WO2023231631A1 - Authentication method and communication device - Google Patents

Authentication method and communication device

Info

Publication number
WO2023231631A1
Authority
WO
WIPO (PCT)
Prior art keywords
information
party
management service
management
equipment
Application number
PCT/CN2023/089467
Other languages
English (en)
French (fr)
Inventor
赵娴
曹龙雨
Original Assignee
华为技术有限公司
Application filed by 华为技术有限公司
Publication of WO2023231631A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L 9/40 Network security protocols

Definitions

  • The present application relates to the field of communications, and in particular to an authentication method and a communication device.
  • A non-public network (NPN), also known as a dedicated network or private network, is a network established to meet non-public needs.
  • An NPN established by an operator can be used by third parties (such as vertical industry customers and slicing customers). Without the permission of the third party, ordinary terminal equipment cannot access the NPN.
  • 3GPP: 3rd Generation Partnership Project
  • SNPN: stand-alone non-public network
  • PNI-NPN: public network integrated non-public network
  • The third party can perform network management based on the network management capabilities opened by the operator; alternatively, the third party can outsource some of the network management capabilities opened by the operator to another party that has network operations.
  • A company or enterprise that has network operations, orchestration and management services (referred to as the management service outsourcer) then realizes network management on the third party's behalf.
  • When third parties and management service outsourcers use the open network management capabilities, they need to complete identity authentication and authorization with the operator. Only after successful identity authentication and authorization can the third party and the management service outsourcer call the corresponding management services and, based on the management services called, implement network management.
  • Operators can authenticate a third party's identity based on the tenant registration request sent by the third party, but cannot support identity authentication for management service outsourcers. As a result, a management service outsourcer cannot call management services and cannot implement management of the network serving the third party.
  • This application provides an authentication method and communication device, which can solve the problem of operators being unable to support identity authentication for management service outsourcers.
  • A first aspect provides an authentication method.
  • The method includes: an open control management function entity receives, from a third-party device, information about a management service outsourcer's device, where the management service outsourcer's device is used to call the network management capabilities open to the third-party device.
  • The open control management function entity determines, based on the information about the management service outsourcer's device, the information used to authenticate the identity of the management service outsourcer's device.
  • The open control management function entity sends the information used to authenticate the identity of the management service outsourcer's device to the management service outsourcer's device.
  • The open control management function entity can thus generate and send the information used to authenticate the identity of the management service outsourcer's device based on the information about that device sent by the third-party device.
  • The open control management function entity can then determine whether a device requesting authentication is the management service outsourcer's device by comparing the received authentication information with the information used to authenticate the identity of the management service outsourcer's device, thereby authenticating the management service outsourcer. Therefore, based on the information about the management service outsourcer's device and the open control management function entity, it is possible not only to realize tenant management but also to realize the operator's authentication of the management service outsourcer, which improves the network management capabilities of third parties and achieves more refined network management.
  • The method described in the first aspect may further include: the open control management function entity receives authentication information from a first device.
  • When the authentication information matches the information used to authenticate the identity of the management service outsourcer's device, the open control management function entity determines that the first device is the management service outsourcer's device.
  • The open control management function entity can thus determine, based on the information used to authenticate the identity of the management service outsourcer's device, whether the first device requesting authentication is the management service outsourcer's device, thereby authenticating that device and improving the reliability of the authentication.
  • The method described in the first aspect may further include: the open control management function entity sends first indication information to the first device, where the first indication information is used to indicate that the first device is successfully authenticated.
  • The first device can obtain the authentication result from the first indication information. If the authentication result is success, the first device can request the open control management function entity to call the management service and thereby manage the network serving the third party, which optimizes the network management of the third party's network.
  • The information about the management service outsourcer's device may include the IP address of the management service outsourcer's device.
  • The open control management function entity sending the information used to authenticate the identity of the management service outsourcer's device may include: the open control management function entity sends, based on the IP address of the management service outsourcer's device, the information used to authenticate the identity of that device to that device.
  • The open control management function entity can thus send the information used to authenticate the identity of the management service outsourcer's device to that device based on the device's identification, which improves the efficiency of authenticating the management service outsourcer's device.
  • The information about the management service outsourcer's device includes management service information that can be called by the management service outsourcer's device.
  • The open control management function entity can thus determine the calling information of the management service outsourcer's device based on the information about that device and manage that calling information, which avoids calling errors or calls that exceed the calling authority and improves the reliability of open network management.
  • The method described in the first aspect may further include: the open control management function entity receives second indication information from the third-party device.
  • The second indication information is used to instruct the open control management function entity to perform one or more of adding, deleting, modifying or querying the information about the management service outsourcer's device.
  • The open control management function entity can thus update the information about the management service outsourcer's device in real time based on the second indication information, and can further update the information used to authenticate the identity of the management service outsourcer's device, thereby improving the reliability of the authentication.
  • A second aspect provides an authentication method.
  • The method includes: a third-party device sends information about a management service outsourcer's device to the open control management function entity.
  • The management service outsourcer's device is used to call the network management capabilities open to the third-party device.
  • The third-party device receives, from the open control management function entity, the information used to authenticate the identity of the management service outsourcer's device.
  • The information used to authenticate the identity of the management service outsourcer's device is determined based on the information about the management service outsourcer's device.
  • The third-party device sends the information used to authenticate the identity of the management service outsourcer's device to the management service outsourcer's device.
  • The information about the management service outsourcer's device includes management service information that can be called by the management service outsourcer's device.
  • The method described in the second aspect may further include: the third-party device receives first indication information from a first device, where the first indication information is used to indicate that the first device is successfully authenticated, and the first device is the management service outsourcer's device.
  • The method described in the second aspect may further include: the third-party device sends second indication information to the open control management function entity, where the second indication information is used to instruct the open control management function entity to perform one or more of adding, deleting, modifying or querying the information about the management service outsourcer's device.
  • A third aspect provides an authentication method.
  • The method includes: a first device obtains authentication information, where the first device is a management service outsourcer's device, and the management service outsourcer's device is used to call the network management capabilities open to a third-party device.
  • The first device sends the authentication information to the open control management function entity.
  • The authentication information includes the information used to authenticate the identity of the management service outsourcer's device.
  • The first device obtaining the authentication information may include: the first device receives, from the open control management function entity, the information used to authenticate the identity of the management service outsourcer's device.
  • Alternatively, the authentication information includes the information used to authenticate the identity of the management service outsourcer's device, and
  • the first device obtaining the authentication information may include: the first device receives, from the third-party device, the information used to authenticate the identity of the management service outsourcer's device.
  • The method described in the third aspect may further include: the first device receives first indication information from the open control management function entity, where the first indication information is used to indicate that the first device is successfully authenticated.
  • The method described in the third aspect may further include: the first device sends the first indication information to the third-party device.
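The first three aspects together describe one exchange: the third-party device registers the outsourcer's device (IP address plus the management services it may call), the open control management function entity derives the information used to authenticate that device and delivers it (directly, or via the third party), the outsourcer's device presents it as authentication information, the entity matches it and returns the first indication information, and the third party can later add, delete, modify or query the outsourcer info with second indication information. The following Python simulation of that exchange is an added example and not code from the patent or from its assignee; the class and function names, the choice of a random token bound to the IP address as the "information used to authenticate", the SHA-256 storage of that token, and the sample addresses and service names are all this example's own assumptions. It goes slightly beyond the text by also enforcing the callable-service list on each management service call, which the first aspect only states as a goal.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass


@dataclass
class OutsourcerInfo:
    """Information about a management service outsourcer's device as sent by the
    third-party device: its IP address and the management services (MnS) it may
    call. Field names are this example's assumptions."""
    ip: str
    callable_mns: frozenset
    tenant: str


@dataclass
class Credential:
    """Information used to authenticate the outsourcer's device: here an opaque
    random token bound to the device's IP address (an assumption; the patent
    does not fix the form of this information)."""
    ip: str
    token: str


class OpenControlManagementFunction:
    """Hypothetical open control management function entity (names are this example's)."""

    def __init__(self):
        self._outsourcers = {}    # ip -> OutsourcerInfo
        self._token_hashes = {}   # ip -> sha256(token); the token itself is never stored
        self._authenticated = set()

    @staticmethod
    def _digest(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def register_outsourcer(self, info):
        """First aspect: receive the outsourcer info, derive a fresh credential and
        return it for delivery to the outsourcer's device (directly, or via the
        third-party device as in the second aspect)."""
        self._outsourcers[info.ip] = info
        token = secrets.token_urlsafe(32)
        self._token_hashes[info.ip] = self._digest(token)
        self._authenticated.discard(info.ip)  # re-registration revokes any earlier session
        return Credential(info.ip, token)

    def authenticate(self, ip, token):
        """Third aspect: the first device presents its authentication information.
        The return value plays the role of the first indication information."""
        expected = self._token_hashes.get(ip)
        if expected is None:
            return False
        if not hmac.compare_digest(expected, self._digest(token)):  # constant-time compare
            return False
        self._authenticated.add(ip)
        return True

    def call_mns(self, ip, mns):
        """Only an authenticated outsourcer may call a management service, and only
        one listed in its callable-MnS information (no exceeding the calling authority)."""
        if ip not in self._authenticated:
            raise PermissionError("device not authenticated")
        if mns not in self._outsourcers[ip].callable_mns:
            raise PermissionError(f"{mns} exceeds the calling authority of {ip}")
        return f"{mns} invoked on behalf of tenant {self._outsourcers[ip].tenant}"

    def update_outsourcer(self, op, ip, info=None):
        """Second indication information from the third-party device: add, delete,
        modify or query the outsourcer info. Delete also revokes the credential."""
        if op == "add":
            return self.register_outsourcer(info)
        if op == "query":
            return self._outsourcers.get(ip)
        if op == "modify":
            self._outsourcers[ip] = info  # credential unchanged, calling authority updated
            return info
        if op == "delete":
            self._outsourcers.pop(ip, None)
            self._token_hashes.pop(ip, None)
            self._authenticated.discard(ip)
            return None
        raise ValueError(f"unsupported operation {op!r}")


def run_exchange():
    """Walk the whole exchange with constructed sample data and return the outcomes."""
    ocmf = OpenControlManagementFunction()
    info = OutsourcerInfo("198.51.100.7", frozenset({"PerformanceMnS"}), "tenant-A")  # constructed
    cred = ocmf.update_outsourcer("add", info.ip, info)       # third party registers the outsourcer
    results = {
        "wrong_token": ocmf.authenticate(cred.ip, "not-the-token"),
        "unknown_ip": ocmf.authenticate("203.0.113.9", cred.token),
        "first_indication": ocmf.authenticate(cred.ip, cred.token),
        "allowed_call": ocmf.call_mns(cred.ip, "PerformanceMnS"),
    }
    try:
        ocmf.call_mns(cred.ip, "ConfigurationMnS")            # not in callable_mns
        results["over_authority"] = "allowed"
    except PermissionError:
        results["over_authority"] = "refused"
    ocmf.update_outsourcer("delete", cred.ip)                 # third party withdraws the outsourcer
    results["after_delete"] = ocmf.authenticate(cred.ip, cred.token)
    return results


if __name__ == "__main__":
    print(run_exchange())
```

The IP address is used here only as the key under which the entity looks up the credential, mirroring the first aspect's use of it as the device's identification for delivery; what is actually verified is the token, since an address alone is not a secret. Deleting the outsourcer info also drops the stored digest, which is the concrete form of "updating the information used to authenticate" when the third party changes the outsourcer's details.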
  • A fourth aspect provides a communication device.
  • The device includes a processing module and a transceiver module.
  • The transceiver module is used to receive, from a third-party device, information about a management service outsourcer's device, where the management service outsourcer's device is used to call the network management capabilities open to the third-party device.
  • The processing module is used to determine, based on the information about the management service outsourcer's device, the information used to authenticate the identity of the management service outsourcer's device.
  • The transceiver module is also used to send the information used to authenticate the identity of the management service outsourcer's device to the management service outsourcer's device.
  • The transceiver module is further configured to receive authentication information from a first device.
  • The processing module is configured to determine that the first device is the management service outsourcer's device when the authentication information matches the information used to authenticate the identity of the management service outsourcer's device.
  • The transceiver module is configured to send first indication information to the first device, where the first indication information is used to indicate that the first device is successfully authenticated.
  • The information about the management service outsourcer's device may include the IP address of the management service outsourcer's device.
  • The transceiver module is used to send the information used to authenticate the identity of the management service outsourcer's device to that device based on its IP address.
  • The information about the management service outsourcer's device includes management service information that can be called by the management service outsourcer's device.
  • The transceiver module is used to receive second indication information from the third-party device, where the second indication information is used to instruct the open control management function entity to perform one or more of adding, deleting, modifying or querying the information about the management service outsourcer's device.
  • The transceiver module may include a sending module and a receiving module.
  • The sending module is used to implement the sending function of the communication device described in the fourth aspect.
  • The receiving module is used to implement the receiving function of the communication device described in the fourth aspect.
  • The communication device described in the fourth aspect may further include a storage module that stores programs or instructions.
  • When the processing module executes the programs or instructions, the communication device can execute the method described in the first aspect.
  • The communication device described in the fourth aspect may be a network device, such as the open control management function entity, or may be a chip (system) or other part or component that can be disposed in the network device, or may be a device that includes the network device; this application does not limit this.
  • A fifth aspect provides a communication device, including a sending module and a receiving module.
  • The sending module is used to send information about a management service outsourcer's device to the open control management function entity, where the management service outsourcer's device is used to call the network management capabilities opened to the communication device.
  • The receiving module is configured to receive, from the open control management function entity, the information used to authenticate the identity of the management service outsourcer's device, where that information is determined based on the information about the management service outsourcer's device.
  • The sending module is also used to send the information used to authenticate the identity of the management service outsourcer's device to the management service outsourcer's device.
  • The information about the management service outsourcer's device includes management service information that can be called by the management service outsourcer's device.
  • The receiving module is also configured to receive first indication information from a first device, where the first indication information is used to indicate that the first device is successfully authenticated, and the first device is the management service outsourcer's device.
  • The sending module is also used to send second indication information to the open control management function entity.
  • The second indication information is used to instruct the open control management function entity to add or delete information about the management service outsourcer's device.
  • The sending module and the receiving module can also be integrated into one module, such as a transceiver module.
  • The transceiver module is used to implement the sending function and the receiving function of the communication device described in the fifth aspect.
  • The communication device may further include a processing module.
  • The processing module is used to implement the processing function of the communication device described in the fifth aspect.
  • The communication device may further include a storage module that stores programs or instructions.
  • When the processing module executes the programs or instructions, the communication device can execute the method described in the second aspect.
  • The communication device described in the fifth aspect may be a network device, such as the third-party device, or may be a chip (system) or other part or component that can be disposed in the network device, or may be a device that includes the network device; this application does not limit this.
  • A sixth aspect provides a communication device.
  • The device includes a processing module and a transceiver module.
  • The processing module is used to obtain authentication information, where the device is a management service outsourcer's device, and the management service outsourcer's device is used to call the network management capabilities open to a third-party device.
  • The transceiver module is used to send the authentication information to the open control management function entity.
  • The authentication information may include the information used to authenticate the identity of the management service outsourcer's device.
  • The transceiver module is used to receive, from the open control management function entity, the information used to authenticate the identity of the management service outsourcer's device.
  • Alternatively, the authentication information may include the information used to authenticate the identity of the management service outsourcer's device, and
  • the transceiver module is used to receive, from the third-party device, the information used to authenticate the identity of the management service outsourcer's device.
  • The transceiver module is configured to receive first indication information from the open control management function entity, where the first indication information is used to indicate that the device is successfully authenticated.
  • The transceiver module is used to send the first indication information to the third-party device.
  • The transceiver module may include a sending module and a receiving module.
  • The sending module is used to implement the sending function of the communication device described in the sixth aspect.
  • The receiving module is used to implement the receiving function of the communication device described in the sixth aspect.
  • The communication device may further include a storage module that stores programs or instructions.
  • When the processing module executes the programs or instructions, the communication device can execute the method described in the third aspect.
  • The communication device described in the sixth aspect may be a network device, such as the first device, or may be a chip (system) or other part or component that can be disposed in the network device, or may be a device that includes the network device; this application does not limit this.
  • A seventh aspect provides a communication device, including a processor coupled with a memory. The memory is used to store a computer program, and the processor is configured to execute the computer program stored in the memory so that the communication device executes the method described in any one of the first to third aspects.
  • The communication device described in the seventh aspect may further include a transceiver.
  • The transceiver can be a transceiver circuit or an interface circuit.
  • The transceiver can be used by the communication device described in the seventh aspect to communicate with other communication devices.
  • The communication device described in the seventh aspect may be the open control management function entity described in the first aspect, the third-party device described in the second aspect or the first device described in the third aspect; or it may be a chip (system) or other part or component that can be disposed in the open control management function entity, the third-party device or the first device; or it may be a device that contains the open control management function entity, the third-party device or the first device.
  • An eighth aspect provides an authentication system.
  • The authentication system may include the open control management function entity, the third-party device and the management service outsourcer's device.
  • The authentication system described in the eighth aspect may further include a first device.
  • A ninth aspect provides a computer-readable storage medium that stores a computer program or instructions which, when run on a computer, cause the computer to perform the method described in any one of the first to third aspects.
  • A tenth aspect provides a computer program product.
  • The computer program product includes a computer program or instructions which, when run on a computer, cause the computer to perform the method described in any one of the first to third aspects.
  • Figure 1 is a schematic structural diagram of network management capabilities opened to the outside world;
  • Figure 2 is a schematic diagram of the connections between the logical management functions in a management domain;
  • Figure 3 is a schematic diagram of a tenant registration process;
  • Figure 4 is a schematic diagram of the architecture of the authentication system provided by an embodiment of this application;
  • Figure 5 is a schematic diagram of the architecture of wireless network capability opening based on the open control management function entity provided by an embodiment of this application;
  • Figure 6 is a schematic flow chart of an authentication method provided by an embodiment of this application;
  • Figure 7 is a schematic flow chart of another authentication method provided by an embodiment of this application;
  • Figure 8 is a schematic flow chart of another authentication method provided by an embodiment of this application;
  • Figure 9 is a schematic flow chart of another authentication method provided by an embodiment of this application;
  • Figure 10 is a schematic structural diagram of a communication device provided by an embodiment of this application;
  • Figure 11 is a schematic structural diagram of another communication device provided by an embodiment of this application;
  • Figure 12 is a schematic structural diagram of another communication device provided by an embodiment of this application.
  • An NPN can also be called a dedicated network or private network, and refers to a network established to meet non-public needs.
  • An NPN established by an operator can be used by third parties (such as vertical industry customers and slicing customers). Without the permission of the third party, ordinary terminal equipment cannot access the NPN.
  • The 3GPP standard defines the following two types of NPN: SNPN and PNI-NPN.
  • SNPN refers to an NPN operated by an operator whose network functions do not depend on a public land mobile network (PLMN).
  • PLMN: public land mobile network
  • MNO Managed Mode: the NPN is completely managed by the mobile network operator (MNO), and the vertical industry does not participate in NPN management.
  • Management service outsourcers: in the other two management modes, MNO-Vertical Managed Mode and Vertical Managed Mode, vertical industries can outsource the network management capabilities of the SNPN to other companies that have network operations, orchestration and management services (hereinafter referred to as management service outsourcers).
  • PNI-NPN refers to a non-public network deployed with the support of a PLMN.
  • The NPN management modes for PNI-NPN include the above-mentioned MNO Managed Mode and MNO-Vertical Managed Mode.
  • In MNO-Vertical Managed Mode, vertical industries can also outsource the network management capabilities of the PNI-NPN to management service outsourcers.
  • EGMF: exposure governance management function
  • EGMF is a logical management function proposed by 3GPP for opening network management capabilities to the outside world from within a management domain.
  • Opening network management capabilities to the outside world means that operators open network management capabilities to external third-party customers, such as vertical industry customers, slicing customers, sharing operators, etc.
  • Third-party customers can also be called tenants of the operator.
  • Third-party customers can manage the tenant's network through their network management system based on the operator's open network management capabilities (such as obtaining performance data of the tenant's network, configuring network parameters for the tenant's network, etc.).
  • The network management system of a third-party customer can be a third-party operation, administration and maintenance (OAM) system, a sharing operator's management system, etc.
  • OAM: operation, administration and maintenance
  • EGMF was proposed in the hope of opening network-side operation and maintenance management information, such as configuration information, performance measurement information and alarm/error information, through EGMF.
  • Figure 1 shows a schematic structural diagram of opening network management capabilities to the outside world.
  • Management function (MnF) 1 can be, for example, an operator that provides network services and can provide the corresponding management service (MnS).
  • MnS refers to a network management capability that the operator can open to the outside world.
  • MnF2 can be, for example, a sharing operator.
  • MnF2 and third-party customers (such as vertical industry customers) can be understood as customers who are not directly trusted by the management domain in which MnF1 is located (such as the operator's management domain) but have been authorized (that is, the operator's tenants).
  • To implement network management, MnF2 and third-party customers need to call the MnS provided by MnF1.
  • Third-party customers can call the MnS provided by MnF1 through EGMF1, and MnF2 can call the MnS provided by MnF1 through EGMF2, so that MnF2 and third-party customers can implement network management for the tenants they serve.
  • Cross-domain management can correspond to the network management system (NMS), which is responsible for the unified management of multiple element management systems.
  • Logical management functions deployed at the cross-domain layer, such as the network slice management function (NSMF), provide various management services, and these management services can be opened to the outside world through EGMF.
  • NSMF: network slice management function
  • Single-domain management can correspond to the element management system (EMS) and is responsible for managing the fifth generation (5G) base station (radio access network, RAN) or the 5G core network (CN).
  • EMS: element management system
  • 5G: fifth generation
  • RAN: radio access network
  • CN: core network
  • Logical management functions deployed at the single-domain layer, such as the network slice subnet management function (NSSMF) and the management data analytics function (MDAF), are used to manage 5G base stations or 5G core networks; they provide various management services, and these management services can be opened to the outside world through EGMF.
  • NSSMF: network slice subnet management function
  • MDAF: management data analytics function
  • Figure 2 shows a schematic diagram of the connections between the logical management functions in a management domain.
  • The management domain includes the NSMF, NSSMF, MDAF, EGMF, communication service management function (CSMF), network function management function (NFMF) and network function (NF).
  • [Figure 2: connections between NSMF, NSSMF, MDAF, EGMF, NFMF and NF within the management domain; the diagram itself is not reproduced here.]
  • EGMF can open the MnS provided by each logical management function to the outside world.
  • EGMF is a management function used to implement management service invocation.
  • The open network management capabilities in the embodiments of this application can be implemented by invoking cross-domain or single-domain management services.
  • the third party needs to conduct identity authentication with the operator. After the identity authentication is successful, the third party can call the corresponding management service to manage the service network. .
  • FIG. 3 shows a schematic flow chart of tenant registration.
  • Third-party customers can implement identity authentication through this tenant registration process.
  • the operator and the tenant (such as a third party) complete the signing of a business agreement offline.
  • the content of the business agreement can include the network service guarantee provided by the operator to the tenant and the network that can be opened to the tenant. Management capabilities, or network resource information that tenants can obtain or operate, etc., and complete the configuration of tenant contract information in the operator's network management system.
  • the tenant registration process includes:
  • the third-party device sends a tenant registration request to the communication network management device.
  • the communication network management device receives the tenant registration request from the third-party device.
  • the third-party device is used to call the network management function opened by the operator to manage the service network.
  • the third-party device is deployed with a network management system corresponding to the third-party customer, such as a third-party OAM system.
  • the communication network management device is used to manage network services deployed by operators.
  • the communication network management equipment is deployed with an operator management system corresponding to the operator.
  • the operator management system can include a business support system (business support system, BSS) and an operations support system (operations support system, OSS).
  • the above-mentioned EGMF can be deployed on the OSS layer of the communication network management equipment.
  • the specific functions of BSS and OSS can be found in relevant existing technical descriptions and will not be described again here.
  • the communication network management device may be a device including the above-mentioned EGMF, or a device including the open control management functional entity in the following embodiments.
  • the tenant registration request carries the third-party customer's identification (operator identification, operator ID) and tenant description information (tenant profile).
  • the identification of the third-party customer may be the name of the third-party customer, such as the name of a vertical industry enterprise; or the identification of the third-party customer may also be a digital identification representing the third-party customer.
  • the tenant description information is a profile describing the third-party customer's basic information.
  • the tenant description information may include management service information signed between a third party and the operator, or the tenant's service level specification (SLS) requirements, etc.
  • SLS requirements can include indicator requirements such as latency, reliability, resource isolation, the number of accessible terminal devices, or the type of data that can be obtained.
  • the communication network management device performs identity authentication on the third-party device according to the tenant registration request.
  • after receiving the tenant registration request, the communication network management device looks up the corresponding tenant contract information in the locally configured tenant contract information according to the third-party customer identification carried in the request, and then authenticates the identity of the third-party device against that contract information to verify the legitimacy of the third-party device.
  • if the identity authentication succeeds, the communication network management device allocates a unique tenant ID (tenant ID) to the third-party device.
  • if the identity of the third-party device is not successfully authenticated (that is, identity authentication fails), the communication network management device does not allocate a tenant identity to the third-party device.
  • the communication network management device sends a tenant registration response to the third-party device.
  • the third-party device receives the tenant registration response from the communication network management device.
  • the tenant registration response carries the tenant registration result.
  • when the identity authentication of the third-party device succeeds, the tenant registration result indicates that the third-party device registration is successful or the identity authentication is successful; when the identity of the third-party device is not successfully authenticated, the tenant registration result indicates that the third-party device failed to register or the identity authentication failed.
  • the tenant registration result can be characterized by 1 bit. For example, "0" indicates that the third-party device is successfully registered or the identity authentication is successful, and "1" indicates that the third-party device fails to be registered or the identity authentication fails; or, "1" indicates that the third-party device is successfully registered or the identity authentication is successful, and "0" indicates that the third-party device registration failed or the identity authentication failed, which is not specifically limited in the embodiment of this application.
  • the tenant registration response in addition to the tenant registration result, may also include the tenant identification.
  • when the identity authentication of the third-party device is successful, the tenant registration response may include the tenant identification in addition to the tenant registration result; when the identity authentication of the third-party device fails, the tenant registration response may include the tenant registration result but not the tenant identification; this is not specifically limited in this embodiment of the application.
  • the embodiment of the present application provides an authentication method that can solve the problem that the operator cannot support the identity authentication of the management service outsourcing party, and enables the management service outsourcing party to operate, maintain and manage the third-party network within the control scope of the operator's management system, thereby optimizing the third-party business application.
  • the technical solutions of the embodiments of this application can be applied to various communication systems, such as: long term evolution (LTE) system, LTE frequency division duplex (FDD) system, LTE time division duplex (TDD) system, universal mobile telecommunication system (UMTS), global interoperability for microwave access (WiMAX) communication system, 5G system or new radio (NR) system, etc.
  • 5G system involved in this application includes a non-standalone (NSA) 5G system or a standalone (SA) 5G system.
  • the technical solution provided by this application can also be applied to future communication systems, such as the sixth generation mobile communication system.
  • the communication system applicable to the embodiments of this application may also be a PLMN network, a device-to-device (D2D) communication system, a machine to machine (M2M) communication system, an Internet of Things (IoT) communication system or another communication system, etc.; the embodiments of this application do not specifically limit this.
  • FIG 4 is a schematic architectural diagram of an authentication system applied to the authentication method according to the embodiment of the present application.
  • the authentication system includes third-party equipment, open control management functional entities and management service outsourcing party equipment.
  • third-party equipment corresponds to third-party customers
  • third-party customers are customers who use network services provided by operators, such as vertical industry customers, slicing customers, sharing operators, etc.
  • third-party customers can refer to enterprises or organizations that rent network services provided by operators (hereinafter referred to as tenants).
  • Third-party equipment is used to manage network services provided by operators to third-party customers.
  • the open control management functional entity corresponds to the operator and is used to realize the identity authentication of third-party equipment and management service outsourcing equipment, and to open the network management capabilities provided by the operator to the outside world.
  • the management service outsourcing party's equipment corresponds to the management service outsourcing party, which is a network management agency that has signed a management service outsourcing contract with a third-party customer. That is, the third-party customer outsources part of the network management capabilities provided by the operator, and the management service outsourcing party's equipment is used to call or manage the network management capabilities outsourced by the third-party customer.
  • the above-mentioned third-party equipment, the open control management function entity and the management service outsourcing party equipment can communicate directly with each other, or can communicate through forwarding by other equipment, which is not limited in the embodiment of the present application.
  • the open control management function entity receives the information about the management service outsourcing party's equipment from the third-party device.
  • the management service outsourcing party's equipment is used to call the network management capabilities open to the third-party device.
  • based on the information about the management service outsourcing party's equipment, the open control management function entity determines the information used to authenticate the identity of the management service outsourcer's device, and then sends the information used to authenticate the identity of the management service outsourcer's device to the management service outsourcer's device.
  • for the specific implementation of this solution, refer to the following method embodiments.
  • there may be one or more management service outsourcing party devices.
  • third-party customers can outsource the network management capabilities provided by the operator to one or more outsourcers.
  • the authentication system provided by the embodiment of the present application also includes a first device.
  • the first device may be the management service outsourcing party's equipment, or it may not be the management service outsourcing party's equipment.
  • the first device may send authentication information to the open control management function entity.
  • if the open control management function entity determines that the first device is the management service outsourcing party's device, the authentication of the first device is successful, and the first device can call the network management capabilities opened by the operator to third-party devices.
  • if the open control management function entity determines that the first device is not the management service outsourcing party's equipment, the authentication of the first device fails, and the first device cannot call the network management capabilities opened by the operator to third-party devices.
  • for the specific implementation process, refer to the following method embodiments.
  • the above-mentioned third-party device, management service outsourcing party device or first device may be a network device.
  • the network equipment includes but is not limited to: an access point (AP) in a wireless fidelity (WiFi) system, such as a home gateway, router, server, switch or bridge; an evolved Node B (eNB); a radio network controller (RNC); a Node B (NB); a base station controller (BSC); a base transceiver station (BTS); a home base station (for example, a home evolved NodeB or home Node B, HNB); a baseband unit (BBU); a wireless relay node; a wireless backhaul node; a transmission point (transmission and reception point, TRP, or transmission point, TP), etc.; it may also be a gNB in a 5G system such as the new radio (NR) system, or a transmission point (TRP or TP), or one antenna panel or a group of antenna panels (including multiple antenna panels) of a base station in a 5G system.
  • the open control management functional entity may be an open control management functional entity located across domains (hereinafter referred to as a cross-domain open control management functional entity), or it may be an open control management functional entity located in a single domain (hereinafter referred to as a single-domain open control management functional entity).
  • the open control management function entity can be deployed on the communication network management device shown in Figure 3, or can be deployed separately on other network devices, which is not limited in the embodiments of the present application.
  • the authentication system provided by the embodiments of the present application can be applied in a wireless network capability opening architecture based on open control management functional entities.
  • the third-party device in Figure 4 may be a third-party device in the wireless network capability opening architecture based on the open control management functional entity;
  • the management service outsourcing party device may be a device in the wireless network capability opening architecture based on the open control management functional entity;
  • the open control management function entity can be the open control management function entity corresponding to the cross-domain management device or the single domain management device in the wireless network capability opening architecture based on the open control management function entity.
  • This application does not limit this.
  • FIG. 5 is an architectural diagram of wireless network capability opening based on an open control management function entity provided by an embodiment of the present application.
  • the wireless network capability opening architecture based on open control management functional entities includes third-party equipment, open management service consumer entities, cross-domain management equipment and single-domain management equipment.
  • single domain management equipment includes RAN domain management equipment and CN domain management equipment.
  • third-party equipment and open management service consumer entities can communicate with cross-domain management equipment, RAN domain management equipment and CN domain management equipment through a representational state transfer (REST) application programming interface (API).
  • the cross-domain management device is deployed with an open control management function entity and a network slice management function entity.
  • the RAN domain management device is deployed with an open control management function entity, a management data analysis function entity and a network slice subnet management function entity. The network functions deployed on each management device can provide different MnS, and third-party devices and open management service consumer entities can implement network management by calling MnS. It can be understood that other management function entities may also be deployed on the cross-domain management device and the single-domain management device, and this is not limited in the embodiments of the present application.
  • the open control management functional entity may be the EGMF shown in Figure 1 or Figure 2
  • the network slice management functional entity may be the NSMF shown in Figure 2
  • the management data analysis functional entity may be the MDAF shown in Figure 2
  • the network slice subnet management function entity may be the NSSMF shown in Figure 2.
  • the cross-domain management device or single-domain management device may be the communication network management equipment shown in Figure 3 above, which the operator uses to manage the network services it provides.
  • the devices or functional nodes included in the system shown in Figure 4 or Figure 5 are only exemplary descriptions and do not limit the embodiments of the present application.
  • the system shown in Figure 4 or Figure 5 may also include other network elements or devices or functional nodes that have interactive relationships with the devices or functional nodes illustrated in the figure, which are not specifically limited here.
  • the authentication method provided by the embodiment of this application is based on a third party signing a contract with a network service producer (NSP) or a network operator (network operation producer, NOP) (hereinafter referred to as the operator).
  • operators provide network services (such as NPN or slicing networks) to third parties.
  • Operators can sign business contracts with third parties and open some network management capabilities to third parties so that third parties can manage the service network.
  • the management service outsourcing party's equipment can be understood as the equipment used by the management service outsourcing party for network management
  • the third-party equipment can be understood as the equipment used by the third party for network management
  • when an operator provides network services to a third party, the third party can implement network management through third-party equipment based on the signed business contract (such as the network management capabilities provided by the operator to the third party). Furthermore, the third party can also outsource the operator's open network management capabilities to other agents with network management capabilities, that is, management service outsourcing parties. It is understandable that when a third party outsources the operator's open network management capabilities, the third party also needs to sign a business contract with the management service outsourcer regarding the network management capabilities that the management service outsourcer can use and the third party's management demands. The management service outsourcer can then manage the third-party network through the management service outsourcer's equipment based on the signed business contract.
  • the embodiment of this application provides an authentication method that can realize the identity authentication of the management service outsourcer by the operator.
  • Figure 6 is a schematic flowchart of an authentication method provided by an embodiment of the present application.
  • the authentication method includes the following steps:
  • the third-party device sends information about the management service outsourcing party's device to the open control management function entity.
  • the open control management function entity receives the information about the management service outsourcing party's equipment from the third-party equipment.
  • the management service outsourcing party's equipment is used to call the network management capabilities open to third-party equipment.
  • the invoked network management capability may also represent the invoked management service.
  • the information about the management service outsourcing party's equipment may include management service information that can be called by the management service outsourcing party's equipment and the identification of the management service outsourcing party's equipment.
  • the management service information that can be called by the management service outsourcing party's equipment represents the management service information signed between the management service outsourcing party's equipment and the third-party equipment.
  • the management service information signed between the operator and a third party includes one or more of discovery services, configuration services, performance measurement services, or fault alarm services.
  • the management services outsourced by a third party to the management service outsourcing party may be management services signed between the operator and the third party.
  • the management services outsourced by the third party to the management service outsourcer may be the management services that the third party orders from the operator or may be a subset of the management services that the third party orders from the operator.
  • for example, if the management services outsourced by the third party to the management service outsourcer include the performance measurement service and the fault alarm service, the management service outsourcer's device can call the performance measurement service and the fault alarm service after successful identity authentication, thereby realizing the network management capabilities of network performance measurement and fault alarm.
  • the identification of the management service outsourcing party's equipment may be the name of the management service outsourcing party (such as the name of the enterprise) or the name of the management service outsourcing party's equipment, or may be a digital identification representing the management service outsourcing party or its equipment, or may be the IP address of the management service outsourcing party's equipment, which is not limited in the embodiments of this application.
  • the information about the management service outsourcing party's equipment may include information about one or more management service outsourcing party's equipment, which is not limited in the embodiment of the present application.
  • the management services that can be called by each management service outsourcing party's equipment may be different.
  • the management service that can be called by the management service outsourcing party device 1 is the discovery service
  • the management services that can be called by the management service outsourcing party device 2 are the performance measurement service and the fault alarm service.
  • the information about the equipment of the management service outsourcer may be empty.
  • when the third party has not completed tenant registration, the third-party device can also send information about the third-party device to the open control management functional entity.
  • the open control management functional entity receives the information about the third-party device from the third-party device.
  • Information about third-party devices may include the management service information signed with the operator, the third-party customer's identification (operator ID) and the tenant description information (tenant profile), which are used for identity authentication of the third-party device.
  • the relevant description of the third-party customer's identification (operator ID) and tenant profile (tenant profile) can be found in the relevant content in S301 above, and will not be described again here.
  • for the implementation of this solution, refer to the method embodiment shown in Figure 7 below, which is not described again here.
  • when the third party has completed tenant registration, the third-party device can also send its tenant ID (tenant ID) to the open control management function entity.
  • the open control management function entity receives the tenant ID from the third-party device.
  • the tenant ID of the third party enables the open control management function entity to determine the information about the management service outsourcing party corresponding to the tenant based on the tenant ID.
  • the open control management function entity stores information about the third-party device.
  • the third-party equipment can send second indication information to the open control management function entity, and accordingly the open control management function entity receives the second indication information from the third-party device. The second indication information is used to instruct the open control management function entity to perform one or more of adding, deleting, modifying or querying the information about the management service outsourcing party's equipment. For example, after the third-party device completes tenant registration and implements network management on its own for a period of time, the third party outsources the management service to a management service outsourcer, or the third party outsources additional management services to the original management service outsourcer.
  • in this case, the second indication information carries information about the added management service outsourcing equipment.
  • for another example, the third-party equipment has completed tenant registration and has a corresponding management service outsourcer, and the third party cancels all or part of the contract with the management service outsourcer, or the contract expires and the services are no longer outsourced; in this case, the second indication information carries the information about the management service outsourcer to be deleted.
  • the open control management function entity determines the information used to authenticate the identity of the management service outsourcing party's equipment based on the information of the management service outsourcing party's equipment.
  • the information used to authenticate the identity of the management service outsourcing party's equipment may include the tenant ID and verification information, and the verification information may be a token, a key, etc., which is not limited in the embodiments of this application.
  • the open control management function entity can determine, based on the information about the management service outsourcing party's equipment, whether there is any management service outsourcing party's equipment, and thereby whether to generate verification information for it. For example, if the information about the management service outsourcing party's equipment is not empty, the open control management function entity can determine, from the identifications of the management service outsourcing party's equipment in that information, the number of management service outsourcing party's devices of the third party, that is, the number of management service outsourcers, and generate verification information for each management service outsourcer's device. In other words, each management service outsourcer's device corresponds to one piece of verification information.
  • the open control management function entity can create a tenant instance, which is used to store information about third parties and management service outsourcers.
  • the attributes corresponding to the tenant instance can include information about third-party equipment and information about management service outsourcers' equipment.
  • when the third party has not completed tenant registration, the tenant ID is a unique identifier in the management domain that the open control management function entity assigns to the third party after successfully authenticating the third-party device based on the information about the third-party device; refer to S302-S303 above, which are not described again here.
  • the open control management function entity sends information used to authenticate the identity of the management service outsourcing party's equipment to the management service outsourcing party's equipment.
  • the management service outsourcing party's equipment receives information from the open control management function entity for authenticating the identity of the management service outsourcing party's equipment.
  • the open control management function entity can send information to the third-party device for authenticating the identity of the management service outsourcing party's device.
  • the third-party device receives information from the open control management function entity for authenticating the identity of the management service outsourcing party's device.
  • the third-party device sends information used to authenticate the identity of the management service outsourcing party's device to the management service outsourcing party's device.
  • the management service outsourcing party's device receives information from the third-party device for authenticating the identity of the management service outsourcing party's device.
  • the management service outsourcing party's equipment can complete identity authentication based on the information used to authenticate the identity of the management service outsourcing party's equipment.
  • if the identification of the management service outsourcing party's equipment is the IP address of that equipment, or the information about the management service outsourcing party's equipment also includes the Internet protocol (IP) address of that equipment, the open control management function entity can send the information used to authenticate the identity of the management service outsourcing party's device to the management service outsourcing party's device based on that IP address.
  • based on the above solution, the open control management function entity can not only manage the third-party equipment and the management service outsourcer's equipment based on the information about the management service outsourcer's equipment sent by the third-party equipment, but can also generate, based on that information, the information used to authenticate the identity of the management service outsourcer's equipment and send it to that equipment, so that the management service outsourcer's equipment can be authenticated with it. This improves the reliability of network management, allows the management service outsourcer's equipment to implement real-time and refined wireless network information monitoring for the third-party network, and improves the network management efficiency of the third-party equipment.
  • the authentication method provided by the embodiment of this application also includes the following steps:
  • the first device sends authentication information to the open control management function entity.
  • the open control management function entity receives the authentication information from the first device.
  • the first device can be understood as a device to be authenticated that requests to call the management service.
  • the authentication information includes the above information used to authenticate the identity of the management service outsourcing device.
  • before the first device sends the authentication information to the open control management function entity, the first device can receive, from the open control management function entity, the information used to authenticate the identity of the management service outsourcing party's device.
  • alternatively, before the first device sends the authentication information to the open control management function entity, the first device may receive, from a third-party device, the information used to authenticate the identity of the management service outsourcing party's device.
  • alternatively, the authentication information may not include the above-mentioned information used to authenticate the identity of the management service outsourcing party's device, or the information used to authenticate the identity of the management service outsourcing party's device that it includes may be wrong or false; this is not limited in the embodiments of this application.
  • the open control management function entity determines that the first device is the management service outsourcer device.
  • the open control management function entity compares the authentication information with the information used to authenticate the identity of the management service outsourcing party's device; if they match, the open control management function entity can determine that the first device is the management service outsourcing party's device, and the identity authentication of the first device can be regarded as successful. Further, the open control management function entity may update the authentication status of the management service outsourcing party device corresponding to the first device, for example, from "unauthenticated" to "authenticated".
• S606: the open control management function entity sends first indication information to the first device. Correspondingly, the first device receives the first indication information from the open control management function entity.
• The first indication information is used to indicate that the first device is successfully authenticated, that is, it represents the authentication result of the first device.
• Optionally, the first indication information may carry invocation information corresponding to the management service, such as configuration information for invoking the management service, so that the first device can request the management domain to invoke the management service based on the invocation information.
• S607: the first device sends the first indication information to the third-party device. Correspondingly, the third-party device receives the first indication information from the first device.
• From the first indication information, the third-party device can determine that the identity authentication of the first device succeeded and that the first device can call the corresponding management services for network management, so the third-party device no longer needs to call those management services itself.
• For example, the management services signed between the third party and the operator include a discovery service, a configuration service, a performance measurement service and a fault alarm service, and the management services outsourced to the first device include the performance measurement service and the fault alarm service. After the first device returns first indication information indicating successful authentication, the third-party device no longer needs to call the performance measurement service and the fault alarm service for the related network management, so the types of management service performed by the third-party device can be updated at any time.
• S607 is an optional step. For example, if the first device fails authentication, the first device may not send the first indication information to the third-party device.
• When the first device calls the corresponding management service, it can call it, through the open control management function entity, from the management function entity that provides the service, or it can call it directly from that management function entity; the embodiments of this application do not limit this.
• For example, when the first device calls a management service provided by the network slice subnet management function entity, it may first send a call request to the open control management function entity, which calls the corresponding management service from the network slice subnet management function entity based on the call request and sends it to the first device. Alternatively, the first device sends the call request directly to the network slice subnet management function entity to obtain the management service it provides.
• Alternatively, the above S605 can be replaced with the case in which the information used to authenticate the identity of the management service outsourcing party's device in the authentication information does not match the information held by the open control management function entity, and the open control management function entity determines that the first device is not the management service outsourcing party's device.
• For example, the authentication information does not carry the tenant ID and the verification information, or the tenant ID carried in the authentication information differs from the tenant ID in the information used to authenticate the identity of the management service outsourcing party's device, and/or the verification information carried in the authentication information differs from the verification information in that information.
• In this case the open control management function entity determines that the first device is not the management service outsourcing party's device, and the identity authentication of the first device is regarded as failed. The above S606-S607 may then no longer be executed, or S606 may be executed without executing S607. The open control management function entity may use the first indication information to indicate that the first device failed authentication, or may use other indication information to do so; the embodiments of this application do not limit this.
• Based on the method described above, the open control management function entity can not only manage the third-party device and the management service outsourcing party's device according to the information of the management service outsourcing party's device sent by the third-party device, but can also generate and send the information used to authenticate the identity of the management service outsourcing party's device. This improves the reliability of network management and allows the management service outsourcing party's device to perform real-time and fine-grained wireless network information monitoring for the network serving the third party, improving the network management efficiency of the third-party device.
• Further, the open control management function entity receives the authentication information of the device to be authenticated (the first device) and can check it against the information used to authenticate the identity of the management service outsourcing party's device, thereby completing the authentication of the management service outsourcing party's device and improving the reliability of authentication.
• The open control management function entity may also send the first indication information to indicate the authentication result, so that the first device can call the management service and manage the network serving the third party.
  • the authentication scheme provided by the embodiment of this application will be described in detail below in conjunction with specific application scenarios.
  • the authentication method provided by the embodiment of this application can be applied in a tenant registration scenario, where the open control management function entity can be the EGMF in Figure 1 or Figure 2.
  • FIG. 7 shows a schematic flowchart of another authentication method provided by an embodiment of the present application.
  • the authentication method includes the following steps:
• S701: the third-party device sends a tenant registration request to the open control management function entity. Correspondingly, the open control management function entity receives the tenant registration request from the third-party device.
• The tenant registration request carries the information of the third-party device and the information of the management service outsourcing party's device. For the description of both, see S601 above; it is not repeated here.
• S702: the open control management function entity determines, according to the tenant registration request, the information used to authenticate the identity of the management service outsourcing party's device.
• Specifically, the open control management function entity creates a tenant instance based on the information of the third-party device and the information of the management service outsourcing party's device in the tenant registration request. The attributes of the tenant instance may include the identification of the third-party device, the management service information ordered by the third party from the operator, the identification of the management service outsourcing party's device, and the management service information ordered by the management service outsourcing party from the third party.
• The open control management function entity can perform identity authentication of the third-party device based on the information of the third-party device in the tenant registration request. After the third-party device is successfully authenticated, a tenant ID is generated, and verification information is then generated based on the information of the management service outsourcing party's device, so that the information used to authenticate the identity of the management service outsourcing party's device (the tenant ID and the verification information) is obtained. For the specific process, see S602 above; it is not repeated here.
• S703: the open control management function entity sends a tenant registration response to the third-party device. Correspondingly, the third-party device receives the tenant registration response. The tenant registration response carries the information used to authenticate the identity of the management service outsourcing party's device.
• S704: the third-party device sends a tenant verification information notification to the management service outsourcing party's device. Correspondingly, the management service outsourcing party's device receives the notification, which carries the information used to authenticate the identity of the management service outsourcing party's device.
• S705: the first device sends an identity authentication request to the open control management function entity. Correspondingly, the open control management function entity receives the identity authentication request from the first device. The identity authentication request carries authentication information.
• In one case, the authentication information includes the information used to authenticate the identity of the management service outsourcing party's device, which the first device can obtain through S704. In another case, the authentication information does not include that information, or the information it includes is wrong or false; this application does not limit this.
• S706: the open control management function entity authenticates the first device according to the identity authentication request. Specifically, it compares the authentication information in the identity authentication request with the information used to authenticate the identity of the management service outsourcing party's device, and thereby determines whether the first device is the management service outsourcing party's device. For the specific process, see S605 above; it is not repeated here.
• S707: the open control management function entity sends an identity authentication response to the first device. Correspondingly, the first device receives the identity authentication response. The identity authentication response carries the first indication information; for its description, see S606 above.
• S708: the first device sends a tenant registration result notification to the third-party device. Correspondingly, the third-party device receives the tenant registration result notification from the first device.
• The tenant registration result notification carries the first indication information. It can be understood that the authentication result of the third-party device may also be indicated by the first indication information, or by other indication information; this is not limited. Alternatively, the tenant registration result notification may not carry the first indication information. For S708, see S607 above.
• When the first device calls the corresponding management service, it can call it, through the open control management function entity, from the management function entity that provides the service, or it can call it directly from that management function entity; the embodiments of this application do not limit this.
• For example, when the first device calls a management service provided by the network slice subnet management function entity, it may first send a call request to the open control management function entity, which calls the corresponding management service from the network slice subnet management function entity based on the call request and sends it to the first device. Alternatively, the first device sends the call request directly to the network slice subnet management function entity to obtain the management service it provides.
• Alternatively, in S706 above the open control management function entity determines that the first device is not the management service outsourcing party's device, that is, the authentication information does not match the information used to authenticate the identity of the management service outsourcing party's device. For example, the authentication information does not carry the tenant ID and the verification information, or the tenant ID carried in the authentication information differs from the tenant ID in that information, and/or the verification information carried in the authentication information differs from the verification information in that information. In this case the open control management function entity determines that the first device is not the management service outsourcing party's device, and the identity authentication of the first device fails.
• The above S707-S708 may then no longer be executed, or S707 may be executed without executing S708. In the latter case, the first indication information carried in the identity authentication response of S707 indicates that the first device failed authentication, or the response carries other indication information indicating the failure; the embodiments of this application do not limit this.
• Based on the method shown in Figure 7, the registration and identity authentication of both the third party and the management service outsourcing party can be completed through the open control management function entity, realizing the operator's authentication and management of the third party and the management service outsourcing party.
  • FIG. 8 is a schematic flowchart of yet another authentication method provided by an embodiment of the present application.
  • the authentication method includes the following steps:
• S801: the third-party device sends a tenant registration request to the open control management function entity. Correspondingly, the open control management function entity receives the tenant registration request from the third-party device.
• The difference from S701 above is that the information of the management service outsourcing party's device carried in the tenant registration request also includes the IP address of the management service outsourcing party's device, or the identification of the management service outsourcing party's device in that information is its IP address.
• S802: the open control management function entity determines, according to the tenant registration request, the information used to authenticate the identity of the management service outsourcing party's device.
• S803: the open control management function entity sends a tenant verification information notification to the management service outsourcing party's device. Correspondingly, the management service outsourcing party's device receives the notification, which carries the information used to authenticate the identity of the management service outsourcing party's device.
• Because the tenant registration request in S801 carries the IP address of the management service outsourcing party's device, once the open control management function entity has generated the information used to authenticate that device's identity it can send the tenant verification information notification directly to the device at that IP address, so that the device obtains the information without the third-party device relaying it. Compared with S703 and S704 above, this improves authentication efficiency.
• S804: the first device sends an identity authentication request to the open control management function entity. Correspondingly, the open control management function entity receives the identity authentication request from the first device.
• S805: the open control management function entity authenticates the first device according to the identity authentication request.
• S806: the open control management function entity sends an identity authentication response to the first device. Correspondingly, the first device receives the identity authentication response from the open control management function entity.
• S807: the first device sends a tenant registration result notification to the third-party device.
• Based on the method shown in Figure 8, the open control management function entity can send the identity verification information notification directly to the management service outsourcing party's device, so that the device obtains the authentication information. This improves the authentication efficiency of the management service outsourcing party's device and, further, the efficiency of its network management.
• In the methods shown in Figures 7 and 8, the authentication of the management service outsourcing party's device is carried out within the tenant registration of the third-party device. The authentication method provided by the embodiments of this application can also be applied after the third-party device has completed the tenant registration request.
• For example, when the third-party device completes the tenant registration request it has no contracted management service outsourcing party's device yet, that is, the information of the management service outsourcing party's device in the tenant registration request may be empty; the third party performs network management by itself for a period of time after registration and then outsources it, at which point a corresponding management service outsourcing party's device exists. In this case the third-party device can send second indication information to the open control management function entity to update the information of the management service outsourcing party's device, thereby realizing identity authentication of the updated management service outsourcing party's device.
• Alternatively, when the third-party device completes the tenant registration request a contracted management service outsourcing party's device already exists, and after the third-party device and that device have jointly performed network management for a period of time, management service outsourcing parties are added or removed. In this case the third-party device can also send the second indication information to the open control management function entity to update the information of the management service outsourcing party's device, thereby realizing identity authentication of the updated management service outsourcing party's device.
• The following embodiment takes as an example the scenario in which the third-party device had no contracted management service outsourcing party before completing the tenant registration request, performed network management itself for a period of time, and then outsourced it, and describes another implementation of the authentication method in detail. The open control management function entity may be the EGMF in Figure 1 or Figure 2.
  • Figure 9 shows a schematic flowchart of yet another authentication method provided by an embodiment of the present application.
  • the authentication method includes the following steps:
• The third-party device sends a tenant information update request to the open control management function entity. Correspondingly, the open control management function entity receives the tenant information update request from the third-party device.
• The tenant information update request carries the tenant ID, the information of the management service outsourcing party's device, and second indication information. Here the information of the management service outsourcing party's device is the information of the newly added management service outsourcing party's device, and the second indication information is used to instruct the open control management function entity to add that information.
• Alternatively, the tenant ID and the information of the management service outsourcing party's device may both be included in the second indication information, or only the information of the management service outsourcing party's device is included in the second indication information and the tenant ID is not; the embodiments of this application do not limit this.
• The open control management function entity updates the information of the management service outsourcing party's device according to the tenant information update request and determines the information used to authenticate the identity of the management service outsourcing party's device. That information may include the tenant ID and the verification information.
• Specifically, according to the tenant ID, the information of the management service outsourcing party's device and the second indication information carried in the tenant information update request, the open control management function entity updates the tenant instance corresponding to the tenant ID, for example by adding the information of the management service outsourcing party's device, and generates verification information based on the added information. For the specific process of generating the verification information, see S602, S702 or S802 above; it is not repeated here.
• It can be understood that the open control management function entity can add or delete the corresponding information used to authenticate the identity of the management service outsourcing party's device according to the newly added or deleted information of the management service outsourcing party's device, or it can re-determine the information used to authenticate the identity of all management service outsourcing party's devices after the information of the management service outsourcing party's device has been updated; the embodiments of this application do not limit this.
• The open control management function entity sends the information used to authenticate the identity of the management service outsourcing party's device to the management service outsourcing party's device. This can be done in either of the following ways.
• In one implementation, the open control management function entity sends a tenant information update response to the third-party device, which receives it; the tenant information update response carries the information used to authenticate the identity of the management service outsourcing party's device. The third-party device then sends a tenant information update notification to the management service outsourcing party's device, which receives it; the tenant information update notification carries that same information. For the specific process, see S603 or S703-S704 above; it is not repeated here.
• In another implementation, the open control management function entity sends an identity verification information notification directly to the management service outsourcing party's device, which receives it; the identity verification information notification carries the information used to authenticate the identity of the management service outsourcing party's device. For the specific process, see S603 or S803 above; it is not repeated here.
• The first device sends an identity authentication request to the open control management function entity. Correspondingly, the open control management function entity receives the identity authentication request from the first device.
• The open control management function entity authenticates the first device according to the identity authentication request.
• The open control management function entity sends an identity authentication response to the first device. Correspondingly, the first device receives the identity authentication response from the open control management function entity.
• The first device sends tenant information update result feedback to the third-party device. Correspondingly, the third-party device receives the tenant information update result feedback from the first device. The feedback carries the first indication information; for its description, see S606, S708 or S807 above.
• Based on the method shown in Figure 9, the information of the management service outsourcing party can be transmitted in the tenant information update messages, and the open control management function entity can update the authentication information as the information of the management service outsourcing party's device changes, so that the operator's authentication of the management service outsourcing party's identity is completed and the reliability of network management is improved.
• In summary, the open control management function entity can generate and send the information used to authenticate the identity of the management service outsourcing party's device, based on the information of that device sent by the third-party device, before management services are performed. The open control management function entity can then determine whether a device to be authenticated is the management service outsourcing party's device based on the received authentication information and the information used to authenticate the identity of the management service outsourcing party's device, thereby realizing authentication of the management service outsourcing party.
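To make the exchanges of Figures 6 to 9 concrete, the following is an added example written for this page; it is not code from the patent or from Huawei. It is a small Python model of the open control management function entity that registers a tenant (S701-S703 / S801-S802), derives the verification information, delivers it either directly to the outsourcer device's IP address (S803) or to the third-party device for relaying (S703-S704), authenticates a first device (S605 / S706), returns the first indication information with invocation information (S606), computes which services the third-party device still calls itself (S607), and applies the second indication information to add or delete outsourcer devices in the tenant instance (the Figure 9 update). The HMAC-SHA256 construction of the verification information, the random tenant ID, the dict message shapes, the "add"/"delete" values of the second indication, and the rule that an outsourcer may only be granted services the third party itself signed for are assumptions of this example; the patent does not specify them.

```python
"""Added example (not from the patent): a minimal model of the open control
management function entity (EGMF) for the tenant registration, authentication
and tenant information update flows. Assumed: verification information is an
HMAC-SHA256 tag over the tenant ID and outsourcer device ID under a key held
only by the EGMF; tenant IDs are random; messages are dicts."""
import hashlib
import hmac
import secrets


class EGMF:
    """Generates credentials (S702/S802), authenticates (S605/S706), updates (Fig. 9)."""

    def __init__(self, key: bytes):
        self._key = key        # assumed: never leaves the EGMF
        self._tenants = {}     # tenant ID -> tenant instance (dict of attributes)

    def _verification_info(self, tenant_id: str, device_id: str) -> str:
        # Assumed construction: the patent only says the verification
        # information is generated from the outsourcer device information.
        msg = f"{tenant_id}|{device_id}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()

    def _add_outsourcer(self, inst: dict, dev: dict) -> dict:
        services = set(dev["services"])
        # Assumed rule: the outsourcer may only call services the third party signed for.
        if not services <= inst["services"]:
            raise ValueError("outsourced services exceed the third party's subscription")
        inst["outsourcers"][dev["id"]] = {
            "services": services,
            "ip": dev.get("ip"),          # present only in the Figure 8 variant
            "verification": self._verification_info(inst["tenant_id"], dev["id"]),
            "status": "unauthenticated",
        }
        return {"tenant_id": inst["tenant_id"],
                "verification": inst["outsourcers"][dev["id"]]["verification"]}

    def register_tenant(self, request: dict) -> dict:
        """S701-S703 / S801-S802: create the tenant instance and issue credentials."""
        third = request["third_party"]
        if not third.get("id"):           # stand-in for the third-party check of S602
            return {"result": "failure"}
        tenant_id = secrets.token_hex(8)
        inst = {"tenant_id": tenant_id, "third_party": third["id"],
                "services": set(third["services"]), "outsourcers": {}}
        self._tenants[tenant_id] = inst
        creds = {d["id"]: self._add_outsourcer(inst, d) for d in request.get("outsourcers", [])}
        return {"result": "success", "tenant_id": tenant_id, "auth_info": creds}

    def update_tenant(self, request: dict) -> dict:
        """Figure 9 update: apply the second indication ("add" / "delete")."""
        inst = self._tenants.get(request.get("tenant_id"))
        if inst is None:
            return {"result": "failure"}
        creds = {}
        for dev in request["outsourcers"]:
            if request["second_indication"] == "add":
                creds[dev["id"]] = self._add_outsourcer(inst, dev)
            elif request["second_indication"] == "delete":
                inst["outsourcers"].pop(dev["id"], None)   # old credential stops matching
        return {"result": "success", "auth_info": creds}

    def notifications(self, tenant_id: str, creds: dict) -> list:
        """Delivery: directly to the device when its IP is known (S803),
        otherwise to the third-party device for relaying (S703-S704)."""
        inst = self._tenants[tenant_id]
        out = []
        for dev_id, cred in creds.items():
            ip = inst["outsourcers"][dev_id]["ip"]
            dest = f"outsourcer@{ip}" if ip else f"third_party:{inst['third_party']}"
            out.append((dest, {"device_id": dev_id, **cred}))
        return out

    def authenticate(self, auth_info: dict) -> dict:
        """S605/S706: compare the presented authentication information with the
        stored information; return the first indication information."""
        inst = self._tenants.get(auth_info.get("tenant_id"))
        presented = auth_info.get("verification")
        if inst is None or not isinstance(presented, str):
            return {"authenticated": False}      # tenant ID missing, unknown, or no verification info
        for dev_id, rec in inst["outsourcers"].items():
            # constant-time comparison of the verification information
            if hmac.compare_digest(rec["verification"].encode(), presented.encode()):
                rec["status"] = "authenticated"
                return {"authenticated": True, "device_id": dev_id,
                        "invocation": sorted(rec["services"])}   # S606 invocation info
        return {"authenticated": False}


def remaining_services(third_party_services: set, indication: dict) -> set:
    """S607: services the third-party device still calls itself after the
    first device reports its first indication information."""
    if not indication.get("authenticated"):
        return set(third_party_services)
    return set(third_party_services) - set(indication["invocation"])
```

Two design choices in this example are worth noting. The verification information is compared with hmac.compare_digest so that a device probing with wrong values learns nothing from response timing, and deleting an outsourcer's entry from the tenant instance is what revokes its credential, which is why a credential issued before a "delete" update no longer authenticates afterwards.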
  • the authentication method provided by the embodiment of the present application is described in detail above with reference to Figures 4-9.
  • the communication device used to perform the authentication method provided by the embodiment of the present application will be described in detail below with reference to Figures 10-12.
  • FIG. 10 is a schematic structural diagram of a communication device provided by an embodiment of the present application.
  • the communication device 1000 includes: a processing module 1001 and a transceiver module 1002.
  • FIG. 10 shows only the main components of the communication device.
  • the communication device 1000 may be adapted to the system shown in Figure 4 or Figure 5 to perform the functions of the open control management functional entity in the method shown in any one of Figures 6-9.
• The transceiver module 1002 is used to receive, from a third-party device, the information of the management service outsourcing party's device. The management service outsourcing party's device is used to call the network management capabilities opened to the third-party device, and the information of the management service outsourcing party's device includes information about the management services that the management service outsourcing party's device can call.
  • the processing module 1001 is configured to determine information used to authenticate the identity of the management service outsourcing party's equipment based on the information of the management service outsourcing party's equipment.
  • the transceiver module 1002 is also used to send information to the management service outsourcing party device for authenticating the identity of the management service outsourcing party device.
  • the transceiver module 1002 is configured to receive authentication information from the first device.
  • the processing module 1001 is configured to determine that the first device is the management service outsourcing party device when the authentication information matches the information used to authenticate the identity of the management service outsourcing party device.
  • the transceiver module 1002 is configured to send first indication information to the first device, and the first indication information is used to indicate that the first device is successfully authenticated.
  • the information about the management service outsourcing party's equipment may include the IP address of the management service outsourcing party's equipment.
  • the transceiver module 1002 is configured to send information for authenticating the identity of the management service outsourcing party device to the management service outsourcing party device according to the IP address of the management service outsourcing party device.
• The transceiver module 1002 is used to receive second indication information from a third-party device. The second indication information is used to instruct the open control management function entity to add or delete information of the management service outsourcing party's device.
  • the transceiver module 1002 may include a sending module (not shown in Figure 10) and a receiving module (not shown in Figure 10).
  • the sending module is used to realize the sending function of the communication device 1000
  • the receiving module is used to realize the receiving function of the communication device 1000.
  • the communication device 1000 may also include a storage module (not shown in FIG. 10), which stores programs or instructions.
  • when the processing module 1001 executes the program or instructions, the communication device 1000 can perform the function of the open control management functional entity in the method shown in any one of Figures 6 to 9.
  • the communication device 1000 may be a network device, a chip (system) or other components or components that can be disposed in the network device, or a device including a network device, which is not limited in this application.
  • the technical effects of the communication device 1000 can be referred to the technical effects of the authentication method shown in FIGS. 6 to 9 , which will not be described again here.
  • the communication device 1000 may be applicable to the system shown in FIG. 4 or FIG. 5, and perform the functions of the first device or the management service outsourcing party device in any of the methods shown in FIGS. 6-9.
  • the processing module 1001 is used to obtain authentication information, wherein the communication device 1000 is a management service outsourcing device, and the management service outsourcing device is used to call network management capabilities open to third-party devices.
  • the transceiver module 1002 is used to send authentication information to the open control management function entity.
  • the authentication information may include information used to authenticate the identity of the device of the management service outsourcer.
  • the transceiver module 1002 is configured to receive information from the open control management function entity for authenticating the identity of the management service outsourcing party's equipment.
  • the authentication information may include information used to authenticate the identity of the device of the management service outsourcer.
  • the transceiver module 1002 is configured to receive information from a third-party device for authenticating the identity of the management service outsourcing party's device.
  • the transceiver module 1002 is configured to receive first indication information from the open control management function entity, where the first indication information is used to indicate successful device authentication.
  • the transceiver module 1002 is configured to send first indication information to a third-party device.
  • the transceiver module 1002 may include a sending module (not shown in Figure 10) and a receiving module (not shown in Figure 10).
  • the sending module is used to realize the sending function of the communication device 1000
  • the receiving module is used to realize the receiving function of the communication device 1000.
  • the communication device 1000 may also include a storage module (not shown in FIG. 10), which stores programs or instructions.
  • when the processing module 1001 executes the program or instructions, the communication device 1000 can perform the function of the first device or the management service outsourcing party device in the method shown in any one of Figures 6-9.
  • the communication device 1000 may be a network device, a chip (system) or other components or components that can be disposed in the network device, or a device including a network device, which is not limited in this application.
  • the technical effects of the communication device 1000 can be referred to the technical effects of the authentication method shown in FIGS. 6 to 9 , which will not be described again here.
  • FIG. 11 is a schematic structural diagram of another communication device provided by an embodiment of the present application.
  • the communication device 1100 includes: a sending module 1101 and a receiving module 1102.
  • FIG. 11 shows only the main components of the communication device.
  • the communication device 1000 may be adapted to the system shown in FIG. 4 or FIG. 5 to perform the functions of the third-party device in the method shown in any one of FIGS. 6-9.
  • the sending module 1101 is used to send the information of the management service outsourcing party's equipment to the open control management function entity.
  • the management service outsourcing party's equipment is used to call the network management capabilities open to the device.
  • the information about the management service outsourcing party's device includes information on the management services that the management service outsourcing party's device can call.
  • the receiving module 1102 is configured to receive information used to authenticate the identity of the management service outsourcing party's equipment from the open control management function entity, and the information used to authenticate the identity of the management service outsourcing party's equipment is determined based on the information of the management service outsourcing party's equipment.
  • the sending module 1101 is also used to send information used to authenticate the identity of the management service outsourcing party's equipment to the management service outsourcing party's equipment.
  • the receiving module 1102 is also configured to receive first indication information from the first device, where the first indication information is used to indicate that the first device is successfully authenticated, and the first device is a management service outsourcing party device.
  • the sending module 1101 is also used to send second instruction information to the open control management function entity.
  • the second instruction information is used to instruct the open control management function entity to add information about the management service outsourcing party's equipment.
  • the sending module 1101 and the receiving module 1102 can also be integrated into one module, such as a transceiving module (not shown in Figure 11).
  • the transceiver module is used to implement the sending function and receiving function of the communication device 1100.
  • the communication device 1101 may also include a processing module 1103.
  • the processing module 1103 is used to implement the processing function of the communication device 1100 .
  • the communication device 1100 may also include a storage module (not shown in FIG. 11), which stores programs or instructions.
  • when the processing module executes the program or instructions, the communication device 1100 can perform the functions of the third-party device in the method shown in any one of Figures 6-9.
  • the communication device 1100 may be a network device, such as a third-party device, or may be a chip (system) or other component or assembly that can be disposed in the network device, or may be a device including network devices, which is not limited in this application.
  • the technical effects of the communication device 1100 can be referred to the technical effects of the authentication method shown in FIGS. 6 to 9 , which will not be described again here.
  • FIG. 12 is a schematic structural diagram of yet another communication device provided by an embodiment of the present application.
  • the communication device may be a network device, such as the above-mentioned open control management functional entity, a third-party device, a first device or a management service outsourcing party device, or may be a chip (system) or other components or components that can be installed on the network device.
  • the communication device 1200 may include a processor 1201 .
  • the communication device 1200 may also include a memory 1202 and/or a transceiver 1203.
  • the processor 1201 is coupled to the memory 1202 and the transceiver 1203, for example, through a communication bus.
  • the processor 1201 is the control center of the communication device 1200, and may be a processor or a collective name for multiple processing elements.
  • the processor 1201 may be one or more central processing units (CPUs), an application specific integrated circuit (ASIC), or one or more integrated circuits configured to implement the embodiments of the present application, such as one or more digital signal processors (DSPs) or one or more field programmable gate arrays (FPGAs).
  • the processor 1201 can perform various functions of the communication device 1200 by running or executing software programs stored in the memory 1202 and calling data stored in the memory 1202, for example, performing the methods shown in FIGS. 6-9 above.
  • the processor 1201 may include one or more CPUs, such as CPU0 and CPU1 shown in Figure 12.
  • the communication device 1200 may also include multiple processors, such as the processor 1201 and the processor 1204 shown in FIG. 12 .
  • each of these processors can be a single-core processor (single-CPU) or a multi-core processor (multi-CPU).
  • a processor here may refer to one or more devices, circuits, and/or processing cores for processing data (eg, computer program instructions).
  • the memory 1202 is used to store the software program for executing the solution of the present application, and is controlled by the processor 1201 for execution.
  • the memory 1202 may be a read-only memory (ROM) or another type of static storage device that can store static information and instructions, a random access memory (RAM) or another type of dynamic storage device that can store information and instructions, an electrically erasable programmable read-only memory (EEPROM), a compact disc read-only memory (CD-ROM) or other optical disc storage (including compact discs, laser discs, optical discs, digital versatile discs, Blu-ray discs, etc.), magnetic disk storage media or other magnetic storage devices, or any other medium that can be used to carry or store desired program code in the form of instructions or data structures and that can be accessed by a computer, without limitation.
  • the memory 1202 may be integrated with the processor 1201, or may exist independently and be coupled to the processor 1201 through the interface circuit (not shown in Figure 12) of the communication device 1200.
  • if the communication device 1200 is a terminal device, the transceiver 1203 can be used to communicate with a network device or with another terminal device.
  • if the communication device 1200 is a network device, the transceiver 1203 can be used to communicate with a terminal device or with another network device.
  • the transceiver 1203 may include a receiver and a transmitter (not shown separately in Figure 12). Among them, the receiver is used to implement the receiving function, and the transmitter is used to implement the sending function.
  • the transceiver 1203 can be integrated with the processor 1201, or can exist independently and be coupled to the processor 1201 through the interface circuit (not shown in Figure 12) of the communication device 1200, which is not specifically limited in the embodiment of this application.
  • the structure of the communication device 1200 shown in Figure 12 does not constitute a limitation on the communication device.
  • the actual communication device may include more or fewer components than shown in the figure, some components may be combined, or the components may be arranged differently.
  • the embodiment of this application also provides an authentication system.
  • the authentication system includes an open control management functional entity, a third-party device and a management service outsourcing party device.
  • the authentication system may also include: a first device.
  • the processor in the embodiment of the present application can be a central processing unit (CPU), or another general-purpose processor, a digital signal processor (DSP), an application specific integrated circuit (ASIC), a field programmable gate array (FPGA) or other programmable logic device, a discrete gate or transistor logic device, a discrete hardware component, etc.
  • a general-purpose processor may be a microprocessor or any conventional processor.
  • the memory may be volatile memory or non-volatile memory, or may include both volatile and non-volatile memory.
  • non-volatile memory can be read-only memory (ROM), programmable ROM (PROM), erasable programmable read-only memory (erasable PROM, EPROM), electrically erasable programmable read-only memory (electrically EPROM, EEPROM) or flash memory.
  • volatile memory can be random access memory (RAM), which is used as an external cache, for example static random access memory (static RAM, SRAM), dynamic random access memory (DRAM), synchronous dynamic random access memory (synchronous DRAM, SDRAM), double data rate synchronous dynamic random access memory (double data rate SDRAM, DDR SDRAM), enhanced synchronous dynamic random access memory (enhanced SDRAM, ESDRAM), synchlink dynamic random access memory (synchlink DRAM, SLDRAM) or direct rambus random access memory (direct rambus RAM, DR RAM).
  • the above embodiments may be implemented in whole or in part by software, hardware (such as circuits), firmware, or any other combination.
  • the above-described embodiments may be implemented in whole or in part in the form of a computer program product.
  • the computer program product includes one or more computer instructions or computer programs. When the computer instructions or computer programs are loaded or executed on the computer, the processes or functions described in the embodiments of the present application are generated in whole or in part.
  • the computer may be a general-purpose computer, a special-purpose computer, a computer network, or other programmable devices.
  • the computer instructions may be stored in a computer-readable storage medium or transmitted from one computer-readable storage medium to another; for example, the computer instructions may be transmitted from one website, computer, server or data center to another website, computer, server or data center by wired or wireless (such as infrared, radio, microwave, etc.) means.
  • the computer-readable storage medium may be any available medium that can be accessed by a computer or a data storage device such as a server or a data center that contains one or more sets of available media.
  • the available media may be magnetic media (eg, floppy disk, hard disk, tape), optical media (eg, DVD), or semiconductor media.
  • the semiconductor medium may be a solid state drive.
  • “At least one” refers to one or more, and “a plurality of” refers to two or more.
  • “At least one of the following” or a similar expression refers to any combination of the listed items, including any combination of a single item or a plurality of items.
  • for example, at least one of a, b, or c can mean: a, b, c, a-b, a-c, b-c, or a-b-c, where each of a, b and c can be single or multiple.
  • the size of the sequence numbers of the above-mentioned processes does not imply an order of execution.
  • the execution order of each process should be determined by its function and internal logic, and should not constitute any limitation on the implementation process of the embodiments of the present application.
  • the disclosed systems, devices and methods can be implemented in other ways.
  • the device embodiments described above are only illustrative.
  • the division of the units is only a logical function division. In actual implementation, there may be other division methods.
  • multiple units or components may be combined or can be integrated into another system, or some features can be ignored, or not implemented.
  • the coupling or direct coupling or communication connection between each other shown or discussed may be through some interfaces, and the indirect coupling or communication connection of the devices or units may be in electrical, mechanical or other forms.
  • the units described as separate components may or may not be physically separated, and the components shown as units may or may not be physical units, that is, they may be located in one place, or they may be distributed to multiple network units. Some or all of the units can be selected according to actual needs to achieve the purpose of the solution of this embodiment.
  • each functional unit in each embodiment of the present application can be integrated into one processing unit, each unit can exist physically alone, or two or more units can be integrated into one unit.
  • if the functions are implemented in the form of software functional units and sold or used as independent products, they can be stored in a computer-readable storage medium.
  • the technical solution of the present application, in essence, or the part that contributes to the existing technology, or a part of the technical solution, can be embodied in the form of a software product.
  • the computer software product is stored in a storage medium and includes several instructions used to cause a computer device (which can be a personal computer, a server, a network device, etc.) to execute all or part of the steps of the methods described in the various embodiments of this application.
  • the aforementioned storage media include: a USB flash drive, a removable hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk, an optical disk, or other media that can store program code.


Abstract

The present application provides an authentication method and a communication device, which can solve the problem that an operator cannot support identity authentication of a management service outsourcing party, and can be applied to a 5G communication system. The method includes: an open control management function entity receives information about a management service outsourcing party's device from a third-party device, where the management service outsourcing party's device is used to call network management capabilities exposed to the third-party device; the open control management function entity determines, based on the information about the management service outsourcing party's device, information used to authenticate the identity of the management service outsourcing party's device; and the open control management function entity sends the information used to authenticate the identity of the management service outsourcing party's device to the management service outsourcing party's device. The open control management function entity can generate authentication information based on the information about the management service outsourcing party's device, thereby authenticating the identity of the management service outsourcing party's device.

Description

Authentication method and communication device
This application claims priority to Chinese Patent Application No. 202210599239.X, entitled “Authentication method and communication device”, filed with the China National Intellectual Property Administration on May 30, 2022, the entire contents of which are incorporated herein by reference.
Technical Field
The present application relates to the field of communications, and in particular to an authentication method and a communication device.
Background
A non-public network (NPN), also called a dedicated network or private network, is a network established to meet non-public needs. An NPN established by an operator can be used by third parties (such as vertical industry customers and slice customers); without the third party's permission, ordinary terminal devices cannot access the NPN. The 3rd Generation Partnership Project (3GPP) standards define the following two types of NPN: the stand-alone non-public network (SNPN) and the public network integrated non-public network (PNI-NPN).
For both the SNPN and PNI-NPN types of NPN, a third party may perform network management based on the network management capabilities exposed by the operator; alternatively, the third party may outsource some of the network management capabilities exposed by the operator to another company or enterprise that provides network operation, orchestration and management services (referred to as a management service outsourcing party), and implement network management through the management service outsourcing party. When the third party and the management service outsourcing party use the exposed network management capabilities, they need to complete identity authentication with the operator; only after identity authentication succeeds can the third party and the management service outsourcing party call the corresponding management services and then implement network management based on the called management services. At present, the operator can authenticate the identity of the third party based on a tenant registration request sent by the third party, but cannot support identity authentication of the management service outsourcing party, so the management service outsourcing party cannot call management services to manage the network serving the third party.
Summary
The present application provides an authentication method and a communication device, which can solve the problem that an operator cannot support identity authentication of a management service outsourcing party.
To achieve the above objective, the present application adopts the following technical solutions:
According to a first aspect, an authentication method is provided. The method includes: an open control management function entity receives information about a management service outsourcing party's device from a third-party device, where the management service outsourcing party's device is used to call network management capabilities exposed to the third-party device. The open control management function entity determines, based on the information about the management service outsourcing party's device, information used to authenticate the identity of the management service outsourcing party's device. The open control management function entity sends the information used to authenticate the identity of the management service outsourcing party's device to the management service outsourcing party's device.
Based on the authentication method of the first aspect, the open control management function entity can generate and send the information used to authenticate the identity of the management service outsourcing party's device based on the information about that device sent by the third-party device. When authenticating the management service outsourcing party's device, the open control management function entity can determine, from the received authentication information and the information used to authenticate the identity of the management service outsourcing party's device, whether the device being authenticated is the management service outsourcing party's device, thereby authenticating the management service outsourcing party. Thus, based on the information about the management service outsourcing party's device and the open control management function entity, both tenant management and the operator's authentication of the management service outsourcing party can be achieved, which improves the network management capabilities provided to the third party and enables more fine-grained network management.
Further, the method of the first aspect may also include: the open control management function entity receives authentication information from a first device. When the authentication information matches the information used to authenticate the identity of the management service outsourcing party's device, the open control management function entity determines that the first device is the management service outsourcing party's device. In this way, the open control management function entity can judge, based on the information used to authenticate the identity of the management service outsourcing party's device, whether the first device requesting authentication is the management service outsourcing party's device, thereby authenticating the management service outsourcing party's device and improving the reliability of authentication.
In a possible design, the method of the first aspect may also include: the open control management function entity sends first indication information to the first device, where the first indication information indicates that the first device has been authenticated successfully. In this way, the first device can obtain the authentication result from the first indication information; when the result is success, the first device can request the open control management function entity to call management services, so as to manage the network serving the third party and optimize the network management of that network.
In a possible design, the information about the management service outsourcing party's device may include the IP address of the management service outsourcing party's device. The open control management function entity sending the information used to authenticate the identity of the management service outsourcing party's device may include: the open control management function entity sends the information used to authenticate the identity of the management service outsourcing party's device to that device according to its IP address. In this way, the open control management function entity can send the authentication information to the management service outsourcing party's device based on the device identifier contained in the information about the device, which can improve the efficiency of authenticating the management service outsourcing party's device.
In a possible design, the information about the management service outsourcing party's device includes information on the management services that the management service outsourcing party's device can call. In this way, the open control management function entity can determine the calling information of the management service outsourcing party's device from the information about the device and manage that calling information, which can avoid calling errors or calls that exceed the calling authority and improve the reliability of network exposure management.
In a possible design, the method of the first aspect may also include: the open control management function entity receives second indication information from the third-party device. The second indication information instructs the open control management function entity to perform one or more of adding, deleting, modifying or querying the information about the management service outsourcing party's device. In this way, the open control management function entity can also update the information about the management service outsourcing party's device in real time based on the second indication information, and thereby update the information used to authenticate the identity of the management service outsourcing party's device, improving the reliability of authentication.
According to a second aspect, an authentication method is provided. The method includes: a third-party device sends information about a management service outsourcing party's device to an open control management function entity, where the management service outsourcing party's device is used to call network management capabilities exposed to the third-party device. The third-party device receives, from the open control management function entity, information used to authenticate the identity of the management service outsourcing party's device, where that information is determined based on the information about the management service outsourcing party's device. The third-party device sends the information used to authenticate the identity of the management service outsourcing party's device to the management service outsourcing party's device.
In a possible design, the information about the management service outsourcing party's device includes information on the management services that the management service outsourcing party's device can call.
In a possible design, the method of the second aspect may also include: the third-party device receives first indication information from a first device, where the first indication information indicates that the first device has been authenticated successfully, and the first device is the management service outsourcing party's device.
In a possible design, the method of the second aspect may also include: the third-party device sends second indication information to the open control management function entity, where the second indication information instructs the open control management function entity to perform one or more of adding, deleting, modifying or querying the information about the management service outsourcing party's device.
According to a third aspect, an authentication method is provided. The method includes: a first device obtains authentication information, where the first device is a management service outsourcing party's device, and the management service outsourcing party's device is used to call network management capabilities exposed to a third-party device. The first device sends the authentication information to an open control management function entity.
In a possible design, the authentication information includes information used to authenticate the identity of the management service outsourcing party's device. The first device obtaining the authentication information may include: the first device receives, from the open control management function entity, the information used to authenticate the identity of the management service outsourcing party's device.
In another possible design, the authentication information includes information used to authenticate the identity of the management service outsourcing party's device. The first device obtaining the authentication information may include: the first device receives, from the third-party device, the information used to authenticate the identity of the management service outsourcing party's device.
In a possible design, the method of the third aspect may also include: the first device receives first indication information from the open control management function entity, where the first indication information indicates that the first device has been authenticated successfully.
In a possible design, the method of the third aspect may also include: the first device sends the first indication information to the third-party device.
In addition, for the technical effects of the methods of the second and third aspects, reference may be made to the technical effects of the method of the first aspect, which are not repeated here.
According to a fourth aspect, a communication device is provided. The device includes a processing module and a transceiver module. The transceiver module is configured to receive information about a management service outsourcing party's device from a third-party device, where the management service outsourcing party's device is used to call network management capabilities exposed to the third-party device. The processing module is configured to determine, based on the information about the management service outsourcing party's device, information used to authenticate the identity of the management service outsourcing party's device. The transceiver module is further configured to send the information used to authenticate the identity of the management service outsourcing party's device to the management service outsourcing party's device.
Further, the transceiver module is configured to receive authentication information from a first device. The processing module is configured to determine that the first device is the management service outsourcing party's device when the authentication information matches the information used to authenticate the identity of the management service outsourcing party's device.
In a possible design, the transceiver module is configured to send first indication information to the first device, where the first indication information indicates that the first device has been authenticated successfully.
In a possible design, the information about the management service outsourcing party's device may include the IP address of the management service outsourcing party's device. The transceiver module is configured to send the information used to authenticate the identity of the management service outsourcing party's device to that device according to its IP address.
In a possible design, the information about the management service outsourcing party's device includes information on the management services that the management service outsourcing party's device can call.
In a possible design, the transceiver module is configured to receive second indication information from the third-party device, where the second indication information instructs the open control management function entity to perform one or more of adding, deleting, modifying or querying the information about the management service outsourcing party's device.
Optionally, the transceiver module may include a sending module and a receiving module. The sending module is used to implement the sending function of the communication device of the fourth aspect, and the receiving module is used to implement its receiving function.
Optionally, the communication device of the fourth aspect may also include a storage module that stores programs or instructions. When the processing module executes the programs or instructions, the communication device can perform the method of the first aspect.
It should be noted that the communication device of the fourth aspect may be a network device, such as the open control management function entity, a chip (system) or other component or assembly that can be disposed in a network device, or an apparatus including a network device, which is not limited in this application.
In addition, for the technical effects of the communication device of the fourth aspect, reference may be made to the technical effects of the method of the first aspect, which are not repeated here.
According to a fifth aspect, a communication device is provided. The device includes a sending module and a receiving module. The sending module is configured to send information about a management service outsourcing party's device to an open control management function entity, where the management service outsourcing party's device is used to call network management capabilities exposed to the device. The receiving module is configured to receive, from the open control management function entity, information used to authenticate the identity of the management service outsourcing party's device, where that information is determined based on the information about the management service outsourcing party's device. The sending module is further configured to send the information used to authenticate the identity of the management service outsourcing party's device to the management service outsourcing party's device.
In a possible design, the information about the management service outsourcing party's device includes information on the management services that the management service outsourcing party's device can call.
In a possible design, the receiving module is further configured to receive first indication information from a first device, where the first indication information indicates that the first device has been authenticated successfully, and the first device is the management service outsourcing party's device.
In a possible design, the sending module is further configured to send second indication information to the open control management function entity, where the second indication information instructs the open control management function entity to perform one or more of adding, deleting, modifying or querying the information about the management service outsourcing party's device.
Optionally, the sending module and the receiving module may also be integrated into one module, such as a transceiver module, which implements the sending and receiving functions of the communication device of the fifth aspect.
Optionally, the communication device of the fifth aspect may also include a processing module, which implements the processing function of the communication device of the fifth aspect.
Optionally, the communication device of the fifth aspect may also include a storage module that stores programs or instructions. When the processing module executes the programs or instructions, the communication device can perform the method of the second aspect.
It should be noted that the communication device of the fifth aspect may be a network device, such as the third-party device, a chip (system) or other component or assembly that can be disposed in a network device, or an apparatus including a network device, which is not limited in this application.
In addition, for the technical effects of the communication device of the fifth aspect, reference may be made to the technical effects of the method of the first aspect, which are not repeated here.
According to a sixth aspect, a communication device is provided. The device includes a processing module and a transceiver module. The processing module is configured to obtain authentication information, where the device is a management service outsourcing party's device, and the management service outsourcing party's device is used to call network management capabilities exposed to a third-party device. The transceiver module is configured to send the authentication information to an open control management function entity.
In a possible design, the authentication information may include information used to authenticate the identity of the management service outsourcing party's device. The transceiver module is configured to receive, from the open control management function entity, the information used to authenticate the identity of the management service outsourcing party's device.
In another possible design, the authentication information may include information used to authenticate the identity of the management service outsourcing party's device. The transceiver module is configured to receive, from the third-party device, the information used to authenticate the identity of the management service outsourcing party's device.
In a possible design, the transceiver module is configured to receive first indication information from the open control management function entity, where the first indication information indicates that the device has been authenticated successfully.
In a possible design, the transceiver module is configured to send the first indication information to the third-party device.
Optionally, the transceiver module may include a sending module and a receiving module. The sending module is used to implement the sending function of the communication device of the sixth aspect, and the receiving module is used to implement its receiving function.
Optionally, the communication device of the sixth aspect may also include a storage module that stores programs or instructions. When the processing module executes the programs or instructions, the communication device can perform the method of the third aspect.
It should be noted that the communication device of the sixth aspect may be a network device, such as the first device, a chip (system) or other component or assembly that can be disposed in a network device, or an apparatus including a network device, which is not limited in this application.
In addition, for the technical effects of the communication device of the sixth aspect, reference may be made to the technical effects of the method of the first aspect, which are not repeated here.
According to a seventh aspect, a communication device is provided. The device includes a processor coupled to a memory. The memory is configured to store a computer program. The processor is configured to execute the computer program stored in the memory, so that the communication device performs the method of any one of the first to third aspects.
In a possible design, the communication device of the seventh aspect may also include a transceiver. The transceiver may be a transceiver circuit or an interface circuit, and may be used for the communication device of the seventh aspect to communicate with other communication devices.
In this application, the communication device of the seventh aspect may be the open control management function entity of the first aspect, the third-party device of the second aspect or the first device of the third aspect; or a chip (system) or other component or assembly that can be disposed in that open control management function entity, third-party device or first device; or an apparatus including that open control management function entity, third-party device or first device.
In addition, for the technical effects of the communication device of the seventh aspect, reference may be made to the technical effects of the method of the first aspect, which are not repeated here.
According to an eighth aspect, an authentication system is provided. The authentication system may include an open control management function entity, a third-party device and a management service outsourcing party's device.
Optionally, the authentication system of the eighth aspect may also include a first device.
According to a ninth aspect, a computer-readable storage medium is provided. The computer-readable storage medium stores a computer program or instructions which, when run on a computer, cause the computer to perform the method of any one of the first to third aspects.
According to a tenth aspect, a computer program product is provided. The computer program product includes a computer program or instructions which, when run on a computer, cause the computer to perform the method of any one of the first to third aspects.
Brief Description of the Drawings
FIG. 1 is a schematic structural diagram of network management capability exposure;
FIG. 2 is a schematic diagram of the connections between logical management functions in a management domain;
FIG. 3 is a schematic flowchart of tenant registration;
FIG. 4 is a schematic architectural diagram of an authentication system provided by an embodiment of the present application;
FIG. 5 is a schematic architectural diagram of radio network capability exposure based on an open control management function entity, provided by an embodiment of the present application;
FIG. 6 is a schematic flowchart of an authentication method provided by an embodiment of the present application;
FIG. 7 is a schematic flowchart of another authentication method provided by an embodiment of the present application;
FIG. 8 is a schematic flowchart of yet another authentication method provided by an embodiment of the present application;
FIG. 9 is a schematic flowchart of yet another authentication method provided by an embodiment of the present application;
FIG. 10 is a schematic structural diagram of a communication device provided by an embodiment of the present application;
FIG. 11 is a schematic structural diagram of another communication device provided by an embodiment of the present application;
FIG. 12 is a schematic structural diagram of yet another communication device provided by an embodiment of the present application.
Detailed Description
For ease of understanding, the related technologies involved in the embodiments of the present application are described first.
1. NPN
An NPN, also called a dedicated network or private network, is a network established to meet non-public needs. An NPN established by an operator can be used by third parties (such as vertical industry customers and slice customers); without the third party's permission, ordinary terminal devices cannot access the NPN. The 3GPP standards define the following two types of NPN: SNPN and PNI-NPN.
An SNPN is a network operated by an operator that does not depend on network functions provided by a public land mobile network (PLMN). There are three NPN management modes for SNPN:
(1) MNO Managed Mode: managed entirely by the mobile network operator (MNO); the vertical industry does not take part in NPN management.
(2) MNO-Vertical Managed Mode: managed jointly by the mobile network operator and the vertical industry.
(3) Vertical Managed Mode: managed entirely by the vertical industry itself; the mobile network operator does not take part in NPN management.
For the MNO-Vertical Managed Mode and the Vertical Managed Mode, the vertical industry may outsource the network management capabilities of the SNPN to another company that provides network operation, orchestration and management services (hereinafter referred to as the management service outsourcing party).
A PNI-NPN is a non-public network deployed with the support of a PLMN. The NPN management modes for PNI-NPN are the MNO Managed Mode and the MNO-Vertical Managed Mode described above; for the MNO-Vertical Managed Mode, the vertical industry may also outsource the network management capabilities of the PNI-NPN to a management service outsourcing party.
2. Exposure governance management function (EGMF)
The EGMF is a logical management function proposed by 3GPP to implement exposure of network management capabilities in the management domain. Network management capability exposure means that the operator opens its network management capabilities to external third-party customers, such as vertical industry customers, slice customers and sharing operators; third-party customers may also be called the operator's tenants. Based on the network management capabilities exposed by the operator, a third-party customer can manage the network serving the tenant through a network management system (for example, obtaining performance data of the network serving the tenant, or configuring network parameters of that network). The third-party customer's network management system may be a third-party operation, administration and maintenance (OAM) system, a sharing operator's management system, or the like. For example, in slice management or in private network scenarios for vertical industries, slice customers or vertical industry customers want to obtain certain network management capabilities from the operator through network management capability exposure, so that they can participate in the management or data analysis of the slice network or private network.
The EGMF was proposed to expose network-side operation and maintenance management information, such as configuration information, performance measurement information and alarm/error information. The process by which the EGMF implements network exposure is briefly described below with reference to FIG. 1.
By way of example, FIG. 1 shows a schematic structural diagram of network management capability exposure. Management function (MnF) 1 may, for example, be an operator providing network services and can provide corresponding management services (MnS); an MnS is a network management capability that the operator can expose externally. MnF2 may, for example, be a sharing operator. MnF2 and the third-party customer (such as a vertical industry customer) can be understood as customers that are not directly trusted by the management domain where MnF1 is located (such as the operator's management domain) but have been authorized (that is, the operator's tenants). To implement network management, MnF2 and the third-party customer need to call the MnS provided by MnF1.
As shown in FIG. 1, the third-party customer can call the MnS provided by MnF1 through EGMF1, and MnF2 can call the MnS provided by MnF1 through EGMF2, so that MnF2 and the third-party customer can manage the network serving the tenant.
3. Cross domain management
Cross domain management may correspond to a network management system (NMS) and is responsible for the unified management of multiple element management systems. Logical management functions deployed at the cross-domain layer, such as the network slice management function (NSMF), provide various management services, which can be exposed externally through the EGMF.
4. Domain management
Domain management may correspond to an element management system (EMS) and is responsible for managing 5th generation (5G) base stations or the 5G core network, for example radio access network (RAN) domain management and core network (CN) domain management. Logical management functions deployed at the single-domain layer, such as the network slice subnet management function (NSSMF) and the management data analytics function (MDAF), implement management services for 5G base stations or the 5G core network and can provide various management services, which can be exposed externally through the EGMF.
By way of example, FIG. 2 shows a schematic diagram of the connections between logical management functions in a management domain. As shown in FIG. 2, the management domain includes the NSMF, NSSMF, MDAF, EGMF, communication service management function (CSMF), network function management function (NFMF) and network function (NF).
The NSMF, NSSMF, MDAF, EGMF, NFMF and NF each provide different types of MnS, and the EGMF can expose the MnS provided by each logical management function externally.
It can be understood that the EGMF is a management function used to implement management service calls, and the exposed network management capabilities in the embodiments of the present application can be implemented by calling cross-domain or single-domain management services.
At present, when a third party uses the network management capabilities exposed by the operator, the third party needs to complete identity authentication with the operator; only after identity authentication succeeds can the third party call the corresponding management services to manage the serving network.
By way of example, FIG. 3 shows a schematic flowchart of tenant registration. A third-party customer can complete identity authentication through this tenant registration procedure. It should be noted that, before tenant registration, the operator and the tenant (such as the third party) conclude a business agreement offline; the agreement may cover the network service guarantees the operator provides to the tenant, the network management capabilities that can be exposed to the tenant, or the network resource information the tenant may obtain or operate on, and the tenant's subscription information is configured in the operator's network management system. Further, as shown in FIG. 3, the tenant registration procedure includes:
S301. The third-party device sends a tenant registration request to the communication network management device.
Correspondingly, the communication network management device receives the tenant registration request from the third-party device.
The third-party device is used to call the network management functions exposed by the operator to manage the serving network; the network management system corresponding to the third-party customer, such as a third-party OAM system, is deployed on the third-party device.
The communication network management device is used to manage the network services deployed by the operator. The operator's management system is deployed on the communication network management device and may include a business support system (BSS) and an operations support system (OSS); the EGMF described above may be deployed at the OSS layer of the communication network management device. For the specific functions of the BSS and OSS, reference may be made to the related prior art, which is not repeated here. It can be understood that the communication network management device may be a device containing the EGMF described above, or a device including the open control management function entity of the embodiments described below.
In the embodiments of the present application, the tenant registration request carries the third-party customer's identifier (operator identification, operator ID) and tenant description information (tenant profile).
By way of example, the third-party customer's identifier may be the third-party customer's name, such as the name of a vertical industry enterprise, or a numeric identifier representing the third-party customer, etc.
The tenant description information is a profile describing basic information about the third-party customer. By way of example, it may include the management service information agreed between the third party and the operator, or the tenant's service level specification (SLS) requirements, etc. The SLS requirements may include indicator requirements such as latency, reliability, resource isolation, the number of terminal devices that may access the network, or the types of data that may be obtained.
S302. The communication network management device authenticates the identity of the third-party device according to the tenant registration request.
By way of example, after receiving the tenant registration request, the communication network management device queries and obtains the corresponding tenant subscription information from the locally configured tenant subscription information according to the third-party customer's identifier carried in the request, and then authenticates the identity of the third-party device according to the tenant subscription information to verify the legitimacy of the third-party device.
Further, if identity authentication of the third-party device succeeds, the communication network management device allocates a unique tenant identifier (tenant ID) to the third-party device. If identity authentication of the third-party device does not succeed (which can also be understood as identity authentication failing), the communication network management device does not allocate a tenant identifier to the third-party device.
S303. The communication network management device sends a tenant registration response to the third-party device.
Correspondingly, the third-party device receives the tenant registration response from the communication network management device. The tenant registration response carries the tenant registration result.
In the embodiments of the present application, when identity authentication of the third-party device succeeds, the tenant registration result indicates that the third-party device has registered successfully or been authenticated successfully; when identity authentication of the third-party device does not succeed, the tenant registration result indicates that registration or authentication of the third-party device has failed.
In a possible implementation, the tenant registration result may be represented by 1 bit. For example, “0” indicates that the third-party device has registered successfully or been authenticated successfully and “1” indicates that registration or authentication has failed; or “1” indicates that the third-party device has registered successfully or been authenticated successfully and “0” indicates that registration or authentication has failed. This is not specifically limited in the embodiments of the present application.
Optionally, in the embodiments of the present application, the tenant registration response may include the tenant identifier in addition to the tenant registration result. Alternatively, when identity authentication of the third-party device succeeds, the tenant registration response may include the tenant identifier in addition to the tenant registration result, and when identity authentication of the third-party device fails, the tenant registration response may include the tenant registration result but not the tenant identifier. This is not specifically limited in the embodiments of the present application.
It can be seen that, when a third party uses the network management capabilities exposed by the operator, the operator can authenticate the third party's identity based on the tenant registration request sent by the third-party device. However, when the third party outsources some of the network management capabilities exposed by the operator to another network management party (that is, a management service outsourcing party), the tenant registration procedure shown in FIG. 3 does not allow the operator to authenticate the identity of the management service outsourcing party, so the management service outsourcing party cannot call management services to manage the network serving the third party.
Therefore, the embodiments of the present application provide an authentication method that can solve the problem that the operator cannot support identity authentication of the management service outsourcing party, and that allows the management service outsourcing party to perform operation and maintenance management of the network serving the third party within the control scope of the operator's management system, thereby optimizing the third party's service applications.
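The tenant registration procedure of FIG. 3 (S301-S303) and the first aspect's authentication of the management service outsourcing party's device by the open control management function entity, as one added Python model that is not the application's own code: the class name, the subscription table, the tenant-binding and subscription-subset checks, and all identifiers and service names are assumptions constructed for illustration.

```python
"""Added model (not the application's own code) of tenant registration (FIG. 3,
S301-S303) and of the first aspect: the open control management function entity
determines authentication information for an outsourcer device, matches what a
device later presents, and applies add/delete/modify/query indications."""
import hashlib
import hmac
import ipaddress
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class OutsourcerInfo:
    """Information about a management service outsourcing party's device."""
    device_id: str            # constructed device identifier
    ip_address: str           # where the authentication information is sent
    callable_mns: frozenset   # management services the device may call


class OpenControlManagementFunction:
    def __init__(self, subscriptions):
        # operator_id -> MnS set from the offline business agreement (sample data)
        self.subscriptions = subscriptions
        self.tenants = {}      # tenant_id -> operator_id
        self.registry = {}     # tenant_id -> {device_id: OutsourcerInfo}
        # device_id -> (tenant_id, sha256 hex of the issued secret); storing only
        # a digest means a copy of this table yields no usable secret
        self.credentials = {}

    def register_tenant(self, operator_id, tenant_profile):
        """S301-S303: look up the locally configured subscription for operator_id
        and allocate a tenant ID on success. Returns (result_bit, tenant_id);
        0 = success, 1 = failure, one of the encodings the text permits."""
        subscribed = self.subscriptions.get(operator_id)
        if subscribed is None:
            return 1, None
        if not set(tenant_profile.get("mns", ())) <= subscribed:
            return 1, None    # profile asks for services outside the agreement
        tenant_id = f"tenant-{secrets.token_hex(4)}"
        self.tenants[tenant_id] = operator_id
        return 0, tenant_id

    def _issue(self, tenant_id, info):
        secret = secrets.token_urlsafe(32)
        digest = hashlib.sha256(secret.encode()).hexdigest()
        self.credentials[info.device_id] = (tenant_id, digest)
        return info.ip_address, secret

    def receive_outsourcer_info(self, tenant_id, info):
        """First aspect: accept outsourcer info from a registered tenant and
        determine the authentication information. Returns (destination IP,
        secret); delivery directly or via the third-party device is the
        caller's choice. The outsourcer may only be granted services the tenant
        itself subscribed to (an assumed check, not stated on the page)."""
        if tenant_id not in self.tenants:
            raise PermissionError("sender is not a registered tenant")
        ipaddress.ip_address(info.ip_address)        # reject malformed addresses
        if not info.callable_mns <= self.subscriptions[self.tenants[tenant_id]]:
            raise PermissionError("outsourced services exceed the subscription")
        self.registry.setdefault(tenant_id, {})[info.device_id] = info
        return self._issue(tenant_id, info)

    def authenticate(self, device_id, presented):
        """Match presented authentication information against the stored digest
        in constant time. True stands for the first indication (success)."""
        record = self.credentials.get(device_id)
        if record is None:
            return False
        digest = hashlib.sha256(presented.encode()).hexdigest()
        return hmac.compare_digest(digest, record[1])

    def authorize_call(self, device_id, presented, mns):
        """A management service call is allowed only for an authenticated device
        and only for an MnS within the services registered for that device."""
        if not self.authenticate(device_id, presented):
            return False
        tenant_id = self.credentials[device_id][0]
        return mns in self.registry[tenant_id][device_id].callable_mns

    def second_indication(self, tenant_id, op, device_id, info=None):
        """Add, delete, modify or query the outsourcer's information. Only the
        tenant that registered the device may act on it (assumed binding)."""
        if op == "add":
            return self.receive_outsourcer_info(tenant_id, info)
        devices = self.registry.get(tenant_id, {})
        if op == "query":
            return devices.get(device_id)
        if device_id not in devices:
            raise KeyError(f"{device_id} is not registered to {tenant_id}")
        if op == "delete":
            del devices[device_id]
            self.credentials.pop(device_id, None)   # revoke: the old secret fails
            return None
        if op == "modify":
            if info.device_id != device_id:
                raise ValueError("modify must keep the device identifier")
            return self.receive_outsourcer_info(tenant_id, info)  # new secret
        raise ValueError(f"unknown operation {op!r}")
```

A modify re-derives the authentication information and a delete revokes it, so a secret issued before the second indication no longer matches afterwards.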
The technical solutions of the present application are described below with reference to the accompanying drawings.
The technical solutions of the embodiments of the present application can be applied to various communication systems, for example: a long term evolution (LTE) system, an LTE frequency division duplex (FDD) system, an LTE time division duplex (TDD) system, a universal mobile telecommunication system (UMTS), a worldwide interoperability for microwave access (WiMAX) communication system, a 5G system or a new radio (NR) system. The 5G systems referred to in this application include non-standalone (NSA) 5G systems and standalone (SA) 5G systems. The technical solutions provided by the present application can also be applied to future communication systems, such as sixth-generation mobile communication systems. The communication systems to which the embodiments of the present application apply may also be a PLMN network, a device-to-device (D2D) communication system, a machine to machine (M2M) communication system, an Internet of Things (IoT) communication system or other communication systems, which is not specifically limited in the embodiments of the present application.
The present application presents various aspects, embodiments or features around a system that may include multiple devices, components, modules, etc. It should be understood that each system may include additional devices, components, modules, etc., and/or may not include all of the devices, components, modules, etc. discussed in connection with the drawings. Combinations of these solutions may also be used.
In addition, in the embodiments of the present application, the words “exemplarily”, “for example” and the like are used to indicate an example, illustration or explanation. Any embodiment or design described as an “example” in this application should not be construed as preferred or advantageous over other embodiments or designs. Rather, the word example is intended to present a concept in a concrete manner.
In the embodiments of the present application, “information”, “signal”, “message”, “channel” and “signaling” are sometimes used interchangeably; it should be noted that, when the distinction is not emphasized, their intended meanings are the same. Likewise, “of”, “relevant” and “corresponding” are sometimes used interchangeably, and when the distinction is not emphasized, their intended meanings are the same.
FIG. 4 is a schematic architectural diagram of an authentication system to which the authentication method of the embodiments of the present application applies. As shown in FIG. 4, the authentication system includes a third-party device, an open control management function entity and a management service outsourcing party's device.
The third-party device corresponds to a third-party customer, which is a customer using the network services provided by the operator, such as a vertical industry customer, a slice customer or a sharing operator. In other words, a third-party customer may be an enterprise or organization that rents network services provided by the operator (hereinafter referred to as a tenant). The third-party device is used to manage the network services that the operator provides to the third-party customer. The open control management function entity corresponds to the operator and is used to authenticate the identities of the third-party device and the management service outsourcing party's device and to expose the network management capabilities provided by the operator. The management service outsourcing party's device corresponds to the management service outsourcing party, which is a network management maintenance agent that has signed a management service outsourcing contract with the third-party customer. That is, the third-party customer outsources part of the network management capabilities provided by the operator, and the management service outsourcing party's device is used to call or manage the outsourced network management capabilities.
The third-party device, the open control management function entity and the management service outsourcing party's device may communicate with one another directly or through forwarding by other devices, which is not limited in the embodiments of the present application.
The open control management function entity receives information about the management service outsourcing party's device from the third-party device, where the management service outsourcing party's device is used to call network management capabilities exposed to the third-party device; the open control management function entity determines, based on that information, information used to authenticate the identity of the management service outsourcing party's device; and the open control management function entity then sends the information used to authenticate the identity of the management service outsourcing party's device to that device. For the specific implementation of this solution, reference may be made to the method embodiments below.
It should be noted that there may be one or more management service outsourcing party's devices. In other words, the third-party customer may outsource the network management capabilities provided by the operator to one or more outsourcing parties.
Optionally, the authentication system provided by the embodiments of the present application also includes a first device. The first device may or may not be the management service outsourcing party's device. By way of example, the first device may send authentication information to the open control management function entity. In one possible design, when the authentication information matches the information used to authenticate the identity of the management service outsourcing party's device, the open control management function entity determines that the first device is the management service outsourcing party's device; the first device is then authenticated successfully and can call the network management capabilities that the operator has exposed to the third-party device. In another possible design, when the authentication information does not match the information used to authenticate the identity of the management service outsourcing party's device, the open control management function entity determines that the first device is not the management service outsourcing party's device; the first device fails authentication and cannot call the network management capabilities that the operator has exposed to the third-party device. For the specific implementation, reference may be made to the method embodiments below.
In the embodiments of the present application, the third-party device, the management service outsourcing party's device or the first device may be a network device. The network device includes, but is not limited to: an access point (AP) in a wireless fidelity (WiFi) system, such as a home gateway, router, server, switch or bridge; an evolved Node B (eNB), radio network controller (RNC), Node B (NB), base station controller (BSC), base transceiver station (BTS), home base station (for example, a home evolved NodeB or home Node B, HNB), baseband unit (BBU), wireless relay node, wireless backhaul node, or transmission point (transmission and reception point, TRP, or transmission point, TP); it may also be a 5G device, such as a gNB in a new radio (NR) system, a transmission point (TRP or TP), one antenna panel or a group of antenna panels (including multiple antenna panels) of a base station in a 5G system, or a network node constituting a gNB or a transmission point, such as a baseband unit (BBU), a distributed unit (DU), or a road side unit (RSU) with base station functions.
In the embodiments of the present application, the open control management function entity may be located in the cross domain (hereinafter referred to as a cross-domain open control management function entity) or in a single domain (hereinafter referred to as a single-domain open control management function entity). The open control management function entity may be deployed on the communication network management device shown in FIG. 3, or separately on another network device, which is not limited in the embodiments of the present application.
By way of example, the authentication system provided by the embodiments of the present application can be applied to a radio network capability exposure architecture based on the open control management function entity. For example, the third-party device in FIG. 4 may be the third-party device in that architecture; the management service outsourcing party's device may be the exposed management service consumer entity in that architecture; and the open control management function entity may be the open control management function entity corresponding to the cross-domain management device or the single-domain management device in that architecture. This is not limited in the embodiments of the present application.
By way of example, FIG. 5 is a schematic architectural diagram of radio network capability exposure based on the open control management function entity, provided by an embodiment of the present application. The architecture includes a third-party device, an exposed management service consumer entity, a cross-domain management device and single-domain management devices, where the single-domain management devices include a RAN domain management device and a CN domain management device. The third-party device and the exposed management service consumer entity can communicate with the cross-domain management device, the RAN domain management device and the CN domain management device through representational state transfer (REST) application programming interfaces (APIs).
As shown in FIG. 5, an open control management function entity and a network slice management function entity are deployed on the cross-domain management device, and an open control management function entity, a management data analytics function entity and a network slice subnet management function entity are deployed on the RAN domain management device. The network functions deployed on each management device can provide different MnS, and the third-party device and the exposed management service consumer entity can implement network management by calling the MnS. It can be understood that other management function entities may also be deployed on the cross-domain management device and the single-domain management devices, which is not limited in the embodiments of the present application.
The open control management function entity may be the EGMF shown in FIG. 1 or FIG. 2, the network slice management function entity may be the NSMF shown in FIG. 2, the management data analytics function entity may be the MDAF shown in FIG. 2, and the network slice subnet management function entity may be the NSSMF shown in FIG. 2.
It should be noted that the cross-domain management device or single-domain management device described above may be the communication network management device shown in FIG. 3, which the operator can use to manage the network services it provides.
It should be understood that the devices or functional nodes included in the systems shown in FIG. 4 or FIG. 5 are only exemplary descriptions and do not limit the embodiments of the present application. In fact, the systems shown in FIG. 4 or FIG. 5 may also contain other network elements, devices or functional nodes that interact with those illustrated, which is not specifically limited here.
下面将结合图6-图8对本申请实施例提供的认证方法进行具体阐述。
值得说明的是,本申请实施例提供的认证方法是基于第三方已与网络服务商(network service producer,NSP)或者是网络运营商(network operation producer,NOP)(以下简称为运营商)签订能力开放商务合同的前提实施的。也就是说,运营商提供网络服务(如NPN或切片网络)给第三方,运营商可以与第三方签订商务合同,开放部分网络管理能力给第三方,以便于第三方可以实现对服务网络的管理。
另外,本申请实施例中,管理服务外包方设备可以理解为管理服务外包方用于进行网络管理的设备,第三方设备可以理解为第三方用于进行网络管理的设备。
也就是说,在运营商提供网络服务给第三方的情况下,第三方可以基于签订的商务合同(如运营商提供给第三方的网络管理能力)通过第三方设备实现网络管理。进一步地,第三方也可以将运营商开放的网络管理能力外包给其他具备网络管理能力的代维方,即管理服务外包方。可以理解的是,第三方将运营商开放的网络管理能力外包出去时,第三方也需要与管理服务外包方就管理服务外包方能调用的网络管理能力以及第三方的管理诉求等签订商务合同,管理服务外包方可以基于签订的商务合同通过管理服务外包方设备实现服务第三方网络的管理。
其中,在管理服务外包方通过管理服务外包方设备调用相应的网络管理能力时,管理服务外包方设备也需要通过运营商的身份鉴权认证。为此,本申请实施例提供一种认证方法,可以实现运营商对管理服务外包方的身份鉴权认证。
By way of example, taking the authentication system of FIG. 4 as an example, FIG. 6 is a schematic flowchart of an authentication method provided in an embodiment of this application. The authentication method includes the following steps:
S601. The third-party device sends information about the management service outsourcing party device to the exposure governance management function entity. Correspondingly, the exposure governance management function entity receives the information about the management service outsourcing party device from the third-party device.
The management service outsourcing party device is used to invoke the network management capabilities exposed to the third-party device. The invoked network management capabilities may also be expressed as the invoked management services.
Optionally, in the embodiments of this application, the information about the management service outsourcing party device may include information about the management services that the management service outsourcing party device can invoke, and an identifier of the management service outsourcing party device.
The information about the management services that the management service outsourcing party device can invoke represents the management services contracted between the management service outsourcing party device and the third-party device. For example, the management services contracted between the operator and the third party may include one or more of a discovery service, a configuration service, a performance measurement service or a fault alarm service.
It can be understood that, in the embodiments of this application, the management services that the third party outsources to the management service outsourcing party may be management services contracted between the operator and the third party. In other words, the management services the third party outsources may be the management services the third party subscribed to from the operator, or a subset of them.
By way of example, assume that the management services the third party outsources to the management service outsourcing party include the performance measurement service and the fault alarm service. After successful identity authentication, the management service outsourcing party device can invoke these two management services and thereby obtain the network management capabilities of network performance measurement and fault alarming.
In the embodiments of this application, the identifier of the management service outsourcing party device may be the name of the management service outsourcing party (such as an enterprise name) or the name of the management service outsourcing party device, a numeric identifier representing the management service outsourcing party or its device, or the IP address of the management service outsourcing party device; this is not limited in the embodiments of this application.
It should be noted that, in the embodiments of this application, there may be one or more management service outsourcing parties and, correspondingly, one or more management service outsourcing party devices. Further, the information about the management service outsourcing party device may include information about one or more management service outsourcing party devices; this is not limited in the embodiments of this application. In addition, the management services that each management service outsourcing party device can invoke may differ. For example, management service outsourcing party device 1 may invoke the discovery service, while management service outsourcing party device 2 may invoke the performance measurement service and the fault alarm service. In one possible case, if the third party has not outsourced any management services, the information about the management service outsourcing party device may be empty.
Optionally, in the embodiments of this application, if the third party has not completed tenant registration, the third-party device may also send information about the third-party device to the exposure governance management function entity, and correspondingly the exposure governance management function entity receives the information about the third-party device from the third-party device. The information about the third-party device may include the management service information contracted with the operator, the identifier of the third-party customer (operator ID) and the tenant profile, and is used for identity authentication of the third-party device. For descriptions of the third-party customer identifier (operator ID) and the tenant profile, refer to S301 above, which is not repeated here. For the specific implementation of this solution, refer to the method embodiment shown in FIG. 7 below, which is not repeated here.
Optionally, in the embodiments of this application, if the third party has completed tenant registration, the third-party device may also send a tenant ID to the exposure governance management function entity, and correspondingly the exposure governance management function entity receives the tenant ID from the third party, so that it can determine the information about the management service outsourcing party of the corresponding tenant from the tenant ID. It can be understood that in this case the exposure governance management function entity already stores the information about the third-party device. For the specific implementation of this solution, refer to the method embodiment shown in FIG. 8 below, which is not repeated here.
In one possible case, when the third party has completed tenant registration and the management service outsourcing party device changes, the third-party device may send second indication information to the exposure governance management function entity, and correspondingly the exposure governance management function entity receives the second indication information from the third-party device. The second indication information is used to instruct the exposure governance management function entity to perform one or more of adding, deleting, modifying or querying the information about the management service outsourcing party device. For example, after the third-party device has completed tenant registration and performed network management on its own for a period of time, the third party outsources management services to a management service outsourcing party, or the third party adds further management service outsourcing parties to the existing ones; in this case the second indication information carries the information about the added management service outsourcing party devices. As another example, the third-party device has completed tenant registration and has a corresponding management service outsourcing party, but the third party cancels all or part of the contracts with the signed management service outsourcing parties, or the contracts expire and are no longer outsourced; in this case the second indication information carries the information about the removed management service outsourcing parties. For the specific implementation of this solution, refer to the method embodiment shown in FIG. 9 below, which is not repeated here.
S602. The exposure governance management function entity determines, based on the information about the management service outsourcing party device, information for authenticating the identity of the management service outsourcing party device.
The information for authenticating the identity of the management service outsourcing party device may include a tenant ID and verification information, where the verification information may be a token, a key or the like; this is not limited in the embodiments of this application.
By way of example, after receiving the information about the management service outsourcing party device, the exposure governance management function entity may determine from it whether any management service outsourcing party device exists, and thus whether to generate verification information for a management service outsourcing party device. For example, if the information about the management service outsourcing party device is not empty, the exposure governance management function entity may determine, from the identifiers of the management service outsourcing party devices contained in it, the number of management service outsourcing party devices of the third party, that is, the number of management service outsourcing parties, and generate verification information for each management service outsourcing party device. In other words, each management service outsourcing party device corresponds to one piece of verification information.
In addition, the exposure governance management function entity may create a tenant instance for storing the information about the third party and the management service outsourcing party; the attributes of the tenant instance may include the information about the third-party device and the information about the management service outsourcing party device.
In the embodiments of this application, if the third party has not completed tenant registration, the tenant ID is the unique identifier in the management domain that the exposure governance management function entity allocates to the third party after successfully authenticating the identity of the third-party device based on the information about the third-party device. For the specific process, refer to S302 to S303 above, which are not repeated here.
S603. The exposure governance management function entity sends the information for authenticating the identity of the management service outsourcing party device to the management service outsourcing party device. Correspondingly, the management service outsourcing party device receives this information from the exposure governance management function entity.
In one possible design, the exposure governance management function entity may send the information for authenticating the identity of the management service outsourcing party device to the third-party device. Correspondingly, the third-party device receives this information from the exposure governance management function entity.
Further, the third-party device sends the information for authenticating the identity of the management service outsourcing party device to the management service outsourcing party device. Correspondingly, the management service outsourcing party device receives this information from the third-party device, and can complete identity authentication based on it.
In another possible design, if the identifier of the management service outsourcing party device is its IP address, or the information about the management service outsourcing party device further includes its internet protocol (IP) address, the exposure governance management function entity may send the information for authenticating the identity of the management service outsourcing party device to the management service outsourcing party device based on that IP address.
Based on the above solution, using the information about the management service outsourcing party device sent by the third-party device, the exposure governance management function entity can not only manage the third-party device and the management service outsourcing party device, but also generate information for authenticating the identity of the management service outsourcing party device and send it to that device. The management service outsourcing party device can then be authenticated based on this information, which improves the reliability of network management; in turn, the management service outsourcing party device can be allowed to perform real-time and fine-grained radio network information monitoring of the network serving the third party, improving the network management efficiency of the third-party device.
Further, as shown in FIG. 6, the authentication method provided in the embodiments of this application further includes the following steps:
S604. The first device sends authentication information to the exposure governance management function entity. Correspondingly, the exposure governance management function entity receives the authentication information from the first device.
In the embodiments of this application, the first device may be understood as a device to be authenticated that requests to invoke a management service.
In the embodiments of this application, if the first device is the management service outsourcing party device, the authentication information includes the above information for authenticating the identity of the management service outsourcing party device. In this scenario, in one possible design, before sending the authentication information to the exposure governance management function entity, the first device may receive the information for authenticating the identity of the management service outsourcing party device from the exposure governance management function entity. In another possible design, before sending the authentication information, the first device may receive that information from the third-party device.
In the embodiments of this application, if the first device is not the management service outsourcing party device, the authentication information does not include the above information for authenticating the identity of the management service outsourcing party device, or the information it includes is wrong or forged; this is not limited in the embodiments of this application.
S605. If the authentication information matches the information for authenticating the identity of the management service outsourcing party device held by the exposure governance management function entity, the exposure governance management function entity determines that the first device is the management service outsourcing party device.
By way of example, after receiving the authentication information from the first device, the exposure governance management function entity compares it with the information for authenticating the identity of the management service outsourcing party device.
If the authentication information matches the information for authenticating the identity of the management service outsourcing party device, for example if the tenant ID and verification information in the authentication information are the same as the tenant ID and verification information in the information for authenticating the identity of the management service outsourcing party device, the exposure governance management function entity may determine that the first device is the management service outsourcing party device, and the first device is considered to have passed identity authentication. Further, the exposure governance management function entity may update the authentication state of the management service outsourcing party device corresponding to the first device, for example from "unauthenticated" to "authenticated".
S606. The exposure governance management function entity sends first indication information to the first device. Correspondingly, the first device receives the first indication information from the exposure governance management function entity.
The first indication information is used to indicate that the first device is successfully authenticated, that is, it represents the authentication result of the first device. The first indication information may carry invocation information for the corresponding management services, such as configuration information for invoking the management services, so that the first device can request invocation of the management services from the management domain based on that invocation information.
S607. The first device sends the first indication information to the third-party device. Correspondingly, the third-party device receives the first indication information from the first device.
By way of example, the third-party device may determine from the first indication information that the first device has passed identity authentication and can invoke the corresponding management services for network management, so that the third-party device no longer needs to execute those management services itself. For example, the management services contracted between the third party and the operator include the discovery service, configuration service, performance measurement service and fault alarm service, the management services outsourced to the first device include the performance measurement service and fault alarm service, and the first device returns first indication information indicating successful identity authentication; the third-party device then no longer needs to invoke the performance measurement service and fault alarm service for the related network management, which allows the types of management services executed by the third-party device to be updated at any time.
It can be understood that S607 is optional; for example, if the first device fails authentication, the first device may not send the first indication information to the third-party device.
Further, the first device may invoke the corresponding management service through the exposure governance management function entity from the management function entity that provides the service, or directly from that management function entity; this is not limited in the embodiments of this application. For example, to invoke a management service provided by the network slice subnet management function entity, the first device may first send an invocation request to the exposure governance management function entity, which, based on the invocation request, invokes the corresponding management service from the network slice subnet management function entity and sends it to the first device. As another example, the first device sends an invocation request to the network slice subnet management function entity to obtain the management service it provides.
It should be noted that if the authentication information does not match the information for authenticating the identity of the management service outsourcing party device, S605 above may be replaced by: if the authentication information does not match the information for authenticating the identity of the management service outsourcing party device held by the exposure governance management function entity, the exposure governance management function entity determines that the first device is not the management service outsourcing party device. For example, if the authentication information does not carry a tenant ID and verification information, or the tenant ID it carries differs from the tenant ID in the information for authenticating the identity of the management service outsourcing party device, and/or the verification information it carries differs from the verification information in that information, the exposure governance management function entity determines that the first device is not the management service outsourcing party device, and the first device is considered to have failed identity authentication. In this case, S606 to S607 above may no longer be performed, or S606 may be performed without S607; the exposure governance management function entity may then use the first indication information, or other indication information, to indicate that the first device failed authentication. This is not limited in the embodiments of this application.
Based on the authentication method shown in FIG. 6, using the information about the management service outsourcing party device sent by the third-party device, the exposure governance management function entity can not only manage the third-party device and the management service outsourcing party device, but also generate information for authenticating the identity of the management service outsourcing party device and send it to that device, which improves the reliability of network management; in turn, the management service outsourcing party device can be allowed to perform real-time and fine-grained radio network information monitoring of the network serving the third party, improving the network management efficiency of the third-party device. Further, the exposure governance management function entity receives the authentication information of the device to be authenticated (the first device) and can verify it against the information for authenticating the identity of the management service outsourcing party device, thereby completing the authentication of the management service outsourcing party device and improving the reliability of authentication. If the first device is successfully authenticated, the exposure governance management function entity may also send first indication information indicating the authentication result, so that the first device can invoke management services and manage the network serving the third party.
The authentication solution provided in the embodiments of this application is described in detail below with reference to specific application scenarios. The authentication method provided in the embodiments of this application may be applied to a tenant registration scenario, in which the exposure governance management function entity may be the EGMF in FIG. 1 or FIG. 2.
By way of example, FIG. 7 is a schematic flowchart of another authentication method provided in an embodiment of this application. The authentication method includes the following steps:
S701. The third-party device sends a tenant registration request to the exposure governance management function entity. Correspondingly, the exposure governance management function entity receives the tenant registration request from the third-party device.
The tenant registration request carries the information about the third-party device and the information about the management service outsourcing party device. For descriptions of these, refer to S601 above, which is not repeated here.
S702. The exposure governance management function entity determines, based on the tenant registration request, information for authenticating the identity of the management service outsourcing party device.
By way of example, after receiving the tenant registration request, the exposure governance management function entity creates a tenant instance based on the information about the third-party device and the information about the management service outsourcing party device in the request. The attributes of the tenant instance may include the identifier of the third-party device, the management service information the third party subscribed to from the operator, the identifier of the management service outsourcing party device, the management service information the management service outsourcing party subscribed to from the third party, and so on.
Further, the exposure governance management function entity may authenticate the identity of the third-party device based on the information about the third-party device in the tenant registration request; after successful authentication it generates a tenant ID, and then generates verification information based on the information about the management service outsourcing party device, thereby obtaining the information for authenticating the identity of the management service outsourcing party device. For the specific process, refer to S602 above, which is not repeated here.
S703. The exposure governance management function entity sends a tenant registration response to the third-party device. Correspondingly, the third-party device receives the tenant registration response from the exposure governance management function entity.
The tenant registration response carries the information for authenticating the identity of the management service outsourcing party device.
S704. The third-party device sends a tenant verification information notification to the management service outsourcing party device. Correspondingly, the management service outsourcing party device receives the tenant verification information notification from the third-party device.
The tenant verification information notification carries the information for authenticating the identity of the management service outsourcing party device.
S705. The first device sends an identity authentication request to the exposure governance management function entity. Correspondingly, the exposure governance management function entity receives the identity authentication request from the first device.
The identity authentication request carries authentication information.
If the first device is the management service outsourcing party device, the authentication information includes the information for authenticating the identity of the management service outsourcing party device, which the first device may obtain through S704.
If the first device is not the management service outsourcing party device, the authentication information does not include the information for authenticating the identity of the management service outsourcing party device, or the information it includes is wrong or forged; this is not limited in this application.
S706. The exposure governance management function entity authenticates the first device based on the identity authentication request.
By way of example, the exposure governance management function entity compares the authentication information in the identity authentication request with the information for authenticating the identity of the management service outsourcing party device to determine whether the first device is the management service outsourcing party device. For the specific process, refer to S605 above, which is not repeated here.
S707. The exposure governance management function entity sends an identity authentication response to the first device. Correspondingly, the first device receives the identity authentication response from the exposure governance management function entity.
The identity authentication response carries the first indication information. For a description of the first indication information, refer to S606 above, which is not repeated here.
S708. The first device sends a tenant registration result notification to the third-party device. Correspondingly, the third-party device receives the tenant registration result notification from the first device.
The tenant registration result notification carries the first indication information. It can be understood that the authentication result of the third-party device may also be indicated by the first indication information or by other indication information; this is not limited.
In addition, if the first device fails authentication, the tenant registration result notification may not carry the first indication information. For the specific process of S708, refer to S607 above.
Further, the first device may invoke the corresponding management service through the exposure governance management function entity from the management function entity that provides the service, or directly from that management function entity; this is not limited in the embodiments of this application. For example, to invoke a management service provided by the network slice subnet management function entity, the first device may first send an invocation request to the exposure governance management function entity, which, based on the invocation request, invokes the corresponding management service from the network slice subnet management function entity and sends it to the first device. As another example, the first device sends an invocation request to the network slice subnet management function entity to obtain the management service it provides.
In addition, if in S706 the exposure governance management function entity determines that the first device is not the management service outsourcing party device, that is, the authentication information does not match the information for authenticating the identity of the management service outsourcing party device (for example, the authentication information does not carry a tenant ID and verification information, or the tenant ID it carries differs from the tenant ID in the information for authenticating the identity of the management service outsourcing party device, and/or the verification information it carries differs from the verification information in that information), the exposure governance management function entity determines that the first device is not the management service outsourcing party device, and the first device is considered to have failed identity authentication. In this case, S707 to S708 above may no longer be performed, or S707 may be performed without S708; the first indication information carried in the identity authentication response of S707 then indicates that the first device failed authentication, or other indication information may be carried to indicate this. This is not limited in the embodiments of this application.
Based on the authentication method shown in FIG. 7, the registration authentication of the third party and the management service outsourcing party can be completed through the exposure governance management function entity as part of the tenant registration procedure, and the operator can manage the third party and the management service outsourcing party.
In the tenant registration scenario, the authentication method provided in the embodiments of this application may also be implemented in another way. By way of example, FIG. 8 is a schematic flowchart of yet another authentication method provided in an embodiment of this application. The authentication method includes the following steps:
S801. The third-party device sends a tenant registration request to the exposure governance management function entity. Correspondingly, the exposure governance management function entity receives the tenant registration request from the third-party device.
Unlike S701 above, the information about the management service outsourcing party device carried in the tenant registration request further includes the IP address of the management service outsourcing party device, or the identifier of the management service outsourcing party device in that information is its IP address. For other details, refer to S701 above, which is not repeated here.
S802. The exposure governance management function entity determines, based on the tenant registration request, information for authenticating the identity of the management service outsourcing party device.
For the specific process of S802, refer to S602 or S702 above, which is not repeated here.
S803. The exposure governance management function entity sends a tenant verification information notification to the management service outsourcing party device. Correspondingly, the management service outsourcing party device receives the tenant verification information notification from the exposure governance management function entity.
The tenant verification information notification carries the information for authenticating the identity of the management service outsourcing party device. Because the tenant registration request in S801 carries the IP address of the management service outsourcing party device, after generating the information for authenticating its identity the exposure governance management function entity can send the tenant verification information notification directly to the management service outsourcing party device based on that IP address, so that the management service outsourcing party device obtains the information. Compared with the implementation of S703 and S704 above, this improves authentication efficiency.
S804. The first device sends an identity authentication request to the exposure governance management function entity. Correspondingly, the exposure governance management function entity receives the identity authentication request from the first device.
S805. The exposure governance management function entity authenticates the first device based on the identity authentication request.
S806. The exposure governance management function entity sends an identity authentication response to the first device. Correspondingly, the first device receives the identity authentication response from the exposure governance management function entity.
S807. The first device sends a tenant registration result notification to the third-party device.
For the specific implementation of S804 to S807, refer to S705 to S708 above, which are not repeated here.
Based on the authentication method shown in FIG. 8, compared with the method shown in FIG. 7, the exposure governance management function entity can send the identity verification information notification directly to the management service outsourcing party device, so that the management service outsourcing party device obtains the authentication information. This improves the authentication efficiency of the management service outsourcing party device and, further, the network management efficiency of the management service outsourcing party.
In the authentication methods shown in FIG. 7 and FIG. 8, the authentication of the management service outsourcing party device is carried out during the authentication of the third-party device. Further, the authentication method provided in the embodiments of this application may also be applied after the third-party device has completed the tenant registration request.
For example, the third-party device has no contracted management service outsourcing party device before completing the tenant registration request, that is, the information about the management service outsourcing party device in the tenant registration request may be empty; after completing tenant registration and performing network management on its own for a period of time, it outsources network management, so that a corresponding management service outsourcing party device now exists. The third-party device may then send second indication information to the exposure governance management function entity to update the information about the management service outsourcing party device, so that the updated management service outsourcing party device can be authenticated.
As another example, the third-party device has a contracted management service outsourcing party device when completing the tenant registration request, and after the third-party device and the contracted management service outsourcing party device have jointly performed network management for a period of time, management service outsourcing party devices are added or removed. The third-party device may also send second indication information to the exposure governance management function entity to update the information about the management service outsourcing party device, so that the updated management service outsourcing party device can be authenticated.
Below, the embodiments of this application take as an example the scenario in which the third-party device has no contracted management service outsourcing party device before completing the tenant registration request, performs network management on its own for a period of time after completing tenant registration, and then outsources network management, to describe in detail yet another implementation of the authentication method provided in the embodiments of this application. The exposure governance management function entity may be the EGMF in FIG. 1 or FIG. 2.
By way of example, FIG. 9 is a schematic flowchart of yet another authentication method provided in an embodiment of this application. The authentication method includes the following steps:
S901. The third-party device sends a tenant information update request to the exposure governance management function entity. Correspondingly, the exposure governance management function entity receives the tenant information update request from the third-party device.
The tenant information update request carries the tenant ID, the information about the management service outsourcing party device, and the second indication information. The information about the management service outsourcing party device includes the information about the added management service outsourcing party device. The second indication information is used to instruct the exposure governance management function entity to perform an add operation on the information about the management service outsourcing party device.
In one possible design, the tenant ID and the information about the management service outsourcing party device may also be included in the second indication information, or the information about the management service outsourcing party device is included in the second indication information while the tenant ID is not; this is not limited in the embodiments of this application.
S902. The exposure governance management function entity updates the information about the management service outsourcing party device based on the tenant information update request, and determines information for authenticating the identity of the management service outsourcing party device.
The information for authenticating the identity of the management service outsourcing party device may include a tenant ID and verification information.
By way of example, after receiving the tenant information update request, the exposure governance management function entity updates the tenant instance corresponding to the tenant ID based on the tenant ID, the information about the management service outsourcing party device and the second indication information carried in the request, for example by adding the information about the management service outsourcing party device, and generates verification information based on the information about the added management service outsourcing party device. For the specific process of generating verification information, refer to S602, S702 or S802 above, which are not repeated here.
It should be noted that, for a third-party device that already had a contracted management service outsourcing party device at tenant registration, when management service outsourcing party devices are added or deleted, the exposure governance management function entity may add or delete the corresponding information for authenticating the identity of the management service outsourcing party device based on the information about the added or deleted devices, or may re-determine the information for authenticating the identity of all management service outsourcing party devices after the information about the management service outsourcing party device is updated; this is not limited in the embodiments of this application.
S903. The exposure governance management function entity sends the information for authenticating the identity of the management service outsourcing party device to the management service outsourcing party device.
In one possible design, the exposure governance management function entity sends a tenant information update response to the third-party device, and correspondingly the third-party device receives the tenant information update response from the exposure governance management function entity; the tenant information update response carries the information for authenticating the identity of the management service outsourcing party device. The third-party device then sends a tenant information update notification to the management service outsourcing party device, and correspondingly the management service outsourcing party device receives the tenant information update notification from the third-party device; the tenant information update notification carries the information for authenticating the identity of the management service outsourcing party device. For the specific implementation, refer to S603 or S703 to S704 above, which are not repeated here.
In another possible design, the exposure governance management function entity may send an identity verification information notification directly to the management service outsourcing party device. Correspondingly, the management service outsourcing party device receives the identity verification information notification from the exposure governance management function entity; the identity verification information notification carries the information for authenticating the identity of the management service outsourcing party device. For the specific implementation, refer to S603 or S803 above, which is not repeated here.
S904. The first device sends an identity authentication request to the exposure governance management function entity. Correspondingly, the exposure governance management function entity receives the identity authentication request from the first device.
S905. The exposure governance management function entity authenticates the first device based on the identity authentication request.
S906. The exposure governance management function entity sends an identity authentication response to the first device. Correspondingly, the first device receives the identity authentication response from the exposure governance management function entity.
For the specific implementation of S904 to S906, refer to S604 to S606, S705 to S707 or S804 to S806 above, which are not repeated here.
S907. The first device sends tenant information update result feedback to the third-party device. Correspondingly, the third-party device receives the tenant information update result feedback from the first device.
The tenant information update result feedback carries the first indication information. For a description of the first indication information, refer to S606, S708 or S807 above, which is not repeated here.
Based on the authentication method shown in FIG. 9, the exposure governance management function entity can convey the information about the management service outsourcing party through tenant information update messages, and can update the authentication information according to changes in the information about the management service outsourcing party device, thereby completing the operator's authentication of the identity of the management service outsourcing party and improving the reliability of network management.
It should be noted that message names such as "tenant verification information notification" and "tenant identity authentication request" above may also be replaced with other message names; this is not limited in the embodiments of this application.
Based on the authentication methods shown in FIG. 6 to FIG. 9, the exposure governance management function entity can generate and send information for authenticating the identity of the management service outsourcing party device based on the information about the management service outsourcing party device sent by the third-party device. When authenticating the management service outsourcing party device, the exposure governance management function entity can determine, from the received authentication information and the information for authenticating the identity of the management service outsourcing party device, whether the device being authenticated is the management service outsourcing party device, thereby authenticating the management service outsourcing party. Thus, based on the information about the management service outsourcing party device and the exposure governance management function entity, both tenant management and the operator's authentication of the management service outsourcing party can be achieved, which improves the network management capabilities for the third party and enables more fine-grained network management.
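As an added example (not code from the patent), the following Python simulation models the EGMF side of the procedures of FIG. 6 to FIG. 9 in one place: tenant registration with one verification token per outsourcing party device (S602/S702), the match on tenant ID plus verification information in S605/S706, the third party's decision in S607 to stop running the outsourced services itself, and the add/delete update driven by the second indication information in S902. Class and function names, the token format, the stand-in third-party check and the constant-time comparison are assumptions of this example.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, Iterable, Optional, Tuple

# Management services named on the page (discovery, configuration,
# performance measurement, fault alarm).
DISCOVERY, CONFIGURATION, PERFORMANCE, FAULT_ALARM = (
    "discovery", "configuration", "performance", "fault_alarm")

# Info about one outsourcing party device: (identifier, invokable services, IP or None).
OutsourcerInfo = Tuple[str, Iterable[str], Optional[str]]


@dataclass
class Outsourcer:
    device_id: str                # name, numeric id or IP address (page allows any)
    services: FrozenSet[str]      # management services outsourced to this device
    token: str                    # verification information generated by the EGMF
    ip: Optional[str] = None      # lets the EGMF notify the device directly (FIG. 8)
    auth_state: str = "unauthenticated"


@dataclass
class TenantInstance:
    tenant_id: str
    subscribed: FrozenSet[str]    # services the third party bought from the operator
    outsourcers: Dict[str, Outsourcer] = field(default_factory=dict)


class EGMF:
    """Simulated exposure governance management function (hypothetical class)."""

    def __init__(self) -> None:
        self.tenants: Dict[str, TenantInstance] = {}

    def register_tenant(self, tenant_profile: dict, subscribed: Iterable[str],
                        outsourcer_infos: Iterable[OutsourcerInfo]):
        """S701-S703: create the tenant instance, assign a tenant ID and generate
        one verification token per outsourcing party device.
        Returns (tenant_id, {device_id: (tenant_id, token)})."""
        if not tenant_profile.get("name"):      # stand-in for third-party authentication
            raise ValueError("third-party authentication failed")
        inst = TenantInstance("tenant-" + secrets.token_hex(4), frozenset(subscribed))
        self.tenants[inst.tenant_id] = inst
        return inst.tenant_id, self._add_outsourcers(inst, outsourcer_infos)

    def _add_outsourcers(self, inst: TenantInstance, infos: Iterable[OutsourcerInfo]):
        creds = {}
        for device_id, services, ip in infos:
            services = frozenset(services)
            # The page states the outsourced set is the subscription or a subset of it.
            if not services <= inst.subscribed:
                raise ValueError(f"{device_id}: services not in tenant subscription")
            out = Outsourcer(device_id, services, secrets.token_urlsafe(32), ip)
            inst.outsourcers[device_id] = out
            creds[device_id] = (inst.tenant_id, out.token)
        return creds

    def update_tenant(self, tenant_id: str, operation: str, infos):
        """S902: apply the second indication ('add' or 'delete'); 'delete' entries
        need only the identifier. Returns credentials for newly added devices;
        deleted devices lose their token and can no longer authenticate."""
        inst = self.tenants[tenant_id]
        if operation == "add":
            return self._add_outsourcers(inst, infos)
        if operation == "delete":
            for device_id, *_ in infos:
                inst.outsourcers.pop(device_id, None)
            return {}
        raise ValueError(f"unsupported operation {operation!r}")

    def authenticate(self, auth_info: dict) -> dict:
        """S605/S706: match tenant ID and verification info; on success mark the
        device authenticated and return invocation info limited to its services."""
        inst = self.tenants.get(auth_info.get("tenant_id") or "")
        token = auth_info.get("verification")
        if inst is None or not isinstance(token, str):
            return {"result": "failure"}
        for out in inst.outsourcers.values():
            if hmac.compare_digest(out.token.encode(), token.encode()):  # constant time
                out.auth_state = "authenticated"
                return {"result": "success", "device_id": out.device_id,
                        "services": sorted(out.services)}
        return {"result": "failure"}


def services_kept_by_third_party(subscribed, outsourced, indication: dict):
    """S607: once the outsourcer reports success, the third party stops running
    the outsourced services itself and keeps only the remainder."""
    if indication.get("result") != "success":
        return frozenset(subscribed)
    return frozenset(subscribed) - frozenset(outsourced)
```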
The authentication method provided in the embodiments of this application has been described in detail above with reference to FIG. 4 to FIG. 9. The communication apparatuses for performing the authentication method provided in the embodiments of this application are described in detail below with reference to FIG. 10 to FIG. 12.
By way of example, FIG. 10 is a schematic structural diagram of a communication apparatus provided in an embodiment of this application. As shown in FIG. 10, the communication apparatus 1000 includes a processing module 1001 and a transceiver module 1002. For ease of description, FIG. 10 shows only the main components of the communication apparatus.
In some embodiments, the communication apparatus 1000 may be applied to the system shown in FIG. 4 or FIG. 5 and perform the functions of the exposure governance management function entity in any of the methods shown in FIG. 6 to FIG. 9.
The transceiver module 1002 is configured to receive, from a third-party device, information about a management service outsourcing party device, where the management service outsourcing party device is used to invoke the network management capabilities exposed to the third-party device, and the information about the management service outsourcing party device includes information about the management services that the management service outsourcing party device can invoke.
The processing module 1001 is configured to determine, based on the information about the management service outsourcing party device, information for authenticating the identity of the management service outsourcing party device.
The transceiver module 1002 is further configured to send the information for authenticating the identity of the management service outsourcing party device to the management service outsourcing party device.
Further, the transceiver module 1002 is configured to receive authentication information from a first device.
The processing module 1001 is configured to determine that the first device is the management service outsourcing party device if the authentication information matches the information for authenticating the identity of the management service outsourcing party device.
In one possible design, the transceiver module 1002 is configured to send first indication information to the first device, where the first indication information is used to indicate that the first device is successfully authenticated.
In one possible design, the information about the management service outsourcing party device may include the IP address of the management service outsourcing party device. The transceiver module 1002 is configured to send the information for authenticating the identity of the management service outsourcing party device to the management service outsourcing party device based on that IP address.
In one possible design, the transceiver module 1002 is configured to receive second indication information from the third-party device, where the second indication information is used to instruct the exposure governance management function entity to perform one or more of adding, deleting, modifying or querying the information about the management service outsourcing party device.
Optionally, the transceiver module 1002 may include a sending module (not shown in FIG. 10) and a receiving module (not shown in FIG. 10). The sending module implements the sending function of the communication apparatus 1000, and the receiving module implements its receiving function.
Optionally, the communication apparatus 1000 may further include a storage module (not shown in FIG. 10) that stores a program or instructions. When the processing module 1001 executes the program or instructions, the communication apparatus 1000 can perform the functions of the exposure governance management function entity in any of the methods shown in FIG. 6 to FIG. 9.
It should be noted that the communication apparatus 1000 may be a network device, a chip (system) or another part or component that can be provided in a network device, or an apparatus that includes a network device; this is not limited in this application.
In addition, for the technical effects of the communication apparatus 1000, refer to the technical effects of the authentication methods shown in FIG. 6 to FIG. 9, which are not repeated here.
In other embodiments, the communication apparatus 1000 may be applied to the system shown in FIG. 4 or FIG. 5 and perform the functions of the first device or the management service outsourcing party device in any of the methods shown in FIG. 6 to FIG. 9.
The processing module 1001 is configured to obtain authentication information, where the communication apparatus 1000 is the management service outsourcing party device, which is used to invoke the network management capabilities exposed to the third-party device.
The transceiver module 1002 is configured to send the authentication information to the exposure governance management function entity.
In one possible design, the authentication information may include information for authenticating the identity of the management service outsourcing party device. The transceiver module 1002 is configured to receive that information from the exposure governance management function entity.
In another possible design, the authentication information may include information for authenticating the identity of the management service outsourcing party device. The transceiver module 1002 is configured to receive that information from the third-party device.
In one possible design, the transceiver module 1002 is configured to receive first indication information from the exposure governance management function entity, where the first indication information is used to indicate that the apparatus is successfully authenticated.
In one possible design, the transceiver module 1002 is configured to send the first indication information to the third-party device.
Optionally, the transceiver module 1002 may include a sending module (not shown in FIG. 10) and a receiving module (not shown in FIG. 10). The sending module implements the sending function of the communication apparatus 1000, and the receiving module implements its receiving function.
Optionally, the communication apparatus 1000 may further include a storage module (not shown in FIG. 10) that stores a program or instructions. When the processing module 1001 executes the program or instructions, the communication apparatus 1000 can perform the functions of the first device or the management service outsourcing party device in any of the methods shown in FIG. 6 to FIG. 9.
It should be noted that the communication apparatus 1000 may be a network device, a chip (system) or another part or component that can be provided in a network device, or an apparatus that includes a network device; this is not limited in this application.
In addition, for the technical effects of the communication apparatus 1000, refer to the technical effects of the authentication methods shown in FIG. 6 to FIG. 9, which are not repeated here.
By way of example, FIG. 11 is a schematic structural diagram of another communication apparatus provided in an embodiment of this application. As shown in FIG. 11, the communication apparatus 1100 includes a sending module 1101 and a receiving module 1102. For ease of description, FIG. 11 shows only the main components of the communication apparatus.
The communication apparatus 1100 may be applied to the system shown in FIG. 4 or FIG. 5 and perform the functions of the third-party device in any of the methods shown in FIG. 6 to FIG. 9.
The sending module 1101 is configured to send information about a management service outsourcing party device to the exposure governance management function entity, where the management service outsourcing party device is used to invoke the network management capabilities exposed to the apparatus, and the information about the management service outsourcing party device includes information about the management services that the management service outsourcing party device can invoke.
The receiving module 1102 is configured to receive, from the exposure governance management function entity, information for authenticating the identity of the management service outsourcing party device, where that information is determined based on the information about the management service outsourcing party device.
The sending module 1101 is further configured to send the information for authenticating the identity of the management service outsourcing party device to the management service outsourcing party device.
In one possible design, the receiving module 1102 is further configured to receive first indication information from a first device, where the first indication information is used to indicate that the first device is successfully authenticated, and the first device is the management service outsourcing party device.
In one possible design, the sending module 1101 is further configured to send second indication information to the exposure governance management function entity, where the second indication information is used to instruct the exposure governance management function entity to perform one or more of adding, deleting, modifying or querying the information about the management service outsourcing party device.
Optionally, the sending module 1101 and the receiving module 1102 may also be integrated into one module, such as a transceiver module (not shown in FIG. 11), which implements the sending and receiving functions of the communication apparatus 1100.
Optionally, the communication apparatus 1100 may further include a processing module 1103, which implements the processing function of the communication apparatus 1100.
Optionally, the communication apparatus 1100 may further include a storage module (not shown in FIG. 11) that stores a program or instructions. When the processing module executes the program or instructions, the communication apparatus 1100 can perform the functions of the third-party device in any of the methods shown in FIG. 6 to FIG. 9.
It should be noted that the communication apparatus 1100 may be a network device such as the third-party device, a chip (system) or another part or component that can be provided in a network device, or an apparatus that includes a network device; this is not limited in this application.
In addition, for the technical effects of the communication apparatus 1100, refer to the technical effects of the authentication methods shown in FIG. 6 to FIG. 9, which are not repeated here.
By way of example, FIG. 12 is a schematic structural diagram of yet another communication apparatus provided in an embodiment of this application. The communication apparatus may be a network device, such as the exposure governance management function entity, the third-party device, the first device or the management service outsourcing party device described above, or a chip (system) or another part or component that can be provided in a network device. As shown in FIG. 12, the communication apparatus 1200 may include a processor 1201. Optionally, the communication apparatus 1200 may further include a memory 1202 and/or a transceiver 1203. The processor 1201 is coupled to the memory 1202 and the transceiver 1203, for example through a communication bus.
The components of the communication apparatus 1200 are described in detail below with reference to FIG. 12:
The processor 1201 is the control center of the communication apparatus 1200 and may be a single processor or a collective term for multiple processing elements. For example, the processor 1201 may be one or more central processing units (CPUs), an application specific integrated circuit (ASIC), or one or more integrated circuits configured to implement the embodiments of this application, such as one or more digital signal processors (DSPs) or one or more field programmable gate arrays (FPGAs).
Optionally, the processor 1201 may perform various functions of the communication apparatus 1200, such as the methods shown in FIG. 6 to FIG. 9 above, by running or executing software programs stored in the memory 1202 and calling data stored in the memory 1202.
In a specific implementation, as an embodiment, the processor 1201 may include one or more CPUs, such as CPU0 and CPU1 shown in FIG. 12.
In a specific implementation, as an embodiment, the communication apparatus 1200 may also include multiple processors, such as the processor 1201 and the processor 1204 shown in FIG. 12. Each of these processors may be a single-core processor (single-CPU) or a multi-core processor (multi-CPU). A processor here may refer to one or more devices, circuits and/or processing cores for processing data (such as computer program instructions).
The memory 1202 is used to store the software programs for executing the solutions of this application, and their execution is controlled by the processor 1201; for the specific implementation, refer to the method embodiments above, which are not repeated here.
Optionally, the memory 1202 may be, but is not limited to, a read-only memory (ROM) or another type of static storage device that can store static information and instructions, a random access memory (RAM) or another type of dynamic storage device that can store information and instructions, an electrically erasable programmable read-only memory (EEPROM), a compact disc read-only memory (CD-ROM) or other optical disc storage, optical disc storage (including compact discs, laser discs, optical discs, digital versatile discs, Blu-ray discs, and so on), magnetic disk storage media or other magnetic storage devices, or any other medium that can be used to carry or store desired program code in the form of instructions or data structures and that can be accessed by a computer. The memory 1202 may be integrated with the processor 1201, or may exist independently and be coupled to the processor 1201 through an interface circuit (not shown in FIG. 12) of the communication apparatus 1200; this is not specifically limited in the embodiments of this application.
The transceiver 1203 is used for communication with other communication apparatuses. For example, if the communication apparatus 1200 is a terminal device, the transceiver 1203 may be used to communicate with a network device or with another terminal device. As another example, if the communication apparatus 1200 is a network device, the transceiver 1203 may be used to communicate with a terminal device or with another network device.
Optionally, the transceiver 1203 may include a receiver and a transmitter (not shown separately in FIG. 12), where the receiver implements the receiving function and the transmitter implements the sending function.
Optionally, the transceiver 1203 may be integrated with the processor 1201, or may exist independently and be coupled to the processor 1201 through an interface circuit (not shown in FIG. 12) of the communication apparatus 1200; this is not specifically limited in the embodiments of this application.
It should be noted that the structure of the communication apparatus 1200 shown in FIG. 12 does not limit the communication apparatus; an actual communication apparatus may include more or fewer components than shown, combine certain components, or arrange the components differently.
In addition, for the technical effects of the communication apparatus 1200, refer to the technical effects of the methods described in the method embodiments above, which are not repeated here.
An embodiment of this application further provides an authentication system. The authentication system includes an exposure governance management function entity, a third-party device and a management service outsourcing party device.
Optionally, the authentication system may further include a first device.
It should be understood that the processor in the embodiments of this application may be a central processing unit (CPU), or may be another general-purpose processor, a digital signal processor (DSP), an application specific integrated circuit (ASIC), a field programmable gate array (FPGA) or another programmable logic device, a discrete gate or transistor logic device, a discrete hardware component, or the like. The general-purpose processor may be a microprocessor or any conventional processor.
It should also be understood that the memory in the embodiments of this application may be a volatile memory or a non-volatile memory, or may include both. The non-volatile memory may be a read-only memory (ROM), a programmable ROM (PROM), an erasable PROM (EPROM), an electrically EPROM (EEPROM) or a flash memory. The volatile memory may be a random access memory (RAM), which is used as an external cache. By way of example and not limitation, many forms of RAM are available, such as static RAM (SRAM), dynamic RAM (DRAM), synchronous DRAM (SDRAM), double data rate SDRAM (DDR SDRAM), enhanced SDRAM (ESDRAM), synchlink DRAM (SLDRAM) and direct rambus RAM (DR RAM).
The above embodiments may be implemented in whole or in part by software, hardware (such as circuits), firmware or any combination thereof. When implemented in software, the above embodiments may be implemented in whole or in part in the form of a computer program product. The computer program product includes one or more computer instructions or computer programs. When the computer instructions or computer programs are loaded or executed on a computer, the procedures or functions described in the embodiments of this application are produced in whole or in part. The computer may be a general-purpose computer, a special-purpose computer, a computer network or another programmable apparatus. The computer instructions may be stored in a computer-readable storage medium or transmitted from one computer-readable storage medium to another; for example, the computer instructions may be transmitted from one website, computer, server or data center to another website, computer, server or data center by wired or wireless (for example, infrared, radio or microwave) means. The computer-readable storage medium may be any available medium accessible by a computer, or a data storage device such as a server or data center that contains one or more available media. The available medium may be a magnetic medium (for example, a floppy disk, hard disk or magnetic tape), an optical medium (for example, a DVD) or a semiconductor medium. The semiconductor medium may be a solid state drive.
It should be understood that the term "and/or" herein only describes an association relationship between associated objects and indicates that three relationships may exist; for example, "A and/or B" may mean: A alone, both A and B, or B alone, where A and B may be singular or plural. In addition, the character "/" herein generally indicates an "or" relationship between the associated objects, but may also indicate an "and/or" relationship, which should be understood from the context.
In this application, "at least one" means one or more, and "multiple" means two or more. "At least one of the following items" or similar expressions refer to any combination of these items, including any combination of a single item or multiple items. For example, "at least one of a, b or c" may mean: a, b, c, a-b, a-c, b-c, or a-b-c, where a, b and c may each be single or multiple.
It should be understood that, in the various embodiments of this application, the sequence numbers of the above processes do not imply an order of execution; the execution order of the processes should be determined by their functions and internal logic, and should not constitute any limitation on the implementation of the embodiments of this application.
A person of ordinary skill in the art may be aware that the units and algorithm steps of the examples described in the embodiments disclosed herein can be implemented by electronic hardware or by a combination of computer software and electronic hardware. Whether these functions are performed in hardware or software depends on the specific application and design constraints of the technical solution. A skilled person may use different methods to implement the described functions for each specific application, but such an implementation should not be considered beyond the scope of this application.
A person skilled in the art can clearly understand that, for convenience and brevity of description, for the specific working processes of the systems, apparatuses and units described above, reference may be made to the corresponding processes in the method embodiments above, which are not repeated here.
In the several embodiments provided in this application, it should be understood that the disclosed systems, apparatuses and methods may be implemented in other ways. For example, the apparatus embodiments described above are only illustrative; for example, the division of units is only a logical function division, and there may be other divisions in actual implementation; for example, multiple units or components may be combined or integrated into another system, or some features may be ignored or not performed. In addition, the mutual couplings, direct couplings or communication connections shown or discussed may be indirect couplings or communication connections through some interfaces, apparatuses or units, and may be electrical, mechanical or in other forms.
The units described as separate parts may or may not be physically separate, and the parts shown as units may or may not be physical units; that is, they may be located in one place or distributed over multiple network units. Some or all of the units may be selected according to actual needs to achieve the objectives of the solutions of the embodiments.
In addition, the functional units in the embodiments of this application may be integrated into one processing unit, or each unit may exist physically alone, or two or more units may be integrated into one unit.
If the functions are implemented in the form of software functional units and sold or used as independent products, they may be stored in a computer-readable storage medium. Based on this understanding, the technical solutions of this application, or the part that contributes to the prior art, or part of the technical solutions, may be embodied in the form of a software product. The computer software product is stored in a storage medium and includes several instructions for causing a computer device (which may be a personal computer, a server, a network device or the like) to perform all or part of the steps of the methods described in the embodiments of this application. The storage medium includes: a USB flash drive, a removable hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk, an optical disc, or any other medium that can store program code.
The above are only specific implementations of this application, but the protection scope of this application is not limited thereto. Any variation or replacement readily conceivable by a person skilled in the art within the technical scope disclosed in this application shall fall within the protection scope of this application. Therefore, the protection scope of this application shall be subject to the protection scope of the claims.

Claims (29)

  1. An authentication method, characterized in that the method comprises:
    an exposure governance management function entity receiving, from a third-party device, information about a management service outsourcing party device, wherein the management service outsourcing party device is used to invoke network management capabilities exposed to the third-party device, and the information about the management service outsourcing party device comprises information about management services that the management service outsourcing party device can invoke;
    the exposure governance management function entity determining, based on the information about the management service outsourcing party device, information for authenticating the identity of the management service outsourcing party device;
    the exposure governance management function entity sending the information for authenticating the identity of the management service outsourcing party device to the management service outsourcing party device.
  2. The method according to claim 1, characterized in that the method further comprises:
    the exposure governance management function entity receiving authentication information from a first device;
    if the authentication information matches the information for authenticating the identity of the management service outsourcing party device, the exposure governance management function entity determining that the first device is the management service outsourcing party device.
  3. The method according to claim 2, characterized in that the method further comprises:
    the exposure governance management function entity sending first indication information to the first device, wherein the first indication information is used to indicate that the first device is successfully authenticated.
  4. The method according to any one of claims 1 to 3, characterized in that the information about the management service outsourcing party device comprises an internet protocol (IP) address of the management service outsourcing party device;
    the exposure governance management function entity sending the information for authenticating the identity of the management service outsourcing party device comprises:
    the exposure governance management function entity sending, based on the IP address of the management service outsourcing party device, the information for authenticating the identity of the management service outsourcing party device to the management service outsourcing party device.
  5. The method according to any one of claims 1 to 4, characterized in that the method further comprises:
    the exposure governance management function entity receiving second indication information from the third-party device, wherein the second indication information is used to instruct the exposure governance management function entity to perform one or more of adding, deleting, modifying or querying the information about the management service outsourcing party device.
  6. An authentication method, characterized in that the method comprises:
    a third-party device sending information about a management service outsourcing party device to an exposure governance management function entity, wherein the management service outsourcing party device is used to invoke network management capabilities exposed to the third-party device, and the information about the management service outsourcing party device comprises information about management services that the management service outsourcing party device can invoke;
    the third-party device receiving, from the exposure governance management function entity, information for authenticating the identity of the management service outsourcing party device, wherein the information for authenticating the identity of the management service outsourcing party device is determined based on the information about the management service outsourcing party device;
    the third-party device sending the information for authenticating the identity of the management service outsourcing party device to the management service outsourcing party device.
  7. The method according to claim 6, characterized in that the method further comprises:
    the third-party device receiving first indication information from a first device, wherein the first indication information is used to indicate that the first device is successfully authenticated, and the first device is the management service outsourcing party device.
  8. The method according to claim 6 or 7, characterized in that the method further comprises:
    the third-party device sending second indication information to the exposure governance management function entity, wherein the second indication information is used to instruct the exposure governance management function entity to perform one or more of adding, deleting, modifying or querying the information about the management service outsourcing party device.
  9. An authentication method, characterized in that the method comprises:
    a first device obtaining authentication information, wherein the first device is a management service outsourcing party device, and the management service outsourcing party device is used to invoke network management capabilities exposed to a third-party device;
    the first device sending the authentication information to an exposure governance management function entity.
  10. The method according to claim 9, characterized in that the authentication information comprises information for authenticating the identity of the management service outsourcing party device;
    the first device obtaining authentication information comprises:
    the first device receiving, from the exposure governance management function entity, the information for authenticating the identity of the management service outsourcing party device.
  11. The method according to claim 9, characterized in that the authentication information comprises information for authenticating the identity of the management service outsourcing party device;
    the first device obtaining authentication information comprises:
    the first device receiving, from the third-party device, the information for authenticating the identity of the management service outsourcing party device.
  12. The method according to any one of claims 9 to 11, characterized in that the method further comprises:
    the first device receiving first indication information from the exposure governance management function entity, wherein the first indication information is used to indicate that the first device is successfully authenticated.
  13. The method according to claim 12, characterized in that the method further comprises:
    the first device sending the first indication information to the third-party device.
  14. A communication apparatus, characterized in that the apparatus comprises a processing module and a transceiver module, wherein:
    the transceiver module is configured to receive, from a third-party device, information about a management service outsourcing party device, wherein the management service outsourcing party device is used to invoke network management capabilities exposed to the third-party device, and the information about the management service outsourcing party device comprises information about management services that the management service outsourcing party device can invoke;
    the processing module is configured to determine, based on the information about the management service outsourcing party device, information for authenticating the identity of the management service outsourcing party device;
    the transceiver module is further configured to send the information for authenticating the identity of the management service outsourcing party device to the management service outsourcing party device.
  15. The apparatus according to claim 14, characterized in that
    the transceiver module is configured to receive authentication information from a first device;
    the processing module is configured to determine, if the authentication information matches the information for authenticating the identity of the management service outsourcing party device, that the first device is the management service outsourcing party device.
  16. The apparatus according to claim 15, characterized in that
    the transceiver module is configured to send first indication information to the first device, wherein the first indication information is used to indicate that the first device is successfully authenticated.
  17. The apparatus according to any one of claims 14 to 16, characterized in that the information about the management service outsourcing party device comprises an internet protocol (IP) address of the management service outsourcing party device;
    the transceiver module is configured to send, based on the IP address of the management service outsourcing party device, the information for authenticating the identity of the management service outsourcing party device to the management service outsourcing party device.
  18. The apparatus according to any one of claims 14 to 17, characterized in that
    the transceiver module is configured to receive second indication information from the third-party device, wherein the second indication information is used to instruct the exposure governance management function entity to perform one or more of adding, deleting, modifying or querying the information about the management service outsourcing party device.
  19. A communication apparatus, characterized in that the apparatus comprises a sending module and a receiving module, wherein:
    the sending module is configured to send information about a management service outsourcing party device to an exposure governance management function entity, wherein the management service outsourcing party device is used to invoke network management capabilities exposed to the apparatus, and the information about the management service outsourcing party device comprises information about management services that the management service outsourcing party device can invoke;
    the receiving module is configured to receive, from the exposure governance management function entity, information for authenticating the identity of the management service outsourcing party device, wherein the information for authenticating the identity of the management service outsourcing party device is determined based on the information about the management service outsourcing party device;
    the sending module is further configured to send the information for authenticating the identity of the management service outsourcing party device to the management service outsourcing party device.
  20. The apparatus according to claim 19, characterized in that
    the receiving module is further configured to receive first indication information from a first device, wherein the first indication information is used to indicate that the first device is successfully authenticated, and the first device is the management service outsourcing party device.
  21. The apparatus according to claim 19 or 20, characterized in that
    the sending module is further configured to send second indication information to the exposure governance management function entity, wherein the second indication information is used to instruct the exposure governance management function entity to perform one or more of adding, deleting, modifying or querying the information about the management service outsourcing party device.
  22. A communication apparatus, characterized in that the apparatus comprises a processing module and a transceiver module, wherein:
    the processing module is configured to obtain authentication information, wherein the apparatus is a management service outsourcing party device, and the management service outsourcing party device is used to invoke network management capabilities exposed to a third-party device;
    the transceiver module is configured to send the authentication information to an exposure governance management function entity.
  23. The apparatus according to claim 22, characterized in that the authentication information comprises information for authenticating the identity of the management service outsourcing party device;
    the transceiver module is configured to receive, from the exposure governance management function entity, the information for authenticating the identity of the management service outsourcing party device.
  24. The apparatus according to claim 22, characterized in that the authentication information comprises information for authenticating the identity of the management service outsourcing party device;
    the transceiver module is configured to receive, from the third-party device, the information for authenticating the identity of the management service outsourcing party device.
  25. The apparatus according to any one of claims 22 to 24, characterized in that
    the transceiver module is configured to receive first indication information from the exposure governance management function entity, wherein the first indication information is used to indicate that the apparatus is successfully authenticated.
  26. The apparatus according to claim 25, characterized in that
    the transceiver module is configured to send the first indication information to the third-party device.
  27. A communication apparatus, characterized in that it comprises a processor, the processor being coupled to a memory;
    the memory is configured to store a computer program;
    the processor is configured to execute the computer program stored in the memory, so that the communication apparatus performs the method according to any one of claims 1 to 13.
  28. A computer-readable storage medium, characterized in that the computer-readable storage medium stores a computer program or instructions which, when run on a computer, cause the computer to perform the method according to any one of claims 1 to 13.
  29. A computer program product, characterized in that the computer program product comprises a computer program or instructions which, when run on a computer, cause the computer to perform the method according to any one of claims 1 to 13.
PCT/CN2023/089467 2022-05-30 2023-04-20 Authentication method and communication apparatus WO2023231631A1 (zh)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN202210599239.X 2022-05-30
CN202210599239.XA CN117201046A (zh) 2022-05-30 2022-05-30 Authentication method and communication apparatus

Publications (1)

Publication Number Publication Date
WO2023231631A1 true WO2023231631A1 (zh) 2023-12-07

Family

ID=89002124

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2023/089467 WO2023231631A1 (zh) 2022-05-30 2023-04-20 Authentication method and communication apparatus

Country Status (2)

Country Link
CN (1) CN117201046A (zh)
WO (1) WO2023231631A1 (zh)

Also Published As

Publication number Publication date
CN117201046A (zh) 2023-12-08

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 23814817

Country of ref document: EP

Kind code of ref document: A1