1 Introduction

This section captures recommendations for handling certain security questions studied by the security sub-committee. These recommendations, when implemented, can lead to new best practices. The recommendation states are:

...

    • Credentials for ONAP users to access ONAP. These are referred to as ONAP_User credentials.
    • Credentials for using the APIs exposed by ONAP. These are referred to as ONAP_ExtAPI credentials.
    • Credentials for ONAP to communicate with other ONAP components. These are referred to as ONAP_Component credentials.
      • Note: This includes credentials for VNF SDK to package the artefacts onboarded into SDC.
    • Credentials for ONAP to communicate with other systems. These are referred to as ONAP_Foreign credentials.
      • As an example, if ONAP is to communicate with an external SDN controller or a cloud infrastructure, these credentials need to be managed.
      • Another example is the credentials to access a VNF.

2.2 Credential Management Requirements

...

In the implementation, some types of credentials have to be provisioned into ONAP components, e.g. certificate-based credentials or (user-ID, password) pairs have to be added to VM images or containers before deployment. It is probably better to do this during the deployment rather than storing images with embedded credentials. The Secrets Vault is used to store these credentials securely. The transition to the Credential_Provisioned state means the credential is stored in the Secrets Vault.

<<<<<Comment: Remove external to ONAP and ONAP operations. Add descriptive text on who the owning authority of the credential is (external, or ONAP).

ZL: Removed external to ONAP and ONAP operations 2017-12-06. Text added (above)>>>


2.3.2 Credential States

State: Credential_Null
Definition: No credential currently exists. The only valid operation is to create a credential. (The mechanism for creating a credential is out of scope of ONAP.)

State: Credential_Created
Definition: A credential has been created. The credential is not yet available within ONAP, and cannot be validated.

State: Credential_Provisioned
Definition: The credential is provisioned into ONAP. The credential can be validated within ONAP.

State: Credential_Expired
Definition: The credential has expired. Credential validation within ONAP will fail. The credential can be updated.

State: Credential_Revoked
Definition: The credential has been revoked. Credential validation within ONAP will fail. The credential cannot be updated.

State: Credential_Destroyed
Definition: Note: Credentials can be copied, and the copy can be presented for validation. Credentials can never be destroyed.
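The state table above as a small executable model, added here as an example and not ONAP's own code. It assumes a Credential object exists only once created (Credential_Null is the absence of an object), treats expiry as a function of the current time rather than an explicit operation, and uses a constructed secret string in place of a Secrets Vault entry.

```python
import hmac
from dataclasses import dataclass
from datetime import datetime, timedelta
from enum import Enum


class State(Enum):
    NULL = "Credential_Null"
    CREATED = "Credential_Created"
    PROVISIONED = "Credential_Provisioned"
    EXPIRED = "Credential_Expired"
    REVOKED = "Credential_Revoked"  # no Destroyed member: the table says it is unreachable


@dataclass
class Credential:
    secret: str  # constructed stand-in for the value held in the Secrets Vault
    expires_at: datetime
    state: State = State.CREATED  # an object exists only once created; Null is its absence

    def provision(self) -> None:
        # Storing the credential in the Secrets Vault is what makes it Provisioned.
        if self.state is not State.CREATED:
            raise ValueError(f"cannot provision from {self.state.value}")
        self.state = State.PROVISIONED

    def current_state(self, now: datetime) -> State:
        # Expiry follows from time passing, not from an explicit operation.
        if self.state is State.PROVISIONED and now >= self.expires_at:
            self.state = State.EXPIRED
        return self.state

    def validate(self, presented: str, now: datetime) -> bool:
        # Only a Provisioned (unexpired, unrevoked) credential validates; compare in constant time.
        if self.current_state(now) is not State.PROVISIONED:
            return False
        return hmac.compare_digest(presented.encode(), self.secret.encode())

    def update(self, new_secret: str, lifetime: timedelta, now: datetime) -> None:
        # Expired credentials can be updated; Revoked ones cannot (rotating a live one is assumed allowed).
        if self.current_state(now) not in (State.PROVISIONED, State.EXPIRED):
            raise ValueError(f"cannot update from {self.state.value}")
        self.secret, self.expires_at, self.state = new_secret, now + lifetime, State.PROVISIONED

    def revoke(self) -> None:
        self.state = State.REVOKED  # sticky: no later operation leaves this state

    def destroy(self) -> None:
        raise RuntimeError("credentials cannot be destroyed; a copy may still be presented")
```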

...

  1. Provisioning the credentials
    <<insert here>>
  2. Retrieving the credentials
  3. Accessing VNFs during runtime and installation

<< Describe the flow for the credentials to access VNFs. To be more specific, who owns the credentials for the case when ONAP has to configure the VNFs >> (Zyg)

  4. Onboarding VNFs.

<< Describe the case where the VNF image and VNF package is signed by the vendor (with or without VNF package) >>

Assumptions: The vendor signs the image; it does not encrypt it.


Use case:


NOTE to seccom: Probably should describe how this works for all lifecycle steps. 

...