Architecture
============
-The micro-service called CertService is designed for requesting certificates
-signed by external Certificate Authority (CA) using CMP over HTTP protocol. It uses CMPv2 client to send and receive CMPv2 messages.
-CertService's client will be also provided so other ONAP components (aka end components) can easily get certificate from CertService.
-End component is an ONAP component (e.g. DCAE collector or controller) which requires certificate from CMPv2 server
-to protect external traffic and uses CertService's client to get it.
-CertService's client communicates with CertService via REST API over HTTPS, while CertService with CMPv2 server via CMP over HTTP.
-
-.. image:: resources/certservice_high_level.jpg
+Interaction between components
+------------------------------
+
+.. image:: resources/certservice_high_level.png
:width: 855px
- :height: 178px
+ :height: 223px
:alt: Interaction between components
+
+
+Simplified certificate enrollment flow
+--------------------------------------
+
+.. image:: resources/certService_cert_enrollment_flow.png
+ :width: 1191px
+ :height: 893px
+ :alt: Simplified certificate enrollment flow
+
+Security considerations
+-----------------------
+
+CertService's REST API is protected by mutual HTTPS, meaning server requests client's certificate and **authenticate** only requests with trusted certificate. After ONAP default installation only certificate from CertService's client is trusted. **Authorization** isn't supported in Frankfurt release.
\ No newline at end of file
Code Review / oom / platform / cert-service.git / blobdiff