Access
You must be connected to the WindRiver "pod-onap-01" VPN to gain access to AAF Beijing
...
THEREFORE: GO WITH CERTIFICATE IDENTITY
Certificates
Root Certificate
...
AAF CA
At the time of Beijing, an official Certificate Authority for ONAP had not been declared, installed or operationalized. Secure TLS requires certificates, so for the time being the Certificate Authority is run by the AAF Team.
Root Certificate
The Root Certificate for ONAP Certificate Authority used by AAF is AAF_RootCA.cer
Depending on your Browser/Operating System, clicking on this link will allow you to install this Cert into your Browser for GUI access (see next).
This Root Certificate is also available in "truststore" form, ready to be used by Java or other processes in pkcs12 format:
...
- - This Truststore has ONLY the ONAP AAF_RootCA in it.
- truststoreONAPall.jks - This Truststore has the ONAP AAF_RootCA in it PLUS all the Public CA Certs that are in Java 1.8.131 (note: this is in jks format, because the original JAVA truststore was in jks format)
Note: as of Java 8, pkcs12 format is recommended, rather than jks. Java's "keytool" utility provides a conversion for .jks for Java 7 and previous.
...
Applications
# 0 - unique ID - Let's go with this naming convention: a[0-9]{4}[a-z,0-9], meaning the letter "a", followed by 4 digits and a final letter or digit. For ONAP Test, this will be the same as the App Acronym.
# 1 - full name of the App
# 2 - App Acronym
# 3 - App Description, or just "Application"
# 5 - official email - a Distribution list for the Application, or the Email of the Owner
# 6 - type - application
# 7 - reports to: give the Application Owner's Unique ID. Note, this should also be the Owner in AAF Namespace
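A pre-submission check for one application identity record, following the field list above. This is an added example, not AAF code; the "|" separator, the function and constant names, the case-insensitive acronym comparison and the sample records are assumptions made here. It also shows that the pattern as written accepts a trailing comma, while the prose describes only a letter or digit.

```python
import re

# The page writes the convention as a[0-9]{4}[a-z,0-9]; inside [...] the comma is
# a literal, so that form also accepts an ID ending in ",".
PAGE_PATTERN = re.compile(r"a[0-9]{4}[a-z,0-9]")
# What the prose describes: "a", four digits, then one final letter or digit.
STRICT_PATTERN = re.compile(r"a[0-9]{4}[a-z0-9]")

# Field positions from the page's list (position 4 is not described there).
REQUIRED = {0: "unique ID", 1: "full name", 2: "acronym", 3: "description",
            5: "email", 6: "type", 7: "reports to"}


def check_identity(line, sep="|", onap_test=False):
    """Return the problems found in one application identity record.

    Assumptions of this example: fields are separated by "|", and for ONAP
    Test the unique ID is compared to the acronym case-insensitively.
    """
    fields = [f.strip() for f in line.split(sep)]
    if len(fields) < 8:
        return [f"expected 8 fields, found {len(fields)}"]
    problems = [f"field {pos} ({name}) is empty"
                for pos, name in REQUIRED.items() if not fields[pos]]
    if onap_test:
        if fields[0].lower() != fields[2].lower():
            problems.append("unique ID differs from the App Acronym")
    elif not STRICT_PATTERN.fullmatch(fields[0]):
        problems.append("unique ID does not match a[0-9]{4}[a-z0-9]")
    if fields[6] != "application":
        problems.append("type is not 'application'")
    return problems


# Constructed sample records (not real ONAP identities).
GOOD = "a1234b|Example App|EXA|Application||owners@example.org|application|jdoe"
COMMA = "a1234,|Example App|EXA|Application||owners@example.org|application|jdoe"
PERSON = "a1234b|Example App|EXA|Application||owners@example.org|person|jdoe"
TEST_ENV = "exa|Example App|EXA|Application||owners@example.org|application|jdoe"

if __name__ == "__main__":
    for record in (GOOD, COMMA, PERSON, TEST_ENV):
        print(record.split("|")[0], check_identity(record) or "ok")
```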
...
Application Client-only certificates are not tied to a specific machine. They function just like people, only it is expected that they are used within "keystores" as identity when talking to AAF enabled components.
PLEASE USE your APP NAME IN CI/CD (OOM, etc) in your request. That makes the most sense for identity.
Automation and tracking of Application Certificates will be proposed for Casablanca.
In the meantime, for testing purposes, you may request a certificate from AAF team, see process.
Application Service
This kind of Certificate must have the Machine Name in the "CN=" position.
AAF supports Automated Certificate Deployment, but this has not been integrated with OOM at this time (April 12, 2018).
- Please request a Manual Certificate, but specify the Machine as well. The Machine should be a name, so you might need to provide your Clients with instructions on adding it to /etc/hosts until ONAP addresses Name Services for ONAP Environments (i.e. DNS).
GUI
https://aaf-onap-beijing-test.osaaf.org
...
- Accept the Root Certificate
- Obtain a Personal Certificate above
- Add the Personal Certificate/Private key to your Browser. Typically, this is done by having it packaged in a P