Comment: Update to the credential management

...

2 ONAP Credential Management.

 Status: Draft

2.1 Credentials to be managed

Credentials may be certificates, passwords and the like.  These need to be managed through the entire lifecycle.  The types of credentials that need to be managed are:

    • Credentials for ONAP users to access ONAP.  These are referred to as Type A credentials.
    • Credentials for ONAP to communicate to other ONAP components.  These are referred to as Type B credentials.
      • Note: This includes credentials for VNF SDK to package the artefacts onboarded into SDC.
    • Credentials for ONAP to communicate with other systems.  These are referred to as Type C credentials.
      • As an example, if ONAP is to communicate to an external SDN controller or a cloud infrastructure, these need to be managed.

2.2 Credential Lifecycle


It is useful to consider the lifecycle of the credentials.  This section describes the lifecycle steps considered for the credentials (note that the usage of the credentials is out of scope of credential management):

  • Credential Creation
    • The credentials are created.  The means to create the credentials is considered out of scope for ONAP, and an existing credential creation scheme is used.
  • Credential Provisioning 
    • Provisioning the credentials involves putting the credentials into the ONAP system, ensuring that they are securely stored.
  • Credential Update 
    • The credentials that have been previously provisioned are updated. 
  • Credential Validation 
    • The validation of provisioned credentials to ensure that the credentials are still valid. 
  • Credential Distribution 
    • The distribution of the credentials so that they are accessible to the ONAP functions.
      Note: this implies no statement on the means to distribute the credentials. 
  • Credential Revoke
    • The ability to revoke and remove a credential 

2.3 Credential Management Input Requirements

The credential management solution considers the following:

  • The credential management solution must be able to interact with existing credential creation and validation schemes
  • The credential management solution must be able to interact with certificate authorities selected by the ONAP operator. 

2.4 ONAP Credential Management Overview

ONAP requires two components to improve the security of credentials used in orchestration.

...

    • Work with the AAF team to include this functionality in Release 2. It is important to understand that the AAF solution depends on the CA supporting the SCEP protocol.
    • Enhance AAF to provision userIDs & passwords to ONAP instances and VNFs. Most VNFs only support userID/password authentication today. ETSI NFV SEC may issue a spec in the future on a more comprehensive approach to using PKI for NFV which can be visited by ONAP SEC when released. Steve is working on this right now but doesn’t know when he’ll be done.

2.2 Credential Lifecycle

The lifecycle of the credentials is:

  • Provisioning Credentials
    • Provisioning the credentials involves putting the credentials into the ONAP system, ensuring that they are securely stored.
  • Updating Credentials
  • Validating Credentials
  • Distributing Credentials
  • Removing Credentials

(Note:  A description of the above is required)

Question:

...

    • .


2.3 Recommended approach


2.4 Implications to the ONAP

...