Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...


ONAP Security RefDescriptionNotes
CNTT RelevantExistsCNTT Ref#Current Description, if existsRecommended Description (may be a modification of existing)Notes
1SECCOM-103ONAP MUST implement and enforce the principle of least privilege on all protected interfaces.

YYsec.sys.007The Platform must implement controls enforcing separation of duties and privileges, least privilege use and least common mechanism (Role-Based Access Control)

2SECCOM-114ONAP MUST provide a mechanism (e.g., access control list) to permit and/or restrict access to services on ONAP by source, destination, protocol, and/or port.

YYmultiple
The Platform MUST provide a mechanism (e.g., access control list) to permit and/or restrict access to platform services by source, destination, protocol, and/or port.Propose adding this explicit
3SECCOM-115ONAP SHOULD provide a mechanism that enables the operators to perform automated system configuration auditing at configurable time intervals.

YN

The Platform SHOULD provide a mechanism that enables the operators to perform automated system configuration auditing at configurable time intervals.
4SECCOM-116ONAP SHOULD provide the capability for the Operator to run security vulnerability scans of the operating system and all application layers.

YN

The Platform SHOULD provide the capability for the Operator to run security vulnerability scans of the operating system and all application layers.

Proposal to modify "all application layers" by "Platform application layers" in order to exclude the workloads.

It can be added in System Hardening

5SECCOM-117ONAP SHOULD have source code scanned using scanning tools (e.g., Fortify) and provide reports.

N



Image, log files and other scanning included in CNTT Reqts
6SECCOM-118ONAP MUST have all code (e.g., QCOW2) and configuration files (e.g., HEAT template, Ansible playbook, script) hardened, or with documented recommended configurations for hardening and interfaces that allow the Operator to harden ONAP. Actions taken to harden a system include disabling all unnecessary services (eg, listening ports), removing unnecessary programs (eg. compilers, testing tools, password crackers, port scanners, sample programs) and changing default values.

YYsec.gen.004The Operating Systems of all the servers part of Cloud Infrastructure must be hardened by...
for relevant components
7SECCOM-119Traffic of the ONAP internal APIs MUST be possible to be isolated from traffic of the ONAP external APIs

YYsec.sys.001 to sec.sys.004

OSTK intrinsic
8SECCOM-119Network isolation capability between the traffic of different ONAP external APIs MUST be supported. The capability to isolate ONAP NBI traffic from all other external traffic MUST be supported. 

YY

sec.sys.004



sec.sys.005



sec.sys.002

The Cloud Infrastructure must support Secure network channels


The Cloud Infrastructure must segregate the underlay and overlay networks


The Platform must support Traffic Filtering for workloads (for example, Fire Wall)



9SECCOM-119All the ONAP network isolation mechanisms MUST be operator configurable.

NN



10SECCOM-120ONAP SHOULD support network segregation on ONAP internal interfaces: both between and inside the Kubernetes cluster(s). This means isolation of the internal APIs with different types of traffic (like: DB traffic, monitoring traffic, ...).The separation is realized e.g., using network namespaces and K8s network policies. It must be carefully considered if multiple applications can be deployed in one K8s cluster, if the network segregation by namespaces and policies alone is sufficient - or if separation to different machines / VMs is required for increased security.






11SECCOM-121ONAP SHOULD be compatible with HW assisted security technologies like HSM, secure enclaves, TPM / virtual TPM for protection of more critical data (like encryption keys, secrets).

Y

Y

Partial

sec.sys.012The Platform must only use secrets encrypted using strong encryption techniques, and stored externally from the component
  1. The Notes mentions Barbican. Should it mention HSM and TPM → It could  be added but in "should" recommendation. In RM→ Should reco to be added to refer to 7.6.5
  2. Should there be a similar requirement for workloads?
12SECCOM-122ONAP MUST have patches available for vulnerabilities in ONAP aligned with CII badging specifications of criticality & delivery time.Link to the CII requirement:  https://github.com/coreinfrastructure/best-practices-badge/blob/master/doc/criteria.md 
YY

sec.lcm.011





sec.lcm.017

The Platform must implement Security life cycle management processes including proactively update and patch all deployed Cloud Infrastructure software.


The Platform must Audit systems for any missing security patches and take appropriate actions



13SECCOM-123ONAP MUST support encrypted access protocols, following the current best practices in: https://wiki.onap.org/display/DW/Recommended+Protocols 

YY

sec.sys.003




sec.lcm.002

The Platform must support Secure and encrypted communications, and confidentiality and integrity of network traffic


Operational (Typo??) (Operations) must use management protocols limiting security risk such as SNMPv3, SSH v2, ICMP, NTP, syslog and TLS  v1.2 or higher.

Suggest Add another requirement:

The Platform must support encrypted access protocols such as TLS1.2 and newer or better.

→ Yes,described in 6.3.3.1

When using TLS protocols, the Platform must choose an encryption cipher that supports PFS. In the list of ciphers found in https://www.owasp.org/index.php/TLS_Cipher_String_Cheat_Sheet choose only ciphers in the A+, A or B category.


All web pages must be served over HTTPS and the HTTP Strict Transport Security (HSTS) policy must be preloaded on the browsers.


14SECCOM-124ONAP MUST store Authentication Credentials used to authenticate to other systems encrypted except where there is a technical need to store the password unencrypted in which case it must be protected using other security techniques that include, but are not limited to, the use of file and directory permissions.

YYsec.sys.012The Platform must only use secrets encrypted using strong encryption techniques, and stored externally from the component

15SECCOM-125For all GUI and command-line interfaces, ONAP MUST provide the ability to present a configurable warning notice. A warning notice is a formal statement of resource intent presented to everyone who accesses the system.

NN



16SECCOM-126ONAP MUST allow the Operator to disable or remove any security testing tools or programs included in ONAP, e.g., password cracker, port scanner.

NN



17SECCOM-127ONAP MUST define all the access points.

YYsec.sys.001

The Platform must support authenticated and secure APIs, API endpoints


The Platform must implement authenticated and secure access to GUI



18SECCOM-127ONAP MUST enforce authorization on all the access points, and/or give recommendations for the ONAP deployment to enforce in the Kubernetes platform and Rancher.

YYsec.sys.001The Platform must support authenticated and secure APIs, API endpoints

19SECCOM-128ONAP MUST log any security event required by ONAP Requirements to Syslog and give the user the ability to configure LOG_AUTHPRIV or LOG_AUTH as needed.can only know if it is a security event after analysis
YY

sec.gen.015




+

sec.mon.005, sec.mon.006

sec.mon.08 to sec.mon.12

Any change to the Platform must be logged as a security event, and the logged event must include the identity of the entity making the change, the change, the date and the time of the change.



multiple
20SECCOM-129ONAP MUST be operable without the use of Network File System (NFS).

N




21SECCOM-130ONAP MUST NOT contain any backdoors.

YN

PR#2081

New sec.sys.015:

The platform must not contain back door entries (unpublished access points, APIs, etc.)

Notes from RA1 meeting Oct. 19th:

Already tested by RC2

Nothing in OpenStack, but can be done

CIS benchmark?

22SECCOM-131If SNMP is utilized, ONAP MUST support the most recent secure version of SNMP with message authentication.

YYsec.lcm.002

general requirement to have latest security patches for all components
23SECCOM-132ONAP application processes MUST NOT run as root.

N



"OpenStack services generally run under a specific, unprivileged user. However, sometimes they need to run a command as root."

"All nodes wishing to run nova-rootwrap should contain a sudoers entry that lets the unprivileged user run nova-rootwrap as root, pointing to the root-owned rootwrap.conf configuration file."

24SECCOM-133Login access (e.g., shell access) to running instance of ONAP components, whether interactive or as part of an automated process, MUST be through an encrypted protocol such as SSH or TLS.

YNsec.lcm.002 partial coverage

PR#2081

New sec.sys.016:

Login access to the platform's components must be through encrypted protocols such as SSH v2 or TLS v1.2 or higher

Note: hardened jump servers isolated from external networks are recommended.

Notes from RA1 meeting Oct. 19th:

Https for OpenStack End Points, self signed certificates not allowed

->RA1 “should” or “must”?

Private EP/Public EP

Check the latest ONAP version

25SECCOM-134ONAP MUST, after a successful login at command line or a GUI, display the last valid login date and time and the number of unsuccessful attempts since then made with that user’s ID. This requirement is only applicable when the user account is defined locally in ONAP.

N



OSTK GUI (Horizon) provides this
26SECCOM-135ONAP MUST include a configuration that specifies the targetted parameters, e.g. a limited set of ports, over which ONAP run-time is accessed from (like: from ONAP design-time and ONAP north-bound interfaces).

N




27SECCOM-135ONAP MUST include a configuration that specifies the targetted parameters, e.g. a limited set of ports, over which ONAP design-time is accessed from (like: from ONAP north-bound interfaces).

N



OpenStack has default ports for each of its services
28SECCOM-136ONAP MUST support the creation of multiple unique IDs so that individual accountability can be supported.

N




29SECCOM-137ONAP MUST support a flexible mechanism to assign permissions to each user ID (human or system).

N



OpenStack RBAC where needed
30SECCOM-138Each ONAP component MUST support access restriction independently of other components.

YYsec.sys.001The Platform must support authenticated and secure access to API, GUI and command line interfaces.
OpenStack Intrinsic
31SECCOM-139ONAP MUST NOT allow the assumption of the permissions of another account to mask individual accountability. 

N

sec.sys.007


The Platform must implement controls enforcing separation of duties and privileges, least privilege use and least common mechanism (Role-Based Access Control).

sec.sys.007 does not cover  individual  accountability, but  is sufficient for a common set of requirements

32SECCOM-140ONAP MUST set the default settings for user access to deny authorization, except for a super user type of account. When ONAP is installed, nothing should be able to use it until the super user configures ONAP to allow other users (human and application) have access.

N




33SECCOM-141ONAP MUST support strong authentication, also known as multifactor authentication, on all protected interfaces exposed by ONAP for use by human users. Strong authentication uses at least two of the three different types of authentication factors in order to prove the claimed identity of a user.

removed

Although ONAP has removed shouldn't CNTT require it.

"Should" rather than "must"








34SECCOM-142ONAP MUST disable unnecessary or vulnerable cgi-bin programs.removed: covered by another requirement






35SECCOM-143ONAP MUST provide access controls that allow the Operator to restrict access to ONAP functions and data to authorized users.

YYsec.sys.007The Platform must implement controls enforcing separation of duties and privileges, least privilege use and least common mechanism (Role-Based Access Control)

36SECCOM-144ONAP MUST support OAuth 2.0 authorization using an external Authorization Server.

N



OpenStack Keystone API v3 supports OAUth1 and has an extension to support OAuth2.0


37SECCOM-145ONAP MUST, if not integrated with the Operator’s Identity and Access Management system, support configurable password expiration.

removed: Authentication is not in the scope of ONAP, but shall be externalized. And, Exception: the ONAP super-user default account. For this, no password expiration should be defined.

Although ONAP has removed shouldn't CNTT require it.

Integration with an external IAM is privileged, so it is not useful to adress this point



N



38SECCOM-146ONAP MUST support Role-Based Access Control to enforce least privilege.

YYsec.sys.007The Platform must implement controls enforcing separation of duties and privileges, least privilege use and least common mechanism (Role-Based Access Control)

39SECCOM-147ONAP MUST, if not integrated with the Operator’s Identity and Access Management system, comply with “password complexity” policy. When passwords are used, they shall be complex and shall at least meet the following password construction requirements: (1) be a minimum configurable number of characters in length, (2) include 3 of the 4 following types of characters: upper-case alphabetic, lower-case alphabetic, numeric, and special, (3) not be the same as the UserID with which they are associated or other common strings as specified by the environment, (4) not contain repeating or sequential characters or numbers, (5) not to use special characters that may have command functions, and (6) new passwords must not contain sequences of three or more characters from the previous password.

removed: Authentication is not in the scope of ONAP, but shall be externalized. And, Exception: the ONAP super-user default account. 

Although ONAP has removed shouldn't CNTT require it.

Already covered by sec.gen002 with the reference to  CIS Password Policy Guide, https://www.cisecurity.org/white-papers/cis-password-policy-guide,



Ysec.gen.002All systems part of Cloud Infrastructure must support password hardening as defined in CIS Password Policy Guide https://www.cisecurity.org/white-papers/cis-password-policy-guide.

40SECCOM-148ONAP MUST support deployment-time generation of passwords for internal components or applications which do not support certificate based authentication or external IdP.

?Ysec.sys.013The Platform must provide secrets dynamically as and when needed.

41SECCOM-149ONAP MUST, if not integrated with the Operator’s Identity and Access Management system, support the ability to disable the userID after a configurable number of consecutive unsuccessful authentication attempts using the same userID.

removed: Authentication is not in the scope of ONAP, but shall be externalized. And, Exception: the ONAP super-user default account. 

Although ONAP has removed shouldn't CNTT require it.

If we privilege an external IAM, it is not useful to adress this point








42SECCOM-150ONAP MUST, if not integrated with the Operator’s identity and access management system, authenticate all access to protected GUIs, CLIs, and APIs.removed: Is covered by the requirement SECCOM-143






43SECCOM-151ONAP MUST integrate with following standard identity provider protocols: LDAP, OpenID Connect and SAML authentication.

NY RA1


Per RA1 meeting Oct.19th

Not for RM,but relevant for RA

OpenStack supports integration with LDAP, OpenID and SAML

44SECCOM-152ONAP MUST have the capability of allowing the Operator to create, manage, and automatically provision user accounts using an Operator approved identity lifecycle management tool using a standard protocol.

removed: Authentication is not in the scope of ONAP, but shall be externalized. And, Exception: the ONAP super-user default account. For this, no password expiration should be defined.

Although ONAP has removed shouldn't CNTT require it.

Covered by sec.sys.006




sec.sys.006The Cloud Infrastructure must be able to utilize the Cloud Infrastructure Manager identity lifecycle management capabilities.

45SECCOM-153ONAP MUST support account names that contain at least A-Z, a-z, 0-9 character sets and be at least 6 characters in length.

removed: Authentication is not in the scope of ONAP, but shall be externalized. And, Exception: the ONAP super-user default account. For this, no password expiration should be defined.

Although ONAP has removed shouldn't CNTT require it.

Same as #41








46SECCOM-154For cases where ONAP is involved in the authentication process, eg LDAP: A failed authentication attempt MUST NOT identify the reason for the failure to the user, only that the authentication failed.

NN



47SECCOM-155ONAP MUST NOT display “Welcome” notices or messages that could be misinterpreted as extending an invitation to unauthorized users.

NN



48SECCOM-156ONAP MUST provide a means for the user to explicitly logout, thus ending that session for that authenticated user.

N



OpenStack Horizon including automatic logout
49SECCOM-157ONAP MUST enforce a configurable “terminate idle sessions” policy by terminating the session after a configurable period of inactivity. Access token represents a session.

N



currently under Recommendations – compliance with standards

Not for RM,

For CNTT, does it concern workloads or can it apply to the platform’s components?

50SECCOM-158ONAP SHOULD integrate with the Operator’s authentication and authorization services.

N




51SECCOM-159Each ONAP API MUST check the size (length) of all input. Do not permit an amount of input so great that it would cause the ONAP component to fail. Where the input may be a file, ONAP API must enforce a size limit.

N




52SECCOM-160Each ONAP API MUST NOT permit input that contains content or characters inappropriate to the input expected by the design. Inappropriate input, such as SQL expressions, may cause the system to execute undesirable and unauthorized transactions against the database or allow other inappropriate access to the internal network (injection attacks).

N




53SECCOM-161Each ONAP API MUST verify the format of the input files. No assumptions can be made based on MIME type nor file extension, other than indicating the expected type.

N




54SECCOM-162ONAP MUST be able to provide the ONAP related security events to an external system

YN

SECCOM-162 + SECCOM-182 + SECCOM-185

PR #2081

sec.mon.018

The platform, starting from initialization, must collect and analyze logs to identify security events, and store these events in an external system.

Requirements for collecting and analysis of logs, and corrective actions

1- Collect events

2- Analyze  and sort events, identify security events(ref?, list?)

3- Store event in a central external system

55SECCOM-162ONAP MUST be able to collect the security events from SW defined networks that it orchestrates

N



Knowing that something is a security event happens post-analysis
56SECCOM-163ONAP MUST support Integration functionality via API/Syslog/SNMP to SIEM.

N




57SECCOM-164ONAP MUST support API-based monitoring to take care of the scenarios where the control interfaces are not exposed, or are optimized and proprietary in nature.

removed: every ONAP application should support a healthcheck API. But that is not seen as security related.

Although ONAP has removed shouldn't CNTT require it.

Opinions?








58SECCOM-165ONAP MUST support detection of malformed packets, and generate an error message.

N




59SECCOM-166ONAP MUST support proactive monitoring to detect and report the attacks on resources so that ONAPs and associated VMs can be isolated, such as detection techniques for resource exhaustion, namely OS resource attacks, CPU attacks, consumption of kernel memory, local storage attacks.

YY

sec.mon.011

sec.mon.009



collection and analysis support this

Sec.mon.011 can be more precise

60SECCOM-167ONAP SHOULD operate with anti-virus software which produces alarms every time a virus is detected.







61SECCOM-168ONAP MUST protect all security audit logs (including API, OS and application-generated logs), security audit software, data, and associated documentation from any modification or unauthorized viewing. For example by OS access control mechanisms like file permissions, by sending to a remote system, or by encryption.

YYsec.mon.004The Platform must secure and protect Audit logs (contain sensitive information) both in-transit and at rest
multiple requirements
62SECCOM-169ONAP MUST at a minimum log the following: successful and unsuccessful authentication attempts, authentication associated with a transaction, authentication to create a session, authentication to assume elevated privilege.

YY

sec.mon.005








sec.mon.006

The Platform must Monitor and Audit various behaviours of connection and login attempts to detect access attacks and potential access attempts and take corrective actions accordingly


The Platform must Monitor and Audit operations by authorized account access after login to detect malicious operational activity and take corrective actions accordingly



63SECCOM-170ONAP MUST log logoffs

N




64SECCOM-171ONAP MUST log starting and stopping of security logging.

N




65SECCOM-172ONAP MUST log success and unsuccessful creation, removal, or change to the inherent privilege level of users.

YN


Requirement: Log privilege escalation
66SECCOM-173ONAP MUST log connections to the network listeners of the resource

N




67SECCOM-174ONAP MUST log the following fields in the security audit logs:
  -   event type
  -  date/time
  -  protocol
  -  service or program used for access
 -  success/failure
 -   Login ID
 -   source IP address


YN

PR#2081

Addition to Sec.mon.001

The platform’s components  must log the following fields in the security audit logs:

-   event type
  -  date/time
  -  protocol
  -  service or program used for access
 -  success/failure
 -   Login ID or process ID
 -   IP address and ports (source and destination) involved

Requirement to be added to list all mandatory fields part of a logged event


68SECCOM-175ONAP MUST NOT include an authentication credential, e.g., password, in any logs, even if encrypted.

YN

PR#2081

Sec.mon.019

The platform’s components must not include an authentication credential, e.g., password, in any logs, even if encrypted.

Requirement to be added
69SECCOM-176ONAP MUST detect when its security audit log storage medium is approaching capacity (configurable) and issue an alarm.

YYsec.mon.015The Platform must ensure that the Monitoring systems are never starved of resources.
sec.mon.015 can be enhanced
70SECCOM-177ONAP MUST support the capability of online storage of security audit logs

N




71SECCOM-178ONAP MUST activate security alarms automatically in following cases:
    - when a configurable number of consecutive unsuccessful login attempts is reached
    - when it detects the successful modification of a critical system or application file
    - when it detects an unsuccessful attempt to gain permissions or assume the identity of another user


N



Alarms not in CNTT scope
72SECCOM-179ONAP MUST include the following fields in the Security alarms (where applicable and technically feasible):
   -  date
  -  time
  -  service or program used for access
  -  success/failure
  -  Login ID


N



Alarms not in CNTT scope
73SECCOM-180ONAP MUST restrict changing the criticality level of a system security alarm to users with administrative privileges

N



Alarms not in CNTT scope
74SECCOM-181ONAP MUST monitor API invocation patterns to detect anomalous access patterns that may represent fraudulent access or other types of attacks, or integrate with tools that implement anomaly and abuse detection.

removed: It is not ONAP business to act as security management/monitoring system

Although ONAP has removed shouldn't CNTT require it.


N




75SECCOM-182ONAP MUST collect, and be able to send any security events to a logging system, eg by syslog. The logging system needs to be able to generate security audit logs as required.

YN


SEE comment on SECCOM-162
76SECCOM-183ONAP MUST log successful and unsuccessful access to ONAP resources, including data

N




77SECCOM-184ONAP logging system MUST support the storage of security audit logs for a configurable period of time

YN

PR#2081

Sec.mon.020

The platform’s logging system must support the storage of security audit logs for a configurable period of time.

78SECCOM-184ONAP MUST store security events locally in case the logging system is unavailable

YN



79SECCOM-185ONAP MUST send security events to a logging system from initialization

YN



80SECCOM-186ONAP MUST be implemented so that it is not vulnerable to OWASP Top 10 web application security risks

YYSec.std.004The Cloud Operator, Platform and Workloads should ensure that their code is not vulnerable to the OWASP Top Ten Security Risks https://owasp.org/www-project-top-ten/.
Should in CNTT
81SECCOM-187ONAP MUST protect against non-volumetric denial of service attacks

YY



82SECCOM-188ONAP MUST be capable of automatically synchronizing the system clock daily with the Operator’s trusted time source, to assure accurate time reporting in log files. It is recommended that Coordinated Universal Time (UTC) be used where possible, so as to eliminate ambiguity owing to daylight savings time and time zone differences.

YY



83SECCOM-189ONAP MUST have the capability to securely transmit the security logs and security events to a remote system before they are purged from the systemremoved: the contents is covered in other requirements






84SECCOM-190ONAP SHOULD provide the capability of maintaining the integrity of its static files using a cryptographic methodremoved, because operating system is not part of ONAP, and thus the ONAP user can monitor file integrity if he wants






85SECCOM-191ONAP MUST log automated remote activities performed with elevated privilegesremoved: the other logging requirements have sufficient coverage






86SECCOM-192ONAP MUST provide the capability to restrict read and write access to data handled by ONAP

YYsec.sys.007The Platform must implement controls enforcing separation of duties and privileges, least privilege use and least common mechanism (Role-Based Access Control).

87SECCOM-193ONAP MUST encrypt data in transit and protect its integrity

YYsec.sys.003The Platform must support Secure and encrypted communications, and confidentiality and integrity of network traffic.

88SECCOM-194

ONAP MUST provide the capability to encrypt data on non-volatile memory.

Non-volative memory is storage that is capable of retaining data without electrical power, e.g. Complementary metal-oxide-semiconductor (CMOS) or hard drives.

Modification in blue
YYsec.gen.010The Cloud Infrastructure must support encrypted storage, for example, block, object and file storage, with access to encryption keys restricted based on a need to know (Controlled Access Based on the Need to Know).

89SECCOM-195ONAP SHOULD disable the paging of the data requiring encryption, if possible, where the encryption of non-transient data is required on a device for which the operating system performs paging to virtual memory. If not possible to disable the paging of the data requiring encryption, the virtual memory should be encrypted.removed: not relevant for ONAP, this is on OS level






90SECCOM-196ONAP MUST use NIST and industry standard cryptographic algorithms and standard modes of operations when implementing cryptography.

This requirement is removed, because it is covered by CII badging section "use basic, good cryptographic practices"

Although ONAP has removed shouldn't CNTT require it.

Cryptography not required for basic profile and optional in NI profile


NN



91SECCOM-197ONAP MUST NOT use compromised encryption algorithms. For example, SHA, DSS, MD5, SHA-1 and Skipjack algorithms. Acceptable algorithms can be found in the NIST FIPS publications (https://csrc.nist.gov/publications/fips) and in the NIST Special Publications (https://csrc.nist.gov/publications/sp).

ONAP has removed this reqt. Made it is part of badging requirement

Although ONAP has removed shouldn't CNTT require it.

Cryptography not required for basic profile and optional in NI profile


NN



92SECCOM-198ONAP MUST use, whenever possible, standard implementations of security applications, protocols, and formats, e.g., S/MIME, TLS, SSH, IPSec, X.509 digital certificates for cryptographic implementations. These implementations must be purchased from reputable vendors or obtained from reputable open source communities and must not be developed in-house.

ONAP has removed this reqt. Made it is part of badging requirement

Although ONAP has removed shouldn't CNTT require it.

Same as #91


NN



93SECCOM-199ONAP MUST provide the ability to migrate to newer versions of cryptographic algorithms and protocols with minimal impact.

Same as #91

Software migration covered



NN



94SECCOM-200ONAP MUST support digital certificates that comply with X.509 standards.

YN


Add new requirement about

X.509 Certificates

95SECCOM-201ONAP MUST NOT use keys generated or derived from predictable functions or values, e.g., values considered predictable include user identity information, time of day, stored/transmitted data.

ONAP has removed this reqt. Made it is part of badging requirement

Although ONAP has removed shouldn't CNTT require it.


N




96SECCOM-202ONAP MUST provide the capability of using X.509 certificates issued by an external Certificate Authority.appears to be duplicate of SECCOM-215
YN


common with new requirement about

X.509

97SECCOM-203ONAP MUST be capable of protecting the confidentiality and integrity of data at rest and in transit from unauthorized access and modification.

removed: the contents is covered by other requirements

Although ONAP has removed shouldn't CNTT require it.


YYsec.ci.001The Platform must support Confidentiality and Integrity of data at rest and in transit.

98SECCOM-204ONAP MUST support the automated certificate management protocol CMPv2. Also Simple Certificate Enrollment Protocol (SCEP) or Automated Certificate Management Environment (ACME) SHOULD be supported.

There are 3 SECCOM-204 requirements

This is new

Opinions about CMPv2?


?




99SECCOM-204

ONAP SHOULD support installing certificates into each of its components, for example as a PKCS #12 file.



N




100SECCOM-204AAF MUST support installation of certificates using CMPv2, for ONAP external mTLS communication.AAF: Authentication & Authorization Framework
N




101SECCOM-205ONAP SHOULD provide the capability to integrate with an external encryption service.







102SECCOM-206ONAP MUST use symmetric keys of at least 112 bits in length.

ONAP has removed this reqt. Made it is part of badging requirement

Although ONAP has removed shouldn't CNTT require it.



YN


Add new requirement
103SECCOM-207ONAP MUST use asymmetric keys of at least 2048 bits in length.

ONAP has removed this reqt. Made it is part of badging requirement

Although ONAP has removed shouldn't CNTT require it.



YN


Add new requirement
104SECCOM-208ONAP MUST provide the capability to configure encryption algorithms or devices so that they comply with the laws of the jurisdiction in which there are plans to use data encryption.Out of CNTT scope at the moment
N




105SECCOM-209ONAP MUST provide the capability of allowing certificate renewal.

There are 2 SECCOM-209 requirements



YN


Add new requirement about certicates management
106SECCOM-209ONAP MUST provide the capability of allowing certificate revocation.

YN


Add new requirement about certicates management
107SECCOM-210ONAP MUST provide the capability of testing the validity of a digital certificate by validating the CA signature on the certificate.

YN


Add new requirement about certificate validity testing
108SECCOM-211ONAP MUST provide the capability of testing the validity of a digital certificate by validating the date the certificate is being used is within the validity period for the certificate.

YN


Add new requirement about certificate validity testing
109SECCOM-212ONAP MUST provide the capability of testing the validity of a digital certificate by checking that the certificate has not been revoked.

YN


Add new requirement about certificate validity testing
110SECCOM-213ONAP MUST provide the capability of testing the validity of a digital certificate by recognizing the identity represented by the certificate "Subject" field.

?




111SECCOM-214ONAP MUST support HTTP/S using TLS v1.2 or higher with strong cryptographic ciphers.

ONAP has removed this reqt. Made it is part of badging requirement

Although ONAP has removed shouldn't CNTT require it.


N




112SECCOM-215ONAP MUST support the use of X.509 certificates issued from any Certificate Authority (CA) that is compliant with RFC5280.

YN


Add new requirement about

X.509 Certificates

...