Security Shield Deployment Process and Procedures

3 Security Shield Deployment Process and Procedures

Obtaining and installing the Oracle® Communications Security Shield Cloud Service (Security Shield) service requires a multi-step process that includes tasks for you to perform in the Oracle Cloud and on premises. New customers must take steps to establish and set up their Oracle Cloud account in addition to the procedures for installing the Security Shield service. See the following topics to guide you through the process.

Topics:

Security Shield Deployment Process

The high-level process for deploying the Oracle® Communications Security Shield Cloud Service (Security Shield) includes the following steps. You will perform some steps in the Oracle Cloud and others on-premises.

Oracle Cloud—Contact your Oracle Cloud sales representative to establish a subscription for Security Shield and activate your account. (Security Shield is not available for purchase online in the Oracle Marketplace.) See Establish a Security Shield Subscription.
On premises—Log on to Oracle Service Delivery Cloud at edelivery.oracle.com using the Customer Support Identifier number that you received in your Oracle Cloud Welcome email and download the Security Shield software. (Cloud Communication Service and Security Shield SPL file) See Download the Cloud Communication Service Software from MOS.
On-premises—Generate the TLS certificates for the Cloud Communication Service. The installation script requires a pem file and a key file for both the LAN side and the WAN side. Configure TLS Certificates for the Cloud Communication Service.
On premises—Install the Cloud Communication Service with the install, configure, and activate scripts provided in the software download. See either Install, Configure, and Activate the Cloud Communication Service.
On-premises—Generate the TLS certificate for the Session Border Controller and install it on the SBC. Configure TLS Certificates for the OCSBC.
On premises—Install the Security Shield SPL on the Session Border Controller (SBC) and enable Security Shield on the SBC, which registers the SBC with the Cloud Communication Service. See Configure the Session Border Controller for the Security Shield Service.

The following diagram illustrates the deployment process and shows the parameters you need to set in each Security Shield component to establish the service.

This diagram illustrates the steps listed above. It shows the parameters you need to set in each component.

Next Steps

Oracle Cloud—Log on to theSecurity Shield Dashboard and customize the threat protection settings. See "Customize the Security Shield Autonomous Threat Protection Settings" in the Security Shield User's Guide.
Oracle Cloud—Log on to the Security Shield Dashboard and create managed phone number lists. See the "Add Phone Numbers to Policy Rules" in the Security Shield User's Guide.

Establish a Security Shield Subscription

To obtain the Oracle® Communications Security Shield Cloud Service (Security Shield), contact Oracle Cloud Sales to purchase a Cloud Services Agreement and the Security Shield service subscription. Oracle does not offer the Security Shield service as an online purchase in the Oracle Cloud Marketplace. You must purchase through Oracle Sales.

Establishing an Security Shield service subscription is a multi-step process. Use the information provided in the following links to guide you through the process.

Go to Oracle Communications Security Shield Cloud and click Contact Sales for information about how to purchase a subscription to Security Shield.
Go to Activate Your Cloud Account for instructions to activate your subscription.
Go to Oracle Cloud Infrastructure Identity and Access Management for information about how to manage your Users and Groups, Identity Domains, Applications, Administration, and more.

Next Steps

Download the Security Shield Software

Download the Security Shield Software

Before you can install the Cloud Communications Service (CCS) and the OCSSC SPL plug-in file on-premises, you must download the software on to the host. Only authorized customers with a valid password may download the software. Note that the download includes both the CCS software and the Oracle® Communications Security Shield Cloud Service (Security Shield) SPL plug-in file that you must install on the Session Border Controller.

The following procedure explains how to download the CCS software and SPL plug-in file from Oracle Software Delivery Cloud.

Note:

If you prefer, you can download the CCS software and SPL plug-in file from My Oracle Support (MOS). See Download the Cloud Communication Service Software from MOS.

Procedure

Log on to https://edelivery.oracle.com with the Customer Support Identifier number that you received in your "Welcome" email from Oracle.
Search for Cloud Communications Service software.
Add the Cloud Communications Service software to your shopping cart.
Check out and download the Cloud Communications Service software file to your host.
Oracle creates the /opt/oracle directory and necessary sub-directories on the host for the CCS software.

Next Steps

Install, Configure, and Activate the Cloud Communication Service

Configure TLS Certificates for the Cloud Communication Service

The Cloud Communication Service (CCS) uses TLS to encrypt and secure your data on the Local Area Network between CCS and the Session Border Controller (SBC) and on the Wide Area Network (WAN) between CCS and Oracle® Communications Security Shield Cloud Service (Security Shield). The WAN and LAN connections both require a pem format certficate file and its matching key file. You also need the intermediateCA certificate file when you run the activate script in the "Install, Configure, and Activate the Cloud Communication Service" procedure.

Use the following procedure to generate the required pem and key TLS certificates for your LAN and WAN.

Create a san.cnf file with your local information and set the IP.1 parameter to the IP address you want the CCS to use on the LAN side.

{req}
default_bits = 2048
distinguished_name = req_distinguished_name
req-extensions = req_ext
[req_distinguished_name]
countryName = Country Name (2 letter code)
stateOrProvinceName = State or Province Name (full name)
localityName = Locality Name (For example, city)
organizationName = Organization Name (For example,company)
commonName = Common Name (For example, server FQDN or YOUR name)
{req_ext]
subjectAltName = @alt_names
[alt_names]
IP.1 = <CCS LAN-side IP Address>

Use OpenSSL to generate the Certificate Signing Request and key file using the san.cnf file you created above.

openssl req -out <path where to create sslcert.csr> -newkey rsa:2048 -nodes -keyout
 <path where to create lan-key.pem> -config <path to san.cnf>

Use OpenSSL to generate a signed certificate pem file for the associated Certificate Signing Request, setting the expiration period you want with the -days parameter (the following CA is for the LAN-side signing CA).
```
openssl ca -config <path to openssl.cnf> -extensions server_cert -days <set certificate
      expiration in days> -notext -md sha256 -in <path to sslcert.csr>  -out <path where to create
      lan-cert.pem>
```
Verify the certificate information and that the certificate states the correct IP address in the IP.1 field.
```
openssl x509 -noout -text -in <path to lan-cert.pem>
```

Modify the san.cnf file and change the IP.1 parameter to the IP address you want the CCS to use for the WAN side. The common name is the FQDN to use for the WAN-side.

[ req ]           
default_bits = 2048           
distinguished_name = req_distinguished_name          
req_extensions     = req_ext           
[ req_distinguished_name ]           
countryName = Country Name (2 letter code)           
stateOrProvinceName = State or Province Name (full name)           
localityName = Locality Name (For example, city)           
organizationName = Organization Name (For example, company)           
commonName = Common Name (For example, server FQDN or YOUR name)           
[ req_ext ]           
subjectAltName = @alt_names           
[alt_names]           
IP.1 = CCS WAN SIDE IP ADDRESS

Use OpenSSL to generate the Certificate Signing Request and key file using the san.cnf file created above.

openssl req -out <path where to create sslcert.csr> -newkey rsa:2048 -nodes -keyout <path where
      to create wan-key.pem> -config <path to san.cnf>

Send the sslcert.csr to a trusted CA for signing. Oracle assumes that the returned certificate is named wan-cert.pem.
Verify the certificate information and that the certificate states the correct IP address in the IP.1 field.
```
 openssl x509 -noout -text -in <path to wan-cert.pem>
```

Next steps

Acquire the intermediateCA certificate. (LAN-side signing CA "lan-ca-cert.pem")
Run the CCS activation script which requires the LAN and WAN certificates and matching keys, plus the LAN-side signing CA certfiicate. Install, Configure, and Activate the Cloud Communication Service.

Install, Configure, and Activate the Cloud Communication Service

The Cloud Communication Service (CCS) installation procedure requires the archive file containing the installation, configuration, and activation scripts that you downloaded from Oracle onto your host hardware.

Oracle recommends running the three scripts consecutively in one session the first time you install CCS. For that reason, this procedure includes the prerequisites and steps for running the scripts sequentially. Oracle recommends that you install the CCS behind Network Address Translation (NAT) or a firewall. See CCS Configuration Behind NAT or a Firewall.

CCS Installation Prerequisites

Do the following before performing the CCS installation procedure.

System Prerequisites

Ensure that the host meets Operation System and resource requirements. Version Requirements for External Components.
Install Perl v5.16.3 or higher on the host.
Ensure that you have Root access or equivalent Super User privileges.
Ensure that the Docker (v18.09.1 or higher) or Podman (v4.4.1 or higher) package is installed and that the daemon is running as a service if you use Docker.
Ensure that you synchronize the CCS Docker host and the Session Border Controller with the Network Time Protocol (NTP) server, if you use Docker.

Installation Script Prerequisites

Ensure that there is no CCS installation existing on the hardware. See the last step in this procedure for instructions.
Download the archive file (ccs-<version>.tgz) from Oracle Service Delivery Cloud at edelivery.oracle.com, which includes all of the scripts, to the host server.

Configuration Script Prerequisites

Generate the local API key and local API alternate key. See the Security Shield Security and Privacy Guide for instructions for generating keys.
Host WAN FQDN provided by the customer
Host WAN IP Address provided by the customer
Host LAN IP Address provided by the customer
Identity Domain FQDN provided by Security Shield through the Cloud Communications Service Configuration link on the Settings tab
Identity Domain ID provided by Security Shield through the Cloud Communications Service Configuration link on the Settings tab
Security Shield FQDN provided by Security Shield through the Cloud Communications Service Configuration link on the Settings tab
Security Shield Tenant ID provided by Security Shield through the Cloud Communications Service Configuration link on the Settings tab
Security Shield API Key provided by the customer (the CCS API key)
Security Shield API Key Alternate provided by the customer
CCS Client ID provided by Security Shield through the Cloud Communications Service Configuration link on the Settings tab
CCS Client Secret provided by Security Shield through the Cloud Communications Service Configuration link on the Settings tab

Activation Script Prerequisites

CCS is installed and not activated
CCS JSON configuration (cfg.json) provided by customer from prior configuration step
LAN/OAM server certificate provided by customer
LAN/OAM server private key provided by customer
LAN/OAM server signing certificate provided by customer
(Optional)—WAN server certificate provided by customer. Use when you want ground-to-cloud communication, which allows mid-call updates. Omit when you do not want cloud-to-ground communication, which does not allow mid-call updates.
(Optional)—WAN server private key provided by customer. Use when you want ground-to-cloud communication,which allows mid-call updates. Omit when you do not want cloud-to-ground communication, which does not allow mid-call updates.

Note:

See the Security Shield Security and Privacy Guide for information about certificate management and deploying CCS behind Network Address Translation (NAT) or a firewall.

Procedure

The CCS installation script sets the defaults for the LAN, WAN, and OAM server instances to the address of 0.0.0.0 and the ports to 8000, 443, and 2000, respectively. After you execute config.pl, CCS creates the cfg.json file and sets the WAN listening port to the default 443. If you provide the WAN certificate and private key in the activate.pl script configuration, the WAN listening port remains 443. If you do not provide the WAN certificate and private key, CCS changes the port to 9000.

If you modify the WAN port in cfg.json to any value other than 443 or 9000, CCS retains that value even when you provide the WAN certificate and private key. Ensure that if you change the default ports, they do not conflict with the Oracle Management Cloud Engine (OMCE) ports.

Note:

If you change the Cloud Communication Service (CCS) public IP address (WAN interface), it may take up to twenty four hours for mid-call updates to resume.

In the following procedure, wait for each script to finish running successfully before running the next one.

Note:

The Cloud Communication Service (CCS) does not support simultaneous use of the same CCS instance by different services, for example Security Shield and Oracle Session Delivery Manager Cloud (OSDMC). You must configure each CCS instance to support only one service.

Log on to the server at root.
Unpack the ccs-<version>.<build>.tgz archive.
```
tar -xvzf ccs-<version>.<build>.tgz
```
The system creates the ccs-<version> directory and copies the unpacked files there in the following directory tree.
- /opt/oracle
- /opt/oracle/ccs
- /opt/oracle/ccs/.build (hidden)
- /opt/oracle/ccs/.version (hidden)
- /opt/oracle/ccs/api
- /opt/oracle/ccs/api/KeyRsp.v1.json
- /opt/oracle/ccs/api/RegReq.v1.json
- /opt/oracle/ccs/api/RegRspv1.json
- /opt/oracle/ccs/api/TokenRsp.v1.json
- /opt/oracle/ccs/cfg
- /opt/oracle/ccs/cfg.v1.json
- /opt/oracle/ccs/img
- /opt/oracle/ccs/img/ccs-<version>.<build>.tar
- /opt/oracle/ccs/log
- /opt/oracle/ccs/perl
- /opt/oracle/ccs/perl/activate.pl
- /opt/oracle/ccs/perl/config.pl
- /opt/oracle/ccs/perl/deactivate.pl
- /opt/oracle/ccs/perl/uninstall.pl
- /opt/oracle/ccs/ssl
- /opt/oracle/ccs/ssl/ca
- /opt/oracle/ccs/ssl/ca/c_rehash
- /opt/oracle/ccs/ssl/ca/DigiCertGlobalRootCA.cer
- /opt/oracle/ccs/ssl/ca/DigiCertSHA256GlobalCaG2.cer
- /opt/oracle/ccs/ssl/ca/DigiCertSHA256GlobalRootG2.cer
- /opt/oracle/ccs/ssl/ca/DigiCertSHA2SecureServerCA.cer
At the prompt, do the following:
1. Type cd ccs-<version>, and press Enter.
2. Type ls
3. Type ./ccs-<version>.<build> /install.pl
```
# cd ccs-<version>
# ls
# ccs install.pl upgrade.pl
```

At the prompt, type ./install.pl, and press Enter.

The system checks for an existing installation and, if none exits, asks if you want to proceed with the installation.

# ./install.pl
------------------------------------------------------
Oracle Cloud Communications Service, (c) 2020 Oracle
CCS <version> activate.pl @ <date> <time>
------------------------------------------------------
Checking pre-conditions...
OK.
Use Docker or Podman (d/p) :
Proceed with install (y/n) :

Type d for Docker or p for Podman and type y.
The system installs CCS in the /opt/oracle/ directory and displays a success message upon completion.
```
Installing...
Success.
```

At the prompt, type /opt/oracle/ccs/perl/config.pl, press Enter, and specify each of the following attributes.

# /opt/oracle/ccs/perl/config.pl
-------------------------------------------------------------------------------
Oracle Cloud Communications Service, (c) 2020 Oracle
CCS <version> <build> config.pl @ <date> <time>
-------------------------------------------------------------------------------
Please specify each attribute...
Host WAN FQDN             : host-wan-fqdn
Host WAN IP address       : host-wan-IP
Host LAN IP address       : host-lan-ip
Identity Domain FQDN      : idcs-fqdn
Identity Domain ID        : idcs-tenant-id
OCSSC subscriber (y/n)    : y
Security Shield FQDN      : ocssc-fqdn
Security Shield Tenant ID : occsc-tenantid
Security Shield API Key   : ocssc-apikey
Security Shield API Key Alternate   : ocssc-apialternate-key
Security Shield CCS Client ID       : ocssc-idcs-clientid      
Security Shield CCS Client Secret   : ocssc-idcs-clientsecret
OSDMC subscriber (y/n)    : n
Proceed with config (y/n) : y
Generating local cfg.json...
Success.
# ls cfg.json
cfg.json

Host WAN FQDN

Set the host FQDN from your WAN-FQDN and Registration Client-Device-Name.

Host WAN IP address

Set the host WAN IP address. (Provided by the customer.)

Host LAN IP address

Set the host LAN IP address. (Provided by the customer.)

Identity Domain FQDN

Set the Identity Domain FQDN (Provided by Security Shield through the Cloud Communications Service Configuration link on the Settings tab.)

Identity Domain ID

Set the Identity Domain ID (Provided by Security Shield through the Cloud Communications Service Configuration link on the Settings tab.)

Security Shield subscriber (y/n)

Type y.

Security Shield FQDN

Set the OCSSC FQDN (Provided by Security Shield through the Cloud Communications Service Configuration link on the Settings tab.)

Security Shield Tenant ID

Set the OCSSC tenant ID (Provided by Security Shield through the Cloud Communications Service Configuration link on the Settings tab.)

Security Shield API Key

Set the local OCSSC API key that you generated. Valid syntax: alphanumeric. Oracle recommends using the UUID.

Security Shield API Key Alternate

Set the local OCSSC API key that you generated.

Security Shield CCS Client ID

Set the CCS Client ID (Provided by Security Shield through the Cloud Communications Service Configuration link on the Settings tab.)

Security Shield CCS Client ID Secret

Set the CCS client ID secret. (Provided by Security Shield through the Cloud Communications Service Configuration link on the Settings tab.)

OSDMC subscriber (y/n)

Type n.

After you enter "n" for OSDMC subscriber, the system asks if you want to proceed with the configuration.

Proceed with config (y/n) :

Type y, and press Enter.
The system generates the cfg.json file.
```
Generating local cfg.json...
Success.
```

At the prompt, type /opt/oracle/ccs/perl/activate.pl, and press Enter.

The system verifies that an installed CCS exists.

# /opt/oracle/ccs/perl/activate.pl
-------------------------------------------------------------------------------
Oracle Cloud Communications Service, (c) 2020 Oracle
CCS <version> <build> activate.pl @ <date> <time>
-------------------------------------------------------------------------------
Checking pre-conditions...
Ok.
Please specify import path for each file...
CCS JSON configuration              : ./cfg.json
LAN /OAM server certificate         : ./lan-cert.pem
LAN /OAM private key                : ./lan-key.pem
LAN /OAM server signing certificate : ./lan-ca-cert.pem
WAN server certificate              : ./wan-cert.pem
WAN server private key              : ./wan-key.pem
Proceed with activate (y/n) : y
Importing...
Activating...
Success.

Specify the relative or absolute path to the locations for the following files. The following example uses a relative path to the required files. You can use a file name of your own choosing,but the certificate file names must match those from the Configure TLS Certificates for the Cloud Communication Service procedure. The path is relative to wherever you choose to execute the activate.pl script.

Note:

See the Security Shield Security and Privacy Guide for information about certificates and keys.

CCS JSON configuration

./cfg/cfg.json (This is the file you generated in step 6 and 7.)

LAN /OAM server certificate

./ssl/lan-cert.pem. (Provided by the customer.)

LAN /OAM server private key

./ssl/lan-key.pem. (Provided by the customer.)

LAN /OAM server signing certificate

./ssl/lan-ca-cert.pem. (Provided by the customer.)

(Optional) WAN server certificate

To enable mid-call updates: ./ssl/wan-cert.pem. (Provided by the customer.)
To disable mid-call updates: Leave empty.

(Optional) WAN server private key

To enable mid-call updates: ./ssl/wan-key.pem. (Provided by the customer.)
To disable mid-call updates: Leave empty.

The system asks if you want to proceed with the activation.

Type: y.

The system displays the status of the activation.

Proceed with activate? y/n : y
Importing...
Activating...
Success,  ccs-<build>.<version> is up and running.

CONTAINER ID  IMAGE                                                               COMMAND              CREATED                 STATUS               PORTS            NAMES
5ab14bc101bf  example.com:/apps/cgbu/cocssc/ccs-core:ccs-<build>.<version>  --cfg=/mnt/cfg/cf...  Less than a second ago  Up Less than a second              <ccs-build>.<version>

(Optional) Use Docker or Podman to check your work.

Run the appropriate command, as shown below in the following examples.

# docker image ls
REPOSITORY                                       TAG                IMAGE ID       CREATED     SIZE
example.com:/apps/cgbu/ocssc/ccs-core    ccs-<version> <build>   74e9303190d3   12 hours ago  132MB

# podman image ls
REPOSITORY                                       TAG            IMAGE ID      CREATED      SIZE
example.com:/apps/cgbu/ocssc/ccs-core  ccs-<build>.<version>  72c445e6016a  22 hours ago  158 MB

At the prompt type: docker ps or podman ps, and press Enter to list the running images. The following code blocks show examples.

# docker ps
CONTAINER ID       IMAGE            COMMAND                CREATED       STATUS         PORTS             NAMES
0fa66a7dc1bb    74e9303190d3  "ccs.exe --config /m..."   6 hours ago   Up 3 hours                ccs-<build>.<version>

# podman ps
CONTAINER ID                            IMAGE                                      COMMAND           CREATED       STATUS        PORTS             NAMES
fc59a256efb0  example.com:/apps/cgbu/ocssc/ccs-core :ccs-<build>.<version>  --cfg=/mnt/cfg/cf...  4 minutes ago  Up 4 minutes              ccs-<build>.<version>

Configure TLS Certificates for the OCSBC

The process for configuring a certificate on the Oracle Communications Session Border Controller (OCSBC) requires the following steps.

Configure a certificate record on the SBC. See Configure a Certificate Record.
Generate a certificate request by the SBC. See Generate a Certificate Request.
Import the certificate into the SBC. See Import a Certificate Using SFTP or Import a Certificate Using the ACLI.
Reboot the system.

Configure a Certificate Record

Use the certificate-record object to add a certificate record to the Oracle® Communications Security Shield Cloud Service (Security Shield). The certificate record configuration represents either the end-entity or the Certificate Authority (CA) certificate on the Security Shield.

When you configure a certificate for the E-SBC, the name that you enter must be the same as the name that you use when you generate a certificate request. If configuring for an end stations CA certificate for mutual authentication, the certificate name must be the same name used during the import procedure.

If this certificate record is used to present an end-entity certificate, associate a private key with this certificate record by using a certificate request.
If this certificate record is created to hold a CA certificate or certificate in PKCS12 format, a private key is not required.

Access the certificate-record configuration element.

ORACLE# configure terminal
ORACLE(configure)# security
ORACLE(security)# certificate-record
ORACLE(certificate-record)#

Do the following:

name—Enter the name of the certificate record. Required.

country—Enter the name of the country. Default: U.S.

state—Enter the name of the state of for the country. Default: MA.

locality—Enter the name of the locality for the state. Default: Burlington.

organization—Enter the name of the organization holding the certificate. Default: Engineering.

unit—Enter the name of the unit for the holding the certificate within the organization.

common-name—Enter the common name for the certificate record.

key-size—Enter the size of the key for the certificate. Default:1024 Valid values: 512 | 2048 | 4096.

alternate-name—Enter the alternate name of the certificate holder.

key-usage-list—Enter the usage extensions you want to use with this certificate record. This parameter can be configured with multiple values, and it defaults to the combination of digitalSignature and keyEncipherment. For a list of possible values and their descriptions, see "Key Usage Control."

extended-key-usage-list—Enter the extended key usage extensions you want to use with this certificate record. Default: serverAuth. For a list of possible values and their descriptions, see "Key Usage Control."
Type done to save your configuration.

To verify a certificate record, see "Security" in the ACLI Configuration Guide.

Generate a Certificate Request

Using the ACLI generate-certificate-request <record-name> command allows you to generate a private key and a certificate request in PKCS10 PEM format.

Note:

You can only perform this task after you configure a certificate record.

The Oracle® Communications Security Shield Cloud Service (Security Shield) stores the private key that is generated in the certificate record configuration in 3DES encrypted form with an internally generated password. The Security Shield displays the PKCS10 request in PEM (Base64) form.

You use this command for certificate record configurations that hold end-entity certificates. If you have configured the certificate record to hold a CA certificate, then you do not need to generate a certificate request because the CA publishes its certificate in the public domain. You import a CA certificate by using the ACLI import-certficate <certficate-record-name> command.

The generate-certificate-request command sends information to the CA to generate the certificate, but you cannot have Internet connectivity from the Security Shield to the Internet. You can access the Internet through a browser such as Internet Explorer if it is available, or you can save the certificate request to a disk and then submit it to the CA.

To run the applicable command, you must use the value you entered in the name parameter of the certificate record configuration. You run the command from the main Superuser mode command line, and then save and activate the configuration.

ACMEPACKET# security certificate request acmepacket 
Generating Certificate Signing Request. This can take several 
minutes.... 

-----BEGIN CERTIFICATE REQUEST----- 

MIIB2jCCAUMCAQAwYTELMAkGA1UEBhMCdXMxCzAJBgNVBAgTAk1BMRMwEQYDVQQH 
EwpCdXJsaW5ndG9uMRQwEgYDVQQKEwtFbmdpbmVlcmluZzEMMAoGA1UECxMDYWJj 
MQwwCgYDVQQDEwNhYmMwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBALOMLHo8 
/qIOddIDVuqot0Y72l/BfH8lolRKmhZQ4e7sS+zZHzbG8phzmzhfOSECnZiA2bEo 
f+Nti7e7Uof4lLwiYl9fvhURfzhENOKThAPKPiJCzBBglTITHTYal00Cq2fj5A8B 
ZcuAHj7Vp5wP2zpz6EUTFpqTDMLVdwJGJrElAgMBAAGgOTAMBgNVHRExBRMDZGVm 
MCkGA1UdDzEiEyBkaWdpdGFsU2lnbmF0dXJlLGtleUVuY2lwaGVybWVudDANBgkq 
hkiG9w0BAQUFAAOBgQAtel4ZSLI8gqgMzodbYwgUHUGqTGeDzQDhJV5fKUXWeMFz 
JsTmWn5Gy/kR4+Nq274G14fnk00fTAfMtgQ5aL3gM43TqaPOTZjJ6qgwuRKhoBPI 
7hkovkgAxHge7wClghiAp/ELdl7tQ515k04BMd5f/fxG7nNiu8iEg7PO0OIBgg== 
-----END CERTIFICATE REQUEST----- 
WARNING: Configuration changed, run "save-config" command. 
ACMEPACKET# save config 
copying file /code/config/dataDoc.gz -> /code/config/dataDoc_3.gz 
copying file /code/config/tmp/editing/dataDoc.gz -> 
/code/config/dataDoc.gz 
Save complete 
ACMEPACKET# activate config 
activate complete

Import a Certificate Using the ACLI

For an end-entity certificate, after a certificate is generated using the ACLI security certificate request command, submit the request to a CA for generation of a certificate in PKCS7 or X509v3 format. When the certificate has been generated, you can import it into the Oracle® Communications Security Shield Cloud Service (Security Shield) using the security certificate import command.

The syntax is:

ACMEPACKET # security certificate import [try-all | pkcs7 | pkcs12 |
x509] [certificate-record file-name]

To import a certificate:

When you use the import-certificate <certificate-record-name> command, you can specify whether you want to use PKCS7, PKCS12, X509v3 format, or try all. In the command line, you enter the command, the format specification, and the name of the certificate record. The Security Shield prompts you to enter the certificate in PEM format. Paste the certificate in the ACLI. For example:

ACMEPACKET# security certificate import try-all acmepacket
The following displays:
Please enter the certificate in the PEM format.
Terminate the certificate with ";" to exit.......
-----BEGIN CERTIFICATE----
VMIIDHzCCAoigAwIBAgIIAhMCUACEAHEwDQYJKoZIhvcNAQEFBQAwcDELMAkGA1UE
BhMCVVMxEzARBgNVBAgTCkNhbGlmb3JuaWExETAPBgNVBAcTCFNhbiBKb3NlMQ4w
DAYDVQQKEwVzaXBpdDEpMCcGA1UECxMgU2lwaXQgVGVzdCBDZXJ0aWZpY2F0ZSBB
dXRob3JpdHkwHhcNMDUwNDEzMjEzNzQzWhcNMDgwNDEyMjEzNzQzWjBUMQswCQYD
VQQGEwJVUzELMAkGA1UECBMCTUExEzARBgNVBAcTCkJ1cmxpbmd0b24xFDASBgNV
BAoTC0VuZ2luZWVyaW5nMQ0wCwYDVQQDEwRhY21lMIGfMA0GCSqGSIb3DQEBAQUA
A4GNADCBiQKBgQCXjIeOyFKAUB3rKkKK/+59LT+rlGuW7Lgc1V6+hfTSr0co+ZsQ
bHFUWAA15qXUUBTLJG13QN5VfG96f7gGAbWayfOS9Uymold3JPCUDoGgb2E7m8iu
vtq7gwjSeKNXAw/y7yWy/c04FmUD2U0pZX0CNIR3Mns5OAxQmq0bNYDhawIDAQAB
o4HdMIHaMBEGA1UdEQQKMAiCBnBrdW1hcjAJBgNVHRMEAjAAMB0GA1UdDgQWBBTG
tpodxa6Kmmn04L3Kg62t8BZJHTCBmgYDVR0jBIGSMIGPgBRrRhcU6pR2JYBUbhNU
2qHjVBShtqF0pHIwcDELMAkGA1UEBhMCVVMxEzARBgNVBAgTCkNhbGlmb3JuaWEx
ETAPBgNVBAcTCFNhbiBKb3NlMQ4wDAYDVQQKEwVzaXBpdDEpMCcGA1UECxMgU2lw
aXQgVGVzdCBDZXJ0aWZpY2F0ZSBBdXRob3JpdHmCAQAwDQYJKoZIhvcNAQEFBQAD
gYEAbEs8nUCi+cA2hC/lM49Sitvh8QmpL81KONApsoC4Em24L+DZwz3uInoWjbjJ
QhefcUfteNYkbuMH7LAK0hnDPvW+St4rQGVK6LJhZj7/yeLXmYWIPUY3Ux4OGVrd
2UgV/B2SOqH9Nf+FQ+mNZOlL7EuF4IxSz9/69LuYlXqKsG4=
-----END CERTIFICATE-----;
Certificate imported successfully....
WARNING: Configuration changed, run "save-config" command.

Enter save-config to save the configuration.

ACMEPACKET# save-config
copying file /code/config/dataDoc.gz -> /code/config/dataDoc_3.gz 
copying file /code/config/tmp/editing/dataDoc.gz -> 
/code/config/dataDoc.gz 
Save complete

Enter activate-config to activate as the current configuration.
```
ACMEPACKET# activate-config
activate complete
```
Note:
For importing a certificate using SFTP, see the Security section of the ACLI Configuration Guide for your Security Shield model.

Import a Certificate Using SFTP

You can put the certificate file in the directory /ramdrv and execute the import-certificate command, or you can paste the certificate in PEM/Base64 format into the ACLI. If you paste the certificate, you may have to copy and paste it a portion at a time, rather than pasting the whole certificate at once.

SFTP the certificate file to the Oracle® Communications Security Shield Cloud Service (Security Shield) (directory /ramdrv). For the following example, suppose the name of the certificate file is cert.pem.

When the certificate is successfully transferred to the Security Shield, run the import-certificate command.

The syntax is:

ACMEPACKET# import-certificate [try-all|pkcs7|x509] [certificate-record file-name]

Example results:

ACMEPACKET# import-certificate try-all acme cert.pem
Certificate imported successfully....
WARNING: Configuration changed, run "save-config" command.

Save the configuration.

ACMEPACKET# save-config
Save-Config received, processing.
waiting 1200 for request to finish
Request to 'SAVE-CONFIG' has Finished,
Save complete
Currently active and saved configurations do not match!
To sync & activate, run 'activate-config' or 'reboot activate'.

Synchronize and activate the configurations.

ACMEPACKET# activate-config
Activate-Config received, processing.
waiting 120000 for request to finish
Add LI Flows
LiSysClientMgr::handleNotifyReq
H323 Active Stack Cnt:  0
Request to 'ACTIVATE-CONFIG' has Finished,
Activate Complete
ACMEPACKET#

Configure the Session Border Controller for the Security Shield Service

Specify the following information on the Session Border Controller (SBC) to complete the Oracle® Communications Security Shield Cloud Service (Security Shield) installation by setting security parameters and SPL options for communications between the SBC and Oracle® Communications Security Shield Cloud Service components.

Prerequisites

Create the TLS profile that you want to use for the Security Shield HTTP client and server. See "Configure a TLS Profile" in the ACLI Configuration Guide.
Create the authentication profile that you want to use for the Security Shield HTTP client and server. See the "Security" chapter in the ACLI Configuration Guide.
Install the Security Shield SPL plug-in, which is included in the CCS download package. See Add the Security Shield SPL Plug-in.

Procedure

Go to Configuration on the SBC.

Go to System, HTTP Client, and set the following parameters.

Name

Set the name of the HTTP client.

State

Set to enable. Default: Enable.

Realm

Set the name of the realm to send requests on.

IP Address

Set the IP address of the HTTP client.

TLS Profile

Set the TLS profile that want this HTTP client to use.

Auth Profile

Set the name of the authentication profile that you want the HTTP client to use.

Go to System, HTTP Server, and set the following parameters.

Name

Set the name of the HTTP server.

State

Set to enable. Default: Enable.

Realm

Set the name of the realm to send requests on.

IP Address

Set the IP address of the HTTP server.

Inactivity Timeout

Specify the amount of time for the system to wait before timing out for inactivity. Default: 5 minutes. Valid values: 0-20 minutes.

HTTP State

Set to enable HTTP.

HTTP Port

Set the number of the HTTP port. Default: 80. Valid values: 1-65535.

Caution: Do not use port 80 for Cz8.3.0.x Enterprise releases. Port 80 conflicts with the appweb server settings, resulting in unexpected behavior. Specify a different HTTP port here.

HTTPS State

Set to enable HTTPS.

HTTPS Port

Set the number of the HTTPS port. Default: 443. Valid values: 1-65535.

Caution: Do not use port 443 for Cz8.3.0.x Enterprise releases. Port 443 conflicts with the appweb server settings, resulting in unexpected behavior. Specify a different HTTPS port here. This restriction does not apply to any Enterprise releases newer than 8.3.x, for example 8.4.x and 9.x.x.

TLS Profile

Set the TLS profile that you want this HTTP server to use.

Auth Profile

Set the name of the authentication profile that you want the HTTP server to use.

Go to Security, Authentication Profile, and set the following parameters.

Name

Set the name for this profile.

Authentication Scheme

Set the authentication scheme. Default: Bearer.

Pre-shared Key

Set the encrypted password for this profile.

Go to Media Manager, Realm Config, SPL Options, and add ocssEnabled to enable the Security Shield service in the security lookups for each realm that you want to use the Security Shield service.
Under Session Router, SIP Config, SPL Options enter the ocss-service-address for each CCS instance (up to three) in curly brackets. Note : {ipAddr1:port1; httpClientConfigName} can repeat up to a total of three times for three different CCSes with different IP:port options and optionally different httpClient Names (you can use the same client for all three CCSes).
The SPL Option
```
ocss-server-config=httpServerConfigName ,ocss-service-address={ipAddr1:port1;
      httpClientConfigName} {ipAddr2:port2; httpClientConfigName} {ipAddr3:port3; httpClientConfigName3}
```
Configured Example
```
ocss-service-address={192.168.100.105:8060;httpClientConf}{192.168.100.106:8050;httpClientConf}{192.168.100.107:8000;httpClientConf2},ocss-server-config=httpServerConf
```

Next steps

Log on to theSecurity Shield Dashboard and customize the threat protection settings. See "Customize theSecurity Shield Autonomous Threat Protection Settings" in the Security Shield User's Guide.
Log on to the Security Shield Dashboard and create managed phone number lists. See the "Add Phone Numbers to Policy Rules" in the Security Shield User's Guide.

Support for On-Premises Resilience and High Availability

You can configure the Session Border Controller (SBC) to connect to as many as three Cloud Communication Service (CCS) instances simultaneously to provide resilience and continuity of service when one or more CCS instances stops responding or the SBC loses connectivity to CCS or the Oracle® Communications Security Shield Cloud Service (Security Shield).

Connectivity

The SBC tests connectivity all the way to the Security Shield application by sending a "connection check" message to Security Shield through each of the CCS configured instances at one-second intervals. The SBC allows a maximum of 500ms (round trip) for the response from Security Shield before marking the check test as unsuccessful. After three consecutive unsuccessful connection check tests, Security Shield removes the CCS from use for lookup requests. Security Shield continues sending connection check requests to the removed CCS at the specified interval. When Security Shield receives a successful connection check response, the SBC returns the CCS the pool of available CCS instances.

Lookup Requests

Security Shield selects only one CCS for lookup requests, even when more than one CCS is available. For every lookup request, using the CCS configuration order as the prioritized search order, the SBC searches for the first CCS in service and chooses it for sending the request. The SBC always attempts to use the highest priority CCS instance for requests. As CCS instances move in and out of service, there may be transient periods where the SBC sends requests to different CCS instances in the SBC configuration.

Note:

The SBC uses the "hunt" strategy for selection based on the order in which you configured the CCS instances in the SBC configuration.

SBC to CCS Registrations

The SBC registers with only one CCS at a time. Using the same priority list used for lookup requests, the SBC registers with the highest priority CCS available. When the CCS registered to the SBC does not pass the connection check and is taken out of service, the SBC hunts for another CCS. As seen in the Device Status tile on the Security Shield Dashboard, the SBC registration will move from one CCS to another and its registration time will update. Each SBC registration is independent of any other SBC. It is possible that even with identical prioritization of CCS instances in their configurations, SBCs in your network may temporarily register with different CCS instances.

CCS Registration

The CCS registers directly with Security Shield and reports any registered SBCs. Upon completion of the initial registration with Security Shield, the CCS sends periodic registration updates at ten second intervals with one exception. The exception occurs when there are changes to an SBC registration, which results in an immediate CCS registration update to Security Shield.

When registered, the CCS registration time does not update on the Security Shield Device Status tile unless the registration expires. If the registration expires because Security Shield does not receive a registration refresh, the next registration request received by Security Shield results in updating the registration time with the current time.

Device Status and the Activity Log

On the Security Shield Dashboard, the Device Status tile refreshes the registration status of devices at ten second intervals. The following example of the Device Status tile shows the types of information provided.

This screen capture shows the Device Status tile on the Security Shield Dashboard. From left to right the columns are Device Name, Type, Software Version, Initial Registration, Status, and Action.

Be aware that although changes are occurring at the SBC and CCS instance, it is possible that the changes do not appear in the Device Status tile at the moment you view the tile due to the ten second refresh rate. Topology changes, even those that revert quickly, for example in less than one second, will display in the activity log. The following example of the Activity Log shows topology changes noted in the Category column. The Object ID and Action columns display additional information about the topology changes.

This screen capture shows the activity log. From left to right the columns are Timestamp, User, Category, Object ID, and Action.

Configuration

To configure connections to the CCS, you must specify the ocss-service-address for the CCS instances you want connected to the SBC. From either the ACLI or the Web GUI, go to Configuration, Session Router, sip-config, spl-options. In the spl-options field, enter the ocss-service-address for each CCS instance.

You can configure an HTTPS Client for each instance, which allows you to use different clients for connectivity with each CCS including specific certificates for each CCS.

The following example shows the configuration for supporting three CCS instances, where each instance is enclosed in curly brackets. Note that 192.168.100.105;httpClientConf is the CCS LAN side IP address that the Session Border Controller will try to connect to using the HTTP client configuration "httpClientConf".

ocss-service-address={192.168.100.105:8060;httpClientConf}{192.168.100.106:8050;httpClientConf}{192.168.100.107:8000;httpClientConf2},ocss-server-config=httpServerConf