...
Heat and other non OOM deployments
- Use the files in {need commit here or attach fileshttps://gerrit.onap.org/r/50963}
- copy new certificate files into deployment
/opt/onap/appc/data/storer
org.onap.appc.keyfile
org.onap.appc.p12
truststoreONAPall.jks - copy new cadi.properites file
/opt/onap/appc/data/properties/cadi.properties
- copy new certificate files into deployment
- edit aaa-aap-config.xml
...
swap commenting for tokenAuthRealm
<main>
<pair-key>tokenAuthRealm</pair-key>
<pair-value>org.opendaylight.aaa.shiro.realm.TokenAuthRealm</pair-value>
<!-- <pair-value>org.onap.aaf.cadi.shiro.AAFRealm</pair-value> -->
</main>
To
<main>
<pair-key>tokenAuthRealm</pair-key>
<!-- <pair-value>org.opendaylight.aaa.shiro.realm.TokenAuthRealm</pair-value> -->
<pair-value>org.onap.aaf.cadi.shiro.AAFRealm</pair-value>
</main>
swap urls for urls to be secured by AAF. NOTE: DO THIS FOR ALL URLS USING authcBasic
<urls>
<pair-key>/**</pair-key>
<pair-value>authcBasic, roles[admin]</pair-value>
<!-- <pair-value>authcBasic, roles[org.onap.appc.odl|odl-api|*]</pair-value> -->
</urls>
To
<urls>
<pair-key>/**</pair-key>
<!-- <pair-value>authcBasic, roles[admin]</pair-value> -->
<pair-value>authcBasic, roles[org.onap.appc.odl|odl-api|*]</pair-value>
</urls>
3. Restart APPC
...
If there is not a DNS entry for aaf-onap-beijing-test.osaaf.org set the mapping to a valid AAF instance in etc/hosts.
Enabling AAF security for APPC old certificates
...
Older versions of ODL use shiro.ini located in the /etc directory in place of aaa-app-config.xml. The properties used in shiro.ini are the same. When updating the shiro.ini ODL has to be restared for changes to take effect.
Bath legacy credential support capability
The bath legacy credential support capability allows the legacy admin credentials to still function when AAF is enabled. The legacy admin credentials are stored in the /opt/onap/appc/data/properties/bath-config.csv file. If additional legacy credentials need to be added, they should be in the format expected below with a legacy base 64 encoded login/pw, AAF base 64 encoded login/pw, and expiration date in YYYY-MM-DD format:
Basic <legacy base 64 encoding of login and password>,Basic <AAF base 64 encoding of login and password>,YYYY-MM-DD
OOM deployments
- AAF is enabled by default in OOM. To disable AAF for APPC in OOM, set a config value of enableAAF: false in an override file. See the example below:
appc:
enabled: true
config:
enableAAF: false