7 Security

3GPP TS 29.116, Release 18: Representational state transfer over xMB reference point between content provider and BM-SC

7.1 Overview

All xMB-C and xMB-U traffic shall only be sent over secured transport channels that are established after successful authentication and authorization as described in clauses 4.4.2, 4.4.3 and 7.2.

7.2 Authentication & Authorization

(D)TLS as defined in 3GPP TS 33.246 [24] shall be used to authenticate both ends of the connection.

The BM-SC shall support at least one of the two following modes for authorization of the Content Provider: domain-based or user-based, as defined in 3GPP TS 26.348 [33]. Authorization shall be performed after the successful completion of (D)TLS authentication.

Domain-based authorization, as defined in Annex O.2 of 3GPP TS 33.246 [24], corresponds to the granting of access rights for service and/or session resource management at a coarse-grained level of the Content Provider, as identified by its administrative domain name in the subject field of the Content Provider certificate.

User-based authorization, as defined in Annex O.2 of 3GPP TS 33.246 [24], corresponds to the granting of access rights for service/session resource management at a finer-grained level of an individual representative of the Content Provider. User-based authorization, if performed, shall occur after successful domain-based authorization, and is based on HTTP Digest authentication of username and password as specified in IETF RFC 7616 [43].

Detailed specification of the authorization procedure and affiliated mechanisms (for example, pre-establishment of agreement between the Content Provider and mobile operator on domain- and user-based access rights, management of username and password credentials, etc.) is outside the scope of this specification, in order to allow flexibility of implementations which conform to the mechanism described herein.

Authorization of the BM-SC by the Content Provider shall be based on the same mechanisms as described above for BM-SC authorization of the Content Provider.
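The ordering required above (domain-based authorization from the certificate subject first, then optional RFC 7616 Digest verification for the user-based mode) can be sketched as follows. This is an added example, not part of the specification: the function names, the rights tables, the use of commonName to carry the domain, and the restriction to SHA-256 with qop=auth are assumptions.

```python
import hashlib
import hmac

def sha256_hex(text):
    return hashlib.sha256(text.encode()).hexdigest()

def subject_domain(peercert):
    """Domain name from a dict shaped like ssl.SSLSocket.getpeercert() output.
    Assumption: the administrative domain is carried in the subject commonName."""
    for rdn in peercert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return value.lower()
    return None

def digest_ok(ha1, method, uri, p):
    """RFC 7616 response check, restricted to algorithm=SHA-256 and qop=auth."""
    needed = ("nonce", "nc", "cnonce", "uri", "response")
    if any(k not in p for k in needed):
        return False
    if p.get("algorithm") != "SHA-256" or p.get("qop") != "auth" or p["uri"] != uri:
        return False
    ha2 = sha256_hex(f"{method}:{uri}")
    expected = sha256_hex(f"{ha1}:{p['nonce']}:{p['nc']}:{p['cnonce']}:auth:{ha2}")
    return hmac.compare_digest(expected.encode(), str(p["response"]).encode())

def authorize(peercert, domain_rights, user_rights=None, ha1_store=None,
              method=None, uri=None, digest=None):
    """Rights granted to a peer that (D)TLS has already authenticated.
    Returns an empty set as soon as any step fails."""
    domain = subject_domain(peercert)
    if domain is None or domain not in domain_rights:
        return set()                      # domain-based authorization failed
    granted = set(domain_rights[domain])
    if user_rights is None:
        return granted                    # domain-based mode only
    # User-based mode: evaluated only after the domain check has passed.
    if not digest or not ha1_store:
        return set()
    key = (domain, digest.get("username"))
    ha1 = ha1_store.get(key)              # stored H(username:realm:password)
    if ha1 is None or not digest_ok(ha1, method, uri, digest):
        return set()
    return granted & set(user_rights.get(key, ()))

if __name__ == "__main__":
    cert = {"subject": ((("commonName", "cp.example.com"),),)}  # constructed sample
    print(authorize(cert, {"cp.example.com": {"service", "session"}}))
```

The sketch does not track nonce issuance or nonce-count reuse; a deployment also needs those checks to reject replayed Digest responses.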

7.3 Void