Security Configuration

The Oracle® Enterprise Session Border Controller (E-SBC) can provide security for VoIP and other multi-media services. E-SBC security includes access control, DoS attack, and overload protection, which help to secure service and protect the network infrastructure. E-SBC security lets legitimate users place a call during attack conditions, while protecting the service itself.

E-SBC security includes the Net-SAFE framework's numerous features and architecture designs. Net-SAFE is a requirements framework for the components required to provide protection for the E-SBC, the service provider's infrastructure equipment (proxies, gateways, call agents, application servers, and so on), and the service itself. You can configure the following security objects from the Configuration tab on the Web GUI.

auth-params	Configure authentication protocol, strategy, and servers.
authentication	Configure RADIUS and TACACS authentication.
cert-status-profile	Configure the information needed to contact an Online Certificate Status Protocol (OCSP) responder for certificate status.
certficate-record	Create a certificate record for either a CA or end entity.
dpd-params	Configure parameters to re-establish connections with unreachable Internet Key Exchange (IKE) peers.
ipsec-global-config	Configure global IPsec for authenticating and encrypting packets in communication sessions.
media-sec-policy	Create a media security policy.
password-policy	Create a password policy.
sdes-profile	Create a Session Description Protocol Security Descriptions (SDES) profile for media streams.
security-association	Configure a manual security association.
security-config	Configure security for VoIP and other multi-media services.
security-policy	Create a security policy.
sipura-profile	Create a SIPURA/Linksys profile.
tls-global	Configure session caching to allow a previously authenticated client to re-connect with the unique session identifier from the previous session.
tls-profile	Create a profile to define communications security for running SIP over TLS.

Note:

Click Show Advanced in the navigation pane to display all of the Security objects in the preceding list.

Audit Logs

The Oracle® Enterprise Session Border Controller (E-SBC) can record user actions in audit logs by way of the Web GUI. The audit logs record the creation, modification, and deletion of all user-accessible configuration elements, as well as attempted access to critical security data such as public keys. For each logged event, the system provides the associated user-id, date, time, event type, and success or failure data.

You can configure the system to record audit log information in either verbose mode or brief mode. Verbose mode captures the system configuration after every change, and displays both the previous settings and the new settings in addition to the event details. Brief mode displays only the event details. Although you can specify the recording mode, you cannot specify which actions the system records. The following list describes the actions that the system records.

Global	Log on and log off. Save a template configuration. Click Complete in a Wizard.
Home tab	Add, reset, and save. Change Widget settings.
Configuration tab	Save and activate a configuration. Discard a configuration. Add, edit, delete, and copy configuration changes. Run the generate and import certificate commands.
Widgets tab	Export from a Widget. Add a Widget to favorites. Clear, clear all on alarm, add, and delete license.
System tab	Add audit entries to the system file management actions, such as upload, download, restore, backup, add, edit, and delete. Force an HA switch over. Run the Show Support Information command. Run the Upgrade Software wizard. Download and view an audit log.
Monitor and Trace tab	Export the summary. Export the session detail.

The system writes audit log events in Comma Separated Values (CSV) lists in the following format:

{TimeStamp,
src-user@address:port,Category,EventType,Result,Resource,Prev,
Detail}

The following list describes each value written to an audit log event.

TimeStamp	Shows the time when the system wrote the event to the audit log.
src-user@address:port	Identifies the system that wrote the audit log line.
Category	Classifies the event as: Configuration Security System
EventType	Identifies the action that caused the event as: Activate-config Acquire-config Create Data-access Delete Halt Login Logout Modify Reboot Save-config
Result	Identifies the outcome of the event as: Failure Success
Resource	Describes the action within the event. Some of the numerous actions that the system can log include: Authentication Banner (Means that someone edited the log on banner text.) Download <filename> Generate public key Reboot Upload <filename>
Prev—(verbose mode)	Displays the setting prior to this change.
Details—(verbose mode)	Displays additional information about the change, depending on the following event types: Create—displays “New = element added." Data-access—displays “Element = accessed element.” Delete—displays “Element = deleted element.” Modify—displays “Previous = oldValue New = newValue.”

As the E-SBC records audit log data, users with admin privileges can read, copy, and download that information from the Web GUI. No one can delete or edit the original log. You can View, Refresh, and Download audit logs by way of the System tab. When you click File Management, the system displays the File Type drop-down list, which includes "Audit Log" as a selection.

You can configure the system to transfer audit log files to an SFTP server by way of secure FTP push, when conditions satisfy one of the following specifications.

• The specified amount of time since the last transfer elapsed.
• The size of the audit log reached the specified threshold. (Measured in Megabytes)
• The size of the audit log reached the specified percentage of the allocated storage space.

The E-SBC transfers the audit logs to a designated directory on the target SFTP server. The audit log file is stored on the target SFTP server with a filename in the following format: audit<timestamp>. The timestamp is a 12-digit string the YYYYMMDDHHMM format.

Use the following process to configure transferring audit logs to an SFTP server.

1. Configure secure FTP push. See "Secure FTP Push Configuration."
2. Configure audit logging. See "Configure Audit Logging."

Secure FTP Push Configuration

You can configure the Oracle® Enterprise Session Border Controller (E-SBC) to securely send audit log files to an SFTP push receiver for storage. Configure secure FTP push before you configure audit logging.

You can configure the Oracle® Enterprise Session Border Controller (E-SBC) to log on to a push receiver using one of the following authentication methods to create a secure connection.

Password

Configure a username and password, and leave the public-key parameter blank. Note that you must also import the host key from the SFTP server to the E-SBC for this type of authentication.

Public key

Set the public-key parameter to a configured public key record name including an account username, and configure the SFTP server with the public key pair from the E-SBC.

It is also common for the SFTP server to run the Linux operating system. For Linux, the command ssh-keygen-e creates the public key that you need to import to the E-SBC. The ssh-keygen-e command sequence requires you to specify the file export type, as follows.

[linux-vpn-1 ~]# ssh-keygen -e
Enter file in which the key is (/root/.ssh/id_rsa/): /etc/ssh/ssh_host_rsa_key.pub

If you cannot access the SFTP server directly, but you can access it from another Linux host, use the ssh-keyscan command to get the key. An example command line follows.

root@server:~$ssh-keyscan -t dsa sftp.server.com

Configure Secure FTP Push with Public Key Authentication

For increased security when sending files from the Oracle® Enterprise Session Border Controller (E-SBC) to an SFTP server, you can choose authentication by public key exchange rather than by password. To use a public key exchange, you must configure public key profiles on both devices and import the key from each device into the other.

The following list of tasks shows the process for configuring authentication by public key between the E-SBC and an SFTP server. For each step in the process, see the corresponding topic for detailed instructions.

1. Generate an RSA public key on the E-SBC. See "Generate an RSA Public Key."
2. Create a DSA public key on the SFTP server. See "Generate a DSA Public Key."
3. Import the DSA public key from the SFTP server into the E-SBC using the known-host option in the Import Key dialog. See "Import a DSA Public Key."
4. Add the RSA public key to the authorized_keys file in the .ssh directory on the SFTP server. See "Copy the RSA Public Key to the SFTP Server."

Generate an RSA Public Key

Add a public key profile on the Oracle® Enterprise Session Border Controller (E-SBC) and generate an RSA key. You will later import the RSA key into the SFTP server to enable authentication by way of public key exchange with the E-SBC.

1. From the Web GUI, click Configuration, Security, Public key.
2. On the Public Key page, click Add.
3. In the Add Public Key dialog, do the following:

   Name	Enter the name of this profile.
   Type	Select RSA.
   Size	Enter one of the following: 512 1024 2048 4096

4. Click OK to create the public key profile.
   The system displays the Public Key list box including the new profile.
5. Save and activate the configuration.
6. Select the newly created profile, and click Generate key.
   The E-SBC displays the key in the Generate Key text box for you to copy to the SFTP server.
7. Save the configuration.

• Generate a DSA public key.

Generate a DSA Public Key

Generate and save a DSA public key on the SFTP server. You will later import the DSA key into the Oracle® Enterprise Session Border Controller (E-SBC) to enable authentication by way of public key exchange with the SFTP server.

1. Run the following command on the SFTP server:

   ssh-keygen -e -f /etc/ssh/ssh_host_dsa_key.pub | tee sftp_host_dsa_key.pub

2. Save the key to the authorized_keys file in the .ssh directory on the SFTP server.

• Import the DSA key into the E-SBC.

Import a DSA Public Key

Import a DSA public key from the SFTP server into the Oracle® Enterprise Session Border Controller (E-SBC).

• Generate and save a DSA public key on the SFTP server.

Perform the following procedure on the E-SBC and select "known-host" for type.

1. Access the SSH file system on the SFTP server by way of a terminal emulation program.
2. On the SFTP server, copy the base64 encoded public file. Be sure to include the Begin and End markers, as specified by RFC 4716 The Secure Shell (SSH) Public Key File Format.

   For OpenSSH implementations host files are generally found at /etc/ssh/ssh_host_dsa_key.pub, or /etc/ssh/sss_host_rsa.pub. Other SSH implementations can differ.

3. On the E-SBC, click Configuration, Security, Public Key.
4. On the Public key page, click Import key, and do the following.

   Type	Select known-host.
   Name	Enter a name for your profile, which the E-SBC displays in public key drop-down lists.
   SSH public key	Paste the DSA public key from the SFTP server into the text box. Ensure that the text of the key ends with a semi-colon.

5. Click Import.
   The E-SBC imports the key and makes it available for configuration as the public key on an external device.

Copy the RSA public key to the SFTP server.

Copy the RSA Public Key to the SFTP Server

Copy the RSA public key from the from the Oracle® Enterprise Session Border Controller (E-SBC) to the authorized_keys file in the .ssh directory on the SFTP server.

• Confirm that the .ssh directory exists on the SFTP server.
• Confirm the following permissions: Chmod 700 for .ssh and Chmod 600 for authorized_keys.

When adding the RSA key to the authorized_keys file, ensure that no spaces occur inside the key. Insert one space between the ssh-rsa prefix and the key. Insert one space between the key and the suffix. For example, ssh-rsa <key> root@1.1.1.1.

1. Access the SSH file system on a configured SFTP server with a terminal emulation program.
2. Copy the RSA key to the SFTP server, using a text editor such as vi or emacs, and paste the RSA key to the end of the authorized_keys file.

Configure Audit Logging

The Oracle® Enterprise Session Border Controller (E-SBC) provides a means of tracking user actions through Audit Logs. You can specify how the system records audit log information, and where to send the logs for archiving. You can configure the system to record in either brief or verbose mode. Verbose mode captures the system configuration after every change, and displays both the previous and new settings in addition to the event details. Brief mode displays only the event details.

• Configure one or more push receivers to receive the audit logs. See the documentation for the receiver.
• If you want to use public keys for authentication between the E-SBC and the push receiver, configure public key profiles on both devices before configuring audit logging. See "Configure Secure File Transfer with Public Keys."

1. Log on to the E-SBC, and click Configuration, Security, Security, Admin-Security , Audit Logging.
2. On the Audit Logging page, do the following:

   State	Select to enable event recording in the audit log.
   Detail level	Select brief (default) or verbose output.
   Audit trail	Enables logging every command that is processed by the E-SBC. enabled: Logs all commands that the E-SBC can process. disabled: Logs only relevant information. Default: disabled
   Audit record output	Indicates how the E-SBC logs audit records. syslog: The E-SBC logs audit records over syslog. file: The E-SBC logs audit records to a file. both: The E-SBC logs audit records over both syslog and to a file. Default: file
   File transfer time	Specify the amount of time, in hours, from the completion of the last transfer to the beginning of the next transfer. This determines when a file transfer occurs unless the Max storage space or Max file size triggers the transfer first. Range: 0-65535. Default: 720. Note: 0 disables this parameter.
   Max storage space	Specify the maximum amount of space that the audit log can consume on the E-SBC in MB. Range: 0-32. Default: 32. Minimum: 0 Maximum: 32 (default)
   Percentage full	Use in conjunction with Max storage space to specify the percent of the Max storage space that triggers file transfer. This determines when a file transfer occurs unless the File transfer time or Max file size triggers the transfer first. range; 0-99. Default: 75. Note: 0 disables this parameter.
   Max file size	Set the maximum size in Mega Bytes that the audit log can be before the system transfers the file. This determines when a file transfer occurs unless the Max storage space or Max file size triggers the transfer first. Range 0-10. Default: 5. Note: 0 disables this parameter.
   Storage path	Specifies the directory that houses the audit log. Default: /code/audit .
   Push receiver	Add a push receiver and configure the following parameters for sending audit log files from the E-SBC to the receiver: Server—Enter the IP address of the FTP/SFTP server to which you want the E-SBC to push audit log files. Default: 0.0.0.0. Port—Enter the port number on the FTP/SFTP server to which the E-SBC will send audit log files. Range: 1-65535. Default: 22 Remote path—Enter the pathname to send the audit log files to the push receiver. Files are placed in this location on the FTP/SFTP server. Value: <string> remote pathname. Filename prefix—Enter the filename prefix to prepend to the audit log files that the E-SBC sends to the push receiver. The E-SBC does not rename local files. Values: <string> prefix for filenames. Username—Enter the username the E-SBC uses to connect to this push receiver. Auth type—Select the authentication methodology. Password (default) or public key. Do one of the following: Password—When you set the Auth type to password, click Set to enter and confirm the password used to access this push receiver. Public key—When you set the Auth type to public key, select the public key profile that you want from the drop-down list.

3. Click OK.
4. Save the configuration.

Configure Login Timeouts

The single instance ssh-config configuration element specifies SSH re-keying thresholds.

Use the following procedure to set the SSH and TCP timeout values.

1. Access the ssh-config element.
   Configuration, security, admin-security, ssh-config.
2. In ssh-config, do the following:

   rekey interval	Set the time in minutes after which the E-SBC rekeys an SSH or SFTP session. Range: 60-600. Default: 60.
   rekey byte count	Set the number of bytes transmitted, in powers of 2, before re-keying an SSH or SFTP session. For example, entering a value of 24 sets this parameter to 2^24 (16777216) bytes. Range: 20-31. Default: 31.
   proto neg time	Set the time in seconds to complete the SSH protocol negotiation, establishing the secure connection. Range: 30-60. Default: 60.
   keep alive enable	Enable the TCP keepalive timer. Valid Values: enabled | disabled. Default: enabled.
   keep alive idle timer	Set the interval in seconds between the last data packet sent and the first keepalive probe. Range: 15-1800. Default: 15.
   keep alive interval	Set the interval in seconds between two successful keepalive transmissions. Range: 15-120. Default: 15.
   keep alive retries	Set the number of retransmission attempts before the E-SBC declares the remote end unavailable. Range: 2-10. Default: 2.

3. Save the configuration.

TACACS+ Authentication

The Web GUI supports TACACS+ authentication.

TACACS+ provides access control for routers, network access servers, and other networked computing devices by way of one or more centralized servers. The Oracle® Enterprise Session Border Controller (E-SBC), supports TACACS+ authentication and limited accounting services. For accounting services support, the E-SBC supports only authentication success and failure. The E-SBC does not support TACACS+ authentication.

Add TACACS+ Authentication and Servers

To configure TACACS+, you enable TACACS+ client services and specify one or more TACACS+ servers.

1. Access the Login Authentication configuration object.
   Configuration, Security, Authentication.
2. On the Modify Authentication page, do the following:

   Source port	Range: 1645-1812. Default: 1812.
   Type	Select TACACS from the drop-down list.
   Protocol	Select acsii for the authentication protocol.
   TACACS accounting	Select to enable accounting of admin operations. Default: enabled.
   Server assigned privilege	Select to allow only Admin users to use configuration commands. Default: Disabled.
   Allow local authentication	Select to enable local authentication. Default: Disabled.
   Login as Admin	Select to enable logging in as Admin.
   Management strategy	Select an authentication management strategy from the drop-down list. Use either Hunt or Round-Robin when using multiple TACACS+ servers. Use Hunt when using a single TACACS+ server. Default: Hunt.
   Management servers	Click Add, and do the following to add one or more authentication management servers: Enter the IP address of a management server. (Optional) Click Apply / Add Another. OK.
   TACACS servers	Click Add, and do the following: Address—Enter the IP address of this server. Port—Enter the port number of the server you want to receive TACACS+ client requests. Range: 1025-65535. Default: 49. State—Select to enable this server. Default: Enabled. Secret—Enter and confirm the 16-digit string for the shared secret used by the TACACS+ client and the server to encrypt and decrypt TACACS+ messages. Dead time—Enter the time, in seconds, for the quarantine period imposed upon a TACACS+ server that becomes unreachable. Range: 10-10000 seconds. Default: 10. Authentication methods—Add one or more authentication methods. Default: all.

3. Click OK.
4. Save the configuration.

Security Settings

Security configuration from the web GUI consists of creating the building blocks used to establish TLS-secured paths for signaling traffic.

The process includes the following steps.

1. Configure Certificate Records.
2. Configure TLS Profiles, which utilize your certificate records.
3. Apply TLS Profiles to SIP Interfaces.

The dialogs available from the Security button allow you to perform the first two steps. You apply TLS profiles to SIP interfaces using controls within the SIP Interface dialog.

Certificate Configuration Process

You can perform the following certificate management tasks from the Web GUI in either Basic Mode or Expert Mode. The process for configuring certificates on the Oracle® Enterprise Session Border Controller (E-SBC) includes the following steps:

1. Configure a Certificate Record on the E-SBC. See Add a Certificate Record.
2. Generate a Certificate request by the E-SBC. See Generate a Certificate Request.
3. Import a Certificate into the E-SBC. See Import a Certificate.
4. Reboot the system.

Create a Certificate Record

Use the certificate-record element to add certificate records to the Oracle® Enterprise Session Border Controller (E-SBC).

A certificate record represents either the end-entity or the Certificate Authority (CA) certificate on the E-SBC. When you configure a certificate for the E-SBC, the name that you enter must be the same as the name that you use to generate a certificate request. If configuring for an end stations CA certificate for mutual authentication, the certificate name must be the same name used during the import procedure.

• If this certificate record is used to present an end-entity certificate, associate a private key with this certificate record by using a certificate request.
• If this certificate record is created to hold a CA certificate or certificate in pkcs12 format, a private key is not required.

1. Access the certificate-record object.
   Configuration, security, admin-security, certificate-record.
2. On the Certificate record page, click Add.
3. On the Add certificate record page, click Show advanced, and do the following:

   Name	Enter the name of this certificate record.
   Country	Enter the country name abbreviation. For example, CA for Canada. Range: 2 characters.
   State	Enter the region abbreviation. For example, QC for Quebec. Range: 2 characters.
   Locality	Enter the name of the locality in the region. For example, Quebec City. Range:1-128 characters.
   Organization	Enter the name of the organization. For example, Office of Information Technology. 1-64 characters.
   Unit	Enter the name of the unit in the organization. For example, Global Network Security. 1-64 characters.
   Common name	Enter the common name for the certificate record. For example, your name. Range: 1-64 characters.
   Key algor	Set a key algorithm. Valid algorithms: rsa | ecdsa.
   Digest algor	Set a digest algorithm. Valid values: sha1 | sha256 | sha384.
   Key size	For the RSA key algorithm, set the RSA key size. Valid key size: 512 | 1024 | 2048 | 4096.
   Ecdsa key size	For the ECDSA key algorithm, set the ECDSA key size. Valid key size: p256 | p384.
   Alternate name	(Optional) Enter one or more alternative names for the certificate holder.
   Trusted	Do one of the following: Select to make the certificate trusted. (Default) Deselect to make the certificate un-trusted.
   Key usage list	Click Add and select a key that you want to use with this certificate record from the drop-down list, and do one of the following: Click OK. Click Apply/Add Another, add another key , and click OK. Repeat as needed. This parameter defaults to the combination of digitalSignature and keyEncipherment. For a list of other valid values and their descriptions, see the section “Key Usage Control” in the ACLI Configuration Guide.
   Extended key usage list	Click Add, select an extended key that you want to use with this certificate record from the drop-down list, and do one of the following: Click OK. Click Apply/Add Another, add another extended key, and click OK. Repeat as needed. This parameter defaults to serverAuth. For a list of other valid values and their descriptions, see the section “Key Usage Control” in the ACLI Configuration Guide.
   Options	Set any optional features or parameters that you want.

4. Click OK.
5. Save the configuration.

• Create TLS profiles, using the certificate records to further define the encryption behavior and to provide an entity that you can apply to a SIP interface.

Generate a Certificate Request

Use the certificate-record element to select a certificate record and generate a certificate request.

• Confirm that the certificate record exists.

To get a certificate authorized by a Certificate Authority (CA), you must generate a certificate request from the certificate record on the device and send it to the CA.

1. From the Web GUI, click Configuration, security, certificate-record.
   The system displays a list of certificate records.
2. Select the certificate record for the device.
3. Click Generate.
   The system creates the request and displays it in a dialog.
4. Copy the information from the dialog and send it to your CA as a text file.

• When the CA replies with the certificate, import the certificate to the device with the corresponding certificate record.

Import a Certificate

Use the certificate-record element to import a certificate into the Oracle® Enterprise Session Border Controller (E-SBC).

Use this procedure to import either a device certificate or an end-station CA certificate for a mutual authentication deployment. You must import the certificate to the corresponding certificate record for the E-SBC. End-station CA certificates may or may not need to be imported against a pre-configured certificate record.

1. From the Web GUI, click Configuration, security, certificate record.
2. Select the certificate record for the device.
3. Click Import.
   The system displays a dialog from which you can import the certificate.
4. Select one of the following format types from the Format drop down list:
   • pkcs7
   • x509
   • Try-all. The system tries all possible formats until it can import the certificate.
5. Browse to the certificate file, and select the certificate to import.
6. Click Import.
   TheE-SBC imports the certificate.
7. Reboot the system.

• Apply the corresponding certificate record to the intended SIP interface.

SDES Configuration for a Media Stream

Configuring a Session Description Protocol Security Descriptions (SDES) profile for a media stream is a way to negotiate the key for Secure Real-time Transport Protocol (SRTP). The SDES profile provides confidentiality, message authentication, and replay protection for RTP media and control traffic. SDES profile configuration on the Oracle® Enterprise Session Border Controller (E-SBC) includes the following steps.

1. Create at least one SDES profile that specifies the parameter values to negotiate during the offer-answer exchange.
2. Create at least one Media Security Policy that specifies the key exchange protocols and protocol specific profiles.
3. Assign the appropriate Media Security Policy to the appropriate realm.
4. Create an interface-specific security policy that enables the E-SBC to identify inbound and outbound media streams treated as SRTP and SRTCP.

TLS Profile Configuration

The Transport Layer Security (TLS) profile specifies the information required to run SIP over TLS.

TLS is a cryptographic protocol that provides communication security over the Internet. TLS encrypts the segments of network connections at the Application layer for the Transport layer, using asymmetric cryptography for key exchange, symmetric encryption for confidentiality and message authentication codes for message integrity.

Create a TLS profile, using your certificate records, to further define the encryption behavior and create the configuration element that you apply to the SIP interface. You can configure an end entity certificate and a trusted Certification Authority (CA) certificate for a TLS policy. CA certificates are issued by a CA to itself or to a second CA for the purpose of creating a defined relationship between the two entities. A certificate that is issued by a CA to itself is referred to as a trusted root certificate, because it is intended to establish a point of ultimate trust for a CA hierarchy. Once the trusted root has been established, it can be used to authorize subordinate CAs to issue certificates on its behalf.

Suite B and Cipher List Support

The Oracle® Enterprise Session Border Controller (E-SBC) supports full control of selecting the ciphers that you want to use for Transport Layer Security (TLS). The system defaults to DEFAULT for the Cipher List parameter in the TLS Profile configuration. Oracle recommends that you delete ALL and add only the particular ciphers that you want, choosing the most secure ciphers for your deployment.

To support Suite B, the E-SBC certificate-record configuration includes the following parameters:

• key-algor—Public key algorithm. Supports RSA and ECDSA. Default: RSA Security. You must select ECDSA to support suite B.
• ecdsa-key-size—ECDSA key size. Supports p256 and p384.

Configure the list of ciphers that you want to use from the Cipher List element in the TLS Profile configuration. The system provides a drop-down list of all supported ciphers. One-by-one, you can add as many ciphers as your deployment requires.

TLS Cipher Updates

Note the following changes to the DEFAULT cipher list.

Oracle recommends the following ciphers, and includes them in the DEFAULT cipher list:

• TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
• TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
• TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
• TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
• TLS_RSA_WITH_AES_256_CBC_SHA256
• TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
• TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA384

Oracle supports the following ciphers, but does not include them in the DEFAULT cipher list:

• TLS_RSA_WITH_AES_256_GCM_SHA384
• TLS_RSA_WITH_AES_128_GCM_SHA256
• TLS_RSA_WITH_AES_128_CBC_SHA
• TLS_RSA_WITH_3DES_EDE_CBC_SHA

Oracle supports the following ciphers for debugging purposes, only:

• TLS_RSA_WITH_NULL_SHA256 (debug only)
• TLS_RSA_WITH_NULL_SHA (debug only)
• TLS_RSA_WITH_NULL_MD5 (debug only)

Oracle supports the following ciphers, but considers them not secure. They are not included in the DEFAULT cipher-list, but they are included when you set tls-profile, cipher-list to ALL. Note that they trigger verify-config error messages.

• TLS_DHE_RSA_WITH_AES_256_CBC_SHA
• TLS_RSA_WITH_AES_256_CBC_SHA
• TLS_DHE_RSA_WITH_AES_128_CBC_SHA
• TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA

Note:

You configure TLS ciphers by way of the cipher-list parameter in tls-profile.

Securing Communications Between the E-SBC and SDM with TLS

You can use the Transport Layer Security (TLS) protocol to secure the communications link between the Oracle® Enterprise Session Border Controller (E-SBC) and the Oracle Communications Session Delivery Manager (SDM). Note that the systems use Acme Control Protocol (ACP) for this messaging.

To configure the E-SBC to use TLS for this ACP messaging:

1. Configure a TLS profile. The tls-profile object is located under security, where you add certificates, select cipher lists, and specify the TLS version for each profile.
2. Configure system-config element's acp-tls-profile parameter to specify this TLS profile.

The acp-tls-profile parameter is empty by default, which means that ACP over TLS is disabled. When ACP over TLS is disabled, the SDM establishes a TCP connection with the E-SBC. When the acp-tls-profile parameter specifies a valid TLS profile, the E-SBC negotiates a TLS connection with SDM.

Note:

This feature requires SDM version 8.1 and above.

Add a TLS Profile

Use the tls-profile element to specify the parameters for running SIP over Transport Layer Security (TLS).

• Add one or more certificate records to the Oracle® Enterprise Session Border Controller that you need for this profile.

Create a TLS profile, using your certificate records, to further define encryption behavior and create the configuration element that you apply to the SIP interface. You can configure an end-entity certificate and a trusted Certification Authority (CA) certificate for a TLS profile.

1. From Web GUI, click Configuration, security, tls-profile.
2. On the TLS profile page, click Add.
3. On the Add TLS profile page, click Show advanced, and do the following:

   Name	Enter a name for the TLS profile, for example, TLS1.
   End entity certificate	Enter the name of the end-entity certificate record for the TLS session.
   Trusted ca certificates	Add the names of the trusted CA certificate records.
   Cipher list	Add cipher lists.
   Verify depth	Enter the verify depth for mutual authentications.
   Mutual authenticate	Select to enable mutual authentication.
   TLS version	Select a TLS version for this profile from the drop down list.
   Options	Add optional features and parameters.
   Cert status check	Select to enable checking the status of the certificate.
   Cert status profile list	Add one or more lists of certificate status profiles for status requests.
   Ignore dead responder	Select to ignore a dead certificate status responder.
   Allow self signed cert	Select to allow a self-signed certificate.

4. Click OK.
5. Save the configuration.

TLS Session Caching

Transport Layer Security (TLS) session caching allows the Oracle® Enterprise Session Border Controller to cache key information for TLS connections, and to set the length of time that the information is cached.

When TLS session caching is not enabled, the Oracle® Enterprise Session Border Controller and a TLS client perform the handshake portion of the authentication sequence in which they exchange a shared secret and encryption keys are generated. One result of the successful handshake is the creation of a unique session identifier. When an established TLS connection is torn down and the client wants to reinstate it, this entire process is repeated. Because the process is resource-intensive, you can enable TLS session caching to avoid repeating the handshake process for previously authenticated clients to preserve valuable Oracle® Enterprise Session Border Controller resources.

When TLS session caching is enabled on the Oracle® Enterprise Session Border Controller, a previously authenticated client can request re-connection using the unique session identifier from the previous session. The Oracle® Enterprise Session Border Controller checks its cache, finds the session identifier, and reinstates the client. This process reduces the handshake to three messages, which preserves system resources.

If the client offers an invalid session identifier, for example, one that the Oracle® Enterprise Session Border Controller has never seen or one that has been deleted from its cache, the system does not allow the re-connection. The system negotiates the connection as a new connection.

Configure TLS-Global Session Caching

Use the tls-global element to enable tls-global session caching to allow the Oracle® Enterprise Session Border Controller (E-SBC) to cache the session identifier for possible re-connection with a former client.

• Configure a TLS profile.

Session caching is a global setting for all TLS operations on the E-SBC. You must enable session caching and set the session cache timeout. Note that the number 0 disables session cache timeout. When the session cache timeout is disabled, cache entries never age and they remain until you delete them. RFC 2246, the TLS Protocol Version 1.0, recommends setting session cache timeout to the maximum of 24 hours.

1. From the Web GUI, click Configuration, Configuration, security, tls-global.
2. On the Add TLS global page, do the following:

   Session caching	Select to enable.
   Session cache timeout	Enter the number of hours to cache TLS sessions for re-connection. Range: 0-24.

3. Click OK.
4. Save the configuration.

Configure an SPL Plugin

Use the spl-config element to configure the parameters for integrating System Programming Language (SPL) plugin extensions with the Oracle® Enterprise Session Border Controller (E-SBC).

• Confirm that the SPL engine is installed on the E-SBC.
• Plan the order in which you configure multiple SPL plugins because the E-SBC executes the SPL plugins in the order of configuration.

Note:

The E-SBC includes all SPL plugins, except for Comfort Noise Generation. You must manually upload the Comfort Noise Generation SPL plugin to the E-SBC performing the following procedure.

1. From the Web GUI, click Configuration, system, spl-config.
2. On the spl config / plugins page, do the following:

   Spl options	Enter values for optional SPL parameters and features in a comma separated list enclosed in double quotation marks.
   Plugins	Click Add, and do the following: State. Select to enable the SPL plugin on the E-SBC. Name. Specify the name of the SPL plugin. Click OK.

3. Click OK.
4. Save the configuration.

• Execute the SPL plugin file.
• Synchronize the SPL across HA pairs.