Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

Table of Contents
exclude""
printablefalse

Access

You must be connected to the WindRiver "pod-onap-01" VPN to gain access to AAF Beijing

...

http://aaf-onap-beijing-test.osaaf.org/-

Credentials

AAF does support User/Password, and allows additional plugins as it did in Amsterdam, however, User/Password credentials are inferior to PKI technology, and does not match the ONAP Design goal of TLS and PKI Identity across the board.  Therefore, while an individual organization might avail themselves of the User/Password facilities within AAF, for ONAP, we are avoiding.

THEREFORE: GO WITH CERTIFICATE IDENTITY

Certificates

Root Certificate

...

AAF_RootCA.cer

AAF CA

At time of Beijing, an official Certificate Authority for ONAP was not declared, installed or operationalized.  Secure TLS requires certificates, so for the time being, the Certificate Authority is being run by AAF Team.

Root Certificate

The Root Certificate for ONAP Certificate Authority used by AAF is AAF_RootCA.cer
Depending on your Browser/ Operating System, clicking on this link will allow you to install this Cert into your Browser for GUI access (see next)

This Root Certificate is also available in "truststore" form, ready to be used by Java or other processes in pkcs12 format:

...

      •   -  This Truststore has ONLY the ONAP AAF_RootCA in it.
      • truststoreONAPall.jks - This Truststore has the ONAP AAF_RootCA in it PLUS all the Public CA Certs that are in Java 1.8.131 (note: this is in jks format, because the original JAVA truststore was in jks format)

Note: as of Java 8, pkcs12 format is recommended, rather than jks.  Java's "keytool" utility provides a conversion for .jks for Java 7 and previous.

...

Therefore, with each Certificate Request, we'll need identity information as well, that will be entered into an ONAP Identity file.  Again, as a real company, this can be derived or accessed real-time (if available) as an "Organization Plugin".  Again, as there appears to be no such central formal system in ONAP, or until , though, of course, Linux Foundation logins have some of this information for ALL LF projects.  Until ONAP declares such a system or decides how we might integrate with LF for Identity and we have time to create an Integration strategy, AAF will control this data.

...

  Applications

# 0 - unique ID - Let's go with this naming convention:  a[0-9]{4}[a-z,0-9], meaning the letter "a", followed by 4 digits and a final letter or digit. For ONAP Test, this will be the same a the App Acronym.
# 1 - full name of the App
# 2 - App Acronym
# 3 - App Description, or just "Application"
# 5 - official email - I would expect a Distribution list for the Application, or the Email of the Owner.
# 6 - type - application
# 7 - reports to: give the Application Owner's Unique ID.  Note, this should also be the Owner in AAF Namespace

Obtaining a Certificate

There are 3 types of Certificates available for AAF and ONAP community through AAF.  People, App Client-only, and App Service (can be used for both Client and Service)

Process (This process may fluctuate, or move to iTrack, so revisit this page for each certificate you request)
        1. Email the AAF Team (jonathan.gathman@att.com, for now)
        2. Put "REQUEST ONAP CERTIFICATE" in the Subject Line
        3. If you have NOT established an Identity, see above, put the Identity information in first
        4. Then declare which of the three kinds of Certificates you want.
          1. People and App Client-only certificates will be Manual
            1. You will receive a reply email with instructions on creating and signing a CSR, with a specific Subject.
            2. Reply back with the CSR attached. DO NOT CHANGE the Subject.  
              1. Subject is NOT NEGOTIABLE. If it does not match the original Email, you will be rejected, and will waste everyone's time.
            3. You will receive back the certificate itself, and some openssl instructions to build a .p12 file (or maybe a ready-to-run Shell Script)
          2. App Service Certificate is supported by AAF's Certman
            1. However, this requires the establishment of Deployer Identities, as no Certificate is deployed without Authorization.
            2. Therefore, for now, follow the "Manual" method, described in 4.a, but include the Machine to be the "cn="
People

People Certificates can be used for browsers, curl, etc.

Automation and tracking of People Certificates will be proposed for Casablanca.

In the meantime, for testing purposes, you may request a certificate from AAF team, see process.

Application Client-only

Application Client-only certificates are not tied to a specific machine.  They function just like people, only it is expected that they are used within "keystores" as identity when talking to AAF enabled components.

PLEASE USE your APP NAME IN CI/CD (OOM, etc) in your request.  That makes the most sense for identity.

Automation and tracking of Application Certificates will be proposed for Casablanca. 

In the meantime, for testing purposes, you may request a certificate from AAF team, see process.

Application Service 

This kind of Certificate must have the Machine Name in the "CN=" position.  

AAF supports Automated Certificate Deployment, but this has not been integrated with OOM at this time (April 12, 2018).  

    • Please request Manual Certificate, but specify the Machine as well.  Machine should be a name, so you might need to provide your Clients with instructions on adding to /etc/hosts until ONAP address Name Services for ONAP Environments (i.e. DNS)

GUI

https://aaf-onap-beijing-test.osaaf.org

...