Home
MATRIXX Security
Network Security
Network zones are stacked with increasing proximity to the open internet or DMZ. Each zone is traversed by ingress and egress points through an application or server, with appropriate authentication and authorization for connecting system traffic.
RS Gateway Security
RS Gateway uses Spring Security to authenticate clients using login ID and password credentials.
OAuth 2.0 Authentication
RS Gateway can authenticate clients (such as customer relationship management (CRM) software) with single sign-on using OAuth 2.0. The information here describes a generic implementation. For information about OAuth 2.0 and third-party identity and access management applications, see the discussion about OAuth 2.0 identity and access management.
OAuth 2.0 Authorization Errors
The following information describes the errors that can occur during OAuth 2.0 authorization.

Welcome
MATRIXX Release Notes
MATRIXX Architecture
MATRIXX Installation and Upgrade
MATRIXX Configuration
MATRIXX Security
- About MATRIXX Security
- Introduction to MATRIXX Cloud Native Security
  The information in MATRIXX Security is best-practice information and identifies MATRIXX-specific security considerations and implementations. For container-specific and Kubernetes security information, see the third-party documentation.
- Cloud Native Security
  The information here addresses cloud native security and includes recommendations for securing your cloud native implementation.
- Managing Certificates
  MATRIXX uses certificates signed by a trusted certificate authority, or validated by other means, to establish secure communications with another party with the corresponding private key.
- Enabling Transport Layer Security
  Transport Layer Security (TLS) provides secure internet connections by encrypting data sent between a browser, a website, and the website server to ensure that data is transmitted privately.
- Network Security
  Network zones are stacked with increasing proximity to the open internet or DMZ. Each zone is traversed by ingress and egress points through an application or server, with appropriate authentication and authorization for connecting system traffic.
  - MATRIXX Gateway Proxy
    MATRIXX includes Gateway Proxy that acts as a secure entry point for all network traffic that is not the result of subscriber usage. It sits between external applications and the Traffic Routing Agent (TRA).
  - RS Gateway Security
    RS Gateway uses Spring Security to authenticate clients using login ID and password credentials.
    - RS Gateway Basic Authentication
      When RS Gateway is configured not to accept anonymous requests, clients must send a login request with a username and password.
    - OAuth 2.0 Authentication
      RS Gateway can authenticate clients (such as customer relationship management (CRM) software) with single sign-on using OAuth 2.0. The information here describes a generic implementation. For information about OAuth 2.0 and third-party identity and access management applications, see the discussion about OAuth 2.0 identity and access management.
      - Configure OAuth 2.0 Security
        OAuth 2.0 is an authorization framework that uses authorization tokens to access HTTP resources. OAuth 2.0 can be used to check if a client can access RS Gateway in a distributed system by passing signed tokens with every request. Configure OAuth 2.0 security to enable single sign-on with an authorization server.
      - OAuth 2.0 Authorization Errors
        The following information describes the errors that can occur during OAuth 2.0 authorization.
    - URL Authorization
      Out-of-the-box, RS Gateway supports Create, Read, Update, and Delete authentication (CRUD-based authorization) using CRUD-based permissions on the RS Gateway APIs.
    - Add RS Gateway Users
      Unless anonymous access is enabled, all RS Gateway clients must be defined in rsgateway_users.yaml.
    - Configure Token Authentication
      You can configure customer-specific API keys to authenticate third-party applications with RS Gateway.
    - Configure RS Gateway for LDAP Authentication
      This example demonstrates a simple LDAP authentication for RS Gateway.
    - Use Kubernetes Secrets for RS Gateway TLS Certificates
      A TLS certificate can be retrieved from a Kubernetes secret and the certificate is automatically extracted, a keystore is generated, and the contents are added to the /sync/certs directory.
    - RS Gateway application.yaml Properties
      RS Gateway configuration is provided in YAML files.
    - RS Gateway Connection Properties
      You must configure RS Gateway to connect to the Gateway Proxy. Define these properties in a properties file (for example, rsgateway-site.yaml).
    - User Authentication and Password Management
      Use the /service/user service APIs to set, verify, and modify a user password.
  - Business API Gateway Security
    The Business API Gateway is a development framework that includes the Business API SDK, Rest Services Gateway (RS Gateway), Gateway Proxy, and application tier. It allows custom mobile applications, Web clients, and other custom implementations to integrate with MATRIXX.
  - SBA Gateway Security
    SBA Gateway supports TLS Mutual Authentication.
  - TMF Gateway Security
    TMF Gateway supports HTTP authentication through a configurable authorization URL.
  - TRA Security
    This section describes the general security configuration requirements for Traffic Routing Agent (TRA). These security requirements apply when virtual servers are defined and specified as secured.
  - Self-Signed Certificate Detection and Handling
    While self-signed certificates can be used in controlled environments such as internal testing, because they are not verified by a trusted certificate authority (CA) they must not be used in production environments. If the use of a self-signed certificate is intentional, such as for testing purposes, the MDC Gateway and Traffic Routing Agent (TRA) components include ways to override default handling.
  - Network Security Checklist
    The following is a list of best practices for network design and configuration.
- Application Security
  Application security includes configuring web applications and gateways.
- Database Security
  Depending on your MATRIXX environment, you can use multiple external databases.
- OAuth 2.0 Identity and Access Management
  MATRIXX supports third-party identity and access management application integration.
MATRIXX Integration
MATRIXX Diameter Integration
MATRIXX Call Control Framework Integration
MATRIXX TM Forum Integration
MATRIXX 5G Integration
MATRIXX 5G Event Streaming
MATRIXX Event Streaming
MATRIXX Administration
MATRIXX Web App Administration
MATRIXX Monitoring and Logging
MATRIXX Policy
MATRIXX Kafka CDR Consumer
MATRIXX Pricing and Rating
MATRIXX Pay Now
MATRIXX Subscriber Management
MATRIXX Subscriber Management API
MATRIXX Business API SDK
My MATRIXX Help
MATRIXX Backoffice Customer Tool Help
MATRIXX Third-Party Licenses
Glossary

OAuth 2.0 Authorization Errors

The following information describes the errors that can occur during OAuth 2.0 authorization.

OAuth 2.0 Authorization Errors describes the OAuth 2.0 authorization errors.

Table 1. OAuth 2.0 Authorization Errors
ERROR	DESCRIPTION
Internal Server Error	Returns a 500 error code. This error occurs when the issuer cannot be reached. The log includes the following: `org.springframework.security.oauth2.jwt.JwtDecoderInitializationException: Failed to lazily resolve the supplied JwtDecoder instance.`
invalid_request	The request is missing a required parameter, includes an invalid parameter value, or is otherwise malformed. One of the following errors. HTTPS is required. HTTP GET is required. HTTP POST is required. The `code_challenge` value was invalid, such as not being base64 encoded. Flow does not support and did not expect a `code_challenge` parameter. Out-of-band is not supported. The JSON Web Token (JWT) bearer and SAML assertion bearer flows require a `refresh_token` scope. Install and preauthorize the app. For the device flow, the device code specified in the polling request is invalid. For the username-password flow, the `scope` parameter isn’t supported. For the refresh token flow, the secret type is not supported.
invalid_scope	The requested scope is invalid, unknown, or malformed.
invalid_token	Occurs in the following situations with the indicated message: When the JWT token was encoded with a key that the issuer is not currently using: "An error occurred while attempting to decode the JWT: Signed JWT rejected: Another algorithm expected, or no matching key(s) found." The JWT token is expired: "An error occurred while attempting to decode the JWT: JWT expired at `<timestamp>`." The JWT token is malformed: "An error occurred while attempting to decode the JWT: Malformed payload." In all cases, the issuer can be reached but the token is bad.
server_error	The authorization server encountered an unexpected condition which prevented it from fulfilling the request.
temporarily_unavailable	The authorization server is currently unable to handle the request due to a temporary overloading or maintenance of the server.
unauthorized_client	The client is not authorized to request an authorization code using this method.
unsupported_response_type	The authorization server does not support obtaining an authorization code using this method.