2 OCCM Rest Specification

This chapter provides information about REST specifications used in Oracle Communications Cloud Native Core, Certificate Management (OCCM).

OCCM can be configured using Helm configurations, REST APIs, and the Cloud Native Configuration Console (CNC Console). The REST configurations can also be performed using the CNC Console.

For Helm configurations, see Oracle Communications Cloud Native Core, Certificate Management Installation, Upgrade, and Fault Recovery Guide.

For the configurations using CNC Console, see Oracle Communications Cloud Native Core, Certificate Management User Guide.

For installing OCCM in an existing NF deployment, see 'Introducing OCCM on an Existing NF Deployment' section in the Oracle Communications Cloud Native Core, Certificate Management User Guide.

2.1 OCCM Issuers

OCCM Issuers Data Model

Table 2-1 OCCM Issuers Request Parameters

Field Name Data Type Description
name String This is a mandatory parameter.

Name of CA
server String This is a mandatory parameter.

Domain URL of CA

Note: The user must provide the port on which the CA server is running; otherwise, the application uses the default port 80.

recipientDN String This is a mandatory parameter.

Distinguished name (DN) of the CMP server (usually the addressed CA). Used in the recipient field of CMP request message headers.

The argument must be formatted as /type0=value0/type1=value1/type2=....

Special characters may be escaped by \ (backslash); whitespace is retained. Empty values are permitted, but the corresponding type will not be included. Giving a single / will lead to an empty sequence of RDNs (a NULL-DN). Multi-valued RDNs can be formed by placing a + character instead of a / between the AttributeValueAssertions (AVAs) that specify the members of the set. Example:

/DC=org/DC=OpenSSL/DC=users/UID=123456+CN=John Doe

issuerDN String This is an optional parameter.

X509 issuer Distinguished Name of the CA server to place in the requested certificate template in IR/KUR.

The argument must be formatted as /type0=value0/type1=value1/type2=....

Special characters may be escaped by \ (backslash); whitespace is retained. Empty values are permitted, but the corresponding type will not be included. Giving a single / will lead to an empty sequence of RDNs (a NULL-DN). Multi-valued RDNs can be formed by placing a + character instead of a / between the AttributeValueAssertions (AVAs) that specify the members of the set. Example:

/DC=org/DC=OpenSSL/DC=users/UID=123456+CN=John Doe

totalTimeout String This is a mandatory parameter.

Maximum total number of seconds a CMP transaction may take.

Default Value: 720 seconds.

Max value: 21600 seconds.

Note: totalTimeout should always be greater than messageTimeout.

messageTimeout String This is a mandatory parameter.

Number of seconds a CMP request-response message round trip is allowed to take before a timeout error is returned.

Default Value: 120 seconds.

Max value: 600 seconds.

Important Note: messageTimeout should always be less than totalTimeout.

cmpProtectionOccmCert Object This is a mandatory parameter except when OCCM certificate is manually configured.

CMP client authentication options for OCCM certificate.
cmpProtectionOccmCert.type Enum This is a mandatory parameter.

MAC or SIGNATURE

Possible values:

MAC

SIGNATURE

cmpProtectionOccmCert.digestAlgorithm Enum This is a mandatory parameter except when cmpProtectionOccmCert.type selected is MAC.

Supported digest to use.

Default Value: SHA256

Possible values: SHA256, SHA384, SHA512

cmpProtectionOccmCert.macAlgorithm Enum This is a mandatory parameter except when cmpProtectionOccmCert.type selected is SIGNATURE.

MAC algorithm to use.

Possible values:

HMACSHA256

HMACSHA384

HMACSHA512

cmpProtectionOccmCert.macK8sSecretIn Object This is a mandatory parameter except when cmpProtectionOccmCert.type selected is SIGNATURE.

Kubernetes secret input details for MAC based authentication of OCCM cert.

cmpProtectionOccmCert.macK8sSecretIn.namespace String This is a mandatory parameter.

Kubernetes secret namespace where MAC secret is present.
cmpProtectionOccmCert.macK8sSecretIn.name String This is a mandatory parameter.

Name of Kubernetes secret holding MAC secret (pre-shared key) and reference information.
cmpProtectionOccmCert.macK8sSecretIn.passKey String This is a mandatory parameter.

Kubernetes secret data key against which MAC secret is provided.

cmpProtectionOccmCert.macK8sSecretIn.refKey String This is an optional parameter.

Kubernetes secret data key against which reference string is provided.

cmpProtectionOccmCert.signK8sSecretIn Object This is a mandatory parameter except when cmpProtectionOccmCert.type selected is MAC.

Kubernetes secret input details for Signature based authentication of OCCM cert.
cmpProtectionOccmCert.signK8sSecretIn.namespace String This is a mandatory parameter.

Kubernetes secret namespace where OCCM Sign secret is present.
cmpProtectionOccmCert.signK8sSecretIn.name String This is a mandatory parameter.

Name of Kubernetes secret holding pre-configured private key and certificate.
cmpProtectionOccmCert.signK8sSecretIn.key String This is a mandatory parameter.

Kubernetes secret data key against which the pre-configured private key file (private key file for the client's current CMP signer certificate) is provided.
cmpProtectionOccmCert.signK8sSecretIn.cert String This is a mandatory parameter.

Kubernetes secret data key against which the pre-configured certificate (client's current CMP signer certificate) is provided.
cmpProtectionOccmCert.signK8sSecretIn.extraCerts Object This is a mandatory parameter.

List of Kubernetes secret data keys against which the certificates to append in the extraCerts field can be provided. They can be used as the default CMP signer certificate chain to include.
cmpProtectionOtherCert Object This is a mandatory parameter.

CMP client authentication options for Other (NF) certificate.

cmpProtectionOtherCert.type Enum This is a mandatory parameter.

Possible Value: SIGNATURE
cmpProtectionOtherCert.digestAlgorithm Enum This is a mandatory parameter.

Supported digest to use.

Default Value: SHA256

Possible values: SHA256, SHA384, SHA512

cmpProtectionOtherCert.signK8sSecretIn Object This is a mandatory parameter.

Kubernetes secret input details for Signature based authentication of Other (NF) cert.

cmpProtectionOtherCert.signK8sSecretIn.namespace String This is a mandatory parameter.

Kubernetes secret namespace where NF Sign secret is present.
cmpProtectionOtherCert.signK8sSecretIn.name String This is a mandatory parameter.

Name of Kubernetes secret holding OCCM key and cert information.
cmpProtectionOtherCert.signK8sSecretIn.key String This is a mandatory parameter.

Kubernetes secret data key against which OCCM key is provided/created based on whether OCCM cert is created in manual or automatic mode.
cmpProtectionOtherCert.signK8sSecretIn.cert String This is a mandatory parameter.

Kubernetes secret data key against which OCCM certificate is provided/created based on whether OCCM cert is created in manual or automatic mode.
cmpProtectionOtherCert.signK8sSecretIn.extraCerts Array This is a mandatory parameter.

List of Kubernetes secret data keys against which the certificates to append in the extraCerts field can be provided or will be created (if received from CA) along with the OCCM cert, based on whether OCCM cert is created in manual or automatic mode.
occmTrustStoreK8sSecretIn Object This is a mandatory parameter.

Kubernetes secret input which holds OCCM trust store information (CA certificates). Used to validate CMP response messages.
occmTrustStoreK8sSecretIn.namespace String This is a mandatory parameter.

Kubernetes secret namespace where OCCM trust store secret is present.
occmTrustStoreK8sSecretIn.name String This is a mandatory parameter.

Name of Kubernetes OCCM trust store secret.
occmTrustStoreK8sSecretIn.rootCACerts List<String> This is an optional parameter except if occmTrustStoreK8sSecretIn.serverCert is provided.

The certificate(s), typically of root CAs, the client shall use as trust anchors when validating the certificate issued by CA.

Note: If server cert is present this is ignored.

occmTrustStoreK8sSecretIn.intCACerts List<String> This is an optional parameter.

Any non-trusted intermediate CA certificate(s) to use when validating newly enrolled certificates.
occmTrustStoreK8sSecretIn.serverCert String This is a mandatory parameter except if occmTrustStoreK8sSecretIn.rootCACerts is provided.

CMP/CA server's certificate to expect and directly trust when validating the certificate issued by CA.

Note: If this is present root CA certs will be ignored.

uuid String Unique ID for logging and tracking purposes.
tlsConfig.enableTLS boolean This is an optional parameter.

When this field is set to true, "-tls_used" is included in the openssl cmp command for TLS communication with the CA. The server URL should use the https scheme.

Possible values: true, false

tlsConfig.tlsTrustStoreK8sSecretItem.namespace String This parameter is mandatory when enableTLS is set to true and optional when enableTLS is set to false.

Kubernetes secret namespace where TLS trust store secret is present.

tlsConfig.tlsTrustStoreK8sSecretItem.name String This parameter is mandatory when enableTLS is set to true and optional when enableTLS is set to false.

Name of Kubernetes TLS trust store secret.

tlsConfig.tlsTrustStoreK8sSecretItem.tlsTrustedCerts List<String> This parameter is mandatory when enableTLS is set to true and optional when enableTLS is set to false.

Certificate(s) used for validating the certificate presented by CA(s) during TLS handshake.
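
The `/type0=value0/type1=value1` syntax described for recipientDN and issuerDN in Table 2-1, worked through as a small parser. This is an added example, not OCCM or OpenSSL code; `parse_dn` is a hypothetical helper that implements only the rules stated in the table (backslash escapes, retained whitespace, skipped empty values, NULL-DN for a single `/`, and `+` for multi-valued RDNs).

```python
def parse_dn(arg):
    """Parse '/type0=value0/type1=value1+type2=value2' into a list of RDNs.

    Each RDN is a list of (type, value) pairs; a multi-valued RDN has several.
    """
    if not arg.startswith("/"):
        raise ValueError("DN must start with '/'")
    rdns, rdn = [], []
    typ, val = [], None              # val stays None until '=' is seen

    def flush():
        """Close the AVA being read and add it to the current RDN."""
        nonlocal typ, val
        name = "".join(typ)
        if name or val is not None:
            if not name or val is None:
                raise ValueError(f"malformed AVA near {name!r}: expected type=value")
            if val:                  # empty value: the type is left out
                rdn.append((name, "".join(val)))
        typ, val = [], None

    i = 1
    while i < len(arg):
        ch = arg[i]
        if ch == "\\":               # backslash takes the next character literally
            i += 1
            if i == len(arg):
                raise ValueError("dangling backslash at end of DN")
            (typ if val is None else val).append(arg[i])
        elif ch == "=" and val is None:
            val = []
        elif ch in "/+":
            flush()
            if ch == "/" and rdn:    # '/' starts a new RDN, '+' extends this one
                rdns.append(rdn)
                rdn = []
        else:
            (typ if val is None else val).append(ch)
        i += 1
    flush()
    if rdn:
        rdns.append(rdn)
    return rdns


if __name__ == "__main__":
    # The first value is the example from Table 2-1; the others are constructed.
    for text in ["/DC=org/DC=OpenSSL/DC=users/UID=123456+CN=John Doe",
                 "/", "/O=/CN=svc.thrust5", "/O=Example\\/Ops/CN=a\\+b"]:
        print(repr(text), "->", parse_dn(text))
```

A value without the leading `/` (for example `CN=ManagementCA`) raises `ValueError`, which makes the function usable as a pre-flight check on both DN fields before a request is sent.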

Table 2-2 OCCM Issuers Response Codes

Response codes Data type Cardinality Description
202 Accepted Object (Issuers) 1 This is a mandatory parameter

Object (Issuers)
200 OK Object (Issuers) Or List(Issuers) 1 This is a mandatory parameter

Object (Issuers) Or List(Issuers) matching criteria
400 Bad request Problem Details 1 This is a mandatory parameter

Input does not match to process request
500 Internal Server Error Problem Details 1 This is a mandatory parameter

Something went wrong
409 Conflict Problem Details 1 This is a mandatory parameter

Record already exists
404 Not Found Problem Details 1 This is a mandatory parameter

Queried Object(Issuer) not present

Note:

OCCM Issuers response body data model varies based on REST operation status.

OCCM Issuers JSON Payload

{
    "name": "",
    "server": "",
    "recipientDN": "",
    "issuerDN": "",
    "totalTimeout": "",
    "messageTimeout": "",
    "cmpProtectionOccmCert": {
        "type": null,
        "digestAlgorithm": null,
        "macAlgorithm": null,
        "macK8sSecretIn": {
            "namespace": "",
            "name": "",
            "passKey": "",
            "refKey": ""
        },
        "signK8sSecretIn": {
            "namespace": "",
            "name": "",
            "key": "",
            "cert": "",
            "extraCerts": []
        }
    },
    "cmpProtectionOtherCert": {
        "type": "",
        "digestAlgorithm": "",
        "signK8sSecretIn": {
            "namespace": "",
            "name": "",
            "key": "",
            "cert": "",
            "extraCerts": []
        }
    },
    "occmTrustStoreK8sSecretIn": {
        "namespace": "",
        "name": "",
        "rootCACerts": [],
        "intCACerts": [],
        "serverCert": ""
    },
    "tlsConfig": {
        "enableTLS": true,
        "tlsTrustStoreK8sSecretItem": {
            "namespace": "",
            "name": "",
            "tlsTrustedCerts": []
        }
    }
}
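
A pre-flight check for an issuer payload, covering the cross-field rules that Table 2-1 states: explicit port, TLS flag versus URL scheme and trust store, timeout limits and ordering, MAC versus SIGNATURE secret references, and trust anchors. This is an added example, not OCCM code; `validate_issuer`, its helpers and the sample payload are hypothetical, and OCCM's own server-side validation may differ.

```python
from urllib.parse import urlsplit

DIGESTS = {"SHA256", "SHA384", "SHA512"}
SIGN_KEYS = ["namespace", "name", "key", "cert"]

def missing(obj, keys, prefix):
    """Report keys that are absent, empty, or lists holding only empty strings."""
    obj = obj or {}
    found = []
    for key in keys:
        value = obj.get(key)
        if isinstance(value, list):
            value = [item for item in value if item]
        if not value:
            found.append(f"{prefix}.{key} is required")
    return found

def timeout(payload, key, maximum, findings):
    """Read a timeout sent as a string of seconds and range-check it."""
    raw = payload.get(key)
    try:
        value = int(raw)
    except (TypeError, ValueError):
        findings.append(f"{key} must be a whole number of seconds, got {raw!r}")
        return None
    if not 0 < value <= maximum:
        findings.append(f"{key}={value} is outside 1..{maximum} seconds")
    return value

def validate_issuer(payload):
    """Return a list of findings; an empty list means no rule was violated."""
    findings = missing(payload, ["name", "server", "recipientDN"], "issuer")
    url = urlsplit(payload.get("server") or "")
    try:
        port = url.port
    except ValueError:               # non-numeric or out-of-range port
        port = None
    if url.hostname and port is None:
        findings.append("server has no explicit port, so port 80 is used")

    tls = payload.get("tlsConfig") or {}
    if tls.get("enableTLS"):
        if url.scheme != "https":
            findings.append("tlsConfig.enableTLS is true but server is not an https URL")
        findings += missing(tls.get("tlsTrustStoreK8sSecretItem"),
                            ["namespace", "name", "tlsTrustedCerts"],
                            "tlsConfig.tlsTrustStoreK8sSecretItem")

    total = timeout(payload, "totalTimeout", 21600, findings)
    message = timeout(payload, "messageTimeout", 600, findings)
    if total is not None and message is not None and total <= message:
        findings.append("totalTimeout must be greater than messageTimeout")

    occm = payload.get("cmpProtectionOccmCert") or {}
    kind = occm.get("type")          # null: OCCM certificate configured manually
    if kind == "MAC":
        findings += missing(occm.get("macK8sSecretIn"), ["namespace", "name", "passKey"],
                            "cmpProtectionOccmCert.macK8sSecretIn")
    elif kind == "SIGNATURE":
        findings += missing(occm.get("signK8sSecretIn"), SIGN_KEYS,
                            "cmpProtectionOccmCert.signK8sSecretIn")
    elif kind is not None:
        findings.append("cmpProtectionOccmCert.type must be MAC or SIGNATURE")

    other = payload.get("cmpProtectionOtherCert") or {}
    if other.get("type") != "SIGNATURE":
        findings.append("cmpProtectionOtherCert.type must be SIGNATURE")
    if other.get("digestAlgorithm") not in DIGESTS:
        findings.append("cmpProtectionOtherCert.digestAlgorithm must be SHA256, SHA384 or SHA512")
    findings += missing(other.get("signK8sSecretIn"), SIGN_KEYS,
                        "cmpProtectionOtherCert.signK8sSecretIn")

    trust = payload.get("occmTrustStoreK8sSecretIn") or {}
    findings += missing(trust, ["namespace", "name"], "occmTrustStoreK8sSecretIn")
    roots = [cert for cert in trust.get("rootCACerts") or [] if cert]
    if not roots and not trust.get("serverCert"):
        findings.append("occmTrustStoreK8sSecretIn needs rootCACerts or serverCert")
    elif roots and trust.get("serverCert"):
        findings.append("occmTrustStoreK8sSecretIn.serverCert is set, so rootCACerts is ignored")
    return findings

# Constructed payload with deliberate mistakes (names and hosts are made up).
SAMPLE = {
    "name": "CA-example", "server": "http://ca.example.internal/cmp",
    "recipientDN": "/CN=ExampleCA", "totalTimeout": "30", "messageTimeout": "30",
    "cmpProtectionOccmCert": {"type": "MAC", "macK8sSecretIn": {
        "namespace": "ns1", "name": "macsecret", "passKey": "", "refKey": "ref"}},
    "cmpProtectionOtherCert": {"type": "SIGNATURE", "digestAlgorithm": "SHA1", "signK8sSecretIn": {
        "namespace": "ns1", "name": "occm-key-cert", "key": "occmkey.pem", "cert": "occm.cer"}},
    "occmTrustStoreK8sSecretIn": {"namespace": "ns1", "name": "trust",
                                  "rootCACerts": [], "serverCert": ""},
    "tlsConfig": {"enableTLS": True, "tlsTrustStoreK8sSecretItem": {
        "namespace": "", "name": "", "tlsTrustedCerts": [""]}},
}

if __name__ == "__main__":
    for finding in validate_issuer(SAMPLE):
        print("-", finding)
```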

2.1.1 Fetch All Issuers

OCCM uses the GET operation to fetch all issuer details.

Resource URI: /occm-config/v1/issuers

Table 2-3 Data structures supported by the GET Response Body on this resource

Response codes Data type Cardinality Description
200 OK Object (Issuers) 1 This is a mandatory parameter.

Object (Issuers) matching criteria
500 Internal Server Error Problem Details 1 This is a mandatory parameter.

Something went wrong
Sample GET Request:
$ curl --location --request GET 'http://{host}:{port}/occm-config/v1/issuers' \
--header 'Oc-Cncc-Id: Cluster1' \
--header 'Oc-Cncc-Instance-Id: Cluster1-OCCM-instance1' \
--header 'Authorization: Bearer eyJhbGciOiJSUzI1Ni'
Sample GET Response:
200 OK Response Body: '[{
        "uuid": "d692b217-00ca-433b-819d-cb038dba256b",
        "name": "CA-thrust-05",
        "server": "https://thrust5:8445/ejbca/publicweb/cmp/occmalias",
        "recipientDN": "/CN=ManagementCA",
        "issuerDN": "",
        "totalTimeout": "120",
        "messageTimeout": "30",
        "cmpProtectionOccmCert": {
            "type": "MAC",
            "digestAlgorithm": null,
            "macAlgorithm": null,
            "macK8sSecretIn": {
                "namespace": "occncc-thrust5-01",
                "name": "macsecret",
                "passKey": "pwd",
                "refKey": "ref"
            },
            "signK8sSecretIn": {
                "namespace": "",
                "name": "",
                "key": "",
                "cert": "",
                "extraCerts": []
            }
        },
        "cmpProtectionOtherCert": {
            "type": "SIGNATURE",
            "digestAlgorithm": "SHA384",
            "signK8sSecretIn": {
                "namespace": "occncc-thrust5-01",
                "name": "ca-occm-key-cert-secret-thrust-5102",
                "key": "occmkey.pem",
                "cert": "occm.cer",
                "extraCerts": []
            }
        },
        "occmTrustStoreK8sSecretIn": {
            "namespace": "occncc-thrust5-01",
            "name": "ca-occm-tls-trust-store-secret-thrust-5",
            "rootCACerts": [
                "ManagementCA-chain.pem"
            ],
            "intCACerts": [],
            "serverCert": ""
        },
        "tlsConfig": {
            "enableTLS": true,
            "tlsTrustStoreK8sSecretItem": {
                "namespace": "occncc-thrust5-01",
                "name": "ca-occm-tls-trust-store-secret-thrust-5",
                "tlsTrustedCerts": [
                    "ManagementCA-chain.pem",
                    "RootCA.pem"
                ]
            }
        }
    },
    {
        "uuid": "897d6073-0bea-4525-b814-0fbda8b85563",
        "name": "CA7",
        "server": "https://thrust5:8445/ejbca/publicweb/cmp/occmalias",
        "recipientDN": "/CN=ManagementCA",
        "issuerDN": "",
        "totalTimeout": "120",
        "messageTimeout": "30",
        "cmpProtectionOccmCert": {
            "type": "MAC",
            "digestAlgorithm": null,
            "macAlgorithm": null,
            "macK8sSecretIn": {
                "namespace": "occncc-thrust5-01",
                "name": "macsecret",
                "passKey": "pwd",
                "refKey": "ref"
            },
            "signK8sSecretIn": {
                "namespace": "",
                "name": "",
                "key": "",
                "cert": "",
                "extraCerts": []
            }
        },
        "cmpProtectionOtherCert": {
            "type": "SIGNATURE",
            "digestAlgorithm": "SHA384",
            "signK8sSecretIn": {
                "namespace": "occncc-thrust5-01",
                "name": "ca-occm-key-cert-secret-thrust-5102",
                "key": "occmkey.pem",
                "cert": "occm.cer",
                "extraCerts": []
            }
        },
        "occmTrustStoreK8sSecretIn": {
            "namespace": "occncc-thrust5-01",
            "name": "ca-occm-tls-trust-store-secret-thrust-5",
            "rootCACerts": [
                "ManagementCA-chain.pem"
            ],
            "intCACerts": [],
            "serverCert": ""
        },
        "tlsConfig": {
            "enableTLS": true,
            "tlsTrustStoreK8sSecretItem": {
                "namespace": "occncc-thrust5-01",
                "name": "ca6-occm-tls-trust-store-secret",
                "tlsTrustedCerts": [
                    "ManagementCA-chain.pem"
                ]
            }
        }
    },
    {
        "uuid": "9c845672-ebee-4ce6-ad98-ce2e6e3fe1d5",
        "name": "CA5",
        "server": "http://thrust5:8445/ejbca/publicweb/cmp/occmalias",
        "recipientDN": "/CN=ManagementCA",
        "issuerDN": "",
        "totalTimeout": "120",
        "messageTimeout": "30",
        "cmpProtectionOccmCert": {
            "type": "MAC",
            "digestAlgorithm": null,
            "macAlgorithm": null,
            "macK8sSecretIn": {
                "namespace": "occncc-thrust5-01",
                "name": "macsecret",
                "passKey": "pwd",
                "refKey": "ref"
            },
            "signK8sSecretIn": {
                "namespace": "",
                "name": "",
                "key": "",
                "cert": "",
                "extraCerts": []
            }
        },
        "cmpProtectionOtherCert": {
            "type": "SIGNATURE",
            "digestAlgorithm": "SHA384",
            "signK8sSecretIn": {
                "namespace": "occncc-thrust5-01",
                "name": "ca-occm-key-cert-secret-thrust-5102",
                "key": "occmkey.pem",
                "cert": "occm.cer",
                "extraCerts": []
            }
        },
        "occmTrustStoreK8sSecretIn": {
            "namespace": "occncc-thrust5-01",
            "name": "ca-occm-tls-trust-store-secret-thrust-5",
            "rootCACerts": [
                "ManagementCA-chain.pem"
            ],
            "intCACerts": [],
            "serverCert": ""
        },
        "tlsConfig": {
            "enableTLS": false,
            "tlsTrustStoreK8sSecretItem": {
                "namespace": "",
                "name": "",
                "tlsTrustedCerts": [
                    ""
                ]
            }
        }
    }
    ]'

2.1.2 Fetch Issuers by UUID

OCCM uses the GET operation to fetch issuers by UUID.

Resource URI: /occm-config/v1/issuers/{uuid}

Table 2-4 Path Parameter

Field Name Data Type Mandatory (M) or Optional (O) Description
uuid String M UUID of the issuer to search for.

Data structures supported by the GET Response Body on this resource

Response codes Data type Cardinality Description
200 OK Object (Issuers) 1 This is a mandatory parameter.

Object (Issuers) matching criteria
500 Internal Server Error Problem Details 1 This is a mandatory parameter.

This indicates that something went wrong.
Sample GET Request:

$ curl --location --request GET 'http://{host}:{port}/occm-config/v1/issuers/4c5b4025-6c63-438c-bcd7-27b5bf8da4fd' \
--header 'Oc-Cncc-Id: Cluster1' \
--header 'Oc-Cncc-Instance-Id: Cluster1-OCCM-instance1' \
--header 'Authorization: Bearer eyJhbGciOiJSUzI1NiIs'
Sample GET Response:
200 OK Response Body: '{
        "uuid": "4c5b4025-6c63-438c-bcd7-27b5bf8da4fd",
        "name": "CA1",
        "server": "http://ca1-openssl-mock.ns1.svc.thrust5:8080",
        "recipientDN": "/CN=svc.thrust5",
        "issuerDN": "/CN=svc.thrust5",
        "totalTimeout": "720",
        "messageTimeout": "120",
        "cmpProtectionOccmCert": {
            "type": null,
            "digestAlgorithm": null,
            "macAlgorithm": null,
            "macK8sSecretIn": {
                "namespace": "",
                "name": "",
                "passKey": "",
                "refKey": ""
            },
            "signK8sSecretIn": {
                "namespace": "",
                "name": "",
                "key": "",
                "cert": "",
                "extraCerts": []
            }
        },
        "cmpProtectionOtherCert": {
            "type": "SIGNATURE",
            "digestAlgorithm": "SHA256",
            "signK8sSecretIn": {
                "namespace": "ns1",
                "name": "ca1-occm-key-cert-secret",
                "key": "occmkey.pem",
                "cert": "occm.cer",
                "extraCerts": []
            }
        },
        "occmTrustStoreK8sSecretIn": {
            "namespace": "ns1",
            "name": "ca1-occm-trust-store-secret",
            "rootCACerts": [
                "caroot.cer"
            ],
            "intCACerts": [
                "intca.cer"
            ],
            "serverCert": "server.cer"
        },
        "tlsConfig": {
            "enableTLS": false,
            "tlsTrustStoreK8sSecretItem": {
                "namespace": "",
                "name": "",
                "tlsTrustedCerts": [""]
            }
        }
    }'

2.1.3 Add Issuer Configurations

OCCM uses the POST operation to add issuer configurations using the request body.

Resource URI: /occm-config/v1/issuers

Table 2-5 Data structures supported by the POST Response Body on this resource

Response codes Data type Cardinality Description
202 ACCEPTED Issuers 1 This is a mandatory parameter.

Issuers configuration data
400 BAD REQUEST Problem Details 1 This is a mandatory parameter.

Returns Problem Details structure
409 CONFLICT Problem Details 1 This is a mandatory parameter.

Record already exists
Sample POST Request when Enable TLS is False:
$ curl --location --request POST 'http://{host}:{port}/occm-config/v1/issuers' \
--header 'Oc-Cncc-Id: Cluster1' \
--header 'Oc-Cncc-Instance-Id: Cluster1-OCCM-instance1' \
--header 'Authorization: Bearer LxuLeX9dihXDUcoFwDw' \
--header 'Content-Type: application/json' \
--data-raw '{
    "name": "CA1",
    "server": "http://ca1-openssl-mock.ns1.svc.thrust5:8080",
    "recipientDN": "/CN=svc.thrust5",
    "issuerDN": "/CN=svc.thrust5",
    "totalTimeout": "60",
    "messageTimeout": "30",
    "cmpProtectionOccmCert": {
        "type": null,
        "digestAlgorithm": null,
        "macAlgorithm": null,
        "macK8sSecretIn": {
            "namespace": "",
            "name": "",
            "passKey": "",
            "refKey": ""
        },
        "signK8sSecretIn": {
            "namespace": "",
            "name": "",
            "key": "",
            "cert": "",
            "extraCerts": []
        }
    },
    "cmpProtectionOtherCert": {
        "type": "SIGNATURE",
        "digestAlgorithm": "SHA256",
        "signK8sSecretIn": {
            "namespace": "ns1",
            "name": "ca1-occm-key-cert-secret",
            "key": "occmkey.pem",
            "cert": "occm.cer",
            "extraCerts": []
        }
    },
    "occmTrustStoreK8sSecretIn": {
        "namespace": "ns1",
        "name": "ca1-occm-trust-store-secret",
        "rootCACerts": ["caroot.cer"],
        "intCACerts": ["intca.cer"],
        "serverCert": ""
    },
    "tlsConfig": {
        "enableTLS": false,
        "tlsTrustStoreK8sSecretItem": {
            "namespace": "",
            "name": "",
            "tlsTrustedCerts": [""]
        }
    }
}'

Sample POST Response:

 202 Accepted Response Body: '{
    "uuid": "4c5b4025-6c63-438c-bcd7-27b5bf8da4fd",         
    "name": "CA1",
    "server": "http://ca1-openssl-mock.ns1.svc.thrust5:8080",
    "recipientDN": "/CN=svc.thrust5",
    "issuerDN": "/CN=svc.thrust5",
    "totalTimeout": "60",
    "messageTimeout": "30",
    "cmpProtectionOccmCert": {
        "type": null,
        "digestAlgorithm": null,
        "macAlgorithm": null,
        "macK8sSecretIn": {
            "namespace": "",
            "name": "",
            "passKey": "",
            "refKey": ""
        },
        "signK8sSecretIn": {
            "namespace": "",
            "name": "",
            "key": "",
            "cert": "",
            "extraCerts": []
        }
    },
    "cmpProtectionOtherCert": {
        "type": "SIGNATURE",
        "digestAlgorithm": "SHA256",
        "signK8sSecretIn": {
            "namespace": "ns1",
            "name": "ca1-occm-key-cert-secret",
            "key": "occmkey.pem",
            "cert": "occm.cer",
            "extraCerts": []
        }
    },
    "occmTrustStoreK8sSecretIn": {
        "namespace": "ns1",
        "name": "ca1-occm-trust-store-secret",
        "rootCACerts": ["caroot.cer"],
        "intCACerts": ["intca.cer"],
        "serverCert": ""
    },
    "tlsConfig": {
        "enableTLS": false,
        "tlsTrustStoreK8sSecretItem": {
            "namespace": "",
            "name": "",
            "tlsTrustedCerts": [""]
        }
    }
}'
Sample POST request when Enable TLS is True (HTTPS):
$ curl --location --request POST 'http://{host}:{port}/occm-config/v1/issuers' \
--header 'Oc-Cncc-Id: Cluster1' \
--header 'Oc-Cncc-Instance-Id: Cluster1-OCCM-instance1' \
--header 'Authorization: Bearer LxuLeX9dihXDUcoFwDw' \
--header 'Content-Type: application/json' \
--data-raw '{
    "name": "CA-TLS-1",
    "server": "https://thrust5:8445/ejbca/publicweb/cmp/occmalias",
    "recipientDN": "/CN=svc.thrust5",
    "issuerDN": "/CN=ManagementCA",
    "totalTimeout": "60",
    "messageTimeout": "30",
    "cmpProtectionOccmCert": {
        "type": null,
        "digestAlgorithm": null,
        "macAlgorithm": null,
        "macK8sSecretIn": {
            "namespace": "",
            "name": "",
            "passKey": "",
            "refKey": ""
        },
        "signK8sSecretIn": {
            "namespace": "",
            "name": "",
            "key": "",
            "cert": "",
            "extraCerts": []
        }
    },
    "cmpProtectionOtherCert": {
        "type": "SIGNATURE",
        "digestAlgorithm": "SHA256",
        "signK8sSecretIn": {
            "namespace": "ns1",
            "name": "ca1-occm-key-cert-secret",
            "key": "occmkey.pem",
            "cert": "occm.cer",
            "extraCerts": []
        }
    },
    "occmTrustStoreK8sSecretIn": {
        "namespace": "ns1",
        "name": "ca1-occm-trust-store-secret",
        "rootCACerts": ["caroot.cer"],
        "intCACerts": ["intca.cer"],
        "serverCert": ""
    },
    "tlsConfig": {
        "enableTLS": true,
        "tlsTrustStoreK8sSecretItem": {
            "namespace": "ns1",
            "name": "occm-tls-trust-store-secret",
            "tlsTrustedCerts": ["ManagementCA-chain.pem"]
        }
    }
}'
Sample POST Response:
 202 Accepted Response Body: '{
    "uuid": "4c5b4025-6c63-438c-bcd7-27b5bf8da4fd",         
    "name": "CA-TLS-1",
    "server": "https://thrust5:8445/ejbca/publicweb/cmp/occmalias",
    "recipientDN": "/CN=svc.thrust5",
    "issuerDN": "/CN=ManagementCA",
    "totalTimeout": "60",
    "messageTimeout": "30",
    "cmpProtectionOccmCert": {
        "type": null,
        "digestAlgorithm": null,
        "macAlgorithm": null,
        "macK8sSecretIn": {
            "namespace": "",
            "name": "",
            "passKey": "",
            "refKey": ""
        },
        "signK8sSecretIn": {
            "namespace": "",
            "name": "",
            "key": "",
            "cert": "",
            "extraCerts": []
        }
    },
    "cmpProtectionOtherCert": {
        "type": "SIGNATURE",
        "digestAlgorithm": "SHA256",
        "signK8sSecretIn": {
            "namespace": "ns1",
            "name": "ca1-occm-key-cert-secret",
            "key": "occmkey.pem",
            "cert": "occm.cer",
            "extraCerts": []
        }
    },
    "occmTrustStoreK8sSecretIn": {
        "namespace": "ns1",
        "name": "ca1-occm-trust-store-secret",
        "rootCACerts": ["caroot.cer"],
        "intCACerts": ["intca.cer"],
        "serverCert": ""
    },
    "tlsConfig": {
        "enableTLS": true,
        "tlsTrustStoreK8sSecretItem": {
            "namespace": "ns1",
            "name": "occm-tls-trust-store-secret",
            "tlsTrustedCerts": ["ManagementCA-chain.pem"]
        }
    }
}'

2.1.4 Update Issuer Configurations

OCCM uses the PUT operation to update the issuers configuration using the issuer uuid (in path parameter) and request body.

Resource URI: /occm-config/v1/issuers/{uuid}

Update Issuer functionality depends on the following:
  • No certificate is attached to an issuer: all fields can be updated.
  • A certificate is attached to an issuer: only the following fields can be updated:
    • server - Domain URL of CA
    • tlsConfig - TLS Configuration:
      • enableTLS - When set to true, an HTTPS connection to the CA is made. Ensure that the scheme in the server URL is HTTPS if this is set to true.
      • tlsTrustStoreK8sSecretItem - TLS trust store secret details such as:
        • namespace - Kubernetes namespace where the TLS trust store secret is present
        • name - Kubernetes secret which holds TLS trust store information (CA certificates)
        • tlsTrustedCerts - Trusted certificate(s) to use for validating the TLS server certificate.
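
The update rule above, applied to a PUT body before it is sent: the current issuer (as returned by GET) is compared with the proposed body, and every changed field outside `server` and `tlsConfig` is reported when a certificate is attached. This is an added example, not OCCM code; `changed_paths`, `blocked_changes` and the `certificate_attached` flag are hypothetical, and the payloads are constructed and trimmed.

```python
UPDATABLE_WITH_CERTIFICATE = {"server", "tlsConfig"}   # fields named in the list above


def changed_paths(current, proposed, prefix=""):
    """Yield the dotted path of every value that differs between two JSON objects."""
    if isinstance(current, dict) and isinstance(proposed, dict):
        for key in sorted(current.keys() | proposed.keys()):
            path = f"{prefix}.{key}" if prefix else key
            yield from changed_paths(current.get(key), proposed.get(key), path)
    elif current != proposed:
        yield prefix


def blocked_changes(current, proposed, certificate_attached):
    """Return the changed paths that the update rule does not allow."""
    if not certificate_attached:
        return []                      # every field may be updated
    return [path for path in changed_paths(current, proposed)
            if path.split(".")[0] not in UPDATABLE_WITH_CERTIFICATE]


# Constructed sample: a trimmed issuer and an edited copy intended for PUT.
CURRENT = {
    "uuid": "00000000-0000-0000-0000-000000000000",   # placeholder, not a real issuer
    "name": "CA-example",
    "server": "http://ca.example.internal:8080",
    "messageTimeout": "30",
    "occmTrustStoreK8sSecretIn": {"namespace": "ns1", "name": "trust",
                                  "rootCACerts": ["caroot.cer"]},
    "tlsConfig": {"enableTLS": False, "tlsTrustStoreK8sSecretItem": {
        "namespace": "", "name": "", "tlsTrustedCerts": [""]}},
}
PROPOSED = {
    **CURRENT,
    "server": "https://ca.example.internal:8445",
    "messageTimeout": "60",
    "occmTrustStoreK8sSecretIn": {"namespace": "ns1", "name": "trust",
                                  "rootCACerts": ["other.cer"]},
    "tlsConfig": {"enableTLS": True, "tlsTrustStoreK8sSecretItem": {
        "namespace": "ns1", "name": "tls-trust", "tlsTrustedCerts": ["chain.pem"]}},
}

if __name__ == "__main__":
    for path in blocked_changes(CURRENT, PROPOSED, certificate_attached=True):
        print("not updatable while a certificate is attached:", path)
```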

Table 2-6 Path Parameter

Name Data Type Mandatory (M) or Optional (O) Cardinality Description
uuid String M 1 Issuer uuid

Table 2-7 Data structures supported by the PUT Response Body on this resource

Response codes Data type Cardinality Description
200 OK Issuers 1 This is a mandatory parameter.

Issuers configuration data
400 BAD REQUEST Problem Details 1 This is a mandatory parameter.

Invalid input is passed to process request.
Sample PUT Request when Enable TLS is False:
$ curl --location --request PUT 'http://{host}:{port}/occm-config/v1/issuers/4c5b4025-6c63-438c-bcd7-27b5bf8da4fd' \
--header 'Oc-Cncc-Id: Cluster1' \
--header 'Oc-Cncc-Instance-Id: Cluster1-OCCM-instance1' \
--header 'Authorization: Bearer LxuLeX9dihXDUcoFwDw' \
--header 'Content-Type: application/json' \
--data-raw '{
    "uuid": "4c5b4025-6c63-438c-bcd7-27b5bf8da4fd",
    "name": "CA1",
    "server": "http://ca1-openssl-mock.ns1.svc.thrust5:8080",
    "recipientDN": "/CN=svc.thrust5",
    "issuerDN": "/CN=svc.thrust5",
    "totalTimeout": "60",
    "messageTimeout": "30",
    "cmpProtectionOccmCert": {
        "type": null,
        "digestAlgorithm": null,
        "macAlgorithm": null,
        "macK8sSecretIn": {
            "namespace": "",
            "name": "",
            "passKey": "",
            "refKey": ""
        },
        "signK8sSecretIn": {
            "namespace": "",
            "name": "",
            "key": "",
            "cert": "",
            "extraCerts": []
        }
    },
    "cmpProtectionOtherCert": {
        "type": "SIGNATURE",
        "digestAlgorithm": "SHA256",
        "signK8sSecretIn": {
            "namespace": "ns1",
            "name": "ca1-occm-key-cert-secret",
            "key": "occmkey.pem",
            "cert": "occm.cer",
            "extraCerts": []
        }
    },
    "occmTrustStoreK8sSecretIn": {
        "namespace": "ns1",
        "name": "ca1-occm-trust-store-secret",
        "rootCACerts": ["caroot.cer"],
        "intCACerts": ["intca.cer"],
        "serverCert": ""
    },
    "tlsConfig": {
        "enableTLS": false,
        "tlsTrustStoreK8sSecretItem": {
            "namespace": "",
            "name": "",
            "tlsTrustedCerts": [""]
        }
    }
}'
Sample PUT Response:
200 Success Response Body: '{
    "uuid": "4c5b4025-6c63-438c-bcd7-27b5bf8da4fd",
    "name": "CA1",
    "server": "http://ca1-openssl-mock.ns1.svc.thrust5:8080",
    "recipientDN": "/CN=svc.thrust5",
    "issuerDN": "/CN=svc.thrust5",
    "totalTimeout": "60",
    "messageTimeout": "30",
    "cmpProtectionOccmCert": {
        "type": null,
        "digestAlgorithm": null,
        "macAlgorithm": null,
        "macK8sSecretIn": {
            "namespace": "",
            "name": "",
            "passKey": "",
            "refKey": ""
        },
        "signK8sSecretIn": {
            "namespace": "",
            "name": "",
            "key": "",
            "cert": "",
            "extraCerts": []
        }
    },
    "cmpProtectionOtherCert": {
        "type": "SIGNATURE",
        "digestAlgorithm": "SHA256",
        "signK8sSecretIn": {
            "namespace": "ns1",
            "name": "ca1-occm-key-cert-secret",
            "key": "occmkey.pem",
            "cert": "occm.cer",
            "extraCerts": []
        }
    },
    "occmTrustStoreK8sSecretIn": {
        "namespace": "ns1",
        "name": "ca1-occm-trust-store-secret",
        "rootCACerts": ["caroot.cer"],
        "intCACerts": ["intca.cer"],
        "serverCert": ""
    },
    "tlsConfig": {
        "enableTLS": false,
        "tlsTrustStoreK8sSecretItem": {
            "namespace": "",
            "name": "",
            "tlsTrustedCerts": [""]
        }
    }
}'
Sample PUT Request when Enable TLS is true:
curl --location --request PUT 'http://{host}:{port}/occm-config/v1/issuers/4c5b4025-6c63-438c-bcd7-27b5bf8da4fd' \
--header 'Oc-Cncc-Id: Cluster1' \
--header 'Oc-Cncc-Instance-Id: Cluster1-OCCM-instance1' \
--header 'Authorization: Bearer LxuLeX9dihXDUcoFwDw' \
--header 'Content-Type: application/json' \
--data-raw '{
    "uuid": "4c5b4025-6c63-438c-bcd7-27b5bf8da4fd",
    "name": "CA-TLS-1",
    "server": "https://thrust5:8445/ejbca/publicweb/cmp/occmalias",
    "recipientDN": "/CN=svc.thrust5",
    "issuerDN": "/CN=ManagementCA",
    "totalTimeout": "60",
    "messageTimeout": "30",
    "cmpProtectionOccmCert": {
        "type": null,
        "digestAlgorithm": null,
        "macAlgorithm": null,
        "macK8sSecretIn": {
            "namespace": "",
            "name": "",
            "passKey": "",
            "refKey": ""
        },
        "signK8sSecretIn": {
            "namespace": "",
            "name": "",
            "key": "",
            "cert": "",
            "extraCerts": []
        }
    },
    "cmpProtectionOtherCert": {
        "type": "SIGNATURE",
        "digestAlgorithm": "SHA256",
        "signK8sSecretIn": {
            "namespace": "ns1",
            "name": "ca1-occm-key-cert-secret",
            "key": "occmkey.pem",
            "cert": "occm.cer",
            "extraCerts": []
        }
    },
    "occmTrustStoreK8sSecretIn": {
        "namespace": "ns1",
        "name": "ca1-occm-trust-store-secret",
        "rootCACerts": ["caroot.cer"],
        "intCACerts": ["intca.cer"],
        "serverCert": ""
    },
    "tlsConfig": {
        "enableTLS": true,
        "tlsTrustStoreK8sSecretItem": {
            "namespace": "ns1",
            "name": "occm-tls-trust-store-secret",
            "tlsTrustedCerts": ["ManagementCA-chain.pem"]
        }
    }
}'
Sample PUT Response:
200 Success Response Body: '{
    "uuid": "4c5b4025-6c63-438c-bcd7-27b5bf8da4fd",
    "name": "CA-TLS-1",
    "server": "https://thrust5:8445/ejbca/publicweb/cmp/occmalias",
    "recipientDN": "/CN=svc.thrust5",
    "issuerDN": "/CN=ManagementCA",
    "totalTimeout": "60",
    "messageTimeout": "30",
    "cmpProtectionOccmCert": {
        "type": null,
        "digestAlgorithm": null,
        "macAlgorithm": null,
        "macK8sSecretIn": {
            "namespace": "",
            "name": "",
            "passKey": "",
            "refKey": ""
        },
        "signK8sSecretIn": {
            "namespace": "",
            "name": "",
            "key": "",
            "cert": "",
            "extraCerts": []
        }
    },
    "cmpProtectionOtherCert": {
        "type": "SIGNATURE",
        "digestAlgorithm": "SHA256",
        "signK8sSecretIn": {
            "namespace": "ns1",
            "name": "ca1-occm-key-cert-secret",
            "key": "occmkey.pem",
            "cert": "occm.cer",
            "extraCerts": []
        }
    },
    "occmTrustStoreK8sSecretIn": {
        "namespace": "ns1",
        "name": "ca1-occm-trust-store-secret",
        "rootCACerts": ["caroot.cer"],
        "intCACerts": ["intca.cer"],
        "serverCert": ""
    },
    "tlsConfig": {
        "enableTLS": true,
        "tlsTrustStoreK8sSecretItem": {
            "namespace": "ns1",
            "name": "occm-tls-trust-store-secret",
            "tlsTrustedCerts": ["ManagementCA-chain.pem"]
        }
    }
}'

2.1.5 Delete Issuers Data

OCCM uses the DELETE operation to delete the Issuers data based on issuer UUID.

Note:

An issuer can only be deleted if there are no certificates referring to this issuer entry.

Resource URI: /occm-config/v1/issuers/{uuid}

Table 2-8 Path Parameter

Name Data Type Mandatory (M) or Optional (O) Cardinality Description
uuid String M 1 Issuer uuid

Table 2-9 Data structures supported by the DELETE Response Body on this resource

Response codes Data type Cardinality Description
200 OK Issuers 1 This is a mandatory parameter.

Issuers configuration data
400 Bad Request Problem Details 1 This is a mandatory parameter.

Input does not match to process request
Sample DELETE Request:
$ curl --location --request DELETE 'http://{host}:{port}/occm-config/v1/issuers/4c5b4025-6c63-438c-bcd7-27b5bf8da4fd' \
--header 'oc-cncc-id: Cluster1' \
--header 'oc-cncc-instance-id: Cluster1-OCCM-instance1' \
--header 'Authorization: Bearer eyJhbGciOiJSUzI1NiIs.…...'  
Sample DELETE Response:
200 OK Response Body: '{
    "uuid": "4c5b4025-6c63-438c-bcd7-27b5bf8da4fd",
    "name": "CA1",
    "server": "http://ca1-openssl-mock.ns1.svc.thrust5:8080",
    "recipientDN": "/CN=svc.thrust5",
    "issuerDN": "/CN=svc.thrust5",
    "totalTimeout": "60",
    "messageTimeout": "30",
    "cmpProtectionOccmCert": {
        "type": null,
        "digestAlgorithm": null,
        "macAlgorithm": null,
        "macK8sSecretIn": {
            "namespace": "",
            "name": "",
            "passKey": "",
            "refKey": ""
        },
        "signK8sSecretIn": {
            "namespace": "",
            "name": "",
            "key": "",
            "cert": "",
            "extraCerts": []
        }
    },
    "cmpProtectionOtherCert": {
        "type": "SIGNATURE",
        "digestAlgorithm": "SHA256",
        "signK8sSecretIn": {
            "namespace": "ns1",
            "name": "ca1-occm-key-cert-secret",
            "key": "occmkey.pem",
            "cert": "occm.cer",
            "extraCerts": []
        }
    },
    "occmTrustStoreK8sSecretIn": {
        "namespace": "ns1",
        "name": "ca1-occm-trust-store-secret",
        "rootCACerts": ["caroot.cer"],
        "intCACerts": ["intca.cer"],
        "serverCert": ""
    },
    "tlsConfig": {
        "enableTLS": false,
        "tlsTrustStoreK8sSecretItem": {
            "namespace": "",
            "name": "",
            "tlsTrustedCerts": [""]
        }
    }
}'

2.2 OCCM Certificates

OCCM Certificates Data Model

Table 2-10 OCCM Certificates Request Parameters

Field Name DataType Description
name String This is a mandatory parameter.

Name of the certificate
lcmType Enum This is a mandatory parameter.

Possible Values:

AUTOMATIC, MANUAL
certType Enum This is a mandatory parameter.

Possible Values:

OCCM, OTHER
renewBefore String This is an optional parameter.

Number of days before the certificate expiry, when the certificate will be renewed.

Default Value 14 Days

Min: 1 days

Max: [(validity i.e csr.days)-1] days

certPurpose String This is an optional parameter.

Purpose of certificate creation
issuer String This is a mandatory parameter.

Name of CA
privateKey Object This is a mandatory parameter.

Private key details like algorithm, key size and key encoding
privateKey.keyAlgo Enum This is a mandatory parameter.

Private key algorithm to be used. Supported values: RSA and EC

Possible values: RSA, EC

privateKey.keySize Enum This is an optional parameter.

The number of bits in the generated key. Select a bit length of at least 2048 when using RSA and 256 when using ECDSA. These are the smallest key sizes allowed for SSL certificates.

Possible values: KEYSIZE_2048, KEYSIZE_4096

Default Value for RSA Key: 2048 bits
privateKey.keyEncoding Enum This is a mandatory parameter.

The output format of a private key input source.

Default Value: PEM

Possible values: PEM, DER
privateKey.ecCurve Enum This is an optional parameter.

The EC curve to use if the key algorithm selected is EC.

Default Value: SECP384r1

Possible values:

SECP256r1

SECP384r1

privateKey.keyFormat String This is a mandatory parameter.

The output format of a private key input source. Default Value: PEM
privateKey.privateKeyK8sSecretOut Object This is a mandatory parameter, except for CMP Identity (OCCM) certificates, where it is optional because it is auto-populated from the issuer.

Private key output location
privateKey.privateKeyK8sSecretOut.namespace String This is a mandatory parameter, except for CMP Identity (OCCM) certificates, where it is optional because it is auto-populated from the issuer.

Kubernetes namespace
privateKey.privateKeyK8sSecretOut.name String This is a mandatory parameter, except for CMP Identity (OCCM) certificates, where it is optional because it is auto-populated from the issuer.

Kubernetes secret name
privateKey.privateKeyK8sSecretOut.key String This is a mandatory parameter, except for CMP Identity (OCCM) certificates, where it is optional because it is auto-populated from the issuer.

Kubernetes secret key against which the key-pair will be stored.
csr Object This is a mandatory parameter.

Certificate Signing Request data
csr.extendedKeyUsage Object This is a mandatory parameter.

A multi-valued certificate extension containing a list of values indicating purposes for which the certificate public key can be used
csr.extendedKeyUsage.critical Boolean This is an optional parameter.

When set to true, extended key usage extension will be marked as critical.

Default Value: false

Possible values:

true

false

csr.extendedKeyUsage.extendedKeyUsageValues List<Enum> This is a mandatory parameter.

List of extendedKeyUsage values

Default Value(s): CLIENT_AUTH, SERVER_AUTH

Possible values:

CLIENT_AUTH, SERVER_AUTH
csr.keyUsage Object This is a mandatory parameter.

A multi-valued certificate extension containing a list of names of the permitted key usages.
csr.keyUsage.critical Boolean This is an optional parameter.

When set to true, key usage extension will be marked as critical.

Possible values:

true

false

csr.keyUsage.keyUsageValues List<Enum> This is a mandatory parameter.

List of keyUsage values

Default Value: DIGITAL_SIGNATURE

Possible values: DIGITAL_SIGNATURE, KEY_ENCIPHERMENT, NON_REPUDIATION

csr.basicConstraints Object This is an optional parameter.

This is a multi-valued extension which indicates whether a certificate is a CA certificate. The first value is CA followed by TRUE or FALSE
csr.basicConstraints.critical Boolean This is an optional parameter.

When set to true, basicConstraints extension will be marked as critical.

Possible values:

true

false

csr.basicConstraints.basicConstraintsValue Enum This is an optional parameter.

BasicConstraints value

Default Value: END_ENTITY

Possible values:

END_ENTITY
csr.subject Object This is a mandatory parameter except if csr.subjectAltName is not provided.

Information about company
csr.subject.country String This is an optional parameter.

Country code where company is legally located.
csr.subject.state String This is an optional parameter.

State where company is legally located.
csr.subject.location String This is an optional parameter.

The city or town where company is legally located.
csr.subject.organization String This is an optional parameter.

Your company's legally registered name.
csr.subject.organizationUnit String This is an optional parameter.

Name of your department within the organization.
csr.subject.commonName String This is an optional parameter.

The Common Name (AKA CN) represents the server name to be protected by the SSL certificate. The certificate is valid only if the request hostname matches the certificate common name.

csr.days String This is a mandatory parameter.

Requested validity for the certificate, that is, the number of days for which the certificate will be valid.

Default Value: 365 Days

Max Value: 1096

Min Value: 2 Days

csr.subjectAltName Object This is an optional parameter.

A multi-valued extension indicating all of the domain names, IP addresses, URIs etc that are secured by the certificate.
csr.subjectAltName.critical Boolean This is an optional parameter.

When set to true, subjectAltName extension will be marked as critical.

Default Value: true

Possible values:

true

false

csr.subjectAltName.ipAddress List<String> This is an optional parameter.

List of IP addresses.
csr.subjectAltName.dns List<String> This is an optional parameter.

List of domain names
csr.subjectAltName.uriIdUrn List<String> This is an optional parameter.

List of URI ID (URN of the NFInstanceId)
csr.subjectAltName.uriIdApiRoot List<String> This is an optional parameter.

List of uniform resource locator IDs
csr.certK8sSecretOut Object This is a mandatory parameter, except for the CMP Identity (OCCM) certificate, where it is optional because it is auto-populated from the issuer.

Certificate output location.
csr.certK8sSecretOut.namespace String This is a mandatory parameter, except for the CMP Identity (OCCM) certificate, where it is optional because it is auto-populated from the issuer.

Kubernetes secret namespace
csr.certK8sSecretOut.name String This is a mandatory parameter, except for the CMP Identity (OCCM) certificate, where it is optional because it is auto-populated from the issuer.

Kubernetes secret name
csr.certK8sSecretOut.key String This is a mandatory parameter, except for the CMP Identity (OCCM) certificate, where it is optional because it is auto-populated from the issuer.

Kubernetes secret key against which the certificate will be stored.
csr.certChainK8sSecretOut Object This is a mandatory parameter.

Certificate Chain output location.
csr.certChainK8sSecretOut.namespace String This is an optional parameter.

Kubernetes secret namespace
csr.certChainK8sSecretOut.name String This is a mandatory parameter.

Kubernetes secret name
csr.certChainK8sSecretOut.key String This is an optional parameter.

Kubernetes secret key against which the certificate chain will be stored.
csr.mergeCertAndChain boolean This is an optional parameter.

When set to true, the complete chain containing the leaf certificate and the intermediate CA certificates obtained from CA will be written in the Kubernetes secret against the configured key.

Default Value: false

nf String This is a mandatory parameter.

NF name
uuid String Unique id for logging and tracking purpose
overrideSecret boolean This is an optional parameter.

This flag is used to override the Kubernetes secret with new certificate.

Default Value: false

Possible values:

true

false

caBundleK8sSecretIn Object This is an optional parameter.

CA bundle secret input details. Used to trust peer entities.

caBundleK8sSecretIn.namespace String This is an optional parameter.

Kubernetes secret namespace
caBundleK8sSecretIn.name String This is an optional parameter.

Kubernetes secret name

caBundleK8sSecretIn.key String This is an optional parameter.

Kubernetes secret key against which CA bundle certificate(s) will be stored.

Table 2-11 OCCM Certificate Response Codes

Response codes Data type Cardinality Description
200 OK Object (Certs) Or List(Certs) 1 This is a mandatory parameter.

Object Certs Or List (CertConfig) matching criteria
201 CREATED Object (Certs) 1 This is a mandatory parameter.

Object Certs
202 Accepted String 1 This is a mandatory parameter.

Return uuid
400 Bad request Problem Details 1 This is a mandatory parameter.

Input does not match to process request
500 Internal Server Error Problem Details 1 This is a mandatory parameter.

Something went wrong
409 Conflict Problem Details 1 This is a mandatory parameter.

Record already exists

Note:

OCCM Certificates response body data model varies based on REST operation status.

OCCM Certificate JSON payload

{
    "name": "",
    "lcmType": "",
    "certType": "",
    "renewBefore": "",
    "certPurpose": "",
    "issuer": "",
    "privateKey": {
        "keyAlgo": "",
        "keySize": "",
        "keyEncoding": "",
        "ecCurve": "",
        "privateKeyK8sSecretOut": {
            "namespace": "",
            "name": "",
            "key": ""
        }
    },
    "csr": {
        "extendedKeyUsage": {
            "critical": "",
            "extendedKeyUsageValues": []
        },
        "keyUsage": {
            "critical": "",
            "keyUsageValues": []
        },
        "basicConstraints": {
            "critical": true,
            "basicConstraintsValue": ""
        },
        "subject": {
            "country": "",
            "state": "",
            "location": "",
            "organization": "",
            "organizationUnit": "",
            "commonName": ""
        },
        "days": "",
        "subjectAltName": {
            "critical": "",
            "ipAddress": [],
            "dns": [],
            "uriIdUrn": [],
            "uriIdApiRoot": []
        },
        "certK8sSecretOut": {
            "namespace": "",
            "name": "",
            "key": ""
        },
        "certChainK8sSecretOut": {
            "namespace": "",
            "name": "",
            "key": ""
        },
        "mergeCertAndChain": false
    },
    "caBundleK8sSecretIn": {
        "namespace": "",
        "name": "",
        "key": ""
    },
    "nf": "",
    "overrideSecret": false
}

2.2.1 Fetch all Certificate Configurations

OCCM uses the GET operation to fetch all the certificate configurations.

Resource URI: /occm-config/v1/certs

Table 2-12 Data structures supported by the GET Response Body on this resource

Response codes Data type Cardinality Description
200 OK Object (Certs) Or List(Certs) 1 This is a mandatory parameter.

List (CertConfig) matching criteria
500 Internal Server Error Problem Details 1 This is a mandatory parameter.

Something went wrong
Sample GET Request:
$ curl --location --request GET 'http://{host}:{port}/occm-config/v1/certs' \
--header 'Oc-Cncc-Id: Cluster1' \
--header 'Oc-Cncc-Instance-Id: Cluster1-OCCM-instance1' \
--header 'Authorization: Bearer eyJhbGciOiJSU.…...'
Sample GET Response:
200 OK Response Body:  '[
    {
    "uuid": "b4d896ac-689d-4e12-a76c-54c8de4ffe52",           
	"name": "NRFTLS12",
     "lcmType": "AUTOMATIC",
     "certType": "OTHER",
     "renewBefore": "7",
     "certPurpose": "NRF SBI",
     "issuer": "CA21",
     "privateKey": {
         "keyAlgo": "RSA",
         "keySize": "KEYSIZE_2048",
         "keyEncoding": "PEM",
         "ecCurve":"",
         "privateKeyK8sSecretOut": {
             "namespace": "occm",
             "name": "nrf-tls-secret-54",
             "key": "nrf.pem"
     }
     },
    "csr": {
         "extendedKeyUsage": {
             "critical" :  false,
             "extendedKeyUsageValues" : [
                 "CLIENT_AUTH",
                 "SERVER_AUTH"
         ]
         },
        "keyUsage": {
             "critical" : true,
             "keyUsageValues" : [
                "DIGITAL_SIGNATURE"

             ]

    },
         "basicConstraints": {
             "critical" : true,
             "basicConstraintsValue" : "END_ENTITY"
         },
         "subject": {
             "country": "IN",
             "state": "Karnataka",
             "location": "Bengaluru",
             "organization": "Oracle",
             "organizationUnit": "OracleBU",
             "commonName": "some.example.com"
         },
         "days": "365",
         "subjectAltName": {
             "critical" : null,
             "ipAddress": [
                 "10.10.10.13",
                 "10.10.10.14"
             ],
             "dns": [
                 "centos8-2.example.com",
                 "centos8-3.example.com"
             ],
             "uriIdUrn": [
                 "urn:uuid:f81d4fae-7dec-11d0-a765-00a0c91e6bf6"
             ],
             "uriIdApiRoot": [
             ]
         },
      "certK8sSecretOut": {
         "namespace": "occm",
         "name": "nrf-tls-secret-54",
         "key": "nrf.cer"
     },
     "certChainK8sSecretOut": {
         "namespace": "occm",
         "name": "nrf-tls-secret-54",
         "key": "nrfcertchain.cer"
     }, 
         "mergeCertAndChain" : false
     },

     "caBundleK8sSecretIn": {
         "namespace": "occm",
         "name": "nrf-cabu",
         "key": "cabundle.cer"
     },

     "nf": "NRF",
     "overrideSecret": false
 } ]'

2.2.2 Fetch Certificate Configurations by UUID

OCCM uses the GET operation to fetch the certificate configuration details by UUID.

Resource URI: /occm-config/v1/certs/{uuid}

Table 2-13 Path Parameter

Name Data Type Mandatory (M) or Optional (O) Cardinality Description
uuid String M 1 Fetches Certificate configuration for given UUID

Table 2-14 Data structures supported by the GET Response Body on this resource

Response codes Data type Cardinality Description
404 Not Found Problem Details 1 This is a mandatory parameter.

Input does not match to process request
200 OK Object (Certs) 1 This is a mandatory parameter.

Object (CertConfig) matching criteria
500 Internal Server Error Problem Details 1 This is a mandatory parameter.

Something went wrong
400 Bad Request Problem Details 1 This is a mandatory parameter.

wrong Input
Sample GET Request:
$ curl --location --request GET 'http://{host}:{port}/occm-config/v1/certs/b4d896ac-689d-4e12-a76c-54c8de4ffe52' \
--header 'Oc-Cncc-Id: Cluster1' \
--header 'Oc-Cncc-Instance-Id: Cluster1-OCCM-instance1' \
--header 'Authorization: Bearer eyJhbGciOiJSU.…'
Sample Get Response:
200 OK Response Body: '{
    "uuid": "b4d896ac-689d-4e12-a76c-54c8de4ffe52",       
	"name": "NRFTLS12",
     "lcmType": "AUTOMATIC",
     "certType": "OTHER",
     "renewBefore": "7",
     "certPurpose": "NRF SBI",
     "issuer": "CA21",
     "privateKey": {
         "keyAlgo": "RSA",
         "keySize": "KEYSIZE_2048",
         "keyEncoding": "PEM",
         "ecCurve":"",
         "privateKeyK8sSecretOut": {
             "namespace": "occm",
             "name": "nrf-tls-secret-54",
             "key": "nrf.pem"
     }
     },
    "csr": {
         "extendedKeyUsage": {
             "critical" :  false,
             "extendedKeyUsageValues" : [
                 "CLIENT_AUTH",
                 "SERVER_AUTH"
         ]
         },
        "keyUsage": {
             "critical" : true,
             "keyUsageValues" : [
            "DIGITAL_SIGNATURE" 

             ]

    },
         "basicConstraints": {
             "critical" : true,
             "basicConstraintsValue" : "END_ENTITY"
         },
         "subject": {
             "country": "IN",
             "state": "Karnataka",
             "location": "Bengaluru",
             "organization": "Oracle",
             "organizationUnit": "OracleBU",
             "commonName": "some.example.com"
         },
         "days": "365",
         "subjectAltName": {
             "critical" : null,
             "ipAddress": [
                 "10.10.10.13",
                 "10.10.10.14"
             ],
             "dns": [
                 "centos8-2.example.com",
                 "centos8-3.example.com"
             ],
             "uriIdUrn": [
                 "urn:uuid:f81d4fae-7dec-11d0-a765-00a0c91e6bf6"
             ],
             "uriIdApiRoot": [
             ]
         },
      "certK8sSecretOut": {
         "namespace": "occm",
         "name": "nrf-tls-secret-54",
         "key": "nrf.cer"
     },
     "certChainK8sSecretOut": {
         "namespace": "occm",
         "name": "nrf-tls-secret-54",
         "key": "nrfcertchain.cer"
     },
         "mergeCertAndChain" : false
     },

     "caBundleK8sSecretIn": {
         "namespace": "occm",
         "name": "nrf-cabu",
         "key": "cabundle.cer"
     },

     "nf": "NRF",
     "overrideSecret": false
 }'

2.2.3 Add Certificate Configurations

OCCM uses the POST operation to add the certificate configuration using the Request Body.

Resource URI: /occm-config/v1/certs

Table 2-15 Data structures supported by the POST Response Body on this resource

Response codes Data type Cardinality Description
202 Accepted Object (Certs) 1 This is a mandatory parameter.

Unique identification of certs
400 BAD REQUEST Problem Details 1 This is a mandatory parameter.

Returns Problem Details structure as defined in 3GPP TS 29.571 section 5.2.4.1
409 CONFLICT Problem Details 1 This is a mandatory parameter.

Record already exists
Sample POST request:
$ curl --location --request POST 'http://{host}:{port}/occm-config/v1/certs' \
--header 'Oc-Cncc-Id: Cluster1' \
--header 'Oc-Cncc-Instance-Id: Cluster1-OCCM-instance1' \
--header 'Authorization: Bearer eyJhbGciOiJSUzI1NiIsInR5cCIgOisG_L6HnBo9IIGc4g' \
--header 'Content-Type: application/json' \
--data-raw '{       
     "name": "NRFTLS12",
     "lcmType": "AUTOMATIC",
     "certType": "OTHER",
     "renewBefore": "7",
     "certPurpose": "NRF SBI",
     "issuer": "CA21",
     "privateKey": {
         "keyAlgo": "RSA",
         "keySize": "KEYSIZE_2048",
         "keyEncoding": "PEM",
         "ecCurve":"",
         "privateKeyK8sSecretOut": {
             "namespace": "occm",
             "name": "nrf-tls-secret-54",
             "key": "nrf.pem"
     }
     },
    "csr": {
         "extendedKeyUsage": {
             "critical" :  false,
             "extendedKeyUsageValues" : [
                 "CLIENT_AUTH",
                 "SERVER_AUTH"
         ]
         },
        "keyUsage": {
             "critical" : true,
             "keyUsageValues" : [
           "DIGITAL_SIGNATURE"          
        ]

    },
         "basicConstraints": {
             "critical" : true,
             "basicConstraintsValue" : "END_ENTITY"
         },
         "subject": {
             "country": "IN",
             "state": "Karnataka",
             "location": "Bengaluru",
             "organization": "Oracle",
             "organizationUnit": "OracleBU",
             "commonName": "some.example.com"
         },
         "days": "365",
         "subjectAltName": {
             "critical" : null,
             "ipAddress": [
                 "10.10.10.13",
                 "10.10.10.14"
             ],
             "dns": [
                 "centos8-2.example.com",
                 "centos8-3.example.com"
             ],
             "uriIdUrn": [
                 "urn:uuid:f81d4fae-7dec-11d0-a765-00a0c91e6bf6"
             ],
             "uriIdApiRoot": [
             ]
         },
      "certK8sSecretOut": {
         "namespace": "occm",
         "name": "nrf-tls-secret-54",
         "key": "nrf.cer"
     },
     "certChainK8sSecretOut": {
         "namespace": "occm",
         "name": "nrf-tls-secret-54",
         "key": "nrfcertchain.cer"
     } ,
         "mergeCertAndChain" : false
     },

     "caBundleK8sSecretIn": {
         "namespace": "occm",
         "name": "nrf-cabu",
         "key": "cabundle.cer"
     },

     "nf": "NRF",
     "overrideSecret": false
 }' 
Sample POST Response:
202 Accepted Response Body: '{
    "uuid": "b4d896ac-689d-4e12-a76c-54c8de4ffe52",       
	"name": "NRFTLS12",
     "lcmType": "AUTOMATIC",
     "certType": "OTHER",
     "renewBefore": "7",
     "certPurpose": "NRF SBI",
     "issuer": "CA21",
     "privateKey": {
         "keyAlgo": "RSA",
         "keySize": "KEYSIZE_2048",
         "keyEncoding": "PEM",
         "ecCurve":"",
         "privateKeyK8sSecretOut": {
             "namespace": "occm",
             "name": "nrf-tls-secret-54",
             "key": "nrf.pem"
     }
     },
    "csr": {
         "extendedKeyUsage": {
             "critical" :  false,
             "extendedKeyUsageValues" : [
                 "CLIENT_AUTH",
                 "SERVER_AUTH"
         ]
         },
        "keyUsage": {
             "critical" : true,
             "keyUsageValues" : [
               "DIGITAL_SIGNATURE" 
             ]

    },
         "basicConstraints": {
             "critical" : true,
             "basicConstraintsValue" : "END_ENTITY"
         },
         "subject": {
             "country": "IN",
             "state": "Karnataka",
             "location": "Bengaluru",
             "organization": "Oracle",
             "organizationUnit": "OracleBU",
             "commonName": "some.example.com"
         },
         "days": "365",
         "subjectAltName": {
             "critical" : null,
             "ipAddress": [
                 "10.10.10.13",
                 "10.10.10.14"
             ],
             "dns": [
                 "centos8-2.example.com",
                 "centos8-3.example.com"
             ],
             "uriIdUrn": [
                 "urn:uuid:f81d4fae-7dec-11d0-a765-00a0c91e6bf6"
             ],
             "uriIdApiRoot": [
             ]
         },
      "certK8sSecretOut": {
         "namespace": "occm",
         "name": "nrf-tls-secret-54",
         "key": "nrf.cer"
     },
     "certChainK8sSecretOut": {
         "namespace": "occm",
         "name": "nrf-tls-secret-54",
         "key": "nrfcertchain.cer"
     } ,
         "mergeCertAndChain" : false
     },

     "caBundleK8sSecretIn": {
         "namespace": "occm",
         "name": "nrf-cabu",
         "key": "cabundle.cer"
     },

     "nf": "NRF",
     "overrideSecret": false
 }'
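
A pre-flight check of a certificate payload against the enumerations and ranges in Table 2-10, so that values such as a renewBefore that is not below csr.days are caught before the POST. This is an added example, not Oracle's code or OCCM's own validation; the function names, the finding strings, and the KEYSIZE_1024 and KEY_CERT_SIGN values in the constructed bad payload are assumptions for illustration.

```python
import copy

# Enumerations and limits transcribed from Table 2-10 of this chapter.
LCM_TYPES, CERT_TYPES = {"AUTOMATIC", "MANUAL"}, {"OCCM", "OTHER"}
KEY_ALGOS, KEY_ENCODINGS = {"RSA", "EC"}, {"PEM", "DER"}
KEY_SIZES = {"KEYSIZE_2048", "KEYSIZE_4096"}
EC_CURVES = {"SECP256r1", "SECP384r1"}
EKU_VALUES = {"CLIENT_AUTH", "SERVER_AUTH"}
KU_VALUES = {"DIGITAL_SIGNATURE", "KEY_ENCIPHERMENT", "NON_REPUDIATION"}
DAYS_MIN, DAYS_MAX, RENEW_DEFAULT = 2, 1096, 14  # csr.days range; renewBefore default
SECRET_FIELDS = ("namespace", "name", "key")


def _enum(findings, path, value, allowed, optional=False):
    """Record a finding unless value is allowed (or empty and optional)."""
    if not (optional and value in (None, "")) and value not in allowed:
        findings.append(f"{path}: {value!r} not in {sorted(allowed)}")


def _required(findings, path, obj, fields):
    """Record a finding for every listed field that is missing or empty."""
    for field in fields:
        if not (obj or {}).get(field):
            findings.append(f"{path}{field}: mandatory, but empty")


def validate_cert_config(cfg):
    """Return findings for one certificate payload; [] means it passes."""
    findings = []
    key = cfg.get("privateKey") or {}
    csr = cfg.get("csr") or {}
    _required(findings, "", cfg, ("name", "issuer", "nf"))
    _enum(findings, "lcmType", cfg.get("lcmType"), LCM_TYPES)
    _enum(findings, "certType", cfg.get("certType"), CERT_TYPES)
    _enum(findings, "privateKey.keyAlgo", key.get("keyAlgo"), KEY_ALGOS)
    _enum(findings, "privateKey.keyEncoding", key.get("keyEncoding"), KEY_ENCODINGS)
    # keySize/ecCurve are optional; keyFormat is absent from the samples, so unchecked.
    if key.get("keyAlgo") == "RSA":
        _enum(findings, "privateKey.keySize", key.get("keySize"), KEY_SIZES, optional=True)
    elif key.get("keyAlgo") == "EC":
        _enum(findings, "privateKey.ecCurve", key.get("ecCurve"), EC_CURVES, optional=True)
    # For certType OCCM these output locations are auto-populated from the issuer.
    if cfg.get("certType") != "OCCM":
        _required(findings, "privateKey.privateKeyK8sSecretOut.",
                  key.get("privateKeyK8sSecretOut"), SECRET_FIELDS)
        _required(findings, "csr.certK8sSecretOut.", csr.get("certK8sSecretOut"), SECRET_FIELDS)
    _required(findings, "csr.certChainK8sSecretOut.", csr.get("certChainK8sSecretOut"), ("name",))
    for ext, field, allowed in (("extendedKeyUsage", "extendedKeyUsageValues", EKU_VALUES),
                                ("keyUsage", "keyUsageValues", KU_VALUES)):
        values = (csr.get(ext) or {}).get(field) or []
        if not values:
            findings.append(f"csr.{ext}.{field}: mandatory, but empty")
        for value in values:
            _enum(findings, f"csr.{ext}.{field}", value, allowed)
    bc = (csr.get("basicConstraints") or {}).get("basicConstraintsValue")
    _enum(findings, "csr.basicConstraints.basicConstraintsValue", bc, {"END_ENTITY"}, optional=True)
    try:
        days = int(csr.get("days") or "")
        renew = int(cfg.get("renewBefore") or RENEW_DEFAULT)
    except (TypeError, ValueError):
        findings.append("csr.days (mandatory) / renewBefore: not a whole number of days")
        return findings
    if not DAYS_MIN <= days <= DAYS_MAX:
        findings.append(f"csr.days: {days} outside {DAYS_MIN}..{DAYS_MAX}")
    if not 1 <= renew <= days - 1:
        findings.append(f"renewBefore: {renew} outside 1..{days - 1} (csr.days - 1)")
    return findings


# Abridged copy of the sample POST body in section 2.2.3.
SAMPLE = {
    "name": "NRFTLS12", "lcmType": "AUTOMATIC", "certType": "OTHER",
    "renewBefore": "7", "issuer": "CA21", "nf": "NRF",
    "privateKey": {
        "keyAlgo": "RSA", "keySize": "KEYSIZE_2048", "keyEncoding": "PEM", "ecCurve": "",
        "privateKeyK8sSecretOut": {"namespace": "occm", "name": "nrf-tls-secret-54", "key": "nrf.pem"},
    },
    "csr": {
        "extendedKeyUsage": {"critical": False, "extendedKeyUsageValues": ["CLIENT_AUTH", "SERVER_AUTH"]},
        "keyUsage": {"critical": True, "keyUsageValues": ["DIGITAL_SIGNATURE"]},
        "basicConstraints": {"critical": True, "basicConstraintsValue": "END_ENTITY"}, "days": "365",
        "certK8sSecretOut": {"namespace": "occm", "name": "nrf-tls-secret-54", "key": "nrf.cer"},
        "certChainK8sSecretOut": {"namespace": "occm", "name": "nrf-tls-secret-54", "key": "nrfcertchain.cer"},
    },
}


def constructed_bad_payload():
    """SAMPLE with four constructed violations of Table 2-10."""
    bad = copy.deepcopy(SAMPLE)
    bad["renewBefore"] = "365"                     # limit is csr.days - 1
    bad["privateKey"]["keySize"] = "KEYSIZE_1024"  # not an allowed value
    bad["csr"]["keyUsage"]["keyUsageValues"] = ["KEY_CERT_SIGN"]
    bad["csr"]["certChainK8sSecretOut"]["name"] = ""
    return bad


if __name__ == "__main__":
    print("\n".join(validate_cert_config(constructed_bad_payload())))
```
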

2.2.4 Recreate Certificates

OCCM uses the PUT operation to recreate a certificate from the existing certificate configuration identified by its certificate UUID. You can recreate any certificate that was created successfully and whose status is READY, EXPIRED, or FAILED. The certificate configuration must exist in OCCM when the recreate request is triggered. This enhances OCCM's usability in managing certificate lifecycle operations. For example, if a certificate has been deleted, revoked, or has expired, the operator can recreate it using the existing configuration.

Resource URI: /occm-config/v1/certs/{uuid}/recreate

Table 2-16 Path Parameter

Name Data type Mandatory (M) or Optional (O) Cardinality Description
uuid String O 1 Certificate uuid

Table 2-17 Data structures supported by the PUT Response Body on this resource

Response codes Data Type Cardinality Description
202 Accepted Object (Certificates) 1 This is a mandatory parameter.

Unique Certificate Identity.
404 Not Found Problem Details 1 This is a mandatory parameter.

Certificate not found against the uuid. Returns Problem Details structure as defined in 3GPP TS 29.571 section 5.2.4.1

409 Conflict Problem Details 1 This is a mandatory parameter.

Recreate is already in process for the uuid. Returns Problem Details structure as defined in 3GPP TS 29.571 section 5.2.4.1

Sample PUT Request:
curl --location --request PUT 'http://{host}:{port}/occm-config/v1/certs/9983d728-c618-41c3-b7f9-530d00fb7ab1/recreate' \
--header 'oc-cncc-id: Cluster1' \
--header 'oc-cncc-instance-id: Cluster1-occm-instance1' \
--header 'Authorization: Bearer eyJhbGciO........95adDrLUfcAQ'
Sample Response:
202 Accepted Response Body: '{
    "uuid": "9983d728-c618-41c3-b7f9-530d00fb7ab1",
    "name": "NRF-TLS-1",
    "lcmType": "AUTOMATIC",
    "certType": "OTHER",
    "renewBefore": "15",
    "certPurpose": "NRF SBI",
    "issuer": "CA1",
    "privateKey": {
        "keyAlgo": "EC",
        "keySize": null,
        "keyEncoding": "DER",
        "ecCurve": "SECP256r1",
        "keyFormat": null,
        "privateKeyK8sSecretOut": {
            "namespace": "ns1",
            "name": "nrf-tls-secret",
            "key": "nrfkey.pem"
        }
    },
    "csr": {
        "extendedKeyUsage": {
            "critical": false,
            "extendedKeyUsageValues": [
                "CLIENT_AUTH",
                "SERVER_AUTH"
            ]
        },
        "keyUsage": {
            "critical": false,
            "keyUsageValues": [
                "DIGITAL_SIGNATURE",
                "KEY_ENCIPHERMENT"
            ]
        },
        "basicConstraints": {
            "critical": false,
            "basicConstraintsValue": "END_ENTITY"
        },
        "subject": {
            "country": "IN",
            "state": "KA",
            "location": "BLR",
            "organization": "Oracle",
            "organizationUnit": "CGBU",
            "commonName": "occm"
        },
        "days": "365",
        "subjectAltName": {
            "critical": false,
            "ipAddress": [
                "10.10.10.13",
                "10.10.10.14"
            ],
            "dns": [
                "centos8-2.example.com",
                "centos8-3.example.com"
            ],
            "uriIdApiRoot": null,
            "uriIdUrn": [
                "urn:uuid:f81d4fae-7dec-11d0-a765-00a0c91e6bf6"
            ]
        },
        "certK8sSecretOut": {
            "namespace": "ns1",
            "name": "nrf-tls-secret",
            "key": "nrf.cer"
        },
        "certChainK8sSecretOut": {
            "namespace": "ns1",
            "name": "nrf-tls-secret",
            "key": "nrfcertchain.cer"
        },
        "mergeCertAndChain": false
    },
    "caBundleK8sSecretIn": {
        "namespace": "",
        "name": "",
        "key": ""
    },
    "nf": "NRF",
    "overrideSecret": false
}'

2.2.5 Edit Certificates

OCCM uses the PUT operation to update an existing certificate identified by its certificate UUID. It is only supported for end entity certificates.

Resource URI: /occm-config/v1/certs/{uuid}

Table 2-18 Path Parameter

Name Data type Mandatory (M) or Optional (O) Cardinality Description
uuid String M 1 Certificate uuid

Data structures supported by the PUT Response Body in this resource

Response codes Data type Cardinality Description
202 Accepted Object (Certs) 1 This is a mandatory parameter. Unique Certificate Identity.
404 Not Found Problem Details 1 This is a mandatory parameter. Certificate not found against the uuid. Returns Problem Details structure as defined in 3GPP TS 29.571 section 5.2.4.1
400 Bad Request Problem Details 1 This is a mandatory parameter. Invalid configuration. Returns Problem Details structure as defined in 3GPP TS 29.571 section 5.2.4.1
409 Conflict Problem Details 1 This is a mandatory parameter. Edit is already in process for the uuid. Returns Problem Details structure as defined in 3GPP TS 29.571 section 5.2.4.1

Sample PUT Request:
curl --location --request PUT 'http://{host}:{port}/occm-config/v1/certs/9983d728-c618-41c3-b7f9-530d00fb7ab1' \
--header 'oc-cncc-id: Cluster1' \
--header 'oc-cncc-instance-id: Cluster1-occm-instance1' \
--header 'Authorization: Bearer eyJhbGciO........95adDrLUfcAQ' \
--header 'Content-Type: application/json' \
--data-raw '{
    "uuid": "9983d728-c618-41c3-b7f9-530d00fb7ab1",
    "name": "NRF-TLS-1",
    "lcmType": "AUTOMATIC",
    "certType": "OTHER",
    "renewBefore": "15",
    "certPurpose": "NRF SBI",
    "issuer": "CA1",
    "privateKey": {
        "keyAlgo": "EC",
        "keySize": null,
        "keyEncoding": "DER",
        "ecCurve": "SECP256r1",
        "keyFormat": null,
        "privateKeyK8sSecretOut": {
            "namespace": "ns1",
            "name": "nrf-tls-secret",
            "key": "nrfkey.pem"
        }
    },
    "csr": {
        "extendedKeyUsage": {
            "critical": false,
            "extendedKeyUsageValues": [
                "CLIENT_AUTH",
                "SERVER_AUTH"
            ]
        },
        "keyUsage": {
            "critical": false,
            "keyUsageValues": [
                "DIGITAL_SIGNATURE",
                "KEY_ENCIPHERMENT"
            ]
        },
        "basicConstraints": {
            "critical": false,
            "basicConstraintsValue": "END_ENTITY"
        },
        "subject": {
            "country": "IN",
            "state": "KA",
            "location": "BLR",
            "organization": "Oracle",
            "organizationUnit": "CGBU",
            "commonName": "occm"
        },
        "days": "365",
        "subjectAltName": {
            "critical": false,
            "ipAddress": [
                "10.10.10.13",
                "10.10.10.14"
            ],
            "dns": [
                "centos8-2.example.com",
                "centos8-3.example.com"
            ],
            "uriIdApiRoot": null,
            "uriIdUrn": [
                "urn:uuid:f81d4fae-7dec-11d0-a765-00a0c91e6bf6"
            ]
        },
        "certK8sSecretOut": {
            "namespace": "ns1",
            "name": "nrf-tls-secret",
            "key": "nrf.cer"
        },
        "certChainK8sSecretOut": {
            "namespace": "ns1",
            "name": "nrf-tls-secret",
            "key": "nrfcertchain.cer"
        },
        "mergeCertAndChain": false
    },
    "caBundleK8sSecretIn": {
        "namespace": "",
        "name": "",
        "key": ""
    },
    "nf": "NRF",
    "overrideSecret": false
}'
Sample Response:
202 Accepted Response Body: '{
    "uuid": "9983d728-c618-41c3-b7f9-530d00fb7ab1",
    "name": "NRF-TLS-1",
    "lcmType": "AUTOMATIC",
    "certType": "OTHER",
    "renewBefore": "15",
    "certPurpose": "NRF SBI",
    "issuer": "CA1",
    "privateKey": {
        "keyAlgo": "EC",
        "keySize": null,
        "keyEncoding": "DER",
        "ecCurve": "SECP256r1",
        "keyFormat": null,
        "privateKeyK8sSecretOut": {
            "namespace": "ns1",
            "name": "nrf-tls-secret",
            "key": "nrfkey.pem"
        }
    },
    "csr": {
        "extendedKeyUsage": {
            "critical": false,
            "extendedKeyUsageValues": [
                "CLIENT_AUTH",
                "SERVER_AUTH"
            ]
        },
        "keyUsage": {
            "critical": false,
            "keyUsageValues": [
                "DIGITAL_SIGNATURE",
                "KEY_ENCIPHERMENT"
            ]
        },
        "basicConstraints": {
            "critical": false,
            "basicConstraintsValue": "END_ENTITY"
        },
        "subject": {
            "country": "IN",
            "state": "KA",
            "location": "BLR",
            "organization": "Oracle",
            "organizationUnit": "CGBU",
            "commonName": "occm"
        },
        "days": "365",
        "subjectAltName": {
            "critical": false,
            "ipAddress": [
                "10.10.10.13",
                "10.10.10.14"
            ],
            "dns": [
                "centos8-2.example.com",
                "centos8-3.example.com"
            ],
            "uriIdApiRoot": null,
            "uriIdUrn": [
                "urn:uuid:f81d4fae-7dec-11d0-a765-00a0c91e6bf6"
            ]
        },
        "certK8sSecretOut": {
            "namespace": "ns1",
            "name": "nrf-tls-secret",
            "key": "nrf.cer"
        },
        "certChainK8sSecretOut": {
            "namespace": "ns1",
            "name": "nrf-tls-secret",
            "key": "nrfcertchain.cer"
        },
        "mergeCertAndChain": false
    },
    "caBundleK8sSecretIn": {
        "namespace": "",
        "name": "",
        "key": ""
    },
    "nf": "NRF",
    "overrideSecret": false
}'
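
A pre-flight check for the edit request above, as an added example that is not part of this guide or of OCCM: it diffs the proposed PUT body against the stored certificate object and marks changes to fields that this example treats as security-sensitive. The SENSITIVE_PREFIXES list and the trimmed sample objects are assumptions constructed for the example.

```python
import copy

# Assumption of this example: paths whose change alters trust, key material or
# where secrets are written. OCCM defines no such list; adjust to local policy.
SENSITIVE_PREFIXES = (
    "issuer", "privateKey.", "csr.keyUsage.", "csr.extendedKeyUsage.",
    "csr.basicConstraints.", "csr.subjectAltName.", "csr.certK8sSecretOut.",
    "csr.certChainK8sSecretOut.", "caBundleK8sSecretIn.", "overrideSecret",
)
_MISSING = object()


def flatten(obj, prefix=""):
    """Yield (dotted.path, value) per leaf; lists and empty dicts are leaves."""
    if isinstance(obj, dict) and obj:
        for key, value in obj.items():
            yield from flatten(value, f"{prefix}{key}.")
    else:
        yield prefix.rstrip("."), obj


def diff_edit(current, proposed):
    """Return the field changes a PUT of `proposed` would make to `current`."""
    if current.get("uuid") != proposed.get("uuid"):
        raise ValueError("body uuid does not match the stored certificate")
    old, new = dict(flatten(current)), dict(flatten(proposed))
    changes = []
    for path in sorted(set(old) | set(new)):
        before, after = old.get(path, _MISSING), new.get(path, _MISSING)
        if before != after:
            changes.append({
                "path": path,
                "old": None if before is _MISSING else before,
                "new": None if after is _MISSING else after,
                "sensitive": path.startswith(SENSITIVE_PREFIXES),
            })
    return changes


# Constructed input: a trimmed copy of the certificate object shown above.
CURRENT = {
    "uuid": "9983d728-c618-41c3-b7f9-530d00fb7ab1",
    "name": "NRF-TLS-1",
    "renewBefore": "15",
    "issuer": "CA1",
    "privateKey": {"keyAlgo": "EC", "ecCurve": "SECP256r1"},
    "csr": {
        "subjectAltName": {
            "dns": ["centos8-2.example.com", "centos8-3.example.com"],
        },
        "certK8sSecretOut": {
            "namespace": "ns1", "name": "nrf-tls-secret", "key": "nrf.cer",
        },
    },
    "overrideSecret": False,
}

# Constructed edit: a longer renewal window plus one extra SAN entry.
PROPOSED = copy.deepcopy(CURRENT)
PROPOSED["renewBefore"] = "30"
PROPOSED["csr"]["subjectAltName"]["dns"].append("centos8-4.example.com")

if __name__ == "__main__":
    for change in diff_edit(CURRENT, PROPOSED):
        flag = "REVIEW" if change["sensitive"] else "ok"
        print(f'{flag:6} {change["path"]}: {change["old"]!r} -> {change["new"]!r}')
```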

2.2.6 Delete Certificate Configuration Data

OCCM uses the DELETE operation to delete the certificate configuration data based on certificate UUID.

Resource URI: /occm-config/v1/certs/{uuid}

Table 2-19 Path Parameter

Name Data type Mandatory (M) or Optional (O) Cardinality Description
uuid String M 1 Unique identification of certificates.

Table 2-20 Data structures supported by the DELETE Response Body on this resource

Data type Mandatory (M) or Optional (O) Cardinality Response codes Description
Object (Certificates) M 1 202 ACCEPTED This is a mandatory parameter. Certificate configuration data
Problem Details M 1 404 Not Found This is a mandatory parameter. Certificate not found against the UUID

Sample DELETE Request:
$ curl --location --request DELETE 'http://{host}:{port}/occm-config/v1/certs/b4d896ac-689d-4e12-a76c-54c8de4ffe52' \
--header 'Oc-Cncc-Id: Cluster1' \
--header 'Oc-Cncc-Instance-Id: Cluster1-OCCM-instance1' \
--header 'Authorization: Bearer eyJhbGciOiJSUzI1Ni.…'  
Sample Response:
202 ACCEPTED Response Body: '{
    "uuid": "b4d896ac-689d-4e12-a76c-54c8de4ffe52",
    "name": "NRFTLS12",
    "lcmType": "AUTOMATIC",
    "certType": "OTHER",
    "renewBefore": "7",
    "certPurpose": "NRF SBI",
    "issuer": "CA21",
    "privateKey": {
        "keyAlgo": "RSA",
        "keySize": "KEYSIZE_2048",
        "keyEncoding": "PEM",
        "ecCurve": "",
        "privateKeyK8sSecretOut": {
            "namespace": "occm",
            "name": "nrf-tls-secret-54",
            "key": "nrf.pem"
        }
    },
    "csr": {
        "extendedKeyUsage": {
            "critical": false,
            "extendedKeyUsageValues": [
                "CLIENT_AUTH",
                "SERVER_AUTH"
            ]
        },
        "keyUsage": {
            "critical": true,
            "keyUsageValues": [
                "DIGITAL_SIGNATURE"
            ]
        },
        "basicConstraints": {
            "critical": true,
            "basicConstraintsValue": "END_ENTITY"
        },
        "subject": {
            "country": "IN",
            "state": "Karnataka",
            "location": "Bengaluru",
            "organization": "Oracle",
            "organizationUnit": "OracleBU",
            "commonName": "some.example.com"
        },
        "days": "365",
        "subjectAltName": {
            "critical": null,
            "ipAddress": [
                "10.10.10.13",
                "10.10.10.14"
            ],
            "dns": [
                "centos8-2.example.com",
                "centos8-3.example.com"
            ],
            "uriIdUrn": [
                "urn:uuid:f81d4fae-7dec-11d0-a765-00a0c91e6bf6"
            ],
            "uriIdApiRoot": []
        },
        "certK8sSecretOut": {
            "namespace": "occm",
            "name": "nrf-tls-secret-54",
            "key": "nrf.cer"
        },
        "certChainK8sSecretOut": {
            "namespace": "occm",
            "name": "nrf-tls-secret-54",
            "key": "nrfcertchain.cer"
        },
        "mergeCertAndChain": false
    },
    "caBundleK8sSecretIn": {
        "namespace": "occm",
        "name": "nrf-cabu",
        "key": "cabundle.cer"
    },
    "nf": "NRF",
    "overrideSecret": false
}'

2.2.7 OCCM Certificate Bulk Migrate

Certificate Bulk Migrate Data Model

Table 2-21 OCCM Certificates Bulk Migrate Request Parameters

Field Name Data Type Description
uuid String This is an optional parameter. Unique identifier for each Bulk Certificate Migration. This must be kept empty in the request.
sourceIssuerName String This is a mandatory parameter. Name of the issuer whose linked certificates are migrated.
destinationIssuerName String This is a mandatory parameter. Name of the issuer to which the certificates are migrated.
bulkMigrateInitiatedOnCerts List<Object> This is an optional parameter. List of certificates which will be migrated from source to destination issuer. This must be kept empty in the request.
bulkMigrateSkippedOnCerts List<Object> This is an optional parameter. List of certificates on which the migration is skipped because the certificate status is other than ready, expired, or another recreate is in process. This must be kept empty in the request.

Table 2-22 OCCM Certificates Bulk Migrate Response Codes

Response codes Data Type Cardinality Description
200 OK Object (Certificates Bulk Migrate) Or List (Certificates Bulk Migrate) 1 This is a mandatory parameter. Object (Certificates Bulk Migrate) Or List (Certificates Bulk Migrate) matching criteria.
202 Accepted Object (Certificates Bulk Migrate) 1 This is a mandatory parameter. Object (Certificates Bulk Migrate)
400 Bad request Problem Details 1 This is a mandatory parameter. Input does not match with the processed request
500 Internal Server Error Problem Details 1 This is a mandatory parameter. This is displayed when something goes wrong
409 Conflict Problem Details 1 This is a mandatory parameter. Bulk certificate migration already in process.

2.2.7.1 Fetch All the Certificate Bulk Migrate Configurations

Fetch All the Certs Bulk Migrate

OCCM uses the GET operation to fetch all the Certs Bulk Migrate.

Resource URI: /occm-config/v1/certs/bulk-migrate

Table 2-23 Path Parameter

Name Data type Mandatory (M) or Optional (O) Cardinality Description
uuid String M 1 Certificate Bulk Migrate uuid

Table 2-24 Data structures supported by the GET Response Body on this resource

Response codes Data type Cardinality Description
200 OK List (Certs Bulk Migrate) 1 This is a mandatory parameter. List (Certs Bulk Migrate) matching criteria
500 Internal Server Error Problem Details 1 This is a mandatory parameter. Something went wrong

Sample GET Request:
$ curl --location --request GET 'http://{host}:{port}/occm-config/v1/certs/bulk-migrate' \
--header 'Oc-Cncc-Id: Cluster1' \
--header 'Oc-Cncc-Instance-Id: Cluster1-OCCM-instance1' \
--header 'Authorization: Bearer eyJhbGciOiJSUzI1Ni'
Sample GET Response:
200 OK Response Body: '[{
        "uuid": "51e40d19-c195-4be1-aedd-ced93ded6b62",
        "sourceIssuerName": "CA1",
        "destinationIssuerName": "CA2",
        "bulkMigrateInitiatedOnCerts": [
            {
                "certUUID": "b7390498-dc44-4f2b-9f0c-86b67fb81c70",
                "certName": "NRF1"
            },
            {
                "certUUID": "134801cd-c7ef-4d0c-af52-49419128b981",
                "certName": "NRF2"
            },
            {
                "certUUID": "d57d19be-e2cd-4b65-a4f1-5bf26cd2be7d",
                "certName": "NRF3"
            }
        ],
        "bulkMigrateSkippedOnCerts": [] 
     },
      
    {
         "uuid": "89e40d19-c195-4be1-aedd-ced93ded6b62",
        "sourceIssuerName": "CA3",
        "destinationIssuerName": "CA4",
        "bulkMigrateInitiatedOnCerts": [
            {
                "certUUID": "a9390498-dc44-5e2b-9f0c-86b67fb81c70",
                "certName": "NRF4"
            },
            {
                "certUUID": "154801cd-c7ef-5e0c-af52-49419128b981",
                "certName": "NRF5"
            },
            {
                "certUUID": "d97d19be-e2cd-4b65-pqf1-5bf26cd2be7d",
                "certName": "NRF6"
            }
        ],
        "bulkMigrateSkippedOnCerts": []  
    }
    ]'

2.2.7.2 Fetch the Certificate Bulk Migrate Configurations by uuid

Fetch the Certificates Bulk Migrate by uuid

OCCM uses the GET operation to fetch a Certificates Bulk Migrate configuration by uuid.

Resource URI: /occm-config/v1/certs/bulk-migrate/{uuid}

URI path parameters supported by the GET method on this resource.

Table 2-25 Path Variable

Field Name Data Type Description
uuid String uuid of the Certificates Bulk Migrate.

Table 2-26 Data structures supported by the GET Response Body on this resource

Response codes Data Type Cardinality Description
200 OK Object (Certificates Bulk Migrate) 1 This is a mandatory parameter. Object (Certificates Bulk Migrate) matching criteria.
404 NOT FOUND Object (Certificates Bulk Migrate) 1 This is a mandatory parameter. Object (Certificates Bulk Migrate) not found against the uuid.
500 Internal Server Error Problem Details 1 This is a mandatory parameter. Something went wrong

Sample GET Request:
$ curl --location --request GET 'http://{host}:{port}/occm-config/v1/certs/bulk-migrate/51e40d19-c195-4be1-aedd-ced93ded6b62' \
--header 'Oc-Cncc-Id: Cluster1' \
--header 'Oc-Cncc-Instance-Id: Cluster1-OCCM-instance1' \
--header 'Authorization: Bearer eyJhbGciOiJSUzI1NiIs'
Sample GET Response:
200 OK Response Body: '{
        "uuid": "51e40d19-c195-4be1-aedd-ced93ded6b62",
        "sourceIssuerName": "CA1",
        "destinationIssuerName": "CA2",
        "bulkMigrateInitiatedOnCerts": [
            {
                "certUUID": "b7390498-dc44-4f2b-9f0c-86b67fb81c70",
                "certName": "NRF1"
            },
            {
                "certUUID": "134801cd-c7ef-4d0c-af52-49419128b981",
                "certName": "NRF2"
            },
            {
                "certUUID": "d57d19be-e2cd-4b65-a4f1-5bf26cd2be7d",
                "certName": "NRF3"
            }
        ],
        "bulkMigrateSkippedOnCerts": []
}'

2.2.7.3 Create the Certificate Bulk Migrate Configurations Using Request Body

Create Certs Bulk Migrate Using Request Body

OCCM uses the POST operation to create Certs Bulk Migrate using request body.

Resource URI: /occm-config/v1/certs/bulk-migrate

Table 2-27 Data structures supported by the POST Response Body on this resource

Response codes Data type Cardinality Description
202 ACCEPTED Object (Certs Bulk Migrate) 1 This is a mandatory parameter. Bulk certificate migration request is accepted.
400 BAD REQUEST Problem Details 1 This is a mandatory parameter. Input does not match with the processed request.
500 INTERNAL SERVER ERROR Problem Details 1 This is a mandatory parameter. Something went wrong

Sample POST Request:
$ curl --location --request POST 'http://{host}:{port}/occm-config/v1/certs/bulk-migrate' \
--header 'Oc-Cncc-Id: Cluster1' \
--header 'Oc-Cncc-Instance-Id: Cluster1-OCCM-instance1' \
--header 'Authorization: Bearer LxuLeX9di....hXDUcoFwDw' \
--header 'Content-Type: application/json' \
--data-raw '{
    "sourceIssuerName": "CA1",
    "destinationIssuerName": "CA2"
}'
Sample POST Response:
202 Success Response Body: '{
        "uuid": "51e40d19-c195-4be1-aedd-ced93ded6b62",
        "sourceIssuerName": "CA1",
        "destinationIssuerName": "CA2",
        "bulkMigrateInitiatedOnCerts": [
            {
                "certUUID": "b7390498-dc44-4f2b-9f0c-86b67fb81c70",
                "certName": "NRF1"
            },
            {
                "certUUID": "134801cd-c7ef-4d0c-af52-49419128b981",
                "certName": "NRF2"
            },
            {
                "certUUID": "d57d19be-e2cd-4b65-a4f1-5bf26cd2be7d",
                "certName": "NRF3"
            }
        ],
        "bulkMigrateSkippedOnCerts": []
}'
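
A reconciliation check for the bulk migrate request and response above, as an added example that is not part of this guide or of OCCM: it builds the POST body with only the two mandatory fields from Table 2-21 and then accounts for every certificate that a local inventory links to the source issuer. The inventory shape (uuid, name, issuer, as in the certificate samples on this page), the NRF7 and NRF8 entries, and the response with NRF3 moved to the skipped list are constructed for the example.

```python
def build_bulk_migrate_request(source_issuer, destination_issuer):
    """Build the POST body: only the two mandatory issuer names (Table 2-21)."""
    for field, value in (("sourceIssuerName", source_issuer),
                         ("destinationIssuerName", destination_issuer)):
        if not isinstance(value, str) or not value.strip():
            raise ValueError(f"{field} is mandatory")
    # uuid and the two certificate lists must be kept empty, so they are not sent.
    return {"sourceIssuerName": source_issuer,
            "destinationIssuerName": destination_issuer}


def reconcile(inventory, response):
    """Account for every certificate that was linked to the source issuer."""
    source = response["sourceIssuerName"]
    initiated = {c["certUUID"]: c["certName"]
                 for c in response.get("bulkMigrateInitiatedOnCerts") or []}
    skipped = {c["certUUID"]: c["certName"]
               for c in response.get("bulkMigrateSkippedOnCerts") or []}
    expected = {c["uuid"]: c["name"]
                for c in inventory if c.get("issuer") == source}
    reported = {**initiated, **skipped}
    return {
        "initiated": sorted(initiated.values()),
        # Skipped certificates were not migrated by this request.
        "skipped": sorted(skipped.values()),
        # Linked to the source issuer locally but absent from the response.
        "unaccounted": sorted(n for u, n in expected.items() if u not in reported),
        # Reported by OCCM but not in the local inventory for that issuer.
        "unexpected": sorted(n for u, n in reported.items() if u not in expected),
    }


# Constructed inventory captured before the migration. NRF7 and NRF8 and
# their UUIDs are made up for this example.
INVENTORY = [
    {"uuid": "b7390498-dc44-4f2b-9f0c-86b67fb81c70", "name": "NRF1", "issuer": "CA1"},
    {"uuid": "134801cd-c7ef-4d0c-af52-49419128b981", "name": "NRF2", "issuer": "CA1"},
    {"uuid": "d57d19be-e2cd-4b65-a4f1-5bf26cd2be7d", "name": "NRF3", "issuer": "CA1"},
    {"uuid": "00000000-0000-4000-8000-000000000007", "name": "NRF7", "issuer": "CA1"},
    {"uuid": "00000000-0000-4000-8000-000000000008", "name": "NRF8", "issuer": "CA2"},
]

# Constructed response: the sample above with NRF3 moved to the skipped list.
RESPONSE = {
    "uuid": "51e40d19-c195-4be1-aedd-ced93ded6b62",
    "sourceIssuerName": "CA1",
    "destinationIssuerName": "CA2",
    "bulkMigrateInitiatedOnCerts": [
        {"certUUID": "b7390498-dc44-4f2b-9f0c-86b67fb81c70", "certName": "NRF1"},
        {"certUUID": "134801cd-c7ef-4d0c-af52-49419128b981", "certName": "NRF2"},
    ],
    "bulkMigrateSkippedOnCerts": [
        {"certUUID": "d57d19be-e2cd-4b65-a4f1-5bf26cd2be7d", "certName": "NRF3"},
    ],
}

if __name__ == "__main__":
    print(build_bulk_migrate_request("CA1", "CA2"))
    for bucket, names in reconcile(INVENTORY, RESPONSE).items():
        print(f"{bucket}: {', '.join(names) or '-'}")
```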

2.2.7.4 Delete the Certificate Bulk Migrate Configurations by uuid

Delete the Certificates Bulk Migrate by uuid

OCCM uses the DELETE operation to delete the Certificates Bulk Migrate by uuid.

Resource URI: /occm-config/v1/certs/bulk-migrate/{uuid}

URI query parameters supported by the DELETE method on this resource.

Table 2-28 Query Parameters

Field Name Mandatory (M) or Optional (O) Cardinality Data Type Description
uuid O 1 String uuid of the Certificates Bulk Migrate configuration.

Table 2-29 Data structures supported by the DELETE Response Body on this resource

Response codes Data type Cardinality Description
200 OK Certificates Bulk Migrate 1 This is a mandatory parameter. Certificates Bulk Migrate configuration data.
400 Bad Request Problem Details 1 This is a mandatory parameter. Input does not match with the processed request.

Sample DELETE Request:
$ curl --location --request DELETE 'http://{host}:{port}/occm-config/v1/certs/bulk-migrate/51e40d19-c195-4be1-aedd-ced93ded6b62' \
--header 'Oc-Cncc-Id: Cluster1' \
--header 'Oc-Cncc-Instance-Id: Cluster1-OCCM-instance1' \
--header 'Authorization: Bearer eyJhbGciOi.......g-atjhQ'  
Sample DELETE Response:
200 OK Response Body: '{
        "uuid": "51e40d19-c195-4be1-aedd-ced93ded6b62",
        "sourceIssuerName": "CA1",
        "destinationIssuerName": "CA2",
        "bulkMigrateInitiatedOnCerts": [
            {
                "certUUID": "b7390498-dc44-4f2b-9f0c-86b67fb81c70",
                "certName": "NRF1"
            },
            {
                "certUUID": "134801cd-c7ef-4d0c-af52-49419128b981",
                "certName": "NRF2"
            },
            {
                "certUUID": "d57d19be-e2cd-4b65-a4f1-5bf26cd2be7d",
                "certName": "NRF3"
            }
        ],
        "bulkMigrateSkippedOnCerts": []
}'

2.3 OCCM Logging Resource

2.3.1 Fetch Logging Configuration for a Service

OCCM uses the GET operation to fetch the logging configuration for a service.

Resource URI: /occm-config/v1/occm/logging

Sample GET request:
curl --location --request GET 'http://{host}:{port}/occm-config/v1/occm/logging' \
--header 'oc-cncc-id: Cluster1' \
--header 'oc-cncc-instance-id: Cluster1-occm-instance1' \
--header 'Authorization: Bearer eyJhbGciOiJSUzI1NiI...' \
--data-raw ''
Sample Response:
200 OK Response Body: '{
    "appLogLevel": "INFO",
    "packageLogLevel": [
        {
            "packageName": "root",
            "logLevelForPackage": "ERROR"
        }
    ]
}'

2.3.2 Fetch Logging Configurations for All Services

OCCM uses the GET operation to fetch logging configurations for all services.

Resource URI: /occm-config/v1/all/logging

Sample GET Request:
curl --location --request GET 'http://{host}:{port}/occm-config/v1/all/logging' \
--header 'oc-cncc-id: Cluster1' \
--header 'oc-cncc-instance-id: Cluster1-occm-instance1' \
--header 'Authorization: Bearer eyJhbGciOiJSUzI1NiIsInR5cCIgOiAi...'
Sample Response:
200 OK Response Body: '[
    {
        "occm": "{\"appLogLevel\":\"INFO\",\"packageLogLevel\":[{\"packageName\":\"root\",\"logLevelForPackage\":\"ERROR\"}]}"
    }
]'
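
In the all-services response above, each service's configuration is a JSON document serialized as a string inside the outer JSON, so it must be decoded twice before it can be inspected. The following added example (not part of this guide or of OCCM) decodes that shape and reports where the running log levels differ from an operator-supplied baseline; the baseline values are constructed for the example.

```python
import json


def decode_all_logging(body):
    """Return {service: config} from the all-services logging response."""
    services = {}
    for entry in json.loads(body):
        for service, value in entry.items():
            # Each value is itself a JSON document serialized as a string.
            config = json.loads(value) if isinstance(value, str) else value
            if not isinstance(config, dict) or "appLogLevel" not in config:
                raise ValueError(f"unexpected logging config for {service!r}")
            services[service] = config
    return services


def _package_levels(config):
    """Map packageName to logLevelForPackage for one service config."""
    return {p["packageName"]: p["logLevelForPackage"]
            for p in config.get("packageLogLevel") or []}


def logging_drift(actual, baseline):
    """List (service, setting, expected, found) where actual differs."""
    findings = []
    for service, want in sorted(baseline.items()):
        have = actual.get(service)
        if have is None:
            findings.append((service, "<service>", "present", "missing"))
            continue
        if have["appLogLevel"] != want["appLogLevel"]:
            findings.append((service, "appLogLevel",
                             want["appLogLevel"], have["appLogLevel"]))
        want_pkgs, have_pkgs = _package_levels(want), _package_levels(have)
        for pkg in sorted(set(want_pkgs) | set(have_pkgs)):
            if want_pkgs.get(pkg) != have_pkgs.get(pkg):
                findings.append((service, f"package:{pkg}",
                                 want_pkgs.get(pkg), have_pkgs.get(pkg)))
    return findings


# The sample response body from this section, embedded as a raw string so the
# backslash escapes reach the JSON parser unchanged.
SAMPLE_BODY = r'''[
    {
        "occm": "{\"appLogLevel\":\"INFO\",\"packageLogLevel\":[{\"packageName\":\"root\",\"logLevelForPackage\":\"ERROR\"}]}"
    }
]'''

# Constructed baseline: the operator expects the root package at INFO.
BASELINE = {
    "occm": {
        "appLogLevel": "INFO",
        "packageLogLevel": [
            {"packageName": "root", "logLevelForPackage": "INFO"},
        ],
    },
}

if __name__ == "__main__":
    for finding in logging_drift(decode_all_logging(SAMPLE_BODY), BASELINE):
        print("%s %s: expected %s, found %s" % finding)
```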

2.3.3 Update Logging Configurations for a Service

OCCM uses the PUT operation to update logging configurations for a service.

Resource URI: /occm-config/v1/occm/logging

Sample PUT Request:
curl --location --request PUT 'http://{host}:{port}/occm-config/v1/occm/logging' \
--header 'oc-cncc-id: Cluster1' \
--header 'oc-cncc-instance-id: Cluster1-occm-instance1' \
--header 'Authorization: Bearer eyJhbGc...h8bJI_Owc_nb_hA' \
--header 'Content-Type: application/json' \
--data-raw '{
    "appLogLevel":"INFO",
    "packageLogLevel":[
    {
        "packageName":"root",
        "logLevelForPackage":"ERROR"
        }
    ]
    }'
Sample Response:
200 OK