...
The goal of this requirement is to implement new adapter within AAF's Certificate Manager (aka CertMan) micro-service called CertService which will request certificates signed by external Certificate Authority (CA) using CMPv2 CMP over HTTP protocol. New adapter can be used together with already existing adapters: LocalCA and JScepCA. To proof that new adapter Uses CMPv2 client to send and receive CMPv2 messages.
CertService's client will be also provided so other ONAP components (aka end components) can easily get certificate from CertService. End component is an ONAP component (e.g. DCAE collector or controller) which requires certificate from CMPv2 server to protect external traffic and uses CertService's client to get it.
CertService's client communicates with CertService via REST API, while CertService with CMPv2 server via CMP over HTTP.
To proof that CertService works Open Source CMPv2 server (EJBCA) will be deployed and used in E2E tests.
It is planned that Network Functions (aka xNFs) will get certificates from the same CMPv2 server and the same Certificate AuthorityCA hierarchy, but will use own means to get such certificates. Cause xNFs and ONAP will get certificates signed by the same root CA and will trust such root CA, both parties will automatically trust each other and can communicate with each other.
Architecture sketch
| Gliffy Diagram | ||||||
|---|---|---|---|---|---|---|
|
Components description
CertService
REST API
CMPv2 adapter properties:
| Method | Endpoint | Parameter | Returned values | ||||||
|---|---|---|---|---|---|---|---|---|---|
| Name | Is required? | Transfer method | Description | Name | Always returned? | Transfer method | Description | ||
| GET | /certificate/{caName} | CA name | Yes | Path parameter | Name of Certificate Authority which should sign sent CSR. Must match CertService's CMPv2 servers configuration. | Certificate chain | Yes | Body (JSON) | Signed certificate with whole certificate chain. |
| Base64 encoded CSR (Certificate Signing Request) | Yes | Header | Certificate Signing Request for given component | Trusted certificates | Yes | Body (JSON) | Trusted certificates. In other words list of root CAs which should be treated as trust anchors. Must contain root CA which was used to sign certificate and may contain other root CAs. | ||
| Base64 encoded private key | Yes | Header | Private key. Needed to create proof of possession (PoP) | ||||||
CMPv2 server properties
CertService contains configuration of CMPv2 servers. To enroll certificate at least one CMPv2 server has to be configured. Section holds all properties which are planned to be supported by CertService for CMPv2 based CA. Some parameters are planned to be processed before sending to CMPv2 clientserver.
| Parameter name | Required |
|---|
| Syntax | Description |
|---|
| Validation rules | |
|---|---|
| CA Name | Yes |
| String (1-128) | The CA name should include the name of the external CA server and the issuerDN, which is the distinguished name of the CA on the external CA server that will sign our certificate. |
| ||
| URL | Yes | Schema + IPv4/FQDN + port + path | Url to CMPv2 server; includes mandatory parts: schema (http://) and IPv4/FQDN and optional parts: port and path (alias); e.g. http://127.0.0.1:8080/pkix or http://127.0.0.1/ejbca/publicweb/cmp/cmp NOTE: If FQDN is given ONAP must be able to resolve it |
|
| Issuer DN | Yes | String ( |
| 4-256) | Distinguished Name of the CA that will sign the certificate on the |
| CMPv2 server side. When creating an end entity on the external CA server for client mode this IssuerDN will be passed through as the ca to sign for that user. |
| |||
| CA Mode | Yes | Enum (CLIENT|RA) | Issuer mode (either Registration Authority (RA) or client mode) |
|
| Authentication data::IAK | Yes | String (1-256) | Initial authentication key, used, together with RV, to authenticate request in CMPv2 server |
|
| Authentication data::RV | Yes |
| String (1-256) | Reference value, used, together with IAK, to authenticate request in CMPv2 server |
|
|
Simplified certificate enrollment flow from CertService's perspective
CMPv2 client
CertService's client
CertService's client properties:
| Group | Parameter name | Required | Default | Syntax | Description | Origin |
|---|---|---|---|---|---|---|
| Timeout | No | 30s | Timeout for REST API calls | Application helm chart | ||
| Path | Yes | Path where client will output generated keystore and truststore. Normally this path should be on a volume which is used to transfer keystore and truststore between CertService's client and main application | Application helm chart | |||
| CA name | Yes | Name of CA which will enroll certificate. Must be same as configured on server side. Used in REST API calls | OOM global value | |||
CSR details | Common Name | Yes | Common name for which certificate from CMPv2 server should be issued | Application helm chart | ||
| Organization | Yes | Organization for which certificate from CMPv2 server should be issued | OOM global value | |||
| Organization Unit | No | Organization unit for which certificate from CMPv2 server should be issued | OOM global value | |||
| Location | No | Location for which certificate from CMPv2 server should be issued | OOM global value | |||
| State | Yes | State for which certificate from CMPv2 server should be issued | OOM global value | |||
| Country | Yes | Country for which certificate from CMPv2 server should be issued | OOM global value | |||
| SANs | No | Subject Alternative Names (SANs) for which certificate from CMPv2 server should be issued | Application helm chart |
Simplified certificate enrollment flow from CertService's client perspective:
Input Table for CMPV2 client:
...