2 OCCM REST Specification
This chapter provides information about the REST specifications used in Oracle Communications Cloud Native Core, Certificate Management (OCCM).
OCCM can be configured using Helm configurations, REST APIs, and the Cloud Native Configuration Console (CNC Console); the REST configurations described in this chapter can also be performed through the CNC Console.
For Helm configurations, see Oracle Communications Cloud Native Core, Certificate Management Installation, Upgrade, and Fault Recovery Guide.
For the configurations using CNC Console, see Oracle Communications Cloud Native Core, Certificate Management User Guide.
For installing OCCM in an existing NF deployment, see 'Introducing OCCM on an Existing NF Deployment' section in the Oracle Communications Cloud Native Core, Certificate Management User Guide.
2.1 OCCM Issuers
OCCM Issuers Data Model
Table 2-1 OCCM Issuers Request Parameters
Field Name | DataType | Description |
---|---|---|
name | String | This is a mandatory parameter. Name of the CA |
server | String | This is a mandatory parameter. Domain URL of the CA. Note: the user should provide the port on which the CA server is running; otherwise the application uses the default port 80. |
recipientDN | String | This is a mandatory parameter. Distinguished Name (DN) of the CMP server (usually the addressed CA). Used in the recipient field of CMP request message headers. The argument must be formatted as /type0=value0/type1=value1/type2=.... Special characters may be escaped by \ (backslash); whitespace is retained. Empty values are permitted, but the corresponding type will not be included. Giving a single / will lead to an empty sequence of RDNs (a NULL-DN). Multi-valued RDNs can be formed by placing a + character instead of a / between the AttributeValueAssertions (AVAs) that specify the members of the set. Example: |
issuerDN | String | This is an optional parameter. X.509 issuer Distinguished Name of the CA server to place in the requested certificate template in IR/KUR. The argument must be formatted as /type0=value0/type1=value1/type2=.... Special characters may be escaped by \ (backslash); whitespace is retained. Empty values are permitted, but the corresponding type will not be included. Giving a single / will lead to an empty sequence of RDNs (a NULL-DN). Multi-valued RDNs can be formed by placing a + character instead of a / between the AttributeValueAssertions (AVAs) that specify the members of the set. Example: |
totalTimeout | String | This is a mandatory parameter. Maximum total number of seconds a CMP transaction may take. Default Value: 720 seconds. Max: 21600 seconds. Note: totalTimeout must always be greater than messageTimeout. |
messageTimeout | String | This is a mandatory parameter. Number of seconds a CMP request-response message round trip is allowed to take before a timeout error is returned. Default Value: 120 seconds. Max: 600 seconds. Note: messageTimeout must always be less than totalTimeout. |
cmpProtectionOccmCert | Object | This is a mandatory parameter except when the OCCM certificate is manually configured. CMP client authentication options for the OCCM certificate |
cmpProtectionOccmCert.type | Enum | This is a mandatory parameter. MAC or SIGNATURE |
cmpProtectionOccmCert.digestAlgorithm | Enum | This is a mandatory parameter except when cmpProtectionOccmCert.type selected is MAC. Supported digest to use. Default Value: SHA256 |
cmpProtectionOccmCert.macAlgorithm | Enum | This is a mandatory parameter except when cmpProtectionOccmCert.type selected is SIGNATURE. MAC algorithm to use. Default Value: HMACSHA256 |
cmpProtectionOccmCert.macK8sSecretIn | Object | This is a mandatory parameter except when cmpProtectionOccmCert.type selected is SIGNATURE. Kubernetes secret input details for MAC-based authentication of the OCCM cert. |
cmpProtectionOccmCert.macK8sSecretIn.namespace | String | This is a mandatory parameter. Kubernetes secret namespace where the MAC secret is present. |
cmpProtectionOccmCert.macK8sSecretIn.name | String | This is a mandatory parameter. Name of the Kubernetes secret holding the MAC secret (pre-shared key) and reference information. |
cmpProtectionOccmCert.macK8sSecretIn.passKey | String | This is a mandatory parameter. Kubernetes secret data key against which the MAC secret is provided. |
cmpProtectionOccmCert.macK8sSecretIn.refKey | String | This is an optional parameter. Kubernetes secret data key against which the reference string is provided. |
cmpProtectionOccmCert.signK8sSecretIn | Object | This is a mandatory parameter except when cmpProtectionOccmCert.type selected is MAC. Kubernetes secret input details for signature-based authentication of the OCCM cert. |
cmpProtectionOccmCert.signK8sSecretIn.namespace | String | This is a mandatory parameter. Kubernetes secret namespace where the OCCM Sign secret is present. |
cmpProtectionOccmCert.signK8sSecretIn.name | String | This is a mandatory parameter. Name of the Kubernetes secret holding the pre-configured private key and certificate. |
cmpProtectionOccmCert.signK8sSecretIn.key | String | This is a mandatory parameter. Kubernetes secret data key against which the pre-configured private key file (private key file for the client's current CMP signer certificate) is provided. |
cmpProtectionOccmCert.signK8sSecretIn.cert | String | This is a mandatory parameter. Kubernetes secret data key against which the pre-configured certificate (client's current CMP signer certificate) is provided. |
cmpProtectionOccmCert.signK8sSecretIn.extraCerts | Array | This is a mandatory parameter. List of Kubernetes secret data keys against which the certificates to append in the extraCerts field can be provided. They can be used as the default CMP signer certificate chain to include. |
cmpProtectionOtherCert | Object | This is a mandatory parameter. CMP client authentication options for the Other (NF) certificate |
cmpProtectionOtherCert.type | Enum | This is a mandatory parameter. MAC or SIGNATURE |
cmpProtectionOtherCert.digestAlgorithm | Enum | This is a mandatory parameter. Supported digest to use. Default Value: SHA256 |
cmpProtectionOtherCert.signK8sSecretIn | Object | This is a mandatory parameter. Kubernetes secret input details for signature-based authentication of the Other (NF) cert. |
cmpProtectionOtherCert.signK8sSecretIn.namespace | String | This is a mandatory parameter. Kubernetes secret namespace where the NF Sign secret is present. |
cmpProtectionOtherCert.signK8sSecretIn.name | String | This is a mandatory parameter. Name of the Kubernetes secret holding the OCCM key and cert information. |
cmpProtectionOtherCert.signK8sSecretIn.key | String | This is a mandatory parameter. Kubernetes secret data key against which the OCCM key is provided or created, depending on whether the OCCM cert is created in manual or automatic mode. |
cmpProtectionOtherCert.signK8sSecretIn.cert | String | This is a mandatory parameter. Kubernetes secret data key against which the OCCM certificate is provided or created, depending on whether the OCCM cert is created in manual or automatic mode. |
cmpProtectionOtherCert.signK8sSecretIn.extraCerts | Array | This is a mandatory parameter. List of Kubernetes secret data keys against which the certificates to append in the extraCerts field are provided, or will be created (if received from the CA) along with the OCCM cert, depending on whether the OCCM cert is created in manual or automatic mode. |
occmTrustStoreK8sSecretIn | Object | This is a mandatory parameter. Kubernetes secret input which holds the OCCM trust store information (CA certificates). Used to validate CMP response messages. |
occmTrustStoreK8sSecretIn.namespace | String | This is a mandatory parameter. Kubernetes secret namespace where the OCCM trust store secret is present. |
occmTrustStoreK8sSecretIn.name | String | This is a mandatory parameter. Name of the Kubernetes OCCM trust store secret. |
occmTrustStoreK8sSecretIn.rootCACerts | List<String> | This is a mandatory parameter except if occmTrustStoreK8sSecretIn.serverCert is provided. The certificate(s), typically of root CAs, the client shall use as trust anchors when validating the certificate issued by the CA. Note: If the server cert is present, this is ignored. |
occmTrustStoreK8sSecretIn.intCACerts | List<String> | This is an optional parameter. Any non-trusted intermediate CA certificate(s) to use when validating newly enrolled certificates. |
occmTrustStoreK8sSecretIn.serverCert | String | This is a mandatory parameter except if occmTrustStoreK8sSecretIn.rootCACerts is provided. The CMP/CA server's certificate to expect and directly trust when validating the certificate issued by the CA. Note: If this is present, the root CA certs will be ignored. |
uuid | String | Unique ID for logging and tracking purposes |
Table 2-2 OCCM Issuers Response Codes
Response codes | Data type | Cardinality | Description |
---|---|---|---|
202 Accepted | Object (Issuers) | 1 | This is a mandatory parameter. Object (Issuers) |
200 OK | Object (Issuers) or List (Issuers) | 1 | This is a mandatory parameter. Object (Issuers) or List (Issuers) matching the criteria |
400 Bad Request | Problem Details | 1 | This is a mandatory parameter. Input does not match; the request cannot be processed |
409 Conflict | Problem Details | 1 | This is a mandatory parameter. Record already exists |
500 Internal Server Error | Problem Details | 1 | This is a mandatory parameter. Something went wrong |
Note:
OCCM Issuers response body data model varies based on REST operation status.
OCCM Issuers JSON Payload
{
"name": "",
"server": "",
"recipientDN": "",
"issuerDN": "",
"totalTimeout": "",
"messageTimeout": "",
"cmpProtectionOccmCert": {
"type": null,
"digestAlgorithm": null,
"macAlgorithm": null,
"macK8sSecretIn": {
"namespace": "",
"name": "",
"passKey": "",
"refKey": ""
},
"signK8sSecretIn": {
"namespace": "",
"name": "",
"key": "",
"cert": "",
"extraCerts": []
}
},
"cmpProtectionOtherCert": {
"type": "",
"digestAlgorithm": "",
"signK8sSecretIn": {
"namespace": "",
"name": "",
"key": "",
"cert": "",
"extraCerts": []
}
},
"occmTrustStoreK8sSecretIn": {
"namespace": "",
"name": "",
"rootCACerts": [],
"intCACerts": [],
"serverCert": ""
}
}
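As an added example (Python written for this page, not OCCM code), the Table 2-1 constraints as a pre-flight check a practitioner can run on an issuer payload before POSTing it: the timeout bounds and ordering, the secret fields each cmpProtectionOccmCert.type requires, the rootCACerts/serverCert trust-anchor rule, and the default-port caveat on server. The CA-MAC sample is the entry of that name from the Fetch All Issuers response below; the second payload is constructed to fail.

```python
"""Pre-flight validation of an OCCM issuer payload against the Table 2-1 rules.
Added example, not OCCM code: run it over a payload before POSTing it to /occm-config/v1/issuers."""
from urllib.parse import urlsplit

MAX_TOTAL_TIMEOUT = 21600   # seconds, Table 2-1
MAX_MESSAGE_TIMEOUT = 600   # seconds, Table 2-1
SIGN_SECRET_KEYS = ("namespace", "name", "key", "cert")
MAC_SECRET_KEYS = ("namespace", "name", "passKey")


def _missing(obj, path, keys):
    """One finding per mandatory key that is absent or empty under `path`."""
    return [f"{path}.{k} is mandatory" for k in keys if not obj.get(k)]


def _timeout(payload, key, maximum):
    """Parse a string-typed timeout field; return (value or None, findings)."""
    raw = payload.get(key)
    if raw in (None, ""):
        return None, [f"{key} is mandatory"]
    if not str(raw).isdigit():
        return None, [f"{key} must be a positive integer number of seconds, got {raw!r}"]
    value = int(raw)
    if value < 1 or value > maximum:
        return value, [f"{key} must be between 1 and {maximum} seconds, got {value}"]
    return value, []


def validate_issuer(payload):
    """Return human-readable findings; an empty list means the payload passes the checks."""
    findings = _missing(payload, "issuer", ("name", "server", "recipientDN"))
    # server: the CA port must be explicit, otherwise OCCM falls back to port 80.
    server = payload.get("server") or ""
    parts = urlsplit(server)
    if server and (parts.scheme not in ("http", "https") or not parts.hostname):
        findings.append(f"server must be an http(s) URL, got {server!r}")
    elif server and ":" not in parts.netloc.rpartition("@")[2]:
        findings.append("server has no explicit port; OCCM will default to port 80")
    # Timeouts: both bounded, and the transaction budget must exceed one round trip.
    total, f = _timeout(payload, "totalTimeout", MAX_TOTAL_TIMEOUT)
    findings += f
    msg, f = _timeout(payload, "messageTimeout", MAX_MESSAGE_TIMEOUT)
    findings += f
    if total is not None and msg is not None and total <= msg:
        findings.append(f"totalTimeout ({total}) must be greater than messageTimeout ({msg})")
    # cmpProtectionOccmCert: type may be null only when the OCCM cert is configured manually;
    # MAC needs the pre-shared-key secret, SIGNATURE needs the signer key/cert secret.
    occm = payload.get("cmpProtectionOccmCert") or {}
    occm_type = occm.get("type")
    if occm_type == "MAC":
        if not occm.get("macAlgorithm"):
            findings.append("cmpProtectionOccmCert.macAlgorithm is mandatory when type is MAC")
        findings += _missing(occm.get("macK8sSecretIn") or {}, "cmpProtectionOccmCert.macK8sSecretIn", MAC_SECRET_KEYS)
    elif occm_type == "SIGNATURE":
        if not occm.get("digestAlgorithm"):
            findings.append("cmpProtectionOccmCert.digestAlgorithm is mandatory when type is SIGNATURE")
        findings += _missing(occm.get("signK8sSecretIn") or {}, "cmpProtectionOccmCert.signK8sSecretIn", SIGN_SECRET_KEYS)
    elif occm_type is not None:
        findings.append(f"cmpProtectionOccmCert.type must be MAC or SIGNATURE, got {occm_type!r}")
    # cmpProtectionOtherCert: always mandatory; NF requests are signed with the OCCM key/cert secret.
    other = payload.get("cmpProtectionOtherCert") or {}
    if other.get("type") not in ("MAC", "SIGNATURE"):
        findings.append("cmpProtectionOtherCert.type must be MAC or SIGNATURE")
    if not other.get("digestAlgorithm"):
        findings.append("cmpProtectionOtherCert.digestAlgorithm is mandatory")
    findings += _missing(other.get("signK8sSecretIn") or {}, "cmpProtectionOtherCert.signK8sSecretIn", SIGN_SECRET_KEYS)
    # Trust store: CMP responses are validated against rootCACerts or a pinned serverCert.
    # With neither there is no trust anchor; with both, serverCert wins and the roots are ignored.
    trust = payload.get("occmTrustStoreK8sSecretIn") or {}
    findings += _missing(trust, "occmTrustStoreK8sSecretIn", ("namespace", "name"))
    roots, pinned = trust.get("rootCACerts") or [], trust.get("serverCert") or ""
    if not roots and not pinned:
        findings.append("occmTrustStoreK8sSecretIn needs rootCACerts or serverCert; no trust anchor configured")
    elif roots and pinned:
        findings.append("occmTrustStoreK8sSecretIn.serverCert is set, so rootCACerts will be ignored")
    return findings


# Taken from the "CA-MAC" entry of the Fetch All Issuers response (MAC-protected OCCM cert).
CA_MAC_EXAMPLE = {
    "name": "CA-MAC", "server": "http://ca-occm-mac-openssl-mock.ns1.svc.thrust5:8080",
    "recipientDN": "/CN=svc.thrust5", "issuerDN": "/CN=svc.thrust5",
    "totalTimeout": "720", "messageTimeout": "120",
    "cmpProtectionOccmCert": {"type": "MAC", "digestAlgorithm": None, "macAlgorithm": "HMACSHA256",
        "macK8sSecretIn": {"namespace": "ns1", "name": "occm-mac-secret", "passKey": "passKey", "refKey": "refKey"},
        "signK8sSecretIn": {"namespace": "", "name": "", "key": "", "cert": "", "extraCerts": []}},
    "cmpProtectionOtherCert": {"type": "SIGNATURE", "digestAlgorithm": "SHA256",
        "signK8sSecretIn": {"namespace": "ns1", "name": "occm-mac-occm-key-cert-secret",
                            "key": "occmkey.pem", "cert": "occm.cer", "extraCerts": []}},
    "occmTrustStoreK8sSecretIn": {"namespace": "ns1", "name": "occm-manual-occm-trust-store-secret",
                                  "rootCACerts": ["caroot.cer"], "intCACerts": ["intca.cer"], "serverCert": ""},
}

# Constructed payload (not from the page) that breaks several Table 2-1 rules at once.
BROKEN_EXAMPLE = {
    "name": "CA-BAD", "server": "http://ca-bad.ns1.svc.thrust5", "recipientDN": "/CN=svc.thrust5",
    "totalTimeout": "60", "messageTimeout": "120",
    "cmpProtectionOccmCert": {"type": "SIGNATURE", "digestAlgorithm": "SHA256",
                              "signK8sSecretIn": {"namespace": "ns1", "name": "", "key": "", "cert": ""}},
    "cmpProtectionOtherCert": {"type": "SIGNATURE", "digestAlgorithm": "SHA256",
                               "signK8sSecretIn": {"namespace": "ns1", "name": "nf-secret", "key": "k.pem", "cert": "c.cer"}},
    "occmTrustStoreK8sSecretIn": {"namespace": "ns1", "name": "nf-trust", "rootCACerts": ["caroot.cer"], "serverCert": "server.cer"},
}
```

`validate_issuer(BROKEN_EXAMPLE)` reports the missing port, the inverted timeouts, the three empty signer-secret keys and the shadowed rootCACerts in one pass, while the CA-MAC entry comes back clean.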
2.1.1 Fetch All Issuers
OCCM uses the GET operation to fetch all issuer details.
Resource URI: /occm-config/v1/issuers
Data structures supported by the GET Response Body on this resource
Response codes | Data type | Cardinality | Description |
---|---|---|---|
200 OK | Object (Issuers) | 1 | This is a mandatory parameter. Object (Issuers) matching criteria |
500 Internal Server Error | Problem Details | 1 | This is a mandatory parameter. Something went wrong |
$ curl --location --request GET 'http://{host}:{port}/occm-config/v1/issuers' \
--header 'Oc-Cncc-Id: Cluster1' \
--header 'Oc-Cncc-Instance-Id: Cluster1-OCCM-instance1' \
--header 'Authorization: Bearer eyJhbGciOiJSUzI1Ni'
200 OK Response Body: '[
{
"uuid": "3dd25d28-dd85-4d2c-baf5-c62438a96751",
"name": "CA7",
"server": "http://ca7-openssl-mock.ns1.svc.thrust5:8084",
"recipientDN": "/CN=svc.thrust5",
"issuerDN": "/CN=svc.thrust5",
"totalTimeout": "60",
"messageTimeout": "30",
"cmpProtectionOccmCert": {
"type": null,
"digestAlgorithm": null,
"macAlgorithm": null,
"macK8sSecretIn": {
"namespace": "",
"name": "",
"passKey": "",
"refKey": ""
},
"signK8sSecretIn": {
"namespace": "",
"name": "",
"key": "",
"cert": "",
"extraCerts": []
}
},
"cmpProtectionOtherCert": {
"type": "SIGNATURE",
"digestAlgorithm": "SHA256",
"signK8sSecretIn": {
"namespace": "ns1",
"name": "ca2-occm-key-cert-secret",
"key": "occmkey.pem",
"cert": "occm.cer",
"extraCerts": []
}
},
"occmTrustStoreK8sSecretIn": {
"namespace": "ns1",
"name": "ca2-occm-trust-store-secret",
"rootCACerts": [
"caroot.cer"
],
"intCACerts": [
"intca.cer"
],
"serverCert": ""
}
},
{
"uuid": "bd0aa96d-7a49-48e4-8ade-cf3ec0637971",
"name": "CA-SIGN",
"server": "http://ca-occm-sign-openssl-mock.ns1.svc.thrust5:8089",
"recipientDN": "/CN=svc.thrust5",
"issuerDN": "",
"totalTimeout": "720",
"messageTimeout": "120",
"cmpProtectionOccmCert": {
"type": "SIGNATURE",
"digestAlgorithm": "SHA256",
"macAlgorithm": null,
"macK8sSecretIn": {
"namespace": "",
"name": "",
"passKey": "",
"refKey": ""
},
"signK8sSecretIn": {
"namespace": "ns1",
"name": "occm-sign-cmp-secret",
"key": "cmpkey.pem",
"cert": "cmp.cer",
"extraCerts": []
}
},
"cmpProtectionOtherCert": {
"type": "SIGNATURE",
"digestAlgorithm": "SHA256",
"signK8sSecretIn": {
"namespace": "ns1",
"name": "occm-sign-secret-ca-sign",
"key": "occmkey.pem",
"cert": "occm.cer",
"extraCerts": []
}
},
"occmTrustStoreK8sSecretIn": {
"namespace": "ns1",
"name": "occm-manual-occm-trust-store-secret",
"rootCACerts": [],
"intCACerts": [],
"serverCert": "server.cer"
}
},
{
"uuid": "b80fcc11-d036-4920-9740-719fca190cb6",
"name": "CA001",
"server": "http://ca1-openssl-mock.ns1.svc.thrust5:8086",
"recipientDN": "/CN=svc.thrust5",
"issuerDN": "/CN=svc.thrust5",
"totalTimeout": "60",
"messageTimeout": "30",
"cmpProtectionOccmCert": {
"type": null,
"digestAlgorithm": null,
"macAlgorithm": null,
"macK8sSecretIn": {
"namespace": "",
"name": "",
"passKey": "",
"refKey": ""
},
"signK8sSecretIn": {
"namespace": "",
"name": "",
"key": "",
"cert": "",
"extraCerts": []
}
},
"cmpProtectionOtherCert": {
"type": "SIGNATURE",
"digestAlgorithm": "SHA256",
"signK8sSecretIn": {
"namespace": "ns1",
"name": "ca1-occm-key-cert-secret",
"key": "occmkey.pem",
"cert": "occm.cer",
"extraCerts": []
}
},
"occmTrustStoreK8sSecretIn": {
"namespace": "ns1",
"name": "ca1-occm-trust-store-secret",
"rootCACerts": [
"caroot.cer"
],
"intCACerts": [
"intca.cer"
],
"serverCert": ""
}
},
{
"uuid": "a082ca83-09c9-47ee-909c-fb37c21a5457",
"name": "CA365",
"server": "http://ca365-openssl-mock.ns1.svc.thrust5:8082",
"recipientDN": "/CN=svc.thrust5",
"issuerDN": "/CN=svc.thrust5",
"totalTimeout": "60",
"messageTimeout": "30",
"cmpProtectionOccmCert": {
"type": null,
"digestAlgorithm": null,
"macAlgorithm": null,
"macK8sSecretIn": {
"namespace": "",
"name": "",
"passKey": "",
"refKey": ""
},
"signK8sSecretIn": {
"namespace": "",
"name": "",
"key": "",
"cert": "",
"extraCerts": []
}
},
"cmpProtectionOtherCert": {
"type": "SIGNATURE",
"digestAlgorithm": "SHA256",
"signK8sSecretIn": {
"namespace": "ns1",
"name": "ca2-occm-key-cert-secret",
"key": "occmkey.pem",
"cert": "occm.cer",
"extraCerts": []
}
},
"occmTrustStoreK8sSecretIn": {
"namespace": "ns1",
"name": "ca2-occm-trust-store-secret",
"rootCACerts": [
"caroot.cer"
],
"intCACerts": [
"intca.cer"
],
"serverCert": ""
}
},
{
"uuid": "d7374019-0346-41c1-9098-c64d4efd879f",
"name": "CA180",
"server": "http://ca180-openssl-mock.ns1.svc.thrust5:8085",
"recipientDN": "/CN=svc.thrust5",
"issuerDN": "/CN=svc.thrust5",
"totalTimeout": "60",
"messageTimeout": "30",
"cmpProtectionOccmCert": {
"type": null,
"digestAlgorithm": null,
"macAlgorithm": null,
"macK8sSecretIn": {
"namespace": "",
"name": "",
"passKey": "",
"refKey": ""
},
"signK8sSecretIn": {
"namespace": "",
"name": "",
"key": "",
"cert": "",
"extraCerts": []
}
},
"cmpProtectionOtherCert": {
"type": "SIGNATURE",
"digestAlgorithm": "SHA256",
"signK8sSecretIn": {
"namespace": "ns1",
"name": "ca2-occm-key-cert-secret",
"key": "occmkey.pem",
"cert": "occm.cer",
"extraCerts": []
}
},
"occmTrustStoreK8sSecretIn": {
"namespace": "ns1",
"name": "ca2-occm-trust-store-secret",
"rootCACerts": [
"caroot.cer"
],
"intCACerts": [
"intca.cer"
],
"serverCert": ""
}
},
{
"uuid": "c653b88b-a4c6-44fc-a37d-0c79fd64bbde",
"name": "CA-MANUAL",
"server": "http://ca-occm-manual-openssl-mock.ns1.svc.thrust5:8087",
"recipientDN": "/CN=svc.thrust5",
"issuerDN": "/CN=svc.thrust5",
"totalTimeout": "720",
"messageTimeout": "120",
"cmpProtectionOccmCert": {
"type": null,
"digestAlgorithm": null,
"macAlgorithm": null,
"macK8sSecretIn": {
"namespace": "",
"name": "",
"passKey": "",
"refKey": ""
},
"signK8sSecretIn": {
"namespace": "",
"name": "",
"key": "",
"cert": "",
"extraCerts": []
}
},
"cmpProtectionOtherCert": {
"type": "SIGNATURE",
"digestAlgorithm": "SHA256",
"signK8sSecretIn": {
"namespace": "ns1",
"name": "occm-manual-occm-key-cert-secret",
"key": "occmkey.pem",
"cert": "occm.cer",
"extraCerts": []
}
},
"occmTrustStoreK8sSecretIn": {
"namespace": "ns1",
"name": "occm-manual-occm-trust-store-secret",
"rootCACerts": [
"caroot.cer"
],
"intCACerts": [
"intca.cer"
],
"serverCert": ""
}
},
{
"uuid": "04158b65-b4d4-4e96-a03b-d4270fcba7c7",
"name": "CA-MAC",
"server": "http://ca-occm-mac-openssl-mock.ns1.svc.thrust5:8080",
"recipientDN": "/CN=svc.thrust5",
"issuerDN": "/CN=svc.thrust5",
"totalTimeout": "720",
"messageTimeout": "120",
"cmpProtectionOccmCert": {
"type": "MAC",
"digestAlgorithm": null,
"macAlgorithm": "HMACSHA256",
"macK8sSecretIn": {
"namespace": "ns1",
"name": "occm-mac-secret",
"passKey": "passKey",
"refKey": "refKey"
},
"signK8sSecretIn": {
"namespace": "",
"name": "",
"key": "",
"cert": "",
"extraCerts": []
}
},
"cmpProtectionOtherCert": {
"type": "SIGNATURE",
"digestAlgorithm": "SHA256",
"signK8sSecretIn": {
"namespace": "ns1",
"name": "occm-mac-occm-key-cert-secret",
"key": "occmkey.pem",
"cert": "occm.cer",
"extraCerts": []
}
},
"occmTrustStoreK8sSecretIn": {
"namespace": "ns1",
"name": "occm-manual-occm-trust-store-secret",
"rootCACerts": [
"caroot.cer"
],
"intCACerts": [
"intca.cer"
],
"serverCert": ""
}
},
{
"uuid": "15418946-9519-495a-9dae-6f43e6bd06e8",
"name": "CA1",
"server": "http://ca1-openssl-mock.ns1.svc.thrust5:8080",
"recipientDN": "/CN=svc.thrust5",
"issuerDN": "/CN=svc.thrust5",
"totalTimeout": "720",
"messageTimeout": "120",
"cmpProtectionOccmCert": {
"type": null,
"digestAlgorithm": null,
"macAlgorithm": null,
"macK8sSecretIn": {
"namespace": "",
"name": "",
"passKey": "",
"refKey": ""
},
"signK8sSecretIn": {
"namespace": "",
"name": "",
"key": "",
"cert": "",
"extraCerts": []
}
},
"cmpProtectionOtherCert": {
"type": "SIGNATURE",
"digestAlgorithm": "SHA256",
"signK8sSecretIn": {
"namespace": "ns1",
"name": "ca1-occm-key-cert-secret",
"key": "occmkey.pem",
"cert": "occm.cer",
"extraCerts": []
}
},
"occmTrustStoreK8sSecretIn": {
"namespace": "ns1",
"name": "ca1-occm-trust-store-secret",
"rootCACerts": [
"caroot.cer"
],
"intCACerts": [
"intca.cer"
],
"serverCert": "server.cer"
}
}]'
2.1.2 Fetch Issuers by Name
OCCM uses the GET operation to fetch issuers by name.
Resource URI: /occm-config/v1/issuers/{uuid}
Data structures supported by the GET Response Body on this resource
Response codes | Data type | Cardinality | Description |
---|---|---|---|
200 OK | Object (Issuers) | 1 | This is a mandatory parameter. Object (Issuers) matching criteria |
500 Internal Server Error | Problem Details | 1 | This is a mandatory parameter. Something went wrong |
$ curl --location --request GET 'http://{host}:{port}/occm-config/v1/issuers/4c5b4025-6c63-438c-bcd7-27b5bf8da4fd' \
--header 'Oc-Cncc-Id: Cluster1' \
--header 'Oc-Cncc-Instance-Id: Cluster1-OCCM-instance1' \
--header 'Authorization: Bearer eyJhbGciOiJSUzI1NiIs'
200 OK Response Body: '{
"uuid": "4c5b4025-6c63-438c-bcd7-27b5bf8da4fd",
"name": "CA1",
"server": "http://ca1-openssl-mock.ns1.svc.thrust5:8080",
"recipientDN": "/CN=svc.thrust5",
"issuerDN": "/CN=svc.thrust5",
"totalTimeout": "720",
"messageTimeout": "120",
"cmpProtectionOccmCert": {
"type": null,
"digestAlgorithm": null,
"macAlgorithm": null,
"macK8sSecretIn": {
"namespace": "",
"name": "",
"passKey": "",
"refKey": ""
},
"signK8sSecretIn": {
"namespace": "",
"name": "",
"key": "",
"cert": "",
"extraCerts": []
}
},
"cmpProtectionOtherCert": {
"type": "SIGNATURE",
"digestAlgorithm": "SHA256",
"signK8sSecretIn": {
"namespace": "ns1",
"name": "ca1-occm-key-cert-secret",
"key": "occmkey.pem",
"cert": "occm.cer",
"extraCerts": []
}
},
"occmTrustStoreK8sSecretIn": {
"namespace": "ns1",
"name": "ca1-occm-trust-store-secret",
"rootCACerts": [
"caroot.cer"
],
"intCACerts": [
"intca.cer"
],
"serverCert": "server.cer"
}
}'
2.1.3 Add Issuer Configurations
OCCM uses the POST operation to add issuer configurations using the request body.
Resource URI: /occm-config/v1/issuers
Data structures supported by the POST Response Body on this resource
Response codes | Data type | Cardinality | Description |
---|---|---|---|
202 ACCEPTED | Issuers | 1 | This is a mandatory parameter. Issuers configuration data |
400 BAD REQUEST | Problem Details | 1 | This is a mandatory parameter. Returns Problem Details structure |
409 CONFLICT | Problem Details | 1 | This is a mandatory parameter. Record already exists |
$ curl --location --request POST 'http://{host}:{port}/occm-config/v1/issuers' \
--header 'Oc-Cncc-Id: Cluster1' \
--header 'Oc-Cncc-Instance-Id: Cluster1-OCCM-instance1' \
--header 'Authorization: Bearer LxuLeX9dihXDUcoFwDw' \
--header 'Content-Type: application/json' \
--data-raw '{
"name": "CA1",
"server": "http://ca1-openssl-mock.ns1.svc.thrust5:8086",
"recipientDN": "/CN=svc.thrust5",
"issuerDN": "/CN=svc.thrust5",
"totalTimeout": "60",
"messageTimeout": "30",
"cmpProtectionOccmCert": {
"type": null,
"digestAlgorithm": null,
"macAlgorithm": null,
"macK8sSecretIn": {
"namespace": "",
"name": "",
"passKey": "",
"refKey": ""
},
"signK8sSecretIn": {
"namespace": "",
"name": "",
"key": "",
"cert": "",
"extraCerts": []
}
},
"cmpProtectionOtherCert": {
"type": "SIGNATURE",
"digestAlgorithm": "SHA256",
"signK8sSecretIn": {
"namespace": "ns1",
"name": "ca1-occm-key-cert-secret",
"key": "occmkey.pem",
"cert": "occm.cer",
"extraCerts": []
}
},
"occmTrustStoreK8sSecretIn": {
"namespace": "ns1",
"name": "ca1-occm-trust-store-secret",
"rootCACerts": ["caroot.cer"],
"intCACerts": ["intca.cer"],
"serverCert": ""
}
}'
200 Success Response Body: '{
"uuid": "4c5b4025-6c63-438c-bcd7-27b5bf8da4fd",
"name": "CA1",
"server": "http://ca1-openssl-mock.ns1.svc.thrust5:8086",
"recipientDN": "/CN=svc.thrust5",
"issuerDN": "/CN=svc.thrust5",
"totalTimeout": "60",
"messageTimeout": "30",
"cmpProtectionOccmCert": {
"type": null,
"digestAlgorithm": null,
"macAlgorithm": null,
"macK8sSecretIn": {
"namespace": "",
"name": "",
"passKey": "",
"refKey": ""
},
"signK8sSecretIn": {
"namespace": "",
"name": "",
"key": "",
"cert": "",
"extraCerts": []
}
},
"cmpProtectionOtherCert": {
"type": "SIGNATURE",
"digestAlgorithm": "SHA256",
"signK8sSecretIn": {
"namespace": "ns1",
"name": "ca1-occm-key-cert-secret",
"key": "occmkey.pem",
"cert": "occm.cer",
"extraCerts": []
}
},
"occmTrustStoreK8sSecretIn": {
"namespace": "ns1",
"name": "ca1-occm-trust-store-secret",
"rootCACerts": ["caroot.cer"],
"intCACerts": ["intca.cer"],
"serverCert": ""
}
}'
2.1.4 Update Issuer Configurations
Note:
You can update the issuer as long as it is not in use by any certificate.
Resource URI: /occm-config/v1/issuers/{uuid}
Data structures supported by the PUT Response Body on this resource
Response codes | Data type | Cardinality | Description |
---|---|---|---|
200 OK | Issuers | 1 | This is a mandatory parameter. Issuers configuration data |
400 BAD REQUEST | Problem Details | 1 | This is a mandatory parameter. Invalid input is passed to process request. |
$ curl --location --request PUT 'http://{host}:{port}/occm-config/v1/issuers/4c5b4025-6c63-438c-bcd7-27b5bf8da4fd' \
--header 'oc-cncc-id: Cluster1' \
--header 'oc-cncc-instance-id: Cluster1-OCCM-instance1' \
--header 'Authorization: Bearer LxuLeX9dihXDUcoFwDw.....' \
--header 'Content-Type: application/json' \
--data-raw '{
"uuid": "4c5b4025-6c63-438c-bcd7-27b5bf8da4fd",
"name": "CA1",
"server": "http://ca1-openssl-mock.ns1.svc.thrust5:8085",
"recipientDN": "/CN=svc.thrust5",
"issuerDN": "/CN=svc.thrust5",
"totalTimeout": "60",
"messageTimeout": "30",
"cmpProtectionOccmCert": {
"type": null,
"digestAlgorithm": null,
"macAlgorithm": null,
"macK8sSecretIn": {
"namespace": "",
"name": "",
"passKey": "",
"refKey": ""
},
"signK8sSecretIn": {
"namespace": "",
"name": "",
"key": "",
"cert": "",
"extraCerts": []
}
},
"cmpProtectionOtherCert": {
"type": "SIGNATURE",
"digestAlgorithm": "SHA256",
"signK8sSecretIn": {
"namespace": "ns1",
"name": "ca1-occm-key-cert-secret",
"key": "occmkey.pem",
"cert": "occm.cer",
"extraCerts": []
}
},
"occmTrustStoreK8sSecretIn": {
"namespace": "ns1",
"name": "ca1-occm-trust-store-secret",
"rootCACerts": ["caroot.cer"],
"intCACerts": ["intca.cer"],
"serverCert": ""
}
}'
200 Success Response Body: '{
"uuid": "4c5b4025-6c63-438c-bcd7-27b5bf8da4fd",
"name": "CA1",
"server": "http://ca1-openssl-mock.ns1.svc.thrust5:8085",
"recipientDN": "/CN=svc.thrust5",
"issuerDN": "/CN=svc.thrust5",
"totalTimeout": "60",
"messageTimeout": "30",
"cmpProtectionOccmCert": {
"type": null,
"digestAlgorithm": null,
"macAlgorithm": null,
"macK8sSecretIn": {
"namespace": "",
"name": "",
"passKey": "",
"refKey": ""
},
"signK8sSecretIn": {
"namespace": "",
"name": "",
"key": "",
"cert": "",
"extraCerts": []
}
},
"cmpProtectionOtherCert": {
"type": "SIGNATURE",
"digestAlgorithm": "SHA256",
"signK8sSecretIn": {
"namespace": "ns1",
"name": "ca1-occm-key-cert-secret",
"key": "occmkey.pem",
"cert": "occm.cer",
"extraCerts": []
}
},
"occmTrustStoreK8sSecretIn": {
"namespace": "ns1",
"name": "ca1-occm-trust-store-secret",
"rootCACerts": ["caroot.cer"],
"intCACerts": ["intca.cer"],
"serverCert": ""
}
}'
2.1.5 Delete Issuers Data
Note:
An issuer can only be deleted if there are no certificates referring to this issuer entry.
Resource URI: /occm-config/v1/issuers/{uuid}
Data structures supported by the DELETE Response Body on this resource
Response codes | Data type | Cardinality | Description |
---|---|---|---|
200 OK | Issuers | 1 | This is a mandatory parameter. Issuers configuration data |
400 Bad Request | Problem Details | 1 | This is a mandatory parameter. Input does not match to process request |
$ curl --location --request DELETE 'http://{host}:{port}/occm-config/v1/issuers/4c5b4025-6c63-438c-bcd7-27b5bf8da4fd' \
--header 'oc-cncc-id: Cluster1' \
--header 'oc-cncc-instance-id: Cluster1-OCCM-instance1' \
--header 'Authorization: Bearer eyJhbGciOiJSUzI1NiIs.…...'
200 OK Response Body: '{
"uuid": "4c5b4025-6c63-438c-bcd7-27b5bf8da4fd",
"name": "CA1",
"server": "http://ca1-openssl-mock.ns1.svc.thrust5:8086",
"recipientDN": "/CN=svc.thrust5",
"issuerDN": "/CN=svc.thrust5",
"totalTimeout": "60",
"messageTimeout": "30",
"cmpProtectionOccmCert": {
"type": null,
"digestAlgorithm": null,
"macAlgorithm": null,
"macK8sSecretIn": {
"namespace": "",
"name": "",
"passKey": "",
"refKey": ""
},
"signK8sSecretIn": {
"namespace": "",
"name": "",
"key": "",
"cert": "",
"extraCerts": []
}
},
"cmpProtectionOtherCert": {
"type": "SIGNATURE",
"digestAlgorithm": "SHA256",
"signK8sSecretIn": {
"namespace": "ns1",
"name": "ca1-occm-key-cert-secret",
"key": "occmkey.pem",
"cert": "occm.cer",
"extraCerts": []
}
},
"occmTrustStoreK8sSecretIn": {
"namespace": "ns1",
"name": "ca1-occm-trust-store-secret",
"rootCACerts": ["caroot.cer"],
"intCACerts": ["intca.cer"],
"serverCert": ""
}
}'
2.2 OCCM Certificates
OCCM Certificates Data Model
Table 2-3 OCCM Certifiactes Request Parameters
Field Name | DataType | Description |
---|---|---|
name | String | This is a mandatory parameter. Name of the certificate |
lcmType | Enum | This is a mandatory parameter. AUTOMATIC, MANUAL |
certType | Enum | This is a mandatory parameter. OCCM, OTHER |
renewBefore | String | This is an optional parameter.
Number of days before the certificate expiry, when the certificate
will be renewed.
Default Value 14 Days Min: 1 days Max: [(validity i.e csr.days)-1] days |
certPurpose | String | This is an optional parameter. Purpose of certificate creation |
issuer | String | This is a mandatory parameter. Name of CA |
privateKey | Object | This is a mandatory parameter. Private key details like algorithm, key size and key encoding |
privateKey.keyAlgo | Enum | This is a mandatory parameter. Private key algorithm to be used.Supported values : RSA and EC |
privateKey.keySize | Enum | This is an optional parameter. The number of bits in the generated key. Need to select a bit length of at least 2048 when using RSA and 256 when using ECDSA. These are the smallest key sizes allowed for SSL certificates. Default Value for RSA Key: 2048 bits |
privateKey.keyEncoding | Enum | This is an optional parameter.
The output format of a private key input source. Default Value: PEM |
privateKey.ecCurve | Enum | This is an optional parameter.
The
EC curve to use if the key algorithm selected is EC.
Default Value: secp384r1 |
privateKey.keyFormat | String | This is a mandatory parameter. The output format of a private key input source. Default Value: PEM |
privateKey.privateKeyK8sSecretOut | Object | This is a mandatory parameter except in case of OCCM certificates, this field is optional since it is auto-populated from issuer Private key output location |
privateKey.privateKeyK8sSecretOut.namespace | String | This is a mandatory parameter except in case of OCCM certificates, this field is optional since it is auto-populated from issuer. Kubernetes namespace |
privateKey.privateKeyK8sSecretOut.name | String | This is a mandatory parameter except in case of OCCM certificates, this field is optional since it is auto-populated from issuer. Kubernetes secret name |
privateKey.privateKeyK8sSecretOut.key | String | This is a mandatory parameter except in case of OCCM certificates, this field is optional since it is auto-populated from issuer. Kubernetes secret key against which the key-pair will be stored. |
csr | Object | This is a mandatory parameter. Certificate Signing Request data |
csr.extendedKeyUsage | Object | This is a mandatory parameter. A multi-valued certificate extension containing a list of values indicating purposes for which the certificate public key can be used |
csr.extendedKeyUsage.critical | Boolean | This is an optional parameter.
When set to true, extended key usage extension will be marked as critical. |
csr.extendedKeyUsage.extendedKeyUsageValues | List<Enum> | This is a mandatory parameter.
List of extendedKeyUsage values |
csr.keyUsage | Object | This is a mandatory parameter. A multi-valued certificate extension containing a list of names of the permitted key usages. |
csr.keyUsage.critical | Boolean | This is an optional parameter.
When set to true, key usage extension will be marked as critical. |
csr.keyUsage.keyUsageValues | List<Enum> | This is a mandatory parameter.
List of keyUsage values |
csr.basicConstraints | Object | This is an optional parameter. This is a multi-valued extension which indicates whether a certificate is a CA certificate. The first value is CA followed by TRUE or FALSE |
csr.basicConstraints.critical | Boolean | This is an optional parameter.
When set to true, basicConstraints extension will be marked as critical. |
csr.basicConstraints.basicConstraintsValue |
Enum | This is an optional parameter. BasicConstraints value |
csr.subject | Object | This is an optional parameter except if csr.subjectAltName is not provided. Information about company |
csr.subject.country | String | This is an optional parameter. Country code where company is legally located. |
csr.subject.state | String | This is an optional parameter. State where company is legally located. |
csr.subject.location | String | This is an optional parameter. The city or town where company is legally located. |
csr.subject.organization | String | This is an optional parameter. Your company's legally registered name. |
csr.subject.organizationUnit | String | This is an optional parameter. Name of your department within the organization. |
csr.subject.commonName | String | This is an optional parameter.
The Common Name (AKA CN) represents the server name to be protected by the SSL certificate. The certificate is valid only if the request hostname matches the certificate common name. |
csr.days. | String | This is a mandatory parameter.
Requested validity for the certificate i.e. Number of days requested for which the certificate will be valid. Default Value :365 Days Max Value: 1065 Min Value: 2 Days |
csr.subjectAltName | Object | This is an optional parameter except if csr.subject is not provided. A multi-valued extension indicating all of the domain names, IP addresses, URIs etc that are secured by the certificate. |
csr.subjectAltName.critical | Boolean | This is an optional parameter. When set to true, subjectAltName extension will be marked as critical. |
csr.subjectAltName.ipAddress | List<String> | This is an optional parameter. List of IP addresses. |
csr.subjectAltName.dns | List<String> | This is an optional parameter. List of domain names |
csr.subjectAltName.uriIdUrn | List<String> | This is an optional parameter. List of URI ID (URN of the NFInstanceId) |
csr.subjectAltName.uriIdApiRoot | List<String> | This is an optional parameter. List of uniform resource locator IDs |
csr.certK8sSecretOut | Object | This is a mandatory parameter except in case of OCCM certificate, this field is optional since it is auto-populated from issuer. Certificate output location. |
csr.certK8sSecretOut.namespace | String | This is a mandatory parameter except in case of OCCM certificate, this field is optional since it is auto-populated from issuer. Kubernetes secret namespace |
csr.certK8sSecretOut.name | String | This is a mandatory parameter except in case of OCCM certificate, this field is optional since it is auto-populated from issuer. Kubernetes secret name |
csr.certK8sSecretOut.key | String | This is a mandatory parameter except in case of OCCM certificate, this field is optional since it is auto-populated from issuer. Kubernetes secret key against which the certificate will be stored. |
csr.certChainK8sSecretOut | Object | This is a mandatory parameter. Certificate Chain output location. |
csr.certChainK8sSecretOut.namespace | String | This is an optional parameter. Kubernetes secret namespace |
csr.certChainK8sSecretOut.name | String | This is a mandatory parameter. Kubernetes secret name |
csr.certChainK8sSecretOut.key | String | This is an optional parameter. Kubernetes secret key against which the certificate chain will be stored. |
nf | String | This is a mandatory parameter. NF name |
uuid | String | Unique id for logging and tracking purpose |
overrideSecret | boolean | This is an optional parameter. This flag is used to override the Kubernetes secret with the new certificate. By default it is false. |
caBundleK8sSecretIn | Object | This is an optional parameter. CA bundle secret input details. Used to trust peer entities. |
caBundleK8sSecretIn.namespace | String | This is an optional parameter. Kubernetes secret namespace |
caBundleK8sSecretIn.name | String | This is an optional parameter. Kubernetes secret name |
caBundleK8sSecretIn.key | String | This is an optional parameter. Kubernetes secret key against which CA bundle certificate(s) will be stored. |
Table 2-4 OCCM Certificate Response Codes
Response codes | Data type | Cardinality | Description |
---|---|---|---|
200 OK | Object (Certs) Or List(Certs) | 1 | This is a mandatory parameter. Object Certs Or List (CertConfig) matching criteria |
201 CREATED | Object (Certs) | 1 | This is a mandatory parameter. Object Certs |
202 Accepted | String | 1 | This is a mandatory parameter. Return uuid |
400 Bad request | Problem Details | 1 | This is a mandatory parameter. Input does not match to process request |
500 Internal Server Error | Problem Details | 1 | This is a mandatory parameter. Something went wrong |
409 Conflict | Problem Details | 1 | This is a mandatory parameter. Record already exists |
Note:
OCCM Certificates response body data model varies based on REST operation status.
OCCM Certificate JSON payload
{
"name": "",
"lcmType": "",
"certType": "",
"renewBefore": "",
"certPurpose": "",
"issuer": "",
"privateKey": {
"keyAlgo": "",
"keySize": "",
"keyEncoding": "",
"ecCurve":"",
"privateKeyK8sSecretOut": {
"namespace": "",
"name": "",
"key": ""
}
},
"csr": {
"extendedKeyUsage": {
"critical" : "",
"extendedKeyUsageValues" : []
},
"keyUsage": {
"critical" : "",
"keyUsageValues" : []
},
"basicConstraints": {
"critical" : true,
"basicConstraintsValue" : ""
},
"subject": {
"country": "",
"state": "",
"location": "",
"organization": "",
"organizationUnit": "",
"commonName": ""
},
"days": "",
"subjectAltName": {
"critical" : "",
"ipAddress": [],
"dns": [],
"uriIdUrn": [],
"uriIdApiRoot": []
},
"certK8sSecretOut": {
"namespace": "",
"name": "",
"key": ""
},
"certChainK8sSecretOut": {
"namespace": "",
"name": "",
"key": ""
}
},
"caBundleK8sSecretIn": {
"namespace": "",
"name": "",
"key": ""
},
"nf": "",
"overrideSecret": false
}
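The parameter table above states several cross-field rules (csr.days must lie between 2 and 1065, csr.subject and csr.subjectAltName cannot both be absent, the certificate output secret is mandatory unless the request is for the OCCM certificate, the chain output needs at least a secret name). The following added example, which is not OCCM product code, checks a payload against exactly those rules before it is sent, and describes the request with the CNC Console headers used by the curl commands in this section. The assumption that the OCCM certificate is marked by certType "OCCM", the host name occm.example and the placeholder token are mine; the sample payload is taken from the NRFTLS12 request body shown below.

```python
"""Offline check of an OCCM certificate-configuration payload.

Added example, not OCCM product code. It encodes only the rules stated in the
parameter table (mandatory fields, the csr.days range, the subject /
subjectAltName requirement, the secret output locations) so that a payload can
be validated before it is sent to POST /occm-config/v1/certs.
"""
import json

DAYS_MIN, DAYS_MAX = 2, 1065  # documented range for csr.days (default 365)

# Assumption: the "OCCM certificate" exception in the table is identified by
# certType == "OCCM"; the page's examples only show certType "OTHER".
OCCM_CERT_TYPE = "OCCM"

# Constructed sample, reduced from the NRFTLS12 request body in this section.
SAMPLE_CONFIG = {
    "name": "NRFTLS12", "lcmType": "AUTOMATIC", "certType": "OTHER",
    "renewBefore": "7", "certPurpose": "NRF SBI", "issuer": "CA21",
    "privateKey": {
        "keyAlgo": "RSA", "keySize": "KEYSIZE_2048", "keyEncoding": "PEM", "ecCurve": "",
        "privateKeyK8sSecretOut": {"namespace": "occm", "name": "nrf-tls-secret-54", "key": "nrf.pem"},
    },
    "csr": {
        "keyUsage": {"critical": True, "keyUsageValues": ["DIGITAL_SIGNATURE"]},
        "basicConstraints": {"critical": True, "basicConstraintsValue": "END_ENTITY"},
        "subject": {"country": "IN", "organization": "Oracle", "commonName": "some.example.com"},
        "days": "365",
        "subjectAltName": {"dns": ["centos8-2.example.com"], "ipAddress": ["10.10.10.13"]},
        "certK8sSecretOut": {"namespace": "occm", "name": "nrf-tls-secret-54", "key": "nrf.cer"},
        "certChainK8sSecretOut": {"namespace": "occm", "name": "nrf-tls-secret-54", "key": "nrfcertchain.cer"},
    },
    "caBundleK8sSecretIn": {"namespace": "occm", "name": "nrf-cabu", "key": "cabundle.cer"},
    "nf": "NRF",
    "overrideSecret": False,
}


def _secret_ref_errors(prefix, ref, required_keys):
    """Problems with a Kubernetes secret reference {namespace, name, key}."""
    if not isinstance(ref, dict):
        return [f"{prefix}: mandatory object"]
    return [f"{prefix}.{k}: mandatory" for k in required_keys if not ref.get(k)]


def validate_cert_config(cfg):
    """Return the list of rule violations; an empty list means the payload
    satisfies every rule the parameter table states."""
    errs = []
    if not cfg.get("nf"):
        errs.append("nf: mandatory")
    if "overrideSecret" in cfg and not isinstance(cfg["overrideSecret"], bool):
        errs.append("overrideSecret: must be a boolean")

    csr = cfg.get("csr")
    if not isinstance(csr, dict):
        return errs + ["csr: mandatory object"]

    # csr.days travels as a string of digits; enforce the documented range.
    days = csr.get("days")
    if days in (None, ""):
        errs.append("csr.days: mandatory")
    elif not (isinstance(days, str) and days.isdigit() and DAYS_MIN <= int(days) <= DAYS_MAX):
        errs.append(f"csr.days: must be a whole number of days from {DAYS_MIN} to {DAYS_MAX}")

    # subject is optional only when subjectAltName is given, and vice versa.
    if not csr.get("subject") and not csr.get("subjectAltName"):
        errs.append("csr.subject or csr.subjectAltName: at least one is required")

    # Certificate output is mandatory except for the OCCM certificate, where
    # OCCM fills it in from the issuer.
    if cfg.get("certType") != OCCM_CERT_TYPE:
        errs += _secret_ref_errors("csr.certK8sSecretOut", csr.get("certK8sSecretOut"),
                                   ("namespace", "name", "key"))
    # The chain output object and its secret name are mandatory; namespace and
    # key are optional.
    errs += _secret_ref_errors("csr.certChainK8sSecretOut",
                               csr.get("certChainK8sSecretOut"), ("name",))
    return errs


def build_request(host, port, token, method, path, body=None,
                  cncc_id="Cluster1", cncc_instance_id="Cluster1-OCCM-instance1"):
    """Describe (without sending) the HTTP request the curl commands in this
    section issue: method, URL, the CNC Console headers and a JSON body."""
    headers = {
        "Oc-Cncc-Id": cncc_id,
        "Oc-Cncc-Instance-Id": cncc_instance_id,
        "Authorization": f"Bearer {token}",
    }
    data = None
    if body is not None:
        headers["Content-Type"] = "application/json"
        data = json.dumps(body).encode()
    return {"method": method, "url": f"http://{host}:{port}{path}", "headers": headers, "body": data}


if __name__ == "__main__":
    problems = validate_cert_config(SAMPLE_CONFIG)
    if problems:
        raise SystemExit("\n".join(problems))
    # occm.example and <token> are placeholders, not values from this page.
    req = build_request("occm.example", 30777, "<token>", "POST", "/occm-config/v1/certs", SAMPLE_CONFIG)
    print(req["method"], req["url"], len(req["body"]), "bytes")
```

Running the validator before the POST turns a 400 Bad Request from OCCM into a local message naming the offending field; `build_request` returns a plain description so the same headers can be handed to whichever HTTP client is in use.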
2.2.1 Fetch all Certificate Configurations
OCCM uses the GET operation to fetch all the certificate configurations.
Resource URI: /occm-config/v1/certs
Data structures supported by the GET Response Body on this resource
Response codes | Data type | Cardinality | Description |
---|---|---|---|
200 OK | Object (CertConfig) Or List(CertConfig) | 1 | This is a mandatory parameter. List (CertConfig) matching criteria |
500 Internal Server Error | Problem Details | 1 | This is a mandatory parameter. Something went wrong |
$ curl --location --request GET 'http://{host}:{port}/occm-config/v1/certs' \
--header 'Oc-Cncc-Id: Cluster1' \
--header 'Oc-Cncc-Instance-Id: Cluster1-OCCM-instance1' \
--header 'Authorization: Bearer eyJhbGciOiJSU.…...'
200 OK Response Body: '[
{
"uuid": "b4d896ac-689d-4e12-a76c-54c8de4ffe52",
"name": "NRFTLS12",
"lcmType": "AUTOMATIC",
"certType": "OTHER",
"renewBefore": "7",
"certPurpose": "NRF SBI",
"issuer": "CA21",
"privateKey": {
"keyAlgo": "RSA",
"keySize": "KEYSIZE_2048",
"keyEncoding": "PEM",
"ecCurve":"",
"privateKeyK8sSecretOut": {
"namespace": "occm",
"name": "nrf-tls-secret-54",
"key": "nrf.pem"
}
},
"csr": {
"extendedKeyUsage": {
"critical" : false,
"extendedKeyUsageValues" : [
"CLIENT_AUTH",
"SERVER_AUTH"
]
},
"keyUsage": {
"critical" : true,
"keyUsageValues" : [
"DIGITAL_SIGNATURE"
]
},
"basicConstraints": {
"critical" : true,
"basicConstraintsValue" : "END_ENTITY"
},
"subject": {
"country": "IN",
"state": "Karnataka",
"location": "Bengaluru",
"organization": "Oracle",
"organizationUnit": "OracleBU",
"commonName": "some.example.com"
},
"days": "365",
"subjectAltName": {
"critical" : null,
"ipAddress": [
"10.10.10.13",
"10.10.10.14"
],
"dns": [
"centos8-2.example.com",
"centos8-3.example.com"
],
"uriIdUrn": [
"urn:uuid:f81d4fae-7dec-11d0-a765-00a0c91e6bf6"
],
"uriIdApiRoot": [
]
},
"certK8sSecretOut": {
"namespace": "occm",
"name": "nrf-tls-secret-54",
"key": "nrf.cer"
},
"certChainK8sSecretOut": {
"namespace": "occm",
"name": "nrf-tls-secret-54",
"key": "nrfcertchain.cer"
}
},
"caBundleK8sSecretIn": {
"namespace": "occm",
"name": "nrf-cabu",
"key": "cabundle.cer"
},
"nf": "NRF",
"overrideSecret": false
} ]'
2.2.2 Fetch Certificate Configurations by UUID
OCCM uses the GET operation to fetch the certificate configuration details by UUID.
Resource URI: /occm-config/v1/certs/{uuid}
Data structures supported by the GET Response Body on this resource
Response codes | Data type | Cardinality | Description |
---|---|---|---|
404 Not Found | Problem Details | 1 | This is a mandatory parameter. Input does not match to process request |
200 OK | Object (Certs) | 1 | This is a mandatory parameter. Object (CertConfig) matching criteria |
500 Internal Server Error | Problem Details | 1 | This is a mandatory parameter. Something went wrong |
400 Bad Request | Problem Details | 1 | This is a mandatory parameter. Wrong input |
$ curl --location --request GET 'http://{host}:{port}/occm-config/v1/certs/b4d896ac-689d-4e12-a76c-54c8de4ffe52' \
--header 'Oc-Cncc-Id: Cluster1' \
--header 'Oc-Cncc-Instance-Id: Cluster1-OCCM-instance1' \
--header 'Authorization: Bearer eyJhbGciOiJSU....'
200 OK Response Body: '{
"uuid": "b4d896ac-689d-4e12-a76c-54c8de4ffe52",
"name": "NRFTLS12",
"lcmType": "AUTOMATIC",
"certType": "OTHER",
"renewBefore": "7",
"certPurpose": "NRF SBI",
"issuer": "CA21",
"privateKey": {
"keyAlgo": "RSA",
"keySize": "KEYSIZE_2048",
"keyEncoding": "PEM",
"ecCurve":"",
"privateKeyK8sSecretOut": {
"namespace": "occm",
"name": "nrf-tls-secret-54",
"key": "nrf.pem"
}
},
"csr": {
"extendedKeyUsage": {
"critical" : false,
"extendedKeyUsageValues" : [
"CLIENT_AUTH",
"SERVER_AUTH"
]
},
"keyUsage": {
"critical" : true,
"keyUsageValues" : [
"DIGITAL_SIGNATURE"
]
},
"basicConstraints": {
"critical" : true,
"basicConstraintsValue" : "END_ENTITY"
},
"subject": {
"country": "IN",
"state": "Karnataka",
"location": "Bengaluru",
"organization": "Oracle",
"organizationUnit": "OracleBU",
"commonName": "some.example.com"
},
"days": "365",
"subjectAltName": {
"critical" : null,
"ipAddress": [
"10.10.10.13",
"10.10.10.14"
],
"dns": [
"centos8-2.example.com",
"centos8-3.example.com"
],
"uriIdUrn": [
"urn:uuid:f81d4fae-7dec-11d0-a765-00a0c91e6bf6"
],
"uriIdApiRoot": [
]
},
"certK8sSecretOut": {
"namespace": "occm",
"name": "nrf-tls-secret-54",
"key": "nrf.cer"
},
"certChainK8sSecretOut": {
"namespace": "occm",
"name": "nrf-tls-secret-54",
"key": "nrfcertchain.cer"
}
},
"caBundleK8sSecretIn": {
"namespace": "occm",
"name": "nrf-cabu",
"key": "cabundle.cer"
},
"nf": "NRF",
"overrideSecret": false
}'
2.2.3 Add Certificate Configurations
OCCM uses the POST operation to add the certificate configuration using the Request Body.
Resource URI: /occm-config/v1/certs
Data structures supported by the POST Response Body on this resource
Response codes | Data type | Cardinality | Description |
---|---|---|---|
202 Accepted | String | 1 | This is a mandatory parameter. Unique identification of certs |
400 BAD REQUEST | Problem Details | 1 | This is a mandatory parameter. Returns Problem Details structure as defined in 3GPP TS 29.571 section 5.2.4.1 |
409 CONFLICT | Problem Details | 1 | This is a mandatory parameter. Record already exists |
$ curl --location --request POST 'http://{host}:{port}/occm-config/v1/certs' \
--header 'Oc-Cncc-Id: Cluster1' \
--header 'Oc-Cncc-Instance-Id: Cluster1-OCCM-instance1' \
--header 'Authorization: Bearer eyJhbGciOiJSUzI1Ni.….…..' \
--header 'Content-Type: application/json' \
--data-raw '{
"name": "NRFTLS12",
"lcmType": "AUTOMATIC",
"certType": "OTHER",
"renewBefore": "7",
"certPurpose": "NRF SBI",
"issuer": "CA21",
"privateKey": {
"keyAlgo": "RSA",
"keySize": "KEYSIZE_2048",
"keyEncoding": "PEM",
"ecCurve":"",
"privateKeyK8sSecretOut": {
"namespace": "occm",
"name": "nrf-tls-secret-54",
"key": "nrf.pem"
}
},
"csr": {
"extendedKeyUsage": {
"critical" : false,
"extendedKeyUsageValues" : [
"CLIENT_AUTH",
"SERVER_AUTH"
]
},
"keyUsage": {
"critical" : true,
"keyUsageValues" : [
"DIGITAL_SIGNATURE"
]
},
"basicConstraints": {
"critical" : true,
"basicConstraintsValue" : "END_ENTITY"
},
"subject": {
"country": "IN",
"state": "Karnataka",
"location": "Bengaluru",
"organization": "Oracle",
"organizationUnit": "OracleBU",
"commonName": "some.example.com"
},
"days": "365",
"subjectAltName": {
"critical" : null,
"ipAddress": [
"10.10.10.13",
"10.10.10.14"
],
"dns": [
"centos8-2.example.com",
"centos8-3.example.com"
],
"uriIdUrn": [
"urn:uuid:f81d4fae-7dec-11d0-a765-00a0c91e6bf6"
],
"uriIdApiRoot": [
]
},
"certK8sSecretOut": {
"namespace": "occm",
"name": "nrf-tls-secret-54",
"key": "nrf.cer"
},
"certChainK8sSecretOut": {
"namespace": "occm",
"name": "nrf-tls-secret-54",
"key": "nrfcertchain.cer"
}
},
"caBundleK8sSecretIn": {
"namespace": "occm",
"name": "nrf-cabu",
"key": "cabundle.cer"
},
"nf": "NRF",
"overrideSecret": false
}'
202 Accepted Response Body: '{
"uuid": "b4d896ac-689d-4e12-a76c-54c8de4ffe52",
"name": "NRFTLS12",
"lcmType": "AUTOMATIC",
"certType": "OTHER",
"renewBefore": "7",
"certPurpose": "NRF SBI",
"issuer": "CA21",
"privateKey": {
"keyAlgo": "RSA",
"keySize": "KEYSIZE_2048",
"keyEncoding": "PEM",
"ecCurve":"",
"privateKeyK8sSecretOut": {
"namespace": "occm",
"name": "nrf-tls-secret-54",
"key": "nrf.pem"
}
},
"csr": {
"extendedKeyUsage": {
"critical" : false,
"extendedKeyUsageValues" : [
"CLIENT_AUTH",
"SERVER_AUTH"
]
},
"keyUsage": {
"critical" : true,
"keyUsageValues" : [
"DIGITAL_SIGNATURE"
]
},
"basicConstraints": {
"critical" : true,
"basicConstraintsValue" : "END_ENTITY"
},
"subject": {
"country": "IN",
"state": "Karnataka",
"location": "Bengaluru",
"organization": "Oracle",
"organizationUnit": "OracleBU",
"commonName": "some.example.com"
},
"days": "365",
"subjectAltName": {
"critical" : null,
"ipAddress": [
"10.10.10.13",
"10.10.10.14"
],
"dns": [
"centos8-2.example.com",
"centos8-3.example.com"
],
"uriIdUrn": [
"urn:uuid:f81d4fae-7dec-11d0-a765-00a0c91e6bf6"
],
"uriIdApiRoot": [
]
},
"certK8sSecretOut": {
"namespace": "occm",
"name": "nrf-tls-secret-54",
"key": "nrf.cer"
},
"certChainK8sSecretOut": {
"namespace": "occm",
"name": "nrf-tls-secret-54",
"key": "nrfcertchain.cer"
}
},
"caBundleK8sSecretIn": {
"namespace": "occm",
"name": "nrf-cabu",
"key": "cabundle.cer"
},
"nf": "NRF",
"overrideSecret": false
}'
2.2.4 Delete Certificate Configuration Data
OCCM uses the DELETE operation to delete the certificate configuration data based on query parameters.
Resource URI: /occm-config/v1/certs/{uuid}
Data structures supported by the DELETE Response Body on this resource
Response codes | Data type | Cardinality | Description |
---|---|---|---|
200 OK | Cert | 1 | This is a mandatory parameter. Certificate configuration data |
400 Bad Request | Problem Details | 1 | This is a mandatory parameter. Input does not match to process request |
$ curl --location --request DELETE 'http://{host}:{port}/occm-config/v1/certs/b4d896ac-689d-4e12-a76c-54c8de4ffe52' \
--header 'Oc-Cncc-Id: Cluster1' \
--header 'Oc-Cncc-Instance-Id: Cluster1-OCCM-instance1' \
--header 'Authorization: Bearer eyJhbGciOiJSUzI1Ni.…'
200 OK Response Body: '{
"uuid": "b4d896ac-689d-4e12-a76c-54c8de4ffe52",
"name": "NRFTLS12",
"lcmType": "AUTOMATIC",
"certType": "OTHER",
"renewBefore": "7",
"certPurpose": "NRF SBI",
"issuer": "CA21",
"privateKey": {
"keyAlgo": "RSA",
"keySize": "KEYSIZE_2048",
"keyEncoding": "PEM",
"ecCurve":"",
"privateKeyK8sSecretOut": {
"namespace": "occm",
"name": "nrf-tls-secret-54",
"key": "nrf.pem"
}
},
"csr": {
"extendedKeyUsage": {
"critical" : false,
"extendedKeyUsageValues" : [
"CLIENT_AUTH",
"SERVER_AUTH"
]
},
"keyUsage": {
"critical" : true,
"keyUsageValues" : [
"DIGITAL_SIGNATURE"
]
},
"basicConstraints": {
"critical" : true,
"basicConstraintsValue" : "END_ENTITY"
},
"subject": {
"country": "IN",
"state": "Karnataka",
"location": "Bengaluru",
"organization": "Oracle",
"organizationUnit": "OracleBU",
"commonName": "some.example.com"
},
"days": "365",
"subjectAltName": {
"critical" : null,
"ipAddress": [
"10.10.10.13",
"10.10.10.14"
],
"dns": [
"centos8-2.example.com",
"centos8-3.example.com"
],
"uriIdUrn": [
"urn:uuid:f81d4fae-7dec-11d0-a765-00a0c91e6bf6"
],
"uriIdApiRoot": [
]
},
"certK8sSecretOut": {
"namespace": "occm",
"name": "nrf-tls-secret-54",
"key": "nrf.cer"
},
"certChainK8sSecretOut": {
"namespace": "occm",
"name": "nrf-tls-secret-54",
"key": "nrfcertchain.cer"
}
},
"caBundleK8sSecretIn": {
"namespace": "occm",
"name": "nrf-cabu",
"key": "cabundle.cer"
},
"nf": "NRF",
"overrideSecret": false
}'
2.3 OCCM Logging Resource
2.3.1 Fetch Logging Configuration for a Service
OCCM uses the GET operation to fetch the logging configuration for a service.
Resource URI: /occm-config/v1/occm/logging
curl --location --request GET 'http://10.121.30.39:30777/occm-config/v1/occm/logging' \
--header 'oc-cncc-id: Cluster1' \
--header 'oc-cncc-instance-id: Cluster1-occm-instance1' \
--header 'Authorization: Bearer eyJhbGciOiJSUzI1NiI...' \
--data-raw ''
{"appLogLevel":"INFO","packageLogLevel":[{"packageName":"root","logLevelForPackage":"ERROR"},{"packageName":"org.springframework","logLevelForPackage":"WARN"}]}
2.3.2 Fetch Logging Configurations for All Services
OCCM uses the GET operation to fetch logging configurations for all services.
Resource URI: /occm-config/v1/all/logging
curl --location --request GET 'http://{host}:{port}/occm-config/v1/all/logging' \
--header 'oc-cncc-id: Cluster1' \
--header 'oc-cncc-instance-id: Cluster1-occm-instance1' \
--header 'Authorization: Bearer eyJhbGciOiJSUzI1NiIsInR5cCIgOiAi...'
[
{
"occm": "{\"appLogLevel\":\"INFO\",\"packageLogLevel\":[{\"packageName\":\"root\",\"logLevelForPackage\":\"ERROR\"},{\"packageName\":\"org.springframework\",\"logLevelForPackage\":\"WARN\"}]}"
}
]
2.3.3 Update Logging Configurations for a Service
OCCM uses the PUT operation to update logging configurations for a service.
Resource URI: /occm-config/v1/occm/logging
curl --location --request PUT 'http://{host}:{port}/occm-config/v1/occm/logging' \
--header 'oc-cncc-id: Cluster1' \
--header 'oc-cncc-instance-id: Cluster1-occm-instance1' \
--header 'Authorization: Bearer eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiS...' \
--header 'Content-Type: application/json' \
--data-raw '{
"appLogLevel": "DEBUG",
"packageLogLevel": [
{
"packageName": "root",
"logLevelForPackage": "ERROR"
},
{
"packageName": "org.springframework",
"logLevelForPackage": "WARN"
}
]
}'
201 Created
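In the all-services response of section 2.3.2, each service's logging configuration is carried as a JSON string inside the outer JSON array, so it has to be decoded a second time before appLogLevel or packageLogLevel can be read; the PUT in section 2.3.3 then expects the plain (single-encoded) object. The following added example, which is not OCCM product code, decodes that response and derives the PUT body for one changed package level. The sample response is copied from section 2.3.2; the set of accepted log levels is my assumption (the page shows INFO, WARN, ERROR and DEBUG).

```python
"""Decode the all-services logging response and prepare a PUT body.

Added example, not OCCM product code. In the GET /occm-config/v1/all/logging
response, each service's configuration is a JSON *string* inside the JSON
array, so it must be decoded a second time before it can be read or edited.
"""
import json

# Constructed sample: the all-services response from section 2.3.2.
ALL_LOGGING_RESPONSE = r'''[
  {
    "occm": "{\"appLogLevel\":\"INFO\",\"packageLogLevel\":[{\"packageName\":\"root\",\"logLevelForPackage\":\"ERROR\"},{\"packageName\":\"org.springframework\",\"logLevelForPackage\":\"WARN\"}]}"
  }
]'''

# Assumption: the usual level names; the page itself shows INFO, WARN, ERROR, DEBUG.
LOG_LEVELS = ("TRACE", "DEBUG", "INFO", "WARN", "ERROR")


def decode_all_logging(text):
    """Map service name -> decoded logging configuration object."""
    services = {}
    for entry in json.loads(text):
        for service, cfg in entry.items():
            # The inner value is JSON encoded as a string; tolerate an already
            # decoded object in case a later version drops the double encoding.
            services[service] = json.loads(cfg) if isinstance(cfg, str) else cfg
    return services


def with_package_level(cfg, package, level):
    """Return a new body for PUT /occm-config/v1/occm/logging with `package`
    set to `level`; other entries and the input object are left untouched."""
    if level not in LOG_LEVELS:
        raise ValueError(f"unknown log level {level!r}; expected one of {LOG_LEVELS}")
    entries = [dict(e) for e in cfg.get("packageLogLevel", [])]
    for e in entries:
        if e.get("packageName") == package:
            e["logLevelForPackage"] = level
            break
    else:
        entries.append({"packageName": package, "logLevelForPackage": level})
    return {"appLogLevel": cfg["appLogLevel"], "packageLogLevel": entries}


if __name__ == "__main__":
    occm = decode_all_logging(ALL_LOGGING_RESPONSE)["occm"]
    body = with_package_level(occm, "org.springframework", "DEBUG")
    # This is the single-encoded object the PUT in section 2.3.3 takes.
    print(json.dumps(body, indent=2))
```

Sending the double-encoded string back unchanged is the usual mistake here; the PUT body must be the decoded object, as in the curl command of section 2.3.3.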