1. Cloud Native Core Security Guide
  2. Cloud Native Core Console (CNCC) Security Recommendations and Procedures

8 Cloud Native Core Console (CNCC) Security Recommendations and Procedures

This section provides Cloud Native Core Console (CNCC) specific security recommendations and procedures. Recommendations common to all 5G/4G are available in the Common Procedures Section.

CNCC IAM MYSQL Secret Configuration

Use the following procedure to create Mysql kubernetes secret:

Table 8-1 CNCC IAM MYSQL Secret Configuration

Step Description Est time
1 Login to Bastion Host or server from where kubectl can be executed 1m
2 Create namespace for the secret by executing the following commands:

Verify whether the required namespace already exists in system by executing the following command:

$ kubectl get namespaces

If the output of the above command does not display the required namespace then create the namespace by executing following command:

$ kubectl create namespace <required namespace>

$ kubectl create namespace cncc

1m
3 Execute the following command to create the kubernetes secret for MySQL: 

kubectl create secret generic <database secret name> --from-literal=dbUserNameKey=<CNCC 
Mysql database username> --from-literal=dbPasswordKey=<CNCC Mysql database passsword> -n <Namespace of MYSQL secret
Execute the following command to verify the secret creation:

$ kubectl describe secret <database secret name> -n <Namespace of MYSQL secret>

Example:
$ kubectl create secret generic cncc-db-secret --from-literal=dbUserNameKey=root --from-
literal=dbPasswordKey=mypass -n cncc
$ kubectl describe secret cncc-db-secret -n cncc

 5m

CNCC IAM Default User (Admin) Secret Configuration

Use the following procedure to create default user (Admin) secret :

Table 8-2 CNCC IAM Default User (Admin) Secret Configuration

Step Description Est time
1 Login to Bastion Host or server from where kubectl can be executed 1m
2 Create namespace for the secret by executing the following commands:

Verify whether the required namespace already exists in system by executing the following command:

$ kubectl get namespaces

If the output of the above command does not display the required namespace then create the namespace by executing following command:

$ kubectl create namespace <required namespace>

$ kubectl create namespace cncc

1m
3 Execute the following command to create the kubernetes secret for MySQL for Admin User: 

$ kubectl create secret generic <secret-name> --from-literal=iamAdminPasswordKey=<password>
      --namespace <namespace>
Execute the following command to verify the secret creation:

$ kubectl describe secret <secret name> -n <namespace>

Example:
$ kubectl create secret generic cncc-iam-secret
        --from-literal=iamAdminPasswordKey=cncciampasswordvalue --namespace cncc
$ kubectl describe secret cncc-iam-secret -n cncc

 5m

CNCC IAM LDAP Configuration

Use the following procedure to configure CNCC IAM LDAP :

Table 8-3 CNCC IAM LDAP Configuration

Step Description Est time
1 Setting up User Federation with CNCC IAM by executing following steps:
  1. Login to CNCC IAM application.
  2. Select Cncc Realms and select User Federation; User federation Screen appears.
  3. Fill the necessary parameters and save.
  4. New buttons (Synchronize changed users, Synchronize all users, Remove imported, Unlink users) appears next to the Save and Cancel.
  5. If a user has to be import to CNCC-IAM, Click Synchronize all users.
  6. The user can view the imported users by clicking Users under Manage in the left pane and click View all users in the right pane.
 5m
2 Steps to add Group-Mapper and Assign Roles:
  1. Login to CNCC IAM application.
  2. Select Cncc Realms and select User Federation; User federation Screen apprears.
  3. Click Configure and select User Federation. Click ldap (Console Display Name) and select the Mappers tab, and click Create.
  4. The Add User federation mapper page appears. Select 'group-ldap-mapper' as Mapper Type drop down menu. Click Save.
  5. Enter the details in the new screen and Save.
  6. New buttons Synchronize LDAP Groups to Keyclaok and Synchronize Keyclaok Groups to LDAP appears.
  7. Click Synchronize LDAP Groups to Keyclaok.
  8. Select the Groups in the left pane and click the View all groups in the right pane.
  9. Click any group and click Edit. The following tabs appear: Settings, Attributes, Role Mappings, and Members.
  10. Select Role Mapping tab to see a list of roles that are pre-defined in cncc-iam.
  11. Select one or more roles from Available Roles and assign it to the group.
 5m

CNCC TLS Secret configuration

Use the following procedure to configure CNCC TLS Secret:

Table 8-4 CNCC IAM Secret Configuration to Enable HTTPS

Step Description Est time
1

To create kubernetes secret for HTTPS, following files are required:

  • ECDSA private key and CA signed certificate of CNCC (if initialAlgorithm is ES256)
  • RSA private key and CA signed certificate of CNCC (if initialAlgorithm is RSA256)
  • TrustStore password file
  • KeyStore password file
  • CA certificate

 1m
2 Create a secret by executing the following command:
$ kubectl create secret generic <secret-name> --fromfile=<ssl_ecdsa_private_key.pem>
      --from-file=<rsa_private_key_pkcs1.pem> --fromfile=<ssl_truststore.txt>
      --from-file=<ssl_keystore.txt> --from-file=<caroot.cer> --fromfile=<ssl_rsa_certificate.crt>
      --from-file=<ssl_ecdsa_certificate.crt> -n <Namespace of CNCC IAM Ingress Gateway
    secret>

Example:

$ kubectl create secret generic cncc-iam-ingress-secret
      --fromfile=ssl_ecdsa_private_key.pem  --from-file=rsa_private_key_pkcs1.pem
      --fromfile=ssl_truststore.txt --from-file=ssl_keystore.txt --from-file=caroot.cer
      --fromfile=ssl_rsa_certificate.crt --from-file=ssl_ecdsa_certificate.crt -n
    cncc
On successfully executing the above command, the following message will be displayed:

secret/cncc-iam-ingress-secret created

Execute the following command to verify the secret creation: :
$ kubectl describe secret cncc-iam-ingress-secret -n cncc
 1m
3 This section explains how to update the secrets for enabling HTTPS, if they already exist:Create a secret by executing the following command:
$ kubectl create secret generic <secret-name> --fromfile=<ssl_ecdsa_private_key.pem>
      --from-file=<rsa_private_key_pkcs1.pem> --fromfile=<ssl_truststore.txt>
      --from-file=<ssl_keystore.txt> --from-file=<caroot.cer> --fromfile=<ssl_rsa_certificate.crt>
      --from-file=<ssl_ecdsa_certificate.crt> --dry-run -o yaml -n <Namespace of CNCC IAM Ingress
      Gateway secret> | kubectl replace -f - -n <Namespace of CNCC IAM Ingress Gateway
    secret>

Example:

$ kubectl create secret generic cncc-iam-ingress-secret
      --fromfile=ssl_ecdsa_private_key.pem  --from-file=rsa_private_key_pkcs1.pem
      --fromfile=ssl_truststore.txt --from-file=ssl_keystore.txt --from-file=caroot.cer
      --fromfile=ssl_rsa_certificate.crt --from-file=ssl_ecdsa_certificate.crt --dry-run -o yaml -n
      cncc | kubectl replace -f - -n cncc
On successfully executing the above command, the following message will be displayed:

secret/cncc-iam-ingress-secret replaced

 5m

CNCC Core Secret Configuration to Enable HTTPS

Use the following procedure to configure CNCC Core Secret to Enable HTTPS:

Table 8-5 CNCC Core Secret Configuration to Enable HTTPS

Step Description Est time
1

To create kubernetes secret for HTTPS, following files are required:

  • ECDSA private key and CA signed certificate of CNCC (if initialAlgorithm is ES256)
  • RSA private key and CA signed certificate of CNCC (if initialAlgorithm is RSA256)
  • TrustStore password file
  • KeyStore password file
  • CA certificate

 1m
2 Create a secret by executing the following command:
$ kubectl create secret generic <secret-name> --fromfile=<ssl_ecdsa_private_key.pem>
      --from-file=<rsa_private_key_pkcs1.pem> --fromfile=<ssl_truststore.txt>
      --from-file=<ssl_keystore.txt> --from-file=<caroot.cer> --fromfile=<ssl_rsa_certificate.crt>
      --from-file=<ssl_ecdsa_certificate.crt> -n <Namespace of CNCC Core Ingress Gateway
    secret>

Example:

kubectl create secret generic cncc-core-ingress-secret --fromfile=ssl_ecdsa_private_key.pem 
      --from-file=rsa_private_key_pkcs1.pem --fromfile=ssl_truststore.txt
      --from-file=ssl_keystore.txt --from-file=caroot.cer --fromfile=ssl_rsa_certificate.crt
      --from-file=ssl_ecdsa_certificate.crt -n cncc    
    cncc
On successfully executing the above command, the following message will be displayed:

secret/cncc-core-ingress-secret created

Execute the following command to verify the secret creation:

$ kubectl describe secret cncc-core-ingress-secret -n cncc

 1m
3

This section explains how to update the secrets for enabling HTTPS, if they already exist:

Create a secret by executing the following command:
$ kubectl create secret generic <secret-name> --fromfile=<ssl_ecdsa_private_key.pem>
      --from-file=<rsa_private_key_pkcs1.pem> --fromfile=<ssl_truststore.txt>
      --from-file=<ssl_keystore.txt> --from-file=<caroot.cer> --fromfile=<ssl_rsa_certificate.crt>
      --from-file=<ssl_ecdsa_certificate.crt> --dry-run -o yaml -n <Namespace of CNCC Core Ingress
      Gateway secret> | kubectl replace -f - -n <Namespace of CNCC Core Ingress Gateway
    secret>

Example:

$ kubectl create secret generic cncc-core-ingress-secret
      --fromfile=ssl_ecdsa_private_key.pem  --from-file=rsa_private_key_pkcs1.pem
      --fromfile=ssl_truststore.txt --from-file=ssl_keystore.txt --from-file=caroot.cer
      --fromfile=ssl_rsa_certificate.crt --from-file=ssl_ecdsa_certificate.crt --dry-run -o yaml -n
      cncc | kubectl replace -f - -n cncc
On successfully executing the above command, the following message will be displayed:

secret/cncc-core-ingress-secret replaced

 5m