6 Common Security Recommendations and Procedures
4G/5G Application Authentication and Authorization
4G/5G NFs use Mutual Transport Layer Security (mTLS) authentication to secure communication. Every NF requires a trust relationship to be established with each of its peers by exchanging and trusting the peer root or intermediate certificates. All peer certificates must be present in the trust store (K8s Secrets) before secured communication can be established. Ideally, the trust store is populated from the customer Public Key Infrastructure (PKI) using the ACME protocol. 4G/5G NFs also support manual import and semi-automatic import using the cert-manager external provider.
DB-Tier Authentication and Authorization
The DB-Tier provides a highly available multisite database used to store NF state and configuration. When installed, the MySQL DB is configured with a root account whose password is randomly generated. Each NF must have additional accounts dedicated to that particular NF. The procedures in this section explain how to change these account passwords. Additionally, communication between the NFs and the MySQL query nodes is protected using TLS.
Procedure: Modify MySQL NDB Root Password
This procedure is executed by the DB Administrator.
For each of the MySQL Query nodes, perform the following steps:
- Log into the next query node using ssh:
$ ssh admusr@<mysql query node>
- Execute the following command to become root on the node:
$ sudo su
- Invoke mysql using the existing DB Root credentials:
# mysql -h 127.0.0.1 -uroot -p
<enter existing root password>
- Change the DB Root credentials:
mysql> ALTER USER 'root'@'localhost' IDENTIFIED BY '<NEW_PASSWORD>';
mysql> FLUSH PRIVILEGES;
Repeat steps 1 through 4 for each MySQL Query node.
Note: If you are accessing a DB instance for the first time, the DB Root password is stored in the /var/occnedb/mysqld_expired.log file. The system generates a random password at installation time.
Recommendation 1: Separation of Roles
The roles of DB Administrator and Cluster Administrator must be kept separate. The DB Administrator is responsible for securing and maintaining the DB-Tier MySQL NDB cluster. The Cluster Administrator is responsible for securing and operating the Bastion Host and the K8s Cluster. When 5G NFs are installed, the DB Administrator creates the new NF database and the NF DB accounts (using the DB Root credentials). Once this is completed, the Cluster Administrator installs the NF (using helm).
Recommendation 2: Use Strong Passwords
The DB Administrator must choose a complex DB Root password as per their organization's security guidelines.
Procedure: Configure TLS for MySQL NDB Query Nodes
The MySQL NDB comes preconfigured with a self-signed certificate that expires after 365 days. Users can replace this certificate using the following procedure:
- Create a private CA and a set of key/certificate pairs for use in securing MySQL:
$ mysql_ssl_rsa_setup
- This produces a set of PEM files containing the CA, server, and client certificates and keys, which must be installed on all the MySQL Query Nodes.
- Using SCP, copy the PEM files to the MySQL Query Node:
$ scp *.pem admusr@<mysql query node>
- Log in to the MySQL Query Node using ssh:
$ ssh admusr@<mysql query node>
- Create a directory to hold the TLS keys and certificates, and move the PEM files into it as root:
$ sudo mkdir /var/occnedb/opensslcerts
$ sudo chmod 700 /var/occnedb/opensslcerts
$ sudo mv ~admusr/*.pem /var/occnedb/opensslcerts
- MySQL Cluster Manager (mcm) is used to apply the TLS configuration from any of the DB nodes:
  - Log in to any DB node:
$ ssh admusr@<any_db_node>
$ sudo su
  - Log in to the mcm client:
# mcm
mcm>
  - Update the TLS configuration for all the SQL nodes using the mcm client:
mcm> set ssl-ca:mysqld=/var/occnedb/opensslcerts/ca.pem occnendbclustera;
mcm> set ssl-cert:mysqld=/var/occnedb/opensslcerts/server-cert.pem occnendbclustera;
mcm> set ssl-key:mysqld=/var/occnedb/opensslcerts/server-key.pem occnendbclustera;
mcm> set tls_version:mysqld=TLSv1.2 occnendbclustera;
mcm> set ssl-cipher:mysqld=DHE-RSA-AES128-GCM-SHA256 occnendbclustera;
- Restart the SQL nodes from the MySQL Cluster Manager (mcm) client:
mcm> stop process 56 occnendbclustera;
mcm> start process 56 occnendbclustera;
mcm> stop process 57 occnendbclustera;
mcm> start process 57 occnendbclustera;
Repeat steps 3 through 7 for each MySQL Query node.
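A pre-flight check to run before the mcm settings above are applied, added here as an example (not Oracle's or MySQL's tooling). It verifies that the three PEM files exist under the certificate directory, that the private key and directory are not group/other readable (the chmod 700 step), that the TLS version and cipher are not weak, and then renders the mcm `set` statements; the PEM contents written by build_sample_cert_dir() are constructed placeholders, not real keys.

```python
"""Pre-flight check for the MySQL NDB TLS settings before they are pushed with mcm."""
import os
import stat
import tempfile

PEM_KEYS = ("ssl-ca", "ssl-cert", "ssl-key")
WEAK_TLS = {"SSLv3", "TLSv1", "TLSv1.0", "TLSv1.1"}          # must not be enabled on SQL nodes
WEAK_CIPHER_MARKERS = ("NULL", "EXPORT", "RC4", "DES", "MD5", "ADH")  # weak/unauthenticated suites


def check_tls_settings(settings):
    """Return a list of findings; an empty list means the settings are acceptable."""
    findings = []
    versions = [v.strip() for v in settings.get("tls_version", "").split(",")]
    if any(v in WEAK_TLS for v in versions):
        findings.append("tls_version is obsolete; allow only TLSv1.2 or later")
    cipher = settings.get("ssl-cipher", "")
    if any(m in cipher for m in WEAK_CIPHER_MARKERS) or ("GCM" not in cipher and "CHACHA20" not in cipher):
        findings.append("ssl-cipher %r is not an AEAD suite" % cipher)
    for key in PEM_KEYS:
        path = settings.get(key, "")
        if not os.path.isfile(path):
            findings.append("%s: file %s is missing" % (key, path))
        elif not open(path).readline().startswith("-----BEGIN"):
            findings.append("%s: %s is not PEM encoded" % (key, path))
    key_path = settings.get("ssl-key", "")
    if os.path.isfile(key_path):
        # Private key and its directory must not be readable by group/other (chmod 600 / 700).
        if stat.S_IMODE(os.stat(key_path).st_mode) & 0o077:
            findings.append("ssl-key: %s is readable by group/other" % key_path)
        if stat.S_IMODE(os.stat(os.path.dirname(key_path)).st_mode) & 0o077:
            findings.append("certificate directory is not mode 0700")
    return findings


def mcm_commands(settings, cluster="occnendbclustera"):
    """Render the `set` statements the procedure types into the mcm client."""
    return ["set %s:mysqld=%s %s;" % (k, v, cluster) for k, v in settings.items()]


def build_sample_cert_dir():
    """Create a constructed placeholder certificate directory laid out as the procedure requires."""
    base = tempfile.mkdtemp()
    os.chmod(base, 0o700)
    settings = {"tls_version": "TLSv1.2", "ssl-cipher": "DHE-RSA-AES128-GCM-SHA256"}
    for key, name in zip(PEM_KEYS, ("ca.pem", "server-cert.pem", "server-key.pem")):
        path = os.path.join(base, name)
        with open(path, "w") as fh:
            fh.write("-----BEGIN PLACEHOLDER-----\nconstructed, not a real key\n-----END PLACEHOLDER-----\n")
        os.chmod(path, 0o600 if key == "ssl-key" else 0o644)  # key stays owner-only
        settings[key] = path
    return settings
```

Point the settings dict at /var/occnedb/opensslcerts on a real query node and only run the mcm statements when check_tls_settings() returns an empty list.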
Note: It is possible to integrate with an existing Public Key Infrastructure (PKI) by creating signing requests and having the PKI generate the needed key/certificate pairs.