TRA Virtual Server TLS Configuration
Specify virtual server (VS) configuration options for Transport Layer Security (TLS) to define communication between the Traffic Routing Agent(TRA) and an upstream Diameter client using the TLS protocol. The supported protocol versions are TLSv1.3 and TLSv1.2.
TLS VS Connection Configuration
You configure an TLS connection between the TRA and an upstream virtual server (VS) by setting the following configuration in the tra_config_network_topology.xml file:
- Set
secured=truein the<vs>definition, for example:<virtual-servers> <vs name="SySec" vsopt="SSL_VsOpt" vip="vipExtern" port="17553" protocol="diameter" pool="allPool" downstream-port="3868" preferred-fqdn="ccsaz1.tra.fra.all.default.5gc.mnc007.mcc262.3gppnetwork.org" fqdn-validate="false" secured="true"/> </vs> </virtual-servers> - Add the TLS security configuration options in the
<virtual-servers-options>section for the VS, for example:<virtual-servers-options> <vsopt name="SSL_VsOpt" security-require-client-certificate="false" security-raw-cipher-list="CAMELLIA128-SHA" security-allowed-ssl-versions="tlsv1.1,tlsv1.2" diam-cea-host-ip-addr="10.170.154.36" diam-origin-realm="5gc.mnc007.mcc262.3gppnetwork.org" /> </virtual-servers-options>Note: The TRA does not allow multiple certificates, private keys, and pem files to co-exist in the same directory. This means that each VS requires its own directory for the certificate, private key, and pem file. - If at least one virtual server is defined as secured, you must disable TRA memory locking. To disable, add the following line to the parameters section of the
tra_config.xml configuration file:
lock-process-memory="off"For more information TRA configuration parameters, see the discussion about configuring TRA tra_config.xml parameters in MATRIXX Installation and Upgrade.
For more information about TRA virtual server configuration, see the discussion about TRA virtual server (VS) reference in MATRIXX Installation and Upgrade.
Dynamic TLS Certificate Reloading
The TRA can dynamically detect that a new certificate has been configured and reload that certificate for upstream and downstream connections, with the following restrictions:
- There is one and only one file in the certificate authority (CA) directory, if a CA is used. (The file can contain more than one CA.)
- The new certificate file has the same name as the file it replaces.
- Only hard-linked files are detected. Soft-linked files are not detected because they do not appear to have been modified.
TLS VS Configuration Options
TLS VS Configuration Options lists the available options.
| TLS Option | Configuration Section | Description |
|---|---|---|
| secured | <vs> | (Boolean) When set to true, enables TLS connections for a virtual server. Defaults to false. |
| security-own-certificate-path | <virtual-servers-options> | (String) The path to the directory containing the security certificate, including the private key and (potentially) the pem file, (with DH parameters if
Diffie-Hellman is used), for the VS. The default value is /opt/tra/custom/tra_certificate. |
| security-require-client-certificate | <virtual-servers-options> | (Boolean) When set to true, a valid client certificate is required from the client over a TLS connection. Validity of the client certificate is
determined by the server according to a set of trusted CAs found in the server directory specified in security-trusted-certificates-path. |
| security-trusted-certificates-path | <virtual-servers-options> | (String) The path to the directory containing the root CAs for the VS. Defaults to /opt/tra/custom/trusted_certificates/. |
| security-disallowed-ssl-versions | <virtual-servers-options> | (String) Comma-separated list of TLS versions that the VS does not accept for TLS connections. |
| security-raw-cipher-list | <virtual-servers-options> | (String) The TLS ciphers that the VS uses for TLS connections, for example: CAMELLIA128-SHA. Defaults to an empty string. |
| security-force-quiet-shutdown | <virtual-servers-options> | (Boolean) By default (false) the standard TLS shutdown behavior is used, where the parties send out close notify alert messages for
a clean shutdown when a TLS connection finishes. When set to true, the TLS connection is considered to be shutdown on connection closure, and a
close notify alert message is not sent to the peer. |
| security-allow-any-tcp-traffic | <virtual-servers-options> | (Boolean) By default (false) only TLS connections using the Diameter protocol are supported. When set to true, upstream MDC and TCP
protocols can also be secured using the TLS security level. |
| security-check-cert-only-for-reload | <virtual-servers-options> | When set to true, only the certificate file is checked for modification. If it has been modified, SSL/TLS related files (certificate, private key,
and pem file) are reloaded. When set to false, all files are checked for modifications. If any are modified, they are all reloaded. The default value
is false. |
| security-minimum-interval-for-stat-in-millis | <virtual-servers-options> | The minimum time interval, in milliseconds, that must pass before checking if SSL/TLS related files (certificate, private key, and pem) have changed. If set to 0, files are checked before each connection. The default value is 250. |