
Project Name:

  • Proposed name for the project: Certificate and Secret Management Service
  • Proposed name for the repository: csm

...

Attached file: ONAP-Security-December-Conference-Final.pptx

Project description:

This project proposal addresses two areas of the ONAP deployment structure from a security perspective.

  1. Secure communication between microservices.
    • Current state and need
      • ONAP consists of multiple microservices which talk to each other.
        There are two types of communication:

        1. REST API based communication.
        2. DMAAP publish/subscribe based communication.

        Since the communication is mostly over HTTP, there is a need to protect services from:

        • Bad actors stealing the data on the wire.
        • Receiving messages from bad actors.
    • Requirement:
      • Enable TLS 1.2+ for securing communication among the services. Java and Python libraries do support this functionality, but easy certificate provisioning is required for mutual TLS. This project aims to simplify PKI certificate provisioning via a simple and secure CA service that stores private keys (the CA private key at the CA, and the user certificate private keys) securely using hardware security.
  2. Storage of sensitive information such as passwords.
    • Current state and gaps
      • Many services in ONAP use password based authentication, e.g. database servers, publish/subscribe brokers etc.
      • Passwords are stored in plain text files in many services.
      • With multiple instances of these services, the attack surface becomes very big.
      • Hence there is a need to reduce the attack surface related to password exposure.
    • Requirement:
      • Need for secure secret management. Services are expected to fetch a secret only when it is needed, using a secret reference, and to remove the secret once it has been used.

...

The project will also provide a Secret Management Service with the following features and capabilities:

  • Support multiple secret domains
    • Each domain can hold multiple secrets
    • Each domain is associated with various policies
  • Each secret can have multiple key-value pairs
  • RESTful API support for ADD, UPDATE and DELETE of secrets
  • Token based authentication for the above requests
  • Username and password based authentication will also be supported
  • Certificate based authentication
  • Authenticate users with AAF
  • Securely store secrets using AES encryption
    • Use TPM/SGX for key storage if available
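As an added example (not the project's own code), the encryption-at-rest part of this model in Go: a secret is addressed by a (domain, name) reference, its key/value pairs are AES-GCM encrypted under a master key, and the reference is bound into the ciphertext as associated data so a stored blob cannot be served under a different reference. The master key is assumed to be supplied by the caller, standing in for the TPM/SGX-backed key storage listed above; SecretRef, NewAEAD, Seal and Open are names chosen here.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/json"
	"errors"
)

// SecretRef is the (domain, secret name) reference a client holds instead of
// the secret itself; it is bound into the ciphertext as associated data.
type SecretRef struct{ Domain, Name string }

func (r SecretRef) aad() []byte { return []byte(r.Domain + "/" + r.Name) }

// NewAEAD builds AES-GCM under the master key (16, 24 or 32 bytes). In the real
// service that key would live in TPM/SGX-backed storage; here it is passed in.
func NewAEAD(masterKey []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(masterKey)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts a secret's key/value pairs at rest as nonce || ciphertext || tag.
func Seal(aead cipher.AEAD, ref SecretRef, kv map[string]string) ([]byte, error) {
	plain, _ := json.Marshal(kv) // map[string]string always marshals
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plain, ref.aad()), nil
}

// Open resolves a reference to its pairs; it fails if the blob was tampered
// with or was stored under a different reference (AAD mismatch).
func Open(aead cipher.AEAD, ref SecretRef, blob []byte) (map[string]string, error) {
	n := aead.NonceSize()
	if len(blob) < n {
		return nil, errors.New("blob too short")
	}
	plain, err := aead.Open(nil, blob[:n], blob[n:], ref.aad())
	if err != nil {
		return nil, err
	}
	var kv map[string]string
	return kv, json.Unmarshal(plain, &kv)
}
```

A client that receives the decrypted map should use it and drop it immediately, matching the "fetch by reference, remove once used" requirement above.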

The diagram below illustrates the Secret Service high level flow in an ONAP context.

...

The diagram below illustrates how a microservice uses the Secret Client Agent to talk to the Secret Service to store or retrieve passwords.

SoftHSMv2 + TPM2-Plugin

This project provides SoftHSMv2 with extended capabilities to leverage TPM 2.0 hardware to generate RSA/ECC key pairs and to import keys generated outside of the TPM 2.0 module. This is achieved by modifying SoftHSMv2, adding an adapter layer between SoftHSMv2 and the TPM2-Plugin.

The Bullseye coverage tool is used to measure code coverage.

Architecture Alignment:

CSM is a common service across ONAP components.

Other Information:

  • Seed code:

Key Project Facts:

Primary Contact: Srinivasa Addepalli

...

Release Components Name:

Note: refer to existing project for details on how to fill out this table

Components Name | Components Repository name | Maven Group ID     | Components Description
sms             | aaf/sms                    | org.onap.aaf.sms   | Secret Management Service that will contain the web service as well as the client code for managing and accessing secrets.
sshsm           | aaf/sshsm                  | org.onap.aaf.sshsm | A repository for the SoftHSM modifications and the hardware security plugin

Resources committed to the Release:

...

Contributors

Role         | First Name Last Name    | Linux Foundation ID | Email Address                     | Location
PTL          | Kiran Kamineni          | kirankamineni       | kiran.k.kamineni@intel.com        | Santa Clara, CA
Committers   | Kiran Kamineni          | kirankamineni       | kiran.k.kamineni@intel.com        | Santa Clara, CA
Committers   | Manjunath Ranganathaiah |                     |                                   |
Committers   | Ning Sun                |                     |                                   |
Committers   | Girish Havaldar         | girihg0071052@techmahindra.com            | Bangalore, India
Contributors | Vamshi Namilikonda      | vamshi.nemalikonda  | vn00480215@techmahindra.com       | Pune, India
Contributors | Manjunath Ranganathaiah | mrangana            | manjunath.ranganathaiah@intel.com | Santa Clara, CA, USA
Contributors | Ning Sun                | ningsun             | ning.sun@intel.com                | Santa Clara, CA, USA