Introduction
These release notes provide a comprehensive overview of the new features, enhanced functionalities, and resolved issues found in version 3.3 of SRE. They also include the details of the patch versions associated with release 3.3.
What's new in SRE 3.3
Call processing
SRE-managed STIR/SHAKEN
The SRE has been enhanced to handle the necessary headers for implementing STIR/SHAKEN. For originating service providers, an authentication service can be built using the SRE. It can generate a proper Identity header, encoded with a private key, and add it to the outbound SIP message. Similarly, for terminating service providers, a verification service can be implemented. The SRE can extract the Identity header from the received INVITE message and validate it with the corresponding public certificate.
To support these functions, new nodes have been added to handle JSON Web Tokens (JWT), the technology behind the digital certificates of STIR/SHAKEN:
- Encode JWT: This node encodes a JSON payload suitable for STIR/SHAKEN using a private key and a certificate for decoding.
- Decode JWT: This node decodes a JWT into a JSON object for later validation.
Additionally, two other nodes have been introduced to manage Identity headers:
- Generate Identity: This node generates a suitable Identity header from an input JWT and a certificate URL.
- Extract Identity: This node extracts the Identity header from the SIP message and separates the JWT and certificate URL into two distinct variables.
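The checks a verification service can apply to the output of Extract Identity and Decode JWT before verifying the signature, as an added Python example (not SRE or Netaxis code). The header layout follows RFC 8224 and the claim names RFC 8225/8588; the function names, the 60-second freshness default and all sample values are assumptions constructed here.

```python
import base64
import json
import time
from urllib.parse import urlparse

def b64url_json(segment):
    """Decode one base64url JWT segment (padding restored) into a Python object."""
    padded = segment + "=" * (-len(segment) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))

def split_identity(header_value):
    """Split an Identity header value into (jwt, params); values lose <> and quotes."""
    token, *raw_params = [p.strip() for p in header_value.split(";")]
    params = {}
    for item in raw_params:
        name, _, value = item.partition("=")
        params[name.strip().lower()] = value.strip().strip("<>").strip('"')
    return token, params

def precheck_identity(header_value, now=None, max_age=60):
    """Return the problems found before signature verification; [] means none."""
    now = time.time() if now is None else now
    token, params = split_identity(header_value)
    parts = token.split(".")
    if len(parts) != 3 or not all(parts):
        return ["JWT is not three non-empty dot-separated segments"]
    try:
        hdr, claims = b64url_json(parts[0]), b64url_json(parts[1])
    except ValueError:
        return ["JWT header or payload is not base64url-encoded JSON"]
    if not isinstance(hdr, dict) or not isinstance(claims, dict):
        return ["JWT header or payload is not a JSON object"]
    problems = []
    if hdr.get("alg") != "ES256":  # also rejects "none" and HMAC algorithms
        problems.append("alg must be ES256")
    if hdr.get("ppt") != "shaken" or hdr.get("typ") != "passport":
        problems.append("not a SHAKEN PASSporT")
    x5u = str(hdr.get("x5u", ""))
    if urlparse(x5u).scheme != "https":
        problems.append("x5u is not an https URL")
    if params.get("info") != x5u:  # header parameter must name the same certificate
        problems.append("info parameter and x5u differ")
    if claims.get("attest") not in ("A", "B", "C"):
        problems.append("attest must be A, B or C")
    iat = claims.get("iat")
    if not isinstance(iat, int) or abs(now - iat) > max_age:
        problems.append("iat missing or outside freshness window")
    return problems

def _seg(obj):
    """Encode a dict as an unpadded base64url JWT segment (sample building only)."""
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()

# Constructed sample: made-up numbers and URL, placeholder (unverifiable) signature.
CERT_URL = "https://cert.example.org/sti.pem"
SAMPLE_IAT = 1700000000
SAMPLE = ".".join([
    _seg({"alg": "ES256", "ppt": "shaken", "typ": "passport", "x5u": CERT_URL}),
    _seg({"attest": "A", "dest": {"tn": ["12155550113"]}, "iat": SAMPLE_IAT,
          "orig": {"tn": "12155550112"}, "origid": "sample-origid"}),
    "c2lnbmF0dXJl",
]) + f";info=<{CERT_URL}>;alg=ES256;ppt=shaken"

if __name__ == "__main__":
    print(precheck_identity(SAMPLE, now=SAMPLE_IAT + 5))
```

These checks only reject malformed, stale or inconsistent headers early; the signature must still be verified against the certificate retrieved from the URL.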
Kamailio-managed STIR/SHAKEN
The SRE can also implement STIR/SHAKEN managed by Kamailio. In this scenario, Kamailio constructs the Identity header on the originating service provider side and extracts it on the terminating service provider side. A new node has been added to instruct Kamailio to generate a new Identity header:
- Add Identity header: This node instructs Kamailio to generate the Identity header by specifying the certificate URL and the attestation level.
On the terminating service provider side, Kamailio will validate the received INVITE with an Identity header against the certificate and pass the validation information through the call descriptor variables.
Call forking
The SRE can now fork calls to multiple destinations, causing them to ring simultaneously. To facilitate this functionality, a new output node called "SIP relay with forking" has been introduced. This node takes a list of request URIs from a records list and proxies the INVITE to all the specified destinations. Similar to the "SIP relay" node, this new node supports various options such as CD persistence, recursion, and more.
Custom SIP endpoints
Custom SIP endpoints can now be configured based on a set of criteria, such as:
- method
- source
- destination
- From
- R-URI
- regular expression
With this mechanism, it is possible to trigger different SLs directly from the global configuration. Before, such behavior was only possible by using SL nodes to analyze the incoming calls and dispatching these calls to SSLs inside a single entry point.
Service Logic Editor
Editor interface
The background grid automatically expands as nodes are moved to the edges.
In the simulation timeline, the top headers are now frozen, enabling vertical scrolling of variable values while keeping the header lines visible.
Detailed node logging
A new logging system has been integrated into the SLE, enhancing the level of detail available for specific nodes (e.g., query nodes) regarding the processing performed by each node. This additional information can be accessed through the tooltip when hovering over a simulation step or by opening the simulation step modal (pop-up).
Logging of actions
A new logging system has been added to the SLE so that the actions with non-immediate effects (e.g. header manipulations, ...) are logged for such nodes.
Service logic import
The service logic import tool has been enhanced to allow you to specify the import suffix.
Simulations import and export
It is now possible to export and import simulations, along with the groups they belong to. This can either be applied to all simulations or simulations filtered through some criteria.
New nodes
A new node has been introduced to facilitate the rotation of a list of records. This functionality enables the swapping of columns and rows from an input records list to generate an output records list.
Additionally, a new node has been implemented to extract specific portions of the SIP message, such as headers and/or body, using regular expressions. This node provides flexibility in extracting SDP data or header parameters directly, thereby reducing the number of required nodes.
Furthermore, two new nodes have been included to enable the conversion between records lists objects and JSON objects.
To enhance alarm monitoring, a new node has been incorporated to check the current status of an alarm.
Finally, an additional output node called "custom SIP response" has been introduced. This node allows users to specify both the response code and the reason header of the SIP response sent back to the network.
Improved nodes
A new option has been introduced in the "set variables" node, allowing the skipping of updates for existing variables. This feature is useful for setting default values for variables that are currently undefined.
The "extract SIP header" node has been improved to include the capability of storing header repetitions into a records list when specified.
The "aggregate column" node has been enhanced with a new "count" operator, enabling the calculation of the total number of rows in a records list.
Datamodel Editor
Editor Interface
The delete table button has been moved up next to the tables re-order buttons.
An exit confirmation alert is displayed if the datamodel is not saved.
Table changes tracking
A new option has been implemented to enable or disable change tracking on a per-table basis. When this feature is enabled, the system will automatically include additional columns in the table to track changes. These columns will capture the record insert time, record update time, and user information, indicating the user who performed the operation. This tracking functionality applies to changes made through the GUI, REST API, and batch provisioning methods.
IPv6 validator
A new IPv6 validator has been added to the DME and ensures validation of IPv6 addresses inside data admin pages.
Datamodel diagram export
An option has been added to export the datamodel relationship diagram as PDF, both from the GUI datamodel versioning page and from the sre-admin tool.
Datamodel versioning
The datamodel versioning page has undergone improvements to enhance user experience. Now, the DM versions are displayed in reverse order, allowing you to conveniently access the most recent versions first and easily navigate to older versions. In addition, we have introduced helpful links that enable quick jumps to the first, last, and active versions for added efficiency.
Data administration
A new option has been added in the system configuration to disable the batch provisioning option "replace all". This helps prevent human errors such as mistakenly uploading a corrupt CSV file.
A new button (next to the Edit button) has been added on the records search page to clone an existing record.
Statistics
New statistics engine
The statistics engine has been completely redesigned and is now based on InfluxDB, a time-series database. This DB runs on both EMs. Statistics are no longer stored in the PostgreSQL database and so are no longer replicated to the call processor servers, which greatly reduces the replication activity.
In addition to this new back end, the dashboard has been redesigned to let the administrator customize the dashboard by adding/removing tabs and adding/removing rows of panels on each of these tabs.
For each panel, the administrator can select which data to display, from the set of available metrics, and how to display it.
Service logic node statistics switch
A new option has been added to disable the generation of service logic node statistics. By enabling this option, only summary statistics related to requests and responses will be available in the dashboard. Disabling the generation of detailed statistics can significantly improve performance, particularly in systems with heavy loads and complex service logic configurations.
Provisioning metrics
Releases 3.3.3+
New counters have been added to monitor the provisioning operations from REST, CSV and GUI. Counters have also been added to monitor the number of records per table. These counters are available on the dashboard and in graphs.
HTTP & ENUM performance metrics
Releases 3.3.3+
New metrics have been added to monitor the service logic processing time for the HTTP & ENUM interfaces. These metrics are available on the dashboard and in graphs.
Alarms
A new monitor has been added to track the number of records per table and trigger an alarm if the number of records in a table varies by more than the defined percentage threshold. This threshold can be configured per table.
A new monitor has been added to check the validity of TLS certificates and trigger an alarm if the time-to-expire is below a configurable threshold.
Cluster, node, and resource have been added for the Pacemaker cluster subsystem.
A new alarm will be triggered if the CDR collector (running on EM) is not reachable from a CDR sender (running on CP).
Releases 3.3.3+
New alarms have been added to monitor the ENUM processing performance, along with configurable minor, major and critical thresholds.
Operations & maintenance
Call termination API
A new REST API endpoint has been implemented, providing the capability for an external system to terminate an active call. When triggered, the SRE will initiate BYE transactions to both the caller and the callee, ensuring the call is effectively terminated. To control access to this API using token-based authentication, the new endpoint has been included in the access token definition.
Kamailio interface logs
Kamailio interface logs can now be forwarded to the local syslog subsystem instead of the local interface.log file.
Security & auditing
Force user password change
An option has been added to force password change on the next user login attempt.
REST API audit logging
In order to enhance auditing capabilities, dedicated audit logging has been implemented for the REST API. This ensures that all operations originating from the REST API are logged in a separate and dedicated file. By doing so, you can easily track and monitor actions performed through the REST API, enabling better visibility and accountability.
Per datamodel access rights
The role definition now allows setting access rights per datamodel, rather than globally for all datamodels.
Enhanced LDAP login integration
The LDAP login integration has been enhanced to allow manipulation of usernames and flexible filtering of users, based on configurable criteria. This allows restricting access to the GUI to selected users.
Login brute force detection
Login brute force detection and throttling have been implemented. The threshold can be configured in the system settings and when the client performs too many failed login attempts, the origin IP address will be blacklisted for a predefined duration.
GUI
The platform title is configurable in the system settings and allows identifying the current environment in case there are several environments.
Miscellaneous enhancements
The following is a list of minor enhancements which do not affect the main functionality of SRE:
- added graphviz and SNMP installation to VM image generation script
- added custom SIP endpoint migration tool for upgrade
- adapted "sre" PostgreSQL user creation to allow datamodel creation
- added NFV image generation helper scripts
- enabled automatic installation of crontab on RPM install
- added support for MongoDB 4.x and 5.x
- added CAC configuration to SREaaS deployment playbooks
- added ability to update multiple DNS zones
- added RPM packaging for RHEL 8
- added a new parameter to set debug topics from config instead of environment variables
- added command sre-admin monitor DB activity to retrieve current DB activity
- added tool to replay PCAPs to validate call processing
- updated jquery library
Patch versions release notes
Release 3.3.1
Pull id | Fix |
---|---|
1271 | fixed MongoDB monitoring to query localhost; implemented re-use of DB connections |
1257 | added accounting refresh in case of re-INVITE or UPDATE |
1253 | added sre-admin option to test the performance of a service logic |
1251 | fixed datamodel migrations between column both indexed/unique and column unique only |
1247 | fixed escaping of HTML to avoid XSS on data admin, users, roles, saved simulations, simulations groups, service logics, releases, configuration settings |
1242 | fixed display of EM's on dashboard; fixed display and improved performance of counters and stats tabs |
Release 3.3.2
Pull id | Fix |
---|---|
1283 | fixed profile access rights after brand-new datamodel creation & activation |
1280 | fixed conversion of XML response into JSON for node HTTP XML query |
1276 | hotfix/delete_custom_endpoint |
1266 | disabled display of tracebacks in case of GUI exceptions by default |
1264 | added InfluxDB to SREaaS deploy scripts |
Release 3.3.3
Pull id | Fix |
---|---|
1357 | added alarms for ENUM performance |
1355 | fixed SIP agent port shown as N/A in SIP agents list |
1351 | fixed edit multiple records page to set boolean columns to NULL |
1343 | fixed service logic INVITE performance alarm to 60 secs window |
1333 | added provisioning counters (requests and records affected) for REST/CSV/GUI actions; added new dashboard graphs for provisioning counters; added performance stats for interfaces ENUM & HTTP; added new dashboard graphs for ENUM & HTTP performance |
1332 | added OCI London region to SREaaS deployment scripts |
1329 | added option to configure different tokens for influxDB hosts |
1326 | adapted ansible to manage several OCI regions |
1324 | modified parameter CAC purge timeout to update it without restart |
1322 | fixed node DB query when no fields are extracted |
1319 | fixed caching of HTTP query nodes in order to use expanded body as caching key |
1312 | improved cluster details in dashboard |
1308 | fixed DB replication status data & alarms |
1305 | fixed concurrent access to accounting events store for ENUM and HTTP processors |
1294 | fixed DNS zone reload mechanism for process sre-dns-updater when a brand new zone, never referenced before, is added |
Release 3.3.4
Pull id | Fix |
---|---|
1384 | fixed zone records generation in case of TXT records with spaces |
1379 | sle: fixed simulation path highlighting when multiple links originate from the same source node |
1377 | gui: hidden button "forgot password" when LDAP authentication is configured |
1374 | gui: fixed caching of datamodel when identical tables are present inside different services |
1371 | dashboard: fixed calculation of now counters and samples |
1366 | dashboard: added missing SIP responses to built-in dashboard graphs |
1365 | dashboard: fixed duplicate display of hosts as both EM and CP |
1360 | fixed missing dashboard.json for SREaaS |
Release 3.3.5
Pull id | Fix |
---|---|
1440 | fix XSS vulnerabilities |
1435 | added optimizations for InfluxDB connections and records writing |
1432 | added option to define custom SIP endpoints matching any port |
1427 | fixed datamodel diagram export when special characters are used for names |
1418 | decreased timeout for InfluxDB commands |
1406 | added table label to CSV provisioning pages |
1395 | fixed tel URI handling when URI starts with < |
1392 | added record delete operations to GUI audit log |
1388 | added operators "is NULL" and "is not NULL" for data admin search page |
Release 3.3.6
Pull id | Fix |
---|---|
1460 | fixed relationship diagram |
1457 | corrected node "extract SIP header" when multiple headers share the same suffix |
1454 | adapted REST audit log to ease parsing |
1450 | fixed stop of interim CDR generation in case of end event |
Upgrade from 3.2
Note
If you are coming from a release prior to 3.2, refer to the release notes for that release to perform the intermediate steps.
The upgrade of the 3.2 platform can be done by using the new RPM.
Copy the RPM locally on all SRE nodes.
The upgrade should be performed node by node, starting first from the Element managers and then proceeding with the Call processors.
Element managers
InfluxDB installation
Before proceeding with the SRE software upgrade itself, run the following commands to install InfluxDB on both EMs.
# cat <<EOF | sudo tee /etc/yum.repos.d/influxdb.repo
[influxdb]
name = InfluxDB Repository - RHEL \$releasever
baseurl = https://repos.influxdata.com/rhel/\$releasever/\$basearch/stable
enabled = 1
gpgcheck = 1
gpgkey = https://repos.influxdata.com/influxdata-archive_compat.key
EOF
# yum install -y influxdb2-2.4.0-1 influxdb2-client-2.4.0-1
# systemctl start influxd
# influx setup -u influxuser -p influxuser -t <secret-token> -o influxorg -b bucket -r 1h
(it will ask for confirmation)
# influx bucket delete -n bucket
Note
To install on nodes without internet access, you can obtain the Influx RPMs from the internal NAS or from the software delivery portal, under the folder:
Supporting_packages/dependencies SRE 3.3
SRE RPM update
To launch the upgrade, on all EMs do:
# yum install /<path>/sre.3.3.x-y.x86_64.rpm
You must upgrade the internal DB schema. Therefore on the master EM node only, run:
# /opt/sre/bin/sre-admin db upgrade
The DB schema change will be applied to the other nodes through standard DB replication.
Afterwards, restart SRE on both EMs with:
# systemctl restart sre
In the SRE GUI, under Settings->Element Managers, set:
- Stats DB token to the secret token you previously chose
- Stats DB org to influxorg
Once these changes have been made, restart the sre-manager with the command:
# /opt/sre/bin/supervisorctl restart sre-manager
Call processors
Call processors must be upgraded one by one.
If the call processor runs the SIP stack, perform the following steps:
- Take the CP offline from the GUI (System->Node operational status->out-of-service). Alternatively, you can set the CP out-of-service from the SIP client equipment (e.g. SBC, ...). Check traffic has stopped on the CP by checking with tcpdump, sngrep or the dashboard statistics.
- Shut down Kamailio with:
# systemctl stop kamailio
- Upgrade Kamailio to the latest stable 5.5 version if it is not already at this version (main package and kamailio-python package).
# yum install --disablerepo=kamailio --enablerepo=kamailio-5.5 kamailio kamailio-python
- Upgrade SRE from the RPM with the same command used for EM:
# yum install /<path>/sre.3.3.x-y.x86_64.rpm
- Copy the file /opt/sre/etc/kamailio/kamailio.cfg to /etc/kamailio
- Adapt the file /etc/kamailio/kamailio.cfg depending on the deployment (usually only the line listen, which contains the listening address of your Kamailio instance)
- Restart Kamailio with:
# systemctl start kamailio
- Enable traffic from the GUI (System->Node operational status->in-service)
If the call processor runs the ENUM interface or the HTTP interface, perform these steps:
- If the client equipment allows putting the SRE CP out-of-service so that no requests are sent to it, proceed in this way.
- Upgrade SRE from the RPM with the same command used for EM:
# yum install /<path>/sre.3.3.x-y.x86_64.rpm
After the upgrade is done on at least one CP node, make sure the CP is handling requests in the expected way, as in the previous release. Verify that CDRs are created on EMs (if enabled) for the requests handled by this CP.
If this is confirmed, proceed to the next CP node.
Downgrade from 3.3 to 3.2
You must downgrade the internal DB schema. Therefore on the master EM node run as user postgres:
# psql
and use the following commands:
# postgres=# \c sre
# sre=# ALTER TABLE web_user DROP COLUMN email CASCADE;
# sre=# ALTER TABLE web_user DROP COLUMN changepwd CASCADE;
Install the previous RPM on all EMs and CPs with the command:
# yum downgrade /<path>/sre.3.2.x-y.x86_64.rpm
On CPs restore the previous Kamailio configuration file and restart kamailio with:
# systemctl restart kamailio
Patch upgrade path from 3.3.x
To upgrade to a target patch release, the Admin needs to check the upgrade path to know which actions to take.
It is important to highlight that an action needed at a patch level 3.3.N is also needed for direct upgrade to 3.3.N+1, 3.3.N+2, ...
Patch release | Needed actions |
---|---|
3.3.1 | None |
3.3.2 | None |
3.3.3 | None |
3.3.4 | None |
In addition to the listed needed actions:
On all nodes, do as root:
# yum update /<path>/sre.3.3.x-y.x86_64.rpm
Always check for differences in the following files with the diff command:
# diff /etc/kamailio/kamailio.cfg /opt/sre/etc/kamailio/kamailio.cfg
# diff -y /etc/cron.d/<crontab file for sre> /opt/sre/etc/crontab
If any difference is observed, verify with Netaxis Support/R&D.