Oracle® Communications Service Broker Signaling Domain Configuration Guide
Release 6.0

Part Number E23526-02

6 Configuring RADIUS Signaling Server Units

The following sections describe how to configure Service Broker RADIUS SSUs using the Service Broker Administration Console and Java MBeans.

About the RADIUS SSU

Using the RADIUS SSU, Service Broker receives RADIUS accounting and access requests from the network and forwards these requests to an appropriate application.

When configuring the RADIUS SSU, you set up the following:

Configuring Incoming Routing Rules

Incoming routing rules define the IM to which the RADIUS SSU routes RADIUS requests received from the network. You configure rules for the following types of requests:

Configuring Incoming Routing Rules for Accounting Requests

When an accounting event occurs, a RADIUS client sends an accounting request to Service Broker, which acts as a RADIUS server. You can define the IM to which the RADIUS SSU further routes the accounting request based on the local realm set in the request.

You can configure incoming routing rules for accounting requests using the Administration Console or Java MBeans.

Configuring Incoming Routing Rules with the Administration Console

To configure RADIUS SSU Accounting parameters:

  1. In the navigation tree in the domain navigation pane, expand the OCSB node.

  2. Expand the Signaling Tier node.

  3. Select the SSU RADIUS node.

  4. In the SSU RADIUS tab, click the Accounting subtab.

  5. At the bottom of the Incoming Routing Rules pane, click the New button.

    The New dialog box appears.

  6. Fill in the fields of the New dialog box described in Table 6-1.

    Table 6-1 RADIUS Accounting Incoming Routing Parameters

    Field Descriptions

    Name

    Specifies a unique routing rule name.

    Local Realm

    Specifies the value to match against the Local Realm.

    Example:

    user-name@isp.net

    If a RADIUS accounting request arrives containing only a user name but without a Local Realm, the RADIUS SSU discards the request. To prevent the request from being discarded when no Local Realm is specified, set this field to any. The RADIUS SSU then forwards the request to the destination specified in the Alias field.

    Important: When typing any into the Local Realm field, you must use only lower case, as follows: any. Do not type Any or ANY.

    Alias

    Specifies the URL of the destination IM to which the RADIUS message is dispatched. The alias has the following format:

    SSU:IM-instance-name.IM-type@domain-id

    • IM-instance-name: IM instance name you specified when you added this IM in the IM configuration pane.

    • IM-type: Type of IM instance.

    • domain-id: Name of the Processing Domain or Processing Domain Group where the relevant IM or application is deployed. This parameter is required only when your Service Broker deployment includes two or more Processing Domains.

      Use the name given to the domain when it was created. This name is specified by the axia.domain.id property.

      To set a Processing Domain Group, you must specify the group name. See "Managing Processing Domain Groups" in the Oracle Communications Service Broker Processing Domain Configuration Guide for more information.

      Example: SSU:imocf.IMOCF@ocsb.1


  7. Click OK.

Configuring Incoming Routing Rules with Java MBeans

Figure 6-1 shows the hierarchy of the configuration MBeans that you use to configure incoming routing rules for accounting requests. See "RADIUS SSU Configuration MBeans Reference" for the object names of these MBeans.

Figure 6-1 Incoming Routing Rules for Accounting Requests Configuration MBeans

Incoming Routing Rules for Accounting Requests

Each incoming routing rule is represented by RadiusAccountingIncomingRoutingRuleMBean. You need to create a separate instance of RadiusAccountingIncomingRoutingRuleMBean for each rule.

To create an incoming routing rule for an accounting request:

  1. Create an instance of RadiusAccountingIncomingRoutingRuleMBean by invoking the following operation of RadiusAccountingIncomingRoutingRulesMBean:

    ObjectName createRadiusAccountingIncomingRoutingRule(string IncomingRuleName)
    
  2. Set the following attributes of the newly created instance of RadiusAccountingIncomingRoutingRuleMBean:

    • LocalRealm

    • Alias

    See Table 6-1 for more information about these attributes.
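A pre-flight check for the rule values in Table 6-1, as an added example (not Oracle code): it parses the Alias format, flags a mis-cased any, a repeated Name, and a missing domain-id when there are two or more Processing Domains. The function names, the token character set, the upper-case SSU: prefix requirement and the sample realm value are assumptions.

```python
import re

# Assumed token grammar: the page gives only the overall shape
# SSU:IM-instance-name.IM-type@domain-id, not the allowed characters.
ALIAS_RE = re.compile(
    r"^SSU:(?P<instance>[^.@\s:]+)\.(?P<im_type>[^.@\s:]+)(?:@(?P<domain>[^@\s:]+))?$"
)


def parse_alias(alias):
    """Split an Alias into its three parts, or return None if it is malformed."""
    match = ALIAS_RE.match(alias)
    return match.groupdict() if match else None


def lint_rules(rules, multi_domain=False):
    """Return (rule name, problem) pairs for a list of routing-rule dicts."""
    findings = []
    seen = set()
    for rule in rules:
        name = rule.get("Name", "")
        realm = rule.get("LocalRealm", "")
        if not name:
            findings.append((name, "Name is empty"))
        elif name in seen:
            findings.append((name, "Name is not unique"))
        seen.add(name)
        if not realm:
            findings.append((name, "LocalRealm is empty"))
        elif realm != "any" and realm.lower() == "any":
            # Table 6-1: only the lower-case spelling is accepted.
            findings.append((name, "LocalRealm must be lower-case 'any'"))
        parts = parse_alias(rule.get("Alias", ""))
        if parts is None:
            findings.append((name, "Alias is not SSU:instance.type[@domain-id]"))
        elif multi_domain and parts["domain"] is None:
            findings.append(
                (name, "Alias needs @domain-id with two or more Processing Domains")
            )
    return findings


# Constructed rule set; the first Alias is the example from Table 6-1,
# the realm value isp.net is an assumed illustration.
SAMPLE_RULES = [
    {"Name": "isp", "LocalRealm": "isp.net", "Alias": "SSU:imocf.IMOCF@ocsb.1"},
    {"Name": "fallback", "LocalRealm": "Any", "Alias": "SSU:imocf.IMOCF"},
    {"Name": "isp", "LocalRealm": "any", "Alias": "imocf.IMOCF@ocsb.1"},
]

if __name__ == "__main__":
    for name, problem in lint_rules(SAMPLE_RULES, multi_domain=True):
        print(f"{name}: {problem}")
```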

Specifying the Service Broker Component for Dispatching Access Requests

To request authorization for access to a RADIUS server, a Network Access Server (NAS) sends a RADIUS access request to Service Broker, which acts as a RADIUS server. You can specify the Service Broker component to which the RADIUS SSU dispatches the access request.

You can specify this component using the Administration Console or Java MBeans.

Specifying the Service Broker Component with the Administration Console

To specify the Service Broker component:

  1. In the navigation tree in the domain navigation pane, expand the OCSB node.

  2. Expand the Signaling Tier node.

  3. Select the SSU RADIUS node.

  4. In the SSU RADIUS tab, click the Access subtab.

  5. In the Radius Access Inbound Destination field, enter the address of the Service Broker component to which you want to dispatch the RADIUS Access request.

    The address has the following format: ssu:domain

    domain: The name of the domain to which the request is dispatched.

    For example: ssu:ocsb

    If you leave this field empty, the request is not routed through Service Broker.

  6. Click Apply.

Specifying the Service Broker Component with Java MBeans

Figure 6-2 shows the hierarchy of configuration MBeans that you use to specify the Service Broker component to which the RADIUS SSU dispatches access requests. See "RADIUS SSU Configuration MBeans Reference" for the object names of these MBeans.

Figure 6-2 Access Requests Configuration MBeans

Incoming Routing Rules for Access Requests

To specify the Service Broker component:

  • Set the AccessDestination attribute of RadiusAccessIncomingRoutingRuleMBean to the address of the Service Broker component to which the RADIUS SSU needs to route the access request. See

    The address has the following format: ssu:domain

    domain: The name of the domain to which the request is dispatched.

    For example: ssu:ocsb

    If you leave this field empty, the request is not routed through Service Broker.

Providing a Custom Dictionary

By default, Service Broker uses the standard RADIUS dictionary defined in the RFC 2865 (see http://www.ietf.org/rfc/rfc2865.txt for more information). If you need Service Broker to recognize additional vendor-specific AVPs, you can provide Service Broker with a custom dictionary.

You can provide a custom dictionary file using the Administration Console or Java MBeans.

Providing a Custom Dictionary File with the Administration Console

To provide a custom dictionary file:

  1. In the navigation tree in the domain navigation pane, expand OCSB.

  2. Expand the Signaling Tier node.

  3. Select the RADIUS SSU node.

  4. Click the RADIUS Custom Dictionary tab.

  5. In the Custom dictionary file field, enter the path of the custom dictionary file located on your local file system.

Providing a Custom Dictionary File with Java MBeans

Figure 6-3 shows the hierarchy of the configuration MBeans that you use to provide a custom dictionary file. See "RADIUS SSU Configuration MBeans Reference" for the object names of these MBeans.

Figure 6-3 Custom Dictionary Configuration MBeans

Custom Dictionary Configuration MBeans

To provide a custom dictionary file:

  1. Create an instance of customDictionaryMBean by invoking the following operation of ServerMBean:

    void addCustomDictionary()
    
  2. Set the path attribute of the newly created instance of customDictionaryMBean to the path of your custom dictionary file located on your local file system.

Configuring Server Parameters

To receive RADIUS authentication and accounting requests from the network, you configure the following:

Configuring Server Parameters

You set up server parameters to define how the RADIUS SSU receives RADIUS requests. You can set up server parameters using the Administration Console or Java MBeans.

Configuring Server Parameters with the Administration Console

To configure server parameters:

  1. In the navigation tree in the domain navigation pane, expand OCSB.

  2. Expand the Signaling Tier node.

  3. Select the RADIUS SSU node.

  4. Click the RADIUS tab.

  5. Click the Server Configuration subtab and then the Server tab.

  6. Click New.

    The New dialog box appears.

  7. Fill in the fields described in Table 6-2.

    Table 6-2 Server Parameters

    Field Description

    Target managed server

    Specifies the target managed server.

    IP Address

    Specifies the IP address that the RADIUS SSU uses to listen for RADIUS messages.

    Authentication Port

    Specifies the port that the RADIUS SSU uses to receive RADIUS authentication messages.

    Accounting Port

    Specifies the port that the RADIUS SSU uses to receive RADIUS accounting messages.

    UDP Connection timeout

    Specifies the UDP connection timeout in seconds.

    Retransmission detection time

    Specifies the period of time during which the RADIUS SSU treats incoming RADIUS messages as retransmissions if they have the same ID and are sent by the same peer. The RADIUS SSU ignores these messages.

    If you set the retransmissionTime parameter to 0, the RADIUS SSU does not recognize these messages as retransmissions.

    Root CA Store key

    Specifies the root CA keystore key. You provide this key to the credential store that contains root CA certificates.

    Server Key Store key

    Specifies the server keystore. You provide this key to the credential store that contains server certificates.
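The Retransmission detection time rule, modelled as an added example (not Oracle code): a filter that ignores a message when the same peer sent the same ID inside the window, and a count of the new requests that rule discards once a busy peer wraps around the one-octet RADIUS Identifier. The class and function names, the peer address and the request rates are assumptions; the model compares only peer and ID, as Table 6-2 describes.

```python
RADIUS_ID_SPACE = 256  # the RADIUS Identifier field is one octet (RFC 2865)


class RetransmissionFilter:
    """Model of the Table 6-2 rule: same peer + same ID inside the window is ignored."""

    def __init__(self, retransmission_time):
        self.window = retransmission_time  # seconds; 0 disables detection
        self._accepted_at = {}             # (peer, identifier) -> time last accepted

    def accept(self, peer, identifier, now):
        """Return True if the message is processed, False if it is ignored."""
        if self.window <= 0:
            return True
        key = (peer, identifier)
        last = self._accepted_at.get(key)
        if last is not None and now - last < self.window:
            return False
        self._accepted_at[key] = now
        return True


def ignored_new_requests(retransmission_time, requests_per_second, total_requests):
    """Count distinct new requests from one peer that the window discards
    because the peer has cycled through all 256 identifiers."""
    flt = RetransmissionFilter(retransmission_time)
    ignored = 0
    for n in range(total_requests):
        now = n / requests_per_second
        # 192.0.2.10 is a constructed peer address.
        if not flt.accept("192.0.2.10", n % RADIUS_ID_SPACE, now):
            ignored += 1
    return ignored


if __name__ == "__main__":
    for window in (0, 2, 5):
        lost = ignored_new_requests(window, requests_per_second=100, total_requests=300)
        print(f"retransmissionTime={window}s -> {lost} new requests ignored")
```

At 100 requests per second a peer reuses an ID every 2.56 seconds, so a window longer than that discards genuine new requests; size the value against the busiest client's request rate.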


Configuring Server Parameters with Java MBeans

Figure 6-4 shows the hierarchy of the configuration MBeans that you use to configure server parameters. See "RADIUS SSU Configuration MBeans Reference" for object names of these MBeans.

Figure 6-4 RADIUS Server Configuration MBeans

RADIUS Server Configuration MBeans

When you create an instance of ServerMBean, a set of child MBeans is created. Each child MBean represents a single parameter of the server.

To set up a server:

  1. Create an instance of ServerMBean by invoking the following operation of RadiusConfigMBean:

    void addServer()
    

    ServerMBean is created with the following child MBeans:

    • accountingPortMBean

    • authenticationPortMBean

    • retransmissionTimeMBean

    • targetMBean

    • udpConnectionTimeoutMBean

  2. Create additional child MBeans of ServerMBean by invoking the following operations of ServerMBean:

    void addListenAddress()
    void addRootCAStoreKey()
    void addServerKeyStoreKey()
    
  3. Set the attributes of the child MBeans as described in Table 6-3.

    Table 6-3 ServerMBean Child MBeans and Their Attributes

    MBean                        Attribute

    listenAddressMBean           listenAddress
    rootCAStoreKeyMBean          rootCAStoreKey
    serverKeyStoreKeyMBean       serverKeyStoreKey
    authenticationPortMBean      authenticationPort
    accountingPortMBean          accountingPort
    udpConnectionTimeoutMBean    udpConnectionTimeout
    retransmissionTimeMBean      retransmissionTime
    targetMBean                  target


    See Table 6-2 for more information about these attributes.

Specifying the NAS Port Range

You can configure Service Broker to receive RADIUS requests from those NASs whose port is in a certain range. To specify the range, you define the lower and upper limits of the range.

You can specify the NAS port range using the Administration Console or Java MBeans.

Specifying the NAS Port Range with the Administration Console

To specify the port range:

  1. In the navigation tree in the domain navigation pane, expand OCSB.

  2. Expand the Signaling Tier node.

  3. Select the RADIUS SSU node.

  4. Click the RADIUS tab and then the Server Configuration subtab.

  5. In the Valid NAS Port Range tab, fill in the fields as described in Table 6-4.

    Table 6-4 Valid NAS Port Range Parameters

    Field Description

    Min Value of NAS Port

    Specifies the lower limit of the range.

    Max Value of NAS Port

    Specifies the upper limit of the range.


Specifying the NAS Port Range with Java MBeans

Figure 6-5 shows the hierarchy of the configuration MBeans that you use to specify the NAS port range. See "RADIUS SSU Configuration MBeans Reference" for the object names of these MBeans.

Figure 6-5 NAS Range Configuration MBeans

NAS Range Configuration MBeans

To specify the NAS port range:

  1. Create an instance of validNasPortMBean by invoking the following operation of ServerMBean:

    void addValidNasPort()
    

    validNasPortMBean is created with the following child MBeans:

    • minValueMBean

    • maxValueMBean

  2. Set the attributes of the child MBeans as described in Table 6-5.

    Table 6-5 validNasPort Child MBeans and Their Attributes

    MBean            Attribute

    minValueMBean    minValue
    maxValueMBean    maxValue


Setting Up RADIUS Clients

A RADIUS client is a network entity from which the RADIUS SSU receives accounting and access requests. To enable the RADIUS SSU to establish communication with RADIUS clients, you need to define a set of settings for each RADIUS client.

This set of settings consists of the following:

The Online Mediation Controller is provided with the client profile and AVPs for a default client profile. You can use the default profile as is. In addition, you can set up configuration settings for additional RADIUS clients.

Setting Up a Client Profile

To receive RADIUS requests, you define the RADIUS clients from which the RADIUS SSU receives accounting and access requests.

A client profile defines RADIUS clients from which the RADIUS SSU receives accounting and access requests.

The Online Mediation Controller is provided with a default client profile. You can edit the settings of the default profile and create new profiles using the Administration Console or Java MBeans.

Setting Up a Client Profile with the Administration Console

To set up a client profile:

  1. In the navigation tree in the domain navigation pane, expand OCSB.

  2. Expand the Signaling Tier node.

  3. Select the RADIUS SSU node.

  4. Click the RADIUS tab and then the Client Profile tab.

  5. Click the Client Profile tab.

  6. Click New.

    The New dialog box appears.

  7. Fill in the fields described in Table 6-6.

    Table 6-6 Client Profile Parameters

    Field Description

    Client Address

    Specifies the IP address of the RADIUS client from which the RADIUS SSU receives requests.

    If you want to define a range of addresses to receive requests from a group of RADIUS clients, you can use a regular expression.

    For example, if you want the RADIUS SSU to receive requests from the clients whose IP addresses start with 10.148, you can set the clientAddress parameter to 10.148.*.*

    Client NAS Identifier

    Specifies the ID of the Network Access Server (NAS) from which the RADIUS SSU receives accounting and access requests.

    If you want to define a range of IDs to receive requests from a group of NASs, you can use a regular expression.

    For example, if you want the RADIUS SSU to receive requests from the NASs whose IDs are in the oracle.com domain, you can set the clientNasId to *.oracle.com.

    Authentication Shared Secret Key

    Specifies the key that you associated with the password that the RADIUS SSU uses for authentication requests. You associate keys and passwords using the Credential Store tab.

    See "Associating Passwords with Keys" for more information.

    Accounting Shared Secret Key

    Specifies the key that you associated with the password that the RADIUS SSU uses for accounting requests. You associate keys and passwords using the Credential Store tab.

    See "Associating Passwords with Keys" for more information.
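Table 6-6 calls the Client Address and Client NAS Identifier values regular expressions, while its examples 10.148.*.* and *.oracle.com are written like wildcards. The following added example (not Oracle code) shows which source addresses each reading of a pattern would admit outside the intended network, so you can compare it with what your deployment actually accepts; the three readings, the 10.148.0.0/16 intent, the function names and the sample addresses are assumptions, because the page does not say how Service Broker evaluates the pattern.

```python
import fnmatch
import ipaddress
import re

# Three ways a matcher could read the pattern text. Which one Service Broker
# applies is not stated on the page; treat these as hypotheses to test.
READINGS = ("glob", "regex_full", "regex_search")


def admits(pattern, value):
    """Return {reading: True/False/None}; None means Python's re rejects the pattern."""
    result = {"glob": fnmatch.fnmatchcase(value, pattern)}
    try:
        compiled = re.compile(pattern)
    except re.error:
        result["regex_full"] = None
        result["regex_search"] = None
        return result
    result["regex_full"] = compiled.fullmatch(value) is not None
    result["regex_search"] = compiled.search(value) is not None
    return result


def unintended_sources(pattern, intended_cidr, candidates):
    """List the candidate IPs each reading admits although they lie outside intended_cidr."""
    network = ipaddress.ip_network(intended_cidr)
    leaks = {reading: [] for reading in READINGS}
    for text in candidates:
        if ipaddress.ip_address(text) in network:
            continue  # inside the intended range, so admitting it is correct
        for reading, matched in admits(pattern, text).items():
            if matched:
                leaks[reading].append(text)
    return leaks


# Constructed sample source addresses.
CANDIDATES = ["10.148.7.9", "10.149.0.1", "210.148.1.1", "192.0.2.10", "172.16.10.148"]

if __name__ == "__main__":
    # Pattern from Table 6-6, then an anchored and escaped regex for the same intent.
    for pattern in ("10.148.*.*", r"^10\.148\.\d{1,3}\.\d{1,3}$"):
        print(pattern, unintended_sources(pattern, "10.148.0.0/16", CANDIDATES))
    # NAS identifier pattern from Table 6-6 against a constructed NAS ID.
    print(admits("*.oracle.com", "nas1.oracle.com"))
```

Read as an unanchored regular expression, 10.148.*.* also admits 210.148.1.1 and 172.16.10.148, and *.oracle.com does not compile as a regular expression in Python at all, so confirm the matching behaviour on a test system before relying on a pattern to restrict which clients are accepted.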


Setting Up a Client Profile with Java MBeans

Figure 6-6 shows the hierarchy of the configuration MBeans that you use to configure a client profile. See "RADIUS SSU Configuration MBeans Reference" for the object names of these MBeans.

Figure 6-6 ClientProfile Configuration MBeans

ClientProfile Configuration MBeans

After an instance of ClientProfileMBean is created, you can create the set of child MBeans. Each child MBean represents a single parameter of the profile.

To set up a client profile:

  1. Create an instance of ClientProfileMBean by invoking the following operation of RadiusConfigMBean:

    void addClientProfile()
    
  2. Create child MBeans of ClientProfileMBean by invoking the following operations of ClientProfileMBean:

    void addClientAddress()
    void addClientNasId()
    void addCheckAVPFilter()
    void addReturnAVPFilter()
    
  3. Set the attributes of the child MBeans as described in Table 6-7.

    Table 6-7 ClientProfileMBean Child MBeans and Their Attributes

    MBean                   Attribute

    clientAddressMBean      clientAddress
    clientNasIdMBean        clientNasId
    checkAVPFilterMBean     checkAVPFilter
    returnAVPFilterMBean    returnAVPFilter


    See Table 6-6 for more information about these attributes.

Specifying AVPs to Be Copied from a Request to a Response

You can specify the AVPs that the RADIUS SSU needs to copy from a request to a response. In the default client profile, the RADIUS SSU copies the following AVPs:

  • User-Name

  • Acct-Session-Id

You can add more AVPs to the default client profile or to a new client profile that you created using the Administration Console or Java MBeans.

Specifying AVPs to Be Copied with the Administration Console

To specify the AVPs:

  1. In the navigation tree in the domain navigation pane, expand OCSB.

  2. Expand the Signaling Tier node.

  3. Select the RADIUS SSU node.

  4. Click the RADIUS tab and then the Client Profile tab.

  5. Click the Avps to copy from Response to Request tab.

  6. Click New.

    The New dialog box appears.

  7. In the New dialog box, in the Attribute Name field, enter the name of the AVP that the RADIUS SSU needs to copy.

  8. Click OK.

    The new AVP appears in the configuration screen.

Specifying AVPs to Be Copied with Java MBeans

Figure 6-7 shows the hierarchy of the configuration MBeans that you use to specify AVPs that the RADIUS SSU needs to copy from a request to a response. See "RADIUS SSU Configuration MBeans Reference" for the object names of these MBeans.

Figure 6-7 RADIUS AVPs Configuration MBeans

RADIUS AVPs Configuration MBeans

To specify the AVPs that the RADIUS SSU needs to copy:

  1. Create an instance of returnAVPFilterMBean by invoking the following operation of ClientProfileMBean:

    void addReturnAVPFilter()
    
  2. Create an instance of possibleAttributeNameMBean by invoking the following operation of returnAVPFilterMBean:

    void addPossibleAttributeName()
    

    The new instance of possibleAttributeNameMBean is created with the child MBean attributeNameMBean.

  3. Set the attributeName of the attributeNameMBean to the name of the AVP that the RADIUS SSU needs to copy from the request to a response.

Configuring Proxy Realm

You can configure the RADIUS SSU to forward accounting and access requests to a proxy server. You can define the proxy server to which the RADIUS SSU routes a request based on the user name specified in the incoming request.

When you configure a proxy server, you define the following:

Configuring Proxy Realm

A proxy realm defines the realm to which the RADIUS SSU routes an accounting or access request. You can set up conditions for routing a request to a specific realm based on the User-Name AVP specified in the incoming request.

You configure a proxy realm using the Administration Console or Java MBeans.

Configuring Proxy Realm with the Administration Console

To configure a proxy realm:

  1. In the navigation tree in the domain navigation pane, expand OCSB.

  2. Expand the Signaling Tier node.

  3. Select the RADIUS SSU node.

  4. Click the RADIUS tab.

  5. Click the Proxy Realm subtab and then the Proxy Realm tab.

  6. Click New.

    The New dialog box appears.

  7. Fill in the fields described in Table 6-8.

    Table 6-8 Proxy Realm Parameters

    Field Description

    Name

    Specifies the name of the proxy realm.

    Username Match Criteria

    Specifies the User-Name AVP to be set in the incoming request. If this AVP matches the value of the userNameMatchCriteria parameter, the RADIUS SSU routes the request to the realm specified in the name parameter.

    To define a range of possible names, you can use regular expressions.

    Authentication Shared Secret Key

    Specifies the key that you associated with the password that the RADIUS SSU uses for authentication requests. You associate keys and passwords using the Credential Store tab.

    See "Associating Passwords with Keys" for more information.

    Accounting Shared Secret Key

    Specifies the key that you associated with the password that the RADIUS SSU uses for accounting requests. You associate keys and passwords using the Credential Store tab.

    See "Associating Passwords with Keys" for more information.

    Request Timeout

    Specifies the period of time, in seconds, that the RADIUS SSU waits for a response from the target RADIUS server.

    Number Of Retries

    Specifies the number of times that the RADIUS SSU attempts to send a RADIUS request to the target RADIUS server.


Configuring Proxy Realm with Java MBeans

Figure 6-8 shows the hierarchy of the configuration MBeans that you use to configure a proxy realm. See "RADIUS SSU Configuration MBeans Reference" for the object names of these MBeans.

Figure 6-8 Proxy Realm Configuration MBeans

Proxy Realm Configuration MBeans

When you create an instance of ProxyRealmMBean, the set of child MBeans is automatically created. Each child MBean represents a single parameter of the proxy realm.

To set up a proxy realm:

  1. Create an instance of ProxyRealmMBean by invoking the following operation of RadiusConfigMBean:

    void addProxyRealm()
    

    ProxyRealmMBean is created with the following child MBeans:

    • accountingSharedSecretKeyMBean

    • authenticationSharedSecretKeyMBean

    • nameMBean

    • numOfRetriesMBean

    • requestTimeoutMBean

    • userNameMatchCriteriaMBean

  2. Set the attributes of the child MBeans as described in Table 6-9.

    Table 6-9 ProxyRealmMBean Child MBeans and Their Attributes

    MBean                                 Attribute

    accountingSharedSecretKeyMBean        accountingSharedSecretKey
    authenticationSharedSecretKeyMBean    authenticationSharedSecretKey
    nameMBean                             name
    numOfRetriesMBean                     numOfRetries
    requestTimeoutMBean                   requestTimeout
    userNameMatchCriteriaMBean            userNameMatchCriteria


    See Table 6-8 for more information about these attributes.

Configuring Target Servers

A target server defines a server in the realm to which the RADIUS SSU routes an accounting or access request when the User-Name AVP set in the request matches the value set in the proxy realm configuration.

You can configure a target server using the Administration Console or Java MBeans.

Configuring Target Servers with the Administration Console

To configure a target server:

  1. In the navigation tree in the domain navigation pane, expand OCSB.

  2. Expand the Signaling Tier node.

  3. Select the RADIUS SSU node.

  4. Click the RADIUS tab.

  5. Click the Proxy Realm Configuration subtab and then the Target Servers tab.

  6. In the Parent list, select the proxy realm for which you set up the server. The list displays the proxy realms that you configured using the ProxyRealm tab. See "Configuring Proxy Realm with the Administration Console" for more information.

  7. Click New.

    The New dialog box appears.

  8. Fill in the fields described in Table 6-10.

    Table 6-10 TargetServers Parameters

    Field Description

    Server Address

    Specifies the IP address of the proxy server.

    Authentication port

    Specifies the port that the RADIUS SSU uses to receive RADIUS authentication messages.

    Accounting port

    Specifies the port that the RADIUS SSU uses to receive RADIUS access messages.


Configuring Target Servers with Java MBeans

Figure 6-9 shows the hierarchy of the configuration MBeans that you use to configure target servers. See "RADIUS SSU Configuration MBeans Reference" for the object names of these MBeans.

Figure 6-9 TargetServer Configuration MBeans


When you create an instance of targetServerMBean, the set of child MBeans is automatically created. Each child MBean represents a single parameter of the target server.

To set up a target server:

  1. Create an instance of ProxyRealmMBean by invoking the following operation of RadiusConfigMBean:

    void addProxyRealm()
    
  2. Create an instance of targetServerMBean by invoking the following operation of ProxyRealmMBean:

    void addTargetServer()
    

    targetServerMBean is created with the following child MBeans:

    • serverAddressMBean

    • authenticationPortMBean

    • accountingPortMBean

  3. Set the attributes of the child MBeans as described in Table 6-11.

    Table 6-11 targetServerMBean Child MBeans and Their Attributes

    MBean                      Attribute

    serverAddressMBean         serverAddress
    authenticationPortMBean    authenticationPort
    accountingPortMBean        accountingPort


    See Table 6-10 for more information about these attributes.

Configuring the Credential Store

To allow Service Broker to establish a connection with a RADIUS client or server, you need to provide a valid password. Service Broker stores these passwords in the credential store.

Associating Passwords with Keys

Each password that Service Broker stores in the credential store must have a key. You define a key when specifying a password. Then you use the key when setting up a RADIUS client or a server in the RADIUS SSU. You can use the same key for multiple clients or servers. For example, this can be useful when you use the same password for authentication, accounting, and proxy configuration.

To associate a password with a key:

  1. In the navigation tree in the domain navigation pane, expand OCSB.

  2. Expand the Signaling Tier node.

  3. Select the RADIUS SSU node.

  4. Click the RADIUS tab.

  5. Click the Credential Store subtab.

  6. In the Password area, in the Key field, enter a key that you want to associate with the password.

  7. In the Password field, enter the password for connection with a RADIUS client or server.

  8. Do one of the following:

    • If you want the RADIUS SSU to include credentials in outgoing requests and thus, authenticate to an external entity, clear the One-way check box.

    • If you want the RADIUS SSU to include credentials in incoming requests only, select the One-way check box.

Setting Up the Key Store Password and URL

The RADIUS SSU stores connections and their passwords in an encrypted file known as the Credential Store. You specify the name and location of the Credential Store file using the Java system property javax.net.ssl.keyStore. See "Configuring Security" in the Oracle Communications Service Broker System Administrator's Guide for more information.

You can set up the key store password using the Administration Console or Java MBeans.

Setting Up the Key Store Password with the Administration Console

To set up the key store password:

  1. In the navigation tree in the domain navigation pane, expand OCSB.

  2. Expand the Signaling Tier node.

  3. Select the RADIUS SSU node.

  4. Click the RADIUS tab and then the Credential Store subtab.

  5. In the KeyStore area, fill in the fields described in Table 6-12:

    Table 6-12 KeyStore Fields

    Field Descriptions

    Key

    Specifies a key under which the keystore is stored.

    KeyStore Password

    Specifies the password that protects the keystore.

    KeyStore URL

    Specifies the URL of the keystore file on a hard drive.


Setting Up the KeyStore Password with Java MBeans

To set up the credential store password with Java MBeans, you use the CredentialStoreMBean.

To set up the key store password:

  • Invoke the following operation of CredentialStoreMBean:

    void setKeystore (string Key, string KeystorePassword, string KeystoreURL)
    

    See Table 6-12 for more information about these parameters.

Managing Keys in the Credential Store

You can check whether a key exists in the Credential store and delete keys. You can manage keys using the Administration Console or Java MBeans.

Managing Keys in the Credential Store with the Administration Console

To check whether a key exists in the credential store:

  1. In the navigation tree in the domain navigation pane, expand OCSB.

  2. Expand the Signaling Tier node.

  3. Select the RADIUS SSU node.

  4. Click the RADIUS tab and then the Credential Store subtab.

  5. In the General area, in the Key field, enter the key whose existence you want to check.

  6. Click Contains Key?.

    A message appears, informing you whether the key exists.

  7. To close the message, click OK.

To delete a specified key from the credential store:

  • In the Credential Store tab, in the General area, in the Key field, enter the key and then click Delete Key.

To delete all keys from the credential store:

  • In the Credential Store tab, in the General area, click Delete All Keys.

Managing Keys in the Credential Store with Java MBeans

To manage keys in the credential store with Java MBeans, you use the CredentialStoreMBean.

To check whether a key exists in the credential store:

  • Invoke the following operation of CredentialStoreMBean:

    boolean containsKey (string Key)
    

To delete a specified key from the credential store:

  • Invoke the following operation of CredentialStoreMBean:

    void deleteKey (string Key)
    

To delete all keys from the credential store:

  • Invoke the following operation of CredentialStoreMBean:

    void clear ()
    

RADIUS SSU Configuration MBeans Reference

The following sections provide reference information for the RADIUS SSU configuration MBeans.

Note:

MBeans described in this guide may include additional advanced attributes, which are not described in the guide. Advanced attributes are reserved for internal use. Do not change these attributes.

RadiusSsuMBean

RadiusSsuMBean is a container for instances of RadiusIncomingRoutingRulesMBean.

Object Name

com.convergin:Type=RadiusSsu,Version=MBean_Version,Location=AdminServer,Name=ssuradius.ssuradius

Factory Method

Created automatically

Attributes

None

Operations

ObjectName getRadiusIncomingRoutingRulesMBean()

Returns a reference to the instance of RadiusIncomingRoutingRulesMBean


RadiusIncomingRoutingRulesMBean

RadiusIncomingRoutingRulesMBean represents the container for all the incoming routing rules that define how the RADIUS SSU routes incoming RADIUS requests.

Object Name

com.convergin:Type=RadiusIncomingRoutingRules,Version=MBean_Version,Location=AdminServer,Name=ssuradius.radius_inbound_routing

Factory Method

Created automatically

Attributes

None

Operations

ObjectName getRadiusAccountingIncomingRoutingRules()

Returns a reference to the instance of RadiusAccountingIncomingRoutingRulesMBean

ObjectName getRadiusAccessIncomingRoutingRules()

Returns a reference to the instance of RadiusAccessIncomingRoutingRulesMBean


RadiusAccountingIncomingRoutingRulesMBean

RadiusAccountingIncomingRoutingRulesMBean represents the container for all the accounting incoming routing rules that define how the RADIUS SSU routes incoming RADIUS accounting messages to internal Service Broker IMs.

Object Name

com.convergin:Type=RadiusAccountingIncomingRoutingRules,Version=MBean_Version,Location=AdminServer,Name=ssuradius.radius_accounting_inbound_routing

Factory Method

Created automatically

Attributes

None

Operations

ObjectName getRadiusAccountingIncomingRoutingRule()

Returns a reference to the instance of RadiusAccountingIncomingRoutingRuleMBean.

ObjectName createRadiusAccountingIncomingRoutingRule()

Creates an instance of RadiusAccountingIncomingRoutingRuleMBean that enables you to create an individual rule.

void destroyRadiusAccountingIncomingRoutingRule()

Destroys an instance of RadiusAccountingIncomingRoutingRuleMBean

ObjectName lookupRadiusAccountingIncomingRoutingRule()

Searches for an instance of RadiusAccountingIncomingRoutingRuleMBean.


RadiusAccountingIncomingRoutingRuleMBean

Each instance of RadiusAccountingIncomingRoutingRuleMBean represents a single accounting incoming routing rule.

Object Name

com.convergin:Type=RadiusAccountingIncomingRoutingRule,Version=MBean_Version,Location=AdminServer,Name=ssuradius.RuleName

Factory Method

RadiusAccountingIncomingRoutingRules.createRadiusAccountingIncomingRoutingRule()

Attributes

For more information on each of these parameters, see Table 6-1.

Operations

None


RadiusAccessIncomingRoutingRuleMBean

Each instance of RadiusAccessIncomingRoutingRuleMBean represents a single access incoming routing rule.

Object Name

com.convergin:Type=RadiusAccessIncomingRoutingRule,Version=MBean_Version,Location=AdminServer,Name=ssuradius.radius_access_inbound_routing

Factory Method

RadiusAccessIncomingRoutingRules.createRadiusAccessIncomingRoutingRule()

Attributes

AccessDestination

Operations

None


RadiusConfigMBean

RadiusConfigMBean is the root MBean for configuring the RADIUS settings.

Object Name

oracle:type=oracle.axia.cm.ConfigurationMBean,name=oracle.axia.protocol.radius.adapter,version=MBean_Version,name0=radiusConfig

Factory Method

Created automatically.

Attributes

None

Operations

void addServer()

Creates a new instance of ServerMBean.

void removeServer()

Deletes an instance of ServerMBean.

void addClientProfile()

Creates a new instance of ClientProfileMBean.

void removeClientProfile()

Deletes an instance of ClientProfileMBean.

void addServiceMapping()

Creates a new instance of ServiceMappingMBean.

void removeServiceMapping()

Deletes an instance of ServiceMappingMBean.

void addLocalRealm()

Creates a new instance of LocalRealmMBean.

void removeLocalRealm()

Deletes an instance of LocalRealmMBean.

void addProxyRealm()

Creates a new instance of ProxyRealmMBean.

void removeProxyRealm()

Deletes an instance of ProxyRealmMBean.


ServerMBean

ServerMBean is the root MBean that you use to define how the RADIUS SSU receives authentication and accounting requests.

Object Name

oracle:type=oracle.axia.cm.ConfigurationMBean,name=oracle.axia.protocol.radius.adapter,version=MBean_Version,name0=radiusConfig,name1=server[0]

Factory Method

RadiusConfig.addServer()

Attributes

None

Operations

void cloneIt()

Creates a copy of the instance of ServerMBean.

void addListenAddress()

Creates a new instance of ListenAddressMBean.

void removeListenAddress()

Deletes an instance of ListenAddressMBean.

void addRootCAStoreKey()

Creates an instance of RootCAStoreKeyMBean.

void removeRootCAStoreKey()

Deletes an instance of RootCAStoreKeyMBean.

void addServerKeyStoreKey()

Creates a new instance of ServerKeyStoreKeyMBean.

void removeServerKeyStoreKey()

Deletes an instance of ServerKeyStoreKeyMBean.

void addCustomDictionary()

Creates a new instance of CustomDictionaryMBean.

void removeCustomDictionary()

Deletes an instance of CustomDictionaryMBean.


customDictionaryMBean

Using customDictionaryMBean, you specify a custom dictionary file that defines vendor-specific AVPs.

Object Name

oracle:type=oracle.axia.cm.ConfigurationMBean,name=oracle.axia.protocol.radius.adapter,version=MBean_Version,name0=radiusConfig,name1=server[0],name2=customDictionary

Factory Method

server.addCustomDictionary()

Attributes

path

Operations

None


AccountingPortMBean

Specifies the port to receive RADIUS accounting messages.

Object Name

oracle:type=oracle.axia.cm.ConfigurationMBean,name=oracle.axia.protocol.radius.adapter,version=MBean_Version,name0=radiusConfig,name1=server[0],name2=accountingPort

Factory Method

Created automatically.

Attributes

accountingPort

Operations

None


authenticationPortMBean

Specifies the port to receive RADIUS authentication messages.

Object Name

oracle:type=oracle.axia.cm.ConfigurationMBean,name=oracle.axia.protocol.radius.adapter,version=MBean_Version,name0=radiusConfig,name1=server[0],name2=authenticationPort

Factory Method

Created automatically.

Attributes

authenticationPort

Operations

None


retransmissionTimeMBean

Specifies the time within which incoming RADIUS messages with the same Id from the same peer are considered retransmissions and ignored. A value of 0 means that retransmissions are not detected.

Object Name

oracle:type=oracle.axia.cm.ConfigurationMBean,name=oracle.axia.protocol.radius.adapter,version=MBean_Version,name0=radiusConfig,name1=server[0],name2=retransmissionTime

Factory Method

Created automatically.

Attributes

retransmissionTime

Operations

None


targetMBean

Specifies the target managed server.

Object Name

oracle:type=oracle.axia.cm.ConfigurationMBean,name=oracle.axia.protocol.radius.adapter,version=MBean_Version,name0=radiusConfig,name1=server[0],name2=target

Factory Method

Created automatically.

Attributes

target

Operations

None


udpConnectionTimeoutMBean

Specifies the UDP connection timeout value in seconds.

Object Name

oracle:type=oracle.axia.cm.ConfigurationMBean,name=oracle.axia.protocol.radius.adapter,version=MBean_Version,name0=radiusConfig,name1=server[0],name2=udpConnectionTimeout

Factory Method

Created automatically.

Attributes

udpConnectionTimeout

Operations

None


listenAddressMBean

The IP address on which to listen for RADIUS messages.

Object Name

oracle:type=oracle.axia.cm.ConfigurationMBean,name=oracle.axia.protocol.radius.adapter,version=MBean_Version,name0=radiusConfig,name1=server[0],name2=listenAddress

Factory Method

Server.addListenAddress()

Attributes

listenAddress

Operations

None


RootCAStoreKeyMBean

The root CA keystore key. The credential store should be provisioned with the root CA certificates with this key.

Object Name

oracle:type=oracle.axia.cm.ConfigurationMBean,name=oracle.axia.protocol.radius.adapter,version=MBean_Version,name0=radiusConfig,name1=server[0],name2=rootCAStoreKey

Factory Method

Server.addRootCAStoreKey()

Attributes

rootCAStoreKey

Operations

None


serverKeyStoreKeyMBean

The server keystore. The credential store should be provisioned with the server certificates with this key.

Object Name

oracle:type=oracle.axia.cm.ConfigurationMBean,name=oracle.axia.protocol.radius.adapter,version=MBean_Version,name0=radiusConfig,name1=server[0],name2=serverKeyStoreKey

Factory Method

Server.addServerKeyStoreKey()

Attributes

serverKeyStoreKey

Operations

None


ClientProfileMBean

ClientProfileMBean is the root MBean for configuring RADIUS client profiles.

Object Name

oracle:type=oracle.axia.cm.ConfigurationMBean,name=oracle.axia.protocol.radius.adapter,version=MBean_Version,name0=radiusConfig,name1=clientProfile[0]

Factory Method

radiusConfig.addClientProfile()

Attributes

None

Operations

void cloneIt()

Creates a copy of the instance of ClientProfileMBean.

void addClientAddress()

Creates a new instance of ClientAddressMBean.

void removeClientAddress()

Deletes an instance of ClientAddressMBean.

void addClientNasId()

Creates an instance of ClientNasIdMBean.

void removeClientNasId()

Deletes an instance of ClientNasIdMBean.

void addCheckAVPFilter()

Creates an instance of CheckAVPFilterMBean.

void removeCheckAVPFilter()

Deletes an instance of CheckAVPFilterMBean.

void addReturnAVPFilter()

Creates an instance of ReturnAVPFilterMBean.

void removeReturnAVPFilter()

Deletes an instance of ReturnAVPFilterMBean.


accountingSharedSecretKeyMBean

The credential store key for the shared secret for accounting. The credential store must be configured with this key and the password. The password is retrieved from the credential store at runtime using this key.

Object Name

oracle:type=oracle.axia.cm.ConfigurationMBean,name=oracle.axia.protocol.radius.adapter,version=MBean_Version,name0=radiusConfig,name1=clientProfile[0],name2=accountingSharedSecretKey

Factory Method

Created automatically.

Attributes

accountingSharedSecretKey

Operations

None


authenticationSharedSecretKeyMBean

The credential store key for the shared secret for authentication. The credential store must be configured with this key and the password. The password is retrieved from the credential store at runtime using this key.

Object Name

oracle:type=oracle.axia.cm.ConfigurationMBean,name=oracle.axia.protocol.radius.adapter,version=MBean_Version,name0=radiusConfig,name1=clientProfile[0],name2=authenticationSharedSecretKey

Factory Method

Created automatically.

Attributes

authenticationSharedSecretKey

Operations

None


clientAddressMBean

A regular expression that matches the IP addresses of a group of RADIUS clients.

Object Name

oracle:type=oracle.axia.cm.ConfigurationMBean,name=oracle.axia.protocol.radius.adapter,version=MBean_Version,name0=radiusConfig,name1=clientProfile[0],name2=clientAddress

Factory Method

ClientProfile.addClientAddress()

Attributes

clientAddress

Operations

None
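
Because clientAddress is a regular expression rather than an address or subnet, a pattern written like a wildcard can admit clients outside the intended group. The following audit is an added example, not part of this guide or the product: it assumes java.util.regex syntax, uses constructed probe addresses, and checks both full-match and partial-match semantics because the guide does not state which one the RADIUS SSU applies.

```java
import java.util.ArrayList;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.regex.Pattern;

public class ClientAddressPatternAudit {

    // Constructed probe addresses; true means the address belongs to the intended client group.
    static final Map<String, Boolean> PROBES = new LinkedHashMap<>();
    static {
        PROBES.put("10.1.1.5", true);
        PROBES.put("10.1.1.250", true);
        PROBES.put("10.1.101.5", false);   // different subnet
        PROBES.put("10.1.15.200", false);  // different subnet
        PROBES.put("110.1.1.5", false);    // contains "10.1.1.5" as a substring
    }

    /** Returns the probes whose match result differs from the intent, labelled by kind of error. */
    static List<String> findings(String regex, boolean fullMatch) {
        Pattern pattern = Pattern.compile(regex);
        List<String> findings = new ArrayList<>();
        for (Map.Entry<String, Boolean> probe : PROBES.entrySet()) {
            String address = probe.getKey();
            boolean hit = fullMatch ? pattern.matcher(address).matches()
                                    : pattern.matcher(address).find();
            if (hit && !probe.getValue()) {
                findings.add("over-match " + address);
            }
            if (!hit && probe.getValue()) {
                findings.add("miss " + address);
            }
        }
        return findings;
    }

    public static void main(String[] args) {
        String[] candidates = {
            "10.1.1.*",                  // written like a wildcard: "." and ".*" match any character
            "10\\.1\\.1\\.\\d{1,3}",     // dots escaped, but no anchors
            "^10\\.1\\.1\\.\\d{1,3}$"    // dots escaped and anchored at both ends
        };
        for (String regex : candidates) {
            System.out.println(regex);
            System.out.println("  full match   : " + findings(regex, true));
            System.out.println("  partial match: " + findings(regex, false));
        }
    }
}
```

Only the escaped and anchored expression produces no findings under both semantics. The same audit applies to clientNasId and userNameMatchCriteria expressions when the probes are replaced with NAS-Identifier or User-Name values.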


clientNasIdMBean

A regular expression that matches the NAS-Identifier field of a group of RADIUS clients.

Object Name

oracle:type=oracle.axia.cm.ConfigurationMBean,name=oracle.axia.protocol.radius.adapter,version=MBean_Version,name0=radiusConfig,name1=clientProfile[0],name2=clientNasId

Factory Method

ClientProfile.addClientNasId()

Attributes

clientNasId

Operations

None


returnAVPFilterMBean

returnAVPFilterMBean is a root MBean that you use to specify the AVPs that the RADIUS SSU needs to copy from a request to a response. For each AVP, you need to create a separate instance of possibleAttributeNameMBean.

Object Name

oracle:type=oracle.axia.cm.ConfigurationMBean,name=oracle.axia.protocol.radius.adapter,version=MBean_Version,name0=radiusConfig,name1=clientProfile[0],name2=returnAVPFilter[0]

Factory Method

clientProfile.addReturnAVPFilter()

Attributes

None

Operations

void cloneIt()

Creates a copy of the current instance of returnAVPFilterMBean.

void addPossibleAttributeName()

Creates an instance of possibleAttributeNameMBean.

void removePossibleAttributeName(int AttributeNameID)

Destroys the specified instance of possibleAttributeNameMBean.


possibleAttributeNameMBean

possibleAttributeNameMBean represents a single AVP that the RADIUS SSU needs to copy from a request to a response. For each AVP, you need to create a separate instance of possibleAttributeNameMBean using returnAVPFilterMBean. possibleAttributeNameMBean is created with an instance of attributeNameMBean that you use to specify the name of an AVP.

Object Name

oracle:type=oracle.axia.cm.ConfigurationMBean,name=oracle.axia.protocol.radius.adapter,version=MBean_Version,name0=radiusConfig,name1=clientProfile[0],name2=returnAVPFilter[0],name3=possibleAttributeName[0]

Factory Method

returnAVPFilter.addPossibleAttributeName()

Attributes

None

Operations

void cloneIt()

Creates a copy of the current instance of possibleAttributeNameMBean.


attributeNameMBean

Using attributeNameMBean, you specify the name of an AVP that the RADIUS SSU needs to copy from a request to a response.

Object Name

oracle:type=oracle.axia.cm.ConfigurationMBean,name=oracle.axia.protocol.radius.adapter,version=MBean_Version,name0=radiusConfig,name1=clientProfile[0],name2=returnAVPFilter[0],name3=possibleAttributeName[0],name4=attributeName

Factory Method

Created automatically.

Attributes

attributeName

See "Specifying AVPs to Be Copied from a Request to a Response" for more information about this attribute.

Operations

None


proxyRealmMBean

proxyRealmMBean is the root MBean for configuring a proxy realm.

Object Name

oracle:type=oracle.axia.cm.ConfigurationMBean,name=oracle.axia.protocol.radius.adapter,version=MBean_Version,name0=radiusConfig,name1=proxyRealm[0]

Factory Method

radiusConfig.addProxyRealm()

Attributes

None

Operations

void cloneIt()

Creates a copy of the instance of proxyRealmMBean.

void addTargetServer()

Creates an instance of TargetServerMBean.

void removeTargetServer()

Deletes an instance of TargetServerMBean.


accountingSharedSecretKeyMBean

The credential store key for the shared secret for accounting. The credential store must be configured with this key and the password. The password is retrieved from the credential store at runtime using this key.

Object Name

oracle:type=oracle.axia.cm.ConfigurationMBean,name=oracle.axia.protocol.radius.adapter,version=MBean_Version,name0=radiusConfig,name1=proxyRealm[0],name2=accountingSharedSecretKey

Factory Method

Created automatically.

Attributes

accountingSharedSecretKey

Operations

None


authenticationSharedSecretKeyMBean

The credential store key for the shared secret for authentication. The credential store must be configured with this key and the password. The password is retrieved from the credential store at runtime using this key.

Object Name

oracle:type=oracle.axia.cm.ConfigurationMBean,name=oracle.axia.protocol.radius.adapter,version=MBean_Version,name0=radiusConfig,name1=proxyRealm[0],name2=authenticationSharedSecretKey

Factory Method

Created automatically.

Attributes

authenticationSharedSecretKey

Operations

None


nameMBean

The name of the proxy realm.

Object Name

oracle:type=oracle.axia.cm.ConfigurationMBean,name=oracle.axia.protocol.radius.adapter,version=MBean_Version,name0=radiusConfig,name1=proxyRealm[0],name2=name

Factory Method

Created automatically.

Attributes

name

Operations

None


numOfRetriesMBean

Number of attempts to send a RADIUS request to the target RADIUS server.

Object Name

oracle:type=oracle.axia.cm.ConfigurationMBean,name=oracle.axia.protocol.radius.adapter,version=MBean_Version,name0=radiusConfig,name1=proxyRealm[0],name2=numOfRetries

Factory Method

Created automatically.

Attributes

numOfRetries

Operations

None


requestTimeoutMBean

Timeout value in seconds to wait for response from the target RADIUS server.

Object Name

oracle:type=oracle.axia.cm.ConfigurationMBean,name=oracle.axia.protocol.radius.adapter,version=MBean_Version,name0=radiusConfig,name1=proxyRealm[0],name2=requestTimeout

Factory Method

Created automatically.

Attributes

requestTimeout

Operations

None


userNameMatchCriteriaMBean

A regular expression for mapping RADIUS requests to the realm based on the User-Name attribute.

Object Name

oracle:type=oracle.axia.cm.ConfigurationMBean,name=oracle.axia.protocol.radius.adapter,version=MBean_Version,name0=radiusConfig,name1=proxyRealm[0],name2=userNameMatchCriteria

Factory Method

Created automatically.

Attributes

userNameMatchCriteria

Operations

None


targetServerMBean

targetServerMBean enables you to define parameters of the server in the realm to which the RADIUS SSU routes an accounting or access request when the User-Name AVP set in the request matches the value set in the proxy realm configuration.

Object Name

oracle:type=oracle.axia.cm.ConfigurationMBean,name=oracle.axia.protocol.radius.adapter,version=MBean_Version,name0=radiusConfig,name1=proxyRealm[0],name2=targetServer[0]

Factory Method

Created automatically.

Attributes

None

Operations

void cloneIt()

Creates a copy of the instance of proxyRealmMBean.


serverAddressMBean

serverAddressMBean enables you to specify the IP address of the proxy server.

Object Name

oracle:type=oracle.axia.cm.ConfigurationMBean,name=oracle.axia.protocol.radius.adapter,version=MBean_Version,name0=radiusConfig,name1=proxyRealm[0],name2=targetServer[0],name3=serverAddress

Factory Method

Created automatically.

Attributes

serverAddress

Operations

None


authenticationPortMBean

authenticationPortMBean enables you to specify the port that the RADIUS SSU uses to receive RADIUS authentication messages.

Object Name

oracle:type=oracle.axia.cm.ConfigurationMBean,name=oracle.axia.protocol.radius.adapter,version=MBean_Version,name0=radiusConfig,name1=proxyRealm[0],name2=targetServer[0],name3=authenticationPort

Factory Method

Created automatically.

Attributes

authenticationPort

Operations

None


accountingPortMBean

accountingPortMBean enables you to specify the port that the RADIUS SSU uses to receive RADIUS access messages.

Object Name

oracle:type=oracle.axia.cm.ConfigurationMBean,name=oracle.axia.protocol.radius.adapter,version=MBean_Version,name0=radiusConfig,name1=proxyRealm[0],name2=targetServer[0],name3=accountingPort

Factory Method

Created automatically.

Attributes

accountingPort

Operations

None


CredentialStoreMBean

CredentialStoreMBean enables you to set up passwords for connections with RADIUS clients and the credential store. In addition, you can use CredentialStoreMBean to manage keys in the credential store.

Object Name

oracle:type=oracle.axia.cm.ConfigurationMBean,name=oracle.axia.protocol.radius.adapter,version=MBean_Version,name0=CredentialStore

Factory Method

Created automatically

Attributes

None

Operations

void setPassword()

Sets a password for the specified key.

boolean validatePassword()

Validates a password against a password stored for the specified key.

void setKeystore()

Validates a password against a password stored for the specified key.

boolean containsKey()

Returns true if the key exists in the credential store.

void deleteKey()

Deletes a key.

void clear()

Removes all entries.