Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

Sylvain is acting PTL in OOM.

For the only HTTP port exposed - action Amy – to contact PTL Bharath. - no OJSI ticket assigned as it should have appeared after our scans or component was not responding at the scanning moment. No value to open an additional tickets. MUSIC team should either: remove http, switch to https or ask for a waiver with justification.

To approach David to check who would open Jira tickets per project for package upgrades.

Jira No
SummaryDescriptionStatusSolution

New Notary v2 project - address container image signing

Tero shared info about this new project

In general it aims at validation of container images.

Notary v2 use  cases: https://github.com/notaryproject/requirements/blob/master/scenarios.md

Industry telcom part is missing as contributor.

According to lastest ETSI NFV specs containers could be also signed by the operator.

OCI artefacts project aiming for modyfying image registry so that helm charts could be stored.




TSC logging presentation – discussion point

20_04_30_ONAPLoggingGuilin_V1.pptxONAP project use of Logging

TSC logging presentation – discussion point

vF2F summary

Synch meeting with Requirements Subcommittee 

We missed the one on 27th of April to present SECCOM requirements for Guilin release – next meeting is sccheduled on May 11th.Latest feedback received from Integration teamPTLs meeting update (27th of April)Scorecard for requirement req-223

David proposed to descope this requirement.

Progress is minor but SECCOM porposes to keep this requirement as in scope.

Tony - to update scoorecard with green status and comment on minor but positive direction

TSC decision is needed, so proposal to be sent to TSC.

Comments collection by  29th of April COB.


Hardcoding certificates in docker images

PKI - public certificate that is signed by the Certificate Authority.

AAF contains hardcoded trust store. According to Krzysztof this is a security issue as root CA in ONAP is already compromised. By default none of the ONAP images should trust that CA. Only If user is deploying ONAP for testing, in lab environemnt, it is fine to use that. 

A lot of components use AAF hardcoded certificate.

Trust store that is in the AAF agent image should be removed from that image and placed in the OOM as a resource and delivered in the image at the deployment time. 







We need to have an agreement from projects. This proposal to be presented at the PTLs call.


vF2F summary

We discussed about removing passwords in Guilin release, On eof the issues is removing hardcoded certificates and obviously passwords to unclock those certificates. We decied continue using AAF as an official way of retrieveing certificates. but we strongly recommen using of common template intead of doing helm chart on your own so that is it much easier to switch taht in the future, if we decide to do so. 

Good perception of package upgrade strategy. Jira tickets under creation.

CMPv2: several mechanisms to retrieve certificats (one internal and one external). Planning to integrated CMPv2 with DCAE. CErtificate update use case will be added. Enhancements to the Client like configurable format of the output artefacts: P12 and time format support.

SDNC update for 3 patches merge on CMPv2.

CNTT allignment meeting. CIS benchmark test shared.








Jira tickets under creation.




Adam to help Gerard.


Synch meeting with Requirements Subcommittee 

Synch meeting with Requirements Subcommittee – we missed the one on 27th of April to present SECCOM requirements for Guilin release – next meeting is sccheduled on May 11th. CMPv2 requirements will be presented by Pawel on to the Requirements Subcommittee. 


CII Badging requirement 

Jira tickets to be created info to be shared with Krzysztof.





 OUR NEXT SECCOM MEETING CALL WILL BE HELD ON 5th OF MAY'20.


...

View file
name2020-04-28_SECCOM_week.mp4
height150

View file
name2020-04-28 ONAP Security Meeting - AgendaAndMinutes.pptx
height150