Post-Install Configuration
Introduction
Once installation has completed, some configuration is required to connect the N-Squared Flow Editor to your OCNCC/OC3C system. The following instructions are the bare minimum changes you will need to make. For further configuration options, see the configuration section.
Master XML Configuration
The file /etc/jarvis/n2fe.xml must have its default placeholder values updated.
Note that environment-specific installations may have this file named n2fe-prod.xml, or similar.
The following sections cover the minimum changes required to ensure N2FE is accessible in your environment.
Database Configuration
Database access can be configured using a direct username and password or using Oracle Wallets. We recommend Oracle Wallets for security.
OCNCC SMS Access via Username and Password
In the configuration file /etc/jarvis/n2fe.xml, locate the following lines:
<database
  name="smf-global"
  connect="dbi:Oracle:host=SMS-DB-HOST;port=1521;sid=SMF"
  username="smf"
  password="SMF-PASSWORD"
>
and
<database
  name="smf"
  connect="dbi:Oracle:host=SMS-DB-HOST;port=1521;sid=SMF"
>
The following placeholder values should be updated:
- SMS-DB-HOST: a DNS-resolvable value for the SMS database server that N2FE should communicate with for reading and storing flow and customer information. An IP address is also suitable.
- SMF-PASSWORD: the password for the SMF database user on the SMS platform.
OCNCC SMS Access via Oracle Wallets
Access to the OCNCC database can be configured to use the Oracle Wallet infrastructure. We recommend this approach for security, because it lets N2FE access the OCNCC Oracle database without storing a plain text username and password in the N2FE configuration file.
Steps:
Create the Wallet Directory
As root:
mkdir /var/www/oracle_wallet
Create the Oracle Wallet
As root:
cd /var/www/oracle_wallet
export TNS_ADMIN=`pwd`
mkstore -wrl `pwd` -create
At this point, enter a password. This password is required to update the wallet store, but is not needed for Oracle to read it.
mkstore -wrl `pwd` -createCredential SMF smf <smf_password>
This adds the username, password and TNS entry for the OCNCC SMF to connect to. The user should be smf (unless its access level is reproduced under another role). The TNS entry SMF should be reused for the TNS name in the next step.
Create a tnsnames.ora File
Create a file called tnsnames.ora and set its content to be:
SMF =
  (DESCRIPTION =
    (ADDRESS_LIST =
      (ADDRESS = (PROTOCOL = TCP)(HOST = ocncc-sms)(PORT = 1521))
    )
    (CONNECT_DATA =
      (SERVICE_NAME = SMF)
    )
  )
Update the first SMF = to be the same TNS name as used when creating the wallet entry in the previous step. Update the host ocncc-sms to be the correct hostname/IP of the SMS (or SCAN IP, or any other details for access, such as load balanced access). If the OCNCC SMS database has a different service name than SMF, update the final SERVICE_NAME reference as required.
Create a sqlnet.ora File
Create a file called sqlnet.ora and set its content to be:
SQLNET.WALLET_OVERRIDE = TRUE
WALLET_LOCATION =
  (SOURCE=
    (METHOD = FILE)
    (METHOD_DATA = (DIRECTORY=/var/www/oracle_wallet/)
    )
  )
Update Ownership
Ensure that only the Apache user can read the Oracle wallet files:
cd /var/www/oracle_wallet
chown httpd:httpd * .
chmod go-rx .
Configure Apache’s TNS Configuration
Edit the configuration file for Jarvis:
vi /etc/apache2/conf.d/jarvis.conf
and configure the environment for Jarvis to refer to the location of the files created:
<Location /jarvis-agent>
  SetEnv TNS_ADMIN /var/www/oracle_wallet/
</Location>
Configure N2FE
In the configuration file /etc/jarvis/n2fe.xml, locate the following lines:
<database
  name="smf-global"
  connect="dbi:Oracle:host=SMS-DB-HOST;port=1521;sid=SMF"
  username="smf"
  password="SMF-PASSWORD"
>
and
<database
  name="smf"
  connect="dbi:Oracle:host=SMS-DB-HOST;port=1521;sid=SMF"
>
Make the following changes:
- Change the connect string to read dbi:Oracle:<TNS name> where <TNS name> is the name used in tnsnames.ora, e.g. SMF.
- Set username and password to be empty.
For example:
<database name="smf-global" connect="dbi:Oracle:SMF" username="" password="" >
Session Security
Jarvis allows session security to be increased by setting a number of session cookie parameters.
In the configuration file, locate the following lines:
<!--
Enable these parameters for additional security in the session cookie.
<parameter name="Path" value="/"/>
<parameter name="Domain" value=""/>
<parameter name="Secure" value="yes"/>
-->
Each of the parameters can be added and removed as required from the session configuration.
The supported parameters are as follows.
Name | Default | Description |
---|---|---|
Path | / | Configure the path attributed to the served cookie. Any requests made that do not use the defined sub path will be rejected. For most N2FE configurations using /jarvis-agent/ is sufficient to capture all requests made from the client. |
Domain | $ENV{HTTP_HOST} | Configure the domain attributed to the served cookie. Any requests made by the client will only serve the cookie if the user's current domain matches the configured domain. If cross_origin_protection is enabled the domain will also be used to match against the user's window origin or referrer when making requests. Any non-matching requests will be rejected. |
Secure | no | If Secure is set to yes then all cookies will only be transmitted over a secure https connection. |
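A check for the two hardening steps above (wallet-based database access and the session cookie parameters), as an added example that is not part of the N2FE documentation or product. The sample XML is constructed, and its jarvis, app and session wrapper elements are assumptions; only the database and parameter elements come from this page.

```python
import os
import stat
import xml.etree.ElementTree as ET

# Constructed sample standing in for /etc/jarvis/n2fe.xml. The <jarvis>, <app>
# and <session> wrappers are assumptions; only <database> and <parameter>
# are taken from the page.
SAMPLE = """<jarvis><app>
  <database name="smf-global" connect="dbi:Oracle:SMF" username="" password=""/>
  <database name="smf" connect="dbi:Oracle:host=sms1;port=1521;sid=SMF"
            username="smf" password="example-only"/>
  <session><parameter name="Path" value="/jarvis-agent/"/></session>
</app></jarvis>"""


def audit_config(xml_text):
    """List leftover plaintext DB credentials and weak session cookie settings."""
    root = ET.fromstring(xml_text)
    findings = []
    for db in root.iter("database"):
        name = db.get("name", "?")
        if db.get("username") or db.get("password"):
            findings.append(f"database {name}: credentials stored in config")
        if "host=" in db.get("connect", ""):
            findings.append(f"database {name}: connect is host-based, not a TNS name")
    params = {p.get("name"): p.get("value", "") for p in root.iter("parameter")}
    # Secure defaults to "no" when the parameter is absent or commented out.
    if params.get("Secure", "no").lower() != "yes":
        findings.append("session: Secure is not yes, cookie may travel over http")
    return findings


def audit_wallet_dir(path):
    """Flag a wallet directory that group or other can list or enter."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRGRP | stat.S_IXGRP | stat.S_IROTH | stat.S_IXOTH):
        return [f"{path}: mode {mode:o} is open to group/other"]
    return []


if __name__ == "__main__":
    for finding in audit_config(SAMPLE) + audit_wallet_dir("."):
        print(finding)
```

To check a real deployment, pass the contents of /etc/jarvis/n2fe.xml to audit_config and /var/www/oracle_wallet to audit_wallet_dir; an empty list from both means the wallet and cookie settings described above are in place.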
License File
N2FE must have a license file provided to operate in an unrestricted manner. Contact N-Squared Support to arrange the delivery of a license file for your deployment.
Once you have received the license, move it into the n2fe directory:
mv license.xml /var/lib/n2fe/
The location of this file may be altered by looking for the following line in /etc/jarvis/n2fe.xml:
<parameter name="license" value="/var/lib/n2fe/license.xml"/>
and changing the path of this configuration parameter.
Automatic Control Plan Backups
Some NCC configurations are set up to automatically remove old control plan versions on save. N2FE provides a backup mechanism that may be executed before each save to back up the existing control plan.
By default this functionality is disabled, but it may be enabled via the PreSave hook configuration in the Jarvis configuration file.
In order to utilize this functionality, the SMS node must be running a PI server with an endpoint listening for SOAP-based traffic.
To activate this functionality, edit the following configuration in /etc/jarvis/n2fe.xml, uncommenting and modifying placeholders as required:
<!--
  Define the presave hook when saving control flows.
  This may perform up to two actions before saving the control flow.
  * (Always) Executing the NCC security response challenge.
  * (If configured) Send a message to the NCC PI and request a backup be created of the requested control flow.
-->
<hook module="PreSave">
  <!--
  <parameter name="pi_uri" value="http://SMS_NODE_RUNNING_PI:PI_PORT_SETUP_FOR_SOAP_ACTIONS/"/>
  <parameter name="pi_username" value="OPTIONAL_USERNAME"/>
  <parameter name="pi_password" value="OPTIONAL_PASSWORD"/>
  -->
</hook>
OCNCC Configuration
To integrate N2FE with OC3C/OCNCC, additional configuration is crucial. See the Oracle Communications Network Charging and Control or Convergent Charging Controller configuration section for further information.
It is also recommended that the security recommendations for Apache are implemented.