NAPTR Follow-Up Queries for A Records

The OCSBC can issue a query for either S or A records, based on the response to an OCSBC request within a NAPTR resource record. This happens if the OCSBC needs more information to reach its target FQDN. Previously, the system always issued queries for S records.

External Policy Server Unreachable Alarm

The OCSBC issues an alarm when a connection to an external policy server configured for RACF or CLF fails. The OCSBC assigns these policy servers with a status of Inactive when:

• The TCP connection is closed by a RST or FIN.
• The Diameter CER/CEA exchange is not successful.
• The number of Diameter message timeouts exceeds the configured value.

Prior to this software version, the system raised an alarm only when all external policy servers in an HA cluster became unreachable. With this software version, the OCSBC issues this alarm when a connection to any member of a cluster fails. The OCSBC establishes an HA cluster when it receives multiple address as resolution to an FQDN request for a single external-policy server configured with an FQDN from a DNS server.

The ANSSI R226 Compliance and SIPREC Entitlements

The OCSBC supports self-entitlement for most product features. Be aware that the new ANSSI R226 Compliance entitlement interacts with the SIPREC entitlement to perform an ANSSI R226 function. When you enable ANSSI R226 Compliance, the OCSBC removes the SIPREC entitlement and any associated configuration.

The use of SIPREC is against ANSSI R226 Compliance. If, subsequently, you want to use SIPREC, you must obtain and install a SIPREC license.

You cannot simply disable the ANSSI R226 Compliance entitlement. After enabling ANSSI R226 Compliance the only way to remove it is to "zeroize" the OCSBC. See the Factory Reset section in the Administrative Security Essentials Guide.

The ANSSI R226 Compliance Entitlement and Boot Parameter Security

When the ANSSI R226 Compliance entitlement is set, the OCSBC ignores attempts to modify security related boot flags from the ACLI. The OCSBC still supports changing security related bootflags through the bootloader.

After enabling ANSSI R226 Compliance, the only way to remove the entitlement is to "zeroize" the OCSBC.

SNMPv3

With this software version, you configure SNMP traps within the context of the OCSBC's comprehensive SNMPv3 support.

The secure-traps value is removed from the snmp-agent-mode parameter, which is part of the system-config.

In addition, the elimination of secure-traps means that the following protocols are deprecated for use by SNMP:

• DES privacy protocol
• MD5 and SHA authentication protocols

To configure traps, refer to SNMP configuration information in the MIB Reference Guide.

TLS1.0

TLS 1.0 sessions fail to negotiate when the tls-version parameter is set to compatibility. To advertise TLS1.0 during session negotiation, navigate to the security-config element and set the options parameter to +sslmin=tls1.0.

ORACLE(security-config)# options +sslmin=tls1.0

HMR Regex Matching Changes

The PCRE (Perl Compatible Regular Expression) engine was updated in 8.1 and consequently the match-value value of \, is no longer valid. In previous releases, the PCRE engine used \, to match any character, including a NUL character. The newer PCRE engine does not support \,.

Separate from the PCRE, the SBC supports the non-standard \,+ to match one or more characters, including NUL characters. If your HMR rule for 8.0 or earlier depends on \, (for example, \,*), use either the standard .* to match any character zero or more times, excluding NUL characters, or use \,+ to match any character, including NUL characters, one or more times.

Voltage Monitoring

Starting in S-Cz8.1.0m1p6 and later, apEnvMonVoltageStatusValue in the ap-env-monitor.mib file is not supported. Voltage can still be monitored through the ACLI show voltage command.