11 ECE REST API Security

Learn how to enable OAuth 2.0 for 5G services and set up security for the Oracle Communications Elastic Charging Engine (ECE) REST API.

Topics in this document:

For more information, see REST API for Elastic Charging Engine.

About ECE REST API Security

The ECE REST API uses the OAuth 2.0 security protocol to authenticate a 5G client’s identity and authorize it to access the ECE REST API. It does this by validating an OAuth access token that is passed in the header of every HTTP/HTTPS request to the ECE REST API.

The 5G client must pass this OAuth access token in the header of every HTTP/HTTPS request sent to the ECE REST API.

To set up authentication and authorization for the 5G client, you use Oracle Access Management.

About the OAuth 2.0 Flow in HTTP Gateway

The Charging Function (CHF) acts as a resource server for other Network Functions (NF), such as Policy Control Function (PCF) and Session Management Function (SMF). When you enable OAuth 2.0 support, the CHF manages the authentication of incoming requests from the NFs.

When PCF and SMF want to communicate with CHF, they must first obtain an authentication token from the OAuth 2.0 authorization server (Network Resource Function). This authorization server provides a JSON Web Token (JWT) with a private key.

The claims in the private key should include:

  • NF Instance ID of NRF (the issuer)

  • NF Instance Id of the NF Service consumer (subject)

  • One or more NF Instance IDs for the requested NF Service Producers (audience)

  • Expected service names (scope)

  • Optionally "additional scope" information.

Once the NF obtains a token and makes a call to CHF, the JWT token should be present in the header. When CHF receives the request, it authenticates the token by verifying the key and the claims in the JWT payload.

The CHF sends the following responses after validating the token:

  • If the token validation fails, the CHF will return a 401 Unauthorized error or a 403 Forbidden error. This means that the token is missing, invalid, expired or the scope is wrong.
  • If the token is valid, the CHF will return a 200 OK code with an appropriate response.

Setting Up OAuth for the ECE REST API with Oracle Access Management

Setting up OAuth for the ECE REST API using Oracle Access Management involves these high-level steps:

  1. Installing the Oracle Access Management software. For the list of supported versions, see BRM Compatibility Matrix.

    For more information about installing the Oracle Access Management software, see Oracle Fusion Middleware Installing and Configuring Oracle Identity and Access Management.

  2. Installing the Oracle Unified Directory software with the HTTP port enabled. For the list of supported versions, see BRM Compatibility Matrix.

    For more information about installing Oracle Unified Directory, see Oracle Fusion Middleware Installing Oracle Unified Directory.

  3. Enabling OAuth Services for ECE REST API

  4. Creating an OAuth Identity Domain for ECE REST API

  5. Creating a Resource Server for ECE REST API

  6. Creating an OAuth Client for the ECE REST API

  7. Requesting an OAuth Access Token from Oracle Access Management

Enabling OAuth Services for ECE REST API

Enable OAuth services in Oracle Access Management as described in "Managing Common Services and Certificate Validation" in Oracle Fusion Middleware Administering Oracle Access Management. Ensure that the following services are enabled:

  • Access Manager

  • OAuth

Creating an OAuth Identity Domain for ECE REST API

You create an OAuth identity domain to control the authentication and authorization of users who can sign in to the ECE REST API, and what features they can access. You create all artifacts, such as the resource server and OAuth client, under the identity domain.

To create an identity domain, submit a request to the Add a new OAuth Identity Domain endpoint of the Oracle Access Manager OAuth REST API. See "Add a new OAuth Identity Domain" in REST API for OAuth in Oracle Access Manager for more information about this endpoint.

The following shows an example cURL command for creating an identity domain named ECE_Domain, with the OUD identity provider (for Oracle Unified Directory): 

curl -i --header 'Content-Type: application/json' 
--header 'Authorization:Basic encoded_admin'
--request POST http//oam_host:oam_port/oam/services/rest/ssa/api/v1/oauthpolicyadmin/oauthidentitydomain
--data-raw '{"name":"ECE_Domain","identityProvider":"OUD","description":"Identity Domain for ECE REST API","tokenSettings":[
{"tokenType":"ACCESS_TOKEN","tokenExpiry":3600,"lifeCycleEnabled":false,"refreshTokenEnabled":false,"refreshTokenExpiry":86400,"refreshTokenLifeCycleEnabled":false}]'

where:

  • encoded_admin is the base64-encoded format of the Oracle Access Management administrator user name and password.
  • oam_host:oam_port is the host name and port for the Oracle Access Management server.

If the identity domain was created successfully, you will see a response similar to this:

Sucessfully created entity - OAuthIdentityDomain, detail - OAuth Identity Domain :: Name - ECE_Domain, Id - 19f85bc53b49561ea52f039474c2c4b,
Description - Identity Domain for ECE REST API, TrustStore Identifiers - ECE_Domain,Identity Provider - OUD, TokenSettings -
[{"tokenType":"ACCESS_TOKEN","tokenExpiry":3600,"lifeCycleEnabled":false,"refreshTokenEnabled":false,"refreshTokenExpiry":86400,"refreshTokenLifeCycleEnabled":false}],

Creating a Resource Server for ECE REST API

A resource server hosts the protected resources. It must be capable of accepting and responding to resource requests using OAuth access tokens.

To create a resource server, submit a request to the Add a new Resource Server endpoint of the Oracle Access Management OAuth REST API. See "Add a new Resource Server" in REST API for OAuth in Oracle Access Manager for more information about this endpoint.

The following shows an example of creating a resource server named NetworkFunctionServiceProducer with all and read scopes, an identity domain named ECE_Domain, and static and dynamic customer attributes: 

curl -k -u wls_admin:password -H 'Content-Type: application/json' 'http://oam_host:oam_port/oam/services/rest/ssa/api/v1/oauthpolicyadmin/application'
-d '{"name":"NetworkFunctionServiceProducer","description":"Resource server for ECE REST API",
"scopes":[{"scopeName":"all","description":"All permissions"},{"scopeName":"read","description":"Read permissions"}],
"tokenAttributes":[{"attrName":"sessionId","attrValue":"$session.id","attrType":"DYNAMIC"},{"attrName":"resSrvAttr","attrValue":"RESOURCECONST","attrType":"STATIC"}],"idDomain":"ECE_Domain","audienceClaim":{"subjects":["ab0"]}}'

where:

  • wls_admin:password is the administrator user name and password for Oracle WebLogic Server.
  • resource_server is the name of the resource server that you want to create.
  • scopeN is the name of a scope.

After the scopes are defined under the resource server, refer to them as resource_server.scope for subsequent tasks, such as creating the OAuth client and requesting an OAuth token. For example, NetworkFunctionServiceProducer.all.

If the resource server is created successfully, you will see a response similar to this:

Successfully created entity - OAuthResourceServer, detail - IdentityDomain="ECE_Domain",Name=" NetworkFunctionServiceProducer.all ",Description="Resource server for ECE REST API",
resourceServerId="4953a4f4-8c3f-41fd-99b5-837cfa9f9ecb",resourceServerNameSpacePrefix=" NetworkFunctionServiceProducer.",audienceClaim="{"subjects":["ab0"]}",
resServerType="CUSTOM_RESOURCE_SERVER",Scopes="[{"scopeName":"all","description":"All permissions"},{"scopeName":"read","description":"Read permissions"}]",
tokenAttributes="[{"attrName":"sessionId","attrValue":"$session.id","attrType":DYNAMIC},{"attrName":"resSrvAttr","attrValue":"RESOURCECONST","attrType":STATIC}]

Creating an OAuth Client for the ECE REST API

You create an OAuth client for the ECE REST API to authenticate requests.

To create an OAuth client, submit a request to the Add a new OAuth Client endpoint of the Oracle Access Management OAuth REST API. See "Add a new OAuth Client" in REST API for OAuth in Oracle Access Manager for more information about this endpoint.

The following shows an example cURL request for creating a confidential OAuth client named NetworkFunctionServiceConsumer with the NetworkFunctionServiceProducer.all and default NetworkFunctionServiceProducer.read scopes, an identity domain named ECE_Domain, and some custom attributes. 

curl -k -u wls_admin:password -H 'Content-Type: application/json''http://oam_host:oam_port/oam/services/rest/ssa/api/v1/oauthpolicyadmin/client'
-d'{"attributes":[{"attrName":"customAttribute1","attrValue":"Custom Value1","attrType":"static"},{"attrName":"customAttribute2","attrValue":"Custom Value2","attrType":"static"}],
"secret":"client_secret","id":"client_id","scopes":[" NetworkFunctionServiceProducer.all "," NetworkFunctionServiceProducer. read "],"clientType":"CONFIDENTIAL_CLIENT",
"idDomain":"ECE_Domain","description":"ECE RSM OAuth client","name":"ECERSMClient","grantTypes":["CLIENT_CREDENTIALS"], 
"defaultScope":" NetworkFunctionServiceProducer. read ","redirectURIs":[{"url":"http://redirect_host:redirect_port/oauth/callback","isHttps":true}]}'

where:

  • client_id and client_secret are the client ID and client password.

  • redirect_host:redirect_port is the URL for your client application.

If the client is created successfully, the response will be similar to this:

Sucessfully created entity - OAuthClient, detail - OAuth Client - uid = 4b37dd63-08dd-45b5-b5a5-c1e788cb2ff2, name = ECERSMClient, id =  ECERSMClientId,
identityDomain = ECE_RSM_Domain, description = ECE RSM OAuth client, secret = ECERSMPassword, clientType = CONFIDENTIAL_CLIENT, grantTypes = [CLIENT_CREDENTIALS],
attributes = [{"attrName":"customAttribute1","attrValue":"Custom  Value1","attrType":STATIC},{"attrName":"customAttribute2","attrValue":"Custom  Value2","attrType":STATIC},{"attrName":"sessionId","attrValue":"session.id","attrType":DYNAMIC},
{"attrName":"resSrvAttr","attrValue":"RESOURCECONST","attrType":STATIC}],  scopes =
[NetworkFunctionServiceProducer.all, NetworkFunctionServiceProducer. read], defaultScope = ECERSMResourceServer.read, redirectURIs = [{"url":"http://redirect_host:redirect_port/oauth/callback","isHttps":true}]

Requesting an OAuth Access Token from Oracle Access Management

You create an access token for OAuth authentication by submitting a request to the Create Access Token Flow endpoint of the Oracle Access Management OAuth REST API. For more information, see "Create Access Token Flow" in REST API for OAuth in Oracle Access Manager.

To request an OAuth access token, use cURL to send an HTTP/HTTPS request to the Oracle Access Management URL:

curl -i --header 'Authorization: Basic encoded_admin'
--header "Content-Type: application/x-www-form-urlencoded;charset=UTF-8"
--header "X-OAUTH-IDENTITY-DOMAIN-NAME: identity_domain"
--request POST http://oam_host:oam_port/oauth2/rest/token 
--data-urlencode "grant_type=CLIENT_CREDENTIALS&scope=resource_server.scope"

where:

  • encoded_admin is the base64-encoded format of the Oracle Access Management administrator user name and password.

  • identity_domain is the name of the OAuth identity domain created in Oracle Access Management for ECE REST API.

  • oam_host:oam_port is the host name and port for the Oracle Access Management server.

  • resource_server is the name of the Oracle Access Management resource server created for ECE REST API.

  • scope is the name of a scope.

The following shows an example cURL request for creating an OAuth access token for the ECE_domain identity domain, NetworkFunctionServiceProducer resource server, and all scope: 

curl --location --header 'Authorization: Basic encoded_admin'
--header "Content-Type: application/x-www-form-urlencoded;charset=UTF-8"
--header "X-OAUTH-IDENTITY-DOMAIN-NAME: ECE_Domain" 
--request POST http://oam_host:oam_port/oauth2/rest/token
--data-urlencode "grant_type=CLIENT_CREDENTIALS&scope=NetworkFunctionServiceProducer.all"

If the request is successful, Oracle Access Management returns something similar to this:

{"access_token":"access_token",
"token_type":"Bearer","expires_in":3600}

Your client must pass this OAuth access token in the header of every HTTP/HTTPS request sent to the ECE REST API.

Enabling OAuth 2.0 Authentication in HTTP Gateway

You can enable HTTP Gateway in the application to enable or disable OAuth 2.0 support. You can enable or disable OAuth 2.0 in both on-premises and cloud-native environments.

Note:

If you have enabled the OAuth 2.0 functionality, an SSL connection must be present between the Network Functions and the Network Repository Function.

Enabling OAuth 2.0 in On-Premises Systems

You can enable OAuth 2.0 in your HTTP Gateway on-premises system during the ECE installation process or at runtime. To enable it during the ECE installation process, see "Installing a Standalone ECE System" in ECE Installation Guide.

To enable OAuth 2.0 in an on-premises environment while ECE is running:

  1. Access the ECE configuration MBeans in a JMX editor, such as JConsole.

    See "Accessing ECE Configuration MBeans" in ECE Implementing Charging.

  2. Expand the ECE Configuration node.

  3. Expand charging.httpGatewayConfigurations.

  4. Expand Attributes.

  5. Specify values for the following fields:

    • nrfPublicKeyLocation: Enter the path to the public key of the Network Repository Function.

    • nrfJwtAlgorithm: Enter the algorithm used by the Network Repository Function to create the JSON Web Token (JWT).

  6. Expand charging.HttpGatewayConfigurations.name, where name is the name of the HTTP Gateway instance.

  7. Expand Attributes.

  8. Set the oauth2Enabled attribute to true. If OAuth2enabled is set to true, you must send an access token in the header.

Note:

When you make access tokens by asymmetric cryptography, the following JWT Algorithms are supported:

  • RSA

  • ECDSA

Enabling OAuth 2.0 in Cloud Native Deployments

To enable OAuth 2.0 in cloud native deployments, do the following:

  1. Move the public key to the oc-cn-ece-helm-chart/secrets/httpgateway directory.

    After deployment, the public key is mounted in the httpgateway pod as a Kubernetes Secret.

  2. Set the following keys in your override-values.yaml file for oc-cn-ece-helm-chart:

    • httpgateway.httpgatewayList.httpGatewayConfiguration.oauth2Enabled: Set this to true If oauth2Enabled is set to true, you must ensure that all incoming requests have an access token in the header. If the access token is missing, you will receive an error message.

    • httpgateway.nrfPublicKeyLocation: Set this to the name of the public key file.

    • httpgateway.nrfJwtAlgorithm: Set this to the algorithm used to create the Network Repository Function public key. The default is RSA.

  3. Run the helm install command to deploy the ECE Helm chart: 

    helm install EceReleaseName oc-cn-ece-helm-chart --namespace BrmNameSpace --values OverrideValuesFile

    where:

    • EceReleaseName is the release name for oc-cn-ece-helm-chart and is used to track this installation instance. It must be different from the one used for the BRM Helm chart.

    • BrmNameSpace is the namespace in which BRM Kubernetes objects reside for the BRM Helm chart.

    • OverrideValuesFile is the path to a YAML file that overrides the default configurations in the oc-cn-ece-helm-chart/values.yaml file.