5 Accessing OCCM Resources Through Curl and Postman
CNC Console provides a secure option for accessing OCCM resources through curl and Postman using the CNC Console IAM access token. This section describes how to generate access tokens and access OCCM APIs.
5.1 Generate Access Tokens
CNC Console IAM provides a REST API for generating and refreshing access tokens.
- Send a POST request to the following URL to get an access token from CNC Console IAM:
http://${cncc-iam-ingress-external-ip}:${cncc-iam-ingress-service-port}/cncc/auth/realms/${realm}/protocol/openid-connect/token
For example:
https://{host}:{port}/cncc/auth/realms/cncc/protocol/openid-connect/token
- The body of the request must be x-www-form-urlencoded encoded as follows:
'client_id': 'your_client_id', 'username': 'your_username', 'password': 'your_password', 'grant_type': 'password'
For example:
'client_id': 'cncc-api-access', 'username': 'user1', 'password': '********', 'grant_type': 'password'
- Run the following curl command to generate access tokens:
curl --location --request POST 'http://{host}:{port}/cncc/auth/realms/cncc/protocol/openid-connect/token' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'grant_type=password' \
--data-urlencode 'username=user1' \
--data-urlencode 'password=********' \
--data-urlencode 'client_id=cncc-api-access'
- In response, you will get an access_token and a refresh_token:
{
  "access_token": "eyJhbGc...O9l2Q",
  "expires_in": 300,
  "refresh_expires_in": 1800,
  "refresh_token": "eyJhbG...5vKPF-ZIg",
  "token_type": "bearer",
  "not-before-policy": 0,
  "session_state": "6c42d978-14ac-4793-a1e3-789cfbdb2b74",
  "scope": "email profile"
}
5.2 Refresh Access Tokens
If the access_token has expired, it can be refreshed by sending a POST request to the same URL as above, but the POST body must contain the refresh token instead of the username and password. The format is as follows:
'client_id': 'your_client_id',
'refresh_token': refresh_token_from_previous_request,
'grant_type': 'refresh_token'
For example:
'client_id': 'cncc-api-access',
'refresh_token': 'eyJhbGciOiJIU...dKnmFb5vKPF-ZIg',
'grant_type': 'refresh_token'
In response, you will receive a new access_token and refresh_token.
5.3 Issuer Configuration API Access
You need the CNC Console IAM access tokens to access the OCCM Issuer APIs through CNC Console.
You must include the following headers when you send an API request:
- Authorization: The access token must be sent in every request to an NF resource by placing it in the Authorization header.
- oc-cncc-id: M-CNCC uses the oc-cncc-id header to find the agent or manager owning the instance.
- oc-cncc-instance-id: A-CNCC Core (or M-CNCC Core) uses the oc-cncc-instance-id header to find the NF instance for routing.
The following headers must be passed in the curl or Postman request when accessing the OCCM Issuers resource. The first example configures an issuer with TLS disabled, the second with TLS enabled:
curl --request POST 'http://${occm-external-ip}:${occm-service-port}/occm-config/v1/issuers/' \
--header 'Content-Type: application/json' \
--header 'oc-cncc-id: Cluster1' \
--header 'oc-cncc-instance-id: Cluster1-occm-instance1' \
--header 'Authorization: Bearer <Token>' \
--data-raw '{
"name": "CA1",
"server": "http://ca1-openssl-mock.ns1.svc.thrust5:8090",
"recipientDN": "/CN=x.company.com",
"issuerDN": "/CN=x.company.com",
"totalTimeout": "720",
"messageTimeout": "120",
"cmpProtectionOccmCert": {
"type": null,
"digestAlgorithm": null,
"macAlgorithm": null,
"macK8sSecretIn": {
"namespace": "",
"name": "",
"passKey": "",
"refKey": ""
},
"signK8sSecretIn": {
"namespace": "",
"name": "",
"key": "",
"cert": "",
"extraCerts": []
}
},
"cmpProtectionOtherCert": {
"type": "SIGNATURE",
"digestAlgorithm": "SHA256",
"signK8sSecretIn": {
"namespace": "ns1",
"name": "ca1-cmp-identity-secret",
"key": "cmpkey.pem",
"cert": "cmpcert.pem",
"extraCerts": []
}
},
"occmTrustStoreK8sSecretIn": {
"namespace": "ns1",
"name": "ca1-occm-trust-store-secret",
"rootCACerts": [
"caroot.pem"
],
"intCACerts": [
"intcacert.pem"
],
"serverCert": "servercert.pem"
},
"tlsConfig": {
"enableTLS": false,
"tlsTrustStoreK8sSecretItem": {
"namespace": "",
"name": "",
"tlsTrustedCerts": []
}
}
}'
curl --request POST 'http://${occm-external-ip}:${occm-service-port}/occm-config/v1/issuers/' \
--header 'Content-Type: application/json' \
--header 'oc-cncc-id: Cluster1' \
--header 'oc-cncc-instance-id: Cluster1-occm-instance1' \
--header 'Authorization: Bearer <Token>' \
--data-raw '{
"name": "CA1",
"server": "https://ca1-openssl-mock.ns1.svc.thrust5:8443",
"recipientDN": "/CN=x.company.com",
"issuerDN": "/CN=x.company.com",
"totalTimeout": "720",
"messageTimeout": "120",
"cmpProtectionOccmCert": {
"type": null,
"digestAlgorithm": null,
"macAlgorithm": null,
"macK8sSecretIn": {
"namespace": "",
"name": "",
"passKey": "",
"refKey": ""
},
"signK8sSecretIn": {
"namespace": "",
"name": "",
"key": "",
"cert": "",
"extraCerts": []
}
},
"cmpProtectionOtherCert": {
"type": "SIGNATURE",
"digestAlgorithm": "SHA256",
"signK8sSecretIn": {
"namespace": "ns1",
"name": "ca1-cmp-identity-secret",
"key": "cmpkey.pem",
"cert": "cmpcert.pem",
"extraCerts": []
}
},
"occmTrustStoreK8sSecretIn": {
"namespace": "ns1",
"name": "ca1-occm-trust-store-secret",
"rootCACerts": [
"caroot.pem"
],
"intCACerts": [
"intcacert.pem"
],
"serverCert": "servercert.pem"
},
"tlsConfig": {
"enableTLS": true,
"tlsTrustStoreK8sSecretItem": {
"namespace": "ns1",
"name": "ca1-tls-trust-store-secret",
"tlsTrustedCerts": ["caroot.cer"]
}
}
}'
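As an added example that is not part of this Oracle documentation, the following Python client implements the token flow from 5.1 and 5.2 and builds the request headers 5.3 requires: it uses the password grant once, then renews with the refresh_token grant shortly before expires_in elapses, so the password is never re-sent and an expired token never reaches OCCM. The {host}/{port} placeholders, the https scheme on the IAM URL and the injectable send/now callbacks are assumptions.

```python
import json
import time
import urllib.parse
import urllib.request

# Token endpoint from the page; {host}/{port} are placeholders (assumption: IAM is reached over https)
TOKEN_URL = "https://{host}:{port}/cncc/auth/realms/cncc/protocol/openid-connect/token"


def http_send(url, body, headers):
    """Real transport: POST the form body with headers and return the parsed JSON reply."""
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.loads(resp.read().decode())


class CnccTokenClient:
    """Holds the IAM token pair; password grant once, refresh_token grant afterwards."""

    def __init__(self, client_id, send=http_send, now=time.time, skew=30):
        self.client_id = client_id
        self.send = send      # injectable transport (assumption) so the logic runs offline
        self.now = now        # injectable clock (assumption)
        self.skew = skew      # renew this many seconds before expires_in elapses
        self._access = self._refresh = None
        self._expires_at = 0.0

    def _grant(self, fields):
        fields["client_id"] = self.client_id
        body = urllib.parse.urlencode(fields).encode()   # x-www-form-urlencoded body (5.1)
        return self.send(TOKEN_URL, body, {"Content-Type": "application/x-www-form-urlencoded"})

    def _store(self, tok):
        self._access, self._refresh = tok["access_token"], tok["refresh_token"]
        self._expires_at = self.now() + tok["expires_in"]   # expires_in is 300 s in the page

    def login(self, username, password):
        self._store(self._grant({"grant_type": "password", "username": username, "password": password}))

    def access_token(self):
        # Renew early with the refresh token; the password is never sent again (5.2)
        if self.now() >= self._expires_at - self.skew:
            self._store(self._grant({"grant_type": "refresh_token", "refresh_token": self._refresh}))
        return self._access


def occm_headers(client, cncc_id, instance_id):
    """The three headers 5.3 requires on every OCCM request, with a fresh bearer token."""
    return {"Content-Type": "application/json", "oc-cncc-id": cncc_id,
            "oc-cncc-instance-id": instance_id,
            "Authorization": "Bearer " + client.access_token()}
```

Pass the returned dict as the headers of the OCCM POST and keep the token out of logs; the token string itself is a credential for the lifetime of expires_in.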
5.4 Certificate Configuration API Access
curl --request POST 'http://${occm-external-ip}:${occm-service-port}/occm-config/v1/certs/' \
--header 'Content-Type: application/json' \
--header 'oc-cncc-id: Cluster1' \
--header 'oc-cncc-instance-id: Cluster1-occm-instance1' \
--header 'Authorization: Bearer <Token>' \
--data-raw '{
"name": "NRF TLS Cert",
"lcmType": "AUTOMATIC",
"certType": "OTHER",
"renewBefore": "14",
"certPurpose": "NRF SBI",
"issuer": "CA1",
"privateKey": {
"keyAlgo": "RSA",
"keySize": "KEYSIZE_2048",
"keyEncoding": "PEM",
"ecCurve": null,
"privateKeyK8sSecretOut": {
"namespace": "ns1",
"name": "nrf-tls-secret",
"key": "nrfkey.pem"
}
},
"csr": {
"extendedKeyUsage": {
"critical": false,
"extendedKeyUsageValues": [
"CLIENT_AUTH",
"SERVER_AUTH"
]
},
"keyUsage": {
"critical": true,
"keyUsageValues": [
"DIGITAL_SIGNATURE"
]
},
"basicConstraints": {
"critical": false,
"basicConstraintsValue": "END_ENTITY"
},
"subject": {
"country": "IN",
"state": "KA",
"location": "BLR",
"organization": "Oracle",
"organizationUnit": "CGBU",
"commonName": "a.company.com"
},
"days": "365",
"subjectAltName": {
"critical": false,
"ipAddress": [
"10.10.10.20",
"10.10.10.21"
],
"dns": [
"y.company.com",
"z.company.com"
],
"uriIdApiRoot": null,
"uriIdUrn": [
"urn:uuid:f81d4fae-7dec-11d0-a765-00a0c91e6bf6"
]
},
"certK8sSecretOut": {
"namespace": "ns1",
"name": "nrf-tls-secret",
"key": "nrfcert.pem"
},
"certChainK8sSecretOut": {
"namespace": "ns1",
"name": "nrf-tls-secret",
"key": "nrfcertchain.pem"
},
"mergeCertAndChain" : false
},
"caBundleK8sSecretIn": {
"namespace": "ns1",
"name": "ca-bundle-secret",
"key": "ca-bundle.pem"
},
"nf": "NRF",
"overrideSecret": false
}'
5.5 Bulk Certificate Migration API Access
curl --request POST 'http://${occm-external-ip}:${occm-service-port}/occm-config/v1/certs/bulk-migrate' \
--header 'Content-Type: application/json' \
--header 'oc-cncc-id: Cluster1' \
--header 'oc-cncc-instance-id: Cluster1-occm-instance1' \
--header 'Authorization: Bearer <Token>' \
--data-raw '{
"sourceIssuerName": "CA1",
"destinationIssuerName": "CA2"
}'
5.6 Logging API Access
You need the CNC Console IAM access token that you generated to access OCCM Logging APIs.
curl --location --request PUT 'http://host:port/occm-config/v1/occm/logging' \
--header 'oc-cncc-id: Cluster1' \
--header 'oc-cncc-instance-id: Cluster1-occm-instance1' \
--header 'Authorization: Bearer eyJhbGciOiJSUzI1NiIs...' \
--header 'Content-Type: application/json' \
--data-raw '{
"appLogLevel": "DEBUG",
"packageLogLevel": [
{
"packageName": "root",
"logLevelForPackage": "ERROR"
}