--- /dev/null
+The following describes how to configure authentication for the VNFM adapter.\r
+\r
+\r
+==========================================\r
+To confgure TLS\r
+==========================================\r
+\r
+---------------\r
+VNFM Adapter\r
+---------------\r
+The following parameters can be set to configure the certificate for the VNFM adapter\r
+server:\r
+ ssl:\r
+ key-alias: so@so.onap.org\r
+ key--store-password: 'I,re7WWEJR$e]x370wRgx?qE'\r
+ key-store: classpath:org.onap.so.p12\r
+ key-store-type: PKCS12\r
+The values shown above relate to the certificate included in the VNFM adapter jar which has been generated from AAF. If a different certificate is to be used then these values should be changed accordingly.\r
+\r
+The following paramters can be set to configure the trust store for the VNFM adapter:\r
+http:\r
+ client:\r
+ ssl:\r
+ trust-store: org.onap.so.trust.jks\r
+ trust-store-password: NyRD](z:EJJNIt?},QgM3o7H\r
+The values shown above relate to the trust store included in the VNFM adapter jar which has been generated from AAI. If a different trust store is to be used then these values should be changed accordingly.\r
+\r
+Ensure the value for the below parameter uses https instead of http\r
+vnfmadapter:\r
+ endpoint: http://so-vnfm-adapter.onap:9092\r
+ \r
+---------------\r
+bpmn-infra\r
+---------------\r
+For bpmn-infra, ensure the value for the below parameter uses https instead of http\r
+so:\r
+ vnfm:\r
+ adapter:\r
+ url: https://so-vnfm-adapter.onap:9092/so/vnfm-adapter/v1/\r
+\r
+\r
+==========================================\r
+To use two way TLS\r
+==========================================\r
+\r
+Ensure the value for username and password are empty in the AAI entry for the VNFM (The VNFM adapter will use oauth instead of two way TLS if the username/password is set).\r
+Ensure TLS has been configuered as detailed above.\r
+\r
+---------------\r
+VNFM adapter\r
+---------------\r
+Set the following parameter for the VNFM adapter:\r
+server:\r
+ ssl:\r
+ client-auth: need\r
+ \r
+---------------\r
+bpmn-infra:\r
+---------------\r
+Set the following paramters for bpmn-infra:\r
+rest:\r
+ http:\r
+ client:\r
+ configuration:\r
+ ssl:\r
+ keyStore: classpath:org.onap.so.p12\r
+ keyStorePassword: 'RLe5ExMWW;Kd6GTSt0WQz;.Y'\r
+ trustStore: classpath:org.onap.so.trust.jks\r
+ trustStorePassword: '6V%8oSU$,%WbYp3IUe;^mWt4'\r
+Ensure the value for the below parameter uses https instead of http\r
+so:\r
+ vnfm:\r
+ adapter:\r
+ url: https://so-vnfm-adapter.onap:9092/so/vnfm-adapter/v1/\r
+ \r
+--------------- \r
+VNFM simulator:\r
+---------------\r
+Set the following parameters for the VNFM simulator (if used):\r
+server:\r
+ ssl:\r
+ client-auth: need\r
+ request:\r
+ grant:\r
+ auth: twowaytls\r
+\r
+==========================================\r
+To use oauth token base authentication\r
+==========================================\r
+\r
+--------------- \r
+VNFM adapter:\r
+---------------\r
+Ensure the value for username and password set set in the AAI entry for the VNFM. The VNFM adapter will use this username/password as the client credentials in the request for a token for the VNFM. The token endpoint\r
+for the VNFM will by default will be derived from the service url for the VNFM in AAI as follows: <base of service url>/oauth/token, e.g. if the service url is https://so-vnfm-simulator.onap/vnflcm/v1 then the token url will\r
+be taken to be https://so-vnfm-simulator.onap/oauth/token. This can be overriden using the following parameter for the VNFM adapter:\r
+vnfmadapter:\r
+ temp:\r
+ vnfm:\r
+ oauth:\r
+ endpoint:\r
+ \r
+The VNFM adapter exposes a token point at url: https://<hostname>:<port>/oauth/token e.g. https://so-vnfm-adapter.onap:9092/oauth/token. The VNFM can request a token from this endpoint for use in grant requests and notifications\r
+to the VNFM adapter. The username/password to be used in the token request are passed to the VNFM in a subscription request. The username/password sent by the VNFM adpater in the subscription request can be configuered using the \r
+following parameter:\r
+vnfmadapter:\r
+ auth: <encoded value>\r
+where <encoded value> is '<username>:<password>' encoded using org.onap.so.utils.CryptoUtils with the key set by the paramter:\r
+mso:\r
+ key: <key>\r
+The default username:password is vnfm-adapter:123456 when vnfm-adapter.auth is not set.\r
+ \r
+--------------- \r
+VNFM simulator:\r
+---------------\r
+Set the following parameters for the simulator:\r
+spring:\r
+ profiles:\r
+ active: oauth-authentication\r
+server:\r
+ request:\r
+ grant:\r
+ auth: oauth\r
+ \r
+==========================================\r
+To use basic auth for notifications\r
+========================================== \r
+The same username/password is used as for oauth token requests as describe above and passed to the VNFM in the subscription request.
\ No newline at end of file
import org.onap.so.security.MSOSpringFirewall;
import org.onap.so.security.WebSecurityConfig;
+import org.springframework.beans.factory.annotation.Value;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.builders.WebSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
@EnableWebSecurity
public class WebSecurityConfigImpl extends WebSecurityConfig {
+ @Value("${server.ssl.client-auth:none}")
+ private String clientAuth;
+
@Override
protected void configure(final HttpSecurity http) throws Exception {
- http.csrf().disable().authorizeRequests().antMatchers("/manage/health", "/manage/info").permitAll()
- .antMatchers("/**").hasAnyRole(StringUtils.collectionToDelimitedString(getRoles(), ",")).and()
- .httpBasic();
+ if (clientAuth.equalsIgnoreCase("need")) {
+ http.csrf().disable().authorizeRequests().anyRequest().permitAll();
+ } else {
+ http.csrf().disable().authorizeRequests().antMatchers("/manage/health", "/manage/info").permitAll()
+ .antMatchers("/**").hasAnyRole(StringUtils.collectionToDelimitedString(getRoles(), ",")).and()
+ .httpBasic();
+ }
}
@Override
basicAuthParams.setPassword(decrypedAuth[1]);
authentication.addAuthTypeItem(AuthTypeEnum.BASIC);
authentication.paramsBasic(basicAuthParams);
+
+ authentication.addAuthTypeItem(AuthTypeEnum.TLS_CERT);
return authentication;
}
import com.google.gson.Gson;
import java.io.IOException;
import java.security.KeyManagementException;
+import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
+import java.security.UnrecoverableKeyException;
import java.security.cert.CertificateException;
import java.util.Iterator;
-import java.util.ListIterator;
import java.util.Map;
import java.util.UUID;
import java.util.concurrent.ConcurrentHashMap;
import org.onap.aai.domain.yang.EsrVnfm;
import org.onap.so.adapters.vnfmadapter.extclients.vnfm.lcn.JSON;
import org.onap.so.configuration.rest.BasicHttpHeadersProvider;
-import org.onap.so.logging.jaxrs.filter.SpringClientFilter;
import org.onap.so.rest.service.HttpRestServiceProvider;
import org.onap.so.rest.service.HttpRestServiceProviderImpl;
import org.slf4j.Logger;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.io.Resource;
-import org.springframework.http.client.ClientHttpRequestInterceptor;
+import org.springframework.http.client.BufferingClientHttpRequestFactory;
import org.springframework.http.client.HttpComponentsClientHttpRequestFactory;
import org.springframework.http.converter.HttpMessageConverter;
import org.springframework.http.converter.json.GsonHttpMessageConverter;
@Value("${http.client.ssl.trust-store:#{null}}")
private Resource trustStore;
@Value("${http.client.ssl.trust-store-password:#{null}}")
- private String trustPassword;
+ private String trustStorePassword;
+
+ @Value("${server.ssl.key-store:#{null}}")
+ private Resource keyStoreResource;
+ @Value("${server.ssl.key--store-password:#{null}}")
+ private String keyStorePassword;
/**
* This property is only intended to be temporary until the AAI schema is updated to support setting the endpoint
if (trustStore != null) {
setTrustStore(restTemplate);
}
- removeSpringClientFilter(restTemplate);
return new HttpRestServiceProviderImpl(restTemplate, new BasicHttpHeadersProvider());
}
private void setTrustStore(final RestTemplate restTemplate) {
SSLContext sslContext;
try {
- sslContext =
- new SSLContextBuilder().loadTrustMaterial(trustStore.getURL(), trustPassword.toCharArray()).build();
+ if (keyStoreResource != null) {
+ KeyStore keystore = KeyStore.getInstance("pkcs12");
+ keystore.load(keyStoreResource.getInputStream(), keyStorePassword.toCharArray());
+ sslContext =
+ new SSLContextBuilder().loadTrustMaterial(trustStore.getURL(), trustStorePassword.toCharArray())
+ .loadKeyMaterial(keystore, keyStorePassword.toCharArray()).build();
+ } else {
+ sslContext = new SSLContextBuilder()
+ .loadTrustMaterial(trustStore.getURL(), trustStorePassword.toCharArray()).build();
+ }
logger.info("Setting truststore: {}", trustStore.getURL());
final SSLConnectionSocketFactory socketFactory = new SSLConnectionSocketFactory(sslContext);
final HttpClient httpClient = HttpClients.custom().setSSLSocketFactory(socketFactory).build();
final HttpComponentsClientHttpRequestFactory factory =
new HttpComponentsClientHttpRequestFactory(httpClient);
- restTemplate.setRequestFactory(factory);
+ restTemplate.setRequestFactory(new BufferingClientHttpRequestFactory(factory));
} catch (KeyManagementException | NoSuchAlgorithmException | KeyStoreException | CertificateException
- | IOException exception) {
+ | IOException | UnrecoverableKeyException exception) {
logger.error("Error reading truststore, TLS connection to VNFM will fail.", exception);
}
}
- private void removeSpringClientFilter(final RestTemplate restTemplate) {
- ListIterator<ClientHttpRequestInterceptor> interceptorIterator = restTemplate.getInterceptors().listIterator();
- while (interceptorIterator.hasNext()) {
- if (interceptorIterator.next() instanceof SpringClientFilter) {
- interceptorIterator.remove();
- }
- }
- }
-
}
setUpVimInMockAai();
final String expectedsubscriptionRequest =
- "{\"filter\":{\"vnfInstanceSubscriptionFilter\":{\"vnfInstanceIds\":[\"vnfId\"]},\"notificationTypes\":[\"VnfLcmOperationOccurrenceNotification\"]},\"callbackUri\":\"https://so-vnfm-adapter.onap:30406/so/vnfm-adapter/v1/lcn/VnfLcmOperationOccurrenceNotification\",\"authentication\":{\"authType\":[\"OAUTH2_CLIENT_CREDENTIALS\", \"BASIC\"],\"paramsOauth2ClientCredentials\":{\"clientId\":\"vnfm\",\"clientPassword\":\"password1$\",\"tokenEndpoint\":\"https://so-vnfm-adapter.onap:30406/oauth/token\"},\"paramsBasic\":{\"userName\":\"vnfm\",\"password\":\"password1$\"}}}";
+ "{\"filter\":{\"vnfInstanceSubscriptionFilter\":{\"vnfInstanceIds\":[\"vnfId\"]},\"notificationTypes\":[\"VnfLcmOperationOccurrenceNotification\"]},\"callbackUri\":\"https://so-vnfm-adapter.onap:30406/so/vnfm-adapter/v1/lcn/VnfLcmOperationOccurrenceNotification\",\"authentication\":{\"authType\":[\"OAUTH2_CLIENT_CREDENTIALS\", \"BASIC\", \"TLS_CERT\"],\"paramsOauth2ClientCredentials\":{\"clientId\":\"vnfm\",\"clientPassword\":\"password1$\",\"tokenEndpoint\":\"https://so-vnfm-adapter.onap:30406/oauth/token\"},\"paramsBasic\":{\"userName\":\"vnfm\",\"password\":\"password1$\"}}}";
final InlineResponse2001 subscriptionResponse = new InlineResponse2001();
final InlineResponse201 createResponse = createCreateResponse();
</executions>
</plugin>
</plugins>
+ <resources>
+ <resource>
+ <directory>src/main/resources</directory>
+ <filtering>true</filtering>
+ <excludes>
+ <exclude>**/*.p12</exclude>
+ <exclude>**/*.jks</exclude>
+ </excludes>
+ </resource>
+ <resource>
+ <directory>src/main/resources</directory>
+ <filtering>false</filtering>
+ <includes>
+ <include>**/*.p12</include>
+ <include>**/*.jks</include>
+ </includes>
+ </resource>
+ </resources>
</build>
<dependencyManagement>
<dependencies>
package org.onap.so.bpmn.infrastructure.adapter.vnfm.tasks;
import static org.onap.so.client.RestTemplateConfig.CONFIGURABLE_REST_TEMPLATE;
+import java.io.IOException;
+import java.security.KeyManagementException;
+import java.security.KeyStore;
+import java.security.KeyStoreException;
+import java.security.NoSuchAlgorithmException;
+import java.security.UnrecoverableKeyException;
+import java.security.cert.CertificateException;
+import javax.net.ssl.SSLContext;
+import org.apache.http.client.HttpClient;
+import org.apache.http.conn.ssl.SSLConnectionSocketFactory;
+import org.apache.http.impl.client.HttpClients;
+import org.apache.http.ssl.SSLContextBuilder;
import org.onap.so.configuration.rest.BasicHttpHeadersProvider;
import org.onap.so.configuration.rest.HttpHeadersProvider;
import org.onap.so.rest.service.HttpRestServiceProvider;
import org.onap.so.rest.service.HttpRestServiceProviderImpl;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Qualifier;
+import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
+import org.springframework.core.io.Resource;
+import org.springframework.http.client.BufferingClientHttpRequestFactory;
+import org.springframework.http.client.HttpComponentsClientHttpRequestFactory;
import org.springframework.web.client.RestTemplate;
/**
@Configuration
public class VnfmAdapterCreateVnfTaskConfiguration {
+ private static final Logger logger = LoggerFactory.getLogger(VnfmAdapterCreateVnfTaskConfiguration.class);
+
+ @Value("${rest.http.client.configuration.ssl.trustStore:#{null}}")
+ private Resource trustStore;
+
+ @Value("${rest.http.client.configuration.ssl.trustStorePassword:#{null}}")
+ private String trustStorePassword;
+
+ @Value("${rest.http.client.configuration.ssl.keyStore:#{null}}")
+ private Resource keyStoreResource;
+
+ @Value("${rest.http.client.configuration.ssl.keyStorePassword:#{null}}")
+ private String keyStorePassword;
+
@Bean
public HttpRestServiceProvider databaseHttpRestServiceProvider(
@Qualifier(CONFIGURABLE_REST_TEMPLATE) @Autowired final RestTemplate restTemplate,
@Autowired final VnfmBasicHttpConfigProvider etsiVnfmAdapter) {
+ if (trustStore != null) {
+ setTrustStore(restTemplate);
+ }
return getHttpRestServiceProvider(restTemplate, new BasicHttpHeadersProvider(etsiVnfmAdapter.getAuth()));
}
+ private void setTrustStore(final RestTemplate restTemplate) {
+ SSLContext sslContext;
+ try {
+ if (keyStoreResource != null) {
+ KeyStore keystore = KeyStore.getInstance("pkcs12");
+ keystore.load(keyStoreResource.getInputStream(), keyStorePassword.toCharArray());
+ sslContext =
+ new SSLContextBuilder().loadTrustMaterial(trustStore.getURL(), trustStorePassword.toCharArray())
+ .loadKeyMaterial(keystore, keyStorePassword.toCharArray()).build();
+ } else {
+ sslContext = new SSLContextBuilder()
+ .loadTrustMaterial(trustStore.getURL(), trustStorePassword.toCharArray()).build();
+ }
+ logger.info("Setting truststore: {}", trustStore.getURL());
+ final SSLConnectionSocketFactory socketFactory = new SSLConnectionSocketFactory(sslContext);
+ final HttpClient httpClient = HttpClients.custom().setSSLSocketFactory(socketFactory).build();
+ final HttpComponentsClientHttpRequestFactory factory =
+ new HttpComponentsClientHttpRequestFactory(httpClient);
+ restTemplate.setRequestFactory(new BufferingClientHttpRequestFactory(factory));
+ } catch (KeyManagementException | NoSuchAlgorithmException | KeyStoreException | CertificateException
+ | IOException | UnrecoverableKeyException exception) {
+ logger.error("Error reading truststore, TLS connection to VNFM will fail.", exception);
+ }
+ }
+
private HttpRestServiceProvider getHttpRestServiceProvider(final RestTemplate restTemplate,
final HttpHeadersProvider httpHeadersProvider) {
return new HttpRestServiceProviderImpl(restTemplate, httpHeadersProvider);
package org.onap.svnfm.simulator.config;
-import java.net.InetAddress;
import java.util.Arrays;
import org.onap.svnfm.simulator.constants.Constant;
import org.springframework.beans.factory.annotation.Autowired;
@Value("${server.dns.name:so-vnfm-simulator.onap}")
private String serverDnsName;
+ @Value("${server.request.grant.auth:oauth}")
+ private String grantAuth;
+
@Autowired
private Environment environment;
return baseUrl;
}
+ public String getGrantAuth() {
+ return grantAuth;
+ }
+
@Bean
public CacheManager cacheManager() {
final Cache inlineResponse201 = new ConcurrentMapCache(Constant.IN_LINE_RESPONSE_201_CACHE);
import java.io.InputStreamReader;
import java.net.URL;
import java.nio.charset.StandardCharsets;
+import java.security.KeyStore;
+import java.security.KeyStoreException;
+import java.security.NoSuchAlgorithmException;
+import java.security.UnrecoverableKeyException;
+import java.security.cert.CertificateException;
import java.util.ArrayList;
import java.util.List;
import java.util.UUID;
import javax.net.ssl.HttpsURLConnection;
+import javax.net.ssl.KeyManager;
+import javax.net.ssl.KeyManagerFactory;
import javax.ws.rs.core.MediaType;
import org.apache.commons.codec.binary.Base64;
import org.modelmapper.ModelMapper;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.core.io.ClassPathResource;
+import org.springframework.core.io.Resource;
public abstract class OperationProgressor implements Runnable {
private static final Logger LOGGER = LoggerFactory.getLogger(OperationProgressor.class);
private static final String CERTIFICATE_TO_TRUST = "so-vnfm-adapter.crt.pem";
+ private Resource keyStoreResource = new ClassPathResource("so-vnfm-simulator.p12");
+ private String keyStorePassword = "7Em3&j4.19xYiMelhD5?xbQ.";
+
protected final VnfOperation operation;
protected final SvnfmService svnfmService;
private final VnfOperationRepository vnfOperationRepository;
String callBackUrl = subscriptionService.getSubscriptions().iterator().next().getCallbackUri();
callBackUrl = callBackUrl.substring(0, callBackUrl.indexOf("/lcn/"));
apiClient.setBasePath(callBackUrl);
+ apiClient.setKeyManagers(getKeyManagers());
apiClient.setSslCaCert(getCertificateToTrust());
notificationClient = new DefaultApi(apiClient);
final org.onap.so.adapters.vnfmadapter.extclients.vnfm.grant.ApiClient grantApiClient =
new org.onap.so.adapters.vnfmadapter.extclients.vnfm.grant.ApiClient();
grantApiClient.setBasePath(callBackUrl);
+ grantApiClient.setKeyManagers(getKeyManagers());
grantApiClient.setSslCaCert(getCertificateToTrust());
grantClient = new org.onap.so.adapters.vnfmadapter.extclients.vnfm.grant.api.DefaultApi(grantApiClient);
}
}
}
+ private KeyManager[] getKeyManagers() {
+ KeyStore keystore;
+ try {
+ keystore = KeyStore.getInstance("pkcs12");
+ keystore.load(keyStoreResource.getInputStream(), keyStorePassword.toCharArray());
+ KeyManagerFactory keyManagerFactory = KeyManagerFactory.getInstance("SunX509");
+ keyManagerFactory.init(keystore, keyStorePassword.toCharArray());
+ return keyManagerFactory.getKeyManagers();
+ } catch (KeyStoreException | NoSuchAlgorithmException | CertificateException | IOException
+ | UnrecoverableKeyException exception) {
+ LOGGER.error("Error reading certificate, https calls using two way TLS to VNFM adapter will fail",
+ exception);
+ return new KeyManager[0];
+ }
+ }
+
@Override
public void run() {
try {
final SubscriptionsAuthenticationParamsOauth2ClientCredentials subscriptionAuthentication =
subscriptionService.getSubscriptions().iterator().next().getAuthentication()
.getParamsOauth2ClientCredentials();
- final String authHeader =
- "Bearer " + getToken(notificationClient.getApiClient(), subscriptionAuthentication);
+
+ final String authHeader = applicationConfig.getGrantAuth().equals("oauth")
+ ? "Bearer " + getToken(notificationClient.getApiClient(), subscriptionAuthentication)
+ : null;
final ApiResponse<InlineResponse201> response = grantClient.grantsPostWithHttpInfo(grantRequest,
MediaType.APPLICATION_JSON, MediaType.APPLICATION_JSON, authHeader);