diff options
| author |   Krzysztof Opasiak <k.opasiak@samsung.com> | 2019-05-27 20:43:09 +0200 |
|---|---|---|
| committer | Krzysztof Opasiak <k.opasiak@samsung.com> | 2019-05-27 20:43:09 +0200 |
| commit | b891bf5b4e365e2f0cc77b22ee6a2276789e6adf (patch) | |
| tree | e714e23b41f6ce4e76ec6e6c48e6e4c6643e29de | |
| parent | 082be1a805d268bb4ae01dc75a8e63da082504ac (diff) | |
Improve security release notes
In order to provide users with more details of project's state in
terms of security let's divide the security release notes into three
sections:
- Fixed Security Issues
Contains a list of security fixes merged during this
release (especially those reported via OJSI tickets).
- Known Security Issues
Contains a list of vulnerabilities detected in project during
release which have not been fixed yet and thus should be mitigated
by the user.
- Known Vulnerabilities in Used Modules
Contains information about NexusIQ scan results
Issue-ID: SECCOM-238
Signed-off-by: Krzysztof Opasiak <k.opasiak@samsung.com>
Change-Id: I07a057dd5bdec7a2d3ad42be854faa9c8abd38e0
| -rwxr-xr-x | docs/releasenotes/releasenotes.rst | 35 |
1 files changed, 21 insertions, 14 deletions
diff --git a/docs/releasenotes/releasenotes.rst b/docs/releasenotes/releasenotes.rst index 5b656b6..1d5a460 100755 --- a/docs/releasenotes/releasenotes.rst +++ b/docs/releasenotes/releasenotes.rst @@ -42,29 +42,36 @@ Many other changes and improvement are listed in JIRA: **Security Notes** +*Fixed Security Issues* + NBI has been improved to reduce signs of vulnerabilities, especially by migrating from Springboot 1.x to Springboot 2 and using ONAP Parent pom.xml -Warning: NBI exposes non TLS API endpoint on port 30274, meaning full plain text exchange with NBI API. -TLS configuration, with ONAP Root CA signed certificate will be proposed in El Alto. +*Known Security Issues* + +- `OJSI-136 <https://jira.onap.org/browse/OJSI-136>`_ - In default deployment EXTAPI (nbi) exposes HTTP port 30274 outside of cluster. + NBI exposes non TLS API endpoint on port 30274, meaning full plain text exchange with NBI API. + TLS configuration, with ONAP Root CA signed certificate will be proposed in El Alto. + + As a workaround it is quite easy to add HTTPS support to NBI by configuring SSL and activating strict https. + Presuming you have a valid JKS keystore, with private key and a signed certificate: -As a workaround it is quite easy to add HTTPS support to NBI by configuring SSL and activating strict https. -Presuming you have a valid JKS keystore, with private key and a signed certificate: + :: -:: + src/main/resources/application.properties - src/main/resources/application.properties + :: -:: + # tls/ssl + server.ssl.key-store-type=JKS + server.ssl.key-store=classpath:certificate/yourkeystore.jks + server.ssl.key-store-password=password + server.ssl.key-alias=youralias - # tls/ssl - server.ssl.key-store-type=JKS - server.ssl.key-store=classpath:certificate/yourkeystore.jks - server.ssl.key-store-password=password - server.ssl.key-alias=youralias + # disable http and activate https + security.require-ssl=true - # disable http and activate https - security.require-ssl=true +*Known Vulnerabilities in Used Modules* - `Dublin Vulnerability Report <https://wiki.onap.org/pages/viewpage.action?pageId=51282484>`_ |