Project Name:
- Proposed name for the project: Certificate and Secret Management Service
- Proposed name for the repository: csm
...
- [csm] Team ONAP7, Thu. UTC 04:00 / Thu. China 12:00 / Wed Eastern 23:00 / Wed Pacific 20:00
- Slides presented at Beijing Developer Forum, Santa Clara.
Project description:
This project proposal addresses two areas of the ONAP deployment structure from a security perspective.
- Secure communication between microservices.
  - Current state and need
    - ONAP consists of multiple microservices which talk to each other.
    - There are two types of communication:
      - REST API based communication.
      - DMaaP publish/subscribe based communication.
    - Since the communication is mostly over HTTP, there is a need to protect services from:
      - Bad actors stealing the data on the wire.
      - Receiving messages from bad actors.
  - Requirement:
    - Enable TLS 1.2+ for securing communication among the services. Java and Python libraries do support this functionality, but easy certificate provisioning is required for mutual TLS. This project aims to simplify PKI certificate provisioning via a simple and secure CA service that stores private keys (the CA private key at the CA, and the private keys of user certificates) securely using hardware security.
- Storage of sensitive information such as passwords.
  - Current state and gaps
    - Many services in ONAP use password based authentication, e.g. database servers, publish/subscribe brokers, etc.
    - Passwords are stored in plain text files in many services.
    - With multiple instances of these services, the attack surface becomes very large.
    - Hence there is a need to ensure that the attack surface related to password exposure is reduced.
  - Requirement:
    - Need for secure secret management. Services are expected to get a secret only on an as-needed basis using a secret reference, and to remove the secret once it has been used.
...
The diagram below illustrates how a microservice uses the Secret Client Agent to talk to the Secret Service to store or retrieve passwords.
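The following is an added illustration of the secret-reference flow described above (services hold only a reference, fetch the secret on demand through the client agent, and wipe it after use); it is example code written for this page, not the project's own. The in-memory SecretService, the `sms://domain/name` reference syntax and the constructed sample secret are all assumptions made for the example.

```python
"""Secret-reference pattern: config carries a reference, the agent resolves it
only inside a scoped block, and the plaintext is wiped when the block exits.
SecretService is a constructed in-memory stand-in for the secret service backend;
the 'sms://' reference scheme is assumed for this example (not the project's format)."""
from contextlib import contextmanager
from dataclasses import dataclass, field


@dataclass
class SecretService:
    """Constructed stand-in: keeps secrets server-side and records every
    retrieval (caller, reference) so access is attributable and auditable."""
    _store: dict = field(default_factory=dict)
    access_log: list = field(default_factory=list)

    def put(self, ref: str, value: bytes) -> None:
        self._store[ref] = bytes(value)

    def get(self, ref: str, caller: str) -> bytes:
        self.access_log.append((caller, ref))
        if ref not in self._store:
            raise KeyError(f"unknown secret reference {ref!r}")
        return self._store[ref]


class SecretClientAgent:
    """Client-side agent: fetches a secret by reference into a mutable buffer
    and zeroises that buffer when the caller is done, even if an error occurs."""

    def __init__(self, service: SecretService, caller: str):
        self._service = service
        self._caller = caller

    @contextmanager
    def with_secret(self, ref: str):
        if not ref.startswith("sms://"):          # assumed reference scheme
            raise ValueError(f"not a secret reference: {ref!r}")
        buf = bytearray(self._service.get(ref, self._caller))
        try:
            yield buf
        finally:
            buf[:] = bytes(len(buf))              # overwrite plaintext in place


def connect_with_reference(agent: SecretClientAgent, config: dict) -> tuple:
    """Simulated DB login: config holds 'db_password_ref', never the password.
    Returns (connected, buffer) so the caller can verify the wipe afterwards."""
    with agent.with_secret(config["db_password_ref"]) as pw:
        connected = pw == b"s3cr3t-db-pass"       # stand-in for the real login
        leftover = pw                             # same object, wiped on exit
    return connected, leftover
```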
SoftHSMv2 + TPM2-Plugin
This project provides SoftHSMv2 with extended capabilities to leverage TPM 2.0 hardware to generate RSA/ECC key pairs and to import keys generated outside the TPM 2.0 module. This is achieved by modifying SoftHSMv2, adding an adapter layer between SoftHSMv2 and the TPM2-Plugin.
The Bullseye coverage tool is used to measure code coverage.
Architecture Alignment:
CSM is a common service across ONAP components.
...
Release Components Name:
Component Name | Component Repository Name | Maven Group ID | Component Description
---|---|---|---
sms | aaf/sms | org.onap.aaf.sms | Secret Management Service that will contain the webservice as well as client code for managing and accessing secrets. |
sshsm | aaf/sshsm | org.onap.aaf.sshsm | A repository for softhsm modifications and hardware security plugin |
Resources committed to the Release:
...
Role | First Name Last Name | Linux Foundation ID | Email Address | Location
---|---|---|---|---
PTL | Kiran Kamineni | kirankamineni | kiran.k.kamineni@intel.com | Santa Clara, CA
Committers | Kiran Kamineni | kirankamineni | kiran.k.kamineni@intel.com | Santa Clara, CA
 | Girish Havaldar | giri | hg0071052@techmahindra.com | Bangalore, India
Contributors | Vamshi Namilikonda | vamshi.nemalikonda | vn00480215@techmahindra.com | Pune, India
 | Manjunath Ranganathaiah | mrangana | manjunath.ranganathaiah@intel.com | Santa Clara, CA, USA
 | Ning Sun | ningsun | ning.sun@intel.com | Santa Clara, CA, USA