Installation and Start-Up

After you have completed the hardware installation procedures outlined in the the relevant Hardware Installation Guide, you are ready to establish a connection to your Oracle® Enterprise Session Border Controller. Then you can load the software image you want to use and establish basic operating parameters.

Hardware Installation Process

Installing the Oracle® Enterprise Session Border Controller hardware in a rack requires the following process.

  1. Unpack the Oracle® Enterprise Session Border Controller hardware.
  2. Install the Oracle® Enterprise Session Border Controller hardware into the rack.
  3. Install the power supplies.
  4. Install the fan modules.
  5. Install the physical interface cards.
  6. Cable the Oracle® Enterprise Session Border Controller hardware.

    Note:

    Complete installation procedures fully and note the safety warnings to prevent physical harm to yourself and damage to the Oracle® Enterprise Session Border Controller hardware.

    For more information, see the hardware documentation.

Connecting to Your Oracle® Enterprise Session Border Controller

You can connect to your Oracle® Enterprise Session Border Controller either through a direct console connection, or by creating a remote SSH session. Both of these access methods provide you with the full range of configuration, monitoring, and management options.

Note:

By default, SSH and SFTP connections to your Oracle® Enterprise Session Border Controller are enabled.

Create a Console Connection

Using a serial connection, you can connect your laptop or PC directly to the Acme Packet hardware. If you use a laptop, you must take appropriate steps to ensure grounding.

One end of the cable plugs into your terminal, and the other end plugs into the RJ-45 Console port on the NIU (or management ports area on the Acme Packet 6300).

To make a console connection to your hardware:

  1. Set the connection parameters for your terminal to the default boot settings:
    • Baud rate: 115,200 bits/second
    • Data bits: 8
    • Parity: No
    • Stop bit: 1
    • Flow control: None
  2. Connect a serial cable to between your PC and the hardware's console port.
  3. Apply power to the hardware.
  4. Enter the appropriate password information when prompted to log into User mode of the ACLI.

    You can set the amount of time it takes for your console connection to time out by setting the console-timeout parameter in the system configuration. If your connection times out, the login sequence appears again and prompts you for your passwords. The default for this field is 0, which means that no time-out is being enforced.

SSH Remote Connections

Connect to the Oracle® Enterprise Session Border Controller (Enterprise SBC) using SSH. The Enterprise SBC supports five concurrent SSH and SFTP sessions. Only one SSH session may be in configuration mode at a time.

To SSH to your Enterprise SBC, you need to know the IP address of its administrative interface (wancom0/eth0). The wancom0/eth0 IP address of your Enterprise SBC is found by checking the IP Address value in the boot parameters or visible from the front panel display.

You can manage incoming SSH connections from the ACLI:

  • SSH service is enabled by default.
  • To view the users who are currently logged into the system, use the ACLI show users command. You can see the ID, timestamp, connection source, and privilege level for active connections.
  • From Superuser mode in the ACLI, you can terminate the connections of other users in order to free up connections. Use the kill <sftp | ssh | web> command with the corresponding connection ID.
  • If you reboot your Enterprise SBC from a SSH session, you lose IP access and therefore your connection.

There are two ways to use SSH to connect to the Enterprise SBC. Either connect via SSH without specifying users and SSH user passwords, or initiate the SSH connection using custom SSH credentials.

Note:

Old SSH and SFTP clients that use weak ciphers may not be able to connect to the Enterprise SBC. If a verbose connection log shows the server and client cannot agree on a cipher, upgrade your client.
Accessing the System Via User and Admin Accounts

You may access the Oracle® Enterprise Session Border Controller via SSH connection without specifying users and SSH user passwords.

  1. Open your SSH client (with an open source client, etc.).
  2. At the prompt in the SSH client, type the ssh command, a Space, the IPv4 address of your Oracle® Enterprise Session Border Controller, and then press Enter.

    The SSH client prompts you for a password before connecting to the Oracle® Enterprise Session Border Controller. Enter the Oracle® Enterprise Session Border Controller’s User mode password. After it is authenticated, an SSH session is initiated and you can continue with tasks in User mode or enable Superuser mode.

Manage SSH Keys

Use the ssh-key command to manage SSH keys for the Enterprise SBC.

Add an SSH Authorized Key

To authenticate to the Enterprise SBC using public key authentication rather than a password, use the ssh-key command with the authorized-key import argument.

  1. On the SSH client, convert the public key of the SSH client into RFC 4716 format.

    Note:

    Valid RSA key sizes are 2048, 3072, or 4096 bytes. The only valid DSA key size is 1024 bytes.
    To do this on Oracle Linux, use the ssh-keygen command. 
    [bob@client ~]$ ssh-keygen -e -f .ssh/id_rsa.pub 
---- BEGIN SSH2 PUBLIC KEY ----
Comment: "4096-bit RSA, converted by bob@client from OpenSSH"
AAAAB3NzaC1yc2EAAAADAQABAAACAQDOTDujYoQXzjTt9I8YvJMvfSVlWZ6iDzfRx06R3l
Rj/lrjxlWDMc/Y/uEd2sJ+5wdlCnJPREOuCGbU8S6295486D1kbu76cEDxE+adca3/9+qo
7FQVugkRJBD0ZOj/3qcuKDOh6ZsalF9LaaNMPNWNiQ5n3bWBnQ1tMMEes58JvoNgjn9FOz
hbOdOe91K/OdRA0/YzrguaCA6/vE/tUP+xDD/GOu7KyvN1dsgo1vnYZLG7p8vGgt61eTyC
V6qMEkceGatQvfiBb4XZCeODtC2KBv4pbJpt1zPKOpF4XFb2LferPxAL9rsSRSUOk9tZNc
x1GM3+UUYwT9dF8bcUfomZCKd07kzPh206nZr/uCElXVtCqghgVRQW8uiFRh6ycVWY/pBq
uhPfihKHilZEahOOc08ax14XTK89ovJzjbHezaV/NghkfWpn3W7gDNJTbLbxpbrLDkJBPJ
IltJ5QqwVK/Hi+69x9CxFOkyNpxWFexHPIeq4q0liPoah42MBPAQl30bWULgBP+K0ugzqQ
cSPAhi9FMq6ZVFTmaiPX8JH8JAceswd500x9jMmV91obzTZmXAQsfVpi0asxRhfficEIfs
UJ/FHwW2p13YmDVH1AjVmCDn9T46I05Cq+ImrUBX+JAEa6yQU6R6/s7maVDqpdtkpFp0ql
CWQHHw9J1fYS4w==
---- END SSH2 PUBLIC KEY ----
[user@client ~]$
  2. On the Enterprise SBC, use the ssh-key command with the authorized-key import argument.
    The command syntax: 
    ssh-key authorized-key import <name> <class>
    The <name> parameter is the identifier for the SSH client. The <class> is one of the two authorization classes on the Enterprise SBC: either user or admin.
    ORACLE# ssh-key authorized-key import bob admin    

IMPORTANT:
        Please paste SSH public key in the format defined in RFC 4716.
        Terminate the key with ";" to exit.......

---- BEGIN SSH2 PUBLIC KEY ----
Comment: "4096-bit RSA, converted by bob@client from OpenSSH"
AAAAB3NzaC1yc2EAAAADAQABAAACAQDOTDujYoQXzjTt9I8YvJMvfSVlWZ6iDzfRx06R3l
Rj/lrjxlWDMc/Y/uEd2sJ+5wdlCnJPREOuCGbU8S6295486D1kbu76cEDxE+adca3/9+qo
7FQVugkRJBD0ZOj/3qcuKDOh6ZsalF9LaaNMPNWNiQ5n3bWBnQ1tMMEes58JvoNgjn9FOz
hbOdOe91K/OdRA0/YzrguaCA6/vE/tUP+xDD/GOu7KyvN1dsgo1vnYZLG7p8vGgt61eTyC
V6qMEkceGatQvfiBb4XZCeODtC2KBv4pbJpt1zPKOpF4XFb2LferPxAL9rsSRSUOk9tZNc
x1GM3+UUYwT9dF8bcUfomZCKd07kzPh206nZr/uCElXVtCqghgVRQW8uiFRh6ycVWY/pBq
uhPfihKHilZEahOOc08ax14XTK89ovJzjbHezaV/NghkfWpn3W7gDNJTbLbxpbrLDkJBPJ
IltJ5QqwVK/Hi+69x9CxFOkyNpxWFexHPIeq4q0liPoah42MBPAQl30bWULgBP+K0ugzqQ
cSPAhi9FMq6ZVFTmaiPX8JH8JAceswd500x9jMmV91obzTZmXAQsfVpi0asxRhfficEIfs
UJ/FHwW2p13YmDVH1AjVmCDn9T46I05Cq+ImrUBX+JAEa6yQU6R6/s7maVDqpdtkpFp0ql
CWQHHw9J1fYS4w==
---- END SSH2 PUBLIC KEY ----;

    Note:

    If the Admin Security entitlement is enabled, the SSH client keys must be at least 2048 bits.

    Note:

    Oracle recommends keys be at least 2048 bits.
  3. Save and activate the configuration.
Export an Authorized Key

To export a previously imported SSH public key, use the ssh-key command with the authorized-key export argument.

  1. List the available ssh-key elements.
    ORACLE# show running-config ssh-key                  
ssh-key
        name                                    bob
        type                                    authorized-key
        encryption-type                         rsa
        size                                    4096
        last-modified-by                        admin@10.0.0.20
        last-modified-date                      2020-05-12 13:58:39
ssh-key
        name                                    alice
        type                                    authorized-key
        encryption-type                         rsa
        size                                    4096
        last-modified-by                        admin@10.0.0.37
        last-modified-date                      2020-05-12 14:23:47
ssh-key
        name                                    logserver
        type                                    known-host
        encryption-type                         rsa
        size                                    2048
        last-modified-by                        admin@10.0.0.37
        last-modified-date                      2020-05-11 15:18:36
  2. For any ssh-key element whose type is authorized-key, use the ssh-key authorized-key export <name> command to export the user's public key.
    ORACLE# ssh-key authorized-key export bob
public-key 'bob' (RFC 4716/SECSH format):

---- BEGIN SSH2 PUBLIC KEY ----
Comment: "4096-bit rsa"
AAAAB3NzaC1yc2EAAAADAQABAAACAQDOTDujYoQXzjTt9I8YvJMvfSVlWZ6iDzfRx06R3l
Rj/lrjxlWDMc/Y/uEd2sJ+5wdlCnJPREOuCGbU8S6295486D1kbu76cEDxE+adca3/9+qo
7FQVugkRJBD0ZOj/3qcuKDOh6ZsalF9LaaNMPNWNiQ5n3bWBnQ1tMMEes58JvoNgjn9FOz
hbOdOe91K/OdRA0/YzrguaCA6/vE/tUP+xDD/GOu7KyvN1dsgo1vnYZLG7p8vGgt61eTyC
V6qMEkceGatQvfiBb4XZCeODtC2KBv4pbJpt1zPKOpF4XFb2LferPxAL9rsSRSUOk9tZNc
x1GM3+UUYwT9dF8bcUfomZCKd07kzPh206nZr/uCElXVtCqghgVRQW8uiFRh6ycVWY/pBq
uhPfihKHilZEahOOc08ax14XTK89ovJzjbHezaV/NghkfWpn3W7gDNJTbLbxpbrLDkJBPJ
IltJ5QqwVK/Hi+69x9CxFOkyNpxWFexHPIeq4q0liPoah42MBPAQl30bWULgBP+K0ugzqQ
cSPAhi9FMq6ZVFTmaiPX8JH8JAceswd500x9jMmV91obzTZmXAQsfVpi0asxRhfficEIfs
UJ/FHwW2p13YmDVH1AjVmCDn9T46I05Cq+ImrUBX+JAEa6yQU6R6/s7maVDqpdtkpFp0ql
CWQHHw9J1fYS4w==
---- END SSH2 PUBLIC KEY ----

ORACLE#
Delete an Authorized Key

To delete a previously imported SSH public key, use the ssh-key command with the authorized-key delete argument.

  1. List the available ssh-key elements.
    ORACLE# show running-config ssh-key                  
ssh-key
        name                                    bob
        type                                    authorized-key
        encryption-type                         rsa
        size                                    4096
        last-modified-by                        admin@10.0.0.20
        last-modified-date                      2020-05-12 13:58:39
ssh-key
        name                                    alice
        type                                    authorized-key
        encryption-type                         rsa
        size                                    4096
        last-modified-by                        admin@10.0.0.37
        last-modified-date                      2020-05-12 14:23:47
ssh-key
        name                                    logserver
        type                                    known-host
        encryption-type                         rsa
        size                                    2048
        last-modified-by                        admin@10.0.0.37
        last-modified-date                      2020-05-11 15:18:36
  2. For any ssh-key element whose type is authorized-key, use the ssh-key authorized-key delete <name> command to delete the user's public key.
    ORACLE# ssh-key authorized-key delete bob    
SSH public key deleted successfully....
WARNING: Configuration changed, run "save-config" command to save it
and run "activate-config" to activate the changes
ORACLE#
  3. Save and activate the configuration.
Add an SSH Known Host Key

For the Enterprise SBC to authenticate over SSH to an SFTP server, the public key of the SFTP server needs to be imported into the known_hosts file of the Enterprise SBC.

  1. Convert the public key of the SFTP server into RFC 4716 format.
    There are two ways to do this.
    1. SSH to the SFTP server and run the ssh-keygen command on the server's host key.

      For OpenSSH implementations, host keys are generally found at /etc/ssh/ssh_host_rsa_key.pub. Other SSH implementations may differ. To do this on Oracle Linux, use the ssh-keygen command. 

      [user@logserver ~]$ ssh-keygen -e -f /etc/ssh/ssh_host_rsa_key.pub 
---- BEGIN SSH2 PUBLIC KEY ----
Comment: "2048-bit RSA, converted by user@logserver from OpenSSH"
AAAAB3NzaC1yc2EAAAADAQABAAABAQDwifpOpBKoDhzJXglzdoOfZ39TiU7jhygbPGQTw0
j3zISW57PRbSulVw1hBHwqJwZZc6nr1JXaiHN7ieYT/96QCXQ56JH9Lcjej6iHplfhJO44
qIgZIlRtD0e5y6YBzDgcI3T8J6n0jHwksvwKttObk8SoZl1mqE4xPXSiTVB1PzMNxF0dWV
rgvGK227PsOfPLypL3RhnmqFbVRIhMKW7a80p7I+T6mAoq8UdzejbyhEK+e0Ge3F9i1g49
oHWHNnSvU64F1ADybbZrclvvt8vofIzraGMBRjLs5Yl8bbdId/4UBci1fONmIUzxVse5NM
PwNj0cjvNPS1/LOcKUgQxN
---- END SSH2 PUBLIC KEY ----
[user@logserver ~]$
    2. Run the ssh-keyscan command from a Linux client and convert that key with the ssh-keygen command.
      ssh-keyscan -t rsa 10.0.0.6 | sed 's/.*ssh/ssh/' > key.pub
ssh-keygen -ef key.pub
  2. On the Enterprise SBC, use the ssh-key command to import the host key of the SFTP server into the known_hosts file of the Enterprise SBC.

    The command syntax: 

    ssh-key known-host import <name>

    For SFTP to work properly, the <name> parameter must be the valid and reachable IP address of the SFTP server.

    The following example shows adding multiple servers with different IP addresses. Note that you must add each server in an individual command.
    ssh-key known-host import 10.10.10.1
ssh-key known-host import 192.168.1.1
    Alternatively, you may prepend a server "alias" to the start of the IP address string as follows.
    ssh-key known-host import serverA@10.10.10.1
ssh-key known-host import serverB@192.168.1.1

    If you need to have multiple server aliases that have the same IP address, you can do the following.

    ssh-key known-host import serverA@10.10.10.1
ssh-key known-host import serverB@10.10.10.1
  3. Paste the public key with the bracketing Begin and End markers at the cursor point.
  4. Enter a semi-colon (;) to signal the end of the imported host key.

    The entire import sequence is shown below. 

    ORACLE# ssh-key known-host import 10.0.0.12

IMPORTANT:
        Please paste SSH public key in the format defined in RFC 4716.
        Terminate the key with ";" to exit.......

---- BEGIN SSH2 PUBLIC KEY ----
Comment: "2048-bit RSA, converted by user@logserver from OpenSSH"
AAAAB3NzaC1yc2EAAAADAQABAAABAQDJXglzdiU7jhywifpOpBKoDhoOfZ39TzgbPGQTw0
j357PRbSulHwaiHN7zEVw1hBISWie6nrQ56JH9Lcjej1JX96QCYT/qJwZZcX6iHplfhJO4
q8J6nIlRtD0e5y60jHwgZYBzDksvwKk8SSiTVB10ttObdWVoZl1mqPzMNxFE4xPXIgcI3T
rgvGKR27PsOfPLy80p7IpLhnmqFjbyhEK+e0KW7a+T6mbV23RIhMzeAoq8UdGe3F9i1g49
oHWs5mDybHNnBRjLbZrcSvU64F1AMlvvtUzxVse5NM8vofIzraGIYl8bbdId/4UBci1fON
PwNPS1/LONj0cjvcKUgQxN
---- END SSH2 PUBLIC KEY ----;

SSH public key imported successfully....
WARNING: Configuration changed, run "save-config" command to save it
and run "activate-config" to activate the changes

    Import both the RSA key and the DSA key if you are not sure which one the SFTP server uses.

  5. Save and activate the configuration.
Delete an SSH Known Hosts Key

Delete expired SSH keys from the known_hosts file of the Enterprise SBC.

  1. List the available ssh-key elements.
    ORACLE# show running-config ssh-key                  
ssh-key
        name                                    bob
        type                                    authorized-key
        encryption-type                         rsa
        size                                    4096
        last-modified-by                        admin@10.0.0.20
        last-modified-date                      2020-05-12 13:58:39
ssh-key
        name                                    alice
        type                                    authorized-key
        encryption-type                         rsa
        size                                    4096
        last-modified-by                        admin@10.0.0.37
        last-modified-date                      2020-05-12 14:23:47
ssh-key
        name                                    10.0.0.12
        type                                    known-host
        encryption-type                         rsa
        size                                    2048
        last-modified-by                        admin@10.0.0.37
        last-modified-date                      2020-05-11 15:18:36
  2. Use the ssh-key command to remove a key whose type is known-host.

    The command syntax: 

    ssh-key known-host delete <name>

    The <name> parameter is an alias or handle assigned to the imported host key.

    ORACLE# ssh-key known-host delete 10.0.0.12
  3. Save and activate the configuration.
Add a Certificate Authority Key

When authenticating with certificates, clients send certificates to establish their identity and authorization. The public key of the Certificate Authority (CA) used for signing these client certificates must be imported into the Enterprise SBC.

  1. On the server you'll use for a certificate authority, create a keys directory for storing keys.
    [user@host ~]$ mkdir keys
[user@host ~]$ cd keys/
  2. Generate an SSH key pair to use for signing certificates.
    [user@host keys]$ ssh-keygen -t rsa -b 4096 -f ./ca_key
  3. Export the CA key to RFC 4716 format.
    [user@host keys]$ ssh-keygen -ef ./ca_key.pub
---- BEGIN SSH2 PUBLIC KEY ----
Comment: "4096-bit RSA, converted by user@host from OpenSSH"
AAAAB3NzaC1yc2EAAAADAQABAAACAQDOTDujYoQXzjTt9I8YvJMvfSVlWZ6iDzfRx06R3l
Rj/lrjxlWDMc/Y/uEd2sJ+5wdlCnJPREOuCGbU8S6295486D1kbu76cEDxE+adca3/9+qo
7FQVugkRJBD0ZOj/3qcuKDOh6ZsalF9LaaNMPNWNiQ5n3bWBnQ1tMMEes58JvoNgjn9FOz
hbOdOe91K/OdRA0/YzrguaCA6/vE/tUP+xDD/GOu7KyvN1dsgo1vnYZLG7p8vGgt61eTyC
V6qMEkceGatQvfiBb4XZCeODtC2KBv4pbJpt1zPKOpF4XFb2LferPxAL9rsSRSUOk9tZNc
x1GM3+UUYwT9dF8bcUfomZCKd07kzPh206nZr/uCElXVtCqghgVRQW8uiFRh6ycVWY/pBq
uhPfihKHilZEahOOc08ax14XTK89ovJzjbHezaV/NghkfWpn3W7gDNJTbLbxpbrLDkJBPJ
IltJ5QqwVK/Hi+69x9CxFOkyNpxWFexHPIeq4q0liPoah42MBPAQl30bWULgBP+K0ugzqQ
cSPAhi9FMq6ZVFTmaiPX8JH8JAceswd500x9jMmV91obzTZmXAQsfVpi0asxRhfficEIfs
UJ/FHwW2p13YmDVH1AjVmCDn9T46I05Cq+ImrUBX+JAEa6yQU6R6/s7maVDqpdtkpFp0ql
CWQHHw9J1fYS4w==
---- END SSH2 PUBLIC KEY ----
[user@host keys]$
  4. Import the CA key into the Enterprise SBC using the ssh-key command with the ca-key import argument.
    The command syntax:
    ssh-key ca-key import <key-name> <class>
    The <key-name> parameter is the key identifier or key ID that will be used when signing client keys as the value of the -I argument in the ssh-keygen command. The <class> is one of the two authorization classes on the Enterprise SBC: either user or admin.
    ORACLE# ssh-key ca-key import rootCA admin    

IMPORTANT:
        Please paste SSH public key in the format defined in RFC 4716.
        Terminate the key with ";" to exit.......

---- BEGIN SSH2 PUBLIC KEY ----
Comment: "4096-bit RSA, converted by user@server from OpenSSH"
AAAAB3NzaC1yc2EAAAADAQABAAACAQDOTDujYoQXzjTt9I8YvJMvfSVlWZ6iDzfRx06R3l
Rj/lrjxlWDMc/Y/uEd2sJ+5wdlCnJPREOuCGbU8S6295486D1kbu76cEDxE+adca3/9+qo
7FQVugkRJBD0ZOj/3qcuKDOh6ZsalF9LaaNMPNWNiQ5n3bWBnQ1tMMEes58JvoNgjn9FOz
hbOdOe91K/OdRA0/YzrguaCA6/vE/tUP+xDD/GOu7KyvN1dsgo1vnYZLG7p8vGgt61eTyC
V6qMEkceGatQvfiBb4XZCeODtC2KBv4pbJpt1zPKOpF4XFb2LferPxAL9rsSRSUOk9tZNc
x1GM3+UUYwT9dF8bcUfomZCKd07kzPh206nZr/uCElXVtCqghgVRQW8uiFRh6ycVWY/pBq
uhPfihKHilZEahOOc08ax14XTK89ovJzjbHezaV/NghkfWpn3W7gDNJTbLbxpbrLDkJBPJ
IltJ5QqwVK/Hi+69x9CxFOkyNpxWFexHPIeq4q0liPoah42MBPAQl30bWULgBP+K0ugzqQ
cSPAhi9FMq6ZVFTmaiPX8JH8JAceswd500x9jMmV91obzTZmXAQsfVpi0asxRhfficEIfs
UJ/FHwW2p13YmDVH1AjVmCDn9T46I05Cq+ImrUBX+JAEa6yQU6R6/s7maVDqpdtkpFp0ql
CWQHHw9J1fYS4w==
---- END SSH2 PUBLIC KEY ----;

    Note:

    If the Admin Security entitlement is enabled, the key must be at least 2048 bits.
  5. Save and activate the configuration.
  6. For each SSH client, copy the client's public key into the keys directory.
    [user@host keys]$ scp acme@client1.com:.ssh/id_rsa.pub ./id_rsa.pub
  7. Sign the key with the ssh-keygen command.
    Use the following arguments:
    • Use -s to identify the private key of the CA key used to sign.
    • Use -z to specify the serial number to be embedded in the certificate to distinguish this certificate from others signed by the same CA.
    • Use -n to specify the username of the client to be included in the certificate.
    • Use -I to specify the key ID. This key ID must match the <key-name> specified when importing the signing CA key into the Enterprise SBC.
    • Use -V to set the validity interval. To set the validity for one year, starting the previous day, use -1d:+52w.

    Important:

    The username passed with the -n argument of the ssh-keygen command must match the username used to authenticate.

    Note:

    If the type attribute of the authentication element is set to local, the username passed with the -n argument must be set to admin. 
    [user@host keys]$ ssh-keygen -s ca_key -z 1 -n admin -I rootCA -V -1d:+52w id_rsa.pub
Signed user key id_rsa.pub: id "rootCA" serial 1 for admin valid from 2020-06-21T09:26:41 to 2021-06-21T09:26:41
[user@host keys]$
  8. Copy the certificate to the client's .ssh directory.
    [user@host keys]$ scp id_rsa-cert.pub acme@client1.com:.ssh/
  9. Verify the SSH client can connect with the certificate.
Delete a Certificate Authority Key

To delete a previously imported Certificate Authority (CA) key, use the ssh-key command with the ca-key delete argument.

  1. List the available ssh-key elements.
    ORACLE# show running-config ssh-key                  
ssh-key
        name                                    bob
        type                                    authorized-key
        encryption-type                         rsa
        size                                    4096
        last-modified-by                        admin@10.0.0.20
        last-modified-date                      2020-05-12 13:58:39
ssh-key
        name                                    alice
        type                                    authorized-key
        encryption-type                         rsa
        size                                    4096
        last-modified-by                        admin@10.0.0.37
        last-modified-date                      2020-05-12 14:23:47
ssh-key
        name                                    rootCA
        type                                    ca-key
        encryption-type                         rsa
        size                                    4096
        last-modified-by                        admin@10.0.0.37
        last-modified-date                      2020-05-11 15:18:36
  2. For any ssh-key element whose type is ca-key, use the ssh-key ca-key delete <key-name> command to delete the CA key.
    ORACLE# ssh-key ca-key delete rootCA    
SSH public key deleted successfully....
WARNING: Configuration changed, run "save-config" command to save it
and run "activate-config" to activate the changes
ORACLE#
  3. Save and activate the configuration.
Revoke a User Key

To revoke access to a specific user whose public key was signed by your CA key, import the user's public key into the revocation list.

  1. On the Enterprise SBC, use the ssh-key command with the ca-user-revoke import argument.
    The command syntax: 
    ssh-key ca-user-revoke import <key-name>
    The <key-name> parameter uniquely identifies the key you want to revoke.
    ORACLE# ssh-key ca-user-revoke import bob

IMPORTANT:
        Please paste SSH public key in the format defined in RFC 4716.
        Terminate the key with ";" to exit.......

---- BEGIN SSH2 PUBLIC KEY ----
Comment: "4096-bit RSA, converted by user@server from OpenSSH"
AAAAB3NzaC1yc2EAAAADAQABAAACAQDOTDujYoQXzjTt9I8YvJMvfSVlWZ6iDzfRx06R3l
Rj/lrjxlWDMc/Y/uEd2sJ+5wdlCnJPREOuCGbU8S6295486D1kbu76cEDxE+adca3/9+qo
7FQVugkRJBD0ZOj/3qcuKDOh6ZsalF9LaaNMPNWNiQ5n3bWBnQ1tMMEes58JvoNgjn9FOz
hbOdOe91K/OdRA0/YzrguaCA6/vE/tUP+xDD/GOu7KyvN1dsgo1vnYZLG7p8vGgt61eTyC
V6qMEkceGatQvfiBb4XZCeODtC2KBv4pbJpt1zPKOpF4XFb2LferPxAL9rsSRSUOk9tZNc
x1GM3+UUYwT9dF8bcUfomZCKd07kzPh206nZr/uCElXVtCqghgVRQW8uiFRh6ycVWY/pBq
uhPfihKHilZEahOOc08ax14XTK89ovJzjbHezaV/NghkfWpn3W7gDNJTbLbxpbrLDkJBPJ
IltJ5QqwVK/Hi+69x9CxFOkyNpxWFexHPIeq4q0liPoah42MBPAQl30bWULgBP+K0ugzqQ
cSPAhi9FMq6ZVFTmaiPX8JH8JAceswd500x9jMmV91obzTZmXAQsfVpi0asxRhfficEIfs
UJ/FHwW2p13YmDVH1AjVmCDn9T46I05Cq+ImrUBX+JAEa6yQU6R6/s7maVDqpdtkpFp0ql
CWQHHw9J1fYS4w==
---- END SSH2 PUBLIC KEY ----;
  2. Save and activate the configuration.
The user's key is added to the revocation list. When authenticating to the Enterprise SBC, the user may no longer use his or her key or certificate, even though that key was signed by the CA key.
Unrevoke a Revoked User Key

If a user key is added to the revocation list, that user will not be able to authenticate to the Enterprise SBC. To delete a key from the revocation list, use the ssh-key command with the ca-user-revoke delete argument.

  1. List the available ssh-key elements.
    ORACLE# show running-config ssh-key                  
ssh-key
        name                                    bob
        type                                    authorized-key
        encryption-type                         rsa
        size                                    4096
        last-modified-by                        admin@10.0.0.20
        last-modified-date                      2020-05-12 13:58:39
ssh-key
        name                                    alice
        type                                    authorized-key
        encryption-type                         rsa
        size                                    4096
        last-modified-by                        admin@10.0.0.37
        last-modified-date                      2020-05-12 14:23:47
ssh-key
        name                                    alice
        type                                    ca-user-revoke
        encryption-type                         rsa
        size                                    4096
        last-modified-by                        admin@10.0.0.37
        last-modified-date                      2020-05-11 15:18:36
  2. For any ssh-key element whose type is ca-user-revoke, use the ssh-key ca-user-revoke delete <key-name> command to delete the CA key.
    ORACLE# ssh-key ca-user-revoke delete alice    
SSH public key deleted successfully....
WARNING: Configuration changed, run "save-config" command to save it
and run "activate-config" to activate the changes
ORACLE#
  3. Save and activate the configuration.
Once the user key is removed from the revocation list, the functionality of any existing key is restored.
Configure SSH Ciphers

The ssh-config configuration element controls which ciphers the Enterprise SBC offers during SSH session negotiation when the Enterprise SBC acts as an SSH server. The ciphers offered when the Enterprise SBC acts as an SSH client are not configurable.

Each command takes an argument which is either a single word or a comma-separated list within double quotes. Type ? to see the available algorithms for this release.

  1. Access the ssh-config configuration element. 
    ORACLE# configure terminal
ORACLE(configure)# security
ORACLE(security)# ssh-config
  2. encr-algorithms—Select the ciphers for SSH encryption.
  3. hmac-algorithms—Select the HMAC algorithm.
  4. keyex-algorithms—Select the Diffie-Hellman key exchange algorithm.
  5. hostkey-algorithms—Select the algorithm for generating host keys.
  6. Type done.
  7. Save and activate the configuration.
Verify SSH Ciphers

After configuring which ciphers the Oracle® Enterprise Session Border Controller offers during SSH negotiations, verify the settings from an SSH client by starting a new SSH session with verbosity level 2.

  1. SSH to the Enterprise SBC with verbosity level 2. 
    ssh -vv user@10.0.0.1
  2. Confirm the Enterprise SBC offers the selected ciphers. 
    debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256
debug2: kex_parse_kexinit: ssh-rsa
debug2: kex_parse_kexinit: AEAD_AES_256_GCM,aes256-ctr
debug2: kex_parse_kexinit: AEAD_AES_256_GCM,aes256-ctr
debug2: kex_parse_kexinit: hmac-sha2-256
debug2: kex_parse_kexinit: hmac-sha2-256
debug2: kex_parse_kexinit: none
debug2: kex_parse_kexinit: none
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:

System Boot

When your Oracle® Enterprise Session Border Controller boots, the following information about the tasks and settings for the system appear in your terminal window.

  • System boot parameters
  • From what location the software image is being loaded: an external device or internal flash memory
  • Requisite tasks that the system is starting
  • Log information: established levels and where logs are being sent
  • Any errors that might occur during the loading process

After the loading process is complete, the ACLI login prompt appears.