MAGNUM-SDVN Security Administration Manual

MAGNUM-SDVN Security Administration Manual Revision 19: November 21, 2017 Contents Overview... 3 Administrative Access... 4 Logging Into Terminal Locally... 4 Logging Out Of Local Terminal... 4 Logging in to Web Interface... 5 Logging Out from Web Interface... 5 Configuring Date and Time... 6 Configuring IP Addresses... 7 Configuring Clustering... 8 Transferring Files... 9 Transferring Files Using FTPS... 9 Transfer Files Using SFTP or SCP... 10 Entering High Security Mode... 11 Power-on Self-Test... 13 Disabling USB Storage Devices In The BIOS... 14 Changing the Connection Security Mode... 15 Edit Login Banner... 16 Remote Audit Servers... 17 Import Code Verification Public Key... 18 Change Linux User Passwords... 19 Expire Web User Passwords... 20 Reset Disk Encryption Key... 22 Reset TLS Key... 23 Reset Cluster Key... 24 Export Cluster Key... 25 Page 1 of 52

Import Cluster Key... 26 Show Server Certificate... 27 Create Certificate Signing Request... 28 Import Signed Server Certificate... 29 Export Server Certificate... 30 Show Trusted CA Certificates... 31 Import Trusted CA Certificate... 32 Remove Trusted CA Certificate... 33 Show Certificate Revocation List... 34 Import Certificate Revocation List... 35 Remove Certificate Revocation List... 36 Allowed Subject Alt Names (DNS)... 37 Allowed Subject Alt Names (email)... 38 Allow Subject Alt Names (IP)... 39 Bypass Mode Options... 40 Configure Interactive Session Timeout... 41 Configure Minimum Password Length... 42 Auditable Events... 43 Checking Firmware Version... 43 Checking Version from Terminal... 44 Checking Version from Web... 45 Adding and Deleting Web Users... 46 Changing Web User s Passwords... 47 Upgrading Firmware... 48 Export Logs... 50 Full Data Purge... 51 Other Devices... 51 Page 2 of 52

Overview This manual is a supplement to the MAGNUM-SDVN User Manual. It is specifically intended for use with the MAGNUM-SC-CC. MAGNUM is a software product produced by Evertz. MAGNUM-SC-CC is a product consisting of MAGNUM software pre-installed on an Evertzprovided server. MAGNUM-SC-CC is a product that meets the Collaborative Protection Profile for Network Devices for Common Criteria. MAGNUM-SC-CC only meets these requirements in High Security Mode. It is shipped with the security mode turned off ( Normal Security Mode ). This is because once High Security Mode is enabled it is permanent. This is to accommodate customers who wish to use only a subset of the High Security Mode features. (Evertz does not recommend using only a subset of High Security features; Normal Security Mode is intended to accommodate unusual customer requirements.) To be clear, MAGNUM-SC-CC only meets the Collaborative Protection Profile for Network Devices for Common Criteria when in High Security Mode. Except where specifically stated in this manual the nature of physical network connections is outside the scope of the Collaborative Protection Profile for Network Devices for Common Criteria, as the available network elements (IP switches, IP routers, etc.) which may be used in establishing those links are site-specific. Evertz stipulates that any connection must meet organizationally-specific security requirements for the location(s) where the equipment is deployed. Page 3 of 52

Administrative Access Logging Into Terminal Locally Most administrative actions are accomplished through the admin menu on the terminal. 1) Connect a VGA monitor and a USB keyboard 2) Switch Linux terminals by pressing <CTRL><ALT><F1> through <CTRL><ALT><F6>. 3) Log in with username admin and default password admin to access a structured menu 4) Changing any settings requires entering admin s password each time, and that step is assumed in all instructions. Security-sensitive changes are further protected by user prompts and warnings. 5) There also exists users etservice and etdev that access an open shell with limited permissions Logging Out Of Local Terminal 1. Select logout at the bottom of the menu list 2. This will close the current administration terminal session Page 4 of 52

Logging in to Web Interface Users can access the system from a web browser. MAGNUM s web interface supports Chrome and Safari. 1) Launch a web browser session 2) In the address part enter the IP address of MAGNUM 3) When prompted for login credentials enter admin and his password Logging Out from Web Interface 1. Select the stack icon on the top left of the web page 2. Select the person icon(highlighted in red border) 3. Select logout Page 5 of 52

Configuring Date and Time Relating logged events to the real world requires accurate time keeping. 1) Log in to the terminal as admin and select System 2) Select and configure each of: Date, Time, Time Zone 3) If the organization provides any NTP servers, select NTP Servers and add them 4) In the NTP Servers menu, select Force Sync after saving 5) When prompted, press Yes to tolerate the service interruption Page 6 of 52

Configuring IP Addresses MAGNUM uses static IP addresses. There are multiple network ports, configured differently depending on each organization s requirements. 1) Port names on the MAGNUM device: 2) Log in to the terminal as admin and select Network 3) Assign an IP Address (and Gateway if needed) to each network port, starting with eth0 4) Select Save and Apply 5) When prompted, press Yes to tolerate the service interruption Page 7 of 52

Configuring Clustering MAGNUM devices can be clustered (teamed up) to provide redundancy. Cluster communications are always encrypted, but not to the level required by Common Criteria. For Common Criteria, a trusted channel must be formed by connecting an Ethernet cable directly between the servers, with no other devices (like switches) in between. 1) Connect an Ethernet cable directly between the MAGNUM devices. Use eth1. 2) Each MAGNUM device in a cluster must have a different host name 3) Log in to the terminal as admin and select System 4) Select Host Name and choose a new one (eg. MAGNUM-PRI) 5) Return to the main menu by selecting Back using <Tab> and <Enter> 6) Select Cluster 7) Assign an arbitrary Multicast Address 8) Assign eth1 as the Multicast Interface 9) Assign an unused IP address to Database IP. This IP address will be owned by whichever MAGNUM device is the master, and is reassigned seamlessly. It s the main IP address used by clients (e.g. web browsers) to contact MAGNUM. 10) Select Save and Apply Page 8 of 52

Transferring Files In normal security mode, SCP, FTPS and USB storage devices can be used to transfer files to or from. However, in high security mode, the on-board USB ports are disabled. Transferring Files Using FTPS The FTPS server must obey the following rules: Instructions: Use passive mode Listen on port 990 for control connections Listen on restricted range of ephemeral ports for data connections: 50000-50009 1. When prompted to select the source, select FTPS Server 2. Fill in the connection and login parameters for the organization s FTPS server a. Note: use the arrow keys (not <Tab>) to navigate between fields b. Note: the settings are purposefully forgotten between sessions c. Note: the password field is blank when being filled in, and is hard to read 3. Review the FTPS server certificate, and if the details are wrong, select Don t Trust 4. To continue, select Trust Certificate 5. Select the file to import or export, depending on action being done Page 9 of 52

Transfer Files Using SFTP or SCP 1. Launch WinSCP (or other application that supports SFTP or SCP) 2. Enter IP address of server 3. Enter login credentials for admin 4. Use the interface to transfer files 5. Close Application once transfer is complete Page 10 of 52

Entering High Security Mode The device should not be considered online, and should not be connected to the network, unless it s in high security mode The following restrictions are put in place after entering high security mode: All encryption keys and passwords are regenerated All external connections are encrypted and authenticated with certificates o (All Connections between MAGNUM and IPX are encrypted) Any protocols that cannot be encrypted are disabled (eg. SNMP, with the exception of NTP) Password complexity is enforced for all users Firmware upgrade images must be signed by Evertz (including patches) The checksums of all files are checked at power-on, halting the system if any are corrupted USB storage devices are disabled Extra steps (described in the next section) are needed to disable USB storage devices in the BIOS 2) Select System Security Mode and then high 3) Select Yes to accept the warning that entering high security mode is permanent 4) When prompted, enter admin s password Page 11 of 52

5) Change each user s password as prompted, subject to password complexity requirements 6) Web user passwords are automatically expired and each user will be forced to change their password at their next login 7) Wait while the device enables high security mode 8) When prompted, reboot 9) MAGNUM will now reboot into high security mode Page 12 of 52

Power-On Self-Test In High Security mode, a self-test is performed at every power-on. It looks like the following: If the power-on self-test fails (as in the screenshot below), contact Evertz Service Department Page 13 of 52

Disabling USB Storage Devices In The BIOS High security mode requires these additional steps to disable USB storage devices in the BIOS, to prevent booting from USB keys. 1) Connect a VGA monitor and a USB keyboard 2) During power-on, press the <Delete> key repeatedly 3) In the BIOS menu, navigate to the Advanced tab using the arrow keys 4) Select USB Configuration 5) Select USB Mass Storage Driver Support 6) Select Disabled 7) Press <F10> to save and exit 8) Select Yes when prompted to save and exit 9) MAGNUM will now reboot Page 14 of 52

Changing the Connection Security Mode There are 5 connection security modes: normal: All connections are unencrypted and unblocked encrypted: All connections are either encrypted or blocked verify-ca: All encrypted connections are authenticated with certificates, verified by CAs verify-san: All encrypted connections are authenticated with certificates, verified by CAs, and Subject Alternative Names verify-crl: All encrypted connections are authenticated with certificates, verified by CAs, Subject Alternative Names, and CRLs Each system security mode (normal and high) has a default connection security mode (normal and verify-crl, respectively) that is automatically set. The connection security mode can be changed, depending on each organization s special needs, but this is protected by warnings and should be avoided. This option is meant to clearly indicate the current mode, rather than encourage the weakening of security. 2) Select Connection Security Mode and select the desired mode 3) Select Yes to proceed past the warning (this will violate Common Criteria) 4) When prompted, reboot Page 15 of 52

Edit Login Banner The message in MAGNUM s login banner can be customized, depending on each organization s requirements. The terminal and web login banners share the same message. 2) Select Edit Login Banner 3) Edit the message as required. The editor is called nano, and should be easy to use. 4) To save and exit press <CTRL>X, then Y, then <Enter> Page 16 of 52

Remote Audit Servers System log messages can be sent to a remote log server. Remote audit server must listen on port 16514 for TLS connections. The audit data is simultaneously sent to the external server and the local store. 2) Select Secure Audit Server 3) Select Add Server to add new entries 4) Enter a valid IP address 5) Add additional IP addresses as needed 6) Select Save and Apply when done 7) When prompted, enter admin password Page 17 of 52

Import Code Verification Public Key In high security mode, all firmware upgrade images (.efp files) will have their signatures (.sig files) verified before being installed. Evertz signs these firmware images at build-time, and this menu option provides the ability to change the code verification public key, allowing upgrades to continue if Evertz changes its private signing key. 2) Select Import Code Verification Public Key 3) Select the source, usually FTPS Server 4) Select the public key to import 5) Wait until the import is complete Page 18 of 52

Change Linux User Passwords At any time, the Linux user passwords can be changed, subject to password complexity requirements depending on the current system security level. These passwords are forced to change when entering high security mode. Furthermore, these passwords are reset to defaults upon any firmware upgrade (excluding patches). A list of valid characters is also applied when users password is reset. The valid charter list is: Upper case letters Lower case letters Numerals Special characters [!, @, #, $, %, ^, &, *, (, ) ] Other special characters: [,, ', +,,, -,., /, :, ;, <, =, >,?, [, \, ], _, `, {,, }, ~ ] User passwords must meet a set of minimum requirements, those requirements are: Minimum length 8 characters Must use two of each o Upper case letters o Lower case letters o Numbers o Symbols No reusing previous password 2) Select Change Linux User Passwords 3) Select the target user Page 19 of 52

4) When prompted, enter admin s password first, regardless of the target user 5) Enter the user s new password, twice for confirmation, adhering to the displayed password complexity requirements 6) Repeat this process for other users Expire Web User Passwords An administrator can force all web users to change their password by expiring all of them simultaneously. Each user will be forced to change their password at their next login, subject to password complexity requirements depending on the system security mode. These passwords are automatically expired when entering high security mode. 2) Select Expire Web User Passwords Page 20 of 52

3) When prompted, enter admin s password 4) Each web user will be forced to change their password at their next login Page 21 of 52

Reset Disk Encryption Key MAGNUM operates with an encrypted disk to protect all stored data, using an auto-generated key. This option allows an administrator to change this private disk encryption key at any time. 2) Select Reset Disk Encryption Key 3) Select Yes to proceed 4) When prompted, enter admin s password 5) When prompted, reboot Page 22 of 52

Reset TLS Key In high security mode, MAGNUM encrypts all connections with TLSv1.2. This option allows an administrator to change the private TLS key at any time. The new random key is chosen automatically. A new self-signed certificate will also be created, replacing any existing certificate identifying the device. The administrator should generate a new CSR and have it signed by a CA before MAGNUM reconnects to other devices. 2) Select Reset TLS Key 3) Select Yes to proceed 4) When prompted, enter admin s password 5) When prompted, reboot 6) A new key and self-signed certificate are automatically generated during power-on 7) Create a new CSR, sign it, and import it before connecting MAGNUM to other devices Page 23 of 52

Reset Cluster Key Clustering MAGNUM devices is optional. In high security mode, a trusted channel (i.e. a dedicated Ethernet link) should be configured, in which case the cluster key does not contribute to security. This option allows an administrator to change the private cluster key at any time. All MAGNUM devices in a cluster must share the same cluster key: use the export and import functions described next to share the cluster key. 2) Select Reset Cluster Key 3) Select Yes to proceed 4) When prompted, enter admin s password 5) When prompted, reboot 6) A new cluster key is automatically generated during power-on Page 24 of 52

Export Cluster Key Clustering MAGNUM devices is optional. In high security mode, a trusted channel (i.e. a dedicated Ethernet link) should be configured, in which case the cluster key does not contribute to security. All MAGNUM devices in a cluster must share the same cluster key. The cluster key is encrypted during export and decrypted during import. 2) Select Export Cluster Key 3) When prompted, enter admin s password 4) Choose a unique and arbitrary passphrase with which to encrypt the key during transport 5) Select the source, usually FTPS Server 6) The file name is auto-generated during export Page 25 of 52

Import Cluster Key Clustering MAGNUM devices is optional. In high security mode, a trusted channel (i.e. a dedicated Ethernet link) should be configured, in which case the cluster key does not contribute to security. All MAGNUM devices in a cluster must share the same cluster key. The cluster key is encrypted during export and decrypted during import. 2) Select Import Cluster Key 3) When prompted, enter admin s password 4) Select the source, usually FTPS Server 5) Select the key file that was exported earlier 6) When prompted, enter the unique passphrase used to encrypt the key during export 7) When prompted, reboot Page 26 of 52

Show Server Certificate This option allows the administrator to review the certificate that identifies a particular MAGNUM device. 2) Select Show Server Certificate 3) Review the certificate details, using the arrow keys to scroll down or right Page 27 of 52

Create Certificate Signing Request MAGNUM initially powers on with a self-signed certificate. To connect with other devices in an organization, a CSR must be signed by the organization s CA. This option allows an administrator to create and export a CSR. It s derived from the private TLS key, which is unique to each device and automatically generated at first power-on, when entering high security mode, or when manually reset. The CSR is created with editable fields, but it s expected that the CA will provide its own when creating a signed certificate for the device. 2) Select Create Certificate Signing Request 3) Update each field as appropriate for the particular device and organization 4) The CA should provide its own values when creating a signed certificate for the device 5) Select Create and Export 6) Select the source, usually FTPS Server 7) The file name is auto-generated during export Page 28 of 52

Import Signed Server Certificate After the organization s CA signs a previously exported CSR to create a signed certificate, this option allows the administrator to import the certificate into MAGNUM. This certificate will identify a particular MAGNUM device to the other devices to which it connects. 2) Select Import Signed Server Certificate 3) When prompted, enter admin s password 4) Select the source, usually FTPS Server 5) Select the correct certificate file (must be in PEM format with a.pem extension) 6) When prompted, reboot Page 29 of 52

Export Server Certificate This option allows the administrator to export a particular MAGNUM device s certificate, if a need for that arises. 2) Select Export Server Certificate 3) When prompted, enter admin s password 4) Select the source, usually FTPS Server 5) The file name is auto-generated during export Page 30 of 52

Show Trusted CA Certificates This option allows the administrator to review the CA certificates trusted by a MAGNUM device. This option is useful before and after importing or removing trusted CA certificates. In high security mode, all connections are authenticated by verifying the peer s certificate. They must all be signed by a trusted CA. Each CA in the chain must be explicitly imported to be trusted. 2) Select Show Trusted CA Certificates 3) Select the particular CA certificate to review 4) Review the certificate details, using the arrow keys to scroll down or right Page 31 of 52

Import Trusted CA Certificate This option allows the administrator to import and thereby trust a CA certificate. In high security mode, all connections are authenticated by verifying the peer s certificate. They must all be signed by a trusted CA. Each CA in the chain must be explicitly imported to be trusted. 2) Select Import Trusted CA Certificate 3) When prompted, enter admin s password 4) Select the source, usually FTPS Server 7) Select the correct CA certificate file (must be in PEM format with a.crt extension) 5) When prompted, reboot Page 32 of 52

Remove Trusted CA Certificate This option allows the administrator to remove and thereby stop trusting a CA certificate. In high security mode, all CA certificates must have a corresponding CRL, which must be removed first. This is enforced by MAGNUM to ensure there are no stale CRLs. 2) Select Remove Trusted CA Certificate 3) Select the particular CA certificate to remove 4) When prompted, enter admin s password 5) When prompted, reboot Page 33 of 52

Show Certificate Revocation List This option allows the administrator to review CRLs. This option is useful before and after importing or removing CRLs. In high security mode, all connections are authenticated by verifying the peer s certificate. If peer s certificate is revoked by an imported CRL, the connection is blocked. Every trusted CA certificate must have a corresponding CRL. The CAs must be imported first. 2) Select Show Certificate Revocation List 3) Select the particular CRL to review 4) Review the CRL details, using the arrow keys to scroll down or right Page 34 of 52

Import Certificate Revocation List This option allows the administrator to import CRLs. In high security mode, all connections are authenticated by verifying the peer s certificate. If peer s certificate is revoked by an imported CRL, the connection is blocked. Every trusted CA certificate must have a corresponding CRL. The CAs must be imported first. 2) Select Import Certificate Revocation list 3) When prompted, enter admin s password 4) Select the source, usually FTPS Server 5) Select the correct CRL file (must have a.crl extension) 6) When prompted, reboot Page 35 of 52

Remove Certificate Revocation List This option allows the administrator to remove and thereby stop checking a CRL. Until the corresponding CA certificate is also removed, MAGNUM will not communicate with other devices, because in high security mode, all CA certificates must have a corresponding CRL. 2) Select Remove Certificate Revocation List 3) Select the particular CRL to remove 4) When prompted, enter admin s password 5) When prompted, reboot Page 36 of 52

Allowed Subject Alt Names (DNS) This option allows the administrator to configure a list of allowed Subject Alternative Names (also known as reference identifiers). In high security mode, all connections (including both client and server connections) are authenticated by verifying the peer s certificate. If the peer s certificate does not contain a Subject Alternative Name field from the MAGNUM device s allowed list, the connection is blocked. If the allowed list is empty, this field is not checked during certificate authentication. If the peer s certificate does not have a Subject Alternative Names field, the Common Name field is checked instead, for backwards compatibility. 2) Select Allowed Subject Alt Names (DNS) 3) Select Add DNS Host to add new entries 4) Enter a valid DNS name (wildcards are supported) 5) Select Remove DNS Host to remove entries 6) Select Save and Apply when done 7) When prompted, enter admin s password 8) When prompted, reboot Page 37 of 52

Allowed Subject Alt Names (email) This option allows the administrator to configure a list of allowed Subject Alternative Names (also known as reference identifiers). In high security mode, all connections (including both client and server connections) are authenticated by verifying the peer s certificate. If the peer s certificate does not contain a Subject Alternative Name field from the MAGNUM device s allowed list, the connection is blocked. If the allowed list is empty, this field is not checked during certificate authentication. 2) Select Allowed Subject Alt Names (email) 3) Select Add Email to add new entries 4) Enter a valid email address 5) Select Remove Email to remove entries 6) Select Save and Apply when done 7) When prompted, enter admin s password 8) When prompted, reboot Page 38 of 52

Allow Subject Alt Names (IP) This option allows the administrator to configure a list of allowed Subject Alternative Names (also known as reference identifiers). In high security mode, all connections (including both client and server connections) are authenticated by verifying the peer s certificate. If the peer s certificate does not contain a Subject Alternative Name field from the MAGNUM device s allowed list, the connection is blocked. If the allowed list is empty, this field is not checked during certificate authentication. 2) Select Allowed Subject Alt Names (IP) 3) Select Add IP to add new entries 4) Enter a valid IP address 5) Select Remove IP to remove entries 6) Select Save and Apply when done 7) When prompted, enter admin s password 8) When prompted, reboot Page 39 of 52

Bypass Mode Options In high security mode, many restrictions are put in place. The bottom-most set of options in the Security menu allow the administrator to bypass some of the restrictions for necessity, but they are protected by warnings and should be avoided. Once enabled, each bypass option remains enabled until the administrator explicitly disables it. The following bypass options are available (but should be avoided): Allowing USB storage devices to transfer files Allowing the etdev Linux user to use sudo Allowing unencrypted communication with specific types of Evertz devices Allowing Remote Authentication communication with Remote server 2) Select the restriction to bypass 3) Consider the warning, and select Yes to continue 4) When prompted, enter admin s password 5) If prompted, reboot 6) When the task is complete, disable the bypass option Page 40 of 52

Configure Interactive Session Timeout Administrator account is able to define a given timeout time to different interactive sessions of the system. 2) Select Interactive Session Timeout 3) When prompted, enter admin password 4) Select the minimum password length (range 1-60 minutes) 5) The change will take affect Page 41 of 52

Configure Minimum Password Length Administration account is able to define the minimum password length that each account must meet. 2) Select Set Minimum User Password Length 3) When prompted, enter admin s password 4) Select the minimum password length (range 4-15) 5) The change will take affect the next time a user logs into their account Page 42 of 52

Auditable Events Auditable Event Start-up of the audit functions Shut-down of the audit functions Web login Web logout Local Linux login Local Linux logout Remote Linux login Remote Linux logout Local Linux login Local Linux logout TLS certificate verification Attempt to update firmware Enter secure mode Edit login banner Change Linux user password Expire web all user passwords Web user changing own password Create web user Delete web user Import signed certificate (CSR response) Import trusted CA certificate Remove trusted CA certificate Import CRL file Remove CRL file Configure allowed Subject Alt Names Configure device IP address Result of attempt to update firmware Changing time / date / time zone Terminate remote interactive session after timeout (web) Terminate remote interactive session after timeout (Linux) TLS connection initiated TLS connection terminated TLS connection failed to establish Remote administrator session failed (web) Remote administrator session failed (Linux) Log rotated to prevent filling storage space Configure IP of remote audit server Import update verification public key Reset disk encryption key Reset TLS private key Failure to establish HTTPS session (server side) Audit Record Content <audit-process-info> start <audit-process-info> <stop-reason> Authenticated user <user-name> <token-info> <origin-ip-addr> User logged out <user-name> <token-info> <origin-ip-addr> Session opened for <user-name> Session closed for <user-name> Accepted password for <user-name> from <origin-ip-addr> session opened Received disconnect from <origin-ip-addr> session closed for <user-name> N/A (same as FIA_UIA_EXT.1) N/A (same as FIA_UIA_EXT.1) Cert verification error <reason> Performing action from <origin-ip-addr> upgrade server <efp-name> Enabling high security mode from local terminal Editing login banner from <origin-ip-addr> Performing action from <origin-ip-addr> change linux password <user-name> Performing action from <origin-ip-addr> expire all web passwords Modified user <user-name> from <origin-ip-addr> Created user <user-name> from <origin-ip-addr> Deleted user <user-name> from <origin-ip-addr> Import signed server certificate Import trusted CA certificate <cert-file-name> Remove trusted CA certificate <cert-file-name> Import CRL <crl-file-name> issued by <issuing-ca-cert-file-name> Remove CRL <crl-file-name> Configure allowed <san-type> SAN settings Performing action from <origin-ip-addr> save network settings <settings-info> Success or <reason-for-failure> <old-timestamp> Performing action from <origin-ip-addr> change time <new-timestamp> Web user timed out <user-name> <token-info> Received disconnect from <origin-ip-addr> session closed for <user-name> <connection-id> accepted connection from <origin-ip-addr> connected to <target-ip-addr> <connection-id> connection closed <connection-id> error <reason> Failed to authenticate user <user-name> <origin-ip-addr> Failure <reason> session closed for <user-name> <log-file-name> <max-size> log rotating <rotated-log-file-name> Performing action from <origin-ip-addr> configure remote audit server <target-ip-addr> Performing action from <origin-ip-addr> import code verification public key <checksum-ofkey> Performing action from <origin-ip-addr> reset disk encryption key <checksum-of-key> Performing action from <origin-ip-addr> erase and create TLS key <checksum-of-key> <connection-id> accepted connection from <origin-ip-addr> error <reason> Checking Firmware Version Admin users have the ability to check version of software installed on system Page 43 of 52

Checking Version from Terminal 1) Connect a VGA monitor and a USB keyboard 2) Switch Linux terminals by pressing <CTRL><ALT><F1> through <CTRL><ALT><F6>. 3) Log in with username admin 4) Changing any settings requires entering admin s password each time, and that step is assumed in all instructions. Security-sensitive changes are further protected by user prompts and warnings. 5) Select Version 6) Using the arrow keys can scroll through the install packages list 7) Press Esc key to return to main menu Page 44 of 52

Checking Version from Web 1) Login to the web interface as admin 2) In the GO bar search Config 3) Select Config Management a. 4) Select Current System Info 5) Complete all the password fields, subject to password complexity requirements 6) Click Close Page 45 of 52

Adding and Deleting Web Users The admin web user can add or delete non-admin web users. These new users have limited access, and cannot change any sensitive configuration (except for their own passwords). MAGNUM s web interface supports Chrome and Safari. 1) Login to the web interface as admin (default password is admin) 2) Select the User Management app 3) In the GO bar type user, Select User Management a. 4) Select the + to add a user a. 5) Complete all the fields, subject to password complexity requirements 6) Click Submit 7) To delete users, select the target user and click Delete Selected Page 46 of 52

Changing Web User s Passwords The admin web user can change every other web user s password. Each web user can change their own password. Every web user s password is automatically expired when entering high security mode, or when explicitly expired from the terminal menu. MAGNUM s web interface supports Chrome and Safari. Upper case letters Lower case letters Numerals Special characters [!, @, #, $, %, ^, &, *, (, ) ] Other special characters: [,, ', +,,, -,., /, :, ;, <, =, >,?, [, \, ], _, `, {,, }, ~ ] User passwords must meet a set of minimum requirements, those requirements are: Minimum length 8 characters Must use two of each o Upper case letters o Lower case letters o Numbers o Symbols No reusing previous password 1) Login to the web interface as admin (default password is admin) 2) In the GO bar type user, Select User Management 3) For the target user, click Change Password 4) Complete all the password fields, subject to password complexity requirements 5) For the target user, click Change Password Page 47 of 52

6) Click Yes Upgrading Firmware In high security mode, all firmware upgrade images (.efp files) will have their signatures (.sig files) verified before being installed. Evertz signs these firmware images at build-time. If the.efp file has been tampered with, the installation is aborted. Always keep the.sig file beside the.efp file. The Linux user passwords are reset to defaults upon a firmware upgrade (excluding patches), and should be changed. The web user passwords are not reset. 1) Log in to the terminal as admin and select System 2) Select Upgrade 3) When prompted, enter admin s password 4) Select the source, usually FTPS Server in high security mode 5) Login to the FTPS server. 6) Select the correct.efp file 7) The.sig file won t appear in the menu, but is expected to exist beside the.efp file 8) Consider the prompt, and select Yes to proceed 7) When prompted, enter admin s password 8) Wait until the upgrade completes, and press Q to return 9) When prompted, reboot Page 48 of 52

10) If the EFP is corrupted it will display the following message: 11) If the upgrade fails, contact Evertz Service Department Page 49 of 52

Export Logs The ability to export system logs to view. 1) Log in to the terminal as admin and select Debug 2) 3) Select Export Logs 4) 5) When prompted, enter admin s password 6) Select the source, usually FTPS Server in high security mode 7) Login to the FTPS server. 8) Wait until the export completes. Once completed will return to debug menu Page 50 of 52

Full Data Purge If the device needs to be to fully purged. Power down the device. Remove both SSDs located at the back of the device. Place the SSDs into hard drive shredder. Contact either sales or service at Evertz to get replacement SSDs Page 51 of 52

Other Devices A MAGNUM server (or multiple MAGNUM Servers set as a Cluster ) can control a wide variety of devices. However, when set up in secure mode MAGNUM only communicates with these devices via TLS, so only devices using TLS (also running in secure mode) are actually controllable by MAGNUM. (Thus it is impossible to cluster a secure MAGNUM with another MAGNUM that is not in secure mode.) As of this writing these secure devices consist of MMA10G-IPX-16, MMA10G-IPX-32 and MMA10G-IPX-64, which are NDcPP version 1.0 certified, and the EXE (which has multiple configurations), which is pending certification. All of these devices are similar (non-blocking IP switches optimized for IP video); their difference is size (as in, the number of physical IP ports). It is expected that additional devices will be added in future. Page 52 of 52