7 4G/5G Core Network Function Security Recommendations and Procedures

Network Repository Function (NRF) Security Recommendations and Procedures

This section provides Network Repository Function (NRF) specific security recommendations and procedures. Recommendations common to all 5G/4G network functions are available in the Common Procedures section.

NRF Access Token Secret Configuration

Use the following procedure to create the access token secret:

Table 7-1 NRF Access Token Secret Configuration

Step 1 (5m): Create the following files:
  • ECDSA private key and CA signed certificate of OCNRF (if initialAlgorithm is ES256)
  • RSA private key and CA signed certificate of OCNRF (if initialAlgorithm is RSA256)
  • KeyStore password file
  Note: Creation of private keys, certificates and passwords is at the discretion of the user.
Step 2 (1m): Login to the Bastion Host or a server from where kubectl can be executed.
Step 3 (1m): Create the namespace for the secret by following "Creating OCNRF namespace" under the OCNRF pre-deployment configuration in the Network Repository Function (NRF) Cloud Native Installation and Upgrade Guide.
Step 4 (2m): Create the Kubernetes secret for the access token by following "Configuring secret for enabling AccessToken service" under the OCNRF pre-deployment configuration in the Network Repository Function (NRF) Cloud Native Installation and Upgrade Guide.

NRF Access Token Secret Update

Use the following procedure to update the access token secret:

Table 7-2 NRF Access Token Secret Update

Step 1 (5m): Update the following files:
  • ECDSA private key and CA signed certificate of OCNRF (if initialAlgorithm is ES256)
  • RSA private key and CA signed certificate of OCNRF (if initialAlgorithm is RSA256)
  • KeyStore password file
  Note: Update of private keys, certificates and passwords is at the discretion of the user.
Step 2 (1m): Login to the Bastion Host or a server from where kubectl can be executed.
Step 3 (1m): Update the secret with the new or updated details by following "Configuring secret for enabling AccessToken service" under the OCNRF pre-deployment configuration in the Network Repository Function (NRF) Cloud Native Installation and Upgrade Guide.

NRF MYSQL Secret Configuration

Use the following procedure to create the MySQL Kubernetes secret:

Table 7-3 NRF MYSQL Secret Configuration

Step 1 (1m): Login to the Bastion Host or a server from where kubectl can be executed.
Step 2 (1m): Create the namespace for the secret by following "Creating OCNRF namespace" under the OCNRF pre-deployment configuration in the Network Repository Function (NRF) Cloud Native Installation and Upgrade Guide.
Step 3 (5m): Create the Kubernetes secret for MySQL by following "Configuring MySQL secret" under the OCNRF pre-deployment configuration in the Network Repository Function (NRF) Cloud Native Installation and Upgrade Guide.

NRF MYSQL Secret Update

Use the following procedure to update the MySQL Kubernetes secret:

Table 7-4 NRF MYSQL Secret Update

Step 1 (1m): Login to the Bastion Host or a server from where kubectl can be executed.
Step 2 (2m): Update the Kubernetes secret for MySQL by following "Configuring MySQL secret" under the OCNRF pre-deployment configuration in the Network Repository Function (NRF) Cloud Native Installation and Upgrade Guide.

Policy Control Function (PCF) Security Recommendations and Procedures

This section provides Policy Control Function (PCF) specific security recommendations and procedures. Recommendations common to all 5G/4G network functions are available in the Common Procedures section.

Access Token Configuration

Use the following procedure to create the access token secret:

Table 7-5 Access Token Configuration

Step 1 (5m): Create the following files:
  • ECDSA private key (Example: ecdsa_private_key_pkcs8.pem)
  • RSA private key (Example: rsa_private_key_pkcs1.pem)
  • TrustStore password file (Example: trustStorePassword.txt)
  • KeyStore password file (Example: keyStorePassword.txt)
  • CA signed ECDSA OCPCF certificate (Example: ecdsa_ocpcf_certificate.crt)
  • CA signed RSA OCPCF certificate (Example: rsa_ocpcf_certificate.crt)
  Note: Creation of private keys, certificates and passwords is at the discretion of the user.
Step 2 (1m): Login to the Bastion Host or a server from where kubectl can be executed.
Step 3 (1m): Create the namespace for the secret:

$ kubectl create namespace ocpcf

Step 4 (1m): Create the Kubernetes secret for the NF access token.
  Note: The file names in the command below are the same as in Step 1.

$ kubectl create secret generic ocpcfaccesstoken-secret --from-file=ecdsa_private_key_pkcs8.pem --from-file=rsa_private_key_pkcs1.pem --from-file=trustStorePassword.txt --from-file=keyStorePassword.txt --from-file=ecdsa_ocpcf_certificate.crt --from-file=rsa_ocpcf_certificate.crt -n ocpcf

Step 5 (1m): Verify that the secret was created successfully:

$ kubectl describe secret ocpcfaccesstoken-secret -n ocpcf

Update Keys to Sign JSON Web Tokens (JWTs) for Access Token

Use the following procedure to update the keys used to sign JSON Web Tokens (JWTs) for the access token:

Table 7-6 Update Keys to Sign JSON Web Tokens (JWTs) for Access Token

Step 1 (5m): Update the following files:
  • ECDSA private key (Example: ecdsa_private_key_pkcs8.pem)
  • RSA private key (Example: rsa_private_key_pkcs1.pem)
  • CA signed ECDSA OCPCF certificate (Example: ecdsa_ocpcf_certificate.crt)
  • CA signed RSA OCPCF certificate (Example: rsa_ocpcf_certificate.crt)
  Note: Update of private keys, certificates and passwords is at the discretion of the user.
Step 2 (1m): Login to the Bastion Host or a server from where kubectl can be executed.
Step 3 (1m): Update the secret with the new or updated details. First delete the existing secret:

$ kubectl delete secret ocpcfaccesstoken-secret -n ocpcf

Then create the secret again with the updated files:

$ kubectl create secret generic ocpcfaccesstoken-secret --from-file=ecdsa_private_key_pkcs8.pem --from-file=rsa_private_key_pkcs1.pem --from-file=trustStorePassword.txt --from-file=keyStorePassword.txt --from-file=ecdsa_ocpcf_certificate.crt --from-file=rsa_ocpcf_certificate.crt -n ocpcf

Creating OCPCF MYSQL Kubernetes Secret for Storing Database Username and Password

Use the following procedure to create the OCPCF MySQL Kubernetes secret for storing the database username and password:

Table 7-7 Creating OCPCF MYSQL Kubernetes Secret

Step 1 (1m): Login to the Bastion Host or a server from where kubectl can be executed.
Step 2 (1m): Create the namespace for the MySQL secret. Skip this step if it is already created.

$ kubectl create namespace <namespace>

Step 3 (1m): Create a yaml file with the username and password, using the syntax shown below (type is a top-level field of the Secret, not part of metadata):

apiVersion: v1
kind: Secret
metadata:
  name: <secret-name>
type: Opaque
data:
  mysql-username: cGNmdXNy
  mysql-password: cGNmcGFzc3dk

Note: The values for "mysql-username" and "mysql-password" must be base64 encoded.
Step 4 (1m): Execute kubectl create -f <yaml_file_name> -n <namespace> to create the secret.
Step 5 (1m): Verify whether the secret is created by executing the following command:

$ kubectl describe secret <secret-name> -n <namespace>

Create a Kubernetes Secret for Storing LDAP Credentials

Use the following procedure to create a Kubernetes secret for storing LDAP credentials:

  1. Create a yaml file with the following syntax:
    apiVersion: v1
    kind: Secret
    metadata:
      name: ldapsecret
      labels:
        type: ocpm.secret.ldap
    type: Opaque
    stringData:
      name: "ldap1"
      password: "camiant"
      authDn: "uid=PolicyServer,ou=vodafone,c=hu,o=vodafone"

    where:

    name is the configured LDAP server name.

    password is the LDAP credential for that data source.

    authDn is the authentication DN for that LDAP data source.

  2. Create the secret by executing the following command: kubectl apply -f yaml_file_name -n pcf-namespace

    where:

    yaml_file_name is the name of the yaml file created in step 1.

    pcf-namespace is the deployment namespace used by the helm command.

Cloud Native Policy Control Repository Function (CNPCRF) Security Recommendations and Procedures

This section provides Cloud Native Policy Control Repository Function (CNPCRF) specific security recommendations and procedures. Recommendations common to all 5G/4G are available in the Common Procedures Section.

Creating CNPCRF MYSQL Kubernetes Secret for Storing Database Username and Password

Use the following procedure to create the CNPCRF MySQL Kubernetes secret for storing the database username and password:

Table 7-8 Creating CNPCRF MYSQL Kubernetes Secret

Step 1 (1m): Login to the Bastion Host or a server from where kubectl can be executed.
Step 2 (1m): Create the namespace for the MySQL secret. Skip this step if it is already created.

$ kubectl create namespace <namespace>

Step 3 (1m): Create a yaml file with the username and password, using the syntax shown below (type is a top-level field of the Secret, not part of metadata):

apiVersion: v1
kind: Secret
metadata:
  name: <secret-name>
type: Opaque
data:
  mysql-username: cGNmdXNy
  mysql-password: cGNmcGFzc3dk

Note: The values for "mysql-username" and "mysql-password" must be base64 encoded.
Step 4 (1m): Execute kubectl create -f <yaml_file_name> -n <namespace> to create the secret.
Step 5 (1m): Verify whether the secret is created by executing the following command:

$ kubectl describe secret <secret-name> -n <namespace>

Create a Kubernetes Secret for Storing LDAP Credentials

Use the following procedure to create a Kubernetes secret for storing LDAP credentials:

  1. Create a yaml file with the following syntax:
    apiVersion: v1
    kind: Secret
    metadata:
      name: ldapsecret
      labels:
        type: ocpm.secret.ldap
    type: Opaque
    stringData:
      name: "ldap1"
      password: "camiant"
      authDn: "uid=PolicyServer,ou=vodafone,c=hu,o=vodafone"

    where:

    name is the configured LDAP server name.

    password is the LDAP credential for that data source.

    authDn is the authentication DN for that LDAP data source.

  2. Create the secret by executing the following command: kubectl apply -f yaml_file_name -n cnpcrf-namespace

    where:

    yaml_file_name is the name of the yaml file created in step 1.

    cnpcrf-namespace is the deployment namespace used by the helm command.

Cloud Native Diameter Routing Agent (cnDRA) Security Recommendations and Procedures

This section provides cloud native Diameter Routing Agent (cnDRA) specific security recommendations and procedures. Recommendations common to all 5G/4G network functions are available in the Common Procedures section.

User (OAM) Authentication and Authorization

  • cnDRA supports a REST based MMI interface. There is no GUI provided in the current cnDRA release.
  • The MMI interface is based on a fixed user and password, which the REST client uses to request the security token from cnDRA.
  • cnDRA does not allow or support configuring or modifying these credentials (user and password).

Authentication and Authorization of Applications

cnDRA currently supports TCP based signaling traffic connections towards the Remote Peer Nodes. These connections are not currently secured by TLS or a similar mechanism, and there is currently no plan to enable securing of the application/Diameter traffic.

Cloud Native Core - Ingress/Egress Gateways - Security Recommendations / Procedures

Enabling TLS and Ciphers in Ingress/Egress Gateway

Step 1: Helm configuration to enable TLS:
  • To open the HTTPS port in the Ingress Gateway, configure in Helm: enableIncomingHttps: true
  • To have an HTTPS client configured in the Egress Gateway, configure in Helm: enableOutgoingHttps: true
Step 2: Create the following files:
  1. RSA or ECDSA private key (Example: rsa_private_key_pkcs1.pem)
  2. Trust store password (Example: trust.txt)
  3. Key store password (Example: key.txt)
  4. Certificate chain for the trust store (Example: caroot.cer)
  5. Signed server certificate (Example: ocingress.cer) or signed client certificate (Example: ocegress.cer)
  Note: Creation of private keys, certificates and passwords is at the discretion of the user.
Step 3: Create the secret:

$ kubectl create secret generic ocingress-secret --from-file=rsa_private_key_pkcs1.pem --from-file=trust.txt --from-file=key.txt --from-file=ocingress.cer --from-file=caroot.cer -n ocingress

Step 4: Enable cipher suites. The same list is configured on the server side (Ingress Gateway) and on the client side (Egress Gateway):

# Cipher Suites to be enabled on Server side (Ingress Gateway),
# Cipher Suites to be enabled on Client side (Egress Gateway),
cipherSuites:
  - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
  - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
  - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
  - TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
  - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
  - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256

Note: The list above is the allowed cipher list per the Verizon requirement; it also coincides with the list of ciphers allowed under Oracle standards. Helm deployment may fail due to invalid configuration or a cipher suite mismatch. A manual restart of the pod is required if the cipher configuration is updated at run time.

Certificate Management and Dynamic reload of certificates in Gateways

Whenever a certificate is compromised, or a new certificate chain has to be added to the truststore, the key and truststore used by the application can be updated.

To update the key and the truststore, update or replace the secret:

Command:

$ kubectl create secret generic ocingress-secret --from-file=rsa_private_key_pkcs1.pem --from-file=trust.txt --from-file=key.txt --from-file=tmp.cer --from-file=caroot.cer --dry-run -o yaml -n ocingress | kubectl replace -f - -n ocingress

(On kubectl 1.18 and later, the bare --dry-run flag is deprecated; use --dry-run=client.)

Whenever the certificate chain or the signed certificate placed in the secret is updated, the Kubernetes watcher implemented in the update container detects the change in file state and replaces the key and truststore accordingly in the mounted shared volume.

Dynamic reload of certificates is not supported in the Ingress Gateway as of now, so a manual restart of the pod is required whenever any HTTPS-related configuration is updated.

In the case of the Egress Gateway, the update container triggers the REST endpoint to dynamically reload the key and truststore. The Egress Gateway then picks up the new store files from the shared volume and reloads its trust and key managers. It uses the replaced stores to establish new connections and gracefully terminates existing connections by sending a GOAWAY frame.

Service Communication Proxy (SCP) Security Recommendations And Procedures

This section provides Service Communication Proxy (SCP) specific security recommendations and procedures. Recommendations common to all 5G/4G network functions are available in the Common Procedures section.

OCSCP MYSQL Secret Configuration

Use the following procedure to create the MySQL Kubernetes secret:

Table 7-9 OCSCP MYSQL Kubernetes Secret Configuration

Step 1 (1m): Login to the Bastion Host or a server from where kubectl can be executed.
Step 2 (1m): Create the namespace for the MySQL secret. Skip this step if it is already created.

$ kubectl create namespace <namespace>

Example:

$ kubectl create namespace ocscp

Step 3 (1m): Execute the following command to create the secret for MySQL:

$ kubectl create secret generic <secretName> --from-literal=DB_USERNAME=<userName> --from-literal=DB_PASSWORD=<password> --from-literal=DB_NAME=<dbName> -n <SCPNamespace>

Example:

$ kubectl create secret generic cred --from-literal=DB_USERNAME=root --from-literal=DB_PASSWORD=lLn94uba5p --from-literal=DB_NAME=ocscpdb -n scpsvc

where:

<secretName> is the secret name and must be the same value set for 'dbSecretName' in the ocscp_values.yaml file.

<SCPNamespace> must be the name of the namespace where SCP will be deployed.

Step 4 (1m): Verify whether the secret is created:

$ kubectl describe secret <secret-name> -n <SCPnamespace>

Example:

$ kubectl describe secret database-secret -n ocscp

OCSCP MYSQL Secret Updates for Password of DB User

Use the following procedure to update the MySQL secret:

Table 7-10 OCSCP MYSQL Secret Update

Step 1 (1m): Login to the Bastion Host or a server from where kubectl can be executed.
Step 2 (2m): Update the Kubernetes secret for MySQL by executing the following commands. Delete the secret:

$ kubectl delete secret database-secret -n <SCPNamespace>

Create the secret again with the updated details:

$ kubectl create secret generic <secretName> --from-literal=DB_USERNAME=<userName> --from-literal=DB_PASSWORD=<password> --from-literal=DB_NAME=<dbName> -n <SCPNamespace>

Network Slice Selection Function (NSSF) Security Recommendations and Procedures

This section provides Network Slice Selection Function (NSSF) specific security recommendations and procedures. Recommendations common to all 5G/4G are available in the Common Procedures Section.

OCNSSF Access Token Secret Configuration

Use the following procedure to create the access token secret:

Table 7-11 OCNSSF Access Token Secret Configuration

Step 1 (5m): Create the following files:
  • ECDSA private key (Example: ecdsa_private_key_pkcs8.pem)
  • RSA private key (Example: rsa_private_key_pkcs1.pem)
  • TrustStore password file (Example: trustStorePassword.txt)
  • KeyStore password file (Example: keyStorePassword.txt)
  • CA signed ECDSA OCNSSF certificate (Example: ecdsa_ocnssf_certificate.crt)
  • CA signed RSA OCNSSF certificate (Example: rsa_ocnssf_certificate.crt)
  Note: Creation of private keys, certificates and passwords is at the discretion of the user.
Step 2 (1m): Login to the Bastion Host or a server from where kubectl can be executed.
Step 3 (1m): Create the namespace for the secret by executing the following command:

$ kubectl create namespace ocnssf

Step 4 (2m): Create the Kubernetes secret for the NF access token by executing the following command:

$ kubectl create secret generic ocnssfaccesstoken-secret --from-file=ecdsa_private_key_pkcs8.pem --from-file=rsa_private_key_pkcs1.pem --from-file=trustStorePassword.txt --from-file=keyStorePassword.txt --from-file=ecdsa_ocnssf_certificate.crt --from-file=rsa_ocnssf_certificate.crt -n ocnssf

Step 5 (2m): Verify that the secret was created successfully by executing the following command:

$ kubectl describe secret ocnssfaccesstoken-secret -n ocnssf

OCNSSF Access Token Secret Update

Use the following procedure to update the access token secret:

Table 7-12 OCNSSF Access Token Secret Update

Step 1 (5m): Update the following files:
  • ECDSA private key (Example: ecdsa_private_key_pkcs8.pem)
  • RSA private key (Example: rsa_private_key_pkcs1.pem)
  • TrustStore password file (Example: trustStorePassword.txt)
  • KeyStore password file (Example: keyStorePassword.txt)
  • CA signed ECDSA OCNSSF certificate (Example: ecdsa_ocnssf_certificate.crt)
  • CA signed RSA OCNSSF certificate (Example: rsa_ocnssf_certificate.crt)
  Note: Update of private keys, certificates and passwords is at the discretion of the user.
Step 2 (1m): Login to the Bastion Host or a server from where kubectl can be executed.
Step 3 (1m): Update the secret with the new or updated details by executing the following commands. Delete the secret:

$ kubectl delete secret ocnssfaccesstoken-secret -n ocnssf

Create the secret again with the updated details:

$ kubectl create secret generic ocnssfaccesstoken-secret --from-file=ecdsa_private_key_pkcs8.pem --from-file=rsa_private_key_pkcs1.pem --from-file=trustStorePassword.txt --from-file=keyStorePassword.txt --from-file=ecdsa_ocnssf_certificate.crt --from-file=rsa_ocnssf_certificate.crt -n ocnssf

OCNSSF MYSQL Secret Configuration

Use the following procedure to create the MySQL Kubernetes secret:

Table 7-13 Creating OCNSSF MYSQL Kubernetes Secret

Step 1 (1m): Login to the Bastion Host or a server from where kubectl can be executed.
Step 2 (1m): Create the namespace for the MySQL secret. Skip this step if it is already created.

$ kubectl create namespace ocnssf

Step 3 (1m): Create a yaml file with the username and password, using the syntax shown below (type is a top-level field of the Secret, not part of metadata):

apiVersion: v1
kind: Secret
metadata:
  name: <secret-name>
type: Opaque
data:
  mysql-username: cGNmdXNy
  mysql-password: cGNmcGFzc3dk

Note: The values for "mysql-username" and "mysql-password" must be base64 encoded.
Step 4 (1m): Execute kubectl create -f <yaml_file_name> -n <namespace> to create the secret.
Step 5 (1m): Verify whether the secret is created by executing the following command:

$ kubectl describe secret <secret-name> -n <namespace>

OCNSSF MYSQL Secret Update

Use the following procedure to update the MySQL Kubernetes secret:

Table 7-14 OCNSSF MYSQL Secret Update

Step 1 (1m): Login to the Bastion Host or a server from where kubectl can be executed.
Step 2 (1m): Delete the Kubernetes secret for MySQL:

$ kubectl delete secret <secret-name> -n <namespace>

Step 3 (2m): Update the yaml file from step 3 of the secret creation procedure with the new values for mysql-username and mysql-password.
Step 4 (1m): Execute kubectl create -f <yaml_file_name> -n <namespace> to create the secret.
Step 5 (1m): Verify whether the secret is created by executing the following command:

$ kubectl describe secret <secret-name> -n <namespace>

Security Edge Protection Proxy (SEPP) Security Recommendations and Procedures

This section provides Security Edge Protection Proxy (SEPP) specific security recommendations and procedures. Recommendations common to all 5G/4G are available in the Common Procedures Section.

OCSEPP Access Token Secret Configuration

Use the following procedure to create the access token secret:

Table 7-15 OCSEPP Access Token Secret Configuration

Step 1 (1m): Login to the Bastion Host or a server from where kubectl can be executed.
Step 2 (5m): Create the following file:
  • ECDSA private key with P-256 curve (Example: ecdsa_private_key_pkcs8.pem)
  Note: Creation of private keys, certificates and passwords is at the discretion of the user.
Step 3 (1m): Create the namespace for the secret by executing the following command:

$ kubectl create namespace seppsvc

Step 4 (2m): Create the Kubernetes secret for the access token by executing the following command:

$ kubectl create secret generic ocsepp-ipx-secret --from-file=ecdsa_private_key_pkcs8.pem -n seppsvc

OCSEPP Access Token Secret Update

Use the following procedure to update the access token secret:

Table 7-16 OCSEPP Access Token Secret Update

Step 1 (1m): Login to the Bastion Host or a server from where kubectl can be executed.
Step 2 (5m): Update the following file:
  • ECDSA private key with P-256 curve (Example: ecdsa_private_key_pkcs8.pem)
  Note: Update of private keys, certificates and passwords is at the discretion of the user.
Step 3 (2m): Update the secret with the new or updated details. Delete the secret:

$ kubectl delete secret ocsepp-ipx-secret -n seppsvc

Create the secret again with the updated details:

$ kubectl create secret generic ocsepp-ipx-secret --from-file=ecdsa_private_key_pkcs8.pem -n seppsvc
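The key files fed into the access-token secrets above (NRF, PCF, NSSF and the two SEPP tables) are easy to get subtly wrong: a private key that does not belong to the CA-signed certificate placed beside it, an EC key on a curve other than P-256 (which ES256 requires and the SEPP procedure asks for explicitly), or a SEC1/PKCS#1 file that is merely named *_pkcs8.pem. The shell functions below are an added pre-flight check, not part of the Oracle guide; they assume openssl on the Bastion host and the example file names used in the tables.

```shell
#!/usr/bin/env bash
# Added pre-flight checks for access-token key material; not part of the
# Oracle guide. Assumes openssl on the Bastion host and the example file
# names from the tables (e.g. ecdsa_private_key_pkcs8.pem).
set -eu

# SHA-256 fingerprint of the DER-encoded public key held in a private key file.
pubkey_fp_of_key() {
  openssl pkey -in "$1" -pubout -outform DER 2>/dev/null \
    | openssl dgst -sha256 | awk '{print $NF}'
}

# SHA-256 fingerprint of the DER-encoded public key inside an X.509 certificate.
pubkey_fp_of_cert() {
  openssl x509 -in "$1" -pubkey -noout 2>/dev/null \
    | openssl pkey -pubin -outform DER 2>/dev/null \
    | openssl dgst -sha256 | awk '{print $NF}'
}

# Succeeds only when the private key and the CA-signed certificate belong
# together, so the secret never pairs a key with somebody else's certificate.
key_matches_cert() {
  [ "$(pubkey_fp_of_key "$1")" = "$(pubkey_fp_of_cert "$2")" ]
}

# Succeeds only for an EC private key on the P-256 curve (prime256v1), the
# curve ES256 is defined on and the one the SEPP IPX secret requires.
is_p256_key() {
  text=$(openssl pkey -in "$1" -noout -text 2>/dev/null) || return 1
  case "$text" in
    *"ASN1 OID: prime256v1"*) return 0 ;;
    *) return 1 ;;
  esac
}

# Reports the PEM container of a private key from its first line, so that a
# file named *_pkcs8.pem really is PKCS#8 and *_pkcs1.pem really is PKCS#1.
key_format() {
  case "$(head -n 1 "$1")" in
    '-----BEGIN PRIVATE KEY-----')     echo pkcs8 ;;
    '-----BEGIN RSA PRIVATE KEY-----') echo pkcs1 ;;
    '-----BEGIN EC PRIVATE KEY-----')  echo sec1 ;;
    *)                                 echo unknown ;;
  esac
}

# Runs every check on one ECDSA key/certificate pair (NRF, PCF, NSSF tables),
# prints one line per result and returns non-zero if anything failed, so it
# can gate the `kubectl create secret` step.
check_access_token_files() {   # check_access_token_files <key.pem> <cert.crt>
  status=0
  key_matches_cert "$1" "$2" && echo "key/cert match: ok" || { echo "key/cert match: FAIL"; status=1; }
  is_p256_key "$1" && echo "P-256 curve: ok" || { echo "P-256 curve: FAIL"; status=1; }
  [ "$(key_format "$1")" = pkcs8 ] && echo "PKCS#8 container: ok" || { echo "PKCS#8 container: FAIL"; status=1; }
  return $status
}
```

For the SEPP IPX secret, which carries only the key, run is_p256_key and key_format on their own.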

Unified Data Repository (UDR) / Unstructured Data Storage Function (UDSF) Security Recommendations and Procedures

This section provides Unified Data Repository (UDR) / Unstructured Data Storage Function (UDSF) specific security recommendations and procedures. Recommendations common to all 5G/4G are available in the Common Procedures Section.

OCUDR MYSQL Kubernetes Secret for Storing Database Username and Password

Use the following procedure to create the MySQL Kubernetes secret:

Table 7-17 Creating OCUDR MYSQL Kubernetes Secret

Step 1 (1m): Login to the Bastion Host or a server from where kubectl can be executed.
Step 2: Create the namespace for the MySQL secret. Skip this step if it is already created.

$ kubectl create namespace <namespace>

Step 3 (1m): Create a yaml file with the username and password, using the syntax shown below (type is a top-level field of the Secret, not part of metadata):

apiVersion: v1
kind: Secret
metadata:
  name: <secret-name>
type: Opaque
data:
  dbname: dWRyZGI=
  dsusername: dWRydXNlcg==
  dspassword: dWRycGFzc3dk
  encryptionkey: TXkgc2VjcmV0IHBhc3NwaHJhc2U=

Note: The values for "dbname", "dsusername", "dspassword" and "encryptionkey" must be base64 encoded.
Step 4 (1m): Execute kubectl create -f <yaml_file_name> -n <namespace> to create the secret.
Step 5 (1m): Verify whether the secret is created by executing the following command:

$ kubectl describe secret <secret-name> -n <namespace>
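The hand-written Secret manifests in Tables 7-7, 7-8, 7-13 and 7-17 all follow the same pattern: an Opaque Secret whose data values must be base64 encoded by the operator. The shell helper below is an added example, not part of the Oracle guide; it builds such a manifest from plain key=value pairs (so no value is encoded by hand, and no trailing newline from echo sneaks into the credential), and decodes a key back out so the result can be checked before kubectl create -f. Secret names and the credentials used in the demo are constructed.

```shell
#!/usr/bin/env bash
# Added helper for building the Opaque Secret manifests used by the MySQL
# secret tables; not part of the Oracle guide. The secret names and the
# sample credentials below are constructed for the demo.
set -eu

# Base64-encode one value without the trailing newline that `echo` would add
# and without the 76-column wrapping that some base64 builds apply.
b64() {
  printf '%s' "$1" | base64 | tr -d '\n'
}

# secret_manifest <secret-name> <key=value>...
# Emits a Secret manifest with every value base64-encoded into the data: map.
# Note that type: Opaque is a top-level field, not part of metadata.
secret_manifest() {
  name=$1; shift
  printf 'apiVersion: v1\nkind: Secret\nmetadata:\n  name: %s\ntype: Opaque\ndata:\n' "$name"
  for kv in "$@"; do
    key=${kv%%=*}
    value=${kv#*=}          # everything after the first '=' (values may contain '=')
    printf '  %s: %s\n' "$key" "$(b64 "$value")"
  done
}

# decoded_value <manifest-text> <key>
# Decodes one data entry back to plain text so the operator can confirm what
# will land in the cluster; `kubectl describe secret` only shows byte counts.
decoded_value() {
  printf '%s\n' "$1" | awk -v k="$2" '$1 == k":" {print $2}' | base64 -d
}

# Constructed demo: a PCF/NSSF-style two-key secret and a UDR-style four-key one.
pcf_manifest=$(secret_manifest mysql-secret mysql-username=pcfusr mysql-password=pcfpasswd)
udr_manifest=$(secret_manifest udr-secret dbname=udrdb dsusername=udruser \
  dspassword=udrpasswd "encryptionkey=My secret passphrase")

printf '%s\n' "$pcf_manifest"
# When ready, pipe straight into kubectl instead of writing the file by hand:
#   secret_manifest mysql-secret mysql-username=... mysql-password=... | kubectl create -f - -n <namespace>
```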