From 082be1a805d268bb4ae01dc75a8e63da082504ac Mon Sep 17 00:00:00 2001
From: Matthieu Geerebaert <matthieu.geerebaert@orange.com>
Date: Fri, 10 May 2019 16:45:37 +0200
Subject: [PATCH] Document Release note, vulnerabilty section, exposing only a
 non https API

Add HTTP/HTTPS relative warning in Security Notes section

Change-Id: I3fafdcd376fd58a9ad4fcf980cd74707e0799ebe
Issue-ID: EXTAPI-238
Signed-off-by: MatthieuGeerebaert <matthieu.geerebaert@orange.com>
---
 docs/releasenotes/releasenotes.rst | 27 +++++++++++++++++++++++----
 1 file changed, 23 insertions(+), 4 deletions(-)

diff --git a/docs/releasenotes/releasenotes.rst b/docs/releasenotes/releasenotes.rst
index 99dc838..5b656b6 100755
--- a/docs/releasenotes/releasenotes.rst
+++ b/docs/releasenotes/releasenotes.rst
@@ -38,14 +38,33 @@ Many other changes and improvement are listed in JIRA:
 **Known Issues**
 
 - `EXTAPI-197 <https://jira.onap.org/browse/EXTAPI-197>`_ - Bad hostname while registering on MSB`
-
-Will be fixed in the next release El Alto
+- `EXTAPI-222 <https://jira.onap.org/browse/EXTAPI-222>`_ - Add support for HTTPS`
 
 **Security Notes**
 
-NBI still exposes non TLS API endpoint. TLS will be proposed in next the release, El Alto.
+NBI has been improved to reduce signs of vulnerabilities,
+especially by migrating from Springboot 1.x to Springboot 2 and using ONAP Parent pom.xml
+
+Warning: NBI exposes non TLS API endpoint on port 30274, meaning full plain text exchange with NBI API.
+TLS configuration, with ONAP Root CA signed certificate will be proposed in El Alto.
+
+As a workaround it is quite easy to add HTTPS support to NBI by configuring SSL and activating strict https.
+Presuming you have a valid JKS keystore, with private key and a signed certificate:
+
+::
+
+    src/main/resources/application.properties
+
+::
+
+    # tls/ssl
+    server.ssl.key-store-type=JKS
+    server.ssl.key-store=classpath:certificate/yourkeystore.jks
+    server.ssl.key-store-password=password
+    server.ssl.key-alias=youralias
 
-NBI has been improved to reduce signs of vulnerabilities, especially by migrating from Springboot 1.x to Springboot 2 and using the ONAP Parent pom.xml
+    # disable http and activate https
+    security.require-ssl=true
 
 - `Dublin Vulnerability Report <https://wiki.onap.org/pages/viewpage.action?pageId=51282484>`_
 
-- 
2.16.6