1 Introduction to S-Cz9.0.0
- Specifications of supported platforms, virtual machine resources, and hardware requirements
- Overviews of the new features and enhancements
- Summaries of known issues, caveats, limitations, and behavioral changes
- Details about upgrades and patch equivalency
- Notes about documentation changes, behavioral changes, and interface changes
Supported Platforms
The Oracle Communications Session Border Controller (SBC) can run on a variety of physical and virtual platforms. It can also be run in public cloud environments. This section lists all supported platforms and high level requirements.
Supported Physical Platforms
The Oracle Communications Session Border Controller can be run on the following hardware platforms.
Acme Packet Platforms
- Acme Packet 3900
- Acme Packet 3950
- Acme Packet 4600
- Acme Packet 4900
- Acme Packet 6100
- Acme Packet 6300
- Acme Packet 6350
- Virtual Platforms
- Acme Packet 4600
- Acme Packet 6100
- Acme Packet 6300
- Netra Server X5-2
- Oracle Server X7-2
- Oracle Server X8-2
- Virtual Platforms
Supported Private Virtual Infrastructures and Public Clouds
The SBC can be run on the following Private Virtual Infrastructures, which include individual hypervisors as well as private clouds based on architectures such as VMware or Openstack.
Note:
The SBC does not support automatic, dynamic disk resizing.Note:
Virtual SBCs do not support media interfaces when media interfaces of different NIC models are attached. Media Interfaces are supported only when all media interfaces are of the same model, belong to the same Ethernet Controller, and have the same PCI Vendor ID and Device ID.Supported Hypervisors for Private Virtual Infrastructures
Oracle supports installation of SBC on the following hypervisors:
- KVM: Linux kernel version 3.10.0-123 or later, with KVM/QEMU (2.9.0_16 or later) and libvirt (3.9.0_14 or later)
- VMware: vSphere ESXi (Version 6.5 or later)
Compatibility with OpenStack Private Virtual Infrastructures
Oracle distributes Heat templates for the Newton and Pike versions of OpenStack. Use the Newton template when running either the Newton or Ocata versions of OpenStack. Use the Pike template when running Pike or a later version of OpenStack.
Supported Public Cloud Platforms
The SBC can be run on the following public cloud platforms.
- Oracle Cloud Infrastructure (OCI) - After
deployment, you can change the shape of your machine by, for example, adding
disks and interfaces. OCI Cloud Shapes and options validated in this release are
listed in the table below.
Shape OCPUs/VCPUs vNICs Tx/Rx Queues Max Forwarding Cores DoS Protection VM.Standard1.4 4/8 4 2 2 Y VM.Standard1.8 8/16 8 2 2 Y VM.Standard1.16 16/32 16 2 2 Y VM.Standard2.4 4/8 4 2 2 Y VM.Standard2.8 8/16 8 2 2 Y VM.Standard2.16 16/32 16 2 2 Y Networking using image mode [SR-IOV mode - Native] is supported on OCI. PV and Emulated modes are not currently supported.
- Amazon Web Services (EC2) - This table lists the AWS (ECs) instance sizes that apply to the SBC.
Instance Type vCPUs Memory (GB) Max NICs c5.xlarge 4 8 4 c5.2xlarge 8 16 4 c5.4xlarge 16 32 8 c5.9xlarge 36 72 8 c5.12xlarge 48 96 8 c5.18xlarge 72 144 15 c5n.xlarge 4 10.5 4 c5n.2xlarge 8 21 4 c5n.4xlarge 16 42 8 c5n.9xlarge 36 96 8 c5n.18xlarge 72 192 15 Driver support detail includes:
- ENA is supported on C5/C5n family only.
Note:
C5 instances use the Nitro hypervisor. - Microsoft Azure - The following table lists the
Azure instance sizes that you can use for the SBC.
Size (Fs series) vCPUs Memory Max NICs Standard_F4s 4 8 4 Standard_F8s 8 16 8 Standard_F16s 16 32 8 Size vCPUs Memory Max NICs Standard_F8s_v2 8 16 4 Standard_F16s_v2 16 32 4 Size types define architectural differences and cannot be changed after deployment. During deployment you choose a size for the OCSBC, based on pre-packaged Azure sizes. After deployment, you can change the detail of these sizes to, for example, add disks or interfaces. Azure presents multiple size options for multiple size types.
Azure sizes that support and expose hyperthreading to the user includes the version 2, F series.
For higher performance and capacity on media interfaces, use the Azure CLI to create a network interface with accelerated networking. You can also use the Azure GUI to enable accelerated networking.
Note:
The SBC does not support Data Disks deployed over any Azure instance sizes.Note:
v2 instances have hyperthreading enabled.Platform Hyperthreading Support
Of the supported hypervisors, only VMware does not expose SMT capability to the SBC. Of the supported clouds, OCI, AWS, and, for their FS-v2 sized, Azure enable SMT by default and expose it to the SBC.
DPDK Reference
The SBC relies on DPDK for packet processing and related functions. You may reference the Tested Platforms section of the DPDK release notes available at https://doc.dpdk.org. This information can be used in conjunction with this Release Notes document for you to set a baseline of:
- CPU
- Host OS and version
- NIC driver and version
- NIC firmware version
Note:
Oracle only qualifies a specific subset of platforms. Not all the hardware listed as supported by DPDK is enabled and supported in this software.- 20.11
Requirements for Machines on Private Virtual Infrastructures
In private virtual infrastructures, you choose the compute resources required by your deployment. This includes CPU core, memory, disk size, and network interfaces. Deployment details, such as the use of distributed DoS protection, dictate resource utilization beyond the defaults.
Default VSBC Resources
The default compute for the SBC image files is as follows:
- 4 CPU Cores
- 8 GB RAM
- 20 GB hard disk (pre-formatted)
- 8 interfaces as follows:
- 1 for management (wancom0 )
- 2 for HA (wancom1 and 2)
- 1 spare
- 4 for media
Interface Host Mode for Private Virtual Infrastructures
The SBC VNF supports interface architectures using Hardware Virtualization Mode - Paravirtualized (HVM-PV):
- ESXi - No manual configuration required.
- KVM - HVM mode is enabled by default. Specifying PV as the interface type results in HVM plus PV.
Supported Interface Input-Output Modes for Private Virtual Infrastructures
- Para-virtualized
- SR-IOV
- PCI Passthrough
- Emulated - Emulated is supported for management interfaces only.
Supported Ethernet Controller, Driver, and Traffic Type based on Input-Output Modes
Note:
Virtual SBCs do not support media interfaces when media interfaces of different NIC models are attached. Media Interfaces are supported only when all media interfaces are of the same model, belong to the same Ethernet Controller, and have the same PCI Vendor ID and Device ID.For KVM and VMware, accelerated media/signaling using SR-IOV and PCI-pt modes are supported for the following card types.
Ethernet Controller | Driver | SR-IOV | PCI Passthrough |
---|---|---|---|
Intel 82599 / X520 / X540 | ixgbe | M | M |
Intel i210 / i350 | igb | M | M |
Intel X710 / XL710 | i40e | M | M |
Intel X710 / XL710 / XXV710 | i40e, i40enFoot 1, iavfFoot 2 | M | M |
Mellanox Connect X-4 | mlx5 | M | M |
Footnote 1 This driver is not supported on KVM.
Footnote 2 iavf driver is support in SR-IOV n/w mode
For PV mode (default, all supported hypervisors), the following virtual network interface types are supported. You can use any make/model NIC card on the host as long as the hypervisor presents it to the VM as one of these vNIC types.
Virtual Network Interface | Driver | W/M |
---|---|---|
Emulated | e1000 | W |
KVM (PV) | virtio | W/M |
Hyper-V (PV) | NetVSC | M |
VMware (PV) | VMXNET3 | W/M |
Emulated NICs do not provide sufficient bandwidth/QoS, and are suitable for use as management only.
- W - wancom (management) interface
- M - media interface
Note:
Accelerated media/signaling using SR-IOV (VF) or PCI-pt (DDA) modes are not currently supported for Hyper-V when running on Private Virtual Infrastructures.CPU Core Resources for Private Virtual Infrastructures
The SBC S-Cz9.0.0 VNF requires an Intel Core i7 processor or higher, or a fully emulated equivalent including 64-bit SSSE3 and SSE4.2 support.
If the hypervisor uses CPU emulation (for example, qemu), Oracle recommends that you set the deployment to pass the full set of host CPU features to the VM.
PCIe Transcoding Card Requirements
For virtual SBC (vSBC) deployments, you can install an Artesyn SharpMedia™ PCIe-8120 media processing accelerator with either 4, 8, or 12 DSPs in the server chassis in a full-height, full-length PCI slot to provide high density media transcoding.
- VMWare and KVM are supported
- PCIe-pass-through mode is supported
- Each vSBC can support 2 PCIE 8120 cards and the server can support 4 PCIE 8120 cards.
- Each PCIe-8120 card supports only one vSBC instance
- Do not configure transcoding cores for software-based transcoding when using a PCIe media card.
Oracle Communications Session Router Recommendations for Netra and Oracle Servers
Oracle recommends the following resources when operating the OCSR, release S-Cz9.0.0 over Netra and Oracle Platforms.
Hardware recommendations for Netra Server X5-2
Processor | Memory |
---|---|
2 x Intel Xeon E5-2699 v3 CPUs | 32GB DDR4-2133 |
Hardware recommendations for Oracle Server X7-2
Processor | Memory |
---|---|
2 x 18-core Intel Xeon 6140 | 32GB DDR4 SDRAM |
Hardware recommendations for Oracle Server X8-2
Processor | Memory |
---|---|
2x 24-core Intel Platinum 8260 | 32GB DDR4 SDRAM |
Image Files and Boot Files
This software version distribution provides multiple products, based on your setup product configuration.
For Acme Packet Platforms
Use the following files for new installations and upgrades on Acme Packet platforms.
- Image file:
nnSCZ900.bz
- Bootloader file:
nnSCZ900.boot
For Virtual Platforms
This S-Cz9.0.0 release includes distributions suited for deployment over hypervisors. Download packages contain virtual machine templates for a range of virtual architectures. Use the following distributions to the Session Border Controller as a virtual machine:
nnSCZ900-img-vm_ovm.ova
—Open Virtualization Archive (.ova) distribution of the SBC VNF for Amazon EC2.nnSCZ900-img-vm_kvm.tgz
—Compressed image file including SBC VNF for KVM virtual machines, Oracle Cloud Infrastructure (OCI), EC2 Nitro, and AWS C4 and C5 instances.nnSCZ900-img-vm_vmware.ova
—Open Virtualization Archive (.ova) distribution of the SBC VNF for ESXi virtual machines.nnSCZ900p4_HOT.tar.gz
—The Heat Orchestration Templates used with OpenStack.nnSCZ900p4_tfStackBuilder.tar.gz
—The Terraform templates used to create an AWS AMI.
Each virtual machine package includes:
- Product software—Bootable image of the product allowing startup and operation as a virtual machine. Example formats include vmdk and qcow2.
usbc.ovf
—XML descriptor information containing metadata for the overall package, including identification, and default virtual machine resource requirements. The .ovf file format is specific to the supported hypervisor.legal.txt
—Licensing information, including the Oracle End-User license agreement (EULA) terms covering the use of this software, and third-party license notifications.
For Oracle Platforms supporting the Session Router
Use the following files for new installations and upgrades on COTS platforms.
- Image file:
nnSCZ900.bz
- Bootloader file:
nnSCZ900.boot
Image Files for Customers Requiring Lawful Intercept
Deployments requiring Lawful Intercept (LI) functionality must use the LI-specific image files. These image files are available in a separate media pack on MOS and OSDC. LI-specific image files can be identified by the "LI" notation before the file extension.
All subsequent patches follow naming conventions with the LI modifier.
Boot Loader Requirements
All platforms require the Stage 3 boot loader that accompanies the Oracle Communications Session Border Controller image file, as distributed. Install the boot loader according to the instructions in the Installation and Platform Preparation Guide.
Setup Product
Note:
The availability of a particular feature depends on your entitlements and configuration environment.ORACLE# setup product
--------------------------------------------------------------
WARNING:
Alteration of product alone or in conjunction with entitlement
changes will not be complete until system reboot
Last Modified
--------------------------------------------------------------
1 : Product : Uninitialized
Enter 1 to modify, d' to display, 's' to save, 'q' to exit. [s]: 1
Product
1 - Session Border Controller
2 - Session Router - Session Stateful
3 - Session Router - Transaction Stateful
4 - Subscriber-Aware Load Balancer
5 - Enterprise Session Border Controller
6 - Peering Session Border Controller
Enter choice : 1
Enter 1 to modify, d' to display, 's' to save, 'q' to exit. [s]: s
save SUCCESS
Note:
When configuring an HA pair, you must provision the same product type and features on each system.Upgrade Information
Supported Upgrade Paths (OCSBC, OESBC and OCSR)
The OCSBC, OESBC and the OCSR support the following in-service (hitless) upgrade and rollback paths:
- S-Cz8.2.0 to S-Cz9.0.0
- S-Cz8.3.0 to S-Cz9.0.0
- S-Cz8.4.0 to S-Cz9.0.0
- S-Cz8.4.0p3 to S-Cz9.0.0
- S-Cz8.4.0p5C (and newer) to S-Cz9.0.0
Note:
Do not upgrade to S-Cz9.0.0 directly from S-Cz8.4.0p4, S-Cz8.4.0p5 or any S-Cz8.4.0p5 OOC patches up to S-Cz8.4.0p5B. If running these versions, upgrade to S-Cz8.4.0p5C before upgrading to S-Cz9.0.0.
When upgrading to this release from a release older than the previous release, read all intermediate Release Notes for notification of incremental changes.
Upgrade Checklist
Before upgrading the Oracle Communications Session Border Controller software:
- Obtain the name and location of the target software image file from either Oracle Software Delivery Cloud, https://edelivery.oracle.com/, or My Oracle Support, https://support.oracle.com, as applicable.
- Provision platforms with the Oracle Communications Session Border Controller image file in the boot parameters.
- Run the check-upgrade-readiness command and examine its output for any recommendations or requirements prior to upgrade.
- Verify the integrity of your configuration using the ACLI verify-config command.
- Back up a well-working configuration. Name the file descriptively so you can fall back to this configuration easily.
- Refer to the Oracle Communications Session Border Controller Release Notes for any caveats involving software upgrades.
- Do not configure an entitlement change on the Oracle Communications Session Border Controller while simultaneously performing a software upgrade. These operations must be performed separately.
Upgrade and Downgrade Caveats
The following items provide key information about upgrading and downgrading with this software version.
Note:
Upgrading to this Release from releases earlier than S-Cz8.4.0:The S-Cz8.4.0 release included significant changes that hardened the security posture of the SBC. These changes required your careful evaluation regarding functionality when upgrading to S-Cz8.4.0. These changes are also applicable to customers upgrading from releases prior to S-Cz8.4.0 to this release. Take care to review this information in the S-Cz8.4.0 Release Notes: Upgrade and Downgrade Caveats
Upgrading to S-Cz9.0.0 with IKEv2 LI Tunnels
An HA upgrade to S-Cz9.0.0, when configured with LI Tunnels using IKEv2, can cause IPSec tunnels to fail if an IPsec rekey initiated from a peer has resulted in the IPSec SAs being out of sync across the HA pair. After an upgrade with these conditions, these LI tunnels do not function on the Active node.
Prior to upgrading these deployments determine whether the IKEv2/IPsec SA's are in sync on the Active and Standby node by running the ACLI command show security ipsec sad <network-interface>:vlan detail and check whether the SPI's are same on both the Active and standby node.
- If they are in sync, proceed with the upgrade.
- If the IPsec SA's are not in sync across the HA nodes, perform the
following procedure:
- If enabled, disable x2-keep-alive from the LI shell. (See procedures in LI documentation.)
- Upgrade the Standby node to S-Cz9.0.0.
- Wait until the pair reaches HA state.
- Configure the Active node to boot to S-Cz9.0.0. (Do not reboot this device yet.)
- Delete tunnels on the Active node, which is still running
the older software version, using one of the following commands from the
CLI
root.
security ipsec delete ike-interface <ike-interface IP address> all
security ipsec delete tunnel destIP <ipsec tunnels destination ip> spi <inbound spi>
- Ensure that tunnel(s) were deleted from both nodes. (If
necessary run this command one more time for any new
spi.)
show security ipsec sad <network interface name> detail
- Reboot the Active node.
- If the IKE interface is in INITIATOR mode, execute the
ping command to the applicable IPSec
endpoints on the newly Active (S-Cz9.0.0) node to establish new
tunnels.
If the IKE interface is in RESPONDER mode, have peers restart tunnels instead of executing the ping command.
- Upon completion of boot cycle of the standby node, verify HA state and proper tunnel synchronization.
Two downgrade procedures are presented below.
- Rollback after full Upgrade:
- HA pair is in highly available state with 840p1 version
- Reboot Standby node with downgraded version
- Wait until highly available state established
- Delete tunnels on the Active node using one of the following
commands from the CLI
root.
security ipsec delete ike-interface <ike-interface IP address> all
security ipsec delete tunnel destIP <ipsec tunnels destination ip> spi <inbound spi>
- Ensure that tunnel(s) were deleted from both nodes. (If
necessary run this command one more time for any new
spi.)
show security ipsec sad <network interface name> detail
- Reboot the Active node.
- If the IKE interface is in INITIATOR mode, execute the ping
command to the applicable IPSec endpoints on the newly Active
(Downgraded) node to establish new tunnels.
If the IKE interface is in RESPONDER mode, have peers restart tunnels instead of executing the ping command.
- Upon completion of boot cycle verify HA state and proper tunnel synchronization.
- Rollback after Upgrading the active node only:
- HA pair is in highly available state with Active node 9.0.0 and Standby node with old version
- Configure boot table on Active node with rollback version
- Delete tunnels on the Active node using one of the
following commands from the CLI
root.
security ipsec delete ike-interface <ike-interface IP address> all
security ipsec delete tunnel destIP <ipsec tunnels destination ip> spi <inbound spi>
- Ensure that tunnel(s) were deleted from both nodes. (If
necessary run this command one more time for any new
spi.)
show security ipsec sad <network interface name> detail
- Reboot the Active node.
- If the IKE interface is in INITIATOR mode, execute the ping
command to the applicable IPSec endpoints on the newly Active node to
establish new tunnels.
If the IKE interface is in RESPONDER mode, have peers restart tunnels instead of executing the ping command.
- Upon completion of boot cycle of verify HA state and proper tunnel synchronization
SSH Keys
Before upgrading from a pre-8.4 release to this release, delete any imported
public keys using the ssh-pub-key delete <key-name>
command.
Because the commands for SSH key management changed between 8.3 and 8.4, you will
not be able to delete old 8.3-type SSH keys using 8.4 (or later) commands. After
upgrading, re-import any required public keys. For example, if your SBC pushes records to an SFTP server, import
that server's public key as a known host.
If you're upgrading from 8.4 and you didn't previously import the public keys of your SFTP server, import them as a known-host key. Any public keys imported in 8.4 will be available in 9.0.
See "Manage SSH Keys" in the Configuration Guide.
TSCF Configurations from Prior Software Versions
A TSCF configuration that was present on your system before upgrade to this S-Cz9.0.0 release and above, which do not support TSM, may still be present in the configuration file if you do not remove it manually before upgrade. The system does not apply these TSCF configurations on a non-TSM release.
If you subsequently downgrade to a TSM supported release, however, the system applies the TSCF configuration.
Although there is no operational impact, Oracle recommends that you manually remove the TSCF configuration before you upgrade to a non-TSM supported release. If working with an HA pair, be sure your TSM configuration and feature setup is synchronized across the pair during an upgrade. Refer to the procedures in “Setting Up Product-Type, Features and Functionality” and “Setup Features on an HA Pair" in the ACLI configuration Guide.
Acme Packet 3950/4900 Slots
- 4 media interfaces: s0p0, s0p1, s0p2, and s0p3
- 2 10G interfaces: s0p4 and s0p5
- The optional TDM interface: s2p0
Because there is no slot 1, do not copy over a configuration which contains a phy-interface element that uses slot 1 unless you delete and reconfigure the phy-interfaces.
Encrypting the Surrogate Agent Password
If upgrading from any version prior to S-CZ8.4.0p5, run the spl
save acli encr-surrogate-passwords
command to save the surrogate-agent
passwords in an encrypted format. Later versions do not require this command.
- Run
backup-config
on both the active and standby SBC. - Upgrade the release on the standby SBC.
- Perform a failover so that the standby becomes the active.
- Encrypt surrogate-agent passwords on the new active SBC with the
command:
spl save acli encr-surrogate-passwords
- Upgrade the release on the new standby SBC.
You do not need to run the same spl
command on the new
standby SBC because it will sync with the
new active SBC.
Upgrade Version Caveat from Session Delivery Manager
The Session Delivery Manager cannot direct upgrades from SCZ910p6, SCZ900p8 or SCZ900p9 for HA deployments. See Knowledge Document # 2952935.1 for a detailed explanation.
Feature Entitlements
You enable the features that you purchased from Oracle, either by self-provisioning using the setup entitlements command, or installing a license key at the system, license configuration element.
This release uses the following self-provisioned entitlements and license keys to enable features.
The following table lists the features you enable with the setup entitlements command.
Feature | Type |
---|---|
Accounting | boolean |
Admin Security | boolean |
ANSSI R226 Compliance | boolean |
BFD | boolean |
IMS-AKA Endpoints | Integer |
IPSec Trunking Sessions | Integer |
IPv4 - IPv6 Interworking | boolean |
IWF (SIP-H323) | boolean |
Load Balancing | boolean |
MSRP B2BUA Sessions | Integer |
Policy Server | boolean |
Quality of Service | boolean |
Routing | boolean |
SIPREC Session Recording | boolean |
STIR/SHAKEN Client | boolean |
SRTP Sessions | Integer |
Transcode Codec AMR Capacity | Integer |
Transcode Codec AMRWB Capacity | Integer |
Transcode Codec EVRC Capacity | Integer |
Transcode Codec EVRCB Capacity | Integer |
Transcode Codec EVS Capacity | Integer |
Transcode Codec OPUS Capacity | Integer |
Transcode Codec SILK Capacity | Integer |
Feature | Type |
---|---|
Lawful Intercept | boolean |
R226 SIPREC | boolean |
The following tables lists the features for the Oracle Communications' Session Router (SR) you enable with the setup entitlements command. When setting up an SR, you choose between either the Session Stateful or the Transaction Stateful Session Routers. The Enterprise Session Router entitlements are the same.
This first SR table lists entitlements for the Session Stateful Session Router.
Feature | Type |
---|---|
Session Capacity | Number of sessions |
Accounting | Enabled or Disabled |
Load Balancing | Enabled or Disabled |
Policy Server | Enabled or Disabled |
Admin security | Enabled or Disabled |
ANSII R226 Compliance | Enabled or Disabled |
Data Integrity (FIPS 140-2 ) | Enabled or Disabled |
Note:
Do not enable the FIPS entitlement for the Oracle Session Router, service provider product.This second SR table lists entitlements for the Transaction Stateful Session Router.
Feature | Type |
---|---|
MPS Capacity | Number of sessions |
Admin security | Enabled or Disabled |
ANSII R226 Compliance | Enabled or Disabled |
Data Integrity (FIPS 140-2 ) | Enabled or Disabled |
Load Balancing | Enabled or Disabled |
Note:
Do not enable the FIPS entitlement for the Oracle Session Router, service provider product.Encryption for Virtual SBC
You must enable encryption for virtualized deployments with a license key. The following table lists which licenses are required for various encryption use cases.
Feature | License Key |
---|---|
IMS-AKA Endpoints | IPSec |
IPSec Trunking | IPSec |
SRTP Sessions | SRTP |
Transport Layer Security Sessions | TLS Foot 3 |
MSRP | TLS |
Footnote 3 The TLS license is only required for media and signaling. TLS for secure access, such as SSH, HTTPS, and SFTP is available without installing the TLS license key.
To enable the preceding features, you install a license key at the system, license configuration element. Request license keys at the License Codes website at http://www.oracle.com/us/support/licensecodes/acme-packet/index.html.
After you install the license keys, you must reboot the system to see them.
Upgrading To S-Cz9.0.0 From Previous Releases
When upgrading from a previous release to S-Cz9.0.0, your encryption entitlements carry forward and you do not need to install a new license key.
System Capacities
System capacities vary across the range of platforms that support the Oracle Communications Session Border Controller. To query the current system capacities for the platform you are using, execute the show platform limits command.
Transcoding Support
Based on the transcoding resources available, which vary by platform, different codecs may be transcoded from- and to-.
Platform | Supported Codecs (by way of codec-policy in the add-on-egress parameter) |
---|---|
|
|
|
Note that the pooled transcoding feature on the VNF uses external transcoding SBC, as defined in "Co-Product Support," for supported SBC for the Transcoding-SBC (T-SBC) role. |
Footnote 4 Hardware-based EVS SWB and EVS FB transcoding is supported for decode-only.
Coproduct Support
The following products and features run in concert with the Oracle Communications Session Border Controller (SBC) for their respective solutions. Oracle Communications Session Router support is also provided below. Contact your Sales representative for further support and requirement details.
Oracle Communications Operations Manager
- 4.2.0
- 4.3.0
- 4.4.0
Oracle Communications Session Delivery Manager
- 8.2.3
Note:
Customers who wish to run release S-Cz9.0.0 and higher need to load an updated XSD into OCSDM. This file can be found by searching My Oracle Support for Patch ID 32887468, which is the NNC-OCSDM XSD file for SCz9.0.0 with SDM 8.2.2/8.2.3.Oracle Communications Subscriber Aware Load Balancer
This S-Cz9.0.0 SBC release can interoperate as a cluster member with the following versions of the Subscriber Aware Load Balancer:
- Acme Packet 6100: S-Cz8.3.0
- v-SLB: S-Cz8.4.0, S-Cz9.0.0
Pooled Transcoding
- Acme Packet 4500: S-Cz7.4.0
- Acme Packet 4600: S-Cz8.3.0, S-Cz8.4.0
- Acme Packet 6300: S-Cz8.3.0, S-Cz8.4.0
- Acme Packet 6350: S-Cz8.3.0, S-Cz8.4.0
- Virtual Platforms with Artesyn SharpMedia™: S-Cz8.2.0, S-Cz8.3.0, S- Cz8.4.0, S-Cz9.0.0
- All platforms supported by the following releases: S-Cz8.2.0, S-Cz8.3.0, S-Cz8.4.0
- Acme Packet 4500 running S-Cz7.4.0
Oracle Communications Session Router and SDM
- 8.2.3
Oracle Communications Session Router and Operations Manager
- 4.2.0
- 4.3.0
- 4.4.0
TLS Cipher Updates
Note the following changes to the DEFAULT cipher list.
- TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
- TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
- TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
- TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
- TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
- TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
- TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
- TLS_RSA_WITH_AES_256_CBC_SHA256
- TLS_RSA_WITH_AES_256_GCM_SHA384
- TLS_RSA_WITH_AES_128_GCM_SHA256
- TLS_RSA_WITH_AES_128_CBC_SHA
- TLS_RSA_WITH_AES_128_CBC_SHA256
- TLS_RSA_WITH_3DES_EDE_CBC_SHA
- TLS_RSA_WITH_NULL_SHA256 (debug only)
- TLS_RSA_WITH_NULL_SHA (debug only)
- TLS_RSA_WITH_NULL_MD5 (debug only)
- TLS_DHE_RSA_WITH_AES_256_CBC_SHA
- TLS_RSA_WITH_AES_256_CBC_SHA
- TLS_DHE_RSA_WITH_AES_128_CBC_SHA
- TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
To configure TLS ciphers, use the cipher-list attribute in the tls-profile configuration element.
WARNING:
When you set tls-version to either tlsv1 or tlsv11 and you want to use ciphers that Oracle considers not secure, you must manually add them to the cipher-list attribute.Note:
The default is TLSv1.2. Oracle supports TLS1.0 and TLS1.1 for backward compatibility, only, and they may be deprecated in the future. TLS 1.0 is planned to be deprecated in the next release.Documentation Changes
The following information lists and describes the changes made to the Oracle Communications Session Border Controller (SBC) documentation set for S-Cz9.0.0.
TSM Documentation
All TSM documentation is removed due to the feature being deprecated.
Platform Preparation and Installation Guide
The vSBC configuration and operation descriptions are moved from the Platform Preparation and Installation Guide to the System Configuration chapter of the ACLI Configuration Guide. This consolidates vSBC information.
An appendix has been added with reference information for users who want to deploy Heat templates on versions of OpenStack newer than Pike.
A new section has been added with reference to deploying on Azure with accelerated networking in Public Cloud Platforms chapter.
Accounting Guide
The Accounting Guide is re-organized to present the same content it presented before more clearly and effectively.
Security Guide
Known Issues and Caveats
Oracle has moved the Known Issues and Caveats section from the Release Notes to its own publication titled Oracle Communications Session Border Controller Known Issues S-Cz9.0.0.
Behavioral Changes
The following information documents the behavioral changes to the Oracle Communications Session Border Controller (SBC) in this software release.
SSH Keys
A new ssh-key command was introduced in 8.4. We recommended customers use this command to import public keys. In 9.0, however, customers must use the ssh-key command to manage SSH keys. For example, if you have an SFTP server that you push logs to, you must import your logging server's public key as a known host on the SBC.
TOS Configuration
By default, the SBC no longer passes DSCP codes in ingress packets to egress packets. You must configure a media-policy with desired TOS changes and affix those policies to the realms on which you want to define egress types of service. Without a media-policy, the SBC includes the default DSCP code, CS0 (Hex 0x00), as the DSCP code to all egress media packets.
Patches Included in This Release
The following information assures you that when upgrading, the S-Cz9.0.0 release includes defect fixes from neighboring patch releases.
Neighboring Patches Included
- S-Cz740m2p9
- S-Cz800p10
- S-Cz810m1p25B
- S-Cz810m1p26
- S-Cz810m1p18D
- S-Cz820p8
- S-Cz830m1p11
- S-Cz840p3
- S-Cz840p4
- S-Cz840p5
Supported SPL Engines
The S-Cz9.0.0 release supports the following SPL engine versions: C2.0.0, C2.0.1, C2.0.2, C2.0.9, C2.1.0, C2.1.1, C2.2.0, C2.2.1, C2.3.2, C3.0.0, C3.0.1, C3.0.2, C3.0.3, C3.0.4, C3.0.6, C3.0.7, C3.1.0, C3.1.1, C3.1.2, C3.1.3, C3.1.4, C3.1.5, C3.1.6, C3.1.7, C3.1.8, C3.1.9, C3.1.10, C3.1.11, C3.1.12, C3.1.13, C3.1.14, C3.1.15, C3.1.16, C3.1.17, C3.1.18, C3.1.19, C3.1.20, C3.1.21.