1 .. This work is licensed under a Creative Commons Attribution 4.0 International License.
2 .. http://creativecommons.org/licenses/by/4.0
3 .. Copyright © 2017 AT&T Intellectual Property. All rights reserved.
8 .. _Example RESTful Client: https://gerrit.onap.org/r/gitweb?p=aaf/authz.git;a=blob;f=cadi/oauth-enduser/src/main/java/org/onap/aaf/cadi/enduser/SimpleRESTClient.java;h=30344de521ae628221bdb54642a71733304a5656;hb=HEAD
9 .. _Developer Video: https://wiki.onap.org/download/attachments/38111886/ONAPClient.mp4?version=1&modificationDate=1532378616000&api=v2
14 * `Example RESTful Client`_ (Java Client)
15 * `Developer Video`_ (might be large)
17 =========================
19 =========================
25 The AAF Test Environment is a single instance VM setp so that
26 - ONAP Developers can utilize AAF with their personal machines without having to run their own AAF.
27 - ONAP Developers can put the Permissions and Roles required for their Apps into a common AAF Environment with others
28 - AAF will pull (on demand) all the ONAP related Data (Perms/Roles/Identities) and put into "Bootstrap Data".
29 - This Bootstrap data becomes available on the myriad Testing Systems so that
30 - They don't have to create AAF Data loading on their own.
31 - The data is already consistent with other ONAP entities.
37 You must be connected to the WindRiver "pod-onap-01" VPN to gain access
44 At this time, there is no known DNS available for ONAP Entities. It is
45 recommended that you add the following entry into your "/etc/hosts" on
46 your accessing machine:
50 10.12.6.214 aaf-onap-beijing-test aaf-onap-beijing-test.osaaf.org
52 ------------------------------
53 Environment Artifacts (AAF FS)
54 ------------------------------
56 AAF has an HTTP Fileserver to gain access to needed public info.
58 http://aaf-onap-beijing-test.osaaf.org/-
64 AAF does support User/Password, and allows additional plugins as it
65 did in Amsterdam, however, User/Password credentials are inferior to
66 PKI technology, and does not match the ONAP Design goal of TLS and
67 PKI Identity across the board. Therefore, while an individual
68 organization might avail themselves of the User/Password facilities
69 within AAF, for ONAP, we are avoiding.
71 THEREFORE: **GO WITH CERTIFICATE IDENTITY**
77 `AAF\_RootCA.cer <http://aaf-onap-beijing-test.osaaf.org/AAF_RootCA.cer>`__
82 At time of Beijing, an official Certificate Authority for ONAP was
83 not declared, installed or operationalized. Secure TLS requires
84 certificates, so for the time being, the Certificate Authority is
85 being run by AAF Team.
90 | The Root Certificate for ONAP Certificate Authority used by AAF
91 is \ `AAF\_RootCA.cer <http://aaf-onap-beijing-test.osaaf.org/AAF_RootCA.cer>`__
92 | Depending on your Browser/ Operating System, clicking on this link
93 will allow you to install this Cert into your Browser for GUI
96 This Root Certificate is also available in "truststore" form, ready
97 to be used by Java or other processes:
103 - `truststoreONAP.p12 <http://aaf-onap-beijing-test.osaaf.org/truststoreONAP.p12>`__
104 - This Truststore has ONLY the ONAP AAF\_RootCA in it.
106 - `truststoreONAPall.jks <http://aaf-onap-beijing-test.osaaf.org/truststoreONAPall.jks>`__
107 - This Truststore has the ONAP AAF\_RootCA in it PLUS all the Public CA Certs that are in Java 1.8.131 (note: this is in jks format, because the original JAVA truststore was in jks format)
109 Note: as of Java 8, pkcs12 format is recommended, rather than jks.
110 Java's "keytool" utility provides a conversion for .jks for Java 7
116 Certificates certify nothing if there is no identity or process to
117 verify the Identity. Typically, for a company, an HR department
118 will establish the formal organization, specifically, who reports to
119 whom. For ONAP, at time of Beijing, no such formalized "Org Chart"
120 existed, so we'll be building this up as we go along.
122 Therefore, with each Certificate Request, we'll need identity
123 information as well, that will be entered into an ONAP Identity
124 file. Again, as a real company, this can be derived or accessed
125 real-time (if available) as an "Organization Plugin". Again, as
126 there appears to be no such central formal system in ONAP, though,
127 of course, Linux Foundation logins have some of this information for
128 ALL LF projects. Until ONAP declares such a system or decides how
129 we might integrate with LF for Identity and we have time to create
130 an Integration strategy, AAF will control this data.
132 For each Identity, we'll need:
137 | # 0 - unique ID (for Apps, just make sure it is unique, for
138 People, one might consider your LinuxFoundation ID)
139 | # 1 - full name (for App, name of the APP)
140 | # 2 - first name (for App,
143 | # 5 - official email
144 | # 6 - type - person
145 | # 7 - reports to: If you are working as part of a Project, list
146 the PTL of your Project. If you are PTL, just declare you are the
152 | # 0 - unique ID - For ONAP Test, this will be the same a the App
154 | # 1 - full name of the App
156 | # 3 - App Description, or just "Application"
157 | # 5 - official email - a Distribution list for the Application, or
158 the Email of the Owner
159 | # 6 - type - application
160 | # 7 - reports to: give the Application Owner's Unique ID. Note,
161 this should also be the Owner in AAF Namespace
163 Obtaining a Certificate
164 '''''''''''''''''''''''
167 See `Automated Configuration and Certificates`_.
169 .. _Automated Configuration and Certificates: AAF_4.1_config.html
174 People Certificates can be used for browsers, curl, etc.
176 Automation and tracking of People Certificates will be proposed for