Hello Sylvain, Catherine, David, Kenny,

Thanks for touching this topic, perhaps we could discuss in TSC call today as well (at least the CertService part).

On the CertService / CertService Client (I don't want to write "AAF-CertService" - as You noted it has nothing to do with AAF, except from its name...) we have the following situation:

* We have completed the CertService + Client work in ONAP/Frankfurt release
* During the DCAE integration (after FF release), Vijay asked us to extend the CertService Client capabilities to support different certificate formats.
* This work has been done already (just after the FF release)
* We have self-released the CertService Client container (version 1.2.0): https://nexus3.onap.org/#browse/search=keyword%3Dcertservice:dd58d789774f5adedfe0af4eddf21355:1fac56450b93cede9a6bbbec058ce990
* We have updated the release notes of CertService to cover this change: https://docs.onap.org/projects/onap-aaf-certservice/en/latest/sections/release-notes.html#version-1-2-0
* These changes are already merged to OOM/Master, they're confirmed to work properly.
* So far the CertService Client is not really referred from within any of the Helm charts in ONAP, to what I know. (There was some integration with SDNC planned, but I am not really sure, if it was completed in Frankfurt)
* We, as Nokia, are fully committed to the CertService (actually internally, there are 2 teams working on the DCAE integration)
* Looking at the future changes in ONAP architecture, it would make most sense, if CertService (and CertService Client) could be moved to OOM project. (Future deployment architecture - means Istio, Ingress, Keycloak, ...)

Based on this, I would like to propose the following approach:

1. We'd like to release the updated CertService Client container as part of Frankfurt Maintenance Release (this is as well a suggestion from @VENKATESH KUMAR, VIJAY <vv7...@att.com>).
2. We'd like to ask Sylvain <sylvain.desbure...@orange.com>, what is his opinion about moving the CertService to OOM project.
(CertService has no dependencies to AAF, as Sylvain wrote below - and we strongly believe CertService shall become part of OOM in next releases).

What would be the next steps here?

As I wrote before, we're fully supporting the CertService, as You've seen, we're releasing, updating, fixing the code, we create all the necessary documentation (dedicated RTD page), and we keep updating the release notes. I think, the capability to request certificates from external CMP v2 servers is an important capability, when supporting 3GPP and ORAN compliant devices/applications.

Rgds,
Damian

From: sylvain.desbure...@orange.com <sylvain.desbure...@orange.com>
Sent: Thursday, July 16, 2020 9:12 AM
To: Lefevre, Catherine <catherine.lefe...@intl.att.com>; dmcbr...@linuxfoundation.org; Kenny Paul <kp...@linuxfoundation.org>
Cc: DEBEAU Eric TGI/OLN <eric.deb...@orange.com>; Pawel Pawlak <p.paw...@f5.com>; ranny.ha...@samsung.com; ZWARICO, AMY <az9...@att.com>; ROUZAUT Fabian TGI/OLN <fabian.rouz...@orange.com>; Nowak, Damian (Nokia - PL/Wroclaw) <damian.no...@nokia.com>; Closset, Christophe <christophe.clos...@intl.att.com>; RICHOMME Morgan TGI/OLN <morgan.richo...@orange.com>; onap-...@lists.onap.org; onap-tsc@lists.onap.org
Subject: [ONAP][AAF]Maintenance mode and consequences

Hello Catherine, David and Kenny,

If I've understood well last TSC meeting, AAF is now on "maintenance" mode.

Regarding REQ-361 <https://jira.onap.org/browse/REQ-361> (Continue hardcoded passwords removal, TSC Must Have as it's a continuation), we mandate ONAP components to retrieve automatically their certificates using certInitializer.

In order for that to work (with current ONAP implementation, mandating AAF as certificate generator), components need to have created "namespaces", "roles" and certificates into AAF.

According to Morgan's email, this means that at least the following components (I'm just listing, some are also not planned for Guilin) will need to create all that in AAF:

* APPC
* DGBuilder
* CLI
* ESR Server
* Holmes
* MSB
* Multicloud
* Robot
* UUI

These ones may be impacted also (they have "sslv3 alert bad certificate" or are using GRPC):

* AAI
* CDS
* DCAE

When they have created what's needed in AAF, a new release with these changes must be created as far as I understand AAF process.

I know also that Damian's team would like to update aaf cert service with new features, this subcomponent being "autonomous" with the rest of AAF.

My question is then: will we have new release of AAF in order to onboard these new certificates? If no, what's plan B?

Regards,
Sylvain

View/Reply Online (#6795): https://lists.onap.org/g/onap-tsc/message/6795