Hi, Rich,

Where you put the CA cert is implementation specific – those locations sound 
reasonable.  You do not need to request a client-only certificate, but your 
service might need to request a server certificate.

Thanks,
jimmy

From: "TABEDZKI, RICHARD" <[email protected]>
Date: Wednesday, May 2, 2018 at 10:13 AM
To: "FORSYTH, JAMES" <[email protected]>, "[email protected]" 
<[email protected]>
Cc: HARISH V KAJUR <[email protected]>, "GATHMAN, JONATHAN C" <[email protected]>
Subject: RE: AAI using new certificate in Beijing

Jim,

Is it enough then to place AAF_RootCA.cer in /etc/ssl/certs and import 
truststoreONAP.p12 to /etc/ssl/certs/java/cacerts, or does each application still 
need to request Application Client-Only and Application client certificates?

Thanks,
Rich

From: [email protected] <[email protected]> 
On Behalf Of FORSYTH, JAMES
Sent: Wednesday, April 18, 2018 1:03 PM
To: [email protected]
Cc: KAJUR, HARISH V <[email protected]>; GATHMAN, JONATHAN C <[email protected]>
Subject: Re: [onap-discuss] AAI using new certificate in Beijing

AAI clients:

Just a reminder that AAI will be changing its server certificate tomorrow at 
the end of the day – you will need to take action to include the AAF root 
certificate in your trust store.

Instructions are here, including keystore files that have been modified to 
include the AAF root:

https://wiki.onap.org/display/DW/AAF+Environment+-+Beijing

The integration team is aware of this change and will hopefully be able to 
patch applications that do not update their trustStores, but if you care at all 
about Brian and Marco’s sanity, please update your artifacts in advance 😊

Thanks,
jimmy

From: "FORSYTH, JAMES" <[email protected]>
Date: Monday, April 16, 2018 at 4:43 PM
To: "[email protected]" <[email protected]>
Subject: AAI using new certificate in Beijing

Hi, Everyone,

AAI will be replacing its openecomp signed certificate with a new one signed by 
AAF.

https://wiki.onap.org/display/DW/AAF+Environment+-+Beijing#AAFEnvironment-Beijing-RootCertificate.1

has a link to the AAF root certificate which signed the AAI cert.

AAI’s certificate is issued by: CN=intermediateCA_1, OU=OSAAF, O=ONAP, C=US, 
which is issued by: C=US, O=ONAP, OU=OSAAF

AAI clients – please let me know if you will have issues importing the AAF root 
certificate into your trustStore.  The current plan is to switch the AAI server 
certificates to the new ones signed by AAF at RC0 (this Thursday).

Thanks,
jimmy
_______________________________________________
onap-discuss mailing list
[email protected]
https://lists.onap.org/mailman/listinfo/onap-discuss
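
What the thread asks of AAI clients, shown with a throwaway chain (an added example, not part of the original messages or of ONAP's tooling): a client whose trust bundle lacks the new root rejects the server's chain, and accepts it once the root is appended. It assumes the `openssl` CLI is installed; all keys and certificates are constructed, and `old_root`, `aai.example.invalid` and the function names are hypothetical.

```sh
#!/bin/sh
# Constructed demo: throwaway keys and certificates. Only the subject names
# mirror the chain quoted in the thread; nothing here is real AAF material.
set -eu

# issue DIR NAME SUBJECT ca|leaf [ISSUER]; with no ISSUER the cert is self-signed.
issue() {
  if [ "$4" = ca ]; then
    printf 'basicConstraints=critical,CA:TRUE\n' > "$1/$2.ext"
  else
    printf 'basicConstraints=CA:FALSE\n' > "$1/$2.ext"
  fi
  openssl req -new -newkey rsa:2048 -nodes -subj "$3" \
    -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null
  if [ -z "${5:-}" ]; then
    openssl x509 -req -in "$1/$2.csr" -signkey "$1/$2.key" -days 1 \
      -extfile "$1/$2.ext" -out "$1/$2.pem" 2>/dev/null
  else
    openssl x509 -req -in "$1/$2.csr" -CA "$1/$5.pem" -CAkey "$1/$5.key" \
      -CAcreateserial -days 1 -extfile "$1/$2.ext" -out "$1/$2.pem" 2>/dev/null
  fi
}

# Build: old_root (stand-in for the previous signer), root -> inter -> aai.
make_chain() {
  issue "$1" old_root "/O=Constructed Old CA" ca
  issue "$1" root "/C=US/O=ONAP/OU=OSAAF" ca
  issue "$1" inter "/C=US/O=ONAP/OU=OSAAF/CN=intermediateCA_1" ca root
  issue "$1" aai "/CN=aai.example.invalid" leaf inter
}

# trusts_server BUNDLE DIR: succeeds only if BUNDLE anchors the chain that the
# server presents (its own certificate plus the intermediate).
trusts_server() {
  openssl verify -CAfile "$1" -untrusted "$2/inter.pem" "$2/aai.pem" >/dev/null 2>&1
}

demo() {
  work=$(mktemp -d)
  make_chain "$work"
  cp "$work/old_root.pem" "$work/truststore.pem"      # client not yet updated
  if trusts_server "$work/truststore.pem" "$work"; then echo "before: trusted"
  else echo "before: rejected, issuer not in trust store"; fi
  cat "$work/root.pem" >> "$work/truststore.pem"      # add the new root
  if trusts_server "$work/truststore.pem" "$work"; then echo "after: trusted"
  else echo "after: rejected"; fi
  rm -rf "$work"
}
demo
```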
