...
- Secure Communication between microservices.
- Current state and need
ONAP consists of multiple micro services which talk to each other.
There are two types of communication:
- REST API based communication.
- DMaaP publish/subscribe based communication.
Since the communication is mostly over HTTP, there is a need to protect services from:
- Bad actors stealing the data on the wire.
- Receiving messages from bad actors.
- Requirement:
- Enable TLS 1.2+ for securing communication among the services. Java and Python libraries already support this, but easy certificate provisioning is required for mutual TLS. This project aims to simplify PKI certificate provisioning via a simple and secure CA service that stores private keys (the CA private key at the CA, and the user certificate private keys) securely using hardware security.
- Storage of sensitive information such as passwords.
- Current state and gaps
- Many services in ONAP use password based authentication, e.g. database servers and publish/subscribe brokers.
- Passwords are stored in plain text files in many services.
- With multiple instances of these services, the attack surface becomes very large.
- Hence there is a need to reduce the attack surface related to password exposure.
- Requirement:
- Need for secure secret management. Services are expected to fetch a secret only when it is needed, using a secret reference, and to discard it once it has been used.
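The pattern this requirement describes, as an added illustration (example code, not ONAP's own): the service configuration carries only a `secret://` reference, the value is fetched from the secret store at the point of use, and the buffer is wiped when that scope ends. The `secret://` syntax and the in-memory store standing in for the secret management service are assumptions made for the example.

```python
"""Secret-reference pattern: resolve a reference only at the point of use,
then wipe the value, instead of keeping a plaintext password in config."""
from contextlib import contextmanager
import re
from typing import Dict, Iterator

# Constructed stand-in for the secret management service (assumption).
_SECRET_STORE: Dict[str, bytes] = {
    "db/app/password": b"constructed-example-password",
}

# Assumed reference syntax: secret://<path-in-store>
SECRET_REF = re.compile(r"^secret://(?P<path>[a-z0-9_/\-]+)$")


class SecretResolutionError(LookupError):
    """Raised when a config value is not a reference or names no secret."""


def parse_secret_ref(ref: str) -> str:
    """Return the store path named by a secret:// reference; reject plaintext."""
    m = SECRET_REF.match(ref)
    if not m:
        raise SecretResolutionError(f"not a secret reference: {ref!r}")
    return m.group("path")


@contextmanager
def use_secret(ref: str) -> Iterator[bytearray]:
    """Fetch the secret on demand as a mutable buffer and zero it on exit.
    Zeroing is best-effort: any copy made from the buffer (e.g. str()) persists."""
    path = parse_secret_ref(ref)
    try:
        buf = bytearray(_SECRET_STORE[path])
    except KeyError:
        raise SecretResolutionError(f"unknown secret: {path}") from None
    try:
        yield buf
    finally:
        for i in range(len(buf)):
            buf[i] = 0


def connect_db(config: dict) -> dict:
    """Simulated DB connect: the password exists only inside the with-block."""
    with use_secret(config["db_password_ref"]) as pw:
        # Authentication is simulated by comparing against the stored value.
        authenticated = pw == _SECRET_STORE["db/app/password"]
    # Outside the block the buffer has been overwritten with zeros.
    return {"user": config["db_user"], "authenticated": authenticated,
            "secret_wiped": all(b == 0 for b in pw)}
```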
- Current state and gaps
...