From 0c3c68ba16c8c1953247776e48072ff7668a7b02 Mon Sep 17 00:00:00 2001 From: Aleksandra Maciaga Date: Wed, 6 May 2020 15:19:19 +0200 Subject: Update CertService Introduction Documentation Issue-ID: AAF-1091 Signed-off-by: Aleksandra Maciaga Change-Id: Ica4596e08648b49782316be48769395223a15397 --- docs/sections/architecture.rst | 28 +++++++++++++++++++--------- 1 file changed, 19 insertions(+), 9 deletions(-) (limited to 'docs/sections/architecture.rst') diff --git a/docs/sections/architecture.rst b/docs/sections/architecture.rst index c70dd56d..1a5b3687 100644 --- a/docs/sections/architecture.rst +++ b/docs/sections/architecture.rst 
@@ -6,14 +6,24 @@ Architecture ============ -The micro-service called CertService is designed for requesting certificates -signed by external Certificate Authority (CA) using CMP over HTTP protocol. It uses CMPv2 client to send and receive CMPv2 messages. -CertService's client will be also provided so other ONAP components (aka end components) can easily get certificate from CertService. -End component is an ONAP component (e.g. DCAE collector or controller) which requires certificate from CMPv2 server -to protect external traffic and uses CertService's client to get it. -CertService's client communicates with CertService via REST API over HTTPS, while CertService with CMPv2 server via CMP over HTTP. - -.. image:: resources/certservice_high_level.jpg +Interaction between components +------------------------------ + +.. image:: resources/certservice_high_level.png :width: 855px - :height: 178px + :height: 223px :alt: Interaction between components + + +Simplified certificate enrollment flow +-------------------------------------- + +.. image:: resources/certService_cert_enrollment_flow.png + :width: 1191px + :height: 893px + :alt: Simplified certificate enrollment flow + +Security considerations +----------------------- + +CertService's REST API is protected by mutual HTTPS, meaning server requests client's certificate and **authenticate** only requests with trusted certificate. After ONAP default installation only certificate from CertService's client is trusted. **Authorization** isn't supported in Frankfurt release. \ No newline at end of file -- cgit 1.2.3-korg
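Review bot: The hunk drops the whole introductory description of CertService (CMPv2 client towards the external CA, CertService client for end components, REST API over HTTPS) without adding a replacement, so the "Architecture" section now opens directly with an image under "Interaction between components" and never states what the micro-service does or which protocol runs on each leg; keep a short version of the removed paragraph above the new sub-heading. In the added "Security considerations" paragraph, fix the grammar and tighten the wording, e.g. "the server requests the client's certificate and **authenticates** only requests presenting a trusted certificate. After a default ONAP installation only the CertService client's certificate is trusted." Since the same paragraph states that **Authorization** isn't supported in Frankfurt, it would help operators to spell out the consequence: any holder of a certificate in CertService's trust store can call every endpoint, so the CertService client key and the trust store contents are the effective access-control boundary. Minor: the file still ends without a trailing newline ("\ No newline at end of file"), and the hard-coded :width:/:height: values will have to be updated again whenever the PNGs change; consider dropping :height: and keeping only :width: (or :scale:).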