nn42040-601_security


8/10/2019 nn42040-601_Security 1/230

Avaya Aura Application Server 5300 Security

Release 3.0

NN42040-601, Document Revision: 04.AU

May 3, 2012

Avaya - Proprietary. Use pursuant to the terms of your signed agreement or Avaya policy.

DRAFT May 3, 2012 8:51 PM (UTC+01:00)

© 2012 Avaya Inc.

All Rights Reserved.

Notice

While reasonable efforts have been made to ensure that the information in this document is complete and accurate at the time of printing, Avaya assumes no liability for any errors. Avaya reserves the right to make changes and corrections to the information in this document without the obligation to notify any person or organization of such changes.

Documentation disclaimer

"Documentation" means information published by Avaya in varying mediums which may include product information, operating instructions and performance specifications that Avaya generally makes available to users of its products. Documentation does not include marketing materials. Avaya shall not be responsible for any modifications, additions, or deletions to the original published version of documentation unless such modifications, additions, or deletions were performed by Avaya. End User agrees to indemnify and hold harmless Avaya, Avaya's agents, servants and employees against all claims, lawsuits, demands and judgments arising out of, or in connection with, subsequent modifications, additions or deletions to this documentation, to the extent made by End User.

Link disclaimer

Avaya is not responsible for the contents or reliability of any linked Web sites referenced within this site or documentation provided by Avaya. Avaya is not responsible for the accuracy of any information, statement or content provided on these sites and does not necessarily endorse the products, services, or information described or offered within them. Avaya does not guarantee that these links will work all the time and has no control over the availability of the linked pages.

Warranty

Avaya provides a limited warranty on its Hardware and Software ("Product(s)"). Refer to your sales agreement to establish the terms of the limited warranty. In addition, Avaya's standard warranty language, as well as information regarding support for this Product while under warranty is available to Avaya customers and other parties through the Avaya Support Web site: http://support.avaya.com. Please note that if you acquired the Product(s) from an authorized Avaya reseller outside of the United States and Canada, the warranty is provided to you by said Avaya reseller and not by Avaya.

Licenses

THE SOFTWARE LICENSE TERMS AVAILABLE ON THE AVAYA WEBSITE, HTTP://SUPPORT.AVAYA.COM/LICENSEINFO/ ARE APPLICABLE TO ANYONE WHO DOWNLOADS, USES AND/OR INSTALLS AVAYA SOFTWARE, PURCHASED FROM AVAYA INC., ANY AVAYA AFFILIATE, OR AN AUTHORIZED AVAYA RESELLER (AS APPLICABLE) UNDER A COMMERCIAL AGREEMENT WITH AVAYA OR AN AUTHORIZED AVAYA RESELLER. UNLESS OTHERWISE AGREED TO BY AVAYA IN WRITING, AVAYA DOES NOT EXTEND THIS LICENSE IF THE SOFTWARE WAS OBTAINED FROM ANYONE OTHER THAN AVAYA, AN AVAYA AFFILIATE OR AN AVAYA AUTHORIZED RESELLER; AVAYA RESERVES THE RIGHT TO TAKE LEGAL ACTION AGAINST YOU AND ANYONE ELSE USING OR SELLING THE SOFTWARE WITHOUT A LICENSE. BY INSTALLING, DOWNLOADING OR USING THE SOFTWARE, OR AUTHORIZING OTHERS TO DO SO, YOU, ON BEHALF OF YOURSELF AND THE ENTITY FOR WHOM YOU ARE INSTALLING, DOWNLOADING OR USING THE SOFTWARE (HEREINAFTER REFERRED TO INTERCHANGEABLY AS "YOU" AND "END USER"), AGREE TO THESE TERMS AND CONDITIONS AND CREATE A BINDING CONTRACT BETWEEN YOU AND AVAYA INC. OR THE APPLICABLE AVAYA AFFILIATE ("AVAYA").

Avaya grants End User a license within the scope of the license types described below. The applicable number of licenses and units of capacity for which the license is granted will be one (1), unless a different number of licenses or units of capacity is specified in the Documentation or other materials available to End User. "Designated Processor" means a single stand-alone computing device. "Server" means a Designated Processor that hosts a software application to be accessed by multiple users. "Software" means the computer programs in object code, originally licensed by Avaya and ultimately utilized by End User, whether as stand-alone Products or pre-installed on Hardware. "Hardware" means the standard hardware originally sold by Avaya and ultimately utilized by End User.

License Types

Designated System(s) License (DS). End User may install and use each copy of the Software on only one Designated Processor, unless a different number of Designated Processors is indicated in the Documentation or other materials available to End User. Avaya may require the Designated Processor(s) to be identified by type, serial number, feature key, location or other specific designation, or to be provided by End User to Avaya through electronic means established by Avaya specifically for this purpose.

Concurrent User License (CU). End User may install and use the Software on multiple Designated Processors or one or more Servers, so long as only the licensed number of Units are accessing and using the Software at any given time. A "Unit" means the unit on which Avaya, at its sole discretion, bases the pricing of its licenses and can be, without limitation, an agent, port or user, an e-mail or voice mail account in the name of a person or corporate function (e.g., webmaster or helpdesk), or a directory entry in the administrative database utilized by the Software that permits one user to interface with the Software. Units may be linked to a specific, identified Server.

Database License (DL). End User may install and use each copy of the Software on one Server or on multiple Servers provided that each of the Servers on which the Software is installed communicate with no more than a single instance of the same database.

CPU License (CP). End User may install and use each copy of the Software on a number of Servers up to the number indicated by Avaya provided that the performance capacity of the Server(s) does not exceed the performance capacity specified for the Software. End User may not re-install or operate the Software on Server(s) with a larger performance capacity without Avaya's prior consent and payment of an upgrade fee.

Named User License (NU). End User may: (i) install and use the Software on a single Designated Processor or Server per authorized Named User (defined below); or (ii) install and use the Software on a Server so long as only authorized Named Users access and use the Software. "Named User" means a user or device that has been expressly authorized by Avaya to access and use the Software. At Avaya's sole discretion, a "Named User" may be, without limitation, designated by name, corporate function (e.g., webmaster or helpdesk), an e-mail or voice mail account in the name of a person or corporate function, or a directory entry in the administrative database utilized by the Software that permits one user to interface with the Software.

Shrinkwrap License (SR). Customer may install and use the Software in accordance with the terms and conditions of the applicable license agreements, such as "shrinkwrap" or "clickthrough" license accompanying or applicable to the Software ("Shrinkwrap License"). (See "Third-party Components" for more information.)

Copyright

Except where expressly stated otherwise, no use should be made of materials on this site, the Documentation, Software, or Hardware provided by Avaya. All content on this site, the documentation and the Product provided by Avaya including the selection, arrangement and design of the content is owned either by Avaya or its licensors and is protected by copyright and other intellectual property laws including the sui generis rights relating to the protection of databases. You may not modify, copy, reproduce, republish, upload, post, transmit or distribute in any way any content, in whole or in part, including any code and software unless expressly authorized by Avaya. Unauthorized reproduction, transmission, dissemination, storage, and or use without the express written consent of Avaya can be a criminal, as well as a civil offense under the applicable law.

Avaya Aura Application Server 5300 Security, May 3, 2012

Third-party components

Certain software programs or portions thereof included in the Product may contain software distributed under third party agreements ("Third Party Components"), which may contain terms that expand or limit rights to use certain portions of the Product ("Third Party Terms"). Information regarding distributed Linux OS source code (for those Products that have distributed the Linux OS source code), and identifying the copyright holders of the Third Party Components and the Third Party Terms that apply to them is available on the Avaya Support Web site: http://support.avaya.com/Copyright.

Preventing Toll Fraud

"Toll fraud" is the unauthorized use of your telecommunications system by an unauthorized party (for example, a person who is not a corporate employee, agent, subcontractor, or is not working on your company's behalf). Be aware that there can be a risk of Toll Fraud associated with your system and that, if Toll Fraud occurs, it can result in substantial additional charges for your telecommunications services.

Avaya Toll Fraud Intervention

If you suspect that you are being victimized by Toll Fraud and you need technical assistance or support, call Technical Service Center Toll Fraud Intervention Hotline at +1-800-643-2353 for the United States and Canada. For additional support telephone numbers, see the Avaya Support Web site: http://support.avaya.com. Suspected security vulnerabilities with Avaya products should be reported to Avaya by sending mail to: [email protected]

Trademarks

The trademarks, logos and service marks ("Marks") displayed in this site, the Documentation and Product(s) provided by Avaya are the registered or unregistered Marks of Avaya, its affiliates, or other third parties. Users are not permitted to use such Marks without prior written consent from Avaya or such third party which may own the Mark. Nothing contained in this site, the Documentation and Product(s) should be construed as granting, by implication, estoppel, or otherwise, any license or right in and to the Marks without the express written permission of Avaya or the applicable third party.

Avaya is a registered trademark of Avaya Inc.

All non-Avaya trademarks are the property of their respective owners, and Linux is a registered trademark of Linus Torvalds.

Portions copyright 2001-2010 Certicom Corp. All rights reserved.

Downloading Documentation

For the most current versions of Documentation, see the Avaya Support Web site: http://support.avaya.com.

Contact Avaya Support

Avaya provides a telephone number for you to use to report problems or to ask questions about your Product. The support telephone number is 1-800-242-2121 in the United States. For additional support telephone numbers, see the Avaya Web site: http://support.avaya.com.


Chapter 5: Security configuration and management overview ..... 51
  Application administrator security ..... 51
    Administrator password complexity ..... 52
    Password aging ..... 54
    Log on session constraints ..... 55
    Application warning banners ..... 55
    Administrative user accounts ..... 56
    Special rules for the Security Administrator ..... 57
    MCP SNMP Community Strings ..... 58
    Administrative security services ..... 58
    Application administrator (Admin) security defaults ..... 59
  Web server logs ..... 60
  Internal database account security ..... 60
  Database application security ..... 60
  Subscriber security ..... 61
    Password policies and domains ..... 62
    Password expiry during active call ..... 63
    Subscriber lockout ..... 63
  Domain security ..... 64
  Antivirus ..... 65
  File system integrity ..... 65
    Verification reports ..... 66
    FSI baseline management ..... 66
    FSI baseline exclusions ..... 66
    FSI baseline backup and restore ..... 67
    Configuration file ..... 67
  HTTPS certificates ..... 67
  AS 5300 Element Manager Console CAC integration ..... 68
  AS 5300 UC Client CAC integration ..... 68
  Application logging ..... 68
  Security logs ..... 69
    Syslog ..... 69
    System audit ..... 70
    Failed logons ..... 71
    File activity in restricted areas ..... 72
    Backup of security logs ..... 72
  System alarms ..... 73

Chapter 6: Database password management ..... 75
  Resetting the internal database account passwords ..... 75
  Changing the Schema account password ..... 76
  Changing the database application password, without changing the load ..... 76
  Changing the database application password during an upgrade ..... 78

Chapter 7: Antivirus management ..... 79
  Updating the virus definitions ..... 79
  Scheduling virus scans ..... 80

Chapter 8: File system integrity management ..... 83
  Creating an FSI baseline ..... 83


  Verifying the file system against a baseline ..... 84
  Managing FSI baselines ..... 84

Chapter 9: Security log management ..... 87
  Configuring a remote syslog server ..... 87
  Deleting a remote syslog server ..... 88
  Modifying system audit logs ..... 88

Chapter 10: Application administrator security configuration and management ..... 89
  Enabling web server logs ..... 90
  Configuring application administrator password rules ..... 91
    Configuring application administrator password rules job aid ..... 91
  Configuring a new AS 5300 Element Manager Console role ..... 94
    Configuring a new AS 5300 Element Manager Console role job aid ..... 94
  Configuring a new AS 5300 Element Manager Console administrator ..... 98
    Configuring a new AS 5300 Element Manager Console user job aid ..... 99
  Assigning a role to an AS 5300 Element Manager Console Administrator ..... 100
  Configuring log on and session rules ..... 100
    Configuring log on and session rules job aid ..... 101
  Configuring a new Provisioning Client role ..... 102
  Configuring a new Provisioning Client Admin ..... 102
    Configuring a new Provisioning Client Admin job aid ..... 103
  Configuring warning banners ..... 104
    Configuring warning banners job aid ..... 105
  Modifying log on and session rules ..... 105
    Modifying log on and session rules job aid ..... 106
  Modifying application administrator password rules ..... 107
    Modifying application administrator password rules job aid ..... 107
  Modifying an AS 5300 Element Manager Console role ..... 110
    Modifying a new AS 5300 Element Manager Console role job aid ..... 110
  Modifying an AS 5300 Element Manager Console administrator ..... 111
    Modifying an AS 5300 Element Manager Console user job aid ..... 111
  Disabling an AS 5300 Element Manager Console user account ..... 112
  Disabling password aging rules for an account ..... 112
  Viewing and forcing off users ..... 113
  Exporting configuration data for AS 5300 Element Manager Console ..... 113
  Importing configuration data for AS 5300 Element Manager Console ..... 114
  Deleting an AS 5300 Element Manager Console role ..... 115
  Deleting an AS 5300 Element Manager Console user ..... 115
  Resetting the password for the AS 5300 Element Manager Console admin account ..... 116
  Resetting the password for an AS 5300 Element Manager Console administrator ..... 117
  Changing your AS 5300 Element Manager Console password ..... 118
  Modifying a Provisioning Client role ..... 118
    Modifying a Provisioning Client role job aid ..... 119
  Listing Provisioning Client Admin users ..... 119
  Searching for Provisioning Client users by role ..... 119
  Searching for inactive Provisioning Client users ..... 120
  Modifying a Provisioning Client Admin ..... 120
  Deleting a Provisioning Client user ..... 121


  Resetting the password for the Provisioning Manager admin account ..... 121
  Resetting the password for a Provisioning Client administrator ..... 122
  Changing your Provisioning Client password ..... 123

Chapter 11: Application security configuration ..... 125
  Configuring the AS 5300 Element Manager with certificates for HTTPS ..... 125
  Configuring the Provisioning Manager with certificates for HTTPS ..... 126
  Configuring the AS 5300 Element Manager Console with certificates for HTTPS and SIP (CAC) ..... 127

Chapter 12: Certificate management overview ..... 129

Chapter 13: Certificate preparation ..... 131
  Generating a CSR ..... 133
    Generating a CSR job aid ..... 133
  Installing a CA or CA-signed certificate ..... 134
    Installing a CA or CA-signed certificate job aid ..... 135
  Exporting a PKCS12 file ..... 135
  Installing custom certificates into the AS 5300 Element Manager keystore ..... 136
  Verifying that CA certificates import into the AS 5300 Element Manager truststore ..... 137

Chapter 14: Certificate management ..... 139
  Listing all certificates ..... 139
    Listing all certificates job aid ..... 140
  Installing a CA or CA-signed certificate ..... 140
    Installing a CA or CA-signed certificate job aid ..... 140
  Uninstalling a certificate ..... 141
  Verifying a certificate chain ..... 141
    Verifying a certificate chain job aid ..... 142
  Importing a PKCS12 file ..... 142
  Exporting a PKCS12 file ..... 143
  Identifying the friendly name of a certificate ..... 143
    Identifying the friendly name of a certificate job aid ..... 144
  Identifying the subject of a certificate installed in the certificate database (Unix) ..... 144
    Identifying the subject field of a certificate installed in the certificate database (Unix) job aid ..... 145
  Identifying the subject of a certificate that is not installed in the certificate database (Unix) ..... 146
    Identifying the subject field of a certificate that is not installed in the certificate database (Unix) job aid ..... 146
  Identifying the subject field of a certificate installed in the certificate database (Windows) ..... 147
    Identifying the subject field of a certificate installed in the certificate database (Windows) job aid ..... 147

Chapter 15: Core application certificate management ..... 149
  Importing an internal certificate to the keystore ..... 149
    Importing an internal certificate to the keystore job aid ..... 150
  Viewing an internal certificate in the keystore ..... 150
  Removing an internal certificate from the keystore ..... 151
  Configuring the AS 5300 Element Manager with certificates for HTTPS and SIP ..... 151
  Configuring the AS 5300 Session Manager with certificates for HTTPS and SIP ..... 152
  Configuring HTTPS and SIP certificates for the Provisioning Manager ..... 153
  Configuring the AS 5300 Element Manager Console with certificates for HTTPS and SIP (CAC) ..... 154
  Configuring the AS 5300 Element Manager Console with certificates for HTTPS and SIP (manual) ..... 155
  Configuring the Avaya Aura AS 5300 Personal Agent with certificates for HTTPS and SIP ..... 156

Chapter 16: Truststore certificate management ..... 157

    Avaya - Proprietary. Use pursuant to the terms of your signed agreement or Avaya policy.

    DRAFTMay 3, 20128:51 PM (UTC+01:00)

    8 Avaya AuraApplication Server 5300 Security May 3, 2012

  • 8/10/2019 nn42040-601_Security

    9/230

    Importing a CA certificate to the truststore................................................................................................ 157

    Viewing a CA certificate in the truststore.................................................................................................. 158

    Removing a CA certificate from the truststore.......................................................................................... 158

    Chapter 17: OCSP configuration....................................................................................... 161Configuring the operating system to support OCSP................................................................................. 162

    Configuring the operating system to support OCSP job aid............................................................. 162

    Configuring the AS 5300 Element Manager to support OCSP................................................................. 163Configuring the AS 5300 Session Manager to support OCSP.................................................................. 163

    Configuring the Provisioning Manager to support OCSP.......................................................................... 164

    Configuring the AS 5300 Element Manager Console to support OCSP................................................... 165

    Verifying access to the OCSP server........................................................................................................ 166

    Chapter 18: IPsec configuration overview........................................................................ 167Secure communication.............................................................................................................................. 167

    Default staging certificates........................................................................................................................ 167

    Server addresses and service addresses................................................................................................. 168

    IPsec tunnel rules...................................................................................................................................... 169

    Trusted node relationships........................................................................................................................ 169

    IPsec custom certificates.......................................................................................................................... 170

    IPsec automatic CRL retrieval................................................................................................................... 170

    IPsec limitations and restrictions............................................................................................................... 170

    Chapter 19: IPsec serv ice management........................................................................... 173Starting or restarting the IPsec service..................................................................................................... 173

    Stopping the IPsec service........................................................................................................................ 173

    Verifying IPsec connection status............................................................................................................. 174

    Verifying IPsec connection status job aid......................................................................................... 174

    Chapter 20: IPsec configuration........................................................................................ 175Generating the internal IPsec configuration file........................................................................................ 177

    Installing the internal IPsec configuration file on the primary EMS server................................................ 178

    Installing the internal IPsec configuration file on non-primary EMS servers............................................. 178

    Creating the external IPsec configuration file........................................................................................... 179Creating the external IPsec configuration file job aid....................................................................... 180

    Installing a custom IPsec certificate.......................................................................................................... 181

    Configuring IPsec for automatic CRL retrieval.......................................................................................... 182

    Configuring IPsec for automatic CRL retrieval job aid...................................................................... 182

    Verifying IPsec automatic CRL retrieval.................................................................................................... 183

    Verifying IPsec automatic CRL retrieval job aid............................................................................... 183

    Manually adding a CA chain..................................................................................................................... 184

    Chapter 21: Access control rules ...................................................................................... 185Access control rules overview................................................................................................................... 185

    Trusted nodes........................................................................................................................................... 186

    Trusted ports............................................................................................................................................. 186

    Internal trusted node mesh....................................................................................................................... 187

    Access control tools.................................................................................................................................. 187

    DSCP marking.......................................................................................................................................... 188

    DSCP marking configuration tools................................................................................................... 189

    Default DSCP configuration............................................................................................................. 189

    Access control default system configuration............................................................................................. 190

    Avaya - Proprietary. Use pursuant to the terms of your signed agreement or Avaya policy.

    DRAFTMay 3, 20128:51 PM (UTC+01:00)

    Avaya AuraApplication Server 5300 Security May 3, 2012 9

  • 8/10/2019 nn42040-601_Security

    10/230

    Access control limitations and restrictions................................................................................................ 191

    Chapter 22: Access control configuration........................................................................ 193Chapter 23: Internal access control configuration.......................................................... 195

    Generating the internal ACL file ................................................................................................................ 197

    Installing the internal ACL configuration file on the primary EMS ............................................................. 197

    Installing the internal ACL configuration file on the other servers............................................................. 198

    Chapter 24: Access control rules management ............................................................... 199Importing access control rules.................................................................................................................. 199

    Importing access control rules job aid.............................................................................................. 200

    Viewing all configured access control rules.............................................................................................. 200

    Rolling back to the previous access control configuration........................................................................ 201

    Restoring the access control default configuration................................................................................... 201

    Viewing trusted node and port configurations with iptstatus..................................................................... 202

    Viewing trusted node and port configurations with iptstatus job aid................................................. 202

    Syntax of an access control rule in the raw format job aid............................................................... 203

    ACL configuration job aid................................................................................................................. 204

    Chapter 25: Access control rules enforcement............................................................... 205

    Enforcing access control rules.................................................................................................................. 205Chapter 26: NTP server management............................................................................... 207

    Updating the primary clock source servers............................................................................................... 208

    Updating the primary clock source servers when your system uses symmetric key encryption...... 208

    Updating the secondary clock source servers.......................................................................................... 209

    Updating the secondary clock source servers when your system uses symmetric key encryption. 210

    Configuring a server as a nonclock source............................................................................................... 211

    Chapter 27: TLS configuration........................................................................................... 213Configuring the AS 5300 Session Managers to use only TLS.................................................................. 213

    Variable definitions........................................................................................................................... 214

    Configuring the AS 5300 Session Managers to use only TLS job aid.............................................. 214

    Configuring the Provisioning Managers to use only TLS.......................................................................... 215

    Variable definitions........................................................................................................................... 215Configuring the Provisioning Managers to use only TLS job aid...................................................... 215

    Chapter 28: TLS Mutual authentication............................................................................ 217Enabling mutual authentication mode for SIP........................................................................................... 217

    Enabling mutual authentication mode for HTTPS..................................................................................... 218

    Chapter 29: FIPS overview................................................................................................. 219FIPS compliance....................................................................................................................................... 219

    Platform..................................................................................................................................................... 220

    SSH........................................................................................................................................................... 220

    AS 5300 Element Manager Console......................................................................................................... 220

    Chapter 30: Cipher suite configuration............................................................................. 221Configuring OAMP ciphers........................................................................................................................

    222Configuring external OAMP ciphers.......................................................................................................... 222

    Configuring HTTPS ciphers...................................................................................................................... 223

    Configuring signaling ciphers.................................................................................................................... 224

    Chapter 31: FIPS management.......................................................................................... 225Stopping a network element..................................................................................................................... 225

    Enabling FIPS on the platform.................................................................................................................. 226

    Avaya - Proprietary. Use pursuant to the terms of your signed agreement or Avaya policy.

    DRAFTMay 3, 20128:51 PM (UTC+01:00)

    10 Avaya AuraApplication Server 5300 Security May 3, 2012

  • 8/10/2019 nn42040-601_Security

    11/230

    Enabling FIPS on the platform job aid.............................................................................................. 227

    Installing the FIPS-compliant AS 5300 Element Manager Console.......................................................... 227

    Updating the FIPS-compliant AS 5300 Element Manager Console.......................................................... 229

    Starting a network element....................................................................................................................... 230

    Avaya - Proprietary. Use pursuant to the terms of your signed agreement or Avaya policy.

    DRAFTMay 3, 20128:51 PM (UTC+01:00)

    Avaya AuraApplication Server 5300 Security May 3, 2012 11

  • 8/10/2019 nn42040-601_Security

    12/230

    Avaya - Proprietary. Use pursuant to the terms of your signed agreement or Avaya policy.

    DRAFTMay 3, 20128:51 PM (UTC+01:00)

    12 Avaya AuraApplication Server 5300 Security May 3, 2012

  • 8/10/2019 nn42040-601_Security

    13/230

Chapter 1: New in this release

The following sections detail what is new in Avaya Aura Application Server 5300 Security, NN42040-601,
for Avaya Aura Application Server 5300 Release 3.0.

Navigation

Features on page 13
Other changes on page 13

Features

For information about feature-related changes, see the following sections:

Password complexity on page 27
Administrator password complexity on page 52
Subscriber security on page 61
Password policies and domains on page 62
Configuring application administrator password rules on page 91
Modifying application administrator password rules on page 107

For more information about the features that are new for this release, see Avaya Aura
Application Server 5300 Release Delta, NN42040-201.

Other changes

Revision history

May 2012 Draft 04.AU. This document is issued for Avaya Aura Application Server 5300 Release 3.0.
Edited a few links in chapter navigation sections.

April 2012 Draft 04.AT. This document is issued for Avaya Aura Application Server 5300 Release 3.0.
Updated the following section:
FSI baseline exclusions on page 66

March 2012 Draft 04.AS. This document is issued for Avaya Aura Application Server 5300 Release 3.0.
Updated the following section to state that Attachmate Reflection for Secure IT is not included
with the system, but must be purchased separately:
Secure Shell and Common Access Card integration on page 32

February 2012 Draft 04.AR. This document is issued for Avaya Aura Application Server 5300 Release 3.0.
Replaced the reference to the ntossadm account with the OSS role in Preconfigured accounts on page 31.

January 2012 Draft 04.AQ. This document is issued for Avaya Aura Application Server 5300 Release 3.0.
Made changes to formatting throughout the document.

November 2011 Draft 04.AP. This document is issued for Avaya Aura Application Server 5300 Release 3.0.
Added the following sections for Avaya Media Server content integration:
Adding emergency users on page 39
Deleting emergency users on page 41

November 2011 Draft 04.AO. This document is issued for Avaya Aura Application Server 5300 Release 3.0.
Updated various figures to comply with Release 3.0 branding and product naming.

October 2011 Draft 04.AN. This document is issued for Avaya Aura Application Server 5300 Release 3.0.
Updated the following sections:
Updating the primary clock source servers when your system uses symmetric key encryption on page 208
Updating the secondary clock source servers when your system uses symmetric key encryption on page 210

August 2011 Draft 04.AM. This document is issued for Avaya Aura Application Server 5300 Release 3.0.
Performed a generic cleanup of the document for product naming and profiling, including the following
changes:
Replaced System Manager with AS 5300 Element Manager as a variable.
Replaced System Management Console with AS 5300 Element Manager Console as a variable.
Replaced Media Application Server with Avaya Media Server as a variable.

August 2011 Draft 04.AL. This document is issued for Avaya Aura Application Server 5300 Release 3.0.
Added the following section:
AS5300 UC Client CAC integration on page 68

August 2011 Draft 04.AK. This document is issued for Avaya Aura Application Server 5300 Release 3.0.
Updated the following section:
Password complexity on page 27

July 2011 Draft 04.AJ. This document is issued for Avaya Aura Application Server 5300 Release 3.0.
Updated the following sections:
Password complexity on page 27
Application administrator (Admin) security defaults on page 59
Subscriber security on page 61
Modifying an AS 5300 Element Manager Console user job aid on page 111

July 2011 Draft 04.AI. This document is issued for Avaya Aura Application Server 5300 Release 3.0.
Removed references to UNIStim and IP Client Manager (IPCM).

June 2011 Draft 04.AH. This document is issued for Avaya Aura Application Server 5300 Release 3.0.
Added the following section:
Password expiry during active call on page 63

June 2011 Draft 04.AG. This document is issued for Avaya Aura Application Server 5300 Release 3.0.
Updated the following sections:
Password complexity on page 27
Administrator password complexity on page 52
Subscriber security on page 61

June 2011 Draft 04.AF. This document is issued for Avaya Aura Application Server 5300 Release 3.0.
Updated for wi00890695, removing all mention of IP Client Manager (IPCM).

May 2011 Draft 04.AE. This document is issued for Avaya Aura Application Server 5300 Release 3.0.
Edited the following section:
Application administrator password rules on page 52

May 2011 Draft 04.AD. This document is issued for Avaya Aura Application Server 5300 Release 3.0.
Added or edited the following sections:
Configuring log on and session rules job aid on page 101
Modifying log on and session rules job aid on page 106
Application administrator password rules on page 52

March 2011 Draft 04.AC. This document is issued for Avaya Aura Application Server 5300 Release 3.0.
Updates related to password complexity enhancements were made to the following sections:
Password complexity on page 27
Administrator password complexity on page 52
Password aging on page 54
Application administrator (Admin) security defaults on page 59
Subscriber security on page 61
Configuring application administrator password rules job aid on page 91
Modifying application administrator password rules job aid on page 107

February 2011 Draft 04.AB. This document is issued for Avaya Aura Application Server 5300 Release 3.0.
Technical changes were made to the following sections:
Subscriber security on page 61
Application logging on page 68
Configuring application administrator password rules on page 91

December 2010 Draft 04.AA. This document is issued for Avaya Aura Application Server 5300 Release 3.0.

September 2010 Standard 02.05. This document is issued for Avaya Aura Application Server 5300
Release 2.0. Updates were made to Antivirus management on page 79.

August 2010 Standard 02.04. This document is issued for Avaya Aura Application Server 5300
Release 2.0. Technical changes were made to most of this document to reflect security changes.

June 2010 Standard 02.03. This document is issued for Avaya Aura Application Server 5300
Release 2.0. This document is updated after technical review.

May 2010 Standard 02.02. This document is issued for Avaya Aura Application Server 5300
Release 2.0. This document contains editorial changes.

April 2010 Standard 02.01. This document is issued for Avaya Aura Application Server 5300
Release 2.0.

August 2008 Standard 01.03. This document is issued for Nortel Application Server 5300
Release 1.0. This document is up-issued to include updates to technical content regarding
support for foreign domains.

July 2008 Standard 01.02. This document is issued for Nortel Application Server 5300
Release 1.0. This document is up-issued to include organizational changes and updates to
technical content.

June 2008 Standard 01.01. This document is issued for Nortel Application Server 5300
Release 1.0.

Chapter 2: Introduction

This document contains the procedures required to configure and administer security for the Avaya Aura
Application Server 5300.

For more information about configuration and administration, see Avaya Aura Application Server 5300
Configuration, NN42040-500 and Avaya Aura Application Server 5300 Administration, NN42040-600.

For information about general provisioning tasks and procedures, see Avaya Aura Application Server
5300 Using the Provisioning Client, NN42040-112.

Important:
Throughout this document, the term system refers to the Avaya Aura Application Server 5300 unless
otherwise noted.

Prerequisites

The Avaya Aura Application Server 5300 installation is complete.
You are familiar with the AS 5300 Element Manager Console.
You are familiar with the Avaya Aura Provisioning Client.

Navigation

Platform security overview on page 21
Platform administrator security management on page 35
Security configuration and management overview on page 51
File system integrity on page 65
Database password management on page 75
Antivirus management on page 79
Security log management on page 87
Application administrator security configuration and management on page 89
Application security configuration on page 125
Certificate management overview on page 129
Certificate preparation on page 131
Certificate management on page 139
Core application certificate management on page 149
Truststore certificate management on page 157
OCSP configuration on page 161
IPsec configuration overview on page 167
IPsec service management on page 173
IPsec configuration on page 175
Access control rules on page 185
Access control configuration on page 193
Internal access control configuration on page 195
Access control rules management on page 199
Access control rules enforcement on page 205
NTP server management on page 207
TLS configuration on page 213
TLS Mutual authentication on page 217
FIPS overview on page 219
Cipher suite configuration on page 221
FIPS management on page 225

Chapter 3: Platform security overview

This section contains information related to platform security configuration, including platform
administrator accounts, roles, and access.

For information about initial Basic Input/Output System (BIOS) and RSA-II card configuration, see Avaya
Aura Application Server 5300 Installation, NN42040-300.

Navigation:

BIOS password control on page 21
GRUB password control on page 23
Administrative user account names on page 23
Administrative user roles on page 24
Primary role on page 24
Sudo access control on page 25
Platform user management tool on page 25
Administrative account timers on page 26
Account lockout on page 26
Password complexity on page 27
Inactive platform account auditing on page 29
Root user access on page 30
Individual user accounts on page 30
Preconfigured accounts on page 31
Remote system accounts on page 31
Secure Shell and Common Access Card integration on page 32
Platform warning banners on page 33

BIOS password control

The planar BIOS includes options to configure both an Administrative and a Power-on password.
For more information about password options and how to configure them, see the
documentation supplied with the server hardware.

The BIOS also refers to the Administrative password as the Privileged Access Password in
console messages displayed during BIOS initialization.

BIOS passwords are enforced at the end of BIOS initialization, when the message "BIOS
Installed Successfully" displays.

The following table shows the password enforcement performed by the BIOS at this
point in the BIOS execution.

BIOS Password Control

  Password configured        Password requirement
  Power-on    Admin          BIOS Entry Requested (F1 pressed)            Standard Initialization (F1 not pressed)
  ----------  -----          -------------------------------------------  ----------------------------------------
  No          No             None                                         None
  No          Yes            Admin                                        None
  Yes         No             Power-on password                            Power-on password
  Yes         Yes            Power-on password (limited access) or Admin  Power-on password or Admin

    Two basic scenarios are possible:8

    The administrator presses the F1 key during the early stages of BIOS initialization with9

    the intent of entering BIOS setup when BIOS initialization finishes. If at least one password10

    is configured, the password must be entered to enter into the BIOS setup. If both11

    passwords are configured, specifying the Power-on password gives the administrator only12

    limited access, where no BIOS configuration changes can be made.13

    The administrator does not press the F1 key during the early stages of BIOS initialization.14

    If a Power-on password is configured (not recommended), BIOS requires the15

    administrator to enter the password to allow the system to continue past the BIOS16

    initialization. If configured, the administrative password is also accepted.17

    If an Administrator password is configured, an administrator entering BIOS with only a Power-18

    on password receives access to the following menus:19

    System SummaryThis menu provides information such as processor model, USB20

    devices, and memory information.21

    System InformationThis menu provides information such as the machine type and22

    model number, serial number, firmware levels, and installed system cards.23

    Platform security overview

    Avaya - Proprietary. Use pursuant to the terms of your signed agreement or Avaya policy.

    DRAFTMay 3, 20128:51 PM (UTC+01:00)

    22 Avaya AuraApplication Server 5300 Security May 3, 2012

  • 8/10/2019 nn42040-601_Security

    23/230

When configuring the Administrator password, changing the value of the Power-on password changeable by user field to Yes provides limited BIOS access to the administrator. The following are the additional menu items available:

- System Security: This menu provides the facility to change or delete the Power-on password.

The following general points also apply to Administrative and Power-on BIOS passwords:

- Each password can be up to seven characters in length.
- The passwords can consist of any characters.
- If both passwords are configured, a forgotten Power-on password can be reset (deleted and re-configured) by entering the BIOS with the Administrative password.
- If a single password is set, and is forgotten, it cannot be recovered using the BIOS menu.
- If both the Administrative and Power-on password are set, and the Administrative password is forgotten, it cannot be recovered using the BIOS menu.
- Neither password is affected when you restore the configuration of the main BIOS to the factory default configuration.

GRUB password control

The Linux Grand Unified Bootloader (GRUB) allows you to configure a password to prevent unauthorized access to the bootloader. Whenever you change the server password policy, you should reset the GRUB bootloader password to comply with these new settings. For more information, see Configuring the GRUB password on page 37.

Administrative user account names

When you create a new account for an administrator, you specify the account name and a numeric user ID. For the numeric user ID, always enter zero (0). After you enter zero (0), the system assigns the next available numeric ID.

The system security administrator defines the password requirements using the pwConfig tool.


Administrative user roles

Roles define operational boundaries (access permissions) for administrators. Administrators can have more than one role, depending on their duties. You assign roles to new administrators when you create their accounts. The roles defined for the system are as follows:

- System Security Administrator (SSA): The SSA can perform system configuration and specify security attributes such as:
  - Password configuration
  - User management
  - Certificate management
  - Access control
  - Antivirus
  - File System Integrity tools
  - Network configuration
  - System files backup
  - System restoration

- Security Auditor (SA): The SA can collect and view security audit logs and syslogs at the platform level. The SA can also transfer the security logs off the server.

- Application Administrator (AA): The AA can install MCS application software and manage components related to the application. The AA is responsible for installing, maintaining, patching, and upgrading MCS software only.

- Backup Administrator (BA): The BA can perform only system backups. A BA cannot perform:
  - any operation on the server except backups.
  - a system restore; only the SSA or root user can perform a system restore.

- Database Administrator (DBA): The DBA can manage the database schemas and database tools on servers on which the database resides. This role is not relevant on servers that do not host the database.

- Operational Support System Administrator (OSS): Downstream processors can use the account with this role to connect to the server and collect OSS logs.

Primary role

The primary role of the administrator defines the administrator's primary group. The primary role determines permissions and group ownership for any files that are generated by the administrator. Any tools that extract or create files use the administrator's primary role to determine the appropriate group settings. The primary role is the first role assigned during account creation. An SSA or root user can change the primary role for an administrator.

In the user management tool (userMgt) the primary role of an administrator is the first role that appears in the list of assigned roles. For example, if the list appears as follows: SSA, AA, BA; the primary role of the administrator is SSA.

All roles, other than the Backup Administrator, OSS Administrator, and Regional Patching Administrator roles, are intended to manage some aspect of the system. Because of this and the use of discretionary access groups to control access to system resources, administrators with a primary role of SSA, SA, AA, or DBA have a primary GID that is traditionally reserved for system accounts (less than 500).

Sudo access control

By default, an administrator has access to all commands defined for each assigned role. However, the root user can grant elevated privileges (such as root access) to an individual administrator, if required.

The system records all commands that are run with sudo in /var/log/secure and only the security administrator or security auditor can view these logs.

Only the root user can grant or deny all sudo level access to administrators. If you are already logged on before being granted sudo access, the sudo access is available the next time you log on. The sudo menu option in the userMgt script is only visible when the script is run by the root user.

Administrators who have sudo access need not know the root password of the system to invoke root level commands; they use their own current passwords. The syntax for running commands with sudo access is as follows:

> sudo <command>

The system prompts for your administrator password the first time, and again after 10 minutes, if you do not enter any other sudo commands.
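The security auditor's job with these records is to review who ran what as root. The following is an added example of that review, not a tool shipped with Application Server 5300: it parses sudo records in the standard sudo syslog format, summarizes allowed commands per administrator, lists denied attempts, and flags commands that open an interactive root shell (after `sudo su -`, sudo no longer records the individual commands typed in that shell, so the per-command trail ends there). The log lines, host name, TTYs and command paths are constructed for the example and are not values from this guide.

```python
"""Review of sudo records from /var/log/secure (added example, not an AS5300 tool).
The sample lines are constructed in the standard sudo syslog format; the host
name, TTYs and command paths are assumptions, not values from this guide."""
import re
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

SAMPLE_SECURE_LOG = """\
Jun  1 10:15:02 as5300-1 sudo: ntsysadm : TTY=pts/0 ; PWD=/home/ntsysadm ; USER=root ; COMMAND=/sbin/service sshd restart
Jun  1 10:16:40 as5300-1 sudo: ntappadm : TTY=pts/1 ; PWD=/home/ntappadm ; USER=root ; COMMAND=/sbin/service mcs restart
Jun  1 10:20:11 as5300-1 sudo: ntbackup : command not allowed ; TTY=pts/2 ; PWD=/home/ntbackup ; USER=root ; COMMAND=/bin/su -
Jun  1 10:21:05 as5300-1 sshd[2231]: Accepted password for ntsecadm from 192.0.2.10 port 51234 ssh2
Jun  1 10:22:30 as5300-1 sudo: ntsysadm : TTY=pts/0 ; PWD=/home/ntsysadm ; USER=root ; COMMAND=/bin/su -
"""

# One sudo record: "<timestamp> <host> sudo: <user> : [command not allowed ; ]
# TTY=... ; PWD=... ; USER=<run-as user> ; COMMAND=<command line>"
SUDO_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) sudo: +"
    r"(?P<user>\S+) : (?:(?P<denied>command not allowed) ; )?"
    r"TTY=(?P<tty>\S+) ; PWD=(?P<pwd>\S+) ; USER=(?P<runas>\S+) ; COMMAND=(?P<cmd>.+)$"
)

# Programs that hand the administrator an interactive root shell.
ROOT_SHELLS = {"su", "sh", "bash", "ksh"}


def parse_sudo_line(line: str) -> Optional[dict]:
    """Return the fields of one sudo record, or None for any other log line."""
    m = SUDO_RE.match(line.rstrip("\n"))
    if not m:
        return None
    rec = m.groupdict()
    rec["allowed"] = rec.pop("denied") is None
    return rec


def sudo_events(log_text: str) -> List[dict]:
    """All sudo records in a chunk of /var/log/secure text, in file order."""
    return [r for r in (parse_sudo_line(l) for l in log_text.splitlines()) if r]


def commands_by_admin(events: List[dict]) -> Dict[str, List[str]]:
    """Allowed root commands grouped by the individual administrator account."""
    out: Dict[str, List[str]] = defaultdict(list)
    for e in events:
        if e["allowed"]:
            out[e["user"]].append(e["cmd"])
    return dict(out)


def denied_attempts(events: List[dict]) -> List[Tuple[str, str]]:
    """(user, command) pairs that sudo refused because the role does not permit them."""
    return [(e["user"], e["cmd"]) for e in events if not e["allowed"]]


def root_shell_escalations(events: List[dict]) -> List[Tuple[str, str]]:
    """Allowed commands that start an interactive root shell; sudo records nothing
    typed inside that shell, so these entries mark where per-command auditing stops."""
    hits = []
    for e in events:
        if not e["allowed"]:
            continue
        program = e["cmd"].split()[0].rsplit("/", 1)[-1]
        if program in ROOT_SHELLS:
            hits.append((e["user"], e["cmd"]))
    return hits


if __name__ == "__main__":
    evs = sudo_events(SAMPLE_SECURE_LOG)
    print("allowed:", commands_by_admin(evs))
    print("denied:", denied_attempts(evs))
    print("root shells:", root_shell_escalations(evs))
```

Because every administrator logs on under an individual account, the `user` field ties each root command to a person; the denied entries are worth a look because they show an account trying to act outside its assigned role.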

Platform user management tool

To run the user management tool (userMgt) you must be the Security System Administrator (SSA) or the root user. With the userMgt tool, you can create and manage user accounts for platform administrators. Figure 1: Main menu on page 26 shows the options available from the main menu of the tool.


Figure 1: Main menu

Important:

Option [6] (from the main menu of the userMgt tool) is available only to the root user. To use this option, an SSA with sudo access can su to root.

Administrative account timers

The idle session timer automatically logs off administrators that are not actively using their sessions. After the configured time elapses without administrator activity, the session closes automatically.

Changes to the idle session timer value do not affect currently existing sessions. Administrators must log off and log back on for this configuration to take effect.

Use the pwConfig tool to specify the timeout value by configuring the Idle session timeout (seconds) parameter. For more information, see Modifying password complexity rules menu on page 36.

Account lockout

To reduce the effectiveness of password guessing attacks, you can configure account lockout on the system. If you enable account lockout, the system temporarily locks an account after a specified number of log on failures.

To enable account lockout, use the pwConfig tool to configure the 'Deny after this many log on failures' parameter to a value other than zero. To subsequently disable account lockout, change the value back to zero.

To configure the length of time that the account remains locked out, use the pwConfig tool to configure the Unlock account duration (seconds) parameter. If you disable account lockout, the Unlock account duration parameter has no effect. For more information, see Modifying password complexity rules menu on page 36.

If the system locks an account because of successive failed attempts to log on, the administrator cannot log on to the system until the lockout period expires. An SSA can unlock an administrator's account, during the lockout period, by using the userMgt tool to disable and subsequently enable the locked out administrator. Additionally, after three consecutive failed access attempts, the SSH or SFTP connection terminates and the user must re-establish the connection to log on.

After an account reaches the lockout threshold, the system generates a security log.
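The lockout behaviour described above, as an added example that is not the platform's own pwConfig or PAM configuration: a small state machine that applies the 'Deny after this many log on failures' threshold (zero disables lockout, as the text states), releases the lock after the Unlock account duration, rejects even a correct password while the lock holds, records a security log entry when the threshold is reached, and models the SSA's disable-then-enable unlock. Timestamps are plain seconds supplied by the caller so the behaviour can be checked without waiting; the account names are the preconfigured ones from this guide.

```python
"""Account lockout state machine for the 'Deny after this many log on failures'
and 'Unlock account duration (seconds)' parameters (added example; not the
AS5300's own pwConfig or PAM configuration)."""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class LockoutPolicy:
    deny_after: int = 0        # Table 1 default 0: lockout disabled
    unlock_seconds: int = 60   # Table 1 default; no effect when deny_after == 0


@dataclass
class AccountState:
    failures: int = 0                 # consecutive failed log on attempts
    locked_at: Optional[float] = None # time the lock was applied, None if unlocked


class LockoutTracker:
    """Tracks failed log on attempts per account and applies the lockout policy.
    'now' is a time in seconds passed in by the caller."""

    def __init__(self, policy: LockoutPolicy) -> None:
        self.policy = policy
        self.accounts: Dict[str, AccountState] = {}
        self.security_log: List[str] = []   # stand-in for the system security log

    def _state(self, user: str) -> AccountState:
        return self.accounts.setdefault(user, AccountState())

    def is_locked(self, user: str, now: float) -> bool:
        """True while the lockout period is still running for this account."""
        st = self._state(user)
        if st.locked_at is None:
            return False
        if now - st.locked_at >= self.policy.unlock_seconds:
            st.locked_at = None      # lockout period expired: the account unlocks itself
            st.failures = 0
            return False
        return True

    def attempt(self, user: str, password_ok: bool, now: float) -> bool:
        """Process one log on attempt; return True when the log on is accepted."""
        if self.is_locked(user, now):
            return False             # rejected even with the right password
        st = self._state(user)
        if password_ok:
            st.failures = 0
            return True
        st.failures += 1
        if self.policy.deny_after and st.failures >= self.policy.deny_after:
            st.locked_at = now
            self.security_log.append(
                f"ACCOUNT_LOCKOUT user={user} failures={st.failures} at={now:.0f}")
        return False

    def admin_unlock(self, user: str) -> None:
        """The effect of an SSA disabling and then re-enabling the account in userMgt."""
        self.accounts[user] = AccountState()


if __name__ == "__main__":
    tracker = LockoutTracker(LockoutPolicy(deny_after=3, unlock_seconds=60))
    for t in (0, 1, 2):
        tracker.attempt("ntappadm", False, t)
    print("locked at t=3:", tracker.is_locked("ntappadm", 3))
    print("locked at t=62:", tracker.is_locked("ntappadm", 62))
    print(tracker.security_log)
```

Note that with the Table 1 defaults (`deny_after=0`) the tracker never locks anything, which is why the text recommends reviewing those defaults before adding administrators.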

Password complexity

You can configure password policy rules to define the appropriate characters used for administrator passwords. The administrator configures these passwords using either /usr/bin/passwd or the userMgt tool.

The password complexity settings only affect subsequently configured passwords; they do not affect current passwords.

You manage password complexity on a per-server basis. There is no automatic password complexity synchronization performed between servers. Therefore, if you change any value on one server, you must manually change it on all of the other servers. For more information about the parameters, see Table 1: Password complexity parameters on page 27. For more information about how to configure the parameters, see Modifying password complexity rules menu on page 36.

Table 1: Password complexity parameters

Minimum lowercase chars
    This parameter specifies the minimum number of lowercase characters (a-z) that the password must contain. The system rejects passwords that contain fewer lowercase characters. Default: 2

Minimum uppercase chars
    This parameter specifies the minimum number of uppercase characters (A-Z) that the password must contain. The system rejects passwords that contain fewer uppercase characters. Default: 2

Minimum digits
    This parameter specifies the minimum number of digit characters (0-9) that the password must contain. The system rejects passwords that contain fewer digit characters. Default: 2

Minimum special chars
    This parameter specifies the minimum number of special characters that the password must contain. Special characters are: . @ - _ & ^ ? ! ( ) , / \ : ; ~ = + The system rejects passwords that contain fewer special characters. Default: 0

Minimum change chars
    This parameter specifies the minimum number of characters by which the new password must differ from the previous password. The system ignores this value if either one half of the characters in the new password are different, or if there are more than 23 characters in the new password. Default: 0

Minimum password length
    This parameter specifies the minimum number of total characters a password must contain. The system rejects passwords that contain fewer characters. Default: 8

Maximum consecutive repeat chars
    This parameter specifies the maximum number of consecutive repeating characters that are permitted in a password. Default: 0

Deny after this many log on failures
    This parameter specifies the number of failed attempts to log on to an account before the account is locked. Default: 0

Unlock account duration (seconds)
    This parameter specifies the amount of time for which the account remains locked after log on failures. Default: 60

Old passwords to remember
    This parameter specifies the number of previous passwords the system remembers. Administrators cannot reuse any password on the remembered list. Regardless of the value of this parameter, administrators cannot ever reuse the current password. Default: 0

Maximum password age (days)
    This parameter specifies the maximum number of days that an administrator's password can be used. After the specified number of days, the administrator must change the password to access the server. If you reduce this value, some existing passwords can immediately expire. Default: 90

Minimum password age (days)
    This parameter specifies the minimum number of days between password changes. This setting discourages administrators from immediately changing their passwords back to a previously used password (password flipping). Default: 1

Password change warning (days)
    This parameter specifies the number of days in advance that administrators receive warning that their passwords will expire. If an administrator logs on within this number of days before expiry, a message appears to indicate that their password will expire soon. Default: 7

Idle session timeout (seconds)
    This parameter specifies the number of seconds a session can be idle before it times out. Default: 600 (10 minutes)


You can modify the password complexity rules at any time; however, the configured rules apply only to subsequently added administrator accounts.

Important:

If the default password complexity configuration values (as shown in the preceding table) do not meet your site requirements, Avaya recommends that you change the values immediately after installation and commissioning, and before you add administrators to the system.

The following non-configurable parameters also apply to password complexity:

- The system uses the Linux CrackLib library to ensure that the password is not based on the username or on a dictionary word. This library manipulates the new password in various ways to try to determine if the new password is based on the username or a dictionary word.
- Users must change their passwords during initial log on. Users cannot access the system with the temporary passwords.
- The password cannot be a palindrome.
- The root user password does not adhere to the password complexity rules. Ensure that only a very limited number of individuals know the root password for the servers.
- The backup and restore process includes all files related to password complexity.
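To make the interaction of the Table 1 parameters and the non-configurable rules concrete, here is an added example of a checker that applies them to a candidate password; it is not the pwConfig, passwd or userMgt code of Application Server 5300, and a few points are assumptions because the guide does not define them: the meaning of 0 for 'Maximum consecutive repeat chars' is taken as "not enforced", 'Minimum change chars' is counted as characters of the new password that do not occur in the previous one, and the word list standing in for CrackLib is a constructed handful of words. The special-character set, the defaults and the "half the characters differ or more than 23 characters" exception are taken from Table 1; the palindrome and username rules are from the list above.

```python
"""Password complexity checks following Table 1 and the non-configurable rules
(added example; not the pwConfig, passwd or userMgt code of the AS5300)."""
from dataclasses import dataclass
from typing import List, Optional, Sequence

# Special characters exactly as listed in Table 1 under "Minimum special chars".
SPECIAL_CHARS = set(". @ - _ & ^ ? ! ( ) , / \\ : ; ~ = +".split())

# Constructed stand-in for the CrackLib word list.
DICTIONARY = {"password", "welcome", "secret", "letmein", "qwerty"}


@dataclass
class PasswordPolicy:
    """Configurable parameters; the defaults are the Table 1 defaults."""
    min_lower: int = 2
    min_upper: int = 2
    min_digits: int = 2
    min_special: int = 0
    min_change_chars: int = 0
    min_length: int = 8
    max_consecutive_repeat: int = 0   # assumption: 0 means "not enforced"
    old_passwords_to_remember: int = 0


DEFAULT_POLICY = PasswordPolicy()


def longest_run(s: str) -> int:
    """Length of the longest run of one repeated character ("xaab" -> 2)."""
    best = run = 0
    prev = None
    for ch in s:
        run = run + 1 if ch == prev else 1
        best = max(best, run)
        prev = ch
    return best


def chars_changed(new: str, old: str) -> int:
    """Assumption: characters of the new password that do not occur in the old one."""
    return sum(1 for ch in new if ch not in old)


def check_password(policy: PasswordPolicy, new: str, username: str,
                   current: Optional[str] = None,
                   history: Sequence[str] = ()) -> List[str]:
    """Return the list of violated rules; an empty list means the password is accepted."""
    problems: List[str] = []
    lowered = new.lower()

    # Configurable rules from Table 1.
    if len(new) < policy.min_length:
        problems.append(f"shorter than {policy.min_length} characters")
    if sum(c.islower() for c in new) < policy.min_lower:
        problems.append(f"fewer than {policy.min_lower} lowercase characters")
    if sum(c.isupper() for c in new) < policy.min_upper:
        problems.append(f"fewer than {policy.min_upper} uppercase characters")
    if sum(c.isdigit() for c in new) < policy.min_digits:
        problems.append(f"fewer than {policy.min_digits} digits")
    if sum(c in SPECIAL_CHARS for c in new) < policy.min_special:
        problems.append(f"fewer than {policy.min_special} special characters")
    if policy.max_consecutive_repeat and longest_run(new) > policy.max_consecutive_repeat:
        problems.append(f"more than {policy.max_consecutive_repeat} consecutive repeated characters")

    # "Minimum change chars" is ignored when half the characters already differ
    # or when the new password is longer than 23 characters (Table 1).
    if current is not None and policy.min_change_chars and len(new) <= 23:
        changed = chars_changed(new, current)
        if changed < policy.min_change_chars and changed * 2 < len(new):
            problems.append(f"fewer than {policy.min_change_chars} characters changed")

    # Password history: the current password is never reusable, whatever the value.
    if current is not None and new == current:
        problems.append("same as the current password")
    remembered = policy.old_passwords_to_remember
    if remembered and new in list(history)[-remembered:]:
        problems.append("matches a remembered previous password")

    # Non-configurable rules: palindrome, username-based, dictionary-based.
    if lowered == lowered[::-1]:
        problems.append("password is a palindrome")
    user = username.lower()
    if user and (user in lowered or user[::-1] in lowered):
        problems.append("based on the user name")
    if any(word in lowered for word in DICTIONARY):
        problems.append("based on a dictionary word")
    return problems


if __name__ == "__main__":
    for candidate in ("Hq7Rw8mnKz", "Ab1221bA", "password", "ntsysadm2012AB!"):
        print(candidate, "->", check_password(DEFAULT_POLICY, candidate, "ntsysadm") or "accepted")
```

Run as a script it prints the verdict for four constructed candidates; the second is rejected only as a palindrome and the fourth only for containing the user name, which shows why the per-class counts in Table 1 are necessary but not sufficient on their own.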

Password changes

When administrators use the UNIX passwd command to change their passwords, or when they change the password during log on (for initial or expired passwords), the system applies all of the enabled password complexity rules.

When an SSA uses the userMgt tool to change a password, the following rules do not apply:

- Password history (Old passwords to remember)
- Case change from previous password
- Characters changed from previous password (Minimum change chars)

For more information about platform user account passwords, see Platform administrator security management on page 35.

Inactive platform account auditing

You can configure the system to automatically lock out inactive platform administrator accounts after a period of inactivity. If an administrator is locked out, that administrator cannot log on to the platform without intervention by another administrator.


The system does not automatically delete locked out inactive administrator accounts. The site administrator is responsible for monitoring locked out accounts and deleting them as needed.

Root user access

The root user must log on to the server using the console keyboard, video and mouse (KVM). Root users must change their passwords on first log on after installation.

The password for this account is subject to password complexity rules. Because the initial (during installation) password complexity rules are minimal, Avaya recommends that you change the password for this account after you complete the procedure to configure (harden) password complexity rules.

On the SIP Core servers, users assigned the System Security Administrator (SSA) role, in addition to full-time Super User Do (sudo) access, have full root access.

Even though SSA/sudo users have unrestricted root-level privileges, their actions are logged on the system security log because they are logged on under their individual user ID.

Individual user accounts

Individual user accounts allow for full accountability and monitoring of individual actions. If the installer chooses this option during server installation, the System Security Administrator (SSA) must create each individual user account after the installation is complete. For more information about installation, see the installation method for your system.

You manage user accounts on a per-server basis. Therefore, the SSA must create identical users on each server within the system.

The SSA uses the User Management Configuration tool to create, modify, and delete users. The SSA configures the rules for administrator user names using the pwConfig tool.

Each individual user account has its own password, which is subject to the password complexity rules. The SSA can disable or re-enable each individual user account as necessary.

Individual user accounts have a home directory in /home/<username>. If the SSA removes the user account, the home directory is also removed.


Preconfigured accounts

During server installation, the installation software creates the following user accounts:

- ntappadm: The primary role of this account is the Application Administrator (AA) role, which replaces the avaya user found on previous systems.
- ntdbadm: The primary role of this account is the database administrator (DBA) role.
- ntsysadm: The primary role of this account is the System Security Administrator (SSA) role. The ntsysadm account, by default, has ALL sudo root access. You can remove full sudo access, if required, by invoking the userMgt tool as root. This account replaces the sysadmin user found on previous systems.
- ntsecadm: The primary role of this account is the security auditor (SA) role.
- ntbackup: The primary role of this account is the backup administrator (BA) role.
- ntossadm: The primary role of this account is the OSS administrator (OSS) role. An Operational Support Server (OSS) uses this account to connect to an Avaya Aura Application Server 5300 server to collect OSS logs.

For more information about installation, see the installation method for your system.

You can use the userMgt tool to manage all the preconfigured accounts.

Each preconfigured account uses "password" as the initial password. You must change the initial password at first log on.

The user with the OSS role is protected using password authentication. This account is also susceptible to lockout if the password is entered incorrectly and the account lockout is configured for the system. To change the password on this account, log on as OSS, and type the command: #>passwd. You can also use the userMgt tool to reset the password for this account.

The SSA can create additional individual user accounts. Additional individual accounts are subject to the same password complexity profile as the preconfigured accounts. The SSA user can delete preconfigured accounts. All preconfigured accounts are backed up and restored during backup and restore procedures.

Remote system accounts

The Avaya Aura Application Server 5300 system requires one remote system account, a user with the OSS role. An Operational Support Server (OSS) uses this account to connect to an Avaya Aura Application Server 5300 server to collect OSS logs. The system automatically creates this account during installation. For more information, see Preconfigured accounts on page 31.

Secure Shell and Common Access Card integration

Administrators use Secure Shell (SSH) for remote access and administration of the Linux servers. The Avaya Aura Application Server 5300 comes with OpenSSH installed. OpenSSH is an open-source application, which does not support two-factor authentication.

To satisfy requirements for two-factor authentication and Common Access Card (CAC) integration, Avaya Aura Application Server 5300 also supports Attachmate Reflection for Secure IT as an optional configuration. Attachmate Reflection is not included with Application Server 5300. The purchase, installation and maintenance of Attachmate software are the customer's responsibility. To install Attachmate Reflection for Secure IT, remove OpenSSH during system installation and commissioning. For more information, see 106.1.5 AS5300 DoD AttachMate Installation.

Attachmate Reflection for Secure IT includes both the Linux-based server side component and the Windows-based client. Administrators can configure the Windows client to use certificates on the CAC and Reflection Group Policies so that all Reflection sessions meet Department of Defense (DoD) Public Key Infrastructure (PKI) requirements.

The following changes occur when you configure DoD PKI mode:

- The default Reflection configuration uses either CRL checking or an OCSP responder. In DoD PKI mode, the option to use neither form of checking is disabled.
- Reflection enforces FIPS-approved encryption algorithms. For SSH connections, this means that only FIPS-approved options are available on the Encryption tab of the Secure Shell settings dialog box.
- For a connection to succeed, the host name specified in the certificate must exactly match the h