...
- Credentials for ONAP users to access ONAP. These are referred to as ONAP_User credentials.
- Credentials for using the APIs exposed by ONAP. These are referred to as ONAP_ExtAPI credentials.
- Credentials for ONAP to communicate with other ONAP components. These are referred to as ONAP_Component credentials.
  - Note: This includes credentials for VNF SDK to package the artefacts onboarded into SDC.
- Credentials for ONAP to communicate with other systems. These are referred to as ONAP_Foreign credentials.
  - As an example, if ONAP is to communicate with an external SDN controller or a cloud infrastructure, these credentials need to be managed.
2.2 Credential
...
It is useful to consider the lifecycle of the credentials. This section describes the lifecycle steps considered for the credentials (note that the usage of the credentials is out of scope of credential management):
<< Remove this section, keep red text, but in implementation close section >>
- Credential Null
  - The security credential does not exist.
- Credential Creation
  - The credentials are created. The means to create the credentials is considered out of scope for ONAP, and an existing credential creation scheme is used.
  - Note: The credentials may be created by a CA.
- Credential Provisioning
  - Provisioning the credentials involves putting the credentials into the ONAP system, ensuring that they are securely stored (PKCS11 secure generation and storage of the private key).
- Credential Update
  - The credentials that have been previously provisioned are updated.
- Credential Validation
  - The validation of provisioned credentials to ensure that the credentials are still valid.
- Credential Distribution
  - The distribution of the credentials so that they are accessible to the ONAP functions.
  - Note: This implies no statement on the means to distribute the credentials.
  - Note: For discussion - is (or should) this state be visible in the lifecycle?
- Credential Expiration
  - The credential has expired and is no longer considered valid.
- Credential Revoke
  - The ability to revoke and remove a credential.
2.3 Credential Management Requirements
The credential management solution considers the following:
General Requirements
- The credential management solution must be able to interact with existing credential creation and validation schemes.
  - (PKCS11 secure generation and storage of the private key)
  - (binding an identity to a credential using the X.509v3 certificate)
<< Insert section here for each credential type >>
2.4 Formal Credential Lifecycle
...
Management Requirements
The credential management solution considers the following:
General Requirements
- The credential management solution MUST be able to interact with existing credential creation and validation schemes.
- The following types of certificates SHOULD be supported by ONAP:
  - a, b, c, ...
  - (PKCS11 secure generation and storage of the private key)
  - (binding an identity to a credential using the X.509v3 certificate)
Requirements for ONAP_User credentials:
- ONAP MUST support ONAP_User credentials of type user-ID and password.
- ONAP SHOULD support ONAP_User credentials as certificates.
Requirements for ONAP_ExtAPI credentials:
- ONAP MUST support ONAP_ExtAPI credentials of type user-ID and password.
- ONAP MUST support ONAP_ExtAPI credentials as certificates.
Requirements for ONAP_Component credentials:
- ONAP MUST support ONAP_Component credentials of type user-ID and password.
- ONAP MUST support ONAP_Component credentials as certificates.
- ONAP components SHOULD use credentials based on certificates for communication with other ONAP components. The use of user-ID and password is a fallback for components that do not support certificates.
Requirements for ONAP_Foreign credentials:
- ONAP MUST support ONAP_Foreign credentials of type user-ID and password.
- ONAP MUST support ONAP_Foreign credentials as certificates.
2.3 Credential Lifecycle
2.3.1 Credential State Diagram
<<<<<Comment: Remove external to ONAP and ONAP operations. Add descriptive text that who the owning authority of the credential is (external, or onap) >>>
2.3.2 Credential States
| State | Definition |
|---|---|
| Credential_Null | No credential currently exists. The only valid operation is to create a credential. (The mechanism for creating a credential is out of scope of ONAP.) |
| Credential_Created | A credential has been created. The credential is not yet available within ONAP and cannot be validated. |
| Credential_Provisioned | The credential is provisioned into ONAP. The credential can be validated within ONAP. |
| Credential_Expired | The credential has expired. Credential validation within ONAP will fail. The credential can be updated. |
| Credential_Revoked | The credential has been revoked. Credential validation within ONAP will fail. The credential cannot be updated. |
| Credential_Destroyed | Note: Credentials can be copied, and the copy can be presented for validation. Credentials can never be destroyed. |
2.3.3 Credential Operations
| Operation | Definition |
|---|---|
| CREATE | Creates a new credential. Credential creation is external to ONAP. Credentials may not be deleted (Design Note 1). |
| PROVISION | Provisions an existing credential into ONAP. A credential must go through state Credential_Provisioned before it can be used within ONAP. |
| UPDATE | Updates an existing credential within ONAP. UPDATE is used to update a credential in state Credential_Expired and return it to state Credential_Provisioned. UPDATE may also be used to update internal parts of a credential. |
| VALIDATE | Validates an existing credential. VALIDATE is used to test that a presented credential gives permission for access to a resource within ONAP (e.g. to access an ONAP component, perform an ONAP operation, or access data). |
| EXPIRE | Expires an existing credential. EXPIRE may be an implicit operation, as some credentials have a defined lifetime and will expire automatically. EXPIRE may be an explicit operation, where a specific credential is expired. Credentials in state Credential_Expired may be updated. |
| REVOKE | Revokes an existing credential. Once a credential is in state Credential_Revoked there are no valid operations. A new credential is required. |
...
- Design Note 1 - this is intended to make explicit that digital credentials may always be re-presented, even if they are expired or revoked, because copies can exist; the lifecycle therefore has no delete operation and validation must fail on expired and revoked credentials.
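The lifecycle steps listed in the credential lifecycle section and the state and operation tables above describe one state machine. The following Python model is an added illustration, not ONAP code: the transition table and the `CredentialRecord` class are assumptions derived from the wording of the tables, and the only deliberate omission is a delete operation (Design Note 1).

```python
"""Credential lifecycle state machine from the state and operation tables.
Added example, not ONAP code: TRANSITIONS and CredentialRecord are
assumptions drawn from the tables' wording."""
from enum import Enum, auto


class State(Enum):
    NULL = auto()         # Credential_Null: nothing exists yet
    CREATED = auto()      # Credential_Created: exists, not yet inside ONAP
    PROVISIONED = auto()  # Credential_Provisioned: usable inside ONAP
    EXPIRED = auto()      # Credential_Expired: UPDATE can restore it
    REVOKED = auto()      # Credential_Revoked: terminal, no valid operations


# (operation, current state) -> next state.  Anything not listed is rejected,
# so a REVOKED credential can never be updated or re-provisioned.
TRANSITIONS = {
    ("CREATE", State.NULL): State.CREATED,             # creation is external to ONAP
    ("PROVISION", State.CREATED): State.PROVISIONED,
    ("UPDATE", State.PROVISIONED): State.PROVISIONED,  # update internal parts
    ("UPDATE", State.EXPIRED): State.PROVISIONED,      # renewal path from the table
    ("EXPIRE", State.PROVISIONED): State.EXPIRED,      # implicit (lifetime) or explicit
    ("REVOKE", State.PROVISIONED): State.REVOKED,
    ("REVOKE", State.EXPIRED): State.REVOKED,
}


class CredentialRecord:
    """Tracks one credential's lifecycle state.  There is deliberately no
    DELETE: copies of a credential may exist (Design Note 1), so the record
    is kept so that VALIDATE can keep failing for expired/revoked copies."""

    def __init__(self) -> None:
        self.state = State.NULL
        self.history = [State.NULL]  # audit trail of every state reached

    def apply(self, operation: str) -> State:
        """Apply a lifecycle operation; reject anything not in the table."""
        key = (operation, self.state)
        if key not in TRANSITIONS:
            raise PermissionError(f"{operation} is not valid in {self.state.name}")
        self.state = TRANSITIONS[key]
        self.history.append(self.state)
        return self.state

    def validate(self) -> bool:
        """VALIDATE succeeds only while provisioned; the tables say validation
        fails for created (not yet in ONAP), expired and revoked credentials."""
        return self.state is State.PROVISIONED
```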
<<<<<< insert a section here detailing how the credentials classifications come into here >>>
...
2.4 ONAP Credential Management Overview
ONAP requires two components to improve the security of credentials used in orchestration.
...
Component 1: Secrets Vault - A service that can be integrated with ONAP that provides secure storage of the credentials used by ONAP to authenticate to VNFs.
2.5 Use cases
Use Cases:
For ONAP_User Credentials
...