...
Project description:
This project proposal tries address two areas in the ONAP deployment structure from a security perspective.
- Secure Communication between servicesbetween microservices.
- Current state and need
ONAP consists of multiple micro services which talk to each other.
There are two types of communication.- REST API based communication.
- DMAPP publish/subscriber based communication.
Since the communication is mostly over HTTP, there is a need to protect services from:
- Bad actors stealing the data on the wire.
- Receiving messages from bad actors
- Requirement:
- Enable TLS 1TLS1.2+ for securing communication among the services. Java and Python libraries do support this functionality, but easy certificate provisioning is required for Mutual TLS. This project aims to simplify PKI - certificate provisioning via a simple , and secure CA service , store that stores private keys (CA private key at CA and user certificate private keys) securely using hardware security.
- Current state and need
- Storage of sensitive information such as passwords.
- Current state and gaps
- Many services in ONAP use password based authentication. Eg: Database servers, publish/subscribe brokers etc.
- Passwords are stored in plain text files in many services.
- With multiple instances of these services, the attach surface area becomes very big.
- Hence there is a need to ensure that attack surface related to password exposure is reduced.
- Requirement:
- Need for secure secret management. Services are expected to get the secret only on needed basis using secret reference and remove the secrets once they are used up.
- Current state and gaps
This project aims to provide solutions to the above needs by:
- Provide certificate management service Certificate Management Service (CA Service) to provision signed certificates required for Mutual TLS.
- Provide certificate request agent Certificate Request Agent SDK
- Provide hardware security plugin for storing private keys and for performing crypto operations that require private keys.
- GUI/CLI for Certificate Management Service
- Provide secret service Secret Management Service for adding/deleting/updating/reading secrets.
- Provide secret client agent Secret Client Agent SDK
- GUI/CLI for Secret Management Service.
Scope:
...
Certificate Management Service
The proposed project will provide an Internal CA Broker a Certificate Management Service which will be used for certificate enrollment by micro services. The ultimate goal is to make sure that all micro services communicate securely between each other using the Interal CA for enrollment and then use TLS to establish secure communication channels between each other.
The CA Broker Certificate Management Service will support the following:
- RESTful API support for Certificate Request Operations by micro services
- Generate Certificate
- Revocation of Certificate
- Usage report updates
- Token Authentication
- An Admin interface
- That will generate a self signed CA
- Upload any admin generated CA Cert + Private Key pair
- Usage usage reports on each key
- Revoke certificates
- Get CA Certificate in PEM/DER format
- Token service to provide temporary tokens
...
- Generate RSA/ECDSA key pair using PKCS11
- Securely store the private key.
- Store the private key using TPM if it is available
- PKCS10 CSR generation
- Communicates with the previously described CA Broker Certificate Management Service over REST API
- Periodically generates a usage report
- Certificate Renewal
- Discovery of Internal CA Broker Certificate Management Service
The below diagram illustrates Best Practices of Certificate Enrollment that is end-point initiated.
...
Use Case Sequence Diagrams
Secret Management Service
The project will also provide a Secret Service with the following features and capabilities:
...