...

The AAF shiro plugin is preloaded in the APPC docker image along with a sample cadi.properties file.


Enabling AAF security for APPC using two-way certificates

New certificates are available on the master branch to replace the expired one-way SSL certificates.

Heat and other non OOM deployments

  1. Use the files in {need commit here or attach files}
    1. copy the new certificate files into the deployment
       /opt/onap/appc/data/storer
         org.onap.appc.keyfile
         org.onap.appc.p12
         truststoreONAPall.jks

    2. copy the new cadi.properties file
       /opt/onap/appc/data/properties/cadi.properties
  2. edit aaa-app-config.xml

    /opt/opendaylight/current/etc/opendaylight/datastore/initial/config/aaa-app-config.xml

    1. swap the commenting for tokenAuthRealm so that the AAF realm becomes the active one, from

          <main>
              <pair-key>tokenAuthRealm</pair-key>
              <pair-value>org.opendaylight.aaa.shiro.realm.TokenAuthRealm</pair-value>
              <!-- <pair-value>org.onap.aaf.cadi.shiro.AAFRealm</pair-value> -->
          </main>

      To

          <main>
              <pair-key>tokenAuthRealm</pair-key>
              <!-- <pair-value>org.opendaylight.aaa.shiro.realm.TokenAuthRealm</pair-value> -->
              <pair-value>org.onap.aaf.cadi.shiro.AAFRealm</pair-value>
          </main>


    2. swap the role on each URL that is to be secured by AAF, replacing the local ODL role with the AAF permission. NOTE: DO THIS FOR ALL URLS USING authcBasic

              <urls>
                  <pair-key>/**</pair-key>
                  <pair-value>authcBasic, roles[admin]</pair-value>
                  <!-- <pair-value>authcBasic, roles[org.onap.appc.odl|odl-api|*]</pair-value> -->
              </urls>

      To

              <urls>
                  <pair-key>/**</pair-key>
                  <!-- <pair-value>authcBasic, roles[admin]</pair-value> -->
                  <pair-value>authcBasic, roles[org.onap.appc.odl|odl-api|*]</pair-value>
              </urls>


  3. Restart APPC


Due to restart restrictions, the new certificates cannot be used in OOM deployments.

Enabling AAF security for APPC with the old certificates

  1. update cadi.properties with the correct information for your environment.
        /opt/onap/appc/data/properties/cadi.properties

        properties include:

            hostname= usually the machine hostname; should be unique
            aaf_url= AAF instance to connect to
            aaf_id= id used to connect to AAF
            aaf_password= password associated with aaf_id
            cadi_keyfile= keyfile used for password encryption

  2. edit aaa-app-config.xml

        /opt/opendaylight/current/etc/opendaylight/datastore/initial/config/aaa-app-config.xml

    1. swap the commenting for tokenAuthRealm so that the AAF realm becomes the active one, from

          <main>
              <pair-key>tokenAuthRealm</pair-key>
              <pair-value>org.opendaylight.aaa.shiro.realm.TokenAuthRealm</pair-value>
              <!-- <pair-value>org.onap.aaf.cadi.shiro.AAFRealm</pair-value> -->
          </main>

      To

          <main>
              <pair-key>tokenAuthRealm</pair-key>
              <!-- <pair-value>org.opendaylight.aaa.shiro.realm.TokenAuthRealm</pair-value> -->
              <pair-value>org.onap.aaf.cadi.shiro.AAFRealm</pair-value>
          </main>


    2. swap the role on each URL that is to be secured by AAF, replacing the local ODL role with the AAF permission. NOTE: DO THIS FOR ALL URLS USING authcBasic

              <urls>
                  <pair-key>/**</pair-key>
                  <pair-value>authcBasic, roles[admin]</pair-value>
                  <!-- <pair-value>authcBasic, roles[org.onap.appc.odl|odl-api|*]</pair-value> -->
              </urls>

      To

              <urls>
                  <pair-key>/**</pair-key>
                  <!-- <pair-value>authcBasic, roles[admin]</pair-value> -->
                  <pair-value>authcBasic, roles[org.onap.appc.odl|odl-api|*]</pair-value>
              </urls>


    When you save aaa-app-config.xml, Shiro should automatically reload the new configuration; if it does not, you may need to restart APPC.
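As an added check that is not part of the APPC project or of this page, the following Python script parses aaa-app-config.xml and cadi.properties and reports what the steps above can leave behind: a tokenAuthRealm that is still the OpenDaylight realm, an authcBasic URL whose roles[...] entry is still a local role such as admin rather than an AAF permission, and a cadi.properties that is missing any of the five keys listed. It serves both the two-way-certificate procedure and the old-certificate procedure, since they edit the same two files. The XML and properties samples inside it are constructed; the namespace stripping and the "enc:" prefix check are assumptions about the real file formats, not something the page states.

```python
"""Added pre-restart check for an APPC AAF setup (not APPC project code).
Assumes aaa-app-config.xml holds <main>/<urls> elements with one
<pair-key>/<pair-value> pair each, as on the page (an xmlns, if present, is
stripped), that cadi.properties is a plain Java .properties file, and
(assumption) that CADI prefixes keyfile-encrypted passwords with "enc:"."""
import re
import xml.etree.ElementTree as ET

AAF_REALM = "org.onap.aaf.cadi.shiro.AAFRealm"
REQUIRED_CADI_KEYS = ("hostname", "aaf_url", "aaf_id", "aaf_password", "cadi_keyfile")

# Constructed sample: realm switched and "/**" on an AAF permission, but a
# second URL block still carries the local ODL role from the default config.
SAMPLE_XML = """<shiro-configuration>
  <main>
    <pair-key>tokenAuthRealm</pair-key>
    <pair-value>org.onap.aaf.cadi.shiro.AAFRealm</pair-value>
  </main>
  <urls>
    <pair-key>/**</pair-key>
    <pair-value>authcBasic, roles[org.onap.appc.odl|odl-api|*]</pair-value>
  </urls>
  <urls>
    <pair-key>/restconf/**</pair-key>
    <pair-value>authcBasic, roles[admin]</pair-value>
  </urls>
</shiro-configuration>"""

# Constructed sample cadi.properties with placeholder values.
SAMPLE_PROPS = """hostname=appc-node-1
aaf_url=https://aaf.example.test:8100
aaf_id=appc-user@example.test
aaf_password=enc:PLACEHOLDER_ENCRYPTED_VALUE
cadi_keyfile=/opt/onap/appc/data/storer/org.onap.appc.keyfile
"""


def _local(tag):
    """Drop any '{namespace}' prefix so the checks work with or without xmlns."""
    return tag.rsplit("}", 1)[-1]


def parse_pairs(xml_text, section):
    """Return (pair-key, pair-value) tuples from every <section> element."""
    pairs = []
    for el in ET.fromstring(xml_text).iter():
        if _local(el.tag) != section:
            continue
        key = value = None
        for child in el:
            if _local(child.tag) == "pair-key":
                key = (child.text or "").strip()
            elif _local(child.tag) == "pair-value":
                value = (child.text or "").strip()
        if key is not None and value is not None:
            pairs.append((key, value))
    return pairs


def check_shiro_config(xml_text):
    """Report the realm and any authcBasic URL that still uses a local ODL role."""
    problems = []
    realm = dict(parse_pairs(xml_text, "main")).get("tokenAuthRealm")
    if realm != AAF_REALM:
        problems.append(f"tokenAuthRealm is {realm!r}, expected {AAF_REALM}")
    for path, chain in parse_pairs(xml_text, "urls"):
        if "authcBasic" not in chain:
            continue  # the page only asks for authcBasic URLs to be switched
        m = re.search(r"roles\[([^\]]*)\]", chain)
        if m is None:
            problems.append(f"{path}: authcBasic without a roles[...] filter")
        elif "|" not in m.group(1):  # AAF permissions are type|instance|action
            problems.append(f"{path}: still uses local role {m.group(1)!r}, not an AAF permission")
    return problems


def parse_properties(text):
    """Minimal Java .properties reader: key=value or key:value, # and ! comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)", line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props


def check_cadi_properties(text):
    """Report missing keys and a password that does not look keyfile-encrypted."""
    props = parse_properties(text)
    problems = [f"missing or empty {k}" for k in REQUIRED_CADI_KEYS if not props.get(k)]
    pw = props.get("aaf_password", "")
    if pw and not pw.startswith("enc:"):  # assumed CADI encrypted-value prefix
        problems.append("aaf_password does not look keyfile-encrypted (no 'enc:' prefix)")
    return problems


if __name__ == "__main__":
    # Runs against the constructed samples; point it at the real files to use it.
    for finding in check_shiro_config(SAMPLE_XML) + check_cadi_properties(SAMPLE_PROPS):
        print("PROBLEM:", finding)
```

Run with no arguments it exercises the embedded samples and reports the leftover roles[admin] entry; replacing the two sample strings with the contents of the files under /opt/onap/appc/data/properties and /opt/opendaylight/current/etc/opendaylight/datastore/initial/config lets it run before the restart, which is cheaper than discovering a URL that still bypasses AAF after APPC is back up.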

Customization

The permissions used to secure urls can be customized.

...