
...

  • HTTP/S provides the core encryption wherever it is used, so all AAF Components require HTTP/S at the current protocol standards (TLS 1.1+ as of Nov 2016)
    • HTTP/S requires X.509 certificates on the Server at a minimum (in this one-way mode, a client Certificate is generated)
    • Certificate Manager can generate certificates signed by the AT&T Internal Certificate Authority, which is secure and cost-effective if external access is not needed
    • These same certificates can be used to identify the Application during the HTTP/S transaction, making a separate UserID/Password unnecessary for Authentication.
  • Authentication - To tie generated certificates to a specific Application Identity, AAF Certificate Manager embeds a CSO Organization MechID in the Subject.  These certificates are created by an AT&T-specific Internal Certificate Authority, which generates certificates only for AAF Certman.  Since AAF Certman automatically validates the Sponsorship of the MechID on each request, the end user can depend on the mechID embedded in the Subject being valid without resorting to external calls or passwords.
    • ex:
  • Authorization - AAF Certman uses AAF's fine-grained authorizations to ensure that only the right entities perform functions, thus ensuring the integrity of the entire Certificate Process
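The trust argument above, as an added Go example (not AAF's or Certman's own code): a hypothetical internal CA and a leaf certificate are built in memory, and the MechID is read from the Subject only when the certificate chains to that CA; a self-signed certificate claiming the same Subject is rejected. Assumptions: the MechID is the Subject CN, and the CA name, the MechID "m12345" and the OU are constructed sample values.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// must panics on error; acceptable because every call here builds in-memory sample data.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}
// newCert signs tmpl with parent, or self-signs it when parent is nil, and returns the cert and its key.
func newCert(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey))
	return must(x509.ParseCertificate(der)), key
}
// MechIDFromCert returns the identity in the Subject CN only after the certificate chains to the trusted
// internal CA and is valid for client auth. Assumption: the MechID is the CN (the page says only "Subject").
func MechIDFromCert(leaf *x509.Certificate, roots *x509.CertPool) (string, error) {
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := leaf.Verify(opts); err != nil {
		return "", err // untrusted issuer: nothing in the Subject may be believed
	}
	return leaf.Subject.CommonName, nil
}
// BuildDemo builds, in memory, a hypothetical internal CA, a leaf it issued for the constructed
// MechID "m12345", and a rogue self-signed cert that claims the same Subject (all sample data).
func BuildDemo() (roots *x509.CertPool, issued, rogue *x509.Certificate) {
	ca, caKey := newCert(&x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Internal CA"},
		NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour), IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}, nil, nil)
	leafTmpl := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "m12345", OrganizationalUnit: []string{"AAF"}},
		NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour), ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	issued, _ = newCert(leafTmpl, ca, caKey)
	rogue, _ = newCert(leafTmpl, nil, nil) // same Subject, but no trusted CA signed it
	roots = x509.NewCertPool()
	roots.AddCert(ca)
	return
}
```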

...

The majority of the setup is for establishing the Application's Identity in AAF and CSO Organization.  This is required to ensure the chain of responsibility from the Certificates to the Sponsor of the MechID.  If your app already uses AAF, that part can be skipped.  If a MechID is already established for MechID/Password, that one should be used; do not obtain another one.

  1. CSO Organization enrolled MechID, because these are about Applications
  2. AAF Namespace, so we can ensure only the right people may generate a certificate purporting to be that identity

    Steps 1 and 2 are accomplished by following these instructions: OnBoarding

  3. Install CADI (Latest Version) on boxes where you will use "CMAgent"
    1. Java should be 1.8+ (1.7 still works)
    2. Direct Jar Method - this is the best way to use Certificate Manager Agent... 

...

The App Owner (who should be the Namespace Owner AND the Sponsor of Record of the MechID in CSO Organization records) follows these instructions: GUI Instructions

...

Java 1.7+ (must be at least JDK 1.7, because communications use TLS 1.1+ per CSO Organization Requirement, and JDK 1.6 does not natively support it.)

...

Special Cases - Templates

Note: CSO Organization no longer requires special exceptions for SANs.  You may add them in your Artifact at creation time.

...

The "Domain" is a special case, used strictly by Dynamic VM creators and similar tools. In this case, the MechID owner specifies that his MechID may be deployed on any host in a specific domain, such as "*.vmgroup.onap.org". This approval requires a special CSO Organization exception as well as AAF approval, and when accepted, the permission "org.onap.aaf.ca|aaf|domain" is grant

...