New CLI in
1112.
10.0R0
SBX-
8652275851 Support
for TLS 1.3 on SBC Core
The flag v1_3 is added to the TLS Profile to configure TLS 1.3 support. In addition, three Ciphersuites are added to support TLS 1.3.
RFC 7044 for SIP History-Info
Four flags and an Ingress IP heading are added to the IP Signaling Profile.
Two flags are set at Egress:
supportRFC7044
applyHistoryInfoPrivacy
Two flags are set at Ingress:
supportRFC7044Ingress
applyHistoryInfoPrivacyIngress
Lastly, an Ingress IP heading is added to support the above two Ingress flags:
- ingressHistoryInformation
Command Syntax
Code Block | ||
---|---|---|
| ||
% set profiles security tlsProfile <tls profile name> v1_3 <disabled | enabled>
% set profiles signaling ipSignalingProfile <profile name> egressIpAttributes sipHeadersAndParameters callForwarding historyInformation includeHistoryInformation <disable | enable> supportRFC7044 <disable | enable> |
Code Block | ||
---|---|---|
| ||
% set profiles signaling ipSignalingProfile <profile name> egressIpAttributes sipHeadersAndParameters callForwarding historyInformation includeHistoryInformation <disable | enable> applyHistoryInfoPrivacy <disable | enable> |
Code Block | ||
---|---|---|
| ||
% set profiles signaling ipSignalingProfile <profile name> ingressIpAttributes ingressHistoryInformation supportRFC7044Ingress <disable | enable> |
Code Block | ||
---|---|---|
| ||
% set profiles signaling ipSignalingProfile <profile name> ingressIpAttributes ingressHistoryInformation applyHistoryInfoPrivacyIngress <disable | enable>
% set profiles security tlsProfile <tls profile name> cipherSuite <cipherSuite1/2/3> tls_aes_128_gcm_sha256 tls_aes_256_gcm_sha384 tls_chacha20_poly1305_sha256 |
Command Parameters
Parameter |
---|
Description | M/O |
---|
v1_3
n/a
| Enable this flag to set the History-Info header's behavior in accordance with RFC-7044.
| O |
| Enable this flag to |
disabled
enabled
tls_aes_128_gcm_sha256
tls_aes_256_gcm_sha384
anonymize the History-Info header.
| O | |
| Enable this flag to set the History-Info header's behavior in accordance with RFC-7044 towards the Ingress leg.
| O |
| Enable this flag to anonymize the History-Info header towards the Ingress leg.
| O |
ingressHistoryInformation | Use this heading to enable the following flags:
|
tls_chacha20_poly1305_sha256
O |
Configuration Examples
Code Block | ||
---|---|---|
| ||
set profiles security tlsProfile defaultTlsProfile v1_3 enabled
set profiles security tlsProfile defaultTlsProfile cipherSuite1 tls_aes_128_gcm_sha256
set profiles signaling ipSignalingProfile DEFAULT_SIP egressIpAttributes sipHeadersAndParameters callForwarding historyInformation includeHistoryInformation enable supportRFC7044 enable
commit |
Code Block | ||
---|---|---|
| ||
set profiles security tlsProfile defaultTlsProfile cipherSuite2 tls_aes_256_gcm_sha384
set profiles security tlsProfile defaultTlsProfile cipherSuite3 tls_chacha20_poly1305_sha256
commit |
SBX-93114 SIP Registrar Functionality Support
The SBC Core is enhanced to support SIP Registrar functionality for SIP end points. This feature allows the Ribbon SBC to act as an Access SBC with Registrar functionality in a single deployment.
SIP TG - Signaling - SIP Local Registrar - CLI
The CLI object sipLocalRegistrar to support the SIP Registrar functionality is added to the CLI in this release.
Command Syntax
The following CLI shows how to enable the SIP Local Registrar functionality.
Code Block | ||
---|---|---|
| ||
set addressContext <name> zone <name> sipTrunkGroup <name> signaling sipLocalRegistrar <disabled | enabled> |
Command Parameters
sipLocalRegistrar
disabled
Use this flag to enable the SIP Local Registrar functionality. When enabled, messages are sent to the SIP Local Registrar.
disabled (default)
enabled
set profiles signaling ipSignalingProfile DEFAULT_SIP egressIpAttributes sipHeadersAndParameters callForwarding historyInformation includeHistoryInformation enable applyHistoryInfoPrivacy enable
commit |
Code Block | ||
---|---|---|
| ||
set profiles signaling ipSignalingProfile DEFAULT_SIP ingressIpAttributes ingressHistoryInformation supportRFC7044Ingress enable
commit |
Code Block | ||
---|---|---|
| ||
set profiles signaling ipSignalingProfile DEFAULT_SIP ingressIpAttributes ingressHistoryInformation applyHistoryInfoPrivacyIngress enable
commit |
SBX-116105 Support for Linear 16 (L16) on SBC
Codec Entry
The codec "l16-16" is added to Codec Entry. Select "l16-16" to enable transcoding for the L16 codec.
Command Example
Code Block | ||
---|---|---|
| ||
set addressContext <name> zone <name> sipTrunkGroup <name> signaling sipLocalRegistrar <disabled | enabled> |
For more information, refer to SIP TG - Signaling - SIP Local Registrar - CLI.
Signaling - Global - CLI - SIP Local Registrar Object
Command Syntax
Code Block | ||
---|---|---|
| ||
% set profiles media codecEntry <name> codec <codec type: l16-16> packetSize <10 | 20> preferredRtpPayloadType <0-127>
% set global signaling sipLocalRegistrar expires <15-65535> minExpires <15-65535> sipRegSubscriberProfile <aor Name> sipRegAdminState <active | inactive> sipRegSendChallenge <challengeForNone | challengeForRegister | challengeForRegisterAndInvite> sipRegAuthRealm <authentication Realm> sipRegAuthUserName <authentication UserName> sipRegAuthPassword <authentication Password>
% show global signaling sipLocalRegistrar sipRegSubscriberProfile <aor Name> expires minExpires |
Command Parameters
Codec |
---|
Description | M/O |
---|
expires
|
| Select to allow transcoding for the L16 codec. | O |
minExpires
The Min-Expiry value used for Registration.
If REGISTER is received with Expires value less than this field, 423 Error is generated
sipRegSubscriberProfile
sipRegAdminState
Defines if Subscriber state is active or inactive. The choices are:
active (default)
inactive
sipRegSendChallenge
Defines how the Authentication Challenge is sent.
challengeForNone - Authentication challenge is not initiated for any of the messages.
challengeForRegister - Authentication challenge is initiated for REGISTER messages only.
challengeForRegisterAndInvite -
sipRegAuthRealm
sipRegAuthUserName
sipRegAuthPassword
DES3 (triple Digital Encryption Standard) encrypted string authentication password for SIP local registration. All ASCII characters from 33 to 126 (except 34 - double quotes) are allowed.
Note:
If Authentication Password contains ASCII characters, enclose the entire password string with double quotes (" ").
Example using double quotes:
"Password1:@\#:########~%&*@#"
Since the SBC Registrar supports bulk load configuration, the length of the password string is not validated at the time of entry into the database. The Admin must make sure that the length is within the prescribed range (6-32 characters). For out-of-bound passwords, authentication can fail with a 403 error response.
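Because the length is not checked at entry, a pre-load check can catch bad values before they reach the database. The following is an added example, not Ribbon's code: it applies the rules stated above (ASCII 33 to 126, no double quote, 6-32 characters, and the 1-127 character AOR name). The record layout, function names and sample records are assumptions constructed for illustration.

```python
# Added example: pre-load check for sipRegAuthPassword values.
# Rules taken from the text above: ASCII 33-126 only, no double quote (34),
# length 6-32. Record layout and function names are assumptions.

MIN_LEN, MAX_LEN = 6, 32
AOR_MAX = 127  # the page gives 1-127 characters for the AOR name


def password_problems(password: str) -> list[str]:
    """Return every rule the password breaks (empty list means acceptable)."""
    problems = []
    if not MIN_LEN <= len(password) <= MAX_LEN:
        problems.append(f"length {len(password)} outside {MIN_LEN}-{MAX_LEN}")
    bad = sorted({c for c in password if not 33 <= ord(c) <= 126 or ord(c) == 34})
    if bad:
        problems.append("disallowed characters: " + ", ".join(repr(c) for c in bad))
    return problems


def audit(records: list[dict]) -> dict[str, list[str]]:
    """Map each failing AOR to its problems; passing records are omitted."""
    report = {}
    for rec in records:
        problems = password_problems(rec["password"])
        if not 1 <= len(rec["aor"]) <= AOR_MAX:
            problems.append("AOR length outside 1-127")
        if problems:
            report[rec["aor"]] = problems
    return report


# Constructed sample records (not from the page or a real system).
SAMPLE = [
    {"aor": "alice@example.com", "password": "Str0ng:Pass#1"},
    {"aor": "bob@example.com", "password": "abc"},            # too short
    {"aor": "carol@example.com", "password": 'has"quote1'},   # contains ASCII 34
    {"aor": "dave@example.com", "password": "with space 1"},  # ASCII 32
    {"aor": "erin@example.com", "password": "x" * 33},        # too long
]

if __name__ == "__main__":
    # Report only the AOR and the broken rule, never the password itself.
    for aor, problems in audit(SAMPLE).items():
        print(f"{aor}: {'; '.join(problems)}")
```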
Command Example
Code Block | ||
---|---|---|
| ||
set global signaling sipLocalRegistrar expires 3500
set global signaling sipLocalRegistrar minExpires 300
set global signaling sipLocalRegistrar sipRegSubscriberProfile testUser@example.com sipRegAdminState active sipRegSendChallenge challengeForRegisterAndInvite sipRegAuthRealm example.com sipRegAuthUserName testUser sipRegAuthPassword password1
show global signaling sipLocalRegistrar sipRegSubscriberProfile testUser@example.com
sipRegAuthUserName testUser;
sipRegAuthRealm example.com;
sipRegAuthPassword $7$FZ5ju2oDUvNyLs8MvuBYmoCo55fOBhnu;
sipRegAdminState active;
sipRegSendChallenge challengeForRegisterAndInvite;
show global signaling sipLocalRegistrar expires
expires 3500
show global signaling sipLocalRegistrar minExpires
minExpires 300
show status global sipLocalRegistrar
sipLocalRegistrarRegStatus 53056@10.xx.xx.70 {
state active;
contactURI sip:53056@10.xx.1xx.xx:5xx0;
expirationTime 3600;
creationTime 2022-09-08T10:23:29+00:00;
refreshTime 0000-00-00T00:00:00+00:00;
remainingTime 3493;
}
sipLocalRegistrarRegCountStatistics entry {
sipRegAttemptCount 1;
sipRegChallengedCount 1;
sipRegStableCount 1;
sipRegFailed403Count 0;
sipRegFailed404Count 0;
sipRegFailed503Count 0;
sipRegFailedOthersCount 0;
}
request global sipLocalRegistrar sipRegCountReset
request global sipLocalRegistrar sipRegistrationDeleteByAor sipRegAor 53056@10.xx.xx.70
result success |
For more information, refer to Signaling - Global - CLI.
Configuration Examples
Code Block | ||
---|---|---|
| ||
set profiles media codecEntry NewCodec codec l16-16 packetSize 20 preferredRtpPayloadType 96
commit |
Codec Routing Priority
The codec "L16" is added to Codec Routing Priority. Select "L16" to enable codec routing priority for the L16 codec.
Command Syntax
Code Block | ||
---|---|---|
| ||
% set profiles media codecRoutingPriority <codec: L16> |
Command Parameters
Codec | Description | M/O |
---|---|---|
| Select to enable codec routing priority for the L16 codec. | O |
Configuration Examples
Code Block | ||
---|---|---|
| ||
set profiles media codecRoutingPriority L16 entry L16
commit |
Packet Service Profile Entity
The codec "l16" is added to the Codec list for Packet Service Profile Entity. Select "l16" at "This Leg" and/or "Other Leg" to enable transcoding for the L16 codec.
Command Syntax
Code Block | ||
---|---|---|
| ||
% set profiles media packetServiceProfile <unique_profile_name> packetToPacketControl
codecsAllowedForTranscoding
otherLeg <l16>
thisLeg <l16> |
Command Parameters
Codec | Description | M/O |
---|---|---|
| Select to allow transcoding for the L16 codec. | O |
Configuration Examples
Code Block | ||
---|---|---|
| ||
set profiles media packetServiceProfile TEST_1 packetToPacketControl codecsAllowedForTranscoding otherLeg l16
set profiles media packetServiceProfile TEST_1 packetToPacketControl codecsAllowedForTranscoding thisLeg l16
commit |
SBX-118127 SHAKEN Fields in CDR for Identity Header Passthrough
This feature adds the CLI parameter storeIdentityHdrtoCdr to the SIP Trunk Group > Services CLI. This CLI configuration is used to decide which identity headers are captured in the CDR.
Command Syntax
Code Block | ||
---|---|---|
| ||
% set addressContext <address context name> zone <ZONE> sipTrunkGroup <TG> services storeIdentityHdrtoCdr
% request global sipLocalRegistrar sipLocalRegistrarRegDeleteByAor <aor Name>
% request global sipLocalRegistrar sipRegCountReset |
Command Parameters
Parameter | Length/Range | Default | Description | M/O |
---|
sipLocalRegistrarRegDeleteByAor
storeIdentityHdrtoCdr | N/A |
Use this flag to delete an AOR entry from the Registrar.
sipRegCountReset
Use this parameter to reset the count of statistics.
title | Note |
---|
none | The SBC stores the base64 decoded Identity headers received and sent in the SIP INVITE message. Use this flag to specify the Identity headers to store in the CDR record.
|
The aor Name in the CLI above represents the AOR of the user (1-127 characters).
For more information, refer to Request Global - CLI.
SIP Local Registrar - Show CLI
Command Syntax
Code Block | ||
---|---|---|
| ||
% show status global sipLocalRegistrar
sipActiveLocalRegistrarRegStatus
sipLocalRegistrarRegCountStatistics
sipLocalRegistrarRegCountCurStats
sipLocalRegistrarRegCountIntStats
% show table global sipLocalRegistrar sipLocalRegistrarRegCountStatistics |
Command Parameters
sipActiveLocalRegistrarRegStatus
Shows the status of the AOR registered with the Registrar. If the AOR name is not provided, this shows the data for all the AORs registered at Registrar.
sipLocalRegistrarRegCountStatistics
Shows the attempt/stable/failed counts for registrations received at the Registrar.
The statistics display the following fields:
sipRegAttemptCount – The total count of the register attempts.
sipRegChallengedCount – The count of the challenged register attempts.
sipRegStableCount – The count of the currently active and stable registered users.
sipRegFailed403Count – The count of the registers failed with a 403 SIP response code.
sipRegFailed404Count – The count of the registers failed with a 404 SIP response code.
sipRegFailed503Count – The count of the registers failed with a 503 SIP response code.
sipRegFailedOthersCount – The count of the registers failed with other SIP response codes.
sipLocalRegistrarRegCountCurStats
sipLocalRegistrarRegCountIntStats
The high water mark of total number of stable registrations for the reporting interval.
For more information, refer to Show Status Global.
SBX-111375 LDAP AD authentication support
The parameter ldapConfigurationMode is added to the ldapAuthentication configuration for the user to choose the "advanced" mode option to configure the newly-added parameters.
Command Syntax
Code Block | ||
---|---|---|
| ||
% set oam ldapAuthentication ldapConfigurationMode <advanced | legacy>
|
Code Block | ||
---|---|---|
| ||
% set oam ldapAuthentication ldapServer <serverName>
bindMethod <sasl | simple>
binddn <name>
groupNameAttribute <groupName, or empty string>
ldapServerAddress <IPv4, IPv6 or FQDN>
ldapServerPort <valid port>
priority <1-25>
saslMechanism <digest-md5 | plain>
searchbase <1-255 characters>
state <disabled | enabled>
transport <ldaps | tcp | tls> |
Code Block | ||
---|---|---|
| ||
% set oam ldapAuthentication ldapServer <serverName>
bindMethod <sasl | simple>
binddn <name>
ldapServerAddress <IPv4, IPv6 or FQDN>
ldapServerPort <valid port>
priority <1-25>
returnAttribute <1-255 characters>
saslMechanism <digest-md5 | plain>
searchFilter <1-255 characters>
searchbase <1-255 characters>
state <disabled | enabled>
systemPassword <password>
systemUsername <1-255 characters>
transport <ldaps | tcp | tls> |
Command Parameters
ldapAuthentication (New Parameter)
The ldapConfigurationMode parameter is added to the LDAP Authentication configuration to specify legacy or advanced modes.
ldapConfigurationMode
n/a
The configuration mode for the LDAP client.
legacy – Use this option for legacy LDAP behavior.
advanced – Use this option to support Microsoft Active Directory (AD) services.
ldapServer (Updated Parameters)
The following parameters are updated in this release (for both 'legacy' and 'advanced' modes):
ldapServerAddress
IPv4 address
IPv6 address
FQDN
The IPv4 address, IPv6 address or FQDN of the server as a hostname. The supported formats are:
- IPv4 address (In dot notation)
- IPv6 address (In hex-colon notation)
- FQDN
priority
<priority #> – The server priority, where '1' is the highest priority.
saslMechanism
The SASL mechanism to use.
digest-md5 – Use this option to send the username and password as a hash so they are not viewable on the wire even if the transport is TCP.
plain (default)
ldapServer (New Parameters)
The following new LDAP Server parameters are available when ldapConfigurationMode is set to advanced:
returnAttribute
The attribute returned from the search for the group name of the LDAP user.
For example, in the above query, if cn is specified as the return attribute, then the returned attribute will be: users. The query may return multiple users
searchFilter
The LDAP filter used to search for the group name of the LDAP user. Specify {0} in the search filter to specify the user in the searchFilter.
For example: (&(objectClass=group)(member=cn={0},CN=Users,DC=example,DC=tst))
systemPassword
The password for the LDAP user with Administrative privileges (systemUser). Leave blank if the systemUsername is not specified.
When more than one SHAKEN header arrives in the Ingress INVITE, then the following is the order of precedence in which the Identity header is picked:
| O |
Configuration Example
Code Block | ||
---|---|---|
| ||
set addressContext default zone <ZONE_IN> sipTrunkGroup <TG_IN> services storeIdentityHdrtoCdr shaken,rph |
For more information, refer to SIP Trunk Group - Services - CLI.
SBX-122231 FIPS 140-3 Support in SBC
In the CLI to enable FIPS mode, the parameter fips-140-2 is changed to fips-140-3.
Command Syntax
Code Block |
---|
% set system admin <SYSTEM NAME> fips-140-3 mode <disabled | enabled>
|
Command Parameters
Parameter | Length/Range | Default | Description |
---|---|---|---|
fips-140-3 mode | N/A | disabled | Use this object to enable FIPS-140-3 mode.
NOTE: Once you enable fips-140-3 mode, you cannot manually disable it. A fresh software installation is required to set the FIPS-140-3 mode back to 'disabled'. |
Configuration Example
Code Block |
---|
set system admin vsbcSystem fips-140-3 mode enabled |
For more information, refer to FIPS-140-3 - CLI.
systemUsername
An LDAP user with Administrative privileges – Leave blank, or enter a user name.
Info | ||
---|---|---|
| ||
If The |
Configuration Example
An example of LDAP Authentication using the "advanced" mode is provided below: