8 Cloud Native Core Console (CNCC) Security Recommendations and Procedures
This section provides Cloud Native Core Console (CNCC) specific security recommendations and procedures. Recommendations common to all 5G/4G network functions are available in the Common Procedures section.
CNCC IAM MYSQL Secret Configuration
Use the following procedure to create the MySQL Kubernetes secret:
- Log in to the Bastion Host or to any server from which kubectl can be executed.
- Create the namespace for the secret:
Verify whether the required namespace already exists by executing the following command:
$ kubectl get namespaces
If the output does not list the required namespace, create it:
$ kubectl create namespace <required namespace>
Example:
$ kubectl create namespace cncc
- Create the Kubernetes secret for MySQL and verify that it exists:
$ kubectl create secret generic <database secret name> --from-literal=dbUserNameKey=<CNCC MySQL database username> --from-literal=dbPasswordKey=<CNCC MySQL database password> -n <Namespace of MySQL secret>
$ kubectl describe secret <database secret name> -n <Namespace of MySQL secret>
Example:
$ kubectl create secret generic cncc-db-secret --from-literal=dbUserNameKey=root --from-literal=dbPasswordKey=mypass -n cncc
$ kubectl describe secret cncc-db-secret -n cncc
kubectl describe secret prints the key names and value sizes but never the values; that is the expected output. A password given with --from-literal is recorded in the shell history of the Bastion Host and is visible in the process list while the command runs, so clear the history afterwards or pass the values with --from-file from files readable only by their owner. The root account in the example is for illustration only; use a dedicated MySQL user whose privileges are limited to the CNCC IAM database.
CNCC IAM Default User (Admin) Secret Configuration
Use the following procedure to create the default user (Admin) secret:
- Log in to the Bastion Host or to any server from which kubectl can be executed.
- Create the namespace for the secret:
Verify whether the required namespace already exists by executing the following command:
$ kubectl get namespaces
If the output does not list the required namespace, create it:
$ kubectl create namespace <required namespace>
Example:
$ kubectl create namespace cncc
- Create the Kubernetes secret for the CNCC IAM default user (Admin) and verify that it exists:
$ kubectl create secret generic <secret-name> --from-literal=iamAdminPasswordKey=<password> --namespace <namespace>
$ kubectl describe secret <secret name> -n <namespace>
Example:
$ kubectl create secret generic cncc-iam-secret --from-literal=iamAdminPasswordKey=cncciampasswordvalue --namespace cncc
$ kubectl describe secret cncc-iam-secret -n cncc
This value is the initial password of the CNCC IAM admin account, which administers every realm in the console; choose a strong, unique value and never reuse the example shown here.
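The following script is an added example, not part of the CNCC documentation, that performs both of the secret procedures above (the MySQL secret and the default user secret) while keeping the passwords off the command line: it renders the same Secret manifest that kubectl create secret generic --dry-run=client -o yaml would produce and pipes it into kubectl apply, which creates the secret on first install and updates it on rotation. The secret names, key names and namespace are those of the procedure; the password file locations and the apply sub-command are illustrative assumptions.

```shell
#!/bin/sh
# Added example (not part of the CNCC documentation): create or update the
# CNCC IAM MySQL secret and the IAM default-user (Admin) secret with the
# passwords read from mode-0600 files instead of --from-literal arguments,
# so they do not end up in the Bastion Host's shell history or in `ps`
# output. Secret and key names follow the procedure; the password file
# paths and the "apply" sub-command are illustrative assumptions.
set -eu

# Single-line base64; works with GNU (which would otherwise need -w0) and BSD base64.
b64() { printf '%s' "$1" | base64 | tr -d '\n'; }

# secret_manifest NAME NAMESPACE KEY=VALUE [KEY=VALUE ...]
# Prints the Secret manifest that
# `kubectl create secret generic NAME --from-literal=KEY=VALUE --dry-run=client -o yaml`
# would print, so the caller can pipe it into kubectl without any literal on a command line.
secret_manifest() {
  name=$1; ns=$2; shift 2
  printf 'apiVersion: v1\nkind: Secret\nmetadata:\n  name: %s\n  namespace: %s\ntype: Opaque\ndata:\n' "$name" "$ns"
  for kv in "$@"; do
    printf '  %s: %s\n' "${kv%%=*}" "$(b64 "${kv#*=}")"
  done
}

# read_password FILE: first line of FILE, which must be readable by its owner only (mode 0600).
read_password() {
  f=$1
  [ -f "$f" ] || { echo "missing password file: $f" >&2; return 1; }
  [ "$(ls -l "$f" | cut -c5-10)" = "------" ] || { echo "$f must be mode 0600" >&2; return 1; }
  IFS= read -r line < "$f" || [ -n "$line" ]
  [ -n "$line" ] || { echo "$f is empty" >&2; return 1; }
  printf '%s' "$line"
}

# ensure_namespace NS: the namespace check and create steps of the procedure.
ensure_namespace() { kubectl get namespace "$1" >/dev/null 2>&1 || kubectl create namespace "$1"; }

# apply_cncc_secrets NS DB_USER DB_PASSWORD_FILE ADMIN_PASSWORD_FILE
# `kubectl apply` creates each secret on first install and updates it on rotation.
apply_cncc_secrets() {
  ns=$1; dbuser=$2
  dbpass=$(read_password "$3")
  adminpass=$(read_password "$4")
  ensure_namespace "$ns"
  secret_manifest cncc-db-secret "$ns" "dbUserNameKey=$dbuser" "dbPasswordKey=$dbpass" | kubectl apply -f -
  secret_manifest cncc-iam-secret "$ns" "iamAdminPasswordKey=$adminpass" | kubectl apply -f -
  # describe shows key names and value sizes only, never the values: that is the expected output.
  kubectl describe secret cncc-db-secret cncc-iam-secret -n "$ns"
}

# Usage (assumed paths): sh cncc-secrets.sh apply cncc cncc_iam /root/.cncc/db.pass /root/.cncc/admin.pass
if [ "${1:-}" = "apply" ]; then shift; apply_cncc_secrets "$@"; fi
```

Because the manifest is piped rather than written to disk, no file containing the base64-encoded password is left on the Bastion Host; base64 is an encoding, not encryption, so such a file would be as sensitive as the password itself.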
CNCC IAM LDAP Configuration
Use the following procedure to configure CNCC IAM LDAP:
- Set up User Federation with CNCC IAM:
- Log in to the CNCC IAM application.
- Select the Cncc realm and then User Federation. The User Federation screen appears.
- Fill in the necessary parameters and save. Use an ldaps:// Connection URL so that bind credentials and user attributes are not sent in clear text, and use a bind account dedicated to this integration with read-only access to the directory.
- The Synchronize changed users, Synchronize all users, Remove imported and Unlink users buttons appear next to Save and Cancel.
- To import users into CNCC IAM, click Synchronize all users.
- To view the imported users, click Users under Manage in the left pane and then View all users in the right pane.
- Add a group mapper and assign roles:
- Log in to the CNCC IAM application.
- Select the Cncc realm, click Configure and then User Federation. Click ldap (the Console Display Name), select the Mappers tab and click Create.
- The Add user federation mapper page appears. Select group-ldap-mapper from the Mapper Type drop-down list and click Save.
- Enter the details in the new screen and save.
- The Synchronize LDAP Groups to Keycloak and Synchronize Keycloak Groups to LDAP buttons appear.
- Click Synchronize LDAP Groups to Keycloak.
- Select Groups in the left pane and click View all groups in the right pane.
- Click a group and click Edit. The Settings, Attributes, Role Mappings and Members tabs appear.
- Select the Role Mappings tab to see the list of roles pre-defined in cncc-iam.
- Select one or more roles from Available Roles and assign them to the group. Assign only the roles the group's members need: every LDAP user synchronized into the group inherits them.
CNCC TLS Secret Configuration
Use the following procedure to configure the CNCC TLS secret for the CNCC IAM Ingress Gateway:
- To create the Kubernetes secret for HTTPS, the following files are required:
- ECDSA private key and CA-signed certificate of CNCC (if initialAlgorithm is ES256)
- RSA private key and CA-signed certificate of CNCC (if initialAlgorithm is RSA256)
- TrustStore password file
- KeyStore password file
- CA certificate
- Create the secret by executing the following command:
$ kubectl create secret generic <secret-name> --from-file=<ssl_ecdsa_private_key.pem> --from-file=<rsa_private_key_pkcs1.pem> --from-file=<ssl_truststore.txt> --from-file=<ssl_keystore.txt> --from-file=<caroot.cer> --from-file=<ssl_rsa_certificate.crt> --from-file=<ssl_ecdsa_certificate.crt> -n <Namespace of CNCC IAM Ingress Gateway secret>
Example:
$ kubectl create secret generic cncc-iam-ingress-secret --from-file=ssl_ecdsa_private_key.pem --from-file=rsa_private_key_pkcs1.pem --from-file=ssl_truststore.txt --from-file=ssl_keystore.txt --from-file=caroot.cer --from-file=ssl_rsa_certificate.crt --from-file=ssl_ecdsa_certificate.crt -n cncc
secret/cncc-iam-ingress-secret created
Execute the following command to verify the secret creation:
$ kubectl describe secret cncc-iam-ingress-secret -n cncc
Each --from-file entry becomes a key in the secret named after the file, which is why the file names should be kept as shown. Keep the private key files readable only by their owner on the Bastion Host and remove them once the secret has been created and verified.
- To update the secrets for enabling HTTPS if they already exist, for example after the certificates have been renewed, render the secret manifest and replace the existing object in one command:
$ kubectl create secret generic <secret-name> --from-file=<ssl_ecdsa_private_key.pem> --from-file=<rsa_private_key_pkcs1.pem> --from-file=<ssl_truststore.txt> --from-file=<ssl_keystore.txt> --from-file=<caroot.cer> --from-file=<ssl_rsa_certificate.crt> --from-file=<ssl_ecdsa_certificate.crt> --dry-run=client -o yaml -n <Namespace of CNCC IAM Ingress Gateway secret> | kubectl replace -f - -n <Namespace of CNCC IAM Ingress Gateway secret>
Example:
$ kubectl create secret generic cncc-iam-ingress-secret --from-file=ssl_ecdsa_private_key.pem --from-file=rsa_private_key_pkcs1.pem --from-file=ssl_truststore.txt --from-file=ssl_keystore.txt --from-file=caroot.cer --from-file=ssl_rsa_certificate.crt --from-file=ssl_ecdsa_certificate.crt --dry-run=client -o yaml -n cncc | kubectl replace -f - -n cncc
secret/cncc-iam-ingress-secret replaced
The first kubectl only renders the manifest (--dry-run=client; older kubectl releases accept the bare --dry-run with a deprecation warning) and the second replaces the secret. kubectl replace fails if the secret does not exist yet; in that case use the create command above.
CNCC Core Secret Configuration to Enable HTTPS
Use the following procedure to configure the CNCC Core secret to enable HTTPS. The files, key names and handling are the same as for the CNCC IAM Ingress Gateway secret; only the secret name differs.
- To create the Kubernetes secret for HTTPS, the following files are required:
- ECDSA private key and CA-signed certificate of CNCC (if initialAlgorithm is ES256)
- RSA private key and CA-signed certificate of CNCC (if initialAlgorithm is RSA256)
- TrustStore password file
- KeyStore password file
- CA certificate
- Create the secret by executing the following command:
$ kubectl create secret generic <secret-name> --from-file=<ssl_ecdsa_private_key.pem> --from-file=<rsa_private_key_pkcs1.pem> --from-file=<ssl_truststore.txt> --from-file=<ssl_keystore.txt> --from-file=<caroot.cer> --from-file=<ssl_rsa_certificate.crt> --from-file=<ssl_ecdsa_certificate.crt> -n <Namespace of CNCC Core Ingress Gateway secret>
Example:
$ kubectl create secret generic cncc-core-ingress-secret --from-file=ssl_ecdsa_private_key.pem --from-file=rsa_private_key_pkcs1.pem --from-file=ssl_truststore.txt --from-file=ssl_keystore.txt --from-file=caroot.cer --from-file=ssl_rsa_certificate.crt --from-file=ssl_ecdsa_certificate.crt -n cncc
secret/cncc-core-ingress-secret created
Execute the following command to verify the secret creation:
$ kubectl describe secret cncc-core-ingress-secret -n cncc
- To update the secrets for enabling HTTPS if they already exist, render the secret manifest and replace the existing object in one command:
$ kubectl create secret generic <secret-name> --from-file=<ssl_ecdsa_private_key.pem> --from-file=<rsa_private_key_pkcs1.pem> --from-file=<ssl_truststore.txt> --from-file=<ssl_keystore.txt> --from-file=<caroot.cer> --from-file=<ssl_rsa_certificate.crt> --from-file=<ssl_ecdsa_certificate.crt> --dry-run=client -o yaml -n <Namespace of CNCC Core Ingress Gateway secret> | kubectl replace -f - -n <Namespace of CNCC Core Ingress Gateway secret>
Example:
$ kubectl create secret generic cncc-core-ingress-secret --from-file=ssl_ecdsa_private_key.pem --from-file=rsa_private_key_pkcs1.pem --from-file=ssl_truststore.txt --from-file=ssl_keystore.txt --from-file=caroot.cer --from-file=ssl_rsa_certificate.crt --from-file=ssl_ecdsa_certificate.crt --dry-run=client -o yaml -n cncc | kubectl replace -f - -n cncc
secret/cncc-core-ingress-secret replaced
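Nothing in the two TLS procedures above checks that the files belong together before they are loaded into the cluster, and a mismatched key and certificate, a certificate that does not chain to caroot.cer, or an already expired certificate only shows up later as a failed handshake at the gateway. The following script is an added example, not part of the CNCC documentation, that runs those checks with openssl on the files the procedures list and then creates the secret, or replaces it if it already exists, in one step; it serves both the CNCC IAM and the CNCC Core ingress gateway secrets. The file names are the ones the procedures use; the secret name, namespace, directory and the install sub-command are illustrative assumptions.

```shell
#!/bin/sh
# Added example (not part of the CNCC documentation): validate the HTTPS
# material before loading it into an ingress gateway secret, then create the
# secret or replace it if it already exists. Serves both the CNCC IAM and the
# CNCC Core ingress gateway procedures. File names are the ones the procedure
# lists; secret name, namespace, directory and the "install" sub-command are
# illustrative assumptions. Needs openssl and kubectl on the Bastion Host.
set -eu

# check MESSAGE COMMAND [ARGS...]: run one check and report it by name on failure.
check() { msg=$1; shift; "$@" || { echo "FAIL: $msg" >&2; return 1; }; }

# key_matches_cert KEY CERT: the certificate must carry the public key of the
# private key, otherwise the gateway cannot complete a TLS handshake.
# Works for the ECDSA pair and the RSA (PKCS#1) pair alike.
key_matches_cert() {
  [ "$(openssl pkey -in "$1" -pubout 2>/dev/null)" = "$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null)" ]
}

# cert_chains_to_ca CERT CA_FILE: the CA-signed certificate must verify
# against the CA certificate that goes into the same secret.
cert_chains_to_ca() { openssl verify -CAfile "$2" "$1" >/dev/null 2>&1; }

# cert_valid_for CERT SECONDS: not expired and not expiring within SECONDS.
cert_valid_for() { openssl x509 -in "$1" -noout -checkend "$2" >/dev/null 2>&1; }

# preflight DIR: every check on the files the procedure lists; 30 days of
# remaining validity are required so that the next rotation can be planned.
preflight() {
  d=$1
  check "ECDSA key matches ECDSA certificate" key_matches_cert "$d/ssl_ecdsa_private_key.pem" "$d/ssl_ecdsa_certificate.crt" || return 1
  check "RSA key matches RSA certificate" key_matches_cert "$d/rsa_private_key_pkcs1.pem" "$d/ssl_rsa_certificate.crt" || return 1
  check "ECDSA certificate chains to caroot.cer" cert_chains_to_ca "$d/ssl_ecdsa_certificate.crt" "$d/caroot.cer" || return 1
  check "RSA certificate chains to caroot.cer" cert_chains_to_ca "$d/ssl_rsa_certificate.crt" "$d/caroot.cer" || return 1
  check "ECDSA certificate valid for 30 days" cert_valid_for "$d/ssl_ecdsa_certificate.crt" 2592000 || return 1
  check "RSA certificate valid for 30 days" cert_valid_for "$d/ssl_rsa_certificate.crt" 2592000 || return 1
  check "truststore password file present" test -s "$d/ssl_truststore.txt" || return 1
  check "keystore password file present" test -s "$d/ssl_keystore.txt" || return 1
}

# install_secret NAME NAMESPACE DIR: `kubectl apply` of the rendered manifest
# creates the secret when it is absent and replaces its contents when it
# exists, which covers both the create and the replace command of the
# procedure. --dry-run=client is the current spelling of the bare --dry-run.
install_secret() {
  name=$1; ns=$2; d=$3
  preflight "$d" || return 1
  kubectl create secret generic "$name" -n "$ns" \
    --from-file="$d/ssl_ecdsa_private_key.pem" --from-file="$d/rsa_private_key_pkcs1.pem" \
    --from-file="$d/ssl_truststore.txt" --from-file="$d/ssl_keystore.txt" \
    --from-file="$d/caroot.cer" --from-file="$d/ssl_rsa_certificate.crt" \
    --from-file="$d/ssl_ecdsa_certificate.crt" --dry-run=client -o yaml \
    | kubectl apply -f -
  kubectl describe secret "$name" -n "$ns"
}

# Usage (assumed paths): sh tls-secret.sh install cncc-core-ingress-secret cncc /root/cncc-core-tls
if [ "${1:-}" = "install" ]; then shift; install_secret "$@"; fi
```

Because --from-file with a path uses the file's base name as the key, the keys in the resulting secret are exactly those of the procedure. The public-key comparison is what makes the key/certificate check algorithm-independent: both openssl pkey -pubout and openssl x509 -pubkey print the SubjectPublicKeyInfo in PEM form, so the same test covers the ES256 and the RSA material.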
CNCC IAM SAML Configuration
- To configure a SAML identity provider (IdP) in CNCC IAM, log in to the CNCC IAM console using the admin credentials provided during the installation of CNCC IAM.
- Select the Cncc realm and then Identity Providers in the left pane. The Identity Providers screen appears in the right pane.
- From the Add provider drop-down list, select saml. The Add Identity Provider screen appears.
- To create a custom First Login Flow, click Authentication in the left pane. The Authentication screen appears.
- Click New in the right pane. The Create Top Level Form screen appears. Enter an appropriate alias and click Save.
- The Authentication screen appears with the newly created custom flow selected in the drop-down list. Click Add Execution in the right pane.
- The Create Authenticator Execution screen appears. Select Create User If Unique from the Provider drop-down list and click Save.
- The Authentication screen appears with the custom flow selected in the drop-down list. Under Requirement, select Alternative for the Create User If Unique execution.
- Select Identity Providers in the left pane, open the saml provider created above and select the custom flow from the First Login Flow drop-down list.
With this flow, CNCC IAM creates a local user automatically on the first successful SAML login, so account provisioning in CNCC IAM is controlled entirely by whom the IdP asserts; restrict the application on the IdP side to the users who should reach the console.