Yamini has blogged about diameter configuration elements and Admin Cli commands here.

Diameter will be soon available as a pay for Addon module on Sailfin 2.0. Naman has written how to install and configure diameter on sailfin 2.0 here.

Here is a code snippet that shows how to subscribe to a user state using Sun Diameter Sh API . The Notifications from the Home subscriber server(HSS) can be received by a Message Driver Bean(MDB). The code snippet of the MDB is also shown below.

<br/> try {<br/> InitialContext context = new InitialContext();<br/> UserProfileServer hss = (UserProfileServer) context.lookup("openims");<br/> UserProfileConnection upc = hss.createConnection();<br/> SubscribeKey subScribeKey = new SubscribeKey();<br/> subScribeKey.addDataReference(DataReference.IMS_USER_STATE);<br/> subScribeKey.addServiceIndicator("default_sp");<br/> subScribeKey.setExpiryTime("5000");<br/> UserIdentity uID = new UserIdentity("sip:bob-AT-open-ims-DOT-test", UserIdentityType.PUBLIC_USER_ID);<br/> subScribeKey.setUserIdentity(uID);<br/> subScribeKey.validate();<br/> UserProfileSubscriptionResponse response = upc.subscribe(subScribeKey, false);<br/> ProfileData data = response.getProfileData();<br/> } catch (ConnectException ex) {<br/> Logger.getLogger(NotificationServlet.class.getName()).log(Level.SEVERE, null, ex);<br/> } catch (KeyValidationException ex) {<br/> Logger.getLogger(NotificationServlet.class.getName()).log(Level.SEVERE, null, ex);<br/> } catch (NamingException ex) {<br/> Logger.getLogger(NotificationServlet.class.getName()).log(Level.SEVERE, null, ex);<br/> }<br/>

<br/> @MessageDriven(mappedName = "SubscriptionNotifier",messageListenerInterface = com.sun.diameter.application.sh.api.UserProfileMessageListener.class,<br/> activationConfig = {<br/> @ActivationConfigProperty(propertyName = "DestinationType", propertyValue = "com.sun.diameter.application.sh.api.UserProfileMessageListener"),<br/> @ActivationConfigProperty(propertyName = "clientId", propertyValue = "SubscribeNotifierBean"),<br/> @ActivationConfigProperty(propertyName = "subscriptionName", propertyValue = "SubscribeNotifierBean")<br/> })<br/> public class SubscribeNotifierBean implements UserProfileMessageListener {<br/> public SubscribeNotifierBean() {<br/> }<br/> public void doPNR(UserProfileNotificationRequest upnr) {<br/> try {<br/> InitialContext context = new InitialContext();<br/> // one can use the the realm name obtained from the UserProfileNotificationRequest to map to appropriate<br/> //resource.<br/> UserProfileServer hss = (UserProfileServer) context.lookup("openims");<br/> hss.createConnection().sendPushNotificationResponse(upnr, 2001, false);<br/> } catch (ConnectException ex) {<br/> Logger.getLogger(SubscribeNotifierBean.class.getName()).log(Level.SEVERE, null, ex);<br/> } catch (NamingException ex) {<br/> Logger.getLogger(SubscribeNotifierBean.class.getName()).log(Level.SEVERE, null, ex);<br/> }<br/> }<br/>

The below Admin console snaps of Sailfin 2.0 show Home Subscriber server (pone) configured with Connector Pool(openims_pool) and Connector resource (openims)

Here are simple steps :
1.Using Sailfin 2.0 Admin console(Sailfin 2.0 also supports cli commands)
a)Create a Diameter application
b)Create a Diameter Peer ---- Diameter Peer screen also allows you to configure connector pool and resource.
2.Write a SIP Servlet with code snippet shown above
3.Write a MDB as shown above
4.Deploy the sar and jar and you should be done.

Here is a code snippet that shows how to read AVP’s that any of the response API’s does not directly expose.
In this case we see how to read Experimental Result Code AVP value.

<br/> UserProfileConnection upc = hss.createConnection();<br/> ReadProfileKey rpk = new ReadProfileKey();<br/> rpk.addDataReference(DataReference.IMS_USER_STATE);<br/> rpk.addServiceIndicator("default_sp");<br/> UserIdentity uID = new UserIdentity("sip:bob-AT-open-ims-DOT-test", UserIdentityType.PUBLIC_USER_ID);<br/> rpk.setUserIdentity(uID);<br/> rpk.validate();<br/> UserProfileReadResponse response = upc.read(rpk, false);<br/> if (response == null) {<br/> throw new RuntimeException("response is null");<br/> }<br/> ProfileData data = ((UDResponse) response).getProfileData();<br/> if (data != null) {<br/> System.out.println(count++ + ":" + new String(data.toBytes()));<br/> }<br/> ExperimentalResult result = (ExperimentalResult)response.getAVP(297);<br/> System.out.println((result.getExperimentalResultCode()));<br/>

Javadocs for Sun Diameter Online charging API's are now available here.

A nice set of scripts from http://code.google.com/p/syntaxhighlighter/
<br/> //Read User Profile information<br/> //Create a ReadProfile key identifying data to be read.<br/> ReadProfileKey rpk = new ReadProfileKey();<br/> UserIdentity uID = new UserIdentity("sip:bob-AT-open-ims-DOT-test", UserIdentityType.PUBLIC_USER_ID);<br/> rpk.addDataReference(DataReference.REPOSITORY_DATA);<br/> rpk.addServiceIndicator("default_sp");<br/> rpk.setUserIdentity(uID);<br/> //check if all the required information is present.<br/> rpk.validate();<br/> //get profile data<br/> UserProfileReadResponse profileResponse = upc.read(rpk, false);<br/> //now read the information.<br/> ProfileData profileData = ((UDResponse) profileResponse).getProfileData();<br/> JAXBContext context = JAXBContext.newInstance("com.sun.diameter.application.sh.userdata");<br/> JAXBElement<TShData> ob = (JAXBElement<TShData>) context.createUnmarshaller().unmarshal(new ByteArrayInputStream(profileData.toBytes()));<br/> //UPDATE userpfofile information using setter methods provided on JAXB objects and increment the sequence number....<br/> TTransparentData transData = (TTransparentData) ((ob.getValue()).getRepositoryData()).get(0);<br/> transData.setSequenceNumber(transData.getSequenceNumber() + 1);<br/> //Prepare to update the HSS with modified user profile information<br/> UpdateKey upk = new UpdateKey();<br/> upk.addDataReference(DataReference.REPOSITORY_DATA);<br/> upk.setUserIdentity(uID);<br/> upk.setServiceIndicator("default_sp");<br/> JAXBSource jxsource = new JAXBSource(context, ob);<br/> //update the HSS<br/> UserProfileUpdateResponse response = upc.update(upk, jxsource, false);<br/>

In the below code snippet we see how to read the user repository data from HSS,modify the data and update the HSS. Sh API makes this operation a breeze. OpenIMS HSS is one of the HSS server being used to test SH API's.

1.Look up HSS server
2.Create ReadProfileKey with required information and validate it to ensure required information to construct a valid message is there.
3.convert the retrieved profile data into JAXB objects
4.Update the profile data using setter methods provided by JAXB
5.Create a UpdateKey
6.send out the modified information.

.

Wrapping up development on Online and Offline charging API in Sailfin communication server. Here is a sample that shows a charging client accessing Ericsson Charging Server.

PartOne: Initial Request in Session based online charging.

View image to look at the source.

PartTwo: Update and Terminate Request in Session based online charging.
The below code snippet shows how to update a charging session and terminate one. The code snippet has comments to help you understand the code.

. 

Highlights of Diameter support in Sailfin
1.Easy to use API , interfaces provided for AVP's defined in 3GPP specs and RFC's
2.Easy to query additional AVP's in a Grouped AVP.
3.Easy to add new AVP support using dictionary or annotations.
4.Ability to send messages in a synchronous or asynchronous manner(Listener support to receive asynchronous responses)
5.Interfaces defined to build messages as per 3GPP specifications.
6.Easy to build custom messages as shown in the code snippet.
7.Diameter Resource adapter.
8.Sailfin Admin console and Admin GUI support for local/remote configuration
9.TLS support.

If you have questions write to dev-AT-sailfin.dev.java-DOT-net.

While I was looking at tools to generate code, I found Codemodel[codemodel.dev.java.net] to be a pretty good one. It is used by JAXB and by quite a number of internal projects within SUN. If you are not looking for a template based approach for generating JAVA code[as in http://apt-jelly.sourceforge.net/] I strongly recommend using Codemodel, nice thing I found in Codemodel is that generated code is nicely formatted , it was a onestop solution for me.

As we progressed through adding features to diameter module in sailfin, we felt the need to speed up the process of adding new application support into Diameter base protocol. Inorder to enable this we added few annotations and came up with a tool that uses metadata from the dictionary to generate the huge number of AVP's the 3GPP specs define.
Hoping to improve the tool as we progress.... Will publish the updated API's and Annotations soon...

Sailfin project will soon support Diameter protocol and will have API's to enable applications to use Sh,Ro,Rf functionality. As we progress towards providing Diameter support in Sailfin, we have released Sh API's to solicit your valuable feedback. In course of time we will publish API's for Ro and Rf applications too.

We encourage users to look at Javadocs and provide us feedback. Please write to us at dev-AT-sailfin.dev.java.net

P-Asserted-Identity authentication in Sailfin is based on RFC 3325 and requirements from JSR 289,

• Open sailfin administration console, default url will be http://localhost:4848
• Click on Configuration tab
• Click on Trust configurations

• Configuration as per JSR 289

• Implementation specific configuration

2.Securing methods

   JSR 289 defines security-constraint( auth-constraints and resource-collection) elements which enables users to configure SIP methods that need to be secured i,e accessed by authorized users.

please refer to sample sip.xml file for more details.

Implementation specific configuration

1.Configuring sun-sip.xml

properties trust-id-ref  and trust-auth-realm-ref, please refer to my previous blog entry to know learn about these properties.

Identity authentication and Digest authentication modules need NonceManager to cache call-id and nonce values respectively.
One can configure the max nonce age for these modules using NonceManager property under Security-Service element in domain.xml. maxNonceAge value is in milliseconds.
eg:
"property name="NonceManager" value="id=identity-nonce-config,maxNonceAge=350000;id=sip-nonce-config,maxNonceAge=3000"

NonceManager for Digest authentication module is sip-nonce-config whose default value is 600000 milliseconds.
NonceManager for identity authentication module is identity-nonce-config whose default value is 3600000 milliseconds.

Snapshot of configuring NonceManager using Admin UI is here

Introduction

           To learn what Identity authentication/RFC 4474 is all about read [1] and [2].

JSR 289 :

sip.xml has following additional elements under login-config.

<identity-assertion>

          <identity-assertion-scheme>Identity</identity-assertion-scheme>

          <identity-assertion-support></identity-assertion-support>

          <!-- SUPPORTED/REQUIRED are supported values for identity-assertion-support -->

</identity-assertion>

As per JSR 289 sailfin supports Identity authentication in two modes (SUPPORTED , REQUIRED). When SUPPORTED value is used then incoming SIP messages are processed as follows

  a) if Identity header is present then process it.

             b) if Identity header is not present then apply the authentication method configured in auth-method element.         

<login-config>

          <identity-assertion>

                  <identity-assertion-scheme>Identity</identity-assertion-scheme>

                  <identity-assertion-support>SUPPORTED</identity-assertion-support>

          </identity-assertion>

</login-config>

                                or

<login-config>

          <auth-method>DIGEST</auth-method>

          <realm-name>realmperapp</realm-name>

          <identity-assertion>

                  <identity-assertion-scheme>Identity</identity-assertion-scheme>

                  <identity-assertion-support>REQUIRED</identity-assertion-support>

         </identity-assertion>

                 </login-config>

Steps to configure Identity authentication module :

We will break the steps to configure Identity authentication module into following two steps,

1. Configuring security realm

2. Configuring security for SIP application

3. Add root certificate (Certificate Authority) of your public key used in the Identity message into cacerts.jks

Identity authentication module, will need a security realm with login-context value as “assertedRealm”. Follow below mentioned steps to configure the realm..

Steps :

rest of the values as per your database table structure, please refer to figures attached at the end of this blog.

Configuring security for SIP application :

To enable authentication and authorization of requests to an application, we need to configure following elements in sip.xml and sun-sip.xml

Elements in sip.xml (element are similar to web.xml except minor changes)

             <security-constraint>

             <login-config>

             <security-role>

please read the documentation / schema file to learn more about above elements, a sample configuration shown below means the following REGISTER and INVITE methods to SecurityTestServlet can be invoked by users with manager role and if the request MUST have Identity headers for authentication and authorization purpose.

             <security-constraint>

                     <display-name>UserConstraint</display-name>

                     <resource-collection>

                           <servlet-name>SecurityTestServlet</servlet-name>

                           <sip-method>REGISTER</sip-method>

                           <sip-method>INVITE</sip-method>

                     </resource-collection>

                     <auth-constraint>

                           <description>authentication-configuration</description>

                           <role-name>manager</role-name>

                     </auth-constraint>

             </security-constraint>

             <login-config>

                   <auth-method>DIGEST</auth-method>

                   <realm-name>realmperapp</realm-name>

                   <identity-assertion>

                          <identity-assertion-scheme>Identity</identity-assertion-scheme>

                          <identity-assertion-support>REQUIRED</identity-assertion-support>

                   </identity-assertion>

             </login-config>

             <security-role>

                    <description/>

                    <role-name>manager</role-name>

             </security-role>

Elements in sun-sip.xml

property “trust-auth-realm-ref “

element “security-role-mapping”

security-role-mapping element is same as security-role-mapping element in sun-web.xml , read this trus-auth-realm-ref refers to the Identity realm configured in domain.xml.

<sun-sip-app error-url="">

         <jsp-config>

              <property name="classdebuginfo" value="true">

                     <description>Enable debug info compilation in the generated servlet class</description>

              </property>

             <property name="mappedfile" value="true">

                   <description>Maintain a one-to-one correspondence between static content and the generated servlet class' java code</description>

               </property>

        </jsp-config>

        <property name="trust-auth-realm-ref" value="asserted_realm"/>

        <security-role-mapping>

                   <role-name>manager</role-name>

                   <principal-name>venu</principal-name>

                   <principal-name>jagan</principal-name>

                   <group-name>Management</group-name>

        </security-role-mapping>

 </sun-sip-app>

[1]http://www.tech-invite.com/Ti-sec-identity.html

[2]http://www.ietf.org/rfc/rfc4474.txt

[3]http://docs.sun.com/app/docs/doc/819-3669/bncbj?l=en&a=view&q=security-constraint

[4]

[5]

[6]

[7]

[8]

[9]

IdentityValidatorConfiguration :

property enables users to configure Identity (RFC 4474) authentication module in Sailfin, the property has name value pairs seperated by a comma as configuration parameters.This property can be configured under security element in domain.xml, use the Administration UI as shown here.

eg: maxClockSkew=30000, timestampFreshnessLimit=360000

• maxClockSkew

This sets the maximum difference allowed between the system clocks of the sender and recipient. The value is specified in milliseconds.

• timestampFreshnessLimit

Sets the maximum duration of time after which the timestamp becomes stale, the value MUST be specified in milliseconds and the default value is 600 seconds.

• enableRevocationCheck

if this flag is set to true, the default revocation checking mechanism of the underlying PKIX service provider will be used, by default value is false.

• certificateValidator

specifies the class name of custom certificate validator implemented by the user, this class must implement org.glassfish.comms.api.security.auth.CertificateValidator interface.