2 OCCM REST Specification
This chapter describes the REST APIs used to configure Oracle Communications Cloud Native Core, Certificate Management (OCCM).
OCCM can be configured using Helm parameters, the REST APIs described in this chapter, or the Cloud Native Configuration Console (CNC Console). The REST operations described here can also be performed through the CNC Console.
For Helm configurations, see Oracle Communications Cloud Native Core, Certificate Management Installation, Upgrade, and Fault Recovery Guide.
For configuration using the CNC Console, see Oracle Communications Cloud Native Core, Certificate Management User Guide.
For installing OCCM in an existing NF deployment, see the 'Introducing OCCM on an Existing NF Deployment' section in the Oracle Communications Cloud Native Core, Certificate Management User Guide.
2.1 OCCM Issuers
OCCM Issuers Data Model
Table 2-1 OCCM Issuers Request Parameters
Field Name | Data Type | Description |
---|---|---|
name | String | This is a mandatory parameter. Name of the CA. |
server | String | This is a mandatory parameter. Domain URL of the CA (its CMP endpoint). Note: include the port on which the CA server listens; if no port is given, OCCM falls back to the default port 80. |
recipientDN | String | This is a mandatory parameter. Distinguished Name (DN) of the CMP server (usually the addressed CA), placed in the recipient field of CMP request message headers. The value must be formatted as /type0=value0/type1=value1/type2=.... Special characters may be escaped with \ (backslash); whitespace is retained. Empty values are permitted, but the corresponding type is then not included. A single / gives an empty sequence of RDNs (a NULL-DN). Multi-valued RDNs are formed by placing a + instead of a / between the AttributeValueAssertions (AVAs) that make up the set. Example: /CN=ManagementCA (as used in the sample requests below). |
issuerDN | String | This is an optional parameter. X.509 issuer Distinguished Name of the CA, placed in the requested certificate template in IR/KUR messages. The value follows the same format rules as recipientDN. Example: /CN=ManagementCA. |
totalTimeout | String | This is a mandatory parameter. Maximum total number of seconds a CMP transaction may take. Default value: 720 seconds. Maximum value: 21600 seconds. Note: totalTimeout must always be greater than messageTimeout. |
messageTimeout | String | This is a mandatory parameter. Number of seconds a single CMP request-response round trip may take before a timeout error is returned. Default value: 120 seconds. Maximum value: 600 seconds. Note: messageTimeout must always be less than totalTimeout. |
cmpProtectionOccmCert | Object | This is a mandatory parameter, except when the OCCM certificate is configured manually (in that case type may be null, as in the sample requests below). CMP message protection options used when OCCM enrolls its own (CMP identity) certificate. |
cmpProtectionOccmCert.type | Enum | This is a mandatory parameter. Possible values: MAC, SIGNATURE. |
cmpProtectionOccmCert.digestAlgorithm | Enum | This is a mandatory parameter when cmpProtectionOccmCert.type is SIGNATURE; it is not used when the type is MAC. Digest algorithm to use. Default value: SHA256. Possible values: SHA256, SHA384, SHA512. |
cmpProtectionOccmCert.macAlgorithm | Enum | This is a mandatory parameter when cmpProtectionOccmCert.type is MAC; it is not used when the type is SIGNATURE. MAC algorithm to use. Possible values: HMACSHA256, HMACSHA384, HMACSHA512. |
cmpProtectionOccmCert.macK8sSecretIn | Object | This is a mandatory parameter when cmpProtectionOccmCert.type is MAC; it is not used when the type is SIGNATURE. Kubernetes secret holding the pre-shared key for MAC-based protection of the OCCM certificate enrollment. |
cmpProtectionOccmCert.macK8sSecretIn.namespace | String | This is a mandatory parameter. Namespace of the Kubernetes secret holding the MAC secret. |
cmpProtectionOccmCert.macK8sSecretIn.name | String | This is a mandatory parameter. Name of the Kubernetes secret holding the MAC secret (pre-shared key) and reference information. |
cmpProtectionOccmCert.macK8sSecretIn.passKey | String | This is a mandatory parameter. Kubernetes secret data key under which the MAC secret (pre-shared key) is stored. |
cmpProtectionOccmCert.macK8sSecretIn.refKey | String | This is an optional parameter. Kubernetes secret data key under which the reference string is stored. |
cmpProtectionOccmCert.signK8sSecretIn | Object | This is a mandatory parameter when cmpProtectionOccmCert.type is SIGNATURE; it is not used when the type is MAC. Kubernetes secret holding the key and certificate for signature-based protection of the OCCM certificate enrollment. |
cmpProtectionOccmCert.signK8sSecretIn.namespace | String | This is a mandatory parameter. Namespace of the Kubernetes secret holding the OCCM signing key and certificate. |
cmpProtectionOccmCert.signK8sSecretIn.name | String | This is a mandatory parameter. Name of the Kubernetes secret holding the pre-configured private key and certificate. |
cmpProtectionOccmCert.signK8sSecretIn.key | String | This is a mandatory parameter. Kubernetes secret data key under which the pre-configured private key (the private key of the client's current CMP signer certificate) is provided. |
cmpProtectionOccmCert.signK8sSecretIn.cert | String | This is a mandatory parameter. Kubernetes secret data key under which the pre-configured certificate (the client's current CMP signer certificate) is provided. |
cmpProtectionOccmCert.signK8sSecretIn.extraCerts | Array | This is a mandatory parameter (the list may be empty). Kubernetes secret data keys holding the certificates to append in the extraCerts field of CMP messages; they serve as the default CMP signer certificate chain to include. |
cmpProtectionOtherCert | Object | This is a mandatory parameter. CMP message protection options used when OCCM enrolls other (NF) certificates. |
cmpProtectionOtherCert.type | Enum | This is a mandatory parameter. Possible value: SIGNATURE. |
cmpProtectionOtherCert.digestAlgorithm | Enum | This is a mandatory parameter. Digest algorithm to use. Default value: SHA256. Possible values: SHA256, SHA384, SHA512. |
cmpProtectionOtherCert.signK8sSecretIn | Object | This is a mandatory parameter. Kubernetes secret holding the OCCM key and certificate used for signature-based protection when enrolling other (NF) certificates. |
cmpProtectionOtherCert.signK8sSecretIn.namespace | String | This is a mandatory parameter. Namespace of the Kubernetes secret holding the NF signing key and certificate. |
cmpProtectionOtherCert.signK8sSecretIn.name | String | This is a mandatory parameter. Name of the Kubernetes secret holding the OCCM key and certificate. |
cmpProtectionOtherCert.signK8sSecretIn.key | String | This is a mandatory parameter. Kubernetes secret data key under which the OCCM private key is provided (OCCM certificate created in manual mode) or created by OCCM (automatic mode). |
cmpProtectionOtherCert.signK8sSecretIn.cert | String | This is a mandatory parameter. Kubernetes secret data key under which the OCCM certificate is provided (manual mode) or created by OCCM (automatic mode). |
cmpProtectionOtherCert.signK8sSecretIn.extraCerts | Array | This is a mandatory parameter (the list may be empty). Kubernetes secret data keys holding the certificates to append in the extraCerts field; they are provided by the operator (manual mode) or created by OCCM from the chain received from the CA along with the OCCM certificate (automatic mode). |
occmTrustStoreK8sSecretIn | Object | This is a mandatory parameter. Kubernetes secret holding the OCCM trust store (CA certificates), used to validate CMP response messages. |
occmTrustStoreK8sSecretIn.namespace | String | This is a mandatory parameter. Namespace of the OCCM trust store secret. |
occmTrustStoreK8sSecretIn.name | String | This is a mandatory parameter. Name of the OCCM trust store secret. |
occmTrustStoreK8sSecretIn.rootCACerts | List<String> | This is a mandatory parameter unless occmTrustStoreK8sSecretIn.serverCert is provided. Kubernetes secret data keys holding the certificate(s), typically of root CAs, that OCCM uses as trust anchors when validating the certificate issued by the CA. Note: ignored when serverCert is present. |
occmTrustStoreK8sSecretIn.intCACerts | List<String> | This is an optional parameter. Kubernetes secret data keys holding any non-trusted intermediate CA certificate(s) used when validating newly enrolled certificates. |
occmTrustStoreK8sSecretIn.serverCert | String | This is a mandatory parameter unless occmTrustStoreK8sSecretIn.rootCACerts is provided. Kubernetes secret data key holding the CMP/CA server's certificate to expect and trust directly when validating the certificate issued by the CA. Note: when present, rootCACerts is ignored. |
uuid | String | Unique ID of the issuer, assigned by OCCM when the issuer is created and returned in responses; used for logging and tracking. It is not supplied in the POST request body but is included in the PUT request body (see Section 2.1.4). |
tlsConfig.enableTLS | boolean | This is an optional parameter. When set to true, "-tls_used" is added to the openssl cmp command so that the connection to the CA uses TLS; the server URL must then use the https scheme. Possible values: true, false. |
tlsConfig.tlsTrustStoreK8sSecretItem.namespace | String | This parameter is mandatory when enableTLS is set to true and optional when enableTLS is set to false. Namespace of the Kubernetes TLS trust store secret. |
tlsConfig.tlsTrustStoreK8sSecretItem.name | String | This parameter is mandatory when enableTLS is set to true and optional when enableTLS is set to false. Name of the Kubernetes TLS trust store secret. |
tlsConfig.tlsTrustStoreK8sSecretItem.tlsTrustedCerts | List<String> | This parameter is mandatory when enableTLS is set to true and optional when enableTLS is set to false. Kubernetes secret data keys holding the certificate(s) used to validate the certificate presented by the CA during the TLS handshake. |
Table 2-2 OCCM Issuers Response Codes
Response codes | Data type | Cardinality | Description |
---|---|---|---|
200 OK | Object (Issuers) or List (Issuers) | 1 | Issuer object, or list of issuer objects matching the criteria (GET, PUT and DELETE) |
202 Accepted | Object (Issuers) | 1 | Issuer object accepted for creation (POST) |
400 Bad Request | Problem Details | 1 | Input does not match what is required to process the request |
404 Not Found | Problem Details | 1 | Queried object (issuer) not present |
409 Conflict | Problem Details | 1 | Record already exists |
500 Internal Server Error | Problem Details | 1 | Something went wrong |
Note:
OCCM Issuers response body data model varies based on REST operation status.
OCCM Issuers JSON Payload
{
"name": "",
"server": "",
"recipientDN": "",
"issuerDN": "",
"totalTimeout": "",
"messageTimeout": "",
"cmpProtectionOccmCert": {
"type": null,
"digestAlgorithm": null,
"macAlgorithm": null,
"macK8sSecretIn": {
"namespace": "",
"name": "",
"passKey": "",
"refKey": ""
},
"signK8sSecretIn": {
"namespace": "",
"name": "",
"key": "",
"cert": "",
"extraCerts": []
}
},
"cmpProtectionOtherCert": {
"type": "",
"digestAlgorithm": "",
"signK8sSecretIn": {
"namespace": "",
"name": "",
"key": "",
"cert": "",
"extraCerts": []
}
},
"occmTrustStoreK8sSecretIn": {
"namespace": "",
"name": "",
"rootCACerts": [],
"intCACerts": [],
"serverCert": ""
},
"tlsConfig":{
"enableTLS":true,
"tlsTrustStoreK8sSecretItem":{
"namespace": "",
"name": "",
"tlsTrustedCerts":[]
}
}
}
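Nothing in the payload shape above enforces the constraints that Table 2-1 spreads over forty rows, and a request that violates them is only discovered when the CA transaction fails. The checker below is an added example and not OCCM code; it takes an issuer body in the JSON shape above (the dict returned by json.loads) and returns every stated rule the body violates: mandatory fields, the /type=value DN form, an explicit port in the server URL, timeout bounds and ordering, the MAC or SIGNATURE secret requirements, the rootCACerts-or-serverCert rule for the trust store, and the https-plus-trust-store requirement when enableTLS is true. SAMPLE_ISSUER is constructed from the CA1 request used in the samples of this chapter.

```python
"""Pre-flight checks for an OCCM issuer body against the Table 2-1 constraints.
Added example, not OCCM code: feed it the dict obtained from json.loads() on a
POST or PUT body and it lists every stated rule the body violates."""
from urllib.parse import urlsplit

DIGESTS = {"SHA256", "SHA384", "SHA512"}
MACS = {"HMACSHA256", "HMACSHA384", "HMACSHA512"}
MAX_TOTAL_TIMEOUT = 21600   # seconds, Table 2-1
MAX_MESSAGE_TIMEOUT = 600   # seconds, Table 2-1


def _missing(obj, keys, prefix):
    """Report every key of obj that is absent or empty."""
    return [f"{prefix}.{k} is missing" for k in keys if not (obj or {}).get(k)]


def _choice(value, allowed, field):
    """Report an enum value outside the allowed set."""
    return [] if value in allowed else [f"{field} must be one of " + ", ".join(sorted(allowed))]


def validate_issuer(issuer: dict) -> list[str]:
    """Return the violated constraints; an empty list means the body is consistent."""
    problems = _missing(issuer, ["name", "server", "recipientDN"], "issuer")
    for field in ("recipientDN", "issuerDN"):
        if issuer.get(field) and not issuer[field].startswith("/"):
            problems.append(f"{field} must use the /type0=value0/type1=value1 form")
    url = urlsplit(issuer.get("server") or "")
    if url.scheme and url.port is None:
        problems.append("server has no explicit port; OCCM would fall back to port 80")
    try:
        total, message = int(issuer.get("totalTimeout")), int(issuer.get("messageTimeout"))
    except (TypeError, ValueError):
        problems.append("totalTimeout and messageTimeout must be integer seconds")
    else:
        if total > MAX_TOTAL_TIMEOUT:
            problems.append(f"totalTimeout exceeds {MAX_TOTAL_TIMEOUT} seconds")
        if message > MAX_MESSAGE_TIMEOUT:
            problems.append(f"messageTimeout exceeds {MAX_MESSAGE_TIMEOUT} seconds")
        if total <= message:
            problems.append("totalTimeout must be greater than messageTimeout")
    # Protection of OCCM's own enrollment: MAC needs the pre-shared-key secret, SIGNATURE
    # needs the key/cert secret, null means the OCCM certificate was configured manually.
    occm = issuer.get("cmpProtectionOccmCert") or {}
    if occm.get("type") == "MAC":
        problems += _choice(occm.get("macAlgorithm"), MACS, "cmpProtectionOccmCert.macAlgorithm")
        problems += _missing(occm.get("macK8sSecretIn"), ["namespace", "name", "passKey"],
                             "cmpProtectionOccmCert.macK8sSecretIn")
    elif occm.get("type") == "SIGNATURE":
        problems += _choice(occm.get("digestAlgorithm"), DIGESTS, "cmpProtectionOccmCert.digestAlgorithm")
        problems += _missing(occm.get("signK8sSecretIn"), ["namespace", "name", "key", "cert"],
                             "cmpProtectionOccmCert.signK8sSecretIn")
    elif occm.get("type") is not None:
        problems.append("cmpProtectionOccmCert.type must be MAC, SIGNATURE or null")
    # Protection of NF (Other) enrollments is always signature based, using OCCM's key.
    other = issuer.get("cmpProtectionOtherCert") or {}
    problems += _choice(other.get("type"), {"SIGNATURE"}, "cmpProtectionOtherCert.type")
    problems += _choice(other.get("digestAlgorithm"), DIGESTS, "cmpProtectionOtherCert.digestAlgorithm")
    problems += _missing(other.get("signK8sSecretIn"), ["namespace", "name", "key", "cert"],
                         "cmpProtectionOtherCert.signK8sSecretIn")
    # Trust store: trust anchors or a pinned server certificate, at least one of the two.
    trust = issuer.get("occmTrustStoreK8sSecretIn") or {}
    problems += _missing(trust, ["namespace", "name"], "occmTrustStoreK8sSecretIn")
    if not any(trust.get("rootCACerts") or []) and not trust.get("serverCert"):
        problems.append("occmTrustStoreK8sSecretIn needs rootCACerts or serverCert")
    # TLS towards the CA: https scheme plus a populated TLS trust store.
    tls = issuer.get("tlsConfig") or {}
    if tls.get("enableTLS"):
        if url.scheme != "https":
            problems.append("tlsConfig.enableTLS is true but the server URL scheme is not https")
        store = tls.get("tlsTrustStoreK8sSecretItem") or {}
        problems += _missing(store, ["namespace", "name"], "tlsConfig.tlsTrustStoreK8sSecretItem")
        if not any(store.get("tlsTrustedCerts") or []):
            problems.append("tlsConfig.tlsTrustStoreK8sSecretItem.tlsTrustedCerts is empty")
    return problems


# Constructed sample, modelled on the CA1 request used in the POST example of this chapter.
SAMPLE_ISSUER = {
    "name": "CA1", "server": "http://ca1-openssl-mock.ns1.svc.thrust5:8080",
    "recipientDN": "/CN=svc.thrust5", "issuerDN": "/CN=svc.thrust5",
    "totalTimeout": "60", "messageTimeout": "30",
    "cmpProtectionOccmCert": {"type": None, "digestAlgorithm": None, "macAlgorithm": None},
    "cmpProtectionOtherCert": {"type": "SIGNATURE", "digestAlgorithm": "SHA256",
                               "signK8sSecretIn": {"namespace": "ns1", "name": "ca1-occm-key-cert-secret",
                                                   "key": "occmkey.pem", "cert": "occm.cer", "extraCerts": []}},
    "occmTrustStoreK8sSecretIn": {"namespace": "ns1", "name": "ca1-occm-trust-store-secret",
                                  "rootCACerts": ["caroot.cer"], "intCACerts": ["intca.cer"], "serverCert": ""},
    "tlsConfig": {"enableTLS": False},
}


def broken_sample() -> dict:
    """The same issuer with TLS switched on but no https URL or trust store, and equal timeouts."""
    bad = dict(SAMPLE_ISSUER, messageTimeout="60")
    bad["tlsConfig"] = {"enableTLS": True, "tlsTrustStoreK8sSecretItem": {"tlsTrustedCerts": [""]}}
    return bad
```

Run validate_issuer on the body before every POST or PUT; validate_issuer(SAMPLE_ISSUER) returns an empty list, while validate_issuer(broken_sample()) reports the timeout ordering, the http scheme and the empty TLS trust store. The checks are purely structural: they do not confirm that the referenced Kubernetes secrets exist or that the keys inside them hold valid PEM, which remains a deployment-time check.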
2.1.1 Fetch All Issuers
OCCM uses the GET operation to fetch the details of all configured issuers.
Resource URI: /occm-config/v1/issuers
Table 2-3 Data structures supported by the GET Response Body on this resource
Response codes | Data type | Cardinality | Description |
---|---|---|---|
200 OK | List (Issuers) | 1 | List of all configured issuer objects |
500 Internal Server Error | Problem Details | 1 | Something went wrong |
$ curl --location --request GET 'http://{host}:{port}/occm-config/v1/issuers' \
--header 'Oc-Cncc-Id: Cluster1' \
--header 'Oc-Cncc-Instance-Id: Cluster1-OCCM-instance1' \
--header 'Authorization: Bearer eyJhbGciOiJSUzI1Ni'
200 OK Response Body: '[{
"uuid": "d692b217-00ca-433b-819d-cb038dba256b",
"name": "CA-thrust-05",
"server": "https://thrust5:8445/ejbca/publicweb/cmp/occmalias",
"recipientDN": "/CN=ManagementCA",
"issuerDN": "",
"totalTimeout": "120",
"messageTimeout": "30",
"cmpProtectionOccmCert": {
"type": "MAC",
"digestAlgorithm": null,
"macAlgorithm": null,
"macK8sSecretIn": {
"namespace": "occncc-thrust5-01",
"name": "macsecret",
"passKey": "pwd",
"refKey": "ref"
},
"signK8sSecretIn": {
"namespace": "",
"name": "",
"key": "",
"cert": "",
"extraCerts": []
}
},
"cmpProtectionOtherCert": {
"type": "SIGNATURE",
"digestAlgorithm": "SHA384",
"signK8sSecretIn": {
"namespace": "occncc-thrust5-01",
"name": "ca-occm-key-cert-secret-thrust-5102",
"key": "occmkey.pem",
"cert": "occm.cer",
"extraCerts": []
}
},
"occmTrustStoreK8sSecretIn": {
"namespace": "occncc-thrust5-01",
"name": "ca-occm-tls-trust-store-secret-thrust-5",
"rootCACerts": [
"ManagementCA-chain.pem"
],
"intCACerts": [],
"serverCert": ""
},
"tlsConfig": {
"enableTLS": true,
"tlsTrustStoreK8sSecretItem": {
"namespace": "occncc-thrust5-01",
"name": "ca-occm-tls-trust-store-secret-thrust-5",
"tlsTrustedCerts": [
"ManagementCA-chain.pem",
"RootCA.pem"
]
}
}
},
{
"uuid": "897d6073-0bea-4525-b814-0fbda8b85563",
"name": "CA7",
"server": "https://thrust5:8445/ejbca/publicweb/cmp/occmalias",
"recipientDN": "/CN=ManagementCA",
"issuerDN": "",
"totalTimeout": "120",
"messageTimeout": "30",
"cmpProtectionOccmCert": {
"type": "MAC",
"digestAlgorithm": null,
"macAlgorithm": null,
"macK8sSecretIn": {
"namespace": "occncc-thrust5-01",
"name": "macsecret",
"passKey": "pwd",
"refKey": "ref"
},
"signK8sSecretIn": {
"namespace": "",
"name": "",
"key": "",
"cert": "",
"extraCerts": []
}
},
"cmpProtectionOtherCert": {
"type": "SIGNATURE",
"digestAlgorithm": "SHA384",
"signK8sSecretIn": {
"namespace": "occncc-thrust5-01",
"name": "ca-occm-key-cert-secret-thrust-5102",
"key": "occmkey.pem",
"cert": "occm.cer",
"extraCerts": []
}
},
"occmTrustStoreK8sSecretIn": {
"namespace": "occncc-thrust5-01",
"name": "ca-occm-tls-trust-store-secret-thrust-5",
"rootCACerts": [
"ManagementCA-chain.pem"
],
"intCACerts": [],
"serverCert": ""
},
"tlsConfig": {
"enableTLS": true,
"tlsTrustStoreK8sSecretItem": {
"namespace": "occncc-thrust5-01",
"name": "ca6-occm-tls-trust-store-secret",
"tlsTrustedCerts": [
"ManagementCA-chain.pem"
]
}
}
},
{
"uuid": "9c845672-ebee-4ce6-ad98-ce2e6e3fe1d5",
"name": "CA5",
"server": "http://thrust5:8445/ejbca/publicweb/cmp/occmalias",
"recipientDN": "/CN=ManagementCA",
"issuerDN": "",
"totalTimeout": "120",
"messageTimeout": "30",
"cmpProtectionOccmCert": {
"type": "MAC",
"digestAlgorithm": null,
"macAlgorithm": null,
"macK8sSecretIn": {
"namespace": "occncc-thrust5-01",
"name": "macsecret",
"passKey": "pwd",
"refKey": "ref"
},
"signK8sSecretIn": {
"namespace": "",
"name": "",
"key": "",
"cert": "",
"extraCerts": []
}
},
"cmpProtectionOtherCert": {
"type": "SIGNATURE",
"digestAlgorithm": "SHA384",
"signK8sSecretIn": {
"namespace": "occncc-thrust5-01",
"name": "ca-occm-key-cert-secret-thrust-5102",
"key": "occmkey.pem",
"cert": "occm.cer",
"extraCerts": []
}
},
"occmTrustStoreK8sSecretIn": {
"namespace": "occncc-thrust5-01",
"name": "ca-occm-tls-trust-store-secret-thrust-5",
"rootCACerts": [
"ManagementCA-chain.pem"
],
"intCACerts": [],
"serverCert": ""
},
"tlsConfig": {
"enableTLS": false,
"tlsTrustStoreK8sSecretItem": {
"namespace": "",
"name": "",
"tlsTrustedCerts": [
""
]
}
}
}
]'
2.1.2 Fetch Issuer by UUID
OCCM uses the GET operation to fetch a single issuer by its UUID.
Resource URI: /occm-config/v1/issuers/{uuid}
Table 2-4 Path Parameter
Field Name | Data Type | Mandatory (M) or Optional (O) | Description |
---|---|---|---|
uuid | String | M | UUID of the issuer to fetch. |
Data structures supported by the GET Response Body on this resource
Response codes | Data type | Cardinality | Description |
---|---|---|---|
200 OK | Object (Issuers) | 1 | Issuer object matching the UUID |
404 Not Found | Problem Details | 1 | Queried object (issuer) not present |
500 Internal Server Error | Problem Details | 1 | Something went wrong |
$ curl --location --request GET 'http://{host}:{port}/occm-config/v1/issuers/4c5b4025-6c63-438c-bcd7-27b5bf8da4fd' \
--header 'Oc-Cncc-Id: Cluster1' \
--header 'Oc-Cncc-Instance-Id: Cluster1-OCCM-instance1' \
--header 'Authorization: Bearer eyJhbGciOiJSUzI1NiIs'
200 OK Response Body: '{
"uuid": "4c5b4025-6c63-438c-bcd7-27b5bf8da4fd",
"name": "CA1",
"server": "http://ca1-openssl-mock.ns1.svc.thrust5:8080",
"recipientDN": "/CN=svc.thrust5",
"issuerDN": "/CN=svc.thrust5",
"totalTimeout": "720",
"messageTimeout": "120",
"cmpProtectionOccmCert": {
"type": null,
"digestAlgorithm": null,
"macAlgorithm": null,
"macK8sSecretIn": {
"namespace": "",
"name": "",
"passKey": "",
"refKey": ""
},
"signK8sSecretIn": {
"namespace": "",
"name": "",
"key": "",
"cert": "",
"extraCerts": []
}
},
"cmpProtectionOtherCert": {
"type": "SIGNATURE",
"digestAlgorithm": "SHA256",
"signK8sSecretIn": {
"namespace": "ns1",
"name": "ca1-occm-key-cert-secret",
"key": "occmkey.pem",
"cert": "occm.cer",
"extraCerts": []
}
},
"occmTrustStoreK8sSecretIn": {
"namespace": "ns1",
"name": "ca1-occm-trust-store-secret",
"rootCACerts": [
"caroot.cer"
],
"intCACerts": [
"intca.cer"
],
"serverCert": "server.cer"
},
"tlsConfig":{
"enableTLS":false,
"tlsTrustStoreK8sSecretItem":{
"namespace": "",
"name": "",
"tlsTrustedCerts":[""]
}
}
}'
2.1.3 Add Issuer Configurations
OCCM uses the POST operation to add an issuer configuration from the request body. On success the created issuer, including the uuid assigned by OCCM, is returned.
Resource URI: /occm-config/v1/issuers
Table 2-5 Data structures supported by the POST Response Body on this resource
Response codes | Data type | Cardinality | Description |
---|---|---|---|
202 ACCEPTED | Issuers | 1 | Issuers configuration data |
400 BAD REQUEST | Problem Details | 1 | Returns Problem Details structure |
409 CONFLICT | Problem Details | 1 | Record already exists |
Sample POST request (CMP over plain HTTP; cmpProtectionOccmCert.type is null, which is permitted only when the OCCM certificate is configured manually):
$ curl --location --request POST 'http://{host}:{port}/occm-config/v1/issuers' \
--header 'Oc-Cncc-Id: Cluster1' \
--header 'Oc-Cncc-Instance-Id: Cluster1-OCCM-instance1' \
--header 'Authorization: Bearer LxuLeX9dihXDUcoFwDw' \
--header 'Content-Type: application/json' \
--data-raw '{
"name": "CA1",
"server": "http://ca1-openssl-mock.ns1.svc.thrust5:8080",
"recipientDN": "/CN=svc.thrust5",
"issuerDN": "/CN=svc.thrust5",
"totalTimeout": "60",
"messageTimeout": "30",
"cmpProtectionOccmCert": {
"type": null,
"digestAlgorithm": null,
"macAlgorithm": null,
"macK8sSecretIn": {
"namespace": "",
"name": "",
"passKey": "",
"refKey": ""
},
"signK8sSecretIn": {
"namespace": "",
"name": "",
"key": "",
"cert": "",
"extraCerts": []
}
},
"cmpProtectionOtherCert": {
"type": "SIGNATURE",
"digestAlgorithm": "SHA256",
"signK8sSecretIn": {
"namespace": "ns1",
"name": "ca1-occm-key-cert-secret",
"key": "occmkey.pem",
"cert": "occm.cer",
"extraCerts": []
}
},
"occmTrustStoreK8sSecretIn": {
"namespace": "ns1",
"name": "ca1-occm-trust-store-secret",
"rootCACerts": ["caroot.cer"],
"intCACerts": ["intca.cer"],
"serverCert": ""
},
"tlsConfig":{
"enableTLS":false,
"tlsTrustStoreK8sSecretItem":{
"namespace": "",
"name": "",
"tlsTrustedCerts":[""]
}
}
}'
Sample POST Response:
202 Accepted Response Body: '{
"uuid": "4c5b4025-6c63-438c-bcd7-27b5bf8da4fd",
"name": "CA1",
"server": "http://ca1-openssl-mock.ns1.svc.thrust5:8080",
"recipientDN": "/CN=svc.thrust5",
"issuerDN": "/CN=svc.thrust5",
"totalTimeout": "60",
"messageTimeout": "30",
"cmpProtectionOccmCert": {
"type": null,
"digestAlgorithm": null,
"macAlgorithm": null,
"macK8sSecretIn": {
"namespace": "",
"name": "",
"passKey": "",
"refKey": ""
},
"signK8sSecretIn": {
"namespace": "",
"name": "",
"key": "",
"cert": "",
"extraCerts": []
}
},
"cmpProtectionOtherCert": {
"type": "SIGNATURE",
"digestAlgorithm": "SHA256",
"signK8sSecretIn": {
"namespace": "ns1",
"name": "ca1-occm-key-cert-secret",
"key": "occmkey.pem",
"cert": "occm.cer",
"extraCerts": []
}
},
"occmTrustStoreK8sSecretIn": {
"namespace": "ns1",
"name": "ca1-occm-trust-store-secret",
"rootCACerts": ["caroot.cer"],
"intCACerts": ["intca.cer"],
"serverCert": ""
},
"tlsConfig":{
"enableTLS":false,
"tlsTrustStoreK8sSecretItem":{
"namespace": "",
"name": "",
"tlsTrustedCerts":[""]
}
}
}'
Sample POST request with TLS to the CA enabled (https server URL, enableTLS set to true and a populated TLS trust store):
$ curl --location --request POST 'http://{host}:{port}/occm-config/v1/issuers' \
--header 'Oc-Cncc-Id: Cluster1' \
--header 'Oc-Cncc-Instance-Id: Cluster1-OCCM-instance1' \
--header 'Authorization: Bearer LxuLeX9dihXDUcoFwDw' \
--header 'Content-Type: application/json' \
--data-raw '{
"name": "CA-TLS-1",
"server": "https://thrust5:8445/ejbca/publicweb/cmp/occmalias",
"recipientDN": "/CN=svc.thrust5",
"issuerDN": "/CN=ManagementCA",
"totalTimeout": "60",
"messageTimeout": "30",
"cmpProtectionOccmCert": {
"type": null,
"digestAlgorithm": null,
"macAlgorithm": null,
"macK8sSecretIn": {
"namespace": "",
"name": "",
"passKey": "",
"refKey": ""
},
"signK8sSecretIn": {
"namespace": "",
"name": "",
"key": "",
"cert": "",
"extraCerts": []
}
},
"cmpProtectionOtherCert": {
"type": "SIGNATURE",
"digestAlgorithm": "SHA256",
"signK8sSecretIn": {
"namespace": "ns1",
"name": "ca1-occm-key-cert-secret",
"key": "occmkey.pem",
"cert": "occm.cer",
"extraCerts": []
}
},
"occmTrustStoreK8sSecretIn": {
"namespace": "ns1",
"name": "ca1-occm-trust-store-secret",
"rootCACerts": ["caroot.cer"],
"intCACerts": ["intca.cer"],
"serverCert": ""
},
"tlsConfig":{
"enableTLS":true,
"tlsTrustStoreK8sSecretItem":{
"namespace": "ns1",
"name": "occm-tls-trust-store-secret",
"tlsTrustedCerts":["ManagementCA-chain.pem"]
}
}
}'
202 Accepted Response Body: '{
"uuid": "4c5b4025-6c63-438c-bcd7-27b5bf8da4fd",
"name": "CA-TLS-1",
"server": "https://thrust5:8445/ejbca/publicweb/cmp/occmalias",
"recipientDN": "/CN=svc.thrust5",
"issuerDN": "/CN=ManagementCA",
"totalTimeout": "60",
"messageTimeout": "30",
"cmpProtectionOccmCert": {
"type": null,
"digestAlgorithm": null,
"macAlgorithm": null,
"macK8sSecretIn": {
"namespace": "",
"name": "",
"passKey": "",
"refKey": ""
},
"signK8sSecretIn": {
"namespace": "",
"name": "",
"key": "",
"cert": "",
"extraCerts": []
}
},
"cmpProtectionOtherCert": {
"type": "SIGNATURE",
"digestAlgorithm": "SHA256",
"signK8sSecretIn": {
"namespace": "ns1",
"name": "ca1-occm-key-cert-secret",
"key": "occmkey.pem",
"cert": "occm.cer",
"extraCerts": []
}
},
"occmTrustStoreK8sSecretIn": {
"namespace": "ns1",
"name": "ca1-occm-trust-store-secret",
"rootCACerts": ["caroot.cer"],
"intCACerts": ["intca.cer"],
"serverCert": ""
},
"tlsConfig":{
"enableTLS":true,
"tlsTrustStoreK8sSecretItem":{
"namespace": "ns1",
"name": "occm-tls-trust-store-secret",
"tlsTrustedCerts":["ManagementCA-chain.pem"]
}
}
}'
2.1.4 Update Issuer Configurations
OCCM uses the PUT operation to update an issuer configuration, identified by the issuer uuid in the path parameter, with the request body.
Resource URI: /occm-config/v1/issuers/{uuid}
Which fields may be updated depends on whether any certificate refers to the issuer:
- No certificate is attached to the issuer: all fields may be updated.
- A certificate is attached to the issuer: only the following fields may be updated:
  - server - Domain URL of the CA
  - tlsConfig - TLS configuration:
    - enableTLS - When set to true, the connection to the CA is made over HTTPS. Ensure the server URL uses the https scheme when this is set to true.
    - tlsTrustStoreK8sSecretItem - TLS trust store secret details:
      - namespace - Kubernetes namespace where the TLS trust store secret is present
      - name - Kubernetes secret which holds the TLS trust store information (CA certificates)
      - tlsTrustedCerts - Trusted certificate(s) used to validate the TLS server certificate
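The rule above means a PUT that is valid for a fresh issuer is rejected once certificates reference it, and the response does not point at the offending field. The guard below is an added example and not OCCM code: it diffs the stored issuer against the proposed body down to the leaf, and when certificates are attached it reports every changed path whose top-level field is not server or tlsConfig, which is what the rule permits. STORED_ISSUER is constructed from the CA1 sample of this chapter; enable_tls and change_protection build a permitted and a forbidden update from it.

```python
"""Guard for PUT /occm-config/v1/issuers/{uuid}: once any certificate refers to an
issuer, only server and tlsConfig may change (Section 2.1.4). Added example, not OCCM code."""
import copy

MUTABLE_WITH_CERTS = {"server", "tlsConfig"}   # the fields Section 2.1.4 leaves updatable


def diff_paths(old, new, prefix: str = "") -> list[str]:
    """Dotted paths of every leaf that differs between two nested dicts."""
    if isinstance(old, dict) and isinstance(new, dict):
        paths = []
        for key in sorted(set(old) | set(new)):
            paths += diff_paths(old.get(key), new.get(key), f"{prefix}{key}.")
        return paths
    return [] if old == new else [prefix.rstrip(".")]


def check_update(existing: dict, proposed: dict, certificates_attached: bool) -> list[str]:
    """Return why the PUT would be rejected; an empty list means it is allowed."""
    problems = []
    if proposed.get("uuid") not in (None, existing.get("uuid")):
        problems.append("uuid in the body does not match the issuer addressed by the path")
    if certificates_attached:
        for path in diff_paths(existing, proposed):
            if path != "uuid" and path.split(".")[0] not in MUTABLE_WITH_CERTS:
                problems.append(f"{path} cannot change while certificates refer to this issuer")
    return problems


# Constructed stored issuer, trimmed from the CA1 sample of this chapter.
STORED_ISSUER = {
    "uuid": "4c5b4025-6c63-438c-bcd7-27b5bf8da4fd", "name": "CA1",
    "server": "http://ca1-openssl-mock.ns1.svc.thrust5:8080",
    "recipientDN": "/CN=svc.thrust5", "totalTimeout": "60", "messageTimeout": "30",
    "cmpProtectionOtherCert": {"type": "SIGNATURE", "digestAlgorithm": "SHA256",
                               "signK8sSecretIn": {"namespace": "ns1", "name": "ca1-occm-key-cert-secret",
                                                   "key": "occmkey.pem", "cert": "occm.cer", "extraCerts": []}},
    "occmTrustStoreK8sSecretIn": {"namespace": "ns1", "name": "ca1-occm-trust-store-secret",
                                  "rootCACerts": ["caroot.cer"], "intCACerts": ["intca.cer"], "serverCert": ""},
    "tlsConfig": {"enableTLS": False,
                  "tlsTrustStoreK8sSecretItem": {"namespace": "", "name": "", "tlsTrustedCerts": [""]}},
}


def enable_tls(issuer: dict) -> dict:
    """Proposed body that moves the CA connection to HTTPS: allowed even with certificates attached."""
    proposed = copy.deepcopy(issuer)
    proposed["server"] = "https://thrust5:8445/ejbca/publicweb/cmp/occmalias"
    proposed["tlsConfig"] = {"enableTLS": True, "tlsTrustStoreK8sSecretItem": {
        "namespace": "ns1", "name": "occm-tls-trust-store-secret",
        "tlsTrustedCerts": ["ManagementCA-chain.pem"]}}
    return proposed


def change_protection(issuer: dict) -> dict:
    """Proposed body that renames the issuer and changes the digest: locked once certificates exist."""
    proposed = copy.deepcopy(issuer)
    proposed["name"] = "CA1-renamed"
    proposed["cmpProtectionOtherCert"]["digestAlgorithm"] = "SHA384"
    return proposed


if __name__ == "__main__":
    print("enable TLS  :", check_update(STORED_ISSUER, enable_tls(STORED_ISSUER), True) or "allowed")
    print("re-protect  :", check_update(STORED_ISSUER, change_protection(STORED_ISSUER), True) or "allowed")
```

Fetch the stored issuer with GET /occm-config/v1/issuers/{uuid} first, run check_update against the body you intend to send, and only then issue the PUT. The same diff also tells an operator which locked field they would have to change by deleting and re-creating the issuer after its certificates are removed (Section 2.1.5).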
Table 2-6 Path Parameter
Name | Data Type | Mandatory (M) or Optional (O) | Cardinality | Description |
---|---|---|---|---|
uuid | String | M | 1 | Issuer uuid |
Table 2-7 Data structures supported by the PUT Response Body on this resource
Response codes | Data type | Cardinality | Description |
---|---|---|---|
200 OK | Issuers | 1 | This is a mandatory parameter. Issuers configuration data |
400 BAD REQUEST | Problem Details | 1 | This is a mandatory parameter. Invalid input is passed to process request. |
Sample PUT request (TLS to the CA disabled):
$ curl --location --request PUT 'http://{host}:{port}/occm-config/v1/issuers/4c5b4025-6c63-438c-bcd7-27b5bf8da4fd' \
--header 'Oc-Cncc-Id: Cluster1' \
--header 'Oc-Cncc-Instance-Id: Cluster1-OCCM-instance1' \
--header 'Authorization: Bearer LxuLeX9dihXDUcoFwDw' \
--header 'Content-Type: application/json' \
--data-raw '{
"uuid": "4c5b4025-6c63-438c-bcd7-27b5bf8da4fd",
"name": "CA1",
"server": "http://ca1-openssl-mock.ns1.svc.thrust5:8080",
"recipientDN": "/CN=svc.thrust5",
"issuerDN": "/CN=svc.thrust5",
"totalTimeout": "60",
"messageTimeout": "30",
"cmpProtectionOccmCert": {
"type": null,
"digestAlgorithm": null,
"macAlgorithm": null,
"macK8sSecretIn": {
"namespace": "",
"name": "",
"passKey": "",
"refKey": ""
},
"signK8sSecretIn": {
"namespace": "",
"name": "",
"key": "",
"cert": "",
"extraCerts": []
}
},
"cmpProtectionOtherCert": {
"type": "SIGNATURE",
"digestAlgorithm": "SHA256",
"signK8sSecretIn": {
"namespace": "ns1",
"name": "ca1-occm-key-cert-secret",
"key": "occmkey.pem",
"cert": "occm.cer",
"extraCerts": []
}
},
"occmTrustStoreK8sSecretIn": {
"namespace": "ns1",
"name": "ca1-occm-trust-store-secret",
"rootCACerts": ["caroot.cer"],
"intCACerts": ["intca.cer"],
"serverCert": ""
},
"tlsConfig":{
"enableTLS":false,
"tlsTrustStoreK8sSecretItem":{
"namespace": "",
"name": "",
"tlsTrustedCerts":[""]
}
}
}'
200 OK Response Body: '{
"uuid": "4c5b4025-6c63-438c-bcd7-27b5bf8da4fd",
"name": "CA1",
"server": "http://ca1-openssl-mock.ns1.svc.thrust5:8080",
"recipientDN": "/CN=svc.thrust5",
"issuerDN": "/CN=svc.thrust5",
"totalTimeout": "60",
"messageTimeout": "30",
"cmpProtectionOccmCert": {
"type": null,
"digestAlgorithm": null,
"macAlgorithm": null,
"macK8sSecretIn": {
"namespace": "",
"name": "",
"passKey": "",
"refKey": ""
},
"signK8sSecretIn": {
"namespace": "",
"name": "",
"key": "",
"cert": "",
"extraCerts": []
}
},
"cmpProtectionOtherCert": {
"type": "SIGNATURE",
"digestAlgorithm": "SHA256",
"signK8sSecretIn": {
"namespace": "ns1",
"name": "ca1-occm-key-cert-secret",
"key": "occmkey.pem",
"cert": "occm.cer",
"extraCerts": []
}
},
"occmTrustStoreK8sSecretIn": {
"namespace": "ns1",
"name": "ca1-occm-trust-store-secret",
"rootCACerts": ["caroot.cer"],
"intCACerts": ["intca.cer"],
"serverCert": ""
},
"tlsConfig":{
"enableTLS":false,
"tlsTrustStoreK8sSecretItem":{
"namespace": "",
"name": "",
"tlsTrustedCerts":[""]
}
}
}'
Sample PUT request enabling TLS to the CA (https server URL and a populated TLS trust store):
$ curl --location --request PUT 'http://{host}:{port}/occm-config/v1/issuers/4c5b4025-6c63-438c-bcd7-27b5bf8da4fd' \
--header 'Oc-Cncc-Id: Cluster1' \
--header 'Oc-Cncc-Instance-Id: Cluster1-OCCM-instance1' \
--header 'Authorization: Bearer LxuLeX9dihXDUcoFwDw' \
--header 'Content-Type: application/json' \
--data-raw '{
"uuid": "4c5b4025-6c63-438c-bcd7-27b5bf8da4fd",
"name": "CA-TLS-1",
"server": "https://thrust5:8445/ejbca/publicweb/cmp/occmalias",
"recipientDN": "/CN=svc.thrust5",
"issuerDN": "/CN=ManagementCA",
"totalTimeout": "60",
"messageTimeout": "30",
"cmpProtectionOccmCert": {
"type": null,
"digestAlgorithm": null,
"macAlgorithm": null,
"macK8sSecretIn": {
"namespace": "",
"name": "",
"passKey": "",
"refKey": ""
},
"signK8sSecretIn": {
"namespace": "",
"name": "",
"key": "",
"cert": "",
"extraCerts": []
}
},
"cmpProtectionOtherCert": {
"type": "SIGNATURE",
"digestAlgorithm": "SHA256",
"signK8sSecretIn": {
"namespace": "ns1",
"name": "ca1-occm-key-cert-secret",
"key": "occmkey.pem",
"cert": "occm.cer",
"extraCerts": []
}
},
"occmTrustStoreK8sSecretIn": {
"namespace": "ns1",
"name": "ca1-occm-trust-store-secret",
"rootCACerts": ["caroot.cer"],
"intCACerts": ["intca.cer"],
"serverCert": ""
},
"tlsConfig":{
"enableTLS":true,
"tlsTrustStoreK8sSecretItem":{
"namespace": "ns1",
"name": "occm-tls-trust-store-secret",
"tlsTrustedCerts":["ManagementCA-chain.pem"]
}
}
}'
200 OK Response Body: '{
"uuid": "4c5b4025-6c63-438c-bcd7-27b5bf8da4fd",
"name": "CA-TLS-1",
"server": "https://thrust5:8445/ejbca/publicweb/cmp/occmalias",
"recipientDN": "/CN=svc.thrust5",
"issuerDN": "/CN=ManagementCA",
"totalTimeout": "60",
"messageTimeout": "30",
"cmpProtectionOccmCert": {
"type": null,
"digestAlgorithm": null,
"macAlgorithm": null,
"macK8sSecretIn": {
"namespace": "",
"name": "",
"passKey": "",
"refKey": ""
},
"signK8sSecretIn": {
"namespace": "",
"name": "",
"key": "",
"cert": "",
"extraCerts": []
}
},
"cmpProtectionOtherCert": {
"type": "SIGNATURE",
"digestAlgorithm": "SHA256",
"signK8sSecretIn": {
"namespace": "ns1",
"name": "ca1-occm-key-cert-secret",
"key": "occmkey.pem",
"cert": "occm.cer",
"extraCerts": []
}
},
"occmTrustStoreK8sSecretIn": {
"namespace": "ns1",
"name": "ca1-occm-trust-store-secret",
"rootCACerts": ["caroot.cer"],
"intCACerts": ["intca.cer"],
"serverCert": ""
},
"tlsConfig":{
"enableTLS":true,
"tlsTrustStoreK8sSecretItem":{
"namespace": "ns1",
"name": "occm-tls-trust-store-secret",
"tlsTrustedCerts":["ManagementCA-chain.pem"]
}
}
}'
2.1.5 Delete Issuers Data
OCCM uses the DELETE operation to remove an issuer configuration identified by its uuid in the path parameter. The deleted issuer configuration is returned in the response body.
Note:
An issuer can only be deleted if there are no certificates referring to this issuer entry.
Resource URI: /occm-config/v1/issuers/{uuid}
Table 2-8 Path Parameter
Name | Data Type | Mandatory (M) or Optional (O) | Cardinality | Description |
---|---|---|---|---|
uuid | String | M | 1 | Issuer uuid |
Table 2-9 Data structures supported by the DELETE Response Body on this resource
Response codes | Data type | Cardinality | Description |
---|---|---|---|
200 OK | Issuers | 1 | Configuration data of the deleted issuer |
400 Bad Request | Problem Details | 1 | Input does not match what is required to process the request |
$ curl --location --request DELETE 'http://{host}:{port}/occm-config/v1/issuers/4c5b4025-6c63-438c-bcd7-27b5bf8da4fd' \
--header 'Oc-Cncc-Id: Cluster1' \
--header 'Oc-Cncc-Instance-Id: Cluster1-OCCM-instance1' \
--header 'Authorization: Bearer eyJhbGciOiJSUzI1NiIs.…...'
200 OK Response Body: '{
"uuid": "4c5b4025-6c63-438c-bcd7-27b5bf8da4fd",
"name": "CA1",
"server": "http://ca1-openssl-mock.ns1.svc.thrust5:8080",
"recipientDN": "/CN=svc.thrust5",
"issuerDN": "/CN=svc.thrust5",
"totalTimeout": "60",
"messageTimeout": "30",
"cmpProtectionOccmCert": {
"type": null,
"digestAlgorithm": null,
"macAlgorithm": null,
"macK8sSecretIn": {
"namespace": "",
"name": "",
"passKey": "",
"refKey": ""
},
"signK8sSecretIn": {
"namespace": "",
"name": "",
"key": "",
"cert": "",
"extraCerts": []
}
},
"cmpProtectionOtherCert": {
"type": "SIGNATURE",
"digestAlgorithm": "SHA256",
"signK8sSecretIn": {
"namespace": "ns1",
"name": "ca1-occm-key-cert-secret",
"key": "occmkey.pem",
"cert": "occm.cer",
"extraCerts": []
}
},
"occmTrustStoreK8sSecretIn": {
"namespace": "ns1",
"name": "ca1-occm-trust-store-secret",
"rootCACerts": ["caroot.cer"],
"intCACerts": ["intca.cer"],
"serverCert": ""
},
"tlsConfig":{
"enableTLS":false,
"tlsTrustStoreK8sSecretItem":{
"namespace": "",
"name": "",
"tlsTrustedCerts":[""]
}
}
}'
2.2 OCCM Certificates
OCCM Certificates Data Model
Table 2-10 OCCM Certificates Request Parameters
Field Name | Data Type | Description |
---|---|---|
name | String | This is a mandatory parameter. Name of the certificate |
lcmType | Enum | This is a mandatory parameter. Possible values: AUTOMATIC, MANUAL |
certType | Enum | This is a mandatory parameter. Possible values: OCCM, OTHER |
renewBefore | String | This is an optional parameter. Number of days before the certificate expiry at which the certificate will be renewed. Default value: 14 days. Min: 1 day. Max: [(validity, i.e. csr.days) - 1] days |
certPurpose | String | This is an optional parameter. Purpose of certificate creation |
issuer | String | This is a mandatory parameter. Name of CA |
privateKey | Object | This is a mandatory parameter. Private key details such as algorithm, key size and key encoding |
privateKey.keyAlgo | Enum | This is a mandatory parameter. Private key algorithm to be used. Possible values: RSA, EC |
privateKey.keySize | Enum | This is an optional parameter. The number of bits in the generated key. Select a bit length of at least 2048 when using RSA and 256 when using ECDSA; these are the smallest key sizes allowed for SSL certificates. Possible values: KEYSIZE_2048, KEYSIZE_4096. Default value for RSA key: 2048 bits |
privateKey.keyEncoding | Enum | This is a mandatory parameter. The output format of the private key. Default value: PEM. Possible values: PEM, DER |
privateKey.ecCurve | Enum | This is an optional parameter. The EC curve to use if the key algorithm selected is EC. Default value: SECP384r1. Possible values: SECP256r1, SECP384r1 |
privateKey.keyFormat | String | This is a mandatory parameter. The output format of the private key. Default value: PEM |
privateKey.privateKeyK8sSecretOut | Object | This is a mandatory parameter, except for CMP Identity (OCCM) certificates, where it is optional because it is auto-populated from the issuer. Private key output location |
privateKey.privateKeyK8sSecretOut.namespace | String | This is a mandatory parameter, except for CMP Identity (OCCM) certificates, where it is optional because it is auto-populated from the issuer. Kubernetes namespace |
privateKey.privateKeyK8sSecretOut.name | String | This is a mandatory parameter, except for CMP Identity (OCCM) certificates, where it is optional because it is auto-populated from the issuer. Kubernetes secret name |
privateKey.privateKeyK8sSecretOut.key | String | This is a mandatory parameter, except for CMP Identity (OCCM) certificates, where it is optional because it is auto-populated from the issuer. Kubernetes secret key against which the key pair will be stored |
csr | Object | This is a mandatory parameter. Certificate Signing Request data |
csr.extendedKeyUsage | Object | This is a mandatory parameter. A multi-valued certificate extension containing a list of values indicating the purposes for which the certificate public key can be used |
csr.extendedKeyUsage.critical | Boolean | This is an optional parameter. When set to true, the extended key usage extension is marked as critical. Default value: false. Possible values: true, false |
csr.extendedKeyUsage.extendedKeyUsageValues | List<Enum> | This is a mandatory parameter. List of extendedKeyUsage values. Default value(s): CLIENT_AUTH, SERVER_AUTH. Possible values: CLIENT_AUTH, SERVER_AUTH |
csr.keyUsage | Object | This is a mandatory parameter. A multi-valued certificate extension containing a list of names of the permitted key usages |
csr.keyUsage.critical | Boolean | This is an optional parameter. When set to true, the key usage extension is marked as critical. Possible values: true, false |
csr.keyUsage.keyUsageValues | List<Enum> | This is a mandatory parameter. List of keyUsage values. Default value: DIGITAL_SIGNATURE. Possible values: DIGITAL_SIGNATURE, KEY_ENCIPHERMENT, NON_REPUDIATION |
csr.basicConstraints | Object | This is an optional parameter. A multi-valued extension that indicates whether a certificate is a CA certificate. The first value is CA, followed by TRUE or FALSE |
csr.basicConstraints.critical | Boolean | This is an optional parameter. When set to true, the basicConstraints extension is marked as critical. Possible values: true, false |
csr.basicConstraints.basicConstraintsValue | Enum | This is an optional parameter. BasicConstraints value. Default value: END_ENTITY. Possible values: END_ENTITY |
csr.subject | Object | This is a mandatory parameter if csr.subjectAltName is not provided. Information about the company |
csr.subject.country | String | This is an optional parameter. Country code where the company is legally located |
csr.subject.state | String | This is an optional parameter. State where the company is legally located |
csr.subject.location | String | This is an optional parameter. The city or town where the company is legally located |
csr.subject.organization | String | This is an optional parameter. Your company's legally registered name |
csr.subject.organizationUnit | String | This is an optional parameter. Name of your department within the organization |
csr.subject.commonName | String | This is an optional parameter. The Common Name (CN) represents the server name protected by the SSL certificate. The certificate is valid only if the requested hostname matches the certificate common name |
csr.days | String | This is a mandatory parameter. Requested validity for the certificate, i.e. the number of days for which the certificate will be valid. Default value: 365 days. Max value: 1096 days. Min value: 2 days |
csr.subjectAltName | Object | This is an optional parameter. A multi-valued extension indicating all of the domain names, IP addresses, URIs, etc. that are secured by the certificate |
csr.subjectAltName.critical | Boolean | This is an optional parameter. When set to true, the subjectAltName extension is marked as critical. Default value: true. Possible values: true, false |
csr.subjectAltName.ipAddress | List<String> | This is an optional parameter. List of IP addresses |
csr.subjectAltName.dns | List<String> | This is an optional parameter. List of domain names |
csr.subjectAltName.uriIdUrn | List<String> | This is an optional parameter. List of URI IDs (URN of the NFInstanceId) |
csr.subjectAltName.uriIdApiRoot | List<String> | This is an optional parameter. List of uniform resource locator IDs |
csr.certK8sSecretOut | Object | This is a mandatory parameter, except for CMP Identity (OCCM) certificates, where it is optional because it is auto-populated from the issuer. Certificate output location |
csr.certK8sSecretOut.namespace | String | This is a mandatory parameter, except for CMP Identity (OCCM) certificates, where it is optional because it is auto-populated from the issuer. Kubernetes secret namespace |
csr.certK8sSecretOut.name | String | This is a mandatory parameter, except for CMP Identity (OCCM) certificates, where it is optional because it is auto-populated from the issuer. Kubernetes secret name |
csr.certK8sSecretOut.key | String | This is a mandatory parameter, except for CMP Identity (OCCM) certificates, where it is optional because it is auto-populated from the issuer. Kubernetes secret key against which the certificate will be stored |
csr.certChainK8sSecretOut | Object | This is a mandatory parameter. Certificate chain output location |
csr.certChainK8sSecretOut.namespace | String | This is an optional parameter. Kubernetes secret namespace |
csr.certChainK8sSecretOut.name | String | This is a mandatory parameter. Kubernetes secret name |
csr.certChainK8sSecretOut.key | String | This is an optional parameter. Kubernetes secret key against which the certificate chain will be stored |
csr.mergeCertAndChain | boolean | This is an optional parameter. When set to true, the complete chain containing the leaf certificate and the intermediate CA certificates obtained from the CA is written to the Kubernetes secret against the configured key. Default value: false |
nf | String | This is a mandatory parameter. NF name |
uuid | String | Unique id for logging and tracking purposes |
overrideSecret | boolean | This is an optional parameter. This flag is used to override the Kubernetes secret with the new certificate. Default value: false. Possible values: true, false |
caBundleK8sSecretIn | Object | This is an optional parameter. CA bundle secret input details. Used to trust peer entities |
caBundleK8sSecretIn.namespace | String | This is an optional parameter. Kubernetes secret namespace |
caBundleK8sSecretIn.name | String | This is an optional parameter. Kubernetes secret name |
caBundleK8sSecretIn.key | String | This is an optional parameter. Kubernetes secret key against which the CA bundle certificate(s) will be stored |
Table 2-11 OCCM Certificate Response Codes
Response codes | Data type | Cardinality | Description |
---|---|---|---|
200 OK | Object (Certs) Or List(Certs) | 1 | This is a mandatory parameter. Object Certs Or List (CertConfig) matching criteria |
201 CREATED | Object (Certs) | 1 | This is a mandatory parameter. Object Certs |
202 Accepted | String | 1 | This is a mandatory parameter. Return uuid |
400 Bad request | Problem Details | 1 | This is a mandatory parameter. Input does not match to process request |
500 Internal Server Error | Problem Details | 1 | This is a mandatory parameter. Something went wrong |
409 Conflict | Problem Details | 1 | This is a mandatory parameter. Record already exists |
Note:
OCCM Certificates response body data model varies based on REST operation status.
OCCM Certificate JSON payload
{
"name": "",
"lcmType": "",
"certType": "",
"renewBefore": "",
"certPurpose": "",
"issuer": "",
"privateKey": {
"keyAlgo": "",
"keySize": "",
"keyEncoding": "",
"ecCurve":"",
"privateKeyK8sSecretOut": {
"namespace": "",
"name": "",
"key": ""
}
},
"csr": {
"extendedKeyUsage": {
"critical" : "",
"extendedKeyUsageValues" : []
},
"keyUsage": {
"critical" : "",
"keyUsageValues" : []
},
"basicConstraints": {
"critical" : true,
"basicConstraintsValue" : ""
},
"subject": {
"country": "",
"state": "",
"location": "",
"organization": "",
"organizationUnit": "",
"commonName": ""
},
"days": "",
"subjectAltName": {
"critical" : "",
"ipAddress": [],
"dns": [],
"uriIdUrn": [],
"uriIdApiRoot": []
},
"certK8sSecretOut": {
"namespace": "",
"name": "",
"key": ""
},
"certChainK8sSecretOut": {
"namespace": "",
"name": "",
"key": ""
},
"mergeCertAndChain" : false
},
"caBundleK8sSecretIn": {
"namespace": "",
"name": "",
"key": ""
},
"nf": "",
"overrideSecret": false
}
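The constraints in Table 2-10 (enum values, the renewBefore and csr.days bounds, which output secrets are mandatory for certType OTHER, and subject versus subjectAltName) are easy to get wrong in a hand-written payload and only surface as a 400 Bad Request. The following pre-flight validator is an added example, not OCCM's own code; the function and constant names are this example's own, and the sample payloads are constructed from the NRF example in this section.

```python
"""Pre-flight validation of an OCCM certificate configuration payload.

Added example, not OCCM's own code. The checks encode the constraints
stated in Table 2-10; function and constant names are this example's own.
"""
import copy

LCM_TYPES = {"AUTOMATIC", "MANUAL"}
CERT_TYPES = {"OCCM", "OTHER"}
KEY_ALGOS = {"RSA", "EC"}
KEY_SIZES = {"KEYSIZE_2048", "KEYSIZE_4096"}
EC_CURVES = {"SECP256r1", "SECP384r1"}
KEY_ENCODINGS = {"PEM", "DER"}
EKU_VALUES = {"CLIENT_AUTH", "SERVER_AUTH"}
KU_VALUES = {"DIGITAL_SIGNATURE", "KEY_ENCIPHERMENT", "NON_REPUDIATION"}
MIN_DAYS, MAX_DAYS, DEFAULT_DAYS = 2, 1096, 365
DEFAULT_RENEW_BEFORE = 14


def _as_int(value, default):
    """Numeric fields are strings in the payload ("365"); empty means default."""
    if value in (None, ""):
        return default
    try:
        return int(value)
    except (TypeError, ValueError):
        return None


def _secret_ref_complete(ref):
    """A Kubernetes secret reference needs namespace, name and key."""
    return bool(ref) and all(ref.get(k) for k in ("namespace", "name", "key"))


def validate_cert_config(cfg):
    """Return the list of constraint violations; an empty list means acceptable."""
    problems = []
    for field in ("name", "lcmType", "certType", "issuer", "nf", "privateKey", "csr"):
        if not cfg.get(field):
            problems.append(f"{field} is mandatory")
    if cfg.get("lcmType") not in LCM_TYPES:
        problems.append("lcmType must be AUTOMATIC or MANUAL")
    if cfg.get("certType") not in CERT_TYPES:
        problems.append("certType must be OCCM or OTHER")
    pk = cfg.get("privateKey") or {}
    csr = cfg.get("csr") or {}

    # Key material: algorithm-specific size or curve, plus encoding.
    algo = pk.get("keyAlgo")
    if algo not in KEY_ALGOS:
        problems.append("privateKey.keyAlgo must be RSA or EC")
    elif algo == "RSA" and (pk.get("keySize") or "KEYSIZE_2048") not in KEY_SIZES:
        problems.append("privateKey.keySize must be KEYSIZE_2048 or KEYSIZE_4096")
    elif algo == "EC" and (pk.get("ecCurve") or "SECP384r1") not in EC_CURVES:
        problems.append("privateKey.ecCurve must be SECP256r1 or SECP384r1")
    if pk.get("keyEncoding") not in KEY_ENCODINGS:
        problems.append("privateKey.keyEncoding must be PEM or DER")

    # Output secrets: mandatory for OTHER certs; OCCM certs inherit them from the issuer.
    if cfg.get("certType") == "OTHER":
        if not _secret_ref_complete(pk.get("privateKeyK8sSecretOut")):
            problems.append("privateKey.privateKeyK8sSecretOut needs namespace, name and key")
        if not _secret_ref_complete(csr.get("certK8sSecretOut")):
            problems.append("csr.certK8sSecretOut needs namespace, name and key")
    if not (csr.get("certChainK8sSecretOut") or {}).get("name"):
        problems.append("csr.certChainK8sSecretOut.name is mandatory")

    # Validity window and renewal lead time: 1 <= renewBefore <= csr.days - 1.
    days = _as_int(csr.get("days"), DEFAULT_DAYS)
    if days is None or not MIN_DAYS <= days <= MAX_DAYS:
        problems.append(f"csr.days must be between {MIN_DAYS} and {MAX_DAYS}")
    renew = _as_int(cfg.get("renewBefore"), DEFAULT_RENEW_BEFORE)
    if renew is None or renew < 1 or (days is not None and renew > days - 1):
        problems.append("renewBefore must be between 1 and csr.days - 1")

    # Extensions: only the documented enum values, and never a CA certificate.
    eku = (csr.get("extendedKeyUsage") or {}).get("extendedKeyUsageValues") or []
    if not eku or not set(eku) <= EKU_VALUES:
        problems.append("extendedKeyUsageValues must be a non-empty subset of CLIENT_AUTH, SERVER_AUTH")
    ku = (csr.get("keyUsage") or {}).get("keyUsageValues") or []
    if not ku or not set(ku) <= KU_VALUES:
        problems.append("keyUsageValues must be a non-empty subset of the documented key usages")
    if ((csr.get("basicConstraints") or {}).get("basicConstraintsValue") or "END_ENTITY") != "END_ENTITY":
        problems.append("basicConstraintsValue must be END_ENTITY")

    # Identity: a subject is required when no subjectAltName is given.
    san = csr.get("subjectAltName") or {}
    has_san = any(san.get(k) for k in ("ipAddress", "dns", "uriIdUrn", "uriIdApiRoot"))
    if not has_san and not any((csr.get("subject") or {}).values()):
        problems.append("csr.subject is mandatory when csr.subjectAltName is not provided")
    return problems


# Constructed sample payload, modelled on the NRF example in this section.
SAMPLE_CONFIG = {
    "name": "NRFTLS12", "lcmType": "AUTOMATIC", "certType": "OTHER", "renewBefore": "7",
    "certPurpose": "NRF SBI", "issuer": "CA21", "nf": "NRF", "overrideSecret": False,
    "privateKey": {"keyAlgo": "RSA", "keySize": "KEYSIZE_2048", "keyEncoding": "PEM", "ecCurve": "",
                   "privateKeyK8sSecretOut": {"namespace": "occm", "name": "nrf-tls-secret-54", "key": "nrf.pem"}},
    "csr": {
        "extendedKeyUsage": {"critical": False, "extendedKeyUsageValues": ["CLIENT_AUTH", "SERVER_AUTH"]},
        "keyUsage": {"critical": True, "keyUsageValues": ["DIGITAL_SIGNATURE"]},
        "basicConstraints": {"critical": True, "basicConstraintsValue": "END_ENTITY"},
        "subject": {"country": "IN", "organization": "Oracle", "commonName": "some.example.com"},
        "days": "365",
        "subjectAltName": {"critical": None, "dns": ["centos8-2.example.com"]},
        "certK8sSecretOut": {"namespace": "occm", "name": "nrf-tls-secret-54", "key": "nrf.cer"},
        "certChainK8sSecretOut": {"namespace": "occm", "name": "nrf-tls-secret-54", "key": "nrfcertchain.cer"},
        "mergeCertAndChain": False,
    },
}

# Same payload with an unsupported curve and a validity too short for the default renewBefore.
BAD_CONFIG = copy.deepcopy(SAMPLE_CONFIG)
BAD_CONFIG["privateKey"].update({"keyAlgo": "EC", "ecCurve": "P-256"})
BAD_CONFIG["csr"]["days"] = "10"
del BAD_CONFIG["renewBefore"]

if __name__ == "__main__":
    for label, cfg in (("sample", SAMPLE_CONFIG), ("bad", BAD_CONFIG)):
        print(label, validate_cert_config(cfg) or "OK")
```

Run this against a payload before issuing the POST in 2.2.3; the second sample shows the case the table only implies, that omitting renewBefore with a short csr.days violates the renewBefore maximum of csr.days - 1.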
2.2.1 Fetch all Certificate Configurations
OCCM uses the GET operation to fetch all the certificate configurations.
Resource URI: /occm-config/v1/certs
Table 2-12 Data structures supported by the GET Response Body on this resource
Response codes | Data type | Cardinality | Description |
---|---|---|---|
200 OK | Object (Certs) Or List(Certs) | 1 | This is a mandatory parameter. List (CertConfig) matching criteria |
500 Internal Server Error | Problem Details | 1 | This is a mandatory parameter. Something went wrong |
$ curl --location --request GET 'http://{host}:{port}/occm-config/v1/certs' \
--header 'Oc-Cncc-Id: Cluster1' \
--header 'Oc-Cncc-Instance-Id: Cluster1-OCCM-instance1' \
--header 'Authorization: Bearer eyJhbGciOiJSU.…...'
200 OK Response Body: '[
{
"uuid": "b4d896ac-689d-4e12-a76c-54c8de4ffe52",
"name": "NRFTLS12",
"lcmType": "AUTOMATIC",
"certType": "OTHER",
"renewBefore": "7",
"certPurpose": "NRF SBI",
"issuer": "CA21",
"privateKey": {
"keyAlgo": "RSA",
"keySize": "KEYSIZE_2048",
"keyEncoding": "PEM",
"ecCurve":"",
"privateKeyK8sSecretOut": {
"namespace": "occm",
"name": "nrf-tls-secret-54",
"key": "nrf.pem"
}
},
"csr": {
"extendedKeyUsage": {
"critical" : false,
"extendedKeyUsageValues" : [
"CLIENT_AUTH",
"SERVER_AUTH"
]
},
"keyUsage": {
"critical" : true,
"keyUsageValues" : [
"DIGITAL_SIGNATURE"
]
},
"basicConstraints": {
"critical" : true,
"basicConstraintsValue" : "END_ENTITY"
},
"subject": {
"country": "IN",
"state": "Karnataka",
"location": "Bengaluru",
"organization": "Oracle",
"organizationUnit": "OracleBU",
"commonName": "some.example.com"
},
"days": "365",
"subjectAltName": {
"critical" : null,
"ipAddress": [
"10.10.10.13",
"10.10.10.14"
],
"dns": [
"centos8-2.example.com",
"centos8-3.example.com"
],
"uriIdUrn": [
"urn:uuid:f81d4fae-7dec-11d0-a765-00a0c91e6bf6"
],
"uriIdApiRoot": [
]
},
"certK8sSecretOut": {
"namespace": "occm",
"name": "nrf-tls-secret-54",
"key": "nrf.cer"
},
"certChainK8sSecretOut": {
"namespace": "occm",
"name": "nrf-tls-secret-54",
"key": "nrfcertchain.cer"
},
"mergeCertAndChain" : false
},
"caBundleK8sSecretIn": {
"namespace": "occm",
"name": "nrf-cabu",
"key": "cabundle.cer"
},
"nf": "NRF",
"overrideSecret": false
} ]'
2.2.2 Fetch Certificate Configurations by UUID
OCCM uses the GET operation to fetch the certificate configuration details by UUID.
Resource URI: /occm-config/v1/certs/{uuid}
Table 2-13 Path Parameter
Name | Data Type | Mandatory (M) or Optional (O) | Cardinality | Description |
---|---|---|---|---|
uuid | String | M | 1 | Fetches Certificate configuration for given UUID |
Table 2-14 Data structures supported by the GET Response Body on this resource
Response codes | Data type | Cardinality | Description |
---|---|---|---|
404 Not Found | Problem Details | 1 | This is a mandatory parameter. Input does not match to process request |
200 OK | Object (Certs) | 1 | This is a mandatory parameter. Object (CertConfig) matching criteria |
500 Internal Server Error | Problem Details | 1 | This is a mandatory parameter. Something went wrong |
400 Bad Request | Problem Details | 1 | This is a mandatory parameter. wrong Input |
$ curl --location --request GET 'http://{host}:{port}/occm-config/v1/certs/b4d896ac-689d-4e12-a76c-54c8de4ffe52' \
--header 'Oc-Cncc-Id: Cluster1' \
--header 'Oc-Cncc-Instance-Id: Cluster1-OCCM-instance1' \
--header 'Authorization: Bearer eyJhbGciOiJSU.…'
200 OK Response Body: '{
"uuid": "b4d896ac-689d-4e12-a76c-54c8de4ffe52",
"name": "NRFTLS12",
"lcmType": "AUTOMATIC",
"certType": "OTHER",
"renewBefore": "7",
"certPurpose": "NRF SBI",
"issuer": "CA21",
"privateKey": {
"keyAlgo": "RSA",
"keySize": "KEYSIZE_2048",
"keyEncoding": "PEM",
"ecCurve":"",
"privateKeyK8sSecretOut": {
"namespace": "occm",
"name": "nrf-tls-secret-54",
"key": "nrf.pem"
}
},
"csr": {
"extendedKeyUsage": {
"critical" : false,
"extendedKeyUsageValues" : [
"CLIENT_AUTH",
"SERVER_AUTH"
]
},
"keyUsage": {
"critical" : true,
"keyUsageValues" : [
"DIGITAL_SIGNATURE"
]
},
"basicConstraints": {
"critical" : true,
"basicConstraintsValue" : "END_ENTITY"
},
"subject": {
"country": "IN",
"state": "Karnataka",
"location": "Bengaluru",
"organization": "Oracle",
"organizationUnit": "OracleBU",
"commonName": "some.example.com"
},
"days": "365",
"subjectAltName": {
"critical" : null,
"ipAddress": [
"10.10.10.13",
"10.10.10.14"
],
"dns": [
"centos8-2.example.com",
"centos8-3.example.com"
],
"uriIdUrn": [
"urn:uuid:f81d4fae-7dec-11d0-a765-00a0c91e6bf6"
],
"uriIdApiRoot": [
]
},
"certK8sSecretOut": {
"namespace": "occm",
"name": "nrf-tls-secret-54",
"key": "nrf.cer"
},
"certChainK8sSecretOut": {
"namespace": "occm",
"name": "nrf-tls-secret-54",
"key": "nrfcertchain.cer"
},
"mergeCertAndChain": false
},
"caBundleK8sSecretIn": {
"namespace": "occm",
"name": "nrf-cabu",
"key": "cabundle.cer"
},
"nf": "NRF",
"overrideSecret": false
}'
2.2.3 Add Certificate Configurations
OCCM uses the POST operation to add the certificate configuration using the Request Body.
Resource URI: /occm-config/v1/certs
Table 2-15 Data structures supported by the POST Response Body on this resource
Response codes | Data type | Cardinality | Description |
---|---|---|---|
202 Accepted | Object (Certs) | 1 | This is a mandatory parameter. Unique identification of certs |
400 BAD REQUEST | Problem Details | 1 | This is a mandatory parameter. Returns Problem Details structure as defined in 3GPP TS 29.571 section 5.2.4.1 |
409 CONFLICT | Problem Details | 1 | This is a mandatory parameter. Record already exists |
$ curl --location --request POST 'http://{host}:{port}/occm-config/v1/certs' \
--header 'Oc-Cncc-Id: Cluster1' \
--header 'Oc-Cncc-Instance-Id: Cluster1-OCCM-instance1' \
--header 'Authorization: Bearer eyJhbGciOiJSUzI1NiIsInR5cCIgOisG_L6HnBo9IIGc4g' \
--header 'Content-Type: application/json' \
--data-raw '{
"name": "NRFTLS12",
"lcmType": "AUTOMATIC",
"certType": "OTHER",
"renewBefore": "7",
"certPurpose": "NRF SBI",
"issuer": "CA21",
"privateKey": {
"keyAlgo": "RSA",
"keySize": "KEYSIZE_2048",
"keyEncoding": "PEM",
"ecCurve":"",
"privateKeyK8sSecretOut": {
"namespace": "occm",
"name": "nrf-tls-secret-54",
"key": "nrf.pem"
}
},
"csr": {
"extendedKeyUsage": {
"critical" : false,
"extendedKeyUsageValues" : [
"CLIENT_AUTH",
"SERVER_AUTH"
]
},
"keyUsage": {
"critical" : true,
"keyUsageValues" : [
"DIGITAL_SIGNATURE"
]
},
"basicConstraints": {
"critical" : true,
"basicConstraintsValue" : "END_ENTITY"
},
"subject": {
"country": "IN",
"state": "Karnataka",
"location": "Bengaluru",
"organization": "Oracle",
"organizationUnit": "OracleBU",
"commonName": "some.example.com"
},
"days": "365",
"subjectAltName": {
"critical" : null,
"ipAddress": [
"10.10.10.13",
"10.10.10.14"
],
"dns": [
"centos8-2.example.com",
"centos8-3.example.com"
],
"uriIdUrn": [
"urn:uuid:f81d4fae-7dec-11d0-a765-00a0c91e6bf6"
],
"uriIdApiRoot": [
]
},
"certK8sSecretOut": {
"namespace": "occm",
"name": "nrf-tls-secret-54",
"key": "nrf.cer"
},
"certChainK8sSecretOut": {
"namespace": "occm",
"name": "nrf-tls-secret-54",
"key": "nrfcertchain.cer"
} ,
"mergeCertAndChain" : false
},
"caBundleK8sSecretIn": {
"namespace": "occm",
"name": "nrf-cabu",
"key": "cabundle.cer"
},
"nf": "NRF",
"overrideSecret": false
}'
202 Accepted Response Body: '{
"uuid": "b4d896ac-689d-4e12-a76c-54c8de4ffe52",
"name": "NRFTLS12",
"lcmType": "AUTOMATIC",
"certType": "OTHER",
"renewBefore": "7",
"certPurpose": "NRF SBI",
"issuer": "CA21",
"privateKey": {
"keyAlgo": "RSA",
"keySize": "KEYSIZE_2048",
"keyEncoding": "PEM",
"ecCurve":"",
"privateKeyK8sSecretOut": {
"namespace": "occm",
"name": "nrf-tls-secret-54",
"key": "nrf.pem"
}
},
"csr": {
"extendedKeyUsage": {
"critical" : false,
"extendedKeyUsageValues" : [
"CLIENT_AUTH",
"SERVER_AUTH"
]
},
"keyUsage": {
"critical" : true,
"keyUsageValues" : [
"DIGITAL_SIGNATURE"
]
},
"basicConstraints": {
"critical" : true,
"basicConstraintsValue" : "END_ENTITY"
},
"subject": {
"country": "IN",
"state": "Karnataka",
"location": "Bengaluru",
"organization": "Oracle",
"organizationUnit": "OracleBU",
"commonName": "some.example.com"
},
"days": "365",
"subjectAltName": {
"critical" : null,
"ipAddress": [
"10.10.10.13",
"10.10.10.14"
],
"dns": [
"centos8-2.example.com",
"centos8-3.example.com"
],
"uriIdUrn": [
"urn:uuid:f81d4fae-7dec-11d0-a765-00a0c91e6bf6"
],
"uriIdApiRoot": [
]
},
"certK8sSecretOut": {
"namespace": "occm",
"name": "nrf-tls-secret-54",
"key": "nrf.cer"
},
"certChainK8sSecretOut": {
"namespace": "occm",
"name": "nrf-tls-secret-54",
"key": "nrfcertchain.cer"
} ,
"mergeCertAndChain" : false
},
"caBundleK8sSecretIn": {
"namespace": "occm",
"name": "nrf-cabu",
"key": "cabundle.cer"
},
"nf": "NRF",
"overrideSecret": false
}'
2.2.4 Recreate Certificates
OCCM uses the PUT operation to recreate a certificate from the existing certificate configuration identified by its certificate UUID. You can recreate any certificate that was created successfully and whose status is READY, EXPIRED, or FAILED. The certificate configuration must exist in OCCM when the recreate request is triggered. This enhances OCCM's usability in managing certificate lifecycle operations: for example, if a certificate has been deleted, revoked, or has expired, the operator can recreate it using the existing configuration.
Resource URI: /occm-config/v1/certs/{uuid}/recreate
Table 2-16 Path Parameter
Name | Data type | Mandatory (M) or Optional (O) | Cardinality | Description |
---|---|---|---|---|
uuid | String | O | 1 | Certificate uuid |
Table 2-17 Data structures supported by the PUT Response Body on this resource
Response codes | Data Type | Cardinality | Description |
---|---|---|---|
202 Accepted | Object (Certificates) | 1 | This is a mandatory parameter. Unique Certificate Identity. |
404 Not Found | Problem Details | 1 | This is a mandatory parameter. Certificate not found against the uuid. Returns Problem Details structure as defined in 3GPP TS 29.571 section 5.2.4.1 |
409 Conflict | Problem Details | 1 | This is a mandatory parameter. Recreate is already in process for the uuid. Returns Problem Details structure as defined in 3GPP TS 29.571 section 5.2.4.1 |
$ curl --location --request PUT 'http://{host}:{port}/occm-config/v1/certs/9983d728-c618-41c3-b7f9-530d00fb7ab1/recreate' \
--header 'oc-cncc-id: Cluster1' \
--header 'oc-cncc-instance-id: Cluster1-occm-instance1' \
--header 'Authorization: Bearer eyJhbGciO........95adDrLUfcAQ'
202 Accepted Response Body: '{
"uuid": "9983d728-c618-41c3-b7f9-530d00fb7ab1",
"name": "NRF-TLS-1",
"lcmType": "AUTOMATIC",
"certType": "OTHER",
"renewBefore": "15",
"certPurpose": "NRF SBI",
"issuer": "CA1",
"privateKey": {
"keyAlgo": "EC",
"keySize": null,
"keyEncoding": "DER",
"ecCurve": "SECP256r1",
"keyFormat": null,
"privateKeyK8sSecretOut": {
"namespace": "ns1",
"name": "nrf-tls-secret",
"key": "nrfkey.pem"
}
},
"csr": {
"extendedKeyUsage": {
"critical": false,
"extendedKeyUsageValues": [
"CLIENT_AUTH",
"SERVER_AUTH"
]
},
"keyUsage": {
"critical": false,
"keyUsageValues": [
"DIGITAL_SIGNATURE",
"KEY_ENCIPHERMENT"
]
},
"basicConstraints": {
"critical": false,
"basicConstraintsValue": "END_ENTITY"
},
"subject": {
"country": "IN",
"state": "KA",
"location": "BLR",
"organization": "Oracle",
"organizationUnit": "CGBU",
"commonName": "occm"
},
"days": "365",
"subjectAltName": {
"critical": false,
"ipAddress": [
"10.10.10.13",
"10.10.10.14"
],
"dns": [
"centos8-2.example.com",
"centos8-3.example.com"
],
"uriIdApiRoot": null,
"uriIdUrn": [
"urn:uuid:f81d4fae-7dec-11d0-a765-00a0c91e6bf6"
]
},
"certK8sSecretOut": {
"namespace": "ns1",
"name": "nrf-tls-secret",
"key": "nrf.cer"
},
"certChainK8sSecretOut": {
"namespace": "ns1",
"name": "nrf-tls-secret",
"key": "nrfcertchain.cer"
} ,
"mergeCertAndChain" : false
},
"caBundleK8sSecretIn": {
"namespace": "",
"name": "",
"key": ""
},
"nf": "NRF",
"overrideSecret": false
}'
2.2.5 Edit Certificates
OCCM uses the PUT operation to update an existing certificate configuration identified by its certificate UUID. It is supported only for end entity certificates.
Resource URI: /occm-config/v1/certs/{uuid}
Table 2-18 Path Parameter
Name | Data type | Mandatory (M) or Optional (O) | Cardinality | Description |
---|---|---|---|---|
uuid | String | M | 1 | Certificate uuid |
Data structures supported by the PUT Response Body in this resource
Response codes | Data type | Cardinality | Description |
---|---|---|---|
202 Accepted | Object (Certs) | 1 | This is a mandatory parameter. Unique Certificate Identity. |
404 Not Found | Problem Details | 1 | This is a mandatory parameter. Certificate not found against the uuid. Returns Problem Details structure as defined in 3GPP TS 29.571 section 5.2.4.1 |
400 Bad Request | Problem Details | 1 | This is a mandatory parameter. Invalid configuration. Returns Problem Details structure as defined in 3GPP TS 29.571 section 5.2.4.1 |
409 Conflict | Problem Details | 1 | This is a mandatory parameter. Edit is already in process for the uuid. Returns Problem Details structure as defined in 3GPP TS 29.571 section 5.2.4.1 |
$ curl --location --request PUT 'http://{host}:{port}/occm-config/v1/certs/9983d728-c618-41c3-b7f9-530d00fb7ab1' \
--header 'oc-cncc-id: Cluster1' \
--header 'oc-cncc-instance-id: Cluster1-occm-instance1' \
--header 'Authorization: Bearer eyJhbGciO........95adDrLUfcAQ' \
--header 'Content-Type: application/json' \
--data-raw '{
"uuid": "9983d728-c618-41c3-b7f9-530d00fb7ab1",
"name": "NRF-TLS-1",
"lcmType": "AUTOMATIC",
"certType": "OTHER",
"renewBefore": "15",
"certPurpose": "NRF SBI",
"issuer": "CA1",
"privateKey": {
"keyAlgo": "EC",
"keySize": null,
"keyEncoding": "DER",
"ecCurve": "SECP256r1",
"keyFormat": null,
"privateKeyK8sSecretOut": {
"namespace": "ns1",
"name": "nrf-tls-secret",
"key": "nrfkey.pem"
}
},
"csr": {
"extendedKeyUsage": {
"critical": false,
"extendedKeyUsageValues": [
"CLIENT_AUTH",
"SERVER_AUTH"
]
},
"keyUsage": {
"critical": false,
"keyUsageValues": [
"DIGITAL_SIGNATURE",
"KEY_ENCIPHERMENT"
]
},
"basicConstraints": {
"critical": false,
"basicConstraintsValue": "END_ENTITY"
},
"subject": {
"country": "IN",
"state": "KA",
"location": "BLR",
"organization": "Oracle",
"organizationUnit": "CGBU",
"commonName": "occm"
},
"days": "365",
"subjectAltName": {
"critical": false,
"ipAddress": [
"10.10.10.13",
"10.10.10.14"
],
"dns": [
"centos8-2.example.com",
"centos8-3.example.com"
],
"uriIdApiRoot": null,
"uriIdUrn": [
"urn:uuid:f81d4fae-7dec-11d0-a765-00a0c91e6bf6"
]
},
"certK8sSecretOut": {
"namespace": "ns1",
"name": "nrf-tls-secret",
"key": "nrf.cer"
},
"certChainK8sSecretOut": {
"namespace": "ns1",
"name": "nrf-tls-secret",
"key": "nrfcertchain.cer"
},
"mergeCertAndChain" : false
},
"caBundleK8sSecretIn": {
"namespace": "",
"name": "",
"key": ""
},
"nf": "NRF",
"overrideSecret": false
}'
202 Accepted Response Body: '{
"uuid": "9983d728-c618-41c3-b7f9-530d00fb7ab1",
"name": "NRF-TLS-1",
"lcmType": "AUTOMATIC",
"certType": "OTHER",
"renewBefore": "15",
"certPurpose": "NRF SBI",
"issuer": "CA1",
"privateKey": {
"keyAlgo": "EC",
"keySize": null,
"keyEncoding": "DER",
"ecCurve": "SECP256r1",
"keyFormat": null,
"privateKeyK8sSecretOut": {
"namespace": "ns1",
"name": "nrf-tls-secret",
"key": "nrfkey.pem"
}
},
"csr": {
"extendedKeyUsage": {
"critical": false,
"extendedKeyUsageValues": [
"CLIENT_AUTH",
"SERVER_AUTH"
]
},
"keyUsage": {
"critical": false,
"keyUsageValues": [
"DIGITAL_SIGNATURE",
"KEY_ENCIPHERMENT"
]
},
"basicConstraints": {
"critical": false,
"basicConstraintsValue": "END_ENTITY"
},
"subject": {
"country": "IN",
"state": "KA",
"location": "BLR",
"organization": "Oracle",
"organizationUnit": "CGBU",
"commonName": "occm"
},
"days": "365",
"subjectAltName": {
"critical": false,
"ipAddress": [
"10.10.10.13",
"10.10.10.14"
],
"dns": [
"centos8-2.example.com",
"centos8-3.example.com"
],
"uriIdApiRoot": null,
"uriIdUrn": [
"urn:uuid:f81d4fae-7dec-11d0-a765-00a0c91e6bf6"
]
},
"certK8sSecretOut": {
"namespace": "ns1",
"name": "nrf-tls-secret",
"key": "nrf.cer"
},
"certChainK8sSecretOut": {
"namespace": "ns1",
"name": "nrf-tls-secret",
"key": "nrfcertchain.cer"
} ,
"mergeCertAndChain" : false
},
"caBundleK8sSecretIn": {
"namespace": "",
"name": "",
"key": ""
},
"nf": "NRF",
"overrideSecret": false
}'
2.2.6 Delete Certificate Configuration Data
OCCM uses the DELETE operation to delete the certificate configuration data based on certificate UUID.
Resource URI: /occm-config/v1/certs/{uuid}
Table 2-19 Path Parameter
Name | Data type | Mandatory (M) or Optional (O) | Cardinality | Description |
---|---|---|---|---|
uuid | String | M | 1 | Unique identification of certificates. |
Table 2-20 Data structures supported by the DELETE Response Body on this resource
Data type | Mandatory (M) or Optional (O) | Cardinality | Response codes | Description |
---|---|---|---|---|
Object (Certificates) | M | 1 | 202 ACCEPTED | This is a mandatory parameter. Certificate configuration data |
Problem Details | M | 1 | 404 Not Found | This is a mandatory parameter. Certificate not found against the UUID |
$ curl --location --request DELETE 'http://{host}:{port}/occm-config/v1/certs/b4d896ac-689d-4e12-a76c-54c8de4ffe52' \
--header 'Oc-Cncc-Id: Cluster1' \
--header 'Oc-Cncc-Instance-Id: Cluster1-OCCM-instance1' \
--header 'Authorization: Bearer eyJhbGciOiJSUzI1Ni.…'
202 ACCEPTED Response Body: '{
"uuid": "b4d896ac-689d-4e12-a76c-54c8de4ffe52",
"name": "NRFTLS12",
"lcmType": "AUTOMATIC",
"certType": "OTHER",
"renewBefore": "7",
"certPurpose": "NRF SBI",
"issuer": "CA21",
"privateKey": {
"keyAlgo": "RSA",
"keySize": "KEYSIZE_2048",
"keyEncoding": "PEM",
"ecCurve":"",
"privateKeyK8sSecretOut": {
"namespace": "occm",
"name": "nrf-tls-secret-54",
"key": "nrf.pem"
}
},
"csr": {
"extendedKeyUsage": {
"critical" : false,
"extendedKeyUsageValues" : [
"CLIENT_AUTH",
"SERVER_AUTH"
]
},
"keyUsage": {
"critical" : true,
"keyUsageValues" : [
"DIGITAL_SIGNATURE"
]
},
"basicConstraints": {
"critical" : true,
"basicConstraintsValue" : "END_ENTITY"
},
"subject": {
"country": "IN",
"state": "Karnataka",
"location": "Bengaluru",
"organization": "Oracle",
"organizationUnit": "OracleBU",
"commonName": "some.example.com"
},
"days": "365",
"subjectAltName": {
"critical" : null,
"ipAddress": [
"10.10.10.13",
"10.10.10.14"
],
"dns": [
"centos8-2.example.com",
"centos8-3.example.com"
],
"uriIdUrn": [
"urn:uuid:f81d4fae-7dec-11d0-a765-00a0c91e6bf6"
],
"uriIdApiRoot": [
]
},
"certK8sSecretOut": {
"namespace": "occm",
"name": "nrf-tls-secret-54",
"key": "nrf.cer"
},
"certChainK8sSecretOut": {
"namespace": "occm",
"name": "nrf-tls-secret-54",
"key": "nrfcertchain.cer"
} ,
"mergeCertAndChain" : false
},
"caBundleK8sSecretIn": {
"namespace": "occm",
"name": "nrf-cabu",
"key": "cabundle.cer"
},
"nf": "NRF",
"overrideSecret": false
}'
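The six operations in 2.2.1 to 2.2.6 share one request shape (the Oc-Cncc-Id and Oc-Cncc-Instance-Id headers plus a bearer token) and one response convention: reads return 200, while POST, PUT and DELETE return 202 Accepted because the certificate work continues asynchronously, with 404 and 409 carrying a Problem Details body. The client below is an added example, not OCCM's own code; paths, header names and status codes come from this section, while the in-memory FakeOccm stand-in, its generated placeholder UUIDs and the error messages it returns are constructed so the exchange can be run offline.

```python
"""Client for the /occm-config/v1/certs operations of 2.2.1 to 2.2.6 with an
in-memory stand-in for the service. Added example, not OCCM's own code;
FakeOccm behaviour and its placeholder UUIDs are constructed for illustration.
"""
import json
import urllib.error
import urllib.request

CERTS_PATH = "/occm-config/v1/certs"


class OccmError(Exception):
    """Raised for any status outside the expected set; carries the Problem Details body."""
    def __init__(self, status, problem):
        super().__init__(f"HTTP {status}: {problem}")
        self.status, self.problem = status, problem


class OccmCertClient:
    def __init__(self, base_url, token, cluster_id, instance_id, transport=None):
        self.base_url = base_url.rstrip("/") + CERTS_PATH
        # Every request carries the CNC Console identity headers and the bearer token.
        self.headers = {"Oc-Cncc-Id": cluster_id, "Oc-Cncc-Instance-Id": instance_id,
                        "Authorization": "Bearer " + token}
        self._send = transport or self._urllib_send  # transport(req) -> (status, raw body)

    def build_request(self, method, path="", body=None):
        data = json.dumps(body).encode() if body is not None else None
        headers = dict(self.headers)
        if data is not None:
            headers["Content-Type"] = "application/json"
        return urllib.request.Request(self.base_url + path, data=data, headers=headers, method=method)

    @staticmethod
    def _urllib_send(req):
        """Real transport: return (status, raw body) even for 4xx/5xx responses."""
        try:
            with urllib.request.urlopen(req, timeout=10) as resp:
                return resp.status, resp.read()
        except urllib.error.HTTPError as err:
            return err.code, err.read()

    def _call(self, method, path="", body=None, expect=(200,)):
        status, raw = self._send(self.build_request(method, path, body))
        payload = json.loads(raw) if raw else None
        if status not in expect:
            raise OccmError(status, payload)
        return payload

    # Writes return 202 Accepted: the configuration is stored and the certificate
    # work proceeds asynchronously, so poll get_cert for the outcome.
    def list_certs(self): return self._call("GET")
    def get_cert(self, uuid): return self._call("GET", f"/{uuid}")
    def add_cert(self, cfg): return self._call("POST", body=cfg, expect=(202,))
    def edit_cert(self, uuid, cfg): return self._call("PUT", f"/{uuid}", body=cfg, expect=(202,))
    def recreate_cert(self, uuid): return self._call("PUT", f"/{uuid}/recreate", expect=(202,))
    def delete_cert(self, uuid): return self._call("DELETE", f"/{uuid}", expect=(202,))


def _problem(status, detail):
    """ProblemDetails body in the shape the error tables reference (3GPP TS 29.571)."""
    return json.dumps({"status": status, "detail": detail}).encode()


class FakeOccm:
    """Constructed stand-in answering with the status codes of Tables 2-12 to 2-20."""
    def __init__(self):
        self.certs, self.recreating = {}, set()

    def __call__(self, req):
        method = req.get_method()
        parts = [p for p in req.full_url.split(CERTS_PATH, 1)[1].split("/") if p]
        body = json.loads(req.data) if req.data else None
        if method == "POST":
            if any(c["name"] == body["name"] for c in self.certs.values()):
                return 409, _problem(409, "Record already exists")
            uuid = f"00000000-0000-4000-8000-{len(self.certs) + 1:012d}"  # placeholder uuid
            self.certs[uuid] = {"uuid": uuid, **body}
            return 202, json.dumps(self.certs[uuid]).encode()
        if not parts:
            return 200, json.dumps(list(self.certs.values())).encode()
        uuid = parts[0]
        if uuid not in self.certs:
            return 404, _problem(404, "Certificate not found against the uuid")
        if method == "PUT" and parts[1:] == ["recreate"]:
            if uuid in self.recreating:
                return 409, _problem(409, "Recreate is already in process for the uuid")
            self.recreating.add(uuid)
        elif method == "PUT":
            self.certs[uuid] = {**self.certs[uuid], **body}
        elif method == "DELETE":
            return 202, json.dumps(self.certs.pop(uuid)).encode()
        return (202 if method == "PUT" else 200), json.dumps(self.certs[uuid]).encode()


def error_status(fn, *args):
    """Call fn(*args); return the OCCM status it raised, or 0 when it succeeded."""
    try:
        fn(*args)
        return 0
    except OccmError as err:
        return err.status
```

Passing `transport=FakeOccm()` exercises the full sequence (add, fetch, recreate, second recreate rejected with 409, delete, fetch rejected with 404) without a cluster; omitting it sends the same requests over urllib to a real OCCM endpoint.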
2.2.7 OCCM Certificate Bulk Migrate
Certificate Bulk Migrate Data Model
Table 2-21 OCCM Certificates Bulk Migrate Request Parameters
Field Name | Data Type | Description |
---|---|---|
uuid | String | This is an optional parameter. Unique identifier for each Bulk Certificate Migration. This must be kept empty in the request. |
sourceIssuerName | String | This is a mandatory parameter. Name of the issuer whose linked certificates are migrated. |
destinationIssuerName | String | This is a mandatory parameter. Name of the issuer to which the certificates are migrated. |
bulkMigrateInitiatedOnCerts | List<Object> | This is an optional parameter. List of certificates which will be migrated from source to destination issuer. This must be kept empty in the request. |
bulkMigrateSkippedOnCerts | List<Object> | This is an optional parameter. List of certificates on which the migration is skipped because the certificate status is other than READY or EXPIRED, or because another recreate is already in process. This must be kept empty in the request. |
Table 2-22 OCCM Certificates Bulk Migrate Response Codes
Response codes | Data Type | Cardinality | Description |
---|---|---|---|
200 OK | Object (Certificates Bulk Migrate) Or List (Certificates Bulk Migrate ) | 1 | This is a mandatory parameter. Object (Certificates Bulk Migrate) Or List(Certificates Bulk Migrate) matching criteria. |
202 Accepted | Object (Certificates Bulk Migrate) | 1 | This is a mandatory parameter. Object (Certificates Bulk Migrate) |
400 Bad request | Problem Details | 1 | This is a mandatory parameter. Input does not match with the processed request |
500 Internal Server Error | Problem Details | 1 | This is a mandatory parameter. This is displayed when something goes wrong |
409 Conflict | Problem Details | 1 | This is a mandatory parameter. Bulk certificate migration already in process. |
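Table 2-21 describes the outcome of a bulk migrate as two lists: the certificates linked to the source issuer that OCCM initiates, and those it skips because their status is not READY or EXPIRED or a recreate is already running. The planner below is an added example, not OCCM's own code: it models that partition so an operator can preview which certificates a migration would touch. The certificate status names and the set of UUIDs with a recreate in process are this example's own inputs, the skip reasons are an addition of this example, and the inventory is constructed (three UUIDs reuse the page's sample values, the others are placeholders).

```python
"""Preview of a certificate bulk migration: which certificates linked to the
source issuer are initiated and which are skipped, per Table 2-21.

Added example, not OCCM's own code. Status names, the recreate_in_process
set and the skip reasons are this example's own; the response field names
match the table.
"""
import json

MIGRATABLE_STATUSES = {"READY", "EXPIRED"}  # any other status is skipped


def plan_bulk_migrate(certs, source_issuer, destination_issuer, recreate_in_process=frozenset()):
    """Return (bulk_migrate_result, skip_reasons).

    certs: list of dicts with uuid, name, issuer and status.
    The first element mirrors the JSON body shown for a bulk migrate; the second
    maps each skipped certUUID to a reason, which this example adds for operators.
    """
    if source_issuer == destination_issuer:
        raise ValueError("source and destination issuer must differ")
    initiated, skipped, reasons = [], [], {}
    for cert in certs:
        if cert["issuer"] != source_issuer:
            continue  # not linked to the source issuer, untouched by this migration
        entry = {"certUUID": cert["uuid"], "certName": cert["name"]}
        if cert["uuid"] in recreate_in_process:
            skipped.append(entry)
            reasons[cert["uuid"]] = "another recreate is in process"
        elif cert["status"] not in MIGRATABLE_STATUSES:
            skipped.append(entry)
            reasons[cert["uuid"]] = f"status {cert['status']} is not READY or EXPIRED"
        else:
            initiated.append(entry)
    result = {
        "uuid": None,  # assigned by OCCM; kept empty in the request
        "sourceIssuerName": source_issuer,
        "destinationIssuerName": destination_issuer,
        "bulkMigrateInitiatedOnCerts": initiated,
        "bulkMigrateSkippedOnCerts": skipped,
    }
    return result, reasons


# Constructed inventory: four certificates on CA1, one on CA3.
# NRF1..NRF3 reuse the UUIDs from this section's sample; the rest are placeholders.
SAMPLE_CERTS = [
    {"uuid": "b7390498-dc44-4f2b-9f0c-86b67fb81c70", "name": "NRF1", "issuer": "CA1", "status": "READY"},
    {"uuid": "134801cd-c7ef-4d0c-af52-49419128b981", "name": "NRF2", "issuer": "CA1", "status": "EXPIRED"},
    {"uuid": "d57d19be-e2cd-4b65-a4f1-5bf26cd2be7d", "name": "NRF3", "issuer": "CA1", "status": "FAILED"},
    {"uuid": "00000000-0000-4000-8000-000000000004", "name": "NRF4", "issuer": "CA1", "status": "READY"},
    {"uuid": "00000000-0000-4000-8000-000000000005", "name": "NRF5", "issuer": "CA3", "status": "READY"},
]

if __name__ == "__main__":
    plan, why = plan_bulk_migrate(SAMPLE_CERTS, "CA1", "CA2",
                                  recreate_in_process={SAMPLE_CERTS[3]["uuid"]})
    print(json.dumps(plan, indent=2))
    print(why)
```

With the constructed inventory, NRF1 and NRF2 are initiated, NRF3 (FAILED) and NRF4 (recreate in process) are skipped, and NRF5 is ignored because it is linked to a different issuer; a FAILED certificate has to be recreated (2.2.4) before a migration can pick it up.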
2.2.7.1 Fetch All the Certificate Bulk Migrate Configurations
Fetch All the Certs Bulk Migrate
OCCM uses the GET operation to fetch all the Certificate Bulk Migrate configurations.
Resource URI: /occm-config/v1/certs/bulk-migrate
Table 2-23 Path Parameter
Name | Data type | Mandatory (M) or Optional (O) | Cardinality | Description |
---|---|---|---|---|
uuid | String | M | 1 | Certificate Bulk Migrate uuid |
Table 2-24 Data structures supported by the GET Response Body on this resource
Response codes | Data type | Cardinality | Description |
---|---|---|---|
200 OK | List(Certs Bulk Migrate) | 1 | This is a mandatory parameter. List (Certs Bulk Migrate) matching criteria |
500 Internal Server Error | Problem Details | 1 | This is a mandatory parameter. Something went wrong |
$ curl --location --request GET 'http://{host}:{port}/occm-config/v1/certs/bulk-migrate' \
--header 'Oc-Cncc-Id: Cluster1' \
--header 'Oc-Cncc-Instance-Id: Cluster1-OCCM-instance1' \
--header 'Authorization: Bearer eyJhbGciOiJSUzI1Ni'
200 OK Response Body: '[
  {
    "uuid": "51e40d19-c195-4be1-aedd-ced93ded6b62",
    "sourceIssuerName": "CA1",
    "destinationIssuerName": "CA2",
    "bulkMigrateInitiatedOnCerts": [
      {
        "certUUID": "b7390498-dc44-4f2b-9f0c-86b67fb81c70",
        "certName": "NRF1"
      },
      {
        "certUUID": "134801cd-c7ef-4d0c-af52-49419128b981",
        "certName": "NRF2"
      },
      {
        "certUUID": "d57d19be-e2cd-4b65-a4f1-5bf26cd2be7d",
        "certName": "NRF3"
      }
    ],
    "bulkMigrateSkippedOnCerts": []
  },
  {
    "uuid": "89e40d19-c195-4be1-aedd-ced93ded6b62",
    "sourceIssuerName": "CA3",
    "destinationIssuerName": "CA4",
    "bulkMigrateInitiatedOnCerts": [
      {
        "certUUID": "a9390498-dc44-5e2b-9f0c-86b67fb81c70",
        "certName": "NRF4"
      },
      {
        "certUUID": "154801cd-c7ef-5e0c-af52-49419128b981",
        "certName": "NRF5"
      },
      {
        "certUUID": "d97d19be-e2cd-4b65-pqf1-5bf26cd2be7d",
        "certName": "NRF6"
      }
    ],
    "bulkMigrateSkippedOnCerts": []
  }
]'
2.2.7.2 Fetch the Certificate Bulk Migrate Configurations by uuid
Fetch the Certificates Bulk Migrate by uuid
OCCM uses the GET operation to fetch the Certificates Bulk Migrate configuration identified by uuid.
Resource URI: /occm-config/v1/certs/bulk-migrate/{uuid}
Table 2-25 Path Variable
Field Name | Data Type | Description |
---|---|---|
uuid | String | uuid of the Certificates Bulk Migrate. |
Table 2-26 Data structures supported by the GET Response Body on this resource
Response codes | Data Type | Cardinality | Description |
---|---|---|---|
200 OK | Object (Certificates Bulk Migrate) | 1 | This is a mandatory parameter. Object (Certificates Bulk Migrate) matching criteria. |
404 NOT FOUND | Object (Certificates Bulk Migrate) | 1 | This is a mandatory parameter. Object (Certificates Bulk Migrate) not found against the uuid. |
500 Internal Server Error | Problem Details | 1 | This is a mandatory parameter. Something went wrong |
$ curl --location --request GET 'http://{host}:{port}/occm-config/v1/certs/bulk-migrate/51e40d19-c195-4be1-aedd-ced93ded6b62' \
--header 'Oc-Cncc-Id: Cluster1' \
--header 'Oc-Cncc-Instance-Id: Cluster1-OCCM-instance1' \
--header 'Authorization: Bearer eyJhbGciOiJSUzI1NiIs'
200 OK Response Body: '{
  "uuid": "51e40d19-c195-4be1-aedd-ced93ded6b62",
  "sourceIssuerName": "CA1",
  "destinationIssuerName": "CA2",
  "bulkMigrateInitiatedOnCerts": [
    {
      "certUUID": "b7390498-dc44-4f2b-9f0c-86b67fb81c70",
      "certName": "NRF1"
    },
    {
      "certUUID": "134801cd-c7ef-4d0c-af52-49419128b981",
      "certName": "NRF2"
    },
    {
      "certUUID": "d57d19be-e2cd-4b65-a4f1-5bf26cd2be7d",
      "certName": "NRF3"
    }
  ],
  "bulkMigrateSkippedOnCerts": []
}'
2.2.7.3 Create the Certificate Bulk Migrate Configurations Using Request Body
Create Certs Bulk Migrate Using Request Body
OCCM uses the POST operation to create Certs Bulk Migrate using request body.
Resource URI: /occm-config/v1/certs/bulk-migrate
Table 2-27 Data structures supported by the POST Response Body on this resource
Response codes | Data type | Cardinality | Description |
---|---|---|---|
202 ACCEPTED | Object (Certs Bulk Migrate) | 1 | This is a mandatory parameter. Bulk certificate migration request is accepted. |
400 BAD REQUEST | Problem Details | 1 | This is a mandatory parameter. Input does not match with the processed request. |
500 INTERNAL SERVER ERROR | Problem Details | 1 | This is a mandatory parameter. Something went wrong |
$ curl --location --request POST 'http://{host}:{port}/occm-config/v1/certs/bulk-migrate' \
--header 'Oc-Cncc-Id: Cluster1' \
--header 'Oc-Cncc-Instance-Id: Cluster1-OCCM-instance1' \
--header 'Authorization: Bearer LxuLeX9di....hXDUcoFwDw' \
--header 'Content-Type: application/json' \
--data-raw '{
  "sourceIssuerName": "CA1",
  "destinationIssuerName": "CA2"
}'
202 Success Response Body: '{
  "uuid": "51e40d19-c195-4be1-aedd-ced93ded6b62",
  "sourceIssuerName": "CA1",
  "destinationIssuerName": "CA2",
  "bulkMigrateInitiatedOnCerts": [
    {
      "certUUID": "b7390498-dc44-4f2b-9f0c-86b67fb81c70",
      "certName": "NRF1"
    },
    {
      "certUUID": "134801cd-c7ef-4d0c-af52-49419128b981",
      "certName": "NRF2"
    },
    {
      "certUUID": "d57d19be-e2cd-4b65-a4f1-5bf26cd2be7d",
      "certName": "NRF3"
    }
  ],
  "bulkMigrateSkippedOnCerts": []
}'
2.2.7.4 Delete the Certificate Bulk Migrate Configurations by uuid
Delete the Certificates Bulk Migrate by uuid
OCCM uses the DELETE operation to delete the Certificates Bulk Migrate by uuid.
Resource URI: /occm-config/v1/certs/bulk-migrate/{uuid}
Table 2-28 Query Parameters
Field Name | Mandatory (M) or Optional (O) | Cardinality | Data Type | Description |
---|---|---|---|---|
uuid | O | 1 | String | uuid of the Certificates Bulk Migrate configuration. |
Table 2-29 Data structures supported by the DELETE Response Body on this resource
Response codes | Data type | Cardinality | Description |
---|---|---|---|
200 OK | Certificates Bulk Migrate | 1 | This is a mandatory parameter. Certificates Bulk Migrate configuration data. |
400 Bad Request | Problem Details | 1 | This is a mandatory parameter. Input does not match with the processed request. |
$ curl --location --request DELETE 'http://{host}:{port}/occm-config/v1/certs/bulk-migrate/51e40d19-c195-4be1-aedd-ced93ded6b62' \
--header 'Oc-Cncc-Id: Cluster1' \
--header 'Oc-Cncc-Instance-Id: Cluster1-OCCM-instance1' \
--header 'Authorization: Bearer eyJhbGciOi.......g-atjhQ'
200 OK Response Body: '{
  "uuid": "51e40d19-c195-4be1-aedd-ced93ded6b62",
  "sourceIssuerName": "CA1",
  "destinationIssuerName": "CA2",
  "bulkMigrateInitiatedOnCerts": [
    {
      "certUUID": "b7390498-dc44-4f2b-9f0c-86b67fb81c70",
      "certName": "NRF1"
    },
    {
      "certUUID": "134801cd-c7ef-4d0c-af52-49419128b981",
      "certName": "NRF2"
    },
    {
      "certUUID": "d57d19be-e2cd-4b65-a4f1-5bf26cd2be7d",
      "certName": "NRF3"
    }
  ],
  "bulkMigrateSkippedOnCerts": []
}'
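The four bulk-migrate operations above (list, fetch by uuid, create, delete) share the same headers and response shape. The following is an added client-side example, not OCCM product code: it builds the headers and POST body shown in the curl examples, validates the uuid before it is placed in the path, and reduces a Certs Bulk Migrate object to the fields an operator acts on, in particular `bulkMigrateSkippedOnCerts`, since a skipped certificate still chains to the source issuer. The same-issuer check, the `occm_request` helper and the `SAMPLE_GET_ALL` data are this example's own assumptions (the sample follows the GET-all body above but adds one skipped certificate so that path is exercised).

```python
"""Client helpers for the OCCM certificate bulk-migrate resource.

Added example, not OCCM product code. Uses only the URI, headers and response
fields shown in this section; validation rules and sample data are assumptions.
"""
import http.client
import json
import uuid as uuidlib

BULK_MIGRATE_PATH = "/occm-config/v1/certs/bulk-migrate"


def occm_headers(cncc_id, instance_id, bearer_token, with_body=False):
    """Build the headers the section's curl examples send on every request."""
    headers = {
        "Oc-Cncc-Id": cncc_id,
        "Oc-Cncc-Instance-Id": instance_id,
        "Authorization": "Bearer " + bearer_token,
    }
    if with_body:
        headers["Content-Type"] = "application/json"
    return headers


def build_bulk_migrate_request(source_issuer, destination_issuer):
    """Validate and serialise the POST body (sourceIssuerName/destinationIssuerName)."""
    if not source_issuer or not destination_issuer:
        raise ValueError("both issuer names are required")
    if source_issuer == destination_issuer:
        # Assumed client-side rule: re-issuing from the same CA is not a
        # migration, so refuse it before the request leaves the operator host.
        raise ValueError("source and destination issuers must differ")
    return json.dumps({"sourceIssuerName": source_issuer,
                       "destinationIssuerName": destination_issuer})


def bulk_migrate_uuid_path(migration_uuid):
    """Build the per-uuid path used by GET and DELETE, rejecting malformed ids."""
    uuidlib.UUID(migration_uuid)  # raises ValueError for anything that is not a UUID
    return BULK_MIGRATE_PATH + "/" + migration_uuid


def summarize_bulk_migrate(config):
    """Reduce one Certs Bulk Migrate object to what an operator needs to act on."""
    initiated = [c["certName"] for c in config.get("bulkMigrateInitiatedOnCerts", [])]
    skipped = [c["certName"] for c in config.get("bulkMigrateSkippedOnCerts", [])]
    return {
        "uuid": config["uuid"],
        "from": config["sourceIssuerName"],
        "to": config["destinationIssuerName"],
        "initiated": initiated,
        "skipped": skipped,
        # Skipped certificates still chain to the source issuer and need follow-up.
        "needs_attention": len(skipped) > 0,
    }


def find_migrations_between(configs, source_issuer, destination_issuer):
    """Filter the GET-all list down to one issuer pair and summarise each match."""
    return [summarize_bulk_migrate(c) for c in configs
            if c["sourceIssuerName"] == source_issuer
            and c["destinationIssuerName"] == destination_issuer]


def occm_request(host, port, method, path, headers, body=None, timeout=10):
    """Send one request over plain HTTP, as the page's curl examples do.

    Returns (status, parsed JSON body or None). Only used from main(), so the
    rest of the module can be exercised without an OCCM instance.
    """
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request(method, path, body=body, headers=headers)
        resp = conn.getresponse()
        raw = resp.read()
    finally:
        conn.close()
    return resp.status, (json.loads(raw) if raw else None)


# Constructed sample shaped like the 200 OK body of the GET-all example above,
# with one skipped certificate added so the follow-up path is exercised.
SAMPLE_GET_ALL = [
    {"uuid": "51e40d19-c195-4be1-aedd-ced93ded6b62",
     "sourceIssuerName": "CA1", "destinationIssuerName": "CA2",
     "bulkMigrateInitiatedOnCerts": [
         {"certUUID": "b7390498-dc44-4f2b-9f0c-86b67fb81c70", "certName": "NRF1"},
         {"certUUID": "134801cd-c7ef-4d0c-af52-49419128b981", "certName": "NRF2"}],
     "bulkMigrateSkippedOnCerts": [
         {"certUUID": "d57d19be-e2cd-4b65-a4f1-5bf26cd2be7d", "certName": "NRF3"}]},
    {"uuid": "89e40d19-c195-4be1-aedd-ced93ded6b62",
     "sourceIssuerName": "CA3", "destinationIssuerName": "CA4",
     "bulkMigrateInitiatedOnCerts": [
         {"certUUID": "a9390498-dc44-5e2b-9f0c-86b67fb81c70", "certName": "NRF4"}],
     "bulkMigrateSkippedOnCerts": []},
]


if __name__ == "__main__":
    # Offline walk-through on the constructed sample; for live use, pair
    # occm_headers()/build_bulk_migrate_request() with occm_request("<occm-host>", <port>, ...).
    for summary in find_migrations_between(SAMPLE_GET_ALL, "CA1", "CA2"):
        print(json.dumps(summary, indent=2))
```

`bulk_migrate_uuid_path` is the one place a caller-supplied value enters the URI, which is why it is parsed as a UUID before being concatenated rather than trusted as an opaque string.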
2.3 OCCM Logging Resource
2.3.1 Fetch Logging Configuration for a Service
OCCM uses the GET operation to fetch the logging configuration for a service.
Resource URI: /occm-config/v1/occm/logging
curl --location --request GET 'http://{host}:{port}/occm-config/v1/occm/logging' \
--header 'oc-cncc-id: Cluster1' \
--header 'oc-cncc-instance-id: Cluster1-occm-instance1' \
--header 'Authorization: Bearer eyJhbGciOiJSUzI1NiI...' \
--data-raw ''
200 OK Response Body: '{
  "appLogLevel": "INFO",
  "packageLogLevel": [
    {
      "packageName": "root",
      "logLevelForPackage": "ERROR"
    }
  ]
}'
2.3.2 Fetch Logging Configurations for All Services
OCCM uses the GET operation to fetch logging configurations for all services.
Resource URI: /occm-config/v1/all/logging
curl --location --request GET 'http://{host}:{port}/occm-config/v1/all/logging' \
--header 'oc-cncc-id: Cluster1' \
--header 'oc-cncc-instance-id: Cluster1-occm-instance1' \
--header 'Authorization: Bearer eyJhbGciOiJSUzI1NiIsInR5cCIgOiAi...'
200 OK Response Body: '[
  {
    "occm": "{\"appLogLevel\":\"INFO\",\"packageLogLevel\":[{\"packageName\":\"root\",\"logLevelForPackage\":\"ERROR\"}]}"
  }
]'
2.3.3 Update Logging Configurations for a Service
OCCM uses the PUT operation to update logging configurations for a service.
Resource URI: /occm-config/v1/occm/logging
curl --location --request PUT 'http://{host}:{port}/occm-config/v1/occm/logging' \
--header 'oc-cncc-id: Cluster1' \
--header 'oc-cncc-instance-id: Cluster1-occm-instance1' \
--header 'Authorization: Bearer eyJhbGc...h8bJI_Owc_nb_hA' \
--header 'Content-Type: application/json' \
--data-raw '{
  "appLogLevel": "INFO",
  "packageLogLevel": [
    {
      "packageName": "root",
      "logLevelForPackage": "ERROR"
    }
  ]
}'
200 OK
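Two details of the logging resource are easy to get wrong when scripting against it: the all-services body in 2.3.2 carries each service's configuration as a JSON document serialised inside a string (hence the escaped quotes in the example), so it must be decoded a second time, and a PUT in 2.3.3 replaces the whole configuration, so it is worth diffing the intended body against the current GET body before sending it, since lowering a level to ERROR reduces what the audit trail captures. The following is an added example, not OCCM product code; the set of accepted log levels is an assumption (the page shows only INFO and ERROR) and the sample bodies are constructed to the shapes shown above.

```python
"""Helpers for the OCCM logging resource (/occm-config/v1/{service}/logging).

Added example, not OCCM product code. Response shapes follow the curl examples
above; the accepted-level list is an assumption kept in one place.
"""
import json

# Assumed set of accepted levels: the page itself shows only INFO and ERROR.
ASSUMED_LOG_LEVELS = ("TRACE", "DEBUG", "INFO", "WARN", "ERROR")


def parse_all_services_logging(body):
    """Decode the GET /occm-config/v1/all/logging body into {service: config}.

    Each list element maps a service name to its configuration, but that
    configuration is itself a JSON document serialised as a string, so it is
    decoded a second time here.
    """
    entries = json.loads(body) if isinstance(body, str) else body
    result = {}
    for entry in entries:
        for service, raw_config in entry.items():
            result[service] = (json.loads(raw_config)
                               if isinstance(raw_config, str) else raw_config)
    return result


def validate_logging_update(config, allowed=ASSUMED_LOG_LEVELS):
    """Return the problems found in a PUT body; an empty list means it is acceptable."""
    problems = []
    app_level = config.get("appLogLevel")
    if app_level not in allowed:
        problems.append("appLogLevel %r is not one of %s" % (app_level, ", ".join(allowed)))
    seen = set()
    for pkg in config.get("packageLogLevel", []):
        name = pkg.get("packageName")
        level = pkg.get("logLevelForPackage")
        if not name:
            problems.append("packageLogLevel entry without packageName")
        elif name in seen:
            problems.append("packageName %r listed more than once" % name)
        seen.add(name)
        if level not in allowed:
            problems.append("logLevelForPackage %r for %r is not one of %s"
                            % (level, name, ", ".join(allowed)))
    return problems


def logging_changes(current, desired):
    """List what a PUT of `desired` would change relative to `current` (the GET body)."""
    changes = []
    if current.get("appLogLevel") != desired.get("appLogLevel"):
        changes.append("appLogLevel: %s -> %s"
                       % (current.get("appLogLevel"), desired.get("appLogLevel")))
    cur = {p["packageName"]: p["logLevelForPackage"] for p in current.get("packageLogLevel", [])}
    new = {p["packageName"]: p["logLevelForPackage"] for p in desired.get("packageLogLevel", [])}
    for name in sorted(set(cur) | set(new)):
        if name not in new:
            changes.append("package %s: %s -> (removed)" % (name, cur[name]))
        elif name not in cur:
            changes.append("package %s: (none) -> %s" % (name, new[name]))
        elif cur[name] != new[name]:
            changes.append("package %s: %s -> %s" % (name, cur[name], new[name]))
    return changes


# Constructed samples in the shapes of the 2.3.1 and 2.3.2 responses; the inner
# configuration is serialised to a string exactly as the all-services body does.
SAMPLE_OCCM_CONFIG = {"appLogLevel": "INFO",
                      "packageLogLevel": [{"packageName": "root", "logLevelForPackage": "ERROR"}]}
SAMPLE_ALL_SERVICES_BODY = json.dumps([{"occm": json.dumps(SAMPLE_OCCM_CONFIG)}])


if __name__ == "__main__":
    current = parse_all_services_logging(SAMPLE_ALL_SERVICES_BODY)["occm"]
    desired = {"appLogLevel": "DEBUG",
               "packageLogLevel": [{"packageName": "root", "logLevelForPackage": "WARN"}]}
    print("problems:", validate_logging_update(desired))
    print("changes:", logging_changes(current, desired))
```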