Hi Sandra,

The self-signed certificates should not be used (they were included early on for local testing and need to be removed).
In R3 the VES collector default configuration (driven from blueprint) is disabled for HTTPS support. But we do have AAF certificates including VES service SANs, and they can be used for custom deployments. The VES blueprint requires changes to enable TLS distribution (and collector configuration to point to TLS distribution). You can find information on TLS support in DCAE deployment here: https://onap.readthedocs.io/en/latest/submodules/dcaegen2.git/docs/sections/tls_enablement.html. Under this deployment the clients can use the AAF root CA for the SSL handshake with VESCollector.

For R4, the plan is to enable mutual cert-based authentication via AAF/CADI; but this has a dependency on the overall ONAP solution for how certificates will be managed within ONAP and externally (xNF). This will need some further discussion with the SEC-COM team in the coming weeks.

Regards,
Vijay

From: Koblosz, Sandra (Nokia - PL/Wroclaw) <sandra.kobl...@nokia.com>
Sent: Friday, November 02, 2018 7:41 AM
To: onap-discuss@lists.onap.org
Cc: VENKATESH KUMAR, VIJAY <vv7...@att.com>; HANSEN, TONY L <t...@att.com>; Darosz, Piotr (Nokia - PL/Wroclaw) <piotr.dar...@nokia.com>; Krysiak, Piotr (Nokia - PL/Wroclaw) <piotr.krys...@nokia.com>
Subject: Expired self-signed certificate in VESCollector keystore #dcaegen2

Hi all,

Recently I needed to test the SSL connection to VESCollector by allowing my Java client to send notifications to VES via HTTPS, but I noticed that an expired self-signed certificate resides in VESCollector's keystore. I wanted to ask the DCAEGEN2 team (mainly Vijay and Tony) if you have any plans regarding replacing the expired certificate with a renewed one, or introducing AAF integration so as to enable using the AAF root CA for clients?
Relevant keystore content attached below:

    usr1@dcae-ves-collector:/opt/app/VESCollector/etc# keytool -list -v -keystore keystore
    Enter keystore password:
    Keystore type: jks
    Keystore provider: SUN

    Your keystore contains 1 entry

    Alias name: tomcat
    Creation date: Oct 20, 2016
    Entry type: PrivateKeyEntry
    Certificate chain length: 1
    Certificate[1]:
    Owner: CN=DCAELOCAL, OU=OPEN-DCAE, O=DCAE, L=Middletown, ST=NJ, C=US
    Issuer: CN=DCAELOCAL, OU=OPEN-DCAE, O=DCAE, L=Middletown, ST=NJ, C=US
    Serial number: 580919e6
    Valid from: Thu Oct 20 19:24:22 UTC 2016 until: Wed Jan 18 19:24:22 UTC 2017

Best regards,
Sandra Koblosz
Software Engineer
MN MANO RD&Pz ONAP-UI-ML DEVOPS WRO 2 SG
Nokia
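The keystore listing above shows the two problems the thread discusses: the certificate has expired, and Owner equals Issuer (self-signed), so a client that trusts only the AAF root CA will never accept it. As an added example that is not from this thread or the DCAE project, the following script parses `keytool -list -v` output and flags both conditions; the sample listing is constructed from the one quoted above, and the function and variable names are the example's own.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional

# Constructed sample: the one-entry JKS listing quoted in the thread.
SAMPLE_KEYTOOL_OUTPUT = """\
Alias name: tomcat
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=DCAELOCAL, OU=OPEN-DCAE, O=DCAE, L=Middletown, ST=NJ, C=US
Issuer: CN=DCAELOCAL, OU=OPEN-DCAE, O=DCAE, L=Middletown, ST=NJ, C=US
Valid from: Thu Oct 20 19:24:22 UTC 2016 until: Wed Jan 18 19:24:22 UTC 2017
"""
@dataclass
class CertEntry:
    alias: str
    owner: str
    issuer: str
    not_after: datetime  # timezone-aware, UTC

def _parse_keytool_date(text: str) -> datetime:
    # keytool prints e.g. "Wed Jan 18 19:24:22 UTC 2017"; drop the zone name
    # and attach UTC explicitly instead of relying on %Z parsing.
    naive = datetime.strptime(text.replace(" UTC ", " "), "%a %b %d %H:%M:%S %Y")
    return naive.replace(tzinfo=timezone.utc)

def parse_keytool_listing(text: str) -> List[CertEntry]:
    # One block per "Alias name:"; re.search picks the leaf's (Certificate[1]) fields first.
    entries = []
    for block in re.split(r"(?m)^Alias name: ", text)[1:]:
        alias = block.splitlines()[0].strip()
        owner = re.search(r"(?m)^Owner: (.+)$", block).group(1).strip()
        issuer = re.search(r"(?m)^Issuer: (.+)$", block).group(1).strip()
        until = re.search(r"(?m)until: (.+)$", block).group(1).strip()
        entries.append(CertEntry(alias, owner, issuer, _parse_keytool_date(until)))
    return entries

def audit_keystore(text: str, now: Optional[datetime] = None) -> List[str]:
    """One finding per problem; an empty list means nothing to flag."""
    now = now or datetime.now(timezone.utc)
    findings = []
    for e in parse_keytool_listing(text):
        if now >= e.not_after:
            findings.append(f"{e.alias}: expired on {e.not_after:%Y-%m-%d}")
        if e.owner == e.issuer:
            findings.append(f"{e.alias}: self-signed; clients trusting only the AAF root CA reject it")
    return findings
```

Run it against `keytool -list -v -keystore <path>` output piped into `audit_keystore`; for the quoted listing it reports both the 2017 expiry and the self-signed entry.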