...
- Secure Communication between services.
- Current state and need:
ONAP consists of multiple micro services which talk to each other.
There are two types of communication:
- REST API based communication.
- DMaaP publish/subscribe based communication.
Since the communication is mostly over HTTP, there is a need to protect services from:
- Bad actors stealing the data on the wire.
- Receiving messages from bad actors.
- Requirement:
- Enable TLS 1.2+ for securing communication among the services. Java and Python libraries do support this functionality, but easy certificate provisioning is required for mutual TLS. This project aims to simplify PKI certificate provisioning via a simple, secure CA service, and to store private keys (the CA private key at the CA, and user certificate private keys) securely using hardware security.
- Storage of sensitive information such as passwords.
- Current state and gaps:
- Many services in ONAP use password-based authentication, e.g. database servers, publish/subscribe brokers, etc.
- Passwords are stored in plain text files in many services.
- With multiple instances of these services, the attack surface area becomes very big.
- Hence there is a need to ensure that attack surface related to password exposure is reduced.
- Requirement:
- Secure secret management is needed. Services are expected to get a secret only on an as-needed basis, using a secret reference, and to remove the secret once it has been used.
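The fetch-by-reference and remove-after-use pattern from the requirement above, sketched in Python. This is an added example, not code from the ONAP project: `DemoSecretStore`, `borrowed_secret`, `connect_to_database`, the `login` callback and all sample values are hypothetical stand-ins for a real secret service and database driver.

```python
from contextlib import contextmanager


class DemoSecretStore:
    """Constructed in-memory stand-in for a secret management service."""

    def __init__(self, secrets):
        self._secrets = dict(secrets)

    def fetch(self, reference):
        # Hand out a fresh mutable copy so the caller can overwrite it later.
        if reference not in self._secrets:
            raise KeyError(f"unknown secret reference: {reference}")
        return bytearray(self._secrets[reference])


@contextmanager
def borrowed_secret(store, reference):
    """Fetch a secret by reference, yield it, and zero the buffer on exit."""
    buf = store.fetch(reference)
    try:
        yield buf
    finally:
        # Runs on normal exit and when the body raises.
        buf[:] = bytes(len(buf))


# Constructed service configuration: it holds a reference, never the password.
SERVICE_CONFIG = {"db_user": "svc_demo", "db_password_ref": "demo/db/password"}


def connect_to_database(config, store, login):
    """Resolve the password only for the duration of the login call.

    login(user, password_buffer) is a hypothetical driver callback.
    """
    with borrowed_secret(store, config["db_password_ref"]) as password:
        return login(config["db_user"], password)


if __name__ == "__main__":
    store = DemoSecretStore({"demo/db/password": b"constructed-sample-pw"})
    ok = connect_to_database(
        SERVICE_CONFIG, store,
        lambda user, pw: bytes(pw) == b"constructed-sample-pw")
    print("login ok:", ok)
```

Only the mutable buffer is wiped: any immutable copy made along the way (`bytes(pw)`, a decoded `str`) stays in memory until the interpreter frees it, so the secret should remain a `bytearray` for as long as the driver allows.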
...