{"type":"doc","content":[{"type":"heading","attrs":{"level":2},"content":[{"text":"Overview","type":"text"}]},{"type":"paragraph","content":[{"text":"APPC uses the the AAF Shiro OSGI plugin to secure access to ODL web services with AAF.","type":"text"}]},{"type":"paragraph","content":[{"text":"The AAF shiro plugin is preloaded in the APPC docker image along with a sample cadi.properties file.","type":"text"}]},{"type":"paragraph","content":[{"type":"hardBreak"}]},{"type":"heading","attrs":{"level":2},"content":[{"text":"Enabling AAF security for APPC using two way certificate","type":"text"}]},{"type":"paragraph","content":[{"text":"New certificates are available on the master branch to replace expired one way ssl","type":"text"}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"Heat and other non OOM deployments","type":"text"}]},{"type":"orderedList","attrs":{"order":1},"content":[{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Use the files in {","type":"text"},{"text":"https://gerrit.onap.org/r/50963","type":"text","marks":[{"type":"link","attrs":{"href":"https://gerrit.onap.org/r/50963"}}]},{"text":"}","type":"text"}]},{"type":"orderedList","attrs":{"order":1},"content":[{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"copy new certificate files into deployment","type":"text"},{"type":"hardBreak"},{"text":"/opt/onap/appc/data/storer","type":"text"},{"type":"hardBreak"},{"text":"org.onap.appc.keyfile","type":"text"},{"type":"hardBreak"},{"text":"org.onap.appc.p12","type":"text"},{"type":"hardBreak"},{"text":"truststoreONAPall.jks","type":"text"},{"type":"hardBreak"},{"type":"hardBreak"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"copy new cadi.properites file","type":"text"},{"type":"hardBreak"},{"text":"/opt/onap/appc/data/properties/cadi.properties","type":"text"}]}]}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"edit aaa-aap-config.xml","type":"text"}]}]}]},{"type":"paragraph","marks":[{"type":"indentation","attrs":{"level":1}}],"content":[{"text":" /opt/opendaylight/current/etc/opendaylight/datastore/initial/config/aaa-app-config.xml","type":"text"}]},{"type":"orderedList","attrs":{"order":1},"content":[{"type":"listItem","content":[{"type":"paragraph"},{"type":"orderedList","attrs":{"order":1},"content":[{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"swap commenting for tokenAuthRealm","type":"text"}]},{"type":"paragraph","content":[{"text":"

","type":"text"}]},{"type":"paragraph","content":[{"text":" tokenAuthRealm","type":"text"}]},{"type":"paragraph","content":[{"text":" org.opendaylight.aaa.shiro.realm.TokenAuthRealm","type":"text"}]},{"type":"paragraph","content":[{"text":" ","type":"text"}]},{"type":"paragraph","content":[{"text":"

","type":"text"}]},{"type":"paragraph","content":[{"text":"To","type":"text"}]},{"type":"paragraph","content":[{"text":"

","type":"text"}]},{"type":"paragraph","content":[{"text":" tokenAuthRealm","type":"text"}]},{"type":"paragraph","content":[{"text":" ","type":"text"}]},{"type":"paragraph","content":[{"text":" org.onap.aaf.cadi.shiro.AAFRealm","type":"text"}]},{"type":"paragraph","content":[{"text":"

","type":"text"}]},{"type":"paragraph","content":[{"text":"To","type":"text"}]},{"type":"paragraph","content":[{"text":"

","type":"text"}]},{"type":"paragraph","content":[{"type":"hardBreak"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"swap urls for urls to be secured by AAF. NOTE: DO THIS FOR ALL URLS USING authcBasic","type":"text"}]},{"type":"paragraph","content":[{"text":" ","type":"text"}]},{"type":"paragraph","content":[{"text":" /**","type":"text"}]},{"type":"paragraph","content":[{"text":" authcBasic, roles[admin]","type":"text"}]},{"type":"paragraph","content":[{"text":" ","type":"text"}]},{"type":"paragraph","content":[{"text":" ","type":"text"}]},{"type":"paragraph","content":[{"text":"To","type":"text"}]},{"type":"paragraph","content":[{"text":" ","type":"text"}]},{"type":"paragraph","content":[{"text":" /**","type":"text"}]},{"type":"paragraph","content":[{"text":" ","type":"text"}]},{"type":"paragraph","content":[{"text":" authcBasic, roles[org.onap.appc.odl|odl-api|*]","type":"text"}]},{"type":"paragraph","content":[{"text":" ","type":"text"}]},{"type":"paragraph","content":[{"text":" ","type":"text"}]}]}]}]}]},{"type":"heading","attrs":{"level":2},"content":[{"text":"Customization","type":"text"}]},{"type":"paragraph","content":[{"text":"The permissions used to secure urls can be customized.","type":"text"}]},{"type":"paragraph","content":[{"text":"To customize the permission used for a url:","type":"text"}]},{"type":"orderedList","attrs":{"order":1},"content":[{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Ensure the permision has been added to AAF","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Identify the url in the aaa-app-config.xml","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"set the AAF permission to be used in the roles[] for the url","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Example:","type":"text"}]},{"type":"paragraph","content":[{"text":" to use the permission org.onap.appc.admin|*|* for the /auth/** url","type":"text"}]},{"type":"paragraph","content":[{"text":" ","type":"text"}]},{"type":"paragraph","content":[{"text":" /auth/**","type":"text"}]},{"type":"paragraph","content":[{"text":" authcBasic, roles[org.onap.appc.admin|*|*]","type":"text"}]},{"type":"paragraph","content":[{"text":" ","type":"text"}]}]}]},{"type":"heading","attrs":{"level":2},"content":[{"text":"Older ODL versions","type":"text"}]},{"type":"paragraph","content":[{"text":"Older versions of ODL use shiro.ini located in the /etc directory in place of aaa-app-config.xml. The properties used in shiro.ini are the same. When updating the shiro.ini ODL has to be restared for changes to take effect.","type":"text"}]},{"type":"heading","attrs":{"level":2},"marks":[{"type":"indentation","attrs":{"level":1}}],"content":[{"text":"Bath legacy credential support capability","type":"text"}]},{"type":"paragraph","marks":[{"type":"indentation","attrs":{"level":1}}],"content":[{"text":"The bath legacy credential support capability allows the legacy admin credentials to still function when AAF is enabled. The legacy admin credentials are stored in the /opt/onap/appc/data/properties/bath-config.csv file. If additional legacy credentials need to be added, they should be in the format expected below with a legacy base 64 encoded login/pw, AAF base 64 encoded login/pw, and expiration date in YYYY-MM-DD format:","type":"text"}]},{"type":"paragraph","marks":[{"type":"indentation","attrs":{"level":1}}],"content":[{"text":"Basic ,Basic ,YYYY-MM-DD","type":"text"}]},{"type":"heading","attrs":{"level":3},"marks":[{"type":"indentation","attrs":{"level":1}}],"content":[{"text":"OOM deployments","type":"text"}]},{"type":"orderedList","attrs":{"order":1},"content":[{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"AAF is enabled by default in OOM. To disable AAF for APPC in OOM, set a config value of enableAAF: false in an override file. See the example below:","type":"text"},{"type":"hardBreak"},{"text":"appc:","type":"text"},{"type":"hardBreak"},{"text":" enabled: true","type":"text"},{"type":"hardBreak"},{"text":" config:","type":"text"},{"type":"hardBreak"},{"text":" enableAAF: false","type":"text"}]}]}]}],"version":1}

Browser not supported