mTLS on SBA Interfaces

Feature Summary and Revision History

Summary Data

Table 1. Summary Data
Applicable Product(s) or Functional Area | PCF
Applicable Platform(s)                   | SMI
Feature Default Setting                  | Disabled – Configuration required to enable
Related Documentation                    | Not Applicable

Revision History

Table 2. Revision History
Revision Details  | Release
First introduced. | 2022.04.0

Feature Description

PCF supports Hypertext Transfer Protocol (HTTP) over Transport Layer Security (TLS) on the Service Based Interfaces (SBI) that it provides. PCF supports TLS client authentication for NF consumers (SMF, AF) and authenticates itself to NFs (CHF, UDR, NRF).

Enabling and disabling mTLS: PCF provides a configuration option to enable or disable TLS client authentication for REST server endpoints when using HTTPS.

Certificate configuration: PCF is configured with a single certificate that is enabled for both server authentication and client authentication. When mTLS is enabled, PCF uses the same certificate for client authentication.
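Because one certificate serves both roles, its Extended Key Usage has to permit server and client authentication. The following Go sketch is an added example, not Cisco or PCF code: it checks a certificate for both usages, using a constructed self-signed certificate with the hypothetical subject pcf.example.invalid; dualUse, must and sampleCert are names introduced here.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// dualUse reports which TLS roles the certificate's Extended Key Usage permits.
func dualUse(c *x509.Certificate) (server, client bool) {
	if len(c.ExtKeyUsage) == 0 && len(c.UnknownExtKeyUsage) == 0 {
		return true, true // no EKU extension: usage is unrestricted
	}
	for _, u := range c.ExtKeyUsage {
		server = server || u == x509.ExtKeyUsageServerAuth || u == x509.ExtKeyUsageAny
		client = client || u == x509.ExtKeyUsageClientAuth || u == x509.ExtKeyUsageAny
	}
	return server, client
}

func must[T any](v T, err error) T { // panic on setup errors in this example
	if err != nil {
		panic(err)
	}
	return v
}

// sampleCert builds a constructed self-signed certificate (not a real PCF one).
func sampleCert(ekus ...x509.ExtKeyUsage) *x509.Certificate {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	t := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "pcf.example.invalid"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		ExtKeyUsage:  ekus,
	}
	der := must(x509.CreateCertificate(rand.Reader, t, t, &key.PublicKey, key))
	return must(x509.ParseCertificate(der))
}

func main() {
	s, c := dualUse(sampleCert(x509.ExtKeyUsageServerAuth))
	fmt.Printf("server-only certificate: serverAuth=%v clientAuth=%v\n", s, c)
}
```

A certificate that reports clientAuth=false works for the HTTPS server role but is liable to be rejected by peers that enforce Extended Key Usage when it is presented for client authentication.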

How it Works

This section describes how this feature works.

Standards Compliance

This feature complies with the following standards specifications:

  • 3GPP 29.510 "Network function repository services"

  • 3GPP 33.310 "Network Domain Security (NDS), Authentication Framework (AF)"

  • 3GPP 33.501 "Security architecture and procedures for 5G system"

Feature Configuration

To configure this feature, use the following configuration:

Configuring mTLS for REST Endpoints Using HTTPS

config 
   rest-endpoint mTLS [true|false] 
   end 

NOTES:

  • rest-endpoint mTLS [true | false] — Specifies whether mTLS is enabled for the REST endpoint. The default value is false.


Note: PCF does not support simultaneous enablement of HTTP and HTTPS on SBI interfaces. PCF is configured with either HTTP or HTTPS, because the URI scheme setting for the REST endpoint is global.