diff --git a/configs/310014.yaml.in b/configs/310014.yaml.in index 79a38bf86..aefd5ec06 100644 --- a/configs/310014.yaml.in +++ b/configs/310014.yaml.in @@ -2,13 +2,14 @@ db_uri: mongodb://localhost/open5gs logger: -tls: - enabled: no +sbi: server: + no_tls: true cacert: @build_configs_dir@/open5gs/tls/ca.crt key: @build_configs_dir@/open5gs/tls/testserver.key cert: @build_configs_dir@/open5gs/tls/testserver.crt client: + no_tls: true cacert: @build_configs_dir@/open5gs/tls/ca.crt key: @build_configs_dir@/open5gs/tls/testclient.key cert: @build_configs_dir@/open5gs/tls/testclient.crt diff --git a/configs/csfb.yaml.in b/configs/csfb.yaml.in index 6ec6b1f08..2ac2fa61c 100644 --- a/configs/csfb.yaml.in +++ b/configs/csfb.yaml.in @@ -2,13 +2,14 @@ db_uri: mongodb://localhost/open5gs logger: -tls: - enabled: no +sbi: server: + no_tls: true cacert: @build_configs_dir@/open5gs/tls/ca.crt key: @build_configs_dir@/open5gs/tls/testserver.key cert: @build_configs_dir@/open5gs/tls/testserver.crt client: + no_tls: true cacert: @build_configs_dir@/open5gs/tls/ca.crt key: @build_configs_dir@/open5gs/tls/testclient.key cert: @build_configs_dir@/open5gs/tls/testclient.crt diff --git a/configs/non3gpp.yaml.in b/configs/non3gpp.yaml.in index 3c0c4c023..8d51c8814 100644 --- a/configs/non3gpp.yaml.in +++ b/configs/non3gpp.yaml.in @@ -2,13 +2,14 @@ db_uri: mongodb://localhost/open5gs logger: -tls: - enabled: no +sbi: server: + no_tls: true cacert: @build_configs_dir@/open5gs/tls/ca.crt key: @build_configs_dir@/open5gs/tls/testserver.key cert: @build_configs_dir@/open5gs/tls/testserver.crt client: + no_tls: true cacert: @build_configs_dir@/open5gs/tls/ca.crt key: @build_configs_dir@/open5gs/tls/testclient.key cert: @build_configs_dir@/open5gs/tls/testclient.crt diff --git a/configs/open5gs/amf.yaml.in b/configs/open5gs/amf.yaml.in index 99c36c72f..6ac06e0e5 100644 --- a/configs/open5gs/amf.yaml.in +++ b/configs/open5gs/amf.yaml.in 
@@ -1,73 +1,91 @@ # -# logger: -# # o Set OGS_LOG_INFO to all domain level # - If `level` is omitted, the default level is OGS_LOG_INFO) # - If `domain` is omitted, the all domain level is set from 'level' -# (Nothing is needed) +# (Default values are used, so no configuration is required) # # o Set OGS_LOG_ERROR to all domain level # - `level` can be set with none, fatal, error, warn, info, debug, trace +# logger: # level: error # # o Set OGS_LOG_DEBUG to mme/emm domain level +# logger: # level: debug # domain: mme,emm # # o Set OGS_LOG_TRACE to all domain level +# logger: # level: trace -# domain: core,ngap,nas,gmm,sbi,amf,event,tlv,mem,sock +# domain: core,sbi,ausf,event,tlv,mem,sock # logger: file: @localstatedir@/log/open5gs/amf.log # -# tls: -# enabled: auto|yes|no -# - auto: Default. Use TLS only if key/cert is available -# - yes: Use TLS always; -# reject if no key/cert available -# - no: Don't use TLS if there is an key/cert available +# o TLS enable/disable +# sbi: +# server|client: +# no_tls: false|true +# - false: (Default) Use TLS +# - true: TLS disabled # -# o Server-side Key and Certficiate +# o Verification enable/disable +# sbi: +# server|client: +# no_verify: false|true +# - false: (Default) Verify the PEER +# - true: Skip the verification step +# +# o Server-side does not use TLS +# sbi: # server: -# key: /etc/open5gs/tls/amf.key -# cert: /etc/open5gs/tls/amf.crt +# no_tls: true # -# o Client-side does not use TLS +# o Client-side skips the verification step +# sbi: # client: -# enabled: no +# no_verify: true # key: /etc/open5gs/tls/amf.key # cert: /etc/open5gs/tls/amf.crt # -# o Use the specified certificate to verify client +# o Use the specified certificate while verifying the client +# sbi: # server # cacert: /etc/open5gs/tls/ca.crt # -# o Use the specified certificate to verify server +# o Use the specified certificate while verifying the server +# sbi: # client # cacert: /etc/open5gs/tls/ca.crt # -tls: - enabled: no +sbi: server: + no_tls: 
true cacert: @sysconfdir@/open5gs/tls/ca.crt key: @sysconfdir@/open5gs/tls/amf.key cert: @sysconfdir@/open5gs/tls/amf.crt client: + no_tls: true cacert: @sysconfdir@/open5gs/tls/ca.crt key: @sysconfdir@/open5gs/tls/amf.key cert: @sysconfdir@/open5gs/tls/amf.crt -# -# amf: # # # # o SBI Server(http://:80) +# sbi: +# server: +# no_tls: true +# amf: # sbi: # # o SBI Server(http://:7777) +# sbi: +# server: +# no_tls: true +# amf: # sbi: # - addr: # - 0.0.0.0 @@ -75,17 +93,17 @@ tls: # port: 7777 # # o SBI Server(https://:443) -# tls: +# sbi: # server: # key: /etc/open5gs/tls/amf.key # cert: /etc/open5gs/tls/amf.crt # amf: # sbi: # -# o SBI Server(http://127.0.0.5:80, http://[::1]:80) -# tls: -# enabled: no +# o SBI Server(https://127.0.0.5:443, https://[::1]:443) without verification +# sbi: # server: +# no_verify: true # key: /etc/open5gs/tls/amf.key # cert: /etc/open5gs/tls/amf.crt # amf: @@ -94,29 +112,48 @@ tls: # - addr: ::1 # # o SBI Server(https://amf.open5gs.org:443) -# Use the specified certificate to verify client +# Use the specified certificate while verifying the client # -# tls: +# sbi: # server: # cacert: /etc/open5gs/tls/ca.crt +# key: /etc/open5gs/tls/amf.key +# cert: /etc/open5gs/tls/amf.crt # amf: # sbi: # - name: amf.open5gs.org # # o SBI Server(http://127.0.0.5:7777) +# sbi: +# server: +# no_tls: true +# amf: # sbi: # - addr: 127.0.0.5 # port: 7777 # # o SBI Server(http://:80) +# sbi: +# server: +# no_tls: true +# amf: # sbi: # - dev: eth0 # # o Provide custom SBI address to be advertised to NRF +# sbi: +# server: +# no_tls: true +# amf: # sbi: # - dev: eth0 # advertise: open5gs-amf.svc.local # +# o Another example of advertising on NRF +# sbi: +# server: +# no_tls: true +# amf: # sbi: # - addr: localhost # advertise: @@ -127,6 +164,10 @@ tls: # - tcp_nodelay : true # - so_linger.l_onoff : false # +# sbi: +# server: +# no_tls: true +# amf: # sbi: # addr: 127.0.0.5 # option: 
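Review bot: The live `sbi:` block now sets `no_tls: true` under both `server:` and `client:` with no comment saying that this ships the whole SBI plane in plaintext, even though the new description just above states `- false: (Default) Use TLS`; a one-line `# WARNING: development default - SBI runs over plain HTTP; set no_tls: false (and keep key/cert) before exposing these ports off-host` above `server:` would make the downgrade deliberate rather than silent. The new `no_verify` description, `# - true: Skip the verification step`, also says nothing about the consequence; suggest `# - true: Skip peer certificate verification (any certificate is accepted - test setups only)`. Separately, the trace example's `# domain: core,sbi,ausf,event,tlv,mem,sock` replaces amf's former `core,ngap,nas,gmm,sbi,amf,...`, so the example in amf.yaml.in now traces the ausf domain and drops ngap/nas/gmm/amf; this looks pasted from ausf.yaml.in and should be restored.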
@@ -138,9 +179,11 @@ tls: # # # o NF Service Name(Default : all NF services available) +# amf: # service_name: # # o NF Service Name(Only some NF services are available) +# amf: # service_name: # - namf-comm # @@ -148,12 +191,21 @@ tls: # # o (Default) If you do not set Query Parameter as shown below, # +# sbi: +# server: +# no_tls: true +# amf: # sbi: # - addr: 127.0.0.5 # port: 7777 # # - 'service-names' is included. # +# o Service-Names are not included +# sbi: +# server: +# no_tls: true +# amf: # sbi: # - addr: 127.0.0.5 # port: 7777 @@ -172,6 +224,10 @@ tls: # # o (Default) If you do not set Delegated Discovery as shown below, # +# sbi: +# server: +# no_tls: true +# amf: # sbi: # - addr: 127.0.0.5 # port: 7777 @@ -179,6 +235,10 @@ tls: # - Use SCP if SCP avaiable. Otherwise NRF is used. # => App fails if both NRF and SCP are unavailable. # +# sbi: +# server: +# no_tls: true +# amf: # sbi: # - addr: 127.0.0.5 # port: 7777 @@ -194,23 +254,28 @@ tls: # > # # o NGAP Server(all address available) +# amf: # ngap: # # o NGAP Server(0.0.0.0:38412) +# amf: # ngap: # addr: 0.0.0.0 # # o NGAP Server(127.0.0.5:38412, [::1]:38412) +# amf: # ngap: # - addr: 127.0.0.5 # - addr: ::1 # # o NGAP Server(different port) +# amf: # ngap: # - addr: 127.0.0.5 # port: 38413 # # o NGAP Server(address available in `eth0` interface) +# amf: # ngap: # dev: eth0 # @@ -218,6 +283,7 @@ tls: # - sctp_nodelay : true # - so_linger.l_onoff : false # +# amf: # ngap: # addr: 127.0.0.5 # option: @@ -237,6 +303,7 @@ tls: # - sinit_max_attempts : 4 # - sinit_max_init_timeo : 8000(8secs) # +# amf: # ngap: # addr: 127.0.0.5 # option: @@ -254,6 +321,7 @@ tls: # # # o Metrics Server(http://:9090) +# amf: # metrics: # - addr: 0.0.0.0 # port: 9090 @@ -261,6 +329,7 @@ tls: # # # o Multiple GUAMI +# amf: # guami: # - plmn_id: # mcc: 999 @@ -279,6 +348,7 @@ tls: # # # o Multiple TAI +# amf: # tai: # - plmn_id: # mcc: 001 
@@ -310,6 +380,7 @@ tls: # # # o Multiple PLMN Support +# amf: # plmn_support: # - plmn_id: # mcc: 999 @@ -325,16 +396,19 @@ tls: # # # +# amf: # network_name: # full: Open5GS # short: Next # # # +# amf: # amf_name: amf1.open5gs.amf.5gc.mnc70.mcc999.3gppnetwork.org # # - Default(255) # +# amf: # relative_capacity: 100 # amf: @@ -371,19 +445,22 @@ amf: full: Open5GS amf_name: open5gs-amf0 -# -# scp: # # > # # o SBI Client(http://127.0.1.10:7777) +# sbi: +# client: +# no_tls: true +# scp: # sbi: # addr: 127.0.1.10 # port: 7777 # -# o SBI Client(https://127.0.1.10:443, https://[::1]:443) -# tls: +# o SBI Client(https://127.0.1.10:443, https://[::1]:443) without verification +# sbi: # client: +# no_verify: true # key: /etc/open5gs/tls/amf.key # cert: /etc/open5gs/tls/amf.crt # scp: @@ -392,11 +469,13 @@ amf: # - addr: ::1 # # o SBI Client(https://scp.open5gs.org:443) -# Use the specified certificate to verify server +# Use the specified certificate while verifying the server # -# tls: +# sbi: # client: # cacert: /etc/open5gs/tls/ca.crt +# key: /etc/open5gs/tls/amf.key +# cert: /etc/open5gs/tls/amf.crt # scp: # sbi: # - name: scp.open5gs.org @@ -404,6 +483,10 @@ amf: # o SBI Client(http://[fd69:f21d:873c:fb::1]:80) # If prefer_ipv4 is true, http://127.0.1.10:80 is selected. # +# sbi: +# client: +# no_tls: true +# scp: # sbi: # addr: # - 127.0.1.10 @@ -413,6 +496,10 @@ amf: # - tcp_nodelay : true # - so_linger.l_onoff : false # +# sbi: +# client: +# no_tls: true +# scp: # sbi: # addr: 127.0.1.10 # option: @@ -427,19 +514,22 @@ scp: - addr: 127.0.1.10 port: 7777 -# -# nrf: # # > # # o SBI Client(http://127.0.0.10:7777) +# sbi: +# client: +# no_tls: true +# nrf: # sbi: # addr: 127.0.0.10 # port: 7777 # -# o SBI Client(https://127.0.0.10:443, https://[::1]:443) -# tls: +# o SBI Client(https://127.0.0.10:443, https://[::1]:443) without verification +# sbi: # client: +# no_verify: true # key: /etc/open5gs/tls/amf.key # cert: /etc/open5gs/tls/amf.crt # nrf: 
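Review bot: The new client example `o SBI Client(https://127.0.1.10:443, https://[::1]:443) without verification` pairs `no_verify: true` with the SCP endpoint but does not say that the AMF will then accept whatever certificate the peer presents, which is exactly the setting that lets a host on the path impersonate the SCP (and, in the nrf hunk that follows, the NRF). Suggest a line under the heading: `# (test only: the server certificate is not checked, so any peer can pose as the SCP)`. The `no_verify` examples also still carry `key:`/`cert:`, which is fine for mutual TLS but a reader may take the client key as the thing `no_verify` relaxes; a short `# key/cert are the AMF's own identity; no_verify only affects checking the SCP's certificate` would remove that ambiguity.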
@@ -448,11 +538,13 @@ scp: # - addr: ::1 # # o SBI Client(https://nrf.open5gs.org:443) -# Use the specified certificate to verify server +# Use the specified certificate while verifying the server # -# tls: +# sbi: # client: # cacert: /etc/open5gs/tls/ca.crt +# key: /etc/open5gs/tls/amf.key +# cert: /etc/open5gs/tls/amf.crt # nrf: # sbi: # - name: nrf.open5gs.org @@ -469,6 +561,10 @@ scp: # - tcp_nodelay : true # - so_linger.l_onoff : false # +# sbi: +# client: +# no_tls: true +# nrf: # sbi: # addr: 127.0.0.10 # option: @@ -484,26 +580,28 @@ scp: # - ::1 # port: 7777 -# -# parameter: # # o Disable use of IPv4 addresses (only IPv6) -# no_ipv4: true +# parameter: +# no_ipv4: true # # o Disable use of IPv6 addresses (only IPv4) -# no_ipv6: true +# parameter: +# no_ipv6: true # # o Prefer IPv4 instead of IPv6 for estabishing new GTP connections. -# prefer_ipv4: true +# parameter: +# prefer_ipv4: true # parameter: # -# max: -# -# o Maximum Number of UE +# o Maximum Number of UE +# max: # ue: 1024 -# o Maximum Number of Peer(S1AP/NGAP, DIAMETER, GTP, PFCP or SBI) +# +# o Maximum Number of Peer(S1AP/NGAP, DIAMETER, GTP, PFCP or SBI) +# max: # peer: 64 # max: 
@@ -514,35 +612,40 @@ max: # usrsctp: -# -# time: # # o NF Instance Heartbeat (Default : 0) # NFs will not send heart-beat timer in NFProfile # NRF will send heart-beat timer in NFProfile +# (Default values are used, so no configuration is required) # # o NF Instance Heartbeat (20 seconds) # NFs will send heart-beat timer (20 seconds) in NFProfile # NRF can change heart-beat timer in NFProfile # +# time: # nf_instance: # heartbeat: 20 # # o Message Wait Duration (Default : 10,000 ms = 10 seconds) +# (Default values are used, so no configuration is required) # # o Message Wait Duration (3000 ms) +# time: # message: # duration: 3000 # # o Handover Wait Duration (Default : 300 ms) # Time to wait for AMF to send UEContextReleaseCommand # to the source gNB after receiving HandoverNotify +# (Default values are used, so no configuration is required) # # o Handover Wait Duration (500ms) +# time: # handover: # duration: 500 # # o Timers of 5GS mobility/session management +# time: # t3502: # value: 720 # 12 minutes * 60 = 720 seconds # t3512: diff --git a/configs/open5gs/ausf.yaml.in b/configs/open5gs/ausf.yaml.in index 54e314a33..9d81a7820 100644 --- a/configs/open5gs/ausf.yaml.in +++ b/configs/open5gs/ausf.yaml.in @@ -1,20 +1,21 @@ # -# logger: -# # o Set OGS_LOG_INFO to all domain level # - If `level` is omitted, the default level is OGS_LOG_INFO) # - If `domain` is omitted, the all domain level is set from 'level' -# (Nothing is needed) +# (Default values are used, so no configuration is required) # # o Set OGS_LOG_ERROR to all domain level # - `level` can be set with none, fatal, error, warn, info, debug, trace +# logger: # level: error # # o Set OGS_LOG_DEBUG to mme/emm domain level +# logger: # level: debug # domain: mme,emm # # o Set OGS_LOG_TRACE to all domain level +# logger: # level: trace # domain: core,sbi,ausf,event,tlv,mem,sock # 
@@ -22,52 +23,69 @@ logger: file: @localstatedir@/log/open5gs/ausf.log # -# tls: -# enabled: auto|yes|no -# - auto: Default. Use TLS only if key/cert is available -# - yes: Use TLS always; -# reject if no key/cert available -# - no: Don't use TLS if there is an key/cert available +# o TLS enable/disable +# sbi: +# server|client: +# no_tls: false|true +# - false: (Default) Use TLS +# - true: TLS disabled # -# o Server-side Key and Certficiate +# o Verification enable/disable +# sbi: +# server|client: +# no_verify: false|true +# - false: (Default) Verify the PEER +# - true: Skip the verification step +# +# o Server-side does not use TLS +# sbi: # server: -# key: /etc/open5gs/tls/ausf.key -# cert: /etc/open5gs/tls/ausf.crt +# no_tls: true # -# o Client-side does not use TLS +# o Client-side skips the verification step +# sbi: # client: -# enabled: no -# key: /etc/open5gs/tls/ausf.key -# cert: /etc/open5gs/tls/ausf.crt +# no_verify: true +# key: /etc/open5gs/tls/amf.key +# cert: /etc/open5gs/tls/amf.crt # -# o Use the specified certificate to verify client +# o Use the specified certificate while verifying the client +# sbi: # server # cacert: /etc/open5gs/tls/ca.crt # -# o Use the specified certificate to verify server +# o Use the specified certificate while verifying the server +# sbi: # client # cacert: /etc/open5gs/tls/ca.crt # -tls: - enabled: no +sbi: server: + no_tls: true cacert: @sysconfdir@/open5gs/tls/ca.crt key: @sysconfdir@/open5gs/tls/ausf.key cert: @sysconfdir@/open5gs/tls/ausf.crt client: + no_tls: true cacert: @sysconfdir@/open5gs/tls/ca.crt key: @sysconfdir@/open5gs/tls/ausf.key cert: @sysconfdir@/open5gs/tls/ausf.crt -# -# ausf: # # # # o SBI Server(http://:80) +# sbi: +# server: +# no_tls: true +# ausf: # sbi: # # o SBI Server(http://:7777) +# sbi: +# server: +# no_tls: true +# ausf: # sbi: # - addr: # - 0.0.0.0 
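Review bot: The rewritten `o Client-side skips the verification step` example now points at `# key: /etc/open5gs/tls/amf.key` and `# cert: /etc/open5gs/tls/amf.crt`, whereas the lines it replaces (and the live `client:` block a few lines below) use `ausf.key`/`ausf.crt`; an operator copying the example would have the AUSF present the AMF's identity or fail on a missing file. This looks like a paste from amf.yaml.in; the example should read `# key: /etc/open5gs/tls/ausf.key` / `# cert: /etc/open5gs/tls/ausf.crt`. The description `# - true: Skip the verification step` would also be clearer if it named what is skipped: `# - true: Skip peer certificate verification (any certificate accepted - test only)`.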
@@ -75,17 +93,17 @@ tls: # port: 7777 # # o SBI Server(https://:443) -# tls: +# sbi: # server: # key: /etc/open5gs/tls/ausf.key # cert: /etc/open5gs/tls/ausf.crt # ausf: # sbi: # -# o SBI Server(http://127.0.0.11:80, http://[::1]:80) -# tls: -# enabled: no +# o SBI Server(https://127.0.0.11:443, https://[::1]:443) without verification +# sbi: # server: +# no_verify: true # key: /etc/open5gs/tls/ausf.key # cert: /etc/open5gs/tls/ausf.crt # ausf: @@ -94,29 +112,48 @@ tls: # - addr: ::1 # # o SBI Server(https://ausf.open5gs.org:443) -# Use the specified certificate to verify client +# Use the specified certificate while verifying the client # -# tls: +# sbi: # server: # cacert: /etc/open5gs/tls/ca.crt +# key: /etc/open5gs/tls/ausf.key +# cert: /etc/open5gs/tls/ausf.crt # ausf: # sbi: # - name: ausf.open5gs.org # # o SBI Server(http://127.0.0.11:7777) +# sbi: +# server: +# no_tls: true +# ausf: # sbi: # - addr: 127.0.0.11 # port: 7777 # # o SBI Server(http://:80) +# sbi: +# server: +# no_tls: true +# ausf: # sbi: # - dev: eth0 # # o Provide custom SBI address to be advertised to NRF +# sbi: +# server: +# no_tls: true +# ausf: # sbi: # - dev: eth0 # advertise: open5gs-ausf.svc.local # +# o Another example of advertising on NRF +# sbi: +# server: +# no_tls: true +# ausf: # sbi: # - addr: localhost # advertise: @@ -127,6 +164,10 @@ tls: # - tcp_nodelay : true # - so_linger.l_onoff : false # +# sbi: +# server: +# no_tls: true +# ausf: # sbi: # addr: 127.0.0.11 # option: @@ -138,9 +179,11 @@ tls: # # # o NF Service Name(Default : all NF services available) +# ausf: # service_name: # # o NF Service Name(Only some NF services are available) +# ausf: # service_name: # - nausf-auth # 
@@ -148,12 +191,21 @@ tls: # # o (Default) If you do not set Query Parameter as shown below, # +# sbi: +# server: +# no_tls: true +# ausf: # sbi: # - addr: 127.0.0.11 # port: 7777 # # - 'service-names' is included. # +# o Service-Names are not included +# sbi: +# server: +# no_tls: true +# ausf: # sbi: # - addr: 127.0.0.11 # port: 7777 @@ -172,6 +224,10 @@ tls: # # o (Default) If you do not set Delegated Discovery as shown below, # +# sbi: +# server: +# no_tls: true +# ausf: # sbi: # - addr: 127.0.0.11 # port: 7777 @@ -179,6 +235,10 @@ tls: # - Use SCP if SCP avaiable. Otherwise NRF is used. # => App fails if both NRF and SCP are unavailable. # +# sbi: +# server: +# no_tls: true +# ausf: # sbi: # - addr: 127.0.0.11 # port: 7777 @@ -196,32 +256,37 @@ ausf: - addr: 127.0.0.11 port: 7777 -# -# scp: # # > # # o SBI Client(http://127.0.1.10:7777) +# sbi: +# client: +# no_tls: true +# scp: # sbi: # addr: 127.0.1.10 # port: 7777 # -# o SBI Client(https://127.0.1.10:443, https://[::1]:443) -# tls: +# o SBI Client(https://127.0.1.10:443, https://[::1]:443) without verification +# sbi: # client: -# key: /etc/open5gs/tls/ausf.key -# cert: /etc/open5gs/tls/ausf.crt +# no_verify: true +# key: /etc/open5gs/tls/amf.key +# cert: /etc/open5gs/tls/amf.crt # scp: # sbi: # - addr: 127.0.1.10 # - addr: ::1 # # o SBI Client(https://scp.open5gs.org:443) -# Use the specified certificate to verify server +# Use the specified certificate while verifying the server # -# tls: +# sbi: # client: # cacert: /etc/open5gs/tls/ca.crt +# key: /etc/open5gs/tls/amf.key +# cert: /etc/open5gs/tls/amf.crt # scp: # sbi: # - name: scp.open5gs.org @@ -229,6 +294,10 @@ ausf: # o SBI Client(http://[fd69:f21d:873c:fb::1]:80) # If prefer_ipv4 is true, http://127.0.1.10:80 is selected. # +# sbi: +# client: +# no_tls: true +# scp: # sbi: # addr: # - 127.0.1.10 
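Review bot: Both client examples in the scp hunk (`without verification` and `Use the specified certificate while verifying the server`) replace `ausf.key`/`ausf.crt` with `# key: /etc/open5gs/tls/amf.key` and `# cert: /etc/open5gs/tls/amf.crt`, so the AUSF-to-SCP examples now name another NF's credentials; the same substitution recurs in the nrf client hunk that follows. Restore `# key: /etc/open5gs/tls/ausf.key` and `# cert: /etc/open5gs/tls/ausf.crt` in each example so the documented client identity matches the live `client:` block earlier in the file.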
@@ -238,6 +307,10 @@ ausf: # - tcp_nodelay : true # - so_linger.l_onoff : false # +# sbi: +# client: +# no_tls: true +# scp: # sbi: # addr: 127.0.1.10 # option: @@ -252,32 +325,37 @@ scp: - addr: 127.0.1.10 port: 7777 -# -# nrf: # # > # # o SBI Client(http://127.0.0.10:7777) +# sbi: +# client: +# no_tls: true +# nrf: # sbi: # addr: 127.0.0.10 # port: 7777 # -# o SBI Client(https://127.0.0.10:443, https://[::1]:443) -# tls: +# o SBI Client(https://127.0.0.10:443, https://[::1]:443) without verification +# sbi: # client: -# key: /etc/open5gs/tls/ausf.key -# cert: /etc/open5gs/tls/ausf.crt +# no_verify: true +# key: /etc/open5gs/tls/amf.key +# cert: /etc/open5gs/tls/amf.crt # nrf: # sbi: # - addr: 127.0.0.10 # - addr: ::1 # # o SBI Client(https://nrf.open5gs.org:443) -# Use the specified certificate to verify server +# Use the specified certificate while verifying the server # -# tls: +# sbi: # client: # cacert: /etc/open5gs/tls/ca.crt +# key: /etc/open5gs/tls/amf.key +# cert: /etc/open5gs/tls/amf.crt # nrf: # sbi: # - name: nrf.open5gs.org @@ -294,6 +372,10 @@ scp: # - tcp_nodelay : true # - so_linger.l_onoff : false # +# sbi: +# client: +# no_tls: true +# nrf: # sbi: # addr: 127.0.0.10 # option: 
@@ -309,47 +391,51 @@ scp: # - ::1 # port: 7777 -# -# parameter: # # o Disable use of IPv4 addresses (only IPv6) -# no_ipv4: true +# parameter: +# no_ipv4: true # # o Disable use of IPv6 addresses (only IPv4) -# no_ipv6: true +# parameter: +# no_ipv6: true # # o Prefer IPv4 instead of IPv6 for estabishing new GTP connections. -# prefer_ipv4: true +# parameter: +# prefer_ipv4: true # parameter: # -# max: -# -# o Maximum Number of UE +# o Maximum Number of UE +# max: # ue: 1024 -# o Maximum Number of Peer(S1AP/NGAP, DIAMETER, GTP, PFCP or SBI) +# +# o Maximum Number of Peer(S1AP/NGAP, DIAMETER, GTP, PFCP or SBI) +# max: # peer: 64 # max: -# -# time: # # o NF Instance Heartbeat (Default : 0) # NFs will not send heart-beat timer in NFProfile # NRF will send heart-beat timer in NFProfile +# (Default values are used, so no configuration is required) # # o NF Instance Heartbeat (20 seconds) # NFs will send heart-beat timer (20 seconds) in NFProfile # NRF can change heart-beat timer in NFProfile # +# time: # nf_instance: # heartbeat: 20 # # o Message Wait Duration (Default : 10,000 ms = 10 seconds) +# (Default values are used, so no configuration is required) # # o Message Wait Duration (3000 ms) +# time: # message: # duration: 3000 time: diff --git a/configs/open5gs/bsf.yaml.in b/configs/open5gs/bsf.yaml.in index d28482d29..25c8b8bd4 100644 --- a/configs/open5gs/bsf.yaml.in +++ b/configs/open5gs/bsf.yaml.in 
@@ -1,75 +1,93 @@ db_uri: mongodb://localhost/open5gs -# -# logger: # # o Set OGS_LOG_INFO to all domain level # - If `level` is omitted, the default level is OGS_LOG_INFO) # - If `domain` is omitted, the all domain level is set from 'level' -# (Nothing is needed) +# (Default values are used, so no configuration is required) # # o Set OGS_LOG_ERROR to all domain level # - `level` can be set with none, fatal, error, warn, info, debug, trace +# logger: # level: error # # o Set OGS_LOG_DEBUG to mme/emm domain level +# logger: # level: debug # domain: mme,emm # # o Set OGS_LOG_TRACE to all domain level +# logger: # level: trace -# domain: core,sbi,bsf,event,tlv,mem,sock +# domain: core,sbi,ausf,event,tlv,mem,sock # logger: file: @localstatedir@/log/open5gs/bsf.log # -# tls: -# enabled: auto|yes|no -# - auto: Default. Use TLS only if key/cert is available -# - yes: Use TLS always; -# reject if no key/cert available -# - no: Don't use TLS if there is an key/cert available +# o TLS enable/disable +# sbi: +# server|client: +# no_tls: false|true +# - false: (Default) Use TLS +# - true: TLS disabled # -# o Server-side Key and Certficiate +# o Verification enable/disable +# sbi: +# server|client: +# no_verify: false|true +# - false: (Default) Verify the PEER +# - true: Skip the verification step +# +# o Server-side does not use TLS +# sbi: # server: -# key: /etc/open5gs/tls/bsf.key -# cert: /etc/open5gs/tls/bsf.crt +# no_tls: true # -# o Client-side does not use TLS +# o Client-side skips the verification step +# sbi: # client: -# enabled: no -# key: /etc/open5gs/tls/bsf.key -# cert: /etc/open5gs/tls/bsf.crt +# no_verify: true +# key: /etc/open5gs/tls/amf.key +# cert: /etc/open5gs/tls/amf.crt # -# o Use the specified certificate to verify client +# o Use the specified certificate while verifying the client +# sbi: # server # cacert: /etc/open5gs/tls/ca.crt # -# o Use the specified certificate to verify server +# o Use the specified certificate while verifying the server +# 
sbi: # client # cacert: /etc/open5gs/tls/ca.crt # -tls: - enabled: no +sbi: server: + no_tls: true cacert: @sysconfdir@/open5gs/tls/ca.crt key: @sysconfdir@/open5gs/tls/bsf.key cert: @sysconfdir@/open5gs/tls/bsf.crt client: + no_tls: true cacert: @sysconfdir@/open5gs/tls/ca.crt key: @sysconfdir@/open5gs/tls/bsf.key cert: @sysconfdir@/open5gs/tls/bsf.crt -# -# bsf: # # # # o SBI Server(http://:80) +# sbi: +# server: +# no_tls: true +# bsf: # sbi: # # o SBI Server(http://:7777) +# sbi: +# server: +# no_tls: true +# bsf: # sbi: # - addr: # - 0.0.0.0 @@ -77,48 +95,67 @@ tls: # port: 7777 # # o SBI Server(https://:443) -# tls: +# sbi: # server: # key: /etc/open5gs/tls/bsf.key # cert: /etc/open5gs/tls/bsf.crt # bsf: # sbi: # -# o SBI Server(http://127.0.0.5:80, http://[::1]:80) -# tls: -# enabled: no +# o SBI Server(https://127.0.0.15:443, https://[::1]:443) without verification +# sbi: # server: +# no_verify: true # key: /etc/open5gs/tls/bsf.key # cert: /etc/open5gs/tls/bsf.crt # bsf: # sbi: -# - addr: 127.0.0.5 +# - addr: 127.0.0.15 # - addr: ::1 # # o SBI Server(https://bsf.open5gs.org:443) -# Use the specified certificate to verify client +# Use the specified certificate while verifying the client # -# tls: +# sbi: # server: # cacert: /etc/open5gs/tls/ca.crt +# key: /etc/open5gs/tls/bsf.key +# cert: /etc/open5gs/tls/bsf.crt # bsf: # sbi: # - name: bsf.open5gs.org # # o SBI Server(http://127.0.0.15:7777) +# sbi: +# server: +# no_tls: true +# bsf: # sbi: # - addr: 127.0.0.15 # port: 7777 # # o SBI Server(http://:80) +# sbi: +# server: +# no_tls: true +# bsf: # sbi: # - dev: eth0 # # o Provide custom SBI address to be advertised to NRF +# sbi: +# server: +# no_tls: true +# bsf: # sbi: # - dev: eth0 # advertise: open5gs-bsf.svc.local # +# o Another example of advertising on NRF +# sbi: +# server: +# no_tls: true +# bsf: # sbi: # - addr: localhost # advertise: 
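Review bot: Two fields in this hunk were carried over from another NF's file rather than bsf's: the trace example now reads `# domain: core,sbi,ausf,event,tlv,mem,sock` (the removed line had `bsf`, so the example in bsf.yaml.in no longer traces the bsf domain), and the `Client-side skips the verification step` example uses `# key: /etc/open5gs/tls/amf.key` / `# cert: /etc/open5gs/tls/amf.crt` while the live `client:` block a few lines down keeps `bsf.key`/`bsf.crt`. Suggest `# domain: core,sbi,bsf,event,tlv,mem,sock` and `bsf.key`/`bsf.crt` in the example. The `no_verify` description `# - true: Skip the verification step` would also benefit from naming the consequence, e.g. `# - true: Skip peer certificate verification (any certificate accepted - test only)`.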
@@ -129,6 +166,10 @@ tls: # - tcp_nodelay : true # - so_linger.l_onoff : false # +# sbi: +# server: +# no_tls: true +# bsf: # sbi: # addr: 127.0.0.15 # option: @@ -140,9 +181,11 @@ tls: # # # o NF Service Name(Default : all NF services available) +# bsf: # service_name: # # o NF Service Name(Only some NF services are available) +# bsf: # service_name: # - nbsf-management # @@ -150,12 +193,21 @@ tls: # # o (Default) If you do not set Query Parameter as shown below, # +# sbi: +# server: +# no_tls: true +# bsf: # sbi: # - addr: 127.0.0.15 # port: 7777 # # - 'service-names' is included. # +# o Service-Names are not included +# sbi: +# server: +# no_tls: true +# bsf: # sbi: # - addr: 127.0.0.15 # port: 7777 @@ -174,6 +226,10 @@ tls: # # o (Default) If you do not set Delegated Discovery as shown below, # +# sbi: +# server: +# no_tls: true +# bsf: # sbi: # - addr: 127.0.0.15 # port: 7777 @@ -181,6 +237,10 @@ tls: # - Use SCP if SCP avaiable. Otherwise NRF is used. # => App fails if both NRF and SCP are unavailable. # +# sbi: +# server: +# no_tls: true +# bsf: # sbi: # - addr: 127.0.0.15 # port: 7777 
@@ -198,32 +258,37 @@ bsf: - addr: 127.0.0.15 port: 7777 -# -# scp: # # > # # o SBI Client(http://127.0.1.10:7777) +# sbi: +# client: +# no_tls: true +# scp: # sbi: # addr: 127.0.1.10 # port: 7777 # -# o SBI Client(https://127.0.1.10:443, https://[::1]:443) -# tls: +# o SBI Client(https://127.0.1.10:443, https://[::1]:443) without verification +# sbi: # client: -# key: /etc/open5gs/tls/bsf.key -# cert: /etc/open5gs/tls/bsf.crt +# no_verify: true +# key: /etc/open5gs/tls/amf.key +# cert: /etc/open5gs/tls/amf.crt # scp: # sbi: # - addr: 127.0.1.10 # - addr: ::1 # # o SBI Client(https://scp.open5gs.org:443) -# Use the specified certificate to verify server +# Use the specified certificate while verifying the server # -# tls: +# sbi: # client: # cacert: /etc/open5gs/tls/ca.crt +# key: /etc/open5gs/tls/amf.key +# cert: /etc/open5gs/tls/amf.crt # scp: # sbi: # - name: scp.open5gs.org @@ -231,6 +296,10 @@ bsf: # o SBI Client(http://[fd69:f21d:873c:fb::1]:80) # If prefer_ipv4 is true, http://127.0.1.10:80 is selected. # +# sbi: +# client: +# no_tls: true +# scp: # sbi: # addr: # - 127.0.1.10 @@ -240,6 +309,10 @@ bsf: # - tcp_nodelay : true # - so_linger.l_onoff : false # +# sbi: +# client: +# no_tls: true +# scp: # sbi: # addr: 127.0.1.10 # option: 
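Review bot: The SCP client examples here switch from `bsf.key`/`bsf.crt` to `# key: /etc/open5gs/tls/amf.key` / `# cert: /etc/open5gs/tls/amf.crt`, so bsf.yaml.in now documents the BSF authenticating to the SCP with the AMF's credentials; the nrf client hunk that follows has the same substitution. Restore `# key: /etc/open5gs/tls/bsf.key` and `# cert: /etc/open5gs/tls/bsf.crt` to match the live `client:` block earlier in the file.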
@@ -254,32 +327,37 @@ scp: - addr: 127.0.1.10 port: 7777 -# -# nrf: # # > # # o SBI Client(http://127.0.0.10:7777) +# sbi: +# client: +# no_tls: true +# nrf: # sbi: # addr: 127.0.0.10 # port: 7777 # -# o SBI Client(https://127.0.0.10:443, https://[::1]:443) -# tls: +# o SBI Client(https://127.0.0.10:443, https://[::1]:443) without verification +# sbi: # client: -# key: /etc/open5gs/tls/bsf.key -# cert: /etc/open5gs/tls/bsf.crt +# no_verify: true +# key: /etc/open5gs/tls/amf.key +# cert: /etc/open5gs/tls/amf.crt # nrf: # sbi: # - addr: 127.0.0.10 # - addr: ::1 # # o SBI Client(https://nrf.open5gs.org:443) -# Use the specified certificate to verify server +# Use the specified certificate while verifying the server # -# tls: +# sbi: # client: # cacert: /etc/open5gs/tls/ca.crt +# key: /etc/open5gs/tls/amf.key +# cert: /etc/open5gs/tls/amf.crt # nrf: # sbi: # - name: nrf.open5gs.org @@ -296,6 +374,10 @@ scp: # - tcp_nodelay : true # - so_linger.l_onoff : false # +# sbi: +# client: +# no_tls: true +# nrf: # sbi: # addr: 127.0.0.10 # option: 
@@ -311,47 +393,51 @@ scp: # - ::1 # port: 7777 -# -# parameter: # # o Disable use of IPv4 addresses (only IPv6) -# no_ipv4: true +# parameter: +# no_ipv4: true # # o Disable use of IPv6 addresses (only IPv4) -# no_ipv6: true +# parameter: +# no_ipv6: true # # o Prefer IPv4 instead of IPv6 for estabishing new GTP connections. -# prefer_ipv4: true +# parameter: +# prefer_ipv4: true # parameter: # -# max: -# -# o Maximum Number of UE +# o Maximum Number of UE +# max: # ue: 1024 -# o Maximum Number of Peer(S1AP/NGAP, DIAMETER, GTP, PFCP or SBI) +# +# o Maximum Number of Peer(S1AP/NGAP, DIAMETER, GTP, PFCP or SBI) +# max: # peer: 64 # max: -# -# time: # # o NF Instance Heartbeat (Default : 0) # NFs will not send heart-beat timer in NFProfile # NRF will send heart-beat timer in NFProfile +# (Default values are used, so no configuration is required) # # o NF Instance Heartbeat (20 seconds) # NFs will send heart-beat timer (20 seconds) in NFProfile # NRF can change heart-beat timer in NFProfile # +# time: # nf_instance: # heartbeat: 20 # # o Message Wait Duration (Default : 10,000 ms = 10 seconds) +# (Default values are used, so no configuration is required) # # o Message Wait Duration (3000 ms) +# time: # message: # duration: 3000 time: diff --git a/configs/open5gs/hss.yaml.in b/configs/open5gs/hss.yaml.in index b6c13b9de..b9ec60e3f 100644 --- a/configs/open5gs/hss.yaml.in +++ b/configs/open5gs/hss.yaml.in 
@@ -1,24 +1,25 @@ db_uri: mongodb://localhost/open5gs -# -# logger: # # o Set OGS_LOG_INFO to all domain level # - If `level` is omitted, the default level is OGS_LOG_INFO) # - If `domain` is omitted, the all domain level is set from 'level' -# (Nothing is needed) +# (Default values are used, so no configuration is required) # # o Set OGS_LOG_ERROR to all domain level # - `level` can be set with none, fatal, error, warn, info, debug, trace +# logger: # level: error # # o Set OGS_LOG_DEBUG to mme/emm domain level +# logger: # level: debug # domain: mme,emm # # o Set OGS_LOG_TRACE to all domain level +# logger: # level: trace -# domain: core,fd,hss,event,mem,sock +# domain: core,sbi,ausf,event,tlv,mem,sock # logger: file: @localstatedir@/log/open5gs/hss.log @@ -26,29 +27,37 @@ logger: hss: freeDiameter: @sysconfdir@/freeDiameter/hss.conf -# sms_over_ims: "sip:smsc.mnc001.mcc001.3gppnetwork.org:7060;transport=tcp" - # -# parameter: +# hss: +# sms_over_ims: "sip:smsc.mnc001.mcc001.3gppnetwork.org:7060;transport=tcp" +# + # # o Disable use of IPv4 addresses (only IPv6) -# no_ipv4: true +# parameter: +# no_ipv4: true # # o Disable use of IPv6 addresses (only IPv4) -# no_ipv6: true +# parameter: +# no_ipv6: true # # o Prefer IPv4 instead of IPv6 for estabishing new GTP connections. -# prefer_ipv4: true +# parameter: +# prefer_ipv4: true +# +# o Use MongoDB Change Stream +# parameter: +# use_mongodb_change_stream: true # parameter: -# use_mongodb_change_stream: true # -# max: -# -# o Maximum Number of UE +# o Maximum Number of UE +# max: # ue: 1024 -# o Maximum Number of Peer(S1AP/NGAP, DIAMETER, GTP, PFCP or SBI) +# +# o Maximum Number of Peer(S1AP/NGAP, DIAMETER, GTP, PFCP or SBI) +# max: # peer: 64 # max: diff --git a/configs/open5gs/mme.yaml.in b/configs/open5gs/mme.yaml.in index 871c7006c..75d5d9017 100644 --- a/configs/open5gs/mme.yaml.in +++ b/configs/open5gs/mme.yaml.in 
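Review bot: The trace example's domain list changed from `core,fd,hss,event,mem,sock` to `# domain: core,sbi,ausf,event,tlv,mem,sock`, but hss.yaml.in configures a Diameter node (`hss: freeDiameter: ...` in the next hunk) with no `sbi:` section, so the new list enables the ausf domain and drops the `fd` and `hss` domains an operator would actually trace here. This looks like the ausf template pasted over; suggest restoring `# domain: core,fd,hss,event,mem,sock`.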
@@ -1,49 +1,53 @@ # -# logger: -# # o Set OGS_LOG_INFO to all domain level # - If `level` is omitted, the default level is OGS_LOG_INFO) # - If `domain` is omitted, the all domain level is set from 'level' -# (Nothing is needed) +# (Default values are used, so no configuration is required) # # o Set OGS_LOG_ERROR to all domain level # - `level` can be set with none, fatal, error, warn, info, debug, trace +# logger: # level: error # # o Set OGS_LOG_DEBUG to mme/emm domain level +# logger: # level: debug # domain: mme,emm # # o Set OGS_LOG_TRACE to all domain level +# logger: # level: trace -# domain: core,s1ap,nas,fd,gtp,mme,emm,esm,event,tlv,mem,sock +# domain: core,sbi,ausf,event,tlv,mem,sock # logger: file: @localstatedir@/log/open5gs/mme.log -# -# mme: # # > # # o S1AP Server(all address available) +# mme: # s1ap: # # o S1AP Server(0.0.0.0:36412) +# mme: # s1ap: # addr: 0.0.0.0 # # o S1AP Server(127.0.0.2:36412, [::1]:36412) +# mme: # s1ap: # - addr: 127.0.0.2 # - addr: ::1 # # o S1AP Server(different port) +# mme: # s1ap: # - addr: 127.0.0.2 # port: 36413 # # o S1AP Server(address available in `eth0` interface) +# mme: # s1ap: # dev: eth0 # @@ -51,6 +55,7 @@ logger: # - sctp_nodelay : true # - so_linger.l_onoff : false # +# mme: # s1ap: # addr: 127.0.0.2 # option: @@ -70,6 +75,7 @@ logger: # - sinit_max_attempts : 4 # - sinit_max_init_timeo : 8000(8secs) # +# mme: # s1ap: # addr: 127.0.0.2 # option: @@ -87,9 +93,11 @@ logger: # > # # o GTP-C Server(all address available) +# mme: # gtpc: # # o GTP-C Server(127.0.0.2:2123, [::1]:2123) +# mme: # gtpc: # - addr: 127.0.0.2 # - addr: ::1 @@ -97,6 +105,7 @@ logger: # # # o Single MSC/VLR(127.0.0.2) +# mme: # sgsap: # addr: 127.0.0.2 # map: @@ -123,6 +132,7 @@ logger: # lac: 43692 # # o Multiple MSC/VLR +# mme: # sgsap: # - addr: 127.0.0.2 # port: 29119 @@ -178,6 +188,7 @@ logger: # # # o Metrics Server(http://:9090) +# mme: # metrics: # - addr: 0.0.0.0 # port: 9090 
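Review bot: The trace example now reads `# domain: core,sbi,ausf,event,tlv,mem,sock` in place of `core,s1ap,nas,fd,gtp,mme,emm,esm,event,tlv,mem,sock`, so the MME's example enables the ausf and sbi domains and drops every domain the MME itself logs under (s1ap, nas, fd, gtp, mme, emm, esm), while the `o Set OGS_LOG_DEBUG to mme/emm domain level` example just above still refers to `mme,emm`. Suggest restoring `# domain: core,s1ap,nas,fd,gtp,mme,emm,esm,event,tlv,mem,sock`.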
@@ -185,6 +196,7 @@ logger: # # # o Multiple GUMMEI +# mme: # gummei: # - plmn_id: # mcc: 001 @@ -205,6 +217,7 @@ logger: # # # o Multiple TAI +# mme: # tai: # - plmn_id: # mcc: 001 @@ -235,17 +248,17 @@ logger: # # # -# +# mme: # network_name: # full: Open5GS # short: Next # # -# +# mme: # mme_name: open5gs-mme0 # # - Default(255) -# +# mme: # relative_capacity: 100 # mme: @@ -275,8 +288,6 @@ mme: full: Open5GS mme_name: open5gs-mme0 -# -# sgwc: # # # @@ -284,17 +295,20 @@ mme: # # o One SGW is defined. # If prefer_ipv4 is not true, [fd69:f21d:873c:fa::2] is selected. +# sgwc: # gtpc: # addr: # - 127.0.0.3 # - fd69:f21d:873c:fa::2 # # o Two SGW are defined. MME selects SGW with round-robin manner per UE +# sgwc: # gtpc: # - addr: 127.0.0.3 # - addr: fd69:f21d:873c:fa::2 # # o Three SGW are defined. MME selects SGW with round-robin manner per UE +# sgwc: # gtpc: # - addr # - 127.0.0.3 @@ -306,30 +320,32 @@ mme: # # # -# o Round-Robin +# o Round-Robin +# sgwc: +# gtpc: +# addr: 127.0.0.3 +# addr: 127.0.2.2 +# addr: 127.0.4.2 # -# gtpc: -# addr: 127.0.0.3 -# addr: 127.0.2.2 -# addr: 127.0.4.2 -# -# o SGW selection by eNodeB TAC +# o SGW selection by eNodeB TAC # (either single TAC or multiple TACs, DECIMAL representation) # -# gtpc: -# - addr: 127.0.0.3 -# tac: 26000 -# - addr: 127.0.2.2 -# tac: [25000, 27000, 28000] +# sgwc: +# gtpc: +# - addr: 127.0.0.3 +# tac: 26000 +# - addr: 127.0.2.2 +# tac: [25000, 27000, 28000] # # o SGW selection by e_cell_id(28bit) # (either single or multiple e_cell_id, HEX representation) # -# gtpc: -# - addr: 127.0.0.3 -# e_cell_id: abcde01 -# - addr: 127.0.2.2 -# e_cell_id: [12345, a9413, 98765] +# sgwc: +# gtpc: +# - addr: 127.0.0.3 +# e_cell_id: abcde01 +# - addr: 127.0.2.2 +# e_cell_id: [12345, a9413, 98765] # sgwc: gtpc: 
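Review bot: In the last hunk here, the re-laid-out Round-Robin example under `sgwc: gtpc:` repeats `addr:` three times as keys of one mapping (`addr: 127.0.0.3`, `addr: 127.0.2.2`, `addr: 127.0.4.2`); YAML loaders either reject duplicate keys or keep only the last, so someone copying the example presumably gets a single SGW rather than three. The two- and three-SGW examples directly above and the TAC/e_cell_id examples rewritten in this same hunk use a sequence (`- addr: 127.0.0.3`), so the round-robin example should too: `#     - addr: 127.0.0.3`, `#     - addr: 127.0.2.2`, `#     - addr: 127.0.4.2`. The defect predates the commit, but since these lines are rewritten here it is the natural place to fix it.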
@@ -344,15 +360,18 @@ sgwc: # - To use a different APN for each SMF, specify gtpc.apn as the APN name. # - If the HSS uses WebUI to set the SMF IP for each UE, # you can use a specific SMF node for each UE. +# (Default values are used, so no configuration is required) # # o Two SMF are defined. 127.0.0.4:2123 is used. # [fd69:f21d:873c:fa::3]:2123 is ignored. +# smf: # gtpc: # - addr: 127.0.0.4 # - addr: fd69:f21d:873c:fa::3 # # o One SMF is defined. if prefer_ipv4 is not true, # [fd69:f21d:873c:fa::3] is selected. +# smf: # gtpc: # - addr: # - 127.0.0.4 @@ -361,6 +380,7 @@ sgwc: # o Two SMF are defined with a different APN. # - Note that if SMF IP for UE is configured in HSS, # the following configurion for this UE is ignored. +# smf: # gtpc: # - addr: 127.0.0.4 # apn: internet @@ -368,6 +388,7 @@ sgwc: # apn: volte # # o If APN is omitted, the default APN uses the first SMF node. +# smf: # gtpc: # - addr: 127.0.0.4 # - addr: 127.0.0.5 @@ -378,31 +399,28 @@ smf: - 127.0.0.4 - ::1 -# -# parameter: # # o Disable use of IPv4 addresses (only IPv6) -# no_ipv4: true +# parameter: +# no_ipv4: true # # o Disable use of IPv6 addresses (only IPv4) -# no_ipv6: true +# parameter: +# no_ipv6: true # # o Prefer IPv4 instead of IPv6 for estabishing new GTP connections. -# prefer_ipv4: true -# -# o Use OAI UE -# - Remove HashMME in Security-mode command message -# - Use the length 1 of EPS network feature support in Attach accept message -# use_openair: true +# parameter: +# prefer_ipv4: true # parameter: # -# max: -# -# o Maximum Number of UE +# o Maximum Number of UE +# max: # ue: 1024 -# o Maximum Number of Peer(S1AP/NGAP, DIAMETER, GTP, PFCP or SBI) +# +# o Maximum Number of Peer(S1AP/NGAP, DIAMETER, GTP, PFCP or SBI) +# max: # peer: 64 # max: 
@@ -413,24 +431,27 @@ max: # usrsctp: -# -# time: # # o Message Wait Duration (Default : 10,000 ms = 10 seconds) +# (Default values are used, so no configuration is required) # # o Message Wait Duration (3000 ms) +# time: # message: # duration: 3000 # # o Handover Wait Duration (Default : 300 ms) # Time to wait for MME to send UEContextReleaseCommand # to the source eNB after receiving HandoverNotify +# (Default values are used, so no configuration is required) # # o Handover Wait Duration (500ms) +# time: # handover: # duration: 500 # # o Timers of EPS mobility/session management +# time: # t3402: # value: 720 # 12 minutes * 60 = 720 seconds # t3412: diff --git a/configs/open5gs/nrf.yaml.in b/configs/open5gs/nrf.yaml.in index f2f488000..176ba4a29 100644 --- a/configs/open5gs/nrf.yaml.in +++ b/configs/open5gs/nrf.yaml.in 
@@ -1,73 +1,91 @@ # -# logger: -# # o Set OGS_LOG_INFO to all domain level # - If `level` is omitted, the default level is OGS_LOG_INFO) # - If `domain` is omitted, the all domain level is set from 'level' -# (Nothing is needed) +# (Default values are used, so no configuration is required) # # o Set OGS_LOG_ERROR to all domain level # - `level` can be set with none, fatal, error, warn, info, debug, trace +# logger: # level: error # # o Set OGS_LOG_DEBUG to mme/emm domain level +# logger: # level: debug # domain: mme,emm # # o Set OGS_LOG_TRACE to all domain level +# logger: # level: trace -# domain: core,sbi,nrf,event,mem,sock +# domain: core,sbi,ausf,event,tlv,mem,sock # logger: file: @localstatedir@/log/open5gs/nrf.log # -# tls: -# enabled: auto|yes|no -# - auto: Default. Use TLS only if key/cert is available -# - yes: Use TLS always; -# reject if no key/cert available -# - no: Don't use TLS if there is an key/cert available +# o TLS enable/disable +# sbi: +# server|client: +# no_tls: false|true +# - false: (Default) Use TLS +# - true: TLS disabled # -# o Server-side Key and Certficiate +# o Verification enable/disable +# sbi: +# server|client: +# no_verify: false|true +# - false: (Default) Verify the PEER +# - true: Skip the verification step +# +# o Server-side does not use TLS +# sbi: # server: -# key: /etc/open5gs/tls/nrf.key -# cert: /etc/open5gs/tls/nrf.crt +# no_tls: true # -# o Client-side does not use TLS +# o Client-side skips the verification step +# sbi: # client: -# enabled: no -# key: /etc/open5gs/tls/nrf.key -# cert: /etc/open5gs/tls/nrf.crt +# no_verify: true +# key: /etc/open5gs/tls/amf.key +# cert: /etc/open5gs/tls/amf.crt # -# o Use the specified certificate to verify client +# o Use the specified certificate while verifying the client +# sbi: # server # cacert: /etc/open5gs/tls/ca.crt # -# o Use the specified certificate to verify server +# o Use the specified certificate while verifying the server +# sbi: # client # cacert: 
/etc/open5gs/tls/ca.crt # -tls: - enabled: no +sbi: server: + no_tls: true cacert: @sysconfdir@/open5gs/tls/ca.crt key: @sysconfdir@/open5gs/tls/nrf.key cert: @sysconfdir@/open5gs/tls/nrf.crt client: + no_tls: true cacert: @sysconfdir@/open5gs/tls/ca.crt key: @sysconfdir@/open5gs/tls/nrf.key cert: @sysconfdir@/open5gs/tls/nrf.crt -# -# nrf: # # # # o SBI Server(http://:80) +# sbi: +# server: +# no_tls: true +# nrf: # sbi: # # o SBI Server(http://:7777) +# sbi: +# server: +# no_tls: true +# nrf: # sbi: # - addr: # - 0.0.0.0 
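Review bot: The live `sbi` block that closes this hunk sets `no_tls: true` under both `server` and `client`, so the shipped NRF config still serves and consumes SBI over plaintext HTTP even though `cacert`/`key`/`cert` are all configured, while the commentary just above states that `no_tls: false` (TLS on) is the default — a reader who trusts the comments will assume TLS is active. State the shipped posture next to the live lines, e.g. `# Development default: no_tls: true below disables TLS; remove both lines (or set false) wherever SBI traffic leaves the host.` The new `no_verify` option also deserves a warning in its description, since skipping peer verification removes the authentication TLS provides: `# - true: Skip the verification step (test only: the peer is not authenticated)`. Separately, the client-side example in this hunk references `/etc/open5gs/tls/amf.key`/`amf.crt` inside nrf.yaml.in where the removed lines used `nrf.key`/`nrf.crt`; the NRF should present its own key pair, not another NF's identity.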
@@ -75,47 +93,81 @@ tls: # port: 7777 # # o SBI Server(https://:443) -# tls: +# sbi: # server: # key: /etc/open5gs/tls/nrf.key # cert: /etc/open5gs/tls/nrf.crt # nrf: # sbi: # -# o SBI Server(http://127.0.0.5:80, http://[::1]:80) -# tls: -# enabled: no +# o SBI Server(https://127.0.0.10:443, https://[::1]:443) without verification +# sbi: # server: +# no_verify: true # key: /etc/open5gs/tls/nrf.key # cert: /etc/open5gs/tls/nrf.crt # nrf: # sbi: -# - addr: 127.0.0.5 +# - addr: 127.0.0.10 # - addr: ::1 # # o SBI Server(https://nrf.open5gs.org:443) -# Use the specified certificate to verify client +# Use the specified certificate while verifying the client # -# tls: +# sbi: # server: # cacert: /etc/open5gs/tls/ca.crt +# key: /etc/open5gs/tls/nrf.key +# cert: /etc/open5gs/tls/nrf.crt # nrf: # sbi: # - name: nrf.open5gs.org # # o SBI Server(http://127.0.0.10:7777) +# sbi: +# server: +# no_tls: true +# nrf: # sbi: # - addr: 127.0.0.10 # port: 7777 # # o SBI Server(http://:80) +# sbi: +# server: +# no_tls: true +# nrf: # sbi: -# dev: eth0 +# - dev: eth0 +# +# o Provide custom SBI address to be advertised to NRF +# sbi: +# server: +# no_tls: true +# nrf: +# sbi: +# - dev: eth0 +# advertise: open5gs-nrf.svc.local +# +# o Another example of advertising on NRF +# sbi: +# server: +# no_tls: true +# nrf: +# sbi: +# - addr: localhost +# advertise: +# - 127.0.0.99 +# - ::1 # # o SBI Option (Default) # - tcp_nodelay : true # - so_linger.l_onoff : false # +# sbi: +# server: +# no_tls: true +# nrf: # sbi: # addr: 127.0.0.10 # option: @@ -127,9 +179,11 @@ tls: # # # o NF Service Name(Default : all NF services available) +# nrf: # service_name: # # o NF Service Name(Only some NF services are available) +# nrf: # service_name: # - nnrf-nfm # - nnrf-disc 
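Review bot: The example headed `SBI Server(https://127.0.0.10:443, https://[::1]:443) without verification` sets `no_verify: true` on the server block without saying what stops being verified; per the option description at the top of the file it skips peer verification, which on the server side presumably means client certificates are no longer checked against `cacert`. Add one line under the heading so it is not copied into a real deployment unchanged: `#   (test only: client certificates are not validated)`. The `https://nrf.open5gs.org:443` example that follows, which now carries `key`/`cert` alongside `cacert`, is the one to point operators at for a verified setup. The plain-HTTP examples consistently add `no_tls: true`, which matches the new default semantics.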
@@ -141,32 +195,37 @@ nrf: - ::1 port: 7777 -# -# scp: # # > # # o SBI Client(http://127.0.1.10:7777) +# sbi: +# client: +# no_tls: true +# scp: # sbi: # addr: 127.0.1.10 # port: 7777 # -# o SBI Client(https://127.0.1.10:443, https://[::1]:443) -# tls: +# o SBI Client(https://127.0.1.10:443, https://[::1]:443) without verification +# sbi: # client: -# key: /etc/open5gs/tls/nrf.key -# cert: /etc/open5gs/tls/nrf.crt +# no_verify: true +# key: /etc/open5gs/tls/amf.key +# cert: /etc/open5gs/tls/amf.crt # scp: # sbi: # - addr: 127.0.1.10 # - addr: ::1 # # o SBI Client(https://scp.open5gs.org:443) -# Use the specified certificate to verify server +# Use the specified certificate while verifying the server # -# tls: +# sbi: # client: # cacert: /etc/open5gs/tls/ca.crt +# key: /etc/open5gs/tls/amf.key +# cert: /etc/open5gs/tls/amf.crt # scp: # sbi: # - name: scp.open5gs.org @@ -174,6 +233,10 @@ nrf: # o SBI Client(http://[fd69:f21d:873c:fb::1]:80) # If prefer_ipv4 is true, http://127.0.1.10:80 is selected. # +# sbi: +# client: +# no_tls: true +# scp: # sbi: # addr: # - 127.0.1.10 @@ -183,6 +246,10 @@ nrf: # - tcp_nodelay : true # - so_linger.l_onoff : false # +# sbi: +# client: +# no_tls: true +# scp: # sbi: # addr: 127.0.1.10 # option: 
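Review bot: Both TLS client examples in the first hunk (`without verification` and `https://scp.open5gs.org:443`) now reference `/etc/open5gs/tls/amf.key` and `amf.crt`, replacing the `nrf.key`/`nrf.crt` pair on the removed lines, yet this is nrf.yaml.in and the live `sbi.client` block earlier in the file uses `nrf.key`/`nrf.crt`. With peer verification enabled the client certificate is the NF's identity toward the SCP, so the examples should show the NRF's own pair: `#     key: /etc/open5gs/tls/nrf.key` and `#     cert: /etc/open5gs/tls/nrf.crt`. This looks like text carried over from amf.yaml.in; the same substitution recurs in the other NF configs in this commit.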
@@ -197,62 +264,74 @@ scp: - addr: 127.0.1.10 port: 7777 -# -# parameter: + # # o Disable use of IPv4 addresses (only IPv6) -# no_ipv4: true +# parameter: +# no_ipv4: true # # o Disable use of IPv6 addresses (only IPv4) -# no_ipv6: true +# parameter: +# no_ipv6: true # # o Prefer IPv4 instead of IPv6 for estabishing new GTP connections. -# prefer_ipv4: true +# parameter: +# prefer_ipv4: true # parameter: # -# max: -# -# o Maximum Number of UE +# o Maximum Number of UE +# max: # ue: 1024 -# o Maximum Number of Peer(S1AP/NGAP, DIAMETER, GTP, PFCP or SBI) +# +# o Maximum Number of Peer(S1AP/NGAP, DIAMETER, GTP, PFCP or SBI) +# max: # peer: 64 # max: # -# time: # # o NF Instance Heartbeat (Default : 10 seconds) +# (Default values are used, so no configuration is required) # # o NF Instance Heartbeat (Disabled) +# time: # nf_instance: # heartbeat: 0 # # o NF Instance Heartbeat (5 seconds) +# time: # nf_instance: # heartbeat: 5 # # o NF Instance Validity (Default : 3600 seconds = 1 hour) +# (Default values are used, so no configuration is required) # # o NF Instance Validity (10 seconds) +# time: # nf_instance: # validity: 10 # # o Subscription Validity (Default : 86400 seconds = 1 day) +# (Default values are used, so no configuration is required) # # o Subscription Validity (Disabled) +# time: # subscription: # validity: 0 # # o Subscription Validity (3600 seconds = 1 hour) +# time: # subscription: # validity: 3600 # # o Message Wait Duration (Default : 10,000 ms = 10 seconds) +# (Default values are used, so no configuration is required) # # o Message Wait Duration (3000 ms) +# time: # message: # duration: 3000 time: diff --git a/configs/open5gs/nssf.yaml.in b/configs/open5gs/nssf.yaml.in index d4c69f2f6..b6c0557c5 100644 --- a/configs/open5gs/nssf.yaml.in +++ b/configs/open5gs/nssf.yaml.in 
@@ -1,73 +1,91 @@ # -# logger: -# # o Set OGS_LOG_INFO to all domain level # - If `level` is omitted, the default level is OGS_LOG_INFO) # - If `domain` is omitted, the all domain level is set from 'level' -# (Nothing is needed) +# (Default values are used, so no configuration is required) # # o Set OGS_LOG_ERROR to all domain level # - `level` can be set with none, fatal, error, warn, info, debug, trace +# logger: # level: error # # o Set OGS_LOG_DEBUG to mme/emm domain level +# logger: # level: debug # domain: mme,emm # # o Set OGS_LOG_TRACE to all domain level +# logger: # level: trace -# domain: core,sbi,nssf,event,tlv,mem,sock +# domain: core,sbi,ausf,event,tlv,mem,sock # logger: file: @localstatedir@/log/open5gs/nssf.log # -# tls: -# enabled: auto|yes|no -# - auto: Default. Use TLS only if key/cert is available -# - yes: Use TLS always; -# reject if no key/cert available -# - no: Don't use TLS if there is an key/cert available +# o TLS enable/disable +# sbi: +# server|client: +# no_tls: false|true +# - false: (Default) Use TLS +# - true: TLS disabled # -# o Server-side Key and Certficiate +# o Verification enable/disable +# sbi: +# server|client: +# no_verify: false|true +# - false: (Default) Verify the PEER +# - true: Skip the verification step +# +# o Server-side does not use TLS +# sbi: # server: -# key: /etc/open5gs/tls/nssf.key -# cert: /etc/open5gs/tls/nssf.crt +# no_tls: true # -# o Client-side does not use TLS +# o Client-side skips the verification step +# sbi: # client: -# enabled: no -# key: /etc/open5gs/tls/nssf.key -# cert: /etc/open5gs/tls/nssf.crt +# no_verify: true +# key: /etc/open5gs/tls/amf.key +# cert: /etc/open5gs/tls/amf.crt # -# o Use the specified certificate to verify client +# o Use the specified certificate while verifying the client +# sbi: # server # cacert: /etc/open5gs/tls/ca.crt # -# o Use the specified certificate to verify server +# o Use the specified certificate while verifying the server +# sbi: # client # cacert: 
/etc/open5gs/tls/ca.crt # -tls: - enabled: no +sbi: server: + no_tls: true cacert: @sysconfdir@/open5gs/tls/ca.crt key: @sysconfdir@/open5gs/tls/nssf.key cert: @sysconfdir@/open5gs/tls/nssf.crt client: + no_tls: true cacert: @sysconfdir@/open5gs/tls/ca.crt key: @sysconfdir@/open5gs/tls/nssf.key cert: @sysconfdir@/open5gs/tls/nssf.crt -# -# nssf: # # # # o SBI Server(http://:80) +# sbi: +# server: +# no_tls: true +# nssf: # sbi: # # o SBI Server(http://:7777) +# sbi: +# server: +# no_tls: true +# nssf: # sbi: # - addr: # - 0.0.0.0 @@ -75,48 +93,67 @@ tls: # port: 7777 # # o SBI Server(https://:443) -# tls: +# sbi: # server: # key: /etc/open5gs/tls/nssf.key # cert: /etc/open5gs/tls/nssf.crt # nssf: # sbi: # -# o SBI Server(http://127.0.0.5:80, http://[::1]:80) -# tls: -# enabled: no +# o SBI Server(https://127.0.0.14:443, https://[::1]:443) without verification +# sbi: # server: +# no_verify: true # key: /etc/open5gs/tls/nssf.key # cert: /etc/open5gs/tls/nssf.crt # nssf: # sbi: -# - addr: 127.0.0.5 +# - addr: 127.0.0.14 # - addr: ::1 # # o SBI Server(https://nssf.open5gs.org:443) -# Use the specified certificate to verify client +# Use the specified certificate while verifying the client # -# tls: +# sbi: # server: # cacert: /etc/open5gs/tls/ca.crt +# key: /etc/open5gs/tls/nssf.key +# cert: /etc/open5gs/tls/nssf.crt # nssf: # sbi: # - name: nssf.open5gs.org # # o SBI Server(http://127.0.0.14:7777) +# sbi: +# server: +# no_tls: true +# nssf: # sbi: # - addr: 127.0.0.14 # port: 7777 # # o SBI Server(http://:80) +# sbi: +# server: +# no_tls: true +# nssf: # sbi: # - dev: eth0 # # o Provide custom SBI address to be advertised to NRF +# sbi: +# server: +# no_tls: true +# nssf: # sbi: # - dev: eth0 # advertise: open5gs-nssf.svc.local # +# o Another example of advertising on NRF +# sbi: +# server: +# no_tls: true +# nssf: # sbi: # - addr: localhost # advertise: 
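Review bot: The live `sbi` block ending the first hunk keeps the NSSF on plaintext SBI (`no_tls: true` for both server and client) while the new commentary above documents TLS as the default (`no_tls: false`), and the client-side example in that commentary points at `/etc/open5gs/tls/amf.key`/`amf.crt` in what is nssf.yaml.in (the removed lines used `nssf.key`/`nssf.crt`, as the live block still does). Make the example agree with the live block: `#     key: /etc/open5gs/tls/nssf.key` and `#     cert: /etc/open5gs/tls/nssf.crt`. A one-line note beside the live `no_tls: true` lines marking them as development defaults to drop for real deployments would stop the comment and the config from contradicting each other.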
@@ -127,6 +164,10 @@ tls: # - tcp_nodelay : true # - so_linger.l_onoff : false # +# sbi: +# server: +# no_tls: true +# nssf: # sbi: # addr: 127.0.0.14 # option: @@ -141,6 +182,7 @@ tls: # - NRF[http://::1:7777/nnrf-nfm/v1/nf-instances] # NSSAI[SST:1] # +# nssf: # nsi: # - addr: ::1 # port: 7777 @@ -157,6 +199,7 @@ tls: # 2. NRF[http://127.0.0.10:7777/nnrf-nfm/v1/nf-instances] # NSSAI[SST:1, SD:009000] # +# nssf: # nsi: # - addr: ::1 # port: 7777 @@ -177,6 +220,7 @@ tls: # - tcp_nodelay : true # - so_linger.l_onoff : false # +# nssf: # nsi: # addr: ::1 # option: @@ -188,9 +232,11 @@ tls: # # # o NF Service Name(Default : all NF services available) +# nssf: # service_name: # # o NF Service Name(Only some NF services are available) +# nssf: # service_name: # - nnssf-nsselection # @@ -198,12 +244,21 @@ tls: # # o (Default) If you do not set Query Parameter as shown below, # +# sbi: +# server: +# no_tls: true +# nssf: # sbi: # - addr: 127.0.0.14 # port: 7777 # # - 'service-names' is included. # +# o Service-Names are not included +# sbi: +# server: +# no_tls: true +# nssf: # sbi: # - addr: 127.0.0.14 # port: 7777 @@ -222,6 +277,10 @@ tls: # # o (Default) If you do not set Delegated Discovery as shown below, # +# sbi: +# server: +# no_tls: true +# nssf: # sbi: # - addr: 127.0.0.14 # port: 7777 @@ -229,6 +288,10 @@ tls: # - Use SCP if SCP avaiable. Otherwise NRF is used. # => App fails if both NRF and SCP are unavailable. # +# sbi: +# server: +# no_tls: true +# nssf: # sbi: # - addr: 127.0.0.14 # port: 7777 
@@ -251,32 +314,37 @@ nssf: s_nssai: sst: 1 -# -# scp: # # > # # o SBI Client(http://127.0.1.10:7777) +# sbi: +# client: +# no_tls: true +# scp: # sbi: # addr: 127.0.1.10 # port: 7777 # -# o SBI Client(https://127.0.1.10:443, https://[::1]:443) -# tls: +# o SBI Client(https://127.0.1.10:443, https://[::1]:443) without verification +# sbi: # client: -# key: /etc/open5gs/tls/nssf.key -# cert: /etc/open5gs/tls/nssf.crt +# no_verify: true +# key: /etc/open5gs/tls/amf.key +# cert: /etc/open5gs/tls/amf.crt # scp: # sbi: # - addr: 127.0.1.10 # - addr: ::1 # # o SBI Client(https://scp.open5gs.org:443) -# Use the specified certificate to verify server +# Use the specified certificate while verifying the server # -# tls: +# sbi: # client: # cacert: /etc/open5gs/tls/ca.crt +# key: /etc/open5gs/tls/amf.key +# cert: /etc/open5gs/tls/amf.crt # scp: # sbi: # - name: scp.open5gs.org @@ -284,6 +352,10 @@ nssf: # o SBI Client(http://[fd69:f21d:873c:fb::1]:80) # If prefer_ipv4 is true, http://127.0.1.10:80 is selected. # +# sbi: +# client: +# no_tls: true +# scp: # sbi: # addr: # - 127.0.1.10 @@ -293,6 +365,10 @@ nssf: # - tcp_nodelay : true # - so_linger.l_onoff : false # +# sbi: +# client: +# no_tls: true +# scp: # sbi: # addr: 127.0.1.10 # option: 
@@ -307,32 +383,37 @@ scp: - addr: 127.0.1.10 port: 7777 -# -# nrf: # # > # # o SBI Client(http://127.0.0.10:7777) +# sbi: +# client: +# no_tls: true +# nrf: # sbi: # addr: 127.0.0.10 # port: 7777 # -# o SBI Client(https://127.0.0.10:443, https://[::1]:443) -# tls: +# o SBI Client(https://127.0.0.10:443, https://[::1]:443) without verification +# sbi: # client: -# key: /etc/open5gs/tls/nssf.key -# cert: /etc/open5gs/tls/nssf.crt +# no_verify: true +# key: /etc/open5gs/tls/amf.key +# cert: /etc/open5gs/tls/amf.crt # nrf: # sbi: # - addr: 127.0.0.10 # - addr: ::1 # # o SBI Client(https://nrf.open5gs.org:443) -# Use the specified certificate to verify server +# Use the specified certificate while verifying the server # -# tls: +# sbi: # client: # cacert: /etc/open5gs/tls/ca.crt +# key: /etc/open5gs/tls/amf.key +# cert: /etc/open5gs/tls/amf.crt # nrf: # sbi: # - name: nrf.open5gs.org @@ -345,6 +426,22 @@ scp: # - 127.0.0.10 # - fd69:f21d:873c:fa::1 # +# o SBI Option (Default) +# - tcp_nodelay : true +# - so_linger.l_onoff : false +# +# sbi: +# client: +# no_tls: true +# nrf: +# sbi: +# addr: 127.0.0.10 +# option: +# tcp_nodelay: false +# so_linger: +# l_onoff: true +# l_linger: 10 +# #nrf: # sbi: # - addr: 
@@ -352,55 +449,51 @@ scp: # - ::1 # port: 7777 -# -# parameter: # # o Disable use of IPv4 addresses (only IPv6) -# no_ipv4: true +# parameter: +# no_ipv4: true # # o Disable use of IPv6 addresses (only IPv4) -# no_ipv6: true +# parameter: +# no_ipv6: true # # o Prefer IPv4 instead of IPv6 for estabishing new GTP connections. -# prefer_ipv4: true +# parameter: +# prefer_ipv4: true # parameter: # -# max: -# -# o Maximum Number of UE +# o Maximum Number of UE +# max: # ue: 1024 -# o Maximum Number of Peer(S1AP/NGAP, DIAMETER, GTP, PFCP or SBI) +# +# o Maximum Number of Peer(S1AP/NGAP, DIAMETER, GTP, PFCP or SBI) +# max: # peer: 64 # max: -# -# time: # # o NF Instance Heartbeat (Default : 0) # NFs will not send heart-beat timer in NFProfile # NRF will send heart-beat timer in NFProfile +# (Default values are used, so no configuration is required) # # o NF Instance Heartbeat (20 seconds) # NFs will send heart-beat timer (20 seconds) in NFProfile # NRF can change heart-beat timer in NFProfile # +# time: # nf_instance: # heartbeat: 20 # -# o NF Instance Heartbeat (Disabled) -# nf_instance: -# heartbeat: 0 -# -# o NF Instance Heartbeat (10 seconds) -# nf_instance: -# heartbeat: 10 -# # o Message Wait Duration (Default : 10,000 ms = 10 seconds) +# (Default values are used, so no configuration is required) # # o Message Wait Duration (3000 ms) +# time: # message: # duration: 3000 time: diff --git a/configs/open5gs/pcf.yaml.in b/configs/open5gs/pcf.yaml.in index c79038485..939ade8d4 100644 --- a/configs/open5gs/pcf.yaml.in +++ b/configs/open5gs/pcf.yaml.in 
@@ -1,75 +1,93 @@ db_uri: mongodb://localhost/open5gs -# -# logger: # # o Set OGS_LOG_INFO to all domain level # - If `level` is omitted, the default level is OGS_LOG_INFO) # - If `domain` is omitted, the all domain level is set from 'level' -# (Nothing is needed) +# (Default values are used, so no configuration is required) # # o Set OGS_LOG_ERROR to all domain level # - `level` can be set with none, fatal, error, warn, info, debug, trace +# logger: # level: error # # o Set OGS_LOG_DEBUG to mme/emm domain level +# logger: # level: debug # domain: mme,emm # # o Set OGS_LOG_TRACE to all domain level +# logger: # level: trace -# domain: core,sbi,pcf,event,tlv,mem,sock +# domain: core,sbi,ausf,event,tlv,mem,sock # logger: file: @localstatedir@/log/open5gs/pcf.log # -# tls: -# enabled: auto|yes|no -# - auto: Default. Use TLS only if key/cert is available -# - yes: Use TLS always; -# reject if no key/cert available -# - no: Don't use TLS if there is an key/cert available +# o TLS enable/disable +# sbi: +# server|client: +# no_tls: false|true +# - false: (Default) Use TLS +# - true: TLS disabled # -# o Server-side Key and Certficiate +# o Verification enable/disable +# sbi: +# server|client: +# no_verify: false|true +# - false: (Default) Verify the PEER +# - true: Skip the verification step +# +# o Server-side does not use TLS +# sbi: # server: -# key: /etc/open5gs/tls/pcf.key -# cert: /etc/open5gs/tls/pcf.crt +# no_tls: true # -# o Client-side does not use TLS +# o Client-side skips the verification step +# sbi: # client: -# enabled: no -# key: /etc/open5gs/tls/pcf.key -# cert: /etc/open5gs/tls/pcf.crt +# no_verify: true +# key: /etc/open5gs/tls/amf.key +# cert: /etc/open5gs/tls/amf.crt # -# o Use the specified certificate to verify client +# o Use the specified certificate while verifying the client +# sbi: # server # cacert: /etc/open5gs/tls/ca.crt # -# o Use the specified certificate to verify server +# o Use the specified certificate while verifying the server +# 
sbi: # client # cacert: /etc/open5gs/tls/ca.crt # -tls: - enabled: no +sbi: server: + no_tls: true cacert: @sysconfdir@/open5gs/tls/ca.crt key: @sysconfdir@/open5gs/tls/pcf.key cert: @sysconfdir@/open5gs/tls/pcf.crt client: + no_tls: true cacert: @sysconfdir@/open5gs/tls/ca.crt key: @sysconfdir@/open5gs/tls/pcf.key cert: @sysconfdir@/open5gs/tls/pcf.crt -# -# pcf: # # # # o SBI Server(http://:80) +# sbi: +# server: +# no_tls: true +# pcf: # sbi: # # o SBI Server(http://:7777) +# sbi: +# server: +# no_tls: true +# pcf: # sbi: # - addr: # - 0.0.0.0 @@ -77,48 +95,67 @@ tls: # port: 7777 # # o SBI Server(https://:443) -# tls: +# sbi: # server: # key: /etc/open5gs/tls/pcf.key # cert: /etc/open5gs/tls/pcf.crt # pcf: # sbi: # -# o SBI Server(http://127.0.0.5:80, http://[::1]:80) -# tls: -# enabled: no +# o SBI Server(https://127.0.0.13:443, https://[::1]:443) without verification +# sbi: # server: +# no_verify: true # key: /etc/open5gs/tls/pcf.key # cert: /etc/open5gs/tls/pcf.crt # pcf: # sbi: -# - addr: 127.0.0.5 +# - addr: 127.0.0.13 # - addr: ::1 # # o SBI Server(https://pcf.open5gs.org:443) -# Use the specified certificate to verify client +# Use the specified certificate while verifying the client # -# tls: +# sbi: # server: # cacert: /etc/open5gs/tls/ca.crt +# key: /etc/open5gs/tls/pcf.key +# cert: /etc/open5gs/tls/pcf.crt # pcf: # sbi: # - name: pcf.open5gs.org # # o SBI Server(http://127.0.0.13:7777) +# sbi: +# server: +# no_tls: true +# pcf: # sbi: # - addr: 127.0.0.13 # port: 7777 # # o SBI Server(http://:80) +# sbi: +# server: +# no_tls: true +# pcf: # sbi: # - dev: eth0 # # o Provide custom SBI address to be advertised to NRF +# sbi: +# server: +# no_tls: true +# pcf: # sbi: # - dev: eth0 # advertise: open5gs-pcf.svc.local # +# o Another example of advertising on NRF +# sbi: +# server: +# no_tls: true +# pcf: # sbi: # - addr: localhost # advertise: 
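Review bot: Two pieces of copied text in the first hunk do not fit pcf.yaml.in: the trace-level logger example now reads `domain: core,sbi,ausf,event,tlv,mem,sock` (the removed line named `pcf`), and the client TLS example references `/etc/open5gs/tls/amf.key`/`amf.crt` where the removed lines used `pcf.key`/`pcf.crt` and the live `sbi.client` block below still does. Restore the PCF's own names: `# domain: core,sbi,pcf,event,tlv,mem,sock` plus `#     key: /etc/open5gs/tls/pcf.key` / `#     cert: /etc/open5gs/tls/pcf.crt`. As in the other NF configs, the live block closes the hunk with `no_tls: true` on both sides although the commentary calls TLS the default; a short note flagging those lines as development-only would avoid the contradiction.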
@@ -129,6 +166,10 @@ tls: # - tcp_nodelay : true # - so_linger.l_onoff : false # +# sbi: +# server: +# no_tls: true +# pcf: # sbi: # addr: 127.0.0.13 # option: @@ -140,9 +181,11 @@ tls: # # # o NF Service Name(Default : all NF services available) +# pcf: # service_name: # # o NF Service Name(Only some NF services are available) +# pcf: # service_name: # - npcf-am-policy-control # - npcf-smpolicycontrol @@ -181,6 +224,10 @@ tls: # # o (Default) If you do not set Delegated Discovery as shown below, # +# sbi: +# server: +# no_tls: true +# pcf: # sbi: # - addr: 127.0.0.13 # port: 7777 @@ -188,6 +235,10 @@ tls: # - Use SCP if SCP avaiable. Otherwise NRF is used. # => App fails if both NRF and SCP are unavailable. # +# sbi: +# server: +# no_tls: true +# pcf: # sbi: # - addr: 127.0.0.13 # port: 7777 @@ -200,9 +251,11 @@ tls: # o Don't use SCP server => App fails if no NRF available. # delegated: no # +# # # # o Metrics Server(http://:9090) +# pcf: # metrics: # - addr: 0.0.0.0 # port: 9090 
@@ -324,47 +377,51 @@ scp: # - ::1 # port: 7777 -# -# parameter: # # o Disable use of IPv4 addresses (only IPv6) -# no_ipv4: true +# parameter: +# no_ipv4: true # # o Disable use of IPv6 addresses (only IPv4) -# no_ipv6: true +# parameter: +# no_ipv6: true # # o Prefer IPv4 instead of IPv6 for estabishing new GTP connections. -# prefer_ipv4: true +# parameter: +# prefer_ipv4: true # parameter: # -# max: -# -# o Maximum Number of UE +# o Maximum Number of UE +# max: # ue: 1024 -# o Maximum Number of Peer(S1AP/NGAP, DIAMETER, GTP, PFCP or SBI) +# +# o Maximum Number of Peer(S1AP/NGAP, DIAMETER, GTP, PFCP or SBI) +# max: # peer: 64 # max: -# -# time: # # o NF Instance Heartbeat (Default : 0) # NFs will not send heart-beat timer in NFProfile # NRF will send heart-beat timer in NFProfile +# (Default values are used, so no configuration is required) # # o NF Instance Heartbeat (20 seconds) # NFs will send heart-beat timer (20 seconds) in NFProfile # NRF can change heart-beat timer in NFProfile # +# time: # nf_instance: # heartbeat: 20 # # o Message Wait Duration (Default : 10,000 ms = 10 seconds) +# (Default values are used, so no configuration is required) # # o Message Wait Duration (3000 ms) +# time: # message: # duration: 3000 time: diff --git a/configs/open5gs/pcrf.yaml.in b/configs/open5gs/pcrf.yaml.in index 688d6b1ac..eb38fd941 100644 --- a/configs/open5gs/pcrf.yaml.in +++ b/configs/open5gs/pcrf.yaml.in 
@@ -1,50 +1,54 @@ db_uri: mongodb://localhost/open5gs -# -# logger: # # o Set OGS_LOG_INFO to all domain level # - If `level` is omitted, the default level is OGS_LOG_INFO) # - If `domain` is omitted, the all domain level is set from 'level' -# (Nothing is needed) +# (Default values are used, so no configuration is required) # # o Set OGS_LOG_ERROR to all domain level # - `level` can be set with none, fatal, error, warn, info, debug, trace +# logger: # level: error # # o Set OGS_LOG_DEBUG to mme/emm domain level +# logger: # level: debug # domain: mme,emm # # o Set OGS_LOG_TRACE to all domain level +# logger: # level: trace -# domain: core,fd,pcrf,event,mem,sock +# domain: core,sbi,ausf,event,tlv,mem,sock +# logger: file: @localstatedir@/log/open5gs/pcrf.log pcrf: freeDiameter: @sysconfdir@/freeDiameter/pcrf.conf -# -# parameter: # # o Disable use of IPv4 addresses (only IPv6) -# no_ipv4: true +# parameter: +# no_ipv4: true # # o Disable use of IPv6 addresses (only IPv4) -# no_ipv6: true +# parameter: +# no_ipv6: true # # o Prefer IPv4 instead of IPv6 for estabishing new GTP connections. -# prefer_ipv4: true +# parameter: +# prefer_ipv4: true # parameter: # -# max: -# -# o Maximum Number of UE +# o Maximum Number of UE +# max: # ue: 1024 -# o Maximum Number of Peer(S1AP/NGAP, DIAMETER, GTP, PFCP or SBI) +# +# o Maximum Number of Peer(S1AP/NGAP, DIAMETER, GTP, PFCP or SBI) +# max: # peer: 64 # max: diff --git a/configs/open5gs/scp.yaml.in b/configs/open5gs/scp.yaml.in index 548d48361..bbee47cb0 100644 --- a/configs/open5gs/scp.yaml.in +++ b/configs/open5gs/scp.yaml.in 
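Review bot: The OGS_LOG_TRACE example now lists `domain: core,sbi,ausf,event,tlv,mem,sock` in pcrf.yaml.in, replacing `core,fd,pcrf,event,mem,sock`; the PCRF is a Diameter node (it loads `freeDiameter/pcrf.conf` in this same hunk), so the example presumably no longer enables the domains a PCRF operator would actually trace. Keep the original list: `# domain: core,fd,pcrf,event,mem,sock`. Everything else in the hunk is a comment re-layout.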
@@ -1,75 +1,93 @@ db_uri: mongodb://localhost/open5gs -# -# logger: # # o Set OGS_LOG_INFO to all domain level # - If `level` is omitted, the default level is OGS_LOG_INFO) # - If `domain` is omitted, the all domain level is set from 'level' -# (Nothing is needed) +# (Default values are used, so no configuration is required) # # o Set OGS_LOG_ERROR to all domain level # - `level` can be set with none, fatal, error, warn, info, debug, trace +# logger: # level: error # # o Set OGS_LOG_DEBUG to mme/emm domain level +# logger: # level: debug # domain: mme,emm # # o Set OGS_LOG_TRACE to all domain level +# logger: # level: trace -# domain: core,sbi,scp,event,tlv,mem,sock +# domain: core,sbi,ausf,event,tlv,mem,sock # logger: file: @localstatedir@/log/open5gs/scp.log # -# tls: -# enabled: auto|yes|no -# - auto: Default. Use TLS only if key/cert is available -# - yes: Use TLS always; -# reject if no key/cert available -# - no: Don't use TLS if there is an key/cert available +# o TLS enable/disable +# sbi: +# server|client: +# no_tls: false|true +# - false: (Default) Use TLS +# - true: TLS disabled # -# o Server-side Key and Certficiate +# o Verification enable/disable +# sbi: +# server|client: +# no_verify: false|true +# - false: (Default) Verify the PEER +# - true: Skip the verification step +# +# o Server-side does not use TLS +# sbi: # server: -# key: /etc/open5gs/tls/scp.key -# cert: /etc/open5gs/tls/scp.crt +# no_tls: true # -# o Client-side does not use TLS +# o Client-side skips the verification step +# sbi: # client: -# enabled: no -# key: /etc/open5gs/tls/scp.key -# cert: /etc/open5gs/tls/scp.crt +# no_verify: true +# key: /etc/open5gs/tls/amf.key +# cert: /etc/open5gs/tls/amf.crt # -# o Use the specified certificate to verify client +# o Use the specified certificate while verifying the client +# sbi: # server # cacert: /etc/open5gs/tls/ca.crt # -# o Use the specified certificate to verify server +# o Use the specified certificate while verifying the server +# 
sbi: # client # cacert: /etc/open5gs/tls/ca.crt # -tls: - enabled: no +sbi: server: + no_tls: true cacert: @sysconfdir@/open5gs/tls/ca.crt key: @sysconfdir@/open5gs/tls/scp.key cert: @sysconfdir@/open5gs/tls/scp.crt client: + no_tls: true cacert: @sysconfdir@/open5gs/tls/ca.crt key: @sysconfdir@/open5gs/tls/scp.key cert: @sysconfdir@/open5gs/tls/scp.crt -# -# scp: # # # # o SBI Server(http://:80) +# sbi: +# server: +# no_tls: true +# scp: # sbi: # # o SBI Server(http://:7777) +# sbi: +# server: +# no_tls: true +# scp: # sbi: # - addr: # - 0.0.0.0 @@ -77,48 +95,67 @@ tls: # port: 7777 # # o SBI Server(https://:443) -# tls: +# sbi: # server: # key: /etc/open5gs/tls/scp.key # cert: /etc/open5gs/tls/scp.crt # scp: # sbi: # -# o SBI Server(http://127.0.0.5:80, http://[::1]:80) -# tls: -# enabled: no +# o SBI Server(https://127.0.1.10:443, https://[::1]:443) without verification +# sbi: # server: +# no_verify: true # key: /etc/open5gs/tls/scp.key # cert: /etc/open5gs/tls/scp.crt # scp: # sbi: -# - addr: 127.0.0.5 +# - addr: 127.0.1.10 # - addr: ::1 # # o SBI Server(https://scp.open5gs.org:443) -# Use the specified certificate to verify client +# Use the specified certificate while verifying the client # -# tls: +# sbi: # server: # cacert: /etc/open5gs/tls/ca.crt +# key: /etc/open5gs/tls/scp.key +# cert: /etc/open5gs/tls/scp.crt # scp: # sbi: # - name: scp.open5gs.org # # o SBI Server(http://127.0.1.10:7777) +# sbi: +# server: +# no_tls: true +# scp: # sbi: # - addr: 127.0.1.10 # port: 7777 # # o SBI Server(http://:80) +# sbi: +# server: +# no_tls: true +# scp: # sbi: # - dev: eth0 # # o Provide custom SBI address to be advertised to NRF +# sbi: +# server: +# no_tls: true +# scp: # sbi: # - dev: eth0 # advertise: open5gs-scp.svc.local # +# o Another example of advertising on NRF +# sbi: +# server: +# no_tls: true +# scp: # sbi: # - addr: localhost # advertise: 
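Review bot: The live `sbi` block closing the first hunk sets `no_tls: true` for both server and client, so the SCP — which the other NF configs in this commit route their SBI client traffic through (their `scp:` sections) — ships speaking plaintext HTTP on both legs, while the commentary above says TLS is the default; that gap is where a deployment that reads the comments rather than the live lines ends up unencrypted. Add a note on the live block, e.g. `# Development default: TLS off on both legs; set no_tls: false (and keep no_verify false) on any multi-host deployment.` The client-side example in the same hunk also references `amf.key`/`amf.crt` where the removed lines and the live block use `scp.key`/`scp.crt`; the SCP should present its own certificate.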
@@ -129,6 +166,10 @@ tls: # - tcp_nodelay : true # - so_linger.l_onoff : false # +# sbi: +# server: +# no_tls: true +# scp: # sbi: # addr: 127.0.1.10 # option: @@ -141,6 +182,10 @@ tls: # # o (Default) If you do not set Delegated Discovery as shown below, # +# sbi: +# server: +# no_tls: true +# scp: # sbi: # - addr: 127.0.1.10 # port: 7777 @@ -148,6 +193,10 @@ tls: # - Use SCP if SCP avaiable. Otherwise NRF is used. # => App fails if both NRF and SCP are unavailable. # +# sbi: +# server: +# no_tls: true +# scp: # sbi: # - addr: 127.0.1.10 # port: 7777 
@@ -165,82 +214,104 @@ scp: - addr: 127.0.1.10 port: 7777 -# -# next_scp: -# # # -# o SBI Client(http://127.0.1.11:7777) +# o SBI Client(http://127.0.1.10:7777) +# sbi: +# client: +# no_tls: true +# next_scp: # sbi: -# addr: 127.0.1.11 +# addr: 127.0.1.10 # port: 7777 # -# o SBI Client(https://127.0.1.11:443, https://[::1]:443) -# tls: +# o SBI Client(https://127.0.1.10:443, https://[::1]:443) without verification +# sbi: # client: -# key: /etc/open5gs/tls/next-scp.key -# cert: /etc/open5gs/tls/next-scp.crt -# scp: +# no_verify: true +# key: /etc/open5gs/tls/amf.key +# cert: /etc/open5gs/tls/amf.crt +# next_scp: # sbi: -# - addr: 127.0.1.11 +# - addr: 127.0.1.10 # - addr: ::1 # -# o SBI Client(http://next-scp.open5gs.org:443) -# Use the specified certificate to verify server +# o SBI Client(https://scp.open5gs.org:443) +# Use the specified certificate while verifying the server # -# tls: +# sbi: # client: # cacert: /etc/open5gs/tls/ca.crt -# scp: +# key: /etc/open5gs/tls/amf.key +# cert: /etc/open5gs/tls/amf.crt +# next_scp: # sbi: # - name: scp.open5gs.org # # o SBI Client(http://[fd69:f21d:873c:fb::1]:80) -# If prefer_ipv4 is true, http://127.0.1.11:80 is selected. +# If prefer_ipv4 is true, http://127.0.1.10:80 is selected. 
# +# sbi: +# client: +# no_tls: true +# next_scp: # sbi: # addr: -# - 127.0.1.11 +# - 127.0.1.10 # - fd69:f21d:873c:fb::1 # # o SBI Option (Default) # - tcp_nodelay : true # - so_linger.l_onoff : false # +# sbi: +# client: +# no_tls: true +# next_scp: # sbi: -# addr: 127.0.1.11 +# addr: 127.0.1.10 # option: # tcp_nodelay: false # so_linger: # l_onoff: true # l_linger: 10 # - # -# nrf: + # # > # # o SBI Client(http://127.0.0.10:7777) +# sbi: +# client: +# no_tls: true +# nrf: # sbi: # addr: 127.0.0.10 # port: 7777 # -# o SBI Client(https://127.0.0.10:443, http://nrf.open5gs.org:80) +# o SBI Client(https://127.0.0.10:443, https://[::1]:443) without verification +# sbi: +# client: +# no_verify: true +# key: /etc/open5gs/tls/amf.key +# cert: /etc/open5gs/tls/amf.crt +# nrf: # sbi: # - addr: 127.0.0.10 -# tls: -# key: /etc/open5gs/tls/scp.key -# cert: /etc/open5gs/tls/scp.crt -# - name: nrf.open5gs.org +# - addr: ::1 # # o SBI Client(https://nrf.open5gs.org:443) -# Use the specified certificate to verify peer +# Use the specified certificate while verifying the server # +# sbi: +# client: +# cacert: /etc/open5gs/tls/ca.crt +# key: /etc/open5gs/tls/amf.key +# cert: /etc/open5gs/tls/amf.crt +# nrf: # sbi: # - name: nrf.open5gs.org -# tls: -# cacert: /etc/open5gs/tls/ca.crt # # o SBI Client(http://[fd69:f21d:873c:fa::1]:80) # If prefer_ipv4 is true, http://127.0.0.10:80 is selected. @@ -254,6 +325,10 @@ scp: # - tcp_nodelay : true # - so_linger.l_onoff : false # +# sbi: +# client: +# no_tls: true +# nrf: # sbi: # addr: 127.0.0.10 # option: 
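Review bot: The next_scp client examples on the new side of this hunk use `addr: 127.0.1.10`, which is the address the SCP's own `scp: sbi:` block listens on according to the context lines at the top of the hunk (`- addr: 127.0.1.10` / `port: 7777`), so as written the example would point the SCP at itself as its next hop; the replaced `127.0.1.11` appears to have been the intended peer and should probably be restored in each next_scp `addr` line and in the prefer_ipv4 sentence. The heading `o SBI Client(https://scp.open5gs.org:443)` likewise replaced `next-scp.open5gs.org`, which suggests the block was regenerated from a shared template rather than edited for this file.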
@@ -269,47 +344,51 @@ nrf: - ::1 port: 7777 -# -# parameter: # # o Disable use of IPv4 addresses (only IPv6) -# no_ipv4: true +# parameter: +# no_ipv4: true # # o Disable use of IPv6 addresses (only IPv4) -# no_ipv6: true +# parameter: +# no_ipv6: true # # o Prefer IPv4 instead of IPv6 for estabishing new GTP connections. -# prefer_ipv4: true +# parameter: +# prefer_ipv4: true # parameter: # -# max: -# -# o Maximum Number of UE +# o Maximum Number of UE +# max: # ue: 1024 -# o Maximum Number of Peer(S1AP/NGAP, DIAMETER, GTP, PFCP or SBI) +# +# o Maximum Number of Peer(S1AP/NGAP, DIAMETER, GTP, PFCP or SBI) +# max: # peer: 64 # max: -# -# time: # # o NF Instance Heartbeat (Default : 0) # NFs will not send heart-beat timer in NFProfile # NRF will send heart-beat timer in NFProfile +# (Default values are used, so no configuration is required) # # o NF Instance Heartbeat (20 seconds) # NFs will send heart-beat timer (20 seconds) in NFProfile # NRF can change heart-beat timer in NFProfile # +# time: # nf_instance: # heartbeat: 20 # # o Message Wait Duration (Default : 10,000 ms = 10 seconds) +# (Default values are used, so no configuration is required) # # o Message Wait Duration (3000 ms) +# time: # message: # duration: 3000 time: diff --git a/configs/open5gs/sgwc.yaml.in b/configs/open5gs/sgwc.yaml.in index 87710d1d6..c3ab48fd8 100644 --- a/configs/open5gs/sgwc.yaml.in +++ b/configs/open5gs/sgwc.yaml.in 
@@ -1,32 +1,32 @@ # -# logger: -# # o Set OGS_LOG_INFO to all domain level # - If `level` is omitted, the default level is OGS_LOG_INFO) # - If `domain` is omitted, the all domain level is set from 'level' -# (Nothing is needed) +# (Default values are used, so no configuration is required) # # o Set OGS_LOG_ERROR to all domain level # - `level` can be set with none, fatal, error, warn, info, debug, trace +# logger: # level: error # # o Set OGS_LOG_DEBUG to mme/emm domain level +# logger: # level: debug # domain: mme,emm # # o Set OGS_LOG_TRACE to all domain level +# logger: # level: trace -# domain: core,pfcp,gtp,sgwc,event,tlv,mem,sock +# domain: core,sbi,ausf,event,tlv,mem,sock # logger: file: @localstatedir@/log/open5gs/sgwc.log -# -# sgwc: # # # # o GTP-C Server(127.0.0.3:2123, [fd69:f21d:873c:fa::2]:2123) +# sgwc: # gtpc: # addr: # - 127.0.0.3 @@ -34,6 +34,7 @@ logger: # # o On SGW, Same Configuration(127.0.0.3:2123, # [fd69:f21d:873c:fa::2]:2123) as below. +# sgwc: # gtpc: # - addr: 127.0.0.3 # - addr: fd69:f21d:873c:fa::2 @@ -41,6 +42,7 @@ logger: # o GTP-C Option (Default) # - so_bindtodevice : NULL # +# sgwc: # gtpc: # addr: 127.0.0.3 # option: @@ -49,17 +51,20 @@ logger: # # # o PFCP Server(127.0.0.3:8805, ::1:8805) +# sgwc: # pfcp: # - addr: 127.0.0.3 # - addr: ::1 # # o PFCP-U Server(127.0.0.1:2152, [::1]:2152) +# sgwc: # pfcp: # name: localhost # # o PFCP Option (Default) # - so_bindtodevice : NULL # +# sgwc: # pfcp: # addr: 127.0.0.3 # option: @@ -71,13 +76,11 @@ sgwc: pfcp: - addr: 127.0.0.3 -# -# sgwu: # # > # # o PFCP Client(127.0.0.6:8805) -# +# sgwu: # pfcp: # addr: 127.0.0.6 # 
@@ -122,41 +125,46 @@ sgwu: pfcp: - addr: 127.0.0.6 -# -# parameter: # # o Disable use of IPv4 addresses (only IPv6) -# no_ipv4: true +# parameter: +# no_ipv4: true # # o Disable use of IPv6 addresses (only IPv4) -# no_ipv6: true +# parameter: +# no_ipv6: true # # o Prefer IPv4 instead of IPv6 for estabishing new GTP connections. -# prefer_ipv4: true +# parameter: +# prefer_ipv4: true # # o Disable selection of SGW-U PFCP in Round-Robin manner -# no_pfcp_rr_select: true +# parameter: +# no_pfcp_rr_select: true # parameter: -# -# max: # # o Maximum Number of UE -# ue: 1024 +# max: +# ue: 1024 +# # o Maximum Number of Peer(S1AP/NGAP, DIAMETER, GTP, PFCP or SBI) -# peer: 64 +# max: +# peer: 64 +# # o Maximum Number of GTP peer nodes per SGWC/SMF -# gtp_peer: 64 +# max: +# gtp_peer: 64 # max: -# -# time: # # o Message Wait Duration (Default : 10,000 ms = 10 seconds) +# (Default values are used, so no configuration is required) # # o Message Wait Duration (3000 ms) +# time: # message: # duration: 3000 time: diff --git a/configs/open5gs/sgwu.yaml.in b/configs/open5gs/sgwu.yaml.in index 8ccf94378..3f028babb 100644 --- a/configs/open5gs/sgwu.yaml.in +++ b/configs/open5gs/sgwu.yaml.in 
@@ -1,43 +1,45 @@ # -# logger: -# # o Set OGS_LOG_INFO to all domain level # - If `level` is omitted, the default level is OGS_LOG_INFO) # - If `domain` is omitted, the all domain level is set from 'level' -# (Nothing is needed) +# (Default values are used, so no configuration is required) # # o Set OGS_LOG_ERROR to all domain level # - `level` can be set with none, fatal, error, warn, info, debug, trace +# logger: # level: error # # o Set OGS_LOG_DEBUG to mme/emm domain level +# logger: # level: debug # domain: mme,emm # # o Set OGS_LOG_TRACE to all domain level +# logger: # level: trace -# domain: core,pfcp,gtp,sgwu,event,tlv,mem,sock +# domain: core,sbi,ausf,event,tlv,mem,sock # logger: file: @localstatedir@/log/open5gs/sgwu.log -# -# sgwu: # # # # o PFCP Server(127.0.0.6:8805, ::1:8805) +# sgwu: # pfcp: # - addr: 127.0.0.6 # - addr: ::1 # # o PFCP-U Server(127.0.0.1:2152, [::1]:2152) +# sgwu: # pfcp: # - name: localhost # # o PFCP Option (Default) # - so_bindtodevice : NULL # +# sgwu: # pfcp: # addr: 127.0.0.6 # option: @@ -51,10 +53,12 @@ logger: # - addr: ::1 # # o GTP-U Server(127.0.0.1:2152, [::1]:2152) +# sgwu: # gtpu: # - name: localhost # # o User Plane IP Resource information +# sgwu: # gtpu: # - addr: # - 127.0.0.6 @@ -70,20 +74,24 @@ logger: # source_interface: 1 # # o Provide custom SGW-U GTP-U address to be advertised inside S1AP messages +# sgwu: # gtpu: # - addr: 10.4.128.21 # advertise: 172.24.15.30 # +# sgwu: # gtpu: # - addr: 10.4.128.21 # advertise: # - 127.0.0.1 # - ::1 # +# sgwu: # gtpu: # - addr: 10.4.128.21 # advertise: sgw1.epc.mnc001.mcc001.3gppnetwork.org # +# sgwu: # gtpu: # - dev: ens3 # advertise: sgw1.epc.mnc001.mcc001.3gppnetwork.org @@ -91,6 +99,7 @@ logger: # o GTP-U Option (Default) # - so_bindtodevice : NULL # +# sgwu: # gtpu: # addr: 127.0.0.6 # option: 
@@ -102,48 +111,49 @@ sgwu: gtpu: - addr: 127.0.0.6 -# -# sgwc: # # > # # o PFCP Client(127.0.0.3:8805) -# +# sgwc: # pfcp: # addr: 127.0.0.3 # sgwc: -# -# parameter: # # o Disable use of IPv4 addresses (only IPv6) -# no_ipv4: true +# parameter: +# no_ipv4: true # # o Disable use of IPv6 addresses (only IPv4) -# no_ipv6: true +# parameter: +# no_ipv6: true # # o Prefer IPv4 instead of IPv6 for estabishing new GTP connections. -# prefer_ipv4: true +# parameter: +# prefer_ipv4: true # parameter: -# -# max: # # o Maximum Number of UE -# ue: 1024 +# max: +# ue: 1024 +# # o Maximum Number of Peer(S1AP/NGAP, DIAMETER, GTP, PFCP or SBI) -# peer: 64 +# max: +# peer: 64 # max: # -# time: # # o Message Wait Duration (Default : 10,000 ms = 10 seconds) +# (Default values are used, so no configuration is required) # # o Message Wait Duration (3000 ms) +# time: # message: # duration: 3000 time: diff --git a/configs/open5gs/smf.yaml.in b/configs/open5gs/smf.yaml.in index 32f6f76e5..724115ef1 100644 --- a/configs/open5gs/smf.yaml.in +++ b/configs/open5gs/smf.yaml.in 
@@ -1,73 +1,91 @@ # -# logger: -# # o Set OGS_LOG_INFO to all domain level # - If `level` is omitted, the default level is OGS_LOG_INFO) # - If `domain` is omitted, the all domain level is set from 'level' -# (Nothing is needed) +# (Default values are used, so no configuration is required) # # o Set OGS_LOG_ERROR to all domain level # - `level` can be set with none, fatal, error, warn, info, debug, trace +# logger: # level: error # # o Set OGS_LOG_DEBUG to mme/emm domain level +# logger: # level: debug # domain: mme,emm # # o Set OGS_LOG_TRACE to all domain level +# logger: # level: trace -# domain: core,fd,pfcp,gtp,smf,event,tlv,mem,sock +# domain: core,sbi,ausf,event,tlv,mem,sock # logger: file: @localstatedir@/log/open5gs/smf.log # -# tls: -# enabled: auto|yes|no -# - auto: Default. Use TLS only if key/cert is available -# - yes: Use TLS always; -# reject if no key/cert available -# - no: Don't use TLS if there is an key/cert available +# o TLS enable/disable +# sbi: +# server|client: +# no_tls: false|true +# - false: (Default) Use TLS +# - true: TLS disabled # -# o Server-side Key and Certficiate +# o Verification enable/disable +# sbi: +# server|client: +# no_verify: false|true +# - false: (Default) Verify the PEER +# - true: Skip the verification step +# +# o Server-side does not use TLS +# sbi: # server: -# key: /etc/open5gs/tls/smf.key -# cert: /etc/open5gs/tls/smf.crt +# no_tls: true # -# o Client-side does not use TLS +# o Client-side skips the verification step +# sbi: # client: -# enabled: no -# key: /etc/open5gs/tls/smf.key -# cert: /etc/open5gs/tls/smf.crt +# no_verify: true +# key: /etc/open5gs/tls/amf.key +# cert: /etc/open5gs/tls/amf.crt # -# o Use the specified certificate to verify client +# o Use the specified certificate while verifying the client +# sbi: # server # cacert: /etc/open5gs/tls/ca.crt # -# o Use the specified certificate to verify server +# o Use the specified certificate while verifying the server +# sbi: # client # cacert: 
/etc/open5gs/tls/ca.crt # -tls: - enabled: no +sbi: server: + no_tls: true cacert: @sysconfdir@/open5gs/tls/ca.crt key: @sysconfdir@/open5gs/tls/smf.key cert: @sysconfdir@/open5gs/tls/smf.crt client: + no_tls: true cacert: @sysconfdir@/open5gs/tls/ca.crt key: @sysconfdir@/open5gs/tls/smf.key cert: @sysconfdir@/open5gs/tls/smf.crt -# -# smf: # # # # o SBI Server(http://:80) +# sbi: +# server: +# no_tls: true +# smf: # sbi: # # o SBI Server(http://:7777) +# sbi: +# server: +# no_tls: true +# smf: # sbi: # - addr: # - 0.0.0.0 @@ -75,48 +93,67 @@ tls: # port: 7777 # # o SBI Server(https://:443) -# tls: +# sbi: # server: # key: /etc/open5gs/tls/smf.key # cert: /etc/open5gs/tls/smf.crt # smf: # sbi: # -# o SBI Server(http://127.0.0.5:80, http://[::1]:80) -# tls: -# enabled: no +# o SBI Server(https://127.0.0.4:443, https://[::1]:443) without verification +# sbi: # server: +# no_verify: true # key: /etc/open5gs/tls/smf.key # cert: /etc/open5gs/tls/smf.crt # smf: # sbi: -# - addr: 127.0.0.5 +# - addr: 127.0.0.4 # - addr: ::1 # # o SBI Server(https://smf.open5gs.org:443) -# Use the specified certificate to verify client +# Use the specified certificate while verifying the client # -# tls: +# sbi: # server: # cacert: /etc/open5gs/tls/ca.crt +# key: /etc/open5gs/tls/smf.key +# cert: /etc/open5gs/tls/smf.crt # smf: # sbi: # - name: smf.open5gs.org # # o SBI Server(http://127.0.0.4:7777) +# sbi: +# server: +# no_tls: true +# smf: # sbi: # - addr: 127.0.0.4 # port: 7777 # # o SBI Server(http://:80) +# sbi: +# server: +# no_tls: true +# smf: # sbi: # - dev: eth0 # # o Provide custom SBI address to be advertised to NRF +# sbi: +# server: +# no_tls: true +# smf: # sbi: # - dev: eth0 # advertise: open5gs-smf.svc.local # +# o Another example of advertising on NRF +# sbi: +# server: +# no_tls: true +# smf: # sbi: # - addr: localhost # advertise: 
@@ -127,6 +164,10 @@ tls: # - tcp_nodelay : true # - so_linger.l_onoff : false # +# sbi: +# server: +# no_tls: true +# smf: # sbi: # addr: 127.0.0.4 # option: @@ -135,12 +176,15 @@ tls: # l_onoff: true # l_linger: 10 # +# # # # o NF Service Name(Default : all NF services available) +# smf: # service_name: # # o NF Service Name(Only some NF services are available) +# smf: # service_name: # - nsmf-pdusession # @@ -148,12 +192,21 @@ tls: # # o (Default) If you do not set Query Parameter as shown below, # +# sbi: +# server: +# no_tls: true +# smf: # sbi: # - addr: 127.0.0.4 # port: 7777 # # - 'service-names' is included. # +# o Service-Names are not included +# sbi: +# server: +# no_tls: true +# smf: # sbi: # - addr: 127.0.0.4 # port: 7777 @@ -172,6 +225,10 @@ tls: # # o (Default) If you do not set Delegated Discovery as shown below, # +# sbi: +# server: +# no_tls: true +# smf: # sbi: # - addr: 127.0.0.4 # port: 7777 @@ -179,6 +236,10 @@ tls: # - Use SCP if SCP avaiable. Otherwise NRF is used. # => App fails if both NRF and SCP are unavailable. # +# sbi: +# server: +# no_tls: true +# smf: # sbi: # - addr: 127.0.0.4 # port: 7777 @@ -191,21 +252,23 @@ tls: # o Don't use SCP server => App fails if no NRF available. # delegated: no # -# # # # o PFCP Server(127.0.0.4:8805, ::1:8805) +# smf: # pfcp: # - addr: 127.0.0.4 # - addr: ::1 # # o PFCP-U Server(127.0.0.1:2152, [::1]:2152) +# smf: # pfcp: # name: localhost # # o PFCP Option (Default) # - so_bindtodevice : NULL # +# smf: # pfcp: # addr: 127.0.0.4 # option: @@ -214,6 +277,7 @@ tls: # # # o GTP-C Server(127.0.0.4:2123, [fd69:f21d:873c:fa::3]:2123) +# smf: # gtpc: # addr: # - 127.0.0.4 @@ -221,6 +285,7 @@ tls: # # o On SMF, Same configuration # (127.0.0.4:2123, [fd69:f21d:873c:fa::3]:2123). +# smf: # gtpc: # - addr: 127.0.0.4 # - addr: fd69:f21d:873c:fa::3 @@ -228,6 +293,7 @@ tls: # o GTP-C Option (Default) # - so_bindtodevice : NULL # +# smf: # gtpc: # addr: 127.0.0.4 # option: 
@@ -236,17 +302,20 @@ tls: # > # # o GTP-U Server(127.0.0.4:2152, [::1]:2152) +# smf: # gtpu: # - addr: 127.0.0.4 # - addr: ::1 # # o GTP-U Server(127.0.0.1:2152, [::1]:2152) +# smf: # gtpu: # name: localhost # # o GTP-U Option (Default) # - so_bindtodevice : NULL # +# smf: # gtpu: # addr: 127.0.0.4 # option: @@ -255,6 +324,7 @@ tls: # # # o Metrics Server(http://:9090) +# smf: # metrics: # - addr: 0.0.0.0 # port: 9090 @@ -262,10 +332,12 @@ tls: # # # o IPv4 Pool +# smf: # subnet: # addr: 10.45.0.1/16 # # o IPv4/IPv6 Pool +# smf: # subnet: # - addr: 10.45.0.1/16 # - addr: 2001:db8:cafe::1/48 @@ -274,6 +346,7 @@ tls: # o Specific DNN/APN(e.g 'ims') uses 10.46.0.1/16, 2001:db8:babe::1/48 # ; If the UE has unknown DNN/APN(not internet/ims), SMF/UPF will crash. # +# smf: # subnet: # - addr: 10.45.0.1/16 # dnn: internet @@ -287,6 +360,7 @@ tls: # o Specific DNN/APN with the FALLBACK SUBNET(10.47.0.1/16) # ; Note that put the FALLBACK SUBNET last to avoid SMF/UPF crash. # +# smf: # subnet: # - addr: 10.45.0.1/16 # dnn: internet @@ -295,22 +369,26 @@ tls: # - addr: 10.50.0.1/16 ## FALLBACK SUBNET # # o Pool Range Sample +# smf: # subnet: # - addr: 10.45.0.1/24 # range: 10.45.0.100-10.45.0.200 # +# smf: # subnet: # - addr: 10.45.0.1/24 # range: # - 10.45.0.5-10.45.0.50 # - 10.45.0.100- # +# smf: # subnet: # - addr: 10.45.0.1/24 # range: # - -10.45.0.200 # - 10.45.0.210-10.45.0.220 # +# smf: # subnet: # - addr: 10.45.0.1/16 # range: @@ -325,6 +403,7 @@ tls: # # o Primary/Secondary can be configured. Others are ignored. # +# smf: # dns: # - 8.8.8.8 # - 8.8.4.4 @@ -343,6 +422,7 @@ tls: # # o Proxy Call Session Control Function # +# smf: # p-cscf: # - 127.0.0.1 # - ::1 @@ -356,6 +436,7 @@ tls: # reject subscribers if no OCS available among Diameter peers # o no: Don't use Gy interface if there is an OCS available # +# smf: # ctf: # enabled: auto|yes|no # 
@@ -368,6 +449,7 @@ tls: # Note that if there is no SmfInfo, any AMF can select this SMF. # # o S-NSSAI[SST:1] and DNN[internet] - At least 1 DNN is required in S-NSSAI +# smf: # info: # - s_nssai: # - sst: 1 @@ -375,6 +457,7 @@ tls: # - internet # # o S-NSSAI[SST:1 SD:009000] and DNN[internet or ims] +# smf: # info: # - s_nssai: # - sst: 1 @@ -384,6 +467,7 @@ tls: # - ims # # o S-NSSAI[SST:1] and DNN[internet] and TAI[PLMN-ID:99970 TAC:1] +# smf: # info: # - s_nssai: # - sst: 1 @@ -400,6 +484,7 @@ tls: # - S-NSSAI[SST:2 SD:000080] and DNN[internet or ims] # - S-NSSAI[SST:4] and DNN[internet] and TAI[PLMN-ID:99970 TAC:10-20,30-40] # +# smf: # info: # - s_nssai: # - sst: 1 @@ -430,6 +515,7 @@ tls: # - 30-40 # # o Complex Example +# smf: # info: # - s_nssai: # - sst: 1 @@ -497,6 +583,7 @@ tls: # If you set the security_indication in smf.yaml, # this information is delivered using PDU Session Resource Request Transfer IE # +# smf: # security_indication: # integrity_protection_indication: required|preferred|not-needed # confidentiality_protection_indication: required|preferred|not-needed 
@@ -532,35 +619,48 @@ smf: enabled: auto freeDiameter: @sysconfdir@/freeDiameter/smf.conf -# -# scp: # # > # # o SBI Client(http://127.0.1.10:7777) +# sbi: +# client: +# no_tls: true +# scp: # sbi: # addr: 127.0.1.10 # port: 7777 # -# o SBI Client(https://127.0.1.10:443, http://scp.open5gs.org:80) +# o SBI Client(https://127.0.1.10:443, https://[::1]:443) without verification +# sbi: +# client: +# no_verify: true +# key: /etc/open5gs/tls/amf.key +# cert: /etc/open5gs/tls/amf.crt +# scp: # sbi: # - addr: 127.0.1.10 -# tls: -# key: /etc/open5gs/tls/smf.key -# cert: /etc/open5gs/tls/smf.crt -# - name: scp.open5gs.org +# - addr: ::1 # # o SBI Client(https://scp.open5gs.org:443) -# Use the specified certificate to verify peer +# Use the specified certificate while verifying the server # +# sbi: +# client: +# cacert: /etc/open5gs/tls/ca.crt +# key: /etc/open5gs/tls/amf.key +# cert: /etc/open5gs/tls/amf.crt +# scp: # sbi: # - name: scp.open5gs.org -# tls: -# cacert: /etc/open5gs/tls/ca.crt # # o SBI Client(http://[fd69:f21d:873c:fb::1]:80) # If prefer_ipv4 is true, http://127.0.1.10:80 is selected. # +# sbi: +# client: +# no_tls: true +# scp: # sbi: # addr: # - 127.0.1.10 @@ -570,6 +670,10 @@ smf: # - tcp_nodelay : true # - so_linger.l_onoff : false # +# sbi: +# client: +# no_tls: true +# scp: # sbi: # addr: 127.0.1.10 # option: 
@@ -584,32 +688,37 @@ scp: - addr: 127.0.1.10 port: 7777 -# -# nrf: # # > # -# o SBI Client(http://127.0.0.1:7777) +# o SBI Client(http://127.0.0.10:7777) +# sbi: +# client: +# no_tls: true +# nrf: # sbi: # addr: 127.0.0.10 # port: 7777 # -# o SBI Client(https://127.0.0.10:443, https://[::1]:443) -# tls: +# o SBI Client(https://127.0.0.10:443, https://[::1]:443) without verification +# sbi: # client: -# key: /etc/open5gs/tls/smf.key -# cert: /etc/open5gs/tls/smf.crt +# no_verify: true +# key: /etc/open5gs/tls/amf.key +# cert: /etc/open5gs/tls/amf.crt # nrf: # sbi: # - addr: 127.0.0.10 # - addr: ::1 # # o SBI Client(https://nrf.open5gs.org:443) -# Use the specified certificate to verify server +# Use the specified certificate while verifying the server # -# tls: +# sbi: # client: # cacert: /etc/open5gs/tls/ca.crt +# key: /etc/open5gs/tls/amf.key +# cert: /etc/open5gs/tls/amf.crt # nrf: # sbi: # - name: nrf.open5gs.org @@ -626,6 +735,10 @@ scp: # - tcp_nodelay : true # - so_linger.l_onoff : false # +# sbi: +# client: +# no_tls: true +# nrf: # sbi: # addr: 127.0.0.10 # option: @@ -641,13 +754,11 @@ scp: # - ::1 # port: 7777 -# -# upf: # # > # # o PFCP Client(127.0.0.7:8805) -# +# upf: # pfcp: # addr: 127.0.0.7 # 
@@ -697,56 +808,63 @@ upf: pfcp: - addr: 127.0.0.7 -# -# parameter: # # o Disable use of IPv4 addresses (only IPv6) -# no_ipv4: true +# parameter: +# no_ipv4: true # # o Disable use of IPv6 addresses (only IPv4) -# no_ipv6: true +# parameter: +# no_ipv6: true # # o Prefer IPv4 instead of IPv6 for estabishing new GTP connections. -# prefer_ipv4: true +# parameter: +# prefer_ipv4: true # # o Disable selection of UPF PFCP in Round-Robin manner -# no_pfcp_rr_select: true +# parameter: +# no_pfcp_rr_select: true # # o Legacy support for pre-release LTE 11 devices # - Omits adding local address in packet filters for compatibility -# no_ipv4v6_local_addr_in_packet_filter: true +# parameter: +# no_ipv4v6_local_addr_in_packet_filter: true # parameter: -# -# max: # # o Maximum Number of UE -# ue: 1024 +# max: +# ue: 1024 +# # o Maximum Number of Peer(S1AP/NGAP, DIAMETER, GTP, PFCP or SBI) -# peer: 64 +# max: +# peer: 64 +# # o Maximum Number of GTP peer nodes per SGWC/SMF -# gtp_peer: 64 +# max: +# gtp_peer: 64 # max: -# -# time: # # o NF Instance Heartbeat (Default : 0) # NFs will not send heart-beat timer in NFProfile # NRF will send heart-beat timer in NFProfile +# (Default values are used, so no configuration is required) # # o NF Instance Heartbeat (20 seconds) # NFs will send heart-beat timer (20 seconds) in NFProfile # NRF can change heart-beat timer in NFProfile -# +# time: # nf_instance: # heartbeat: 20 # # o Message Wait Duration (Default : 10,000 ms = 10 seconds) +# (Default values are used, so no configuration is required) # # o Message Wait Duration (3000 ms) +# time: # message: # duration: 3000 # @@ -754,8 +872,10 @@ max: # Time to wait for SMF to send # PFCP Session Modification Request(Remove Indirect Tunnel) to the UPF # after sending Nsmf_PDUSession_UpdateSMContext Response(hoState:COMPLETED) +# (Default values are used, so no configuration is required) # # o Handover Wait Duration (500ms) +# time: # handover: # duration: 500 time: 
diff --git a/configs/open5gs/udm.yaml.in b/configs/open5gs/udm.yaml.in index dc3401b2a..e1486c06a 100644 --- a/configs/open5gs/udm.yaml.in +++ b/configs/open5gs/udm.yaml.in 
@@ -1,60 +1,72 @@ # -# logger: -# # o Set OGS_LOG_INFO to all domain level # - If `level` is omitted, the default level is OGS_LOG_INFO) # - If `domain` is omitted, the all domain level is set from 'level' -# (Nothing is needed) +# (Default values are used, so no configuration is required) # # o Set OGS_LOG_ERROR to all domain level # - `level` can be set with none, fatal, error, warn, info, debug, trace +# logger: # level: error # # o Set OGS_LOG_DEBUG to mme/emm domain level +# logger: # level: debug # domain: mme,emm # # o Set OGS_LOG_TRACE to all domain level +# logger: # level: trace -# domain: core,sbi,udm,event,tlv,mem,sock +# domain: core,sbi,ausf,event,tlv,mem,sock # logger: file: @localstatedir@/log/open5gs/udm.log # -# tls: -# enabled: auto|yes|no -# - auto: Default. Use TLS only if key/cert is available -# - yes: Use TLS always; -# reject if no key/cert available -# - no: Don't use TLS if there is an key/cert available +# o TLS enable/disable +# sbi: +# server|client: +# no_tls: false|true +# - false: (Default) Use TLS +# - true: TLS disabled # -# o Server-side Key and Certficiate +# o Verification enable/disable +# sbi: +# server|client: +# no_verify: false|true +# - false: (Default) Verify the PEER +# - true: Skip the verification step +# +# o Server-side does not use TLS +# sbi: # server: -# key: /etc/open5gs/tls/udm.key -# cert: /etc/open5gs/tls/udm.crt +# no_tls: true # -# o Client-side does not use TLS +# o Client-side skips the verification step +# sbi: # client: -# enabled: no -# key: /etc/open5gs/tls/udm.key -# cert: /etc/open5gs/tls/udm.crt +# no_verify: true +# key: /etc/open5gs/tls/amf.key +# cert: /etc/open5gs/tls/amf.crt # -# o Use the specified certificate to verify client +# o Use the specified certificate while verifying the client +# sbi: # server # cacert: /etc/open5gs/tls/ca.crt # -# o Use the specified certificate to verify server +# o Use the specified certificate while verifying the server +# sbi: # client # cacert: 
/etc/open5gs/tls/ca.crt # -tls: - enabled: no +sbi: server: + no_tls: true cacert: @sysconfdir@/open5gs/tls/ca.crt key: @sysconfdir@/open5gs/tls/udm.key cert: @sysconfdir@/open5gs/tls/udm.crt client: + no_tls: true cacert: @sysconfdir@/open5gs/tls/ca.crt key: @sysconfdir@/open5gs/tls/udm.key cert: @sysconfdir@/open5gs/tls/udm.crt @@ -114,15 +126,21 @@ hnet: scheme: 2 key: @sysconfdir@/open5gs/hnet/secp256r1-6.key -# -# udm: # # # # o SBI Server(http://:80) +# sbi: +# server: +# no_tls: true +# udm: # sbi: # # o SBI Server(http://:7777) +# sbi: +# server: +# no_tls: true +# udm: # sbi: # - addr: # - 0.0.0.0 @@ -130,48 +148,67 @@ hnet: # port: 7777 # # o SBI Server(https://:443) -# tls: +# sbi: # server: # key: /etc/open5gs/tls/udm.key # cert: /etc/open5gs/tls/udm.crt # udm: # sbi: # -# o SBI Server(http://127.0.0.5:80, http://[::1]:80) -# tls: -# enabled: no +# o SBI Server(https://127.0.0.12:443, https://[::1]:443) without verification +# sbi: # server: +# no_verify: true # key: /etc/open5gs/tls/udm.key # cert: /etc/open5gs/tls/udm.crt # udm: # sbi: -# - addr: 127.0.0.5 +# - addr: 127.0.0.12 # - addr: ::1 # # o SBI Server(https://udm.open5gs.org:443) -# Use the specified certificate to verify client +# Use the specified certificate while verifying the client # -# tls: +# sbi: # server: # cacert: /etc/open5gs/tls/ca.crt +# key: /etc/open5gs/tls/udm.key +# cert: /etc/open5gs/tls/udm.crt # udm: # sbi: # - name: udm.open5gs.org # # o SBI Server(http://127.0.0.12:7777) +# sbi: +# server: +# no_tls: true +# udm: # sbi: # - addr: 127.0.0.12 # port: 7777 # # o SBI Server(http://:80) +# sbi: +# server: +# no_tls: true +# udm: # sbi: # - dev: eth0 # # o Provide custom SBI address to be advertised to NRF +# sbi: +# server: +# no_tls: true +# udm: # sbi: # - dev: eth0 # advertise: open5gs-udm.svc.local # +# o Another example of advertising on NRF +# sbi: +# server: +# no_tls: true +# udm: # sbi: # - addr: localhost # advertise: 
@@ -182,6 +219,10 @@ hnet: # - tcp_nodelay : true # - so_linger.l_onoff : false # +# sbi: +# server: +# no_tls: true +# udm: # sbi: # addr: 127.0.0.12 # option: @@ -193,9 +234,11 @@ hnet: # # # o NF Service Name(Default : all NF services available) +# udm: # service_name: # # o NF Service Name(Only some NF services are available) +# udm: # service_name: # - nudm-sdm # - nudm-uecm @@ -205,12 +248,21 @@ hnet: # # o (Default) If you do not set Query Parameter as shown below, # +# sbi: +# server: +# no_tls: true +# udm: # sbi: # - addr: 127.0.0.12 # port: 7777 # # - 'service-names' is included. # +# o Service-Names are not included +# sbi: +# server: +# no_tls: true +# udm: # sbi: # - addr: 127.0.0.12 # port: 7777 @@ -229,6 +281,10 @@ hnet: # # o (Default) If you do not set Delegated Discovery as shown below, # +# sbi: +# server: +# no_tls: true +# udm: # sbi: # - addr: 127.0.0.12 # port: 7777 @@ -236,6 +292,10 @@ hnet: # - Use SCP if SCP avaiable. Otherwise NRF is used. # => App fails if both NRF and SCP are unavailable. # +# sbi: +# server: +# no_tls: true +# udm: # sbi: # - addr: 127.0.0.12 # port: 7777 
@@ -253,35 +313,48 @@ udm: - addr: 127.0.0.12 port: 7777 -# -# scp: # # > # # o SBI Client(http://127.0.1.10:7777) +# sbi: +# client: +# no_tls: true +# scp: # sbi: # addr: 127.0.1.10 # port: 7777 # -# o SBI Client(https://127.0.1.10:443, http://scp.open5gs.org:80) +# o SBI Client(https://127.0.1.10:443, https://[::1]:443) without verification +# sbi: +# client: +# no_verify: true +# key: /etc/open5gs/tls/amf.key +# cert: /etc/open5gs/tls/amf.crt +# scp: # sbi: # - addr: 127.0.1.10 -# tls: -# key: /etc/open5gs/tls/udm.key -# cert: /etc/open5gs/tls/udm.crt -# - name: scp.open5gs.org +# - addr: ::1 # # o SBI Client(https://scp.open5gs.org:443) -# Use the specified certificate to verify peer +# Use the specified certificate while verifying the server # +# sbi: +# client: +# cacert: /etc/open5gs/tls/ca.crt +# key: /etc/open5gs/tls/amf.key +# cert: /etc/open5gs/tls/amf.crt +# scp: # sbi: # - name: scp.open5gs.org -# tls: -# cacert: /etc/open5gs/tls/ca.crt # # o SBI Client(http://[fd69:f21d:873c:fb::1]:80) # If prefer_ipv4 is true, http://127.0.1.10:80 is selected. # +# sbi: +# client: +# no_tls: true +# scp: # sbi: # addr: # - 127.0.1.10 @@ -291,6 +364,10 @@ udm: # - tcp_nodelay : true # - so_linger.l_onoff : false # +# sbi: +# client: +# no_tls: true +# scp: # sbi: # addr: 127.0.1.10 # option: 
@@ -305,32 +382,37 @@ scp: - addr: 127.0.1.10 port: 7777 -# -# nrf: # # > # # o SBI Client(http://127.0.0.10:7777) +# sbi: +# client: +# no_tls: true +# nrf: # sbi: # addr: 127.0.0.10 # port: 7777 # -# o SBI Client(https://127.0.0.10:443, https://[::1]:443) -# tls: +# o SBI Client(https://127.0.0.10:443, https://[::1]:443) without verification +# sbi: # client: -# key: /etc/open5gs/tls/udm.key -# cert: /etc/open5gs/tls/udm.crt +# no_verify: true +# key: /etc/open5gs/tls/amf.key +# cert: /etc/open5gs/tls/amf.crt # nrf: # sbi: # - addr: 127.0.0.10 # - addr: ::1 # # o SBI Client(https://nrf.open5gs.org:443) -# Use the specified certificate to verify server +# Use the specified certificate while verifying the server # -# tls: +# sbi: # client: # cacert: /etc/open5gs/tls/ca.crt +# key: /etc/open5gs/tls/amf.key +# cert: /etc/open5gs/tls/amf.crt # nrf: # sbi: # - name: nrf.open5gs.org @@ -347,6 +429,10 @@ scp: # - tcp_nodelay : true # - so_linger.l_onoff : false # +# sbi: +# client: +# no_tls: true +# nrf: # sbi: # addr: 127.0.0.10 # option: 
@@ -362,47 +448,51 @@ scp: # - ::1 # port: 7777 -# -# parameter: # # o Disable use of IPv4 addresses (only IPv6) -# no_ipv4: true +# parameter: +# no_ipv4: true # # o Disable use of IPv6 addresses (only IPv4) -# no_ipv6: true +# parameter: +# no_ipv6: true # # o Prefer IPv4 instead of IPv6 for estabishing new GTP connections. -# prefer_ipv4: true +# parameter: +# prefer_ipv4: true # parameter: # -# max: -# -# o Maximum Number of UE +# o Maximum Number of UE +# max: # ue: 1024 -# o Maximum Number of Peer(S1AP/NGAP, DIAMETER, GTP, PFCP or SBI) +# +# o Maximum Number of Peer(S1AP/NGAP, DIAMETER, GTP, PFCP or SBI) +# max: # peer: 64 # max: -# -# time: # # o NF Instance Heartbeat (Default : 0) # NFs will not send heart-beat timer in NFProfile # NRF will send heart-beat timer in NFProfile +# (Default values are used, so no configuration is required) # # o NF Instance Heartbeat (20 seconds) # NFs will send heart-beat timer (20 seconds) in NFProfile # NRF can change heart-beat timer in NFProfile # +# time: # nf_instance: # heartbeat: 20 # # o Message Wait Duration (Default : 10,000 ms = 10 seconds) +# (Default values are used, so no configuration is required) # # o Message Wait Duration (3000 ms) +# time: # message: # duration: 3000 time: diff --git a/configs/open5gs/udr.yaml.in b/configs/open5gs/udr.yaml.in index d7fdf69b2..b27aaa6f3 100644 --- a/configs/open5gs/udr.yaml.in +++ b/configs/open5gs/udr.yaml.in 
@@ -1,75 +1,93 @@ db_uri: mongodb://localhost/open5gs -# -# logger: # # o Set OGS_LOG_INFO to all domain level # - If `level` is omitted, the default level is OGS_LOG_INFO) # - If `domain` is omitted, the all domain level is set from 'level' -# (Nothing is needed) +# (Default values are used, so no configuration is required) # # o Set OGS_LOG_ERROR to all domain level # - `level` can be set with none, fatal, error, warn, info, debug, trace +# logger: # level: error # # o Set OGS_LOG_DEBUG to mme/emm domain level +# logger: # level: debug # domain: mme,emm # # o Set OGS_LOG_TRACE to all domain level +# logger: # level: trace -# domain: core,sbi,udr,event,tlv,mem,sock +# domain: core,sbi,ausf,event,tlv,mem,sock # logger: file: @localstatedir@/log/open5gs/udr.log # -# tls: -# enabled: auto|yes|no -# - auto: Default. Use TLS only if key/cert is available -# - yes: Use TLS always; -# reject if no key/cert available -# - no: Don't use TLS if there is an key/cert available +# o TLS enable/disable +# sbi: +# server|client: +# no_tls: false|true +# - false: (Default) Use TLS +# - true: TLS disabled # -# o Server-side Key and Certficiate +# o Verification enable/disable +# sbi: +# server|client: +# no_verify: false|true +# - false: (Default) Verify the PEER +# - true: Skip the verification step +# +# o Server-side does not use TLS +# sbi: # server: -# key: /etc/open5gs/tls/udr.key -# cert: /etc/open5gs/tls/udr.crt +# no_tls: true # -# o Client-side does not use TLS +# o Client-side skips the verification step +# sbi: # client: -# enabled: no -# key: /etc/open5gs/tls/udr.key -# cert: /etc/open5gs/tls/udr.crt +# no_verify: true +# key: /etc/open5gs/tls/amf.key +# cert: /etc/open5gs/tls/amf.crt # -# o Use the specified certificate to verify client +# o Use the specified certificate while verifying the client +# sbi: # server # cacert: /etc/open5gs/tls/ca.crt # -# o Use the specified certificate to verify server +# o Use the specified certificate while verifying the server +# 
sbi: # client # cacert: /etc/open5gs/tls/ca.crt # -tls: - enabled: no +sbi: server: + no_tls: true cacert: @sysconfdir@/open5gs/tls/ca.crt key: @sysconfdir@/open5gs/tls/udr.key cert: @sysconfdir@/open5gs/tls/udr.crt client: + no_tls: true cacert: @sysconfdir@/open5gs/tls/ca.crt key: @sysconfdir@/open5gs/tls/udr.key cert: @sysconfdir@/open5gs/tls/udr.crt -# -# udr: # # # # o SBI Server(http://:80) +# sbi: +# server: +# no_tls: true +# bsf: # sbi: # # o SBI Server(http://:7777) +# sbi: +# server: +# no_tls: true +# bsf: # sbi: # - addr: # - 0.0.0.0 
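Review bot: The rewritten example lines in udr.yaml.in are copied from another NF's template: the trace example now reads `# domain: core,sbi,ausf,event,tlv,mem,sock` (the removed line named `udr`), and the client example uses `/etc/open5gs/tls/amf.key` / `amf.crt` where the removed lines had `udr.key` / `udr.crt`, while the active block in the same hunk still points at `@sysconfdir@/open5gs/tls/udr.key`. The same substitution recurs in this file's later hunks: the server examples in @@ -77,48 switch `udr:` to `bsf:`, `udr.key` to `bsf.key`, `127.0.0.20` to `127.0.0.15` and `open5gs-udr.svc.local` to `open5gs-bsf.svc.local`, and the scp/nrf client examples in @@ -198,35 and @@ -250,32 use `amf.key`/`amf.crt`. Suggest restoring `udr` in the domain list and the udr key/cert paths, `udr:` section name and `127.0.0.20` in the examples so the commented samples match the running configuration beneath them.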
@@ -77,48 +95,67 @@ tls: # port: 7777 # # o SBI Server(https://:443) -# tls: +# sbi: # server: -# key: /etc/open5gs/tls/udr.key -# cert: /etc/open5gs/tls/udr.crt -# udr: +# key: /etc/open5gs/tls/bsf.key +# cert: /etc/open5gs/tls/bsf.crt +# bsf: # sbi: # -# o SBI Server(http://127.0.0.5:80, http://[::1]:80) -# tls: -# enabled: no +# o SBI Server(https://127.0.0.15:443, https://[::1]:443) without verification +# sbi: # server: -# key: /etc/open5gs/tls/udr.key -# cert: /etc/open5gs/tls/udr.crt -# udr: +# no_verify: true +# key: /etc/open5gs/tls/bsf.key +# cert: /etc/open5gs/tls/bsf.crt +# bsf: # sbi: -# - addr: 127.0.0.5 +# - addr: 127.0.0.15 # - addr: ::1 # -# o SBI Server(https://udr.open5gs.org:443) -# Use the specified certificate to verify client +# o SBI Server(https://bsf.open5gs.org:443) +# Use the specified certificate while verifying the client # -# tls: +# sbi: # server: # cacert: /etc/open5gs/tls/ca.crt -# udr: +# key: /etc/open5gs/tls/bsf.key +# cert: /etc/open5gs/tls/bsf.crt +# bsf: # sbi: -# - name: udr.open5gs.org +# - name: bsf.open5gs.org # -# o SBI Server(http://127.0.0.20:7777) +# o SBI Server(http://127.0.0.15:7777) +# sbi: +# server: +# no_tls: true +# bsf: # sbi: -# - addr: 127.0.0.20 +# - addr: 127.0.0.15 # port: 7777 # # o SBI Server(http://:80) +# sbi: +# server: +# no_tls: true +# bsf: # sbi: # - dev: eth0 # # o Provide custom SBI address to be advertised to NRF +# sbi: +# server: +# no_tls: true +# bsf: # sbi: # - dev: eth0 -# advertise: open5gs-udr.svc.local +# advertise: open5gs-bsf.svc.local # +# o Another example of advertising on NRF +# sbi: +# server: +# no_tls: true +# bsf: # sbi: # - addr: localhost # advertise: 
@@ -129,20 +166,27 @@ tls: # - tcp_nodelay : true # - so_linger.l_onoff : false # +# sbi: +# server: +# no_tls: true +# bsf: # sbi: -# addr: 127.0.0.20 +# addr: 127.0.0.15 # option: # tcp_nodelay: false # so_linger: # l_onoff: true # l_linger: 10 # +# # # # o NF Service Name(Default : all NF services available) +# udr: # service_name: # # o NF Service Name(Only some NF services are available) +# udr: # service_name: # - nudr-dr # @@ -150,12 +194,21 @@ tls: # # o (Default) If you do not set Query Parameter as shown below, # +# sbi: +# server: +# no_tls: true +# udr: # sbi: # - addr: 127.0.0.20 # port: 7777 # # - 'service-names' is included. # +# o Service-Names are not included +# sbi: +# server: +# no_tls: true +# udr: # sbi: # - addr: 127.0.0.20 # port: 7777 @@ -174,6 +227,10 @@ tls: # # o (Default) If you do not set Delegated Discovery as shown below, # +# sbi: +# server: +# no_tls: true +# udr: # sbi: # - addr: 127.0.0.20 # port: 7777 @@ -181,6 +238,10 @@ tls: # - Use SCP if SCP avaiable. Otherwise NRF is used. # => App fails if both NRF and SCP are unavailable. # +# sbi: +# server: +# no_tls: true +# udr: # sbi: # - addr: 127.0.0.20 # port: 7777 
@@ -198,35 +259,48 @@ udr: - addr: 127.0.0.20 port: 7777 -# -# scp: # # > # # o SBI Client(http://127.0.1.10:7777) +# sbi: +# client: +# no_tls: true +# scp: # sbi: # addr: 127.0.1.10 # port: 7777 # -# o SBI Client(https://127.0.1.10:443, http://scp.open5gs.org:80) +# o SBI Client(https://127.0.1.10:443, https://[::1]:443) without verification +# sbi: +# client: +# no_verify: true +# key: /etc/open5gs/tls/amf.key +# cert: /etc/open5gs/tls/amf.crt +# scp: # sbi: # - addr: 127.0.1.10 -# tls: -# key: /etc/open5gs/tls/udr.key -# cert: /etc/open5gs/tls/udr.crt -# - name: scp.open5gs.org +# - addr: ::1 # # o SBI Client(https://scp.open5gs.org:443) -# Use the specified certificate to verify peer +# Use the specified certificate while verifying the server # +# sbi: +# client: +# cacert: /etc/open5gs/tls/ca.crt +# key: /etc/open5gs/tls/amf.key +# cert: /etc/open5gs/tls/amf.crt +# scp: # sbi: # - name: scp.open5gs.org -# tls: -# cacert: /etc/open5gs/tls/ca.crt # # o SBI Client(http://[fd69:f21d:873c:fb::1]:80) # If prefer_ipv4 is true, http://127.0.1.10:80 is selected. # +# sbi: +# client: +# no_tls: true +# scp: # sbi: # addr: # - 127.0.1.10 @@ -236,6 +310,10 @@ udr: # - tcp_nodelay : true # - so_linger.l_onoff : false # +# sbi: +# client: +# no_tls: true +# scp: # sbi: # addr: 127.0.1.10 # option: 
@@ -250,32 +328,37 @@ scp: - addr: 127.0.1.10 port: 7777 -# -# nrf: # # > # # o SBI Client(http://127.0.0.10:7777) +# sbi: +# client: +# no_tls: true +# nrf: # sbi: # addr: 127.0.0.10 # port: 7777 # -# o SBI Client(https://127.0.0.10:443, https://[::1]:443) -# tls: +# o SBI Client(https://127.0.0.10:443, https://[::1]:443) without verification +# sbi: # client: -# key: /etc/open5gs/tls/udr.key -# cert: /etc/open5gs/tls/udr.crt +# no_verify: true +# key: /etc/open5gs/tls/amf.key +# cert: /etc/open5gs/tls/amf.crt # nrf: # sbi: # - addr: 127.0.0.10 # - addr: ::1 # # o SBI Client(https://nrf.open5gs.org:443) -# Use the specified certificate to verify server +# Use the specified certificate while verifying the server # -# tls: +# sbi: # client: # cacert: /etc/open5gs/tls/ca.crt +# key: /etc/open5gs/tls/amf.key +# cert: /etc/open5gs/tls/amf.crt # nrf: # sbi: # - name: nrf.open5gs.org @@ -292,6 +375,10 @@ scp: # - tcp_nodelay : true # - so_linger.l_onoff : false # +# sbi: +# client: +# no_tls: true +# nrf: # sbi: # addr: 127.0.0.10 # option: 
@@ -307,55 +394,51 @@ scp: # - ::1 # port: 7777 -# -# parameter: # # o Disable use of IPv4 addresses (only IPv6) -# no_ipv4: true +# parameter: +# no_ipv4: true # # o Disable use of IPv6 addresses (only IPv4) -# no_ipv6: true +# parameter: +# no_ipv6: true # # o Prefer IPv4 instead of IPv6 for estabishing new GTP connections. -# prefer_ipv4: true +# parameter: +# prefer_ipv4: true # parameter: # -# max: -# -# o Maximum Number of UE +# o Maximum Number of UE +# max: # ue: 1024 -# o Maximum Number of Peer(S1AP/NGAP, DIAMETER, GTP, PFCP or SBI) +# +# o Maximum Number of Peer(S1AP/NGAP, DIAMETER, GTP, PFCP or SBI) +# max: # peer: 64 # max: -# -# time: # # o NF Instance Heartbeat (Default : 0) # NFs will not send heart-beat timer in NFProfile # NRF will send heart-beat timer in NFProfile +# (Default values are used, so no configuration is required) # # o NF Instance Heartbeat (20 seconds) # NFs will send heart-beat timer (20 seconds) in NFProfile # NRF can change heart-beat timer in NFProfile # +# time: # nf_instance: # heartbeat: 20 # -# o NF Instance Heartbeat (Disabled) -# nf_instance: -# heartbeat: 0 -# -# o NF Instance Heartbeat (10 seconds) -# nf_instance: -# heartbeat: 10 -# # o Message Wait Duration (Default : 10,000 ms = 10 seconds) +# (Default values are used, so no configuration is required) # # o Message Wait Duration (3000 ms) +# time: # message: # duration: 3000 time: diff --git a/configs/open5gs/upf.yaml.in b/configs/open5gs/upf.yaml.in index 788f9e17d..be842cc69 100644 --- a/configs/open5gs/upf.yaml.in +++ b/configs/open5gs/upf.yaml.in 
@@ -1,43 +1,45 @@ # -# logger: -# # o Set OGS_LOG_INFO to all domain level # - If `level` is omitted, the default level is OGS_LOG_INFO) # - If `domain` is omitted, the all domain level is set from 'level' -# (Nothing is needed) +# (Default values are used, so no configuration is required) # # o Set OGS_LOG_ERROR to all domain level # - `level` can be set with none, fatal, error, warn, info, debug, trace +# logger: # level: error # # o Set OGS_LOG_DEBUG to mme/emm domain level +# logger: # level: debug # domain: mme,emm # # o Set OGS_LOG_TRACE to all domain level +# logger: # level: trace -# domain: core,pfcp,gtp,upf,event,tlv,mem,sock +# domain: core,sbi,ausf,event,tlv,mem,sock # logger: file: @localstatedir@/log/open5gs/upf.log -# -# upf: # # # # o PFCP Server(127.0.0.7:8805, ::1:8805) +# upf: # pfcp: # - addr: 127.0.0.7 # - addr: ::1 # # o PFCP-U Server(127.0.0.1:2152, [::1]:2152) +# upf: # pfcp: # name: localhost # # o PFCP Option (Default) # - so_bindtodevice : NULL # +# upf: # pfcp: # addr: 127.0.0.7 # option: @@ -46,15 +48,18 @@ logger: # > # # o GTP-U Server(127.0.0.7:2152, [::1]:2152) +# upf: # gtpu: # - addr: 127.0.0.7 # - addr: ::1 # # o GTP-U Server(127.0.0.1:2152, [::1]:2152) +# upf: # gtpu: # name: localhost # # o User Plane IP Resource information +# upf: # gtpu: # - addr: # - 127.0.0.7 @@ -70,20 +75,24 @@ logger: # source_interface: 1 # # o Provide custom UPF GTP-U address to be advertised inside NGAP messages +# upf: # gtpu: # - addr: 10.4.128.21 # advertise: 172.24.15.30 # +# upf: # gtpu: # - addr: 10.4.128.21 # advertise: # - 127.0.0.1 # - ::1 # +# upf: # gtpu: # - addr: 10.4.128.21 # advertise: upf1.5gc.mnc001.mcc001.3gppnetwork.org # +# upf: # gtpu: # - dev: ens3 # advertise: upf1.5gc.mnc001.mcc001.3gppnetwork.org @@ -91,6 +100,7 @@ logger: # o GTP-U Option (Default) # - so_bindtodevice : NULL # +# upf: # gtpu: # addr: 127.0.0.7 # option: 
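Review bot: The trace example in upf.yaml.in now reads `# domain: core,sbi,ausf,event,tlv,mem,sock`, replacing the UPF-specific `core,pfcp,gtp,upf,event,tlv,mem,sock`; the rest of this file configures only `pfcp`, `gtpu`, `subnet` and `metrics`, so an operator who copies the example would enable log domains that do not exist for this NF and lose the pfcp/gtp/upf ones. Suggest restoring `# domain: core,pfcp,gtp,upf,event,tlv,mem,sock`.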
@@ -104,6 +114,7 @@ logger: # o IPv4 Pool # $ sudo ip addr add 10.45.0.1/16 dev ogstun # +# upf: # subnet: # addr: 10.45.0.1/16 # @@ -111,6 +122,7 @@ logger: # $ sudo ip addr add 10.45.0.1/16 dev ogstun # $ sudo ip addr add 2001:db8:cafe::1/48 dev ogstun # +# upf: # subnet: # - addr: 10.45.0.1/16 # - addr: 2001:db8:cafe::1/48 @@ -125,6 +137,7 @@ logger: # # ; If the UE has unknown DNN/APN(not internet/ims), SMF/UPF will crash. # +# upf: # subnet: # - addr: 10.45.0.1/16 # dnn: internet @@ -138,6 +151,7 @@ logger: # o Specific DNN/APN with the FALLBACK SUBNET(10.47.0.1/16) # ; Note that put the FALLBACK SUBNET last to avoid SMF/UPF crash. # +# upf: # subnet: # - addr: 10.45.0.1/16 # dnn: internet @@ -151,6 +165,7 @@ logger: # $ sudo ip addr add 10.46.0.1/16 dev ogstun3 # $ sudo ip addr add 2001:db8:babe::1/48 dev ogstun3 # +# upf: # subnet: # - addr: 10.45.0.1/16 # dnn: internet @@ -167,6 +182,7 @@ logger: # # # o Metrics Server(http://:9090) +# upf: # metrics: # - addr: 0.0.0.0 # port: 9090 
@@ -183,51 +199,52 @@ upf: - addr: 127.0.0.7 port: 9090 -# -# smf: # # > # # o PFCP Client(127.0.0.4:8805) -# +# smf: # pfcp: # addr: 127.0.0.4 # smf: -# -# parameter: # # o Number of output streams per SCTP associations. -# sctp_streams: 30 +# parameter: +# sctp_streams: 30 # # o Disable use of IPv4 addresses (only IPv6) -# no_ipv4: true +# parameter: +# no_ipv4: true # # o Disable use of IPv6 addresses (only IPv4) -# no_ipv6: true +# parameter: +# no_ipv6: true # # o Prefer IPv4 instead of IPv6 for estabishing new GTP connections. -# prefer_ipv4: true +# parameter: +# prefer_ipv4: true # parameter: -# -# max: # # o Maximum Number of UE -# ue: 1024 +# max: +# ue: 1024 +# # o Maximum Number of Peer(S1AP/NGAP, DIAMETER, GTP, PFCP or SBI) -# peer: 64 +# max: +# peer: 64 # max: -# -# time: # # o Message Wait Duration (Default : 10,000 ms = 10 seconds) +# (Default values are used, so no configuration is required) # # o Message Wait Duration (3000 ms) +# time: # message: # duration: 3000 time: diff --git a/configs/sample.yaml.in b/configs/sample.yaml.in index 2b9862ddc..96a484622 100644 --- a/configs/sample.yaml.in +++ b/configs/sample.yaml.in @@ -2,13 +2,14 @@ db_uri: mongodb://localhost/open5gs logger: -tls: - enabled: no +sbi: server: + no_tls: true cacert: @build_configs_dir@/open5gs/tls/ca.crt key: @build_configs_dir@/open5gs/tls/testserver.key cert: @build_configs_dir@/open5gs/tls/testserver.crt client: + no_tls: true cacert: @build_configs_dir@/open5gs/tls/ca.crt key: @build_configs_dir@/open5gs/tls/testclient.key cert: @build_configs_dir@/open5gs/tls/testclient.crt diff --git a/configs/slice.yaml.in b/configs/slice.yaml.in index 267dfcc91..9852526d8 100644 --- a/configs/slice.yaml.in +++ b/configs/slice.yaml.in 
@@ -2,13 +2,14 @@ db_uri: mongodb://localhost/open5gs logger: -tls: - enabled: no +sbi: server: + no_tls: true cacert: @build_configs_dir@/open5gs/tls/ca.crt key: @build_configs_dir@/open5gs/tls/testserver.key cert: @build_configs_dir@/open5gs/tls/testserver.crt client: + no_tls: true cacert: @build_configs_dir@/open5gs/tls/ca.crt key: @build_configs_dir@/open5gs/tls/testclient.key cert: @build_configs_dir@/open5gs/tls/testclient.crt diff --git a/configs/srsenb.yaml.in b/configs/srsenb.yaml.in index 4b5d6332d..2ec2ed989 100644 --- a/configs/srsenb.yaml.in +++ b/configs/srsenb.yaml.in @@ -2,13 +2,14 @@ db_uri: mongodb://localhost/open5gs logger: -tls: - enabled: no +sbi: server: + no_tls: true cacert: @build_configs_dir@/open5gs/tls/ca.crt key: @build_configs_dir@/open5gs/tls/testserver.key cert: @build_configs_dir@/open5gs/tls/testserver.crt client: + no_tls: true cacert: @build_configs_dir@/open5gs/tls/ca.crt key: @build_configs_dir@/open5gs/tls/testclient.key cert: @build_configs_dir@/open5gs/tls/testclient.crt diff --git a/configs/volte.yaml.in b/configs/volte.yaml.in index 1adcf0b5a..82149f2a2 100644 --- a/configs/volte.yaml.in +++ b/configs/volte.yaml.in @@ -2,13 +2,14 @@ db_uri: mongodb://localhost/open5gs logger: -tls: - enabled: no +sbi: server: + no_tls: true cacert: @build_configs_dir@/open5gs/tls/ca.crt key: @build_configs_dir@/open5gs/tls/testserver.key cert: @build_configs_dir@/open5gs/tls/testserver.crt client: + no_tls: true cacert: @build_configs_dir@/open5gs/tls/ca.crt key: @build_configs_dir@/open5gs/tls/testclient.key cert: @build_configs_dir@/open5gs/tls/testclient.crt diff --git a/configs/vonr.yaml.in b/configs/vonr.yaml.in index 19ab3d9e4..316350307 100644 --- a/configs/vonr.yaml.in +++ b/configs/vonr.yaml.in 
@@ -2,13 +2,14 @@ db_uri: mongodb://localhost/open5gs logger: -tls: - enabled: no +sbi: server: + no_tls: true cacert: @build_configs_dir@/open5gs/tls/ca.crt key: @build_configs_dir@/open5gs/tls/testserver.key cert: @build_configs_dir@/open5gs/tls/testserver.crt client: + no_tls: true cacert: @build_configs_dir@/open5gs/tls/ca.crt key: @build_configs_dir@/open5gs/tls/testclient.key cert: @build_configs_dir@/open5gs/tls/testclient.crt diff --git a/lib/app/ogs-context.c b/lib/app/ogs-context.c index 7e4565952..d9967c69d 100644 --- a/lib/app/ogs-context.c +++ b/lib/app/ogs-context.c 
@@ -532,6 +532,67 @@ int ogs_app_context_parse_config(void) } else ogs_warn("unknown key `%s`", time_key); } + } else if (!strcmp(root_key, "sbi")) { + ogs_yaml_iter_t tls_iter; + ogs_yaml_iter_recurse(&root_iter, &tls_iter); + while (ogs_yaml_iter_next(&tls_iter)) { + const char *tls_key = ogs_yaml_iter_key(&tls_iter); + ogs_assert(tls_key); + if (!strcmp(tls_key, "server")) { + ogs_yaml_iter_t server_iter; + ogs_yaml_iter_recurse(&tls_iter, &server_iter); + + while (ogs_yaml_iter_next(&server_iter)) { + const char *server_key = + ogs_yaml_iter_key(&server_iter); + ogs_assert(server_key); + if (!strcmp(server_key, "no_tls")) { + self.sbi.server.no_tls = + ogs_yaml_iter_bool(&server_iter); + } else if (!strcmp(server_key, "no_verify")) { + self.sbi.server.no_verify = + ogs_yaml_iter_bool(&server_iter); + } else if (!strcmp(server_key, "cacert")) { + self.sbi.server.cacert = + ogs_yaml_iter_value(&server_iter); + } else if (!strcmp(server_key, "cert")) { + self.sbi.server.cert = + ogs_yaml_iter_value(&server_iter); + } else if (!strcmp(server_key, "key")) { + self.sbi.server.key = + ogs_yaml_iter_value(&server_iter); + } else + ogs_warn("unknown key `%s`", server_key); + } + } else if (!strcmp(tls_key, "client")) { + ogs_yaml_iter_t client_iter; + ogs_yaml_iter_recurse(&tls_iter, &client_iter); + + while (ogs_yaml_iter_next(&client_iter)) { + const char *client_key = + ogs_yaml_iter_key(&client_iter); + ogs_assert(client_key); + if (!strcmp(client_key, "no_tls")) { + self.sbi.client.no_tls = + ogs_yaml_iter_bool(&client_iter); + } else if (!strcmp(client_key, "no_verify")) { + self.sbi.client.no_verify = + ogs_yaml_iter_bool(&client_iter); + } else if (!strcmp(client_key, "cacert")) { + self.sbi.client.cacert = + ogs_yaml_iter_value(&client_iter); + } else if (!strcmp(client_key, "cert")) { + self.sbi.client.cert = + ogs_yaml_iter_value(&client_iter); + } else if (!strcmp(client_key, "key")) { + self.sbi.client.key = + ogs_yaml_iter_value(&client_iter); + } else + 
ogs_warn("unknown key `%s`", client_key); + } + } else + ogs_warn("unknown key `%s`", tls_key); + } } } diff --git a/lib/app/ogs-context.h b/lib/app/ogs-context.h index 92b23ee04..b5edf9b0e 100644 --- a/lib/app/ogs-context.h +++ b/lib/app/ogs-context.h @@ -28,6 +28,12 @@ extern "C" { #endif +typedef enum { + OGS_SBI_TLS_ENABLED_AUTO = 0, + OGS_SBI_TLS_ENABLED_YES, + OGS_SBI_TLS_ENABLED_NO, +} ogs_sbi_tls_enabled_mode_e; + typedef struct ogs_app_context_s { const char *version; @@ -171,15 +177,23 @@ typedef struct ogs_app_context_s { struct metrics { uint64_t max_specs; } metrics; + + struct { + struct { + bool no_tls; + bool no_verify; + const char *cacert; + const char *cert; + const char *key; + } server, client; + } sbi; + } ogs_app_context_t; int ogs_app_context_init(void); void ogs_app_context_final(void); ogs_app_context_t *ogs_app(void); -bool ogs_app_tls_server_enabled(void); -bool ogs_app_tls_client_enabled(void); - int ogs_app_context_parse_config(void); #ifdef __cplusplus diff --git a/lib/sbi/client.c b/lib/sbi/client.c index c1d8d7128..a22ee5baf 100644 --- a/lib/sbi/client.c +++ b/lib/sbi/client.c 
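Review bot: The iterator and key for the new `sbi:` subtree are still named `tls_iter`/`tls_key`, carried over from the `tls:` parser this commit removes from lib/sbi/context.c; `sbi_iter`/`sbi_key` would match the `root_key` comparison and the `server_iter`/`client_iter` naming used below. Separately, `no_verify: true` is stored without any log output although it switches off peer-certificate verification for the whole NF; a line at the point the value is read, e.g. `if (self.sbi.client.no_verify) ogs_warn("sbi.client.no_verify set: peer certificate verification disabled");` (and the server counterpart), would make the weakened posture visible in the log. The enclosing `ogs_app_context_parse_config` starts outside the hunk.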
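Review bot: `ogs_sbi_tls_enabled_mode_e` is re-declared in ogs-context.h, but this commit deletes its only users (`self.tls.enabled`, `ogs_app_tls_server_enabled`/`ogs_app_tls_client_enabled` in lib/sbi/context.c) and replaces the auto/yes/no model with the `no_tls` booleans, so the enum is dead code in a public header. Suggest dropping the `typedef enum { ... } ogs_sbi_tls_enabled_mode_e;` block. The new `sbi` struct would also benefit from a comment on the defaults, e.g. `/* no_tls / no_verify default to false (presumably via the zeroed context): TLS on, peer verification on */`, since the YAML templates say TLS is the default but nothing in the header states it.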
@@ -384,8 +384,24 @@ static connection_t *connection_add( curl_easy_setopt(conn->easy, CURLOPT_BUFFERSIZE, OGS_MAX_SDU_LEN); - curl_easy_setopt(conn->easy, CURLOPT_SSL_VERIFYPEER, 0); - curl_easy_setopt(conn->easy, CURLOPT_SSL_VERIFYHOST, 0); + if (ogs_app()->sbi.client.no_tls == false) { + ogs_assert(ogs_app()->sbi.client.key); + ogs_assert(ogs_app()->sbi.client.cert); + curl_easy_setopt(conn->easy, CURLOPT_SSLKEY, + ogs_app()->sbi.client.key); + curl_easy_setopt(conn->easy, CURLOPT_SSLCERT, + ogs_app()->sbi.client.cert); + + if (ogs_app()->sbi.client.no_verify == false) { + if (ogs_app()->sbi.client.cacert) { + curl_easy_setopt(conn->easy, CURLOPT_CAINFO, + ogs_app()->sbi.client.cacert); + } + } else { + curl_easy_setopt(conn->easy, CURLOPT_SSL_VERIFYPEER, 0); + curl_easy_setopt(conn->easy, CURLOPT_SSL_VERIFYHOST, 0); + } + } /* HTTP Method */ if (strcmp(request->h.method, OGS_SBI_HTTP_METHOD_PUT) == 0 || diff --git a/lib/sbi/context.c b/lib/sbi/context.c index fe586b278..0156359d8 100644 --- a/lib/sbi/context.c +++ b/lib/sbi/context.c 
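Review bot: In the `no_verify == false` branch nothing is set when `cacert` is NULL, so the connection silently falls back to libcurl's defaults (`CURLOPT_SSL_VERIFYPEER` 1 against curl's default CA bundle, `CURLOPT_SSL_VERIFYHOST` 2); since the removed lines disabled both unconditionally, this is a behaviour change worth a comment, e.g. `/* no cacert configured: keep curl's defaults (peer + host verification on, default CA bundle) */`. The `ogs_assert` on `key`/`cert` aborts the process at connection time; it appears to be pre-empted by the new checks in `ogs_sbi_context_validation`, but an `ogs_error` plus `return NULL` would be the gentler failure if a caller ever reaches here without that validation. `connection_add` starts before the hunk.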
@@ -120,44 +120,6 @@ ogs_sbi_context_t *ogs_sbi_self(void) return &self; } -bool ogs_app_tls_server_enabled(void) -{ - if (self.tls.enabled == OGS_SBI_TLS_ENABLED_AUTO) { - if (self.tls.server.key && self.tls.server.cert) - return true; - else - return false; - } else if (self.tls.enabled == OGS_SBI_TLS_ENABLED_YES) { - ogs_assert(self.tls.server.key); - ogs_assert(self.tls.server.cert); - return true; - } else if (self.tls.enabled == OGS_SBI_TLS_ENABLED_NO) { - return false; - } else { - ogs_error("Unknown TLS enabled mode [%d]", self.tls.enabled); - return false; - } -} - -bool ogs_app_tls_client_enabled(void) -{ - if (self.tls.enabled == OGS_SBI_TLS_ENABLED_AUTO) { - if (self.tls.client.key && self.tls.client.cert) - return true; - else - return false; - } else if (self.tls.enabled == OGS_SBI_TLS_ENABLED_YES) { - ogs_assert(self.tls.client.key); - ogs_assert(self.tls.client.cert); - return true; - } else if (self.tls.enabled == OGS_SBI_TLS_ENABLED_NO) { - return false; - } else { - ogs_error("Unknown TLS enabled mode [%d]", self.tls.enabled); - return false; - } -} - static int ogs_sbi_context_prepare(void) { self.sbi_port = OGS_SBI_HTTP_PORT; @@ -166,8 +128,6 @@ static int ogs_sbi_context_prepare(void) self.content_encoding = "gzip"; #endif - self.tls.enabled = OGS_SBI_TLS_ENABLED_AUTO; - return OGS_OK; } 
@@ -221,27 +181,29 @@ static int ogs_sbi_context_validation( ogs_assert_if_reached(); } - if (self.tls.enabled == OGS_SBI_TLS_ENABLED_YES) { - - if (!self.tls.server.key) { - ogs_error("No Server Key"); + if (ogs_app()->sbi.server.no_tls == false) { + if (!ogs_app()->sbi.server.key) { + ogs_error("TLS enabled but no server key"); return OGS_ERROR; } - if (!self.tls.server.cert) { - ogs_error("No Server Certificate"); - return OGS_ERROR; - } - - if (!self.tls.client.key) { - ogs_error("No Client Key"); - return OGS_ERROR; - } - if (!self.tls.client.cert) { - ogs_error("No Client Certificate"); + if (!ogs_app()->sbi.server.cert) { + ogs_error("TLS enabled but no server certificate"); return OGS_ERROR; } } + if (ogs_app()->sbi.client.no_tls == false) { + if (!ogs_app()->sbi.client.key) { + ogs_error("TLS enabled but no client key"); + return OGS_ERROR; + } + if (!ogs_app()->sbi.client.cert) { + ogs_error("TLS enabled but no client certificate"); + return OGS_ERROR; + } + } + + return OGS_OK; } @@ -622,7 +584,7 @@ int ogs_sbi_context_parse_config( if (addr == NULL) continue; client = ogs_sbi_client_add( - ogs_app_tls_client_enabled() == true ? + ogs_app()->sbi.client.no_tls == false ? OpenAPI_uri_scheme_https : OpenAPI_uri_scheme_http, addr); @@ -728,7 +690,7 @@ int ogs_sbi_context_parse_config( if (addr == NULL) continue; client = ogs_sbi_client_add( - ogs_app_tls_client_enabled() == true ? + ogs_app()->sbi.client.no_tls == false ? OpenAPI_uri_scheme_https : OpenAPI_uri_scheme_http, addr); 
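Review bot: When `no_tls` and `no_verify` are both false the validation does not require `cacert` on either side; the server path in nghttp2-server.c then enforces `SSL_VERIFY_FAIL_IF_NO_PEER_CERT` against whatever `SSL_CTX_set_default_verify_paths` loaded, and the client relies on curl's default bundle, so a missing cacert silently changes which CAs are trusted instead of failing configuration. One line per side, e.g. `if (!ogs_app()->sbi.server.no_verify && !ogs_app()->sbi.server.cacert) ogs_warn("sbi.server: verification enabled without cacert, system trust store will be used");`, would make that explicit. Style: the two blank lines before `return OGS_OK;` should be one. `ogs_sbi_context_validation` starts outside the hunk.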
@@ -741,65 +703,6 @@ int ogs_sbi_context_parse_config( YAML_SEQUENCE_NODE); } } - } else if (!strcmp(root_key, "tls")) { - ogs_yaml_iter_t tls_iter; - ogs_yaml_iter_recurse(&root_iter, &tls_iter); - while (ogs_yaml_iter_next(&tls_iter)) { - const char *tls_key = ogs_yaml_iter_key(&tls_iter); - ogs_assert(tls_key); - if (!strcmp(tls_key, "enabled")) { - const char *v = ogs_yaml_iter_value(&tls_iter); - if (!strcmp(v, "auto")) - self.tls.enabled = OGS_SBI_TLS_ENABLED_AUTO; - else if (!strcmp(v, "yes")) - self.tls.enabled = OGS_SBI_TLS_ENABLED_YES; - else if (!strcmp(v, "no")) - self.tls.enabled = OGS_SBI_TLS_ENABLED_NO; - else - ogs_warn("unknown 'tls.enabled' value `%s`", v); - } else if (!strcmp(tls_key, "server")) { - ogs_yaml_iter_t server_iter; - ogs_yaml_iter_recurse(&tls_iter, &server_iter); - - while (ogs_yaml_iter_next(&server_iter)) { - const char *server_key = - ogs_yaml_iter_key(&server_iter); - ogs_assert(server_key); - if (!strcmp(server_key, "cacert")) { - self.tls.server.cacert = - ogs_yaml_iter_value(&server_iter); - } else if (!strcmp(server_key, "cert")) { - self.tls.server.cert = - ogs_yaml_iter_value(&server_iter); - } else if (!strcmp(server_key, "key")) { - self.tls.server.key = - ogs_yaml_iter_value(&server_iter); - } else - ogs_warn("unknown key `%s`", server_key); - } - } else if (!strcmp(tls_key, "client")) { - ogs_yaml_iter_t client_iter; - ogs_yaml_iter_recurse(&tls_iter, &client_iter); - - while (ogs_yaml_iter_next(&client_iter)) { - const char *client_key = - ogs_yaml_iter_key(&client_iter); - ogs_assert(client_key); - if (!strcmp(client_key, "cacert")) { - self.tls.client.cacert = - ogs_yaml_iter_value(&client_iter); - } else if (!strcmp(client_key, "cert")) { - self.tls.client.cert = - ogs_yaml_iter_value(&client_iter); - } else if (!strcmp(client_key, "key")) { - self.tls.client.key = - ogs_yaml_iter_value(&client_iter); - } else - ogs_warn("unknown key `%s`", client_key); - } - } else - ogs_warn("unknown key `%s`", tls_key); - } } 
else if (!strcmp(root_key, "hnet")) { ogs_yaml_iter_t hnet_array, hnet_iter; ogs_yaml_iter_recurse(&root_iter, &hnet_array); @@ -1480,7 +1383,7 @@ ogs_sbi_nf_service_t *ogs_sbi_nf_service_build_default( ogs_uuid_format(id, &uuid); nf_service = ogs_sbi_nf_service_add(nf_instance, id, name, - ogs_app_tls_server_enabled() == true ? + ogs_app()->sbi.server.no_tls == false ? OpenAPI_uri_scheme_https : OpenAPI_uri_scheme_http); ogs_assert(nf_service); @@ -1571,7 +1474,7 @@ static ogs_sbi_client_t *nf_instance_find_client( ogs_sockaddr_t *addr = NULL; OpenAPI_uri_scheme_e scheme = OpenAPI_uri_scheme_NULL; - scheme = ogs_app_tls_client_enabled() == true ? + scheme = ogs_app()->sbi.client.no_tls == false ? OpenAPI_uri_scheme_https : OpenAPI_uri_scheme_http; if (nf_instance->fqdn) diff --git a/lib/sbi/context.h b/lib/sbi/context.h index 9d7aea286..60c9860d5 100644 --- a/lib/sbi/context.h +++ b/lib/sbi/context.h @@ -46,24 +46,9 @@ typedef struct ogs_sbi_discovery_config_s { bool prefer_requester_nf_instance_id; } ogs_sbi_discovery_config_t; -typedef enum { - OGS_SBI_TLS_ENABLED_AUTO = 0, - OGS_SBI_TLS_ENABLED_YES, - OGS_SBI_TLS_ENABLED_NO, -} ogs_sbi_tls_enabled_mode_e; - typedef struct ogs_sbi_context_s { ogs_sbi_discovery_config_t discovery_config; /* SCP Discovery Delegated */ - struct { - ogs_sbi_tls_enabled_mode_e enabled; - struct { - const char *cacert; - const char *cert; - const char *key; - } server, client; - } tls; - #define OGS_HOME_NETWORK_PKI_VALUE_MIN 1 #define OGS_HOME_NETWORK_PKI_VALUE_MAX 254 diff --git a/lib/sbi/conv.c b/lib/sbi/conv.c index 4790e5ef2..ad14fd6f8 100644 --- a/lib/sbi/conv.c +++ b/lib/sbi/conv.c 
@@ -340,7 +340,7 @@ char *ogs_sbi_server_uri(ogs_sbi_server_t *server, ogs_sbi_header_t *h) advertise = server->node.addr; ogs_assert(advertise); - return ogs_uridup(ogs_app_tls_server_enabled() == true, advertise, h); + return ogs_uridup(ogs_app()->sbi.server.no_tls == false, advertise, h); } char *ogs_sbi_client_uri(ogs_sbi_client_t *client, ogs_sbi_header_t *h) @@ -348,7 +348,7 @@ char *ogs_sbi_client_uri(ogs_sbi_client_t *client, ogs_sbi_header_t *h) ogs_assert(client); return ogs_uridup( - ogs_app_tls_client_enabled() == true && + ogs_app()->sbi.client.no_tls == false && client->scheme == OpenAPI_uri_scheme_https, client->node.addr, h); } diff --git a/lib/sbi/nghttp2-server.c b/lib/sbi/nghttp2-server.c index 9b66d0bb0..d9e3fa2e5 100644 --- a/lib/sbi/nghttp2-server.c +++ b/lib/sbi/nghttp2-server.c @@ -119,7 +119,8 @@ static void server_final(void) #ifndef OPENSSL_NO_NEXTPROTONEG static int next_proto_cb(SSL *ssl, const unsigned char **data, - unsigned int *len, void *arg) { + unsigned int *len, void *arg) +{ static unsigned char next_proto_list[256]; (void)ssl; (void)arg; @@ -136,7 +137,8 @@ static int next_proto_cb(SSL *ssl, const unsigned char **data, #if OPENSSL_VERSION_NUMBER >= 0x10002000L static int alpn_select_proto_cb(SSL *ssl, const unsigned char **out, unsigned char *outlen, const unsigned char *in, - unsigned int inlen, void *arg) { + unsigned int inlen, void *arg) +{ int rv; (void)ssl; (void)arg; 
@@ -150,18 +152,75 @@ static int alpn_select_proto_cb(SSL *ssl, const unsigned char **out, } #endif /* OPENSSL_VERSION_NUMBER >= 0x10002000L */ -static SSL_CTX *create_ssl_ctx(const char *key_file, const char *cert_file) { +static int ssl_ctx_set_proto_versions(SSL_CTX *ssl_ctx, int min, int max) +{ +#if OPENSSL_VERSION_NUMBER >= 0x1010000fL + if (SSL_CTX_set_min_proto_version(ssl_ctx, min) != 1 || + SSL_CTX_set_max_proto_version(ssl_ctx, max) != 1) { + return -1; + } + return 0; +#else /* !(OPENSSL_VERSION_NUMBER >= 0x1010000fL) */ + long int opts = 0; + + // TODO We depends on the ordering of protocol version macro in + // OpenSSL. + if (min > TLS1_VERSION) { + opts |= SSL_OP_NO_TLSv1; + } + if (min > TLS1_1_VERSION) { + opts |= SSL_OP_NO_TLSv1_1; + } + if (min > TLS1_2_VERSION) { + opts |= SSL_OP_NO_TLSv1_2; + } + + if (max < TLS1_2_VERSION) { + opts |= SSL_OP_NO_TLSv1_2; + } + if (max < TLS1_1_VERSION) { + opts |= SSL_OP_NO_TLSv1_1; + } + + SSL_CTX_set_options(ssl_ctx, opts); + + return 0; +#endif /* OPENSSL_VERSION_NUMBER >= 0x1010000fL */ +} + +static SSL_CTX *create_ssl_ctx(const char *key_file, const char *cert_file) +{ SSL_CTX *ssl_ctx; + uint64_t ssl_opts; + + ogs_assert(key_file); + ogs_assert(cert_file); ssl_ctx = SSL_CTX_new(TLS_server_method()); if (!ssl_ctx) { ogs_error("Could not create SSL/TLS context: %s", ERR_error_string(ERR_get_error(), NULL)); return NULL; } - SSL_CTX_set_options(ssl_ctx, - SSL_OP_ALL | SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 | - SSL_OP_NO_COMPRESSION | - SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION); + + ssl_opts = (SSL_OP_ALL & ~SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS) | + SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 | SSL_OP_NO_COMPRESSION | + SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION | + SSL_OP_SINGLE_ECDH_USE | SSL_OP_SINGLE_DH_USE | + SSL_OP_CIPHER_SERVER_PREFERENCE +#if OPENSSL_VERSION_NUMBER >= 0x10101000L + // The reason for disabling built-in anti-replay in + // OpenSSL is that it only works if client gets back + // to the same 
server. The freshness check + // described in + // https://tools.ietf.org/html/rfc8446#section-8.3 + // is still performed. + | SSL_OP_NO_ANTI_REPLAY +#endif /* OPENSSL_VERSION_NUMBER >= 0x10101000L */ + ; + + + SSL_CTX_set_options(ssl_ctx, ssl_opts); + #if OPENSSL_VERSION_NUMBER >= 0x30000000L if (SSL_CTX_set1_curves_list(ssl_ctx, "P-256") != 1) { ogs_error("SSL_CTX_set1_curves_list failed: %s", ERR_error_string(ERR_get_error(), NULL)); @@ -169,6 +228,37 @@ static SSL_CTX *create_ssl_ctx(const char *key_file, const char *cert_file) { } #endif /* !(OPENSSL_VERSION_NUMBER >= 0x30000000L) */ + SSL_CTX_set_mode(ssl_ctx, SSL_MODE_AUTO_RETRY); + SSL_CTX_set_mode(ssl_ctx, SSL_MODE_RELEASE_BUFFERS); + + if (SSL_CTX_set_default_verify_paths(ssl_ctx) != 1) { + ogs_warn("Could not load system trusted ca certificates: %s", + ERR_error_string(ERR_get_error(), NULL)); + } + +#define OGS_TLS_MIN_VERSION TLS1_VERSION +#ifdef TLS1_3_VERSION +#define OGS_TLS_MAX_VERSION TLS1_3_VERSION +#else /* !TLS1_3_VERSION */ +#define OGS_TLS_MAX_VERSION TLS1_2_VERSION +#endif /* TLS1_3_VERSION */ + if (ssl_ctx_set_proto_versions( + ssl_ctx, OGS_TLS_MIN_VERSION, OGS_TLS_MAX_VERSION) != 0) { + ogs_error("Could not set TLS versions [%d:%d]", + OGS_TLS_MIN_VERSION, OGS_TLS_MAX_VERSION); + return NULL; + } + +#define DEFAULT_CIPHER_LIST \ + "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-" \ + "AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-" \ + "POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-" \ + "AES256-GCM-SHA384" + if (SSL_CTX_set_cipher_list(ssl_ctx, DEFAULT_CIPHER_LIST) == 0) { + ogs_error("%s", ERR_error_string(ERR_get_error(), NULL)); + return NULL; + } + if (SSL_CTX_use_PrivateKey_file(ssl_ctx, key_file, SSL_FILETYPE_PEM) != 1) { ogs_error("Could not read private key file - key_file=%s", key_file); return NULL; 
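Review bot: `OGS_TLS_MIN_VERSION` is defined as `TLS1_VERSION`, so the HTTP/2 server still negotiates TLS 1.0 and 1.1; RFC 7540 §9.2 requires TLS 1.2 or higher for HTTP/2 and the `DEFAULT_CIPHER_LIST` below contains TLS 1.2 suites only, so `#define OGS_TLS_MIN_VERSION TLS1_2_VERSION` matches what the rest of the function expects (the pre-1.1.0 fallback in `ssl_ctx_set_proto_versions` then sets `SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1` accordingly). Every failure return after `SSL_CTX_new` succeeds — `ssl_ctx_set_proto_versions` and `SSL_CTX_set_cipher_list` here, `SSL_CTX_check_private_key` in the next hunk, and the pre-existing key/cert loads — returns NULL without `SSL_CTX_free(ssl_ctx)`; replacing them with `goto error;` and adding `error: SSL_CTX_free(ssl_ctx); return NULL;` before the final `return ssl_ctx;` closes the leak. Note also that `SSL_CTX_set_default_verify_paths` adds the system CA bundle to the server's trust store, so once server_start enables `SSL_VERIFY_PEER` a client certificate chaining to any system-trusted CA is presumably accepted even when a private `cacert` is configured — worth a comment, or making the system bundle opt-in. `create_ssl_ctx` begins in the previous hunk.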
@@ -177,6 +267,11 @@ static SSL_CTX *create_ssl_ctx(const char *key_file, const char *cert_file) {
 ogs_error("Could not read certificate file - cert_file=%s ", cert_file);
 return NULL;
 }
+ if (SSL_CTX_check_private_key(ssl_ctx) != 1) {
+ ogs_error("SSL_CTX_check_private_key failed: %s",
+ ERR_error_string(ERR_get_error(), NULL));
+ return NULL;
+ }
 #ifndef OPENSSL_NO_NEXTPROTONEG
 SSL_CTX_set_next_protos_advertised_cb(ssl_ctx, next_proto_cb, NULL);
@@ -189,6 +284,22 @@ static SSL_CTX *create_ssl_ctx(const char *key_file, const char *cert_file) {
 return ssl_ctx;
 }
+static int verify_callback(int preverify_ok, X509_STORE_CTX *ctx)
+{
+ if (!preverify_ok) {
+ int err = X509_STORE_CTX_get_error(ctx);
+ int depth = X509_STORE_CTX_get_error_depth(ctx);
+ if (err == X509_V_ERR_CERT_HAS_EXPIRED && depth == 0) {
+ ogs_error("The client certificate has expired, but is accepted by "
+ "configuration");
+ return 1;
+ }
+ ogs_error("client certificate verify error:num=%d:%s:depth=%d",
+ err, X509_verify_cert_error_string(err), depth);
+ }
+ return preverify_ok;
+}
+
 static int server_start(ogs_sbi_server_t *server,
 int (*cb)(ogs_sbi_request_t *request, void *data)) {
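Review bot: verify_callback accepts an expired leaf certificate unconditionally: the message says "accepted by configuration", but no configuration value is consulted, so whenever no_verify is false every client presenting an expired certificate at depth 0 passes mTLS verification. If this is intended it should be gated on an explicit option (none is visible in this diff; a constructed example would be `sbi.server.allow_expired_cert`) and logged with ogs_warn rather than ogs_error; otherwise `return 0;` in that branch and let the handshake fail. SSL_VERIFY_FAIL_IF_NO_PEER_CERT, set in the next hunk, does not help here because the certificate is present, merely expired.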
@@ -201,21 +312,67 @@ static int server_start(ogs_sbi_server_t *server,
 ogs_assert(addr);
 /* Create SSL CTX */
- if (ogs_app_tls_server_enabled() == true) {
- ogs_assert(ogs_sbi_self()->tls.server.key);
- ogs_assert(ogs_sbi_self()->tls.server.cert);
+ if (ogs_app()->sbi.server.no_tls == false) {
+
 server->ssl_ctx = create_ssl_ctx(
- ogs_sbi_self()->tls.server.key,
- ogs_sbi_self()->tls.server.cert);
+ ogs_app()->sbi.server.key,
+ ogs_app()->sbi.server.cert);
 if (!server->ssl_ctx) {
 ogs_error("Cannot create SSL CTX");
 return OGS_ERROR;
 }
+
+ if (ogs_app()->sbi.server.no_verify == false) {
+ if (ogs_app()->sbi.server.cacert) {
+ STACK_OF(X509_NAME) *cert_names = NULL;
+
+ if (SSL_CTX_load_verify_locations(server->ssl_ctx,
+ ogs_app()->sbi.server.cacert, NULL) != 1) {
+ ogs_error("Could not load trusted ca certificates "
+ "from %s:%s", ogs_app()->sbi.server.cacert,
+ ERR_error_string(ERR_get_error(), NULL));
+
+ if (server->ssl_ctx)
+ SSL_CTX_free(server->ssl_ctx);
+
+ return OGS_ERROR;
+ }
+
+ /*
+ * It is heard that SSL_CTX_load_verify_locations() may leave
+ * error even though it returns success. See
+ * http://forum.nginx.org/read.php?29,242540
+ */
+ cert_names = SSL_load_client_CA_file(
+ ogs_app()->sbi.server.cacert);
+ if (!cert_names) {
+ ogs_error("Could not load ca certificates from %s:%s",
+ ogs_app()->sbi.server.cacert,
+ ERR_error_string(ERR_get_error(), NULL));
+
+ if (server->ssl_ctx)
+ SSL_CTX_free(server->ssl_ctx);
+
+ return OGS_ERROR;
+ }
+ SSL_CTX_set_client_CA_list(server->ssl_ctx, cert_names);
+ }
+
+ SSL_CTX_set_verify(
+ server->ssl_ctx,
+ SSL_VERIFY_PEER | SSL_VERIFY_CLIENT_ONCE |
+ SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
+ verify_callback);
+ }
 }
 sock = ogs_tcp_server(addr, server->node.option);
 if (!sock) {
 ogs_error("Cannot start SBI server");
+
+ if (server->ssl_ctx)
+ SSL_CTX_free(server->ssl_ctx);
+
 return OGS_ERROR;
 }
diff --git a/src/nssf/context.c b/src/nssf/context.c
index 084410608..d71e344e7 100644
--- a/src/nssf/context.c
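Review bot: When no_verify is false but cacert is unset, server_start still demands a client certificate (SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT) while the only trust anchors are the system store loaded by SSL_CTX_set_default_verify_paths() in create_ssl_ctx (the @@ -169 hunk), so any client holding a certificate from a publicly trusted CA would pass mTLS; and even when cacert is configured, the system store stays trusted alongside it because SSL_CTX_load_verify_locations() only adds to the same X509_STORE. For an SBI server I would expect verification without cacert to be rejected at startup, or at minimum `ogs_warn("no cacert configured; client certificates are verified against the system trust store only");`, and the system store not to be loaded at all when cacert is given. The three `if (server->ssl_ctx) SSL_CTX_free(server->ssl_ctx);` blocks also leave server->ssl_ctx dangling after the free, which becomes a double free if a stop routine (not visible here) later frees it again; add `server->ssl_ctx = NULL;` after each free and drop the NULL check, since SSL_CTX_free(NULL) is a no-op. server_start continues beyond the hunk.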
+++ b/src/nssf/context.c
@@ -344,7 +344,7 @@ char *nssf_nsi_nrf_uri(nssf_nsi_t *nsi)
 h.api.version = (char *)OGS_SBI_API_V1;
 h.resource.component[0] = (char *)OGS_SBI_RESOURCE_NAME_NF_INSTANCES;
- return ogs_uridup(ogs_app_tls_server_enabled() == true, nsi->addr, &h);
+ return ogs_uridup(ogs_app()->sbi.server.no_tls == false, nsi->addr, &h);
 }
 int get_nsi_load()
diff --git a/tests/af/context.c b/tests/af/context.c
index 473bd201e..69840ee00 100644
--- a/tests/af/context.c
+++ b/tests/af/context.c
@@ -302,7 +302,7 @@ void af_sess_associate_pcf_client(af_sess_t *sess)
 ogs_assert(sess);
- scheme = ogs_app_tls_client_enabled() == true ?
+ scheme = ogs_app()->sbi.client.no_tls == false ?
 OpenAPI_uri_scheme_https : OpenAPI_uri_scheme_http;
 if (sess->pcf.fqdn && strlen(sess->pcf.fqdn))