Add support for server certificates at M4d #9
Certificates (for the purposes here a certificate includes the public certificate, private key and any intermediate CA certificates) would normally be pushed from the AF to the AS via the M3 interface. At present we don't have an M3 interface, so until we do I propose that the certificates are configured using a JSON configuration file which is a simple mapping of certificate Ids to PEM files on the local system. Later on this mapping will be derived from certificates registered with the AS via M3 and will require the AS to store the certificates locally and maintain this mapping. Example
This will then allow the ContentHostingConfiguration to reference the certificate to provide an https distribution point:
...or for both HTTP and HTTPS:
The certificates JSON file can be provided as an optional second command line option to the application server process:
This maintains compatibility with MVP#1. If a "certificateId" property is present in the ContentHostingConfiguration that does not match an Id from the certificates file (or if the certificates filename is not given) then the program will abort with a configuration error.
@davidjwbbc: To emphasise that (In the longer term, it would be nice for our implementation of the M1 Server Certificates Provisioning API to extract the certificate serial number from the X.509 PEM bundle and use the ASCII hex representation of that, padded out to 40 nybbles, as the value of
This forms part of 5G-MAG/rt-5gms-application-server#9. The Certificates.json file is a simple manifest file which maps certificate Ids to the filename of the PEM file which holds the public certificate and private key. Relative filenames in the file will be treated as being relative to the Certificates.json file itself. The make_self_signed_certs.py Python script will take a ContentHostingConfiguration and Certificates JSON files and will create a self-signed certificate PEM file using the canonicalDomainName and domainNameAlias from the ContentHostingConfiguration to fill in the Subject Common Name and subjectAltName extensions, and place the resulting certificate in the file indicated by the Certificates JSON file. It will only create certificates for those distribution points mentioned in the ContentHostingConfiguration. The ContentHostingConfiguration_Big-Buck-Bunny_pull-ingest_https.json file is an example ContentHostingConfiguration to create an HTTPS distribution point instead of HTTP. The ContentHostingConfiguration_Big-Buck-Bunny_pull-ingest_http_and_https.json file is an example ContentHostingConfiguration to create distribution points for both HTTP and HTTPS from the same pull ingest.
Closes 5G-MAG#9. This will use an optional second command line parameter to specify a Certificates JSON file. This file is a simple map of certificate ID to certificate file path. If a relative path is used in the mapping then it will be treated as relative to the Certificates JSON file. This allows certificates to be easily located with the Certificates JSON file. If the ContentHostingConfiguration references a certificate, by its ID, in a distributionConfiguration, then an HTTPS distribution will be created using the certificate and key in the file pointed to by the Certificates JSON file. Multiple distribution points can be provided to use different server certificates or to provide both HTTP and HTTPS distribution points for the same ingest material. Instructions to run the examples have been provided in the `docs/README.md` file.
Closes #9. This will use an optional second command line parameter to specify a Certificates JSON file. This file is a simple map of certificate ID to certificate file path. If a relative path is used in the mapping then it will be treated as relative to the Certificates JSON file. This allows certificates to be easily located with the Certificates JSON file. If the ContentHostingConfiguration references a certificate, by its ID, in a distributionConfiguration, then an HTTPS distribution will be created using the certificate and key in the file pointed to by the Certificates JSON file. Multiple distribution points can be provided to use different server certificates or to provide both HTTP and HTTPS distribution points for the same ingest material. Instructions to run the examples have been provided in the `docs/README.md` file.
Feature description
Each X.509 server certificate [8] presented by the 5GMSd AS at reference point M4d or at reference point xMB-U is represented by a Server Certificate resource at M1d.
Relevant specifications and corresponding sections
26.501 - 5G Media Streaming (5GMS); General description and architecture (Release 17)
26.512 - 5G Media Streaming (5GMS); Protocols (Release 17)
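The lookup rules discussed in this issue (certificate Id to PEM path, relative paths resolved against the Certificates JSON file, abort on an unknown `certificateId` or a missing certificates file), as an added example that is not the project's own code. The `distributionConfigurations` array name is taken from TS 26.512; the function names, `ConfigurationError`, the sample Id `testcert1`, the paths and the file-permission check are assumptions made for this illustration.

```python
import json, os, stat, tempfile

class ConfigurationError(Exception): pass  # the "abort with a configuration error" case

def load_certificates(certs_json):
    """Map certificate Id -> PEM path; relative paths are relative to the JSON file."""
    base = os.path.dirname(os.path.abspath(certs_json))
    with open(certs_json) as f:
        return {cid: os.path.normpath(os.path.join(base, p)) for cid, p in json.load(f).items()}

def check_pem(path):
    """The bundle must hold a certificate and its private key, accessible to the owner only."""
    with open(path) as f:
        text = f.read()
    if "-----BEGIN CERTIFICATE-----" not in text or "PRIVATE KEY-----" not in text:
        raise ConfigurationError(f"{path} lacks a certificate or a private key")
    # Added hardening check (not from the issue): the file carries a private key.
    if stat.S_IMODE(os.stat(path).st_mode) & 0o077:
        raise ConfigurationError(f"{path} holds a private key but is group/world accessible")

def resolve_distributions(chc, certs_json=None):
    """Return [(canonicalDomainName, PEM path or None)]; None means a plain HTTP distribution."""
    certs = load_certificates(certs_json) if certs_json else {}
    out = []
    for dist in chc.get("distributionConfigurations", []):
        cid = dist.get("certificateId")
        if cid is not None:
            if cid not in certs:  # also covers "certificates filename not given"
                raise ConfigurationError(f"unknown certificateId {cid!r}")
            check_pem(certs[cid])
        out.append((dist.get("canonicalDomainName"), certs.get(cid)))
    return out

def make_sample(directory):
    """Write a constructed Certificates.json and placeholder PEM (not real key material)."""
    pem = os.path.join(directory, "certs", "testcert1.pem")
    os.makedirs(os.path.dirname(pem))
    with open(pem, "w") as f:
        f.write("-----BEGIN CERTIFICATE-----\nAAAA\n-----END CERTIFICATE-----\n"
                "-----BEGIN PRIVATE KEY-----\nAAAA\n-----END PRIVATE KEY-----\n")
    os.chmod(pem, 0o600)
    certs_json = os.path.join(directory, "Certificates.json")
    with open(certs_json, "w") as f:
        json.dump({"testcert1": "certs/testcert1.pem"}, f)
    return certs_json, pem

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        chc = {"distributionConfigurations": [{"canonicalDomainName": "as.example", "certificateId": "testcert1"}]}
        print(resolve_distributions(chc, make_sample(d)[0]))
```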