...

[Gliffy diagram: certService_cert_enrollment_flow]

Security considerations

CertService's REST API will be protected by mutual HTTPS: the server will request the client's certificate and authenticate only requests presenting a trusted certificate. After the default ONAP installation only the certificate of CertService's client will be trusted. Authorization won't be supported in the Frankfurt release.

Components description

CertService

...

Swagger will be added here (warning)

CMPv2 server properties

CertService contains the configuration of CMPv2 servers. To enroll a certificate at least one CMPv2 server has to be configured. The CMPv2 server configuration is read during CertService startup, and runtime changes require (question) a CertService restart.

...

| Input value | Input type | Description | Usage |
|---|---|---|---|
| CsrModel | Object | POJO which transfers the sent CSR and the plain fields extracted from it (Common Name, Country, etc.) | |
| CsrModel::csr | org.bouncycastle.pkcs.PKCS10CertificationRequest | Certificate Signing Request received via the REST API | |
| CsrModel::subjectDN | org.bouncycastle.asn1.x500.X500Name | Subject DN retrieved from the sent CSR | |
| CsrModel::privateKey | either org.bouncycastle.util.io.pem.PemObject or java.security.PrivateKey | Private key received via the REST API | |
| CsrModel::publicKey | either org.bouncycastle.util.io.pem.PemObject or java.security.PublicKey | Public key retrieved from the sent CSR | |
| CsrModel::???? | (warning) others if needed (warning) | plain data extracted from the sent CSR, if needed (warning) | |
| CMPv2ServerDetails | Object | POJO which transfers CMPv2 server properties | |
| CMPv2ServerDetails::CA name | String | CA name as configured in the CMPv2 server properties | |
| CMPv2ServerDetails::URL | URL or String | | |
| CMPv2ServerDetails::IssuerDN | org.bouncycastle.asn1.x500.X500Name | | |
| CMPv2ServerDetails::CA mode | ENUM | | |
| CMPv2ServerDetails::IAK | String | | |
| CMPv2ServerDetails::RV | String | | |
| CA name | String | CA name received via the REST API | |

...

| Group | Parameter name | ENV variable name | Required | Default | Syntax | Description | Origin |
|---|---|---|---|---|---|---|---|
| | Url | REQUEST_URL | No | http(s)://cert-service:8080/certificate/ | URL | URL of Cert Service. The default value will be aligned with the ONAP K8s deployment (Cert Service's K8s service name and port). Needs to be changed for a plain docker deployment. | Application helm chart |
| | Timeout | REQUEST_TIMEOUT | No | 300-600 | | Timeout for REST API calls, in seconds | Application helm chart |
| | Path | OUTPUT_PATH | Yes | /certificates | | Path where the client will output the generated keystore and truststore. Normally this path should be on a volume which is used to transfer the keystore and truststore between CertService's client and the end component | Application helm chart |
| | CA name | CA_NAME | Yes | | | Name of the CA which will enroll the certificate. Must be the same as configured on the server side. Used in REST API calls | OOM global value |
| CSR details | Common Name | COMMON_NAME | Yes | | | Common name for which the certificate from the CMPv2 server should be issued | Application helm chart |
| CSR details | Organization | ORGANIZATION | Yes | | | Organization for which the certificate from the CMPv2 server should be issued | OOM global value |
| CSR details | Organization Unit | ORGANIZATION_UNIT | No | Not available in generated certificate | | Organization unit for which the certificate from the CMPv2 server should be issued | OOM global value |
| CSR details | Location | LOCATION | No | Not available in generated certificate | | Location for which the certificate from the CMPv2 server should be issued | OOM global value |
| CSR details | State | STATE | Yes | | | State for which the certificate from the CMPv2 server should be issued | OOM global value |
| CSR details | Country | COUNTRY | Yes | | | Country for which the certificate from the CMPv2 server should be issued | OOM global value |
| CSR details | SANs | SANS | No | Not available in generated certificate | SAN1[:SAN2] | Subject Alternative Names (SANs) for which the certificate from the CMPv2 server should be issued. Colon is used as the delimiter | Application helm chart |
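As an added illustration of the rules in the table above (this is not the CertService client's own code), the following Python models how an init container's environment could be validated before the enrollment request is built: required variables, defaults, the 300-600 value for REQUEST_TIMEOUT (assumed here to be the allowed range in seconds), the colon-delimited SANS syntax, and a subject DN assembled with RFC 4514 escaping so that a value containing a comma cannot smuggle in an extra RDN. Variable names are the table's; the two-letter COUNTRY check and the sample environment are my additions.

```python
import re

# Rules from the CertService client parameter table: required variables, defaults,
# the 300-600 s timeout window and the ':'-delimited SANS syntax (SAN1[:SAN2]).
REQUIRED = ("OUTPUT_PATH", "CA_NAME", "COMMON_NAME", "ORGANIZATION", "STATE", "COUNTRY")
DEFAULTS = {"REQUEST_URL": "https://cert-service:8080/certificate/", "REQUEST_TIMEOUT": "300"}
# Subject attributes in DN emission order; unset optional ones are omitted.
DN_ATTRS = (("COUNTRY", "C"), ("STATE", "ST"), ("LOCATION", "L"),
            ("ORGANIZATION", "O"), ("ORGANIZATION_UNIT", "OU"), ("COMMON_NAME", "CN"))
# Constructed sample environment, as an init container would receive it.
SAMPLE_ENV = {"OUTPUT_PATH": "/certificates", "CA_NAME": "RA", "COMMON_NAME": "onap.org",
              "ORGANIZATION": "Linux-Foundation", "STATE": "California", "COUNTRY": "US",
              "SANS": "test.onap.org:onap.com", "REQUEST_TIMEOUT": "450"}

class ConfigError(ValueError):
    """Raised when the environment violates the parameter table."""

def parse_sans(raw):
    """Split SAN1[:SAN2]; a blank entry between delimiters is an error."""
    if not raw:
        return []
    sans = [s.strip() for s in raw.split(":")]
    if "" in sans:
        raise ConfigError("SANS contains an empty entry")
    return sans

def escape_rdn(value):
    """Escape RFC 4514 special characters so a value cannot add extra RDNs."""
    return re.sub(r'([,+"\\<>;])', r"\\\1", value)

def load_client_config(env):
    """Validate the init-container environment and return the request parameters."""
    missing = [k for k in REQUIRED if not env.get(k)]
    if missing:
        raise ConfigError("missing required variables: " + ", ".join(missing))
    url = env.get("REQUEST_URL") or DEFAULTS["REQUEST_URL"]
    if not re.match(r"^https?://", url):
        raise ConfigError("REQUEST_URL must be an http(s) URL")
    timeout = int(env.get("REQUEST_TIMEOUT") or DEFAULTS["REQUEST_TIMEOUT"])
    if not 300 <= timeout <= 600:
        raise ConfigError("REQUEST_TIMEOUT must be between 300 and 600 seconds")
    # X.520 rule, not in the table: the subject C attribute is a two-letter code.
    if not re.fullmatch(r"[A-Z]{2}", env["COUNTRY"]):
        raise ConfigError("COUNTRY must be a two-letter ISO 3166 code")
    subject = ", ".join("%s=%s" % (attr, escape_rdn(env[key]))
                        for key, attr in DN_ATTRS if env.get(key))
    return {"url": url, "timeout": timeout, "output_path": env["OUTPUT_PATH"],
            "ca_name": env["CA_NAME"], "subject": subject,
            "sans": parse_sans(env.get("SANS"))}
```

Calling `load_client_config(SAMPLE_ENV)` returns the defaulted URL, the parsed SAN list and the subject `C=US, ST=California, O=Linux-Foundation, CN=onap.org`; a missing required variable, an out-of-range timeout or a malformed country code raises `ConfigError` before any request is sent.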


Usage

Because ONAP is deployed in K8s, CertService's client will be delivered as an independent container and should run as an init container for the end component. Both the init container and the end component must mount the same volume (persistent or ephemeral) to transfer the generated artifacts.

(warning) File interface (names, passwords) should be defined (warning)

Example

The volume used to transfer the generated artifacts should be mounted into the application container (lines 46-49). CertService's client should be added to the K8s workload as an init container (lines 10-13). All required ENV variables should be passed to CertService's client (lines 14-36). CertService's client should mount the same volume as the application container (lines 37-39). The transfer volume can be of type emptyDir (lines 51-53).

```yaml
# WARNING - work in progress so still can change
...
kind: Deployment
metadata:
  ...
spec:
...
  template:
  ...
    spec:
      initContainers:
        - name: cert-service-client
          image: {{ .Values.global.csClientRepository }}/{{ .Values.global.csClientImage }}
          imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
          env:
            - name: REQUEST_URL
              value: {{ .Values.certService.url }}
            - name: REQUEST_TIMEOUT
              value: {{ .Values.certService.timeout }}
            - name: OUTPUT_PATH
              value: {{ .Values.certService.outputPath }}
            - name: CA_NAME
              value: {{ .Values.global.certService.caName }}
            - name: COMMON_NAME
              value: {{ .Values.certService.commonName }}
            - name: ORGANIZATION
              value: {{ .Values.global.certService.organization }}
            - name: ORGANIZATION_UNIT
              value: {{ .Values.global.certService.organizationUnit }}
            - name: LOCATION
              value: {{ .Values.global.certService.location }}
            - name: STATE
              value: {{ .Values.global.certService.state }}
            - name: COUNTRY
              value: {{ .Values.global.certService.country }}
            - name: SANS
              value: {{ .Values.certService.sans }}
          volumeMounts:
            - mountPath: {{ .Values.certService.outputPath }}
              name: {{ include "common.fullname" . }}-cmpv2-certs
      containers:
        - name: {{ include "common.name" . }}
          image: "{{ include "common.repository" . }}/{{ .Values.image }}"
          imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
          resources:
{{ include "common.resources" . | indent 12 }}
          volumeMounts:
            - mountPath: /certificates/external
              name: {{ include "common.fullname" . }}-cmpv2-certs
              readOnly: true
          ...
      volumes:
        - name: {{ include "common.fullname" . }}-cmpv2-certs
          emptyDir: {}
```

...