4 Configuring OCNRF
OCNRF can be configured using HELM and REST. Some configurations are performed during installation using HELM, and a few are modified afterwards using REST. For HELM configuration, refer to OCNRF Cloud Native Installation and Upgrade Guide. The REST configurations can also be performed using Cloud Native Core (CNC) Console. Refer to Configuring OCNRF using CNC Console for more details.
Mandatory Configurations
- nrfPlmnList: PLMN(s) served by OCNRF. This must be configured before using any OCNRF Services.
- ocnrfEndPointHost: OCNRF EndPoint Host's FQDN.
- ocnrfEndPointPort: OCNRF EndPoint Host's Port.
OCNRF Host Configuration
OCNRF's NfHostConfig configuration attribute is used to configure the details of NRF and SLF/UDR Network Functions. The attributes nrfHostConfig and slfHostConfig are used for the NRF forwarding and Subscriber Location Function (SLF) features respectively.
The NfHostConfig configuration consists of attributes like apiVersion, scheme, FQDN, port, priority, etc. OCNRF allows more than two hosts to be configured. However, the host with the highest priority is considered the Primary Host, and the host with the second highest priority is considered the Secondary Host.
Note:
- Refer to 3GPP TS 29.510, release 15.5, for the definition and allowed range of the NfHostConfig attributes (apiVersion, scheme, FQDN, port, priority, etc).
- Apart from the priority attribute, no other attribute plays any role in Primary/Secondary host selection.
- Apart from the Primary/Secondary hosts, other configured hosts (if any) are not used during any message processing.
- When more than one host is configured with the highest priority, two of them are picked as Primary/Secondary host at random.
- rerouteOnResponseHttpStatusCodes: This configuration determines whether the SLF request message can be sent to the Secondary SLF. If the response status code received from the primary SLF matches this configuration, OCNRF reroutes the request to the secondary SLF. Refer to the nfHostConfig attribute for Primary and Secondary SLF details.
- maximumHopCount: This configuration determines the maximum number of hops (SLF/NRF) over which OCNRF can forward a given service request. This configuration is most useful when the NRF Forwarding and SLF features interact.
- nrfRerouteOnResponseHttpStatusCodes: This configuration determines whether the service operation message can be forwarded to the Secondary NRF. If the response status code received from the primary NRF matches this configuration, OCNRF reroutes the request to the secondary NRF. Refer to the nfHostConfig attribute for Primary and Secondary NRF details.
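An added example, not taken from the OCNRF product or its documentation, of the host selection and reroute rules described above. It assumes that a lower priority number means a higher priority (the 3GPP TS 29.510 convention), that a codeList takes precedence over a pattern, and that the pattern is applied to the decimal status code; the host names and the `responses` map are constructed.

```python
import re

# Default reroute setting from the page. Inside [...] the comma is a literal, so
# the class is '3', ',' or '5'; for numeric codes that means 3xx and 5xx.
# A 4xx answer from the primary is therefore never rerouted.
DEFAULT_REROUTE = {"pattern": "^[3,5][0-9]{2}$"}

# Constructed NfConfig entries (host names are placeholders).
HOSTS = [
    {"fqdn": "nrf-b.example.internal", "scheme": "http", "port": 80, "priority": 20},
    {"fqdn": "nrf-a.example.internal", "scheme": "http", "port": 80, "priority": 10},
    {"fqdn": "nrf-c.example.internal", "scheme": "http", "port": 80, "priority": 20},
]


def select_hosts(host_config):
    """Return (primary, secondary, ambiguous) for an nrfHostConfig/slfHostConfig array.

    Assumption: lower number = higher priority, as in 3GPP TS 29.510.
    `ambiguous` lists hosts whose priority ties across a role boundary; the page
    says such ties are resolved at random, so their role cannot be predicted.
    """
    ranked = sorted(host_config, key=lambda h: h["priority"])
    primary = ranked[0] if ranked else None
    secondary = ranked[1] if len(ranked) > 1 else None
    tied = {
        ranked[i]["priority"]
        for i in (0, 1)
        if i + 1 < len(ranked) and ranked[i]["priority"] == ranked[i + 1]["priority"]
    }
    ambiguous = [h["fqdn"] for h in ranked if h["priority"] in tied]
    return primary, secondary, ambiguous


def should_reroute(status_code, reroute_cfg):
    """True if the primary's response status sends the request to the secondary."""
    if "codeList" in reroute_cfg:  # assumption: an explicit list wins over a pattern
        return status_code in reroute_cfg["codeList"]
    pattern = reroute_cfg.get("pattern")
    return bool(pattern) and re.search(pattern, str(status_code)) is not None


def forward(host_config, reroute_cfg, responses):
    """Return (fqdn, status) of the response relayed to the consumer NF.

    `responses` maps fqdn -> status code and stands in for the real HTTP calls.
    Only the primary and secondary are ever contacted; other hosts are unused.
    """
    primary, secondary, _ = select_hosts(host_config)
    if primary is None:
        return None, None
    status = responses[primary["fqdn"]]
    if secondary is not None and should_reroute(status, reroute_cfg):
        return secondary["fqdn"], responses[secondary["fqdn"]]
    return primary["fqdn"], status


if __name__ == "__main__":
    print("ambiguous roles:", select_hosts(HOSTS)[2])
    for code in (200, 308, 404, 503):
        print(code, "reroute" if should_reroute(code, DEFAULT_REROUTE) else "relay")
```

With the constructed hosts, nrf-b and nrf-c share a priority, so which of them becomes the Secondary is not determined by the configuration; distinct priorities remove that ambiguity.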
General Configurations
This section provides information for performing general configurations in OCNRF.
General configuration - OCNRF system options
Table 4-1 Service API Interface
Resource Name | Resource URI | HTTP Method or Custom Operation | Description |
---|---|---|---|
nrf-configuration (Store) | {apiRoot}/nrf-configuration/v1/system-options | GET | Retrieves OCNRF system options configuration |
nrf-configuration (Store) | {apiRoot}/nrf-configuration/v1/system-options | PUT | Updates OCNRF system options configuration |
Table 4-2 Data structures supported by the GET Response Body
Data Type | Mandatory(M)/Optional(O)/Conditional(C) | Cardinality | Response Codes | Description |
---|---|---|---|---|
ProblemDetails | M | 1 | 500 Internal Server Error | The response body contains the error reason of the request message. |
NrfSystemOptions | M | 1 | 200 OK | Response body contains the OCNRF current system options |
Table 4-3 Data structures supported by the PUT Request Body
Data Type | Mandatory(M)/Optional(O)/Conditional(C) | Cardinality | Description |
---|---|---|---|
NA | M | 1 | NrfSystemOptions details |
Table 4-4 Data structures supported by the PUT Response Body
Data Type | Mandatory(M)/Optional(O)/Conditional(C) | Cardinality | Response Codes | Description |
---|---|---|---|---|
ProblemDetails | M | 1 | 500 Internal Server Error | The response body contains the error reason of the request message. |
ProblemDetails | M | 1 | 400 Bad request | The response body contains the error reason of the request message. |
NrfSystemOptions | M | 1 | 200 OK | Specifies that the update of NrfSystemOptions is successful and provides the values in database. |
REST Message Sample
Request_Type: GET and PUT
URL
{
    "generalSystemOptions": {
        "nrfPlmnList": [{
            "mcc": "310",
            "mnc": "14"
        }],
        "enableF3": true,
        "enableF5": true,
        "maximumHopCount": 3,
        "defaultLoad": 5,
        "defaultPriority": 100,
        "addPriorityInNFProfile": false,
        "addLoadInNFProfile": false,
        "ocnrfEndPointHost": "ocnrf-ingressgateway.ocnrf.svc.cluster.local",
        "ocnrfEndPointPort": 80
    },
    "nfScreeningSystemOptions": {
        "nfScreeningFeatureStatus": "DISABLED",
        "nfScreeningFailureHttpCode": 403
    },
    "nfAccessTokenSystemOptions": {
        "oauthTokenAlgorithm": "ES256",
        "oauthTokenExpiryTime": "1h",
        "authorizeRequesterNf": "ENABLED",
        "logicalOperatorForScope": "AND",
        "audienceType": "NF_INSTANCE_ID",
        "authFeatureConfig": {
            "authFeatureStatus": "DISABLED",
            "authConfig": [{
                "targetNfType": "AMF",
                "requesterNfType": "UDM",
                "serviceNames": ["namf-loc"]
            }],
            "authErrorResponses": [{
                "errorCondition": "RequesterNf_Unauthorized",
                "errorCode": 400,
                "errorResponse": "The Consumer NfType is not authorized to receive access token for the requested Nftype."
            }]
        }
    },
    "nfManagementSystemOptions": {
        "nfHeartBeatTimers": [
            {
                "nfType": "ALL_NF_TYPE",
                "minHbTimer": "30s",
                "maxHbTimer": "5m",
                "defaultHbTimer": "30s",
                "nfHeartBeatMissAllowed": 3
            },
            {
                "nfType": "AMF",
                "minHbTimer": "10s",
                "maxHbTimer": "120s",
                "defaultHbTimer": "20s",
                "nfHeartBeatMissAllowed": 1
            }
        ],
        "nfNotifyLoadThreshold": 5,
        "nrfSupportForProfileChangesInResponse": true,
        "subscriptionValidityDuration": "24h",
        "nrfSupportForProfileChangesInNotification": false,
        "nfProfileSuspendDuration": "168h",
        "acceptAdditionalAttributes": false,
        "allowDuplicateSubscriptions": true
    },
    "nfDiscoverSystemOptions": {
        "discoveryValidityPeriod": "1h",
        "profilesCountInDiscoveryResponse": 3,
        "discoveryResultLoadThreshold": 0
    },
    "slfSystemOptions": {
        "supportedNfTypeList": [],
        "preferredSubscriberIdType": "SUPI",
        "slfHostConfig": [{
            "nfInstanceId": "c56a4180-65aa-42ec-a945-5fd21dec0538",
            "apiVersions": [{
                "apiVersionInUri": "v1",
                "apiFullVersion": "15.5.0"
            }],
            "scheme": "http",
            "fqdn": "ocudrSlf-1-ingressgateway.ocnrf.svc.cluster.local",
            "priority": 100,
            "port": 80
        }],
        "rerouteOnResponseHttpStatusCodes": {
            "codeList": [134]
        },
        "slfFeatureStatus": "DISABLED"
    },
    "nfAuthenticationSystemOptions": {
        "nfRegistrationAuthenticationStatus": "DISABLED",
        "nfSubscriptionAuthenticationStatus": "DISABLED",
        "nfDiscoveryAuthenticationStatus": "DISABLED",
        "accessTokenAuthenticationStatus": "DISABLED",
        "nfProfileRetrievalAuthenticationStatus": "DISABLED",
        "nfListRetrievalAuthenticationStatus": "DISABLED",
        "checkIfNfIsRegistered": "DISABLED",
        "nfAuthenticationErrorResponses": [{
            "errorCondition": "Nf_Fqdn_Authentication_Failure",
            "errorCode": 403,
            "errorResponse": "Failed to authenticate NF using FQDN",
            "retryAfter": "5m"
        }]
    },
    "errorResponses": {
        "slfErrorResponses": [{
            "errorCondition": "SLF_Missing_Mandatory_Parameters",
            "errorCode": 400,
            "errorResponse": "Mandatory parameter missing for SLF Lookup"
        }, {
            "errorCondition": "SLF_GroupId_NotFound",
            "errorCode": 404,
            "errorResponse": "Group Id Not found from SLF"
        }, {
            "errorCondition": "SLF_Not_Reachable",
            "errorCode": 504,
            "errorResponse": "SLF not reachable"
        }],
        "nrfForwardingErrorResponses": [{
            "errorCondition": "NRF_Not_Reachable",
            "errorCode": 504,
            "errorResponse": "NRF not reachable"
        }, {
            "errorCondition": "NRF_Forwarding_Loop_Detection",
            "errorCode": 508,
            "errorResponse": "Loop Detected"
        }]
    },
    "forwardingSystemOptions": {
        "profileRetreivalForwardingStatus": "DISABLED",
        "subscriptionForwardingStatus": "DISABLED",
        "discoveryForwardingStatus": "DISABLED",
        "accessTokenForwardingStatus": "DISABLED",
        "nrfHostConfig": [{
            "nfInstanceId": "c56a4180-65aa-42ec-a945-5fd21dec0538",
            "apiVersions": [{
                "apiVersionInUri": "v1",
                "apiFullVersion": "15.5.0"
            }],
            "scheme": "http",
            "fqdn": "ocnrf-1-ingressgateway.ocnrf.svc.cluster.local",
            "priority": 100,
            "port": 80
        }],
        "nrfRerouteOnResponseHttpStatusCodes": {
            "pattern": "^[3,5][0-9]{2}$"
        }
    },
    "geoRedundancySystemOptions": {
        "geoRedundancyFeatureStatus": "DISABLED",
        "replicationLatency": "5s",
        "monitorNrfServiceStatusInterval": "5s",
        "monitorDBReplicationStatusInterval": "5s"
    },
    "loggingLevelSystemOptions": {
        "nfSubscriptionLogLevel": "WARN",
        "nfRegistrationLogLevel": "WARN",
        "nfDiscoveryLogLevel": "WARN",
        "nfAccessTokenLogLevel": "WARN",
        "nrfAuditorLogLevel": "WARN",
        "nrfConfigurationLogLevel": "WARN"
    }
}
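An added example (not Oracle code) that checks a system-options PUT body against the ranges in the Constraints column of Table 4-5 and lists the identity and authorization checks left DISABLED and the forwarding hosts reached over plain http. The finding labels, the choice of what to flag and the sample body are this example's own.

```python
import re

_DURATION = re.compile(r"(?:(\d+)[hH])?(?:(\d+)[mM])?(?:(\d+)[sS])?")

# (section, attribute, min, max) from the Constraints column of Table 4-5.
INT_RANGES = [
    ("generalSystemOptions", "maximumHopCount", 1, 5),
    ("generalSystemOptions", "defaultLoad", 0, 100),
    ("generalSystemOptions", "defaultPriority", 0, 65535),
    ("nfManagementSystemOptions", "nfNotifyLoadThreshold", 0, 99),
    ("nfDiscoverSystemOptions", "profilesCountInDiscoveryResponse", 0, 20),
    ("nfDiscoverSystemOptions", "discoveryResultLoadThreshold", 0, 100),
]
DURATION_RANGES = [
    ("nfManagementSystemOptions", "subscriptionValidityDuration", "10s", "720h"),
    ("nfManagementSystemOptions", "nfProfileSuspendDuration", "10s", "744h"),
    ("nfDiscoverSystemOptions", "discoveryValidityPeriod", "1s", "168h"),
    ("nfAccessTokenSystemOptions", "oauthTokenExpiryTime", "1s", "168h"),
    ("geoRedundancySystemOptions", "replicationLatency", "1s", "10m"),
    ("geoRedundancySystemOptions", "monitorNrfServiceStatusInterval", "1s", "10s"),
    ("geoRedundancySystemOptions", "monitorDBReplicationStatusInterval", "1s", "10s"),
]
HOST_ARRAYS = [("forwardingSystemOptions", "nrfHostConfig"),
               ("slfSystemOptions", "slfHostConfig")]


def parse_duration(text):
    """Convert a pHqMrS string ('30s', '5m', '1h30m') to seconds."""
    m = _DURATION.fullmatch(text) if isinstance(text, str) else None
    if not m or not any(m.groups()):
        raise ValueError(f"not in pHqMrS format: {text!r}")
    hours, minutes, seconds = (int(g or 0) for g in m.groups())
    return hours * 3600 + minutes * 60 + seconds


def audit_system_options(opts):
    """Return sorted (kind, path, detail) findings for an NrfSystemOptions body."""
    findings = []
    for section, attr, lo, hi in INT_RANGES:
        value = opts.get(section, {}).get(attr)
        if value is None:
            continue  # absent attribute: OCNRF keeps the value already in the database
        if type(value) is not int or not lo <= value <= hi:
            findings.append(("INVALID", f"{section}.{attr}", f"{value!r} not in {lo}-{hi}"))
    for section, attr, lo, hi in DURATION_RANGES:
        value = opts.get(section, {}).get(attr)
        if value is None:
            continue
        try:
            ok = parse_duration(lo) <= parse_duration(value) <= parse_duration(hi)
        except ValueError:
            ok = False
        if not ok:
            findings.append(("INVALID", f"{section}.{attr}", f"{value!r} not in {lo}-{hi}"))

    # Feature Status attributes that gate an identity or authorization check.
    auth = opts.get("nfAuthenticationSystemOptions", {})
    token = opts.get("nfAccessTokenSystemOptions", {})
    screening = opts.get("nfScreeningSystemOptions", {})
    controls = {f"nfAuthenticationSystemOptions.{k}": v for k, v in auth.items()
                if k.endswith("Status") or k == "checkIfNfIsRegistered"}
    controls["nfAccessTokenSystemOptions.authorizeRequesterNf"] = token.get("authorizeRequesterNf")
    controls["nfAccessTokenSystemOptions.authFeatureConfig.authFeatureStatus"] = (
        token.get("authFeatureConfig", {}).get("authFeatureStatus"))
    controls["nfScreeningSystemOptions.nfScreeningFeatureStatus"] = (
        screening.get("nfScreeningFeatureStatus"))
    for path, value in controls.items():
        if value == "DISABLED":
            findings.append(("CHECK_OFF", path, "DISABLED"))

    # Forwarding targets reached without TLS.
    for section, attr in HOST_ARRAYS:
        for host in opts.get(section, {}).get(attr, []):
            if str(host.get("scheme", "")).lower() == "http":
                findings.append(("CLEARTEXT", f"{section}.{attr}", host.get("fqdn", "?")))
    return sorted(findings)


# Constructed PUT body with deliberately out-of-range and weak values.
SAMPLE_PUT_BODY = {
    "generalSystemOptions": {"maximumHopCount": 8, "defaultLoad": 5},
    "nfAccessTokenSystemOptions": {"oauthTokenExpiryTime": "200h",
                                   "authorizeRequesterNf": "ENABLED"},
    "nfManagementSystemOptions": {"subscriptionValidityDuration": "24h",
                                  "nfProfileSuspendDuration": "7d"},
    "nfAuthenticationSystemOptions": {"nfRegistrationAuthenticationStatus": "DISABLED",
                                      "accessTokenAuthenticationStatus": "ENABLED"},
    "forwardingSystemOptions": {"nrfHostConfig": [
        {"scheme": "http", "fqdn": "nrf-peer.example.internal", "priority": 100, "port": 80}]},
}

if __name__ == "__main__":
    for kind, path, detail in audit_system_options(SAMPLE_PUT_BODY):
        print(f"{kind:9} {path}: {detail}")
```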
Data Model
Note:
At least one attribute must be present to ensure that the PUT request is not empty.
Table 4-5 NrfSystemOptions - Parameters
Parent Attribute Name | Attribute Name | Data Type | Constraints | Default Values | Description |
---|---|---|---|---|---|
generalSystemOptions | nrfPlmnList | array (PlmnId) | | | This value must contain at least one PLMN supported by OCNRF and must be set before using OCNRF. See the footnote. |
generalSystemOptions | enableF3 | ENUM (true or false) | true or false | true | If this flag is set to true, OCNRF functions as per the 29510 v15.3 specification. If it is set to false, OCNRF complies with 29510 v15.2. |
generalSystemOptions | enableF5 | ENUM (true or false) | true or false | true | If this flag is set to true, OCNRF functions as per the 29510 v15.5 specification. If it is set to false, OCNRF functions as per the 29510 v15.2 or v15.3 specification (depending on the enableF3 flag). |
generalSystemOptions | defaultLoad | INTEGER | 0 - 100 | 5 | The defaultLoad value is set in the NF load attribute of NFProfile, if this attribute is set to true. This value is sent in the NFDiscover response and in the NFProfile sent in the NFNotify operation, in case NFProfile does not have the load attribute. |
generalSystemOptions | defaultPriority | INTEGER | 0 - 65535 | 100 | This attribute is default value of NF Priority and will be used if NFProfile does not have priority attribute set by NF. |
generalSystemOptions | addLoadInNFProfile | ENUM (true or false) | true or false | false | Value of default NF load will be set in NF Load attribute of NFProfile while sending in NFDiscover response and NFProfile sent in NFNotify operation, in case NFProfile does not have Load attribute. |
generalSystemOptions | addPriorityInNFProfile | ENUM (true or false) | true or false | false | Value of default NF Priority will be set in NF Priority attribute of NFProfile while sending in NFDiscover response and NFProfile sent in NFNotify operation, in case NFProfile does not have Priority attribute. |
generalSystemOptions | maximumHopCount | INTEGER | 1-5 | 3 | Maximum number of nodes (SLF/NRFs) that OCNRF can communicate with to service a request. |
generalSystemOptions | ocnrfEndPointHost | STRING | None | ocnrf-ingressgateway.ocnrf.svc.cluster.local | ocnrfEndPointHost must be OCNRF's externally routable FQDN (e.g. ocnrf.oracle.com) or externally routable IP address (e.g. 10.75.212.60). For routing within the same K8s cluster, use the full OCNRF Ingress Gateway Service FQDN in the format <helm-releasename>-ingressgateway.<namespace>.svc.<cluster-domainname>. Example: ocnrf-ingressgateway.nrf-1.svc.cluster.local, where ocnrf is the helm release name (the deployment name used during "helm install"), nrf-1 is the namespace in which NRF will be deployed, and cluster.local is the K8s dnsDomain name (dnsDomain can be found using |
generalSystemOptions | ocnrfEndPointPort | INTEGER | None | 80 | OCNRF EndPoint Host's Port |
forwardingSystemOptions | nrfHostConfig | array (NFConfig) | | | This is used to configure the Primary and Secondary NRF details used for forwarding various requests. It allows configuring NRF details such as apiVersion, scheme, FQDN, port, etc. The only supported value for apiVersionInUri is v1. Hence the apiVersions attribute must have at least one data record with the apiVersionInUri attribute value set to v1. This configuration allows you to configure more than 2 NRF details. The NRF with the highest priority is considered the Primary NRF for forwarding messages. The NRF with the second highest priority is considered the Secondary NRF for forwarding. To reset this attribute, send an empty array, for example: "nrfHostConfig": [ ]. If this attribute is already set, there is no need to provide the value again. See the footnote. |
forwardingSystemOptions | nrfRerouteOnResponseHttpStatusCodes | ResponseHttpStatusCodes | pattern or specific code list | "pattern": "^[3,5][0-9]{2}$" | This configuration is used to determine if the service operation message needs to be forwarded to the Secondary NRF. If the response status code received from the primary NRF matches the configured response status code list, NRF reroutes the request to the secondary NRF. Refer to nfHostConfig for Primary and Secondary NRF details. See the footnote. |
forwardingSystemOptions | profileRetreivalForwardingStatus | String (Feature Status) | | DISABLED | This attribute controls the forwarding of NFProfileRetrieval service operation messages. If the flag is set to true and OCNRF is not able to complete the request due to unavailability of any matching profile, then OCNRF forwards the NfProfileRetrieval request to the configured NRF host(s) and relays the response received from the forwarding NRF to the Consumer NF. If the flag is false, OCNRF will not forward the NfProfileRetrieval request in any case. It will return a response to the consumer NF without forwarding it. See the footnote. |
forwardingSystemOptions | subscriptionForwardingStatus | String (Feature Status) | | DISABLED | This attribute controls the forwarding of NFStatusSubscribe and NFStatusUnsubscribe service operation messages. If the flag is set to true and OCNRF is not able to complete the request due to unavailability of any matching profile, then OCNRF forwards the NfStatusSubscribe/NfStatusUnSubscribe request to the configured NRF host(s) and relays the response received from the forwarding NRF to the Consumer NF. If the flag is false, OCNRF will not forward the NfStatusSubscribe/NfStatusUnSubscribe request in any case. It will return a response to the consumer NF without forwarding it. Note: NfStatusSubscribe forwarding is supported only if the NfInstanceIdCond condition is requested in the Subscription Request. See the footnote. |
forwardingSystemOptions | discoveryForwardingStatus | String (Feature Status) | | DISABLED | This attribute controls the forwarding of NFDiscover service operation messages. If the flag is set to true and OCNRF is not able to complete the request due to unavailability of any matching profile, then OCNRF forwards the NfDiscover request to the configured NRF host(s) and relays the response received from the forwarding NRF to the Consumer NF. If the flag is false, OCNRF will not forward the NfDiscover request in any case. It will return a response to the consumer NF without forwarding it. See the footnote. |
forwardingSystemOptions | accessTokenForwardingStatus | String (Feature Status) | | DISABLED | This attribute controls the forwarding of AccessToken service operation messages. If the flag is set to true and OCNRF is not able to complete the request due to unavailability of any matching Producer NF, then OCNRF forwards the AccessToken request to the configured NRF host(s) and relays the response received from the forwarding NRF to the Consumer NF. If the flag is false, OCNRF will not forward the AccessToken request in any case. It will return a response to the consumer NF without forwarding it. See the footnote. |
nfScreeningSystemOptions | nfScreeningFeatureStatus | String (Feature Status) | | DISABLED | This attribute indicates if the NF Screening Feature is enabled or not. See the footnote. |
nfScreeningSystemOptions | nfScreeningFailureHttpCode | INTEGER | | 403 | This attribute specifies the HTTP status code returned if an incoming request does not pass the NF Screening rules. See the footnote. |
nfManagementSystemOptions | nfHeartbeatTimers | array (Table 4-16) | | | This attribute is used to configure the heartbeat related information of the NF. It allows the heartbeat information to be configured per NFType. By default, the nfHeartbeatTimer information for ALL_NF_TYPE is present. |
nfManagementSystemOptions | nfNotifyLoadThreshold | INTEGER | 0 - 99 | 5 | OCNRF generates the Notification trigger when difference between the 'load' value reported by NF in most recent heartbeat and the last reported ‘load’ is more than configured value of nfNotifyloadThreshold attribute. See the footnote. |
nfManagementSystemOptions | nrfSupportForProfileChangesInResponse | ENUM (true or false) | true or false | true | OCNRF sends mandatory and modified attributes in the NFRegister and NFUpdate responses instead of complete profile, if this flag is enabled. See the footnote. |
nfManagementSystemOptions | subscriptionValidityDuration | String | 10s - 720h | 24h | If the Validity time attribute is not received in SubscriptionData during NFSubscribe, this default value will be used for calculation of the validity time (current time + default duration). If the Validity time attribute is received in SubscriptionData during NFSubscribe, this minimum value will be used for validation and limit purposes. It means if the value provided is less than (current time + minimum value), then the value calculated with the minimum duration will be considered as the validity time of the subscription, and similarly, if the validity time is more than (current time + maximum duration), then the value calculated with the maximum duration will be considered as the validity time of the subscription. The value is in pHqMrS format, where p, q, r are integers and H, M, S or h, m, s denote hours, minutes and seconds respectively. See the footnote. |
nfManagementSystemOptions | nrfSupportForProfileChangesInNotification | ENUM (true, false) | true or false | false | OCNRF sends profileChanges attribute instead of NFProfile in Notification, if this flag is enabled. See the footnote. |
nfManagementSystemOptions | nfProfileSuspendDuration | String | 10s - 744h | 168h | Indicates the duration for which the NF is suspended, before it is deleted from OCNRF database. The value is in pHqMrS format. Where p,q,r are integers and H,M,S or h,m,s denote hours, minutes & seconds respectively. See the footnote. |
nfManagementSystemOptions | acceptAdditionalAttributes | ENUM (true, false) | true or false | false | OCNRF preserves additional attributes that are not defined by 3GPP in NFProfile/NFService in the database based on this attribute value. See the footnote. |
nfManagementSystemOptions | allowDuplicateSubscriptions | ENUM (true, false) | true or false | true | This attribute specifies if OCNRF should allow duplicate Subscriptions to be created or not. Note: In case duplicate subscriptions are not allowed and this flag is marked as false, there will be performance degradation of around 50% during the NFSubscribe service operation. |
nfDiscoverSystemOptions | discoveryValidityPeriod | String | 1s - 168h | 1h | This attribute mentions the validity period of a discovery request after which requester NF must perform discovery again to get the latest values. The value is in pHqMrS format. Where p,q,r are integers and H,M,S or h,m,s denote hours, minutes & seconds respectively. See the footnote. |
nfDiscoverSystemOptions | profilesCountInDiscoveryResponse | INTEGER | 0 - 20 | 3 | This value restricts the NF profile count in the NFDiscover response. If the value of this attribute is 0, this functionality is disabled and all the profiles will be returned. If the GET option returns this attribute value as 0, it means this feature is disabled. Note: If the Limit attribute is present in the SearchData URI, then this attribute is not used. |
nfDiscoverSystemOptions | discoveryResultLoadThreshold | INTEGER | 0 - 100 | 0 | This configuration is used to filter out of the discovery response the profiles whose load is more than the configured value. The NFDiscover response contains NF profiles with a load attribute value less than or equal to this configured value. Value 0 indicates this feature is disabled. |
nfAccessTokenSystemOptions | oauthTokenAlgorithm | String (oauthTokenAlgorithm) | | ES256 | Access token key algorithm which will be used to sign the oauth token. See the footnote. |
nfAccessTokenSystemOptions | oauthTokenExpiryTime | String | 1s - 168h | 1h | Oauth token expiry time. The value is in pHqMrS format. Where p,q,r are integers and H,M,S or h,m,s denote hours, minutes & seconds respectively. See the footnote. |
nfAccessTokenSystemOptions | authorizeRequesterNf | String (Feature Status) | | ENABLED | This attribute controls whether OCNRF validates that the requester NF is registered with OCNRF. OCNRF issues the access token only to the registered requester NFs. If the value is DISABLED, OCNRF will issue tokens to non-registered NFs as well. |
nfAccessTokenSystemOptions | audienceType | String (AudienceType) | | NF_INSTANCE_ID | This value decides the AudienceType in AccessTokenClaim. OCNRF considers this value only if targetnfInstanceId is not received in AccessTokenRequest. |
nfAccessTokenSystemOptions | logicalOperatorForScope | String (LogicalOperatorForScope) | | AND | This value decides whether the values in scope have the relationship AND or OR. If the value is AND, while looking for producer network function profiles, the token will be issued for profiles matching all the services-names present in scope. If the value is OR, the token will be issued for profiles matching any of the services-names present in scope. |
nfAccessTokenSystemOptions | authFeatureConfig | Table 4-17 | | | The attribute contains the parameters required to enable and configure the NfAccessToken Authorization Feature. |
slfSystemOptions | slfFeatureStatus | String (Feature Status) | | DISABLED | Enables/disables the SLF Feature. See NOTE 1. |
slfSystemOptions | slfHostConfig | array (NfConfig) | | | This is used to configure the Primary and Secondary SLF details used for forwarding various requests. It allows configuring SLF details such as apiVersion, scheme, FQDN, port, etc. The only supported value for apiVersionInUri is v1. Hence the apiVersions attribute must have at least one data record with the apiVersionInUri attribute value set to v1. This configuration allows you to configure more than 2 SLF details. The SLF with the highest priority is considered the Primary SLF for forwarding messages. The SLF with the second highest priority is considered the Secondary SLF for forwarding. If supportedNfTypeList is set, then the operator must set this attribute, because this value will be used to contact the network function hosting the SLF. To reset this attribute, send an empty array, for example: "slfHostConfig": [ ]. If this attribute is already set, there is no need to provide the value again. See the footnote. |
slfSystemOptions | supportedNfTypeList | array | | | NF Type list for which SLF needs to be supported. SLF lookup will happen only for the NF Types mentioned in this configuration. To reset this attribute, send an empty array, for example: "supportedNfTypeList": [ ]. If this value is set, then slfHostConfig must also be set. See the footnote. |
slfSystemOptions | preferredSubscriberIdType | String (SubscriberIdType) | SUPI or GPSI | SUPI | This attribute is used only when different types of subscriber identifiers (SUPI, GPSI) are present in the NFDiscover service operation message; it determines which subscriber identifier is used for the query to SLF. See the footnote. |
slfSystemOptions | rerouteOnResponseHttpStatusCodes | String (ResponseHttpStatusCodes) | | "pattern": "^[3,5][0-9]{2}$" | This attribute is used after getting the response from the primary SLF (SLF Config with highest priority). If the response code from the primary SLF is present in or matches this configuration, then OCNRF will reroute the SLF query to the secondary SLF (SLF Config with second highest priority). See the footnote. |
geoRedundancySystemOptions | geoRedundancyFeatureStatus | String (Feature Status) | | DISABLED | Enables/Disables the geoRedundancy feature in OCNRF. See the footnote. |
geoRedundancySystemOptions | replicationLatency | String | 1s - 10m | 5s | This attribute defines the time taken for the data in the database to get replicated between GeoRedundant OCNRFs. The value is in pHqMrS format. Where p,q,r are integers and H,M,S or h,m,s denote hours, minutes & seconds respectively. |
geoRedundancySystemOptions | monitorNrfServiceStatusInterval | String | 1s - 10s | 5s | This attribute defines the time interval for monitoring the aggregated Nf_Management service status (combined status of nfRegistration, nfSubscription and nrfAuditor service). The value is in pHqMrS format. Where p,q,r are integers and H,M,S or h,m,s denote hours, minutes & seconds respectively. |
geoRedundancySystemOptions | monitorDBReplicationStatusInterval | String | 1s - 10s | 5s | This attribute defines the time interval for monitoring the DB replication status. The value is in pHqMrS format. Where p,q,r are integers and H,M,S or h,m,s denote hours, minutes & seconds respectively. |
errorResponses | slfErrorResponses | array (ErrorInfo) | | | This attribute defines the error responses which may be sent during SLF processing. This attribute allows updating the error response code and error response description for preloaded error conditions. See the footnote. |
errorResponses | nrfForwardingErrorResponses | array (ErrorInfo) | | | This attribute defines the error responses which may be sent during NRF Forwarding scenarios. This attribute allows updating the error response code and error response description for preloaded error conditions. See the footnote. |
nfAuthenticationSystemOptions | nfAuthenticationErrorResponses | array (ErrorInfo) | | | This attribute defines the error responses which may be sent for NF Authentication scenarios. This attribute allows updating the error response code, error response description, retryAfter and redirectUrl for the preloaded error condition. See the footnote. |
nfAuthenticationSystemOptions | nfRegistrationAuthenticationStatus | String (Feature Status) | | DISABLED | This attribute controls the authentication of the consumer NF for NfRegister, NfUpdate and NfDeregister service operations. If this attribute is enabled, the identity of the consumer NF is validated. If this attribute is disabled, validation is not performed for the consumer NF. |
nfAuthenticationSystemOptions | nfSubscriptionAuthenticationStatus | String (Feature Status) | | DISABLED | This attribute controls the authentication of the consumer NF for NfStatusSubscribe and NfStatusUnsubscribe service operations. If this attribute is enabled, the identity of the consumer NF is validated and NRF allows the subscription only if the NF is registered with NRF. If this attribute is disabled, validation is not performed for the consumer NF. |
nfAuthenticationSystemOptions | nfDiscoveryAuthenticationStatus | String (Feature Status) | | DISABLED | This attribute controls the authentication of the consumer NF for NfDiscover service operations. If this attribute is enabled, the NF identity of the consumer NF is validated. If this attribute is disabled, validation is not performed for the consumer NF. In case the NF identity is not present in discovery request messages, validation is performed as per the checkIfNfIsRegistered attribute. |
nfAuthenticationSystemOptions | accessTokenAuthenticationStatus | String (Feature Status) | | DISABLED | This attribute controls the authentication of the consumer NF for the AccessToken service operation. If this attribute is enabled, the identity of the consumer NF is validated. If this attribute is disabled, validation is not performed for the consumer NF. |
nfAuthenticationSystemOptions | nfProfileRetrivalAuthenticationStatus | String (Feature Status) | | DISABLED | This attribute controls the authentication of the consumer NF for the NfProfileRetrieval service operation. If this attribute is enabled, the NF identity is validated against registered NF Profiles. If this attribute is disabled, validation is not performed for the consumer NF. |
nfAuthenticationSystemOptions | nfListRetrievalAuthenticationStatus | String (Feature Status) | | DISABLED | This attribute controls the authentication of the consumer NF for the NfListRetrieval service operation. If this attribute is enabled, the NF identity is validated against registered NF Profiles. If this attribute is disabled, validation is not performed for the consumer NF. |
nfAuthenticationSystemOptions | checkIfNfIsRegistered | String (Feature Status) | | DISABLED | This attribute controls the authentication of consumer identity against the registered profiles in database. If this attribute is enabled then for below mentioned case NF identity of registered profiles in database is validated: If this attribute is disabled then validation is not performed for consumer NF. |
loggingLevelSystemOptions | nfSubscriptionLogLevel | string | OFF, FATAL, ERROR, WARN, INFO, DEBUG, TRACE | WARN | Logging Level for the NFSubscription Microservice |
loggingLevelSystemOptions | nfRegistrationLogLevel | string | OFF, FATAL, ERROR, WARN, INFO, DEBUG, TRACE | WARN | Logging Level for the NFRegistration Microservice |
loggingLevelSystemOptions | nfDiscoveryLogLevel | string | OFF, FATAL, ERROR, WARN, INFO, DEBUG, TRACE | WARN | Logging Level for the NFdiscovery Microservice |
loggingLevelSystemOptions | nfAccessTokenLogLevel | string | OFF, FATAL, ERROR, WARN, INFO, DEBUG, TRACE | WARN | Logging Level for the NFAccessToken Microservice |
loggingLevelSystemOptions | nrfAuditorLogLevel | string | OFF, FATAL, ERROR, WARN, INFO, DEBUG, TRACE | WARN | Logging Level for the NRFAuditor Microservice |
loggingLevelSystemOptions | nrfConfigurationLogLevel | string | OFF, FATAL, ERROR, WARN, INFO, DEBUG, TRACE | WARN | Logging Level for the NRFConfiguration Microservice |
Note:
If the attribute is not present, the existing value in the database is used. It can be the default value or the last updated value. But at least one attribute must be present so that the PUT request is not empty.
Table 4-6 General Data Types
Data Type | Reference |
---|---|
NFType | 3GPP TS 29.510 |
NFServiceVersion | 3GPP TS 29.510 |
UriScheme | 3GPP TS 29.510 |
Fqdn | 3GPP TS 29.510 |
Table 4-7 Feature Status
Enumeration value | Description |
---|---|
ENABLED | Enables the feature. |
DISABLED | Disables the feature. |
Table 4-8 OauthTokenAlgorithm
Enumeration value | Description |
---|---|
ES256 | ES256 algorithm key will be used to sign the oauth token |
RS256 | RS256 algorithm key will be used to sign the oauth token |
Table 4-9 AudienceType
Enumeration value | Description |
---|---|
NF_INSTANCE_ID | NF Instance Id(s) in audience IE of AccessTokenClaim. |
NF_TYPE | NF Type in audience IE of AccessTokenClaim. |
Table 4-10 LogicalOperatorForScope
Enumeration value | Description |
---|---|
AND | If value is AND, while looking for profiles of producer network function, OCNRF issues token for all profiles matching with services-names present in the scope. |
OR | If value is OR, OCNRF includes producers matching with any of the services-names present in scope, while looking for profiles of producer NFs. |
Table 4-11 NFConfig
Attribute | DataType | Presence | Description |
---|---|---|---|
apiVersions | array (NFServiceVersion) | M | API Version of NF |
scheme | UriScheme | M | URI scheme supported by NF |
fqdn | Fqdn | M | FQDN of NF |
port | integer | O | Port of NF. Default value: 80 if scheme is HTTP, 443 if it is HTTPS |
apiPrefix | string | O | ApiPrefix |
priority | integer | M | Priority of NF |
nfInstanceId | string | M | nfInstanceId of NF |
Table 4-12 SubscriberIdType
Enumeration Value | Description |
---|---|
SUPI | Subscriber Id is SUPI |
GPSI | Subscriber Id is GPSI |
Table 4-13 ErrorInfo
Attribute | DataType | Presence | Description |
---|---|---|---|
errorCondition | ErrorCondition | ReadOnly | Error Conditions |
errorCode | Integer | M | This response code is used when the corresponding error condition occurs. |
errorResponse | String | M | This response description is used when the corresponding error condition occurs. |
retryAfter | Duration | O | The attribute indicates the time interval after which the NF retries the request. The attribute is included in the retryAfter header of the Error Response by OCNRF only where error_response_code is present in the retryAfterErrorCodes list introduced in general engineering system options. The value is in pHqMrS format, where p, q, r are integers and H, M, S or h, m, s denote hours, minutes and seconds respectively. No validation is performed on the retryAfter attribute. The configuration is accepted for the retryAfter attribute even when it is not consistent with the error_response_code being configured. Range: 60s-1h. Default Value: 5m |
redirectUrl | String | O | The attribute indicates the URI to which the NF should redirect its request. The attribute is included in the location header of the Error Response by OCNRF only where error_response_code is present in the redirectUrlErrorCodes list present in general engineering system options. redirectUrl should be in URI format. It is mandatory to configure redirectUrl when the configured error_response_code is present in the redirectUrlErrorCodes list introduced in general engineering system options. |
Table 4-14 ErrorCondition
Error Condition | Error Response Code | Description |
---|---|---|
SLF_Missing_Mandatory_Parameters | 400 | SLF mandatory parameters are missing |
SLF_Not_Reachable | 504 | SLF is not reachable from OCNRF |
SLF_GroupId_NotFound | 404 | Group Id Not found from SLF |
NRF_Not_Reachable | 504 | Primary/Secondary NRF is not reachable from NRF |
NRF_Forwarding_Loop_Detection | 508 | Loop detected while processing NRF Service Operation Message |
RequesterNF_Unauthorized | 400 | The RequesterNfType is not authorized to receive access token for the targetNfType. |
Nf_Fqdn_Authentication_Failure | 403 | Failed to authenticate NF using FQDN |
Table 4-15 ResponseHttpStatusCodes
Attribute | DataType | Presence | Description |
---|---|---|---|
pattern | String | C | Either pattern or codeList is present. |
codeList | array (integer) | C | Either pattern or codeList is present. |
Table 4-16 HeartBeatInfo
Attribute | DataType | Presence | Description |
---|---|---|---|
nfType | String | M | All nftypes supported in 29.510 Rel 15.5.0. In addition to this, ALL_NF_TYPE and CUSTOM_NF_TYPE are also supported. ALL_NF_TYPE is the NfType to be used to specify the default configuration that is to be used when nfType specific configuration is not present. Note: ALL_NF_TYPE is preloaded and cannot be removed. CUSTOM_NF_TYPE is the NfType to be used to specify the configuration for custom nftypes. By default, a record is pre-loaded for ALL_NF_TYPE with values |
minHbTimer | Duration | M | The minimum HeartbeatTimer allowed for the NF. The value is in pHqMrS format, where p, q, r are integers and H, M, S or h, m, s denote hours, minutes and seconds respectively. |
maxHbTimer | Duration | M | The maximum HeartbeatTimer allowed for the NF. The value is in pHqMrS format, where p, q, r are integers and H, M, S or h, m, s denote hours, minutes and seconds respectively. |
defaultHbTimer | Duration | M | The default HeartbeatTimer to be used when the NF does not provide one. The value is in pHqMrS format, where p, q, r are integers and H, M, S or h, m, s denote hours, minutes and seconds respectively. |
nfHeartbeatMissAllowed | Integer | M | The allowed number of missed HeartBeat after which the NFProfile is marked as suspended. |
Table 4-17 AuthFeatureConfig
Attribute | DataType | Presence | Description |
---|---|---|---|
authFeatureStatus | String (Feature Status) | O | Enables/Disables the NfAccessToken Authorization Feature. |
authConfig | array (Table 4-18) | O | The attribute defines the mapping across Requester NF Type, Target NF Type and the allowed Services. This attribute should be configured if the authFeatureStatus is set to 'ENABLED'. Refer Note. |
authErrorResponses | array (ErrorInfo) | O | This attribute defines the error responses which may be sent during NRF AccessToken Authorization failure scenarios. This attribute allows the error response code and error response description to be updated. This attribute should be configured if the authFeatureStatus is set to 'ENABLED'. By default, the RequesterNF_Unauthorized condition is preloaded. Refer Note. |
Note:
The attributes authFeatureStatus, authConfig and authErrorResponses can be configured in any order and independently. However, when the feature is enabled, it is expected that the authConfig is already configured previously or present in the current request.
Table 4-18 AuthConfig
Attribute | DataType | Presence | Description |
---|---|---|---|
targetNfType | String | M | The attribute defines the nftype of the target NF. |
requesterNfType | String | M | The attribute defines the nftype of the requester NF that is authorized to access the target Nf Type and its services. |
serviceNames | array (String) | M | This attribute defines the NF services that are authorized to be accessed by the requester NF type. The value "*" indicates that all the services are authorized to be accessed by the requester NF type. If "*" is to be used, the list contains only a single entry with this value. |
Configuring NF Screening
This section provides information for configuring NF Screening.
Table 4-19 Resources and Methods Overview
Resource Name | Resource URI | HTTP Method or Custom Operation | Description |
---|---|---|---|
screening-rules (Store) | {apiRoot}/nrf-configuration/v1/screening-rules | GET | Returns all the screening rules |
screening-rules (Document) | {apiRoot}/nrf-configuration/v1/screening-rules/{nfScreeningRulesListType} | GET | Returns screening rules corresponding to the specified NF Screening Rule List Type. |
screening-rules (Document) | {apiRoot}/nrf-configuration/v1/screening-rules/{nfScreeningRulesListType} | PUT | Replace the complete specified NF Screening Rule List Type |
screening-rules (Document) | {apiRoot}/nrf-configuration/v1/screening-rules/{nfScreeningRulesListType} | PATCH | Partially updates the specified NF Screening Rule List Type. |
Table 4-20 Data structures supported by the PUT Request Body
Data Type | Mandatory(M)/Optional(O)/Conditional(C) | Cardinality | Description |
---|---|---|---|
NfScreeningRules | M | 1 | NF Screening Rules which need to be updated. |
Table 4-21 Data structures supported by the PUT Response Body
Data Type | Mandatory(M)/Optional(O)/Conditional(C) | Cardinality | Response Codes | Description |
---|---|---|---|---|
NfScreeningRules | | | 200 OK | Successful response |
ProblemDetails | C | 1 | 404 NOT FOUND, 500 INTERNAL ERROR, 400 BAD REQUEST | The response body contains the error reason of the request message. |
Table 4-22 Data structures supported by the PATCH Request Body
Data Type | Mandatory(M)/Optional(O)/Conditional(C) | Cardinality | Description |
---|---|---|---|
PatchDocument | M | 1 | It contains the list of changes to be made to the NF Screening Rule, according to the JSON PATCH format specified in IETF RFC 6902 [13]. |
Table 4-23 Data structures supported by the PATCH Response Body
Data Type | Mandatory(M)/Optional(O)/Conditional(C) | Cardinality | Response Codes | Description |
---|---|---|---|---|
NfScreeningRules | | | 200 OK | Successful response |
ProblemDetails | C | 1 | 404 NOT FOUND, 500 INTERNAL ERROR, 400 BAD REQUEST | The response body contains the error reason of the request message. |
GET - Collection of screening rules
Table 4-24 URI query parameters supported by the GET method
Name | Data Type | Mandatory(M)/Optional(O)/Conditional(C) | Cardinality | Description |
---|---|---|---|---|
nfScreeningRulesListType | NfScreeningRulesListType | O | 0.1 | The type of NF screening rules, selected on the basis of rules list type. |
nfScreeningRulesListStatus | NfScreeningRulesListStatus | O | 0.1 | Screening Rules List on the basis of status (Enabled or Disabled) |
Table 4-25 Data structures supported by the GET Response Body
Data Type | Mandatory(M)/Optional(O)/Conditional(C) | Cardinality | Response Codes | Description |
---|---|---|---|---|
ScreeningRulesResult | M | 1 | 200 OK | The response body contains a list of screening lists, or an empty object if there are no screening rules to return in the query result. |
ProblemDetails | C | 1 | 500 INTERNAL ERROR, 400 BAD REQUEST | The response body contains the error reason of the request message. |
Table 4-26 ScreeningRulesResult - Parameters
Attribute Name | Data type | Mandatory(M)/Optional(O)/Conditional(C) | Cardinality | Description |
---|---|---|---|---|
nfScreeningRulesList | array (NfScreeningRules) | M | 0.N | It shall contain an array of NF Screening List. An empty array means there is no NF Screening list configured. |
GET - Particular screening list rule
Table 4-27 Data structures supported by the GET Response Body
Data Type | Mandatory(M)/Optional(O)/Conditional(C) | Cardinality | Response Codes | Description |
---|---|---|---|---|
NfScreeningRules | M | 1 | 200 OK | The response body contains requested screening list. |
ProblemDetails | C | 1 | 500 INTERNAL ERROR, 400 BAD REQUEST | The response body contains the error reason of the request message. |
REST message samples
Screening List Update
NF screening rules to update particular rule configuration (except read only attributes)
URL: http://host:port/nrf-configuration/v1/screening-rules/CALLBACK_URI
Request_Type: PUT
Content-Type: application/json
Request Body
{
  "nfScreeningType": "BLACKLIST",
  "nfScreeningRulesListStatus": "ENABLED",
  "globalScreeningRulesData": {
    "failureAction": "SEND_ERROR",
    "nfCallBackUriList": [
      {
        "ipv4AddressRange": {
          "start": "155.90.171.123",
          "end": "233.123.19.165"
        },
        "ports": [10, 20]
      },
      {
        "ipv6AddressRange": {
          "start": "1001:cdba:0000:0000:0000:0000:3257:9652",
          "end": "3001:cdba:0000:0000:0000:0000:3257:9652"
        }
      }
    ]
  },
  "amfScreeningRulesData": {
    "failureAction": "CONTINUE",
    "nfCallBackUriList": [
      {
        "fqdn": "ocnrf-d5g.oracle.com"
      },
      {
        "ipv4AddressRange": {
          "start": "155.90.171.123",
          "end": "233.123.19.165"
        },
        "ports": [10, 20]
      }
    ]
  }
}
NF screening rules to get all of the configured rules
URL: http://host:port/nrf-configuration/v1/screening-rules/
Request_Type: GET
Response Body
{
  "nfScreeningRulesList": [
    {
      "nfScreeningRulesListType": "NF_FQDN",
      "nfScreeningType": "BLACKLIST",
      "nfScreeningRulesListStatus": "DISABLED"
    },
    {
      "nfScreeningRulesListType": "NF_IP_ENDPOINT",
      "nfScreeningType": "BLACKLIST",
      "nfScreeningRulesListStatus": "ENABLED",
      "amfScreeningRulesData": {
        "failureAction": "SEND_ERROR",
        "nfIpEndPointList": [
          {
            "ipv4Address": "198.21.87.192",
            "ports": [
              10,
              20
            ]
          }
        ]
      }
    },
    {
      "nfScreeningRulesListType": "CALLBACK_URI",
      "nfScreeningType": "BLACKLIST",
      "nfScreeningRulesListStatus": "ENABLED",
      "globalScreeningRulesData": {
        "failureAction": "SEND_ERROR",
        "nfCallBackUriList": [
          {
            "fqdn": "ocnrf-d5g.oracle.com",
            "ports": [
              10,
              20
            ]
          }
        ]
      }
    },
    {
      "nfScreeningRulesListType": "PLMN_ID",
      "nfScreeningType": "BLACKLIST",
      "nfScreeningRulesListStatus": "DISABLED"
    },
    {
      "nfScreeningRulesListType": "NF_TYPE_REGISTER",
      "nfScreeningType": "WHITELIST",
      "nfScreeningRulesListStatus": "ENABLED",
      "globalScreeningRulesData": {
        "failureAction": "SEND_ERROR",
        "nfTypeList": [
          "AMF",
          "SMF",
          "PCF"
        ]
      }
    }
  ]
}
NF screening rules to get a particular configured rule
URL: http://host:port/nrf-configuration/v1/screening-rules/CALLBACK_URI
Request_Type: GET
Response Body
{
  "nfScreeningRulesListType": "CALLBACK_URI",
  "nfScreeningType": "BLACKLIST",
  "nfScreeningRulesListStatus": "ENABLED",
  "globalScreeningRulesData": {
    "failureAction": "SEND_ERROR",
    "nfCallBackUriList": [
      {
        "ipv4AddressRange": {
          "start": "155.90.171.123",
          "end": "233.123.19.165"
        },
        "ports": [
          10,
          20
        ]
      },
      {
        "ipv6AddressRange": {
          "start": "1001:cdba:0000:0000:0000:0000:3257:9652",
          "end": "3001:cdba:0000:0000:0000:0000:3257:9652"
        }
      }
    ]
  },
  "amfScreeningRulesData": {
    "failureAction": "SEND_ERROR",
    "nfCallBackUriList": [
      {
        "fqdn": "ocnrf-d5g.oracle.com"
      },
      {
        "ipv4AddressRange": {
          "start": "155.90.171.123",
          "end": "233.123.19.165"
        },
        "ports": [
          10,
          20
        ]
      }
    ]
  }
}
NF screening rules for partial rule update
URL: http://host:port/nrf-configuration/v1/screening-rules/CALLBACK_URI
Request_Type: PATCH
Content-Type: application/json-patch+json
Request Body
[
  {"op":"remove","path":"/globalScreeningRulesData/nfCallBackUriList/2/ports/0"},
  {"op":"replace","path":"/globalScreeningRulesData/failureAction","value": "CONTINUE"}
]
URL: http://host:port/nrf-configuration/v1/screening-rules/CALLBACK_URI
Request_Type: PATCH
Content-Type: application/json-patch+json
Response Body
[
  {
    "op": "add",
    "path": "/nrfScreeningRulesData",
    "value": {
      "failureAction": "SEND_ERROR",
      "nfCallBackUriList": [
        {"ipv4AddressRange": {"start": "189.163.192.10", "end": "190.178.127.10"}}
      ]
    }
  }
]
Table 4-28 NfScreeningRules - Parameters
Attribute Name | Data type | Mandatory(M)/Optional(O)/Conditional(C) | Description |
---|---|---|---|
nfScreeningRulesListType | Table 4-30 | C | ReadOnly. It will be returned while retrieving the rule. |
nfScreeningType | Table 4-31 | M | Screening type of complete screening list. Blacklist or whitelist. All the rules can be either blacklist or whitelist. |
nfScreeningRulesListStatus | Table 4-32 | M | This attribute will enable or disable complete screening list. |
globalScreeningRulesData | Table 4-29 | O | This attribute will be present if global screening rules need to be configured. |
customNfScreeningRulesData | Table 4-29 | O | This attribute will be present if screening rules for custom NF need to be configured. |
nrfScreeningRulesData | Table 4-29 | O | This attribute will be present if screening rules for NRF need to be configured. |
udmScreeningRulesData | Table 4-29 | O | This attribute will be present if screening rules for UDM need to be configured. |
amfScreeningRulesData | Table 4-29 | O | This attribute will be present if screening rules for AMF need to be configured. |
smfScreeningRulesData | Table 4-29 | O | This attribute will be present if screening rules for custom SMF need to be configured. |
ausfScreeningRulesData | Table 4-29 | O | This attribute will be present if screening rules for AUSF need to be configured. |
nefScreeningRulesData | Table 4-29 | O | This attribute will be present if screening rules for NEF need to be configured. |
pcfScreeningRulesData | Table 4-29 | O | This attribute will be present if screening rules for PCF need to be configured. |
nssfScreeningRulesData | Table 4-29 | O | This attribute will be present if screening rules for NSSF need to be configured. |
udrScreeningRulesData | Table 4-29 | O | This attribute will be present if screening rules for UDR need to be configured. |
lmfScreeningRulesData | Table 4-29 | O | This attribute will be present if screening rules for LMF need to be configured. |
gmlcScreeningRulesData | Table 4-29 | O | This attribute will be present if screening rules for GMLC need to be configured. |
fiveG_EirScreeningRules | Table 4-29 | O | This attribute will be present if screening rules for EIR need to be configured. |
seppScreeningRulesData | Table 4-29 | O | This attribute will be present if screening rules for SEPP need to be configured. |
upfScreeningRulesData | Table 4-29 | O | This attribute will be present if screening rules for UPF need to be configured. |
n3iwfScreeningRulesData | Table 4-29 | O | This attribute will be present if screening rules for IWF need to be configured. |
afScreeningRulesData | Table 4-29 | O | This attribute will be present if screening rules for AF need to be configured. |
udsfScreeningRulesData | Table 4-29 | O | This attribute will be present if screening rules for UDSF need to be configured. |
bsfScreeningRulesData | Table 4-29 | O | This attribute will be present if screening rules for BSF need to be configured. |
chfScreeningRulesData | Table 4-29 | O | This attribute will be present if screening rules for CHF need to be configured. |
nwdafScreeningRulesData | Table 4-29 | O | This attribute will be present if screening rules for NWDAF need to be configured. |
Table 4-29 NfScreeningRulesData - Parameters
Attribute Name | Data type | Mandatory(M)/Optional(O)/Conditional(C) | Description |
---|---|---|---|
failureAction | Table 4-33 | M | Indicates what action needs to be taken during failure. |
nfFqdn | Table 4-34 | C | If this attribute is present in message it shouldn't be null. This attribute will be present if screeningListType is NF_FQDN. |
nfCallBackUriList | array(Table 4-36) | C | If this attribute is present in message it shouldn't be null. This attribute will be present if screeningListType is CALLBACK_URI. |
nfIpEndPointList | array(Table 4-35) | C | If this attribute is present in message it shouldn't be null. This attribute may be present if screeningListType is NF_IP_ENDPOINT. |
plmnList | array(PlmnId) | C | If this attribute is present in message it shouldn't be null. This attribute may be present if screeningListType is PLMN_ID. |
nfTypeList | array(NfTypeList) | C | If this attribute is present in message it shouldn't be null. This attribute may be present if screeningListType is NF_TYPE_REGISTER. |
Table 4-30 NfScreeningRulesListType - Parameters
Enumeration Value | Description |
---|---|
"NF_FQDN" | Screening List type for NF FQDN |
"NF_IP_ENDPOINT" | Screening list type for IP Endpoint |
"CALLBACK_URI" | Screening list type for callback URIs in NF Service and nfStatusNotificationUri in SubscriptionData |
"PLMN_ID" | Screening list type for PLMN ID |
"NF_TYPE_REGISTER" | Screening list type for allowed NF Types to register |
Table 4-31 NfScreeningType - Parameters
Enumeration Value | Description |
---|---|
"BLACKLIST" | When a screening list is configured to operate as a blacklist, the request is allowed to access the service only if the corresponding attribute value is not present in the blacklist. |
"WHITELIST" | When a screening list is configured to operate as a whitelist, the request is allowed to access the service only if the corresponding attribute value is present in the whitelist. |
Table 4-32 NfScreeningRulesListStatus - Parameters
Enumeration Value | Description |
---|---|
"ENABLED" | Screening List feature is enabled to apply the rules. |
"DISABLED" | Screening List feature is disabled. |
Table 4-33 FailureAction - Parameters
Enumeration Value | Description |
---|---|
"CONTINUE" | Continue Processing |
"SEND_ERROR" | Send response with configured HTTP status code |
Table 4-34 NfFqdn - Parameters
Attribute Name | Data type | Mandatory(M)/Optional(O)/Conditional(C) | Description |
---|---|---|---|
fqdn | array(FQDN) | C | Exact FQDN to be matched. This is conditional, at least one attribute shall be present. |
pattern | array(string) | C | Regular Expression for FQDN. This is conditional, at least one attribute shall be present. |
Table 4-35 NfIpEndPoint - Parameters
Attribute Name | Data type | Mandatory(M)/Optional(O)/Conditional(C) | Description |
---|---|---|---|
ipv4Address | Ipv4Addr | C | IPv4 address to be matched. |
ipv4AddressRange | Ipv4AddressRange | C | Range of IPv4 addresses. |
ipv6Address | Ipv6Addr | C | IPv6 address to be matched. |
ipv6AddressRange | Table 4-38 | C | Range of IPv6 addresses. |
port | array(integer) | O | If this attribute is not configured then it will not be considered for validation. |
portRange | array(PortRange) | O | If this attribute is not configured then it will not be considered for validation. |
Note:
Depending on the conditions, only one of the ipv4Address, ipv4AddressRange, ipv6Address, and ipv6AddressRange attributes can be present.
Table 4-36 NfCallBackUri - Parameters
Attribute Name | Data type | Mandatory(M)/Optional(O)/Conditional(C) | Description |
---|---|---|---|
fqdn | FQDN | C | Exact Fqdn to be matched. |
pattern | string | C | Regular Expression for FQDN, Ipv4Address or Ipv6Address. |
ipv4Address | Ipv4Addr | C | IPv4 address to be matched. |
ipv4AddressRange | Ipv4AddressRange | C | Range of IPv4 addresses. |
ipv6Address | Ipv6Addr | C | IPv6 address to be matched. |
ipv6AddressRange | Table 4-38 | C | Range of IPv6 addresses. |
port | array(integer) | O | If this attribute is not configured then it will not be considered for validation. |
portRange | array(PortRange) | O | If this attribute is not configured then it will not be considered for validation. |
Note:
Depending on the conditions, only one of the fqdn, pattern, ipv4Address, ipv4AddressRange, ipv6Address, and ipv6AddressRange attributes can be present.
Table 4-37 PortRange - Parameters
Attribute Name | Data type | Mandatory(M)/Optional(O)/Conditional(C) | Description |
---|---|---|---|
start | integer | M | First value identifying the start of port range. |
end | integer | M | Last value identifying the end of port range. |
Table 4-38 Ipv6AddressRange - Parameters
Attribute Name | Data type | Mandatory(M)/Optional(O)/Conditional(C) | Description |
---|---|---|---|
start | Ipv6Addr | M | First value identifying the start of an IPv6 Address range. |
end | Ipv6Addr | M | Last value identifying the end of an IPv6 Address range. |
Table 4-39 Common data types
Data Type | Reference |
---|---|
Ipv6Addr | 3GPP TS 29.571 |
Ipv4Addr | 3GPP TS 29.571 |
Ipv4AddressRange | 3GPP TS 29.510 |
PlmnId | 3GPP TS 29.571 |
Uri | 3GPP TS 29.571 |
IpEndPoint | 3GPP TS 29.510 |
NFType | 3GPP TS 29.510 |
ProblemDetails | 3GPP TS 29.571 |
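How a CALLBACK_URI screening list built from Tables 4-28 to 4-38 decides on a callback URI, as an added example that is not OCNRF code. The function names, the precedence of an NF-type block over globalScreeningRulesData, full-match semantics for pattern, and the default port derived from the URI scheme are assumptions; the port list is read from "ports", the key used in the REST samples.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed CALLBACK_URI screening list, shaped like the REST samples on this page.
RULES = {
    "nfScreeningRulesListType": "CALLBACK_URI",
    "nfScreeningType": "BLACKLIST",
    "nfScreeningRulesListStatus": "ENABLED",
    "globalScreeningRulesData": {
        "failureAction": "SEND_ERROR",
        "nfCallBackUriList": [
            {"ipv4AddressRange": {"start": "155.90.171.123", "end": "233.123.19.165"},
             "ports": [10, 20]},
            {"ipv6AddressRange": {"start": "1001:cdba:0000:0000:0000:0000:3257:9652",
                                  "end": "3001:cdba:0000:0000:0000:0000:3257:9652"}},
        ],
    },
    "amfScreeningRulesData": {
        "failureAction": "CONTINUE",
        "nfCallBackUriList": [{"fqdn": "ocnrf-d5g.oracle.com"}],
    },
}


def _in_range(addr, rng):
    """True when addr lies inside an Ipv4AddressRange or Ipv6AddressRange object."""
    lo = ipaddress.ip_address(rng["start"])
    hi = ipaddress.ip_address(rng["end"])
    # Compare only within one address family; mixed families never match.
    return addr.version == lo.version == hi.version and lo <= addr <= hi


def entry_matches(entry, host, port):
    """Match one NfCallBackUri entry against the host and port of a callback URI."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        addr = None  # host is a name, not an IP literal
    if "fqdn" in entry:
        hit = addr is None and host.lower() == entry["fqdn"].lower()
    elif "pattern" in entry:
        # Assumption: the regular expression must match the whole host.
        hit = re.fullmatch(entry["pattern"], host) is not None
    elif "ipv4Address" in entry or "ipv6Address" in entry:
        literal = entry.get("ipv4Address") or entry["ipv6Address"]
        hit = addr is not None and addr == ipaddress.ip_address(literal)
    else:
        rng = entry.get("ipv4AddressRange") or entry.get("ipv6AddressRange")
        hit = addr is not None and rng is not None and _in_range(addr, rng)
    if not hit:
        return False
    ports, ranges = entry.get("ports"), entry.get("portRange")
    if ports is None and ranges is None:
        return True  # no port attribute configured: the port is not considered
    return port in (ports or []) or any(
        r["start"] <= port <= r["end"] for r in (ranges or []))


def screen_callback_uri(rules, nf_type, uri):
    """Return ALLOW, REJECT (SEND_ERROR) or CONTINUE (rule violated, not enforced)."""
    if rules["nfScreeningRulesListStatus"] != "ENABLED":
        return "ALLOW"
    # Assumption: an NF-type block (for example amfScreeningRulesData) is used when
    # present, otherwise globalScreeningRulesData. Lower-casing the NF type only
    # covers the simple attribute names such as amf, smf and pcf.
    data = (rules.get(f"{nf_type.lower()}ScreeningRulesData")
            or rules.get("globalScreeningRulesData"))
    if data is None:
        return "ALLOW"
    parts = urlsplit(uri)
    host = parts.hostname or ""
    port = parts.port or (443 if parts.scheme == "https" else 80)
    listed = any(entry_matches(e, host, port)
                 for e in data.get("nfCallBackUriList", []))
    # BLACKLIST: a listed value fails screening. WHITELIST: an unlisted value fails.
    failed = listed if rules["nfScreeningType"] == "BLACKLIST" else not listed
    if not failed:
        return "ALLOW"
    return "REJECT" if data["failureAction"] == "SEND_ERROR" else "CONTINUE"
```

Two things to check when reviewing a list like this: a blacklist entry that carries ports only blocks those ports, and a block whose failureAction is CONTINUE does not reject the request.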
Configuring Access Token Request Authorization
OCNRF plays a major role as an OAuth 2.0 authorization server in the 5G Service Based Architecture. When an NF service consumer needs to access the services of an NF producer of a particular NFType and NFInstanceId, it shall obtain an OAuth2 access token from OCNRF. OCNRF shall perform the required authorization and, if it is successful, will issue the token with the requested claims. Using this feature, OCNRF gives the user an option to tailor the authorization of the producer and consumer NF types along with the producer NF's services.
The user can configure a mapping of the RequesterNfType, the TargetNfType and the allowed services of the target NF. OCNRF authorizes a received Access Token request against this configuration and processes the request further only if the authorization is successful. Allowed services can be configured as a single wildcard '*', which denotes that all of the target NF's services are allowed for the consumer NF. The user can also configure the HTTP status code and error description that will be used in the Error Response sent by the NRF when an Access Token request is rejected.
The Access Token configurable attribute "logicalOperatorForScope" is used while authorizing the services in the Access Token Request's scope against the allowed services in the configuration. If logicalOperatorForScope is set to "OR", at least one of the services in the scope must be present in the allowed services. If it is set to "AND", all the services in the scope must be present in the allowed services.
Configuration for OCNRF Access Token Request Authorization Feature
Under the nfAccessTokenSystemOptions parent attribute, the authFeatureConfig attribute provides the attributes required to use the OCNRF Access Token Request Authorization feature. Refer to the General Configurations table for more details.
"nfAccessTokenSystemOptions":{
  "oauthTokenAlgorithm":"ES256",
  "oauthTokenExpiryTime":"1h",
  "authorizeRequesterNf":"ENABLED",
  "logicalOperatorForScope":"AND",
  "audienceType":"NF_INSTANCE_ID",
  "authFeatureConfig":{
    "authFeatureStatus":"ENABLED",
    "authConfig":[
      {
        "targetNfType":"PCF",
        "requesterNfType":"AMF",
        "serviceNames":[
          "npcf-am-policy-control",
          "npcf-eventexposure"
        ]
      },
      {
        "targetNfType":"UDM",
        "requesterNfType":"AMF",
        "serviceNames":[
          "*"
        ]
      }
    ],
    "authErrorResponses":[
      {
        "errorCondition":"RequesterNf_Unauthorized",
        "errorCode":400,
        "errorResponse":"The Consumer NfType is not authorized to receive access token for the requested Nftype."
      }
    ]
  }
}
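The authorization decision described above, evaluated against the sample configuration, as an added example that is not OCNRF code. The function names are hypothetical; treating a missing mapping or an empty scope as unauthorized, reading the scope as space-delimited service names, and honouring "*" only when it is the sole configured entry are assumptions.

```python
# Constructed from the sample nfAccessTokenSystemOptions shown above.
OPTIONS = {
    "logicalOperatorForScope": "AND",
    "authFeatureConfig": {
        "authFeatureStatus": "ENABLED",
        "authConfig": [
            {"targetNfType": "PCF", "requesterNfType": "AMF",
             "serviceNames": ["npcf-am-policy-control", "npcf-eventexposure"]},
            {"targetNfType": "UDM", "requesterNfType": "AMF", "serviceNames": ["*"]},
        ],
        "authErrorResponses": [
            {"errorCondition": "RequesterNf_Unauthorized", "errorCode": 400,
             "errorResponse": "The Consumer NfType is not authorized to receive "
                              "access token for the requested Nftype."},
        ],
    },
}


def lint_auth_feature_config(cfg):
    """Report settings that contradict the rules stated for Tables 4-17 and 4-18."""
    problems = []
    mappings = cfg.get("authConfig") or []
    if cfg.get("authFeatureStatus") == "ENABLED" and not mappings:
        problems.append("feature is ENABLED but authConfig is not configured")
    for i, mapping in enumerate(mappings):
        names = mapping.get("serviceNames") or []
        if not names:
            problems.append(f"authConfig[{i}]: serviceNames is empty")
        elif "*" in names and len(names) > 1:
            problems.append(f"authConfig[{i}]: '*' must be the only entry")
    return problems


def authorize(options, requester_nf_type, target_nf_type, scope):
    """Return (authorized, error) for one access token request."""
    cfg = options["authFeatureConfig"]
    if cfg.get("authFeatureStatus") != "ENABLED":
        return True, None  # feature disabled: no requester/target check is applied
    allowed = set()
    for mapping in cfg.get("authConfig", []):
        pair = (mapping["requesterNfType"], mapping["targetNfType"])
        if pair == (requester_nf_type, target_nf_type):
            allowed.update(mapping["serviceNames"])
    requested = scope.split()  # scope carries space-delimited service names
    if not allowed or not requested:
        ok = False  # assumption: no mapping or empty scope fails closed
    elif allowed == {"*"}:
        ok = True   # wildcard: every service of the target NF type is allowed
    else:
        hits = [name in allowed for name in requested]
        ok = all(hits) if options["logicalOperatorForScope"] == "AND" else any(hits)
    if ok:
        return True, None
    # The page spells this condition with both "Nf" and "NF": compare case-insensitively.
    err = next((e for e in cfg.get("authErrorResponses", [])
                if e["errorCondition"].lower() == "requesternf_unauthorized"), None)
    if err is None:
        # Table 4-14 lists 400 for this error condition.
        err = {"errorCode": 400, "errorResponse": "RequesterNF_Unauthorized"}
    return False, {"status": err["errorCode"], "detail": err["errorResponse"]}
```

With the sample configuration, a scope that mixes an allowed and a non-allowed PCF service is rejected under "AND" and accepted under "OR", which is the difference to weigh when choosing the operator.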
Configuring NF Authentication using TLS certificate
This feature is used by OCNRF to authenticate the Network Function before it accesses the OCNRF services. If authentication fails, the service operation request is rejected. In this feature, some attributes from the TLS certificate are checked against defined attributes.
OCNRF provides configuration to enable/disable the feature dynamically.
Refer to the xfccHeaderValidation attribute in the User Configurable Section of the OCNRF Installation Guide to enable the feature on the Ingress API gateway in the OCNRF deployment.
Note:
- This feature is disabled by default. The feature needs to be enabled at both the API-GW and OCNRF levels to make it work. At the OCNRF level, the feature can be enabled or disabled using the configuration mentioned below.
- Once this feature is enabled, all NFs must re-register with FQDN in the NF Profile, or NFs can send NFUpdate with FQDN. For Subscription Service Operations, Network Functions need to register with OCNRF. Even NFs that took a subscription prior to enabling the feature need to register with NRF for further service operations.
Configuration Required to use OCNRF NF Authentication using TLS certificate feature
Refer to the attributes under nfAuthenticationSystemOptions in the General Configurations table for more details.
Sample configuration to use the feature
"nfAuthenticationSystemOptions": {
  "nfRegistrationAuthenticationStatus": "DISABLED",
  "nfSubscriptionAuthenticationStatus": "DISABLED",
  "nfDiscoveryAuthenticationStatus": "DISABLED",
  "accessTokenAuthenticationStatus": "DISABLED",
  "nfProfileRetrievalAuthenticationStatus": "DISABLED",
  "nfListRetrievalAuthenticationStatus": "DISABLED",
  "checkIfNfIsRegistered": "DISABLED"
}