Avaya Aura Application Server 5300


Security

Release 3.0
NN42040-601, Document Revision: 04.AU
May 3, 2012

Avaya - Proprietary. Use pursuant to the terms of your signed agreement or Avaya policy.
DRAFT May 3, 2012 8:51 PM (UTC+01:00)

© 2012 Avaya Inc.
All Rights Reserved.

Notice
While reasonable efforts have been made to ensure that the information in this document is complete and accurate at the time of printing, Avaya assumes no liability for any errors. Avaya reserves the right to make changes and corrections to the information in this document without the obligation to notify any person or organization of such changes.

Documentation disclaimer
Documentation means information published by Avaya in varying mediums which may include product information, operating instructions and performance specifications that Avaya generally makes available to users of its products. Documentation does not include marketing materials. Avaya shall not be responsible for any modifications, additions, or deletions to the original published version of documentation unless such modifications, additions, or deletions were performed by Avaya. End User agrees to indemnify and hold harmless Avaya, Avaya's agents, servants and employees against all claims, lawsuits, demands and judgments arising out of, or in connection with, subsequent modifications, additions or deletions to this documentation, to the extent made by End User.

Link disclaimer
Avaya is not responsible for the contents or reliability of any linked Web sites referenced within this site or documentation provided by Avaya. Avaya is not responsible for the accuracy of any information, statement or content provided on these sites and does not necessarily endorse the products, services, or information described or offered within them. Avaya does not guarantee that these links will work all the time and has no control over the availability of the linked pages.

Warranty
Avaya provides a limited warranty on its Hardware and Software (Product(s)). Refer to your sales agreement to establish the terms of the limited warranty. In addition, Avaya's standard warranty language, as well as information regarding support for this Product while under warranty is available to Avaya customers and other parties through the Avaya Support Web site: http://support.avaya.com. Please note that if you acquired the Product(s) from an authorized Avaya reseller outside of the United States and Canada, the warranty is provided to you by said Avaya reseller and not by Avaya.

Licenses
THE SOFTWARE LICENSE TERMS AVAILABLE ON THE AVAYA WEBSITE, HTTP://SUPPORT.AVAYA.COM/LICENSEINFO/ ARE APPLICABLE TO ANYONE WHO DOWNLOADS, USES AND/OR INSTALLS AVAYA SOFTWARE, PURCHASED FROM AVAYA INC., ANY AVAYA AFFILIATE, OR AN AUTHORIZED AVAYA RESELLER (AS APPLICABLE) UNDER A COMMERCIAL AGREEMENT WITH AVAYA OR AN AUTHORIZED AVAYA RESELLER. UNLESS OTHERWISE AGREED TO BY AVAYA IN WRITING, AVAYA DOES NOT EXTEND THIS LICENSE IF THE SOFTWARE WAS OBTAINED FROM ANYONE OTHER THAN AVAYA, AN AVAYA AFFILIATE OR AN AVAYA AUTHORIZED RESELLER; AVAYA RESERVES THE RIGHT TO TAKE LEGAL ACTION AGAINST YOU AND ANYONE ELSE USING OR SELLING THE SOFTWARE WITHOUT A LICENSE. BY INSTALLING, DOWNLOADING OR USING THE SOFTWARE, OR AUTHORIZING OTHERS TO DO SO, YOU, ON BEHALF OF YOURSELF AND THE ENTITY FOR WHOM YOU ARE INSTALLING, DOWNLOADING OR USING THE SOFTWARE (HEREINAFTER REFERRED TO INTERCHANGEABLY AS YOU AND END USER), AGREE TO THESE TERMS AND CONDITIONS AND CREATE A BINDING CONTRACT BETWEEN YOU AND AVAYA INC. OR THE APPLICABLE AVAYA AFFILIATE ("AVAYA").

Avaya grants End User a license within the scope of the license types described below. The applicable number of licenses and units of capacity for which the license is granted will be one (1), unless a different number of licenses or units of capacity is specified in the Documentation or other materials available to End User. Designated Processor means a single stand-alone computing device. Server means a Designated Processor that hosts a software application to be accessed by multiple users. Software means the computer programs in object code, originally licensed by Avaya and ultimately utilized by End User, whether as stand-alone Products or pre-installed on Hardware. Hardware means the standard hardware originally sold by Avaya and ultimately utilized by End User.

License Types
Designated System(s) License (DS). End User may install and use each copy of the Software on only one Designated Processor, unless a different number of Designated Processors is indicated in the Documentation or other materials available to End User. Avaya may require the Designated Processor(s) to be identified by type, serial number, feature key, location or other specific designation, or to be provided by End User to Avaya through electronic means established by Avaya specifically for this purpose.

Concurrent User License (CU). End User may install and use the Software on multiple Designated Processors or one or more Servers, so long as only the licensed number of Units are accessing and using the Software at any given time. A Unit means the unit on which Avaya, at its sole discretion, bases the pricing of its licenses and can be, without limitation, an agent, port or user, an e-mail or voice mail account in the name of a person or corporate function (e.g., webmaster or helpdesk), or a directory entry in the administrative database utilized by the Software that permits one user to interface with the Software. Units may be linked to a specific, identified Server.

Database License (DL). End User may install and use each copy of the Software on one Server or on multiple Servers provided that each of the Servers on which the Software is installed communicate with no more than a single instance of the same database.

CPU License (CP). End User may install and use each copy of the Software on a number of Servers up to the number indicated by Avaya provided that the performance capacity of the Server(s) does not exceed the performance capacity specified for the Software. End User may not re-install or operate the Software on Server(s) with a larger performance capacity without Avaya's prior consent and payment of an upgrade fee.

Named User License (NU). End User may: (i) install and use the Software on a single Designated Processor or Server per authorized Named User (defined below); or (ii) install and use the Software on a Server so long as only authorized Named Users access and use the Software. Named User means a user or device that has been expressly authorized by Avaya to access and use the Software. At Avaya's sole discretion, a Named User may be, without limitation, designated by name, corporate function (e.g., webmaster or helpdesk), an e-mail or voice mail account in the name of a person or corporate function, or a directory entry in the administrative database utilized by the Software that permits one user to interface with the Software.

Shrinkwrap License (SR). Customer may install and use the Software in accordance with the terms and conditions of the applicable license agreements, such as shrinkwrap or clickthrough license accompanying or applicable to the Software (Shrinkwrap License). (See Third-party components for more information.)

Copyright
Except where expressly stated otherwise, no use should be made of materials on this site, the Documentation, Software, or Hardware provided by Avaya. All content on this site, the documentation and the Product provided by Avaya including the selection, arrangement and design of the content is owned either by Avaya or its licensors and is protected by copyright and other intellectual property laws including the sui generis rights relating to the protection of databases. You may not modify, copy, reproduce, republish, upload, post, transmit or distribute in any way any content, in whole or in part, including any code and software unless expressly authorized by Avaya. Unauthorized reproduction, transmission, dissemination, storage, and or use without the express written consent of Avaya can be a criminal, as well as a civil offense under the applicable law.

Third-party components
Certain software programs or portions thereof included in the Product may contain software distributed under third party agreements (Third Party Components), which may contain terms that expand or limit rights to use certain portions of the Product (Third Party Terms). Information regarding distributed Linux OS source code (for those Products that have distributed the Linux OS source code), and identifying the copyright holders of the Third Party Components and the Third Party Terms that apply to them is available on the Avaya Support Web site: http://support.avaya.com/Copyright.

Preventing Toll Fraud
Toll fraud is the unauthorized use of your telecommunications system by an unauthorized party (for example, a person who is not a corporate employee, agent, subcontractor, or is not working on your company's behalf). Be aware that there can be a risk of Toll Fraud associated with your system and that, if Toll Fraud occurs, it can result in substantial additional charges for your telecommunications services.

Avaya Toll Fraud Intervention
If you suspect that you are being victimized by Toll Fraud and you need technical assistance or support, call Technical Service Center Toll Fraud Intervention Hotline at +1-800-643-2353 for the United States and Canada. For additional support telephone numbers, see the Avaya Support Web site: http://support.avaya.com. Suspected security vulnerabilities with Avaya products should be reported to Avaya by sending mail to: securityalerts@avaya.com.

Trademarks
The trademarks, logos and service marks (Marks) displayed in this site, the Documentation and Product(s) provided by Avaya are the registered or unregistered Marks of Avaya, its affiliates, or other third parties. Users are not permitted to use such Marks without prior written consent from Avaya or such third party which may own the Mark. Nothing contained in this site, the Documentation and Product(s) should be construed as granting, by implication, estoppel, or otherwise, any license or right in and to the Marks without the express written permission of Avaya or the applicable third party.

Avaya is a registered trademark of Avaya Inc.

All non-Avaya trademarks are the property of their respective owners, and Linux is a registered trademark of Linus Torvalds.

Portions copyright 2001-2010 Certicom Corp. All rights reserved.

Downloading Documentation
For the most current versions of Documentation, see the Avaya Support Web site: http://support.avaya.com.

Contact Avaya Support
Avaya provides a telephone number for you to use to report problems or to ask questions about your Product. The support telephone number is 1-800-242-2121 in the United States. For additional support telephone numbers, see the Avaya Web site: http://support.avaya.com.


Contents
Chapter 1: New in this release........................................................................................... 13
Features.................................................................................................................................................... 13
Other changes........................................................................................................................................... 13
Chapter 2: Introduction...................................................................................................... 19
Chapter 3: Platform security overview.............................................................................. 21
BIOS password control............................................................................................................................. 21
GRUB password control............................................................................................................................ 23
Administrative user account names.......................................................................................................... 23
Administrative user roles........................................................................................................................... 24
Primary role............................................................................................................................................... 24
Sudo access control.................................................................................................................................. 25
Platform user management tool................................................................................................................ 25
Administrative account timers................................................................................................................... 26
Account lockout......................................................................................................................................... 26
Password complexity................................................................................................................................ 27
Password changes........................................................................................................................... 29
Inactive platform account auditing............................................................................................................ 29
Root user access...................................................................................................................................... 30
Individual user accounts............................................................................................................................ 30
Preconfigured accounts............................................................................................................................ 31
Remote system accounts.......................................................................................................................... 31
Secure Shell and Common Access Card integration................................................................................ 32
Administrative user database backup....................................................................................................... 32
Platform warning banners......................................................................................................................... 33
Chapter 4: Platform administrator security management............................................... 35
Modifying password complexity rules (menu)............................................................................... 36
Configuring the GRUB password.............................................................................................................. 37
Creating individual user accounts (menu).................................................................................... 37
Creating individual user accounts job aid......................................................................................... 38
Adding emergency users.......................................................................................................................... 39
Deleting a user account (menu).................................................................................................... 40
    Deleting a user account (menu) job aid............................................................................... 41
Deleting emergency users........................................................................................................................ 41
Modifying user roles (menu)......................................................................................................... 42
Changing the state of a user account (menu)............................................................................... 43
Listing server user accounts (menu)............................................................................................. 44
Managing sudo access (menu)..................................................................................................... 45
Resetting a platform user account password (menu)................................................................... 46
Resetting a platform user account password (CLI)....................................................................... 46
Viewing the status of inactive account auditing......................................................................................... 47
Enabling inactive account auditing............................................................................................................ 47
Enabling inactive account auditing job aid....................................................................................... 48
Disabling inactive account auditing........................................................................................................... 48
Configuring platform warning banners...................................................................................................... 49

Chapter 5: Security configuration and management overview...................................... 51
Application administrator security............................................................................................................. 51
Administrator password complexity.................................................................................................. 52
Password aging................................................................................................................................ 54
Log on session constraints............................................................................................................... 55
Application warning banners............................................................................................................ 55
Administrative user accounts........................................................................................................... 56
Special rules for the Security Administrator..................................................................................... 57
MCP SNMP Community Strings....................................................................................................... 58
Administrative security services....................................................................................................... 58
Application administrator (Admin) security defaults......................................................................... 59
Web server logs........................................................................................................................................ 60
Internal database account security........................................................................................................... 60
Database application security................................................................................................................... 60
Subscriber security.................................................................................................................................... 61
Password policies and domains....................................................................................................... 62
Password expiry during active call................................................................................................... 63
Subscriber lockout............................................................................................................................ 63
Domain security........................................................................................................................................ 64
Antivirus.................................................................................................................................................... 65
File system integrity.................................................................................................................................. 65
Verification reports............................................................................................................................ 66
FSI baseline management............................................................................................................... 66
FSI baseline exclusions.................................................................................................................... 66
FSI baseline backup and restore...................................................................................................... 67
Configuration file.............................................................................................................................. 67
HTTPS certificates.................................................................................................................................... 67
AS 5300 Element Manager Console CAC integration.............................................................................. 68
AS5300 UC Client CAC integration.......................................................................................................... 68
Application logging.................................................................................................................................... 68
Security logs.............................................................................................................................................. 69
Syslog............................................................................................................................................... 69
System audit..................................................................................................................................... 70
Failed logons.................................................................................................................................... 71
File activity in restricted areas.......................................................................................................... 72
Backup of security logs.................................................................................................................... 72
System alarms.......................................................................................................................................... 73
Chapter 6: Database password management.................................................................. 75
Resetting the internal database account passwords................................................................................ 75
Changing the Schema account password................................................................................................ 76
Changing the database application password, without changing the load............................................... 76
Changing the database application password during an upgrade............................................................ 78
Chapter 7: Antivirus management..................................................................................... 79
Updating the virus definitions.................................................................................................................... 79
Scheduling virus scans............................................................................................................................. 80
Chapter 8: File system integrity management................................................................. 83
Creating an FSI baseline........................................................................................................................... 83

Verifying the file system against a baseline.............................................................................................. 84
Managing FSI baselines............................................................................................................................ 84
Chapter 9: Security log management................................................................................ 87
Configuring a remote syslog server.......................................................................................................... 87
Deleting a remote syslog server................................................................................................................ 88
Modifying system audit logs...................................................................................................................... 88
Chapter 10: Application administrator security configuration and management........ 89
Enabling web server logs.......................................................................................................................... 90
Configuring application administrator password rules.............................................................................. 91
Configuring application administrator password rules job aid.......................................................... 91
Configuring a new AS 5300 Element Manager Console role.................................................................... 94
Configuring a new AS 5300 Element Manager Console role job aid............................................... 94
Configuring a new AS 5300 Element Manager Console administrator..................................................... 98
Configuring a new AS 5300 Element Manager Console user job aid.............................................. 99
Assigning a role to an AS 5300 Element Manager Console Administrator................................................ 100
Configuring log on and session rules........................................................................................................ 100
Configuring log on and session rules job aid.................................................................................... 101
Configuring a new Provisioning Client role............................................................................................... 102
Configuring a new Provisioning Client Admin........................................................................................... 102
Configuring a new Provisioning Client Admin job aid....................................................................... 103
Configuring warning banners.................................................................................................................... 104
Configuring warning banners job aid................................................................................................ 105
Modifying log on and session rules........................................................................................................... 105
Modifying log on and session rules job aid....................................................................................... 106
Modifying application administrator password rules................................................................................. 107
Modifying application administrator password rules job aid............................................................. 107
Modifying an AS 5300 Element Manager Console role.............................................................................. 110
Modifying a new AS 5300 Element Manager Console role job aid.................................................. 110
Modifying an AS 5300 Element Manager Console administrator............................................................. 111
Modifying an AS 5300 Element Manager Console user job aid....................................................... 111
Disabling an AS 5300 Element Manager Console user account................................................................ 112
Disabling password aging rules for an account........................................................................................ 112
Viewing and forcing off users.................................................................................................................... 113
Exporting configuration data for AS 5300 Element Manager Console...................................................... 113
Importing configuration data for AS 5300 Element Manager Console...................................................... 114
Deleting an AS 5300 Element Manager Console role................................................................................ 115
Deleting an AS 5300 Element Manager Console user............................................................................... 115
Resetting the password for the AS 5300 Element Manager Console admin account.............................. 116
Resetting the password for an AS 5300 Element Manager Console administrator.................................... 117
Changing your AS 5300 Element Manager Console password................................................................ 118
Modifying a Provisioning Client role.......................................................................................................... 118
Modifying a Provisioning Client role job aid...................................................................................... 119
Listing Provisioning Client Admin users.................................................................................................... 119
Searching for Provisioning Client users by role........................................................................................ 119
Searching for inactive Provisioning Client users....................................................................................... 120
Modifying a Provisioning Client Admin...................................................................................................... 120
Deleting a Provisioning Client user........................................................................................................... 121

Resetting the password for the Provisioning Manager admin account..................................................... 121
Resetting the password for a Provisioning Client administrator................................................................ 122
Changing your Provisioning Client password........................................................................................... 123
Chapter 11: Application security configuration............................................................... 125
Configuring the AS 5300 Element Manager with certificates for HTTPS.................................................. 125
Configuring the Provisioning Manager with certificates for HTTPS.......................................................... 126
Configuring the AS 5300 Element Manager Console with certificates for HTTPS and SIP (CAC)......... 127
Chapter 12: Certificate management overview................................................................ 129
Chapter 13: Certificate preparation................................................................................... 131
Generating a CSR..................................................................................................................................... 133
Generating a CSR job aid................................................................................................................ 133
Installing a CA or CA-signed certificate..................................................................................................... 134
Installing a CA or CA-signed certificate job aid................................................................................ 135
Exporting a PKCS12 file............................................................................................................................ 135
Installing custom certificates into the AS 5300 Element Manager keystore............................................. 136
Verifying that CA certificates import into the AS 5300 Element Manager truststore ................................. 137
Chapter 14: Certificate management................................................................................. 139
Listing all certificates................................................................................................................................. 139
Listing all certificates job aid............................................................................................................. 140
Installing a CA or CA-signed certificate..................................................................................................... 140
Installing a CA or CA-signed certificate job aid................................................................................ 140
Uninstalling a certificate............................................................................................................................ 141
Verifying a certificate chain....................................................................................................................... 141
Verifying a certificate chain job aid................................................................................................... 142
Importing a PKCS12 file............................................................................................................................ 142
Exporting a PKCS12 file............................................................................................................................ 143
Identifying the friendly name of a certificate.............................................................................................. 143
Identifying the friendly name of a certificate job aid......................................................................... 144
Identifying the subject of a certificate installed in the certificate database (Unix).................................. 144
Identifying the subject field of a certificate installed in the certificate database (Unix) job aid...... 145
Identifying the subject of a certificate that is not installed in the certificate database (Unix)................. 146
Identifying the subject field of a certificate that is not installed in the certificate database (Unix) job aid..... 146
Identifying the subject field of a certificate installed in the certificate database (Windows)................... 147
Identifying the subject field of a certificate installed in the certificate database (Windows) job aid.. 147
Chapter 15: Core application certificate management.................................................... 149
Importing an internal certificate to the keystore........................................................................................ 149
Importing an internal certificate to the keystore job aid.................................................................... 150
Viewing an internal certificate in the keystore........................................................................................... 150
Removing an internal certificate from the keystore................................................................................... 151
Configuring the AS 5300 Element Manager with certificates for HTTPS and SIP.................................... 151
Configuring the AS 5300 Session Manager with certificates for HTTPS and SIP.................................... 152
Configuring HTTPS and SIP certificates for the Provisioning Manager.................................................... 153
Configuring the AS 5300 Element Manager Console with certificates for HTTPS and SIP (CAC)......... 154
Configuring the AS 5300 Element Manager Console with certificates for HTTPS and SIP (manual).... 155
Configuring the Avaya Aura AS 5300 Personal Agent with certificates for HTTPS and SIP .................... 156
Chapter 16: Truststore certificate management............................................................... 157

Importing a CA certificate to the truststore................................................................................................ 157
Viewing a CA certificate in the truststore.................................................................................................. 158
Removing a CA certificate from the truststore.......................................................................................... 158
Chapter 17: OCSP configuration....................................................................................... 161
Configuring the operating system to support OCSP................................................................................. 162
Configuring the operating system to support OCSP job aid............................................................. 162
Configuring the AS 5300 Element Manager to support OCSP................................................................. 163
Configuring the AS 5300 Session Manager to support OCSP.................................................................. 163
Configuring the Provisioning Manager to support OCSP.......................................................................... 164
Configuring the AS 5300 Element Manager Console to support OCSP................................................... 165
Verifying access to the OCSP server........................................................................................................ 166
Chapter 18: IPsec configuration overview........................................................................ 167
Secure communication.............................................................................................................................. 167
Default staging certificates........................................................................................................................ 167
Server addresses and service addresses................................................................................................. 168
IPsec tunnel rules...................................................................................................................................... 169
Trusted node relationships........................................................................................................................ 169
IPsec custom certificates.......................................................................................................................... 170
IPsec automatic CRL retrieval................................................................................................................... 170
IPsec limitations and restrictions............................................................................................................... 170
Chapter 19: IPsec service management........................................................................... 173
Starting or restarting the IPsec service..................................................................................................... 173
Stopping the IPsec service........................................................................................................................ 173
Verifying IPsec connection status............................................................................................................. 174
Verifying IPsec connection status job aid......................................................................................... 174
Chapter 20: IPsec configuration........................................................................................ 175
Generating the internal IPsec configuration file........................................................................................ 177
Installing the internal IPsec configuration file on the primary EMS server................................................ 178
Installing the internal IPsec configuration file on non-primary EMS servers............................................. 178
Creating the external IPsec configuration file........................................................................................... 179
Creating the external IPsec configuration file job aid....................................................................... 180
Installing a custom IPsec certificate.......................................................................................................... 181
Configuring IPsec for automatic CRL retrieval.......................................................................................... 182
Configuring IPsec for automatic CRL retrieval job aid...................................................................... 182
Verifying IPsec automatic CRL retrieval.................................................................................................... 183
Verifying IPsec automatic CRL retrieval job aid............................................................................... 183
Manually adding a CA chain..................................................................................................................... 184
Chapter 21: Access control rules...................................................................................... 185
Access control rules overview................................................................................................................... 185
Trusted nodes........................................................................................................................................... 186
Trusted ports............................................................................................................................................. 186
Internal trusted node mesh....................................................................................................................... 187
Access control tools.................................................................................................................................. 187
DSCP marking.......................................................................................................................................... 188
DSCP marking configuration tools................................................................................................... 189
Default DSCP configuration............................................................................................................. 189
Access control default system configuration............................................................................................. 190

Access control limitations and restrictions................................................................................................ 191
Chapter 22: Access control configuration........................................................................ 193
Chapter 23: Internal access control configuration.......................................................... 195
Generating the internal ACL file................................................................................................................ 197
Installing the internal ACL configuration file on the primary EMS............................................................. 197
Installing the internal ACL configuration file on the other servers............................................................. 198
Chapter 24: Access control rules management............................................................... 199
Importing access control rules.................................................................................................................. 199
Importing access control rules job aid.............................................................................................. 200
Viewing all configured access control rules.............................................................................................. 200
Rolling back to the previous access control configuration........................................................................ 201
Restoring the access control default configuration................................................................................... 201
Viewing trusted node and port configurations with iptstatus..................................................................... 202
Viewing trusted node and port configurations with iptstatus job aid................................................. 202
Syntax of an access control rule in the raw format job aid............................................................... 203
ACL configuration job aid................................................................................................................. 204
Chapter 25: Access control rules enforcement............................................................... 205
Enforcing access control rules.................................................................................................................. 205
Chapter 26: NTP server management............................................................................... 207
Updating the primary clock source servers............................................................................................... 208
Updating the primary clock source servers when your system uses symmetric key encryption...... 208
Updating the secondary clock source servers.......................................................................................... 209
Updating the secondary clock source servers when your system uses symmetric key encryption. 210
Configuring a server as a nonclock source............................................................................................... 211
Chapter 27: TLS configuration........................................................................................... 213
Configuring the AS 5300 Session Managers to use only TLS.................................................................. 213
Variable definitions........................................................................................................................... 214
Configuring the AS 5300 Session Managers to use only TLS job aid.............................................. 214
Configuring the Provisioning Managers to use only TLS.......................................................................... 215
Variable definitions........................................................................................................................... 215
Configuring the Provisioning Managers to use only TLS job aid...................................................... 215
Chapter 28: TLS Mutual authentication............................................................................ 217
Enabling mutual authentication mode for SIP........................................................................................... 217
Enabling mutual authentication mode for HTTPS..................................................................................... 218
Chapter 29: FIPS overview................................................................................................. 219
FIPS compliance....................................................................................................................................... 219
Platform..................................................................................................................................................... 220
SSH........................................................................................................................................................... 220
AS 5300 Element Manager Console......................................................................................................... 220
Chapter 30: Cipher suite configuration............................................................................. 221
Configuring OAMP ciphers........................................................................................................................ 222
Configuring external OAMP ciphers.......................................................................................................... 222
Configuring HTTPS ciphers...................................................................................................................... 223
Configuring signaling ciphers.................................................................................................................... 224
Chapter 31: FIPS management.......................................................................................... 225
Stopping a network element..................................................................................................................... 225
Enabling FIPS on the platform.................................................................................................................. 226

Enabling FIPS on the platform job aid.............................................................................................. 227
Installing the FIPS-compliant AS 5300 Element Manager Console.......................................................... 227
Updating the FIPS-compliant AS 5300 Element Manager Console.......................................................... 229
Starting a network element....................................................................................................................... 230

Chapter 1: New in this release

The following sections detail what is new in Avaya Aura Application Server 5300 Security, NN42040-601
for Avaya Aura Application Server 5300 Release 3.0.

Navigation

Features on page 13
Other changes on page 13

Features

For information about feature-related changes, see the following sections:

Password complexity on page 27
Administrator password complexity on page 52
Subscriber security on page 61
Password policies and domains on page 62
Configuring application administrator password rules on page 91
Modifying application administrator password rules on page 107

For more information about the features that are new for this release, see Avaya Aura
Application Server 5300 Release Delta, NN42040-201.

Other changes

Revision history
May 2012
Draft 04.AU. This document is issued for Avaya Aura Application Server 5300 Release 3.0.
Edited a few links in chapter navigation sections.

April 2012
Draft 04.AT. This document is issued for Avaya Aura Application Server 5300 Release 3.0.

Updated the following section: FSI baseline exclusions on page 66

March 2012
Draft 04.AS. This document is issued for Avaya Aura Application Server 5300 Release 3.0.
Updated the following section to state that Attachmate Reflection for Secure IT is not included
with the system, but must be purchased separately: Secure Shell and Common Access Card
integration on page 32

February 2012
Draft 04.AR. This document is issued for Avaya Aura Application Server 5300 Release 3.0.
Replaced the reference to the ntossadm account with the OSS role in Preconfigured accounts on page 31.

January 2012
Draft 04.AQ. This document is issued for Avaya Aura Application Server 5300 Release 3.0.
Made changes to formatting throughout the document.

November 2011
Draft 04.AP. This document is issued for Avaya Aura Application Server 5300 Release 3.0.
Added the following sections for Avaya Media Server content integration:
Adding emergency users on page 39
Deleting emergency users on page 41

November 2011
Draft 04.AO. This document is issued for Avaya Aura Application Server 5300 Release 3.0.
Updated various figures to comply with Release 3.0 branding and product naming.

October 2011
Draft 04.AN. This document is issued for Avaya Aura Application Server 5300 Release 3.0.
Updated the following sections:
Updating the primary clock source servers when your system uses symmetric key encryption on page 208
Updating the secondary clock source servers when your system uses symmetric key encryption on page 210

August 2011
Draft 04.AM. This document is issued for Avaya Aura Application Server 5300 Release 3.0.
Performed a generic cleanup of the document for naming and profiling, which includes the following changes:
Replaced System Manager with AS 5300 Element Manager as a variable.
Replaced System Management Console with AS 5300 Element Manager Console as a variable.
Replaced Media Application Server with Avaya Media Server as a variable.

August 2011
Draft 04.AL. This document is issued for Avaya Aura Application Server 5300 Release 3.0.

Added the following section: AS5300 UC Client CAC integration on page 68

August 2011

Draft 04.AK. This document is issued for Avaya Aura Application Server 5300 Release 3.0.
Password complexity on page 27

July 2011
Draft 04.AJ. This document is issued for Avaya Aura Application Server 5300 Release 3.0.
Updated the following sections:
Password complexity on page 27
Application administrator (Admin) security defaults on page 59
Subscriber security on page 61
Modifying an AS 5300 Element Manager Console user job aid on page 111

July 2011
Draft 04.AI. This document is issued for Avaya Aura Application Server 5300 Release 3.0.
Removed references to UNIStim and IP Client Manager (IPCM).

June 2011
Draft 04.AH. This document is issued for Avaya Aura Application Server 5300 Release 3.0.
Added the following section: Password expiry during active call on page 63

June 2011
Draft 04.AG. This document is issued for Avaya Aura Application Server 5300 Release 3.0.
Password complexity on page 27
Administrator password complexity on page 52
Subscriber security on page 61

June 2011
Draft 04.AF. This document is issued for Avaya Aura Application Server 5300 Release 3.0.
Updated for wi00890695, removing all mention of IP Client Manager (IPCM).

May 2011
Draft 04.AE. This document is issued for Avaya Aura Application Server 5300 Release 3.0.
Edited the following section: Application administrator password rules on page 52

May 2011
Draft 04.AD. This document is issued for Avaya Aura Application Server 5300 Release 3.0.
Added or edited the following sections:

Configuring log on and session rules job aid on page 101
Modifying log on and session rules job aid on page 106
Application administrator password rules on page 52

March 2011

Draft 04.AC. This document is issued for Avaya Aura Application Server 5300 Release 3.0.
Updates related to password complexity enhancements were made to the following sections:
Password complexity on page 27
Administrator password complexity on page 52
Password aging on page 54
Application administrator (Admin) security defaults on page 59
Subscriber security on page 61
Configuring application administrator password rules job aid on page 91
Modifying application administrator password rules job aid on page 107

February 2011
Draft 04.AB. This document is issued for Avaya Aura Application Server 5300 Release 3.0.
Technical changes were made to the following sections:
Subscriber security on page 61
Application logging on page 68
Configuring application administrator password rules on page 91

December 2010
Draft 04.AA. This document is issued for Avaya Aura Application Server 5300 Release 3.0.

September 2010
Standard 02.05. This document is issued for Avaya Aura Application Server 5300 Release 2.0.
Updates were made to Antivirus management on page 79.

August 2010
Standard 02.04. This document is issued for Avaya Aura Application Server 5300 Release 2.0.
Technical changes were made to most of this document to reflect security changes.

June 2010
Standard 02.03. This document is issued for Avaya Aura Application Server 5300 Release 2.0.
This document is updated after technical review.

May 2010
Standard 02.02. This document is issued for Avaya Aura Application Server 5300 Release 2.0.
This document contains editorial changes.

April 2010
Standard 02.01. This document is issued for Avaya Aura Application Server 5300 Release 2.0.

August 2008
Standard 01.03. This document is issued for Nortel Application Server 5300 Release 1.0.
This document is up-issued to include updates to technical content regarding support for foreign
domains.

July 2008
Standard 01.02. This document is issued for Nortel Application Server 5300 Release 1.0.
This document is up-issued to include organizational changes and updates to technical content.

June 2008
Standard 01.01. This document is issued for Nortel Application Server 5300 Release 1.0.

Chapter 2: Introduction

This document contains the procedures required to configure and administer security for the Avaya Aura
Application Server 5300.
For more information about configuration and administration, see Avaya Aura Application Server 5300
Configuration, NN42040-500 and Avaya Aura Application Server 5300 Administration, NN42040-600.
For information about general provisioning tasks and procedures, see Avaya Aura Application Server
5300 Using the Provisioning Client, NN42040-112.

Important:
Throughout this document, the term system refers to the Avaya Aura Application Server 5300 unless
otherwise noted.

Prerequisites

The Avaya Aura Application Server 5300 installation is complete.
You are familiar with the AS 5300 Element Manager Console.
You are familiar with the Avaya Aura Provisioning Client.

Navigation

Platform security overview on page 21
Platform administrator security management on page 35
Security configuration and management overview on page 51
File system integrity on page 65
Database password management on page 75
Antivirus management on page 79
Security log management on page 87
Application administrator security configuration and management on page 89
Application security configuration on page 125
Certificate management overview on page 129
Certificate preparation on page 131
Certificate management on page 139
Core application certificate management on page 149
Truststore certificate management on page 157
OCSP configuration on page 161

IPsec configuration overview on page 167
IPsec service management on page 173
IPsec configuration on page 175
Access control rules on page 185
Access control configuration on page 193
Internal access control configuration on page 195
Access control rules management on page 199
Access control rules enforcement on page 205
NTP server management on page 207
TLS configuration on page 213
TLS Mutual authentication on page 217
FIPS overview on page 219
Cipher suite configuration on page 221
FIPS management on page 225

Chapter 3: Platform security overview

This section contains information related to platform security configuration, including platform
administrator accounts, roles, and access.
For information about initial Basic Input/Output System (BIOS) and RSA-II card configuration, see Avaya
Aura Application Server 5300 Installation, NN42040-300.

Navigation:

BIOS password control on page 21
GRUB password control on page 23
Administrative user account names on page 23
Administrative user roles on page 24
Primary role on page 24
Sudo access control on page 25
Platform user management tool on page 25
Administrative account timers on page 26
Account lockout on page 26
Password complexity on page 27
Inactive platform account auditing on page 29
Root user access on page 30
Individual user accounts on page 30
Preconfigured accounts on page 31
Remote system accounts on page 31
Secure Shell and Common Access Card integration on page 32
Platform warning banners on page 33

BIOS password control

The planar BIOS includes options to configure both an Administrative and Power-on password.
For more information about password options and how to configure them, see the
documentation supplied with the server hardware.


The planar BIOS enables the user to configure both an Administrative and Power-on password.
The BIOS also refers to the Administrative password as the Privileged Access Password in
console messages displayed during BIOS initialization.


BIOS passwords are enforced at the end of BIOS initialization when the message BIOS
Installed Successfully displays.

The following table illustrates the password enforcement performed by the BIOS at this
point in the BIOS execution.

BIOS Password Control

Password Configured       Password Requirement
Power-on     Admin        BIOS Entry Requested (F1 pressed)             Standard Initialization (F1 not pressed)
No           No           None                                          None
No           Yes          Admin                                         None
Yes          No           Power-on password                             Power-on password
Yes          Yes          Power-on password (limited access) or Admin   Power-on password or Admin

Two basic scenarios are possible:


The administrator presses the F1 key during the early stages of BIOS initialization with
the intent of entering BIOS setup when BIOS initialization finishes. If at least one password
is configured, the password must be entered to enter into the BIOS setup. If both
passwords are configured, specifying the Power-on password gives the administrator only
limited access, where no BIOS configuration changes can be made.


The administrator does not press the F1 key during the early stages of BIOS initialization.
If a Power-on password is configured (not recommended), BIOS requires the
administrator to enter the password to allow the system to continue past the BIOS
initialization. If configured, the administrative password is also accepted.


If an Administrator password is configured, an administrator entering BIOS with only a Power-on password receives access to the following menus:

System Summary: This menu provides information such as processor model, USB
devices, and memory information.

System Information: This menu provides information such as the machine type and
model number, serial number, firmware levels, and installed system cards.


When configuring the Administrator password, changing the value of the Power-on password
changeable by user field to Yes provides limited BIOS access to the administrator. The
following are the additional menu items available:

System Security: This menu provides the facility to change or delete the Power-on
password.

The following general points also apply to Administrative and Power-on BIOS passwords:

Each password can be up to seven characters in length.

The passwords can consist of any characters.

If both passwords are configured, a forgotten Power-on password can be reset (deleted
and re-configured) by entering the BIOS with the Administrative password.

If a single password is set, and is forgotten, it cannot be recovered using the BIOS
menu.

If both the Administrative and Power-on password are set, and the Administrative
password is forgotten, it cannot be recovered using the BIOS menu.

Neither password is affected when you restore the configuration of the main BIOS to the
factory default configuration.

GRUB password control


The Linux Grand Unified Bootloader (GRUB) allows you to configure a password to prevent
unauthorized access to the bootloader. Whenever you change the server password policy, you
should reset the GRUB bootloader password to comply with these new settings. For more
information, see Configuring the GRUB password on page 37.

Administrative user account names


When you create a new account for an administrator, you specify the account name and a
numeric user ID. For the numeric user ID, always enter zero (0). After you enter zero (0), the
system assigns the next available numeric ID.


The system security administrator defines the password requirements using the pwConfig
tool.


Administrative user roles

Roles define operational boundaries (access permissions) for administrators. Administrators
can have more than one role, depending on their duties. You assign roles to new administrators
when you create their accounts. The roles defined for the system are as follows:

System Security Administrator (SSA): The SSA can perform system configuration and
specify security attributes such as:

- Password configuration
- User management
- Certificate management
- Access control
- Antivirus
- File System Integrity tools
- Network configuration
- System files backup
- System restoration

Security Auditor (SA): The SA can collect and view security audit logs and syslogs at the
platform level. The SA can also transfer the security logs off the server.

Application Administrator (AA): The AA can install MCS application software and
manage components related to the application. The AA is responsible for installing,
maintaining, patching, and upgrading MCS software only.

Backup Administrator (BA): The BA can perform only system backups. A BA cannot
perform:

- any operation on the server except backups.
- a system restore; only the SSA or root user can perform a system restore.

Database Administrator (DBA): The DBA can manage the database schemas and
database tools on servers on which the database resides. This role is not relevant on
servers that do not host the database.

Operational Support System Administrator (OSS): Downstream processors can use the
account with this role to connect to the server and collect OSS logs.

Primary role

The primary role of the administrator defines the administrator's primary group. The primary
role determines permissions and group ownership for any files that are generated by the
administrator. Any tools that extract or create files use the administrator's primary role to
determine the appropriate group settings. The primary role is the first role assigned during
account creation. An SSA or root user can change the primary role for an administrator.

In the user management tool (userMgt) the primary role of an administrator is the first role that
appears in the list of assigned roles. For example, if the list appears as follows: SSA, AA, BA;
the primary role of the administrator is SSA.

All roles, other than the Backup Administrator, OSS Administrator, and Regional Patching
Administrator roles, are intended to manage some aspect of the system. Because of this and
the use of discretionary access groups to control access to system resources, administrators
with a primary role of SSA, SA, AA, or DBA have a primary GID that is traditionally reserved
for system accounts (less than 500).

Sudo access control

By default, an administrator has access to all commands defined for each assigned role.
However, the root user can grant elevated privileges (such as root access) to an individual
administrator, if required.

The system records all commands that are run with sudo in /var/log/secure and only the
security administrator or security auditor can view these logs.

Only the root user can grant or deny all sudo level access to administrators. If you are already
logged on before being granted sudo access, the sudo access is available the next time you
log on. The sudo menu option in the userMgt script is only visible when the script is run by the
root user.

Administrators who have sudo access need not know the root password of the system to invoke
root level commands; they use their own current passwords. The syntax for running commands
with sudo access is as follows:

> sudo <root-privileged command>

The system prompts for your administrator password the first time, and again after 10 minutes
if you do not enter any other sudo commands.
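Because every sudo invocation is recorded in /var/log/secure, a Security Auditor can reduce that file to who ran which command as which user, and which requests sudo refused. The following Python script is an added example for this guide, not Avaya code: the log lines it parses are constructed in the standard format that sudo writes through syslog, using the preconfigured account names from this chapter, an invented host name (as5300-1) and invented times and commands.

```python
import re
from collections import Counter

# Constructed sample of /var/log/secure lines in the format sudo writes via syslog.
# Host name, times and commands are made up; account names are the preconfigured ones.
SAMPLE_SECURE_LOG = """\
May  3 08:51:02 as5300-1 sudo:  ntsysadm : TTY=pts/0 ; PWD=/home/ntsysadm ; USER=root ; COMMAND=/usr/bin/userMgt
May  3 08:52:17 as5300-1 sudo:  ntsysadm : TTY=pts/0 ; PWD=/home/ntsysadm ; USER=root ; COMMAND=/bin/su -
May  3 09:03:44 as5300-1 sudo:  ntappadm : user NOT in sudoers ; TTY=pts/1 ; PWD=/home/ntappadm ; USER=root ; COMMAND=/bin/cat /var/log/secure
May  3 09:05:10 as5300-1 sudo:  ntbackup : 3 incorrect password attempts ; TTY=pts/2 ; PWD=/home/ntbackup ; USER=root ; COMMAND=/bin/bash
May  3 09:07:31 as5300-1 sshd[4120]: Accepted publickey for ntsecadm from 10.0.0.5 port 51234 ssh2
"""

# One sudo record: an optional refusal reason, then the TTY/PWD/USER/COMMAND fields.
SUDO_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) sudo:\s+"
    r"(?P<user>\S+) : (?:(?P<reason>[^;]*?) ; )?"
    r"TTY=(?P<tty>\S+) ; PWD=(?P<pwd>\S+) ; USER=(?P<runas>\S+) ; COMMAND=(?P<cmd>.*)$"
)


def parse_sudo_events(text):
    """Return one dict per sudo record; lines from other daemons are skipped."""
    events = []
    for line in text.splitlines():
        m = SUDO_RE.match(line)
        if m is None:
            continue
        ev = m.groupdict()
        # sudo only logs a reason when it refuses the request.
        ev["denied"] = ev["reason"] is not None
        events.append(ev)
    return events


def summarize(events):
    """Count root-level commands per invoking user and collect the refusals."""
    per_user = Counter(e["user"] for e in events if not e["denied"])
    denied = [(e["user"], e["reason"], e["cmd"]) for e in events if e["denied"]]
    return per_user, denied


if __name__ == "__main__":
    per_user, denied = summarize(parse_sudo_events(SAMPLE_SECURE_LOG))
    for user, count in per_user.items():
        print(f"{user}: {count} command(s) run with sudo")
    for user, reason, cmd in denied:
        print(f"REFUSED {user}: {reason} ({cmd})")
```

Refusals ("user NOT in sudoers", repeated wrong passwords) are the entries worth reviewing first, because they show an account without sudo access, or without the right password, trying to obtain root-level commands.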

Platform user management tool

To run the user management tool (userMgt) you must be the Security System Administrator
(SSA) or the root user. With the userMgt tool, you can create and manage user accounts for
platform administrators. Figure 1: Main menu on page 26 shows the options available from
the main menu of the tool.

Figure 1: Main menu

Important:
Option [6] (from the main menu of the userMgt tool) is available only to the root user. To use
this option, an SSA with sudo access can su to root.

Administrative account timers

The idle session timer automatically logs off administrators that are not actively using their
sessions. After the configured time elapses without administrator activity, the session closes
automatically.

Changes to the idle session timer value do not affect existing sessions. Administrators
must log off and log back on for this configuration to take effect.

Use the pwConfig tool to specify the timeout value by configuring the Idle session timeout
(seconds) parameter. For more information, see Modifying password complexity rules
(menu) on page 36.

Account lockout

To reduce the effectiveness of password guessing attacks, you can configure account lockout
on the system. If you enable account lockout, the system temporarily locks an account after a
specified number of log on failures.

To enable account lockout, use the pwConfig tool to configure the 'Deny after this many log on
failures' parameter to a value other than zero. To subsequently disable account lockout, change
the value back to zero.

To configure the length of time that the account remains locked out, use the pwConfig tool to
configure the Unlock account duration (seconds) parameter. If you disable account lockout,
the Unlock account duration parameter has no effect. For more information, see Modifying
password complexity rules (menu) on page 36.

If the system locks an account because of successive failed attempts to log on, the
administrator cannot log on to the system until the lockout period expires. An SSA can unlock
an administrator's account during the lockout period by using the userMgt tool to disable and
subsequently enable the locked out administrator. Additionally, after three consecutive failed
access attempts, the SSH or SFTP connection terminates and the user must re-establish the
connection to log on.

After an account reaches the lockout threshold, the system generates a security log.
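The lockout behaviour described in this section, as an added Python model that is not part of the original guide: it applies the 'Deny after this many log on failures' and 'Unlock account duration (seconds)' parameters, the rule that the unlock duration has no effect while lockout is disabled, the SSA disable/enable reset, and the security-log entry written when the threshold is reached. The clock is injected so the expiry can be exercised without waiting. The class and method names are invented, and the assumption that a successful log on clears the failure counter is not documented on the page.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


@dataclass
class LockoutPolicy:
    deny_after: int = 0        # 'Deny after this many log on failures'; 0 disables lockout
    unlock_seconds: int = 60   # 'Unlock account duration (seconds)'; ignored when deny_after is 0


@dataclass
class AccountState:
    failures: int = 0
    locked_at: Optional[float] = None   # time the threshold was reached, or None


class LockoutTracker:
    """Tracks log on failures per account and applies the lockout policy."""

    def __init__(self, policy: LockoutPolicy, clock: Callable[[], float]):
        self.policy = policy
        self.clock = clock                     # injected so tests can advance time
        self.accounts: Dict[str, AccountState] = {}
        self.security_log: List[str] = []      # stands in for the platform security log

    def _state(self, user: str) -> AccountState:
        return self.accounts.setdefault(user, AccountState())

    def is_locked(self, user: str) -> bool:
        st = self._state(user)
        # With deny_after == 0 lockout is disabled and the unlock duration has no effect.
        if st.locked_at is None or self.policy.deny_after == 0:
            return False
        if self.clock() - st.locked_at >= self.policy.unlock_seconds:
            st.locked_at, st.failures = None, 0   # lockout period expired
            return False
        return True

    def attempt(self, user: str, password_ok: bool) -> str:
        """Record one log on attempt; returns 'locked', 'ok' or 'failed'."""
        if self.is_locked(user):
            return "locked"                    # refused until the lockout period expires
        st = self._state(user)
        if password_ok:
            st.failures = 0                    # assumption: success resets the counter
            return "ok"
        st.failures += 1
        if self.policy.deny_after and st.failures >= self.policy.deny_after:
            st.locked_at = self.clock()
            self.security_log.append(f"account {user} locked after {st.failures} failures")
        return "failed"

    def ssa_reset(self, user: str) -> None:
        """Models an SSA disabling and then re-enabling the account in userMgt."""
        self.accounts[user] = AccountState()
```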

Password complexity

You can configure password policy rules to define the appropriate characters used for
administrator passwords. The administrator configures these passwords using either
/usr/bin/passwd or the userMgt tool.

The password complexity settings only affect subsequently configured passwords; they do not
affect current passwords.

You manage password complexity on a per-server basis. There is no automatic password
complexity synchronization performed between servers. Therefore, if you change any value
on one server, you must manually change it on all of the other servers. For more information
about the parameters, see Table 1: Password complexity parameters on page 27. For more
information about how to configure the parameters, see Modifying password complexity rules
(menu) on page 36.

Table 1: Password complexity parameters

Minimum lowercase chars
    This parameter specifies the minimum number of lowercase characters (a-z) that the
    password must contain. The system rejects passwords that contain fewer lowercase
    characters. Default: 2

Minimum uppercase chars
    This parameter specifies the minimum number of uppercase characters (A-Z) that the
    password must contain. The system rejects passwords that contain fewer uppercase
    characters. Default: 2

Minimum digits
    This parameter specifies the minimum number of digit characters (0-9) that the password
    must contain. The system rejects passwords that contain fewer digit characters. Default: 2

Minimum special chars
    This parameter specifies the minimum number of special characters that the password
    must contain. Special characters are: . @ - _ & ^ ? ! ( ) , / \ : ; ~ = +
    The system rejects passwords that contain fewer special characters. Default: 0

Minimum change chars
    This parameter specifies the minimum number of characters by which the new password
    must differ from the previous password. The system ignores this value if either one half of
    the characters in the new password are different, or if there are more than 23 characters
    in the new password. Default: 0

Minimum password length
    This parameter specifies the minimum number of total characters a password can contain.
    The system rejects passwords that contain fewer characters. Default: 8

Maximum consecutive repeat chars
    This parameter specifies the maximum number of consecutive repeating characters that
    are permitted in a password. Default: 0

Deny after this many log on failures
    This parameter specifies the number of failed attempts to log on to an account before the
    account is locked. Default: 0

Unlock account duration (seconds)
    This parameter specifies the amount of time for which the account remains locked after
    log on failures. Default: 60

Old passwords to remember
    This parameter specifies the number of previous passwords the system remembers.
    Administrators cannot reuse any password on the remembered list. Regardless of the value
    of this parameter, administrators cannot ever reuse the current password. Default: 0

Maximum password age (days)
    This parameter specifies the maximum number of days that an administrator's password
    can be used. After the specified number of days, the administrator must change the
    password to access the server. If you reduce this value, some existing passwords can
    immediately expire. Default: 90

Minimum password age (days)
    This parameter specifies the minimum number of days between password changes. This
    setting discourages administrators from immediately changing their passwords back to a
    previously used password (password flipping). Default: 1

Password change warning (days)
    This parameter specifies the number of days in advance that administrators receive
    warning that their passwords will expire. If an administrator logs on within this number of
    days before expiry, a message appears to indicate that their password will expire soon.
    Default: 7

Idle session timeout (seconds)
    This parameter specifies the number of seconds a session can be idle before it times out.
    Default: 600 (10 minutes)


You can modify the password complexity rules at any time; however, the configured rules apply
only to subsequently added administrator accounts.

Important:
If the default password complexity configuration values (as shown in the preceding table)
do not meet your site requirements, Avaya recommends that you change the values
immediately after installation and commissioning, and before you add administrators to the
system.

The following non-configurable parameters also apply to password complexity:

The system uses the Linux CrackLib library to ensure that the password is not based on
the username or on a dictionary word. This library manipulates the new password in
various ways to try and determine if the new password is based on the username or a
dictionary word.

Users must change their passwords during initial log on. Users cannot access the system
with the temporary passwords.

The password cannot be a palindrome.

The root user password does not adhere to the password complexity rules. Ensure that only
a very limited number of individuals know the root password for the servers.

The backup and restore process includes all files related to password complexity.

Password changes

When administrators use the UNIX passwd command to change their passwords, or when they
change the password during log on (for initial or expired passwords), the system applies all of
the enabled password complexity rules.

When an SSA uses the userMgt tool to change a password, the following rules do not apply:

Password history (Old passwords to remember)

Case change from previous password

Characters changed from previous password (Minimum change chars)

For more information about platform user account passwords, see Platform administrator
security management on page 35.
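The rules in Table 1, the non-configurable checks above, and the exemptions for userMgt changes listed under Password changes, brought together in one added Python example that is not Avaya code and not the platform's own validator. The defaults are the Table 1 defaults. The Levenshtein `edit_distance`, the small `DICTIONARY` and the "based on" heuristics are constructed stand-ins for the platform's own comparison and for CrackLib, whose exact transformations the page does not describe; treating 0 for Maximum consecutive repeat chars as "check disabled", and reading "Case change from previous password" as a rule against passwords that differ only by letter case, are likewise assumptions.

```python
from dataclasses import dataclass
from typing import List, Optional, Sequence

# Special characters exactly as listed in Table 1.
SPECIAL_CHARS = set(". @ - _ & ^ ? ! ( ) , / \\ : ; ~ = +".split())

# Constructed stand-in for the CrackLib dictionary.
DICTIONARY = {"password", "welcome", "letmein", "avaya"}


@dataclass
class Policy:
    min_lower: int = 2      # Minimum lowercase chars
    min_upper: int = 2      # Minimum uppercase chars
    min_digits: int = 2     # Minimum digits
    min_special: int = 0    # Minimum special chars
    min_change: int = 0     # Minimum change chars
    min_length: int = 8     # Minimum password length
    max_repeat: int = 0     # Maximum consecutive repeat chars; 0 treated as disabled (assumption)
    history: int = 0        # Old passwords to remember


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used here as the 'characters changed' measure (assumption)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def longest_run(s: str) -> int:
    """Length of the longest run of one repeated character."""
    best = run = 0
    last = None
    for c in s:
        run = run + 1 if c == last else 1
        last, best = c, max(best, run)
    return best


def check_password(new: str, username: str, old: Optional[str] = None,
                   previous: Sequence[str] = (), policy: Policy = Policy(),
                   via_usermgt: bool = False) -> List[str]:
    """Return the names of the violated rules; an empty list means accepted.

    via_usermgt=True models an SSA setting the password with userMgt, where the
    history, case-change and change-chars rules do not apply."""
    errs = []
    if len(new) < policy.min_length:
        errs.append("length")
    if sum(c.islower() for c in new) < policy.min_lower:
        errs.append("lowercase")
    if sum(c.isupper() for c in new) < policy.min_upper:
        errs.append("uppercase")
    if sum(c.isdigit() for c in new) < policy.min_digits:
        errs.append("digits")
    if sum(c in SPECIAL_CHARS for c in new) < policy.min_special:
        errs.append("special")
    if policy.max_repeat and longest_run(new) > policy.max_repeat:
        errs.append("repeat")
    # Non-configurable rules: palindrome, username-based, dictionary-based.
    if len(new) > 1 and new == new[::-1]:
        errs.append("palindrome")
    low = new.lower()
    letters = "".join(c for c in low if c.isalpha())   # strip digits, as CrackLib-style checks do
    if username.lower() in low or username.lower()[::-1] in low:
        errs.append("username")
    if letters in DICTIONARY or low in DICTIONARY:
        errs.append("dictionary")
    # The current password can never be reused, whatever 'history' is set to.
    if old is not None and new == old:
        errs.append("current")
    if old is not None and not via_usermgt:
        if new != old and low == old.lower():
            errs.append("case-only")
        if new in previous[:policy.history]:
            errs.append("history")
        if policy.min_change:
            dist = edit_distance(old, new)
            # Ignored when half the characters differ or the new password exceeds 23 chars.
            if len(new) <= 23 and dist < len(new) / 2 and dist < policy.min_change:
                errs.append("change")
    return errs
```

Because the rules live on each server independently (no synchronisation, as noted above), a checker like this is also a convenient way to confirm that the same Policy values are in force on every server before administrators are added.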

Inactive platform account auditing

You can configure the system to automatically lock out inactive platform administrator accounts
after a period of inactivity. If an administrator is locked out, that administrator cannot log on to
the platform without intervention by another administrator.

The system does not automatically delete locked out inactive administrator accounts. The site
administrator is responsible for monitoring locked out accounts and deleting them as
needed.

Root user access

The root user must log on to the server using the console keyboard, video and mouse (KVM).
Root users must change their passwords on first logon after installation.

The password for this account is subject to password complexity rules. Because the initial
(during installation) password complexity rules are minimal, Avaya recommends that you
change the password for this account after you complete the procedure to configure (harden)
password complexity rules.

On the SIP Core servers, users assigned the System Security Administrator (SSA) role, in
addition to full-time Super User Do (sudo) access, have full root access.

Even though SSA/sudo users have unrestricted root-level privileges, their actions are logged
in the system security log because they are logged on under their individual user ID.

Individual user accounts

Individual user accounts allow for full accountability and monitoring of individual actions. If the
installer chooses this option during server installation, the System Security Administrator (SSA)
must create each individual user account after the installation is complete. For more
information about installation, see the installation method for your system.

You manage user accounts on a per-server basis. Therefore, the SSA must create identical
users on each server within the system.

The SSA uses the User Management Configuration tool to create, modify, and delete users.
The SSA configures the rules for administrator user names using the pwConfig tool.

Each individual user account has its own password, which is subject to the password
complexity rules. The SSA can disable or re-enable each individual user account as necessary.
Individual user accounts have a home directory in /home/<userid>. If the SSA removes the
user account, the home directory is also removed.

Preconfigured accounts

During server installation, the installation software creates the following user accounts:

ntappadm: The primary role of this account is the Application Administrator (AA) role,
which replaces the avaya user found on previous systems.

ntdbadm: The primary role of this account is the database administrator (DBA) role.

ntsysadm: The primary role of this account is the System Security Administrator (SSA)
role. The ntsysadm account, by default, has ALL sudo root access. You can remove full
sudo access, if required, by invoking the userMgt tool as root. This account replaces the
sysadmin user found on previous systems.

ntsecadm: The primary role of this account is the security auditor (SA) role.

ntbackup: The primary role of this account is the backup administrator (BA) role.

ntossadm: The primary role of this account is the OSS administrator (OSS) role. An
Operational Support Server (OSS) uses this account to connect to an Avaya Aura
Application Server 5300 server to collect OSS logs.

For more information about installation, see the installation method for your system.

You can use the userMgt tool to manage all the preconfigured accounts.

Each preconfigured account uses "password" as the initial password. You must change the
initial password at first log on.

The user with the OSS role is protected using password authentication. This account is also
susceptible to lockout if the password is entered incorrectly and the account lockout is
configured for the system. To change the password on this account, log on as OSS, and type
the command: #>passwd. You can also use the userMgt tool to reset the password for this
account.

The SSA can create additional individual user accounts. Additional individual accounts are
subject to the same password complexity profile as the preconfigured accounts. The SSA user
can delete preconfigured accounts. All preconfigured accounts are backed up and restored
during backup and restore procedures.

Remote system accounts

The Avaya Aura Application Server 5300 system requires the following remote system
account: a user with the OSS role. An Operational Support Server (OSS) uses this account to
connect to an Avaya Aura Application Server 5300 server to collect OSS logs.

The system automatically creates this account during installation. For more information, see
Preconfigured accounts on page 31.

Secure Shell and Common Access Card integration

Administrators use Secure Shell (SSH) for remote access and administration of the Linux
servers. The Avaya Aura Application Server 5300 comes with OpenSSH installed. OpenSSH
is an open-source application, which does not support two-factor authentication.

To satisfy requirements for two-factor authentication and Common Access Card (CAC)
integration, Avaya Aura Application Server 5300 also supports Attachmate Reflection for
Secure IT as an optional configuration. Attachmate Reflection is not included with Application
Server 5300. The purchase, installation and maintenance of Attachmate software are the
customer's responsibility. To install Attachmate Reflection for Secure IT, remove OpenSSH
during system installation and commissioning. For more information, see 106.1.5 AS5300 DoD
AttachMate Installation.

Attachmate Reflection for Secure IT includes both the Linux-based server side component and
the Windows-based client. Administrators can configure the Windows client to use certificates
on the CAC and Reflection Group Policies so that all Reflection sessions meet Department of
Defense (DoD) Public Key Infrastructure (PKI) requirements.

The following changes occur when you configure DoD PKI mode:

The default Reflection configuration uses either CRL checking or an OCSP responder. In
DoD PKI mode, the option to use neither form of checking is disabled.

Reflection enforces FIPS-approved encryption algorithms. For SSH connections, this
means that only FIPS-approved options are available on the Encryption tab of the Secure
Shell settings dialog box.

For a connection to succeed, the host name specified in the certificate must exactly match
the host name specified for your Reflection connection. Therefore, the certificate
configuration is automatic and cannot be modified.

Administrative user database backup

The server backup job backs up the data from /admin, including the administrative user
database files. For more information about server backup, see Avaya Aura Application Server
5300 Backup and Restore Method and Avaya Aura Application Server 5300 Administration,
NN42040-600.

To prevent restoration of passwords that do not comply with the site password complexity policy,
Avaya recommends that you not back up the Administrator Database until after:

You configure new passwords to comply with the site password complexity policy, for all
accounts not managed with the userMgt tool (for example, the user with the OSS role).

You ensure that the passwords for all accounts managed with the userMgt tool comply
with the site password complexity policy. For example, users must change the
passwords for any account created before password policy configuration.

Platform warning banners

Configure the following messages to appear during log on:

The /etc/issue banner appears before an administrator enters their username and
password to access the system using the console, SSH, or SFTP.

The /etc/motd banner appears after a successful log on to the system using the console
or SSH.

For more information, see Configuring platform warning banners on page 49.

Important:
Avaya recommends that you perform a backup after making changes to the warning banner
files. For more information, see Avaya Aura Application Server 5300 Backup and Restore
Method and Avaya Aura Application Server 5300 Administration, NN42040-600.

Chapter 4: Platform administrator security management

About this task

This section describes how to manage password complexity requirements, create individual user
accounts, and manage administrator role assignments to control access to the Avaya Aura Application
Server 5300 servers.

Prerequisites:

You must be a Security System Administrator (SSA) or the root user to run the tools for platform
administrator security management.

Navigation:

Modifying password complexity rules (menu) on page 36
Configuring the GRUB password on page 37
Creating individual user accounts (menu) on page 37
Deleting a user account (menu) on page 40
Modifying user roles (menu) on page 42
Changing the state of a user account (menu) on page 43
Listing server user accounts (menu) on page 44
Managing sudo access (menu) on page 45
Resetting a platform user account password (menu) on page 46
Resetting a platform user account password (CLI) on page 46
Viewing the status of inactive account auditing on page 47
Enabling inactive account auditing on page 47
Disabling inactive account auditing on page 48
Configuring platform warning banners on page 49

Modifying password complexity rules (menu)

About this task

Use this procedure to run the pwConfig script and modify the password complexity rules so that
user passwords are more secure. Password complexity rules apply only to subsequently
configured passwords.

Procedure

1. Log on to the server as a user with SSA role.

2. Run the script to configure password complexity:

   pwConfig

3. If you receive a prompt, enter your password.
4. Enter 1 to view the current configuration.
5. Press Enter to continue.
6. Enter 2 to change the current configuration.
7. Enter a value for Minimum lowercase chars.
8. Enter a value for Minimum uppercase chars.
9. Enter a value for Minimum digits.
10. Enter a value for Minimum special chars.
11. Enter a value for Minimum change chars.
12. Enter a value for Minimum password length.
13. Enter a value for Deny after this many log on failures.
14. Enter a value for Unlock account duration (seconds).
15. Enter a value for Old passwords to remember.
16. Enter a value for Maximum password age (days).
17. Enter a value for Minimum password age (days).
18. Enter a value for Password change warning (days).
19. Enter a value for Idle session timeout (seconds).
20. Press Enter to continue.
21. (Optional) If you want to cancel pending (unsaved) changes, enter 3.
22. Enter 4 to save pending changes.
23. Press Enter to continue.
24. Enter 5 to exit.

Configuring the GRUB password

Use this procedure to configure the Linux Grand Unified Bootloader (GRUB) password. The
GRUB password prevents unauthorized access to the bootloader.

Before you begin

You are a user with SSA role.

Procedure

1. Log on to the server as a user with SSA role.
2. Enter grubPwConfig at the prompt.
3. Enter c to configure the password.
4. Enter a policy-compliant GRUB password.
5. Re-enter the policy-compliant GRUB password.

Creating individual user accounts (menu)

About this task

If you add SSA administrators, you may need to add those users to the Avaya Media Server
EM Emergency Access list. For more information, see Adding emergency users on
page 39.

Procedure

1. Log on to the server as a user with SSA role.

2. At the command prompt:

   userMgt

3. If prompted, enter your password.
4. Enter 1 to add a new user.
5. Enter a username for the new user.
6. Enter 0 to have the system select a user ID.

Avaya - Proprietary. Use pursuant to the terms of your signed agreement or Avaya policy.
DRAFTMay 3, 20128:51 PM (UTC+01:00)

Avaya Aura Application Server 5300 Security


May 3, 2012

37

Platform administrator security management

2
3

7. Enter the corresponding numbers for the user's roles.

The first role is the user's primary role. Separate multiple role entries with a comma (,).

8. Enter Y to continue adding users.

9. Enter the initial password for the user.

The user must change this password during the initial log on to gain access to the
server.

10. Enter the initial password again.

You receive a prompt to continue adding users or to return to the main menu.

Variable Definitions

Variable      Value
<userid>      This value is the user ID for the new user.
<username>    This value is the username for the new user.
<roles>       This value specifies the primary and any other roles for the user,
              separated by commas (,).
<passwd>      This value is the initial password for the user.

Creating individual user accounts job aid

About this task

This job aid lists and describes the system groups defined on the system, and provides the
role to groups mapping. The system groups are:

ntsysgrp: group for system related files
ntsecgrp: group for security logs
ntappgrp: group for MCP application files
ntdbgrp: group for database related files
ntossgrp: group for OSS files
ntbackupgrp: group for backup files

Table 2: Role to groups mapping

Role                                   Groups
SSA (System Security Administrator)    ntsysgrp, ntsecgrp, ntbackupgrp
SA (Security Auditor)                  ntsecgrp
AA (Application Administrator)         ntappgrp, ntossgrp
BA (Backup Administrator)              ntbackupgrp
DBA (Database Administrator)           ntdbgrp, ntappgrp
OSS (OSS Administrator)                ntossgrp

Adding emergency users

About this task

Add emergency users to allow them to access the Element Manager (EM) if the primary
security servers are down or cannot be reached.

The SSA or root user uses the emUser tool to list, add, or deny emergency users.

Procedure

1. Log on to the server as an SSA (for example, ntsysadm).

2. At the command prompt, enter:

emUser.pl

3. If you receive a prompt, enter your password.

4. Enter 1 to add emergency users to the server.

5. Select the user that you want to add as an emergency user by selecting the
corresponding number and pressing Enter.

6. Enter Y to confirm that you want to add the user as an emergency user.

OR

Enter N to cancel adding the user as an emergency user.

7. Enter 4 to restart JBoss and apply the changes.

Deleting a user account (menu)

You can delete individual users who no longer require access to the server. The User
Management Configuration tool does not manage the following system accounts, and you
cannot delete them:

root
ntappsw
ntdbsw (database systems only)
ntdblsnr (database systems only)

If you delete administrators, you may need to delete them from the Avaya Media Server EM
Emergency Access list. For more information, see Deleting emergency users on page 41.

Procedure

1. Log on to the server as a user with SSA role.

2. At the command prompt:

userMgt

3. If prompted, enter your password.

4. Enter 2 to delete a user.

5. From the list of users, select the user that you want to delete by entering the
corresponding number.

6. Enter Y to confirm the delete.

7. If the tool finds files owned by the admin to delete, the system displays a list. Choose
an action:

Choose to                                  Do this
Delete the files                           Enter Y
Stop the system from deleting the files    Enter N

Variable Definitions

Variable      Value
<username>    This value is the name of the user account.

Deleting a user account (menu) job aid

After deleting a user account, the system deletes the associated home directory (/home/
<admin>) and all files and directories within it. Additionally, the system searches for any files
owned by this admin outside of their home directory (/home/<admin>). If files are found and
the user has read and write permissions that are:

1. less than the group read and write permissions, then the system transfers the file
(without warning) to a no login system account and the file remains on the
system.

2. greater than or equal to the group read and write permissions, then the system
deletes the file (with warning and confirmation) because transferring the file to a no
login system account with these settings could render it unmanageable by any
admin users in the same group.

The following table shows the no login system account to which files are transferred, based
on the primary role of the deleted user account:

Table 3: Deleted user account/no login account mapping

Primary role    No login account
SSA             ntsysnl
SA              ntsecnl
AA              ntappnl
BA              ntbackupnl
DBA             ntdbnl
OSS             ntossnl

The system administrator must either leave these newly transferred files on the system or
remove them as is deemed necessary for the operation of the system. Prior to deletion, it is
important to determine if deleting files will hinder system operation.
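The two rules above decide, file by file, whether a deleted admin's orphaned files are silently re-owned or removed after confirmation. The following Python is an added example written for this job aid, not Avaya's userMgt code: it applies the two rules and the Table 3 mapping to a constructed list of (path, mode) pairs such as a search for files owned by the admin might return. One point the job aid leaves open is how "user read and write permissions" are ordered against "group read and write permissions"; the example assumes a numeric level (read = 2, write = 1, summed), and that assumption is marked in the code.

```python
"""Disposition of files a deleted platform admin owned outside /home/<admin>,
following the two rules in the job aid above.

Added example, not Avaya's userMgt code. Comparing the user and group
read/write pairs as a single numeric level (read = 2, write = 1, summed) is
this example's interpretation; the job aid does not define the ordering.
"""
import stat

# Table 3: primary role of the deleted account -> no-login account that
# receives the transferred files.
NOLOGIN_ACCOUNT = {
    "SSA": "ntsysnl",
    "SA": "ntsecnl",
    "AA": "ntappnl",
    "BA": "ntbackupnl",
    "DBA": "ntdbnl",
    "OSS": "ntossnl",
}


def rw_level(mode, read_bit, write_bit):
    """Collapse one read/write pair into a comparable number (assumption)."""
    return (2 if mode & read_bit else 0) + (1 if mode & write_bit else 0)


def plan_orphaned_file(path, mode, primary_role):
    """Return the action the job aid prescribes for one orphaned file.

    Rule 1: user rw < group rw  -> transfer silently to the no-login account.
    Rule 2: user rw >= group rw -> delete, but only after a warning and an
            explicit confirmation.
    """
    user_rw = rw_level(mode, stat.S_IRUSR, stat.S_IWUSR)
    group_rw = rw_level(mode, stat.S_IRGRP, stat.S_IWGRP)
    if user_rw < group_rw:
        return {"path": path, "action": "transfer",
                "new_owner": NOLOGIN_ACCOUNT[primary_role],
                "needs_confirmation": False}
    return {"path": path, "action": "delete", "new_owner": None,
            "needs_confirmation": True}


def plan_account_deletion(files, primary_role):
    """Group the per-file plans so the operator can see, before confirming,
    which files would vanish and which would merely change owner."""
    plans = [plan_orphaned_file(p, m, primary_role) for p, m in files]
    return {
        "transfer": [p["path"] for p in plans if p["action"] == "transfer"],
        "delete": [p["path"] for p in plans if p["action"] == "delete"],
    }


# Constructed sample: (path, mode) pairs for an admin whose primary role is
# SSA. The paths and modes are invented for this example.
SAMPLE_FILES = [
    ("/var/tmp/notes.txt", stat.S_IFREG | 0o640),   # user rw > group r  -> delete
    ("/opt/shared/report", stat.S_IFREG | 0o460),   # user r  < group rw -> transfer
    ("/opt/shared/common", stat.S_IFREG | 0o660),   # equal              -> delete
    ("/opt/shared/handoff", stat.S_IFREG | 0o060),  # user -  < group rw -> transfer
]

if __name__ == "__main__":
    plan = plan_account_deletion(SAMPLE_FILES, "SSA")
    print("transfer to", NOLOGIN_ACCOUNT["SSA"], ":", plan["transfer"])
    print("delete after confirmation:", plan["delete"])
```

Running the module prints the two lists for the constructed sample; on a real server the same functions would be fed the modes from os.stat() of each file found outside the admin's home directory.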

Deleting emergency users

About this task

Deny emergency users to prevent them from accessing the Element Manager (EM) if the
primary security servers are down or cannot be reached.

Procedure

1. Log on to the server as an SSA (for example, ntsysadm).

2. At the command prompt, enter:

emUser.pl

3. If you receive a prompt, enter your password.

4. Enter 2 to deny users emergency access to the server.

5. Select the user that you want to deny as an emergency user by selecting the
corresponding number and pressing Enter.

6. Enter Y to confirm that you want to deny the user emergency access to the
server.

OR

Enter N to cancel denying the user emergency access to the server.

7. Enter 4 to restart JBoss and apply the changes.

Modifying user roles (menu)

About this task

Use this procedure to modify roles for a server administrator. You can also change the primary
role of the administrator.

Procedure

1. Log on to the server as a user with SSA role.

2. At the command prompt:

userMgt

3. If you receive a prompt, enter your password.

4. Enter 3 to modify a user's roles.

5. From the list of users, enter the corresponding number for the user account that you
want to modify.

6. Enter the corresponding number for the user's roles (primary role first), separated
by commas (,).

7. Enter Y to continue making modifications.

You receive a prompt to continue modifying roles for users or to return to the main
menu.

Variable Definitions

Variable      Value
<username>    This value is the name of the user account.
<roles>       This value contains the roles that you want to assign to the user
              account. You must enter the primary role first, and separate multiple
              roles with a comma (,). Example: SSA, AA

Changing the state of a user account (menu)

About this task

Disable a user's account to temporarily prevent access to the server with that account. Enable
the account to restore access.

If a user's account becomes locked because of failed attempts to log on, you can clear the lock
by disabling and then enabling the account again.

Procedure

1. Log on to the server as a user with SSA role.

2. At the command prompt:

userMgt

3. If you receive a prompt, enter your password.

4. Enter 4 to enable or disable a user account.

5. Enter the corresponding number for the user account that you want to enable or
disable.

6. Enable or disable the account:

If the account is currently    Do this
Enabled                        Enter Y to disable the account, and go to 9 on page 44.
Disabled                       Enter Y to enable the account, and go to 7 on page 43.

7. Enter a new password for the user account.

The user must change this password during initial log on.

8. Enter the new password again.

9. Choose an action:

Choose to                           Do this
Change another account state        Enter Y
Not change another account state    Enter N
Exit                                Enter 8

Listing server user accounts (menu)

About this task

You can view a list of users currently configured on the server. The display shows 20 entries
for each page, and lists the user name, userID, the user's configured state, and whether the
user has sudo access to the system.

Procedure

1. Log on to the server as a user with SSA role.

2. At the command prompt:

userMgt

3. If you receive a prompt, enter your password.

4. Enter 5 to list the users currently configured on the server.

The screen displays up to 20 users.

5. You can choose to display the next 20 users or quit to the main menu.

To choose this                            Do this
Show the next 20 users (if applicable)    Press Enter.
Return to the main menu                   Type q and press Enter.

Managing sudo access (menu)

Use this procedure to grant or revoke sudo access for user accounts.

Before you begin

You must be either the root user or a user with SSA role with sudo privileges.

Procedure

1. Log on to the server as root or a user with SSA role.

2. If you are an SSA, change to the root:

su - root

3. Enter the root password.

4. Run the User Management Configuration tool:

userMgt.pl

5. Enter 6 to manage sudo access.

6. Enter the corresponding number for the user account for which you want to grant
or deny sudo access.

7. Grant or remove sudo access:

If the account currently      Do this
Has sudo access               Enter Y to remove sudo access.
Does not have sudo access     Enter Y to enable sudo access.

8. Choose whether to manage sudo access for another user account.

Choose to                                          Do this
Manage sudo access for another user account        Enter Y, and repeat 6 on page 45 to 8 on page 45.
Not manage sudo access for another user account    Enter N to go back to the main menu.

9. Enter 9 to exit.

Variable Definitions

Variable      Value
<username>    This value is the name of the user account.

Resetting a platform user account password (menu)

About this task

You can use the userMgt tool to change passwords for platform administrators. If an
administrator is locked out of the server because of failed attempts to log on, you can use the
userMgt tool to reset the user account password and clear the lock.

Procedure

1. Log on to the server as a user with SSA role.

2. At the command prompt:

userMgt

3. If you receive a prompt, enter your password.

4. Enter 6 to reset a user password.

5. Enter the corresponding number for the user whose password you want to reset.

6. Enter a new password for the user account and confirm by entering the new
password again.

A prompt displays asking to reset a password for another user or return to the main
menu.

7. Reply to the prompt with the desired action.

Resetting a platform user account password (CLI)

About this task

You can change your platform administrator password from the command line. You can also
use this procedure to change the passwords for the user with OSS role.

Procedure

1. Log on to the server with the account for which you want to change the password.

2. Enter the UNIX command to change the password:

passwd

3. At the prompt, enter the current UNIX (platform) password for the account.

4. At the prompt, enter the new UNIX (platform) password for the account.

5. At the prompt, re-enter the new UNIX (platform) password for the account.

Viewing the status of inactive account auditing

Use this procedure to view the status of inactive account auditing.

Before you begin

You are a user with SSA role.

Procedure

1. Log on to the server as a user with SSA role.

2. At the command prompt, enter configInactiveLoginAudit.

3. At the command prompt, enter d.

Enabling inactive account auditing

Use this procedure to enable inactive account auditing.

Before you begin

You are a user with SSA role.

Procedure

1. Log on to the server as a user with SSA role.

2. At the command prompt, enter configInactiveLoginAudit.

3. At the command prompt, enter c.

4. To turn on the audit, enter Y.

5. To exempt the login accounts from the audit, enter Y.

6. Press Enter to accept the default list of exempted accounts.

7. For the Maximum number of inactive days before login account is locked
value, enter the number of days of account inactivity prior to account lock out.

Enabling inactive account auditing job aid

This job aid lists and describes the parameters required to enable inactive account auditing.

Parameter                                                         Value
Maximum number of inactive days before login account is locked    Enter a number between 4 and 364.

Disabling inactive account auditing

Use this procedure to disable inactive account auditing.

Before you begin

You are a user with SSA role.

Procedure

1. Log on to the server as a user with SSA role.

2. At the command prompt, enter configInactiveLoginAudit.

3. At the command prompt, enter c.

4. To turn on the audit, enter N.

Important:
After you disable inactive account auditing, the system does not re-enable
previously locked out administrator accounts. You must manually re-enable any
locked out administrator accounts.
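To show what the audit enabled above actually does with its two inputs (the exempt list accepted in step 6 and the 4 to 364 day maximum from the job aid), here is an added Python example; it is not the configInactiveLoginAudit tool and its account names, last-log-on dates and exempt list are constructed for illustration. The procedure does not say whether an account is locked when inactivity equals or exceeds the maximum, nor how an account that has never logged on is treated; the example treats "exceeds" as the trigger and a never-used account as inactive for longer than any maximum, and both choices are labelled as assumptions in the code.

```python
"""Which platform accounts the inactive-account audit would lock.

Added example, not the configInactiveLoginAudit tool itself. Account names,
last-log-on dates and the exempt list below are constructed; the real tool
keeps its own default exempt list. Assumptions: an account is locked when
its inactivity exceeds the configured maximum, and an account that has never
logged on counts as inactive for longer than any maximum.
"""
from datetime import date

MIN_INACTIVE_DAYS, MAX_INACTIVE_DAYS = 4, 364   # allowed range from the job aid


def validate_max_inactive_days(value):
    """Reject a maximum outside the 4-364 range the job aid allows."""
    if not MIN_INACTIVE_DAYS <= value <= MAX_INACTIVE_DAYS:
        raise ValueError(
            f"Maximum number of inactive days must be "
            f"{MIN_INACTIVE_DAYS}-{MAX_INACTIVE_DAYS}, got {value}")
    return value


def accounts_to_lock(last_login, exempt, max_inactive_days, today):
    """Return, sorted by name, the accounts whose inactivity exceeds the maximum.

    last_login: account name -> date of last successful log on, or None if
                the account has never logged on.
    exempt:     accounts excluded from the audit (step 5 and 6 above).
    """
    validate_max_inactive_days(max_inactive_days)
    locked = []
    for account, last in sorted(last_login.items()):
        if account in exempt:
            continue
        # Never-used account: treated as inactive beyond any maximum (assumption).
        idle_days = (today - last).days if last else max_inactive_days + 1
        if idle_days > max_inactive_days:
            locked.append(account)
    return locked


# Constructed sample data, not taken from a real server.
AUDIT_DATE = date(2012, 5, 3)
DEFAULT_EXEMPT = {"root"}
SAMPLE_LAST_LOGIN = {
    "ntsysadm": date(2012, 5, 2),    # 1 day idle
    "ntsecadm": date(2012, 1, 10),   # 114 days idle
    "ntappadm": date(2012, 3, 1),    # 63 days idle
    "ntdbadm": None,                 # never logged on
    "root": date(2011, 6, 1),        # 337 days idle, but exempt
}

if __name__ == "__main__":
    print(accounts_to_lock(SAMPLE_LAST_LOGIN, DEFAULT_EXEMPT, 60, AUDIT_DATE))
```

The Important note that follows the disabling procedure is the reason the function only reports accounts to lock and never unlocks anything: turning the audit off does not undo earlier locks, so re-enabling remains a separate, manual step.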

Configuring platform warning banners

Use this procedure to configure warning banners to display a message before users enter their
user names and passwords, and another message after a successful log on. Warning banners
typically state the legal implications of logging on to a system.

Important:
Repeat this procedure for each server in your Application Server 5300 system.

Before you begin

You are a user with SSA role.

Procedure

1. Use a text editor to create or modify <issue_filename>.

2. Use a text editor to create or modify <motd_filename>.

3. Connect to the server as a user with SSA role by using SFTP or SCP.

4. Transfer <issue_filename> and <motd_filename> to /var/tmp.

5. Log on to the server as an SSA user with SSH.

6. Copy the files from /var/tmp to the /etc directory:

cp /var/tmp/<issue_filename> /etc/issue

cp /var/tmp/<motd_filename> /etc/motd

Variable Definitions

Variable            Value
<issue_filename>    This value is the name of the text file that contains the message
                    that appears before log on.
<motd_filename>     This value is the name of the text file that contains the message
                    that appears after a successful log on.

Chapter 5: Security configuration and management overview

This section contains information about system security configuration and management.

Navigation:

Application administrator security on page 51
Web server logs on page 60
Internal database account security on page 60
Database application security on page 60
Subscriber security on page 61
Domain security on page 64
Antivirus on page 65
File system integrity on page 65
HTTPS certificates on page 67
AS 5300 Element Manager Console CAC integration on page 68
AS5300 UC Client CAC integration on page 68
Application logging on page 68
Security logs on page 69
System alarms on page 73

Application administrator security

The AS 5300 Element Manager Console and the Avaya Aura Provisioning Client applications
maintain independent administrator accounts for configuration and management of the Avaya
Aura Application Server 5300. Although these applications do not share the same pool of
administrator accounts, they do share common security rules for password complexity,
password aging, password history, log on session constraints, and application warning
banners. You configure these rules by using the AS 5300 Element Manager Console.

For more information about how to use the AS 5300 Element Manager Console, see Avaya
Aura Application Server 5300 Configuration, NN42040-500.

If you modify the password rules and the passwords of existing administrators no longer comply
with the new rules, the system does not take any special action. Existing administrators are
allowed to continue to use their existing passwords until they expire. Password rules are only
enforced at the time of password creation. You can force administrators to change existing
passwords, for example, to comply with an updated password policy.

For more information, see Application administrator security configuration and
management on page 89.

Administrator password complexity

The following table lists the parameters that you use to configure password complexity for
administrator user accounts.

Application administrator password rules

Parameter                        Description

Minimum Password Length          This rule defines the minimum number of characters that
                                 must be included in a password.
                                 The range of values allowed is 4-32. Default value: 8
                                 Note: The following restrictions apply:
                                 The Minimum Password Length must be equal to or greater
                                 than the total of the Minimum Lowercase Characters,
                                 Minimum Uppercase Characters, Minimum Digit Characters,
                                 and Minimum Special Characters values.
                                 If Check For Dictionary Words in Password is enabled,
                                 the Minimum Password Length value must be 6 or more.
                                 Caution: The system supports passwords up to a maximum
                                 of 511 characters. However, some phone clients limit the
                                 maximum length of passwords. Verify the capabilities of
                                 your phone before creating a long password.

Minimum Lowercase Characters     This rule defines the minimum number of lowercase
                                 characters that must be included in a valid password.
                                 Lowercase characters are defined by the US-ASCII
                                 character set, a-z.
                                 The range of values allowed is 0-10. Default value: 2

Minimum Uppercase Characters     This rule defines the minimum number of uppercase
                                 characters that must be included in a valid password.
                                 Uppercase characters are defined by the US-ASCII
                                 character set, A-Z.
                                 The range of values allowed is 0-10. Default value: 2

Minimum Digits                   This rule defines the minimum number of digits that must
                                 be included in a valid password. Digits are defined by the
                                 US-ASCII character set, 0-9.
                                 The range of values allowed is 0-10. Default value: 2

Minimum Special Characters       This rule defines the minimum number of special
                                 characters that must be included in a valid password.
                                 Special characters are defined by the following US-ASCII
                                 character set: . @ - _ & ^ ? ! ( ) , / \ : ; ~ = +
                                 The range of values allowed is 0-10. Default value: 0

Maximum Consecutive Characters   This rule defines the maximum number of times a given
                                 character can appear consecutively in a valid password.
                                 Configure the value to 0 (zero) to disable Maximum
                                 Consecutive Characters.
                                 The range of values allowed is 0-10. Default value: 0

Minimum Characters Different     This rule defines the minimum number of characters that
from Previous Password           must be different in the new password from the previous
                                 password.
                                 The range of values allowed is 0-10. Default value: 0

Password History                 This rule defines the number of previous passwords
                                 stored by the system for each administrator. The system
                                 rejects the reuse of any password found in the user's
                                 history.
                                 Configure the value to 0 (zero) to disable Password
                                 History validation. When Password History is configured
                                 to 0, the Minimum Characters Different From Previous
                                 Password feature is automatically configured to 0.
                                 The range of values allowed is 0-24. Default value: 0

User ID or Reversed User ID      This rule indicates whether or not an administrator user
Permitted in Password            name can appear in the administrator password. The
                                 rule is case insensitive, so, for example, the passwords
                                 "sysAdmin123", "sysadmin123" and "sysADMIN123"
                                 are all found to contain "admin".
                                 Select TRUE or FALSE. Default value: TRUE.

Check For Dictionary Words in    This rule indicates whether or not the system checks
Password                         passwords against a dictionary. When this rule is
                                 enabled, administrators are prevented from using
                                 passwords that are derived from dictionary words.
                                 Select TRUE or FALSE. Default value: FALSE.
                                 Note: If Check For Dictionary Words in Password is
                                 enabled, the Minimum Password Length value must be
                                 6 or more.

Maximum Password Life (days)     This rule defines the maximum number of days before a
                                 user's password expires. Configure the value to 0 (zero)
                                 to disable password expiration.
                                 The range of values allowed is 0-180 days. Default
                                 value: 90

Minimum Password Life (hours)    This rule defines the minimum number of hours that a
                                 password must exist before the user can change it.
                                 Configure the value to 0 (zero) to permit users to change
                                 their passwords as often as they wish. The Minimum
                                 Password Life must be less than the Maximum
                                 Password Life.
                                 The range of values allowed is 0-480 hours (20 days).
                                 Default value: 1

Expiry Notification (days)       This rule defines the number of days that an
                                 administrator is notified prior to password expiration.
                                 Configure this value to 0 (zero) to disable expiry
                                 notification. The Expiry Notification value must be less
                                 than the Maximum Password Life, and must be greater
                                 than the Minimum Password Life.
                                 The range of values allowed is 0-30 days. Default value:
                                 7

Password aging

The following rules control the length of time that a password remains valid, and expiration
notification.

Table 4: Password aging rules

Parameter                        Description

Minimum Password Life            This rule defines the minimum number of hours that a
                                 user's password must exist before the user can change
                                 it. Configure the value to 0 (zero) to permit users to
                                 change their passwords as often as they wish. If not zero,
                                 the minimum password life must be less than the
                                 maximum password life.
                                 The range of values allowed is 0-480 hours (20 days).
                                 Default value: 1

Maximum Password Life            This rule defines the maximum number of days before a
                                 user's password expires. Configure the value to 0 (zero)
                                 to disable password expiration.
                                 The range of values allowed is 0-180 days. Default
                                 value: 90

Expiry Notification              This rule defines the number of days that an
                                 administrator is notified prior to password expiration.
                                 Setting the value to 0 (zero) disables expiry notification.
                                 The value must be less than the Maximum Password
                                 Life, and must be greater than the Minimum Password
                                 Life.
                                 The range of values allowed is 0-30 days. Default value:
                                 7

When adding or editing an administrator account, the security administrator can override the
Maximum Password Life value, and thereby apply a different maximum life to an administrator's
password.
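The complexity rules in the table above and the aging rules in Table 4 interact (the length minimum must cover the per-class minimums, dictionary checking raises the length floor, history 0 switches off the "characters different" rule, and the three aging values must be ordered). The following Python is an added example that encodes both tables as a policy object with a consistency check and a password checker; it is not the AS 5300 Element Manager's own implementation, and the field defaults are simply the defaults printed in the tables. Three details the tables leave undefined are this example's assumptions and are marked in the code: characters "different from the previous password" are counted by position, the dictionary check is a case-insensitive substring match against a word list the caller supplies, and hours are converted to days when the aging rules are compared.

```python
"""Checker for the application administrator password rules tabled above
(complexity rules plus the Table 4 aging rules). Added example, not the
AS 5300 Element Manager's own implementation; defaults are the table
defaults. Assumptions the tables leave open: characters different from the
previous password are counted by position (extra length counts as
different), the dictionary check is a case-insensitive substring match
against a caller-supplied word list, and hours become days for comparison.
"""
from dataclasses import dataclass

# Special-character set named in the Minimum Special Characters rule.
SPECIAL_CHARS = set(". @ - _ & ^ ? ! ( ) , / \\ : ; ~ = +".split())
MAX_SUPPORTED_LENGTH = 511   # from the Caution in the table


@dataclass
class PasswordPolicy:
    min_length: int = 8            # 4-32
    min_lower: int = 2             # 0-10
    min_upper: int = 2             # 0-10
    min_digits: int = 2            # 0-10
    min_special: int = 0           # 0-10
    max_consecutive: int = 0       # 0-10, 0 disables
    min_different: int = 0         # 0-10
    history: int = 0               # 0-24, 0 disables
    userid_permitted: bool = True
    dictionary_check: bool = False
    max_life_days: int = 90        # 0-180, 0 disables expiry
    min_life_hours: int = 1        # 0-480
    expiry_notice_days: int = 7    # 0-30, 0 disables

    def validate(self):
        """Cross-parameter restrictions stated in the rule tables."""
        problems = []
        if self.min_length < self.min_lower + self.min_upper + self.min_digits + self.min_special:
            problems.append("Minimum Password Length is below the sum of the per-class minimums")
        if self.dictionary_check and self.min_length < 6:
            problems.append("dictionary checking requires Minimum Password Length >= 6")
        max_life_hours = self.max_life_days * 24
        if self.max_life_days and self.min_life_hours >= max_life_hours:
            problems.append("Minimum Password Life must be less than Maximum Password Life")
        if self.expiry_notice_days and self.max_life_days:
            if not self.min_life_hours < self.expiry_notice_days * 24 < max_life_hours:
                problems.append("Expiry Notification must lie between Minimum and Maximum Password Life")
        return problems


def longest_run(pw):
    """Length of the longest run of one character repeated consecutively."""
    longest = run = 0
    prev = None
    for ch in pw:
        run = run + 1 if ch == prev else 1
        prev = ch
        longest = max(longest, run)
    return longest


def check_password(pw, policy, user_id="", previous=(), dictionary=()):
    """Return the violated rules; an empty list means the password is accepted."""
    v = []
    if len(pw) > MAX_SUPPORTED_LENGTH:
        v.append("longer than 511 characters")
    if len(pw) < policy.min_length:
        v.append("shorter than Minimum Password Length")
    if sum("a" <= c <= "z" for c in pw) < policy.min_lower:
        v.append("too few lowercase characters")
    if sum("A" <= c <= "Z" for c in pw) < policy.min_upper:
        v.append("too few uppercase characters")
    if sum("0" <= c <= "9" for c in pw) < policy.min_digits:
        v.append("too few digits")
    if sum(c in SPECIAL_CHARS for c in pw) < policy.min_special:
        v.append("too few special characters")
    if policy.max_consecutive and longest_run(pw) > policy.max_consecutive:
        v.append("a character repeats more than Maximum Consecutive Characters")
    if not policy.userid_permitted and user_id:
        low, uid = pw.lower(), user_id.lower()
        if uid in low or uid[::-1] in low:
            v.append("contains the user ID or reversed user ID")
    if policy.dictionary_check and any(w.lower() in pw.lower() for w in dictionary):
        v.append("derived from a dictionary word")
    if policy.history:   # history 0 also disables the minimum-different rule
        recent = list(previous)[-policy.history:]
        if pw in recent:
            v.append("found in password history")
        if recent:
            same = sum(1 for a, b in zip(pw, recent[-1]) if a == b)
            if len(pw) - same < policy.min_different:
                v.append("too few characters differ from the previous password")
    return v
```

Call policy.validate() before saving a rule set, because the system only enforces the rules at password-creation time and an inconsistent set (for example an expiry notice longer than the maximum life) would otherwise surface as confusing rejections later; check_password(pw, policy, user_id=..., previous=[...]) then returns every rule a candidate password breaks rather than stopping at the first.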

Log on session constraints

Log on session constraints control the length of time that a session can remain idle, before the
system forces the administrator to reauthenticate. You configure these rules separately for the
AS 5300 Element Manager Console / Open Management Interface (OMI) and the Avaya Aura
Provisioning Client, by using the AS 5300 Element Manager Console.

Configure the following parameters for log on sessions:

Session Timeout: This rule defines the maximum number of minutes a session can be
idle before an administrator must reauthenticate. The range of values for this parameter
is 0-120. Configure the value to 0 (zero) to disable session timeout. You cannot disable
session timeout for the Avaya Aura Provisioning Client. For Configuration Management
clients (which include the AS 5300 Element Manager Console), after a session times out,
any write or maintenance operations require reauthentication; read operations continue
to function normally.

Failed Login Attempts before Lockout: This rule defines the maximum number of
successive failed attempts to log on, allowed before the system locks the administrator's
account. The range of values for this parameter is 0-10. Configure the value to 0 (zero)
to disable lockout and to allow an unlimited number of successive failed login attempts.
A value other than zero represents an inclusive number of attempts. Therefore, if the value
is 1 (one), a single failure causes the administrator's account to become immediately
locked. The system rejects further login attempts until the lockout duration expires.

Lockout Duration: This rule defines the number of minutes that an administrator's account
remains locked after reaching the maximum number of successive failed login attempts.
The range of values for this parameter is 1-60.
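The lockout rules above describe a small state machine: a per-account count of successive failures, a lock that triggers when the count reaches the inclusive limit, a timed release after the Lockout Duration, and (from the special rules for the Security Administrator later in this chapter) accounts that are exempt from the lock but still produce security log entries for each failure. The following Python is an added example of that machine; it is not the AS 5300 Element Manager's code, and the security-log line format, account names and timestamps it uses are constructed for the example.

```python
"""Failed-log-on lockout for application administrator accounts, following
the Failed Login Attempts before Lockout and Lockout Duration rules above
and the secadmin lockout exemption under the special rules for the Security
Administrator.

Added example, not the AS 5300 Element Manager's code. The security-log
line format, account names and timestamps are constructed.
"""
from datetime import datetime, timedelta


class LoginGuard:
    def __init__(self, failed_attempts_before_lockout=5, lockout_minutes=15,
                 exempt_roles=("secadmin",)):
        if not 0 <= failed_attempts_before_lockout <= 10:
            raise ValueError("Failed Login Attempts before Lockout must be 0-10")
        if not 1 <= lockout_minutes <= 60:
            raise ValueError("Lockout Duration must be 1-60 minutes")
        self.limit = failed_attempts_before_lockout      # 0 disables lockout
        self.duration = timedelta(minutes=lockout_minutes)
        self.exempt_roles = set(exempt_roles)
        self.failures = {}       # account -> successive failed attempts
        self.locked_until = {}   # account -> datetime at which the lock expires
        self.security_log = []   # every failure is logged, exempt accounts included

    def _log(self, now, event, account, **fields):
        extra = " ".join(f"{k}={v}" for k, v in fields.items())
        self.security_log.append(
            f"{now:%Y-%m-%dT%H:%M:%S} {event} account={account} {extra}".rstrip())

    def is_locked(self, account, now):
        until = self.locked_until.get(account)
        if until is None:
            return False
        if now >= until:                 # lockout duration has expired
            del self.locked_until[account]
            self.failures.pop(account, None)
            return False
        return True

    def attempt(self, account, role, password_ok, now):
        """Process one log on attempt; returns 'ok', 'bad_password' or 'locked'."""
        if self.is_locked(account, now):
            self._log(now, "LOGIN_REJECTED", account, reason="locked")
            return "locked"
        if password_ok:
            self.failures.pop(account, None)   # success resets the successive count
            return "ok"
        count = self.failures.get(account, 0) + 1
        self.failures[account] = count
        self._log(now, "LOGIN_FAILURE", account, failures=count)
        # The limit is inclusive: with limit 1 a single failure locks the account.
        if self.limit and count >= self.limit and role not in self.exempt_roles:
            self.locked_until[account] = now + self.duration
            self._log(now, "ACCOUNT_LOCKED", account,
                      minutes=int(self.duration.total_seconds() // 60))
        return "bad_password"


DEMO_TIME = datetime(2012, 5, 3, 8, 0, 0)   # constructed timestamp


def lockout_demo():
    """Constructed sequence: three bad passwords, a correct password while the
    account is locked, then a correct password after the lockout has elapsed."""
    guard = LoginGuard(failed_attempts_before_lockout=3, lockout_minutes=10)
    results = [guard.attempt("opsadmin", "admin", False, DEMO_TIME + timedelta(seconds=i))
               for i in range(3)]
    results.append(guard.attempt("opsadmin", "admin", True, DEMO_TIME + timedelta(minutes=1)))
    results.append(guard.attempt("opsadmin", "admin", True,
                                 DEMO_TIME + timedelta(minutes=10, seconds=2)))
    return results, guard.security_log


if __name__ == "__main__":
    outcome, log = lockout_demo()
    print(outcome)
    print("\n".join(log))
```

Note what the exemption does and does not change: a secadmin account never enters locked_until, so it cannot be denied service by a burst of bad passwords, but each failure still lands in security_log, which is where a monitoring rule for repeated failures against privileged accounts should look.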

Application warning banners

Warning banners display advisory warnings before and after log on, for all application
interfaces. Warning banners typically state the legal implications of logging on to a system.

Administrative user accounts

By default, the system defines the following administrative user account roles for the AS 5300
Element Manager Console and Avaya Aura Provisioning Client.

Table 5: AS 5300 Element Manager Console administrative user account roles

Role          Definition

secadmin      Administrators assigned to this role are authorized for all AS 5300
              Element Manager Console services. The default admin user is
              assigned this role by default. Only a user with the secadmin role
              can assign the secadmin role to another user or make
              modifications to this account. You can delete the admin user only
              if another user is assigned to the secadmin role. In addition, this
              role has the following properties and limitations:
              at least one secadmin account must be enabled (for example,
              you cannot delete the default admin user unless another user is
              assigned to the secadmin role)
              only a user assigned to the secadmin role can add, modify or
              delete another account assigned to the secadmin role
              only a user assigned to the secadmin role can reset the
              password of another user with secadmin role
              users assigned to the secadmin role are immune to lockout
              users assigned to the secadmin role can log on to the system
              even if the Maximum session limit is reached

admin         Administrators assigned this role are authorized for all AS 5300
              Element Manager Console services.

no access     This is the default role. All new users are automatically assigned
              to this role. Users assigned to this role have no authorization
              privileges at the AS 5300 Element Manager Console except for
              those services not requiring authorization.

Table 6: Avaya Aura Provisioning Client administrative user account roles

Role          Definition

SuperUser     This role has no initial users. This role cannot be modified or
              deleted by any administrator. Care should be taken when
              assigning this role to any administrator as this role will give full
              access to all the provisioning data.

secadmin      The default admin user is assigned to this role by default and has
              full access to all provisioning data. In addition, this role has the
              following properties and limitations:
              at least one secadmin account must be enabled (for example,
              you cannot delete the default admin user unless another user is
              assigned to the secadmin role)
              only a user assigned to the secadmin role can add, modify or
              delete another account assigned to the secadmin role
              only a user assigned to the secadmin role can reset the
              password of another user with secadmin role
              users assigned to the secadmin role are immune to lockout
              users assigned to the secadmin role can log on to the system
              even if the Maximum session limit is reached

Special rules for the Security Administrator

The Security Administrator (SA) for the AS 5300 Element Manager Console and the Avaya
Aura Provisioning Client is an administrator with the SA (for example, secadmin) role. An SA
has total control and access. The following rules apply to SAs:

There must be at least one enabled SA account in the system.

If only one SA account exists in the system, you cannot delete or disable that account.

The SA user has complete access to every service provided by the AS 5300 Element
Manager Console (or by the OMI interface).

Only an SA user can add, update or delete another user account with the SA role. Only an
SA user can reset the password for another SA user.

The SA account is immune to lockout from failed login attempts. This exemption is
necessary to prevent denial of service attacks whereby a malicious system could lock out
the SA by initiating successive invalid log on attempts against the SA account. Although the
SA account cannot be locked out, the system generates standard security logs for log on
failure.

Regardless of the engineered maximum number of simultaneous logons, the SA account
can always log on.

An SA user can force-off the log on session of another SA.

Because of these capabilities, consider carefully before assigning the SA role to another
administrator. However, Avaya recommends that every system have at least one other
administrator who is assigned the SA role in addition to the global administrator. This strategy
is useful as a backup in case the global administrator is unavailable, or in case the password
of the global administrator is forgotten.

MCP SNMP Community Strings

You can update MCP SNMP Community Strings using the System Management user interface.
To change the SNMP Community String, you must create a new profile (you cannot modify
existing SNMP profiles) and then assign it to each server. For more information, see 105.1.3
AS5300 Security Hardening.

Administrative security services

When you create or manage AS 5300 Element Manager administrative user roles, protect
access to the services used to control AS 5300 Element Manager security configuration. These
services include:

- AdminUserService: This service controls the adding, editing, and removal of administrative
  users (AS 5300 Element Manager Console administration menu item User Administration). It
  also controls force-out operations and password administration (administration menu items
  Set Administrator Password and Force Password Change).
- BannerConfigService: This service controls configuration of the system log on banners
  (Banners application in the Network Data and Mtc folder of the AS 5300 Element Manager
  Console topology tree).
- ConfigRoleAssignmentService: This service controls the assignment of roles to administrative
  users (AS 5300 Element Manager Console administration menu item Role Assignment).
- ConfigRoleDefinitionService: This service manages the adding, editing, and removal of
  administrative roles (AS 5300 Element Manager Console administration menu item Role
  Definition).
- DebugSecurityService: This service controls the management of debug roles and debug
  security settings (AS 5300 Element Manager Console administration menu items Debug
  Security Settings and Debug Role Assignment). Debugging control is supported only for Avaya
  technicians, and debugging security access should be limited to the administrators who
  interface with Avaya technicians.
- LogonRulesService: This service controls the management of system log on rules for both the
  Element and Provisioning Manager (AS 5300 Element Manager Console administration menu
  item Log on Rules).
- PasswordRulesService: This service controls the management of system password rules for
  both the EM and Provisioning Manager (AS 5300 Element Manager Console administration
  menu item Password Rules).
- LogProcessingRulesService: This service controls Log Processing configuration for FPs (the
  AS 5300 Element Manager and any Fault Performance Managers in the system). Part of the
  configuration controlled by this service is the ability to configure where Security Logs are
  stored, as well as the remote destinations to which these Security Logs can be pushed using
  FTP. Consider these points very carefully before granting write access to this service. It is
  highly recommended that only Security Administrators have write access to this service.
- LogBrowserFeedService: This service controls the configuration of the Log Browser Feed
  functionality on the AS 5300 Element Manager. Because the Log Browser Feed is available to
  anyone who can log in to the AS 5300 Element Manager, take care to ensure the Log Browser
  Feed is configured so that security logs are filtered out, if desired.

Application administrator (Admin) security defaults

After installation, the following (minimal) application security rule defaults exist:

- The following AS 5300 Element Manager Console roles exist: admin, no access, and
  secadmin. You cannot modify these roles. The admin and secadmin roles allow access
  to all services.
- The following Avaya Aura Provisioning Client roles exist: SuperUser and secadmin. Both
  roles allow access to all services. You cannot delete or modify these roles. The secadmin
  role has special treatment, whereas the SuperUser role is an ordinary role with all service
  rights.
- A single admin user exists with the secadmin role. This is the Security Administrator (SA).
  You can change the admin user's role, or delete the admin user account, but only if
  another Security Administrator account exists in the system.
- The password for the admin user is admin.
- The Minimum Password Length value is 4.
- The Minimum Lowercase Characters value is 0.
- The Minimum Uppercase Characters value is 0.
- The Minimum Digits value is 0.
- The Minimum Special Characters value is 0.
- The Maximum Consecutive Characters value is 0.
- The Minimum Characters Different From Previous Password value is 0.
- The Password History value is 1 (users cannot reuse their current password).
- The User ID or Reversed User ID Permitted in Password value is TRUE.
- The Check For Dictionary Words in Password value is FALSE.
- The Maximum Password Life value is 0 (no expiry).
- The Minimum Password Life value is 0 (passwords can be changed immediately).
- The Expiry Notification value is 0 (no notification).
- The session timeout for the Configuration Management interface is 0 minutes (no
  timeout).
- For the Avaya Aura Provisioning Client, the session timeout value is 15 minutes.
- The number of successive failed attempts to log on before lockout is 5.
- The Lockout Duration is 1 minute.
- The Account Inactivity period value is 0.

Web server logs

You can enable web server logs on the AS 5300 Element Manager and Provisioning
Manager.

After enabling web server logs, the system writes the logs to the NE application logs. These
logs are found in the following directory on the AS 5300 Element Manager servers:

- If security logs are enabled: /var/mcp/oss/seclog/SM/security/MCP/<NE>
- If security logs are not enabled: /var/mcp/oss/log/SM/all/MCP/<NE>

Internal database account security

During Database installation, the system creates a system-level account with a static name,
and randomly generates a password. A System Administrator (SSA) can reset the password
for the system-level account, should security policy require it. For more information, see
Database password management on page 75.

Database application security

There are two accounts for database management:

- Schema account
- Application account

For more information about how to change the passwords for these accounts, see Database
password management on page 75.

Subscriber security

The Avaya Aura Application Server 5300 system controls subscriber access with passwords.
Subscriber passwords are subject to a password policy, which defines password protection
requirements. You associate a password policy with a domain to apply the policy to all
passwords for the subscribers of that domain.

You can create multiple password policies for an Avaya Aura Application Server 5300 system,
to associate with different domains. Two reserved password policies for the system exist:

- Default: assigned to new domains as they are added to the system (if you do not specify
  another password policy). You can modify the default policy.
- No Policy: disables all password protection associated with password policy. You cannot
  modify this policy.

You can configure the following subscriber password protection requirements:

- A minimum password length that must be between 4 and 32 characters in length. The
  specified value must be greater than the sum of the Minimum Number of Digits, Minimum
  Number of Lowercase Characters, Minimum Number of Uppercase Characters and
  Minimum Number of Special Characters.
- A maximum password length of 511 characters (which is not administrator configurable).
  Note: This upper bound limit may exceed the longest password length capability of some
  phone client types. Verify the capabilities of your phone client before creating a long
  password.
- A minimum of 0 to 10 numerical characters that must be present in the password.
- A minimum of 0 to 10 lowercase characters that must be present in the password.
- A minimum of 0 to 10 uppercase characters that must be present in the password.
- A minimum of 0 to 10 special characters that must be present in the password. Valid special
  characters are . @ - _ & ' ^ ? ! ( ) , / \ : ; ~ = +
- A maximum of 0 to 10 identical consecutive characters allowed in the password.
- A minimum of 0 to 10 characters in the password that must be different from the previous
  password.
- A password history of 0 to 24 previously used passwords in order to prevent re-use.
- An option to allow or disallow the user ID or reversed user ID in the password.
- An option to enable or disable dictionary word checking in the password.

Subscriber password protection also includes the following password protection measures:

- Initial password reset to force a subscriber to change the original password given by an
  administrator to something known only to the subscriber
- Subscriber lockout, which temporarily locks all authorization attempts for a subscriber
  when the number of failed authorizations reaches the configured threshold, enforced as
  follows:
  - A maximum of 1 to 10 failed authorization attempts
  - A lockout duration of 0 to 3600 seconds
- An option to configure a Maximum Password Life value, which requires subscribers to
  periodically change their password every 0 to 180 days.
- An option to configure a Minimum Password Life value, which limits the frequency with
  which subscribers can change their password.
- An option to configure Expiry notification, which warns users whose password is soon to
  expire.
- An option to configure an Account inactivity period, which locks the account after a
  specified number of consecutive days with no activity.
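As an added example (not code from the Avaya documentation), the following Python checks a subscriber password against the configurable requirements listed above, and checks a policy against its permitted ranges. The ranges and the special-character set come from this section; the reading of "characters different from the previous password", treating 0 as "disabled" for the consecutive-character limit, and the demo digest used for history comparison are assumptions.

```python
"""Subscriber password policy checker modelled on the requirements listed above.

Added example, not Avaya code. Ranges and the special-character set come from
this section; the reading of "characters different from the previous password",
treating 0 as "disabled" for the consecutive-character limit, and the plain
SHA-256 digest used for history comparison are assumptions made for the demo.
"""
from dataclasses import dataclass
import hashlib

# Special characters accepted by the policy, exactly as listed in the document.
SPECIAL_CHARS = frozenset(". @ - _ & ' ^ ? ! ( ) , / \\ : ; ~ = +".split())
MAX_PASSWORD_LENGTH = 511   # fixed upper bound, not administrator configurable
COUNT_FIELDS = ("min_digits", "min_lowercase", "min_uppercase",
                "min_special", "max_consecutive", "min_diff_from_previous")


def password_digest(password: str) -> str:
    # Demo-only digest for history comparison; a real store would use a
    # salted, slow password hash.
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


@dataclass
class PasswordPolicy:
    min_length: int = 4              # 4..32, and greater than the class minimums
    min_digits: int = 0              # each class minimum is 0..10
    min_lowercase: int = 0
    min_uppercase: int = 0
    min_special: int = 0
    max_consecutive: int = 0         # assumption: 0 disables this check
    min_diff_from_previous: int = 0
    history: int = 1                 # 0..24; 1 = the current password cannot be reused
    allow_user_id: bool = True
    check_dictionary: bool = False
    dictionary: frozenset = frozenset()

    def validate(self) -> list:
        """Return the ways this policy violates the configurable ranges."""
        problems = []
        if not 4 <= self.min_length <= 32:
            problems.append("min_length must be between 4 and 32")
        for name in COUNT_FIELDS:
            if not 0 <= getattr(self, name) <= 10:
                problems.append(f"{name} must be between 0 and 10")
        if not 0 <= self.history <= 24:
            problems.append("history must be between 0 and 24")
        class_sum = (self.min_digits + self.min_lowercase
                     + self.min_uppercase + self.min_special)
        if self.min_length <= class_sum:
            problems.append("min_length must exceed the sum of the class minimums")
        return problems


def longest_run(s: str) -> int:
    """Length of the longest run of identical consecutive characters."""
    best = run = 0
    for i, ch in enumerate(s):
        run = run + 1 if i and s[i - 1] == ch else 1
        best = max(best, run)
    return best


def check_password(policy, user_id, password, previous=None, history_digests=()):
    """Return the list of violations; an empty list means the password conforms.
    previous: plaintext of the password being replaced (known at change time).
    history_digests: digests of the most recent passwords, newest first.
    """
    v = []
    if len(password) < policy.min_length:
        v.append(f"shorter than {policy.min_length} characters")
    if len(password) > MAX_PASSWORD_LENGTH:
        v.append(f"longer than {MAX_PASSWORD_LENGTH} characters")
    counts = {
        "digits": sum(c.isdigit() for c in password),
        "lowercase": sum(c.islower() for c in password),
        "uppercase": sum(c.isupper() for c in password),
        "special": sum(c in SPECIAL_CHARS for c in password),
    }
    needs = (("digits", policy.min_digits), ("lowercase", policy.min_lowercase),
             ("uppercase", policy.min_uppercase), ("special", policy.min_special))
    for name, need in needs:
        if counts[name] < need:
            v.append(f"needs at least {need} {name}")
    if policy.max_consecutive and longest_run(password) > policy.max_consecutive:
        v.append(f"more than {policy.max_consecutive} identical consecutive characters")
    if previous is not None and policy.min_diff_from_previous:
        # Assumption: count characters of the new password that do not occur in the old.
        if sum(c not in previous for c in password) < policy.min_diff_from_previous:
            v.append(f"fewer than {policy.min_diff_from_previous} characters differ "
                     "from the previous password")
    if policy.history and password_digest(password) in history_digests[:policy.history]:
        v.append(f"matches one of the last {policy.history} passwords")
    if not policy.allow_user_id:
        low, uid = password.lower(), user_id.lower()
        if uid in low or uid[::-1] in low:
            v.append("contains the user ID or reversed user ID")
    if policy.check_dictionary and password.lower() in policy.dictionary:
        v.append("is a dictionary word")
    return v
```

With the defaults from the "security defaults" list earlier in this chapter, `PasswordPolicy()` accepts any four-character password except the current one; a stricter policy turns each of the listed requirements into a separate reported violation.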

Password policies and domains

A password policy is not enforceable on subscribers until it is associated with a domain. When
a password policy is associated with a domain, all subscribers in that domain must conform to
that password policy. When you create a password policy, you can either select the policy
during the creation of a domain or update a domain and select the policy to use.

You can explicitly identify a password policy association when creating a new domain. You can
change the password policy of a domain through the domain modification process. If you do
not explicitly select a password policy when creating a new domain, the domain is given the
Default password policy.

When you create a new subscriber account, the initial password reset value for the domain
determines whether the newly created subscriber must change the initial password. Because
this determination occurs at the time of account creation, subsequent changes to the password
policy, or the movement of the subscriber from one domain to another, have no effect. Therefore,
any user that you create with the initial password reset value of false can log on without
resetting the password, regardless of any subsequent changes to the value of that password
policy parameter.

If you move a subscriber from one domain to another domain, the subscriber must update the
password. The password is validated for conformance during any subsequent attempt to
access the Avaya Aura Application Server 5300 Personal Agent (by the subscriber) or any
subsequent data change attempted on the subscriber account by an administrator.

The password policy prevents subscribers from maintaining passwords that do not conform to
the password policy associated with the domain in which they are assigned (they can actually
have a noncompliant password for a while). They can keep their passwords as long as they
do not log on to their Avaya Aura Application Server 5300 Personal Agent account. If they log
on to their Avaya Aura Application Server 5300 Personal Agent with a nonconforming
password, they are directed to the password change page and cannot do anything on Avaya
Aura Application Server 5300 Personal Agent before changing their password.

Password expiry during active call

If a subscriber password expires or changes during an active call, the call does not get
disconnected during re-registration. The AS 5300 Session Manager skips the credential
validation for the subscriber and sends a registration successful message if the re-registration
request is received during an active call.

If the AS 5300 UC Client sends a Register message where the Expires value exceeds one hour,
the SESM changes it to one hour (3600 seconds) to force the client to send the next
re-registration earlier. If the next re-registration request is received while the user is not on an
active call, the authorization happens as normal.

Subscriber lockout

Password policy includes the Max Failed Attempts and LockoutDuration parameters. The
system evaluates each subscriber authorization attempt against the password policy for the
current domain, at the time that the authentication attempt occurs. The system manages
authorization attempts on a per network element basis as follows:

- After a successful authorization attempt, the count of failed authorization attempts
  resets.
- If the successive count of failed authorization attempts reaches the Maximum Failed Login
  threshold, the subscriber is locked out for the number of seconds given by the value of
  LockoutDuration and a log is generated:

  ALERT 530 User ID: <<subscriber>> locked out for <<X>> seconds

- If the value of Lockout Duration is 0, subscriber lockout is disabled. The system does not
  lock out any subscribers, regardless of failed authorization attempts.
- During lockout, any attempt to authorize the locked out subscriber fails.

Important:
The system manages authorization attempts internally, by each application. The count does
not persist after a failover.

If you update the password policy for the domain, or move a subscriber to a new domain, the
following points apply to the next failed authorization attempt:

- If the new value of Maximum Failed Login is lower than the current number of failed
  attempts for a subscriber, the system locks the subscriber out on the next failed
  authorization attempt.
- If the new value of Maximum Failed Login is higher than the current number of failed
  attempts, the system locks the subscriber out after the number of failed attempts reaches
  the new threshold. Any failed authorization attempts prior to the change contribute to the
  total count.
- If a subscriber is currently locked out, the changes do not affect that subscriber until after
  the lockout duration expires.
- If the new value of Lockout Duration is 0 (disabled), a subscriber's failed authorization
  attempts clear at the next authorization attempt.
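The lockout rules of this section, including how a changed Maximum Failed Login or Lockout Duration applies at the next attempt, as an added example in Python (not Avaya code). The policy is passed in with each attempt so that a policy change is visible on the next evaluation; resetting the failure count when a lockout starts is an assumption, and the network element names used in the comments are constructed.

```python
"""Per-network-element subscriber lockout tracker following the rules in this section.

Added example, not Avaya code. The policy is looked up at the time of each
attempt, so changes to Max Failed Attempts or Lockout Duration apply from the
next attempt, while a subscriber who is already locked out stays locked until
the duration expires. State is kept in memory only, mirroring the note that
counts do not persist across failover. Resetting the failure count when a
lockout starts is an assumption.
"""
from dataclasses import dataclass
import time


@dataclass
class LockoutPolicy:
    max_failed: int = 5          # 1..10 failed attempts before lockout
    lockout_duration: int = 60   # seconds, 0..3600; 0 disables lockout


@dataclass
class SubscriberState:
    failures: int = 0
    locked_until: float = 0.0    # epoch seconds; 0 means not locked


class ManualClock:
    """Controllable clock so lockout expiry can be exercised without sleeping."""
    def __init__(self, start=1_000_000.0):
        self.now = start

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


class LockoutTracker:
    def __init__(self, clock=time.time):
        self.clock = clock
        self.states = {}     # (network_element, subscriber) -> SubscriberState
        self.alerts = []     # log lines in the format shown in this section

    def _state(self, ne, subscriber):
        return self.states.setdefault((ne, subscriber), SubscriberState())

    def is_locked(self, ne, subscriber):
        return self._state(ne, subscriber).locked_until > self.clock()

    def record_attempt(self, ne, subscriber, credentials_ok, policy):
        """Apply one authorization attempt and return 'ok', 'fail' or 'locked'."""
        st = self._state(ne, subscriber)
        now = self.clock()
        if st.locked_until > now:
            return "locked"              # any attempt during lockout fails
        if credentials_ok:
            st.failures = 0              # a success resets the failed count
            return "ok"
        if policy.lockout_duration == 0:
            st.failures = 0              # lockout disabled: count clears at the next attempt
            return "fail"
        st.failures += 1                 # failures before a policy change still count
        if st.failures >= policy.max_failed:
            st.locked_until = now + policy.lockout_duration
            st.failures = 0              # assumption: start a fresh count after the lockout
            self.alerts.append(f"ALERT 530 User ID: {subscriber} locked out for "
                               f"{policy.lockout_duration} seconds")
            return "locked"
        return "fail"
```

Because the state key includes the network element (constructed names such as "ne1"), a lockout on one element does not affect the same subscriber's attempts on another, which is what "per network element basis" implies.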

Lockout clearing

Generally, after a lockout occurs, the subscriber cannot log on until the lockout duration expires.
While the lockout duration does increase security, you can clear a lockout condition manually.
For more information, see Avaya Aura Application Server 5300 Using the Provisioning Client,
NN42040-112.

Important:
If the lockout clearing procedure becomes a common request, consider raising the Maximum
Failed Login value or lowering the Lockout Duration value, to provide a balance between
security and subscriber support.

Domain security

After you add new domains to a hardened system, you must modify the following to ensure
proper security.

- Domain security profile: You must configure the domain security profile to Security
  Enforced for both signaling and media. For more information, see 105.1.3 AS5300
  Security Hardening.
- PA HTTP port: You must turn off the PA HTTP port for each domain by configuring the PA
  HTTP port to 0. For more information, see 105.1.3 AS5300 Security Hardening.
- Subscriber password policy: You must configure the appropriate subscriber password
  policy for each domain. For more information, see 105.1.3 AS5300 Security Hardening.
- DSCP (non MLPP) configuration: You must assign the non-MLPP DSCP values for each
  domain. For more information, see 105.1.3 AS5300 Security Hardening.

Antivirus

Avaya recommends that you use Symantec AntiVirus for Linux as the antivirus software for
SIP core servers. Symantec AntiVirus for Linux is the only supported antivirus software. The
purchase, installation, and maintenance of this software, including any applicable licensing,
virus definition update subscriptions, and renewal agreements, is optional and the
responsibility of the system administrator. The SIP core installation package does not contain
any antivirus software or virus definition files.

For more information, see 106.2.99 AS5300 Symantec AntiVirus Installation and Antivirus
management on page 79.

File system integrity

The installation software contains a file system integrity (FSI) tool called fcheck. Use this tool
to monitor changes in the file system for unauthorized modifications. Only the user with the SSA
role or the root user can run the fcheck tool commands.

With this tool, you can create FSI baselines for later verification, to detect unauthorized
changes to the file system. A baseline is the snapshot of all the system files, including their size
and permissions, at the time of baseline creation. The verification process detects the following
changes:

- Addition and removal of files
- Modification of files and attributes
- File sizes and MD5 signatures

The operating system (OS) and Avaya Aura Application Server 5300 software modify files and
directories as a normal function of operation. Baseline checking excludes all log files and log
directories, because of their nature (with respect to file system changes). The following OS
and Avaya Aura Application Server 5300 directories are included in baseline checking:

- /var/mcp/dropbox
- /var/mcp/dropbox/.auditLoads_chksumCache
- /var/mcp/run/<MCP_release>/SM_0/work
- /var/mcp/run/<MCP_release>/loads_0
- /var/mcp/run/<MCP_release>/loads_0/bin
- /var/mcp/run/<MCP_release>/loads_0/work
- /etc/adjtime
- /etc/ntp
- /etc/ntp/ntp.drift
- /etc/ntp/ntpstats/peerstats
- /var/mcp/os/baselines
- /opt/mcp/uvscan/result.txt
- /opt/mcp/fcheck

Avaya recommends that you create FSI baselines weekly and after significant changes to the
file system (such as software installation).

Verification reports

After verification, fcheck reports findings of changes to the monitored files and directories to
standard out (STDOUT). The tool reports file and directory changes by using the keyword stat
on file or dir. The tool checks the following file and directory attributes for changes: inode
number, permission, file size, time of last status change, file UID, file GID, and file CRC
hash.

FSI baseline management

The system stores FSI baseline files in the /var/mcp/os/baselines directory. If the directory
contains more than 15 files, a warning message appears on STDOUT when you run the
fcheck tool. The system also generates syslog messages to remind you to back up the older
baseline files to prevent the partition from filling up.

You can list all of the baselines currently on the system; the file marked baseline is the one the
system uses for verification. You can also choose a new baseline file for verification (unset the
current file and set another).

FSI baseline exclusions

Some files and directories on the system change on a regular basis. Because the verification
process would always report these files as changed, they are not good candidates for
monitoring. The excluded files and directories are as follows:

- /opt/mcp/db/product/10.2.0/network/log/
- /opt/mcp/db/oradata/mcpdb/
- /opt/mcp/ossec/logs
- /var/mcp/os/baselines/baseline.dbf
- /var/mcp/oss/log/
- /var/mcp/oss/om/
- /var/mcp/oss/tmom/
- /dev/core
- /dev/fd
- /dev/stderr
- /dev/stdin
- /dev/stdout
- /var/mcp/db/data/mcpdb/
- /var/mcp/db/data/adump/
- /var/mcp/run/ned/ned.log
- /var/mcp/spool/log/
- /var/mcp/spool/om/
- /var/mcp/spool/tmom/
- /var/mcp/ma/common/log/
- /var/mcp/ma/platdata/CStore/
- /var/mcp/ma/platdata/ConfMP/
- /var/mcp/ma/platdata/EAM/
- /var/mcp/ma/platdata/IvrMP/
- /var/mcp/ma/platdata/MySQL/
- /var/mcp/ma/platdata/PerfCounterAgent/
- /var/mcp/ma/platdata/Reporter/
- /var/mcp/ma/platdata/SoapServer/
- /var/mcp/ma/platdata/StreamSource/
- /var/mcp/ma/platdata/ase/
- /var/mcp/ma/platdata/ccxml/
- /var/mcp/ma/platdata/tmpdir/
- /var/mcp/ma/platdata/vxmli/
- /var/mcp/ma/JBoss/bin/cnd/
- /var/mcp/ma/JBoss/server/default/log/
- /

FSI baseline backup and restore

An SSA (for example, ntsysadm) can back up FSI baseline files to, or restore them from, either
the local server or a remote server. For more information, see 103.2.3 AS5300 Backup and
Restore and Avaya Aura Application Server 5300 Administration, NN42040-600.

Configuration file

The fcheck configuration file is located at /opt/mcp/fcheck. The fcheck tool uses the following
configuration attributes to specify the files and directories to be monitored:

- Directory: specifies a directory that needs to be monitored. The forward slash (/) at
  the end of the directory indicates recursive directory monitoring.
- Exclusion: excludes directories and files that are not intended for monitoring, such as
  log files that are known to change frequently on an ongoing basis.

Important:
Use the configuration file only for troubleshooting purposes.

HTTPS certificates

After installation, a default self-signed certificate exists for all HTTPS communications. Avaya
recommends that you replace the certificate with a CA-signed certificate for each component
in the system. After you replace the certificates, you must configure the AS 5300 Element
Manager and the Provisioning Manager to use the new certificate. For more information, see
Application security configuration on page 125.

AS 5300 Element Manager Console CAC integration

The AS 5300 Element Manager Console supports the use of the ActivClient Common Access
Card (CAC) PKCS11 library for Department of Defense (DoD) CAC integration. After you install
the ActivClient software and configure the AS 5300 Element Manager Console to use the CAC,
administrators must enter the personal identification number (PIN) from the CAC, as well as
their user name and password, to authenticate.

For more information about how to configure the AS 5300 Element Manager Console to use
CAC, see Configuring the AS 5300 Element Manager Console with certificates for HTTPS and
SIPCAC on page 127.

For more information about how to use the AS 5300 Element Manager Console, see Avaya
Aura Application Server 5300 Configuration, NN42040-500.

AS5300 UC Client CAC integration

The Application Server 5300 UC Client supports the use of the ActivClient Common Access
Card (CAC) for Department of Defense (DoD) CAC integration. After you insert the CAC, enter
the personal identification number (PIN) for the ActivClient and then enter the user name and
password for the Application Server 5300 UC Client to authenticate.

For more information about how to install and launch the Application Server 5300 UC Client, see
Avaya Aura Application Server 5300 UC Client User Guide, NN42040-107.

For more information about how to use the Common Access Card, see 102.1.3 AS 5300 Card
Reader Installation for UC Client.

Application logging

About this task

After you harden the MCP application logging, the system writes network element (NE) logs
to the following directories on the servers hosting the AS 5300 Element Manager Console NEs:

- non security logs: /var/mcp/oss/log/SM/nonSecurity
- security logs: /var/mcp/oss/seclog/SM/security

The non security related logs can be viewed by users in the AA role. The secure logs can only
be viewed by users in the SSA or SA roles.

For more information, see 105.1.3 AS5300 Security Hardening.

In addition to the NE logs, the AS 5300 Element Manager Console and Provisioning Manager
NEs also write access logs to the platform.

The AS 5300 Element Manager Console writes logs to the
/var/mcp/run/<MCP version>/<EM_NEI_name>/tomcat/logs/ directory. The <EM_NEI_name> is
the instance name of the AS 5300 Element Manager Console on that server. For example, SM1_0
denotes the primary AS 5300 Element Manager Console instance.

The Provisioning Manager writes logs to the /var/run/<MCP version>/<Prov_NEI_name>/tomcat/log/
directory. The <Prov_NEI_name> is the instance name of the Provisioning Manager on that
server. For example, PROV1_0 denotes the primary Provisioning Manager instance.

Important:
You must remove these logs after you undeploy the network element instance.

Security logs

This section contains information about security logs.

Navigation:
- Syslog on page 69
- System audit on page 70
- Failed logons on page 71
- File activity in restricted areas on page 72
- Backup of security logs on page 72

Syslog

The system stores syslogs and security-related syslogs in the var/logs directory. Administrators
who have the role of SA or SSA can view syslogs. Only the root user can delete syslogs from
the system. However, the SA can force the logs to rotate by using the logrotate command.

By default, syslogs rotate daily and store up to 15 days' worth of logs. After 15 days, the system
deletes the oldest log on a daily basis. Avaya recommends that you transfer the logs from the
server within 15 days, to prevent the loss of any log files after file rotation.

You can also configure the system to send syslogs to a syslog server. This configuration
typically occurs during system installation, but the SSA can choose to configure this at run time
by issuing the reconfigure script. You must configure the remote syslog server as a trusted
node, if an ACL firewall is configured on the system.

Avaya - Proprietary. Use pursuant to the terms of your signed agreement or Avaya policy.
DRAFTMay 3, 20128:51 PM (UTC+01:00)

Avaya Aura Application Server 5300 Security


May 3, 2012

69

Security configuration and management overview

System audit

1
2
3

You can use audit logs to track and monitor administrative user behavior. The system
generates these logs and they can only be viewed by the SA or SSA.

Audit logs record the following data:

time and date of action

userID and PID of action

command issued

success or fail status

object operated on

10

terminal type

11

exit code

12
13
14
15

The system stores audit logs in /var/log/audit. By default, the logs rotate daily, and the system
keeps up to 15 days of audit logs; after 15 days, the system deletes the oldest log each day. An
SSA or SA can force the audit logs to rotate by issuing the logrotate command. Only the root user,
or an SSA with root access, can delete audit logs.

If the /var/log partition fills up, an SSA with root access can log on and delete these logs.
Avaya recommends that you back up the logs before deleting them.

If the system cannot write to the audit log, the system sends a message to syslog to indicate
the failure. After the free disk space for this partition drops below 750 MB, the system sends
a warning message to syslog. After the free disk space drops below 250 MB, the system sends
another message to syslog to indicate that the disk is full and that logging may be interrupted.
If the disk partition fills up, Avaya recommends that you back up the logs, and then log on as
root and delete them.

To view the current audit rules, open the file /etc/audit/audit.rules as an SSA user on any SIP
Core or Avaya Media Server (MS). The rules are specific to either SIP Core or Avaya MS, so
different servers display different sets of rules.

Warning:
Do not change the audit rules file. If you change this file, auditing might cease to function
on the system.

Typically, system audit configuration occurs during initial installation. However, the SSA can
configure audit log settings by issuing the following command:

configAudit

You can also configure audit log settings by running the reconfigure script. If you change the
audit log configuration, you must reboot the system.

Any SSA or SA user can use the following tools to view audit logs:

• aureport: produces a summarized report of the audit logs.
• ausearch: searches for patterns in the audit log (use --help for instructions).

Users with SSA or SA roles can also view the audit logs with vi and grep, if required.

Audit logs can be archived and transferred to another server for archiving or filtering. The
system does not delete the audit logs on the server; it transfers a copy of the logs. You must
be a root user to delete logs to free disk space. For more information, see 103.2.3 AS5300
Backup and Restore.

Failed logons

To view failed log on attempts, use the grep command on the audit log files and search for the
words "authentication" and "failed". The following example shows a failed login from the server
command line:

> grep authentication /var/log/audit/* | grep failed

/var/log/audit/audit.log:type=USER_AUTH
msg=audit(1273507587.172:8886): user pid=3739 uid=0 auid=4294967295
msg='PAM: authentication acct="ntsysadm" : exe="/usr/sbin/sshd"
(hostname=192.168.1.10, addr=192.168.1.10, terminal=ssh res=failed)'

The resulting output displays the following data:

• record ID for the audit event (the serial number after the colon in msg=audit(...), 8886
  in this example)
• user ID and log on name (acct="ntsysadm"; auid=4294967295 is the unset value, because
  no session was established)
• host where the log on was attempted (hostname and addr)


As shown in the following example, a summary report displays the number of failed
attempts.


Summary Report
======================
Range of time in logs: 05/10/2010 09:56:37.956 - 05/10/2010 11:13:53.107
Selected time for report: 05/10/2010 09:56:37 - 05/10/2010 11:13:53.107
Number of changes in configuration: 110
Number of changes to accounts, groups, or roles: 18
Number of logins: 3
Number of failed logins: 1
Number of authentications: 12
Number of failed authentications: 2
Number of users: 2
Number of terminals: 14
Number of host names: 3
Number of executables: 26
Number of files: 5805
Number of AVC's: 0
Number of MAC events: 0
Number of failed syscalls: 42
Number of anomaly events: 0
Number of responses to anomaly events: 0
Number of crypto events: 0
Number of keys: 1
Number of process IDs: 292
Number of events: 8862

File activity in restricted areas

The file system is locked down mainly by using file permissions appropriate to the
administrator's role. However, modifications or additions to these files must remain traceable.

Auditing is based on watch rules on files and directories. A watch rule on a directory covers
all the files in that directory. Most of the watch rules are on write or append to the directory
and its files.

When audited, the record includes the following data:

• UID of the user accessing the file
• process ID
• the file or directory in question
• success or fail status
• command run on the file or directory


The following is an example of an administrator who unsuccessfully tried to write to a directory
without write permission. In this example, joebobssa tried to write to the /opt/mcp/java directory:

type=SYSCALL msg=audit(1273094725.151:2224): arch=c000003e syscall=2
success=no exit=-13 a0=7fff9cdc3c24 a1=941 a2=1b6 a3=0 items=1 ppid=6554
pid=6623 auid=20229 uid=20233 gid=91 euid=20233 suid=20233 fsuid=20233
egid=91 sgid=91 fsgid=91 tty=pts0 ses=67 comm="touch" exe="/bin/touch"
key=(null)
type=CWD msg=audit(1273094725.151:2224): cwd="/home/joebobssa"
type=PATH msg=audit(1273094725.151:2224): item=0
name="/opt/mcp/java/myfile.xml" inode=261634 dev=03:05 mode=040755 ouid=0 ogid=0
rdev=00:00


In this example, an administrator with user ID 20233 (field uid in the type=SYSCALL line)
tried to issue the touch command (field exe in the type=SYSCALL line) on the file /opt/mcp/
java/myfile.xml (field name in the type=PATH line) and did not succeed (field success in the
type=SYSCALL line; exit=-13 is the errno value EACCES, permission denied). The three lines
belong to one event because they share the serial number 2224 in msg=audit(...). The auid
field (20229) is the login UID, which the kernel preserves across su, so it identifies the
account that originally logged on even where uid differs.
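The grep in the Failed logons section and the SYSCALL/PATH example above reduce to the same task: parse key=value audit records and join the lines that share a serial number. The following Python script is an added example, not part of this document or of the AS 5300 software. Its input is constructed sample text modelled on the two records shown on this page (not live logs), and it pulls out the fields the text points at: the failed PAM authentication with its account and source host, and the denied write with its auid, uid, executable, path and errno. It assumes the record format shown on the page and the Linux errno table.

```python
"""Structured extraction from Linux audit records (added example, not AS 5300 code)."""
import errno
import re
from collections import defaultdict

# Constructed sample input modelled on the records shown on this page: a failed SSH
# authentication (with the grep "file:" prefix), a successful one, and a denied write.
SAMPLE_AUDIT_LOG = """\
/var/log/audit/audit.log:type=USER_AUTH msg=audit(1273507587.172:8886): user pid=3739 uid=0 auid=4294967295 msg='PAM: authentication acct="ntsysadm" : exe="/usr/sbin/sshd" (hostname=192.168.1.10, addr=192.168.1.10, terminal=ssh res=failed)'
type=USER_AUTH msg=audit(1273507601.003:8890): user pid=3744 uid=0 auid=4294967295 msg='PAM: authentication acct="ntsysadm" : exe="/usr/sbin/sshd" (hostname=192.168.1.10, addr=192.168.1.10, terminal=ssh res=success)'
type=SYSCALL msg=audit(1273094725.151:2224): arch=c000003e syscall=2 success=no exit=-13 a0=7fff9cdc3c24 a1=941 a2=1b6 a3=0 items=1 ppid=6554 pid=6623 auid=20229 uid=20233 gid=91 euid=20233 suid=20233 fsuid=20233 egid=91 sgid=91 fsgid=91 tty=pts0 ses=67 comm="touch" exe="/bin/touch" key=(null)
type=CWD msg=audit(1273094725.151:2224): cwd="/home/joebobssa"
type=PATH msg=audit(1273094725.151:2224): item=0 name="/opt/mcp/java/myfile.xml" inode=261634 dev=03:05 mode=040755 ouid=0 ogid=0 rdev=00:00
"""

# Every record starts with type=... msg=audit(<timestamp>:<serial>): ; the serial is the
# "record ID" the page refers to, and all records of one event share it.
_HEADER = re.compile(r"^type=(?P<type>\S+) msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):\s*(?P<rest>.*)$")
# key=value pairs: double- or single-quoted, the literal (null), or a bare token.
_KV = re.compile(r"""(\w+)=("[^"]*"|'[^']*'|\(null\)|[^\s,)]+)""")


def _unquote(value):
    if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
        return value[1:-1]
    return value


def _fields(text):
    return {key: _unquote(val) for key, val in _KV.findall(text)}


def parse_records(log_text):
    """One dict per audit line; lines that are not audit records are skipped."""
    records = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if ":type=" in line and not line.startswith("type="):
            line = "type=" + line.split(":type=", 1)[1]   # drop a grep "file:" prefix
        m = _HEADER.match(line)
        if not m:
            continue
        records.append({"type": m.group("type"), "ts": float(m.group("ts")),
                        "serial": int(m.group("serial")), "fields": _fields(m.group("rest"))})
    return records


def group_events(records):
    """Group records by serial: the SYSCALL, CWD and PATH lines of one event share it."""
    events = defaultdict(list)
    for rec in records:
        events[rec["serial"]].append(rec)
    return dict(events)


def failed_authentications(log_text):
    """Structured equivalent of: grep authentication /var/log/audit/* | grep failed."""
    hits = []
    for rec in parse_records(log_text):
        if rec["type"] != "USER_AUTH":
            continue
        pam = _fields(rec["fields"].get("msg", ""))   # the nested PAM message
        if pam.get("res") != "failed":
            continue
        hits.append({"serial": rec["serial"], "acct": pam.get("acct"),
                     "host": pam.get("hostname") or pam.get("addr"),
                     "terminal": pam.get("terminal"), "exe": pam.get("exe")})
    return hits


def denied_file_access(log_text):
    """Join each SYSCALL success=no record with the PATH names of the same event."""
    denied = []
    for serial, recs in sorted(group_events(parse_records(log_text)).items()):
        syscall = next((r for r in recs if r["type"] == "SYSCALL"), None)
        if syscall is None or syscall["fields"].get("success") != "no":
            continue
        f = syscall["fields"]
        code = -int(f.get("exit", "0"))          # exit=-13 -> errno 13 (EACCES)
        denied.append({"serial": serial, "auid": int(f["auid"]), "uid": int(f["uid"]),
                       "exe": f.get("exe"), "errno": errno.errorcode.get(code, str(code)),
                       "paths": [r["fields"].get("name") for r in recs if r["type"] == "PATH"]})
    return denied


def summary(log_text):
    """Counts comparable to the aureport summary shown on the page."""
    records = parse_records(log_text)
    return {"events": len(group_events(records)),
            "failed_authentications": len(failed_authentications(log_text)),
            "denied_file_access": len(denied_file_access(log_text))}


if __name__ == "__main__":
    for hit in failed_authentications(SAMPLE_AUDIT_LOG):
        print("failed auth:", hit)
    for hit in denied_file_access(SAMPLE_AUDIT_LOG):
        print("denied access:", hit)
    print(summary(SAMPLE_AUDIT_LOG))
```

Run it against a real /var/log/audit/audit.log by passing the file contents to the functions; on a live system, prefer ausearch -m USER_AUTH --success no and ausearch --success no -k <key> for the same queries, since they also understand interpreted fields.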

Backup of security logs


You can transfer security logs from the server to a secured server. This action does not delete
the security logs from the server because the transfer process copies the logs without deleting
them from the original location. Only a root user can delete logs to free up disk space. For more
information about how to back up the Avaya Aura Application Server 5300 system, see Avaya
Aura Application Server 5300 Backup and Restore Method and Avaya Aura Application
Server 5300 Administration, NN42040-600.

System alarms


You can monitor the following disk partitions for utilization from the AS 5300 Element Manager
Console:

• boot
• /var
• /var/mcp
• /var/log
• /admin
• /home
• /opt
• /tmp


After the system raises an alarm for disk usage, you can configure new alarm thresholds for
disk space usage, or remove unnecessary files from the server, and then clear the alarm when
the disk space is freed up. For more information about how to configure alarm thresholds, see
Avaya Aura Application Server 5300 Configuration, NN42040-500.
Important:
Only the root user can delete files to free up disk space.


Chapter 6: Database password management

About this task

Use the procedures in this chapter to manage passwords for the database. For more information, see
103.2.5 AS5300 Database Management.

Navigation:

• Resetting the internal database account passwords on page 75
• Changing the Schema account password on page 76
• Changing the database application password, without changing the load on page 76
• Changing the database application password during an upgrade on page 78


Resetting the internal database account passwords


Policy can require that you periodically change all system passwords. Use the following
procedure to reset the passwords for the system level internal database accounts.
Important:
Only the database software uses the internal accounts. To prevent users from logging on to
these accounts, the passwords are randomly generated and not available to users. These
accounts are also locked.

Before you begin


You are a user with SSA role.

Procedure

1. Log on to the server that hosts the primary database, as a user with SSA role.

2. Enter the command to reset the password for one of the internal database accounts:

resetDbSystemUserPasswd sys
resetDbSystemUserPasswd system
resetDbSystemUserPasswd internal


3. If a password prompt appears, enter the password for the SSA account.


Changing the Schema account password


Use the following procedure to change the password for the database Schema account.

Before you begin


You are a user with SSA role.

Procedure


1. Log on to the server that hosts the primary AS 5300 Element Manager Console
(Instance 0), as a user with SSA role.

2. Enter the command to change the password:

chgDbSchemaUserPasswd


3. If a password prompt appears, enter the password for the SSA account.


4. At the prompt, confirm that you want to change the password.


A message appears to report the success or failure of the password change.


Changing the database application password, without changing the load


Use the following procedure to change the password for the database application without
upgrading the load.

Before you begin

• You are a user with SSA role.
• You are a user with AA role.
• You are familiar with the procedure to deploy and start network elements. For more
  information, see Avaya Aura Application Server 5300 Configuration, NN42040-500.

Procedure


1. Log on to the server that hosts the primary AS 5300 Element Manager (Instance
0), as a user with SSA role.

2. Enter the command to change the password:

chgDbAppUserPasswd


3. If a password prompt appears, enter the password for the SSA account.


4. At the prompt, confirm that you want to change the password.


A message appears to report the success or failure of the password change.


5. Log on to the server that hosts the primary AS 5300 Element Manager (Instance
0), as a user with AA role.

6. Change directory:
cd /var/mcp/install

7. Restart the primary AS 5300 Element Manager (Instance 0):

./smUpgrade.pl

This command stops all AS 5300 Element Manager instances, re-deploys the load
specified in installprops.txt (the same load), and starts all AS 5300 Element
Manager instances.

8. Use the AS 5300 Element Manager Console to stop, deploy, and restart the
remaining network elements in the following order:

• Fault Performance Manager (FPM)
• Accounting Manager (AM)
• PROV Manager
• Personal Agent (PA) Manager
• Session Manager (SESM)

Important:
Avaya recommends that for network elements with a hot standby instance, you stop,
deploy, and start the hot standby instance first.

9. Log on to the server that hosts the primary AS 5300 Element Manager (Instance
0), as a user with SSA role.

10. Enter the command to change the password:

chgDbAppUserPasswd

11. If a password prompt appears, enter the password for the SSA account.
This step removes the old application account.

Important:
If any network element did not stop, deploy, and start properly and is therefore
still using the old application account, an error message appears. To complete
the procedure, repeat steps 8 to 11 for the affected network elements.

Changing the database application password during an upgrade


Use the following procedure to change the database application password as part of a
Maintenance Release or patch upgrade.

Before you begin

You are a user with SSA role.


You are familiar with the procedure to apply a Maintenance Release or patch upgrade.
For more information, see 103.2.2 AS5300 MR And Patch Guide.

Procedure


1. Log on to the server that hosts the primary AS 5300 Element Manager (Instance
0), as a user with SSA role.

2. Enter the command to change the password:

chgDbAppUserPasswd


3. If a password prompt appears, enter the password for the SSA account.


4. At the prompt, confirm that you want to change the password.


A message appears to report the success or failure of the password change.


5. Apply the Maintenance Release or patch upgrade.

6. Log on to the server that hosts the primary AS 5300 Element Manager (Instance
0), as a user with SSA role.

7. Enter the command to change the password:

chgDbAppUserPasswd

8. If a password prompt appears, enter the password for the SSA account.
This step removes the old application account.

Important:
If any network element is not upgraded and is therefore still running the old load,
an error message appears. To complete the procedure, repeat steps 5 to 8 for the
affected network elements.


Chapter 7: Antivirus management

The following procedures explain how to manage the antivirus software. For information about how to
install and configure the antivirus software, see the Avaya antivirus installation method.


Warning:
Read all of the procedures carefully before you install the software. Adherence to the procedures and
requirements described in the following procedures is mandatory for warranty of the system.


Important:
Backups of the core servers or Avaya Media Servers do not include the antivirus software. After you
restore or reinstall a server, you must manually install, configure, and update the antivirus software and
virus definitions.

Navigation

• Updating the virus definitions on page 79
• Scheduling virus scans on page 80


Updating the virus definitions

Use this procedure to update the virus definitions. The virus definition files must be kept up to
date on the system for valid and effective scans. Update the virus definition files after the
initial installation and then on a regular basis, to maintain the security of the system.

For detailed information about antivirus procedures, use the antivirus documentation. You can
obtain the documentation from the antivirus manufacturer's web site, and many antivirus
packages install documents on the server.

Before you begin

• You are a user with SSA role.
• You have obtained the updater package from the antivirus support site or the appropriate
  enterprise or DoD internal distribution site.

Important:
Repeat this procedure on each server in the system.

Procedure

1. As an SSA, transfer the package to each server using SFTP, to the /var/tmp/SAV
directory.

2. Log on to the AS 5300 server as an SSA.

3. Change to root:

su - root

4. At the password prompt, enter the root password.

5. At the prompt, change to the directory where the updater resides:

cd /var/tmp/SAV

6. Ensure that the updater file has the appropriate execute permissions configured.
For example, to apply the June 2, 2010 update (20100602-002-unix.sh):

chmod 755 20100602-002-unix.sh

7. At the prompt, execute the updater to extract and install the new definitions.
For example:

./20100602-002-unix.sh

8. Follow the updater prompts to update the server.

9. At the prompt, remove the updater package. For example:

rm 20100602-002-unix.sh
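Step 6 makes a package that was copied in over SFTP executable, and step 7 runs it as root. A check a practitioner would want between those two steps is that the file on the server is byte-for-byte the package the distribution site published. The following Python script is an added example, not Avaya's or the antivirus vendor's tooling: it compares the package's SHA-256 digest with an expected value and only then applies the equivalent of chmod 755. The expected digest is an assumption here (the demo computes it from a constructed stand-in file); on a real system you take it from the distribution site's published checksum.

```python
"""Verify an updater package against a published SHA-256 before making it executable.
Added example; not Avaya's or the antivirus vendor's tooling."""
import hashlib
import os
import stat
import tempfile

EXEC_MODE = 0o755   # the mode the procedure sets with chmod 755


def sha256_hex(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()


def stage_updater(path, expected_sha256):
    """Make the package executable only if its digest matches the published value.
    Returns True on a match; on a mismatch the file is left as it is and False is returned,
    so an altered or truncated package is never run."""
    if sha256_hex(path).lower() != expected_sha256.strip().lower():
        return False
    os.chmod(path, EXEC_MODE)
    return True


def demo():
    """Constructed scenario: a stand-in package (not a real updater), first checked against
    its correct digest, then against a wrong one. Returns (good_result, bad_result, mode)."""
    fd, path = tempfile.mkstemp(suffix="-unix.sh")
    with os.fdopen(fd, "wb") as f:
        f.write(b"#!/bin/sh\necho 'stand-in updater, not a real package'\n")
    os.chmod(path, 0o600)                      # as received: not executable
    published = sha256_hex(path)               # assumption: stands in for the published digest
    good = stage_updater(path, published)      # match -> chmod 755, True
    bad = stage_updater(path, "0" * 64)        # mismatch -> untouched, False
    mode = stat.S_IMODE(os.stat(path).st_mode)
    os.remove(path)
    return good, bad, mode


if __name__ == "__main__":
    print(demo())   # (True, False, 493), where 493 is 0o755
```

In the procedure itself, the equivalent is to run sha256sum on the package in /var/tmp/SAV and compare the output with the published value before the chmod in step 6.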


Scheduling virus scans


Use this procedure to schedule a simple daily virus scan.


For detailed information about how to schedule virus scans, use the antivirus
documentation.


Before you begin


You are a user with SSA role.


Procedure


1. Log on to the server as an SSA.

2. Change to root:

su - root


3. Enter the password for the root.

4. Using your antivirus software documentation, configure an automatic scan to run
on a daily basis.


Important:
Schedule the virus scan during the lowest traffic time on the AS 5300 servers to
minimize scanning impact.


Chapter 8: File system integrity management

About this task

Use the procedures in this section to verify file system integrity (FSI) and to manage FSI baselines.

Prerequisites:
You are a user with SSA role or a root user.

Navigation:

• Creating an FSI baseline on page 83
• Verifying the file system against a baseline on page 84
• Managing FSI baselines on page 84

Creating an FSI baseline


Create an FSI baseline on a weekly basis or after any significant changes to the system, such
as software installation.


Before you begin


You are a user with SSA role or a root user.


Procedure

1. Log on to the server as a user with SSA role.

2. At the prompt, enter the following command:

fsibaseline

3. If you receive a warning, press any key to continue.

4. Enter Y to verify the new FSI baseline configuration.


Important:
A typical baseline can take at least 10 minutes to create.


Verifying the file system against a baseline


Routinely verify the file system against the baselines. The verification process identifies the
following changes:

• addition or removal of files
• modification of files and attributes
• file sizes and MD5 signatures

Before you begin


You are a user with SSA role or a root user.

Procedure

1. Log on to the server as a user with SSA role.

2. At the prompt, enter the following command:

fsiverify
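The text above lists what fsiverify reports (added or removed files, modified files and attributes, sizes and signatures) without showing what a baseline holds or how a comparison is made. The following Python script is an added illustration of that mechanism, not the AS 5300 fsibaseline/fsiverify tools: it records size, mode, owner and a digest for every regular file under a root, stores the baseline as JSON, and reports added, removed and modified entries. It uses SHA-256 rather than the MD5 the page mentions, since MD5 is no longer collision resistant; the demo builds a constructed temporary tree, tampers with it and returns the report.

```python
"""Toy file-system-integrity baseline and verifier (added illustration, not the AS 5300
fsibaseline/fsiverify tools)."""
import hashlib
import json
import os
import shutil
import stat
import tempfile


def _digest(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Map each regular file under root (relative, '/'-separated) to its recorded attributes."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if not stat.S_ISREG(st.st_mode):
                continue                      # symlinks and special files are not hashed
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = {"size": st.st_size, "mode": stat.S_IMODE(st.st_mode),
                             "uid": st.st_uid, "gid": st.st_gid, "sha256": _digest(full)}
    return baseline


def save_baseline(baseline, path):
    with open(path, "w") as f:
        json.dump(baseline, f, indent=1, sort_keys=True)


def load_baseline(path):
    with open(path) as f:
        return json.load(f)


def verify(root, baseline):
    """Compare the live tree with a baseline; modified entries list (old, new) per attribute."""
    current = build_baseline(root)
    modified = {}
    for rel in sorted(set(current) & set(baseline)):
        diffs = {k: (baseline[rel][k], current[rel][k])
                 for k in baseline[rel] if baseline[rel][k] != current[rel][k]}
        if diffs:
            modified[rel] = diffs
    return {"added": sorted(set(current) - set(baseline)),
            "removed": sorted(set(baseline) - set(current)),
            "modified": modified}


def demo():
    """Constructed scenario: baseline a small tree, tamper with it, verify, return the report."""
    work = tempfile.mkdtemp(prefix="fsi-demo-")
    try:
        root = os.path.join(work, "tree")              # the tree being protected
        store = os.path.join(work, "baseline.json")    # baseline kept outside the tree
        os.makedirs(os.path.join(root, "sub"))
        a = os.path.join(root, "a.txt")
        with open(a, "w") as f:
            f.write("hello world\n")
        os.chmod(a, 0o644)
        with open(os.path.join(root, "sub", "b.bin"), "wb") as f:
            f.write(b"\x00" * 16)
        save_baseline(build_baseline(root), store)
        baseline = load_baseline(store)
        # Tampering: a same-size content change plus a permission change, a removal, an addition.
        with open(a, "w") as f:
            f.write("hello wOrld\n")
        os.chmod(a, 0o600)
        os.remove(os.path.join(root, "sub", "b.bin"))
        with open(os.path.join(root, "c.txt"), "w") as f:
            f.write("new\n")
        return verify(root, baseline)
    finally:
        shutil.rmtree(work)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

The same-size edit in the demo is the case that matters: a size-and-mtime check would miss it, which is why the baseline carries a digest. Keeping the baseline file outside the tree it describes (or on another host) also matters, because an attacker who can alter the files can otherwise re-baseline them.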


Managing FSI baselines


You can list all of the file system integrity (FSI) baselines currently stored on the server. The
system uses the file marked baseline for verification. You can select a different baseline file to
use for verification.


Before you begin


You are a user with SSA role or a root user.


Procedure

1. Log on to the server as a user with SSA role.

2. At the prompt, enter the following command:

fsibaselineMgt

3. Select a management action by entering its selection number:

• List available baselines
• Set the verification baseline
• Unset the verification baseline
• Exit


Chapter 9: Security log management

Use the procedures in this section to manage security logs.

Navigation

• Configuring a remote syslog server on page 87
• Deleting a remote syslog server on page 88
• Modifying system audit logs on page 88

Configuring a remote syslog server


Use this procedure to configure a remote syslog server.


If you configure a remote Syslog server on the platform, the system sends all local syslogs to
both the remote syslog server and to the local syslog server.


Before you begin


You are a user with SSA role.

Procedure

1. Log on to the server as a user with SSA role.

2. Enter syslogConfig at the prompt.

3. Enter your password.

4. Enter c to configure a remote syslog server.

5. Enter the Syslog Server IP Address.

6. Enter Y to confirm the configuration.


Deleting a remote syslog server


Use this procedure to delete a remote syslog server.

Before you begin


You are a user with SSA role.

Procedure


1. Log on to the server as a user with SSA role.

2. Enter syslogConfig at the prompt.

3. Enter u to unconfigure a remote syslog server.

4. Enter Y to confirm the configuration.


Modifying system audit logs


Use this procedure to enable or disable system audit logs.


Before you begin


You are a user with SSA role.


Procedure

1. Log on to the server as a user with SSA role.

2. At the command prompt, enter configAudit.

3. Enter c to configure the audit.

4. Select an action: enable the audit, or disable the audit.

5. If prompted to reboot, enter Y.


Chapter 10: Application administrator security configuration and management

This chapter provides the procedures that you require to configure and manage administrator security for
the database and the following tools:

• Avaya Aura AS 5300 Element Manager Console
• Avaya Aura Provisioning Client

Navigation:

• Enabling web server logs on page 90
• Configuring application administrator password rules on page 91
• Configuring a new AS 5300 Element Manager Console role on page 94
• Configuring a new AS 5300 Element Manager Console administrator on page 98
• Assigning a role to an AS 5300 Element Manager Console Administrator on page 100
• Configuring log on and session rules on page 100
• Configuring a new Provisioning Client role on page 102
• Configuring a new Provisioning Client Admin on page 102
• Configuring warning banners on page 104
• Modifying log on and session rules on page 105
• Modifying application administrator password rules on page 107
• Modifying an AS 5300 Element Manager Console role on page 110
• Modifying an AS 5300 Element Manager Console administrator on page 111
• Disabling an AS 5300 Element Manager Console user account on page 112
• Disabling password aging rules for an account on page 112
• Viewing and forcing off users on page 113
• Exporting configuration data for AS 5300 Element Manager Console on page 113
• Importing configuration data for AS 5300 Element Manager Console on page 114
• Deleting an AS 5300 Element Manager Console role on page 115
• Deleting an AS 5300 Element Manager Console user on page 115


• Resetting the password for the AS 5300 Element Manager Console admin account on page 116
• Resetting the password for an AS 5300 Element Manager Console administrator on page 117
• Changing your AS 5300 Element Manager Console password on page 118
• Modifying a Provisioning Client role on page 118
• Listing Provisioning Client Admin users on page 119
• Searching for Provisioning Client users by role on page 119
• Searching for inactive Provisioning Client users on page 120
• Modifying a Provisioning Client Admin on page 120
• Deleting a Provisioning Client user on page 121
• Resetting the password for the Provisioning Manager admin account on page 121
• Resetting the password for a Provisioning Client administrator on page 122
• Changing your Provisioning Client password on page 123

Enabling web server logs


Use this procedure to enable web server logs on the AS 5300 Element Manager and
Provisioning Manager network elements.


Procedure


1. Log on to the AS 5300 Element Manager Console.

2. From the configuration view, choose one of the following:

• To configure the AS 5300 Element Manager, select Network Elements > AS 5300 Element
  Manager > ElementManager.
• To configure the Provisioning Manager, select Network Elements > Provisioning
  Managers > <PROV_instance>.

3. Click Configuration Parameters.

4. In the Parm Group list, select WebServer.

5. Click the EnableAccessLogs row.

6. Click -/+.

7. In the EnableAccessLogs list, select true.

8. Click Apply.


Configuring application administrator password rules


About this task

Configure the password complexity rules and password aging rules to enhance the security of
the AS 5300 Element Manager Console, Open Management Interface (OMI), and Avaya Aura
Provisioning Client passwords.

Procedure

1. From the menu bar of the AS 5300 Element Manager Console, select
Administration > Password Rules.

2. In the Password Rules pane, under Password Complexity Rules, configure the
parameters as required.

3. In the Password Rules pane, under Password Aging Rules, configure the
parameters as required.

4. Click Apply.


Configuring application administrator password rules job aid


About this task


The following job aid lists and describes the parameters on the Password Rules panel.

Application administrator password rules

Minimum Password Length
    This rule defines the minimum number of characters that must be included in a password.
    The range of values allowed is 4-32. Default value: 8
    Note: The following restrictions apply:
    • The Minimum Password Length must be equal to or greater than the total of the Minimum
      Lowercase Characters, Minimum Uppercase Characters, Minimum Digit Characters, and
      Minimum Special Characters values.
    • If Check For Dictionary Words in Password is enabled, the Minimum Password Length
      value must be 6 or more.
    Caution: The system supports passwords up to a maximum of 511 characters. However,
    some phone clients limit the maximum length of passwords. Verify the capabilities of your
    phone before creating a long password.

Minimum Lowercase Characters
    This rule defines the minimum number of lowercase characters that must be included in a
    valid password. Lowercase characters are defined by the US-ASCII character set, a-z.
    The range of values allowed is 0-10. Default value: 2

Minimum Uppercase Characters
    This rule defines the minimum number of uppercase characters that must be included in a
    valid password. Uppercase characters are defined by the US-ASCII character set, A-Z.
    The range of values allowed is 0-10. Default value: 2

Minimum Digits
    This rule defines the minimum number of digits that must be included in a valid password.
    Digits are defined by the US-ASCII character set, 0-9.
    The range of values allowed is 0-10. Default value: 2

Minimum Special Characters
    This rule defines the minimum number of special characters that must be included in a
    valid password. Special characters are defined by the following US-ASCII character set:
    . @ - _ & ^ ? ! ( ) , / \ : ; ~ = +
    The range of values allowed is 0-10. Default value: 0

Maximum Consecutive Characters
    This rule defines the maximum number of times a given character can appear consecutively
    in a valid password. Configure the value to 0 (zero) to disable Maximum Consecutive
    Characters.
    The range of values allowed is 0-10. Default value: 0

Minimum Characters Different from Previous Password
    This rule defines the minimum number of characters that must be different in the new
    password from the previous password.
    The range of values allowed is 0-10. Default value: 0

Password History
    This rule defines the number of previous passwords stored by the system for each
    administrator. The system rejects the reuse of any password found in the user's history.
    Configure the value to 0 (zero) to disable Password History validation. When Password
    History is configured to 0, the Minimum Characters Different From Previous Password
    feature is automatically configured to 0.
    The range of values allowed is 0-24. Default value: 0

User ID or Reversed User ID Permitted in Password
    This rule indicates whether or not an administrator user name can appear in the
    administrator password. The rule is case insensitive, so, for example, the passwords
    "sysAdmin123", "sysadmin123" and "sysADMIN123" are all found to contain "admin".
    Select TRUE or FALSE. Default value: TRUE

Check For Dictionary Words in Password
    This rule indicates whether or not the system checks passwords against dictionary words.
    When this rule is enabled, administrators are prevented from using passwords that are
    derived from dictionary words.
    Select TRUE or FALSE. Default value: FALSE
    Note: If Check For Dictionary Words in Password is enabled, the Minimum Password Length
    value must be 6 or more.

Maximum Password Life (days)
    This rule defines the maximum number of days before a user's password expires. Configure
    the value to 0 (zero) to disable password expiration.
    The range of values allowed is 0-180 days. Default value: 90

Minimum Password Life (hours)
    This rule defines the minimum number of hours that a password must exist before the user
    can change it. Configure the value to 0 (zero) to permit users to change their passwords as
    often as they wish. The Minimum Password Life must be less than the Maximum Password
    Life.
    The range of values allowed is 0-480 hours (20 days). Default value: 1

Expiry Notification (days)
    This rule defines the number of days before password expiration that an administrator is
    notified. Configure this value to 0 (zero) to disable expiry notification. The Expiry
    Notification value must be less than the Maximum Password Life, and must be greater than
    the Minimum Password Life.
    The range of values allowed is 0-30 days. Default value: 7


Configuring a new AS 5300 Element Manager Console role


Configure new roles for the AS 5300 Element Manager Console and assign the roles to users
to specify admin privileges and level of access.


Before you begin


You have ConfigRoleDefinitionService READ and WRITE privileges.


Procedure


1. From the menu bar of the AS 5300 Element Manager Console, select
Administration > Role Definition.

2. On the Role Definition panel, click Add (+).


3. In the Add Role dialog box, in the Role Name box, type a name to identify the new
role.


4. Select READ, WRITE, or MAINT as required to configure privileges for each
service.

5. Click Apply.

Configuring a new AS 5300 Element Manager Console role job aid


About this task


The following job aid lists and describes the parameters that you use to configure AS 5300
Element Manager Console roles.
Parameter            Description

Role Name
    Enter the role name in this text box. This name
    cannot be changed after the role is created. A valid
    role name must consist of 4-36 alphanumeric
    characters that may also include, but not begin or
    end with, the following 8 additional characters:
    space @ # & ( ) + -


The effects of the READ, WRITE, and MAINT privileges differ according to the service that is
selected; however, the following points generally apply:

• The READ privilege typically allows you to view, but not modify, configuration data.

• The WRITE privilege enables READ automatically and allows you to add and modify
  configuration data.

• The MAINT privilege allows you to start and stop services, but does not allow you to
  change configuration data. Typically you must also have the READ privilege in addition
  to MAINT.

The following job aid lists and describes the services for which you can add READ, WRITE,
and MAINT privileges to roles.

Service                           Description

AcctProcessingRuleService         Account processing rule configuration
AdminUserService                  Administrative users configuration
AlarmMgmtService                  Alarms configuration
AlarmMtcService                   Acknowledgement/clearing of alarms
AlarmQueryService                 Alarm viewing
AMOssProfileService               OSS Profile data configuration (distributed to the
                                  Accounting Manager (AM))
AudioCodesNumMapIP2TelService     IPToTelephonyMap configuration
AudioCodesServerService           AudioCodes gateway configuration
AudioCodesServerStateService      AudioCodes gateway state configuration
AudioCodesTrunkService            AudioCodes trunk configuration
AuthenticationService             AS 5300 Session Manager trusted node authorized
                                  method configuration
BannerConfigService               Log on banner configuration
CallAgentService                  CS 2000 Call Agent configuration
CertificateService                Certificate configuration
ChassisMonitorService             Blade Center Chassis monitoring
ChassisService                    Blade Center Chassis configuration
CipherSuiteService                OAMP SSL/TLS cipher suite configuration
ConfigParmService                 Configuration parameters
ConfigRoleAssignmentService       Administrative user role assignment
ConfigRoleDefinitionService       Administrative role configuration
CscfService                       CSCF configuration
DBInstanceService                 Database instance configuration
DBMonitorConfigService            Database monitor threshold configuration
DBMonitorService                  Database instance monitoring
DebugSecurityService              Role and security settings debugging
EndpointMtcService                Endpoint Maintenance configuration and monitoring
EngParmService                    Engineering parameters configuration
ExportImportService               Bulk configuration export and import tools
FPOssProfileService               OSS profile data configuration (distributed to FPM)
FlowSpecCodecService              Video FlowSpec configuration (in Packet Cable
                                  Integration, Codec)
FlowSpecService                   FlowSpec configuration
GatewayControllerLinkMtcService   Gateway Controller Link Maintenance/monitoring
GatewayControllerService          CS 2000 Gateway Controller configuration
GatewayService                    Gateway configuration
HttpsCipherSuiteService           HTTPS cipher suite configuration
IPAddressService                  IP address configuration
InfoElementService                Informational Element configuration
LogBrowserFeedService             Log browser feed configuration
LogProcessingRuleService          Log processing configuration
LoginRulesService                 System log on rules configuration
LOMServerService                  LOM and Terminal server configuration
LicenseKeyService                 License key configuration
LocationServiceMgr                DNS server configuration for the AS 5300 Session
                                  Manager
LogicalDBService                  Database configuration
LogStreamService                  Log viewing
MASService                        Avaya Media Server configuration
MPClusterConfigParmsService       Media Portal Cluster configuration parameters
MPClusterFaultToleranceService    Media Portal Cluster Fault Tolerance configuration
MPClusterGwcCallSvrService        Media Portal Cluster Gateway Controllers
                                  configuration
MPClusterMultiGwy                 Multiple Network Gateway Routers configuration for
                                  Media Portal Cluster
MPClusterNet2RouteService         Choosing the Net2 Routable Networks configuration
                                  for a Media Portal
MPClusterService                  Media Portal Cluster configuration
MPClusterSessionMgrService        Media Portal Cluster Session Managers configuration
MPClusterStaticRouteService       Media Portal Cluster Static Routes configuration
MPClusterSvcInstanceService       Media Portal Cluster Service Instance configuration
MPClusterVlan                     Choosing the VLAN topology configuration for a
                                  Media Portal
NEInstanceService                 Network element instance configuration and
                                  maintenance
NERecordStreamService             NE log, OM and accounting format path configuration
NEService                         Network element configuration
NcasLinkMtcService                NCAS Link Maintenance configuration
Net2RouteService                  Net2 Routable Networks configuration
NetworkAddrService                Network Addresses configuration
NetworkTypeService                Choosing Network type for Media Portal Static
                                  Routes (Control, Net1, Net2 or OAM)
NodeService                       Node configuration
OMProcessingRuleService           OM Processing Rule configuration
OMQueryService                    OM viewing
OssProfileService                 OSS Profile data configuration (distributed to all
                                  Element Managers)
PasswordRulesService              User password rules configuration
PhysicalServerService             Server configuration
PhysicalSiteService               Physical site configuration
PolicyServerConnectionService     Policy Server Connection data (Application Manager
                                  ID (AMID)) for an AS 5300 Session Manager
PolicyServerService               Policy Servers configuration
RTPPortalBladeService             RTP Portal blade configuration
RegisteredGwcService              Registered gateway controller service configuration
ServerLOMCommandService           Server maintenance for servers that are configured
                                  with a LOM server
ServerMonitorConfigService        Server monitor threshold configuration
ServerMonitorService              Server monitoring
SIPProxyService                   SIP proxy configuration
SignalingCipherSuiteService       Signaling cipher suite configuration
SnmpProfileService                SNMP profile configuration
StaticRouteService                Static Routes configuration
SubnetMaskService                 Subnet Masks configuration
UpgradeManagerService             Upgrade Manager configuration
VMGAppearanceService              Virtual Media Gateway Appearance configuration
VlanService                       VLANs configuration
WebServicesService                Web services configuration

Configuring a new AS 5300 Element Manager Console administrator

Use this procedure to configure a new administrative user for the AS 5300 Element Manager
Console.

Before you begin


You must know the Global Administrator account password.

Procedure
1. From the menu bar of the AS 5300 Element Manager Console, select
Administration > User Administration.


2. On the User Administration panel, click Add (+).


3. In the Add User Account dialog box, configure the parameters as required.


4. Click Apply.


The system validates the configuration data. If the change is valid, the Add User
Account dialog box closes and the new account appears on the User Administration
panel.


Important:
The new user account has no access. You must assign roles to new users so that
they can perform the administrative functions associated with their roles.

Configuring a new AS 5300 Element Manager Console user job aid


About this task


The following job aid lists and describes the parameters that you configure on the Add User
Account dialog box.
Parameter            Description

User ID
    Enter the account user name; the new administrator uses this ID to log
    on. It must contain between 4 and 16 characters. Valid characters
    include the following US-ASCII character sets: a-z, A-Z, 0-9, the
    underscore ( _ ) and the hyphen (-).

User Name
    Enter the administrator's first and last names. This text field can have
    up to 36 characters. There are no character restrictions.

Password
    Enter the administrator's password (subject to password complexity
    rules).

Password Confirm
    Reenter the administrator's password. This value must match the
    Password parameter; it is used to reduce typing errors.

Maximum Password Life
    If greater than 0, this value is used instead of the Maximum Password
    Life value found in the Password Rules. Enter 0 to use the Password
    Rules value.

Force Password Change
    If you select this check box, the administrator must change the
    password during initial login.

Account Disabled
    If you select this check box, the account is disabled and the
    administrator cannot log on.

Disable Account Inactivity Period
    If you select this check box, the account will never be disabled due to
    inactivity.

Immune to Expiry
    If you select this check box, password aging rules do not apply to the
    account, but all password complexity rules apply.
    For secure systems, select this option only for nonhuman accounts.

Assigning a role to an AS 5300 Element Manager Console administrator

Use this procedure to assign a role to a new AS 5300 Element Manager Console user, or to
change the role currently assigned to an existing administrator.

Before you begin

• You must know the Global Administrator account password or be assigned the admin
  role.

• Ensure the administrator account exists.

• Ensure the role to be assigned is already configured.

Procedure


1. From the menu bar of the AS 5300 Element Manager Console, select
Administration > Role Assignment.


2. From the Role Assignment panel, select the user for which you want to assign a
role, and click Edit (-/+).


3. From the Available Roles list, select a role and click Apply.


Configuring log on and session rules


About this task


Use this procedure to configure log on and session rules for the following interfaces:

• Configuration Management (OMI) (applies to AS 5300 Element Manager Console and
  AS 5300 Element Manager)

• Avaya Aura Provisioning Client

Procedure


1. From the menu bar of the AS 5300 Element Manager Console, select
Administration > Login Rules.


2. In the Login Rules pane, configure parameters as required.


3. Click Apply.


Configuring log on and session rules job aid

About this task

The following job aid lists and describes the parameters on the Login Rules dialog box.
Parameter            Description

Login Interface
    Select the interface to edit:
    Select Configuration Management (OMI) to configure rules for the
    AS 5300 Element Manager Console / AS 5300 Element Manager.
    Select Provisioning Management (PROV) to configure rules for the
    Provisioning Client.

Session Timeout (minutes)
    This rule defines the maximum number of minutes a session can be
    idle before the user must reauthenticate. For the AS 5300 Element
    Manager Console, after a session times out, any write operations
    must be re-authenticated. Configure the value to 0 (zero) to disable
    Session Timeout. You cannot disable Session Timeout for the Avaya
    Aura Provisioning Client interface.
    The range of values is 0-120.

Failed Login Attempts before Lockout
    This rule defines the number of consecutive failed log on attempts
    before the system locks the account. The current attempt is included
    in the count. For example, if the value is 1 (one), a single failure
    causes the user's account to be locked. Until the account is unlocked,
    the system rejects further attempts to log on. Configure the value to
    0 (zero) to disable lockout and permit unlimited successive failed
    attempts.
    The range of values is 0-10.

Lockout Duration (minutes)
    If an account is locked by the Failed Login Attempts before Lockout
    feature, Lockout Duration (minutes) defines the number of minutes
    that the account remains locked.
    The range of values is 1-60.

Account Inactivity Period (days)
    This rule defines the number of days an account can be inactive
    before the system automatically disables the account. Configure the
    value to 0 (zero) to disable Account Inactivity Period.
    The range of values is 0-180.


Configuring a new Provisioning Client role


Use this procedure to configure new roles for the Provisioning Client and assign the roles to
users to specify administrator privileges and level of access.

Before you begin

• You have administration management rights.

• You are a secadmin. The secadmin role has complete access.

Procedure


1. From the Provisioning Client menu bar, select Admin > Role to access the Admin
Role portlet.


2. On the Add tab, in the Role Name box, type a name for the new role.


3. In the Role description box, type a brief description of the role.


4. Under the Select All option, check the Read, Write, or Delete boxes if you want
the administrator to have a specific privilege or check all boxes to provide all
privileges.


5. Under the Data Layer Management option, check the Write and Delete boxes if
you want the administrator to have one or both privileges on the System,
Domain, and User level.


6. Select the necessary Read, Write, and Delete check boxes to configure access for
each Admin privilege.


7. Click Save.


Configuring a new Provisioning Client Admin


Use this procedure to configure new Admin users for the Provisioning Client. Assign each new
Admin a role so they can perform the administrative functions associated with that role.


Before you begin

• You have the administration management right.

• You are a secadmin. The secadmin role has complete access.


Procedure


1. From the Provisioning Client menu bar, select Admin > Add to access the Admin
portlet.

2. On the Add tab, configure parameters as required.

3. Click Save.

Configuring a new Provisioning Client Admin job aid


About this task


The following job aid describes the parameters that appear on the Add tab of the Admin
portlet.
Parameter            Description

Name
    This parameter contains the account user name (maximum 64
    characters).

First Name
    This parameter contains the user's first name (maximum 30
    characters).

Last Name
    This parameter contains the user's last name (maximum 30
    characters).

Password
    This parameter contains the password for the user account.

Confirm password
    This parameter must match the Password parameter.

Disable password aging
    Select this check box to disable password aging.

Enforce password change
    Select this check box to enforce password change during the
    first log on.

Enable account
    Select this check box to enable the account.

Immune to account inactivity period
    Select this check box to make the account immune to the
    Disable account inactivity period. Default is selected
    (immune).

Disable account inactivity period
    This parameter defines the number of consecutive days an
    account can be inactive before the system automatically
    disables the account.
    By default, this feature is disabled for the default Admin
    account.
    Caution:
    If you configure all Admin accounts to be disabled after a
    period of inactivity, there is a risk of permanently locking all
    administrators out of the system.


Maximum Password Life (days)
    The value you enter in this field overrides the system Password
    Policy for Maximum Password Life. Leave blank to use the
    system value.
    This parameter defines the maximum number of days before
    the user's password expires. The range of values allowed is
    0-180 days. For a password that never expires, enter 0 (zero).
    Default value: 90

Email
    This parameter contains the user's email address (if
    available).

Business Phone
    This parameter contains the user's business telephone number
    (if available).

Home Phone
    This parameter contains the user's home phone number (if
    available).

Cell Phone
    This parameter contains the user's cell phone number (if
    available).

Pager
    This parameter contains the user's pager number (if
    available).

Time Zone
    This parameter (select from the list) contains the user's time
    zone.

Locale
    This parameter (select from the list) contains the user's
    preferred language.

Configuring warning banners


Configure banner text to display advisory warnings before and after log on for the OPI, Avaya
Aura Provisioning Client, AS 5300 Element Manager Console, and Debug interfaces.

Before you begin

You can access the AS 5300 Element Manager Console.

You have BannerConfigService rights.

Procedure
1. In the configuration view of the AS 5300 Element Manager Console, select Network
Data and Mtc > Banners.


2. On the Banners panel, from the Banner Type list, select a banner type.



To configure                                               Do this

A warning banner to appear before administrators log on.   Select Admin Pre Log on.
A warning banner to appear after administrators log on.    Select Admin Post Log on.
A warning banner to appear before debug log on.            Select Debug Pre Log on.
A warning banner to appear after debug log on.             Select Debug Post Log on.
A warning banner to appear before users log on.            Select User Pre Log on.
A warning banner to appear after users log on.             Select User Post Log on.

3. In the Banner Data section, select the Enabled check box.

4. Type the message to display.

5. Click Apply.

Configuring warning banners job aid

The following job aid describes the parameters that appear on the Banners panel.

Parameter            Description

Banner Data
    Enter the text of the warning banner in this text box. The
    text has a maximum length of 2000 bytes of UTF-8
    encoded characters. The Debug Pre and Post Login
    banners are restricted to characters in the
    ANSI_X3.4-1968 character set (also known as US-ASCII).

Enabled
    This check box indicates whether or not the banner is
    enabled. An enabled banner is presented when
    appropriate when users log on to the system. A disabled
    banner is ignored and not presented when users log on
    to the system.
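The input limits stated in this chapter are worth enforcing in any script that provisions roles, accounts or banners against the console before the request is submitted: role names (Configuring a new AS 5300 Element Manager Console role job aid), user IDs (Configuring a new AS 5300 Element Manager Console user job aid) and the banner text described above. The following Python module is an added example and is not part of the Avaya documentation or product. The function names are the example's own, and the banner type strings are assumed to begin with the word shown in the Banner Type list, so that only the "Debug" prefix matters for the US-ASCII restriction.

```python
"""Pre-submission checks for AS 5300 console inputs, as the limits are stated in this guide.
Added example; function names and the banner_type strings are this example's own assumptions."""
import string
from typing import List

ALNUM = set(string.ascii_letters + string.digits)
# The eight additional role-name characters, allowed only between the first and last character.
ROLE_NAME_EXTRA = set(" @#&()+-")
# User IDs: 4-16 characters from a-z, A-Z, 0-9, underscore and hyphen.
USER_ID_CHARS = ALNUM | set("_-")
BANNER_MAX_BYTES = 2000


def validate_role_name(name: str) -> List[str]:
    """Return the list of rule violations for a role name (empty list means valid)."""
    errors = []
    if not 4 <= len(name) <= 36:
        errors.append("role name must be 4-36 characters")
    bad = {c for c in name if c not in ALNUM and c not in ROLE_NAME_EXTRA}
    if bad:
        errors.append(f"disallowed characters: {sorted(bad)}")
    # The extra characters may appear in the interior only, never first or last.
    if name and (name[0] not in ALNUM or name[-1] not in ALNUM):
        errors.append("role name must begin and end with an alphanumeric character")
    return errors


def validate_user_id(user_id: str) -> List[str]:
    """Return the list of rule violations for an administrator User ID."""
    errors = []
    if not 4 <= len(user_id) <= 16:
        errors.append("user ID must be 4-16 characters")
    bad = {c for c in user_id if c not in USER_ID_CHARS}
    if bad:
        errors.append(f"disallowed characters: {sorted(bad)}")
    return errors


def validate_banner(text: str, banner_type: str) -> List[str]:
    """Check banner text for one Banner Type (e.g. 'Admin Pre Login', 'Debug Pre Login')."""
    errors = []
    # The limit is 2000 bytes of UTF-8, not 2000 characters: a banner written in
    # non-ASCII characters reaches the limit with far fewer characters than an ASCII one.
    size = len(text.encode("utf-8"))
    if size > BANNER_MAX_BYTES:
        errors.append(f"banner is {size} bytes UTF-8; limit is {BANNER_MAX_BYTES}")
    # Only the Debug Pre/Post Login banners are restricted to US-ASCII.
    if banner_type.startswith("Debug") and not text.isascii():
        errors.append("Debug banners are restricted to US-ASCII characters")
    return errors


if __name__ == "__main__":
    # Constructed sample inputs.
    for name in ("Net Ops tier-2", "Net Ops (tier-2)", "Ops"):
        print(f"role {name!r}: {validate_role_name(name) or 'ok'}")
    for uid in ("sec_admin-01", "sec admin"):
        print(f"user ID {uid!r}: {validate_user_id(uid) or 'ok'}")
    print("1500 x U+00E9 as User Pre Login:", validate_banner("\u00e9" * 1500, "User Pre Login"))
    print("non-ASCII debug banner:", validate_banner("Zugriff nur f\u00fcr Berechtigte", "Debug Pre Login"))
```

The role-name check is the one most often got wrong by hand: "Net Ops (tier-2)" uses only permitted characters and is within the length limit, yet is rejected because it ends with ")". The banner check measures the encoded size, so 1500 copies of a two-byte character already exceed the 2000-byte limit.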

Modifying log on and session rules


You can modify log on and session rules for the following interfaces:


• Configuration Management (OMI) (applies to AS 5300 Element Manager Console and
  AS 5300 Element Manager)

• Avaya Aura Provisioning Client

Before you begin


You must have LoginRulesService rights.

Procedure


1. From the menu bar of the AS 5300 Element Manager Console, select
Administration > Login Rules.

2. In the Login Rules pane, edit the parameters as required.


3. Click Apply.


Modifying log on and session rules job aid


About this task


The following job aid lists and describes the fields on the Login Rules panel.

Parameter            Description

Login Interface
    Select the interface to edit:
    Select Configuration Management (OMI) to configure rules for the
    AS 5300 Element Manager Console / AS 5300 Element Manager.
    Select Provisioning Management (PROV) to configure rules for the
    Provisioning Client.

Session Timeout (minutes)
    This rule defines the maximum number of minutes a session can be
    idle before the user must reauthenticate. For the AS 5300 Element
    Manager Console, after a session times out, any write operations
    must be re-authenticated. Configure the value to 0 (zero) to disable
    Session Timeout. You cannot disable Session Timeout for the Avaya
    Aura Provisioning Client interface.
    The range of values is 0-120.

Failed Login Attempts before Lockout
    This rule defines the number of consecutive failed log on attempts
    before the system locks the account. The current attempt is included
    in the count. For example, if the value is 1 (one), a single failure
    causes the user's account to be locked. Until the account is unlocked,
    the system rejects further attempts to log on. Configure the value to
    0 (zero) to disable lockout and permit unlimited successive failed
    attempts.
    The range of values is 0-10.

Lockout Duration (minutes)
    If an account is locked by the Failed Login Attempts before Lockout
    feature, Lockout Duration (minutes) defines the number of minutes
    that the account remains locked.
    The range of values is 1-60.

Account Inactivity Period (days)
    This rule defines the number of days an account can be inactive
    before the system automatically disables the account. Configure the
    value to 0 (zero) to disable Account Inactivity Period.
    The range of values is 0-180.
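The lockout and inactivity rules above (and the identical job aid under Configuring log on and session rules) are easy to get off by one when a monitoring script or an acceptance test reproduces them: the failing attempt itself is counted, 0 disables lockout entirely, and a locked account is rejected even for a correct password until Lockout Duration elapses. The following Python model is an added example, not Avaya code. It assumes that the failure counter resets on a successful log on (the rule speaks of consecutive failures) and that a lockout simply expires after the configured minutes; the parameter checks follow the ranges stated in the job aid.

```python
"""Model of the Login Rules lockout and inactivity behaviour as described in this guide.
Added example, not Avaya code; reset-on-success and expiring lockouts are assumptions."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional


@dataclass
class LoginRules:
    """One interface's Login Rules values (OMI or PROV)."""
    session_timeout_min: int = 30            # 0-120; 0 disables (not permitted for PROV)
    failed_attempts_before_lockout: int = 3  # 0-10; 0 disables lockout
    lockout_duration_min: int = 15           # 1-60
    account_inactivity_days: int = 90        # 0-180; 0 disables

    def violations(self, interface: str) -> List[str]:
        """Range and cross-checks from the job aid; interface is 'OMI' or 'PROV'."""
        v = []
        if not 0 <= self.session_timeout_min <= 120:
            v.append("Session Timeout must be 0-120 minutes")
        if interface == "PROV" and self.session_timeout_min == 0:
            v.append("Session Timeout cannot be disabled for the Provisioning Client interface")
        if not 0 <= self.failed_attempts_before_lockout <= 10:
            v.append("Failed Login Attempts before Lockout must be 0-10")
        if not 1 <= self.lockout_duration_min <= 60:
            v.append("Lockout Duration must be 1-60 minutes")
        if not 0 <= self.account_inactivity_days <= 180:
            v.append("Account Inactivity Period must be 0-180 days")
        if self.failed_attempts_before_lockout == 0:
            v.append("warning: lockout disabled, unlimited successive failed attempts permitted")
        return v


@dataclass
class Account:
    user_id: str
    last_activity: Optional[datetime] = None
    failed_count: int = 0
    locked_until: Optional[datetime] = None
    disabled: bool = False
    immune_to_inactivity: bool = False   # the 'Disable Account Inactivity Period' check box


def attempt_login(acct: Account, rules: LoginRules, password_ok: bool, now: datetime) -> str:
    """Apply one log on attempt; returns 'ok', 'failed', 'locked' or 'disabled'."""
    inactivity = timedelta(days=rules.account_inactivity_days)
    if (rules.account_inactivity_days and not acct.immune_to_inactivity
            and acct.last_activity is not None and now - acct.last_activity > inactivity):
        acct.disabled = True           # inactive longer than the period: disabled automatically
    if acct.disabled:
        return "disabled"
    if acct.locked_until is not None:
        if now < acct.locked_until:
            return "locked"            # rejected regardless of the password supplied
        acct.locked_until = None       # Lockout Duration has elapsed
        acct.failed_count = 0
    if password_ok:
        acct.failed_count = 0          # consecutive count restarts after a success (assumed)
        acct.last_activity = now
        return "ok"
    acct.failed_count += 1
    # The current attempt is included in the count, so a value of 1 locks on the first failure.
    if rules.failed_attempts_before_lockout and acct.failed_count >= rules.failed_attempts_before_lockout:
        acct.locked_until = now + timedelta(minutes=rules.lockout_duration_min)
        return "locked"
    return "failed"


def demo() -> List[str]:
    """Constructed scenario: three bad passwords, a correct one during lockout, one after, then long inactivity."""
    rules = LoginRules(failed_attempts_before_lockout=3, lockout_duration_min=15, account_inactivity_days=90)
    acct = Account("secops01", last_activity=datetime(2012, 5, 3, 8, 0))
    t0 = datetime(2012, 5, 3, 9, 0)
    steps = [(False, t0), (False, t0 + timedelta(seconds=5)), (False, t0 + timedelta(seconds=10)),
             (True, t0 + timedelta(minutes=5)), (True, t0 + timedelta(minutes=16)), (True, t0 + timedelta(days=91))]
    return [attempt_login(acct, rules, ok, when) for ok, when in steps]


def edge_cases() -> Dict[str, bool]:
    """Value 1 locks on a single failure; value 0 never locks."""
    t = datetime(2012, 5, 3, 9, 0)
    one = attempt_login(Account("a"), LoginRules(failed_attempts_before_lockout=1), False, t) == "locked"
    zero_rules, zero_acct = LoginRules(failed_attempts_before_lockout=0), Account("b")
    never = all(attempt_login(zero_acct, zero_rules, False, t) == "failed" for _ in range(50))
    return {"value_1_locks_on_first_failure": one, "value_0_never_locks": never}


if __name__ == "__main__":
    print(demo())        # ['failed', 'failed', 'locked', 'locked', 'ok', 'disabled']
    print(edge_cases())
    print(LoginRules(session_timeout_min=0, failed_attempts_before_lockout=0).violations("PROV"))
```

The third failure locks the account because the failing attempt counts; the correct password five minutes later is still rejected; the attempt after the 15-minute window succeeds; and the log on 91 days later finds the account disabled by the inactivity rule. The violations check reports the two settings a reviewer should refuse: a disabled Session Timeout on the Provisioning Client interface and a lockout value of 0.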

Modifying application administrator password rules

About this task


You can modify the password complexity rules and password aging rules to enhance the
security of AS 5300 Element Manager Console, Open Management Interface (OMI), and
Avaya Aura Provisioning Client passwords.

Procedure

1. From the menu bar of the AS 5300 Element Manager Console, select
Administration > Password Rules.

2. In the Password Rules panel, under Password Complexity R,ules, modify
parameters as required.

3. In the Password Rules panel, under Password Aging, modify parameters as
required.

4. Click Apply.

Modifying application administrator password rules job aid


About this task


The following job aid lists and describes the fields on the Password Rules panel, which apply
to Admin users.

Application administrator password rules

Parameter            Description

Minimum Password Length
    This rule defines the minimum number of characters that
    must be included in a password.
    The range of values allowed is 4-32. Default value: 8
    Note: The following restrictions apply:
    The Minimum Password Length must be equal to or
    greater than the total of the Minimum Lowercase
    Characters, Minimum Uppercase Characters,
    Minimum Digit Characters, and Minimum Special
    Characters values.
    If Check For Dictionary Words in Password is enabled,
    the Minimum Password Length value must be 6 or
    more.
    Caution:
    The system supports passwords up to a maximum of
    511 characters. However, some phone clients limit the
    maximum length of passwords. Verify the capabilities
    of your phone before creating a long password.

Minimum Lowercase Characters
    This rule defines the minimum number of lowercase
    characters that must be included in a valid password.
    Lowercase characters are defined by the US-ASCII
    character set, a-z.
    The range of values allowed is 0-10. Default value: 2

Minimum Uppercase Characters
    This rule defines the minimum number of uppercase
    characters that must be included in a valid password.
    Uppercase characters are defined by the US-ASCII
    character set, A-Z.
    The range of values allowed is 0-10. Default value: 2

Minimum Digits
    This rule defines the minimum number of digits that must
    be included in a valid password. Digits are defined by the
    US-ASCII character set, 0-9.
    The range of values allowed is 0-10. Default value: 2

Minimum Special Characters
    This rule defines the minimum number of special
    characters that must be included in a valid password.
    Special characters are defined by the following US-ASCII
    character set: . @ - _ & ^ ? ! ( ) , / \ : ; ~ = +
    The range of values allowed is 0-10. Default value: 0

Maximum Consecutive Characters
    This rule defines the maximum number of times a given
    character can appear consecutively in a valid password.
    Configure the value to 0 (zero) to disable Maximum
    Consecutive Characters.
    The range of values allowed is 0-10. Default value: 0

Minimum Characters Different from Previous Password
    This rule defines the minimum number of characters that
    must be different in the new password from the previous
    password.
    The range of values allowed is 0-10. Default value: 0

Password History
    This rule defines the number of previous passwords
    stored by the system for each administrator. The system
    rejects the reuse of any password found in the user's
    history.
    Configure the value to 0 (zero) to disable Password
    History validation. When Password History is configured
    to 0, the Minimum Characters Different From Previous
    Password feature is automatically configured to 0.
    The range of values allowed is 0-24. Default value: 0

User ID or Reversed User ID Permitted in Password
    This rule indicates whether or not an administrator user
    name can appear in the administrator password. The
    rule is case insensitive, so, for example, the passwords
    "sysAdmin123", "sysadmin123" and "sysADMIN123"
    are all found to contain "admin".
    Select TRUE or FALSE. Default value: TRUE.

Check For Dictionary Words in Password
    This rule indicates whether or not the system checks
    passwords against a dictionary. When this rule is
    enabled, administrators are prevented from using
    passwords that are derived from dictionary words.
    Select TRUE or FALSE. Default value: FALSE.
    Note: If Check For Dictionary Words in Password is
    enabled, the Minimum Password Length value must be
    6 or more.

Maximum Password Life (days)
    This rule defines the maximum number of days before a
    user's password expires. Configure the value to 0 (zero)
    to disable password expiration.
    The range of values allowed is 0-180 days. Default
    value: 90

Minimum Password Life (hours)
    This rule defines the minimum number of hours that a
    password must exist before the user can change it.
    Configure the value to 0 (zero) to permit users to change
    their passwords as often as they wish. The Minimum
    Password Life must be less than the Maximum
    Password Life.
    The range of values allowed is 0-480 hours (20 days).
    Default value: 1

Expiry Notification (days)
    This rule defines the number of days that an
    administrator is notified prior to password expiration.
    Configure this value to 0 (zero) to disable expiry
    notification. The Expiry Notification value must be less
    than the Maximum Password Life, and must be greater
    than the Minimum Password Life.
    The range of values allowed is 0-30 days. Default value:
    7
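The rules in this table interact, and the same rules close the Configuring application administrator password rules job aid earlier in this chapter: Minimum Password Length must cover the sum of the per-class minimums, dictionary checking needs a length of 6 or more, the two lifetimes and the notification window must be ordered, Password History 0 silently zeroes the "different from previous" rule, and the user-ID rule matches case-insensitively and also catches the reversed ID. The following Python module is an added example, not Avaya code; it encodes the rules as the table states them so that a password can be pre-checked against a policy and a proposed policy can be checked for the cross-rule restrictions. Two definitions are this example's own assumptions because the document does not give them: "characters different from the previous password" is counted position by position, and "derived from a dictionary word" means that the lowercased password, with common digit and symbol substitutions undone, contains a word from a small constructed word list.

```python
"""Password policy checks for the AS 5300 administrator password rules in this guide.
Added example, not Avaya code; the two assumed definitions are marked in comments."""
import string
from dataclasses import dataclass
from typing import List

# Special characters exactly as listed in the Minimum Special Characters rule.
SPECIALS = set(".@-_&^?!(),/\\:;~=+")
# Constructed word list; a deployment would use a real dictionary file.
DICTIONARY = {"password", "avaya", "admin", "summer", "welcome", "secret"}
# Assumed normalisation for 'derived from a dictionary word': undo common substitutions.
LEET = str.maketrans("013457@$!", "oleastasi")


@dataclass
class PasswordRules:
    """Password Rules panel values; the defaults are the documented defaults."""
    min_length: int = 8                  # 4-32
    min_lower: int = 2                   # 0-10
    min_upper: int = 2                   # 0-10
    min_digits: int = 2                  # 0-10
    min_special: int = 0                 # 0-10
    max_consecutive: int = 0             # 0-10; 0 disables
    min_diff_from_previous: int = 0      # 0-10
    history: int = 0                     # 0-24; 0 disables history
    user_id_permitted: bool = True       # documented default TRUE: user ID allowed in password
    dictionary_check: bool = False
    max_life_days: int = 90              # 0-180; 0 disables expiry
    min_life_hours: int = 1              # 0-480
    expiry_notification_days: int = 7    # 0-30

    def violations(self) -> List[str]:
        """Cross-rule restrictions stated in the table, plus one warning about the permissive default."""
        v = []
        class_total = self.min_lower + self.min_upper + self.min_digits + self.min_special
        if self.min_length < class_total:
            v.append(f"Minimum Password Length {self.min_length} is below the sum of the class minimums ({class_total})")
        if self.dictionary_check and self.min_length < 6:
            v.append("Check For Dictionary Words requires Minimum Password Length of 6 or more")
        if self.max_life_days and self.min_life_hours >= self.max_life_days * 24:
            v.append("Minimum Password Life must be less than Maximum Password Life")
        if self.expiry_notification_days and self.max_life_days and not (
                self.min_life_hours / 24 < self.expiry_notification_days < self.max_life_days):
            v.append("Expiry Notification must lie between Minimum and Maximum Password Life")
        if self.user_id_permitted:
            v.append("warning: user ID permitted in password (the documented default); set FALSE to reject it")
        return v


def contains_dictionary_word(pw: str) -> bool:
    normalised = pw.lower().translate(LEET)
    return any(word in normalised for word in DICTIONARY)


def check_password(pw: str, user_id: str, previous: List[str], rules: PasswordRules) -> List[str]:
    """Return the rule violations for a new password; previous[0] is the current password."""
    v = []
    if len(pw) < rules.min_length:
        v.append(f"shorter than {rules.min_length} characters")
    classes = (("lowercase", string.ascii_lowercase, rules.min_lower), ("uppercase", string.ascii_uppercase, rules.min_upper),
               ("digit", string.digits, rules.min_digits), ("special", SPECIALS, rules.min_special))
    for name, charset, need in classes:
        have = sum(c in charset for c in pw)
        if have < need:
            v.append(f"needs at least {need} {name} characters, has {have}")
    if rules.max_consecutive:
        run = 1
        for a, b in zip(pw, pw[1:]):
            run = run + 1 if a == b else 1
            if run > rules.max_consecutive:
                v.append(f"'{b}' repeats more than {rules.max_consecutive} times in a row")
                break
    # History 0 disables both history and the 'different from previous' rule (the table
    # states the latter is automatically set to 0 in that case).
    if rules.history:
        if pw in previous[:rules.history]:
            v.append("password found in history")
        if previous and rules.min_diff_from_previous:
            old = previous[0]
            diff = sum(a != b for a, b in zip(pw, old)) + abs(len(pw) - len(old))   # assumed definition
            if diff < rules.min_diff_from_previous:
                v.append(f"only {diff} character(s) differ from the previous password")
    if not rules.user_id_permitted:
        low, uid = pw.lower(), user_id.lower()
        if uid in low or uid[::-1] in low:          # case-insensitive, forward or reversed
            v.append("contains the user ID or the reversed user ID")
    if rules.dictionary_check and contains_dictionary_word(pw):
        v.append("derived from a dictionary word")
    return v


# A policy tightened from the documented defaults, used by the samples below.
STRICT = PasswordRules(min_special=1, max_consecutive=2, history=5, min_diff_from_previous=3, user_id_permitted=False, dictionary_check=True)

if __name__ == "__main__":
    print(PasswordRules().violations(), STRICT.violations())
    for pw, prev in (("sysAdmin123", []), ("Ab9-nimda!Q2", []), ("Tq7#Lm4v!Rz9", ["Tq7#Lm4v!Rz8"])):
        print(pw, check_password(pw, "admin", prev, STRICT) or "ok")
```

Against STRICT, the table's own example "sysAdmin123" fails four ways (too few uppercase, no special character, contains the user ID, and "admin" is a dictionary word), "Ab9-nimda!Q2" is rejected only because it contains the reversed user ID, and "Tq7#Lm4v!Rz9" is rejected when it differs from the previous password in a single position. Note that the documented default for the user-ID rule is TRUE (permissive); the violations check flags that so it is changed deliberately rather than inherited.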

Modifying an AS 5300 Element Manager Console role


You can modify roles for the AS 5300 Element Manager Console to specify admin privileges
and level of access.

Before you begin

You have ConfigRoleDefinitionService READ and WRITE privileges.

Procedure


1. From the menu bar of the AS 5300 Element Manager Console, select
Administration > Role Definition.

2. On the Role Definition panel, select the role to modify, and then click Edit (-/+).


3. Select READ, WRITE, or MAINT as required to configure privileges for each
service.


4. Click Apply.


Modifying an AS 5300 Element Manager Console role job aid

About this task

The effects of the READ, WRITE, and MAINT privileges differ according to the service that is
selected; however, the following points generally apply:

• The READ privilege typically allows you to view, but not modify, configuration data.

• The WRITE privilege enables READ automatically and allows you to add and modify
  configuration data.

• The MAINT privilege allows you to start and stop services, but does not allow you to
  change configuration data. Typically you must also have the READ privilege in addition
  to MAINT.


Refer to Configuring a new AS 5300 Element Manager Console role job aid on page 94 for a
list and description of the services for which you can add READ, WRITE, and MAINT privileges
to roles.

Modifying an AS 5300 Element Manager Console administrator

Modify an AS 5300 Element Manager Console administrator user account.

Before you begin

You know the Global Administrator account password.

Procedure

1. From the menu bar of the AS 5300 Element Manager Console, select Administration > User Administration.

2. On the User Administration panel, select the user to modify, and click Edit (-/+).

3. In the Edit User Account dialog box, configure parameters as required.

4. Click Apply.
If the change is valid, the Edit User Account dialog box closes and the modification appears on the User Administration panel.

Modifying an AS 5300 Element Manager Console user job aid

About this task

This job aid lists and describes the fields that you configure on the Add User Account dialog box.

Parameter: Description

User Name: Edit the administrator's first and last names. The maximum number of characters allowed is 36. There are no character restrictions.

Maximum Password Life: If you enter a value greater than 0, this value is used instead of the Maximum Password Life value found in the Password Rules. Enter 0 to use the Password Rules value.

Account Disabled: If you select this check box, the account is disabled and the administrator cannot log on.

Disable Account Inactivity Period: When enabled, this parameter exempts the administrator account from automatic account inactivity disabling.

Immune to Expiry: If you select this check box, the password aging rules do not apply. All password complexity rules still apply. This option is intended for nonhuman accounts. For secure systems, select this option only for nonhuman accounts.

Disabling an AS 5300 Element Manager Console user account

About this task

You can disable an AS 5300 Element Manager Console user account.

Procedure

1. From the menu bar of the AS 5300 Element Manager Console, select Administration > User Administration.

2. On the User Administration panel, select the user to be disabled and click Edit (-/+).

3. In the Edit User Account dialog box, select the Account Disabled check box.

4. Click Apply.

Disabling password aging rules for an account

About this task

You can disable the password aging rules for a particular account. This option is intended for system (non-human) accounts. All password complexity rules still apply.

Procedure

1. From the menu bar of the AS 5300 Element Manager Console, select Administration > User Administration.

2. On the User Administration panel, select the user whose password aging rules you want to disable and click Edit (-/+).

3. In the Edit User Account dialog box, select the Immune to Expiry check box.

4. Click Apply.
Viewing and forcing off users

You can view all AS 5300 Element Manager Console users who are logged on. If necessary, you can force another administrator off the system.

Before you begin

You have AdminUserService privileges.

Procedure

1. From the AS 5300 Element Manager Console menu bar, select Administration > User Display/Forceoff.

2. To force an administrator off the system, from the Logged-in Users panel, select an entry and click Force Off.

3. Click Yes to confirm the Force Off.
Exporting configuration data for AS 5300 Element Manager Console

You can export configuration data for the AS 5300 Element Manager Console.

Before you begin

You have ExportImportService privileges.

You must know the userid and password of an OS AA admin.

Procedure

1. From the menu bar of the AS 5300 Element Manager Console, select Tools > DB Export.

2. In the DB Export panel, click Choose.

3. In the Save dialog box, browse to the location where you want to save the file.

4. In the File name box, type a name for the file.

5. Click Save.

6. Select the Export Selected Services radio button.

7. From the Services Available for Export list, select the desired service.

8. Click Export Now.

9. In the FTP log on screen, enter the username and password for the AA role.

10. Click Apply.

Importing configuration data for AS 5300 Element Manager Console

You can import configuration data for the AS 5300 Element Manager Console.

Before you begin

You have ExportImportService privileges.

You must know the userid and password of an OS AA admin.

Procedure

1. From the menu bar of the AS 5300 Element Manager Console, select Tools > DB Import.

2. In the DB Import panel, under Import File, click Choose.

3. In the Open dialog box, browse to the location from which you want to select the file.

4. Select the file that you want to restore.
The file name appears in the File name box.

5. Click Open.

6. In the DB Import panel, under Result File, click Choose.

7. In the Save dialog box, browse to the location where you want to save the log output file.

8. In the File name box, type a name for the log output file.

9. Click Save.

10. Click Import Now.

11. In the FTP log on screen, enter the user name and password for the AA role.

12. Click Apply.
Deleting an AS 5300 Element Manager Console role

You can delete any role that is not required.

Before you begin

You must reassign any users assigned to the role.

Procedure

1. From the AS 5300 Element Manager Console menu bar, select Administration > Role Definition.

2. From the Role Definition panel, select the role that you want to delete and click Delete.

3. Click Yes to confirm.
If the role is not referenced by any users, the entry disappears from the Role Definition panel.

Deleting an AS 5300 Element Manager Console user

About this task

You can delete the user accounts for administrators who no longer require access to the AS 5300 Element Manager Console.

Procedure

1. From the AS 5300 Element Manager Console menu bar, select Administration > User Administration.

2. From the User Administration panel, select the entry for the user and click Delete (-).

3. Click Yes to confirm.
Resetting the password for the AS 5300 Element Manager Console admin account

Use this procedure to reset the password for the initial AS 5300 Element Manager Console admin account, if there are no other administrative users who have sufficient privileges to reset the password.

Before you begin

You must belong to the Database Administrator role.

You must belong to the Application Administrator role.

Procedure

1. Log on to the primary database (DB) server as a user with DBA role.

2. Run the script to change the password:
./resetSMGuiAdminPasswd.pl

3. Log on to the primary AS 5300 Element Manager as a user with AA role.

4. Type the password, which the previous script reset to admin.

5. Change directory:
cd /var/mcp/install

6. Run the script to restart the AS 5300 Element Manager:
./smUpgrade.pl
This script stops all AS 5300 Element Manager instances, redeploys the load specified in installprops.txt, and restarts all AS 5300 Element Manager instances.

7. Log on to the AS 5300 Element Manager Console with the admin account.

8. At the prompt to change the password, type a new password that complies with the password rules.

9. Type the new password again to confirm.

10. Click OK to save the new password and complete the log on.
Resetting the password for an AS 5300 Element Manager Console administrator

You can reset the password for another AS 5300 Element Manager Console administrator.

Before you begin

You can access the AS 5300 Element Manager Console.

Procedure

1. From the menu bar of the AS 5300 Element Manager Console, select Administration > Password Administration > Set Administrator Password.

2. On the Set Administrator Password panel, from the User ID list, choose the administrator.

3. In the New Password box, type the new password for the administrator.

4. In the Password Confirm box, type the new password again.

5. Optional. To force the administrator to change the new password at first logon, select the Force Password Change check box.

Important:
Having more than one person know the password for a user account reduces accountability and system security. Avaya recommends that you select this option.

6. Click Apply.
Changing your AS 5300 Element Manager Console password

Use this procedure to change the password for your AS 5300 Element Manager Console account.

Before you begin

You can access the AS 5300 Element Manager Console.

Procedure

1. From the menu bar of the AS 5300 Element Manager Console, select Administration > Password Administration > Change My Password.

2. On the Change My Password panel, in the New Password box, type your new password.

3. In the Password Confirm box, type your new password again.

4. In the Current Password box, type your current password.

5. Click Apply.
Modifying a Provisioning Client role

You can modify roles for the Provisioning Client to specify admin privileges and level of access.

Before you begin

You are a secadmin. The secadmin role has complete access.

Procedure

1. From the Provisioning Client menu bar, select Admin > Role to access the Admin Role portlet.

2. On the List tab, in the Role Name column, click the name of the role to be modified.

3. In the Role Description box, type a brief description of the role.

4. Under the Data Layer Management option, check the Write and Delete boxes if you want the administrator to have one or both privileges on the System, Domain, and User level.

5. Select the necessary Read, Write, and Delete check boxes to configure access for each Admin privilege.

6. Click Save.

Modifying a Provisioning Client role job aid

About this task

For more information about the administrative privileges listed on the Add a New Role page, see Avaya Aura Application Server 5300 Using the Provisioning Client, NN42040-112.
Listing Provisioning Client Admin users

About this task

Use this procedure to search for Admin user accounts for the Provisioning Client.

Procedure

1. From the Provisioning Client menu bar, select Admin > List to access the Admin portlet.

2. To see a list of administrator user accounts, select the List tab.

Searching for Provisioning Client users by role

Use this procedure to search for Provisioning Client administrative users by role.

Before you begin

You have the administration management right.

You are a secadmin. The secadmin role has complete access.

Procedure

1. From the Provisioning Client menu bar, select Admin > List.

2. Click the Advanced Search tab.

3. In the Administrator Role list, select a role.

4. Click Search.
Searching for inactive Provisioning Client users

Use this procedure to search for Provisioning Client administrative users who have inactive accounts.

Before you begin

You have the administration management right.

You are a secadmin. The secadmin role has complete access.

Procedure

1. From the Provisioning Client menu bar, select Admin > List.

2. Click the Search tab.

3. Enter a number for Inactive time in days.

4. Click Search.
Modifying a Provisioning Client Admin

Use this procedure to modify Admin users for the Provisioning Client.

Before you begin

You have the administration management right.

You are a secadmin. The secadmin role has complete access.

Procedure

1. From the Provisioning Client menu bar, select Admin > List.

2. Select the administrator name.

3. Click the Details tab, and then modify the administrator fields as required.

4. Click Save.

5. Click the Domains tab, and then modify the administrator fields as required.

6. Click Save.

7. Click the Roles tab, and then modify the administrator fields as required.

8. Click Save.

9. Click the Account Policy tab, and then modify the administrator fields as required.

10. Optionally, to disable an administrator, deselect the Enable account check box.

11. Click Save.
Deleting a Provisioning Client user

About this task

Use this procedure to remove Provisioning Client user accounts that are no longer required.

Procedure

1. From the Provisioning Client menu bar, select Admin > List to access the Admin portlet.

2. On the List tab, click Delete for the user account that you want to delete.

3. On the confirmation dialog, type your administrator password, and then click Confirm.
Resetting the password for the Provisioning Manager admin account

Use this procedure to reset the password for the initial Provisioning Manager admin account if there are no other administrative users who have sufficient privileges to reset the password.

Before you begin

You must belong to the Database Administrator role.

Procedure

1. Log on to the primary database server as a user with DBA role.

2. Change directory:
cd /var/mcp/run/MCP_<rel>/<dbName>/bin/util

3. Run the script to change the password:
./resetProvAdminPasswd.pl

4. Log on to the AS 5300 Element Manager Console.

5. From the configuration view, select Network Elements > Provisioning Managers > <PROV_instance> > NE Maintenance.

6. In the Prov Maintenance window, under the Oper column, verify that the Provisioning Manager status is Active.

7. Select the Provisioning Manager instance and click Restart.

8. Verify that the Provisioning Manager status returns to Active.

9. Use a supported Web browser to log on to the Provisioning Client for the Provisioning Manager that you restarted in step 7 on page 122.
(The above script resets the password to a default of admin.)

10. From the Provisioning Client navigation pane, select Administrator > Password.

11. Type the new password for the Provisioning Manager admin account.

12. Type the new password again to confirm.

13. Type the old password (the default password is admin).

14. Click Save.
Resetting the password for a Provisioning Client administrator

Use this procedure to reset another Provisioning Client administrator's password.

Before you begin

You have AdminUserService rights.

To reset the password for the admin account, you must have the secadmin role.

Procedure

1. From the Provisioning Client menu bar, select Admin > List to access the Admin portlet.

2. On the List tab, click Reset for the administrator whose password you want to reset.

3. In the New Password box, type the new password for the administrator.

4. In the Confirm Password box, type the new password again.

5. Optional. To force the administrator to change the new password at first logon, select the Enforce Password Change check box.

Important:
Having more than one person know the password for a user account reduces accountability and system security. Avaya recommends that you select this option.

6. Click Apply.
Changing your Provisioning Client password

Use this procedure to change the password for your Provisioning Client user account.

Before you begin

You can access the Provisioning Client.

Procedure

1. From the Provisioning Client menu bar, select Admin > Change Admin Password.

2. In the New Password box, type your new password.

3. In the Confirm Password box, type your new password again.

4. In the Current Password box, type your current password.

5. Click Save.
Chapter 11: Application security configuration

About this task

Use the procedures in this chapter to better secure HTTPS communications with the AS 5300 Element Manager and the Provisioning Manager.

For information about how to secure network element logs, see 105.1.3 AS5300 Security Hardening.

Navigation:

- Configuring the AS 5300 Element Manager with certificates for HTTPS on page 125
- Configuring the Provisioning Manager with certificates for HTTPS on page 126
- Configuring the AS 5300 Element Manager Console with certificates for HTTPS and SIPCAC on page 127
Configuring the AS 5300 Element Manager with certificates for HTTPS

Configure the HTTPS certificate for the AS 5300 Element Manager after you replace the default self-signed certificate with a CA-signed certificate for each component in the system.

Before you begin

You can access the AS 5300 Element Manager Console.

Obtain and import a CA-signed certificate for each component in the network.

Procedure

1. From the AS 5300 Element Manager Console navigation pane, select Network Elements > Element Manager.

2. On the Element Manager window, select the AS 5300 Element Manager, and then click Edit (-/+).

3. On the Edit dialog, in the Internal OAM section, from the HTTPS Certificate list, choose the new certificate.

4. If required, on the Edit dialog, in the External OAM section, from the HTTPS Certificate list, choose the new certificate.

5. Click Apply.
After the configuration update, the system raises an alarm to alert you that you must restart the AS 5300 Element Manager to pick up the new certificate.

6. Restart the standby instance of the AS 5300 Element Manager.

7. After the standby instance state turns to hot standby, stop the active AS 5300 Element Manager.
This action causes a failover to the backup AS 5300 Element Manager and causes the AS 5300 Element Manager Console to lose connectivity.

8. Log on to the AS 5300 Element Manager Console again.

9. Start the AS 5300 Element Manager backup instance.
Configuring the Provisioning Manager with certificates for HTTPS

Configure the HTTPS certificate for the Provisioning Manager after you replace the default self-signed certificate with a CA-signed certificate for each component in the system.

Important:
Repeat this procedure for each Provisioning Manager in your Application Server 5300 system.

Before you begin

You can access the AS 5300 Element Manager Console.

Obtain and import a CA-signed certificate for each component in the network.

Procedure

1. Stop the Provisioning Manager.

2. From the AS 5300 Element Manager Console navigation pane, select Network Elements > Provisioning Managers.

3. On the Provisioning Managers window, select an instance (for example, PROV1) and click Edit (-/+).

4. On the Edit dialog, in the Prov section, from the Internal OAM HTTPS Certificate list, choose the new certificate.

5. On the Edit dialog, in the Prov section, from the External OAM HTTPS Certificate list, choose the new certificate.

6. On the Edit dialog, in the PA section, from the HTTPS Certificate list, choose the new certificate.

7. Click Apply.
After the configuration update, the system raises an alarm to alert you that you must restart the Provisioning Manager to pick up the new certificate.

8. Start the Provisioning Manager.
Configuring the AS 5300 Element Manager Console with certificates for HTTPS and SIPCAC

Configure the HTTPS and SIP certificate for the AS 5300 Element Manager Console using ActivClient (CAC reader), after you replace the default self-signed certificate with a CA-signed certificate for each component in the system.

Before you begin

ActivClient is installed on the desktop on which the AS 5300 Element Manager Console is running.

The Management PC is equipped with a CAC reader device.

Procedure

1. Choose one of the following:
- If MCP FIPS is enabled, access the AS 5300 Element Manager Console by running fips-mgmtconsole.bat.
- If MCP FIPS is not enabled, in the address bar of your Web browser, enter the following address: https://<EM_Service_IPAddress>:12121

2. In the AS 5300 Element Manager Console connection window, click Advanced.

3. Select the Trust Store Certificates tab.

4. Select a CA certificate file.

5. Click Add (+) to add the CA certificate file to the AS 5300 Element Manager Console truststore.

6. Select the PKCS11 Configuration tab.

7. Click Edit (-/+).

8. In the Module Name list, select ActivCard.

9. Click Browse, and then locate and select the acpkcs211.dll file. The location of the acpkcs211.dll file depends on the installation of the ActivClient CAC software.

10. Click OK.

11. Click OK.

12. In the ActivClient Login window, enter the PIN for the inserted CAC card.

13. Log on to the AS 5300 Element Manager Console.
Chapter 12: Certificate management overview

The Avaya Aura Application Server 5300 uses public-key cryptography standards (PKCS) technology (PKCS#12 certificates) in its Session Initiation Protocol (SIP) Transport Layer Security (TLS) application. This chapter provides supporting information about certificate management for the Application Server 5300 system.

Platform certificate management tool

The certmgr tool provides an interface to the server certificate database. The certmgr tool resides on each core Application Server 5300 server and Avaya Media Server (MS) server. A Security System Administrator (SSA) with sudo privileges can start the certmgr tool by typing the name of the tool at the prompt.

Use the certmgr tool to generate Certificate Signing Requests (CSR), verify certificate chains, and create PKCS#12 files.

The certmgr tool does not include support for the following tasks:

- obtaining the CA certificate
- sending a CSR to the Certificate Authority (CA)
- obtaining the signed certificate from the CA
- obtaining the CRL from the CA

How to obtain these files and transfer them to the servers is the administrator's choice. For example, the administrator can use secure FTP (SFTP) for this purpose.

IPsec custom certificates

The procedures to generate IPsec custom certificates are the same as those to generate custom certificates for the Application Server 5300 core servers and Avaya MS. After an IPsec certificate is signed by the CA and bundled into a PKCS12 file, you can install it on the servers.

Important:
Before you can install IPsec certificates, you must stop the IPsec service on all Application Server 5300 core and Avaya MS servers.

For more information about IPsec, see IPsec configuration overview on page 167.
Core application certificates

Use the AS 5300 Element Manager Console or the Open Management Interface (OMI) to manage certificates for the Application Server 5300 core application. Certificate management for the core application includes management of:

- the Keystore
- the Truststore
- Certificate Revocation

Keystore certificates

Keystore certificates are the certificates for the Network Elements that are part of the Application Server 5300 core. This does not include External Nodes such as gateways.

You can import PKCS#12 files into the Keystore. The PKCS#12 file must contain one end entity certificate, the corresponding private key, and zero or more CA certificates. The system stores the private key internally; therefore, only the node that is assigned this certificate can retrieve the private key. The file can also include the certificate chain, in which case the system automatically imports the rest of the chain into the Truststore if an entry does not already exist for each CA in the chain. During the import process, the system associates a unique logical name with the certificate. You use the logical name to associate the certificate with a TLS port when you assign a Keystore certificate to a Network Element. For more information, see Core application certificate management on page 149.

Truststore certificates

The system uses the Root CA and intermediate CA certificates stored in the Truststore to authenticate certificates issued by the CA. For the certificates stored in the Keystore to be authenticated, the signing chain must exist in the Truststore. The signing chain for other certificates, such as for gateways, must also exist in the Truststore. If the system uses a self-signed certificate, you must import the self-signed certificate into the Truststore. For more information, see Truststore certificate management on page 157.

The system uses Privacy Enhanced Mail (PEM) formatted files to import certificates into the Truststore. Each file must contain only one certificate. Certificates in the Truststore are considered public; therefore, no password or private key data is required.
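The Truststore rules above (PEM input, exactly one certificate per file, no private-key material, and a CA that already has an entry is not imported again), as an added Python example that is not part of the Avaya product or of this document: it splits a concatenated CA chain into one-certificate files and skips any certificate whose SHA-256 fingerprint is already present. The sample chain is constructed from placeholder bytes rather than real DER, so only the PEM framing is checked, not X.509 validity; the output file naming is an assumption.

```python
# Added example (not Avaya code): prepare a concatenated PEM chain for
# Truststore import. Each output file holds exactly one certificate, private
# key blocks are refused, and a certificate whose SHA-256 fingerprint is
# already in the Truststore is skipped. The sample chain below is constructed
# from placeholder bytes, so PEM framing is checked but not X.509 contents.
import base64
import binascii
import hashlib
import re
from typing import Dict, Iterable, List, Tuple

PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.DOTALL)


class BundleError(ValueError):
    """Raised when the input cannot be used as Truststore material."""


def parse_pem_bundle(text: str) -> List[bytes]:
    """Return the DER bytes of every CERTIFICATE block in text.

    Any other block type is rejected: the Truststore holds public data only,
    so a PRIVATE KEY in the input means the wrong file was exported.
    """
    certs = []
    for match in PEM_BLOCK.finditer(text):
        label, body = match.group(1), match.group(2)
        if label != "CERTIFICATE":
            raise BundleError(f"refusing non-certificate block: {label}")
        try:
            certs.append(base64.b64decode("".join(body.split()), validate=True))
        except binascii.Error as exc:
            raise BundleError("malformed base64 in PEM block") from exc
    if not certs:
        raise BundleError("no CERTIFICATE blocks found")
    return certs


def is_truststore_safe(text: str) -> bool:
    """True when text holds only CERTIFICATE blocks that decode cleanly."""
    try:
        parse_pem_bundle(text)
        return True
    except BundleError:
        return False


def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint, the usual key for spotting an existing entry."""
    return hashlib.sha256(der).hexdigest()


def to_pem(der: bytes) -> str:
    """Re-wrap DER as a single-certificate PEM file body (64-column lines)."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


def plan_truststore_import(bundle: str, existing: Iterable[str] = ()) -> Tuple[Dict[str, str], List[str]]:
    """Split bundle into one-certificate files, skipping known fingerprints.

    Returns (files, skipped): files maps an output file name (naming is our
    assumption) to its PEM text; skipped lists fingerprints that were already
    present, or that appeared a second time inside the bundle itself.
    """
    seen = set(existing)
    files: Dict[str, str] = {}
    skipped: List[str] = []
    for index, der in enumerate(parse_pem_bundle(bundle), start=1):
        fp = fingerprint(der)
        if fp in seen:
            skipped.append(fp)
            continue
        seen.add(fp)
        files[f"ca-{index:02d}-{fp[:16]}.pem"] = to_pem(der)
    return files, skipped


def _block(label: str, payload: bytes) -> str:
    """Build a constructed PEM block; payload is NOT real DER."""
    body = base64.b64encode(payload).decode("ascii")
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"


# Constructed sample: root, intermediate, then the root again, as an exported
# chain often repeats the trust anchor.
SAMPLE_CHAIN = (_block("CERTIFICATE", b"constructed-root-ca-der")
                + _block("CERTIFICATE", b"constructed-intermediate-ca-der")
                + _block("CERTIFICATE", b"constructed-root-ca-der"))

# Constructed sample of the wrong export: a key bundled with the certificate.
SAMPLE_WITH_KEY = (_block("CERTIFICATE", b"constructed-end-entity-der")
                   + _block("PRIVATE KEY", b"constructed-key-bytes"))

if __name__ == "__main__":
    planned, dup = plan_truststore_import(SAMPLE_CHAIN)
    for name in planned:
        print("write", name)
    print("skipped fingerprints:", dup)
    print("key-bearing bundle accepted:", is_truststore_safe(SAMPLE_WITH_KEY))
```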
Certificate revocation

Sometimes, a certificate must be revoked before the certificate expires (for example, the private key for a certificate is compromised and the certificate can no longer be trusted).

The Application Server 5300 supports two methods of certificate revocation:

- Online Certificate Status Protocol (OCSP): OCSP provides an online query mechanism that can be used to check the revocation status of a certificate. Avaya recommends that you use OCSP for certificate revocation. For more information, see OCSP configuration on page 161.
- CRL Distribution Point (CDP): CDP provides a URL in the certificate that you use to download CRLs.
Chapter 13: Certificate preparation

Use these procedures to prepare certificates.

Certificate preparation procedures

The following task flow shows the sequence of procedures that you perform to prepare certificates.

Navigation

- Generating a CSR on page 133
- Obtaining CA certificates and CA-signed certificates. Administrators decide the method of sending the CSR to the CA and for obtaining the certificates.
- Installing a CA or CA-signed certificate on page 134
- Exporting a PKCS12 file on page 135
- Installing custom certificates into the AS 5300 Element Manager keystore on page 136
- Verifying that CA certificates import into the AS 5300 Element Manager truststore on page 137
Generating a CSR

3
4
5

Use this procedure to generate a certificate signing request (CSR). Only an SSA can read the
generated CSR file.

Before you begin

You are a user with SSA role.

8
9

Check with your CA before creating the CSR to determine if certain fields require CAspecific data.

Procedure


1. Log on to the primary element manager server as a user with SSA role.


2. Enter certmgr at the prompt.


3. If you receive a prompt, enter your password.


4. Enter 4 to select Generate Certificate Signing Request.


5. Enter the values for each of the prompts.


Important:
Ask the CA for information on how to fill out the fields if you are unsure of the
data required.


6. To confirm, enter Y.


7. After the CSR is generated, send it to the CA for signing.


Generating a CSR job aid


This job aid lists and describes the parameters required to generate a CSR.

Output CSR file name
    Enter a full path file name for the output CSR file unless the file is to be saved in the
    current working directory.

Country name (optional)
    The two-letter country code.

State or province name (optional)
    The name of the state or province, in fewer than 40 characters.

Locality name (optional)
    The name of the locality, in fewer than 40 characters.

Organizational name (optional)
    The name of the company or subsidiary.

Organizational unit name (optional)
    The name of the department or division.

Common name
    The common name, in fewer than 40 characters.

DNS Name (optional)
    A comma-separated list of DNS names to be used in the subject alternative name extension.

Key usage extension
    Enter Y if the certificate requires a key usage extension.

Digital Signature (optional)
    Enter Y if the digital signature bit of the key usage extension should be set.

Non-repudiation (optional)
    Enter Y if the non-repudiation bit of the key usage extension should be set.

Key Encipherment (optional)
    Enter Y if the Key Encipherment bit of the key usage extension should be set.

Data Encipherment (optional)
    Enter Y if the Data Encipherment bit of the key usage extension should be set.
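The prompts in the job aid map one-to-one onto fields of a PKCS#10 request. The following shell script is an added example, not Avaya code and not what certmgr runs internally: it builds the same kind of request with openssl so that the subject, the subject alternative names and the key usage bits can be inspected before the CSR leaves for the CA. The organization, host names and paths are constructed for the example. One caveat the job aid does not spell out: TLS clients match the server name against the DNS names in the subject alternative name extension, so the host name that peers connect to belongs in the DNS Name list and not only in the common name.

```shell
#!/bin/sh
# Added example, not Avaya code: the request certmgr's "Generate Certificate
# Signing Request" option builds, made with openssl so each job-aid prompt is a
# visible field. Organization, host names and paths are constructed.
set -eu
umask 077                   # key and CSR are readable by the generating user only
WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

gen_csr() {  # $1=output CSR file (full path); the private key is written beside it
    cat > "$WORK/csr.cnf" <<'EOF'
[ req ]
prompt = no
distinguished_name = dn          # the Country name ... Common name prompts
req_extensions = ext             # the DNS Name and Key usage extension prompts
default_md = sha256
[ dn ]
C  = US
ST = Texas
L  = Richardson
O  = Example Telecom
OU = AS5300
CN = as5300.example.test
[ ext ]
subjectAltName = DNS:as5300.example.test, DNS:sip.example.test
keyUsage = critical, digitalSignature, keyEncipherment
EOF
    openssl req -new -newkey rsa:2048 -nodes -config "$WORK/csr.cnf" \
        -keyout "${1%.csr}.key" -out "$1" 2>/dev/null
}

# What the CA will see: subject (RFC 2253 order, CN first), SAN entries, key usage
# bits, and whether the request's own signature verifies (a corrupted transfer
# shows up here, before the CA rejects it).
csr_subject()   { openssl req -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject=//'; }
csr_dns_names() { openssl req -in "$1" -noout -text | grep -o 'DNS:[^,]*'; }
csr_key_usage() { openssl req -in "$1" -noout -text | awk '/X509v3 Key Usage/ { getline; sub(/^ */, ""); print }'; }
csr_signature() { openssl req -in "$1" -noout -verify >/dev/null 2>&1 && echo OK || echo FAIL; }

gen_csr "$WORK/as5300.csr"
echo "Subject:    $(csr_subject "$WORK/as5300.csr")"
echo "SAN:        $(csr_dns_names "$WORK/as5300.csr" | tr '\n' ' ')"
echo "Key usage:  $(csr_key_usage "$WORK/as5300.csr")"
echo "Self-check: $(csr_signature "$WORK/as5300.csr")"
```

The private key never leaves the server: only the .csr file is sent to the CA, and the umask keeps both files unreadable to other accounts, which is the property the procedure describes when it says only an SSA can read the generated CSR.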

Installing a CA or CA-signed certificate

Use this procedure to install a CA or CA-signed certificate.

Before you begin


You are a user with SSA role.

Procedure


1. Log on to the primary element manager server as a user with SSA role.

2. At the prompt, enter certmgr.


3. From the Certificate Management Options menu, enter 2 to select Install Certificate.


4. Enter the Certificate file name.

5. Enter the Type of certificate.

6. Enter the certificate friendly name.

7. To confirm, enter Y.

Installing a CA or CA-signed certificate job aid

About this task


This job aid lists and describes the parameters required to install a CA or CA-signed
certificate.

Certificate file name
    Specify the full path to the certificate. If the full path is not specified, certmgr looks in
    the administrator's current directory for the certificate.

Type of certificate
    Indicates whether this is an entity or a CA certificate.

Certificate friendly name
    A text string used to reference the particular certificate.

Exporting a PKCS12 file


Use this procedure to export a PKCS12 file.


The PKCS12 file contains the private key, the certificate, and the CA certificate.


Before you begin


You are a user with SSA role.


The certificate must be signed by the CA.


The certificate must be installed into the server's certificate database.


Procedure


1. Log on to the primary element manager server as a user with SSA role.


2. At the prompt, enter certmgr.


3. From the Certificate Management Options menu, enter 6 to select Export PKCS12
File.


4. Enter the name of the PKCS12 file that you want to export.

5. Enter the password for the PKCS12 file.

6. Enter the password for the PKCS12 file again.

7. To confirm, enter Y.

Installing custom certificates into the AS 5300 Element Manager keystore

Use this procedure to install custom certificates into the AS 5300 Element Manager keystore.
You must perform this procedure for each signed certificate.


Important:
Repeat this procedure for all the certificates that you generate.

Before you begin


You can access the AS 5300 Element Manager Console.

Procedure
1. Choose one of the following:


If MCP FIPS is enabled, access the AS 5300 Element Manager Console by running fips-mgmtconsole.bat.


If MCP FIPS is not enabled, in the address bar of your Web browser, enter the
following address: https://<EM_Service_IPAddress>:12121


2. Log on to the AS 5300 Element Manager Console using the Admin User ID.


3. In the configuration view of the AS 5300 Element Manager Console, select Network
Data and Mtc > Certificate Management > Keystore.


4. Click Add (+).


5. For the Logical Name, enter the <Certificate>PKCS12 logical name.


6. Click Browse, and navigate to the PKCS12 file that holds the certificate being
imported (PKCS12 filename).


7. For the password used to create the PKCS12 file, enter the <Certificate> PKCS12
file password.


8. For the Export password, enter the <Certificate> PKCS12 file password.


9. Click Apply.


10. In the Keystore window, select the imported certificate.

11. Click Edit (-/+).

12. Verify that the Certificate Status field at the bottom of the window displays OK.

Verifying that CA certificates import into the AS 5300 Element Manager truststore

Use this procedure to verify that the CA certificates were imported properly into the AS 5300
Element Manager truststore. You must perform this procedure for each signed certificate.

Before you begin


You can access the AS 5300 Element Manager Console.


Procedure


1. Choose one of the following:


If MCP FIPS is enabled, access the AS 5300 Element Manager Console by running fips-mgmtconsole.bat.


If MCP FIPS is not enabled, in the address bar of your Web browser, enter the following
address: https://<EM_Service_IPAddress>:12121


2. Log on to the AS 5300 Element Manager Console using the Admin User ID.


3. In the configuration view of the AS 5300 Element Manager Console, select Network
Data and Mtc > Certificate Management > Truststore.


4. Locate the CA of the certificate that was imported, and then click Edit (-/+) on the
certificate.


5. Verify that the Certificate Status field at the bottom of the window displays OK.


Chapter 14: Certificate management

Use these procedures to manage certificates.


Navigation

Generating a CSR on page 133

Listing all certificates on page 139

Installing a CA or CA-signed certificate on page 134

Uninstalling a certificate on page 141

Verifying a certificate chain on page 141


Importing a PKCS12 file on page 142


Exporting a PKCS12 file on page 135


Identifying the friendly name of a certificate on page 143


Identifying the subject of a certificate installed in the certificate database (Unix) on page 144


Identifying the subject of a certificate that is not installed in the certificate database (Unix)
on page 146


Identifying the subject field of a certificate installed in the certificate database (Windows)
on page 147

Listing all certificates


Use this procedure to list all certificates that are installed in the server's certificate database.


Before you begin


You are a user with SSA role.

Procedure


1. Log on to the primary element manager server as a user with SSA role.


2. At the prompt, enter certmgr.


3. From the Certificate Management Options menu, enter 1 to select List All
Certificates.


Listing all certificates job aid

The following information displays for each certificate:


Name: corresponds to the certificate friendly name specified when the certificate was
imported

Type: indicates if this is an entity or a CA certificate

Certificate Subject

Certificate Issuer

Installing a CA or CA-signed certificate

Use this procedure to install a CA or CA-signed certificate.

Before you begin


You are a user with SSA role.


Procedure


1. Log on to the primary element manager server as a user with SSA role.


2. At the prompt, enter certmgr.


3. From the Certificate Management Options menu, enter 2 to select Install Certificate.


4. Enter the Certificate file name.


5. Enter the Type of certificate.


6. Enter the certificate friendly name.


7. To confirm, enter Y.


Installing a CA or CA-signed certificate job aid


About this task


This job aid lists and describes the parameters required to install a CA or CA-signed
certificate.

Certificate file name
    Specify the full path to the certificate. If the full path is not specified, certmgr looks in
    the administrator's current directory for the certificate.

Type of certificate
    Indicates whether this is an entity or a CA certificate.

Certificate friendly name
    A text string used to reference the particular certificate.

Uninstalling a certificate


Use this procedure to uninstall a certificate.

Before you begin


You are a user with SSA role.

Procedure


1. Log on to the primary element manager server as a user with SSA role.

2. At the prompt, enter certmgr.


3. From the Certificate Management Options menu, enter 3 to select Uninstall Certificate.


4. Enter the number of the certificate to remove.


5. To confirm, enter Y.


Verifying a certificate chain


Use this procedure to view the certificate chain for an installed certificate.


Before you begin


You are a user with SSA role.

Procedure


1. Log on to the primary element manager server as a user with SSA role.


2. At the prompt, enter certmgr.


3. From the Certificate Management Options menu, enter 5 to select Verify Certificate Chain.

4. Select a certificate from the list.


5. Validate the certificate and its installed chains. The chain displays only those CA
certificates that are installed in the server certificate database.

Verifying a certificate chain job aid


The following example shows the result of selecting an item in the verify certificate chain list.

Chain of the certificate "mfss1sm":
"DoDJITCRootCA2" [CN=DoD JITC Root CA 2,OU=PKI,OU=DoD,O=U.S. Government,C=US]
"DoDJITCCA-17" [CN=DOD JITC CA-17,OU=PKI,OU=DoD,O=U.S. Government,C=US]
"mfss1sm" [CN=200.23.2.246,OU=Contractor,OU=PKI,OU=DoD,O=U.S. Government,C=US]

Importing a PKCS12 file


Use this procedure to import a PKCS12 file. Import a PKCS12 file if you want to:


view the certificate details for the certificate bundled inside the PKCS12 file.


re-export the PKCS12 file on a FIPS-compliant server. If the private key within the
PKCS12 file was generated on a non-FIPS-compliant server, you can make it FIPS
compliant by importing the PKCS12 file into the server certificate database and then re-exporting it.


Before you begin


You are a user with SSA role.

Procedure


1. Log on to the primary element manager server as a user with SSA role.


2. At the prompt, enter certmgr.


3. From the Certificate Management Options menu, enter 7 to select Import PKCS12
File.


4. Enter the name of the PKCS12 file that you want to import.


5. Enter the password for the PKCS12 file.


6. Enter the password for the PKCS12 file again.


7. To confirm, enter Y.

Exporting a PKCS12 file


Use this procedure to export a PKCS12 file.

The PKCS12 file contains the private key, the certificate, and the CA certificate.

Before you begin

You are a user with SSA role.

The certificate must be signed by the CA.

The certificate must be installed into the server's certificate database.


Procedure


1. Log on to the primary element manager server as a user with SSA role.


2. At the prompt, enter certmgr.


3. From the Certificate Management Options menu, enter 6 to select Export PKCS12
File.


4. Enter the name of the PKCS12 file that you want to export.


5. Enter the password for the PKCS12 file.


6. Enter the password for the PKCS12 file again.


7. To confirm, enter Y.
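The chain output shown under Verifying a certificate chain, the PKCS12 export and import procedures, and the OCSP and CDP pointers described before Chapter 13 all rest on standard X.509 operations. The following shell script is an added example, not Avaya code and not how certmgr is implemented: it builds a throwaway root CA, subordinate CA and server certificate with openssl, then shows what Verify Certificate Chain reports when a CA certificate is missing from the database, how the CDP and OCSP URLs travel inside the certificate, how a CRL check behaves before and after revocation, and what a PKCS12 export has to contain for a later import to succeed. All names, URLs and the password are constructed. The AES-256 and SHA-256 PKCS12 parameters are stated explicitly because OpenSSL releases before 3.0 default to RC2-40 and 3DES, which is the kind of non-FIPS encoding that importing and re-exporting on a FIPS-compliant server replaces.

```shell
#!/bin/sh
# Added example, not Avaya code: a throwaway two-tier PKI built with openssl to
# show what certmgr's chain verification and PKCS12 export/import rely on, and
# where the CDP and OCSP pointers live. Names, URLs and password are constructed.
set -eu
umask 077
WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
P12PW='demo-export-password'
printf '[ req ]\ndistinguished_name = dn\n[ dn ]\n' > "$WORK/req.cnf"   # lets -subj work on any OpenSSL

issue() {  # $1=name $2=subject $3=issuing CA name (or "self"); extensions on stdin
    cat > "$WORK/$1.ext"
    openssl req -new -newkey rsa:2048 -nodes -config "$WORK/req.cnf" -subj "$2" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
    if [ "$3" = self ]; then
        openssl x509 -req -in "$WORK/$1.csr" -signkey "$WORK/$1.key" -days 30 \
            -extfile "$WORK/$1.ext" -out "$WORK/$1.pem" 2>/dev/null
    else
        openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$3.pem" -CAkey "$WORK/$3.key" \
            -CAcreateserial -days 30 -extfile "$WORK/$1.ext" -out "$WORK/$1.pem" 2>/dev/null
    fi
}
# Root, subordinate CA, then the server (entity) certificate, which carries the
# CDP and OCSP pointers a real CA would add for you.
issue root "/C=US/O=Example/OU=PKI/CN=Example Root CA" self <<'EOF'
basicConstraints=critical,CA:TRUE
keyUsage=critical,keyCertSign,cRLSign
EOF
issue sub "/C=US/O=Example/OU=PKI/CN=Example Sub CA-1" root <<'EOF'
basicConstraints=critical,CA:TRUE,pathlen:0
keyUsage=critical,keyCertSign,cRLSign
EOF
issue mfss1sm "/C=US/O=Example/OU=PKI/CN=mfss1sm.example.test" sub <<'EOF'
basicConstraints=CA:FALSE
keyUsage=critical,digitalSignature,keyEncipherment
extendedKeyUsage=serverAuth,clientAuth
subjectAltName=DNS:mfss1sm.example.test
crlDistributionPoints=URI:http://pki.example.test/sub-ca-1.crl
authorityInfoAccess=OCSP;URI:http://ocsp.example.test
EOF

# certmgr option 5: the chain validates only when every issuing CA is present.
chain_status() {  # $1=entity name $2=space-separated CA names treated as installed
    untrusted=""
    for ca in $2; do [ "$ca" = root ] || untrusted="$untrusted -untrusted $WORK/$ca.pem"; done
    if openssl verify -CAfile "$WORK/root.pem" $untrusted "$WORK/$1.pem" >/dev/null 2>&1
    then echo OK; else echo FAIL; fi
}
# Revocation pointers read back from the certificate itself.
ocsp_url() { openssl x509 -in "$WORK/$1.pem" -noout -ocsp_uri; }
cdp_url()  { openssl x509 -in "$WORK/$1.pem" -noout -ext crlDistributionPoints | sed -n 's/^ *URI://p'; }

# Offline CRL check with the sub CA's CRL, before and after revoking the certificate.
cat > "$WORK/ca.cnf" <<EOF
[ ca ]
default_ca = sub_ca
[ sub_ca ]
database = $WORK/index.txt
new_certs_dir = $WORK
serial = $WORK/sub.srl
crlnumber = $WORK/crlnumber
certificate = $WORK/sub.pem
private_key = $WORK/sub.key
default_md = sha256
default_crl_days = 7
EOF
: > "$WORK/index.txt"; echo 01 > "$WORK/crlnumber"
openssl ca -config "$WORK/ca.cnf" -gencrl -out "$WORK/crl-before.pem" 2>/dev/null
openssl ca -config "$WORK/ca.cnf" -revoke "$WORK/mfss1sm.pem" -crl_reason keyCompromise 2>/dev/null
openssl ca -config "$WORK/ca.cnf" -gencrl -out "$WORK/crl-after.pem" 2>/dev/null
crl_status() {  # $1=entity name $2=CRL file; prints OK, REVOKED or FAIL
    out=$(openssl verify -crl_check -CAfile "$WORK/root.pem" -untrusted "$WORK/sub.pem" \
        -CRLfile "$2" "$WORK/$1.pem" 2>&1 || true)
    case "$out" in *"certificate revoked"*) echo REVOKED;; *": OK"*) echo OK;; *) echo FAIL;; esac
}

# certmgr options 6/7: private key + entity certificate + CA chain in one
# password-protected bundle, using AES-256/SHA-256 rather than legacy RC2-40/3DES.
export_p12() {  # $1=entity name $2=password
    cat "$WORK/sub.pem" "$WORK/root.pem" > "$WORK/chain.pem"
    openssl pkcs12 -export -name "$1" -inkey "$WORK/$1.key" -in "$WORK/$1.pem" \
        -certfile "$WORK/chain.pem" -keypbe AES-256-CBC -certpbe AES-256-CBC \
        -macalg sha256 -passout "pass:$2" -out "$WORK/$1.p12"
}
p12_cert_count() {  # entity certificate plus the chain
    openssl pkcs12 -in "$WORK/$1.p12" -passin "pass:$2" -nokeys 2>/dev/null | grep -c 'BEGIN CERTIFICATE'
}
p12_key_matches() {  # the bundled private key must belong to the bundled entity certificate
    k=$(openssl pkcs12 -in "$WORK/$1.p12" -passin "pass:$2" -nocerts -nodes 2>/dev/null | openssl pkey -pubout 2>/dev/null)
    c=$(openssl x509 -in "$WORK/$1.pem" -noout -pubkey)
    [ "$k" = "$c" ] && echo match || echo mismatch
}
export_p12 mfss1sm "$P12PW"

echo "chain, root+sub installed: $(chain_status mfss1sm 'root sub'); root only: $(chain_status mfss1sm root)"
echo "OCSP: $(ocsp_url mfss1sm)  CDP: $(cdp_url mfss1sm)"
echo "CRL before: $(crl_status mfss1sm "$WORK/crl-before.pem"); after: $(crl_status mfss1sm "$WORK/crl-after.pem")"
echo "PKCS12: $(p12_cert_count mfss1sm "$P12PW") certificates, key $(p12_key_matches mfss1sm "$P12PW")"
```

The "root only" chain check is the failure mode the procedure above hints at: certmgr's chain view lists only CA certificates that are installed in the server database, so an entity certificate whose intermediate CA was never installed validates nowhere, even though nothing is wrong with the certificate itself. The CRL and OCSP steps here are offline; in production the URLs point at the CA's publishing infrastructure, and the OCSP configuration referenced on page 161 is what makes the server consult them.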


Identifying the friendly name of a certificate


Use this procedure to identify the friendly name of a certificate.


The certificate friendly name is specified when you install a certificate in the server certificate
database using the certmgr tool.


Before you begin


You are a user with SSA role.


The certificate must be installed in the server's certificate database.

Procedure


1. Log on to the primary element manager server as a user with SSA role.

2. At the prompt, enter certmgr.


3. From the Certificate Management Options menu, enter 1 to select List All
Certificates.


4. In the output, locate the Name field. The Name field corresponds to the Friendly
name field of the certificate.

Identifying the friendly name of a certificate job aid


The following example shows the result of listing all certificates. The Name field corresponds
to the Friendly name field of the certificate. In this example, there are three certificates installed:
two entity certificates and one CA certificate. The Friendly name for the second entity certificate
is "AS5300 Core".


[1] Name: "Default Staging Certificate"
    Type: entity cert
    Subject: [C=US,ST=Texas,L=Richardson,O=Avaya,OU=AS5300,CN=Default Staging Certificate]
    Issuer: [C=US,ST=Texas,L=Richardson,O=Avaya,OU=AS5300,CN=Default Staging Certificate]
[2] Name: "AS5300 Core"
    Type: entity cert
    Subject: [C=US,O=U.S. Government,OU=JITC,OU=PKI,OU=DoD,CN=AS5300 Core]
    Issuer: [C=US,ST=TX,O=Avaya,OU=AS5300,CN=AS5300TestCA]
[3] Name: "AS5300 Test CA"
    Type: CA cert
    Subject: [C=US,ST=TX,O=Avaya,OU=AS5300,CN=AS5300TestCA]
    Issuer: [C=US,ST=TX,O=Avaya,OU=AS5300,CN=AS5300TestCA]

Identifying the subject of a certificate installed in the certificate database (Unix)

Use this procedure to identify the subject of a certificate if the certificate is installed in the
server's certificate database.


Before you begin


You are a user with SSA role.


The certificate must be installed in the certificate database of the server.


Procedure

1. Log on to the primary element manager server as a user with SSA role.

2. At the prompt, enter certmgr.


3. From the Certificate Management Options menu, enter 1 to select List All
Certificates.


4. In the output, locate the Subject field. The Subject field corresponds to the Subject
field of the certificate.

Identifying the subject field of a certificate installed in the certificate database (Unix) job aid

The following example shows the result of listing all certificates. The Subject field corresponds
to the Subject name field of the certificate. In this example, there are three certificates installed:
two entity certificates and one CA certificate. The Subject for the second entity certificate is
C=US,O=U.S. Government,OU=JITC,OU=PKI,OU=DoD,CN=AS5300 Core.


[1] Name: "Default Staging Certificate"
    Type: entity cert
    Subject: [C=US,ST=Texas,L=Richardson,O=Avaya,OU=AS5300,CN=Default Staging Certificate]
    Issuer: [C=US,ST=Texas,L=Richardson,O=Avaya,OU=AS5300,CN=Default Staging Certificate]
[2] Name: "AS5300 Core"
    Type: entity cert
    Subject: [C=US,O=U.S. Government,OU=JITC,OU=PKI,OU=DoD,CN=AS5300 Core]
    Issuer: [C=US,ST=TX,O=Avaya,OU=AS5300,CN=AS5300TestCA]
[3] Name: "AS5300 Test CA"
    Type: CA cert
    Subject: [C=US,ST=TX,O=Avaya,OU=AS5300,CN=AS5300TestCA]
    Issuer: [C=US,ST=TX,O=Avaya,OU=AS5300,CN=AS5300TestCA]

Identifying the subject of a certificate that is not installed in the certificate database (Unix)

Use this procedure to identify the subject of a certificate if the certificate is not installed in the
server's certificate database.

Before you begin


You are a user with SSA role.

Procedure

1. Log on to the primary element manager server as a user with SSA role.

2. Transfer the certificate to the server using sftp or scp.


3. Execute the following command: openssl x509 -subject -noout -in <certificate>


4. In the output, locate the output that follows the subject= string. The output that
follows the subject= string corresponds to the Subject field of the certificate.


Identifying the subject field of a certificate that is not installed in the certificate database (Unix) job aid

Variable: <certificate>
Value: The CA-signed certificate.


The following example shows the result of entering the command openssl x509 -subject
-noout -in <certificate>.


subject= /C=US/O=U.S. Government/OU=JITC/OU=PKI/OU=DoD/CN=AS5300 Core


In this example, the subject is /C=US/O=U.S. Government/OU=JITC/OU=PKI/OU=DoD/CN=AS5300 Core.


Identifying the subject field of a certificate installed in the certificate database (Windows)

Use this procedure to identify the subject of a certificate if the certificate is installed in the
Windows certificate store.

Before you begin


The certificate must be installed in the Windows certificate store.

Procedure

1. Open the Certificate dialog box for the certificate.

2. On the Certificate dialog box, click the Details tab.


3. In the Field column, click the Subject field.


The certificate details appear in the details box.


Identifying the subject field of a certificate installed in the certificate database (Windows) job aid

The following figure shows an example of Subject details.


Figure 2: Subject Details


To build a string out of the Subject field, you must add the sub fields in reverse order, separating
each sub field with a comma. In this example Subject field, the sub fields are entered as follows:

C=US, O=U.S. Government, OU=JITC, OU=PKI, OU=DoD, CN=AS5300 Core

In the details pane, CN=AS5300 Core is displayed first and C=US is displayed last.
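The two orderings in the procedures above are the same RDN sequence read in opposite directions: the Windows Details pane shows the subject in RFC 2253 order (CN first), while the certmgr listing and the one-line openssl form start with C. The following shell functions are an added example, not Avaya code: they read the subject with openssl in RFC 2253 form and reverse it into the comma-separated string that certmgr displays. The sample certificate is self-signed here purely to have something to read; its subject values are the ones from the figure. The reversal splits on commas, so a value that itself contains a comma (which RFC 2253 escapes as a backslash-comma) would need proper escape-aware parsing rather than this awk split.

```shell
#!/bin/sh
# Added example, not Avaya code: the same subject printed in RFC 2253 order (as
# the Windows Details pane shows it) and in the C-first, comma-separated order
# that certmgr lists. The certificate is a constructed self-signed sample.
set -eu
WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
printf '[ req ]\ndistinguished_name = dn\n[ dn ]\n' > "$WORK/req.cnf"   # lets -subj work on any OpenSSL
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$WORK/req.cnf" \
    -subj "/C=US/O=U.S. Government/OU=JITC/OU=PKI/OU=DoD/CN=AS5300 Core" \
    -keyout "$WORK/sample.key" -out "$WORK/sample.pem" 2>/dev/null

# RFC 2253 order, CN first: what the Details pane lists from top to bottom.
subject_rfc2253() {  # $1=certificate file
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject=//'
}

# Reversed into the certmgr form. Multi-valued OU entries keep their relative
# order, so reversing the reversed list reproduces the encoded sequence exactly.
subject_certmgr() {  # $1=certificate file
    subject_rfc2253 "$1" | awk -F, '{ for (i = NF; i > 0; i--) printf "%s%s", $i, (i > 1 ? ", " : "\n") }'
}

echo "Details pane order: $(subject_rfc2253 "$WORK/sample.pem")"
echo "certmgr order:      $(subject_certmgr "$WORK/sample.pem")"
```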


Chapter 15: Core application certificate management

Use these procedures to manage certificates for core applications.


Navigation

Importing an internal certificate to the keystore on page 149

Viewing an internal certificate in the keystore on page 150

Removing an internal certificate from the keystore on page 151

Configuring the AS 5300 Element Manager with certificates for HTTPS and SIP on page 151


Configuring the AS 5300 Session Manager with certificates for HTTPS and SIP on page 152


Configuring the AS 5300 Element Manager Console with certificates for HTTPS and SIP (manual)
on page 155


Configuring the Avaya Aura AS 5300 Personal Agent with certificates for HTTPS and SIP on
page 156

Importing an internal certificate to the keystore


Use this procedure to import an internal certificate. The only supported format is PKCS #12.
The system expects the PKCS #12 file to contain only one end entity certificate and the
corresponding private key. Only the node that is assigned this certificate can retrieve the private
key. When you import a PKCS#12 file that also includes a certificate chain, you automatically
import the rest of the chain into the truststore, if an entry does not already exist for each CA in
the chain.


Keystore (internal) certificates are the certificates for the network elements (NE) that are part
of the system. This does not include external nodes, such as gateways.


When you import a certificate, the system associates it with a unique logical name, which you
can use to associate the certificate with a TLS port.


Before you begin


You can access the AS 5300 Element Manager Console.


The PKCS#12 file exists in a location accessible to the AS 5300 Element Manager
Console.


Procedure


1. In the configuration view of the AS 5300 Element Manager Console, select Network
Data and Mtc > Certificate Management > Keystore.

2. Click Add (+).


3. Configure the Logical Name, PKCS#12 file, Password, and Export Password
parameters.

4. Click Apply.

Importing an internal certificate to the keystore job aid


This job aid lists and describes the parameters for importing an internal certificate to the
keystore.

Logical Name
    The logical name that identifies the certificate.

PKCS#12 File
    Browse to the location of the PKCS#12 file.

Password
    The password that protects the PKCS#12 file.

Export Password
    The export password for the PKCS#12 file.

Viewing an internal certificate in the keystore


Use this procedure to view the details for internal certificates in the keystore.


Before you begin


You can access the AS 5300 Element Manager Console.

Procedure


1. In the configuration view of the AS 5300 Element Manager Console, select Network
Data and Mtc > Certificate Management > Keystore.


2. From the Keystore panel, select a certificate.


3. Click Edit (-/+).


Removing an internal certificate from the keystore


Use this procedure to remove an internal certificate from the keystore.

Before you begin

You can access the AS 5300 Element Manager Console.

The certificate must not be associated with a TLS port.

Procedure


1. In the configuration view of the AS 5300 Element Manager Console, select Network
Data and Mtc > Certificate Management > Keystore.

2. From the Keystore panel, select a certificate.


3. Click Delete (-).


4. Click Yes to confirm the delete.


A successful delete removes the private key as well.


Configuring the AS 5300 Element Manager with certificates for HTTPS and SIP

Use this procedure to configure the HTTPS and SIP certificates for the AS 5300 Element Manager
after you replace the default self-signed certificate with a CA-signed certificate for each
component in the system.


Before you begin


Obtain and import a CA-signed certificate for each component in the network.


Custom certificates must be installed in the keystore.

Procedure


1. From the AS 5300 Element Manager Console navigation pane, select Network
Elements > Element Manager.


2. On the Element Manager window, select the AS 5300 Element Manager, and then
click Edit (-/+).


3. To configure an Internal OAM certificate, from the Internal OAM HTTPS Certificate
list, choose the new certificate.


4. To configure an External OAM certificate, from the External OAM HTTPS Certificate
list, choose the new certificate.

5. Click Apply.

6. Restart both instances of the AS 5300 Element Manager.

Configuring the AS 5300 Session Manager with certificates for HTTPS and SIP

Use this procedure to configure the HTTPS and SIP certificates for the AS 5300 Session
Manager, after you replace the default self-signed certificate with a CA-signed certificate for
each component in the system.


Important:
You must perform this procedure for each AS 5300 Session Manager that is deployed on
the system.


Before you begin


You can access the AS 5300 Element Manager Console.


Obtain and import a CA-signed certificate for each component in the network.


Procedure


1. From the Session Management Console navigation pane, select Network Elements > Session Managers.


2. Select an AS 5300 Session Manager, and then click Edit (-/+).


3. To configure a SIP certificate, from the SIP Certificate list, choose the new
certificate.


4. To configure an LDAP certificate, from the SESM LDAP Certificate list, choose the
new certificate.


5. Click Apply.
After the configuration update, the system raises an alarm to alert you that you must
restart the AS 5300 Element Manager to pick up the new certificate.


6. Restart the standby instance of the AS 5300 Session Manager.


7. After the standby instance state turns to hot standby, stop the active AS 5300
Session Manager.
This action causes a failover to the backup AS 5300 Session Manager and causes
the AS 5300 Element Manager Console to lose connectivity.


8. Log on to the AS 5300 Element Manager Console again.


9. Start the AS 5300 Session Manager backup instance.

Configuring HTTPS and SIP certificates for the Provisioning Manager

Use this procedure to configure the HTTPS and SIP certificates for the Provisioning Manager,
after you replace the default self-signed certificate with a CA-signed certificate for each
component in the system.
Important:
Repeat this procedure for each Provisioning Manager in your system.


Before you begin


You can access the AS 5300 Element Manager Console.


Obtain and import a CA-signed certificate for each component in the network.

Procedure


1. Stop the Provisioning Manager.


2. From the AS 5300 Element Manager Console navigation pane, select Network
Elements > Provisioning Managers.


3. On the Provisioning Managers window, select an instance (for example, PROV1) and click Edit (-/+).


4. On the Edit dialog, in the Prov section, from the Internal OAM HTTPS Certificate
list, choose the new certificate.


5. On the Edit dialog, in the Prov section, from the External OAM HTTPS Certificate
list, choose the new certificate.


6. On the Edit dialog, in the PA section, from the HTTPS Certificate list, choose the
new certificate.


7. On the Edit dialog, in the PA section, from the SIP Certificate list, choose the new
certificate.


8. Click Apply.
After the configuration update, the system raises an alarm to alert you that you must
restart the Provisioning Manager to pick up the new certificate.


9. Start the Provisioning Manager.


Configuring the AS 5300 Element Manager Console with certificates for HTTPS and SIP (CAC)

Use this procedure to configure the HTTPS and SIP certificates for the AS 5300 Element Manager
Console using ActivClient (CAC reader), after you replace the default self-signed certificate
with a CA-signed certificate for each component in the system.

Before you begin


ActivClient is installed on the desktop on which the AS 5300 Element Manager Console
is running.

The Management PC is equipped with a CAC reader device.


Procedure
1. Choose one of the following:


If MCP FIPS is enabled, access the AS 5300 Element Manager Console by running fips-mgmtconsole.bat.


If MCP FIPS is not enabled, in the address bar of your Web browser, enter the following
address: https://<EM_Service_IPAddress>:12121


2. In the AS 5300 Element Manager Console connection window, click Advanced.


3. Select the Trust Store Certificates tab.


4. Select a CA certificate file.


5. Click Add (+) to add the CA certificate file to the AS 5300 Element Manager Console
truststore.


6. Select the PKCS11 Configuration tab.


7. Click Edit (-/+).


8. In the Module Name list, select ActivCard.


9. Click Browse, and then locate and select the acpkcs211.dll file. The location of the
acpkcs211.dll file depends on the installation of the ActivClient CAC software.


10. Click OK.


11. Click OK.


12. In ActivClient Login window, enter the PIN for the inserted CAC card.


13. Log on to the AS 5300 Element Manager Console.


Configuring the AS 5300 Element Manager Console with


2certificates for HTTPS and SIPmanual

3
4
5

Configure the HTTPS and SIP certificate for the AS 5300 Element Manager Console using the
manual method, after you replace the default self-signed certificate with a CA-signed certificate
for each component in the system.

Before you begin

- Custom certificates must be installed in the keystore.

Procedure

1. Choose one of the following:

   - If MCP FIPS is enabled, access the AS 5300 Element Manager Console by running fips-mgmtconsole.bat.

   - If MCP FIPS is not enabled, in the address bar of your Web browser, enter the following address: https://<EM_Service_IPAddress>:12121

2. In the MCP System Management connection window, click Advanced.

3. Select the Key Store Certificates tab.

4. Click Add (+).

5. Click Browse, and then locate and select the PKCS12 file for the client certificate.

6. In the Password field, enter the password for the PKCS12 file.

7. In the Export Password field, enter the same password as the PKCS12 file.

8. Click Apply.

9. Click the Keystore tab.

10. On the Keystore tab, verify that the system displays the certificate.

11. Click OK.
Configuring the Avaya Aura AS 5300 Personal Agent with certificates for HTTPS and SIP

Configure the HTTPS certificate for the Avaya Aura Application Server 5300 Personal Agent,
after you replace the default self-signed certificate, with a CA-signed certificate for each
component in the system.

Important:
Repeat this procedure for each Avaya Aura Application Server 5300 Personal Agent in your system.

Before you begin

- Obtain and import a CA-signed certificate for each component in the network.

- Custom certificates must be installed in the keystore.

Procedure

1. Stop the PA.

2. From the AS 5300 Element Manager Console navigation pane, select Network Elements > Personal Agent Manager.

3. On the Personal Agent Manager window, select an instance and click Edit (-/+).

4. On the Edit dialog, from the PA HTTPS Certificate list, choose the new certificate.

5. On the Edit dialog, from the SIP Certificate list, choose the new certificate.

6. Click Apply.

7. Restart the PA.
Chapter 16: Truststore certificate management

Use these procedures to manage truststore certificates.

Navigation

- Importing a CA certificate to the truststore on page 157
- Viewing a CA certificate in the truststore on page 158
- Removing a CA certificate from the truststore on page 158

Importing a CA certificate to the truststore

Use this procedure to import a certification authority (CA) root or intermediate certificate to the
truststore.

Truststore (root CA and intermediate CA) certificates are the certificates the system uses to
authenticate signed certificates. To authenticate a certificate stored in the keystore, the signing
chain must exist in the truststore. The signing chain for other certificates, such as for gateways,
must exist in the truststore. If the system uses a self-signed certificate, it must exist in the
truststore.

You use PEM files to import certificates into the Truststore. Each PEM file must contain only
one certificate. Certificates in the Truststore are public; therefore, you do not require a
password or private key.
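The one-certificate-per-PEM-file rule above is easy to violate when a CA hands out its root and intermediate as a single bundle. The following shell functions are an added example (not an Avaya tool and not part of this document): they count the certificates in a PEM file, refuse a file that does not hold exactly one, and split a bundle into single-certificate files ready for import. The sample bundle is constructed with placeholder bodies; only the PEM framing matters to these checks.

```shell
#!/bin/sh
# Added example (not part of the Avaya document): checks that a PEM file holds
# exactly one certificate, as the truststore import requires, and splits a
# CA bundle (root + intermediate in one file) into one-certificate PEM files.

# Count the certificates in a PEM file by its BEGIN markers.
pem_cert_count() {
    grep -c '^-----BEGIN CERTIFICATE-----$' "$1"
}

# Return 0 only if the file carries exactly one certificate.
check_single_cert_pem() {
    n=$(pem_cert_count "$1")
    if [ "$n" -ne 1 ]; then
        echo "$1: contains $n certificates, truststore import needs exactly 1" >&2
        return 1
    fi
    return 0
}

# Split a bundle into $2/cert-1.pem, $2/cert-2.pem, ... (one certificate each),
# keeping only the BEGIN..END blocks and dropping any text between them.
split_pem_bundle() {
    awk -v dir="$2" '
        /^-----BEGIN CERTIFICATE-----$/ { n++; out = dir "/cert-" n ".pem"; inside = 1 }
        inside { print > out }
        /^-----END CERTIFICATE-----$/ { close(out); inside = 0 }
    ' "$1"
}

# Constructed sample bundle: the base64 bodies are placeholders, not real
# certificates; only the PEM framing matters for this check.
make_sample_bundle() {
    cat > "$1" <<'EOF'
Subject: CN=Constructed Root CA (placeholder, not a real certificate)
-----BEGIN CERTIFICATE-----
MIIBplaceholderRootCAbodyAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
-----END CERTIFICATE-----
Subject: CN=Constructed Intermediate CA (placeholder, not a real certificate)
-----BEGIN CERTIFICATE-----
MIIBplaceholderIntermediateCAbodyAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
-----END CERTIFICATE-----
EOF
}
```

Run `check_single_cert_pem` on each file before you browse to it in step 3 of the import procedure; a bundle fails the check and `split_pem_bundle` produces the files to import one at a time.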

Before you begin

- You can access the AS 5300 Element Manager Console.

- The CA root or intermediate certificate file already exists in a location accessible to the AS 5300 Element Manager Console.

Procedure

1. In the configuration view of the AS 5300 Element Manager Console, select Network Data and Mtc > Certificate Management > Truststore.

2. Click Add (+).

3. Click Browse, and navigate to the file location.

4. Select the CA root or intermediate certificate file, and click Open.

Viewing a CA certificate in the truststore

Use this procedure to view the details for CA root and intermediate certificates in the truststore.

Before you begin

- You can access the AS 5300 Element Manager Console.

Procedure

1. In the configuration view of the AS 5300 Element Manager Console, select Network Data and Mtc > Certificate Management > Truststore.

2. From the Truststore panel, select a root or intermediate certificate.

3. Click Edit (-/+).

Removing a CA certificate from the truststore

Use this procedure to remove a CA root or intermediate certificate from the truststore.

Warning:
Use extreme caution when you perform this procedure. The removal of a trusted CA can disrupt service.

Before you begin

- You can access the AS 5300 Element Manager Console.

Procedure

1. In the configuration view of the AS 5300 Element Manager Console, select Network Data and Mtc > Certificate Management > Truststore.

2. From the Truststore panel, select a certificate.

3. Click Delete (-).

4. Click Yes to confirm the delete.

5. Click Yes to confirm the warning note.

Chapter 17: OCSP configuration

Configure OCSP to enable the OCSP certificate revocation method on your system.

OCSP configuration tasks

The following work flow shows the sequence of tasks that you perform to configure OCSP for the system.

Navigation

- Configuring the operating system to support OCSP on page 162
- Configuring the AS 5300 Element Manager to support OCSP on page 163
- Configuring the AS 5300 Session Manager to support OCSP on page 163
- Configuring the Provisioning Manager to support OCSP on page 164
- Configuring the AS 5300 Element Manager Console to support OCSP on page 165
- Verifying access to the OCSP server on page 166

Configuring the operating system to support OCSP

Use this procedure to configure the OS to support MCP OCSP.

Important:
You must perform this procedure on all SIP Core and Avaya Media Servers deployed in your Application Server 5300 system.

Before you begin

- You are a user with SSA role.

Procedure

1. Log on to the server as a user with SSA role.

2. To add the PKI server to the hosts file, at the command prompt, enter the following command: hostTableConfig -a [PKI Server IP address] [PKI Server hostname]

3. To validate the configured hostnames, at the command prompt, enter the following command: hostTableConfig -q

Configuring the operating system to support OCSP job aid

The following is an example of the command to add a PKI server to the hosts file:

hostTableConfig -a 192.168.1.14 pki.hostname

Configuring the AS 5300 Element Manager to support OCSP

Use this procedure to configure the AS 5300 Element Manager to support OCSP.

Before you begin

- You are a user with SSA role.

Procedure

1. Choose one of the following:

   - If MCP FIPS is enabled, access the AS 5300 Element Manager Console by running fips-mgmtconsole.bat.

   - If MCP FIPS is not enabled, in the address bar of your Web browser, enter the following address: https://<EM_Service_IPAddress>:12121

2. Log on to the AS 5300 Element Manager Console using the Admin User ID.

3. From the AS 5300 Element Manager Console navigation pane, select Network Elements > AS 5300 Element Manager > <AS 5300 Element Manager name>.

4. Click Configuration Parameters.

5. In the Configuration Parameters window, in the Parm Group list, select TLSAuth.

6. In the EnableOCSP list, select true.

7. Click Apply.

8. Close the Configuration Parameters window.

Configuring the AS 5300 Session Manager to support OCSP

Use this procedure to configure the AS 5300 Session Manager to support OCSP.

Important:
Perform this procedure for each AS 5300 Session Manager deployed on your system.

Before you begin

- You are a user with SSA role.

Procedure

1. Choose one of the following:

   - If MCP FIPS is enabled, access the AS 5300 Element Manager Console by running fips-mgmtconsole.bat.

   - If MCP FIPS is not enabled, in the address bar of your Web browser, enter the following address: https://<EM Console IP>:12121

2. Log on to the AS 5300 Element Manager Console using the Admin User ID.

3. From the AS 5300 Element Manager Console navigation pane, select Network Elements > Session Managers > <AS 5300 SESM name>.

4. Click Configuration Parameters.

5. In the Configuration Parameters window, in the Parm Group list, select TLSAuth.

6. In the EnableOCSP list, select true.

7. Click Apply.

Configuring the Provisioning Manager to support OCSP

Use this procedure to configure the Provisioning Manager to support OCSP.

Important:
Perform this procedure for each Provisioning Manager that is deployed on your Application Server 5300 system.

Before you begin

- You are a user with SSA role.

Procedure

1. Choose one of the following:

   - If MCP FIPS is enabled, access the AS 5300 Element Manager Console by running fips-mgmtconsole.bat.

   - If MCP FIPS is not enabled, in the address bar of your Web browser, enter the following address: https://<EM Console IP>:12121

2. Log on to the AS 5300 Element Manager Console using the Admin User ID.

3. From the AS 5300 Element Manager Console navigation pane, select Network Elements > Provisioning Managers > <Prov name>.

4. Click Configuration Parameters.

5. In the Configuration Parameters window, in the Parm Group list, select TLSAuth.

6. In the EnableOCSP list, select true.

7. Click Apply.

8. Close the Configuration Parameters window.

Configuring the AS 5300 Element Manager Console to support OCSP

Use this procedure to configure the AS 5300 Element Manager Console to support OCSP.

Before you begin

- You are a user with SSA role.

Procedure

1. Choose one of the following:

   - If MCP FIPS is enabled, access the AS 5300 Element Manager Console by running fips-mgmtconsole.bat.

   - If MCP FIPS is not enabled, in the address bar of your Web browser, enter the following address: https://<EM Console IP>:12121

2. In the AS 5300 Element Manager Console connection window, click Advanced.

3. Click the Properties tab.

4. Select the Enable OCSP check box.

Verifying access to the OCSP server

Use this procedure to verify that the PKI OCSP server is accessible to your Application Server 5300 system.

Before you begin

- You are a user with SSA role.

Procedure

1. Choose one of the following:

   - If MCP FIPS is enabled, access the AS 5300 Element Manager Console by running fips-mgmtconsole.bat.

   - If MCP FIPS is not enabled, in the address bar of your Web browser, enter the following address: https://<EM Console IP>:12121

2. Log on to the AS 5300 Element Manager Console using the Admin User ID.

3. In the configuration view of the AS 5300 Element Manager Console, select Network Data and Mtc > Certificate Management > Keystore.

4. Select a custom certificate, and then click Edit (-/+).

5. Verify that the Certificate Status field displays OK or Revoked.

   If the certificate status shows Offlined, then the PKI server is not responding. Make sure the AS5300 server can route to the PKI Server.

Chapter 18: IPsec configuration overview

This chapter provides information about IPsec configuration.

Navigation:

- Secure communication on page 167
- Default staging certificates on page 167
- Server addresses and service addresses on page 168
- IPsec tunnel rules on page 169
- Trusted node relationships on page 169
- IPsec custom certificates on page 170
- IPsec automatic CRL retrieval on page 170
- IPsec limitations and restrictions on page 170

Secure communication


The system uses an IPsec mesh to secure inter-server communications. IPsec uses PKI X.509
certificates for server authentication.


The IPSec configuration within the system is made up of internal and external tunnels. The internal tunnels exist between SIP Core and Avaya Media Server (MS) servers. External tunnels exist between SIP Core/Avaya MS servers and external servers (for example, Switch Expert). To configure internal tunnels, you use a tool that automatically generates the internal tunnels using the IP addresses configured in the MCP database. You configure external tunnels manually.

Default staging certificates


Initially, you must install IPsec with default staging certificates on each server. These default
staging certificates allow you to configure and test IPSec on the system servers before you
install custom certificates.

Important:
Do not use the default staging certificates on systems that are in production. You must
replace the default staging certificates with custom certificates before you place the system
into production.

Server addresses and service addresses

Each server can host one or more of the following Server IP addresses:

- Internal OAM Server Address
- External OAM Server Address
- Signaling Server Address
- Media Server Address

Important:
Only the Internal OAM Server Address participates in the internal IPsec mesh.

Additionally, each server can host one or more of the following Service (floating) IP addresses:

- AS 5300 Element Manager (AS 5300 EM) Internal OAM Service Address
- AS 5300 Element Manager (AS 5300 EM) External OAM Service Address
- Fault Performance Manager (FPM) Internal OAM Service Address
- Fault Performance Manager (FPM) External OAM Service Address
- Accounting Manager (AM) Internal OAM Service Address
- Accounting Manager (AM) External OAM Service Address
- AS 5300 Session Manager (SESM) Signaling Service Address

Important:
Only the following addresses participate in the internal IPsec mesh:

- AS 5300 Element Manager (AS 5300 EM) Internal OAM Service Address
- Fault Performance Manager (FPM) Internal OAM Service Address
- Accounting Manager (AM) Internal OAM Service Address
- AS 5300 Session Manager (SESM) Signaling Service Address

IPsec tunnel rules

When creating the internal IPSec mesh configuration file, the mcpGenIntIPSecConfig.pl script
uses the following IPSec tunnel rules:

- IPSec tunnels are created between all datafilled server internal OAM server addresses. Examples include:
  EM Server 1 Internal OAM Address <-> EM Server 2 Internal OAM Address
  Avaya Media Server 1 Internal OAM Address <-> EM Server 1 Internal OAM Address

- IPSec tunnels are created between all datafilled server internal OAM server addresses and the EM service address.

- IPSec tunnels are created between all datafilled server internal OAM server addresses and all FPM service addresses.

- IPSec tunnels are created between all datafilled server internal OAM server addresses and all AM service addresses.

Trusted node relationships

When creating the internal ACL mesh configuration file, the mcpGenIntACLConfig.pl script creates the following trusted node relationships:

- A trusted node relationship between all datafilled server internal OAM server addresses. For example:
  EM Server 1 Internal OAM Address <-> EM Server 2 Internal OAM Address
  Avaya Media Server (MS) 1 Internal OAM Address <-> EM Server 1 Internal OAM Address

- A trusted node relationship between all datafilled server internal OAM server addresses and the EM service address. For example:
  EM Server 1 Internal OAM Address <-> EM Service Address

- A trusted node relationship between all datafilled server internal OAM server addresses and all FPM service addresses. For example:
  Avaya Media Server (MS) 2 Internal OAM Address <-> FPM 1 Service Address

- A trusted node relationship between all datafilled server internal OAM server addresses and all AM service addresses. For example:
  EM Server 2 Internal OAM Address <-> AM 1 Service Address

- A trusted node relationship between all effective signaling addresses of a server and all AS 5300 SESM signaling service addresses. The effective signaling address of a server may be the internal OAM address if no server signaling address is defined. For example:
  On a server that has a defined server signaling address: EM Server 1 Signaling Address <-> AS 5300 SESMx Service Address
  On a server that does not have a defined server signaling address: EM Server 1 Internal OAM Address <-> AS 5300 SESMx Service Address
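The tunnel rules and trusted node rules above together define how many links the internal mesh should contain for a given inventory, which is the number an operator compares against ipsecstatus output. The following shell script is an added example, not the mcpGenIntIPSecConfig.pl or mcpGenIntACLConfig.pl script, and it uses a constructed inventory with hypothetical addresses: it enumerates the pairs each rule implies, including the fallback to the internal OAM address for a server with no signaling address defined.

```shell
#!/bin/sh
# Added example (not the mcpGenIntIPSecConfig.pl / mcpGenIntACLConfig.pl scripts
# themselves): enumerates the link pairs those rules imply for a constructed
# inventory, so the expected mesh size can be compared with ipsecstatus output.

# Constructed inventory (hypothetical addresses, not from the document).
# Each server token is name:internal_oam:signaling; an empty signaling field
# means the server has no server signaling address defined.
SERVERS="em1:10.0.0.1:10.0.1.1 em2:10.0.0.2: ms1:10.0.0.3:"
EM_SVC="10.0.0.10"            # EM internal OAM service address (one)
FPM_SVC="10.0.0.11 10.0.0.12" # FPM internal OAM service addresses
AM_SVC="10.0.0.13"            # AM internal OAM service addresses
SESM_SVC="10.0.1.20"          # SESM signaling service addresses

oam_of() { printf '%s\n' "$1" | cut -d: -f2; }
sig_of() { printf '%s\n' "$1" | cut -d: -f3; }

# Print every unordered pair "a b" of the space-separated tokens in $1.
pairs() {
    set -- $1
    while [ $# -gt 1 ]; do
        a=$1; shift
        for b in "$@"; do printf '%s %s\n' "$a" "$b"; done
    done
}

# IPsec tunnel rules: internal OAM <-> internal OAM (all pairs), then every
# internal OAM <-> EM service, <-> each FPM service, <-> each AM service.
gen_tunnels() {
    pairs "$SERVERS" | while read -r a b; do
        printf '%s <-> %s\n' "$(oam_of "$a")" "$(oam_of "$b")"
    done
    for s in $SERVERS; do
        for svc in $EM_SVC $FPM_SVC $AM_SVC; do
            printf '%s <-> %s\n' "$(oam_of "$s")" "$svc"
        done
    done
}

# Trusted node rules: the four tunnel rules plus effective signaling address
# <-> each SESM signaling service address, where the effective signaling
# address falls back to the internal OAM address when none is defined.
gen_trusted_nodes() {
    gen_tunnels
    for s in $SERVERS; do
        sig=$(sig_of "$s")
        [ -n "$sig" ] || sig=$(oam_of "$s")
        for svc in $SESM_SVC; do printf '%s <-> %s\n' "$sig" "$svc"; done
    done
}

# Number of links a generator function prints, e.g. count_links gen_tunnels
count_links() { "$1" | wc -l | tr -d ' '; }
```

For the constructed inventory (three servers, one EM, two FPM and one AM service address) the tunnel rules yield 3 server pairs plus 3 x 4 service links, 15 tunnels; the trusted node rules add one SESM link per server, 18 relationships. The two servers without a signaling address appear in the SESM links under their internal OAM address.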

IPsec custom certificates

You generate IPSec custom certificates just like MCP and Avaya Media Server (MS) custom
certificates. After the IPSec certificate has been signed by the CA and bundled into a PKCS12
file, you can install it on the servers.

Prior to installing custom IPSec certificates, you must stop IPSec on all SIP Core and Avaya
MS servers.

IPsec automatic CRL retrieval

IPSec can automatically retrieve CRLs using the CRL distribution point of the certificate. To
configure automatic CRL retrieval, you must add the CRL distribution point hostname and IP
address to the /etc/hosts file on each server so that the system can resolve the hostname
properly.

Important:
Do not add the CDP hostname to /etc/hosts file until the CDP can be accessed on the
network from each server. If the CDP hostname is added to the /etc/hosts file before it can
be reached on the network, then IPsec will fail to start.
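Both the OCSP procedure (hostTableConfig -a adds the PKI server to the hosts file) and the CRL retrieval note above depend on a hostname in /etc/hosts resolving to the one address that is actually reachable. The following shell functions are an added example, not an Avaya tool: they look a name up in a hosts-style file and confirm it maps to exactly the expected address, flagging a missing entry or a name that has picked up a second, conflicting mapping. The sample file is constructed; only the pki.hostname line repeats the document's own job-aid example.

```shell
#!/bin/sh
# Added example (not an Avaya tool): a pre-flight check on an /etc/hosts-style
# file for the PKI (OCSP) server and CRL distribution point entries that
# hostTableConfig -a adds, catching a missing or conflicting mapping before
# OCSP lookups or IPsec start-up depend on it.

# Print the IP(s) that file $1 maps hostname $2 to, ignoring comments; exit 1 if none.
hosts_lookup() {
    awk -v name="$2" '
        { sub(/#.*/, "") }                       # strip trailing comments
        NF >= 2 { for (i = 2; i <= NF; i++) if ($i == name) print $1 }
    ' "$1" | sort -u | grep .
}

# Return 0 only if hostname $2 maps to exactly the single address $3 in file $1.
hosts_check_entry() {
    ips=$(hosts_lookup "$1" "$2") || { echo "$2: no entry in $1" >&2; return 1; }
    if [ "$ips" != "$3" ]; then
        echo "$2: maps to [$(printf '%s' "$ips" | tr '\n' ' ')], expected $3" >&2
        return 1
    fi
    return 0
}

# Constructed sample hosts file; pki.hostname/192.168.1.14 is the document's
# own job-aid example, the other entries are hypothetical.
make_sample_hosts() {
    cat > "$1" <<'EOF'
127.0.0.1     localhost
192.168.1.14  pki.hostname          # added with: hostTableConfig -a 192.168.1.14 pki.hostname
192.168.1.20  crl.example.test cdp  # CRL distribution point
192.168.1.21  cdp                   # conflicting second mapping for "cdp"
EOF
}
```

Running `hosts_check_entry /etc/hosts <CDP hostname> <CDP IP>` on each server before startipsec confirms the entry the CRL retrieval note requires is present and unambiguous; a name with two mappings, like `cdp` in the sample, is reported rather than silently resolved to whichever line the resolver reads first.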

IPsec limitations and restrictions

The Application Server 5300 system does not support live update of the IPSec rules. To update
the IPSec rules in an established IPSec mesh, you must stop the running IPSec service, update
the settings, and then restart the IPSec service.

It is important to plan the renewal of the CA certificate(s) and the IPSec certificate. The renewal
must occur before the certificate expires to prevent service interruption.

The following Application Server IPsec tools are specially designed for configuring or managing the IPSec mesh in the Application Server system:

- mcpGenIntIPSecConfig
- mcpInstIntIPSecConf
- ipsecCertmgr
- ipsecstatus
- startipsec
- stopipsec

Warning:
It is prohibited to use any tool other than the provided tools to configure or change the IPsec
mesh configurations in an Avaya Aura Application Server 5300 system. The integrity of the
Avaya Aura Application Server 5300 IPsec configuration is not guaranteed if you use other
tools to alter the IPsec configuration.

Chapter 19: IPsec service management

About this task

This chapter contains the procedures that you use to manage the IPsec service.

Navigation:

- Starting or restarting the IPsec service on page 173
- Stopping the IPsec service on page 173
- Verifying IPsec connection status on page 174

Starting or restarting the IPsec service

Use this procedure to start or restart the IPsec service.

Before you begin

- You are a user with SSA role.

Procedure

1. Log on to the server as a user with SSA role.

2. At the command prompt, enter the following command:

   startipsec

Stopping the IPsec service

Use this procedure to stop the IPsec service.

Before you begin

- You are a user with SSA role and sudo access.

Procedure

1. Log on to the server as a user with SSA role.

2. At the command prompt, enter the following command:

   stopipsec

Verifying IPsec connection status

Use this procedure to view and verify the connection status of all IPSec links configured in the IPSec policies.

Important:
Perform this procedure for all SIP Core and Avaya Media Servers in your system.

Before you begin

- You are a user with SSA role.

Procedure

1. Log on to the server as a user with SSA role.

2. At the command prompt, enter the following command:

   ipsecstatus

3. At the command prompt, enter the following command: ping <another AS5300 server in the mesh>.

Verifying IPsec connection status job aid

The following shows an example of the result of executing the ipsecstatus command.

IPSec link status:
[1] 192.168.1.53 <=> 192.168.1.54: connected
[2] 192.168.1.53 <=> 192.168.1.55: connected
[3] 192.168.1.53 <=> 192.168.1.56: connected
[4] 192.168.1.53 <=> 192.168.1.58: connected
[5] 192.168.1.57 <=> 192.168.1.54: connected
[6] 192.168.1.57 <=> 192.168.1.55: connected
[7] 192.168.1.57 <=> 192.168.1.56: connected

The following shows an example of the result of executing the ping <another AS5300 server in the mesh> command.

PING 192.168.1.54 (192.168.1.54) 56(84) bytes of data.
64 bytes from 192.168.1.54: icmp_seq=1 ttl=64 time=1.24 ms
64 bytes from 192.168.1.54: icmp_seq=2 ttl=64 time=2.83 ms

--- 192.168.1.54 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1073ms
rtt min/avg/max/mdev = 1.245/2.041/2.838/0.797 ms
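Because the procedure has to be repeated on every SIP Core and Avaya MS server, reading the ipsecstatus listing by eye does not scale. The following shell functions are an added example, not an Avaya tool: they parse link lines in the format shown in the job aid and fail when any link is in a state other than connected or when no links are listed at all. The sample output is constructed in that format; the status word used for a failed link ("disconnected") is an assumption, since the document only shows the connected case.

```shell
#!/bin/sh
# Added example (not an Avaya tool): parses ipsecstatus link lines of the form
# "[n] local <=> remote: status" and reports any link that is not connected,
# so the check in step 2 can run unattended on every SIP Core and Avaya MS host.

# Print link lines whose final field is anything other than "connected".
ipsec_down_links() {
    awk '/^\[[0-9]+\] / && $NF != "connected"'
}

# Print the number of link lines seen.
ipsec_link_count() {
    awk '/^\[[0-9]+\] / { n++ } END { print n + 0 }'
}

# Read ipsecstatus output from file $1; exit 0 only if every link is connected.
check_ipsec_links() {
    total=$(ipsec_link_count < "$1")
    down=$(ipsec_down_links < "$1")
    if [ "$total" -eq 0 ]; then
        echo "no IPsec links found in $1 (is IPsec running?)" >&2
        return 1
    fi
    if [ -n "$down" ]; then
        printf 'IPsec links not connected:\n%s\n' "$down" >&2
        return 1
    fi
    echo "all $total IPsec links connected"
    return 0
}

# Constructed sample in the document's output format; the status word for a
# failed link ("disconnected") is an assumption, not taken from the document.
sample_ipsecstatus() {
    cat <<'EOF'
IPSec link status:
[1] 192.168.1.53 <=> 192.168.1.54: connected
[2] 192.168.1.53 <=> 192.168.1.55: connected
[3] 192.168.1.53 <=> 192.168.1.56: disconnected
[4] 192.168.1.53 <=> 192.168.1.58: connected
EOF
}
```

On a live server the check is `ipsecstatus > /tmp/ipsec.status && check_ipsec_links /tmp/ipsec.status`; a non-zero exit names the links to investigate, and the zero-link case catches a host where the service is not running rather than reporting it as healthy.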

Chapter 20: IPsec configuration

This chapter contains the procedures that you use to configure the IPsec service.

IPsec configuration procedures

The following task flow shows the sequence of procedures that you perform to configure the IPsec service.

Navigation

- Generating the internal IPsec configuration file on page 177
- Installing the internal IPsec configuration file on the primary EMS server on page 178
- Installing the internal IPsec configuration file on non-primary EMS servers on page 178
- Creating the external IPsec configuration file on page 179
- Stopping the IPsec service on page 173
- Installing a custom IPsec certificate on page 181
- Starting or restarting the IPsec service on page 173
- Configuring IPsec for automatic CRL retrieval on page 182
- Verifying IPsec automatic CRL retrieval on page 183
- Manually adding a CA chain on page 184
- Importing access control rules on page 199

Generating the internal IPsec configuration file

Use this procedure to generate the internal IPsec configuration file and place it into a temporary location on the primary element manager server.

Before you begin

- You are a user with AA role.

Procedure

1. Log on to the primary element manager server as a user with AA role.

2. At the command prompt, enter the following command:

   mcpGenIntIPsecConfig.pl

Installing the internal IPsec configuration file on the primary EMS server

Use this procedure to install the internal IPsec configuration file to a permanent location on the
primary element manager server.

Before you begin

- You are a user with SSA role.

Procedure

1. Log on to the server as a user with SSA role.

2. At the command prompt, enter the following command: mcpInstIntIPSecConf -copy

Installing the internal IPsec configuration file on non-primary EMS servers

Use this procedure to install the internal IPsec configuration file to a permanent location on non-primary EMS servers.

Important:
Perform this procedure on all non-primary EMS servers.

Before you begin

- You are a user with SSA role.

Procedure

1. Log on to the server as a user with SSA role.

2. At the command prompt, enter the following command: mcpInstIntIPSecConf

3. At the following prompt, enter the primary element manager server IP address:
   Information for fetching internal IPSec conf file:
   Remote server IP address:

4. At the following prompt, enter the SSA username that is defined on the primary element manager server: SFTP user id:

5. Enter the Application Administrator's password.

6. Re-enter the Application Administrator's password.

7. Enter Y to confirm the summary information.

Creating the external IPsec configuration file


Use this procedure to configure IPsec with information about any external nodes. This
procedure is necessary if you need to configure IPsec tunnels to external nodes such as Switch
Expert.


If you need multiple IPSec tunnels to multiple external nodes, then you must define each
external node in the IPSec external configuration file.

Before you begin

- You must be either the root user or a user with SSA role with sudo privileges.

- Custom certificates are installed for IPSec on each SIP Core and Avaya Media Server (MS).

- The certificate used on the external node is signed by the same CA that signed the certificate for IPSec on the SIP Core and Avaya MS servers.

Procedure

1. Log on to the server as root or a user with SSA role.

2. If you are an SSA, change to the root: su - root

3. Enter the root password.

4. At the command prompt, enter the following command: cd /etc/ipsec.d

5. At the command prompt, enter the following command: vi external.conf

6. Add the following text to the end of the file, modifying the fields for each connection.

   conn ext_<connection name>
   <tab>left=<local IP>
   <tab>right=<external IP>
   <tab>rightcert=""
   <tab>rightid="<external cert subject>"

7. If the external node is a Windows machine, add the following additional text to the end of the text you entered in the previous step.

   Important:
   Do not add this text if the external node is a Linux machine.

   <tab>esp="3des-sha1"
   <tab>ike="3des-sha1"
   <tab>pfs=no

8. Repeat step 6 on page 179 to step 7 on page 179 for each external IPsec tunnel.

9. Save the file.

10. Exit the editor.

11. Make the necessary IPSec configuration changes on the external node.

12. Stop IPSec on all SIP Core and Avaya MS servers.

13. Start IPSec on all SIP Core and Avaya MS servers.

Important:
If the external ACL import file does not include the IP addresses for these external nodes, then add the remote IP address of all external nodes involved in IPSec tunnels as trusted nodes to the external ACL rules.

Creating the external IPsec configuration file job aid

17

Variable                  Value
<connection name>         Type a name that describes the connection. For example, for an
                          IPsec tunnel to Switch Expert, the string <connection name> could
                          be "se1".
                          Important: Do not change the "ext_" portion of this string.
<external cert subject>   Type the Subject of the external certificate.
<external IP>             Type the remote IP address of the IPsec tunnel.
<local IP>                Type the local IP address of the IPsec tunnel.
<tab>                     Type a single tab character. Attention: This file must contain only
                          one tab (no spaces) before the indented lines.


The following text shows an example of the text to add to the end of the file for an external
connection to a Windows external node.


conn ext_se1
left=192.168.1.15
right=192.168.1.75
rightcert=""
rightid="C=US,O=U.S.Government,OU=JITC,OU=PKI,OU=DoD,CN=SwitchExpert"
esp="3des-sha1"
ike="3des-sha1"
pfs=no


The following example shows some sample lines to add to the end of the file for an external
connection to a Linux external node.


conn ext_lin1
left=192.168.1.35
right=192.168.1.25
rightcert=""
rightid="C=US,O=U.S. Government,OU=JITC,OU=PKI,OU=DoD,CN=Linux Node"
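The stanzas shown above can be generated and checked before you append them to /etc/ipsec.d/external.conf. The following Python script is an added example and is not part of the Avaya documentation or product: build_conn() emits one conn ext_<name> stanza with the single-tab indentation the job aid requires, and lint_conn() checks a fragment for the mistakes this procedure invites (spaces instead of the tab, a missing ext_ prefix, an empty rightid, or only some of the three Windows proposal lines). The file layout and the rule that the three Windows lines go together are taken from the procedure; the function names and lint rules are the example's own. One caveat a practitioner should keep in mind: esp/ike "3des-sha1" and pfs=no are what this procedure specifies for Windows peers, but they are legacy algorithms and pfs=no gives the tunnel no forward secrecy, so confine them to the ext_ connections that actually need them.

```python
import ipaddress
import re

# Proposal lines the procedure adds only for Windows peers (step 7 above).
WINDOWS_EXTRA = ('esp="3des-sha1"', 'ike="3des-sha1"', 'pfs=no')
REQUIRED_KEYS = ("left", "right", "rightcert", "rightid")


def build_conn(name, local_ip, external_ip, external_subject, windows_peer=False):
    """Return one 'conn ext_<name>' stanza, indented with exactly one tab.

    'name' is given without the ext_ prefix; the prefix is added here so it
    cannot be edited away by accident.
    """
    ipaddress.ip_address(local_ip)        # ValueError on a malformed address
    ipaddress.ip_address(external_ip)
    if not re.fullmatch(r"[A-Za-z0-9_-]+", name):
        raise ValueError("connection name must be a simple token")
    if not external_subject.strip():
        raise ValueError("rightid must carry the peer certificate subject")
    body = [
        f"left={local_ip}",
        f"right={external_ip}",
        'rightcert=""',
        f'rightid="{external_subject}"',
    ]
    if windows_peer:
        body.extend(WINDOWS_EXTRA)
    return "\n".join([f"conn ext_{name}"] + ["\t" + line for line in body]) + "\n"


def lint_conn(text):
    """Return a list of problems found in an external.conf fragment (empty if clean)."""
    problems = []
    current, keys = None, {}

    def finish():
        # Per-section checks, run when a section ends.
        if current is None:
            return
        for key in REQUIRED_KEYS:
            if key not in keys:
                problems.append(f"{current}: missing {key}=")
        if keys.get("rightid") in ("", '""'):
            problems.append(f"{current}: rightid must not be empty")
        win = {k for k in ("esp", "ike", "pfs") if k in keys}
        if win and win != {"esp", "ike", "pfs"}:
            problems.append(f"{current}: Windows peers need esp=, ike= and pfs= together")

    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        if line.startswith("conn "):
            finish()
            current, keys = line[5:].strip(), {}
            if not current.startswith("ext_"):
                problems.append(f"line {n}: section '{current}' lacks the ext_ prefix")
            continue
        if current is None:
            problems.append(f"line {n}: key=value outside any conn section")
            continue
        # The file must use one tab and no spaces before each indented line.
        if line[0] != "\t" or line[1:2].isspace():
            problems.append(f"line {n}: indented lines must start with exactly one tab")
        key, sep, value = line.strip().partition("=")
        if not sep:
            problems.append(f"line {n}: expected key=value")
        elif key in keys:
            problems.append(f"line {n}: duplicate key {key}")
        else:
            keys[key] = value
    finish()
    return problems


if __name__ == "__main__":
    stanza = build_conn("se1", "192.168.1.15", "192.168.1.75",
                        "C=US,O=U.S.Government,OU=JITC,OU=PKI,OU=DoD,CN=SwitchExpert",
                        windows_peer=True)
    print(stanza, end="")
    print("problems:", lint_conn(stanza) or "none")
```

Run it once per tunnel and append the printed stanza to external.conf only when lint_conn() reports nothing; run lint_conn() over the whole file again before stopping and starting IPsec in steps 12 and 13.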


Installing a custom IPsec certificate


Use this procedure to install a custom IPsec server certificate.


Important:
Perform this procedure on each server in your system.

Before you begin


IPSec is stopped on all SIP Core and Avaya MS servers.


You are a user with SSA role.

Procedure


1. Transfer the IPSec PKCS12 file to the server using SFTP or SCP.


2. At the command prompt, enter the following command: ipsecCertmgr


3. From the IPSec Certificate Management Options menu, enter 2 to select Import
Server Certificate PKCS12 File


4. Enter the IPSec PKCS12 file filename.


5. Enter the IPSec PKCS12 file password.


6. Re-enter the IPSec PKCS12 file password.


7. To confirm the PKCS12 summary information, enter Y.


8. To confirm the warning, enter Y.


9. If the PKCS12 file does not contain the CA chain, then enter it manually on each
server using the ipsecCertmgr tool.


Configuring IPsec for automatic CRL retrieval


Use this procedure to configure IPsec to automatically retrieve CRLs. IPSec uses the
distribution point of the CRL to automatically retrieve CRLs.


You must add the CRL distribution point hostname and IP address to the /etc/hosts file on each
server so that the system can resolve the hostname.
Important:
Perform this procedure for all servers in your system.


Before you begin


You are a user with SSA role.


Procedure


1. Log on to the server as a user with SSA role.


2. At the command prompt, enter the following command to view the distribution point:
openssl x509 -text -in <IPSec certificate>


3. Locate the distribution point in the output. The hostname is specified in the http://
<CRL hostname> line.


4. To add the CRL hostname to the server, at the command prompt, enter the following
command: hostTableConfig -a [CRL Distribution Point IP
address] [CRL Distribution Point hostname]


5. To validate the configured hostnames, at the command prompt, enter the following
command: hostTableConfig -q


Configuring IPsec for automatic CRL retrieval job aid



The following is an example of the command to add a PKI server to the hosts file:
hostTableConfig -a 192.168.1.12 crl.hostname

Verifying IPsec automatic CRL retrieval


Use this procedure to validate that automatic CRL retrieval is working properly.

Before you begin

You must be either the root user or a user with SSA role with sudo privileges.


Custom certificates are installed for IPSec on each SIP Core and Avaya Media Server
(MS).

Procedure


1. Log on to the server as root or a user with SSA role.

2. If you are an SSA, change to the root: su - root


3. Enter the root password.


4. At the command prompt, enter the following command: ipsec auto --listcrls


5. Verify that the output from the ipsec auto --listcrls command shows the
number of revoked certificates.


Verifying IPsec automatic CRL retrieval job aid


The following text shows an example of the output for the ipsec auto --listcrls
command.


000
000 List of X.509 CRLs:
000
000 Apr 16 19:09:52 2010, revoked certs: 62
000        issuer:   'C=US, O=U.S. Government, OU=DoD, OU=PKI, CN=DoD JITC Root CA 2'
000        distPts:  'ldap://crl.gds.nit.disa.mil/cn%3dDoD%20JITC%20Root%20CA%202%2cou%3dPKI%2cou%3dDoD%2co%3dU.S.%20Government%2cc%3dUS?certificateRevocationList;binary'
000                  'http://crl.gds.nit.disa.mil/getcrl?DoD%20JITC%20Root%20CA%202'
000        updates:  this Apr 15 08:57:43 2010
000                  next Jun 16 08:57:43 2010 ok
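The two procedures above (finding the CRL distribution point in the certificate and checking that a CRL was actually retrieved) can be scripted so the check is repeatable on every server. The following Python script is an added example and is not Avaya code: crl_hostnames() pulls the hostnames out of the CRL Distribution Points extension as printed by openssl x509 -text, parse_listcrls() reads the "000 "-prefixed output of ipsec auto --listcrls, and crl_problems() reports what you would otherwise eyeball: no CRL loaded at all, a CRL past its next update, a CRL not marked ok, or a distribution point host that was never added to /etc/hosts with hostTableConfig. Both sample inputs are constructed for the example (example.test names, a shortened issuer); timestamps are treated as UTC, which is an assumption about the server clock.

```python
import re
from datetime import datetime, timezone
from urllib.parse import urlparse

PLUTO_TIME = r"\w{3} +\d{1,2} \d\d:\d\d:\d\d \d{4}"

# Constructed fragment of 'openssl x509 -text' output; not a real certificate.
SAMPLE_X509_TEXT = """\
        X509v3 extensions:
            X509v3 CRL Distribution Points:

                Full Name:
                  URI:http://crl.example.test/getcrl?Example%20Root%20CA
"""

# Constructed 'ipsec auto --listcrls' output in the "000 " line format shown above.
SAMPLE_LISTCRLS = """\
000
000 List of X.509 CRLs:
000
000 Apr 16 19:09:52 2010, revoked certs: 62
000        issuer:   'C=US, O=Example, CN=Example Root CA'
000        distPts:  'http://crl.example.test/getcrl?Example%20Root%20CA'
000        updates:  this Apr 15 08:57:43 2010
000                  next Jun 16 08:57:43 2010 ok
"""


def pluto_time(text):
    """Parse the ctime-style timestamp; treated as UTC here (an assumption)."""
    return datetime.strptime(text, "%b %d %H:%M:%S %Y").replace(tzinfo=timezone.utc)


def utc_date(year, month, day):
    return datetime(year, month, day, tzinfo=timezone.utc)


def crl_hostnames(x509_text):
    """Hostnames named by URI: entries of the CRL Distribution Points extension."""
    hosts = []
    for uri in re.findall(r"URI:(\S+)", x509_text):
        host = urlparse(uri).hostname
        if host and host not in hosts:
            hosts.append(host)
    return hosts


def parse_listcrls(output):
    """Turn 'ipsec auto --listcrls' output into a list of CRL records."""
    crls, cur = [], None
    for raw in output.splitlines():
        line = raw[3:].strip() if raw.startswith("000") else raw.strip()
        m = re.match(rf"({PLUTO_TIME}), revoked certs: (\d+)$", line)
        if m:                                   # start of one CRL record
            cur = {"loaded": pluto_time(m.group(1)), "revoked": int(m.group(2)),
                   "issuer": "", "dist_points": [], "this_update": None,
                   "next_update": None, "ok": False}
            crls.append(cur)
            continue
        if cur is None:
            continue
        if line.startswith("issuer:"):
            cur["issuer"] = line[len("issuer:"):].strip().strip("'")
            continue
        if line.startswith("distPts:"):
            line = line[len("distPts:"):].strip()
        if line.startswith("'"):                # one distribution point per line
            cur["dist_points"].append(line.strip("'"))
            continue
        if line.startswith("updates:"):
            line = line[len("updates:"):].strip()
        m = re.match(rf"(this|next) ({PLUTO_TIME})(.*)$", line)
        if m:
            cur[m.group(1) + "_update"] = pluto_time(m.group(2))
            if m.group(1) == "next":
                cur["ok"] = m.group(3).strip() == "ok"
    return crls


def crl_problems(crls, now, resolvable_hosts):
    """Findings that mean automatic CRL retrieval is not, or will soon not be, working."""
    problems = []
    if not crls:
        problems.append("no CRL loaded: automatic retrieval is not working")
    for c in crls:
        if c["next_update"] is None or not c["ok"]:
            problems.append(f"{c['issuer']}: CRL is not marked ok")
        elif c["next_update"] <= now:
            problems.append(f"{c['issuer']}: CRL expired at {c['next_update']:%Y-%m-%d %H:%M}")
        for dp in c["dist_points"]:
            host = urlparse(dp).hostname
            if host not in resolvable_hosts:
                problems.append(f"{c['issuer']}: distribution point host {host!r} is not in /etc/hosts")
    return problems


if __name__ == "__main__":
    hosts = crl_hostnames(SAMPLE_X509_TEXT)
    print("CRL hosts to add with hostTableConfig -a <ip> <host>:", hosts)
    found = crl_problems(parse_listcrls(SAMPLE_LISTCRLS), datetime.now(timezone.utc), set(hosts))
    print("problems:", found or "none")
```

On a real server feed the script the output of openssl x509 -text -in <IPSec certificate> and of ipsec auto --listcrls (run as root), and pass the hostnames you configured with hostTableConfig -q as resolvable_hosts; an "expired" finding means retrieval has stopped, since pluto would have fetched a newer CRL before the next update time.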


Manually adding a CA chain


Use this procedure to manually add a CA chain if the installed PKCS12 file does not contain
a CA chain.

Before you begin

You are a user with SSA role.

Procedure


1. Connect to the server as a user with SSA role.

2. At the command prompt, enter the following command: ipsecCertmgr


3. From the IPSec Certificate Management Options menu, enter 3 to select Install CA
Certificate.


4. Enter the CA certificate file name.


5. Enter the CA certificate friendly name.


6. Enter Y to confirm.



Chapter 21: Access control rules

This chapter provides information about access control rules.


Navigation:

Access control rules overview on page 185

Trusted nodes on page 186

Trusted ports on page 186

Internal trusted node mesh on page 187

Access control tools on page 187


DSCP marking on page 188


Access control default system configuration on page 190


Access control limitations and restrictions on page 191


Access control rules overview


The system controls the access to its servers by enforcing a set of designated access control
rules, called Access Control List (ACL) on each server. These access control rules reject all
communications except for those with trusted nodes and those using trusted ports.


The access control rules are enforced through the Linux iptables and ip6tables utilities.


The ACL configuration for the system consists of two parts:


Internal rules pertain to connections within the system itself. The MCP database autogenerates the internal rules.


External rules restrict external access to the Application Server 5300. Use the IPTables
utility (the firewall utility offered in the Linux system) to configure and enforce the external
access control rules.


The system enforces the internal ACL rules only after you use the iptcfg utility to configure and
commit the external ACL rules.

Figure 3: ACL firewall

Trusted nodes


Trusted nodes are external nodes with which communications of all protocols using any port
are permitted. IPsec protection for communications with trusted nodes is not required.


The system or network security administrator defines trusted nodes for the system. A trusted
node can be either a single external node, or a set of external nodes within a subnet.

Trusted ports


Trusted ports are server ports on which the system permits all ingress traffic of a particular
protocol from anywhere, if it is an input port, or, all egress traffic of a particular protocol to
anywhere, if it is an output port.


IPsec protection on traffic using trusted ports is not required. Trusted ports are predetermined.
The administrator can open or close a trusted port or change to use an alternate port number,
but cannot add a new trusted port or delete an existing trusted port.

The following table lists the predetermined trusted ports in the system.
Table 7: Trusted ports in the system

Port          Protocol   Port Number (Default)   Redirect Port Number (Default)
SIP UDP       UDP        5060                    N/A
SIP TCP       TCP        5060                    N/A
SIP TCP TLS   TCP        5061                    N/A
PA HTTP       TCP        80                      8081
PA HTTPS      TCP        443                     8043

Internal trusted node mesh


In addition to the external trusted nodes configuration that secures system communications
with the external world, the internal trusted node mesh configuration secures inter-server
communications within the system.

Access control tools

Use the following tools to manage and configure firewall (IPTables) rules for server access
control (trusted nodes, trusted ports, and DSCP marking).


Table 8: Access control tools

Tool        Description
iptcfg      Administrators use this tool to configure firewall (IPTables) rules for server
            access control (trusted nodes, trusted ports, and DSCP marking), and to
            enforce the configured firewall (IPTables) rules.
iptstatus   Administrators use this tool to verify and view the trusted node, trusted port,
            and DSCP marking configurations from outside of the iptcfg tool.


Access each tool by typing the tool name at the command prompt.


For more information about iptstatus, see Viewing trusted node and port configurations with
iptstatus on page 202.

DSCP marking

The system uses differentiated services code point (DSCP) marking to differentiate between
the following types of data:


Network Signaling

Low Latency Data

High Throughput Data


Filtering packets based on DSCP marking can also add an additional layer of security for the
system. The DSCP marking state is either enabled, or disabled.


Each defined communication channel on the system has a designated DSCP category.
Therefore, the system marks all of the IP packets that originate from each communication
channel according to its category. Applications and communication channels, to which the
system applies DSCP marking, are predefined and cannot be changed. The system applies
DSCP marking to the following list of applications and communication channels:

Secure Shell (SSH) log on
Network Time Protocol (NTP)
Database connections
IPsec negotiation
Simple Network Management Protocol (SNMP)
Syslog
Negative Exponential Distribution (NED)
Secure Sockets Layer File Transfer Protocol (SSL FTP)
Internet Control Message Protocol (ICMP) messages


For more information, see the following sections:


DSCP marking configuration tools on page 189


Default DSCP configuration on page 189


DSCP marking configuration tools

Use the following tools to configure DSCP marking:


iptcfg: with the iptcfg tool, you can configure DSCP marking values, DSCP marking state,
and enforce IP Tables rules.


iptstatus: with the iptstatus tool, you can verify and view trusted nodes, DSCP marking
configurations, and the IP Tables rules from outside of the iptcfg tool.


With the iptcfg tool, you can also roll back (reset) the DSCP marking configuration to its last
previous configuration. This rollback is limited to one version.

Default DSCP configuration


By default, DSCP marking status is disabled. However, a default DSCP marking values
configuration exists. The following table lists the default DSCP marking categories and
values.
Table 9: DSCP marking categories and values

DSCP marking category   DSCP marking value (0-63)
Network Signaling       48
Low Latency Data        18
High Throughput Data    16

The following table lists system applications and the corresponding DSCP marking
categories.
Important:
You cannot add or remove applications, and you cannot change the corresponding DSCP
marking category for an application.
Table 10: DSCP marking categories for applications

Application                          DSCP marking category
Secure Shell Login                   Low Latency Data
Network Time Protocol                Low Latency Data
Database connections                 Low Latency Data
IPsec negotiation                    Network Signaling
Simple Network Management Protocol   Low Latency Data
Syslog                               High Throughput Data
NED                                  Low Latency Data
Sslftpd                              Low Latency Data
ICMP messages                        Network Signaling

Access control default system configuration


By default, there are no trusted nodes configured and no corresponding firewall rules in place
after initial system installation.


After installation, there are no firewall rules for trusted ports configured except for the PA port
redirection rules, which redirect the PA HTTP port from port 80 to port 8041, and the PA HTTPS
port from port 443 to port 8043.

Except for the PA ports, other trusted ports are in the Unconfigured state after installation.


By default, DSCP marking is disabled. The three default values exist, but the system does not
apply them until after you enable DSCP marking.


The applications and communication channels to which DSCP marking applies are predefined
and assigned a DSCP marking category. You cannot modify the predefined applications or
assignments.
Table 11: Predefined DSCP marking categories

Application                          DSCP marking category
Secure Shell log on                  Low Latency Data
Network Time Protocol                Low Latency Data
Database connections                 Low Latency Data
IPsec negotiation                    Network Signaling
Simple Network Management Protocol   Low Latency Data
Syslog                               High Throughput Data
NED                                  Low Latency Data
SSL FTP                              Low Latency Data
ICMP messages                        Network Signaling


Access control limitations and restrictions


The administrator is not permitted to add new or delete existing trusted ports. Whenever there
are any changes in IPsec policy, access control rules must be recommitted.


The iptcfg tool is specially designed for configuring or modifying the firewall rules in the system.
The integrity of the firewall settings in the system is not guaranteed if other firewall configuration
tools are used.


The iptcfg tool provides a rollback capability allowing the firewall or access control to be reset
to its previous settings. However, this rollback is limited only to the most recent previous
version.


The administrator cannot add or remove applications, or change the corresponding DSCP
marking category for an application.


Chapter 22: Access control configuration

Configure access control to only permit internal system communication and system communication with
trusted external nodes over trusted ports.
For more information, see 105.1.3 AS5300 Security Hardening.

Warning:
The iptcfg tool is specially designed to configure and manage the firewall (IPTables) rules for the Avaya
Aura Application Server 5300 system. Avaya does not guarantee the integrity of the firewall
configuration if you use any other firewall configuration tool.

Prerequisites
The IPsec mesh configuration is complete.

Access control configuration tasks

The following work flow shows the sequence of tasks that you perform to configure access control for the
system.


Navigation

Internal access control configuration on page 195

Access control rules enforcement on page 205


Chapter 23: Internal access control configuration

Configure internal access control to secure internal system communication.


Internal access control configuration procedures

The following task flow shows the sequence of procedures that you perform to configure internal access
control for the system.


Navigation

Generating the internal ACL file on page 197

Installing the internal ACL configuration file on the primary EMS on page 197

Installing the internal ACL configuration file on the other servers on page 198


Generating the internal ACL file


About this task


Use this procedure to generate the internal Access Control List (ACL) file and place it into a
temporary location on the primary element manager server.

Procedure


1. Log on to the primary Element Management System (EMS) server as a user with
AA role.
The EMS servers host the primary and secondary AS 5300 Element Manager and
databases (DB).
2. Run the script to generate the internal ACL file:
/mcpGenIntACLConfig.pl
The newly-generated internal ACL file resides on the primary EMS.

Installing the internal ACL configuration file on the primary EMS

To complete the internal ACL configuration, install the internal ACL file on the primary Element
Management System (EMS) server, and on all other Application Server 5300 servers, including
Avaya Media Server (MS).


Before you begin


A previously generated internal ACL file already exists. For more information, see Generating
the internal ACL file on page 197.

Procedure
1. Log on to the primary Element Management System (EMS) server as a user with
SSA role.
The EMS servers host the primary and secondary AS 5300 Element Manager and
databases (DB).
2. Install the internal ACL file:
mcpInstIntACLConf -copy


Installing the internal ACL configuration file on the other servers

To complete the internal ACL configuration, install the internal ACL file on each of the other
servers. The tool retrieves the file from the primary element manager server over SFTP.


Important:
Repeat this procedure for each core server and Avaya Media Server (MS) in your Application
Server 5300 system.


Before you begin


A previously generated internal ACL file already exists. For more information, see Generating
the internal ACL file on page 197.

Procedure


1. Log on to the server as a user with SSA role.


2. Install the internal ACL file:
mcpInstIntACLConf


3. At the prompt for the Remote server IP address, enter the Internal OAM IP address
of the primary EMS server.


4. At the prompt for the SFTP user ID, enter an SSA username defined on the primary
EMS.


5. At the prompt for the SFTP password, enter the SSA user password.


6. At the prompt to confirm the password, enter the SSA user password again.


7. Review the information summary and enter Y to confirm.


Chapter 24: Access control rules management

About this task

This chapter contains procedures that you use to administer access control (IPTables) rules.
Navigation:

Importing access control rules on page 199

Viewing all configured access control rules on page 200

Rolling back to the previous access control configuration on page 201


Restoring the access control default configuration on page 201


Viewing trusted node and port configurations with iptstatus on page 202


Importing access control rules


Use this procedure to perform bulk data entry for access control configuration (trusted nodes,
trusted ports, and DSCP marking). The tool converts the import data into corresponding
IPTables rules and commits the changes.


Before you begin


You are a user with SSA role.


You have transferred the server specific ACL import file to the server using sftp or scp.


Procedure


1. Log on to the server as an SSA.


2. At the prompt, enter iptcfg.


3. If you receive a prompt, enter your password.


4. Enter 4 to select Import Configurations.


5. Enter Y to proceed with the import.


6. Enter the full path and name of the import file.


7. Enter Y if trusted nodes used to perform system maintenance operations are
included.


8. Enter Y to add access control exclusion rules for IPsec.


Importing access control rules job aid


The import data file is a plain text file. You can find an example of an ACL import file on any
AS 5300 server in the /opt/mcp/ipt/example directory.


The import files are server specific, so each server in the AS 5300 system requires its own
import file with IP addresses that are specific to that server.


The following are examples of external trusted nodes that may need to be configured in the
import file:

Remote syslog server
Remote NTP servers
OCSP and CDP servers
Administrator PCs
External nodes used in IPSec tunnels

Viewing all configured access control rules


Use this procedure to display all of the configured access control rules (trusted nodes, trusted
ports, and DSCP marking).


Important:
The iptcfg tool shows only access control rules configured by using the iptcfg tool. The iptcfg
tool does not show access control rules configured by using other tools.


Before you begin


You are a user with SSA role.


Procedure


1. Log on to the server as an SSA.


2. At the prompt, enter iptcfg.


3. If you receive a prompt, enter your password.


4. Enter 8 to select Show Current IPTables Rules.


Rolling back to the previous access control configuration


Use this procedure for troubleshooting purposes, to roll access control rules (trusted nodes,
trusted ports, and DSCP marking) back to the previous configuration.

Before you begin


You are a user with SSA role.

Procedure


1. Log on to the server as an SSA.

2. At the prompt, enter iptcfg.

3. If you receive a prompt, enter your password.


4. Enter 6 to select Rollback.


5. Enter Y to confirm the rollback to the previous access control configuration.


Restoring the access control default configuration


Use this procedure for troubleshooting purposes, to restore the default configuration for access
control (trusted nodes, trusted ports, and DSCP marking).


Before you begin


You are a user with SSA role and sudo access.


Procedure


1. Log on to the server as an SSA.


2. At the prompt, enter iptcfg.


3. If you receive a prompt, enter your password.


4. Enter 7 to select Restore System Defaults.


5. Enter Y to confirm the rollback to the system defaults.


Viewing trusted node and port configurations with iptstatus

About this task


Use this procedure to display all of the configured trusted nodes and ports, and DSCP marking
configuration by using the iptstatus command.

Procedure

1. Log on to the server as an SSA.

2. At the command line, enter the iptstatus command:
iptstatus -<option>


Viewing trusted node and port configurations with iptstatus job aid


About this task


The iptstatus tool includes the following command line options:

Option   Description
         Displays all current access control rules. This option provides the same
         functionality as the Show Current Access Control Rules option provided by the
         iptcfg tool.
         Displays all current DSCP marking configurations. This option provides the
         same functionality as the Show DSCP marking configurations option provided
         by the iptcfg tool.
         Displays the Help information.
         Displays all current access control rules in a justified format based on the raw
         format.
         Displays all current trusted node configurations. This option provides the same
         functionality as the List trusted nodes option provided by the iptcfg tool.
         Displays all current trusted port configurations. This option provides the same
         functionality as the List trusted ports option provided by the iptcfg tool.
-r       Displays all current access control rules in a raw format that is convenient for
         the user to further process the data, if desired.
         The syntax for the iptstatus command in the raw format is as follows:
         <Type of Rule>, <Version of IP>, <Source IP>, <Source Subnet Mask>,
         <Destination IP>, <Destination Subnet Mask>, <Protocol>, <Source Port>,
         <Destination Port>, <To-Port>, <DSCP Value>

Syntax of an access control rule in the raw format job aid


The iptstatus tool displays the access control rules in the raw format, as follows:


<Type of Rule>, <Version of IP>, <Source IP>, <Source Subnet Mask>, <Destination IP>,
<Destination Subnet Mask>, <Protocol>, <Source Port>, <Destination Port>, <To-Port>, <DSCP Value>

The following table lists and describes each of the syntax variables.

Syntax variable             Description
<Type of Rule>              The possible values are:
                            1 the type of rule is INPUT
                            2 the type of rule is OUTPUT
                            3 the type of rule is REDIRECT
                            4 the type of rule is IN_DSCP
                            5 the type of rule is OUT_DSCP
                            6 the type of rule is IN-OUT_DSCP
<Version of IP>             The possible values are ipv4 or ipv6.
<Source IP>                 An IP address in dot notation, or a star (*) for any IP.
<Source Subnet Mask>        A subnet mask in slash notation, or a dash (-) for a single-host
                            subnet mask (/32) or to specify that a subnet mask is not needed.
<Destination IP>            An IP address in dot notation, or a star (*) for any IP.
<Destination Subnet Mask>   A subnet mask in slash notation, or a dash (-) for a single-host
                            subnet mask (/32) or to specify that a subnet mask is not needed.
<Protocol>                  A protocol number as specified in RFC 1340, such as 6 for TCP,
                            17 for UDP, 1 for ICMP; or a star (*) for any protocol.
<Source Port>               A port number, or a star (*) for any port, or a dash (-) to specify
                            that a port number is not needed.
<Destination Port>          A port number, or a star (*) for any port, or a dash (-) to specify
                            that a port number is not needed.
<To-Port>                   A port number, or a star (*) for any port, or a dash (-) to specify
                            that a port number is not needed.
<DSCP Value>                A number in the 0-63 range, or a dash (-) to indicate that a DSCP
                            value is not needed.

The following shows an example of the access control rules in the raw format:


iptstatus -r
[sudo] password for sysadm:
1,ipv4,47.102.0.0,/16,135.60.83.68,-,*,*,*,-
2,ipv4,135.60.83.68,-,47.102.0.0,/16,*,*,*,-
1,ipv4,47.102.0.0,/16,135.60.83.77,-,*,*,*,-
2,ipv4,135.60.83.77,-,47.102.0.0,/16,*,*,*,-
1,ipv4,47.102.0.0,/16,135.60.83.78,-,*,*,*,-
2,ipv4,135.60.83.78,-,47.102.0.0,/16,*,*,*,-
1,ipv4,135.60.0.0,/16,135.60.83.68,-,*,*,*,-,-

ACL configuration job aid


To verify ACL configuration, perform the following:


Validate that the administrator PC(s) that were added as trusted nodes can access the
servers using SSH.
Validate that the System Management user interface can be accessed through the
administrator PC(s).
Validate that the Provisioning web page can be accessed through the administrator PC(s).
Validate that the Avaya Media Server EM can be accessed through the administrator PC(s).
Validate that subscribers can register and make calls on the system.
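The reachability checks above can be scripted from an administrator PC. The following Python script is an added example and not part of the product: it attempts a TCP connection to each TCP trusted port from Table 7 (plus SSH, which is how the administrator PC reaches the servers) and reports which are reachable. A closed or filtered port, seen from a PC that should be a trusted node, means that node is missing from the ACL import file or the rules were not committed. The port names and numbers are from Table 7; SIP over UDP is not covered because a UDP port cannot be verified with a connect. The function names and the loopback self-test helper are the example's own.

```python
import socket
import sys
from concurrent.futures import ThreadPoolExecutor

# TCP trusted ports from Table 7, plus SSH for the administrator PC.
TRUSTED_TCP_PORTS = (("SSH", 22), ("SIP TCP", 5060), ("SIP TLS", 5061),
                     ("PA HTTP", 80), ("PA HTTPS", 443))


def tcp_open(host, port, timeout=2.0):
    """True if a TCP connection to host:port completes within the timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:            # refused, filtered (timeout) or unreachable
        return False


def check_server(host, ports=TRUSTED_TCP_PORTS, timeout=2.0):
    """Probe all ports concurrently; returns {name: reachable}."""
    with ThreadPoolExecutor(max_workers=max(1, len(ports))) as pool:
        results = list(pool.map(lambda p: tcp_open(host, p[1], timeout), ports))
    return {name: ok for (name, _), ok in zip(ports, results)}


def report(host, status):
    """One line per port, suitable for the verification record."""
    lines = [f"{host}:"]
    for name, ok in status.items():
        lines.append(f"  {name:9s} {'open' if ok else 'closed or filtered'}")
    return "\n".join(lines)


def listen_on_loopback():
    """Self-test helper: a listening socket on 127.0.0.1 with an ephemeral port."""
    sock = socket.socket()
    sock.bind(("127.0.0.1", 0))
    sock.listen(5)
    return sock, sock.getsockname()[1]


if __name__ == "__main__":
    # Usage: python3 check_ports.py <server IP> [<server IP> ...]
    for server in sys.argv[1:]:
        print(report(server, check_server(server)))
```

Run it from each administrator PC that was added as a trusted node, and once from a PC that was not: the second run should show every port as closed or filtered, which confirms the ACL rejects untrusted sources rather than merely that the services are up.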


Chapter 25: Access control rules enforcement

About this task

Access control rules and DSCP marking configuration changes do not take effect until after you enforce
(commit) them. This section describes how to enforce access control rules and DSCP marking for the
system.
Navigation:
Enforcing access control rules on page 205


Enforcing access control rules


Enforce (commit) the access control and DSCP marking configuration rules so that the system
applies the rules for trusted nodes and trusted ports.


Important:
To prevent the administrator from being locked out of the server, the tool requires that at
least one trusted node be configured. If at least one configured trusted node does not exist,
the tool cannot commit the changes.

Before you begin


You are a user with SSA role.


Procedure


1. Log on to the server as a user with SSA role.


2. At the prompt, enter iptcfg.


3. If you receive a prompt, enter your password.

23

4. Enter 5 to select Commit IPTables Rules.

24

5. Enter Y to confirm.

25
26

6. Enter Y if trusted nodes used to perform system maintenance operations are


included.

27

7. Enter Y to add access control exclusion rules for IPsec.
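The lockout guard in the Important note above can also be applied before you reach step 4, on the rule rows themselves. The Python below is an added example written for this page, not part of iptcfg or any Avaya software. It parses the comma-separated rows shown in the ACL configuration job aid; the field meanings it assumes (record kind, address family, source address and mask, destination address and mask, wildcards) are the editor's reading of the row shape, not an Avaya definition, and SAMPLE_ROWS is a constructed input made of three records copied from that job aid.

```python
"""Preflight for the Commit IPTables Rules step (added example).

Parses the comma-separated access-control rows shown in the job aid and
refuses to commit when the administrator host is admitted by no rule.
Field layout is the editor's assumption from the shape of the rows:
  0 rule kind (1 or 2)      1 address family ("ipv4")
  2 source address          3 source mask ("/16", or "-" for one host)
  4 destination address     5 destination mask
  6-8 protocol/port wildcards ("*")   9 trailing "-"
"""
import ipaddress
from dataclasses import dataclass

FIELDS_PER_RULE = 10

# Constructed sample: three records copied from the job aid's single run.
SAMPLE_ROWS = (
    "1,ipv4,47.102.0.0,/16,135.60.83.68,-,*,*,*,-,"
    "2,ipv4,135.60.83.68,-,47.102.0.0,/16,*,*,*,-,"
    "1,ipv4,135.60.0.0,/16,135.60.83.68,-,*,*,*,-"
)


@dataclass(frozen=True)
class AclRule:
    kind: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def _to_network(addr: str, mask: str) -> ipaddress.IPv4Network:
    """A '-' mask denotes a single host; anything else must be a '/N' prefix."""
    prefix = "/32" if mask == "-" else mask
    if not prefix.startswith("/"):
        raise ValueError(f"unexpected mask field {mask!r}")
    return ipaddress.IPv4Network(addr + prefix, strict=False)


def parse_acl_rows(text: str) -> list:
    """Split one comma-separated run into 10-field rules; reject partial records."""
    if not text.strip():
        return []
    fields = [f.strip() for f in text.strip().split(",")]
    if len(fields) % FIELDS_PER_RULE:
        raise ValueError(f"{len(fields)} fields is not a multiple of {FIELDS_PER_RULE}")
    rules = []
    for i in range(0, len(fields), FIELDS_PER_RULE):
        kind, family, s_addr, s_mask, d_addr, d_mask = fields[i:i + 6]
        if family != "ipv4":
            raise ValueError(f"unsupported address family {family!r}")
        rules.append(AclRule(kind, _to_network(s_addr, s_mask), _to_network(d_addr, d_mask)))
    return rules


def rules_admitting(rules, host: str):
    """Rules whose source network contains the given administrator address."""
    addr = ipaddress.IPv4Address(host)
    return [r for r in rules if addr in r.src]


def commit_preflight(text: str, admin_host: str):
    """Mirror the tool's trusted-node guard: returns (ok, reason) for a proposed commit."""
    rules = parse_acl_rows(text)
    if not rules:
        return False, "no access-control rules parsed; refusing to commit"
    admitting = rules_admitting(rules, admin_host)
    if not admitting:
        return False, f"no rule admits {admin_host}; committing would lock this session out"
    return True, f"{len(rules)} rule(s) parsed; {admin_host} admitted by {len(admitting)} rule(s)"


if __name__ == "__main__":
    for host in ("47.102.5.9", "10.0.0.1"):
        print(host, commit_preflight(SAMPLE_ROWS, host))
```

Run it with the address of the administrator PC you are committing from; a False result means the rule set as exported leaves that PC with no admitting rule, which is exactly the condition the tool's own guard exists to catch.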

Chapter 26: NTP server management

The Application Server 5300 servers get the date and time from one or more remote NTP servers. The NTP servers are initially configured during system installation. If the remote NTP server changes, you must update the servers with the new IP address of the remote NTP servers.

NTP server management procedures

The following task flow shows the sequence of procedures that you perform to manage NTP servers.

Navigation
- Updating the primary clock source servers on page 208
- Updating the secondary clock source servers on page 209
- Configuring a server as a nonclock source on page 211

Avaya - Proprietary. Use pursuant to the terms of your signed agreement or Avaya policy.
DRAFTMay 3, 20128:51 PM (UTC+01:00)

Avaya Aura Application Server 5300 Security


May 3, 2012

207

NTP server management

Updating the primary clock source servers

Use this procedure to update the NTP server information on the Application Server 5300 servers if you need to change the IP address of the primary clock source servers.

Before you begin
- You are a user with SSA role.

Procedure
1. Log on to the server as a user with SSA role.
2. Enter ntpConfig at the prompt.
3. Enter c to configure the NTP servers.
4. Enter 1 to configure a primary clock source server.
5. Enter e to configure the external clock sources.
6. Enter the number of clock sources to reference.
7. Enter the IP address for the NTP servers.
8. When prompted to configure symmetric key authentication, enter n.
9. Repeat step 7 on page 208 to step 8 on page 208 for each primary clock source that you add.
10. If you are configuring a simplex system, enter the machine logical IP address.
11. Enter Y to confirm the configuration.


Updating the primary clock source servers when your system uses
21symmetric key encryption

20

22
23

If your system uses symmetric key encryption to protect NTP traffic, use this procedure to
change the IP the primary clock source servers for NTP.

24

Before you begin

25

You are a user with SSA role.

Procedure

26
27
28

208

1. Transfer the keys file from the external NTP server to /var/tmp on the AS 5300
Element Manager server.

2. Log on to the server as root, and enter # mv /var/tmp/keys /etc/ntp/keys at the prompt.
3. Log on to the server as a user with SSA role.
4. Enter ntpConfig at the prompt.
5. Enter c to configure the NTP servers.
6. Enter 1 to configure a primary clock source server.
7. Enter e to configure the external clock sources.
8. Enter the number of clock sources to reference.
9. Enter the IP address for the NTP servers.
10. When prompted to configure symmetric key authentication, enter y.
11. Select a key index to associate with the server IP address.
12. Repeat step 7 on page 208 to step 8 on page 208 for each primary clock source that you add.
13. If you are configuring a simplex system, enter the machine logical IP address.
14. Enter Y to confirm the configuration.


Updating the secondary clock source servers

Use this procedure to update the NTP server information on the Application Server 5300 servers if you need to change the IP address of the secondary clock source servers.

Before you begin
- You are a user with SSA role.

Procedure
1. Log on to the server as a user with SSA role.
2. Enter ntpConfig at the prompt.
3. Enter c to configure the NTP servers.
4. Enter 2 to configure a secondary clock source server.
5. Enter e to configure the external clock sources.
6. Enter the number of clock sources to reference.
7. Enter the IP address for the NTP server.

8. When prompted to configure symmetric key authentication, enter n.
9. Enter the machine logical IP address of the primary clock source server.
10. Repeat step 7 on page 209 to step 9 on page 210 for each secondary clock source that you add.
11. Enter Y to confirm the configuration.

Updating the secondary clock source servers when your system uses symmetric key encryption

If your system uses symmetric key encryption to protect NTP traffic, use this procedure to change the IP address of the secondary clock source servers for NTP.

Before you begin
- You are a user with SSA role.

Procedure
1. Transfer the keys file from the external NTP server to /var/tmp on the AS 5300 Element Manager server.
2. Log on to the server as root, and enter # mv /var/tmp/keys /etc/ntp/keys at the prompt.
3. Log on to the server as a user with SSA role.
4. Enter ntpConfig at the prompt.
5. Enter c to configure the NTP servers.
6. Enter 2 to configure a secondary clock source server.
7. Enter e to configure the external clock sources.
8. Enter the number of clock sources to reference.
9. Enter the IP address for the NTP server.
10. When prompted to configure symmetric key authentication, enter y.
11. Select a key index to associate with the server IP address.
12. Enter the machine logical IP address of the primary clock source server.
13. Repeat step 7 on page 209 to step 9 on page 210 for each secondary clock source that you add.
14. Enter Y to confirm the configuration.
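Steps 1, 2 and 11 of both symmetric-key procedures (this one and the primary clock source variant above) depend on the keys file being sound before a key index is chosen in ntpConfig. The Python validator below is an added example, not an Avaya tool. It assumes the reference ntpd keys-file format (one key per line as <keyno> <digest> <secret>, with # comments), because the page moves the file to /etc/ntp/keys without showing its contents; SAMPLE_KEYS_FILE is a constructed input. It reports malformed lines, duplicate or out-of-range indices, and MD5 keys, since MD5 is not a FIPS 140-2 approved security function.

```python
"""Validator for an ntpd symmetric-key file (added example).

Assumes the reference ntpd format: <keyno> <digest> <secret> per line,
'#' starts a comment. Returns the usable keys so that the index chosen in
ntpConfig ("Select a key index") is one the server can actually use.
"""
from dataclasses import dataclass

# HMAC-SHA-1 is an approved FIPS 140-2 security function; MD5 is not.
FIPS_APPROVED_DIGESTS = {"SHA1"}
MAX_KEY_INDEX = 65535

# Constructed sample keys file: five entries, three of them faulty on purpose.
SAMPLE_KEYS_FILE = """\
# keyno  digest  secret
1      MD5    legacyPa55                                  # not FIPS-approved
2      SHA1   3f7a0c9d2b1e4a6f8c0d1e2f3a4b5c6d7e8f9a0b
2      SHA1   0123456789abcdef0123456789abcdef01234567    # duplicate index
3      SHA1   fedcba9876543210fedcba9876543210fedcba98
70000  SHA1   0123456789abcdef0123456789abcdef01234567    # index out of range
"""


@dataclass(frozen=True)
class NtpKey:
    index: int
    digest: str
    secret: str


def parse_ntp_keys(text: str):
    """Return (keys_by_index, problems, unusable_indices)."""
    keys, problems, unusable = {}, [], set()
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        if len(parts) != 3:
            problems.append(f"line {lineno}: expected '<keyno> <digest> <secret>', got {len(parts)} fields")
            continue
        index_s, digest, secret = parts
        if not index_s.isdigit() or not 1 <= int(index_s) <= MAX_KEY_INDEX:
            problems.append(f"line {lineno}: key index {index_s!r} outside 1..{MAX_KEY_INDEX}")
            continue
        index = int(index_s)
        if index in keys:
            # Two definitions of one index: ntpd's choice is not something to rely on.
            problems.append(f"line {lineno}: duplicate key index {index}")
            unusable.add(index)
            continue
        if digest.upper() not in FIPS_APPROVED_DIGESTS:
            problems.append(f"line {lineno}: key {index} uses {digest}, which is not FIPS 140-2 approved")
            unusable.add(index)
        keys[index] = NtpKey(index, digest.upper(), secret)
    return keys, problems, unusable


def key_index_usable(text: str, index: int) -> bool:
    """True only if `index` is defined exactly once with an approved digest."""
    keys, _, unusable = parse_ntp_keys(text)
    return index in keys and index not in unusable


if __name__ == "__main__":
    found, issues, bad = parse_ntp_keys(SAMPLE_KEYS_FILE)
    for issue in issues:
        print(issue)
    print("usable indices:", sorted(set(found) - bad))
```

Run it against the file before step 2 moves it into /etc/ntp/keys; the indices it reports as usable are the only ones worth entering at step 11.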

Configuring a server as a nonclock source

Use this procedure to configure a server as a nonclock source for NTP.

Important:
Perform this procedure on all SIP Core and Avaya Media Server (MS) servers that are not designated as a primary or secondary clock server.

Before you begin
- You are a user with SSA role.

Procedure
1. Log on to the server as a user with SSA role.
2. Enter ntpConfig at the prompt.
3. Enter c to configure the NTP servers.
4. Enter 3 to configure a server that is not a clock source server.
5. Enter the internal OAM IP of the EMS server used as the primary clock source server.
6. Enter the internal OAM IP of the EMS server used as the secondary clock source server.
7. Enter Y to confirm the configuration.


Chapter 27: TLS configuration

About this task

Use the procedures in this chapter to configure TLS.

Navigation:
- Configuring the AS 5300 Session Managers to use only TLS on page 213
- Configuring the Provisioning Managers to use only TLS on page 215

Configuring the AS 5300 Session Managers to use only TLS

For a FIPS-compliant system, configure the AS 5300 Session Managers to use only Transport Layer Security (TLS).

Before you begin
- You can access the AS 5300 Element Manager Console.
- You have NEService privileges.

Procedure
1. From the configuration view of the AS 5300 Element Manager Console, select Network Elements > Session Managers.
2. In the Session Managers panel, select the entry for the network element to modify and click Edit (-/+).
3. In the Edit <Session Manager instance> dialog box, clear the Enable SIP TCP Port and the Enable SIP TLS Port check boxes.
4. Select the Enable SIP TLS Port check box.
5. Click Apply.


Variable definitions

Variable | Value
<Session Manager instance> | This value is the name of the AS 5300 Session Manager, such as SESM1.

Configuring the AS 5300 Session Managers to use only TLS job aid

This job aid lists the fields on the Edit <Session Manager instance> dialog box.

Parameter | Description
Short Name | (Read-only) The short name of the NE (maximum of 6 characters).
Long Name | The long name of the NE (maximum of 32 characters).
Base Port | A range of 100 ports reserved off the base port for use by the NE. Range: 1100654 000
FPM | The FPM used by the NE.
Signaling Service Address | The service address used by the NE.
AM | The Accounting Manager to which the NE reports. (Select from the list.)
Call Park Id | (Read-only) The ID prepended to a call park number. This ID indicates the AS 5300 Session Manager on which a call is parked.
Enable SIP UDP Port | Enables the SIP UDP port. Selected = enabled; Not selected = disabled.
SIP UDP Port | Specifies the UDP port for SIP. Example: 5060
Enable SIP TCP Port | Enables the SIP TCP port. Selected = enabled; Not selected = disabled. Example: 5060
SIP TCP Port | Specifies the TCP port for SIP. Example: 5060
Enable SIP TLS Port | Enables the SIP TLS port. Selected = enabled; Not selected = disabled.
SIP TLS Port | Specifies the TLS port for SIP. Example: 5061
SIP Certificate | The logical name of the certificate that the system uses for secure SIP communication. (Select from the list.)
Sesm LDAP Certificate | The logical name of the certificate that the AS 5300 Session Manager uses to communicate with the LDAP server. (Select from the list.)


Configuring the Provisioning Managers to use only TLS

For a FIPS-compliant system, configure the Provisioning Managers to use only Transport Layer Security (TLS).

Before you begin
- You can access the AS 5300 Element Manager Console.
- You have NEService privileges.

Procedure
1. From the configuration view of the AS 5300 Element Manager Console, select Network Elements > Provisioning Managers.
2. In the Provisioning Managers panel, select the entry for the network element to modify and click Edit (-/+).
3. In the Edit <Provisioning Manager instance> dialog box, clear the Enable SIP TCP Port and the Enable SIP TLS Port check boxes.
4. Select the Enable SIP TLS Port check box.
5. Click Apply.

Variable definitions

Variable | Value
<Provisioning Manager instance> | This value is the name of the Provisioning Manager, such as PROV1.

Configuring the Provisioning Managers to use only TLS job aid

This job aid lists and describes the fields on the Edit <Provisioning Manager instance> dialog box.

Parameter | Description
Short Name | (Read-only) The short name of the NE (maximum of 6 characters).
Long Name | The long name of the NE (maximum of 32 characters).

Avaya - Proprietary. Use pursuant to the terms of your signed agreement or Avaya policy.
DRAFTMay 3, 20128:51 PM (UTC+01:00)

Avaya Aura Application Server 5300 Security


May 3, 2012

215

TLS configuration

Parameter

216

Description

Base Port | A range of 100 ports reserved off the base port for use by the NE. Range: 1100654000
FPM | The FPM used by the NE.
Enable Prov HTTP Port | (Check box) Select to enable the Provisioning HTTP port.
Internal OAM HTTPS Certificate | The private key and certificate pair for the Provisioning HTTPS server.
External OAM HTTPS Certificate | The private key and certificate pair for the Provisioning HTTPS server (external interface).
LDAP Certificate | The logical name of the certificate used for communication between the Provisioning Manager and the LDAP server.
Enable PA HTTP Port | (Check box) Select to enable the Personal Agent HTTP port.
PA HTTPS Certificate | The private key and certificate pair that the Personal Agent HTTPS server uses. (Select from the list.)
Enable SIP UDP Port | (Check box) Select to enable the SIP UDP port. Default: 5060
Enable SIP TCP Port | (Check box) Select to enable the SIP TCP port. Default: 5060
Enable SIP TLS Port | (Check box) Select to enable the SIP TLS port. Default: 5061
SIP Certificate | The logical name of the certificate that the system uses for secure SIP communication. (Select from the list.)

Avaya - Proprietary. Use pursuant to the terms of your signed agreement or Avaya policy.
DRAFTMay 3, 20128:51 PM (UTC+01:00)

Avaya Aura Application Server 5300 Security


May 3, 2012

Chapter 28: TLS Mutual authentication

About this task

TLS mutual authentication mode requires both the server endpoint and the client endpoint to exchange X.509 certificates for authentication. TLS mutual authentication is now supported for all end user devices. Interfaces between network elements continue to enforce TLS mutual authentication as the mandatory setting. End user devices have the option to enforce TLS mutual authentication.

When applied to end user interfaces, TLS mutual authentication allows for two-factor authentication:
- The end user provides a complex password
- A client certificate

There are two types of secure channels using TLS:
- SIP call signaling
- HTTPS (OMI, OPI and SOPI). When TLS mutual authentication is enabled, the system administrator is required to install a client certificate in all HTTPS endpoints.

Navigation:
- Enabling mutual authentication mode for SIP on page 217
- Enabling mutual authentication mode for HTTPS on page 218

Enabling mutual authentication mode for SIP

Procedure
1. In the configuration view of the AS 5300 Element Manager Console, select Network Elements > Session Managers > <Session Manager instance> > Configuration Parameters.
2. From the Parm Group list, select TLSAuth.
3. In the list of configuration parameters, locate EnforceTLSMutualAuthForSIP.
4. Change the parameter value to true.
   The default value for this parameter is false (disabled).
5. Restart the NE instance.



Enabling mutual authentication mode for HTTPS

Procedure
1. In the configuration view of the AS 5300 Element Manager Console, select Network Elements > AS 5300 Element Manager > <AS 5300 Element Manager instance> > Configuration Parameters.
2. From the Parm Group list, select TLSAuth.
3. In the list of configuration parameters, locate EnforceTLSMutualAuthForHTTPS.
4. Change the value to true.
   The default value for this parameter is false (disabled).
5. Click Apply.
6. Close the configuration parameters window.
7. Restart the standby instance of the AS 5300 Element Manager.
8. After the standby instance state turns to hot standby, stop the active AS 5300 Element Manager.
   This action causes a failover to the backup AS 5300 Element Manager and causes the AS 5300 Element Manager Console to lose connectivity.
9. Log on to the AS 5300 Element Manager Console again.
10. Start the AS 5300 Element Manager backup instance.



Chapter 29: FIPS overview

This chapter provides details about Federal Information Processing Standards (FIPS) in the Avaya Aura Application Server 5300 system. For background information about the National Institute of Standards and Technology (NIST) and FIPS, see Avaya Aura Application Server 5300 Overview, NN42040-100.

Navigation:
- FIPS compliance on page 219
- Platform on page 220
- SSH on page 220
- AS 5300 Element Manager Console on page 220

FIPS compliance

The system is FIPS 140-2 compliant because all cryptographic modules in the solution use FIPS 140-2 certified cryptographic modules and approved security functions. FIPS 140-2 covers cryptography for traffic external to the system and for internal system traffic. The following communication protocols use FIPS 140-2 cryptographic modules:
- SIP/TLS
- IPsec
- IKE
- HTTPS
- PKI (for key encryption)
- SSH
- SFTP

The system uses the following Certicom cryptographic modules:

Table 12: Certicom cryptographic modules

Cryptographic module | Security function | Certificate number
Security Builder GSE J v2.2 | Java JCE | #578, #792
Security Builder GSE-C v2.0 | SSL cryptographic functions | #542, #829, #882
IPSec toolkit v3.1 | IPSec and IKE | Uses GSE-C


Platform

An SSA administrator must enable FIPS on the platform for each server. For more information, see 105.1.3 AS5300 Security Hardening.

SSH

Secure Shell (SSH) supports only the following ciphers:
- 3DES-cbc
- AES128-cbc
- AES192-cbc
- AES256-cbc

AS 5300 Element Manager Console

The FIPS-compliant AS 5300 Element Manager Console requires Java Release 6.0 07. After each AS 5300 Element Manager Console upgrade, an administrator must manually replace the following files:
- /var/mcp/run/MCP_15.1/EM_0/tomcat/webapps/ROOT/smguiws.jar
- /var/mcp/run/MCP_15.1/EM_0/tomcat/webapps/ROOT/axis.jar
- /var/mcp/run/MCP_15.1/EM_0/tomcat/webapps/ROOT/bcprov-jdk16-140.jar

For more information, see Updating the FIPS-compliant AS 5300 Element Manager Console on page 229.


Chapter 30: Cipher suite configuration

Configure cipher suites to enable only FIPS-compliant ciphers.

Cipher suite configuration procedures

The following task flow shows the sequence of procedures that you perform to configure cipher suites for the Avaya Aura Application Server 5300 system.



Navigation
- Configuring OAMP ciphers on page 222
- Configuring external OAMP ciphers on page 222
- Configuring HTTPS ciphers on page 223
- Configuring signaling ciphers on page 224

Configuring OAMP ciphers

Configure Operations, Administration, Maintenance, and Provisioning (OAMP) ciphers to enable only FIPS-compliant cipher suites.

Before you begin
- You can access the AS 5300 Element Manager Console.
- You have CipherSuiteService privileges.

Procedure
1. From the configuration view of the AS 5300 Element Manager Console, select Network Data and Mtc > Cipher Suites > OAMP Channel Cipher Suites.
2. In the OAMP Channel Cipher Suites panel, select the TLS_RSA_WITH_AES_128_CBC_SHA cipher suite entry and click Enable.
3. Ensure that the value for each of the other cipher suite entries is false.
4. To disable a cipher suite, select the entry and click Disable.
5. Click Apply.


Configuring external OAMP ciphers

Configure external Operations, Administration, Maintenance, and Provisioning (OAMP) ciphers to enable only FIPS-compliant cipher suites.

Before you begin
- You can access the AS 5300 Element Manager Console.
- You have CipherSuiteService privileges.


Procedure
1. From the configuration view of the AS 5300 Element Manager Console, select Network Data and Mtc > Cipher Suites > External OAMP Cipher Suites.
2. In the External OAMP Cipher Suites panel, select the SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA cipher suite entry and click Enable.
3. In the External OAMP Cipher Suites panel, select the SSL_RSA_WITH_3DES_EDE_CBC_SHA cipher suite entry and click Enable.
4. In the External OAMP Cipher Suites panel, select the TLS_RSA_WITH_AES_128_CBC_SHA cipher suite entry and click Enable.
5. Ensure that the value for each of the other cipher suite entries is false.
6. To disable a cipher suite, select the entry and click Disable.
7. Click Apply.


Configuring HTTPS ciphers

Configure Secure Hypertext Transfer Protocol (HTTPS) ciphers to enable only FIPS-compliant cipher suites.

Before you begin
- You can access the AS 5300 Element Manager Console.
- You have CipherSuiteService privileges.

Procedure
1. From the configuration view of the AS 5300 Element Manager Console, select Network Data and Mtc > Cipher Suites > HTTPS Cipher Suites.
2. In the HTTPS Cipher Suites panel, select the SSL_DH_RSA_WITH_3DES_EDE_CBC_SHA cipher suite entry and click Enable.
3. In the HTTPS Cipher Suites panel, select the SSL_RSA_WITH_3DES_EDE_CBC_SHA cipher suite entry and click Enable.
4. In the HTTPS Cipher Suites panel, select the TLS_RSA_WITH_AES_128_CBC_SHA cipher suite entry and click Enable.
5. Ensure that the value for each of the other cipher suite entries is false.
6. To disable a cipher suite, select the entry and click Disable.


7. Click Apply.


Configuring signaling ciphers

Configure signaling ciphers to enable only FIPS-compliant cipher suites.

Before you begin
- You can access the AS 5300 Element Manager Console.
- You have CipherSuiteService privileges.

Procedure
1. From the configuration view of the AS 5300 Element Manager Console, select Network Data and Mtc > Cipher Suites > Signaling Cipher Suites.
2. In the Signaling Cipher Suites panel, select the TLS_RSA_WITH_AES_128_CBC_SHA cipher suite entry and click Enable.
3. Select the TLS_RSA_WITH_AES_256_CBC_SHA cipher suite entry and click Enable.
4. Select the TLS_RSA_WITH_NULL_SHA cipher suite entry and click Disable.
5. Click Apply.
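The four procedures in this chapter amount to a per-panel allowlist, which is easy to audit after the fact. The Python below is an added example, not Avaya tooling. It encodes the suites each procedure enables, treats any other enabled suite in the OAMP, External OAMP and HTTPS panels as a deviation (the "Ensure that the value for each of the other cipher suite entries is false" steps), and for the Signaling panel flags the NULL suite that step 4 disables. As the editor's generalisation beyond the page, it also flags any enabled suite whose name marks it as NULL, anonymous, export-grade or RC4. SAMPLE_PANELS is a constructed snapshot of two panels, not an export from a real system.

```python
"""Audit of the Cipher Suites panels against the FIPS-only configuration
described in this chapter (added example, not Avaya tooling).

Each panel is modelled as a dict of suite name -> enabled flag, as read
off the OAMP, External OAMP, HTTPS and Signaling Cipher Suites panels.
"""

# Suites each procedure enables.
REQUIRED = {
    "OAMP Channel Cipher Suites": {"TLS_RSA_WITH_AES_128_CBC_SHA"},
    "External OAMP Cipher Suites": {
        "SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA",
        "SSL_RSA_WITH_3DES_EDE_CBC_SHA",
        "TLS_RSA_WITH_AES_128_CBC_SHA",
    },
    "HTTPS Cipher Suites": {
        "SSL_DH_RSA_WITH_3DES_EDE_CBC_SHA",
        "SSL_RSA_WITH_3DES_EDE_CBC_SHA",
        "TLS_RSA_WITH_AES_128_CBC_SHA",
    },
    "Signaling Cipher Suites": {
        "TLS_RSA_WITH_AES_128_CBC_SHA",
        "TLS_RSA_WITH_AES_256_CBC_SHA",
    },
}
# The first three procedures require every other entry to be false; the
# Signaling procedure only names TLS_RSA_WITH_NULL_SHA for disabling.
ALL_OTHERS_FALSE = {"OAMP Channel Cipher Suites", "External OAMP Cipher Suites", "HTTPS Cipher Suites"}
EXPLICITLY_DISABLED = {"Signaling Cipher Suites": {"TLS_RSA_WITH_NULL_SHA"}}
# Editor's generalisation beyond the page: name fragments meaning no
# encryption, no server authentication, or export/RC4 strength.
UNSAFE_FRAGMENTS = ("_NULL_", "_anon_", "_EXPORT", "_RC4_")


def audit_panel(panel: str, state: dict) -> list:
    """Findings for one panel; an empty list means the panel matches the procedure."""
    findings = []
    required = REQUIRED[panel]
    for suite in sorted(required):
        if not state.get(suite, False):
            findings.append(f"{panel}: {suite} must be enabled")
    for suite, enabled in sorted(state.items()):
        if not enabled or suite in required:
            continue
        if panel in ALL_OTHERS_FALSE:
            findings.append(f"{panel}: {suite} must be disabled (only the listed suites may be enabled)")
        elif suite in EXPLICITLY_DISABLED.get(panel, set()):
            findings.append(f"{panel}: {suite} must be disabled")
        elif any(fragment in suite for fragment in UNSAFE_FRAGMENTS):
            findings.append(f"{panel}: {suite} is enabled but offers no FIPS-grade protection")
    return findings


def audit_all(panels: dict) -> list:
    """Findings across every panel supplied."""
    findings = []
    for panel, state in panels.items():
        findings.extend(audit_panel(panel, state))
    return findings


# Constructed sample snapshot of two panels after a partial configuration.
SAMPLE_PANELS = {
    "OAMP Channel Cipher Suites": {
        "TLS_RSA_WITH_AES_128_CBC_SHA": True,
        "TLS_RSA_WITH_AES_256_CBC_SHA": True,   # left enabled by mistake
        "TLS_RSA_WITH_NULL_SHA": False,
    },
    "Signaling Cipher Suites": {
        "TLS_RSA_WITH_AES_128_CBC_SHA": True,
        "TLS_RSA_WITH_AES_256_CBC_SHA": False,  # step 3 not done
        "TLS_RSA_WITH_NULL_SHA": True,          # step 4 not done
        "TLS_DH_anon_WITH_AES_128_CBC_SHA": True,
    },
}

if __name__ == "__main__":
    for finding in audit_all(SAMPLE_PANELS):
        print(finding)
```

Feed it the enabled/disabled state of each panel as shown in the console after step 5; a clean run returns no findings, and each finding names the panel and suite that still needs the Enable or Disable button.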


Chapter 31: FIPS management

About this task

Configure Federal Information Processing Standards (FIPS) to enable FIPS 140-2 compliant validation for the Avaya Aura Application Server 5300 system. Use the procedures in this chapter to manage FIPS.

Navigation:
- Stopping a network element on page 225
- Enabling FIPS on the platform on page 226
- Installing the FIPS-compliant AS 5300 Element Manager Console on page 227
- Updating the FIPS-compliant AS 5300 Element Manager Console on page 229
- Starting a network element on page 230

Stopping a network element

Perform this procedure to stop a network element instance.

Important:
When the AS 5300 Element Manager stops, your AS 5300 Element Manager Console window closes.

Before you begin
- You can access the AS 5300 Element Manager Console.
- You have NEService privileges.

Procedure
1. In the configuration view of the AS 5300 Element Manager Console, select Network Elements > <NE type> > <NE instance> > NE Maintenance.
2. In the Maintenance panel, select the network element to stop, and click Stop.
   The time required to complete the process depends on the network element type and the hosting server.



Variable Definitions

Variable | Value
<NE type> | This value is the type of network element, such as Accounting Managers.
<NE instance> | This is the network element, such as the Accounting Manager.

Enabling FIPS on the platform

Enable FIPS on each server as part of the FIPS configuration process, after you stop all of the network elements.

Important:
Repeat this procedure for each server in your Application Server 5300 system.

Before you begin
- You are a user with SSA role.
- Ensure that all Network Elements (NEs) on the system are stopped.

Procedure
1. Log on to the server as a user with SSA role.
2. Run the script to enable FIPS: enableFips
3. Enter Y to continue.
4. After the script completes successfully, reboot the server.
5. Configure the SSH client to use the following ciphers: 3DES-cbc, AES128-cbc, AES192-cbc, and AES256-cbc.
6. Log on to the server again as a user with SSA role.
7. Run the script to verify FIPS status: enableFips status



Enabling FIPS on the platform job aid

This job aid provides an example of the results returned after you run the script to verify that FIPS is enabled.

Fips mode was Enabled on:
Tue Feb 24 12:43:06 CST 2009
version:2.0
Create Date: 12-17-2008

Installing the FIPS-compliant AS 5300 Element Manager Console

About this task

For a FIPS-compliant system, install the FIPS-compliant AS 5300 Element Manager Console on the management PC.

Procedure
1. On the management PC, select Start > Run.
2. In the Open box, type cmd.
3. Click OK.
4. At the command prompt, enter java -version to determine the current JRE version installed on the management PC.
5. To determine the JRE version that the AS 5300 Element Manager Console requires, open a web browser and enter: https://<EM Console IP>:12121/servlet/InstallServlet
6. If the JRE version installed on the management PC does not match the JRE version that the AS 5300 Element Manager Console requires, click the link titled Click to install JRE <version> to download and run the installer.
7. On the PC, right-click My Computer and select Properties.
8. On the System Properties dialog, select the Advanced tab.
9. Click Environment Variables.
10. Under User Variables, click New.

11. Configure the new User variable:

   Parameter | Value
   Variable name | MCPJAVAHOME
   Variable value | C:\Progra~1\Java\jre1.6.0_16 (Or specify the path to the Java installation. The path cannot contain spaces.)

12. Click OK.
13. Open a web browser, and enter the following address to download the FIPS Management Console zip file: https://<EM Console IP>:12121/fips-mgmtconsole.zip
14. Save the fips-mgmtconsole.zip file to the PC.
15. Unzip the file to the C:\ hard drive.

   Important:
   You must download and unzip a new fips-mgmtconsole.zip file every time you upgrade the MCP system.

16. On the management PC, select Start > Run.
17. In the Open box, type cmd.
18. Click OK.
19. At the command prompt, enter the following:
   c:
   cd %MCPJAVAHOME%\lib\security
20. At the command prompt, enter the following:
   copy java.security java.security.nonFIPS
21. Change directories to the unzipped fips-mgmtconsole directory that you downloaded (for example, cd C:\fips-mgmtconsole).
22. At the command prompt, enter the following:
   copy java.security %MCPJAVAHOME%\lib\security\java.security
23. If prompted, enter Y to overwrite the java.security file.
24. In the fips-mgmtconsole.bat file in the unzipped fips-mgmtconsole directory, replace all occurrences of the previous JRE version (for example 1.6.0.16) with the new JRE version used by the EM Console.
25. Save the file.

   Tip:
   If the system displays an error that the file cannot be created, right-click the fips-mgmtconsole.bat file, select Properties, and deselect the Read-only Attributes check box.

26. Update the smaddr.txt file in the unzipped fips-mgmtconsole directory to include the EM service IP address.
27. Save the file.


   Tip:
   If the system displays an error that the file cannot be created, right-click the smaddr.txt file, select Properties, and deselect the Read-only Attributes check box.

28. To open the AS 5300 Element Manager Console, double-click the fips-mgmtconsole.bat file in the unzipped fips-mgmtconsole directory.

   Tip:
   If the system displays an Unable to activate Certicom FIPS Manager error, copy the fips-mgmtconsole directory to another location and launch the batch file again.

   Important:
   To ensure FIPS compliance, always access the EM Console through the fips-mgmtconsole.bat file. Do not access the EM Console through https://<EM Console IP>:12121.

Variable Definitions

Variable | Definition
<EM_Service_IPAddress> | The IP for the AS 5300 Element Manager Service Address.
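Steps 24 and 25 above, together with the Tip about the Read-only attribute, describe a manual edit that is easy to get wrong when the batch file contains the JRE path more than once. The Python helper below is an added example, not an Avaya script: it replaces the old JRE version string throughout fips-mgmtconsole.bat, writes a .bak copy first, clears the read-only bit if the file is not writable (the Tip's failure mode), and reports any other JRE version string left behind. SAMPLE_BAT is a constructed stand-in, because the real file's contents are not shown on this page, and run_demo() exercises the whole sequence on a temporary copy.

```python
"""Helper for steps 24 and 25 of the install procedure (added example, not
an Avaya script): swap the JRE version string in fips-mgmtconsole.bat,
keep a backup, and clear a Read-only attribute first.
"""
import os
import re
import stat
import tempfile
from pathlib import Path

# Matches 1.6.0_16 as well as the 1.6.0.16 spelling used in the procedure text.
JRE_VERSION_RE = re.compile(r"1\.6\.0[._]\d{2}")

# Constructed sample batch file; the real file's contents are not on this page.
SAMPLE_BAT = (
    "@echo off\n"
    "set JRE=C:\\Progra~1\\Java\\jre1.6.0_16\n"
    "set PATH=C:\\Progra~1\\Java\\jre1.6.0_16\\bin;%PATH%\n"
    '"%JRE%\\bin\\java.exe" -cp smguiws.jar;axis.jar;bcprov-jdk16-140.jar FipsConsole\n'
)


def rewrite_jre_version(text: str, old: str, new: str):
    """Return (updated_text, leftovers). Leftovers are other JRE version
    strings still present, i.e. stale paths a blind replace would miss."""
    if old not in text:
        raise ValueError(f"{old} does not occur; nothing to replace")
    updated = text.replace(old, new)
    leftovers = sorted(set(JRE_VERSION_RE.findall(updated)) - {new})
    return updated, leftovers


def update_batch_file(path, old: str, new: str):
    """Rewrite the file in place, writing <name>.bak first; returns leftovers."""
    path = Path(path)
    if not os.access(path, os.W_OK):
        # Same remedy as the Tip: clear the read-only bit before writing.
        path.chmod(path.stat().st_mode | stat.S_IWUSR)
    original = path.read_text(encoding="utf-8")
    updated, leftovers = rewrite_jre_version(original, old, new)
    path.with_name(path.name + ".bak").write_text(original, encoding="utf-8")
    path.write_text(updated, encoding="utf-8")
    return leftovers


def run_demo(old: str = "1.6.0_16", new: str = "1.6.0_31"):
    """Write SAMPLE_BAT read-only into a temp dir, update it, return (text, leftovers)."""
    with tempfile.TemporaryDirectory() as tmp:
        bat = Path(tmp) / "fips-mgmtconsole.bat"
        bat.write_text(SAMPLE_BAT, encoding="utf-8")
        bat.chmod(stat.S_IRUSR | stat.S_IRGRP | stat.S_IROTH)  # simulate the Read-only attribute
        leftovers = update_batch_file(bat, old, new)
        return bat.read_text(encoding="utf-8"), leftovers


if __name__ == "__main__":
    text, leftovers = run_demo()
    print(text)
    print("stale versions left behind:", leftovers or "none")
```

A non-empty leftovers list is the signal to inspect the file by hand: it means the batch file still names a JRE version other than the one you just installed, so the console would launch against the wrong runtime.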

Updating the FIPS-compliant AS 5300 Element Manager Console

About this task

For a FIPS-compliant system, update the FIPS-compliant AS 5300 Element Manager Console on the management PC after every AS 5300 Element Manager Console update.

Procedure
1. Download the FIPS Management Console zip file from the following address, to the directory that you created in Installing the FIPS-compliant AS 5300 Element Manager Console on page 227: https://<EM_Service_IPAddress>:12121/fips-mgmtconsole.zip
2. (Optional) Create a backup copy of the original %MCPJAVAHOME%\lib\security\java.security file.


   You can use the backup copy to overwrite the FIPS version if you need to use the original AS 5300 Element Manager Console.
3. Unzip the FIPS Management Console zip file that you downloaded in step 1 on page 229.
4. Open a command window, and change to the directory that contains the AS 5300 Element Manager Console FIPS files.
5. Replace the original java.security file, in the library extension of the Java installation folder, with the FIPS-compliant version of the file:
   copy D:\MCP\fips_smgui\fips-mgmtconsole\java.security %MCPJAVAHOME%\lib\security\java.security
6. To open the AS 5300 Element Manager Console, run the fips-mgmtconsole.bat file (located in the D:\fips-mgmtconsole directory).

Variable Definitions

Variable | Definition
<EM_Service_IPAddress> | The IP for the AS 5300 Element Manager Service Address.


Starting a network element

Perform this procedure to start a network element instance.

Before you begin
- You can access the AS 5300 Element Manager Console.
- You have NEService privileges.

Procedure
1. In the configuration view of the AS 5300 Element Manager Console, select Network Elements > <NE type> > <NE instance> > NE Maintenance.
2. In the Maintenance panel, click Start.
   The time required to complete the process depends on the network element type and the hosting server.
