Hello Sylvain, Catherine, David, Kenny

Thanks for touching this topic, perhaps we could discuss in TSC call today as 
well (at least the CertService part).

On the CertService / CertService Client (I don't want to write 
"AAF-CertService" - as You noted it has nothing to do with AAF, except for its 
name...) we have the following situation:

  *   We have completed the CertService + Client work in ONAP/Frankfurt release
  *   During the DCAE integration (after FF release), Vijay asked us to extend 
the CertService Client capabilities to support different certificate formats.
  *   This work has been done already (just after the FF release)
     *   We have self-released the CertService Client container (version 1.2.0):
https://nexus3.onap.org/#browse/search=keyword%3Dcertservice:dd58d789774f5adedfe0af4eddf21355:1fac56450b93cede9a6bbbec058ce990
     *   We have updated the release notes of CertService to cover this change:
https://docs.onap.org/projects/onap-aaf-certservice/en/latest/sections/release-notes.html#version-1-2-0
     *   These changes are already merged to OOM/Master, they're confirmed to 
work properly.
  *   So far the CertService Client is not really referred from within any of 
the Helm charts in ONAP, to what I know.
(There was some integration with SDNC planned, but I am not really sure, if it 
was completed in Frankfurt)
  *   We, as Nokia, are fully committed to the CertService (actually 
internally, there are 2 teams working on the DCAE integration)
  *   Looking at the future changes in ONAP architecture, it would make most 
sense, if CertService (and CertService Client) could be moved to OOM project.
(Future deployment architecture - means Istio, Ingress, Keycloak, ...)

Based on this, I would like to propose following approach:

  1.  We'd like to release the updated CertService Client container as part of 
Frankfurt Maintenance Release (this is as well a suggestion from @VENKATESH 
KUMAR, VIJAY <vv7...@att.com>).
  2.  We'd like to ask Sylvain 
<sylvain.desbure...@orange.com>, what is 
his opinion about moving the CertService to OOM project.
(CertService has no dependencies to AAF, as Sylvain wrote below - and we 
strongly believe CertService shall become part of OOM in next releases).

What would be the next steps here?

As I wrote before, we're fully supporting the CertService, as You've seen, 
we're releasing, updating, fixing the code, we create all the necessary 
documentation (dedicated RTD page), and we keep updating the release notes. I 
think, the capability to request certificates from external CMP v2 servers is 
an important capability, when supporting 3GPP and ORAN compliant 
devices/applications.

Rgds,
Damian

From: sylvain.desbure...@orange.com <sylvain.desbure...@orange.com>
Sent: Thursday, July 16, 2020 9:12 AM
To: Lefevre, Catherine <catherine.lefe...@intl.att.com>; 
dmcbr...@linuxfoundation.org; Kenny Paul <kp...@linuxfoundation.org>
Cc: DEBEAU Eric TGI/OLN <eric.deb...@orange.com>; Pawel Pawlak 
<p.paw...@f5.com>; ranny.ha...@samsung.com; ZWARICO, AMY <az9...@att.com>; 
ROUZAUT Fabian TGI/OLN <fabian.rouz...@orange.com>; Nowak, Damian (Nokia - 
PL/Wroclaw) <damian.no...@nokia.com>; Closset, Christophe 
<christophe.clos...@intl.att.com>; RICHOMME Morgan TGI/OLN 
<morgan.richo...@orange.com>; onap-...@lists.onap.org; onap-tsc@lists.onap.org
Subject: [ONAP][AAF]Maintenance mode and consequences

Hello Catherine, David and Kenny,

If I've understood well last TSC meeting, AAF is now on "maintenance" mode.
Regarding REQ-361<https://jira.onap.org/browse/REQ-361> (Continue hardcoded 
passwords removal, TSC Must Have as it's a continuation), we mandate ONAP 
components to retrieve automatically their certificates using certInitializer.

In order for that to work (with current ONAP implementation, mandating AAF as 
certificate generator), components need to have created "namespaces", "roles" 
and certificates into AAF.

According to Morgan's email, this means that at least the following components 
(I'm just listing, some are also not planned for Guilin) will need to create 
all that in AAF:
* APPC
* DGBuilder
* CLI
* ESR Server
* Holmes
* MSB
* Multicloud
* Robot
* UUI


These ones may be impacted also (they have "sslv3 alert bad certificate" or are 
using GRPC):
* AAI
* CDS
* DCAE

When they have created what's needed in AAF, a new release with these changes 
must be created as far as I understand AAF process.

I know also that Damian's team would like to update aaf cert service with new 
features, this subcomponent being "autonomous" with the rest of AAF.

My question is then: will we have new release of AAF in order to onboard these 
new certificates? If no, what's plan B?

Regards,
Sylvain
