Use the following topics to configure your network to send SBC Core media quality statistics, as well as Security and Audit logs, to Ribbon Analytics.

Report Media Quality Statistics to Ribbon Analytics

The Media Probe feature facilitates monitoring and management of voice quality by the SBC Core and Ribbon Analytics. Use the following example configurations to establish communication with Ribbon Analytics and to send media quality statistics (RTP/RTCP) and DTMF packets to it using the Media Probe feature.

Configuring SBC Core using CLI for Ribbon Analytics

Media Probe CLI

The Media Probe functionality is added to the System Media configuration to capture and report on media quality statistics (RTP/RTCP) and DTMF packets. Configuration details are explained below. 

Command Syntax

% set system media mediaProbe
	dscpValue <0-63>
	encryptionType <None>
	format <rtcp>
	mediaProbeAddressContext <addressContext>
	mediaProbeIpInterfaceGroup <mediaIpInterfaceGroup>
	protocolType <udp>
	reportingInterval <1-8>
	state <disabled | enabled>


Command Parameters

Note: While configuring system media, the mediaProbe parameter is optional because its default state is disabled. However, when configuring mediaProbe, ensure that all values are configured (or accept defaults, where applicable).


Parameter | Description

mediaProbe | The object that captures and reports media quality statistics (RTP/RTCP) and DTMF packets. Media Probe accepts the following values:

  • dscpValue <DSCP value> – The DSCP value for Media Probe RTCP application packets. Range: 0-63. Default = 0.
  • encryptionType – The encryption type used towards the Ribbon Analytics server. Currently, the SBC does not support any encryption.
    • none (Default).
  • format – The Media Probe format used to report qCDR (quality CDR capturing the QoS statistics associated with a leg for each RTP-based stream). Currently, the SBC only supports RTCP.
    • rtcp
  • mediaProbeAddressContext – Address Context associated with the Media Probe IP Interface Group.
  • mediaProbeIpInterfaceGroup – Media IP Interface Group used to transmit Media Probe packets to the remote Ribbon Analytics server.
  • protocolType – The network protocol used to transfer the data to the remote server. Currently, the SBC supports only UDP.
    • udp
  • reportingInterval <1-8> – The interval at which RTCP application packets are sent to the remote Ribbon Analytics server, expressed as an integral multiple of the Media RTCP Control senderReportInterval value (configurable to 5-120 seconds). Default is "1".
    For example, if senderReportInterval is set to 5 seconds, then
    • set reportingInterval to "1" to send media probe packets every 5 seconds (senderReportInterval x 1).
    • set reportingInterval to "8" to send media probe packets every 40 seconds (senderReportInterval x 8).
  • state – Use this flag to enable/disable the system-wide Media Probe state. If the state is set to enabled, the Media Probe captures and reports media quality statistics (RTP/RTCP) and DTMF packets. If the state is set to disabled (default), the Media Probe does not capture and report media quality statistics (RTP/RTCP) and DTMF packets.
    • disabled (default)
    • enabled

Configuration Example

Command Example: system media mediaProbe
set system media mediaProbe dscpValue 0 encryptionType none format rtcp mediaProbeAddressContext ADDR_CONTEXT_1 mediaProbeIpInterfaceGroup INGRESS_LIG protocolType udp reportingInterval 1 state enabled
commit

show system media mediaProbe
state                      enabled;
reportingInterval          1;
protocolType               udp;
encryptionType             none;
format                     rtcp;
dscpValue                  0;
mediaProbeAddressContext   ADDR_CONTEXT_1;
mediaProbeIpInterfaceGroup INGRESS_LIG;

Protect CLI

The Protect functionality is added to the System configuration to allow the SBC to communicate to the Ribbon Analytics server. 

Command Syntax

% set system protect
	clusterName <Cluster name>
	serverAddress <DIG IP Address of the Ribbon Analytics Server>
	serverPort <port number>

Command Parameters

Parameter | Length/Range | Description

clusterName | 1-255 characters | <cluster name> – Specify the Ribbon Analytics cluster name.

serverAddress | 1-255 characters | <IP Address> – Specify the DIG IP Address of the Ribbon Analytics server.

serverPort | 1-255 characters | <port number> – Enter the Ribbon Analytics server port number.

Configuration Example

Command Example: system protect
set system protect serverAddress 10.50.100.10 serverPort 5558 clusterName default
commit

show system protect
serverAddress              10.50.100.10;
serverPort                 5558;
clusterName                default;
Enabling DoD Mode on the SBC Core for Ribbon Analytics

Use the following section to use Ribbon Analytics on the SBC Core while DoD mode is enabled.

  1. Remove the iptables rule for port 2024 that was added when DoD mode was enabled. Run the following command as root from a Linux shell.

    iptables -D INPUT -i mgt0 -p tcp --syn --dport 2024 -m connlimit --connlimit-above 0 -j REJECT


  2. Add an ACL rule to allow connections to port 2024 from the specific IP address used by Ribbon Analytics. Run the following command from the CLI in config mode.

    set addressContext default ipAccessControlList rule RARule sourceIpAddress <IP> destinationPort 2024 action accept sourceAddressPrefixLength 32 precedence 5 state enabled


  3. Add an ACL rule to override the default allow rule and disallow all other connections to port 2024. Run the following command from the CLI in config mode.

    set addressContext default ipAccessControlList rule rejectAll action discard sourceIpAddress 0.0.0.0 destinationPort 2024 precedence 100 state enabled


Note: The precedence value for the rejectAll rule is 100. The precedence value of any additional ALLOW rules for extra IPs should be less than 100.
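As an added example (not Ribbon's code), the following Python models the precedence semantics the three steps above rely on: it parses the two ipAccessControlList rule commands, decides the outcome for sample connections to port 2024, and flags any allow rule that a lower-precedence discard rule would shadow, which is the check behind the note about keeping ALLOW rules below precedence 100. The analytics address 192.0.2.10, first-match evaluation in ascending precedence, and the fall-through to the default allow are assumptions.

```python
"""Added example (not Ribbon's code): model of the SBC ipAccessControlList precedence
semantics used in the DoD-mode procedure above.

Assumptions, labelled: rules are evaluated in ascending precedence and the first match
decides (implied by the note that extra ALLOW rules must stay below 100); a
sourceIpAddress of 0.0.0.0 with no prefix length means any source; a connection that
matches no rule falls through to the default allow that rejectAll is meant to override.
"""
import ipaddress
import shlex

ACL_PREFIX = "set addressContext default ipAccessControlList rule"

# Constructed input: the two rules from the procedure, with <IP> replaced by a
# placeholder Ribbon Analytics address (192.0.2.10, documentation range).
RULES_FROM_PAGE = [
    ACL_PREFIX + " RARule sourceIpAddress 192.0.2.10 destinationPort 2024 action accept "
    "sourceAddressPrefixLength 32 precedence 5 state enabled",
    ACL_PREFIX + " rejectAll action discard sourceIpAddress 0.0.0.0 destinationPort 2024 "
    "precedence 100 state enabled",
]


def parse_rule(cmd):
    """Turn one 'set ... ipAccessControlList rule <name> key value ...' line into a dict."""
    tokens = shlex.split(cmd)
    if " ".join(tokens[:5]) != ACL_PREFIX:
        raise ValueError("not an ipAccessControlList rule: %s" % cmd)
    name, kv = tokens[5], tokens[6:]
    if len(kv) % 2:
        raise ValueError("dangling key in rule %s" % name)
    rule = {"name": name}
    rule.update(zip(kv[0::2], kv[1::2]))
    return rule


def source_network(rule):
    """sourceIpAddress/sourceAddressPrefixLength as a network; 0.0.0.0 alone means any."""
    addr = rule.get("sourceIpAddress", "0.0.0.0")
    plen = rule.get("sourceAddressPrefixLength")
    if plen is None:
        plen = "0" if addr == "0.0.0.0" else "32"
    return ipaddress.ip_network("%s/%s" % (addr, plen), strict=False)


def matches(rule, src_ip, dst_port):
    """True when an enabled rule covers this source address and destination port."""
    if rule.get("state", "enabled") != "enabled":
        return False
    if "destinationPort" in rule and int(rule["destinationPort"]) != dst_port:
        return False
    return ipaddress.ip_address(src_ip) in source_network(rule)


def decide(rules, src_ip, dst_port):
    """First matching rule in ascending precedence wins; returns (action, rule name)."""
    for rule in sorted(rules, key=lambda r: int(r["precedence"])):
        if matches(rule, src_ip, dst_port):
            return rule["action"], rule["name"]
    return "accept", "<default allow>"


def shadowed_allow_rules(rules):
    """Names of accept rules that can never fire because an earlier (lower precedence)
    enabled discard rule already covers their whole source range on the same port."""
    ordered = sorted(rules, key=lambda r: int(r["precedence"]))
    shadowed = []
    for i, rule in enumerate(ordered):
        if rule["action"] != "accept":
            continue
        for earlier in ordered[:i]:
            if earlier["action"] != "discard" or earlier.get("state", "enabled") != "enabled":
                continue
            port_covered = earlier.get("destinationPort") in (None, rule.get("destinationPort"))
            if port_covered and source_network(rule).subnet_of(source_network(earlier)):
                shadowed.append(rule["name"])
                break
    return shadowed


if __name__ == "__main__":
    rules = [parse_rule(c) for c in RULES_FROM_PAGE]
    for src in ("192.0.2.10", "198.51.100.7"):
        print("%s -> port 2024: %s" % (src, decide(rules, src, 2024)))
    # An extra allow rule placed at precedence 150 violates the note and is shadowed.
    late = parse_rule(ACL_PREFIX + " RARule2 sourceIpAddress 192.0.2.11 destinationPort 2024 "
                      "action accept sourceAddressPrefixLength 32 precedence 150 state enabled")
    print("shadowed allow rules:", shadowed_allow_rules(rules + [late]))
```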

Configuring SBC Core using EMA for Ribbon Analytics

Media Probe

Use the Media Probe object to capture and report media quality statistics (RTP/RTCP) and DTMF packets.

EMA UI path: All > System > Media > Media Probe

[Figure: Media Probe]

Media Probe Parameters

The Media Probe fields are described below.

Note: While configuring System Media, the Media Probe parameter is optional because its default state is "Disabled". However, when configuring Media Probe, ensure that all values are configured (or accept defaults, where applicable).

Configure the following fields:

Field | Length/Range | Description

State | N/A | Use this flag to enable/disable the system-wide Media Probe state. If the state is set to Enabled, the Media Probe captures and reports media quality statistics (RTP/RTCP) and DTMF packets. If the state is set to Disabled (default), the Media Probe does not capture and report media quality statistics (RTP/RTCP) and DTMF packets.
  • Disabled (default)
  • Enabled

Reporting Interval | 1-8 | The interval at which RTCP application packets are sent to the remote Ribbon Analytics server, expressed as an integral multiple of the Media RTCP Control Sender Report Interval value (configurable to 5-120 seconds). Default is "1".
  For example, if Sender Report Interval is set to 5 seconds, then
  • set Reporting Interval to "1" to send media probe packets every 5 seconds (Sender Report Interval x 1).
  • set Reporting Interval to "8" to send media probe packets every 40 seconds (Sender Report Interval x 8).

Protocol Type | N/A | The network protocol used to transfer the data to the remote server. Currently, the SBC supports only UDP.

Encryption Type | N/A | The encryption type used towards the Ribbon Analytics server. Currently, the SBC does not support any encryption. Default is "None".

Format | N/A | The Media Probe format used to report qCDR (quality CDR capturing the QoS statistics associated with a leg for each RTP-based stream). Currently, the SBC only supports RTCP.

DSCP Value | 0-63 | The DSCP value for Media Probe RTCP application packets. Default = 0.

Media Probe Address Context | N/A | The Address Context associated with the Media Probe IP Interface Group.

Media Probe IP Interface Group | N/A | The Media IP Interface Group used to transmit Media Probe packets to the remote Ribbon Analytics server.


Protect

Use the System > Protect object to allow the SBC to communicate to the Ribbon Analytics server.

EMA UI path: All > System > Protect

[Figure: Protect]

Protect Parameters

Configure the following fields.

Parameter | Length/Range | Description

Server Address | 1-255 characters | Specify the DIG IP Address of the Analytics server.

Server Port | 1-255 characters | Enter the Analytics server port number.

Cluster Name | 1-255 characters | The Ribbon Analytics cluster name, which is currently set to the static value of "default".


Configuration and Verification Steps

Step | Action

Ribbon Analytics Prerequisites
  1. Enable the Packet Capture (PCIG) Interface on the Ribbon Analytics system. If this was not done during installation, use the "Enabling the PCIG Interface After Installation or Upgrade" procedure in Ribbon SBC Core MVQ Metrics.
  2. In Ribbon Analytics, note the DIG IP, port, and Cluster name. These are required later for configuring the SBC Core to send data to Analytics.

SBC Core Configuration Steps

Configure the SBC to communicate with Ribbon Analytics.

Configure the Protect functionality to establish communication with Ribbon Analytics, and the Media Probe functionality to collect QoS statistics and send them to Analytics. Ensure the variables are set correctly so that the QoS statistics reach Ribbon Analytics.

Note: To use the EMA, refer to the procedure in System - Protect and System - Media - Media Probe.

To configure via the CLI, refer to the procedure in Protect - CLI and Media System - CLI.

To configure the Protect functionality, execute the following commands (refer to the procedure in Protect - CLI):

% set system protect serverAddress <Ribbon Analytics DIG IP address> serverPort <Ribbon Analytics port #> clusterName <Ribbon Analytics clusterName>
% commit

To configure the Media Probe functionality, execute the following commands (refer to the procedure in Media System - CLI):

% set system media mediaProbe dscpValue 0 encryptionType none format rtcp mediaProbeAddressContext ADDR_CONTEXT_1 mediaProbeIpInterfaceGroup INGRESS_LIG protocolType udp reportingInterval <integral multiple: 1-8> state enabled
% commit

Verify Ribbon Analytics functionality

The SBC Core devices that push data to Ribbon Analytics are added automatically to the list of devices in the Ribbon Analytics system. You do not have to add them manually. Verify that the SBC appears automatically in the Ribbon Analytics device list.

Statistics

Media Probe License Availability

Service Authorised Cur Stats

On the SBC, go to All > Global > Service Authorised Cur Stats. The Service Authorisation Cur Stats window displays.

Use the Service Authorisation Cur Stats window to view current global statistics that report which licensed features are authorized for use on the SBC. A value of 0 indicates the feature license is not available. If the Media Probe Authorisation column is set to "1", the MEDIA-PROBE license is available.

[Figure: Service Authorisation Cur Stats Window - Partial]

Service Authorised Int Stats

On the SBC main screen, go to All > Global > Service Authorised Int Stats. The Service Authorisation Int Stats window displays.

Use the Service Authorisation Int Stats window to view global statistics for a series of time intervals that report which licensed features are authorized for use on the SBC. A value of 0 indicates the feature license is not available.

[Figure: Service Authorisation Int Stats Window - Partial]


The Media Probe Authorisation statistic displays under the objects "Service Authorised Cur Stats" and "Service Authorised Int Stats".

Table: Media Probe Authorisation

Statistic | Description

Media Probe Authorisation | This statistic is set based on whether Media Probe is enabled/authorized.
  • 1 – enabled/authorized
  • 0 – disabled/not authorized



Service Authorised Cur Stats

> show status global serviceAuthorisedCurStats mediaProbeAuthorisation
serviceAuthorisedCurStats entry {
    licenseMode                    nodeLocked;
    encryptAuthorisation           1;
    srtpAuthorisation              1;
    enhancedVideoAuthorisation     1;
    amrnbLegAuthorisation          1;
    amrwbLegAuthorisation          1;
    evrcLegAuthorisation           1;
    niceRecAuthorisation           1;
    mrfSessionsAuthorisation       1;
    sipRecAuthorisation            1;
    transcodeAuthorisation         1;
    pdcsAuthorisation              1;
    liSessionsAuthorisation        1;
    sbcRtuSessionsAuthorisation    1;
    dspG722SessionsAuthorisation   1;
    gmp4x1SessionsAuthorisation    1;
    sipISessionsAuthorisation      1;
    sip323SessionsAuthorisation    1;
    gmp1x10SessionsAuthorisation   1;
    polRtuSessionsAuthorisation    1;
    psxRtuSessionsAuthorisation    1;
    capacityLicenseAuthorisation   0;
    e911SessionsAuthorisation      1;
    enumSessionsAuthorisation      1;
    swInstanceLicenseAuthorisation 1;
    evsLegAuthorisation            1;
    silkLegAuthorisation           1;
    slbAuthorisation               1;
    slbSessionsAuthorisation       1;
    mediaProbeAuthorisation        1;
}
[ok][<YYYY-MM-DD HH:MM:SS>]


Note: A similar result displays for the corresponding show table command, but in a tabular format.


Service Authorised Int Stats

> show status global serviceAuthorisedIntStats mediaProbeAuthorisation
serviceAuthorisedIntStats 646 entry {
    intervalValid                  true;
    time                           581362;
    licenseMode                    nodeLocked;
    encryptAuthorisation           1;
    srtpAuthorisation              1;
    enhancedVideoAuthorisation     1;
    amrnbLegAuthorisation          1;
    amrwbLegAuthorisation          1;
    evrcLegAuthorisation           1;
    niceRecAuthorisation           1;
    mrfSessionsAuthorisation       1;
    sipRecAuthorisation            1;
    transcodeAuthorisation         1;
    pdcsAuthorisation              1;
    liSessionsAuthorisation        1;
    sbcRtuSessionsAuthorisation    1;
    dspG722SessionsAuthorisation   1;
    gmp4x1SessionsAuthorisation    1;
    sipISessionsAuthorisation      1;
    sip323SessionsAuthorisation    1;
    gmp1x10SessionsAuthorisation   1;
    polRtuSessionsAuthorisation    1;
    psxRtuSessionsAuthorisation    1;
    capacityLicenseAuthorisation   0;
    e911SessionsAuthorisation      1;
    enumSessionsAuthorisation      1;
    swInstanceLicenseAuthorisation 1;
    evsLegAuthorisation            1;
    silkLegAuthorisation           1;
    slbAuthorisation               1;
    slbSessionsAuthorisation       1;
    mediaProbeAuthorisation        1;
}
[ok][<YYYY-MM-DD HH:MM:SS>]

Note: A similar result displays for the corresponding show table command, but in a tabular format.

License

Depending upon the licensing type, install the following license to use the Media Probe feature.

  • NWDL: MEDIA-PROBE-D license
  • Node Locked: MEDIA-PROBE license

Push SEC and AUD logs to Ribbon Analytics

The SBC Core routinely logs and reports invalid login attempts for access to all its accounts and interfaces. These logs and reports serve as an important data set for Ribbon Analytics, which warns administrators when many invalid attempts are seen across the network. The event reporting notes the IP and port from which the invalid attempt was made, and makes the entries available in the SEC and AUD logs.

The SBC currently logs this information, along with the remote IP, to the file auth.log. The SBC also pushes the auth.log via syslogd so that Ribbon Analytics can access the messages.

If the SBC is configured with a call trace filter to capture all SIP PDU messages in the trace log, you must update the settings for the fields diskThrottleLimit, eventLogValidation, fileSize and messageQueueSize using the information provided in the Event Log - CLI page.

Note: To configure the SBC to push SEC and AUD logs to Ribbon Analytics, refer to the "Type Admin" topic at Event Log - CLI.

Improve Traffic Between Ribbon Analytics and SBC


Using the default Access Control List (ACL) rules, Ribbon Analytics traffic can be throttled when it tries to collect files from the SBC. Using the CLI, follow these steps to improve traffic:

  1. Update operatorAggregatePolicer with a fillRate of "30000" and a bucketSize of "250".

    Example:
    set addressContext default operatorAggregatePolicer fillRate 30000 bucketSize 250


  2. Create a new user ACL for the traffic between Ribbon Analytics and the SBC using the following parameters:

    ACL Parameters:
    admin@PTBF05> show table addressContext default ipAccessControlList rule RA
    	precedence                     7003;
    	protocol                       any;
    	mgmtIpInterfaceGroup           mgmtGroup;
    	sourceIpAddress                <RA IP>;
    	sourceAddressPrefixLength      32;
    	destinationIpAddress           <SBC IP>;
    	destinationAddressPrefixLength 32;
    	sourcePort                     any;
    	destinationPort                any;
    	action                         accept;
    	fillRate                       30000;
    	bucketSize                     unlimited;
    	state                          enabled;
    	aggregatePolicer               OPERATOR;


Generating SSH Keys for Default Users 

The following section outlines how to generate SSH keys for Default Users on the SBC.

Generating an SSH Key on a Non-cloud Based SBC

The following steps outline how to generate SSH keys from the command line on a non-cloud based SBC. The second section also outlines how to install the SSH keys for the linuxadmin user:

  1. Input the following command: ssh-keygen -f <filename>.pem -t rsa

    Note: To add a password to the key, enter a passphrase in the fields provided. To decline adding a password, leave the fields blank.


  2. Extract the public key from the newly generated private key using the following command: ssh-keygen -y -f <keyname>

    Example:
    jmulcock@jmulcock01:~$ ssh-keygen -f example.pem -t rsa
    Generating public/private rsa key pair.
    Enter passphrase (empty for no passphrase):
    Enter same passphrase again:
    Your identification has been saved in example.pem
    Your public key has been saved in example.pem.pub
    The key fingerprint is:
    SHA256:caJAkQzCTgQjSKim//234Rzz4ReGSnUDpR6/t8UQ6Qc jmulcock@jmulcock01
    The key's randomart image is:
    +---[RSA 3072]----+
    |%o.ooo       ..  |
    |+= .o       .. . |
    |+   .   o . o.E  |
    |.o   . . + ..+oo |
    |o     . S  ..o+..|
    |.         . . o= |
    | .       .+.....+|
    |  .  .   oo* ...o|
    |   .. ....+.o. . |
    +----[SHA256]-----+


Copying and installing an SSH key for the linuxadmin user

  1. Run the following command: ssh-copy-id -i <key name> -p2024 linuxadmin@<SBC Mgt IP> 
  2. Enter the password for the linuxadmin user.
  3. Perform a login test using the following command: ssh -i <key name> -p2024 linuxadmin@<SBC Mgt IP>

    Warning: The user must install the key on all SBC instances (e.g. in an HA setup, install the key on both the active and standby instances).

    Note: To authenticate a public key, refer to:


    Example:
    jmulcock@jmulcock01:~$ ssh-copy-id -i example.pem -p2024 linuxadmin@10.31.243.20
    /usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "example.pem.pub"
    /usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
    /usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
    ######################
    #
    This system is restricted to authorized users only.
    Unauthorized access or access attempts to this system
    or services are prohibited. All user activity is logged.
    Evidence of unauthorized use collected during monitoring
    may be provided to appropriate personnel for
    administrative, criminal or other adverse action.
    #
    ######################
    linuxadmin@10.31.243.20's password:
    
    Number of key(s) added: 1
    
    Now try logging into the machine, with:   "ssh -p '2024' 'linuxadmin@10.31.243.20'"
    and check to make sure that only the key(s) you wanted were added.
    
    jmulcock@jmulcock01:~$ ssh -p 2024 -i example.pem linuxadmin@10.31.243.20
    ######################
    #
    This system is restricted to authorized users only.
    Unauthorized access or access attempts to this system
    or services are prohibited. All user activity is logged.
    Evidence of unauthorized use collected during monitoring
    may be provided to appropriate personnel for
    administrative, criminal or other adverse action.
    #
    ######################
    Last login: Thu May  4 15:27:53 BST 2023 from 172.26.223.243 on ssh
    Ribbon ConnexIP OS 10.01.00-A004 GNU/Linux
    linuxadmin@SBXUK20-1:~$


Public Cloud Key Generation

The following steps outline how to generate keys for public clouds. When creating keys for public clouds, two options are available:

  1. Allow terraform to generate the keys:
    1. IAC provides the option to generate the key for the linuxadmin user.
    2. Terraform tfvars will contain a variable like 'generate_ssh_key'.
  2. In AWS, use the AWS console to generate the key:
    1. Go to EC2 → Key Pairs
    2. Select Create Key Pair
    3. On screen
      1. Enter Name
      2. Select .pem
      3. Select Create key pair
      4. Save the private key somewhere.

SBC SSH Keys in Public Clouds

This section will outline how the SSH keys are handled on the SBC for linuxadmin and admin users for public clouds. All keys supplied to the cloud/instance are the public keys. The creator is responsible for storing the keys on the private side. Key types are always RSA. Any updates require the SBC instance to be rebooted to take effect.

For more information on updating SSH keys, refer to Recovering SSH Key Access in Public Cloud and Updating User Data in Azure.

AWS

Storage

  • Linuxadmin - Stored in AWS Key Pairs (Orchestration)
    • The key is generated by AWS Key Pairs via the console, or the user can import a public key.
  • Admin - User Data

Orchestration

  • Linuxadmin - Supplied as Key Name, extracted by cloud init
  • Admin - Supplied in value for the 'AdminSshKey' key in user data

Update

  • Linuxadmin - Update not supported (as it is not supported in AWS itself)
  • Admin - Update Value of 'AdminSshKey' in User Data

GCP

Storage

  • Linuxadmin - Part of instance Metadata
  • Admin - User Data

Orchestration

  • Linuxadmin - In SSH Keys section:
    • Block Project Wide SSH Keys
    • Supply key in the form ssh-rsa ... linuxadmin
  • Admin - Supplied in value for the 'AdminSshKey' key in user data

Update

  • Linuxadmin - Update the key against Username 'linuxadmin' in SSH keys
  • Admin - Update Value of 'AdminSshKey' in User Data

Azure

Storage

  • Linuxadmin - Part of instance Metadata (Orchestration) or User Data (Update)
  • Admin - Custom Data (Orchestration) or User Data (Update)

Orchestration

  • Linuxadmin - Supplied via the --ssh-key-values flag
  • Admin - Supplied in value for the 'AdminSshKey' key in Custom Data

Update

  • Linuxadmin - Attach User Data to the Azure instance, and add the updated key as: "LinuxadminSshKey": "ssh-rsa YYYYYY",
  • Admin - Attach User Data to the Azure instance, and update value of 'AdminSshKey'