...
It is planned that Network Functions (aka xNFs) will get certificates from the same CMPv2 server and the same CA hierarchy, but will use own means to get such certificates. Cause xNFs and ONAP will get certificates signed by the same root CA and will trust such root CA, both parties will automatically trust each other and can communicate with each other.
Context view
| Gliffy Diagram | ||||||
|---|---|---|---|---|---|---|
|
Architecture sketch
| Gliffy Diagram | ||||||
|---|---|---|---|---|---|---|
|
Simplified certificate enrollment flow
| Gliffy Diagram | ||||||
|---|---|---|---|---|---|---|
|
Security considerations
CertService's REST API is protected by mutual HTTPS, meaning server requests client's certificate and authenticate only requests with trusted certificate. After ONAP default installation only certificate from CertService's client is trusted. Authorization isn't supported in Frankfurt release.
...
| Parameter name | Required | Syntax | Description | Validation rules |
|---|---|---|---|---|
| CA Name | Yes | String (1-128) | The CA name should include the name of the external CA server and the issuerDN, which is the distinguished name of the CA on the external CA server that will sign our certificate. | String (1-128) Should be URL safe as it is used by clients as path parameter in REST calls |
| URL | Yes | Schema + IPv4/FQDN + port + path | Url to CMPv2 server; includes mandatory parts: scheme (http://) and IPv4/FQDN and optional parts: port and path (alias); e.g. http://127.0.0.1:8080/pkix or http://127.0.0.1/ejbca/publicweb/cmp/cmp NOTE: If FQDN is given ONAP must be able to resolve it without extra manual configuration | Must be correct URL Must start with http:// scheme If port given, port from 1-65535 range |
| Issuer DN | Yes | String (4-256) | Distinguished Name of the CA that will sign the certificate on the CMPv2 server side. When creating an end entity on the external CA server for client mode this IssuerDN will be passed through as the ca to sign for that user. | String (4-256) Correct DN |
| CA Mode | Yes | Enum (CLIENT|RA) | Issuer mode (either Registration Authority (RA) or client mode) | Value from predefined set |
| Authentication data::IAK | Yes | String (1-256) | Initial authentication key, used, together with RV, to authenticate request in CMPv2 server | String (1-256) |
| Authentication data::RV | Yes | String (1-256) | Reference value, used, together with IAK, to authenticate request in CMPv2 server | String (1-256) |
...
| Parameter name | ENV variable name | Required | Default | Syntax | Validation rules | Description | Origin |
|---|---|---|---|---|---|---|---|
| Url | REQUEST_URL | No | https://aaf-cert-service-service:8443/v1/certificate/ | URL | Syntax column | URL to Cert Service. Default value will be aligned with ONAP K8s deployment (Cert Service's K8s service name and port). Needs to be changed for plain docker deployment. | Application helm chart |
| Timeout | REQUEST_TIMEOUT | No | 30000 | Int (0-120000) | Syntax column | Timeout for REST API calls. In miliseconds. A timeout value of zero is interpreted as an infinite timeout. | Application helm chart |
| Path | OUTPUT_PATH | Yes | String (1-256) | Syntax column Path is valid *inx path | Path where client will output generated keystore and truststore. Normally this path should be on a volume which is used to transfer keystore and truststore between CertService's client and end component | Application helm chart | |
| CA name | CA_NAME | Yes | String (1-128) | Syntax column Must contain only alphanumeric characters | Name of CA which will enroll certificate. Must be same as configured on server side. Used in REST API calls | OOM global value | |
| Common Name | COMMON_NAME | Yes | String (1-256) | Syntax column CN can't contain (special characters (?, $, % and so on), IP addresses, Port numbers, or "http:// or https://") | Common name for which certificate from CMPv2 server should be issued | Application helm chart | |
| Organization | ORGANIZATION | Yes | String (1-256) | Syntax column Organization can't contain invalid characters from list "! @ # $ % ^ * ( ) ~ ? > < / \" (without "") | Organization for which certificate from CMPv2 server should be issued | OOM global value | |
| Organization Unit | ORGANIZATION_UNIT | No | Not available in generated certificate | String (0-256) | Syntax column | Organization unit for which certificate from CMPv2 server should be issued | OOM global value |
| Location | LOCATION | No | Not available in generated certificate | String (0-256) | Syntax column | Location for which certificate from CMPv2 server should be issued | OOM global value |
| State | STATE | Yes | String (1-256) | Syntax column | State for which certificate from CMPv2 server should be issued | OOM global value | |
| Country | COUNTRY | Yes | String(2) | C must be a 2-character ISO format country code | Country for which certificate from CMPv2 server should be issued | OOM global value | |
| SANs | SANS | No | Not available in generated certificate | String (0-2048) SAN1[:SAN2] | Syntax column | Subject Alternative Names (SANs) for which certificate from CMPv2 server should be issued. Colon is used as delimiter, e.g. example.com:example.pl. The only supported type of SANs is DNS domain name. NOTE: starting Honolulu release comma is used as delimiter, e.g. example.com,example.pl. | Application helm chart |
Results
...
| Name | Description |
|---|---|
| keystore.jks | Keystore with certificate chain saved under 'certificate' alias. Protected by random generated password. Keystore in PKCS#12 format. |
| keystore.pass | File with password to keystore. Password should be min. 16 chars long and should contain only alphanumeric characters and special characters like Underscore (_), Dollar ($) and Pound (#). Password should be random. |
| truststore.jks | Truststore with all trusted certificates. Protected by random generated password. Every trusted certificate is saved under alias with 'trusted-certificate-' prefix. Truststore in PKCS#12 format. |
| truststore.pass | File with password to truststore. Password should be min. 16 chars long and should contain only alphanumeric characters and special characters like Underscore (_), Dollar ($) and Pound (#). Password should be random. |
...
Volume to transfer generated artifacts should be mounted to application container (lines 4657-4961). Within K8s workload, CertService's client as init container should be added conditionally (lines 10-1314 and 49). All needed ENV variables should be passed to CertService's client (lines 1415-3645). CertService's client should mount the same volume as application container (lines 3746-3948). Volume to transfer generated artifacts can be an emptyDir type (lines 5164-5367).
| Code Block | ||
|---|---|---|
| ||
... # WARNING - work in progress so still can change
kind: Deployment
metadata:
...
spec:
...
template:
...
spec:
{{- if .Values.global.cmpv2Enabled }}
initContainers:
- name: cert-service-client
image: {{ .Values.global.repository }}/{{ .Values.global.aaf.certServiceClient.image }}
imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
env:
- name: REQUEST_URL
value: {{ .Values.global.aaf.certServiceClient.envVariables.requestURL }}
- name: REQUEST_TIMEOUT
value: {{ .Values.global.aaf.certServiceClient.envVariables.requestTimeout}}
- name: OUTPUT_PATH
value: {{ .Values.certificate.outputPath }}
- name: CA_NAME
value: {{ .Values.global.aaf.certServiceClient.envVariables.caName }}
- name: COMMON_NAME
value: {{ .Values.certificate.commonName }}
- name: ORGANIZATION
value: {{ .Values.global.aaf.certServiceClient.envVariables.cmpv2Organization }}
- name: ORGANIZATION_UNIT
value: {{ .Values.global.aaf.certServiceClient.envVariables.cmpv2OrganizationalUnit }}
- name: LOCATION
value: {{ .Values.global.aaf.certServiceClient.envVariables.cmpv2Location }}
- name: STATE
value: {{ .Values.global.aaf.certServiceClient.envVariables.cmpv2State }}
- name: COUNTRY
value: {{ .Values.global.aaf.certServiceClient.envVariables.cmpv2Country }}
- name: SANS
value: {{ .Values.certificate.sans }}
- name: KEYSTORE_PATH
value: {{ .Values.global.aaf.certServiceClient.envVariables.keystorePath }}
- name: KEYSTORE_PASSWORD
value: {{ .Values.global.aaf.certServiceClient.envVariables.keystorePassword }}
- name: TRUSTSTORE_PATH
value: {{ .Values.global.aaf.certServiceClient.envVariables.truststorePath }}
- name: TRUSTSTORE_PASSWORD
value: {{ .Values.global.aaf.certServiceClient.envVariables.truststorePassword }}
volumeMounts:
- mountPath: {{ .Values.certService.outputPath }}
name: {{ include "common.fullname" . }}-cmpv2-certs
{{ end -}}
containers:
- name: {{ include "common.name" . }}
image: "{{ include "common.repository" . }}/{{ .Values.image }}"
imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
resources:
{{ include "common.resources" . | indent 12 }}
volumeMounts:
{{- if .Values.global.cmpv2Enabled }}
- mountPath: /certificates/external
name: {{ include "common.fullname" . }}-cmpv2-certs
readOnly: true
{{ end -}}
...
volumes:
{{- if .Values.global.cmpv2Enabled }}
- name: {{ include "common.fullname" . }}-cmpv2-certs
emptyDir: {}
{{ end -}} |
...
- Keep CMPv2 server details in e.g. ESR
Support configurable output type to output artifacts in desired format: JKS, P12 or PEM- implemented in Guilin release- Certificate update implementation on server and client side
- Add to CertService new endpoint to call certificate update in CMPv2 server
- Adjust CertService's client to work as sidecar, not init container
CerService's client adjusted to run in loop (e.g. keep watermark and read it in every run)
- If certificate is not enrolled - request certificate
- If certificate is already enrolled - request certificate update
- Application adjusted to reload keystore/truststore in the runtime or if such is not possible, adjusted to restart itself or inform K8s via probes mechanism that restart is required
- Adjust logging to ONAP guidance
- CMPv2 over HTTPS support