From 94f1c9730e4aa28521906649a906742911782dd8 Mon Sep 17 00:00:00 2001 From: Joanna Jeremicz Date: Wed, 14 Jul 2021 16:18:00 +0200 Subject: Update RTD with certificate update use case - Update change log and release notes - Update "How to use" page Issue-ID: OOM-2754 Signed-off-by: Joanna Jeremicz Change-Id: I32b34bdf37142f5bc8b62fe96248c29b349e541a --- certServiceClient/version.properties | 2 +- docs/sections/introduction.rst | 6 +- docs/sections/release-notes.rst | 133 +++++++++++++++++++++++++++++++++-- docs/sections/usage.rst | 29 ++++++++ version.properties | 4 +- 5 files changed, 162 insertions(+), 12 deletions(-) diff --git a/certServiceClient/version.properties b/certServiceClient/version.properties index 29a89d0c..c5515fc9 100644 --- a/certServiceClient/version.properties +++ b/certServiceClient/version.properties @@ -1,6 +1,6 @@ major=2 minor=3 -patch=2 +patch=3 base_version=${major}.${minor}.${patch} release_version=${base_version} snapshot_version=${base_version}-SNAPSHOT diff --git a/docs/sections/introduction.rst b/docs/sections/introduction.rst index 023066b8..e46e207c 100644 --- a/docs/sections/introduction.rst +++ b/docs/sections/introduction.rst 
@@ -31,10 +31,12 @@ Functionality In Frankfurt release only `Initialization Request `_ with `ImplicitConfirm `_ is supported. -Request sent to CMPv2 server is authenticated by secret value (initial authentication key) and reference value (used to identify the secret value) as described in `RFC-4210 `_. +Istanbul release includes also support for `Key Update Request and Certification Request `_ +Initialization Request and Certification Request sent to CMPv2 server are authenticated by secret value (initial authentication key) and reference value (used to identify the secret value) as described in `RFC-4210 `_. +Key Update Request uses `signature protection `_ so old certificate and private key are needed to authenticate the request. Security considerations ----------------------- -CertService's REST API is protected by mutual HTTPS, meaning server requests client's certificate and **authenticate** only requests with trusted certificate. After ONAP default installation only certificate from CertService's client is trusted. **Authorization** isn't supported in Frankfurt release. \ No newline at end of file +CertService's REST API is protected by mutual HTTPS, meaning server requests client's certificate and **authenticate** only requests with trusted certificate. After ONAP default installation only certificate from CertService's client is trusted. **Authorization** isn't supported in Frankfurt release. diff --git a/docs/sections/release-notes.rst b/docs/sections/release-notes.rst index 8b2536fc..7d418211 100644 --- a/docs/sections/release-notes.rst +++ b/docs/sections/release-notes.rst 
@@ -7,13 +7,132 @@ OOM Certification Service Release Notes *************************************** +.. contents:: + :depth: 2 +.. + +Version: 2.4.0 [not released yet] +================================= + Abstract -======== +-------- + +This document provides the release notes for the Istanbul release. + +Summary +------- + +Certificate update use case is now available. For details go to: +:ref:`How to use instructions` + +Release Data +------------ + ++--------------------------------------+---------------------------------------------------------------------------------------+ +| **Project** | OOM | +| | | ++--------------------------------------+---------------------------------------------------------------------------------------+ +| **Docker images** | * onap/org.onap.oom.platform.cert-service.oom-certservice-api:2.4.0 | +| | * onap/org.onap.oom.platform.cert-service.oom-certservice-post-processor:2.4.0 | +| | * onap/org.onap.oom.platform.cert-service.oom-certservice-k8s-external-provider:2.4.0| +| | | ++--------------------------------------+---------------------------------------------------------------------------------------+ +| **Release designation** | Istanbul | +| | | ++--------------------------------------+---------------------------------------------------------------------------------------+ + + +New features +------------ + +- `OOM-2754 `_ Implement certificate update in CMPv2 external issuer + +- `OOM-2753 `_ Implement certificate update in CMPv2 CertService + +- `OOM-2744 `_ Remove CertService Client mechanism from ONAP + +- `OOM-2649 `_ Update contrib/ejbca to 7.x + +**Bug fixes** + +- `OOM-2771 `_ Fix CertificateRequest resource was not found issue in CMPv2 external issuer + +- `OOM-2764 `_ Fix sonar issues in CertService + +**Known Issues** + +None + +Deliverables +------------ + +Software Deliverables +~~~~~~~~~~~~~~~~~~~~~ +Docker images mentioned in Release Date section. 
+ +Documentation Deliverables +~~~~~~~~~~~~~~~~~~~~~~~~~~ + +- :ref:`CMPv2 certificate provider description ` + +Known Limitations, Issues and Workarounds +----------------------------------------- + +System Limitations +~~~~~~~~~~~~~~~~~~ + +Any known system limitations. + + +Known Vulnerabilities +~~~~~~~~~~~~~~~~~~~~~ + +Any known vulnerabilities. + + +Workarounds +~~~~~~~~~~~ + +Any known workarounds. + + +Security Notes +-------------- + +**Fixed Security Issues** + +None + +**Known Security Issues** + +None + + +Test Results +------------ +Not applicable + + +References +---------- + +For more information on the ONAP Istanbul release, please see: + +#. `ONAP Home Page`_ +#. `ONAP Documentation`_ +#. `ONAP Release Downloads`_ +#. `ONAP Wiki Page`_ + +Version: 2.3.3 +============== + +Abstract +-------- This document provides the release notes for the Honolulu release. Summary -======= +------- Certification Service provides certificates signed by external CMPv2 server - such certificates are further called operators certificates. Operators certificates are meant to secure external ONAP traffic - traffic between network functions (xNFs) and ONAP. @@ -21,7 +140,7 @@ This project was moved from Application Authorization Framework (AAF), to check Release Data -============ +------------ +--------------------------------------+---------------------------------------------------------------------------------------+ | **Project** | OOM | @@ -72,10 +191,10 @@ Docker images mentioned in Release Date section. Documentation Deliverables ~~~~~~~~~~~~~~~~~~~~~~~~~~ -- :doc:`CMPv2 certificate provider description ` +- :ref:`CMPv2 certificate provider description ` Known Limitations, Issues and Workarounds -========================================= +----------------------------------------- System Limitations ------------------ 
@@ -108,12 +227,12 @@ None Test Results -============ +------------ Not applicable References -========== +---------- For more information on the ONAP Honolulu release, please see: diff --git a/docs/sections/usage.rst b/docs/sections/usage.rst index 3031f364..cd48b55a 100644 --- a/docs/sections/usage.rst +++ b/docs/sections/usage.rst @@ -2,6 +2,8 @@ .. http://creativecommons.org/licenses/by/4.0 .. Copyright 2020-2021 NOKIA +.. _cmpv2_cert_provider: + How to use functionality ========================= Common information how to use CMPv2 certificate provider described below @@ -38,6 +40,7 @@ Here is a definition of a *CMPv2Issuer* provided with ONAP installation: url: https://oom-cert-service:8443 healthEndpoint: actuator/health certEndpoint: v1/certificate + updateEndpoint: v1/certificate-update caName: RA certSecretRef: name: cmpv2-issuer-secret 
@@ -146,3 +149,29 @@ Here is an example of generated *secret* containing certificates: keystore.jks: 3786 bytes <-- Certificate and Private Key (JKS) keystore.p12: 4047 bytes <-- Certificate and Private Key (P12) +.. _how_to_use_certificate_update: + +Certificate update +------------------------------ + +When the certificate already exists, but its date has expired or certificate data should be changed, then the certificate update scenario can be executed. +This use case requires the update endpoint configured for *CMPv2Issuer* CRD: + +.. code-block:: yaml + + ... + certEndpoint: v1/certificate + updateEndpoint: v1/certificate-update + caName: RA + ... + +If *updateEndpoint* field is not present or empty, then *certEndpoint* will be used (regular initial request instead of update) to get the certificate and this event will be logged. +This behavior comes from releases prior to 2.4.0, when the certificate update feature was not implemented. To be able to perform the certificate update scenario, +make sure the updateEndpoint is present in *CMPv2Issuer* CRD. + +There are two possible types of requests when a certificate needs to be updated: Key Update Request (KUR) and Certification Request (CR). +Certification Service internally compares the old and new certificates fields. When they are equal, KUR request is sent. +If there is a difference, the type of request is CR. + +There is a difference between CR and KUR in terms of the request authentication. Certificate Request uses IAK/RV mechanism, while KUR uses signature protection. +The old certificate and the old private key are required to be sent in the headers of the update request. diff --git a/version.properties b/version.properties index c5515fc9..c0f75b6a 100644 --- a/version.properties +++ b/version.properties @@ -1,6 +1,6 @@ major=2 -minor=3 -patch=3 +minor=4 +patch=0 base_version=${major}.${minor}.${patch} release_version=${base_version} snapshot_version=${base_version}-SNAPSHOT -- cgit 1.2.3-korg
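Review bot: in the certServiceClient/version.properties hunk, the client version is bumped from 2.3.2 to 2.3.3 while the release notes in the same change list OOM-2744 "Remove CertService Client mechanism from ONAP" as a new feature and the 2.4.0 Docker images table lists no client image; state in the release notes whether the client is deprecated or removed in 2.4.0, otherwise a version bump on a component the notes say is being removed is confusing.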
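Review bot: the sentence added in the introduction.rst hunk, "Istanbul release includes also support for `Key Update Request and Certification Request`_", has no terminating period and reads better as "The Istanbul release also includes support for ...". The last line of the same hunk is re-emitted only to add a trailing newline and still says "**Authorization** isn't supported in Frankfurt release"; since the hunk now documents Istanbul behaviour, say whether that limitation still holds in Istanbul rather than leaving a Frankfurt-only statement next to Istanbul text.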
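Review bot: in the first release-notes.rst hunk (the new 2.4.0 section) the System Limitations, Known Vulnerabilities and Workarounds subsections still carry template text ("Any known system limitations.", "Any known vulnerabilities.", "Any known workarounds."); replace each with "None", as the Security Notes subsection already does, or with the actual items, otherwise a reader cannot tell an empty list from an unwritten one. In the same hunk, "Docker images mentioned in Release Date section." refers to the section titled "Release Data", and the bare ".." line after the ".. contents::" directive is an empty comment that looks like a leftover.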
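Review bot: in the usage.rst "Certificate update" hunk, the fallback paragraph ("If *updateEndpoint* field is not present or empty, then *certEndpoint* will be used ... and this event will be logged") should name the log level and the logged message, because an operator whose *CMPv2Issuer* CRD predates 2.4.0 will otherwise get a fresh initial request instead of an update without noticing; a warning-level entry an operator can alert on is the useful detail here. The final sentence, "The old certificate and the old private key are required to be sent in the headers of the update request", should document which header names carry them and in what encoding, and should point to the mutual-HTTPS protection of the REST API described in introduction.rst so readers know what transport protection applies to a request that carries a private key. Minor points: "Certificate Request uses IAK/RV mechanism" uses a different name than "Certification Request (CR)" two sentences earlier, so pick one; "the old and new certificates fields" should read "certificate fields"; and the underline below "Certificate update" is longer than the title, whereas the rest of the file uses equal length.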