8/10/2019 nn42040-601_Security 1/230

Avaya Aura Application Server 5300 Security

Release 3.0
NN42040-601, Document Revision: 04.AU
May 3, 2012

Avaya - Proprietary. Use pursuant to the terms of your signed agreement or Avaya policy.
© 2012 Avaya Inc.
All Rights Reserved.

Notice
While reasonable efforts have been made to ensure that the information in this document is complete and accurate at the time of printing, Avaya assumes no liability for any errors. Avaya reserves the right to make changes and corrections to the information in this document without the obligation to notify any person or organization of such changes.
Documentation disclaimer
Documentation means information published by Avaya in varying mediums which may include product information, operating instructions and performance specifications that Avaya generally makes available to users of its products. Documentation does not include marketing materials. Avaya shall not be responsible for any modifications, additions, or deletions to the original published version of documentation unless such modifications, additions, or deletions were performed by Avaya. End User agrees to indemnify and hold harmless Avaya, Avaya's agents, servants and employees against all claims, lawsuits, demands and judgments arising out of, or in connection with, subsequent modifications, additions or deletions to this documentation, to the extent made by End User.
Link disclaimer
Avaya is not responsible for the contents or reliability of any linked Web sites referenced within this site or documentation provided by Avaya. Avaya is not responsible for the accuracy of any information, statement or content provided on these sites and does not necessarily endorse the products, services, or information described or offered within them. Avaya does not guarantee that these links will work all the time and has no control over the availability of the linked pages.
Warranty
Avaya provides a limited warranty on its Hardware and Software (Product(s)). Refer to your sales agreement to establish the terms of the limited warranty. In addition, Avaya's standard warranty language, as well as information regarding support for this Product while under warranty is available to Avaya customers and other parties through the Avaya Support Web site: http://support.avaya.com. Please note that if you acquired the Product(s) from an authorized Avaya reseller outside of the United States and Canada, the warranty is provided to you by said Avaya reseller and not by Avaya.
Licenses
THE SOFTWARE LICENSE TERMS AVAILABLE ON THE AVAYA WEBSITE, HTTP://SUPPORT.AVAYA.COM/LICENSEINFO/ ARE APPLICABLE TO ANYONE WHO DOWNLOADS, USES AND/OR INSTALLS AVAYA SOFTWARE, PURCHASED FROM AVAYA INC., ANY AVAYA AFFILIATE, OR AN AUTHORIZED AVAYA RESELLER (AS APPLICABLE) UNDER A COMMERCIAL AGREEMENT WITH AVAYA OR AN AUTHORIZED AVAYA RESELLER. UNLESS OTHERWISE AGREED TO BY AVAYA IN WRITING, AVAYA DOES NOT EXTEND THIS LICENSE IF THE SOFTWARE WAS OBTAINED FROM ANYONE OTHER THAN AVAYA, AN AVAYA AFFILIATE OR AN AVAYA AUTHORIZED RESELLER; AVAYA RESERVES THE RIGHT TO TAKE LEGAL ACTION AGAINST YOU AND ANYONE ELSE USING OR SELLING THE SOFTWARE WITHOUT A LICENSE. BY INSTALLING, DOWNLOADING OR USING THE SOFTWARE, OR AUTHORIZING OTHERS TO DO SO, YOU, ON BEHALF OF YOURSELF AND THE ENTITY FOR WHOM YOU ARE INSTALLING, DOWNLOADING OR USING THE SOFTWARE (HEREINAFTER REFERRED TO INTERCHANGEABLY AS YOU AND END USER), AGREE TO THESE TERMS AND CONDITIONS AND CREATE A BINDING CONTRACT BETWEEN YOU AND AVAYA INC. OR THE APPLICABLE AVAYA AFFILIATE (AVAYA).
Avaya grants End User a license within the scope of the license types described below. The applicable number of licenses and units of capacity for which the license is granted will be one (1), unless a different number of licenses or units of capacity is specified in the Documentation or other materials available to End User. Designated Processor means a single stand-alone computing device. Server means a Designated Processor that hosts a software application to be accessed by multiple users. Software means the computer programs in object code, originally licensed by Avaya and ultimately utilized by End User, whether as stand-alone Products or pre-installed on Hardware. Hardware means the standard hardware originally sold by Avaya and ultimately utilized by End User.
License Types
Designated System(s) License (DS). End User may install and use each copy of the Software on only one Designated Processor, unless a different number of Designated Processors is indicated in the Documentation or other materials available to End User. Avaya may require the Designated Processor(s) to be identified by type, serial number, feature key, location or other specific designation, or to be provided by End User to Avaya through electronic means established by Avaya specifically for this purpose.
Concurrent User License (CU). End User may install and use the Software on multiple Designated Processors or one or more Servers, so long as only the licensed number of Units are accessing and using the Software at any given time. A Unit means the unit on which Avaya, at its sole discretion, bases the pricing of its licenses and can be, without limitation, an agent, port or user, an e-mail or voice mail account in the name of a person or corporate function (e.g., webmaster or helpdesk), or a directory entry in the administrative database utilized by the Software that permits one user to interface with the Software. Units may be linked to a specific, identified Server.
Database License (DL). End User may install and use each copy of the Software on one Server or on multiple Servers provided that each of the Servers on which the Software is installed communicate with no more than a single instance of the same database.
CPU License (CP). End User may install and use each copy of the Software on a number of Servers up to the number indicated by Avaya provided that the performance capacity of the Server(s) does not exceed the performance capacity specified for the Software. End User may not re-install or operate the Software on Server(s) with a larger performance capacity without Avaya's prior consent and payment of an upgrade fee.
Named User License (NU). End User may: (i) install and use the Software on a single Designated Processor or Server per authorized Named User (defined below); or (ii) install and use the Software on a Server so long as only authorized Named Users access and use the Software. Named User means a user or device that has been expressly authorized by Avaya to access and use the Software. At Avaya's sole discretion, a Named User may be, without limitation, designated by name, corporate function (e.g., webmaster or helpdesk), an e-mail or voice mail account in the name of a person or corporate function, or a directory entry in the administrative database utilized by the Software that permits one user to interface with the Software.
Shrinkwrap License (SR). Customer may install and use the Software in accordance with the terms and conditions of the applicable license agreements, such as shrinkwrap or clickthrough license accompanying or applicable to the Software (Shrinkwrap License). (see Third-party Components for more information).
Copyright
Except where expressly stated otherwise, no use should be made of materials on this site, the Documentation, Software, or Hardware provided by Avaya. All content on this site, the documentation and the Product provided by Avaya including the selection, arrangement and design of the content is owned either by Avaya or its licensors and is protected by copyright and other intellectual property laws including the sui generis rights relating to the protection of databases. You may not modify, copy, reproduce, republish, upload, post, transmit or distribute in any way any content, in whole or in part, including any code and software unless expressly authorized by Avaya. Unauthorized reproduction, transmission, dissemination, storage, and or use without the express written consent of Avaya can be a criminal, as well as a civil offense under the applicable law.
Third-party components
Certain software programs or portions thereof included in the Product may contain software distributed under third party agreements (Third Party Components), which may contain terms that expand or limit rights to use certain portions of the Product (Third Party Terms). Information regarding distributed Linux OS source code (for those Products that have distributed the Linux OS source code), and identifying the copyright holders of the Third Party Components and the Third Party Terms that apply to them is available on the Avaya Support Web site: http://support.avaya.com/Copyright.
Preventing Toll Fraud
Toll fraud is the unauthorized use of your telecommunications system by an unauthorized party (for example, a person who is not a corporate employee, agent, subcontractor, or is not working on your company's behalf). Be aware that there can be a risk of Toll Fraud associated with your system and that, if Toll Fraud occurs, it can result in substantial additional charges for your telecommunications services.
Avaya Toll Fraud Intervention
If you suspect that you are being victimized by Toll Fraud and you need technical assistance or support, call Technical Service Center Toll Fraud Intervention Hotline at +1-800-643-2353 for the United States and Canada. For additional support telephone numbers, see the Avaya Support Web site: http://support.avaya.com. Suspected security vulnerabilities with Avaya products should be reported to Avaya by sending mail to: [email protected]
Trademarks
The trademarks, logos and service marks (Marks) displayed in this site, the Documentation and Product(s) provided by Avaya are the registered or unregistered Marks of Avaya, its affiliates, or other third parties. Users are not permitted to use such Marks without prior written consent from Avaya or such third party which may own the Mark. Nothing contained in this site, the Documentation and Product(s) should be construed as granting, by implication, estoppel, or otherwise, any license or right in and to the Marks without the express written permission of Avaya or the applicable third party.
Avaya is a registered trademark of Avaya Inc.
All non-Avaya trademarks are the property of their respective owners, and Linux is a registered trademark of Linus Torvalds.
Portions copyright 2001-2010 Certicom Corp. All rights reserved.
Downloading Documentation
For the most current versions of Documentation, see the Avaya Support Web site: http://support.avaya.com.
Contact Avaya Support
Avaya provides a telephone number for you to use to report problems or to ask questions about your Product. The support telephone number is 1-800-242-2121 in the United States. For additional support telephone numbers, see the Avaya Web site: http://support.avaya.com.
Chapter 5: Security configuration and management overview...................................... 51
Application administrator security............................................................................................................. 51
Administrator password complexity.................................................................................................. 52
Password aging................................................................................................................................ 54
Log on session constraints............................................................................................................... 55
Application warning banners............................................................................................................ 55
Administrative user accounts........................................................................................................... 56
Special rules for the Security Administrator..................................................................................... 57
MCP SNMP Community Strings....................................................................................................... 58
Administrative security services....................................................................................................... 58
Application administrator (Admin) security defaults......................................................................... 59
Web server logs........................................................................................................................................ 60
Internal database account security........................................................................................................... 60
Database application security................................................................................................................... 60
Subscriber security.................................................................................................................................... 61
Password policies and domains....................................................................................................... 62
Password expiry during active call................................................................................................... 63
Subscriber lockout............................................................................................................................ 63
Domain security........................................................................................................................................ 64
Antivirus.................................................................................................................................................... 65
File system integrity.................................................................................................................................. 65
Verification reports............................................................................................................................ 66
FSI baseline management............................................................................................................... 66
FSI baseline exclusions.................................................................................................................... 66
FSI baseline backup and restore...................................................................................................... 67
Configuration file.............................................................................................................................. 67
HTTPS certificates.................................................................................................................................... 67
AS 5300 Element Manager Console CAC integration.............................................................................. 68
AS5300 UC Client CAC integration.......................................................................................................... 68
Application logging.................................................................................................................................... 68
Security logs.............................................................................................................................................. 69
Syslog............................................................................................................................................... 69
System audit..................................................................................................................................... 70
Failed logons.................................................................................................................................... 71
File activity in restricted areas.......................................................................................................... 72
Backup of security logs.................................................................................................................... 72
System alarms.......................................................................................................................................... 73
Chapter 6: Database password management.................................................................. 75
Resetting the internal database account passwords................................................................................ 75
Changing the Schema account password................................................................................................ 76
Changing the database application password, without changing the load............................................... 76
Changing the database application password during an upgrade............................................................ 78
Chapter 7: Antivirus management..................................................................................... 79
Updating the virus definitions.................................................................................................................... 79
Scheduling virus scans............................................................................................................................. 80
Chapter 8: File system integrity management................................................................. 83
Creating an FSI baseline........................................................................................................................... 83
Verifying the file system against a baseline.............................................................................................. 84
Managing FSI baselines............................................................................................................................ 84
Chapter 9: Security log management................................................................................ 87
Configuring a remote syslog server.......................................................................................................... 87
Deleting a remote syslog server................................................................................................................ 88
Modifying system audit logs...................................................................................................................... 88
Chapter 10: Application administrator security configuration and management........ 89
Enabling web server logs.......................................................................................................................... 90
Configuring application administrator password rules.............................................................................. 91
Configuring application administrator password rules job aid.......................................................... 91
Configuring a new AS 5300 Element Manager Console role.................................................................... 94
Configuring a new AS 5300 Element Manager Console role job aid............................................... 94
Configuring a new AS 5300 Element Manager Console administrator..................................................... 98
Configuring a new AS 5300 Element Manager Console user job aid.............................................. 99
Assigning a role to an AS 5300 Element Manager Console Administrator................................................. 100
Configuring log on and session rules........................................................................................................ 100
Configuring log on and session rules job aid.................................................................................... 101
Configuring a new Provisioning Client role............................................................................................... 102
Configuring a new Provisioning Client Admin........................................................................................... 102
Configuring a new Provisioning Client Admin job aid....................................................................... 103
Configuring warning banners.................................................................................................................... 104
Configuring warning banners job aid................................................................................................ 105
Modifying log on and session rules........................................................................................................... 105
Modifying log on and session rules job aid....................................................................................... 106
Modifying application administrator password rules................................................................................. 107
Modifying application administrator password rules job aid............................................................. 107
Modifying an AS 5300 Element Manager Console role.............................................................................. 110
Modifying a new AS 5300 Element Manager Console role job aid.................................................. 110
Modifying an AS 5300 Element Manager Console administrator............................................................. 111
Modifying an AS 5300 Element Manager Console user job aid....................................................... 111
Disabling an AS 5300 Element Manager Console user account................................................................ 112
Disabling password aging rules for an account........................................................................................ 112
Viewing and forcing off users.................................................................................................................... 113
Exporting configuration data for AS 5300 Element Manager Console...................................................... 113
Importing configuration data for AS 5300 Element Manager Console ...................................................... 114
Deleting an AS 5300 Element Manager Console role ................................................................................ 115
Deleting an AS 5300 Element Manager Console user ............................................................................... 115
Resetting the password for the AS 5300 Element Manager Console admin account.............................. 116
Resetting the password for an AS 5300 Element Manager Console administrator.................................... 117
Changing your AS 5300 Element Manager Console password................................................................ 118
Modifying a Provisioning Client role.......................................................................................................... 118
Modifying a Provisioning Client role job aid...................................................................................... 119
Listing Provisioning Client Admin users.................................................................................................... 119
Searching for Provisioning Client users by role........................................................................................ 119
Searching for inactive Provisioning Client users....................................................................................... 120
Modifying a Provisioning Client Admin...................................................................................................... 120
Deleting a Provisioning Client user........................................................................................................... 121
Resetting the password for the Provisioning Manager admin account..................................................... 121
Resetting the password for a Provisioning Client administrator................................................................ 122
Changing your Provisioning Client password........................................................................................... 123
Chapter 11: Application security configuration............................................................... 125
Configuring the AS 5300 Element Manager with certificates for HTTPS.................................................. 125
Configuring the Provisioning Manager with certificates for HTTPS.......................................................... 126
Configuring the AS 5300 Element Manager Console with certificates for HTTPS and SIP - CAC........... 127
Chapter 12: Certificate management overview................................................................ 129
Chapter 13: Certificate preparation................................................................................... 131
Generating a CSR..................................................................................................................................... 133
Generating a CSR job aid................................................................................................................ 133
Installing a CA or CA-signed certificate..................................................................................................... 134
Installing a CA or CA-signed certificate job aid................................................................................ 135
Exporting a PKCS12 file............................................................................................................................ 135
Installing custom certificates into the AS 5300 Element Manager keystore............................................. 136
Verifying that CA certificates import into the AS 5300 Element Manager truststore................................. 137
Chapter 14: Certificate management................................................................................. 139
Listing all certificates................................................................................................................................. 139
Listing all certificates job aid............................................................................................................. 140
Installing a CA or CA-signed certificate..................................................................................................... 140
Installing a CA or CA-signed certificate job aid................................................................................ 140
Uninstalling a certificate............................................................................................................................ 141
Verifying a certificate chain....................................................................................................................... 141
Verifying a certificate chain job aid................................................................................................... 142
Importing a PKCS12 file............................................................................................................................ 142
Exporting a PKCS12 file............................................................................................................................ 143
Identifying the friendly name of a certificate.............................................................................................. 143
Identifying the friendly name of a certificate job aid......................................................................... 144
Identifying the subject of a certificate installed in the certificate database - Unix..................................... 144
Identifying the subject field of a certificate installed in the certificate database - Unix job aid......... 145
Identifying the subject of a certificate that is not installed in the certificate database - Unix.................... 146
Identifying the subject field of a certificate that is not installed in the certificate database - Unix job aid..................................................................................................................................................... 146
Identifying the subject field of a certificate installed in the certificate database - Windows...................... 147
Identifying the subject field of a certificate installed in the certificate database - Windows job aid.. 147
Chapter 15: Core application certificate management.................................................... 149
Importing an internal certificate to the keystore........................................................................................ 149
Importing an internal certificate to the keystore job aid.................................................................... 150
Viewing an internal certificate in the keystore........................................................................................... 150
Removing an internal certificate from the keystore................................................................................... 151
Configuring the AS 5300 Element Manager with certificates for HTTPS and SIP .................................... 151
Configuring the AS 5300 Session Manager with certificates for HTTPS and SIP.................................... 152
Configuring HTTPS and SIP certificates for the Provisioning Manager.................................................... 153
Configuring the AS 5300 Element Manager Console with certificates for HTTPS and SIP - CAC........... 154
Configuring the AS 5300 Element Manager Console with certificates for HTTPS and SIP - manual...... 155
Configuring the Avaya Aura AS 5300 Personal Agent with certificates for HTTPS and SIP .................... 156
Chapter 16: Truststore certificate management............................................................... 157
    Importing a CA certificate to the truststore ........ 157
    Viewing a CA certificate in the truststore ........ 158
    Removing a CA certificate from the truststore ........ 158
Chapter 17: OCSP configuration ........ 161
    Configuring the operating system to support OCSP ........ 162
        Configuring the operating system to support OCSP job aid ........ 162
    Configuring the AS 5300 Element Manager to support OCSP ........ 163
    Configuring the AS 5300 Session Manager to support OCSP ........ 163
    Configuring the Provisioning Manager to support OCSP ........ 164
    Configuring the AS 5300 Element Manager Console to support OCSP ........ 165
    Verifying access to the OCSP server ........ 166
Chapter 18: IPsec configuration overview ........ 167
    Secure communication ........ 167
    Default staging certificates ........ 167
    Server addresses and service addresses ........ 168
    IPsec tunnel rules ........ 169
    Trusted node relationships ........ 169
    IPsec custom certificates ........ 170
    IPsec automatic CRL retrieval ........ 170
    IPsec limitations and restrictions ........ 170
Chapter 19: IPsec service management ........ 173
    Starting or restarting the IPsec service ........ 173
    Stopping the IPsec service ........ 173
    Verifying IPsec connection status ........ 174
        Verifying IPsec connection status job aid ........ 174
Chapter 20: IPsec configuration ........ 175
    Generating the internal IPsec configuration file ........ 177
    Installing the internal IPsec configuration file on the primary EMS server ........ 178
    Installing the internal IPsec configuration file on non-primary EMS servers ........ 178
    Creating the external IPsec configuration file ........ 179
        Creating the external IPsec configuration file job aid ........ 180
    Installing a custom IPsec certificate ........ 181
    Configuring IPsec for automatic CRL retrieval ........ 182
        Configuring IPsec for automatic CRL retrieval job aid ........ 182
    Verifying IPsec automatic CRL retrieval ........ 183
        Verifying IPsec automatic CRL retrieval job aid ........ 183
    Manually adding a CA chain ........ 184
Chapter 21: Access control rules ........ 185
    Access control rules overview ........ 185
    Trusted nodes ........ 186
    Trusted ports ........ 186
    Internal trusted node mesh ........ 187
    Access control tools ........ 187
    DSCP marking ........ 188
        DSCP marking configuration tools ........ 189
        Default DSCP configuration ........ 189
    Access control default system configuration ........ 190
    Access control limitations and restrictions ........ 191
Chapter 22: Access control configuration ........ 193
Chapter 23: Internal access control configuration ........ 195
    Generating the internal ACL file ........ 197
    Installing the internal ACL configuration file on the primary EMS ........ 197
    Installing the internal ACL configuration file on the other servers ........ 198
Chapter 24: Access control rules management ........ 199
    Importing access control rules ........ 199
        Importing access control rules job aid ........ 200
    Viewing all configured access control rules ........ 200
    Rolling back to the previous access control configuration ........ 201
    Restoring the access control default configuration ........ 201
    Viewing trusted node and port configurations with iptstatus ........ 202
        Viewing trusted node and port configurations with iptstatus job aid ........ 202
        Syntax of an access control rule in the raw format job aid ........ 203
        ACL configuration job aid ........ 204
Chapter 25: Access control rules enforcement ........ 205
    Enforcing access control rules ........ 205
Chapter 26: NTP server management ........ 207
    Updating the primary clock source servers ........ 208
        Updating the primary clock source servers when your system uses symmetric key encryption ........ 208
    Updating the secondary clock source servers ........ 209
        Updating the secondary clock source servers when your system uses symmetric key encryption ........ 210
    Configuring a server as a nonclock source ........ 211
Chapter 27: TLS configuration ........ 213
    Configuring the AS 5300 Session Managers to use only TLS ........ 213
        Variable definitions ........ 214
        Configuring the AS 5300 Session Managers to use only TLS job aid ........ 214
    Configuring the Provisioning Managers to use only TLS ........ 215
        Variable definitions ........ 215
        Configuring the Provisioning Managers to use only TLS job aid ........ 215
Chapter 28: TLS Mutual authentication ........ 217
    Enabling mutual authentication mode for SIP ........ 217
    Enabling mutual authentication mode for HTTPS ........ 218
Chapter 29: FIPS overview ........ 219
    FIPS compliance ........ 219
    Platform ........ 220
    SSH ........ 220
    AS 5300 Element Manager Console ........ 220
Chapter 30: Cipher suite configuration ........ 221
    Configuring OAMP ciphers ........ 222
    Configuring external OAMP ciphers ........ 222
    Configuring HTTPS ciphers ........ 223
    Configuring signaling ciphers ........ 224
Chapter 31: FIPS management ........ 225
    Stopping a network element ........ 225
    Enabling FIPS on the platform ........ 226
        Enabling FIPS on the platform job aid ........ 227
    Installing the FIPS-compliant AS 5300 Element Manager Console ........ 227
    Updating the FIPS-compliant AS 5300 Element Manager Console ........ 229
    Starting a network element ........ 230
Chapter 1: New in this release
The following sections detail what is new in Avaya Aura Application Server 5300 Security, NN42040-601 for Avaya Aura Application Server 5300 Release 3.0.
Navigation
- Features on page 13
- Other changes on page 13
Features
For information about feature-related changes, see the following sections:
- Password complexity on page 27
- Administrator password complexity on page 52
- Subscriber security on page 61
- Password policies and domains on page 62
- Configuring application administrator password rules on page 91
- Modifying application administrator password rules on page 107
For more information about the features that are new for this release, see Avaya Aura Application Server 5300 Release Delta, NN42040-201.
Other changes
Revision history
May 2012 Draft 04.AU. This document is issued for Avaya Aura Application Server 5300 Release 3.0. Edited a few links in chapter navigation sections.
April 2012 Draft 04.AT. This document is issued for Avaya Aura Application Server 5300 Release 3.0.
Updated the following section: FSI baseline exclusions on page 66
March 2012 Draft 04.AS. This document is issued for Avaya Aura Application Server 5300 Release 3.0. Updated the following section to state that Attachmate Reflection for Secure IT is not included with the system, but must be purchased separately: Secure Shell and Common Access Card integration on page 32
February 2012 Draft 04.AR. This document is issued for Avaya Aura Application Server 5300 Release 3.0. Replaced the reference to the ntossadm account with the OSS role: Preconfigured accounts on page 31
January 2012 Draft 04.AQ. This document is issued for Avaya Aura Application Server 5300 Release 3.0. Made changes to formatting throughout the document.
November 2011 Draft 04.AP. This document is issued for Avaya Aura Application Server 5300 Release 3.0. Added the following sections for Avaya Media Server content integration:
- Adding emergency users on page 39
- Deleting emergency users on page 41
November 2011 Draft 04.AO. This document is issued for Avaya Aura Application Server 5300 Release 3.0. Updated various figures to comply with Release 3.0 branding and product naming.
October 2011 Draft 04.AN. This document is issued for Avaya Aura Application Server 5300 Release 3.0. Updated the following sections:
- Updating the primary clock source servers when your system uses symmetric key encryption on page 208
- Updating the secondary clock source servers when your system uses symmetric key encryption on page 210
August 2011 Draft 04.AM. This document is issued for Avaya Aura Application Server 5300 Release 3.0. Performed a generic cleanup of the document for naming and profiling, which includes the following changes:
- Replaced System Manager with AS 5300 Element Manager as a variable.
- Replaced System Management Console with AS 5300 Element Manager Console as a variable.
- Replaced Media Application Server with Avaya Media Server as a variable.
August 2011 Draft 04.AL. This document is issued for Avaya Aura Application Server 5300 Release 3.0.
Added the following section:
- AS5300 UC Client CAC integration on page 68
August 2011 Draft 04.AK. This document is issued for Avaya Aura Application Server 5300 Release 3.0.
- Password complexity on page 27
July 2011 Draft 04.AJ. This document is issued for Avaya Aura Application Server 5300 Release 3.0. Updated the following sections:
- Password complexity on page 27
- Application administrator (Admin) security defaults on page 59
- Subscriber security on page 61
- Modifying an AS 5300 Element Manager Console user job aid on page 111
July 2011 Draft 04.AI. This document is issued for Avaya Aura Application Server 5300 Release 3.0. Removed references to UNIStim and IP Client Manager (IPCM).
June 2011 Draft 04.AH. This document is issued for Avaya Aura Application Server 5300 Release 3.0. Added the following section:
- Password expiry during active call on page 63
June 2011 Draft 04.AG. This document is issued for Avaya Aura Application Server 5300 Release 3.0.
- Password complexity on page 27
- Administrator password complexity on page 52
- Subscriber security on page 61
June 2011 Draft 04.AF. This document is issued for Avaya Aura Application Server 5300 Release 3.0. Updated for wi00890695, removing all mention of IP Client Manager (IPCM).
May 2011 Draft 04.AE. This document is issued for Avaya Aura Application Server 5300 Release 3.0. Edited the following section:
- Application administrator password rules on page 52
May 2011 Draft 04.AD. This document is issued for Avaya Aura Application Server 5300 Release 3.0. Added or edited the following sections:
- Configuring log on and session rules job aid on page 101
- Modifying log on and session rules job aid on page 106
- Application administrator password rules on page 52
March 2011 Draft 04.AC. This document is issued for Avaya Aura Application Server 5300 Release 3.0. Updates related to password complexity enhancements were made to the following sections:
- Password complexity on page 27
- Administrator password complexity on page 52
- Password aging on page 54
- Application administrator (Admin) security defaults on page 59
- Subscriber security on page 61
- Configuring application administrator password rules job aid on page 91
- Modifying application administrator password rules job aid on page 107
February 2011 Draft 04.AB. This document is issued for Avaya Aura Application Server 5300 Release 3.0. Technical changes were made to the following sections:
- Subscriber security on page 61
- Application logging on page 68
- Configuring application administrator password rules on page 91
December 2010 Draft 04.AA. This document is issued for Avaya Aura Application Server 5300 Release 3.0.
September 2010 Standard 02.05. This document is issued for Avaya Aura Application Server 5300 Release 2.0. Updates were made to Antivirus management on page 79.
August 2010 Standard 02.04. This document is issued for Avaya Aura Application Server 5300 Release 2.0. Technical changes were made to most of this document to reflect security changes.
June 2010 Standard 02.03. This document is issued for Avaya Aura Application Server 5300 Release 2.0. This document is updated after technical review.
May 2010 Standard 02.02. This document is issued for Avaya Aura Application Server 5300 Release 2.0. This document contains editorial changes.
April 2010 Standard 02.01. This document is issued for Avaya Aura Application Server 5300 Release 2.0.
August 2008 Standard 01.03. This document is issued for Nortel Application Server 5300 Release 1.0. This document is up-issued to include updates to technical content regarding support for foreign domains.
July 2008 Standard 01.02. This document is issued for Nortel Application Server 5300 Release 1.0. This document is up-issued to include organizational changes and updates to technical content.
June 2008 Standard 01.01. This document is issued for Nortel Application Server 5300 Release 1.0.
Chapter 2: Introduction
This document contains the procedures required to configure and administer security for the Avaya Aura Application Server 5300.
For more information about configuration and administration, see Avaya Aura Application Server 5300 Configuration, NN42040-500 and Avaya Aura Application Server 5300 Administration, NN42040-600.
For information about general provisioning tasks and procedures, see Avaya Aura Application Server 5300 Using the Provisioning Client, NN42040-112.
Important:
Throughout this document, the term system refers to the Avaya Aura Application Server 5300 unless otherwise noted.
Prerequisites
- The Avaya Aura Application Server 5300 installation is complete.
- You are familiar with the AS 5300 Element Manager Console.
- You are familiar with the Avaya Aura Provisioning Client.
Navigation
- Platform security overview on page 21
- Platform administrator security management on page 35
- Security configuration and management overview on page 51
- File system integrity on page 65
- Database password management on page 75
- Antivirus management on page 79
- Security log management on page 87
- Application administrator security configuration and management on page 89
- Application security configuration on page 125
- Certificate management overview on page 129
- Certificate preparation on page 131
- Certificate management on page 139
- Core application certificate management on page 149
- Truststore certificate management on page 157
- OCSP configuration on page 161
- IPsec configuration overview on page 167
- IPsec service management on page 173
- IPsec configuration on page 175
- Access control rules on page 185
- Access control configuration on page 193
- Internal access control configuration on page 195
- Access control rules management on page 199
- Access control rules enforcement on page 205
- NTP server management on page 207
- TLS configuration on page 213
- TLS Mutual authentication on page 217
- FIPS overview on page 219
- Cipher suite configuration on page 221
- FIPS management on page 225
Chapter 3: Platform security overview
This section contains information related to platform security configuration, including platform administrator accounts, roles, and access.
For information about initial Basic Input/Output System (BIOS) and RSA-II card configuration, see Avaya Aura Application Server 5300 Installation, NN42040-300.
Navigation:
- BIOS password control on page 21
- GRUB password control on page 23
- Administrative user account names on page 23
- Administrative user roles on page 24
- Primary role on page 24
- Sudo access control on page 25
- Platform user management tool on page 25
- Administrative account timers on page 26
- Account lockout on page 26
- Password complexity on page 27
- Inactive platform account auditing on page 29
- Root user access on page 30
- Individual user accounts on page 30
- Preconfigured accounts on page 31
- Remote system accounts on page 31
- Secure Shell and Common Access Card integration on page 32
- Platform warning banners on page 33
BIOS password control
The planar BIOS includes options to configure both an Administrative and Power-on password. For more information about password options and how to configure them, see the documentation supplied with the server hardware.
The planar BIOS enables the user to configure both an Administrative and Power-on password. The BIOS also refers to the Administrative password as the Privileged Access Password in console messages displayed during BIOS initialization.
BIOS passwords are enforced at the end of BIOS initialization when the message BIOS Installed Successfully displays.
The following table illustrates the password enforcement type performed by the BIOS at this point in the BIOS execution.

BIOS Password Control

Password configured        Password requirement
Power-on    Admin          BIOS entry requested (F1 pressed)             Standard initialization (F1 not pressed)
No          No             None                                          None
No          Yes            Admin                                         None
Yes         No             Power-on password                             Power-on password
Yes         Yes            Power-on password (limited access) or Admin   Power-on password or Admin

Two basic scenarios are possible:
- The administrator presses the F1 key during the early stages of BIOS initialization with the intent of entering BIOS setup when BIOS initialization finishes. If at least one password is configured, the password must be entered to enter into the BIOS setup. If both passwords are configured, specifying the Power-on password gives the administrator only limited access, where no BIOS configuration changes can be made.
- The administrator does not press the F1 key during the early stages of BIOS initialization. If a Power-on password is configured (not recommended), BIOS requires the administrator to enter the password to allow the system to continue past the BIOS initialization. If configured, the administrative password is also accepted.
If an Administrator password is configured, an administrator entering BIOS with only a Power-on password receives access to the following menus:
- System Summary: This menu provides information such as processor model, USB devices, and memory information.
- System Information: This menu provides information such as the machine type and model number, serial number, firmware levels, and installed system cards.
When configuring the Administrator password, changing the value of the Power-on password changeable by user field to Yes provides limited BIOS access to the administrator. The following are the additional menu items available:
- System Security: This menu provides the facility to change or delete the Power-on password.
The following general points also apply to Administrative and Power-on BIOS passwords:
- Each password can be up to seven characters in length.
- The passwords can consist of any characters.
- If both passwords are configured, a forgotten Power-on password can be reset (deleted and re-configured) by entering the BIOS with the Administrative password.
- If a single password is set, and is forgotten, it cannot be recovered using the BIOS menu.
- If both the Administrative and Power-on password are set, and the Administrative password is forgotten, it cannot be recovered using the BIOS menu.
- Neither password is affected when you restore the configuration of the main BIOS to the factory default configuration.
GRUB password control
The Linux Grand Unified Bootloader (GRUB) allows you to configure a password to prevent unauthorized access to the bootloader. Whenever you change the server password policy, you should reset the GRUB bootloader password to comply with these new settings. For more information, see Configuring the GRUB password on page 37.
Administrative user account names
When you create a new account for an administrator, you specify the account name and a numeric user ID. For the numeric user ID, always enter zero (0). After you enter zero (0), the system assigns the next available numeric ID.
The system security administrator defines the password requirements using the pwConfig tool.
Administrative user roles
Roles define operational boundaries (access permissions) for administrators. Administrators
can have more than one role, depending on their duties. You assign roles to new administrators
when you create their accounts. The roles defined for the system are as follows:
System Security Administrator (SSA): The SSA can perform system configuration and
specify security attributes such as:
- Password configuration
- User management
- Certificate management
- Access control
- Antivirus
- File System Integrity tools
- Network configuration
- System files backup
- System restoration
Security Auditor (SA): The SA can collect and view security audit logs and syslogs at the
platform level. The SA can also transfer the security logs off the server.
Application Administrator (AA): The AA can install MCS application software and
manage components related to the application. The AA is responsible for installing,
maintaining, patching, and upgrading MCS software only.
Backup Administrator (BA): The BA can perform only system backups. A BA cannot
perform:
- any operation on the server except backups.
- a system restore; only the SSA or root user can perform a system restore.
Database Administrator (DBA): The DBA can manage the database schemas and
database tools on servers on which the database resides. This role is not relevant on
servers that do not host the database.
Operational Support System Administrator (OSS): Downstream processors can use the
account with this role to connect to the server and collect OSS logs.
Primary role
The primary role of the administrator defines the administrator's primary group. The primary
role determines permissions and group ownership for any files that are generated by the
administrator. Any tools that extract or create files use the administrator's primary role to
determine the appropriate group settings. The primary role is the first role assigned during
account creation. An SSA or root user can change the primary role for an administrator.
In the user management tool (userMgt) the primary role of an administrator is the first role that
appears in the list of assigned roles. For example, if the list appears as follows: SSA, AA, BA;
the primary role of the administrator is SSA.
All roles, other than the Backup Administrator, OSS Administrator, and Regional Patching
Administrator roles, are intended to manage some aspect of the system. Because of this and
the use of discretionary access groups to control access to system resources, administrators
with a primary role of SSA, SA, AA, or DBA have a primary GID that is traditionally reserved
for system accounts (less than 500).
Sudo access control
By default, an administrator has access to all commands defined for each assigned role.
However, the root user can grant elevated privileges (such as root access) to an individual
administrator, if required.
The system records all commands that are run with sudo in /var/log/secure, and only the
security administrator or security auditor can view these logs.
Only the root user can grant or deny sudo access to administrators. If you are already
logged on when sudo access is granted, the sudo access becomes available the next time you
log on. The sudo menu option in the userMgt script is visible only when the script is run by the
root user.
Administrators who have sudo access need not know the root password of the system to invoke
root-level commands; they authenticate with their own current passwords. The syntax for running
commands with sudo access is as follows:
> sudo <command>
The system prompts for your administrator password the first time, and again after 10 minutes
if you do not enter any other sudo commands.
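Because every sudo invocation lands in /var/log/secure under the administrator's own user name, the security auditor can reconstruct who ran what as root. The following script, added here as an example and not part of this guide or of the Application Server 5300 tooling, parses the standard sudo syslog record format, separates granted from denied invocations, and flags two things an auditor should look at: commands that open an interactive root shell (inside which nothing further is logged per command) and commands that read credential or policy files. The host name, paths and log lines are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed /var/log/secure excerpt in the standard sudo syslog record format.
# The host name, paths and commands are illustrative, not from a real AS 5300.
SAMPLE_SECURE_LOG = """\
Apr  3 10:15:01 as5300-1 sudo: ntsysadm : TTY=pts/0 ; PWD=/home/ntsysadm ; USER=root ; COMMAND=/usr/sbin/useradd jdoe
Apr  3 10:16:44 as5300-1 sudo: ntappadm : TTY=pts/1 ; PWD=/home/ntappadm ; USER=root ; COMMAND=/bin/cat /etc/shadow
Apr  3 10:17:02 as5300-1 sudo: ntbackup : user NOT in sudoers ; TTY=pts/2 ; PWD=/home/ntbackup ; USER=root ; COMMAND=/bin/bash
Apr  3 10:18:30 as5300-1 sudo: ntappadm : 3 incorrect password attempts ; TTY=pts/1 ; PWD=/home/ntappadm ; USER=root ; COMMAND=/bin/su -
Apr  3 10:19:00 as5300-1 sudo: ntsysadm : TTY=pts/0 ; PWD=/home/ntsysadm ; USER=root ; COMMAND=/bin/bash
Apr  3 10:19:05 as5300-1 sshd[2231]: Accepted password for ntsecadm from 10.0.0.5 port 51022 ssh2
"""

# sudo writes "<user> : [<failure reason> ;] TTY=... ; PWD=... ; USER=... ; COMMAND=..."
SUDO_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sudo:\s+(?P<user>\S+) : "
    r"(?:(?P<status>[^;]*?) ; )?TTY=(?P<tty>\S+) ; PWD=(?P<pwd>\S+) ; "
    r"USER=(?P<runas>\S+) ; COMMAND=(?P<cmd>.*)$"
)

# Commands that hand the administrator an interactive root shell: everything
# typed inside it bypasses the per-command sudo record.
SHELL_ESCAPES = {"/bin/bash", "/bin/sh", "/bin/su", "/usr/bin/su"}
# Files whose disclosure exposes credentials or the sudo policy itself.
SENSITIVE_PATHS = {"/etc/shadow", "/etc/sudoers"}


def parse_sudo_events(text):
    """Return one dict per sudo record; other /var/log/secure lines are skipped."""
    events = []
    for line in text.splitlines():
        m = SUDO_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["ok"] = ev["status"] is None   # sudo logs a status text only on failure
            events.append(ev)
    return events


def flag_events(events):
    """(user, reason, command) for the records a security auditor should review."""
    findings = []
    for ev in events:
        argv = ev["cmd"].split()
        if not ev["ok"]:
            findings.append((ev["user"], "denied: " + ev["status"], ev["cmd"]))
        elif argv[0] in SHELL_ESCAPES:
            findings.append((ev["user"], "interactive root shell", ev["cmd"]))
        elif any(a in SENSITIVE_PATHS for a in argv[1:]):
            findings.append((ev["user"], "sensitive file access", ev["cmd"]))
    return findings


def per_user_summary(events):
    """user -> (granted, denied) counts; repeated denials point at misuse or guessing."""
    summary = defaultdict(lambda: [0, 0])
    for ev in events:
        summary[ev["user"]][0 if ev["ok"] else 1] += 1
    return {u: tuple(c) for u, c in summary.items()}


if __name__ == "__main__":
    evs = parse_sudo_events(SAMPLE_SECURE_LOG)
    for user, reason, cmd in flag_events(evs):
        print(f"{user:10} {reason:32} {cmd}")
    print(per_user_summary(evs))
```

The regex deliberately skips non-sudo lines (sshd also logs to /var/log/secure), so the parser can be pointed at the whole file. An SSA who has been granted ALL sudo access and runs `sudo /bin/bash` is still logged under their own user ID, but only that one line; the shell-escape finding is what tells the auditor that the subsequent root activity has to be reconstructed from other sources.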
Platform user management tool
To run the user management tool (userMgt) you must be the System Security Administrator
(SSA) or the root user. With the userMgt tool, you can create and manage user accounts for
platform administrators. Figure 1: Main menu on page 26 shows the options available from
the main menu of the tool.
Figure 1: Main menu
Important:
Option [6] (from the main menu of the userMgt tool) is available only to the root user. To use
this option, an SSA with sudo access can su to root.
Administrative account timers
The idle session timer automatically logs off administrators who are not actively using their
sessions. After the configured time elapses without administrator activity, the session closes
automatically.
Changes to the idle session timer value do not affect existing sessions. Administrators
must log off and log back on for the new value to take effect.
Use the pwConfig tool to specify the timeout value by configuring the Idle session timeout
(seconds) parameter. For more information, see Modifying password complexity rules
menu on page 36.
Account lockout
To reduce the effectiveness of password guessing attacks, you can configure account lockout
on the system. If you enable account lockout, the system temporarily locks an account after a
specified number of log on failures.
To enable account lockout, use the pwConfig tool to configure the 'Deny after this many log on
failures' parameter to a value other than zero. To subsequently disable account lockout, change
the value back to zero.
To configure the length of time that the account remains locked out, use the pwConfig tool to
configure the Unlock account duration (seconds) parameter. If you disable account lockout,
the Unlock account duration parameter has no effect. For more information, see Modifying
password complexity rules menu on page 36.
If the system locks an account because of successive failed attempts to log on, the
administrator cannot log on to the system until the lockout period expires. An SSA can unlock
an administrator's account during the lockout period by using the userMgt tool to disable and
subsequently enable the locked out administrator. Additionally, after three consecutive failed
access attempts, the SSH or SFTP connection terminates and the user must re-establish the
connection to log on.
After an account reaches the lockout threshold, the system generates a security log entry.
Password complexity
You can configure password policy rules to define the appropriate characters used for
administrator passwords. Administrators set these passwords using either /usr/bin/passwd
or the userMgt tool.
The password complexity settings only affect subsequently configured passwords; they do not
affect current passwords.
You manage password complexity on a per-server basis. There is no automatic password
complexity synchronization between servers. Therefore, if you change any value
on one server, you must manually change it on all of the other servers. For more information
about the parameters, see Table 1: Password complexity parameters on page 27. For more
information about how to configure the parameters, see Modifying password complexity rules
menu on page 36.
Table 1: Password complexity parameters

Parameter                        Description
Minimum lowercase chars          Minimum number of lowercase characters (a-z) that the
                                 password must contain. The system rejects passwords
                                 that contain fewer lowercase characters. Default: 2
Minimum uppercase chars          Minimum number of uppercase characters (A-Z) that the
                                 password must contain. The system rejects passwords
                                 that contain fewer uppercase characters. Default: 2
Minimum digits                   Minimum number of digit characters (0-9) that the
                                 password must contain. The system rejects passwords
                                 that contain fewer digit characters. Default: 2
Minimum special chars            Minimum number of special characters that the password
                                 must contain. Special characters are:
                                 . @ - _ & ^ ? ! ( ) , / \ : ; ~ = +
                                 The system rejects passwords that contain fewer special
                                 characters. Default: 0
Minimum change chars             Minimum number of characters by which the new password
                                 must differ from the previous password. The system
                                 ignores this value if at least half of the characters
                                 in the new password are different, or if the new
                                 password has more than 23 characters. Default: 0
Minimum password length          Minimum total number of characters a password must
                                 contain. The system rejects shorter passwords.
                                 Default: 8
Maximum consecutive repeat chars Maximum number of consecutive repeating characters
                                 permitted in a password. Default: 0
Deny after this many log on      Number of failed attempts to log on to an account
failures                         before the account is locked. Default: 0 (lockout
                                 disabled)
Unlock account duration          Time for which the account remains locked after log on
(seconds)                        failures. Default: 60
Old passwords to remember        Number of previous passwords the system remembers.
                                 Administrators cannot reuse any password on the
                                 remembered list. Regardless of the value of this
                                 parameter, administrators can never reuse the current
                                 password. Default: 0
Maximum password age (days)      Maximum number of days that an administrator's password
                                 can be used. After the specified number of days, the
                                 administrator must change the password to access the
                                 server. If you reduce this value, some existing
                                 passwords can expire immediately. Default: 90
Minimum password age (days)      Minimum number of days between password changes. This
                                 setting discourages administrators from immediately
                                 changing their passwords back to a previously used
                                 password (password flipping). Default: 1
Password change warning (days)   Number of days in advance that administrators receive
                                 warning that their passwords will expire. If an
                                 administrator logs on within this number of days before
                                 expiry, a message appears to indicate that the password
                                 will expire soon. Default: 7
Idle session timeout (seconds)   Number of seconds a session can be idle before it times
                                 out. Default: 600 (10 minutes)
You can modify the password complexity rules at any time; however, the configured rules apply
only to passwords that are set after the change. Existing passwords are not re-checked.
Important:
If the default password complexity configuration values (as shown in the preceding table)
do not meet your site requirements, Avaya recommends that you change the values
immediately after installation and commissioning, and before you add administrators to the
system.
The following non-configurable parameters also apply to password complexity:
- The system uses the Linux CrackLib library to ensure that the password is not based on
the user name or on a dictionary word. This library manipulates the new password in
various ways to try to determine whether the new password is based on the user name or a
dictionary word.
- Users must change their passwords during initial log on. Users cannot access the system
with the temporary passwords.
- The password cannot be a palindrome.
- The root user password does not adhere to the password complexity rules. Ensure that only
a very limited number of individuals know the root password for the servers.
- The backup and restore process includes all files related to password complexity.
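The following checker, added as an example and not code from this guide or from the pwConfig tool, applies the Table 1 rules and the non-configurable rules above (palindrome, user name, dictionary word) to a candidate password so that an SSA can see which rule a rejection comes from before changing the profile. It assumes that a value of 0 for "Maximum consecutive repeat chars" and "Minimum change chars" means the rule is disabled (the text does not say), uses a five-word stand-in for the CrackLib dictionary, and approximates CrackLib's "based on" test by undoing common digit-for-letter substitutions before comparing.

```python
import re

# Default values from Table 1 of this guide. Treating 0 for "max_repeat" and
# "min_change_chars" as "rule disabled" is an assumption of this example.
DEFAULT_POLICY = {
    "min_lower": 2, "min_upper": 2, "min_digits": 2, "min_special": 0,
    "min_length": 8, "max_repeat": 0, "min_change_chars": 0,
}
SPECIAL_CHARS = set(". @ - _ & ^ ? ! ( ) , / \\ : ; ~ = +".split())

# Stand-in for the CrackLib word list; a real check uses the system dictionary.
DICTIONARY = {"password", "avaya", "welcome", "summer", "qwerty"}
# Substitutions CrackLib-style checks undo before comparing against the list.
LEET = str.maketrans("0134@$5!", "oleaassi")


def _normalise(pw):
    return re.sub(r"[^a-z]", "", pw.lower().translate(LEET))


def based_on_word(pw, word):
    """True if the password contains the word, or its reverse, once cosmetic
    digits and symbols are stripped (simplified CrackLib 'based on' test)."""
    w = word.lower()
    norm = _normalise(pw)
    return len(w) >= 4 and (w in norm or w[::-1] in norm)


def check_password(new, username, old=None, policy=DEFAULT_POLICY):
    """Return the list of rules the candidate violates; an empty list means accepted."""
    v = []
    counts = {
        "min_lower": sum(c.islower() for c in new),
        "min_upper": sum(c.isupper() for c in new),
        "min_digits": sum(c.isdigit() for c in new),
        "min_special": sum(c in SPECIAL_CHARS for c in new),
    }
    for rule, have in counts.items():
        if have < policy[rule]:
            v.append(f"{rule}: have {have}, need {policy[rule]}")
    if len(new) < policy["min_length"]:
        v.append(f"min_length: have {len(new)}, need {policy['min_length']}")
    if policy["max_repeat"] and new:
        longest = max(len(m.group(0)) for m in re.finditer(r"(.)\1*", new))
        if longest > policy["max_repeat"]:
            v.append(f"max_repeat: run of {longest} exceeds {policy['max_repeat']}")
    # Non-configurable rules: palindrome, user name, dictionary word.
    if new == new[::-1]:
        v.append("palindrome")
    if based_on_word(new, username):
        v.append("based on user name")
    hits = sorted(w for w in DICTIONARY if based_on_word(new, w))
    if hits:
        v.append(f"based on dictionary word {hits[0]!r}")
    if old is not None:
        if new == old:
            v.append("same as current password")
        elif policy["min_change_chars"] and len(new) <= 23:
            changed = sum(1 for c in new if c not in old)
            # Ignored when at least half of the new password's characters differ.
            if changed < policy["min_change_chars"] and 2 * changed < len(new):
                v.append(f"min_change_chars: only {changed} differ, "
                         f"need {policy['min_change_chars']}")
    return v


if __name__ == "__main__":
    for candidate in ("Tr0ub4dor&3Xq", "password", "Ab12c21bA", "NtSysAdm42"):
        print(candidate, "->", check_password(candidate, "ntsysadm") or "accepted")
```

Note that "P@ssw0rd" style passwords pass every count-based rule and are rejected only by the dictionary test, which is why the guide's defaults (two of each class, length 8) should be read as a floor, not a policy.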
Password changes
When administrators use the UNIX passwd command to change their passwords, or when they
change the password during log on (for initial or expired passwords), the system applies all of
the enabled password complexity rules.
When an SSA uses the userMgt tool to change a password, the following rules do not apply:
- Password history (Old passwords to remember)
- Case change from previous password
- Characters changed from previous password (Minimum change chars)
For more information about platform user account passwords, see Platform administrator
security management on page 35.
Inactive platform account auditing
You can configure the system to automatically lock out inactive platform administrator accounts
after a period of inactivity. If an administrator is locked out, that administrator cannot log on to
the platform without intervention by another administrator.
The system does not automatically delete locked out inactive administrator accounts. The site
administrator is responsible for monitoring locked out accounts and deleting them as
needed.
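The lockout behaviour described under Account lockout and the inactivity lockout described here interact with the same account state, so the following model, added as an example rather than taken from this guide or from pwConfig, puts both in one place: a failure counter with 'Deny after this many log on failures' and 'Unlock account duration (seconds)' semantics, the SSA's disable-then-enable reset, and an inactivity sweep that locks but never deletes. It assumes that an account which has never logged on counts as inactive, and that a correct password during the lockout period is still refused, as the text states. The class and method names are this example's own.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class AccountState:
    enabled: bool = True
    failures: int = 0                   # consecutive failed log ons
    locked_at: Optional[float] = None   # epoch seconds when the lockout began
    last_login: Optional[float] = None  # epoch seconds of last successful log on


class AccountPolicy:
    """Models 'Deny after this many log on failures', 'Unlock account duration
    (seconds)' and the inactive-account lockout. deny_after=0 disables lockout,
    in which case unlock_seconds has no effect, as the guide states."""

    def __init__(self, deny_after=0, unlock_seconds=60, inactive_days=0):
        self.deny_after = deny_after
        self.unlock_seconds = unlock_seconds
        self.inactive_days = inactive_days

    def is_locked(self, acct: AccountState, now: float) -> bool:
        if acct.locked_at is None:
            return False
        if now - acct.locked_at >= self.unlock_seconds:
            acct.locked_at, acct.failures = None, 0   # lockout period expired
            return False
        return True

    def attempt(self, acct: AccountState, now: float, password_ok: bool) -> Tuple[bool, str]:
        """Evaluate one log on attempt; the second element is the audit outcome."""
        if not acct.enabled:
            return False, "disabled"
        if self.is_locked(acct, now):
            return False, "locked"            # a correct password does not help
        if password_ok:
            acct.failures, acct.last_login = 0, now
            return True, "ok"
        acct.failures += 1
        if self.deny_after and acct.failures >= self.deny_after:
            acct.locked_at = now
            return False, "lockout-threshold-reached"   # the security log event
        return False, "bad-password"

    def ssa_unlock(self, acct: AccountState) -> None:
        """What the SSA does in userMgt: disable, then re-enable the account."""
        acct.enabled = False
        acct.enabled, acct.failures, acct.locked_at = True, 0, None

    def audit_inactive(self, accounts: Dict[str, AccountState], now: float) -> List[str]:
        """Lock (never delete) accounts idle longer than inactive_days.
        Never-logged-on accounts count as inactive (assumption of this example)."""
        if not self.inactive_days:
            return []
        limit = self.inactive_days * 86400
        hit = []
        for name, acct in sorted(accounts.items()):
            if acct.last_login is None or now - acct.last_login > limit:
                acct.enabled = False
                hit.append(name)
        return hit
```

With deny_after=3 and unlock_seconds=60, the third wrong password locks the account and the next attempt, even with the right password, is refused until 60 seconds have passed; only the SSA reset or the timer clears it. The inactivity sweep returns the names it disabled so that the site administrator can review and delete them by hand, which is what the guide requires.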
Root user access
The root user must log on to the server using the console keyboard, video and mouse (KVM).
Root users must change their passwords on first logon after installation.
The password for this account is subject to password complexity rules. Because the initial
(during installation) password complexity rules are minimal, Avaya recommends that you
change the password for this account after you complete the procedure to configure (harden)
password complexity rules.
On the SIP Core servers, users assigned the System Security Administrator (SSA) role, in
addition to full-time Super User Do (sudo) access, have full root access.
Even though SSA/sudo users have unrestricted root-level privileges, their actions are logged
in the system security log because they are logged on under their individual user IDs.
Individual user accounts
Individual user accounts allow for full accountability and monitoring of individual actions. If the
installer chooses this option during server installation, the System Security Administrator (SSA)
must create each individual user account after the installation is complete. For more
information about installation, see the installation method for your system.
You manage user accounts on a per-server basis. Therefore, the SSA must create identical
users on each server within the system.
The SSA uses the User Management Configuration tool (userMgt) to create, modify, and delete
users. The SSA configures the rules for administrator user names using the pwConfig tool.
Each individual user account has its own password, which is subject to the password
complexity rules. The SSA can disable or re-enable each individual user account as necessary.
Individual user accounts have a home directory under /home/. If the SSA removes the
user account, the home directory is also removed.
Preconfigured accounts
During server installation, the installation software creates the following user accounts:
- ntappadm: The primary role of this account is the Application Administrator (AA) role.
This account replaces the avaya user found on previous systems.
- ntdbadm: The primary role of this account is the Database Administrator (DBA) role.
- ntsysadm: The primary role of this account is the System Security Administrator (SSA)
role. The ntsysadm account, by default, has ALL sudo root access. You can remove full
sudo access, if required, by invoking the userMgt tool as root. This account replaces the
sysadmin user found on previous systems.
- ntsecadm: The primary role of this account is the Security Auditor (SA) role.
- ntbackup: The primary role of this account is the Backup Administrator (BA) role.
- ntossadm: The primary role of this account is the OSS Administrator (OSS) role. An
Operational Support Server (OSS) uses this account to connect to an Avaya Aura
Application Server 5300 server to collect OSS logs.
For more information about installation, see the installation method for your system.
You can use the userMgt tool to manage all the preconfigured accounts.
Each preconfigured account uses "password" as the initial password. You must change the
initial password at first log on.
The account with the OSS role is protected by password authentication. This account is also
subject to lockout if the password is entered incorrectly and account lockout is
configured for the system. To change the password on this account, log on as the OSS user and
run the passwd command. You can also use the userMgt tool to reset the password for this
account.
The SSA can create additional individual user accounts. Additional individual accounts are
subject to the same password complexity profile as the preconfigured accounts. The SSA user
can delete preconfigured accounts. All preconfigured accounts are backed up and restored
during backup and restore procedures.
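Because accounts are created per server and must be identical across the system, and because the management roles (SSA, SA, AA, DBA) are expected to carry a primary GID below 500, a quick passwd(5) audit catches the drift that breaks file group ownership or leaves a server without one of the preconfigured accounts. The script below is an added example, not part of this guide or the userMgt tool; the /etc/passwd excerpts, UIDs, GIDs and GECOS strings are constructed for it, and the spare UID 0 account on the second server is there only to show the check firing.

```python
# Preconfigured accounts named in this section, and the subset whose primary
# role (SSA, SA, AA, DBA) the guide says has a system-range primary GID (<500).
PRECONFIGURED = {"ntappadm", "ntdbadm", "ntsysadm", "ntsecadm", "ntbackup", "ntossadm"}
SYSTEM_GID_ACCOUNTS = {"ntsysadm", "ntsecadm", "ntappadm", "ntdbadm"}

# Constructed /etc/passwd excerpts from two servers of one system. UIDs, GIDs,
# GECOS fields and shells are assumed for the example.
PASSWD_SERVER_A = """\
root:x:0:0:root:/root:/bin/bash
ntsysadm:x:500:101:System Security Administrator:/home/ntsysadm:/bin/bash
ntsecadm:x:501:102:Security Auditor:/home/ntsecadm:/bin/bash
ntappadm:x:502:103:Application Administrator:/home/ntappadm:/bin/bash
ntdbadm:x:503:104:Database Administrator:/home/ntdbadm:/bin/bash
ntbackup:x:504:504:Backup Administrator:/home/ntbackup:/bin/bash
ntossadm:x:505:505:OSS Administrator:/home/ntossadm:/bin/bash
jdoe:x:510:101:Jane Doe (SSA):/home/jdoe:/bin/bash
"""
PASSWD_SERVER_B = """\
root:x:0:0:root:/root:/bin/bash
toor:x:0:0:spare root:/root:/bin/bash
ntsysadm:x:500:101:System Security Administrator:/home/ntsysadm:/bin/bash
ntsecadm:x:501:102:Security Auditor:/home/ntsecadm:/bin/bash
ntappadm:x:502:600:Application Administrator:/home/ntappadm:/bin/bash
ntdbadm:x:530:104:Database Administrator:/home/ntdbadm:/bin/bash
ntbackup:x:504:504:Backup Administrator:/home/ntbackup:/bin/bash
"""


def parse_passwd(text):
    """name -> (uid, gid, home, shell) from passwd(5) formatted lines."""
    users = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, _pw, uid, gid, _gecos, home, shell = line.split(":", 6)
        users[name] = (int(uid), int(gid), home, shell)
    return users


def audit_server(users):
    """Per-server checks: preconfigured accounts present, no second UID 0,
    management roles in the system GID range."""
    findings = []
    for name in sorted(PRECONFIGURED - set(users)):
        findings.append(f"missing preconfigured account {name}")
    for name, (uid, gid, _home, _shell) in sorted(users.items()):
        if uid == 0 and name != "root":
            findings.append(f"{name}: UID 0 account other than root")
        if name in SYSTEM_GID_ACCOUNTS and gid >= 500:
            findings.append(f"{name}: primary GID {gid} outside the system range (<500)")
    return findings


def compare_servers(a, b):
    """Accounts are created per server, so UID/GID drift between servers is a
    configuration error worth catching before it breaks file ownership."""
    return {
        "only_on_a": sorted(set(a) - set(b)),
        "only_on_b": sorted(set(b) - set(a)),
        "mismatch": sorted(n for n in set(a) & set(b) if a[n][:2] != b[n][:2]),
    }


if __name__ == "__main__":
    ua, ub = parse_passwd(PASSWD_SERVER_A), parse_passwd(PASSWD_SERVER_B)
    print("server A:", audit_server(ua) or "clean")
    print("server B:", audit_server(ub) or "clean")
    print("drift:", compare_servers(ua, ub))
```

On a live server the input would be the contents of /etc/passwd collected from each node (the security auditor role can transfer such files off the server); the comparison only looks at UID and GID because those are what determine ownership of backup and log files that move between servers.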
Remote system accounts
The Avaya Aura Application Server 5300 system requires the following remote system
account: a user with the OSS role. An Operational Support Server (OSS) uses this account to
connect to an Avaya Aura Application Server 5300 server to collect OSS logs.
The system automatically creates this account during installation. For more information, see
Preconfigured accounts on page 31.
Secure Shell and Common Access Card integration
Administrators use Secure Shell (SSH) for remote access and administration of the Linux
servers. The Avaya Aura Application Server 5300 comes with OpenSSH installed. OpenSSH
is an open-source application which, as shipped, does not support two-factor authentication.
To satisfy requirements for two-factor authentication and Common Access Card (CAC)
integration, Avaya Aura Application Server 5300 also supports Attachmate Reflection for
Secure IT as an optional configuration. Attachmate Reflection is not included with Application
Server 5300. The purchase, installation and maintenance of Attachmate software are the
customer's responsibility. To install Attachmate Reflection for Secure IT, remove OpenSSH
during system installation and commissioning. For more information, see 106.1.5 AS5300 DoD
AttachMate Installation.
Attachmate Reflection for Secure IT includes both the Linux-based server side component and
the Windows-based client. Administrators can configure the Windows client to use certificates
on the CAC and Reflection Group Policies so that all Reflection sessions meet Department of
Defense (DoD) Public Key Infrastructure (PKI) requirements.
The following changes occur when you configure DoD PKI mode:
- The default Reflection configuration uses either CRL checking or an OCSP responder. In
DoD PKI mode, the option to use neither form of checking is disabled.
- Reflection enforces FIPS-approved encryption algorithms. For SSH connections, this
means that only FIPS-approved options are available on the Encryption tab of the Secure
Shell settings dialog box.
- For a connection to succeed, the host name specified in the certificate must exactly match
the h