Sun Microsystems, Inc.  Oracle System Handbook - ISO 7.0 May 2018 Internal/Partner Edition

Asset ID: 1-71-1679579.1
Update Date: 2018-05-04

Solution Type: Technical Instruction

Solution 1679579.1: How to Configure the SBC as a Probe for Oracle Communications Session Monitor (Palladion), using the comm-monitor Feature


Related Items
  • Acme Packet 6300
  • Acme Packet 4500
  • Acme Packet 1100
  • Acme Packet Legacy Platform Software
  • Oracle Communications Session Monitor
Related Categories
  • PLA-Support>Sun Systems>CommsGBU>Session Delivery Network>SN-SND: Acme Session Monitoring




In this Document
Goal
Solution
 Basic setup
 Notes regarding Voice Quality
 Interim QOS (10 seconds chunks) reports
 Set up encrypted communication between SBC and Palladion ME
 APPENDIX: How to sign your own certificates
 Q&As
 Does SBC as a probe work if the SIP packets are encrypted with TLS?


Applies to:

Acme Packet Legacy Platform Software - Version D-Cz2.0.0 and later
Acme Packet 6300 - Version S-Cz7.1.2 and later
Oracle Communications Session Monitor - Version 3.3.90 to 4.0 [Release 3.0 to 4.0]
Acme Packet 1100 - Version E-Cz7.3.0 to E-Cz8.1.0 [Release E-Cz7.0 to E-Cz8.0]
Acme Packet 4500 - Version S-Cx6.4.x and later
Acme Packet OS

Goal

 This document outlines the procedure for enabling the SBC to work as a probe for Oracle Communications Session Monitor (Palladion), using the "comm-monitor" configuration.  It then continues with in-depth notes on monitoring Voice Quality, QoS, and enabling encryption between the components.

Solution

Basic setup

Before you start: if you want to send data to OCSM over a network interface other than wancom0 (that is, a media interface), make sure that the media interface has at least one realm attached to it. Otherwise the SBC cannot establish the connection, because without a realm the interface has no access-list entry for the OCSM target and all incoming traffic on it is blocked.

1. Log in to the SBC and type 'enable' to enter Superuser (configuration) mode, then:

    'configure terminal'
    'system'
    'system-config'
    'select'
    'comm-monitor'
    'select'
    'state enabled'
    'monitor-collector'
    'address 1.2.3.4' replacing the IP with the IP address of your OCSM ME
    'port 4739'
    'network-interface wancom0:0'
    'done'
    'exit' which will return you to the comm-monitor section
    'qos-enable enabled'
    'sbc-grp-id 0'
    'done'
    'exit' which will return you to the system-config section
    'exit' taking you to system
    'exit' again to the configure terminal section
    'save'
    'activate-config'

2. If you are using version 3.3.70.0.0 or later on the OCSM/Palladion Mediation Engine (ME), you can choose to leave the communication unencrypted (for this, enable "Accept unsecure connections from SBCs" under https://IP/setup/ -> Trusted Certificate) or set up encrypted communication between SBC and Palladion ME (see below). Bear in mind that with the unencrypted option the IPFIX stream carrying the signalling and QoS data crosses the network in the clear, so outside a lab the TLS setup is the one to use.

IMPORTANT: You should NOT configure the corresponding SBC manually in ME -> Settings -> Probes. As soon as the SBC connects to the ME, the entry is automatically populated in the Probes list, as displayed below:

[screenshot: sbc_as_probe]

Note also that the probe type differs: the SBC shows up as an embedded probe, whereas a Palladion probe is a standalone one.

NOTE: If using ECZ750 or later, as per the Release Notes at:

https://docs.oracle.com/cd/E85013_01/doc/esbc_ecz750_releasenotes.pdf

====
Comm Monitor

ID   Description

26260953      Enabling and adding Comm Monitor config for the first time can create a situation where the monitoring traffic (IPFIX
packets) does not reach the Enterprise Operations Monitor.


Workaround: Reboot the system.

====

Notes regarding Voice Quality

1. If you would like to see the MOS values for the calls coming from the SBC in OCSM/Palladion:

1.1 Make sure the respective realms have qos-enable set to enabled. To check:

    'show configuration realm-config'

    (...)
            qos-enable                              enabled
    (...)

1.2 Make sure that you have QOS licensed on your SBC:

If you used a license key to activate the SBC license you can check this with command:

'show features'
Total session capacity: 150
Enabled features:
      ..., QOS, ...

If you used "setup product"/"setup entitlements" to provision the SBC, you can check whether QOS is included with the command:

# show entitlements
Provisioned Entitlements:
-------------------------
Session Border Controller Base : enabled
Session Capacity : 32000
Accounting : enabled
IPv4 - IPv6 Interworking : enabled
IWF (SIP-H323) : enabled
Load Balancing : enabled
Policy Server : enabled
Quality of Service : enabled   <---------------
Routing : enabled
SIPREC Session Recording : enabled
IMS-AKA Endpoints : 0
IPSec Trunking Sessions : 0
MSRP B2BUA Sessions : 0

Note that starting with version 7.2.0 you can self-provision Quality of Service, if you have purchased it, by running "setup product"/"setup entitlements".

1.3 Check that the SBC is equipped with a QOS-enabled NIU.

If you have an Oracle SBC 1100, 4600, 6100 or 6300 you can skip this step - for these products, all NIUs are QOS enabled by default, and QOS will not show in the output of  'show prom-info all'

'show prom-info all'
...
Contents of PHY
     Assy, 4 Port SFP with QOS       <--------------- for Oracle SBCs other than 1100, 4600, 6100 or 6300, check for QOS here
     Oracle Part Number: 00000000
     Oracle Rev: 00
     Acme Packet Part Number: 002-0616-58
     Serial Number: 151404040712
     FunctionalRev: 03.10
     BoardRev: 03.00
     PCB Family Type: Quad port GiGE SFP PHY
     ID: 4 Port GiGE w/QoS            <---------------
     Format Rev: 16
     Options: 0
     Manufacturer: Unknown manufacturer
     Week/Year: 04/2014
     Sequence Number: 040712

If QOS is enabled and set up correctly, you will be able to see the MOS in the Calls list of OCSM/Palladion:

[screenshot: sbc_mos.png]

And if you double-click on the call you can see more voice quality-related information under the Voice Quality tab:

[screenshot: vq_mos.png]

2. Note that the voice quality for calls coming from the SBC will not show up under the Voice Quality tab unless 'Interim QOS reports' are enabled (see the next chapter for details):

[screenshot: vq.png]

This tab shows the voice quality for calls coming from dedicated OCSM/Palladion probes, and for SBC probes only when the OCSM and SBC versions support the 'Interim QOS reports'.

3. Note that if you double-click on a call coming from the SBC, the Voice Quality Details tab will be empty unless 'Interim QOS reports' are enabled (see the next chapter for details).

[screenshot: vq_detail.png]

This tab shows the voice quality details for calls coming from dedicated OCSM/Palladion probes, and for SBC probes only when the OCSM and SBC versions support the 'Interim QOS reports'.

4. There is a known issue regarding VQ with several recent versions of SBC/ESBC and OCSM versions lower than 3.3.92.0.0. If the SBC/ESBC has been set up as explained above and VQ is not working, upgrade your OCSM to the latest version (or any version starting from 3.3.92.0.0).

5. The VQ reports from the SBC do not support streams for which latching is disabled, because in that case the SBC has no access to the stream's source IP address (the media flows completely independently of the host subsystem). The most common cases in which latching is disabled for a stream are:

- latching is globally disabled in media-manager
- latching is globally enabled in media-manager, but has been dynamically disabled for a specific stream; this happens, for example, when media was successfully negotiated for a call and the source of the media flow subsequently changed (e.g. through a re-INVITE)

Here is how to tell whether latching is disabled for a particular call/stream:

a) While the call/stream is established, execute the following command on the SBC: show nat by-addr <src IP> <dest IP> (<dest IP> is optional)
b) The previous command outputs the flow information together with index numbers.
c) Execute the following command: show nat by-index <start index> <end index>. The <start index> and <end index> should be the index(es) output in step (b). If only one index was output in step (b), specify the same value for <start index> and <end index>.

If this output shows Flow type: Unresolved non-latching media flow (MEDIA) and the Src IP:Port is 0.0.0.0, latching is disabled for this stream.

------------------------------------------------------------------------------ 
test_SBC# show nat by-add 11.11.11.3 
 
Index   Prot   Intf:Vlan  Src IP:Port                   Dst IP:Port 
------------------------------------------------------------------------------ 
341     udp    I=0/2:0    0.0.0.0:0                     10.81.24.60:16620 
               O=0/0:999  11.11.11.3:16580              192.34.115.112:19189 
test_SBC# show nat by-index 341 341 
-------------------------------------------------------------------------------- 
NAT host index (ppx flow id) 341, flowId 0x155 : 
Flow type: Unresolved latching media flow (MEDIA) 
KEY: src info   : 0.0.0.0/0 : 0/0 
KEY: dst info   : 10.81.24.60/32 : 16620/15 
KEY: ingres info: slot/port 0/2 (intf 2),  vlan 0,  proto udp(17) 
   
RES:  src result: sa 11.11.11.3 : 16580 
RES:  dst result: da 192.34.115.112 : 19189

Interim QOS (10 seconds chunks) reports

Starting from version 3.3.92.0.0 of OCSM, support for interim QOS reports was added. With this feature the SBC sends VQ reports to the OCSM MEs every 10 seconds, similar to the reports sourced from OCSM probes, which makes the following available:

  • 10 second chunks reports in the 'Media Quality Details' tab in the
  • Voice Quality graph showing the overall MOS level statistics
  • RTP flows shown as arrows when viewing the flow diagram of calls that have not finished yet

Please note what is needed on the SBC side for this feature:

  • only supported on the 3900, 4600 and 6300 platforms
  • available on the Enterprise stream (version names with Ecz) starting from version ECZ730m1p1 (ECZ750p1 or later is required for the 3900), AND on the Scz stream starting from the S-CZ8.0.0p1 release
  • needs enabling using a new config element called 'interim-qos-update' under system > system-config > comm-monitor

Here is how to turn the interim QOS reports on (assuming point 1 of the Basic setup chapter was already done):

'configure terminal'
'system'
'system-config'
'select'
'comm-monitor'
'select'
'interim-qos-update enabled'
'done'
'done'
'exit'
'exit'
'exit'
'save'
'activate-config'

Set up encrypted communication between SBC and Palladion ME

If you want to secure the communication between SBC and Palladion ME, you can have it encrypted over TLS by following the steps below. For each node (SBC, Palladion ME) you create a certificate signing request, have it signed, and then upload the signed certificate to that node. You can use a third-party Certificate Authority to sign your certificates or, if you want to sign them yourself, follow the steps described in the Appendix at the bottom of this document.

On the SBC command line, verify that the TLS feature is licensed (look for 'Software TLS' in the output of 'show features'), then create the SBC certificate record by executing the commands below:

# show features
Total session capacity: 250
Enabled features:
250 sessions, SIP, H323, IWF, QOS, ACP, Routing, Load Balancing,
High Availability, Software TLS, ENUM, DoS, IDS,
IDS Advanced, Session Recording, Policy Director

# configure terminal
(configure)# security
(security)# certificate-record
(certificate-record)# name tls-ocsm
(certificate-record)# country DE
(certificate-record)# state Berlin
(certificate-record)# locality Berlin
(certificate-record)# organization OCSM
(certificate-record)# common-name vSBC
(certificate-record)# key-size 2048
(certificate-record)# done
certificate-record
name tls-ocsm
country DE
state Berlin
locality Berlin
organization OCSM
unit
common-name vSBC
key-size 2048
alternate-name
trusted enabled
key-usage-list digitalSignature
keyEncipherment
extended-key-usage-list serverAuth
options
last-modified-by admin@10.165.125.250
last-modified-date 2014-09-30 13:33:53

(certificate-record)# exit
(security)# exit
(configure)# exit
# generate-certificate-request tls-ocsm
Generating Certificate Signing Request. This can take several minutes....

-----BEGIN CERTIFICATE REQUEST-----
MIICxTCCAa0CAQAwTTELMAkGA1UEBhMCREUxDzANBgNVBAgTBkJlcmxpbjEPMA0G
A1UEBxMGQmVybGluMQ0wCwYDVQQKEwRPQ1NNMQ0wCwYDVQQDEwR2U0JDMIIBIjAN
BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAqAVRRdyAPmmoP+7qzw7tRSENJgpf
kaGndO/XCUbH28PGU9wpoHFQ864Qli1v4svImdGGKekQKAQYFFQ2g4T+0Vk9BYCJ
PWRgL97KyQfufuSIXrKH4rauXyqM7Bqjp/m3muhxiC0ooikfg/Q9x7bnbyfBwm23
2iXhkhrr/4sDK8rq3Ef0KpmsJtCudj0+MCVjqyPi1mAI2EVLBHhiI5ZCdbtc/Bbi
G+GO/Ofz7RSmi6C9aieRcT9oHorYJCbR2SyV51gOEKM0eNhMlzn4Q7l0r9g80SOh
ueI1ZtdMfqrXcO7JtRP/mWtLfWSGE/HWciZMO85ntPMDrdJmu7KlZscVKQIDAQAB
oDMwMQYJKoZIhvcNAQkOMSQwIjALBgNVHQ8EBAMCBaAwEwYDVR0lBAwwCgYIKwYB
BQUHAwEwDQYJKoZIhvcNAQEFBQADggEBAIKgzlI/0c9YsOlEmYaGPYJk7U6sFPQI
/AnXU3VZemc88JeHL8NDtJrJgvXaz3zInmsL2QUxw2rs+Okd8+GFtzwXVIki1ezz
mBwp8GxKvdPtHFolMkz49UV0BcklIAajI4sjPcqsfmi3qFai04u+L8wpfXoeCxpt
eC5TC59OEhm6Q/s6jDcZatRM0zMHGi13VqpoW/GMO6E4MqxEF9ekMU4Luvv+qBC5
2WApHmL5bGHAJDjxEfz/9azOaXUhVyiOoa8ILNQRs352WcXx46j0pys9TiHwlwFQ
cocVZk3FbUb3Vme5M83dnmkxg5Gog83lnW5RdLEoVTXGo9tF/t3KOEc=
-----END CERTIFICATE REQUEST-----

WARNING: Configuration changed, run "save-config" command.
# save-config
checking configuration
Save-Config received, processing.
waiting for request to finish
Request to 'SAVE-CONFIG' has Finished,
Save complete
Currently active and saved configurations do not match!
To sync & activate, run 'activate-config' or 'reboot activate'.
# activate-config
Activate-Config received, processing.
waiting for request to finish
Request to 'ACTIVATE-CONFIG' has Finished,
Activate Complete 

Sign the Certificate Request (you can have it signed with a Certificate Authority or see 'APPENDIX: How to sign your own certificates' below). Import the signed certificate:

# import-certificate try-all tls-ocsm


IMPORTANT:
Please enter the certificate in the PEM format.
Terminate the certificate with ";" to exit.......

-----BEGIN CERTIFICATE-----
<paste the signed SBC certificate, in PEM format, here>
-----END CERTIFICATE-----;

Certificate imported successfully....
WARNING: Configuration changed, run "save-config" command.

# save-config
# activate-config 

Create a corresponding tls-profile. The defaults shown in the output below (cipher-list ALL, tls-version compatibility) accept any cipher suite and whatever TLS version the peer offers; the handshake log further down in this document negotiates TLS 1.0. Once the connection is confirmed working, restrict cipher-list and tls-version to the strongest settings that both your SBC release and the ME support.

# configure terminal
(configure)# security
(security)# tls-profile
(tls-profile)# name tls-ocsm
(tls-profile)# end-entity-certificate tls-ocsm
done
tls-profile
name tls-ocsm
end-entity-certificate tls-ocsm
trusted-ca-certificates
cipher-list ALL
verify-depth 10
mutual-authenticate disabled
tls-version compatibility
options
cert-status-check disabled
cert-status-profile-list
ignore-dead-responder disabled
last-modified-by admin@10.165.125.250
last-modified-date 2014-09-30 13:39:42
(tls-profile)#
(tls-profile)# exit
(security)# exit
(configure)# exit
# save-config
# activate-config 

Create a certificate entry for the Certificate Authority

# configure terminal
(configure)# security
(security)# certificate-record
(certificate-record)# name OCSM-Root-CA
(certificate-record)# country DE
(certificate-record)# state Berlin
(certificate-record)# locality Berlin
(certificate-record)# organization OCSM
(certificate-record)# common-name "OCSM Root CA"
(certificate-record)# key-size 2048
(certificate-record)# done
certificate-record
name OCSM-Root-CA
country DE
state Berlin
locality Berlin
organization OCSM
unit
common-name OCSM Root CA
key-size 2048
alternate-name
trusted enabled
key-usage-list digitalSignature
keyEncipherment
extended-key-usage-list serverAuth
options
last-modified-by admin@10.165.125.250
last-modified-date 2014-09-30 18:29:56 

Import the certificate of the Certificate Authority used to sign your certificate requests (cacert.pem if you are signing your own certificates):

# import-certificate try-all OCSM-Root-CA


IMPORTANT:
Please enter the certificate in the PEM format.
Terminate the certificate with ";" to exit.......

-----BEGIN CERTIFICATE-----
<paste the Certificate Authority certificate, in PEM format, here>
-----END CERTIFICATE-----
;

Certificate imported successfully....
WARNING: Configuration changed, run "save-config" command.

# save-config
# activate-config

Add the Certificate Authority name to the trusted Certificate Authority field in the tls-profile created for connecting to Palladion ME 

# configure terminal
(configure)# security
(security)# tls-profile
(tls-profile)# select
<name>:
1: name=tls-ocsm

selection: 1
(tls-profile)# trusted-ca-certificates OCSM-Root-CA

(tls-profile)# done
tls-profile
name tls-ocsm
end-entity-certificate tls-ocsm
trusted-ca-certificates OCSM-Root-CA
cipher-list ALL
verify-depth 10
mutual-authenticate disabled
tls-version compatibility
options
cert-status-check disabled
cert-status-profile-list
ignore-dead-responder disabled
last-modified-by admin@10.165.125.250
last-modified-date 2014-09-30 19:55:36

(tls-profile)#

On the Palladion ME side, you need to have the Palladion ME certificate request signed and to load the Certificate Authority certificate into Palladion as a trusted certificate.

Go to the PSA (https://<IP address>/setup/) and download the Certificate Signing Request via Server Certificate -> Download request.

After you have had the request signed, upload the signed certificate using field 3 (press the Browse button). Verify that the certificate authority is properly displayed in the details tab at the bottom of the page.

[screenshot: tls_server_cert]

Next, in the PSA, go to the Trusted Certificate tab and upload your Certificate Authority certificate (the cacert.pem file if you are following the guide in the Appendix and signing your own certificates).

[screenshot: tls_trusted_cert]

Now configure the SBC with the right information to connect to the Palladion server, as follows.

# configure terminal
(configure)# system
(system)# system-config
(system-config)# select
(system-config)# comm-monitor
(comm-monitor)# select
(comm-monitor)# tls-profile tls-ocsm
(comm-monitor)# monitor-collector
(monitor-collector)# address <palladion serverIP address>
(monitor-collector)# port 4740
(monitor-collector)# network-interface wancom0:0
(monitor-collector)# done
(comm-monitor)# done
comm-monitor
state enabled
sbc-grp-id 0
tls-profile tls-ocsm
qos-enable enabled
monitor-collector
address 10.165.75.213
port 4740
network-interface wancom0:0
(comm-monitor)#

Note: if the configuration uses a media network interface in comm-monitor to connect to OCSM (e.g. M00, M10, etc.), make sure that there is at least one realm associated with that network interface. This is what lets the interface populate a proper access-list entry for the OCSM target IP and establish the connection.

Save and activate the configuration on the SBC once more to trigger connection establishment; you should then see the SBC connected as a probe over TLS in the Palladion Settings -> Probes page.

[screenshot: tls_probe_connected]

You can also verify this from the log on the SBC (the log level must be at least INFO for the lines below to be written). The log shows the ME's certificate chain being checked against the trusted CA in the tls-profile, the ME requesting a client certificate (CertificateRequest) and the SBC answering with its own certificate, so both sides end up authenticated:

# show logfile log.commMonitord

Sep 30 13:31:04.216 [SERVICE] TLS:InitializeTLSSession, cipher is set to ALL: in tls profile: tls-ocsm
Sep 30 13:31:04.216 [CONFIG] ACTIVATE-CONFIG Version 86 DONE; elapsed=0.777
Sep 30 13:31:04.217 [SERVICE] TLS Handshake: client >>> TLS 1.0 Handshake[length 004b], ClientHello
Sep 30 13:31:04.218 [SERVICE] TLS Handshake: client <<< TLS 1.0 Handshake[length 0051], ServerHello
Sep 30 13:31:04.218 [SERVICE] TLS Handshake: client <<< TLS 1.0 Handshake[length 06cb], Certificate
Sep 30 13:31:04.219 [SERVICE] Depth:1 Cert Subject DN:/C=DE/L=Berlin/O=OCSM_CA/CN=OCSM Root CA
Sep 30 13:31:04.219 [SERVICE] Cert Issuer: /C=DE/L=Berlin/O=OCSM_CA/CN=OCSM Root CA
Sep 30 13:31:04.219 [SERVICE] TLS (VerifyCallback): self-signed cert is allowed.
Sep 30 13:31:04.219 [SERVICE] TLS (VerifyCallback): Found trusted CA with subject dn:/C=DE/L=Berlin/O=OCSM_CA/CN=OCSM Root CA, issuer dn:/C=DE/L=Berlin/O=OCSM_CA/CN=OCSM Root CA
Sep 30 13:31:04.219 [SERVICE] ptls->checkTrust: cert /C=DE/L=Berlin/O=OCSM_CA/CN=OCSM Root CA matches a trusted cert in TLS profile tls-ocsm
Sep 30 13:31:04.219 [SERVICE] TLS (VerifyCallback): CA cert: /C=DE/L=Berlin/O=OCSM_CA/CN=OCSM Root CA is trusted
Sep 30 13:31:04.219 [SERVICE] Depth:1 Cert Subject DN:/C=DE/L=Berlin/O=OCSM_CA/CN=OCSM Root CA
Sep 30 13:31:04.219 [SERVICE] Cert Issuer: /C=DE/L=Berlin/O=OCSM_CA/CN=OCSM Root CA
Sep 30 13:31:04.219 [SERVICE] TLS (VerifyCallback): certificate at chain depth 1 is trusted.
Sep 30 13:31:04.219 [SERVICE] Depth:0 Cert Subject DN:/CN=10.165.75.213
Sep 30 13:31:04.219 [SERVICE] Cert Issuer: /C=DE/L=Berlin/O=OCSM_CA/CN=OCSM Root CA
Sep 30 13:31:04.219 [SERVICE] TLS (VerifyCallback): certificate at chain depth 0 is trusted.
Sep 30 13:31:04.219 [SERVICE] TLS Handshake: client <<< TLS 1.0 Handshake[length 0054], CertificateRequest
Sep 30 13:31:04.219 [SERVICE] TLS Handshake: client <<< TLS 1.0 Handshake[length 0004], ServerHelloDone
Sep 30 13:31:04.219 [SERVICE] TLS Handshake: client >>> TLS 1.0 Handshake[length 06f2], Certificate
Sep 30 13:31:04.220 [SERVICE] TLS Handshake: client >>> TLS 1.0 Handshake[length 0106], ClientKeyExchange
Sep 30 13:31:04.242 [SERVICE] TLS Handshake: client >>> TLS 1.0 Handshake[length 0106], CertificateVerify
Sep 30 13:31:04.242 [SERVICE] TLS Handshake: client >>> TLS 1.0 ChangeCipherSpec[length 0001]
Sep 30 13:31:04.242 [SERVICE] TLS Handshake: client >>> TLS 1.0 Handshake[length 0010], Finished
Sep 30 13:31:04.249 [SERVICE] TLS Handshake: client <<< TLS 1.0 ChangeCipherSpec[length 0001]
Sep 30 13:31:04.249 [SERVICE] TLS Handshake: client <<< TLS 1.0 Handshake[length 0010], Finished
Sep 30 13:31:04.249 [SERVICE] CommMonitorSocket : CheckAndRecvTLS, TLS Recv return SUCCESS, connected

APPENDIX: How to sign your own certificates

If you are not using an established Certificate Authority, you can sign your own certificates. Take care with the specific parameters used here, since a simple typo may cause the communication between SBC and Palladion ME to fail. If you are using a third-party CA, you just send them the certificate requests and they provide you with the signed certificates.

On a Linux system, make sure the openssl command-line tool is installed.

$ mkdir openssl_cert && cd openssl_cert
$ cp /etc/ssl/openssl.cnf openssl_ocsm.cnf

$ vim openssl_ocsm.cnf

[ CA_default ]

dir = ./OCSM_CA

[ policy_match ]

stateOrProvinceName = optional
organizationName = optional

# The signing policy lives in [ policy_match ], not in [ CA_default ]: attributes marked "match" must be identical in the CA certificate and in the request, so any attribute that differs between them (here ST and O, since the CA is created as O=OCSM_CA while the SBC request carries O=OCSM) has to be set to "optional". Adjust this to the requests you are signing; you may need to mark additional attributes as optional. Attributes that do not appear in the policy at all (localityName in the stock file) are silently dropped from the signed certificate.

[ req ]
default_bits = 2048

[ req_distinguished_name ]
localityName_default = Berlin

0.organizationName_default = OCSM_CA

$ mkdir OCSM_CA && cd OCSM_CA
$ chmod 700 .
$ mkdir certs private newcerts csr
$ echo 01 > serial
$ touch index.txt

# Generate a private key for your certificate authority -- you have to select a passphrase to encrypt your private key with
$ openssl req -new -x509 -days 3650 -extensions v3_ca -keyout private/cakey.pem -out cacert.pem -config ../openssl_ocsm.cnf
Generating a 2048 bit RSA private key
...............................................................................+++
...............................................................................................+++
writing new private key to 'private/cakey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [DE]:
State or Province Name (full name) [Some-State]:.
Locality Name (eg, city) [Berlin]:
Organization Name (eg, company) [OCSM_CA]:
Organizational Unit Name (eg, section) []:.
Common Name (e.g. server FQDN or YOUR name) []:OCSM Root CA
Email Address []:.

# Go back to the openssl_cert directory and copy the certificate request printed by the SBC (the output of generate-certificate-request) to a local file
$ cd ..
$ vim ./OCSM_CA/csr/vSBC.csr
-----BEGIN CERTIFICATE REQUEST-----
<paste the certificate request printed by the SBC here>
-----END CERTIFICATE REQUEST-----

# Sign the certificate request (you will be prompted for the CA key passphrase and asked to confirm the signing)
$ openssl ca -config openssl_ocsm.cnf -out OCSM_CA/certs/vSBC.cert -infiles OCSM_CA/csr/vSBC.csr

$ cat ./OCSM_CA/certs/vSBC.cert
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 1 (0x1)
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=DE, ST=Some-State, L=Berlin, O=OCSM_CA
Validity
Not Before: Sep 30 12:45:06 2014 GMT
Not After : Sep 30 12:45:06 2015 GMT
Subject: C=DE, ST=Berlin, O=OCSM, CN=vSBC
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:a8:05:51:45:dc:80:3e:69:a8:3f:ee:ea:cf:0e:
ed:45:21:0d:26:0a:5f:91:a1:a7:74:ef:d7:09:46:
c7:db:c3:c6:53:dc:29:a0:71:50:f3:ae:10:96:2d:
6f:e2:cb:c8:99:d1:86:29:e9:10:28:04:18:14:54:
36:83:84:fe:d1:59:3d:05:80:89:3d:64:60:2f:de:
ca:c9:07:ee:7e:e4:88:5e:b2:87:e2:b6:ae:5f:2a:
8c:ec:1a:a3:a7:f9:b7:9a:e8:71:88:2d:28:a2:29:
1f:83:f4:3d:c7:b6:e7:6f:27:c1:c2:6d:b7:da:25:
e1:92:1a:eb:ff:8b:03:2b:ca:ea:dc:47:f4:2a:99:
ac:26:d0:ae:76:3d:3e:30:25:63:ab:23:e2:d6:60:
08:d8:45:4b:04:78:62:23:96:42:75:bb:5c:fc:16:
e2:1b:e1:8e:fc:e7:f3:ed:14:a6:8b:a0:bd:6a:27:
91:71:3f:68:1e:8a:d8:24:26:d1:d9:2c:95:e7:58:
0e:10:a3:34:78:d8:4c:97:39:f8:43:b9:74:af:d8:
3c:d1:23:a1:b9:e2:35:66:d7:4c:7e:aa:d7:70:ee:
c9:b5:13:ff:99:6b:4b:7d:64:86:13:f1:d6:72:26:
4c:3b:ce:67:b4:f3:03:ad:d2:66:bb:b2:a5:66:c7:
15:29
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
BC:77:62:E5:87:97:9A:F8:1D:5D:C4:F0:10:4B:BE:02:82:90:72:50
X509v3 Authority Key Identifier:
keyid:8E:56:3A:7A:E6:30:0C:3F:A6:DC:97:F7:AC:61:27:CA:8E:51:19:D1

Signature Algorithm: sha256WithRSAEncryption
23:ca:b7:36:73:54:70:d8:df:72:e3:e7:a4:e7:82:a8:64:e9:
9d:1c:b8:dd:6e:c6:1f:50:02:b6:ac:9a:83:4c:f4:8c:48:43:
a0:29:6d:8c:e4:0b:bf:d3:9e:d2:27:18:3d:38:4d:56:2d:0b:
bf:a4:3e:3b:05:68:d0:39:85:1c:70:e8:19:15:0e:ae:15:df:
ee:6f:be:61:85:ff:54:0b:d3:38:01:f7:bb:e7:71:21:54:d8:
2d:7d:65:12:7c:d3:c3:77:2e:bd:2f:7d:5c:ca:74:97:b1:09:
87:92:c6:50:4a:67:2c:7e:bc:20:de:2f:8f:c5:9f:46:d0:ed:
b5:5a:36:a1:32:d0:eb:fd:8d:16:44:73:4d:c7:4d:de:a6:51:
73:38:55:76:b1:fa:1d:92:e9:4a:69:ca:1e:ef:01:b9:42:ce:
af:32:b5:40:d1:5a:db:f3:a0:cd:c2:2b:9f:c8:f9:9a:f4:ea:
54:45:9b:35:32:e2:6c:45:24:29:aa:7a:6a:95:a7:45:81:db:
46:f1:dc:b7:aa:44:cb:b0:64:3b:61:a0:ea:ba:80:d9:8a:ef:
87:de:c0:ee:31:ed:b2:da:32:c0:75:f6:03:a6:ef:a7:54:ba:
2b:c3:f2:8b:fc:5f:c7:67:0b:34:b6:ea:80:46:f5:b0:1a:41:
bb:f0:07:e0
-----BEGIN CERTIFICATE-----
MIIDdzCCAl+gAwIBAgIBATANBgkqhkiG9w0BAQsFADBFMQswCQYDVQQGEwJERTET
MBEGA1UECAwKU29tZS1TdGF0ZTEPMA0GA1UEBwwGQmVybGluMRAwDgYDVQQKDAdP
Q1NNX0NBMB4XDTE0MDkzMDEyNDUwNloXDTE1MDkzMDEyNDUwNlowPDELMAkGA1UE
BhMCREUxDzANBgNVBAgTBkJlcmxpbjENMAsGA1UEChMET0NTTTENMAsGA1UEAxME
dlNCQzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKgFUUXcgD5pqD/u
6s8O7UUhDSYKX5Ghp3Tv1wlGx9vDxlPcKaBxUPOuEJYtb+LLyJnRhinpECgEGBRU
NoOE/tFZPQWAiT1kYC/eyskH7n7kiF6yh+K2rl8qjOwao6f5t5rocYgtKKIpH4P0
Pce2528nwcJtt9ol4ZIa6/+LAyvK6txH9CqZrCbQrnY9PjAlY6sj4tZgCNhFSwR4
YiOWQnW7XPwW4hvhjvzn8+0UpougvWonkXE/aB6K2CQm0dksledYDhCjNHjYTJc5
+EO5dK/YPNEjobniNWbXTH6q13DuybUT/5lrS31khhPx1nImTDvOZ7TzA63SZruy
pWbHFSkCAwEAAaN7MHkwCQYDVR0TBAIwADAsBglghkgBhvhCAQ0EHxYdT3BlblNT
TCBHZW5lcmF0ZWQgQ2VydGlmaWNhdGUwHQYDVR0OBBYEFLx3YuWHl5r4HV3E8BBL
vgKCkHJQMB8GA1UdIwQYMBaAFI5WOnrmMAw/ptyX96xhJ8qOURnRMA0GCSqGSIb3
DQEBCwUAA4IBAQAjyrc2c1Rw2N9y4+ek54KoZOmdHLjdbsYfUAK2rJqDTPSMSEOg
KW2M5Au/057SJxg9OE1WLQu/pD47BWjQOYUccOgZFQ6uFd/ub75hhf9UC9M4Afe7
53EhVNgtfWUSfNPDdy69L31cynSXsQmHksZQSmcsfrwg3i+PxZ9G0O21WjahMtDr
/Y0WRHNNx03eplFzOFV2sfodkulKacoe7wG5Qs6vMrVA0Vrb86DNwiufyPma9OpU
RZs1MuJsRSQpqnpqladFgdtG8dy3qkTLsGQ7YaDquoDZiu+H3sDuMe2y2jLAdfYD
pu+nVLorw/KL/F/HZws0tuqARvWwGkG78Afg
-----END CERTIFICATE-----

Take the certificate issued above and load it on the SBC with 'import-certificate try-all tls-ocsm' as shown earlier. Paste only the PEM block (from -----BEGIN CERTIFICATE----- to -----END CERTIFICATE-----), not the human-readable dump that precedes it in the file.

You can sign the Palladion ME certificate request the same way. Download the generated csr file from the PSA and sign it:

$ openssl ca -config openssl_ocsm.cnf -out OCSM_CA/certs/palladion.cert -infiles OCSM_CA/csr/palladion_-CN=<ip-address>.csr 

Then upload the signed certificate, palladion.cert, on the PSA page.
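The script below is an added example and is not part of the Oracle article or of any Oracle tool. It carries the appendix through non-interactively and then runs the checks worth doing on a signed certificate before pasting it at the 'import-certificate' prompt on the SBC or uploading it in the PSA (this also covers the SBC certificate-record and tls-profile section above): that the certificate chains to the CA certificate you will trust on the other side (the check the SBC log performs at chain depth 1), that it carries the public key of the request you actually submitted, which subject the CA policy emitted, and how long it stays valid (the stock openssl.cnf signs for 365 days, which is where the one-year validity of the sample certificate above comes from). Assumptions, all ours: the openssl command-line tool is installed; the SBC's request is stood in for by a locally generated key and CSR with the same subject as on this page; the CA key is left unencrypted for the demo where the appendix protects it with a passphrase; and the signed certificate is given an explicit keyUsage and an extendedKeyUsage of serverAuth plus clientAuth, which the certificate on the page does not carry and which the ME is not documented to require.

```shell
#!/bin/sh
# Added example (not from the Oracle article or any Oracle tool): the appendix
# CA built non-interactively, plus the checks worth running on a signed
# certificate before 'import-certificate' on the SBC or the PSA upload.
# Assumptions: the openssl CLI is installed; the SBC CSR is a local stand-in
# with the page's subject; the CA key is unencrypted (the appendix uses a
# passphrase); keyUsage/EKU on the signed certificate are our own choice.
set -eu

# Directory layout from the appendix plus a config whose signing policy
# tolerates the ST/O differences between the CA and the SBC request.
ocsm_ca_init() {        # $1 = work directory
  ca_dir="$1/OCSM_CA"
  mkdir -p "$ca_dir/certs" "$ca_dir/private" "$ca_dir/newcerts" "$ca_dir/csr"
  chmod 700 "$ca_dir/private"
  echo 01 > "$ca_dir/serial"
  : > "$ca_dir/index.txt"
  cat > "$1/openssl_ocsm.cnf" <<EOF
[ ca ]
default_ca      = CA_default
[ CA_default ]
dir             = $ca_dir
new_certs_dir   = \$dir/newcerts
database        = \$dir/index.txt
serial          = \$dir/serial
certificate     = \$dir/cacert.pem
private_key     = \$dir/private/cakey.pem
default_days    = 365
default_md      = sha256
policy          = policy_match
x509_extensions = usr_cert
unique_subject  = no
# Stock policy_match has ST/O as "match" and no localityName at all, which is
# why the signed certificate on the page lost its L=Berlin.
[ policy_match ]
countryName             = match
stateOrProvinceName     = optional
localityName            = optional
organizationName        = optional
commonName              = supplied
[ usr_cert ]
basicConstraints        = CA:FALSE
subjectKeyIdentifier    = hash
authorityKeyIdentifier  = keyid
keyUsage                = digitalSignature, keyEncipherment
extendedKeyUsage        = serverAuth, clientAuth
[ v3_ca ]
basicConstraints        = critical, CA:TRUE
subjectKeyIdentifier    = hash
authorityKeyIdentifier  = keyid:always,issuer
keyUsage                = critical, keyCertSign, cRLSign
[ req ]
distinguished_name      = req_dn
[ req_dn ]
countryName_default     = DE
EOF
  openssl req -new -x509 -batch -days 3650 -newkey rsa:2048 -nodes \
    -config "$1/openssl_ocsm.cnf" -extensions v3_ca \
    -subj "/C=DE/L=Berlin/O=OCSM_CA/CN=OCSM Root CA" \
    -keyout "$ca_dir/private/cakey.pem" -out "$ca_dir/cacert.pem" >/dev/null 2>&1
}

# Sign a CSR with 'openssl ca' like the appendix; -notext limits the output to
# the PEM block that 'import-certificate' expects.
ocsm_ca_sign() {        # $1 = work dir, $2 = CSR, $3 = output certificate
  openssl ca -batch -notext -config "$1/openssl_ocsm.cnf" -in "$2" -out "$3" >/dev/null 2>&1
}

# Exit 0 if the certificate chains to the CA the peer will be told to trust.
cert_chains_to() {      # $1 = CA certificate, $2 = end-entity certificate
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Exit 0 if the certificate holds the public key of the CSR, i.e. the CA signed
# the request you pasted and not some other one.
cert_matches_csr() {    # $1 = certificate, $2 = CSR
  [ "$(openssl x509 -noout -pubkey -in "$1")" = "$(openssl req -noout -pubkey -in "$2")" ]
}

# Subject as the CA policy emitted it, e.g. CN=vSBC,O=OCSM,L=Berlin,ST=Berlin,C=DE
cert_subject() {        # $1 = certificate
  openssl x509 -noout -subject -nameopt RFC2253 -in "$1" | sed 's/^subject= *//'
}

# Exit 0 if the certificate is still valid $2 days from now.
cert_valid_for_days() { # $1 = certificate, $2 = days
  openssl x509 -noout -checkend "$(( $2 * 86400 ))" -in "$1" >/dev/null
}

# Build CA, stand-in SBC key/CSR and signed certificate in a temp dir; print it.
ocsm_demo() {
  work=$(mktemp -d)
  ocsm_ca_init "$work"
  openssl req -new -batch -newkey rsa:2048 -nodes -config "$work/openssl_ocsm.cnf" \
    -subj "/C=DE/ST=Berlin/L=Berlin/O=OCSM/CN=vSBC" \
    -keyout "$work/vSBC.key" -out "$work/OCSM_CA/csr/vSBC.csr" >/dev/null 2>&1
  ocsm_ca_sign "$work" "$work/OCSM_CA/csr/vSBC.csr" "$work/OCSM_CA/certs/vSBC.cert"
  echo "$work"
}
```

Running ocsm_demo leaves a directory with OCSM_CA/cacert.pem (what goes into the PSA's Trusted Certificate tab and into the OCSM-Root-CA record on the SBC) and OCSM_CA/certs/vSBC.cert (what is pasted at the import-certificate prompt); point the four check functions at those files. On a real SBC you never hold vSBC.key, and cert_matches_csr needs only the request text that generate-certificate-request printed. Because default_days is 365, cert_valid_for_days is the check to schedule well before the anniversary of the signing, since the SBC will silently fail its TLS connection to the ME once the certificate expires.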

Q&As

Does SBC as a probe work if the SIP packets are encrypted with TLS?

Answer: Yes, the SBC as a probe feature works even if the SIP packets are encrypted with TLS. Unlike a passive Palladion probe that captures packets off the wire, the SBC terminates the TLS connections itself and reports the SIP messages it processes, so it sees them in the clear.


Copyright © 2018 Oracle, Inc. All rights reserved.