3 OCSSC Deployment Process and Procedures

Obtaining and installing the Oracle Communications Security Shield Cloud Service (OCSSC) service requires a multi-step process that includes tasks for you to perform in the Oracle Cloud and on premises. New customers must take steps to establish and set up their Oracle Cloud account in addition to the procedures for installing the OCSSC service. See the following topics to guide you through the process.

OCSSC Deployment Process

The high-level process for deploying the Oracle Communications Security Shield Cloud Service (OCSSC) includes the following steps. You will perform some steps in the Oracle Cloud and others on-premises.

  1. Oracle Cloud—Contact your Oracle Cloud sales representative to establish a subscription for OCSSC and activate your account. (OCSSC is not available for purchase online in the Oracle Marketplace.) See Establish an Oracle Communications Security Shield Cloud Service Subscription.
  2. On premises—Log on to Oracle Software Delivery Cloud at edelivery.oracle.com using the Customer Support Identifier number that you received in your Oracle Cloud Welcome email and download the OCSSC software (the Cloud Communication Service and the OCSSC SPL file). See Download the OCSSC Software.
  3. On premises—Generate the TLS certificates for the Cloud Communication Service. The installation script requires a pem file and a key file for both the LAN side and the WAN side. See Configure TLS Certificates for the Cloud Communication Service.
  4. On premises—Install the Cloud Communication Service with the install, configure, and activate scripts provided in the software download. See Install, Configure, and Activate the Cloud Communication Service.
  5. On premises—Generate the TLS certificate for the Session Border Controller (SBC) and install it on the SBC. See Configure TLS Certificates for the OCSBC.
  6. On premises—Install the OCSSC SPL on the SBC and enable OCSSC on the SBC, which registers the SBC with the Cloud Communication Service. See Configure the Session Border Controller for the OCSSC Service.

The following diagram illustrates the deployment process and shows the parameters you need to set in each OCSSC component to establish the service.


Next Steps

  • Oracle Cloud—Log on to the OCSSC Dashboard and customize the threat protection settings. See "Customize the OCSS Autonomous Threat Protection Settings" in the OCSSC User's Guide.
  • Oracle Cloud—Log on to the OCSSC Dashboard and create managed phone number lists. See "Add Phone Numbers to Policy Rules" in the OCSSC User's Guide.

Establish an Oracle Communications Security Shield Cloud Service Subscription

To obtain the Oracle Communications Security Shield Cloud Service (OCSSC), contact Oracle Cloud Sales to purchase a Cloud Services Agreement and the OCSSC service subscription. Oracle does not offer the OCSSC service as an online purchase in the Oracle Cloud Marketplace. You must purchase through Oracle Sales.

Establishing an OCSSC service subscription is a multi-step process. Use the information provided in the following links to guide you through the process.
  1. Go to Oracle Communications Security Shield Cloud and click Contact Us for information about how to purchase a subscription to OCSSC.
  2. Go to Activate Your Cloud Account for instructions to activate your subscription.
  3. Go to Oracle Cloud Infrastructure Identity and Access Management for information about how to manage your Users and Groups, Identity Domains, Applications, Administration, and more.

Download the OCSSC Software

Before you can install the Cloud Communications Service (CCS) and the OCSSC SPL plug-in file on-premises, you must download the software onto the host. Only authorized customers with a valid password may download the software. Note that the download includes both the CCS software and the Oracle Communications Security Shield Cloud Service (OCSSC) SPL plug-in file that you must install on the Session Border Controller.

The following procedure explains how to download the CCS software and SPL plug-in file from Oracle Software Delivery Cloud.

Note:

If you prefer, you can download the CCS software and SPL plug-in file from My Oracle Support (MOS). See Download the Cloud Communication Service Software from MOS.

Procedure

  1. Log on to https://edelivery.oracle.com with the Customer Support Identifier number that you received in your "Welcome" email from Oracle.
  2. Search for Cloud Communications Service software.
  3. Add the Cloud Communications Service software to your shopping cart.
  4. Check out and download the Cloud Communications Service software file to your host.
    Oracle creates the /opt/oracle directory and necessary sub-directories on the host for the CCS software.

Configure TLS Certificates for the Cloud Communication Service

The Cloud Communication Service (CCS) uses TLS to encrypt and secure your data on the Local Area Network (LAN) between CCS and the Session Border Controller (SBC) and on the Wide Area Network (WAN) between CCS and Oracle Communications Security Shield Cloud Service (OCSSC). The WAN and LAN connections both require a pem format certificate file and its matching key file. You also need the intermediate CA certificate file when you run the activate script in the "Install, Configure, and Activate the Cloud Communication Service" procedure.

Use the following procedure to generate the required pem and key TLS certificates for your LAN and WAN.
  1. Create a san.cnf file with your local information and set the IP.1 parameter to the IP address you want the CCS to use on the LAN side. (Section headers are enclosed in square brackets, and the extensions key is req_extensions with an underscore; the openssl req command rejects the file otherwise.)
    [ req ]
    default_bits = 2048
    distinguished_name = req_distinguished_name
    req_extensions = req_ext
    [ req_distinguished_name ]
    countryName = Country Name (2 letter code)
    stateOrProvinceName = State or Province Name (full name)
    localityName = Locality Name (For example, city)
    organizationName = Organization Name (For example, company)
    commonName = Common Name (For example, server FQDN or YOUR name)
    [ req_ext ]
    subjectAltName = @alt_names
    [ alt_names ]
    IP.1 = <CCS LAN-side IP Address>
  2. Use OpenSSL to generate the Certificate Signing Request and key file using the san.cnf file you created above.
    openssl req -out <path where to create sslcert.csr> -newkey rsa:2048 -nodes -keyout <path where to create lan-key.pem> -config <path to san.cnf>
  3. Use OpenSSL to generate a signed certificate pem file for the associated Certificate Signing Request, setting the expiration period you want with the -days parameter (the following CA is for the LAN-side signing CA).
    openssl ca -config <path to openssl.cnf> -extensions server_cert -days <set certificate expiration in days> -notext -md sha256 -in <path to sslcert.csr> -out <path where to create lan-cert.pem>
  4. Verify the certificate information and that the certificate states the correct IP address in the IP.1 field.
    openssl x509 -noout -text -in <path to lan-cert.pem>
  5. Modify the san.cnf file and change the IP.1 parameter to the IP address you want the CCS to use for the WAN side. The common name is the FQDN to use for the WAN-side.
    [ req ]
    default_bits = 2048
    distinguished_name = req_distinguished_name
    req_extensions = req_ext
    [ req_distinguished_name ]
    countryName = Country Name (2 letter code)
    stateOrProvinceName = State or Province Name (full name)
    localityName = Locality Name (For example, city)
    organizationName = Organization Name (For example, company)
    commonName = Common Name (For example, server FQDN or YOUR name)
    [ req_ext ]
    subjectAltName = @alt_names
    [ alt_names ]
    IP.1 = <CCS WAN-side IP Address>
  6. Use OpenSSL to generate the Certificate Signing Request and key file using the san.cnf file created above.
    openssl req -out <path where to create sslcert.csr> -newkey rsa:2048 -nodes -keyout <path where to create wan-key.pem> -config <path to san.cnf>
  7. Send the sslcert.csr to a trusted CA for signing. Oracle assumes that the returned certificate is named wan-cert.pem.
  8. Verify the certificate information and that the certificate states the correct IP address in the IP.1 field.
     openssl x509 -noout -text -in <path to wan-cert.pem>
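The procedure above, as an added shell example that is not Oracle's script: it writes the san.cnf for one side with the corrected section syntax, runs the same openssl req command to produce the key and CSR, and verifies the IP SAN before the CSR goes to a CA. It assumes `prompt = no` in place of the interactive DN prompts, and the file names (<side>-key.pem, <side>.csr) and the addresses in the demo are constructed.

```shell
#!/bin/sh
# Added example, not Oracle's code. Builds san.cnf, generates key + CSR per
# CCS side, and checks the IP.1 SAN the way steps 4 and 8 do.

# write_san_cnf OUT_FILE IP_ADDRESS COMMON_NAME
# prompt = no (an assumption, not in the page's file) makes the DN fields
# values rather than interactive prompts so openssl runs unattended.
write_san_cnf() {
  out="$1"; ip="$2"; cn="$3"
  cat > "$out" <<EOF
[ req ]
default_bits       = 2048
prompt             = no
distinguished_name = req_distinguished_name
req_extensions     = req_ext

[ req_distinguished_name ]
countryName         = US
stateOrProvinceName = Example State
localityName        = Example City
organizationName    = Example Org
commonName          = $cn

[ req_ext ]
subjectAltName = @alt_names

[ alt_names ]
IP.1 = $ip
EOF
}

# make_csr SIDE IP_ADDRESS COMMON_NAME OUT_DIR
# Same openssl req invocation as steps 2 and 6; OUT_DIR/<side>.csr is what
# the page calls sslcert.csr. The private key stays on this host, so lock
# its permissions down right after it is written.
make_csr() {
  side="$1"; ip="$2"; cn="$3"; dir="$4"
  mkdir -p "$dir"
  write_san_cnf "$dir/$side-san.cnf" "$ip" "$cn"
  openssl req -out "$dir/$side.csr" -newkey rsa:2048 -nodes \
    -keyout "$dir/$side-key.pem" -config "$dir/$side-san.cnf" 2>/dev/null \
    || return 1
  chmod 600 "$dir/$side-key.pem"
}

# csr_has_ip CSR_FILE IP_ADDRESS: succeeds only if the SAN lists that address.
csr_has_ip() {
  openssl req -noout -text -in "$1" 2>/dev/null | grep -q "IP Address:$2\$"
}

# cert_has_ip CERT_FILE IP_ADDRESS: the same check on the signed certificate
# returned by the CA (steps 4 and 8 of the procedure).
cert_has_ip() {
  openssl x509 -noout -text -in "$1" 2>/dev/null | grep -q "IP Address:$2\$"
}

# demo_ccs_csrs [WORK_DIR]: one CSR per side, each bound to its own address.
# Addresses are constructed documentation ranges, not real CCS addresses.
demo_ccs_csrs() {
  work="${1:-$(mktemp -d)}"
  make_csr lan 192.0.2.10    ccs-lan.example.test "$work" || return 1
  make_csr wan 198.51.100.10 ccs-wan.example.test "$work" || return 1
  csr_has_ip "$work/lan.csr" 192.0.2.10    || return 1
  csr_has_ip "$work/wan.csr" 198.51.100.10 || return 1
  # A CSR carrying the other side's address means the two interfaces were
  # mixed up; the verification steps exist to catch exactly that.
  if csr_has_ip "$work/lan.csr" 198.51.100.10; then return 1; fi
  printf '%s\n' "$work"
}
```

Call `demo_ccs_csrs /some/dir` to produce lan.csr, lan-key.pem, wan.csr and wan-key.pem there; `cert_has_ip` is the check to run on lan-cert.pem and wan-cert.pem once they come back signed.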

Install, Configure, and Activate the Cloud Communication Service

The Cloud Communication Service (CCS) installation procedure requires the archive file containing the installation, configuration, and activation scripts that you downloaded from Oracle onto your host hardware. Oracle recommends running the three scripts consecutively in one session the first time you install CCS. For that reason, this procedure includes the prerequisites and steps for running the scripts sequentially. Oracle recommends that you install the CCS behind Network Address Translation (NAT) or a firewall. See "CCS Configuration behind NAT or a Firewall".

CCS Installation Prerequisites

Do the following before performing the CCS installation procedure.

System Prerequisites
  • Ensure that the host meets the Operating System and resource requirements. See Version Requirements for External Components.
  • Install Perl v5.16.3 or higher on the host.
  • Ensure that you have Root access or equivalent Super User privileges.
  • Ensure that the Docker package is installed and that the daemon is running as a service.
  • Ensure that you synchronize the CCS Docker host and the Session Border Controller with the Network Time Protocol (NTP) server.
Installation Script Prerequisites
  • Ensure that there is no CCS installation existing on the hardware. See the last step in this procedure for instructions.
  • Download the archive file (ccs-<version>.tgz), which includes all of the scripts, from Oracle Software Delivery Cloud at edelivery.oracle.com to the host server.
Configuration Script Prerequisites
  • See Upgrade Information for the 21.3.0.0.0 Release.
  • Generate the local API key and local API alternate key. See the OCSSC Security and Privacy Guide for instructions for generating keys.
  • Host WAN FQDN provided by the customer
  • Host WAN IP Address provided by the customer
  • Host LAN IP Address provided by the customer
  • Identity Domain FQDN provided by OCSSC through the Cloud Communications Service Configuration link on the Settings tab
  • Identity Domain ID provided by OCSSC through the Cloud Communications Service Configuration link on the Settings tab
  • OCSSC FQDN provided by OCSSC through the Cloud Communications Service Configuration link on the Settings tab
  • OCSSC Tenant ID provided by OCSSC through the Cloud Communications Service Configuration link on the Settings tab
  • OCSSC API Key provided by the customer (the CCS API key)
  • OCSSC API Key Alternate provided by the customer
  • CCS Client ID provided by OCSSC through the Cloud Communications Service Configuration link on the Settings tab
  • CCS Client Secret provided by OCSSC through the Cloud Communications Service Configuration link on the Settings tab
Activation Script Prerequisites
  • CCS is installed and not activated
  • CCS JSON configuration (cfg.json) provided by customer from prior configuration step
  • LAN/OAM server certificate provided by customer
  • LAN/OAM server private key provided by customer
  • LAN/OAM server signing certificate provided by customer
  • (Optional)—WAN server certificate provided by customer. Use when you want ground-to-cloud communication, which allows mid-call updates. Omit when you do not want cloud-to-ground communication, which does not allow mid-call updates. See Enable or Disable Mid-Call Updates.
  • (Optional)—WAN server private key provided by customer. Use when you want ground-to-cloud communication, which allows mid-call updates. Omit when you do not want cloud-to-ground communication, which does not allow mid-call updates. See Enable or Disable Mid-Call Updates.

Note:

See the OCSSC Security and Privacy Guide for information about certificate management and deploying CCS behind Network Address Translation (NAT) or a firewall.

Procedure

The CCS installation script sets the defaults for the LAN, WAN, and OAM server instances to the address of 0.0.0.0 and the ports to 8000, 443, and 2000, respectively. After you execute config.pl, CCS creates the cfg.json file and sets the WAN listening port to the default 443. If you provide the WAN certificate and private key in the activate.pl script configuration, the WAN listening port remains 443. If you do not provide the WAN certificate and private key, CCS changes the port to 9000.

If you modify the WAN port in cfg.json to any value other than 443 or 9000, CCS retains that value even when you provide the WAN certificate and private key. Ensure that if you change the default ports, they do not conflict with the Oracle Management Cloud Engine (OMCE) ports.

Note:

If you change the Cloud Communication Service (CCS) public IP address (WAN interface), it may take up to twenty four hours for mid-call updates to resume.

In the following procedure, wait for each script to finish running successfully before running the next one.

Note:

The Cloud Communication Service (CCS) does not support simultaneous use of the same CCS instance by different services, for example OCSSC and Oracle Session Delivery Manager Cloud (OSDMC). You must configure each CCS instance to support only one service.
  1. Log on to the server as root.
  2. Unpack the ccs-<version>.<build>.tgz archive.
    tar -xvzf ccs-<version>.<build>.tgz
    The system creates the ccs-<version> directory and copies the unpacked files there in the following directory tree.
    • /opt/oracle
    • /opt/oracle/ccs
    • /opt/oracle/ccs/.build (hidden)
    • /opt/oracle/ccs/.version (hidden)
    • /opt/oracle/ccs/api
    • /opt/oracle/ccs/api/KeyRsp.v1.json
    • /opt/oracle/ccs/api/RegReq.v1.json
    • /opt/oracle/ccs/api/RegRspv1.json
    • /opt/oracle/ccs/api/TokenRsp.v1.json
    • /opt/oracle/ccs/cfg
    • /opt/oracle/ccs/cfg.v1.json
    • /opt/oracle/ccs/img
    • /opt/oracle/ccs/img/ccs-<version>.<build>.tar
    • /opt/oracle/ccs/log
    • /opt/oracle/ccs/perl
    • /opt/oracle/ccs/perl/activate.pl
    • /opt/oracle/ccs/perl/config.pl
    • /opt/oracle/ccs/perl/deactivate.pl
    • /opt/oracle/ccs/perl/uninstall.pl
    • /opt/oracle/ccs/ssl
    • /opt/oracle/ccs/ssl/ca
    • /opt/oracle/ccs/ssl/ca/c_rehash
    • /opt/oracle/ccs/ssl/ca/DigiCertGlobalRootCA.cer
    • /opt/oracle/ccs/ssl/ca/DigiCertSHA256GlobalCaG2.cer
    • /opt/oracle/ccs/ssl/ca/DigiCertSHA256GlobalRootG2.cer
    • /opt/oracle/ccs/ssl/ca/DigiCertSHA2SecureServerCA.cer
  3. At the prompt, do the following:
    1. Type cd ccs-<version>, and press Enter.
    2. Type ls, and press Enter to confirm that install.pl is present in the directory.
    # cd ccs-<version>
    # ls
    install.pl
  4. At the prompt, type ./install.pl, and press Enter.
    The system checks for an existing installation and, if none exists, asks if you want to proceed with the installation.
    # ./install.pl
    ------------------------------------------------------
    Oracle Cloud Communications Service, (c) 2020 Oracle
    CCS <version> install.pl @ <date> <time>
    ------------------------------------------------------
    Checking pre-conditions...
    OK.
    Proceed with install (y/n) :
  5. Type y.
    The system installs CCS in the /opt/oracle/ directory and displays a success message upon completion.
    Installing...
    Success.
  6. At the prompt, type /opt/oracle/ccs/perl/config.pl, press Enter, and specify each of the following attributes.
    # /opt/oracle/ccs/perl/config.pl
    -------------------------------------------------------------------------------
    Oracle Cloud Communications Service, (c) 2020 Oracle
    CCS <version> <build> config.pl @ <date> <time>
    -------------------------------------------------------------------------------
    Please specify each attribute...
    Host WAN FQDN             : host-wan-fqdn
    Host WAN IP address       : host-wan-IP
    Host LAN IP address       : host-lan-ip
    Identity Domain FQDN      : idcs-fqdn
    Identity Domain ID        : idcs-tenant-id
    OCSSC subscriber (y/n)    : y
    OCSSC FQDN                : ocssc-fqdn
    OCSSC Tenant ID           : occsc-tenantid
    OCSSC API Key             : ocssc-apikey
    OCSSC API Key Alternate   : ocssc-apialternate-key
    OCSSC CCS Client ID       : ocssc-idcs-clientid      
    OCSSC CCS Client Secret   : ocssc-idcs-clientsecret
    OSDMC subscriber (y/n)    : n
    Proceed with config (y/n) : y
    Generating local cfg.json...
    Success.
    # ls cfg.json
    cfg.json
    After you enter "n" for OSDMC subscriber, the system asks if you want to proceed with the configuration.
    Proceed with config (y/n) : 
  7. Type y, and press Enter.
    The system generates the cfg.json file.
    Generating local cfg.json...
    Success.
  8. At the prompt, type /opt/oracle/ccs/perl/activate.pl, and press Enter.
    The system verifies that an installed CCS exists.
    # /opt/oracle/ccs/perl/activate.pl
    -------------------------------------------------------------------------------
    Oracle Cloud Communications Service, (c) 2020 Oracle
    CCS <version> <build> activate.pl @ <date> <time>
    -------------------------------------------------------------------------------
    Checking pre-conditions...
    Ok.
    Please specify import path for each file...
    CCS JSON configuration              : ./cfg.json
    LAN /OAM server certificate         : ./lan-cert.pem
    LAN /OAM private key                : ./lan-key.pem
    LAN /OAM server signing certificate : ./lan-ca-cert.pem
    WAN server certificate              : 
    WAN server private key              : 
    Proceed with activate (y/n) : y
    Importing...
    Activating...
    Success.
  9. Specify the relative or absolute path to the locations for the following files. The following example uses a relative path to the required files. You can use a file name of your own choosing, but the certificate file names must match those from the Configure TLS Certificates for the Cloud Communication Service procedure. The path is relative to wherever you choose to execute the activate.pl script.

    Note:

    See the OCSSC Security and Privacy Guide for information about certificates and keys.
    The system asks if you want to proceed with the activation.
  10. Type: y.
    The system displays the status of the activation.
    Proceed with activate? y/n : y
    Importing...
    Activating...
    Success.
  11. (Optional) Use Docker to check your work.
    1. At the prompt type: docker image ls, and press Enter to list the CCS images. In the list, look for "ccs_image" and under TAG look for "latest", which is the newly activated installation. The following code block shows an example.
      # docker image ls
      REPOSITORY                                              TAG                     IMAGE ID       CREATED       SIZE
      example.com:7744/apps/cgbu/cgbu-osdmc/common/ccs-core   ccs-<version> <build>   74e9303190d3   12 hours ago  132MB
      
    2. At the prompt type: docker ps, and press Enter to list the running containers. In the list, under "IMAGE", look for "ccs-image" and look under STATUS for the newest one. The following code block shows an example.
      # docker ps
      CONTAINER ID    IMAGE         COMMAND                    CREATED       STATUS         PORTS      NAMES
      0fa66a7dc1bb    74e9303190d3  "ccs.exe --config /m..."   6 hours ago   Up 3 hours                ccs-1.0.0.38
Enable or Disable Mid-Call Updates

In some circumstances you might want the Oracle Communications Security Shield Cloud Service (OCSSC) to reassess calls and make mid-call updates to change the enforcement action, which might result in call termination. In other circumstances you might not want the OCSSC to make mid-call updates to avoid call termination. You can enable or disable mid-call updates by entering or omitting the WAN certificate and private key paths in the Cloud Communication Service (CCS) activate.pl script.

The following instructions assume that you have not manually configured a port other than 443 or 9000 for CCS, which are the respective default ports that CCS uses for enabling and disabling mid-call updates. When you configure a port other than 443 or 9000, CCS uses that port and allows mid-call updates regardless of the WAN server certificate and WAN server private key settings.

Note:

If you change the Cloud Communication Service (CCS) public IP address (WAN interface), it may take up to twenty four hours for mid-call updates to resume.

Enable or Disable Mid-Call Updates

In the CCS activate.pl script, do one of the following:
  • To enable mid-call updates, provide the path to the WAN certificate and private key you want to use.
  • To disable mid-call updates, do not provide any WAN certificate and private key information.

See "Scenarios for Enabling or Disabling Mid-Call Updates" in the OCSSC User's Guide.

Configure TLS Certificates for the OCSBC

The process for configuring a certificate on the Oracle Communications Session Border Controller (OCSBC) requires the following steps.

  1. Configure a certificate record on the SBC. See Configure a Certificate Record.
  2. Generate a certificate request by the SBC. See Generate a Certificate Request.
  3. Import the certificate into the SBC. See Import a Certificate Using SFTP or Import a Certificate Using the ACLI.
  4. Reboot the system.
Configure a Certificate Record

Use the certificate-record object to add a certificate record to the Oracle Communications Security Shield Cloud Service (OCSSC). The certificate record configuration represents either the end-entity or the Certificate Authority (CA) certificate on the OCSSC.

When you configure a certificate for the SBC, the name that you enter must be the same as the name that you use when you generate a certificate request. If you are configuring an end station's CA certificate for mutual authentication, the certificate name must be the same name used during the import procedure.

  • If this certificate record is used to present an end-entity certificate, associate a private key with this certificate record by using a certificate request.
  • If this certificate record is created to hold a CA certificate or certificate in PKCS12 format, a private key is not required.
  1. Access the certificate-record configuration element.
    ORACLE# configure terminal
    ORACLE(configure)# security
    ORACLE(security)# certificate-record
    ORACLE(certificate-record)# 
  2. Do the following:

    name—Enter the name of the certificate record. Required.

    country—Enter the name of the country. Default: U.S.

    state—Enter the name of the state for the country. Default: MA.

    locality—Enter the name of the locality for the state. Default: Burlington.

    organization—Enter the name of the organization holding the certificate. Default: Engineering.

    unit—Enter the name of the unit holding the certificate within the organization.

    common-name—Enter the common name for the certificate record.

    key-size—Enter the size of the key for the certificate. Default: 1024. Valid values: 512 | 2048 | 4096.

    alternate-name—Enter the alternate name of the certificate holder.

    key-usage-list—Enter the usage extensions you want to use with this certificate record. This parameter can be configured with multiple values, and it defaults to the combination of digitalSignature and keyEncipherment. For a list of possible values and their descriptions, see "Key Usage Control."

    extended-key-usage-list—Enter the extended key usage extensions you want to use with this certificate record. Default: serverAuth. For a list of possible values and their descriptions, see "Key Usage Control."

  3. Type done to save your configuration.

To verify a certificate record, see "Security" in the ACLI Configuration Guide.

Generate a Certificate Request

The ACLI generate-certificate-request <record-name> command generates a private key and a certificate request in PKCS10 PEM format.

Note:

You can only perform this task after you configure a certificate record.

The Oracle Communications Security Shield Cloud Service (OCSSC) stores the private key that is generated in the certificate record configuration in 3DES encrypted form with an internally generated password. The OCSSC displays the PKCS10 request in PEM (Base64) form.

You use this command for certificate record configurations that hold end-entity certificates. If you have configured the certificate record to hold a CA certificate, then you do not need to generate a certificate request because the CA publishes its certificate in the public domain. You import a CA certificate by using the ACLI import-certificate <certificate-record-name> command.

The generate-certificate-request command produces the information that the CA needs to generate the certificate, but the OCSSC itself has no Internet connectivity to reach the CA. You can submit the request to the CA through a browser such as Internet Explorer if one is available, or you can save the certificate request to a disk and then submit it to the CA.

To run the applicable command, you must use the value you entered in the name parameter of the certificate record configuration. You run the command from the main Superuser mode command line, and then save and activate the configuration.

ACMEPACKET# security certificate request acmepacket
Generating Certificate Signing Request. This can take several minutes....

-----BEGIN CERTIFICATE REQUEST-----
MIIB2jCCAUMCAQAwYTELMAkGA1UEBhMCdXMxCzAJBgNVBAgTAk1BMRMwEQYDVQQH
EwpCdXJsaW5ndG9uMRQwEgYDVQQKEwtFbmdpbmVlcmluZzEMMAoGA1UECxMDYWJj
MQwwCgYDVQQDEwNhYmMwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBALOMLHo8
/qIOddIDVuqot0Y72l/BfH8lolRKmhZQ4e7sS+zZHzbG8phzmzhfOSECnZiA2bEo
f+Nti7e7Uof4lLwiYl9fvhURfzhENOKThAPKPiJCzBBglTITHTYal00Cq2fj5A8B
ZcuAHj7Vp5wP2zpz6EUTFpqTDMLVdwJGJrElAgMBAAGgOTAMBgNVHRExBRMDZGVm
MCkGA1UdDzEiEyBkaWdpdGFsU2lnbmF0dXJlLGtleUVuY2lwaGVybWVudDANBgkq
hkiG9w0BAQUFAAOBgQAtel4ZSLI8gqgMzodbYwgUHUGqTGeDzQDhJV5fKUXWeMFz
JsTmWn5Gy/kR4+Nq274G14fnk00fTAfMtgQ5aL3gM43TqaPOTZjJ6qgwuRKhoBPI
7hkovkgAxHge7wClghiAp/ELdl7tQ515k04BMd5f/fxG7nNiu8iEg7PO0OIBgg==
-----END CERTIFICATE REQUEST-----
WARNING: Configuration changed, run "save-config" command.
ACMEPACKET# save config
copying file /code/config/dataDoc.gz -> /code/config/dataDoc_3.gz
copying file /code/config/tmp/editing/dataDoc.gz -> /code/config/dataDoc.gz
Save complete
ACMEPACKET# activate config
activate complete
Import a Certificate Using the ACLI

For an end-entity certificate, after a certificate is generated using the ACLI security certificate request command, submit the request to a CA for generation of a certificate in PKCS7 or X509v3 format. When the certificate has been generated, you can import it into the Oracle Communications Security Shield Cloud Service (OCSSC) using the security certificate import command.

The syntax is:

ACMEPACKET# security certificate import [try-all | pkcs7 | pkcs12 | x509] [certificate-record file-name]

To import a certificate:

  1. When you use the import-certificate <certificate-record-name> command, you can specify whether you want to use PKCS7, PKCS12, X509v3 format, or try all. In the command line, you enter the command, the format specification, and the name of the certificate record. The OCSSC prompts you to enter the certificate in PEM format. Paste the certificate in the ACLI. For example:
    ACMEPACKET# security certificate import try-all acmepacket
    The following displays:
    Please enter the certificate in the PEM format.
    Terminate the certificate with ";" to exit.......
    -----BEGIN CERTIFICATE-----
    MIIDHzCCAoigAwIBAgIIAhMCUACEAHEwDQYJKoZIhvcNAQEFBQAwcDELMAkGA1UE
    BhMCVVMxEzARBgNVBAgTCkNhbGlmb3JuaWExETAPBgNVBAcTCFNhbiBKb3NlMQ4w
    DAYDVQQKEwVzaXBpdDEpMCcGA1UECxMgU2lwaXQgVGVzdCBDZXJ0aWZpY2F0ZSBB
    dXRob3JpdHkwHhcNMDUwNDEzMjEzNzQzWhcNMDgwNDEyMjEzNzQzWjBUMQswCQYD
    VQQGEwJVUzELMAkGA1UECBMCTUExEzARBgNVBAcTCkJ1cmxpbmd0b24xFDASBgNV
    BAoTC0VuZ2luZWVyaW5nMQ0wCwYDVQQDEwRhY21lMIGfMA0GCSqGSIb3DQEBAQUA
    A4GNADCBiQKBgQCXjIeOyFKAUB3rKkKK/+59LT+rlGuW7Lgc1V6+hfTSr0co+ZsQ
    bHFUWAA15qXUUBTLJG13QN5VfG96f7gGAbWayfOS9Uymold3JPCUDoGgb2E7m8iu
    vtq7gwjSeKNXAw/y7yWy/c04FmUD2U0pZX0CNIR3Mns5OAxQmq0bNYDhawIDAQAB
    o4HdMIHaMBEGA1UdEQQKMAiCBnBrdW1hcjAJBgNVHRMEAjAAMB0GA1UdDgQWBBTG
    tpodxa6Kmmn04L3Kg62t8BZJHTCBmgYDVR0jBIGSMIGPgBRrRhcU6pR2JYBUbhNU
    2qHjVBShtqF0pHIwcDELMAkGA1UEBhMCVVMxEzARBgNVBAgTCkNhbGlmb3JuaWEx
    ETAPBgNVBAcTCFNhbiBKb3NlMQ4wDAYDVQQKEwVzaXBpdDEpMCcGA1UECxMgU2lw
    aXQgVGVzdCBDZXJ0aWZpY2F0ZSBBdXRob3JpdHmCAQAwDQYJKoZIhvcNAQEFBQAD
    gYEAbEs8nUCi+cA2hC/lM49Sitvh8QmpL81KONApsoC4Em24L+DZwz3uInoWjbjJ
    QhefcUfteNYkbuMH7LAK0hnDPvW+St4rQGVK6LJhZj7/yeLXmYWIPUY3Ux4OGVrd
    2UgV/B2SOqH9Nf+FQ+mNZOlL7EuF4IxSz9/69LuYlXqKsG4=
    -----END CERTIFICATE-----;
    Certificate imported successfully....
    WARNING: Configuration changed, run "save-config" command.
  2. Enter save-config to save the configuration.
    ACMEPACKET# save-config
    copying file /code/config/dataDoc.gz -> /code/config/dataDoc_3.gz
    copying file /code/config/tmp/editing/dataDoc.gz -> /code/config/dataDoc.gz
    Save complete
  3. Enter activate-config to activate as the current configuration.
    ACMEPACKET# activate-config
    activate complete

    Note:

    For importing a certificate using SFTP, see the Security section of the ACLI Configuration Guide for your OCSSC model.
Import a Certificate Using SFTP

You can put the certificate file in the directory /ramdrv and execute the import-certificate command, or you can paste the certificate in PEM/Base64 format into the ACLI. If you paste the certificate, you may have to copy and paste it a portion at a time, rather than pasting the whole certificate at once.

  1. SFTP the certificate file to the Oracle Communications Security Shield Cloud Service (OCSSC) (directory /ramdrv). For the following example, suppose the name of the certificate file is cert.pem.
  2. When the certificate is successfully transferred to the OCSSC, run the import-certificate command.

    The syntax is:

    ACMEPACKET# import-certificate [try-all|pkcs7|x509] [certificate-record file-name]

    Example results:

    ACMEPACKET# import-certificate try-all acme cert.pem
    Certificate imported successfully....
    WARNING: Configuration changed, run "save-config" command.
  3. Save the configuration.
    ACMEPACKET# save-config
    Save-Config received, processing.
    waiting 1200 for request to finish
    Request to 'SAVE-CONFIG' has Finished,
    Save complete
    Currently active and saved configurations do not match!
    To sync & activate, run 'activate-config' or 'reboot activate'.
  4. Synchronize and activate the configurations.
    ACMEPACKET# activate-config
    Activate-Config received, processing.
    waiting 120000 for request to finish
    Add LI Flows
    LiSysClientMgr::handleNotifyReq
    H323 Active Stack Cnt:  0
    Request to 'ACTIVATE-CONFIG' has Finished,
    Activate Complete
    ACMEPACKET#

Configure the Session Border Controller for the OCSSC Service

To complete the Oracle Communications Security Shield Cloud Service (OCSSC) installation, set the following security parameters and SPL options on the Session Border Controller (SBC) for communications between the SBC and the OCSSC components.

Prerequisites
  • Create the TLS profile that you want to use for the OCSSC HTTP client and server. See "Configure a TLS Profile" in the ACLI Configuration Guide.
  • Create the authentication profile that you want to use for the OCSSC HTTP client and server. See the "Security" chapter in the ACLI Configuration Guide.
  • Install the OCSSC SPL plug-in, which is included in the CCS download package. See Add the OCSS SPL Plug-in.

Procedure

  1. Go to Configuration on the SBC.
  2. Go to System, HTTP Client, and set the following parameters.
  3. Go to System, HTTP Server, and set the following parameters.
  4. Go to Security, Authentication Profile, and set the following parameters.
  5. Go to Media Manager, Realm Config, SPL Options, and add ocssEnabled to enable the OCSSC service in the security lookups for each realm that you want to use the OCSSC service.
  6. Under Session Router, SIP Config, SPL Options, enter the ocss-service-address for each CCS instance (up to three), each enclosed in curly brackets. Note: {ipAddr1:port1; httpClientConfigName} can repeat up to a total of three times for three different CCSes with different IP:port values and, optionally, different HTTP client names (you can use the same client for all three CCSes).
    The SPL option syntax:
    ocss-server-config=httpServerConfigName,ocss-service-address={ipAddr1:port1;httpClientConfigName}{ipAddr2:port2;httpClientConfigName}{ipAddr3:port3;httpClientConfigName3}
    Configured example:
    ocss-service-address={192.168.100.105:8060;httpClientConf}{192.168.100.106:8050;httpClientConf}{192.168.100.107:8000;httpClientConf2},ocss-server-config=httpServerConf
Next steps
  • Log on to the OCSSC Dashboard and customize the threat protection settings. See "Customize the OCSS Autonomous Threat Protection Settings" in the OCSSC User's Guide.
  • Log on to the OCSSC Dashboard and create managed phone number lists. See "Add Phone Numbers to Policy Rules" in the OCSSC User's Guide.
Support for On-Premises Resilience and High Availability

You can configure the Session Border Controller (SBC) to connect to as many as three Cloud Communication Service (CCS) instances simultaneously to provide resilience and continuity of service when one or more CCS instances stops responding or the SBC loses connectivity to CCS or the Oracle Communications Security Shield Cloud Service.

To configure connections to the CCS, you must specify the ocss-service-address for the CCS instances you want connected to the SBC. From either the ACLI or the Web GUI, go to Configuration, Session Router, sip-config, spl-options. In the spl-options field, enter the ocss-service-address for each CCS instance.

You can configure an HTTPS Client for each instance, which allows you to use different clients for connectivity with each CCS including specific certificates for each CCS.

The following example shows the configuration for supporting three CCS instances, where each instance is enclosed in curly brackets. In the first entry, 192.168.100.105 is the CCS LAN-side IP address and 8060 is the port that the Session Border Controller will try to connect to, using the HTTP client configuration "httpClientConf".
ocss-service-address={192.168.100.105:8060;httpClientConf}{192.168.100.106:8050;httpClientConf}{192.168.100.107:8000;httpClientConf2},ocss-server-config=httpServerConf
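The ocss-service-address format described in step 6 of "Configure the Session Border Controller for the OCSSC Service" and again above, as an added shell/awk validator that is not Oracle's code: it checks an spl-options string against the rules the page states (each CCS entry is {ipAddr:port;httpClientConfigName}, at most three entries, a usable TCP port) before the string is pasted into sip-config, and prints the parsed entries. The function name and exit codes are this example's own choices.

```shell
#!/bin/sh
# Added example, not Oracle's code: validate and parse the OCSSC SPL option
# string for sip-config spl-options.
#
# parse_spl_options SPL_STRING
#   prints: ccs <ip> <port> <httpClientConfigName>   one line per CCS, in order
#           server <httpServerConfigName>             if ocss-server-config is set
#   exit:   0 ok, 2 malformed {ip:port;client} group, 3 more than three CCSes,
#           4 port outside 1-65535, 5 ocss-service-address missing,
#           6 not a dotted-quad IPv4 address
parse_spl_options() {
  printf '%s\n' "$1" | awk '
    {
      gsub(/ /, "")            # tolerate "port1; httpClientConfigName" spacing
      n = split($0, opts, ",")
      found = 0; server = ""
      for (i = 1; i <= n; i++) {
        if (opts[i] ~ /^ocss-server-config=/) {
          server = substr(opts[i], index(opts[i], "=") + 1)
        } else if (opts[i] ~ /^ocss-service-address=/) {
          found = 1
          val = substr(opts[i], index(opts[i], "=") + 1)
          # the whole value must be one or more {ip:port;client} groups
          if (val !~ /^(\{[^{};:]+:[0-9]+;[^{};:]+\})+$/) exit 2
          cnt = 0
          while (match(val, /\{[^}]*\}/)) {
            grp = substr(val, RSTART + 1, RLENGTH - 2)
            val = substr(val, RSTART + RLENGTH)
            if (++cnt > 3) exit 3            # the SBC supports up to three CCSes
            split(grp, hp, ";"); split(hp[1], ap, ":")
            if (ap[1] !~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) exit 6
            split(ap[1], oct, ".")
            for (j = 1; j <= 4; j++) if (oct[j] + 0 > 255) exit 6
            if (ap[2] + 0 < 1 || ap[2] + 0 > 65535) exit 4
            print "ccs", ap[1], ap[2], hp[2]
          }
        }
      }
      if (!found) exit 5
      if (server != "") print "server", server
    }'
}
```

Run `parse_spl_options '<your spl-options value>'` and check the exit status; a non-zero status tells you which rule the string breaks before the SBC rejects it or silently ignores an entry.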