Overview

OAUTH2 user authentication

The NSP employs OAUTH2 user authentication, which is based on Keycloak open-source identity and access management using the OAuth 2.0 protocol.

OAUTH2 supports local user authentication, and authentication using external authentication agents such as RADIUS, LDAP/S, and TACACS+ servers. Windows Active Directory is also supported.

NSP user authentication includes configurable mechanisms that guard against unwanted system access by maintaining strict control over repeated login attempts. See NSP login protection for information.

The NSP also supports the forwarding of user activity log events, as described in NSP user activity logging.

See Configuring single sign-on for specific OAUTH2 configuration information.

Migrating from CAS to OAUTH2

Because CAS authentication is to be removed in an upcoming NSP release, if you currently use CAS, it is strongly recommended that you migrate from CAS to OAUTH2. See To migrate from CAS to OAUTH2 NSP user authentication for information.

Note: The WS-NOC supports only the deprecated CAS authentication mode.

Kafka user authentication

The NSP Kafka subsystem reports events to internal clients and systems, for example, the NFM-P, and to external clients, such as OSS subscribers. The internal and external Kafka communication is secured using TLS.

Kafka authentication for internal and external clients is configurable in the nspmodulesnsposkafka section of the NSP configuration file.

The following parameter in the NSP configuration file enables or disables support for the deprecated TLS versions:

External Kafka client user authentication

If an NSP system uses separate interfaces for client and internal communication, you can enable NSP user authentication for the external Kafka clients.

The following parameter in the NSP configuration file enables or disables the support:

Internal Kafka client authentication

Kafka authentication for internal clients is based on mutual TLS (mTLS), rather than NSP user credentials.

The following parameter in the NSP configuration file enables or disables the support:

The NFM-P also supports internal Kafka client authentication, which you enable using the samconfig utility on a main server, as described in the NFM-P deployment procedures. See NFM-P installation for mTLS configuration information.

The following parameter in the NSP configuration file enables or disables the support: