
4.2.2.1 Security functional requirements on the NEF deriving from 3GPP specifications -- TS 33.501 [2]

Version 17.0.0 (33519-h00, 33519-i00)
Test Name

TC_CP_AUTH_AF_NEF
Threat Reference

TR 33.926 [5], clause I.2.2.2, No authorization on northbound APIs

Requirement Name

Authorization on application function

Requirement Reference

TS 33.501 [2], clause 12.4

Requirement Description

"The NEF shall authorize the requests from Application Function using OAuth-based authorization mechanism, the specific authorization mechanisms shall follow the provisions given in RFC 6749 [43]" as specified in TS 33.501 [2], clause 12.4.

Test Purpose

To verify that the NEF can authenticate the application function and establish a TLS connection towards the application server using certificate-based authentication, and may authenticate the application function and establish a TLS connection towards the application server using pre-shared-key-based authentication.

Pre-Conditions
  • The NEF network product shall be connected in an emulated or real network environment.

  • In order to establish TLS connections to the NEF network product, the application function shall offer a configuration that the NEF network product supports, i.e., a protocol version and a combination of cryptographic algorithms supported by the NEF network product.

  • The application function and the NEF network product shall support certificate-based authentication, and may support pre-shared-key-based authentication.

  • If the NEF network product does not support CAPIF as specified in clause 6.2.5.1 of TS 23.501 [3], the certificates or the pre-shared key shall be provisioned in the NEF network product.

  • If the NEF network product supports CAPIF, the certificates or the pre-shared key shall be provisioned in the CAPIF core function, and the CAPIF core function shall be able to select the appropriate authentication method as defined in sub-clause 6.5.2 of TS 33.122 [4].

Execution Steps
  1. If certificate-based authentication is used, provision the correct certificate on the application function; if pre-shared-key-based authentication is used, provision the same pre-shared key on the application function.

  2. The application function shall initiate establishment of a TLS connection towards the NEF network product; check whether a TLS connection is established successfully.

  3. If certificate-based authentication is used, provision an incorrect certificate on the application function; if pre-shared-key-based authentication is used, provision a different pre-shared key on the application function.

  4. The application function shall initiate establishment of a TLS connection towards the NEF network product; check that no new TLS connection is established.

Expected Results

Only one TLS connection is established, namely the one at step 2; no new TLS connection is established at step 4.
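The certificate-based variant of steps 1 to 4 can be rehearsed locally before running it against a real NEF. The following harness is an added example, not code from TS 33.519 or from any NEF product: a stand-in NEF TLS endpoint that demands a client certificate chaining to the provisioned CA, a stand-in application function (AF) that attempts the connection with a correct and then with an incorrect certificate, and a check of the expected result (exactly one connection, at step 2). The test PKI (the names "Test CA", "nef.example", "af.example", "Other CA"), the loopback port and the banner text are constructed; the third-party `cryptography` package is assumed to be installed for certificate generation, and the pre-shared-key variant is not covered.

```python
"""Certificate-based authentication harness for TC_CP_AUTH_AF_NEF.
Added example, not code from TS 33.519 or any NEF product: a local stand-in
for the NEF TLS endpoint that demands a client certificate chaining to the
provisioned CA, driven through steps 1-4 by a stand-in application function.
Needs the third-party 'cryptography' package; PSK authentication not covered.
"""
import datetime, os, socket, ssl, tempfile, threading
from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.x509.oid import NameOID


def make_cert(common_name, issuer=None, is_ca=False):
    """Constructed test PKI: (certificate, key), self-signed unless issuer=(cert, key)."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    subject = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)])
    now = datetime.datetime.now(datetime.timezone.utc)
    cert = (x509.CertificateBuilder()
            .subject_name(subject)
            .issuer_name(issuer[0].subject if issuer else subject)
            .public_key(key.public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(now - datetime.timedelta(minutes=5))
            .not_valid_after(now + datetime.timedelta(days=1))
            .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True)
            .add_extension(x509.SubjectAlternativeName([x509.DNSName("localhost")]), critical=False)
            .sign(issuer[1] if issuer else key, hashes.SHA256()))
    return cert, key


def write_pem(directory, name, cert, key):
    """The ssl module wants file paths; returns (cert_path, key_path)."""
    cert_path, key_path = os.path.join(directory, name + ".crt"), os.path.join(directory, name + ".key")
    with open(cert_path, "wb") as f:
        f.write(cert.public_bytes(serialization.Encoding.PEM))
    with open(key_path, "wb") as f:
        f.write(key.private_bytes(serialization.Encoding.PEM, serialization.PrivateFormat.PKCS8,
                                  serialization.NoEncryption()))
    return cert_path, key_path


def nef_endpoint(cert_path, key_path, ca_path, ready, verdicts, attempts):
    """Stand-in NEF: serves `attempts` handshakes, each requiring a client
    certificate that chains to ca_path; appends True/False per attempt."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.verify_mode = ssl.CERT_REQUIRED        # mutual TLS: the AF must present a certificate
    ctx.load_verify_locations(cafile=ca_path)  # the provisioned trust anchor
    ctx.load_cert_chain(certfile=cert_path, keyfile=key_path)
    with socket.socket() as raw:
        raw.bind(("127.0.0.1", 0))
        raw.listen(2)
        ready["port"] = raw.getsockname()[1]
        ready["event"].set()
        with ctx.wrap_socket(raw, server_side=True) as listener:
            for _ in range(attempts):
                try:
                    conn, _ = listener.accept()  # the TLS handshake runs inside accept()
                    with conn:
                        conn.sendall(b"NEF: AF authenticated\n")
                    verdicts.append(True)
                except OSError:                  # ssl.SSLError is a subclass of OSError
                    verdicts.append(False)


def af_connect(port, ca_path, cert_path, key_path):
    """AF side: one TLS connection attempt; True only if the NEF accepted it."""
    ctx = ssl.create_default_context(cafile=ca_path)  # the AF verifies the NEF too
    ctx.load_cert_chain(certfile=cert_path, keyfile=key_path)
    try:
        with socket.create_connection(("127.0.0.1", port), timeout=5) as raw:
            with ctx.wrap_socket(raw, server_hostname="localhost") as tls:
                # In TLS 1.3 the client's handshake completes before the server has
                # checked its certificate, so read once to observe the server's verdict.
                return tls.recv(64) != b""
    except OSError:
        return False


def run_tc_cp_auth_af_nef():
    """Execute steps 1-4; returns what the AF observed and what the NEF recorded."""
    ca = make_cert("Test CA", is_ca=True)
    nef, good = make_cert("nef.example", issuer=ca), make_cert("af.example", issuer=ca)
    bad = make_cert("af.example", issuer=make_cert("Other CA", is_ca=True))  # step 3: wrong CA
    with tempfile.TemporaryDirectory() as d:
        ca_path, _ = write_pem(d, "ca", *ca)
        ready, verdicts = {"event": threading.Event()}, []
        server = threading.Thread(target=nef_endpoint, daemon=True, args=(
            *write_pem(d, "nef", *nef), ca_path, ready, verdicts, 2))
        server.start()
        ready["event"].wait(5)
        step2 = af_connect(ready["port"], ca_path, *write_pem(d, "af-good", *good))  # steps 1-2
        step4 = af_connect(ready["port"], ca_path, *write_pem(d, "af-bad", *bad))    # steps 3-4
        server.join(5)
    return {"step2": step2, "step4": step4, "nef_accepted": verdicts}


if __name__ == "__main__":
    print(run_tc_cp_auth_af_nef())
```

The evidence this produces is two-sided: the AF's view (`step2`, `step4`) and the NEF's own record of which handshakes it accepted (`nef_accepted`), which is the more trustworthy of the two because, under TLS 1.3, the client side only learns of a rejected certificate after its own handshake has completed. Against a real NEF the same pass/fail logic applies, with the NEF's TLS log taking the place of the `verdicts` list.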

Expected Format of Evidence

Evidence suitable for the interface, e.g., a screenshot containing the operational results.

4.2.2.1.2 Authorization on northbound APIs

Test Name

TC_CP_AUTHOR_AF_NEF
Threat Reference

TR 33.926 [5], clause I.2.2.2, No authorization on northbound APIs

Requirement Name

Authorization on application function

Requirement Reference

TS 33.501 [2], clause 12.4

Requirement Description

"The NEF shall authorize the requests from Application Function using OAuth-based authorization mechanism, the specific authorization mechanisms shall follow the provisions given in RFC 6749 [43]" as specified in TS 33.501 [2], clause 12.4.

Test Purpose

To verify that the NEF can authorize the application function.

Pre-Conditions
  • The NEF network product shall be connected in an emulated or real network environment.

  • The application function and the NEF network product shall support the OAuth-based authorization mechanism.

  • An authorization server (e.g., NRF or CAPIF core function) that supports the OAuth2 protocol to authorize NEF northbound APIs using the "Client Credentials" authorization grant has been deployed.

  • The TLS connection between the NEF network product and the application function has been established.

  • The authorization server is configured to grant the application function access to a northbound API of the NEF network product, called NEF northbound API A.

Execution Steps

Test 1: without token

  1. The application function invokes the Obtain_Authorization service towards the authorization server to get a token for accessing NEF northbound API A.

  2. The application function invokes NEF northbound API A.

  3. The tester triggers the application function to invoke another northbound API of the NEF network product, called NEF northbound API B, without a token.

Test 2: with incorrect token

  1. The application function invokes the Obtain_Authorization service towards the authorization server to get a token for accessing NEF northbound API A.

  2. The application function invokes NEF northbound API A.

  3. The tester triggers the application function to invoke NEF northbound API B with a fake token.

Expected Results

The invocation of NEF northbound API A succeeds, while the invocation of NEF northbound API B fails.
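Test 1 and Test 2 can be rehearsed in-process before being run against a real authorization server and NEF. The following harness is an added example, not code from TS 33.519, NRF or CAPIF: a stand-in authorization server issuing Client Credentials tokens (RFC 6749 [43], section 4.4) scoped to a single NEF northbound API, a stand-in NEF that checks the bearer token on every API call, and an AF driven through both tests. It goes one case beyond the spec's steps by also replaying the genuine API A token against API B, which must fail on scope rather than on token validity. The token layout (HMAC-signed JSON, a simplified JWS-like shape), the API names "nef-api-A" and "nef-api-B", the client id and secret, and the issuer/audience strings are all constructed and are not the formats or identifiers used by any real NEF or authorization server.

```python
"""Authorization harness for TC_CP_AUTHOR_AF_NEF.
Added example, not code from TS 33.519, NRF or CAPIF: the three parties run
in-process. The authorization server issues Client Credentials tokens
(RFC 6749 section 4.4) scoped to one NEF northbound API each, the NEF checks
a bearer token on every API call, and the AF is driven through Test 1 and
Test 2. Token layout (HMAC-signed JSON, JWS-like but simplified), API names
"nef-api-A"/"nef-api-B", client id/secret and issuer/audience are constructed.
"""
import base64, hashlib, hmac, json, secrets, time

SIGNING_KEY = secrets.token_bytes(32)  # shared by AS and NEF; constructed for this run


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class AuthorizationServer:
    """Stand-in for the NRF / CAPIF core function token endpoint."""

    def __init__(self, key):
        self.key = key
        self.clients = {}  # client_id -> (client_secret, set of APIs it may be granted)

    def register(self, client_id, client_secret, apis):
        self.clients[client_id] = (client_secret, set(apis))

    def obtain_authorization(self, client_id, client_secret, scope):
        """grant_type=client_credentials; returns a token response or an RFC 6749 error."""
        known = self.clients.get(client_id)
        if known is None or not hmac.compare_digest(known[0], client_secret):
            return {"error": "invalid_client"}
        if scope not in known[1]:
            return {"error": "invalid_scope"}
        claims = {"iss": "as.example", "sub": client_id, "aud": "nef.example", "scope": scope,
                  "exp": int(time.time()) + 600, "jti": secrets.token_hex(8)}
        payload = b64url(json.dumps(claims, separators=(",", ":")).encode())
        tag = b64url(hmac.new(self.key, payload.encode(), hashlib.sha256).digest())
        return {"access_token": f"{payload}.{tag}", "token_type": "Bearer", "expires_in": 600}


class NEF:
    """Northbound API front end: every API needs a valid token whose scope names it."""

    def __init__(self, key):
        self.key = key

    def _verify(self, token):
        """Returns the claims if signature, audience and expiry check out, else None."""
        payload, _, tag = token.partition(".")
        expected = hmac.new(self.key, payload.encode(), hashlib.sha256).digest()
        if not tag or not hmac.compare_digest(b64url(expected), tag):
            return None
        try:
            claims = json.loads(b64url_decode(payload))
        except (ValueError, UnicodeDecodeError):
            return None
        if claims.get("aud") != "nef.example" or claims.get("exp", 0) < time.time():
            return None
        return claims

    def invoke(self, api, authorization_header):
        """HTTP-style status: 200 ok, 401 missing/invalid token, 403 token not for this API."""
        if not authorization_header or not authorization_header.startswith("Bearer "):
            return 401
        claims = self._verify(authorization_header[len("Bearer "):])
        if claims is None:
            return 401
        return 200 if claims.get("scope") == api else 403


def run_tc_cp_author_af_nef():
    """Execute Test 1 and Test 2 (plus one extra case); returns a status code per step."""
    auth_server, nef = AuthorizationServer(SIGNING_KEY), NEF(SIGNING_KEY)
    auth_server.register("af-1", "af-1-secret", apis=["nef-api-A"])  # granted API A only
    token = auth_server.obtain_authorization("af-1", "af-1-secret", "nef-api-A")["access_token"]
    results = {}
    # Test 1: API A with the issued token, API B without any token
    results["test1_api_A"] = nef.invoke("nef-api-A", "Bearer " + token)
    results["test1_api_B"] = nef.invoke("nef-api-B", None)
    # Test 2: API A as before, API B with a fake token (claims edited to name API B,
    # signature left as issued, so the NEF's integrity check must reject it)
    results["test2_api_A"] = nef.invoke("nef-api-A", "Bearer " + token)
    payload, tag = token.split(".")
    claims = json.loads(b64url_decode(payload))
    claims["scope"] = "nef-api-B"
    fake = b64url(json.dumps(claims, separators=(",", ":")).encode()) + "." + tag
    results["test2_api_B"] = nef.invoke("nef-api-B", "Bearer " + fake)
    # Beyond the spec's steps: a genuine API-A token replayed against API B fails on scope
    results["reuse_A_token_for_B"] = nef.invoke("nef-api-B", "Bearer " + token)
    return results
```

The status codes distinguish the two failure causes the spec lumps together as "fails": a missing or forged token is an authentication failure of the token itself (401), whereas a valid token presented to an API outside its scope is an authorization failure (403). Recording which one the NEF under test returns is useful evidence, since a NEF that answers 200 to the replayed token case enforces token validity but not per-API authorization.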

Expected Format of Evidence

Evidence suitable for the interface, e.g., a screenshot containing the operational results.
