Configuring HTTP/2 TLS for SBA Interfaces

This section describes the commands for configuring the HTTP/2 TLS support for SBA interfaces.

Configuring CA Certificates

Use the following sample configuration to configure the CA certificates:

config 
   nf-tls ca-certificates certificate_name 
      cert-data certificate_data 
   exit 
exit 

NOTES:

  • nf-tls ca-certificates certificate_name : Specifies the CA certificate name.

  • cert-data certificate_data : Specifies the CA certificate data in the PEM format.

Configuring Server or Client Certificates

Use the following sample configuration to configure the server or client certificates:

config 
   nf-tls certificates certificate_name 
      cert-data certificate_data 
      private-key certificate_private_key 
   exit 
exit 

NOTES:

  • nf-tls certificates certificate_name : Specifies the server or client certificate name.

  • cert-data certificate_data : Specifies the server or client certificate data in the PEM format.

  • private-key certificate_private_key : Specifies the server or client certificate private key in the PKCS 8 format.

To obtain the private key in the PKCS8 format from the PEM certificate and its key file, perform the following steps:

  1. Convert the certificate from PEM to PKCS12 format.

    openssl pkcs12 -export -out pkcscertificate.p12 -inkey certificatekey.pem -in inputcertificate.pem

  2. Extract the private key from the PKCS12 certificate created in the preceding step.

    openssl pkcs12 -in pkcscertificate.p12 -nocerts -nodes -out privatekey.pem

  3. Convert the private key to a PKCS8 key.

    openssl pkcs8 -in privatekey.pem -topk8 -nocrypt -out privatekey.p8
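
The three steps above as a non-interactive script with two checks before the key is used as the private-key value: that the output is unencrypted PKCS8, and that it belongs to the certificate. This is an added example, not vendor code; the function names, P12_PASS and the sample subject name are assumptions, and the key and certificate in demo are constructed throwaway material.

```bash
#!/usr/bin/env bash
# Added example (not vendor code). Function names, P12_PASS and the sample
# subject name are assumptions; file names follow the steps above.
umask 077  # -nodes and -nocrypt write the key unencrypted: keep files owner-only
P12_PASS='constructed-example-pass'  # throwaway password for the intermediate .p12

# Steps 1-3: PEM -> PKCS12 -> private key -> PKCS8. Args: key.pem cert.pem workdir
to_pkcs8() {
  openssl pkcs12 -export -out "$3/pkcscertificate.p12" -inkey "$1" -in "$2" \
      -passout "pass:$P12_PASS" &&
  openssl pkcs12 -in "$3/pkcscertificate.p12" -nocerts -nodes \
      -passin "pass:$P12_PASS" -out "$3/privatekey.pem" &&
  openssl pkcs8 -in "$3/privatekey.pem" -topk8 -nocrypt -out "$3/privatekey.p8" &&
  rm -f "$3/pkcscertificate.p12" "$3/privatekey.pem"  # no stray key copies
}

# Unencrypted PKCS8 has exactly this PEM header; PKCS1 ("RSA PRIVATE KEY") and
# "ENCRYPTED PRIVATE KEY" do not match.
is_plain_pkcs8() { grep -qxF -- '-----BEGIN PRIVATE KEY-----' "$1"; }

# True only if key and certificate carry the same public key.
# Body runs in a subshell, so k and c stay local and exit only leaves the check.
key_matches_cert() (
  k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || exit 1
  c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || exit 1
  [ -n "$k" ] && [ "$k" = "$c" ]
)

# Run the whole procedure on a constructed throwaway key and self-signed cert.
demo() (
  d=$(mktemp -d) || exit 1
  trap 'rm -rf "$d"' EXIT
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=smf-sbi.example' \
      -keyout "$d/certificatekey.pem" -out "$d/inputcertificate.pem" 2>/dev/null || exit 1
  to_pkcs8 "$d/certificatekey.pem" "$d/inputcertificate.pem" "$d" &&
    is_plain_pkcs8 "$d/privatekey.p8" &&
    key_matches_cert "$d/privatekey.p8" "$d/inputcertificate.pem"
)
```

Calling demo returns a zero exit status when the converted key is unencrypted PKCS8 and matches the certificate.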

To enable HTTPS, the rest-endpoint uri-scheme is configured to HTTPS. The default value of the uri-scheme is HTTP. If the uri-scheme is configured as HTTPS, then the SMF requires the server certificate name.

Associating Configured Certificate to Interface

Use the following sample configuration to associate a configured certificate to an interface. You can view the configured certificate names through the nf-tls certificates CLI command.

config 
   endpoint sbi certificate-name configured_certificate_name 
   exit 
exit 

NOTES:

  • endpoint sbi certificate-name configured_certificate_name : Shows the list of configured certificate names.

SMF uses the server certificate name for the SBI messages. These certificates are used when the smf-rest-ep pod starts, to configure the SSL context for the REST SBI server. When SMF acts as a client and initiates requests, such as N7, N10, and nNRF requests, the protocol is mentioned in the endpoint profile.

Configuring Mutual TLS for SBI Interfaces

To configure mutual TLS for SBI interfaces, use the following sample configuration:

config 
   instance instance-id instance_id 
      endpoint sbi   
         interface [ bfd | bgp | coa-nas | geo-external | geo-internal | gtpu | n4 | n7 | n10 | n11 | n16 | n40 | nrf | s2b | s5 | s5e | s8 | s11 | sxa | x1 | x2 ]    
            mtls-enable [ true | false ] 
               certificate name [ clientCert | prem-server-cert | serverCert | x1client | x1server ] 
            end 

NOTES:

  • endpoint sbi : Configure the endpoint for the LI interface.

  • interface [ bfd | bgp | coa-nas | geo-external | geo-internal | gtpu | n4 | n7 | n10 | n11 | n16 | n40 | nrf | s2b | s5 | s5e | s8 | s11 | sxa | x1 | x2 ] : Specify the SBI interface for the configured endpoint.

  • mtls-enable [ true | false ] : Configure mTLS to provide transport layer encryption between the nodes for security compliance purposes. By default, the value of mtls-enable is configured to false.

  • certificate name [ clientCert | prem-server-cert | serverCert | x1client | x1server ] : Specify the alias name for the certificate from the available options. SMF uses the certificate name for HTTPS messages. The certificate name is used during the start-up of REST-EP pods to configure the SSL context and TLS handshake when messages are exchanged on the SBI interfaces.