 |
| |
Once the CE is in production, security and maintenance becomes really important. In this chapter, we’ll go through a set of best practices for any production system.
The CE runs a wide range of services. Some of them need to interact with the user, while some others need to interact with the administrator or with nobody at all. Assuming that we trust the CE server for outgoing connections, we’ll focus only on incoming traffic to define the services that need to be open for interaction.
Table 3. Subscribers
| Service | Default port | Config option |
|---|---|---|
Customer self care interface | 443 TCP | www_csc→apache→port |
SIP | 5060 UDP | kamailio→port |
SIP | 5060 TCP | kamailio→port + kamailio→disable_tcp (Disabled by default) |
RTP | 30000-40000 UDP | rtpproxy→minport + rtpproxy→maxport |
Table 4. Administrators
| Service | Default port | Config option |
|---|---|---|
SSH/SFTP | 22 TCP | NA |
Administrator interface | 1443 TCP | www_admin→apache→port |
Provisioning interfaces | 2443 TCP | ossbss→apache→port |
The CE comes with some default passwords the user should change during the deployment of the system. They have been explained in the previous chapters of this document.
![[Important]](../images/icons/important.png){kind=icon} | |
Many NGCP services use MySQL backend. Users and passwords for these services are created during the installation. These passwords are unique for each installation, and the connections are restricted to localhost. You should not change these users and passwords. |
The CE provides default, self-signed SSL certificates for SSL connections. These certificates are common for every installation. Before going to production state, the system administrator should provide SSL certificates for the web services. These certificates can either be shared by all web interfaces (provisioning, administrator interface and customer self care interface), or separate ones for each them can be used.
Set the path to the new certificates in /etc/ngcp-config/config.yml:
The CE can be integrated with most of the existing backup solutions. While it does not provide any backup system by default, any Debian compatible system can be installed. It’s not the scope of this chapter to go through backup system configuration. We’ll focus on which information needs to be saved.
The minimum set of information to be backed up is:
This is the most important data in the system. All subscriber information, billing, CDRs, user preferences etc. are stored in the MySQL server. A periodical dump of all the databases should be performed.
/etc/ngcp-config/config.yml, /etc/ngcp-config/constants.yml, /etc/mysql/debian.cnf and /etc/mysql/sipwise.cnf files, where your specific system configurations are stored, should be included in the backup as well.
The directory /home/jail/home/cdrexport contains the exported CDRs the system has generated so far. It depends on your local call data retention policy whether or not to remove these files after exporting them to an external system.
Any custom configurations, like modified templates or additionally implemented services which are not provided by the CE.
In the worst case scenario, when the system needs to be recovered from a total loss, you only need 4 steps to get back online:
| | ||
 |