...
- HTTP/S provides the core Encryption whenever used, so all AAF Components require HTTP/S at the current protocol standards (current is TLS 1.1+ as of Nov 2016)
- HTTP/S requires X.509 certificates at minimum on the Server (in this mode, 1-way, a client Certificate is generated)
- Certificate Manager can generate certificates signed by the AT&T Internal Certificate Authority, which is secure and cost effective if external access is not needed
- These same certificates can be used for identifying the Application during the HTTP/S transaction, making a separate UserID/Password unnecessary for Authentication.
- Authentication - In order to tie generated certificates to a specific Application Identity, AAF Certificate Manager embeds an Organization ILM AppID in the Subject. These are created by an AT&T-specific Internal Certificate Authority, which only generates certificates for AAF Certman. Since AAF Certman automatically validates the Sponsorship of the AppID for each request, the end user can depend on the AppID embedded in the Subject being valid without resorting to external calls or passwords.
- ex:
- Authorization - AAF Certman utilizes AAF's Fine-grained authorizations to ensure that only the right entities perform functions, thus ensuring the integrity of the entire Certificate Process
...
The majority of the setup is for establishing the Application's Identity in AAF and Organization ILM. This is required to ensure the chain of responsibility from the Certificates to the Sponsor of the AppID. If your app already uses AAF, that can be skipped. If an AppID is already established for AppID/Password, that one should be used. Do not obtain another one.
- Organization ILM enrolled AppID, because these are about Applications
- AAF Namespace, so we can ensure only the right people may generate a certificate purporting to be that identity
Steps 1 and 2 are accomplished by following these instructions: OnBoarding
- Install CADI (Latest Version) on boxes where you will use "CMAgent"
- Java should be 1.8+ (1.7 still works)
- Direct Jar Method - this is the best way to use Certificate Manager Agent...
...
The App Owner (who should be the Namespace Owner AND the Sponsor of Record of the AppID in Organization ILM Records) follows these instructions: GUI Instructions
...
Java 1.7+ (must be at least JDK 1.7, because communications use TLS 1.1+ per Organization ILM Requirement, and JDK 1.6 does not natively support it.)
...
Special Cases - Templates
Note: Organization ILM no longer requires special exceptions for SANs. You may add them in your Artifact at creation time.
...
The "Domain" is a special case, used strictly by Dynamic VM creators and similar tools. In this case, the AppID owner specifies that his AppID may be deployed on any host in a specific domain, such as "*.vmgroup.onap.org". This approval requires a special Organization ILM exception as well as AAF approval, and when accepted, the permission "org.onap.aaf.ca|aaf|domain" is granted
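To show what a relying party does with the Subject-embedded AppID described under Authentication above, and how the "Domain" wildcard from this section constrains where such a certificate may appear, here is an added example (not AAF or CADI code). It assumes the AppID sits in the Subject commonName, that the issuer commonName and sample certificate are placeholders, and that the TLS layer has already validated the chain against a trust store holding only the internal CA.

```python
import ssl
import time

# Constructed sample in the shape returned by ssl.SSLSocket.getpeercert().
# Placing the AppID in the Subject commonName is an assumption, not AAF's spec.
SAMPLE_PEER_CERT = {
    "subject": ((("commonName", "myapp.onap.org"),),
                (("organizationalUnitName", "AAF Certman"),)),
    "issuer": ((("commonName", "Internal CA (placeholder)"),),),
    "subjectAltName": (("DNS", "vm17.vmgroup.onap.org"),),
    "notBefore": "Nov  1 00:00:00 2016 GMT",
    "notAfter": "Nov  1 00:00:00 2099 GMT",
}

def rdn_value(name, attr):
    """Pull one attribute (e.g. commonName) out of a getpeercert()-style name."""
    for rdn in name:
        for key, value in rdn:
            if key == attr:
                return value
    return None

def host_in_domain(host, domain_pattern):
    """Wildcard match for the "Domain" case; one label only (assumed semantics)."""
    if not domain_pattern.startswith("*."):
        return host.lower() == domain_pattern.lower()
    label, _, rest = host.lower().partition(".")
    return bool(label) and rest == domain_pattern[2:].lower()

def verify_app_identity(cert, trusted_issuer_cn, now=None, allowed_domain=None):
    """Return (app_id, "ok") or (None, reason).
    Application-level step after the TLS handshake: the chain was already
    checked against the internal CA, so the Subject can be read as identity.
    allowed_domain is the wildcard granted by org.onap.aaf.ca|aaf|domain."""
    now = time.time() if now is None else now
    if rdn_value(cert.get("issuer", ()), "commonName") != trusted_issuer_cn:
        return None, "issuer is not the expected internal CA"
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    if not (not_before <= now <= not_after):
        return None, "certificate outside its validity period"
    app_id = rdn_value(cert.get("subject", ()), "commonName")
    if not app_id:
        return None, "no AppID in Subject"
    if allowed_domain is not None:
        hosts = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
        if not any(host_in_domain(h, allowed_domain) for h in hosts):
            return None, "no SAN host inside permitted domain %s" % allowed_domain
    return app_id, "ok"
```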
...