Introduction

NSP user authentication modes

The NSP supports local user authentication, and authentication using external authentication agents such as RADIUS, LDAP/S, and TACACS+ servers. Windows Active Directory is also supported.

The NSP can be deployed in one of the following user authentication modes:

An NSP system in either mode includes configurable mechanisms that guard against unwanted system access by maintaining strict control over repeated login attempts. See OAUTH2 login protection and CAS login protection for information.

OAUTH2 mode also supports the forwarding of user activity log events, as described in OAUTH2 user activity logging.

See Configuring Single-Sign-On (SSO) for specific OAUTH2 and CAS configuration information.

Note: You must use CAS authentication if the NSP deployment includes the WS-NOC.

Migrating from CAS to OAUTH2

Because CAS authentication is to be removed in a future NSP release, if you currently use CAS, it is strongly recommended that you migrate from CAS to OAUTH2. See To migrate from CAS to OAUTH2 NSP user authentication for information.

Kafka user authentication

The NSP Kafka subsystem reports events to internal clients and systems, for example, the NFM-P, and to external clients, such as OSS subscribers. The internal and external Kafka communication is secured using TLS.

Kafka authentication for internal and external clients is configurable in the nsp > modules > nspos > kafka section of the NSP configuration file.

The following parameter in the NSP configuration file enables or disables support for deprecated TLS versions:

External Kafka client user authentication

If an NSP system is in OAUTH2 mode and uses separate interfaces for client and internal communication, you can enable NSP OAUTH2 user authentication for the external Kafka clients.

The following parameter in the NSP configuration file enables or disables the support:

Internal Kafka client authentication

Kafka authentication for internal clients is based on two-way mTLS, rather than NSP user credentials.

The following parameter in the NSP configuration file enables or disables the support:

An NFM-P shared-mode system supports internal Kafka client authentication. The authentication is configured using the samconfig utility on a main server, as described in the NFM-P deployment procedures. See NFM-P installation for mTLS configuration information.

The following parameter in the NSP configuration file enables or disables the support: