**WARNING: SSL/TLS authorization is part of an experimental feature for the ONAP Casablanca release and thus should be treated as unstable and subject to change in future releases.**

.. _ssl_tls_authorization:

SSL/TLS authorization
=====================

HV-VES can be configured to require SSL/TLS on every TCP connection. This can be done only when the application container is deployed. For the exact commands, see :ref:`deployment`.

General steps for configuring TLS for the HV-VES collector:

1. Create the collector's key-store in **PKCS #12** format and add the HV-VES server certificate to it.
2. Create the collector's trust-store in **PKCS #12** format with all trusted certificates and certification authorities. Every client whose certificate is signed by a Certificate Authority (CA) in the chain of trust is allowed. The trust-store should not contain ONAP's root CAs.
3. Start the collector with all required options specified.

.. code-block:: bash

   docker run -v /path/to/key/and/trust/stores:/etc/hv-ves \
       nexus3.onap.org:10001/onap/org.onap.dcaegen2.collectors.hv-ves.hv-collector-main \
       --listen-port 6061 \
       --config-url http://consul:8500/v1/kv/dcae-hv-ves-collector \
       --key-store /etc/hv-ves/keystore.p12 \
       --key-store-password keystorePass \
       --trust-store /etc/hv-ves/truststore.p12 \
       --trust-store-password truststorePass

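Steps 1 and 2 worked through with OpenSSL, as an added example that is not part of the HV-VES project's own documentation or code: it creates a throwaway test CA and a server certificate signed by it, packs them into the PKCS #12 key-store and trust-store, and then checks that the stores have the shape the collector expects (a private key only in the key-store, and a server certificate that chains to the CA). It assumes ``openssl`` is on ``PATH``; the CA and CN names and ``WORKDIR`` are constructed, and the passwords match the ``docker run`` command above.

```shell
# Added example, not part of the HV-VES project: build the PKCS #12
# key-store and trust-store that steps 1 and 2 describe, using a throwaway
# test CA. Assumes openssl is on PATH; all names, CNs and passwords below
# are constructed (the passwords match the docker command above).
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"
# OpenSSL 3 defaults to AES/PBKDF2 for PKCS #12, which older Java 8 builds
# cannot read; force the SHA1/3DES PBE so the stores open on OpenJDK 8.
PBE="-keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES -macalg sha1"

make_stores() (
  cd "$WORKDIR"
  # Test CA that signs both the collector's and the clients' certificates.
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=test-ca" \
    -keyout ca.key -out ca.crt 2>/dev/null
  # Collector (server) key and certificate signed by the test CA.
  openssl req -newkey rsa:2048 -nodes -subj "/CN=hv-ves-collector" \
    -keyout server.key -out server.csr 2>/dev/null
  openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
    -days 365 -out server.crt 2>/dev/null
  # Step 1: key-store = server private key + its certificate chain.
  openssl pkcs12 -export $PBE -inkey server.key -in server.crt -certfile ca.crt \
    -name hv-ves -out keystore.p12 -passout pass:keystorePass
  # Step 2: trust-store = CA certificate(s) only, no private key (-nokeys).
  openssl pkcs12 -export $PBE -nokeys -in ca.crt -name test-ca \
    -out truststore.p12 -passout pass:truststorePass
)

# Pre-deployment checks: the key-store must contain a private key, the
# trust-store must not, and the server certificate must chain to the CA.
verify_stores() {
  ks="$WORKDIR/keystore.p12"; ts="$WORKDIR/truststore.p12"
  openssl pkcs12 -in "$ks" -passin pass:keystorePass -nocerts -nodes 2>/dev/null \
    | grep -q 'PRIVATE KEY' || return 1
  if openssl pkcs12 -in "$ts" -passin pass:truststorePass -nocerts -nodes 2>/dev/null \
       | grep -q 'PRIVATE KEY'; then return 1; fi
  openssl pkcs12 -in "$ks" -passin pass:keystorePass -nokeys -clcerts 2>/dev/null \
    | openssl verify -CAfile "$WORKDIR/ca.crt" >/dev/null 2>&1
}
```

Source the file, then run ``make_stores && verify_stores``; the resulting ``keystore.p12`` and ``truststore.p12`` in ``WORKDIR`` are what the ``-v`` mount in the ``docker run`` command above points at.
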
HV-VES uses the OpenJDK (version 8u181) implementation of TLS ciphers. For reference, see https://docs.oracle.com/javase/8/docs/technotes/guides/security/overview/jsoverview.html.

If SSL/TLS is enabled for the HV-VES container, the service also turns on client authentication: HV-VES requires clients to present their certificates on connection. In addition, HV-VES presents its own certificate to every client during the SSL/TLS handshake, so the authorization is two-way.

The service rejects any connection attempt that is not secured by SSL/TLS, and every connection made by an unauthorized client, that is, a client whose certificate is not signed by a CA contained in the HV-VES Collector trust store. With TLS tunneling, the communication protocol does not change (see the description in :ref:`hv_ves_behaviors`). In particular, there is no change to the Wire Frame Protocol.