| MichaelMorris | 37cacbd | 2019-08-02 23:20:31 +0000 | [diff] [blame^] | 1 | The following describes how to configure authentication for the VNFM adapter.
|
| 2 |
|
| 3 |
|
| 4 | ==========================================
|
| 5 | To confgure TLS
|
| 6 | ==========================================
|
| 7 |
|
| 8 | ---------------
|
| 9 | VNFM Adapter
|
| 10 | ---------------
|
| 11 | The following parameters can be set to configure the certificate for the VNFM adapter
|
| 12 | server:
|
| 13 | ssl:
|
| 14 | key-alias: so@so.onap.org
|
| 15 | key--store-password: 'I,re7WWEJR$e]x370wRgx?qE'
|
| 16 | key-store: classpath:org.onap.so.p12
|
| 17 | key-store-type: PKCS12
|
| 18 | The values shown above relate to the certificate included in the VNFM adapter jar which has been generated from AAF. If a different certificate is to be used then these values should be changed accordingly.
|
| 19 |
|
| 20 | The following paramters can be set to configure the trust store for the VNFM adapter:
|
| 21 | http:
|
| 22 | client:
|
| 23 | ssl:
|
| 24 | trust-store: org.onap.so.trust.jks
|
| 25 | trust-store-password: NyRD](z:EJJNIt?},QgM3o7H
|
| 26 | The values shown above relate to the trust store included in the VNFM adapter jar which has been generated from AAI. If a different trust store is to be used then these values should be changed accordingly.
|
| 27 |
|
| 28 | Ensure the value for the below parameter uses https instead of http
|
| 29 | vnfmadapter:
|
| 30 | endpoint: http://so-vnfm-adapter.onap:9092
|
| 31 |
|
| 32 | ---------------
|
| 33 | bpmn-infra
|
| 34 | ---------------
|
| 35 | For bpmn-infra, ensure the value for the below parameter uses https instead of http
|
| 36 | so:
|
| 37 | vnfm:
|
| 38 | adapter:
|
| 39 | url: https://so-vnfm-adapter.onap:9092/so/vnfm-adapter/v1/
|
| 40 |
|
| 41 |
|
| 42 | ==========================================
|
| 43 | To use two way TLS
|
| 44 | ==========================================
|
| 45 |
|
| 46 | Ensure the value for username and password are empty in the AAI entry for the VNFM (The VNFM adapter will use oauth instead of two way TLS if the username/password is set).
|
| 47 | Ensure TLS has been configuered as detailed above.
|
| 48 |
|
| 49 | ---------------
|
| 50 | VNFM adapter
|
| 51 | ---------------
|
| 52 | Set the following parameter for the VNFM adapter:
|
| 53 | server:
|
| 54 | ssl:
|
| 55 | client-auth: need
|
| 56 |
|
| 57 | ---------------
|
| 58 | bpmn-infra:
|
| 59 | ---------------
|
| 60 | Set the following paramters for bpmn-infra:
|
| 61 | rest:
|
| 62 | http:
|
| 63 | client:
|
| 64 | configuration:
|
| 65 | ssl:
|
| 66 | keyStore: classpath:org.onap.so.p12
|
| 67 | keyStorePassword: 'RLe5ExMWW;Kd6GTSt0WQz;.Y'
|
| 68 | trustStore: classpath:org.onap.so.trust.jks
|
| 69 | trustStorePassword: '6V%8oSU$,%WbYp3IUe;^mWt4'
|
| 70 | Ensure the value for the below parameter uses https instead of http
|
| 71 | so:
|
| 72 | vnfm:
|
| 73 | adapter:
|
| 74 | url: https://so-vnfm-adapter.onap:9092/so/vnfm-adapter/v1/
|
| 75 |
|
| 76 | ---------------
|
| 77 | VNFM simulator:
|
| 78 | ---------------
|
| 79 | Set the following parameters for the VNFM simulator (if used):
|
| 80 | server:
|
| 81 | ssl:
|
| 82 | client-auth: need
|
| 83 | request:
|
| 84 | grant:
|
| 85 | auth: twowaytls
|
| 86 |
|
| 87 | ==========================================
|
| 88 | To use oauth token base authentication
|
| 89 | ==========================================
|
| 90 |
|
| 91 | ---------------
|
| 92 | VNFM adapter:
|
| 93 | ---------------
|
| 94 | Ensure the value for username and password set set in the AAI entry for the VNFM. The VNFM adapter will use this username/password as the client credentials in the request for a token for the VNFM. The token endpoint
|
| 95 | for the VNFM will by default will be derived from the service url for the VNFM in AAI as follows: <base of service url>/oauth/token, e.g. if the service url is https://so-vnfm-simulator.onap/vnflcm/v1 then the token url will
|
| 96 | be taken to be https://so-vnfm-simulator.onap/oauth/token. This can be overriden using the following parameter for the VNFM adapter:
|
| 97 | vnfmadapter:
|
| 98 | temp:
|
| 99 | vnfm:
|
| 100 | oauth:
|
| 101 | endpoint:
|
| 102 |
|
| 103 | The VNFM adapter exposes a token point at url: https://<hostname>:<port>/oauth/token e.g. https://so-vnfm-adapter.onap:9092/oauth/token. The VNFM can request a token from this endpoint for use in grant requests and notifications
|
| 104 | to the VNFM adapter. The username/password to be used in the token request are passed to the VNFM in a subscription request. The username/password sent by the VNFM adpater in the subscription request can be configuered using the
|
| 105 | following parameter:
|
| 106 | vnfmadapter:
|
| 107 | auth: <encoded value>
|
| 108 | where <encoded value> is '<username>:<password>' encoded using org.onap.so.utils.CryptoUtils with the key set by the paramter:
|
| 109 | mso:
|
| 110 | key: <key>
|
| 111 | The default username:password is vnfm-adapter:123456 when vnfm-adapter.auth is not set.
|
| 112 |
|
| 113 | ---------------
|
| 114 | VNFM simulator:
|
| 115 | ---------------
|
| 116 | Set the following parameters for the simulator:
|
| 117 | spring:
|
| 118 | profiles:
|
| 119 | active: oauth-authentication
|
| 120 | server:
|
| 121 | request:
|
| 122 | grant:
|
| 123 | auth: oauth
|
| 124 |
|
| 125 | ==========================================
|
| 126 | To use basic auth for notifications
|
| 127 | ==========================================
|
| 128 | The same username/password is used as for oauth token requests as describe above and passed to the VNFM in the subscription request. |