Overview

 This feature significantly improves the SBC instance security policies to align with AWS requirements.

The following significant changes are introduced in the SBC 07.02.00S400 instances on AWS:

  • “root” login from “linuxadmin” is disabled
  • “linuxadmin” user “sudo” access tightened:
    • On AMI instance start-up, the “linuxadmin” user will not be in the “sudo” group
    • When any valid license is installed, the “linuxadmin” user will be given sudo access
  • Support only SSH key login for the “admin” user
    • Update CFTs to support SSH key login for the “admin” user
    • Revert change to set “admin” user password to primary interface-id
  • No default passwords for all Linux accounts on installation
    • The “linuxadmin” and “admin” users permit only key based SSH
    • The default "root" user password is removed
    • To use EMA or other services which require passwords, the customer must add a user with a user password after installation/upgrade of the SBC has completed
  • Sanity Checking - After AMI Instance Initiation
    • Ensure only default users are listed in the sshd_config file
    • No unexpected users are configured in the "sudo" group
    • Logging in with "ssh" is only available to the "linuxadmin" and "admin" users
    • For any unexpected users configured on the system:
      • All accounts should be locked/removed from /etc/passwd (using "mod user -l")
      • Ensure only white list users are configured in /etc/sudoers.d
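
The sanity checks listed above can be scripted. The following is an added example, not code from the SBC or its vendor; it assumes sshd restricts logins with an AllowUsers directive and that “linuxadmin” is the only expected sudo user, and the function names and sample tree are constructed for illustration.

```shell
#!/bin/sh
# Added example, not vendor code. Paths are parameters so the audit can run on
# copies of the files; the two allow-lists are assumptions taken from this page.
SSH_OK="linuxadmin admin"   # the only users expected to log in with ssh
SUDO_OK="linuxadmin"        # linuxadmin gains sudo once a license is installed

# Filter stdin (one name per line): print the names missing from list $1.
not_in() { while read -r u; do case " $1 " in *" $u "*) ;; *) echo "$u" ;; esac; done; }

# AllowUsers entries in sshd_config $1 that are unexpected ("*" = no AllowUsers).
unexpected_ssh_users() {
  awk 'tolower($1) == "allowusers" { seen = 1
         for (i = 2; i <= NF; i++) { sub(/@.*/, "", $i); print $i } }
       END { if (!seen) print "*" }' "$1" | not_in "$SSH_OK"
}
# Members of the "sudo" group in group file $1 that are unexpected.
unexpected_sudo_members() {
  awk -F: '$1 == "sudo" { n = split($4, m, ",")
         for (i = 1; i <= n; i++) if (m[i] != "") print m[i] }' "$1" | not_in "$SUDO_OK"
}
# Accounts in shadow file $1 whose password field is not locked ("!" or "*").
password_accounts() { awk -F: '$2 !~ /^[!*]/ { print $1 }' "$1"; }

# Users or %groups holding rules under sudoers.d directory $1 that are unexpected.
unexpected_sudoers() {
  cat "$1"/* 2>/dev/null |
    awk 'NF && $1 !~ /^(#|Defaults|[A-Za-z]+_Alias)/ { print $1 }' | sort -u | not_in "$SUDO_OK"
}
# Run every check under root $1; print findings, return 1 if there are any.
audit() {
  f=$(unexpected_ssh_users "$1/etc/ssh/sshd_config" | sed 's/^/ssh: /'
      unexpected_sudo_members "$1/etc/group" | sed 's/^/sudo group: /'
      password_accounts "$1/etc/shadow" | sed 's/^/password set: /'
      unexpected_sudoers "$1/etc/sudoers.d" | sed 's/^/sudoers.d: /')
  [ -z "$f" ] && return 0
  printf '%s\n' "$f"; return 1
}
# Constructed sample tree: one stray account "tmpuser" with ssh, sudo and a password.
make_sample() {
  d=$(mktemp -d) && mkdir -p "$d/etc/ssh" "$d/etc/sudoers.d" || return 1
  echo 'AllowUsers linuxadmin admin tmpuser' > "$d/etc/ssh/sshd_config"
  printf 'sudo:x:27:linuxadmin,tmpuser\nadm:x:4:\n' > "$d/etc/group"
  printf 'root:*:1:0:::::\nlinuxadmin:!:1:0:::::\nadmin:!:1:0:::::\ntmpuser:$6$abc$def:1:0:::::\n' > "$d/etc/shadow"
  printf '# constructed\nDefaults env_reset\nlinuxadmin ALL=(ALL) NOPASSWD:ALL\ntmpuser ALL=(ALL) ALL\n' > "$d/etc/sudoers.d/sample"
  echo "$d"
}
if [ "${1:-}" ]; then audit "$1"; fi   # e.g. sh audit.sh / (as root, to read shadow)
```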

CFT Updates - Key Login

New Fields

The following figure displays the new Key entry fields in the AWS CloudFormation Templates (CFNs) to access the SBC for the “linuxadmin” and “admin” users.

[Figure: New Fields]

Obtaining and Inserting Keys into the New AWS CFTs for “linuxadmin” and “admin” Users

Generate the keys for use with the SBC in the AWS console under EC2 > Network & Security > Key Pairs:

  • one for the “linuxadmin” user
  • one for the “admin” user on the SBC (the SSH key for “admin” may be the same as or different from the “linuxadmin” SSH key)

Using the Keys in the CFN:

  1. Field “LinuxAdminSshKey”: use the “linuxadmin” key (pem) obtained above.
  2. Field “AdminSshKey”: enter the public key string obtained using the following process:
    1. Transfer the .pem file generated by AWS to a Linux server. Use the following AWS instructions to generate the key pair: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-key-pairs.html#having-ec2-create-your-key-pair
    2. Run: ssh-keygen -y -f <pem_file>. This outputs the public key string.
    3. Cut/paste the key “ssh-rsa <key>” into the “AdminSshKey” field.

Installing License 

Steps to install the initial license on AWS SBC SWe:

  1. Get the chassis number from the SBC by logging in to the CLI as “admin”:
    • ssh -i <admin_pem> admin@<sbc_ip>
    • show table system serverStatus
    • Extract the SERIAL NUM – e.g. EC2655E1-AC17-C688-1C3E-72562BB72000

  2. Acquire the license from SalesForce / the account team.

  3. SCP the license file onto the SBC as the “linuxadmin” user using port 2024:
    • scp -i <pem_file> -P 2024 <license_file.xml> linuxadmin@<aws_ip>:/opt/sonus/external

  4. As the “admin” user, run the CLI “request” command to initially install the license so that “linuxadmin” gains sudoers permissions:
    • ssh -i <admin_pem> admin@<sbc_ip>
    • request system admin <system_name> license loadLicenseFile bundleName b1 fileName <license_file.xml>

Diagnostic Tools

sbcDiagnostic.sh

If the SBC fails to start and the “linuxadmin” user does not yet have sudo permissions, the issue can be debugged with the diagnostics tool.

Run the following command as “linuxadmin” user:

sudo /opt/sonus/sbx/scripts/sbcDiagnostic.sh 1

This diagnostics tool:

  • Checks the current status of the "cloud-init", "cps", "lca" and "sbx" services
  • Reports an issue if the SBC application is not up
  • Dumps a limited set of logs for further investigation

Usage: Run one of the following commands as the “linuxadmin” user:

  • sudo /opt/sonus/sbx/scripts/sbcDiagnostic.sh [0] - Dumps System Information and Status
  • sudo /opt/sonus/sbx/scripts/sbcDiagnostic.sh 1 - Captures logs for investigation
  • sudo /opt/sonus/sbx/scripts/sbcDiagnostic.sh 2 - Runs System Dump

EMS and Platform Manager (PM) Admin Login

The EMS and Platform Manager both require an admin password to login.

To set up an Admin password:

  1. Log in as “admin” using the SSH key.
  2. Use the following CLI commands to create a password for the “admin” user:
    set oam localAuth user admin passwordLoginSupport enabled
    commit
