sysmocom
/
open5gs
forked from acouzens/open5gs
11
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

[SBI] HTTP2-TLS verification - ConfFile Changed 

You should add the following configuration if you would not use TLS.

sbi:
    server:
      no_tls: true
    client:
      no_tls: true
This commit is contained in:
Sukchan Lee 2023-02-18 10:58:29 +09:00
parent 3e61c5984d
commit 05fbaf6958
33 changed files with 1986 additions and 897 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
configs/310014.yaml.in
View File

@ -2,13 +2,14 @@ db_uri: mongodb://localhost/open5gs
logger:
tls:
enabled: no
sbi:
server:
no_tls: true
cacert: @build_configs_dir@/open5gs/tls/ca.crt
key: @build_configs_dir@/open5gs/tls/testserver.key
cert: @build_configs_dir@/open5gs/tls/testserver.crt
client:
no_tls: true
cacert: @build_configs_dir@/open5gs/tls/ca.crt
key: @build_configs_dir@/open5gs/tls/testclient.key
cert: @build_configs_dir@/open5gs/tls/testclient.crt

5
configs/csfb.yaml.in
View File

@ -2,13 +2,14 @@ db_uri: mongodb://localhost/open5gs
logger:
tls:
enabled: no
sbi:
server:
no_tls: true
cacert: @build_configs_dir@/open5gs/tls/ca.crt
key: @build_configs_dir@/open5gs/tls/testserver.key
cert: @build_configs_dir@/open5gs/tls/testserver.crt
client:
no_tls: true
cacert: @build_configs_dir@/open5gs/tls/ca.crt
key: @build_configs_dir@/open5gs/tls/testclient.key
cert: @build_configs_dir@/open5gs/tls/testclient.crt

5
configs/non3gpp.yaml.in
View File

@ -2,13 +2,14 @@ db_uri: mongodb://localhost/open5gs
logger:
tls:
enabled: no
sbi:
server:
no_tls: true
cacert: @build_configs_dir@/open5gs/tls/ca.crt
key: @build_configs_dir@/open5gs/tls/testserver.key
cert: @build_configs_dir@/open5gs/tls/testserver.crt
client:
no_tls: true
cacert: @build_configs_dir@/open5gs/tls/ca.crt
key: @build_configs_dir@/open5gs/tls/testclient.key
cert: @build_configs_dir@/open5gs/tls/testclient.crt

203
configs/open5gs/amf.yaml.in
View File

@ -1,73 +1,91 @@
#
# logger:
#
# o Set OGS_LOG_INFO to all domain level
# - If `level` is omitted, the default level is OGS_LOG_INFO)
# - If `domain` is omitted, the all domain level is set from 'level'
# (Nothing is needed)
# (Default values are used, so no configuration is required)
#
# o Set OGS_LOG_ERROR to all domain level
# - `level` can be set with none, fatal, error, warn, info, debug, trace
# logger:
# level: error
#
# o Set OGS_LOG_DEBUG to mme/emm domain level
# logger:
# level: debug
# domain: mme,emm
#
# o Set OGS_LOG_TRACE to all domain level
# logger:
# level: trace
# domain: core,ngap,nas,gmm,sbi,amf,event,tlv,mem,sock
# domain: core,sbi,ausf,event,tlv,mem,sock
#
logger:
file: @localstatedir@/log/open5gs/amf.log
#
# tls:
# enabled: auto|yes|no
# - auto: Default. Use TLS only if key/cert is available
# - yes: Use TLS always;
# reject if no key/cert available
# - no: Don't use TLS if there is an key/cert available
# o TLS enable/disable
# sbi:
# server|client:
# no_tls: false|true
# - false: (Default) Use TLS
# - true: TLS disabled
#
# o Server-side Key and Certficiate
# o Verification enable/disable
# sbi:
# server|client:
# no_verify: false|true
# - false: (Default) Verify the PEER
# - true: Skip the verification step
#
# o Server-side does not use TLS
# sbi:
# server:
# key: /etc/open5gs/tls/amf.key
# cert: /etc/open5gs/tls/amf.crt
# no_tls: true
#
# o Client-side does not use TLS
# o Client-side skips the verification step
# sbi:
# client:
# enabled: no
# no_verify: true
# key: /etc/open5gs/tls/amf.key
# cert: /etc/open5gs/tls/amf.crt
#
# o Use the specified certificate to verify client
# o Use the specified certificate while verifying the client
# sbi:
# server
# cacert: /etc/open5gs/tls/ca.crt
#
# o Use the specified certificate to verify server
# o Use the specified certificate while verifying the server
# sbi:
# client
# cacert: /etc/open5gs/tls/ca.crt
#
tls:
enabled: no
sbi:
server:
no_tls: true
cacert: @sysconfdir@/open5gs/tls/ca.crt
key: @sysconfdir@/open5gs/tls/amf.key
cert: @sysconfdir@/open5gs/tls/amf.crt
client:
no_tls: true
cacert: @sysconfdir@/open5gs/tls/ca.crt
key: @sysconfdir@/open5gs/tls/amf.key
cert: @sysconfdir@/open5gs/tls/amf.crt
#
# amf:
#
# <SBI Server>
#
# o SBI Server(http://<all address available>:80)
# sbi:
# server:
# no_tls: true
# amf:
# sbi:
#
# o SBI Server(http://<any address>:7777)
# sbi:
# server:
# no_tls: true
# amf:
# sbi:
# - addr:
# - 0.0.0.0
@ -75,17 +93,17 @@ tls:
# port: 7777
#
# o SBI Server(https://<all address available>:443)
# tls:
# sbi:
# server:
# key: /etc/open5gs/tls/amf.key
# cert: /etc/open5gs/tls/amf.crt
# amf:
# sbi:
#
# o SBI Server(http://127.0.0.5:80, http://[::1]:80)
# tls:
# enabled: no
# o SBI Server(https://127.0.0.5:443, https://[::1]:443) without verification
# sbi:
# server:
# no_verify: true
# key: /etc/open5gs/tls/amf.key
# cert: /etc/open5gs/tls/amf.crt
# amf:
@ -94,29 +112,48 @@ tls:
# - addr: ::1
#
# o SBI Server(https://amf.open5gs.org:443)
# Use the specified certificate to verify client
# Use the specified certificate while verifying the client
#
# tls:
# sbi:
# server:
# cacert: /etc/open5gs/tls/ca.crt
# key: /etc/open5gs/tls/amf.key
# cert: /etc/open5gs/tls/amf.crt
# amf:
# sbi:
# - name: amf.open5gs.org
#
# o SBI Server(http://127.0.0.5:7777)
# sbi:
# server:
# no_tls: true
# amf:
# sbi:
# - addr: 127.0.0.5
# port: 7777
#
# o SBI Server(http://<eth0 IP address>:80)
# sbi:
# server:
# no_tls: true
# amf:
# sbi:
# - dev: eth0
#
# o Provide custom SBI address to be advertised to NRF
# sbi:
# server:
# no_tls: true
# amf:
# sbi:
# - dev: eth0
# advertise: open5gs-amf.svc.local
#
# o Another example of advertising on NRF
# sbi:
# server:
# no_tls: true
# amf:
# sbi:
# - addr: localhost
# advertise:
@ -127,6 +164,10 @@ tls:
# - tcp_nodelay : true
# - so_linger.l_onoff : false
#
# sbi:
# server:
# no_tls: true
# amf:
# sbi:
# addr: 127.0.0.5
# option:
@ -138,9 +179,11 @@ tls:
# <NF Service>
#
# o NF Service Name(Default : all NF services available)
# amf:
# service_name:
#
# o NF Service Name(Only some NF services are available)
# amf:
# service_name:
# - namf-comm
#
@ -148,12 +191,21 @@ tls:
#
# o (Default) If you do not set Query Parameter as shown below,
#
# sbi:
# server:
# no_tls: true
# amf:
# sbi:
# - addr: 127.0.0.5
# port: 7777
#
# - 'service-names' is included.
#
# o Service-Names are not included
# sbi:
# server:
# no_tls: true
# amf:
# sbi:
# - addr: 127.0.0.5
# port: 7777
@ -172,6 +224,10 @@ tls:
#
# o (Default) If you do not set Delegated Discovery as shown below,
#
# sbi:
# server:
# no_tls: true
# amf:
# sbi:
# - addr: 127.0.0.5
# port: 7777
@ -179,6 +235,10 @@ tls:
# - Use SCP if SCP avaiable. Otherwise NRF is used.
# => App fails if both NRF and SCP are unavailable.
#
# sbi:
# server:
# no_tls: true
# amf:
# sbi:
# - addr: 127.0.0.5
# port: 7777
@ -194,23 +254,28 @@ tls:
# <NGAP Server>>
#
# o NGAP Server(all address available)
# amf:
# ngap:
#
# o NGAP Server(0.0.0.0:38412)
# amf:
# ngap:
# addr: 0.0.0.0
#
# o NGAP Server(127.0.0.5:38412, [::1]:38412)
# amf:
# ngap:
# - addr: 127.0.0.5
# - addr: ::1
#
# o NGAP Server(different port)
# amf:
# ngap:
# - addr: 127.0.0.5
# port: 38413
#
# o NGAP Server(address available in `eth0` interface)
# amf:
# ngap:
# dev: eth0
#
@ -218,6 +283,7 @@ tls:
# - sctp_nodelay : true
# - so_linger.l_onoff : false
#
# amf:
# ngap:
# addr: 127.0.0.5
# option:
@ -237,6 +303,7 @@ tls:
# - sinit_max_attempts : 4
# - sinit_max_init_timeo : 8000(8secs)
#
# amf:
# ngap:
# addr: 127.0.0.5
# option:
@ -254,6 +321,7 @@ tls:
# <Metrics Server>
#
# o Metrics Server(http://<any address>:9090)
# amf:
# metrics:
# - addr: 0.0.0.0
# port: 9090
@ -261,6 +329,7 @@ tls:
# <GUAMI>
#
# o Multiple GUAMI
# amf:
# guami:
# - plmn_id:
# mcc: 999
@ -279,6 +348,7 @@ tls:
# <TAI>
#
# o Multiple TAI
# amf:
# tai:
# - plmn_id:
# mcc: 001
@ -310,6 +380,7 @@ tls:
# <PLMN Support>
#
# o Multiple PLMN Support
# amf:
# plmn_support:
# - plmn_id:
# mcc: 999
@ -325,16 +396,19 @@ tls:
#
# <Network Name>
#
# amf:
# network_name:
# full: Open5GS
# short: Next
#
# <AMF Name>
#
# amf:
# amf_name: amf1.open5gs.amf.5gc.mnc70.mcc999.3gppnetwork.org
#
# <Relative Capacity> - Default(255)
#
# amf:
# relative_capacity: 100
#
amf:
@ -371,19 +445,22 @@ amf:
full: Open5GS
amf_name: open5gs-amf0
#
# scp:
#
# <SBI Client>>
#
# o SBI Client(http://127.0.1.10:7777)
# sbi:
# client:
# no_tls: true
# scp:
# sbi:
# addr: 127.0.1.10
# port: 7777
#
# o SBI Client(https://127.0.1.10:443, https://[::1]:443)
# tls:
# o SBI Client(https://127.0.1.10:443, https://[::1]:443) without verification
# sbi:
# client:
# no_verify: true
# key: /etc/open5gs/tls/amf.key
# cert: /etc/open5gs/tls/amf.crt
# scp:
@ -392,11 +469,13 @@ amf:
# - addr: ::1
#
# o SBI Client(https://scp.open5gs.org:443)
# Use the specified certificate to verify server
# Use the specified certificate while verifying the server
#
# tls:
# sbi:
# client:
# cacert: /etc/open5gs/tls/ca.crt
# key: /etc/open5gs/tls/amf.key
# cert: /etc/open5gs/tls/amf.crt
# scp:
# sbi:
# - name: scp.open5gs.org
@ -404,6 +483,10 @@ amf:
# o SBI Client(http://[fd69:f21d:873c:fb::1]:80)
# If prefer_ipv4 is true, http://127.0.1.10:80 is selected.
#
# sbi:
# client:
# no_tls: true
# scp:
# sbi:
# addr:
# - 127.0.1.10
@ -413,6 +496,10 @@ amf:
# - tcp_nodelay : true
# - so_linger.l_onoff : false
#
# sbi:
# client:
# no_tls: true
# scp:
# sbi:
# addr: 127.0.1.10
# option:
@ -427,19 +514,22 @@ scp:
- addr: 127.0.1.10
port: 7777
#
# nrf:
#
# <SBI Client>>
#
# o SBI Client(http://127.0.0.10:7777)
# sbi:
# client:
# no_tls: true
# nrf:
# sbi:
# addr: 127.0.0.10
# port: 7777
#
# o SBI Client(https://127.0.0.10:443, https://[::1]:443)
# tls:
# o SBI Client(https://127.0.0.10:443, https://[::1]:443) without verification
# sbi:
# client:
# no_verify: true
# key: /etc/open5gs/tls/amf.key
# cert: /etc/open5gs/tls/amf.crt
# nrf:
@ -448,11 +538,13 @@ scp:
# - addr: ::1
#
# o SBI Client(https://nrf.open5gs.org:443)
# Use the specified certificate to verify server
# Use the specified certificate while verifying the server
#
# tls:
# sbi:
# client:
# cacert: /etc/open5gs/tls/ca.crt
# key: /etc/open5gs/tls/amf.key
# cert: /etc/open5gs/tls/amf.crt
# nrf:
# sbi:
# - name: nrf.open5gs.org
@ -469,6 +561,10 @@ scp:
# - tcp_nodelay : true
# - so_linger.l_onoff : false
#
# sbi:
# client:
# no_tls: true
# nrf:
# sbi:
# addr: 127.0.0.10
# option:
@ -484,26 +580,28 @@ scp:
# - ::1
# port: 7777
#
# parameter:
#
# o Disable use of IPv4 addresses (only IPv6)
# no_ipv4: true
# parameter:
# no_ipv4: true
#
# o Disable use of IPv6 addresses (only IPv4)
# no_ipv6: true
# parameter:
# no_ipv6: true
#
# o Prefer IPv4 instead of IPv6 for estabishing new GTP connections.
# prefer_ipv4: true
# parameter:
# prefer_ipv4: true
#
parameter:
#
# max:
#
# o Maximum Number of UE
# o Maximum Number of UE
# max:
# ue: 1024
# o Maximum Number of Peer(S1AP/NGAP, DIAMETER, GTP, PFCP or SBI)
#
# o Maximum Number of Peer(S1AP/NGAP, DIAMETER, GTP, PFCP or SBI)
# max:
# peer: 64
#
max:
@ -514,35 +612,40 @@ max:
#
usrsctp:
#
# time:
#
# o NF Instance Heartbeat (Default : 0)
# NFs will not send heart-beat timer in NFProfile
# NRF will send heart-beat timer in NFProfile
# (Default values are used, so no configuration is required)
#
# o NF Instance Heartbeat (20 seconds)
# NFs will send heart-beat timer (20 seconds) in NFProfile
# NRF can change heart-beat timer in NFProfile
#
# time:
# nf_instance:
# heartbeat: 20
#
# o Message Wait Duration (Default : 10,000 ms = 10 seconds)
# (Default values are used, so no configuration is required)
#
# o Message Wait Duration (3000 ms)
# time:
# message:
# duration: 3000
#
# o Handover Wait Duration (Default : 300 ms)
# Time to wait for AMF to send UEContextReleaseCommand
# to the source gNB after receiving HandoverNotify
# (Default values are used, so no configuration is required)
#
# o Handover Wait Duration (500ms)
# time:
# handover:
# duration: 500
#
# o Timers of 5GS mobility/session management
# time:
# t3502:
# value: 720 # 12 minutes * 60 = 720 seconds
# t3512:

196
configs/open5gs/ausf.yaml.in
View File

@ -1,20 +1,21 @@
#
# logger:
#
# o Set OGS_LOG_INFO to all domain level
# - If `level` is omitted, the default level is OGS_LOG_INFO)
# - If `domain` is omitted, the all domain level is set from 'level'
# (Nothing is needed)
# (Default values are used, so no configuration is required)
#
# o Set OGS_LOG_ERROR to all domain level
# - `level` can be set with none, fatal, error, warn, info, debug, trace
# logger:
# level: error
#
# o Set OGS_LOG_DEBUG to mme/emm domain level
# logger:
# level: debug
# domain: mme,emm
#
# o Set OGS_LOG_TRACE to all domain level
# logger:
# level: trace
# domain: core,sbi,ausf,event,tlv,mem,sock
#
@ -22,52 +23,69 @@ logger:
file: @localstatedir@/log/open5gs/ausf.log
#
# tls:
# enabled: auto|yes|no
# - auto: Default. Use TLS only if key/cert is available
# - yes: Use TLS always;
# reject if no key/cert available
# - no: Don't use TLS if there is an key/cert available
# o TLS enable/disable
# sbi:
# server|client:
# no_tls: false|true
# - false: (Default) Use TLS
# - true: TLS disabled
#
# o Server-side Key and Certficiate
# o Verification enable/disable
# sbi:
# server|client:
# no_verify: false|true
# - false: (Default) Verify the PEER
# - true: Skip the verification step
#
# o Server-side does not use TLS
# sbi:
# server:
# key: /etc/open5gs/tls/ausf.key
# cert: /etc/open5gs/tls/ausf.crt
# no_tls: true
#
# o Client-side does not use TLS
# o Client-side skips the verification step
# sbi:
# client:
# enabled: no
# key: /etc/open5gs/tls/ausf.key
# cert: /etc/open5gs/tls/ausf.crt
# no_verify: true
# key: /etc/open5gs/tls/amf.key
# cert: /etc/open5gs/tls/amf.crt
#
# o Use the specified certificate to verify client
# o Use the specified certificate while verifying the client
# sbi:
# server
# cacert: /etc/open5gs/tls/ca.crt
#
# o Use the specified certificate to verify server
# o Use the specified certificate while verifying the server
# sbi:
# client
# cacert: /etc/open5gs/tls/ca.crt
#
tls:
enabled: no
sbi:
server:
no_tls: true
cacert: @sysconfdir@/open5gs/tls/ca.crt
key: @sysconfdir@/open5gs/tls/ausf.key
cert: @sysconfdir@/open5gs/tls/ausf.crt
client:
no_tls: true
cacert: @sysconfdir@/open5gs/tls/ca.crt
key: @sysconfdir@/open5gs/tls/ausf.key
cert: @sysconfdir@/open5gs/tls/ausf.crt
#
# ausf:
#
# <SBI Server>
#
# o SBI Server(http://<all address available>:80)
# sbi:
# server:
# no_tls: true
# ausf:
# sbi:
#
# o SBI Server(http://<any address>:7777)
# sbi:
# server:
# no_tls: true
# ausf:
# sbi:
# - addr:
# - 0.0.0.0
@ -75,17 +93,17 @@ tls:
# port: 7777
#
# o SBI Server(https://<all address available>:443)
# tls:
# sbi:
# server:
# key: /etc/open5gs/tls/ausf.key
# cert: /etc/open5gs/tls/ausf.crt
# ausf:
# sbi:
#
# o SBI Server(http://127.0.0.11:80, http://[::1]:80)
# tls:
# enabled: no
# o SBI Server(https://127.0.0.11:443, https://[::1]:443) without verification
# sbi:
# server:
# no_verify: true
# key: /etc/open5gs/tls/ausf.key
# cert: /etc/open5gs/tls/ausf.crt
# ausf:
@ -94,29 +112,48 @@ tls:
# - addr: ::1
#
# o SBI Server(https://ausf.open5gs.org:443)
# Use the specified certificate to verify client
# Use the specified certificate while verifying the client
#
# tls:
# sbi:
# server:
# cacert: /etc/open5gs/tls/ca.crt
# key: /etc/open5gs/tls/ausf.key
# cert: /etc/open5gs/tls/ausf.crt
# ausf:
# sbi:
# - name: ausf.open5gs.org
#
# o SBI Server(http://127.0.0.11:7777)
# sbi:
# server:
# no_tls: true
# ausf:
# sbi:
# - addr: 127.0.0.11
# port: 7777
#
# o SBI Server(http://<eth0 IP address>:80)
# sbi:
# server:
# no_tls: true
# ausf:
# sbi:
# - dev: eth0
#
# o Provide custom SBI address to be advertised to NRF
# sbi:
# server:
# no_tls: true
# ausf:
# sbi:
# - dev: eth0
# advertise: open5gs-ausf.svc.local
#
# o Another example of advertising on NRF
# sbi:
# server:
# no_tls: true
# ausf:
# sbi:
# - addr: localhost
# advertise:
@ -127,6 +164,10 @@ tls:
# - tcp_nodelay : true
# - so_linger.l_onoff : false
#
# sbi:
# server:
# no_tls: true
# ausf:
# sbi:
# addr: 127.0.0.11
# option:
@ -138,9 +179,11 @@ tls:
# <NF Service>
#
# o NF Service Name(Default : all NF services available)
# ausf:
# service_name:
#
# o NF Service Name(Only some NF services are available)
# ausf:
# service_name:
# - nausf-auth
#
@ -148,12 +191,21 @@ tls:
#
# o (Default) If you do not set Query Parameter as shown below,
#
# sbi:
# server:
# no_tls: true
# ausf:
# sbi:
# - addr: 127.0.0.11
# port: 7777
#
# - 'service-names' is included.
#
# o Service-Names are not included
# sbi:
# server:
# no_tls: true
# ausf:
# sbi:
# - addr: 127.0.0.11
# port: 7777
@ -172,6 +224,10 @@ tls:
#
# o (Default) If you do not set Delegated Discovery as shown below,
#
# sbi:
# server:
# no_tls: true
# ausf:
# sbi:
# - addr: 127.0.0.11
# port: 7777
@ -179,6 +235,10 @@ tls:
# - Use SCP if SCP avaiable. Otherwise NRF is used.
# => App fails if both NRF and SCP are unavailable.
#
# sbi:
# server:
# no_tls: true
# ausf:
# sbi:
# - addr: 127.0.0.11
# port: 7777
@ -196,32 +256,37 @@ ausf:
- addr: 127.0.0.11
port: 7777
#
# scp:
#
# <SBI Client>>
#
# o SBI Client(http://127.0.1.10:7777)
# sbi:
# client:
# no_tls: true
# scp:
# sbi:
# addr: 127.0.1.10
# port: 7777
#
# o SBI Client(https://127.0.1.10:443, https://[::1]:443)
# tls:
# o SBI Client(https://127.0.1.10:443, https://[::1]:443) without verification
# sbi:
# client:
# key: /etc/open5gs/tls/ausf.key
# cert: /etc/open5gs/tls/ausf.crt
# no_verify: true
# key: /etc/open5gs/tls/amf.key
# cert: /etc/open5gs/tls/amf.crt
# scp:
# sbi:
# - addr: 127.0.1.10
# - addr: ::1
#
# o SBI Client(https://scp.open5gs.org:443)
# Use the specified certificate to verify server
# Use the specified certificate while verifying the server
#
# tls:
# sbi:
# client:
# cacert: /etc/open5gs/tls/ca.crt
# key: /etc/open5gs/tls/amf.key
# cert: /etc/open5gs/tls/amf.crt
# scp:
# sbi:
# - name: scp.open5gs.org
@ -229,6 +294,10 @@ ausf:
# o SBI Client(http://[fd69:f21d:873c:fb::1]:80)
# If prefer_ipv4 is true, http://127.0.1.10:80 is selected.
#
# sbi:
# client:
# no_tls: true
# scp:
# sbi:
# addr:
# - 127.0.1.10
@ -238,6 +307,10 @@ ausf:
# - tcp_nodelay : true
# - so_linger.l_onoff : false
#
# sbi:
# client:
# no_tls: true
# scp:
# sbi:
# addr: 127.0.1.10
# option:
@ -252,32 +325,37 @@ scp:
- addr: 127.0.1.10
port: 7777
#
# nrf:
#
# <SBI Client>>
#
# o SBI Client(http://127.0.0.10:7777)
# sbi:
# client:
# no_tls: true
# nrf:
# sbi:
# addr: 127.0.0.10
# port: 7777
#
# o SBI Client(https://127.0.0.10:443, https://[::1]:443)
# tls:
# o SBI Client(https://127.0.0.10:443, https://[::1]:443) without verification
# sbi:
# client:
# key: /etc/open5gs/tls/ausf.key
# cert: /etc/open5gs/tls/ausf.crt
# no_verify: true
# key: /etc/open5gs/tls/amf.key
# cert: /etc/open5gs/tls/amf.crt
# nrf:
# sbi:
# - addr: 127.0.0.10
# - addr: ::1
#
# o SBI Client(https://nrf.open5gs.org:443)
# Use the specified certificate to verify server
# Use the specified certificate while verifying the server
#
# tls:
# sbi:
# client:
# cacert: /etc/open5gs/tls/ca.crt
# key: /etc/open5gs/tls/amf.key
# cert: /etc/open5gs/tls/amf.crt
# nrf:
# sbi:
# - name: nrf.open5gs.org
@ -294,6 +372,10 @@ scp:
# - tcp_nodelay : true
# - so_linger.l_onoff : false
#
# sbi:
# client:
# no_tls: true
# nrf:
# sbi:
# addr: 127.0.0.10
# option:
@ -309,47 +391,51 @@ scp:
# - ::1
# port: 7777
#
# parameter:
#
# o Disable use of IPv4 addresses (only IPv6)
# no_ipv4: true
# parameter:
# no_ipv4: true
#
# o Disable use of IPv6 addresses (only IPv4)
# no_ipv6: true
# parameter:
# no_ipv6: true
#
# o Prefer IPv4 instead of IPv6 for estabishing new GTP connections.
# prefer_ipv4: true
# parameter:
# prefer_ipv4: true
#
parameter:
#
# max:
#
# o Maximum Number of UE
# o Maximum Number of UE
# max:
# ue: 1024
# o Maximum Number of Peer(S1AP/NGAP, DIAMETER, GTP, PFCP or SBI)
#
# o Maximum Number of Peer(S1AP/NGAP, DIAMETER, GTP, PFCP or SBI)
# max:
# peer: 64
#
max:
#
# time:
#
# o NF Instance Heartbeat (Default : 0)
# NFs will not send heart-beat timer in NFProfile
# NRF will send heart-beat timer in NFProfile
# (Default values are used, so no configuration is required)
#
# o NF Instance Heartbeat (20 seconds)
# NFs will send heart-beat timer (20 seconds) in NFProfile
# NRF can change heart-beat timer in NFProfile
#
# time:
# nf_instance:
# heartbeat: 20
#
# o Message Wait Duration (Default : 10,000 ms = 10 seconds)
# (Default values are used, so no configuration is required)
#
# o Message Wait Duration (3000 ms)
# time:
# message:
# duration: 3000
time:

200
configs/open5gs/bsf.yaml.in
View File

@ -1,75 +1,93 @@
db_uri: mongodb://localhost/open5gs
#
# logger:
#
# o Set OGS_LOG_INFO to all domain level
# - If `level` is omitted, the default level is OGS_LOG_INFO)
# - If `domain` is omitted, the all domain level is set from 'level'
# (Nothing is needed)
# (Default values are used, so no configuration is required)
#
# o Set OGS_LOG_ERROR to all domain level
# - `level` can be set with none, fatal, error, warn, info, debug, trace
# logger:
# level: error
#
# o Set OGS_LOG_DEBUG to mme/emm domain level
# logger:
# level: debug
# domain: mme,emm
#
# o Set OGS_LOG_TRACE to all domain level
# logger:
# level: trace
# domain: core,sbi,bsf,event,tlv,mem,sock
# domain: core,sbi,ausf,event,tlv,mem,sock
#
logger:
file: @localstatedir@/log/open5gs/bsf.log
#
# tls:
# enabled: auto|yes|no
# - auto: Default. Use TLS only if key/cert is available
# - yes: Use TLS always;
# reject if no key/cert available
# - no: Don't use TLS if there is an key/cert available
# o TLS enable/disable
# sbi:
# server|client:
# no_tls: false|true
# - false: (Default) Use TLS
# - true: TLS disabled
#
# o Server-side Key and Certficiate
# o Verification enable/disable
# sbi:
# server|client:
# no_verify: false|true
# - false: (Default) Verify the PEER
# - true: Skip the verification step
#
# o Server-side does not use TLS
# sbi:
# server:
# key: /etc/open5gs/tls/bsf.key
# cert: /etc/open5gs/tls/bsf.crt
# no_tls: true
#
# o Client-side does not use TLS
# o Client-side skips the verification step
# sbi:
# client:
# enabled: no
# key: /etc/open5gs/tls/bsf.key
# cert: /etc/open5gs/tls/bsf.crt
# no_verify: true
# key: /etc/open5gs/tls/amf.key
# cert: /etc/open5gs/tls/amf.crt
#
# o Use the specified certificate to verify client
# o Use the specified certificate while verifying the client
# sbi:
# server
# cacert: /etc/open5gs/tls/ca.crt
#
# o Use the specified certificate to verify server
# o Use the specified certificate while verifying the server
# sbi:
# client
# cacert: /etc/open5gs/tls/ca.crt
#
tls:
enabled: no
sbi:
server:
no_tls: true
cacert: @sysconfdir@/open5gs/tls/ca.crt
key: @sysconfdir@/open5gs/tls/bsf.key
cert: @sysconfdir@/open5gs/tls/bsf.crt
client:
no_tls: true
cacert: @sysconfdir@/open5gs/tls/ca.crt
key: @sysconfdir@/open5gs/tls/bsf.key
cert: @sysconfdir@/open5gs/tls/bsf.crt
#
# bsf:
#
# <SBI Server>
#
# o SBI Server(http://<all address available>:80)
# sbi:
# server:
# no_tls: true
# bsf:
# sbi:
#
# o SBI Server(http://<any address>:7777)
# sbi:
# server:
# no_tls: true
# bsf:
# sbi:
# - addr:
# - 0.0.0.0
@ -77,48 +95,67 @@ tls:
# port: 7777
#
# o SBI Server(https://<all address available>:443)
# tls:
# sbi:
# server:
# key: /etc/open5gs/tls/bsf.key
# cert: /etc/open5gs/tls/bsf.crt
# bsf:
# sbi:
#
# o SBI Server(http://127.0.0.5:80, http://[::1]:80)
# tls:
# enabled: no
# o SBI Server(https://127.0.0.15:443, https://[::1]:443) without verification
# sbi:
# server:
# no_verify: true
# key: /etc/open5gs/tls/bsf.key
# cert: /etc/open5gs/tls/bsf.crt
# bsf:
# sbi:
# - addr: 127.0.0.5
# - addr: 127.0.0.15
# - addr: ::1
#
# o SBI Server(https://bsf.open5gs.org:443)
# Use the specified certificate to verify client
# Use the specified certificate while verifying the client
#
# tls:
# sbi:
# server:
# cacert: /etc/open5gs/tls/ca.crt
# key: /etc/open5gs/tls/bsf.key
# cert: /etc/open5gs/tls/bsf.crt
# bsf:
# sbi:
# - name: bsf.open5gs.org
#
# o SBI Server(http://127.0.0.15:7777)
# sbi:
# server:
# no_tls: true
# bsf:
# sbi:
# - addr: 127.0.0.15
# port: 7777
#
# o SBI Server(http://<eth0 IP address>:80)
# sbi:
# server:
# no_tls: true
# bsf:
# sbi:
# - dev: eth0
#
# o Provide custom SBI address to be advertised to NRF
# sbi:
# server:
# no_tls: true
# bsf:
# sbi:
# - dev: eth0
# advertise: open5gs-bsf.svc.local
#
# o Another example of advertising on NRF
# sbi:
# server:
# no_tls: true
# bsf:
# sbi:
# - addr: localhost
# advertise:
@ -129,6 +166,10 @@ tls:
# - tcp_nodelay : true
# - so_linger.l_onoff : false
#
# sbi:
# server:
# no_tls: true
# bsf:
# sbi:
# addr: 127.0.0.15
# option:
@ -140,9 +181,11 @@ tls:
# <NF Service>
#
# o NF Service Name(Default : all NF services available)
# bsf:
# service_name:
#
# o NF Service Name(Only some NF services are available)
# bsf:
# service_name:
# - nbsf-management
#
@ -150,12 +193,21 @@ tls:
#
# o (Default) If you do not set Query Parameter as shown below,
#
# sbi:
# server:
# no_tls: true
# bsf:
# sbi:
# - addr: 127.0.0.15
# port: 7777
#
# - 'service-names' is included.
#
# o Service-Names are not included
# sbi:
# server:
# no_tls: true
# bsf:
# sbi:
# - addr: 127.0.0.15
# port: 7777
@ -174,6 +226,10 @@ tls:
#
# o (Default) If you do not set Delegated Discovery as shown below,
#
# sbi:
# server:
# no_tls: true
# bsf:
# sbi:
# - addr: 127.0.0.15
# port: 7777
@ -181,6 +237,10 @@ tls:
# - Use SCP if SCP avaiable. Otherwise NRF is used.
# => App fails if both NRF and SCP are unavailable.
#
# sbi:
# server:
# no_tls: true
# bsf:
# sbi:
# - addr: 127.0.0.15
# port: 7777
@ -198,32 +258,37 @@ bsf:
- addr: 127.0.0.15
port: 7777
#
# scp:
#
# <SBI Client>>
#
# o SBI Client(http://127.0.1.10:7777)
# sbi:
# client:
# no_tls: true
# scp:
# sbi:
# addr: 127.0.1.10
# port: 7777
#
# o SBI Client(https://127.0.1.10:443, https://[::1]:443)
# tls:
# o SBI Client(https://127.0.1.10:443, https://[::1]:443) without verification
# sbi:
# client:
# key: /etc/open5gs/tls/bsf.key
# cert: /etc/open5gs/tls/bsf.crt
# no_verify: true
# key: /etc/open5gs/tls/amf.key
# cert: /etc/open5gs/tls/amf.crt
# scp:
# sbi:
# - addr: 127.0.1.10
# - addr: ::1
#
# o SBI Client(https://scp.open5gs.org:443)
# Use the specified certificate to verify server
# Use the specified certificate while verifying the server
#
# tls:
# sbi:
# client:
# cacert: /etc/open5gs/tls/ca.crt
# key: /etc/open5gs/tls/amf.key
# cert: /etc/open5gs/tls/amf.crt
# scp:
# sbi:
# - name: scp.open5gs.org
@ -231,6 +296,10 @@ bsf:
# o SBI Client(http://[fd69:f21d:873c:fb::1]:80)
# If prefer_ipv4 is true, http://127.0.1.10:80 is selected.
#
# sbi:
# client:
# no_tls: true
# scp:
# sbi:
# addr:
# - 127.0.1.10
@ -240,6 +309,10 @@ bsf:
# - tcp_nodelay : true
# - so_linger.l_onoff : false
#
# sbi:
# client:
# no_tls: true
# scp:
# sbi:
# addr: 127.0.1.10
# option:
@ -254,32 +327,37 @@ scp:
- addr: 127.0.1.10
port: 7777
#
# nrf:
#
# <SBI Client>>
#
# o SBI Client(http://127.0.0.10:7777)
# sbi:
# client:
# no_tls: true
# nrf:
# sbi:
# addr: 127.0.0.10
# port: 7777
#
# o SBI Client(https://127.0.0.10:443, https://[::1]:443)
# tls:
# o SBI Client(https://127.0.0.10:443, https://[::1]:443) without verification
# sbi:
# client:
# key: /etc/open5gs/tls/bsf.key
# cert: /etc/open5gs/tls/bsf.crt
# no_verify: true
# key: /etc/open5gs/tls/amf.key
# cert: /etc/open5gs/tls/amf.crt
# nrf:
# sbi:
# - addr: 127.0.0.10
# - addr: ::1
#
# o SBI Client(https://nrf.open5gs.org:443)
# Use the specified certificate to verify server
# Use the specified certificate while verifying the server
#
# tls:
# sbi:
# client:
# cacert: /etc/open5gs/tls/ca.crt
# key: /etc/open5gs/tls/amf.key
# cert: /etc/open5gs/tls/amf.crt
# nrf:
# sbi:
# - name: nrf.open5gs.org
@ -296,6 +374,10 @@ scp:
# - tcp_nodelay : true
# - so_linger.l_onoff : false
#
# sbi:
# client:
# no_tls: true
# nrf:
# sbi:
# addr: 127.0.0.10
# option:
@ -311,47 +393,51 @@ scp:
# - ::1
# port: 7777
#
# parameter:
#
# o Disable use of IPv4 addresses (only IPv6)
# no_ipv4: true
# parameter:
# no_ipv4: true
#
# o Disable use of IPv6 addresses (only IPv4)
# no_ipv6: true
# parameter:
# no_ipv6: true
#
# o Prefer IPv4 instead of IPv6 for estabishing new GTP connections.
# prefer_ipv4: true
# parameter:
# prefer_ipv4: true
#
parameter:
#
# max:
#
# o Maximum Number of UE
# o Maximum Number of UE
# max:
# ue: 1024
# o Maximum Number of Peer(S1AP/NGAP, DIAMETER, GTP, PFCP or SBI)
#
# o Maximum Number of Peer(S1AP/NGAP, DIAMETER, GTP, PFCP or SBI)
# max:
# peer: 64
#
max:
#
# time:
#
# o NF Instance Heartbeat (Default : 0)
# NFs will not send heart-beat timer in NFProfile
# NRF will send heart-beat timer in NFProfile
# (Default values are used, so no configuration is required)
#
# o NF Instance Heartbeat (20 seconds)
# NFs will send heart-beat timer (20 seconds) in NFProfile
# NRF can change heart-beat timer in NFProfile
#
# time:
# nf_instance:
# heartbeat: 20
#
# o Message Wait Duration (Default : 10,000 ms = 10 seconds)
# (Default values are used, so no configuration is required)
#
# o Message Wait Duration (3000 ms)
# time:
# message:
# duration: 3000
time:

39
configs/open5gs/hss.yaml.in
View File

@ -1,24 +1,25 @@
db_uri: mongodb://localhost/open5gs
#
# logger:
#
# o Set OGS_LOG_INFO to all domain level
# - If `level` is omitted, the default level is OGS_LOG_INFO)
# - If `domain` is omitted, the all domain level is set from 'level'
# (Nothing is needed)
# (Default values are used, so no configuration is required)
#
# o Set OGS_LOG_ERROR to all domain level
# - `level` can be set with none, fatal, error, warn, info, debug, trace
# logger:
# level: error
#
# o Set OGS_LOG_DEBUG to mme/emm domain level
# logger:
# level: debug
# domain: mme,emm
#
# o Set OGS_LOG_TRACE to all domain level
# logger:
# level: trace
# domain: core,fd,hss,event,mem,sock
# domain: core,sbi,ausf,event,tlv,mem,sock
#
logger:
file: @localstatedir@/log/open5gs/hss.log
@ -26,29 +27,37 @@ logger:
hss:
freeDiameter: @sysconfdir@/freeDiameter/hss.conf
# sms_over_ims: "sip:smsc.mnc001.mcc001.3gppnetwork.org:7060;transport=tcp"
#
# parameter:
# hss:
# sms_over_ims: "sip:smsc.mnc001.mcc001.3gppnetwork.org:7060;transport=tcp"
#
#
# o Disable use of IPv4 addresses (only IPv6)
# no_ipv4: true
# parameter:
# no_ipv4: true
#
# o Disable use of IPv6 addresses (only IPv4)
# no_ipv6: true
# parameter:
# no_ipv6: true
#
# o Prefer IPv4 instead of IPv6 for estabishing new GTP connections.
# prefer_ipv4: true
# parameter:
# prefer_ipv4: true
#
# o Use MongoDB Change Stream
# parameter:
# use_mongodb_change_stream: true
#
parameter:
# use_mongodb_change_stream: true
#
# max:
#
# o Maximum Number of UE
# o Maximum Number of UE
# max:
# ue: 1024
# o Maximum Number of Peer(S1AP/NGAP, DIAMETER, GTP, PFCP or SBI)
#
# o Maximum Number of Peer(S1AP/NGAP, DIAMETER, GTP, PFCP or SBI)
# max:
# peer: 64
#
max:

109
configs/open5gs/mme.yaml.in
View File

@ -1,49 +1,53 @@
#
# logger:
#
# o Set OGS_LOG_INFO to all domain level
# - If `level` is omitted, the default level is OGS_LOG_INFO)
# - If `domain` is omitted, the all domain level is set from 'level'
# (Nothing is needed)
# (Default values are used, so no configuration is required)
#
# o Set OGS_LOG_ERROR to all domain level
# - `level` can be set with none, fatal, error, warn, info, debug, trace
# logger:
# level: error
#
# o Set OGS_LOG_DEBUG to mme/emm domain level
# logger:
# level: debug
# domain: mme,emm
#
# o Set OGS_LOG_TRACE to all domain level
# logger:
# level: trace
# domain: core,s1ap,nas,fd,gtp,mme,emm,esm,event,tlv,mem,sock
# domain: core,sbi,ausf,event,tlv,mem,sock
#
logger:
file: @localstatedir@/log/open5gs/mme.log
#
# mme:
#
# <S1AP Server>>
#
# o S1AP Server(all address available)
# mme:
# s1ap:
#
# o S1AP Server(0.0.0.0:36412)
# mme:
# s1ap:
# addr: 0.0.0.0
#
# o S1AP Server(127.0.0.2:36412, [::1]:36412)
# mme:
# s1ap:
# - addr: 127.0.0.2
# - addr: ::1
#
# o S1AP Server(different port)
# mme:
# s1ap:
# - addr: 127.0.0.2
# port: 36413
#
# o S1AP Server(address available in `eth0` interface)
# mme:
# s1ap:
# dev: eth0
#
@ -51,6 +55,7 @@ logger:
# - sctp_nodelay : true
# - so_linger.l_onoff : false
#
# mme:
# s1ap:
# addr: 127.0.0.2
# option:
@ -70,6 +75,7 @@ logger:
# - sinit_max_attempts : 4
# - sinit_max_init_timeo : 8000(8secs)
#
# mme:
# s1ap:
# addr: 127.0.0.2
# option:
@ -87,9 +93,11 @@ logger:
# <GTP-C Server>>
#
# o GTP-C Server(all address available)
# mme:
# gtpc:
#
# o GTP-C Server(127.0.0.2:2123, [::1]:2123)
# mme:
# gtpc:
# - addr: 127.0.0.2
# - addr: ::1
@ -97,6 +105,7 @@ logger:
# <SGsAP>
#
# o Single MSC/VLR(127.0.0.2)
# mme:
# sgsap:
# addr: 127.0.0.2
# map:
@ -123,6 +132,7 @@ logger:
# lac: 43692
#
# o Multiple MSC/VLR
# mme:
# sgsap:
# - addr: 127.0.0.2
# port: 29119
@ -178,6 +188,7 @@ logger:
# <Metrics Server>
#
# o Metrics Server(http://<any address>:9090)
# mme:
# metrics:
# - addr: 0.0.0.0
# port: 9090
@ -185,6 +196,7 @@ logger:
# <GUMMEI>
#
# o Multiple GUMMEI
# mme:
# gummei:
# - plmn_id:
# mcc: 001
@ -205,6 +217,7 @@ logger:
# <TAI>
#
# o Multiple TAI
# mme:
# tai:
# - plmn_id:
# mcc: 001
@ -235,17 +248,17 @@ logger:
#
#
# <Network Name>
#
# mme:
# network_name:
# full: Open5GS
# short: Next
#
# <MME Name>
#
# mme:
# mme_name: open5gs-mme0
#
# <Relative Capacity> - Default(255)
#
# mme:
# relative_capacity: 100
#
mme:
@ -275,8 +288,6 @@ mme:
full: Open5GS
mme_name: open5gs-mme0
#
# sgwc:
#
# <GTP-C Client>
#
@ -284,17 +295,20 @@ mme:
#
# o One SGW is defined.
# If prefer_ipv4 is not true, [fd69:f21d:873c:fa::2] is selected.
# sgwc:
# gtpc:
# addr:
# - 127.0.0.3
# - fd69:f21d:873c:fa::2
#
# o Two SGW are defined. MME selects SGW with round-robin manner per UE
# sgwc:
# gtpc:
# - addr: 127.0.0.3
# - addr: fd69:f21d:873c:fa::2
#
# o Three SGW are defined. MME selects SGW with round-robin manner per UE
# sgwc:
# gtpc:
# - addr
# - 127.0.0.3
@ -306,30 +320,32 @@ mme:
#
# <SGW Selection Mode>
#
# o Round-Robin
# o Round-Robin
# sgwc:
# gtpc:
# addr: 127.0.0.3
# addr: 127.0.2.2
# addr: 127.0.4.2
#
# gtpc:
# addr: 127.0.0.3
# addr: 127.0.2.2
# addr: 127.0.4.2
#
# o SGW selection by eNodeB TAC
# o SGW selection by eNodeB TAC
# (either single TAC or multiple TACs, DECIMAL representation)
#
# gtpc:
# - addr: 127.0.0.3
# tac: 26000
# - addr: 127.0.2.2
# tac: [25000, 27000, 28000]
# sgwc:
# gtpc:
# - addr: 127.0.0.3
# tac: 26000
# - addr: 127.0.2.2
# tac: [25000, 27000, 28000]
#
# o SGW selection by e_cell_id(28bit)
# (either single or multiple e_cell_id, HEX representation)
#
# gtpc:
# - addr: 127.0.0.3
# e_cell_id: abcde01
# - addr: 127.0.2.2
# e_cell_id: [12345, a9413, 98765]
# sgwc:
# gtpc:
# - addr: 127.0.0.3
# e_cell_id: abcde01
# - addr: 127.0.2.2
# e_cell_id: [12345, a9413, 98765]
#
sgwc:
gtpc:
@ -344,15 +360,18 @@ sgwc:
# - To use a different APN for each SMF, specify gtpc.apn as the APN name.
# - If the HSS uses WebUI to set the SMF IP for each UE,
# you can use a specific SMF node for each UE.
# (Default values are used, so no configuration is required)
#
# o Two SMF are defined. 127.0.0.4:2123 is used.
# [fd69:f21d:873c:fa::3]:2123 is ignored.
# smf:
# gtpc:
# - addr: 127.0.0.4
# - addr: fd69:f21d:873c:fa::3
#
# o One SMF is defined. if prefer_ipv4 is not true,
# [fd69:f21d:873c:fa::3] is selected.
# smf:
# gtpc:
# - addr:
# - 127.0.0.4
@ -361,6 +380,7 @@ sgwc:
# o Two SMF are defined with a different APN.
# - Note that if SMF IP for UE is configured in HSS,
# the following configurion for this UE is ignored.
# smf:
# gtpc:
# - addr: 127.0.0.4
# apn: internet
@ -368,6 +388,7 @@ sgwc:
# apn: volte
#
# o If APN is omitted, the default APN uses the first SMF node.
# smf:
# gtpc:
# - addr: 127.0.0.4
# - addr: 127.0.0.5
@ -378,31 +399,28 @@ smf:
- 127.0.0.4
- ::1
#
# parameter:
#
# o Disable use of IPv4 addresses (only IPv6)
# no_ipv4: true
# parameter:
# no_ipv4: true
#
# o Disable use of IPv6 addresses (only IPv4)
# no_ipv6: true
# parameter:
# no_ipv6: true
#
# o Prefer IPv4 instead of IPv6 for estabishing new GTP connections.
# prefer_ipv4: true
#
# o Use OAI UE
# - Remove HashMME in Security-mode command message
# - Use the length 1 of EPS network feature support in Attach accept message
# use_openair: true
# parameter:
# prefer_ipv4: true
#
parameter:
#
# max:
#
# o Maximum Number of UE
# o Maximum Number of UE
# max:
# ue: 1024
# o Maximum Number of Peer(S1AP/NGAP, DIAMETER, GTP, PFCP or SBI)
#
# o Maximum Number of Peer(S1AP/NGAP, DIAMETER, GTP, PFCP or SBI)
# max:
# peer: 64
#
max:
@ -413,24 +431,27 @@ max:
#
usrsctp:
#
# time:
#
# o Message Wait Duration (Default : 10,000 ms = 10 seconds)
# (Default values are used, so no configuration is required)
#
# o Message Wait Duration (3000 ms)
# time:
# message:
# duration: 3000
#
# o Handover Wait Duration (Default : 300 ms)
# Time to wait for MME to send UEContextReleaseCommand
# to the source eNB after receiving HandoverNotify
# (Default values are used, so no configuration is required)
#
# o Handover Wait Duration (500ms)
# time:
# handover:
# duration: 500
#
# o Timers of EPS mobility/session management
# time:
# t3402:
# value: 720 # 12 minutes * 60 = 720 seconds
# t3412:

177
configs/open5gs/nrf.yaml.in
View File

@ -1,73 +1,91 @@
#
# logger:
#
# o Set OGS_LOG_INFO to all domain level
# - If `level` is omitted, the default level is OGS_LOG_INFO)
# - If `domain` is omitted, the all domain level is set from 'level'
# (Nothing is needed)
# (Default values are used, so no configuration is required)
#
# o Set OGS_LOG_ERROR to all domain level
# - `level` can be set with none, fatal, error, warn, info, debug, trace
# logger:
# level: error
#
# o Set OGS_LOG_DEBUG to mme/emm domain level
# logger:
# level: debug
# domain: mme,emm
#
# o Set OGS_LOG_TRACE to all domain level
# logger:
# level: trace
# domain: core,sbi,nrf,event,mem,sock
# domain: core,sbi,ausf,event,tlv,mem,sock
#
logger:
file: @localstatedir@/log/open5gs/nrf.log
#
# tls:
# enabled: auto|yes|no
# - auto: Default. Use TLS only if key/cert is available
# - yes: Use TLS always;
# reject if no key/cert available
# - no: Don't use TLS if there is an key/cert available
# o TLS enable/disable
# sbi:
# server|client:
# no_tls: false|true
# - false: (Default) Use TLS
# - true: TLS disabled
#
# o Server-side Key and Certficiate
# o Verification enable/disable
# sbi:
# server|client:
# no_verify: false|true
# - false: (Default) Verify the PEER
# - true: Skip the verification step
#
# o Server-side does not use TLS
# sbi:
# server:
# key: /etc/open5gs/tls/nrf.key
# cert: /etc/open5gs/tls/nrf.crt
# no_tls: true
#
# o Client-side does not use TLS
# o Client-side skips the verification step
# sbi:
# client:
# enabled: no
# key: /etc/open5gs/tls/nrf.key
# cert: /etc/open5gs/tls/nrf.crt
# no_verify: true
# key: /etc/open5gs/tls/amf.key
# cert: /etc/open5gs/tls/amf.crt
#
# o Use the specified certificate to verify client
# o Use the specified certificate while verifying the client
# sbi:
# server
# cacert: /etc/open5gs/tls/ca.crt
#
# o Use the specified certificate to verify server
# o Use the specified certificate while verifying the server
# sbi:
# client
# cacert: /etc/open5gs/tls/ca.crt
#
tls:
enabled: no
sbi:
server:
no_tls: true
cacert: @sysconfdir@/open5gs/tls/ca.crt
key: @sysconfdir@/open5gs/tls/nrf.key
cert: @sysconfdir@/open5gs/tls/nrf.crt
client:
no_tls: true
cacert: @sysconfdir@/open5gs/tls/ca.crt
key: @sysconfdir@/open5gs/tls/nrf.key
cert: @sysconfdir@/open5gs/tls/nrf.crt
#
# nrf:
#
# <SBI Server>
#
# o SBI Server(http://<all address available>:80)
# sbi:
# server:
# no_tls: true
# nrf:
# sbi:
#
# o SBI Server(http://<any address>:7777)
# sbi:
# server:
# no_tls: true
# nrf:
# sbi:
# - addr:
# - 0.0.0.0
@ -75,47 +93,81 @@ tls:
# port: 7777
#
# o SBI Server(https://<all address available>:443)
# tls:
# sbi:
# server:
# key: /etc/open5gs/tls/nrf.key
# cert: /etc/open5gs/tls/nrf.crt
# nrf:
# sbi:
#
# o SBI Server(http://127.0.0.5:80, http://[::1]:80)
# tls:
# enabled: no
# o SBI Server(https://127.0.0.10:443, https://[::1]:443) without verification
# sbi:
# server:
# no_verify: true
# key: /etc/open5gs/tls/nrf.key
# cert: /etc/open5gs/tls/nrf.crt
# nrf:
# sbi:
# - addr: 127.0.0.5
# - addr: 127.0.0.10
# - addr: ::1
#
# o SBI Server(https://nrf.open5gs.org:443)
# Use the specified certificate to verify client
# Use the specified certificate while verifying the client
#
# tls:
# sbi:
# server:
# cacert: /etc/open5gs/tls/ca.crt
# key: /etc/open5gs/tls/nrf.key
# cert: /etc/open5gs/tls/nrf.crt
# nrf:
# sbi:
# - name: nrf.open5gs.org
#
# o SBI Server(http://127.0.0.10:7777)
# sbi:
# server:
# no_tls: true
# nrf:
# sbi:
# - addr: 127.0.0.10
# port: 7777
#
# o SBI Server(http://<eth0 IP address>:80)
# sbi:
# server:
# no_tls: true
# nrf:
# sbi:
# dev: eth0
# - dev: eth0
#
# o Provide custom SBI address to be advertised to NRF
# sbi:
# server:
# no_tls: true
# nrf:
# sbi:
# - dev: eth0
# advertise: open5gs-nrf.svc.local
#
# o Another example of advertising on NRF
# sbi:
# server:
# no_tls: true
# nrf:
# sbi:
# - addr: localhost
# advertise:
# - 127.0.0.99
# - ::1
#
# o SBI Option (Default)
# - tcp_nodelay : true
# - so_linger.l_onoff : false
#
# sbi:
# server:
# no_tls: true
# nrf:
# sbi:
# addr: 127.0.0.10
# option:
@ -127,9 +179,11 @@ tls:
# <NF Service>
#
# o NF Service Name(Default : all NF services available)
# nrf:
# service_name:
#
# o NF Service Name(Only some NF services are available)
# nrf:
# service_name:
# - nnrf-nfm
# - nnrf-disc
@ -141,32 +195,37 @@ nrf:
- ::1
port: 7777
#
# scp:
#
# <SBI Client>>
#
# o SBI Client(http://127.0.1.10:7777)
# sbi:
# client:
# no_tls: true
# scp:
# sbi:
# addr: 127.0.1.10
# port: 7777
#
# o SBI Client(https://127.0.1.10:443, https://[::1]:443)
# tls:
# o SBI Client(https://127.0.1.10:443, https://[::1]:443) without verification
# sbi:
# client:
# key: /etc/open5gs/tls/nrf.key
# cert: /etc/open5gs/tls/nrf.crt
# no_verify: true
# key: /etc/open5gs/tls/amf.key
# cert: /etc/open5gs/tls/amf.crt
# scp:
# sbi:
# - addr: 127.0.1.10
# - addr: ::1
#
# o SBI Client(https://scp.open5gs.org:443)
# Use the specified certificate to verify server
# Use the specified certificate while verifying the server
#
# tls:
# sbi:
# client:
# cacert: /etc/open5gs/tls/ca.crt
# key: /etc/open5gs/tls/amf.key
# cert: /etc/open5gs/tls/amf.crt
# scp:
# sbi:
# - name: scp.open5gs.org
@ -174,6 +233,10 @@ nrf:
# o SBI Client(http://[fd69:f21d:873c:fb::1]:80)
# If prefer_ipv4 is true, http://127.0.1.10:80 is selected.
#
# sbi:
# client:
# no_tls: true
# scp:
# sbi:
# addr:
# - 127.0.1.10
@ -183,6 +246,10 @@ nrf:
# - tcp_nodelay : true
# - so_linger.l_onoff : false
#
# sbi:
# client:
# no_tls: true
# scp:
# sbi:
# addr: 127.0.1.10
# option:
@ -197,62 +264,74 @@ scp:
- addr: 127.0.1.10
port: 7777
#
# parameter:
#
# o Disable use of IPv4 addresses (only IPv6)
# no_ipv4: true
# parameter:
# no_ipv4: true
#
# o Disable use of IPv6 addresses (only IPv4)
# no_ipv6: true
# parameter:
# no_ipv6: true
#
# o Prefer IPv4 instead of IPv6 for estabishing new GTP connections.
# prefer_ipv4: true
# parameter:
# prefer_ipv4: true
#
parameter:
#
# max:
#
# o Maximum Number of UE
# o Maximum Number of UE
# max:
# ue: 1024
# o Maximum Number of Peer(S1AP/NGAP, DIAMETER, GTP, PFCP or SBI)
#
# o Maximum Number of Peer(S1AP/NGAP, DIAMETER, GTP, PFCP or SBI)
# max:
# peer: 64
#
max:
#
# time:
#
# o NF Instance Heartbeat (Default : 10 seconds)
# (Default values are used, so no configuration is required)
#
# o NF Instance Heartbeat (Disabled)
# time:
# nf_instance:
# heartbeat: 0
#
# o NF Instance Heartbeat (5 seconds)
# time:
# nf_instance:
# heartbeat: 5
#
# o NF Instance Validity (Default : 3600 seconds = 1 hour)
# (Default values are used, so no configuration is required)
#
# o NF Instance Validity (10 seconds)
# time:
# nf_instance:
# validity: 10
#
# o Subscription Validity (Default : 86400 seconds = 1 day)
# (Default values are used, so no configuration is required)
#
# o Subscription Validity (Disabled)
# time:
# subscription:
# validity: 0
#
# o Subscription Validity (3600 seconds = 1 hour)
# time:
# subscription:
# validity: 3600
#
# o Message Wait Duration (Default : 10,000 ms = 10 seconds)
# (Default values are used, so no configuration is required)
#
# o Message Wait Duration (3000 ms)
# time:
# message:
# duration: 3000
time:

223
configs/open5gs/nssf.yaml.in
View File

@ -1,73 +1,91 @@
#
# logger:
#
# o Set OGS_LOG_INFO to all domain level
# - If `level` is omitted, the default level is OGS_LOG_INFO)
# - If `domain` is omitted, the all domain level is set from 'level'
# (Nothing is needed)
# (Default values are used, so no configuration is required)
#
# o Set OGS_LOG_ERROR to all domain level
# - `level` can be set with none, fatal, error, warn, info, debug, trace
# logger:
# level: error
#
# o Set OGS_LOG_DEBUG to mme/emm domain level
# logger:
# level: debug
# domain: mme,emm
#
# o Set OGS_LOG_TRACE to all domain level
# logger:
# level: trace
# domain: core,sbi,nssf,event,tlv,mem,sock
# domain: core,sbi,ausf,event,tlv,mem,sock
#
logger:
file: @localstatedir@/log/open5gs/nssf.log
#
# tls:
# enabled: auto|yes|no
# - auto: Default. Use TLS only if key/cert is available
# - yes: Use TLS always;
# reject if no key/cert available
# - no: Don't use TLS if there is an key/cert available
# o TLS enable/disable
# sbi:
# server|client:
# no_tls: false|true
# - false: (Default) Use TLS
# - true: TLS disabled
#
# o Server-side Key and Certficiate
# o Verification enable/disable
# sbi:
# server|client:
# no_verify: false|true
# - false: (Default) Verify the PEER
# - true: Skip the verification step
#
# o Server-side does not use TLS
# sbi:
# server:
# key: /etc/open5gs/tls/nssf.key
# cert: /etc/open5gs/tls/nssf.crt
# no_tls: true
#
# o Client-side does not use TLS
# o Client-side skips the verification step
# sbi:
# client:
# enabled: no
# key: /etc/open5gs/tls/nssf.key
# cert: /etc/open5gs/tls/nssf.crt
# no_verify: true
# key: /etc/open5gs/tls/amf.key
# cert: /etc/open5gs/tls/amf.crt
#
# o Use the specified certificate to verify client
# o Use the specified certificate while verifying the client
# sbi:
# server
# cacert: /etc/open5gs/tls/ca.crt
#
# o Use the specified certificate to verify server
# o Use the specified certificate while verifying the server
# sbi:
# client
# cacert: /etc/open5gs/tls/ca.crt
#
tls:
enabled: no
sbi:
server:
no_tls: true
cacert: @sysconfdir@/open5gs/tls/ca.crt
key: @sysconfdir@/open5gs/tls/nssf.key
cert: @sysconfdir@/open5gs/tls/nssf.crt
client:
no_tls: true
cacert: @sysconfdir@/open5gs/tls/ca.crt
key: @sysconfdir@/open5gs/tls/nssf.key
cert: @sysconfdir@/open5gs/tls/nssf.crt
#
# nssf:
#
# <SBI Server>
#
# o SBI Server(http://<all address available>:80)
# sbi:
# server:
# no_tls: true
# nssf:
# sbi:
#
# o SBI Server(http://<any address>:7777)
# sbi:
# server:
# no_tls: true
# nssf:
# sbi:
# - addr:
# - 0.0.0.0
@ -75,48 +93,67 @@ tls:
# port: 7777
#
# o SBI Server(https://<all address available>:443)
# tls:
# sbi:
# server:
# key: /etc/open5gs/tls/nssf.key
# cert: /etc/open5gs/tls/nssf.crt
# nssf:
# sbi:
#
# o SBI Server(http://127.0.0.5:80, http://[::1]:80)
# tls:
# enabled: no
# o SBI Server(https://127.0.0.14:443, https://[::1]:443) without verification
# sbi:
# server:
# no_verify: true
# key: /etc/open5gs/tls/nssf.key
# cert: /etc/open5gs/tls/nssf.crt
# nssf:
# sbi:
# - addr: 127.0.0.5
# - addr: 127.0.0.14
# - addr: ::1
#
# o SBI Server(https://nssf.open5gs.org:443)
# Use the specified certificate to verify client
# Use the specified certificate while verifying the client
#
# tls:
# sbi:
# server:
# cacert: /etc/open5gs/tls/ca.crt
# key: /etc/open5gs/tls/nssf.key
# cert: /etc/open5gs/tls/nssf.crt
# nssf:
# sbi:
# - name: nssf.open5gs.org
#
# o SBI Server(http://127.0.0.14:7777)
# sbi:
# server:
# no_tls: true
# nssf:
# sbi:
# - addr: 127.0.0.14
# port: 7777
#
# o SBI Server(http://<eth0 IP address>:80)
# sbi:
# server:
# no_tls: true
# nssf:
# sbi:
# - dev: eth0
#
# o Provide custom SBI address to be advertised to NRF
# sbi:
# server:
# no_tls: true
# nssf:
# sbi:
# - dev: eth0
# advertise: open5gs-nssf.svc.local
#
# o Another example of advertising on NRF
# sbi:
# server:
# no_tls: true
# nssf:
# sbi:
# - addr: localhost
# advertise:
@ -127,6 +164,10 @@ tls:
# - tcp_nodelay : true
# - so_linger.l_onoff : false
#
# sbi:
# server:
# no_tls: true
# nssf:
# sbi:
# addr: 127.0.0.14
# option:
@ -141,6 +182,7 @@ tls:
# - NRF[http://::1:7777/nnrf-nfm/v1/nf-instances]
# NSSAI[SST:1]
#
# nssf:
# nsi:
# - addr: ::1
# port: 7777
@ -157,6 +199,7 @@ tls:
# 2. NRF[http://127.0.0.10:7777/nnrf-nfm/v1/nf-instances]
# NSSAI[SST:1, SD:009000]
#
# nssf:
# nsi:
# - addr: ::1
# port: 7777
@ -177,6 +220,7 @@ tls:
# - tcp_nodelay : true
# - so_linger.l_onoff : false
#
# nssf:
# nsi:
# addr: ::1
# option:
@ -188,9 +232,11 @@ tls:
# <NF Service>
#
# o NF Service Name(Default : all NF services available)
# nssf:
# service_name:
#
# o NF Service Name(Only some NF services are available)
# nssf:
# service_name:
# - nnssf-nsselection
#
@ -198,12 +244,21 @@ tls:
#
# o (Default) If you do not set Query Parameter as shown below,
#
# sbi:
# server:
# no_tls: true
# nssf:
# sbi:
# - addr: 127.0.0.14
# port: 7777
#
# - 'service-names' is included.
#
# o Service-Names are not included
# sbi:
# server:
# no_tls: true
# nssf:
# sbi:
# - addr: 127.0.0.14
# port: 7777
@ -222,6 +277,10 @@ tls:
#
# o (Default) If you do not set Delegated Discovery as shown below,
#
# sbi:
# server:
# no_tls: true
# nssf:
# sbi:
# - addr: 127.0.0.14
# port: 7777
@ -229,6 +288,10 @@ tls:
# - Use SCP if SCP avaiable. Otherwise NRF is used.
# => App fails if both NRF and SCP are unavailable.
#
# sbi:
# server:
# no_tls: true
# nssf:
# sbi:
# - addr: 127.0.0.14
# port: 7777
@ -251,32 +314,37 @@ nssf:
s_nssai:
sst: 1
#
# scp:
#
# <SBI Client>>
#
# o SBI Client(http://127.0.1.10:7777)
# sbi:
# client:
# no_tls: true
# scp:
# sbi:
# addr: 127.0.1.10
# port: 7777
#
# o SBI Client(https://127.0.1.10:443, https://[::1]:443)
# tls:
# o SBI Client(https://127.0.1.10:443, https://[::1]:443) without verification
# sbi:
# client:
# key: /etc/open5gs/tls/nssf.key
# cert: /etc/open5gs/tls/nssf.crt
# no_verify: true
# key: /etc/open5gs/tls/amf.key
# cert: /etc/open5gs/tls/amf.crt
# scp:
# sbi:
# - addr: 127.0.1.10
# - addr: ::1
#
# o SBI Client(https://scp.open5gs.org:443)
# Use the specified certificate to verify server
# Use the specified certificate while verifying the server
#
# tls:
# sbi:
# client:
# cacert: /etc/open5gs/tls/ca.crt
# key: /etc/open5gs/tls/amf.key
# cert: /etc/open5gs/tls/amf.crt
# scp:
# sbi:
# - name: scp.open5gs.org
@ -284,6 +352,10 @@ nssf:
# o SBI Client(http://[fd69:f21d:873c:fb::1]:80)
# If prefer_ipv4 is true, http://127.0.1.10:80 is selected.
#
# sbi:
# client:
# no_tls: true
# scp:
# sbi:
# addr:
# - 127.0.1.10
@ -293,6 +365,10 @@ nssf:
# - tcp_nodelay : true
# - so_linger.l_onoff : false
#
# sbi:
# client:
# no_tls: true
# scp:
# sbi:
# addr: 127.0.1.10
# option:
@ -307,32 +383,37 @@ scp:
- addr: 127.0.1.10
port: 7777
#
# nrf:
#
# <SBI Client>>
#
# o SBI Client(http://127.0.0.10:7777)
# sbi:
# client:
# no_tls: true
# nrf:
# sbi:
# addr: 127.0.0.10
# port: 7777
#
# o SBI Client(https://127.0.0.10:443, https://[::1]:443)
# tls:
# o SBI Client(https://127.0.0.10:443, https://[::1]:443) without verification
# sbi:
# client:
# key: /etc/open5gs/tls/nssf.key
# cert: /etc/open5gs/tls/nssf.crt
# no_verify: true
# key: /etc/open5gs/tls/amf.key
# cert: /etc/open5gs/tls/amf.crt
# nrf:
# sbi:
# - addr: 127.0.0.10
# - addr: ::1
#
# o SBI Client(https://nrf.open5gs.org:443)
# Use the specified certificate to verify server
# Use the specified certificate while verifying the server
#
# tls:
# sbi:
# client:
# cacert: /etc/open5gs/tls/ca.crt
# key: /etc/open5gs/tls/amf.key
# cert: /etc/open5gs/tls/amf.crt
# nrf:
# sbi:
# - name: nrf.open5gs.org
@ -345,6 +426,22 @@ scp:
# - 127.0.0.10
# - fd69:f21d:873c:fa::1
#
# o SBI Option (Default)
# - tcp_nodelay : true
# - so_linger.l_onoff : false
#
# sbi:
# client:
# no_tls: true
# nrf:
# sbi:
# addr: 127.0.0.10
# option:
# tcp_nodelay: false
# so_linger:
# l_onoff: true
# l_linger: 10
#
#nrf:
# sbi:
# - addr:
@ -352,55 +449,51 @@ scp:
# - ::1
# port: 7777
#
# parameter:
#
# o Disable use of IPv4 addresses (only IPv6)
# no_ipv4: true
# parameter:
# no_ipv4: true
#
# o Disable use of IPv6 addresses (only IPv4)
# no_ipv6: true
# parameter:
# no_ipv6: true
#
# o Prefer IPv4 instead of IPv6 for estabishing new GTP connections.
# prefer_ipv4: true
# parameter:
# prefer_ipv4: true
#
parameter:
#
# max:
#
# o Maximum Number of UE
# o Maximum Number of UE
# max:
# ue: 1024
# o Maximum Number of Peer(S1AP/NGAP, DIAMETER, GTP, PFCP or SBI)
#
# o Maximum Number of Peer(S1AP/NGAP, DIAMETER, GTP, PFCP or SBI)
# max:
# peer: 64
#
max:
#
# time:
#
# o NF Instance Heartbeat (Default : 0)
# NFs will not send heart-beat timer in NFProfile
# NRF will send heart-beat timer in NFProfile
# (Default values are used, so no configuration is required)
#
# o NF Instance Heartbeat (20 seconds)
# NFs will send heart-beat timer (20 seconds) in NFProfile
# NRF can change heart-beat timer in NFProfile
#
# time:
# nf_instance:
# heartbeat: 20
#
# o NF Instance Heartbeat (Disabled)
# nf_instance:
# heartbeat: 0
#
# o NF Instance Heartbeat (10 seconds)
# nf_instance:
# heartbeat: 10
#
# o Message Wait Duration (Default : 10,000 ms = 10 seconds)
# (Default values are used, so no configuration is required)
#
# o Message Wait Duration (3000 ms)
# time:
# message:
# duration: 3000
time:

139
configs/open5gs/pcf.yaml.in
View File

@ -1,75 +1,93 @@
db_uri: mongodb://localhost/open5gs
#
# logger:
#
# o Set OGS_LOG_INFO to all domain level
# - If `level` is omitted, the default level is OGS_LOG_INFO)
# - If `domain` is omitted, the all domain level is set from 'level'
# (Nothing is needed)
# (Default values are used, so no configuration is required)
#
# o Set OGS_LOG_ERROR to all domain level
# - `level` can be set with none, fatal, error, warn, info, debug, trace
# logger:
# level: error
#
# o Set OGS_LOG_DEBUG to mme/emm domain level
# logger:
# level: debug
# domain: mme,emm
#
# o Set OGS_LOG_TRACE to all domain level
# logger:
# level: trace
# domain: core,sbi,pcf,event,tlv,mem,sock
# domain: core,sbi,ausf,event,tlv,mem,sock
#
logger:
file: @localstatedir@/log/open5gs/pcf.log
#
# tls:
# enabled: auto|yes|no
# - auto: Default. Use TLS only if key/cert is available
# - yes: Use TLS always;
# reject if no key/cert available
# - no: Don't use TLS if there is an key/cert available
# o TLS enable/disable
# sbi:
# server|client:
# no_tls: false|true
# - false: (Default) Use TLS
# - true: TLS disabled
#
# o Server-side Key and Certficiate
# o Verification enable/disable
# sbi:
# server|client:
# no_verify: false|true
# - false: (Default) Verify the PEER
# - true: Skip the verification step
#
# o Server-side does not use TLS
# sbi:
# server:
# key: /etc/open5gs/tls/pcf.key
# cert: /etc/open5gs/tls/pcf.crt
# no_tls: true
#
# o Client-side does not use TLS
# o Client-side skips the verification step
# sbi:
# client:
# enabled: no
# key: /etc/open5gs/tls/pcf.key
# cert: /etc/open5gs/tls/pcf.crt
# no_verify: true
# key: /etc/open5gs/tls/amf.key
# cert: /etc/open5gs/tls/amf.crt
#
# o Use the specified certificate to verify client
# o Use the specified certificate while verifying the client
# sbi:
# server
# cacert: /etc/open5gs/tls/ca.crt
#
# o Use the specified certificate to verify server
# o Use the specified certificate while verifying the server
# sbi:
# client
# cacert: /etc/open5gs/tls/ca.crt
#
tls:
enabled: no
sbi:
server:
no_tls: true
cacert: @sysconfdir@/open5gs/tls/ca.crt
key: @sysconfdir@/open5gs/tls/pcf.key
cert: @sysconfdir@/open5gs/tls/pcf.crt
client:
no_tls: true
cacert: @sysconfdir@/open5gs/tls/ca.crt
key: @sysconfdir@/open5gs/tls/pcf.key
cert: @sysconfdir@/open5gs/tls/pcf.crt
#
# pcf:
#
# <SBI Server>
#
# o SBI Server(http://<all address available>:80)
# sbi:
# server:
# no_tls: true
# pcf:
# sbi:
#
# o SBI Server(http://<any address>:7777)
# sbi:
# server:
# no_tls: true
# pcf:
# sbi:
# - addr:
# - 0.0.0.0
@ -77,48 +95,67 @@ tls:
# port: 7777
#
# o SBI Server(https://<all address available>:443)
# tls:
# sbi:
# server:
# key: /etc/open5gs/tls/pcf.key
# cert: /etc/open5gs/tls/pcf.crt
# pcf:
# sbi:
#
# o SBI Server(http://127.0.0.5:80, http://[::1]:80)
# tls:
# enabled: no
# o SBI Server(https://127.0.0.13:443, https://[::1]:443) without verification
# sbi:
# server:
# no_verify: true
# key: /etc/open5gs/tls/pcf.key
# cert: /etc/open5gs/tls/pcf.crt
# pcf:
# sbi:
# - addr: 127.0.0.5
# - addr: 127.0.0.13
# - addr: ::1
#
# o SBI Server(https://pcf.open5gs.org:443)
# Use the specified certificate to verify client
# Use the specified certificate while verifying the client
#
# tls:
# sbi:
# server:
# cacert: /etc/open5gs/tls/ca.crt
# key: /etc/open5gs/tls/pcf.key
# cert: /etc/open5gs/tls/pcf.crt
# pcf:
# sbi:
# - name: pcf.open5gs.org
#
# o SBI Server(http://127.0.0.13:7777)
# sbi:
# server:
# no_tls: true
# pcf:
# sbi:
# - addr: 127.0.0.13
# port: 7777
#
# o SBI Server(http://<eth0 IP address>:80)
# sbi:
# server:
# no_tls: true
# pcf:
# sbi:
# - dev: eth0
#
# o Provide custom SBI address to be advertised to NRF
# sbi:
# server:
# no_tls: true
# pcf:
# sbi:
# - dev: eth0
# advertise: open5gs-pcf.svc.local
#
# o Another example of advertising on NRF
# sbi:
# server:
# no_tls: true
# pcf:
# sbi:
# - addr: localhost
# advertise:
@ -129,6 +166,10 @@ tls:
# - tcp_nodelay : true
# - so_linger.l_onoff : false
#
# sbi:
# server:
# no_tls: true
# pcf:
# sbi:
# addr: 127.0.0.13
# option:
@ -140,9 +181,11 @@ tls:
# <NF Service>
#
# o NF Service Name(Default : all NF services available)
# pcf:
# service_name:
#
# o NF Service Name(Only some NF services are available)
# pcf:
# service_name:
# - npcf-am-policy-control
# - npcf-smpolicycontrol
@ -181,6 +224,10 @@ tls:
#
# o (Default) If you do not set Delegated Discovery as shown below,
#
# sbi:
# server:
# no_tls: true
# pcf:
# sbi:
# - addr: 127.0.0.13
# port: 7777
@ -188,6 +235,10 @@ tls:
# - Use SCP if SCP avaiable. Otherwise NRF is used.
# => App fails if both NRF and SCP are unavailable.
#
# sbi:
# server:
# no_tls: true
# pcf:
# sbi:
# - addr: 127.0.0.13
# port: 7777
@ -200,9 +251,11 @@ tls:
# o Don't use SCP server => App fails if no NRF available.
# delegated: no
#
#
# <Metrics Server>
#
# o Metrics Server(http://<any address>:9090)
# pcf:
# metrics:
# - addr: 0.0.0.0
# port: 9090
@ -324,47 +377,51 @@ scp:
# - ::1
# port: 7777
#
# parameter:
#
# o Disable use of IPv4 addresses (only IPv6)
# no_ipv4: true
# parameter:
# no_ipv4: true
#
# o Disable use of IPv6 addresses (only IPv4)
# no_ipv6: true
# parameter:
# no_ipv6: true
#
# o Prefer IPv4 instead of IPv6 for estabishing new GTP connections.
# prefer_ipv4: true
# parameter:
# prefer_ipv4: true
#
parameter:
#
# max:
#
# o Maximum Number of UE
# o Maximum Number of UE
# max:
# ue: 1024
# o Maximum Number of Peer(S1AP/NGAP, DIAMETER, GTP, PFCP or SBI)
#
# o Maximum Number of Peer(S1AP/NGAP, DIAMETER, GTP, PFCP or SBI)
# max:
# peer: 64
#
max:
#
# time:
#
# o NF Instance Heartbeat (Default : 0)
# NFs will not send heart-beat timer in NFProfile
# NRF will send heart-beat timer in NFProfile
# (Default values are used, so no configuration is required)
#
# o NF Instance Heartbeat (20 seconds)
# NFs will send heart-beat timer (20 seconds) in NFProfile
# NRF can change heart-beat timer in NFProfile
#
# time:
# nf_instance:
# heartbeat: 20
#
# o Message Wait Duration (Default : 10,000 ms = 10 seconds)
# (Default values are used, so no configuration is required)
#
# o Message Wait Duration (3000 ms)
# time:
# message:
# duration: 3000
time:

30
configs/open5gs/pcrf.yaml.in
View File

@ -1,50 +1,54 @@
db_uri: mongodb://localhost/open5gs
#
# logger:
#
# o Set OGS_LOG_INFO to all domain level
# - If `level` is omitted, the default level is OGS_LOG_INFO)
# - If `domain` is omitted, the all domain level is set from 'level'
# (Nothing is needed)
# (Default values are used, so no configuration is required)
#
# o Set OGS_LOG_ERROR to all domain level
# - `level` can be set with none, fatal, error, warn, info, debug, trace
# logger:
# level: error
#
# o Set OGS_LOG_DEBUG to mme/emm domain level
# logger:
# level: debug
# domain: mme,emm
#
# o Set OGS_LOG_TRACE to all domain level
# logger:
# level: trace
# domain: core,fd,pcrf,event,mem,sock
# domain: core,sbi,ausf,event,tlv,mem,sock
#
logger:
file: @localstatedir@/log/open5gs/pcrf.log
pcrf:
freeDiameter: @sysconfdir@/freeDiameter/pcrf.conf
#
# parameter:
#
# o Disable use of IPv4 addresses (only IPv6)
# no_ipv4: true
# parameter:
# no_ipv4: true
#
# o Disable use of IPv6 addresses (only IPv4)
# no_ipv6: true
# parameter:
# no_ipv6: true
#
# o Prefer IPv4 instead of IPv6 for estabishing new GTP connections.
# prefer_ipv4: true
# parameter:
# prefer_ipv4: true
#
parameter:
#
# max:
#
# o Maximum Number of UE
# o Maximum Number of UE
# max:
# ue: 1024
# o Maximum Number of Peer(S1AP/NGAP, DIAMETER, GTP, PFCP or SBI)
#
# o Maximum Number of Peer(S1AP/NGAP, DIAMETER, GTP, PFCP or SBI)
# max:
# peer: 64
#
max:

217
configs/open5gs/scp.yaml.in
View File

@ -1,75 +1,93 @@
db_uri: mongodb://localhost/open5gs
#
# logger:
#
# o Set OGS_LOG_INFO to all domain level
# - If `level` is omitted, the default level is OGS_LOG_INFO)
# - If `domain` is omitted, the all domain level is set from 'level'
# (Nothing is needed)
# (Default values are used, so no configuration is required)
#
# o Set OGS_LOG_ERROR to all domain level
# - `level` can be set with none, fatal, error, warn, info, debug, trace
# logger:
# level: error
#
# o Set OGS_LOG_DEBUG to mme/emm domain level
# logger:
# level: debug
# domain: mme,emm
#
# o Set OGS_LOG_TRACE to all domain level
# logger:
# level: trace
# domain: core,sbi,scp,event,tlv,mem,sock
# domain: core,sbi,ausf,event,tlv,mem,sock
#
logger:
file: @localstatedir@/log/open5gs/scp.log
#
# tls:
# enabled: auto|yes|no
# - auto: Default. Use TLS only if key/cert is available
# - yes: Use TLS always;
# reject if no key/cert available
# - no: Don't use TLS if there is an key/cert available
# o TLS enable/disable
# sbi:
# server|client:
# no_tls: false|true
# - false: (Default) Use TLS
# - true: TLS disabled
#
# o Server-side Key and Certficiate
# o Verification enable/disable
# sbi:
# server|client:
# no_verify: false|true
# - false: (Default) Verify the PEER
# - true: Skip the verification step
#
# o Server-side does not use TLS
# sbi:
# server:
# key: /etc/open5gs/tls/scp.key
# cert: /etc/open5gs/tls/scp.crt
# no_tls: true
#
# o Client-side does not use TLS
# o Client-side skips the verification step
# sbi:
# client:
# enabled: no
# key: /etc/open5gs/tls/scp.key
# cert: /etc/open5gs/tls/scp.crt
# no_verify: true
# key: /etc/open5gs/tls/amf.key
# cert: /etc/open5gs/tls/amf.crt
#
# o Use the specified certificate to verify client
# o Use the specified certificate while verifying the client
# sbi:
# server
# cacert: /etc/open5gs/tls/ca.crt
#
# o Use the specified certificate to verify server
# o Use the specified certificate while verifying the server
# sbi:
# client
# cacert: /etc/open5gs/tls/ca.crt
#
tls:
enabled: no
sbi:
server:
no_tls: true
cacert: @sysconfdir@/open5gs/tls/ca.crt
key: @sysconfdir@/open5gs/tls/scp.key
cert: @sysconfdir@/open5gs/tls/scp.crt
client:
no_tls: true
cacert: @sysconfdir@/open5gs/tls/ca.crt
key: @sysconfdir@/open5gs/tls/scp.key
cert: @sysconfdir@/open5gs/tls/scp.crt
#
# scp:
#
# <SBI Server>
#
# o SBI Server(http://<all address available>:80)
# sbi:
# server:
# no_tls: true
# scp:
# sbi:
#
# o SBI Server(http://<any address>:7777)
# sbi:
# server:
# no_tls: true
# scp:
# sbi:
# - addr:
# - 0.0.0.0
@ -77,48 +95,67 @@ tls:
# port: 7777
#
# o SBI Server(https://<all address available>:443)
# tls:
# sbi:
# server:
# key: /etc/open5gs/tls/scp.key
# cert: /etc/open5gs/tls/scp.crt
# scp:
# sbi:
#
# o SBI Server(http://127.0.0.5:80, http://[::1]:80)
# tls:
# enabled: no
# o SBI Server(https://127.0.1.10:443, https://[::1]:443) without verification
# sbi:
# server:
# no_verify: true
# key: /etc/open5gs/tls/scp.key
# cert: /etc/open5gs/tls/scp.crt
# scp:
# sbi:
# - addr: 127.0.0.5
# - addr: 127.0.1.10
# - addr: ::1
#
# o SBI Server(https://scp.open5gs.org:443)
# Use the specified certificate to verify client
# Use the specified certificate while verifying the client
#
# tls:
# sbi:
# server:
# cacert: /etc/open5gs/tls/ca.crt
# key: /etc/open5gs/tls/scp.key
# cert: /etc/open5gs/tls/scp.crt
# scp:
# sbi:
# - name: scp.open5gs.org
#
# o SBI Server(http://127.0.1.10:7777)
# sbi:
# server:
# no_tls: true
# scp:
# sbi:
# - addr: 127.0.1.10
# port: 7777
#
# o SBI Server(http://<eth0 IP address>:80)
# sbi:
# server:
# no_tls: true
# scp:
# sbi:
# - dev: eth0
#
# o Provide custom SBI address to be advertised to NRF
# sbi:
# server:
# no_tls: true
# scp:
# sbi:
# - dev: eth0
# advertise: open5gs-scp.svc.local
#
# o Another example of advertising on NRF
# sbi:
# server:
# no_tls: true
# scp:
# sbi:
# - addr: localhost
# advertise:
@ -129,6 +166,10 @@ tls:
# - tcp_nodelay : true
# - so_linger.l_onoff : false
#
# sbi:
# server:
# no_tls: true
# scp:
# sbi:
# addr: 127.0.1.10
# option:
@ -141,6 +182,10 @@ tls:
#
# o (Default) If you do not set Delegated Discovery as shown below,
#
# sbi:
# server:
# no_tls: true
# scp:
# sbi:
# - addr: 127.0.1.10
# port: 7777
@ -148,6 +193,10 @@ tls:
# - Use SCP if SCP avaiable. Otherwise NRF is used.
# => App fails if both NRF and SCP are unavailable.
#
# sbi:
# server:
# no_tls: true
# scp:
# sbi:
# - addr: 127.0.1.10
# port: 7777
@ -165,82 +214,104 @@ scp:
- addr: 127.0.1.10
port: 7777
#
# next_scp:
#
# <Next hop SCP>
#
# o SBI Client(http://127.0.1.11:7777)
# o SBI Client(http://127.0.1.10:7777)
# sbi:
# client:
# no_tls: true
# next_scp:
# sbi:
# addr: 127.0.1.11
# addr: 127.0.1.10
# port: 7777
#
# o SBI Client(https://127.0.1.11:443, https://[::1]:443)
# tls:
# o SBI Client(https://127.0.1.10:443, https://[::1]:443) without verification
# sbi:
# client:
# key: /etc/open5gs/tls/next-scp.key
# cert: /etc/open5gs/tls/next-scp.crt
# scp:
# no_verify: true
# key: /etc/open5gs/tls/amf.key
# cert: /etc/open5gs/tls/amf.crt
# next_scp:
# sbi:
# - addr: 127.0.1.11
# - addr: 127.0.1.10
# - addr: ::1
#
# o SBI Client(http://next-scp.open5gs.org:443)
# Use the specified certificate to verify server
# o SBI Client(https://scp.open5gs.org:443)
# Use the specified certificate while verifying the server
#
# tls:
# sbi:
# client:
# cacert: /etc/open5gs/tls/ca.crt
# scp:
# key: /etc/open5gs/tls/amf.key
# cert: /etc/open5gs/tls/amf.crt
# next_scp:
# sbi:
# - name: scp.open5gs.org
#
# o SBI Client(http://[fd69:f21d:873c:fb::1]:80)
# If prefer_ipv4 is true, http://127.0.1.11:80 is selected.
# If prefer_ipv4 is true, http://127.0.1.10:80 is selected.
#
# sbi:
# client:
# no_tls: true
# next_scp:
# sbi:
# addr:
# - 127.0.1.11
# - 127.0.1.10
# - fd69:f21d:873c:fb::1
#
# o SBI Option (Default)
# - tcp_nodelay : true
# - so_linger.l_onoff : false
#
# sbi:
# client:
# no_tls: true
# next_scp:
# sbi:
# addr: 127.0.1.11
# addr: 127.0.1.10
# option:
# tcp_nodelay: false
# so_linger:
# l_onoff: true
# l_linger: 10
#
#
# nrf:
#
# <SBI Client>>
#
# o SBI Client(http://127.0.0.10:7777)
# sbi:
# client:
# no_tls: true
# nrf:
# sbi:
# addr: 127.0.0.10
# port: 7777
#
# o SBI Client(https://127.0.0.10:443, http://nrf.open5gs.org:80)
# o SBI Client(https://127.0.0.10:443, https://[::1]:443) without verification
# sbi:
# client:
# no_verify: true
# key: /etc/open5gs/tls/amf.key
# cert: /etc/open5gs/tls/amf.crt
# nrf:
# sbi:
# - addr: 127.0.0.10
# tls:
# key: /etc/open5gs/tls/scp.key
# cert: /etc/open5gs/tls/scp.crt
# - name: nrf.open5gs.org
# - addr: ::1
#
# o SBI Client(https://nrf.open5gs.org:443)
# Use the specified certificate to verify peer
# Use the specified certificate while verifying the server
#
# sbi:
# client:
# cacert: /etc/open5gs/tls/ca.crt
# key: /etc/open5gs/tls/amf.key
# cert: /etc/open5gs/tls/amf.crt
# nrf:
# sbi:
# - name: nrf.open5gs.org
# tls:
# cacert: /etc/open5gs/tls/ca.crt
#
# o SBI Client(http://[fd69:f21d:873c:fa::1]:80)
# If prefer_ipv4 is true, http://127.0.0.10:80 is selected.
@ -254,6 +325,10 @@ scp:
# - tcp_nodelay : true
# - so_linger.l_onoff : false
#
# sbi:
# client:
# no_tls: true
# nrf:
# sbi:
# addr: 127.0.0.10
# option:
@ -269,47 +344,51 @@ nrf:
- ::1
port: 7777
#
# parameter:
#
# o Disable use of IPv4 addresses (only IPv6)
# no_ipv4: true
# parameter:
# no_ipv4: true
#
# o Disable use of IPv6 addresses (only IPv4)
# no_ipv6: true
# parameter:
# no_ipv6: true
#
# o Prefer IPv4 instead of IPv6 for estabishing new GTP connections.
# prefer_ipv4: true
# parameter:
# prefer_ipv4: true
#
parameter:
#
# max:
#
# o Maximum Number of UE
# o Maximum Number of UE
# max:
# ue: 1024
# o Maximum Number of Peer(S1AP/NGAP, DIAMETER, GTP, PFCP or SBI)
#
# o Maximum Number of Peer(S1AP/NGAP, DIAMETER, GTP, PFCP or SBI)
# max:
# peer: 64
#
max:
#
# time:
#
# o NF Instance Heartbeat (Default : 0)
# NFs will not send heart-beat timer in NFProfile
# NRF will send heart-beat timer in NFProfile
# (Default values are used, so no configuration is required)
#
# o NF Instance Heartbeat (20 seconds)
# NFs will send heart-beat timer (20 seconds) in NFProfile
# NRF can change heart-beat timer in NFProfile
#
# time:
# nf_instance:
# heartbeat: 20
#
# o Message Wait Duration (Default : 10,000 ms = 10 seconds)
# (Default values are used, so no configuration is required)
#
# o Message Wait Duration (3000 ms)
# time:
# message:
# duration: 3000
time:

52
configs/open5gs/sgwc.yaml.in
View File

@ -1,32 +1,32 @@
#
# logger:
#
# o Set OGS_LOG_INFO to all domain level
# - If `level` is omitted, the default level is OGS_LOG_INFO)
# - If `domain` is omitted, the all domain level is set from 'level'
# (Nothing is needed)
# (Default values are used, so no configuration is required)
#
# o Set OGS_LOG_ERROR to all domain level
# - `level` can be set with none, fatal, error, warn, info, debug, trace
# logger:
# level: error
#
# o Set OGS_LOG_DEBUG to mme/emm domain level
# logger:
# level: debug
# domain: mme,emm
#
# o Set OGS_LOG_TRACE to all domain level
# logger:
# level: trace
# domain: core,pfcp,gtp,sgwc,event,tlv,mem,sock
# domain: core,sbi,ausf,event,tlv,mem,sock
#
logger:
file: @localstatedir@/log/open5gs/sgwc.log
#
# sgwc:
#
# <GTP-C Server>
#
# o GTP-C Server(127.0.0.3:2123, [fd69:f21d:873c:fa::2]:2123)
# sgwc:
# gtpc:
# addr:
# - 127.0.0.3
@ -34,6 +34,7 @@ logger:
#
# o On SGW, Same Configuration(127.0.0.3:2123,
# [fd69:f21d:873c:fa::2]:2123) as below.
# sgwc:
# gtpc:
# - addr: 127.0.0.3
# - addr: fd69:f21d:873c:fa::2
@ -41,6 +42,7 @@ logger:
# o GTP-C Option (Default)
# - so_bindtodevice : NULL
#
# sgwc:
# gtpc:
# addr: 127.0.0.3
# option:
@ -49,17 +51,20 @@ logger:
# <PFCP Server>
#
# o PFCP Server(127.0.0.3:8805, ::1:8805)
# sgwc:
# pfcp:
# - addr: 127.0.0.3
# - addr: ::1
#
# o PFCP-U Server(127.0.0.1:2152, [::1]:2152)
# sgwc:
# pfcp:
# name: localhost
#
# o PFCP Option (Default)
# - so_bindtodevice : NULL
#
# sgwc:
# pfcp:
# addr: 127.0.0.3
# option:
@ -71,13 +76,11 @@ sgwc:
pfcp:
- addr: 127.0.0.3
#
# sgwu:
#
# <PFCP Client>>
#
# o PFCP Client(127.0.0.6:8805)
#
# sgwu:
# pfcp:
# addr: 127.0.0.6
#
@ -122,41 +125,46 @@ sgwu:
pfcp:
- addr: 127.0.0.6
#
# parameter:
#
# o Disable use of IPv4 addresses (only IPv6)
# no_ipv4: true
# parameter:
# no_ipv4: true
#
# o Disable use of IPv6 addresses (only IPv4)
# no_ipv6: true
# parameter:
# no_ipv6: true
#
# o Prefer IPv4 instead of IPv6 for estabishing new GTP connections.
# prefer_ipv4: true
# parameter:
# prefer_ipv4: true
#
# o Disable selection of SGW-U PFCP in Round-Robin manner
# no_pfcp_rr_select: true
# parameter:
# no_pfcp_rr_select: true
#
parameter:
#
# max:
#
# o Maximum Number of UE
# ue: 1024
# max:
# ue: 1024
#
# o Maximum Number of Peer(S1AP/NGAP, DIAMETER, GTP, PFCP or SBI)
# peer: 64
# max:
# peer: 64
#
# o Maximum Number of GTP peer nodes per SGWC/SMF
# gtp_peer: 64
# max:
# gtp_peer: 64
#
max:
#
# time:
#
# o Message Wait Duration (Default : 10,000 ms = 10 seconds)
# (Default values are used, so no configuration is required)
#
# o Message Wait Duration (3000 ms)
# time:
# message:
# duration: 3000
time:

48
configs/open5gs/sgwu.yaml.in
View File

@ -1,43 +1,45 @@
#
# logger:
#
# o Set OGS_LOG_INFO to all domain level
# - If `level` is omitted, the default level is OGS_LOG_INFO)
# - If `domain` is omitted, the all domain level is set from 'level'
# (Nothing is needed)
# (Default values are used, so no configuration is required)
#
# o Set OGS_LOG_ERROR to all domain level
# - `level` can be set with none, fatal, error, warn, info, debug, trace
# logger:
# level: error
#
# o Set OGS_LOG_DEBUG to mme/emm domain level
# logger:
# level: debug
# domain: mme,emm
#
# o Set OGS_LOG_TRACE to all domain level
# logger:
# level: trace
# domain: core,pfcp,gtp,sgwu,event,tlv,mem,sock
# domain: core,sbi,ausf,event,tlv,mem,sock
#
logger:
file: @localstatedir@/log/open5gs/sgwu.log
#
# sgwu:
#
# <PFCP Server>
#
# o PFCP Server(127.0.0.6:8805, ::1:8805)
# sgwu:
# pfcp:
# - addr: 127.0.0.6
# - addr: ::1
#
# o PFCP-U Server(127.0.0.1:2152, [::1]:2152)
# sgwu:
# pfcp:
# - name: localhost
#
# o PFCP Option (Default)
# - so_bindtodevice : NULL
#
# sgwu:
# pfcp:
# addr: 127.0.0.6
# option:
@ -51,10 +53,12 @@ logger:
# - addr: ::1
#
# o GTP-U Server(127.0.0.1:2152, [::1]:2152)
# sgwu:
# gtpu:
# - name: localhost
#
# o User Plane IP Resource information
# sgwu:
# gtpu:
# - addr:
# - 127.0.0.6
@ -70,20 +74,24 @@ logger:
# source_interface: 1
#
# o Provide custom SGW-U GTP-U address to be advertised inside S1AP messages
# sgwu:
# gtpu:
# - addr: 10.4.128.21
# advertise: 172.24.15.30
#
# sgwu:
# gtpu:
# - addr: 10.4.128.21
# advertise:
# - 127.0.0.1
# - ::1
#
# sgwu:
# gtpu:
# - addr: 10.4.128.21
# advertise: sgw1.epc.mnc001.mcc001.3gppnetwork.org
#
# sgwu:
# gtpu:
# - dev: ens3
# advertise: sgw1.epc.mnc001.mcc001.3gppnetwork.org
@ -91,6 +99,7 @@ logger:
# o GTP-U Option (Default)
# - so_bindtodevice : NULL
#
# sgwu:
# gtpu:
# addr: 127.0.0.6
# option:
@ -102,48 +111,49 @@ sgwu:
gtpu:
- addr: 127.0.0.6
#
# sgwc:
#
# <PFCP Client>>
#
# o PFCP Client(127.0.0.3:8805)
#
# sgwc:
# pfcp:
# addr: 127.0.0.3
#
sgwc:
#
# parameter:
#
# o Disable use of IPv4 addresses (only IPv6)
# no_ipv4: true
# parameter:
# no_ipv4: true
#
# o Disable use of IPv6 addresses (only IPv4)
# no_ipv6: true
# parameter:
# no_ipv6: true
#
# o Prefer IPv4 instead of IPv6 for estabishing new GTP connections.
# prefer_ipv4: true
# parameter:
# prefer_ipv4: true
#
parameter:
#
# max:
#
# o Maximum Number of UE
# ue: 1024
# max:
# ue: 1024
#
# o Maximum Number of Peer(S1AP/NGAP, DIAMETER, GTP, PFCP or SBI)
# peer: 64
# max:
# peer: 64
#
max:
#
# time:
#
# o Message Wait Duration (Default : 10,000 ms = 10 seconds)
# (Default values are used, so no configuration is required)
#
# o Message Wait Duration (3000 ms)
# time:
# message:
# duration: 3000
time:

256
configs/open5gs/smf.yaml.in
View File

@ -1,73 +1,91 @@
#
# logger:
#
# o Set OGS_LOG_INFO to all domain level
# - If `level` is omitted, the default level is OGS_LOG_INFO)
# - If `domain` is omitted, the all domain level is set from 'level'
# (Nothing is needed)
# (Default values are used, so no configuration is required)
#
# o Set OGS_LOG_ERROR to all domain level
# - `level` can be set with none, fatal, error, warn, info, debug, trace
# logger:
# level: error
#
# o Set OGS_LOG_DEBUG to mme/emm domain level
# logger:
# level: debug
# domain: mme,emm
#
# o Set OGS_LOG_TRACE to all domain level
# logger:
# level: trace
# domain: core,fd,pfcp,gtp,smf,event,tlv,mem,sock
# domain: core,sbi,ausf,event,tlv,mem,sock
#
logger:
file: @localstatedir@/log/open5gs/smf.log
#
# tls:
# enabled: auto|yes|no
# - auto: Default. Use TLS only if key/cert is available
# - yes: Use TLS always;
# reject if no key/cert available
# - no: Don't use TLS if there is an key/cert available
# o TLS enable/disable
# sbi:
# server|client:
# no_tls: false|true
# - false: (Default) Use TLS
# - true: TLS disabled
#
# o Server-side Key and Certficiate
# o Verification enable/disable
# sbi:
# server|client:
# no_verify: false|true
# - false: (Default) Verify the PEER
# - true: Skip the verification step
#
# o Server-side does not use TLS
# sbi:
# server:
# key: /etc/open5gs/tls/smf.key
# cert: /etc/open5gs/tls/smf.crt
# no_tls: true
#
# o Client-side does not use TLS
# o Client-side skips the verification step
# sbi:
# client:
# enabled: no
# key: /etc/open5gs/tls/smf.key
# cert: /etc/open5gs/tls/smf.crt
# no_verify: true
# key: /etc/open5gs/tls/amf.key
# cert: /etc/open5gs/tls/amf.crt
#
# o Use the specified certificate to verify client
# o Use the specified certificate while verifying the client
# sbi:
# server
# cacert: /etc/open5gs/tls/ca.crt
#
# o Use the specified certificate to verify server
# o Use the specified certificate while verifying the server
# sbi:
# client
# cacert: /etc/open5gs/tls/ca.crt
#
tls:
enabled: no
sbi:
server:
no_tls: true
cacert: @sysconfdir@/open5gs/tls/ca.crt
key: @sysconfdir@/open5gs/tls/smf.key
cert: @sysconfdir@/open5gs/tls/smf.crt
client:
no_tls: true
cacert: @sysconfdir@/open5gs/tls/ca.crt
key: @sysconfdir@/open5gs/tls/smf.key
cert: @sysconfdir@/open5gs/tls/smf.crt
#
# smf:
#
# <SBI Server>
#
# o SBI Server(http://<all address available>:80)
# sbi:
# server:
# no_tls: true
# smf:
# sbi:
#
# o SBI Server(http://<any address>:7777)
# sbi:
# server:
# no_tls: true
# smf:
# sbi:
# - addr:
# - 0.0.0.0
@ -75,48 +93,67 @@ tls:
# port: 7777
#
# o SBI Server(https://<all address available>:443)
# tls:
# sbi:
# server:
# key: /etc/open5gs/tls/smf.key
# cert: /etc/open5gs/tls/smf.crt
# smf:
# sbi:
#
# o SBI Server(http://127.0.0.5:80, http://[::1]:80)
# tls:
# enabled: no
# o SBI Server(https://127.0.0.4:443, https://[::1]:443) without verification
# sbi:
# server:
# no_verify: true
# key: /etc/open5gs/tls/smf.key
# cert: /etc/open5gs/tls/smf.crt
# smf:
# sbi:
# - addr: 127.0.0.5
# - addr: 127.0.0.4
# - addr: ::1
#
# o SBI Server(https://smf.open5gs.org:443)
# Use the specified certificate to verify client
# Use the specified certificate while verifying the client
#
# tls:
# sbi:
# server:
# cacert: /etc/open5gs/tls/ca.crt
# key: /etc/open5gs/tls/smf.key
# cert: /etc/open5gs/tls/smf.crt
# smf:
# sbi:
# - name: smf.open5gs.org
#
# o SBI Server(http://127.0.0.4:7777)
# sbi:
# server:
# no_tls: true
# smf:
# sbi:
# - addr: 127.0.0.4
# port: 7777
#
# o SBI Server(http://<eth0 IP address>:80)
# sbi:
# server:
# no_tls: true
# smf:
# sbi:
# - dev: eth0
#
# o Provide custom SBI address to be advertised to NRF
# sbi:
# server:
# no_tls: true
# smf:
# sbi:
# - dev: eth0
# advertise: open5gs-smf.svc.local
#
# o Another example of advertising on NRF
# sbi:
# server:
# no_tls: true
# smf:
# sbi:
# - addr: localhost
# advertise:
@ -127,6 +164,10 @@ tls:
# - tcp_nodelay : true
# - so_linger.l_onoff : false
#
# sbi:
# server:
# no_tls: true
# smf:
# sbi:
# addr: 127.0.0.4
# option:
@ -135,12 +176,15 @@ tls:
# l_onoff: true
# l_linger: 10
#
#
# <NF Service>
#
# o NF Service Name(Default : all NF services available)
# smf:
# service_name:
#
# o NF Service Name(Only some NF services are available)
# smf:
# service_name:
# - nsmf-pdusession
#
@ -148,12 +192,21 @@ tls:
#
# o (Default) If you do not set Query Parameter as shown below,
#
# sbi:
# server:
# no_tls: true
# smf:
# sbi:
# - addr: 127.0.0.4
# port: 7777
#
# - 'service-names' is included.
#
# o Service-Names are not included
# sbi:
# server:
# no_tls: true
# smf:
# sbi:
# - addr: 127.0.0.4
# port: 7777
@ -172,6 +225,10 @@ tls:
#
# o (Default) If you do not set Delegated Discovery as shown below,
#
# sbi:
# server:
# no_tls: true
# smf:
# sbi:
# - addr: 127.0.0.4
# port: 7777
@ -179,6 +236,10 @@ tls:
# - Use SCP if SCP avaiable. Otherwise NRF is used.
# => App fails if both NRF and SCP are unavailable.
#
# sbi:
# server:
# no_tls: true
# smf:
# sbi:
# - addr: 127.0.0.4
# port: 7777
@ -191,21 +252,23 @@ tls:
# o Don't use SCP server => App fails if no NRF available.
# delegated: no
#
#
# <PFCP Server>
#
# o PFCP Server(127.0.0.4:8805, ::1:8805)
# smf:
# pfcp:
# - addr: 127.0.0.4
# - addr: ::1
#
# o PFCP-U Server(127.0.0.1:2152, [::1]:2152)
# smf:
# pfcp:
# name: localhost
#
# o PFCP Option (Default)
# - so_bindtodevice : NULL
#
# smf:
# pfcp:
# addr: 127.0.0.4
# option:
@ -214,6 +277,7 @@ tls:
# <GTP-C Server>
#
# o GTP-C Server(127.0.0.4:2123, [fd69:f21d:873c:fa::3]:2123)
# smf:
# gtpc:
# addr:
# - 127.0.0.4
@ -221,6 +285,7 @@ tls:
#
# o On SMF, Same configuration
# (127.0.0.4:2123, [fd69:f21d:873c:fa::3]:2123).
# smf:
# gtpc:
# - addr: 127.0.0.4
# - addr: fd69:f21d:873c:fa::3
@ -228,6 +293,7 @@ tls:
# o GTP-C Option (Default)
# - so_bindtodevice : NULL
#
# smf:
# gtpc:
# addr: 127.0.0.4
# option:
@ -236,17 +302,20 @@ tls:
# <GTP-U Server>>
#
# o GTP-U Server(127.0.0.4:2152, [::1]:2152)
# smf:
# gtpu:
# - addr: 127.0.0.4
# - addr: ::1
#
# o GTP-U Server(127.0.0.1:2152, [::1]:2152)
# smf:
# gtpu:
# name: localhost
#
# o GTP-U Option (Default)
# - so_bindtodevice : NULL
#
# smf:
# gtpu:
# addr: 127.0.0.4
# option:
@ -255,6 +324,7 @@ tls:
# <Metrics Server>
#
# o Metrics Server(http://<any address>:9090)
# smf:
# metrics:
# - addr: 0.0.0.0
# port: 9090
@ -262,10 +332,12 @@ tls:
# <Subnet for UE Pool>
#
# o IPv4 Pool
# smf:
# subnet:
# addr: 10.45.0.1/16
#
# o IPv4/IPv6 Pool
# smf:
# subnet:
# - addr: 10.45.0.1/16
# - addr: 2001:db8:cafe::1/48
@ -274,6 +346,7 @@ tls:
# o Specific DNN/APN(e.g 'ims') uses 10.46.0.1/16, 2001:db8:babe::1/48
# ; If the UE has unknown DNN/APN(not internet/ims), SMF/UPF will crash.
#
# smf:
# subnet:
# - addr: 10.45.0.1/16
# dnn: internet
@ -287,6 +360,7 @@ tls:
# o Specific DNN/APN with the FALLBACK SUBNET(10.47.0.1/16)
# ; Note that put the FALLBACK SUBNET last to avoid SMF/UPF crash.
#
# smf:
# subnet:
# - addr: 10.45.0.1/16
# dnn: internet
@ -295,22 +369,26 @@ tls:
# - addr: 10.50.0.1/16 ## FALLBACK SUBNET
#
# o Pool Range Sample
# smf:
# subnet:
# - addr: 10.45.0.1/24
# range: 10.45.0.100-10.45.0.200
#
# smf:
# subnet:
# - addr: 10.45.0.1/24
# range:
# - 10.45.0.5-10.45.0.50
# - 10.45.0.100-
#
# smf:
# subnet:
# - addr: 10.45.0.1/24
# range:
# - -10.45.0.200
# - 10.45.0.210-10.45.0.220
#
# smf:
# subnet:
# - addr: 10.45.0.1/16
# range:
@ -325,6 +403,7 @@ tls:
#
# o Primary/Secondary can be configured. Others are ignored.
#
# smf:
# dns:
# - 8.8.8.8
# - 8.8.4.4
@ -343,6 +422,7 @@ tls:
#
# o Proxy Call Session Control Function
#
# smf:
# p-cscf:
# - 127.0.0.1
# - ::1
@ -356,6 +436,7 @@ tls:
# reject subscribers if no OCS available among Diameter peers
# o no: Don't use Gy interface if there is an OCS available
#
# smf:
# ctf:
# enabled: auto|yes|no
#
@ -368,6 +449,7 @@ tls:
# Note that if there is no SmfInfo, any AMF can select this SMF.
#
# o S-NSSAI[SST:1] and DNN[internet] - At least 1 DNN is required in S-NSSAI
# smf:
# info:
# - s_nssai:
# - sst: 1
@ -375,6 +457,7 @@ tls:
# - internet
#
# o S-NSSAI[SST:1 SD:009000] and DNN[internet or ims]
# smf:
# info:
# - s_nssai:
# - sst: 1
@ -384,6 +467,7 @@ tls:
# - ims
#
# o S-NSSAI[SST:1] and DNN[internet] and TAI[PLMN-ID:99970 TAC:1]
# smf:
# info:
# - s_nssai:
# - sst: 1
@ -400,6 +484,7 @@ tls:
# - S-NSSAI[SST:2 SD:000080] and DNN[internet or ims]
# - S-NSSAI[SST:4] and DNN[internet] and TAI[PLMN-ID:99970 TAC:10-20,30-40]
#
# smf:
# info:
# - s_nssai:
# - sst: 1
@ -430,6 +515,7 @@ tls:
# - 30-40
#
# o Complex Example
# smf:
# info:
# - s_nssai:
# - sst: 1
@ -497,6 +583,7 @@ tls:
# If you set the security_indication in smf.yaml,
# this information is delivered using PDU Session Resource Request Transfer IE
#
# smf:
# security_indication:
# integrity_protection_indication: required|preferred|not-needed
# confidentiality_protection_indication: required|preferred|not-needed
@ -532,35 +619,48 @@ smf:
enabled: auto
freeDiameter: @sysconfdir@/freeDiameter/smf.conf
#
# scp:
#
# <SBI Client>>
#
# o SBI Client(http://127.0.1.10:7777)
# sbi:
# client:
# no_tls: true
# scp:
# sbi:
# addr: 127.0.1.10
# port: 7777
#
# o SBI Client(https://127.0.1.10:443, http://scp.open5gs.org:80)
# o SBI Client(https://127.0.1.10:443, https://[::1]:443) without verification
# sbi:
# client:
# no_verify: true
# key: /etc/open5gs/tls/amf.key
# cert: /etc/open5gs/tls/amf.crt
# scp:
# sbi:
# - addr: 127.0.1.10
# tls:
# key: /etc/open5gs/tls/smf.key
# cert: /etc/open5gs/tls/smf.crt
# - name: scp.open5gs.org
# - addr: ::1
#
# o SBI Client(https://scp.open5gs.org:443)
# Use the specified certificate to verify peer
# Use the specified certificate while verifying the server
#
# sbi:
# client:
# cacert: /etc/open5gs/tls/ca.crt
# key: /etc/open5gs/tls/amf.key
# cert: /etc/open5gs/tls/amf.crt
# scp:
# sbi:
# - name: scp.open5gs.org
# tls:
# cacert: /etc/open5gs/tls/ca.crt
#
# o SBI Client(http://[fd69:f21d:873c:fb::1]:80)
# If prefer_ipv4 is true, http://127.0.1.10:80 is selected.
#
# sbi:
# client:
# no_tls: true
# scp:
# sbi:
# addr:
# - 127.0.1.10
@ -570,6 +670,10 @@ smf:
# - tcp_nodelay : true
# - so_linger.l_onoff : false
#
# sbi:
# client:
# no_tls: true
# scp:
# sbi:
# addr: 127.0.1.10
# option:
@ -584,32 +688,37 @@ scp:
- addr: 127.0.1.10
port: 7777
#
# nrf:
#
# <SBI Client>>
#
# o SBI Client(http://127.0.0.1:7777)
# o SBI Client(http://127.0.0.10:7777)
# sbi:
# client:
# no_tls: true
# nrf:
# sbi:
# addr: 127.0.0.10
# port: 7777
#
# o SBI Client(https://127.0.0.10:443, https://[::1]:443)
# tls:
# o SBI Client(https://127.0.0.10:443, https://[::1]:443) without verification
# sbi:
# client:
# key: /etc/open5gs/tls/smf.key
# cert: /etc/open5gs/tls/smf.crt
# no_verify: true
# key: /etc/open5gs/tls/amf.key
# cert: /etc/open5gs/tls/amf.crt
# nrf:
# sbi:
# - addr: 127.0.0.10
# - addr: ::1
#
# o SBI Client(https://nrf.open5gs.org:443)
# Use the specified certificate to verify server
# Use the specified certificate while verifying the server
#
# tls:
# sbi:
# client:
# cacert: /etc/open5gs/tls/ca.crt
# key: /etc/open5gs/tls/amf.key
# cert: /etc/open5gs/tls/amf.crt
# nrf:
# sbi:
# - name: nrf.open5gs.org
@ -626,6 +735,10 @@ scp:
# - tcp_nodelay : true
# - so_linger.l_onoff : false
#
# sbi:
# client:
# no_tls: true
# nrf:
# sbi:
# addr: 127.0.0.10
# option:
@ -641,13 +754,11 @@ scp:
# - ::1
# port: 7777
#
# upf:
#
# <PFCP Client>>
#
# o PFCP Client(127.0.0.7:8805)
#
# upf:
# pfcp:
# addr: 127.0.0.7
#
@ -697,56 +808,63 @@ upf:
pfcp:
- addr: 127.0.0.7
#
# parameter:
#
# o Disable use of IPv4 addresses (only IPv6)
# no_ipv4: true
# parameter:
# no_ipv4: true
#
# o Disable use of IPv6 addresses (only IPv4)
# no_ipv6: true
# parameter:
# no_ipv6: true
#
# o Prefer IPv4 instead of IPv6 for estabishing new GTP connections.
# prefer_ipv4: true
# parameter:
# prefer_ipv4: true
#
# o Disable selection of UPF PFCP in Round-Robin manner
# no_pfcp_rr_select: true
# parameter:
# no_pfcp_rr_select: true
#
# o Legacy support for pre-release LTE 11 devices
# - Omits adding local address in packet filters for compatibility
# no_ipv4v6_local_addr_in_packet_filter: true
# parameter:
# no_ipv4v6_local_addr_in_packet_filter: true
#
parameter:
#
# max:
#
# o Maximum Number of UE
# ue: 1024
# max:
# ue: 1024
#
# o Maximum Number of Peer(S1AP/NGAP, DIAMETER, GTP, PFCP or SBI)
# peer: 64
# max:
# peer: 64
#
# o Maximum Number of GTP peer nodes per SGWC/SMF
# gtp_peer: 64
# max:
# gtp_peer: 64
#
max:
#
# time:
#
# o NF Instance Heartbeat (Default : 0)
# NFs will not send heart-beat timer in NFProfile
# NRF will send heart-beat timer in NFProfile
# (Default values are used, so no configuration is required)
#
# o NF Instance Heartbeat (20 seconds)
# NFs will send heart-beat timer (20 seconds) in NFProfile
# NRF can change heart-beat timer in NFProfile
#
# time:
# nf_instance:
# heartbeat: 20
#
# o Message Wait Duration (Default : 10,000 ms = 10 seconds)
# (Default values are used, so no configuration is required)
#
# o Message Wait Duration (3000 ms)
# time:
# message:
# duration: 3000
#
@ -754,8 +872,10 @@ max:
# Time to wait for SMF to send
# PFCP Session Modification Request(Remove Indirect Tunnel) to the UPF
# after sending Nsmf_PDUSession_UpdateSMContext Response(hoState:COMPLETED)
# (Default values are used, so no configuration is required)
#
# o Handover Wait Duration (500ms)
# time:
# handover:
# duration: 500
time:

208
configs/open5gs/udm.yaml.in
View File

@ -1,60 +1,72 @@
#
# logger:
#
# o Set OGS_LOG_INFO to all domain level
# - If `level` is omitted, the default level is OGS_LOG_INFO)
# - If `domain` is omitted, the all domain level is set from 'level'
# (Nothing is needed)
# (Default values are used, so no configuration is required)
#
# o Set OGS_LOG_ERROR to all domain level
# - `level` can be set with none, fatal, error, warn, info, debug, trace
# logger:
# level: error
#
# o Set OGS_LOG_DEBUG to mme/emm domain level
# logger:
# level: debug
# domain: mme,emm
#
# o Set OGS_LOG_TRACE to all domain level
# logger:
# level: trace
# domain: core,sbi,udm,event,tlv,mem,sock
# domain: core,sbi,ausf,event,tlv,mem,sock
#
logger:
file: @localstatedir@/log/open5gs/udm.log
#
# tls:
# enabled: auto|yes|no
# - auto: Default. Use TLS only if key/cert is available
# - yes: Use TLS always;
# reject if no key/cert available
# - no: Don't use TLS if there is an key/cert available
# o TLS enable/disable
# sbi:
# server|client:
# no_tls: false|true
# - false: (Default) Use TLS
# - true: TLS disabled
#
# o Server-side Key and Certficiate
# o Verification enable/disable
# sbi:
# server|client:
# no_verify: false|true
# - false: (Default) Verify the PEER
# - true: Skip the verification step
#
# o Server-side does not use TLS
# sbi:
# server:
# key: /etc/open5gs/tls/udm.key
# cert: /etc/open5gs/tls/udm.crt
# no_tls: true
#
# o Client-side does not use TLS
# o Client-side skips the verification step
# sbi:
# client:
# enabled: no
# key: /etc/open5gs/tls/udm.key
# cert: /etc/open5gs/tls/udm.crt
# no_verify: true
# key: /etc/open5gs/tls/amf.key
# cert: /etc/open5gs/tls/amf.crt
#
# o Use the specified certificate to verify client
# o Use the specified certificate while verifying the client
# sbi:
# server
# cacert: /etc/open5gs/tls/ca.crt
#
# o Use the specified certificate to verify server
# o Use the specified certificate while verifying the server
# sbi:
# client
# cacert: /etc/open5gs/tls/ca.crt
#
tls:
enabled: no
sbi:
server:
no_tls: true
cacert: @sysconfdir@/open5gs/tls/ca.crt
key: @sysconfdir@/open5gs/tls/udm.key
cert: @sysconfdir@/open5gs/tls/udm.crt
client:
no_tls: true
cacert: @sysconfdir@/open5gs/tls/ca.crt
key: @sysconfdir@/open5gs/tls/udm.key
cert: @sysconfdir@/open5gs/tls/udm.crt
@ -114,15 +126,21 @@ hnet:
scheme: 2
key: @sysconfdir@/open5gs/hnet/secp256r1-6.key
#
# udm:
#
# <SBI Server>
#
# o SBI Server(http://<all address available>:80)
# sbi:
# server:
# no_tls: true
# udm:
# sbi:
#
# o SBI Server(http://<any address>:7777)
# sbi:
# server:
# no_tls: true
# udm:
# sbi:
# - addr:
# - 0.0.0.0
@ -130,48 +148,67 @@ hnet:
# port: 7777
#
# o SBI Server(https://<all address available>:443)
# tls:
# sbi:
# server:
# key: /etc/open5gs/tls/udm.key
# cert: /etc/open5gs/tls/udm.crt
# udm:
# sbi:
#
# o SBI Server(http://127.0.0.5:80, http://[::1]:80)
# tls:
# enabled: no
# o SBI Server(https://127.0.0.12:443, https://[::1]:443) without verification
# sbi:
# server:
# no_verify: true
# key: /etc/open5gs/tls/udm.key
# cert: /etc/open5gs/tls/udm.crt
# udm:
# sbi:
# - addr: 127.0.0.5
# - addr: 127.0.0.12
# - addr: ::1
#
# o SBI Server(https://udm.open5gs.org:443)
# Use the specified certificate to verify client
# Use the specified certificate while verifying the client
#
# tls:
# sbi:
# server:
# cacert: /etc/open5gs/tls/ca.crt
# key: /etc/open5gs/tls/udm.key
# cert: /etc/open5gs/tls/udm.crt
# udm:
# sbi:
# - name: udm.open5gs.org
#
# o SBI Server(http://127.0.0.12:7777)
# sbi:
# server:
# no_tls: true
# udm:
# sbi:
# - addr: 127.0.0.12
# port: 7777
#
# o SBI Server(http://<eth0 IP address>:80)
# sbi:
# server:
# no_tls: true
# udm:
# sbi:
# - dev: eth0
#
# o Provide custom SBI address to be advertised to NRF
# sbi:
# server:
# no_tls: true
# udm:
# sbi:
# - dev: eth0
# advertise: open5gs-udm.svc.local
#
# o Another example of advertising on NRF
# sbi:
# server:
# no_tls: true
# udm:
# sbi:
# - addr: localhost
# advertise:
@ -182,6 +219,10 @@ hnet:
# - tcp_nodelay : true
# - so_linger.l_onoff : false
#
# sbi:
# server:
# no_tls: true
# udm:
# sbi:
# addr: 127.0.0.12
# option:
@ -193,9 +234,11 @@ hnet:
# <NF Service>
#
# o NF Service Name(Default : all NF services available)
# udm:
# service_name:
#
# o NF Service Name(Only some NF services are available)
# udm:
# service_name:
# - nudm-sdm
# - nudm-uecm
@ -205,12 +248,21 @@ hnet:
#
# o (Default) If you do not set Query Parameter as shown below,
#
# sbi:
# server:
# no_tls: true
# udm:
# sbi:
# - addr: 127.0.0.12
# port: 7777
#
# - 'service-names' is included.
#
# o Service-Names are not included
# sbi:
# server:
# no_tls: true
# udm:
# sbi:
# - addr: 127.0.0.12
# port: 7777
@ -229,6 +281,10 @@ hnet:
#
# o (Default) If you do not set Delegated Discovery as shown below,
#
# sbi:
# server:
# no_tls: true
# udm:
# sbi:
# - addr: 127.0.0.12
# port: 7777
@ -236,6 +292,10 @@ hnet:
# - Use SCP if SCP avaiable. Otherwise NRF is used.
# => App fails if both NRF and SCP are unavailable.
#
# sbi:
# server:
# no_tls: true
# udm:
# sbi:
# - addr: 127.0.0.12
# port: 7777
@ -253,35 +313,48 @@ udm:
- addr: 127.0.0.12
port: 7777
#
# scp:
#
# <SBI Client>>
#
# o SBI Client(http://127.0.1.10:7777)
# sbi:
# client:
# no_tls: true
# scp:
# sbi:
# addr: 127.0.1.10
# port: 7777
#
# o SBI Client(https://127.0.1.10:443, http://scp.open5gs.org:80)
# o SBI Client(https://127.0.1.10:443, https://[::1]:443) without verification
# sbi:
# client:
# no_verify: true
# key: /etc/open5gs/tls/amf.key
# cert: /etc/open5gs/tls/amf.crt
# scp:
# sbi:
# - addr: 127.0.1.10
# tls:
# key: /etc/open5gs/tls/udm.key
# cert: /etc/open5gs/tls/udm.crt
# - name: scp.open5gs.org
# - addr: ::1
#
# o SBI Client(https://scp.open5gs.org:443)
# Use the specified certificate to verify peer
# Use the specified certificate while verifying the server
#
# sbi:
# client:
# cacert: /etc/open5gs/tls/ca.crt
# key: /etc/open5gs/tls/amf.key
# cert: /etc/open5gs/tls/amf.crt
# scp:
# sbi:
# - name: scp.open5gs.org
# tls:
# cacert: /etc/open5gs/tls/ca.crt
#
# o SBI Client(http://[fd69:f21d:873c:fb::1]:80)
# If prefer_ipv4 is true, http://127.0.1.10:80 is selected.
#
# sbi:
# client:
# no_tls: true
# scp:
# sbi:
# addr:
# - 127.0.1.10
@ -291,6 +364,10 @@ udm:
# - tcp_nodelay : true
# - so_linger.l_onoff : false
#
# sbi:
# client:
# no_tls: true
# scp:
# sbi:
# addr: 127.0.1.10
# option:
@ -305,32 +382,37 @@ scp:
- addr: 127.0.1.10
port: 7777
#
# nrf:
#
# <SBI Client>>
#
# o SBI Client(http://127.0.0.10:7777)
# sbi:
# client:
# no_tls: true
# nrf:
# sbi:
# addr: 127.0.0.10
# port: 7777
#
# o SBI Client(https://127.0.0.10:443, https://[::1]:443)
# tls:
# o SBI Client(https://127.0.0.10:443, https://[::1]:443) without verification
# sbi:
# client:
# key: /etc/open5gs/tls/udm.key
# cert: /etc/open5gs/tls/udm.crt
# no_verify: true
# key: /etc/open5gs/tls/amf.key
# cert: /etc/open5gs/tls/amf.crt
# nrf:
# sbi:
# - addr: 127.0.0.10
# - addr: ::1
#
# o SBI Client(https://nrf.open5gs.org:443)
# Use the specified certificate to verify server
# Use the specified certificate while verifying the server
#
# tls:
# sbi:
# client:
# cacert: /etc/open5gs/tls/ca.crt
# key: /etc/open5gs/tls/amf.key
# cert: /etc/open5gs/tls/amf.crt
# nrf:
# sbi:
# - name: nrf.open5gs.org
@ -347,6 +429,10 @@ scp:
# - tcp_nodelay : true
# - so_linger.l_onoff : false
#
# sbi:
# client:
# no_tls: true
# nrf:
# sbi:
# addr: 127.0.0.10
# option:
@ -362,47 +448,51 @@ scp:
# - ::1
# port: 7777
#
# parameter:
#
# o Disable use of IPv4 addresses (only IPv6)
# no_ipv4: true
# parameter:
# no_ipv4: true
#
# o Disable use of IPv6 addresses (only IPv4)
# no_ipv6: true
# parameter:
# no_ipv6: true
#
# o Prefer IPv4 instead of IPv6 for estabishing new GTP connections.
# prefer_ipv4: true
# parameter:
# prefer_ipv4: true
#
parameter:
#
# max:
#
# o Maximum Number of UE
# o Maximum Number of UE
# max:
# ue: 1024
# o Maximum Number of Peer(S1AP/NGAP, DIAMETER, GTP, PFCP or SBI)
#
# o Maximum Number of Peer(S1AP/NGAP, DIAMETER, GTP, PFCP or SBI)
# max:
# peer: 64
#
max:
#
# time:
#
# o NF Instance Heartbeat (Default : 0)
# NFs will not send heart-beat timer in NFProfile
# NRF will send heart-beat timer in NFProfile
# (Default values are used, so no configuration is required)
#
# o NF Instance Heartbeat (20 seconds)
# NFs will send heart-beat timer (20 seconds) in NFProfile
# NRF can change heart-beat timer in NFProfile
#
# time:
# nf_instance:
# heartbeat: 20
#
# o Message Wait Duration (Default : 10,000 ms = 10 seconds)
# (Default values are used, so no configuration is required)
#
# o Message Wait Duration (3000 ms)
# time:
# message:
# duration: 3000
time:

243
configs/open5gs/udr.yaml.in
View File

@ -1,75 +1,93 @@
db_uri: mongodb://localhost/open5gs
#
# logger:
#
# o Set OGS_LOG_INFO to all domain level
# - If `level` is omitted, the default level is OGS_LOG_INFO)
# - If `domain` is omitted, the all domain level is set from 'level'
# (Nothing is needed)
# (Default values are used, so no configuration is required)
#
# o Set OGS_LOG_ERROR to all domain level
# - `level` can be set with none, fatal, error, warn, info, debug, trace
# logger:
# level: error
#
# o Set OGS_LOG_DEBUG to mme/emm domain level
# logger:
# level: debug
# domain: mme,emm
#
# o Set OGS_LOG_TRACE to all domain level
# logger:
# level: trace
# domain: core,sbi,udr,event,tlv,mem,sock
# domain: core,sbi,ausf,event,tlv,mem,sock
#
logger:
file: @localstatedir@/log/open5gs/udr.log
#
# tls:
# enabled: auto|yes|no
# - auto: Default. Use TLS only if key/cert is available
# - yes: Use TLS always;
# reject if no key/cert available
# - no: Don't use TLS if there is an key/cert available
# o TLS enable/disable
# sbi:
# server|client:
# no_tls: false|true
# - false: (Default) Use TLS
# - true: TLS disabled
#
# o Server-side Key and Certficiate
# o Verification enable/disable
# sbi:
# server|client:
# no_verify: false|true
# - false: (Default) Verify the PEER
# - true: Skip the verification step
#
# o Server-side does not use TLS
# sbi:
# server:
# key: /etc/open5gs/tls/udr.key
# cert: /etc/open5gs/tls/udr.crt
# no_tls: true
#
# o Client-side does not use TLS
# o Client-side skips the verification step
# sbi:
# client:
# enabled: no
# key: /etc/open5gs/tls/udr.key
# cert: /etc/open5gs/tls/udr.crt
# no_verify: true
# key: /etc/open5gs/tls/amf.key
# cert: /etc/open5gs/tls/amf.crt
#
# o Use the specified certificate to verify client
# o Use the specified certificate while verifying the client
# sbi:
# server
# cacert: /etc/open5gs/tls/ca.crt
#
# o Use the specified certificate to verify server
# o Use the specified certificate while verifying the server
# sbi:
# client
# cacert: /etc/open5gs/tls/ca.crt
#
tls:
enabled: no
sbi:
server:
no_tls: true
cacert: @sysconfdir@/open5gs/tls/ca.crt
key: @sysconfdir@/open5gs/tls/udr.key
cert: @sysconfdir@/open5gs/tls/udr.crt
client:
no_tls: true
cacert: @sysconfdir@/open5gs/tls/ca.crt
key: @sysconfdir@/open5gs/tls/udr.key
cert: @sysconfdir@/open5gs/tls/udr.crt
#
# udr:
#
# <SBI Server>
#
# o SBI Server(http://<all address available>:80)
# sbi:
# server:
# no_tls: true
# bsf:
# sbi:
#
# o SBI Server(http://<any address>:7777)
# sbi:
# server:
# no_tls: true
# bsf:
# sbi:
# - addr:
# - 0.0.0.0
@ -77,48 +95,67 @@ tls:
# port: 7777
#
# o SBI Server(https://<all address available>:443)
# tls:
# sbi:
# server:
# key: /etc/open5gs/tls/udr.key
# cert: /etc/open5gs/tls/udr.crt
# udr:
# key: /etc/open5gs/tls/bsf.key
# cert: /etc/open5gs/tls/bsf.crt
# bsf:
# sbi:
#
# o SBI Server(http://127.0.0.5:80, http://[::1]:80)
# tls:
# enabled: no
# o SBI Server(https://127.0.0.15:443, https://[::1]:443) without verification
# sbi:
# server:
# key: /etc/open5gs/tls/udr.key
# cert: /etc/open5gs/tls/udr.crt
# udr:
# no_verify: true
# key: /etc/open5gs/tls/bsf.key
# cert: /etc/open5gs/tls/bsf.crt
# bsf:
# sbi:
# - addr: 127.0.0.5
# - addr: 127.0.0.15
# - addr: ::1
#
# o SBI Server(https://udr.open5gs.org:443)
# Use the specified certificate to verify client
# o SBI Server(https://bsf.open5gs.org:443)
# Use the specified certificate while verifying the client
#
# tls:
# sbi:
# server:
# cacert: /etc/open5gs/tls/ca.crt
# udr:
# key: /etc/open5gs/tls/bsf.key
# cert: /etc/open5gs/tls/bsf.crt
# bsf:
# sbi:
# - name: udr.open5gs.org
# - name: bsf.open5gs.org
#
# o SBI Server(http://127.0.0.20:7777)
# o SBI Server(http://127.0.0.15:7777)
# sbi:
# server:
# no_tls: true
# bsf:
# sbi:
# - addr: 127.0.0.20
# - addr: 127.0.0.15
# port: 7777
#
# o SBI Server(http://<eth0 IP address>:80)
# sbi:
# server:
# no_tls: true
# bsf:
# sbi:
# - dev: eth0
#
# o Provide custom SBI address to be advertised to NRF
# sbi:
# server:
# no_tls: true
# bsf:
# sbi:
# - dev: eth0
# advertise: open5gs-udr.svc.local
# advertise: open5gs-bsf.svc.local
#
# o Another example of advertising on NRF
# sbi:
# server:
# no_tls: true
# bsf:
# sbi:
# - addr: localhost
# advertise:
@ -129,20 +166,27 @@ tls:
# - tcp_nodelay : true
# - so_linger.l_onoff : false
#
# sbi:
# server:
# no_tls: true
# bsf:
# sbi:
# addr: 127.0.0.20
# addr: 127.0.0.15
# option:
# tcp_nodelay: false
# so_linger:
# l_onoff: true
# l_linger: 10
#
#
# <NF Service>
#
# o NF Service Name(Default : all NF services available)
# udr:
# service_name:
#
# o NF Service Name(Only some NF services are available)
# udr:
# service_name:
# - nudr-dr
#
@ -150,12 +194,21 @@ tls:
#
# o (Default) If you do not set Query Parameter as shown below,
#
# sbi:
# server:
# no_tls: true
# udr:
# sbi:
# - addr: 127.0.0.20
# port: 7777
#
# - 'service-names' is included.
#
# o Service-Names are not included
# sbi:
# server:
# no_tls: true
# udr:
# sbi:
# - addr: 127.0.0.20
# port: 7777
@ -174,6 +227,10 @@ tls:
#
# o (Default) If you do not set Delegated Discovery as shown below,
#
# sbi:
# server:
# no_tls: true
# udr:
# sbi:
# - addr: 127.0.0.20
# port: 7777
@ -181,6 +238,10 @@ tls:
# - Use SCP if SCP avaiable. Otherwise NRF is used.
# => App fails if both NRF and SCP are unavailable.
#
# sbi:
# server:
# no_tls: true
# udr:
# sbi:
# - addr: 127.0.0.20
# port: 7777
@ -198,35 +259,48 @@ udr:
- addr: 127.0.0.20
port: 7777
#
# scp:
#
# <SBI Client>>
#
# o SBI Client(http://127.0.1.10:7777)
# sbi:
# client:
# no_tls: true
# scp:
# sbi:
# addr: 127.0.1.10
# port: 7777
#
# o SBI Client(https://127.0.1.10:443, http://scp.open5gs.org:80)
# o SBI Client(https://127.0.1.10:443, https://[::1]:443) without verification
# sbi:
# client:
# no_verify: true
# key: /etc/open5gs/tls/amf.key
# cert: /etc/open5gs/tls/amf.crt
# scp:
# sbi:
# - addr: 127.0.1.10
# tls:
# key: /etc/open5gs/tls/udr.key
# cert: /etc/open5gs/tls/udr.crt
# - name: scp.open5gs.org
# - addr: ::1
#
# o SBI Client(https://scp.open5gs.org:443)
# Use the specified certificate to verify peer
# Use the specified certificate while verifying the server
#
# sbi:
# client:
# cacert: /etc/open5gs/tls/ca.crt
# key: /etc/open5gs/tls/amf.key
# cert: /etc/open5gs/tls/amf.crt
# scp:
# sbi:
# - name: scp.open5gs.org
# tls:
# cacert: /etc/open5gs/tls/ca.crt
#
# o SBI Client(http://[fd69:f21d:873c:fb::1]:80)
# If prefer_ipv4 is true, http://127.0.1.10:80 is selected.
#
# sbi:
# client:
# no_tls: true
# scp:
# sbi:
# addr:
# - 127.0.1.10
@ -236,6 +310,10 @@ udr:
# - tcp_nodelay : true
# - so_linger.l_onoff : false
#
# sbi:
# client:
# no_tls: true
# scp:
# sbi:
# addr: 127.0.1.10
# option:
@ -250,32 +328,37 @@ scp:
- addr: 127.0.1.10
port: 7777
#
# nrf:
#
# <SBI Client>>
#
# o SBI Client(http://127.0.0.10:7777)
# sbi:
# client:
# no_tls: true
# nrf:
# sbi:
# addr: 127.0.0.10
# port: 7777
#
# o SBI Client(https://127.0.0.10:443, https://[::1]:443)
# tls:
# o SBI Client(https://127.0.0.10:443, https://[::1]:443) without verification
# sbi:
# client:
# key: /etc/open5gs/tls/udr.key
# cert: /etc/open5gs/tls/udr.crt
# no_verify: true
# key: /etc/open5gs/tls/amf.key
# cert: /etc/open5gs/tls/amf.crt
# nrf:
# sbi:
# - addr: 127.0.0.10
# - addr: ::1
#
# o SBI Client(https://nrf.open5gs.org:443)
# Use the specified certificate to verify server
# Use the specified certificate while verifying the server
#
# tls:
# sbi:
# client:
# cacert: /etc/open5gs/tls/ca.crt
# key: /etc/open5gs/tls/amf.key
# cert: /etc/open5gs/tls/amf.crt
# nrf:
# sbi:
# - name: nrf.open5gs.org
@ -292,6 +375,10 @@ scp:
# - tcp_nodelay : true
# - so_linger.l_onoff : false
#
# sbi:
# client:
# no_tls: true
# nrf:
# sbi:
# addr: 127.0.0.10
# option:
@ -307,55 +394,51 @@ scp:
# - ::1
# port: 7777
#
# parameter:
#
# o Disable use of IPv4 addresses (only IPv6)
# no_ipv4: true
# parameter:
# no_ipv4: true
#
# o Disable use of IPv6 addresses (only IPv4)
# no_ipv6: true
# parameter:
# no_ipv6: true
#
# o Prefer IPv4 instead of IPv6 for estabishing new GTP connections.
# prefer_ipv4: true
# parameter:
# prefer_ipv4: true
#
parameter:
#
# max:
#
# o Maximum Number of UE
# o Maximum Number of UE
# max:
# ue: 1024
# o Maximum Number of Peer(S1AP/NGAP, DIAMETER, GTP, PFCP or SBI)
#
# o Maximum Number of Peer(S1AP/NGAP, DIAMETER, GTP, PFCP or SBI)
# max:
# peer: 64
#
max:
#
# time:
#
# o NF Instance Heartbeat (Default : 0)
# NFs will not send heart-beat timer in NFProfile
# NRF will send heart-beat timer in NFProfile
# (Default values are used, so no configuration is required)
#
# o NF Instance Heartbeat (20 seconds)
# NFs will send heart-beat timer (20 seconds) in NFProfile
# NRF can change heart-beat timer in NFProfile
#
# time:
# nf_instance:
# heartbeat: 20
#
# o NF Instance Heartbeat (Disabled)
# nf_instance:
# heartbeat: 0
#
# o NF Instance Heartbeat (10 seconds)
# nf_instance:
# heartbeat: 10
#
# o Message Wait Duration (Default : 10,000 ms = 10 seconds)
# (Default values are used, so no configuration is required)
#
# o Message Wait Duration (3000 ms)
# time:
# message:
# duration: 3000
time:

59
configs/open5gs/upf.yaml.in
View File

@ -1,43 +1,45 @@
#
# logger:
#
# o Set OGS_LOG_INFO to all domain level
# - If `level` is omitted, the default level is OGS_LOG_INFO)
# - If `domain` is omitted, the all domain level is set from 'level'
# (Nothing is needed)
# (Default values are used, so no configuration is required)
#
# o Set OGS_LOG_ERROR to all domain level
# - `level` can be set with none, fatal, error, warn, info, debug, trace
# logger:
# level: error
#
# o Set OGS_LOG_DEBUG to mme/emm domain level
# logger:
# level: debug
# domain: mme,emm
#
# o Set OGS_LOG_TRACE to all domain level
# logger:
# level: trace
# domain: core,pfcp,gtp,upf,event,tlv,mem,sock
# domain: core,sbi,ausf,event,tlv,mem,sock
#
logger:
file: @localstatedir@/log/open5gs/upf.log
#
# upf:
#
# <PFCP Server>
#
# o PFCP Server(127.0.0.7:8805, ::1:8805)
# upf:
# pfcp:
# - addr: 127.0.0.7
# - addr: ::1
#
# o PFCP-U Server(127.0.0.1:2152, [::1]:2152)
# upf:
# pfcp:
# name: localhost
#
# o PFCP Option (Default)
# - so_bindtodevice : NULL
#
# upf:
# pfcp:
# addr: 127.0.0.7
# option:
@ -46,15 +48,18 @@ logger:
# <GTP-U Server>>
#
# o GTP-U Server(127.0.0.7:2152, [::1]:2152)
# upf:
# gtpu:
# - addr: 127.0.0.7
# - addr: ::1
#
# o GTP-U Server(127.0.0.1:2152, [::1]:2152)
# upf:
# gtpu:
# name: localhost
#
# o User Plane IP Resource information
# upf:
# gtpu:
# - addr:
# - 127.0.0.7
@ -70,20 +75,24 @@ logger:
# source_interface: 1
#
# o Provide custom UPF GTP-U address to be advertised inside NGAP messages
# upf:
# gtpu:
# - addr: 10.4.128.21
# advertise: 172.24.15.30
#
# upf:
# gtpu:
# - addr: 10.4.128.21
# advertise:
# - 127.0.0.1
# - ::1
#
# upf:
# gtpu:
# - addr: 10.4.128.21
# advertise: upf1.5gc.mnc001.mcc001.3gppnetwork.org
#
# upf:
# gtpu:
# - dev: ens3
# advertise: upf1.5gc.mnc001.mcc001.3gppnetwork.org
@ -91,6 +100,7 @@ logger:
# o GTP-U Option (Default)
# - so_bindtodevice : NULL
#
# upf:
# gtpu:
# addr: 127.0.0.7
# option:
@ -104,6 +114,7 @@ logger:
# o IPv4 Pool
# $ sudo ip addr add 10.45.0.1/16 dev ogstun
#
# upf:
# subnet:
# addr: 10.45.0.1/16
#
@ -111,6 +122,7 @@ logger:
# $ sudo ip addr add 10.45.0.1/16 dev ogstun
# $ sudo ip addr add 2001:db8:cafe::1/48 dev ogstun
#
# upf:
# subnet:
# - addr: 10.45.0.1/16
# - addr: 2001:db8:cafe::1/48
@ -125,6 +137,7 @@ logger:
#
# ; If the UE has unknown DNN/APN(not internet/ims), SMF/UPF will crash.
#
# upf:
# subnet:
# - addr: 10.45.0.1/16
# dnn: internet
@ -138,6 +151,7 @@ logger:
# o Specific DNN/APN with the FALLBACK SUBNET(10.47.0.1/16)
# ; Note that put the FALLBACK SUBNET last to avoid SMF/UPF crash.
#
# upf:
# subnet:
# - addr: 10.45.0.1/16
# dnn: internet
@ -151,6 +165,7 @@ logger:
# $ sudo ip addr add 10.46.0.1/16 dev ogstun3
# $ sudo ip addr add 2001:db8:babe::1/48 dev ogstun3
#
# upf:
# subnet:
# - addr: 10.45.0.1/16
# dnn: internet
@ -167,6 +182,7 @@ logger:
# <Metrics Server>
#
# o Metrics Server(http://<any address>:9090)
# upf:
# metrics:
# - addr: 0.0.0.0
# port: 9090
@ -183,51 +199,52 @@ upf:
- addr: 127.0.0.7
port: 9090
#
# smf:
#
# <PFCP Client>>
#
# o PFCP Client(127.0.0.4:8805)
#
# smf:
# pfcp:
# addr: 127.0.0.4
#
smf:
#
# parameter:
#
# o Number of output streams per SCTP associations.
# sctp_streams: 30
# parameter:
# sctp_streams: 30
#
# o Disable use of IPv4 addresses (only IPv6)
# no_ipv4: true
# parameter:
# no_ipv4: true
#
# o Disable use of IPv6 addresses (only IPv4)
# no_ipv6: true
# parameter:
# no_ipv6: true
#
# o Prefer IPv4 instead of IPv6 for estabishing new GTP connections.
# prefer_ipv4: true
# parameter:
# prefer_ipv4: true
#
parameter:
#
# max:
#
# o Maximum Number of UE
# ue: 1024
# max:
# ue: 1024
#
# o Maximum Number of Peer(S1AP/NGAP, DIAMETER, GTP, PFCP or SBI)
# peer: 64
# max:
# peer: 64
#
max:
#
# time:
#
# o Message Wait Duration (Default : 10,000 ms = 10 seconds)
# (Default values are used, so no configuration is required)
#
# o Message Wait Duration (3000 ms)
# time:
# message:
# duration: 3000
time:

5
configs/sample.yaml.in
View File

@ -2,13 +2,14 @@ db_uri: mongodb://localhost/open5gs
logger:
tls:
enabled: no
sbi:
server:
no_tls: true
cacert: @build_configs_dir@/open5gs/tls/ca.crt
key: @build_configs_dir@/open5gs/tls/testserver.key
cert: @build_configs_dir@/open5gs/tls/testserver.crt
client:
no_tls: true
cacert: @build_configs_dir@/open5gs/tls/ca.crt
key: @build_configs_dir@/open5gs/tls/testclient.key
cert: @build_configs_dir@/open5gs/tls/testclient.crt

5
configs/slice.yaml.in
View File

@ -2,13 +2,14 @@ db_uri: mongodb://localhost/open5gs
logger:
tls:
enabled: no
sbi:
server:
no_tls: true
cacert: @build_configs_dir@/open5gs/tls/ca.crt
key: @build_configs_dir@/open5gs/tls/testserver.key
cert: @build_configs_dir@/open5gs/tls/testserver.crt
client:
no_tls: true
cacert: @build_configs_dir@/open5gs/tls/ca.crt
key: @build_configs_dir@/open5gs/tls/testclient.key
cert: @build_configs_dir@/open5gs/tls/testclient.crt

5
configs/srsenb.yaml.in
View File

@ -2,13 +2,14 @@ db_uri: mongodb://localhost/open5gs
logger:
tls:
enabled: no
sbi:
server:
no_tls: true
cacert: @build_configs_dir@/open5gs/tls/ca.crt
key: @build_configs_dir@/open5gs/tls/testserver.key
cert: @build_configs_dir@/open5gs/tls/testserver.crt
client:
no_tls: true
cacert: @build_configs_dir@/open5gs/tls/ca.crt
key: @build_configs_dir@/open5gs/tls/testclient.key
cert: @build_configs_dir@/open5gs/tls/testclient.crt

5
configs/volte.yaml.in
View File

@ -2,13 +2,14 @@ db_uri: mongodb://localhost/open5gs
logger:
tls:
enabled: no
sbi:
server:
no_tls: true
cacert: @build_configs_dir@/open5gs/tls/ca.crt
key: @build_configs_dir@/open5gs/tls/testserver.key
cert: @build_configs_dir@/open5gs/tls/testserver.crt
client:
no_tls: true
cacert: @build_configs_dir@/open5gs/tls/ca.crt
key: @build_configs_dir@/open5gs/tls/testclient.key
cert: @build_configs_dir@/open5gs/tls/testclient.crt

5
configs/vonr.yaml.in
View File

@ -2,13 +2,14 @@ db_uri: mongodb://localhost/open5gs
logger:
tls:
enabled: no
sbi:
server:
no_tls: true
cacert: @build_configs_dir@/open5gs/tls/ca.crt
key: @build_configs_dir@/open5gs/tls/testserver.key
cert: @build_configs_dir@/open5gs/tls/testserver.crt
client:
no_tls: true
cacert: @build_configs_dir@/open5gs/tls/ca.crt
key: @build_configs_dir@/open5gs/tls/testclient.key
cert: @build_configs_dir@/open5gs/tls/testclient.crt

61
lib/app/ogs-context.c
View File

@ -532,6 +532,67 @@ int ogs_app_context_parse_config(void)
} else
ogs_warn("unknown key `%s`", time_key);
}
} else if (!strcmp(root_key, "sbi")) {
ogs_yaml_iter_t tls_iter;
ogs_yaml_iter_recurse(&root_iter, &tls_iter);
while (ogs_yaml_iter_next(&tls_iter)) {
const char *tls_key = ogs_yaml_iter_key(&tls_iter);
ogs_assert(tls_key);
if (!strcmp(tls_key, "server")) {
ogs_yaml_iter_t server_iter;
ogs_yaml_iter_recurse(&tls_iter, &server_iter);
while (ogs_yaml_iter_next(&server_iter)) {
const char *server_key =
ogs_yaml_iter_key(&server_iter);
ogs_assert(server_key);
if (!strcmp(server_key, "no_tls")) {
self.sbi.server.no_tls =
ogs_yaml_iter_bool(&server_iter);
} else if (!strcmp(server_key, "no_verify")) {
self.sbi.server.no_verify =
ogs_yaml_iter_bool(&server_iter);
} else if (!strcmp(server_key, "cacert")) {
self.sbi.server.cacert =
ogs_yaml_iter_value(&server_iter);
} else if (!strcmp(server_key, "cert")) {
self.sbi.server.cert =
ogs_yaml_iter_value(&server_iter);
} else if (!strcmp(server_key, "key")) {
self.sbi.server.key =
ogs_yaml_iter_value(&server_iter);
} else
ogs_warn("unknown key `%s`", server_key);
}
} else if (!strcmp(tls_key, "client")) {
ogs_yaml_iter_t client_iter;
ogs_yaml_iter_recurse(&tls_iter, &client_iter);
while (ogs_yaml_iter_next(&client_iter)) {
const char *client_key =
ogs_yaml_iter_key(&client_iter);
ogs_assert(client_key);
if (!strcmp(client_key, "no_tls")) {
self.sbi.client.no_tls =
ogs_yaml_iter_bool(&client_iter);
} else if (!strcmp(client_key, "no_verify")) {
self.sbi.client.no_verify =
ogs_yaml_iter_bool(&client_iter);
} else if (!strcmp(client_key, "cacert")) {
self.sbi.client.cacert =
ogs_yaml_iter_value(&client_iter);
} else if (!strcmp(client_key, "cert")) {
self.sbi.client.cert =
ogs_yaml_iter_value(&client_iter);
} else if (!strcmp(client_key, "key")) {
self.sbi.client.key =
ogs_yaml_iter_value(&client_iter);
} else
ogs_warn("unknown key `%s`", client_key);
}
} else
ogs_warn("unknown key `%s`", tls_key);
}
}
}

20
lib/app/ogs-context.h
View File

@ -28,6 +28,12 @@
extern "C" {
#endif
typedef enum {
OGS_SBI_TLS_ENABLED_AUTO = 0,
OGS_SBI_TLS_ENABLED_YES,
OGS_SBI_TLS_ENABLED_NO,
} ogs_sbi_tls_enabled_mode_e;
typedef struct ogs_app_context_s {
const char *version;
@ -171,15 +177,23 @@ typedef struct ogs_app_context_s {
struct metrics {
uint64_t max_specs;
} metrics;
struct {
struct {
bool no_tls;
bool no_verify;
const char *cacert;
const char *cert;
const char *key;
} server, client;
} sbi;
} ogs_app_context_t;
int ogs_app_context_init(void);
void ogs_app_context_final(void);
ogs_app_context_t *ogs_app(void);
bool ogs_app_tls_server_enabled(void);
bool ogs_app_tls_client_enabled(void);
int ogs_app_context_parse_config(void);
#ifdef __cplusplus

20
lib/sbi/client.c
View File

@ -384,8 +384,24 @@ static connection_t *connection_add(
curl_easy_setopt(conn->easy, CURLOPT_BUFFERSIZE, OGS_MAX_SDU_LEN);
curl_easy_setopt(conn->easy, CURLOPT_SSL_VERIFYPEER, 0);
curl_easy_setopt(conn->easy, CURLOPT_SSL_VERIFYHOST, 0);
if (ogs_app()->sbi.client.no_tls == false) {
ogs_assert(ogs_app()->sbi.client.key);
ogs_assert(ogs_app()->sbi.client.cert);
curl_easy_setopt(conn->easy, CURLOPT_SSLKEY,
ogs_app()->sbi.client.key);
curl_easy_setopt(conn->easy, CURLOPT_SSLCERT,
ogs_app()->sbi.client.cert);
if (ogs_app()->sbi.client.no_verify == false) {
if (ogs_app()->sbi.client.cacert) {
curl_easy_setopt(conn->easy, CURLOPT_CAINFO,
ogs_app()->sbi.client.cacert);
}
} else {
curl_easy_setopt(conn->easy, CURLOPT_SSL_VERIFYPEER, 0);
curl_easy_setopt(conn->easy, CURLOPT_SSL_VERIFYHOST, 0);
}
}
/* HTTP Method */
if (strcmp(request->h.method, OGS_SBI_HTTP_METHOD_PUT) == 0 ||

139
lib/sbi/context.c
View File

@ -120,44 +120,6 @@ ogs_sbi_context_t *ogs_sbi_self(void)
return &self;
}
bool ogs_app_tls_server_enabled(void)
{
if (self.tls.enabled == OGS_SBI_TLS_ENABLED_AUTO) {
if (self.tls.server.key && self.tls.server.cert)
return true;
else
return false;
} else if (self.tls.enabled == OGS_SBI_TLS_ENABLED_YES) {
ogs_assert(self.tls.server.key);
ogs_assert(self.tls.server.cert);
return true;
} else if (self.tls.enabled == OGS_SBI_TLS_ENABLED_NO) {
return false;
} else {
ogs_error("Unknown TLS enabled mode [%d]", self.tls.enabled);
return false;
}
}
bool ogs_app_tls_client_enabled(void)
{
if (self.tls.enabled == OGS_SBI_TLS_ENABLED_AUTO) {
if (self.tls.client.key && self.tls.client.cert)
return true;
else
return false;
} else if (self.tls.enabled == OGS_SBI_TLS_ENABLED_YES) {
ogs_assert(self.tls.client.key);
ogs_assert(self.tls.client.cert);
return true;
} else if (self.tls.enabled == OGS_SBI_TLS_ENABLED_NO) {
return false;
} else {
ogs_error("Unknown TLS enabled mode [%d]", self.tls.enabled);
return false;
}
}
static int ogs_sbi_context_prepare(void)
{
self.sbi_port = OGS_SBI_HTTP_PORT;
@ -166,8 +128,6 @@ static int ogs_sbi_context_prepare(void)
self.content_encoding = "gzip";
#endif
self.tls.enabled = OGS_SBI_TLS_ENABLED_AUTO;
return OGS_OK;
}
@ -221,27 +181,29 @@ static int ogs_sbi_context_validation(
ogs_assert_if_reached();
}
if (self.tls.enabled == OGS_SBI_TLS_ENABLED_YES) {
if (!self.tls.server.key) {
ogs_error("No Server Key");
if (ogs_app()->sbi.server.no_tls == false) {
if (!ogs_app()->sbi.server.key) {
ogs_error("TLS enabled but no server key");
return OGS_ERROR;
}
if (!self.tls.server.cert) {
ogs_error("No Server Certificate");
return OGS_ERROR;
}
if (!self.tls.client.key) {
ogs_error("No Client Key");
return OGS_ERROR;
}
if (!self.tls.client.cert) {
ogs_error("No Client Certificate");
if (!ogs_app()->sbi.server.cert) {
ogs_error("TLS enabled but no server certificate");
return OGS_ERROR;
}
}
if (ogs_app()->sbi.client.no_tls == false) {
if (!ogs_app()->sbi.client.key) {
ogs_error("TLS enabled but no client key");
return OGS_ERROR;
}
if (!ogs_app()->sbi.client.cert) {
ogs_error("TLS enabled but no client certificate");
return OGS_ERROR;
}
}
return OGS_OK;
}
@ -622,7 +584,7 @@ int ogs_sbi_context_parse_config(
if (addr == NULL) continue;
client = ogs_sbi_client_add(
ogs_app_tls_client_enabled() == true ?
ogs_app()->sbi.client.no_tls == false ?
OpenAPI_uri_scheme_https :
OpenAPI_uri_scheme_http,
addr);
@ -728,7 +690,7 @@ int ogs_sbi_context_parse_config(
if (addr == NULL) continue;
client = ogs_sbi_client_add(
ogs_app_tls_client_enabled() == true ?
ogs_app()->sbi.client.no_tls == false ?
OpenAPI_uri_scheme_https :
OpenAPI_uri_scheme_http,
addr);
@ -741,65 +703,6 @@ int ogs_sbi_context_parse_config(
YAML_SEQUENCE_NODE);
}
}
} else if (!strcmp(root_key, "tls")) {
ogs_yaml_iter_t tls_iter;
ogs_yaml_iter_recurse(&root_iter, &tls_iter);
while (ogs_yaml_iter_next(&tls_iter)) {
const char *tls_key = ogs_yaml_iter_key(&tls_iter);
ogs_assert(tls_key);
if (!strcmp(tls_key, "enabled")) {
const char *v = ogs_yaml_iter_value(&tls_iter);
if (!strcmp(v, "auto"))
self.tls.enabled = OGS_SBI_TLS_ENABLED_AUTO;
else if (!strcmp(v, "yes"))
self.tls.enabled = OGS_SBI_TLS_ENABLED_YES;
else if (!strcmp(v, "no"))
self.tls.enabled = OGS_SBI_TLS_ENABLED_NO;
else
ogs_warn("unknown 'tls.enabled' value `%s`", v);
} else if (!strcmp(tls_key, "server")) {
ogs_yaml_iter_t server_iter;
ogs_yaml_iter_recurse(&tls_iter, &server_iter);
while (ogs_yaml_iter_next(&server_iter)) {
const char *server_key =
ogs_yaml_iter_key(&server_iter);
ogs_assert(server_key);
if (!strcmp(server_key, "cacert")) {
self.tls.server.cacert =
ogs_yaml_iter_value(&server_iter);
} else if (!strcmp(server_key, "cert")) {
self.tls.server.cert =
ogs_yaml_iter_value(&server_iter);
} else if (!strcmp(server_key, "key")) {
self.tls.server.key =
ogs_yaml_iter_value(&server_iter);
} else
ogs_warn("unknown key `%s`", server_key);
}
} else if (!strcmp(tls_key, "client")) {
ogs_yaml_iter_t client_iter;
ogs_yaml_iter_recurse(&tls_iter, &client_iter);
while (ogs_yaml_iter_next(&client_iter)) {
const char *client_key =
ogs_yaml_iter_key(&client_iter);
ogs_assert(client_key);
if (!strcmp(client_key, "cacert")) {
self.tls.client.cacert =
ogs_yaml_iter_value(&client_iter);
} else if (!strcmp(client_key, "cert")) {
self.tls.client.cert =
ogs_yaml_iter_value(&client_iter);
} else if (!strcmp(client_key, "key")) {
self.tls.client.key =
ogs_yaml_iter_value(&client_iter);
} else
ogs_warn("unknown key `%s`", client_key);
}
} else
ogs_warn("unknown key `%s`", tls_key);
}
} else if (!strcmp(root_key, "hnet")) {
ogs_yaml_iter_t hnet_array, hnet_iter;
ogs_yaml_iter_recurse(&root_iter, &hnet_array);
@ -1480,7 +1383,7 @@ ogs_sbi_nf_service_t *ogs_sbi_nf_service_build_default(
ogs_uuid_format(id, &uuid);
nf_service = ogs_sbi_nf_service_add(nf_instance, id, name,
ogs_app_tls_server_enabled() == true ?
ogs_app()->sbi.server.no_tls == false ?
OpenAPI_uri_scheme_https :
OpenAPI_uri_scheme_http);
ogs_assert(nf_service);
@ -1571,7 +1474,7 @@ static ogs_sbi_client_t *nf_instance_find_client(
ogs_sockaddr_t *addr = NULL;
OpenAPI_uri_scheme_e scheme = OpenAPI_uri_scheme_NULL;
scheme = ogs_app_tls_client_enabled() == true ?
scheme = ogs_app()->sbi.client.no_tls == false ?
OpenAPI_uri_scheme_https : OpenAPI_uri_scheme_http;
if (nf_instance->fqdn)

15
lib/sbi/context.h
View File

@ -46,24 +46,9 @@ typedef struct ogs_sbi_discovery_config_s {
bool prefer_requester_nf_instance_id;
} ogs_sbi_discovery_config_t;
typedef enum {
OGS_SBI_TLS_ENABLED_AUTO = 0,
OGS_SBI_TLS_ENABLED_YES,
OGS_SBI_TLS_ENABLED_NO,
} ogs_sbi_tls_enabled_mode_e;
typedef struct ogs_sbi_context_s {
ogs_sbi_discovery_config_t discovery_config; /* SCP Discovery Delegated */
struct {
ogs_sbi_tls_enabled_mode_e enabled;
struct {
const char *cacert;
const char *cert;
const char *key;
} server, client;
} tls;
#define OGS_HOME_NETWORK_PKI_VALUE_MIN 1
#define OGS_HOME_NETWORK_PKI_VALUE_MAX 254

4
lib/sbi/conv.c
View File

@ -340,7 +340,7 @@ char *ogs_sbi_server_uri(ogs_sbi_server_t *server, ogs_sbi_header_t *h)
advertise = server->node.addr;
ogs_assert(advertise);
return ogs_uridup(ogs_app_tls_server_enabled() == true, advertise, h);
return ogs_uridup(ogs_app()->sbi.server.no_tls == false, advertise, h);
}
char *ogs_sbi_client_uri(ogs_sbi_client_t *client, ogs_sbi_header_t *h)
@ -348,7 +348,7 @@ char *ogs_sbi_client_uri(ogs_sbi_client_t *client, ogs_sbi_header_t *h)
ogs_assert(client);
return ogs_uridup(
ogs_app_tls_client_enabled() == true &&
ogs_app()->sbi.client.no_tls == false &&
client->scheme == OpenAPI_uri_scheme_https,
client->node.addr, h);
}

181
lib/sbi/nghttp2-server.c
View File

@ -119,7 +119,8 @@ static void server_final(void)
#ifndef OPENSSL_NO_NEXTPROTONEG
static int next_proto_cb(SSL *ssl, const unsigned char **data,
unsigned int *len, void *arg) {
unsigned int *len, void *arg)
{
static unsigned char next_proto_list[256];
(void)ssl;
(void)arg;
@ -136,7 +137,8 @@ static int next_proto_cb(SSL *ssl, const unsigned char **data,
#if OPENSSL_VERSION_NUMBER >= 0x10002000L
static int alpn_select_proto_cb(SSL *ssl, const unsigned char **out,
unsigned char *outlen, const unsigned char *in,
unsigned int inlen, void *arg) {
unsigned int inlen, void *arg)
{
int rv;
(void)ssl;
(void)arg;
@ -150,18 +152,75 @@ static int alpn_select_proto_cb(SSL *ssl, const unsigned char **out,
}
#endif /* OPENSSL_VERSION_NUMBER >= 0x10002000L */
static SSL_CTX *create_ssl_ctx(const char *key_file, const char *cert_file) {
static int ssl_ctx_set_proto_versions(SSL_CTX *ssl_ctx, int min, int max)
{
#if OPENSSL_VERSION_NUMBER >= 0x1010000fL
if (SSL_CTX_set_min_proto_version(ssl_ctx, min) != 1 ||
SSL_CTX_set_max_proto_version(ssl_ctx, max) != 1) {
return -1;
}
return 0;
#else /* !(OPENSSL_VERSION_NUMBER >= 0x1010000fL) */
long int opts = 0;
// TODO We depends on the ordering of protocol version macro in
// OpenSSL.
if (min > TLS1_VERSION) {
opts |= SSL_OP_NO_TLSv1;
}
if (min > TLS1_1_VERSION) {
opts |= SSL_OP_NO_TLSv1_1;
}
if (min > TLS1_2_VERSION) {
opts |= SSL_OP_NO_TLSv1_2;
}
if (max < TLS1_2_VERSION) {
opts |= SSL_OP_NO_TLSv1_2;
}
if (max < TLS1_1_VERSION) {
opts |= SSL_OP_NO_TLSv1_1;
}
SSL_CTX_set_options(ssl_ctx, opts);
return 0;
#endif /* OPENSSL_VERSION_NUMBER >= 0x1010000fL */
}
static SSL_CTX *create_ssl_ctx(const char *key_file, const char *cert_file)
{
SSL_CTX *ssl_ctx;
uint64_t ssl_opts;
ogs_assert(key_file);
ogs_assert(cert_file);
ssl_ctx = SSL_CTX_new(TLS_server_method());
if (!ssl_ctx) {
ogs_error("Could not create SSL/TLS context: %s", ERR_error_string(ERR_get_error(), NULL));
return NULL;
}
SSL_CTX_set_options(ssl_ctx,
SSL_OP_ALL | SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 |
SSL_OP_NO_COMPRESSION |
SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION);
ssl_opts = (SSL_OP_ALL & ~SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS) |
SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 | SSL_OP_NO_COMPRESSION |
SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION |
SSL_OP_SINGLE_ECDH_USE | SSL_OP_SINGLE_DH_USE |
SSL_OP_CIPHER_SERVER_PREFERENCE
#if OPENSSL_VERSION_NUMBER >= 0x10101000L
// The reason for disabling built-in anti-replay in
// OpenSSL is that it only works if client gets back
// to the same server. The freshness check
// described in
// https://tools.ietf.org/html/rfc8446#section-8.3
// is still performed.
| SSL_OP_NO_ANTI_REPLAY
#endif /* OPENSSL_VERSION_NUMBER >= 0x10101000L */
;
SSL_CTX_set_options(ssl_ctx, ssl_opts);
#if OPENSSL_VERSION_NUMBER >= 0x30000000L
if (SSL_CTX_set1_curves_list(ssl_ctx, "P-256") != 1) {
ogs_error("SSL_CTX_set1_curves_list failed: %s", ERR_error_string(ERR_get_error(), NULL));
@ -169,6 +228,37 @@ static SSL_CTX *create_ssl_ctx(const char *key_file, const char *cert_file) {
}
#endif /* !(OPENSSL_VERSION_NUMBER >= 0x30000000L) */
SSL_CTX_set_mode(ssl_ctx, SSL_MODE_AUTO_RETRY);
SSL_CTX_set_mode(ssl_ctx, SSL_MODE_RELEASE_BUFFERS);
if (SSL_CTX_set_default_verify_paths(ssl_ctx) != 1) {
ogs_warn("Could not load system trusted ca certificates: %s",
ERR_error_string(ERR_get_error(), NULL));
}
#define OGS_TLS_MIN_VERSION TLS1_VERSION
#ifdef TLS1_3_VERSION
#define OGS_TLS_MAX_VERSION TLS1_3_VERSION
#else /* !TLS1_3_VERSION */
#define OGS_TLS_MAX_VERSION TLS1_2_VERSION
#endif /* TLS1_3_VERSION */
if (ssl_ctx_set_proto_versions(
ssl_ctx, OGS_TLS_MIN_VERSION, OGS_TLS_MAX_VERSION) != 0) {
ogs_error("Could not set TLS versions [%d:%d]",
OGS_TLS_MIN_VERSION, OGS_TLS_MAX_VERSION);
return NULL;
}
#define DEFAULT_CIPHER_LIST \
"ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-" \
"AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-" \
"POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-" \
"AES256-GCM-SHA384"
if (SSL_CTX_set_cipher_list(ssl_ctx, DEFAULT_CIPHER_LIST) == 0) {
ogs_error("%s", ERR_error_string(ERR_get_error(), NULL));
return NULL;
}
if (SSL_CTX_use_PrivateKey_file(ssl_ctx, key_file, SSL_FILETYPE_PEM) != 1) {
ogs_error("Could not read private key file - key_file=%s", key_file);
return NULL;
@ -177,6 +267,11 @@ static SSL_CTX *create_ssl_ctx(const char *key_file, const char *cert_file) {
ogs_error("Could not read certificate file - cert_file=%s ", cert_file);
return NULL;
}
if (SSL_CTX_check_private_key(ssl_ctx) != 1) {
ogs_error("SSL_CTX_check_private_key failed: %s",
ERR_error_string(ERR_get_error(), NULL));
return NULL;
}
#ifndef OPENSSL_NO_NEXTPROTONEG
SSL_CTX_set_next_protos_advertised_cb(ssl_ctx, next_proto_cb, NULL);
@ -189,6 +284,22 @@ static SSL_CTX *create_ssl_ctx(const char *key_file, const char *cert_file) {
return ssl_ctx;
}
static int verify_callback(int preverify_ok, X509_STORE_CTX *ctx)
{
if (!preverify_ok) {
int err = X509_STORE_CTX_get_error(ctx);
int depth = X509_STORE_CTX_get_error_depth(ctx);
if (err == X509_V_ERR_CERT_HAS_EXPIRED && depth == 0) {
ogs_error("The client certificate has expired, but is accepted by "
"configuration");
return 1;
}
ogs_error("client certificate verify error:num=%d:%s:depth=%d",
err, X509_verify_cert_error_string(err), depth);
}
return preverify_ok;
}
static int server_start(ogs_sbi_server_t *server,
int (*cb)(ogs_sbi_request_t *request, void *data))
{
@ -201,21 +312,67 @@ static int server_start(ogs_sbi_server_t *server,
ogs_assert(addr);
/* Create SSL CTX */
if (ogs_app_tls_server_enabled() == true) {
ogs_assert(ogs_sbi_self()->tls.server.key);
ogs_assert(ogs_sbi_self()->tls.server.cert);
if (ogs_app()->sbi.server.no_tls == false) {
server->ssl_ctx = create_ssl_ctx(
ogs_sbi_self()->tls.server.key,
ogs_sbi_self()->tls.server.cert);
ogs_app()->sbi.server.key,
ogs_app()->sbi.server.cert);
if (!server->ssl_ctx) {
ogs_error("Cannot create SSL CTX");
return OGS_ERROR;
}
if (ogs_app()->sbi.server.no_verify == false) {
if (ogs_app()->sbi.server.cacert) {
STACK_OF(X509_NAME) *cert_names = NULL;
if (SSL_CTX_load_verify_locations(server->ssl_ctx,
ogs_app()->sbi.server.cacert, NULL) != 1) {
ogs_error("Could not load trusted ca certificates "
"from %s:%s", ogs_app()->sbi.server.cacert,
ERR_error_string(ERR_get_error(), NULL));
if (server->ssl_ctx)
SSL_CTX_free(server->ssl_ctx);
return OGS_ERROR;
}
/*
* It is heard that SSL_CTX_load_verify_locations() may leave
* error even though it returns success. See
* http://forum.nginx.org/read.php?29,242540
*/
cert_names = SSL_load_client_CA_file(
ogs_app()->sbi.server.cacert);
if (!cert_names) {
ogs_error("Could not load ca certificates from %s:%s",
ogs_app()->sbi.server.cacert,
ERR_error_string(ERR_get_error(), NULL));
if (server->ssl_ctx)
SSL_CTX_free(server->ssl_ctx);
return OGS_ERROR;
}
SSL_CTX_set_client_CA_list(server->ssl_ctx, cert_names);
}
SSL_CTX_set_verify(
server->ssl_ctx,
SSL_VERIFY_PEER | SSL_VERIFY_CLIENT_ONCE |
SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
verify_callback);
}
}
sock = ogs_tcp_server(addr, server->node.option);
if (!sock) {
ogs_error("Cannot start SBI server");
if (server->ssl_ctx)
SSL_CTX_free(server->ssl_ctx);
return OGS_ERROR;
}

2
src/nssf/context.c
View File

@ -344,7 +344,7 @@ char *nssf_nsi_nrf_uri(nssf_nsi_t *nsi)
h.api.version = (char *)OGS_SBI_API_V1;
h.resource.component[0] = (char *)OGS_SBI_RESOURCE_NAME_NF_INSTANCES;
return ogs_uridup(ogs_app_tls_server_enabled() == true, nsi->addr, &h);
return ogs_uridup(ogs_app()->sbi.server.no_tls == false, nsi->addr, &h);
}
int get_nsi_load()

2
tests/af/context.c
View File

@ -302,7 +302,7 @@ void af_sess_associate_pcf_client(af_sess_t *sess)
ogs_assert(sess);
scheme = ogs_app_tls_client_enabled() == true ?
scheme = ogs_app()->sbi.client.no_tls == false ?
OpenAPI_uri_scheme_https : OpenAPI_uri_scheme_http;
if (sess->pcf.fqdn && strlen(sess->pcf.fqdn))