Content for TS 33.122 Word version: 18.4.0
6.6 Security procedures for CAPIF-3/4/5 reference points
6.7 Security procedures for updating security method
6.8 Security procedure for API invoker offboarding
6.9 Security procedures for CAPIF-7/7e reference points
6.10 Security procedures for CAPIF-3e/4e/5e reference points
...
...
6.6 Security procedures for CAPIF-3/4/5 reference points p. 21
To ensure security of the interfaces between CAPIF entities within a trusted domain, namely CAPIF-3, CAPIF-4, CAPIF-5:
- TLS shall be used to provide integrity protection, replay protection and confidentiality protection. The support of TLS is mandatory. Security profiles for TLS implementation and usage shall follow the provisions given in TS 33.310, Annex E.
- Certificate based mutual authentication shall be performed between the CAPIF entities using TLS. Certificate based authentication shall follow the profiles given in clauses 6.1.3a and 6.1.4a of TS 33.310. The structure of the PKI used for the certificate is out of scope of the present document.
6.7 Security procedures for updating security method p. 21
As specified in TS 23.222, the CAPIF core function shall receive updates to AEF authentication and authorization method from API publishing function. In case that the AEF updates its authentication and authorization method and API invoker uses the old authentication and authorization method to invoke the service API, the AEF shall send a failure response to the API invoker with an indicator that indicates the authentication and authorization method used by the API invoker is incorrect. The API invoker shall contact the CAPIF core function to get the updated authentication and authorization method. Then the API invoker shall invoke the service API using the updated authentication and authorization method.
6.8 Security procedure for API invoker offboarding p. 21
Pre-conditions:
- The API invoker has been onboarded successfully.
Step 0.
TLS session is established successfully between the CAPIF core function and the API invoker.
Step 1.
An event occurs within the API invoker to trigger the offboarding action.
Step 2.
The API invoker shall send Offboard API invoker request message to the CAPIF core function, including the CAPIF core function specific API invoker ID which was assigned by the CAPIF core function during the onboarding procedure.
Step 3.
The CAPIF core function shall verify the API invoker ID received in step 2 and check that the corresponding profile exists for this API invoker. With successful verification of the API invoker ID and its profile, the CAPIF core function shall cancel the enrolment of the API invoker and delete the API invoker profile. This includes deletion of API invoker certificate, service API authentication and authorization information, and onboard secret (if applicable). Depending on the operator policy, the CAPIF core function may retain the information of the offboarded API invoker.
Step 4.
The CAPIF core function sends Offboard API invoker response message, indicating the successful offboarding of the API invoker.
Step 5.
The API invoker shall delete the information, such as API invoker ID, Service API authentication / authorization information, API invoker certificate, Onboard_Secret (if applicable).
Step 6.
The CAPIF core function shall tear down the TLS session with the API invoker.
Step 7.
The CAPIF core function shall send Event notification message to the API exposing function to indicate that this API invoker is no longer valid.
Step 8.
The API exposing function shall delete the security related information associated with this API invoker depending on the method that was used previously to authenticate the API invoker, e.g. AEF PSK (TLS-PSK method as described in subclause 6.5.2.1), root certificate to validate the API invoker certificate (PKI method as described in subclause 6.5.2.2), access token (OAuth 2.0 method as described in subclause 6.5.2.3 of the present document, respectively).
Step 9.
The API exposing function shall tear down the TLS connection with the API invoker.
Step 10.
The API exposing function shall return Event notification acknowledge message to indicate that the security related information associated with this API invoker is successfully deleted and thus the API invoker no longer an acknowledged user.
6.9 Security procedures for CAPIF-7/7e reference points |R16| p. 23
To ensure security of the interfaces between API Exposing functions (Topology hiding entities and destination AEF handling service APIs), namely CAPIF-7 and CAPIF-7e:
- Security procedures as specified in clause 6.4 of this specification for CAPIF-2 reference point shall be used for secure communication, authentication and authorization, between the AEFs belonging to same trust domain over CAPIF-7 reference point.
- Security procedures as specified in the clause 6.5 of this specification for CAPIF-2e reference point shall be used for secure communication, authentication and authorization, between the AEFs belonging to different trust domains over CAPIF-7e reference point.
6.10 Security procedures for CAPIF-3e/4e/5e reference points |R16| p. 23
To ensure security of the interfaces between CAPIF entities between different trusted domains (CCF domain and API Provider Domain), namely CAPIF-3e, CAPIF-4e, and CAPIF-5e:
- 3GPP TS 33.210 shall be applied to secure messages on the reference points specified otherwise; and
- 3GPP TS 33.310 may be applied regarding the use of certificates with the security mechanisms of TS 33.210 unless otherwise specified in the present document.
