Configuring HDR via the ACLI

Enabling HDR Collection

You access the parameters that enable and support HDR using the ACLI system-config path.

To enable HDR collection:

In Superuser mode, type configure terminal and press Enter.
```
ORACLE# configure terminal
```

Type system and press Enter.

ORACLE(configure)# system
ORACLE(system)#

Type system-config and press Enter.

ORACLE(system)# system-config
ORACLE(system-config)#

Enter collect and press Enter. From here, you can type a question mark (?) to see individual parameters for the configuration.
```
ORACLE(system-config)# collect
ORACLE(collect)#
```

Setting Global Collection

You access the collection configuration through the ACLI system-configuration menu. Once in the collection configuration, you can establish the global settings for HDR collection.

To set HDR global collection:

In Superuser mode, navigate to the collect parameter level in the ACLI.

ORACLE# configure terminal
ORACLE(configure)# system
ORACLE(system)# system-config
ORACLE(system-config)# collect
ORACLE(collect)#

Set global collection parameters as applicable. Parameters include:
- sample-interval—Enter the time in minutes for how often you want the OCSBC to sample data records. The default is 5. The valid range is:
  - Minimum—1
  - Maximum—120
- push-interval—Enter the time in minutes for how often you want the OCSBC to send collected records to push receiver(s). The default is 15. The valid range is:
  - Minimum—1
  - Maximum—120
- boot-state—Set this parameter to enabled to start group collection, or to disabled to prevent the OCSBC from collecting HDR statistics. This parameter does not go into effect until the system is rebooted. You can also use the ACLI request collect start command to start collection; using this command, you can start collection for all groups, or for one specified group. The default is disabled. Valid values are:
  - enabled | disabled
- start-time—Enter the exact date and time (for your local timezone) when you want the OCSBC to start HDR collection. You can enter now to set the start-time to the current time, or you can specify a time in the future. If you specify a time, it must be in the format yyyy-mm-dd-hh:mm:ss, where: yyyy is the year, mm is the month, dd is the day, hh in the hour, mm is the minutes, and ss is the second (24-hour clock). The default is now.
- end-time—Enter the exact date and time (for your local timezone) when you want the OCSBC to finish HDR collection. You can enter never to set the time to never end, or you can specify an end time in the future. If you specify a time, it must be in the format yyyy-mm-dd-hh:mm:ss, where: yyyy is the year, mm is the month, dd is the day, hh in the hour, mm is the minutes, and ss is the second (24-hour clock). The default is never.
- push-success-trap-state—Set this parameter to enabled if you want the OCSBC to send a trap confirming successful data pushes to HDR servers. Default is disabled. Valid values are:
  - enabled | disabled

Setting HDR for an HA Node

If you are using the HDR feature on a High Availability (HA) node (or redundant pair of OCSBCs), several parameters in the collection configuration must be set for HDR to perform properly.

Oracle recommends strongly that you do not change these parameters from their defaults for a normal HA node configuration. Therefore, if you need to change them to support HDR, you should do so with caution.

To set HDR support across an HA node:

In Superuser mode, navigate to the collect parameter level in the ACLI.

ORACLE# configure terminal
ORACLE(configure)# system
ORACLE(system)# system-config
ORACLE(system-config)# collect
ORACLE(collect)#

Set HDR collection parameters for an HA node as applicable. Parameters include:
- red-collect-state—The Red-collect-state parameter enables the HDR data files to be replicated from the Active to the standby. This functionality ensures no data loss in case the HDR files are not pushed off of the Active before a failover. The data that is pushed to the Standby is generated on the Active SBC and reflects the Active's operating state .
  
  Set the state of HA support for the collector function. The default is disabled. Valid values are:
  - enabled | disabled
  Note:
  Changing the red-collect-state setting does not take effect until SBC is rebooted. This parameter is not RTC supported.
- red-max-trans—Enter the maximum number of HA synchronized transactions to maintain on the active system in the HA node. The default is 1000. The valid range is:
  - Minimum—0
  - Maximum—999999999
- red-sync-start-time—Enter the amount of time, in milliseconds, that the active OCSBC checks to confirm that it is still the active system in the HA node. If the active system is still adequately healthy, this timer resets itself. If for any reason the active has become the standby, it starts to checkpoint with the newly active system when this timer expires. The default is 5000. The valid range is:
  - Minimum—0
  - Maximum—999999999
- red-sync-comp-time—Enter amount of time, in milliseconds, that determines how frequently after synchronization the standby OCSBC checkpoints with the active OCSBC. The first interval occurs after initial synchronizations of the systems; this is the timeout for subsequent synchronization requests. The default is 1000. The valid range is:
  - Minimum—0
  - Maximum—999999999

Setting Multiple Collection Groups

You can configure the OCSBC to collect multiple groups of statistics. Collection group settings are accessible through the collection configuration. For specific group names, group statistics, and values, see HDR Groups and Group Statistics.

The sample-interval, start-time, and end-time parameters that you set for multiple collection groups override the same parameters set for global collection.

Note:

For multiple collection groups, the sample-interval value must always be smaller than the global collection parameter value for push-interval.

To set multiple collection groups:

Access the group-settings configuration element.

ORACLE# configure terminal
ORACLE(configure)# system
ORACLE(system)# system-config
ORACLE(system-config)# collect
ORACLE(collect)#group-settings
ORACLE(group-settings)#

group-name—Enter the group name corresponding to the records that you want to collect; there are 25 possible groups for which the OCSBC can collect data. The system group name is the default for this parameter. For additional group names, see HDR Groups and Group Statistics.
sample-interval—Enter the time in minutes for how often you want the OCSBC to sample data records for the specified group. The default is 5. The valid range is:
- Minimum—1
- Maximum—120
boot-state—Set this parameter to enabled to start group collection, or to disabled to prevent the OCSBC from collecting HDR statistics for this group. This parameter does not go into effect until the system is rebooted. You can also use the ACLI request collect start command to start collection; using this command, you can start collection for all groups, or for one specified group. The default is disabled. Valid values are:
- enabled | disabled
start-time—Enter the exact date and time (for your local timezone) when you want the OCSBC to start collecting records for this group. You can enter now to set the start-time to the current time, or you can specify a time in the future. If you specify a time, it must be in the format yyyy-mm-dd-hh:mm:ss, where: yyyy is the year, mm is the month, dd is the day, hh in the hour, mm is the minutes, and ss is the second (24-hour clock). The default is now.
end-time—Enter the exact date and time (for your local timezone) when you want the OCSBC to stop collecting records for this group. You can enter never to set the time to never end, or you can specify an end time in the future. If you specify a time, it must be in the format yyyy-mm-dd-hh:mm:ss, where: yyyy is the year, mm is the month, dd is the day, hh in the hour, mm is the minutes, and ss is the second (24-hour clock). The default is never.
Type done to save your configuration.

Setting Servers as Push Receivers

You can configure multiple push receivers that represent FTP or SFTP destination servers for which the OCSBC pushes records. Push receiver settings are accessible through the collection configuration.

If you configure more than one server, the OCSBC sends data to all of the servers. If one server fails, the OCSBC generates an SNMP trap. The OCSBC makes 3 attempts to send data to the failed server. If the server cannot receive the data, the OCSBC clears the data for that server. For example, if there are four servers configured, and the OCSBC successfully pushes data to three of them, the OCSBC generates a trap indicating the fourth server is down and after 3 attempts to send the data, the data is cleared.

To set servers as push receivers:

In Superuser mode, navigate to the collect parameter level in the ACLI.

ORACLE# configure terminal
ORACLE(configure)# system
ORACLE(system)# system-config
ORACLE(system-config)# collect
ORACLE(collect)#

Access the push receiver (push-receiver) parameters.
```
ORACLE(collect)# push-receiver
ORACLE(push-receiver)#
```
- address—Enter the IP address of the push receiver (server) to which you want records sent. The default for this parameter is 0.0.0.0.
- username—Enter the username that the OCSBC uses when it tries to send records to this push server using FTP. There is no default for this parameter.
- password—Enter the password (corresponding to the username) that the OCSBC uses when it sends records to this push server using FTP. There is no default for this parameter. Enter this password parameter using the following procedure:
  - Type the parameter name password, and then press Enter.
```
ORACLE(push-receiver)# password
```
  - Enter the password that the OCSBC uses to send records to the push server. The display does not echo the password you enter.
```
Enter password: [enter the password]
```
  - Enter the password again to confirm that you entered the password correctly. If the passwords match, the user prompt displays to continue the push server configuration.
```
Enter password again: [enter the password again]
ORACLE(push-receiver)#
```
    If the passwords do not match, an error message displays. Repeat Steps a through c to set the password.
```
Error:  Password mismatch - aborted.
ORACLE(push-receiver)#
```
- data-store—Enter the directory on the push receiver where you want collected data placed. There is no default for this parameter.
- protocol—Set this parameter to the protocol with which to send HDR collection record files. Default is FTP. Valid values are:
  - FTP | SFTP
Note:
Public key authentication is not available when you choose SFTP. Instead, the OCSBC uses password authentication. However, for SFTP to work, it is still required that you load the SFTP’s host public key on the OCSBC.

Creating a Public Key Profile

The Secure Shell (SSH) and related Secure Shell File Transfer (SFTP) protocols provide for the secure transfer of audit files and for the secure transfer of management traffic across the wancom0 interface. When using password or public key authentication with push receiver configurations, use the procedures described below to create your profiles.

Create your profile by configuring:

SSH Properties
Import an SSH Host Key
Create the public key profile

The following two tasks are required for public key authentication mode only.

Generate an SSH Key Pair
Copy the OCSBC public key to the SFTP server

After the above, you can use this profile within the context of your FTP push configuration.

SSH Operations

SSH Version 2.0, the only version supported on the OCSBC, is defined by a series of five RFCs.

RFC 4250, The Secure Shell (SSH) Protocol Assigned Numbers
RFC 4251, The Secure Shell (SSH) Protocol Architecture
RFC 4252, The Secure Shell (SSH) Authentication Protocol
RFC 4253, The Secure Shell (SSH) Transport Layer Protocol
RFC 4254, The Secure Shell (SSH) Connection Protocol

RFCs 4252 and 4253 are most relevant to OCSBC operations.

The transport layer protocol (RFC 4253) provides algorithm negotiation and key exchange. The key exchange includes server authentication and results in a cryptographically secured connection that provides integrity, confidentiality and optional compression. Forward security is provided through a Diffie-Hellman key agreement. This key agreement results in a shared session key. The rest of the session is encrypted using a symmetric cipher, currently 128-bitAES, Blowfish, 3DES, CAST128, Arcfour, 192-bit AES, or 256-bit AES. The client selects the encryption algorithm to use from those offered by the server. Additionally, session integrity is provided through a crypto-graphic message authentication code (hmac-md5, hmac-sha1, umac-64 or hmac-ripemd160).

The authentication protocol (RFC 4252) uses this secure connection provided and supported by the transport layer. It provides several mechanisms for user authentication. Two modes are supported by the OCSBC: traditional password authentication and public-key authentication.

ACLI Instructions and Examples

This section provides ACLI procedures for SFTP push configurations, including SSH property configuration, certificate import, and public key profile configuration on your OCSBC.

Configuring SSH Properties

The single instance ssh-config configuration element specifies SSH re-keying thresholds.

From admin mode, use the following command path to access the ssh configuration element:

ORACLE# configure terminal
ORACLE(configure)# security
ORACLE(security)# admin-security
ORACLE(admin-security)# ssh-config
ORACLE(ssh-config)#

ssh configuration element properties are shown below with their default values

rekey-interval        60 
rekey-byte-count      31

rekey-interval—specifies the maximum allowed interval, in minutes, between SSH key negotiations
Allowable values are integers within the range 60 through 600, with a default of 60 (minutes). Shorter lifetimes provide more secure connections.

Works in conjunction with rekey-byte-count, which sets a packet-based threshold, to trigger an SSH renegotiation. If either trigger is activated, an SSH renegotiation is begun.

Retain the default value, or specify a new value.
```
ORACLE(ssh-config)# rekey-interval 20
ORACLE(ssh-config) 
```
rekey-byte-count—specifies the maximum allowed send and receive packet count, in powers of 2, between SSH key negotiations
Allowable values are integers within the range 20 (1,048,576 packets) through 31 (2,147,483,648 packets), with a default of 31 (2^31). Smaller packet counts provide more secure connections.

Works in conjunction with rekey-interval, which sets a time-based threshold, to trigger an SSH renegotiation. If either trigger is activated, an SSH renegotiation is begun.

Retain the default value, or specify a new value.
```
ORACLE(ssh-config)# rekey-packet-count 24
ORACLE(ssh-config) 
```
A sample SSH configuration appears below:
```
ORACLE(ssh-config)# rekey-interval 20 
ORACLE(ssh-config)# done 
ORACLE(ssh-config)# exit 
ORACLE(admin-security)# 
```
Specifies a key renegotiation every 20 minutes, or at the reception/transmission of 2,147,483,648 packets, whichever comes first.

Import an SSH host Key

Importing a host key requires access to the SFTP server or servers which receive audit log transfers. Access is generally most easily accomplished with a terminal emulation program such as PuTTY, SecureCRT, or TeraTerm.

Use a terminal emulation program to access the SSH file system on a configured SFTP server.
Copy the server’s base64 encoded public file making sure in include the Begin and End markers as specified by RFC 4716, The Secure Shell (SSH) Public Key File Format.

For OpenSSH implementations host files are generally found at /etc/ssh/ssh_host_dsa_key.pub, or /etc/ssh/sss_host_rsa.pub. Other SSH implementations can differ.
From admin mode use the ssh-pub-key command to import the host key to the OCSBC.
For importing a host key, this command takes the format:
```
ssh-pub-key import known-host <name>
```
where name is an alias or handle assigned to the imported host key, generally the server name or a description of the server function.
```
ORACLE# ssh-pub-key import known-host fedallah

IMPORTANT:
Please paste ssh public key in the format defined in rfc4716.
Terminate the key with ";" to exit.......
```
Paste the public key with the bracketing Begin and End markers at the cursor point.
Enter a semi-colon (;) to signal the end of the imported host key.

Follow directions to save and activate the configuration.

The entire import sequence is shown below.

ORACLE# ssh-pub-key import known-host fedallah

IMPORTANT:
    Please paste ssh public key in the format defined in rfc4716.
    Terminate the key with ";" to exit.......

---- BEGIN SSH2 PUBLIC KEY ----
Comment: "2048-bit RSA, converted from OpenSSH by klee@acme54"
AAAAB3NzaC1yc2EAAAABIwAAAQEA7OBf08jJe7MSMgerjDTgZpbPblrX4n17LQJgPC7clL
cDGEtKSiVt5MjcSav3v6AEN2pYZihOxd2Zzismpoo019kkJ56s/IjGstEzqXMKHKUr9mBV
qvqIEOTqbowEi5sz2AP31GUjQTCKZRF1XOQx8A44vHZCum93/jfNRsnWQ1mhHmaZMmT2LS
hOr4J/Nlp+vpsvpdrolV6Ftz5eiVfgocxrDrjNcVtsAMyLBpDdL6e9XebQzGSS92TPuKP/
yqzLJ2G5NVFhxdw5i+FvdHz1vBdvB505y2QPj/iz1u3TA/3O7tyntBOb7beDyIrg64Azc8
G7E3AGiH49LnBtlQf/aw==
---- END SSH2 PUBLIC KEY ----
;
SSH public key imported successfully....
WARNING: Configuration changed, run "save-config" command to save it
and run "activate-config" to activate the changes
ORACLE# save-config
checking configuration
---------------------------------------------------------------------
...
...
...
---------------------------------------------------------------------
Save-Config received, processing.
waiting for request to finish
Request to 'SAVE-CONFIG' has Finished,
Save complete
Currently active and saved configurations do not match!
To sync & activate, run 'activate-config' or 'reboot activate'.
ORACLE# activate-config
Activate-Config received, processing.
waiting for request to finish
SD is not QOS-capable
Request to 'ACTIVATE-CONFIG' has Finished,
Activate Complete
ORACLE#

It is important to note that it is often difficult to determine whether the server is using RSA or DSA keys for your application. Unless you can definitively determine this, bear in mind that you need to try importing both.

View a Public key on the OCSBC

You can use the show security ssh-pub-key command to display information about SSH keys imported to the OCSBC with the ssh-pub-key command; you cannot display information about keys generated by the ssh-pub-key command.

ORACLE# show security ssh-pub-key brief
login-name:
	acme74
finger-print:
	51:2f:f1:dd:79:9e:64:85:6f:22:3d:fe:99:1f:c8:21
finger-print-raw:
	0a:ba:d8:ef:bb:b4:41:d0:dd:42:b0:6f:6b:50:97:31

login-name:
	fedallah
finger-print:
	c4:a0:eb:79:5b:19:01:f1:9c:50:b3:6a:6a:7c:63:d5
finger-print-raw:
	ac:27:58:14:a9:7e:83:fd:61:c0:5c:c8:ef:78:e0:9c
ORACLE#

This command displays summary information for all SSH imported keys.

login-name: contains the name assigned to the RSA or DSA public key when it was first imported.
finger-print: contains the output of an MD5 hash computed across the base64-encoded public key.
finger-print-raw: contains the output of an MD5 hash computed across the binary form of the public key

ORACLE# show security ssh-pub-key brief fedallah 
login-name: 
	fedallah 
finger-print: 
	c4:a0:eb:79:5b:19:01:f1:9c:50:b3:6a:6a:7c:63:d5 
finger-print-raw: 
	ac:27:58:14:a9:7e:83:fd:61:c0:5c:c8:ef:78:e0:9c 
ORACLE#

This command displays summary information for a specific SSH public key (in this case fedallah).

ORACLE# show security ssh-pub-key detail fedallah 
host-name: 
	fedallah 
comment: 
	"2048-bit RSA, converted from OpenSSH by klee@acme54" 
finger-print: 
	c4:a0:eb:79:5b:19:01:f1:9c:50:b3:6a:6a:7c:63:d5 
finger-print-raw: 
	ac:27:58:14:a9:7e:83:fd:61:c0:5c:c8:ef:78:e0:9c 
pub-key: 

AAAAB3NzaC1yc2EAAAABIwAAAQEA7OBf08jJe7MSMgerjDTgZpbPblrX4n17LQJgPC7clLcDGEtKSiVt5MjcSav3v6AEN2pYZihOxd2Zzismpoo019kkJ56s/IjGstEzqXMKHKUr9mBVqvqIEOTqbowEi5sz2AP31GUjQTCKZRF1XOQx8A44vHZCum93/jfNRsnWQ1mhHmaZMmT2LShOr4J/Nlp+vpsvpdrolV6Ftz5eiVfgocxrDrjNcVtsAMyLBpDdL6e9XebQzGSS92TPuKP/yqzLJ2G5NVFhxdw5i+FvdHz1vBdvB505y2QPj/iz1u3TA/3O7tyntBOb7beDyIrg64Azc8G7E3AGiH49LnBtlQf/aw== 

modulus: (256) 
ECE05FD3C8C97BB3123207AB8C34E06696CF6E5AD7E27D7B2D02603C2EDC94B703184B4A4A256DE4C8DC49ABF7BFA004376A5866284EC5DD99CE2B26A68A34D7D924279EACFC88C6B2D133A9730A1CA52BF66055AAFA8810E4EA6E8C048B9B33D803F7D4652341308A6511755CE431F00E38BC7642BA6F77FE37CD46C9D64359A11E66993264F62D284EAF827F365A7EBE9B2FA5DAE8955E85B73E5E8957E0A1CC6B0EB8CD715B6C00CC8B0690DD2FA7BD5DE6D0CC6492F764CFB8A3FFCAACCB2761B9355161C5DC398BE16F747CF5BC176F079D39CB640F8FF8B3D6EDD303FDCEEEDCA7B4139BEDB783C88AE0EB803373C1BB137006887E3D2E706D9507FF6B 
exponent: (1) 
23 
ORACLE#

This command displays detailed information for specific SSH public key (in this case fedallah, an RSA key).

host-name: contains the name assigned to the RSA key when it was first imported
finger-print: contains the output of an MD5 hash computed across the base64-encoded RSA public key
finger-print-raw: contains the output of an MD5 hash computed across the binary form of the RSA public key
public key: contains the base64-encoded RSA key
modulus: contains the hexadecimal modulus (256) of the RSA key
exponent: (also known as public exponent or encryption exponent) contains an integer value that is used during the RSA key generation algorithm. Commonly used values are 17 and 65537. A prime exponent greater than 2 is generally used for more efficient key generation.

ORACLE# show security ssh-pub-key detail acme74 
host-name: 
	acme74 
comment: 
	DSA Public Key 
finger-print: 
	51:2f:f1:dd:79:9e:64:85:6f:22:3d:fe:99:1f:c8:21 
finger-print-raw: 
	0a:ba:d8:ef:bb:b4:41:d0:dd:42:b0:6f:6b:50:97:31 
pub-key: 

AAAAB3NzaC1kc3MAAACBAPY8ZOHY2yFSJA6XYC9HRwNHxaehvx5wOJ0rzZdzoSOXxbETW6ToHv8D1UJ/z+zHo9Fiko5XybZnDIaBDHtblQ+Yp7StxyltHnXF1YLfKD1G4T6JYrdHYI14Om1eg9e4NnCRleaqoZPF3UGfZia6bXrGTQf3gJq2e7Yisk/gF+1VAAAAFQDb8D5cvwHWTZDPfX0D2s9Rd7NBvQAAAIEAlN92+Bb7D4KLYk3IwRbXblwXdkPggA4pfdtW9vGfJ0/RHd+NjB4eo1D+0dix6tXwYGN7PKS5R/FXPNwxHPapcj9uL1Jn2AWQ2dsknf+i/FAAvioUPkmdMc0zuWoSOEsSNhVDtX3WdvVcGcBq9cetzrtOKWOocJmJ80qadxTRHtUAAACBAN7CY+KKv1gHpRzFwdQm7HK9bb1LAo2KwaoXnadFgeptNBQeSXG1vO+JsvphVMBJc9HSn24VYtYtsMu74qXviYjziVucWKjjKEb11juqnF0GDlB3VVmxHLmxnAz643WK42Z7dLM5sY29ouezv4Xz2PuMch5VGPP+CDqzCM4loWgV 

p: (128) 
F63C64E1D8DB2152240E97602F47470347C5A7A1BF1E70389D2BCD9773A12397C5B1135BA4E81EFF03D5427FCFECC7A3D162928E57C9B6670C86810C7B5B950F98A7B4ADC7296D1E75C5D582DF283D46E13E8962B747608D783A6D5E83D7B836709195E6AAA193C5DD419F6626BA6D7AC64D07F7809AB67BB622B24FE017ED55 

q: (20) 
DBF03E5CBF01D64D90CF7D7D03DACF5177B341BD 

g: (128) 
94DF76F816FB0F828B624DC8C116D76E5C177643E0800E297DDB56F6F19F274FD11DDF8D8C1E1EA350FED1D8B1EAD5F060637B3CA4B947F1573CDC311CF6A9723F6E2F5267D80590D9DB249DFFA2FC5000BE2A143E499D31CD33B96A12384B12361543B57DD676F55C19C06AF5C7ADCEBB4E2963A8709989F34A9A7714D11ED5 

pub_key: (128) 
DEC263E28ABF5807A51CC5C1D426EC72BD6DBD4B028D8AC1AA179DA74581EA6D34141E4971B5BCEF89B2FA6154C04973D1D29F6E1562D62DB0CBBBE2A5EF8988F3895B9C58A8E32846F5D63BAA9C5D060E50775559B11CB9B19C0CFAE3758AE3667B74B339B18DBDA2E7B3BF85F3D8FB8C721E5518F3FE083AB308CE25A16815 
ORACLE#

This command displays detailed information for specific SSH public key (in this case acme74, a DSA key).

host name: contains the name assigned to the DSA public key when it was first imported
comment: contains any comments associated with the DSA key
finger-print: contains the output of an MD5 hash computed across the base64-encoded DSA public key
finger-print-raw: contains the output of an MD5 hash computed across the binary form of the DSA public key
public key: contains the base64 encoded DSA key
p: contains the first of two prime numbers used for key generation
q: contains the second of two prime numbers used for key generation
g: contains an integer that together with p and q are the inputs to the DSA key generation algorithm

ORACLE# show security ssh-pub-key detail 
... 
... 
... 
ORACLE#

This command displays detailed information for all SSH imported keys.