Story
Resolution: Done
High
Dublin Release
None
VNFRQTS Sprint 18
SOL004 contains security requirements for the VNF/PNF package that are missing from the VNF requirements.
Proposed Change:
---------------------------------------------
Remove old requirement R-444945
---------------------------------------------
5.1.6.4. VNF and PNF Package Authenticity and Integrity
VNF/PNF package shall support a method for authenticity and integrity assurance.
According to ETSI SOL004 the onboarding package shall be secured. ETSI SOL004 provides two options:
Option 1 - One Digest hash for each component of the VNF package. The table of hashes is included in the manifest file, which is signed with the VNF provider private key. A signing certificate including the provider’s public key shall be included in the package. If the signature format allows it, the signature may be embedded in the manifest file.
Option 2 - The complete CSAR file shall be digitally signed with the provider private key. The provider delivers one zip file consisting of the CSAR file, a signature file and a certificate file that includes the VNF provider public key.
Dublin release note:
- pre-onboarding:
  - Option 1 specified in ETSI SOL004 is supported
  - Option 2 specified in ETSI SOL004 is supported
- onboarding:
  - Option 2 specified in ETSI SOL004 is supported
  - Option 1 will be supported
Requirement: R-787965
target: VNF/PNF TOSCA CSAR Authenticity
keyword: MUST
introduced: Dublin
If option 2 is supported, the complete VNF/PNF TOSCA CSAR file MUST be digitally signed with the VNF/PNF provider private key. The VNF/PNF provider delivers one zip file consisting of the CSAR file, a signature file and a certificate file that includes the VNF/PNF provider public key. The certificate may also be included in the signature container, if the signature format allows that. The VNF/PNF provider creates a zip file consisting of the CSAR file with .csar extension, signature and certificate files. The signature and certificate files must be siblings of the CSAR file with extensions .cms and .cert respectively.
Requirement: R-130206
target: VNF/PNF TOSCA CSAR Authenticity
keyword: MUST
introduced: Dublin
If option 1 is supported, the VNF/PNF package MUST contain a Digest (a.k.a. hash) for each of the components of the VNF/PNF package. The table of hashes is included in the package manifest file, which is signed with the VNF/PNF provider private key. In addition, the VNF/PNF provider MUST include a signing certificate that includes the VNF/PNF provider public key, following a pre-defined naming convention and located either at the root of the archive or in a predefined location specified by the TOSCA.meta file with the corresponding entry named "ETSI-Entry-Certificate".
---------------------------------------------
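An added example, not part of the original ticket or of any ONAP code: checking the Option 1 digest table against the package contents, including files that have no digest at all. The `Source:`/`Algorithm:`/`Hash:` entry layout, the file names and the `exempt` parameter are assumptions for illustration; verifying the signature over the manifest with the provider certificate is a separate step not shown here.

```python
import hashlib
import io
import zipfile

ALGORITHMS = {"SHA-256": hashlib.sha256, "SHA-512": hashlib.sha512}


def parse_digests(manifest_text):
    """Map each Source path to its (algorithm, hex digest) pair."""
    table, entry = {}, {}
    for line in manifest_text.splitlines():
        key, sep, value = (part.strip() for part in line.partition(":"))
        if sep and key.lower() == "source":
            entry = {"source": value}
        elif sep and key.lower() in ("algorithm", "hash") and entry:
            entry[key.lower()] = value
        if len(entry) == 3:  # Source, Algorithm and Hash all seen
            table[entry["source"]] = (entry["algorithm"].upper(), entry["hash"].lower())
            entry = {}
    return table


def verify_csar(csar_bytes, manifest_name, exempt=()):
    """List digest failures and files the signed manifest does not cover."""
    problems = []
    with zipfile.ZipFile(io.BytesIO(csar_bytes)) as csar:
        files = {n for n in csar.namelist() if not n.endswith("/")}
        table = parse_digests(csar.read(manifest_name).decode("utf-8"))
        for source, (algorithm, expected) in table.items():
            hasher = ALGORITHMS.get(algorithm)
            if source not in files or hasher is None:
                problems.append(f"unverifiable: {source}")
            elif hasher(csar.read(source)).hexdigest() != expected:
                problems.append(f"digest mismatch: {source}")
        problems += [f"no digest: {n}" for n in files - set(table) - {manifest_name, *exempt}]
    return sorted(problems)


def build_sample(tamper=False):
    """Constructed in-memory CSAR; all names and contents are made up."""
    script = b"#!/bin/sh\necho install\n"
    manifest = ("Source: scripts/install.sh\nAlgorithm: SHA-256\n"
                f"Hash: {hashlib.sha256(script).hexdigest()}\n")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("example.mf", manifest)
        z.writestr("scripts/install.sh", script + (b"# changed\n" if tamper else b""))
        if tamper:
            z.writestr("scripts/unlisted.sh", b"echo unlisted\n")
    return buf.getvalue()
```

Pass the signing certificate's path in `exempt` when it sits inside the archive, since it cannot appear in the digest table it helps to verify.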
is blocked by:
- VNFRQTS-453 VNF Package authenticity TOSCA requirements (Closed)
is cloned by:
- VNFRQTS-604 Adding xNF Package security based on ETSI SOL004 (Closed)
relates to:
- VNFRQTS-506 Supporting PNF package onboarding (Closed)
- SDC-1980 Supporting onboarding packaging security (Closed)
- VNFSDK-342 Support packaging security SOL004: Option 2b - zip contains 3 files (Closed)