Policy Control Function (PCF) Security Recommendations and Procedures

Access Token configuration

This addendum provides Policy Control Function (PCF) specific security recommendations and procedures. Recommendations common to all 5G/4G network functions are found in the Common Procedures section.

Table 8-5 Access Token configuration

Step 1 (est. time: 5m): Create the following files:

  ECDSA private key (for example: ecdsa_private_key_pkcs8.pem)
  RSA private key (for example: rsa_private_key_pkcs1.pem)
  TrustStore password file (for example: trustStorePassword.txt)
  KeyStore password file (for example: keyStorePassword.txt)
  CA-signed ECDSA OCPCF certificate (for example: ecdsa_ocpcf_certificate.crt)
  CA-signed RSA OCPCF certificate (for example: rsa_ocpcf_certificate.crt)

  Note: Creation of the keys, certificates and passwords is at the discretion of the user/operator.

Step 2 (est. time: 1m): Log in to the Bastion Host or to a server from where kubectl can be executed.

Step 3 (est. time: 1m): Create a namespace for the secret:

  $ kubectl create namespace ocpcf

Step 4 (est. time: 1m): Create the Kubernetes secret for the NF access token:

  Note: The file names in the command below are the same as in Step 1.

  $ kubectl create secret generic ocpcfaccesstoken-secret \
      --from-file=ecdsa_private_key_pkcs8.pem \
      --from-file=rsa_private_key_pkcs1.pem \
      --from-file=trustStorePassword.txt \
      --from-file=keyStorePassword.txt \
      --from-file=ecdsa_ocpcf_certificate.crt \
      --from-file=rsa_ocpcf_certificate.crt \
      -n ocpcf

Step 5 (est. time: 1m): Verify that the secret was created successfully:

  $ kubectl describe secret ocpcfaccesstoken-secret -n ocpcf


How to update the keys used to sign JSON Web Tokens (JWTs) for Access Token

Table 8-6 How to update the keys used to sign JSON Web Tokens (JWTs) for Access Token

Step 1 (est. time: 5m): Update the following files as needed to update the keys:

  ECDSA private key (for example: ecdsa_private_key_pkcs8.pem)
  RSA private key (for example: rsa_private_key_pkcs1.pem)
  CA-signed ECDSA OCPCF certificate (for example: ecdsa_ocpcf_certificate.crt)
  CA-signed RSA OCPCF certificate (for example: rsa_ocpcf_certificate.crt)

  Note: How the keys, certificates and passwords are created and updated is at the discretion of the user or operator.

Step 2 (est. time: 1m): Log in to the Bastion Host or to a server from where kubectl can be executed.

Step 3 (est. time: 1m): Update the secret with the new/updated details:

  # Delete the secret and recreate it
  $ kubectl delete secret ocpcfaccesstoken-secret -n ocpcf

  # Recreate the secret with the updated details
  $ kubectl create secret generic ocpcfaccesstoken-secret \
      --from-file=ecdsa_private_key_pkcs8.pem \
      --from-file=rsa_private_key_pkcs1.pem \
      --from-file=trustStorePassword.txt \
      --from-file=keyStorePassword.txt \
      --from-file=ecdsa_ocpcf_certificate.crt \
      --from-file=rsa_ocpcf_certificate.crt \
      -n ocpcf
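The following script is an added example, not part of this Oracle documentation, covering Steps 1 and 4 of Table 8-5 and Step 3 of Table 8-6: it checks the six input files before the secret is created (expected PEM label per file, owner-only permissions on the two password files) and renders the secret manifest with a client-side dry run, so an updated key set can be applied in place instead of deleting and recreating the secret. The script name, the expected PEM labels (unencrypted PKCS#8 ECDSA key, PKCS#1 RSA key) and the 0600 requirement on the password files are assumptions.

```shell
#!/usr/bin/env bash
# Added example (not from the Oracle PCF documentation): pre-flight checks on the six
# files from Step 1 of Table 8-5, plus a manifest renderer so the key update of Table
# 8-6 can be applied in place. Assumes an unencrypted PKCS#8 ECDSA key ("PRIVATE KEY")
# and a PKCS#1 RSA key ("RSA PRIVATE KEY"); password files are expected to be 0600.
set -euo pipefail

PEM_FILES="ecdsa_private_key_pkcs8.pem:PRIVATE KEY
rsa_private_key_pkcs1.pem:RSA PRIVATE KEY
ecdsa_ocpcf_certificate.crt:CERTIFICATE
rsa_ocpcf_certificate.crt:CERTIFICATE"
PASSWORD_FILES="trustStorePassword.txt keyStorePassword.txt"

# pem_type FILE: print the label of the first PEM block in FILE (empty if none).
pem_type() {
  awk '/^-----BEGIN /{sub(/^-----BEGIN /,""); sub(/-----$/,""); print; exit}' "$1"
}

# check_access_token_files DIR: 0 when every Step 1 file in DIR is non-empty, carries
# the expected PEM label and the password files are owner-only; problems go to stderr.
check_access_token_files() {
  local dir=$1 rc=0 spec f want got
  while IFS= read -r spec; do
    f=${spec%%:*}; want=${spec#*:}
    if [ ! -s "$dir/$f" ]; then echo "missing or empty: $f" >&2; rc=1; continue; fi
    got=$(pem_type "$dir/$f")
    [ "$got" = "$want" ] || { echo "$f: PEM label '$got', expected '$want'" >&2; rc=1; }
  done <<< "$PEM_FILES"
  for f in $PASSWORD_FILES; do
    if [ ! -s "$dir/$f" ]; then echo "missing or empty: $f" >&2; rc=1; continue; fi
    # columns 5-10 of `ls -l` are the group/other permission bits; all must be '-'
    [ "$(ls -ld "$dir/$f" | cut -c5-10)" = "------" ] || { echo "$f: readable by group/other" >&2; rc=1; }
  done
  return $rc
}

# render_secret_manifest DIR NAMESPACE: print the ocpcfaccesstoken-secret manifest via
# kubectl's client-side dry run; piped into `kubectl apply -f -` it replaces the data of
# an existing secret in place. kubectl uses the file basename as the secret key.
render_secret_manifest() {
  local dir=$1 ns=$2 args=() spec f
  while IFS= read -r spec; do args+=("--from-file=$dir/${spec%%:*}"); done <<< "$PEM_FILES"
  for f in $PASSWORD_FILES; do args+=("--from-file=$dir/$f"); done
  kubectl create secret generic ocpcfaccesstoken-secret "${args[@]}" -n "$ns" --dry-run=client -o yaml
}
# Usage: ./check_and_render.sh <dir with the Step 1 files> <namespace> | kubectl apply -f -
if [ "$#" -eq 2 ]; then
  check_access_token_files "$1" && render_secret_manifest "$1" "$2"
fi
```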

OCPCF MySQL Kubernetes secret for storing the database username and password

Table 8-7 OCPCF MySQL Kubernetes secret

Step 1 (est. time: 1m): Log in to the Bastion Host or to a server from where kubectl can be executed.

Step 2: Create a namespace for the MySQL secret. Skip this step if the namespace has already been created.

  $ kubectl create namespace <namespace>

Step 3 (est. time: 1m): Create a YAML file containing the username and password, with the syntax shown below:

  apiVersion: v1
  kind: Secret
  metadata:
    name: <secret-name>
  type: Opaque
  data:
    mysql-username: cGNmdXNy
    mysql-password: cGNmcGFzc3dk

  Note: The values for "mysql-username" and "mysql-password" must be base64 encoded.

Step 4 (est. time: 1m): Execute "kubectl create -f <yaml_file_name> -n <namespace>" to create the secret.

Step 5 (est. time: 1m): Verify:

  $ kubectl describe secret <secret-name> -n <namespace>