SBA Gateway Security
SBA Gateway supports HTTP BASIC authentication and TLS Mutual Authentication.
HTTP BASIC Authentication
If you are using HTTP BASIC authentication, you must ensure that:
- The underlying transport mechanism is secure (for example, by using TLS, which can be used without mutual authentication).
- The username/password is configured on the NF instances using a secure mechanism, such as Kubernetes Secrets.
To enable HTTP BASIC authentication, configure the gateway.security.basicAuth parameters. For more information, see the discussion about SBA Gateway configuration in this guide.
Figure 1 shows TLS used to secure the connection between the NF Consumer and SBA Gateway.
SBA Gateway checks every incoming request for the following header:
Authorization: Basic <Base64 Encoded username:password>
If the credentials match, SBA Gateway allows the request to proceed. If the credentials do not match, a 401 Unauthorized response is sent.
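The header check described above, sketched in Python as an added example. This is not SBA Gateway's own code: the function names and the sample credentials are constructed for illustration. Treating a missing or malformed header as a failed match is an assumption, since this section only describes the match and no-match cases.

```python
import base64
import binascii
import hmac

def basic_header(username, password):
    """Consumer side: build the Authorization header value."""
    token = base64.b64encode(f"{username}:{password}".encode("utf-8"))
    return "Basic " + token.decode("ascii")

def parse_basic_header(value):
    """Return (username, password) from a header value, or None if malformed."""
    if not value:
        return None
    scheme, _, token = value.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    # Split on the first ':' only; the password itself may contain ':'.
    username, sep, password = decoded.partition(":")
    if not sep:
        return None
    return username, password

def check_request(headers, expected_user, expected_password):
    """Return 200 if the request may proceed, 401 otherwise."""
    creds = parse_basic_header(headers.get("Authorization"))
    if creds is None:
        return 401  # assumption: absent or malformed header counts as no match
    # Constant-time comparisons; both run regardless of the first result.
    user_ok = hmac.compare_digest(creds[0].encode(), expected_user.encode())
    pass_ok = hmac.compare_digest(creds[1].encode(), expected_password.encode())
    return 200 if (user_ok & pass_ok) else 401

# Constructed sample credentials, not values from any real deployment.
SAMPLE_USER, SAMPLE_PASSWORD = "nf-consumer", "s3cr3t:with-colon"

if __name__ == "__main__":
    ok = {"Authorization": basic_header(SAMPLE_USER, SAMPLE_PASSWORD)}
    bad = {"Authorization": basic_header(SAMPLE_USER, "wrong")}
    print(check_request(ok, SAMPLE_USER, SAMPLE_PASSWORD))
    print(check_request(bad, SAMPLE_USER, SAMPLE_PASSWORD))
    print(check_request({}, SAMPLE_USER, SAMPLE_PASSWORD))
```

Base64 is an encoding, not encryption, so the header value is only as confidential as the TLS connection carrying it.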
TLS Mutual Authentication
When TLS Mutual Authentication is enabled, a secure private root key is used to sign the certificates used by the NF producers and consumers. The root public certificate is pre-installed on all NF instances. If TLS mAuth is enabled, SBA Gateway allows an incoming connection only if it receives a certificate that it can validate against the root certificate. Figure 2 shows the TLS mAuth exchange in a sample public key infrastructure (PKI) deployment.
To enable TLS Mutual Authentication, configure the gateway.security.tls parameters as defined in the Configuration section.
For TLS mAuth configuration, SBA Gateway requires that the correct keys and certificates are installed in a Keystore and Truststore.