Tech-invite3GPPspaceIETFspace
21222324252627282931323334353637384‑5x

Content for  TS 23.222  Word version:  19.7.0

Top   Top   Up   Prev   Next
0…   4…   5…   6…   6.3…   6.4…   7…   8…   8.5…   8.8…   8.9…   8.13…   8.17…   8.21…   8.25…   8.26…   8.28…   8.30…   8.33…   8.36…   9…   10…   10.4…   10.7…   11…   A   B…   B.2…   B.3…   C…   D…
8.21 Monitoring service API invocation8.21.1 General8.21.2 Information flows8.21.2.1 Monitoring service API event notification8.21.2.2 Monitoring service API event notification acknowledgement8.21.3 Procedure8.22 Auditing service API invocation8.22.1 General8.22.2 Information flows8.22.2.1 Query service API log request8.22.2.2 Query service API log response8.22.3 Procedure8.23 CAPIF revoking API invoker authorization8.23.1 General8.23.2 Information flows8.23.2.1 Revoke API invoker authorization request8.23.2.2 Revoke API invoker authorization response8.23.2.3 Revoke API invoker authorization notify8.23.2.4 Revoke API invoker authorization notify acknowledgement8.23.3 Procedure for CAPIF revoking API invoker authorization initiated by AEF8.23.4 Procedure for CAPIF revoking API invoker authorization initiated by CAPIF core function8.24 API topology hiding management8.24.1 General8.24.2 Information flows8.24.2.1 API topology hiding notify8.24.3 Procedure
...

 

8.21  Monitoring service API invocationp. 76

8.21.1  Generalp. 76

The procedure in this subclause corresponds to the architectural requirements for monitoring service API invocation.

8.21.2  Information flowsp. 76

8.21.2.1  Monitoring service API event notificationp. 76

The information flow for the monitoring service API event notification from the CAPIF core function to the API management function is same as the event notification from the CAPIF core function to the subscribing entity. Table 8.8.2.3-1 describes the information elements which are included in the monitoring service API event notification.

8.21.2.2  Monitoring service API event notification acknowledgementp. 76

The information flow for the monitoring service API event notification acknowledgement from the API management function to the CAPIF core function is same as the event notification acknowledgement from subscribing entity to the CAPIF core function. Table 8.8.2.4-1 describes the information elements which are included in the monitoring service API event notification acknowledgement.

8.21.3  Procedurep. 76

Figure 8.21.3-1 illustrates the procedure for monitoring service API invocation.
Pre-condition:
  1. The API management function has subscribed to monitoring event including filters such as invoker's ID and IP address, service API name and version, input parameters, and invocation result.
Reproduction of 3GPP TS 23.222, Fig. 8.21.3-1: Procedure for monitoring service API invocation
Figure 8.21.3-1: Procedure for monitoring service API invocation
Up
Step 1.
The CAPIF core function monitors the service API invocations applying the monitoring filters specified before.
Step 2.
Detection of a monitoring event by the CAPIF core function triggers notification to the API management function with the details of the monitored event.
Step 3.
The API management function sends a monitoring service API event notification acknowledgement to the CAPIF core function for the notification received.
Up

8.22  Auditing service API invocationp. 77

8.22.1  Generalp. 77

The procedure in this subclause corresponds to the architectural requirements for auditing service API invocation. This procedure can be used for auditing of other CAPIF interactions i.e. service API invocation events, API invoker onboarding events and API invoker interactions with the CAPIF (e.g. authentication, authorization, discover service APIs) as well. The API management function can be within PLMN trust domain or within 3rd party trust domain.

8.22.2  Information flowsp. 77

8.22.2.1  Query service API log requestp. 77

Table 8.22.2.1-1 describes the information flow query service API log request from the API management function to the CAPIF core function.
Information element Status Description
Identity informationMIdentity information of the entity querying service API log request
Query informationMList of query filters such as invoker's ID and IP address, service API name and version, input parameters, and invocation result
Up

8.22.2.2  Query service API log responsep. 77

Table 8.22.2.2-1 describes the information flow query service API log response from the CAPIF core function to the API management function.
Information element Status Description
ResultMIndicates the success or failure of query service API log request
API invocation log informationO
(see NOTE)		API invocation log information such as API invoker's ID, IP address, service API name, version, invoked operation, input parameters, invocation result, time stamp information, Network Slice Info
NOTE:
Information element shall be present when result indicates success.
Up

8.22.3  Procedurep. 78

Figure 8.22.3-1 illustrates the procedure for auditing service API invocation.
Pre-conditions:
  1. Service API invocation logs are available at the CAPIF core function.
  2. Authorization details of the AMF are available with the CAPIF core function.
Reproduction of 3GPP TS 23.222, Fig. 8.22.3-1: Procedure for auditing service API invocation
Figure 8.22.3-1: Procedure for auditing service API invocation
Up
Step 1.
For auditing service API invocations, the API management function triggers query service API log request to the CAPIF core function.
Step 2.
Upon receiving the query service API log request, the CAPIF core function accesses the necessary service API log information for auditing purposes.
Step 3.
The CAPIF core function returns the log information to the API management function in the query service API log response.
Up

8.23  CAPIF revoking API invoker authorizationp. 78

8.23.1  Generalp. 78

The CAPIF controls the access of service API by the API invoker based on policy or usage limits. If the usage limits have exceeded, the authorization of the API invoker for accessing the service APIs is revoked. The decision to revoke the API invoker authorization may be triggered by the AEF or the CAPIF core function. The AEF can be within PLMN trust domain or within 3rd party trust domain.
In RNAA scenarios, the decision to revoke the API invoker authorization may be initiated by the CAPIF core function based on triggers at the CAPIF core function.
Up

8.23.2  Information flowsp. 79

8.23.2.1  Revoke API invoker authorization requestp. 79

Table 8.23.2.1-1 describes the information flow revoke API invoker authorization request from the API exposing function to the CAPIF core function or from the CAPIF core function to the API exposing function.
Information element Status Description
API invoker identity informationMThe information that determines the identity of the API invoker.
Service API identification listMThe identification information of the service API(s) for which the authorization is revoked.
Security informationO
(NOTE 1, 2)		Security information (as specified in TS 33.122) for authorization revocation.
CauseMThe cause for revoking the API invoker authorization (e.g., RO authorization revocation).
NOTE 1:
The security information may be included in the Revoke API invoker authorization request from the CAPIF core function to the API exposing function (i.e., it is not used in the request from the API exposing function to the CAPIF core function).
NOTE 2:
If the security information is not included, the revocation applies to all the permissions granted for the service API.
Up

8.23.2.2  Revoke API invoker authorization responsep. 79

Table 8.23.2.2-1 describes the information flow revoke API invoker authorization response from the CAPIF core function to the API exposing function or from the API exposing function to the CAPIF core function.
Information element Status Description
ResultMIndicates the success or failure of revoke API invoker authorization.
CauseOThe cause for the request failure.
Up

8.23.2.3  Revoke API invoker authorization notifyp. 79

Table 8.23.2.3-1 describes the information flow revoke API invoker authorization notify from the CAPIF core function to the API invoker.
Information element Status Description
API invoker identity informationMThe information that determines the identity of the API invoker whose authorization has been revoked.
Service API identification listMThe identification information of the service API(s) for which the authorization is revoked.
Security informationO
(NOTE)		Security information (as specified in TS 33.122) for authorization revocation.
CauseMThe cause for revoking the API invoker authorization (e.g., RO authorization revocation).
NOTE:
If the security information is not included, the revocation applies to all the permissions granted for the service API(s).
Up

8.23.2.4  Revoke API invoker authorization notify acknowledgement |R19|p. 80

Table 8.23.2.4-1 describes the information flow revoke API invoker authorization notify acknowledgement from the API Invoker to the CAPIF core function.
Information element Status Description
AcknowledgementMAcknowledgement for the revoke API invoker authorization notify received.
Up

8.23.3  Procedure for CAPIF revoking API invoker authorization initiated by AEFp. 80

Figure 8.23.3-1 illustrates the procedure for revoking API invoker authorization to access service API initiated by the AEF.
Pre-conditions:
  1. The API invoker is authenticated and authorized to use the service API.
  2. The AEF in the CAPIF is configured with the access policy to be applied to the service API invocation corresponding to the API invoker and the service API.
  3. Authorization details of the AEF are available with the CAPIF core function.
Reproduction of 3GPP TS 23.222, Fig. 8.23.3-1: Procedure for revoking API invoker authorization initiated by AEF
Figure 8.23.3-1: Procedure for revoking API invoker authorization initiated by AEF
Up
Step 1.
The AEF triggers the revocation of the API invoker authorization.
Step 2.
The AEF sends revoke API invoker authorization request to the CAPIF core function with the details of the API invoker and the service API.
Step 3.
Upon receiving the information to revoke the API invoker's authorization for service API invocation, the CAPIF core function invalidates the API invoker authorization corresponding to the service API.
Step 4.
The CAPIF core function sends a revoke API invoker authorization response to the AEF.
Step 5.
Upon successful revocation of API invoker authorization corresponding to the service API at the CAPIF core function, the AEF invalidates the API invoker authorization corresponding to the service API.
Step 6.
The CAPIF core function sends a revoke API invoker authorization notify to the API invoker whose authorization to access the service API has been revoked.
Up

8.23.4  Procedure for CAPIF revoking API invoker authorization initiated by CAPIF core functionp. 81

Figure 8.23.4-1 illustrates the procedure for revoking API invoker authorization to access service API initiated by the CAPIF core function. This procedure is also used for revoking API invoker authorization supporting RNAA scenarios.
Pre-conditions:
  1. The API invoker is authenticated and authorized to use the service API.
  2. The AEF in the CAPIF is configured with the access policy to be applied to the service API invocation corresponding to the API invoker and the service API.
Reproduction of 3GPP TS 23.222, Fig. 8.23.4-1: Procedure for revoking API invoker authorization initiated by CAPIF core function
Figure 8.23.4-1: Procedure for revoking API invoker authorization initiated by CAPIF core function
Up
Step 1.
The CAPIF core function is triggered to revoke the API invoker authorization.
Step 2.
The CAPIF core function sends revoke API invoker authorization request to the AEF with the details of the API invoker and the service API, and optionally, the security information as specified in clause 6.5.3.4 of TS 33.122.
Step 3.
Upon receiving the information to revoke the API invoker's authorization for service API invocation, the AEF invalidates the API invoker authorization corresponding to the service API or, if provided, the API invoker authorization corresponding to the received security information.
Step 4.
The AEF sends a revoke API invoker authorization response to the CAPIF core function.
Step 5.
The CAPIF core function invalidates the API invoker authorization corresponding to the service API or, if provided, to the received security information.
Step 6.
The CAPIF core function sends a revoke API invoker authorization notify to the API invoker whose authorization to access the service API has been revoked.
Up

8.24  API topology hiding management |R16|p. 82

8.24.1  Generalp. 82

The following procedure in this subclause corresponds to the architectural requirements on API topology hiding. The procedure in this subclause supports API topology hiding by dynamically configuring the address of the AEF providing the Service API to the AEF entry point providing the topology hiding. The API publishing function and the API exposing function can be within PLMN trust domain or within 3rd party trust domain.

8.24.2  Information flowsp. 82

8.24.2.1  API topology hiding notifyp. 82

Table 8.24.2.1-1 describes the information flow API topology hiding notify from the CAPIF core function to the API exposing function.
Information element Status Description
Service API identificationMThe identification information of the service API with the API topology hiding
API exposing function(s) informationMIndicates the one or more AEF(s) which provides the service API to apply the topology hiding including the interface details (e.g. IP address, port number, URI).
ActionMIndicates the notification action for the API topology hiding (created or revoked).
Up

8.24.3  Procedurep. 82

Figure 8.24.3-1 illustrates the procedure for API topology hiding management by API (un)publish function.
Pre-condition:
  1. Authorization details of the APF are available with the CAPIF core function.
  2. The API exposing function has subscribed to CAPIF event for API topology hiding status.
Reproduction of 3GPP TS 23.222, Fig. 8.24.3-1: API topology hiding via API (un)publish
Figure 8.24.3-1: API topology hiding via API (un)publish
Up
Step 1.
The API publishing function sends a service API publish request as described in subclause 8.3.2.1 or a service API unpublish request as described in subclause 8.4.2.1 to the CAPIF core function.
Step 2.
Upon receiving the service API (un)publish request, the CAPIF core function checks whether the API publishing function is authorized to perform the service API (un)publish. If authorized, based on the service APIs and policy:
  • For service API publish, the CCF applies the topology hiding by selecting an AEF providing the topology hiding as the entry point for service API invocation. The selected AEF information is stored with the service API information received from API publish function at the CAPIF core function (API registry).
  • For service API unpublish, the previously selected AEF as topology hiding entry point and the associated service API information at the CAPIF core function (API registry) are removed.
Step 3.
The CCF sends the API topology notify to the AEF selected as the entry point for service API invocation. The service API identification and the AEF(s) information which provides the service API details are included.
Step 4.
Upon receiving the notification, the AEF stores the received information for further service API invocation request forwarding if the action in the API topology notify indicates "created" or removes the stored API forwarding information if the action in the API topology notify indicates "revoked".
Step 5.
The CCF sends an API (un)publish response to the API publish function.
Up

Up   Top   ToC