4G/5G Core Network Function Security Recommendations and Procedures

Network Repository Function (NRF) Security Recommendations and Procedures

This section provides Network Repository Function (NRF) specific security recommendations and procedures. Recommendations common to all 5G/4G are available in the Common Procedures Section.

The procedures are:

NRF Access Token Secret Configuration

Use the following procedure to create access token secret :

Create the following files:
- ECDSA private key and CA signed certificate of OCNRF (if initialAlgorithm is ES256)
- RSA private key and CA signed certificate of OCNRF (if initialAlgorithm is RS256)
- KeyStore password file
Note: Creation of private keys, certificates and passwords are at the discretion of user.
Login to Bastion Host or server from where kubectl can be executed.
Create namespace for the secret by following:
1. Verify required namespace already exists in system:
```
$ kubectl get namespaces
```
2. In the output of the above command, check if required namespace is available. If not available, create the namespace using following command:
  Note: This is an optional step. In case required namespace already exists, proceed with next procedures.
```
$ kubectl create namespace <required namespace>
```
  Example:
```
$ kubectl create namespace ocnrf
```
Create kubernetes secret for Access token by following :
1. To create kubernetes secret for HTTPS, following files are required:
  - ECDSA private key and CA signed certificate of OCNRF (if initialAlgorithm is ES256)
  - RSA private key and CA signed certificate of OCNRF (if initialAlgorithm is RS256)
  - KeyStore password file
  Note:Creation process for private keys, certificates and passwords is on discretion of user/operator.
2. Execute the following command to create secret. The names used below are same as provided in custom values.yaml in OCNRF deployment:
```
$ kubectl create secret generic <ocnrfaccesstoken-secret-name>  --from-file=<ecdsa_private_key.pem>
 --from-file=<rsa_private_key.pem>  --from-file=<ssl_truststore.txt> --from-file=<keystore_password.txt> 
  --from-file=rsa_certificate.crt --from-file=<ecdsa_certificate.crt> -n <Namespace of OCNRF AccessToken secret>
```
  Note: Note down the command used during the creation of kubernetes secret, this command will be used for updates in future.
```
$ kubectl create secret generic ocnrfaccesstoken-secret  --from-file=ecdsa_private_key.pem 
--from-file=rsa_private_key.pem  --from-file=ssl_truststore.txt --from-file=keystore_password.txt  --from-file=
rsa_certificate.crt --from-file=ecdsa_certificate.crt -n ocnrf
```
3. Execute the following command to verify secret created:
```
$ kubectl describe secret <ocnrfaccesstoken-secret-name> -n <Namespace of OCNRF AccessToken secret>
```
  Example:
```
 $ kubectl describe secret ocnrfaccesstoken-secret -n ocnrf
```

NRF Access Token Secret Update

Use the following procedure to update access token secret:

Update the following files:
- ECDSA private key and CA signed certificate of OCNRF (if initialAlgorithm is ES256)
- RSA private key and CA signed certificate of OCNRF (if initialAlgorithm is RS256)
- KeyStore password file
Note: Update of private keys, certificates and passwords are at the discretion of user.
Login to Bastion Host or server from where kubectl can be executed

Update the secret with new/updated details by following:

Copy the exact command used in above section during creation of secret.
Update the same command with string "--dry-run -o yaml" and "kubectl replace -f - -n <Namespace of Access Token secret>".

Create secret command will look like:

kubectl create secret generic <ocnrfaccesstoken-secret>  --from-file=<ecdsa_private_key.pem> 
 --from-file=<rsa_private_key.pem>  --from-file=<ssl_truststore.txt> --from-file=<keystore_password.txt> 
  --from-file=<rsa_certificate.crt> --from-file=<ecdsa_certificate.crt> --dry-run -o yaml -n 
 <Namespace of Access Token secret> | kubectl replace -f - -n <Namespace of Access Token secret>Copy

Example: The names used below are same as provided in custom_values.yaml in OCNRF deployment:

$ kubectl create secret generic ocnrfaccesstoken-secret  --from-file=ecdsa_private_key.pem --from-file=rsa_private_key.pem
  --from-file=ssl_truststore.txt --from-file=keystore_password.txt  --from-file=rsa_certificate.crt --from-file=ecdsa_certificate.crt 
--dry-run -o yaml -n ocnrf | kubectl replace -f - -n ocnrfCopy

Execute the updated command.
After successful secret update, the following message is displayed:
```
secret/<ocnrfaccesstoken-secret> replaced
```

OCNRF MYSQL Secret Configuration

This section describes the secret creation for two type of OCNRF users. Different users has different set of permissions.

OCNRF privileged user : This catogory of user has complete set of permissions. The user can perform DDL and DML operations to perform install/upgrade/rollback or delete operations.
OCNRF application user : This catogory of user has less set of permissions and will be used by OCNRF application during service operations handling. The user can insert, update, get, remove the records. This user can't create, alter and drop the database as wells as tables

Kubernetes secret creation for OCNRF privilaged database user

This section explains the steps to create kubernetes secrets for accessing OCNRF database for the privileged user.

Login to Bastion Host or server from where kubectl can be executed.
Create namespace for the secret by following:
1. Verify required namespace already exists in system:
```
$ kubectl get namespaces
```
2. In the output of the above command, check if required namespace is available. If not available, create the namespace using following command:
  Note:This is an optional step. In case required namespace already exists, proceed with next procedures.
```
$ kubectl create namespace <required namespace>
```
  For example:
```
$ kubectl create namespace ocnrf
```

Create kubernetes secret for privileged user as follows:

Create kubernetes secret for MySQL:

$ kubectl create secret generic <privileged user secret name> --from-literal=dbUsername=<OCNRF Privileged Mysql database username> --from-literal=dbPassword=<OCNRF Privileged Mysql User database passsword> --from-literal=appDbName=<OCNRF Mysql database name> --from-literal=networkScopedDbName=<OCNRF Mysql Network database name> -n <Namespace of OCNRF deployment>

Note:

Note down the command used during the creation of kubernetes secret, this command is used for updates in future.

Example:

$ kubectl create secret generic privilegeduser-secret --from-literal=dbUsername=nrfPrivilegedUsr --from-literal=dbPassword=nrfPrivilegedPasswd --from-literal=appDbName=nrfApplicationDb --from-literal=networkScopedDbName=nrfNetworkDB -n ocnrf

Verify the secret created using above command:

$ kubectl describe secret <database secret name> -n <Namespace of OCNRF deployment>

Example:

$ kubectl describe secret privilegeduser-secret -n ocnrf

Kubernetes secret update for OCNRF privileged database user

This section explains the steps to update kubernetes secrets for accessing OCNRF database for the privileged user.

Login to Bastion Host or server from where kubectl can be executed.

This section describes the steps to update the secrets. Update Kubernetes secret for privileged user as follows:

Copy the exact command used in section during creation of secret:

$ kubectl create secret generic <privileged user secret name> --from-literal=dbUsername=<OCNRF Privileged Mysql database username> --from-literal=dbPassword=<OCNRF Privileged Mysql database password> --from-literal=appDbName=<OCNRF Mysql database name> --from-literal=networkScopedDbName=<OCNRF Mysql Network database name> -n <Namespace of OCNRF deployment>

Update the same command with string "--dry-run -o yaml" and "kubectl replace -f - -n <Namespace of MYSQL secret>". After update, the command will be as follows:

$ kubectl create secret generic <privileged user secret name> --from-literal=dbUsername=<OCNRF Privileged Mysql database username> --from-literal=dbPassword=<OCNRF Privileged Mysql database password> --from-literal=appDbName=<OCNRF Mysql database name> --from-literal=networkScopedDbName=<OCNRF Mysql Network database name> --dry-run -o yaml -n <Namespace of OCNRF deployment> | kubectl replace -f - -n <Namespace of OCNRF deployment>

Execute the updated command. The following message is displayed:
```
secret/<database secret name> replaced
```

Kubernetes secret creation for OCNRF application database user

This section explains the steps to create kubernetes secrets for accessing OCNRF database for the application database user.

Login to Bastion Host or server from where kubectl can be executed.
Create namespace for the secret by following:
1. Verify required namespace already exists in system:
```
$ kubectl get namespaces
```
2. In the output of the above command, check if required namespace is available. If not available, create the namespace using following command:
  Note: This is an optional step. In case required namespace already exists, proceed with next procedures.
```
$ kubectl create namespace <required namespace>
```
  Example:
```
$ kubectl create namespace ocnrf
```

Create kubernetes secret for OCNRF application database user for configuring records is as follows:

Create kubernetes secret for OCNRF application database user:

$ kubectl create secret generic <appuser-secret name> --from-literal=dbUsername=<OCNRF APPLICATION User Name> --from-literal=dbPassword=<Password for OCNRF APPLICATION User> --from-literal=appDbName=<OCNRF Application Database> -n <Namespace of OCNRF deployment>

Note:

Note down the command used during the creation of kubernetes secret, this command will be used for updates in future.

Example:

$ kubectl create secret generic appuser-secret --from-literal=dbUsername=nrfApplicationUsr --from-literal=dbPassword=nrfApplicationPasswd --from-literal=appDbName=nrfApplicationDB -n ocnrf

Verify the secret creation:

$ kubectl describe secret <appuser-secret name> -n <Namespace of OCNRF deployment>

Example:

$ kubectl describe secret appuser-secret -n ocnrf

Kubernetes secret update for OCNRF application database user

This section explains the steps to update kubernetes secrets for accessing OCNRF database for the application database user.

Login to Bastion Host or server from where kubectl can be executed.

This section explains how to update the kubernetes secret.

Copy the exact command used in above section during creation of secret:

$ kubectl create secret generic <appuser-secret name> --from-literal=dbUsername=<OCNRF APPLICATION
 User Name> --from-literal=dbPassword=<Password for OCNRF APPLICATION User> --from-literal=appDbName=<OCNRF 
Application Database> -n <Namespace of OCNRF deployment>

Update the same command with string "--dry-run -o yaml" and "kubectl replace -f - -n <Namespace of MYSQL secret>". After update, the command will be as follows:

$ kubectl create secret generic <database secret name> --from-literal=dbUsername=<OCNRF APPLICATION 
User Name> --from-literal=dbPassword=<Password for OCNRF APPLICATION User> --from-literal=appDbName=<OCNRF 
Application Database> --dry-run -o yaml -n <Namespace of OCNRF deployment> | kubectl replace -f - -n <Namespace 
of OCNRF deployment>

Execute the updated command. The following message is displayed:
```
secret/<database secret name> replaced
```

Cloud Native Core Policy Security Recommendations and Procedures

Access Token configuration

This section provides Cloud Native Core Policy specific security recommendations and procedures. Recommendations common to all 5G/4G are available in the Common Procedures Section.

The procedures are:

Use the following procedure to create access token :

Create following files:
ECDSA private key (Example: ecdsa_private_key_pkcs8.pem)

RSA private key (Example:rsa_private_key_pkcs1.pem)

TrustStore password file (Example: trustStorePassword.txt)

KeyStore password file (Example: keyStorePassword.txt)

CA signed ECDSA OCPolicy certificate (Example: ecdsa_occnp_certificate.crt)

CA signed RSA OCPolicy certificate (Example: rsa_occnp_certificate.crt)

Note: Creation of private keys, certificates and passwords are at the discretion of user.
Login to Bastion Host or server from where kubectl can be executed.
Create namespace for the secret:
```
$ kubectl create namespace occnp
```

Create kubernetes secret for NF Access token :

Note: The filenames in below command are same as in Step 1

$ kubectl create secret generic ocpcfaccesstoken-secret --from-file=
ecdsa_private_key_pkcs8.pem --from-file=rsa_private_key_pkcs1.pem --from-file=
trustStorePassword.txt --from-file=keyStorePassword.txt --from-file=
ecdsa_ocpcf_certificate.crt--from-file=rsa_ocpcf_certificate.crt -n ocpcf

Verify that secret is create successfully:

$ kubectl describe secret ocpcfaccesstoken-secret -n ocpcf

Update Keys to Sign JSON Web Token (JWTs) for Access Token

Use the following procedure to update keys to sign JSON web token (JWTs) for access token:

Update the following files:

ECDSA private key (Example: ecdsa_private_key_pkcs8.pem)

RSA private key (Example: rsa_private_key_pkcs1.pem)

CA signed ECDSA OCPolicy certificate (Example: ecdsa_occnp_certificate.crt)

CA signed RSA OCPolicy certificate (Example: rsa_occnp_certificate.crt)

Note: Update of private keys, certificates and passwords are at the discretion of user
Login to Bastion host or server from where kubectl can be executed.
Update the secret with new/updated details:

Delete the secret by executing the following command:

$ kubectl delete secret ocpcfaccesstoken-secret -n ocpcf

Create the secret with updated details:

$ kubectl create secret generic ocpcfaccesstoken-secret --from-file=ecdsa_private_key_pkcs8.pem --from-file=rsa_private_key_pkcs1.pem --from-file=trustStorePassword.txt --from-file=keyStorePassword.txt --from-file=ecdsa_occnp_certificate.crt--from-file=rsa_ocpcf_certificate.crt -n occnp

Create CNC Policy MYSQL Kubernetes Secret for Storing Database Username and Password for Admin and Application Users

Use the following procedure to create OCPolicy MYSQL kubernetes secret for storing database username and password:

Login to Bastion Host or server from where kubectl can be executed.
Create namespace for the mysql secret. Skip this step, if already created.
$ kubectl create namespace <namespace>
To create a kubernetes secret for storing database username and password for an admin user and an application user:
1. Create a yaml file with the application user's username and password with the syntax shown below:
  
  Note:
  The values mentioned in the right side of column (:) are examples.
```
apiVersion: v1
kind: Secret
metadata:
  name: occnp-db-pass
type: Opaque
data:
  mysql-username: b2NjbnB1c3I=
  mysql-password: b2NjbnBwYXNzd2Q=
```
2. Create a yaml file with the admin user's username and password with the syntax shown below:
  
  Note:
  The values mentioned in the right side of column (:) are examples.
```
apiVersion: v1
kind: Secret
metadata:
  name: occnp-admin-db-pass
type: Opaque
data:
  mysql-username: b2NjbnBhZG1pbnVzcg==
  mysql-password: b2NjbnBhZG1pbnBhc3N3ZA==
```
  Note:
  'name' will be used for the dbCredSecretName and privilegedDbCredSecretName parameters in the CNC Policy custom-values.yaml file.
  
  Note:
  The values for mysql-username and mysql-password should be base64 encoded.
3. Execute the following commands to add the kubernetes secrets in a namespace:
```
kubectl create -f yaml_file_name1 -n release_namespace
kubectl create -f yaml_file_name2 -n release_namespace
```
  where:
  release_namespace is the deployment namespace used by the helm command.
  
  yaml_file_name1 is a name of the yaml file that is created in step a.
  
  yaml_file_name2 is a name of the yaml file that is created in step b.
Verify the whether the secret is created by executing the following command:
```
$ kubectl describe secret <secret-name> -n <namespace>
```

Create a Kubernetes Secret for Storing LDAP credentials

Use the following procedure to create a kubernetes secret for storing LDAP credentials:

Create a yaml file with the following syntax:

Note:
The values mentioned in the right side of column (:) are examples.
```
apiVersion: v1 
kind: Secret 
metadata:  
  name: secretarial  
  labels:    
    type: ocpm.secret.ldap 
type: Opaque 
stringData:  
  name: "ldap1"  
  password: "camiant"  
  authDn: "uid=PolicyServer,ou=vodafone,c=hu,o=vodafone"
```
where,

name is the configured LDAP server name.

password is the LDAP credential for that data source.

authDN is the authentication DN for that LDAP data source.
Create the secret by executing the following command: kubectl apply -f yaml_file_name -n <namespace>
here:
yaml_file_name is a name of the yaml file that is created in step 1.
<namespace> is the deployment namespace used by the helm command.

Cloud Native Diameter Routing Agent (cnDRA) Security Recommendations and Procedures

This section provides cloud native Diameter Routing Agent (cnDRA) specific security recommendations and procedures. Recommendations common to all 5G/4G are available in the Common Procedures Section.

The procedures are:

User (OAM) Authentication and Authorization

cnDRA supports REST based MMI interface. There is no GUI provided in the current cnDRA release.
The MMI interface is based on fixed user and password, using which the security token is requested by REST client from cnDRA.
cnDRA does not allow or support configuration or modify these credentials (user and password).

Authentication and Authorization of Applications

cnDRA currently supports TCP based signaling traffic connection towards the Remote Peer Nodes. These connections are not currently secured via TLS etc mechanism. Currently there is no plan to enable securing of the application/Diameter traffic.

Cloud Native Core Ingress/Egress Gateways Security Recommendations and Procedures

This section provides Ingress/Egress Gateway specific security recommendations and procedures. Recommendations common to all 5G/4G are available in the Common Procedures Section.

The procedures are:

Enabling TLS and Ciphers in Ingress/Egress Gateway

Use the following procedure to enable the TLS and Ciphers :

Helm Configuration to enable TLS:

To open Https port in Ingress gateway: configure in helm enableIncomingHttps: true

To have a Https client configured in Egress gateway: configure in helm enableOutgoingHttps: true
Create following files:
1. RSA or ECDSA Private key (Example: rsa_private_key_pkcs1.pem)
2. Trust store password (Example: trust.txt)
3. Key store password(Example: key.txt)
4. Certificate chain for trust store (Example: caroot.cer)
5. Signed server certificate (Example: ocingress.cer) or Signed client certificate (Example: ocegress.cer)
Note: Creation of private keys, certificates and passwords are at the discretion of user.

Create secret by executing following command:

$ kubectl create secret generic ocingress-secret --from-file=rsa_private_key_pkcs1.pem 
--from-file=trust.txt --from-file=key.txt --from-file=ocingress.cer --from-file=caroot.cer -n ocingress

Enable cipher suites:

# Cipher Suites to be enabled on Server side (Ingress Gateway),

# Cipher Suites to be enabled on Client side (Egress Gateway),

cipherSuites:


-TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 
- TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 
- TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 
- TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 
- TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 
- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256

Certificate Management and Dynamic reload of certificates in Gateways

Whenever certificates gets compromised or a new certificate chain is required to be added to the truststore, we can update the key and truststore used by the application.

To update the key and the truststore, update or replace the secret:

Command:

$ kubectl create secret generic ocingress-secret --from-file=rsa_private_key_pkcs1.pem
 --from-file=trust.txt --from-file=key.txt --from-file=tmp.cer --from-file=caroot.cer --dry-run -o yaml
 -n ocingress| kubectl replace -f - -n ocingress

Whenever there is an update in the certificate chain or signed certificate placed in secret, kubernetes watcher which is implemented in update container will check for change in file state and replace the key and truststore accordingly in the mounted shared volume.

Dynamic reload of certificates is not supported in Ingress Gateway as of now, so a manual restart of pod is required when any update in the configuration is made with respect to https.

In case of Egress Gateway update container will trigger the rest end point to dynamically reload key and truststore. Then egress gateway will pickup new store files from shared volume and reload trust and key managers. Egress gateway will use the replaced store to establish new connections and gracefully terminate existing connections by sending a GOAWAY frame.

Service Communication Proxy (SCP) Security Recommendations And Procedures

This section provides Service Communication Proxy Function (SCP) specific security recommendations and procedures. Recommendations common to all 5G/4G are available in the Common Procedures Section.

The procedures are:

OCSCP MYSQL Secret configuration

Use the following procedure to create Mysql kubernetes secret:

Login to Bastion Host or server from where kubectl can be executed.
Create namespace for the mysql secret. Skip this step, if already created.
```
$ kubectl create namespace <namespace>
```
Example:
```
$ kubectl create namespace ocscp
```

Execute the following command to create the secret for MySQL:

kubectl create secret generic appusersecret --fromliteral=DB_USERNAME=<DB User name> --from-literal=DB_PASSWORD=<DB user password>
 --fromliteral=DB_NAME=<DB NAME> --dry-run -o yaml -n <Namespace> | kubectl replace -f -n <Namespace>

d

Execute the updated command. The following message is displayed:
```
secret/<database secret name> replaced
```
.

Verify the whether the secret is created

$ kubectl describe secret <secret-name> -n <SCPnamespace>

Example:

$ kubectl describe secret database-secret -n ocscp

.

OCSCP MYSQL Secret Updates for Password of DB User

Use the following procedure to update Mysql secret:

Login to Bastion Host or server from where kubectl can be executed.

Update the kubernetes secret for Mysql by executing the following command:

Delete the secret:

$ kubectl delete secret database-secret -n <SCPNamespace>

Create the secret with updated details:

For privileged users:
       kubectl create secret generic privilegedusersecret --fromliteral=DB_USERNAME=<DB User name>
      --from-literal=DB_PASSWORD=<DB user password> --fromliteral=DB_NAME=<DB NAME> -n<SCPNamespace>
       For Application Users:
       kubectl create secret generic appusersecret --fromliteral=DB_USERNAME=<DB User name>
      --from-literal=DB_PASSWORD=<DB user password> --fromliteral=DB_NAME=<DB NAME> -n
      <SCPNamespace>

Network Slice Selection Function (NSSF) Security Recommendations and Procedures

This section provides Network Slice Selection Function (NSSF) specific security recommendations and procedures. Recommendations common to all 5G/4G are available in the Common Procedures Section.

The procedures are:

OCNSSF Access Token Secret Configuration

Use the following procedure to create access token secret:

Create the following files:
- ECDSA private key (Example: ecdsa_private_key_pkcs8.pem)
- RSA private key (Example: rsa_private_key_pkcs1.pem)
- TrustStore password file (Example: trustStorePassword.txt)
- KeyStore password file (Example:keyStorePassword.txt)
- CA signed ECDSA OCNSSF certificate (Example: ecdsa_ocnssf_certificate.crt)
- CA signed RSA OCNSSF certificate (Example: rsa_ocnssf_certificate.crt)
Note: Creation of private keys, certificates and passwords are at the discretion of user.
Login to Bastion Host or server from where kubectl can be executed.
Create namespace for the secret by executing the following command:
$ kubectl create namespace ocnssf

Create kubernetes secret for NF Access token by executing the following command:

$ kubectl create secret generic
         ocnssfaccesstoken-secret --from-file=ecdsa_private_key_pkcs8.pem
         --from-file=rsa_private_key_pkcs1.pem --from-file=trustStorePassword.txt
         --from-file=keyStorePassword.txt --from-file=ecdsa_ocnssf_certificate.crt--from-file=rsa_ocnssf_certificate.crt -n
      ocnssf

Verify that secret is created successfully by executing the following command:
$ kubectl describe secret ocnssfaccesstoken-secret -n ocnssf

OCNSSF Access Token Secret Update

Use the following procedure to update access token secret:

Update the following files:
- ECDSA private key (Example: ecdsa_private_key_pkcs8.pem)
- RSA private key (Example: rsa_private_key_pkcs1.pem)
- TrustStore password file (Example: trustStorePassword.txt)
- KeyStore password file (Example:keyStorePassword.txt)
- CA signed ECDSA OCNSSF certificate (Example: ecdsa_ocnssf_certificate.crt)
- CA signed RSA OCNSSF certificate (Example: rsa_ocnssf_certificate.crt)
Note:Update of private keys, certificates and passwords are at the discretion of user.
Login to Bastion Host or server from where kubectl can be executed.

Update the secret with new/updated details by executing the following commands:

Delete the secret:$ kubectl delete secret ocnssfaccesstoken-secret -n ocnssf Create the secret again with updated details:

$ kubectl create secret generic ocnssfaccesstoken-secret --from-file=ecdsa_private_key_pkcs8.pem
 --from-file=rsa_private_key_pkcs1.pem --from-file=trustStorePassword.txt --from-file=keyStorePassword.txt 
--from-file=ecdsa_ocnssf_certificate.crt--from-file=rsa_ocnssf_certificate.crt -n ocnssf

OCNSSF MYSQL Secret Configuration

Use the following procedure to create Mysql kubernetes secret:

Login to Bastion Host or server from where kubectl can be executed.
Create namespace for the mysql secret. Skip this step, if already created.
```
 $ kubectl create namespace ocnssf 
```
Create a yaml file with the username and password with the syntax shown below:

Note:
The values mentioned in the right side of column (:) are examples.
```
apiVersion: v1 
 kind: Secret 
 metadata: 
   name: <secret-name> 
   type: Opaque 
 data: 
   mysql-username: cGNmdXNy 
   mysql-password: cGNmcGFzc3dk
```

Note: The values for "mysql-username" and "mysql-password" must be base64 encoded.
Execute
```
kubectl create -f <yaml_file_name> -n <namespace> 
```
to create the secret.
Verify whether the secret is created by executing the following command:
```
$ kubectl describe secret <secret-name> -n <namespace>
```

OCNSSF MYSQL Secret Update

Use the following procedure to update Mysql kubernetes secret:

Login to Bastion Host or server from where kubectl can be executed.

Delete the kubernetes secret for Mysql:

# Delete the secret
$ kubectl delete secret <secret name> -n <namespace>

Update yaml file from step 3 in secret creation with new values for mysql-username and mysql-password
Execute kubectl create -f <yaml_file_name> -n <namespace> to create the secret.
Verify whether the secret is created by executing the following command:
$ kubectl describe secret <secret-name> -n <namespace>

Security Edge Protection Proxy (SEPP) Security Recommendations and Procedures

This section provides Security Edge Protection Proxy (SEPP) specific security recommendations and procedures. Recommendations common to all 5G/4G are available in the Common Procedures Section.

The procedures are:

SEPP Access Token Secret Configuration

Use the following procedure to create access token secret :

Login to Bastion Host or server from where kubectl can be executed.
Create the following files:
- ECDSA private key with P-256 curve
  Example:
```
ecdsa_private_key_pkcs8.pem
```
Note: Creation of private keys, certificates and passwords are at the discretion of user.
Create namespace for the secret by executing the following command:
```
$ kubectl create namespace seppsvc
```

Create kubernetes secret for Access token by executing the following command:

$ kubectl create secret generic ocsepp-ipx-secret 
--from-file=ecdsa_private_key_pkcs8.pem -n seppsvc

OCSEPP Access Token Secret Update

Use the following procedure to update access token secret:

Login to Bastion Host or server from where kubectl can be executed.
Update the following files:
- ECDSA private key with P-256 curve
  Example:
```
ecdsa_private_key_pkcs8.pem
```
Note:Update of private keys, certificates and passwords are at the discretion of user.

Update the secret with new/updated details.

Delete the secret:

$ kubectl delete secret ocsepp-ipx-secret -n seppsvc

Create the secret again with updated details:

$ kubectl create secret generic ocsepp-ipx-secret 
--from-file=ecdsa_private_key_pkcs8.pem -n seppsvc

Unified Data Repository (UDR) / Unstructured Data Storage Function (UDSF) Security Recommendations and Procedures

This section provides Unified Data Repository (UDR) / Unstructured Data Storage Function (UDSF) specific security recommendations and procedures. Recommendations common to all 5G/4G are available in the Common Procedures Section.

The procedures are:

Oauth Token Validation Configuration

Use the following procedure for Oauth Token validation configuration:

Nrf creates access tokens using following private keys.
ECDSA private key (For example:
```
ecdsa_private_key_pkcs8.pem
```
)
RSA private key (For example:
```
rsa_private_key_pkcs1.pem
```
)
To validate access token, secret needs to be created and configured in ocudr ingress gateway with public keys fetched from nrf.
public key naming format must be
```
<nrfInstanceId>_<AlgorithmUsed>.pem (6faf1bbc-6e4a-4454-a507-a14ef8e1bc5c_ES256.pem)
```
.
Login to Bastion Host or server from where kubectl can be executed.
Create namespace for the secret.
```
$ kubectl create namespace ocudr
```

Create kubernetes secret for NF Access token validation

Note:

The filenames in below command are same as in Step 1

$ kubectl create secret generic oauthsecret --from-file=6faf1bbc-6e4a-4454-a507-a14ef8e1bc5c_ES256.pem
--from-file=6faf1bbc-6e4a-4454-a507-a14ef8e1bc5c_RS256.pem -n ocudr

Verify that secret is create successfully:

$ kubectl describe secret oauthsecret -n ocudr

Public key Update for Changed Access Token

Use the following procedure for public key update for changed access token:

Login to Bastion Host or server from where kubectl can be executed.

Update the secret with new/updated details:

# Delete the secret and recreate it
$ kubectl delete secret oauthsecret -n ocudr

# Fetch updated public keys from nrf 

# Recreate the secret with updated details
$ kubectl create secret generic oauthsecret 
--from-file=0263663c-f5c2-4d1b-9170-f7b1a9116337_ES256.pem

--from-file=0263663c-f5c2-4d1b-9170-f7b1a9116337_RS256.pem -n ocudr

OCUDR MYSQL Kubernetes Secret for storing Database Username and Password

Use the following procedure to create Mysql kubernetes secret for storing database username and password:

Login to Bastion Host or server from where kubectl can be executed.
Create namespace for the mysql secret. Skip this step, if already created.
```
 $ kubectl create namespace <namespace>
```
Create a yaml file with the username and password with the syntax shown below:

Note:
The values mentioned in the right side of column (:) are examples.
```
apiVersion: v1 
 kind: Secret 
 metadata: 
   name: <secret-name> 
   type: Opaque 
 data: 
    dbname: dWRyZGI=  
    dsusername: dWRydXNlcg==  
    dspassword: dWRycGFzc3dk  
    encryptionkey: TXkgc2VjcmV0IHBhc3NwaHJhc2U=
```
Note: The values for "dbname", "dsusername", "dspassword" and "encryptionkey" must be base64 encoded.

Execute

kubectl create -f <yaml_file_name> -n <namespace>

to create the secret.

Verify the whether the secret is created by executing the following command:
```
$ kubectl describe secret <secret-name> -n <namespace>  
```

TLS certificate for HTTPs support

Refer Cloud Native Core - Ingress/Egress Gateways - Security Recommendations / Procedures for TLS configuration.

InterWorking and Mediation Function (IWF) Security Recommendations and Procedures

This section provides InterWorking and Mediation Function (IWF) specific security recommendations and procedures. Recommendations common to all 5G/4G are available in the Common Procedures Section.

The procedures are:

OCIWF MYSQL Secret configuration

Use the following procedure to configure Mysql secret:

Login to Bastion Host or server from where kubectl can be executed.

Create namespace for the mysql secret. If it is already created, skip this step.

$ kubectl create namespace <IwfNamespace>
Example: $ kubectl create namespace iwfsvc

Create kubernetes secret for Mysql

$ kubectl create secret generic <secretName> --fromliteral=DB_USERNAME=<userName>
      --fromliteral=DB_PASSWORD=<password> --fromliteral=DBNAME=<dbName> -n <IwfNamespace>
Example: $ kubectl create secret generic cred --fromliteral=DB_USERNAME=root
      --fromliteral=DB_PASSWORD=lLn94uba5p --fromliteral=DB_NAME=ociwfdb -n
    iwfsvc

Note:

<secretName> → Secret name must be same to value present for 'dbSecretName' in ociwf_values.yaml file.
<IwfNamespace> -> Must be the name of namespace where IWF will be deployed.

Verify that secret is create successfully

$ kubectl describe secret database-secret -n <IwfNamespace>
Example: $ kubectl describe secret database-secret -n iwfsvc

OCIWF MYSQL Secret updates for password of DB user

Use the following procedure to update MYSQL Secret for password of DB user:

Login to Bastion Host or server from where kubectl can be executed

Update the kubernetes secret for Mysql

Delete the secret:
         $ kubectl delete secret database-secret -n <IwfNamespace>  
         Create the secret with updated details:
         $ kubectl create secret generic <secretName> --fromliteral=DB_USERNAME=<userName>
      --fromliteral=DB_PASSWORD=<password> --fromliteral=DBNAME=<dbName> -n
    <IwfNamespace>

Binding Support Function (BSF) Security Recommendations and Procedures

This section provides Binding Support Function (BSF) specific security recommendations and procedures. Recommendations common to all 5G/4G are available in the Common Procedures Section.

The procedure is:

Creating BSF MYSQL Kubernetes Secret for Storing Database Username and Password

Creating BSF MYSQL Kubernetes Secret for Storing Database Username and Password

Use the following procedure to create BSF MYSQL kubernetes secret for storing database username and password:

Login to Bastion Host or server from where kubectl can be executed.
Create namespace, if already does not exists, by entering the command:
```
kubectl create namespace <namespace>
```
where:
<namespace> is the deployment BSF namespace.
Create a kubernetes secret for an admin user and an application user.
To create a kubernetes secret for storing database username and password for these users:

Create a yaml file with the application user's username and password with the syntax shown below:
Note:
The values mentioned in the right side of column (:) are examples.
```
apiVersion: v1
             kind: Secret
             metadata:
             name: <secret-name>
             type: Opaque
             data:
             mysql-username: YnNmdXNy
             mysql-password: YnNmcGFzc3dk
```
Create a yaml file with the admin user's username and password with the syntax shown below:
Note:
The values mentioned in the right side of column (:) are examples.
```
apiVersion: v1
           kind: Secret
           metadata:
           name: <secret-name>
           type: Opaque
           data:
            mysql-username: YnNmcHJpdmlsZWdlZHVzcg==
            mysql-password: YnNmcHJpdmlsZWdlZHBhc3N3ZA==
```
Note:
The values for mysql-username and mysql-password should be base64 encoded
Execute the following command to create the secret:
```
kubectl create -f <yaml_file_name> -n <namespace>
```
Verify whether the secret is created by executing the following command:
```
$ kubectl describe secret <secret-name> -n <namespace>
```