Home
MATRIXX 5G Integration
SBA Gateway Security
SBA Gateway supports HTTP BASIC authentication and TLS Mutual Authentication.

Welcome
Release Notes
Architecture Overview
MATRIXX Cloud Native Installation and Configuration
MATRIXX Cloud Native Integration
Implementing MATRIXX in a Cloud
Installation and Configuration
MATRIXX Digital Commerce Upgrade
MATRIXX Security
MATRIXX Engine Administration
MATRIXX Web App Administration
MATRIXX Engine Integration
Call Control Framework Integration
MATRIXX Diameter Integration
MATRIXX 5G Integration
- About MATRIXX 5G Integration
  MATRIXX 5G Integration provides an architectural overview of how to integrate your 5G core network with the MATRIXX Digital Commerce platform. This guide also provides descriptions for the Service-Based Architecture (SBA) Gateway and messaging. In addition, this document provides information about security configuration (secured and not secured).
- 5G Standards
  MATRIXX Digital Commerce includes support for Diameter (CS networks supported with CAMEL Gateway) and SBA interface standards on a single platform.
- MATRIXX SBA Gateway Overview
  MATRIXX 5G Integration provides information about integrating MATRIXX Digital Commerce with 5G network consumers using MATRIXX Service Based Architecture (SBA) Gateway and messaging services. Upgrades and version pinning are also covered.
- Installing MATRIXX SBA Gateway
  For information about installing 5G network functions in an installation with Docker and Kubernetes, see the discussion about installing Docker in MATRIXX Cloud Native Installation and Upgrade.
- Administering the SBA Gateway
  You administer the SBA Gateway by configuring its logging and monitoring features.
- Configuring SBA Gateway
  Common Service-Based Architecture (SBA) configuration, CHF configuration, overriding default configuration options, and mapping configuration are discussed below.
- 5G Event Streaming
  SBA Gateway uses Kafka to stream HTTP requests and MATRIXX Engine HTTP responses to a Kafka broker. SBA Gateway 5G Events applications convert the received JSON to the ASN.1 binary format for export to Kafka applications.
- Creating a Mapping Configuration
  The following documentation provides information on how to create a mapping configuration. For a list of MATRIXX-supported 5G messages mappings from MDC to OpenAPI, see the discussion about MATRIXX 5G message mapping.
- SBA Gateway Security
  SBA Gateway supports HTTP BASIC authentication and TLS Mutual Authentication.
  - Public Key Infrastructure for TLS/OAuth
    The following instructions provide examples of how to configure a Public Key Infrastructure (PKI) for use with SBA Gateway network functions.
- API for 5G Integration
  The URI, mapping, and OpenAPI specification are configurable, and only the HTTP method and mapping filename are not.
- Throttling
  SBA Gateway can be throttled to protect the platform against overload conditions.
- Appendixes
MATRIXX Monitoring and Logging
Pricing and Rating
MATRIXX Pay Now
MATRIXX Policy
MATRIXX Event Streaming
Subscriber Management
Subscriber Management (SubMan) API
MATRIXX Business API SDK
My MATRIXX Help
MATRIXX Backoffice Customer Tool Help
Third-Party Licenses
Glossary

SBA Gateway Security

SBA Gateway supports HTTP BASIC authentication and TLS Mutual Authentication.

HTTP BASIC Authentication

Note: The 5GC specifications recommend TLS Mutual Authentication.

If you are using HTTP BASIC authentication, you must ensure that:

The underlying transport mechanism is secure (for example using TLS, which can be used without mutual authentication).
The username/password is configured on the NF instances using a secure mechanism, such as Kubernetes Secrets.

To enable HTTP BASIC authentication, configure the gateway.security.basicAuth parameters. For more information, see the discussion about SBA Gateway configuration in this guide.

Figure 1 shows TLS used to secure the connection between the NF Consumer and SBA Gateway.

TLS is used to secure the connection between the NF and SBA Gateway. — Figure 1. TLS Flow for NF and SBA Gateway

Note: The username and password are not encrypted in HTTP BASIC.

SBA Gateway checks every incoming request for the following header:

Authorization: Basic <Base64 Encoded username:password>

If the credentials match, SBA Gateway allows the request to proceed. If the credentials do not match, a 401 Unauthorized response is sent.

Note: This behavior can be disabled if another transport security mechanism is in place.

TLS Mutual Authentication

When TLS Mutual Authentication is enabled, a secure private root key is used to sign certificates used by the NF producers and consumers. The root public certificate is pre-installed on all NF instances. If TLS mAuth is enabled, SBA Gateway only allows an incoming connection if it receives a certificate that it can validate against the root certificate. Figure 2 shows TLS mAuth exchange in a sample public key infrastructure (PKI) deployment.

A secure private root key is used to sign certificates used by the NF producers and consumers — Figure 2. Example Public Key Infrastructure (PKI)

To enable TLS Mutual Authentication, configure the gateway.security.tls parameters as defined in the Configuration section.

For TLS mAuth configuration, SBA Gateway requires that the correct keys and certificates are installed in a Keystore and Truststore.