
Project Name:

  • Proposed name for the project: Certificate and Secret Management Service
  • Proposed name for the repository : csm

...

Project description:

This project proposal addresses two areas of the ONAP deployment structure from a security perspective.

...

  1. Provide a certificate management service (CA Service) that provisions the signed certificates required for mutual TLS.
  2. Provide a certificate request agent SDK.
  3. Provide a hardware security plugin for storing private keys and for performing the cryptographic operations that need them.
  4. GUI/CLI for the Certificate Management Service.
  5. Provide a secret service for adding, deleting, updating and reading secrets.
  6. Provide a secret client agent SDK.
  7. GUI/CLI for the Secret Management Service.

Scope:

Internal CA Broker Service

The proposed project will provide an Internal CA Broker Service that microservices use for certificate enrollment. The ultimate goal is that every microservice enrolls with the Internal CA and then uses TLS, with the issued certificates, to establish secure communication channels with every other microservice.

...

  • Generates an RSA/ECDSA key pair through PKCS#11
  • Stores the private key securely
    • Stores the private key in a TPM if one is available
  • Generates a PKCS#10 CSR
  • Communicates with the CA Broker Service described above over its REST API
  • Periodically generates a usage report
  • Renews certificates before they expire
  • Discovers the Internal CA Broker Service
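The enrollment flow this list describes, end to end, as an added example in Go; it is not code from this proposal or from the ONAP project. The names `NewAgentKeyAndCSR`, `Broker`, `Enroll`, `VerifyIssued` and `NeedsRenewal` are illustrative. It assumes a software-generated key in place of the PKCS#11/TPM-held key, a self-signed root in place of the real Internal CA, and leaves out the REST transport: `Enroll` is what the broker would do with the body of one enrollment request, and `VerifyIssued` is what the agent does with the response.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"math/big"
	"time"
)

// Agent side: ECDSA P-256 key pair plus a PKCS#10 CSR naming the microservice.
// The proposal keeps the key in a PKCS#11 token or TPM; here it is generated
// in software (assumption) and never leaves the process.
func NewAgentKeyAndCSR(service string) (*ecdsa.PrivateKey, []byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.CertificateRequest{Subject: pkix.Name{CommonName: service}, DNSNames: []string{service}}
	der, err := x509.CreateCertificateRequest(rand.Reader, tmpl, key)
	if err != nil {
		return nil, nil, err
	}
	return key, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE REQUEST", Bytes: der}), nil
}

// Broker is the internal CA; a self-signed root is generated for the example.
type Broker struct {
	CACert *x509.Certificate
	caKey  *ecdsa.PrivateKey
}

func NewBroker() (*Broker, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "ONAP Internal CA (example)"},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(10 * 365 * 24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	ca, err := x509.ParseCertificate(der)
	return &Broker{CACert: ca, caKey: key}, err
}

// Enroll is what the broker's REST endpoint does with one request body: verify
// the CSR's proof-of-possession signature, then issue a short-lived end-entity
// cert with serverAuth and clientAuth EKUs so one cert serves both sides of a
// mutual-TLS connection. The REST response would carry cert.Raw PEM-encoded.
func (b *Broker) Enroll(csrPEM []byte, lifetime time.Duration) (*x509.Certificate, error) {
	block, _ := pem.Decode(csrPEM)
	if block == nil || block.Type != "CERTIFICATE REQUEST" {
		return nil, errors.New("enroll: body is not a PEM certificate request")
	}
	csr, err := x509.ParseCertificateRequest(block.Bytes)
	if err != nil {
		return nil, err
	}
	if err := csr.CheckSignature(); err != nil { // requester must hold the private key
		return nil, err
	}
	serial, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128)) // random 128-bit serial
	tmpl := &x509.Certificate{
		SerialNumber: serial, Subject: csr.Subject, DNSNames: csr.DNSNames,
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(lifetime),
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, b.CACert, csr.PublicKey, b.caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// VerifyIssued is the agent's check on the broker's response: the cert must
// chain to the internal CA, name this service and be valid for client auth.
func VerifyIssued(cert, ca *x509.Certificate, service string) error {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	_, err := cert.Verify(x509.VerifyOptions{Roots: roots, DNSName: service,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	return err
}

// NeedsRenewal drives the agent's periodic renewal loop: renew once less than
// renewFraction of the lifetime remains (a third is a common choice).
func NeedsRenewal(cert *x509.Certificate, now time.Time, renewFraction float64) bool {
	lifetime := cert.NotAfter.Sub(cert.NotBefore)
	return cert.NotAfter.Sub(now) <= time.Duration(float64(lifetime)*renewFraction)
}
```

Two checks in `Enroll` are the ones a broker must never skip: `CheckSignature` proves the requester holds the private key for the public key it wants certified, and the issued template is built from the CSR's subject and SANs only, never from its extensions or any other caller-controlled field. The agent, for its part, verifies the returned certificate against the CA it discovered rather than trusting whatever comes back over the REST channel.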

The diagram below illustrates best practice for endpoint-initiated certificate enrollment.

This diagram shows how certificate provisioning maps onto the ONAP context.

The diagram below details the architecture blocks referenced above:

Use Case Sequence Diagrams




Secret Service

The project will also provide a Secret Service with the following features and capabilities:

  • RESTful API support
    • ADD
    • UPDATE
    • DELETE
    • Token-based authentication for the above requests
    • Username/password authentication will also be supported
  • Securely store secrets using AES encryption
  • Use a TPM or SGX for key storage if available
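The operations in this list, together with the read/retrieve operation the proposal mentions elsewhere, as an added example in Go; it is not code from this proposal or from the ONAP project. `SecretStore`, its methods and the error values are illustrative names. It assumes a caller-supplied master key in memory where the proposal would use a TPM- or SGX-held key, a single shared bearer token for the token-based authentication, and an in-memory map in place of persistent storage. "AES encryption" is made concrete as AES-GCM, an authenticated mode, with the secret's name bound in as additional authenticated data.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/subtle"
	"errors"
)

var (
	ErrUnauthorized = errors.New("sms: invalid token")
	ErrExists       = errors.New("sms: secret already exists")
	ErrNotFound     = errors.New("sms: secret not found")
)

// SecretStore keeps each secret as nonce||AES-GCM ciphertext under one master
// key. In the proposal that key would be held by a TPM or SGX enclave; here it
// is a caller-supplied key kept in memory (assumption). Calls are not
// synchronised; a real service would lock around them.
type SecretStore struct {
	aead  cipher.AEAD
	token []byte
	items map[string][]byte
}

func NewSecretStore(masterKey, apiToken []byte) (*SecretStore, error) {
	block, err := aes.NewCipher(masterKey) // 16, 24 or 32 bytes
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &SecretStore{aead: aead, token: append([]byte(nil), apiToken...), items: map[string][]byte{}}, nil
}

// authorize is the token check on every request; constant-time comparison
// keeps a timing side channel from leaking the token byte by byte.
func (s *SecretStore) authorize(token []byte) error {
	if subtle.ConstantTimeCompare(token, s.token) != 1 {
		return ErrUnauthorized
	}
	return nil
}

// seal encrypts one value under a fresh random nonce. The secret's name is the
// additional authenticated data, so a record copied under another name fails
// to open instead of silently serving the wrong value.
func (s *SecretStore) seal(name string, value []byte) ([]byte, error) {
	nonce := make([]byte, s.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return s.aead.Seal(nonce, nonce, value, []byte(name)), nil
}

// put backs ADD (mustExist=false, refuses to overwrite) and UPDATE
// (mustExist=true, refuses to create); both store a freshly sealed record.
func (s *SecretStore) put(token []byte, name string, value []byte, mustExist bool) error {
	if err := s.authorize(token); err != nil {
		return err
	}
	if _, ok := s.items[name]; ok != mustExist {
		if ok {
			return ErrExists
		}
		return ErrNotFound
	}
	rec, err := s.seal(name, value)
	if err != nil {
		return err
	}
	s.items[name] = rec
	return nil
}

func (s *SecretStore) Add(token []byte, name string, value []byte) error    { return s.put(token, name, value, false) }
func (s *SecretStore) Update(token []byte, name string, value []byte) error { return s.put(token, name, value, true) }

func (s *SecretStore) Delete(token []byte, name string) error {
	if err := s.authorize(token); err != nil {
		return err
	}
	if _, ok := s.items[name]; !ok {
		return ErrNotFound
	}
	delete(s.items, name)
	return nil
}

// Read decrypts for the secret client agent; a tampered record is an error.
func (s *SecretStore) Read(token []byte, name string) ([]byte, error) {
	if err := s.authorize(token); err != nil {
		return nil, err
	}
	rec, ok := s.items[name]
	if !ok {
		return nil, ErrNotFound
	}
	n := s.aead.NonceSize()
	return s.aead.Open(nil, rec[:n], rec[n:], []byte(name))
}
```

Two caveats a practitioner would add to the list item "AES encryption": the mode must authenticate the ciphertext (GCM here; plain CBC or ECB would let a database-level attacker alter or swap secrets undetected), and GCM with random 96-bit nonces is only safe for on the order of 2^32 encryptions per key, so a service that re-encrypts on every UPDATE needs a key-rotation plan or per-secret derived keys.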

The diagram below illustrates the Secret Service high-level flow in an ONAP context.


The diagram below illustrates how a microservice uses the Secret Client Agent to talk to the Secret Service to store or retrieve passwords.


Architecture Alignment:

CSM is a common service across ONAP components.

...