6.4 State Transition Diagrams

3GPP TS 29.198-03: Open Service Access (OSA) Application Programming Interface (API); Part 3: Framework

This clause contains the State Transition Diagrams for the objects that implement the Framework interfaces on the gateway side. The State Transition Diagrams show the behaviour of these objects. For each state, the methods that can be invoked by the client are shown. Methods not shown for a specific state are not relevant for that state and will return an exception. Apart from the methods that can be invoked by the client, events internal to the gateway or related to network events are also shown, together with the resulting event or action performed by the gateway. These internal events are shown between quotation marks.

6.4.1 Trust and Security Management State Transition Diagrams

6.4.1.1 State Transition Diagrams for IpInitial

Figure : State Transition Diagram for IpInitial

6.4.1.2 State Transition Diagrams for IpAPILevelAuthentication

Figure : STD for IpAPILevelAuthentication: Client authenticates Framework using initiateAuthenticationWithVersion() and challenge() method combination

6.4.1.2.1 Idle State

When the client has invoked the IpInitial initiateAuthenticationWithVersion method, an object implementing the IpAPILevelAuthentication interface is created. The client now has to select the authentication mechanism to be used using selectAuthenticationMechanism.

6.4.1.2.2 Authenticating Framework State

When entering this state, the client requests the Framework to authenticate itself. The client invokes the challenge method on the Framework. The Framework may either buffer the requests and respond when the client has been authenticated, or respond immediately, depending on policy. When the client has processed the response from the authenticate request on the Framework, the response is analysed. If the response is valid but the authentication process is not yet complete, then another authenticate request or challenge is sent to the Framework. If the response is valid and the authentication process has been completed, then a transition to the state Framework Authenticated is made and the Framework is informed of its success by invoking authenticationSucceeded. At any time the Framework may abort the authentication process by calling abortAuthentication on the client’s APILevelAuthentication interface. The client may also call selectAuthenticationMechanism to choose another hash algorithm.

6.4.1.2.3 Framework Authenticated State

This state is entered when the client indicates that the Framework has been authenticated, by calling authenticationSucceeded on the Framework’s IpAPILevelAuthentication interface. The client may at any time request re-authentication of the Framework by calling the challenge method, resulting in a transition back to Authenticating Framework state. The client may also call selectAuthenticationMechanism to choose another hash algorithm.

6.4.1.2.4 Authenticating Client State

When entering this state, the Framework requests the client to authenticate itself. The Framework invokes the challenge method on the client. When the Framework has processed the response from the authenticate request or challenge on the client, the response is analysed. If the response is valid but the authentication process is not yet complete, then another authenticate request or challenge is sent to the client. If the response is valid and the authentication process has been completed, then a transition to the state Client Authenticated is made and the client is informed of its success by invoking authenticationSucceeded. If the response is not valid, the Authentication object is destroyed. This implies that the client has to re-initiate the authentication by calling the initiateAuthenticationWithVersion method on the IpInitial interface once more. At any time the client may abort the authentication process by calling abortAuthentication on the Framework’s IpAPILevelAuthentication interface. The client may also call selectAuthenticationMechanism to choose another hash algorithm.

6.4.1.2.5 Client Authenticated State

In this state the client is considered authenticated and is now allowed to request access to the IpAccess interface. If the Framework decides to re-authenticate the client, then the challenge is sent to the client and a transition back to the Authenticating Client state occurs. The client may also call selectAuthenticationMechanism to choose another hash algorithm.

Figure : STD for IpAPILevelAuthentication: Framework authenticates Client using initiateAuthenticationWithVersion() and challenge() method combination

6.4.1.2.6 Idle State

When the client has invoked the IpInitial initiateAuthenticationWithVersion method, an object implementing the IpAPILevelAuthentication interface is created. The client now has to select the authentication mechanism to be used using selectAuthenticationMechanism.

6.4.1.2.7 Authenticating Framework State

When entering this state, the client requests the Framework to authenticate itself. The client invokes the challenge method on the Framework. The Framework may either buffer the requests and respond when the client has been authenticated, or respond immediately, depending on policy. When the client has processed the response from the authenticate request on the Framework, the response is analysed. If the response is valid but the authentication process is not yet complete, then another authenticate request or challenge is sent to the Framework. If the response is valid and the authentication process has been completed, then a transition to the state Framework Authenticated is made and the Framework is informed of its success by invoking authenticationSucceeded. At any time the Framework may abort the authentication process by calling abortAuthentication on the client’s APILevelAuthentication interface. The client may also call selectAuthenticationMechanism to choose another hash algorithm.

6.4.1.2.8 Framework Authenticated State

This state is entered when the client indicates that the Framework has been authenticated, by calling authenticationSucceeded on the Framework’s IpAPILevelAuthentication interface. The client may at any time request re-authentication of the Framework by calling the challenge method, resulting in a transition back to Authenticating Framework state. The client may also call selectAuthenticationMechanism to choose another hash algorithm.

6.4.1.2.9 Authenticating Client State

When entering this state, the Framework requests the client to authenticate itself. The Framework invokes the challenge method on the client. When the Framework has processed the response from the authenticate request or challenge on the client, the response is analysed. If the response is valid but the authentication process is not yet complete, then another authenticate request or challenge is sent to the client. If the response is valid and the authentication process has been completed, then a transition to the state Client Authenticated is made and the client is informed of its success by invoking authenticationSucceeded. If the response is not valid, the Authentication object is destroyed. This implies that the client has to re-initiate the authentication by calling the initiateAuthenticationWithVersion method on the IpInitial interface once more. At any time the client may abort the authentication process by calling abortAuthentication on the Framework’s IpAPILevelAuthentication interface. The client may also call selectAuthenticationMechanism to choose another hash algorithm.

6.4.1.2.10 Client Authenticated State

In this state the client is considered authenticated and is now allowed to request access to the IpAccess interface. If the Framework decides to re-authenticate the client, then the challenge is sent to the client and a transition back to the Authenticating Client state occurs. The client may also call selectAuthenticationMechanism to choose another hash algorithm.
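
The following is an added illustration, not part of the specification: the "Framework authenticates Client" behaviour described above, encoded as a transition table in which any method not listed for a state is rejected, so access can only be requested from Client Authenticated. The Python names, the quoted internal event labels, the "request access" label, the Destroyed state and every transition marked "assumed" are assumptions made for this sketch, because the text does not give the target state for those calls.

```python
IDLE, AUTHING, AUTHED, DESTROYED = (
    "Idle", "Authenticating Client", "Client Authenticated", "Destroyed")

class MethodNotAllowed(Exception):
    """Stand-in for the exception returned when a method is not shown for a state."""

# (state, event) -> (next state, call the Framework makes on the client, if any).
# Quoted labels are gateway-internal events; their wording is constructed here.
# Lines marked "assumed" encode a target state the text does not spell out.
TRANSITIONS = {
    (IDLE, "selectAuthenticationMechanism"): (AUTHING, "challenge"),   # assumed
    (AUTHING, "selectAuthenticationMechanism"): (AUTHING, None),       # assumed
    (AUTHING, '"response valid, not complete"'): (AUTHING, "challenge"),
    (AUTHING, '"response valid, complete"'): (AUTHED, "authenticationSucceeded"),
    (AUTHING, '"response invalid"'): (DESTROYED, None),
    (AUTHING, "abortAuthentication"): (DESTROYED, None),               # assumed
    (AUTHED, "selectAuthenticationMechanism"): (AUTHED, None),         # assumed
    (AUTHED, '"re-authenticate client"'): (AUTHING, "challenge"),
    (AUTHED, "request access"): (AUTHED, None),  # label for the access request
}

class FrameworkAuthObject:
    """Framework-side object created by initiateAuthenticationWithVersion."""

    def __init__(self):
        self.state = IDLE
        self.calls_on_client = []  # calls the Framework has made on the client

    def handle(self, event):
        try:
            next_state, call = TRANSITIONS[(self.state, event)]
        except KeyError:
            raise MethodNotAllowed(f"{event} not valid in {self.state}") from None
        self.state = next_state
        if call:
            self.calls_on_client.append(call)
        return self.state

def run(events):
    """Replay events on a fresh object; return (final state, calls on client)."""
    obj = FrameworkAuthObject()
    for event in events:
        obj.handle(event)
    return obj.state, obj.calls_on_client

def states_allowing(event):
    """States in which the table accepts the given event."""
    return {state for (state, ev) in TRANSITIONS if ev == event}
```

Once the object reaches Destroyed, no entry in the table matches, which mirrors the requirement that the client start again through IpInitial.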

6.4.1.3 State Transition Diagrams for IpAccess

Figure : State Transition Diagram for IpAccess

6.4.1.3.1 Active State

When the client requests access to the Framework on the IpAuthentication (IpAPILevelAuthentication) interface, an object implementing the IpAccess interface is created. The client can now request other Framework interfaces, including Service Discovery, Integrity Management, Service Subscription etc., and can relinquish them if at any point they are no longer required. In addition, the client can select the signing algorithm that shall be used during the access session in cases where a digital signature is required. When the client is no longer interested in using the interfaces, it calls the terminateAccess method. This results in the destruction of all interface objects used by the client. The same happens if the network operator decides that the client no longer has access to the interfaces.