Understanding Why CMPv2 and X.509 Certificates are Essential for Secured Communication in ONAP

Explore the significance of CMPv2 and X.509 certificates for establishing secured communication within the ONAP ecosystem. Learn about the challenges faced in ONAP Istanbul and the role of TLS in ensuring privacy, data integrity, and authentication between network functions and ONAP components.

• CMPv2 Overview
• X.509 Certificates
• ONAP Security
• TLS Protocol
• Network Communication

clint Follow

Uploaded on Aug 05, 2024 | 0 Views

Download Presentation

Please find below an Image/Link to download the presentation.

The content on the website is provided AS IS for your information and personal use only. It may not be sold, licensed, or shared on other websites without obtaining consent from the author. Download presentation by click this link. If you encounter any issues during the download, it is possible that the publisher has removed the file from their server.

Presentation Transcript

1. s CMPv2 support in ONAP Pawel Baniewski

2. Agenda Why CMPv2? Context X.509 certificate TLS overview CMPv2 overview CMPv2 support in ONAP Istanbul challenges

3. Why CMPv2? Network functions need X.509 certificates (1) to establish secured communication (2) with ONAP 3GPP defines CMPv2 (3) as target method to enroll X.509 certificates (3GPP TS 33.310) Solution: Enroll certificates from organization`s CMPv2 server to: Network functions ONAP Bordering components (DCAE collectors and controllers)

4. X.509 certificate X.509 certificate electronic document used to prove the ownership of a public key Includes information about: the key, validity, identity of its owner (called the subject), digital signature of an entity that has verified the certificate's contents (called the issuer).

5. TLS overview (1/4) Transport Layer Security (TLS) is a cryptographic protocol designed to provide communications security over a computer network. It is widely used in HTTPS, email, instant messaging and voice over IP The TLS protocol aims primarily to provide privacy and data integrity between a client (e.g., a web browser) and a server (e.g., ONAP portal) Two versions currently used: TLS 1.2 defined in RFC 5246 TLS 1.3 defined in RFC 8446

6. TLS overview (2/4) Connections secured by TLS should assure one or more of the following properties: privacy data is encrypted during transmission using symmetric-key algorithm (keys are generated uniquely for each connection based on a shared secret that was negotiated at the start of the session) authentication identity of communicating parties can be checked using X.509 certificates. This authentication is required for the server and optional for the client. reliability each message transmitted includes a message integrity check using a message authentication code

7. TLS overview (3/4) TLS 1.2 handshake

8. TLS overview (4/4) TLS 1.2 handshake with client identity check (aka mutual TLS)

9. CMPv2 overview Certificate Management Protocol version 2 (CMPv2) is an Internet protocol used for obtaining X.509 digital certificates Defined in RFC 4210 Updated by RFC 6712 (CMP over HTTP) CMPv2 specifies following features: Certificate enrollment Certificate update Own certificate revocation Cross certification request Key pair recovery

10. CMPv2 support in ONAP (1/5) CMPv2 support was added by Nokia and Ericsson to ONAP in Frankfurt release and enhanced by Nokia in Guilin and Honolulu release Certificates from CMPv2 server are mainly meant to protect external* ONAP traffic, so traffic between network functions (xNFs) and ONAP Internal ONAP traffic still uses certificates from AAF Agent (CertMan) * there is no technical obstacle to use certificates from CMPv2 server also for internal traffic

11. CMPv2 support in ONAP (2/5) CMPv2 support in ONAP (Frankfurt and Guilin) consists of 2 components: CertService (server) CertService client A single CertService (server) instance is expected to be deployed, and CertService client(s) are expected to be used as init containers within Pods of certain ONAP Bordering components For testing/validation purpose open source CMPv2 server (EJBCA) is provided

12. CMPv2 support in ONAP (3/5) Starting from Honolulu release Cert-Manager is a part of K8s PaaS for ONAP Cert-Manager is a native Kubernetes certificate management controller It can help with issuing certificates from a variety of sources, such as Let s Encrypt, HashiCorp Vault, Venafi, a simple signing key pair or self signed But it doesn t support CMPv2 It ensures certificates are valid and up to date, and attempt to renew certificates at a configured time before expiry

13. CMPv2 support in ONAP (4/5) Together with ONAP Honolulu, plugin for Cert-Manager (officially called CMPv2 external issuer) is deployed which extends Cert-Manager with the ability to enroll certificates using CMPv2 protocol Legacy way (via Init container) is still supported

14. CMPv2 support in ONAP (5/5) DCAE collectors (VES, HV-VES (RTPM use case) && DFC (BulkPM use case) and SDNC (NetConf over TLS use case) are able to acquire certificate from CMPv2 server The same CMPv2 message (Initialization Request (IR)) is used currently in ONAP to get and update certificate This is not inline with RFC and will be addressed in Istanbul release

15. Istanbul challenges Istanbul CMPv2 enhancements: Usage of CertService client as init container will be deprecated Certificate update using proper CMPv2 messages: Certificate Request (CR) and Key Update Request (KUR)