Avaya Aura Application Server 5300 Security


Avaya Aura Application Server 5300 Security
Release 3.0
NN
Issue
October 2017

Avaya Inc. All Rights Reserved.

Notice
While reasonable efforts have been made to ensure that the information in this document is complete and accurate at the time of printing, Avaya assumes no liability for any errors. Avaya reserves the right to make changes and corrections to the information in this document without the obligation to notify any person or organization of such changes.

Documentation disclaimer
"Documentation" means information published in varying mediums which may include product information, operating instructions and performance specifications that are generally made available to users of products. Documentation does not include marketing materials. Avaya shall not be responsible for any modifications, additions, or deletions to the original published version of Documentation unless such modifications, additions, or deletions were performed by or on the express behalf of Avaya. End User agrees to indemnify and hold harmless Avaya, Avaya's agents, servants and employees against all claims, lawsuits, demands and judgments arising out of, or in connection with, subsequent modifications, additions or deletions to this documentation, to the extent made by End User.

Link disclaimer
Avaya is not responsible for the contents or reliability of any linked websites referenced within this site or Documentation provided by Avaya. Avaya is not responsible for the accuracy of any information, statement or content provided on these sites and does not necessarily endorse the products, services, or information described or offered within them. Avaya does not guarantee that these links will work all the time and has no control over the availability of the linked pages.

Warranty
Avaya provides a limited warranty on Avaya hardware and software. Refer to your sales agreement to establish the terms of the limited warranty. In addition, Avaya's standard warranty language, as well as information regarding support for this product while under warranty, is available to Avaya customers and other parties through the Avaya Support website: getgenericdetails?detailid=c under the link "Warranty & Product Lifecycle" or such successor site as designated by Avaya. Please note that if You acquired the product(s) from an authorized Avaya Channel Partner outside of the United States and Canada, the warranty is provided to You by said Avaya Channel Partner and not by Avaya. "Hosted Service" means an Avaya hosted service subscription that You acquire from either Avaya or an authorized Avaya Channel Partner (as applicable) and which is described further in Hosted SAS or other service description documentation regarding the applicable hosted service. If You purchase a Hosted Service subscription, the foregoing limited warranty may not apply but You may be entitled to support services in connection with the Hosted Service as described further in your service description documents for the applicable Hosted Service. Contact Avaya or Avaya Channel Partner (as applicable) for more information.

Hosted Service
THE FOLLOWING APPLIES ONLY IF YOU PURCHASE AN AVAYA HOSTED SERVICE SUBSCRIPTION FROM AVAYA OR AN AVAYA CHANNEL PARTNER (AS APPLICABLE), THE TERMS OF USE FOR HOSTED SERVICES ARE AVAILABLE ON THE AVAYA WEBSITE, UNDER THE LINK "Avaya Terms of Use for Hosted Services" OR SUCH SUCCESSOR SITE AS DESIGNATED BY AVAYA, AND ARE APPLICABLE TO ANYONE WHO ACCESSES OR USES THE HOSTED SERVICE. BY ACCESSING OR USING THE HOSTED SERVICE, OR AUTHORIZING OTHERS TO DO SO, YOU, ON BEHALF OF YOURSELF AND THE ENTITY FOR WHOM YOU ARE DOING SO (HEREINAFTER REFERRED TO INTERCHANGEABLY AS "YOU" AND "END USER"), AGREE TO THE TERMS OF USE. IF YOU ARE ACCEPTING THE TERMS OF USE ON BEHALF OF A COMPANY OR OTHER LEGAL ENTITY, YOU REPRESENT THAT YOU HAVE THE AUTHORITY TO BIND SUCH ENTITY TO THESE TERMS OF USE. IF YOU DO NOT HAVE SUCH AUTHORITY, OR IF YOU DO NOT WISH TO ACCEPT THESE TERMS OF USE, YOU MUST NOT ACCESS OR USE THE HOSTED SERVICE OR AUTHORIZE ANYONE TO ACCESS OR USE THE HOSTED SERVICE.

Licenses
THE SOFTWARE LICENSE TERMS AVAILABLE ON THE AVAYA WEBSITE, UNDER THE LINK "AVAYA SOFTWARE LICENSE TERMS (Avaya Products)" OR SUCH SUCCESSOR SITE AS DESIGNATED BY AVAYA, ARE APPLICABLE TO ANYONE WHO DOWNLOADS, USES AND/OR INSTALLS AVAYA SOFTWARE, PURCHASED FROM AVAYA INC., ANY AVAYA AFFILIATE, OR AN AVAYA CHANNEL PARTNER (AS APPLICABLE) UNDER A COMMERCIAL AGREEMENT WITH AVAYA OR AN AVAYA CHANNEL PARTNER. UNLESS OTHERWISE AGREED TO BY AVAYA IN WRITING, AVAYA DOES NOT EXTEND THIS LICENSE IF THE SOFTWARE WAS OBTAINED FROM ANYONE OTHER THAN AVAYA, AN AVAYA AFFILIATE OR AN AVAYA CHANNEL PARTNER; AVAYA RESERVES THE RIGHT TO TAKE LEGAL ACTION AGAINST YOU AND ANYONE ELSE USING OR SELLING THE SOFTWARE WITHOUT A LICENSE. BY INSTALLING, DOWNLOADING OR USING THE SOFTWARE, OR AUTHORIZING OTHERS TO DO SO, YOU, ON BEHALF OF YOURSELF AND THE ENTITY FOR WHOM YOU ARE INSTALLING, DOWNLOADING OR USING THE SOFTWARE (HEREINAFTER REFERRED TO INTERCHANGEABLY AS "YOU" AND "END USER"), AGREE TO THESE TERMS AND CONDITIONS AND CREATE A BINDING CONTRACT BETWEEN YOU AND AVAYA INC. OR THE APPLICABLE AVAYA AFFILIATE ("AVAYA").

Avaya grants You a license within the scope of the license types described below, with the exception of Heritage Nortel Software, for which the scope of the license is detailed below. Where the order documentation does not expressly identify a license type, the applicable license will be a Designated System License as set forth below in the Designated System(s) License (DS) section as applicable. The applicable number of licenses and units of capacity for which the license is granted will be one (1), unless a different number of licenses or units of capacity is specified in the documentation or other materials available to You. "Software" means computer programs in object code, provided by Avaya or an Avaya Channel Partner, whether as stand-alone products, pre-installed on hardware products, and any upgrades, updates, patches, bug fixes, or modified versions thereto. "Designated Processor" means a single stand-alone computing device. "Server" means a set of Designated Processors that hosts (physically or virtually) a software application to be accessed by multiple users. "Instance" means a single copy of the Software executing at a particular time: (i) on one physical machine; or (ii) on one deployed software virtual machine ("VM") or similar deployment.

License types
Named User License (NU). You may: (i) install and use each copy or Instance of the Software on a single Designated Processor or Server per authorized Named User (defined below); or (ii) install and use each copy or Instance of the Software on a Server so long as only authorized Named Users access and use the Software. "Named User" means a user or device that has been expressly authorized by Avaya to access and use the Software. At Avaya's sole discretion, a "Named User" may be, without limitation, designated by name, corporate function (e.g., webmaster or helpdesk), an e-mail or voice mail account in the name of a person or corporate function, or a directory entry in the administrative database utilized by the Software that permits one user to interface with the Software.

Heritage Nortel Software
"Heritage Nortel Software" means the software that was acquired by Avaya as part of its purchase of the Nortel Enterprise Solutions Business in December. The Heritage Nortel Software is the software contained within the list of Heritage Nortel Products located at under the link "Heritage Nortel Products" or such successor site as designated by Avaya. For Heritage Nortel Software, Avaya grants Customer a license to use Heritage Nortel Software provided hereunder solely to the extent of the authorized activation or authorized usage level, solely for the purpose specified in the Documentation, and solely as embedded in, for execution on, or for communication with Avaya equipment. Charges for Heritage Nortel Software may be based on extent of activation or use authorized as specified in an order or invoice.

Copyright
Except where expressly stated otherwise, no use should be made of materials on this site, the Documentation, Software, Hosted Service, or hardware provided by Avaya. All content on this site, the documentation, Hosted Service, and the product provided by Avaya including the selection, arrangement and design of the content is owned either by Avaya or its licensors and is protected by copyright and other intellectual property laws including the sui generis rights relating to the protection of databases. You may not modify, copy, reproduce, republish, upload, post, transmit or distribute in any way any content, in whole or in part, including any code and software unless expressly authorized by Avaya. Unauthorized reproduction, transmission, dissemination, storage, and or use without the express written consent of Avaya can be a criminal, as well as a civil offense under the applicable law.

Virtualization
The following applies if the product is deployed on a virtual machine. Each product has its own ordering code and license types. Note, unless otherwise stated, that each Instance of a product must be separately licensed and ordered. For example, if the end user customer or Avaya Channel Partner would like to install two Instances of the same type of products, then two products of that type must be ordered.

Third Party Components
"Third Party Components" mean certain software programs or portions thereof included in the Software or Hosted Service may contain software (including open source software) distributed under third party agreements ("Third Party Components"), which contain terms regarding the rights to use certain portions of the Software ("Third Party Terms"). As required, information regarding distributed Linux OS source code (for those products that have distributed Linux OS source code) and identifying the copyright holders of the Third Party Components and the Third Party Terms that apply is available in the products, Documentation or on Avaya's website at: support.avaya.com/copyright or such successor site as designated by Avaya. The open source software license terms provided as Third Party Terms are consistent with the license rights granted in these Software License Terms, and may contain additional rights benefiting You, such as modification and distribution of the open source software. The Third Party Terms shall take precedence over these Software License Terms, solely with respect to the applicable Third Party Components to the extent that these Software License Terms impose greater restrictions on You than the applicable Third Party Terms.

The following applies only if the H.264 (AVC) codec is distributed with the product. THIS PRODUCT IS LICENSED UNDER THE AVC PATENT PORTFOLIO LICENSE FOR THE PERSONAL USE OF A CONSUMER OR OTHER USES IN WHICH IT DOES NOT RECEIVE REMUNERATION TO (i) ENCODE VIDEO IN COMPLIANCE WITH THE AVC STANDARD ("AVC VIDEO") AND/OR (ii) DECODE AVC VIDEO THAT WAS ENCODED BY A CONSUMER ENGAGED IN A PERSONAL ACTIVITY AND/OR WAS OBTAINED FROM A VIDEO PROVIDER LICENSED TO PROVIDE AVC VIDEO. NO LICENSE IS GRANTED OR SHALL BE IMPLIED FOR ANY OTHER USE. ADDITIONAL INFORMATION MAY BE OBTAINED FROM MPEG LA, L.L.C. SEE

Service Provider
THE FOLLOWING APPLIES TO AVAYA CHANNEL PARTNER'S HOSTING OF AVAYA PRODUCTS OR SERVICES. THE PRODUCT OR HOSTED SERVICE MAY USE THIRD PARTY COMPONENTS SUBJECT TO THIRD PARTY TERMS AND REQUIRE A SERVICE PROVIDER TO BE INDEPENDENTLY LICENSED DIRECTLY FROM THE THIRD PARTY SUPPLIER. AN AVAYA CHANNEL PARTNER'S HOSTING OF AVAYA PRODUCTS MUST BE AUTHORIZED IN WRITING BY AVAYA AND IF THOSE HOSTED PRODUCTS USE OR EMBED CERTAIN THIRD PARTY SOFTWARE, INCLUDING BUT NOT LIMITED TO MICROSOFT SOFTWARE OR CODECS, THE AVAYA CHANNEL PARTNER IS REQUIRED TO INDEPENDENTLY OBTAIN ANY APPLICABLE LICENSE AGREEMENTS, AT THE AVAYA CHANNEL PARTNER'S EXPENSE, DIRECTLY FROM THE APPLICABLE THIRD PARTY SUPPLIER. WITH RESPECT TO CODECS, IF THE AVAYA CHANNEL PARTNER IS HOSTING ANY PRODUCTS THAT USE OR EMBED THE G.729 CODEC, H.264 CODEC, OR H.265 CODEC, THE AVAYA CHANNEL PARTNER ACKNOWLEDGES AND AGREES THE AVAYA CHANNEL PARTNER IS RESPONSIBLE FOR ANY AND ALL RELATED FEES AND/OR ROYALTIES. THE G.729 CODEC IS LICENSED BY SIPRO LAB TELECOM INC. SEE THE H.264 (AVC) CODEC IS LICENSED UNDER THE AVC PATENT PORTFOLIO LICENSE FOR THE PERSONAL USE OF A CONSUMER OR OTHER USES IN WHICH IT DOES NOT RECEIVE REMUNERATION TO: (I) ENCODE VIDEO IN COMPLIANCE WITH THE AVC STANDARD ("AVC VIDEO") AND/OR (II) DECODE AVC VIDEO THAT WAS ENCODED BY A CONSUMER ENGAGED IN A PERSONAL ACTIVITY AND/OR WAS OBTAINED FROM A VIDEO PROVIDER LICENSED TO PROVIDE AVC VIDEO. NO LICENSE IS GRANTED OR SHALL BE IMPLIED FOR ANY OTHER USE. ADDITIONAL INFORMATION FOR H.264 (AVC) AND H.265 (HEVC) CODECS MAY BE OBTAINED FROM MPEG LA, L.L.C. SEE

Compliance with Laws
You acknowledge and agree that it is Your responsibility for complying with any applicable laws and regulations, including, but not limited to laws and regulations related to call recording, data privacy, intellectual property, trade secret, fraud, and music performance rights, in the country or territory where the Avaya product is used.

Preventing Toll Fraud
"Toll Fraud" is the unauthorized use of your telecommunications system by an unauthorized party (for example, a person who is not a corporate employee, agent, subcontractor, or is not working on your company's behalf). Be aware that there can be a risk of Toll Fraud associated with your system and that, if Toll Fraud occurs, it can result in substantial additional charges for your telecommunications services.

Avaya Toll Fraud intervention
If You suspect that You are being victimized by Toll Fraud and You need technical assistance or support, call Technical Service Center Toll Fraud Intervention Hotline at for the United States and Canada. For additional support telephone numbers, see the Avaya Support website: or such successor site as designated by Avaya.

Security Vulnerabilities
Information about Avaya's security support policies can be found in the Security Policies and Support section of support.avaya.com/security. Suspected Avaya product security vulnerabilities are handled per the Avaya Product Security Support Flow (support.avaya.com/css/p8/documents/).

Downloading Documentation
For the most current versions of Documentation, see the Avaya Support website: or such successor site as designated by Avaya.

Contact Avaya Support
See the Avaya Support website: for product or Hosted Service notices and articles, or to report a problem with your Avaya product or Hosted Service. For a list of support telephone numbers and contact addresses, go to the Avaya Support website: (or such successor site as designated by Avaya), scroll to the bottom of the page, and select Contact Avaya Support.

Trademarks
The trademarks, logos and service marks ("Marks") displayed in this site, the Documentation, Hosted Service(s), and product(s) provided by Avaya are the registered or unregistered Marks of Avaya, its affiliates, its licensors, its suppliers, or other third parties. Users are not permitted to use such Marks without prior written consent from Avaya or such third party which may own the Mark. Nothing contained in this site, the Documentation, Hosted Service(s) and product(s) should be construed as granting, by implication, estoppel, or otherwise, any license or right in and to the Marks without the express written permission of Avaya or the applicable third party. Avaya is a registered trademark of Avaya Inc. All non-Avaya trademarks are the property of their respective owners. Linux is the registered trademark of Linus Torvalds in the U.S. and other countries. Java is a registered trademark of Oracle and/or its affiliates.

Contents

Chapter 1: New in this release
  Features
  Document changes since last issue
  Other changes
Chapter 2: Introduction
Chapter 3: Platform security overview
  BIOS password control
  GRUB password control
  Administrative user account names
  Administrative user roles
  Primary role
  Sudo access control
  Platform user management tool
  Administrative account timers
  Account lockout
  Password complexity
  Password changes
  Inactive platform account auditing
  Root user access
  Individual user accounts
  Preconfigured accounts
  Remote system accounts
  Secure Shell and Common Access Card integration
  Administrative user database backup
  Platform warning banners
Chapter 4: Platform administrator security management
  Modifying password complexity rules (menu)
  Configuring the GRUB password
  Creating individual user accounts (menu)
  Creating individual user accounts job aid
  Deleting a user account (menu)
  Deleting a user account (menu) job aid
  Modifying user roles (menu)
  Changing the state of a user account (menu)
  Listing server user accounts (menu)
  Managing sudo access (menu)
  Resetting a platform user account password (menu)
  Resetting a platform user account password (CLI)
  Viewing the status of inactive account auditing
  Enabling inactive account auditing
  Enabling inactive account auditing job aid
  Disabling inactive account auditing
  Configuring platform warning banners
Chapter 5: Security configuration and management overview
  Application administrator security
  Administrator password complexity
  Password aging
  Log on session constraints
  Application warning banners
  Administrative user accounts
  Special rules for the Security Administrator
  MCP SNMP Community Strings
  Administrative security services
  Application administrator (Admin) security defaults
  Web server logs
  Internal database account security
  Database application security
  Subscriber security
  Password policies and domains
  Password expiry during active call
  Subscriber lockout
  Domain security
  File system integrity
  Verification reports
  FSI baseline management
  FSI baseline exclusions
  FSI baseline backup and restore
  Configuration file
  HTTPS certificates
  AS 5300 Element Manager Console CAC integration
  AS5300 UC Client CAC integration
  Application logging
  Security logs
  Syslog
  System audit
  Failed logons
  File activity in restricted areas
  Backup of security logs
  System alarms
Chapter 6: Database password management
  Resetting the internal database account passwords
  Changing the Schema account password
  Changing the database application password, without changing the load
  Changing the database application password during an upgrade
Chapter 7: Antivirus management
  Updating the virus definitions
  Scheduling virus scans
Chapter 8: File system integrity management
  Creating an FSI baseline
  Verifying the file system against a baseline
  Managing FSI baselines
Chapter 9: Security log management
  Configuring a remote syslog server
  Deleting a remote syslog server
  Modifying system audit logs
Chapter 10: Application administrator security configuration and management
  Enabling web server logs
  Configuring application administrator password rules
  Configuring application administrator password rules job aid
  Configuring a new AS 5300 Element Manager Console role
  Configuring a new AS 5300 Element Manager Console role job aid
  Configuring a new AS 5300 Element Manager Console administrator
  Configuring a new AS 5300 Element Manager Console user job aid
  Assigning a role to an AS 5300 Element Manager Console administrator
  Configuring log on and session rules
  Configuring log on and session rules job aid
  Configuring a new Provisioning Client role
  Configuring a new Provisioning Client administrator
  Configuring a new Provisioning Client administrator job aid
  Configuring warning banners
  Configuring warning banners job aid
  Modifying log on and session rules
  Modifying log on and session rules job aid
  Modifying application administrator password rules
  Modifying application administrator password rules job aid
  Modifying an AS 5300 Element Manager Console role
  Modifying an AS 5300 Element Manager Console role job aid
  Modifying an AS 5300 Element Manager Console administrator
  Modifying an AS 5300 Element Manager Console administrator job aid
  Disabling an AS 5300 Element Manager administrator account
  Disabling password aging rules for an account
  Viewing and forcing off users
  Exporting configuration data for AS 5300 Element Manager Console
  Importing configuration data for AS 5300 Element Manager Console
  Deleting an AS 5300 Element Manager Console role
  Deleting an AS 5300 Element Manager Console administrator
  Resetting the password for the AS 5300 Element Manager Console admin account
  Resetting the password for an AS 5300 Element Manager Console administrator
  Changing your AS 5300 Element Manager Console password
  Modifying a Provisioning Client role
  Modifying a Provisioning Client role job aid
  Listing Provisioning Client Admin users
  Searching for Provisioning Client users by role
  Searching for inactive Provisioning Client users
  Modifying a Provisioning Client Admin
  Deleting a Provisioning Client user
  Resetting the password for the Provisioning Manager admin account
  Resetting the password for a Provisioning Client administrator
  Changing your Provisioning Client password
Chapter 11: Application security configuration
  Configuring the AS 5300 Element Manager with certificates for HTTPS
  Configuring the Provisioning Manager with certificates for HTTPS
  Configuring the AS 5300 Element Manager Console with certificates for HTTPS and SIP (CAC)
Chapter 12: Certificate management overview
Chapter 13: Certificate preparation
  Generating a CSR
  Generating a CSR job aid
  Installing a CA or CA-signed certificate
  Installing a CA or CA-signed certificate job aid
  Exporting a PKCS12 file
  Installing custom certificates into the AS 5300 Element Manager keystore
  Verifying that CA certificates import into the AS 5300 Element Manager truststore
Chapter 14: Certificate management
  Listing all certificates
  Listing all certificates job aid
  Installing a CA or CA-signed certificate
  Installing a CA or CA-signed certificate job aid
  Uninstalling a certificate
  Verifying a certificate chain
  Verifying a certificate chain job aid
  Importing a PKCS12 file
  Exporting a PKCS12 file
  Identifying the friendly name of a certificate
  Identifying the friendly name of a certificate job aid
  Identifying the subject of a certificate installed in the certificate database (Unix)
  Identifying the subject field of a certificate installed in the certificate database (Unix) job aid
  Identifying the subject of a certificate that is not installed in the certificate database (Unix)
  Identifying the subject field of a certificate that is not installed in the certificate database (Unix) job aid
  Identifying the subject field of a certificate installed in the certificate database (Windows)
  Identifying the subject field of a certificate installed in the certificate database (Windows) job aid
Chapter 15: Core application certificate management
  Importing an internal certificate to the keystore
  Importing an internal certificate to the keystore job aid
  Viewing an internal certificate in the keystore
  Removing an internal certificate from the keystore
  Configuring the AS 5300 Element Manager with certificates for HTTPS and SIP
  Configuring the AS 5300 Session Manager with certificates for HTTPS and SIP
  Configuring HTTPS and SIP certificates for the Provisioning Manager
  Configuring the AS 5300 Element Manager Console with certificates for HTTPS and SIP (CAC)
  Configuring the AS 5300 Element Manager Console with certificates for HTTPS and SIP (manual)
  Configuring the Avaya Aura AS 5300 Personal Agent with certificates for HTTPS and SIP
Chapter 16: Truststore certificate management
  Importing a CA certificate to the truststore
  Viewing a CA certificate in the truststore
  Removing a CA certificate from the truststore
Chapter 17: OCSP configuration
  Configuring the operating system to support OCSP
  Configuring the operating system to support OCSP job aid
  Configuring the AS 5300 Element Manager to support OCSP
  Configuring the AS 5300 Session Manager to support OCSP
  Configuring Avaya MS to support OCSP
  Configuring the Provisioning Manager to support OCSP
  Configuring the AS 5300 Element Manager Console to support OCSP
  Verifying access to the OCSP server
Chapter 18: IPsec configuration overview
  Secure communication
  Default staging certificates
  Server addresses and service addresses
  IPsec tunnel rules
  Trusted node relationships
  IPsec custom certificates
  IPsec automatic CRL retrieval
  IPsec limitations and restrictions
Chapter 19: IPsec service management
  Starting or restarting the IPsec service
  Stopping the IPsec service
  Verifying IPsec connection status
  Verifying IPsec connection status job aid
Chapter 20: IPsec configuration
  Generating the internal IPsec configuration file
  Installing the internal IPsec configuration file on the primary EMS server
  Installing the internal IPsec configuration file on non-primary EMS servers
  Creating the external IPsec configuration file
  Creating the external IPsec configuration file job aid
  Installing a custom IPsec certificate
  Configuring IPsec for automatic CRL retrieval
  Configuring IPsec for automatic CRL retrieval job aid
  Verifying IPsec automatic CRL retrieval
  Verifying IPsec automatic CRL retrieval job aid
  Manually adding a CA chain
Chapter 21: Access control rules
  Access control rules overview
  Trusted nodes
  Trusted ports
  Internal trusted node mesh
  Access control tools
  DSCP marking
  DSCP marking configuration tools
  Default DSCP configuration
  Access control default system configuration
  Access control limitations and restrictions
Chapter 22: Access control configuration
Chapter 23: Internal access control configuration
  Generating the internal ACL file
  Installing the internal ACL configuration file on the primary EMS
  Installing the internal ACL configuration file on the other servers
Chapter 24: Access control rules management
  Importing access control rules
  Importing access control rules job aid
  Viewing all configured access control rules
  Rolling back to the previous access control configuration
  Restoring the access control default configuration
  Viewing trusted node and port configurations with iptstatus
  Viewing trusted node and port configurations with iptstatus job aid
  Syntax of an access control rule in the raw format job aid
  ACL configuration job aid
Chapter 25: Access control rules enforcement
  Enforcing access control rules
Chapter 26: NTP server management
  Updating the primary clock source servers
  Updating the primary clock source servers when your system uses symmetric key encryption
  Updating the secondary clock source servers
  Updating the secondary clock source servers when your system uses symmetric key encryption
  Configuring a server as a nonclock source
Chapter 27: TLS configuration
  Configuring the AS 5300 Session Managers to use only TLS
  Variable definitions
  Configuring the AS 5300 Session Managers to use only TLS job aid
  Configuring the Provisioning Managers to use only TLS
  Variable definitions
  Configuring the Provisioning Managers to use only TLS job aid
  Configuring the Personal Agent Managers to use only TLS
  Variable definitions
  Configuring the Personal Agent Managers to use only TLS job aid
Chapter 28: TLS Mutual authentication
  Enabling mutual authentication mode for SIP
  Enabling mutual authentication mode for HTTPS
Chapter 29: FIPS overview
  FIPS compliance
  Platform
  SSH
  AS 5300 Element Manager Console
Chapter 30: Cipher suite configuration
  Configuring OAMP ciphers
  Configuring external OAMP ciphers
  Configuring HTTPS ciphers
  Configuring signaling ciphers
Chapter 31: FIPS management
  Stopping a network element
  Enabling FIPS on the platform
  Enabling FIPS on the platform job aid
  Installing the FIPS-compliant AS 5300 Element Manager Console
  Updating the FIPS-compliant AS 5300 Element Manager Console
  Starting a network element

October 2017 Avaya Aura Application Server 5300 Security 5

Chapter 1: New in this release

The following sections detail what is new in Avaya Aura Application Server 5300 Security, NN, for Avaya Aura Application Server 5300 Release 3.0.

Navigation
Features on page 12
Other changes on page 13

Features
For information about feature-related changes, see the following sections:
Password complexity on page 23
Administrator password complexity on page 42
Subscriber security on page 50
Password policies and domains on page 51
Configuring application administrator password rules on page 75
Modifying application administrator password rules on page 89

For more information about the features that are new for this release, see Avaya Aura Application Server 5300 Release Delta, NN.

Document changes since last issue
The following changes have been made to this document since it was issued for Application Server 5300 Release 3.0 in June 2012:
Added the following new procedure: Configuring the Personal Agent Managers to use only TLS on page 185.
Updated the following procedures: Configuring the Avaya Aura AS 5300 Personal Agent with certificates for HTTPS and SIP on page 130 and Configuring HTTPS and SIP certificates for the Provisioning Manager on page 128.

Other changes

Revision history

October 2017: Updated the legal page for Avaya Aura Application Server 5300 Release 3.0.
March 2016: Standard. This document is issued to support Avaya Aura Application Server 5300 Release 3.0. Removed the Antivirus chapter and its reference. Removed third-party references from Updating the virus definitions on page 67 and Scheduling virus scans on page 68.
June 2013: Standard. This document is issued to support Avaya Aura Application Server 5300 Release 3.0. Added the following new procedure: Configuring the Personal Agent Managers to use only TLS on page 185. Updated the following procedures: Configuring the Avaya Aura AS 5300 Personal Agent with certificates for HTTPS and SIP on page 130 and Configuring HTTPS and SIP certificates for the Provisioning Manager on page 128.
December 2012: Standard. This document is issued to support Avaya Aura Application Server 5300 Release 3.0. Updated procedures in Antivirus management on page 67. Updated the list of FSI baseline exclusions on page 55.
November 2012: Standard. This document is issued to support Avaya Aura Application Server 5300 Release 3.0.
October 2012: Standard. This document is issued to support Avaya Aura Application Server 5300 Release 3.0. Updated the following procedure: Resetting the password for the AS 5300 Element Manager Console admin account on page 96.
July 2012: Standard. This document is issued to support Avaya Aura Application Server 5300 Release 3.0. Added a procedure for configuring Avaya MS to support OCSP: Configuring Avaya MS to support OCSP on page 138.
July 2012: Standard. This document is issued to support Avaya Aura Application Server 5300 Release 3.0. Made minor editorial changes in the following section: ACL configuration job aid on page 173.
June 2012: Standard. This document is issued to support Avaya Aura Application Server 5300 Release 3.0. Made minor editorial changes.
June 2012: Standard. This document is issued for Avaya Aura Application Server 5300 Release 3.0.
September 2010: Standard. This document is issued for Avaya Aura Application Server 5300 Release 2.0. Updates were made to Antivirus management on page 67.
August 2010: Standard. This document is issued for Avaya Aura Application Server 5300 Release 2.0. Technical changes were made to most of this document to reflect security changes.
June 2010: Standard. This document is issued for Avaya Aura Application Server 5300 Release 2.0. This document is updated after technical review.
May 2010: Standard. This document is issued for Avaya Aura Application Server 5300 Release 2.0. This document contains editorial changes.
April 2010: Standard. This document is issued for Avaya Aura Application Server 5300 Release 2.0.
August 2008: Standard. This document is issued for Nortel Application Server 5300 Release 1.0. This document is up-issued to include updates to technical content regarding support for foreign domains.
July 2008: Standard. This document is issued for Nortel Application Server 5300 Release 1.0. This document is up-issued to include organizational changes and updates to technical content.
June 2008: Standard. This document is issued for Nortel Application Server 5300 Release 1.0.

Chapter 2: Introduction

This document contains the procedures required to configure and administer security for the Avaya Aura Application Server 5300. For more information about configuration and administration, see Avaya Aura Application Server 5300 Configuration, NN and Avaya Aura Application Server 5300 Administration, NN. For information about general provisioning tasks and procedures, see Avaya Aura Application Server 5300 Using the Provisioning Client, NN.

Important: Throughout this document, the term system refers to the Avaya Aura Application Server 5300 unless otherwise noted.

Prerequisites

- The Avaya Aura Application Server 5300 installation is complete.
- You are familiar with the AS 5300 Element Manager Console.
- You are familiar with the Avaya Aura Provisioning Client.

Navigation

- Platform security overview on page 17
- Platform administrator security management on page 29
- Security configuration and management overview on page 41
- File system integrity on page 54
- Database password management on page 63
- Antivirus management on page 67
- Security log management on page 71
- Application administrator security configuration and management on page 73
- Application security configuration on page 103
- Certificate management overview on page 106
- Certificate preparation on page 108
- Certificate management on page 115
- Core application certificate management on page 124

- Truststore certificate management on page 132
- OCSP configuration on page 134
- IPsec configuration overview on page 141
- IPsec service management on page 146
- IPsec configuration on page 148
- Access control rules on page 157
- Access control configuration on page 163
- Internal access control configuration on page 165
- Access control rules management on page 169
- Access control rules enforcement on page 175
- NTP server management on page 176
- TLS configuration on page 182
- TLS Mutual authentication on page 187
- FIPS overview on page 189
- Cipher suite configuration on page 191
- FIPS management on page 195

Chapter 3: Platform security overview

This section contains information related to platform security configuration, including platform administrator accounts, roles, and access. For information about initial Basic Input/Output System (BIOS) and RSA-II card configuration, see Avaya Aura Application Server 5300 Installation, NN.

Navigation:

- BIOS password control on page 18
- GRUB password control on page 19
- Administrative user account names on page 19
- Administrative user roles on page 20
- Primary role on page 20
- Sudo access control on page 21
- Platform user management tool on page 21
- Administrative account timers on page 22
- Account lockout on page 22
- Password complexity on page 23
- Inactive platform account auditing on page 25
- Root user access on page 25
- Individual user accounts on page 26
- Preconfigured accounts on page 26
- Remote system accounts on page 27
- Secure Shell and Common Access Card integration on page 27
- Platform warning banners on page 28

BIOS password control

The planar BIOS includes options to configure both an Administrative and a Power-on password. For more information about password options and how to configure them, see the documentation supplied with the server hardware. The BIOS also refers to the Administrative password as the Privileged Access Password in console messages displayed during BIOS initialization.

BIOS passwords are enforced at the end of BIOS initialization, when the message BIOS Installed Successfully displays. The following table shows which password the BIOS requires at that point, depending on the passwords configured and on whether BIOS entry was requested.

Power-on configured   Admin configured   Required when BIOS entry requested (F1 pressed)   Required during standard initialization (F1 not pressed)
No                    No                 None                                              None
No                    Yes                Admin                                             None
Yes                   No                 Power-on password                                 Power-on password
Yes                   Yes                Power-on password (limited access) or Admin       Power-on password or Admin

Two basic scenarios are possible:

- The administrator presses the F1 key during the early stages of BIOS initialization with the intent of entering BIOS setup when BIOS initialization finishes. If at least one password is configured, that password must be entered to enter BIOS setup. If both passwords are configured, specifying the Power-on password gives the administrator only limited access, where no BIOS configuration changes can be made.
- The administrator does not press the F1 key during the early stages of BIOS initialization. If a Power-on password is configured (not recommended), the BIOS requires the administrator to enter the password before the system can continue past BIOS initialization. If configured, the Administrative password is also accepted.
If an Administrative password is configured, an administrator entering the BIOS with only a Power-on password receives access to the following menus:

- System Summary: This menu provides information such as processor model, USB devices, and memory information.
- System Information: This menu provides information such as the machine type and model number, serial number, firmware levels, and installed system cards.

When configuring the Administrative password, changing the value of the Power-on password changeable by user field to Yes provides limited BIOS access to the administrator. The following additional menu item is then available:

- System Security: This menu provides the facility to change or delete the Power-on password.

The following general points also apply to Administrative and Power-on BIOS passwords:

- Each password can be up to seven characters in length.
- The passwords can consist of any characters.
- If both passwords are configured, a forgotten Power-on password can be reset (deleted and reconfigured) by entering the BIOS with the Administrative password.
- If a single password is set and is forgotten, it cannot be recovered using the BIOS menu.
- If both the Administrative and Power-on passwords are set and the Administrative password is forgotten, it cannot be recovered using the BIOS menu.
- Neither password is affected when you restore the main BIOS configuration to the factory default.

GRUB password control

The Linux Grand Unified Bootloader (GRUB) allows you to configure a password to prevent unauthorized access to the bootloader. Whenever you change the server password policy, reset the GRUB bootloader password so that it complies with the new settings. For more information, see Configuring the GRUB password on page 31.

Administrative user account names

When you create a new account for an administrator, you specify the account name and a numeric user ID. For the numeric user ID, always enter zero (0); the system then assigns the next available numeric ID. The system security administrator defines the password requirements using the pwconfig tool.

Administrative user roles

Roles define operational boundaries (access permissions) for administrators. Administrators can have more than one role, depending on their duties. You assign roles to new administrators when you create their accounts. The roles defined for the system are as follows:

- System Security Administrator (SSA): The SSA can perform system configuration and specify security attributes such as:
  - Password configuration
  - User management
  - Certificate management
  - Access control
  - Antivirus
  - File System Integrity tools
  - Network configuration
  - System files backup
  - System restoration
- Security Auditor (SA): The SA can collect and view security audit logs and syslogs at the platform level. The SA can also transfer the security logs off the server.
- Application Administrator (AA): The AA can install MCS application software and manage components related to the application. The AA is responsible for installing, maintaining, patching, and upgrading MCS software only.
- Backup Administrator (BA): The BA can perform only system backups. A BA cannot perform any other operation on the server, and cannot perform a system restore; only the SSA or the root user can perform a system restore.
- Database Administrator (DBA): The DBA can manage the database schemas and database tools on servers on which the database resides. This role is not relevant on servers that do not host the database.
- Operational Support System Administrator (OSS): Downstream processors can use the account with this role to connect to the server and collect OSS logs.

Primary role

The primary role of the administrator defines the administrator's primary group. The primary role determines permissions and group ownership for any files generated by the administrator. Any tools that extract or create files use the administrator's primary role to determine the appropriate group settings. The primary role is the first role assigned during account creation.
An SSA or the root user can change the primary role for an administrator.

In the user management tool (usermgt), the primary role of an administrator is the first role that appears in the list of assigned roles. For example, if the list appears as SSA, AA, BA, the primary role of the administrator is SSA.

All roles other than the Backup Administrator, OSS Administrator, and Regional Patching Administrator roles are intended to manage some aspect of the system. Because of this, and because discretionary access groups control access to system resources, administrators with a primary role of SSA, SA, AA, or DBA have a primary GID in the range traditionally reserved for system accounts (less than 500).

Sudo access control

By default, an administrator has access to all commands defined for each assigned role. However, the root user can grant elevated privileges (such as root access) to an individual administrator, if required. The system records all commands that are run with sudo in /var/log/secure; only the security administrator or the security auditor can view these logs.

Only the root user can grant or deny sudo access to administrators. If you are already logged on when sudo access is granted, the sudo access is available the next time you log on. The sudo menu option in the usermgt script is visible only when the script is run by the root user.

Administrators who have sudo access need not know the root password of the system to invoke root-level commands; they authenticate with their own current passwords. The syntax for running commands with sudo access is as follows:

> sudo <root-privileged command>

The system prompts for your administrator password the first time, and again after 10 minutes if you do not enter any other sudo commands in between.

Platform user management tool

To run the user management tool (usermgt), you must be the System Security Administrator (SSA) or the root user. With the usermgt tool, you can create and manage user accounts for platform administrators.
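The Sudo access control section above states that every command run through sudo is recorded in /var/log/secure and that the security administrator or security auditor reviews that log. The following shell script is an added example, not part of the Avaya documentation or of the usermgt tool: it summarises, from lines in the format sudo writes to syslog, the commands that actually ran, the attempts sudo refused, and the commands that opened an interactive root shell (after which later commands are no longer attributed to the individual administrator). The host name as5300-1, the jsmith account, the timestamps and the commands in the sample are constructed for the example; only the ntsysadm account name comes from the documentation.

```shell
#!/bin/sh
# Added example: summarise sudo activity from /var/log/secure-style lines.
# Not part of the AS 5300 documentation or tools. Each function reads log
# lines on stdin, so the real file can be fed in: report < /var/log/secure

# Constructed sample lines in the format sudo writes to syslog. Host name,
# the jsmith account, times and commands are assumptions for the example.
SAMPLE_LOG='Jan 10 09:12:01 as5300-1 sshd[2211]: Accepted password for ntsysadm from 10.0.0.5 port 51022 ssh2
Jan 10 09:12:40 as5300-1 sudo: ntsysadm : TTY=pts/0 ; PWD=/home/ntsysadm ; USER=root ; COMMAND=/usr/sbin/usermgt
Jan 10 09:15:02 as5300-1 sudo:   jsmith : user NOT in sudoers ; TTY=pts/1 ; PWD=/home/jsmith ; USER=root ; COMMAND=/bin/cat /var/log/secure
Jan 10 09:20:11 as5300-1 sudo: ntsysadm : TTY=pts/0 ; PWD=/home/ntsysadm ; USER=root ; COMMAND=/bin/su -
Jan 10 09:21:00 as5300-1 sudo: ntsysadm : 3 incorrect password attempts ; TTY=pts/0 ; PWD=/home/ntsysadm ; USER=root ; COMMAND=/sbin/reboot'

# Successful sudo invocations: prints "user target-user command" per line.
sudo_commands() {
    grep ' sudo: ' | grep 'COMMAND=' \
        | grep -v 'NOT in sudoers' | grep -v 'incorrect password attempts' \
        | sed -n 's/^.* sudo: *\([^ ]*\) : .*USER=\([^ ]*\) ; COMMAND=\(.*\)$/\1 \2 \3/p'
}

# Attempts sudo refused: accounts without sudo access and failed passwords.
sudo_denials() {
    grep ' sudo: ' | grep -e 'NOT in sudoers' -e 'incorrect password attempts'
}

# Commands that hand out an interactive root shell. Everything typed inside
# such a shell is not recorded per administrator, so the auditor should
# look for these specifically. Prints "user shell-command".
root_shells() {
    sudo_commands | awk '$3 ~ /^\/(bin|usr\/bin)\/(su|sh|bash|ksh)$/ { print $1, $3 }'
}

# Count helper so results can be compared as plain integers.
line_count() {
    wc -l | tr -d ' '
}

# Full report; run as the security auditor with: report < /var/log/secure
report() {
    echo "== sudo commands run =="; sudo_commands
    echo "== denied attempts =="; sudo_denials
    echo "== interactive root shells =="; root_shells
}

printf '%s\n' "$SAMPLE_LOG" | report
```

On the sample, the report lists two commands run by ntsysadm, two refused attempts (the jsmith account is not in sudoers, and three wrong passwords preceded the reboot), and one root shell (/bin/su).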
Figure 1: Main menu on page 22 shows the options available from the main menu of the usermgt tool.

Figure 1: Main menu

Important: Option [6] (from the main menu of the usermgt tool) is available only to the root user. To use this option, an SSA with sudo access can su to root.

Administrative account timers

The idle session timer automatically logs off administrators who are not actively using their sessions. After the configured time elapses without administrator activity, the session closes automatically. Changes to the idle session timer value do not affect existing sessions; administrators must log off and log back on for the new value to take effect. Use the pwconfig tool to specify the timeout value by configuring the Idle session timeout (seconds) parameter. For more information, see Modifying password complexity rules menu on page 30.

Account lockout

To reduce the effectiveness of password-guessing attacks, you can configure account lockout on the system. If you enable account lockout, the system temporarily locks an account after a specified number of log on failures. To enable account lockout, use the pwconfig tool to set the Deny after this many log on failures parameter to a value other than zero. To subsequently disable account lockout, change the value back to zero. To configure the length of time that the account remains locked, use the pwconfig tool to configure the Unlock account duration (seconds) parameter. If account lockout is disabled, the Unlock account duration parameter has no effect. For more information, see Modifying password complexity rules menu on page 30.

If the system locks an account because of successive failed log on attempts, the administrator cannot log on until the lockout period expires. An SSA can unlock an administrator's account during the lockout period by using the usermgt tool to disable and then re-enable the locked-out administrator. Additionally, after three consecutive failed access attempts, the SSH or SFTP connection terminates and the user must re-establish the connection to log on. After an account reaches the lockout threshold, the system generates a security log entry.

Password complexity

You can configure password policy rules to define the characters that administrator passwords must contain. Administrators configure these passwords using either /usr/bin/passwd or the usermgt tool. The password complexity settings affect only subsequently configured passwords; they do not affect current passwords.

You manage password complexity on a per-server basis. No automatic synchronization of password complexity settings is performed between servers, so if you change any value on one server, you must manually change it on all the other servers. For more information about the parameters, see Table 1: Password complexity parameters on page 23. For more information about how to configure the parameters, see Modifying password complexity rules menu on page 30.

Table 1: Password complexity parameters

- Minimum lowercase chars: The minimum number of lowercase characters (a-z) that the password must contain. The system rejects passwords that contain fewer lowercase characters. Default: 2
- Minimum uppercase chars: The minimum number of uppercase characters (A-Z) that the password must contain. The system rejects passwords that contain fewer uppercase characters. Default: 2
- Minimum digits: The minimum number of digit characters (0-9) that the password must contain. The system rejects passwords that contain fewer digits. Default: 2
- Minimum special chars: The minimum number of special characters that the password must contain. Special characters: - _ & ^ ? ! ( ) , / \ : ; ~ = + The system rejects passwords that contain fewer special characters. Default: 0
- Minimum change chars: The minimum number of characters by which the new password must differ from the previous password. The system ignores this value if at least half of the characters in the new password are different, or if the new password has more than 23 characters. Default: 0
- Minimum password length: The minimum total number of characters a password must contain. The system rejects shorter passwords. Default: 8
- Maximum consecutive repeat chars: The maximum number of consecutive repeating characters permitted in a password. Default: 0
- Deny after this many log on failures: The number of failed attempts to log on to an account before the account is locked. Default: 0 (account lockout disabled)
- Unlock account duration (seconds): The time for which the account remains locked after log on failures. Default: 60
- Old passwords to remember: The number of previous passwords the system remembers. Administrators cannot reuse any password on the remembered list. Regardless of this value, administrators can never reuse the current password. Default: 0
- Maximum password age (days): The maximum number of days an administrator's password can be used. After this many days, the administrator must change the password to access the server. If you reduce this value, some existing passwords can expire immediately. Default: 90
- Minimum password age (days): The minimum number of days between password changes. This setting discourages administrators from immediately changing their passwords back to a previously used password (password flipping). Default: 1
- Password change warning (days): The number of days in advance that administrators are warned that their passwords will expire. If an administrator logs on within this many days of expiry, a message indicates that the password will expire soon. Default: 7
- Idle session timeout (seconds): The number of seconds a session can be idle before it times out. Default: 600 (10 minutes)

You can modify the password complexity rules at any time; however, the configured rules apply only to subsequently configured passwords and subsequently added administrator accounts.

Important: If the default password complexity values (as shown in the preceding table) do not meet your site requirements, Avaya recommends that you change the values immediately after installation and commissioning, and before you add administrators to the system.

The following non-configurable rules also apply to password complexity:

- The system uses the Linux CrackLib library to ensure that the password is not based on the username or on a dictionary word. The library manipulates the new password in various ways to determine whether it is derived from the username or a dictionary word.
- Users must change their passwords during initial log on. Users cannot access the system with the temporary passwords.

- The password cannot be a palindrome.
- The root user password does not adhere to the password complexity rules. Ensure that only a very limited number of individuals know the root password for the servers.
- The backup and restore process includes all files related to password complexity.

Password changes

When administrators use the UNIX passwd command to change their passwords, or when they change the password during log on (for initial or expired passwords), the system applies all of the enabled password complexity rules. When an SSA uses the usermgt tool to change a password, the following rules do not apply:

- Password history (Old passwords to remember)
- Case change from previous password
- Characters changed from previous password (Minimum change chars)

For more information about platform user account passwords, see Platform administrator security management on page 29.

Inactive platform account auditing

You can configure the system to automatically lock out inactive platform administrator accounts after a period of inactivity. If an administrator is locked out, that administrator cannot log on to the platform without intervention by another administrator. The system does not automatically delete locked-out inactive administrator accounts. The site administrator is responsible for monitoring locked-out accounts and deleting them as needed.

Root user access

The root user must log on to the server using the console keyboard, video, and mouse (KVM). The root user must change the password on first log on after installation. The password for this account is subject to the password complexity rules. Because the initial (during installation) password complexity rules are minimal, Avaya recommends that you change the password for this account after you complete the procedure to configure (harden) the password complexity rules.

On the SIP Core servers, users assigned the System Security Administrator (SSA) role, in addition to full-time Super User Do (sudo) access, have full root access.

Even though SSA/sudo users have unrestricted root-level privileges, their actions are logged in the system security log because they are logged on under their individual user IDs.

Individual user accounts

Individual user accounts allow for full accountability and monitoring of individual actions. If the installer chooses this option during server installation, the System Security Administrator (SSA) must create each individual user account after the installation is complete. For more information about installation, see the installation method for your system.

You manage user accounts on a per-server basis. Therefore, the SSA must create identical users on each server within the system. The SSA uses the User Management Configuration tool to create, modify, and delete users. The SSA configures the rules for administrator user names using the pwconfig tool. Each individual user account has its own password, which is subject to the password complexity rules. The SSA can disable or re-enable each individual user account as necessary. Individual user accounts have a home directory in /home/<userid>. If the SSA removes the user account, the home directory is also removed.

Preconfigured accounts

During server installation, the installation software creates the following user accounts:

- ntappadm: The primary role of this account is the Application Administrator (AA) role. This account replaces the avaya user found on previous systems.
- ntdbadm: The primary role of this account is the Database Administrator (DBA) role.
- ntsysadm: The primary role of this account is the System Security Administrator (SSA) role. The ntsysadm account, by default, has ALL sudo root access. You can remove full sudo access, if required, by invoking the usermgt tool as root. This account replaces the sysadmin user found on previous systems.
- ntsecadm: The primary role of this account is the Security Auditor (SA) role.
- ntbackup: The primary role of this account is the Backup Administrator (BA) role.
- ntossadm: The primary role of this account is the OSS Administrator (OSS) role. An Operational Support Server (OSS) uses this account to connect to an Avaya Aura Application Server 5300 server to collect OSS logs.

For more information about installation, see the installation method for your system. You can use the usermgt tool to manage all the preconfigured accounts. Each preconfigured account uses "password" as the initial password. You must change the initial password at first log on.

The user with the OSS role is protected using password authentication. This account is also subject to lockout if the password is entered incorrectly and account lockout is configured for the system. To change the password on this account, log on as the OSS user and run the passwd command. You can also use the usermgt tool to reset the password for this account.

The SSA can create additional individual user accounts. Additional individual accounts are subject to the same password complexity profile as the preconfigured accounts. The SSA can delete preconfigured accounts. All preconfigured accounts are backed up and restored during backup and restore procedures.

Remote system accounts

The Avaya Aura Application Server 5300 system requires the following remote system account:

- A user with the OSS role: An Operational Support Server (OSS) uses this account to connect to an Avaya Aura Application Server 5300 server to collect OSS logs. The system automatically creates this account during installation. For more information, see Preconfigured accounts on page 26.

Secure Shell and Common Access Card integration

Administrators use Secure Shell (SSH) for remote access and administration of the Linux servers. The Avaya Aura Application Server 5300 comes with OpenSSH installed. OpenSSH is an open-source application; as shipped with the system, it does not support two-factor authentication. To satisfy requirements for two-factor authentication and Common Access Card (CAC) integration, Avaya Aura Application Server 5300 also supports Attachmate Reflection for Secure IT as an optional configuration. Attachmate Reflection is not included with Application Server 5300. The purchase, installation, and maintenance of Attachmate software are the customer's responsibility. To install Attachmate Reflection for Secure IT, remove OpenSSH during system installation and commissioning. For more information, see AS 5300 DoD Attachmate Administration.

Attachmate Reflection for Secure IT includes both the Linux-based server component and the Windows-based client. Administrators can configure the Windows client to use certificates on the CAC, and can configure Reflection Group Policies so that all Reflection sessions meet Department of Defense (DoD) Public Key Infrastructure (PKI) requirements. The following changes occur when you configure DoD PKI mode:

- By default, Reflection can be configured to use CRL checking, an OCSP responder, or neither. In DoD PKI mode, the option to use neither form of revocation checking is disabled.
- Reflection enforces FIPS-approved encryption algorithms. For SSH connections, this means that only FIPS-approved options are available on the Encryption tab of the Secure Shell settings dialog box.

- For a connection to succeed, the host name specified in the certificate must exactly match the host name specified for your Reflection connection. This check is applied automatically and cannot be modified.

Administrative user database backup

The server backup job backs up the data from /admin, including the administrative user database files. For more information about server backup, see Avaya Aura Application Server 5300 Backup and Restore Method and Avaya Aura Application Server 5300 Administration, NN.

To prevent the restoration of passwords that do not comply with the site password complexity policy, Avaya recommends that you not back up the administrator database until after:

- You configure new passwords that comply with the site password complexity policy for all accounts not managed with the usermgt tool (for example, the user with the OSS role).
- You ensure that all accounts managed with the usermgt tool have passwords that comply with the site password complexity policy. For example, users must change the passwords of any account created before the password policy was configured.

Platform warning banners

Configure the following messages to appear during log on:

- The /etc/issue banner appears before an administrator enters a username and password to access the system using the console, SSH, or SFTP.
- The /etc/motd banner appears after a successful log on to the system using the console or SSH.

For more information, see Configuring platform warning banners on page 39.

Important: Avaya recommends that you perform a backup after making changes to the warning banner files. For more information, see Avaya Aura Application Server 5300 Backup and Restore Method and Avaya Aura Application Server 5300 Administration, NN.

Chapter 4: Platform administrator security management

About this task

This section describes how to manage password complexity requirements, create individual user accounts, and manage administrator role assignments to control access to the Avaya Aura Application Server 5300 servers.

Prerequisites: You must be a System Security Administrator (SSA) or the root user to run the tools for platform administrator security management.

Navigation:

- Modifying password complexity rules menu on page 30
- Configuring the GRUB password on page 31
- Creating individual user accounts menu on page 31
- Deleting a user account menu on page 32
- Modifying user roles menu on page 34
- Changing the state of a user account menu on page 35
- Listing server user accounts menu on page 36
- Managing sudo access menu on page 36
- Resetting a platform user account password menu on page 37
- Resetting a platform user account password CLI on page 38
- Viewing the status of inactive account auditing on page 38
- Enabling inactive account auditing on page 38
- Disabling inactive account auditing on page 39
- Configuring platform warning banners on page 39

Modifying password complexity rules menu

About this task

Use this procedure to run the pwconfig script and modify the password complexity rules so that user passwords are more secure. Password complexity rules apply only to subsequently configured passwords.

1. Log on to the server as a user with the SSA role.
2. Run the script to configure password complexity: pwconfig
3. If you receive a prompt, enter your password.
4. Enter 1 to view the current configuration.
5. Press Enter to continue.
6. Enter 2 to change the current configuration.
7. Enter a value for Minimum lowercase chars.
8. Enter a value for Minimum uppercase chars.
9. Enter a value for Minimum digits.
10. Enter a value for Minimum special chars.
11. Enter a value for Minimum change chars.
12. Enter a value for Minimum password length.
13. Enter a value for Deny after this many log on failures.
14. Enter a value for Unlock account duration (seconds).
15. Enter a value for Old passwords to remember.
16. Enter a value for Maximum password age (days).
17. Enter a value for Minimum password age (days).
18. Enter a value for Password change warning (days).
19. Enter a value for Idle session timeout (seconds).
20. Press Enter to continue.
21. (Optional) To cancel pending (unsaved) changes, enter the corresponding menu option.
22. Enter 4 to save pending changes.
23. Press Enter to continue.
24. Enter 5 to exit.
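The procedure above sets the rules, but a candidate password is only tested when an administrator tries to set it and is rejected. The following shell script is an added example, not part of the Avaya documentation or of the pwconfig tool: it checks a candidate password against the Table 1 defaults and the non-configurable rules listed under Password complexity (palindrome, current password, username) before the password is set with usermgt or passwd. Two points are assumptions rather than documented behaviour: the CrackLib username test is approximated by checking for the username and its reverse as a substring (CrackLib also does dictionary checks, which are not reproduced here), and "Maximum consecutive repeat chars" is read as the longest run of one character that is still allowed, with 0 meaning no limit. Edit the policy variables to match the pwconfig values on your servers.

```shell
#!/bin/sh
# Added example: check a candidate administrator password against the
# AS 5300 password complexity rules. Not part of the documentation or of
# pwconfig. Policy values are the Table 1 defaults; adjust to match your
# servers. The username check approximates CrackLib (assumption), and
# MAX_REPEAT is read as the longest permitted run of one character (assumption).

MIN_LOWER=2
MIN_UPPER=2
MIN_DIGIT=2
MIN_SPECIAL=0
MIN_LENGTH=8
MAX_REPEAT=0                     # 0 = no limit, as in the documented default
SPECIALS='_&^?!(),/\\:;~=+-'     # documented special-character set, as a tr(1) set

# Number of characters of PASSWORD that fall in the tr(1) set SET.
count_class() {
    printf '%s' "$1" | tr -cd "$2" | wc -c | tr -d ' '
}

# Length of the longest run of one repeated character in PASSWORD.
max_run() {
    printf '%s\n' "$1" | awk '{
        max = 1; run = 1
        for (i = 2; i <= length($0); i++) {
            if (substr($0, i, 1) == substr($0, i - 1, 1)) run++; else run = 1
            if (run > max) max = run
        }
        print max
    }'
}

# PASSWORD reversed (palindrome and reversed-username checks).
reverse_string() {
    printf '%s\n' "$1" | awk '{
        s = ""
        for (i = length($0); i > 0; i--) s = s substr($0, i, 1)
        print s
    }'
}

# check_password PASSWORD USERNAME [CURRENT_PASSWORD]
# Prints each violated rule and returns 1; returns 0 when the password complies.
check_password() {
    pw=$1; user=$2; current=${3:-}; rc=0
    fail() { echo "reject: $1"; rc=1; }

    [ "${#pw}" -ge "$MIN_LENGTH" ] || fail "shorter than $MIN_LENGTH characters"
    [ "$(count_class "$pw" '[:lower:]')" -ge "$MIN_LOWER" ] || fail "fewer than $MIN_LOWER lowercase characters"
    [ "$(count_class "$pw" '[:upper:]')" -ge "$MIN_UPPER" ] || fail "fewer than $MIN_UPPER uppercase characters"
    [ "$(count_class "$pw" '[:digit:]')" -ge "$MIN_DIGIT" ] || fail "fewer than $MIN_DIGIT digits"
    [ "$(count_class "$pw" "$SPECIALS")" -ge "$MIN_SPECIAL" ] || fail "fewer than $MIN_SPECIAL special characters"
    if [ "$MAX_REPEAT" -gt 0 ] && [ "$(max_run "$pw")" -gt "$MAX_REPEAT" ]; then
        fail "more than $MAX_REPEAT consecutive identical characters"
    fi
    [ "$pw" != "$(reverse_string "$pw")" ] || fail "password is a palindrome"
    [ -z "$current" ] || [ "$pw" != "$current" ] || fail "password is the current password"

    # Approximation of the CrackLib username test: reject the username or its
    # reverse anywhere in the password, ignoring case.
    lower_pw=$(printf '%s' "$pw" | tr '[:upper:]' '[:lower:]')
    lower_user=$(printf '%s' "$user" | tr '[:upper:]' '[:lower:]')
    case "$lower_pw" in
        *"$lower_user"*|*"$(reverse_string "$lower_user")"*)
            fail "password is based on the user name" ;;
    esac
    return $rc
}

# Usage: check_password 'Tq7mK9wz' ntsysadm && echo "policy-compliant"
```

The script does not reproduce the Minimum change chars and Old passwords to remember rules, which need the previous passwords, nor the CrackLib dictionary test; it catches the class, length, palindrome and username rejections before they cost an administrator a failed attempt against a locked-down account.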

Configuring the GRUB password

Use this procedure to configure the Linux Grand Unified Bootloader (GRUB) password. The GRUB password prevents unauthorized access to the bootloader.

Prerequisites: You are a user with the SSA role.

1. Log on to the server as a user with the SSA role.
2. Enter grubpwconfig at the prompt.
3. Enter c to configure the password.
4. Enter a policy-compliant GRUB password.
5. Re-enter the policy-compliant GRUB password.

Creating individual user accounts menu

About this task

Use this procedure to create administrator accounts.

1. Log on to the server as a user with the SSA role.
2. At the command prompt, enter: usermgt
3. If prompted, enter your password.
4. Enter 1 to add a new user.
5. Enter a username for the new user.
6. Enter 0 to have the system select a user ID.
7. Enter the corresponding numbers for the user's roles. The first role is the user's primary role. Separate multiple role entries with a comma (,).
8. Enter Y to continue adding users.
9. Enter the initial password for the user. The user must change this password during the initial log on to gain access to the server.
10. Enter the initial password again. You receive a prompt to continue adding users or to return to the main menu.

Variable definitions

| Variable | Value |
|---|---|
| <userid> | This value is the user ID for the new user. |
| <username> | This value is the username for the new user. |
| <roles> | This value specifies the primary and any other roles for the user, separated by commas (,). |
| <passwd> | This value is the initial password for the user. |

Creating individual user accounts job aid

About this task
This job aid lists and describes the system groups defined on the system, and provides the role to groups mapping.

The system groups are:
- ntsysgrp: group for system related files
- ntsecgrp: group for security logs
- ntappgrp: group for MCP application files
- ntdbgrp: group for database related files
- ntossgrp: group for OSS files
- ntbackupgrp: group for backup files

Table 2: Role to groups mapping

| Role | Groups |
|---|---|
| SSA (System Security Administrator) | ntsysgrp, ntsecgrp, ntbackupgrp |
| SA (Security Auditor) | ntsecgrp |
| AA (Application Administrator) | ntappgrp, ntossgrp |
| BA (Backup Administrator) | ntbackupgrp |
| DBA (Database Administrator) | ntdbgrp, ntappgrp |
| OSS (OSS Administrator) | ntossgrp |

Deleting a user account menu

You can delete individual users who no longer require access to the server. The User Management Configuration tool does not manage the following system accounts, and you cannot delete them:
- root
- ntappsw
- ntdbsw (database systems only)
- ntdblsnr (database systems only)

1. Log on to the server as a user with SSA role.
2. At the command prompt: usermgt
3. If prompted, enter your password.
4. Enter 2 to delete a user.
5. From the list of users, select the user that you want to delete by entering the corresponding number.
6. Enter Y to confirm the deletion.
7. If the tool finds files owned by the admin to delete, the system displays a list. Choose an action:

| Choose to | Do this |
|---|---|
| Delete the files | Enter Y |
| Stop the system from deleting the files | Enter N |

Variable definitions

| Variable | Value |
|---|---|
| <username> | This value is the name of the user account. |

Deleting a user account menu job aid

After deleting a user account, the system deletes the associated home directory (/home/<admin>) and all files and directories within it. Additionally, the system searches for any files owned by this admin outside of their home directory (/home/<admin>). If files are found and the user's read and write permissions are:
1. less than the group read and write permissions, then the system transfers the file (without warning) to a no login system account and the file remains on the system.
2. greater than or equal to the group read and write permissions, then the system deletes the file (with warning and confirmation), because transferring a file with these settings to a no login system account could render it unmanageable by any admin users in the same group.

Table 3 shows the no login system account to which files are transferred, based on the primary role of the deleted user account:
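As an added example (not Avaya code), the following Python models the file disposition rule of this job aid together with the role-to-no-login-account mapping of Table 3 below. The function names, the sample file inventory, and the reading of "less than" as a numeric comparison of the owner's read/write bits against the group's are this example's own assumptions.

```python
import stat

# Table 3 on this page: primary role of the deleted account -> no login account.
NOLOGIN_ACCOUNT = {
    "SSA": "ntsysnl", "SA": "ntsecnl", "AA": "ntappnl",
    "BA": "ntbackupnl", "DBA": "ntdbnl", "OSS": "ntossnl",
}


def rw_bits(mode: int, shift: int) -> int:
    """Read and write bits of one permission triad (owner: shift 6, group: shift 3)."""
    return (mode >> shift) & (stat.S_IROTH | stat.S_IWOTH)   # 0o6 mask: r=4, w=2


def file_disposition(mode: int, primary_role: str) -> tuple:
    """Apply the job-aid rule to one file found outside the user's home directory.

    Assumption: "less than" compares the numeric value of the owner's r/w bits
    with the group's r/w bits. Returns ("transfer", account) or ("delete", None).
    """
    owner_rw = rw_bits(mode, 6)
    group_rw = rw_bits(mode, 3)
    if owner_rw < group_rw:
        # Owner rights are narrower than group rights: the file stays usable by the
        # group, so it is moved silently to the role's no login account.
        return ("transfer", NOLOGIN_ACCOUNT[primary_role])
    # Owner rights equal or exceed group rights: a transferred file could become
    # unmanageable by the group, so the tool deletes it after confirmation.
    return ("delete", None)


def plan_deletion(username: str, primary_role: str, owned_files: list) -> dict:
    """Summarise what the tool would do with every file owned by `username`.

    `owned_files` is a list of (path, mode) pairs, e.g. from os.lstat().st_mode.
    Everything under /home/<username> is deleted unconditionally.
    """
    home = f"/home/{username}/"
    plan = {"delete_silently": [], "delete_with_confirmation": [], "transfer": []}
    for path, mode in owned_files:
        if path.startswith(home):
            plan["delete_silently"].append(path)
            continue
        action, account = file_disposition(stat.S_IMODE(mode), primary_role)
        if action == "transfer":
            plan["transfer"].append((path, account))
        else:
            plan["delete_with_confirmation"].append(path)
    return plan


# Constructed inventory for a DBA user; paths and modes are illustrative only.
SAMPLE_FILES = [
    ("/home/dbuser/.bash_history", 0o600),
    ("/var/mcp/export/dump.sql", 0o640),     # owner rw, group r  -> delete
    ("/var/mcp/export/notes.txt", 0o460),    # owner r,  group rw -> transfer
    ("/var/mcp/export/shared.cfg", 0o660),   # owner rw, group rw -> delete
]

if __name__ == "__main__":
    for key, entries in plan_deletion("dbuser", "DBA", SAMPLE_FILES).items():
        print(key, entries)
```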

Table 3: Deleted user account/no login account mapping

| Primary role of deleted account | No login account |
|---|---|
| SSA | ntsysnl |
| SA | ntsecnl |
| AA | ntappnl |
| BA | ntbackupnl |
| DBA | ntdbnl |
| OSS | ntossnl |

The system administrator must either leave these newly transferred files on the system or remove them, as necessary for the operation of the system. Before deleting files, determine whether deleting them will hinder system operation.

Modifying user roles menu

About this task
Use this procedure to modify the roles of a server administrator. You can also change the primary role of the administrator.

1. Log on to the server as a user with SSA role.
2. At the command prompt: usermgt
3. If you receive a prompt, enter your password.
4. Enter 3 to modify a user's roles.
5. From the list of users, enter the corresponding number for the user account that you want to modify.
6. Enter the corresponding numbers for the user's roles (primary role first), separated by commas (,).
7. Enter Y to continue making modifications. You receive a prompt to continue modifying roles for users or to return to the main menu.

Variable definitions

| Variable | Value |
|---|---|
| <username> | This value is the name of the user account. |

| <roles> | This value contains the roles that you want to assign to the user account. You must enter the primary role first, and separate multiple roles with a comma (,). Example: SSA, AA |

Changing the state of a user account menu

About this task
Disable a user's account to temporarily prevent access to the server with that account. Enable the account to restore access. If a user's account becomes locked because of failed attempts to log on, you can clear the lock by disabling and then enabling the account again.

1. Log on to the server as a user with SSA role.
2. At the command prompt: usermgt
3. If you receive a prompt, enter your password.
4. Enter 4 to enable or disable a user account.
5. Enter the corresponding number for the user account that you want to enable or disable.
6. Enable or disable the account:

| If the account is currently | Do this |
|---|---|
| Enabled | Enter Y to disable the account, and go to step 9. |
| Disabled | Enter Y to enable the account, and go to step 7. |

7. Enter a new password for the user account. The user must change this password during the initial log on.
8. Enter the new password again.
9. Choose an action:

| Choose to | Do this |
|---|---|
| Change another account state | Enter Y |
| Not change another account state | Enter N |
| Exit | Enter 8 |

Listing server user accounts menu

About this task
You can view a list of the users currently configured on the server. The display shows 20 entries per page and lists the user name, user ID, the user's configured state, and whether the user has sudo access to the system.

1. Log on to the server as a user with SSA role.
2. At the command prompt: usermgt
3. If you receive a prompt, enter your password.
4. Enter 5 to list the users currently configured on the server. The screen displays up to 20 users.
5. You can choose to display the next 20 users or quit to the main menu.

| To choose this | Do this |
|---|---|
| Show the next 20 users (if applicable) | Press Enter. |
| Return to the main menu | Type q and press Enter. |

Managing sudo access menu

Use this procedure to grant or revoke sudo access for user accounts. You must be either the root user or a user with SSA role with sudo privileges.

1. Log on to the server as root or as a user with SSA role.
2. If you are an SSA, change to root: su - root
3. Enter the root password.
4. Run the User Management Configuration tool: usermgt.pl
5. Enter 6 to manage sudo access.
6. Enter the corresponding number for the user account for which you want to grant or deny sudo access.

7. Grant or remove sudo access:

| If the account currently | Do this |
|---|---|
| Has sudo access | Enter Y to remove sudo access. |
| Does not have sudo access | Enter Y to enable sudo access. |

8. Choose whether to manage sudo access for another user account.

| Choose to | Do this |
|---|---|
| Manage sudo access for another user account | Enter Y, and repeat steps 6 to 8. |
| Not manage sudo access for another user account | Enter N to go back to the main menu. |

9. Enter 9 to exit.

Variable definitions

| Variable | Value |
|---|---|
| <username> | This value is the name of the user account. |

Resetting a platform user account password menu

About this task
You can use the usermgt tool to change passwords for platform administrators. If an administrator is locked out of the server because of failed attempts to log on, you can use the usermgt tool to reset the user account password and clear the lock.

1. Log on to the server as a user with SSA role.
2. At the command prompt: usermgt
3. If you receive a prompt, enter your password.
4. Enter 6 to reset a user password.
5. Enter the corresponding number for the user whose password you want to reset.
6. Enter a new password for the user account and confirm it by entering the new password again. A prompt asks whether to reset a password for another user or return to the main menu.
7. Reply to the prompt with the desired action.

Resetting a platform user account password CLI

About this task
You can change your platform administrator password from the command line. You can also use this procedure to change the password of the user with OSS role.

1. Log on to the server with the account for which you want to change the password.
2. Enter the UNIX command to change the password: passwd
3. At the prompt, enter the current UNIX (platform) password for the account.
4. At the prompt, enter the new UNIX (platform) password for the account.
5. At the prompt, re-enter the new UNIX (platform) password for the account.

Viewing the status of inactive account auditing

Use this procedure to view the status of inactive account auditing.

You are a user with SSA role.

1. Log on to the server as a user with SSA role.
2. At the command prompt, enter configinactiveloginaudit.
3. At the command prompt, enter d.

Enabling inactive account auditing

Use this procedure to enable inactive account auditing.

You are a user with SSA role.

1. Log on to the server as a user with SSA role.
2. At the command prompt, enter configinactiveloginaudit.
3. At the command prompt, enter c.

4. To turn on the audit, enter Y.
5. To exempt the login accounts from the audit, enter Y.
6. Press Enter to accept the default list of exempted accounts.
7. For the Maximum number of inactive days before login account is locked value, enter the number of days of account inactivity after which the account is locked out.

Enabling inactive account auditing job aid

This job aid lists and describes the parameters required to enable inactive account auditing.

| Parameter | Value |
|---|---|
| Maximum number of inactive days before login account is locked | Enter a number between 4 and 364. |

Disabling inactive account auditing

Use this procedure to disable inactive account auditing.

You are a user with SSA role.

1. Log on to the server as a user with SSA role.
2. At the command prompt, enter configinactiveloginaudit.
3. At the command prompt, enter c.
4. To turn on the audit, enter N.

Important: After you disable inactive account auditing, the system does not re-enable previously locked out administrator accounts. You must manually re-enable any locked out administrator accounts.

Configuring platform warning banners

Use this procedure to configure warning banners that display one message before users enter their user names and passwords, and another message after a successful log on. Warning banners typically state the legal implications of logging on to a system.

Important: Repeat this procedure for each server in your Application Server 5300 system.

You are a user with SSA role.

1. Use a text editor to create or modify <issue_filename>.
2. Use a text editor to create or modify <motd_filename>.
3. Connect to the server as a user with SSA role by using SFTP or SCP.
4. Transfer <issue_filename> and <motd_filename> to /var/tmp.
5. Log on to the server as an SSA user with SSH.
6. Copy the files from /var/tmp to the /etc directory:
   cp /var/tmp/<issue_filename> /etc/issue
   cp /var/tmp/<motd_filename> /etc/motd

Variable definitions

| Variable | Value |
|---|---|
| <issue_filename> | This value is the name of the text file that contains the message that appears before log on. |
| <motd_filename> | This value is the name of the text file that contains the message that appears after a successful log on. |

Chapter 5: Security configuration and management overview

This section contains information about system security configuration and management.

Navigation:
- Application administrator security on page 41
- Web server logs on page 49
- Internal database account security on page 50
- Database application security on page 50
- Subscriber security on page 50
- Domain security on page 53
- File system integrity on page 54
- HTTPS certificates on page 56
- AS 5300 Element Manager Console CAC integration on page 56
- AS5300 UC Client CAC integration on page 57
- Application logging on page 57
- Security logs on page 57
- System alarms on page 61

Application administrator security

The AS 5300 Element Manager Console and the Avaya Aura Provisioning Client applications maintain independent administrator accounts for configuration and management of the Avaya Aura Application Server 5300. Although these applications do not share the same pool of administrator accounts, they do share common security rules for password complexity, password aging, password history, log on session constraints, and application warning banners. You configure these rules by using the AS 5300 Element Manager Console. For more information about how to use the AS 5300 Element Manager Console, see Avaya Aura Application Server 5300 Configuration, NN.

If you modify the password rules and the passwords of existing administrators no longer comply with the new rules, the system does not take any special action. Existing administrators can continue to use their existing passwords until they expire; password rules are enforced only at the time of password creation. You can force administrators to change existing passwords, for example, to comply with an updated password policy. For more information, see Application administrator security configuration and management on page 73.

Administrator password complexity

The following table lists the parameters that you use to configure password complexity for administrator user accounts.

Application administrator password rules

Minimum Password Length
    This rule defines the minimum number of characters that must be included in a password. The range of values allowed is
    Default value: 8
    Note: The following restrictions apply:
    - The Minimum Password Length must be equal to or greater than the total of the Minimum Lowercase Characters, Minimum Uppercase Characters, Minimum Digit Characters, and Minimum Special Characters values.
    - If Check For Dictionary Words in Password is enabled, the Minimum Password Length value must be 6 or more.
    Caution: The system supports passwords up to a maximum of 511 characters. However, some phone clients limit the maximum length of passwords. Verify the capabilities of your phone before creating a long password.

Minimum Lowercase Characters
    This rule defines the minimum number of lowercase characters that must be included in a valid password. Lowercase characters are defined by the US-ASCII character set, a-z. The range of values allowed is
    Default value: 2

Minimum Uppercase Characters
    This rule defines the minimum number of uppercase characters that must be included in a valid password. Uppercase characters are defined by the US-ASCII character set, A-Z. The range of values allowed is
    Default value: 2

Minimum Digits
    This rule defines the minimum number of digits that must be included in a valid password. Digits are defined by the US-ASCII character set, 0-9. The range of values allowed is
    Default value: 2

Minimum Special Characters
    This rule defines the minimum number of special characters that must be included in a valid password. Special characters are defined by the following US-ASCII characters: - _ & ^ ? ! ( ) , / \ : ; ~ = + The range of values allowed is
    Default value: 0

Maximum Consecutive Characters
    This rule defines the maximum number of times a given character can appear consecutively in a valid password. Configure the value to 0 (zero) to disable Maximum Consecutive Characters. The range of values allowed is
    Default value: 0

Minimum Characters Different from Previous Password
    This rule defines the minimum number of characters in the new password that must differ from the previous password. The range of values allowed is
    Default value: 0

Password History
    This rule defines the number of previous passwords that the system stores for each administrator. The system rejects the reuse of any password found in the user's history. Configure the value to 0 (zero) to disable Password History validation. When Password History is configured to 0, the Minimum Characters Different From Previous Password feature is automatically configured to 0. The range of values allowed is
    Default value: 0

User ID or Reversed User ID Permitted in Password
    This rule indicates whether an administrator user name can appear in the administrator password. The rule is case insensitive, so, for example, the passwords "sysadmin123", "SYSADMIN123" and "SysAdmin123" are all found to contain "admin". Select TRUE or FALSE. Default value: TRUE.

Check For Dictionary Words in Password
    This rule indicates whether the system checks passwords for dictionary words. When this rule is enabled, administrators are prevented from using passwords that are derived from dictionary words. Select TRUE or FALSE. Default value: FALSE.
    Note: If Check For Dictionary Words in Password is enabled, the Minimum Password Length value must be 6 or more.

Maximum Password Life (days)
    This rule defines the maximum number of days before a user's password expires. Configure the value to 0 (zero) to disable password expiration. The range of values allowed is days.
    Default value: 90

Minimum Password Life (hours)
    This rule defines the minimum number of hours that a password must exist before the user can change it. Configure the value to 0 (zero) to permit users to change their passwords as often as they wish. The Minimum Password Life must be less than the Maximum Password Life. The range of values allowed is hours (20 days).
    Default value: 1

Expiry Notification (days)
    This rule defines the number of days before password expiration at which an administrator is notified. Configure this value to 0 (zero) to disable expiry notification. The Expiry Notification value must be less than the Maximum Password Life, and must be greater than the Minimum Password Life. The range of values allowed is 0-30 days.
    Default value: 7

Password aging

The following rules control the length of time that a password remains valid, and the expiration notification.

Table 4: Password aging rules

Minimum Password Life
    This rule defines the minimum number of hours that a user's password must exist before the user can change it. Configure the value to 0 (zero) to permit users to change their passwords as often as they wish. If not zero, the minimum password life must be less than the maximum password life. The range of values allowed is hours (20 days).
    Default value: 1

Maximum Password Life
    This rule defines the maximum number of days before a user's password expires. Configure the value to 0 (zero) to disable password expiration. The range of values allowed is days.
    Default value: 90

Expiry Notification
    This rule defines the number of days before password expiration at which an administrator is notified. Setting the value to 0 (zero) disables expiry notification. The value must be less than the Maximum Password Life, and must be greater than the Minimum Password Life. The range of values allowed is 0-30 days.
    Default value: 7

When adding or editing an administrator account, the security administrator can override the Maximum Password Life value, and thereby apply a different maximum life to that administrator's password.
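To make the rules above concrete, here is an added example in Python (not Avaya code) that models the administrator password complexity rules and the password aging rules from the two tables, including the cross-rule restrictions (length versus per-class minimums, the dictionary-check minimum, the history/characters-different coupling, and the life/notification ordering). The class and function names, the counting used for Minimum Characters Different, and the sample passwords are this example's own assumptions; the defaults are taken from this document.

```python
from dataclasses import dataclass

@dataclass
class PasswordRules:
    """Administrator password rules; the defaults are the table defaults on this page."""
    min_length: int = 8
    min_lowercase: int = 2
    min_uppercase: int = 2
    min_digits: int = 2
    min_special: int = 0
    max_consecutive: int = 0           # 0 disables the consecutive-character check
    min_chars_different: int = 0       # automatically 0 when password_history is 0
    password_history: int = 0          # 0 disables history validation
    userid_permitted: bool = True      # TRUE: the user ID may appear in the password
    check_dictionary: bool = False
    max_life_days: int = 90            # 0 disables expiry
    min_life_hours: int = 1
    expiry_notification_days: int = 7  # 0 disables notification

# Special characters as printed on this page (the extracted list may be incomplete).
SPECIAL_CHARS = set("-_&^?!(),/\\:;~=+")

# Installation defaults from "Application administrator (Admin) security defaults".
INSTALL_DEFAULTS = PasswordRules(min_length=4, min_lowercase=0, min_uppercase=0,
                                 min_digits=0, password_history=1, max_life_days=0,
                                 min_life_hours=0, expiry_notification_days=0)

def rule_config_errors(r: PasswordRules) -> list:
    """Constraints the page places on the rule set itself, not on a password."""
    errors = []
    class_total = r.min_lowercase + r.min_uppercase + r.min_digits + r.min_special
    if r.min_length < class_total:
        errors.append("Minimum Password Length is below the sum of the per-class minimums")
    if r.check_dictionary and r.min_length < 6:
        errors.append("Check For Dictionary Words needs a Minimum Password Length of 6 or more")
    if r.password_history == 0 and r.min_chars_different != 0:
        errors.append("Password History 0 forces Minimum Characters Different to 0")
    if r.max_life_days:  # the aging constraints apply only when expiry is enabled
        max_life_hours = r.max_life_days * 24
        if r.min_life_hours and r.min_life_hours >= max_life_hours:
            errors.append("Minimum Password Life must be less than Maximum Password Life")
        notify_hours = r.expiry_notification_days * 24
        if notify_hours and not (r.min_life_hours < notify_hours < max_life_hours):
            errors.append("Expiry Notification must lie between Minimum and Maximum Password Life")
    return errors

def longest_run(s: str) -> int:
    """Length of the longest run of one repeated character."""
    best = run = 0
    prev = None
    for ch in s:
        run = run + 1 if ch == prev else 1
        prev = ch
        best = max(best, run)
    return best

def chars_different(new: str, old: str) -> int:
    """Assumption: positions that differ, plus any difference in length."""
    return sum(a != b for a, b in zip(new, old)) + abs(len(new) - len(old))

def password_violations(password: str, username: str, previous: list,
                        rules: PasswordRules, dictionary=()) -> list:
    """Names of the rules a candidate password breaks (empty list means accepted).
    `previous` is the history, newest first; only `rules.password_history` entries count."""
    v = []
    if len(password) < rules.min_length:
        v.append("Minimum Password Length")
    if sum("a" <= c <= "z" for c in password) < rules.min_lowercase:   # US-ASCII a-z
        v.append("Minimum Lowercase Characters")
    if sum("A" <= c <= "Z" for c in password) < rules.min_uppercase:   # US-ASCII A-Z
        v.append("Minimum Uppercase Characters")
    if sum("0" <= c <= "9" for c in password) < rules.min_digits:
        v.append("Minimum Digits")
    if sum(c in SPECIAL_CHARS for c in password) < rules.min_special:
        v.append("Minimum Special Characters")
    if rules.max_consecutive and longest_run(password) > rules.max_consecutive:
        v.append("Maximum Consecutive Characters")
    history = previous[:rules.password_history]
    if history:
        if password in history:
            v.append("Password History")
        if rules.min_chars_different and \
                chars_different(password, history[0]) < rules.min_chars_different:
            v.append("Minimum Characters Different from Previous Password")
    lowered = password.lower()
    if not rules.userid_permitted:
        uid = username.lower()
        if uid in lowered or uid[::-1] in lowered:  # case insensitive, as the page states
            v.append("User ID or Reversed User ID Permitted in Password")
    if rules.check_dictionary and any(w.lower() in lowered for w in dictionary):
        v.append("Check For Dictionary Words in Password")
    return v

if __name__ == "__main__":
    print(rule_config_errors(PasswordRules()))                               # []
    print(password_violations("Passw0rd!", "admin", [], PasswordRules()))
```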

Log on session constraints

Log on session constraints control the length of time that a session can remain idle before the system forces the administrator to reauthenticate. You configure these rules separately for the AS 5300 Element Manager Console Open Management Interface (OMI) and the Avaya Aura Provisioning Client, by using the AS 5300 Element Manager Console.

Configure the following parameters for log on sessions:

Session Timeout
    This rule defines the maximum number of minutes a session can be idle before an administrator must reauthenticate. The range of values for this parameter is
    Configure the value to 0 (zero) to disable session timeout. You cannot disable session timeout for the Avaya Aura Provisioning Client. For Configuration Management clients (which include the AS 5300 Element Manager Console), after a session times out, any write or maintenance operations require reauthentication; read operations continue to function normally.

Failed Login Attempts before Lockout
    This rule defines the maximum number of successive failed attempts to log on that are allowed before the system locks the administrator's account. The range of values for this parameter is
    Configure the value to 0 (zero) to disable lockout and to allow an unlimited number of successive failed login attempts. A value other than zero represents an inclusive number of attempts. Therefore, if the value is 1 (one), a single failure causes the administrator's account to become locked immediately. The system rejects further login attempts until the lockout duration expires.

Lockout Duration
    This rule defines the number of minutes that an administrator's account remains locked after reaching the maximum number of successive failed login attempts. The range of values for this parameter is

Application warning banners

Warning banners display advisory warnings before and after log on, for all application interfaces. Warning banners typically state the legal implications of logging on to a system.

Administrative user accounts

By default, the system defines the following administrative user account roles for the AS 5300 Element Manager Console and the Avaya Aura Provisioning Client.

Table 5: AS 5300 Element Manager Console administrative user account roles

secadmin
    Administrators assigned to this role are authorized for all AS 5300 Element Manager Console services. The default admin user is assigned this role by default. Only a user with the secadmin role can assign the secadmin role to another user or make modifications to this account. You can delete the admin user only if another user is assigned to the secadmin role. In addition, this role has the following properties and limitations:
    - at least one secadmin account must be enabled (for example, you cannot delete the default admin user unless another user is assigned to the secadmin role)
    - only a user assigned to the secadmin role can add, modify or delete another account assigned to the secadmin role
    - only a user assigned to the secadmin role can reset the password of another user with the secadmin role
    - users assigned to the secadmin role are immune to lockout
    - users assigned to the secadmin role can log on to the system even if the Maximum session limit is reached

admin
    Administrators assigned to this role are authorized for all AS 5300 Element Manager Console services. This is the default role. All new users are automatically assigned to this role.

no access
    Users assigned to this role have no authorization privileges at the AS 5300 Element Manager Console, except for those services that do not require authorization.

Table 6: Avaya Aura Provisioning Client administrative user account roles

SuperUser
    This role has no initial users. This role cannot be modified or deleted by any administrator. Take care when assigning this role to any administrator, because it gives full access to all the provisioning data.

secadmin
    The default admin user is assigned to this role by default and has full access to all provisioning data. In addition, this role has the following properties and limitations:
    - at least one secadmin account must be enabled (for example, you cannot delete the default admin user unless another user is assigned to the secadmin role)
    - only a user assigned to the secadmin role can add, modify or delete another account assigned to the secadmin role
    - only a user assigned to the secadmin role can reset the password of another user with the secadmin role
    - users assigned to the secadmin role are immune to lockout
    - users assigned to the secadmin role can log on to the system even if the Maximum session limit is reached

Special rules for the Security Administrator

The Security Administrator (SA) for the AS 5300 Element Manager Console and the Avaya Aura Provisioning Client is an administrator with the SA (that is, secadmin) role. An SA has total control and access. The following rules apply to SAs:
- There must be at least one enabled SA account in the system. If only one SA account exists in the system, you cannot delete or disable that account.
- The SA user has complete access to every service provided by the AS 5300 Element Manager Console (or by the OMI interface).
- Only an SA user can add, update or delete another user account with the SA role.
- Only an SA user can reset the password for another SA user.
- The SA account is immune to lockout from failed login attempts. This exemption is necessary to prevent denial of service attacks whereby a malicious system could lock out the SA by initiating successive invalid log on attempts against the SA account. Although the SA account cannot be locked out, the system generates standard security logs for log on failures.
- Regardless of the engineered maximum number of simultaneous logons, the SA account can always log on.
- An SA user can force off the log on session of another SA.

Because of these capabilities, consider carefully before assigning the SA role to another administrator. However, Avaya recommends that every system have at least one other administrator who is assigned the SA role in addition to the global administrator. This provides a backup in case the global administrator is unavailable, or in case the password of the global administrator is forgotten.

MCP SNMP Community Strings

You can update MCP SNMP Community Strings by using the AS 5300 Element Manager user interface. To change the SNMP Community String, you must create a new profile (you cannot modify existing SNMP profiles) and then assign it to each server. For more information, see AS5300 Security Hardening.
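The lockout and idle-timeout behaviour described under "Log on session constraints", together with the SA lockout immunity stated above, as an added example in Python (not Avaya code). Time is passed in explicitly (in minutes) so the model runs offline; the class and method names, the role name used to detect an SA ("secadmin", as on this page), and the sample accounts are this example's own assumptions.

```python
import hmac
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class LogonRules:
    """Session constraints from this page; defaults are the installation defaults."""
    failed_attempts_before_lockout: int = 5   # 0 disables lockout entirely
    lockout_duration_min: int = 1
    session_timeout_min: int = 0              # 0 disables (not allowed for the Provisioning Client)


@dataclass
class Account:
    name: str
    password: str                 # plain text only because this is an offline model
    roles: set
    failures: int = 0
    locked_until: Optional[float] = None   # model time in minutes


@dataclass
class Session:
    admin: str
    last_activity: float          # model time in minutes


class LogonGuard:
    """Tracks failed attempts, lockouts and idle sessions against a LogonRules set."""

    def __init__(self, rules: LogonRules):
        self.rules = rules
        self.security_log = []    # (time, account, event) - failures are logged for every account

    def attempt(self, acct: Account, password: str, now: float) -> str:
        """Return "ok", "bad_password" or "locked"."""
        if acct.locked_until is not None and now < acct.locked_until:
            # The system rejects further attempts until the lockout duration expires.
            self.security_log.append((now, acct.name, "attempt while locked"))
            return "locked"
        if not hmac.compare_digest(password.encode(), acct.password.encode()):
            acct.failures += 1
            # Logged even for an SA, who is immune to lockout but not to auditing.
            self.security_log.append((now, acct.name, "log on failure"))
            limit = self.rules.failed_attempts_before_lockout
            if limit and "secadmin" not in acct.roles and acct.failures >= limit:
                acct.locked_until = now + self.rules.lockout_duration_min
                acct.failures = 0
                self.security_log.append((now, acct.name, "account locked"))
                return "locked"
            return "bad_password"
        acct.failures = 0          # assumption: a success resets the failure counter
        acct.locked_until = None
        self.security_log.append((now, acct.name, "log on success"))
        return "ok"

    def needs_reauth(self, session: Session, now: float, operation: str) -> bool:
        """Idle-timeout rule for Configuration Management clients: after the timeout,
        write and maintenance operations need reauthentication; reads carry on."""
        timeout = self.rules.session_timeout_min
        if timeout == 0 or now - session.last_activity <= timeout:
            return False
        return operation in ("write", "maintenance")


if __name__ == "__main__":
    guard = LogonGuard(LogonRules())
    ops = Account("ops", "Tr0ub4dor!", {"admin"})          # constructed sample account
    print([guard.attempt(ops, "wrong", t) for t in range(5)])
    print(guard.attempt(ops, "Tr0ub4dor!", 4.5), guard.attempt(ops, "Tr0ub4dor!", 5.5))
```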
Administrative security services

When you create or manage AS 5300 Element Manager administrative user roles, protect access to the services used to control AS 5300 Element Manager security configuration. These services include:
- AdminUserService: This service controls the adding, editing, and removal of administrative users (AS 5300 Element Manager Console administration menu item User Administration). It also controls force-out operations and password administration (administration menu items Set Administrator Password and Force Password Change).
- BannerConfigService: This service controls configuration of the system log on banners (Banners application in the Network Data and Mtc folder of the AS 5300 Element Manager Console topology tree).
- ConfigRoleAssignmentService: This service controls the assignment of roles to administrative users (AS 5300 Element Manager Console administration menu item Role Assignment).
- ConfigRoleDefinitionService: This service manages the adding, editing, and removal of administrative roles (AS 5300 Element Manager Console administration menu item Role Definition).
- DebugSecurityService: This service controls the management of debug roles and debug security settings (AS 5300 Element Manager Console administration menu items Debug Security Settings and Debug Role Assignment). Debugging control is supported only for Avaya technicians, and debugging security access should be limited to the administrators who interface with Avaya technicians.
- LogonRulesService: This service controls the management of system log on rules for both the Element Manager and the Provisioning Manager (AS 5300 Element Manager Console administration menu item Log on Rules).
- PasswordRulesService: This service controls the management of system password rules for both the EM and the Provisioning Manager (AS 5300 Element Manager Console administration menu item Password Rules).
- LogProcessingRulesService: This service controls Log Processing configuration for FPs (the AS 5300 Element Manager and any Fault Performance Managers in the system). Part of the configuration controlled by this service is the ability to configure where Security Logs are stored, as well as the remote destinations to which these Security Logs can be pushed using FTP. Consider these points very carefully before granting write access to this service. It is highly recommended that only Security Administrators have write access to this service.
- LogBrowserFeedService: This service controls the configuration of the Log Browser Feed functionality on the AS 5300 Element Manager. Because the Log Browser Feed is available to anyone who can log in to the AS 5300 Element Manager, take care to ensure that the Log Browser Feed is configured so that security logs are filtered out, if desired.

Application administrator (Admin) security defaults

After installation, the following (minimal) application security rule defaults exist:
- The following AS 5300 Element Manager Console roles exist: admin, no access, and secadmin. You cannot modify these roles. The admin and secadmin roles allow access to all services.
- The following Avaya Aura Provisioning Client roles exist: SuperUser and secadmin. Both roles allow access to all services. You cannot delete or modify these roles. The secadmin role receives special treatment, whereas the SuperUser role is an ordinary role with all service rights.

- A single admin user exists with the secadmin role. This is the Security Administrator (SA). You can change the admin user's role, or delete the admin user account, but only if another Security Administrator account exists in the system.
- The password for the admin user is admin.
- The Minimum Password Length value is 4.
- The Minimum Lowercase Characters value is 0.
- The Minimum Uppercase Characters value is 0.
- The Minimum Digits value is 0.
- The Minimum Special Characters value is 0.
- The Maximum Consecutive Characters value is 0.
- The Minimum Characters Different From Previous Password value is 0.
- The Password History value is 1 (users cannot reuse their current password).
- The User ID or Reversed User ID Permitted in Password value is TRUE.
- The Check For Dictionary Words in Password value is FALSE.
- The Maximum Password Life value is 0 (no expiry).
- The Minimum Password Life value is 0 (passwords can be changed immediately).
- The Expiry Notification value is 0 (no notification).
- The session timeout for the Configuration Management interface is 0 minutes (no timeout). For the Avaya Aura Provisioning Client, the session timeout value is 15 minutes.
- The number of successive failed attempts to log on before lockout is 5.
- The Lockout Duration is 1 minute.
- The Account Inactivity period value is 0.

Web server logs

You can enable web server logs on the AS 5300 Element Manager and the Provisioning Manager. After you enable web server logs, the system writes the logs to the NE application logs. These logs are found in the following directories on the AS 5300 Element Manager servers:
- If security logs are enabled: /var/mcp/oss/seclog/sm/security/mcp/<ne>
- If security logs are not enabled: /var/mcp/oss/log/sm/all/mcp/<ne>

Internal database account security

During Database installation, the system creates a system-level account with a static name, and randomly generates a password. A System Administrator (SSA) can reset the password for the system-level account, should security policy require it. For more information, see Database password management on page 63.

Database application security

There are two accounts for database management:

- Schema account
- Application account

For more information about how to change the passwords for these accounts, see Database password management on page 63.

Subscriber security

The Avaya Aura Application Server 5300 system controls subscriber access with passwords. Subscriber passwords are subject to a password policy, which defines password protection requirements. You associate a password policy with a domain to apply the policy to all passwords for the subscribers of that domain. You can create multiple password policies for an Avaya Aura Application Server 5300 system, to associate with different domains.

Two reserved password policies for the system exist:

- Default: assigned to new domains as they are added to the system (if you do not specify another password policy). You can modify the default policy.
- No Policy: disables all password protection associated with password policy. You cannot modify this policy.

You can configure the following subscriber password protection requirements:

- A minimum password length that must be between 4 and 32 characters. The specified value must be greater than the sum of the Minimum Number of Digits, Minimum Number of Lowercase Characters, Minimum Number of Uppercase Characters and Minimum Number of Special Characters.
- A maximum password length of 511 characters (which is not administrator configurable).
  Note: This upper bound may exceed the longest password length that some phone client types support. Verify the capabilities of your phone client before creating a long password.
- A minimum of 0 to 10 numerical characters that must be present in the password.

- A minimum of 0 to 10 lowercase characters that must be present in the password.
- A minimum of 0 to 10 uppercase characters that must be present in the password.
- A minimum of 0 to 10 special characters that must be present in the password. Valid special characters: - _ & ' ^?! ( ), / \ : ; ~ = +
- A maximum of 0 to 10 identical consecutive characters allowed in the password.
- A minimum of 0 to 10 characters in the password that must be different from the previous password.
- A password history of 0 to 24 previously used passwords, to prevent reuse.
- An option to allow or disallow the user ID or reversed user ID in the password.
- An option to enable or disable dictionary word checking in the password.

Subscriber password protection also includes the following measures:

- Initial password reset, which forces a subscriber to change the original password given by an administrator to something known only to the subscriber.
- Subscriber lockout, which temporarily locks all authorization attempts for a subscriber when the number of failed authorizations reaches the configured threshold, enforced as follows:
  - A maximum of 1 to 10 failed authorization attempts
  - A lockout duration of 0 to 3600 seconds
- An option to configure a Maximum Password Life value, which requires subscribers to periodically change their password every 0 to 180 days.
- An option to configure a Minimum Password Life value, which limits how often subscribers can change their password.
- An option to configure Expiry notification, which warns users whose password is about to expire.
- An option to configure an Account inactivity period, which locks the account after a specified number of consecutive days with no activity.

Password policies and domains

A password policy is not enforceable on subscribers until it is associated with a domain. When a password policy is associated with a domain, all subscribers in that domain must conform to that password policy.
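The following is an added example, not code from the AS 5300 product or this document, that implements the configurable subscriber password protection requirements listed above as a checker, and encodes the administrator password defaults from the "Application administrator (Admin) security defaults" section as one policy instance. The policy field names, the small stand-in dictionary, the interpretation of a Maximum Consecutive Characters value of 0 as "not enforced", and the positional comparison used for "characters different from the previous password" are this example's own assumptions.

```python
"""Password policy checker modelled on the AS 5300 subscriber password
protection requirements.  Added example, not product code."""
from dataclasses import dataclass
from typing import List

# Constructed from the characters the document lists as valid specials.
SPECIAL_CHARS = set("-_&'^?!(),/\\:;~=+")
MAX_PASSWORD_LENGTH = 511   # fixed upper bound, not administrator configurable
# Toy stand-in for the "Check For Dictionary Words" option (assumption).
DICTIONARY = {"password", "welcome", "letmein", "avaya"}


@dataclass
class PasswordPolicy:
    min_length: int = 4          # 4..32
    min_digits: int = 0          # each of these: 0..10
    min_lowercase: int = 0
    min_uppercase: int = 0
    min_special: int = 0
    max_consecutive: int = 0     # assumption: 0 means not enforced
    min_different: int = 0       # chars that must differ from previous password
    history: int = 1             # 0..24 previous passwords remembered
    userid_permitted: bool = True
    dictionary_check: bool = False

    def __post_init__(self) -> None:
        # The document: min length must exceed the sum of the per-class minimums.
        class_sum = (self.min_digits + self.min_lowercase
                     + self.min_uppercase + self.min_special)
        if not 4 <= self.min_length <= 32 or self.min_length <= class_sum:
            raise ValueError("min_length must be 4..32 and exceed the sum "
                             "of the per-class minimums")


# The post-installation administrator defaults from the document.
ADMIN_DEFAULTS = PasswordPolicy()


def _max_run(s: str) -> int:
    """Length of the longest run of identical consecutive characters."""
    best = run = 0
    prev = None
    for ch in s:
        run = run + 1 if ch == prev else 1
        prev = ch
        best = max(best, run)
    return best


def _chars_different(new: str, old: str) -> int:
    """Positional count of differing characters (assumed interpretation)."""
    diff = sum(1 for a, b in zip(new, old) if a != b)
    return diff + abs(len(new) - len(old))


def check_password(pw: str, policy: PasswordPolicy, user_id: str,
                   previous: List[str]) -> List[str]:
    """Return the list of policy violations; an empty list means compliant.

    `previous` is the subscriber's password history, most recent first.
    """
    problems: List[str] = []
    if len(pw) < policy.min_length:
        problems.append("too short")
    if len(pw) > MAX_PASSWORD_LENGTH:
        problems.append("too long")
    if sum(c.isdigit() for c in pw) < policy.min_digits:
        problems.append("not enough digits")
    if sum(c.islower() for c in pw) < policy.min_lowercase:
        problems.append("not enough lowercase")
    if sum(c.isupper() for c in pw) < policy.min_uppercase:
        problems.append("not enough uppercase")
    if sum(c in SPECIAL_CHARS for c in pw) < policy.min_special:
        problems.append("not enough special characters")
    if policy.max_consecutive and _max_run(pw) > policy.max_consecutive:
        problems.append("too many identical consecutive characters")
    if previous and _chars_different(pw, previous[0]) < policy.min_different:
        problems.append("too similar to previous password")
    if policy.history and pw in previous[:policy.history]:
        problems.append("password reused")
    low = pw.lower()
    uid = user_id.lower()
    if not policy.userid_permitted and (uid in low or uid[::-1] in low):
        problems.append("contains user ID or reversed user ID")
    if policy.dictionary_check and any(w in low for w in DICTIONARY):
        problems.append("contains dictionary word")
    return problems
```

Under ADMIN_DEFAULTS the factory password admin for user admin passes, which is exactly why the document lists replacing it among the first hardening steps; a domain policy with per-class minimums, a consecutive-character cap, history and the user-ID check rejects it.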
When you create a password policy, you can either select the policy during the creation of a domain, or update a domain and select the policy to use. You can explicitly identify a password policy association when creating a new domain. You can change the password policy of a domain through the domain modification process. If you do not explicitly select a password policy when creating a new domain, the domain is given the Default password policy.

When you create a new subscriber account, the initial password reset value for the domain determines whether the newly created subscriber must change the initial password. Because this determination occurs at the time of account creation, subsequent changes to the password policy, or the movement of the subscriber from one domain to another, have no effect. Therefore, any user that you create with the initial password reset value of false can log on without resetting the password, regardless of any subsequent changes to the value of that password policy parameter.

If you move a subscriber from one domain to another domain, the subscriber must update the password. The password is validated for conformance during any subsequent attempt to access the Avaya Aura Application Server 5300 Personal Agent (by the subscriber) or any subsequent data change attempted on the subscriber account by an administrator. The password policy prevents subscribers from maintaining passwords that do not conform to the password policy associated with the domain in which they are assigned (they can actually have a noncompliant password for a while). They can keep their passwords as long as they do not log on to their Avaya Aura Application Server 5300 Personal Agent account. If they log on to their Avaya Aura Application Server 5300 Personal Agent with a nonconforming password, they are directed to the password change page and cannot do anything on Avaya Aura Application Server 5300 Personal Agent before changing their password.

Password expiry during active call

If a subscriber password expires or changes during an active call, the call is not disconnected during re-registration. The AS 5300 Session Manager skips the credential validation for the subscriber and sends a registration successful message if the re-registration request is received during an active call. If the AS 5300 UC Client sends a Register message where the Expires value exceeds one hour, the SESM changes it to one hour (3600 seconds) to force the client to send the next re-registration earlier.
If the next re-registration request is received while the user is not on an active call, the authorization happens as normal.

Subscriber lockout

Password policy includes the Max Failed Attempts and LockoutDuration parameters. The system evaluates each subscriber authorization attempt against the password policy for the current domain, at the time that the authentication attempt occurs. The system manages authorization attempts on a per network element basis as follows:

- After a successful authorization attempt, the count of failed authorization attempts resets.
- If the successive count of failed authorization attempts reaches the Maximum Failed Login threshold, the subscriber is locked out for the number of seconds given by the value of LockoutDuration and a log is generated:
  ALERT 530 User ID: <<subscriber>> locked out for <<X>> seconds
- If the value of Lockout Duration is 0, subscriber lockout is disabled. The system does not lock out any subscribers, regardless of failed authorization attempts.

- During lockout, any attempt to authorize the locked out subscriber fails.

Important: The system manages authorization attempts internally, by each application. The count does not persist after a failover.

If you update the password policy for the domain, or move a subscriber to a new domain, the following points apply to the next failed authorization attempt:

- If the new value of Maximum Failed Login is lower than the current number of failed attempts for a subscriber, the system locks the subscriber out on the next failed authorization attempt.
- If the new value of Maximum Failed Login is higher than the current number of failed attempts, the system locks the subscriber out after the number of failed attempts reaches the new threshold. Any failed authorization attempts prior to the change contribute to the total count.
- If a subscriber is currently locked out, the changes do not affect that subscriber until after the lockout duration expires.
- If the new value of Lockout Duration is 0 (disabled), a subscriber's failed authorization attempts clear at the next authorization attempt.

Lockout clearing

Generally, after a lockout occurs, the subscriber cannot log on until the lockout duration expires. While the lockout duration does increase security, you can clear a lockout condition manually. For more information, see Avaya Aura Application Server 5300 Using the Provisioning Client, NN

Important: If the lockout clearing procedure becomes a common request, consider raising the Maximum Failed Login value or lowering the Lockout Duration value, to provide a balance between security and subscriber support.

Domain security

After you add new domains to a hardened system, you must modify the following to ensure proper security.

- Domain security profile: You must configure the domain security profile to Security Enforced for both signaling and media. For more information, see AS5300 Security Hardening.
- PA HTTP port: You must turn off the PA HTTP port for each domain by configuring the PA HTTP port to 0. For more information, see AS5300 Security Hardening.
- Subscriber password policy: You must configure the appropriate subscriber password policy for each domain. For more information, see AS5300 Security Hardening.
- DSCP (non-MLPP) configuration: You must assign the non-MLPP DSCP values for each domain. For more information, see AS5300 Security Hardening.
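The lockout behaviour described in the "Subscriber lockout" section above, as an added example that is not AS 5300 code: each network element keeps its own in-memory count of failed authorization attempts (nothing survives a failover), a successful attempt resets the count, reaching Max Failed Attempts locks the subscriber for LockoutDuration seconds and emits the ALERT 530 log line, a LockoutDuration of 0 disables lockout and clears counts, a policy change applies its new threshold to the next failed attempt, and a running lockout is left to expire. The class and method names, the FakeClock, and the assumption that the count restarts at zero once a lockout has been imposed are this example's own.

```python
"""Per-network-element subscriber lockout tracker (added example)."""
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


@dataclass
class LockoutPolicy:
    max_failed: int        # Max Failed Attempts, 1..10
    lockout_duration: int  # LockoutDuration in seconds, 0..3600; 0 = disabled


@dataclass
class _SubscriberState:
    failed: int = 0
    locked_until: Optional[float] = None


class LockoutTracker:
    """Authorization state for one network element; not replicated."""

    def __init__(self, policy: LockoutPolicy,
                 clock: Callable[[], float] = time.time) -> None:
        self.policy = policy
        self.clock = clock
        self._states: Dict[str, _SubscriberState] = {}
        self.logs: List[str] = []    # stands in for the generated log stream

    def update_policy(self, policy: LockoutPolicy) -> None:
        """Domain policy change or subscriber move: counts are kept and the
        new thresholds apply from the next attempt."""
        self.policy = policy

    def is_locked(self, subscriber: str) -> bool:
        state = self._states.get(subscriber)
        if state is None or state.locked_until is None:
            return False
        if self.clock() >= state.locked_until:
            state.locked_until = None     # lockout duration expired
            return False
        return True

    def clear_lockout(self, subscriber: str) -> None:
        """Manual lockout clearing (the administrative action)."""
        self._states[subscriber] = _SubscriberState()

    def authorize(self, subscriber: str, credential_ok: bool) -> bool:
        """Record one authorization attempt and return its outcome."""
        state = self._states.setdefault(subscriber, _SubscriberState())
        if self.is_locked(subscriber):
            return False                  # every attempt fails during lockout
        if self.policy.lockout_duration == 0:
            state.failed = 0              # lockout disabled: counts clear
            return credential_ok
        if credential_ok:
            state.failed = 0              # success resets the counter
            return True
        state.failed += 1
        if state.failed >= self.policy.max_failed:
            state.locked_until = self.clock() + self.policy.lockout_duration
            state.failed = 0              # assumption: fresh count afterwards
            self.logs.append(
                f"ALERT 530 User ID: {subscriber} locked out for "
                f"{self.policy.lockout_duration} seconds")
        return False


class FakeClock:
    """Constructed clock so lockout expiry can be demonstrated offline."""

    def __init__(self, start: float = 1000.0) -> None:
        self.now = start

    def advance(self, seconds: float) -> None:
        self.now += seconds

    def __call__(self) -> float:
        return self.now


def demo() -> List[str]:
    """Three failures with Max Failed Attempts = 3 lock the subscriber; the
    correct password is rejected until the 60 second lockout has passed."""
    clock = FakeClock()
    tracker = LockoutTracker(LockoutPolicy(max_failed=3, lockout_duration=60),
                             clock)
    for _ in range(3):
        tracker.authorize("alice", False)
    rejected_while_locked = tracker.authorize("alice", True)
    clock.advance(60)
    accepted_after_expiry = tracker.authorize("alice", True)
    return tracker.logs + [f"during lockout: {rejected_while_locked}",
                           f"after expiry: {accepted_after_expiry}"]
```

Because the state lives in each application instance, a failover or restart gives every subscriber a fresh count, which is the limitation the document's Important note calls out; tuning Max Failed Attempts and Lockout Duration together, rather than clearing lockouts by hand, is the balance the "Lockout clearing" note recommends.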

File system integrity

The installation software contains a file system integrity (FSI) tool called fcheck. Use this tool to monitor changes in the file system for unauthorized modifications. Only the user with SSA role or the root user can run the fcheck tool commands.

With this tool, you can create FSI baselines for later verification, to detect unauthorized changes to the file system. A baseline is the snapshot of all the system files including their size and permissions, at the time of baseline creation. The verification process detects the following changes:

- Addition and removal of files
- Modification of files and attributes
- File sizes and MD5 signatures

The operating system (OS) and Avaya Aura Application Server 5300 software modify files and directories as a normal function of operation. Baseline checking excludes all log files and log directories, because of their nature (with respect to file system changes).

The following OS and Avaya Aura Application Server 5300 directories are included in baseline checking:

/var/mcp/dropbox
/var/mcp/dropbox/.auditloads_chksumcache
/var/mcp/run/<mcp_release>/sm_0/work
/var/mcp/run/<mcp_release>/loads_0
/var/mcp/run/<mcp_release>/loads_0/bin
/var/mcp/run/<mcp_release>/loads_0/work
/etc/adjtime
/etc/ntp
/etc/ntp/ntp.drift
/etc/ntp/ntpstats/peerstats
/var/mcp/os/baselines
/opt/mcp/uvscan/result.txt
/opt/mcp/fcheck

Avaya recommends that you create FSI baselines weekly and after significant changes to the file system (such as software installation).

Verification reports

After verification, fcheck reports findings of changes to the monitored files and directories, to standard out (STDOUT). The tool reports file and directory changes by using the keyword stat on file or dir. The tool checks the following file and directory attributes for changes: inode number, permission, file size, time of last status change, file UID, file GID, and file CRC hash.

FSI baseline management

The system stores FSI baseline files in the /var/mcp/os/baselines directory. If the directory contains more than 15 files, a warning message appears on STDOUT when you run the fcheck tool. The system also generates Syslog messages to remind you to back up the older baseline files to prevent the partition from filling up.

You can list all of the baselines currently on the system; the file marked baseline is the one the system uses for verification. You can also choose a new baseline file for verification (unset the current file and set another).

FSI baseline exclusions

Some files and directories on the system change on a regular basis. Because the verification process would always report these files as changed, they are not good candidates for monitoring, and are therefore excluded from the baseline. The excluded files and directories are as follows:

/opt/mcp/db/product/10.2.0/network/log/
/opt/mcp/db/oradata/mcpdb/
/opt/mcp/ossec/logs
/var/mcp/os/baselines/baseline.dbf
/var/mcp/oss/log/
/var/mcp/oss/om/
/var/mcp/oss/tmom/
/dev/core
/dev/fd
/dev/stderr
/dev/stdin
/dev/stdout
/var/mcp/db/data/mcpdb/
/var/mcp/db/data/adump/
/var/mcp/run/ned/ned.log
/var/mcp/spool/log/
/var/mcp/spool/om/
/var/mcp/spool/tmom/

FSI baseline backup and restore

An SSA (for example, ntsysadm) can back up FSI baseline files to, or restore them from, either the local server or a remote server. For more information, see AS5300 Backup and Restore and Avaya Aura Application Server 5300 Administration, NN
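The baseline-and-verify cycle described in the "File system integrity" section, as an added example that is not the fcheck tool and does not use its baseline format: a baseline records inode number, permission mode, size, ctime, UID, GID and an MD5 digest of content for each monitored path, an exclusion list drops paths that change routinely (log directories), and a verification pass reports additions, removals and changed attributes. The rule that a directory entry ending in "/" is monitored recursively, and that an exclusion ending in "/" covers everything below it, follows the page's description of the fcheck configuration attributes; the function names and the demo tree (built in a temporary directory) are this example's own.

```python
"""Minimal file-system-integrity baseline and verification (added example)."""
import hashlib
import json
import os
import tempfile
from typing import Dict, List

Baseline = Dict[str, Dict[str, object]]


def _excluded(path: str, exclusions: List[str]) -> bool:
    """An exclusion ending in '/' covers the directory and its subtree;
    any other exclusion must match the path exactly."""
    for ex in exclusions:
        if ex.endswith("/"):
            if path == ex.rstrip("/") or path.startswith(ex):
                return True
        elif path == ex:
            return True
    return False


def _fingerprint(path: str) -> Dict[str, object]:
    """Attributes the document lists for a monitored file or directory."""
    st = os.lstat(path)
    rec: Dict[str, object] = {
        "inode": st.st_ino, "mode": st.st_mode, "size": st.st_size,
        "ctime": int(st.st_ctime), "uid": st.st_uid, "gid": st.st_gid,
    }
    if os.path.isfile(path) and not os.path.islink(path):
        digest = hashlib.md5()
        with open(path, "rb") as fh:
            for chunk in iter(lambda: fh.read(65536), b""):
                digest.update(chunk)
        rec["md5"] = digest.hexdigest()
    return rec


def create_baseline(directories: List[str], exclusions: List[str]) -> Baseline:
    """Snapshot every monitored path; a trailing '/' means recurse."""
    baseline: Baseline = {}
    for entry in directories:
        recursive = entry.endswith("/")
        root = entry.rstrip("/") or "/"
        if not os.path.lexists(root) or _excluded(root, exclusions):
            continue
        baseline[root] = _fingerprint(root)
        if not os.path.isdir(root):
            continue
        for dirpath, dirnames, filenames in os.walk(root):
            # Prune excluded subtrees so os.walk never descends into them.
            dirnames[:] = [d for d in dirnames
                           if not _excluded(os.path.join(dirpath, d), exclusions)]
            for name in dirnames + filenames:
                child = os.path.join(dirpath, name)
                if not _excluded(child, exclusions):
                    baseline[child] = _fingerprint(child)
            if not recursive:
                break                      # top level only
    return baseline


def verify(baseline: Baseline, directories: List[str],
           exclusions: List[str]) -> Dict[str, object]:
    """Compare the live file system with a baseline and report differences."""
    current = create_baseline(directories, exclusions)
    changed: Dict[str, List[str]] = {}
    for path in set(current) & set(baseline):
        diff = [k for k in sorted(set(current[path]) | set(baseline[path]))
                if current[path].get(k) != baseline[path].get(k)]
        if diff:
            changed[path] = diff
    return {"added": sorted(set(current) - set(baseline)),
            "removed": sorted(set(baseline) - set(current)),
            "changed": changed}


def demo() -> Dict[str, object]:
    """Baseline a constructed tree, tamper with it, then verify."""
    top = tempfile.mkdtemp(prefix="fsi_demo_")
    os.makedirs(os.path.join(top, "loads_0", "bin"))
    os.makedirs(os.path.join(top, "log"))
    script = os.path.join(top, "loads_0", "bin", "start.sh")
    with open(script, "w") as fh:
        fh.write("#!/bin/sh\necho ok\n")
    with open(os.path.join(top, "log", "app.log"), "w") as fh:
        fh.write("startup\n")
    dirs = [top + "/"]                        # recursive monitoring
    excl = [os.path.join(top, "log") + "/"]   # logs change all the time
    baseline = create_baseline(dirs, excl)
    # Tampering: same-size content change, a new file, and log growth.
    with open(script, "w") as fh:
        fh.write("#!/bin/sh\necho no\n")
    with open(os.path.join(top, "loads_0", "bin", "extra.so"), "w") as fh:
        fh.write("x")
    with open(os.path.join(top, "log", "app.log"), "a") as fh:
        fh.write("more\n")
    return verify(baseline, dirs, excl)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

The same-size edit to start.sh is the case a size-and-permissions check alone would miss; the content digest catches it, while the appended log line produces no finding because the log directory is excluded, mirroring why the document excludes /var/mcp/oss/log/ and the other log paths from its baselines.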

Configuration file

The fcheck configuration file is located at /opt/mcp/fcheck. The fcheck tool uses the following configuration attributes to specify the files and directories to be monitored:

- Directory: specifies a directory to be monitored. A forward slash (/) at the end of the directory indicates recursive directory monitoring.
- Exclusion: excludes directories and files that are not intended for monitoring, such as log files that are known to change frequently on an ongoing basis.

Important: Use the configuration file only for troubleshooting purposes.

HTTPS certificates

After installation, a default self-signed certificate exists for all HTTPS communications. Avaya recommends that you replace the certificate with a CA-signed certificate for each component in the system. After you replace the certificates, you must configure the AS 5300 Element Manager and the Provisioning Manager to use the new certificate. For more information, see Application security configuration on page 103.

AS 5300 Element Manager Console CAC integration

The AS 5300 Element Manager Console supports the use of the ActivClient Common Access Card (CAC) PKCS11 library for Department of Defense (DoD) CAC integration. After you install the ActivClient software and configure the AS 5300 Element Manager Console to use the CAC, administrators must enter the personal identification number (PIN) from the CAC, as well as their user name and password, to authenticate. For more information about how to configure the AS 5300 Element Manager Console to use CAC, see Configuring the AS 5300 Element Manager Console with certificates for HTTPS and SIP CAC on page 105. For more information about how to use the AS 5300 Element Manager Console, see Avaya Aura Application Server 5300 Configuration, NN

AS5300 UC Client CAC integration

The Application Server 5300 UC Client supports the use of the ActivClient Common Access Card (CAC) for Department of Defense (DoD) CAC integration. After you insert the CAC, enter the personal identification number (PIN) for the ActivClient and then enter the user name and password for Application Server 5300 UC Client to authenticate. For more information about how to install and launch Application Server 5300 UC Client, see Avaya Aura Application Server 5300 UC Client User Guide, NN For more information about how to use the Common Access Card, see AS 5300 Card Reader Installation for UC Client.

Application logging

About this task

After you harden the MCP application logging, the system writes network element (NE) logs to the following directories on the servers hosting the AS 5300 Element Manager Console NEs:

- non security logs: /var/mcp/oss/log/sm/nonsecurity
- security logs: /var/mcp/oss/seclog/sm/security

The non security related logs can be viewed by users in the AA role. The secure logs can only be viewed by users in the SSA or SA roles. For more information, see AS5300 Security Hardening.

In addition to the NE logs, the AS 5300 Element Manager Console and Provisioning Manager NEs also write access logs to the platform. The AS 5300 Element Manager Console writes logs to the /var/mcp/run/<mcp version>/<EM_NEI_name>/tomcat/logs/ directory. The <EM_NEI_name> is the instance name of the AS 5300 Element Manager Console on that server. For example, SM1_0 denotes the primary AS 5300 Element Manager Console instance. The Provisioning Manager writes logs to the /var/run/<mcp version>/<prov_nei_name>/tomcat/log/ directory. The <Prov_NEI_name> is the instance name of the Provisioning Manager on that server. For example, PROV1_0 denotes the primary Provisioning Manager instance.

Important: You must remove these logs after you undeploy the network element instance.
Security logs

This section contains information about security logs.

Navigation:

- Syslog on page 58
- System audit on page 58
- Failed logons on page 59
- File activity in restricted areas on page 60
- Backup of security logs on page 61

Syslog

The system stores syslogs and security-related syslogs in the var/logs directory. Administrators who have the role of SA or SSA can view syslogs. Only the root user can delete syslogs from the system. However, the SA can force the logs to rotate by using the logrotate command.

By default, syslogs rotate daily and store up to 15 days' worth of logs. After 15 days, the system deletes the oldest log on a daily basis. Avaya recommends that you transfer the logs from the server within 15 days, to prevent the loss of any log files after file rotation.

You can also configure the system to send syslogs to a syslog server. This configuration typically occurs during system installation, but the SSA can choose to configure this at run time by issuing the reconfigure script. You must configure the remote syslog server as a trusted node if an ACL firewall is configured on the system.

System audit

You can use audit logs to track and monitor administrative user behavior. The system generates these logs and they can only be viewed by the SA or SSA. Audit logs record the following data:

- time and date of action
- userid and PID of action
- command issued
- success or fail status
- object operated on
- terminal type
- exit code

The system stores audit logs in /var/log/audit. By default, the logs rotate daily, and the system stores up to 15 days' worth of audit logs. After 15 days, the system deletes the oldest log. An SSA or SA can force audit logs to rotate by issuing the logrotate command. Only the root user, or an SSA with root access, can delete audit logs.

Audit logs are rotated daily and can store up to 15 days of logs. After 15 days, the oldest log is deleted on a daily basis. In the event that the /var/log partition fills up, any SSA with root access can log on and delete these logs. Avaya recommends that you back up the logs before deleting them.

If the system cannot write to the audit log, the system sends a message to syslog to indicate the failure. After the free disk space for this partition drops below 750 MB, the system sends a warning message to syslog. After the free disk space for this partition drops below 250 MB, the system sends another message to syslog to indicate that the disk is full, and logging may be interrupted. If the disk partition fills up, Avaya recommends that you back up the logs, and then log on as root and delete them.

To view the current audit rules, open the file /etc/audit/audit.rules as an SSA user on any SIP Core or Avaya Media Server (MS). The rules are specific to either SIP Core or Avaya MS, so different servers display different sets of rules.

Warning: Do not change the audit rules file. If you change this file, auditing might cease to function on the system.

Typically, system audit configuration occurs during initial installation. However, the SSA can configure audit log settings by issuing the following command:

configaudit

You can also configure audit log settings by running the reconfigure script. If you change the audit log configuration, you must reboot the system.

Any SSA or SA user can use the following tools to view audit logs:

- aureport: produces a summarized report on the audit logs.
- ausearch: searches for patterns in the audit log (use --help for instructions).

Users with SSA or SA roles can also view the audit logs using vi and grep, if required. Audit logs can be archived and transferred to another server for archiving or filtering. The system does not delete the audit logs on the server; it transfers a copy of the logs.
You must be a root user to delete logs to free disk space. For more information, see AS5300 Backup and Restore.

Failed logons

To view failed log on attempts, use the grep command on the audit log files and search for the words "authentication" and "failed". The following example shows a failed login from the server command line:

> grep authentication /var/log/audit/* | grep failed
/var/log/audit/audit.log:type=user_auth msg=audit( :8886): user pid=3739 uid=0 auid= msg='pam: authentication acct="ntsysadm" : exe="/usr/sbin/sshd" (hostname= , addr= , terminal=ssh res=failed)'

The resulting output displays the following data:

- record ID for audit
- user ID and log on name
- host where the log on was attempted

As shown in the following example, a summary report displays the number of failed attempts.

Summary Report
======================
Range of time in logs: 05/10/ :56: /10/ :13:
Selected time for report: 05/10/ :56:37-05/10/ :13:
Number of changes in configuration: 110
Number of changes to accounts, groups, or roles: 18
Number of logins: 3
Number of failed logins: 1
Number of authentications: 12
Number of failed authentications: 2
Number of users: 2
Number of terminals: 14
Number of host names: 3
Number of executables: 26
Number of files: 5805
Number of AVC's: 0
Number of MAC events: 0
Number of failed syscalls: 42
Number of anomaly events: 0
Number of responses to anomaly events: 0
Number of crypto events: 0
Number of keys: 1
Number of process IDs: 292
Number of events: 8862

File activity in restricted areas

The file system is locked down mainly by using file permissions appropriate to the administrator's role. However, these files require traceability of any modifications or additions. Auditing is based on watch rules on files and directories. The watch rule on directories includes all the files in that directory. Most of the watch rules are on write or append to the directory and files. When audited, the record includes the following data:

- UID of user accessing the file
- process ID
- the file or directory in question
- success or fail status
- command run on the file or directory

The following is an example of an administrator who unsuccessfully tried to write to a directory without write permission.
In this example, joebobssa tried to write to the /opt/mcp/java directory:

type=syscall msg=audit( :2224): arch=c000003e syscall=2 success=no exit=-13 a0=7fff9cdc3c24 a1=941 a2=1b6 a3=0 items=1 ppid=6554 pid=6623 auid=20229 uid=20233 gid=91 euid=20233 suid=20233 fsuid=20233 egid=91 sgid=91 fsgid=91 tty=pts0 ses=67 comm="touch" exe="/bin/touch" key=(null)
type=cwd msg=audit( :2224): cwd="/home/joebobssa"
type=path msg=audit( :2224): item=0 name="/opt/mcp/java/myfile.xml" inode= dev=03:05 mode= ouid=0 ogid=0 rdev=00:00

In this example, an administrator with userid (field uid in the type=syscall line) tried to issue the touch command (field exe in the type=syscall line) on the file /opt/mcp/java/myfile.xml (field name in the type=path line) and did not succeed (field success in the type=syscall line).

Backup of security logs

You can transfer security logs from the server to a secured server. This action does not delete the security logs from the server, because the transfer process copies the logs without deleting them from the original location. Only a root user can delete logs to free up disk space. For more information about how to back up the Avaya Aura Application Server 5300 system, see Avaya Aura Application Server 5300 Backup and Restore Method and Avaya Aura Application Server 5300 Administration, NN

System alarms

You can monitor the following disk partitions from the AS 5300 Element Manager Console, for utilization:

- boot
- /var
- /var/mcp
- /var/log
- /
- /admin
- /home
- /opt
- /tmp

After the system raises an alarm for disk usage, you can configure new alarm thresholds for disk space usage, or remove unnecessary files from the server, and then clear the alarm when the disk space is freed up. For more information about how to configure alarm thresholds, see Avaya Aura Application Server 5300 Configuration, NN

Important: Only the root user can delete files to free up disk space.
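The two audit-log reads described above, the grep for failed authentications under "Failed logons" and the syscall/cwd/path interpretation under "File activity in restricted areas", as an added example that is not part of the product. The records are constructed in the Linux auditd format the page quotes; the page's own samples have their timestamps, addresses and inode values removed, so the values here (including the RFC 5737 test address 192.0.2.10) are placeholders, while the uid, auid, pid and argument values follow the page's example. The parser splits each record into key=value fields, unwraps the nested PAM msg='...' payload, and joins SYSCALL, CWD and PATH records on their shared audit serial, which is how the three-record example above should be read.

```python
"""Audit record parsing for failed logons and restricted-area writes."""
import re
from collections import defaultdict
from typing import Dict, List

# Constructed sample records (placeholders for timestamps, addresses, inode).
SAMPLE_AUDIT_LOG = """\
type=USER_AUTH msg=audit(1507900000.123:8886): pid=3739 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:authentication acct="ntsysadm" exe="/usr/sbin/sshd" hostname=192.0.2.10 addr=192.0.2.10 terminal=ssh res=failed'
type=USER_AUTH msg=audit(1507900010.456:8890): pid=3742 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:authentication acct="ntsysadm" exe="/usr/sbin/sshd" hostname=192.0.2.10 addr=192.0.2.10 terminal=ssh res=success'
type=SYSCALL msg=audit(1507900100.789:2224): arch=c000003e syscall=2 success=no exit=-13 a0=7fff9cdc3c24 a1=941 a2=1b6 a3=0 items=1 ppid=6554 pid=6623 auid=20229 uid=20233 gid=91 euid=20233 suid=20233 fsuid=20233 egid=91 sgid=91 fsgid=91 tty=pts0 ses=67 comm="touch" exe="/bin/touch" key=(null)
type=CWD msg=audit(1507900100.789:2224):  cwd="/home/joebobssa"
type=PATH msg=audit(1507900100.789:2224): item=0 name="/opt/mcp/java/myfile.xml" inode=131073 dev=03:05 mode=0100644 ouid=0 ogid=0 rdev=00:00
"""
SAMPLE_LINES = SAMPLE_AUDIT_LOG.splitlines()

# key=value where the value is single-quoted, double-quoted, or bare.
TOKEN = re.compile(r"(\w+)=('[^']*'|\"[^\"]*\"|\S+)")
AUDIT_ID = re.compile(r"audit\((\d+\.\d+):(\d+)\)")


def parse_record(line: str) -> Dict[str, str]:
    """Split one audit record into a flat dict of fields.

    msg=audit(ts:serial) becomes 'timestamp' and 'serial'; a nested
    msg='...' PAM payload is parsed in place (its keys do not collide with
    the outer keys for these record types).
    """
    rec: Dict[str, str] = {}
    for key, raw in TOKEN.findall(line):
        if key == "msg" and raw.startswith("audit("):
            m = AUDIT_ID.match(raw)
            if m:
                rec["timestamp"], rec["serial"] = m.group(1), m.group(2)
            continue
        value = raw.strip("'\"")
        if key == "msg":
            for inner_key, inner_raw in TOKEN.findall(value):
                rec[inner_key] = inner_raw.strip("'\"(),")
            continue
        rec[key] = value
    return rec


def failed_authentications(lines: List[str]) -> List[Dict[str, str]]:
    """USER_AUTH records with res=failed: what the grep pipeline surfaces."""
    hits: List[Dict[str, str]] = []
    for line in lines:
        rec = parse_record(line)
        if rec.get("type", "").upper() == "USER_AUTH" and rec.get("res") == "failed":
            hits.append({"serial": rec.get("serial", ""), "acct": rec.get("acct", ""),
                         "addr": rec.get("addr", ""), "exe": rec.get("exe", "")})
    return hits


def failed_accesses(lines: List[str], watched: List[str]) -> List[Dict[str, str]]:
    """Events whose SYSCALL failed and whose PATH lies under a watched
    prefix, joined on the audit serial number."""
    events: Dict[str, List[Dict[str, str]]] = defaultdict(list)
    for line in lines:
        rec = parse_record(line)
        if "serial" in rec:
            events[rec["serial"]].append(rec)
    findings: List[Dict[str, str]] = []
    for serial, recs in events.items():
        syscall = next((r for r in recs if r.get("type", "").upper() == "SYSCALL"), None)
        if syscall is None or syscall.get("success") != "no":
            continue
        for r in recs:
            name = r.get("name", "")
            if r.get("type", "").upper() == "PATH" and any(name.startswith(w) for w in watched):
                findings.append({"serial": serial, "auid": syscall.get("auid", ""),
                                 "uid": syscall.get("uid", ""), "exe": syscall.get("exe", ""),
                                 "comm": syscall.get("comm", ""), "name": name,
                                 "exit": syscall.get("exit", "")})
    return findings


if __name__ == "__main__":
    for hit in failed_authentications(SAMPLE_LINES):
        print("failed logon:", hit)
    for finding in failed_accesses(SAMPLE_LINES, ["/opt/mcp/"]):
        print("denied write:", finding)
```

Joining on the serial matters because the user and command live in the SYSCALL record while the file name lives in the PATH record; reporting auid alongside uid preserves the original login identity even when the administrator has switched user, which is what makes the record traceable to a person.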

Chapter 6: Database password management

About this task

Use the procedures in this chapter to manage passwords for the database. For more information, see AS5300 Database Management.

Navigation:

- Resetting the internal database account passwords on page 63
- Changing the Schema account password on page 64
- Changing the database application password, without changing the load on page 64
- Changing the database application password during an upgrade on page 66

Resetting the internal database account passwords

Policy can require that you periodically change all system passwords. Use the following procedure to reset the passwords for the system level internal database accounts.

Important: Only the database software uses the internal accounts. To prevent users from logging on using these accounts, the passwords are randomly generated and not available to users. These accounts are also locked.

You have an account with the SSA role.

1. Log on to the server that hosts the primary database, as a user with SSA role.
2. Enter the command to reset the password for one of the internal database accounts:
   resetdbsystemuserpasswd sys
   resetdbsystemuserpasswd system
   resetdbsystemuserpasswd internal

3. If a password prompt appears, enter your password.

Changing the Schema account password

Use the following procedure to change the password for the database Schema account.

You are a user with SSA role.

1. Log on to the server that hosts the primary AS 5300 Element Manager Console (Instance 0), as a user with SSA role.
2. Enter the command to change the password:
   chgdbschemauserpasswd
3. If a password prompt appears, enter the password for the SSA account.
4. At the prompt, confirm that you want to change the password.
   A message appears to report the success or failure of the password change.

Changing the database application password, without changing the load

Use the following procedure to change the password for the database application without upgrading the load.

You are a user with SSA role. You are a user with AA role. You are familiar with the procedure to deploy and start network elements. For more information, see Avaya Aura Application Server 5300 Configuration, NN

1. Log on to the server that hosts the primary AS 5300 Element Manager (Instance 0), as a user with SSA role.
2. Enter the command to change the password:
   chgdbappuserpasswd
3. If a password prompt appears, enter the password for the SSA account.

4. At the prompt, confirm that you want to change the password.
   A message appears to report the success or failure of the password change.
5. Log on to the server that hosts the primary AS 5300 Element Manager (Instance 0), as a user with AA role.
6. Change directory:
   cd /var/mcp/install
7. Restart the primary AS 5300 Element Manager (Instance 0):
   ./smUpgrade.pl
   This command stops all AS 5300 Element Manager instances, re-deploys the load specified in installprops.txt (the same load), and starts all AS 5300 Element Manager instances.
8. Use the AS 5300 Element Manager Console to stop, deploy, and restart the remaining network elements in the following order:
   - Fault Performance Manager (FPM)
   - Accounting Manager (AM)
   - PROV Manager
   - Personal Agent (PA) Manager
   - Session Manager (SESM)
   Important: For network elements with a hot standby instance, Avaya recommends that you stop, deploy, and start the hot standby instance first.
9. Log on to the server that hosts the primary AS 5300 Element Manager (Instance 0), as a user with SSA role.
10. Enter the command to change the password:
    chgdbappuserpasswd
11. If a password prompt appears, enter the password for the SSA account.
    This step removes the old application account.

Important: If any network element did not stop, deploy, and start properly and is therefore still using the old application account, an error message appears. To complete the procedure, repeat steps 8 to 11 on page 65 (for the affected network elements).

Changing the database application password during an upgrade

Use the following procedure to change the database application password as part of a Maintenance Release or patch upgrade.

You are a user with SSA role. You are familiar with the procedure to apply a Maintenance Release or patch upgrade. For more information, see AS5300 MR And Patch Guide.

1. Log on to the server that hosts the primary AS 5300 Element Manager (Instance 0), as a user with SSA role.
2. Enter the command to change the password:
   chgdbappuserpasswd
3. If a password prompt appears, enter the password for the SSA account.
4. At the prompt, confirm that you want to change the password.
   A message appears to report the success or failure of the password change.
5. Apply the Maintenance Release or patch upgrade.
6. Log on to the server that hosts the primary AS 5300 Element Manager (Instance 0), as a user with SSA role.
7. Enter the command to change the password:
   chgdbappuserpasswd
8. If a password prompt appears, enter the password for the SSA account.
   This step removes the old application account.

Important: If any network element is not upgraded and is therefore still running the old load, an error message appears. To complete the procedure, repeat step 5 on page 66 (for the affected network elements) to step 8 on page 65.

Chapter 7: Antivirus management

The following procedures explain how to manage the antivirus software. For information about how to install and configure the antivirus software, see the Avaya antivirus installation method.

Warning: Read all of the procedures carefully before you install the software. Adherence to the procedures and requirements described in the following procedures is mandatory for warranty of the system.

Important: Backups of the core servers or Avaya Media Servers do not include the antivirus software. After you restore or reinstall a server, you must manually install, configure, and update the antivirus software and virus definitions.

Navigation

- Updating the virus definitions on page 67
- Scheduling virus scans on page 68

Updating the virus definitions

Use this procedure to update the virus definitions. To ensure effective protection from viruses, update the virus definition files on each server after the initial installation, and periodically on an ongoing basis. For more information about antivirus procedures, see the documentation that accompanies your antivirus software.

You are a user with SSA role. You have obtained the updater package from the antivirus support site or the appropriate enterprise or DoD internal distribution site.

1. Log on to the server as an SSA.
2. Change to the root:
   su - root

3. Enter the password for the root user.
4. Use your antivirus software documentation to update the virus definitions.

Scheduling virus scans

Use this procedure to schedule a daily virus scan. For more information about antivirus procedures, see the documentation that accompanies your antivirus software.

Prerequisites:
You are a user with SSA role.

1. Log on to the server as an SSA.
2. Change to the root user: su - root
3. Enter the password for the root user.
4. Use your antivirus software documentation to schedule the daily virus scan.

Important: Schedule the virus scan during the lowest traffic time on the AS 5300 servers to minimize scanning impact.

Chapter 8: File system integrity management

About this task
Use the procedures in this section to verify file system integrity (FSI) and to manage FSI baselines.

Prerequisites:
You are a user with SSA role or a root user.

Navigation:
Creating an FSI baseline on page 69
Verifying the file system against a baseline on page 70
Managing FSI baselines on page 70

Creating an FSI baseline

Create an FSI baseline on a weekly basis or after any significant change to the system, such as a software installation. A new baseline records the current state of the file system as the expected state, so verify the file system against the existing baseline before you replace it; otherwise an unreviewed change becomes part of the baseline.

Prerequisites:
You are a user with SSA role or a root user.

1. Log on to the server as a user with SSA role.
2. At the prompt, enter the following command: fsibaseline
3. If you receive a warning, press any key to continue.
4. Enter Y to verify the new FSI baseline configuration.

Important: A typical baseline can take at least 10 minutes to create.

Verifying the file system against a baseline

Routinely verify the file system against the baselines. The verification process identifies the following changes:
    Addition or removal of files
    Modification of files and attributes
    File sizes and MD5 signatures

Note that MD5 is no longer collision-resistant: an attacker who was able to supply the original file could prepare a second file with the same MD5 signature. Keep the stored baselines where unprivileged users cannot modify them, and compare against a baseline that was taken before any suspected compromise.

Prerequisites:
You are a user with SSA role or a root user.

1. Log on to the server as a user with SSA role.
2. At the prompt, enter the following command: fsiverify

Managing FSI baselines

You can list all of the file system integrity (FSI) baselines currently stored on the server. The system uses the file marked baseline for verification. You can select a different baseline file to use for verification.

Prerequisites:
You are a user with SSA role or a root user.

1. Log on to the server as a user with SSA role.
2. At the prompt, enter the following command: fsibaselinemgt
3. At the Enter selection number prompt, select a management action:
    1  List available baselines
    2  Set the verification baseline
    3  Unset the verification baseline
    4  Exit
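The comparison that fsiverify performs (files added or removed, attributes changed, sizes and digests changed) is simple enough to reproduce. The following is an added example written for this page, not AS 5300 code: it walks a directory tree, records size, permission bits and a digest for every regular file, and diffs a later walk against that baseline. SHA-256 is used in place of the MD5 that the product reports, a deliberate swap; the file names and contents created in demo() are constructed for the example.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# SHA-256 instead of the product's MD5: MD5 is no longer collision-resistant.
DIGEST = "sha256"


def file_record(path: Path) -> dict:
    """Attributes that a verify run compares for one regular file."""
    st = path.lstat()
    h = hashlib.new(DIGEST)
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return {
        "size": st.st_size,
        "mode": oct(st.st_mode & 0o7777),   # permission bits plus setuid/setgid/sticky
        "digest": h.hexdigest(),
    }


def build_baseline(root: Path) -> dict:
    """Map of relative path -> record for every regular file below root."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if p.is_symlink():          # the link target is recorded under its own path
                continue
            baseline[p.relative_to(root).as_posix()] = file_record(p)
    return baseline


def verify(root: Path, baseline: dict) -> dict:
    """Diff the live tree against a stored baseline.

    Returns added and removed paths and, for each modified path, the list of
    attributes that changed (size, mode, digest).
    """
    current = build_baseline(root)
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = {}
    for rel in sorted(set(current) & set(baseline)):
        changed = [k for k in ("size", "mode", "digest") if current[rel][k] != baseline[rel][k]]
        if changed:
            modified[rel] = changed
    return {"added": added, "removed": removed, "modified": modified}


def demo() -> dict:
    """Constructed tree: take a baseline, make four kinds of change, then verify."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "bin" / "app").write_bytes(b"#!/bin/sh\necho ok\n")
        (root / "etc.conf").write_text("debug=false\n")
        (root / "old.log").write_text("rotated\n")
        baseline = build_baseline(root)

        (root / "etc.conf").write_text("debug=true \n")   # same size, different content
        os.chmod(root / "bin" / "app", 0o4755)             # setuid bit added, content unchanged
        (root / "old.log").unlink()                        # file removed
        (root / "new.so").write_bytes(b"\x7fELF")          # file added
        return verify(root, baseline)


if __name__ == "__main__":
    print(demo())
```

The etc.conf case is the reason a size check alone is not enough: the edited file has exactly the same length as the original, and only the digest reveals it. The bin/app case is the reverse: the content is untouched, and only the mode comparison catches the new setuid bit.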

Chapter 9: Security log management

Use the procedures in this section to manage security logs.

Navigation
Configuring a remote syslog server on page 71
Deleting a remote syslog server on page 71
Modifying system audit logs on page 72

Configuring a remote syslog server

Use this procedure to configure a remote syslog server. If you configure a remote syslog server on the platform, the system sends all local syslogs to both the remote syslog server and the local syslog server.

Prerequisites:
You are a user with SSA role.

1. Log on to the server as a user with SSA role.
2. Enter syslogconfig at the prompt.
3. Enter your password.
4. Enter c to configure a remote syslog server.
5. Enter the syslog server IP address.
6. Enter Y to confirm the configuration.

Deleting a remote syslog server

Use this procedure to delete a remote syslog server.

Prerequisites:
You are a user with SSA role.

1. Log on to the server as a user with SSA role.
2. Enter syslogconfig at the prompt.
3. Enter u to unconfigure the remote syslog server.
4. Enter Y to confirm the configuration.

Modifying system audit logs

Use this procedure to enable or disable system audit logs.

Prerequisites:
You are a user with SSA role.

1. Log on to the server as a user with SSA role.
2. At the command prompt, enter configaudit
3. Enter c to configure the audit.
4. Enter Y to enable the audit, or N to disable it.
5. If prompted to reboot, enter Y.
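The syslogconfig prompt asks only for the remote server's IP address, so after configuring it a practitioner will want to confirm that events actually reach the collector and decode with the expected facility and severity. The following is an added example, not AS 5300 code: it builds an RFC 5424 message, sends it over UDP, and stands in for the remote collector on the loopback interface. The hostname as5300-em0, the application name, the message text and the use of an ephemeral port are assumptions for the example; UDP/514 is the classic syslog default, but the page does not state which transport or port the product uses.

```python
from __future__ import annotations

import datetime
import re
import socket

PRI_RE = re.compile(r"^<(\d{1,3})>")
# Facility codes from RFC 5424 section 6.2.1 (subset)
FACILITY_NAMES = {0: "kern", 1: "user", 3: "daemon", 4: "auth", 10: "authpriv", 13: "audit"}
SEVERITY_NAMES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]


def build_message(facility: int, severity: int, hostname: str, app: str, msg: str,
                  timestamp: str | None = None) -> str:
    """RFC 5424 line: <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID SD MSG."""
    if not (0 <= facility <= 23 and 0 <= severity <= 7):
        raise ValueError("facility must be 0-23 and severity 0-7")
    if timestamp is None:
        timestamp = (datetime.datetime.now(datetime.timezone.utc)
                     .isoformat(timespec="seconds").replace("+00:00", "Z"))
    pri = facility * 8 + severity
    return f"<{pri}>1 {timestamp} {hostname} {app} - - - {msg}"


def parse_pri(line: str) -> tuple[int, int]:
    """Decode the PRI of an RFC 3164 or RFC 5424 line into (facility, severity)."""
    m = PRI_RE.match(line)
    if not m or int(m.group(1)) > 191:
        raise ValueError("missing or out-of-range PRI")
    pri = int(m.group(1))
    return pri >> 3, pri & 7


def describe(line: str) -> str:
    """Human-readable facility.severity, e.g. 'audit.info'."""
    facility, severity = parse_pri(line)
    return f"{FACILITY_NAMES.get(facility, str(facility))}.{SEVERITY_NAMES[severity]}"


def send_udp(line: str, host: str, port: int) -> None:
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.sendto(line.encode("utf-8"), (host, port))


def demo_roundtrip() -> dict:
    """Play the remote collector on 127.0.0.1, send one event, confirm it arrived intact."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as collector:
        collector.bind(("127.0.0.1", 0))      # ephemeral port; a real collector listens on 514
        collector.settimeout(2.0)
        port = collector.getsockname()[1]
        sent = build_message(13, 6, "as5300-em0", "configaudit", "audit enabled",
                             timestamp="2017-10-01T12:00:00Z")   # constructed event
        send_udp(sent, "127.0.0.1", port)
        data, _peer = collector.recvfrom(4096)
    received = data.decode("utf-8")
    return {"received_intact": received == sent, "classified_as": describe(received)}


if __name__ == "__main__":
    print(demo_roundtrip())
```

A successful round trip proves reachability and framing, nothing more: UDP syslog is unacknowledged and carried in clear text, so a dropped or altered datagram is invisible to the sender. The local copy that the platform keeps alongside the remote one is what lets you reconcile the two after the fact.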

Chapter 10: Application administrator security configuration and management

This chapter provides the procedures that you require to configure and manage administrator security for the database and the following tools:
    Avaya Aura AS 5300 Element Manager Console
    Avaya Aura Provisioning Client

Navigation:
Enabling web server logs on page 74
Configuring application administrator password rules on page 75
Configuring a new AS 5300 Element Manager Console role on page 77
Configuring a new AS 5300 Element Manager Console administrator on page 81
Assigning a role to an AS 5300 Element Manager Console administrator on page 82
Configuring log on and session rules on page 83
Configuring a new Provisioning Client role on page 84
Configuring a new Provisioning Client administrator on page 85
Configuring warning banners on page 86
Modifying log on and session rules on page 87
Modifying application administrator password rules on page 89
Modifying an AS 5300 Element Manager Console role on page 91
Modifying an AS 5300 Element Manager Console administrator on page 92
Disabling an AS 5300 Element Manager administrator account on page 93
Disabling password aging rules for an account on page 93
Viewing and forcing off users on page 94
Exporting configuration data for AS 5300 Element Manager Console on page 94
Importing configuration data for AS 5300 Element Manager Console on page 95
Deleting an AS 5300 Element Manager Console role on page 95
Deleting an AS 5300 Element Manager Console administrator on page 96
Resetting the password for the AS 5300 Element Manager Console admin account on page 96
Resetting the password for an AS 5300 Element Manager Console administrator on page 97
Changing your AS 5300 Element Manager Console password on page 98
Modifying a Provisioning Client role on page 98
Listing Provisioning Client Admin users on page 99
Searching for Provisioning Client users by role on page 99
Searching for inactive Provisioning Client users on page 99
Modifying a Provisioning Client Admin on page 100
Deleting a Provisioning Client user on page 100
Resetting the password for the Provisioning Manager admin account on page 101
Resetting the password for a Provisioning Client administrator on page 102
Changing your Provisioning Client password on page 102

Enabling web server logs

Use this procedure to enable web server logs on the AS 5300 Element Manager and Provisioning Manager network elements.

1. Log on to the AS 5300 Element Manager Console.
2. From the configuration view, choose the element to configure:
    To configure the AS 5300 Element Manager, select Network Elements > AS 5300 Element Manager > ElementManager.
    To configure the Provisioning Manager, select Network Elements > Provisioning Managers > <PROV_instance>.
3. Click Configuration Parameters.
4. In the Parm Group list, select WebServer.
5. Click the EnableAccessLogs row.
6. Click -/+.
7. In the EnableAccessLogs list, select true.

8. Click Apply.

Configuring application administrator password rules

About this task
Configure the password complexity rules and password aging rules to enhance the security of the AS 5300 Element Manager Console Open Management Interface (OMI) and Avaya Aura Provisioning Client passwords.

1. From the menu bar of the AS 5300 Element Manager Console, select Administration > Password Rules.
2. In the Password Rules pane, under Password Complexity Rules, configure the parameters as required.
3. In the Password Rules pane, under Password Aging Rules, configure the parameters as required.
4. Click Apply.

Configuring application administrator password rules job aid

About this task
The following job aid lists and describes the parameters on the Password Rules panel.

Application administrator password rules

Minimum Password Length
    This rule defines the minimum number of characters that must be included in a password. The range of values allowed is
    Default value: 8
    Note: The following restrictions apply: The Minimum Password Length must be equal to or greater than the total of the Minimum Lowercase Characters, Minimum Uppercase Characters, Minimum Digit Characters, and Minimum Special Characters values. If Check For Dictionary Words in Password is enabled, the Minimum Password Length value must be 6 or more.
    Caution: The system supports passwords up to a maximum of 511 characters. However, some phone clients limit the maximum length of passwords. Verify the capabilities of your phone before creating a long password.

Minimum Lowercase Characters
    This rule defines the minimum number of lowercase characters that must be included in a valid password. Lowercase characters are defined by the US-ASCII character set, a-z. The range of values allowed is
    Default value: 2

Minimum Uppercase Characters
    This rule defines the minimum number of uppercase characters that must be included in a valid password. Uppercase characters are defined by the US-ASCII character set, A-Z. The range of values allowed is
    Default value: 2

Minimum Digits
    This rule defines the minimum number of digits that must be included in a valid password. Digits are defined by the US-ASCII character set, 0-9. The range of values allowed is
    Default value: 2

Minimum Special Characters
    This rule defines the minimum number of special characters that must be included in a valid password. Special characters are defined by the following US-ASCII character set: - _ & ^ ? ! ( ) , / \ : ; ~ = +
    The range of values allowed is
    Default value: 0

Maximum Consecutive Characters
    This rule defines the maximum number of times a given character can appear consecutively in a valid password. Configure the value to 0 (zero) to disable Maximum Consecutive Characters. The range of values allowed is
    Default value: 0

Minimum Characters Different from Previous Password
    This rule defines the minimum number of characters that must be different in the new password from the previous password. The range of values allowed is
    Default value: 0

Password History
    This rule defines the number of previous passwords stored by the system for each administrator. The system rejects the reuse of any password found in the user's history. Configure the value to 0 (zero) to disable Password History validation. When Password History is configured to 0, the Minimum Characters Different From Previous Password feature is automatically configured to 0. The range of values allowed is
    Default value: 0

User ID or Reversed User ID Permitted in Password
    This rule indicates whether or not an administrator user name can appear in the administrator password, forwards or reversed. The rule is case insensitive, so, for example, for the user ID admin the passwords "sysadmin123", "SysAdmin123" and "SYSADMIN123" are all found to contain "admin". Select TRUE or FALSE.
    Default value: TRUE

Check For Dictionary Words in Password
    This rule indicates whether or not the system checks passwords for dictionary words. When this rule is enabled, administrators are prevented from using passwords that are derived from dictionary words. Select TRUE or FALSE.
    Default value: FALSE
    Note: If Check For Dictionary Words in Password is enabled, the Minimum Password Length value must be 6 or more.

Maximum Password Life (days)
    This rule defines the maximum number of days before a user's password expires. Configure the value to 0 (zero) to disable password expiration. The range of values allowed is
    Default value: 90

Minimum Password Life (hours)
    This rule defines the minimum number of hours that a password must exist before the user can change it. Configure the value to 0 (zero) to permit users to change their passwords as often as they wish. The Minimum Password Life must be less than the Maximum Password Life. The range of values allowed is expressed in hours, up to 20 days.
    Default value: 1

Expiry Notification (days)
    This rule defines the number of days that an administrator is notified prior to password expiration. Configure this value to 0 (zero) to disable expiry notification. The Expiry Notification value must be less than the Maximum Password Life, and must be greater than the Minimum Password Life. The range of values allowed is 0-30 days.
    Default value: 7

Configuring a new AS 5300 Element Manager Console role

Configure new roles for the AS 5300 Element Manager Console and assign the roles to users to specify admin privileges and level of access.

Prerequisites:
You have ConfigRoleDefinitionService READ and WRITE privileges.

1. From the menu bar of the AS 5300 Element Manager Console, select Administration > Role Definition.
2. On the Role Definition panel, click Add (+).

3. In the Add Role dialog box, in the Role Name box, type a name to identify the new role.
4. Select the required READ, WRITE, and MAINT check boxes to configure privileges for each service.
5. Click Apply.

Configuring a new AS 5300 Element Manager Console role job aid

About this task
The following job aid lists and describes the parameters that you use to configure AS 5300 Element Manager Console roles.

Role Name
    Enter the role name in this text box. This name cannot be changed after the role is created. A valid role name must consist of 4-36 alphanumeric characters that may also include, but not begin or end with, the following 8 additional characters: # & ( ) + -

The effects of the READ, WRITE, and MAINT privileges differ according to the service that is selected; however, the following points generally apply:
    The READ privilege typically allows you to view, but not modify, configuration data.
    The WRITE privilege enables READ automatically and allows you to add and modify configuration data.
    The MAINT privilege allows you to start and stop services, but does not allow you to change configuration data. Typically you must also have the READ privilege in addition to MAINT.

Grant WRITE on ConfigRoleDefinitionService and ConfigRoleAssignmentService only to roles that must manage roles: a role that can edit role definitions or role assignments can grant itself, or any other account, every other privilege in this list.

The following job aid lists the services for which you can add READ, WRITE, and MAINT privileges to roles, each followed by a description.

AcctProcessingRuleService: Account processing rule configuration
AdminUserService: Administrative users configuration
AlarmMgmtService: Alarms configuration
AlarmMtcService: Acknowledgement/clearing of alarms
AlarmQueryService: Alarm viewing
AMOssProfileService: OSS Profile data configuration distributed to the Accounting Manager (AM)
AudioCodesNumMapIP2TelService: IPToTelephonyMap configuration
AudioCodesServerService: AudioCodes gateway configuration
AudioCodesServerStateService: AudioCodes gateway state configuration
AudioCodesTrunkService: AudioCodes trunk configuration
AuthenticationService: AS 5300 Session Manager trusted node authorized method configuration
BannerConfigService: Log on banner configuration
CallAgentService: CS 2000 Call Agent configuration
CertificateService: Certificate configuration
ChassisMonitorService: Blade Center Chassis monitoring
ChassisService: Blade Center Chassis configuration
CipherSuiteService: OAMP SSL/TLS cipher suite configuration
ConfigParmService: Configuration parameters
ConfigRoleAssignmentService: Administrative user role assignment
ConfigRoleDefinitionService: Administrative role configuration
CscfService: CSCF configuration
DBInstanceService: Database instance configuration
DBMonitorConfigService: Database monitor threshold configuration
DBMonitorService: Database instance monitoring
DebugSecurityService: Role and security settings debugging
EndpointMtcService: Endpoint Maintenance configuration and monitoring
EngParmService: Engineering parameters configuration
ExportImportService: Bulk configuration export and import tools
FPOssProfileService: OSS profile data configuration (distributed to FPM)
FlowSpecCodecService: Video FlowSpec configuration (in Packet Cable Integration, Codec)
FlowSpecService: FlowSpec configuration
GatewayControllerLinkMtcService: Gateway Controller Link Maintenance/monitoring
GatewayControllerService: CS 2000 Gateway Controller configuration
GatewayService: Gateway configuration
HttpsCipherSuiteService: HTTPS cipher suite configuration
IPAddressService: IP address configuration
InfoElementService: Informational Element configuration
LogBrowserFeedService: Log browser feed configuration
LogProcessingRuleService: Log processing configuration
LoginRulesService: System log on rules configuration
LOMServerService: LOM and Terminal server configuration
LicenseKeyService: License key configuration
LocationServiceMgr: DNS server configuration for the AS 5300 Session Manager
LogicalDBService: Database configuration
LogStreamService: Log viewing
MASService: Avaya Media Server configuration
MPClusterConfigParmsService: Media Portal Cluster Configuration Parms
MPClusterFaultToleranceService: Media Portal Cluster Fault Tolerance configuration
MPClusterGwcCallSvrService: Media Portal Cluster Gateway Controllers configuration
MPClusterMultiGwy: Multiple Network Gateway Routers configuration for Media Portal Cluster
MPClusterNet2RouteService: Choosing the Net2 Routable Networks configuration for a Media Portal
MPClusterService: Media Portal Cluster configuration
MPClusterSessionMgrService: Media Portal Cluster Session Managers configuration
MPClusterStaticRouteService: Media Portal Cluster Static Routes configuration
MPClusterSvcInstanceService: Media Portal Cluster Service Instance configuration
MPClusterVlan: Choosing the Vlan topology configuration for a Media Portal
NEInstanceService: Network element instance configuration and maintenance
NERecordStreamService: NE log, OM and accounting format path configuration
NEService: Network element configuration
NcasLinkMtcService: NCAS Link Maintenance configuration
Net2RouteService: Net2 Routable Networks configuration
NetworkAddrService: Network Addresses configuration
NetworkTypeService: Choosing Network type for Media Portal Static Routes: Control, Net1, Net2 or OAM
NodeService: Node configuration
OMProcessingRuleService: OM Processing Rule configuration
OMQueryService: OM viewing
OssProfileService: OSS Profile data configuration (distributed to all Element Managers)
PasswordRulesService: User password rules configuration
PhysicalServerService: Server configuration
PhysicalSiteService: Physical site configuration
PolicyServerConnectionService: Choose Policy Server Connection data Application Manager ID (AMID) for an AS 5300 Session Manager
PolicyServerService: Policy Servers configuration
RTPPortalBladeService: RTP Portal blade configuration
RegisteredGwcService: Registered gateway controller service configuration
ServerLOMCommandService: Server maintenance for servers that are configured with a LOM server
ServerMonitorConfigService: Server monitor threshold configuration
ServerMonitorService: Server monitoring
SIPProxyService: SIP proxy configuration
SignalingCipherSuiteService: Signaling cipher suite configuration
SnmpProfileService: SNMP profile configuration
StaticRouteService: Static Routes configuration
SubnetMaskService: Subnet Masks configuration
UpgradeManagerService: Upgrade Manager configuration
VMGAppearanceService: Virtual Media Gateway Appearance Configuration
VlanService: VLANs configuration
WebServicesService: Web services configuration

Configuring a new AS 5300 Element Manager Console administrator

Use this procedure to configure a new administrative user for the AS 5300 Element Manager Console.

Prerequisites:
You must know the Global Administrator account password.

1. From the menu bar of the AS 5300 Element Manager Console, select Administration > User Administration.
2. On the User Administration panel, click Add (+).
3. In the Add User Account dialog box, configure the parameters as required.
4. Click Apply. The system validates the configuration data. If the change is valid, the Add User Account dialog box closes and the new account appears on the User Administration panel.

Important: The new user account has no access. You must assign roles to new users so that they can perform the administrative functions associated with their roles.
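The Password parameter of every account created with the procedure above is checked against the complexity and aging rules described in the Configuring application administrator password rules job aid. The following is an added example, not product code, that encodes those rules with the page's default values and tests candidate passwords against them. The special-character set is the list printed on the page; the per-position comparison used for Minimum Characters Different from Previous Password, the four-letter minimum for dictionary matching and the three-word dictionary are assumptions, as the page defines none of them. Setting user_id_permitted to False shows what turning the page's TRUE default off rejects.

```python
import string
from dataclasses import dataclass

# The special characters the page lists for "Minimum Special Characters"
SPECIAL = frozenset("-_&^?!(),/\\:;~=+")
MAX_PASSWORD_LENGTH = 511   # system limit stated in the job aid


@dataclass
class PasswordRules:
    """Parameters of the Password Rules panel, with the page's default values."""
    min_length: int = 8
    min_lower: int = 2
    min_upper: int = 2
    min_digits: int = 2
    min_special: int = 0
    max_consecutive: int = 0            # 0 disables
    min_diff_from_previous: int = 0     # 0 disables; forced to 0 when history is 0
    history: int = 0                    # previous passwords remembered; 0 disables
    user_id_permitted: bool = True
    dictionary_check: bool = False
    max_life_days: int = 90             # 0 disables expiry
    min_life_hours: int = 1
    expiry_notice_days: int = 7         # 0 disables notification
    dictionary: frozenset = frozenset({"password", "summer", "avaya"})  # assumed word list

    def config_errors(self) -> list:
        """The cross-parameter restrictions the job aid states."""
        errors = []
        if self.min_length < self.min_lower + self.min_upper + self.min_digits + self.min_special:
            errors.append("min_length below the sum of the per-class minimums")
        if self.dictionary_check and self.min_length < 6:
            errors.append("dictionary check requires min_length >= 6")
        if self.max_life_days and self.min_life_hours >= self.max_life_days * 24:
            errors.append("min_life must be less than max_life")
        if self.expiry_notice_days and self.max_life_days and not (
                self.min_life_hours < self.expiry_notice_days * 24 < self.max_life_days * 24):
            errors.append("expiry notice must lie between min_life and max_life")
        return errors


def longest_run(s: str) -> int:
    """Length of the longest run of one repeated character."""
    best = run = 0
    for i, ch in enumerate(s):
        run = run + 1 if i and ch == s[i - 1] else 1
        best = max(best, run)
    return best


def check_password(rules: PasswordRules, password: str, user_id: str, previous=()) -> list:
    """Return the names of the rules a candidate violates (empty list = accepted).

    `previous` is the user's password history, most recent first.
    """
    v = []
    if len(password) < rules.min_length:
        v.append("too_short")
    if len(password) > MAX_PASSWORD_LENGTH:
        v.append("too_long")
    # Character classes are US-ASCII only, as the job aid defines them.
    if sum(c in string.ascii_lowercase for c in password) < rules.min_lower:
        v.append("lowercase")
    if sum(c in string.ascii_uppercase for c in password) < rules.min_upper:
        v.append("uppercase")
    if sum(c in string.digits for c in password) < rules.min_digits:
        v.append("digits")
    if sum(c in SPECIAL for c in password) < rules.min_special:
        v.append("special")
    if rules.max_consecutive and longest_run(password) > rules.max_consecutive:
        v.append("consecutive")
    lowered = password.lower()
    if not rules.user_id_permitted:
        uid = user_id.lower()
        if uid in lowered or uid[::-1] in lowered:     # case-insensitive, forward or reversed
            v.append("contains_user_id")
    if rules.dictionary_check and any(w in lowered for w in rules.dictionary if len(w) >= 4):
        v.append("dictionary_word")
    remembered = list(previous)[:rules.history] if rules.history else []
    if password in remembered:
        v.append("reused")
    min_diff = rules.min_diff_from_previous if rules.history else 0   # disabled with history
    if min_diff and previous:
        old = previous[0]
        differing = sum(a != b for a, b in zip(password, old)) + abs(len(password) - len(old))
        if differing < min_diff:
            v.append("too_similar")
    return v
```

With the page's defaults, "Summer2017" fails only on uppercase, and "SysAdmin123!" passes for user admin because the user-ID rule defaults to TRUE (permitted); the same password is rejected as soon as that rule is set to FALSE, as is "NimdA12Xy", which contains the ID reversed.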

Configuring a new AS 5300 Element Manager Console user job aid

About this task
The following job aid lists and describes the parameters that you configure in the Add User Account dialog box.

User ID
    Enter the account user name; the new administrator uses this ID to log on. It must contain between 4 and 16 characters. Valid characters are taken from the following US-ASCII character sets: a-z, A-Z, 0-9, the underscore (_) and the hyphen (-).

User Name
    Enter the administrator's first and last names. This text field can have up to 36 characters. There are no character restrictions.

Password
    Enter the administrator's password (subject to the password complexity rules).

Password Confirm
    Reenter the administrator's password. This value must match the Password parameter; it is used to reduce typing errors.

Maximum Password Life
    If greater than 0, this value is used instead of the Maximum Password Life value found in the Password Rules. Enter 0 to use the Password Rules value.

Force Password Change
    If you select this check box, the administrator must change the password during initial login.

Account Disabled
    If you select this check box, the account is disabled and the administrator cannot log on.

Disable Account Inactivity Period
    If you select this check box, the account will never be disabled due to inactivity.

Immune to Expiry
    If you select this check box, password aging rules do not apply to the account, but all password complexity rules apply. For secure systems, select this option only for non-human accounts.

Assigning a role to an AS 5300 Element Manager Console administrator

Use this procedure to assign a role to a new AS 5300 Element Manager Console user, or to change the role currently assigned to an existing administrator.

Prerequisites:
You must know the Global Administrator account password or be assigned the admin role.
Ensure the administrator account exists.
Ensure the role to be assigned is already configured.

1. From the menu bar of the AS 5300 Element Manager Console, select Administration > Role Assignment.
2. On the Role Assignment panel, select the user to which you want to assign a role, and click Edit (-/+).
3. From the Available Roles list, select a role and click Apply.

Configuring log on and session rules

About this task
Use this procedure to configure log on and session rules for the following interfaces:
    Configuration Management (OMI) (applies to AS 5300 Element Manager Console and AS 5300 Element Manager)
    Avaya Aura Provisioning Client

1. From the menu bar of the AS 5300 Element Manager Console, select Administration > Login Rules.
2. In the Login Rules pane, configure parameters as required.
3. Click Apply.

Configuring log on and session rules job aid

About this task
The following job aid lists and describes the parameters in the Login Rules dialog box.

Login Interface
    Select the interface to edit: select Configuration Management (OMI) to configure rules for the AS 5300 Element Manager Console and AS 5300 Element Manager, or select Provisioning Management (PROV) to configure rules for the Provisioning Client.

Session Timeout (minutes)
    This rule defines the maximum number of minutes a session can be idle before the user must reauthenticate. For the AS 5300 Element Manager Console, after a session times out, any write operations must be re-authenticated. Configure the value to 0 (zero) to disable Session Timeout. You cannot disable Session Timeout for the Avaya Aura Provisioning Client interface. The range of values is

Failed Login Attempts before Lockout
    This rule defines the number of consecutive failed log on attempts before the system locks the account. The current attempt is included in the count. For example, if the value is 1 (one), a single failure causes the user's account to be locked. Until the account is unlocked, the system rejects further attempts to log on. Configure the value to 0 (zero) to disable lockout and permit unlimited successive failed attempts. The range of values is

Lockout Duration (minutes)
    If an account is locked by the Failed Login Attempts before Lockout feature, Lockout Duration (minutes) defines the number of minutes that the account remains locked. The range of values is

Account Inactivity Period (days)
    This rule defines the number of days an account can be inactive before the system automatically disables the account. Configure the value to 0 (zero) to disable Account Inactivity Period. The range of values is

Configuring a new Provisioning Client role

Use this procedure to configure new roles for the Provisioning Client and assign the roles to users to specify administrator privileges and level of access.

Prerequisites:
You have administration management rights.
You are a secadmin. The secadmin role has complete access.

1. From the Provisioning Client menu bar, select Admin > Role to access the Admin Role portlet.
2. On the Add tab, in the Role Name box, type a name for the new role.
3. In the Role description box, type a brief description of the role.
4. Under the Select All option, check the Read, Write, or Delete boxes if you want the administrator to have a specific privilege, or check all boxes to provide all privileges.
5. Under the Data Layer Management option, check the Write and Delete boxes if you want the administrator to have one or both privileges on the System, Domain, and User level.
6. Select the necessary Read, Write, and Delete check boxes to configure access for each Admin privilege.

85 Configuring a new Provisioning Client administrator 7. Click Save. Configuring a new Provisioning Client administrator Use this procedure to configure new administrators for the Provisioning Client. Assign each new administrator a role so they can perform the administrative functions associated with that role. You have the administration management right. You are a secadmin. The secadmin role has complete access. 1. From the Provisioning Client menu bar, select Admin > Add to access the Admin portlet. 2. On the Add tab, configure parameters as required. 3. Click Save. 4. On the Roles tab, from the list, select the role for the new administrator. 5. Click Save. Configuring a new Provisioning Client administrator job aid About this task The following job aid describes the parameters that appear on the Add tab of the Admin portlet. Parameters Description Name This parameter contains the account user name (maximum 64 characters). First Name Last Name Password Confirm password Disable password aging Enforce password change Enable account Disable account inactivity period This parameter contains the user's first name (maximum 30 characters). This parameter contains the user's last name (maximum 30 characters). This parameter contains the password for the user account. This parameter must match the Password parameter. Select this check box to disable password aging. Select this check box to enforce password change during the first log on. Select this check box to enable the account. This parameter defines the number of consecutive days an account can be inactive before the system automatically disables the account. Table continues October 2017 Avaya Aura Application Server 5300 Security 85

86 Application administrator security configuration and management Parameters Description By default, this feature is disabled for the default Admin account. Caution: If you configure all accounts to be disabled after a period of inactivity, there is a risk of permanently locking all administrators out of the system. Maximum Password Life (days) The value you enter in this field overrides the system Password Policy for Maximum Password Life. Leave blank to use the system value. This parameter defines the maximum number of days before the password expires. The range of values allowed is days. For a password that never expires, enter 0 (zero). Default value: 90 Business Phone Home Phone Cell Phone Pager Time Zone Locale This parameter contains the user's address (if available). This parameter contains the user's business telephone number (if available). This parameter contains the user's home phone number (if available). This parameter contains the user's cell phone number (if available). This parameter contains the user's pager number (if available). This parameter (select from the list) contains the user's time zone. This parameter (select from the list) contains the user's preferred language. Configuring warning banners Configure banner text to display advisory warnings before and after log on for the OPI, Avaya Aura Provisioning Client, AS 5300 Element Manager Console, and Debug interfaces. You can access the AS 5300 Element Manager Console. You have BannerConfigService rights. 1. In the configuration view of the AS 5300 Element Manager Console, select Network Data and Mtc > Banners. 2. On the Banners panel, from the Banner Type list, select a banner type. To configure A warning banner to appear before administrators log on. Do this Select Admin Pre Log on. Table continues October 2017 Avaya Aura Application Server 5300 Security 86

87 Modifying log on and session rules To configure A warning banner to appear after administrators log on. A warning banner to appear before debug log on. A warning banner to appear after debug log on. A warning banner to appear before users log on. A warning banner to appear after users log on. Do this Select Admin Post Log on. Select Debug Pre Log on. Select Debug Post Log on. Select User Pre Log on. Select User Post Log on. 3. In the Banner Data section, select the Enabled check box. 4. Type the message to display. 5. Click Apply. Configuring warning banners job aid The following job aid describes the parameters that appear on the Banners panel. Parameter Banner Data Enabled Description Enter the text of the warning banner in this text box. The text has a maximum length of 2000 bytes of UTF-8 encoded characters. The Debug Pre and Post Login banners are restricted to characters in the ANSI_X character set (also known as US-ASCII). This check box indicates whether or not the banner is enabled. An enabled banner is presented when appropriate when users log on to the system. A disabled banner is ignored and not presented when users log on to the system. Modifying log on and session rules You can modify log on and session rules for the following interfaces: Configuration Management (OMI) (applies to AS 5300 Element Manager Console and AS 5300 Element Manager) Avaya Aura Provisioning Client You must have LoginRulesService rights. 1. From the menu bar of the AS 5300 Element Manager Console, select Administration > Login Rules. October 2017 Avaya Aura Application Server 5300 Security 87

2. In the Login Rules pane, edit the parameters as required.
3. Click Apply.

Modifying log on and session rules job aid

About this task
The following job aid lists and describes the fields on the Login Rules panel.

Login Interface: Select the interface to edit. Select Configuration Management (OMI) to configure rules for the AS 5300 Element Manager Console and AS 5300 Element Manager. Select Provisioning Management (PROV) to configure rules for the Provisioning Client.

Session Timeout (minutes): This rule defines the maximum number of minutes a session can be idle before the user must reauthenticate. For the MCP Management Console, after a session times out, any write operations must be re-authenticated. Configure the value to 0 (zero) to disable Session Timeout. You cannot disable Session Timeout for the Avaya Aura Provisioning Client interface. The range of values is

Failed Log on Attempts before Lockout: This rule defines the number of consecutive failed log on attempts before the system locks the account. The current attempt is included in the count; for example, if the value is 1 (one), a single failure causes the user's account to be locked. Until the account is unlocked, the system rejects further attempts to log on. Configure the value to 0 (zero) to disable lockout and permit unlimited successive failed attempts. The range of values is

Lockout Duration (minutes): If an account is locked by the Failed Log on Attempts before Lockout feature, Lockout Duration (minutes) defines the number of minutes that the account remains locked. The range of values is

Account Inactivity Period (days): This rule defines the number of days an account can be inactive before the system automatically disables the account. Configure the value to 0 (zero) to disable Account Inactivity Period. The range of values is
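The lockout and inactivity semantics in this job aid are easy to misread (the current attempt counts toward the threshold, so a value of 1 locks on the very first failure; a locked account rejects even a correct password until the lockout duration has elapsed; 0 disables a rule rather than making it strict). The following Python simulation is an added example written for this page, not Avaya code, and does not talk to an AS 5300. It models the rules exactly as the job aid states them so you can reason about a proposed policy before applying it. Times are plain integers in minutes, the credential table is constructed, and the inactivity check is evaluated at log on time here, an assumption made to keep the example self-contained since this page does not describe when the product runs that check.

```python
"""Added example: simulation of the AS 5300 Login Rules semantics described above.

Not Avaya code. Times are integers in minutes; the inactivity check runs at log-on
time here (an assumption made to keep the example self-contained).
"""
from dataclasses import dataclass
from typing import Dict, Optional

MINUTES_PER_DAY = 24 * 60


@dataclass
class LoginRules:
    session_timeout_min: int = 30            # 0 disables (not permitted for the Provisioning Client)
    failed_attempts_before_lockout: int = 3  # 0 disables lockout
    lockout_duration_min: int = 15
    inactivity_period_days: int = 90         # 0 disables automatic disabling


@dataclass
class Account:
    name: str
    disable_inactivity: bool = False   # the per-account "Disable Account Inactivity Period" flag
    last_activity: Optional[int] = None
    failures: int = 0                  # consecutive failures since the last success or lockout
    locked_until: Optional[int] = None
    disabled: bool = False


def session_expired(rules: LoginRules, last_action: int, now: int) -> bool:
    """Idle longer than Session Timeout means the user must re-authenticate; 0 disables."""
    return bool(rules.session_timeout_min) and (now - last_action) > rules.session_timeout_min


class LoginPolicy:
    def __init__(self, rules: LoginRules, credentials: Dict[str, str]):
        self.rules = rules
        self.credentials = credentials   # constructed name -> password table; real systems store hashes

    def attempt(self, acct: Account, password: str, now: int) -> str:
        """Return 'ok', 'bad_password', 'locked' or 'disabled' for one log-on attempt."""
        r = self.rules
        if acct.disabled:
            return "disabled"

        # A locked account rejects every attempt, correct password or not, until the lockout expires.
        if acct.locked_until is not None:
            if now < acct.locked_until:
                return "locked"
            acct.locked_until = None
            acct.failures = 0

        # Account Inactivity Period: disable accounts idle for longer than the period,
        # unless the account is exempt. 0 disables the rule.
        if (r.inactivity_period_days and not acct.disable_inactivity
                and acct.last_activity is not None
                and now - acct.last_activity > r.inactivity_period_days * MINUTES_PER_DAY):
            acct.disabled = True
            return "disabled"

        if self.credentials.get(acct.name) != password:
            acct.failures += 1
            # The current attempt is included in the count: a threshold of 1 locks on this failure.
            if r.failed_attempts_before_lockout and acct.failures >= r.failed_attempts_before_lockout:
                acct.locked_until = now + r.lockout_duration_min
                acct.failures = 0
                return "locked"
            return "bad_password"

        acct.failures = 0
        acct.last_activity = now
        return "ok"


if __name__ == "__main__":
    policy = LoginPolicy(LoginRules(failed_attempts_before_lockout=1), {"admin": "Av4yaS3cure!"})
    acct = Account("admin")
    for minute, pw in [(0, "guess"), (5, "Av4yaS3cure!"), (16, "Av4yaS3cure!")]:
        print(minute, policy.attempt(acct, pw, minute))
```

Run the module directly to see a threshold of 1 lock the account on the first wrong password, reject the correct password five minutes later, and accept it once the 15-minute lockout has elapsed. The same model shows why the Caution on the previous page matters: with Account Inactivity Period set and no account flagged Disable Account Inactivity Period, every administrator account is eventually disabled by the rule.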

Modifying application administrator password rules

About this task
You can modify the password complexity rules and password aging rules to enhance the security of AS 5300 Element Manager Console, Open Management Interface (OMI), and Avaya Aura Provisioning Client passwords.

1. From the menu bar of the AS 5300 Element Manager Console, select Administration > Password Rules.
2. In the Password Rules panel, under Password Complexity Rules, modify parameters as required.
3. In the Password Rules panel, under Password Aging, modify parameters as required.
4. Click Apply.

Modifying application administrator password rules job aid

About this task
The following job aid lists and describes the fields on the Password Rules panel, which apply to Admin users.

Application administrator password rules

Minimum Password Length: This rule defines the minimum number of characters that must be included in a password. The range of values allowed is Default value: 8
Note: The following restrictions apply:
- The Minimum Password Length must be equal to or greater than the total of the Minimum Lowercase Characters, Minimum Uppercase Characters, Minimum Digit Characters, and Minimum Special Characters values.
- If Check For Dictionary Words in Password is enabled, the Minimum Password Length value must be 6 or more.
Caution: The system supports passwords up to a maximum of 511 characters. However, some phone clients limit the maximum length of passwords. Verify the capabilities of your phone before creating a long password.

Minimum Lowercase Characters: This rule defines the minimum number of lowercase characters that must be included in a valid password. Lowercase characters are defined by the US-ASCII character set, a-z. The range of values allowed is Default value: 2

Minimum Uppercase Characters: This rule defines the minimum number of uppercase characters that must be included in a valid password. Uppercase characters are defined by the US-ASCII character set, A-Z. The range of values allowed is Default value: 2

Minimum Digits: This rule defines the minimum number of digits that must be included in a valid password. Digits are defined by the US-ASCII character set, 0-9. The range of values allowed is Default value: 2

Minimum Special Characters: This rule defines the minimum number of special characters that must be included in a valid password. Special characters are defined by the following US-ASCII characters: - _ & ^ ? ! ( ) , / \ : ; ~ = + The range of values allowed is Default value: 0

Maximum Consecutive Characters: This rule defines the maximum number of times a given character can appear consecutively in a valid password. Configure the value to 0 (zero) to disable Maximum Consecutive Characters. The range of values allowed is Default value: 0

Minimum Characters Different from Previous Password: This rule defines the minimum number of characters in the new password that must be different from the previous password. The range of values allowed is Default value: 0

Password History: This rule defines the number of previous passwords stored by the system for each administrator. The system rejects the reuse of any password found in the user's history. Configure the value to 0 (zero) to disable Password History validation. When Password History is configured to 0, the Minimum Characters Different From Previous Password feature is automatically configured to 0. The range of values allowed is Default value: 0

User ID or Reversed User ID Permitted in Password: This rule indicates whether or not an administrator user name (or the user name reversed) can appear in the administrator password. The rule is case insensitive, so, for example, the passwords "sysadmin123", "SysAdmin123" and "SYSADMIN123" are all found to contain "admin". Select TRUE or FALSE. Default value: TRUE. Note that the default permits the user name in the password; for a hardened deployment set this rule to FALSE.

Check For Dictionary Words in Password: This rule indicates whether or not the system checks passwords for dictionary words. When this rule is enabled, administrators are prevented from using passwords that are derived from dictionary words. Select TRUE or FALSE. Default value: FALSE.
Note: If Check For Dictionary Words in Password is enabled, the Minimum Password Length value must be 6 or more.

Maximum Password Life (days): This rule defines the maximum number of days before a user's password expires. Configure the value to 0 (zero) to disable password expiration. The range of values allowed is days. Default value: 90

Minimum Password Life (hours): This rule defines the minimum number of hours that a password must exist before the user can change it. Configure the value to 0 (zero) to permit users to change their passwords as often as they wish. The Minimum Password Life must be less than the Maximum Password Life. The range of values allowed is 0-480 hours (20 days). Default value: 1

Expiry Notification (days): This rule defines the number of days before password expiration that an administrator is notified. Configure this value to 0 (zero) to disable expiry notification. The Expiry Notification value must be less than the Maximum Password Life, and must be greater than the Minimum Password Life. The range of values allowed is 0-30 days. Default value: 7

Modifying an AS 5300 Element Manager Console role

You can modify roles for the AS 5300 Element Manager Console to specify admin privileges and level of access.

You have ConfigRoleDefinitionService READ and WRITE privileges.

1. From the menu bar of the AS 5300 Element Manager Console, select Administration > Role Definition.
2. On the Role Definition panel, select the role to modify, and then click Edit (-/+).
3. Select the required READ, WRITE, and MAINT check boxes to configure privileges for each service.
4. Click Apply.
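The password complexity rules above interact: the category minimums must fit inside Minimum Password Length, dictionary checking raises the floor to 6, Minimum Characters Different is meaningless without Password History, and the user-ID rule matches case-insensitively in both directions. The following Python checker is an added example written for this page, not Avaya code, that applies those rules as the job aid describes them so a proposed policy and candidate passwords can be tested offline. The special-character set is the one listed above; the dictionary, the rule names returned, and the "characters different" metric (positional differences plus length difference) are assumptions, since the product's exact word list and metric are not described on this page.

```python
"""Added example: a checker that applies the AS 5300 password complexity rules listed above.

Not Avaya code; it models the rules as the job aid describes them so their interactions
(category sums, history versus minimum-different, case-insensitive user-ID matching) can be
exercised offline. The dictionary and the "characters different" metric are assumptions.
"""
from dataclasses import dataclass
from typing import Iterable, List

# Special characters as listed on the Password Rules panel in this document.
SPECIAL_CHARS = frozenset("-_&^?!(),/\\:;~=+")

# Constructed sample dictionary; the product's word list is not described on this page.
SAMPLE_DICTIONARY = frozenset({"password", "avaya", "admin", "secret", "welcome"})


@dataclass
class PasswordRules:
    min_length: int = 8
    min_lower: int = 2
    min_upper: int = 2
    min_digits: int = 2
    min_special: int = 0
    max_consecutive: int = 0        # 0 disables the check
    min_different: int = 0          # 0 disables; forced to 0 when history is 0
    history: int = 0                # 0 disables history validation
    userid_permitted: bool = True   # TRUE means the user ID may appear in the password
    dictionary_check: bool = False
    dictionary: frozenset = SAMPLE_DICTIONARY


def check_rule_consistency(rules: PasswordRules) -> List[str]:
    """Configuration problems that the panel's own restrictions would reject."""
    problems = []
    category_sum = rules.min_lower + rules.min_upper + rules.min_digits + rules.min_special
    if rules.min_length < category_sum:
        problems.append("min_length_below_category_sum")
    if rules.dictionary_check and rules.min_length < 6:
        problems.append("min_length_below_6_with_dictionary_check")
    if rules.history == 0 and rules.min_different != 0:
        problems.append("min_different_requires_history")
    return problems


def longest_run(s: str) -> int:
    """Length of the longest run of one character appearing consecutively."""
    best, run, prev = 0, 0, None
    for ch in s:
        run = run + 1 if ch == prev else 1
        prev, best = ch, max(best, run)
    return best


def chars_different(new: str, old: str) -> int:
    """Positional differences plus the length difference (assumed metric)."""
    common = min(len(new), len(old))
    return sum(new[i] != old[i] for i in range(common)) + abs(len(new) - len(old))


def validate_password(rules: PasswordRules, user_id: str, pw: str,
                      previous: Iterable[str] = ()) -> List[str]:
    """Return the names of the violated rules; an empty list means the password is acceptable.

    `previous` is most-recent-first. Real systems compare stored hashes; plaintext is used
    here only to keep the example self-contained.
    """
    errors = []
    if len(pw) < rules.min_length:
        errors.append("min_length")
    if sum("a" <= c <= "z" for c in pw) < rules.min_lower:     # US-ASCII a-z only
        errors.append("min_lower")
    if sum("A" <= c <= "Z" for c in pw) < rules.min_upper:
        errors.append("min_upper")
    if sum("0" <= c <= "9" for c in pw) < rules.min_digits:
        errors.append("min_digits")
    if sum(c in SPECIAL_CHARS for c in pw) < rules.min_special:
        errors.append("min_special")
    if rules.max_consecutive and longest_run(pw) > rules.max_consecutive:
        errors.append("max_consecutive")
    low = pw.lower()
    if not rules.userid_permitted:
        uid = user_id.lower()
        # Case insensitive, and the reversed user ID is rejected as well.
        if uid and (uid in low or uid[::-1] in low):
            errors.append("user_id_in_password")
    if rules.dictionary_check and any(w in low for w in rules.dictionary if len(w) >= 4):
        errors.append("dictionary_word")
    if rules.history:
        recent = list(previous)[: rules.history]
        if pw in recent:
            errors.append("history")
        if rules.min_different and recent and chars_different(pw, recent[0]) < rules.min_different:
            errors.append("min_different")
    return errors


if __name__ == "__main__":
    strict = PasswordRules(min_special=1, max_consecutive=2, min_different=3, history=3,
                           userid_permitted=False, dictionary_check=True)
    print(check_rule_consistency(strict))                                        # []
    print(validate_password(strict, "sysadmin", "SysAdmin2024!Xy"))              # user ID and dictionary hits
    print(validate_password(strict, "jdoe", "Av4yaS3cure?", ["Av4yaS3cure!"]))   # ['min_different']
```

With the panel defaults (length 8, two lowercase, two uppercase, two digits, no special characters, user ID permitted) a password such as "SysAdmin2024" passes; the stricter profile in the `__main__` block rejects it for containing the user name and the dictionary word "admin", which is the difference the User ID and Check For Dictionary Words rules make.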

Modifying an AS 5300 Element Manager Console role job aid

About this task
The effects of the READ, WRITE, and MAINT privileges differ according to the service that is selected; however, the following points generally apply:
- The READ privilege typically allows you to view, but not modify, configuration data.
- The WRITE privilege enables READ automatically and allows you to add and modify configuration data.
- The MAINT privilege allows you to start and stop services, but does not allow you to change configuration data. Typically you must also have the READ privilege in addition to MAINT.

Refer to Configuring a new AS 5300 Element Manager Console role job aid on page 78 for a list and description of the services for which you can add READ, WRITE, and MAINT privileges to roles.

Modifying an AS 5300 Element Manager Console administrator

Modify an AS 5300 Element Manager Console administrator user account.

You know the Global Administrator account password.

1. From the menu bar of the AS 5300 Element Manager Console, select Administration > User Administration.
2. On the User Administration panel, select the user to modify, and click Edit (-/+).
3. In the Edit User Account dialog box, configure parameters as required.
4. Click Apply.
If the change is valid, the Edit User Account dialog box closes and the modification appears on the User Administration panel.

Modifying an AS 5300 Element Manager Console administrator job aid

About this task
This job aid lists and describes the fields that you configure in the Edit User Account dialog box.

User Name: Edit the administrator's first and last names. The maximum number of characters allowed is 36. There are no character restrictions.

Maximum Password Life: If you enter a value greater than 0, this value is used instead of the Maximum Password Life value found in the Password Rules. Enter 0 to use the Password Rules value.

Account Disabled: If you select this check box, the account is disabled and the administrator cannot log on.

Disable Account Inactivity Period: When enabled, this parameter exempts the administrator account from automatic account inactivity disabling.

Immune to Expiry: If you select this check box, the password aging rules do not apply to this account. All password complexity rules still apply. This option is intended for nonhuman accounts. For secure systems, select this option only for nonhuman accounts.

Disabling an AS 5300 Element Manager administrator account

About this task
You can disable an AS 5300 Element Manager Console administrator account.

1. From the menu bar of the AS 5300 Element Manager Console, select Administration > User Administration.
2. On the User Administration panel, select the user to be disabled and click Edit (-/+).
3. In the Edit User Account dialog box, select the Account Disabled check box.
4. Click Apply.

Disabling password aging rules for an account

About this task
You can disable the password aging rules for a particular account. This option is intended for system (non-human) accounts. All password complexity rules still apply.

1. From the menu bar of the AS 5300 Element Manager Console, select Administration > User Administration.
2. On the User Administration panel, select the user whose password aging rules you want to disable and click Edit (-/+).

3. In the Edit User Account dialog box, select the Immune to Expiry check box.
4. Click Apply.

Viewing and forcing off users

You can view all AS 5300 Element Manager Console users who are logged on. If necessary, you can force another administrator off the system.

You have AdminUserService privileges.

1. From the AS 5300 Element Manager Console menu bar, select Administration > User Display/Forceoff.
2. To force an administrator off the system, from the Logged-in Users panel, select an entry and click Force Off.
3. Click Yes to confirm the Force Off.

Exporting configuration data for AS 5300 Element Manager Console

You can export configuration data for the AS 5300 Element Manager Console.

You have ExportImportService privileges. You must know the user ID and password of an OS AA admin.

1. From the menu bar of the AS 5300 Element Manager Console, select Tools > DB Export.
2. In the DB Export panel, click Choose.
3. In the Save dialog box, browse to the location where you want to save the file.
4. In the File name box, type a name for the file.
5. Click Save.
6. Select the Export Selected Services radio button.
7. From the Services Available for Export list, select the desired service.
8. Click Export Now.

9. In the FTP log on screen, enter the user name and password for the AA role.
10. Click Apply.

Importing configuration data for AS 5300 Element Manager Console

You can import configuration data for the AS 5300 Element Manager Console.

You have ExportImportService privileges. You must know the user ID and password of an OS AA admin.

1. From the menu bar of the AS 5300 Element Manager Console, select Tools > DB Import.
2. In the DB Import panel, under Import File, click Choose.
3. In the Open dialog box, browse to the location from which you want to select the file.
4. Select the file that you want to restore. The file name appears in the File name box.
5. Click Open.
6. In the DB Import panel, under Result File, click Choose.
7. In the Save dialog box, browse to the location where you want to save the log output file.
8. In the File name box, type a name for the log output file.
9. Click Save.
10. Click Import Now.
11. In the FTP log on screen, enter the user name and password for the AA role.
12. Click Apply.

Deleting an AS 5300 Element Manager Console role

You can delete any role that is not required. You must reassign any users assigned to the role before you delete it.

1. From the AS 5300 Element Manager Console menu bar, select Administration > Role Definition.
2. From the Roles Definition panel, select the role that you want to delete and click Delete.
3. Click Yes to confirm.
If the role is not referenced by any users, the entry disappears from the Roles Definition panel.

Deleting an AS 5300 Element Manager Console administrator

About this task
You can delete the user accounts for administrators who no longer require access to the AS 5300 Element Manager Console.

1. From the AS 5300 Element Manager Console menu bar, select Administration > User Administration.
2. From the User Administration panel, select the entry for the user and click Delete (-).
3. Click Yes to confirm.

Resetting the password for the AS 5300 Element Manager Console admin account

Use this procedure to reset the password for the initial AS 5300 Element Manager Console admin account if there are no other administrative users who have sufficient privileges to reset the password.

You must belong to the Database Administrator role. You must belong to the Application Administrator role.

1. Log on to the primary database (DB) server as a user with the DBA role.
2. Run the script to change the password:
   ./resetsmguiadminpasswd.pl
3. Log on to the primary AS 5300 Element Manager server as a user with the AA role.
4. Note that the script in step 2 reset the admin account password to admin. Until you complete step 8, the account is protected only by this well-known default, so finish the remaining steps without delay.
5. Change directory:
   cd /var/mcp/install
6. Run the script to restart the AS 5300 Element Manager:
   ./emUpgrade.pl
   This script stops all AS 5300 Element Manager instances, redeploys the load specified in installprops.txt, and restarts all AS 5300 Element Manager instances.
7. Log on to the AS 5300 Element Manager Console with the admin account.
8. At the prompt to change the password, type a new password that complies with the password rules.
9. Type the new password again to confirm.
10. Click OK to save the new password and complete the log on.

Resetting the password for an AS 5300 Element Manager Console administrator

You can reset the password for another AS 5300 Element Manager Console administrator.

You can access the AS 5300 Element Manager Console.

1. From the menu bar of the AS 5300 Element Manager Console, select Administration > Password Administration > Set Administrator Password.
2. On the Set Administrator Password panel, from the User ID list, choose the administrator.
3. In the New Password box, type the new password for the administrator.
4. In the Password Confirm box, type the new password again.
5. Optional. To force the administrator to change the new password at first log on, select the Force Password Change check box.
   Important: Having more than one person know the password for a user account reduces accountability and system security. Avaya recommends that you select this option.
6. Click Apply.

Changing your AS 5300 Element Manager Console password

Use this procedure to change the password for your AS 5300 Element Manager Console account.

You can access the AS 5300 Element Manager Console.

1. From the menu bar of the AS 5300 Element Manager Console, select Administration > Password Administration > Change My Password.
2. On the Change My Password panel, in the New Password box, type your new password.
3. In the Password Confirm box, type your new password again.
4. In the Current Password box, type your current password.
5. Click Apply.

Modifying a Provisioning Client role

You can modify roles for the Provisioning Client to specify admin privileges and level of access.

You are a secadmin. The secadmin role has complete access.

1. From the Provisioning Client menu bar, select Admin > Role to access the Admin Role portlet.
2. On the List tab, in the Role Name column, click the name of the role to be modified.
3. In the Role Description box, type a brief description of the role.
4. Under the Data Layer Management option, select the Write and Delete check boxes if you want the administrator to have one or both privileges at the System, Domain, and User level.
5. Select the necessary Read, Write, and Delete check boxes to configure access for each Admin privilege.
6. Click Save.

Modifying a Provisioning Client role job aid

About this task
For more information about the administrative privileges listed on the Add a New Role page, see Avaya Aura Application Server 5300 Using the Provisioning Client, NN

Listing Provisioning Client Admin users

About this task
Use this procedure to search for Admin user accounts for the Provisioning Client.

1. From the Provisioning Client menu bar, select Admin > List to access the Admin portlet.
2. To see a list of administrator user accounts, select the List tab.

Searching for Provisioning Client users by role

Use this procedure to search for Provisioning Client administrative users by role.

You have the administration management right. You are a secadmin. The secadmin role has complete access.

1. From the Provisioning Client menu bar, select Admin > List.
2. Click the Advanced Search tab.
3. In the Administrator Role list, select a role.
4. Click Search.

Searching for inactive Provisioning Client users

Use this procedure to search for Provisioning Client administrative users who have inactive accounts.

You have the administration management right. You are a secadmin. The secadmin role has complete access.

1. From the Provisioning Client menu bar, select Admin > List.
2. Click the Search tab.
3. Enter a number for Inactive time in days.
4. Click Search.

Modifying a Provisioning Client Admin

Use this procedure to modify Admin users for the Provisioning Client.

You have the administration management right. You are a secadmin. The secadmin role has complete access.

1. From the Provisioning Client menu bar, select Admin > List.
2. Select the administrator name.
3. Click the Details tab, and then modify the administrator fields as required.
4. Click Save.
5. Click the Domains tab, and then modify the administrator fields as required.
6. Click Save.
7. Click the Roles tab, and then modify the administrator fields as required.
8. Click Save.
9. Click the Account Policy tab, and then modify the administrator fields as required.
10. Optionally, to disable an administrator, clear the Enable account check box.
11. Click Save.

Deleting a Provisioning Client user

About this task
Use this procedure to remove Provisioning Client user accounts that are no longer required.

1. From the Provisioning Client menu bar, select Admin > List to access the Admin portlet.
2. On the List tab, click Delete for the user account that you want to delete.
3. On the confirmation dialog, type your administrator password, and then click Confirm.

Resetting the password for the Provisioning Manager admin account

Use this procedure to reset the password for the initial Provisioning Manager admin account if there are no other administrative users who have sufficient privileges to reset the password.

You must belong to the Database Administrator role.

1. Log on to the primary database server as a user with the DBA role.
2. Change directory:
   cd /var/mcp/run/mcp_<rel>/<dbname>/bin/util
3. Run the script to change the password:
   ./resetprovadminpasswd.pl
   The script resets the admin account password to the default of admin. Until you complete step 11, the account is protected only by this well-known default, so finish the remaining steps without delay.
4. Log on to the AS 5300 Element Manager Console.
5. From the configuration view, select Network Elements > Provisioning Managers > <PROV_instance> > NE Maintenance.
6. In the Prov Maintenance window, under the Oper column, verify that the Provisioning Manager status is Active.
7. Select the Provisioning Manager instance and click Restart.
8. Verify that the Provisioning Manager status returns to Active.
9. Use a supported Web browser to log on to the Provisioning Client for the Provisioning Manager that you restarted in step 7, using the admin account and the default password admin.
10. From the Provisioning Client navigation pane, select Administrator > Password.
11. Type the new password for the Provisioning Manager admin account.
12. Type the new password again to confirm.
13. Type the old password (the default password is admin).
14. Click Save.

Resetting the password for a Provisioning Client administrator

Use this procedure to reset another Provisioning Client administrator's password.

You have AdminUserService rights. To reset the password for the admin account, you must have the secadmin role.

1. From the Provisioning Client menu bar, select Admin > List to access the Admin portlet.
2. On the List tab, click Reset for the administrator whose password you want to reset.
3. In the New Password box, type the new password for the administrator.
4. In the Confirm Password box, type the new password again.
5. Optional. To force the administrator to change the new password at first log on, select the Enforce Password Change check box.
   Important: Having more than one person know the password for a user account reduces accountability and system security. Avaya recommends that you select this option.
6. Click Apply.

Changing your Provisioning Client password

Use this procedure to change the password for your Provisioning Client user account.

You can access the Provisioning Client.

1. From the Provisioning Client menu bar, select Admin > Change Admin Password.
2. In the New Password box, type your new password.
3. In the Confirm Password box, type your new password again.
4. In the Current Password box, type your current password.
5. Click Save.

Chapter 11: Application security configuration

About this task
Use the procedures in this chapter to better secure HTTPS communications with the AS 5300 Element Manager and the Provisioning Manager. For information about how to secure network element logs, see AS5300 Security Hardening.

Navigation:
- Configuring the AS 5300 Element Manager with certificates for HTTPS on page 103
- Configuring the Provisioning Manager with certificates for HTTPS on page 104
- Configuring the AS 5300 Element Manager Console with certificates for HTTPS and SIP CAC on page 105

Configuring the AS 5300 Element Manager with certificates for HTTPS

Use this procedure to replace the default self-signed HTTPS certificate of the AS 5300 Element Manager with a CA-signed certificate.

You can access the AS 5300 Element Manager Console. You have obtained and imported a CA-signed certificate for each component in the network.

1. From the AS 5300 Element Manager Console navigation pane, select Network Elements > Element Manager.
2. On the Element Manager window, select the AS 5300 Element Manager, and then click Edit (-/+).
3. On the Edit dialog, in the Internal OAM section, from the HTTPS Certificate list, choose the new certificate.
4. If required, on the Edit dialog, in the External OAM section, from the HTTPS Certificate list, choose the new certificate.

5. Click Apply.
After the configuration update, the system raises an alarm to alert you that you must restart the AS 5300 Element Manager to pick up the new certificate.
6. Restart the standby instance of the AS 5300 Element Manager.
7. After the standby instance state changes to hot standby, stop the active AS 5300 Element Manager. This action causes a failover to the backup AS 5300 Element Manager and causes the AS 5300 Element Manager Console to lose connectivity.
8. Log on to the AS 5300 Element Manager Console again.
9. Start the AS 5300 Element Manager backup instance.

Configuring the Provisioning Manager with certificates for HTTPS

Use this procedure to replace the default self-signed HTTPS certificate of the Provisioning Manager with a CA-signed certificate.
Important: Repeat this procedure for each Provisioning Manager in your Application Server 5300 system.

You can access the AS 5300 Element Manager Console. You have obtained and imported a CA-signed certificate for each component in the network.

1. Stop the Provisioning Manager.
2. From the AS 5300 Element Manager Console navigation pane, select Network Elements > Provisioning Managers.
3. On the Provisioning Managers window, select an instance (for example, PROV1) and click Edit (-/+).
4. On the Edit dialog, in the Prov section, from the Internal OAM HTTPS Certificate list, choose the new certificate.
5. On the Edit dialog, in the Prov section, from the External OAM HTTPS Certificate list, choose the new certificate.
6. On the Edit dialog, in the PA section, from the HTTPS Certificate list, choose the new certificate.
7. Click Apply.

After the configuration update, the system raises an alarm to alert you that you must restart the Provisioning Manager to pick up the new certificate.
8. Start the Provisioning Manager.

Configuring the AS 5300 Element Manager Console with certificates for HTTPS and SIP CAC

Configure the HTTPS and SIP certificates for the AS 5300 Element Manager Console using ActivClient (CAC reader), after you replace the default self-signed certificate with a CA-signed certificate for each component in the system.

ActivClient is installed on the desktop on which the AS 5300 Element Manager Console is running. The Management PC is equipped with a CAC reader device.

1. Choose one of the following:
   - If MCP FIPS is enabled, access the AS 5300 Element Manager Console by running fips-mgmtconsole.bat.
   - If MCP FIPS is not enabled, enter the AS 5300 Element Manager Console address in the address bar of your Web browser.
2. In the AS 5300 Element Manager Console connection window, click Advanced.
3. Select the Trust Store Certificates tab.
4. Select a CA certificate file.
5. Click Add (+) to add the CA certificate file to the AS 5300 Element Manager Console truststore.
6. Select the PKCS11 Configuration tab.
7. Click Edit (-/+).
8. In the Module Name list, select ActivCard.
9. Click Browse, and then locate and select the acpkcs211.dll file. The location of the acpkcs211.dll file depends on the installation of the ActivClient CAC software.
10. Click OK.
11. Click OK.
12. In the ActivClient Login window, enter the PIN for the inserted CAC card.
13. Log on to the AS 5300 Element Manager Console.

Chapter 12: Certificate management overview

The Avaya Aura Application Server 5300 uses Public-Key Cryptography Standards (PKCS) technology (PKCS#12 files) in its Session Initiation Protocol (SIP) Transport Layer Security (TLS) application. This chapter provides supporting information about certificate management for the Application Server 5300 system.

Platform certificate management tool

The certmgr tool provides an interface to the server certificate database. The certmgr tool resides on each core Application Server 5300 server and Avaya Media Server (MS) server. A Security System Administrator (SSA) with sudo privileges can start the certmgr tool by typing the name of the tool at the prompt.

Use the certmgr tool to generate Certificate Signing Requests (CSR), verify certificate chains, and create PKCS#12 files. The certmgr tool does not include support for the following tasks:
- obtaining the CA certificate
- sending a CSR to the Certificate Authority (CA)
- obtaining the signed certificate from the CA
- obtaining the CRL from the CA

How to obtain these files and transfer them to the servers is the administrator's choice. For example, the administrator can use secure FTP (SFTP) for this purpose.

IPsec custom certificates

The procedures to generate IPsec custom certificates are the same as those to generate custom certificates for the Application Server 5300 core servers and Avaya MS. After an IPsec certificate is signed by the CA and bundled into a PKCS#12 file, you can install it on the servers.
Important: Before you can install IPsec certificates, you must stop the IPsec service on all Application Server 5300 core and Avaya MS servers. For more information about IPsec, see IPsec configuration overview on page 141.

107 Core application certificates Use the AS 5300 Element Manager Console or the Open Management Interface (OMI) to manage certificates for the Application Server 5300 core application. Certificate management for the core application includes management of the Keystore the Truststore Certificate Revocation Keystore certificates Keystore certificates are the certificates for the Network Elements that are part of the Application Server 5300 core. This does not include External Nodes such as gateways. You can import PKCS#12 files into the Keystore. The PKCS#12 file must contain one end entity certificate, the corresponding private key, and zero or more CA certificates. The system stores the private key internally; therefore, only the node that is assigned this certificate can retrieve the private key. The file can also include the certificate chain; in which case, the system automatically imports the rest of the chain into the Truststore, if an entry does not already exist for each CA in the chain. During the import process, the system associates a unique logical name with the certificate. You use the logical name to associate the certificate with a TLS port when you assign a Keystore certificate to a Network Element. For more information, see Core application certificate management on page 124. Truststore certificates The system uses the Root CA and intermediate CA certificates stored in the Truststore to authenticate certificates issued by the CA. For the certificates stored in the Keystore to be authenticated, the signing chain must exist in the Truststore. The signing chain for other certificates, such as for gateways, must also exist in the Truststore. If the system uses a self-signed certificate, you must import the self-signed certificate into the Truststore. For more information, see Truststore certificate management on page 132. The system uses Privacy Enhanced Mail (PEM) formatted files to import certificates into the Truststore. 
Each file must contain only one certificate. Certificates in the Truststore are considered public; therefore, no password or private key data is required.

Certificate revocation

Sometimes, a certificate must be revoked before the certificate expires (for example, when the private key for a certificate is compromised and the certificate can no longer be trusted). The Application Server 5300 supports two methods of certificate revocation:
• Online Certificate Status Protocol (OCSP): OCSP provides an on-line query mechanism that can be used to check the revocation status of a certificate. Avaya recommends that you use OCSP for certificate revocation. For more information, see OCSP configuration on page 134.
• CRL Distribution Point (CDP): CDP provides a URL in the certificate that you use to download CRLs.

Chapter 13: Certificate preparation

Use these procedures to prepare certificates.

Certificate preparation procedures

The following task flow shows the sequence of procedures that you perform to prepare certificates.

Navigation
• Generating a CSR on page 110
• Obtaining CA certificates and CA-signed certificates. Administrators decide the method of sending the CSR to the CA and of obtaining the certificates.
• Installing a CA or CA-signed certificate on page 111
• Exporting a PKCS12 file on page 112

• Installing custom certificates into the AS 5300 Element Manager keystore on page 113
• Verifying that CA certificates import into the AS 5300 Element Manager truststore on page 114

Generating a CSR

Use this procedure to generate a certificate signing request (CSR). Only an SSA can read the generated CSR file.

You are a user with SSA role.
Check with your CA before creating the CSR to determine if certain fields require CA-specific data.

1. Log on to the primary element manager server as a user with SSA role.
2. Enter certmgr at the prompt.
3. If you receive a prompt, enter your password.
4. Enter 4 to select Generate Certificate Signing Request.
5. Enter the values for each of the prompts.
   Important: Ask the CA for information on how to fill out the fields if you are unsure of the data required.
6. To confirm, enter Y.
7. After the CSR is generated, send it to the CA for signing.

Generating a CSR job aid

This job aid lists and describes the parameters required to generate a CSR.

Parameter                           Description
Output CSR file name                For the output CSR file, enter a full path file name unless the file is to be saved in the current working directory.
Country name (optional)             This is the two-letter country code.
State or province name (optional)   This is the name of the state or province in less than 40 characters.

Locality name (optional)            This is the name of the locality in less than 40 characters.
Organizational name (optional)      This is the name of the company or subsidiary.
Organizational unit name (optional) This is the name of the department or division.
Common name                         This is the common name in less than 40 characters.
DNS Name (optional)                 Enter a comma separated list of DNS names to be used in the subject alternative name extension.
Key usage extension                 Enter Y if the certificate requires a key usage extension.
Digital Signature (optional)        Enter Y if the digital signature bit of the key usage extension should be set.
Non-repudiation (optional)          Enter Y if the non-repudiation bit of the key usage extension should be set.
Key Encipherment (optional)         Enter Y if the Key Encipherment bit of the key usage extension should be set.
Data Encipherment (optional)        Enter Y if the Data Encipherment bit of the key usage extension should be set.

Installing a CA or CA-signed certificate

Use this procedure to install a CA or CA-signed certificate.

You are a user with SSA role.

1. Log on to the primary element manager server as a user with SSA role.
2. At the prompt, enter certmgr.
3. From the Certificate Management Options menu, enter 2 to select Install Certificate.
4. Enter the Certificate file name.
5. Enter the Type of certificate.
6. Enter the certificate friendly name.
7. To confirm, enter Y.

Installing a CA or CA-signed certificate job aid

About this task
This job aid lists and describes the parameters required to install a CA or CA-signed certificate.

Parameter                  Description
Certificate file name      Specify the full path to the certificate. If the full path is not specified, certmgr looks in the administrator's current directory for the certificate.
Type of certificate        Indicates if this is an entity or a CA certificate.
Certificate friendly name  Enter a text string used to reference the particular certificate.

Exporting a PKCS12 file

Use this procedure to export a PKCS12 file. The PKCS12 file contains the private key, the certificate, and the CA certificate.

You are a user with SSA role.
The certificate must be signed by the CA.
The certificate must be installed into the server's certificate database.

1. Log on to the primary element manager server as a user with SSA role.
2. At the prompt, enter certmgr.
3. From the Certificate Management Options menu, enter 6 to select Export PKCS12 File.
4. Enter the name of the PKCS12 file that you want to export.
5. Enter the password for the PKCS12 file.
6. Enter the password for the PKCS12 file again.
7. To confirm, enter Y.

Installing custom certificates into the AS 5300 Element Manager keystore

Use this procedure to install custom certificates into the AS 5300 Element Manager keystore. You must perform this procedure for each signed certificate.

Important: Repeat this procedure for all the certificates that you generate.

You can access the AS 5300 Element Manager Console.

1. Choose one of the following:
   • If MCP FIPS is enabled, access the AS 5300 Element Manager Console by running fips-mgmtconsole.bat.
   • If MCP FIPS is not enabled, in the address bar of your Web browser, enter the following address:
2. Log on to the AS 5300 Element Manager Console using the Admin User ID.
3. In the configuration view of the AS 5300 Element Manager Console, select Network Data and Mtc > Certificate Management > Keystore.
4. Click Add (+).
5. For the Logical Name, enter the <Certificate> PKCS12 logical name.
6. Click Browse, and navigate to the PKCS12 file that holds the certificate being imported (PKCS12 filename).
7. For the password used to create the PKCS12 file, enter the <Certificate> PKCS12 file password.
8. For the Export password, enter the <Certificate> PKCS12 file password.
9. Click Apply.
10. In the Keystore window, select the imported certificate.
11. Click Edit (-/+).
12. Verify that the Certificate Status field at the bottom of the window displays OK.

Verifying that CA certificates import into the AS 5300 Element Manager truststore

Use this procedure to verify that the CA certificates were imported properly into the AS 5300 Element Manager truststore. You must perform this procedure for each signed certificate.

You can access the AS 5300 Element Manager Console.

1. Choose one of the following:
   • If MCP FIPS is enabled, access the AS 5300 Element Manager Console by running fips-mgmtconsole.bat.
   • If MCP FIPS is not enabled, in the address bar of your Web browser, enter the following address:
2. Log on to the AS 5300 Element Manager Console using the Admin User ID.
3. In the configuration view of the AS 5300 Element Manager Console, select Network Data and Mtc > Certificate Management > Truststore.
4. Locate the CA of the certificate that was imported, and then click Edit (-/+) on the certificate.
5. Verify that the Certificate Status field at the bottom of the window displays OK.

Chapter 14: Certificate management

Use these procedures to manage certificates.

Navigation
• Generating a CSR on page 110
• Installing a CA or CA-signed certificate on page 111
• Listing all certificates on page 115
• Uninstalling a certificate on page 117
• Verifying a certificate chain on page 117
• Importing a PKCS12 file on page 118
• Exporting a PKCS12 file on page 112
• Identifying the friendly name of a certificate on page 119
• Identifying the subject of a certificate installed in the certificate database (Unix) on page 120
• Identifying the subject of a certificate that is not installed in the certificate database (Unix) on page 121
• Identifying the subject field of a certificate installed in the certificate database (Windows) on page 121

Listing all certificates

Use this procedure to list all certificates that are installed in the server's certificate database.

You are a user with SSA role.

1. Log on to the primary element manager server as a user with SSA role.
2. At the prompt, enter certmgr.
3. From the Certificate Management Options menu, enter 1 to select List All Certificates.

Listing all certificates job aid

The following information displays for each certificate:
• Name: corresponds to the certificate friendly name specified when the certificate was imported
• Type: indicates if this is an entity or a CA certificate
• Certificate Subject
• Certificate Issuer

Installing a CA or CA-signed certificate

Use this procedure to install a CA or CA-signed certificate.

You are a user with SSA role.

1. Log on to the primary element manager server as a user with SSA role.
2. At the prompt, enter certmgr.
3. From the Certificate Management Options menu, enter 2 to select Install Certificate.
4. Enter the Certificate file name.
5. Enter the Type of certificate.
6. Enter the certificate friendly name.
7. To confirm, enter Y.

Installing a CA or CA-signed certificate job aid

About this task
This job aid lists and describes the parameters required to install a CA or CA-signed certificate.

Parameter                  Description
Certificate file name      Specify the full path to the certificate. If the full path is not specified, certmgr looks in the administrator's current directory for the certificate.
Type of certificate        Indicates if this is an entity or a CA certificate.
Certificate friendly name  Enter a text string used to reference the particular certificate.

Uninstalling a certificate

Use this procedure to uninstall a certificate.

You are a user with SSA role.

1. Log on to the primary element manager server as a user with SSA role.
2. At the prompt, enter certmgr.
3. From the Certificate Management Options menu, enter 3 to select Uninstall Certificate.
4. Enter the number of the certificate to remove.
5. To confirm, enter Y.

Verifying a certificate chain

Use this procedure to view the certificate chain for an installed certificate.

You are a user with SSA role.

1. Log on to the primary element manager server as a user with SSA role.
2. At the prompt, enter certmgr.
3. From the Certificate Management Options menu, enter 5 to select Verify Certificate Chain.
4. Select a certificate from the list.
5. Validate the certificate and its installed chains.
   The chain displays only those CA certificates that are installed in the server certificate database.

Verifying a certificate chain job aid

The following example shows the result of selecting an item in the verify certificate chain list.

Chain of the certificate "mfss1sm":
"DoDJITCRootCA2" [CN=DoD JITC Root CA 2,OU=PKI,OU=DoD,O=U.S. Government,C=US]
"DoDJITCCA-17" [CN=DOD JITC CA-17,OU=PKI,OU=DoD,O=U.S. Government,C=US]
"mfss1sm" [CN= ,OU=Contractor,OU=PKI,OU=DoD,O=U.S. Government,C=US]

Importing a PKCS12 file

Use this procedure to import a PKCS12 file. Import a PKCS12 file if you want to:
• view the certificate details for the certificate bundled inside the PKCS12 file.
• re-export the PKCS12 file on a FIPS-compliant server. If the private key within the PKCS12 file was generated on a non-FIPS-compliant server, you can make it FIPS compliant by importing the PKCS12 file into the server certificate database and then re-exporting it.

You are a user with SSA role.

1. Log on to the primary element manager server as a user with SSA role.
2. At the prompt, enter certmgr.
3. From the Certificate Management Options menu, enter 7 to select Import PKCS12 File.
4. Enter the name of the PKCS12 file that you want to import.
5. Enter the password for the PKCS12 file.
6. Enter the password for the PKCS12 file again.
7. To confirm, enter Y.

Exporting a PKCS12 file

Use this procedure to export a PKCS12 file. The PKCS12 file contains the private key, the certificate, and the CA certificate.

You are a user with SSA role.
The certificate must be signed by the CA.
The certificate must be installed into the server's certificate database.

1. Log on to the primary element manager server as a user with SSA role.
2. At the prompt, enter certmgr.
3. From the Certificate Management Options menu, enter 6 to select Export PKCS12 File.
4. Enter the name of the PKCS12 file that you want to export.
5. Enter the password for the PKCS12 file.
6. Enter the password for the PKCS12 file again.

7. To confirm, enter Y.

Identifying the friendly name of a certificate

Use this procedure to identify the friendly name of a certificate. The certificate friendly name is specified when you install a certificate in the server certificate database using the certmgr tool.

You are a user with SSA role.
The certificate must be installed in the server's certificate database.

1. Log on to the primary element manager server as a user with SSA role.
2. At the prompt, enter certmgr.
3. From the Certificate Management Options menu, enter 1 to select List All Certificates.
4. In the output, locate the Name field.
   The Name field corresponds to the Friendly name field of the certificate.

Identifying the friendly name of a certificate job aid

The following example shows the result of listing all certificates. The Name field corresponds to the Friendly name field of the certificate. In this example, there are three certificates installed: two entity certificates and one CA certificate. The Friendly name for the second entity certificate is "AS5300 Core".

[1] Name: "Default Staging Certificate" Type: entity cert
    Subject: [C=US,ST=Texas,L=Richardson,O=Avaya,OU=AS5300,CN=Default Staging Certificate]
    Issuer: [C=US,ST=Texas,L=Richardson,O=Avaya,OU=AS5300,CN=Default Staging Certificate]
[2] Name: "AS5300 Core" Type: entity cert
    Subject: [C=US,O=U.S. Government,OU=JITC,OU=PKI,OU=DoD,CN=AS5300 Core]
    Issuer: [C=US,ST=TX,O=Avaya,OU=AS5300,CN=AS5300TestCA]
[3] Name: "AS5300 Test CA" Type: CA cert
    Subject: [C=US,ST=TX,O=Avaya,OU=AS5300,CN=AS5300TestCA]
    Issuer: [C=US,ST=TX,O=Avaya,OU=AS5300,CN=AS5300TestCA]

Identifying the subject of a certificate installed in the certificate database (Unix)

Use this procedure to identify the subject of a certificate if the certificate is installed in the server's certificate database.

You are a user with SSA role.
The certificate must be installed in the certificate database of the server.

1. Log on to the primary element manager server as a user with SSA role.
2. At the prompt, enter certmgr.
3. From the Certificate Management Options menu, enter 1 to select List All Certificates.
4. In the output, locate the Subject field.
   The Subject field corresponds to the Subject field of the certificate.

Identifying the subject field of a certificate installed in the certificate database (Unix) job aid

The following example shows the result of listing all certificates. The Subject field corresponds to the Subject name field of the certificate. In this example, there are three certificates installed: two entity certificates and one CA certificate. The Subject for the second entity certificate is C=US,O=U.S. Government,OU=JITC,OU=PKI,OU=DoD,CN=AS5300 Core.

[1] Name: "Default Staging Certificate" Type: entity cert
    Subject: [C=US,ST=Texas,L=Richardson,O=Avaya,OU=AS5300,CN=Default Staging Certificate]
    Issuer: [C=US,ST=Texas,L=Richardson,O=Avaya,OU=AS5300,CN=Default Staging Certificate]
[2] Name: "AS5300 Core" Type: entity cert
    Subject: [C=US,O=U.S. Government,OU=JITC,OU=PKI,OU=DoD,CN=AS5300 Core]
    Issuer: [C=US,ST=TX,O=Avaya,OU=AS5300,CN=AS5300TestCA]
[3] Name: "AS5300 Test CA" Type: CA cert
    Subject: [C=US,ST=TX,O=Avaya,OU=AS5300,CN=AS5300TestCA]
    Issuer: [C=US,ST=TX,O=Avaya,OU=AS5300,CN=AS5300TestCA]
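The friendly-name and subject lookups above, and the "Verify Certificate Chain" rule that only installed CA certificates appear in a chain, can be scripted against a captured listing. The following is an added example (not Avaya's code and not part of certmgr); it assumes certmgr prints the Name, Type, Subject and Issuer fields in the order shown in the job aid, and the parser ignores line breaks between them. The fourth entry in the sample is constructed to show an entity certificate whose CA is not installed.

```python
"""Parse the output of the certmgr "List All Certificates" option.

Added example, not part of the Avaya documentation or the certmgr tool.
Given a captured listing it answers what the procedures above do by eye:
which friendly name (Name field) belongs to a subject, and how far the
installed CA certificates let a chain be verified.
"""
import re

# Sample input: entries [1]-[3] are the listing from the job aid above;
# entry [4] is constructed here to show an issuer that is not installed.
SAMPLE_LISTING = """\
[1] Name: "Default Staging Certificate" Type: entity cert
    Subject: [C=US,ST=Texas,L=Richardson,O=Avaya,OU=AS5300,CN=Default Staging Certificate]
    Issuer: [C=US,ST=Texas,L=Richardson,O=Avaya,OU=AS5300,CN=Default Staging Certificate]
[2] Name: "AS5300 Core" Type: entity cert
    Subject: [C=US,O=U.S. Government,OU=JITC,OU=PKI,OU=DoD,CN=AS5300 Core]
    Issuer: [C=US,ST=TX,O=Avaya,OU=AS5300,CN=AS5300TestCA]
[3] Name: "AS5300 Test CA" Type: CA cert
    Subject: [C=US,ST=TX,O=Avaya,OU=AS5300,CN=AS5300TestCA]
    Issuer: [C=US,ST=TX,O=Avaya,OU=AS5300,CN=AS5300TestCA]
[4] Name: "Orphan Gateway" Type: entity cert
    Subject: [C=US,O=Example,CN=gw1.example.invalid]
    Issuer: [C=US,O=Example,CN=Example Intermediate CA]
"""

# One certificate entry; \s* lets the fields sit on one line or several.
ENTRY_RE = re.compile(
    r'\[(?P<index>\d+)\]\s*Name:\s*"(?P<name>[^"]*)"\s*'
    r'Type:\s*(?P<type>entity cert|CA cert)\s*'
    r'Subject:\s*\[(?P<subject>[^\]]*)\]\s*'
    r'Issuer:\s*\[(?P<issuer>[^\]]*)\]',
    re.DOTALL,
)


def parse_certmgr_listing(text):
    """Return one dict per certificate, in the order certmgr listed them."""
    entries = []
    for m in ENTRY_RE.finditer(text):
        entry = m.groupdict()
        entry["index"] = int(entry["index"])
        entries.append(entry)
    return entries


def friendly_name_for_subject(entries, subject):
    """Map a Subject string (as certmgr prints it, without the brackets)
    to the Name field; None if no installed certificate has that subject."""
    for e in entries:
        if e["subject"] == subject:
            return e["name"]
    return None


def installed_chain(entries, name):
    """Walk issuer links through the installed CA certificates, as
    "Verify Certificate Chain" does. Returns (chain, complete): chain lists
    friendly names from the highest installed certificate down to `name`;
    complete is True when that highest certificate is self-signed (a root).
    Subjects are compared as exact strings, which works because certmgr
    prints Subject and Issuer in the same attribute order."""
    ca_by_subject = {e["subject"]: e for e in entries if e["type"] == "CA cert"}
    current = {e["name"]: e for e in entries}[name]
    chain, seen = [current["name"]], {current["subject"]}
    while current["subject"] != current["issuer"]:
        parent = ca_by_subject.get(current["issuer"])
        if parent is None or parent["subject"] in seen:  # CA not installed, or a loop
            return list(reversed(chain)), False
        chain.append(parent["name"])
        seen.add(parent["subject"])
        current = parent
    return list(reversed(chain)), True


if __name__ == "__main__":
    certs = parse_certmgr_listing(SAMPLE_LISTING)
    for c in certs:
        if c["type"] == "entity cert":
            chain, complete = installed_chain(certs, c["name"])
            print(f'{c["name"]}: {" -> ".join(chain)} ({"complete" if complete else "CA missing"})')
```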

Identifying the subject of a certificate that is not installed in the certificate database (Unix)

Use this procedure to identify the subject of a certificate if the certificate is not installed in the server's certificate database.

You are a user with SSA role.

1. Log on to the primary element manager server as a user with SSA role.
2. Transfer the certificate to the server using sftp or scp.
3. Execute the following command:
   openssl x509 -subject -noout -in <certificate>
4. In the output, locate the output that follows the subject= string.
   The output that follows the subject= string corresponds to the Subject field of the certificate.

Identifying the subject field of a certificate that is not installed in the certificate database (Unix) job aid

Variable       Value
<certificate>  The CA-signed certificate.

The following example shows the result of entering the command openssl x509 -subject -noout -in <certificate>.

subject= /C=US/O=U.S. Government/OU=JITC/OU=PKI/OU=DoD/CN=AS5300 Core

In this example, the subject is /C=US/O=U.S. Government/OU=JITC/OU=PKI/OU=DoD/CN=AS5300 Core.

Identifying the subject field of a certificate installed in the certificate database (Windows)

Use this procedure to identify the subject of a certificate if the certificate is installed in the Windows certificate store.

The certificate must be installed in the Windows certificate store.

1. Open the Certificate dialog box for the certificate.
2. On the Certificate dialog box, click the Details tab.
3. In the Field column, click the Subject field.
   The certificate details appear in the details box.

Identifying the subject field of a certificate installed in the certificate database (Windows) job aid

The following figure shows an example of Subject details.

Figure 2: Subject Details

To build a string out of the Subject field, you must add the sub fields in reverse order, separating each sub field with a comma. In this example Subject field, the sub fields are entered as follows:

C=US, O=U.S. Government, OU=JITC, OU=PKI, OU=DoD, CN=AS5300 Core

In the details pane, CN=AS5300 Core is displayed first and C=US is displayed last.
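The three procedures above show the same subject in three shapes: the slash-separated line from openssl, the comma-separated form that certmgr and the Element Manager display (C first, CN last), and the Windows Details pane, which lists the sub fields in reverse order. The following added example (not Avaya's code) converts between them so that a subject read from one place can be matched against another; it assumes the legacy one-line openssl output shown in the job aid, in which a "/" inside a value is escaped as "\/", and escapes a "," inside a value as "\," in the comma form.

```python
"""Convert certificate subject DNs between the forms this chapter shows.

Added example, not part of the Avaya documentation or the certmgr tool.
A DN is handled as a list of (attribute, value) pairs in the order the
Element Manager and certmgr print them: C first, CN last.
"""


def _split_unescaped(text, sep):
    """Split text on sep, treating a backslash as an escape for the next
    character (so 'Acme\\/Labs' splits as one value containing a slash)."""
    parts, buf, i = [], [], 0
    while i < len(text):
        ch = text[i]
        if ch == "\\" and i + 1 < len(text):
            buf.append(text[i + 1])
            i += 2
            continue
        if ch == sep:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    parts.append("".join(buf))
    return parts


def parse_openssl_subject(line):
    """Parse the legacy one-line form of `openssl x509 -subject -noout`
    shown in the job aid: 'subject= /C=US/O=U.S. Government/.../CN=AS5300 Core'."""
    body = line.strip()
    if body.startswith("subject="):
        body = body[len("subject="):].strip()
    rdns = []
    for part in _split_unescaped(body, "/"):
        if part:  # the leading "/" yields an empty first element
            attr, _, value = part.partition("=")
            rdns.append((attr.strip(), value))
    return rdns


def parse_comma_dn(text):
    """Parse the comma-separated form certmgr and the Element Manager show,
    with or without the surrounding brackets:
    '[C=US,O=U.S. Government,OU=JITC,OU=PKI,OU=DoD,CN=AS5300 Core]'."""
    body = text.strip()
    if body.startswith("[") and body.endswith("]"):
        body = body[1:-1]
    rdns = []
    for part in _split_unescaped(body, ","):
        attr, _, value = part.partition("=")
        rdns.append((attr.strip(), value))
    return rdns


def format_comma_dn(rdns):
    """Render in certmgr/Element Manager order, escaping commas in values."""
    return ",".join(f"{attr}={value.replace(',', chr(92) + ',')}" for attr, value in rdns)


def from_windows_details(pane_lines):
    """Build the certmgr string from the Windows Details pane, which lists
    the sub fields CN first and C last: as the procedure above says, the
    sub fields are added in reverse order, separated by commas."""
    rdns = []
    for line in pane_lines:
        attr, _, value = line.partition("=")
        rdns.append((attr.strip(), value.strip()))
    return format_comma_dn(list(reversed(rdns)))
```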

Chapter 15: Core application certificate management

Use these procedures to manage certificates for core applications.

Navigation
• Importing an internal certificate to the keystore on page 124
• Viewing an internal certificate in the keystore on page 125
• Removing an internal certificate from the keystore on page 125
• Configuring the AS 5300 Element Manager with certificates for HTTPS and SIP on page 126
• Configuring the AS 5300 Session Manager with certificates for HTTPS and SIP on page 127
• Configuring HTTPS and SIP certificates for the Provisioning Manager on page 128
• Configuring the AS 5300 Element Manager Console with certificates for HTTPS and SIP (CAC) on page 105
• Configuring the AS 5300 Element Manager Console with certificates for HTTPS and SIP (manual) on page 130
• Configuring the Avaya Aura AS 5300 Personal Agent with certificates for HTTPS and SIP on page 130

Importing an internal certificate to the keystore

Use this procedure to import an internal certificate. The only supported format is PKCS #12. The system expects the PKCS #12 file to contain only one end entity certificate and the corresponding private key. Only the node that is assigned this certificate can retrieve the private key. When you import a PKCS#12 file that also includes a certificate chain, you automatically import the rest of the chain into the truststore, if an entry does not already exist for each CA in the chain.

Keystore (internal) certificates are the certificates for the network elements (NE) that are part of the system. This does not include external nodes, such as gateways. When you import a certificate, the system associates it with a unique logical name, which you can use to associate the certificate with a TLS port.

You can access the AS 5300 Element Manager Console.

The PKCS#12 file exists in a location accessible to the AS 5300 Element Manager Console.

1. In the configuration view of the AS 5300 Element Manager Console, select Network Data and Mtc > Certificate Management > Keystore.
2. Click Add (+).
3. Configure the Logical Name, PKCS#12 file, Password, and Export Password parameters.
4. Click Apply.

Importing an internal certificate to the keystore job aid

This job aid lists and describes the parameters for importing an internal certificate to the keystore.

Parameter        Description
Logical Name     The logical name to identify the certificate.
PKCS#12 File     Browse to the location of the PKCS#12 file.
Password         The password.
Export Password  The export password.

Viewing an internal certificate in the keystore

Use this procedure to view the details for internal certificates in the keystore.

You can access the AS 5300 Element Manager Console.

1. In the configuration view of the AS 5300 Element Manager Console, select Network Data and Mtc > Certificate Management > Keystore.
2. From the Keystore panel, select a certificate.
3. Click Edit (-/+).

Removing an internal certificate from the keystore

Use this procedure to remove an internal certificate from the keystore.

You can access the AS 5300 Element Manager Console.

The certificate must not be associated with a TLS port.

1. In the configuration view of the AS 5300 Element Manager Console, select Network Data and Mtc > Certificate Management > Keystore.
2. From the Keystore panel, select a certificate.
3. Click Delete (-).
4. Click Yes to confirm the delete.
   A successful delete removes the private key as well.

Configuring the AS 5300 Element Manager with certificates for HTTPS and SIP

Configure the HTTPS and SIP certificate for the AS 5300 Element Manager after you replace the default self-signed certificate with a CA-signed certificate for each component in the system.

Obtain and import a CA-signed certificate for each component in the network.
Custom certificates must be installed in the keystore.

1. From the AS 5300 Element Manager Console navigation pane, select Network Elements > Element Manager.
2. On the Element Manager window, select the AS 5300 Element Manager, and then click Edit (-/+).
3. To configure an Internal OAM certificate, from the Internal OAM HTTPS Certificate list, choose the new certificate.
4. To configure an External OAM certificate, from the External OAM HTTPS Certificate list, choose the new certificate.
5. Click Apply.
6. Restart both instances of the AS 5300 Element Manager.

Configuring the AS 5300 Session Manager with certificates for HTTPS and SIP

Use this procedure to configure the HTTPS and SIP certificates for the AS 5300 Session Manager after you replace the default self-signed certificate with a CA-signed certificate for each component in the system.

Important: You must perform this procedure for each AS 5300 Session Manager that is deployed on the system.

You can access the AS 5300 Element Manager Console.
Obtain and import a CA-signed certificate for each component in the network.

1. From the Session Management Console navigation pane, select Network Elements > Session Managers.
2. Select an AS 5300 Session Manager, and then click Edit (-/+).
3. To configure a SIP certificate, from the SIP Certificate list, choose the new certificate.
4. To configure an LDAP certificate, from the SESM LDAP Certificate list, choose the new certificate.
5. Click Apply.
   After the configuration update, the system raises an alarm to alert you that you must restart the AS 5300 Element Manager to pick up the new certificate.
6. Restart the standby instance of the AS 5300 Session Manager.
7. After the standby instance state turns to hot standby, stop the active AS 5300 Session Manager.
   This action causes a failover to the backup AS 5300 Session Manager and causes the AS 5300 Element Manager Console to lose connectivity.
8. Log on to the AS 5300 Element Manager Console again.
9. Start the AS 5300 Session Manager backup instance.

Configuring HTTPS and SIP certificates for the Provisioning Manager

Use this procedure to configure the HTTPS and SIP certificates for the Provisioning Manager after you replace the default self-signed certificate with a CA-signed certificate for each component in the system.

Important: Repeat this procedure for each Provisioning Manager in your system.

You can access the AS 5300 Element Manager Console.
Obtain and import a CA-signed certificate for each component in the network.

1. Stop the Provisioning Manager.
2. From the AS 5300 Element Manager Console navigation pane, select Network Elements > Provisioning Managers.
3. On the Provisioning Managers window, select an instance (for example, PROV1) and click Edit (-/+).
4. On the Edit dialog, in the Prov section, from the Internal OAM HTTPS Certificate list, choose the new certificate.
5. On the Edit dialog, in the Prov section, from the External OAM HTTPS Certificate list, choose the new certificate.
6. On the Edit dialog, in the Prov section, from the LDAP Certificate list, choose the new certificate.
7. On the Edit dialog, in the PA section, from the HTTPS Certificate list, choose the new certificate.
8. On the Edit dialog, in the PA section, from the SIP Certificate list, choose the new certificate.
9. Click Apply.
   After the configuration update, the system raises an alarm to alert you that you must restart the Provisioning Manager to pick up the new certificate.
10. Start the Provisioning Manager.

Configuring the AS 5300 Element Manager Console with certificates for HTTPS and SIP (CAC)

Configure the HTTPS and SIP certificate for the AS 5300 Element Manager Console using ActivClient (CAC reader) after you replace the default self-signed certificate with a CA-signed certificate for each component in the system.

ActivClient is installed on the desktop on which the AS 5300 Element Manager Console is running.
The Management PC is equipped with a CAC reader device.

1. Choose one of the following:
   • If MCP FIPS is enabled, access the AS 5300 Element Manager Console by running fips-mgmtconsole.bat.
   • If MCP FIPS is not enabled, in the address bar of your Web browser, enter the following address:
2. In the AS 5300 Element Manager Console connection window, click Advanced.
3. Select the Trust Store Certificates tab.
4. Select a CA certificate file.
5. Click Add (+) to add the CA certificate file to the AS 5300 Element Manager Console truststore.
6. Select the PKCS11 Configuration tab.
7. Click Edit (-/+).
8. In the Module Name list, select ActivCard.
9. Click Browse, and then locate and select the acpkcs211.dll file.
   The location of the acpkcs211.dll file depends on the installation of the ActivClient CAC software.
10. Click OK.
11. Click OK.
12. In the ActivClient Login window, enter the PIN for the inserted CAC card.
13. Log on to the AS 5300 Element Manager Console.

Configuring the AS 5300 Element Manager Console with certificates for HTTPS and SIP (manual)

Configure the HTTPS and SIP certificate for the AS 5300 Element Manager Console using the manual method after you replace the default self-signed certificate with a CA-signed certificate for each component in the system.

Custom certificates must be installed in the keystore.

1. Choose one of the following:
   • If MCP FIPS is enabled, access the AS 5300 Element Manager Console by running fips-mgmtconsole.bat.
   • If MCP FIPS is not enabled, in the address bar of your Web browser, enter the following address:
2. In the AS 5300 Element Manager connection window, click Advanced.
3. Select the Key Store Certificates tab.
4. Click Add (+).
5. Click Browse, and then locate and select the PKCS12 file for the client certificate.
6. In the Password field, enter the password for the PKCS12 file.
7. In the Export Password field, enter the same password as the PKCS12 file.
8. Click Apply.
9. Click the Keystore tab.
10. On the Keystore tab, verify that the system displays the certificate.
11. Click OK.

Configuring the Avaya Aura AS 5300 Personal Agent with certificates for HTTPS and SIP

Configure the HTTPS certificate for the Avaya Aura Application Server 5300 Personal Agent after you replace the default self-signed certificate with a CA-signed certificate for each component in the system.

Important: Repeat this procedure for each Avaya Aura Application Server 5300 Personal Agent in your system.

Obtain and import a CA-signed certificate for each component in the network.
Custom certificates must be installed in the keystore.

1. Stop the PA.
2. From the AS 5300 Element Manager Console navigation pane, select Network Elements > Personal Agent Manager.
3. On the Personal Agent Manager window, select an instance and click Edit (-/+).
4. To configure a PA HTTPS Certificate, from the PA HTTPS Certificate list, choose the new certificate.
5. To configure a SIP Certificate, from the SIP Certificate list, choose the new certificate.
6. To configure an LDAP Certificate, from the LDAP Certificate list, choose the new certificate.
7. Click Apply.
8. Restart the PA.

Chapter 16: Truststore certificate management

Use these procedures to manage truststore certificates.

Navigation
• Importing a CA certificate to the truststore on page 132
• Viewing a CA certificate in the truststore on page 133
• Removing a CA certificate from the truststore on page 133

Importing a CA certificate to the truststore

Use this procedure to import a certification authority (CA) root or intermediate certificate to the truststore.

Truststore (root CA and intermediate CA) certificates are the certificates the system uses to authenticate signed certificates. To authenticate a certificate stored in the keystore, the signing chain must exist in the truststore. The signing chain for other certificates, such as for gateways, must exist in the truststore. If the system uses a self-signed certificate, it must exist in the truststore.

You use PEM files to import certificates into the Truststore. Each PEM file must contain only one certificate. Certificates in the Truststore are public; therefore, you do not require a password or private key.

You can access the AS 5300 Element Manager Console.
The CA root or intermediate certificate file already exists in a location accessible to the AS 5300 Element Manager Console.

1. In the configuration view of the AS 5300 Element Manager Console, select Network Data and Mtc > Certificate Management > Truststore.
2. Click Add (+).
3. Click Browse, and navigate to the file location.
4. Select the CA root or intermediate certificate file, and click Open.

Viewing a CA certificate in the truststore

Use this procedure to view the details for CA root and intermediate certificates in the truststore.

You can access the AS 5300 Element Manager Console.

1. In the configuration view of the AS 5300 Element Manager Console, select Network Data and Mtc > Certificate Management > Truststore.
2. From the Truststore panel, select a root or intermediate certificate.
3. Click Edit (-/+).

Removing a CA certificate from the truststore

Use this procedure to remove a CA root or intermediate certificate from the truststore.

Warning: Use extreme caution when you perform this procedure. The removal of a trusted CA can disrupt service.

You can access the AS 5300 Element Manager Console.

1. In the configuration view of the AS 5300 Element Manager Console, select Network Data and Mtc > Certificate Management > Truststore.
2. From the Truststore panel, select a certificate.
3. Click Delete (-).
4. Click Yes to confirm the delete.
5. Click Yes to confirm the warning note.

Chapter 17: OCSP configuration

Configure OCSP to enable the OCSP certificate revocation method on your system.

OCSP configuration tasks

The following work flow shows the sequence of tasks that you perform to configure OCSP for the system.

Navigation
Configuring the operating system to support OCSP on page 136
Configuring the AS 5300 Element Manager to support OCSP on page 136
Configuring the AS 5300 Session Manager to support OCSP on page 137
Configuring Avaya MS to support OCSP on page 138
Configuring the Provisioning Manager to support OCSP on page 138
Configuring the AS 5300 Element Manager Console to support OCSP on page 139
Verifying access to the OCSP server on page 140

Configuring the operating system to support OCSP

Use this procedure to configure the OS to support MCP OCSP.

Important: You must perform this procedure on all SIP Core and Avaya Media Servers deployed in your Application Server 5300 system.

You are a user with SSA role.

1. Log on to the server as a user with SSA role.
2. To add the PKI server to the hosts file, at the command prompt, enter the following command:
   hosttableconfig -a [PKI Server IP address] [PKI Server hostname]
3. To validate the configured hostnames, at the command prompt, enter the following command:
   hosttableconfig -q

Configuring the operating system to support OCSP job aid

The following is an example of the command to add a PKI server to the hosts file:
hosttableconfig -a pki.hostname

Configuring the AS 5300 Element Manager to support OCSP

Use this procedure to configure the AS 5300 Element Manager to support OCSP.

You are a user with SSA role.

1. Choose one of the following:
   If MCP FIPS is enabled, access the AS 5300 Element Manager Console by running fips-mgmtconsole.bat.
   If MCP FIPS is not enabled, in the address bar of your Web browser, enter the following address:
2. Log on to the AS 5300 Element Manager Console using the Admin User ID.
3. From the AS 5300 Element Manager Console navigation pane, select Network Elements > AS 5300 Element Manager > <AS 5300 Element Manager name>.
4. Click Configuration Parameters.
5. In the Configuration Parameters window, in the Parm Group list, select TLSAuth.
6. In the EnableOCSP list, select true.
7. Click Apply.
8. Close the Configuration Parameters window.

Configuring the AS 5300 Session Manager to support OCSP

Use this procedure to configure the AS 5300 Session Manager to support OCSP.

Important: Perform this procedure for each AS 5300 Session Manager deployed on your system.

You are a user with SSA role.

1. Choose one of the following:
   If MCP FIPS is enabled, access the AS 5300 Element Manager Console by running fips-mgmtconsole.bat.
   If MCP FIPS is not enabled, in the address bar of your Web browser, enter the following address: Console IP>:
2. Log on to the AS 5300 Element Manager Console using the Admin User ID.
3. From the AS 5300 Element Manager Console navigation pane, select Network Elements > Session Managers > <AS 5300 SESM name>.
4. Click Configuration Parameters.

5. In the Configuration Parameters window, in the Parm Group list, select TLSAuth.
6. In the EnableOCSP list, select true.
7. Click Apply.
8. Close the Configuration Parameters window.

Configuring Avaya MS to support OCSP

Use this procedure to configure the Avaya MS to support OCSP.

Important: Perform this procedure for each Avaya MS that is deployed on your system.

You are a user with SSA role.

1. Choose one of the following:
   If MCP FIPS is enabled, access the AS 5300 Element Manager Console by running fips-mgmtconsole.bat.
   If MCP FIPS is not enabled, in the address bar of your Web browser, enter the following address: Console IP>:
2. Log on to the AS 5300 Element Manager Console using the Admin User ID.
3. From the AS 5300 Element Manager Console navigation pane, select Network Elements > Media Servers and Clusters > Media Servers <MS name>.
4. Click Configuration Parameters.
5. In the Configuration Parameters window, in the Parm Group list, select TLSAuth.
6. In the EnableOCSP list, select true.
7. Click Apply.
8. Close the Configuration Parameters window.

Configuring the Provisioning Manager to support OCSP

Use this procedure to configure the Provisioning Manager to support OCSP.

Important: Perform this procedure for each Provisioning Manager that is deployed on your Application Server 5300 system.

You are a user with SSA role.

1. Choose one of the following:
   If MCP FIPS is enabled, access the AS 5300 Element Manager Console by running fips-mgmtconsole.bat.
   If MCP FIPS is not enabled, in the address bar of your Web browser, enter the following address: Console IP>:
2. Log on to the AS 5300 Element Manager Console using the Admin User ID.
3. From the AS 5300 Element Manager Console navigation pane, select Network Elements > Provisioning Managers > <Prov name>.
4. Click Configuration Parameters.
5. In the Configuration Parameters window, in the Parm Group list, select TLSAuth.
6. In the EnableOCSP list, select true.
7. Click Apply.
8. Close the Configuration Parameters window.

Configuring the AS 5300 Element Manager Console to support OCSP

Use this procedure to configure the AS 5300 Element Manager Console to support OCSP.

You are a user with SSA role.

1. Choose one of the following:
   If MCP FIPS is enabled, access the AS 5300 Element Manager Console by running fips-mgmtconsole.bat.
   If MCP FIPS is not enabled, in the address bar of your Web browser, enter the following address: Console IP>:
2. In the AS 5300 Element Manager Console connection window, click Advanced.

3. Click the Properties tab.
4. Select the Enable OCSP check box.

Verifying access to the OCSP server

Use this procedure to verify that the PKI OCSP server is accessible to your Application Server 5300 system.

You are a user with SSA role.

1. Choose one of the following:
   If MCP FIPS is enabled, access the AS 5300 Element Manager Console by running fips-mgmtconsole.bat.
   If MCP FIPS is not enabled, in the address bar of your Web browser, enter the following address: Console IP>:
2. Log on to the AS 5300 Element Manager Console using the Admin User ID.
3. In the configuration view of the AS 5300 Element Manager Console, select Network Data and Mtc > Certificate Management > Keystore.
4. Select a custom certificate, and then click Edit (-/+).
5. Verify that the Certificate Status field displays OK or Revoked. If the certificate status shows Offlined, the PKI server is not responding. Make sure the AS5300 server can route to the PKI server.

Chapter 18: IPsec configuration overview

This chapter provides information about IPsec configuration.

Navigation:
Secure communication on page 141
Default staging certificates on page 141
Server addresses and service addresses on page 142
IPsec tunnel rules on page 143
Trusted node relationships on page 143
IPsec custom certificates on page 144
IPsec automatic CRL retrieval on page 144
IPsec limitations and restrictions on page 144

Secure communication

The system uses an IPsec mesh to secure inter-server communications. IPsec uses PKI X.509 certificates for server authentication. The IPSec configuration within the system is made up of internal and external tunnels. The internal tunnels exist between SIP Core and Avaya Media Server (MS). External tunnels exist between SIP Core/Avaya MS servers and external servers (for example: Switch Expert). To configure internal tunnels, you use a tool that automatically generates the internal tunnels using the IP addresses configured in the MCP database. You configure external tunnels manually.

Default staging certificates

Initially, you must install IPsec with default staging certificates on each server. These default staging certificates allow you to configure and test IPSec on the system servers before you install custom certificates.

Important: Do not use the default staging certificates on systems that are in production. You must replace the default staging certificates with custom certificates before you place the system into production.

Server addresses and service addresses

Each server can host one or more of the following Server IP addresses:
   Internal OAM Server Address
   External OAM Server Address
   Signaling Server Address
   Media Server Address

Important: Only the Internal OAM Server Address participates in the internal IPsec mesh.

Additionally, each server can host one or more of the following Service (floating) IP addresses:
   AS 5300 Element Manager (AS 5300 EM) Internal OAM Service Address
   AS 5300 Element Manager (AS 5300 EM) External OAM Service Address
   Fault Performance Manager (FPM) Internal OAM Service Address
   Fault Performance Manager (FPM) External OAM Service Address
   Accounting Manager (AM) Internal OAM Service Address
   Accounting Manager (AM) External OAM Service Address
   AS 5300 Session Manager (SESM) Signaling Service Address

Important: Only the following addresses participate in the internal IPsec mesh:
   AS 5300 Element Manager (AS 5300 EM) Internal OAM Service Address
   Fault Performance Manager (FPM) Internal OAM Service Address
   Accounting Manager (AM) Internal OAM Service Address
   AS 5300 Session Manager (SESM) Signaling Service Address

IPsec tunnel rules

When creating the internal IPSec mesh configuration file, the mcpgenintipsecconfig.pl script uses the following IPSec tunnel rules:
   IPSec tunnels are created between all datafilled server internal OAM server addresses. Examples include:
      EM Server 1 Internal OAM Address <-> EM Server 2 Internal OAM Address
      Avaya Media Server 1 Internal OAM Address <-> EM Server 1 Internal OAM Address
   IPSec tunnels are created between all datafilled server internal OAM server addresses and the EM service address.
   IPSec tunnels are created between all datafilled server internal OAM server addresses and all FPM service addresses.
   IPSec tunnels are created between all datafilled server internal OAM server addresses and all AM service addresses.

Trusted node relationships

When creating the internal ACL mesh configuration file, the mcpgenintaclconfig.pl script creates the following trusted node relationships:
   A trusted node relationship between all datafilled server internal OAM server addresses. For example:
      EM Server 1 Internal OAM Address <-> EM Server 2 Internal OAM Address
      Avaya Media Server (MS) 1 Internal OAM Address <-> EM Server 1 Internal OAM Address
   A trusted node relationship between all datafilled server internal OAM server addresses and the EM service address. For example:
      EM Server 1 Internal OAM Address <-> EM Service Address
   A trusted node relationship between all datafilled server internal OAM server addresses and all FPM service addresses. For example:
      Avaya Media Server (MS) 2 Internal OAM Address <-> FPM 1 Service Address
   A trusted node relationship between all datafilled server internal OAM server addresses and all AM service addresses. For example:
      EM Server 2 Internal OAM Address <-> AM 1 Service Address
   A trusted node relationship between all effective signaling addresses of a server and all AS 5300 SESM signaling service addresses. The effective signaling address of a server may be the internal OAM address if no server signaling address is defined. For example:

      On a server that has a defined server signaling address:
      EM Server 1 Signaling Address <-> AS 5300 SESMx Service Address
      On a server that does not have a defined server signaling address:
      EM Server 1 Internal OAM Address <-> AS 5300 SESMx Service Address

IPsec custom certificates

You generate IPSec custom certificates just like MCP and Avaya Media Server (MS) custom certificates. After the IPSec certificate has been signed by the CA and bundled into a PKCS12 file, you can install it on the servers. Prior to installing custom IPSec certificates, you must stop IPSec on all SIP Core and Avaya MS servers.

IPsec automatic CRL retrieval

IPSec can automatically retrieve CRLs using the CRL distribution point of the certificate. To configure automatic CRL retrieval, you must add the CRL distribution point hostname and IP address to the /etc/hosts file on each server so that the system can resolve the hostname properly.

Important: Do not add the CDP hostname to the /etc/hosts file until the CDP can be accessed on the network from each server. If the CDP hostname is added to the /etc/hosts file before it can be reached on the network, then IPsec will fail to start.

IPsec limitations and restrictions

The Application Server 5300 system does not support live update of the IPSec rules. To update the IPSec rules in an established IPSec mesh, you must stop the running IPSec service, update the settings, and then restart the IPSec service.

It is important to plan the renewal of the CA certificate(s) and the IPSec certificate. The renewal must occur before the certificate expires to prevent service interruption.

The following Application Server IPsec tools are specially designed for configuring or managing the IPSec mesh in the Application Server system:
   mcpgenintipsecconfig
   mcpinstintipsecconf

   ipseccertmgr
   ipsecstatus
   startipsec
   stopipsec

Warning: It is prohibited to use any tool other than the provided tools to configure or change the IPsec mesh configurations in an Avaya Aura Application Server 5300 system. The integrity of the Avaya Aura Application Server 5300 IPsec configuration is not guaranteed if you use other tools to alter the IPsec configuration.

Chapter 19: IPsec service management

About this task
This chapter contains the procedures that you use to manage the IPsec service.

Navigation:
Starting or restarting the IPsec service on page 146
Stopping the IPsec service on page 146
Verifying IPsec connection status on page 147

Starting or restarting the IPsec service

Use this procedure to start or restart the IPsec service.

You are a user with SSA role.

1. Log on to the server as a user with SSA role.
2. At the command prompt, enter the following command:
   startipsec

Stopping the IPsec service

Use this procedure to stop the IPsec service.

You are a user with SSA role and sudo access.

1. Log on to the server as a user with SSA role.
2. At the command prompt, enter the following command:
   stopipsec

Verifying IPsec connection status

Use this procedure to view and verify the connection status of all IPSec links configured in the IPSec policies.

Important: Perform this procedure for all SIP Core and Avaya Media Servers in your system.

You are a user with SSA role.

1. Log on to the server as a user with SSA role.
2. At the command prompt, enter the following command:
   ipsecstatus
3. At the command prompt, enter the following command:
   ping <another AS5300 server in the mesh>

Verifying IPsec connection status job aid

The following shows an example of the result of executing the ipsecstatus command.
IPSec link status:
[1] <=> : connected
[2] <=> : connected
[3] <=> : connected
[4] <=> : connected
[5] <=> : connected
[6] <=> : connected
[7] <=> : connected

The following shows an example of the result of executing the ping <another AS5300 server in the mesh> command.
PING ( ) 56(84) bytes of data.
64 bytes from : icmp_seq=1 ttl=64 time=1.24 ms
64 bytes from : icmp_seq=2 ttl=64 time=2.83 ms
ping statistics
packets transmitted, 2 received, 0% packet loss, time 1073ms
rtt min/avg/max/mdev = 1.245/2.041/2.838/0.797 ms
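The following shell functions are an added example, not an Avaya tool. They apply the tunnel rules from "IPsec tunnel rules" (one tunnel between every pair of internal OAM server addresses, plus one from every server to the EM service address and to each FPM and AM service address) to predict how many links one server's ipsecstatus output should list, and then check that every listed link is connected. The status line layout "[n] <address> <=> <address> : <state>" and the sample addresses are assumptions, because the job aid above elides the real addresses.

```shell
#!/bin/sh
# Added example (not part of the AS 5300 tooling). Predicts the number of
# internal IPsec links a server should report and checks ipsecstatus output.

# expected_links_per_server N_SERVERS N_FPM N_AM
#   One link to each of the other (N_SERVERS - 1) servers, one to the EM
#   service address, one to each FPM and one to each AM service address.
expected_links_per_server() {
    echo $(( ($1 - 1) + 1 + $2 + $3 ))
}

# expected_links_in_mesh N_SERVERS N_FPM N_AM
#   Every server pair once, plus each server to each service address.
expected_links_in_mesh() {
    echo $(( $1 * ($1 - 1) / 2 + $1 * (1 + $2 + $3) ))
}

# check_ipsecstatus EXPECTED   (ipsecstatus text on stdin)
#   Prints every link whose state is not "connected" and a summary line.
#   Returns 0 only when all links are connected AND the link count equals
#   EXPECTED, so a missing tunnel is caught as well as a failed one.
check_ipsecstatus() {
    awk -v want="$1" -F' : ' '
        # assumed layout: "[n] <address> <=> <address> : <state>"
        /^\[[0-9]+\] .* <=> / {
            total++
            if ($NF != "connected") { print "DOWN: " $0; down++ }
        }
        END {
            printf "%d/%d links connected, %d expected\n", total - down, total, want
            exit (down > 0 || total != want)
        }'
}

# Constructed sample of ipsecstatus output for a 4-server mesh with one FPM
# and one AM service address: 3 peer links + EM + FPM + AM = 6 links, one of
# them not yet established. The addresses are documentation ranges, not
# values from any real system.
SAMPLE_STATUS='IPSec link status:
[1] 192.0.2.11 <=> 192.0.2.12 : connected
[2] 192.0.2.11 <=> 192.0.2.13 : connected
[3] 192.0.2.11 <=> 192.0.2.14 : connected
[4] 192.0.2.11 <=> 192.0.2.100 : connected
[5] 192.0.2.11 <=> 192.0.2.101 : not connected
[6] 192.0.2.11 <=> 192.0.2.102 : connected'

# Run with the argument "demo" to check the constructed sample; on a real
# server you would pipe "ipsecstatus" into check_ipsecstatus instead.
if [ "${1:-}" = demo ]; then
    printf '%s\n' "$SAMPLE_STATUS" | check_ipsecstatus "$(expected_links_per_server 4 1 1)"
fi
```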

Chapter 20: IPsec configuration

This chapter contains the procedures that you use to configure the IPsec service.

IPsec configuration procedures

The following task flow shows the sequence of procedures that you perform to configure the IPsec service.

Navigation
Generating the internal IPsec configuration file on page 150
Installing the internal IPsec configuration file on the primary EMS server on page 150
Installing the internal IPsec configuration file on non-primary EMS servers on page 151
Creating the external IPsec configuration file on page 151
Stopping the IPsec service on page 146
Installing a custom IPsec certificate on page 153
Starting or restarting the IPsec service on page 146
Configuring IPsec for automatic CRL retrieval on page 154
Verifying IPsec automatic CRL retrieval on page 155
Manually adding a CA chain on page 156
Importing access control rules on page 169

Generating the internal IPsec configuration file

Use this procedure to generate the internal IPsec configuration file and place it into a temporary location on the primary element manager server.

You are a user with AA role.

1. Log on to the primary element manager server as a user with AA role.
2. At the command prompt, enter the following command:
   mcpgenintipsecconfig.pl

Installing the internal IPsec configuration file on the primary EMS server

Use this procedure to install the internal IPsec configuration file to a permanent location on the primary element manager server.

You are a user with SSA role.

1. Log on to the server as a user with SSA role.
2. At the command prompt, enter the following command:
   mcpinstintipsecconf -copy

Installing the internal IPsec configuration file on non-primary EMS servers

Use this procedure to install the internal IPsec configuration file to a permanent location on non-primary EMS servers.

Important: Perform this procedure on all non-primary EMS servers.

You are a user with SSA role.

1. Log on to the server as a user with SSA role.
2. At the command prompt, enter the following command:
   mcpinstintipsecconf
3. At the following prompt, enter the primary element manager server IP address:
   Information for fetching internal IPSec conf file:
   Remote server IP address:
4. At the following prompt, enter the SSA username that is defined on the primary element manager server:
   SFTP user id:
5. Enter the Application Administrator's password.
6. Re-enter the Application Administrator's password.
7. Enter Y to confirm the summary information.

Creating the external IPsec configuration file

Use this procedure to configure IPsec with information about any external nodes. This procedure is necessary if you need to configure IPsec tunnels to external nodes such as Switch Expert. If you need multiple IPSec tunnels to multiple external nodes, then you must define each external node in the IPSec external configuration file.

You must be either the root user or a user with SSA role with sudo privileges. Custom certificates are installed for IPSec on each SIP Core and Avaya Media Server (MS). The certificate used on the external node is signed by the same CA that signed the certificate for IPSec on the SIP Core and Avaya MS servers.

1. Log on to the server as root or a user with SSA role.
2. If you are an SSA, change to the root user:
   su - root
3. Enter the root password.
4. At the command prompt, enter the following command:
   cd /etc/ipsec.d
5. At the command prompt, enter the following command:
   vi external.conf
6. Add the following text to the end of the file, modifying the fields for each connection.
   conn ext_<connection name>
   <tab>left=<local IP>
   <tab>right=<external IP>
   <tab>rightcert=""
   <tab>rightid="<external cert subject>"
7. If the external node is a Windows machine, add the following additional text to the end of the text you entered in the previous step.
   Important: Do not add this text if the external node is a Linux machine.
   <tab>esp="3des-sha1"
   <tab>ike="3des-sha1"
   <tab>pfs=no
8. Repeat step 6 on page 152 to step 7 on page 152 for each external IPsec tunnel.
9. Save the file.
10. Exit the editor.
11. Make the necessary IPSec configuration changes on the external node.
12. Stop IPSec on all SIP Core and Avaya MS servers.
13. Start IPSec on all SIP Core and Avaya MS servers.

Important: If the external ACL import file does not include the IP addresses for these external nodes, then add the remote IP address of all external nodes involved in IPSec tunnels as trusted nodes to the external ACL rules.

Creating the external IPsec configuration file job aid

Variable                  Value
<connection name>         Type a name that describes the connection. For example, for an IPSec tunnel to Switch Expert, the string <connection name> could be "se1". Important: Do not change the "ext_" portion of this string.
<external cert subject>   Type the Subject of the external certificate.
<external IP>             Type the remote IP address of the IPSec tunnel.
<local IP>                Type the local IP address of the IPSec tunnel.
<tab>                     Type a single tab character. Attention: This file must contain only one tab (no spaces) before the indented lines.

The following text shows an example of the text to add to the end of the file for an external connection to a Windows external node.
conn ext_se1
	left=
	right=
	rightcert=""
	rightid="c=us,o=u.s.government,ou=jitc,ou=pki,ou=dod,cn=switchexpert"
	esp="3des-sha1"
	ike="3des-sha1"
	pfs=no

The following example shows some sample lines to add to the end of the file for an external connection to a Linux external node.
conn ext_lin1
	left=
	right=
	rightcert=""
	rightid="c=us,o=u.s. Government,OU=JITC,OU=PKI,OU=DoD,CN=Linux Node"

Installing a custom IPsec certificate

Use this procedure to install a custom IPsec server certificate.

Important: Perform this procedure on each server in your system.

IPSec is stopped on all SIP Core and Avaya MS servers. You are a user with SSA role.

1. Transfer the IPSec PKCS12 file to the server using SFTP or SCP.
2. At the command prompt, enter the following command:
   ipseccertmgr

3. From the IPSec Certificate Management Options menu, enter 2 to select Import Server Certificate PKCS12 File.
4. Enter the IPSec PKCS12 file filename.
5. Enter the IPSec PKCS12 file password.
6. Re-enter the IPSec PKCS12 file password.
7. To confirm the PKCS12 summary information, enter Y.
8. To confirm the warning, enter Y.
9. If the PKCS12 file does not contain the CA chain, then enter it manually on each server using the ipseccertmgr tool.

Configuring IPsec for automatic CRL retrieval

Use this procedure to configure IPsec to automatically retrieve CRLs. IPSec uses the distribution point of the CRL to automatically retrieve CRLs. You must add the CRL distribution point hostname and IP address to the /etc/hosts file on each server so that the system can resolve the hostname.

Important: Perform this procedure for all servers in your system.

You are a user with SSA role.

1. Log on to the server as a user with SSA role.
2. At the command prompt, enter the following command to view the distribution point:
   openssl x509 -text -in <IPSec certificate>
3. Locate the distribution point in the output. The hostname is specified in the distribution point URI line.
4. To add the CRL hostname to the server, at the command prompt, enter the following command:
   hosttableconfig -a [CRL Distribution Point IP address] [CRL Distribution Point hostname]
5. To validate the configured hostnames, at the command prompt, enter the following command:
   hosttableconfig -q

Configuring IPsec for automatic CRL retrieval job aid

The following is an example of the command to add a PKI server to the hosts file:
hosttableconfig -a crl.hostname

Verifying IPsec automatic CRL retrieval

Use this procedure to validate that automatic CRL retrieval is working properly.

You must be either the root user or a user with SSA role with sudo privileges. Custom certificates are installed for IPSec on each SIP Core and Avaya Media Server (MS).

1. Log on to the server as root or a user with SSA role.
2. If you are an SSA, change to the root user:
   su - root
3. Enter the root password.
4. At the command prompt, enter the following command:
   ipsec auto --listcrls
5. Verify that the output from the ipsec auto --listcrls command shows the number of revoked certificates.

Verifying IPsec automatic CRL retrieval job aid

The following text shows an example of the output for the ipsec auto --listcrls command.
List of X.509 CRLs:
Apr 16 19:09: , revoked certs:
issuer: 'C=US, O=U.S. Government, OU=DoD, OU=PKI, CN=DoD JITC Root CA 2'
000 distpts: 'ldap://crl.gds.nit.disa.mil/cn%3ddod%20jitc%20root%20ca%202%2cou%3dpki%2cou%3ddod%2co%3dU.S.%20Government%2cc%3dUS?certificateRevocationList;binary'
000 '
000 updates: this Apr 15 08:57: next Jun 16 08:57: ok

Manually adding a CA chain

Use this procedure to manually add a CA chain if the installed PKCS12 file does not contain a CA chain.

You are a user with SSA role.

1. Connect to the server as a user with SSA role.
2. At the command prompt, enter the following command:
   ipseccertmgr
3. From the IPSec Certificate Management Options menu, enter 3 to select Install CA Certificate.
4. Enter the CA certificate file name.
5. Enter the CA certificate friendly name.
6. Enter Y to confirm.
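The external.conf stanza format from "Creating the external IPsec configuration file" earlier in this chapter is easy to get wrong by hand (the "ext_" prefix, the Windows-only lines, and the single-tab indentation rule). The following shell functions are an added example, not an Avaya tool: one generates a stanza from its five variables, and one checks a finished file against those rules before IPsec is restarted. The sample addresses and certificate subjects are constructed placeholders.

```shell
#!/bin/sh
# Added example (not part of the AS 5300 tooling). Generates and checks the
# "conn ext_..." stanzas that the external IPsec procedure describes.

# gen_ext_conn NAME LOCAL_IP REMOTE_IP REMOTE_SUBJECT OS
#   Prints one stanza. OS is "windows" or "linux"; the esp/ike/pfs lines are
#   emitted for Windows peers only, as the procedure requires. Values are
#   copied from the procedure text.
gen_ext_conn() {
    name=$1; local_ip=$2; remote_ip=$3; subject=$4; os=$5
    tab=$(printf '\t')
    printf 'conn ext_%s\n' "$name"           # the ext_ prefix must not change
    printf '%sleft=%s\n' "$tab" "$local_ip"
    printf '%sright=%s\n' "$tab" "$remote_ip"
    printf '%srightcert=""\n' "$tab"
    printf '%srightid="%s"\n' "$tab" "$subject"
    if [ "$os" = windows ]; then
        printf '%sesp="3des-sha1"\n' "$tab"
        printf '%sike="3des-sha1"\n' "$tab"
        printf '%spfs=no\n' "$tab"
    fi
}

# check_ext_conf FILE
#   Returns 0 when every stanza header uses the ext_ prefix, every indented
#   line starts with exactly one tab and no spaces, and every stanza carries
#   left, right and rightid. Each violation is printed with the offending line.
check_ext_conf() {
    awk '
        BEGIN { bad = 0; name = "" }
        function done_stanza() {
            if (name != "" && !(l && r && id)) {
                print "stanza " name " lacks left/right/rightid"; bad = 1
            }
        }
        /^conn / {
            done_stanza()
            name = $2; l = 0; r = 0; id = 0
            if (name !~ /^ext_/) { print "stanza name must start with ext_: " $0; bad = 1 }
            next
        }
        /^[ \t]*$/ { next }                        # blank lines are fine
        /^ / || /^\t\t/ || /^\t / {                # spaces or a second tab
            print "indentation must be exactly one tab: " $0; bad = 1; next
        }
        /^\tleft=/    { l = 1; next }
        /^\tright=/   { r = 1; next }
        /^\trightid=/ { id = 1; next }
        /^\t/         { next }                     # rightcert, esp, ike, pfs
        { print "unexpected line: " $0; bad = 1 }
        END { done_stanza(); exit bad }
    ' "$1"
}

# Run with the argument "demo" to print a constructed Windows and Linux stanza
# and check them; on a real server you would run check_ext_conf on
# /etc/ipsec.d/external.conf before restarting IPsec.
if [ "${1:-}" = demo ]; then
    demo_file=$(mktemp)
    {
        gen_ext_conn se1  192.0.2.10 198.51.100.5 "C=US,O=Example,CN=SwitchExpert" windows
        gen_ext_conn lin1 192.0.2.10 198.51.100.6 "C=US,O=Example,CN=Linux Node"   linux
    } > "$demo_file"
    cat "$demo_file"
    check_ext_conf "$demo_file" && echo "external.conf OK"
    rm -f "$demo_file"
fi
```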

Chapter 21: Access control rules

This chapter provides information about access control rules.

Navigation:
Access control rules overview on page 157
Trusted nodes on page 158
Trusted ports on page 158
Internal trusted node mesh on page 159
Access control tools on page 159
DSCP marking on page 160
Access control default system configuration on page 161
Access control limitations and restrictions on page 162

Access control rules overview

The system controls access to its servers by enforcing a set of designated access control rules, called an Access Control List (ACL), on each server. These access control rules reject all communications except those with trusted nodes and those using trusted ports. The access control rules are enforced through the Linux iptables and ip6tables utilities.

The ACL configuration for the system consists of two parts:
   Internal rules pertain to connections within the system itself. The MCP database autogenerates the internal rules.
   External rules restrict external access to the Application Server. Use the IPTables utility (the firewall utility offered in the Linux system) to configure and enforce the external access control rules.

The system enforces the internal ACL rules only after you use the iptcfg utility to configure and commit the external ACL rules.

Figure 3: ACL firewall

Trusted nodes

Trusted nodes are external nodes with which communications of all protocols using any port are permitted. IPsec protection for communications with trusted nodes is not required. The system or network security administrator defines trusted nodes for the system. A trusted node can be either a single external node, or a set of external nodes within a subnet.

Trusted ports

Trusted ports are server ports on which the system permits all ingress traffic of a particular protocol from anywhere, if it is an input port, or all egress traffic of a particular protocol to anywhere, if it is an output port.


Using the Contact Center Agent Browser application Using the Contact Center Agent Browser application Release 7.0.3 Issue 01.04 July 2018 2015-2018, Avaya Inc. All Rights Reserved. Notice While reasonable efforts have been made to ensure that the information

More information

Release Notes for Avaya Aura Appliance Virtualization Platform Release

Release Notes for Avaya Aura Appliance Virtualization Platform Release Release Notes for Avaya Aura Appliance Virtualization Platform Release 7.0.0.0 Release Notes Issue 1.0, August 24, 2015 2015 Avaya Inc. All rights reserved. Notice While reasonable efforts have been made

More information

Avaya Aura Contact Center Documentation Roadmap

Avaya Aura Contact Center Documentation Roadmap Documentation Roadmap Release 6.3 NN44400-113 Issue 04.02 May 2013 2013 Avaya Inc. All Rights Reserved. Notice While reasonable efforts have been made to ensure that the information in this document is

More information

Quick Install for Avaya Aura Device Services

Quick Install for Avaya Aura Device Services Quick Install for Avaya Aura Device Services Release 1.0 Issue 2 March 2017 2016-2017 Avaya Inc. All Rights Reserved. Notice While reasonable efforts have been made to ensure that the information in this

More information

Quick Install for Avaya Aura Device Services

Quick Install for Avaya Aura Device Services Quick Install for Avaya Aura Device Services Release 7.1 Issue 1 July 2017 2016-2017 Avaya Inc. All Rights Reserved. Notice While reasonable efforts have been made to ensure that the information in this

More information

Using Avaya Web Collaboration Agent for Android

Using Avaya Web Collaboration Agent for Android Using Avaya Web Collaboration Agent for Android Release 8.0 December 2013 2013, Avaya Inc. All Rights Reserved. Notice While reasonable efforts have been made to ensure that the information in this document

More information

Avaya Call Redirection Manager Snap-in Reference

Avaya Call Redirection Manager Snap-in Reference Avaya Call Redirection Manager Snap-in Reference Release 1.1 March 2016 2016 Avaya Inc. All Rights Reserved. Notice While reasonable efforts have been made to ensure that the information in this document

More information

Avaya Client Applications Configurator User Guide

Avaya Client Applications Configurator User Guide Avaya Client Applications Configurator User Guide Release 6.3 02-604198 Issue 02.01 February 2014 2014 Avaya Inc. All Rights Reserved. Notice While reasonable efforts have been made to ensure that the

More information

Avaya Callback Assist Considerations for Avaya Call Management System

Avaya Callback Assist Considerations for Avaya Call Management System Avaya Callback Assist Considerations for Avaya Call Management System Release 4.6.2.0 December 2017 2015-2017 Avaya Inc. All Rights Reserved. Notice While reasonable efforts have been made to ensure that

More information

Quick Start to Deploying Avaya Breeze Snap-ins

Quick Start to Deploying Avaya Breeze Snap-ins Quick Start to Deploying Avaya Breeze Snap-ins Release 3.1 Issue 3 May 2016 2014-2016, Avaya, Inc. All Rights Reserved. Notice While reasonable efforts have been made to ensure that the information in

More information

IP Office. Using a Voic Pro IP Office Mode Mailbox Issue 11a - (Thursday, April 5, 2018)

IP Office. Using a Voic Pro IP Office Mode Mailbox Issue 11a - (Thursday, April 5, 2018) Using a Voicemail Pro Mode Mailbox 15-601131 Issue 11a - (Thursday, April 5, 2018) 2018 AVAYA All Rights Reserved. Notice While reasonable efforts have been made to ensure that the information in this

More information

Using Avaya Aura Conferencing Conference Manager for Microsoft Outlook

Using Avaya Aura Conferencing Conference Manager for Microsoft Outlook Using Avaya Aura Conferencing Conference Manager for Microsoft Outlook Release 8.0 February 2014 2014, Avaya Inc. All Rights Reserved. Notice While reasonable efforts have been made to ensure that the

More information

Deployment Guide for Avaya Equinox Add-in for IBM Lotus Notes

Deployment Guide for Avaya Equinox Add-in for IBM Lotus Notes Deployment Guide for Avaya Equinox Add-in for IBM Lotus Notes Release 9.0 Issue 1 January 2017 2014-2017, Avaya, Inc. All Rights Reserved. Notice While reasonable efforts have been made to ensure that

More information

Implementing Avaya Flare Experience for Windows

Implementing Avaya Flare Experience for Windows Implementing Avaya Flare Experience for Windows 18-604043 Issue 1 July 2012 2012 Avaya Inc. All Rights Reserved. Notice While reasonable efforts have been made to ensure that the information in this document

More information

Administering Avaya Flare Experience for Windows

Administering Avaya Flare Experience for Windows Administering Avaya Flare Experience for Windows Release 1.1 18-604156 Issue 4 September 2013 2013 Avaya Inc. All Rights Reserved. Notice While reasonable efforts have been made to ensure that the information

More information

Upgrading Intelligent Customer Routing

Upgrading Intelligent Customer Routing Upgrading Intelligent Customer Routing Release 7.0 Issue 1 December 2013 2013 Avaya Inc. All Rights Reserved. Notice While reasonable efforts have been made to ensure that the information in this document

More information

IP Office Platform. Using Voic Pro in Intuity Mode Issue 10d - (20 May 2016)

IP Office Platform. Using Voic Pro in Intuity Mode Issue 10d - (20 May 2016) Using Voicemail Pro in Intuity Mode 15-601066 Issue 10d - (20 May 2016) 2016 AVAYA All Rights Reserved. Notice While reasonable efforts have been made to ensure that the information in this document is

More information

Avaya Aura Call Center Elite Documentation Roadmap

Avaya Aura Call Center Elite Documentation Roadmap Avaya Aura Call Center Elite Documentation Roadmap May 2013 2013 Avaya Inc. All Rights Reserved. Notice While reasonable efforts have been made to ensure that the information in this document is complete

More information

Avaya Agent for Desktop Release Notes

Avaya Agent for Desktop Release Notes Avaya Agent for Desktop Release Notes Release 1.4.3 Issue 1.0 October 2016 2015-2016 Avaya Inc. All Rights Reserved. Notice While reasonable efforts have been made to ensure that the information in this

More information

Administering Intelligent Customer Routing

Administering Intelligent Customer Routing Administering Intelligent Customer Routing Release 7.0 Issue 1 December 2013 2013 Avaya Inc. All Rights Reserved. Notice While reasonable efforts have been made to ensure that the information in this document

More information

Avaya Aura Contact Center Documentation Roadmap

Avaya Aura Contact Center Documentation Roadmap Avaya Aura Contact Center Documentation Roadmap Release 6.4 4400-113 Issue 05.02 December 2014 2014 Avaya Inc. All Rights Reserved. Notice While reasonable efforts have been made to ensure that the information

More information

Avaya Aura Application Server Security. Release: 2.0 Document Revision: NN

Avaya Aura Application Server Security. Release: 2.0 Document Revision: NN Release: 20 Document Revision: 0202 NN42040-601 Release: 20 Publication: NN42040-601 Document release date: 21 May 2010 2008-2010 Avaya Inc All Rights Reserved Notice While reasonable efforts have been

More information

Administering Avaya one-x Client Enablement Services

Administering Avaya one-x Client Enablement Services Administering Avaya one-x Client Enablement Services Release 6.2.5 Issue 1 April 2016 2013-2016, Avaya, Inc. All Rights Reserved. Notice While reasonable efforts have been made to ensure that the information

More information

Avaya Aura Messaging Web Access Feature Description

Avaya Aura Messaging Web Access Feature Description Avaya Aura Messaging Web Access Feature Description Release 6.3.1 Issue 2 July 2014 2014 Avaya Inc. All Rights Reserved. Notice While reasonable efforts have been made to ensure that the information in

More information

WLAN Release Notes. Release Notes for Avaya Wireless Orchestration System (WOS-E) Version Avaya Inc - External Distribution

WLAN Release Notes. Release Notes for Avaya Wireless Orchestration System (WOS-E) Version Avaya Inc - External Distribution WLAN 9100 Release Notes Release Notes for Avaya Wireless Orchestration System (WOS-E) Version 8.0.4-7401 Avaya Inc - External Distribution 1. Introduction Avaya WOS-E version 8.0.4-7401 is a feature release

More information

Avaya Aura 6.2 Feature Pack 3

Avaya Aura 6.2 Feature Pack 3 Avaya Aura 6.2 Feature Pack 3 WebLM 6.3.4 on VMware Release Notes Release 6.3.4 Issue: 1.2 October 2013 Copyright 2013 Avaya Inc. All rights reserved. Use pursuant to the terms of your signed agreement

More information

Avaya Software Keycode Installation Guide

Avaya Software Keycode Installation Guide Avaya Software Keycode Installation Guide 2010 Avaya Inc. P0607323 04 2010 Avaya Inc. All Rights Reserved. Notices While reasonable efforts have been made to ensure that the information in this document

More information

IP Office 6.1 Embedded Voic Mailbox User Guide

IP Office 6.1 Embedded Voic Mailbox User Guide Embedded Voicemail Mailbox User Guide 15-604067 Issue 08a - (18 August 2010) 2010 AVAYA All Rights Reserved. Notices While reasonable efforts have been made to ensure that the information in this document

More information

Using Avaya Communicator for Microsoft Lync 2013 on IP Office Platform

Using Avaya Communicator for Microsoft Lync 2013 on IP Office Platform Using Avaya Communicator for Microsoft Lync 2013 on IP Office Platform Release 9.1 02-604413 Issue 2 May 2015 2015 Avaya Inc. All Rights Reserved. Notice While reasonable efforts have been made to ensure

More information

IP Office Release 9.0

IP Office Release 9.0 Embedded Voicemail User Guide (IP Office Mode) 15-604067 Issue 13a - (13 February 2014) 2014 AVAYA All Rights Reserved. Notice While reasonable efforts have been made to ensure that the information in

More information

Avaya Co-Browsing Snap-in Release Notes

Avaya Co-Browsing Snap-in Release Notes Avaya Co-Browsing Snap-in Release Notes Release 3.0.0.1 GA Issue 1 February 2016 2016 Avaya Inc. All Rights Reserved. Notice While reasonable efforts have been made to ensure that the information in this

More information

IP Office Basic Edition

IP Office Basic Edition Norstar Mode - Embedded Voicemail User Guide (IP Office Mode) 15-604067 Issue 12f - (19 August 2013) 2013 AVAYA All Rights Reserved. Notice While reasonable efforts have been made to ensure that the information

More information

IP Office. Embedded Voic User Guide (IP Office Mode) Issue 12a (26 February 2013)

IP Office. Embedded Voic User Guide (IP Office Mode) Issue 12a (26 February 2013) Embedded Voicemail User Guide (IP Office Mode) 15-604067 Issue 12a (26 February 2013) 2013 AVAYA All Rights Reserved. Notice While reasonable efforts have been made to ensure that the information in this

More information

User Guide for Avaya Equinox H.323 Edge Client

User Guide for Avaya Equinox H.323 Edge Client User Guide for Avaya Equinox H.323 Edge Client Release 9.0 Issue 1 January 2017 2015-2017, Avaya, Inc. All Rights Reserved. Notice While reasonable efforts have been made to ensure that the information

More information

IP Office Release 7.0 IP Office Essential Edition - Quick Version Embedded Voic User Guide

IP Office Release 7.0 IP Office Essential Edition - Quick Version Embedded Voic User Guide IP Office Essential Edition - Quick Version Embedded Voicemail User Guide 15-604067 Issue 09a - (21 February 2011) 2011 AVAYA All Rights Reserved. Notices While reasonable efforts have been made to ensure

More information

Administering Avaya IP Office Contact Center Task Flow Editor

Administering Avaya IP Office Contact Center Task Flow Editor Administering Avaya IP Office Contact Center Task Flow Editor Release 9.1.6 Issue 2 February 2016 2014-2016, Avaya, Inc. All Rights Reserved. Notice While reasonable efforts have been made to ensure that

More information

Upgrading and patching Avaya Contact Center Select

Upgrading and patching Avaya Contact Center Select Upgrading and patching Avaya Contact Center Select Release 7.0.3 Issue 02.05 July 2018 2015-2018, Avaya Inc. All Rights Reserved. Notice While reasonable efforts have been made to ensure that the information

More information

Engagement Call Control Release Notes

Engagement Call Control Release Notes Engagement Call Control Release Notes Release 3.3 Issue 1 July 2017 2017, Avaya, Inc. All Rights Reserved. Notice While reasonable efforts have been made to ensure that the information in this document

More information

Using Avaya Aura Messaging Web Access

Using Avaya Aura Messaging Web Access Using Avaya Aura Messaging Web Access Release 6.3.1 Issue 4 July 2014 2014 Avaya Inc. All Rights Reserved. Notice While reasonable efforts have been made to ensure that the information in this document

More information

Intelligent Customer Routing. Release Notes

Intelligent Customer Routing. Release Notes Intelligent Customer Routing Release Notes Release 7.0.1 March 2015 2015 Avaya Inc. All Rights Reserved Notice While reasonable efforts have been made to ensure that the information in this document is

More information

Avaya IQ Standard Reports

Avaya IQ Standard Reports Avaya IQ Standard Reports Release 5.3.0 Issue 1 September 2016 2016, Avaya, Inc. All Rights Reserved. Notice While reasonable efforts have been made to ensure that the information in this document is complete

More information

IP Office. TAPI Link Installation Issue 12a - (14 January 2013)

IP Office. TAPI Link Installation Issue 12a - (14 January 2013) TAPI Link Installation 15-601034 Issue 12a - (14 January 2013) 2013 AVAYA All Rights Reserved. Notice While reasonable efforts have been made to ensure that the information in this document is complete

More information

Avaya Aura Contact Center Documentation Roadmap

Avaya Aura Contact Center Documentation Roadmap Documentation Roadmap Release 6.2 NN44400-113 03.02 30 July 2012 2012 Avaya Inc. All Rights Reserved. Notice While reasonable efforts have been made to ensure that the information in this document is complete

More information

Avaya Aura System Platform Overview

Avaya Aura System Platform Overview Avaya Aura System Platform Overview Release 6.0 June 2010 2010 Avaya Inc. All Rights Reserved. Notices While reasonable efforts have been made to ensure that the information in this document is complete

More information

IP Office Platform. Using Voic Pro in Intuity Mode Issue 10a - (16 January 2015)

IP Office Platform. Using Voic Pro in Intuity Mode Issue 10a - (16 January 2015) Using Voicemail Pro in Intuity Mode 15-601066 Issue 10a - (16 January 2015) 2015 AVAYA All Rights Reserved. Notice While reasonable efforts have been made to ensure that the information in this document

More information

IP Office. IP Office Mailbox Mode User Guide Issue 11b - (15 May 2010)

IP Office. IP Office Mailbox Mode User Guide Issue 11b - (15 May 2010) Mailbox Mode User Guide 15-601131 Issue 11b - (15 May 2010) 2010 AVAYA All Rights Reserved. Notices While reasonable efforts have been made to ensure that the information in this document is complete and

More information

Using the Solution Deployment Manager client

Using the Solution Deployment Manager client Using the Solution Deployment Manager client Release 8.0.1 Issue 3 December 2018 2015-2018, Avaya Inc. All Rights Reserved. Notice While reasonable efforts have been made to ensure that the information

More information

WLAN Release Notes. Release Notes for Avaya Wireless Orchestration System (WOS) Version Avaya Inc - External Distribution

WLAN Release Notes. Release Notes for Avaya Wireless Orchestration System (WOS) Version Avaya Inc - External Distribution WLAN 9100 Release Notes Release Notes for Avaya Wireless Orchestration System (WOS) Version 8.1.4-8076 Avaya Inc - External Distribution 1. Introduction WOS Enterprise 8.1.4-8076 is a feature release that

More information

Deploying IP Office Platform Server Edition Solution

Deploying IP Office Platform Server Edition Solution Deploying IP Office Platform Server Edition Solution Release 11.0 May 2018 2013-2018, Avaya Inc. All Rights Reserved. Notice While reasonable efforts have been made to ensure that the information in this

More information

Administering Avaya one-x Agent Central Management using Avaya Control Manager

Administering Avaya one-x Agent Central Management using Avaya Control Manager Administering Avaya one-x Agent Central Management using Avaya Control Manager Release 8.0.2 Issue 1 July 2017 2017, Avaya Inc. All Rights Reserved. Notice While reasonable efforts have been made to ensure

More information

Administering Avaya Flare Communicator for ipad Devices and Windows

Administering Avaya Flare Communicator for ipad Devices and Windows Administering Avaya Flare Communicator for ipad Devices and Windows 01.AF June 2012 2012 Avaya Inc. All Rights Reserved. Notice While reasonable efforts have been made to ensure that the information in

More information

IP Office Intuity Mailbox Mode User Guide

IP Office Intuity Mailbox Mode User Guide Intuity Mailbox Mode User Guide 15-601130 EN-S Issue 12b - (03 October 2011) 2011 AVAYA All Rights Reserved. Notices While reasonable efforts have been made to ensure that the information in this document

More information

Using Avaya Aura Conferencing Collaboration Agent

Using Avaya Aura Conferencing Collaboration Agent Using Avaya Aura Conferencing Collaboration Agent Release 8.0.6 May 2013 2013, Avaya Inc. All Rights Reserved. Notice While reasonable efforts have been made to ensure that the information in this document

More information

Using Avaya IP Office Platform Web Client

Using Avaya IP Office Platform Web Client Using Avaya IP Office Platform Web Client Release 11.0 May 2018 2018, Avaya Inc. All Rights Reserved. Notice While reasonable efforts have been made to ensure that the information in this document is complete

More information

Using the Solution Deployment Manager client

Using the Solution Deployment Manager client Using the Solution Deployment Manager client Release 7.1.2 Issue 3 December 2017 2015-2017, Avaya Inc. All Rights Reserved. Notice While reasonable efforts have been made to ensure that the information

More information

IP Office Platform. Avaya IP Office Platform Embedded Voic User Guide (Intuity Mode) Issue 15b - (22 January 2015)

IP Office Platform. Avaya IP Office Platform Embedded Voic User Guide (Intuity Mode) Issue 15b - (22 January 2015) Avaya Embedded Voicemail User Guide (Intuity Mode) 15-604067 Issue 15b - (22 January 2015) 2015 AVAYA All Rights Reserved. Notice While reasonable efforts have been made to ensure that the information

More information

Using Avaya Equinox Meetings Online portal

Using Avaya Equinox Meetings Online portal Using Avaya Equinox Meetings Online portal Release 3.0 Issue 2 April 2018 2018, Avaya Inc. All Rights Reserved. Notice While reasonable efforts have been made to ensure that the information in this document

More information

Release Notes for Avaya Aura Communication Manager Messaging R VMware vappliance Software with SP5 (for CMM )

Release Notes for Avaya Aura Communication Manager Messaging R VMware vappliance Software with SP5 (for CMM ) Release Notes for Avaya Aura Communication Manager Messaging R6.3.100 VMware vappliance Software with SP5 (for CMM 6.03.0.141.0) Release Notes Issue 1, 10-August-2015 2011-2015 Avaya Inc. All rights reserved.

More information

Deploying Avaya Contact Center Select Software Appliance

Deploying Avaya Contact Center Select Software Appliance Deploying Avaya Contact Center Select Software Appliance Release 7.0.2 Issue 02.04 November 2017 2015-2017, Avaya Inc. All Rights Reserved. Notice While reasonable efforts have been made to ensure that

More information

Using Avaya VDI Communicator

Using Avaya VDI Communicator Using Avaya VDI Communicator Release 2.0 October 2014 2014 Avaya Inc. All Rights Reserved. Notice While reasonable efforts have been made to ensure that the information in this document is complete and

More information

Deploying Avaya Aura applications from System Manager

Deploying Avaya Aura applications from System Manager Deploying Avaya Aura applications from System Manager Release 7.1.3 Issue 5 May 2018 2015-2018, Avaya Inc. All Rights Reserved. Notice While reasonable efforts have been made to ensure that the information

More information

Avaya Aura Presence Services Overview and Specification

Avaya Aura Presence Services Overview and Specification Avaya Aura Presence Services Overview and Specification Release 7.0 Issue 1 August 2015 2015 Avaya Inc. All Rights Reserved. Notice While reasonable efforts have been made to ensure that the information

More information

Accessing and Managing Avaya Aura Utility Services

Accessing and Managing Avaya Aura Utility Services Accessing and Managing Avaya Aura Utility Services Release 7.1.2 Issue 3 December 2017 2012-2017, Avaya Inc. All Rights Reserved. Notice While reasonable efforts have been made to ensure that the information

More information

Using Avaya IP Office Integrated Contact Reporter

Using Avaya IP Office Integrated Contact Reporter Using Avaya IP Office Integrated Contact Reporter Release 10.1 Issue 1 June 2017 2016-2017, Avaya Inc. All Rights Reserved. Notice While reasonable efforts have been made to ensure that the information

More information

IP Office Contact Center Contact Recorder Configuration Task Based Guide

IP Office Contact Center Contact Recorder Configuration Task Based Guide IP Office Contact Center Contact Recorder Configuration Task Based Guide Release 10.0.0.0 Issue 1.1 11 2016 Legal 2014-2016, Avaya, Inc. All Rights Reserved. Notice While reasonable efforts have been

More information

Upgrading Avaya Aura Session Manager

Upgrading Avaya Aura Session Manager Upgrading Avaya Aura Session Manager Release 7.0.1 Issue 2 March 2017 2017, Avaya, Inc. All Rights Reserved. Notice While reasonable efforts have been made to ensure that the information in this document

More information

Upgrading and Migrating Avaya Aura applications to Release 7.0

Upgrading and Migrating Avaya Aura applications to Release 7.0 Upgrading and Migrating Avaya Aura applications to Release 7.0 Release 7.0 Issue 1 December 2015 2015, Avaya, Inc. All Rights Reserved. Notice While reasonable efforts have been made to ensure that the

More information

Avaya Agile Communication Environment Communicator Add-in User Guide

Avaya Agile Communication Environment Communicator Add-in User Guide Avaya Agile Communication Environment Communicator Add-in User Guide Release 3.0 April 2012 2012 Avaya Inc. All Rights Reserved. Notice While reasonable efforts have been made to ensure that the information

More information

Deploying Avaya Aura applications from System Manager

Deploying Avaya Aura applications from System Manager Deploying Avaya Aura applications from System Manager Release 7.0.1 Issue 3 February 2017 2015-2017, Avaya, Inc. All Rights Reserved. Notice While reasonable efforts have been made to ensure that the information

More information

Migrating and Installing Avaya Aura Appliance Virtualization Platform

Migrating and Installing Avaya Aura Appliance Virtualization Platform Migrating and Installing Avaya Aura Appliance Virtualization Platform Release 7.1.2 Issue 3 January 2018 2015-2018, Avaya Inc. All Rights Reserved. Notice While reasonable efforts have been made to ensure

More information

Upgrading Avaya Aura Appliance Virtualization Platform

Upgrading Avaya Aura Appliance Virtualization Platform Upgrading Avaya Aura Appliance Virtualization Platform Release 8.0.x Issue 2 December 2018 2015-2018, Avaya Inc. All Rights Reserved. Notice While reasonable efforts have been made to ensure that the information

More information

IP Office 8.1. IP Office Video Collaboration Solution - Installation Notes. Issue 05f - (07 April 2016)

IP Office 8.1. IP Office Video Collaboration Solution - Installation Notes. Issue 05f - (07 April 2016) IP Office Video Collaboration Solution - Installation Notes Issue 05f - (07 April 2016) 2016 AVAYA All Rights Reserved. Notice While reasonable efforts have been made to ensure that the information in

More information

Avaya CallPilot Mini Message Networking User Guide

Avaya CallPilot Mini Message Networking User Guide Part No. P0989498 02.1 Avaya CallPilot Mini Message Networking User Guide 2010 Avaya Inc. All Rights Reserved. Notices While reasonable efforts have been made to ensure that the information in this document

More information

Using the Avaya IP Office Contact Center Configuration and User Interface Configuration Modules

Using the Avaya IP Office Contact Center Configuration and User Interface Configuration Modules Using the Avaya IP Office Contact Center Configuration and User Interface Configuration Modules Release 10.1.2 Issue 3 2014-2018, Avaya Inc. All Rights Reserved. Notice While reasonable efforts have been

More information

System-wide Call Appearance (SWCA) Features Card. Avaya Business Communications Manager Release 6.0

System-wide Call Appearance (SWCA) Features Card. Avaya Business Communications Manager Release 6.0 System-wide Call Appearance (SWCA) Features Card Avaya Business Communications Manager Release 6.0 Document Status: Standard Document Number: NN40010-101 Document Version: 04.02 Date: October 2010 2010

More information

Deploying and Updating Avaya Aura Media Server Appliance

Deploying and Updating Avaya Aura Media Server Appliance Deploying and Updating Avaya Aura Media Server Appliance Release 7.8 Issue 4 December 2017 2015-2017, Avaya Inc. All Rights Reserved. Notice While reasonable efforts have been made to ensure that the information

More information

Implementing and Administering Services-VM on Avaya Aura System Platform

Implementing and Administering Services-VM on Avaya Aura System Platform Implementing and Administering Services-VM on Avaya Aura System Platform Release 4.0 Issue 2 February 2018 2013-2018, Avaya Inc. All Rights Reserved. Notice While reasonable efforts have been made to ensure

More information

Avaya Branch Gateways 6.3 (build ) Release Notes

Avaya Branch Gateways 6.3 (build ) Release Notes Avaya Branch Gateways 6.3 (build 33.13.0) Release Notes Issue 1 May 6, 2013 2013 Avaya Inc. All Rights Reserved. Notice While reasonable efforts were made to ensure that the information in this document

More information

Avaya Agent for Desktop Release Notes

Avaya Agent for Desktop Release Notes Avaya Agent for Desktop Release Notes Release 1.4.2 Issue 1.0 August 2016 2015-2016 Avaya Inc. All Rights Reserved. Notice While reasonable efforts have been made to ensure that the information in this

More information

IP Office Basic Edition

IP Office Basic Edition 1400 Series Phone User Guide - Issue 8a - (Thursday, February 22, 2018) 2018 AVAYA All Rights Reserved. Notice While reasonable efforts have been made to ensure that the information in this document is

More information

Avaya Converged Platform Overview and Specification

Avaya Converged Platform Overview and Specification Avaya Converged Platform Overview and Specification Release 4.0 Issue 2 December 2018 2018, Avaya Inc. All Rights Reserved. Notice While reasonable efforts have been made to ensure that the information

More information

Using Avaya Equinox Meetings Online portal

Using Avaya Equinox Meetings Online portal Using Avaya Equinox Meetings Online portal Release 3.2 Issue 1 October 2018 2018, Avaya Inc. All Rights Reserved. Notice While reasonable efforts have been made to ensure that the information in this document

More information

WLAN Location Engine 2340 Using the Command Line Interface

WLAN Location Engine 2340 Using the Command Line Interface WLAN Location Engine 2340 Using the Command Line Interface Avaya WLAN 2300 Release 6.0 Document Status: Standard Document Number: NN47250-505 Document Version: 01.02 2010 Avaya Inc. All Rights Reserved.

More information

Avaya Mobile Video Overview and Specification

Avaya Mobile Video Overview and Specification Avaya Mobile Video Overview and Specification Release 3.2.3 July 2017 2017, Avaya Inc. All Rights Reserved. Notice While reasonable efforts have been made to ensure that the information in this document

More information

Avaya Agile Communication Environment Mobility Application for BlackBerry

Avaya Agile Communication Environment Mobility Application for BlackBerry Avaya Agile Communication Environment Mobility Application for BlackBerry Release 2.3.2 NN10850-028, 04.02 March 2011 2011 Avaya Inc. All Rights Reserved. Notice While reasonable efforts have been made

More information

Using Avaya Communicator for ipad on IP Office Platform

Using Avaya Communicator for ipad on IP Office Platform Using Avaya Communicator for ipad on IP Office Platform Release 9.1 December 2014 Notice While reasonable efforts have been made to ensure that the information in this document is complete and accurate

More information

Avaya Communication Server 1000 Using the DMC DECT Manager

Avaya Communication Server 1000 Using the DMC DECT Manager Avaya Communication Server 1000 Using the DMC DECT Manager Release 7.6 NN43001-142 Issue 03.03 December 2015 2012-2015, Avaya, Inc. All Rights Reserved. Notice While reasonable efforts have been made to

More information