TSCF Server Configuration
TSC server configuration consists of the following steps; each step is identified as required or optional.
TSCF Global Configuration
TSCF global configuration specifies the handling of idle tunnel connections. By default, the TSC server transitions an idle tunnel client from the active to the persistent state after an idle period of 300 seconds. Assuming the tunnel remains idle for an additional 330 seconds, the TSC server then transitions the tunnel from the persistent to the closed state—tearing the tunnel down and releasing its resources. If this behavior is consistent with your deployment, no changes are required or encouraged at the TSCF global configuration level. If local network conditions require modification, adjust the keepalive-timer, keepalive-timer-datagram, and tunnel-persistence-time parameters as described below.
TSCF global configuration also enables and manages high-availability (HA) topologies — topologies in which a pair of SBCs operate in tandem, one in the active and the other in the backup role to provide reliable redundant operational availability. By default, HA is disabled. If your SBC operates in standalone mode (not part of an HA pair), you can safely ignore all HA parameters and simply retain default values. If operating as part of an HA pair, use the red-port parameter to enable HA as described in the following procedure. After enabling HA, Oracle Communications recommends the retention of default values for other HA parameters (red-max-trans, red-sync-start-time, and red-sync-comp-time) unless unusual local conditions require otherwise. Prior to modifying HA parameters, you should refer to the ACLI Configuration Guide for more detailed HA information.
Use the following procedure to perform TSCF global configuration.
TSCF Protocol Policy Configuration
Use the following procedure to configure TSCF policy-based forwarding services.
Policy-based forwarding requires the creation of a tscf-protocol-policy and the assignment of that policy to a tscf-address-pool.
TSCF Address Pool Configuration
During the configuration stage as described in TSCF Overview, the TSC server assigns a tunnel IP address to the client application. The TSC server obtains these addresses from a tscf-address-pool, a configuration object that contains an IP address list. The IP address list contains one or more IP address ranges. Each address range consists of contiguous IP addresses and can contain from 1 to 262,144 entries, for IPv4 or IPv6.
The address range size, the list size, and the size of the tscf-address-pool are constrained by the same maximum value. Consequently, while the IP address list can contain one or several ranges, the total number of IP addresses contained in the individual address ranges cannot exceed 262,144.
Use the following required procedure to configure a tscf-address-pool configuration object. Later, you will assign the address pool to a specific TSCF interface.
TSCF Data Flow Configuration
Use the following procedure to configure an optional tscf-data-flow object. If you are not using tscf-data-flows to provide static egress routes, this procedure can be safely ignored.
TLS Profile Configuration
Use the following required procedure to configure a tls-profile configuration object that identifies the cryptographic resources, specifically certificates and protocols, required for tunnel creation. Later, you will assign the tls-profile to a specific TSC port.
TSCF OCSP Configuration
The following steps provide instruction on using the ACLI to configure OCSP-based certificate revocation services.
Providing OCSP services requires the creation of a secure TLS connection between a TSC port and one or more OCSP responders. This configuration is a three-step process.
- Create one or more certificate-status-profiles. Each certificate-status-profile provides the information and cryptographic resources required to access a single OCSP responder.
- Assign one or more certificate-status-profiles to a tls-profile. This tls-profile enables OCSP services and provides a list of one or more OCSP responders.
- Assign the tls-profile to a TSCF port to enable OCSP service on that port.
Assign the tls-profile to a TSCF port
- From superuser mode, use the following command sequence to access tscf-port configuration mode. While in this mode, you assign an existing TLS profile to a TSCF port.
- Use the select command to identify a specific tscf port that will support OCSP requests and responses.
- Use the tls-profile parameter to assign an OCSP-enabled tls-profile to the currently selected TSCF port.
- Use done, exit, and verify-config to complete configuration.
- If necessary, repeat this procedure to prepare other TSCF ports for OCSP-based certificate checking support.
Sample OCSP Configurations
certificate-status-profile configuration
A sample certificate-status-profile configuration follows:
ACMEPACKET# show running-config cert-status-profile
cert-status-profile
        name                      OCSP_Symantic
        ip-address                192.0.2.100
        hostname
        port                      8080
        type                      OCSP
        trans-proto               HTTP
        requestor-cert            signOCSP
        responder-cert            SymanticPublic-1
        trusted-cas
        realm-id                  wancom0
        retry-count               1
        dead-time                 60
        last-modified-by          admin@console
        last-modified-date        2014-07-24 18:25:25
task done
ACMEPACKET#
This configuration creates a certificate-status-profile named OCSP_Symantic. The profile identifies an OCSP responder located at 192.0.2.100:8080. The required responder-cert parameter specifies the CA public certificate used by the TSC server to verify the signed OCSP response. The optional requestor-cert parameter indicates that the OCSP responder requires signed requests, and identifies the certificate used by the TSC server to digitally sign OCSP requests. The optional dead-time parameter imposes a 60-second quarantine if the OCSP responder is unreachable. Retention of default values for the realm-id and retry-count parameters specifies OCSP responder access via the wancom0 management interface and a retry count of 1.
tls-profile configuration
A sample tls-profile configuration follows:
ACMEPACKET# show running-config tls-profile
tls-profile
        name                         TLS_OCSP
        end-entity-certificate       TSCFCert_1
        trusted-ca-certificates      CA_Symantic
                                     CA_Thawte
                                     CA_Entrust
                                     CA_DigiSign
        cipher-list                  All
        verify-depth                 10
        mutual-authenticate          enabled
        tls-version                  compatibility
        cert-status-check            enabled
        cert-status-profile-list     OCSP_Symantic
                                     OCSP_Thawte
        ignore-dead-responder        disabled
        allow-self-signed-cert       disabled
        last-modified-by             admin@console
        last-modified-date           2014-07-24 19:40:37
task done
ACMEPACKET#
This configuration creates a tls-profile named TLS_OCSP. The profile uses the mutual-authenticate parameter to enable mutual authentication between the TSC server and the OCSP responders, the cert-status-check parameter to enable OCSP services, and the cert-status-profile-list parameter to identify three OCSP responders.
sample portion of a tscf-interface/tscf-port configuration
A sample portion of a tscf-interface/tscf-port configuration follows:
ACMEPACKET# show running-config tscf-interface
tscf-interface
        realm-id                     access
        state                        enabled
        max-tunnels                  200000
        local-address-pools          pool1
        nagle-state                  enabled
        assigned-services            SIP,redundancy,DDT,server-keepalive
        tscf-port
                address              172.16.21.2
                port                 443
                transport-protocol   TLS
                tls-profile          TLS_OCSP
                ...
        ...
        ...
        last-modified-by             admin@console
        last-modified-date           2014-07-24 19:51:03
task done
ACMEPACKET#
This configuration enables OCSP support on the TSCF port 172.16.21.2:443.
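OCSP on a TSCF port only works when the whole chain is wired: the tscf-port references a tls-profile, that tls-profile has cert-status-check enabled, and every name in its cert-status-profile-list is a defined certificate-status-profile carrying a responder-cert. The following Python script is an added example, not code from this guide or from the SBC: it parses running-config text in the layout shown above (key column, value column, nested objects indented one level deeper, multi-valued lists continued on indented lines) and walks that chain. Its input is a constructed copy of the three listings on this page with the prompts, "task done" and the elided "..." parameters left out; because the page only shows the OCSP_Symantic profile, the check reports OCSP_Thawte as undefined.

```python
# Constructed input modelled on the three sample listings on this page, in the
# layout `show running-config` prints (prompts, "task done" and elided lines omitted).
SAMPLE_RUNNING_CONFIG = """\
cert-status-profile
        name                      OCSP_Symantic
        ip-address                192.0.2.100
        port                      8080
        requestor-cert            signOCSP
        responder-cert            SymanticPublic-1
        realm-id                  wancom0
tls-profile
        name                      TLS_OCSP
        end-entity-certificate    TSCFCert_1
        trusted-ca-certificates   CA_Symantic
                                  CA_Thawte
        mutual-authenticate       enabled
        cert-status-check         enabled
        cert-status-profile-list  OCSP_Symantic
                                  OCSP_Thawte
tscf-interface
        realm-id                  access
        state                     enabled
        tscf-port
                address           172.16.21.2
                port              443
                transport-protocol TLS
                tls-profile       TLS_OCSP
"""


def parse_running_config(text: str) -> list[tuple[str, dict]]:
    """Turn ACLI running-config text into (object-type, attributes) pairs."""
    objects: list[tuple[str, dict]] = []
    stack: list[list] = []                 # frames: [key_indent, attrs, last_key]
    for raw in text.splitlines():
        if not raw.strip():
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        head, _, tail = raw.strip().partition(" ")
        value = tail.strip()
        if indent == 0:                    # object header such as "tls-profile"
            objects.append((head, {}))
            stack = [[None, objects[-1][1], None]]
            continue
        while len(stack) > 1 and indent < stack[-1][0]:
            stack.pop()                    # back out of a nested object
        frame = stack[-1]
        if frame[0] is None:
            frame[0] = indent              # first attribute fixes the key column
        if indent > frame[0]:              # deeper than the key column
            prev_key = frame[2]
            if prev_key is None:
                raise ValueError(f"unexpected indentation: {raw!r}")
            prev = frame[1][prev_key]
            if prev == "":                 # bare key, then deeper lines: nested object
                frame[1][prev_key] = {}
                stack.append([indent, frame[1][prev_key], None])
                frame = stack[-1]
            else:                          # extra line after a value: list continuation
                if not isinstance(prev, list):
                    frame[1][prev_key] = [prev]
                frame[1][prev_key].append(raw.strip())
                continue
        frame[1][head] = value
        frame[2] = head
    return objects


def check_ocsp_chain(objects: list[tuple[str, dict]]) -> list[str]:
    """Walk tscf-port -> tls-profile -> cert-status-profile and report broken links."""
    profiles = {a["name"]: a for t, a in objects if t == "cert-status-profile"}
    tls = {a["name"]: a for t, a in objects if t == "tls-profile"}
    problems: list[str] = []
    for name, prof in tls.items():
        if prof.get("cert-status-check") != "enabled":
            continue                       # OCSP not enabled on this profile, nothing to verify
        refs = prof.get("cert-status-profile-list", "")
        refs = refs if isinstance(refs, list) else ([refs] if refs else [])
        if not refs:
            problems.append(f"tls-profile {name}: cert-status-check enabled but no responder profile listed")
        for ref in refs:
            if ref not in profiles:
                problems.append(f"tls-profile {name}: cert-status-profile {ref} is not defined")
            elif not profiles[ref].get("responder-cert"):
                problems.append(f"cert-status-profile {ref}: responder-cert (verifies the signed OCSP response) is missing")
    for otype, attrs in objects:
        port = attrs.get("tscf-port") if otype == "tscf-interface" else None
        if not isinstance(port, dict):
            continue
        where = f"tscf-port {port.get('address')}:{port.get('port')}"
        ref = port.get("tls-profile", "")
        if port.get("transport-protocol") != "TLS":
            problems.append(f"{where}: transport-protocol is not TLS, so no tls-profile (and no OCSP) applies")
        elif ref not in tls:
            problems.append(f"{where}: tls-profile {ref!r} is not defined")
        elif tls[ref].get("cert-status-check") != "enabled":
            problems.append(f"{where}: tls-profile {ref} has cert-status-check disabled, OCSP is off on this port")
    return problems


if __name__ == "__main__":
    for line in check_ocsp_chain(parse_running_config(SAMPLE_RUNNING_CONFIG)):
        print(line)
```

Feed it the output of the three show running-config commands from the page, concatenated, to confirm that every responder a port depends on is actually defined before relying on the SNMP traps described in the next section to tell you a responder is unreachable.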
Monitoring OCSP Operations
The TSC server generates an SNMP trap when a configured OCSP responder becomes unreachable. It generates a second trap when connectivity is re-established with a previously unreachable OCSP responder.
The show security ocsp stats ACLI command provides OCSP operational counts.
TSCF Interface Configuration
TSCF interface configuration specifies the SBC IP address that is accessed by TSC clients to initiate tunnel creation, assigns resources that facilitate tunnel creation, identifies specific TSCF services offered by the interface, and limits the number of supported tunnels.
- A TSCF interface must be physically supported by an ETC NIU with a minimum of 8 GB of installed DRAM.
- A TSCF interface and a SIP interface cannot coexist on the same network interface.
TSCF DoS Protection Configuration
Use the following procedure to configure DoS protection as described in Denial of Service. DoS protection is assigned via the realm that supports the TSCF port.