Release 3.0
NN42040-601, Document Revision: 04.AU
May 3, 2012
Avaya - Proprietary. Use pursuant to the terms of your signed agreement or Avaya policy.
DRAFT May 3, 2012 8:51 PM (UTC+01:00)
2012 Avaya Inc.
Contents
Chapter 1: New in this release ... 13
    Features ... 13
    Other changes ... 13
Chapter 2: Introduction ... 19
Chapter 3: Platform security overview ... 21
    BIOS password control ... 21
    GRUB password control ... 23
    Administrative user account names ... 23
    Administrative user roles ... 24
    Primary role ... 24
    Sudo access control ... 25
    Platform user management tool ... 25
    Administrative account timers ... 26
    Account lockout ... 26
    Password complexity ... 27
        Password changes ... 29
    Inactive platform account auditing ... 29
    Root user access ... 30
    Individual user accounts ... 30
    Preconfigured accounts ... 31
    Remote system accounts ... 31
    Secure Shell and Common Access Card integration ... 32
    Administrative user database backup ... 32
    Platform warning banners ... 33
Chapter 4: Platform administrator security management ... 35
    Modifying password complexity rules - menu ... 36
    Configuring the GRUB password ... 37
    Creating individual user accounts - menu ... 37
        Creating individual user accounts job aid ... 38
    Adding emergency users ... 39
    Deleting a user account - menu ... 40
        Deleting a user account - menu job aid ... 41
    Deleting emergency users ... 41
    Modifying user roles - menu ... 42
    Changing the state of a user account - menu ... 43
    Listing server user accounts - menu ... 44
    Managing sudo access - menu ... 45
    Resetting a platform user account password - menu ... 46
    Resetting a platform user account password - CLI ... 46
    Viewing the status of inactive account auditing ... 47
    Enabling inactive account auditing ... 47
        Enabling inactive account auditing job aid ... 48
    Disabling inactive account auditing ... 48
    Configuring platform warning banners ... 49
    Resetting the password for the Provisioning Manager admin account ... 121
    Resetting the password for a Provisioning Client administrator ... 122
    Changing your Provisioning Client password ... 123
Chapter 11: Application security configuration ... 125
    Configuring the AS 5300 Element Manager with certificates for HTTPS ... 125
    Configuring the Provisioning Manager with certificates for HTTPS ... 126
    Configuring the AS 5300 Element Manager Console with certificates for HTTPS and SIP - CAC ... 127
Chapter 12: Certificate management overview ... 129
Chapter 13: Certificate preparation ... 131
    Generating a CSR ... 133
        Generating a CSR job aid ... 133
    Installing a CA or CA-signed certificate ... 134
        Installing a CA or CA-signed certificate job aid ... 135
    Exporting a PKCS12 file ... 135
    Installing custom certificates into the AS 5300 Element Manager keystore ... 136
    Verifying that CA certificates import into the AS 5300 Element Manager truststore ... 137
Chapter 14: Certificate management ... 139
    Listing all certificates ... 139
        Listing all certificates job aid ... 140
    Installing a CA or CA-signed certificate ... 140
        Installing a CA or CA-signed certificate job aid ... 140
    Uninstalling a certificate ... 141
    Verifying a certificate chain ... 141
        Verifying a certificate chain job aid ... 142
    Importing a PKCS12 file ... 142
    Exporting a PKCS12 file ... 143
    Identifying the friendly name of a certificate ... 143
        Identifying the friendly name of a certificate job aid ... 144
    Identifying the subject of a certificate installed in the certificate database - Unix ... 144
        Identifying the subject field of a certificate installed in the certificate database - Unix job aid ... 145
    Identifying the subject of a certificate that is not installed in the certificate database - Unix ... 146
        Identifying the subject field of a certificate that is not installed in the certificate database - Unix job aid ... 146
    Identifying the subject field of a certificate installed in the certificate database - Windows ... 147
        Identifying the subject field of a certificate installed in the certificate database - Windows job aid ... 147
Chapter 15: Core application certificate management ... 149
    Importing an internal certificate to the keystore ... 149
        Importing an internal certificate to the keystore job aid ... 150
    Viewing an internal certificate in the keystore ... 150
    Removing an internal certificate from the keystore ... 151
    Configuring the AS 5300 Element Manager with certificates for HTTPS and SIP ... 151
    Configuring the AS 5300 Session Manager with certificates for HTTPS and SIP ... 152
    Configuring HTTPS and SIP certificates for the Provisioning Manager ... 153
    Configuring the AS 5300 Element Manager Console with certificates for HTTPS and SIP - CAC ... 154
    Configuring the AS 5300 Element Manager Console with certificates for HTTPS and SIP - manual ... 155
    Configuring the Avaya Aura AS 5300 Personal Agent with certificates for HTTPS and SIP ... 156
Chapter 16: Truststore certificate management ... 157
Chapter 1: New in this release
The following sections detail what is new in Avaya Aura Application Server 5300 Security, NN42040-601, for Avaya Aura Application Server 5300 Release 3.0.
Navigation
Features on page 13
Other changes on page 13
Features
For more information about the features that are new for this release, see Avaya Aura Application Server 5300 Release Delta, NN42040-201.
Other changes
Revision history
May 2012, Draft 04.AU: This document is issued for Avaya Aura Application Server 5300 Release 3.0. Edited a few links in chapter navigation sections.
April 2012, Draft 04.AT: This document is issued for Avaya Aura Application Server 5300 Release 3.0.
February 2012
January 2012
November 2011
November 2011
October 2011
August 2011
August 2011
July 2011
July 2011
June 2011
June 2011
June 2011
May 2011
May 2011
February 2011
December 2010
September 2010
August 2010
June 2010
May 2010
April 2010
August 2008
July 2008
June 2008
Chapter 2: Introduction
This document contains the procedures required to configure and administer security for the Avaya Aura Application Server 5300.
For more information about configuration and administration, see Avaya Aura Application Server 5300 Configuration, NN42040-500 and Avaya Aura Application Server 5300 Administration, NN42040-600.
For information about general provisioning tasks and procedures, see Avaya Aura Application Server 5300 Using the Provisioning Client, NN42040-112.
Important:
Throughout this document, the term system refers to the Avaya Aura Application Server 5300 unless otherwise noted.
Prerequisites
Navigation
Chapter 3: Platform security overview
This section contains information related to platform security configuration, including platform administrator accounts, roles, and access.
For information about initial Basic Input/Output System (BIOS) and RSA-II card configuration, see Avaya Aura Application Server 5300 Installation, NN42040-300.
Navigation:
BIOS password control
The planar BIOS includes options to configure both an Administrative and Power-on password. For more information about password options and how to configure them, see the documentation supplied with the server hardware.
The planar BIOS enables the user to configure both an Administrative and Power-on password. The BIOS also refers to the Administrative password as the Privileged Access Password in console messages displayed during BIOS initialization.
BIOS passwords are enforced at the end of BIOS initialization, when the message BIOS Installed Successfully displays.
The following table illustrates the password enforcement type performed by the BIOS at this point in the BIOS execution.
BIOS Password Control

| Power-on password configured | Admin password configured | Password requirement: BIOS entry requested (F1 pressed) | Password requirement: standard initialization (F1 not pressed) |
| --- | --- | --- | --- |
| No | No | None | None |
| No | Yes | Admin | None |
| Yes | No | Power-on password | Power-on password |
| Yes | Yes | Power-on password (limited access) or Admin | Power-on password or Admin |

BIOS entry requested (F1 pressed): The administrator presses the F1 key during the early stages of BIOS initialization with the intent of entering BIOS setup when BIOS initialization finishes. If at least one password is configured, the password must be entered to enter the BIOS setup. If both passwords are configured, specifying the Power-on password gives the administrator only limited access, where no BIOS configuration changes can be made.
Standard initialization (F1 not pressed): The administrator does not press the F1 key during the early stages of BIOS initialization. If a Power-on password is configured (not recommended), BIOS requires the administrator to enter the password to allow the system to continue past the BIOS initialization. If configured, the administrative password is also accepted.
If an Administrator password is configured, an administrator entering BIOS with only a Power-on password receives access to the following menus:
- System Information: This menu provides information such as the machine type and model number, serial number, firmware levels, and installed system cards.
When configuring the Administrator password, changing the value of the Power-on password changeable by user field to Yes provides limited BIOS access to the administrator. The following are the additional menu items available:
- System Security: This menu provides the facility to change or delete the Power-on password.
The following general points also apply to Administrative and Power-on BIOS passwords:
- If both passwords are configured, a forgotten Power-on password can be reset (deleted and re-configured) by entering the BIOS with the Administrative password.
- If a single password is set, and is forgotten, it cannot be recovered using the BIOS menu.
- If both the Administrative and Power-on password are set, and the Administrative password is forgotten, it cannot be recovered using the BIOS menu.
- Neither password is affected when you restore the configuration of the main BIOS to the factory default configuration.
GRUB password control
The Linux Grand Unified Bootloader (GRUB) allows you to configure a password to prevent unauthorized access to the bootloader. Whenever you change the server password policy, you should reset the GRUB bootloader password to comply with these new settings. For more information, see Configuring the GRUB password on page 37.
Administrative user account names
When you create a new account for an administrator, you specify the account name and a numeric user ID. For the numeric user ID, always enter zero (0). After you enter zero (0), the system assigns the next available numeric ID.
The system security administrator defines the password requirements using the pwConfig tool.
Administrative user roles
- System Security Administrator (SSA): The SSA can perform system configuration and specify security attributes such as:
  - Password configuration
  - User management
  - Certificate management
  - Access control
  - Antivirus
  - Network configuration
  - System restoration
- Security Auditor (SA): The SA can collect and view security audit logs and syslogs at the platform level. The SA can also transfer the security logs off the server.
  - a system restore: only the SSA or root user can perform a system restore.
- Database Administrator (DBA): The DBA can manage the database schemas and database tools on servers on which the database resides. This role is not relevant on servers that do not host the database.
Primary role
The primary role of the administrator defines the administrator's primary group. The primary role determines permissions and group ownership for any files that are generated by the administrator. Any tools that extract or create files use the administrator's primary role to determine the appropriate group settings. The primary role is the first role assigned during account creation. An SSA or root user can change the primary role for an administrator.
In the user management tool (userMgt) the primary role of an administrator is the first role that appears in the list of assigned roles. For example, if the list appears as follows: SSA, AA, BA; the primary role of the administrator is SSA.
All roles, other than the Backup Administrator, OSS Administrator, and Regional Patching Administrator roles, are intended to manage some aspect of the system. Because of this and the use of discretionary access groups to control access to system resources, administrators with a primary role of SSA, SA, AA, or DBA have a primary GID that is traditionally reserved for system accounts (less than 500).
Sudo access control
By default, an administrator has access to all commands defined for each assigned role. However, the root user can grant elevated privileges (such as root access) to an individual administrator, if required.
The system records all commands that are run with sudo in /var/log/secure, and only the security administrator or security auditor can view these logs.
Only the root user can grant or deny all sudo level access to administrators. If you are already logged on when sudo access is granted, the sudo access is available the next time you log on. The sudo menu option in the userMgt script is only visible when the script is run by the root user.
Administrators who have sudo access need not know the root password of the system to invoke root level commands; they use their own current passwords. The syntax for running commands with sudo access is as follows:
The system prompts for your administrator password the first time, and again after 10 minutes if you do not enter any other sudo commands.
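The sudo records in /var/log/secure are the audit trail the security auditor relies on. The following Python script is an added illustration, not part of the Avaya documentation or product: it parses constructed sample lines in the format sudo writes to that file and reports refused requests, root commands from accounts that root has not granted sudo to, and interactive root shells, after which per-command logging stops. The host name, users and commands in the sample are made up for the example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample of /var/log/secure content. The sudo entries follow the
# format sudo writes on Red Hat style systems; host, users and commands are
# made up for this example. The sshd line shows that non-sudo lines are skipped.
SAMPLE_SECURE_LOG = """\
May  3 20:51:02 as5300-core1 sudo: ntsysadm : TTY=pts/0 ; PWD=/home/ntsysadm ; USER=root ; COMMAND=/usr/bin/userMgt
May  3 20:52:10 as5300-core1 sudo: ntsysadm : TTY=pts/0 ; PWD=/home/ntsysadm ; USER=root ; COMMAND=/bin/su -
May  3 20:55:41 as5300-core1 sudo: ntappadm : user NOT in sudoers ; TTY=pts/1 ; PWD=/home/ntappadm ; USER=root ; COMMAND=/bin/bash
May  3 21:03:17 as5300-core1 sudo: ntappadm : TTY=pts/1 ; PWD=/home/ntappadm ; USER=root ; COMMAND=/bin/cat /etc/shadow
May  3 21:04:00 as5300-core1 sshd[2231]: Accepted password for ntsecadm from 10.0.0.5 port 51022 ssh2
"""

# syslog timestamp, host, the literal "sudo:", the invoking user, then the
# " ; " separated fields that sudo appends.
SUDO_LINE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) sudo: +"
    r"(?P<user>\S+) : (?P<fields>.*)$"
)

# Commands that hand the administrator an interactive root shell; from that
# point on the individual commands are no longer recorded in /var/log/secure.
SHELL_COMMANDS = ("/bin/su", "/usr/bin/su", "/bin/bash", "/bin/sh")


@dataclass
class SudoEvent:
    ts: str
    host: str
    user: str       # the administrator's own account, which keeps actions attributable
    denied: bool    # True when sudo refused the request
    tty: str
    target: str     # USER= field: the account the command ran as
    command: str


def parse_sudo_line(line: str) -> Optional[SudoEvent]:
    """Return a SudoEvent for a sudo entry, or None for any other log line."""
    m = SUDO_LINE.match(line.strip())
    if not m:
        return None
    fields = {}
    denied = False
    for field in m.group("fields").split(" ; "):
        if "=" in field:
            key, value = field.split("=", 1)
            fields[key] = value
        else:
            # A field without "=" is a refusal message such as "user NOT in sudoers".
            denied = True
    return SudoEvent(ts=m.group("ts"), host=m.group("host"), user=m.group("user"),
                     denied=denied, tty=fields.get("TTY", ""),
                     target=fields.get("USER", ""), command=fields.get("COMMAND", ""))


def parse_sudo_log(text: str) -> List[SudoEvent]:
    events = (parse_sudo_line(line) for line in text.splitlines())
    return [e for e in events if e is not None]


def review_sudo_log(text: str, expected_sudoers: set) -> List[str]:
    """Findings for the security auditor.

    expected_sudoers is the set of accounts that root has granted sudo access
    to through userMgt. Reported: every refused request, every command run as
    root by an account outside that set, and every interactive root shell.
    """
    findings: List[str] = []
    for e in parse_sudo_log(text):
        if e.denied:
            findings.append(f"{e.ts} {e.user}: sudo refused {e.command!r}")
            continue
        if e.user not in expected_sudoers:
            findings.append(f"{e.ts} {e.user}: ran {e.command!r} as {e.target} "
                            "but is not an expected sudo account")
        if e.command.split(" ")[0] in SHELL_COMMANDS:
            findings.append(f"{e.ts} {e.user}: opened a root shell ({e.command!r}); "
                            "per-command audit trail ends here")
    return findings


if __name__ == "__main__":
    for finding in review_sudo_log(SAMPLE_SECURE_LOG, {"ntsysadm"}):
        print(finding)
```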
Platform user management tool
To run the user management tool (userMgt) you must be the System Security Administrator (SSA) or the root user. With the userMgt tool, you can create and manage user accounts for platform administrators. Figure 1: Main menu on page 26 shows the options available from the main menu of the tool.
Figure 1: Main menu
Important:
Option [6] (from the main menu of the userMgt tool) is available only to the root user. To use this option, an SSA with sudo access can su to root.
Administrative account timers
The idle session timer automatically logs off administrators that are not actively using their sessions. After the configured time elapses without administrator activity, the session closes automatically.
Changes to the idle session timer value do not affect currently existing sessions. Administrators must log off and log back on for this configuration to take effect.
Use the pwConfig tool to specify the timeout value by configuring the Idle session timeout (seconds) parameter. For more information, see Modifying password complexity rules - menu on page 36.
Account lockout
To reduce the effectiveness of password guessing attacks, you can configure account lockout on the system. If you enable account lockout, the system temporarily locks an account after a specified number of log on failures.
To enable account lockout, use the pwConfig tool to configure the 'Deny after this many log on failures' parameter to a value other than zero. To subsequently disable account lockout, change the value back to zero.
To configure the length of time that the account remains locked out, use the pwConfig tool to configure the Unlock account duration (seconds) parameter. If you disable account lockout, the Unlock account duration parameter has no effect. For more information, see Modifying password complexity rules - menu on page 36.
If the system locks an account because of successive failed attempts to log on, the administrator cannot log on to the system until the lockout period expires. An SSA can unlock an administrator's account during the lockout period by using the userMgt tool to disable and subsequently enable the locked out administrator. Additionally, after three consecutive failed access attempts, the SSH or SFTP connection terminates and the user must re-establish the connection to log on.
After an account reaches the lockout threshold, the system generates a security log.
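The following Python model is an added example, not code from the Avaya documentation or the pwConfig tool: it takes the two pwConfig parameters named above as inputs and models the three-attempt SSH connection limit separately, so the two thresholds can be seen interacting. The class and function names are the example's own; the clock is injected so the unlock duration can be exercised without waiting.

```python
import time
from dataclasses import dataclass
from typing import Callable, Dict, List


@dataclass
class LockoutPolicy:
    # pwConfig "Deny after this many log on failures"; 0 disables account lockout.
    deny_after_failures: int = 0
    # pwConfig "Unlock account duration (seconds)"; has no effect while lockout is disabled.
    unlock_duration: int = 0


@dataclass
class AccountState:
    failures: int = 0          # consecutive failures since the last success or lockout
    locked_until: float = 0.0  # epoch seconds; 0.0 means not locked


# The page states that an SSH or SFTP connection terminates after three
# consecutive failed access attempts, independently of the lockout threshold.
SSH_MAX_TRIES_PER_CONNECTION = 3


class LockoutTracker:
    """Model of the account lockout behaviour described in the text (added example)."""

    def __init__(self, policy: LockoutPolicy, clock: Callable[[], float] = time.time):
        self.policy = policy
        self.clock = clock          # injectable so lockout expiry can be tested
        self.accounts: Dict[str, AccountState] = {}
        self.security_log: List[str] = []

    def _state(self, user: str) -> AccountState:
        return self.accounts.setdefault(user, AccountState())

    def is_locked(self, user: str) -> bool:
        if self.policy.deny_after_failures == 0:
            return False            # lockout disabled: the unlock duration is irrelevant
        return self._state(user).locked_until > self.clock()

    def record_attempt(self, user: str, password_ok: bool) -> str:
        """Return 'ok', 'denied' or 'locked' for one log on attempt."""
        st = self._state(user)
        if self.is_locked(user):
            return "locked"         # correct password or not, nothing gets through
        if password_ok:
            st.failures = 0
            return "ok"
        st.failures += 1
        threshold = self.policy.deny_after_failures
        if threshold and st.failures >= threshold:
            st.locked_until = self.clock() + self.policy.unlock_duration
            st.failures = 0
            # The page says a security log is generated when the threshold is reached.
            self.security_log.append(
                f"ACCOUNT LOCKOUT user={user} failures={threshold} "
                f"unlock_after={self.policy.unlock_duration}s")
            return "locked"
        return "denied"

    def ssa_unlock(self, user: str) -> None:
        """An SSA clears the lockout early by disabling and re-enabling the
        account in userMgt; here that simply resets the account state."""
        self.accounts[user] = AccountState()


def ssh_connection(tracker: LockoutTracker, user: str, attempts: List[bool]) -> List[str]:
    """Replay password attempts over one SSH connection.

    The connection ends on success, when the account locks, or after three
    consecutive failures (the client must reconnect to try again).
    """
    outcomes: List[str] = []
    consecutive_failures = 0
    for ok in attempts:
        result = tracker.record_attempt(user, ok)
        outcomes.append(result)
        if result in ("ok", "locked"):
            break
        consecutive_failures += 1
        if consecutive_failures >= SSH_MAX_TRIES_PER_CONNECTION:
            outcomes.append("connection terminated")
            break
    return outcomes
```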
Password complexity
You can configure password policy rules to define the appropriate characters used for administrator passwords. The administrator configures these passwords using either /usr/bin/passwd or the userMgt tool.
The password complexity settings only affect subsequently configured passwords; they do not affect current passwords.

| Parameter | Description |
| --- | --- |
| Minimum digits | |
| | Characters are: . @ - _ & ^ ? ! ( ) , / \ : ; ~ = + The system rejects passwords that contain fewer special characters. Default: 0 |
| Maximum consecutive repeat chars | |

You can modify the password complexity rules at any time; however, the configured rules apply only to subsequently added administrator accounts.
Important:
If the default password complexity configuration values (as shown in the preceding table) do not meet your site requirements, Avaya recommends that you change the values immediately after installation and commissioning, and before you add administrators to the system.
The following non-configurable parameters also apply to password complexity:
- The system uses the Linux CrackLib library to ensure that the password is not based on the username or on a dictionary word. This library manipulates the new password in various ways to try to determine if the new password is based on the username or a dictionary word.
- Users must change their passwords during initial log on. Users cannot access the system with the temporary passwords.
- The root user password does not adhere to the password complexity rules. Ensure that only a very limited number of individuals know the root password for the servers.
- The backup and restore process includes all files related to password complexity.
Password changes
When administrators use the UNIX passwd command to change their passwords, or when they change the password during log on (for initial or expired passwords), the system applies all of the enabled password complexity rules.
When an SSA uses the userMgt tool to change a password, the following rules do not apply:
Inactive platform account auditing
You can configure the system to automatically lock out inactive platform administrator accounts after a period of inactivity. If an administrator is locked out, that administrator cannot log on to the platform without intervention by another administrator.
The system does not automatically delete locked out inactive administrator accounts. The site administrator is responsible for monitoring locked out accounts and deleting them as needed.
Root user access
The root user must log on to the server using the console keyboard, video and mouse (KVM). Root users must change their passwords on first logon after installation.
The password for this account is subject to password complexity rules. Because the initial (during installation) password complexity rules are minimal, Avaya recommends that you change the password for this account after you complete the procedure to configure (harden) password complexity rules.
On the SIP Core servers, users assigned the System Security Administrator (SSA) role, in addition to full-time Super User Do (sudo) access, have full root access.
Even though SSA/sudo users have unrestricted root-level privileges, their actions are logged in the system security log because they are logged on under their individual user ID.
Individual user accounts
Individual user accounts allow for full accountability and monitoring of individual actions. If the installer chooses this option during server installation, the System Security Administrator (SSA) must create each individual user account after the installation is complete. For more information about installation, see the installation method for your system.
You manage user accounts on a per-server basis. Therefore, the SSA must create identical users on each server within the system.
The SSA uses the User Management Configuration tool to create, modify, and delete users. The SSA configures the rules for administrator user names using the pwConfig tool.
Each individual user account has its own password, which is subject to the password complexity rules. The SSA can disable or re-enable each individual user account as necessary. Individual user accounts have a home directory in /home/<userid>. If the SSA removes the user account, the home directory is also removed.
Preconfigured accounts
During server installation, the installation software creates the following user accounts:
ntappadm: The primary role of this account is the Application Administrator (AA) role,
which replaces the avaya user found on previous systems.
ntdbadm: The primary role of this account is the database administrator (DBA) role.
ntsysadm: The primary role of this account is the System Security Administrator (SSA)
role. The ntsysadm account, by default, has ALL sudo root access. You can remove full
sudo access, if required, by invoking the userMgt tool as root. This account replaces the
sysadmin user found on previous systems.
ntsecadm: The primary role of this account is the security auditor (SA) role.
ntbackup: The primary role of this account is the backup administrator (BA) role.
ntossadm: The primary role of this account is the OSS administrator (OSS) role. An
Operational Support Server (OSS) uses this account to connect to an Avaya Aura
Application Server 5300 server to collect OSS logs.
For more information about installation, see the installation method for your system.
You can use the userMgt tool to manage all the preconfigured accounts.
Each preconfigured account uses "password" as the initial password. You must change the
initial password at first logon.
The user with the OSS role is protected using password authentication. This account is also
subject to lockout if the password is entered incorrectly and account lockout is configured
for the system. To change the password on this account, log on as OSS and type the
command: passwd. You can also use the userMgt tool to reset the password for this
account.
The SSA can create additional individual user accounts. Additional individual accounts are
subject to the same password complexity profile as the preconfigured accounts. The SSA user
can delete preconfigured accounts. All preconfigured accounts are backed up and restored
during backup and restore procedures.
The Avaya Aura Application Server 5300 system requires the following remote system
account: a user with OSS role: An Operational Support Server (OSS) uses this account to
connect to an Avaya Aura Application Server 5300 server to collect OSS logs.
The system automatically creates this account during installation. For more information, see
Preconfigured accounts on page 31.
Administrators use Secure Shell (SSH) for remote access and administration of the Linux
servers. The Avaya Aura Application Server 5300 comes with OpenSSH installed. OpenSSH
is an open-source application, which does not support two-factor authentication.
To satisfy requirements for two-factor authentication and Common Access Card (CAC)
integration, Avaya Aura Application Server 5300 also supports Attachmate Reflection for
Secure IT as an optional configuration. Attachmate Reflection is not included with Application
Server 5300. The purchase, installation and maintenance of Attachmate software are the
customer's responsibility. To install Attachmate Reflection for Secure IT, remove OpenSSH
during system installation and commissioning. For more information, see 106.1.5 AS5300 DoD
AttachMate Installation.
Attachmate Reflection for Secure IT includes both the Linux-based server side component and
the Windows-based client. Administrators can configure the Windows client to use certificates
on the CAC and Reflection Group Policies so that all Reflection sessions meet Department of
Defense (DoD) Public Key Infrastructure (PKI) requirements.
The following changes occur when you configure DoD PKI mode:
The default Reflection configuration uses either CRL checking or an OCSP responder. In
DoD PKI mode, the option to use neither form of checking is disabled.
For a connection to succeed, the host name specified in the certificate must exactly match
the host name specified for your Reflection connection. Therefore, the certificate
configuration is automatic and cannot be modified.
The server backup job backs up the data from /admin, including the administrative user
database files. For more information about server backup, see Avaya Aura Application Server
5300 Backup and Restore Method and Avaya Aura Application Server 5300 Administration,
NN42040-600.
To prevent restoration of passwords that do not comply with the site password complexity
policy, Avaya recommends that you not back up the Administrator Database until after:
You configure new passwords that comply with the site password complexity policy for all
accounts not managed with the userMgt tool (for example, the user with OSS role).
You ensure that all accounts managed with the userMgt tool have passwords that comply
with the site password complexity policy. For example, users must change the passwords
for any account created before password policy configuration.
The /etc/issue banner appears before an administrator enters their username and
password to access the system using the console, SSH, or SFTP.
The /etc/motd banner appears after a successful log on to the system using the console
or SSH.
For more information, see Configuring platform warning banners on page 49.
Important:
Avaya recommends that you perform a backup after making changes to the warning banner
files. For more information, see Avaya Aura Application Server 5300 Backup and Restore
Method and Avaya Aura Application Server 5300 Administration, NN42040-600.
About this task
This section describes how to manage password complexity requirements, create individual user
accounts, and manage administrator role assignments to control access to the Avaya Aura Application
Server 5300 servers.
Prerequisites:
You must be a System Security Administrator (SSA) or the root user to run the tools for platform
administrator security management.
Navigation:
Use this procedure to use the script to modify password complexity rules to ensure that user
passwords are more secure. Password complexity rules apply only to subsequently configured
passwords.
Procedure
13. Enter a value for Deny after this many log on failures.
Use this procedure to configure the Linux Grand Unified Bootloader (GRUB) password. The
GRUB password prevents unauthorized access to the bootloader.
Procedure
1. Log on to the server as a user with SSA role.
If you add SSA administrators, you may need to add those users to the Avaya Media Server
EM Emergency Access list. For more information, see Adding emergency users on
page 39.
Procedure
Variable Definitions
Variable      Value
<userid>
<username>
<roles>       This value specifies the primary and any other roles for the user,
              separated by commas (,).
<passwd>
This job aid lists and describes the system groups defined on the system, and provides the
role to groups mapping. The system groups are:
Role                             Groups
SA   Security Auditor            ntsecgrp
AA   Application Administrator   ntappgrp, ntossgrp
BA   Backup Administrator        ntbackupgrp
DBA  Database Administrator      ntdbgrp, ntappgrp
                                 ntossgrp
Add emergency users to allow them to access the Element Manager (EM) if the primary
security servers are down or cannot be reached.
The SSA or root user uses the emUser tool to list, add, or deny emergency users.
Procedure
5. Select the user that you want to add as an emergency user by selecting the
corresponding number and pressing Enter.
6. Enter Y to confirm that you want to add the user as an emergency user.
OR
You can delete individual users who no longer require access to the server. The User
Management Configuration tool does not manage the following system accounts, and you
cannot delete them:
root
ntappsw
If you delete administrators, you may need to delete them from the Avaya Media Server EM
Emergency Access list. For more information, see Deleting emergency users on page 41.
Procedure
5. From the list of users, select the user that you want to delete by entering the
corresponding number.
7. If the tool finds files owned by the admin to delete, the system displays a list. Choose
an action:
Choose to
Do this
Enter Y
Enter N
Variable Definitions
Variable      Value
<username>    This value is the name of the user account.
After deleting a user account, the system deletes the associated home directory (/home/
<admin>) and all files and directories within it. Additionally, the system searches for any files
owned by this admin outside of their home directory (/home/<admin>). If files are found and
the user has read and write permissions that are:
1. less than the group read and write permissions, then the system transfers the file
(without warning) to a no login system account and the file remains on the
system.
2. greater than or equal to the group read and write permissions, then the system
deletes the file (with warning and confirmation) because transferring the file to a no
login system account with these settings could render it unmanageable by any
admin users in the same group.
The following table shows the no login system account to which files are transferred, based
on the primary role of the deleted user account:
Primary role   No login account
SSA            ntsysnl
SA             ntsecnl
AA             ntappnl
BA             ntbackupnl
DBA            ntdbnl
OSS            ntossnl
The system administrator must either leave these transferred files on the system or remove
them, as the operation of the system requires. Before deleting any of these files, determine
whether deleting them will hinder system operation.
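As an added illustration of the disposition rule above (this is not Avaya's userMgt implementation), the following Python models the decision the text describes for files found outside a deleted administrator's home directory. The directory tree it scans is constructed by the script itself; reading "less than" as a numeric comparison of the owner's and the group's read/write bits is an assumed interpretation; and the script only produces a plan, leaving out the actual transfer to the no-login account and the confirmed delete.

```python
"""Plan what happens to a deleted administrator's files outside /home.

Added example, not Avaya's userMgt code. A regular file whose owner read/write
bits are lower than its group read/write bits is handed to the primary role's
no-login account; any other file is flagged for deletion after confirmation.
The demo builds a constructed directory tree and reports a plan only; it never
changes ownership or deletes anything.
"""
import os
import shutil
import stat
import tempfile
from typing import List, Optional, Tuple

# Primary role -> no-login account, from the table above.
NOLOGIN_ACCOUNT = {
    "SSA": "ntsysnl", "SA": "ntsecnl", "AA": "ntappnl",
    "BA": "ntbackupnl", "DBA": "ntdbnl", "OSS": "ntossnl",
}

Action = Tuple[str, str, Optional[str]]   # (path, "transfer" | "delete", target account)


def rw_bits(mode: int, who: str) -> int:
    """Read/write bits for 'user' or 'group' as a number 0-6 (r=4, w=2)."""
    shift = 6 if who == "user" else 3
    return (mode >> shift) & 0o6


def plan_disposition(search_root: str, uid: int, home_dir: str, primary_role: str) -> List[Action]:
    """Walk search_root for regular files owned by uid outside home_dir and
    return the action the rule above prescribes for each one."""
    target = NOLOGIN_ACCOUNT[primary_role]
    home_dir = os.path.realpath(home_dir)
    plan: List[Action] = []
    for dirpath, _dirnames, filenames in os.walk(search_root):
        real = os.path.realpath(dirpath)
        if real == home_dir or real.startswith(home_dir + os.sep):
            continue  # the home directory is removed wholesale, not examined
        for name in filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode) or st.st_uid != uid:
                continue
            # Assumption: compare the two-bit rw values (0, 2, 4 or 6) numerically.
            if rw_bits(st.st_mode, "user") < rw_bits(st.st_mode, "group"):
                plan.append((path, "transfer", target))   # silent hand-over, file stays
            else:
                plan.append((path, "delete", None))       # delete, but only after confirmation
    return sorted(plan)


def demo() -> List[Action]:
    """Constructed tree: a shared config the group may edit but the owner can only
    read, and a file where the owner's bits match or exceed the group's."""
    root = tempfile.mkdtemp(prefix="offboard-")
    try:
        home = os.path.join(root, "home", "ntappadm")
        os.makedirs(home)
        os.makedirs(os.path.join(root, "srv"))
        shared = os.path.join(root, "srv", "shared.cfg")
        private = os.path.join(root, "srv", "private.cfg")
        in_home = os.path.join(home, "notes.txt")
        for path in (shared, private, in_home):
            with open(path, "w") as fh:
                fh.write("constructed sample\n")
        os.chmod(shared, 0o460)    # owner r--, group rw-  -> transfer to ntappnl
        os.chmod(private, 0o640)   # owner rw-, group r--  -> delete with confirmation
        plan = plan_disposition(root, os.getuid(), home, "AA")
        return [(os.path.relpath(p, root), action, target) for p, action, target in plan]
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for path, action, target in demo():
        print(f"{action:9} {path}" + (f" -> {target}" if target else ""))
```

Running the script prints one line per file outside the home directory; the file inside /home/ntappadm never appears because the home directory is handled as a whole. In a real offboarding run the "delete" entries are the ones to review before confirming, since they are the files that would become unmanageable by the group if transferred.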
Deny emergency users to prevent them from accessing the Element Manager (EM) if the
primary security servers are down or cannot be reached.
Procedure
5. Select the user that you want to deny as an emergency user by selecting the
corresponding number and pressing Enter.
6. Enter Y to confirm that you want to deny the user emergency access to the
server.
OR
Use this procedure to modify roles for a server administrator. You can also change the primary
role of the administrator.
Procedure
5. From the list of users, enter the corresponding number for the user account that you
want to modify.
6. Enter the corresponding number for the user's roles (primary role first), separated
by commas (,).
You receive a prompt to continue modifying roles for users or to return to the main
menu.
Variable Definitions
Variable      Value
<username>
<roles>       This value contains the roles that you want to assign to the user
              account. You must enter the primary role first, and separate multiple
              roles with a comma (,). Example: SSA, AA
Disable a user's account to temporarily prevent access to the server with that account. Enable
the account to restore access.
If a user's account becomes locked because of failed attempts to log on, you can clear the lock
by disabling and then enabling the account again.
Procedure
1. Log on to the server as a user with SSA role.
5. Enter the corresponding number for the user account that you want to enable or
disable.
Do this
Enabled
Disabled
9. Choose an action:
Choose to    Do this
             Enter Y
             Enter N
Exit         Enter 8
You can view a list of users currently configured on the server. The display shows 20 entries
for each page, and lists the user name, userID, the user's configured state, and whether the
user has sudo access to the system.
Procedure
To choose this    Do this
                  Press Enter.
Use this procedure to grant or revoke sudo access for user accounts.
Procedure
6. Enter the corresponding number for the user account for which you want to grant
or deny sudo access.
9. Enter 9 to exit.
Variable Definitions
Variable      Value
<username>    This value is the name of the user account.
You can use the userMgt tool to change passwords for platform administrators. If an
administrator is locked out of the server because of failed attempts to log on, you can use the
userMgt tool to reset the user account password and clear the lock.
Procedure
5. Enter the corresponding number for the user whose password you want to reset.
6. Enter a new password for the user account and confirm by entering the new
password again.
A prompt appears asking whether to reset a password for another user or return to the main
menu.
You can change your platform administrator password from the command line. You can also
use this procedure to change the passwords for the user with OSS role.
Procedure
1. Log on to the server with the account for which you want to change the password.
3. At the prompt, enter the current UNIX (platform) password for the account.
4. At the prompt, enter the new UNIX (platform) password for the account.
5. At the prompt, re-enter the new UNIX (platform) password for the account.
Procedure
Procedure
7. For the Maximum number of inactive days before login account is locked
value, enter the number of days of account inactivity prior to account lock out.
This job aid lists and describes the parameters required to enable inactive account auditing.
Parameter                                      Value
Maximum number of inactive days                Enter a number between 4 and 364.
before login account is locked
Procedure
Important:
After you disable inactive account auditing, the system does not re-enable
previously locked out administrator accounts. You must manually re-enable any
locked out administrator accounts.
Use this procedure to configure warning banners to display a message before users enter their
user names and passwords, and another message after a successful log on. Warning banners
typically state the legal implications of logging on to a system.
Important:
Repeat this procedure for each server in your Application Server 5300 system.
Procedure
3. Connect to the server as a user with SSA role by using SFTP or SCP.
cp /var/tmp/<motd_filename> /etc/motd
Variable Definitions
Variable            Value
<issue_filename>    This value is the name of the text file that contains the message
                    that appears before log on.
<motd_filename>     This value is the name of the text file that contains the message
                    that appears after a successful log on.
This section contains information about system security configuration and management.
Navigation:
Antivirus on page 65
The AS 5300 Element Manager Console and the Avaya Aura Provisioning Client applications
maintain independent administrator accounts for configuration and management of the Avaya
Aura Application Server 5300. Although these applications do not share the same pool of
administrator accounts, they do share common security rules for password complexity,
password aging, password history, log on session constraints, and application warning
banners. You configure these rules by using the AS 5300 Element Manager Console.
For more information about how to use the AS 5300 Element Manager Console, see Avaya
Aura Application Server 5300 Configuration, NN42040-500.
If you modify the password rules and the passwords of existing administrators no longer comply
with the new rules, the system does not take any special action. Existing administrators are
allowed to continue to use their existing passwords until they expire. Password rules are only
enforced at the time of password creation. You can force administrators to change existing
passwords, for example, to comply with an updated password policy.
The following table lists the parameters that you use to configure password complexity for
administrator user accounts.
Parameter                        Description
Minimum Password Length          This rule defines the minimum number of characters that
                                 must be included in a password.
                                 The range of values allowed is 4-32. Default value: 8
                                 Note: The following restrictions apply:
                                 The Minimum Password Length must be equal to or
                                 greater than the total of the Minimum Lowercase
                                 Characters, Minimum Uppercase Characters,
                                 Minimum Digit Characters, and Minimum Special
                                 Characters values.
                                 If Check For Dictionary Words in Password is enabled,
                                 the Minimum Password Length value must be 6 or
                                 more.
                                 Caution: The system supports passwords up to a maximum of
                                 511 characters. However, some phone clients limit the
                                 maximum length of passwords. Verify the capabilities
                                 of your phone before creating a long password.
Minimum Lowercase Characters     This rule defines the minimum number of lowercase
                                 characters that must be included in a valid password.
                                 Lowercase characters are defined by the US-ASCII
                                 character set, a-z.
                                 The range of values allowed is 0-10. Default value: 2
Minimum Uppercase Characters     This rule defines the minimum number of uppercase
                                 characters that must be included in a valid password.
                                 Uppercase characters are defined by the US-ASCII
                                 character set, A-Z.
                                 The range of values allowed is 0-10. Default value: 2
Minimum Digits
Maximum Consecutive Characters
Password History
                                 The range of values allowed is 0-180 days. Default
                                 value: 90
Password aging
The following rules control the length of time that a password remains valid, and expiration
notification.
Parameter                        Description
Expiry Notification
                                 Life, and must be greater than the Minimum Password
                                 Life.
                                 The range of values allowed is 0-30 days. Default value: 7
When adding or editing an administrator account, the security administrator can override the
Maximum Password Life value, and thereby apply a different maximum life to an administrator's
password.
Log on session constraints control the length of time that a session can remain idle before the
system forces the administrator to reauthenticate. You configure these rules separately for the
AS 5300 Element Manager Console/Open Management Interface (OMI) and the Avaya Aura
Provisioning Client, by using the AS 5300 Element Manager Console.
Session Timeout: This rule defines the maximum number of minutes a session can be
idle before an administrator must reauthenticate. The range of values for this parameter
is 0-120. Configure the value to 0 (zero) to disable session timeout. You cannot disable
session timeout for the Avaya Aura Provisioning Client. For Configuration Management
clients (which include the AS 5300 Element Manager Console), after a session times out,
any write or maintenance operations require reauthentication; read operations continue
to function normally.
Failed Login Attempts before Lockout: This rule defines the maximum number of
successive failed attempts to log on, allowed before the system locks the administrator's
account. The range of values for this parameter is 0-10. Configure the value to 0 (zero)
to disable lockout and to allow an unlimited number of successive failed login attempts.
A value other than zero represents an inclusive number of attempts. Therefore, if the value
is 1 (one), a single failure causes the administrator's account to become immediately
locked. The system rejects further login attempts until the lockout duration expires.
Lockout Duration: This rule defines the number of minutes that an administrator's account
remains locked after reaching the maximum number of successive failed login attempts.
The range of values for this parameter is 1-60.
Warning banners display advisory warnings before and after log on, for all application
interfaces. Warning banners typically state the legal implications of logging on to a system.
By default, the system defines the following administrative user account roles for the AS 5300
Element Manager Console and Avaya Aura Provisioning Client.
AS 5300 Element Manager Console:
Role          Definition
secadmin      Administrators assigned to this role are authorized for all AS 5300
              Element Manager Console services. The default admin user is
              assigned this role by default. Only a user with the secadmin role
              can assign the secadmin role to another user or make
              modifications to this account. You can delete the admin user only
              if another user is assigned to the secadmin role. In addition, this
              role has the following properties and limitations:
              at least one secadmin account must be enabled (for example,
              you cannot delete the default admin user unless another user is
              assigned to the secadmin role)
              only a user assigned to the secadmin role can add, modify or
              delete another account assigned to the secadmin role
              only a user assigned to the secadmin role can reset the
              password of another user with secadmin role
              users assigned to the secadmin role are immune to lockout
              users assigned to the secadmin role can log on to the system
              even if the Maximum session limit is reached
admin
no access     This is the default role. All new users are automatically assigned
              to this role. Users assigned to this role have no authorization
              privileges at the AS 5300 Element Manager Console except for
              those services not requiring authorization.
Avaya Aura Provisioning Client:
Role          Definition
SuperUser
secadmin      The default admin user is assigned to this role by default and has
              full access to all provisioning data. In addition, this role has the
              following properties and limitations:
              at least one secadmin account must be enabled (for example,
              you cannot delete the default admin user unless another user is
              assigned to the secadmin role)
              only a user assigned to the secadmin role can add, modify or
              delete another account assigned to the secadmin role
              only a user assigned to the secadmin role can reset the
              password of another user with secadmin role
              users assigned to the secadmin role are immune to lockout
              users assigned to the secadmin role can log on to the system
              even if the Maximum session limit is reached
The Security Administrator (SA) for the AS 5300 Element Manager Console and the Avaya
Aura Provisioning Client, is an administrator with the SA (for example, secadmin) role. An SA
has total control and access. The following rules apply to SAs:
If only one SA account exists in the system, you cannot delete or disable that account.
The SA user has complete access to every service provided by the AS 5300 Element
Manager Console (or by the OMI interface).
Only a SA user can add, update or delete another user account with the SA role. Only an
SA user can reset the password for another SA user.
The SA account is immune to lockout from failed login attempts. This exemption is
necessary to prevent denial of service attacks whereby a malicious system could lock out
the SA by initiating successive invalid log on attempts against the SA account. Although the
SA account cannot be locked out, the system generates standard security logs for log on
failure.
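The log on session constraints listed earlier (Session Timeout, Failed Login Attempts before Lockout, Lockout Duration) and the SA lockout exemption just described fit together as one small state machine. The following Python is an added example, not Avaya's Element Manager code: it applies the documented ranges and the inclusive-threshold rule, logs every failure whether or not the account can lock, and uses plain numeric timestamps so the demo runs offline on constructed data. Treating "idle for at least the timeout" as expired is an assumption, as is the simplification that there is one session per account.

```python
"""Login lockout, lockout duration and idle-session timeout as described above.

Added example, not Avaya's Element Manager code. Failures are always written to
the security log, but an account flagged immune (the SA / secadmin role) never
locks. Times are plain seconds so the demo runs offline with constructed values.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple


@dataclass
class LogonRules:
    failed_attempts_before_lockout: int = 3   # 0-10; 0 disables lockout
    lockout_duration_min: int = 15            # 1-60 minutes
    session_timeout_min: int = 15             # 0-120; 0 disables the timeout

    def validate(self) -> List[str]:
        """Return the range violations in this rule set; [] means it is usable."""
        problems = []
        if not 0 <= self.failed_attempts_before_lockout <= 10:
            problems.append("Failed Login Attempts before Lockout must be 0-10")
        if not 1 <= self.lockout_duration_min <= 60:
            problems.append("Lockout Duration must be 1-60")
        if not 0 <= self.session_timeout_min <= 120:
            problems.append("Session Timeout must be 0-120")
        return problems


@dataclass
class Account:
    name: str
    immune_to_lockout: bool = False          # True for the SA (secadmin) role
    failures: int = 0                        # successive failures since last success
    locked_until: Optional[float] = None
    last_activity: Optional[float] = None    # assumption: one session per account


class Authenticator:
    def __init__(self, rules: LogonRules, accounts: Iterable[Account]):
        assert not rules.validate(), rules.validate()
        self.rules = rules
        self.accounts: Dict[str, Account] = {a.name: a for a in accounts}
        self.security_log: List[Tuple[float, str, str]] = []

    def logon(self, name: str, password_ok: bool, now: float) -> str:
        """Return 'ok', 'rejected' or 'locked' for one logon attempt at time now."""
        acct = self.accounts[name]
        if acct.locked_until is not None and now < acct.locked_until:
            self.security_log.append((now, name, "attempt while locked"))
            return "locked"                  # rejected even with the right password
        if password_ok:
            acct.failures = 0
            acct.locked_until = None
            acct.last_activity = now
            return "ok"
        self.security_log.append((now, name, "logon failure"))   # logged for everyone
        if acct.immune_to_lockout or self.rules.failed_attempts_before_lockout == 0:
            return "rejected"
        acct.failures += 1
        # The threshold is inclusive: a value of 1 locks on the very first failure.
        if acct.failures >= self.rules.failed_attempts_before_lockout:
            acct.locked_until = now + self.rules.lockout_duration_min * 60
            acct.failures = 0
            return "locked"
        return "rejected"

    def session_expired(self, name: str, now: float) -> bool:
        """True when the account's session has been idle for at least the timeout."""
        acct = self.accounts[name]
        timeout = self.rules.session_timeout_min
        if timeout == 0 or acct.last_activity is None:
            return False
        return now - acct.last_activity >= timeout * 60


def demo() -> dict:
    """Constructed walk-through: three failures lock ntappadm for 15 minutes,
    the SA keeps being rejected but never locks, and an idle session expires."""
    rules = LogonRules(failed_attempts_before_lockout=3, lockout_duration_min=15,
                       session_timeout_min=15)
    auth = Authenticator(rules, [Account("ntappadm"), Account("admin", immune_to_lockout=True)])
    sequence = [auth.logon("ntappadm", False, t) for t in (0.0, 10.0, 20.0)]
    locked_retry = auth.logon("ntappadm", True, 30.0)          # correct password, still locked
    after_expiry = auth.logon("ntappadm", True, 30.0 + 15 * 60)   # lockout elapsed
    sa_results = [auth.logon("admin", False, float(t)) for t in range(5)]
    return {
        "sequence": sequence, "locked_retry": locked_retry, "after_expiry": after_expiry,
        "sa_results": sa_results, "sa_locked": auth.accounts["admin"].locked_until is not None,
        "failures_logged": len(auth.security_log),
        "idle_expired": auth.session_expired("ntappadm", 30.0 + 15 * 60 + 15 * 60),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The security log is the part worth watching operationally: because the SA never locks, a burst of "logon failure" entries for that account is the only signal of a guessing attempt against it, which is why the text says standard security logs are still generated.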
Because of these capabilities, consider carefully before assigning the SA role to another
administrator. However, Avaya recommends that every system have at least one other
administrator who is assigned the SA role in addition to the global administrator. This strategy
is useful as a backup in case the global administrator is unavailable, or in case the password
of the global administrator is forgotten.
You can update MCP SNMP Community Strings using the System Management user interface.
To change the SNMP Community String, you must create a new profile (you cannot modify
existing SNMP profiles) and then assign it to each server. For more information, see 105.1.3
AS5300 Security Hardening.
When you create or manage AS 5300 Element Manager administrative user roles, protect
access to the services used to control AS 5300 Element Manager security configuration. These
services include:
AdminUserService: This service controls the adding, editing, and removal of administrative
users (AS 5300 Element Manager Console administration menu item User Administration). It
also controls force-out operations and password administration (administration menu items
Set Administrator Password and Force Password Change).
DebugSecurityService: This service controls the management of debug roles and debug
security settings (AS 5300 Element Manager Console administration menu items Debug
Security Settings and Debug Role Assignment). Debugging control is supported only for Avaya
technicians, and debugging security access should be limited to the administrators who
interface with Avaya technicians.
Log onRulesService: This service controls the management of system log on rules for both the
Element and Provisioning Manager (AS 5300 Element Manager Console administration menu
item Log on Rules).
PasswordRulesService: This service controls the management of system password rules for
both the EM and Provisioning Manager (AS 5300 Element Manager Console administration
menu item Password Rules).
LogProcessingRulesService: This service controls Log Processing configuration for FPs (the
AS 5300 Element Manager and any Fault Performance Managers in the system). Part of the
configuration controlled by this service is the ability to configure where Security Logs are
stored, as well as the remote destinations to which these Security Logs can be pushed using
FTP. Consider these points very carefully before granting write access to this service. It is
highly recommended that only Security Administrators have write access to this service.
LogBrowserFeedService: This service controls the configuration of the Log Browser Feed
functionality on the AS 5300 Element Manager. Because the Log Browser Feed is available to anyone
who can log on to the AS 5300 Element Manager, take care to ensure that the Log Browser
Feed is configured so that security logs are filtered out, if desired.
The following AS 5300 Element Manager Console roles exist: admin, no access, and
secadmin. You cannot modify these roles. The admin and secadmin roles allow access
to all services.
The following Avaya Aura Provisioning Client roles exist: SuperUser and secadmin. Both
roles allow access to all services. You cannot delete or modify these roles. The secadmin
role has special treatment, whereas the SuperUser role is an ordinary role with all service
rights.
A single admin user exists with the secadmin role. This is the Security Administrator (SA).
You can change the admin user's role, or delete the admin user account, but only if
another Security Administrator account exists in the system.
The Password History value is 1 (users cannot reuse their current password).
The session timeout for the Configuration Management interface is 0 minutes (no
timeout).
For the Avaya Aura Provisioning Client, the session timeout value is 15 minutes.
You can enable web server logs on the AS 5300 Element Manager and Provisioning
Manager.
After enabling web server logs, the system writes the logs to the NE application logs. These
logs are found in the following directory on the AS 5300 Element Manager servers:
During Database installation, the system creates a system-level account with a static name,
and randomly generates a password. A System Security Administrator (SSA) can reset the
password for the system-level account, should security policy require it. For more information,
see Database password management on page 75.
Schema account
Application account
For more information about how to change the passwords for these accounts, see Database
password management on page 75.
Subscriber security
The Avaya Aura Application Server 5300 system controls subscriber access with passwords.
Subscriber passwords are subject to password policy, which defines password protection
requirements. You associate a password policy with a domain to apply the policy to all
passwords for the subscribers of that domain.
You can create multiple password policies for an Avaya Aura Application Server 5300 system,
to associate with different domains. Two reserved password policies for the system exist:
Default: assigned to new domains as they are added to the system (if you do not specify
another password policy). You can modify the default policy.
No Policy: disables all password protection associated with password policy. You cannot
modify this policy.
You can configure the following subscriber password protection requirements:
A minimum password length, which must be between 4 and 32 characters. The
specified value must be greater than the sum of the Minimum Number of Digits, Minimum
Number of Lowercase Characters, Minimum Number of Uppercase Characters and
Minimum Number of Special Characters.
A minimum of 0 to 10 special characters that must be present in the password. Valid special
characters are . @ - _ & ' ^ ? ! ( ) , / \ : ; ~ = +
A minimum of 0 to 10 characters in the password that must be different from the previous
password.
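The complexity, history and "different from the previous password" rules above, written out as an added Python example (not code from the Avaya document). The policy values are constructed; the rule that counts characters of the new password that do not appear anywhere in the previous one is an assumed interpretation of the "characters that must be different" setting.

```python
import string
from dataclasses import dataclass

# The special characters the subscriber password policy accepts, exactly as listed.
SPECIAL_CHARS = set(". @ - _ & ' ^ ? ! ( ) , / \\ : ; ~ = +".split())


@dataclass(frozen=True)
class PasswordPolicy:
    """Subscriber password protection requirements, as configured per domain."""
    min_length: int = 8        # 4..32
    min_digits: int = 1        # 0..10
    min_lowercase: int = 1     # 0..10
    min_uppercase: int = 1     # 0..10
    min_special: int = 1       # 0..10
    min_different: int = 0     # 0..10 characters that must differ from the previous password
    history: int = 1           # Password History of 1: the current password cannot be reused

    def problems(self):
        """Return the configuration errors in this policy (empty list = valid policy)."""
        errs = []
        if not 4 <= self.min_length <= 32:
            errs.append("min_length must be between 4 and 32")
        per_class = (self.min_digits, self.min_lowercase, self.min_uppercase, self.min_special)
        if any(not 0 <= n <= 10 for n in per_class + (self.min_different,)):
            errs.append("per-class minimums must be between 0 and 10")
        # Documented rule: the minimum length must exceed the sum of the per-class minimums,
        # otherwise no password could ever satisfy the policy.
        if self.min_length <= sum(per_class):
            errs.append("min_length must be greater than the sum of the per-class minimums")
        return errs


def check_password(policy, new, previous=None):
    """Return the names of the policy rules that `new` violates (empty list = compliant).

    `previous` is the subscriber's current password; it drives the history rule and
    the minimum-different-characters rule.
    """
    violations = []
    if len(new) < policy.min_length:
        violations.append("min_length")
    if sum(c in string.digits for c in new) < policy.min_digits:
        violations.append("min_digits")
    if sum(c in string.ascii_lowercase for c in new) < policy.min_lowercase:
        violations.append("min_lowercase")
    if sum(c in string.ascii_uppercase for c in new) < policy.min_uppercase:
        violations.append("min_uppercase")
    # Only the listed characters count as special: '#', '$' or '%' contribute nothing.
    if sum(c in SPECIAL_CHARS for c in new) < policy.min_special:
        violations.append("min_special")
    if previous is not None:
        if policy.history >= 1 and new == previous:
            violations.append("history")
        # Assumed interpretation: count characters of the new password that do not
        # occur anywhere in the previous password.
        if sum(c not in previous for c in new) < policy.min_different:
            violations.append("min_different")
    return violations
```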
Subscriber password protection also includes the following password protection measures:
Initial password reset to force a subscriber to change the original password given by an
administrator to something only known to the subscriber
Subscriber lockout, which temporarily blocks all authorization attempts for a subscriber
after the number of failed authorizations reaches the configured threshold, enforced as
follows:
An option to configure a Minimum Password Life value, which limits the frequency with
which subscribers can change their password.
An option to configure Expiry notification, which warns users whose password is soon to
expire.
An option to configure an Account inactivity period, which locks the account after a
specified number of consecutive days with no activity.
A password policy is not enforceable on subscribers until it is associated with a domain. When
a password policy is associated with a domain, all subscribers in that domain must conform to
that password policy. When you create a password policy, you can either select the policy
during the creation of a domain or update a domain and select the policy to use.
You can explicitly identify a password policy association when creating a new domain. You can
change the password policy of a domain through the domain modification process. If you do
not explicitly select a password policy when creating a new domain, the domain is given the
Default password policy.
When you create a new subscriber account, the initial password reset value for the domain
determines whether the newly created subscriber must change the initial password. Because
this determination occurs at the time of account creation, subsequent changes to the password
policy, or the movement of the subscriber from one domain to another, have no effect. Therefore,
any user that you create with the initial password reset value of false can log on without
resetting the password, regardless of any subsequent changes to the value of that password
policy parameter.
If you move a subscriber from one domain to another domain, the subscriber must update the
password. The password is validated for conformance during any subsequent attempt to
access the Avaya Aura Application Server 5300 Personal Agent (by the subscriber) or any
subsequent data change attempted on the subscriber account by an administrator.
The password policy prevents subscribers from maintaining passwords that do not conform to
the password policy associated with the domain in which they are assigned (they can actually
have a noncompliant password for a while). They can keep their passwords as long as they
do not log on to their Avaya Aura Application Server 5300 Personal Agent account. If they log
on to their Avaya Aura Application Server 5300 Personal Agent with a nonconforming
password, they are directed to the password change page and cannot do anything on Avaya
Aura Application Server 5300 Personal Agent before changing their password.
If a subscriber password expires or changes during an active call, the call does not get
disconnected during re-registration. The AS 5300 Session Manager skips the credential
validation for the subscriber and sends a registration successful message, if the re-registration
request is received during an active call.
If the AS 5300 UC Client sends a Register message in which the Expires value exceeds one hour,
the SESM changes it to one hour (3600 seconds) to force the client to send the next
re-registration earlier. If the next re-registration request is received while the user is not on an
active call, authorization happens as normal.
Subscriber lockout
Password policy includes the Max Failed Attempts and LockoutDuration parameters. The
system evaluates each subscriber authorization attempt against the password policy for the
current domain, at the time that the authentication attempt occurs. The system manages
authorization attempts on a per network element basis as follows:
If the successive count of failed authorization attempts reaches the Maximum Failed Login
threshold, the subscriber is locked out for the number of seconds given by the value of
LockoutDuration and a log is generated:
ALERT 530 User ID: <<subscriber>> locked out for <<X>> seconds
If the value of Lockout Duration is 0, subscriber lockout is disabled. The system does not
lock out any subscribers, regardless of failed authorization attempts.
During lockout, any attempt to authorize the locked out subscriber fails.
Important:
The system manages authorization attempts internally, by each application. The count does
not persist after a failover.
If you update the password policy for the domain, or move a subscriber to a new domain, the
following points apply to the next failed authorization attempt:
If the new value of Maximum Failed Login is lower than the current number of failed
attempts for a subscriber, the system locks the subscriber out on the next failed
authorization attempt.
If the new value of Maximum Failed Login is higher than the current number of failed
attempts, the system locks the subscriber out after the number of failed attempts reaches
the new threshold. Any failed authorization attempts prior to the change contribute to the
total count.
If a subscriber is currently locked out, the changes do not affect that subscriber until after
the lockout duration expires.
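The per-network-element lockout bookkeeping described above (threshold, LockoutDuration of 0 disabling lockout, the ALERT 530 log line, and the three rules for a policy change) as an added Python model; it is not Avaya's implementation. It assumes that a successful authorization clears the failure count and that the count restarts after a lockout expires, and the clock is injectable so the behaviour can be exercised without waiting.

```python
import time
from dataclasses import dataclass


@dataclass(frozen=True)
class LockoutPolicy:
    max_failed_attempts: int   # Maximum Failed Login threshold
    lockout_duration: int      # seconds; 0 disables subscriber lockout


@dataclass
class SubscriberState:
    failed: int = 0            # successive failed authorizations since the last success
    locked_until: float = 0.0  # epoch seconds; 0 means not locked


class LockoutTracker:
    """Lockout state for one network element. The state lives in memory only, which
    is why the document notes that the count does not persist across a failover."""

    def __init__(self, policy, clock=time.time):
        self.policy = policy
        self.clock = clock            # injectable so tests can control time
        self.states = {}
        self.alerts = []              # ALERT 530 log lines, in order of generation

    def set_policy(self, policy):
        """A new domain policy (or a domain move) is evaluated at the next failed attempt.
        Existing failure counts are kept and an active lockout runs to completion."""
        self.policy = policy

    def is_locked(self, subscriber):
        state = self.states.get(subscriber)
        return state is not None and state.locked_until > self.clock()

    def authorize(self, subscriber, credentials_ok):
        """Apply one authorization attempt; return True when it is accepted."""
        now = self.clock()
        state = self.states.setdefault(subscriber, SubscriberState())
        if state.locked_until > now:
            return False              # during lockout every attempt fails, even a correct one
        if credentials_ok:
            state.failed = 0          # assumption: a successful authorization clears the count
            return True
        state.failed += 1
        policy = self.policy          # evaluated against the policy current at this attempt
        if policy.lockout_duration > 0 and state.failed >= policy.max_failed_attempts:
            state.locked_until = now + policy.lockout_duration
            state.failed = 0          # assumption: the count restarts once the lockout expires
            self.alerts.append(
                f"ALERT 530 User ID: {subscriber} locked out for {policy.lockout_duration} seconds")
        return False


class FakeClock:
    """Controllable clock for demonstrations and tests."""

    def __init__(self, now=0.0):
        self.now = now

    def __call__(self):
        return self.now
```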
Lockout clearing
Generally, after a lockout occurs, the subscriber cannot log on until the lockout duration expires.
While the lockout duration does increase security, you can clear a lockout condition manually.
For more information, see Avaya Aura Application Server 5300 Using the Provisioning Client,
NN42040-112.
Important:
If the lockout clearing procedure becomes a common request, consider raising the Maximum
Failed Login value or lowering the Lockout Duration value, to provide a balance between
security and subscriber support.
Domain security
After you add new domains to a hardened system, you must modify the following to ensure
proper security.
Domain security profile: You must configure the domain security profile to Security
Enforced for both signaling and media. For more information, see 105.1.3 AS5300
Security Hardening.
PA HTTP port: You must turn off the PA HTTP port for each domain by configuring the PA
HTTP port to 0. For more information, see 105.1.3 AS5300 Security Hardening.
Subscriber password policy: You must configure the appropriate subscriber password
policy for each domain. For more information, see 105.1.3 AS5300 Security Hardening.
DSCP (non MLPP) configuration: You must assign the non-MLPP DSCP values for each
domain. For more information, see 105.1.3 AS5300 Security Hardening.
Antivirus
Avaya recommends that you use Symantec AntiVirus for Linux as the antivirus software for
SIP core servers. Symantec AntiVirus for Linux is the only supported antivirus software. The
purchase, installation, and maintenance of this software, including any applicable licensing,
virus definition update subscriptions, and renewal agreements, is optional and the
responsibility of the system administrator. The SIP core installation package does not contain
any antivirus software or virus definition files.
For more information, see 106.2.99 AS5300 Symantec AntiVirus Installation and Antivirus
management on page 79.
The installation software contains a file system integrity (FSI) tool called fcheck. Use this tool
to monitor the file system for unauthorized modifications. Only a user with the SSA
role or the root user can run the fcheck commands.
With this tool, you can create FSI baselines for later verification, to detect unauthorized
changes to the file system. A baseline is the snapshot of all the system files including their size
and permissions, at the time of baseline creation. The verification process detects the following
changes:
The operating system (OS) and Avaya Aura Application Server 5300 software modify files and
directories as a normal function of operation. Baseline checking excludes all log files and log
directories, because of their nature (with respect to file system changes). The following OS
and Avaya Aura Application Server 5300 directories are included in baseline checking:
/var/mcp/dropbox
/var/mcp/dropbox/.auditLoads_chksumCache
/var/mcp/run/<MCP_release>/SM_0/work
/var/mcp/run/<MCP_release>/loads_0
/var/mcp/run/<MCP_release>/loads_0/bin
/etc/ntp/ntp.drift
/etc/ntp/ntpstats/peerstats
/var/mcp/os/baselines
/opt/mcp/uvscan/result.txt
/opt/mcp/fcheck
Avaya recommends that you create FSI baselines weekly and after significant changes to the
file system (such as software installation).
Verification reports
After verification, fcheck reports findings of changes to the monitored files and directories, to
standard out (STDOUT). The tool reports file and directory changes by using the keyword stat
on file or dir. The tool checks the following file and directory attributes for changes: Inode
number, permission, file size, time of last status change, file UID, file GID, and file CRC
hash.
The system stores FSI baseline files in the /var/mcp/os/baselines directory. If the directory
contains more than 15 files, a warning message appears on STDOUT when you run the
fcheck tool. The system also generates syslog messages to remind you to back up the older
baseline files to prevent the partition from filling up.
You can list all of the baselines currently on the system; the file marked baseline is the one the
system uses for verification. You can also choose a new baseline file for verification (unset the
current file and set another).
Some files and directories on the system change on a regular basis. Because the verification
process would always report these files as changed, they are not good candidates for
monitoring. The excluded files and directories are as follows:
/opt/mcp/db/product/10.2.0/network/log/
/opt/mcp/db/oradata/mcpdb/
/opt/mcp/ossec/logs
/var/mcp/os/baselines/baseline.dbf
/var/mcp/oss/log/
/var/mcp/oss/om/
/var/mcp/oss/tmom/
/dev/core
/dev/fd
/dev/stderr
/dev/stdin
/dev/stdout
/var/mcp/db/data/mcpdb/
/var/mcp/db/data/adump/
/var/mcp/run/ned/ned.log
/var/mcp/spool/log/
/var/mcp/spool/om/
/var/mcp/spool/tmom/
/var/mcp/ma/common/log/
/var/mcp/ma/platdata/CStore/
/var/mcp/ma/platdata/ConfMP/
/var/mcp/ma/platdata/EAM/
/var/mcp/ma/platdata/IvrMP/
/var/mcp/ma/platdata/MySQL/
/var/mcp/ma/platdata/PerfCounterAgent/
/var/mcp/ma/platdata/Reporter/
/var/mcp/ma/platdata/SoapServer/
/var/mcp/ma/platdata/StreamSource/
/var/mcp/ma/platdata/ase/
/var/mcp/ma/platdata/ccxml/
/var/mcp/ma/platdata/tmpdir/
/var/mcp/ma/platdata/vxmli/
/var/mcp/ma/JBoss/bin/cnd/
/var/mcp/ma/JBoss/server/default/log/
An SSA (for example, ntsysadm) can back up FSI baseline files to, or restore them from either
the local server, or a remote server. For more information, see 103.2.3 AS5300 Backup and
Restore and Avaya Aura Application Server 5300 Administration, NN42040-600.
Configuration file
The fcheck configuration file is located at /opt/mcp/fcheck. The fcheck tool uses the following
configuration attributes to specify the files and directories to be monitored:
Directory: specifies the directory to be monitored. A forward slash (/) at the end of the
directory path indicates recursive directory monitoring.
Exclusion: to exclude directories and files that are not intended for monitoring, such as
log files that are known to change frequently on an ongoing basis.
Important:
Use the configuration file only for troubleshooting purposes.
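The baseline-and-verify cycle described under Verification reports and Configuration file above, as an added Python sketch (not Avaya's fcheck): it snapshots the attributes the document lists (inode, permissions, size, time of last status change, UID, GID and a CRC), honours a trailing slash on a Directory entry as recursive monitoring, prunes Exclusion entries, and reports differences in the "stat on file" / "stat on dir" style. The behaviour of a Directory entry without a trailing slash (the directory and its immediate entries only) is an assumption.

```python
import os
import stat
import zlib


def _crc32(path):
    """CRC of the file content, streamed so large files need not fit in memory."""
    crc = 0
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            crc = zlib.crc32(chunk, crc)
    return crc


def snapshot(path):
    """The attributes fcheck compares, for one file or directory (lstat: symlinks are not followed)."""
    st = os.lstat(path)
    attrs = {
        "type": "file" if stat.S_ISREG(st.st_mode) else "dir" if stat.S_ISDIR(st.st_mode) else "other",
        "inode": st.st_ino,
        "perm": stat.S_IMODE(st.st_mode),
        "size": st.st_size,
        "ctime": int(st.st_ctime),
        "uid": st.st_uid,
        "gid": st.st_gid,
    }
    if attrs["type"] == "file":
        attrs["crc"] = _crc32(path)   # catches same-size edits that size alone would miss
    return attrs


def is_excluded(path, exclusions):
    """True when path is an Exclusion entry itself or lies beneath an excluded directory."""
    for entry in exclusions:
        root = entry.rstrip("/") or "/"
        if path == root or path.startswith(root.rstrip("/") + "/"):
            return True
    return False


def monitored_paths(config):
    """Expand the Directory/Exclusion attributes into the set of paths to check.

    A trailing slash on a Directory entry means recursive monitoring, as in the fcheck
    configuration file; without it only the directory and its immediate entries are
    monitored (assumed behaviour).
    """
    exclusions = config["exclusions"]
    paths = set()
    for entry in config["directories"]:
        root = entry.rstrip("/") or "/"
        if not os.path.isdir(root) or is_excluded(root, exclusions):
            continue
        paths.add(root)
        for dirpath, dirnames, filenames in os.walk(root):
            # prune excluded subdirectories so os.walk never descends into them
            dirnames[:] = [d for d in dirnames if not is_excluded(os.path.join(dirpath, d), exclusions)]
            files = [f for f in filenames if not is_excluded(os.path.join(dirpath, f), exclusions)]
            for name in dirnames + files:
                paths.add(os.path.join(dirpath, name))
            if not entry.endswith("/"):
                break
    return paths


def create_baseline(config):
    """Snapshot every monitored path: {path: attributes}."""
    return {p: snapshot(p) for p in sorted(monitored_paths(config))}


def verify(baseline, config):
    """Re-snapshot the monitored paths and report every difference from the baseline."""
    current = create_baseline(config)
    reports = []
    for path in sorted(set(baseline) | set(current)):
        if path not in current:
            reports.append({"kind": "missing", "path": path, "changed": []})
        elif path not in baseline:
            reports.append({"kind": "new", "path": path, "changed": []})
        else:
            changed = [k for k, v in baseline[path].items() if current[path].get(k) != v]
            if changed:
                reports.append({"kind": "stat on " + baseline[path]["type"],
                                "path": path, "changed": changed})
    return reports
```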
HTTPS certificates
After installation, a default self-signed certificate exists for all HTTPS communications. Avaya
recommends that you replace the certificate with a CA-signed certificate for each component
in the system. After you replace the certificates, you must configure the AS 5300 Element
Manager and the Provisioning Manager to use the new certificate. For more information, see
Application security configuration on page 125.
The AS 5300 Element Manager Console supports the usage of ActivClient Common Access
Card (CAC) PKCS11 library for Department of Defense (DoD) CAC integration. After you install
the ActivClient software and configure the AS 5300 Element Manager Console to use the CAC,
administrators must enter the personal identification number (PIN) from the CAC, as well as
their user name and password to authenticate.
For more information about how to configure the AS 5300 Element Manager Console to use
CAC, see Configuring the AS 5300 Element Manager Console with certificates for HTTPS and
SIPCAC on page 127.
For more information about how to use the AS 5300 Element Manager Console, see Avaya
Aura Application Server 5300 Configuration, NN42040-500.
The Application Server 5300 UC Client supports the usage of ActivClient Common Access
Card (CAC) for Department of Defense (DoD) CAC integration. After you insert the CAC, enter
the personal identification number (PIN) for the ActivClient and then enter the user name and
password for Application Server 5300 UC Client to authenticate.
For more information about how to install and launch Application Server 5300 UC Client, see
Avaya Aura Application Server 5300 UC Client User Guide, NN42040-107.
For more information about how to use the Common Access Card, see 102.1.3 AS 5300 Card
Reader Installation for UC Client.
Application logging
After you harden the MCP application logging, the system writes network element (NE) logs
to the following directories on the servers hosting the AS 5300 Element Manager Console NEs:
Users in the AA role can view the non-security-related logs. Only users in the SSA or SA
roles can view the secure logs.
In addition to the NE logs, the AS 5300 Element Manager Console and Provisioning Manager
NEs also write access logs to the platform.
The AS 5300 Element Manager Console writes logs to the /var/mcp/run/<MCP version>/
<EM_NEI_name>/tomcat/logs/ directory. The <EM_NEI_name> is the instance name of the
AS 5300 Element Manager Console on that server. For example, SM1_0 denotes the primary
AS 5300 Element Manager Console instance.
Security logs
Navigation:
Syslog on page 69
Syslog
The system stores syslogs and security-related syslogs in the var/logs directory. Administrators
who have the role of SA or SSA can view syslogs. Only the root user can delete syslogs from
the system. However, the SA can force the logs to rotate by using the logrotate command.
By default, syslogs rotate daily and store up to 15 days worth of logs. After 15 days, the system
deletes the oldest log on a daily basis. Avaya recommends that you transfer the logs from the
server within 15 days, to prevent the loss of any log files after file rotation.
You can also configure the system to send syslogs to a syslog server. This configuration
typically occurs during system installation, but the SSA can choose to configure this at run time
by issuing the reconfigure script. You must configure the remote syslog server as a trusted
node, if an ACL firewall is configured on the system.
System audit
You can use audit logs to track and monitor administrative user behavior. The system
generates these logs and they can only be viewed by the SA or SSA.
command issued
object operated on
terminal type
exit code
The system stores audit logs in /var/log/audit. By default, the logs rotate daily, and the system
stores up to 15 days' worth of audit logs. After 15 days, the system deletes the oldest log. An
SSA or SA can force audit logs to rotate by issuing the logrotate command. Only the root user,
or an SSA with root access, can delete audit logs.
Audit logs are rotated daily and can store up to 15 days of logs. After 15 days, the oldest log
is deleted on a daily basis. If the /var/log partition fills up, any SSA with root
access can log on and delete these logs. Avaya recommends that you back up the logs before
deleting them.
If the system cannot write to the audit log, the system sends a message to syslog to indicate
the failure. After the free disk space for this partition drops below 750 MB, the system sends
a warning message to syslog.
After the free disk space for this partition drops below 250 MB, the system sends another
message to syslog to indicate that the disk is full, and logging may be interrupted. If the disk
partition fills up, Avaya recommends that you back up the logs, and then log on as root and
delete them.
To view the current audit rules, open the file /etc/audit/audit.rules as an SSA user on any SIP
Core or Avaya Media Server (MS). The rules are specific to either SIP Core or Avaya MS, so
different servers display different sets of rules.
Warning:
Do not change the audit rules file. If you change this file, auditing might cease to function
on the system.
Typically, system audit configuration occurs during initial installation. However, the SSA can
configure audit log settings by issuing the following command:
configAudit
You can also configure audit log settings by running the reconfigure script. If you change the
audit log configuration, you must reboot the system.
Any SSA or SA user can use the following tools to view audit logs:
ausearch: search for patterns in the audit log (use --help for instructions)
Users with SSA or SA roles can also view the audit logs using vi and grep, if required.
Audit logs can be archived and transferred to another server for archiving or filtering. The
system does not delete the audit logs on the server; it transfers a copy of the logs. You must
be a root user to delete logs to free disk space. For more information, see 103.2.3 AS5300
Backup and Restore.
Failed logons
To view failed log on attempts, use the grep command for the audit log files and search for the
words "authentication" and "failed". The following example shows a failed login from the server
command line:
As shown in the following example, a summary report displays the number of failed
attempts.
Summary Report
======================
Range of time in logs: 05/10/2010 09:56:37.956 - 05/10/2010 11:13:53.107
Selected time for report: 05/10/2010 09:56:37 - 05/10/2010 11:13:53.107
Number of changes in configuration: 110
Number of changes to accounts, groups, or roles: 18
Number of logins: 3
Number of failed logins: 1
Number of authentications: 12
Number of failed authentications: 2
Number of users: 2
Number of terminals: 14
Number of host names: 3
Number of executables: 26
Number of files: 5805
Number of AVC's: 0
Number of MAC events: 0
Number of failed syscalls: 42
Number of anomaly events: 0
The file system is locked down mainly by using file permissions appropriate to the
administrator's role. However, these files require traceability for any modifications or
additions.
Auditing is based on watch rules on files and directories. The watch rule on directories includes
all the files in that directory. Most of the watch rules are on write or append to the directory and
files.
process ID
In this example, an administrator with userid 2023310 (field uid in the type=SYSCALL line)
tried to issue the touch command (field exe in the type=SYSCALL line) on the file /opt/mcp/
java/myfile.xml (field name in the type=PATH line) and did not succeed (field success in the
type=SYSCALL line).
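The two reading tasks above, the "authentication"/"failed" search under Failed logons and the SYSCALL/PATH field walk-through in this example, as an added Python parser (not from the Avaya document). The audit records are constructed for the example: the userid and file path are the ones quoted above, and the account name, host address and serial numbers are invented.

```python
import re

# Constructed sample audit records: a failed and a successful PAM authentication over SSH,
# then the SYSCALL/CWD/PATH group for a denied touch on the file named in the document.
SAMPLE_LINES = [
    "type=USER_AUTH msg=audit(1273506997.956:1201): user pid=4321 uid=0 auid=2023310 ses=7 "
    "msg='op=PAM:authentication acct=\"ntsysadm\" exe=\"/usr/sbin/sshd\" hostname=10.0.0.5 "
    "addr=10.0.0.5 terminal=ssh res=failed'",
    "type=USER_AUTH msg=audit(1273507010.118:1202): user pid=4330 uid=0 auid=2023310 ses=8 "
    "msg='op=PAM:authentication acct=\"ntsysadm\" exe=\"/usr/sbin/sshd\" hostname=10.0.0.5 "
    "addr=10.0.0.5 terminal=ssh res=success'",
    "type=SYSCALL msg=audit(1273507233.107:1340): arch=c000003e syscall=2 success=no exit=-13 "
    "a0=7fff5c10 a1=941 a2=1b6 a3=0 items=1 ppid=5100 pid=5123 auid=2023310 uid=2023310 gid=500 "
    "euid=2023310 suid=2023310 fsuid=2023310 egid=500 sgid=500 fsgid=500 tty=pts1 ses=8 "
    "comm=\"touch\" exe=\"/bin/touch\" key=\"mcp_java\"",
    "type=CWD msg=audit(1273507233.107:1340):  cwd=\"/home/ntsysadm\"",
    "type=PATH msg=audit(1273507233.107:1340): item=0 name=\"/opt/mcp/java/myfile.xml\" "
    "inode=131 dev=fd:00 mode=0100640 ouid=0 ogid=500 rdev=00:00",
]

# key=value tokens; values may be single-quoted (nested PAM message), double-quoted, or bare.
KV_RE = re.compile(r"""(\w+)=('[^']*'|"[^"]*"|\S+)""")
# msg=audit(<epoch seconds>:<serial>): the serial ties SYSCALL, CWD and PATH records together.
AUDIT_ID_RE = re.compile(r"audit\((\d+\.\d+):(\d+)\)")


def parse_record(line):
    """Split one audit record into a dict. The single-quoted PAM message nested inside
    msg='...' is parsed too and flattened into the same dict."""
    fields = {}
    for key, raw in KV_RE.findall(line):
        if raw.startswith("'") and raw.endswith("'"):
            fields.update(parse_record(raw[1:-1]))
        else:
            fields[key] = raw.strip('"')
    return fields


def failed_authentications(lines):
    """The documented search: records containing both "authentication" and "failed"."""
    return [parse_record(line) for line in lines if "authentication" in line and "failed" in line]


def syscall_events(lines):
    """Join SYSCALL and PATH records by audit serial: {serial: {uid, exe, success, paths, ...}}.
    Only serials that carry a SYSCALL record are returned."""
    events = {}
    for line in lines:
        rec = parse_record(line)
        match = AUDIT_ID_RE.search(rec.get("msg", ""))
        if not match:
            continue
        event = events.setdefault(match.group(2), {"time": float(match.group(1)), "paths": []})
        if rec.get("type") == "SYSCALL":
            event.update(uid=rec.get("uid"), exe=rec.get("exe"), comm=rec.get("comm"),
                         success=rec.get("success") == "yes", exit=rec.get("exit"))
        elif rec.get("type") == "PATH":
            event["paths"].append(rec.get("name"))
    return {serial: event for serial, event in events.items() if "exe" in event}
```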
You can transfer security logs from the server to a secured server. This action does not delete
the security logs from the server because the transfer process copies the logs without deleting
them from the original location. Only a root user can delete logs to free up disk space. For more
information about how to back up the Avaya Aura Application Server 5300 system, see Avaya
Aura Application Server 5300 Backup and Restore Method and Avaya Aura Application
Server 5300 Administration, NN42040-600.
System alarms
You can monitor the following disk partitions from the AS 5300 Element Manager Console, for
utilization:
boot
/var
/var/mcp
/var/log
/admin
/home
/opt
/tmp
After the system raises an alarm for disk usage, you can configure new alarm thresholds for
disk space usage, or remove unnecessary files from the server, and then clear the alarm when
the disk space is freed up. For more information about how to configure alarm thresholds, see
Avaya Aura Application Server 5300 Configuration, NN42040-500.
Important:
Only the root user can delete files to free up disk space.
About this task
Use the procedures in this chapter to manage passwords for the database. For more information, see
103.2.5 AS5300 Database Management.
Navigation:
Changing the database application password, without changing the load on page 76
Policy can require that you periodically change all system passwords. Use the following
procedure to reset the passwords for the system level internal database accounts.
Important:
Only the database software uses the internal accounts. To prevent users from logging on to
these accounts, the passwords are randomly generated and not available to users. These
accounts are also locked.
Procedure
1. Log on to the server that hosts the primary database, as a user with SSA role.
2. Enter the command to reset the password for one of the internal database accounts:
resetDbSystemUserPasswd sys
resetDbSystemUserPasswd system
resetDbSystemUserPasswd internal
3. If a password prompt appears, enter the password for the SSA account.
Use the following procedure to change the password for the database Schema account.
Procedure
1. Log on to the server that hosts the primary AS 5300 Element Manager Console
(Instance 0), as a user with SSA role.
3. If a password prompt appears, enter the password for the SSA account.
Use the following procedure to change the password for the database application without
upgrading the load.
You are familiar with the procedure to deploy and start network elements. For more
information, see Avaya Aura Application Server 5300 Configuration, NN42040-500.
Procedure
1. Log on to the server that hosts the primary AS 5300 Element Manager (Instance
0), as a user with SSA role.
3. If a password prompt appears, enter the password for the SSA account.
5. Log on to the server that hosts the primary AS 5300 Element Manager (Instance
0), as a user with AA role.
6. Change directory:
cd /var/mcp/install
PROV Manager
Important:
Avaya recommends that, for network elements with a hot standby instance, you stop,
deploy, and start the hot standby instance first.
9. Log on to the server that hosts the primary AS 5300 Element Manager (Instance
0), as a user with SSA role.
Use the following procedure to change the database application password as part of a
Maintenance Release or patch upgrade.
You are familiar with the procedure to apply a Maintenance Release or patch upgrade.
For more information, see 103.2.2 AS5300 MR And Patch Guide.
Procedure
1. Log on to the server that hosts the primary AS 5300 Element Manager (Instance
0), as a user with SSA role.
3. If a password prompt appears, enter the password for the SSA account.
6. Log on to the server that hosts the primary AS 5300 Element Manager (Instance
0), as a user with SSA role.
8. If a password prompt appears, enter the password for the SSA account.
This step removes the old application account.
Important:
If any network element is not upgraded and is therefore still running the old load,
an error message appears. To complete the procedure, repeat 5 on page 78 (for
the affected network elements) to 8 on page 77.
The following procedures explain how to manage the antivirus software. For information about how to
install and configure the antivirus software, see the Avaya antivirus installation method.
Warning:
Read all of the procedures carefully before you install the software. Adherence to the procedures and
requirements described in the following procedures is mandatory for warranty of the system.
Important:
Backups of the core servers or Avaya Media Servers do not include the antivirus software. After you
restore or reinstall a server, you must manually install, configure, and update the antivirus software and
virus definitions.
Navigation
Use this procedure to update the virus definitions. The virus definition files must be kept up to
date on the system for valid and effective scans. Update the virus definition files after the
initial installation and then on an ongoing, regular basis, to maintain the security of the
system.
For detailed information about antivirus procedures, use the antivirus documentation. You can
obtain the documentation from the antivirus manufacturer's web site, and many antivirus
packages install documents on the server.
You have obtained the updater package from the antivirus support site or the appropriate
enterprise or DoD internal distribution site.
Important:
Repeat this procedure on each server in the system.
Antivirus management
Procedure
1. As an SSA, transfer the package to each server using SFTP to the /var/tmp/SAV
directory.
6. Ensure that the updater file has the appropriate execute permissions configured.
For example, to update to the June 2, 2010 update (20100602-002-unix.sh):
chmod 755 20100602-002-unix.sh
7. At the prompt, enter the following to execute the updater to extract and install the
new definitions:
For example:
./20100602-002-unix.sh
rm 20100602-002-unix.sh
For detailed information about how to schedule virus scans, use the antivirus
documentation.
Procedure
Important:
Schedule the virus scan during the lowest traffic time on the AS 5300 servers to
minimize scanning impact.
About this task
Use the procedures in this section to verify file system integrity (FSI) and to manage FSI baselines.
Prerequisites:
You are a user with SSA role or a root user.
Navigation:
Create an FSI baseline on a weekly basis or after any significant changes to the system, such
as software installation.
Procedure
Important:
A typical baseline can take at least 10 minutes to create.
Procedure
You can list all of the file system integrity (FSI) baselines currently stored on the server. The
system uses the file marked baseline for verification. You can select a different baseline file to
use for verification.
Procedure
Choose to
Exit
If you configure a remote Syslog server on the platform, the system sends all local syslogs to
both the remote syslog server and to the local syslog server.
Procedure
Procedure
Procedure
4. Select an action:
Choose to
Enter
This chapter provides the procedures that you require to configure and manage administrator security for the database and the following tools:
Navigation:
Exporting configuration data for AS 5300 Element Manager Console on page 113
Importing configuration data for AS 5300 Element Manager Console on page 114
Resetting the password for the AS 5300 Element Manager Console admin account on page 116
Resetting the password for an AS 5300 Element Manager Console administrator on page 117
Resetting the password for the Provisioning Manager admin account on page 121
Use this procedure to enable web server logs on the AS 5300 Element Manager and
Provisioning Manager network elements.
Procedure
6. Click -/+.
8. Click Apply.
Configure the password complexity rules and password aging rules to enhance the security of
the AS 5300 Element Manager Console, Open Management Interface (OMI), and Avaya Aura
Provisioning Client passwords.
Procedure
1. From the menu bar of the AS 5300 Element Manager Console, select
Administration > Password Rules.
2. In the Password Rules pane, under Password Complexity Rules, configure the
parameters as required.
3. In the Password Rules pane, under Password Aging Rules, configure the
parameters as required.
4. Click Apply.
The following job aid lists and describes the parameters on the Password Rules panel.
Parameter: Minimum Password Length
Description: This rule defines the minimum number of characters that must be included in a password. The range of values allowed is 4-32. Default value: 8
Note: The following restrictions apply:
The Minimum Password Length must be equal to or greater than the total of the Minimum Lowercase Characters, Minimum Uppercase Characters, Minimum Digit Characters, and Minimum Special Characters values.
If Check For Dictionary Words in Password is enabled, the Minimum Password Length value must be 6 or more.
Caution: The system supports passwords up to a maximum of 511 characters. However, some phone clients limit the maximum length of passwords. Verify the capabilities of your phone before creating a long password.

Parameter: Minimum Lowercase Characters
Description: This rule defines the minimum number of lowercase characters that must be included in a valid password. Lowercase characters are defined by the US-ASCII character set, a-z. The range of values allowed is 0-10. Default value: 2

Parameter: Minimum Uppercase Characters
Description: This rule defines the minimum number of uppercase characters that must be included in a valid password. Uppercase characters are defined by the US-ASCII character set, A-Z. The range of values allowed is 0-10. Default value: 2

Parameter: Minimum Digits

Parameter: Maximum Consecutive Characters

Parameter: Password History

Parameter: Check For Dictionary Words in Password
Description: ... rule is case insensitive, so, for example, the passwords "sysAdmin123", "sysadmin123" and "sysADMIN123" are all found to contain "admin". Select TRUE or FALSE. Default value: TRUE.
Configure new roles for the AS 5300 Element Manager Console and assign the roles to users
to specify admin privileges and level of access.
Procedure
1. From the menu bar of the AS 5300 Element Manager Console, select
Administration > Role Definition.
3. In the Add Role dialog box, in the Role Name box, type a name to identify the new
role.
4. Select the required READ, WRITE, and MAINT to configure privileges for each
service.
5. Click Apply.
The following job aid lists and describes the parameters that you use to configure AS 5300
Element Manager Console roles.
Parameter: Role Name
Description: Enter the role name in this text box. This name cannot be changed after the role is created. A valid role name must consist of 4-36 alphanumeric characters that may also include, but not begin or end with, the following 8 additional characters: space @ # & ( ) + -
The effects of the READ, WRITE, and MAINT privileges differ according to the service that is
selected; however, the following points generally apply:
The READ privilege typically allows you to view, but not modify configuration data.
The WRITE privilege enables READ automatically and allows you to add and modify configuration data.
The MAINT privilege allows you to start and stop services, but does not allow you to change configuration data. Typically you must also have the READ privilege in addition to MAINT.
The following job aid lists and describes the services for which you can add READ, WRITE,
and MAINT privileges to roles.
Service and description:
AcctProcessingRuleService
AdminUserService
AlarmMgmtService: Alarms configuration
AlarmMtcService: Acknowledgement/clearing of alarms
AlarmQueryService: Alarm viewing
AMOssProfileService
AudioCodesNumMapIP2TelService: IPToTelephonyMap configuration
AudioCodesServerService
AudioCodesServerStateService
AudioCodesTrunkService
AuthenticationService
BannerConfigService
CallAgentService
CertificateService: Certificate configuration
ChassisMonitorService
ChassisService
CipherSuiteService
ConfigParmService: Configuration parameters
ConfigRoleAssignmentService
ConfigRoleDefinitionService
CscfService: CSCF configuration
DBInstanceService
DBMonitorConfigService
DBMonitorService
DebugSecurityService
EndpointMtcService
EngParmService
ExportImportService
FPOssProfileService
FlowSpecCodecService
FlowSpecService: FlowSpec configuration
GatewayControllerLinkMtcService
GatewayControllerService
GatewayService: Gateway configuration
HttpsCipherSuiteService
IPAddressService: IP address configuration
InfoElementService
LogBrowserFeedService
LogProcessingRuleService
LoginRulesService
LOMServerService
LicenseKeyService
LocationServiceMgr
LogicalDBService: Database configuration
LogStreamService: Log viewing
MASService
MPClusterConfigParmsService
MPClusterFaultToleranceService
MPClusterGwcCallSvrService
MPClusterMultiGwy
MPClusterNet2RouteService
MPClusterService
MPClusterSessionMgrService
MPClusterStaticRouteService
MPClusterSvcInstanceService
MPClusterVlan
NEInstanceService
NERecordStreamService
NEService
NcasLinkMtcService
Net2RouteService
NetworkAddrService
NetworkTypeService
NodeService: Node configuration
OMProcessingRuleService
OMQueryService: OM viewing
OssProfileService
PasswordRulesService
PhysicalServerService: Server configuration
PhysicalSiteService
PolicyServerConnectionService
PolicyServerService
RTPPortalBladeService
RegisteredGwcService
ServerLOMCommandService
ServerMonitorConfigService
ServerMonitorService: Server monitoring
SIPProxyService
SignalingCipherSuiteService
SnmpProfileService
StaticRouteService
SubnetMaskService
UpgradeManagerService
VMGAppearanceService
VlanService: VLANs configuration
WebServicesService
Use this procedure to configure a new administrative user for the AS 5300 Element Manager
Console.
Procedure
1. From the menu bar of the AS 5300 Element Manager Console, select
Administration > User Administration.
3. In the Add User Account dialog box, configure the parameters as required.
4. Click Apply.
The system validates the configuration data. If the change is valid, the Add User
Account dialog box closes and the new account appears on the User Administration
panel.
Important:
The new user account has no access. You must assign roles to new users so that
they can perform the administrative functions associated with their roles.
The following job aid lists and describes the parameters that you configure on the Add User
Account dialog box.
Parameter: User ID
Description: Enter the account user name; the new administrator uses this ID to log on. It must contain between 4 and 16 characters. Valid characters include the following US-ASCII character sets: a-z, A-Z, 0-9, the underscore ( _ ) and the hyphen (-).

Parameter: User Name
Description: Enter the administrator's first and last names. This text field can have up to 36 characters. There are no character restrictions.

Parameter: Password

Parameter: Password Confirm

Parameter: Maximum Password Life

Parameter: Force Password Change
Description: If you select this check box, the administrator must change the password during initial login.

Parameter: Account Disabled
Description: If you select this check box, the account is disabled and the administrator cannot log on.

Parameter: Disable Account Inactivity Period
Description: If you select this check box, the account will never be disabled due to inactivity.

Parameter: Immune to Expiry
Description: If you select this check box, password aging rules do not apply to the account, but all password complexity rules apply. For secure systems, select this option only for nonhuman accounts.
Use this procedure to assign a role to a new AS 5300 Element Manager Console user, or to
change the role currently assigned to an existing administrator.
You must know the Global Administrator account password or be assigned the admin
role.
Procedure
1. From the menu bar of the AS 5300 Element Manager Console, select
Administration > Role Assignment.
2. From the Role Assignment panel, select the user for which you want to assign a
role, and click Edit (-/+).
3. From the Available Roles list, select a role and click Apply.
Use this procedure to configure log on and session rules for the following interfaces:
Procedure
1. From the menu bar of the AS 5300 Element Manager Console, select
Administration > Login Rules.
3. Click Apply.
The following job aid lists and describes the parameters on the Login Rules dialog box.
Parameter: Login Interface
Description: Select the interface to edit:
Select Configuration Management (OMI) to configure rules for the AS 5300 Element Manager Console / AS 5300 Element Manager.
Select Provisioning Management (PROV) to configure rules for the Provisioning Client.

Parameter: Session Timeout (minutes)

Parameter: Failed Login Attempts before Lockout

Parameter: Lockout Duration (minutes)

Parameter: Account Inactivity Period (days)
Use this procedure to configure new roles for the Provisioning Client and assign the roles to
users to specify administrator privileges and level of access.
Procedure
1. From the Provisioning Client menu bar, select Admin > Role to access the Admin
Role portlet.
2. On the Add tab, in the Role Name box, type a name for the new role.
4. Under the Select All option, check the Read, Write, or Delete boxes if you want
the administrator to have a specific privilege or check all boxes to provide all
privileges.
5. Under the Data Layer Management option, check the Write and Delete boxes if
you want the administrator to have one or both privileges on the System,
Domain, and User level.
6. Select the necessary Read, Write, and Delete check boxes to configure access for
each Admin privilege.
7. Click Save.
Use this procedure to configure new Admin users for the Provisioning Client. Assign each new
Admin a role so they can perform the administrative functions associated with that role.
Procedure
1. From the Provisioning Client menu bar, select Admin > Add to access the Admin
portlet.
3. Click Save.
Parameter: Name

Parameter: First Name

Parameter: Last Name

Parameter: Password

Parameter: Confirm password

Parameter: Enforce password change
Description: Select this check box to enforce password change during the first log on.

Parameter: Enable account

Parameter: Immune to account inactivity period

Parameter: Maximum Password Life
Description: The value you enter in this field overrides the system Password Policy for Maximum Password Life. Leave blank to use the system value. This parameter defines the maximum number of days before the user's password expires. The range of values allowed is 0-180 days. For a password that never expires, enter 0 (zero). Default value: 90

Parameter: Business Phone

Parameter: Home Phone

Parameter: Cell Phone

Parameter: Pager

Parameter: Time Zone
Description: This parameter (select from the list) contains the user's time zone.

Parameter: Locale
Configure banner text to display advisory warnings before and after log on for the OPI, Avaya
Aura Provisioning Client, AS 5300 Element Manager Console, and Debug interfaces.
Procedure
1. In the configuration view of the AS 5300 Element Manager Console, select Network
Data and Mtc > Banners.
2. On the Banners panel, from the Banner Type list, select a banner type.
To configure / Do this:
A warning banner to appear after debug log on: Select Debug Post Log on.
A warning banner to appear before users log on.
A warning banner to appear after users log on: Select User Post Log on.
5. Click Apply.
The following job aid describes the parameters that appear on the Banners panel.
Parameter: Banner Data
Description: Enter the text of the warning banner in this text box. The text has a maximum length of 2000 bytes of UTF-8 encoded characters. The Debug Pre and Post Login banners are restricted to characters in the ANSI_X3.4-1968 character set (also known as US-ASCII).

Parameter: Enabled
You can modify log on and session rules for the following interfaces:
Procedure
1. From the menu bar of the AS 5300 Element Manager Console, select
Administration > Login Rules.
The following job aid lists and describes the fields on the Log on Rules panel.
Parameter: Login Interface
Description: Select the interface to edit:
Select Configuration Management (OMI) to configure rules for the AS 5300 Element Manager Console / AS 5300 Element Manager.
Select Provisioning Management (PROV) to configure rules for the Provisioning Client.

Parameter: Session Timeout (minutes)

Parameter: Failed Log on Attempts before Lockout

Parameter: Lockout Duration (minutes)

Parameter: Account Inactivity Period (days)
You can modify the password complexity rules and password aging rules to enhance the
security of AS 5300 Element Manager Console, Open Management Interface (OMI), and
Avaya Aura Provisioning Client passwords.
Procedure
1. From the menu bar of the AS 5300 Element Manager Console, select
Administration > Password Rules.
4. Click Apply.
The following job aid lists and describes the fields on the Password Rules panel, which apply
to Admin users.
Parameter: Minimum Password Length
Description: This rule defines the minimum number of characters that must be included in a password. The range of values allowed is 4-32. Default value: 8
Note: The following restrictions apply:
The Minimum Password Length must be equal to or greater than the total of the Minimum Lowercase Characters, Minimum Uppercase Characters, Minimum Digit Characters, and Minimum Special Characters values.
If Check For Dictionary Words in Password is enabled, the Minimum Password Length value must be 6 or more.
Caution: The system supports passwords up to a maximum of 511 characters. However, some phone clients limit the maximum length of passwords. Verify the capabilities of your phone before creating a long password.

Parameter: Minimum Lowercase Characters
Description: This rule defines the minimum number of lowercase characters that must be included in a valid password. Lowercase characters are defined by the US-ASCII character set, a-z. The range of values allowed is 0-10. Default value: 2

Parameter: Minimum Uppercase Characters
Description: This rule defines the minimum number of uppercase characters that must be included in a valid password. Uppercase characters are defined by the US-ASCII character set, A-Z. The range of values allowed is 0-10. Default value: 2

Parameter: Minimum Digits

Parameter: Maximum Consecutive Characters
Description: ... The range of values allowed is 0-10. Default value: 0

Parameter: Password History
Description: ... than the Maximum Password Life, and must be greater than the Minimum Password Life. The range of values allowed is 0-30 days. Default value: 7
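The Password Rules job aid above (and the identical job aid earlier in this chapter for the AS 5300 Element Manager Console), as an added example that is not Avaya code: a checker that first validates a Password Rules configuration against the job aid's own restrictions (minimum length at least the sum of the per-class minimums; dictionary checking requires a minimum length of 6 or more) and then tests candidate passwords, including the case-insensitive dictionary-word check. The word list, the zero defaults for digit and special-character minimums, and treating ASCII punctuation as the special class are assumptions for the example.

```python
"""Password-rule checker modelled on the AS 5300 Password Rules job aid.

Added example, not Avaya code. The word list, the zero defaults for the
digit and special-character minimums, and treating ASCII punctuation as
the "special" class are assumptions for this illustration.
"""
import string
from dataclasses import dataclass

# Constructed word list for the example; a deployment would use a real dictionary.
EXAMPLE_DICTIONARY = ("admin", "password", "avaya", "welcome")

# Hard ceiling stated in the job aid's caution.
SYSTEM_MAX_LENGTH = 511


@dataclass
class PasswordRules:
    min_length: int = 8             # allowed 4-32, default 8
    min_lowercase: int = 2          # allowed 0-10, default 2
    min_uppercase: int = 2          # allowed 0-10, default 2
    min_digits: int = 0             # default assumed; the page gives no value
    min_special: int = 0            # default assumed; the page gives no value
    check_dictionary: bool = True   # TRUE/FALSE, default TRUE
    dictionary: tuple = EXAMPLE_DICTIONARY

    def policy_errors(self) -> list:
        """Ways the configuration itself breaks the job aid's restrictions."""
        errors = []
        if not 4 <= self.min_length <= 32:
            errors.append("Minimum Password Length must be 4-32")
        for name in ("min_lowercase", "min_uppercase", "min_digits", "min_special"):
            if not 0 <= getattr(self, name) <= 10:
                errors.append(f"{name} must be 0-10")
        category_total = (self.min_lowercase + self.min_uppercase
                          + self.min_digits + self.min_special)
        if self.min_length < category_total:
            errors.append("Minimum Password Length is below the sum of the "
                          "per-class minimums")
        if self.check_dictionary and self.min_length < 6:
            errors.append("dictionary checking requires Minimum Password Length "
                          "of 6 or more")
        return errors


def password_errors(password: str, rules: PasswordRules) -> list:
    """Rules a candidate password fails; an empty list means it is accepted."""
    errors = []
    if len(password) < rules.min_length:
        errors.append(f"shorter than {rules.min_length} characters")
    if len(password) > SYSTEM_MAX_LENGTH:
        errors.append(f"longer than the {SYSTEM_MAX_LENGTH}-character system maximum")
    # The job aid defines the classes on US-ASCII, so non-ASCII characters
    # count toward the length only.
    counts = {
        "lowercase": sum(c in string.ascii_lowercase for c in password),
        "uppercase": sum(c in string.ascii_uppercase for c in password),
        "digit": sum(c in string.digits for c in password),
        "special": sum(c in string.punctuation for c in password),
    }
    required = {
        "lowercase": rules.min_lowercase,
        "uppercase": rules.min_uppercase,
        "digit": rules.min_digits,
        "special": rules.min_special,
    }
    for cls, needed in required.items():
        if counts[cls] < needed:
            errors.append(f"needs at least {needed} {cls} characters")
    if rules.check_dictionary:
        # Case-insensitive substring check: "sysAdmin123", "sysadmin123" and
        # "sysADMIN123" all contain "admin".
        lowered = password.lower()
        for word in rules.dictionary:
            if word in lowered:
                errors.append(f"contains dictionary word '{word}'")
    return errors
```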
You can modify roles for the AS 5300 Element Manager Console to specify admin privileges
and level of access.
Procedure
1. From the menu bar of the AS 5300 Element Manager Console, select
Administration > Role Definition.
2. On the Role Definition panel, select the role to modify, and then click Edit (-/+).
3. Select the required READ, WRITE, and MAINT to configure privileges for each
service.
4. Click Apply.
The effects of the READ, WRITE, and MAINT privileges differ according to the service that is
selected; however, the following points generally apply:
The READ privilege typically allows you to view, but not modify configuration data.
The WRITE privilege enables READ automatically and allows you to add and modify configuration data.
The MAINT privilege allows you to start and stop services, but does not allow you to change configuration data. Typically you must also have the READ privilege in addition to MAINT.
Refer to Configuring a new AS 5300 Element Manager Console role job aid on page 94 for a
list and description of the services for which you can add READ, WRITE, and MAINT privileges
to roles.
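The READ, WRITE and MAINT points above and the Role Name rule in the new-role job aid (page 94), as an added example that is not Avaya code: a small role model that validates a role name, derives effective privileges (WRITE implying READ), answers authorization questions per service, and flags MAINT grants that lack READ. The action names view, modify and start_stop are assumptions for the example; the service names are taken from the job aid.

```python
"""Role model based on the AS 5300 Element Manager Console role job aids.

Added example, not Avaya code. Service names are from the job aid; the
action vocabulary (view / modify / start_stop) is an assumption used to
express the stated rules: WRITE enables READ automatically, MAINT covers
only starting and stopping a service, and MAINT is normally paired with READ.
"""
import re

PRIVILEGES = frozenset({"READ", "WRITE", "MAINT"})

# Role Name rule from the job aid: 4-36 alphanumeric characters that may also
# include, but not begin or end with, the characters: space @ # & ( ) + -
_ROLE_NAME_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9 @#&()+\-]{2,34}[A-Za-z0-9]")


def valid_role_name(name: str) -> bool:
    """True when the name satisfies the length and character rules."""
    return _ROLE_NAME_RE.fullmatch(name) is not None


class Role:
    """A role: a name plus, per service, the set of granted privileges."""

    def __init__(self, name: str, grants: dict):
        if not valid_role_name(name):
            raise ValueError(f"invalid role name: {name!r}")
        for service, privs in grants.items():
            unknown = set(privs) - PRIVILEGES
            if unknown:
                raise ValueError(f"{service}: unknown privileges {sorted(unknown)}")
        self.name = name
        self.grants = {svc: frozenset(p) for svc, p in grants.items()}

    def effective_privileges(self, service: str) -> frozenset:
        """Granted privileges plus READ whenever WRITE is granted."""
        privs = set(self.grants.get(service, ()))
        if "WRITE" in privs:
            privs.add("READ")
        return frozenset(privs)

    def allows(self, service: str, action: str) -> bool:
        """Authorization decision for one action on one service."""
        privs = self.effective_privileges(service)
        if action == "view":
            return "READ" in privs
        if action == "modify":
            return "WRITE" in privs
        if action == "start_stop":
            return "MAINT" in privs
        raise ValueError(f"unknown action: {action!r}")

    def maint_without_read(self) -> list:
        """Services where MAINT is granted but READ is absent, even via WRITE."""
        return sorted(
            svc for svc in self.grants
            if "MAINT" in self.grants[svc]
            and "READ" not in self.effective_privileges(svc)
        )
```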
Procedure
1. From the menu bar of the AS 5300 Element Manager Console, select
Administration > User Administration.
2. On the User Administration panel, select the user to modify, and click Edit (-/+).
4. Click Apply.
If the change is valid, the Edit User Account dialog box closes and the modification
appears on the User Administration panel.
This job aid lists and describes the fields that you configure on the Add User Account dialog
box.
Parameter: User Name
Description: Edit the administrator's first and last names. The maximum characters allowed is 36. There are no character restrictions.

Parameter: Maximum Password Life
Description: If you enter a value greater than 0, this value is used instead of the Maximum Password Life value found in the Password Rules. Enter 0 to use the Password Rules value.

Parameter: Account Disabled
Description: If you select this check box, the account is disabled and the administrator cannot log on.

Parameter: Disable Account Inactivity Period

Parameter: Immune to Expiry
Description: If you select this check box, the password rules do not apply. All password complexity rules still apply. This option is intended for nonhuman accounts. For secure systems, select this option only for nonhuman accounts.
Procedure
1. From the menu bar of the AS 5300 Element Manager Console, select
Administration > User Administration.
2. On the User Administration panel, select the user to be disabled and click Edit (-/+).
3. In the Edit User Account dialog box, select the Account Disabled check box.
4. Click Apply.
You can disable the password aging rules for a particular account. This option is intended for
system (non-human) accounts. All password complexity rules still apply.
Procedure
1. From the menu bar of the AS 5300 Element Manager Console, select
Administration > User Administration.
2. On the User Administration panel, select the User to be disabled and click Edit (-/+).
3. In the Edit User Account dialog box, select the Immune to Expiry check box.
4. Click Apply.
You can view all AS 5300 Element Manager Console users who are logged on. If necessary
you can force another administrator off the system.
Procedure
1. From the AS 5300 Element Manager Console menu bar, select Administration >
User Display/Forceoff.
2. To force an administrator off the system, from the Logged-in Users panel, select an
entry and click Force Off.
You can export configuration data for the AS 5300 Element Manager Console.
Procedure
1. From the menu bar of the AS 5300 Element Manager Console, select Tools > DB
Export.
3. In the Save dialog box, browse to the location where you want to save the file.
5. Click Save.
7. From the Services Available for Export list, select the desired service.
9. In the FTP log on screen, enter the username and password for the AA role.
10. Click Apply.
You can import configuration data for the AS 5300 Element Manager Console.
Procedure
1. From the menu bar of the AS 5300 Element Manager Console, select Tools > DB
Import.
3. In the Open dialog box, browse to the location from which you want to select the
file.
5. Click Open.
7. In the Save dialog box, browse to the location where you want to save the log output
file.
8. In the File name box, type a name for the log output file.
9. Click Save.
11. In the FTP log on screen, enter the user name and password for the AA role.
Procedure
1. From the AS 5300 Element Manager Console menu bar, select Administration >
Role Definition.
2. From the Role Definition panel, select the role that you want to delete and
click Delete.
You can delete the user accounts for administrators who no longer require access to the AS
5300 Element Manager Console.
Procedure
1. From the AS 5300 Element Manager Console menu bar, select Administration >
User Administration.
2. From the User Administration panel, select the entry for the user and click Delete
(-).
Use this procedure to reset the password for the initial AS 5300 Element Manager Console
admin account, if there are no other administrative users who have sufficient privileges to reset
the password.
Procedure
1. Log on to the primary database (DB) server as a user with DBA role.
4. Type the password, which was reset by the previous script to admin.
5. Change directory:
cd /var/mcp/install
This script stops all AS 5300 Element Manager instances, redeploys the load
specified in installprops.txt, and restarts all AS 5300 Element Manager instances.
7. Log on to the AS 5300 Element Manager Console with the admin account.
8. At the prompt to change the password, type a new password that complies with the
password rules.
You can reset the password for another AS 5300 Element Manager Console administrator.
Procedure
1. From the menu bar of the AS 5300 Element Manager Console, select
Administration > Password Administration > Set Administrator Password.
2. On the Set Administrator Password panel, from the User ID list, choose the
administrator.
3. In the New Password box, type the new password for the administrator.
5. Optional. To force the administrator to change the new password at first logon,
select the Force Password Change check box.
Important:
Having more than one person know the password for a user account reduces
accountability and system security. Avaya recommends that you select this
option.
6. Click Apply.
Use this procedure to change the password for your AS 5300 Element Manager Console
account.
Procedure
1. From the menu bar of the AS 5300 Element Manager Console, select
Administration > Password Administration > Change My Password.
2. On the Change My Password panel, in the New Password box, type your new
password.
5. Click Apply.
You can modify roles for the Provisioning Client to specify admin privileges and level of
access.
Procedure
1. From the Provisioning Client menu bar, select Admin > Role to access the Admin
Role portlet.
2. On the List tab, in the Role Name column, click the name of the role to be
modified.
4. Under the Data Layer Management option, check the Write and Delete boxes if
you want the administrator to have one or both privileges on the System,
Domain, and User level.
5. Select the necessary Read, Write, and Delete check boxes to configure access for
each Admin privilege.
6. Click Save.
For more information about the administrative privileges listed on the Add a New Role page,
see Avaya Aura Application Server 5300 Using the Provisioning Client, NN42040-112.
Use this procedure to search for Admin user accounts for the Provisioning Client.
Procedure
1. From the Provisioning Client menu bar, select Admin > List to access the Admin
portlet.
Use this procedure to search for Provisioning Client administrative users by role.
Procedure
1. From the Provisioning Client menu bar, select Admin > List.
4. Click Search.
Use this procedure to search for Provisioning Client administrative users who have inactive
accounts.
Procedure
1. From the Provisioning Client menu bar, select Admin > List.
4. Click Search.
Use this procedure to modify Admin users for the Provisioning Client.
Procedure
1. From the Provisioning Client menu bar, select Admin > List.
3. Click the Details tab, and then modify the administrator fields as required.
4. Click Save.
5. Click the Domains tab, and then modify the administrator fields as required.
6. Click Save.
7. Click the Roles tab, and then modify the administrator fields as required.
8. Click Save.
9. Click the Account Policy tab, and then modify the administrator fields as
required.
10. Optionally, to disable an administrator, deselect the Enable account check box.
Use this procedure to remove Provisioning Client user accounts that are no longer required.
Procedure
1. From the Provisioning Client menu bar, select Admin > List to access the Admin
portlet.
2. On the List tab, click Delete for the user account that you want to delete.
3. On the confirmation dialog, type your administrator password, and then click
Confirm.
Use this procedure to reset the password for the initial Provisioning Manager admin account
if there are no other administrative users who have sufficient privileges to reset the
password.
Procedure
2. Change directory:
cd /var/mcp/run/MCP_<rel>/<dbName>/bin/util
5. From the configuration view, select Network Elements > Provisioning Managers
> <PROV_instance> > NE Maintenance.
6. In the Prov Maintenance window, under the Oper column, verify the Provisioning
Manager status is Active.
9. Use a supported Web browser to log on to the Provisioning Client for the
Provisioning Manager that you restarted in 7 on page 122.
(The above script resets the password to a default of admin.)
10. From the Provisioning Client navigation pane, select Administrator > Password.
11. Type the new password for the Provisioning Manager admin account.
To reset the password for the admin account, you must have the secadmin role.
Procedure
1. From the Provisioning Client menu bar, select Admin > List to access the Admin
portlet.
2. On the List tab, click Reset for the administrator whose password you want to
reset.
3. In the New Password box, type the new password for the administrator.
5. Optional. To force the administrator to change the new password at first logon,
select the Enforce Password Change check box.
Important:
Having more than one person know the password for a user account reduces
accountability and system security. Avaya recommends that you select this
option.
6. Click Apply.
Use this procedure to change the password for your Provisioning Client user account.
Procedure
1. From the Provisioning Client menu bar, select Admin > Change Admin
Password.
5. Click Save.
About this task
Use the procedures in this chapter to better secure HTTPS communications with the AS 5300 Element
Manager and the Provisioning Manager.
For information about how to secure network element logs, see 105.1.3 AS5300 Security Hardening.
Navigation:
Configuring the AS 5300 Element Manager with certificates for HTTPS on page 125
Configuring the Provisioning Manager with certificates for HTTPS on page 126
Configuring the AS 5300 Element Manager Console with certificates for HTTPS and SIP (CAC) on
page 127
Use this procedure to configure the HTTPS certificate for the AS 5300 Element Manager after you
replace the default self-signed certificate with a CA-signed certificate for each component in the system.
Obtain and import a CA-signed certificate for each component in the network.
Procedure
1. From the AS 5300 Element Manager Console navigation pane, select Network
Elements > Element Manager.
2. On the Element Manager window, select the AS 5300 Element Manager, and then
click Edit (-/+).
3. On the Edit dialog, in the Internal OAM section, from the HTTPS Certificate list,
choose the new certificate.
4. If required, on the Edit dialog, in the External OAM section, from the HTTPS
Certificate list, choose the new certificate.
5. Click Apply.
After the configuration update, the system raises an alarm to alert you that you must
restart the AS 5300 Element Manager to pick up the new certificate.
7. After the standby instance state turns to hot standby, stop the active AS 5300
Element Manager.
This action causes a failover to the backup AS 5300 Element Manager and causes
the AS 5300 Element Manager Console to lose connectivity.
Use this procedure to configure the HTTPS certificate for the Provisioning Manager after you replace
the default self-signed certificate with a CA-signed certificate for each component in the system.
Important:
Repeat this procedure for each Provisioning Manager in your Application Server 5300
system.
Obtain and import a CA-signed certificate for each component in the network.
Procedure
2. From the AS 5300 Element Manager Console navigation pane, select Network
Elements > Provisioning Managers.
4. On the Edit dialog, in the Prov section, from the Internal OAM HTTPS Certificate
list, choose the new certificate.
5. On the Edit dialog, in the Prov section, from the External OAM HTTPS Certificate
list, choose the new certificate.
6. On the Edit dialog, in the PA section, from the HTTPS Certificate list, choose the
new certificate.
7. Click Apply.
After the configuration update, the system raises an alarm to alert you that you must
restart the Provisioning Manager to pick up the new certificate.

Configuring the AS 5300 Element Manager Console with certificates for HTTPS and SIP (CAC)
Use this procedure to configure the HTTPS and SIP certificate for the AS 5300 Element Manager
Console using ActivClient (CAC reader), after you replace the default self-signed certificate with a
CA-signed certificate for each component in the system.
ActivClient is installed on the desktop on which the AS 5300 Element Manager Console
is running.
Procedure
1. Choose one of the following:
If MCP FIPS is not enabled, in the address bar of your Web browser, enter
the following address: https://<EM_Service_IPAddress>:12121
5. Click Add (+) to add the CA certificate file to the AS 5300 Element Manager Console
truststore.
9. Click Browse, and then locate and select the acpkcs211.dll file. The location of the
acpkcs211.dll file depends on the installation of the ActivClient CAC software.
12. In the ActivClient Login window, enter the PIN for the inserted CAC card.
The Avaya Aura Application Server 5300 uses public-key cryptography standards (PKCS) technology
(PKCS#12 certificates) in its Session Initiation Protocol (SIP) Transport Layer Security (TLS) application.
This chapter provides supporting information about certificate management for the Application Server
5300 system.

Platform
The certmgr tool provides an interface to the server certificate database. The certmgr tool resides on each
core Application Server 5300 server and Avaya Media Server (MS) server. A Security System
Administrator (SSA) with sudo privileges can start the certmgr tool by typing the name of the tool at the
prompt.
Use the certmgr tool to generate Certificate Signing Requests (CSR), verify certificate chains, and to
create PKCS#12 files.
The certmgr tool does not include support for the following tasks:
How to obtain these files and transfer them to the servers is the administrator's choice. For example, the
administrator can use secure FTP (SFTP) for this purpose.

IPsec custom certificates
The procedures to generate IPsec custom certificates are the same as those to generate custom
certificates for the Application Server 5300 core servers and Avaya MS. After an IPsec certificate is signed
by the CA and bundled into a PKCS12 file, you can install it on the servers.
Important:
Before you can install IPsec certificates, you must stop the IPsec service on all Application Server 5300
core and Avaya MS servers.
For more information about IPsec, see IPsec configuration overview on page 167.
Core application certificates
Use the AS 5300 Element Manager Console or the Open Management Interface (OMI) to manage
certificates for the Application Server 5300 core application. Certificate management for the core
application includes management of
the Keystore
the Truststore
Certificate Revocation
Keystore certificates
Keystore certificates are the certificates for the Network Elements that are part of the Application Server
5300 core. This does not include External Nodes such as gateways.
You can import PKCS#12 files into the Keystore. The PKCS#12 file must contain one end entity certificate,
the corresponding private key, and zero or more CA certificates. The system stores the private key
internally; therefore, only the node that is assigned this certificate can retrieve the private key. The file can
also include the certificate chain, in which case the system automatically imports the rest of the chain into
the Truststore if an entry does not already exist for each CA in the chain. During the import process, the
system associates a unique logical name with the certificate. You use the logical name to associate the
certificate with a TLS port when you assign a Keystore certificate to a Network Element. For more
information, see Core application certificate management on page 149.
Truststore certificates
The system uses the Root CA and intermediate CA certificates stored in the Truststore to authenticate
certificates issued by the CA. For the certificates stored in the Keystore to be authenticated, the signing
chain must exist in the Truststore. The signing chain for other certificates, such as for gateways, must also
exist in the Truststore. If the system uses a self-signed certificate, you must import the self-signed
certificate into the Truststore. For more information, see Truststore certificate management on
page 157.
The system uses Privacy Enhanced Mail (PEM) formatted files to import certificates into the Truststore.
Each file must contain only one certificate. Certificates in the Truststore are considered public; therefore,
no password or private key data is required.
Certificate revocation
Sometimes, a certificate must be revoked before the certificate expires (for example, the private key for
a certificate is compromised and the certificate can no longer be trusted).
The Application Server 5300 supports two methods of certificate revocation:
Online Certificate Status Protocol (OCSP): OCSP provides an on-line query mechanism that can be
used to check the revocation status of a certificate. Avaya recommends that you use OCSP for
certificate revocation. For more information, see OCSP configuration on page 161.
CRL Distribution Point (CDP): CDP provides a URL in the certificate that you use to download
CRLs.
Certificate preparation procedures
The following task flow shows the sequence of procedures that you perform to prepare certificates.
Navigation
Obtaining CA certificates and CA-signed certificates. Administrators decide the method of sending
the CSR to the CA and for obtaining the certificates.
Generating a CSR
Installing custom certificates into the AS 5300 Element Manager keystore on page 136
Verifying that CA certificates import into the AS 5300 Element Manager truststore on page 137
Generating a CSR
Use this procedure to generate a certificate signing request (CSR). Only an SSA can read the
generated CSR file.
Check with your CA before creating the CSR to determine if certain fields require CA-specific data.
Procedure
1. Log on to the primary element manager server as a user with SSA role.
6. To confirm, enter Y.
This job aid lists and describes the parameters required to generate a CSR.
Parameter
Description
Common name
Non-repudiation (optional)
Procedure
1. Log on to the primary element manager server as a user with SSA role.
7. To confirm, enter Y.
This job aid lists and describes the parameters required to install a CA or CA-signed
certificate.
Parameter
Description
Type of certificate
The PKCS12 file contains the private key, the certificate, and the CA certificate.
Procedure
1. Log on to the primary element manager server as a user with SSA role.
3. From the Certificate Management Options menu, enter 6 to select Export PKCS12
File.
4. Enter the name of the PKCS12 file that you want to export.
7. To confirm, enter Y.
Use this procedure to install custom certificates into the AS 5300 Element Manager keystore.
You must perform this procedure for each signed certificate.
Important:
Repeat this procedure for all the certificates that you generate.
Procedure
1. Choose one of the following:
If MCP FIPS is not enabled, in the address bar of your Web browser, enter the
following address: https://<EM_Service_IPAddress>:12121
2. Log on to the AS 5300 Element Manager Console using the Admin User ID.
3. In the configuration view of the AS 5300 Element Manager Console, select Network
Data and Mtc > Certificate Management > Keystore.
6. Click Browse, and navigate to the PKCS12 file that holds the certificate being
imported (PKCS12 filename).
7. For the password used to create the PKCS12 file, enter the <Certificate> PKCS12
file password.
8. For the Export password, enter the <Certificate> PKCS12 file password.
9. Click Apply.
12. Verify that the Certificate Status field at the bottom of the window displays OK.

Verifying that CA certificates import into the AS 5300 Element Manager truststore
Use this procedure to verify that the CA certificates were imported properly into the AS 5300
Element Manager truststore. You must perform this procedure for each signed certificate.
Procedure
If MCP FIPS is not enabled, in the address bar of your Web browser, enter
the following address: https://<EM_Service_IPAddress>:12121
2. Log on to the AS 5300 Element Manager Console using the Admin User ID.
3. In the configuration view of the AS 5300 Element Manager Console, select Network
Data and Mtc > Certificate Management > Truststore.
4. Locate the CA of the certificate that was imported, and then click Edit (-/+) on the
certificate.
5. Verify that the Certificate Status field at the bottom of the window displays OK.
Identifying the subject of a certificate installed in the certificate database (Unix) on page 144
Identifying the subject of a certificate that is not installed in the certificate database (Unix) on
page 146
Use this procedure to list all certificates that are installed in the server's certificate database.
Procedure
1. Log on to the primary element manager server as a user with SSA role.
3. From the Certificate Management Options menu, enter 1 to select List All
Certificates.
Name: corresponds to the certificate friendly name specified when the certificate was
imported
Certificate Subject
Certificate Issuer
Procedure
1. Log on to the primary element manager server as a user with SSA role.
7. To confirm, enter Y.
This job aid lists and describes the parameters required to install a CA or CA-signed
certificate.
Parameter
Description
Type of certificate
Uninstalling a certificate
Procedure
1. Log on to the primary element manager server as a user with SSA role.
5. To confirm, enter Y.
Use this procedure to view the certificate chain for an installed certificate.
Procedure
1. Log on to the primary element manager server as a user with SSA role.
5. Validate the certificate and its installed chains. The chain displays only those CA
certificates that are installed in the server certificate database.
The following example shows the result of selecting an item in the verify certificate chain list.
Chain of the certificate "mfss1sm":
"DoDJITCRootCA2" [CN=DoD JITC Root CA 2,OU=PKI,OU=DoD,O=U.S. Government,C=US]
"DoDJITCCA-17" [CN=DOD JITC CA-17,OU=PKI,OU=DoD,O=U.S. Government,C=US]
"mfss1sm" [CN=200.23.2.246,OU=Contractor,OU=PKI,OU=DoD,O=U.S. Government,C=US]
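The listing above is produced by walking issuer links from the end-entity certificate up to a self-signed root, showing only CAs present in the database. The Python below is an added illustration of that walk, not the certmgr tool's own code: DATABASE is a constructed subject/issuer table built from the names in the listing (a real tool reads these fields from the certificate store), and it also shows the case the page describes, a chain that stops short because an intermediate CA is not installed.

```python
# Added example: walk an installed-certificate database from an end-entity
# certificate up to its root. Not the certmgr tool's code; DATABASE is a
# constructed sample keyed by friendly name, using the names from the listing.

# friendly name -> (subject DN, issuer DN). A certificate whose subject equals
# its issuer is treated as a self-signed root.
DATABASE = {
    "DoDJITCRootCA2": (
        "CN=DoD JITC Root CA 2,OU=PKI,OU=DoD,O=U.S. Government,C=US",
        "CN=DoD JITC Root CA 2,OU=PKI,OU=DoD,O=U.S. Government,C=US",
    ),
    "DoDJITCCA-17": (
        "CN=DOD JITC CA-17,OU=PKI,OU=DoD,O=U.S. Government,C=US",
        "CN=DoD JITC Root CA 2,OU=PKI,OU=DoD,O=U.S. Government,C=US",
    ),
    "mfss1sm": (
        "CN=200.23.2.246,OU=Contractor,OU=PKI,OU=DoD,O=U.S. Government,C=US",
        "CN=DOD JITC CA-17,OU=PKI,OU=DoD,O=U.S. Government,C=US",
    ),
}


def build_chain(name, database):
    """Return (chain, complete).

    chain lists friendly names root-first, the order the certmgr display uses.
    complete is False when the walk stops because an issuer is not installed
    (or a cycle is detected); the partial chain is still returned so the
    operator can see where it broke. Issuer/subject matching is an exact
    string comparison here; RFC 5280 name matching is more lenient.
    """
    by_subject = {subject: n for n, (subject, _) in database.items()}
    chain, seen, current = [], set(), name
    while current not in seen:
        seen.add(current)
        chain.append(current)
        subject, issuer = database[current]
        if subject == issuer:              # self-signed root reached
            return list(reversed(chain)), True
        current = by_subject.get(issuer)
        if current is None:                # issuing CA is not installed
            return list(reversed(chain)), False
    return list(reversed(chain)), False    # loop: never trust it


def render_chain(name, database):
    """Format the chain the way the certmgr listing above presents it."""
    chain, complete = build_chain(name, database)
    lines = ['Chain of the certificate "%s":' % name]
    lines += ['"%s" [%s]' % (n, database[n][0]) for n in chain]
    if not complete:
        lines.append("(chain incomplete: issuer of the first listed certificate is not installed)")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_chain("mfss1sm", DATABASE))
    # Drop the intermediate CA to see the walk stop at the end entity.
    print(render_chain("mfss1sm", {k: v for k, v in DATABASE.items() if k != "DoDJITCCA-17"}))
```

A chain that stops before a root is the signal to import the missing CA certificate into the truststore before assigning the entity certificate to a TLS port.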
Use this procedure to import a PKCS12 file. Import a PKCS12 file if you want to:
view the certificate details for the certificate bundled inside the PKCS12 file.
re-export the PKCS12 file on a FIPS-compliant server. If the private key within the
PKCS12 file was generated on a non-FIPS-compliant server, you can make it FIPS
compliant by importing the PKCS12 file into the server certificate database and then re-exporting it.
Procedure
1. Log on to the primary element manager server as a user with SSA role.
3. From the Certificate Management Options menu, enter 7 to select Import PKCS12
File.
4. Enter the name of the PKCS12 file that you want to import.
7. To confirm, enter Y.
The PKCS12 file contains the private key, the certificate, and the CA certificate.
Procedure
1. Log on to the primary element manager server as a user with SSA role.
3. From the Certificate Management Options menu, enter 6 to select Export PKCS12
File.
4. Enter the name of the PKCS12 file that you want to export.
7. To confirm, enter Y.
The certificate friendly name is specified when you install a certificate in the server certificate
database using the certmgr tool.
Procedure
1. Log on to the primary element manager server as a user with SSA role.
3. From the Certificate Management Options menu, enter 1 to select List All
Certificates.
4. In the output, locate the Name field. The Name field corresponds to the Friendly
name field of the certificate.
The following example shows the result of listing all certificates. The Name field corresponds
to the Friendly name field of the certificate. In this example, there are three certificates installed:
two entity certificates and one CA certificate. The Friendly name for the second entity certificate
is "AS5300 Core".
Use this procedure to identify the subject of a certificate if the certificate is installed in the
server's certificate database.
Procedure
1. Log on to the primary element manager server as a user with SSA role.
3. From the Certificate Management Options menu, enter 1 to select List All
Certificates.
4. In the output, locate the Subject field. The Subject field corresponds to the Subject
field of the certificate.
The following example shows the result of listing all certificates. The Subject field corresponds
to the Subject name field of the certificate. In this example, there are three certificates installed:
two entity certificates and one CA certificate. The Subject for the second entity certificate is
C=US,O=U.S. Government,OU=JITC,OU=PKI,OU=DoD,CN=AS5300 Core.
Use this procedure to identify the subject of a certificate if the certificate is not installed in the
server's certificate database.
Procedure
1. Log on to the primary element manager server as a user with SSA role.
4. In the output, locate the output that follows the subject= string. The output that
follows the subject= string corresponds to the Subject field of the certificate.
Variable: <certificate>
Value: The CA-signed certificate.
The following example shows the result of entering the command openssl x509 -subject
-noout -in <certificate>.
Use this procedure to identify the subject of a certificate if the certificate is installed in the
Windows certificate store.
Procedure
To build a string out of the Subject field, you must add the sub fields in reverse order, separating
each sub field with a comma. In this example Subject field, the sub fields are entered as follows:
In the details pane, CN=AS5300 Core is displayed first and C=US is displayed last.
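The two subject forms on this page differ only in order: the List All Certificates output and the string you build from the Windows details pane put C first and CN last (the order the RDNs are encoded in the certificate), while the chain listing and openssl-style strings put CN first. The Python below is an added example, not the certmgr tool's or Windows' own code: it DER-encodes the page's sample subject as an X.501 Name, decodes it back, and renders it both ways, and it converts the details-pane lines into the reversed string the procedure above describes. SUBJECT and the details-pane lines are constructed from the page's example DN.

```python
# Added example: DER-encode an X.501 Name, decode it again, and render the
# subject in both orders used on this page. Not the certmgr tool's code; the
# SUBJECT list is constructed from the page's sample DN.

OID_TO_ATTR = {"2.5.4.6": "C", "2.5.4.10": "O", "2.5.4.11": "OU", "2.5.4.3": "CN"}
ATTR_TO_OID = {v: k for k, v in OID_TO_ATTR.items()}

# RDNs in encoding order (C first, CN last), as the List All output shows.
SUBJECT = [("C", "US"), ("O", "U.S. Government"), ("OU", "JITC"),
           ("OU", "PKI"), ("OU", "DoD"), ("CN", "AS5300 Core")]


def _tlv(tag, body):
    """Tag-length-value with DER definite length (short and long forms)."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        size = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(size)]) + size
    return bytes([tag]) + length + body


def _encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:                       # base-128, high bit = more
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return _tlv(0x06, bytes(out))


def encode_name(rdns):
    """Name ::= SEQUENCE OF RDN; RDN ::= SET OF AttributeTypeAndValue (UTF8String values)."""
    body = b"".join(
        _tlv(0x31, _tlv(0x30, _encode_oid(ATTR_TO_OID[a]) + _tlv(0x0C, v.encode("utf-8"))))
        for a, v in rdns)
    return _tlv(0x30, body)


def _read_tlv(buf, pos):
    """Return (tag, value, next_pos); rejects indefinite length, which is not DER."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        if n == 0:
            raise ValueError("indefinite length is not DER")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(body):
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(str(a) for a in arcs)


def decode_name(der):
    """Inverse of encode_name; unknown attribute types come back as dotted OIDs."""
    tag, seq, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("Name must be a SEQUENCE")
    rdns, pos = [], 0
    while pos < len(seq):
        tag, rdn, pos = _read_tlv(seq, pos)
        if tag != 0x31:
            raise ValueError("RDN must be a SET")
        p = 0
        while p < len(rdn):                     # a SET may hold several ATVs
            _, atv, p = _read_tlv(rdn, p)
            _, oid, q = _read_tlv(atv, 0)
            _, value, _ = _read_tlv(atv, q)
            dotted = _decode_oid(oid)
            rdns.append((OID_TO_ATTR.get(dotted, dotted), value.decode("utf-8")))
    return rdns


def list_all_style(rdns):
    """Encoding order, C first: the form the List All Certificates output uses."""
    return ",".join("%s=%s" % rdn for rdn in rdns)


def display_style(rdns):
    """Reversed, CN first: the form the chain listing and RFC 4514 strings use."""
    return ",".join("%s=%s" % rdn for rdn in reversed(rdns))


def subject_from_windows_details(lines):
    """Rebuild the List All form from the Windows details pane, which shows
    CN first and C last: parse 'ATTR = value' lines, then reverse them."""
    parsed = [tuple(part.strip() for part in line.split("=", 1)) for line in lines]
    return list_all_style(list(reversed(parsed)))
```

Comparing subjects across tools is safest on the decoded RDN list rather than on strings, since spacing and order vary by tool even when the encoded Name is identical.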
Configuring the AS 5300 Element Manager with certificates for HTTPS and SIP on page 151
Configuring the AS 5300 Session Manager with certificates for HTTPS and SIP on page 152
Configuring the AS 5300 Element Manager Console with certificates for HTTPS and SIP
(manual) on page 155
Use this procedure to import an internal certificate. The only supported format is PKCS #12.
The system expects the PKCS #12 file to contain only one end entity certificate and the
corresponding private key. Only the node that is assigned this certificate can retrieve the private
key. When you import a PKCS#12 file that also includes a certificate chain, you automatically
import the rest of the chain into the truststore, if an entry does not already exist for each CA in
the chain.
Keystore (internal) certificates are the certificates for the network elements (NE) that are part
of the system. This does not include external nodes, such as gateways.
When you import a certificate, the system associates it with a unique logical name, which you
can use to associate the certificate with a TLS port.
The PKCS#12 file exists in a location accessible to the AS 5300 Element Manager
Console.
Procedure
1. In the configuration view of the AS 5300 Element Manager Console select Network
Data and Mtc > Certificate Management > Keystore.
3. Configure the Logical Name, PKCS#12 file, Password, and Export Password
parameters.
4. Click Apply.
This job aid lists and describes the parameters for importing an internal certificate to the
keystore.
Parameter
Description
Logical Name
PKCS#12 File
Password
The password.
Export Password
Use this procedure to view the details for internal certificates in the keystore.
Procedure
1. In the configuration view of the AS 5300 Element Manager Console, select Network
Data and Mtc > Certificate Management > Keystore.
Procedure
1. In the configuration view of the AS 5300 Element Manager Console, select Network
Data and Mtc > Certificate Management > Keystore.
Use this procedure to configure the HTTPS and SIP certificate for the AS 5300 Element Manager
after you replace the default self-signed certificate with a CA-signed certificate for each component
in the system.
Obtain and import a CA-signed certificate for each component in the network.
Procedure
1. From the AS 5300 Element Manager Console navigation pane, select Network
Elements > Element Manager.
2. On the Element Manager window, select the AS 5300 Element Manager, and then
click Edit (-/+).
3. To configure an Internal OAM certificate, from the Internal OAM HTTPS Certificate
list, choose the new certificate.
4. To configure an External OAM certificate, from the External OAM HTTPS Certificate
list, choose the new certificate.
5. Click Apply.
Use this procedure to configure the HTTPS and SIP certificates for the AS 5300 Session
Manager, after you replace the default self-signed certificate with a CA-signed certificate for
each component in the system.
Important:
You must perform this procedure for each AS 5300 Session Manager that is deployed on
the system.
Obtain and import a CA-signed certificate for each component in the network.
Procedure
3. To configure a SIP certificate, from the SIP Certificate list, choose the new
certificate.
4. To configure an LDAP certificate, from the SESM LDAP Certificate list, choose the
new certificate.
5. Click Apply.
After the configuration update, the system raises an alarm to alert you that you must
restart the AS 5300 Session Manager to pick up the new certificate.
7. After the standby instance state turns to hot standby, stop the active AS 5300
Session Manager.
This action causes a failover to the backup AS 5300 Session Manager and causes
the AS 5300 Element Manager Console to lose connectivity.
Use this procedure to configure the HTTPS and SIP certificates for the Provisioning Manager,
after you replace the default self-signed certificate with a CA-signed certificate for each
component in the system.
Important:
Repeat this procedure for each Provisioning Manager in your system.
Obtain and import a CA-signed certificate for each component in the network.
Procedure
2. From the AS 5300 Element Manager Console navigation pane, select Network
Elements > Provisioning Managers.
4. On the Edit dialog, in the Prov section, from the Internal OAM HTTPS Certificate
list, choose the new certificate.
5. On the Edit dialog, in the Prov section, from the External OAM HTTPS Certificate
list, choose the new certificate.
6. On the Edit dialog, in the PA section, from the HTTPS Certificate list, choose the
new certificate.
7. On the Edit dialog, in the PA section, from the SIP Certificate list, choose the new
certificate.
8. Click Apply.
After the configuration update, the system raises an alarm to alert you that you must
restart the Provisioning Manager to pick up the new certificate.
Use this procedure to configure the HTTPS and SIP certificate for the AS 5300 Element Manager
Console using ActivClient (CAC reader), after you replace the default self-signed certificate with a
CA-signed certificate for each component in the system.
ActivClient is installed on the desktop on which the AS 5300 Element Manager Console
is running.
Procedure
1. Choose one of the following:
If MCP FIPS is not enabled, in the address bar of your Web browser, enter
the following address: https://<EM_Service_IPAddress>:12121
5. Click Add (+) to add the CA certificate file to the AS 5300 Element Manager Console
truststore.
9. Click Browse, and then locate and select the acpkcs211.dll file. The location of the
acpkcs211.dll file depends on the installation of the ActivClient CAC software.
12. In the ActivClient Login window, enter the PIN for the inserted CAC card.
Configuring the AS 5300 Element Manager Console with certificates for HTTPS and SIP (manual)
Use this procedure to configure the HTTPS and SIP certificate for the AS 5300 Element Manager
Console using the manual method, after you replace the default self-signed certificate with a
CA-signed certificate for each component in the system.
Procedure
1. Choose one of the following:
If MCP FIPS is not enabled, in the address bar of your Web browser, enter
the following address: https://<EM_Service_IPAddress>:12121
5. Click Browse, and then locate and select the PKCS12 file for the client certificate.
6. In the Password field, enter the password for the PKCS12 file.
7. In the Export Password field, enter the same password as the PKCS12 file.
8. Click Apply.
10. On the Keystore tab, verify that the system displays the certificate.
Use this procedure to configure the HTTPS certificate for the Avaya Aura Application Server 5300
Personal Agent after you replace the default self-signed certificate with a CA-signed certificate for
each component in the system.
Important:
Repeat this procedure for each Avaya Aura Application Server 5300 Personal Agent in your
system.
Obtain and import a CA-signed certificate for each component in the network.
Procedure
2. From the AS 5300 Element Manager Console navigation pane, select Network
Elements > Personal Agent Manager.
3. On the Personal Agent Manager window, select an instance and click Edit (-/+).
4. On the Edit dialog, from the PA HTTPS Certificate list, choose the new
certificate.
5. On the Edit dialog, from the SIP Certificate list, choose the new certificate.
6. Click Apply.
Use this procedure to import a certification authority (CA) root or intermediate certificate to the
truststore.
Truststore (root CA and intermediate CA) certificates are the certificates the system uses to
authenticate signed certificates. To authenticate a certificate stored in the keystore, the signing
chain must exist in the truststore. The signing chain for other certificates, such as for gateways,
must exist in the truststore. If the system uses a self-signed certificate, it must exist in the
truststore.
You use PEM files to import certificates into the Truststore. Each PEM file must contain only
one certificate. Certificates in the Truststore are public; therefore, you do not require a
password or private key.
The CA root or intermediate certificate file already exists in a location accessible to the
AS 5300 Element Manager Console.
Procedure
1. In the configuration view of the AS 5300 Element Manager Console, select Network
Data and Mtc > Certificate Management > Truststore.
Use this procedure to view the details for CA root and intermediate certificates in the
truststore.
Procedure
1. In the configuration view of the AS 5300 Element Manager Console, select Network
Data and Mtc > Certificate Management > Truststore.
Use this procedure to remove a CA root or intermediate certificate from the truststore.
Warning:
Use extreme caution when you perform this procedure. The removal of a trusted CA can
disrupt service.
Procedure
1. In the configuration view of the AS 5300 Element Manager Console, select Network
Data and Mtc > Certificate Management > Truststore.
Configure OCSP to enable the OCSP certificate revocation method on your system.
OCSP configuration tasks
The following work flow shows the sequence of tasks that you perform to configure OCSP for the system.
OCSP configuration
Navigation
Configuring the AS 5300 Element Manager Console to support OCSP on page 165
Important:
You must perform this procedure on all SIP Core and Avaya Media Servers deployed in your
Application Server 5300 system.
Procedure
2. To add the PKI server to the hosts file, at the command prompt, enter the following command: hostTableConfig -a [PKI Server IP address] [PKI Server hostname]
3. To validate the configured hostnames, at the command prompt, enter the following command: hostTableConfig -q
The following is an example of the command to add a PKI server to the hosts file:
Use this procedure to configure the AS 5300 Element Manager to support OCSP.
Procedure
1. Choose one of the following:
If MCP FIPS is not enabled, in the address bar of your Web browser, enter the following address: https://<EM_Service_IPAddress>:12121
2. Log on to the AS 5300 Element Manager Console using the Admin User ID.
3. From the AS 5300 Element Manager Console navigation pane, select Network Elements > AS 5300 Element Manager > <AS 5300 Element Manager name>.
7. Click Apply.
Use this procedure to configure the AS 5300 Session Manager to support OCSP.
Important:
Perform this procedure for each AS 5300 Session Manager deployed on your system.
Procedure
1. Choose one of the following:
If MCP FIPS is not enabled, in the address bar of your Web browser, enter the following address: https://<EM Console IP>:12121
2. Log on to the AS 5300 Element Manager Console using the Admin User ID.
3. From the AS 5300 Element Manager Console navigation pane, select Network Elements > Session Managers > <AS 5300 SESM name>.
7. Click Apply.
Important:
Perform this procedure for each Provisioning Manager that is deployed on your Application
Server 5300 system.
Procedure
1. Choose one of the following:
If MCP FIPS is not enabled, in the address bar of your Web browser, enter the following address: https://<EM Console IP>:12121
2. Log on to the AS 5300 Element Manager Console using the Admin User ID.
3. From the AS 5300 Element Manager Console navigation pane, select Network Elements > Provisioning Managers > <Prov name>.
7. Click Apply.
Configuring the AS 5300 Element Manager Console to support OCSP
Use this procedure to configure the AS 5300 Element Manager Console to support OCSP.
Procedure
1. Choose one of the following:
If MCP FIPS is not enabled, in the address bar of your Web browser, enter the following address: https://<EM Console IP>:12121
Use this procedure to verify that the PKI OCSP server is accessible to your Application Server
5300 system.
Procedure
1. Choose one of the following:
If MCP FIPS is not enabled, in the address bar of your Web browser, enter the following address: https://<EM Console IP>:12121
2. Log on to the AS 5300 Element Manager Console using the Admin User ID.
3. In the configuration view of the AS 5300 Element Manager Console, select Network Data and Mtc > Certificate Management > Keystore.
Secure communication
The system uses an IPsec mesh to secure inter-server communications. IPsec uses PKI X.509
certificates for server authentication.
The IPsec configuration within the system is made up of internal and external tunnels. Internal tunnels exist between SIP Core and Avaya Media Server (MS) servers. External tunnels exist between SIP Core/Avaya MS servers and external servers (for example, Switch Expert). To configure internal tunnels, you use a tool that automatically generates the internal tunnels from the IP addresses configured in the MCP database. You configure external tunnels manually.
Initially, you must install IPsec with default staging certificates on each server. These default
staging certificates allow you to configure and test IPSec on the system servers before you
install custom certificates.
Important:
Do not use the default staging certificates on systems that are in production. You must
replace the default staging certificates with custom certificates before you place the system
into production.
Each server can host one or more of the following Server IP addresses:
Additionally, each server can host one or more of the following Service (floating) IP addresses:
AS 5300 Element Manager (AS 5300 EM) Internal OAM Service Address
AS 5300 Element Manager (AS 5300 EM) External OAM Service Address
Important:
Only the following addresses participate in the internal IPsec mesh:
AS 5300 Element Manager (AS 5300 EM) Internal OAM Service Address
When creating the internal IPSec mesh configuration file, the mcpGenIntIPSecConfig.pl script
uses the following IPSec tunnel rules:
IPSec tunnels are created between all datafilled server internal OAM server addresses.
Examples include:
Avaya Media Server 1 Internal OAM Address <-> EM Server 1 Internal OAM Address
IPSec tunnels are created between all datafilled server internal OAM server addresses
and the EM service address.
IPSec tunnels are created between all datafilled server internal OAM server addresses
and all FPM service addresses.
IPSec tunnels are created between all datafilled server internal OAM server addresses
and all AM service addresses.
When creating the internal ACL mesh configuration file, the mcpGenIntACLConfig.pl script
creates the following trusted node relationships:
A trusted node relationship between all datafilled server internal OAM server addresses.
For example:
Avaya Media Server (MS) 1 Internal OAM Address <-> EM Server 1 Internal OAM Address
A trusted node relationship between all datafilled server internal OAM server addresses
and the EM service address. For example:
EM Server 1 Internal OAM Address <-> EM Service Address
A trusted node relationship between all datafilled server internal OAM server addresses
and all FPM service addresses. For example:
Avaya Media Server (MS) 2 Internal OAM Address <-> FPM 1 Service Address
A trusted node relationship between all datafilled server internal OAM server addresses
and all AM service addresses. For example:
A trusted node relationship between all effective signaling addresses of a server and all
AS 5300 SESM signaling service addresses. The effective signaling address of a server
may be the internal OAM address if no server signaling address is defined. For example:
On a server that has a defined server signaling address: EM Server 1 Signaling Address <-> AS 5300 SESMx Service Address
On a server that does not have a defined server signaling address: EM Server 1 Internal OAM Address <-> AS 5300 SESMx Service Address
You generate IPSec custom certificates just like MCP and Avaya Media Server (MS) custom
certificates. After the IPSec certificate has been signed by the CA and bundled into a PKCS12
file, you can install it on the servers.
Prior to installing custom IPSec certificates, you must stop IPSec on all SIP Core and Avaya
MS servers.
IPSec can automatically retrieve CRLs using the CRL distribution point of the certificate. To
configure automatic CRL retrieval, you must add the CRL distribution point hostname and IP
address to the /etc/hosts file on each server so that the system can resolve the hostname
properly.
Important:
Do not add the CDP hostname to /etc/hosts file until the CDP can be accessed on the
network from each server. If the CDP hostname is added to the /etc/hosts file before it can
be reached on the network, then IPsec will fail to start.
The Application Server 5300 system does not support live update of the IPSec rules. To update
the IPSec rules in an established IPSec mesh, you must stop the running IPSec service, update
the settings, and then restart the IPSec service.
It is important to plan the renewal of the CA certificate(s) and the IPSec certificate. The renewal
must occur before the certificate expires to prevent service interruption.
The following Application Server IPsec tools are specially designed for configuring or managing
the IPSec mesh in the Application Server system:
mcpGenIntIPSecConfig
mcpInstIntIPSecConf
ipsecCertmgr
ipsecstatus
startipsec
stopipsec
Warning:
It is prohibited to use any tool other than the provided tools to configure or change the IPsec
mesh configurations in an Avaya Aura Application Server 5300 system. The integrity of the
Avaya Aura Application Server 5300 IPsec configuration is not guaranteed if you use other
tools to alter the IPsec configuration.
About this task
This chapter contains the procedures that you use to manage the IPsec service.
Navigation:
Use this procedure to view and verify the connection status of all IPSec links configured in the
IPSec policies.
Important:
Perform this procedure for all SIP Core and Avaya Media Servers in your system.
Procedure
3. At the command prompt, enter the following command: ping <another AS5300 server in the mesh>
The following shows an example of the result of executing the ipsecstatus command.
192.168.1.54: connected
192.168.1.55: connected
192.168.1.56: connected
192.168.1.58: connected
192.168.1.54: connected
192.168.1.55: connected
192.168.1.56: connected
The following shows an example of the result of executing the ping <another AS5300 server in the mesh> command.
--- 192.168.1.54 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1073ms
rtt min/avg/max/mdev = 1.245/2.041/2.838/0.797 ms
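An operator who reads ipsecstatus output for every server by eye will eventually miss a link. As an added check, not from the Avaya guide, the following shell functions parse that output, assuming the one-line-per-link "<peer address>: <state>" layout of the example above, fail if any link is in a state other than connected, and report any peer from a supplied mesh list that has no link at all, which ipsecstatus cannot flag on its own because a link missing from the policy never appears. The sample outputs, including the "disconnected" state string, are constructed.

```shell
#!/bin/sh
# Added example (not part of the Avaya guide): automate the "verify every
# IPsec link is connected" check on ipsecstatus output. Assumes the line
# format "<peer address>: <state>" seen in the guide's example.

# failed_links: read ipsecstatus output on stdin; print every link whose
# state is anything other than "connected".
failed_links() {
    awk -F': *' 'NF == 2 && $2 != "connected" { print $1 ": " $2 }'
}

# mesh_ok: read ipsecstatus output on stdin; succeed only if at least one
# link is listed and every listed link is connected.
mesh_ok() {
    awk -F': *' '
        NF == 2 { n++; if ($2 != "connected") bad++ }
        END     { exit (n > 0 && !bad) ? 0 : 1 }
    '
}

# missing_peers ADDR...: read ipsecstatus output on stdin; print every
# expected peer that has no link at all. A peer absent from the policy
# is never reported as failed, so it has to be checked against a list.
missing_peers() {
    seen=$(awk -F': *' 'NF == 2 { print $1 }')
    for ip in "$@"; do
        printf '%s\n' "$seen" | grep -qxF "$ip" || printf '%s\n' "$ip"
    done
}

# Constructed sample outputs; on a server the real input is: ipsecstatus
sample_status_ok() {
    cat <<'EOF'
192.168.1.54: connected
192.168.1.55: connected
192.168.1.56: connected
EOF
}
sample_status_bad() {
    cat <<'EOF'
192.168.1.54: connected
192.168.1.58: disconnected
EOF
}

# Example run on a server; the expected peer list is the set of internal
# OAM addresses datafilled in the MCP database:
#   ipsecstatus > /tmp/ipsecstatus.out
#   mesh_ok < /tmp/ipsecstatus.out || failed_links < /tmp/ipsecstatus.out
#   missing_peers 192.168.1.54 192.168.1.55 192.168.1.56 < /tmp/ipsecstatus.out
```

Run mesh_ok on every SIP Core and Avaya MS server, since each server only reports its own links; a peer that appears in missing_peers on one server but not on the others points at a stale internal configuration file on that server rather than at the peer.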
This chapter contains the procedures that you use to configure the IPsec service.
IPsec configuration procedures
The following task flow shows the sequence of procedures that you perform to configure the IPsec service.
IPsec configuration
Navigation
Installing the internal IPsec configuration file on the primary EMS server on page 178
Installing the internal IPsec configuration file on non-primary EMS servers on page 178
Use this procedure to generate the internal IPsec configuration file and place it into a temporary
location on the primary element manager server.
Installing the internal IPsec configuration file on the primary EMS server
Use this procedure to install the internal IPsec configuration file to a permanent location on the primary element manager server.
Procedure
1. Log on to the server as a user with SSA role.
2. At the command prompt, enter the following command: mcpInstIntIPSecConf -copy
Installing the internal IPsec configuration file on non-primary EMS servers
Use this procedure to install the internal IPsec configuration file to a permanent location on non-primary EMS servers.
Important:
Perform this procedure on all non-primary EMS servers.
Procedure
3. At the following prompt, enter the primary element manager server IP address:
Information for fetching internal IPSec conf file:
4. At the following prompt, enter the SSA username that is defined on the primary
element manager server: SFTP user id:
Use this procedure to configure IPsec with information about any external nodes. This
procedure is necessary if you need to configure IPsec tunnels to external nodes such as Switch
Expert.
If you need multiple IPSec tunnels to multiple external nodes, then you must define each
external node in the IPSec external configuration file.
Prerequisites
You must be either the root user or a user with SSA role with sudo privileges.
Custom certificates are installed for IPsec on each SIP Core and Avaya Media Server (MS).
The certificate used on the external node is signed by the same CA that signed the
certificate for IPSec on the SIP Core and Avaya MS servers.
Procedure
6. Add the following text to the end of the file, modifying the fields for each
connection.
7. If the external node is a Windows machine, add the following additional text to the
end of the text you entered in the previous step.
Important:
Do not add this text if the external node is a Linux machine.
<tab>esp="3des-sha1"
<tab>ike="3des-sha1"
<tab>pfs=no
These three lines pin the tunnel to 3DES with SHA-1 and disable perfect forward secrecy (pfs=no). They are there only to match what the Windows peer negotiates; leave them out for any peer that can negotiate stronger settings, because without PFS a compromise of the IKE phase 1 keying material exposes every phase 2 tunnel derived from it.
8. Repeat step 6 on page 179 to step 7 on page 179 for each external IPsec tunnel.
11. Make the necessary IPSec configuration changes on the external node.
Variable            Value
<connection name>   Type a name that describes the connection. For example, for an IPSec tunnel to Switch Expert, the string <connection_name> could be "se1". Important: Do not change the "ext_" portion of this string.
<external IP>       The IP address of the external node (the right= value in the examples that follow).
<local IP>          The IP address of this server's end of the tunnel (the left= value in the examples that follow).
<tab>               A tab character; every line inside a conn section must be indented.
The following text shows an example of the text to add to the end of the file for an external
connection to a Windows external node.
conn ext_se1
	left=192.168.1.15
	right=192.168.1.75
	rightcert=""
	rightid="C=US,O=U.S.Government,OU=JITC,OU=PKI,OU=DoD,CN=SwitchExpert"
	esp="3des-sha1"
	ike="3des-sha1"
	pfs=no
The following example shows some sample lines to add to the end of the file for an external
connection to a Linux external node.
conn ext_lin1
	left=192.168.1.35
	right=192.168.1.25
	rightcert=""
	rightid="C=US,O=U.S. Government,OU=JITC,OU=PKI,OU=DoD,CN=Linux Node"
Important:
Perform this procedure on each server in your system.
Procedure
1. Transfer the IPSec PKCS12 file to the server using SFTP or SCP.
3. From the IPSec Certificate Management Options menu, enter 2 to select Import Server Certificate PKCS12 File.
9. If the PKCS12 file does not contain the CA chain, then enter it manually on each
server using the ipsecCertmgr tool.
Use this procedure to configure IPsec to automatically retrieve CRLs. IPSec uses the
distribution point of the CRL to automatically retrieve CRLs.
You must add the CRL distribution point hostname and IP address to the /etc/hosts file on each
server so that the system can resolve the hostname.
Important:
Perform this procedure for all servers in your system.
Procedure
2. At the command prompt, enter the following command to view the distribution point:
openssl x509 -text -in <IPSec certificate>
3. Locate the distribution point in the output. The hostname is specified in the http://<CRL hostname> line.
4. To add the CRL hostname to the server, at the command prompt, enter the following command: hostTableConfig -a [CRL Distribution Point IP address] [CRL Distribution Point hostname]
5. To validate the configured hostnames, at the command prompt, enter the following command: hostTableConfig -q
The following is an example of the command to add a CRL distribution point to the hosts file:
hostTableConfig -a 192.168.1.12 crl.hostname
Use this procedure to validate that automatic CRL retrieval is working properly.
Prerequisites
You must be either the root user or a user with SSA role with sudo privileges.
Custom certificates are installed for IPsec on each SIP Core and Avaya Media Server (MS).
Procedure
4. At the command prompt, enter the following command: ipsec auto --listcrls
5. Verify that the output from the ipsec auto --listcrls command shows the number of revoked certificates and a next-update time that has not yet passed.
The following text shows an example of the output for the ipsec auto --listcrls command.
000
000 List of X.509 CRLs:
000
000 Apr 16 19:09:52 2010, revoked certs: 62
000        issuer:  'C=US, O=U.S. Government, OU=DoD, OU=PKI, CN=DoD JITC Root CA 2'
000        distPts: 'ldap://crl.gds.nit.disa.mil/cn%3dDoD%20JITC%20Root%20CA%202%2cou%3dPKI%2cou%3dDoD%2co%3dU.S.%20Government%2cc%3dUS?certificateRevocationList;binary'
000                 'http://crl.gds.nit.disa.mil/getcrl?DoD%20JITC%20Root%20CA%202'
000        updates: this Apr 15 08:57:43 2010
000                 next Jun 16 08:57:43 2010 ok
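The two procedures above leave three things to the operator's eye: finding the CDP hostname in the openssl output, confirming the CDP answers before its name goes into /etc/hosts, and reading the listcrls output for the revoked count and next-update time. The following shell functions, added here and not part of the Avaya guide, do all three. The openssl text fragment and the host crl.example.test are constructed; the listcrls sample is the output shown above; hostTableConfig is the guide's own tool, and add_cdp_host is an assumed wrapper around it.

```shell
#!/bin/sh
# Added example (not part of the Avaya guide): helpers for the automatic CRL
# retrieval procedure. Needs only sh, sed, awk and grep; ping is used for the
# reachability check and hostTableConfig is the guide's own tool.

# cdp_host: read "openssl x509 -text -noout -in <cert>" output on stdin and
# print the hostname of the first http:// URI under
# "X509v3 CRL Distribution Points" (any :port suffix removed, because
# hostTableConfig wants only the name).
cdp_host() {
    sed -n '/CRL Distribution Points/,/^ *X509v3/p' \
    | grep -o 'http://[^/ ]*' | head -n 1 | sed 's|^http://||; s|:.*||'
}

# cdp_reachable IP: the CDP must answer from this server before its name
# is added to /etc/hosts; otherwise IPsec fails to start (guide's warning).
cdp_reachable() {
    ping -c 1 -W 2 "$1" >/dev/null 2>&1
}

# add_cdp_host IP CERT: take the name from CERT, check reachability, and
# only then register it with hostTableConfig (assumed wrapper).
add_cdp_host() {
    ip=$1
    name=$(openssl x509 -text -noout -in "$2" | cdp_host)
    [ -n "$name" ] || { echo "no http CRL distribution point in $2" >&2; return 1; }
    cdp_reachable "$ip" || { echo "CDP $ip not reachable; not adding $name" >&2; return 1; }
    hostTableConfig -a "$ip" "$name" && hostTableConfig -q
}

# crl_summary [TODAY]: read "ipsec auto --listcrls" output on stdin; print
# "<revoked count> <current|expired> <next update as YYYYMMDD>" per CRL.
# TODAY (YYYYMMDD) defaults to the current date. An expired CRL means
# retrieval is not keeping up and revoked certificates may be accepted.
crl_summary() {
    today=${1:-$(date +%Y%m%d)}
    sed 's/^000 *//' | awk -v today="$today" '
        BEGIN { split("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec", m, " ")
                for (i in m) mon[m[i]] = i }
        /revoked certs:/ { revoked = $NF }
        /^next /         { nxt = sprintf("%04d%02d%02d", $5, mon[$2], $3)
                           print revoked, (nxt + 0 >= today + 0 ? "current" : "expired"), nxt }
    '
}

# Constructed "openssl x509 -text" fragment (crl.example.test is made up)
sample_cert_text() {
    cat <<'EOF'
            X509v3 Subject Key Identifier:
                4A:3B:2C:1D
            X509v3 CRL Distribution Points:

                Full Name:
                  URI:http://crl.example.test/getcrl?Constructed%20CA

            X509v3 Authority Key Identifier:
                keyid:9F:8E:7D:6C
EOF
}

# The guide's own "ipsec auto --listcrls" output
sample_listcrls() {
    cat <<'EOF'
000
000 List of X.509 CRLs:
000
000 Apr 16 19:09:52 2010, revoked certs: 62
000        issuer:  'C=US, O=U.S. Government, OU=DoD, OU=PKI, CN=DoD JITC Root CA 2'
000        distPts: 'http://crl.gds.nit.disa.mil/getcrl?DoD%20JITC%20Root%20CA%202'
000        updates: this Apr 15 08:57:43 2010
000                 next Jun 16 08:57:43 2010 ok
EOF
}

# Example run on a server:
#   add_cdp_host 192.168.1.12 /path/to/ipsec-cert.pem
#   ipsec auto --listcrls | crl_summary
```

Run crl_summary on every server, not just one: each server fetches its own copy of the CRL, so a single server with a blocked path to the CDP keeps an expired CRL while the others are current.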
Use this procedure to manually add a CA chain if the installed PKCS12 file does not contain
a CA chain.
Procedure
3. From the IPSec Certificate Management Options menu, enter 3 to select Install CA
Certificate.
6. Enter Y to confirm.
The system controls the access to its servers by enforcing a set of designated access control
rules, called Access Control List (ACL) on each server. These access control rules reject all
communications except for those with trusted nodes and those using trusted ports.
The access control rules are enforced through the Linux iptables and ip6tables utilities.
Internal rules pertain to connections within the system itself. The MCP database autogenerates the internal rules.
External rules restrict external access to the Application Server 5300. You configure and enforce the external access control rules with the iptcfg tool, which applies them through the iptables utility (the firewall utility that the Linux system provides).
The system enforces the internal ACL rules only after you use the iptcfg utility to configure and
commit the external ACL rules.
Figure 3: ACL firewall
Trusted nodes
Trusted nodes are external nodes with which communications of all protocols using any port
are permitted. IPsec protection for communications with trusted nodes is not required.
The system or network security administrator defines trusted nodes for the system. A trusted
node can be either a single external node, or a set of external nodes within a subnet.
Trusted ports
Trusted ports are server ports on which the system permits all ingress traffic of a particular
protocol from anywhere, if it is an input port, or, all egress traffic of a particular protocol to
anywhere, if it is an output port.
IPsec protection on traffic using trusted ports is not required. Trusted ports are predetermined.
The administrator can open or close a trusted port or change to use an alternate port number,
but cannot add a new trusted port or delete an existing trusted port.
The following table lists the predetermined trusted ports in the system.
Table 7: Trusted ports in the system
Port       Protocol   Port Number (Default)   Redirect Port Number (Default)
SIP UDP    UDP        5060                    N/A
SIP TCP    TCP        5060                    N/A
           TCP        5061                    N/A
PA HTTP    TCP        80                      8081
PA HTTPS   TCP        443                     8043
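To make the trusted-node and trusted-port model concrete, the following shell script, added here and neither taken from nor equivalent to the output of iptcfg, renders such a policy as the iptables commands it implies: accept anything from a trusted node, accept a trusted port from anywhere after the PA redirect has been applied in the nat table, mark signaling ports with the Network Signaling DSCP value 48 from Table 9, and drop everything else. The chain name AS5300_ACL, the input file formats, the sample addresses and the choice of which ports count as signaling are assumptions made for this example; on a real server the only supported way to commit rules is iptcfg.

```shell
#!/bin/sh
# Added example (not the guide's tool): render a trusted-node / trusted-port
# policy as iptables commands for review. Nothing is executed; the output is
# text. Chain name, file formats and sample addresses are assumptions.

# gen_acl_rules NODES PORTS
#   NODES: one trusted node (IP or CIDR) per line; any protocol, any port
#   PORTS: "<name> <proto> <port> <redirect-port or ->" per line
# Prints rules in the order they must apply: nat redirects first, then the
# filter chain, which ends in DROP.
gen_acl_rules() {
    nodes=$1
    ports=$2
    echo "iptables -N AS5300_ACL 2>/dev/null; iptables -F AS5300_ACL"
    echo "iptables -A AS5300_ACL -i lo -j ACCEPT"
    echo "iptables -A AS5300_ACL -m state --state ESTABLISHED,RELATED -j ACCEPT"
    # trusted nodes: no port or protocol restriction
    grep -v '^#' "$nodes" | while read -r node; do
        [ -n "$node" ] || continue
        echo "iptables -A AS5300_ACL -s $node -j ACCEPT"
    done
    # trusted ports: open to anyone; a redirected port is accepted on the
    # port it is redirected to, because filtering runs after nat
    grep -v '^#' "$ports" | while read -r name proto port redir; do
        [ -n "$name" ] || continue
        if [ "$redir" != "-" ]; then
            echo "iptables -t nat -A PREROUTING -p $proto --dport $port -j REDIRECT --to-ports $redir"
            port=$redir
        fi
        echo "iptables -A AS5300_ACL -p $proto --dport $port -j ACCEPT  # $name"
    done
    echo "iptables -A AS5300_ACL -j DROP"
    echo "iptables -A INPUT -j AS5300_ACL"
}

# gen_dscp_rules PORTS DSCP PATTERN
# Marks egress packets sent from the trusted ports whose name matches the
# shell PATTERN with DSCP (48 is the guide's Network Signaling value).
# Treating the SIP ports as signaling is an assumption of this example.
gen_dscp_rules() {
    dscp=$2
    pattern=$3
    grep -v '^#' "$1" | while read -r name proto port redir; do
        [ -n "$name" ] || continue
        case "$name" in $pattern) ;; *) continue ;; esac
        [ "$redir" = "-" ] || port=$redir
        echo "iptables -t mangle -A OUTPUT -p $proto --sport $port -j DSCP --set-dscp $dscp  # $name"
    done
}

# write_sample_policy DIR: constructed inputs using Table 7's SIP and PA
# ports; the trusted node addresses are made up.
write_sample_policy() {
    mkdir -p "$1"
    printf '%s\n' '# trusted nodes' 192.168.1.200 192.168.2.0/24 > "$1/nodes"
    printf '%s\n' '# name proto port redirect' \
        'SIP_UDP udp 5060 -' 'SIP_TCP tcp 5060 -' 'SIP_TLS tcp 5061 -' \
        'PA_HTTP tcp 80 8081' 'PA_HTTPS tcp 443 8043' > "$1/ports"
}

# Example:
#   write_sample_policy /tmp/acl
#   gen_acl_rules /tmp/acl/nodes /tmp/acl/ports
#   gen_dscp_rules /tmp/acl/ports 48 'SIP_*'
```

Reviewing the generated text against Table 7 before committing the real rules with iptcfg shows two ordering facts worth keeping in mind: the redirect has to exist before the filter rule, and the filter rule must accept the redirected port (8081), not the advertised one (80), because filtering runs after nat.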
In addition to the external trusted nodes configuration that secures system communications
with the external world, the internal trusted node mesh configuration secures inter-server
communications within the system.
Use the following tools to manage and configure firewall (IPTables) rules for server access
control (trusted nodes, trusted ports, and DSCP marking).
Tool        Description
iptcfg      Administrators use this tool to configure firewall (IPTables) rules for server access control (trusted nodes, trusted ports, and DSCP marking), and to enforce the configured firewall (IPTables) rules.
iptstatus   Administrators use this tool to verify and view the trusted node, trusted port, and DSCP marking configurations from outside of the iptcfg tool.
Access each tool by typing the tool name at the command prompt.
For more information about iptstatus, see Viewing trusted node and port configurations with
iptstatus on page 202.
DSCP marking
The system uses differentiated services code point (DSCP) marking to differentiate between
the following types of data:
Network Signaling
Filtering packets based on DSCP marking can also add an additional layer of security for the
system. The DSCP marking state is either enabled, or disabled.
Each defined communication channel on the system has a designated DSCP category.
Therefore, the system marks all of the IP packets that originate from each communication
channel according to its category. Applications and communication channels, to which the
system applies DSCP marking, are predefined and cannot be changed. The system applies
DSCP marking to the following list of applications and communication channels:
Database connections
IPsec negotiation
Syslog
iptcfg: with the iptcfg tool, you can configure DSCP marking values, DSCP marking state,
and enforce IP Tables rules.
iptstatus: with the iptstatus tool, you can verify and view trusted nodes, DSCP marking configurations, and the IP Tables rules from outside of the iptcfg tool.
With the iptcfg tool, you can also roll back (reset) the DSCP marking configuration to its last
previous configuration. This rollback is limited to one version.
By default, DSCP marking is disabled. However, a default DSCP marking values configuration exists. The following table lists the default DSCP marking categories and values.
Table 9: DSCP marking categories and values
DSCP marking category   Value (Default)
Network Signaling       48
The following table lists system applications and the corresponding DSCP marking categories.
Important:
You cannot add or remove applications, and you cannot change the corresponding DSCP marking category for an application.
Table 10: DSCP marking categories for applications
Application            DSCP marking category
Database connections
IPsec negotiation
Network Signaling
Syslog
NED
Sslftpd
ICMP messages          Network Signaling
By default, there are no trusted nodes configured and no corresponding firewall rules in place
after initial system installation.
After installation, there are no firewall rules for trusted ports configured except for the PA port redirection rules, which redirect the PA HTTP port from port 80 to port 8041, and the PA HTTPS port from port 443 to port 8043.
Except for the PA ports, other trusted ports are in the Unconfigured state after installation.
By default, DSCP marking is disabled. The default configuration of the three values exists, but the system does not apply the values until you enable DSCP marking.
The applications and communication channels to which DSCP marking applies, are predefined
and assigned a DSCP marking category. You cannot modify the predefined applications or
assignments.
Table 11: Predefined DSCP marking categories
Application            DSCP marking category
Database connections
IPsec negotiation
Network Signaling
Syslog
NED
SSL FTP
ICMP messages          Network Signaling
The administrator is not permitted to add new or delete existing trusted ports. Whenever there
are any changes in IPsec policy, access control rules must be recommitted.
The iptcfg tool is specially designed for configuring or modifying the firewall rules in the system.
The integrity of the firewall settings in the system is not guaranteed if other firewall configuration
tools are used.
The iptcfg tool provides a rollback capability allowing the firewall or access control to be reset
to its previous settings. However, this rollback is limited only to the most recent previous
version.
The administrator cannot add or remove applications, or change the corresponding DSCP
marking category for an application.
Configure access control to only permit internal system communication and system communication with trusted external nodes over trusted ports.
For more information, see 105.1.3 AS5300 Security Hardening.
Warning:
The iptcfg tool is specially designed to configure and manage the firewall (IPTables) rules for the Avaya Aura Application Server 5300 system. Avaya does not guarantee the integrity of the firewall configuration if you use any other firewall configuration tool.
Prerequisites
The IPsec mesh configuration is complete.
Access control configuration tasks
The following work flow shows the sequence of tasks that you perform to configure access control for the system.
The following task flow shows the sequence of procedures that you perform to configure internal access control for the system.
Navigation
Installing the internal ACL configuration file on the primary EMS on page 197
Installing the internal ACL configuration file on the other servers on page 198
Generating the internal ACL file
Use this procedure to generate the internal Access Control List (ACL) file and place it into a temporary location on the primary element manager server.
Procedure
1. Log on to the primary Element Management System (EMS) server as a user with
AA role.
The EMS servers host the primary and secondary AS 5300 Element Manager and
databases (DB).
2. Run the script to generate the internal ACL file:
/mcpGenIntACLConfig.pl
The newly-generated internal ACL file resides on the primary EMS.
Installing the internal ACL configuration file on the primary EMS
To complete the internal ACL configuration, install the internal ACL file on the primary Element Management System (EMS) server, and on all other Application Server 5300 servers, including Avaya Media Server (MS).
Prerequisites
A previously generated internal ACL file already exists. For more information, see Generating the internal ACL file on page 197.
Procedure
1. Log on to the primary Element Management System (EMS) server as a user with
SSA role.
The EMS servers host the primary and secondary AS 5300 Element Manager and
databases (DB).
2. Install the internal ACL file:
mcpInstIntACLConf -copy
Installing the internal ACL configuration file on the other servers
To complete the internal ACL configuration, install the internal ACL file on each of the other servers. Each server fetches the file over SFTP from the primary element manager server, where it was installed in the previous procedure.
Important:
Repeat this procedure for each core server and Avaya Media Server (MS) in your Application
Server 5300 system.
Procedure
3. At the prompt for the Remote server IP address, enter the Internal OAM IP address
of the primary EMS server.
4. At the prompt for the SFTP user ID, enter an SSA username defined on the primary
EMS.
5. At the prompt for the SFTP password, enter the SSA user password.
6. At the prompt to confirm the password, enter the SSA user password again.
About this task
This chapter contains procedures that you use to administer access control (IPTables) rules.
Navigation:
Viewing trusted node and port configurations with iptstatus on page 202
Use this procedure to perform bulk data entry for access control configuration (trusted nodes,
trusted ports, and DSCP marking). The tool converts the import data into corresponding
IPTables rules and commits the changes.
Prerequisites
You have transferred the server-specific ACL import file to the server using sftp or scp.
Procedure
The import data file is a plain text file. You can find an example of an ACL import file on any
AS 5300 server in the /opt/mcp/ipt/example directory.
The import files are server-specific, so each server in the AS 5300 system requires its own
import file with IP addresses that are specific to that server.
The following are examples of external trusted nodes that may need to be configured in the
import file:
Administrator PCs
Use this procedure to display all of the configured access control rules (trusted nodes, trusted
ports, and DSCP marking).
Important:
The iptcfg tool shows only access control rules configured by using the iptcfg tool. The iptcfg
tool does not show access control rules configured by using other tools.
Procedure
Use this procedure for troubleshooting purposes, to roll access control rules (trusted nodes,
trusted ports, and DSCP marking) back to the previous configuration.
Procedure
Use this procedure for troubleshooting purposes, to restore the default configuration for access
control (trusted nodes, trusted ports, and DSCP marking).
Procedure
Use this procedure to display all of the configured trusted nodes and ports, and DSCP marking
configuration by using the iptstatus command.
Procedure
Viewing trusted node and port configurations with iptstatus job aid
Option descriptions:
- Displays all current access control rules. This option provides the same functionality as the Show Current Access Control Rules option provided by the iptcfg tool.
- Displays all current DSCP marking configurations. This option provides the same functionality as the Show DSCP marking configurations option provided by the iptcfg tool.
- Displays all current access control rules in a justified format based on the raw format.
- Displays all current trusted node configurations. This option provides the same functionality as the List trusted nodes option provided by the iptcfg tool.
- Displays all current trusted port configurations. This option provides the same functionality as the List trusted ports option provided by the iptcfg tool.
- Displays all current access control rules in a raw format that is convenient for the user to further process the data, if desired.
The syntax for the iptstatus command in the raw format is as follows:
<Type of Rule>, <Version of IP>, <Source IP>, <Source Subnet Mask>, <Destination IP>, <Destination Subnet Mask>, <Protocol>, <Source Port>, <Destination Port>, <To-Port>, <DSCP Value>
The iptstatus tool displays the access control rules in this raw format.
The following table lists and describes each of the syntax variables.
Syntax variable / Description
<Type of Rule>
<Version of IP>
<Source IP>
<Destination IP>
<Protocol>
<Source Port>
<Destination Port>
<To-Port>
<DSCP Value>: A number in the 0-63 range, or a dash (-) to indicate that a DSCP value is not needed.
The following shows an example of the access control rules in the raw format:
iptstatus -r
[sudo] password for sysadm:
1,ipv4,47.102.0.0,/16,135.60.83.68,-,*,*,*,-,2,ipv4,135.60.83.68,-,47.102.0.0,/16,*,*,*,-,1,ipv4,47.102.0.0,/16,135.60.83.77,-,*,*,*,-,2,ipv4,135.60.83.77,-,47.102.0.0,/16,*,*,*,-,1,ipv4,47.102.0.0,/16,135.60.83.78,-,*,*,*,-,2,ipv4,135.60.83.78,-,47.102.0.0,/16,*,*,*,-,1,ipv4,135.60.0.0,/16,135.60.83.68,-,*,*,*,-,-
Validate that the administrator PC(s) that were added as trusted nodes can access the
servers using SSH.
Validate that the System Management user interface can be accessed through the
administrator PC(s).
Validate that the Provisioning web page can be accessed through the administrator
PC(s).
Validate that the Avaya Media Server EM can be accessed through the administrator
PC(s).
Validate that subscribers can register and make calls on the system.
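The following Python is an added example, not Avaya code: it parses iptstatus -r raw records in the documented 11-field syntax, validates the port and DSCP fields, and reports which rules cover a given source host and server, which is one way to check the administrator PC and subscriber validations above before relying on them. It assumes one record per line; the sample records, addresses and the rules_covering helper are constructed for the example.

```python
# Added example, not Avaya code: parse "iptstatus -r" raw records (the documented
# 11-field syntax, one record per line) and audit which rules cover a given host.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Union

FIELD_COUNT = 11  # type, IP version, src IP/mask, dst IP/mask, proto, ports, to-port, DSCP
Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


@dataclass(frozen=True)
class AclRule:
    rule_type: str
    ip_version: str
    src: Network
    dst: Network
    protocol: str            # "*" matches any protocol
    src_port: Optional[int]  # None stands for "*"
    dst_port: Optional[int]
    to_port: Optional[int]   # None stands for "-"
    dscp: Optional[int]      # None stands for "-" (no DSCP marking)


def _network(addr: str, mask: str, ip_version: str) -> Network:
    """Join an address with its "/N" mask field; "-" means a single host."""
    net = ipaddress.ip_network(addr if mask == "-" else addr + mask, strict=False)
    if net.version != (4 if ip_version == "ipv4" else 6):
        raise ValueError(f"{addr} does not match IP version {ip_version}")
    return net


def _port(field: str) -> Optional[int]:
    if field in ("*", "-"):
        return None
    port = int(field)
    if not 0 < port <= 65535:
        raise ValueError(f"port out of range: {field}")
    return port


def _dscp(field: str) -> Optional[int]:
    """DSCP is a number in the 0-63 range, or "-" when no marking is needed."""
    if field == "-":
        return None
    value = int(field)
    if not 0 <= value <= 63:
        raise ValueError(f"DSCP value out of range: {field}")
    return value


def parse_rule(line: str) -> AclRule:
    fields = [f.strip() for f in line.split(",")]
    if len(fields) != FIELD_COUNT:
        raise ValueError(f"expected {FIELD_COUNT} fields, got {len(fields)}")
    kind, ver, sip, smask, dip, dmask, proto, sport, dport, toport, dscp = fields
    if ver not in ("ipv4", "ipv6"):
        raise ValueError(f"unknown IP version: {ver!r}")
    return AclRule(kind, ver, _network(sip, smask, ver), _network(dip, dmask, ver),
                   proto, _port(sport), _port(dport), _port(toport), _dscp(dscp))


def parse_raw(output: str) -> List[AclRule]:
    """Parse every record line; other lines (such as the sudo prompt) are skipped."""
    return [parse_rule(line) for line in output.splitlines()
            if line.count(",") == FIELD_COUNT - 1]


def rules_covering(rules: List[AclRule], src_addr: str, dst_addr: str,
                   dst_port: Optional[int] = None) -> List[AclRule]:
    """Rules whose source and destination networks cover the pair, e.g. to confirm
    that an administrator PC really was added as a trusted node of a server."""
    src, dst = ipaddress.ip_address(src_addr), ipaddress.ip_address(dst_addr)
    return [r for r in rules if src in r.src and dst in r.dst
            and (dst_port is None or r.dst_port in (None, dst_port))]


# Constructed sample in the documented syntax (documentation addresses, not real output).
SAMPLE_OUTPUT = """[sudo] password for sysadm:
1,ipv4,192.0.2.0,/24,198.51.100.10,-,*,*,*,-,-
2,ipv4,198.51.100.10,-,192.0.2.0,/24,*,*,*,-,-
1,ipv4,192.0.2.0,/24,198.51.100.10,-,tcp,*,22,-,46
"""

if __name__ == "__main__":
    for rule in rules_covering(parse_raw(SAMPLE_OUTPUT), "192.0.2.25", "198.51.100.10", 22):
        print(rule)
```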
About this task
Access control rules and DSCP marking configuration changes do not take effect until after you enforce (commit) them. This section describes how to enforce access control rules and DSCP marking for the system.
Navigation:
Enforcing access control rules on page 205
Enforce (commit) the access control and DSCP marking configuration rules so that the system
applies the rules for trusted nodes and trusted ports.
Important:
To prevent the administrator from being locked out of the server, the tool requires that at
least one trusted node be configured. If at least one configured trusted node does not exist,
the tool cannot commit the changes.
Procedure
5. Enter Y to confirm.
The Application Server 5300 servers get the date and time from one or more remote NTP servers. The NTP servers are initially configured during system installation. If the remote NTP server changes, you must update the servers with the new IP of the remote NTP servers.
NTP
The following task flow shows the sequence of procedures that you perform to manage NTP servers.
Navigation
Use this procedure to update the NTP server information on the Application Server 5300
servers if you need to change the IP address of the primary clock source servers.
Procedure
9. Repeat step 7 on page 208 to step 8 on page 208 for each primary clock source that
you add.
10. If you are configuring a simplex system, enter the machine logical IP address.
Updating the primary clock source servers when your system uses symmetric key encryption
If your system uses symmetric key encryption to protect NTP traffic, use this procedure to
change the IP address of the primary clock source servers for NTP.
Procedure
1. Transfer the keys file from the external NTP server to /var/tmp on the AS 5300
Element Manager server.
12. Repeat step 7 on page 208 to step 8 on page 208 for each primary clock source
that you add.
13. If you are configuring a simplex system, enter the machine logical IP address.
Use this procedure to update the NTP server information on the Application Server 5300
servers if you need to change the IP address of the secondary clock source servers.
Procedure
9. Enter the machine logical IP address of the primary clock source server.
10. Repeat step 7 on page 209 to step 9 on page 210 for each secondary clock source
that you add.
If your system uses symmetric key encryption to protect NTP traffic, use this procedure to
change the IP address of the secondary clock source servers for NTP.
Procedure
1. Transfer the keys file from the external NTP server to /var/tmp on the AS 5300
Element Manager server.
12. Enter the machine logical IP address of the primary clock source server.
13. Repeat step 7 on page 209 to step 9 on page 210 for each secondary clock source
that you add.
Important:
Perform this procedure on all SIP Core and Avaya Media Server (MS) servers that are not
designated as a primary or secondary clock server.
Procedure
1. Log on to the server as a user with SSA role.
5. Enter the internal OAM IP of the EMS server used as the primary clock source
server.
6. Enter the internal OAM IP of the EMS server used as the secondary clock source
server.
About this task
Configuring the AS 5300 Session Managers to use only TLS on page 213
For a FIPS-compliant system, configure the AS 5300 Session Managers to use only Transport
Layer Security (TLS).
Procedure
1. From the configuration view of the AS 5300 Element Manager Console, select
Network Elements > Session Managers.
2. In the Session Managers panel, select the entry for the network element to modify
and click Edit (-/+).
3. In the Edit <Session Manager instance> dialog box, clear the Enable SIP TCP Port
and the Enable SIP TLS Port check boxes.
5. Click Apply.
Variable definitions
Variable
Value
Configuring the AS 5300 Session Managers to use only TLS job aid
This job aid lists the fields on the Edit <Session Manager instance> dialog box.
Parameter / Description
Short Name
Long Name
Base Port: A range of 100 ports reserved off the base port for use by the NE. Range: 1100654 000
FPM
Signaling Service Address
AM
Call Park Id
SIP Certificate: The logical name of the certificate that the system uses for secure SIP communication. (Select from the list.)
Sesm LDAP Certificate: The logical name of the certificate that the AS 5300 Session Manager uses to communicate with the LDAP server. (Select from the list.)
For a FIPS-compliant system, configure the Provisioning Managers to use only Transport Layer
Security (TLS).
Procedure
1. From the configuration view of the AS 5300 Element Manager Console, select
Network Elements > Provisioning Managers.
2. In the Provisioning Managers panel, select the entry for the network element to
modify and click Edit (-/+).
3. In the Edit <Provisioning Manager instance> dialog box, clear the Enable SIP TCP
Port and the Enable SIP TLS Port check boxes.
5. Click Apply.
Variable definitions
Variable
Value
This job aid lists and describes the fields on the Edit <Provisioning Manager instance> dialog
box.
Parameter
Description
Short Name
Long Name
Base Port: A range of 100 ports reserved off the base port for use by the NE. Range: 1100654000
FPM
Enable Prov HTTP Port
Internal OAM HTTPS Certificate: The private key and certificate pair for the Provisioning HTTPS server.
External OAM HTTPS Certificate: The private key and certificate pair for the Provisioning HTTPS server (external interface).
LDAP Certificate: The logical name of the certificate used for communication between the Provisioning Manager and the LDAP server.
Enable PA HTTP Port
PA HTTPS Certificate: The private key and certificate pair that the Personal Agent HTTPS server uses. (Select from the list.)
(Check box) Select to enable the SIP UDP port. Default: 5060
(Check box) Select to enable the SIP TCP port. Default: 5060
(Check box) Select to enable the SIP TLS port. Default: 5061
SIP Certificate: The logical name of the certificate that the system uses for secure SIP communication. (Select from the list.)
About this task
TLS mutual authentication mode requires both the server endpoint and client endpoint to exchange X.509 certificates for authentication. TLS mutual authentication is now supported for all end user devices. Interfaces between network elements will continue to enforce TLS mutual authentication as the mandatory setting. End user devices have the option to enforce TLS mutual authentication.
When applied to end user interfaces, TLS mutual authentication allows for two-factor authentication:
HTTPS: OMI, OPI and SOPI. When TLS mutual authentication is enabled, the system administrator
is required to install a client certificate in all HTTPS endpoints.
Navigation:
1. In the configuration view of the AS 5300 Element Manager Console, select Network
Elements > Session Managers > <Session Manager instance> > Configuration
Parameters.
Procedure
1. In the configuration view of the AS 5300 Element Manager Console, select Network
Elements > AS 5300 Element Manager > <AS 5300 Element Manager instance>
> Configuration Parameters.
5. Click Apply.
8. After the standby instance state turns to hot standby, stop the active AS 5300
Element Manager.
This action causes a failover to the backup AS 5300 Element Manager and will
cause the AS 5300 Element Manager Console to lose connectivity.
This chapter provides details about Federal Information Processing Standards (FIPS) in the Avaya Aura Application Server 5300 system. For background information about the National Institute of Standards and Technology (NIST) and FIPS, see Avaya Aura Application Server 5300 Overview, NN42040-100.
Navigation:
FIPS compliance
The system is FIPS 140-2 compliant because all cryptographic modules in the solution use
FIPS 140-2 certified cryptographic modules and approved security functions. FIPS 140-2
covers cryptography for traffic external to the system and for internal system traffic. The
following communication protocols use FIPS 140-2 cryptographic modules:
- SIP/TLS
- IPsec
- IKE
- HTTPS
- SSH
- SFTP
Security function / Certificate number
Java JCE: #578, #792. Uses GSE-C.
Platform
An SSA administrator must enable FIPS on the platform for each server. For more information,
see 105.1.3 AS5300 Security Hardening.
SSH
3DES-cbc
AES128-cbc
AES192-cbc
AES256-cbc
The FIPS-compliant AS 5300 Element Manager Console requires Java Release 6.0 07. After
each AS 5300 Element Manager Console upgrade, an administrator must manually replace
the following files:
- /var/mcp/run/MCP_15.1/EM_0/tomcat/webapps/ROOT/smguiws.jar
- /var/mcp/run/MCP_15.1/EM_0/tomcat/webapps/ROOT/axis.jar
- /var/mcp/run/MCP_15.1/EM_0/tomcat/webapps/ROOT/bcprov-jdk16-140.jar
For more information, see Updating the FIPS-compliant AS 5300 Element Manager
Console on page 229.
The following task flow shows the sequence of procedures that you perform to configure cipher suites for the Avaya Aura Application Server 5300 system.
Navigation
Procedure
1. From the configuration view of the AS 5300 Element Manager Console, select
Network Data and Mtc > Cipher Suites > OAMP Channel Cipher Suites.
3. Ensure that the value for each of the other cipher suite entries is false.
5. Click Apply.
Procedure
1. From the configuration view of the AS 5300 Element Manager Console, select
Network Data and Mtc > Cipher Suites > External OAMP Cipher Suites.
5. Ensure that the value for each of the other cipher suite entries is false.
7. Click Apply.
Configure Secure Hypertext Transfer Protocol (HTTPS) ciphers to enable only FIPS-compliant
cipher suites.
Procedure
1. From the configuration view of the AS 5300 Element Manager Console, select
Network Data and Mtc > Cipher Suites > HTTPS Cipher Suites.
5. Ensure that the value for each of the other cipher suite entries is false.
7. Click Apply.
Procedure
1. From the configuration view of the AS 5300 Element Manager Console, select
Network Data and Mtc > Cipher Suites > Signaling Cipher Suites.
5. Click Apply.
About this task
Configure Federal Information Processing Standards (FIPS) to enable FIPS 140-2 compliant validation for the Avaya Aura Application Server 5300 system. Use the procedures in this chapter to manage FIPS.
Navigation:
Procedure
1. In the configuration view of the AS 5300 Element Manager Console, select Network
Elements > <NE type> > <NE instance> > NE Maintenance.
2. In the Maintenance panel, select the network element to stop, and click Stop.
The time required to complete the process depends on the network element type
and the hosting server.
Variable Definitions
Variable
Value
<NE type>
<NE instance>
Enable FIPS on each server as part of the FIPS configuration process, after you stop all of the
network elements.
Important:
Repeat this procedure for each server in your Application Server 5300 system.
Ensure that all Network Elements (NEs) on the system are stopped.
Procedure
3. Enter Y to continue.
5. Configure the SSH client to use the following ciphers: 3DES-cbc, AES128-cbc,
AES192-cbc, and AES256-cbc.
This job aid provides an example of the results returned after you run the script to verify that
FIPS is enabled.
For a FIPS-compliant system, install the FIPS-compliant AS 5300 Element Manager Console
on the management PC.
Procedure
3. Click OK.
4. At the command prompt, enter java -version to determine the current JRE
version installed on the management PC.
5. To determine the JRE version that the AS 5300 Element Manager Console requires,
open a web browser and enter: https://<EM Console IP>:12121/servlet/InstallServlet
6. If the JRE version installed on the management PC does not match the JRE version
that the AS 5300 Element Manager Console requires, click the link titled Click to
install JRE <version> to download and run the installer.
Variable definitions
Variable: MCPJAVAHOME
Value: C:\Progra~1\Java\jre1.6.0_16 (Or specify the path to the Java installation. The path cannot contain spaces.)
13. Open a web browser, and enter the following command to download the FIPS
Management Console zip file:
https://<EM Console IP>:12121/fips-mgmtconsole.zip
Important:
You must download and unzip a new fips-mgmtconsole.zip file every time you
upgrade the MCP system.
cd %MCPJAVAHOME%\lib\security
Tip:
If the system displays an error that the file cannot be created, right-click the
fips-mgmtconsole.bat file, select Properties, and deselect the Read-only Attributes
check box.
26. Update the smaddr.txt file in the unzipped fips-mgmtconsole directory to include the
EM service IP address.
Tip:
If the system displays an error that the file cannot be created, right-click the
smaddr.txt file, select Properties, and deselect the Read-only Attributes check
box.
28. To open the AS 5300 Element Manager Console, double-click the fips-mgmtconsole.bat
file in the unzipped fips-mgmtconsole directory.
Tip:
If the system displays an Unable to activate Certicom FIPS Manager
error, copy the fips-mgmtconsole directory to another location and launch the
batch file again.
Important:
To ensure FIPS compliance, always access the EM Console through the fips-mgmtconsole.bat
file. Do not access the EM Console through https://<EM Console IP>:12121.
Variable Definitions
<EM_Service_IPAddress>: The IP for the AS 5300 Element Manager Service Address.
For a FIPS-compliant system, update the FIPS-compliant AS 5300 Element Manager Console
on the management PC after every AS 5300 Element Manager Console update.
Procedure
1. Download the FIPS Management Console zip file from the following address, to the
directory that you created in Installing the FIPS-compliant AS 5300 Element
Manager Console on page 227:
https://<EM_Service_IPAddress>:12121/fips-mgmtconsole.zip
You can use the backup copy to overwrite the FIPS version if you need to use the
original AS 5300 Element Manager Console.
3. Unzip the FIPS Management Console zip file that you downloaded in step 1 on page
229.
4. Open a command window, and change to the directory that contains the AS 5300
Element Manager Console FIPS files.
5. Replace the original java.security file, in the library extension of the Java
installation folder, with the FIPS-compliant version of the file:
copy D:\MCP\fips_smgui\fips-mgmtconsole\java.security
%MCPJAVAHOME%\lib\security\java.security
6. To open the AS 5300 Element Manager Console, run the fips-mgmtconsole.bat file
(located in the D:\fips-mgmtconsole directory).
Variable Definitions
<EM_Service_IPAddress>: The IP for the AS 5300 Element Manager Service Address.
Procedure
1. In the configuration view of the AS 5300 Element Manager Console, select Network
Elements > <NE type> > <NE instance> > NE Maintenance.