Use the admin object to configure system administration related parameters in the system. You can configure audit log state, system location, IP version used, password rules and other parameters.

Account Management

Command Syntax

Command syntax for the set command is shown below.


...

% set system admin <SYSTEM NAME> accountManagement
	OSAccountAging
		OSAccountAgingPeriod <7-712 days>
		state <disabled | enabled>
	accountAging
		accountAgingPeriod <30-180 days>
		state <disabled | enabled>
	accountRemoval
		accountRemovalPeriod <60-360 days>
		state <disabled | enabled>
	bruteForceAttack
		allowAutoUnlock <disabled | enabled>
		consecutiveFailedAttemptAllowed <1-10>
		state <disabled | enabled>
		unlockTime <30-3600 seconds>
	bruteForceAttackOS
		OSstate <disabled | enabled>
		allowOSAutoUnlock <disabled | enabled>
		consecutiveFailedOSAttemptAllowed <1-10>
		unlockOSTime <30-5400 seconds>
	maxSessions <1-5>
	passwordAging
		OSstate <disabled | enabled>
		passwordAgingPeriod <30-180>
		passwordExpiryWarningPeriod <3-14 days>
		passwordMinimumAge <1-365 days>
		state <disabled | enabled>
	sessionIdleTimeout 
		idleTimeout <1-120>
		state <disabled | enabled>

Command Parameters

...

Table: Account Management Parameters

...

Parameter

...

Description

...

To minimize the possibility of an unauthorized user compromising inactive OS user accounts (root/linuxadmin/sftpadmin/rss), configure this parameter to specify the number of days of OS account inactivity (OSAccountAgingPeriod) before the account is automatically disabled.

  • OSAccountAgingPeriod <7-712 days> (default = 30) – The number of days of inactivity before the OS user is disabled.
  • state – Enable this flag to apply the account aging period to OS users.
    • disabled
    • enabled

...

Use this parameter to specify the account expiration duration for accounts other than OS management users.

  • accountAgingPeriod (default = 30) – The number of days to elapse, after which the account is locked if left unused (range: 30-180).
  • state – Set flag to "enabled" to enable account aging system-wide.
    • disabled
    • enabled (default)

...

Use this parameter to configure the account removal period.

  • accountRemovalPeriod – Specify the number of days to elapse for an unused user account before it is automatically removed (range: 60-360 days).
  • state – Administrative state of this parameter.
    • disabled (default)
    • enabled

...

Configuration for defense against brute force OAM password guessing attempts.

  • allowAutoUnlock – Enable Auto Unlock of an account blocked due to consecutive wrong password attempts.

    • disabled (default)
    • enabled
  • consecutiveFailedAttemptAllowed (default = 3) – Number of consecutive failed login attempts allowed before account is locked. As a safety measure, the system will not lock out the last/only active Administrator user on the platform. (range: 1-10)

  • state – Enable/disable defense against brute force OAM password guessing attempts

    • disabled (default)
    • enabled
  • unlockTime (default = 30) – If allowAutoUnlock flag is enabled, this parameter specifies the time (in seconds) to elapse before a locked account automatically unlocks. (range: 30-3600)

NOTE: You must first set state to 'disabled' before changing the value of consecutiveFailedAttemptAllowed.

...

Use this configuration to defend against brute force attacks to Linux OS.

  • OSstate – Enable this flag to defend the Linux OS against brute force attacks.
    • enabled
    • disabled (default)
  • allowOSAutoUnlock – Enable this flag to automatically unlock the Linux OS account after a configurable number of seconds set by unlockOSTime parameter.
    • enabled
    • disabled (default)
  • consecutiveFailedOSAttemptAllowed (default = 3) – Number of consecutive failed login attempts allowed before account is locked. (range: 1-10)
  • unlockOSTime – Time interval after which the disabled Linux OS account will automatically unlock. (range: 30-5400 seconds / default = 30 seconds)

...

Maximum number of simultaneous sessions allowed per user (default = 2).

...

Password expiration related configuration.

...

  • disabled
  • enabled (default)

...

  • passwordExpiryWarningPeriod (default = 12) – The number of days prior to the password expiry date on which the user receives a warning to change the password (range: 3-14).
  • passwordMinimumAge (default = 1) – Specify the number of days to elapse before a password is changeable by a non-Administrator user (range: 1-365 days).
  • state – Use this flag to enable/disable passwordAging feature.

    • disabled
    • enabled (default)

...

Session idle timeout related configuration.

  • idleTimeout (default = 10) – The amount of idle time, in minutes, to elapse before ending a session due to inactivity (range: 1-120).
  • state – To use this feature, set this flag to "enabled".
    • disabled
    • enabled (default)

Audit Log State

Command Syntax

% set system admin <SYSTEM NAME> auditLogState <disabled | enabled>

Command Parameters

Table: Audit Log State Parameters

Parameter

Description

auditLogState

Use this flag to specify the management audit log state.

  • disabled
  • enabled (default)

Banner

Command Syntax

% set system admin <SYSTEM NAME> banner <system name>
	ackBanner <disabled | enabled>
	bannerText <text>

 

Command Parameters

Table: Banner Parameters

Parameter

Length/Range

Description

banner

1-23

Use this parameter to customize the post-login banner from EMA and CLI applications.

  • ackBanner – Enable flag to require user to acknowledge (accept) the banner before gaining access to the system each time the user logs into the system.
    • disabled (default)
    • enabled 
  • bannerText – Use this parameter to specify the banner text to display when users log in to EMA and CLI applications.

NOTE: "Field Service" and "Operator" user types are not allowed to change the Login Banner configuration.

CLI Set Warning Support

Command Syntax

% set system admin <SYSTEM NAME> cliSetWarningSupport <disabled | enabled>

Command Parameters

Table: CLI Set Warning Support Parameters

Parameter

Description

cliSetWarningSupport

When this flag is enabled, warning prompts are configured for the "set" command.

  • disabled
  • enabled (default)

Contact

Command Syntax

% set system admin <SYSTEM NAME> contact <contact_info>

Command Parameters

Table: Contact Parameters

Parameter

Length/Range

Description

contact

N/A

Use this parameter to specify system contact information. (default is "Unknown")

DOD

Command Syntax

% set system admin <SYSTEM NAME> dod
	cliAccess <disabled | enabled>
	mode <disabled | enabled>
	pmAccess <disabled | enabled>

Command Parameters

Table: DOD Parameters

Parameter

Description

dod

Use this object to enable DoD mode, and to enable/disable CLI and/or EMA access for temporary troubleshooting and diagnostics.

  • cliAccess – Use this flag to temporarily enable CLI for troubleshooting and diagnostics while the SBC is in DoD mode.
    • disabled (default)
    • enabled
  • mode – Use this flag to enable/disable DoD Mode.
    • disabled (default)
    • enabled
  • pmAccess – Use this flag to temporarily enable EMA's Platform Mode for troubleshooting and diagnostics while the SBC is in DoD mode.
    • disabled (default)
    • enabled

WARNING: Enabling CLI and/or EMA for DoD mode lowers the security posture of the SBC. Remember to disable CLI and PM access once troubleshooting and/or diagnostics is completed.

DSP Mismatch Action

Command Syntax

% set system admin <SYSTEM NAME> dspMismatchAction <preserveCapacity | preserveRedundancy>

Command Parameters

Table: DSP Mismatch Action Parameters

Parameter

Description

dspMismatchAction

Use this parameter to specify the action to take if a DSP mismatch is detected between the active and standby servers. 

  • preserveCapacity – The Active SBC continues to use the extra DSP capacity, as needed, assuming appropriate session licenses are in place; partial redundancy is in effect.

  • preserveRedundancy (default) – The Active SBC automatically triggers a graceful dry-up in an attempt to align DSP hardware capabilities. Once dry-up completes, the Active SBC uses the protected, matching DSP capacity to preserve redundancy.

NOTE: If a switchover occurs, calls using the extra, non-matching DSP capacity on Active are not protected during switchover (i.e. partial redundancy).

NOTE: During the dry-up period, active calls using the extra, non-matching DSP capacity are not protected in the event that a switchover occurs before the dry-up completes.

External Authentication

Command Syntax

...

% set system admin <SYSTEM NAME> externalAuthenticationEnabled <false | true>

Command Parameters

Table: External Authentication Enabled Parameters

Parameter

Description

externalAuthenticationEnabled

The confd CLI user information stored on a remote RADIUS server is available for authentication.

  • false (default)
  • true

FIPS-140-2 Mode

Command Syntax

% set system admin <SYSTEM NAME> fips-140-2 mode <disabled | enabled>

Command Parameters

Table: FIPS-140-2 Mode Parameters

Parameter

Description

fips-140-2 mode

Use this object to enable FIPS-140-2 mode.

  • disabled (default)
  • enabled 

NOTE: Once fips-140-2 mode is enabled, it cannot be 'disabled' through the configuration. A fresh software installation is required to set the FIPS-140-2 mode back to 'disabled'.

For complete details of configuring the SBC for FIPS 140-2 compliance, see the Enabling SBC for FIPS 140-2 Compliance page.

Local Authentication

Command Syntax

% set system admin <SYSTEM NAME> localAuthenticationEnabled <false | true>

Command Parameters

Table: Local Authentication Parameters

Parameter

Description

localAuthenticationEnabled

The confd CLI user information stored locally is available for authentication.

  • false
  • true (default)

Location

Command Syntax

% set system admin <SYSTEM NAME> location <location_info> 

Command Parameters

Table: Location Parameters

Parameter

Description

location

Specifies the physical location of the system.

Password Rules

Command Syntax

% set system admin <SYSTEM NAME> passwordRules 
	maximumRepeatingCharsCount <#>
	minimumDiffWithOldPassword <#>
	minimumLength <#>
	minimumNumberOfDigits <#>
	minimumNumberOfLowercaseChars <#>
	minimumNumberOfOtherChars <#>
	minimumNumberOfUppercaseChars <#>
	passwordHistoryDepth <#>

Command Parameters

Table: Password Rules Parameters

Parameter

Description

passwordRules

The rules implementing confd user password policy.

  • maximumRepeatingCharsCount – Maximum number of consecutive repeating characters in the password. (range: 3-16 / default = 3)
  • minimumDiffWithOldPassword – The minimum differences between the old and the new passwords. (range: 1-8 / default = 4)
  • minimumLength – Minimum number of characters that should be present in the password. (range: 8-24 / default = 8)
  • minimumNumberOfDigits – Minimum number of digits that should be present in the password. (range: 0-16 / default = 1)
  • minimumNumberOfLowercaseChars – Minimum number of lower case characters that should be present in the password. (range: 0-16 / default = 1)
  • minimumNumberOfOtherChars – Minimum number of non-alpha-numeric characters that should be present in the password. (range: 0-16 / default = 1)
  • minimumNumberOfUppercaseChars – Minimum number of upper case characters that should be present in the password. (range: 0-16 / default = 1)
  • passwordHistoryDepth – The number of latest passwords that should be prevented from re-use. (range: 0-10 / default = 4)

REST State

Command Syntax

% set system admin <SYSTEM NAME> rest state <disabled | enabled>

Command Parameters

Table: Rest State Parameters

Parameter

Description

rest

Enable this flag to allow the system to support REST API. For REST API details, see REST API User's Guide.

  • disabled (default)
  • enabled

Standby Server State

Command Syntax

% set system admin <SYSTEM NAME> standbyServerState <disabled | enabled>

Command Parameters

Table: System Admin Parameters (set)

Parameter

Description

standbyServerState

Use this flag to manually enable or disable standby server if the active server fails.

  • disabled
  • enabled (default)

Utility Monitor Statistics Interval

Command Syntax

% set system admin <SYSTEM NAME> utilMonitorStatsInterval <#>

Command Parameters

...

Table: Utility Monitor Statistics Interval

...

Parameter

...

Length/Range

...

Description

...

utilMonitorStatsInterval

...

5-60

Specifies time interval for system resource monitoring statistics. This parameter defines the range of timer interval in minutes used by configuration management for measuring the statistics of certain resources. (default = 15).

...

Utility Monitor Statistics for Number of Past Intervals

Command Syntax

% set system admin <SYSTEM NAME> utilMonitorStatsNumOfPastInterval <#> 

 

Command Parameters

Table: Utility Monitor Statistics - Number of Past Intervals

Parameter

Length/Range

Description

utilMonitorStatsNumOfPastInterval

1-12

The number of past intervals that can be configured for retrieving the statistics data. (default = 4).

 

Request Command

Command syntax for the request command is shown below.

Command Syntax

% request system admin <SYSTEM NAME>
	loadConfig
		allowOldVersion <no | yes>
		filename 
	reGenerateSshRsaKeys
	reKeyConfdEncryptionKeys
	removeSavedConfig fileName <filename>
	restart
	saveConfig fileNameSuffix <suffix>
	setHaConfig
		bondMonitoring <currentValue | direct-connect | network-connect> 
		leaderElection <currentValue | enhanced | standard>
	softReset
	switchover
	verifyDatabaseIntegrity <activeAndStandbyPolicy | activeConfigAndActivePolicy | all>
	zeroizePersistenKeys

 

Command Parameters

...

Table: System Admin Parameters (request)

 

...


...

Parameter

...

Description

...

loadConfig

Load saved configuration and restart the system without rebooting the servers.

...

  • no
  • yes

...

filename – Enter the configuration file to load.

NOTE: In a redundant system, using loadConfig restarts both CEs.

NOTE: If the "reason Configuration file version not compatible with current software version. matrixFileNotAvailable" error is returned, the lswuMatrixSBX5000.bin/lswuMatrixSBX5000.txt file is missing from the /opt/sonus directory. You must restore these files from the release package of the currently running software with the name pattern of "sbc-V0X.YY.ZZRQQQ.x86_64.tar.gz". Unzip and untar the current release's tar.gz file in that directory, return to the CLI and perform the command again.

...

Use this control to regenerate system configuration database encryption keys.

NOTE: Backing up current encrypted parameters in plaintext, if possible, is recommended. Performing a full configuration backup immediately after this activity has successfully completed is further recommended.

...

removeSavedConfig

...

Remove the saved configuration from the system.

  • fileName – Specify filename of configuration to remove from the system.

...

restart

...

Restart system (all CEs).

...

saveConfig

...

Save the current configuration.

  • fileNameSuffix – Use this parameter to specify the filename suffix to use when saving the configuration.

...

Use this action command to configure SBC for Geographical Redundancy High Availability (GRHA) mode when active and standby servers are located in two different data centers to protect SBCs against data center and network failures. To configure/change just one setting, use currentValue option for the other setting.

  • bondMonitoring – Select the bond monitoring type for GRHA mode.
    • currentValue 
    • direct-connect
    • network-connect
  • leaderElection – Select the leader election algorithm type to use for GRHA mode.
    • currentValue 
    • enhanced
    • standard

References:

Note

Bond monitoring is not applicable to

Spacevars
0product2
.

...

softReset

...

Restart the applications on the system without rebooting the server(s).

...

switchover

...

Perform a switchover of the management applications and restart all applications on currently active server.

...

Use this command to verify that the policy and configuration databases on the active server are in sync and that the policy databases on the active and standby servers are in sync. Because these commands take a few seconds to execute, it is not advisable to constantly run these commands on systems.

  • activeAndStandbyPolicy – Check if policy databases on the active and standby servers are in sync.
  • activeConfigAndActivePolicy – Check if the policy and configuration databases on the active server are in sync.
  • all – Perform both of the above checks.

To view the results of the above checks, use the 'show table system databaseIntegrity' command. See Show Table System for details.

...

Use this control to securely erase all persistent CSPs from the system. The server reboots after confirmation.

 

Command Examples

The following example displays system administrative information:

% show system admin
admin sbx1 {
    auditLogState       enabled;
    dspMismatchAction   preserveRedundancy;
    passwordRules {
        minimumLength                 8;
        minimumNumberOfUppercaseChars 1;
        minimumNumberOfLowercaseChars 1;
        minimumNumberOfDigits         1;
        minimumNumberOfOtherChars     1;
        passwordHistoryDepth          4;
        maximumRepeatingCharsCount    3;
        minimumDiffWithOldPassword    4;
    }
    fips-140-2 {
        mode disabled;
    }
    dod {
        mode disabled;
    }
} 
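
The following added example (not from the original page or the product) parses output in the format shown above, checks values against the ranges documented on this page, and reports security flags that are not enabled. The sample text is constructed; showing accountManagement as a nested block, and treating an absent flag as holding its documented default, are assumptions.

```python
# Constructed sample in the layout of the page's "show system admin" example;
# showing accountManagement as a nested block is an assumption.
SAMPLE = """\
admin sbx1 {
    auditLogState enabled;
    passwordRules {
        passwordHistoryDepth 12;
    }
    accountManagement {
        sessionIdleTimeout {
            state       disabled;
            idleTimeout 10;
        }
    }
}
"""

# Ranges exactly as documented on this page.
RANGES = {
    "passwordRules.minimumLength": (8, 24),
    "passwordRules.passwordHistoryDepth": (0, 10),
    "accountManagement.sessionIdleTimeout.idleTimeout": (1, 120),
}
# Flags this example wants enabled -> documented default, assumed when absent.
WANT_ENABLED = {
    "auditLogState": "enabled",
    "accountManagement.bruteForceAttack.state": "disabled",
    "accountManagement.sessionIdleTimeout.state": "enabled",
}

def parse_show_output(text):
    """Flatten brace-delimited CLI output into {"block.key": "value"}."""
    settings, stack = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("%"):   # skip blanks and prompt lines
            continue
        if line.endswith("{"):
            stack.append(line.split()[0])      # "admin sbx1 {" -> "admin"
        elif line == "}" and stack:
            stack.pop()
        elif line.endswith(";") and len(line[:-1].split(None, 1)) == 2:
            key, value = line[:-1].split(None, 1)
            # Drop the outer "admin" level so keys match the page's object names.
            settings[".".join(stack[1:] + [key])] = value.strip()
        else:
            raise ValueError(f"unrecognised or unbalanced line: {line!r}")
    if stack:
        raise ValueError("unclosed block: " + ".".join(stack))
    return settings

def audit(settings):
    """Return findings: out-of-range values and flags that are not enabled."""
    findings = []
    for key, (low, high) in RANGES.items():
        value = settings.get(key)
        if value is not None and not (value.isdigit() and low <= int(value) <= high):
            findings.append(f"{key}={value} outside documented range {low}-{high}")
    for key, default in WANT_ENABLED.items():
        if settings.get(key, default) != "enabled":
            findings.append(f"{key} is not enabled")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(parse_show_output(SAMPLE))))
```

The parser also accepts the flat key/value lines returned when a single object such as bruteForceAttack is displayed.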

 

The following example sets the Banner content to require user acknowledgement:

% set system admin SBC01 banner ackBanner enabled bannerText "This computer system, including all related equipment and network devices (including Internet access), are provided for authorized use only"
% commit

 

The following example uses the Account Management feature to accomplish the following actions:

  • Allows a locked account to unlock after five minutes
  • Enables defense against brute force attacks
  • Sets the number of consecutive failed attempts to "3"
% set system admin MYSBC accountManagement bruteForceAttack state enabled allowAutoUnlock enabled consecutiveFailedAttemptAllowed 3 unlockTime 300

% show system admin MYSBC accountManagement bruteForceAttack
state                           enabled;
consecutiveFailedAttemptAllowed 3;
allowAutoUnlock                 enabled;
unlockTime                      300;

To set bond monitoring type to 'network-connect' and leader election algorithm type to 'enhanced':

% request system admin sbx1 setHaConfig bondMonitoring network-connect leaderElection enhanced  

 

To set bond monitoring type to 'direct-connect' and retain current setting of leader election algorithm:

% request system admin sbx1 setHaConfig bondMonitoring direct-connect leaderElection currentValue

 

