Post-Install Configuration

Introduction

Once installation has completed, some configuration is required to connect the N-Squared Flow Editor to your OCNCC/OC3C system. The following instructions are the bare minimum changes you will need to make. For further configuration options, see the configuration section.

Master XML Configuration

The file /etc/jarvis/n2fe.xml must have its default placeholder values updated. Note that environment-specific installations may have this file named n2fe-prod.xml, or similar.

The following sections cover the minimum changes required to ensure N2FE is accessible in your environment.

Database Configuration

Database access can be configured using a direct username and password or using Oracle Wallets. We recommend Oracle Wallets for security.

OCNCC SMS Access via Username and Password

In the configuration file /etc/jarvis/n2fe.xml, locate the following lines:

<database 
    name="smf-global" 
    connect="dbi:Oracle:host=SMS-DB-HOST;port=1521;sid=SMF"
    username="smf"
    password="SMF-PASSWORD"
>

and

<database
    name="smf"
    connect="dbi:Oracle:host=SMS-DB-HOST;port=1521;sid=SMF"
>

The following values should be updated to:

OCNCC SMS Access via Oracle Wallets

Access to the OCNCC database can be configured to use the Oracle Wallet infrastructure. For security, we recommend this approach, because it lets N2FE access the OCNCC Oracle database without storing a plain text username and password in the N2FE configuration file.

Steps:

Create the Wallet Directory

As root:

mkdir /var/www/oracle_wallet

Create the Oracle Wallet

As root:

cd /var/www/oracle_wallet
export TNS_ADMIN=`pwd`
mkstore -wrl `pwd` -create

At this point, enter a password. This password is required to update the wallet store, but is not needed for Oracle to read it.

mkstore -wrl `pwd` -createCredential SMF smf <smf_password>

This adds the username, password and TNS entry for the OCNCC SMF to connect to. The user should be smf (unless its access level is reproduced under another role). The TNS entry SMF should be reused for the TNS name in the next step.

Create a tnsnames.ora File

Create a file called tnsnames.ora and set its content to be:

SMF =
  (DESCRIPTION =
    (ADDRESS_LIST =
      (ADDRESS = (PROTOCOL = TCP)(HOST = ocncc-sms)(PORT = 1521))
    )
    (CONNECT_DATA =
       (SERVICE_NAME = SMF)
    )
 )

Update the first SMF = to be the same TNS name as used when creating the wallet entry in the previous step. Update the host ocncc-sms to be the correct hostname/IP of the SMS (or SCAN IP, or any other details for access, such as load balanced access). If the OCNCC SMS database has a different service name than SMF, update the final SERVICE_NAME reference as required.

Create a sqlnet.ora File

Create a file called sqlnet.ora and set its content to be:

SQLNET.WALLET_OVERRIDE = TRUE
WALLET_LOCATION =
 (SOURCE=
   (METHOD = FILE)
    (METHOD_DATA = (DIRECTORY=/var/www/oracle_wallet/)
   )
 )

Update Ownership

Ensure that only the Apache user can read the Oracle wallet files:

cd /var/www/oracle_wallet
chown httpd:httpd * .
chmod go-rx .

Configure Apache’s TNS Configuration

Edit the configuration file for Jarvis:

vi /etc/apache2/conf.d/jarvis.conf

and configure the environment for Jarvis to refer to the location of the files created:

<Location /jarvis-agent>
    SetEnv TNS_ADMIN /var/www/oracle_wallet/
</Location>

Configure N2FE

In the configuration file /etc/jarvis/n2fe.xml, locate the following lines:

<database 
    name="smf-global" 
    connect="dbi:Oracle:host=SMS-DB-HOST;port=1521;sid=SMF"
    username="smf"
    password="SMF-PASSWORD"
>

and

<database
    name="smf"
    connect="dbi:Oracle:host=SMS-DB-HOST;port=1521;sid=SMF"
>

The following values should be updated to:

For example:

<database name="smf-global" connect="dbi:Oracle:SMF" username="" password="" >

Session Security

Jarvis allows session security to be increased by setting a number of configuration parameters.

In the configuration file, locate the following lines:

<!--
    Enable these parameters for additional security in the session cookie.
    <parameter name="Path" value="/"/>
    <parameter name="Domain" value=""/>
    <parameter name="Secure" value="yes"/>
-->

Each of the parameters can be added and removed as required from the session configuration.

The supported parameters are as follows.

| Name | Default | Description |
|------|---------|-------------|
| Path | / | Configure the path attributed to the served cookie. Any requests made that do not use the defined sub path will be rejected. For most N2FE configurations using /jarvis-agent/ is sufficient to capture all requests made from the client. |
| Domain | $ENV{HTTP_HOST} | Configure the domain attributed to the served cookie. Any requests made by the client will only serve the cookie if the user's current domain matches the configured domain. If cross_origin_protection is enabled the domain will also be used to match against the user's window origin or referrer when making requests. Any non-matching requests will be rejected. |
| Secure | no | If Secure is set to yes then all cookies will only be transmitted over a secure https connection. |
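
The Oracle Wallet steps and the session cookie parameters above can be checked once configuration is complete. The following shell script is an added example, not part of N2FE or Jarvis: its function names are hypothetical, its checks are line-based rather than a full XML parse, and the sample configuration it runs on is constructed.

```shell
# Print FILE with XML comments removed, so commented-out defaults are ignored.
strip_xml_comments() {
    awk '{
        line = $0; out = ""
        while (line != "") {
            if (in_c) {
                e = index(line, "-->"); if (!e) break
                line = substr(line, e + 3); in_c = 0
            } else {
                s = index(line, "<!--")
                if (!s) { out = out line; break }
                out = out substr(line, 1, s - 1)
                line = substr(line, s + 4); in_c = 1
            }
        }
        print out
    }' "$1"
}

# Succeeds when no active attribute stores a non-empty password="...".
no_plaintext_db_password() {
    ! strip_xml_comments "$1" | grep -Eq '(^|[[:space:]])password="[^"]+"'
}

# Succeeds when the Secure session-cookie parameter is active and set to yes.
secure_cookie_enabled() {
    strip_xml_comments "$1" |
        grep -Eq '<parameter[[:space:]]+name="Secure"[[:space:]]+value="yes"'
}

# Succeeds when group and other have no permissions on the wallet directory.
wallet_dir_private() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Run all checks; the return status is the number of failed checks.
audit_n2fe() {
    fails=0
    no_plaintext_db_password "$1" || { echo "FAIL: plaintext password in $1"; fails=$((fails + 1)); }
    secure_cookie_enabled "$1" || { echo "FAIL: Secure cookie not enabled in $1"; fails=$((fails + 1)); }
    wallet_dir_private "$2" || { echo "FAIL: $2 open to group/other"; fails=$((fails + 1)); }
    return "$fails"
}

# Demo on a constructed config: password cleared, Secure still commented out.
demo_dir=$(mktemp -d) && chmod 700 "$demo_dir"
printf '%s\n' '<database name="smf-global" connect="dbi:Oracle:SMF" username="" password="" >' \
    '<!--' '    <parameter name="Secure" value="yes"/>' '-->' > "$demo_dir/n2fe.xml"
audit_n2fe "$demo_dir/n2fe.xml" "$demo_dir" || echo "$? check(s) failed"
```

On a configured host the same function can be run as audit_n2fe /etc/jarvis/n2fe.xml /var/www/oracle_wallet.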

License File

N2FE must have a license file provided to operate in an unrestricted manner. Contact N-Squared Support to arrange the delivery of a license file for your deployment.

Once you have received the license, move it into the n2fe directory:

mv license.xml /var/lib/n2fe/

The location of this file may be altered by looking for the following line in /etc/jarvis/n2fe.xml:

<parameter name="license" value="/var/lib/n2fe/license.xml"/> 

and changing the path of this configuration parameter.

Automatic Control Plan Backups

Some NCC configurations are set up to automatically remove old control plan versions on save. N2FE provides a backup mechanism that may be executed before each save to back up the existing control plan. By default this functionality is disabled, but it may be enabled via the PreSave hook configuration in the Jarvis configuration file.

To use this functionality, the SMS node must be running a PI server with an endpoint listening for SOAP-based traffic.

To activate this functionality, edit the following configuration in /etc/jarvis/n2fe.xml, uncommenting and modifying placeholders as required:

<!--
    Define the presave hook when saving control flows.
    This may perform up to two actions before saving the control flow.
        * (Always) Executing the NCC security response challenge.
        * (If configured) Send a message to the NCC PI and request a backup be created of the requested control flow.
-->
<hook module="PreSave">
    <!--
        <parameter name="pi_uri"      value="http://SMS_NODE_RUNNING_PI:PI_PORT_SETUP_FOR_SOAP_ACTIONS/"/>
        <parameter name="pi_username" value="OPTIONAL_USERNAME"/>
        <parameter name="pi_password" value="OPTIONAL_PASSWORD"/>
    -->
</hook>

OCNCC Configuration

To integrate N2FE with OC3C/OCNCC, additional configuration is crucial. See the Oracle Communications Network Charging and Control or Convergent Charging Controller configuration section for further information.

It is also recommended that the security recommendations for Apache are implemented.