{"type":"doc","content":[{"type":"extension","attrs":{"extensionType":"com.atlassian.confluence.macro.core","extensionKey":"toc","parameters":{"macroParams":{},"macroMetadata":{"macroId":{"value":"decea971-c6c2-4e30-9ab5-c773905ebc58"},"schemaVersion":{"value":"1"},"title":"Table of Contents"}}}},{"type":"heading","attrs":{"level":2},"content":[{"text":"Use Cases","type":"text","marks":[{"type":"strong"},{"type":"underline"}]}]},{"type":"bulletList","content":[{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Communication security between SOL003/SOL005 Adapters and SVNFM/NFVO","type":"text"}]}]}]},{"type":"heading","attrs":{"level":2},"content":[{"text":"Feature Descriptions","type":"text","marks":[{"type":"strong"},{"type":"underline"}]}]},{"type":"table","attrs":{"layout":"full-width"},"content":[{"type":"tableRow","content":[{"type":"tableHeader","attrs":{"colspan":1,"rowspan":1},"content":[{"type":"paragraph","content":[{"text":"Feature","type":"text"}]}]},{"type":"tableHeader","attrs":{"colspan":1,"rowspan":1},"content":[{"type":"paragraph","content":[{"text":"Description","type":"text"}]}]}]},{"type":"tableRow","content":[{"type":"tableHeader","attrs":{"colspan":1,"rowspan":1},"content":[{"type":"paragraph","content":[{"text":"Feature","type":"text"}]}]},{"type":"tableHeader","attrs":{"colspan":1,"rowspan":1},"content":[{"type":"paragraph","content":[{"text":"Description","type":"text"}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1},"content":[{"type":"paragraph","content":[{"text":"Secured communication and authentication and authorization support","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1},"content":[{"type":"paragraph","content":[{"text":"Secured communication and authentication and authorization support between SOL003/SOL005 Adapter and External NFVO","type":"text"}]},{"type":"bulletList","content":[{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"HTTPS protocol","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Authentication and Authorization support via AAF","type":"text"}]}]}]}]}]}]},{"type":"heading","attrs":{"level":2},"content":[{"text":"Epic and User Story","type":"text","marks":[{"type":"strong"},{"type":"underline"}]}]},{"type":"table","content":[{"type":"tableRow","content":[{"type":"tableHeader","attrs":{"colspan":1,"rowspan":1},"content":[{"type":"paragraph","content":[{"text":"Epic","type":"text"}]}]},{"type":"tableHeader","attrs":{"colspan":1,"rowspan":1},"content":[{"type":"paragraph","content":[{"text":"User Story","type":"text"}]}]},{"type":"tableHeader","attrs":{"colspan":1,"rowspan":1},"content":[{"type":"paragraph","content":[{"text":"Description","type":"text"}]}]},{"type":"tableHeader","attrs":{"colspan":1,"rowspan":1},"content":[{"type":"paragraph","content":[{"text":"Guilin Plan?","type":"text"}]}]},{"type":"tableHeader","attrs":{"colspan":1,"rowspan":1},"content":[{"type":"paragraph","content":[{"text":"JIRA","type":"text"}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1},"content":[{"type":"paragraph","content":[{"text":"Secured communication","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1},"content":[{"type":"paragraph","content":[{"type":"hardBreak"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1},"content":[{"type":"paragraph","content":[{"text":"Support Secure communication for ONAP Internal components and ONAP External components","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1},"content":[{"type":"paragraph","content":[{"text":"Yes","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1},"content":[{"type":"paragraph","content":[{"type":"hardBreak"}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1},"content":[{"type":"paragraph","content":[{"type":"hardBreak"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1},"content":[{"type":"paragraph","content":[{"text":"SO needs to a common security communication solution for ONAP internal components","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1},"content":[{"type":"paragraph","content":[{"text":"SO needs to a common security communication solution","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1},"content":[{"type":"paragraph","content":[{"text":"Yes","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1},"content":[{"type":"paragraph","content":[{"type":"hardBreak"}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1},"content":[{"type":"paragraph","content":[{"type":"hardBreak"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1},"content":[{"type":"paragraph","content":[{"text":"Secured communication between SOL003 Adapter and SVNFM","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1},"content":[{"type":"paragraph","content":[{"text":"Secured communication between SOL003 Adapter and SVNFM","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1},"content":[{"type":"paragraph","content":[{"text":"Yes","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1},"content":[{"type":"paragraph","content":[{"text":"Covered by SOL003 Adapter JIRA","type":"text"}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1},"content":[{"type":"paragraph","content":[{"type":"hardBreak"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1},"content":[{"type":"paragraph","content":[{"text":"Secured communication between SOL005 Adapter and external NFVO","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1},"content":[{"type":"paragraph","content":[{"text":"Secured communication between SOL005 Adapter and external NFVO","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1},"content":[{"type":"paragraph","content":[{"text":"Yes","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1},"content":[{"type":"paragraph","content":[{"text":"Covered by SOL005 Adapter JIRA","type":"text"}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1},"content":[{"type":"paragraph","content":[{"type":"hardBreak"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1},"content":[{"type":"paragraph","content":[{"text":"Authentication and authorization support between between SOL003 Adapter and SVFNM","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1},"content":[{"type":"paragraph","content":[{"text":"Authentication and authorization support between between SOL003 Adapter and SVFNM","type":"text"}]},{"type":"bulletList","content":[{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"support of vendor SVNFM authentication and authorization","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"support of SOL003 Adapter authentication and authorization","type":"text"}]}]}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1},"content":[{"type":"paragraph","content":[{"text":"Yes","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1},"content":[{"type":"paragraph","content":[{"text":"Covered by SOL003 Adapter JIRA","type":"text"}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1},"content":[{"type":"paragraph","content":[{"type":"hardBreak"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1},"content":[{"type":"paragraph","content":[{"text":"Authentication and authorization support between between SOL005 Adapter and external NFVO","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1},"content":[{"type":"paragraph","content":[{"text":"Authentication and authorization support between between SOL005 Adapter and external NFVO","type":"text"}]},{"type":"bulletList","content":[{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"support of external NFVO authentication and authorization","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"support of SOL005 Adapter authentication and authorization","type":"text"}]}]}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1},"content":[{"type":"paragraph","content":[{"text":"Yes","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1},"content":[{"type":"paragraph","content":[{"text":"Covered by SOL005 Adapter JIRA","type":"text"}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1},"content":[{"type":"paragraph","content":[{"type":"hardBreak"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1},"content":[{"type":"paragraph","content":[{"text":"Authentication and authorization support between between SOL002 Adapter and SVFNM","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1},"content":[{"type":"paragraph","content":[{"text":"Authentication and authorization support between between SOL002 Adapter and SVFNM","type":"text"}]},{"type":"bulletList","content":[{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"support of vendor SVNFM authentication and authorization - OAuth2 Token-based only","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"support of SOL002 Adapter authentication and authorization - OAuth2 Token-based only","type":"text"}]}]}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1},"content":[{"type":"paragraph","content":[{"text":"Yes","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1},"content":[{"type":"paragraph","content":[{"text":"Covered by SOL002 Adapter JIRA","type":"text"}]}]}]}]},{"type":"heading","attrs":{"level":2},"content":[{"text":"Communication Security Architecture for SOL005 and SOL003 APIs","type":"text","marks":[{"type":"strong"},{"type":"underline"}]}]},{"type":"bulletList","content":[{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"ONAP ETSI-Alignment API security conforms to ETSI NFV SEC022 Security specification (SEC022 GS).","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Requirement: External NFVO and SVNFM need to validate incoming ETSI package","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"The SOL003/SOL005 Adapters communicate with the SVNFM and the external NFVO via secured HTTPS protocol with a proper authentication and authorization.","type":"text"}]},{"type":"bulletList","content":[{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Support of HTTPs protocol is a must","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"SOL003/SOL005 Adapters provide security mechanism for authentication and authorization.","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"SVNFM/NFVO provide security mechanism for authentication and authorization.","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"authentication federation between the Adapters and the SVNFM/NFVO is under discussion.","type":"text"}]}]}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":" ","type":"text"}]}]}]},{"type":"paragraph","content":[{"type":"hardBreak"}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"High-Level View","type":"text","marks":[{"type":"strong"},{"type":"underline"}]}]},{"type":"paragraph","content":[{"text":"The following diagram depicts a high-level view of ONAP ETSI-Alignment API security.","type":"text","marks":[{"type":"textColor","attrs":{"color":"#003366"}}]}]},{"type":"extension","attrs":{"extensionType":"com.atlassian.confluence.macro.core","extensionKey":"gliffy","parameters":{"macroParams":{"macroId":{"value":"698cf91d-a283-44ee-a8c6-967f41343468"},"name":{"value":"ETSI Secure Communication High-level for Guilin"},"pagePin":{"value":"2"}},"macroMetadata":{"macroId":{"value":"72e982bc-ef6e-4b39-80d4-e374403793bf"},"schemaVersion":{"value":"1"},"placeholder":[{"type":"image","data":{"url":"https://confluence-connect.gliffy.net/diagram/image/placeHolder.png?macroId=698cf91d-a283-44ee-a8c6-967f41343468&name=ETSI+Secure+Communication+High-level+for+Guilin&pagePin=2"}}],"title":"Gliffy Diagram"}}}},{"type":"paragraph","content":[{"type":"hardBreak"}]},{"type":"paragraph","content":[{"type":"hardBreak"}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"Detailed View","type":"text","marks":[{"type":"strong"},{"type":"underline"}]}]},{"type":"extension","attrs":{"extensionType":"com.atlassian.confluence.macro.core","extensionKey":"gliffy","parameters":{"macroParams":{"macroId":{"value":"7cf46312-dd58-4673-a845-35b00e7bb0e1"},"name":{"value":"ETSI Secure Communication for Guilin"},"pagePin":{"value":"4"}},"macroMetadata":{"macroId":{"value":"4eacc711-5234-480b-a2d4-ef66c0a48d35"},"schemaVersion":{"value":"1"},"placeholder":[{"type":"image","data":{"url":"https://confluence-connect.gliffy.net/diagram/image/placeHolder.png?macroId=7cf46312-dd58-4673-a845-35b00e7bb0e1&name=ETSI+Secure+Communication+for+Guilin&pagePin=4"}}],"title":"Gliffy Diagram"}}}},{"type":"paragraph","content":[{"text":" ","type":"text"}]},{"type":"paragraph","content":[{"type":"hardBreak"}]},{"type":"paragraph","content":[{"type":"hardBreak"}]},{"type":"heading","attrs":{"level":2},"content":[{"text":"HTTPS Support","type":"text","marks":[{"type":"strong"},{"type":"underline"}]}]},{"type":"paragraph","content":[{"text":"To secure communications between the SOL003/SOL005 Adapter and SVNFM/NFVO, the communication between them will be done via HTTPS protocol.","type":"text"}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"One-Way TLS configuration ","type":"text","marks":[{"type":"strong"},{"type":"underline"}]}]},{"type":"bulletList","content":[{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"SOL003/SOL005 Adapter","type":"text"}]},{"type":"bulletList","content":[{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"The following parameters can be set to configure the certificate for the Adapters (as the server side).","type":"text"}]},{"type":"bulletList","content":[{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"The values shown below related to the certificate included in the Adapter which has been generated from AAF.","type":"text"}]},{"type":"bulletList","content":[{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"If a different certificate is to be used then these values should be changed accordingly.","type":"text"}]}]}]}]}]}]}]}]}]},{"type":"paragraph","content":[{"text":"server:","type":"text"}]},{"type":"paragraph","content":[{"text":"ssl:","type":"text"}]},{"type":"paragraph","content":[{"text":"key-alias: ","type":"text"},{"text":"so@so.onap.org","type":"text","marks":[{"type":"link","attrs":{"href":"mailto:so@so.onap.org"}}]}]},{"type":"paragraph","content":[{"text":"key-store-password: 'I,re7WWEJR$e]x370wRgx?qE'","type":"text"}]},{"type":"paragraph","content":[{"text":"key-store: classpath:","type":"text"},{"text":"org.onap.so","type":"text","marks":[{"type":"link","attrs":{"href":"http://org.onap.so/"}}]},{"text":".p12","type":"text"}]},{"type":"paragraph","content":[{"text":"key-store-type: PKCS12","type":"text"}]},{"type":"paragraph","content":[{"type":"hardBreak"}]},{"type":"bulletList","content":[{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"The following parameters can be set to configure the trust store for the Adapters (as the client-side)","type":"text"}]},{"type":"bulletList","content":[{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"http:","type":"text"},{"type":"hardBreak"},{"text":"client:","type":"text"},{"type":"hardBreak"},{"text":"ssl:","type":"text"},{"type":"hardBreak"},{"text":"trust-store:","type":"text"},{"text":" ","type":"text"},{"text":"org.onap.so","type":"text","marks":[{"type":"link","attrs":{"href":"http://org.onap.so/"}}]},{"text":".trust.jks","type":"text"},{"type":"hardBreak"},{"text":"trust-store-password: NyRD](z:EJJNIt?},QgM3o7H","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"The values shown above relate to the trust store included in the VNFM adapter jar which has been generated from AAI. If a different trust store is to be used then these values should be changed accordingly.","type":"text"}]}]}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Ensure the Adapter endpoint values for the below parameter uses https instead of http","type":"text"}]}]}]},{"type":"paragraph","content":[{"text":"vnfmadapter: ","type":"text"}]},{"type":"paragraph","content":[{"text":"endpoint:","type":"text"},{"text":" ","type":"text"},{"text":"https://so-vnfm-adapter.onap:9092","type":"text","marks":[{"type":"link","attrs":{"href":"http://so-vnfm-adapter.onap:9092/"}}]},{"text":" (for example)","type":"text"}]},{"type":"paragraph","content":[{"text":"sol005adapter:","type":"text"}]},{"type":"paragraph","content":[{"text":"endpoint: ","type":"text"},{"text":"https://sol005-adapter.onap:9094","type":"text","marks":[{"type":"link","attrs":{"href":"https://sol005-adapter.onap:9094/"}}]},{"text":" (for example)","type":"text"}]},{"type":"bulletList","content":[{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Adapter client needs to configure the following endpoints to use https","type":"text"}]}]}]},{"type":"paragraph","content":[{"text":"so:","type":"text"}]},{"type":"paragraph","content":[{"text":"vnfm:","type":"text"}]},{"type":"paragraph","content":[{"text":"adapter:","type":"text"}]},{"type":"paragraph","content":[{"text":"url: ","type":"text"},{"text":"https://so-vnfm-adapter.onap:9092/so/vnfm-adapter/v1/","type":"text","marks":[{"type":"link","attrs":{"href":"https://so-vnfm-adapter.onap:9092/so/vnfm-adapter/v1/"}}]}]},{"type":"paragraph","content":[{"type":"hardBreak"}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"Two-Way TLS Configuration","type":"text","marks":[{"type":"strong"},{"type":"textColor","attrs":{"color":"#003366"}},{"type":"underline"}]}]},{"type":"bulletList","content":[{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Ensure the value for username and password are empty in the AAI entry for the VNFM ","type":"text"}]},{"type":"bulletList","content":[{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"The VNFM Adapter will use OAuth instead of two way TLS if the username/password is set.","type":"text"}]}]}]}]}]},{"type":"paragraph","content":[{"text":"---------------","type":"text"},{"type":"hardBreak"},{"text":"VNFM adapter","type":"text"},{"type":"hardBreak"},{"text":"---------------","type":"text"},{"type":"hardBreak"},{"text":"Set the following parameter for the VNFM adapter:","type":"text"},{"type":"hardBreak"},{"text":"server:","type":"text"},{"type":"hardBreak"},{"text":" ssl:","type":"text"},{"type":"hardBreak"},{"text":" client-auth: need","type":"text"},{"type":"hardBreak"},{"type":"hardBreak"},{"text":"---------------","type":"text"},{"type":"hardBreak"},{"text":"Adapter Client (e.g., bpmn-infra or any Adapter client):","type":"text"},{"type":"hardBreak"},{"text":"---------------","type":"text"},{"type":"hardBreak"},{"text":"Set the following parameters for adapter client:","type":"text"},{"type":"hardBreak"},{"text":"rest:","type":"text"},{"type":"hardBreak"},{"text":" http:","type":"text"},{"type":"hardBreak"},{"text":" client:","type":"text"},{"type":"hardBreak"},{"text":" configuration:","type":"text"},{"type":"hardBreak"},{"text":" ssl:","type":"text"},{"type":"hardBreak"},{"text":" keyStore: classpath:","type":"text"},{"text":"org.onap.so","type":"text","marks":[{"type":"link","attrs":{"href":"http://org.onap.so/"}}]},{"text":".p12","type":"text"},{"type":"hardBreak"},{"text":" keyStorePassword: 'RLe5ExMWW;Kd6GTSt0WQz;.Y'","type":"text"},{"type":"hardBreak"},{"text":" trustStore: classpath:","type":"text"},{"text":"org.onap.so","type":"text","marks":[{"type":"link","attrs":{"href":"http://org.onap.so/"}}]},{"text":".trust.jks","type":"text"},{"type":"hardBreak"},{"text":" trustStorePassword: '6V%8oSU$,%WbYp3IUe;^mWt4'","type":"text"}]},{"type":"paragraph","content":[{"text":"Ensure the value for the below parameter uses https instead of http","type":"text"},{"type":"hardBreak"},{"text":"so:","type":"text"},{"type":"hardBreak"},{"text":" vnfm:","type":"text"},{"type":"hardBreak"},{"text":" adapter:","type":"text"},{"type":"hardBreak"},{"text":" url:","type":"text"},{"text":" ","type":"text"},{"text":"https://so-vnfm-adapter.onap:9092/so/vnfm-adapter/v1/","type":"text","marks":[{"type":"link","attrs":{"href":"https://so-vnfm-adapter.onap:9092/so/vnfm-adapter/v1/"}}]}]},{"type":"paragraph","content":[{"text":"---------------------------- ","type":"text"},{"type":"hardBreak"},{"text":"VNFM (or VNFM simulator):","type":"text"},{"type":"hardBreak"},{"text":"----------------------------","type":"text"},{"type":"hardBreak"},{"text":"Set the following parameters for the VNFM simulator (if used):","type":"text"},{"type":"hardBreak"},{"text":"server:","type":"text"},{"type":"hardBreak"},{"text":" ssl:","type":"text"},{"type":"hardBreak"},{"text":" client-auth: need","type":"text"},{"type":"hardBreak"},{"text":" request:","type":"text"},{"type":"hardBreak"},{"text":" grant:","type":"text"},{"type":"hardBreak"},{"text":" auth: twowaytls","type":"text"}]},{"type":"paragraph","content":[{"type":"hardBreak"}]},{"type":"heading","attrs":{"level":2},"content":[{"text":"OAuth2 Token-based Authentication","type":"text","marks":[{"type":"strong"},{"type":"underline"}]}]},{"type":"paragraph","content":[{"text":"---------------","type":"text"},{"type":"hardBreak"},{"text":"VNFM adapter:","type":"text"},{"type":"hardBreak"},{"text":"---------------","type":"text"},{"type":"hardBreak"},{"text":"Ensure the value for username and password set set in the AAI entry for the VNFM. The VNFM adapter will use this username/password as the client credentials in the request for a token for the VNFM. The token endpoint","type":"text"},{"type":"hardBreak"},{"text":"for the VNFM will by default will be derived from the service url for the VNFM in AAI as follows: /oauth/token, e.g. if the service url is","type":"text"},{"text":" ","type":"text"},{"text":"https://so-vnfm-simulator.onap/vnflcm/v1","type":"text","marks":[{"type":"link","attrs":{"href":"https://so-vnfm-simulator.onap/vnflcm/v1"}}]},{"text":" ","type":"text"},{"text":"then the token url will","type":"text"},{"type":"hardBreak"},{"text":"be taken to be","type":"text"},{"text":" ","type":"text"},{"text":"https://so-vnfm-simulator.onap/oauth/token","type":"text","marks":[{"type":"link","attrs":{"href":"https://so-vnfm-simulator.onap/oauth/token"}}]},{"text":". This can be overriden using the following parameter for the VNFM adapter:","type":"text"},{"type":"hardBreak"},{"text":"vnfmadapter:","type":"text"},{"type":"hardBreak"},{"text":" temp:","type":"text"},{"type":"hardBreak"},{"text":" vnfm:","type":"text"},{"type":"hardBreak"},{"text":" oauth:","type":"text"},{"type":"hardBreak"},{"text":" endpoint:","type":"text"},{"type":"hardBreak"},{"type":"hardBreak"},{"text":"The VNFM adapter exposes a token point at url: https://:/oauth/token e.g.","type":"text"},{"text":" ","type":"text"},{"text":"https://so-vnfm-adapter.onap:9092/oauth/token","type":"text","marks":[{"type":"link","attrs":{"href":"https://so-vnfm-adapter.onap:9092/oauth/token"}}]},{"text":". The VNFM can request a token from this endpoint for use in grant requests and notifications","type":"text"},{"type":"hardBreak"},{"text":"to the VNFM adapter. The username/password to be used in the token request are passed to the VNFM in a subscription request. The username/password sent by the VNFM adpater in the subscription request can be configuered using the","type":"text"},{"type":"hardBreak"},{"text":"following parameter:","type":"text"},{"type":"hardBreak"},{"text":"vnfmadapter:","type":"text"},{"type":"hardBreak"},{"text":" auth: ","type":"text"},{"type":"hardBreak"},{"text":"where is ':' encoded using","type":"text"},{"text":" ","type":"text"},{"text":"org.onap.so","type":"text","marks":[{"type":"link","attrs":{"href":"http://org.onap.so/"}}]},{"text":".utils.CryptoUtils with the key set by the paramter:","type":"text"},{"type":"hardBreak"},{"text":"mso:","type":"text"},{"type":"hardBreak"},{"text":" key: ","type":"text"},{"type":"hardBreak"},{"text":"The default username:password is vnfm-adapter:123456 when vnfm-adapter.auth is not set.","type":"text"},{"type":"hardBreak"},{"type":"hardBreak"},{"text":"---------------","type":"text"},{"type":"hardBreak"},{"text":"VNFM simulator:","type":"text"},{"type":"hardBreak"},{"text":"---------------","type":"text"},{"type":"hardBreak"},{"text":"Set the following parameters for the simulator:","type":"text"},{"type":"hardBreak"},{"text":"spring:","type":"text"},{"type":"hardBreak"},{"text":" profiles:","type":"text"},{"type":"hardBreak"},{"text":" active: oauth-authentication","type":"text"},{"type":"hardBreak"},{"text":"server:","type":"text"},{"type":"hardBreak"},{"text":" request:","type":"text"},{"type":"hardBreak"},{"text":" grant:","type":"text"},{"type":"hardBreak"},{"text":" auth: oauth","type":"text"},{"type":"hardBreak"},{"type":"hardBreak"},{"text":"==========================================","type":"text"},{"type":"hardBreak"},{"text":"To use basic auth for notifications","type":"text"},{"type":"hardBreak"},{"text":"==========================================","type":"text"},{"type":"hardBreak"},{"text":"The same username/password is used as for oauth token requests as describe above and passed to the VNFM in the subscription request.","type":"text"}]},{"type":"paragraph","content":[{"type":"hardBreak"}]},{"type":"heading","attrs":{"level":2},"content":[{"text":"Authentication and Authorization for the VNFM Adapter and the VNFM","type":"text","marks":[{"type":"strong"},{"type":"underline"}]}]},{"type":"bulletList","content":[{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Leverage AAF for authentication and authorization to secure communications among ONAP components and SVNFM and external NFVO (App-to-App AA). The following is input from AT&T. More to discuss…","type":"text"}]},{"type":"bulletList","content":[{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"OAuth2 is not yet used in ONAP. Start with HTTP Basic Authentication with HTTPS","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Update an application pom file and add properties; i.e., no application code changes?","type":"text"}]},{"type":"bulletList","content":[{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Remove Spring Security as well, as we cannot have both in place","type":"text"}]}]}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"There is no need to use the CADI Rest Client at all","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"The CADI filter can be configured to handle authorization; that is the method AT&T uses, or the application can enforce the authorization. It supports basic URI matching semantics","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Generate certificates by AAF for HTTPS is the current gap.","type":"text"}]}]}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Authentication and Authorization on SOL003 and SOL005 APIs need to be supported.","type":"text"}]},{"type":"bulletList","content":[{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"HTTP Basic Authentication + TLS","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"OAuth2","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Two-way TLS","type":"text"}]}]}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"How does ONAP support vendor-specific SVNFM security (authentication/authorization)? It is under discussion.","type":"text"}]},{"type":"bulletList","content":[{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Security between SOL003/SOL005 and SVNFM/NFVO","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Each SVNFM can use their own security mechanism; i.e., non-AAF based","type":"text"}]}]}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Note:","type":"text"}]},{"type":"bulletList","content":[{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Communications between SOL003/SOL005 Adapter and SVNFM/NFVO must be secured through HTTPS","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"SOL002 Adapter is facing the similar security requirements.","type":"text"}]}]}]}]}]},{"type":"mediaSingle","attrs":{"layout":"align-start","width":70.0},"content":[{"type":"media","attrs":{"width":906,"id":"6f9f2da8-66c3-405c-a91d-f02194359031","collection":"contentId-16415519","type":"file","height":792}}]},{"type":"heading","attrs":{"level":2},"content":[{"text":"AAF-Based Authentication and Authorization","type":"text","marks":[{"type":"strong"},{"type":"textColor","attrs":{"color":"#003366"}},{"type":"underline"}]}]},{"type":"paragraph","content":[{"text":"","type":"text","marks":[{"type":"textColor","attrs":{"color":"#003366"}}]}]},{"type":"paragraph","content":[{"type":"hardBreak"}]}],"version":1}

Browser not supported