...
Use the admin object to configure system administration related parameters in the system. You can configure the audit log state, system location, IP version used, password rules and other parameters.

Set Command

Command Syntax

Command syntax for the set command is shown below.
```
% set system admin <SYSTEM NAME> accountManagement
    accountAging
        accountAgingPeriod <30-180>
        state <disabled | enabled>
    bruteForceAttack
        allowAutoUnlock <disabled | enabled>
        consecutiveFailedAttemptAllowed <1-10>
        state <disabled | enabled>
        unlockTime <30-3600 seconds>
    maxSessions <1-5>
    passwordAging
        passwordAgingPeriod <30-180>
        passwordExpiryWarningPeriod <3-14>
        state <disabled | enabled>
    sessionIdleTimeout
        idleTimeout <1-120>
        state <disabled | enabled>
```

```
% set system admin <SYSTEM NAME> auditLogState <disabled | enabled>
```

```
% set system admin <SYSTEM NAME> banner <system name>
    ackBanner <disable | enable>
    bannerText <text>
```

CLI Set Warning Support:

```
% set system admin <SYSTEM NAME> cliSetWarningSupport <disabled | enabled>
```

```
% set system admin <SYSTEM NAME> contact <contact_info>
```

```
% set system admin <SYSTEM NAME> dod
    cliAccess <disabled | enabled>
    mode <disabled | enabled>
    pmAccess <disabled | enabled>
```

```
% set system admin <SYSTEM NAME> dspMismatchAction <preserveCapacity | preserveRedundancy>
```

External Authentication:

```
% set system admin <SYSTEM NAME> externalAuthenticationEnabled <false | true>
```

```
% set system admin <SYSTEM NAME> fips-140-2 mode <disabled | enabled>
```

Local Authentication:

```
% set system admin <SYSTEM NAME> localAuthenticationEnabled <false | true>
```

```
% set system admin <SYSTEM NAME> location <location_info>
```

```
% set system admin <SYSTEM NAME> passwordRules
    maximumRepeatingCharsCount <#>
    minimumDiffWithOldPassword <#>
    minimumLength <#>
    minimumNumberOfDigits <#>
    minimumNumberOfLowercaseChars <#>
    minimumNumberOfOtherChars <#>
    minimumNumberOfUppercaseChars <#>
    passwordHistoryDepth <#>
```

```
% set system admin <SYSTEM NAME> rest state <disabled | enabled>
```

Standby Server State:

```
% set system admin <SYSTEM NAME> standbyServerState <disabled | enabled>
```

Resource Monitor Stats Interval:

```
% set system admin <SYSTEM NAME> utilMonitorStatsInterval <#>
```

Number of Past Resource Monitor Stats:

```
% set system admin <SYSTEM NAME> utilMonitorStatsNumOfPastInterval <#>
```
Command Parameters

Table: System Admin Parameters (set)

| Parameter | Length/Range | Description |
|---|---|---|
| admin | N/A | Use this object to specify the system name. |
| accountManagement | N/A | Use this feature to manage system-level account and password related settings. See the Account Management Parameters table below for details. |
| auditLogState | N/A | Use this flag to specify the management audit log state. Values: disabled, enabled (default). |
| banner | 1-23 | Use this parameter to customize the post-login banner of the EMA and CLI applications. ackBanner: enable this flag to require the user to acknowledge (accept) the banner before gaining access to the system each time the user logs in (disabled (default), enabled). bannerText: the banner text to display when users log in to the EMA and CLI applications. Note: "Field Service" and "Operator" user types are not allowed to change the Login Banner configuration. |
| cliSetWarningSupport | N/A | When this flag is enabled, warning prompts are configured for the "set" command. Values: disabled, enabled (default). |
| contact | N/A | Use this parameter to specify system contact information (default is "Unknown"). |
| dod | N/A | Use this object to enable DoD mode, and to enable/disable CLI and/or EMA access for temporary troubleshooting and diagnostics. cliAccess: temporarily enable the CLI for troubleshooting and diagnostics while the SBC is in DoD mode (disabled (default), enabled). mode: enable/disable DoD mode (disabled (default), enabled). pmAccess: temporarily enable the EMA's Platform Mode for troubleshooting and diagnostics while the SBC is in DoD mode (disabled (default), enabled). Warning: enabling CLI and/or EMA access in DoD mode lowers the security posture of the SBC. Remember to disable CLI and PM access once troubleshooting and/or diagnostics are completed. |
| dspMismatchAction | N/A | Use this parameter to specify the action to take if a DSP mismatch is detected between the active and standby servers. preserveCapacity: the Active continues to use the extra DSP capacity as needed, assuming appropriate session licenses are in place; partial redundancy is in effect. Note: if a switchover occurs, calls using the extra, non-matching DSP capacity on the Active are not protected during the switchover (i.e. partial redundancy). preserveRedundancy (default): the Active automatically triggers a graceful dry-up in an attempt to align DSP hardware capabilities; once the dry-up completes, the Active SBC uses the protected, matching DSP capacity to preserve redundancy. Note: during the dry-up period, active calls using the extra, non-matching DSP capacity are not protected if a switchover occurs before the dry-up completes. |
| externalAuthenticationEnabled | N/A | When true, the confd CLI user information stored on a remote RADIUS server is available for authentication. Values: false, true. |
| fips-140-2 mode | N/A | Use this object to enable FIPS 140-2 mode. Values: disabled (default), enabled. Note: once fips-140-2 mode is enabled, it cannot be disabled through the configuration; a fresh software installation is required to set FIPS 140-2 mode back to disabled. For complete details of configuring the SBC for FIPS 140-2 compliance, see the Enabling SBC for FIPS 140-2 Compliance page. |
| localAuthenticationEnabled | N/A | When true, the confd CLI user information stored locally is available for authentication. Values: false, true. |
| location | N/A | Specifies the physical location of the system. |
| passwordRules | N/A | The rules implementing the confd user password policy. maximumRepeatingCharsCount: maximum number of consecutive repeating characters in the password (range 3-16 / default 3). minimumDiffWithOldPassword: minimum number of differences between the old and the new password (range 1-8 / default 4). minimumLength: minimum number of characters in the password (range 8-24 / default 8). minimumNumberOfDigits: minimum number of digits in the password (range 0-16 / default 1). minimumNumberOfLowercaseChars: minimum number of lower-case characters in the password (range 0-16 / default 1). minimumNumberOfOtherChars: minimum number of non-alphanumeric characters in the password (range 0-16 / default 1). minimumNumberOfUppercaseChars: minimum number of upper-case characters in the password (range 0-16 / default 1). passwordHistoryDepth: the number of most recent passwords that are prevented from re-use (range 0-10 / default 4). |
| rest | N/A | Enable this flag to support the REST API. For REST API details, see the REST API User's Guide. Values: disabled (default), enabled. |
| standbyServerState | N/A | Use this flag to manually enable or disable the standby server if the active server fails. Values: disabled, enabled (default). |
| utilMonitorStatsInterval | 5-60 | Specifies the time interval for system resource monitoring statistics. This parameter defines the timer interval, in minutes, used by configuration management for measuring the statistics of certain resources (default = 15). |
| utilMonitorStatsNumOfPastInterval | 1-12 | The number of past intervals that can be configured for retrieving the statistics data (default = 4). |
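An added example (not code from this page or from the product) that applies the passwordRules described above to candidate passwords, preset to the documented defaults; the `PasswordRules`, `check_password`, `longest_repeat` and `diff_from_old` names and the old-versus-new password difference metric are assumptions, since the page does not state how the difference is measured:

```python
# Added example, not from the SBC documentation or the product's own code: a
# checker for the passwordRules parameters described above, preset to the
# page's defaults. The minimumDiffWithOldPassword metric is an assumption
# (positional mismatches plus any length change); the page does not state it.
from dataclasses import dataclass

@dataclass
class PasswordRules:
    maximumRepeatingCharsCount: int = 3      # range 3-16
    minimumDiffWithOldPassword: int = 4      # range 1-8
    minimumLength: int = 8                   # range 8-24
    minimumNumberOfDigits: int = 1           # range 0-16
    minimumNumberOfLowercaseChars: int = 1   # range 0-16
    minimumNumberOfOtherChars: int = 1       # non-alphanumeric, range 0-16
    minimumNumberOfUppercaseChars: int = 1   # range 0-16
    passwordHistoryDepth: int = 4            # range 0-10

def longest_repeat(pw):
    """Length of the longest run of one character repeated consecutively."""
    best = run = 0
    for i, ch in enumerate(pw):
        run = run + 1 if i and pw[i - 1] == ch else 1
        best = max(best, run)
    return best

def diff_from_old(new, old):
    """Assumed difference metric: positional mismatches plus length change."""
    return sum(a != b for a, b in zip(new, old)) + abs(len(new) - len(old))

def check_password(new, history, rules=None):
    """Return the names of violated rules (empty list means accepted).
    history holds previous passwords, newest first; only the most recent
    passwordHistoryDepth of them are checked for reuse."""
    rules = rules or PasswordRules()
    violated = []
    if len(new) < rules.minimumLength:
        violated.append("minimumLength")
    if sum(c.isdigit() for c in new) < rules.minimumNumberOfDigits:
        violated.append("minimumNumberOfDigits")
    if sum(c.islower() for c in new) < rules.minimumNumberOfLowercaseChars:
        violated.append("minimumNumberOfLowercaseChars")
    if sum(c.isupper() for c in new) < rules.minimumNumberOfUppercaseChars:
        violated.append("minimumNumberOfUppercaseChars")
    if sum(not c.isalnum() for c in new) < rules.minimumNumberOfOtherChars:
        violated.append("minimumNumberOfOtherChars")
    if longest_repeat(new) > rules.maximumRepeatingCharsCount:
        violated.append("maximumRepeatingCharsCount")
    if history and diff_from_old(new, history[0]) < rules.minimumDiffWithOldPassword:
        violated.append("minimumDiffWithOldPassword")
    if new in history[:rules.passwordHistoryDepth]:
        violated.append("passwordHistoryDepth")
    return violated
```

A password that matches one older than the configured history depth is accepted, which is the behaviour passwordHistoryDepth describes.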
Table: Account Management Parameters

| Parameter | Length/Range | Description |
|---|---|---|
| accountAging | N/A | Use this parameter to enable account aging and to specify the account expiration duration. accountAgingPeriod: the number of days to elapse, after which the account is locked if left unused (range 30-180 / default 30). state: set this flag to "enabled" to enable account aging system-wide (disabled, enabled (default)). |
| bruteForceAttack | N/A | Configuration for defense against brute-force OAM password guessing attempts. allowAutoUnlock: enable automatic unlock of an account blocked due to consecutive wrong password attempts (disabled (default), enabled). consecutiveFailedAttemptAllowed: the number of consecutive failed login attempts allowed before the account is locked; as a safety measure, the system will not lock out the last/only active Administrator user on the platform (range 1-10 / default 3). Note: you must first set state to 'disabled' before changing the value of consecutiveFailedAttemptAllowed. state: enable/disable defense against brute-force OAM password guessing attempts (disabled (default), enabled). unlockTime: if allowAutoUnlock is enabled, the time (in seconds) to elapse before a locked account automatically unlocks (range 30-3600 / default 30). |
| bruteForceAttackOS | N/A | Use this configuration to defend the Linux OS against brute-force attacks. OSstate: enable this flag to defend the Linux OS against brute-force attacks (enabled, disabled (default)). allowOSAutoUnlock: enable this flag to automatically unlock the Linux OS account after the number of seconds set by the unlockOSTime parameter (enabled, disabled (default)). consecutiveFailedOSAttemptAllowed: the number of consecutive failed login attempts allowed before the account is locked (range 1-10 / default 3). unlockOSTime: the time interval after which the disabled Linux OS account automatically unlocks (range 30-5400 seconds / default 30 seconds). |
| maxSessions | 1-5 | Maximum number of simultaneous sessions allowed per user (default = 2). |
| passwordAging | N/A | Password expiration configuration. passwordAgingPeriod: the number of days to elapse, after which a password expires (range 30-180 / default 90). passwordExpiryWarningPeriod: the number of days before the password expiry date on which the user receives a warning to change the password (range 3-14 / default 12). state: enable/disable the password aging feature (disabled, enabled (default)). |
| sessionIdleTimeout | N/A | Session idle timeout configuration. idleTimeout: the amount of idle time, in minutes, to elapse before a session is ended due to inactivity (range 1-120 / default 10). state: to use this feature, set this flag to "enabled" (disabled, enabled (default)). |
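An added example (not code from this page or from the product) modelling the bruteForceAttack lockout behaviour described above, including auto-unlock after unlockTime and the documented rule that the last/only active Administrator is never locked out; the `LockoutPolicy`, `Account` and `login` names and the use of a plain seconds counter for time are assumptions:

```python
# Added example, not from the SBC documentation or the product's own code: a
# model of the bruteForceAttack lockout described above (state, allowAutoUnlock,
# consecutiveFailedAttemptAllowed, unlockTime), including the documented rule
# that the last/only active Administrator is never locked out. Names are assumed.
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class BruteForceAttack:
    state: str = "disabled"                    # disabled (default) | enabled
    allowAutoUnlock: bool = False              # disabled (default) | enabled
    consecutiveFailedAttemptAllowed: int = 3   # range 1-10
    unlockTime: int = 30                       # seconds, range 30-3600

@dataclass
class Account:
    name: str
    is_admin: bool = False
    failed: int = 0                    # consecutive failed attempts so far
    locked_at: Optional[float] = None  # time of lockout, None when unlocked

class LockoutPolicy:
    def __init__(self, cfg: BruteForceAttack, accounts: List[Account]):
        self.cfg = cfg
        self.accounts = {a.name: a for a in accounts}

    def is_locked(self, name: str, now: float) -> bool:
        """Report lock state, applying auto-unlock once unlockTime has elapsed."""
        acct = self.accounts[name]
        if acct.locked_at is None:
            return False
        if self.cfg.allowAutoUnlock and now - acct.locked_at >= self.cfg.unlockTime:
            acct.locked_at, acct.failed = None, 0
            return False
        return True

    def _unlocked_admins(self, now: float) -> List[str]:
        return [a.name for a in self.accounts.values()
                if a.is_admin and not self.is_locked(a.name, now)]

    def login(self, name: str, password_ok: bool, now: float) -> str:
        """Return 'ok', 'denied' or 'locked' for one login attempt at time now."""
        acct = self.accounts[name]
        if self.is_locked(name, now):
            return "locked"
        if password_ok:
            acct.failed = 0          # a success resets the consecutive count
            return "ok"
        acct.failed += 1
        if (self.cfg.state == "enabled"
                and acct.failed >= self.cfg.consecutiveFailedAttemptAllowed
                # Safety measure from the page: never lock the last active Administrator.
                and not (acct.is_admin and self._unlocked_admins(now) == [name])):
            acct.locked_at = now
        return "denied"
```

With the page's example settings (state enabled, allowAutoUnlock enabled, 3 attempts, unlockTime 300) a non-admin account locks on the third failure and is accepted again 300 seconds later, while a sole Administrator keeps receiving plain denials.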
Request Command

Command syntax for the request command is shown below.

Command Syntax

```
% request system admin <SYSTEM NAME>
    ...
    loadConfig
        allowOldVersion <no | yes>
        filename
    reGenerateSshRsaKeys
    reKeyConfdEncryptionKeys
    removeSavedConfig fileName <filename>
    restart
    saveConfig fileNameSuffix <suffix>
    setHaConfig
        bondMonitoring <currentValue | direct-connect | network-connect>
        leaderElection <currentValue | enhanced | standard>
    softReset
    switchover
    verifyDatabaseIntegrity <activeAndStandbyPolicy | activeConfigAndActivePolicy | all>
    zeroizePersistenKeys
```
Command Parameters

Table: System Admin Parameters (request)

| Parameter | Description |
|---|---|
| ... | ... |
| identify | Turn on/off the locator LED of the specified server for the amount of time set with the duration sub-parameter. duration: the duration (in seconds) to illuminate the locator LED of the specified server (range 0-255). The LED illuminates for the specified number of seconds and then extinguishes. A duration of "0" turns off the locator LED and a duration of "255" turns the locator LED on indefinitely. If the duration is not specified, 15 seconds is used as the default value. |
| ... | ... |
| loadConfig | Load the saved configuration and restart the system without rebooting the servers. Note: in a redundant system, using loadConfig restarts both CEs. Note: if the error "reason Configuration file version not compatible with current software version. matrixFileNotAvailable" is returned, the lswuMatrixSBX5000.bin/lswuMatrixSBX5000.txt file is missing from the /opt/sonus directory. You must restore these files from the release package of the currently running software, whose name follows the pattern "sbc-V0X.YY.ZZRQQQ.x86_64.tar.gz": unzip and untar the current release's tar.gz file in that directory, return to the CLI and perform the command again. |
| reGenerateSshRsaKeys | Use this control to regenerate all SSH keys. |
| reKeyConfdEncryptionKeys | Use this control to regenerate the system configuration database encryption keys. Note: it is recommended to back up the current encrypted parameters in plaintext, if possible, and to perform a full configuration backup immediately after this activity has successfully completed. |
| removeSavedConfig | Remove the saved configuration from the system. fileName: the filename of the configuration to remove from the system. |
| restart | Restart the system (all CEs). |
| saveConfig | Save the current configuration. fileNameSuffix: the filename suffix to use when saving the configuration. |
| setHaConfig | Use this action command to configure the SBC for Geographical Redundancy High Availability (GRHA) mode, where the active and standby servers are located in two different data centers to protect the SBCs against data center and network failures. To configure or change just one setting, use the currentValue option for the other setting. bondMonitoring: select the bond monitoring type for GRHA mode (currentValue, direct-connect, network-connect). leaderElection: select the leader election algorithm type to use for GRHA mode (currentValue, enhanced, standard). Note: Bond monitoring is not applicable to . |
| softReset | Restart the applications on the system without rebooting the server(s). |
| switchover | Perform a switchover of the management applications and restart all applications on the currently active server. |
| verifyDatabaseIntegrity | Use this command to verify that the policy and configuration databases on the active server are in sync and that the policy databases on the active and standby servers are in sync. Because these checks take a few seconds to execute, it is not advisable to run them constantly on systems. activeAndStandbyPolicy: check whether the policy databases on the active and standby servers are in sync. activeConfigAndActivePolicy: check whether the policy and configuration databases on the active server are in sync. all: perform both of the above checks. To view the results of these checks, use the 'show table system databaseIntegrity' command; see Show Table System for details. |
| zeroizePersistenKeys | Use this control to securely erase all persistent CSPs from the system. The server reboots after confirmation. |
Command Examples

The following example displays system administrative information:

```
% show system admin
admin sbx1 {
    auditLogState enabled;
    dspMismatchAction preserveRedundancy;
    passwordRules {
        minimumLength 8;
        minimumNumberOfUppercaseChars 1;
        minimumNumberOfLowercaseChars 1;
        minimumNumberOfDigits 1;
        minimumNumberOfOtherChars 1;
        passwordHistoryDepth 4;
        maximumRepeatingCharsCount 3;
        minimumDiffWithOldPassword 4;
    }
    fips-140-2 {
        mode disabled;
    }
    dod {
        mode disabled;
    }
}
```

The following example turns on the locator LED for 60 seconds:

...

The following example sets the banner content to require user acknowledgement:

```
% set system admin SBC01 banner ackBanner enabled bannerText "This computer system, including all related equipment and network devices (including Internet access), are provided for authorized use only"
% commit
```

The following example uses the Account Management feature to accomplish the following actions:
- Allow a locked account to unlock after five minutes
- Enable defense against brute force attacks
- Set the number of consecutive failed attempts to "3"

```
% set system admin MYSBC accountManagement bruteForceAttack state enabled allowAutoUnlock enabled consecutiveFailedAttemptAllowed 3 unlockTime 300
% show system admin MYSBC accountManagement bruteForceAttack
state enabled;
consecutiveFailedAttemptAllowed 3;
allowAutoUnlock enabled;
unlockTime 300;
```

To set the bond monitoring type to 'network-connect' and the leader election algorithm type to 'enhanced':

```
% request system admin sbx1 setHaConfig bondMonitoring network-connect leaderElection enhanced
```

To set the bond monitoring type to 'direct-connect' and retain the current leader election algorithm setting:

```
% request system admin sbx1 setHaConfig bondMonitoring direct-connect leaderElection currentValue
```