...

  • HTTP/S provides the core Encryption whenever it is used, so all AAF Components require HTTP/S at the current protocol standards (currently TLS 1.1+ as of Nov 2016)
    • HTTP/S requires an X.509 certificate on the Server at minimum (in this 1-way mode, a client Certificate is generated)
    • Certificate Manager can generate certificates signed by the AT&T Internal Certificate Authority, which is secure and cost effective if external access is not needed
    • These same certificates can be used to identify the Application during the HTTP/S transaction, making a separate UserID/Password unnecessary for Authentication.
  • Authentication - In order to tie generated certificates to a specific Application Identity, AAF Certificate Manager embeds an Organization MechID AppID in the Subject.  These are created by an AT&T-specific Internal Certificate Authority, which only generates certificates for AAF Certman.  Since AAF Certman automatically validates the Sponsorship of the MechID AppID on each request, the end user can depend on the MechID AppID embedded in the Subject being valid without resorting to external calls or passwords.
    • ex:
  • Authorization - AAF Certman uses AAF's Fine-grained authorizations to ensure that only the right entities perform each function, thus ensuring the integrity of the entire Certificate Process
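The Authentication point above (the relying party trusts the MechID AppID in the Subject only because the Internal CA issues solely to AAF Certman) can be shown as a small check. This is an added illustration, not AAF or CADI code; it assumes the AppID sits in the Subject's CN attribute, that DNs arrive as RFC 4514 strings, and the issuer name is a placeholder for the Internal CA.

```python
"""Added illustration (not AAF/CADI code): derive the Application Identity from a
certificate's Subject instead of from a UserID/Password.

Assumptions (mine, not the page's): the MechID AppID is carried in the Subject CN,
DNs are RFC 4514 strings, and TRUSTED_ISSUER is a placeholder for the AT&T
Internal CA DN, which only issues certificates to AAF Certman.
"""
import re
from typing import Dict, Optional

TRUSTED_ISSUER = "CN=Internal CA PLACEHOLDER,O=AT&T"  # placeholder issuer DN

# Fully qualified MechID AppID, e.g. a123@myapp.onap.org (the page's example).
APPID_RE = re.compile(r"^[A-Za-z0-9_.-]+@([A-Za-z0-9-]+\.)+[A-Za-z0-9-]+$")


def parse_dn(dn: str) -> Dict[str, str]:
    """Split an RFC 4514 DN into {ATTR: value}; honours backslash-escaped commas."""
    pieces, part, escaped = [], [], False
    for ch in dn:
        if escaped:
            part.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == ",":
            pieces.append("".join(part))
            part = []
        else:
            part.append(ch)
    pieces.append("".join(part))
    attrs = {}
    for piece in pieces:
        if "=" not in piece:
            raise ValueError(f"bad RDN: {piece!r}")
        key, value = piece.split("=", 1)
        attrs[key.strip().upper()] = value.strip()
    return attrs


def identity_from_certificate(subject_dn: str, issuer_dn: str) -> Optional[str]:
    """Return the MechID AppID only when the issuer is the trusted Internal CA and
    the Subject CN is a fully qualified AppID; otherwise None, so the caller falls
    back to ordinary authentication or rejects the connection."""
    if parse_dn(issuer_dn) != parse_dn(TRUSTED_ISSUER):
        return None  # any other CA could put arbitrary text in a CN
    cn = parse_dn(subject_dn).get("CN", "")
    return cn if APPID_RE.match(cn) else None


if __name__ == "__main__":
    # Constructed sample Subject, shaped like the page's example AppID.
    subject = "CN=a123@myapp.onap.org,OU=AAF Certman,O=AT&T"
    print(identity_from_certificate(subject, TRUSTED_ISSUER))
```

The issuer comparison is the whole point: a CN that looks like an AppID proves nothing unless the certificate chains to the CA that only Certman can obtain certificates from.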

...

UserID (dgl@openecomp.org): 
Global Login Password: 
MechIDAppID: a123@myapp.onap.org
Machine: xyz.com

...

The majority of the setup is for establishing the Application's Identity in AAF and in the Organization.  This is required to ensure the chain of responsibility from the Certificates to the Sponsor of the MechIDAppID.  If your app already uses AAF, that part can be skipped.  If a MechID AppID is already established as a MechIDAppID/Password, that one should be used.  Do not obtain another one.

  1. Organization-enrolled MechIDAppID, because these are about Applications
  2. AAF Namespace, so we can ensure only the right people may generate a certificate purporting to be that identity

    Steps 1 and 2 are accomplished by following these instructions: OnBoarding

  3. Install CADI (Latest Version) on the boxes where you will use "CMAgent"
    1. Java should be 1.8+ (1.7 still works)
    2. Direct Jar Method - this is the best way to use Certificate Manager Agent... 

...

The App Owner (who should be the Namespace Owner AND the Sponsor of Record of the MechID AppID in Organization Records) follows these instructions: GUI Instructions

...

  • For details on creating roles, adding users to roles, etc., see: Documentation for Namespace Admins
  • You may use your MechIDAppID's password instead of a Deployer's name, but it MUST BE the FULLY QUALIFIED MechID AppID, i.e. a123@myapp.onap.org
  • Step 4: Deploy/Install Certificates

...

Note that the ID used must be a DEPLOYER.  This means it is either the MechID AppID itself (if a User/Password exists for it), or someone with the appropriate AAF Permission granted to them.

...

    • "a123@myapp.onap.org" is the MechID AppID reference to the Artifact
    • "mymachine.domain.att.com" is the fully qualified Machine Name (FQDN), which matches an Artifact in Certificate Manager (see above for creation)
      • See "Templates" below for Special Cases
      • For Automation purposes, CMAgent will try the Java Default for the machine name if none is given on the Command Line. Whether this returns a fully qualified name (FQDN) may depend on setup. Another option for automation (in Linux) may be replacing "mymachine.domain.att.com" with "`uname -n`.domain.att.com"

...

2016-11-11T10:26:49.746-0500: PropertyLocator enabled with https://aafcrl.test.att.com:8150
MechIDAppID:          a123@myapp.onap.org

...

The "Domain" is a special case, used strictly by Dynamic VM creators and similar tools. In this case, the MechID AppID owner specifies that his MechID AppID may be deployed on any machine in a specific domain, such as "*.vmgroup.onap.org". This approval requires a special Organization exception as well as AAF approval, and when accepted, the permission "org.onap.aaf.ca|aaf|domain" is grant
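The machine-name handling in the CMAgent section above (a bare `uname -n` host name versus an FQDN that must match a registered Artifact) and the "Domain" special case here are two sides of the same deploy-time check. The following is an added illustration, not AAF or Certman code; it assumes a domain grant covers exactly one left-most label (the X.509 wildcard convention), and the registry entries and host names are constructed samples.

```python
"""Added illustration (not AAF/Certman code): the machine checks behind
Deploy/Install Certificates, including the "Domain" special case.

Assumptions (mine): "*.vmgroup.onap.org" covers exactly one left-most label, as
an X.509 wildcard would; ARTIFACTS and DOMAIN_GRANTS are constructed samples of
what Certman would hold for one AppID (the AppID is assumed already validated
as fully qualified by the earlier AAF steps).
"""
from typing import Dict, Set, Tuple


def machine_fqdn(name: str, default_domain: str) -> str:
    """Mirror the `uname -n`.domain trick: a bare host name gets the domain
    appended; an already qualified name is returned as-is (lower-cased, no
    trailing dot)."""
    name = name.strip().lower().rstrip(".")
    if "." in name:
        return name
    return f"{name}.{default_domain.strip().lower().strip('.')}"


def matches_domain(fqdn: str, pattern: str) -> bool:
    """'*.vmgroup.onap.org' matches vm17.vmgroup.onap.org, but neither
    a.b.vmgroup.onap.org nor vmgroup.onap.org itself."""
    fqdn, pattern = fqdn.lower(), pattern.lower()
    if pattern.startswith("*."):
        head, sep, tail = fqdn.partition(".")
        return sep == "." and head != "" and tail == pattern[2:]
    return fqdn == pattern


# Constructed sample registry for the page's example AppID.
ARTIFACTS: Dict[str, Set[str]] = {"a123@myapp.onap.org": {"mymachine.domain.att.com"}}
DOMAIN_GRANTS: Dict[str, Set[str]] = {"a123@myapp.onap.org": {"*.vmgroup.onap.org"}}


def may_deploy(appid: str, machine: str,
               artifacts: Dict[str, Set[str]] = ARTIFACTS,
               domain_grants: Dict[str, Set[str]] = DOMAIN_GRANTS) -> Tuple[bool, str]:
    """Decide whether a certificate for `appid` may be placed on `machine`:
    an exact Artifact match first, then any approved domain grant."""
    if machine.lower() in artifacts.get(appid, set()):
        return True, "machine is a registered Artifact"
    for pattern in sorted(domain_grants.get(appid, set())):
        if matches_domain(machine, pattern):
            return True, f"covered by domain grant {pattern}"
    return False, "no Artifact or domain grant for this machine"


if __name__ == "__main__":
    host = machine_fqdn("vm17", "vmgroup.onap.org")
    print(host, may_deploy("a123@myapp.onap.org", host))
```

Keeping the wildcard to a single label is deliberate: a grant for "*.vmgroup.onap.org" should not silently extend to every host under a deeper sub-domain that the Organization exception never reviewed.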

...