Security Properties

Table 1, Security-Related Configuration Properties, describes the properties that control SBA Gateway security.

Table 1. Security-Related Configuration Properties

gateway.security.basicAuth.enabled
  When set to true, enables basic authentication for access to services in the gateway. Define a username and password, which the AuthProvider matches against a username and password defined in a map. The default value is false.

gateway.security.basicAuth.username
  When gateway.security.basicAuth.enabled is set to true, specifies the username that the AuthProvider matches against the username defined in a map.

gateway.security.basicAuth.password
  When gateway.security.basicAuth.enabled is set to true, specifies the password that the AuthProvider matches against the password defined in a map.

gateway.security.tls.enabled
  When set to true, enables Transport Layer Security (TLS), that is, HTTP over SSL/TLS. The default value is false, as in the gateway.yaml excerpt below.

gateway.security.tls.host
  The interface on which to listen for incoming secure connections.

gateway.security.tls.port
  The secure HTTP port. Setting the port to 0 also disables TLS, regardless of gateway.security.tls.enabled.

gateway.security.tls.securityType
  Specifies whether a certificate file or a Java key store is used for HTTPS connections. The default value is keyStore.

gateway.security.tls.keystore.type
  When gateway.security.tls.securityType is set to keyStore, specifies the type of the key store containing the signed network function certificate. SBA Gateway looks for the key store path in the file system first, then on the classpath. The default value is JKS.

gateway.security.tls.keystore.password
  The key store password.

gateway.security.tls.keystore.path
  The path to the key store. The default value is /opt/mtx/conf/keystore/keystore.jks.

gateway.security.tls.truststore.type
  The type of the trust store containing the root certificate. The default value is JKS.

gateway.security.tls.truststore.password
  The trust store password.

gateway.security.tls.truststore.path
  The path to the trust store. The default value is /opt/mtx/conf/keystore/truststore.jks.

gateway.security.tls.cert.certPath
  The path to the certificate. The default value is /opt/mtx/conf/keystore/cert.crt.

gateway.security.tls.cert.keyPath
  The path to the key. The default value is /opt/mtx/conf/keystore/cert.key.

gateway.security.tls.trustcert.certPath
  The path to the certificate in the trust store. The default value is /opt/mtx/conf/keystore/trustcert.crt.

gateway.security.tls.trustcert.keyPath
  The path to the key in the trust store. The default value is /opt/mtx/conf/keystore/cert.key.

gateway.security.tls.mutualAuth.enabled
  When set to true, two-way (mutual) TLS authentication is enabled. The default value is true.

gateway.security.tls.insecure
  When set to true, all TLS certificates are trusted. The default value is false.
  Note: Trusting all TLS certificates must be used in testing environments only.

gateway.security.oauth.enabled
  When set to true, enables OAuth. If OAuth is enabled and configured to expect tokens signed with RSA keys, the network function tries to verify a token using a certificate, normally the certificate of the NRF. The network function finds the certificate used for token verification by looking in the configured key store for the configured alias. The default value is false.

gateway.security.oauth.jwtSigningKeyType
  Specifies whether to use a pre-shared secret (HMAC) or a public/private key pair (RSA). The default value is HMAC.

gateway.security.oauth.hmac.key
  The pre-shared secret. Must be at least 32 bytes long.

gateway.security.oauth.hmac.type
  The secret type, either PLAIN or base64. The default value is PLAIN.

gateway.security.oauth.keystore.type
  The type of the OAuth key store containing the OAuth secret. The default value is JKS.

gateway.security.oauth.keystore.path
  The path to the OAuth key store. The network function looks for this path in the file system first, then on the classpath. The default value is /opt/mtx/conf/keystore/truststore.jks.

gateway.security.oauth.keystore.password
  The OAuth key store password.

gateway.security.oauth.keystore.nrfCertAlias
  The NRF certificate alias. The alias parameter passed to the keytool command must match this value. The default value is nrf.

gateway.security.oauth.keystore.nrfCertSubjectMatch
  The RDN field in the certificate subject to match against the issuer of an access token. The default value is CN.

gateway.security.oauth.certificate.keyPath
  The path to the OAuth certificate key. The default value is /opt/mtx/conf/keystore/cert.key.

gateway.security.oauth.certificate.nrfCertAlias
  The OAuth NRF certificate alias. The default value is nrf.

gateway.security.oauth.certificate.algorithm
  The OAuth certificate algorithm. The default value is RSA.

gateway.security.oauth.allowedNfInstanceIds
  A list of allowed NF instance IDs.
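As an added example (not MATRIXX code), the following stdlib-only Python shows what a verifier has to do with gateway.security.oauth.hmac.key, oauth.hmac.type and oauth.allowedNfInstanceIds when jwtSigningKeyType is HMAC: decode the secret according to its type, refuse a key shorter than the required 32 bytes, pin the algorithm, compare the signature in constant time, and accept only consumers on the allow-list. The page does not describe the token format, so these are assumptions of the example: the token is an RFC 7519 JWT signed with HS256, the consumer NF instance ID travels in the sub claim (as in 3GPP TS 29.510), and all function names, the sample NF instance ID and the sample secret are constructed here.

```python
"""Verify an HS256 OAuth access token with the gateway's pre-shared secret.

Added example, not MATRIXX code. Claim layout (sub = consumer NF instance
ID, exp = expiry) is assumed from RFC 7519 / 3GPP TS 29.510.
"""
import base64
import hashlib
import hmac
import json
import time

# The page's "at least 32 bytes"; HS256 keys must be >= 256 bits (RFC 7518 3.2).
MIN_HMAC_KEY_BYTES = 32


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def load_hmac_key(key: str, key_type: str = "PLAIN") -> bytes:
    """Decode oauth.hmac.key per oauth.hmac.type (PLAIN or base64) and enforce the minimum length."""
    raw = base64.b64decode(key, validate=True) if key_type.lower() == "base64" else key.encode("utf-8")
    if len(raw) < MIN_HMAC_KEY_BYTES:
        raise ValueError(f"HMAC key is {len(raw)} bytes; at least {MIN_HMAC_KEY_BYTES} required")
    return raw


def sign_hs256(claims: dict, key: bytes) -> str:
    """Build a compact JWS; used here only to construct sample tokens the way an issuer would."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"


def verify_token(token: str, key: bytes, allowed_nf_instance_ids, now=None) -> dict:
    """Return the claims if algorithm, signature, expiry and allow-list checks pass; raise ValueError otherwise."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("token is not a three-part compact JWS")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    # Pin the algorithm to the configured key type; never let the token choose it.
    if header.get("alg") != "HS256":
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("signature mismatch")
    claims = json.loads(b64url_decode(payload_b64))
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    if claims.get("sub") not in allowed_nf_instance_ids:
        raise ValueError(f"NF instance {claims.get('sub')!r} is not in allowedNfInstanceIds")
    return claims


def rejects(token: str, key: bytes, allowed_nf_instance_ids, now) -> bool:
    """True when verify_token refuses the token."""
    try:
        verify_token(token, key, allowed_nf_instance_ids, now=now)
        return False
    except ValueError:
        return True


def demo():
    """Constructed round trip: a token from a listed consumer passes, one from an unlisted consumer fails."""
    key = load_hmac_key("secret_that_must_be_at_least_32_bytes_long", "PLAIN")
    allowed = ["6faf1bbc-6e4a-4454-a507-a14ef8e1bc5c"]  # constructed NF instance ID
    now = 1_700_000_000
    good = sign_hs256({"iss": "nrf", "sub": allowed[0], "exp": now + 600}, key)
    bad = sign_hs256({"iss": "nrf", "sub": "unlisted-nf", "exp": now + 600}, key)
    return verify_token(good, key, allowed, now=now)["sub"], rejects(bad, key, allowed, now)


if __name__ == "__main__":
    print(demo())
```

The decode step matters because the 32-byte minimum applies to the decoded secret: a base64 string that is 44 characters long may decode to far fewer bytes, and a PLAIN secret is measured as UTF-8 bytes.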

The following gateway.yaml excerpt shows the common configuration default values (where defaults exist) for these properties:

# Settings Related to the SBA Gateway on which a Network Function runs
gateway:

  security:

    # HTTP Basic Authentication Settings
    basicAuth:
      enabled: false
      username: username
      password: password

    # Transport Layer Security (TLS) i.e. HTTP / SSL
    tls:
      enabled: false
      # Interface on which to listen for incoming secure connections
      host: 0.0.0.0
      # Secure port
      # Setting to zero will also disable TLS (takes precedence over enabled)
      port: 9099
      # Defines if we will be loading a cert or java key store for https
      securityType: keyStore
      # Key store containing signed Network Function certificate.
      # NOTE: SBA will look for this path on the filesystem first. If it is not found it will search the classpath.
      keystore:
        type: JKS
        path: /opt/mtx/conf/keystore/keystore.jks
        password: password
      # Trust store containing Root Certificate.
      truststore:
        type: JKS
        path: /opt/mtx/conf/keystore/truststore.jks
        password: password
      # Certificate and private key files for the signed Network Function certificate.
      # NOTE: SBA will look for this path on the filesystem second. If it is not found it will search the classpath.
      cert:
        certPath: /opt/mtx/conf/keystore/cert.crt
        keyPath: /opt/mtx/conf/keystore/cert.key
      trustcert:
        certPath: /opt/mtx/conf/keystore/trustcert.crt
        keyPath: /opt/mtx/conf/keystore/trustcert.key
      # Is TLS mutual authentication enabled
      mutualAuth:
        enabled: true

      # Should all TLS certificates be trusted? (insecure - for testing only)
      insecure: false

    # OAuth
    oauth:
      enabled: false
      # HMAC/RSA - Use a pre-shared secret or public/private key pair
      jwtSigningKeyType: HMAC
      hmac:
        key: secret_that_must_be_at_least_32_bytes_long
        type: PLAIN # plain/base64
      # NOTE: SBA will look for this path on the filesystem first. If it is not found it will search the classpath.
      keystore:
        type: JKS
        path: /opt/mtx/conf/keystore/truststore.jks
        password: password
        nrfCertAlias: nrf
        # Which RDN field in the certificate subject to match against
        # the issuer of an access token (CommonName by default)
        nrfCertSubjectMatch: CN
      certificate:
        keyPath: /opt/mtx/conf/keystore/cert.key
        nrfCertAlias: nrf
        algorithm: RSA
      # List of allowed NF instance IDs
      allowedNfInstanceIds: []
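The following Python is an added example, not part of MATRIXX or its configuration: a small audit that loads a gateway.yaml and reports settings that weaken the security section described in Table 1 and the excerpt above (TLS disabled or port 0, insecure trust, mutual authentication off, placeholder passwords, an HMAC secret shorter than 32 bytes once decoded, an empty NF instance allow-list). It uses its own minimal parser for the YAML subset the excerpt uses (nested mappings, scalars, comments, the empty list), so it runs without PyYAML; the sample configuration, the severity labels and all function names are constructed here, and the check on allowedNfInstanceIds only reports that the list is empty, since the page does not state what an empty list means.

```python
"""Audit the gateway.security section of a gateway.yaml for weak settings.

Added example, not MATRIXX code. The parser covers only the YAML subset the
excerpt uses (nested mappings, scalar values, '#' comments, the empty list
'[]'); the checks follow the property descriptions in Table 1.
"""
import base64

# Constructed sample: the documented layout with several settings changed on
# purpose so that the audit produces findings.
SAMPLE_YAML = """\
gateway:
  security:
    basicAuth:
      enabled: true
      username: username
      password: password
    tls:
      enabled: true
      host: 0.0.0.0
      # Setting to zero will also disable TLS (takes precedence over enabled)
      port: 0
      securityType: keyStore
      keystore:
        type: JKS
        path: /opt/mtx/conf/keystore/keystore.jks
        password: password
      mutualAuth:
        enabled: false
      insecure: true
    oauth:
      enabled: true
      jwtSigningKeyType: HMAC
      hmac:
        key: c2hvcnQ=   # base64 for "short": only 5 bytes once decoded
        type: base64
      allowedNfInstanceIds: []
"""


def parse_simple_yaml(text):
    """Parse the indentation-based mapping subset used by gateway.yaml.

    Values stay strings ('[]' becomes an empty list); a '#' anywhere starts a
    comment, so this is deliberately not a general YAML parser.
    """
    root = {}
    stack = [(-1, root)]  # (indent, mapping) for each open nesting level
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip(" "))
        key, _, value = line.strip().partition(":")
        value = value.strip()
        while indent <= stack[-1][0]:  # close deeper and sibling levels
            stack.pop()
        parent = stack[-1][1]
        if value == "":
            parent[key] = {}
            stack.append((indent, parent[key]))
        elif value == "[]":
            parent[key] = []
        else:
            parent[key] = value
    return root


def _true(value):
    return str(value).lower() == "true"


def hmac_key_bytes(key, key_type="PLAIN"):
    """Decode oauth.hmac.key as oauth.hmac.type says (PLAIN or base64)."""
    if str(key_type).lower() == "base64":
        return base64.b64decode(key, validate=True)
    return str(key).encode("utf-8")


def audit_security(config):
    """Return (severity, message) findings for gateway.security."""
    sec = config.get("gateway", {}).get("security", {})
    basic, tls, oauth = (sec.get(k, {}) for k in ("basicAuth", "tls", "oauth"))
    findings = []
    if _true(basic.get("enabled")) and basic.get("password") in (None, "", "password"):
        findings.append(("HIGH", "basicAuth is enabled with the placeholder password"))
    if not _true(tls.get("enabled")):
        findings.append(("HIGH", "tls.enabled is false: the gateway serves plaintext HTTP"))
    elif str(tls.get("port")) == "0":
        findings.append(("HIGH", "tls.port is 0, which disables TLS regardless of tls.enabled"))
    if _true(tls.get("insecure")):
        findings.append(("HIGH", "tls.insecure trusts every certificate (testing only)"))
    if not _true(tls.get("mutualAuth", {}).get("enabled")):
        findings.append(("MEDIUM", "tls.mutualAuth.enabled is false: clients present no certificate"))
    for store in ("keystore", "truststore"):
        if tls.get(store, {}).get("password") == "password":
            findings.append(("MEDIUM", f"tls.{store}.password is the placeholder value"))
    if _true(oauth.get("enabled")):
        if str(oauth.get("jwtSigningKeyType", "HMAC")).upper() == "HMAC":
            hm = oauth.get("hmac", {})
            try:
                n = len(hmac_key_bytes(hm.get("key", ""), hm.get("type", "PLAIN")))
                if n < 32:
                    findings.append(("HIGH", f"oauth.hmac.key is {n} bytes; at least 32 are required"))
            except ValueError as exc:
                findings.append(("HIGH", f"oauth.hmac.key is not valid base64: {exc}"))
        if not oauth.get("allowedNfInstanceIds"):
            findings.append(("MEDIUM", "oauth.allowedNfInstanceIds is empty: no consumer allow-list"))
    return findings


if __name__ == "__main__":
    for severity, message in audit_security(parse_simple_yaml(SAMPLE_YAML)):
        print(f"[{severity}] {message}")
```

Run against a real file with `audit_security(parse_simple_yaml(open("gateway.yaml").read()))`; an empty result means none of the listed weak settings is present, not that the deployment is secure, since the audit does not inspect the key store contents or the certificates themselves.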

For more information about these configuration properties, see the discussion about SBA Gateway security in MATRIXX Security.