...
For ONAP_Component credentials, two use cases are described here:
1. Provisioning the credentials
<< insert here >>
2. Retrieving the credentials to use for internal communication
<< Insert here >>
1. Certificate Authority Instance creation : This is normally required only once per ONAP deployment.
Steps are given below:
- Administrator user creates a CA instance by providing details such as the following to the CA Service:
- Subject name to use on the self-signed CA certificate
- PKCS11 slot ID and key ID to use (in case of PKCS11-based hardware protection of the CA private key)
- Public key algorithm
- In case of RSA, key size
- In case of ECDSA, curve
- Hash algorithm and key size
- Validity time of the CA certificate
- Whether to create a token backend. If a token backend is needed, the lifetime and usage count of tokens must be supplied.
- Returns:
- Token request URL
- Certificate request URL
- CA certificate
- Administrator user also creates policy rules to apply to user certificate requests, with information such as:
- Subject name prefix the CA instance should accept.
- Signing algorithm and key sizes or curves that are acceptable.
- Hash algorithm and key sizes that are acceptable.
- MAC addresses it should accept in the subject name.
- Whether to verify that the MAC address in the subject name of the PKCS10 request matches the MAC address of the VM/container.
- Check for valid token (Yes/No).
- Validity time of the issued certificate.
2. Certificate request - creation of credentials required for secure communication : This normally occurs when a service (e.g. a Java application service) is started or when certificate renewal is due.
Steps are given below:
- The Java application gets the CA URL, token and subject name prefix to be used via environment variables in the case of containers, or via cloud-init user data in the case of VMs.
- The Certificate Credential Client agent is called by the application during its startup to create a key pair and get the certificate signed by the CA, passing the CA URL and token information.
- The Certificate Credential agent does the following:
- If an existing certificate and private key are present and still valid, it returns to the application immediately. Otherwise it:
- Generates an ECDSA key pair.
- Creates a PKCS10 request with subject name prefix + MAC address as the Common Name of the subject.
- Sends the PKCS10 request and token to the CA.
- Gets the X.509 v3 certificate from the CA.
- Stores the certificate in the file system.
- Returns the private key handle, slot ID and path to the certificate.
- The Certificate Credential agent informs the application that the credentials have been acquired.
- The application then configures its TLS service with the CA certificate and subject prefix in order to validate incoming requests.
- If the application makes a TLS connection to another service, it uses the enrolled certificate and private key handle when creating the TLS endpoint.
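The two procedures above (CA instance with its policy rules, then agent enrolment against it) as an added Go example. This is not ONAP code; the names Policy, CA.Sign, Agent.Enrol and the sample prefix, MAC and token values are this example's own assumptions. The CA key is held in memory in place of a PKCS#11 slot, and the MAC address the CA would learn from the VM/container platform is simply passed in as a parameter, since how it is learned is not described on this page.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"strings"
	"time"
)

// Policy holds the rules an administrator attaches to a CA instance (field names are this example's own, not ONAP's).
type Policy struct {
	SubjectPrefix string          // prefix the CA accepts in the CSR Common Name
	AllowedMACs   map[string]bool // MAC addresses accepted in the subject name
	CheckToken    bool            // require a valid, unexhausted token
	Validity      time.Duration   // lifetime of issued certificates
}

// CA is one CA instance: a self-signed root plus the policy it enforces.
type CA struct {
	Cert   *x509.Certificate
	key    *ecdsa.PrivateKey // in-memory stand-in for a PKCS#11-held CA key
	policy Policy
	tokens map[string]int // token -> remaining usage count
}

// NewCA creates the self-signed CA certificate, normally once per deployment.
func NewCA(subject string, p Policy, tokens map[string]int) (*CA, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { return nil, err }
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: subject},
		NotBefore: time.Now(), NotAfter: time.Now().Add(10 * 365 * 24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil { return nil, err }
	cert, err := x509.ParseCertificate(der)
	if err != nil { return nil, err }
	return &CA{Cert: cert, key: key, policy: p, tokens: tokens}, nil
}

// Sign checks a PKCS#10 request against the policy and returns a DER X.509 v3 certificate.
// vmMAC is the MAC the CA learned from the platform; that step is assumed here and passed in.
func (ca *CA) Sign(csrDER []byte, token, vmMAC string) ([]byte, error) {
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil { return nil, err }
	if err := csr.CheckSignature(); err != nil { return nil, err } // proof of possession
	cn := csr.Subject.CommonName
	mac := strings.TrimPrefix(cn, ca.policy.SubjectPrefix)
	if !strings.HasPrefix(cn, ca.policy.SubjectPrefix) || mac != vmMAC || !ca.policy.AllowedMACs[mac] {
		return nil, errors.New("subject name prefix or MAC address not accepted")
	}
	pub, ok := csr.PublicKey.(*ecdsa.PublicKey)
	if !ok || pub.Curve != elliptic.P256() { // only ECDSA on P-256 is accepted here
		return nil, errors.New("public key algorithm or curve not accepted")
	}
	if ca.policy.CheckToken {
		if ca.tokens[token] <= 0 { return nil, errors.New("invalid or exhausted token") }
		ca.tokens[token]-- // each issuance counts against the token's usage count
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 127))
	if err != nil { return nil, err }
	tmpl := &x509.Certificate{
		SerialNumber: serial, Subject: csr.Subject,
		NotBefore: time.Now(), NotAfter: time.Now().Add(ca.policy.Validity),
		KeyUsage: x509.KeyUsageDigitalSignature,
	}
	return x509.CreateCertificate(rand.Reader, tmpl, ca.Cert, pub, ca.key)
}

// Agent plays the Certificate Credential Client agent: reuse a valid credential, otherwise enrol a fresh ECDSA key.
type Agent struct {
	Key  *ecdsa.PrivateKey // stands in for the private key handle and PKCS#11 slot
	Cert *x509.Certificate // what would be written to the file system
}

// Enrol returns the credential and whether a new enrolment took place.
func (a *Agent) Enrol(ca *CA, prefix, mac, token string) (*x509.Certificate, bool, error) {
	if a.Key != nil && a.Cert != nil && time.Now().Before(a.Cert.NotAfter) {
		return a.Cert, false, nil // existing credential still valid: return immediately
	}
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { return nil, false, err }
	csrDER, err := x509.CreateCertificateRequest(rand.Reader,
		&x509.CertificateRequest{Subject: pkix.Name{CommonName: prefix + mac}}, key) // CN = prefix + MAC
	if err != nil { return nil, false, err }
	certDER, err := ca.Sign(csrDER, token, mac)
	if err != nil { return nil, false, err }
	cert, err := x509.ParseCertificate(certDER)
	if err != nil { return nil, false, err }
	a.Key, a.Cert = key, cert
	return cert, true, nil
}
```

The policy checks run before the token is consumed, so a request with a rejected prefix or MAC does not use up a token; the agent only contacts the CA when it holds no still-valid credential, which is the renewal-due case from the flow above.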
For ONAP_Foreign credentials:
...
- The solution MUST support credential management and MUST NOT be tied to any particular credential management scheme.
- The solution MUST allow Service Design and Creation to validate the package from a security perspective.
6. ONAP known vulnerability management
...
- Informing projects of the actions they have to take at the release milestones.
...
7 (tmp) input to the S3P (carrier grade) discussions from a security perspective
...