Use freediameter conf file for hss

hss/hss.conf

@@ -0,0 +1,264 @@
+# This is a sample configuration file for freeDiameter daemon.
+
+# Most of the options can be omitted, as they default to reasonable values.
+# Only TLS-related options must be configured properly in usual setups.
+
+# It is possible to use "include" keyword to import additional files
+# e.g.: include "/etc/freeDiameter.d/*.conf"
+# This is exactly equivalent as copy & paste the content of the included file(s) 
+# where the "include" keyword is found.
+
+
+##############################################################
+##  Peer identity and realm 
+
+# The Diameter Identity of this daemon.
+# This must be a valid FQDN that resolves to the local host.
+# Default: hostname's FQDN
+#Identity = "aaa.koganei.freediameter.net";
+Identity = "hss.EPC_DOMAIN";
+
+# The Diameter Realm of this daemon.
+# Default: the domain part of Identity (after the first dot).
+#Realm = "koganei.freediameter.net";
+Realm = "EPC_DOMAIN";
+
+##############################################################
+##  Transport protocol configuration
+
+# The port this peer is listening on for incoming connections (TCP and SCTP).
+# Default: 3868. Use 0 to disable.
+#Port = 3868;
+
+# The port this peer is listening on for incoming TLS-protected connections (TCP and SCTP).
+# See TLS_old_method for more information about TLS flavours.
+# Note: we use TLS/SCTP instead of DTLS/SCTP at the moment. This will change in future version of freeDiameter.
+# Default: 5868. Use 0 to disable.
+#SecPort = 5868;
+
+# Use RFC3588 method for TLS protection, where TLS is negociated after CER/CEA exchange is completed 
+# on the unsecure connection. The alternative is RFC6733 mechanism, where TLS protects also the 
+# CER/CEA exchange on a dedicated secure port.
+# This parameter only affects outgoing connections. 
+# The setting can be also defined per-peer (see Peers configuration section).
+# Default: use RFC6733 method with separate port for TLS.
+#TLS_old_method;
+
+# Disable use of TCP protocol (only listen and connect over SCTP)
+# Default : TCP enabled
+#No_TCP;
+
+# Disable use of SCTP protocol (only listen and connect over TCP)
+# Default : SCTP enabled
+#No_SCTP;
+# This option is ignored if freeDiameter is compiled with DISABLE_SCTP option.
+
+# Prefer TCP instead of SCTP for establishing new connections.
+# This setting may be overwritten per peer in peer configuration blocs.
+# Default : SCTP is attempted first.
+#Prefer_TCP;
+
+# Default number of streams per SCTP associations.
+# This setting may be overwritten per peer basis.
+# Default : 30 streams
+#SCTP_streams = 30;
+
+##############################################################
+##  Endpoint configuration
+
+# Disable use of IP addresses (only IPv6)
+# Default : IP enabled
+#No_IP;
+
+# Disable use of IPv6 addresses (only IP)
+# Default : IPv6 enabled
+#No_IPv6;
+
+# Specify local addresses the server must bind to
+# Default : listen on all addresses available.
+#ListenOn = "202.249.37.5";
+#ListenOn = "2001:200:903:2::202:1";
+#ListenOn = "fe80::21c:5ff:fe98:7d62%eth0";
+ListenOn = "HSS_IP";
+
+##############################################################
+##  Server configuration
+
+# How many Diameter peers are allowed to be connecting at the same time ?
+# This parameter limits the number of incoming connections from the time
+# the connection is accepted until the first CER is received.
+# Default: 5 unidentified clients in paralel.
+#ThreadsPerServer = 5;
+
+##############################################################
+##  TLS Configuration
+
+# TLS is managed by the GNUTLS library in the freeDiameter daemon.
+# You may find more information about parameters and special behaviors
+# in the relevant documentation.
+# http://www.gnu.org/software/gnutls/manual/
+
+# Credentials of the local peer
+# The X509 certificate and private key file to use for the local peer.
+# The files must contain PKCS-1 encoded RSA key, in PEM format.
+# (These parameters are passed to gnutls_certificate_set_x509_key_file function)
+# Default : NO DEFAULT
+#TLS_Cred = "<x509 certif file.PEM>" , "<x509 private key file.PEM>";
+#TLS_Cred = "/etc/ssl/certs/freeDiameter.pem", "/etc/ssl/private/freeDiameter.key";
+TLS_Cred = "/open5gs/install/etc/freeDiameter/hss.cert.pem", "/open5gs/install/etc/freeDiameter/hss.key.pem";
+
+# Certificate authority / trust anchors
+# The file containing the list of trusted Certificate Authorities (PEM list)
+# (This parameter is passed to gnutls_certificate_set_x509_trust_file function)
+# The directive can appear several times to specify several files.
+# Default : GNUTLS default behavior
+#TLS_CA = "<file.PEM>";
+TLS_CA = "/open5gs/install/etc/freeDiameter/cacert.pem";
+
+# Certificate Revocation List file
+# The information about revoked certificates.
+# The file contains a list of trusted CRLs in PEM format. They should have been verified before. 
+# (This parameter is passed to gnutls_certificate_set_x509_crl_file function)
+# Note: openssl CRL format might have interoperability issue with GNUTLS format.
+# Default : GNUTLS default behavior
+#TLS_CRL = "<file.PEM>";
+
+# GNU TLS Priority string
+# This string allows to configure the behavior of GNUTLS key exchanges 
+# algorithms. See gnutls_priority_init function documentation for information.
+# You should also refer to the Diameter required TLS support here:
+#   http://tools.ietf.org/html/rfc6733#section-13.1
+# Default : "NORMAL"
+# Example: TLS_Prio = "NONE:+VERS-TLS1.1:+AES-128-CBC:+RSA:+SHA1:+COMP-NULL";
+#TLS_Prio = "NORMAL";
+
+# Diffie-Hellman parameters size
+# Set the number of bits for generated DH parameters
+# Valid value should be 768, 1024, 2048, 3072 or 4096.
+# (This parameter is passed to gnutls_dh_params_generate2 function, 
+# it usually should match RSA key size)
+# Default : 1024
+#TLS_DH_Bits = 1024;
+
+# Alternatively, you can specify a file to load the PKCS#3 encoded
+# DH parameters directly from. This accelerates the daemon start 
+# but is slightly less secure. If this file is provided, the
+# TLS_DH_Bits parameters has no effect.
+# Default : no default.
+#TLS_DH_File = "<file.PEM>";
+
+
+##############################################################
+##  Timers configuration
+
+# The Tc timer of this peer.
+# It is the delay before a new attempt is made to reconnect a disconnected peer.
+# The value is expressed in seconds. The recommended value is 30 seconds.
+# Default: 30
+#TcTimer = 30;
+
+# The Tw timer of this peer.
+# It is the delay before a watchdog message is sent, as described in RFC 3539.
+# The value is expressed in seconds. The default value is 30 seconds. Value must
+# be greater or equal to 6 seconds. See details in the RFC.
+# Default: 30
+#TwTimer = 30;
+
+##############################################################
+##  Applications configuration
+
+# Disable the relaying of Diameter messages?
+# For messages not handled locally, the default behavior is to forward the
+# message to another peer if any is available, according to the routing 
+# algorithms. In addition the "0xffffff" application is advertised in CER/CEA 
+# exchanges.
+# Default: Relaying is enabled.
+#NoRelay;
+
+# Number of server threads that can handle incoming messages at the same time.
+# Default: 4
+#AppServThreads = 4;
+
+# Other applications are configured by loaded extensions.
+
+##############################################################
+##  Extensions configuration
+
+#  The freeDiameter framework merely provides support for
+# Diameter Base Protocol. The specific application behaviors,
+# as well as advanced functions, are provided
+# by loadable extensions (plug-ins).
+#  These extensions may in addition receive the name of a 
+# configuration file, the format of which is extension-specific.
+#
+# Format:
+#LoadExtension = "/path/to/extension" [ : "/optional/configuration/file" ] ;
+#
+# Examples:
+#LoadExtension = "extensions/sample.fdx";
+#LoadExtension = "extensions/sample.fdx":"conf/sample.conf";
+
+# Extensions are named as follow:
+# dict_* for extensions that add content to the dictionary definitions.
+# dbg_*  for extensions useful only to retrieve more information on the framework execution.
+# acl_*  : Access control list, to control which peers are allowed to connect.
+# rt_*   : routing extensions that impact how messages are forwarded to other peers.
+# app_*  : applications, these extensions usually register callbacks to handle specific messages.
+# test_* : dummy extensions that are useful only in testing environments.
+
+
+# The dbg_msg_dump.fdx extension allows you to tweak the way freeDiameter displays some
+# information about some events. This extension does not actually use a configuration file
+# but receives directly a parameter in the string passed to the extension. Here are some examples:
+## LoadExtension = "dbg_msg_dumps.fdx" : "0x1111"; # Removes all default hooks, very quiet even in case of errors.
+## LoadExtension = "dbg_msg_dumps.fdx" : "0x2222"; # Display all events with few details.
+## LoadExtension = "dbg_msg_dumps.fdx" : "0x0080"; # Dump complete information about sent and received messages.
+# The four digits respectively control: connections, routing decisions, sent/received messages, errors.
+# The values for each digit are:
+#  0 - default - keep the default behavior
+#  1 - quiet   - remove any specific log
+#  2 - compact - display only a summary of the information
+#  4 - full    - display the complete information on a single long line
+#  8 - tree    - display the complete information in an easier to read format spanning several lines.
+
+LoadExtension = "/open5gs/install/lib/x86_64-linux-gnu/freeDiameter/dbg_msg_dumps.fdx" : "0x8888";
+LoadExtension = "/open5gs/install/lib/x86_64-linux-gnu/freeDiameter/dict_rfc5777.fdx";
+LoadExtension = "/open5gs/install/lib/x86_64-linux-gnu/freeDiameter/dict_mip6i.fdx";
+LoadExtension = "/open5gs/install/lib/x86_64-linux-gnu/freeDiameter/dict_nasreq.fdx";
+LoadExtension = "/open5gs/install/lib/x86_64-linux-gnu/freeDiameter/dict_nas_mipv6.fdx";
+LoadExtension = "/open5gs/install/lib/x86_64-linux-gnu/freeDiameter/dict_dcca.fdx";
+LoadExtension = "/open5gs/install/lib/x86_64-linux-gnu/freeDiameter/dict_dcca_3gpp.fdx";
+
+
+##############################################################
+##  Peers configuration
+
+#  The local server listens for incoming connections. By default,
+# all unknown connecting peers are rejected. Extensions can override this behavior (e.g., acl_wl).
+# 
+#  In addition to incoming connections, the local peer can
+# be configured to establish and maintain connections to some 
+# Diameter nodes and allow connections from these nodes.
+#  This is achieved with the ConnectPeer directive described below.
+#
+# Note that the configured Diameter Identity MUST match
+# the information received inside CEA, or the connection will be aborted.
+#
+# Format:
+#ConnectPeer = "diameterid" [ { parameter1; parameter2; ...} ] ;
+# Parameters that can be specified in the peer's parameter list:
+#  No_TCP; No_SCTP; No_IP; No_IPv6; Prefer_TCP; TLS_old_method;
+#  No_TLS;       # assume transparent security instead of TLS. DTLS is not supported yet (will change in future versions).
+#  Port = 5868;  # The port to connect to
+#  TcTimer = 30;
+#  TwTimer = 30;
+#  ConnectTo = "202.249.37.5";
+#  ConnectTo = "2001:200:903:2::202:1";
+#  TLS_Prio = "NORMAL";
+#  Realm = "realm.net"; # Reject the peer if it does not advertise this realm.
+# Examples:
+#ConnectPeer = "aaa.wide.ad.jp";
+#ConnectPeer = "old.diameter.serv" { TcTimer = 60; TLS_old_method; No_SCTP; Port=3868; } ;
+ConnectPeer = "mme.EPC_DOMAIN" { ConnectTo = "MME_IP"; Port = 3868; No_TLS; };
+
+##############################################################

hss/hss.yaml

@@ -6,22 +6,4 @@ logger:
 parameter:
 
 hss:
-    freeDiameter:
-      identity: hss.EPC_DOMAIN
-      realm: EPC_DOMAIN
-      port: 3868
-      sec_port: 5868
-      listen_on: HSS_IP
-      load_extension:
-        - module: /open5gs/install/lib/x86_64-linux-gnu/freeDiameter/dbg_msg_dumps.fdx
-          conf: 0x8888
-        - module: /open5gs/install/lib/x86_64-linux-gnu/freeDiameter/dict_rfc5777.fdx
-        - module: /open5gs/install/lib/x86_64-linux-gnu/freeDiameter/dict_mip6i.fdx
-        - module: /open5gs/install/lib/x86_64-linux-gnu/freeDiameter/dict_nasreq.fdx
-        - module: /open5gs/install/lib/x86_64-linux-gnu/freeDiameter/dict_nas_mipv6.fdx
-        - module: /open5gs/install/lib/x86_64-linux-gnu/freeDiameter/dict_dcca.fdx
-        - module: /open5gs/install/lib/x86_64-linux-gnu/freeDiameter/dict_dcca_3gpp.fdx
-      connect:
-        - identity: mme.EPC_DOMAIN
-          addr: MME_IP
-          port: 3868
+    freeDiameter: /open5gs/install/etc/freeDiameter/hss.conf

hss/hss_init.sh

@@ -33,10 +33,17 @@ export IP_ADDR=$(awk 'END{print $1}' /etc/hosts)
 [ ${#MNC} == 3 ] && EPC_DOMAIN="epc.mnc${MNC}.mcc${MCC}.3gppnetwork.org" || EPC_DOMAIN="epc.mnc0${MNC}.mcc${MCC}.3gppnetwork.org"
 
 cp /mnt/hss/hss.yaml install/etc/open5gs
-sed -i 's|HSS_IP|'$IP_ADDR'|g' install/etc/open5gs/hss.yaml
-sed -i 's|MME_IP|'$MME_IP'|g' install/etc/open5gs/hss.yaml
+cp /mnt/hss/hss.conf install/etc/freeDiameter
+cp /mnt/hss/make_certs.sh install/etc/freeDiameter
+
+sed -i 's|HSS_IP|'$HSS_IP'|g' install/etc/freeDiameter/hss.conf
+sed -i 's|MME_IP|'$MME_IP'|g' install/etc/freeDiameter/hss.conf
+sed -i 's|EPC_DOMAIN|'$EPC_DOMAIN'|g' install/etc/freeDiameter/hss.conf
+sed -i 's|EPC_DOMAIN|'$EPC_DOMAIN'|g' install/etc/freeDiameter/make_certs.sh
 sed -i 's|MONGO_IP|'$MONGO_IP'|g' install/etc/open5gs/hss.yaml
-sed -i 's|EPC_DOMAIN|'$EPC_DOMAIN'|g' install/etc/open5gs/hss.yaml
+
+# Generate TLS certificates
+./install/etc/freeDiameter/make_certs.sh install/etc/freeDiameter
 
 # Sync docker time
 #ln -snf /usr/share/zoneinfo/$TZ /etc/localtime && echo $TZ > /etc/timezone

hss/make_certs.sh

@@ -0,0 +1,29 @@
+#!/bin/sh
+
+if [ 1 -ne $# ]
+then
+    echo You must specify output directory : ./make_certs.sh ./freeDiameter
+
+    exit;
+fi
+
+rm -rf demoCA
+mkdir demoCA
+echo 01 > demoCA/serial
+touch demoCA/index.txt.attr
+touch demoCA/index.txt
+
+# Generate .rnd if it does not exist
+openssl rand -out /root/.rnd -hex 256
+
+# CA self certificate
+openssl req  -new -batch -x509 -days 3650 -nodes -newkey rsa:1024 -out $1/cacert.pem -keyout cakey.pem -subj /CN=ca.EPC_DOMAIN/C=KO/ST=Seoul/L=Nowon/O=Open5GS/OU=Tests
+
+#hss
+openssl genrsa -out $1/hss.key.pem 1024
+openssl req -new -batch -out hss.csr.pem -key $1/hss.key.pem -subj /CN=hss.EPC_DOMAIN/C=KO/ST=Seoul/L=Nowon/O=Open5GS/OU=Tests
+openssl ca -cert $1/cacert.pem -days 3650 -keyfile cakey.pem -in hss.csr.pem -out $1/hss.cert.pem -outdir . -batch
+
+rm -f 01.pem 02.pem 03.pem 04.pem
+rm -f cakey.pem
+rm -f hss.csr.pem