New CLI in 12.1.0R0

SBX-125210 Support for Importing PEM Files and Keys to SBC PKI

The SBC supports importing PEM and DER files and private keys. To use this functionality, keep the file in an external directory on an active SBC. To support encrypted private keys, the SBC prompts for the passPhrase when the private key is imported. The imported private keys and related fields, such as passphrases, are stored in a container database (CDB) to ensure robust security. In previous versions, the SBC did not support the p12 file import if the FIPS mode was used. Validation is added in the SBC 12.1 build to reject the p12 file import with a reason if the FIPS mode is used.

The parameter keyFileName is added to allow importing keys separately.

Command Syntax

Example
% set system security pki certificate <certificate name>
    keyFileName <1-255 characters>
 
% show system security pki

% delete system security pki


Command Parameters

| Parameter | Length/Range | Default | Description | M/O |
|---|---|---|---|---|
| keyFileName | 0 to 255 | N/A | The name of the file containing the private key in DER/PEM format. | O |

Configuration Examples

Importing PEM/DER certificates and keys:

set system security pki certificate newcert type local fileName mycert.pem keyFileName mycert.key passPhrase sonus
Commit complete.

PEM and DER keys are both supported:

set system security pki certificate newcert4 type local fileName mycert.pem keyFileName mycert.key.der
Commit complete.

PKCS12 certificates are not supported in FIPS mode:

set system security pki certificate myp12 state enabled type local fileName mycert.p12 passPhrase sonus
Aborted: 'system security pki certificate': PKCS12 certs are not supported in FIPS mode, please provide both cert and key as PEM/DER.

Importing an encrypted key without a passphrase fails:

set system security pki certificate newcert3 type local fileName mycert.pem keyFileName mycert.key.enc
Aborted: 'system security pki certificate': Failed to read private key, please verify key/passphrase
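
The following pre-import check is an added example, not Ribbon code or the SBC's own validation. It inspects the PEM label or the first two DER elements of a file to predict the two rejections shown above; the function names, return strings and sample bytes are assumptions made for this sketch, and it models only the separate certificate-plus-key import and the PKCS12 case.

```python
import re

PEM_RE = re.compile(rb"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.S)

def tlv(buf, pos):
    """Read one DER TLV header at pos; return (tag, value_start, value_end)."""
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    n = first & 0x7F if first & 0x80 else 0  # long form: n length octets follow
    length = int.from_bytes(buf[pos:pos + n], "big") if n else first
    return tag, pos + n, pos + n + length

def classify(data):
    """Return 'cert', 'key', 'encrypted-key', 'pkcs12' or 'unknown'."""
    m = PEM_RE.search(data)
    if m:
        label, body = m.groups()
        if label == b"CERTIFICATE":
            return "cert"
        if label == b"ENCRYPTED PRIVATE KEY" or b"Proc-Type: 4,ENCRYPTED" in body:
            return "encrypted-key"
        return "key" if label.endswith(b"PRIVATE KEY") else "unknown"
    try:
        t1, s1, e1 = tlv(data, tlv(data, 0)[1])  # first child of the outer TLV
        tag, t2 = data[0], data[e1]              # outer tag, second child's tag
    except IndexError:
        return "unknown"
    if tag == 0x30 and t1 == 0x02:  # INTEGER version first: 3 = PFX, 0 or 1 = key
        if data[s1:e1] == b"\x03" and t2 == 0x30:
            return "pkcs12"
        return "key" if t2 in (0x30, 0x02, 0x04) else "unknown"
    if tag == 0x30 and t1 == 0x30:  # SEQUENCE first: encrypted PKCS#8 or X.509
        return {0x04: "encrypted-key", 0x30: "cert"}.get(t2, "unknown")
    return "unknown"

def preflight(file_data, key_data=b"", passphrase=None, fips=False):
    """Predict the outcome of importing fileName (+ keyFileName, passPhrase)."""
    kind, key = classify(file_data), classify(key_data)
    if kind == "pkcs12":
        return "reject: PKCS12 in FIPS mode" if fips else "ok"
    if kind != "cert":
        return "reject: fileName is not a certificate"
    if key == "encrypted-key" and not passphrase:
        return "reject: encrypted key needs passPhrase"
    return "ok" if key in ("key", "encrypted-key") else "reject: no private key"

# Constructed samples: structure only, no real certificate or key material.
PEM_CERT = b"-----BEGIN CERTIFICATE-----\nAAAA\n-----END CERTIFICATE-----\n"
PEM_ENC_KEY = b"-----BEGIN ENCRYPTED PRIVATE KEY-----\nAAAA\n-----END ENCRYPTED PRIVATE KEY-----\n"
DER_PKCS8, DER_P12 = bytes.fromhex("300702010030000400"), bytes.fromhex("30050201033000")
```

Running such a check where the files are staged catches a PKCS12 bundle or a missing passphrase before the commit is attempted on the SBC.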

SBX-120401 Add support for IPv6 for RADIUS server

The configuration object "vsaVendorType" is added to RADIUS Authentication.

Command Syntax

Example
% set oam radiusAuthentication radiusServer <serverName>
    authenticationMethod <pap | peapmschapv2>
    mgmtInterfaceGroup <string>
    priority <#>
    radiusNasIp <x.x.x.x>
    radiusServerIp <x.x.x.x>
    radiusServerPort <#>
    radiusSharedSecret <8-128>
    state <disabled | enabled>
    vsaVendorType <none | 0-255>


Command Parameters

| Parameter | Length/Range | Default | Description | M/O |
|---|---|---|---|---|
| vsaVendorType | none, or 0-225 | none | Select "none" to allow all VSA vendor-types, or a number between 0-225 to only allow the group name to get returned in a VSA with that vendor-type. | O |


Configuration Examples

set oam radiusAuthentication radiusServer defaultServer vsaVendorType 123
commit
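
The effect of vsaVendorType can be illustrated on the wire format of a RADIUS Vendor-Specific attribute (RFC 2865, type 26). This is an added example, not Ribbon code: it parses an attribute list and returns only the group names carried in a VSA whose vendor-type matches. The function names, the Vendor-Id 99999 and the sample bytes are constructed, and because this page does not say how the SBC treats the Vendor-Id, the sketch filters on vendor-type only.

```python
import struct

VENDOR_SPECIFIC = 26  # RFC 2865 section 5.26

def iter_records(buf, what):
    """Yield (type, value) for each type/length/value record in buf."""
    i = 0
    while i < len(buf):
        # The length octet counts the type and length octets themselves.
        if len(buf) - i < 2 or buf[i + 1] < 2 or i + buf[i + 1] > len(buf):
            raise ValueError(f"malformed {what} at offset {i}")
        yield buf[i], buf[i + 2:i + buf[i + 1]]
        i += buf[i + 1]

def iter_vsas(attrs):
    """Yield (vendor_id, vendor_type, value) for every VSA sub-attribute."""
    for atype, body in iter_records(attrs, "attribute"):
        if atype != VENDOR_SPECIFIC:
            continue
        if len(body) < 4:
            raise ValueError("Vendor-Specific attribute shorter than Vendor-Id")
        (vendor_id,) = struct.unpack("!I", body[:4])
        for vtype, value in iter_records(body[4:], "vendor sub-attribute"):
            yield vendor_id, vtype, value

def group_names(attrs, vsa_vendor_type=None):
    """None models vsaVendorType 'none'; an int accepts only that vendor-type."""
    return [value.decode("utf-8") for _, vtype, value in iter_vsas(attrs)
            if vsa_vendor_type is None or vtype == vsa_vendor_type]

def encode_attr(attr_type, value):
    """Build one type/length/value record (used only for the sample below)."""
    return bytes([attr_type, len(value) + 2]) + value

# Constructed attribute list: one Reply-Message and two VSAs.
SAMPLE = (encode_attr(18, b"ok")
          + encode_attr(26, struct.pack("!I", 99999) + encode_attr(123, b"Administrator"))
          + encode_attr(26, struct.pack("!I", 99999) + encode_attr(7, b"Guest")))
```

With the value 123 from the configuration example, only the first VSA in the sample yields a group name; with "none", both do.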

SBX-113574 CNF SIPREC Support

SIPREC commands are created or updated to support CNe pods. SIPREC commands are also updated to accept GUID as a key alongside GCID on the SBC CNe. On the SBC CNe, the OAM pod executes action commands.

The following GUID commands are added to Request Global:

  • startRecordByGuid
  • stopRecordByGuid

The following GCID commands are updated for the SBC CNe:

  • startRecord
  • stopRecord

"Globally Unique Identifier" (GUID) Commands

Command Syntax

startRecordByGuid
% request service SC podName <SC podName | ALL> global siprec startRecordByGuid GUID <GUID> callLeg ingress numOfStreams <1 | 2> srsIpAddress <SRS IP ADDRESS> srsFqdn1 <FQDN> srsPort <SRS PORT> transport <tcp | udp> trunkGroup <TRUNK GROUP NAME> srsIpAddress2 <SRS IP ADDRESS> srsFqdn2 <secondary FQDN> srsPort2 <SRS Port> transport2 <tcp | udp> trunkGroup2 <SIP Trunk Group>


stopRecordByGuid
% request service SC podName <SC podName | ALL> global siprec stopRecordByGuid GUID <GUID> recorderAddress <IP Address> recorderFqdn <FQDN> recorderPort <Port Number> recorderId <recording session ID>

Command Description

Command / Description

startRecordByGuid

Use this command and its sub-parameters to define and initiate a SIPREC recording session identified with GUID.

    • callLeg – Call leg associated with this recording session.
      • egress
      • ingress
    • GUID – GUID of call to start recording.
    • numOfStreams – The number of simultaneous streams to different Session Recording Server (SRS) IP addresses (default = 1).

    • srsFqdn1 – The FQDN of the SRS server to use for this recording, up to 63 characters. If you specify both an FQDN and individual IP address, the IP address takes precedence.
    • srsFqdn2 – The FQDN of a secondary SRS server to use if the media stream is forked, up to 63 characters.
    • srsIpAddress – The IP address of the primary recording server.

    • srsIpAddress2 – The IP address of the secondary recording server to which the media stream is forked. (only applies when numOfStreams = 2)

    • srsPort – The IP port number of the primary recording server.
    • srsPort2 – The IP port number of the secondary recording server to which the media stream is forked. (only applies when numOfStreams = 2)

    • transport – The transport protocol for recording sessions on the primary SRS IP.

      • tcp
      • udp (default)
    • transport2 – The transport protocol for recording sessions on the secondary SRS IP (only applies when numOfStreams = 2)

      • tcp
      • udp (default)

    • trunkGroup – The name of the SIPREC trunk group towards primary SRS IP for this recording session.
    • trunkGroup2 – The name of the SIPREC trunk group towards secondary SRS IP for this recording session. (only applies when numOfStreams = 2)

stopRecordByGuid

Use this command and its sub-parameters to halt a recording session identified with GUID.

    • GUID – GUID of the call to stop recording.
    • recorderAddress – The IP address of the recorder to stop the recording of a GUID value.
    • recorderFqdn – The FQDN of the SRS server on which to stop a recording, up to 63 characters.
    • recorderId – The unique identifier of the recording session to stop. You can determine the recorderId for a session using the show table global SipRecStatus command.
    • recorderPort – The port number of the recorder to stop the recording of a GUID value.


Note

Commands that take a GUID as the key need not specify the SC podName; use the "ALL" option for podName to trigger the command.

Configuration Examples

Example - startRecordByGuid
request service SC podName ALL global siprec startRecordByGuid GUID 1234567 callLeg ingress numOfStreams 1 srsIpAddress 123.45.67.89 srsFqdn1 exampledomain.com srsPort 7321 transport udp trunkGroup exampleTrunkGroup 
commit
Example - stopRecordByGuid
request service SC podName ALL global siprec stopRecordByGuid GUID 1234567 recorderAddress 123.45.67.89 recorderFqdn exampledomain.com recorderPort 1 recorderId testID
commit

"Global Call Identifier" (GCID) Commands

Command Syntax

startRecord
% request service SC podName <SC podName> global siprec startRecord gcid <gcid> callLeg ingress numOfStreams <1 | 2> srsIpAddress <SRS IP ADDRESS> srsFqdn1 <FQDN> srsPort <SRS PORT> transport <tcp | udp> trunkGroup <TRUNK GROUP NAME> srsIpAddress2 <SRS IP ADDRESS> srsFqdn2 <secondary FQDN> srsPort2 <SRS Port> transport2 <tcp | udp> trunkGroup2 <SIP Trunk Group>


stopRecord
% request service SC podName <SC podName> global siprec stopRecord gcid <gcid> recorderAddress <IP Address> recorderFqdn <FQDN> recorderPort <Port Number> recorderId <recording session ID>

Command Description

Command / Description

startRecord

Use this command and its sub-parameters to define and initiate a SIPREC recording session identified with GCID.

    • callLeg – Call leg associated with this recording session.
      • egress
      • ingress
    • gcid – GCID of call to start recording.
    • numOfStreams – The number of simultaneous streams to different Session Recording Server (SRS) IP addresses (default = 1).

    • srsFqdn1 – The FQDN of the SRS server to use for this recording, up to 63 characters. If you specify both an FQDN and individual IP address, the IP address takes precedence.
    • srsFqdn2 – The FQDN of a secondary SRS server to use if the media stream is forked, up to 63 characters.
    • srsIpAddress – The IP address of the primary recording server.

    • srsIpAddress2 – The IP address of the secondary recording server to which the media stream is forked. (only applies when numOfStreams = 2)

    • srsPort – The IP port number of the primary recording server.
    • srsPort2 – The IP port number of the secondary recording server to which the media stream is forked. (only applies when numOfStreams = 2)

    • transport – The transport protocol for recording sessions on the primary SRS IP.

      • tcp
      • udp (default)
    • transport2 – The transport protocol for recording sessions on the secondary SRS IP (only applies when numOfStreams = 2)

      • tcp
      • udp (default)

    • trunkGroup – The name of the SIPREC trunk group towards primary SRS IP for this recording session.
    • trunkGroup2 – The name of the SIPREC trunk group towards secondary SRS IP for this recording session. (only applies when numOfStreams = 2)

stopRecord

Use this command and its sub-parameters to halt a recording session identified with GCID.

    • GCID – GCID of the call to stop recording.
    • recorderAddress – The IP address of the recorder to stop the recording of a GCID value.
    • recorderFqdn – The FQDN of the SRS server on which to stop a recording, up to 63 characters.
    • recorderId – The unique identifier of the recording session to stop. You can determine the recorderId for a session using the show table global SipRecStatus command.
    • recorderPort – The port number of the recorder to stop the recording of a GCID value.

Note

Commands that take a GCID as the key must specify the SC podName on which the call is hosted.

Configuration Examples

Example - startRecord
request service SC podName testPod global siprec startRecord gcid 1234567 callLeg ingress numOfStreams 1 srsIpAddress 123.45.67.89 srsFqdn1 exampledomain.com srsPort 7321 transport udp trunkGroup exampleTrunkGroup
commit
Example - stopRecord
request service SC podName testPod global siprec stopRecord gcid 1234567 recorderAddress 123.45.67.89 recorderFqdn exampledomain.com recorderPort 1 recorderId testID
commit

SBX-112973 MS Teams Tenant Number Configuration

The SBC is enhanced to send the tenant number, derived from the REFER SIP message's FROM header, in the INPUT DATA to the PES. A trunk group parameter, sendReferTransferorNumberToPSX ("Send Refer Transferor Number To PSX"), is added to control this activity. When it is enabled, the INPUT DATA for the PES contains the tenant (transferor) number from the REFER message.

When the control is enabled, the SBC exhibits the same behavior as the Diversion. If the control sendReferTransferorNumberToPSX is enabled and the REFER Transferor number is sent to the PSX, the next INVITE’s To header is mapped from the Redirection Origination Number and becomes different from the RURI, unless the following control is set:

% set profiles signaling ipSignalingProfile <IPSP_NAME> egressIpAttributes sipHeadersAndParameters sipToHeaderMapping calledNumber

Command Syntax

Example
% set addressContext <addressContext name> zone <ZONE NAME> sipTrunkGroup <TG NAME> services sendReferTransferorNumberToPSX <disabled | enabled>

Command Parameters

| Parameter | Length/Range | Default | Description | M/O |
|---|---|---|---|---|
| sendReferTransferorNumberToPSX | N/A | disabled | Use this parameter to send the transferor party number to the PSX. Values: disabled, enabled. | O |

Configuration Examples

set addressContext default zone SIP_ZONE_AS sipTrunkGroup SIP_TG_AS_V4 services sendReferTransferorNumberToPSX enabled

SBX-105149 IPsec Phase 2 support for SHA2 on SWe

SBC SWe only: To support SHA2, the following three options are added to "integrity" in the IPsec Protection Profile:

  • hmacSha256
  • hmacSha384
  • hmacSha512

Command Syntax

SHA2 - Example
% set profiles security ipsecProtectionProfile <profile> espAlgorithms integrity <hmacMd5 | hmacSha1 | hmacSha256 | hmacSha384 | hmacSha512>

Command Parameters

| Parameter | Length/Range | Default | Description | M/O |
|---|---|---|---|---|
| integrity | n/a | hmacSha1 | The IKE Protection Profile Integrity Cipher. Values: hmacMd5, hmacSha1 (default), hmacSha256, hmacSha384, hmacSha512. | O |

Configuration Example

SHA2 - Configuration Example
set profiles security ipsecProtectionProfile exampleProfile espAlgorithms integrity hmacSha512
commit

SBX-94531 Port speed says 1Gbps for SR-IOV interface in VMWare

The following two CLI commands are altered to hide the "Packet Port Speed" entry:

  • show table system serverAdmin
  • show table system serverStatus

Users can still access packet port speed information by entering the following command:

  • show table system ethernetPort packetPortStatus

Configuration Examples

WITHOUT FEATURE: "serverAdmin" command
show table system serverAdmin 
       ACTUAL                     DEVICE
       CE      COREDUMP           SMART   MODULAR                PKT PORT     HW SUB
NAME   NAME    PROFILE   ROLE     ATTRIB  TYPE     HW TYPE       SPEED        TYPE
---------------------------------------------------------------------------------------
sbc1  sbc1    default    primary   0      false    ConnexIP5000  speed1Gbps  virtual

Note

Observe how the "PKT PORT SPEED" entry in the config example above is hidden in the example below, with the feature applied.

WITH FEATURE: "serverAdmin" command
show table system serverAdmin
      ACTUAL                     DEVICE
      CE      COREDUMP           SMART   MODULAR                HW SUB
NAME  NAME    PROFILE   ROLE     ATTRIB  TYPE     HW TYPE       TYPE
--------------------------------------------------------------------------
sbc1  sbc1    default   primary   0      false    ConnexIP5000  virtual