Cisco Systems OL-5742-01 Home Security System User Manual
Contents
1. enter the following command:
      sgm badloginalarm number-of-attempts
   where number-of-attempts is the number of unsuccessful login attempts allowed before SGM generates an alarm. The valid range is unsuccessful attempt to an unlimited number of unsuccessful attempts. The default value is 5 unsuccessful attempts.
   To disable this function (that is, to prevent SGM from automatically generating an alarm after unsuccessful login attempts), enter the following command:
      sgm badloginalarm clear
   (Optional) You can configure SGM to disable a user's security authentication automatically after a specified number of unsuccessful login attempts. To do so, enter the following command:
      sgm badlogindisable number-of-attempts
   where number-of-attempts is the number of unsuccessful login attempts allowed before SGM disables the user's authentication. SGM does not delete the user from the authentication list; SGM only disables the user's authentication. The valid range is unsuccessful attempt to an unlimited number of unsuccessful attempts. The default value is 10 unsuccessful attempts. To re-enable the user's authentication, use the sgm enableuser command.
   To disable this function (that is, to prevent SGM from automatically disabling a user's authentication after unsuccessful login attempts), enter the following command:
      sgm badlogindisable clear
   OL-5742-01 Cisco Signaling Gateway Manager User Guide, Chapter
2. of the subject, which must match the fully qualified host name of your SGM server, such as sgm-sun8.cisco.com. The Subject field might also contain other information, such as the Country (C), Organizational Unit (OU), or Organization (O) of the subject.
   Issuer: CA that issued the SSL certificate. The Issuer field might include the Common Name (CN) of the issuer, as well as the Country (C), Organizational Unit (OU), or Organization (O) of the issuer.
   Version: Version of the SSL certificate, such as V1.
   Serial number: Serial number associated with the SSL certificate.
   Signature algorithm: Asymmetric algorithm used to ensure that the digital signature is secure, such as MD5withRSA.
   Valid from: Date and time on which the SSL certificate was created or became valid.
   Valid to: Date and time on which the SSL certificate expires.
   Public key: Public key associated with the SSL certificate, used for encryption and for verifying signatures.
   OK: Closes the Certificate Information dialog. When you are ready to close the dialog, click OK. SGM closes the Certificate Information dialog. If necessary, click Exit to close the SGM Certificate Tool dialog.
   Related Topics: Launching the SGM Certificate Tool for SSL, page 18-31
   Chapter 18, Configuring SGM Security: Implementing SSL Support in SGM
   Managing SSL Support in
3. SGM
   SGM enables you to perform the following tasks to make it easier to manage SSL support in SGM:
   - To display the current status of SSL support in SGM, including whether SSL support is enabled or disabled and which SSL keys and certificates exist, use either the sgm ssl status or sgm sslstatus command.
   - To print the SGM server's SSL certificate in X.509 format, use the sgm keytool print_crt command.
   - To list the SSL key-certificate pair on the SGM server, use the sgm keytool list command.
   - To list all SSL certificates on the SGM client, launch the SGM SSL Certificate Tool. SGM lists each imported certificate, including to whom the certificate was issued, who issued the certificate, and when the certificate expires.
   See the SGM Command Reference section on page C-1 for more information on the use of these commands. See the Importing an SSL Certificate to an SGM Client section on page 18-33 for more information on launching the SGM SSL Certificate Tool.
   Disabling SSL Support in SGM
   SGM enables you to disable SSL support in SGM, and to remove SSL keys and certificates from the SGM server and clients:
   - To disable SSL support in SGM, use the sgm ssl disable command. See the sgm ssl section on page C-98 for more information.
   - To remove all SSL keys and certificates from the SGM server, use the sgm keytool clear command. SGM stops the SGM server, if necessary, and removes the keys and certificates. Before restarting the
4. Field or Button: Description
   Files of Type: Specifies the type of file to save, and displays all files of that type in the selected directory. For SSL certificates, this field displays All files, which means files of all types are displayed in the table.
   Up One Level: Displays the sub-folders and files that are in the folder that is up one level from the currently displayed folder.
   Desktop: Displays the sub-folders and files that are on your workstation desktop.
   Create New Folder: Creates a new sub-folder in the displayed folder.
   List: Displays only icons for sub-folders and files.
   Details: Displays detailed information for sub-folders and files, including their size, type, date they were last modified, and so on.
   Save: Saves the file, closes the Save dialog for an SSL certificate, and returns to the SGM Certificate Tool dialog. Click Exit to close the SGM Certificate Tool dialog and export the self-signed SSL certificate in X.509 format.
   Cancel: Closes the Save dialog for an SSL certificate without saving the file.
   Related Topics:
   - Launching the SGM Certificate Tool for SSL, page 18-31
   Viewing Detailed Information About an SSL Certificate
   If you have implemented Secure Sockets Layer (SSL) support in your SGM system, you can view detailed information about SSL certificates that have been imported to the SGM client. To view detailed information about an
5. SSL certificate, use one of the following procedures:
   - Click the locked padlock symbol in the bottom left corner of any SGM window.
   - Launch the SGM SSL Certificate Tool, as described in the Launching the SGM Certificate Tool for SSL section on page 18-31, select an SSL certificate from the list, and click Details.
   SGM displays the Certificate Information dialog (Figure 18-1).
   [Figure 18-5: Certificate Information Dialog]
   The Certificate Information dialog displays the following detailed information for the selected SSL certificate:
   Field or Button: Description
   Subject: Device to which the SSL certificate was issued. The Subject field always includes the Common Name (CN)
6. as a result of inactivity, enter the following command:
      sgm clitimeout clear
   Manually Disabling Users and Passwords (Solaris Only)
   As described in the Automatically Disabling Users and Passwords (Solaris Only) section on page 18-10, you can customize SGM to automatically disable users and passwords when certain conditions are met. However, you can also manually disable SGM User-Based Access users and passwords when the need arises. To do so, use the following procedures:
   Step 1: Log in as the root user, as described in the Becoming the Root User (Solaris Only) section on page 2-3, or as a super user, as described in the Specifying a Super User (Solaris Only) section on page 18-24.
   Step 2: Enter the following command:
      cd /opt/CSCOsgm/bin
   Step 3: (Optional) To delete a user entirely from the SGM User-Based Access authentication list, enter the following command:
      sgm deluser username
   where username is the name of the user. If you later decide to add the user back to the authentication list, you must use the sgm adduser command.
   Step 4: (Optional) If sgm authtype is set to local, you can disable a user's password. To do so, enter the following command:
      sgm disablepass username
   where username is the name of the user. SGM does not delete the user
7. from the authentication list; SGM only disables the user's password.
   Note: If sgm authtype is set to solaris, you cannot use the sgm disablepass command. Instead, you must manage passwords on the external authentication servers.
   The user must change his password the next time he logs in. You can also re-enable the user's authentication with the same password, or with a new password:
   - To re-enable the user's authentication with the same password as before, use the sgm enableuser command.
   - To re-enable the user's authentication with a new password, use the sgm userpass command.
   Step 5: (Optional) To disable a user's authentication, but not the user's password, use the following command:
      sgm disableuser username
   where username is the name of the user.
   Note: If sgm authtype is set to solaris, you must be logged in as the root user, not as a super user, to enter this command.
   SGM does not delete the user from the authentication list; SGM only disables the user's authentication. The user cannot log in until you re-enable the user's authentication:
   - To re-enable the user's authentication with the same password as before, use the sgm enableuser command.
   - To re-enable the user's authentication with a new password, use the sgm use
8. of the day, the Message of the Day dialog is displayed.
   - Select View > Message of the Day from the SGM Main Menu.
   - Select the SGM server name in the bottom right corner of the SGM Main Window.
   SGM displays the Message of the Day dialog (Figure 18-1).
   [Figure 18-1: Message of the Day Dialog]
   The Message of the Day dialog contains the following fields and buttons:
   Field or Button: Description
   Message of the Day Last Updated: Date and time the message of the day was last updated. If there is no message of the day, SGM displays Unknown.
   Message Field: Text of the message of the day. If there is no message of the day, SGM displays There is no message of the day.
   Accept: Closes the Message of the Day dialog and launches the client. If you do not click Accept, you cannot launch the client. This button is available when there is a message of the day and you launch the SGM client or GTT client.
   Decline: Closes the Message of the Day dialog and exits the client. This button is
9. server, you must either generate new SSL keys using the sgm keytool genkey command, or you must completely disable SSL using the sgm ssl disable command. See the SGM Command Reference section on page C-1 for more information on the use of these commands.
   - To remove an SSL certificate from the SGM client, launch the SGM SSL Certificate Tool. SGM lists each imported certificate. Select the certificate you want to remove and click Remove. SGM deletes the certificate from the list. See the Importing an SSL Certificate to an SGM Client section on page 18-33 for more information on launching the SGM SSL Certificate Tool.
   Limiting SGM Client Access to the SGM Server (Solaris Only)
   By default, when you first install SGM, all SGM client IP addresses are allowed to connect to the SGM server. However, SGM enables you to limit client access to the server by creating and maintaining the ipaccess.conf file.
   You can create the ipaccess.conf file and populate it with a list of SGM client IP addresses that can connect to the SGM server. SGM allows connections from only those clients, plus the local host. If the file exists but is empty, SGM allows connections only from the local host. (SGM always allows connections from the local host.) When you firs
10. Step 5: (Optional) SGM keeps track of the date and time each user last logged in. You can configure SGM to disable a user's security authentication automatically after a specified number of days of inactivity. To do so, enter the following command:
      sgm inactiveuserdays number-of-days
   where number-of-days is the number of days a user can be inactive before SGM disables the user's authentication. SGM does not delete the user from the authentication list; SGM only disables the user's authentication. The valid range is 1 day to an unlimited number of days. There is no default setting. To re-enable the user's authentication, use the sgm enableuser command.
   This function is disabled by default. If you do not specify the sgm inactiveuserdays command, user accounts are never disabled as a result of inactivity. If you have enabled this function and you want to disable it (that is, to prevent SGM from automatically disabling user accounts as a result of inactivity), enter the following command:
      sgm inactiveuserdays clear
   Step 6: (Optional) If sgm authtype is set to local, you can configure SGM to force users to change their passwords after a specified number of days. To configure SGM to force users to change their passwords after a specified number of days, enter the following command:
      sgm passwordage number-of-days
   where number-of-days is the number
11. To display the contents of the message of the day file, enter the following command:
      sgm motd cat
   To disable this function (that is, to stop displaying the message of the day whenever a user attempts to launch an SGM or GTT client), enter the following command:
      sgm motd disable
   Manually Synchronizing Local SGM Passwords
   If sgm authtype is set to solaris, SGM automatically synchronizes local SGM passwords with Solaris at 1:30 AM each night. However, you can also manually synchronize passwords at any time. To do so, log in as the root user, as described in the Becoming the Root User (Solaris Only) section on page 2-3, then enter the following commands:
      cd /opt/CSCOsgm/bin
      sgm syncusers
   SGM synchronizes the passwords with Solaris.
   Listing All Currently Defined Users
   You can list all currently defined users in the SGM User-Based Access authentication list. To do so, log in as the root user, as described in the Becoming the Root User (Solaris Only) section on page 2-3, or as a super user, as described in the Specifying a Super User (Solaris Only) section on page 18-24, then enter the following commands:
      cd /opt/CSCOsgm/bin
      sgm listusers
   SGM displays the following information for each user:
   - User name
   - Last time the user logged
12. (Optional)
   - Displaying a Message of the Day, page 18-18 (Optional)
   - Manually Synchronizing Local SGM Passwords, page 18-21 (Optional)
   - Listing All Currently Defined Users, page 18-21 (Optional)
   - Displaying the Contents of the System Security Log, page 18-22 (Optional)
   - Restoring Security-Related SGM Data, page 18-23 (Optional)
   - Disabling SGM User-Based Access, page 18-24 (Optional)
   - Specifying a Super User (Solaris Only), page 18-24 (Optional)
   Implementing SGM User-Based Access (Solaris Only)
   Before you can access SGM's full suite of security commands, you must enable SGM User-Based Access, configure the type of security authentication you want to use, and begin adding users to your authentication lists. To implement SGM User-Based Access, use the following procedure:
   Step 1: Log in as the root user, as described in the Becoming the Root User (Solaris Only) section on page 2-3, or as a super user, as described in the Specifying a Super User (Solaris Only) section on page 18-24.
   Step 2: Enter the following commands:
      cd /opt/CSCOsgm/bin
      sgm useraccess enable
   SGM User-Based Access is enabled the next time you restart the SGM server.
   Step 3: If you have already configured the type of SGM security authentication you want to use, skip to Step 4. Otherwise, co
13. Configuring SGM Security
   This chapter provides the following information about configuring SGM security and limiting access to SGM:
   - Configuring SGM User-Based Access, page 18-1
   - Implementing SSL Support in SGM, page 18-26
   - Limiting SGM Client Access to the SGM Server (Solaris Only), page 18-40
   Configuring SGM User-Based Access
   SGM enables you to control who is allowed to do what in SGM, beyond simply specifying root and non-root users. SGM calls this ability User-Based Access.
   User-Based Access provides multi-level password-protected access to SGM features. Each user can have a unique user name and password. Each user can also be assigned to one of five levels of access, which control the list of SGM features accessible by that user.
   To configure SGM User-Based Access, perform the tasks in the following sections. Required and optional tasks are indicated.
   - Implementing SGM User-Based Access (Solaris Only), page 18-2 (Required)
   - Creating Secure Passwords, page 18-5 (Required)
   - Configuring SGM User Authentication Levels (Solaris Only), page 18-6 (Required)
   - Automatically Disabling Users and Passwords (Solaris Only), page 18-10 (Optional)
   - Manually Disabling Users and Passwords (Solaris Only), page 18-14 (Optional)
   - Enabling and Changing Users and Passwords (Solaris Only), page 18-16
14. To enable Solaris authentication, enter the following command:
      sgm authtype solaris
   See the SGM Command Reference section on page C-1 for more information on the use of each of the above SGM commands.
   Step 4: To add a user to your SGM User-Based Access authentication list, use the following command:
      sgm adduser username
   where username is the name of the user.
   Note: If sgm authtype is set to solaris, you must be logged in as the root user, not as a super user, to enter this command.
   SGM also prompts you for the authentication level for the user. Valid levels are:
   - 1: Basic User
   - 2: Power User
   - 3: Network Operator
   - 4: Network Administrator
   - 5: System Administrator
   For more information about authentication levels, see the Configuring SGM User Authentication Levels (Solaris Only) section on page 18-6.
   If sgm authtype is set to local, SGM also issues the following prompts:
   - SGM prompts you for the user's password. When setting the password, follow the rules and considerations in the Creating Secure Passwords section on page 18-5.
   - SGM asks whether you want to force the user to change the password at the next login. The default is not to force the user to change the password.
   Whenever a user needs to change a password, SGM issues an appropriate message and prompts for the user na
15. are ranges (for example, 1-100). For example, the address allows all clients to connect to the SGM server.
   After you create the ipaccess.conf file, you can use the full set of sgm ipaccess keywords to work with the file:
   - clear: Remove all client IP addresses from the ipaccess.conf file, and allow connections from any SGM client IP address.
   - list: List all client IP addresses currently in the ipaccess.conf file. If no client IP addresses are listed (that is, the list is empty), connections from any SGM client IP address are allowed.
   - rem: Remove the specified client IP address from the ipaccess.conf file.
   - sample: Print out a sample ipaccess.conf file.
   See the sgm ipaccess section on page C-44 for more information.
   Any changes you make to the ipaccess.conf file take effect when you restart the SGM server.
   SGM also enables you to limit the IP addresses that can send traps to the server by creating and maintaining the trapaccess.conf file. For more information, see the Limiting Traps by IP Address (Solaris Only) section on page 19-40.
16. available when there is a message of the day and you launch the SGM client or GTT client.
   OK: Closes the Message of the Day dialog without exiting the client. This button is available if you displayed the Message of the Day dialog by selecting View > Message of the Day from the SGM Main Menu.
   If you want to configure SGM to display a message of the day, you must first enable the function. To do so, log in as the root user, as described in the Becoming the Root User (Solaris Only) section on page 2-3, or as a super user, as described in the Specifying a Super User (Solaris Only) section on page 18-24, then enter the following commands:
      cd /opt/CSCOsgm/bin
      sgm motd enable
   SGM displays the following prompt:
      Enter location of the message of the day file /opt/CSCOsgm/etc/motd
   To accept the default value, press Enter, or type a different location and press Enter. SGM displays the following messages:
      Setting Message of the Day File to /opt/CSCOsgm/etc/motd
      Message of the Day File set to /opt/CSCOsgm/etc/motd
      SGM server must be restarted for changes to take effect
   Initially, the file is blank; enter the following command to specify the message text:
      sgm motd edit
   You can also use the sgm motd edit command at any time to change the text of the message of the day.
17. ble to all higher authentication levels. For example, a System Administrator also has access to all Network Administrator functions.
   Authentication levels are based on the function to be performed, not on the target object. Therefore, if a user can perform a function on one SGM object (such as deleting a node), the user can perform the same function on all similar SGM objects (such as deleting a signaling point or linkset).
   Note: Access to SGM information and downloads on Cisco.com is already protected by Cisco.com, and is not protected by SGM.
   To configure the authentication level for a user, use the sgm adduser command, as described in the Implementing SGM User-Based Access (Solaris Only) section on page 18-2, or the sgm updateuser or sgm newlevel command, as described in the Enabling and Changing Users and Passwords (Solaris Only) section on page 18-16.
   Basic User (Level 1) Access
   Basic Users can view SGM data, load SGM files, and use SGM drill-down menus. Basic Users have access to the following SGM functions:
   - Connecting to a new server
   - Applying changes to views
   - Loading the DEFAULT view and existing views, but not saving them
   - Editing, loading, and applying preferences files, but not saving them
   - Viewing and manipulating the topology map, and saving i
18. changes and program changes at the Solaris level
   - SGM restarts
   - Failures of computers, programs, communications, and operations at the Solaris level
   To clear the log and restart the server, enter the following command:
      sgm seclog clear
   The default path and filename for the system security log file is /opt/CSCOsgm/logs/sgmSecurityLog.txt. If you installed SGM in a directory other than /opt, then the system security log file is located in that directory.
   Note: You can also view the system security log on the SGM System Security Log Web page. For more information, see the Viewing the SGM System Security Log section on page 21-41.
   Restoring Security-Related SGM Data
   If you inadvertently delete your user accounts, or make other unwanted changes to your SGM security information, SGM enables you to restore the security-related parts of the SGM data files from the previous night's backup. To restore the files, log in as the root user, as described in the Becoming the Root User (Solaris Only) section on page 2-3, then enter the following commands:
      cd /opt/CSCOsgm/bin
      sgm restore security
   SGM restores the files.
   Disabling SGM User-Based Access
   For some reason, you might want to completely disable SGM User-Based Access. To do so, log in as the root user, as
19. d 774 is the Web port being used by SGM (1774 is the default port number). If you do not know the name or Web port of the SGM Web Server, contact the system administrator who installed the SGM server software.
   SGM displays the SGM Server Home page.
   Select Server SSL Certificate from the SGM Server Home Page. SGM displays the SGM Server SSL Certificate page.
   Right-click Download SGM Server SSL Certificate.
   Select Save Link As from the right-click menu.
   Select a directory in which to save the certificate (server.cer), and click Save. SGM downloads the server.cer file into the specified directory.
   Launching the SGM Certificate Tool for SSL
   If you have implemented Secure Sockets Layer (SSL) support in your SGM system, you can launch the SGM Certificate Tool for SSL. The SGM Certificate Tool dialog lists all SSL certificates that have been imported by the SGM client, and enables you to import, export, and display detailed information about SSL certificates.
   To launch the SGM SSL Certificate Tool, use one of the following procedures:
   - In Solaris, log in as the root user and enter the following commands:
      cd /opt/CSCOsgm/bin
      sgm certgui
     See the sgm certgui section on page C-15 for more information.
   - In Windows, select Start > Programs > Cisco SGM Client > SGM SSL Certifica
20. described in the Becoming the Root User (Solaris Only) section on page 2-3, or as a super user, as described in the Specifying a Super User (Solaris Only) section on page 18-24, then enter the following commands:
      cd /opt/CSCOsgm/bin
      sgm useraccess disable
   SGM User-Based Access is disabled the next time you restart the SGM server, using the following command:
      sgm restart
   Specifying a Super User (Solaris Only)
   SGM enables you to specify one or more super users. A super user can perform most functions that otherwise require the user to be logged in as the root user. (The root user can still perform those functions, too.) If you specify a super user, the server also runs as the super user and not as the root user.
   Caution: As a super user, you can adversely affect your operating environment if you are unaware of the effects of the commands you use. If you are a relatively inexperienced UNIX user, limit your activities as a super user to the tasks described in this document.
   To specify a super user, log in as the root user, as described in the Becoming the Root User (Solaris Only) section on page 2-3, then enter the following commands:
      cd /opt/CSCOsgm/bin
      sgm superuser username
   where username is the name of the user.
   When you specify a super user, keep in mind the following consid
21. e new password cannot be the same as the old password.
   - SGM does not allow users to switch back and forth between two passwords.
   - The password cannot be a common word. SGM uses the dictionary located at /usr/lib/share/dict/words to determine whether a word is common. To override the SGM dictionary, change the DICT_FILE entry in the System.properties file:
     To disable the SGM dictionary and allow common words, change the DICT_FILE entry to:
        DICT_FILE=/dev/null
     To use a custom dictionary, change the DICT_FILE entry to:
        DICT_FILE=new-dictionary
     where new-dictionary is the path and filename of the custom dictionary file, such as /users/rolive/words. Each line in the custom dictionary must contain a single word, with no leading or trailing spaces.
   Configuring SGM User Authentication Levels (Solaris Only)
   This section describes the user authentication levels in SGM, and the SGM functions and Web displays available at each level:
   - Basic User (Level 1) Access, page 18-7
   - Power User (Level 2) Access, page 18-8
   - Network Operator (Level 3) Access, page 18-8
   - Network Administrator (Level 4) Access, page 18-9
   - System Administrator (Level 5) Access, page 18-9
   The authentication level that includes a function is the lowest level with access to that function. The function is also availa
22. erations:
   - The user must exist in the local /etc/passwd file. You cannot specify a user that is defined in a distributed Network Information Services (NIS) system.
   - The super user does not have access to all SGM commands. You must still be logged in as the root user to enter the following commands:
      sgm backup
      sgm browserpath
      sgm certgui
      sgm certtool
      sgm clean
      sgm cleanall
      sgm cleandb
      sgm cw2ksetup
      sgm evilstop
      sgm jspport
      sgm keytool
      sgm killclients
      sgm reboot
      sgm restore
      sgm restoreprops
      sgm setpath (if you are specifying a username)
      sgm ssl
      sgm sslstatus
      sgm stopclients
      sgm superuser
      sgm syncusers
      sgm telnetpath
      sgm trapsetup
      sgm uninstall
      sgm webport
      sgm xtermpath
   - If sgm authtype is set to solaris, you must still be logged in as the root user to enter the following commands:
      sgm adduser
      sgm disableuser
      sgm enableuser
      sgm updateuser
   - If the SNMP trap port number on the SGM server is less than 1024, you cannot use the sgm superuser command. To correct this situation, you must specify a new SNMP trap port number that is greater than 1024. To change the SNMP trap port number in the ITPs in your network, use the snmp-server host c
23. ertificate.
   /opt/CSCOsgm/etc/ssl/server.csr is a certificate signing request (CSR). It is not used if you are using a self-signed SSL certificate.
   - To install a new SSL key and a CA-signed certificate, generate the key and a CSR by logging in as the root user on the SGM server and entering the sgm keytool genkey command. SGM stops the SGM server and issues the following prompts:
      Country Name (2 letter code)
      State or Province Name (full name)
      Locality Name (eg, city)
      Organization Name (eg, company)
      Organizational Unit Name (eg, section)
      Common Name (your hostname)
      Email Address
     Enter the requested information. SGM generates the following files:
     /opt/CSCOsgm/etc/ssl/server.key is the SGM server's private key. Ensure that unauthorized personnel cannot access this key.
     /opt/CSCOsgm/etc/ssl/server.csr is a CSR.
     /opt/CSCOsgm/etc/ssl/server.cer is the self-signed SSL certificate. It is not used if you are using a CA-signed SSL certificate; the CA-signed certificate overrides the self-signed certificate.
     Print the CSR in X.509 format by logging in as the root user on the SGM server and entering the sgm keytool print_csr command.
     Send the CSR to a certificate authority (CA) to be signed.
     After the CA signs the certificate, log in as the root user on the SGM server and enter the following command:
        sgm keytool import_cert cert_filename
     where cert_filename is the name of the signed certif
24. ficate, locate the directory in which you downloaded the certificate.
   File Name: Enter a name for the SSL certificate, or select a file from those listed in the Open field. SGM displays the name of the certificate in the File Name field.
   Files of Type: Specifies the type of file to display, and displays all files of that type in the selected directory. For SSL certificates, this field displays All files, which means files of all types are displayed in the table.
   Up One Level: Displays the sub-folders and files that are in the folder that is up one level from the currently displayed folder.
   Desktop: Displays the sub-folders and files that are on your workstation desktop.
   Create New Folder: Creates a new sub-folder in the displayed folder.
   List: Displays only icons for sub-folders and files.
   Details: Displays detailed information for sub-folders and files, including their size, type, date they were last modified, and so on.
   Open: Imports the file, closes the Open dialog for an SSL certificate, and populates the SGM Certificate Tool dialog with the SSL certificate's information.
   Cancel: Closes the Open dialog for an SSL certificate without importing the file.
   Related Topics:
   - Launching the SGM Certificate Tool for SSL, page 18-31
   Exporting an SSL Certificate
   If you have implemented Secure Sockets Layer (SSL) support in your SGM system, you can export SSL certificates that have been imported to the SGM clien
25. he following command:
sgm userpass username
where username is the name of the user. SGM prompts you for the new password. When setting the password, follow the rules and considerations in the Creating Secure Passwords section on page 18-5. If the user's authentication has also been disabled, SGM re-enables the user's authentication with the new password.
Note: If sgm authtype is set to solaris, you cannot use the sgm userpass command. Instead, you must manage passwords on the external authentication servers.
Step 5 (Optional) To change a user's authentication level and password, enter the following command:
sgm updateuser username
where username is the name of the user.
Note: If sgm authtype is set to solaris, you must be logged in as the root user, not as a super user, to enter this command.
SGM prompts you for the new authentication level. Valid levels are:
• 1 Basic User
• 2 Power User
• 3 Network Operator
• 4 Network Administrator
• 5 System Administrator
For more information about authentication levels, see the Configuring SGM User Authentication Levels (Solaris Only) section on page 18-6. If sgm authtype is set to local, SGM also prompts you for the user's new password. When setting the password, follow t
26. he rules and considerations in the Creating Secure Passwords section on page 18-5.
Step 6 (Optional) To change a user's authentication level, but not the user's password, enter the following command:
sgm newlevel username
where username is the name of the user. SGM prompts you for the new authentication level. Valid levels are:
• 1 Basic User
• 2 Power User
• 3 Network Operator
• 4 Network Administrator
• 5 System Administrator
For more information about authentication levels, see the Configuring SGM User Authentication Levels (Solaris Only) section on page 18-6.
Displaying a Message of the Day
SGM enables you to display a user-specified SGM system notice called the message of the day (Figure 18-1). You can use the message of the day to inform users of important changes or events in the SGM system. The message of the day also gives users an opportunity to exit the SGM or GTT client before launching. If the message of the day is enabled, it is displayed whenever a user attempts to launch an SGM or GTT client.
• If the user accepts the message, the client launches.
• If the user declines the message, the client does not launch.
To display the Message of the Day dialog, use one of the following procedures:
• Launch the SGM or GTT client. If there is a message
27. icate. SGM stops the SGM server and imports the certificate in X.509 format.
• To use an existing signed key/certificate pair, log in as the root user on the SGM server and enter the following command:
sgm keytool import_key key_filename cert_filename
where key_filename is the name of the existing SSL key and cert_filename is the name of the existing signed certificate. SGM stops the SGM server and imports the SSL key in OpenSSL format and the signed SSL certificate in X.509 format.
Step 3 Enable SSL support in SGM by logging in as the root user on the SGM server and entering the sgm ssl enable command.
Step 4 Set up the SGM client-side SSL certificate trust relationship by downloading and importing the self-signed or CA-signed certificate on every remote SGM client, Windows as well as Solaris, that connects to the SGM server.
a. (Self-signed certificate only) Download the self-signed certificate, server.cer, using the procedure in the Downloading the SGM Server's Self-Signed SSL Certificate section on page 18-30.
b. Import the self-signed or CA-signed certificate using the procedure in the Importing an SSL Certificate to an SGM Client section on page 18-33.
Step 5 Restart the SGM client.
The SGM clients can now connect to the SGM server using SSL. All co
28. in
• User's authentication access level
• User's current authentication status, such as Account Enabled or Password Disabled
To list information for only a specific user, enter the following command:
sgm listusers username
where username is the name of the user.
Note: You can also view user account information on the SGM User Accounts Web page. For more information, see the Viewing SGM User Account Information section on page 21-47.
Displaying the Contents of the System Security Log
You can display the contents of the system security log with PAGER. To do so, log in as the root user, as described in the Becoming the Root User (Solaris Only) section on page 2-3, or as a super user, as described in the Specifying a Super User (Solaris Only) section on page 18-24, then enter the following commands:
cd /opt/CSCOsgm/bin
sgm seclog
The following security events are recorded in the log:
• All changes to system security, including adding users
• Login attempts, whether successful or unsuccessful, and logoffs
• Attempts to switch to another user's account, whether successful or unsuccessful
• Attempts to access files or resources of higher authentication level
• Access to all privileged files and processes
• Operating system configuration
29. ing SGM functions:
• Ignoring network objects and views
• Polling nodes
• Telnetting to the ITP
• Viewing route table files and GTT files, but not editing them
Network Operators have access to the following SGM Web displays:
• Point Code Inventories
• System Data Files: Route table files, Global Title Translation (GTT) table files
• System ITP IOS README
Network Administrator (Level 4) Access
Network Administrators have access to all Basic User, Power User, and Network Operator functions. Network Administrators have access to all SGM client functions. Network Administrators have access to the following SGM functions:
• SNMP configuration
• Network Discovery
• Deleting network objects
• Managing and unmanaging nodes
• Editing and saving route table files and GTT files
• Using the Deployment Wizard
Network Administrators have access to the following SGM Web displays:
• System Data Files: Discovery Seeds
System Administrator (Level 5) Access
System Administrators have access to all Basic User, Power User, Network Operator, and Network Administrator functions. System Administrators have access to all functions in SGM. System Administ
30. it: Closes the SGM Certificate Tool dialog.
Help: Displays online help for the current window.
Importing an SSL Certificate to an SGM Client
If you have implemented Secure Sockets Layer (SSL) support in your SGM system, you can import the SGM server's self-signed SSL certificate, or a CA-signed SSL certificate, to all remote SGM clients that connect to the server using SSL. To import an SSL certificate, launch the SGM SSL Certificate Tool, as described in the Launching the SGM Certificate Tool for SSL section on page 18-31, then click Import. SGM displays the Open dialog for SSL certificates (Figure 18-1).
[Figure 18-3: Open Dialog for SSL Certificates]
Use the Open dialog to locate the SSL certificate that you want to import. The Open dialog for an SSL certificate provides the following fields and buttons:
Field or Button: Description
Look In: Enables you to select the directory in which you want to find the SSL certificate. Either accept the default directory, or select a new directory from the drop-down list box. For a self-signed certi
31. me and new password.
Note: If sgm authtype is set to solaris, users cannot change their passwords using the SGM client. Instead, they must manage their passwords on the external authentication servers, using Solaris commands such as passwd. All new passwords take effect the next time SGM automatically synchronizes local SGM passwords with Solaris, or you can manually synchronize passwords at any time using the sgm syncusers command. See the sgm syncusers section on page C-118 for more information.
At this point, you have implemented your basic SGM User-Based Access. Users must now log in before using the SGM client, the GTT client, and SGM Web-based functions. Use the remaining procedures in this section to customize your SGM security system.
Note: After you implement SGM User-Based Access, if a user logs in on one SGM or GTT client, then logs in on a second SGM or GTT client, SGM closes the first client and records the event in the system security log.
Creating Secure Passwords
When setting passwords in SGM, keep in mind the following rules and considerations:
• The password must be at least 6 characters, up to an unlimited number of characters. However, passwords longer than 15 characters are not recommended.
• The password cannot be identical to the user name.
• Th
32. mmunication between the server and clients is encrypted.
If an SGM or GTT client that is not SSL-enabled attempts to connect to an SSL-enabled SGM server, SGM displays an appropriate warning message and opens the SGM client download page. The user can then download and install a new SGM client to use to connect to that SGM server.
If the client is SSL-enabled but does not have the correct certificate, SGM displays an appropriate warning message and opens the SGM Server SSL Certificate page. The user can then download the signed SSL certificate in X.509 format to the client.
Downloading the SGM Server's Self-Signed SSL Certificate
If you have implemented Secure Sockets Layer (SSL) support in your SGM system, you can download the SGM server's signed SSL certificate to all remote SGM clients that connect to the server using SSL. To download the certificate from the SGM Server SSL Certificate page, use the following procedure on each remote SGM client:
Step 1 Use one of the following procedures to access the SGM Server Home Page:
• Select View > SGM Server > Home Page from the SGM Main Menu.
• Enter the following URL in a Web browser:
https://server_name:1774
where server_name is the name or IP address of the server on which the SGM server is running an
33. nfigure the type of SGM security authentication you want to use.
• Local authentication allows you to create user accounts and passwords local to the SGM system. When using this method, you can use SGM User-Based Access commands to manage user names, passwords, and access levels. To enable local authentication, enter the following command:
sgm authtype local
• Solaris authentication uses standard Solaris-based user accounts and passwords, as specified in the /etc/nsswitch.conf file. Authentication can be provided by the local /etc/passwd file or from a distributed Network Information Services (NIS) system. You can use all SGM User-Based Access commands except the following commands:
sgm disablepass
sgm passwordage
sgm userpass
You must use Solaris commands, such as passwd, to manage passwords. Users also cannot change their passwords using the SGM client. Instead, they must manage their passwords on the external authentication servers, using Solaris commands such as passwd. All new passwords take effect the next time SGM automatically synchronizes local SGM passwords with Solaris, or you can manually synchronize passwords at any time using the sgm syncusers command.
In addition, if you have enabled Solaris authentication, you must be logged in as the root user, not a super user, to use the following SGM commands:
sgm adduser
sgm disableuser
sgm enableuser
sgm updateuser
34. of days allowed before users must change their passwords. The valid range is 1 day to an unlimited number of days. There is no default setting. This function is disabled by default. If you do not specify the sgm passwordage command, users never need to change their passwords.
If you have enabled this function and you want to disable it (that is, prevent SGM from forcing users to change passwords), enter the following command:
sgm passwordage clear
Note: If sgm authtype is set to solaris, you cannot use the sgm passwordage command. Instead, you must manage passwords on the external authentication servers.
Step 7 (Optional) You can configure SGM to disconnect an SGM or GTT client automatically after a specified number of minutes of inactivity. To do so, enter the following command:
sgm clitimeout number of minutes
where number of minutes is the number of minutes an SGM or GTT client can be inactive before SGM disconnects the client. The valid range is 1 minute to an unlimited number of minutes. There is no default value. This function is disabled by default. If you do not specify the sgm clitimeout command, clients are never disconnected as a result of inactivity.
If you have enabled this function and you want to disable it (that is, never disconnect a client
35. ommand. By default, SGM listens for traps from trap multiplexing devices and NMS applications on port 44750, so that is a good port number to choose. The SNMP trap port number must be the same on all ITPs in your network. See the description of the snmp-server host command in the ITP Requirements section of the Cisco Signaling Gateway Manager Installation Guide for more information.
Use the sgm trapsetup command to change the SNMP trap port number in the SGM server to match the port number in the ITPs in your network. See the sgm trapsetup section on page C-122 for more information.
Implementing SSL Support in SGM
You can implement Secure Sockets Layer (SSL) support in your SGM system. When you do so, SGM uses secure sockets to encrypt all communication between the SGM clients and server. This section includes the following information:
• Enabling SSL Support in SGM, page 18-27
• Downloading the SGM Server's Self-Signed SSL Certificate, page 18-30
• Launching the SGM Certificate Tool for SSL, page 18-31
• Importing an SSL Certificate to an SGM Client, page 18-33
• Exporting an SSL Certificate, page 18-34
• Viewing Detailed Information About an SSL Certificate, page 18-36
• Managing SSL Support in SGM, page 18-39
• Disabling SSL Support in SGM, page 18-39
Enabling SSL Supp
36. ort in SGM
To enable SSL support in SGM, perform the following tasks:
Step 1 Obtain the SSL-enabled version of SGM. Due to US government restrictions on the export of SSL-enabled software, Cisco provides two versions of SGM: Basic SGM, which does not provide SSL support, and SSL-enabled SGM, which does. To obtain SSL-enabled SGM, you must contact Cisco TAC or your Cisco Account Team. They will help you apply for an export licence and download and install SSL-enabled SGM.
Step 2 Install an SSL key/certificate pair in SGM, using one of the following procedures:
• To install a new SSL key and a self-signed certificate, generate the key and certificate by logging in as the root user on the SGM server and entering the sgm keytool genkey command. SGM stops the SGM server and issues the following prompts:
Country Name (2 letter code)
State or Province Name (full name)
Locality Name (eg, city)
Organization Name (eg, company)
Organizational Unit Name (eg, section)
Common Name (your hostname)
Email Address
Enter the requested information. SGM generates the following files:
/opt/CSCOsgm/etc/ssl/server.key is the SGM server's private key. Ensure that unauthorized personnel cannot access this key.
/opt/CSCOsgm/etc/ssl/server.cer is the self-signed SSL c
37. rators have access to the following SGM Web displays:
• System Messages and Logs
• System Status, including User Accounts and System Troubleshooting
• Trap Host Configuration, including SNMP configuration information
• System Information: System Command Log, System Console Log, System Event Automation Log, System Install Log, System Process Services, System Properties, System Report Parameters and Timers Page, System Reports Log, System Root Variables, System Security Log, System Web Access Log, System Web Error Log
Automatically Disabling Users and Passwords (Solaris Only)
After you have implemented the basic SGM User-Based Access security system, you can customize the system to automatically disable users and passwords when certain conditions are met. To automatically disable users and passwords, use the following procedures:
Step 1 Log in as the root user, as described in the Becoming the Root User (Solaris Only) section on page 2-3, or as a super user, as described in the Specifying a Super User (Solaris Only) section on page 18-24.
Step 2 Enter the following command:
cd /opt/CSCOsgm/bin
Step 3 (Optional) You can configure SGM to generate an alarm after a specified number of unsuccessful login attempts by a user. To do so
38. rpass command.
Enabling and Changing Users and Passwords (Solaris Only)
Of course, SGM also enables you to re-enable users and passwords, and change user accounts. To enable and change users and passwords, use the following procedures:
Step 1 Log in as the root user, as described in the Becoming the Root User (Solaris Only) section on page 2-3, or as a super user, as described in the Specifying a Super User (Solaris Only) section on page 18-24.
Step 2 Enter the following command:
cd /opt/CSCOsgm/bin
Step 3 (Optional) To re-enable a user's authentication, which had been disabled either automatically by SGM or by a super user, enter the following command:
sgm enableuser username
where username is the name of the user. SGM re-enables the user's authentication with the same password as before.
Note: If sgm authtype is set to solaris, you must be logged in as the root user, not as a super user, to enter this command.
Step 4 (Optional) If sgm authtype is set to local, you can change a user's password, or re-enable the user's authentication with a new password, if the user's authentication had been disabled either automatically by SGM or by a super user. To change a password or to re-enable a user's authentication with a new password, enter t
39. t.
To export an SSL certificate, launch the SGM SSL Certificate Tool, as described in the Launching the SGM Certificate Tool for SSL section on page 18-31, select a certificate from the list, then click Export. SGM displays the Save dialog for SSL certificates (Figure 18-1).
[Figure 18-4: Save Dialog for SSL Certificates]
Use the Save dialog to export the SSL certificate to another directory. The Save dialog for an SSL certificate provides the fields and buttons:
Field or Button: Description
Save In: Enables you to select the directory in which you want to save the SSL certificate. Either accept the default directory, or select a new directory from the drop-down list box. For a self-signed certificate, locate the directory in which you downloaded the certificate.
File Name: Enter a name for the SSL certificate, or select a file from those listed in the Save In field. SGM displays the name of the certificate in the File Name field.
40. t as a JPEG, but not saving icon locations
• Viewing network objects, events, details, and notes
• Viewing the ITP home page
• Loading existing event filters, but not saving them
• Printing SGM windows
• Launching CiscoWorks2000
Basic Users have access to the following SGM Web displays:
• Server Home Page
• System README
• Network Status
• System Data Files: Notes, Views, Preferences
• Viewing SGM documentation
• Downloading client software
Power User (Level 2) Access
Power Users have access to all Basic User functions. Power Users can change some aspects of the way SGM works. Power Users have access to the following SGM functions:
• Editing network objects, events, and views
• Unignoring network objects and views
• Saving preferences files, event filters, and views
• Acknowledging events
• Viewing ITP real-time data and charts
• Viewing the event configuration, but not editing it
Power Users have access to the following SGM Web displays:
• System Status, excluding User Accounts and System Troubleshooting
• Accounting Statistics Reports
• Network Statistics Reports
Network Operator (Level 3) Access
Network Operators have access to all Basic User and Power User functions. Network Operators can make changes to SGM network files. Network Operators have access to the follow
41. t install SGM, the ipaccess.conf file does not exist and SGM allows all client IP addresses to connect to the SGM server. To create the ipaccess.conf file and work with the list of allowed client IP addresses, use the following procedure:
Log in as the root user, as described in the Becoming the Root User (Solaris Only) section on page 2-3, or as a super user, as described in the Specifying a Super User (Solaris Only) section on page 18-24.
Enter the following command:
cd /opt/CSCOsgm/bin
Step 3 Create the ipaccess.conf file:
• To create the ipaccess.conf file and add a client IP address to the list, enter the following command:
sgm ipaccess add
• To create the ipaccess.conf file and open the file to edit it directly, enter the following command:
sgm ipaccess edit
The default directory for the file is located in the SGM installation directory:
• If you installed SGM in the default directory, /opt, then the default directory is /opt/CSCOsgm/etc.
• If you installed SGM in a different directory, then the default directory is located in that directory.
In the ipaccess.conf file, begin all comment lines with a pound sign (#). All other lines in the file are SGM client IP addresses, with one address per line. Wildcards are allowed as
42. te Tool. SGM displays the SGM Certificate Tool dialog (Figure 18-1).
[Figure 18-2: SGM Certificate Tool Dialog]
The SGM Certificate Tool dialog displays the following information about each SSL certificate:
Field or Button: Description
Issued to: Host name of the SGM server to which the SSL certificate was issued.
Issued by: Certificate authority (CA) that issued the SSL certificate. Self-signed SSL certificates display the host name of the SGM server.
Expiration Date: Date on which the SSL certificate expires.
Import: Displays the Open dialog for an SSL certificate, which enables you to import SSL certificates.
Export: Displays the Save dialog for an SSL certificate, which enables you to export the selected SSL certificate.
Remove: Removes the selected SSL certificate from the table.
Details: Displays the Certificate Information dialog, which provides detailed information about the selected certificate.
Ex