AAF Configuration in PDP-D

AAF is disabled by default until pairwise testing is completed.

Change-Id: Ica83873a2605742689ed0c2e06dfade20bef8bf0
Signed-off-by: Jorge Hernandez <jh1730@att.com>
Issue-ID: POLICY-1043
Signed-off-by: Jorge Hernandez <jh1730@att.com>
diff --git a/.gitignore b/.gitignore
index eb32cca..144f267 100644
--- a/.gitignore
+++ b/.gitignore
@@ -10,8 +10,8 @@
 .metadata/
 .idea/
 target/
+*/config/
 */logs/
 */sql/
 */testingLogs/
-*/config/
 **/*.iml
diff --git a/config/policy-engine.properties b/config/policy-engine.properties
deleted file mode 100644
index 56c2a67..0000000
--- a/config/policy-engine.properties
+++ /dev/null
@@ -1,38 +0,0 @@
-###
-# ============LICENSE_START=======================================================
-# policy-management
-# ================================================================================
-# Copyright (C) 2018 AT&T Intellectual Property. All rights reserved.
-# ================================================================================
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-# 
-#      http://www.apache.org/licenses/LICENSE-2.0
-# 
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-# ============LICENSE_END=========================================================
-###
-
-# Policy Engine Configuration
-
-# Configuration Channel Settings: PDPD_CONFIGURATION
-
-http.server.services=CONFIG,SECURED-CONFIG
-http.server.services.CONFIG.host=0.0.0.0
-http.server.services.CONFIG.port=9696
-http.server.services.CONFIG.restPackages=org.onap.policy.drools.server.restful
-http.server.services.CONFIG.managed=false
-http.server.services.CONFIG.swagger=true
-http.server.services.CONFIG.https=false
-
-http.server.services.SECURED-CONFIG.host=0.0.0.0
-http.server.services.SECURED-CONFIG.port=9697
-http.server.services.SECURED-CONFIG.restPackages=org.onap.policy.drools.server.restful
-http.server.services.SECURED-CONFIG.managed=false
-http.server.services.SECURED-CONFIG.swagger=true
-http.server.services.SECURED-CONFIG.https=true
diff --git a/config/policy-keystore b/config/policy-keystore
deleted file mode 100644
index b92217c..0000000
--- a/config/policy-keystore
+++ /dev/null
Binary files differ
diff --git a/config/policy-truststore b/config/policy-truststore
deleted file mode 100644
index 8834ac2..0000000
--- a/config/policy-truststore
+++ /dev/null
Binary files differ
diff --git a/feature-healthcheck/src/main/feature/config/feature-healthcheck.properties b/feature-healthcheck/src/main/feature/config/feature-healthcheck.properties
index ec457b7..e44543a 100644
--- a/feature-healthcheck/src/main/feature/config/feature-healthcheck.properties
+++ b/feature-healthcheck/src/main/feature/config/feature-healthcheck.properties
@@ -27,6 +27,8 @@
 http.server.services.HEALTHCHECK.userName=${{HEALTHCHECK_USER}}
 http.server.services.HEALTHCHECK.password=${{HEALTHCHECK_PASSWORD}}
 http.server.services.HEALTHCHECK.https=true
+http.server.services.HEALTHCHECK.aaf=false
+http.server.services.HEALTHCHECK.filterClasses=
 
 http.client.services=PAP,PDP
 
diff --git a/feature-healthcheck/src/main/java/org/onap/policy/drools/healthcheck/AafHealthCheckFilter.java b/feature-healthcheck/src/main/java/org/onap/policy/drools/healthcheck/AafHealthCheckFilter.java
new file mode 100644
index 0000000..3cb9def
--- /dev/null
+++ b/feature-healthcheck/src/main/java/org/onap/policy/drools/healthcheck/AafHealthCheckFilter.java
@@ -0,0 +1,35 @@
+/*-
+ * ============LICENSE_START=======================================================
+ * ONAP
+ * ================================================================================
+ * Copyright (C) 2018 AT&T Intellectual Property. All rights reserved.
+ * ================================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END=========================================================
+ */
+
+package org.onap.policy.drools.healthcheck;
+
+import org.onap.policy.common.endpoints.http.server.aaf.AafGranularAuthFilter;
+import org.onap.policy.drools.server.restful.aaf.AafBase;
+
+/**
+ * Healthcheck AAF Authorization Filter
+ */
+public class AafHealthCheckFilter extends AafGranularAuthFilter {
+
+    @Override
+    public String getPermissionTypeRoot() {
+        return AafBase.AAF_ROOT_PERMISSION;
+    }
+}
diff --git a/feature-healthcheck/src/test/java/org/onap/policy/drools/healthcheck/HealthCheckFeatureTest.java b/feature-healthcheck/src/test/java/org/onap/policy/drools/healthcheck/HealthCheckFeatureTest.java
index 8ae7343..e0312f1 100644
--- a/feature-healthcheck/src/test/java/org/onap/policy/drools/healthcheck/HealthCheckFeatureTest.java
+++ b/feature-healthcheck/src/test/java/org/onap/policy/drools/healthcheck/HealthCheckFeatureTest.java
@@ -25,6 +25,7 @@
 
 import java.io.File;
 import java.io.FileWriter;
+import java.io.IOException;
 import java.nio.file.Files;
 import java.nio.file.Path;
 import java.nio.file.Paths;
@@ -34,6 +35,7 @@
 import org.junit.BeforeClass;
 import org.junit.Test;
 import org.onap.policy.common.endpoints.properties.PolicyEndPointProperties;
+import org.onap.policy.common.utils.network.NetworkUtil;
 import org.onap.policy.drools.healthcheck.HealthCheck.Report;
 import org.onap.policy.drools.healthcheck.HealthCheck.Reports;
 import org.onap.policy.drools.persistence.SystemPersistence;
@@ -81,7 +83,11 @@
                 PolicyEndPointProperties.PROPERTY_HTTP_SERVER_SERVICES + "." + "HEALTHCHECK"
                         + PolicyEndPointProperties.PROPERTY_HTTP_REST_CLASSES_SUFFIX,
                 org.onap.policy.drools.healthcheck.RestMockHealthCheck.class.getName());
-        httpProperties.setProperty(PolicyEndPointProperties.PROPERTY_HTTP_CLIENT_SERVICES + "." + "HEALTHCHECK"
+        httpProperties.setProperty(
+                PolicyEndPointProperties.PROPERTY_HTTP_SERVER_SERVICES + "." + "HEALTHCHECK"
+                    + PolicyEndPointProperties.PROPERTY_HTTP_FILTER_CLASSES_SUFFIX,
+                org.onap.policy.drools.healthcheck.TestAafHealthCheckFilter.class.getName());
+        httpProperties.setProperty(PolicyEndPointProperties.PROPERTY_HTTP_SERVER_SERVICES + "." + "HEALTHCHECK"
                 + PolicyEndPointProperties.PROPERTY_MANAGED_SUFFIX, "true");
 
 
@@ -101,7 +107,6 @@
         httpProperties.setProperty(PolicyEndPointProperties.PROPERTY_HTTP_CLIENT_SERVICES + "." + "HEALTHCHECK"
                 + PolicyEndPointProperties.PROPERTY_MANAGED_SUFFIX, "true");
 
-
         configDirSetup();
 
     }
@@ -117,15 +122,21 @@
     }
 
     @Test
-    public void test() {
+    public void test() throws IOException, InterruptedException {
 
         HealthCheckFeature feature = new HealthCheckFeature();
         feature.afterStart(PolicyEngine.manager);
 
+        if (!NetworkUtil.isTcpPortOpen("localhost", 7777, 5, 10000L)) {
+            throw new IllegalStateException("cannot connect to port " + 7777);
+        }
+
         Reports reports = HealthCheck.monitor.healthCheck();
 
+        assertTrue(reports.getDetails().size() > 0);
+
         for (Report rpt : reports.getDetails()) {
-            if (rpt.getName() == "HEALTHCHECK") {
+            if ("HEALTHCHECK".equals(rpt.getName())) {
                 assertTrue(rpt.isHealthy());
                 assertEquals(200, rpt.getCode());
                 assertEquals("All Alive", rpt.getMessage());
@@ -141,7 +152,7 @@
     /**
      * setup up config directory.
      */
-    protected static void configDirSetup() {
+    private static void configDirSetup() {
 
         File origPropsFile = new File(healthCheckPropsPath.toString());
         File backupPropsFile = new File(healthCheckPropsBackupPath.toString());
@@ -167,7 +178,7 @@
     /**
      * cleanup up config directory.
      */
-    protected static void configDirCleanup() {
+    private static void configDirCleanup() {
 
         File origPropsFile = new File(healthCheckPropsBackupPath.toString());
         File backupPropsFile = new File(healthCheckPropsPath.toString());
diff --git a/feature-healthcheck/src/test/java/org/onap/policy/drools/healthcheck/TestAafHealthCheckFilter.java b/feature-healthcheck/src/test/java/org/onap/policy/drools/healthcheck/TestAafHealthCheckFilter.java
new file mode 100644
index 0000000..03ca689
--- /dev/null
+++ b/feature-healthcheck/src/test/java/org/onap/policy/drools/healthcheck/TestAafHealthCheckFilter.java
@@ -0,0 +1,46 @@
+/*-
+ * ============LICENSE_START=======================================================
+ * ONAP
+ * ================================================================================
+ * Copyright (C) 2018 AT&T Intellectual Property. All rights reserved.
+ * ================================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END=========================================================
+ */
+
+package org.onap.policy.drools.healthcheck;
+
+import javax.servlet.http.HttpServletRequest;
+import org.onap.policy.common.utils.network.NetworkUtil;
+
+/**
+ * Healthcheck AAF Authorization Filter
+ */
+public class TestAafHealthCheckFilter extends AafHealthCheckFilter {
+
+    @Override
+    protected String getRole(HttpServletRequest request) {
+        String expectedPerm = "org.onap.policy.pdpd.healthcheck.test|"
+            + NetworkUtil.getHostname() + "|get";
+        if (!expectedPerm.equals(super.getRole(request))) {
+            throw new IllegalStateException("unexpected AAF granular permission");
+        } else {
+            return "user";
+        }
+    }
+
+    @Override
+    public String getPermissionTypeRoot() {
+        return "org.onap.policy.pdpd";
+    }
+}
diff --git a/packages/docker/src/main/docker/do-start.sh b/packages/docker/src/main/docker/do-start.sh
index 9e4659d..af7b3d9 100644
--- a/packages/docker/src/main/docker/do-start.sh
+++ b/packages/docker/src/main/docker/do-start.sh
@@ -56,7 +56,7 @@
 
 	. /opt/app/policy/etc/profile.d/env.sh
 
-	# override the policy keystore and truststore if present
+	# allow user to override the key or/and the trust stores
 
 	if [[ -f config/policy-keystore ]]; then
 	    cp -f config/policy-keystore ${POLICY_HOME}/etc/ssl
@@ -66,6 +66,24 @@
 	    cp -f config/policy-truststore ${POLICY_HOME}/etc/ssl
 	fi
 
+	# allow user to override all or some aaf configuration
+
+	if [[ -f config/aaf.properties ]]; then
+	    cp -f config/aaf.properties ${POLICY_HOME}/config/aaf.properties
+	fi
+
+	if [[ -f config/aaf-location.properties ]]; then
+	    cp -f config/aaf-location.properties ${POLICY_HOME}/config/aaf-location.properties
+	fi
+
+	if [[ -f config/aaf-credentials.properties ]]; then
+	    cp -f config/aaf-credentials.properties ${POLICY_HOME}/config/aaf-credentials.properties
+	fi
+
+	if [[ -f config/aaf-cadi.keyfile ]]; then
+	    cp -f config/aaf-cadi.keyfile ${POLICY_HOME}/config/aaf-cadi.keyfile
+	fi
+
 	if [[ -f config/drools-tweaks.sh ]] ; then
 		echo "Executing tweaks"
 		# file may not be executable; running it as an
diff --git a/packages/install/src/files/base.conf b/packages/install/src/files/base.conf
index 0c44093..dd9e7c5 100644
--- a/packages/install/src/files/base.conf
+++ b/packages/install/src/files/base.conf
@@ -59,6 +59,11 @@
 PDPD_CONFIGURATION_CONSUMER_INSTANCE=
 PDPD_CONFIGURATION_PARTITION_KEY=
 
+# AAF
+
+AAF_NAMESPACE=org.onap.policy
+AAF_HOST=aaf-onap-test.osaaf.org
+
 # PAP
 
 PAP_HOST=
diff --git a/policy-management/src/main/java/org/onap/policy/drools/server/restful/aaf/AafBase.java b/policy-management/src/main/java/org/onap/policy/drools/server/restful/aaf/AafBase.java
new file mode 100644
index 0000000..0c8465a
--- /dev/null
+++ b/policy-management/src/main/java/org/onap/policy/drools/server/restful/aaf/AafBase.java
@@ -0,0 +1,35 @@
+/*-
+ * ============LICENSE_START=======================================================
+ * ONAP
+ * ================================================================================
+ * Copyright (C) 2018 AT&T Intellectual Property. All rights reserved.
+ * ================================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END=========================================================
+ */
+
+package org.onap.policy.drools.server.restful.aaf;
+
+import org.onap.policy.common.endpoints.http.server.aaf.AafAuthFilter;
+import org.onap.policy.drools.system.PolicyEngine;
+
+/**
+ * AAF Base Class
+ */
+public abstract class AafBase extends AafAuthFilter {
+    public static final String AAF_NODETYPE = "pdpd";
+    public static final String AAF_ROOT_PERMISSION_PROPERTY = "aaf.root.permission";
+    public static final String AAF_ROOT_PERMISSION =
+        PolicyEngine.manager.getProperties().getProperty
+            (AAF_ROOT_PERMISSION_PROPERTY, DEFAULT_NAMESPACE + "." + AAF_NODETYPE);
+}
diff --git a/policy-management/src/main/java/org/onap/policy/drools/server/restful/aaf/AafTelemetryAuthFilter.java b/policy-management/src/main/java/org/onap/policy/drools/server/restful/aaf/AafTelemetryAuthFilter.java
new file mode 100644
index 0000000..f2e50ee
--- /dev/null
+++ b/policy-management/src/main/java/org/onap/policy/drools/server/restful/aaf/AafTelemetryAuthFilter.java
@@ -0,0 +1,41 @@
+/*-
+ * ============LICENSE_START=======================================================
+ * ONAP
+ * ================================================================================
+ * Copyright (C) 2018 AT&T Intellectual Property. All rights reserved.
+ * ================================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END=========================================================
+ */
+
+package  org.onap.policy.drools.server.restful.aaf;
+
+import javax.servlet.http.HttpServletRequest;
+import org.onap.policy.common.utils.network.NetworkUtil;
+
+/**
+ * AAF Telemetry Authorization
+ */
+public class AafTelemetryAuthFilter extends AafBase {
+    private static final String RESOURCE_TYPE = AAF_ROOT_PERMISSION + "." + "telemetry";
+
+    @Override
+    protected String getPermissionType(HttpServletRequest request) {
+        return RESOURCE_TYPE;
+    }
+
+    @Override
+    protected String getPermissionInstance(HttpServletRequest request) {
+        return NetworkUtil.getHostname();
+    }
+}
diff --git a/policy-management/src/main/server-gen/bin/policy-management-controller b/policy-management/src/main/server-gen/bin/policy-management-controller
index cc6a8c7..bad1783 100644
--- a/policy-management/src/main/server-gen/bin/policy-management-controller
+++ b/policy-management/src/main/server-gen/bin/policy-management-controller
@@ -96,9 +96,9 @@
        remove_pid_file
     else
 	if [[ -n ${ENGINE_MANAGEMENT_PASSWORD} ]]; then
-	    http_proxy= curl --silent --user ${ENGINE_MANAGEMENT_USER}:${ENGINE_MANAGEMENT_PASSWORD} -X DELETE http://localhost:${ENGINE_MANAGEMENT_PORT}/policy/pdp/engine -o /dev/null
+	    http_proxy= curl -k --silent --user ${ENGINE_MANAGEMENT_USER}:${ENGINE_MANAGEMENT_PASSWORD} -X DELETE https://localhost:${ENGINE_MANAGEMENT_PORT}/policy/pdp/engine -o /dev/null
 	else
-	    http_proxy= curl --silent -X DELETE http://localhost:${ENGINE_MANAGEMENT_PORT}/policy/pdp/engine -o /dev/null
+	    http_proxy= curl -k --silent -X DELETE https://localhost:${ENGINE_MANAGEMENT_PORT}/policy/pdp/engine -o /dev/null
 	fi
 	sleep 5
 	echo "Stopping $SNAME..."
diff --git a/policy-management/src/main/server-gen/bin/rest-add-controller b/policy-management/src/main/server-gen/bin/rest-add-controller
index 187b291..0dd82ee 100644
--- a/policy-management/src/main/server-gen/bin/rest-add-controller
+++ b/policy-management/src/main/server-gen/bin/rest-add-controller
@@ -26,11 +26,11 @@
 
 if [ -f ${json} ]; then
 	if [[ -n ${ENGINE_MANAGEMENT_PASSWORD} ]]; then
-	curl --silent --user ${ENGINE_MANAGEMENT_USER}:${ENGINE_MANAGEMENT_PASSWORD} -X POST --data @${json} --header "Content-Type: application/json" \
-			http://localhost:${ENGINE_MANAGEMENT_PORT}/policy/pdp/engine/controllers
+	curl -k --silent --user ${ENGINE_MANAGEMENT_USER}:${ENGINE_MANAGEMENT_PASSWORD} -X POST --data @${json} --header "Content-Type: application/json" \
+			https://localhost:${ENGINE_MANAGEMENT_PORT}/policy/pdp/engine/controllers
 	else
-		curl --silent -X POST --data @${json} --header "Content-Type: application/json" \
-			http://localhost:${ENGINE_MANAGEMENT_PORT}/policy/pdp/engine/controllers
+		curl -k --silent -X POST --data @${json} --header "Content-Type: application/json" \
+			https://localhost:${ENGINE_MANAGEMENT_PORT}/policy/pdp/engine/controllers
 	fi
 else
 	echo "Usage: rest-add-controller.sh closed-loop-sample|reporter|sepc|vsegw|.. (or any other config file ending with *-controller.rest.json)"	
diff --git a/policy-management/src/main/server-gen/bin/rest-delete-controller b/policy-management/src/main/server-gen/bin/rest-delete-controller
index de1d601..03e6748 100644
--- a/policy-management/src/main/server-gen/bin/rest-delete-controller
+++ b/policy-management/src/main/server-gen/bin/rest-delete-controller
@@ -24,11 +24,11 @@
 
 if [[ -n $1 ]]; then
 	if [[ -n ${ENGINE_MANAGEMENT_PASSWORD} ]]; then
-		curl --silent --user ${ENGINE_MANAGEMENT_USER}:${ENGINE_MANAGEMENT_PASSWORD} -X DELETE --header "Content-Type: application/json" \
-			http://localhost:${ENGINE_MANAGEMENT_PORT}/policy/pdp/engine/controllers/${1}
+		curl -k --silent --user ${ENGINE_MANAGEMENT_USER}:${ENGINE_MANAGEMENT_PASSWORD} -X DELETE --header "Content-Type: application/json" \
+			https://localhost:${ENGINE_MANAGEMENT_PORT}/policy/pdp/engine/controllers/${1}
 	else
-		curl --silent -X DELETE --header "Content-Type: application/json" \
-			http://localhost:${ENGINE_MANAGEMENT_PORT}/policy/pdp/engine/controllers/${1}
+		curl -k --silent -X DELETE --header "Content-Type: application/json" \
+			https://localhost:${ENGINE_MANAGEMENT_PORT}/policy/pdp/engine/controllers/${1}
 	fi
 	echo
 	exit	
diff --git a/policy-management/src/main/server/config/aaf-cadi.keyfile b/policy-management/src/main/server/config/aaf-cadi.keyfile
new file mode 100644
index 0000000..59d544f
--- /dev/null
+++ b/policy-management/src/main/server/config/aaf-cadi.keyfile
@@ -0,0 +1,27 @@
+N3INM2bAlQ8cNODnjR3Fuvo5z4GeID0KnRYlELmt-oHCFxq_XYVyepBVR591CIbJI9prNd_LLuv7
+tQD8xX_ypcNA-jQsecTwtw4GxvpqkZPhq6Q8BWNQaCegtXGDVTQ8gG2biKiQ7v-2C6Qhx4zj62b6
+bRPS5j1bfxqcAZu7082V00oQjbn40T2zFcLwCuBChZfx5DXTW49bwtLbkCbGqJSzFcIJpbGQ8gLg
+ussIoL8VE2Vee7bPJmUAdT4x9B1wrMIuvKlUMppeq0Bj-6ZJgxhM9F0WT8eEBh6NFANdK3LUgZrk
+D3kY3LrK-MT9u1TOMx13nOU7vOaVjl7_rkp5Q65gFd9VYbnJBYvJcc7asOQMsrugiSiRIoXH0Fyy
+-f9L3ROGae042J4M8qxcoOihMbcjVkEXqn6eRIFbDe0eIAlkSRYfaxg9v4tf8GbBjQcShBjzGaI2
+g6QxTA5G6Aa7p63aVRGv3ZODCHcbsbxnkyByXgmkON4cTk9vR0RbT6YYhT5t8xTU3rhqV3jeE0Bz
+KbU0c4188xTnhdq_bje2TuuLvtEvevdvDsbtAj7chQmWMOW7GMF3MnqdEpcw1NCoNRdN8wpAdE-5
+mkG-jlYHljSRh9qZK5wdEoO4IXgpFktdGj50XuzcskqqURNfDGHGb29fHznL1-ssdQK6EXcKN0AU
+nYyGLAie3VfFxWKj5dGODBs5RttvkX4PHyLcLD3kOrVgtQrz7d0PWWYCxDRqKT6qnJkLB1CUwghn
+XweEiDfoQmuUmwFEQNRDp0NGLnde5nsw7NYgLrv5VafGK8EyT4GeVhuu5Tnb6T-HalxCq2p5JaIA
+SG8zlDmRx_TykrhfQEJe7sr0pRcAMwgxEhwunG2oBiKnzdRx5jxMfqnVC8xGirumhmOQNterfnd5
+0pIsfvIuntyxRQ48yzIb2gb5kaSkfSzCaVnlqK-_jpj1T74qO86eaKVee4faQAbXDPYF2z5w06nD
+WS2dd54wBjGmkFNzi13ejTrAJeA6UzOd1CF_WSpc9XSJJPTPUGxmnfLjmGThErFBYuQxjhpH7vKN
+uZgokkIXX78rVcO3zpfa5kTYWjE8lk9y3WA7sGNtTWfG8bR3WLWNLPCnrzxtKZdhq2JsQYC0gwW7
+ZgJSXhgPoaC_RrtCn7haj1_601G_MkD-jcUEsO-4XOBVicsCgG8hn7B-SpgKspqv8gulbeKoORqa
+CkrtiFPlXEqdNuaBSHcQ0MWJ3tpXzWtIPM3ouEFOR32xVfptfz4sRPOkM_PNiVXxQtLOn_z3uC7K
+VVJCKZxVaavQ6QiZvRRANS9_GD3kDILX15EnbEvh-2DfycDrEo330vMwvNJP7i9eM5vo0YADe--G
+r5UDqctmFjl1ulc1yAQkDBGWGxT92x-hhLqCnCXcYPu_aeWssfDpRj573PHPaTiM0SYxJixjszRD
+6-AMC1DqugkjiGA5_enQORn-G_H4ZVtoQ_zebizEfIxKv5-8uRdyZDHGG3mDu6_nasEffry-UyVu
+STU3oJMycZ1qf5GR1evRJ7gxkrtPXHWKNnVgxfrBC72ON6wJnr7KaY-l9L44epIsk1pEmXm3YQu1
+N0NxiAwdus9OnCXQ7GgZPRXCpxjJPNs7EIKFrYjKJfdtSzT85ZrTpHQtjim2L1ZP9iIlq2QVKD1v
+bKSjCwjtb9ztjrV-Bw1BHcAApPcfpXHLhYkJ7iL1XUhxjXp_DGUkD7ZN9S5tuyrsMXz5hh6wMfcq
+NPR_XqHaS2ur-ONNrHuFFCmY7Ehc5FArFzb_Xn1JTpOQJTcy6_3r3u3B_euT8GmXHahtVN1Rv8RM
+kAD5m_UBx-nHoZDVDYZkfR9k4hF2Sz5rfrWs6Zrl0r8FBrVFtU1j2vOTvTGwrkO9yZvgIqOkX_eq
+TnGIpM4paHxEGTP8H8A3Y0ZpsvLttmh0rT_OwzBPa1Mof3RQKhyTzfbptxuUJyVxU0Ln-9f--5Mk
+wEFqhuSrgssI6b1iMqm97PqFQMYrWX3SV8l0V-PKxFxDM1bguHq4mOXEtmZBUtMBepwSsI96
\ No newline at end of file
diff --git a/policy-management/src/main/server/config/aaf-credentials.properties b/policy-management/src/main/server/config/aaf-credentials.properties
new file mode 100644
index 0000000..aaa5f16
--- /dev/null
+++ b/policy-management/src/main/server/config/aaf-credentials.properties
@@ -0,0 +1,9 @@
+cm_url=https://AAF_LOCATE_URL/AAF_NS.cm:2.1
+cadi_x509_issuers=CN=intermediateCA_1, OU=OSAAF, O=ONAP, C=US:CN=intermediateCA_7, OU=OSAAF, O=ONAP, C=US
+cadi_keyfile=${{POLICY_HOME}}/config/aaf-cadi.keyfile
+cadi_keystore=${{POLICY_HOME}}/etc/ssl/policy-keystore
+cadi_keystore_password=${{KEYSTORE_PASSWD}}
+cadi_key_password=${{KEYSTORE_PASSWD}}
+cadi_alias=policy@policy.onap.org
+cadi_truststore=${{POLICY_HOME}}/etc/ssl/policy-truststore
+cadi_truststore_password=${{TRUSTSTORE_PASSWD}}
\ No newline at end of file
diff --git a/policy-management/src/main/server/config/aaf-location.properties b/policy-management/src/main/server/config/aaf-location.properties
new file mode 100644
index 0000000..dc828e7
--- /dev/null
+++ b/policy-management/src/main/server/config/aaf-location.properties
@@ -0,0 +1,2 @@
+cadi_latitude=38.000
+cadi_longitude=-72.000
diff --git a/policy-management/src/main/server/config/aaf.properties b/policy-management/src/main/server/config/aaf.properties
new file mode 100644
index 0000000..8084be9
--- /dev/null
+++ b/policy-management/src/main/server/config/aaf.properties
@@ -0,0 +1,11 @@
+cadi_prop_files=${{POLICY_HOME}}/config/aaf-credentials.properties:${{POLICY_HOME}}/config/aaf-location.properties
+cadi_loglevel=DEBUG
+aaf_env=DEV
+aaf_locate_url=https://${{AAF_HOST}}:8095
+aaf_oauth2_introspect_url=https://AAF_LOCATE_URL/AAF_NS.introspect:2.1/introspect
+aaf_oauth2_token_url=https://AAF_LOCATE_URL/AAF_NS.token:2.1/token
+aaf_url=https://AAF_LOCATE_URL/AAF_NS.service:2.1
+cadi_protocols=TLSv1.1,TLSv1.2
+cm_url=https://AAF_LOCATE_URL/AAF_NS.cm:2.1
+fs_url=https://AAF_LOCATE_URL/AAF_NS.fs.2.1
+gui_url=https://AAF_LOCATE_URL/AAF_NS.gui.2.1
diff --git a/policy-management/src/main/server/config/policy-engine.properties b/policy-management/src/main/server/config/policy-engine.properties
index 758d13e..8e51752 100644
--- a/policy-management/src/main/server/config/policy-engine.properties
+++ b/policy-management/src/main/server/config/policy-engine.properties
@@ -49,3 +49,6 @@
 http.server.services.SECURED-CONFIG.managed=false
 http.server.services.SECURED-CONFIG.swagger=true
 http.server.services.SECURED-CONFIG.https=true
+
+aaf.namespace=${{AAF_NAMESPACE}}
+aaf.root.permission=${{AAF_NAMESPACE}}.pdpd
diff --git a/policy-management/src/main/server/config/system.properties b/policy-management/src/main/server/config/system.properties
index 5c024e1..6bac0ea 100644
--- a/policy-management/src/main/server/config/system.properties
+++ b/policy-management/src/main/server/config/system.properties
@@ -34,6 +34,10 @@
 javax.net.ssl.keyStore=${{POLICY_HOME}}/etc/ssl/policy-keystore
 javax.net.ssl.keyStorePassword=${{KEYSTORE_PASSWD}}
 
+# aaf
+
+cadi_prop_files=config/aaf.properties
+
 # standard logging
 
 logback.configurationFile=config/logback.xml
diff --git a/policy-management/src/test/java/org/onap/policy/drools/server/restful/test/RestManagerTest.java b/policy-management/src/test/java/org/onap/policy/drools/server/restful/test/RestManagerTest.java
index 68a52ad..ce34ec8 100644
--- a/policy-management/src/test/java/org/onap/policy/drools/server/restful/test/RestManagerTest.java
+++ b/policy-management/src/test/java/org/onap/policy/drools/server/restful/test/RestManagerTest.java
@@ -29,14 +29,17 @@
 import java.util.Properties;
 
 import org.apache.http.HttpEntity;
-import org.apache.http.client.ClientProtocolException;
+import org.apache.http.auth.AuthScope;
+import org.apache.http.auth.UsernamePasswordCredentials;
+import org.apache.http.client.CredentialsProvider;
 import org.apache.http.client.methods.CloseableHttpResponse;
 import org.apache.http.client.methods.HttpDelete;
 import org.apache.http.client.methods.HttpGet;
 import org.apache.http.client.methods.HttpPut;
 import org.apache.http.entity.StringEntity;
+import org.apache.http.impl.client.BasicCredentialsProvider;
 import org.apache.http.impl.client.CloseableHttpClient;
-import org.apache.http.impl.client.HttpClients;
+import org.apache.http.impl.client.HttpClientBuilder;
 import org.apache.http.util.EntityUtils;
 import org.junit.AfterClass;
 import org.junit.BeforeClass;
@@ -45,6 +48,7 @@
 import org.junit.runners.MethodSorters;
 import org.onap.policy.common.endpoints.event.comm.TopicEndpoint;
 import org.onap.policy.common.endpoints.properties.PolicyEndPointProperties;
+import org.onap.policy.common.utils.network.NetworkUtil;
 import org.onap.policy.drools.persistence.SystemPersistence;
 import org.onap.policy.drools.system.PolicyController;
 import org.onap.policy.drools.system.PolicyEngine;
@@ -53,10 +57,12 @@
 
 @FixMethodOrder(MethodSorters.NAME_ASCENDING)
 public class RestManagerTest {
-    public static final int DEFAULT_TELEMETRY_PORT = 7887;
+    private static final int DEFAULT_TELEMETRY_PORT = 7887;
     private static final String HOST = "localhost";
     private static final String REST_MANAGER_PATH = "/policy/pdp";
     private static final String HOST_URL = "http://" + HOST + ":" + DEFAULT_TELEMETRY_PORT + REST_MANAGER_PATH;
+    private static final String TELEMETRY_USER = "x";
+    private static final String TELEMETRY_PASSWORD = "y";
     private static final String FOO_CONTROLLER = "foo";
 
     private static final String UEB_TOPIC = "UEB-TOPIC-TEST";
@@ -100,7 +106,7 @@
      * @throws IOException throws an IO exception
      */
     @BeforeClass
-    public static void setUp() throws IOException {
+    public static void setUp() throws IOException, InterruptedException {
         cleanUpWorkingDirs();
 
         SystemPersistence.manager.setConfigurationDir(null);
@@ -110,6 +116,15 @@
         engineProps.put(PolicyEndPointProperties.PROPERTY_HTTP_SERVER_SERVICES + "."
                 + PolicyEngine.TELEMETRY_SERVER_DEFAULT_NAME + PolicyEndPointProperties.PROPERTY_HTTP_PORT_SUFFIX,
                 "" + DEFAULT_TELEMETRY_PORT);
+        engineProps.put(PolicyEndPointProperties.PROPERTY_HTTP_SERVER_SERVICES + "."
+                + PolicyEngine.TELEMETRY_SERVER_DEFAULT_NAME + PolicyEndPointProperties.PROPERTY_HTTP_FILTER_CLASSES_SUFFIX,
+            TestAafTelemetryAuthFilter.class.getName());
+        engineProps.put(PolicyEndPointProperties.PROPERTY_HTTP_SERVER_SERVICES + "."
+                + PolicyEngine.TELEMETRY_SERVER_DEFAULT_NAME + PolicyEndPointProperties.PROPERTY_HTTP_AUTH_USERNAME_SUFFIX,
+            TELEMETRY_USER);
+        engineProps.put(PolicyEndPointProperties.PROPERTY_HTTP_SERVER_SERVICES + "."
+                + PolicyEngine.TELEMETRY_SERVER_DEFAULT_NAME + PolicyEndPointProperties.PROPERTY_HTTP_AUTH_PASSWORD_SUFFIX,
+            TELEMETRY_PASSWORD);
 
         /* other properties */
         engineProps.put(PolicyEndPointProperties.PROPERTY_UEB_SOURCE_TOPICS, UEB_TOPIC);
@@ -132,10 +147,16 @@
         Properties controllerProps = new Properties();
         PolicyEngine.manager.createPolicyController(FOO_CONTROLLER, controllerProps);
 
+        // client = HttpClients.createDefault();
+        CredentialsProvider provider = new BasicCredentialsProvider();
+        UsernamePasswordCredentials credentials = new UsernamePasswordCredentials(TELEMETRY_USER, TELEMETRY_PASSWORD);
+        provider.setCredentials(AuthScope.ANY, credentials);
 
-        client = HttpClients.createDefault();
+        client = HttpClientBuilder.create().setDefaultCredentialsProvider(provider).build();
 
-
+        if (!NetworkUtil.isTcpPortOpen("localhost", DEFAULT_TELEMETRY_PORT, 5, 10000L)) {
+            throw new IllegalStateException("cannot connect to port " + DEFAULT_TELEMETRY_PORT);
+        }
     }
 
     /**
@@ -157,7 +178,7 @@
 
 
     @Test
-    public void putDeleteTest() throws ClientProtocolException, IOException, InterruptedException {
+    public void putDeleteTest() throws IOException {
         HttpDelete httpDelete;
         CloseableHttpResponse response;
 
@@ -358,7 +379,7 @@
 
 
     @Test
-    public void getTest() throws ClientProtocolException, IOException, InterruptedException {
+    public void getTest() throws IOException {
         HttpGet httpGet;
         CloseableHttpResponse response;
 
@@ -854,7 +875,7 @@
      * @param response incoming response
      * @return the body or null
      */
-    public String getResponseBody(CloseableHttpResponse response) {
+    private String getResponseBody(CloseableHttpResponse response) {
 
         HttpEntity entity;
         try {
diff --git a/policy-management/src/test/java/org/onap/policy/drools/server/restful/test/TestAafTelemetryAuthFilter.java b/policy-management/src/test/java/org/onap/policy/drools/server/restful/test/TestAafTelemetryAuthFilter.java
new file mode 100644
index 0000000..c7d5232
--- /dev/null
+++ b/policy-management/src/test/java/org/onap/policy/drools/server/restful/test/TestAafTelemetryAuthFilter.java
@@ -0,0 +1,43 @@
+/*-
+ * ============LICENSE_START=======================================================
+ * ONAP
+ * ================================================================================
+ * Copyright (C) 2018 AT&T Intellectual Property. All rights reserved.
+ * ================================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END=========================================================
+ */
+
+package org.onap.policy.drools.server.restful.test;
+
+import javax.servlet.http.HttpServletRequest;
+import org.onap.policy.common.utils.network.NetworkUtil;
+import org.onap.policy.drools.server.restful.aaf.AafTelemetryAuthFilter;
+
+/**
+ * Test AAF Telemetry Authorization Filter for Junits
+ */
+public class TestAafTelemetryAuthFilter extends AafTelemetryAuthFilter {
+
+    @Override
+    protected String getRole(HttpServletRequest request) {
+        String expectedPerm = "org.onap.policy.pdpd.telemetry|"
+            + NetworkUtil.getHostname() + "|"
+            +  request.getMethod().toLowerCase();
+        if (!expectedPerm.equals(super.getRole(request))) {
+            throw new IllegalStateException("unexpected permission");
+        } else {
+            return "user";
+        }
+    }
+}