The NAF Authentication Filter is configured using the properties file ${rem.home}/sentinel-gaa-zn-config.properties.

The default location for ${rem.home} is the rem_home directory in your Apache Tomcat installation; see Set up Tomcat.

For example, if Tomcat is installed in /home/user/RhinoSDK/apache-tomcat-8.0.30, the filter will load the file /home/user/RhinoSDK/apache-tomcat-8.0.30/rem_home/sentinel-gaa-zn-config.properties.

If the sentinel-gaa-zn-config.properties file is not found, the filter will use default values for its properties. Otherwise, properties found in the file (described below) will override the defaults.

Filter properties

Property Name Description Default Value
sentinel.gaa.zn-cassandra-contact-points

Comma-separated list of Cassandra node addresses to connect to initially.

127.0.0.1
sentinel.gaa.zn-cassandra-port

The port to use to connect to Cassandra nodes.

9042
sentinel.gaa.zn-cassandra-keyspace

The name of the Cassandra keyspace that stores GAA bootstrap information.

opencloud_gaa_bootstrap_info
sentinel.gaa.naf-service-type

The GAA Service Type for this NAF. Defaults to service type 0 (unspecified service type). See 3GPP TS 29.109 Annex B.

0
sentinel.gaa.naf-service-id

The GAA Service Identifier for this NAF. This value is operator-specific. Uniquely identifies a service (such as XCAP) within the operator’s network.

This value has to match the service-id returned by the HSS in the subscriber’s GUSS.

Note that some HSS automatically populate the GUSS service-id with the same value as the GUSS service-type.

Must be an integer value.

0
sentinel.gaa.naf-group

The optional NAF Group this NAF belongs to. NAF groups are operator specific. Default is the empty string (no NAF group).

""
sentinel.gaa.zn-reconnection-policy

The two policies available for connection/re-connection (reconnection.policy) are:

  • constant — the driver attempts to connect with a fixed period. The reconnection.constant.delay property is the period (measured in seconds).

  • exponential — the driver attempts to connect with an increasing period.

constant
sentinel.gaa.zn-cassandra-reconnection-constant-delay-sec

How long (s) between attempts to connect to the Cassandra DB (constant). Acceptable values are 5s to 60s.

10
sentinel.gaa.zn-cassandra-reconnection-exponential-initial-delay-sec

The first delay (s) before attempting to connect to the Cassandra DB (exponential). Acceptable values are 1s to 24s.

1
sentinel.gaa.zn-cassandra-reconnection-exponential-max-delay-sec

Subsequent delay (s) = 2 x previous delay, capped by max delay (s) (exponential). Acceptable values are 16s to 128s.

32
sentinel.gaa.zn-cassandra-socket-connect-timeout

How long (ms) to establish a new connection to a Cassandra node before giving up.

4000
sentinel.gaa.zn-cassandra-socket-read-timeout

How long (ms) for a given Cassandra node to answer a query.

4000
sentinel.gaa.zn-cassandra-socket-keepalive

True/False/not-set. Whether to enable TCP keepalive. The default, (not-set), means the value used is the default from the underlying Netty transport.

not-set
sentinel.gaa.zn-cassandra-socket-reuseaddress

True/False/not-set. Whether reuse-address is enabled. The default, (not-set), means the value used is the default from the underlying Netty transport.

not-set
sentinel.gaa.zn-cassandra-socket-solinger

The linger-on-close timeout. The default, (-1 == not set), means the value used is the default from the underlying Netty transport.

-1
sentinel.gaa.zn-cassandra-socket-tcpnodelay

Whether to disable Nagle’s algorithm.

True
sentinel.gaa.zn-cassandra-socket-receivebuffersize

Sets a hint to the size of the underlying buffers for incoming network I/O. The default, (-1 == not set), means the value used is the default from the underlying Netty transport.

-1
sentinel.gaa.zn-cassandra-socket-sendbuffersize

Sets a hint to the size of the underlying buffers for outgoing network I/O. The default, (-1 == not set), means the value used is the default from the underlying Netty transport.

-1
sentinel.gaa.zn-cassandra-lb-recipe

Select the load-balancing approach to use. Allowed values include: round-robin, dc-aware-round-robin, latency-aware-round-robin, latency-aware-dc-aware-round-robin. A value of use-default uses the driver default.

use-default
sentinel.gaa.zn-cassandra-lb-latencyaware-exclusionthreshold

How much worse the average latency of a node must be compared to the fastest performing node for it to be penalized. Must be greater than 1.0. A value of 0 means use the driver default.

0.0
sentinel.gaa.zn-cassandra-lb-latencyaware-scale

Dictates the weight of a latency measurement to previous measurements in average latency. The value must be greater than 0. A value of 0 means use the driver default.

0
sentinel.gaa.zn-cassandra-policy-protocol-usessl-jdk

Whether SSL should be used (using the JDK built-in engine).

false
sentinel.gaa.zn-cassandra-policy-protocol-usessl-netty

Whether SSL should be used (deferring to the Netty layer).

false
sentinel.gaa.max-nonce-count

The number of times the same nonce can be used. Must be greater than 0.

100
sentinel.gaa.nonce-lifetime

The lifetime of a nonce, in milliseconds.

180000
sentinel.gaa.nonce-cache-capacity

The maximum number of nonce records to keep in memory. Must be greater than 0.

100000
sentinel.gaa.nonce-storage

The storage mechanism used for nonces. Can be local for storage in memory only or cassandra for storage in Cassandra.

cassandra
sentinel.gaa.nonce-cassandra-keyspace

The name of the Cassandra keyspace used to store nonces when cassandra is set for sentinel.gaa.nonce-storage. Defaults to opencloud_nonce_info.

opencloud_nonce_info
sentinel.gaa.trusted-ips

The comma-separated list of IP addresses which represent the trusted network interface(s) of the NAF Authentication Filter. Requests received on any of these IP addresses will not be required to supply valid authentication credentials.

This allows the NAF Authentication Filter to handle requests from internal clients that do not support the authentication protocols.

""
sentinel.gaa.trusted-source-ips

A comma-separated list of IP addresses from which all traffic will be trusted. Requests received from any of these IP addresses will not be required to supply valid authentication credentials.

This allows the NAF Authentication Filter to handle requests from internal clients that do not support the authentication protocols.

""
sentinel.gaa.read-ua-cipher-suite-name-from-header

A boolean value that defaults to false.

This tells the NAF filter to extract the cipher from the X-Ua-OpenSSL-Cipher-Suite header. This is helpful when the UI-Nginx connection used a different cipher than the Nginx-NAF connection.

false
sentinel.gaa.force-auth-on-paths

The comma-separated list of URL path prefixes for which authentication should always be enforced. This has precedence over the sentinel.gaa.trusted-ips and sentinel.gaa.trusted-source-ips settings.

/rem/auth-check
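
The precedence among sentinel.gaa.trusted-ips, sentinel.gaa.trusted-source-ips and sentinel.gaa.force-auth-on-paths can be modelled as follows. This is an added example, not the filter's own code: TrustConfig, authentication_required, the sample addresses and the /rem/home path are hypothetical, and the path is compared as a plain string prefix.

```python
# Added illustration: models the documented precedence; not the filter's own code.
from dataclasses import dataclass
from ipaddress import ip_address

def _ips(value):
    """Parse a comma-separated address list, ignoring empty entries."""
    return frozenset(ip_address(v.strip()) for v in value.split(",") if v.strip())

@dataclass(frozen=True)
class TrustConfig:
    trusted_ips: frozenset         # sentinel.gaa.trusted-ips (local interfaces)
    trusted_source_ips: frozenset  # sentinel.gaa.trusted-source-ips (client addresses)
    force_auth_on_paths: tuple     # sentinel.gaa.force-auth-on-paths

    @classmethod
    def from_properties(cls, props):
        paths = props.get("sentinel.gaa.force-auth-on-paths", "/rem/auth-check")
        return cls(
            _ips(props.get("sentinel.gaa.trusted-ips", "")),
            _ips(props.get("sentinel.gaa.trusted-source-ips", "")),
            tuple(p.strip() for p in paths.split(",") if p.strip()),
        )

def authentication_required(cfg, local_ip, remote_ip, path):
    """Return (required, reason) for a request received on local_ip from remote_ip."""
    # force-auth-on-paths has precedence over both trust lists, so test it first.
    for prefix in cfg.force_auth_on_paths:
        if path.startswith(prefix):
            return True, "forced: path prefix " + prefix
    if ip_address(local_ip) in cfg.trusted_ips:
        return False, "trusted interface"
    if ip_address(remote_ip) in cfg.trusted_source_ips:
        return False, "trusted source"
    return True, "no trust rule matched"

# Constructed sample: documentation-range addresses and a hypothetical path.
SAMPLE = TrustConfig.from_properties({
    "sentinel.gaa.trusted-ips": "192.0.2.10",
    "sentinel.gaa.trusted-source-ips": "198.51.100.7, 198.51.100.8",
})

if __name__ == "__main__":
    for req in [("192.0.2.10", "203.0.113.5", "/rem/home"),
                ("192.0.2.20", "198.51.100.8", "/rem/home"),
                ("192.0.2.10", "198.51.100.7", "/rem/auth-check"),
                ("192.0.2.20", "203.0.113.5", "/rem/home")]:
        print(req, authentication_required(SAMPLE, *req))
```

A match on either trust list removes the credential check entirely, so keep both lists short and list every sensitive path prefix under sentinel.gaa.force-auth-on-paths.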

Modifying filter properties

To modify one or more properties, create the ${rem.home}/sentinel-gaa-zn-config.properties file if it does not already exist. Then edit the file and specify properties using the usual Java property syntax. Below is an example sentinel-gaa-zn-config.properties file:

Example
sentinel.gaa.zn-cassandra-contact-points = cassandra-1.home.net, cassandra-2.home.net
sentinel.gaa.naf-service-id = 42
sentinel.gaa.naf-group = XCAP_1
Note: Changes to this file take effect when Tomcat is restarted.
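
Because changes only take effect at restart, it helps to check an edited file against the documented limits first. The checker below is an added example, not part of the product: parse_properties, check and the sample file are hypothetical, only the plain key = value syntax is handled, and only the ranges and value sets stated in the table above are tested.

```python
# Added illustration, not vendor code: checks a file against the documented limits.
import re

PREFIX = "sentinel.gaa."
RANGES = {  # inclusive (min, max) from the table; None means no documented bound
    "zn-cassandra-reconnection-constant-delay-sec": (5, 60),
    "zn-cassandra-reconnection-exponential-initial-delay-sec": (1, 24),
    "zn-cassandra-reconnection-exponential-max-delay-sec": (16, 128),
    "max-nonce-count": (1, None),
    "nonce-cache-capacity": (1, None),
    "naf-service-id": (None, None),  # documented only as "must be an integer"
}
CHOICES = {"zn-reconnection-policy": {"constant", "exponential"},
           "nonce-storage": {"local", "cassandra"}}
BYPASS = ("trusted-ips", "trusted-source-ips")  # non-empty lists skip authentication

def parse_properties(text):
    props = {}
    for line in map(str.strip, text.splitlines()):
        if line and line[0] not in "#!":  # skip blanks and comment lines
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props

def check(props):
    """Return sorted (property, finding) pairs for out-of-spec or risky settings."""
    findings = []
    for key, value in props.items():
        name = key[len(PREFIX):] if key.startswith(PREFIX) else key
        if name in RANGES:
            lo, hi = RANGES[name]
            if not re.fullmatch(r"-?[0-9]+", value):
                findings.append((key, "not an integer"))
            elif (lo is not None and int(value) < lo) or (hi is not None and int(value) > hi):
                findings.append((key, "outside documented range"))
        elif name in CHOICES and value not in CHOICES[name]:
            findings.append((key, "not a documented value"))
        elif name in BYPASS and value:
            findings.append((key, "authentication skipped for " + value))
    ssl_keys = [PREFIX + "zn-cassandra-policy-protocol-usessl-" + e for e in ("jdk", "netty")]
    if not any(props.get(k, "false").lower() == "true" for k in ssl_keys):
        findings.append((ssl_keys[0], "SSL to Cassandra is off"))
    return sorted(findings)

SAMPLE = """# constructed sample file
sentinel.gaa.zn-cassandra-reconnection-constant-delay-sec = 2
sentinel.gaa.nonce-storage = memory
sentinel.gaa.trusted-source-ips = 198.51.100.7
"""
```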