23.1273GPPRelease 6TSVirtual Home Environment (VHE) / Open Service Access (OSA)
In order to be able to implement future applications/end user services that are not yet known today, a highly flexible Framework for Services is required. The Open Service Access (OSA) enables applications implementing the services to make use of network functionality. Network functionality offered to applications is defined in terms of a set of Service Capability Features (SCFs). These SCFs provide functionality of network capabilities which is accessible to applications through the standardised OSA interface upon which service developers can rely when designing new services (or enhancements/variants of already existing ones).
The aim of OSA is to provide a standardised, extendible and scalable interface that allows for inclusion of new functionality in the network in future releases with a minimum impact on the applications using the OSA interface.
Network functionality offered to applications is defined as a set of Service Capability Features (SCFs) in the OSA API, which are supported by different Service Capability Servers (SCS). These SCFs provide access to the network capabilities on which the application developers can rely when designing new applications (or enhancements/variants of already existing ones). The different features of the different SCSs can be combined as appropriate. The exact addressing (parameters, type and error values) of these features is described in stage 3 descriptions. These descriptions (defined using OMG Interface Description Language™) are open and accessible to application developers, who can design services in any programming language, while the underlying core network functions use their specific protocols.
The standardised OSA API shall be secure, it is independent of vendor specific solutions and independent of programming languages, operating systems etc used in the service capabilities. Furthermore, the OSA API is independent of the location within the home environment where service capabilities are implemented and independent of supported service capabilities in the network.
To make it possible for application developers to rapidly design new and innovative applications, an architecture with open interfaces is imperative. By using object-oriented techniques, for example CORBA, SOAP, etc., it is possible to use different operating systems and programming languages in application servers and service capability servers. The service capability servers serve as gateways between the network entities and the applications.
The OSA API is based on lower layers using main stream information technology and protocols. The middleware and protocols (for example CORBA/IIOP, SOAP/XML, other XML based protocols etc.) and lower layer protocols (for example TCP, IP, etc.) should provide security mechanisms to encrypt data (for example TLS, IP sec, etc.).
5.1 Overview of the Open Service Access
The Open Service Access consists of three parts:
– Applications: e.g. VPN, conferencing, location based applications. These applications are implemented in one or more Application Servers;
– Framework: providing applications with basic mechanisms that enable them to make use of the service capabilities in the network. Examples of framework functions are Authentication and Discovery. Before an application can use the network functionality made available through Service Capability Features, authentication between the application and framework is needed. After authentication, the discovery function enables the application to find out which network service capability features are provided by the Service Capability Servers. The network service capability features are accessed by the methods defined in the OSA interfaces;
– Service Capability Servers: providing the applications with service capability features, which are abstractions from underlying network functionality. Examples of service capability features offered by the Service Capability Servers are Call Control and User Location. Similar service capability features may possibly be provided by more than one Service Capability Server. For example, Call Control functionality might be provided by SCSs on top of CAMEL and MExE.
The OSA service capability features are specified in terms of a number of interfaces and their methods. The interfaces are divided into two groups:
– framework interfaces;
– network interfaces.
NOTE: The CAMEL Service Environment does not provide the service logic execution environment for applications using the OSA API, since these applications are executed in Application Servers.
Figure 1: Overview of Open Service Access
The present document, together with the associated stage 3 specification, defines the OSA API and the OSA internal API between the framework and the service capability servers. OSA does not mandate any specific platform or programming language.
The Service Capability Servers that provide the OSA interfaces are functional entities that can be distributed across one or more physical nodes. For example, the User Location interfaces and Call Control interfaces might be implemented on a single physical entity or distributed across different physical entities. Furthermore, a service capability server can be implemented on the same physical node as a network functional entity or in a separate physical node. For example, Call Control interfaces might be implemented on the same physical entity as the CAMEL protocol stack (i.e. in the CSE) or on a different physical entity.
Several options exist:
The OSA interfaces are implemented in one or more physical entity, but separate from the physical network entities. Figure 2 shows the case where the OSA interfaces are implemented in one physical entity, called "gateway" in the figure. Figure 3 shows the case where the SCSs are distributed across several "gateways".
Figure 2: SCSs and network functional entities implemented in separate physical entities
Figure 3: SCSs and network functional entities implemented in separate physical entities,
SCSs distributed across several ‘gateways’
The OSA interfaces are implemented in the same physical entities as the traditional network entities (e.g. HSS, CSE), see figure 4.
Figure 4: SCSs and network functional entities implemented in same physical entities
Option 3 is the combination of option 1 and option 2, i.e. a hybrid solution.
Figure 5: Hybrid implementation (combination of option 1 and 2)
It shall be noted that in all cases there is only one framework. This framework may reside within one of the physical entities containing an SCS or in a separate physical entity.
From the application point of view, it shall make no difference which implementation option is chosen, i.e. in all cases the same network functionality is perceived by the application. The applications shall always be provided with the same set of interfaces and a common access to framework and service capability feature interfaces. It is the framework that will provide the applications with an overview of available service capability features and how to make use of them.
5.2 Basic mechanisms in the Open Service Access
This subclause explains which basic mechanisms are executed in OSA prior to offering and activating applications.
Some of the mechanisms are applied only once (e.g. establishment of service agreement), others are applied each time a user subscription is made to an application (e.g. enabling the call attempt event for a new user).
Basic mechanisms between Application and Framework:
– Authentication: Once an off-line service agreement exists, the application can access the authentication function. The authentication model of OSA is a peer-to-peer model. The application must authenticate the framework and vice versa. The application must be authenticated before it is allowed to use any other OSA function.
– Authorisation: Authorisation is distinguished from authentication in that authorisation is the action of determining what a previously authenticated application is allowed to do. Authentication must precede authorisation. Once authenticated, an application is authorised to access certain service capability features.
– Discovery of framework functions and network service capability features: After successful authentication, applications can obtain available framework functions and use the discovery function to obtain information on authorised network service capability features. The Discovery function can be used at any time after successful authentication.
– Establishment of service agreement: Before any application can interact with a network service capability feature, a service agreement must be established. A service agreement may consist of an off-line (e.g. by physically exchanging documents) and an on-line part. The application has to sign the on-line part of the service agreement before it is allowed to access any network service capability feature.
– Access to network service capability features: The framework must provide access control functions to authorise the access to service capability features or service data for any API method from an application, with the specified security level, context, domain, etc.
Basic mechanism between Framework and Service Capability Server:
– Registering of network service capability features. SCFs offered by a Service Capability Server can be registered at the Framework. In this way the Framework can inform the Applications upon request about available service capability features (Discovery). For example, this mechanism is applied when installing or upgrading a Service Capability Server.
Basic mechanisms between Application Server and Service Capability Server:
– Request of event notifications. This mechanism is applied when a user has subscribed to an application and that application needs to be invoked upon receipt of events from the network related to the user. For example, when a user subscribes to an incoming call screening application, the application needs to be invoked when the user receives a call. It will therefore request to be notified when a call setup is performed, with the user number as Called Party Number.
5.3 Handling of end-user related security
Once OSA basic mechanisms have ensured that an application has been authenticated and authorised to use network service capability features, it is important to also handle end-user related security aspects. These aspects consist of the following.
– End-user authorisation to applications, limiting the access of end-users to the applications they are subscribed to.
– Application authorisation to end-users, limiting the usage by applications of network capabilities to authorised (i.e. subscribed) end-users.
– End-user’s privacy, allowing the user to set privacy options.
These aspects are addressed in the following subclauses.
5.3.1 End-user authorisation to applications
An end-user is authorised to use an application only when he or she is subscribed to it.
In the case where the end-user has subscribed to the application before the application accesses the network SCFs, then the subscription is part of the Service Level Agreement signed between the HE and the HE-VASP.
After the application has been granted access to network SCFs, subscriptions are controlled by the Home Environment. Depending on the identity of an authenticated and authorised end-user, the Home Environment may use any relevant policy to define and possibly restrict the list of services to which a particular end-user can subscribe. At any time, the Home Environment may decide, unilaterally or after agreement with the HE-VASP, to cancel a particular subscription.
Service subscription and activation information need to be shared between the Home Environment and the HE-VASP, so that the HE-VASP knows which end-users are entitled to use its services. Appropriate online and/or offline synchronisation mechanisms (e.g. SLA re-negotiation) can be used between the HE and the HE-VASP, which are not specified in OSA release 5.
End-to-end interaction between a subscribed end-user and an application may require the usage of appropriate authentication and authorisation mechanisms between the two, which are independent from the OSA API, and therefore not in the scope of OSA standardisation.
5.3.2 Application authorisation to end-users
The Home Environment is entitled to provide service capabilities to an application with regard to a specific end-user if the following conditions are met:
1) the end-user is subscribed to the application;
2) the end-user has activated the application;
3) the usage of this network service capability does not violate the end-users privacy settings (see next subclause).
The service capability server ensures that the above conditions are met whenever an application attempts to use a service capability feature for a given end-user, and to respond to the application accordingly, possibly using relevant error parameters). The mechanism used by the SCS to ensure this is internal to the HE (e.g. access to user profile) and is not standardised in OSA release 5.
5.3.3 End-user’s privacy
The Home Environment may permit an end-user to set privacy options. For instance, it may permit the end-user to decide whether his or her location may be provided to 3rd parties, or whether he or she accepts information to be pushed to his or her terminal. Such privacy settings may have an impact on the ability of the network to provide service capability features to applications (e.g. user location, user interaction). Thus, even if an application is authorised to use an SCF and the end-user is subscribed to this application and this application is activated, privacy settings may still prevent the HE from fulfilling an application request.
The service capability server ensures that a given application request does not violate an end-users privacy settings or that the application has relevant privileges to override them (e.g. for emergency reasons). The mechanism used by the SCS to ensure this is internal to the HE and is not standardised in OSA release 5.