27 Securing ECE Communications

Learn how to secure communications within your Oracle Communications Elastic Charging Engine (ECE) cloud native system and between ECE and external applications.

Topics in this document:

  • Enabling SSL Communication When Separate Clusters for BRM and ECE

  • Using a Custom TLS Certificate for Secure Connections

  • Securing Communication Between the CHF and NRF, PCF, and SMF

Enabling SSL Communication When Separate Clusters for BRM and ECE

If BRM and ECE are located in different Kubernetes clusters or cloud native environments, enable SSL communication between BRM and the External Manager (EM) Gateway.

To enable SSL communication:

  1. In the CM configuration file (BRM_home/sys/cm/pin.conf), set the em_pointer parameter to the host name and port of either the emgateway service or the load balancer:

    - cm em_pointer ece ip hostname port

    where hostname is the worker node IP or LoadBalancer IP, and port is the emgateway service node port or LoadBalancer exposed port.

  2. In your override-values.yaml file for oc-cn-ece-helm-chart, set the emgateway.serviceFqdn key to the dedicated worker node IP or load balancer IP.

    The emgateway pod can be scheduled on specific worker nodes using nodeSelector.

  3. If this is the first time you are deploying ECE, run the helm install command:

    helm install EceReleaseName oc-cn-ece-helm-chart --namespace BrmNameSpace --values OverrideValuesFile

  4. If you have already deployed ECE, do the following:

    1. Delete the .brm_wallet_date hidden files from the ece-wallet-pvcLocation/brmwallet directory, where ece-wallet-pvcLocation is the directory for the wallet PVC.

    2. Move the ece-wallet-pvcLocation/brmwallet/server directory to server_bkp.

    3. Perform a rolling restart of the ecs1 pod by incrementing the restartCount key in your override-values.yaml file and then running a helm upgrade command. See "Rolling Restart of ECE Pods" for more information.

    4. Delete the emgateway pods. This enables the pods to read the updated BRM Server wallet entries.

    5. Run the helm upgrade command to update the ECE Helm chart:

      helm upgrade EceReleaseName oc-cn-ece-helm-chart --values OverrideValuesFile --namespace BrmNameSpace

Using a Custom TLS Certificate for Secure Connections

To configure ECE to use a custom TLS certificate for communicating with external service providers, set these keys in the override-values.yaml file for oc-cn-ece-helm-chart:

  • charging.customSSLWallet: Set this to true.

  • charging.secretCustomWallet.name: Set this to the Secret name.

  • charging.emGatewayConfigurations.emGatewayConfigurationList.emGateway1Config.wallet: Set this to /home/charging/wallet/custom/cwallet.sso.

  • charging.emGatewayConfigurations.emGatewayConfigurationList.emGateway2Config.wallet: Set this to the custom wallet path.

  • charging.brmWalletServerLocation: Set this to the custom wallet path.

  • charging.brmWalletClientLocation: Set this to the custom wallet path.

  • charging.brmWalletLocation: Set this to the custom wallet path.

  • charging.radiusGatewayConfigurations.wallet: Set this to the custom wallet path.

  • charging.connectionConfigurations.BRMConnectionConfiguration.brmwallet: Set this to the custom wallet path.

Note:

If the custom wallet is deployed after ECE is installed, perform a Helm upgrade. You can update the wallet location configured for ECE pods such as radiusgateway, emgateway, and brmgateway by using JMX.

Securing Communication Between the CHF and NRF, PCF, and SMF

You can enable secure communication between the HTTP Gateway (CHF) and the NRF, PCF, and SMF in one of these ways:

  • By using KeyStores mounted in the Helm chart. See "Securing Communication Using KeyStores Mounted in the Helm Chart".

  • By using external Kubernetes Secrets. See "Securing Communication Using External Kubernetes Secrets".

Securing Communication Using KeyStores Mounted in the Helm Chart

To enable secure communication between the HTTP Gateway (CHF) and the NRF, PCF, and SMF using KeyStores mounted in the Helm chart:

  1. Generate your SSL TrustStore and Identity KeyStore certificates for the NRF, PCF, and SMF.

  2. Move the SSL TrustStore and Identity KeyStore certificate files to the oc-cn-ece-helm-chart/secrets/httpgateway directory.

    When you perform a Helm install or upgrade, the ECE Helm chart mounts the TrustStore and Identity KeyStores inside the httpgateway pods as a Kubernetes Secret.

  3. Open your override-values.yaml file for oc-cn-ece-helm-chart.

  4. Enable SSL-based communication between the CHF and the PCF, NRF, and SMF by setting the following keys under httpgateway.httpgatewayList.httpGatewayConfiguration:

    • pcfSSLEnabled: Set this to true to enable SSL-based communication between the CHF and PCF.

    • nrfSSLEnabled: Set this to true to enable SSL-based communication between the CHF and NRF.

    • smfSSLEnabled: Set this to true to enable SSL-based communication between the CHF and SMF.

    • httpSSLType: Specify the type of SSL communication: oneway or twoway.

  5. Specify the name and location of the TrustStore and Identity KeyStore files by setting the following keys under httpgateway:

    • httpIdentityKeystore: Specify the path to the Identity KeyStore certificate files.

    • httpIdentityKeystoreType: Specify the type of SSL Identity KeyStore: PKCS12 or SSO.

    • httpTruststore: Specify the path to the SSL TrustStore files.

    • httpTruststoreType: Specify the type of SSL TrustStore file: PKCS12 or SSO.

  6. If your ECE cloud native services route communication between the CHF and other network functions through an Oracle Services Communications Proxy (SCP), do the following:

    1. In the httpgateway.httpgatewayList.httpGatewayConfiguration.scpAuthorities key, enter the URLs of the primary and secondary SCP authorities, delimited by a comma.

      For example: scpAuthorities="scp1.example.com,scp2.example.com".

    2. Ensure that the oc-cn-ece-helm-chart/secrets/httpgateway/ directory contains the SCP SSL KeyStore certificates rather than PCF and SMF certificates.

    See "Configuring Communication through SCP" in ECE Implementing Charging for more information about SCP.

  7. Run the helm install or helm upgrade command to update the ECE Helm chart.

    The KeyStores are mounted inside the httpgateway pod as a Kubernetes Secret at /home/charging/mnt/secrets/httpgateway/server_ssl.

Securing Communication Using External Kubernetes Secrets

To enable secure communication between the HTTP Gateway (CHF) and the NRF, PCF, and SMF using external Kubernetes Secrets:

  1. Create your KeyStore certificates for the NRF, PCF, and SMF as Secrets in your Kubernetes cluster.

    Note:

    If communication is routed through an Oracle Services Communications Proxy (SCP), create SCP-related certificates instead.

    For information about creating Kubernetes Secrets, see "Managing Secrets" in the Kubernetes documentation.

  2. Open your override-values.yaml file for oc-cn-ece-helm-chart.

  3. Specify the external Kubernetes Secrets by setting the following keys under httpgateway:

    • extHttpIdentityKeystoreSecret: Specify the name of the external Kubernetes Secret containing the HTTP Identity KeyStore.

    • httpIdentityKeystore: Specify the name of the Identity KeyStore certificate file contained in the external Kubernetes Secret.

    • httpTruststore: Specify the name of the SSL TrustStore file contained in the external Kubernetes Secret.

    • extHttpTruststoreSecret: Specify the name of the external Kubernetes Secret containing the HTTP TrustStore.

  4. If your ECE cloud native services route communication between the CHF and other network functions through an Oracle Services Communications Proxy (SCP), set the httpgateway.httpgatewayList.httpGatewayConfiguration.scpAuthorities key to the URLs of the primary and secondary SCP authorities, delimited by a comma.

    For example: scpAuthorities="scp1.example.com,scp2.example.com".

    See "Configuring Communication through SCP" in ECE Implementing Charging for more information about SCP.

  5. Perform a helm install of the ECE Helm chart:

    helm install EceReleaseName oc-cn-ece-helm-chart --namespace BrmNameSpace --values OverrideValuesFile

    where:

    • EceReleaseName is the release name for oc-cn-ece-helm-chart and is used to track this installation instance. It must be different from the one used for the BRM Helm chart.

    • BrmNameSpace is the namespace in which BRM Kubernetes objects reside for the BRM Helm chart.

    • OverrideValuesFile is the path to a YAML file that overrides the default configurations in the oc-cn-ece-helm-chart/values.yaml file.
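As an added example (not part of the Oracle documentation or of oc-cn-ece-helm-chart), the following Python check walks the httpgateway TLS keys named in the two procedures above over a parsed override-values.yaml (a nested dict, for example from yaml.safe_load) and reports inconsistent settings before you run helm install or helm upgrade. SAMPLE_VALUES is a constructed input, and the nesting of keys follows the dotted paths exactly as this chapter writes them, which is an assumption about the chart's layout.

```python
# Dotted paths exactly as this chapter names them in override-values.yaml (assumed layout).
CFG = "httpgateway.httpgatewayList.httpGatewayConfiguration"
PEERS = ("pcf", "nrf", "smf")


def lookup(values, dotted):
    # Resolve a dotted key over the parsed YAML; None when any segment is absent.
    node = values
    for part in dotted.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node


def check_httpgateway_tls(values):
    """Return findings for the CHF TLS keys; an empty list means they are consistent."""
    findings = []
    if not any(lookup(values, f"{CFG}.{p}SSLEnabled") is True for p in PEERS):
        return ["no peer has SSL enabled: CHF traffic to NRF/PCF/SMF is plaintext"]
    ssl_type = lookup(values, f"{CFG}.httpSSLType")
    if ssl_type not in ("oneway", "twoway"):
        findings.append(f"httpSSLType must be oneway or twoway, got {ssl_type!r}")
    # The chapter sets both stores whenever SSL is enabled for any peer.
    for key in ("httpIdentityKeystore", "httpTruststore"):
        if not lookup(values, f"httpgateway.{key}"):
            findings.append(f"{key} is not set")
    # Store types are listed only for the mounted-KeyStore procedure, so validate when present.
    for key in ("httpIdentityKeystoreType", "httpTruststoreType"):
        store_type = lookup(values, f"httpgateway.{key}")
        if store_type is not None and store_type not in ("PKCS12", "SSO"):
            findings.append(f"{key} must be PKCS12 or SSO, got {store_type!r}")
    # External-Secrets procedure: the Identity KeyStore and TrustStore Secrets go together.
    ext = [lookup(values, f"httpgateway.{k}")
           for k in ("extHttpIdentityKeystoreSecret", "extHttpTruststoreSecret")]
    if any(ext) and not all(ext):
        findings.append("only one of extHttpIdentityKeystoreSecret/extHttpTruststoreSecret is set")
    # SCP routing: a primary and a secondary authority, comma-delimited.
    scp = lookup(values, f"{CFG}.scpAuthorities")
    if scp is not None and len([a for a in scp.split(",") if a.strip()]) != 2:
        findings.append(f"scpAuthorities should list a primary and a secondary SCP, got {scp!r}")
    return findings


# Constructed sample mirroring an override-values.yaml; not taken from any real deployment.
SAMPLE_VALUES = {"httpgateway": {
    "httpgatewayList": {"httpGatewayConfiguration": {
        "pcfSSLEnabled": True, "nrfSSLEnabled": True, "smfSSLEnabled": False,
        "httpSSLType": "twoway", "scpAuthorities": "scp1.example.com,scp2.example.com"}},
    "httpIdentityKeystore": "identity.p12", "httpIdentityKeystoreType": "PKCS12",
    "httpTruststore": "trust.p12", "httpTruststoreType": "JKS",  # chapter allows PKCS12 or SSO only
    "extHttpIdentityKeystoreSecret": "chf-identity-keystore",  # matching TrustStore Secret missing
}}
```

SAMPLE_VALUES deliberately carries two mistakes (an unsupported TrustStore type and only one of the two external Secret names), and check_httpgateway_tls returns exactly those two findings.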