[so.git] / adapters / etsi-sol003-adapter / etsi-sol003-adapter-application / Readme.txt

The following describes how to configure authentication for the VNFM adapter.\r
\r
TLS should always be configured to ensure secure communication between the VNFM-adapter <-> BPMN infra and VNFM-adapter <-> VNFM\r
If two-way TLS is configured then there is no need for any further authentication (i.e. no need for token or basic auth).\r
If two-way TLS is NOT configured then authentication is REQUIRED. Oauth token based authentication must be used for requests, while for notifications either oauth tokens or basic auth can be used.\r
\r
\r
==========================================\r
To confgure TLS\r
==========================================\r
\r
---------------\r
VNFM Adapter\r
---------------\r
The following parameters can be set to configure the certificate for the VNFM adapter\r
server:\r
  ssl:\r
    key-alias: so@so.onap.org\r
    key--store-password: 'ywsqCy:EEo#j}HJHM7z^Rk[L'\r
    key-store: classpath:so-vnfm-adapter.p12\r
    key-store-type: PKCS12\r
The values shown above relate to the certificate included in the VNFM adapter jar which has been generated from AAF. If a different certificate is to be used then these values should be changed accordingly.\r
\r
The following paramters can be set to configure the trust store for the VNFM adapter:\r
http:\r
  client:\r
    ssl:\r
      trust-store: classpath:org.onap.so.trust.jks\r
      trust-store-password: ',sx#.C*W)]wVgJC6ccFHI#:H'\r
The values shown above relate to the trust store included in the VNFM adapter jar which has been generated from AAI. If a different trust store is to be used then these values should be changed accordingly.\r
\r
Ensure the value for the below parameter uses https instead of http\r
vnfmadapter:\r
  endpoint: http://so-vnfm-adapter.onap:9092\r
  \r
---------------\r
bpmn-infra\r
---------------\r
For bpmn-infra, ensure the value for the below parameter uses https instead of http\r
so:\r
  vnfm:\r
    adapter:\r
      url: https://so-vnfm-adapter.onap:9092/so/vnfm-adapter/v1/\r
\r
\r
==========================================\r
To use two way TLS\r
==========================================\r
\r
Ensure the value for username and password are empty in the AAI entry for the VNFM (The VNFM adapter will use oauth instead of two way TLS if the username/password is set).\r
Ensure TLS has been configuered as detailed above.\r
\r
---------------\r
VNFM adapter\r
---------------\r
Set the following parameter for the VNFM adapter:\r
server:\r
  ssl:\r
    client-auth: need\r
        \r
---------------\r
bpmn-infra:\r
---------------\r
Set the following paramters for bpmn-infra:\r
rest:\r
  http:\r
    client:\r
      configuration:\r
        ssl:\r
          keyStore: classpath:org.onap.so.p12\r
          keyStorePassword: 'RLe5ExMWW;Kd6GTSt0WQz;.Y'\r
          trustStore: classpath:org.onap.so.trust.jks\r
          trustStorePassword: '6V%8oSU$,%WbYp3IUe;^mWt4'\r
Ensure the value for the below parameter uses https instead of http\r
so:\r
  vnfm:\r
    adapter:\r
      url: https://so-vnfm-adapter.onap:9092/so/vnfm-adapter/v1/\r
          \r
---------------   \r
VNFM simulator:\r
---------------\r
Set the following parameters for the VNFM simulator (if used):\r
server:\r
  ssl:\r
    client-auth: need\r
  request:\r
    grant:\r
      auth: twowaytls\r
\r
==========================================\r
To use oauth token base authentication\r
==========================================\r
\r
---------------   \r
VNFM adapter:\r
---------------\r
Ensure the value for username and password set set in the AAI entry for the VNFM. The VNFM adapter will use this username/password as the client credentials in the request for a token for the VNFM. The token endpoint\r
for the VNFM will by default will be derived from the service url for the VNFM in AAI as follows: <base of service url>/oauth/token, e.g. if the service url is https://so-vnfm-simulator.onap/vnflcm/v1 then the token url will\r
be taken to be https://so-vnfm-simulator.onap/oauth/token. This can be overriden using the following parameter for the VNFM adapter:\r
vnfmadapter:\r
  temp:\r
    vnfm:\r
          oauth:\r
            endpoint:\r
                \r
The VNFM adapter exposes a token point at url: https://<hostname>:<port>/oauth/token e.g. https://so-vnfm-adapter.onap:9092/oauth/token. The VNFM can request a token from this endpoint for use in grant requests and notifications\r
to the VNFM adapter. The username/password to be used in the token request are passed to the VNFM in a subscription request. The username/password sent by the VNFM adpater in the subscription request can be configuered using the \r
following parameter:\r
vnfmadapter:\r
  auth: <encoded value>\r
where <encoded value> is '<username>:<password>' encoded using org.onap.so.utils.CryptoUtils with the key set by the paramter:\r
mso:\r
  key: <key>\r
The default username:password is vnfm-adapter:123456 when vnfm-adapter.auth is not set.\r
                  \r
---------------   \r
VNFM simulator:\r
---------------\r
Set the following parameters for the simulator:\r
spring:\r
  profiles:\r
    active: oauth-authentication\r
server:\r
  request:\r
    grant:\r
      auth: oauth\r
                \r
==========================================\r
To use basic auth for notifications\r
==========================================              \r
The same username/password is used as for oauth token requests as describe above and passed to the VNFM in the subscription request.