TSC Server Configuration
TSC server configuration consists of the following steps; each step is identified as required or optional.
TSCF Global Configuration
TSCF global configuration specifies the handling of idle tunnel connections. By default, the TSC server transitions an idle tunnel client from the active to the persistent state after an idle period of 300 seconds. Assuming the tunnel remains idle for an additional 330 seconds, the TSC server then transitions the tunnel from the persistent to the closed state—tearing the tunnel down and releasing its resources. If this behavior is consistent with your deployment, no changes are required or encouraged at the TSCF global configuration level. If local network conditions require modification, adjust the keepalive-timer, keepalive-timer-datagram, and tunnel-persistence-time parameters as described below.
TSCF global configuration also enables and manages high-availability (HA) topologies — topologies in which a pair of SBCs operate in tandem, one in the active and the other in the backup role to provide reliable redundant operational availability. By default, HA is disabled. If your SBC operates in standalone mode (not part of an HA pair), you can safely ignore all HA parameters and simply retain default values. If operating as part of an HA pair, use the red-port parameter to enable HA as described in the following procedure. After enabling HA, Oracle Communications recommends the retention of default values for other HA parameters (red-max-trans, red-sync-start-time, and red-sync-comp-time) unless unusual local conditions require otherwise. Prior to modifying HA parameters, you should refer to the ACLI Configuration Guide for more detailed HA information.
Use the following procedure to perform TSCF global configuration.
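To make the idle-tunnel behaviour above concrete, here is an added Python model (not Oracle's code) of the transitions driven by keepalive-timer and tunnel-persistence-time, using the page's defaults of 300 and 330 seconds. It assumes that client traffic arriving while the tunnel is persistent returns it to the active state and that closed is final; for datagram tunnels pass the keepalive-timer-datagram value as keepalive_timer.

```python
"""Model of TSC server idle-tunnel state transitions (constructed example, not Oracle code).

keepalive-timer (default 300 s) moves an idle tunnel from active to persistent;
tunnel-persistence-time (default 330 s) of further silence moves it to closed.
Assumption: data from the client while persistent makes the tunnel active again.
"""

ACTIVE, PERSISTENT, CLOSED = "active", "persistent", "closed"


def tunnel_transitions(activity_times, keepalive_timer=300, tunnel_persistence_time=330):
    """Return [(time, state), ...] for a tunnel whose client sent data at activity_times.

    activity_times: ascending seconds; the first entry is tunnel creation.
    """
    if not activity_times:
        raise ValueError("tunnel needs a creation time")
    last_seen = activity_times[0]
    pending = list(activity_times[1:])
    events = [(last_seen, ACTIVE)]
    state = ACTIVE
    while state != CLOSED:
        nxt = pending[0] if pending else None
        if state == ACTIVE:
            persist_at = last_seen + keepalive_timer
            if nxt is not None and nxt < persist_at:
                last_seen = pending.pop(0)      # traffic keeps the tunnel active
                continue
            state = PERSISTENT
            events.append((persist_at, state))
        else:  # PERSISTENT: either the client returns or the tunnel is torn down
            close_at = events[-1][0] + tunnel_persistence_time
            if nxt is not None and nxt < close_at:
                last_seen = pending.pop(0)
                state = ACTIVE
                events.append((last_seen, state))
                continue
            state = CLOSED
            events.append((close_at, state))
    return events


def state_at(events, t):
    """State in effect at time t, given the event list from tunnel_transitions()."""
    current = None
    for when, state in events:
        if when <= t:
            current = state
    return current
```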
TSCF Protocol Policy Configuration
Use the following procedure to configure TSCF policy-based forwarding services.
Policy-based forwarding requires the creation of a tscf-protocol-policy and the assignment of that policy to a tscf-address-pool.
TSCF Address Pool Configuration
During the configuration stage as described in TSCF Overview, the TSC server assigns a tunnel IP address to the client application. These assigned addresses are obtained by the TSC server from a tscf-address-pool, a configuration object that contains an IP address list. The IP address list contains one or more IP address ranges. Each address range consists of contiguous IP addresses, and can contain a minimum of 1, or a maximum of 262,144 list entries for IPv4 or IPv6.
The address range size, the list size, and the size of the tscf-address-pool are constrained by the same maximum value. Consequently, while the IP address list can contain one or several ranges, the total number of IP addresses contained in the individual address ranges cannot exceed 262,144.
Use the following required procedure to configure a tscf-address-pool configuration object. Later, you will assign the address pool to a specific TSCF interface.
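The per-range and per-pool limits described above are easy to get wrong when a pool is assembled from several ranges. The following added Python check (constructed example, not the SBC's own validation) parses "start-end" ranges of either family and enforces the 262,144 ceiling on each range and on the pool as a whole, and rejects overlapping ranges; the overlap test is only applied between ranges of the same IP family.

```python
"""Validate a tscf-address-pool IP address list (constructed example, not Oracle code)."""
import ipaddress

MAX_POOL_ADDRESSES = 262_144  # ceiling shared by a range, the list and the whole pool


def parse_range(spec):
    """Return (first, last) for 'a.b.c.d-w.x.y.z' or a single address such as '2001:db8::1'."""
    first_txt, _, last_txt = spec.partition("-")
    first = ipaddress.ip_address(first_txt.strip())
    last = ipaddress.ip_address(last_txt.strip()) if last_txt else first
    if first.version != last.version:
        raise ValueError(f"{spec}: mixed IPv4/IPv6 endpoints")
    if int(last) < int(first):
        raise ValueError(f"{spec}: range end precedes range start")
    return first, last


def validate_address_pool(ranges):
    """Return the total address count of the pool or raise ValueError.

    Each range is contiguous by construction and must hold 1..262,144 entries;
    ranges of one family must not overlap; the pool total must not exceed 262,144.
    """
    if not ranges:
        raise ValueError("address pool needs at least one range")
    spans = sorted((parse_range(r) for r in ranges),
                   key=lambda s: (s[0].version, int(s[0])))
    total = 0
    prev_last = None
    for first, last in spans:
        size = int(last) - int(first) + 1
        if size > MAX_POOL_ADDRESSES:
            raise ValueError(f"{first}-{last}: {size} entries exceeds {MAX_POOL_ADDRESSES}")
        if (prev_last is not None and first.version == prev_last.version
                and int(first) <= int(prev_last)):
            raise ValueError(f"{first}-{last}: overlaps a previous range")
        total += size
        prev_last = last
    if total > MAX_POOL_ADDRESSES:
        raise ValueError(f"pool holds {total} addresses, limit is {MAX_POOL_ADDRESSES}")
    return total
```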
TSCF Data Flow Configuration
Use the following procedure to configure an optional tscf-data-flow object. If you are not using tscf-data-flows to provide static egress routes, this procedure can be safely ignored.
TLS Profile Configuration
Use the following required procedure to configure a tls-profile configuration object that identifies the cryptographic resources, specifically certificates and protocols, required for tunnel creation. Later, you will assign the tls-profile to a specific TSC port.
TSCF OCSP Configuration
The following steps provide instruction on using the ACLI to configure OCSP-based certificate revocation services.
Providing OCSP services requires the creation of a secure TLS connection between a TSC port and one or more OCSP responders. This configuration is a three-step process.
- Create one or more certificate-status-profiles. Each certificate-status-profile provides the information and cryptographic resources required to access a single OCSP responder.
- Assign one or more certificate-status-profiles to a tls-profile. This tls-profile enables OCSP services and provides a list of one or more OCSP responders.
- Assign the tls-profile to a TSCF port to enable OCSP service on that port.
Assign the tls-profile to a TSCF port
- From superuser mode, use the following command sequence to access tscf-port configuration mode. While in this mode, you assign an existing TLS profile to a TSCF port.
- Use the select command to identify a specific tscf port that will support OCSP requests and responses.
- Use the tls-profile parameter to assign an OCSP-enabled tls-profile to the current TSCF port.
- Use done, exit, and verify-config to complete configuration.
- If necessary, repeat this procedure to prepare other TSCF ports for OCSP-based certificate checking support.
Sample OCSP Configurations
certificate-status-profile configuration
A sample certificate-status-profile configuration follows:
ACMEPACKET# show running-config cert-status-profile
cert-status-profile
name OCSP_Symantic
ip-address 192.0.2.100
hostname
port 8080
type OCSP
trans-proto HTTP
requestor-cert signOCSP
responder-cert SymanticPublic-1
trusted-cas
realm-id wancom0
retry-count 1
dead-time 60
last-modified-by admin@console
last-modified-date 2014-07-24 18:25:25
task done
ACMEPACKET#
This configuration creates a certificate-status-profile named OCSP_Symantic. The profile identifies an OCSP responder located at 192.0.2.100:8080. The required responder-cert parameter specifies the CA public certificate used by the TSC server to verify the signed OCSP response. The optional requestor-cert parameter indicates that the OCSP responder requires signed requests, and identifies the certificate used by the TSC server to digitally sign OCSP requests. The optional dead-time parameter imposes a 60-second quarantine if the OCSP responder is unreachable. Retention of default values for the realm-id and retry-count parameters specifies OCSP responder access via the wancom0 management interface and a retry count of 1.
tls-profile configuration
A sample tls-profile configuration follows:
ACMEPACKET# show running-config tls-profile
tls-profile
name TLS_OCSP
end-entity-certificate TSCFCert_1
trusted-ca-certificates CA_Symantic
CA_Thawte
CA_Entrust
CA_DigiSign
cipher-list All
verify-depth 10
mutual-authenticate enabled
tls-version compatibility
cert-status-check enabled
cert-status-profile-list OCSP_Symantic
OCSP_Thawte
ignore-dead-responder disabled
allow-self-signed-cert disabled
last-modified-by admin@console
last-modified-date 2014-07-24 19:40:37
task done
ACMEPACKET#
This configuration creates a tls-profile named TLS_OCSP. The profile uses the mutual-authenticate parameter to enable mutual authentication between the TSC server and the OCSP responders, the cert-status-check parameter to enable OCSP services, and the cert-status-profile-list parameter to identify three OCSP responders.
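The interplay of the certificate-status-profile parameters (retry-count, dead-time) and the tls-profile parameters (cert-status-profile-list, ignore-dead-responder) determines what happens when a responder stops answering. The following added Python model (constructed example, not Oracle's implementation) walks the responder list in order, quarantines a silent responder for dead-time seconds, and decides the outcome when every responder is dead. Its semantics are assumptions: retry-count is the number of additional attempts before a responder is declared dead, and with ignore-dead-responder disabled the certificate is rejected when no responder answers, while enabled lets the connection proceed unverified.

```python
"""Model of OCSP responder selection with dead-time quarantine (constructed example, not Oracle code)."""
from dataclasses import dataclass, field


@dataclass
class CertStatusProfile:
    name: str
    retry_count: int = 1   # assumed: extra attempts before the responder is declared dead
    dead_time: int = 60    # seconds the responder is skipped after being declared dead


@dataclass
class TlsProfileOcsp:
    cert_status_profile_list: list          # ordered CertStatusProfile objects
    ignore_dead_responder: bool = False
    dead_until: dict = field(default_factory=dict)  # responder name -> retry-allowed time

    def check_certificate(self, now, query):
        """query(name) returns 'good', 'revoked' or None (no answer).

        Returns (verdict, responder_name); responder_name is None when nobody answered.
        """
        for profile in self.cert_status_profile_list:
            if self.dead_until.get(profile.name, 0) > now:
                continue  # still inside the dead-time quarantine
            for _ in range(profile.retry_count + 1):
                status = query(profile.name)
                if status is not None:
                    return status, profile.name
            self.dead_until[profile.name] = now + profile.dead_time
        # assumed: every responder dead -> rejected unless ignore-dead-responder is enabled
        return ("unverified" if self.ignore_dead_responder else "rejected"), None


def make_query(answers, calls):
    """Constructed stand-in for real OCSP traffic: answers maps name -> status or None."""
    def query(name):
        calls[name] = calls.get(name, 0) + 1
        return answers.get(name)
    return query
```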
sample portion of a tscf-interface/tscf-port configuration
A sample portion of a tscf-interface/tscf-port configuration follows:
ACMEPACKET# show running-config tscf-interface
tscf-interface
realm-id access
state enabled
max-tunnels 200000
local-address-pools pool1
nagle-state enabled
assigned-services SIP,redundancy,DDT,
server-keepalive
tscf-port
address 172.16.21.2
port 443
transport-protocol TLS
tls-profile TLS_OCSP
...
...
...
last-modified-by admin@console
last-modified-date 2014-07-24 19:51:03
task done
ACMEPACKET#
This configuration enables OCSP support on the TSCF port 172.16.21.2:443.
Monitoring OCSP Operations
The TSC server generates an SNMP trap when a configured OCSP responder becomes unreachable. It generates a second trap when connectivity is re-established with a previously unreachable OCSP responder.
The show security ocsp stats ACLI command provides OCSP operational counts.
TSCF Interface Configuration
TSCF interface configuration specifies the SBC IP address that is accessed by TSC clients to initiate tunnel creation, assigns resources that facilitate tunnel creation, identifies specific TSCF services offered by the interface, and limits the number of supported tunnels.
Use the following procedure to configure a TSCF interface—keeping in mind that a TSCF interface and SIP interface cannot coexist on the same network interface.
TSCF DoS Protection Configuration
Use the following procedure to configure DoS protection as described in Denial of Service. DoS protection is assigned via the realm that supports the TSCF port.