Policy Control Function (PCF) Security Recommendations and Procedures
Access Token configuration
This addendum provides Policy Control Function (PCF) specific security recommendations and procedures. Recommendations common to all 5G/4G are found in the Common Procedures Section.

Table 8-5 Access Token configuration
Step | Description | Est time |
---|---|---|
1 | Create the following files: ECDSA private key (For example: RSA private key (For example: TrustStore password file (For example: KeyStore password file (For example: CA signed ECDSA OCPCF certificate (For example: CA signed RSA OCPCF certificate (For example: Note: Creation of keys, certificates, and passwords is at the discretion of the user/operator. | 5m |
2 | Log in to the Bastion Host or the server from which kubectl can be executed | 1m |
3 | Create a namespace for the secret: | 1m |
4 | Create the Kubernetes secret for the NF Access Token: Note: The filenames in the command below are the same as in Step 1. | 1m |
5 | Verify that the secret is created successfully: | 1m |
How to update keys used to sign JSON Web Tokens (JWTs) for Access Token
Table 8-6 How to update keys used to sign JSON Web Tokens (JWTs) for Access Token
Step | Description | Est time |
---|---|---|
1 | Update the following files as needed to update the keys: ECDSA private key (For example: RSA private key (For example: CA signed ECDSA OCPCF certificate (For example:- CA signed RSA OCPCF certificate (For example:- Note: How to create and update keys, certificates, and passwords is at the discretion of the user or operator. | 5m |
2 | Log in to the Bastion Host or the server from which kubectl can be executed | 1m |
3 | Update the secret with the new/updated details | 1m |
OCPCF MySQL Kubernetes secret for storing database username and password
Table 8-7 OCPCF MySQL Kubernetes secret
Step | Description | Est time |
---|---|---|
1 | Log in to the Bastion Host or the server from which kubectl can be executed | 1m |
2 | Create a namespace for the MySQL secret. Skip this step if it is already created. | |
3 | Create a YAML file with the username and password, using the syntax shown below: Note: The values for "mysql-username" and "mysql-password" should be base64 encoded. | 1m |
4 | Execute "kubectl create -f <yaml_file_name> -n <namespace>" to create the secret. | 1m |
5 | Verify: | 1m |
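
One way to produce the YAML file for step 3 of Table 8-7 with correctly encoded values, as an added example that is not part of the original document or the product's own tooling. The secret name `example-db-secret` and the credentials are constructed placeholders; only the keys `mysql-username` and `mysql-password` come from the step above.

```shell
#!/usr/bin/env bash
# Added example: render the Secret manifest for step 3 without newline bugs.
# The secret name and the credentials below are constructed placeholders.

# Base64-encode exactly the bytes given. printf '%s' (not echo) avoids a
# trailing newline becoming part of the stored credential; tr removes the
# line wrapping that some base64 implementations add to long values.
b64() {
  printf '%s' "$1" | base64 | tr -d '\n'
}

# Print a Secret manifest with the two keys named in step 3.
# usage: render_mysql_secret <secret_name> <username> <password>
render_mysql_secret() {
  cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: $1
type: Opaque
data:
  mysql-username: $(b64 "$2")
  mysql-password: $(b64 "$3")
EOF
}

# Decode one key back out of a manifest, to confirm what will be stored.
# usage: decode_key <manifest_file> <key>
decode_key() {
  awk -v k="$2:" '$1 == k { print $2 }' "$1" | base64 --decode
}

# Constructed demo values. In practice, read the password with `read -rs`
# so that it does not land in shell history.
umask 077                       # the manifest is readable by its owner only
tmp=$(mktemp)
render_mysql_secret example-db-secret pcfuser 'S3cr3t!pass' > "$tmp"
echo "stored username: $(decode_key "$tmp" mysql-username)"
rm -f "$tmp"                    # base64 is encoding, not encryption
```

Delete the manifest file once the secret has been created, since anyone who can read it can decode both values.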