New CLI in 11.1.0R0

SBX-86522 Support for TLS 1.3 on SBC Core

The flag v1_3 is added to the TLS Profile to configure TLS 1.3 support. In addition, three Ciphersuites are added to support TLS 1.3.

Command Syntax

Example
% set profiles security tlsProfile <tls profile name> v1_3 <disabled | enabled>
% set profiles security tlsProfile <tls profile name> cipherSuite <cipherSuite1/2/3>
   tls_aes_128_gcm_sha256
   tls_aes_256_gcm_sha384
   tls_chacha20_poly1305_sha256
Command Parameters

Parameter: v1_3
Length/Range: n/a
Default: disabled
Description: Enable this flag to configure the SBC to support TLS 1.3 on the ingress and egress legs.
  • disabled
  • enabled
M/O: O

Parameter: tls_aes_128_gcm_sha256
Length/Range: n/a
Default: n/a
Description: TLS 1.3 Ciphersuite
M/O: O

Parameter: tls_aes_256_gcm_sha384
Length/Range: n/a
Default: n/a
Description: TLS 1.3 Ciphersuite
M/O: O

Parameter: tls_chacha20_poly1305_sha256
Length/Range: n/a
Default: n/a
Description: TLS 1.3 Ciphersuite
M/O: O
Configuration Examples
set profiles security tlsProfile defaultTlsProfile v1_3 enabled
set profiles security tlsProfile defaultTlsProfile cipherSuite1 tls_aes_128_gcm_sha256
set profiles security tlsProfile defaultTlsProfile cipherSuite2 tls_aes_256_gcm_sha384
set profiles security tlsProfile defaultTlsProfile cipherSuite3 tls_chacha20_poly1305_sha256
commit

SBX-93114 SIP Registrar Functionality Support

The SBC Core is enhanced to support SIP Registrar functionality for SIP end points. This feature allows the Ribbon SBC to act as an Access SBC with Registrar functionality in a single deployment.

SIP TG - Signaling - SIP Local Registrar - CLI

The CLI object sipLocalRegistrar to support the SIP Registrar functionality is added to the CLI in this release.

Command Syntax

The following CLI shows how to enable the SIP Local Registrar functionality.

sipTrunkGroup - signaling - sipLocalRegistrar - CLI
set addressContext <name> zone <name> sipTrunkGroup <name> signaling sipLocalRegistrar <disabled | enabled>
Command Parameters

Parameter: sipLocalRegistrar
Length/Range: N/A
Default: disabled
Description: Use this flag to enable the SIP Local Registrar functionality. When enabled, messages are sent to the SIP Local Registrar.
  • disabled (default)
  • enabled
Command Example
sipTrunkGroup - signaling - sipLocalRegistrar - CLI Example
set addressContext <name> zone <name> sipTrunkGroup <name> signaling sipLocalRegistrar <disabled | enabled>

For more information, refer to SIP TG - Signaling - SIP Local Registrar - CLI.

Signaling - Global - CLI - SIP Local Registrar Object

Command Syntax
SIP Local Registrar
% set global signaling sipLocalRegistrar
    expires <15-65535>
    minExpires <15-65535>
    sipRegSubscriberProfile <aor Name>
        sipRegAdminState <active | inactive>
        sipRegSendChallenge <challengeForNone | challengeForRegister | challengeForRegisterAndInvite>
        sipRegAuthRealm <authentication Realm>
        sipRegAuthUserName <authentication UserName>
        sipRegAuthPassword <authentication Password>

% show global signaling sipLocalRegistrar
    sipRegSubscriberProfile <aor Name>
    expires
    minExpires
Command Parameters

Parameter: expires
Length/Range: 15-65535
Default: 3600
Description: The Expiry value used for Registration.
M/O: O

Parameter: minExpires
Length/Range: 15-65535
Default: 30
Description: The Min-Expiry value used for Registration. If a REGISTER is received with an Expires value less than this field, a 423 error response is generated.
M/O: O

Parameter: sipRegSubscriberProfile
Length/Range: 1-127 characters
Default: N/A
Description: This represents the Address Of Record (AOR) of the user. This is the mandatory key against which the binding is created. The AOR uses the "user@host" format. For example, testUser@example.com. Also see the CLI example below.
M/O: M

Parameter: sipRegAdminState
Length/Range: N/A
Default: active
Description: Defines whether the Subscriber state is active or inactive. The choices are:
  • active (default)
  • inactive
M/O: O

Parameter: sipRegSendChallenge
Length/Range: N/A
Default: challengeForNone
Description: Defines how the Authentication Challenge is sent.
  • challengeForNone - Authentication challenge is not initiated for any of the messages.
  • challengeForRegister - Authentication challenge is initiated for REGISTER messages only.
  • challengeForRegisterAndInvite - Authentication challenge is initiated for REGISTER/INVITE messages (re-INVITE would not be challenged).
M/O: O

Parameter: sipRegAuthRealm
Length/Range: 1-127 characters
Default: N/A
Description: The Authorization realm for SIP registration.
M/O: O

Parameter: sipRegAuthUserName
Length/Range: 1-127 characters
Default: N/A
Description: The Authorization user name for SIP registration.
M/O: O

Parameter: sipRegAuthPassword
Length/Range: 6-32 characters
Default: N/A
Description: DES3 (triple Digital Encryption Standard) encrypted string authentication password for SIP local registration. All ASCII characters from 33 to 126 (except 34 - double quotes) are allowed.
M/O: O

Note:

If the Authentication Password contains ASCII characters, enclose the entire password string in double quotes (" ").

Example using double quotes:

"Password1:@\#:########~%&*@#"

Since the SBC Registrar supports bulk load configuration, the length of the password string is not validated at the time of entry into the database. The Admin must make sure that the length is within the prescribed range (6-32 characters). For such out-of-range passwords, authentication can fail with a 403 error response.
Command Example
sipLocalRegistrar Configuration Examples
set global signaling sipLocalRegistrar expires 3500
set global signaling sipLocalRegistrar minExpires 300

set global signaling sipLocalRegistrar sipRegSubscriberProfile testUser@example.com sipRegAdminState active sipRegSendChallenge challengeForRegisterAndInvite sipRegAuthRealm example.com sipRegAuthUserName testUser sipRegAuthPassword password1

show global signaling sipLocalRegistrar sipRegSubscriberProfile testUser@example.com
      sipRegAuthUserName  testUser;
      sipRegAuthRealm     example.com;
      sipRegAuthPassword  $7$FZ5ju2oDUvNyLs8MvuBYmoCo55fOBhnu;
      sipRegAdminState    active;
      sipRegSendChallenge challengeForRegisterAndInvite;

show global signaling sipLocalRegistrar expires
expires 3500

show global signaling sipLocalRegistrar minExpires
minExpires 300

show status global sipLocalRegistrar
sipLocalRegistrarRegStatus 53056@10.xx.xx.70 {
    state          active;
    contactURI     sip:53056@10.xx.1xx.xx:5xx0;
    expirationTime 3600;
    creationTime   2022-09-08T10:23:29+00:00;
    refreshTime    0000-00-00T00:00:00+00:00;
    remainingTime  3493;
}
sipLocalRegistrarRegCountStatistics entry {
    sipRegAttemptCount      1;
    sipRegChallengedCount   1;
    sipRegStableCount       1;
    sipRegFailed403Count    0;
    sipRegFailed404Count    0;
    sipRegFailed503Count    0;
    sipRegFailedOthersCount 0;
}

request global sipLocalRegistrar sipRegCountReset

request global sipLocalRegistrar sipRegistrationDeleteByAor sipRegAor 53056@10.xx.xx.70
result success

For more information, refer to Signaling - Global - CLI.

SIP Local Registrar - Request CLI

Command Syntax
sipLocalRegistrar - Request CLI
% request global sipLocalRegistrar sipLocalRegistrarRegDeleteByAor <aor Name>

% request global sipLocalRegistrar sipRegCountReset
Command Parameters

Parameter: sipLocalRegistrarRegDeleteByAor
Length/Range: N/A
Default: N/A
Description: Use this flag to delete an AOR entry from the Registrar.

Parameter: sipRegCountReset
Length/Range: N/A
Default: N/A
Description: Use this parameter to reset the count of statistics.

Note

This resets all the counters except for stable registration. Stable registrations are displayed as real-time numbers.

Note

The <aor Name> in the CLI above represents the AOR of the user (1-127 characters).

For more information, refer to Request Global - CLI.

SIP Local Registrar - Show CLI

Command Syntax
sipLocalRegistrar - Show CLI
% show status global sipLocalRegistrar 
	sipActiveLocalRegistrarRegStatus
	sipLocalRegistrarRegCountStatistics
	sipLocalRegistrarRegCountCurStats
	sipLocalRegistrarRegCountIntStats


% show table global sipLocalRegistrar sipLocalRegistrarRegCountStatistics
Command Parameters

Parameter: sipActiveLocalRegistrarRegStatus
Length/Range: N/A
Default: N/A
Description: Shows the status of the AOR registered with the Registrar. If the AOR name is not provided, this shows the data for all the AORs registered at the Registrar.

Parameter: sipLocalRegistrarRegCountStatistics
Length/Range: N/A
Default: N/A
Description: Shows the attempt/stable/failed counts for registrations received at the Registrar. The statistics display the following fields:
  • sipRegAttemptCount – The total count of the register attempts.
  • sipRegChallengedCount – The count of the challenged register attempts.
  • sipRegStableCount – The count of the currently active and stable registered users.
  • sipRegFailed403Count – The count of the registers failed with a 403 SIP response code.
  • sipRegFailed404Count – The count of the registers failed with a 404 SIP response code.
  • sipRegFailed503Count – The count of the registers failed with a 503 SIP response code.
  • sipRegFailedOthersCount – The count of the registers failed with other SIP response codes.

Parameter: sipLocalRegistrarRegCountCurStats
Length/Range: N/A
Default: N/A
Description: The high water mark of the total number of stable registrations for the current interval.

Parameter: sipLocalRegistrarRegCountIntStats
Length/Range: N/A
Default: N/A
Description: The high water mark of the total number of stable registrations for the reporting interval.

For more information, refer to Show Status Global.
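As an added example (not Ribbon code), the Python below models the REGISTER handling rules from the sipLocalRegistrar parameter table (minExpires, sipRegAdminState, sipRegSendChallenge) and how each outcome feeds the sipLocalRegistrarRegCountStatistics counters listed above. The subscriber profiles, the sample REGISTER and the ordering of the checks are this example's assumptions; credential verification is left out.

```python
import re

# Constructed model of the sipLocalRegistrar settings on this page (added example, not Ribbon code).
REGISTRAR = {"expires": 3600, "minExpires": 300}
SUBSCRIBERS = {  # sipRegSubscriberProfile entries, keyed by AOR
    "testUser@example.com": {"sipRegAdminState": "active",
                             "sipRegSendChallenge": "challengeForRegisterAndInvite"},
    "parked@example.com": {"sipRegAdminState": "inactive",
                           "sipRegSendChallenge": "challengeForNone"},
}
CHALLENGE_REGISTER = {"challengeForRegister", "challengeForRegisterAndInvite"}
# Constructed REGISTER from the sample subscriber, sent without credentials.
SAMPLE_REGISTER = ("REGISTER sip:example.com SIP/2.0\r\n"
                   "To: <sip:testUser@example.com>\r\nExpires: 3500\r\n\r\n")

def new_counters():
    """Fresh sipLocalRegistrarRegCountStatistics, as sipRegCountReset leaves them."""
    return dict(sipRegAttemptCount=0, sipRegChallengedCount=0, sipRegStableCount=0,
                sipRegFailed403Count=0, sipRegFailed404Count=0, sipRegFailedOthersCount=0)

def header(msg, name):
    """Value of the first header called `name`, or None."""
    m = re.search(rf"^{name}:\s*(.+?)\s*$", msg, re.M | re.I)
    return m.group(1) if m else None

def handle_register(msg, counters, bindings):
    """Return (status, reason) for one REGISTER; bindings is the set of stable AORs."""
    counters["sipRegAttemptCount"] += 1
    m = re.search(r"sip:([^>;\s]+)", header(msg, "To") or "")
    profile = SUBSCRIBERS.get(aor := (m.group(1) if m else ""))
    if profile is None:                              # AOR not provisioned in any subscriber profile
        counters["sipRegFailed404Count"] += 1
        return 404, "Not Found"
    if profile["sipRegAdminState"] != "active":      # subscriber administratively inactive
        counters["sipRegFailed403Count"] += 1
        return 403, "Forbidden"
    expires = int(header(msg, "Expires") or REGISTRAR["expires"])
    if 0 < expires < REGISTRAR["minExpires"]:        # minExpires rule from the parameter table
        counters["sipRegFailedOthersCount"] += 1
        return 423, f"Interval Too Brief (Min-Expires: {REGISTRAR['minExpires']})"
    if profile["sipRegSendChallenge"] in CHALLENGE_REGISTER and not header(msg, "Authorization"):
        counters["sipRegChallengedCount"] += 1       # digest challenge goes out with this response
        return 401, "Unauthorized"
    # Credential verification against sipRegAuthPassword is omitted from this model.
    if expires == 0:
        bindings.discard(aor)                        # Expires: 0 removes the binding
    else:
        bindings.add(aor)
    counters["sipRegStableCount"] = len(bindings)    # stable count mirrors live bindings
    return 200, "OK"
```

Running the same AOR through the checks twice (once challenged, once with an Authorization header) reproduces the attempt/challenged/stable counts of 1 shown in the sample sipLocalRegistrarRegCountStatistics output above.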

SBX-111375 LDAP AD authentication support

The parameter ldapConfigurationMode is added to the ldapAuthentication configuration for the user to choose the "advanced" mode option to configure the newly-added parameters.

Command Syntax
New ldapConfigurationMode Syntax
% set oam ldapAuthentication ldapConfigurationMode <advanced | legacy>
ldapServer Syntax (Legacy Mode)
% set oam ldapAuthentication ldapServer <serverName>
    bindMethod <sasl | simple>
    binddn <name>
    groupNameAttribute <groupName, or empty string>
    ldapServerAddress <IPv4, IPv6 or FQDN>
    ldapServerPort <valid port>
    priority <1-25>
    saslMechanism <digest-md5 | plain>
    searchbase <1-255 characters>
    state <disabled | enabled>
    transport <ldaps | tcp | tls>

ldapServer Syntax (Advanced Mode)
% set oam ldapAuthentication ldapServer <serverName>
    bindMethod <sasl | simple>
    binddn <name>
    ldapServerAddress <IPv4, IPv6 or FQDN>
    ldapServerPort <valid port>
    priority <1-25>
    returnAttribute <1-255 characters>
    saslMechanism <digest-md5 | plain>
    searchFilter <1-255 characters>
    searchbase <1-255 characters>
    state <disabled | enabled>
    systemPassword <password>
    systemUsername <1-255 characters>
    transport <ldaps | tcp | tls>
Command Parameters

ldapAuthentication (New Parameter)

The ldapConfigurationMode parameter is added to the LDAP Authentication configuration to specify legacy or advanced modes.

Parameter: ldapConfigurationMode
Length/Range: n/a
Default: legacy
Description: The configuration mode for the LDAP client.
  • legacy - Use this option for legacy LDAP behavior.
  • advanced - Use this option to support Microsoft Active Directory (AD) services.
M/O: O

ldapServer (Updated Parameters)

The following parameters are updated in this release (for both 'legacy' and 'advanced' modes):

Parameter: ldapServerAddress
Length/Range: IPv4 address, IPv6 address or FQDN
Description: The IPv4 address, IPv6 address or FQDN (hostname) of the server. The supported formats are:
  • IPv4 address (in dot notation)
  • IPv6 address (in hex-colon notation)
  • FQDN
M/O: M

Parameter: priority
Length/Range: 1-25
Description: <priority #> – The server priority, where '1' is the highest priority.
M/O: M

Parameter: saslMechanism
Length/Range: N/A
Description: The SASL mechanism to use.
  • digest-md5 – Use this option to send the username and password as a hash so they are not viewable on the wire even if the transport is TCP.
  • plain (default)
M/O: O

ldapServer (New Parameters)

The following new LDAP Server parameters are available when ldapConfigurationMode is set to advanced:

Parameter: returnAttribute
Length/Range: 1-255 characters
Description: The attribute returned from the search for the group name of the LDAP user. For example, in the searchFilter query, if cn is specified as the return attribute, then the returned attribute will be: users. The query may return multiple users.
M/O: O

Parameter: searchFilter
Length/Range: 1-255 characters
Description: The LDAP filter used to search for the group name of the LDAP user. Use {0} in the searchFilter as the placeholder for the user being authenticated.
For example: (&(objectClass=group)(member=cn={0},CN=Users,DC=example,DC=tst))
M/O: O

Parameter: systemPassword
Length/Range: string
Description: The password for the LDAP user with Administrative privileges (systemUsername). Leave blank if the systemUsername is not specified.
M/O: O

Parameter: systemUsername
Length/Range: 1-255 characters
Description: An LDAP user with Administrative privileges. Leave blank, or enter a user name.
M/O: O

Note

If ldapConfigurationMode = advanced, the SBC LDAP client binds with the provided systemUsername and systemPassword. This allows the LDAP query specified in the searchFilter to access the records needed to ascertain the group of the user under authentication.

The systemUsername and systemPassword are optional. If a systemUsername is not specified, the SBC performs the search specified in searchFilter using the user's credentials. If a systemUsername is specified, you cannot leave the systemPassword field blank.
Configuration Example

An example of LDAP Authentication using the "advanced" mode is provided below:

set oam ldapAuthentication ldapConfigurationMode advanced 
set oam ldapAuthentication ldapServer ldap1 priority 1
set oam ldapAuthentication ldapServer ldap1 state enabled
set oam ldapAuthentication ldapServer ldap1 bindMethod simple
set oam ldapAuthentication ldapServer ldap1 saslMechanism plain
set oam ldapAuthentication ldapServer ldap1 systemUsername CN=Administrator,CN=Users,DC=mdroot,DC=tst
set oam ldapAuthentication ldapServer ldap1 systemPassword xxxyyyzzz
set oam ldapAuthentication ldapServer ldap1 transport ldaps
set oam ldapAuthentication ldapServer ldap1 binddn "cn={0},CN=Users,dc=mdroot,dc=tst"
set oam ldapAuthentication ldapServer ldap1 searchbase CN=Builtin,DC=mdroot,DC=tst
set oam ldapAuthentication ldapServer ldap1 ldapServerAddress rdc1.mdroot.tst
set oam ldapAuthentication ldapServer ldap1 ldapServerPort 636
set oam ldapAuthentication ldapServer ldap1 searchFilter (&(objectClass=group)(member=CN=Administrator,CN=Users,DC=mdroot,DC=tst))
set oam ldapAuthentication ldapServer ldap1 returnAttribute cn
commit
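As an added example (not Ribbon code), the Python below models how an advanced-mode ldapServer entry like the one above is used: {0} in binddn and searchFilter is replaced with the authenticating user's name, and the group search binds with systemUsername/systemPassword when they are set or with the user's own credentials otherwise. The RFC 4515/4514 escaping of the substituted name, the LDAP1 settings and the helper names are this example's assumptions, not documented SBC behaviour.

```python
import re

# Constructed model of an advanced-mode ldapServer entry (added example, not Ribbon code).
LDAP1 = {
    "binddn": "cn={0},CN=Users,dc=mdroot,dc=tst",
    "searchbase": "CN=Builtin,DC=mdroot,DC=tst",
    "searchFilter": "(&(objectClass=group)(member=cn={0},CN=Users,DC=mdroot,DC=tst))",
    "returnAttribute": "cn",
    "systemUsername": "",   # empty: the search runs with the authenticating user's credentials
    "systemPassword": "",
}

def escape_filter(value):
    """RFC 4515 escaping (assumed here), so a login name cannot alter the searchFilter structure."""
    return "".join(f"\\{ord(c):02x}" if c in "\\*()\0" else c for c in value)

def escape_dn(value):
    """RFC 4514 escaping (assumed here) for a value substituted into the binddn."""
    value = re.sub(r'([\\,+"<>;=])', r"\\\1", value)
    if value[:1] in ("#", " "):
        value = "\\" + value
    return value[:-1] + "\\ " if value.endswith(" ") else value

def plan_auth(server, username, password):
    """Work out which identity performs the group search and what it searches for."""
    if server["systemUsername"] and not server["systemPassword"]:
        raise ValueError("systemPassword cannot be blank when systemUsername is set")
    user_dn = server["binddn"].replace("{0}", escape_dn(username))
    if server["systemUsername"]:
        search_bind = (server["systemUsername"], server["systemPassword"])  # privileged account
    else:
        search_bind = (user_dn, password)                                   # user's own credentials
    search = {
        "base": server["searchbase"],
        "filter": server["searchFilter"].replace("{0}", escape_filter(username)),
        "attributes": [server["returnAttribute"]],
    }
    # The user's own password is assumed to be verified by a separate bind as user_dn.
    return {"user_dn": user_dn, "search_bind": search_bind, "search": search}

def groups_from_entries(entries, attribute):
    """Collect the returnAttribute values (group names) from search results; may be several."""
    return sorted({v for entry in entries for v in entry.get(attribute, [])})
```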