author Krzysztof Opasiak <k.opasiak@samsung.com> 2019-05-27 20:43:09 +0200
committer Krzysztof Opasiak <k.opasiak@samsung.com> 2019-05-27 20:43:09 +0200
commit b891bf5b4e365e2f0cc77b22ee6a2276789e6adf (patch)
tree e714e23b41f6ce4e76ec6e6c48e6e4c6643e29de
parent 082be1a805d268bb4ae01dc75a8e63da082504ac (diff)
Improve security release notes
In order to provide users with more details of project's state in terms of security let's divide the security release notes into three sections:

- Fixed Security Issues
  Contains a list of security fixes merged during this release (especially those reported via OJSI tickets).

- Known Security Issues
  Contains a list of vulnerabilities detected in project during release which have not been fixed yet and thus should be mitigated by the user.

- Known Vulnerabilities in Used Modules
  Contains information about NexusIQ scan results

Issue-ID: SECCOM-238
Signed-off-by: Krzysztof Opasiak <k.opasiak@samsung.com>
Change-Id: I07a057dd5bdec7a2d3ad42be854faa9c8abd38e0
-rwxr-xr-x docs/releasenotes/releasenotes.rst | 35
1 files changed, 21 insertions, 14 deletions
diff --git a/docs/releasenotes/releasenotes.rst b/docs/releasenotes/releasenotes.rst
index 5b656b6..1d5a460 100755
--- a/docs/releasenotes/releasenotes.rst
+++ b/docs/releasenotes/releasenotes.rst
@@ -42,29 +42,36 @@ Many other changes and improvement are listed in JIRA:
**Security Notes**
+*Fixed Security Issues*
+
NBI has been improved to reduce signs of vulnerabilities,
especially by migrating from Springboot 1.x to Springboot 2 and using ONAP Parent pom.xml
-Warning: NBI exposes non TLS API endpoint on port 30274, meaning full plain text exchange with NBI API.
-TLS configuration, with ONAP Root CA signed certificate will be proposed in El Alto.
+*Known Security Issues*
+
+- `OJSI-136 <https://jira.onap.org/browse/OJSI-136>`_ - In default deployment EXTAPI (nbi) exposes HTTP port 30274 outside of cluster.
+ NBI exposes non TLS API endpoint on port 30274, meaning full plain text exchange with NBI API.
+ TLS configuration, with ONAP Root CA signed certificate will be proposed in El Alto.
+
+ As a workaround it is quite easy to add HTTPS support to NBI by configuring SSL and activating strict https.
+ Presuming you have a valid JKS keystore, with private key and a signed certificate:
-As a workaround it is quite easy to add HTTPS support to NBI by configuring SSL and activating strict https.
-Presuming you have a valid JKS keystore, with private key and a signed certificate:
+ ::
-::
+ src/main/resources/application.properties
- src/main/resources/application.properties
+ ::
-::
+ # tls/ssl
+ server.ssl.key-store-type=JKS
+ server.ssl.key-store=classpath:certificate/yourkeystore.jks
+ server.ssl.key-store-password=password
+ server.ssl.key-alias=youralias
- # tls/ssl
- server.ssl.key-store-type=JKS
- server.ssl.key-store=classpath:certificate/yourkeystore.jks
- server.ssl.key-store-password=password
- server.ssl.key-alias=youralias
+ # disable http and activate https
+ security.require-ssl=true
- # disable http and activate https
- security.require-ssl=true
+*Known Vulnerabilities in Used Modules*
- `Dublin Vulnerability Report <https://wiki.onap.org/pages/viewpage.action?pageId=51282484>`_
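Review bot: the workaround block in this hunk writes a literal keystore password into `application.properties` (`server.ssl.key-store-password=password`) alongside `yourkeystore.jks` and `youralias` without saying any of them are placeholders; state explicitly that readers must substitute their own values and that the keystore password should be supplied from outside the packaged configuration (for example an environment variable or externalized Spring configuration) rather than stored in the properties file, otherwise the mitigation for the plain-text endpoint in OJSI-136 trades one exposure for a checked-in secret. A second point on the same block: the "Fixed Security Issues" paragraph in this hunk says NBI moved to Spring Boot 2, so the line `security.require-ssl=true` under `# disable http and activate https` should be verified against that version, because `security.require-ssl` is a Spring Boot 1.x property that Spring Boot 2 no longer honours (the HTTPS requirement is enforced from the security configuration instead); if that holds for NBI, the workaround as written enables HTTPS on the configured port but does not disable HTTP as the comment claims, and the note should either name the Spring Boot 2 equivalent or drop the "disable http" wording.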