...
It is useful to consider the lifecycle of the credentials. This section describes the lifecycle steps considered for the credentials (note that the usage of the credentials is out of scope of credential management):
- Credential Null
  - The security credential does not exist.
- Credential Creation
  - The credentials are created. The means to create the credentials is considered out of scope for ONAP, and an existing credential creation scheme is used.
  - Note: The credentials may be created by a CA (binding an identity to a credential using an X.509v3 certificate).
- Credential Provisioning
  - Provisioning the credentials involves putting the credentials into the ONAP system and ensuring that they are securely stored (e.g. PKCS#11 secure generation and storage of the private key).
- Credential Update
  - The credentials that have been previously provisioned are updated.
- Credential Validation
  - The validation of provisioned credentials to ensure that the credentials are still valid.
- Credential Distribution
  - The distribution of the credentials so that they are accessible to the ONAP functions.
  - Note: this implies no statement on the means to distribute the credentials.
  - Note: For discussion - is (or should) this state be visible in the lifecycle?
- Credential Expiration
  - The credential has expired and is no longer considered valid.
- Credential Revoke
  - The ability to revoke and remove a credential.
2.3 Formal Credential Lifecycle
2.3.1 Credential State Diagram
2.3.2 Credential States
State | Definition |
---|---|
Credential_Null | No credential currently exists. The only valid operation is to create a credential. (The mechanism for creating a credential is out of scope of ONAP.) |
Credential_Created | A credential has been created. The credential is not yet available within ONAP, and cannot be validated. |
Credential_Provisioned | The credential is provisioned into ONAP. The credential can be validated within ONAP. |
Credential_Expired | The credential has expired. Credential validation within ONAP will fail. The credential can be updated. |
Credential_Revoked | The credential has been revoked. Credential validation within ONAP will fail. The credential cannot be updated. |
Credential_Destroyed | Note: Credentials can be copied, and the copy can be presented for validation. Credentials can never be destroyed. |
2.3.3 Credential Operations
Operation | Definition |
---|---|
CREATE | Creates a new credential. Credential creation is external to ONAP. |
Credentials may not be deleted. (Design Note 1). | |
PROVISION | Provisions an existing credential into ONAP. A credential must go through state Credential_Provisioned before it can be used within ONAP. |
UPDATE | Updates an existing credential within ONAP. UPDATE is used to update a credential in state Credential_Expired and return it to state Credential_Provisioned. UPDATE may also be used to update internal parts of a credential. |
VALIDATE | Validates an existing credential. VALIDATE is used to test that a presented credential gives permission for access to a resource within ONAP (e.g. to access an ONAP component, perform an ONAP operation, or access data). |
EXPIRE | Expires an existing credential. EXPIRE may be an implicit operation, as some credentials have a defined lifetime, and will expire automatically. EXPIRE may be an explicit operation, where a specific credential is expired. Credentials in state Credential_Expired may be updated. |
REVOKE | Revokes an existing credential. Once a credential is in state Credential_Revoked there are no valid operations. A new credential is required. |
Design Notes:
- Design Note 1 - this is intended to make explicit that digital credentials may always be re-used, even if they are expired or revoked.
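The state table (2.3.2) and operation table (2.3.3) above describe a small state machine. The following Python is an added example, not code from the original page or from ONAP/AAF: it encodes those states and operations so the rules can be checked (REVOKE is terminal, VALIDATE succeeds only in Credential_Provisioned, UPDATE returns an expired credential to Credential_Provisioned, and there is no delete operation, per Design Note 1). The class and field names (CredentialManager, not_after, version), the injectable clock used to model a credential's defined lifetime, and the choice to also allow UPDATE on a provisioned credential ("update internal parts") are assumptions of this example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import Dict, Optional


class State(Enum):
    """Credential states from section 2.3.2 (Credential_Destroyed is deliberately absent)."""
    NULL = "Credential_Null"
    CREATED = "Credential_Created"
    PROVISIONED = "Credential_Provisioned"
    EXPIRED = "Credential_Expired"
    REVOKED = "Credential_Revoked"


class LifecycleError(Exception):
    """Raised when an operation is not valid in the credential's current state."""


@dataclass
class Credential:
    """Hypothetical credential record; not_after models a defined lifetime (implicit EXPIRE)."""
    credential_id: str
    state: State
    not_after: Optional[datetime] = None
    version: int = 0  # incremented by UPDATE


class CredentialManager:
    """Hypothetical state machine for the operations in 2.3.3. No delete exists (Design Note 1)."""

    def __init__(self, clock=lambda: datetime.now(timezone.utc)):
        self._clock = clock  # injectable so expiry can be exercised deterministically
        self._store: Dict[str, Credential] = {}

    def _get(self, credential_id: str) -> Credential:
        try:
            return self._store[credential_id]
        except KeyError:
            raise LifecycleError(f"{credential_id}: no credential exists (Credential_Null)") from None

    def _apply_implicit_expiry(self, cred: Credential) -> None:
        # Credentials with a defined lifetime expire automatically once it has passed.
        if cred.state is State.PROVISIONED and cred.not_after is not None and self._clock() >= cred.not_after:
            cred.state = State.EXPIRED

    def state_of(self, credential_id: str) -> State:
        cred = self._store.get(credential_id)
        if cred is None:
            return State.NULL
        self._apply_implicit_expiry(cred)
        return cred.state

    def create(self, credential_id: str, not_after: Optional[datetime] = None) -> Credential:
        # CREATE itself is external to ONAP; the manager only records that the credential exists.
        if credential_id in self._store:
            raise LifecycleError(f"{credential_id}: already exists")
        self._store[credential_id] = Credential(credential_id, State.CREATED, not_after)
        return self._store[credential_id]

    def provision(self, credential_id: str) -> Credential:
        cred = self._get(credential_id)
        if cred.state is not State.CREATED:
            raise LifecycleError(f"{credential_id}: PROVISION not valid in {cred.state.value}")
        cred.state = State.PROVISIONED
        return cred

    def update(self, credential_id: str, not_after: Optional[datetime] = None) -> Credential:
        cred = self._get(credential_id)
        self._apply_implicit_expiry(cred)
        # Assumption: UPDATE is valid from Credential_Expired (returning to Provisioned)
        # and from Credential_Provisioned (changing internal parts); nowhere else.
        if cred.state not in (State.EXPIRED, State.PROVISIONED):
            raise LifecycleError(f"{credential_id}: UPDATE not valid in {cred.state.value}")
        if not_after is not None:
            cred.not_after = not_after
        cred.version += 1
        cred.state = State.PROVISIONED
        return cred

    def validate(self, credential_id: str) -> bool:
        # Only a provisioned credential that is neither expired nor revoked grants access.
        return self.state_of(credential_id) is State.PROVISIONED

    def expire(self, credential_id: str) -> Credential:
        cred = self._get(credential_id)  # explicit EXPIRE of a specific credential
        if cred.state is not State.PROVISIONED:
            raise LifecycleError(f"{credential_id}: EXPIRE not valid in {cred.state.value}")
        cred.state = State.EXPIRED
        return cred

    def revoke(self, credential_id: str) -> Credential:
        cred = self._get(credential_id)
        if cred.state is State.REVOKED:
            raise LifecycleError(f"{credential_id}: already revoked; no valid operations remain")
        cred.state = State.REVOKED  # terminal: a new credential is required
        return cred


def run_lifecycle_demo():
    """Drive one constructed credential through the lifecycle; returns (step, state, validate) tuples."""
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)  # constructed timeline
    clock = {"now": t0}
    mgr = CredentialManager(clock=lambda: clock["now"])
    trace = []

    def record(step: str) -> None:
        ok = mgr.validate("cred-1")
        trace.append((step, mgr.state_of("cred-1").value, ok))

    record("null")
    mgr.create("cred-1", not_after=t0 + timedelta(days=30))
    record("create")
    mgr.provision("cred-1")
    record("provision")
    clock["now"] = t0 + timedelta(days=31)  # lifetime has passed: implicit EXPIRE
    record("implicit_expire")
    mgr.update("cred-1", not_after=clock["now"] + timedelta(days=30))
    record("update")
    mgr.revoke("cred-1")
    record("revoke")
    return trace


if __name__ == "__main__":
    for step, state, ok in run_lifecycle_demo():
        print(f"{step:16s} {state:24s} validate={ok}")
```

Running the module prints the trace; the point of the design is that validation never consults anything but the state machine, so an expired or revoked credential that is presented again (which Design Note 1 says can always happen, because credentials can be copied) is refused without the manager needing a destroy operation.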
2.4 Credential Management Input Requirements
The credential management solution considers the following:
- The credential management solution must be able to interact with existing credential creation and validation schemes
...
2.5 ONAP Credential Management Overview
ONAP requires two components to improve the security of credentials used in orchestration.
...
- Work with the AAF team to include this functionality in Release 2. It is important to understand that the AAF solution depends on the CA supporting the SCEP protocol.
- Enhance AAF to provision userIDs & passwords to ONAP instances and VNFs. Most VNFs only support userID/password authentication today. ETSI NFV SEC may issue a spec in the future on a more comprehensive approach to using PKI for NFV which can be visited by ONAP SEC when released. Steve is working on this right now but doesn’t know when he’ll be done.
...
2.6 Recommended approach
...
2.7 Implications to ONAP
Describe what this means to ONAP
...