Network Repository Function (OCNRF) Security Recommendations and Procedures

This addendum provides Network Function Repository Function (OCNRF) specific security recommendations and procedures. Recommendations common to all 5G/4G are found in the Common Procedures Section.

Access Token configuration

Table 8-1 Access Token configuration

Step Description Est time
1 Create the following files:

ECDSA private key (for example, ecdsa_private_key_pkcs8.pem)

RSA private key (for example, rsa_private_key_pkcs1.pem)

TrustStore password file (for example, trustStorePassword.txt)

KeyStore password file (for example, keyStorePassword.txt)

CA signed ECDSA OCNRF certificate (for example, ecdsa_ocnrf_certificate.crt)

CA signed RSA OCNRF certificate (for example, rsa_ocnrf_certificate.crt)

Note: How the keys, certificates, and passwords are created is at the discretion of the user/operator.

5m
2 Log in to the Bastion Host or the server from which kubectl can be executed 1m
3 Create namespace for the secret

$ kubectl create namespace ocnrf

1m
4 Create the Kubernetes secret for the NF Access token:

Note: The file names in the command below are the same as in Step 1.

$ kubectl create secret generic ocnrfaccesstoken-secret \
    --from-file=ecdsa_private_key_pkcs8.pem \
    --from-file=rsa_private_key_pkcs1.pem \
    --from-file=trustStorePassword.txt \
    --from-file=keyStorePassword.txt \
    --from-file=ecdsa_ocnrf_certificate.crt \
    --from-file=rsa_ocnrf_certificate.crt \
    -n ocnrf
1m
5 Verify that the secret is created successfully

$ kubectl describe secret ocnrfaccesstoken-secret -n ocnrf

1m

How to update keys used to sign JSON Web Token (JWTs) for Access Token

Table 8-2 How to update keys used to sign JSON Web Token (JWTs) for Access Token

Step Description Est time

1

Update the following files as needed to update the keys:

ECDSA private key (for example, ecdsa_private_key_pkcs8.pem)

RSA private key (for example, rsa_private_key_pkcs1.pem)

CA signed ECDSA OCNRF certificate (for example, ecdsa_ocnrf_certificate.crt)

CA signed RSA OCNRF certificate (for example, rsa_ocnrf_certificate.crt)

Note: How the keys, certificates, and passwords are updated is at the discretion of the user/operator.

5m

2

Log in to the Bastion Host or the server from which kubectl can be executed

1m

3

Update the secret with new/updated details

# Delete the secret and recreate it

$ kubectl delete secret ocnrfaccesstoken-secret -n ocnrf

# Recreate the secret with updated details

$ kubectl create secret generic ocnrfaccesstoken-secret \
    --from-file=ecdsa_private_key_pkcs8.pem \
    --from-file=rsa_private_key_pkcs1.pem \
    --from-file=trustStorePassword.txt \
    --from-file=keyStorePassword.txt \
    --from-file=ecdsa_ocnrf_certificate.crt \
    --from-file=rsa_ocnrf_certificate.crt \
    -n ocnrf

1m
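
The update procedure in Table 8-2 as an added example (not part of the original guide and not Oracle tooling): it checks the Step 1 files before touching the cluster, then replaces the secret with a client-side render piped to kubectl apply, an alternative to the delete-and-recreate commands above. The function names and the permission check are assumptions of this example; the file, secret and namespace names are the page's.

```shell
#!/usr/bin/env bash
# Added example, not Oracle tooling. File names are the ones listed in Step 1.
OCNRF_SECRET_FILES="ecdsa_private_key_pkcs8.pem rsa_private_key_pkcs1.pem
trustStorePassword.txt keyStorePassword.txt
ecdsa_ocnrf_certificate.crt rsa_ocnrf_certificate.crt"

# preflight DIR: return 0 only if all six files exist, are non-empty, and the
# private keys and password files grant no access to group or others.
preflight() {
    dir=$1
    rc=0
    for f in $OCNRF_SECRET_FILES; do
        p="$dir/$f"
        if [ ! -s "$p" ]; then
            echo "missing or empty: $f" >&2
            rc=1
            continue
        fi
        case $f in
            *.pem|*Password.txt)
                # Characters 5-10 of the ls mode string are the group/other bits.
                mode=$(ls -ld -- "$p" | cut -c5-10)
                if [ "$mode" != "------" ]; then
                    echo "access beyond owner: $f" >&2
                    rc=1
                fi
                ;;
        esac
    done
    return "$rc"
}

# secret_args DIR: print one --from-file=<key>=<path> argument per line, so a
# missing space can never fuse two flags into one.
secret_args() {
    for f in $OCNRF_SECRET_FILES; do
        printf '%s=%s\n' "--from-file=$f" "$1/$f"
    done
}

# rotate_secret DIR [NAMESPACE]: render the secret client-side and apply it,
# replacing the data in one step instead of delete followed by create.
# Assumes DIR contains no whitespace (the argument list is word-split).
rotate_secret() {
    preflight "$1" || return 1
    # shellcheck disable=SC2046
    kubectl create secret generic ocnrfaccesstoken-secret -n "${2:-ocnrf}" \
        $(secret_args "$1") --dry-run=client -o yaml | kubectl apply -f -
}
```

Source the file on the Bastion Host and run rotate_secret with the directory that holds the six files; the namespace defaults to ocnrf.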

OCNRF MYSQL Secret Configuration

Table 8-3 OCNRF MYSQL Secret configuration

Step Description Est time
1 Log in to the Bastion Host or the server from which kubectl can be executed 1m
2 Create the namespace for the MySQL secret. Skip this step if it is already created.

$ kubectl create namespace ocnrf
1m
3 Create the Kubernetes secret for MySQL:

$ kubectl create secret generic database-secret --from-literal=dbUsername=<OCNRF Mysql database username> --from-literal=dbPassword=<OCNRF Mysql database password> --from-literal=dbName=<OCNRF Mysql database name> -n <Namespace of MYSQL secret>
1m
4 Verify that the secret is created successfully:

$ kubectl describe secret database-secret -n ocnrf
1m

OCNRF MYSQL Secret Updates for Password of DB User

Table 8-4 OCNRF MYSQL Secret updates for password of DB user

Step Description Est time
1 Log in to the Bastion Host or the server from which kubectl can be executed 1m
2 Update the Kubernetes secret for MySQL

# Delete the secret

$ kubectl delete secret database-secret -n <Namespace of MYSQL secret>

# Create the secret with updated details

$ kubectl create secret generic database-secret --from-literal=dbUsername=<OCNRF Mysql database username> --from-literal=dbPassword=<OCNRF Mysql database password> --from-literal=dbName=<OCNRF Mysql database name> -n <Namespace of MYSQL secret>
1m