4 Configuring OCNRF
Mandatory Configurations
- nrfPlmnList: PLMN(s) served by OCNRF. This must be configured before using any OCNRF Services.
- ocnrfEndPointHost: OCNRF EndPoint Host's FQDN.
- ocnrfEndPointPort: OCNRF EndPoint Host's Port.
OCNRF Configuration
OCNRF can be configured using HELM and REST configuration. Some configuration are performed during installation using HELM and few are modified using REST. For HELM configuration refer to OCNRF Cloud Native Installation and Upgrade Guide. The REST configurations can also be performed using Cloud Native Core (CNC) Console. Refer to Configuring OCNRF using CNC Console for more details.
OCNRF Host Configuration
OCNRF's NfHostConfig Configuration attribute allows to configure the details of NRF and SLF/UDR Network Functions. These attributes (nrfHostConfig and slfHostConfig) used for NRF forwarding and Subscriber Location Function (SLF) features respectively.
The NfHostConfig configuration consists of attributes like apiVersion, scheme, FQDN, port, priority, etc. OCNRF allows to configure more than two host details. However the host with highest priority is considered as Primary Host. The host with second highest priority is considered as Secondary Host.
Note:
- Refer 29.510, release 15.5 for definition and allowed range for NfHostConfig attributes (apiVersion, scheme, FQDN, port, priority, etc).
- Apart from priority attribute, no other attributes plays any role in Primary/Secondary host selection.
- Apart from Primary/Secondary host, other configured hosts (if any) are not used during any message processing.
- When more than one host is configured with highest priority, then two of them will be picked as Primary/Secondary host randomly.
- rerouteOnResponseHttpStatusCodes: This configuration is used to determine if the SLF request message can be sent to Secondary SLF or not. After getting response from primary SLF, if response status code from primary SLF matches with this configuration, then OCNRF reroutes the request to the secondary SLF. Refer nfHostConfig attribute for Primary and Secondary SLF details.
- maximumHopCount: This configuration is used to determine Maximum number of hops (SLF/NRF) that OCNRF can forward a given service request. This Configuration more useful during NRF Forwarding and SLF feature interaction.
- nrfRerouteOnResponseHttpStatusCodes: This configuration is used to determine if the service operation message can be forwarded to Secondary NRF or not. After getting response from primary NRF, if response status code from primary NRF matches with this configuration, then OCNRF reroutes the request to the secondary NRF. Refer nfHostConfig attribute for Primary and Secondary NRF details.
- maximumHopCount: This configuration is used to determine Maximum number of hops (SLF/NRF) that OCNRF can forward a given service request. This Configuration more useful during NRF Forwarding and SLF feature interaction.
General Configurations
The section provides information for configuring general configurations in OCNRF.
General configuration - OCNRF system options
Table 4-1 Service API Interface
Resource Name | Resource URI | HTTP Method or Custom Operation | Description |
---|---|---|---|
nrf-configuration (Store) | {apiRoot}/nrf-configuration/v1/system-options | GET | Retrieves OCNRF system options configuration |
nrf-configuration (Store) | {apiRoot}/nrf-configuration/v1/system-options | PUT | Updates OCNRF system options configuration |
Table 4-2 Data structures supported by the GET Response Body
Data Type | Mandatory(M)/Optional(O)/Conditional(C) | Cardinality | Response Codes | Description |
---|---|---|---|---|
ProblemDetails | M | 1 | 500 Internal Server Error | The response body contains the error reason of the request message. |
NrfSystemOptions | M | 1 | 200 OK | Response body contains the OCNRF current system options |
Table 4-3 Data structures supported by the PUT Request Body
Data Type | P | Cardinality | Description |
---|---|---|---|
NA | M | 1 | NrfSystemOptions details |
Table 4-4 Data structures supported by the PUT Response Body
Data Type | Mandatory(M)/Optional(O)/Conditional(C) | Cardinality | Response Codes | Description |
---|---|---|---|---|
ProblemDetails | M | 1 | 500 Internal Server Error | The response body contains the error reason of the request message. |
ProblemDetails | M | 1 | 400 Bad request | The response body contains the error reason of the request message. |
NrfSystemOptions | M | 1 | 200 OK | Specifies that the update of NrfSystemOptions is successful and provides the values in database. |
REST Message Sample
Request_Type: GET and PUT
{
"generalSystemOptions": {
"nrfPlmnList": [{
"mcc": "310",
"mnc": "14"
}],
"enableF3": true,
"enableF5": true,
"maximumHopCount": 3,
"defaultLoad": 5,
"defaultPriority": 100,
"addPriorityInNFProfile": false,
"addLoadInNFProfile": false
},
"nfScreeningSystemOptions": {
"nfScreeningFeatureStatus": "DISABLED",
"nfScreeningFailureHttpCode": 403
},
"nfAccessTokenSystemOptions": {
"oauthTokenAlgorithm": "ES256",
"oauthTokenExpiryTime": "1h",
"authorizeRequesterNf": "ENABLED",
"logicalOperatorForScope": "AND",
"audienceType": "NF_INSTANCE_ID"
},
"nfManagementSystemOptions": {
"nfHeartBeatTimer": "1m30s",
"nfHeartBeatMissAllowed": 3,
"nfNotifyLoadThreshold": 5,
"nrfSupportForProfileChangesInResponse": true,
"subscriptionValidityDuration": "24h",
"nrfSupportForProfileChangesInNotification": false,
"nfProfileSuspendDuration": "168h",
"acceptAdditionalAttributes": false,
"allowDuplicateSubscriptions": true
},
"nfDiscoverSystemOptions": {
"discoveryValidityPeriod": "1h",
"profilesCountInDiscoveryResponse": 3,
"discoveryResultLoadThreshold": 0
},
"slfSystemOptions": {
"supportedNfTypeList": [],
"preferredSubscriberIdType": "SUPI",
"slfHostConfig": [{
"nfInstanceId": "c56a4180-65aa-42ec-a945-5fd21dec0538",
"apiVersions": [{
"apiVersionInUri": "v1",
"apiFullVersion": "15.5.0"
}],
"scheme": "http",
"fqdn": "ocudrSlf-1-ingressgateway.ocnrf.svc.cluster.local",
"priority": 100,
"port": 80
}],
"rerouteOnResponseHttpStatusCodes": {
"codeList": [134]
},
"slfFeatureStatus": "DISABLED"
},
"errorResponses": {
"slfErrorResponses": [{
"errorCondition": "SLF_Missing_Mandatory_Parameters",
"errorCode": 400,
"errorResponse": "Mandatory parameter missing for SLF Lookup"
}, {
"errorCondition": "SLF_GroupId_NotFound",
"errorCode": 404,
"errorResponse": "Group Id Not found from SLF"
}, {
"errorCondition": "SLF_Not_Reachable",
"errorCode": 504,
"errorResponse": "SLF not reachable"
}],
"nrfForwardingErrorResponses": [{
"errorCondition": "NRF_Not_Reachable",
"errorCode": 504,
"errorResponse": "NRF not reachable"
}, {
"errorCondition": "NRF_Forwarding_Loop_Detection",
"errorCode": 508,
"errorResponse": "Loop Detected"
}]
},
"forwardingSystemOptions": {
"profileRetreivalForwardingStatus": "DISABLED",
"subscriptionForwardingStatus": "DISABLED",
"discoveryForwardingStatus": "DISABLED",
"accessTokenForwardingStatus": "DISABLED",
"nrfHostConfig": [{
"nfInstanceId": "c56a4180-65aa-42ec-a945-5fd21dec0538",
"apiVersions": [{
"apiVersionInUri": "v1",
"apiFullVersion": "15.5.0"
}],
"scheme": "http",
"fqdn": "ocnrf-1-ingressgateway.ocnrf.svc.cluster.local",
"priority": 100,
"port": 80
}],
"nrfRerouteOnResponseHttpStatusCodes": {
"pattern": "^[3,5][0-9]{2}$"
}
},
"geoRedundancySystemOptions": {
"geoRedundancyFeatureStatus": "DISABLED",
"replicationLatency": "5s",
"monitorNrfServiceStatusInterval": "5s",
"monitorDBReplicationStatusInterval": "5s"
}
}
Data Model
Note:
At least one attribute must be present to ensure that the PUT request is not empty.
Presence in the JSON BODY in PUT HTTP method means any attribute(s) can be updated individually or together.
O - Optional
M - Mandatory
C - Conditional
Table 4-5 NrfSystemOptions - Parameters
Parent Attribute Name | Attribute Name | Data Type | Constraints | M/O/C | Default Values | Description |
---|---|---|---|---|---|---|
generalSystemOptions | nrfPlmnList | array (PlmnId) | O | This value shall have at least one PLMN supported by OCNRF and this value shall be set before using OCNRF. See the footnote. | ||
generalSystemOptions | enableF3 | ENUM (true or false) | true or false | O | true | OCNRF functions as per 29510 v15.3 specification, if this flag is set to true. If it is set to true, then OCNRF will compliant to 29510 v15.3. If it is set to false, OCNRF will compliant to 29510 v15.2. |
generalSystemOptions | enableF5 | ENUM (true or false) | true or false | O | true | OCNRF functions as per 29510 v15.5 specification, if this flag is set to true. If it is set to false, OCNRF functions as per 29510 v15.2 or v15.3 specification (depends on enableF3 flag. |
generalSystemOptions | defaultLoad | INTEGER | 0 - 100 | O | 5 | defaultLoad value is set in NF load attribute of NFProfile, if this attribute is set to true.This value is sent in NFDiscover response and NFProfile sent in NFNotify operation, in case NFProfile does not have load attribute. |
generalSystemOptions | defaultPriority | INTEGER | 0 - 65535 | O | 100 | This attribute is default value of NF Priority and will be used if NFProfile does not have priority attribute set by NF. |
generalSystemOptions | addLoadInNFProfile | ENUM (true or false) | true or false | O | false | Value of default NF load will be set in NF Load attribute of NFProfile while sending in NFDiscover response and NFProfile sent in NFNotify operation, in case NFProfile does not have Load attribute. |
generalSystemOptions | addPriorityInNFProfile | ENUM (true or false) | true or false | O | false | Value of default NF Priority will be set in NF Priority attribute of NFProfile while sending in NFDiscover response and NFProfile sent in NFNotify operation, in case NFProfile does not have Priority attribute. |
generalSystemOptions | maximumHopCount | INTEGER | 1-5 | O | 3 | Maximum number of Nodes (SLF/NRF's) that OCNRF can communicate, to service a request. |
generalSystemOptions | ocnrfEndPointHost | STRING | None | O | ocnrf-ingressgateway.ocnrf.svc.cluster.local | ocnrfEndPointHost needs to be OCNRF's External Routable
FQDN (e.g. ocnrf.oracle.com) OR External Routable IpAddress (e.g.
10.75.212.60) OR for routing with in the same K8 cluster use full
OCNRF Ingress Gateway's Service FQDN as below format:
<helm-releasename>- ingressgateway.<n
amespace>.svc.<cluster-domainname> . Example:
ocnrfingressgateway.nrf-1.svc.cluster.local
where ocnrf: is the helm release name (deployment name that will be
used during "helm install")
nrf-1: is the namespace in which NRF will be deployed cluster.local: is the K8's dnsDomain name (dnsDomain can be found
using |
generalSystemOptions | ocnrfEndPointPort | INTEGER | None | O | 80 | OCNRF EndPoint Host's Port |
forwardingSystemOptions | nrfHostConfig | array (NFConfig) | O | This is used to configure Primary and
Secondary NRF Details which is used for forwarding various requests.
It allows to configure details of NRF like apiVersion, scheme, FQDN, port, etc. The only supported value for apiVersionInUri is v1. Hence the apiVersions attribute must have at least one data record with apiVersionInUri attribute values set as v1. This configuration allows you to configure more than 2 NRF Details. NRF with highest priority is considered as Primary NRF for forwarding messages. NRF with second highest priority is considered as Secondary NRF for forwarding. To reset this attribute, please send empty array, for example:- "nrfHostConfig": [ ] If this attribute is already set then there is no need to provide the value again. See the footnote. |
||
forwardingSystemOptions | nrfRerouteOnResponseHttpStatusCodes | ResponseHttpStatusCodes | pattern or specific code list | O | "pattern": "^[3,5][0-9]{2}$" | This configuration is used to determine if the service operation message needs to forwarded to Secondary NRF. After getting response from primary NRF, if response status code from primary NRF matches with the configured response status code list, then NRF reroutes the request to the secondary NRF. Refer nfHostConfig for details for Primary and Secondary NRF details. See the footnote. |
forwardingSystemOptions | profileRetreivalForwardingStatus | String (Feature Status) | O | DISABLED | This attribute controls the forwarding of NFProfileRetrieval service operation messages. If the flag is set to true and OCNRF is not able to complete the request due to unavailability of any matching profile, then OCNRF forwards the NfProfileRetrival request to the configured NRF host(s) and relays the response received from forwarding NRF to the Consumer NF. If flag is false, OCNRF will not forward the NfProfileRetrival request in any case. It will return a response to consumer NF without forwarding it. See the footnote. See the footnote. | |
forwardingSystemOptions | subscriptionForwardingStatus | String (Feature Status) | O | DISABLED |
This attribute controls the forwarding of NFStatusSubscribe, NFStatusUnsubscribe service operation messages. If the flag is set to true and OCNRF is not able to complete the request due to unavailability of any matching profile, then OCNRF forwards the NfStatusSubscribe/NfStatusUnSubscribe request to the configured NRF host(s) and relays the response received from forwarding NRF to the Consumer NF. If flag is false, OCNRF will not forward the NfStatusSubscribe/NfStatusUnSubscribe request in any case. It will return a response to consumer NF without forwarding it. Note: NfStatusSubscribe forwarding is supported only if the NfInstanceIdCond condition is requested in the Subscription Request. See the footnote. |
|
forwardingSystemOptions | discoveryForwardingStatus | String (Feature Status) | O | DISABLED | This attribute controls the forwarding of NFDiscover service operation messages. If the flag is set to true and OCNRF is not able to complete the request due to unavailability of any matching profile, then OCNRF forwards the NfDiscover request to the configured NRF host(s) and relays the response received from forwarding NRF to the Consumer NF. If flag is false, OCNRF will not forward the NfDiscover request in any case. It will return a response to consumer NF without forwarding it. See the footnote. | |
forwardingSystemOptions | accessTokenForwardingStatus | String (Feature Status) | O | DISABLED | This attribute controls the forwarding of AccessToken service operation messages. If the flag is set to true and OCNRF is not able to complete the request due to unavailability of any matching Producer NF, then OCNRF forwards the AccessToken request to the configured NRF host(s) and relays the response received from forwarding NRF to the Consumer NF. If flag is false, OCNRF will not forward the AccessToken request in any case. It will return a response to consumer NF without forwarding it. See the footnote. | |
nfScreeningSystemOptions | nfScreeningFeatureStatus | String (Feature Status) | O | DISABLED | This attribute indicates if NF Screening Feature is enabled or not. See the footnote. | |
nfScreeningSystemOptions | nfScreeningFailureHttpCode | INTEGER | O | 403 | This attribute will inform what HTTP status code will be returned if incoming request does not pass NF Screening rules barrier. See the footnote. | |
nfManagementSystemOptions | nfHeartBeatTimer | String | 10s - 5m | O | 1m30s | If Heartbeat timer value is not received in
NFProfile during NFRegister, this default value will be used by
OCNRF.
If Heartbeat timer value is received in NFProfile during NFRegister, minimum value will be used for validation and limit purpose. It means if value provided less than minimum value, then minimum value will be taken as heartbeat timer value. If Heartbeat timer value is received in NFProfile during NFRegister, maximum value of range will be used for validation and limit purpose. It means if value provided more than maximum value, then maximum value will be taken as heartbeat timer value.The value is in pHqMrS format. Where p,q,r are integers and H,M,S or h,m,s denote hours, minutes & seconds respectively. See the footnote. |
nfManagementSystemOptions | nfHeartBeatMissAllowed | INTEGER | 0 - 15 | O | 3 | Indicates the allowed number of HeartBeat miss after
which the NFProfile is marked as suspended.
If the value is set to 0, NF profiles for which even single heartbeat is missed will be marked as suspended. See the footnote. |
nfManagementSystemOptions | nfNotifyLoadThreshold | INTEGER | 0 - 99 | O | 5 | OCNRF generates the Notification trigger when difference between the 'load' value reported by NF in most recent heartbeat and the last reported ‘load’ is more than configured value of nfNotifyloadThreshold attribute. See the footnote. |
nfManagementSystemOptions | nrfSupportForProfileChangesInResponse | ENUM (true or false) | true or false | O | true | OCNRF sends mandatory and modified attributes in the NFRegister and NFUpdate responses instead of complete profile, if this flag is enabled. See the footnote. |
nfManagementSystemOptions | subscriptionValidityDuration | String | 10s - 720h | O | 24h |
If Validity time attribute is not received in SubscriptionData during NFSubscribe, this default value will be used for calculation of validity time (current time + default duration). If Validity time attribute is received in SubscriptionData during NFSubscribe, this is minimum value will be used for validation and limit purpose. It means if value provided is less than ( current time + minimum value), then calculated value with minimum duration value will be considered as validity time of subscription and similarly in case validity time is more than (current time + maximum duration), then calculated value with maximum duration will be considered as validity time of subscription. The value is in pHqMrS format. Where p,q,r are integers and H,M,S or h,m,s denote hours, minutes & seconds respectively. See the footnote. |
nfManagementSystemOptions | nrfSupportForProfileChangesInNotification | ENUM (true, false) | true or false | O | false | OCNRF sends profileChanges attribute instead of NFProfile in Notification, if this flag is enabled. See the footnote. |
nfManagementSystemOptions | nfProfileSuspendDuration | String | 10s - 744h | O | 168h | Indicates the duration for which the NF is suspended, before it is deleted from OCNRF database. The value is in pHqMrS format. Where p,q,r are integers and H,M,S or h,m,s denote hours, minutes & seconds respectively. See the footnote. |
nfManagementSystemOptions | acceptAdditionalAttributes | ENUM (true, false) | true or false | O | false | OCNRF preserves additional attributes that are not defined by 3gpp in NFProfile/NFService in the database based on this attribute value. See the footnote. |
nfManagementSystemOptions | allowDuplicateSubscriptions | ENUM (true, false) | true or false | O | true | This attribute specifies if OCNRF should allow duplicate
Subscriptions to be created or not.
Note: In case duplicate subscriptions are not allowed and this flag is marked as false, there will be performance degradation around 50% during NFSubscribe service operation. |
nfDiscoverSystemOptions | discoveryValidityPeriod | String | 1s - 168h | O | 1h | This attribute mentions the validity period of a discovery request after which requester NF must perform discovery again to get the latest values. The value is in pHqMrS format. Where p,q,r are integers and H,M,S or h,m,s denote hours, minutes & seconds respectively. See the footnote. |
nfDiscoverSystemOptions | profilesCountInDiscoveryResponse | INTEGER | 0 - 20 | C | 3 | This value restricts NF profile count in NFDiscover
response.
If value of this attribute is 0, it means this functionality will get disabled, in that case all the profiles will be returned. If GET option returns this attribute value as 0, then it means this feature is disabled. Note:- If Limit attribute is present in SearchData URI then this attribute is not used. |
nfDiscoverSystemOptions | discoveryResultLoadThreshold | INTEGER | 0 - 100 | C | 0 | This configuration is used to select out profiles
from discovery response whose load is more than the configured
value. NFDiscover response contains NF profiles with load attribute
value less than or equal to this configured value.
Value 0 indicates this feature is disabled. |
nfAccessTokenSystemOptions | oauthTokenAlgorithm | String (oauthTokenAlgorithm) | O | ES256 | Access token key algorithm which will be used to sign the oauth token. See the footnote. | |
nfAccessTokenSystemOptions | oauthTokenExpiryTime | String | 1s - 168h | O | 1h | Oauth token expiry time. The value is in pHqMrS format. Where p,q,r are integers and H,M,S or h,m,s denote hours, minutes & seconds respectively. See the footnote. |
nfAccessTokenSystemOptions | authorizeRequesterNf | String (Feature Status) | O | ENABLED | This attribute validates the requester NF is
registered with OCNRF or not. OCNRF issues the access token only to
the registered requester NFs.
If the value is Disabled, OCNRF will issue token to non-registered NFs as well. |
|
nfAccessTokenSystemOptions | audienceType | String (AudienceType ) | O | NF_INSTANCE_ID | This value decides the AudienceType in AccessTokenClaim. OCNRF considers this value only if targetnfInstanceId is not received in AccessTokenRequest. | |
nfAccessTokenSystemOptions | logicalOperatorForScope | String ( LogicalOperatorForScope) | O | AND | This value will decide whether values in scope will
have relationship AND or OR.
If value is AND, while looking for producer network function profiles, token will be issued for profiles matching all the services-names present in scope. If value is OR, token will be issued for profiles matching any of the services-names present in scope. |
|
slfSystemOptions | slfFeatureStatus | String (Feature Status) | O | DISABLED | Enables/disables the SLF Feature. See NOTE 1. | |
slfSystemOptions | slfHostConfig | array (NfConfig) | C | This is used to configure Primary and Secondary SLF
Details which is used for forwarding various requests.
It allows to configure details of SLF like apiVersion, scheme, FQDN, port, etc. The only supported value for apiVersionInUri is v1. Hence the apiVersions attribute must have at least one data record with apiVersionInUri attribute values set as v1. This configuration allows you to configure more than 2 SLF Details. SLF with highest priority is considered as Primary SLF for forwarding messages. SLF with second highest priority is considered as Secondary SLF for forwarding. If supportedNfTypeList is set, then operator must set this attribute. This is because this value will be used to contact the network function hosting the SLF. To reset this attribute, please send empty array, for example:- "slfHostConfig": [ ] If this attribute is already set then there is no need to provide the value again. See the footnote. |
||
slfSystemOptions | supportedNfTypeList | array | C | NF Type list for which SLF need to be supported.
SLF look up will happen only for NF Types mentioned in this configuration. To reset this attribute, send empty array, for example:-"supportedNfTypeList": [ ] If this value is set, then slfHostConfig shall also be set. See the footnote. |
||
slfSystemOptions | preferredSubscriberIdType | String (SubscriberIdType) | SUPI or GPSI | O | SUPI | This attribute will only be used, in case different type of subscriber identifiers (SUPI, GPSI) are present in NFDiscover service operation message, which subscriber identifier shall be used for the query to SLF. See the footnote. |
slfSystemOptions | rerouteOnResponseHttpStatusCodes | ResponseHttpStatusCodes | O | "pattern": "^[3,5][0-9]{2}$" | This attribute will be used after getting response from primary SLF (SLF Config with highest priority), if response code from primary SLF is present/matches this configuration, then OCNRF will reroute the SLF query to secondary SLF (SLF Config with second highest priority). See the footnote. | |
geoRedundancySystemOptions | geoRedundancyFeatureStatus | String (Feature Status) | O | DISABLED | Enables/Disables the geoRedundancy feature in
OCNRF.
See the footnote. |
|
geoRedundancySystemOptions | replicationLatency | String | 1s - 10m | O | 5s | This attribute defines the time taken for the data in the database to get replicated between GeoRedundant OCNRFs. The value is in pHqMrS format. Where p,q,r are integers and H,M,S or h,m,s denote hours, minutes & seconds respectively. |
geoRedundancySystemOptions | monitorNrfServiceStatusInterval | String | 1s - 10s | O | 5s | This attribute defines the time interval for monitoring the aggregated Nf_Management service status (combined status of nfRegistration, nfSubscription and nrfAuditor service). The value is in pHqMrS format. Where p,q,r are integers and H,M,S or h,m,s denote hours, minutes & seconds respectively. |
geoRedundancySystemOptions | monitorDBReplicationStatusInterval | String | 1s - 10s | O | 5s | This attribute defines the time interval for monitoring the DB replication status. The value is in pHqMrS format. Where p,q,r are integers and H,M,S or h,m,s denote hours, minutes & seconds respectively. |
errorResponses | slfErrorResponses | array (ErrorInfo) | O | This attribute defines the error responses which may be sent during SLF processing. This attribute will allow to update the error response code and error response description for preloaded error conditions. See the footnote. | ||
errorResponses | nrfForwardingErrorResponses | array (ErrorInfo) | O | This attribute defines the error responses which may be sent during NRF Forwarding scenarios. This attribute will allow to update the error response code and error response description for preloaded error conditions. See the footnote. |
Note:
If the attribute is not present, existing value in database is used. It can be the default value or the last updated value. But at least one attribute must be present so that the PUT request is not empty.Table 4-6 General Data Types
Data Type | Reference |
---|---|
NFType | 3GPP TS 29.510 |
NFServiceVersion | 3GPP TS 29.510 |
UriScheme | 3GPP TS 29.510 |
Fqdn | 3GPP TS 29.510 |
Table 4-7 Feature Status
Enumeration value | Description |
---|---|
ENABLED | Enables the feature. |
DISABLED | Disables the feature. |
Table 4-8 OauthTokenAlgorithm
Enumeration value | Description |
---|---|
ES256 | ES256 algorithm key will be used to sign the oauth token |
RS256 | RS256 algorithm key will be used to sign the oauth token |
Table 4-9 AudienceType
Enumeration value | Description |
---|---|
NF_INSTANCE_ID | NF Instance Id(s) in audience IE of AccessTokenClaim. |
NF_TYPE | NF Type in audience IE of AccessTokenClaim. |
Table 4-10 LogicalOperatorForScope
Enumeration value | Description |
---|---|
AND | If value is AND, while looking for profiles of producer network function, OCNRF issues token for all profiles matching with services-names present in the scope. |
OR | If value is OR, OCNRF includes producers matching with any of the services-names present in scope, while looking for profiles of producer NFs. |
Table 4-11 NFConfig
Attribute | DataType | Presence | Description |
---|---|---|---|
apiVersions | array (NFServiceVersion) | M | API Version of NF |
scheme | UriScheme | M | URI schema supported by NF |
fqdn | Fqdn | M | FQDN of NF |
port | integer | O | Port of NF
default value:80 if scheme is HTTP, 443 if its HTTPS |
apiPrefix | string | O | ApiPrefix |
priority | integer | M | Priority of NF |
nfInstanceId | string | M | nfInstanceId of NF |
Table 4-12 SubscriberIdType
Enumeration Value | Description |
---|---|
SUPI | Subscriber Id is SUPI |
GPSI | Subscriber Id is GPSI |
Table 4-13 ErrorInfo
Attribute | DataType | Presence | Description |
---|---|---|---|
error_condition | ErrorCondition | ReadOnly | Error Conditions |
error_response_code | Integer | M | This response code will be used when corresponding error condition will occur. |
error_response_description | String | M | This response description will be used when corresponding error condition will occur. |
Table 4-14 ErrorCondition
Error Condition | Error Response Code | Description |
---|---|---|
SLF_Missing_Mandatory_Parameters | 400 | SLF mandatory parameters are missing |
SLF_Not_Reachable | 504 | SLF is not reachable from OCNRF |
SLF_GroupId_NotFound | 404 | Group Id Not found from SLF |
NRF_Not_Reachable | 504 | Primary/Secondary NRF is not reachable from NRF |
NRF_Forwarding_Loop_Detection | 508 | Loop detected while processing NRF Service Operation Message |
Table 4-15 ResponseHttpStatusCodes
Attribute | DataType | Presence | Description |
---|---|---|---|
pattern
|
String
|
C
C |
Either pattern or codeList is present. |
codeList | array (integer) | C | Either pattern or codeList is present. |
Configuring NF Screening
This section provides information for configuring NF Screening.
Table 4-16 Resources and Methods Overview
Resource Name | Resource URI | HTTP Method or Custom Operation | Description |
---|---|---|---|
screening-rules (Store) |
{apiRoot}/nrf-configuration/v1/screening-rules | GET | Returns all the screening rules |
screening-rules (Document) |
{apiRoot}/nrf-configuration/v1/screening-rules/{nfScreeningRulesListType} | GET | Returns screening rules corresponding to the specified NF Screening Rule List Type. |
screening-rules (Document) |
{apiRoot}/nrf-configuration/v1/screening-rules/{nfScreeningRulesListType} | PUT | Replace the complete specified NF Screening Rule List Type |
screening-rules (Document) |
{apiRoot}/nrf-configuration/v1/screening-rules/{nfScreeningRulesListType} | PATCH | Partially updates the specified NF Screening Rule List Type. |
Table 4-17 Data structures supported by the PUT Request Body
Data Type | Mandatory(M)/Optional(O)/Conditional(C) | Cardinality | Description |
---|---|---|---|
NfScreening Rules | M | 1 | NF Screening Rules which need to be updated. |
Table 4-18 Data structures supported by the PUT Response Body
Data Type | Mandatory(M)/Optional(O)/Conditional(C) | Cardinality | Response Codes | Description |
---|---|---|---|---|
NfScreeningRules | 200 OK | Successful response | ||
ProblemDetails | C | 1 |
404 NOT FOUND 500 INTERNAL ERROR 400 BAD REQUEST |
The response body contains the error reason of the request message. |
Table 4-19 Data structures supported by the PATCH Request Body
Data Type | Mandatory(M)/Optional(O)/Conditional(C) | Cardinality | Description |
---|---|---|---|
PatchDocument | M | 1 | It contains the list of changes to be made to the NF Screening Rule, according to the JSON PATCH format specified in IETF RFC 6902 [13]. |
Table 4-20 Data structures supported by the PATCH Response Body
Data Type | Mandatory(M)/Optional(O)/Conditional(C) | Cardinality | Response Codes | Description |
---|---|---|---|---|
NfScreeningRules | 200 OK | Successful response | ||
ProblemDetails | C | 1 |
404 NOT FOUND 500 INTERNAL ERROR 400 BAD REQUEST |
The response body contains the error reason of the request message. |
GET - Collection of screening rules
Table 4-21 URI query parameters supported by the GET method
Name | Data Type | Mandatory(M)/Optional(O)/Conditional(C) | Cardinality | Description |
---|---|---|---|---|
nfScreeningRulesListType | NfScreeningRulesListType | O | 0.1 | The type of NF screening rules on this basis of rules list type. |
nfScreeningRulesListStatus | NfScreeningRulesListStatus | O | 0.1 | Screening Rules List on the basis of status (Enabled or Disabled) |
Table 4-22 Data structures supported by the GET Response Body
Data Type | Mandatory(M)/Optional(O)/Conditional(C) | Cardinality | Response Codes | Description |
---|---|---|---|---|
ScreeningRulesResult | M | 1 | 200 OK | The response body contains a list of screening lists, or an empty object if there are no screening rules to return in the query result. |
ProblemDetails | C | 1 |
500 INTERNAL ERROR 400 BAD REQUEST |
The response body contains the error reason of the request message. |
Table 4-23 ScreeningRulesResult - Parameters
Attribute Name | Data type | Mandatory(M)/Optional(O)/Conditional(C) | Cardinality | Description |
---|---|---|---|---|
nfScreeningRulesList | array (NfScreeningRules) | M | 0.N | It shall contain an array of NF Screening List. An empty array means there is no NF Screening list configured. |
GET - Particular screening list rule
Table 4-24 Data structures supported by the GET Response Body
Data Type | Mandatory(M)/Optional(O)/Conditional(C) | Cardinality | Response Codes | Description |
---|---|---|---|---|
NfScreeningRules | M | 1 | 200 OK | The response body contains requested screening list. |
ProblemDetails | C | 1 |
500 INTERNAL ERROR 400 BAD REQUEST |
The response body contains the error reason of the request message. |
REST message samples
Screening List Update
NF screening rules to update particular rule configuration (except read only attributes)
URL: http://host:port/nrf-configuration/v1/ screening-rules /CALLBACK_URIRequest_Type: PUT
Content-Type: application/jsonRequest Body
NF screening rules to get all of the configured rules
{
"nfScreeningType": "BLACKLIST",
"nfScreeningRulesListStatus": "ENABLED",
"globalScreeningRulesData": {
"failureAction": "SEND_ERROR",
"nfCallBackUriList": [
{
"ipv4AddressRange":{
"start": "155.90.171.123",
"end": "233.123.19.165"
},
"ports":[10,20]
},
{
"ipv6AddressRange":{
"start": "1001:cdba:0000:0000:0000:0000:3257:9652",
"end": "3001:cdba:0000:0000:0000:0000:3257:9652"
}
}
]
},
"amfScreeningRulesData": {
"failureAction": "CONTINUE",
"nfCallBackUriList": [
{
"fqdn": "ocnrf-d5g.oracle.com"
},
{
"ipv4AddressRange":{
"start": "155.90.171.123",
"end": "233.123.19.165"
},
"ports":[10,20]
}
]
}
}
URL:
http://host:port/nrf-configuration/v1/ screening-rules /
Request_Type: GET
Response Body
{
"nfScreeningRulesList": [
{
"nfScreeningRulesListType": "NF_FQDN",
"nfScreeningType": "BLACKLIST",
"nfScreeningRulesListStatus": "DISABLED"
},
{
"nfScreeningRulesListType": "NF_IP_ENDPOINT",
"nfScreeningType": "BLACKLIST",
"nfScreeningRulesListStatus": "ENABLED",
"amfScreeningRulesData": {
"failureAction": "SEND_ERROR",
"nfIpEndPointList": [
{
"ipv4Address": "198.21.87.192",
"ports": [
10,
20
]
}
]
}
},
{
"nfScreeningRulesListType": "CALLBACK_URI",
"nfScreeningType": "BLACKLIST",
"nfScreeningRulesListStatus": "ENABLED",
"globalScreeningRulesData": {
"failureAction": "SEND_ERROR",
"nfCallBackUriList": [
{
"fqdn": "ocnrf-d5g.oracle.com",
"ports": [
10,
20
]
}
]
}
},
{
"nfScreeningRulesListType": "PLMN_ID",
"nfScreeningType": "BLACKLIST",
"nfScreeningRulesListStatus": "DISABLED"
},
{
"nfScreeningRulesListType": "NF_TYPE_REGISTER",
"nfScreeningType": "WHITELIST",
"nfScreeningRulesListStatus": "ENABLED",
"globalScreeningRulesData": {
"failureAction": "SEND_ERROR",
"nfTypeList": [
"AMF",
"SMF",
"PCF"
]
}
}
]
}
NF screening rules to get a particular configured rule
URL: http://host:port/nrf-configuration/v1/ screening-rules /CALLBACK_URIRequest_Type: GET
Response Body
{
"nfScreeningRulesListType": "CALLBACK_URI",
"nfScreeningType": "BLACKLIST",
"nfScreeningRulesListStatus": "ENABLED",
"globalScreeningRulesData": {
"failureAction": "SEND_ERROR",
"nfCallBackUriList": [
{
"ipv4AddressRange": {
"start": "155.90.171.123",
"end": "233.123.19.165"
},
"ports": [
10,
20
]
},
{
"ipv6AddressRange": {
"start": "1001:cdba:0000:0000:0000:0000:3257:9652",
"end": "3001:cdba:0000:0000:0000:0000:3257:9652"
}
}
]
},
"amfScreeningRulesData": {
"failureAction": "SEND_ERROR",
"nfCallBackUriList": [
{
"fqdn": "ocnrf-d5g.oracle.com"
},
{
"ipv4AddressRange": {
"start": "155.90.171.123",
"end": "233.123.19.165"
},
"ports": [
10,
20
]
}
]
}
}
NF screening rules for partial rule update
http://host:port/nrf-configuration/v1/screening-rules/CALLBACK_URIRequest_Type: PATCH
Content-Type: application/json-patch+jsonRequest Body
[
{"op":"remove","path":"/globalScreeningRulesData/nfCallBackUriList/2/ports/0"},
{"op":"replace","path":"/globalScreeningRulesData/failureAction","value": "CONTINUE"}
]
URL:
http://host:port/nrf-configuration/v1/ screening-rules /CALLBACK_URI
Request_Type: PATCH
Content-Type: application/json-patch+jsonResponse Body
[{"op":"add","path":"/nrfScreeningRulesData","value": {"failureAction": "SEND_ERROR","nfCallBackUriList": [{"ipv4AddressRange":{"start" : "189.163.192.10","end": "190.178.127.10"}}]}}]
Table 4-25 NfScreeningRules - Parameters
Attribute Name | Data type | Mandatory(M)/Optional(O)/Conditional(C) | Description |
---|---|---|---|
nfScreeningRulesListType | Table 4-27 | C | ReadOnly. It will be returned while retrieving the rule. |
nfScreeningType | Table 4-28 | M | Screening type of complete screening list. Blacklist or whitelist. All the rules can be either blacklist or whitelist. |
nfScreeningRulesListStatus | Table 4-29 | M | This attribute will enable or disable complete screening list. |
globalScreeningRulesData | Table 4-26 | O | This attribute will be present if global screening rules need to be configured. |
customNfScreeningRulesData | Table 4-26 | O | This attribute will be present if screening rules for custom NF need to be configured. |
nrfScreeningRulesData | Table 4-26 | O | This attribute will be present if screening rules for NRF need to be configured. |
udmScreeningRulesData | Table 4-26 | O | This attribute will be present if screening rules for UDM need to be configured. |
amfScreeningRulesData | Table 4-26 | O | This attribute will be present if screening rules for AMF need to be configured. |
smfScreeningRulesData | Table 4-26 | O | This attribute will be present if screening rules for custom SMF need to be configured. |
ausfScreeningRulesData | Table 4-26 | O | This attribute will be present if screening rules for AUSF need to be configured. |
nefScreeningRulesData | Table 4-26 | O | This attribute will be present if screening rules for NEF need to be configured. |
pcfScreeningRulesData | Table 4-26 | O | This attribute will be present if screening rules for PCF need to be configured. |
nssfScreeningRulesData | Table 4-26 | O | This attribute will be present if screening rules for NSSF need to be configured. |
udrScreeningRulesData | Table 4-26 | O | This attribute will be present if screening rules for UDR need to be configured. |
lmfScreeningRulesData | Table 4-26 | O | This attribute will be present if screening rules for IMF need to be configured. |
gmlcScreeningRulesData | Table 4-26 | O | This attribute will be present if screening rules for GMLC need to be configured. |
fiveG_EirScreeningRules | Table 4-26 | O | This attribute will be present if screening rules for EIR need to be configured. |
seppScreeningRulesData | Table 4-26 | O | This attribute will be present if screening rules for SEPP need to be configured. |
upfScreeningRulesData | Table 4-26 | O | This attribute will be present if screening rules for UPF need to be configured. |
n3iwfScreeningRulesData | Table 4-26 | O | This attribute will be present if screening rules for IWF need to be configured. |
afScreeningRulesData | Table 4-26 | O | This attribute will be present if screening rules for AF need to be configured. |
udsfScreeningRulesData | Table 4-26 | O | This attribute will be present if screening rules for UDSF need to be configured. |
bsfScreeningRulesData | Table 4-26 | O | This attribute will be present if screening rules for BSF need to be configured. |
chfScreeningRulesData | Table 4-26 | O | This attribute will be present if screening rules for CHF need to be configured. |
nwdafScreeningRulesData | Table 4-26 | O | This attribute will be present if screening rules forNWDAF need to be configured. |
Table 4-26 NfScreeningRulesData - Parameters
Attribute Name | Data type | Mandatory(M)/Optional(O)/Conditional(C) | Description |
---|---|---|---|
failureAction | Table 4-30 | M | Indicates what action needs to be taken during failure. |
nfFqdn | Table 4-31 | C | If this attribute is present in message it shouldn't be null. This attribute will be present if screeningListType is NF_FQDN. |
nfCallBackUriList | array(Table 4-33) | C | If this attribute is present in message it shouldn't be null. This attribute will be present if screeningListType is CALLBACK_URI. |
nfIpEndPointList | array(Table 4-32) | C | If this attribute is present in message it shouldn't be null. This attribute may be present if screeningListType is NF_IP_ENDPOINT. |
plmnList | array(PlmnId) | C | If this attribute is present in message it shouldn't be null. This attribute may be present if screeningListType is PLMN_ID. |
nfTypeList | array(NfTypeList) | C | If this attribute is present in message it shouldn't be null. This attribute may be present if screeningListType is NF_TYPE_REGISTER. |
Table 4-27 NfScreeningRulesListType - Parameters
Enumeration Value | Description |
---|---|
"NF_FQDN" | Screening List type for NF FQDN |
"NF_IP_ENDPOINT" | Screening list type for IP Endpoint |
"CALLBACK_URI" | Screening list type for callback URIs in NF Service and nfStatusNotificationUri in SubscriptionData |
"PLMN_ID" | Screening list type for PLMN ID |
"NF_TYPE_REGISTER" | Screening list type for allowed NF Types to register |
Table 4-28 NfScreeningType - Parameters
Enumeration Value | Description |
---|---|
"BLACKLIST" | When a screening list is configured to operate as a blacklist, the request is allowed to access the service only if the corresponding attribute value is not present in the blacklist. |
"WHITELIST" | When a screening list is configured to operate as a whitelist, the request is allowed to access the service only if the corresponding attribute value is present in the whitelist. |
Table 4-29 NfScreeningRulesListStatus - Parameters
Enumeration Value | Description |
---|---|
"ENABLED" | Screening List feature is enabled to apply the rules. |
"DISABLED" | Screening List feature is disabled. |
Table 4-30 FailureAction - Parameters
Enumeration Value | Description |
---|---|
"CONTINUE" | Continue Processing |
"SEND_ERROR" | Send response with configured HTTP status code |
Table 4-31 NfFqdn - Parameters
Attribute Name | Data type | Mandatory(M)/Optional(O)/Conditional(C) | Description |
---|---|---|---|
fqdn | array(FQDN) | C | Exact FQDN to be matched. This is conditional, at least one attribute shall be present. |
pattern | array(string) | C | Regular Expression for FQDN. This is conditional, at least one attribute shall be present. |
Table 4-32 NfIpEndPoint - Parameters
Attribute Name | Data type | Mandatory(M)/Optional(O)/Conditional(C) | Description |
---|---|---|---|
ipv4Address | Ipv4Addr | C | IPv4 address to be matched. |
ipv4AddressRange | Ipv4AddressRange | C | Range of IPv4 addresses. |
ipv6Address | Ipv6Addr | C | IPv6 address to be matched. |
ipv6AddressRange | Table 4-35 | C | Range of IPv6 addresses. |
port | array(integer) | O | If this attribute is not configured then it will not be considered for validation. |
portRange | array(PortRange) | O | If this attribute is not configured then it will not be considered for validation. |
Note:
Depending on the conditions, only one of the ipv4Address, ipv4AddressRange, ipv6Address, and ipv6AddressRange attributes can be present.Table 4-33 NfCallBackUri - Parameters
Attribute Name | Data type | Mandatory(M)/Optional(O)/Conditional(C) | Description |
---|---|---|---|
fqdn | FQDN | C | Exact Fqdn to be matched. |
pattern | string | C | Regular Expression for FQDN, Ipv4Address or Ipv6Address. |
ipv4Address | Ipv4Addr | C | IPv4 address to be matched. |
ipv4AddressRange | Ipv4AddressRange | C | Range of IPv4 addresses. |
ipv6Address | Ipv6Addr | C | IPv6 address to be matched. |
ipv6AddressRange | Table 4-35 | C | Range of IPv6 addresses. |
port | array(integer) | O | If this attribute is not configured then it will not be considered for validation. |
portRange | array(PortRange) | O | If this attribute is not configured then it will not be considered for validation. |
Note:
Depending on the conditions, only one of the fqdn, pattern, ipv4Address, ipv4AddressRange, ipv6Address, and ipv6AddressRange attributes can be present.Table 4-34 PortRange - Parameters
Attribute Name | Data type | Mandatory(M)/Optional(O)/Conditional(C) | Description |
---|---|---|---|
start | integer | M | First value identifying the start of port range. |
end | integer | M | Last value identifying the end of port range. |
Table 4-35 Ipv6AddressRange - Parameters
Attribute Name | Data type | Mandatory(M)/Optional(O)/Conditional(C) | Description |
---|---|---|---|
start | Ipv6Addr | M | First value identifying the start of an IPv6 Address range. |
end | Ipv6Addr | M | Last value identifying the end of an IPv6 Address range. |
Table 4-36 Common data types
Data Type | Reference |
---|---|
Ipv6Addr | 3GPP TS 29.571 |
Ipv4Addr | 3GPP TS 29.571 |
Ipv4AddressRange | 3GPP TS 29.510 |
PlmnId | 3GPP TS 29.571 |
Uri | 3GPP TS 29.571 |
IpEndPoint | 3GPP TS 29.510 |
NFType | 3GPP TS 29.510 |
ProblemDetails | 3GPP TS 29.571 |
OCNRF Access Token Service Usage Details
OCNRF implements Nnrf_AccessToken service (used for OAuth2 authorization), along with the "Client Credentials" authorization grant. It exposes a "Token Endpoint" where the Access Token Request service can be requested by NF Service Consumers.
- Access Token Request (i.e. Nnrf_AccessToken_Get)
Note:
This procedure is specific to OCNRF Access Token service operation. OCNRF general configurations, database and database specific secret creation are not part of this procedure.Procedure to use OCNRF Access Token Service Operation
- Create OCNRF private key and public certificateThis step explains need to create the OCNRF private keys and public certificates. Private key are used by OCNRF NF to sign the Access Token generated. It shall be available only with OCNRF. Public certificates are used by producer NFs to validate the access token generated by OCNRF. So, public certificates shall be available with producer network functions. Two types of signing algorithms are supported by OCNRF. For both types different keys and certificates required to be generated:Sample keys and certificates:
- ES256: ECDSA digital signature with SHA-256 hash algorithm
- RS256: RSA digital signature with SHA-256 hash algorithm
Note:
Creation process for private keys, certificates and passwords is on discretion of user/operator.After execution of this step, there will be private keys and public certificates of OCNRF (generated files depends upon algorithms chosen by operator/user).
For example:
ES256 based keys and certificates:-
ecdsa_private_key.pem
-
ecdsa_certificate.crt
RS256 based keys and certificates:-
rsa_private_key.pem
-
rsa_certificate.crt
- Password to keep safely the generated keys and certificate inside OCNRF
container
This step explains the create password that is used to keep safely the generated keys and certificate inside OCNRF container.
Sample step to create:
where,echo qwerpoiu > keystore_password.txt
qwerpoiu
is the password andkeystore_password.txt
is the target password fileNote:
This file is provided in Kubernetes secret.After execution of this step, file will be available with password.
For example:
keystore_password.txt
- Name space creation for Secrets
This step explains the need for creating kubernetes namespace in which kubernetes secrets will be created for OCNRF private keys, OCNRF public certificate and keystore password. Refer to Creating OCNRF Namespace section in OCNRF Installation and Upgrade guide.
Note:
- Different namespaces or same namespace can be used for OCNRF private keys, OCNRF public certificate and keystore password.
- Namespace(s) shall have RBAC resources defined with required privileges.
- It can be same namespace as for OCNRF.
- Namespace will be available in which required secrets can be created in next steps
- Secret creation for OCNRF private keys, OCNRF public
certificate and keystore passwordThis step explain commands to create the kubernetes secret(s) in which OCNRF private keys, OCNRF public certificate and keystore password can be kept safely. Refer to Configuring Kubernetes Secret for Accessing OCNRF Database section in OCNRF Installation and Upgrade guide.
Note:
Single secret can be created for OCNRF private keys, OCNRF public certificate and keystore password. Sample command is provided in steps to create single secret. In case, there is need to create separate secret for each entity, then same command can be used. - Configure OCNRF custom_values.yaml with outcome details of
Steps 1 to 4
This step explains customize the OCNRF custom_values.yaml to use the OCNRF private keys, OCNRF public certificate, keystore password file, secrets, and secret namespace. Refer to Configuring Secret for Enabling AccessToken Service section in OCNRF Installation and Upgrade guide.
Key Attributes in OCNRF custom_values.yaml:- nfaccesstoken.oauth.nrfInstanceId - OCNRF's NF Instance ID that will be used for signing AccessTokenClaim.
- nfaccesstoken.oauth.initialAlgorithm - Signing algorithm which will be used by Access Token microservice. This is default value.
- NF Access Token OCNRF Private Key Details
- k8SecretName - K8 Secret Name for OCNRF Access Token Private key
- k8NameSpace - Namespace for OCNRF Access Token Private key Secret
- rsa.filename - Key File name which is OCNRF Access Token Private Key for RSA algorithm
- ecdsa.filename - Key File name which is OCNRF Access Token Private Key for ECDSA algorithm
- NF Access Token OCNRF Public Certificate Details
- k8SecretName - K8 Secret Name for OCNRF Access Token Public Certificate
- k8NameSpace - Namespace for OCNRF Access Token Public Certificate Secret
- rsa.filename - Key File name which is OCNRF Access Token Public Certificate for RSA algorithm
- ecdsa.filename - Key File name which is OCNRF Access Token Public Certificate for ECDSA algorithm
- NF Access Token Key Store Password Details
- k8SecretName - K8 Secret Name for OCNRF Access Token Key Store Password
- k8NameSpace - Namespace for OCNRF Access Token Key Store password Secret
- filename - KeyStore password file