Information contained in this document is believed to be accurate and reliable at the time
of printing. However, due to ongoing product improvements and revisions, AudioCodes
cannot guarantee accuracy of printed material after the Date Published nor can it accept
responsibility for errors or omissions. Updates to this document can be downloaded from
This document is subject to change without notice.
Date Published: March-11-2021
WEEE EU Directive
Pursuant to the WEEE EU Directive, electronic and electrical waste must not be disposed of
with unsorted waste. Please contact your local recycling authority for disposal of this product.
Customer Support
Customer technical support and services are provided by AudioCodes or by an authorized
AudioCodes Service Partner. For more information on how to buy technical support for
AudioCodes products and for contact information, please visit our website at https://www.au-
AudioCodes continually strives to produce high quality documentation. If you have any
comments (suggestions or errors) regarding this document, please fill out the Documentation
Feedback form on our website at https://online.audiocodes.com/documentation-feedback.
Stay in the Loop with AudioCodes
Document Name
OVOC Documents
Migration from EMS and SEM Ver. 7.2 to One Voice Operations Center
One Voice Operations Center IOM Manual
One Voice Operations Center Product Description
- ii -
Notice
OVOC | Integration with Northbound Interfaces
Document Name
One Voice Operations Center User’s Manual
Device Manager Pro Administrator's Manual
One Voice Operations Center Alarms Monitoring Guide
One Voice Operations Center Performance Monitoring Guide
One Voice Operations Center Security Guidelines
One Voice Operations Center Integration with Northbound Interfaces
Device Manager for Third-Party Vendor Products Administrator's Manual
Device Manager Agent Installation and Configuration Guide
ARM User’s Manual
Documents for Managed Devices
Mediant 500 MSBR User's Manual
Mediant 500L MSBR User's Manual
Mediant 500Li MSBR User's Manual
Mediant 500L Gateway and E-SBC User's Manual
Mediant 800B Gateway and E-SBC User’s Manual
Mediant 800 MSBR User’s Manual
Mediant 1000B Gateway and E-SBC User’s Manual
Mediant 1000B MSBR User’s Manual
Mediant 2600 E-SBC User's Manual
Mediant 3000 User’s Manual
Mediant 4000 SBC User's Manual
Mediant 9000 SBC User's Manual
Mediant Software SBC User's Manual
- iii -
Notice
OVOC | Integration with Northbound Interfaces
Document Revision Record
LTRTDescription
19226Update to Section:MGs Topology List; Alarm Forwarding Data Formats; OVOC
Server Backup and Restore; Data Analytics API
Section:Step 6 Configuring AudioCodes Azure Active Directory (Operator
Authentication) moved to IOM
- iv -
Content
OVOC | Integration with Northbound Interfaces
Table of Contents
1 Overview1
2 OVOC Integration2
OVOC Integration Elements2
OVOC Topology File2
Alarms2
Gateway Status3
Security3
Configuration and Maintenance3
MIB Folder3
NBIF Folder3
3 Topology Files6
MGs Topology List6
Topology.xml File7
4 Managing PM Files9
Saving PM Filter Queries9
Creating PM Data File10
5 Fault Management11
Alarms and Events Forwarding to the NMS11
Forwarding Alarms from OVOC Server to the NMS12
Forwarding Alarms Directly from Devices to NMS20
Alarm Aggregation20
Examples of Aggregated Alarms20
Alarm Forwarding Data Formats22
OVOC Server Alarm Settings28
Alarms Automatic Clearing (on Startup)28
Alarms Automatic Clearing Period (Days)29
Events Clearing Mechanism29
Alarm Suppression Mechanism29
Alarms Sequence Numbering29
SNMP Alarms Synchronization32
Resynchronization (Resync) Mechanism32
OVOC Keep-alive34
Status / State Management via Devices SNMP Interface37
6 Voice Quality Reports38
7 OVOC Server Backup and Restore41
8 Data Analytics API44
9 Security47
Network Communication Protocols47
OVOC User Identity Management48
- v -
Content
Authentication and Authorization using a Radius Server48
Configuring Radius Server Client49
Configuring RADIUS Server50
Authentication and Authorization using an LDAP Server51
Authentication and Authorization using Microsoft Azure52
Step 6 Configuring AudioCodes Azure Active Directory (Operator Authentication)53
OVOC | Integration with Northbound Interfaces
HTTPS Connection60
10 Data Analytics API Database Tables61
Main Table Views61
Type Views75
- vi -
Content
OVOC | Integration with Northbound Interfaces
This page is intentionally left blank.
- vii -
CHAPTER1 Overview
1Overview
AudioCodes One Voice Operations Center OVOC delivers a comprehensive management tools
suite comprising of base platform and add-on modular applications for the management,
monitoring and operation of converged VoIP and data networks implemented in large-scale
cloud or premise-based unified communications deployments using AudioCodes devices. The
products that are managed by the OC include the Session Border Controllers (SBC), Media
Gateways, Microsoft Survivable Branch Appliances (SBA), Multi Service Business Router
(MSBR), residential gateways and devices .OVOC also integrates with the Microsoft Skype for
Business environment platforms.
The Network Operations Center's core product, the Operations Center OC manages these
products in a centralized device inventory via a Web client, enabling integrative network
operations. The following describes the key products in the OC suite:
■ The One Voice Operations Center: The OVOC is an advanced solution for remote
standards-based management of AudioCodes products within VoP networks, covering all
areas vital for their efficient operation, administration, management and security. A single
user interface provides real time information including network and device component
status, activity logs and alarms. Complete End-to-End network control includes data on all
devices, all locations, all sizes, all network functions and services and full control over the
network, including services, updates, upgrades, and operations. The OVOC is in
AudioCodes’ assessment, the best tool to manage AudioCodes devices. However, it does
not replace the NMS and OSS management systems, which displays to operators a
comprehensive view of the network, including other vendors’ equipment. After defining
and initially provisioning a device via the device's embedded Web server tool, operators
will usually work with an NMS / OSS for day-to-day maintenance. Only in the event of
problems with a device or when significant maintenance tasks must be performed, will
operators open the OVOC and work directly with it. Consequently, the OVOC provides
APIs for faults monitoring (alarms) and security integration with a higher level
management system.
OVOC | Integration with Northbound Interfaces
■ Voice Quality Management: Voice Quality Management involves the analyze of real-time
Voice Quality statistics, which enables the rapid identification of the metrics responsible
for degradation in the quality of any VoIP call made over the network nodes including
AudioCodes devices and links. It provides an accurate diagnostic and troubleshooting tool
for analyzing quality problems in response to VoIP user criticism. It proactively prevents
VoIP quality degradation and optimizes quality of experience for VoIP users. In addition, it
integrates with Microsoft Skype for Business monitoring server to provide end-to-end
VoIP quality monitoring on Microsoft Skype for Business deployments. In addition, Voice
Quality integrates and monitors with endpoints reporting RFC 6035 SIP PUBLISH packets.
■ The Device Manager Pro: Enables enterprise network administrators to effortlessly and
effectively set up, configure and update up to 30000 400HD Series IP phones in globally
distributed corporations. These phones can upload configuration files from the OVOC
server and send status updates over the REST protocol.
- 1 -
CHAPTER2 OVOC Integration
2OVOC Integration
This document describes how to integrate the network elements of AudioCodes One Voice
Operation Center (OVOC) with northbound interfaces. This includes the integration of alarms
and events that are generated by the managed elements, the XML files polling and the
Topology file. The figure below illustrates this integration.
Figure 2-1:OVOC Integration Overview
OVOC | Integration with Northbound Interfaces
OVOC Integration Elements
This section describes the integration elements.
OVOC Topology File
The OVOC Topology file includes a snapshot of all the devices that are defined in the OVOC
application. This file is located on the OVOC server and is available for the higher level
management system (see Topology Files).
Alarms
Alarms are forwarded to the NMS as SNMP notifications (traps). These alarms can be
forwarded using one of the following methods:
■ Forwarded by the OVOC application to the NMS server (for all the network elements and
the OVOC itself).
- 2 -
CHAPTER2 OVOC Integration
■ Sent directly by each one of the network elements directly to the NMS server. In this case,
there is the possibility to enable OVOC alarms. For example, when a connection between
the OVOC server and device is established or lost, traps are forwarded to the NMS server.
For detailed information, see Fault Management.
Gateway Status
The status of a device can be determined based on the set of supported IETF Management
Information Base (MIB-II) tables (described in the SNMP Reference Guide).
Security
Security integration covers two main areas: Users Management and Network Communication
protocols.
■ OVOC Users Management (Authentication and Authorization) locally in the OVOC
database or via a centralized RADIUS server or LDAP server.
■ Network Communication Protocols:
OVOC | Integration with Northbound Interfaces
●HTTP/HTTPS:
◆NBIF Client- OVOC server connection is secured by default over HTTPS port 443
using AudioCodes default certificates or custom certificates
◆File transfer
●SNMPv2 and SNMPv3: For Maintenance actions and Faults
●SSH/SFTP/SCP: used for File transfer
For detailed information, see OVOC Server Backup and Restore
Configuration and Maintenance
A REST API will be available in a future release for performing configuration and maintenance
actions from the NMS and running automation scripts using REST API URLs. For more
information, contact your AudioCodes representative.
MIB Folder
AudioCodes MIB files are located under the following folder:
All OVOC and device information available for the NMS and other Northbound interfaces
including Topology and Backup data is located in the OVOC server machine under the folder
/NBIF. This folder can be accessed using HTTPS browsing by entering the URL https://<OVOC
server IP>/NBIF in your Web browser.
- 3 -
CHAPTER2 OVOC Integration
●The customer’s Web browser must have installed the appropriate X.509
certificates signed by the same Certificate Authority (CA) as the OVOC server
web browser certificates. Choose the appropriate certificate, and then click OK.
●For more information on the implementation of X.509 certificates, refer to the
OVOC Security Guidelines.
●HTTP/S access to the NBIF folder requires a user name and password. This is
required for multi-tenancy support where only authorized tenants should be able to
access the NBIF folder. The Default user name is “nbif” and the default password
“pass_1234”. This password can be changed using the OVOC server Manager, for
more information, refer to Section Change HTTP/S Authentication Password for
NBIF Directory in the OVOC Server IOM.
The 'NBIF' folder content opens; double-click each one of the folders to list its contents.
Double-click each file to open its contents.
OVOC | Integration with Northbound Interfaces
Figure 2-2:NBIF Parent Directory
Figure 2-3:NBIF Topology Directory
- 4 -
CHAPTER2 OVOC Integration
The 'NBIF' folder contains the following sub-folders:
■ SEM: this folder contains Scheduled Reports. For more information, see Voice Quality
Reports
■ alarms: this folder contains a file saved by the OVOC user (Actions > Save Alarms To File'
which is available in the Active Alarms/History Alarms and Journal pages) where the action
result displays no less than 1500 records. This file is created for local user requests and
must not be collected by higher level Management or Backup systems.
■ emsBackup: this folder contains the daily and weekly backup of the OVOC server. For
more information, see OVOC Server Backup and Restore.
■ ippmanager (Device Manager): this folder contains the following folders:
●generate: contains the device firmware files
●regioncache: contains the device global cfg files
●sess: contains system folder for sessions management
●templates: contains the device cfg template files
OVOC | Integration with Northbound Interfaces
●tmp: contains system folder for temporary files
■ mgBackup: this folder contains the backed up device INI and CLI configuration files.
■ mgDebug: this folder contains Syslog and Packets debug information.
■ Mgmt_ca: this folder contains the default certificate files for the OVOCManaged devices
and the OVOC Root CA file.
■ pmFiles:this folder contains the output XMLfile for Performance Monitoring data that is
collected per polling interval according to the PMProfile and output to XMLfile according
to the filter settings.
■ topology: A Summary file of all the devices and their basic properties defined in the OVOC
application. The summary file is located under the 'topology' folder and is always named
MGsTopologyList.csv. For more information, see Topology Files.
- 5 -
CHAPTER3 Topology Files
3Topology Files
Topology files are created and maintained by the OVOC application. These file includes
updated information on the OVOC topology. The following files are generated by the OVOC
server:
■ MGsTopologyList.csv (see below)
■ Topology.xml file (see Topology.xml File)
Both the 'MGsTopologyList.csv' and the Topology.xml file can be retrieved using one of the
following methods:
■ Using the ‘Collect Logs’ option in the EMS Server Manager
■ By FTP or SFTP protocol
■ Via Telnet or SSH using 'nbif' user with user nbif, pass_1234
The Topology.xml must be generated manually using the Topology Export procedure
(described below in Topology.xml File).
OVOC | Integration with Northbound Interfaces
MGs Topology List
The MGsTopologyList.csv file is used by the NMS system to synchronize the list of devices that
are currently managed by the OVOC for the purposes of Alarms Forwarding integration. For
example, if a specific device has not been receiving alarms, you can verify in the topology file,
whether the relevant device is displayed in the list of connected gateways.
The Topology file is automatically updated upon the addition /removal of a device or upon
updates to the device's properties, such as name, IP address or region modification. The OVOC
sends 'acEMSTopologyUpdateEvent' (Topology Update) for changes in the definition or update
of a device and sends 'acEMSTopologyFileEvent (Topology File Generated) for a topology file
update. These events are displayed in the OVOC Alarm Browser and in the NMS Alarm Browser
when the 'OVOC Events Forwarding' check box is selected in the Trap Configuration
'Destination Rule Configuration' dialog.
When multiple devices are added, the Topology file is updated approximately once per minute
as the entire operation may take more than a few minutes. For detailed information on the
exact event fields, refer to the OVOC Alarms Guide.
The file header is composed of two lines commencing with “;” file format version, and column
names. Each row in the file represents a device in the OVOC tree and includes the following
information:
■ Device Serial Number (displays either 32-bit and 64-bit serial numbers for SBC devices)
according to the device firmware version and configuration settings in the externals/configurationProperties/generalConfig file for the include_serial_string.
■ IP Address
■ FQDN
- 6 -
CHAPTER3 Topology Files
■ Node Name
■ Region Name
■ Description
■ Product Type
■ Software Version
■ Connection Status – Connected / Not Connected – represent the ability of OVOC
application to communicate with the device
■ Administrative State – Locked / Unlocked / Shutting Down
■ Operational State – Enabled / Disabled
■ Mismatch State – No Mismatch / Software Version Unsupported / Software Mismatch /
Hardware Mismatch.
■ Last Change Time
■ Protocol Type –SIP
OVOC | Integration with Northbound Interfaces
■ Reset Needed
■ SBA FQDN Name
■ SBA IP Address
■ SNMP Version – options are SNMPv2/SNMPv3
■ SNMP Read – encrypted SNMP read community
■ SNMP Write – encrypted SNMP write community
■ SNMP User Profile - SNMP v3 user credentials in format: (EnginID;Se-
curityName;SecurityLevel;AuthProtocol;PrivacyKey)
■ Gateway User – user name for MG web access
■ Gateway Password– user password for device web access
■ HTTPS Enabled – 0-disabled/1-enabled HTTPS access to the device
■ Tenant Name
See an example Excel file view in the figure below.
Figure 3-1:Topology File-Excel View
Topology.xml File
The Topology.xml file backs up the following data:
- 7 -
CHAPTER3 Topology Files
■ Tenants/Regions/Sites
■ AudioCodes devices
■ Skype for Business devices
■ Generic devices
■ Links
■ SBAs/CloudBond/CCE Appliances
■ License Pool configuration for each managed device
➢ To export the OVOC topology xml file:
1. Log in to the OVOC server platform as 'root' user with password root (default password is
root):
su – root
OVOC | Integration with Northbound Interfaces
2. Change directory to /ACEMS/server_7.4.xxx:
cd /ACEMS/server_7.4.xxx
3. Execute topologyExport.pl script:
./topologyExport.pl
- 8 -
CHAPTER4 Managing PM Files
4Managing PM Files
Performance Monitoring data can be retrieved as follows:
■ Data files can be generated for polled data according to PM profile for each polling interval
(see Creating PM Data File)
■ Filter queries can be saved to an XMLfile which you can save to an external location (see
Saving PM Filter Queries)
Performance Monitoring parameters can be managed using SNMP and REST API.
Saving PM Filter Queries
You can save PMfilter queries to a CSVfile by selecting the option Save Device PM Data.
OVOC | Integration with Northbound Interfaces
➢ To save PMfilter queries:
1. In the OVOC Web, open the Network Devices page (Network tab >Devices menu).
2. Select the device whose data you wish to extract and click Show.
3. Verify that the device is currently being polled.
4. Click the Statistics tab and add a new filter.
5. Click Save Device PMData.
Filter output is saved to a CSV file; save the file to the desired external location. See
example file below.
Figure 4-1:PMData File
- 9 -
CHAPTER4 Managing PM Files
Creating PM Data File
A PM data file can be automatically generated when the option "Create Data File" is selected in
the PM Profile in the OVOC Web. The data file is generated for polled data for each polling
interval for all parameters that are defined in the profile. These files can be retrieved from the
NBIF directory (see NBIF Folder).
➢ To create a PM data file:
1. In the OVOC Web, open the Add PMProfile screen (Statistics > PM Profiles > Add).
2. Select the 'Create Data File' check box.
See example XML format in XML editor below.
Figure 4-2:Performance Monitoring XMLOutput
OVOC | Integration with Northbound Interfaces
- 10 -
CHAPTER5 Fault Management
5Fault Management
AudioCodes devices report their faults (alarms and events) and state changes
(Administrative/Operative state) via SNMP notification traps. Both standard and proprietary
traps are supported. AudioCodes proprietary traps have the same variable bindings set. Each
alarm includes information required by the ITU- T X.733 standard. Operative and
Administrative states are managed according to the ITU-T X.731 standard. See the OVOC
Alarms Guide for the exact list of standard, MG proprietary and OVOC proprietary traps that
are supported for each device. For each trap description, it’s indicated whether the trap is
defined as an alarm or an event.
Alarms and Events Forwarding to the NMS
Alarms can be forwarded to the NMS using one of the following methods:
■ Alarms and events are forwarded by the OVOC application to the NMS for all network
elements (devices, IP Phones and endpoints (purple-colored path in the figure below) or
only Management alarms and events are forwarded (green-colored path in the figure
below).
OVOC | Integration with Northbound Interfaces
■ Each one of the network elements (devices and devices) sends its own alarms directly to
the NMS (blue-colored path in the figure below). The device can send alarms to several
destinations (the exact number of destinations depends on the device type). For example,
the device can send alarms to the OVOC and NMS. You can configure each destination
with a different trap port.
Traps are forwarded to the NMS as SNMPv2 or SNMPv3 Notifications. The SNMPv3 protocol
provides more sophisticated security mechanisms than SNMPv2c. It implements a user-based
security model (USM), allowing both authentication and encryption of the requests sent
between the OVOC Manager and their agents, as well as user-based access control. SNMP can
be configured in the OVOC at the global level using an SNMP Connectivity template, at the
tenant level (Tenant SNMP Profile). You must configure identical SNMP settings on all managed
devices.
Although the OVOC can forward alarms and events in several formats (SNMP Notifications, Mail and Syslog), alarms and events are always sent to an NMS as SNMP
notifications for purposes of NMS integration.
- 11 -
CHAPTER5 Fault Management
OVOC | Integration with Northbound Interfaces
Figure 5-1:Alarm and Event Forwarding
Forwarding Alarms from OVOC Server to the NMS
This section describes how to configure alarms forwarding from the OVOC server to the NMS.
➢ To forward alarms from the OVOC to the NMS:
1. Open the Alarms Forwarding page (Alarms > Forwarding).
Rule NameDefine an intuitive name, to be displayed in the alarm summary
- 13 -
CHAPTER5 Fault Management
ParameterDescription
OVOC | Integration with Northbound Interfaces
screen.
Forward matching
alarms/events -or-
Prevent forwarding
matching
alarms/events
Allows or prevents forwarding alarms as Emails or Syslog
depending on the option you select from the 'Destination Type'
dropdown under the Destination tab. If for example you select
Prevent forwarding matching alarms/events and then select
Minor Alarms from the 'Severities' dropdown under the Rule
Conditions tab, then minor alarms are not forwarded.
Enable/Disable RuleEnables or disables the rule if the parameters and conditions
configured under this tab as well as under Rule Conditions and
Destinations are met.
TenantFrom the dropdown, select System – all tenants; the rule will
then apply to all tenants and to all regions/links/devices/sites
under all tenants.
Next to 'Attachments', you'll then view:
all Tenant/s, all Region/s, all Device/s, all Link/s, all Site/s
Click View to view all tenants in a collapsed tree; expand the
branches to view and select specific regions/links/devices/sites
to apply the rule to.
Alternatively: Select from the dropdown a specific tenant; the
rule will be applied only to regions/links/devices/sites under
that specified tenant.
Tenants|Regions
Devices|Sites|Links
Click View to view only that specified tenant displayed in the
tree. You can expand the tenant to view and select specific
regions/links/devices/sites under it.
Click a button to apply the rule to that entity and the entities
under it. The buttons filter the System – all tenants option
described above. For example, if you want the rule to be applied
to all tenants but only to devices under all tenants, click the
Devices button. Next to 'Attachments' you'll then view:
0 Tenant/s, 0 Region/s, all Device/s, 0 Link/s, 0 Site/s
If you click the View link, you'll view all tenants and all devices
under them displayed in a collapsed tree. After expanding the
tree and selecting specific entities, 'All Devices' will change to n
devices as follows:
- 14 -
CHAPTER5 Fault Management
ParameterDescription
OVOC | Integration with Northbound Interfaces
3. Click OK or optionally click the Rule Conditions tab.
- 15 -
CHAPTER5 Fault Management
Figure 5-3:Alarms – Forwarding – Rule Conditions
OVOC | Integration with Northbound Interfaces
4. Configure using the table below as a reference:
Determines the format in which the alarm or event will be
forwarded.
From the dropdown, select
■ SNMP
- 18 -
CHAPTER5 Fault Management
ParameterDescription
7. Select SNMP. Configure the parameters that are displayed using the table below as a
reference.
Table 5-4: Forwarding Alarms - Destination - SNMP
ParameterDescription
OVOC | Integration with Northbound Interfaces
■ MAIL
■ SYSLOG
Destination Host
IP Address
Enter the destination NMS host IP address to which to forward
alarms. Make sure you receive the alarms and events in the specified
IP address on the port specified below.
Destination Host
Port
Enter the destination host port to which to forward alarms. Make
sure you receive the alarms and events on the specified port in the IP
address specified above.
In the 'Destination Host port' field, enter the port number of the
destination host (the default SNMP port for trap reception is 162).
SNMP v2/SNMP
v3
Select either SNMP v2 or SNMP v3. Default: SNMP v3. Forwards only
those alarms that are in the format of the SNMP version you select.
Note: ensure that you configure identical SNMPv2 or SNMPv3
account details on the NMS.
Trap Community[Only available if SNMP v2 is selected above].
Note: OVOC by default sends SNMPv2c traps with the field 'SNMPv2c
Trap Community' set to public.
Security NameEnter the name of the operator.
Security LevelFrom the dropdown select either:
■ No security
■ Authentication
■ Authentication & Privacy
See the table below for OVOC-Syslog mapping.
Authentication
Protocol
Only available if you select Authentication or Authentication &
Privacy from the list above. Select either:
■ No Protocol
■ MD5
■ SHA
- 19 -
CHAPTER5 Fault Management
ParameterDescription
OVOC | Integration with Northbound Interfaces
Authentication
Key
Privacy ProtocolFrom the drop-down list, select the SNMP v3 operator's privacy
Only available if you select MD5 or SHA from the list above.
protocol.
■ None
■ DES
■ AES-128
Privacy KeyEnter the privacy key. Keys can be entered in the form of a text
password or long hex string. Keys are always persisted as long hex
strings and keys are localized.
Forwarding Alarms Directly from Devices to NMS
Alarms are forwarded directly from the network element to the NMS over SNMPv2 or SNMPv3.
On the managed devices, configure the NMS Trap Destination and identical SNMPv2 or
SNMPv3 account settings. On the NMS, also configure identical SNMPv2 or SNMPv3 account
settings. If you wish to forward alarms directly from devices to the NMS; however, forward
alarms from the other network elements via the OVOC server, then you can configure the
alarm forwarding rules accordingly as described in Alarms and Events Forwarding to the NMS.
Alarm Aggregation
An aggregated list of alarm notifications can be forwarded from OVOC in a batch in a single
email with the alarm filter settings according to the Forwarding rule. "Max number of alarms to
aggregate in single Email" sets the maximum number of alarms to aggregate into a single mail
and "Email alarms aggregation time interval (seconds)" sets the time interval between sending
the batch of alarms. For example, if the number of alarms to aggregate is set to 10, the time
interval is set to 60 seconds and then after 60 seconds there are only 5 alarms raised according
to the forwarding rule, then 5 alarms are forwarded.
Examples of Aggregated Alarms
The following shows examples of alarm alerts that are sent from OVOCto an NMS.
Alarms are separated by ***** Info****
Subject: OVOC received 10 new alarms
***** Event Info *****
Alarm Name: OVOC server Started
Date & Time: 1:12:54 PM Aug 8, 2018
- 20 -
CHAPTER5 Fault Management
Source: OVOC Mgmt
Source Description:
Severity: major
Unique ID: 0
Alarm Type: communicationsAlarm
Alarm Probable Cause : other
Description: Server Startup
Additional Info 1:
Additional Info 2:
Additional Info 3:
***** System Info *****
System Name: OVOC Mgmt
OVOC | Integration with Northbound Interfaces
System IP Address: 172.17.118.148
******************************
***** Alarm Info *****
Alarm Name: License Pool Infra Alarm
Date & Time: 12:13:03 PM Aug 6, 2018
Source: Board#1
Source Description:
Severity: clear
Unique ID: 12
Alarm Type: communicationsAlarm
Alarm Probable Cause : keyExpired
Description: Alarm cleared: License Pool Alarm. Device was unable to access the License Server.
Additional Info 1:
Additional Info 2:
Additional Info 3:
***** Device Info *****
Device Name: 172.17.118.51
Device Tenant: Eran
Device Region: Tel Aviv
Device IP Address: 172.17.118.51
- 21 -
CHAPTER5 Fault Management
Device Type: Mediant 500 MSBR
Device Serial: 5856696
Device Description:
Alarm Forwarding Data Formats
The table below describes the data format for the MIBfields that are forwarded to Northbound destinations.
MIB NameDescription
OVOC | Integration with Northbound Interfaces
Table 5-5: Data Fields for Alarm Forwarding
Name (1)
TextualDescription(2)
Source (3)
Severity (4)
■ Integer 0..1000
■ The Alarm/event number as listed by product (usually
matches the last digit in the trap OID)
■ OCTET STRING 0..200
■ Summary of the reported issue that is sent in acEMSTrapG-
lobalsTextualDescription varbind
■ OCTET STRING 0..255
■ (Devices + OVOC: currently defined as 0..100)
■ The entity source of the problem, usually in the following
format:
✔ Trunk#1
✔ SEM/Link#2
✔ Entity1#x/Entity2#y/Entity3#z
■ cleared(0)
UniqID (5)
■ indeterminate(1)
■ warning(2)
■ minor(3)
■ major(4)
■ critical(5)
■ Integer 0..32000
■ The running number of alarms since the installation of the
OVOC instance.
■ The value of this number should be managed by the
- 22 -
CHAPTER5 Fault Management
MIB NameDescription
OVOC | Integration with Northbound Interfaces
system separately for alarms and events.
■ The OVOC application uses this number to recognize if
alarms were missed and to retrieve them using the Carriergrade system.
■ The forwarded information includes OVOC alarms
sequencing for NMS carrier-grade alarms: where the
running number events: always -1
Type (6)
ProbableCause (7)
■ other(0)
■ communicationsAlarm(1)
■ qualityOfServiceAlarm(2)
■ processingErrorAlarm(3)
■ equipmentAlarm(4)
■ environmentalAlarm(5)
■ integrityViolation(6)
■ operationalViolation(7)
■ physicalViolation(8)
■ securityServiceOrMechanismViolation(9)
■ timeDomainViolation(10)
■ other(0)
■ adapterError(1)
■ applicationSubsystemFailure(2)
■ bandwidthReduced(3)
■ callEstablishmentError(4)
■ communicationsProtocolError(5)
■ communicationsSubsystemFailure(6)
■ configurationOrCustomizationError(7)
■ congestion(8)
■ corruptData(9)
■ cpuCyclesLimitExceeded(10)
■ dataSetOrModemError(11)
- 23 -
CHAPTER5 Fault Management
MIB NameDescription
OVOC | Integration with Northbound Interfaces
■ degradedSignal(12)
■ dteDceInterfaceError(13)
■ enclosureDoorOpen(14)
■ equipmentMalfunction(15)
■ excessiveVibration(16)
■ fileError(17)
■ fireDetected(18)
■ floodDetected(19)
■ framingError(20)
■ heatingVentCoolingSystemProblem(21)
■ humidityUnacceptable(22)
■ inputOutputDeviceError(23)
■ inputDeviceError(24)
■ lanError(25)
■ leakDetected(26)
■ localNodeTransmissionError(27)
■ lossOfFrame(28)
■ lossOfSignal(29)
■ materialSupplyExhausted(30)
■ multiplexerProblem(31)
■ outOfMemory(32)
■ ouputDeviceError(33)
■ performanceDegraded(34)
■ powerProblem(35)
■ pressureUnacceptable(36)
■ processorProblem(37)
■ pumpFailure(38)
■ queueSizeExceeded(39)
■ receiveFailure(40)
■ receiverFailure(41)
- 24 -
CHAPTER5 Fault Management
MIB NameDescription
OVOC | Integration with Northbound Interfaces
■ remoteNodeTransmissionError(42)
■ resourceAtOrNearingCapacity(43)
■ responseTimeExecessive(44)
■ retransmissionRateExcessive(45)
■ softwareError(46)
■ softwareProgramAbnormallyTerminated(47)
■ softwareProgramError(48)
■ storageCapacityProblem(49)
■ temperatureUnacceptable(50)
■ thresholdCrossed(51)
■ timingProblem(52)
■ toxicLeakDetected(53)
■ transmitFailure(54)
■ transmitterFailure(55)
■ underlyingResourceUnavailable(56)
■ versionMismatch(57)
■ authenticationFailure(58)
■ breachOfConfidentiality(59)
■ cableTamper(60)
■ delayedInformation(61)
■ denialOfService(62)
■ duplicateInformation(63)
■ informationMissing(64)
■ informationModificationDetected(65)
■ informationOutOfSequence(66)
■ intrusionDetection(67)
■ keyExpired(68)
■ nonRepudiationFailure(69)
■ outOfHoursActivity(70)
■ outOfService(71)
- 25 -
CHAPTER5 Fault Management
MIB NameDescription
OVOC | Integration with Northbound Interfaces
■ proceduralError(72)
■ unauthorizedAccessAttempt(73)
■ unexpectedInformation(74)
AdditionalInfo1 (8)
■ OCTET STRING 0..255
■ (Devices + OVOC: currently defined as 0..100)
This field is used by the system to provide additional
information regarding the reported alarm/event.
AdditionalInfo2 (9)
■ OCTET STRING 0..255
■ (Devices + OVOC: currently defined as 0..100)
This field is used by the system to provide additional
information regarding the reported alarm/event.
AdditionalInfo3 (10)
■ OCTET STRING 0..255
■ This field is used be the system to provide additional
information regarding the reported alarm/event
■ The forwarded information is filled in the following format:
■ Tenant: <Tenant Name> - exists only when the entity has
tenant
■ Region: <Region Name> - exists only when the entity has
region
■ OCTET STRING 0..255
■ (Devices + OVOC: currently defined as 0..100)
■ This field should not be filled by any of the products, as its
reserved for OVOC when the alarm/event is forwarded.
The information is filled in the following format:
■ Until Version 7.4:
MG Type: <Device Type>, MG Serial: <primary device serial number>, <secondary device serial number>
<secondary device serial number> is applicable for HA devices
only
■ Until Version 7.6:
DeviceDescription(15)
Device Type: <Device Type>
Empty if entity not a device
■ OCTET STRING 0..255
■ This field should not be filled by any of the products, as its
reserved for OVOCwhen the alarm/event is forwarded.
The information is filled in the following format:
- 27 -
CHAPTER5 Fault Management
MIB NameDescription
OVOC | Integration with Northbound Interfaces
<Device Description> OR <SBA Description>
<SBA Description> is provisioned in the device details under SBA
definition rubric.
A free text description field can also be globally configured in
the OVOCServer Configuration page (System > Administration
> OVOC Server > Configuration)for all OVOC System alarms.
This text is then sent to trap destinations in alarm forwarding in
the varbind acEMSTrapGlobalsDeviceDescription field for all
system alarms. For example, OVOC Disk Space alarm.
The hard-coded text description of the alarm that is
sent in the TextualDescription (2) acEMSTrapGlobalsTextualDescription varbind (see above) is a
separate description field that is different for each
alarm OID.
SystemSerialNumber
(16)
From Version 7.6:
OCTET STRING 0..255
The information is filled in the following format:
■ For Stand-alone systems:<Device serial number>
■ For HASystems:format <device serial #1>_<device serial
#2>)
Device Serial Number (displays either 32-bit and 64-bit serial
numbers for SBC devices) according to the device's firmware
version and configuration settings in the
externals/configurationProperties/generalConfig file for the
include_serial_string.
OVOC Server Alarm Settings
This section describes the global alarm settings on the OVOC server.
Alarms Automatic Clearing (on Startup)
The Active Alarms page is cleared of all the current alarms for a specific device upon system GW
startup (cold start event). Critical, Major, Minor, Warning or Info alarms are automatically
cleared from the Active Alarms Page (and transferred to the Alarms History page) when a Clear
alarm is generated by the same entity (source) and the same device. This feature prevents
older alarms from congesting the Active Alarms page. This feature is configured in the Alarms
page (System tab > Configuration > Alarms).
- 28 -
CHAPTER5 Fault Management
Alarms Automatic Clearing Period (Days)
The operator can also configure the automatic clearing of Active alarms (disabled by default)
according to a time period. When the Automatic Clearing feature is enabled, alarms are cleared
by default every 30 days.
When the OVOC application performs automatic clearing, it moves the cleared Alarms to the
Alarms History page with the text indication 'Automatic Cleared'. This feature is configured in
the Alarms page (System tab > Configuration > Alarms).
Events Clearing Mechanism
Events are informative messages for OVOC and device actions (usually with low severity).
Device events (originating from the device) are automatically cleared from the Active Alarms
page upon GW startup (cold start event); however, device events originating in the OVOC (e.g.
adding a gateway) are not cleared upon device reset. The OVOC consequently employs a
mechanism to automatically clear these events from the Alarms page (by default this feature is
enabled and events are cleared every three days). This feature prevents old events from
congesting the Active Alarms page. When automatic clearing is performed, the cleared Events
are moved to the Alarm History page with the text indication 'Automatic Cleared'. This feature
is configured in the Alarms page (System tab > Configuration > Alarms).
OVOC | Integration with Northbound Interfaces
Alarm Suppression Mechanism
This option enables the generating of the 'Alarm Suppression' alarm when the OVOC server
identifies that the number of alarms of the same type and from the same source, generated in
a time period, is greater than the number defined in the threshold. At this point, these alarms
are not added to the database and are not forwarded to configured destinations. This feature
is configured in the Alarms page (System tab > Configuration > Alarms).
Alarms Sequence Numbering
1. When receiving alarms directly from the devices and endpoints:
●These alarms and events have a different scala of sequence numbers. These sequence
numbers are placed at 'TrapGlobalsUniqID' varbindings (respectively
'tgTrapGlobalsUniqID', 'acBoardTrapGlobalsUniqID').
●OVOC alarms have a sequence number scala. Events are always sent with
'acEMSTrapGlobalsUniqID -1'.
2. When the OVOC server forwards device and OVOC alarms:
●Cold Start Trap is the only standard event that is forwarded by the OVOC application.
All other standard events are not forwarded.
●Each one of the alarms and events are forwarded with the original Notification OID
and variable bindings OIDs.
- 29 -
CHAPTER5 Fault Management
●The original content of 'TrapGlobalsUniqID' varbinding (respectively
'tgTrapGlobalsUniqID', 'acBoardTrapGlobalsUniqID' and 'acEMSTrapGlobalsUniqID') is
updated as follows:
◆For all the forwarded events, the 'TrapGlobalsUniqID' is set to -1.
◆For all the forwarded alarms, the original 'TrapGlobalsUniqID' is replaced with the
OVOC sequence number, allowing the NMS to follow the forwarded alarms
sequencing. The original device 'TrapGlobalsUniqID' is applied to
'TrapGlobalsAdditionalInfo3' varbinding.
◆For all the forwarded alarms and events, 'TrapGlobalsAdditionalInfo3' varbinding
(respectively 'tgTrapGlobals AdditionalInfo3', 'acBoardTrapGlobals
AdditionalInfo3' and 'acEMSTrapGlobals' 'AdditionalInfo3') is updated as follows:
original device IP address and device 'TrapGlobalsUniqID' in the following format:
GATEWAY_IP:x ,GATEWAY_TRAP_ID:y
A carrier-grade alarm system is characterized by the following:
OVOC | Integration with Northbound Interfaces
■ Active Alarms
The device can determine which alarms are currently active by maintaining an Active
Alarms table. When an alarm is raised, it is added to the active alarms list. Upon alarm
clearing, it is removed from the active alarms list.
The maximal size of the active alarms for each of the product is shown in the table below:
Table 5-6: Maximum Active Alarms according to Device
When the active alarms list exceeds its maximum size, an enterprise Active Alarms
Overflow alarm is sent to the Management system.
- 30 -
CHAPTER5 Fault Management
●The device sends a cold start trap to indicate that it is starting up. This allows the
management system to synchronize its view of the device's active alarms.
●Two views of active alarms table are supported by devices:
◆Standard MIB: alarmActiveTable and alarmActiveVariableTable in the IETF ALARM
MIB for all the devices.
◆Enterprise MIB:
n acActiveAlarmTable in the AC-ALARM-MIB mib for devices products.
n AudioCodes.acProducts.acEMS.acEMSConfiguration.acFaults (see SNMP
■ History Alarms
The device allows the recovery of lost alarm raise and clear notifications by maintaining a
log history alarms table. Each time an alarm-type trap (raise or clear) is sent, the CarrierGrade Alarm System adds it to the alarms history list. The trap contains a unique
Sequence Number. Each time a trap is sent, this number is incremented. The device allows
detection of lost alarms and clear notifications by managing an alarm sequence number
and displaying the current number.
OVOC | Integration with Northbound Interfaces
Alarms Synchronization below).
The maximal size of the history alarms table is defined as follows:
Table 5-7: Maximum Active Alarms according to Device
When the history alarm list exceeds its maximum size, it starts overriding the oldest
alarms in the list in cyclic order.
●The following views of log history alarms table are supported by the devices:
◆Standard MIB: 'nlmLogTable' and 'nlmLogVariableTable' in the NOTIFICATION-
LOG-MIB for all the devices.
◆Enterprise MIB:
- 31 -
CHAPTER5 Fault Management
n acAlarmHistoryTable in the 'AC-ALARM-MIB mib' for CPE and MP products.
SNMP Alarms Synchronization
A carrier-grade alarm system provides a reliable alarm reporting mechanism that takes into
account Operations Center system or network layer outages, and transport layer outages,
such as SNMP over UDP. During such outages, alarms may be raised, however not forwarded.
This mechanism is implemented at SNMP agent level, and serves OVOC, NMS, or higher level
management system synchronization. During the OVOC server synchronization process, the
OVOC server can recover such missed alarms from its database (events are not synchronized)
and then forward them to the NMS according to the following:
■ History alarms: By default, synchronization is performed with the Alarms History table.
When only a partial Alarms History table is retrieved from the OVOC server database, the
OVOC server notifies the user with one of the following events: 'Synchronizing Alarms
Event' and 'Synchronizing Active Alarms Event'. For more information, see the OVOC
Alarms Guide.
■ Active alarms: By default, synchronization is not performed with the Active Alarms table;
however, a mechanism can be implemented to perform random synchronization of this
table (see below).
OVOC | Integration with Northbound Interfaces
Resynchronization (Resync) Mechanism
The Resync mechanism enables you to perform random requests to retrieve the Active alarms
table when there are network problems (as described above) or a discontinuation of the alarm
sequence is detected.
This feature implements an SNMP agent on the OVOC server with the MIB AudioCodes.acProducts.acEMS.acEMSConfiguration.acFaults with the following fields:
Each SNMP message should be processed in the order shown in the table above
When the acFaultsFwdUpdate field is set to 1, the SNMP agent reads the acFaultsFwdHostIp &
acFaultsFwdHostPort fields and searches for all active SNMP Alarm Forwarding rules according
to the configured ‘Destination Host IP Address’ and ‘Destination Host Port’. It then resends all
the current Active alarms according to SNMPv2/SNMPv3 account credentials and the other
- 32 -
CHAPTER5 Fault Management
criteria defined in the rule. If a specific rule is not active (Enable/Disable check box is clear),
then alarms are not sent to this destination.
●The acFaultsFwdHostIp & acFaultsFwdHostPort parameters should be re-set
each time after the Resync action is performed (they are set to default after each
Resync action).
●The OVOC SNMP agent supports only SNMPv2 get/set commands. However,
alarms can still be forwarded when configured with either SNMPv2 or SNMPv3
credentials in the alarm forwarding rule definition.
●The SNMP port used for this SNMP agent may be configured using the EMS
Server Manager (Network Configuration > SNMP Agent > SNMP Agent Listener
Port), instead of using the standard SNMP port number (161).
●When the SNMP agent is restarted, the acFaultsFwdHostIp &
acFaultsFwdHostPort parameters need to be reset.
●The Resync feature is applicable only for alarms and is not relevant for events.
The figure below illustrates the Resync flow process:
OVOC | Integration with Northbound Interfaces
Figure 5-5:Resync Flow
The following steps describe the flow illustrated in the figure above:
1. The NMS executes SNMP SET to acFaultsFwdHostIp & acFaultsFwdHostPort
2. The NMS executes SNMP SET to acFaultsFwdUpdate to 1 (acFaultsFwdHostIp &
acFaultsFwdHostPort & acFaultsFwdUpdate are & set back to 0 automatically).
3. The OVOC server responds confirming successful SNMP SET.
4. The OVOC server finds all relevant Alarm Forwarding rules by acFaultsFwdHostIp &
acFaultsFwdHostPort.
5. The OVOC server sends an event regarding the start of re-sending of all active alarms
(acOvocReSyncEvent 1.3.6.1.4.1.5003.9.20.3.2.0.58) with Severity Indeterminate and
'TrapGlobalsUniqID' set to -1.
6. The OVOC server resends all active alarms according to the configured forwarding rules.
7. The OVOC server sends an event informing the end of resynchronization with Severity
clear and 'TrapGlobalsUniqID' set to -1.
- 33 -
CHAPTER5 Fault Management
●Alarms are not cleared from the Active alarms table when the OVOC server is
reset.
●When a device is deleted or removed from the OVOC Web client, its active alarms
are also removed from the Active Active alarms table.
●Alarms are forwarded in the sequence order that they were received on the OVOC
server.
●SNMP traps are sent from source port 1164-1174 on the OVOC server.
●The Resync operation can be performed on up to three simultaneously active
SNMP forwarding rules.
●The Resync operation can send up to 5000 of the last received alarms.
●New alarms raised during the Resync operation are also forwarded.
●There can be up to two concurrent Resync processes. If more than two processes
are simultaneously active i.e. more than two users are concurrently attempting to
perform this operation, then all the additional attempts (greater than two) fail and an
error is sent to the log file (see below).
●Resync operation log failures are written to the log ‘alarmsReSync.csv’
(/var/log/ems).
OVOC | Integration with Northbound Interfaces
OVOC Keep-alive
You can configure the OVOC to generate SNMP Keep-alive traps toward the SNMP destination.
When the “OVOC Keep-Alive” check box is checked, this trap is sent from the OVOC to a
configured destination according to a configured interval (default 60 seconds). You can send
the Keep-alive trap to the desired SNMP destination, according to an existing configured
forwarding destination rule.
➢ To configure OVOC Keep-alive:
1. In the OVOC Web menu, open the Alarms page (System > Configuration > Alarms).
- 34 -
CHAPTER5 Fault Management
OVOC | Integration with Northbound Interfaces
Figure 5-6:OVOC Keep-alive
2. Select the OVOC Keep-Alive check box.
3. Open the Alarm Forwarding Rule page (Alarms > Forwarding); the Alarm Forwarding Rules
Configuration window is displayed:
Figure 5-7:Alarm Forwarding Configuration
4. Select the SNMP forwarding rule and then click Edit.
- 35 -
CHAPTER5 Fault Management
OVOC | Integration with Northbound Interfaces
Figure 5-8:Alarms Forwarding Rule Dialog
5. Ensure that the ‘Enable/Disable Rule’ check box is selected for each destination that you
wish to forward the OVOC Keep-alive trap.
6. In the Alarm Names pane, click the Alarms Filter and ensure that the "OVOC Keep-Alive"
alarm is selected.
- 36 -
CHAPTER5 Fault Management
OVOC | Integration with Northbound Interfaces
Figure 5-9:Destination Rule Configuration
Status / State Management via Devices SNMP Interface
For details regarding supported SNMP MIBs, refer to the SNMP Reference Guide for Gateways-
SBCs-MSBRs.
- 37 -
CHAPTER6 Voice Quality Reports
6Voice Quality Reports
Both template and custom Voice Quality reports can be generated for devices, links and URIs
for Tenants, Regions and Elements. You can export the report's definitions to JSONformat
from the Reports screen in the OVOC Web interface. The figure below shows an example of an
exported JSONfile.
The generation of customized Voice Quality Reports requires a license. For more
information, contact your AudioCodes representative.
OVOC | Integration with Northbound Interfaces
- 38 -
CHAPTER6 Voice Quality Reports
OVOC | Integration with Northbound Interfaces
Figure 6-1:Voice Quality Reports
- 39 -
CHAPTER6 Voice Quality Reports
You can also save the output of the run reports to a CSV or PDF file.
OVOC | Integration with Northbound Interfaces
Figure 6-2:Run Report
- 40 -
CHAPTER7 OVOC Server Backup and Restore
OVOC | Integration with Northbound Interfaces
7OVOC Server Backup and Restore
There are four main backup processes that run on the OVOC server:
■ Weekly backup: runs once a week at a pre-configured date & time (default is Saturday
02:00). In this process, the whole database is backed up into several “RMAN” files that are
located in /data/NBIF/emsBackup/RmanBackup directory. In addition, several other
configuration and software files are backed up to the archive file emsServerBackup_
<version>_<time&date>.tar in the /data/NBIF/emsBackup directory. In general, this TAR
file contains the entire /data/NBIF directory’s content, with the exception of the
'emsBackup' directory, OVOC Software Manager content and server_xxx directory
content.
To change the weekly backup’s time and date, refer to Section "Change Schedule Backup
Time" in the OVOC IOM.
■ Daily backup: runs daily except on the day scheduled for the weekly backup (see above).
The daily backup process backs up the last 24 hours. There are no changes in the TAR file
in this process.
■ Cassandra backup: runs daily (runs prior to the above) and backs up the last 24 hours to
the archive file cassandraBackup_<version>_<date>_<snapshotId>_<Role>_
numberOfNodes.tar.gz. When working in Service Provider Cluster, backup of the cluster
node servers (VQMand PM) is performed on the Management server. Cassandra backup
files are generated separately for both the VQM and PMserver and must be copied
separately to the respective server node machine (see below
■ Configuration backup: runs daily and backs up to the archive file ovocConfigBackup_
<version>_<time&date>.tar.gz
Daily and weekly backups run one hour after the Cassandra backup. For example, if the
backup time is 2:00, the Cassandra backup runs at 2:00 and the Weekly/Daily and Configuration backups runs at 3:00.
●The Backup process does not backup configurations performed using EMS Server
Manager, such as networking and security.
●RmanBackup files are deleted during the OVOC server upgrade.
●It is highly recommended to maintain all backup files on an external machine.
These files can be transferred outside the server directly from their default location
by SCP or SFTP client using 'acems' user.
Backup OVOC Server
➢ to backup the OVOCserver:
1. Copy the following backup files to an external machine:
1. In the EMS Server Manager, choose the Restore option.
2. Install (or upgrade) OVOC to the same version from which the backup files were created.
The Linux version must also be identical between the source and target machines.
3. Use the EMS Server Manager to perform all the required configurations, such as
Networking and Security, as was previously configured on the source machine.
4. Make sure all server processes are up in EMS Server Manager / Status menu and the
server functions properly.
5. Copy all the files you backed up to /data/NBIF directory by SCP or SFTP client using the
'acems' user. Overwrite existing files if required.
6. Choose one of the following options:
●Configuration Restore:Restores OVOC topology and OVOC Web configuration
●Full Restore: Restores OVOC topology, OVOCWeb configuration and data that is
retrieved from managed devices.
For more information, refer to Section "OVOC Server Restore"in the OVOC IOMmanual.
When operating in Service Provider Cluster:
●The restore cluster should be with identical system specifications as the backed
up server i.e. the same number of VQM/PM servers.
- 42 -
CHAPTER7 OVOC Server Backup and Restore
●Following restore, restart slaves and then wait up to 24 hours for Cassandra DB
data(call details and PM details) to synchronize on all servers.
OVOC | Integration with Northbound Interfaces
- 43 -
CHAPTER8 Data Analytics API
8Data Analytics API
The Analytic API Voice Quality license enables access to specially designed views with selected
data from the OVOC database for the purpose of integration with Northbound third-party
interfaces. Customers can connect to the OVOC database using third-party DB access clients
and retrieve topology and statistics. This data can then be used in management interfaces
such as Power BI and Splunk to generate customized dashboards, reports and other
representative management data. Customers can combine data from AudioCodes OVOC and
enterprise voice or third-party data monitoring tools such as HPOpenView for data such as the
following:
■ Receive Alerts from HPOpenView
■ Calls tariffs
■ Data layer statistics
■ User information from corporate directory
OVOC | Integration with Northbound Interfaces
The following data is accessible from OVOC (details of retrieved DB tables are shown below):
■ Network Topology including Tenants, Regions, Devices, Non-ACL Devices, Links
■ QoE Statistics including Calls, Nodes and Links Summaries
■ Active and History Alarms
Adedicated DBoperator("Analytics")is used for securing connection to the OVOC server over
port 1521. This port must be open on the customer firewall once this feature is enabled (for
more details, refer to the OVOC IOM).
●Multi-Tenancy is not supported for this feature.
●All data is read-only.
●Data is retrieved for the last 24 hours; it's recommended to synchronize daily with
the OVOC database, save this data to an external server and then run the
Analytics tool on this server.
●Backup and restore is not applicable for this feature.
➢ To connect to the OVOC server:
1. Open your DBaccess client.
2. Configure the following parameters:
●OVOC server IPaddress
●OVOC server port: 1521
●Username:Analytics
●Service Name:DBEMS
An example databaseschema retrieved from an access client is displayed below:
- 44 -
CHAPTER8 Data Analytics API
The following OVOC database tables are retrieved (for details, see Data Analytics API Database
Tables):
■ Main Table Views:
●View Name: NODES_VIEW
●View Name: LINKS_VIEW
OVOC | Integration with Northbound Interfaces
Figure 8-1:Example Database schema
●View Name: CALLS_VIEW
●View Name: ALARMS_VIEW
●View Name: NODES_SUMMARY_VIEW
●View Name: LINKS_SUMMARY_VIEW
■ Type Views:
●Type Name: DisableEnableType
●Type Name: MGType
●Type Name: ItuPerceivedSeverity
●Type Name: ConnectionType
●Type Name: MismatchType
●Type Name: SemConnectionState
●Type Name: StatusType
●Type Name: VQThresholdStatus
●Type Name: SipMessageStatusType
●Type Name: NoYesType
●Type Name: NetworkState
●Type Name: ManagedType
●Type Name: FailSuccessType
●Type Name: BackupStatusType
●Type Name: ItuEntityAdministrativeState
- 45 -
CHAPTER8 Data Analytics API
●Type Name: AlarmStatusType
●Type Name: AlarmNameType
●Type Name: QualityLevelType
●Type Name: CallCauseType
●Type Name: CallOriginatorType
●Type Name: TerminationReasonType
●Type Name: TerminationReasonDetailsType
●Type Name: MediaType
●Type Name: EndpointType
●Type Name: CallSourceType
●Type Name: PstnTermReasonType
●Type Name: LinkType
OVOC | Integration with Northbound Interfaces
●Type Name: LinkDirection
- 46 -
CHAPTER9 Security
9Security
The following aspects are relevant for the NMS application when integrating the OVOC and the
managed device:
■ Network Communication Protocols (see below)
■ OVOC Users Management (Authentication and Authorization) (see OVOC User Identity
Management)
■ HTTPS Connection (see HTTPS Connection )
For detailed information, refer to the OVOC Security Guidelines document.
Network Communication Protocols
OVOC | Integration with Northbound Interfaces
The following describes the different OVOC network communication protocols:
■ OVOC client - server communication is secured using an HTTPS tunnel with a single HTTPS
port.
■ OVOC server – managed devices communication can be secured as follows:
●Devices:
◆SNMPv3 for Maintenance Actions and Faults Management
◆HTTPS for file transfer and for Single Sign-to the managed device
■ OVOC server secure access:
●Secure access to the OVOC server machine is possible via SSH and SFTP protocols for
performing maintenance actions and accessing files.
●SNMPv3 traps can be forwarded from the OVOC server machine to another SNMP
Trap Manager.
●OVOC User Authentication and Authorization is performed either via the OVOC
Application local database, or via a centralized user database on RADIUS, LDAP or
Microsoft Azure (see OVOC User Identity Management) according to the Security
profile configured by the OVOC Administrator.
●Syslog messages and emails sent from the OVOC server to a northbound interface
are not secured.
●Single sign-on is not supported for devices located behind a NAT, unless the Cloud
Architecture feature is enabled, in which case, SBC device connections can be
secured over an HTTP/S Tunnel Overlay network (refer to the IOMmanual and the
Security Guidelines for more information).
●An SSH connection from the OVOC server to the device is not supported.
- 47 -
CHAPTER9 Security
OVOC User Identity Management
By default, OVOC users are managed in the OVOC server's local database. Users can also be
managed via a centralized RADIUS or LDAP server or using Microsoft Azure. The figure below
illustrates these options.
OVOC | Integration with Northbound Interfaces
Figure 9-1:OVOC User Management
■ For information on the local OVOC users database, refer to the OVOC User’s Manual
■ For OVOC user authentication with RADIUS server, see Authentication and Authorization
using a Radius Server
■ For OVOC user authentication with LDAPserver, see Authentication and Authorization
using an LDAP Server
■ For OVOC user authentication with Microsoft Azure, see Authentication and Authorization
using Microsoft Azure
Authentication and Authorization using a Radius Server
Customers may enhance the security and capabilities of logging into the OVOC application by
using a Remote Authentication Dial-In User Service (RADIUS) to store numerous usernames,
passwords and access level attributes. This feature allows multiple user management on a
centralized platform. RADIUS (RFC 2865) is a standard authentication protocol that defines a
method for contacting a pre-defined server and verifying a given name and password pair
against a remote database in a secure manner.
- 48 -
CHAPTER9 Security
When accessing the OVOC application, users must provide a valid username and password of
up to 128 Unicode characters. OVOC doesn’t store the username and password; however,
forwards them to the pre- configured RADIUS server for authentication (acceptance or
rejection). If the login attempt to the RADIUS server fails, OVOC attempts to connect with the
same credentials to the local database. An additional fallback mechanism 'Combined
Authentication Mode' can also be implemented (for information, refer to the OVOC User's
Manual)
OVOC supports the provisioning of up to three Radius servers for redundancy purposes.
When the first server does not respond, the OVOC proceeds to the second server, and then to
the third server. OVOC will always start working with the previously responded server that is
indicated as the Current Active Radius servers.
Configuring Radius Server Client
This section describes an example of a RADIUS server configuration. You must configure the
OVOC server as a RADIUS client to perform authentication and authorization of OVOC users
using the RADIUS server from the OVOC application.
OVOC | Integration with Northbound Interfaces
The example configuration is based on FreeRADIUS, which can be downloaded from the
following location: www.freeradius.org. Follow the directions on this site for information on
installing and configuring the server.
If you use a RADIUS server from a different vendor, refer to the appropriate vendor
documentation.
➢ To set up OVOC RADIUS client using FreeRADIUS:
1. Define the OVOC server as an authorized client of the RADIUS server with a predefined
'shared secret' (a password used to secure communication) and a 'vendor ID'. The figure
below displays an example of the file 'clients.conf' (FreeRADIUS client configuration).
Example of the File clients.conf (FreeRADIUS Client Configuration)
2. If access levels are required, set up a VSA dictionary for the RADIUS server and select an
attribute ID that represents each user's access level. The following example shows a
dictionary file for FreeRADIUS that defines the attribute 'ACL-Auth-Level' with ID=35.
Example of a Dictionary File for FreeRADIUS (FreeRADIUS Client Configuration)
#
# AudioCodes VSA dictionary
#
- 49 -
CHAPTER9 Security
VENDOR AudioCodes 5003
ATTRIBUTE ACL-Auth-Level 35 integer AudioCodes
VALUE ACL-Auth-Level ACL-Auth-Monitor 50
VALUE ACL-Auth-Level ACL-Auth-Operator 100
VALUE ACL-Auth-Level ACL-Auth-Admin 200
3. In the RADIUS server, define the list of users who are authorized to use the device, using
one of the password authentication methods supported by the OVOC server
implementation. The following example shows a user configuration file for FreeRADIUS
using a plain-text password.
Example of a User Configuration File for FreeRADIUS Using a Plain-Text Password
# users - local user configuration database
john Auth-Type := Local, User-Password == "qwerty"
4. Record and retain the IP address, port number, 'shared secret', vendor ID and VSA access
level identifier (if access levels are used) used by the RADIUS server.
5. Provision the relevant OVOC parameters according to the section below.
Configuring RADIUS Server
You can centrally configure authentication of OVOC operators using a RADIUS (Remote
Authentication Dial-In User Service) server. If you already have centralized user authentication
via a RADIUS server, it's recommended to implement it for OVOC operators as well. When the
RADIUS-authenticated operator logs into OVOC, they're assigned one of the OVOC security
levels, for example - 'Operator'. If it's not defined on the RADIUS server, OVOC by default
allows access for the RADIUS-authenticated operator, with 'Operator' permission.
➢ To configure using a RADIUS server.
1. In the OVOC Web, open the RADIUS Authentication Settings page (System tab > Security >
Authentication), and then from the Authentication Type drop-down list, select RADIUS.
- 50 -
CHAPTER9 Security
Figure 9-3:
OVOC | Integration with Northbound Interfaces
Figure 9-2:RADIUS Authentication and Authorization
2. For each one of the three RADIUS servers, define the IP address, port and Secret. Note,
that at least one RADIUS server must be provisioned.
These parameters will be used for each of the Radius Servers.
4. Configure other parameters as required according to your RADIUS server configuration.
For more information, refer to the OVOC User's Manual.
Authentication and Authorization using an LDAP Server
Authentication of OVOC operators can be centrally configured using a Lightweight Directory
Access Protocol (LDAP) server. If you already have centralized user authentication via an LDAP
server, it's recommended to implement it for OVOC operators as well. When an LDAPauthenticated operator logs into OVOC, they're assigned one of OVOC's security levels, e.g.,
'Operator'. The equivalent names for these security levels on the LDAP server are displayed in
the screen below. When one of these security levels is not defined on the LDAP server, OVOC
by default allows access to the LDAP-authenticated operator with 'Operator' permissions.
➢ To configure using an LDAP server.
1. In the OVOC Web, open the LDAP Authentication Settings page (System tab > Security >
Authentication), and then from the Authentication Type drop-down list, select LDAP.
- 51 -
CHAPTER9 Security
2. Configure parameters as required (refer to the OVOC User's Manual).
OVOC | Integration with Northbound Interfaces
Figure 9-4:LDAP Authentication and Authorization
Authentication and Authorization using Microsoft Azure
Authentication of OVOC operators can be centrally configured using the Microsoft Azure Active
Directory (AD). If you already have centralized user authentication via Azure AD, it's recommended to implement it for OVOC operators as well. When an Azure-authenticated operator
logs into the OVOC, they're assigned one of OVOC's security levels, e.g., 'Operator'. The equivalent names for these security levels in the Azure AD are displayed in the screen below . When
no security level is configured in the Azure AD, the parameter 'Default Operator Type and
Security Level' in OVOC's Authentication page (when 'Authentication Type' is AZURE) is applied.
➢ To configure authentication of OVOC operators using Azure AD:
1. Open the Authentication page (System > Administration > Security > Authentication), and
then from the 'Authentication Type' drop-down, select AZURE.
Figure 9-5:Azure Authentication
Figure 9-6:
2. Configure parameters are required (refer to OVOCUser's Manual).
- 52 -
CHAPTER9 Security
Step 6 Configuring AudioCodes Azure Active Directory (Operator Authentication)
This procedure describes how to configure security permissions for OVOCoperators who are
authenticated with Azure Active Directory (when the "Azure" authentication type is configured
in the OVOCWeb (Security >Authentication settings page).
➢ To configure Microsoft Azure:
1.Add Service Providers Account Domain:
a. Open the Microsoft 365 Admin Center.
b. Login to AudioCodes with administrator privileges (via office.com).
c. In the Navigation pane, select Setup > Domains
OVOC | Integration with Northbound Interfaces
Figure 9-7:Domains
2. Create a new Tenant in the Azure Portal: Sign into Azure portal as Global Administrator
and extract the Tenant ID of your directory (required for the OVOC Azure authentication
setup in OVOC Azure Configuration).
For details, see https://docs.microsoft.com/en-us/azure/active-
directory/develop/quickstart-create-new-tenant
3.Add Tenant Operators on AudioCodes Microsoft Azure:
●You must change passwords for new users upon first login via Azure portal sign-in
before logging in to OVOC.
●At this stage guest users you invite from another tenants/directories are not fully
A list of existing groups are displayed. Note that there are several predefined custom
security groups that have been predefined for OVOC displayed in the screen below with
‘EMS_’ prefix.
d. Click Add a group.
e. Select the Security option and then click Next.
Figure 9-9:Choose a Group Type
f.Enter the Service Provider Domain account name and then click Next.
- 54 -
CHAPTER9 Security
g. Review and finish adding group.
OVOC | Integration with Northbound Interfaces
Figure 9-10: Setup the Basics
Figure 9-11: Review and Finish
h. Click Create group. A confirmation screen is displayed:
Figure 9-12: New Group Created
- 55 -
CHAPTER9 Security
5.Add New Users:
a. In the Navigation pane, select Active Users.
b. Click Add a User.
c. Enter the details of the Service Provider account user.
OVOC | Integration with Northbound Interfaces
Figure 9-13: Create New User
d. Assign Product License (Choose country).
Figure 9-14: Assign Product Licenses
e. Select option create user without product license and then click Next.
- 56 -
CHAPTER9 Security
f.Click Finish adding.
g. Select option create user without product license and then click Next.
OVOC | Integration with Northbound Interfaces
Figure 9-15: Review and finish
Figure 9-16: Review and Finish
h. Click Finish adding
6.Add User Membership:add user membership to the predefined One Voice Live Security
groups and to the Security Group that you defined above.
a. In the Navigation pane, select Active Users and then select the new user that you
created above.
- 57 -
CHAPTER9 Security
b. Click Manage groups and then Add Membership.
OVOC | Integration with Northbound Interfaces
Figure 9-17: Add User Membership
Figure 9-18: Add Membership
c. Select the checkboxes adjacent to the required OVOC group permissions :
◆EMS_Tenant_Admin_Links
◆EMS_Tenant_Operator_Links
◆EMS_Tenant_Monitor_Links
d. Add membership to the Service Provider Account Group i.e. the Security Group that
you created above.
In the example below membership has been added to the ‘EMS_Operator’ and
‘SouthVoIP’ Group.
- 58 -
CHAPTER9 Security
OVOC | Integration with Northbound Interfaces
Figure 9-19: Add Membership
This Group Name corresponds to the “AD Authentication: Group Name” that is configured for the OVOC Tenant created for this account in OVOC.
e. Click Save and close.
Figure 9-20: Successful Membership Assignment
7.Register new WEB Application: See https://docs.microsoft.com/en-us/azure/active-
directory/develop/quickstart-register-app.
●The Redirect URI step should be configured like WEB and OVOC's login endpoint
should be specified as URI: https://<IP address>/ovoc/v1/security
●Generally for this step you should only keep the Client ID of your application that
you need to specify in OVOC Microsoft Azure authentication setup (see
Authentication and Authorization using Microsoft Azure
8. Create Client Secret for your Registered Application: See
https://docs.microsoft.com/en-us/azure/active-directory/develop/quickstart-configureapp-access-web-apis#add-credentials-to-your-web-application. You must configure this
secret in Authentication and Authorization using Microsoft Azure.
- 59 -
CHAPTER9 Security
9. Grant API Permissions: Extend default application's permissions set and give admin
consent to all the existing permissions. Add and provide admin consent to such delegated
Microsoft Graph API related permissions: Group.Read.All.
The connection between the NBIF client and the OVOC server is by default secured over HTTPS
(port 443). This security is managed by the EMS Server Manager option ‘IP Phone Manager Pro
and NBIF Web pages Secured Communication’. You can secure this connection either using
AudioCodes default self-signed certificates or by applying custom certificates signed by an
external CA. For more information, refer to the OVOC Security Guidelines document.
The table below is divided into two columns for readability. In the database, there is a
singlecolumnfor“TypeValues”e.g.(.1.3.6.1.4.1.5003.9.10.1.21.2.0.41)
acSonetLineRDIAlarm.