6 Accessing NF Configurations Through Curl and Postman
6.1 For Non OCI Deployment
This section describes how CNC Console accesses NF resources through curl or Postman.
6.1.1 Generate Access Tokens
CNC Console IAM provides a REST API for generating and refreshing access tokens.
You must use the cncc-api-access client for accessing NF resources through REST APIs. For security reasons, Direct Access Grants Enabled is set to OFF by default.
Perform the following steps to set Direct Access Grants Enabled to ON:
- Log in to CNC Console IAM with valid credentials.
- Click the cncc realm.
- On the right pane, click Clients. The following screen appears:
Figure 6-1 Clients
- Click cncc-api-access. The following screen appears:
Figure 6-2 cncc-api-access
- Navigate to the Capability config section in the Settings tab and select the Direct Access Grants checkbox. Click Save.
Figure 6-3 Direct Access Grants
Perform the following procedure to generate the access tokens:
- Acquire an access token from CNC Console IAM by sending a POST request to the following URL:
http://${cncc-iam-ingress-external-ip}:${cncc-iam-ingress-service-port}/cncc/auth/realms/${realm}/protocol/openid-connect/token
For example:
http://10.75.182.79:8080/cncc/auth/realms/cncc/protocol/openid-connect/token
- The body of the request must be x-www-form-urlencoded as follows:
'client_id': 'your_client_id',
'username': 'your_username',
'password': 'your_password',
'grant_type': 'password'
Example:
'client_id': 'cncc-api-access',
'username': 'user1',
'password': '******',
'grant_type': 'password'
- The curl command to obtain the token is as follows:
curl --location --request POST 'http://${cncc-iam-ingress-external-ip}:${cncc-iam-ingress-service-port}/cncc/auth/realms/cncc/protocol/openid-connect/token' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'grant_type=password' \
--data-urlencode 'username=user1' \
--data-urlencode 'password=<password value>' \
--data-urlencode 'client_id=cncc-api-access'
- In response, you will get an access_token and a refresh_token. The response is as follows:
{
"access_token": "eyJhbGciOiJSUzI1NiIsI................._LcCZYwDQJJTloj2PJ8y1WjO9l2Q",
"expires_in": 300,
"refresh_expires_in": 1800,
"refresh_token": "eyJhbGciOiJIUzI1NiIs ................ldUIiwia2lkIiA6ICI3YTFlYvKPF-ZIg",
"token_type": "bearer",
"not-before-policy": 0,
"session_state": "6c42d978-14ac-4793-a1e3-789cfbdb2b74",
"scope": "email profile"
}
Note:
The M-CNCC IAM IP or FQDN used to generate the access token must be the same as the M-CNCC IAM IP or FQDN specified in custom-cncc_values.yaml.
6.1.2 Refresh Access Tokens
Perform the following procedure to refresh the access tokens:
If the access_token has expired, it can be refreshed by sending a POST request to the same URL as above, but the request body must contain the refresh token instead of the username and password. The format is as follows:
'client_id': 'your_client_id',
'refresh_token': refresh_token_from_previous_request,
'grant_type': 'refresh_token'
Example:
'client_id': 'cncc-api-access',
'refresh_token': 'eyJhbGciOiJIUzI1NiIs ................ldUIiwia2lkIiA6ICI3YTFlYvKPF-ZIg',
'grant_type': 'refresh_token'
In response, you will receive a new access_token and refresh_token.
6.1.3 Accessing NF Resources
Perform the following procedure to access NF resources:
To access NF resources, you must use the access token in every request to an NF resource by placing it in the Authorization header.
The following headers must be included while sending the API request:
- Authorization: The access token must be used in every request to an NF resource by placing it in the Authorization header.
- oc-cncc-id: M-CNCC uses the oc-cncc-id header to find the agent or manager owning the instance.
- oc-cncc-instance-id: A-CNCC Core (or M-CNCC Core ) uses the oc-cncc-instance-id header to find the NF instance for routing.
Note:
In case of Policy and BSF NFs, additional API prefixes are needed to access NF resources through Console, and these prefixes differ from one endpoint to another. A few of the additional API prefixes are the following:
- Policy: "/policyapi"
- BSF: "/bsfapi"
For other prefixes and for more information, refer to the respective NF documentation.
Using the CNC Console IAM API, the following headers must be passed in the curl or Postman request while accessing an NF resource:
curl --location --request GET 'http://${cncc-mcore-ingress-external-ip}:${cncc-mcore-ingress-service-port}/<NF API URI>' \
--header 'oc-cncc-id: oc-cncc-id value' \
--header 'oc-cncc-instance-id: oc-cncc-instance-id value' \
--header 'Authorization: Bearer <token>'
For example, using the SCP Canary Release API, the following headers must be passed in the curl or Postman request while accessing the NF resource:
curl --location --request GET 'http://${cncc-mcore-ingress-external-ip}:${cncc-mcore-ingress-service-port}/ocscp/scpc-configuration/v1/canaryrelease' \
--header 'oc-cncc-id: Cluster1' \
--header 'oc-cncc-instance-id: Cluster1-scp-instance1' \
--header 'Authorization: Bearer <token>'
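The token lifecycle from sections 6.1.1 to 6.1.3 in one place, as an added example (not Oracle's code): a small Python session that reuses the access token while it is valid, switches to the refresh_token grant once expires_in has elapsed, and falls back to the password grant after refresh_expires_in. The class name, the send and clock parameters, and the 10-second skew are assumptions made for illustration.

```python
import json
import time
import urllib.parse
import urllib.request


class CnccApiSession:  # hypothetical helper name, not part of CNC Console
    def __init__(self, iam_base, mcore_base, username, password,
                 realm="cncc", send=None, clock=time.time):
        self.token_url = (f"{iam_base}/cncc/auth/realms/{realm}"
                          "/protocol/openid-connect/token")
        self.mcore_base = mcore_base
        self._creds = {"username": username, "password": password}
        self._send = send or self._urlopen  # transport hook (assumption) for offline tests
        self._clock = clock
        self._tok, self._access_until, self._refresh_until = None, 0.0, 0.0

    @staticmethod
    def _urlopen(req):
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.read()

    def _grant(self, fields):
        body = urllib.parse.urlencode({"client_id": "cncc-api-access", **fields})
        req = urllib.request.Request(
            self.token_url, data=body.encode(), method="POST",
            headers={"Content-Type": "application/x-www-form-urlencoded"})
        now = self._clock()  # taken before the call, so expiry errs on the early side
        self._tok = json.loads(self._send(req))
        self._access_until = now + self._tok["expires_in"]
        self._refresh_until = now + self._tok.get("refresh_expires_in", 0)

    def access_token(self, skew=10):
        """Reuse a live access token, else refresh it, else log in again."""
        now = self._clock()
        if self._tok and now < self._access_until - skew:
            return self._tok["access_token"]
        if self._tok and now < self._refresh_until - skew:
            self._grant({"grant_type": "refresh_token",
                         "refresh_token": self._tok["refresh_token"]})
        else:
            self._grant({"grant_type": "password", **self._creds})
        return self._tok["access_token"]

    def nf_get(self, nf_api_uri, cncc_id, instance_id):
        headers = {"oc-cncc-id": cncc_id, "oc-cncc-instance-id": instance_id,
                   "Authorization": "Bearer " + self.access_token()}
        req = urllib.request.Request(self.mcore_base + nf_api_uri, headers=headers)
        return self._send(req)
```

With the values from the examples above, the session is built from the IAM and M-CNCC Core base URLs and queried with nf_get('/ocscp/scpc-configuration/v1/canaryrelease', 'Cluster1', 'Cluster1-scp-instance1').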
6.2 For OCI Deployment
Overview
OCI IAM provides a secure option for direct API access to CNC Console resources by providing an OCI IAM access token.
This section provides details on token generation and on accessing NF resources through CNC Console:
- Access tokens
- Refresh tokens
- NF Resource Access
6.2.1 Access Token Generation Using User Credentials
curl --location --request POST 'https://<oci-iam-domain-url>/oauth2/v1/token' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--header 'Authorization: Basic <Base64 encoding of client credentials>' \
--data-urlencode 'grant_type=password' \
--data-urlencode 'username=testuser' \
--data-urlencode 'password=••••••' \
--data-urlencode 'scope=urn:opc:idm:__myscopes__ offline_access'
The attributes used in this request are:
Attribute | Description |
---|---|
<oci-iam-domain-url> | OCI IAM Domain URL. For more information, see the Identity Access Management section in the Oracle Communication Cloud Native Configuration Console Installation, Upgrade, and Fault Recovery Guide. |
<Base64 encoding of client credentials> | |
grant_type | The way to get an access token. Value: password |
username | Username of the OCI IAM user used for login. |
password | Password of the OCI IAM user used for login. |
scope | The way to limit the amount of access that is granted to an access token. Values: |
In response, we'll get an access_token and refresh_token.
{
"access_token": "eyJhbGciOiJSUzI1NiIsI................._LcCZYwDQJJTloj2PJ8y1WjO9l2Q",
"expires_in": 300,
"token_type": "bearer",
"refresh_token": "AgAgYWEyMzQ5MGM4YTRj.................FEgVm3XXS_y05UzUHIwrdlyQtsc="
}
6.2.2 Access Token Generation Using Refresh Token
curl --location --request POST 'https://<oci-iam-domain-url>/oauth2/v1/token' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--header 'Authorization: Basic <Base64 encoding of client credentials in the format "clientId:clientSecret">' \
--data-urlencode 'grant_type=refresh_token' \
--data-urlencode 'refresh_token=<refresh_token>'
The attributes used in this request are:
Attribute | Description |
---|---|
<oci-iam-domain-url> | OCI IAM Domain URL. For information on identity and access management, see the OCI Identity and Access Management section in the Oracle Communication Cloud Native Configuration Console Installation, Upgrade, and Fault Recovery Guide. |
<Base64 encoding of client credentials> | |
grant_type | The way to get an access token. Value: refresh_token |
refresh_token | The actual refresh_token received while generating access_token as part of Access Token generation using User Credentials. |
In response, we'll get an access_token and refresh_token.
{
"access_token": "eyJhbGciOiJSUzI1NiIsI................._LcCZYwDQJJTloj2PJ8y1WjO9l2Q",
"expires_in": 300,
"token_type": "bearer",
"refresh_token": "AgAgYWEyMzQ5MGM4YTRj.................FEgVm3XXS_y05UzUHIwrdlyQtsc="
}
Note:
By default, access tokens expire after one hour. This expiry period can be changed in the configuration of the trusted application you configured in OCI IAM. Once your access token expires, you will need to refresh it. You can use the refresh token that was provided to you with your access token.
6.2.3 NF Resource Access Through CNC Console
curl --location --request GET 'http://<cncc_mcore_igw_url>:<cncc_mcore_igw_port>/<nf_resource_path>' \
--header 'oc-cncc-id: <oc-cncc-id>' \
--header 'oc-cncc-instance-id: <oc-cncc-instance-id>' \
--header 'Authorization: Bearer <oci_iam_access_token>'
For example:
curl --location --request GET 'http://<cncc_mcore_igw_url>:<cncc_mcore_igw_port>/ocscp/scpc-configuration/v1/canaryrelease' \
--header 'oc-cncc-id: Cluster1' \
--header 'oc-cncc-instance-id: Cluster1-scp-instance1' \
--header 'Authorization: Bearer eyJhbGciOiJSUzI1NiIsI................._LcCZYwDQJJTloj2PJ8y1WjO9l2Q'
The attributes used in this request are:
Attribute | Description |
---|---|
<oci_iam_access_token> | OCI IAM Access token of the OCI IAM User. See Access Token generation using User Credentials. |
<cncc_mcore_igw_url> | CNC Console Manager Ingress Gateway URL. See the Accessing M-CNCC Core section in the Oracle Communication Cloud Native Configuration Console Installation, Upgrade, and Fault Recovery Guide. |
<oc-cncc-id> | Unique M-CNCC ID per site or cluster (global.self.cnccId). See the CNC Console Instance Configuration Options section in the Oracle Communication Cloud Native Configuration Console Installation, Upgrade, and Fault Recovery Guide. |
<oc-cncc-instance-id> | Unique Instance ID of NF per site or cluster (global.instances). See the CNC Console Instance Configuration Options section in the Oracle Communication Cloud Native Configuration Console Installation, Upgrade, and Fault Recovery Guide. |
<nf_resource_path> | Request path to NF resource. |