summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorAleksandra Maciaga <aleksandra.maciaga@nokia.com>2020-05-06 15:19:19 +0200
committerBartosz Gardziejewski <bartosz.gardziejewski@nokia.com>2020-05-08 10:09:56 +0200
commit0c3c68ba16c8c1953247776e48072ff7668a7b02 (patch)
treed6f43bbd8aaa5e281db2da446cdf5a584c28eaf2
parent2639149f7f97ebf1c703b23d1aed17dad628bd64 (diff)
Update CertService Introduction Documentation
Issue-ID: AAF-1091 Signed-off-by: Aleksandra Maciaga <aleksandra.maciaga@nokia.com> Change-Id: Ica4596e08648b49782316be48769395223a15397
-rw-r--r--docs/index.rst1
-rw-r--r--docs/sections/architecture.rst28
-rw-r--r--docs/sections/configuration.rst4
-rw-r--r--docs/sections/introduction.rst33
-rw-r--r--docs/sections/release-notes.rst1
-rw-r--r--docs/sections/resources/certService_cert_enrollment_flow.pngbin0 -> 90932 bytes
-rw-r--r--docs/sections/resources/certservice_high_level.jpgbin24640 -> 0 bytes
-rw-r--r--docs/sections/resources/certservice_high_level.pngbin0 -> 20276 bytes
-rw-r--r--docs/sections/resources/cmpv2_context_view.pngbin0 -> 20201 bytes
9 files changed, 56 insertions, 11 deletions
diff --git a/docs/index.rst b/docs/index.rst
index d85e3656..1d86fe77 100644
--- a/docs/index.rst
+++ b/docs/index.rst
@@ -10,6 +10,7 @@ AAF Certification Service
:maxdepth: 2
:caption: Contents:
+ sections/introduction.rst
sections/architecture.rst
sections/build.rst
sections/offeredapis.rst
diff --git a/docs/sections/architecture.rst b/docs/sections/architecture.rst
index c70dd56d..1a5b3687 100644
--- a/docs/sections/architecture.rst
+++ b/docs/sections/architecture.rst
@@ -6,14 +6,24 @@
Architecture
============
-The micro-service called CertService is designed for requesting certificates
-signed by external Certificate Authority (CA) using CMP over HTTP protocol. It uses CMPv2 client to send and receive CMPv2 messages.
-CertService's client will be also provided so other ONAP components (aka end components) can easily get certificate from CertService.
-End component is an ONAP component (e.g. DCAE collector or controller) which requires certificate from CMPv2 server
-to protect external traffic and uses CertService's client to get it.
-CertService's client communicates with CertService via REST API over HTTPS, while CertService with CMPv2 server via CMP over HTTP.
-
-.. image:: resources/certservice_high_level.jpg
+Interaction between components
+------------------------------
+
+.. image:: resources/certservice_high_level.png
:width: 855px
- :height: 178px
+ :height: 223px
:alt: Interaction between components
+
+
+Simplified certificate enrollment flow
+--------------------------------------
+
+.. image:: resources/certService_cert_enrollment_flow.png
+ :width: 1191px
+ :height: 893px
+ :alt: Simplified certificate enrollment flow
+
+Security considerations
+-----------------------
+
+CertService's REST API is protected by mutual HTTPS, meaning server requests client's certificate and **authenticate** only requests with trusted certificate. After ONAP default installation only certificate from CertService's client is trusted. **Authorization** isn't supported in Frankfurt release. \ No newline at end of file
diff --git a/docs/sections/configuration.rst b/docs/sections/configuration.rst
index fc75d11b..43de0e43 100644
--- a/docs/sections/configuration.rst
+++ b/docs/sections/configuration.rst
@@ -154,7 +154,7 @@ Generating certificates for CertService and CertService Client
CertService and CertService client use mutual TLS for communication. Certificates are generated during CertService installation.
Docker mode:
-^^^^^^
+^^^^^^^^^^^^
Certificates are mounted to containers by docker volumes:
@@ -168,7 +168,7 @@ All certificates are stored in *certservice/certs* directory. To recreate certif
This will clear existing certs and generate new ones.
ONAP OOM installation:
-^^^^
+^^^^^^^^^^^^^^^^^^^^^^
Certificates are stored in secrets, which are mounted to pods as volumes. Both secrets are stored in *kubernetes/aaf/charts/aaf-cert-service/templates/secret.yaml*.
Secrets take certificates from *kubernetes/aaf/charts/aaf-cert-service/resources* directory. Certificates are generated automatically during building (using Make) OOM repository.
diff --git a/docs/sections/introduction.rst b/docs/sections/introduction.rst
new file mode 100644
index 00000000..0b7e8d1b
--- /dev/null
+++ b/docs/sections/introduction.rst
@@ -0,0 +1,33 @@
+.. This work is licensed under a Creative Commons Attribution 4.0 International License.
+.. http://creativecommons.org/licenses/by/4.0
+.. Copyright 2020 NOKIA
+.. _introduction:
+
+
+Introduction
+============
+
+Overview
+--------
+The micro-service called CertService is designed for requesting certificates signed by external Certificate Authority (CA) using CMP over HTTP protocol. It uses CMPv2 client to send and receive CMPv2 messages.
+
+CertService's client is also provided so other ONAP components (aka end components) can easily get certificate from CertService. End component is an ONAP component (e.g. DCAE collector or controller) which requires certificate from CMPv2 server to protect external traffic and uses CertService's client to get it.
+
+CertService's client communicates with CertService via REST API over HTTPS, while CertService with CMPv2 server via CMP over HTTP.
+
+To proof that CertService works Open Source CMPv2 server (EJBCA) is deployed and used in E2E tests.
+
+It is planned that Network Functions (aka xNFs) will get certificates from the same CMPv2 server and the same CA hierarchy, but will use own means to get such certificates. Cause xNFs and ONAP will get certificates signed by the same root CA and will trust such root CA, both parties will automatically trust each other and can communicate with each other.
+
+
+Context View
+------------
+
+.. image:: resources/cmpv2_context_view.png
+ :width: 533px
+ :height: 315px
+ :alt: CMPV2 Context View
+
+
+In Frankfurt release only `Initialization Request <https://tools.ietf.org/html/rfc4210#section-5.3.1>`_ with `ImplicitConfirm <https://tools.ietf.org/html/rfc4210#section-5.1.1.1>`_ is supported.
+Request sent to CMPv2 server is authenticated by secret value (initial authentication key) and reference value (used to identify the secret value) as described in `RFC-4210 <https://tools.ietf.org/html/rfc4210#section-4.2.1.2>`_.
diff --git a/docs/sections/release-notes.rst b/docs/sections/release-notes.rst
index 00b9e085..d01a84a8 100644
--- a/docs/sections/release-notes.rst
+++ b/docs/sections/release-notes.rst
@@ -15,6 +15,7 @@ Version: 1.0.1
The Frankfurt Release is the first release of the Certification Service.
+
**Bug Fixes**
- `AAF-1132 <https://jira.onap.org/browse/AAF-1132>`_ - CertService Client returns exit status 5 when TLS configuration fails
diff --git a/docs/sections/resources/certService_cert_enrollment_flow.png b/docs/sections/resources/certService_cert_enrollment_flow.png
new file mode 100644
index 00000000..6e070bfe
--- /dev/null
+++ b/docs/sections/resources/certService_cert_enrollment_flow.png
Binary files differ
diff --git a/docs/sections/resources/certservice_high_level.jpg b/docs/sections/resources/certservice_high_level.jpg
deleted file mode 100644
index 11466983..00000000
--- a/docs/sections/resources/certservice_high_level.jpg
+++ /dev/null
Binary files differ
diff --git a/docs/sections/resources/certservice_high_level.png b/docs/sections/resources/certservice_high_level.png
new file mode 100644
index 00000000..7cab5e88
--- /dev/null
+++ b/docs/sections/resources/certservice_high_level.png
Binary files differ
diff --git a/docs/sections/resources/cmpv2_context_view.png b/docs/sections/resources/cmpv2_context_view.png
new file mode 100644
index 00000000..85570cbe
--- /dev/null
+++ b/docs/sections/resources/cmpv2_context_view.png
Binary files differ