Am Cloud Connect Operation Overview 8AL91354ENAA 6 en
October 2021
8AL90354ENAA Ed. 6
Legal notice
www.al-enterprise.com The Alcatel-Lucent name and logo are trademarks of Nokia used under license by ALE. To view other trademarks used by affiliated companies of ALE Holding, visit: www.al-enterprise.com/en/legal/trademarks-copyright. All other trademarks are the property of their respective owners.
The information presented is subject to change without notice. Neither ALE Holding nor any of its affiliates
assumes any responsibility for inaccuracies contained herein.
© 2021 ALE International, ALE USA Inc. All rights reserved in all countries.
Disclaimer
While efforts were made to verify the completeness and accuracy of the information contained in this
documentation, this document is provided “as is”. To get more accurate content concerning Cross
Compatibilities, Product Limits, Software Policy and Feature Lists, please refer to the accurate documents
published on the Business Partner Web Site.
In the interest of continued product development, ALE International reserves the right to make
improvements to this documentation and the products it describes at any time, without notice or
obligation.
The CE mark indicates that this product conforms to the following Council Directives:
• 2014/53/EU for radio equipment
• 2014/35/EU and 2014/30/EU for non-radio equipment (including wired Telecom Terminal Equipment)
• 2014/34/EU for ATEX equipment
• 2011/65/EU (RoHS)
• 2012/19/EU (WEEE)
Cloud Connect Operation Overview
Cloud Connect Operation (CCO) addresses the growing demand to accommodate new ways of delivering
Services and Products, regardless of commercial models (market segment, offer, GTM and distribution
mode).
Cloud Connect transforms Alcatel-Lucent Enterprise (ALE) products into “Connected Products”, in order
to help you:
• Upsell and leverage your ALE installed base, thanks to fleet analytics: keep contact with deployed systems, business analytics, usage monitoring
• Increase your margin through easier operations and reduced TCO: simplify BP operations
• Increase your ARPU thanks to additional value-added services. Target in future: upcoming à la carte services such as Fraud Detection, Security Assessment, Alarming, …
The CCO infrastructure provides a common infrastructure to efficiently deliver services. Systems are securely connected to the ALE CCO infrastructure over an IP infrastructure, to benefit from outcome-based services hosted in the cloud.
The permanent and secured link is particularly suited to remote management operations and enables further value-added Cloud services.
Although the following examples are not exhaustive, such services notably encompass VPN opening (OXO Connect only) on request for advanced system control, metrics collection, controlling a product's right to run, checking a product's state…
For additional information about VPN and OXO Connect, refer to the document: Cloud Connect VPN
Server Reference Design for OXO Connect:
https://myportal.al-enterprise.com/alebp/s/PN/8AL91215ENAA
This document presents the reference design to be used for the VPN server configuration in the Cloud
Connect solution.
For additional information about OXE services, refer to the document: OmniPCX Enterprise - System
Services - 8AL91000USAJ – section 24 Cloud Connect Services.
https://businessportal.al-enterprise.com/8AL91000USAK
Overview
The Cloud Connect Operation Infrastructure (CCOi) hosts the set of services that BPs can run through an ALE Web Portal. The Cloud Connect Operation Infrastructure collects and processes information from both the connected systems and ALE IS/IT databases such as eBuy and Business Store.
The Cloud Connect infrastructure also sets up, maintains, and monitors the link towards connected systems at customer premises. A unique identification of each connected product, combined with flows that are only outgoing from the customer's system towards the ALE CCOi, leads to a state-of-the-art security level, besides a non-intrusive solution on the customer LAN.
The Cloud Connect Infrastructure is operated by Alcatel-Lucent Enterprise and hosted in the EU.
ALE International (“ALE”) is committed to abide by the European Union General Data Protection Regulation (“GDPR”), whereby the actions specified below are completed and will continuously be managed by ALE to comply with the requirements of GDPR applicable to ALE. Reference: Affidavit for GDPR compliancy_v010318.
To log in to the CCOi, a product relies on a unique and immutable credential called CC-Product-ID, computed by the ordering chain, and a password. The CC-Product-ID remains unchanged after upgrades; only the password may change over time.
FTR (First Time Registration) is in charge of setting up the “communication link” between the system at customer premises and the ALE CCOi; this notably means retrieving the secured credentials.
The FTR process behavior is product dependent:
• OXO Connect: two methods are possible to retrieve the CC product identity. BTS mode is Built To Stock; BTCO mode is Built To Customer Order.
1) BTS mode with customer reference in OXO Connect (new from OXO Connect R3.0). The customer reference is fleet_ref+install_id. The installer must enter fleet_ref+install_id in the OXO Connect product, and the BP must associate the same fleet_ref+install_id in eLP for this installation. When the product connects to the FTR service, it delivers the fleet_ref and install_id entered by the installer, and FTR retrieves the CC-PRODUCT-ID from the information provisioned by eLP (association of fleet_ref + install_id to CC-PRODUCT-ID). The FTR service then sends the product identity (credential).
2) BTCO mode with CPU-ID: the OXO Connect installation has the same CPU-ID as the CPU-ID declared in eLP by the BP or by EMS (BTCO) for this installation. As the product has a hardware identification, when it connects to the FTR service it delivers its hardware identifier (HW-ID/CPU-ID), and the FTR service retrieves the CC-PRODUCT-ID from the information provisioned by eLP (association of the HW-ID with the installation's CC-PRODUCT-ID). The FTR service then sends the product identity (credential). OXO Connect in BTCO uses this method thanks to its CPU-ID. This method is also used when the BP itself associated a CPU-ID in eLP before installation.
• OXE: since OXE is mainly deployed in pure software mode, the FTR must be done once the system is installed; as the CC-suite-id credential is part of the OXE license file, no additional information is required to run the FTR process. However, according to specific needs, the CC-suite-id may also be entered manually at FTR start.
Once retrieved, credentials are used to log in to the CCOi.
To configure FTR parameters, see the product’s documentation. The FTR service is operated by ALE
infrastructure.
After FTR, the CCOi, for security reasons, manages:
• Modification of the password used by the product to log in to the Cloud Connect infrastructure
• Configuration: FTR allows the product to accept only messages from known services and reject all
others (unknown services, hackers…)
• Connected (MLE) – blue: RTR is OK, obviously after a successful FTR (according to current architecture constraints, this information might be 24 hours late).
• Not connected – grey: the product is not cloud connected to ALE.
• Qualifying period (MLE) – orange: the RTR keep-alive has not been seen for more than 72 hours, within a maximum duration of 20 days. A dedicated highlight needs to be displayed for products owning a single CC_pdct_ID.
• Duplicated (MLE) – red: the CC_pdct_ID and unique token are already used by another product, which means either a wrong use of this credential or a real hacking; products with the same CC-pdct-ID will be set in qualifying period. This status overrides the “soon blocked” one.
• Soon blocked (MLE) – red: the RTR keep-alive has not been seen for more than 20 days and the product has not yet reached the “panic state” (= 30 days): in other words, it is extremely urgent to react before reaching the OXE “panic” mode. An email notification is sent once a day to the address configured in the fleet dashboard in the field Email Notification.
• Blocked-Panic (MLE) – black: no connection from the product for more than 30 days, meaning the product is probably running in reduced mode (i.e. mainly only emergency calls are allowed).
The only way to exit from the panic state is to perform a successful FTR with PIN code. In case of detection of duplicated products, the right BP is able, with ALE help desk support, to perform a new FTR (FTR with PIN code) to legitimate the right product.
The fleet dashboard displays all of a BP's products, the so-called BP fleet (products with Cloud Connect connectivity and products without Cloud Connect connectivity, OXE & OXO Connect). A snapshot of the landing page is provided above.
List management:
• Create/Read lists (OXE & OXO Connect) by the BP admin in the fleet dashboard
• Add/Remove systems to a list:
o Via selection of OXE systems in the fleet dashboard by the BP admin. An OXE is associated to one or several list names per configuration in the fleet dashboard by a BP admin.
o Via OXO configuration of list references inside OXO Connect. An OXO Connect is associated to one fleet_ref/subfleet_ref per configuration in the OXO Connect product by the BP technician.
• The BP admin gives list visibility to BP users in Business Store
More description is available inside the fleet dashboard, in the FAQ section.
b) OXE offer file: the user can select an OXE and retrieve the live “offer files” with a click; downloaded files are stored at the usual browser location (e.g. the “download” folder). The user can then run an Actis quote, ensuring he owns the latest system configuration. He can also upload the latest offer into the OXE.
c) OXE & OXO inventory: the user is able to select one or several systems to access devices/terminals, licenses, trunks, shelf/board details…
d) Access from the fleet dashboard to OXO Connectivity: from the fleet dashboard home page, by selecting one OXO Connect product, access the OXO Connectivity application for the details of the selected product and some actions such as get offer file, VPN…
e) OXO Connect & OXE last incident date: the goal is simply to have a field “Last Incident Date” on the Home Page, indicating the date of the last incident collected on the product. The events are collected by the Data collector. Filtering and sorting on this field will be possible.
f) OXO Connect walled garden view: see the FTR explanation.
g) OXE remote console: a BP user with the “advanced” privilege can start a remote maintenance operation from the Fleet Dashboard on any system that is connected to the ALE Cloud infrastructure and owns a valid Support contract. This feature offers the equivalent of an OXE SSH or telnet remote console, to launch online commands or tools (e.g. the MGR tool for configuration, the incident tool, …). Savings: no need to go on site nor to install a dedicated VPN per customer, and a quicker reaction time to customer requests.
For security reasons, only one connection is possible at a time.
h) Software update: from the Fleet dashboard, a BP with the “advanced” privilege can ask for a software update. A BP can request, for a selected list of connected systems, an update to the last official version in the same release branch for the product's specific markets.
5.1 CC-SUITE-ID
This ID is computed by eLP during the order process. The syntax of the CC-SUITE-ID is:
ABCDE-FGHIJ-KLMNO-PQRST
A 23-character string where each of A..T represents a hexadecimal digit (from “0” to “9” and “A” to “F”) in upper case. The 20 hexadecimal digits are packed 5 by 5 and separated by hyphens “-”.
5.2 CC-PRODUCT-ID
This ID has the following syntax:
CC-SUITE-ID + “-” + product-type
Example (for OXO Connect): af76e-05961-da1c1-de028-1
product-type   Product    Comment
1              OXO-Main   used for OXO Connect
3              OXE        Virtualized or not
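A parser and validator for the two identifier formats described in 5.1 and 5.2, added here as an example and not ALE code; it assumes the IDs are handled as plain strings and normalizes case, since the page's own example is lower-case while the syntax calls for upper case.

```python
import re

# Product-type suffix values listed in the table above (type -> product, comment).
PRODUCT_TYPES = {
    "1": ("OXO-Main", "used for OXO Connect"),
    "3": ("OXE", "Virtualized or not"),
}

# CC-SUITE-ID: 20 upper-case hex digits packed 5 by 5 and separated by hyphens.
SUITE_ID_RE = re.compile(r"^[0-9A-F]{5}(?:-[0-9A-F]{5}){3}$")


def parse_cc_suite_id(value: str) -> str:
    """Return the CC-SUITE-ID normalized to upper case, or raise ValueError."""
    normalized = value.strip().upper()  # tolerate the lower-case form seen on the page
    if not SUITE_ID_RE.match(normalized):
        raise ValueError(f"malformed CC-SUITE-ID: {value!r}")
    return normalized


def parse_cc_product_id(value: str) -> dict:
    """Split CC-PRODUCT-ID = CC-SUITE-ID + '-' + product-type into its parts."""
    suite, sep, ptype = value.strip().rpartition("-")
    if sep != "-" or ptype not in PRODUCT_TYPES:
        raise ValueError(f"unknown or missing product-type in {value!r}")
    product, comment = PRODUCT_TYPES[ptype]
    return {
        "suite_id": parse_cc_suite_id(suite),  # also rejects a malformed suite part
        "product_type": ptype,
        "product": product,
        "comment": comment,
    }


def suite_hex_digits(suite_id: str) -> str:
    """The 20 raw hex digits of a validated CC-SUITE-ID, hyphens removed."""
    return parse_cc_suite_id(suite_id).replace("-", "")


if __name__ == "__main__":
    # The page's own OXO Connect example.
    print(parse_cc_product_id("af76e-05961-da1c1-de028-1"))
```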
Cloud Connect Operations is part of the ISO27001:2013 certified perimeter of ALE International
https://www.al-enterprise.com/en/company/news/iso-27001
After the new edition Add the link to the document: OXO Connect & OXE-What about your data
The following chapter gives an overview and summarizes the main security aspects of CCO.
Server authentication: the PBX product, aka device, authenticates the CCO infrastructure server thanks to its server certificate. The server certificate is issued by the ALE CCO Certificate Authority, kept under the responsibility of the CTSO and installed by the CC infrastructure owner. The device embeds the required certificate “trust store” related to this certificate authority. The trust store must be dedicated to the CC software client in the device.
Device authentication: since CC client authentication is performed through the application link, there is no requirement to use client certificates on products, hence no trust store to manage on the CC infrastructure servers.
Chapter 6 Cloud Connect security
Security protocol: all traffic between product and server relies on TLS. The TLS configuration of the XMPP server follows up-to-date security standards: TLSv1.2.
Device software download: OXO Connect & OXE can get their software from the network through an HTTPS connection to a repository available from the Internet. Encryption and authentication are not a requirement on this link; integrity control is provided by signature-based mechanisms on the software installation.
The products OXO Connect & OXE use additional external secured connections to the ALE CCO infrastructure:
i. SOCKS5: strong payload encryption to deliver end-to-end data integrity and confidentiality
ii. IPsec: on-demand restricted IPsec VPN outgoing connection from the customer site to the BP network, to maintain a fully secure OAM&P link to the customer device.
6.3.5.2 Product OXO Connect & OXE: Application Protocol Security – XMPP
The whole stream between product and server is authenticated and encrypted with TLS. The TLS configuration of the XMPP server follows the latest security standards (RFC 5246).
Client authentication (product) is performed with SASL (RFC 4422):
• SCRAM (RFC 5802), performed after the TLS-secured connection is established
• User authentication with the SCRAM-SHA-1 mechanism
• XMPP credentials (login + password) are unique and generated server-side with strong password policies
• XMPP ACLs are enforced to prevent unauthorized IQs from being forged through the service application file provisioning
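The SCRAM-SHA-1 exchange the list above refers to (RFC 5802, run inside the TLS-protected XMPP stream), worked through end to end as an added example that is not part of the original document or ALE's client. User name, password, salt and nonces are the ones from the RFC 5802 example exchange, not CCO credentials; the server side holds only StoredKey and ServerKey, so the XMPP password never crosses the link and a server database leak does not hand out reusable passwords.

```python
import base64
import hashlib
import hmac

# Inputs taken from the RFC 5802 example exchange (not CCO credentials).
USER, PASSWORD = "user", "pencil"
SALT = base64.b64decode("QSXCR+Q6sek8bf92")
ITERATIONS = 4096
CLIENT_NONCE, SERVER_NONCE = "fyko+d2lbbFgONRv9qkxdawL", "3rfcNHYJY1ZVvWVs7j"


def _hmac(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha1).digest()


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def stored_credentials(password: str, salt: bytes, iterations: int) -> dict:
    """What the XMPP server keeps from provisioning: StoredKey and ServerKey, never the password."""
    salted = hashlib.pbkdf2_hmac("sha1", password.encode(), salt, iterations)
    return {"stored_key": hashlib.sha1(_hmac(salted, b"Client Key")).digest(),
            "server_key": _hmac(salted, b"Server Key")}


def scram_sha1_exchange(user, password, salt, iterations, cnonce, snonce, stored) -> dict:
    """Run the four SCRAM-SHA-1 messages: client knows `password`, server knows only `stored`."""
    client_first_bare = f"n={user},r={cnonce}"
    server_first = f"r={cnonce}{snonce},s={base64.b64encode(salt).decode()},i={iterations}"
    client_final_bare = f"c=biws,r={cnonce}{snonce}"  # c=biws is base64("n,,"), no channel binding
    auth_message = f"{client_first_bare},{server_first},{client_final_bare}".encode()
    # Client: derive ClientKey from the password and blind it with ClientSignature into ClientProof.
    salted = hashlib.pbkdf2_hmac("sha1", password.encode(), salt, iterations)
    client_key = _hmac(salted, b"Client Key")
    client_proof = _xor(client_key, _hmac(hashlib.sha1(client_key).digest(), auth_message))
    # Server: unblind ClientKey from the proof and compare its hash with StoredKey.
    recovered_key = _xor(client_proof, _hmac(stored["stored_key"], auth_message))
    client_ok = hmac.compare_digest(hashlib.sha1(recovered_key).digest(), stored["stored_key"])
    # Server proves possession of ServerKey; the client verifies it against its own derivation.
    server_signature = _hmac(stored["server_key"], auth_message)
    server_ok = client_ok and hmac.compare_digest(
        server_signature, _hmac(_hmac(salted, b"Server Key"), auth_message))
    return {"client_first": "n,," + client_first_bare, "server_first": server_first,
            "client_final": f"{client_final_bare},p={base64.b64encode(client_proof).decode()}",
            "server_final": f"v={base64.b64encode(server_signature).decode()}",
            "client_proof": base64.b64encode(client_proof).decode(),
            "client_ok": client_ok, "server_ok": server_ok}


if __name__ == "__main__":
    stored = stored_credentials(PASSWORD, SALT, ITERATIONS)
    result = scram_sha1_exchange(USER, PASSWORD, SALT, ITERATIONS, CLIENT_NONCE, SERVER_NONCE, stored)
    for step in ("client_first", "server_first", "client_final", "server_final"):
        print(step, "->", result[step])
```

Note that nothing in the exchange lets a passive observer recover the password: only the proof (a one-time value bound to both nonces) and the server signature are transmitted.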
Alcatel-Lucent OXO Connect - What about your data?
END OF DOCUMENT