
...

    • Credentials for ONAP users to access ONAP. These are referred to as ONAP_User credentials.
    • Credentials for using the APIs exposed by ONAP. These are referred to as ONAP_ExtAPI credentials.
    • Credentials for ONAP components to communicate with other ONAP components. These are referred to as ONAP_Component credentials.
      • Note: This includes the credentials used by VNF SDK to package the artefacts onboarded into SDC.
    • Credentials for ONAP to communicate with other systems. These are referred to as ONAP_Foreign credentials.
      • As an example, if ONAP is to communicate with an external SDN controller or a cloud infrastructure, the credentials for that system need to be managed.

2.2 Credential

...

It is useful to consider the lifecycle of the credentials. This section describes the lifecycle steps considered for the credentials (note that the usage of the credentials is out of scope of credential management):

<< Remove this section, keep red text, but in implementation close section >>

  • Credential Null
    • The security credential does not exist.
  • Credential Creation
    • The credentials are created. The means to create the credentials is considered out of scope for ONAP; an existing credential creation scheme is used.
      Note: The credentials may be created by a CA.
  • Credential Provisioning
    • Provisioning the credentials involves putting the credentials into the ONAP system and ensuring that they are securely stored (e.g. PKCS#11 secure generation and storage of private keys).
  • Credential Update
    • The credentials that have been previously provisioned are updated.
  • Credential Validation
    • The validation of provisioned credentials to ensure that the credentials are still valid.
  • Credential Distribution
    • The distribution of the credentials so that they are accessible to the ONAP functions.
      Note: this implies no statement on the means to distribute the credentials.
    • Note: For discussion - is (or should) this state be visible in the lifecycle?
  • Credential Expiration
    • The credential has expired and is no longer considered valid.
  • Credential Revoke
    • The ability to revoke and remove a credential.

2.3 Credential Management Requirements

The credential management solution considers the following:

General Requirements

  • The credential management solution MUST be able to interact with existing credential creation and validation schemes
  • (PKCS#11 secure generation and storage of private keys)
  • (binding an identity to a credential using an X.509v3 certificate)

<< Insert section here for each credential type >>

2.4 Formal Credential Lifecycle

...

Management Requirements

The credential management solution considers the following:

General Requirements

  • The credential management solution MUST be able to interact with existing credential creation and validation schemes
  • The following types of certificates SHOULD be supported by ONAP:
    • a, b, c, ... 
  • (PKCS#11 secure generation and storage of private keys)
  • (binding an identity to a credential using an X.509v3 certificate)

Requirements for ONAP_User credentials:

  • ONAP MUST support ONAP_User credentials of type user-ID and password
  • ONAP SHOULD support ONAP_User credentials as certificates

Requirements for ONAP_ExtAPI credentials:

  • ONAP MUST support ONAP_ExtAPI credentials of type user-ID and password
  • ONAP MUST support ONAP_ExtAPI credentials as certificates


Requirements for ONAP_Component credentials:

  • ONAP MUST support ONAP_Component credentials of type user-ID and password
  • ONAP MUST support ONAP_Component credentials as certificates
  • ONAP components SHOULD use certificate-based credentials for communication with other ONAP components. User-ID and password is a fallback for components that do not support certificates.

Requirements for ONAP_Foreign credentials:

  • ONAP MUST support ONAP_Foreign credentials of type user-ID and password
  • ONAP MUST support ONAP_Foreign credentials as certificates



2.3 Credential Lifecycle

2.3.1 Credential State Diagram

<<<<<Comment: Remove "external to ONAP" and "ONAP operations". Add descriptive text on who the owning authority of the credential is (external, or ONAP) >>>


...

3.2 Credential States

State                  | Definition
-----------------------|------------------------------------------------------------
Credential_Null        | No credential currently exists. The only valid operation is to create a credential. (The mechanism for creating a credential is out of scope of ONAP.)
Credential_Created     | A credential has been created. The credential is not yet available within ONAP, and cannot be validated.
Credential_Provisioned | The credential is provisioned into ONAP. The credential can be validated within ONAP.
Credential_Expired     | The credential has expired. Credential validation within ONAP will fail. The credential can be updated.
Credential_Revoked     | The credential has been revoked. Credential validation within ONAP will fail. The credential cannot be updated.
Credential_Destroyed   | Note: Credentials can be copied, and the copy can be presented for validation. Credentials can never be destroyed, so this state is not reachable.


...

3.3 Credential Operations

Operation | Definition
----------|------------------------------------------------------------------------
CREATE    | Creates a new credential. Credential creation is external to ONAP.
DELETE    | Credentials may not be deleted. (Design Note 1).
PROVISION | Provisions an existing credential into ONAP. A credential must go through state Credential_Provisioned before it can be used within ONAP.
UPDATE    | Updates an existing credential within ONAP. UPDATE is used to update a credential in state Credential_Expired and return it to state Credential_Provisioned. UPDATE may also be used to update internal parts of a credential.
VALIDATE  | Validates an existing credential. VALIDATE is used to test that a presented credential gives permission for access to a resource within ONAP (e.g. to access an ONAP component, perform an ONAP operation, or access data).
EXPIRE    | Expires an existing credential. EXPIRE may be an implicit operation, as some credentials have a defined lifetime and will expire automatically. EXPIRE may be an explicit operation, where a specific credential is expired. Credentials in state Credential_Expired may be updated.
REVOKE    | Revokes an existing credential. Once a credential is in state Credential_Revoked there are no valid operations. A new credential is required.

...

  • Design Note 1 - this is intended to make explicit that digital credentials may always be copied and re-presented, even if they are expired or revoked, so "deleting" a credential gives no security guarantee.
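The following Python sketch is an added worked example (not ONAP code) that encodes the state and operation tables above as a transition table and enforces them: an operation is only accepted from the states the table allows, DELETE is rejected outright (Design Note 1), a credential whose lifetime has passed is expired implicitly on VALIDATE, and an expired credential can be renewed with UPDATE while a revoked one cannot. The class and function names, the `not_after` lifetime attribute, and the choice to allow REVOKE from Credential_Created are assumptions of this example, not statements of the document.

```python
"""Credential lifecycle state machine following the ONAP state and operation tables.
Example code, not ONAP's implementation; see the lead-in for what is assumed."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import Optional


class State(Enum):
    NULL = "Credential_Null"
    CREATED = "Credential_Created"
    PROVISIONED = "Credential_Provisioned"
    EXPIRED = "Credential_Expired"
    REVOKED = "Credential_Revoked"


# Operation -> {state it may be applied in: resulting state}, taken from the
# operations table. Anything not listed is rejected. DELETE is deliberately absent
# (Design Note 1). Allowing REVOKE from Credential_Created is an assumption.
TRANSITIONS = {
    "CREATE": {State.NULL: State.CREATED},
    "PROVISION": {State.CREATED: State.PROVISIONED},
    "UPDATE": {State.PROVISIONED: State.PROVISIONED,   # refresh internal parts
               State.EXPIRED: State.PROVISIONED},      # renew an expired credential
    "EXPIRE": {State.PROVISIONED: State.EXPIRED},
    "REVOKE": {State.CREATED: State.REVOKED,
               State.PROVISIONED: State.REVOKED,
               State.EXPIRED: State.REVOKED},
}


class LifecycleError(Exception):
    """Raised when an operation is not valid in the credential's current state."""


@dataclass
class Credential:
    classification: str                    # ONAP_User, ONAP_ExtAPI, ONAP_Component or ONAP_Foreign
    state: State = State.NULL
    not_after: Optional[datetime] = None   # assumed lifetime attribute; drives implicit EXPIRE
    history: list = field(default_factory=list)

    def apply(self, op: str, not_after: Optional[datetime] = None) -> State:
        """Apply an explicit lifecycle operation, enforcing the transition table."""
        if op == "DELETE":
            raise LifecycleError("DELETE is not a valid operation (Design Note 1)")
        allowed = TRANSITIONS.get(op)
        if allowed is None:
            raise LifecycleError(f"unknown operation {op!r}")
        if self.state not in allowed:
            raise LifecycleError(f"{op} is not permitted in state {self.state.value}")
        if op in ("PROVISION", "UPDATE"):
            if not_after is None:
                raise LifecycleError(f"{op} requires a lifetime (not_after)")
            self.not_after = not_after
        new_state = allowed[self.state]
        self.history.append((op, self.state.value, new_state.value))
        self.state = new_state
        return new_state

    def validate(self, now: datetime) -> bool:
        """VALIDATE succeeds only in Credential_Provisioned. A credential whose
        lifetime has passed is expired implicitly before the check."""
        if (self.state is State.PROVISIONED and self.not_after is not None
                and now >= self.not_after):
            self.apply("EXPIRE")
        return self.state is State.PROVISIONED


# Constructed reference time for the walkthrough below.
T0 = datetime(2024, 1, 1, tzinfo=timezone.utc)


def walkthrough() -> list:
    """Drive one ONAP_Component credential through the lifecycle and record
    what each step observes."""
    cred = Credential(classification="ONAP_Component")
    seen = []
    cred.apply("CREATE")
    seen.append(cred.validate(T0))                          # False: created, not provisioned
    cred.apply("PROVISION", not_after=T0 + timedelta(days=30))
    seen.append(cred.validate(T0))                          # True: provisioned, within lifetime
    seen.append(cred.validate(T0 + timedelta(days=31)))     # False: implicit EXPIRE
    seen.append(cred.state.value)                           # Credential_Expired
    cred.apply("UPDATE", not_after=T0 + timedelta(days=90))
    seen.append(cred.validate(T0 + timedelta(days=31)))     # True: renewed
    cred.apply("REVOKE")
    seen.append(cred.validate(T0 + timedelta(days=31)))     # False: revoked
    for op in ("UPDATE", "DELETE"):                         # neither is valid once revoked
        try:
            cred.apply(op, not_after=T0 + timedelta(days=365))
            seen.append(f"{op} accepted")
        except LifecycleError:
            seen.append(f"{op} rejected")
    return seen


if __name__ == "__main__":
    for step in walkthrough():
        print(step)
```

The transition table is the policy; `apply` is the only way to change state, so a reviewer can check the lifecycle against the document's tables by reading `TRANSITIONS` alone. The `history` list is what an audit trail of credential operations would record.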

<<<<<< insert a section here detailing how the credentials classifications come into here >>>

...


...

4 ONAP Credential Management Overview

ONAP requires two components to improve the security of credentials used in orchestration.

...

Component 1: Secrets Vault - a service, integrated with ONAP, that provides secure storage of the credentials ONAP uses to authenticate to VNFs.

2.5 Use cases

Use Cases:

 For ONAP_User Credentials

...