...
Gliffy Diagram | ||||||
---|---|---|---|---|---|---|
|
Security considerations
CertService's REST API will be protected by mutual HTTPS, meaning server will request client's certificate and authenticate only requests with trusted certificate. After ONAP default installation only certificate from CertService's client will be trusted. Authorization won't be supported in Frankfurt release.
Components description
CertService
...
Swagger will be added here
Security considerations
CertService's REST API will be protected by mutual HTTPS, meaning server will request client's certificate and authenticate only requests with trusted certificate. After ONAP default installation only certificate from CertService's client will be trusted. Authorization won't be supported in Frankfurt release.
CMPv2 server properties
CMPv2 server properties
CertService contains configuration of CMPv2 CertService contains configuration of CMPv2 servers. To enroll certificate at least one CMPv2 server has to be configured. CMPv2 server configuration is read during CertService startup and runtime changes require CertService restart.
...
Input value | Input type | Description | Usage |
---|---|---|---|
CsrModel | Object | POJO which transfers sent CSR, plain fields extracted from CSR (like Common Name, Country, etc) | |
CsrModel:: csr | org.bouncycastle.pkcs.PKCS10CertificationRequest | Certificate Signing Request received via REST API | |
CsrModel:: subjectDN | org.bouncycastle.asn1.x500.X500Name | SubjectDN retrieved from sent CSR | |
CsrModel:: privateKey | Either org.bouncycastle.util.io.pem.PemObject or java.security.PrivateKey | Private key received via REST API | |
CsrModel:: publicKey | Either org.bouncycastle.util.io.pem.PemObject or java.security.PublicKey | Public key retrieved from sent CSR | |
CsrModel:: ???? | |||
CMPv2ServerDetails | Object | POJO which transfers CMPv2 server properties | |
CMPv2ServerDetails:: CA name | String | CA name as configured in CMPv2 server properties | |
CMPv2ServerDetails:: URL | URL or String | ||
CMPv2ServerDetails:: IssuerDN | org.bouncycastle.asn1.x500.X500Name | ||
CMPv2ServerDetails:: CA mode | ENUM | ||
CMPv2ServerDetails:: IAK | String | ||
CMPv2ServerDetails:: RV | String | ||
CA name | String | CA name received via REST API |
...
Group | Parameter name | ENV variable name | Required | Default | Syntax | Description | Origin | |
---|---|---|---|---|---|---|---|---|
Url | REQUEST_URL | No | http(s)://cert-service:8080/certificate/ | URL | URL to Cert Service. Default value will be aligned with ONAP K8s deployment (Cert Service's K8s service name and port). Needs to be changed for plain docker deployment. | Application helm chart | ||
Timeout | REQUEST_TIMEOUT | No | 30 | 0-600 | Timeout for REST API calls. In seconds | Application helm chart | ||
Path | OUTPUT_PATH | Yes | /certificates | Path where client will output generated keystore and truststore. Normally this path should be on a volume which is used to transfer keystore and truststore between CertService's client and end component | Application helm chart | |||
CA name | CA_NAME | Yes | Name of CA which will enroll certificate. Must be same as configured on server side. Used in REST API calls | OOM global value | ||||
CSR details | Common Name | COMMON_NAME | Yes | Common name for which certificate from CMPv2 server should be issued | Application helm chart | |||
Organization | ORGANIZATION | Yes | Organization for which certificate from CMPv2 server should be issued | OOM global value | ||||
Organization Unit | ORGANIZATION_UNIT | No | Not available in generated certificate | Organization unit for which certificate from CMPv2 server should be issued | OOM global value | |||
Location | LOCATION | No | Not available in generated certificate | Location for which certificate from CMPv2 server should be issued | OOM global value | |||
State | STATE | Yes | State for which certificate from CMPv2 server should be issued | OOM global value | ||||
Country | COUNTRY | Yes | Country for which certificate from CMPv2 server should be issued | OOM global value | ||||
SANs | SANS | No | Not available in generated certificate | SAN1[:SAN2] | Subject Alternative Names (SANs) for which certificate from CMPv2 server should be issued. Colon is used as delimiter | Application helm chart |
Usage
Cause ONAP is deployed in K8s, CertService's client will be delivered as independent container and should run as init container for end component. Both init container and end component must mount the same volume (persistent or ephemeral) to transfer generated artifacts.
File interface (names, passwords) should be defined
Example
Volume to transfer generated artifacts should be mounted to application container (lines 46-49). Within K8s workload, CertService's client as init container should be added (lines 10-13). All needed ENV variables should be passed to CertService's client (lines 14-36). CertService's client should mount the same volume as application container (lines 37-39). Volume to transfer generated artifacts can be an emptyDir type (lines 51-53).
Code Block | ||
---|---|---|
| ||
# WARNING - work in progress so still can change
...
kind: Deployment
metadata:
...
spec:
...
template:
...
spec:
initContainers:
- name: cert-service-client
image: {{ .Values.global.csClientRepository }}/{{ .Values.global.csClientImage }}
imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
env:
- name: REQUEST_URL
value: {{ .Values.certService.url }}
- name: REQUEST_TIMEOUT
value: {{ .Values.certService.timeout }}
- name: OUTPUT_PATH
value: {{ .Values.certService.outputPath }}
- name: CA_NAME
value: {{ .Values.global.certService.caName }}
- name: COMMON_NAME
value: {{ .Values.certService.commonName }}
- name: ORGANIZATION
value: {{ .Values.global.certService.organization }}
- name: ORGANIZATION_UNIT
value: {{ .Values.global.certService.organizationUnit }}
- name: LOCATION
value: {{ .Values.global.certService.location }}
- name: STATE
value: {{ .Values.global.certService.state }}
- name: COUNTRY
value: {{ .Values.global.certService.country }}
- name: SANS
value: {{ .Values.certService.sans }}
volumeMounts:
- mountPath: {{ .Values.certService.outputPath }}
name: {{ include "common.fullname" . }}-cmpv2-certs
containers:
- name: {{ include "common.name" . }}
image: "{{ include "common.repository" . }}/{{ .Values.image }}"
imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
resources:
{{ include "common.resources" . | indent 12 }}
volumeMounts:
- mountPath: /certificates/external
name: {{ include "common.fullname" . }}-cmpv2-certs
readOnly: true
...
volumes:
- name: {{ include "common.fullname" . }}-cmpv2-certs
emptyDir: {} |
...