1. Cloud Native Core Security Guide
  2. 4G/5G Core Network Function Security Recommendations and Procedures
  3. Policy Control Function (PCF)Security Recommendations and Procedures

Policy Control Function (PCF)Security Recommendations and Procedures

Access Token configuration

This addendum provides Policy Control Function (PCF) specific security recommendations and procedures. Recommendations common to all 5G/4G are found in the Common Procedures Section

Table 8-5 Access Token configuration

Step Description Est time
1 Create following files:

ECDSA private key (For example: ecdsa_private_key_pkcs8.pem)

RSA private key (For example: rsa_private_key_pkcs1.pem)

TrustStore password file (For example: trustStorePassword.txt)

KeyStore password file (For example: keyStorePassword.txt)

CA signed ECDSA OCPCF certificate (For example: ecdsa_ocpcf_certificate.crt)

CA signed RSA OCPCF certificate (For example: rsa_ocpcf_certificate.crt)

Note: Creation of keys, certificates, password is on discretion of user/operator.

5m
2 Login to Bastion Host or server from where kubectl can be executed 1m
3 Create namespace for the secret:

$ kubectl create namespace ocpcf

1m
4 Create kubernetes secret for NF Access token :

Note: The filenames in below command are same as in Step 1 

$ kubectl create secret generic ocpcfaccesstoken-secret --from-file=
ecdsa_private_key_pkcs8.pem --from-file=rsa_private_key_pkcs1.pem --from-file=
trustStorePassword.txt --from-file=keyStorePassword.txt --from-file=
ecdsa_ocpcf_certificate.crt--from-file=rsa_ocpcf_certificate.crt -n ocpcf
1m
5 Verify that secret is create successfully:

$ kubectl describe secret ocpcfaccesstoken-secret -n ocpcf

1m

How to update keys used to sign JSON Web Token (JWTs) for Access Token

Table 8-6 How to update keys used to sign JSON Web Token (JWTs) for Access Token

Step Description Est time

1

Update the following files as per need to update the keys:

ECDSA private key (For example: ecdsa_private_key_pkcs8.pem)

RSA private key (For example: rsa_private_key_pkcs1.pem)

CA signed ECDSA OCPCF certificate (For example:- ecdsa_ocpcf_certificate.crt)

CA signed RSA OCPCF certificate (For example:- rsa_ocpcf_certificate.crt)

Note: How to create and update keys, certificates, password is on discretion of user or operator.

5m

2

Login to Bastion Host or server from where kubectl can be executed

1m

3

Update the secret with new/updated details

# Delete the secret and recreate it

$ kubectl delete secret ocpcfaccesstoken-secret -n ocpcf

# Recreate the secret with updated details

$ kubectl create secret generic ocpcfaccesstoken-secret --from-file=ecdsa_private_key_pkcs8.pem --from-file=rsa_private_key_pkcs1.pem --from-file=trustStorePassword.txt --from-file=keyStorePassword.txt --from-file=ecdsa_ocpcf_certificate.crt--from-file=rsa_ocpcf_certificate.crt -n ocpcf

1m

OCPCF MYSQL kubernetes secret for storing database username and password

Table 8-7 OCPCF MYSQL kubernetes secret

Step Description Est time
1 Login to Bastion Host or server from where kubectl can be executed 1m
2 Create namespace for the mysql secret. Skip this step, if already created.

$ kubectl create namespace <namespace>

3 Create a yaml file with the username and password in with the syntax shown below:

apiVersion: v1

kind: Secret

metadata:

name: <secret-name>

type: Opaque

data:

mysql-username: cGNmdXNy

mysql-password: cGNmcGFzc3dk

Note: The values for "mysql-username" and "mysql-password" should be base64 encoded.

1m
4 Execute "kubectl create -f <yaml_file_name> -n <namespace> to create the secret. 1m
5 Verify:

$ kubectl describe secret <secret-name> -n <namespace>

1m