Caveats in Communications Broker Release 5.0.0

The following items provide key information about upgrading and downgrading with Oracle Enterprise Communications Broker Release 5.0.0:

Upgrade and Downgrade Caveats

Platform-Specific Downgrade Limitations

Do not attempt to downgrade Communications Broker to a release not supported by your platform. See the Supported Platforms table for a matrix of platforms and supported releases.

Connection Failures with SSH/SFTP Clients

If you upgrade, and your older SSH or SFTP client stops working, check that the client supports the minimum ciphers required in the ssh-config element. The current default HMAC algorithm is hmac-sha2-256. The current key exchange algorithm is diffie-hellman-group14-sha256. If a verbose connection log of an SSH or SFTP client shows that it cannot agree on a cipher with the SBC, upgrade your client.

SSH Host Key Algorithms

Session Border Controller offers rsa-sha2-512 as the default host key algorithm. SSH clients that offer only a SHA1 hash algorithm, such as ssh-rsa, are not supported; your SSH client must offer a SHA2 hash algorithm. If you see the error message "no matching host key type found", upgrade your SSH client to one that supports SHA2 host key algorithms.
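
The check described in the two SSH sections above, as an added Python example (not Oracle's code): it parses the KEXINIT proposal lines of an OpenSSH `ssh -vv` log and reports each category where the client does not offer the default named on this page, or shares nothing with the server. The log excerpt is constructed, including the assumption that the server offers only those defaults, and the function names are hypothetical.

```python
import re

# Defaults named on this page for Release 5.0.0, keyed by OpenSSH log field.
REQUIRED = {
    "KEX algorithms": "diffie-hellman-group14-sha256",
    "host key algorithms": "rsa-sha2-512",
    "MACs ctos": "hmac-sha2-256",
}

# Constructed excerpt of `ssh -vv` output from an older client; not a real capture.
SAMPLE_LOG = """\
debug2: local client KEXINIT proposal
debug2: KEX algorithms: diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: host key algorithms: ssh-rsa,ssh-dss
debug2: MACs ctos: hmac-sha1,hmac-sha2-256
debug2: peer server KEXINIT proposal
debug2: KEX algorithms: diffie-hellman-group14-sha256
debug2: host key algorithms: rsa-sha2-512
debug2: MACs ctos: hmac-sha2-256
"""

LINE = re.compile(r"^debug2: (local client|peer server) KEXINIT proposal$"
                  r"|^debug2: ([A-Za-z ]+): (\S*)$")

def parse_proposals(log):
    """Return {'local client': {field: [algs]}, 'peer server': {...}}."""
    props, side = {}, None
    for line in log.splitlines():
        m = LINE.match(line.strip())
        if m and m.group(1):          # start of a proposal block
            side = m.group(1)
            props[side] = {}
        elif m and side:              # "field: alg1,alg2,..." inside a block
            props[side][m.group(2)] = [a for a in m.group(3).split(",") if a]
    return props

def audit(log):
    """List (field, required, common) where the client cannot meet the default."""
    props = parse_proposals(log)
    client, server = props.get("local client", {}), props.get("peer server", {})
    findings = []
    for field, needed in REQUIRED.items():
        offered = client.get(field, [])
        # None means the log ended before the server proposal was received.
        common = [a for a in offered if a in server[field]] if field in server else None
        if needed not in offered or common == []:
            findings.append((field, needed, common))
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE_LOG))
```

Any field this reports is one the client must gain support for, which on an older SSH or SFTP client means upgrading it.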

Diffie-Hellman Key Size

For TLS negotiations on SIP interfaces, the default Diffie-Hellman key size offered by the Communications Broker is 1024 bits. The key size is set in the diffie-hellman-key-size attribute in the tls-global configuration element. Increasing the key size to 2048 bits significantly decreases performance.

Default TLS Version

Releases prior to Communications Broker Release 4.1.0 do not support TLS 1.3. Release Communications Broker does not support TLS 1.0 or TLS 1.1. If you are downgrading from Communications Broker Release 5.0.0 to a release prior to Release 5.0.0, set your tls-version to compatibility.

Downgrade Caveat for NTP Configurations using an FQDN

If you create a realm-configuration for providing resolution of FQDNs for NTP servers using the wancom0 interface, Oracle recommends that you remove this wancom0 realm-config before downgrading to a version that does not support FQDNs for NTP servers.

If you retain this configuration, you will lose SSH and GUI access after the downgrade. To recover from this issue, use console access to remove the wancom0 realm-config. Also, remove the wancom0 phy-interface and network-interface. If you configure FQDN resolution for NTP servers through a media interface, you can downgrade to a version that does not support this resolution without removing the configuration.

During LDAP configuration, Address of the record and look-up queries are not available

SDM: In LDAP configuration, address of the record and look-up queries are not available.

Workaround: Configure using the Web GUI and ACLI.

LDAP SNMP Trap Support

LDAP SNMP traps are not supported in P-CZ 5.0.0. Communications Broker 5.0.0 does not generate any LDAP failures for the following OID failures:
  • 1.3.6.1.4.1.9148.2.1.8.9 apSmgmtLDAPCap
  • 1.3.6.1.4.1.9148.3.2.4.2.10 apSysMgmtLDAPServerStatusGroup
  • 1.3.6.1.4.1.9148.3.2.4.3.15 apSysMgmtLDAPServerStatusNotificationsGroup

Logging Limitation

Setting Logging to DEBUG when the configuration is greater than 300k degrades system performance. Be sure to set Logging to WARNING or NOTICE under this condition, and use DEBUG only when absolutely required.

LDAP Support

Only the default "ecb" network can support LDAP. Additional networks cannot.

Registrar Support

Only the default "ecb" network can act as the registrar. Additional networks cannot.

ECB Sync Compatibility

ECB Sync is supported only between nodes with the same configuration platforms. For example, X8-2 to X8-2, X9-2 to X9-2, and VM to VM are supported. Both Communications Brokers participating in ECB Sync must have the same number of cores.

Deprecated Ciphers

The following ciphers are not supported as of Release 5.0.0:
  1. TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
  2. TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
  3. TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
  4. TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
  5. TLS_RSA_WITH_AES_256_CBC_SHA256
  6. TLS_RSA_WITH_AES_256_GCM_SHA384
  7. TLS_RSA_WITH_AES_128_CBC_SHA256
  8. TLS_RSA_WITH_AES_128_CBC_SHA
  9. TLS_RSA_WITH_AES_128_GCM_SHA256
  10. TLS_AES_128_CCM_8_SHA256
  11. TLS_RSA_WITH_3DES_EDE_CBC_SHA
  12. TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
  13. TLS_DHE_RSA_WITH_AES_256_CBC_SHA
  14. TLS_RSA_WITH_AES_256_CBC_SHA
  15. TLS_DHE_RSA_WITH_AES_128_CBC_SHA
  16. TLS_RSA_WITH_NULL_SHA256
  17. TLS_RSA_WITH_NULL_SHA
  18. TLS_RSA_WITH_NULL_MD5