In this section:
Use the admin
object to configure system administration related parameters in the
Command syntax for the set
command is shown below.
% set system admin <SYSTEM NAME> accountManagement accountAging accountAgingPeriod <30-180> state <disabled | enabled> bruteForceAttack allowAutoUnlock <disabled | enabled> consecutiveFailedAttemptAllowed <1-10> state <disabled | enabled> unlockTime <30-3600 seconds> maxSessions <1-5> passwordAging passwordAgingPeriod <30-180> passwordExpiryWarningPeriod <3-14> state <disabled | enabled> sessionIdleTimeout idleTimeout <1-120> state <disabled | enabled>
% set system admin <SYSTEM NAME> auditLogState <disabled | enabled>
% set system admin <SYSTEM NAME> banner <system name> ackBanner <disable | enable> bannerText <text>
% set system admin <SYSTEM NAME> cliSetWarningSupport <disabled | enabled>
% set system admin <SYSTEM NAME> contact <contact_info>
% set system admin <SYSTEM NAME> dod cliAccess <disabled | enabled> mode <disabled | enabled> pmAccess <disabled | enabled>
% set system admin <SYSTEM NAME> dspMismatchAction <preserveCapacity | preserveRedundancy>
% set system admin <SYSTEM NAME> externalAuthenticationEnabled <false | true>
% set system admin <SYSTEM NAME> fips-140-2 mode <disabled | enabled>
% set system admin <SYSTEM NAME> localAuthenticationEnabled <false | true>
% set system admin <SYSTEM NAME> location <location_info>
% set system admin <SYSTEM NAME> passwordRules maximumRepeatingCharsCount <#> minimumDiffWithOldPassword <#> minimumLength <#> minimumNumberOfDigits <#> minimumNumberOfLowercaseChars <#> minimumNumberOfOtherChars <#> minimumNumberOfUppercaseChars <#> passwordHistoryDepth <#>
% set system admin <SYSTEM NAME> rest state <disabled | enabled>
% set system admin <SYSTEM NAME> standbyServerState <disabled | enabled>
% set system admin <SYSTEM NAME> utilMonitorStatsInterval <#>
% set system admin <SYSTEM NAME> utilMonitorStatsNumOfPastInterval <#>
Parameter | Length/Range | Description |
---|---|---|
| N/A | Use this object to specify system name. |
accountManagement | N/A | Use this feature to manage system level account and password related settings. See Account Management Parameters table below for details. |
| N/A | Use this flag to specify the management audit log state.
|
| 1-23 | Use this parameter to customize the post-login banner from EMA and CLI applications.
"Field Service" and "Operator" user types are not allowed to change the Login Banner configuration. |
| N/A | When this flag is enabled, warning prompts are configured for the "set" command.
|
| N/A | Use parameter to specify system contact information. (default is "Unknown") |
dod | N/A | Use this object to enable DoD mode, and to enable/disable CLI and/or EMA access for temporary troubleshooting and diagnostics.
Enabling CLI and/or EMA for DoD mode lowers the security posture of the SBC. Remember to disable CLI and PM access once troubleshooting and/or diagnostics is completed. |
dspMismatchAction | N/A | Use this parameter to specify the action to take if a DSP mismatch is detected between the active and standby servers.
|
| N/A | The confd CLI user information stored on remote RADIUS server is available for authentication.
|
fips-140-2 mode | N/A | Use this object to enable FIPS-140-2 mode.
Once fips-140-2 mode is enabled, it cannot be 'disabled' through the configuration. A fresh software installation is required to set the FIPS-140-2 mode back to 'disabled'. For complete details of configuring the Unable to show "metadata-from": No such page "_space_variables" for FIPS 140-2 compliance, see Enabling SBC for FIPS 140-2 Compliance page. |
| N/A | The confd CLI user information stored locally is available for authentication.
|
| N/A | Specifies the physical location of the system. |
| N/A | The rules implementing confd user password policy.
|
rest | N/A | Enable this flag to allow Unable to show "metadata-from": No such page "_space_variables" to support REST API. For REST API details, see REST API User's Guide.
|
| N/A | Use this flag to manually enable or disable standby server if the active server fails.
|
| 5-60 | Specifies time interval for system resource monitoring statistics. This parameter defines the range of timer interval in minutes used by configuration management for measuring the statistics of certain resources. (default = 15). Note
If using the EMS in your network, configure EMS PM data collection intervals for the SBC to be both:
Refer to Insight EMS User Guide for configuration details. |
| 1-12 | The number of past intervals that can be configured for retrieving the statistics data. (default = 4). |
Parameter | Length/Range | Description |
---|---|---|
accountAging | N/A | Use this parameter to enable account aging, and to specify the account expiration duration.
|
bruteForceAttack | N/A | Configuration for defense against brute force OAM password guessing attempts.
|
bruteForceAttackOS | N/A | Use this configuration to defend against brute force attacks to Linux OS.
|
maxSessions | 1-5 | Maximum number of simultaneous sessions allowed per user (default = 2). |
passwordAging | N/A | Password expiration related configuration.
|
sessionIdleTimeout | N/A | Session idle timeout related configuration.
|
Command syntax for the request
command is shown below.
% request system admin <SYSTEM NAME> loadConfig allowOldVersion <no | yes> filename reGenerateSshRsaKeys reKeyConfdEncryptionKeys removeSavedConfig fileName <filename> restart saveConfig fileNameSuffix <suffix> setHaConfig bondMonitoring <currentValue | direct-connect | network-connect> leaderElection <currentValue | enhanced | standard> softReset switchover verifyDatabaseIntegrity <activeAndStandbyPolicy | activeConfigAndActivePolicy | all> zeroizePersistenKeys
Parameter | Description |
---|---|
| Load saved configuration and restart the system without rebooting the servers.
In a redundant system, using
loadConfig restarts both CEs.If " |
reGenerateSshRsaKeys | Use this control to regenerate all SSH keys. |
reKeyConfdEncryptionKeys | Use this control to regenerate system configuration database encryption keys. Unable to show "metadata-from": No such page "_space_variables" recommends backing up current encrypted parameters in plaintext, if possible. Unable to show "metadata-from": No such page "_space_variables" further recommends performing a full configuration backup immediately after this activity has successfully completed. |
| Remove the saved configuration from the system.
|
| Restart system (all CEs). |
| Save the current configuration.
|
setHaConfig | Use this action command to configure SBC for Geographical Redundancy High Availability (GRHA) mode when active and standby servers are located in two different data centers to protect SBCs against data center and network failures. To configure/change just one setting, use
References:
Bond monitoring is not applicable to Unable to show "metadata-from": No such page "_space_variables" . |
| Restart the applications on the system without rebooting the server(s). |
| Perform a switchover of the management applications and restart all applications on currently active server. |
verifyDatabaseIntegrity | Use this command to verify that the Unable to show "metadata-from": No such page "_space_variables" policy and configuration databases on the active server are in sync and that the policy databases on the active and standby servers are in sync. Because these commands take a few seconds to execute, it is not advisable to constantly run these commands on systems.
To view the results of the above checks, use the ' |
zeroizePersistenKeys | Use this control to securely erase all persistent CSPs from the system. The Unable to show "metadata-from": No such page "_space_variables" server reboots after confirmation. |
The following example displays system administrative information:
% show system admin admin sbx1 { auditLogState enabled; dspMismatchAction preserveRedundancy; passwordRules { minimumLength 8; minimumNumberOfUppercaseChars 1; minimumNumberOfLowercaseChars 1; minimumNumberOfDigits 1; minimumNumberOfOtherChars 1; passwordHistoryDepth 4; maximumRepeatingCharsCount 3; minimumDiffWithOldPassword 4; } fips-140-2 { mode disabled; } dod { mode disabled; } }
The following example sets the Banner content to require user acknowledgement:
% set system admin SBC01 banner ackBanner enabled bannerText "This computer system, including all related equipment and network devices (including Internet access), are provided for authorized use only" % commit
The following example uses the Account Management feature to accomplish the following actions:
% set system admin MYSBC accountManagement bruteForceAttack state enabled allowAutoUnlock enabled consecutiveFailedAttemptAllowed 3 unlockTime 300 % show system admin MYSBC accountManagement bruteForceAttack state enabled; consecutiveFailedAttemptAllowed 3; allowAutoUnlock enabled; unlockTime 300;
To set bond monitoring type to 'network-connect' and leader election algorithm type to 'enhanced':
% request system admin sbx1 setHaConfig bondMonitoring network-connect leaderElection enhanced
To set bond monitoring type to 'direct-connect' and retain current setting of leader election algorithm:
% request system admin sbx1 setHaConfig bondMonitoring direct-connect leaderElection currentValue