consider saving your Private Keys off line and removing from the exposed box. Again, this is YOUR responsibility, and must follow your policy.
132
133
134
135IMPORTANT! As you create Certificates for Identities, the Identities you use MUST be identities in your ILM. See /opt/app/aaf/osaaf/data/identities.dat
136
137Creating your own Certificate Authority (if desired)
1381) Obtain all the Shell Scripts from the "conf/CA" directory which you can get the from the git repo.
139
140For this example, we'll put everything in /opt/app/osaaf
141
142mkdir /opt/app/osaaf/CA, if required
143
144$ cd /opt/app/osaaf/CA
145
146view README.txt for last minute info
147
ankatarec1877782018-09-06 12:18:52 +0530148view and/or change "subject.aaf" for your needs. This format will be used on all generated certs from the CA.
Sai Gandhamd67a9de2018-05-25 15:48:11 +0000149
150$ cat subject.aaf
151
152If you will be using PKCS11 option, review the "cfg.pkcs11" file as well
153
154$ cat cfg.pkcs11
155
156$ bash newca.sh
157
158Obviously, save off your passphrase in an encrypted place... how you do this is your procedure
159
160At this point, your Root CA information has been created. If you want to start over, you may use "bash clean.sh"
161
162Create your Intermediate CAs
1632) You do NOT sign regular Cert requests with your Root. You only sign with Intermediate CA. The "intermediate.sh" will create a NEW Intermediate CA Directory and copy appropriate Shell scripts over. Do this for as many Intermediate CAs as you need.
164
165$ bash newIntermediate.sh
166
167creates directories in order, intermediate_1, intermediate_2, etc.
168
169Use the Intermediate CA for creating Service/Identity Certs (can be utilized by Certman with LocalCA)
1703) When creating a Manual Certificate, DO THIS from the Intermediate CA needed
171
172$ cd intermediate_1
173
1744) Create initial Certificate for AAF
175
176IMPORTANT! As you create Certificates for Identities, the Identities you use MUST be identities in your ILM. See /opt/app/aaf/osaaf/data/identities.dat
177
178To create LOCALLY, meaning create the CSR, and submit immediately, do the following
179
180$ bash manual.sh <machine-name> -local
181
182FQI (Fully Qualified Identity):
183
184<identity from identities.dat>@<domain, ex: aaf.osaaf.org>
185
186To create Information suitable for Emailing, and signing the returned CSR
187
188$ bash manual.sh <machine-name>
189
190FQI (Fully Qualified Identity):
191
192<identity from identities.dat>@<domain, ex: aaf.osaaf.org>
193
1945) Create p12 file for AAF
195
196REMAIN in the intermediate directory...
197
198$ bash p12.sh <machine-name>
199
200Copy initializations to Host Machine
201AAF is setup so it can run
202
203On the O/S, using Java
204On Docker
205On K8
206In each case, even for Docker/K8, we utilize the File O/S for host specific information. This is because
207
208Many things are Host Specific
209The Hostname required for TLS interactions
210Cassandra specific information (when external/clustered)
211Logging (if logging is done in container, it will be lost if container goes down)
212To make things simpler, we are assuming that the file structure will be "/opt/app/osaaf". The code supports changing this, but documentation will wait until use cases arises for ONAP.
213
214Steps:
215
2161) Copy "osaaf.zip" to your Host Machine, where osaaf.zip is provided by AAF SME. // TODO POST SAMPLE HERE
217
2182) Copy your "p12" file generated by your CA (see above), and place in your "certs" directory
219
2203) SSH (or otherwise login) to your Docker/K8 Host Machine
221
2224) setup your directories (you might need to be root, then adjust what you need for O/S File Permissions
223
224$ mkdir /opt/app/osaaf
225
226$ cd /opt/app/osaaf
227
228$ mkdir cred logs
229
230$ unzip ~/osaaf.zip
231
232$ mv ~/<p12 file from CA above> cred
233
234$
235
236Unzip the "osaaf.zip" so it goes into the /opt/app/osaaf directory (should have "etc", "data", "public" and "certs" directories)
237
2384) Modify "org.osaaf.props" to have
239
240
241
242Load Data and/or Meta-Data into Cassandra
243Setting this initial Data can be done directly onto Cassadra using "cqlsh" using the following "cql" files:
244
245init<version>.cql (whatever is latest in the "zip" file)
246osaaf.cql
247 This file contains initial Authorization Structures, see AAF Data Structures.
248 This is where you would modify your own initial Structures.
249Build Source
250(if not done already)
251
252Run Java
253Note: If you have a Kubernets requirement (support), it is STILL RECOMMENDED you run AAF as stand-alone Java Components on your system, and work out any modifications required BEFORE trying to run in Kubernetes.
254
255TBA <java -Dcadi_prop_files=/opt/app/osaaf/etc/org.osaaf.locator.props -cp <path> File>
256