...
- Credentials for ONAP users to access ONAP. These are referred to as ONAP_User credentials.
- Credentials for using the APIs exposed by ONAP. These are referred to as ONAP_ExtAPI credentials.
- Credentials for ONAP to communicate with other ONAP components. These are referred to as ONAP_Component credentials.
  - Note: This includes credentials for VNF SDK to package the artefacts onboarded into SDC.
  - Note: Other ONAP components include VNFs that need to communicate securely with ONAP services such as DCAE.
  - Note: ONAP components can be spread across geographical locations. For example, DCAE systems at the Edge communicating with Central ONAP services.
- Credentials for ONAP to communicate with other systems. These are referred to as ONAP_Foreign credentials.
  - As an example, if ONAP is to communicate with an external SDN controller or a cloud infrastructure, these credentials need to be managed.
  - Another example is the credentials to access a VNF.
2.2 Credential Management Requirements
...
- The credential management solution MUST be able to interact with existing credential creation and validation schemes
- The following types of certificates SHOULD be supported by ONAP:
- a, b, c, ...
- Securing the private keys - CA private keys shall be secured using PKCS11-based HSMs (e.g. PKCS11 secure generation and storage of the private key)
- Usage of certificate identity wherever possible (binding an identity to a credential using the X.509v3 certificate)
...
Requirements for ONAP_Component credentials:
- ONAP MUST support ONAP_Component credentials of type user-ID and Password.
- ONAP MUST support ONAP_Component credentials as certificates.
- ONAP components SHOULD use credentials based on certificates for communication with other ONAP components. The use of user-ID and Password is a fallback in the case of components that do not support certificates.
...