Overview
The goal of this requirement is to implement new micro-service called CertService which will request certificates signed by external Certificate Authority (CA) using CMP over HTTP protocol. Uses CMPv2 client to send and receive CMPv2 messages.
CertService's client will be also provided so other ONAP components (aka end components) can easily get certificate from CertService. End component is an ONAP component (e.g. DCAE collector or controller) which requires certificate from CMPv2 server to protect external traffic and uses CertService's client to get it.
CertService's client communicates with CertService via REST API over HTTPS, while CertService with CMPv2 server via CMP over HTTP.
To proof that CertService works Open Source CMPv2 server (EJBCA) will be deployed and used in E2E tests.
It is planned that Network Functions (aka xNFs) will get certificates from the same CMPv2 server and the same CA hierarchy, but will use own means to get such certificates. Cause xNFs and ONAP will get certificates signed by the same root CA and will trust such root CA, both parties will automatically trust each other and can communicate with each other.
Architecture sketch
Simplified certificate enrollment flow
Security considerations
CertService's REST API is protected by mutual HTTPS, meaning server requests client's certificate and authenticate only requests with trusted certificate. After ONAP default installation only certificate from CertService's client is trusted. Authorization isn't supported in Frankfurt release.
Components description
CertService
REST API
| Method | Endpoint | Parameter | Returned values | ||||||
|---|---|---|---|---|---|---|---|---|---|
| Name | Is required? | Transfer method | Description | Name | Always returned? | Transfer method | Description | ||
| GET | /certificate/{caName} | CA name | Yes | Path parameter | Name of Certificate Authority which should sign sent CSR. Must match CertService's CMPv2 servers configuration. | Certificate chain | Yes | Body (JSON) | Base64 decoded  signed certificate with whole certificate chain (intermediate CA certificates). |
| Base64 encoded CSR (Certificate Signing Request) | Yes | Header | Certificate Signing Request for given component | Trusted certificates | Yes | Body (JSON) | Base64 decoded list of trusted certificates. In other words list of root CAs which should be treated as trust anchors. Must contain root CA which was used to sign certificate and may contain other root CAs. | ||
| Base64 encoded private key | Yes | Header | Private key. Needed to create proof of possession (PoP) | ||||||
Return HTTP codes:
| HTTP code | Description |
|---|---|
| 200 (OK) | Everything is ok. Certificate chain and trusted certificates returned |
| 400 (Bad Request) | Incorrect/missing CSR and/or private key |
| 401 (Unauthorized) | Missing client certificate or presented certificate is not trusted |
| 404 (Not found) | Invalid CA name in REST API call or wrong endpoint called |
| 500 (Internal Server Error) | In case of exception on server side. |
OpenAPI
Swagger will be added here 
CMPv2 server properties
CertService contains configuration of CMPv2 servers. To enroll certificate at least one CMPv2 server has to be configured. CMPv2 servers configuration is read during CertService startup and to take runtime changes into account CertService's refresh configuration endpoint has to be called.
Section holds all properties which are planned to be supported by CertService for CMPv2 based server.
| Parameter name | Required | Syntax | Description | Validation rules |
|---|---|---|---|---|
| CA Name | Yes | String (1-128) | The CA name should include the name of the external CA server and the issuerDN, which is the distinguished name of the CA on the external CA server that will sign our certificate. | String (1-128) |
| URL | Yes | Schema + IPv4/FQDN + port + path | Url to CMPv2 server; includes mandatory parts: scheme (http://) and IPv4/FQDN and optional parts: port and path (alias); e.g. http://127.0.0.1:8080/pkix or http://127.0.0.1/ejbca/publicweb/cmp/cmp NOTE: If FQDN is given ONAP must be able to resolve it without extra manual configuration | Must be correct URL Must start with http:// scheme If port given, port from 1-65535 range |
| Issuer DN | Yes | String (4-256) | Distinguished Name of the CA that will sign the certificate on the CMPv2 server side. When creating an end entity on the external CA server for client mode this IssuerDN will be passed through as the ca to sign for that user. | String (4-256) Correct DN |
| CA Mode | Yes | Enum (CLIENT|RA) | Issuer mode (either Registration Authority (RA) or client mode) | Value from predefined set |
| Authentication data::IAK | Yes | String (1-256) | Initial authentication key, used, together with RV, to authenticate request in CMPv2 server | String (1-256) |
| Authentication data::RV | Yes | String (1-256) | Reference value, used, together with IAK, to authenticate request in CMPv2 server | String (1-256) |
Example
# WARNING - work in progress so still can change
{
"cmpv2Servers":[
{
"caName":"TEST",
"url":"http://127.0.0.1/ejbca/publicweb/cmp/cmp",
"issuerDN":"CN=ManagementCA",
"caMode":"CLIENT",
"authentication":{
"iak":"xxx",
"rv":"yyy"
}
},
{
"caName":"TEST2",
"url":"http://127.0.0.1/ejbca/publicweb/cmp/cmpRA",
"issuerDN":"CN=ManagementCA2",
"caMode":"RA",
"authentication":{
"iak":"xxx",
"rv":"yyy"
}
}
]
}
CMPv2 client
Input table for CMPv2 client
CMPv2 will get two POJOs and one String: first with CSR, plain fields extracted from CSR (like subject DN, list of SANs, etc) and private key (in general data passed via REST API call) and second with CMPv2 server details and CA name
| Input value | Input type | Description | Usage |
|---|---|---|---|
| CsrModel | Object | POJO which transfers sent CSR, plain fields extracted from CSR (like Common Name, Country, etc) | |
| CsrModel:: csr | org.bouncycastle.pkcs.PKCS10CertificationRequest | Certificate Signing Request received via REST API | |
| CsrModel:: subjectDN | org.bouncycastle.asn1.x500.X500Name | SubjectDN retrieved from sent CSR | |
| CsrModel:: privateKey | Either org.bouncycastle.util.io.pem.PemObject or java.security.PrivateKey | Private key received via REST API | |
| CsrModel:: publicKey | Either org.bouncycastle.util.io.pem.PemObject or java.security.PublicKey | Public key retrieved from sent CSR | |
| CsrModel:: | Others (plain data extracted from sent CSR) if needed | | |
| CMPv2ServerDetails | Object | POJO which transfers CMPv2 server properties | |
| CMPv2ServerDetails:: CA name | String | CA name as configured in CMPv2 server properties | |
| CMPv2ServerDetails:: URL | URL or String | URL to CMPv2 server as configured in CMPv2 server details | |
| CMPv2ServerDetails:: IssuerDN | org.bouncycastle.asn1.x500.X500Name | Issuer DN as configured in CMPv2 server details | |
| CMPv2ServerDetails:: CA mode | ENUM | CA mode as configured in CMPv2 server details | |
| CMPv2ServerDetails:: IAK | String | IAK as configured in CMPv2 server details | |
| CMPv2ServerDetails:: RV | String | RV as configured in CMPv2 server details | |
| CA name | String | CA name received via REST API |
Return values from CMPv2 client
Currently the POC for CMPv2 client is working based on the inputs below.
Input Values | Input Type | Description | Usage |
|---|---|---|---|
| csrMeta | object | csrMeta object from aaf, would contain values needed for certificate request. any needed values that should be stored in the csrMeta will be mentioned below. | stores all pertinent values for certificate request - these will be detailed below, and should be set before being passed to the cmpv2 client. |
| csrMeta:IssuerDn | org.bouncycastle.asn1.x500.X500Name | distinguished name of the CA we're receiving certificate from. Cannot be null | used in the creation of the cert on EJBCA server |
| csrMeta: SubjectDn | org.bouncycastle.asn1.x500.X500Name | Distinguished name of the Entity the certificate is being issued to/ Certificate Requesting Entity. Cannot be null. | used in the creation of the cert on EJBCA server |
| csrMeta: KeyPair | java.security.KeyPair | KeyPair associated with the entity the certificate is being issued to. Cannot be null | used to create proof of possession for request to EJBCA server |
| csrMeta: Password | object which contains iak/rv? | secret password value shared by EJBCA server. Cannot be null | used to authenticate ourselves to the EJBCA serve |
csrMeta: CA Details | object | Certification Authority Details ( Http address, Port number and Path (which includes alias if used)). Cannot be null | used to Post Http request to External CA. |
.cer file | java.security.cert.X509Certificate | .cer (CSR) generated by Cert-man using Key-pair. Cannot be null. | used to validate response (.crt)/ certificate send from EJBCA server |
| caName | string | the name which is a general description of the external CA | used for debugging purposes |
| caMode | enum | string noting whether the server we are contacting will be operating in either client or RA mode | used for debugging purposes |
Relevant values in Certificate Request message to EJBCA:
Value | Description | Information Included |
|---|---|---|
| PKIHeader | Contains information common to many PKI messages. | SenderDN IssuerDN ProtectionAlgorithm (used for PkiProtection below) |
| PKIBody | contains message-specific information ie. certificate request message | CertificateRequestMessage, which includes: SubjectDN IssuerDN SubjectPublicKey |
| PKIProtection | contains bits that protect PKImessage (Specifically the iak/rv) |
Test code for running cmpv2 client against EJBCA server through unit test
@Test
public void testServerWithRealUrl()
throws CmpClientException {
setValidCsrMetaValuesAndDateValues();
csrMeta.externalCaUrl("http://127.0.0.1/ejbca/publicweb/cmp/cmpRA");
csrMeta.password("mypassword");
CmpClientImpl cmpClient = new CmpClientImpl();
try {
cmpClient.createCertRequest("data", "RA", csrMeta, cert, notBefore, notAfter);
} catch (CAOfflineException e) {
e.printStackTrace();
}
}
private void setValidCsrMetaValuesAndDateValues() {
ArrayList<RDN> rdns = new ArrayList<>();
try {
rdns.add(new RDN("O=CommonCompany"));
} catch (CertException e) {
e.printStackTrace();
}
csrMeta = new CSRMeta(rdns);
csrMeta.cn("Node123");
csrMeta.san("CommonName.com");
csrMeta.password("password");
csrMeta.email("CommonName@cn.com");
csrMeta.issuerCn("ManagementCA");
when(kpg.generateKeyPair()).thenReturn(keyPair);
csrMeta.keypair(trans);
csrMeta.externalCaUrl("http://127.0.0.1/ejbca/publicweb/cmp/cmpRA");
try {
notBefore = Optional.ofNullable(new SimpleDateFormat("yyyy/MM/dd HH:mm:ss").parse("2019/11/11 12:00:00"));
notAfter = Optional.ofNullable(new SimpleDateFormat("yyyy/MM/dd HH:mm:ss").parse("2020/11/11 12:00:00"));
} catch (ParseException e) {
e.printStackTrace();
}
}
Usage
Docker
Run CertService as docker via following command: TBA
docker run -it -p 8080:8080/tcp $CONTAINER_IMAGE
Kubernetes
For Kubernetes helm chart is provided. Just fill in all values and deploy helm chart using following command: TBA
helm install --name $NAME --namespace onap $PATH_TO_HELM_CHART --values $PATH_TO_OVERRIDDEN_VALUES
CertService's client
CertService's client input properties
| Group | Parameter name | ENV variable name | Required | Default | Syntax | Description | Origin |
|---|---|---|---|---|---|---|---|
| Url | REQUEST_URL | No | http(s)://cert-service:8080/certificate/ | URL | URL to Cert Service. Default value will be aligned with ONAP K8s deployment (Cert Service's K8s service name and port). Needs to be changed for plain docker deployment. | Application helm chart | |
| Timeout | REQUEST_TIMEOUT | No | 30000 | 0-120000 | Timeout for REST API calls. In miliseconds. A timeout value of zero is interpreted as an infinite timeout. | Application helm chart | |
| Path | OUTPUT_PATH | Yes | Path where client will output generated keystore and truststore. Normally this path should be on a volume which is used to transfer keystore and truststore between CertService's client and end component | Application helm chart | |||
| CA name | CA_NAME | Yes | Name of CA which will enroll certificate. Must be same as configured on server side. Used in REST API calls | OOM global value | |||
CSR details | Common Name | COMMON_NAME | Yes | Common name for which certificate from CMPv2 server should be issued | Application helm chart | ||
| Organization | ORGANIZATION | Yes | Organization for which certificate from CMPv2 server should be issued | OOM global value | |||
| Organization Unit | ORGANIZATION_UNIT | No | Not available in generated certificate | Organization unit for which certificate from CMPv2 server should be issued | OOM global value | ||
| Location | LOCATION | No | Not available in generated certificate | Location for which certificate from CMPv2 server should be issued | OOM global value | ||
| State | STATE | Yes | State for which certificate from CMPv2 server should be issued | OOM global value | |||
| Country | COUNTRY | Yes | Country for which certificate from CMPv2 server should be issued | OOM global value | |||
| SANs | SANS | No | Not available in generated certificate | SAN1[:SAN2] | Subject Alternative Names (SANs) for which certificate from CMPv2 server should be issued. Colon is used as delimiter | Application helm chart |
Results
As the successful result of running CertService's client (exitCode = 0) following artifacts are created:
Other exitCodes:
File interface (names, passwords) should be defined
Usage
Docker
Run CertService's client as docker via following command: TBA
Kuberenetes
Cause ONAP is deployed in K8s, CertService's client will be delivered as independent container and should run as init container for end component. Both init container and end component must mount the same volume (persistent or ephemeral) to transfer generated artifacts.
Example
Volume to transfer generated artifacts should be mounted to application container (lines 46-49). Within K8s workload, CertService's client as init container should be added (lines 10-13). All needed ENV variables should be passed to CertService's client (lines 14-36). CertService's client should mount the same volume as application container (lines 37-39). Volume to transfer generated artifacts can be an emptyDir type (lines 51-53).
... # WARNING - work in progress so still can change
kind: Deployment
metadata:
...
spec:
...
template:
...
spec:
initContainers:
- name: cert-service-client
image: {{ .Values.global.csClientRepository }}/{{ .Values.global.csClientImage }}
imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
env:
- name: REQUEST_URL
value: {{ .Values.certService.url }}
- name: REQUEST_TIMEOUT
value: {{ .Values.certService.timeout }}
- name: OUTPUT_PATH
value: {{ .Values.certService.outputPath }}
- name: CA_NAME
value: {{ .Values.global.certService.caName }}
- name: COMMON_NAME
value: {{ .Values.certService.commonName }}
- name: ORGANIZATION
value: {{ .Values.global.certService.organization }}
- name: ORGANIZATION_UNIT
value: {{ .Values.global.certService.organizationUnit }}
- name: LOCATION
value: {{ .Values.global.certService.location }}
- name: STATE
value: {{ .Values.global.certService.state }}
- name: COUNTRY
value: {{ .Values.global.certService.country }}
- name: SANS
value: {{ .Values.certService.sans }}
volumeMounts:
- mountPath: {{ .Values.certService.outputPath }}
name: {{ include "common.fullname" . }}-cmpv2-certs
containers:
- name: {{ include "common.name" . }}
image: "{{ include "common.repository" . }}/{{ .Values.image }}"
imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
resources:
{{ include "common.resources" . | indent 12 }}
volumeMounts:
- mountPath: /certificates/external
name: {{ include "common.fullname" . }}-cmpv2-certs
readOnly: true
...
volumes:
- name: {{ include "common.fullname" . }}-cmpv2-certs
emptyDir: {}
CMPv2 server
For testing purpose EJBCA is set up. It is configured with 2 layer CA hierarchy (root CA and intermediate CA).
