2 Installing SEPP

This chapter describes how to install SEPP on a Cloud Native Environment (CNE).

Prerequisites

The 5G SEPP requires the following environment:
  • A Kubernetes cluster should be available, with Kube DNS configured to talk to the operator's DNS server.
  • The service FQDN of SEPP should be discoverable from outside the cluster (i.e. publicly exposed if ingress messages to SEPP can come from outside of K8S).
  • The operator should have their own repository for storing the SEPP images, and the repository should be accessible from the operator's Kubernetes cluster.
  • The master/management node should have the jq tool installed; it is used later by the config map content parsing tools.

The following software must be installed:

Software      Version
Kubernetes    v1.15.3
HELM          v2.14.3

Additional software that needs to be deployed as per the requirement of the services:

Software                    Chart Version    Notes
elasticsearch               5.5.4            Needed for Logging Area
elastic-curator             5.5.4            Needed for Logging Area
elastic-exporter            1.0.2            Needed for Logging Area
logs                        2.0.7            Needed for Logging Area
kibana                      6.7.0            Needed for Logging Area
grafana                     6.1.6            Needed for Metrics Area
prometheus                  9.1.2            Needed for Metrics Area
prometheus-node-exporter    0.17.0           Needed for Metrics Area
metallb                     0.7.3            Needed for External IP
metrics-server              0.3.1            Needed for Metric Server
tracer                      0.8.3            Needed for Tracing Area

Note:

Install the specified software items before proceeding, if any of the above services are needed and the respective software is not already installed in CNE.
To check the installed software items, execute:
helm ls

Use the helm command with the admin.conf file, if required:

helm --kubeconfig admin.conf

Installation Sequence

This section describes the sequence in which SEPP must be installed.

Creating namespace

Following is the procedure to create the namespace and verify it.

  1. Execute the following command to create namespace:
    $ kubectl create namespace <required namespace>
    Example:
    $ kubectl create namespace seppsvc

Creating secrets for enabling HTTPS

Creation of secrets for enabling HTTPS in OCSEPP ocegress gateway

This section explains the steps to create the secret that holds the HTTPS-related files. These steps must be completed before enabling HTTPS in the OCSEPP Egress gateway.

Note:

The passwords for the TrustStore and KeyStore are stored in the respective password files listed below.
To create the Kubernetes secret for HTTPS, the following files are required:
  • ECDSA private key and CA signed certificate of OCSEPP (if initialAlgorithm is ES256)
  • RSA private key and CA signed certificate of OCSEPP (if initialAlgorithm is RSA256)
  • TrustStore password file
  • KeyStore password file
  • CA certificate

Note:

The process for creating the private keys, certificates and passwords is at the discretion of the user/operator.

  1. Execute the following command to create secret:
    $ kubectl create secret generic <ocegress-secret-name> --from-file=<ssl_ecdsa_private_key.pem> --from-file=<rsa_private_key_pkcs1.pem> --from-file=<ssl_truststore.txt> --from-file=<ssl_keystore.txt> --from-file=<caroot.cer> --from-file=<ssl_rsa_certificate.crt> --from-file=<ssl_ecdsa_certificate.crt> -n <Namespace of OCSEPP ocegress Gateway secret>

    Note:

    Note down the command used to create the Kubernetes secret; the same command will be used for future updates.
    Example: The names used below are the same as those provided in the custom values.yaml in the OCSEPP deployment.
    $ kubectl create secret generic ocegress-secret --from-file=ssl_ecdsa_private_key.pem --from-file=rsa_private_key_pkcs1.pem --from-file=ssl_truststore.txt --from-file=ssl_keystore.txt --from-file=caroot.cer --from-file=ssl_rsa_certificate.crt --from-file=ssl_ecdsa_certificate.crt -n ocsepp
  2. Verify the secret created using the following command:
    $ kubectl describe secret <ocegress-secret-name> -n <Namespace of OCSEPP ocegress Gateway secret>
    Example:
    $ kubectl describe secret ocegress-secret -n ocsepp

Creating secret for n32fIpx

Following is the procedure to create secret for N32f-IPX:
  1. Execute the following command to create an ECDSA private key with the P-256 curve:
    openssl ecparam -name prime256v1 -genkey -noout -out ecdsa_private_key.pem
  2. Execute the following command to convert the private key to PKCS8 encoding in .pem format:
    openssl pkcs8 -topk8 -nocrypt -in ecdsa_private_key.pem -outform pem -out ecdsa_private_key_pkcs8.pem
  3. Execute the following command to create the secret for that private key:
    kubectl create secret generic ocsepp-ipx-secret --from-file=ecdsa_private_key_pkcs8.pem -n seppsvc
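
The following pre-flight check is an added example, not part of the original procedure or of Oracle's tooling. It confirms that a key file has the encoding its secret expects and is not readable by other users before `kubectl create secret` is run, since `-nocrypt` leaves the key unencrypted on disk. The expected encodings (PKCS8 for ecdsa_private_key_pkcs8.pem, PKCS1 for rsa_private_key_pkcs1.pem) are assumed from the file names on this page; the function names and sample files are constructed.

```shell
#!/usr/bin/env bash
# Added example: pre-flight check of key files before `kubectl create secret`.

# Print the private-key encoding of a PEM file, judged by its first BEGIN line.
pem_kind() {
  case "$(grep -m1 -e '^-----BEGIN ' "$1" 2>/dev/null | tr -d '\r')" in
    '-----BEGIN PRIVATE KEY-----')           echo pkcs8 ;;      # openssl pkcs8 -topk8 -nocrypt
    '-----BEGIN ENCRYPTED PRIVATE KEY-----') echo pkcs8-encrypted ;;
    '-----BEGIN EC PRIVATE KEY-----')        echo sec1-ec ;;    # openssl ecparam -genkey -noout
    '-----BEGIN RSA PRIVATE KEY-----')       echo pkcs1-rsa ;;
    *)                                       echo unknown ;;
  esac
}

# Pass only if the file has the expected encoding and no group/other permissions.
check_key_file() {   # usage: check_key_file <file> <expected-kind>
  local file=$1 want=$2 kind mode
  [ -f "$file" ] || { echo "FAIL $file: missing"; return 1; }
  kind=$(pem_kind "$file")
  [ "$kind" = "$want" ] || { echo "FAIL $file: is $kind, expected $want"; return 1; }
  mode=$(stat -c '%a' "$file" 2>/dev/null || stat -f '%Lp' "$file")
  case "$mode" in
    0|*00) echo "OK   $file ($kind, mode $mode)" ;;
    *)     echo "FAIL $file: mode $mode exposes an unencrypted key"; return 1 ;;
  esac
}

# Check the key files named on this page, looked up in directory $1.
preflight() {
  local dir=${1:-.} rc=0
  check_key_file "$dir/ecdsa_private_key_pkcs8.pem" pkcs8     || rc=1  # ocsepp-ipx-secret
  check_key_file "$dir/rsa_private_key_pkcs1.pem"   pkcs1-rsa || rc=1  # ocegress-secret
  return $rc
}

# Constructed sample: header-only stand-ins for real keys (no key material).
make_sample() {      # usage: make_sample <file> <PEM label> <mode>
  printf '%s\n' "-----BEGIN $2-----" 'Q09OU1RSVUNURUQ=' "-----END $2-----" > "$1"
  chmod "$3" "$1"
}

demo_dir=$(mktemp -d)
make_sample "$demo_dir/ecdsa_private_key_pkcs8.pem" 'EC PRIVATE KEY' 644  # step 2 skipped
make_sample "$demo_dir/rsa_private_key_pkcs1.pem" 'RSA PRIVATE KEY' 600
preflight "$demo_dir" || echo "pre-flight failed: do not create the secret yet"
rm -rf "$demo_dir"
```

Running `umask 077` in the shell before the openssl commands makes the generated key files owner-only from the start, so the mode check passes without a later chmod.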

Installation Tasks

This section describes the tasks that the user needs to follow for installing SEPP.

Following is the procedure to install SEPP:
  1. Log in to MOS using the appropriate login credentials.
  2. Select the Product & Updates tab.
  3. In the Patch Search console, select the Product or Family (Advanced) tab.
  4. Enter Oracle Communications Cloud Native Core - 5G in Product field and select the product from the Product drop-down.
  5. Select Oracle Communications Cloud Native Security Edge Protection Proxy <release_number> in Release field.
  6. Click Search. The Patch Advanced Search Results list appears.
  7. Select the required patch from the list. The Patch Details window appears.
  8. Click on Download. The File Download window appears.
  9. Click on the <p********_<release_number>_Tekelec>.zip file.
  10. Click on the zip file to download the network function patch.
  11. Unzip the file to the system where you want to install the network function. You can find the SEPP package as follows:

    ReleaseName-pkg-Releasenumber.tgz

    where:

    ReleaseName is a name which is used to track this installation instance.

    Releasenumber is the release number.

    For example, ocsepp-pkg-1.3.0.0.0.tgz
  12. Untar the SEPP package file to get SEPP docker image tar file:
    tar -xvzf ReleaseName-pkg-Releasenumber.tgz
  13. Load the ocsepp-images-<release_number>.tar file into the Docker system:
    docker load --input /IMAGE_PATH/ocsepp-images-<release_number>.tar
  14. Verify that the image is loaded correctly by entering this command:
     docker images 
  15. Execute the following commands to push the docker images to docker registry:
    docker tag <image-name>:<image-tag> <docker-repo>/<image-name>:<image-tag>
    docker push <docker-repo>/<image-name>:<image-tag> 
  16. Untar the helm files:
    tar -xvzf ocsepp-<release_number>.tgz
  17. Create the customized ocsepp-custom-values-1.3.0.yaml file with the required input parameters. To customize the file, refer to <customization chapter>
  18. Go to the extracted OCSEPP package as explained in:
    cd ocsepp-<release_number>
  19. Install OCSEPP by executing the following command:
    helm install ocsepp-helm-repo/ocsepp -f ocsepp-custom-values.yaml --name ocsepp --namespace seppsvc --version <helm version>