2 CNC Console Features

This section describes the features supported by CNC Console.

2.1 Support for Network Functions

CNC Console GUI provides a user interface to configure and manage the following Network Functions (NFs):

Oracle Communications Cloud Native Core, Binding Support Function (BSF)

BSF provides the following functions:
  • Allows PCF users to register, update, and remove the binding information.
  • Allows NF consumers to retrieve the binding information.
CNC Console provides an interface to configure global and service parameters in BSF.

For more information about configuring parameters, see the Configuring BSF Using CNC Console section in Oracle Communications Cloud Native Core, Binding Support Function User Guide.

Note:

The performance and capacity of the CNC Console system may vary based on the call model, feature or interface configuration, and the underlying CNE and hardware environment.

Oracle Communications Network Analytics Data Director (OCNADD)

OCNADD is a Network Data Broker (NDB) in the 5G core network. It receives the network traffic data from various sources such as 5G NFs, Non-5G nodes, and third-party producers, and sends the filtered and consolidated data securely to the subscribed consumers, which are third party consumer applications or platforms.

Data collection is a complex task in a 5G Service Based Architecture (SBA). The data is collected to provide meaningful insights to the customers. The OCNADD can filter, replicate, aggregate data, and route these data feeds to third party consumers who have subscribed to the feeds. OCNADD ensures data security, low latency, and redundancy while collecting and processing the data feeds. The OCNADD enables the Communications Service Providers (CSP) to correlate and transform the acquired data as per their data feed configuration to create comprehensive dashboards and Key Performance Indicators (KPIs). This enables them to achieve meaningful insights about all functions in the 5G network. This information can be used for monetizing, providing good quality service for the user, reducing downtime, ensuring easy network scalability, and minimizing losses. The OCNADD generated data feed can be beneficial for monitoring and troubleshooting during a network failure. OCNADD is a crucial function that aids in creating self-healing networks.

Oracle Communications Cloud Native Core, Network Repository Function (NRF)

NRF provides the following functions:

  • Maintains the profiles of the available NF instances and their supported services in the 5G core network.
  • Allows consumer NF instances to discover producer NF instances in the 5G core network.
  • Allows NF instances to track the status of other NF instances.
  • Provides OAuth2 based Access Token service for consumer NF authorization.
  • Provides specific NF Type selection based on subscriber identity.
  • Supports forwarding of messages from one NRF to another NRF.
  • Supports georedundancy to ensure service availability.

The NRF interacts with every other NF in the 5G core network and it supports the above functions through the following services:

  • Management Service
  • Discovery Service
  • Access Token Service

CNC Console provides an interface to configure global and service parameters in NRF.

For more information about configuring parameters, see the Configuring NRF Using CNC Console section in Oracle Communications Cloud Native Core, Network Repository Function User Guide.

Oracle Communications Cloud Native Core, Network Slice Selection Function (NSSF)

Network slices allow operators to offer customized networks with different functionality (such as mobility) and performance characteristics (such as latency, availability, and reliability). Slices differ in the features they support and in their NF optimizations, so they carry different S-NSSAIs with different Slice/Service Types (SSTs). An operator can also deploy several instances of a slice that deliver the same features to different groups of User Equipment (UEs), for example because each instance is dedicated to one customer with its own committed service; such slices carry S-NSSAIs with the same SST but different Slice Differentiators (SDs). NSSF determines which slice, and which NFs within it, serve a given UE.

NSSF is a functional element that supports the following functionalities:
  • NSSF enables the Access and Mobility Management Function (AMF) to perform initial registration and Protocol Data Unit (PDU) session establishment.
  • During UE initial registration and PDU session establishment, the AMF can retrieve the NRF, the NSI ID, and the target AMFs from NSSF.
  • NSSF allows an NF service consumer (AMF) to update the S-NSSAIs that the AMF supports and notifies it of any change in their status.
  • NSSF selects the Network Slice Instance (NSI) and determines the allowed Network Slice Selection Assistance Information (NSSAI) and the AMF to serve the UE.
  • NSSF interacts with NRF to retrieve the specific NF services to be used for the registration request.

NSSF provides the following information when queried by the AMF:

  • Allowed NSSAIs
  • Configured NSSAIs
  • Restricted NSSAIs
  • Candidate AMF List (in case of registration)
  • Network Slice instance ID (for PDU session establishment)
  • Slice-level NRF information (for PDU Connectivity)

NSSF supports the above functions through the following NSSF services:

  • NS Selection service (Nnssf_NSSelection): This service is used by an NF service consumer (AMF) to retrieve network slice information. It enables network slice selection in the serving PLMN and, for roaming UEs, in the Home Public Land Mobile Network (HPLMN).
  • NS Availability service (Nnssf_NSAvailability): This service stores and maintains the list of supported S-NSSAIs per Tracking Area (TA). It allows the NF service consumer (AMF) to update this data, subscribe to it, and receive notifications when supported S-NSSAIs are added or deleted.

Oracle Communications Networks Data Analytics Function (NWDAF)

The NWDAF enables the operator to collect and analyze the data in the network through an analytics function. The 5G technology requires prescriptive analytics to drive closed-loop automation and self-healing networks. In a 5G network, the consumers of data are 5G NFs, Application Functions (AFs), and Operations, Administration, and Maintenance (OAM) and the data producers are NFs. The NWDAF supports the following functions:

  • NWDAF collects data from the Access and Mobility Management Function (AMF), Session Management Function (SMF), and Network Repository Function (NRF) in the network. The data is collected directly from the NFs or through the Network Exposure Function (NEF).
  • NWDAF provides analytics information to consumers such as NFs, AFs, and OAM.

A 5G network contains a vast number of devices and sensors generating an enormous amount of data. The NWDAF function allows the Communications Service Providers (CSPs) to efficiently monitor, manage, automate, and optimize their network operations by the data collected and analytics generated across the network. The NWDAF also helps the CSPs in achieving the operational efficiency and provides an enhanced service experience.

The analytics information provided by the NWDAF is either statistical information based on past events or predictive information. This analytics information is used to balance the resources in the network. The NWDAF can predict the User Equipment (UE) location and detect when a UE is in an abnormal location. Based on the collected analytics information, the CSPs can roll out new services or modify existing services without waiting for a maintenance window, which significantly reduces the chance of network downtime.

An NWDAF consumer can request analytics information for different analytics events as a one-time request. Alternatively, consumers can subscribe to (and unsubscribe from) specific analytics information and be notified periodically or whenever a defined event (for example, a breached threshold) is detected.

The NRF discovers the NWDAF instances for the NF consumers in the network. The NWDAF information can also be locally configured on the NF consumers. The NWDAF selection function in the consumer NF selects an NWDAF instance among available NWDAF instances. Different NWDAF instances present in the 5G network can be configured to provide a specific type of analytics information. This information about the NWDAF instance is described in the NWDAF profile stored in the NRF. The consumer NFs that need specific analytics types query the NRF and include the Analytics ID based on the required data.

Oracle Communications Cloud Native Core, Converged Policy (Policy)

Policy is an NF for policy control decisions and flow-based charging control. It provides the following functions:
  • Policy rules for application and service data flow detection, gating, QoS, and flow based charging to the Session Management Function (SMF).
  • Access and Mobility Management related policies to the Access and Mobility Management Function (AMF).
  • UE Route Selection Policy (URSP) rules to the User Equipment (UE) through the AMF.
  • Access to subscription information relevant for policy decisions in a Unified Data Repository (UDR).
  • Network control for service data flow detection, gating, and Quality of Service (QoS).
  • Flow based charging towards the Policy and Charging Enforcement Function (PCEF).
  • Receiving session and media related information from Application Function (AF) and informing AF of traffic plane events.
  • Provision of Policy and Charging Control (PCC) Rules to Policy and Charging Enforcement Function (PCEF) through the Gx reference point.
Policy supports the above functions through the following services:
  • Session Management Service
  • Access and Mobility Service
  • Policy Authorization Service
  • User Equipment (UE) Policy Service
  • PCRF Core Service

CNC Console provides an interface to configure policies and manageable objects in Policy.

For more information about configuring parameters, see the Configuring CNC Policy Using CNC Console section in Oracle Communications Cloud Native Core, Policy User Guide.

Provisioning Gateway (PROVGW)

Oracle Provisioning Gateway (PROVGW) for Subscriber Location Function (SLF) is implemented as a cloud native function. It supports:

  • HTTP/1.1 over TLS.
  • Custom entities or fields in UDR mode over the SOAP/XML interface.
  • Conversion of requests as defined in the SEC.yaml configuration for the SOAP/XML interface in UDR mode.
  • Auditor functionality in SLF mode.
  • OAM interface and configuration APIs to configure Ingress Gateway, Egress Gateway, and the other Provisioning Gateway microservices.

It has two modes, which are as follows:

  • SLF mode: This mode applies when Provisioning Gateway is deployed with UDR for the SLF use case. You can configure Provisioning Gateway to connect to multiple SLF segments, where each segment has two SLFs. This mode offers an HTTP/2 based secured REST/JSON interface (through the Ingress Gateway API) for SLF data provisioning. It relays the request received from the provisioning client (for example, MTAS) to multiple 5G UDR or SLF segments. The responses received from each UDR or SLF segment are consolidated, and the final response is sent to the provisioning system.

    You can deploy multiple Provisioning Gateways in the same segment or across multiple segments; each instance is stateless and does not interact with the others. If one Provisioning Gateway instance goes down, MTAS can use a second instance to continue provisioning SLF data on UDR.

  • UDR mode: This mode is applicable when deployed with UDR for converged policy database solution. In this mode, Provisioning Gateway supports SOAP/XML interface, which is similar to 4G UDR.

Oracle Communications Cloud Native Core, Service Communication Proxy (SCP)

SCP provides the following functionalities to other 5G Network Functions (NFs):

  • Routing/Selection: Applies routing rules, refreshes the cache, and handles application failures and redirects.
    • Dynamic Discovery: The 5G topology is learned from the Network Repository Function (NRF) and routing rules are created from it.
    • Static Configuration: Enables NF Profile configuration.
  • Load Balancing: Load balancing based on static capacity, NF Type, NF-specific attributes, and NF Priority as specified in the NF Profile.
  • NF Subscription: Subscription for all NF types.
  • Circuit Breaking: Initiated on a per-FQDN basis when outstanding transactions exceed a configurable value.
  • Message Priority: Message priority assignment and override based on the 3gpp-Sbi-Message-Priority header.
  • Congestion and Overload: Applies a uniform load-balancing and routing strategy across the network and protects the pod from overload of system resources.

CNC Console provides an interface to configure the SCP features.

For more information about configuring parameters, see the Configuring SCP Using CNC Console section in Oracle Communications Cloud Native Core, Service Communication Proxy User Guide.

Oracle Communications Cloud Native Core, Security Edge Protection Proxy (SEPP)

SEPP supports the following functionalities:

  • Protects application-layer control-plane messages and sensitive data exchanged between NFs in different PLMNs over the N32 interface. N32 is used between the SEPPs of a VPLMN and an HPLMN in roaming scenarios. 3GPP specifies N32 as two separate interfaces, N32-c and N32-f:
    • N32-c is the control plane interface between the SEPPs for performing the initial handshake and negotiating the parameters to be applied for the actual N32 message forwarding.
    • N32-f is the forwarding interface between the SEPPs, that is used for forwarding the communication between the Network Function (NF) service consumer and the NF service producer after applying the application level security protection.
  • Provides secure communication of Inter PLMN messages from Consumer NF to Producer NF using TLS protection mode (HTTP over TLS).
  • Supports configuration of roaming partner profiles using REST API.
  • Performs mutual authentication and negotiation of cipher suites with the SEPP in the roaming partner’s network.
  • Handles key management aspects that involve setting up the required cryptographic keys needed for securing messages on the N32 interface between two SEPPs.
  • Provides a single point of access and control to internal NFs.
  • Validates inbound traffic as to whether it is from an authorized external PLMN.
  • Supports cross-layer validation of source and destination addresses and identifiers to provide anti-spoofing capabilities.

CNC Console provides an interface to configure different services in SEPP.

For more information about configuring parameters, see the Configuring SEPP Using CNC Console section in Oracle Communications Cloud Native Core, Security Edge Protection Proxy User Guide.

Oracle Communications Cloud Native Core, Unified Data Repository (UDR)

Oracle's 5G UDR:
  • Leverages the common Oracle Communications Cloud Native Framework.
  • Is compliant with 3GPP TS 29.505 Release 15 specifications for UDM.
  • Is compliant with 3GPP TS 29.519 Release 16 specifications for PCF (backward compatible with Release 15).
  • Has a tiered architecture that separates the connectivity, business logic, and data layers.
  • Uses Oracle MySQL NDB Cluster CGE Edition as the backend database in the data tier.
  • Registers with NRF in the 5G network so that other NFs can discover UDR through NRF.
  • Registers services such as DR-SERVICE and GROUP-ID-MAP with NRF.

CNC Console provides an interface to configure global and service parameters in UDR.

For more information about configuring parameters, see the Configuring UDR Using CNC Console section in Oracle Communications Cloud Native Core, Unified Data Repository User Guide.

Oracle Communications Cloud Native Core, Certificate Management (OCCM)

Oracle Communications Cloud Native Core, Certificate Management (OCCM) is an automated solution for managing the certificates needed by Oracle 5G Network Functions (NFs). OCCM continuously monitors the certificates and renews them based on their validity or expiry period.

3GPP recommends separate certificates per role (client or server) and per type of workflow, so SBA deployments accumulate many certificates: each NF must hold multiple operator certificates for different purposes and interfaces, which adds up to hundreds of certificates in the network with varying validity periods. Monitoring and renewing them manually is error-prone, and a single expired certificate can disrupt the network. Automating certificate management therefore becomes important to avoid such disruptions.

OCCM integrates with Certificate Authorities using the Certificate Management Protocol version 2 (CMPv2, RFC 4210) to provide the following certificate management operations:

  • Operator-initiated certificate creation
  • Operator-initiated certificate recreation
  • Automatic certificate monitoring and renewal

CNC Console provides an interface to configure different services in OCCM. For more information, see OCCM Supported Features in the Oracle Communications Cloud Native Core, Certificate Management User Guide.

Oracle Communications Cloud Native Core, Network Exposure Function (NEF)

Oracle Communications Cloud Native Core, Network Exposure Function (NEF) is a key component of the 5G Service Based Architecture. It provides a platform to securely expose the network services and capabilities offered by the 5G Network Functions (NFs) to either third-party applications or the internal Application Functions (AFs). Located between the 5G core network and third-party applications or AFs, NEF enables the external application administrators to customize the network for providing innovative services to their end-users. The applications communicate through NEF to access the internal data of the 5G core network.

NEF performs the following functions:

  • Facilitates robust and secure exposure of network services, such as voice, data connectivity, charging, subscriber data, IoT, and so on to trusted third-party applications or AFs.
  • Provides programmable environment access of 5G network to both internal and external application administrators through a set of northbound RESTful APIs.
  • Enables AF to securely provide information to 3GPP network to authenticate, authorize, and assist in throttling the AF.
  • Translates the information received from the AF to the internal 3GPP NFs, and vice versa.
  • Provides support to expose information collected from other 3GPP NFs to the AF.
  • Monitors User Equipment (UEs) related events present in the 5G system and makes the event information available for external exposure. For example, monitoring of user location and services.

CNC Console provides an interface to configure different services in NEF. For more information, see Oracle Communications Cloud Native Core, Network Exposure Function User Guide.

Managing CNC Console Support for NF GUI

Observe

For information on Metrics and KPIs, see CNC Console Metrics, and CNC Console KPIs sections.

Maintain

If you encounter alerts at system or application levels, see CNC Console Alerts section for resolution steps.

In case the alert still persists, perform the following:
  1. Collect the logs: For more information on how to collect logs, see CNC Console Logs.
  2. Raise a service request: See My Oracle Support for more information on how to raise a service request.

2.2 Support for CNE Common Services

Note:

Not applicable for OCI deployment.

CNC Console Common Services GUI provides an option to enable cards (hyperlinks) for CNE Common services and OSO services.

When CNC Console is integrated with the common services, it adds a layer of authentication and authorization in front of common services that have no authentication mechanism of their own. It also gives users a single login for all common services, scoped to the roles assigned to them.

CNC Console Common Services GUI provides an option to enable cards (hyperlinks) for OCCNE Common services such as Grafana, Kibana, Jaeger, Prometheus, AlertManager, Promxy, OpenSearch, and Jaeger-ES.

OSO Common Services

CNC Console Common Services GUI also provides an option to enable cards (hyperlinks) for OSO services such as Prometheus and AlertManager.

Managing Common Service Support (OSO Cards and CNE Cards)

Enable and Configure

Prometheus and Alertmanager GUIs can be accessed using the CNC Console. For more information on accessing Prometheus and Alertmanager GUIs using CNC Console, refer to Oracle Communications Cloud Native Configuration Console User Guide.

Observe

For information on Metrics and KPIs, see CNC Console Metrics, and CNC Console KPIs sections.

Maintain

If you encounter alerts at system or application levels, see CNC Console Alerts section for resolution steps.

In case the alert still persists, perform the following:
  1. Collect the logs: For more information on how to collect logs, see CNC Console Logs.
  2. Raise a service request: See My Oracle Support for more information on how to raise a service request.

2.3 LDAP Integration

Note:

For OCI: See the OCI Active Directory Integration section.

The Lightweight Directory Access Protocol (LDAP) is a protocol that defines the technique for accessing the directory data.

Figure 2-1 LDAP

CNC Console IAM serves as an integration platform for connecting to existing Lightweight Directory Access Protocol (LDAP) and Active Directory (AD) servers.

CNC Console IAM can federate existing external user databases that hold user and credential details: it validates user credentials against these directories and pulls in the identity information.

CNC Console IAM supports LDAP over TLS (StartTLS, which upgrades a plain LDAP connection to TLS) for secure communication with external LDAP and Active Directory servers.

CNC Console IAM also supports LDAP Secure (LDAPS), where TLS is established from the start of the connection, between the client and the server.

Managing LDAP Integration

Enable and Configure

For enabling and configuring the LDAP integration feature, see Integrating CNC Console LDAP Server with CNC Console IAM.

Observe

For information on Metrics and KPIs, see CNC Console Metrics, and CNC Console KPIs sections.

Maintain

If you encounter alerts at system or application levels, see CNC Console Alerts section for resolution steps.

In case the alert still persists, perform the following:
  1. Collect the logs: For more information on how to collect logs, see CNC Console Logs.
  2. Raise a service request: See My Oracle Support for more information on how to raise a service request.

2.4 SAML 2.0 Integration

Note:

For OCI: See the OCI SAML Integration section.

SAML (Security Assertion Markup Language) enables applications to authenticate a user using an identity provider. CNC Console can broker identity providers based on the SAML v2.0 protocol.

Managing SAML 2.0 Integration with CNC Console

Enable and Configure

For enabling and configuring SAML 2.0 feature integration with CNC Console, see Integrating SAML SSO with CNC Console IAM section.

Observe

For information on Metrics and KPIs, see CNC Console Metrics, and CNC Console KPIs sections.

Maintain

If you encounter alerts at system or application levels, see CNC Console Alerts section for resolution steps.

In case the alert still persists, perform the following:
  1. Collect the logs: For more information on how to collect logs, see CNC Console Logs.
  2. Raise a service request: See My Oracle Support for more information on how to raise a service request.

2.5 Logging Support

Note:

Logging for CNC Console IAM is not applicable for OCI deployment.

The CNC Console logs are categorized into the following types:
  • Regular logs
  • Audit logs
  • Security logs

Regular Logs

These logs contain the error messages, warnings, and other events written by the application; they provide high-level information about the state of the application and ongoing events.

Example:

{"level": "INFO","message": "Started GatewayApplication in 10.748 seconds (JVM running for 12.825)"}
{"level": "INFO","message": "Creating plain httpClient"}
{"level": "INFO","message": "Creating plain restTemplate"}
{"level": "ERROR","message": "Can't get cfgs of topic public.dynamic.datamodel,  exception is:\njavax.ws.rs.ProcessingException: java.net.ConnectException: Connection refused (Connection refused)"}

Audit Logs

These logs record user-related information and user activity within the system.

Security Logs

These logs record the headers, payload, method, scheme, URI, and other details of every request and its corresponding response. Because they capture headers and bodies verbatim, treat them as sensitive: Authorization headers, session cookies, and credentials submitted in login payloads may appear in them. Restrict access to the security log store and apply an appropriate retention policy.
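The following Python is an added example and not CNC Console code: it redacts one security-log record of the kind described above before the record is shipped to a central log store. The record layout, field names, and sample values are constructed for this example and are not the product's actual log format.

```python
import copy
import json
import re

# Header names whose values must never reach a log store in clear text.
SENSITIVE_HEADERS = {"authorization", "proxy-authorization", "cookie",
                     "set-cookie", "x-auth-token"}
# Payload keys (matched case-insensitively, anywhere in the key) that carry
# credentials or tokens.
SENSITIVE_FIELDS = re.compile(r"(password|passwd|secret|token|credential)", re.I)
MASK = "***REDACTED***"


def _redact_value(value):
    """Recursively mask sensitive keys inside a decoded JSON payload."""
    if isinstance(value, dict):
        return {k: (MASK if SENSITIVE_FIELDS.search(k) else _redact_value(v))
                for k, v in value.items()}
    if isinstance(value, list):
        return [_redact_value(v) for v in value]
    return value


def _redact_headers(headers):
    """Mask the value of every header in SENSITIVE_HEADERS (case-insensitive)."""
    return {k: (MASK if k.lower() in SENSITIVE_HEADERS else v)
            for k, v in headers.items()}


def redact_security_record(record):
    """Return a copy of one security-log record that is safe to ship.

    Assumed record shape (constructed for this example): 'headers' is a dict,
    'payload' is either a JSON string or already-decoded JSON. A payload that
    is not JSON is masked wholesale rather than guessed at, because a form
    body or XML document can carry credentials in ways this code does not parse.
    """
    out = copy.deepcopy(record)  # never mutate the caller's record
    if isinstance(out.get("headers"), dict):
        out["headers"] = _redact_headers(out["headers"])
    if "payload" in out:
        payload = out["payload"]
        if isinstance(payload, str):
            try:
                payload = json.loads(payload)
            except ValueError:
                out["payload"] = MASK
                return out
            out["payload"] = json.dumps(_redact_value(payload))
        else:
            out["payload"] = _redact_value(payload)
    return out


# Constructed sample record in the shape assumed above (not a real CNC Console log line).
SAMPLE_RECORD = {
    "level": "INFO",
    "method": "POST",
    "scheme": "https",
    "uri": "/cncc/core/login",
    "headers": {
        "Content-Type": "application/json",
        "Authorization": "Bearer eyJhbGciOiJSUzI1NiJ9.c2FtcGxl.c2ln",
        "Cookie": "JSESSIONID=abc123",
    },
    "payload": '{"username": "operator", "password": "hunter2", "otp": {"token": "123456"}}',
}

if __name__ == "__main__":
    print(json.dumps(redact_security_record(SAMPLE_RECORD), indent=2))
```

Run the redaction at the point where security logs leave the pod (a sidecar or log-forwarder filter), not at query time: once the clear-text values are indexed by the log store, every user with read access to that index has them.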

Disabling Security Logs

By default, security logging is enabled for both CNCC Core and CNCC IAM. To disable it, set the securityLogEnabled flag to false in the custom-core_values.yaml and custom-iam_values.yaml files:
# CNCC configuration
cncc:
  enabled: false
  enablehttp1: false
  securityLogEnabled: false

Log Levels

The log level controls the minimum severity of messages written for each logger (root, audit, and security).

The default log levels for CNC Console Core are as follows:


ingress-gateway:
  log:
    level:
      cncc:
        root: WARN
        audit: INFO
        security: INFO

The default log levels for CNC Console IAM are as follows:


ingress-gateway:
  log:
    level:
      cncc:
        root: WARN
        security: INFO

Managing Security Logs and Audit Logs

Enable and Configure

For enabling and configuring Security Logs and User Activity Logs, see CNC Console Logs section.

Observe

For information on Metrics and KPIs, see CNC Console Metrics, and CNC Console KPIs sections.

Maintain

If you encounter alerts at system or application levels, see CNC Console Alerts section for resolution steps.

In case the alert still persists, perform the following:
  1. Collect the logs: For more information on how to collect logs, see CNC Console Logs.
  2. Raise a service request: See My Oracle Support for more information on how to raise a service request.

2.6 Support for Multi Cluster Deployment

Note:

Not supported for OCI deployment.

Multicluster deployment is a method of deploying an application on or across multiple Kubernetes clusters for improving availability, isolation, and scalability.

Support for Multicluster Deployment for NFs

CNC Console supports NF deployment across Kubernetes clusters using Manager CNC Console IAM (M-CNCC IAM), Manager CNC Console Core (M-CNCC Core), and Agent CNC Console Core (A-CNCC Core). In a multicluster deployment, CNC Console can manage NFs and OCCNE common services deployed in remote Kubernetes clusters.

Support for Multiple Instances of NFs within a cluster

CNC Console supports multiple instances of NFs within a Kubernetes cluster using Manager CNC Console IAM (M-CNCC IAM), Manager CNC Console Core (M-CNCC Core), and Agent CNC Console Core (A-CNCC Core).

For multicluster deployments, mTLS configuration is supported to secure communication between the Manager (M-CNCC Core) and Agent (A-CNCC Core) consoles.

Selecting the Instance

CNC Console multicluster deployment adds a drop-down list in the header pane for selecting the instance.

The values configured in the instances section of M-CNCC Core are displayed in the drop-down. Each entry follows the naming convention <owner>.<type>.<instance id>.

Figure 2-2 Selecting the Instance

Once the user selects the required instance from the drop-down, the corresponding menu gets loaded.

Figure 2-3 Loading the Menu


The common service instances configured in the instances section are also displayed in the drop-down.

For more details on multicluster configurations, see CNC Console Multi-Cluster Configurations section in Oracle Communications Cloud Native Configuration Console, Installation, Upgrade, and Fault Recovery Guide.

2.7 cnDBTier Integration

CNC Console is integrated with cnDBTier in a containerized Oracle Communications Cloud Native Environment. For more information, see Oracle Communications cnDBTier Installation Guide.

2.8 TLS Certificate Support

Transport Layer Security (TLS) certificates (still often called SSL certificates, after TLS's predecessor Secure Sockets Layer) are essential to securing browser connections and transactions through encryption. HTTPS is HTTP carried over TLS: it ensures that the information you send and receive, such as passwords or personal data, cannot be read or altered by a party that intercepts it. CNC Console supports one-way TLS and mutual TLS (mTLS). With one-way TLS, only the server you connect to is authenticated, so your data is protected in transit to that server. With mTLS, the client and the server each verify the other's certificate, adding a further layer of trust: the server knows which client it is talking to, and impersonation and man-in-the-middle attacks are prevented in both directions.

This feature extends identity validation from the transport layer to the application layer: in addition to validating the TLS certificate itself, CNC Console can check that the NF FQDN present in the certificate (as added by the service mesh) matches the NF profile FQDN carried in the request.

Steps to Enable HTTPS

Certificate Creation

To create the certificates, you need the following files:

  • ECDSA private key and CA-signed certificate for CNC Console (if the initial algorithm is ES256)
  • RSA (Rivest, Shamir, Adleman) private key and CA-signed certificate for CNC Console (if the initial algorithm is RS256)
  • TrustStore password file
  • KeyStore password file
  • CA certificate

Secret Creation

Run the following command to create a secret:
$ kubectl create secret generic occnccaccesstoken-secret --from-file=ecdsa_private_key_pkcs8.pem --from-file=rsa_private_key_pkcs1.pem --from-file=trustStorePassword.txt --from-file=keyStorePassword.txt --from-file=ecdsa_occncc_certificate.crt --from-file=rsa_occncc_certificate.crt -n occncc

Certificate and Key Exchange

A TLS handshake authenticates the parties and establishes the session keys before any HTTP request is sent. It has the following phases:

  • Hello: the client and server agree on the protocol version and the cipher suite.
  • Certificate Exchange: the server (and, with mTLS, the client) presents its certificate chain, which the peer validates against its trust store.
  • Key Exchange: the parties derive the shared symmetric keys.

With the ECDHE cipher suites listed below, the session key is never sent over the wire: each side contributes an ephemeral elliptic-curve Diffie-Hellman share, the server signs its share with the private key that matches its certificate (RSA or ECDSA), and both sides compute the same shared secret locally. Because the session key does not depend on the certificate's long-term private key, a later compromise of that key does not expose previously recorded sessions (forward secrecy). Once the handshake completes, HTTP requests and responses are encrypted and integrity-protected with the negotiated AEAD cipher, so a man-in-the-middle that intercepts the traffic can neither read nor modify it.

CNC Console supports the following cipher suites. All of them use ephemeral ECDH (ECDHE) key exchange, which provides forward secrecy, and an AEAD cipher (AES-GCM or ChaCha20-Poly1305); no static-RSA or CBC-mode suites are offered.

- TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
- TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
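The following Python is an added example and not code from CNC Console or from this guide. It shows two things a practitioner checks when wiring a client to a gateway configured as described in this section: that a TLS client context really offers only the five suites listed above (and therefore only forward-secret, AEAD suites), and the application-layer FQDN check described earlier, performed against a certificate's subjectAltName entries. The sample certificate dict and the 3GPP-style NF FQDN in it are constructed values; the IANA-to-OpenSSL name mapping is standard.

```python
import ssl

# The five suites the page lists (IANA names) and the OpenSSL names that
# Python's ssl module, and most OpenSSL- or Java-based gateways, use for them.
SUPPORTED_SUITES = {
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384": "ECDHE-ECDSA-AES256-GCM-SHA384",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384": "ECDHE-RSA-AES256-GCM-SHA384",
    "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256": "ECDHE-RSA-CHACHA20-POLY1305",
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256": "ECDHE-ECDSA-AES128-GCM-SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256": "ECDHE-RSA-AES128-GCM-SHA256",
}


def build_client_context(cafile=None, certfile=None, keyfile=None):
    """Client-side context restricted to the suites above.

    TLS 1.2 is the floor. The cipher string governs TLS 1.2 suites only;
    TLS 1.3 suites are all AEAD and are left at OpenSSL's defaults.
    Passing certfile/keyfile turns this into an mTLS client: the server can
    then demand and verify this certificate during the handshake.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # verifies server cert and hostname by default
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(":".join(SUPPORTED_SUITES.values()))
    if cafile:
        ctx.load_verify_locations(cafile=cafile)
    if certfile:
        ctx.load_cert_chain(certfile, keyfile)
    return ctx


def enabled_tls12_suites(ctx):
    """OpenSSL names of the TLS 1.2 suites the context will actually offer."""
    return [c["name"] for c in ctx.get_ciphers() if c["protocol"] == "TLSv1.2"]


def all_forward_secret(names):
    """True if every offered TLS 1.2 suite uses ephemeral ECDH (no static RSA)."""
    return bool(names) and all(n.startswith("ECDHE-") for n in names)


def fqdn_in_cert(cert, fqdn):
    """Application-layer identity check: is fqdn a dNSName SAN of the peer?

    `cert` has the dict shape returned by ssl.SSLSocket.getpeercert().
    Only exact dNSName matches count; wildcard entries and the subject CN are
    ignored on purpose, because an NF's identity must be unambiguous.
    """
    wanted = fqdn.rstrip(".").lower()
    for kind, value in cert.get("subjectAltName", ()):
        if kind == "DNS" and "*" not in value and value.rstrip(".").lower() == wanted:
            return True
    return False


# Constructed sample shaped like getpeercert() output, using a 3GPP-style NF FQDN
# (assumed values, not taken from a real deployment).
SAMPLE_CERT = {
    "subject": ((("commonName", "nrf1"),),),
    "subjectAltName": (
        ("DNS", "nrf1.5gc.mnc001.mcc001.3gppnetwork.org"),
        ("DNS", "*.5gc.mnc001.mcc001.3gppnetwork.org"),
    ),
}

if __name__ == "__main__":
    ctx = build_client_context()
    offered = enabled_tls12_suites(ctx)
    print("offered TLS 1.2 suites:", offered)
    print("all forward secret:", all_forward_secret(offered))
    print("nrf1 matches:", fqdn_in_cert(SAMPLE_CERT, "nrf1.5gc.mnc001.mcc001.3gppnetwork.org"))
    print("nrf2 matches:", fqdn_in_cert(SAMPLE_CERT, "nrf2.5gc.mnc001.mcc001.3gppnetwork.org"))
```

The wildcard entry in the sample certificate is there to show that the check does not accept it for nrf2: the FQDN carried in an NF profile must match an explicit SAN, otherwise any NF holding a wildcard certificate for the domain could claim another NF's identity at the application layer.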

2.9 Service Mesh Communication

Note:

Not applicable for OCI deployment.

CNC Console leverages an Istio/Envoy-based service mesh (Aspen Service Mesh) for all internal and external communication. The service mesh integration provides Console-to-NF communication and allows the API gateway to coexist with the service mesh. The mesh supports these services by deploying a sidecar proxy alongside each pod to intercept all network communication between microservices.

For more information, see CNC Console Configuration to Support ASM and OSO in Oracle Communications Cloud Native Configuration Console Installation and Upgrade Guide.

2.10 Support for IPv4 or IPv6

CNC Console can be deployed on CNE that supports dual stack networking. Applications or NFs can establish connections with pods and services in a Kubernetes cluster using IPv4 or IPv6. CNC Console can be configured to use either IPv4 or IPv6. By default, IPv4 is used if no configuration is provided.

2.11 CNC Console GUI Session Timeout

The duration (in seconds) after which a CNC Console GUI session times out and the user must log in again is configured with the ingress-gateway.cncc.core.sessionTimeout parameter in the custom_values.yaml file.

By default, the session timeout is 1800 seconds. You can set it to any value between 300 and 7200 seconds.

Note:

The value of the CNC Console IAM SSO session idle timeout configuration is not considered for CNC Console Core session management.

2.12 Network Policies

Note:

Not applicable for OCI deployment.

Network Policies are an application-centric construct that lets you specify how a pod communicates with other network entities. They define pod-level rules that control communication between pods and services in the cluster and determine which pods and services can reach one another.

Previously, the pods of a CNC Console deployment could be contacted by any other pod in the Kubernetes cluster without restriction. Network Policies now provide namespace-level isolation: communication to and from CNC Console is allowed only as defined by the rules in the respective network policies. The policies apply to all data flows except the container probes sent from the Kubernetes node (kubelet) to a pod. For example, CNC Console internal microservices can no longer be contacted directly by other pods.
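The following Python is an added example and not a Kubernetes or CNC Console component: a small evaluator of NetworkPolicy ingress semantics, run against a constructed default-deny policy plus the kind of allow rules that implement the isolation described above. The namespace name, pod labels, and ports are assumed for illustration. The kubelet probe exception is not modelled, since that traffic is outside what NetworkPolicy rules express.

```python
def _matches(selector, labels):
    """matchLabels semantics: an empty or absent selector matches every pod."""
    wanted = (selector or {}).get("matchLabels", {})
    return all(labels.get(k) == v for k, v in wanted.items())


def _peer_allows(peer, policy_ns, src):
    """Evaluate one entry of an ingress rule's 'from' list against a source pod.

    A podSelector on its own is scoped to the policy's own namespace; a
    namespaceSelector on its own admits every pod in the selected namespaces;
    when both are present, both must match (AND within one peer entry).
    """
    if "ipBlock" in peer:
        return False  # CIDR peers are deliberately not modelled here
    pod_sel, ns_sel = peer.get("podSelector"), peer.get("namespaceSelector")
    if ns_sel is None and src["namespace"] != policy_ns:
        return False
    if ns_sel is not None and not _matches(ns_sel, src["namespace_labels"]):
        return False
    return pod_sel is None or _matches(pod_sel, src["labels"])


def ingress_allowed(policies, dst, src, port):
    """Decide whether TCP traffic from src to dst:port is admitted.

    Pods are {"namespace": str, "namespace_labels": dict, "labels": dict}.
    If no policy selects dst, Kubernetes admits everything (default allow).
    Once any policy selects it, traffic must match at least one ingress rule
    of at least one selecting policy; peers and ports inside a rule are
    each OR-ed with their siblings, and the peer list is AND-ed with the port list.
    """
    selecting = [
        p for p in policies
        if p["metadata"]["namespace"] == dst["namespace"]
        and "Ingress" in p["spec"].get("policyTypes", ["Ingress"])
        and _matches(p["spec"].get("podSelector"), dst["labels"])
    ]
    if not selecting:
        return True
    for p in selecting:
        for rule in p["spec"].get("ingress", []):
            peers, ports = rule.get("from"), rule.get("ports")
            if peers and not any(_peer_allows(x, p["metadata"]["namespace"], src) for x in peers):
                continue
            if ports and not any(pp.get("protocol", "TCP") == "TCP" and pp.get("port") == port
                                 for pp in ports):
                continue
            return True
    return False


NS = "occncc"  # assumed namespace, matching the -n occncc used earlier on this page
POLICIES = [
    {   # 1. default deny: selects every pod in the namespace and has no ingress rules
        "metadata": {"name": "default-deny-ingress", "namespace": NS},
        "spec": {"podSelector": {}, "policyTypes": ["Ingress"]},
    },
    {   # 2. internal microservices accept traffic only from the ingress gateway (labels assumed)
        "metadata": {"name": "allow-from-ingress-gateway", "namespace": NS},
        "spec": {
            "podSelector": {"matchLabels": {"cncc.tier": "internal"}},
            "policyTypes": ["Ingress"],
            "ingress": [{"from": [{"podSelector": {"matchLabels": {"app": "cncc-ingress-gateway"}}}],
                         "ports": [{"protocol": "TCP", "port": 8080}]}],
        },
    },
    {   # 3. the gateway itself accepts HTTPS from any source (north-bound GUI and API traffic)
        "metadata": {"name": "allow-gateway-https", "namespace": NS},
        "spec": {
            "podSelector": {"matchLabels": {"app": "cncc-ingress-gateway"}},
            "policyTypes": ["Ingress"],
            "ingress": [{"ports": [{"protocol": "TCP", "port": 8443}]}],
        },
    },
]

# Constructed pods used to exercise the policies.
GATEWAY_POD = {"namespace": NS, "namespace_labels": {}, "labels": {"app": "cncc-ingress-gateway"}}
INTERNAL_POD = {"namespace": NS, "namespace_labels": {}, "labels": {"cncc.tier": "internal", "app": "cncc-mcs"}}
STRANGER_POD = {"namespace": "sandbox", "namespace_labels": {}, "labels": {"app": "curl"}}

if __name__ == "__main__":
    print("gateway -> internal:8080 ", ingress_allowed(POLICIES, INTERNAL_POD, GATEWAY_POD, 8080))
    print("stranger -> internal:8080", ingress_allowed(POLICIES, INTERNAL_POD, STRANGER_POD, 8080))
    print("stranger -> gateway:8443 ", ingress_allowed(POLICIES, GATEWAY_POD, STRANGER_POD, 8443))
```

The point to verify against any real policy set is the default-allow rule in ingress_allowed: a pod that no policy selects is reachable from everywhere, so the default-deny policy with an empty podSelector must exist in the namespace before the narrower allow rules mean anything.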

Managing Support for Network Policies

Enable

To use this feature, apply the network policies to the namespace in which CNC Console is deployed.

Configure

You can configure this feature using Helm. For information about Configuring Network Policy for CNC Console Deployment, see Cloud Native Configuration Console Installation, Upgrade, and Fault Recovery Guide.

Observe

There are no specific metrics and alerts required for the Support of Network Policy functionality.