NetAct™ 22

Administering Users and Permissions


DN0992646
Issue: 4-1 Final

© 2021 Nokia. Nokia Confidential Information

Use subject to agreed restrictions on disclosure and use.


Disclaimer

Nokia is committed to diversity and inclusion. We are continuously reviewing our customer documentation and consulting with standards
bodies to ensure that terminology is inclusive and aligned with the industry. Our future customer documentation will be updated accordingly.

This document includes Nokia proprietary and confidential information, which may not be distributed or disclosed to any third parties without
the prior written consent of Nokia.

This document is intended for use by Nokia’s customers (“You”/”Your”) in connection with a product purchased or licensed from any company
within Nokia Group of Companies. Use this document as agreed. You agree to notify Nokia of any errors you may find in this document;
however, should you elect to use this document for any purpose(s) for which it is not intended, You understand and warrant that any
determinations You may make or actions You may take will be based upon Your independent judgment and analysis of the content of this
document.

Nokia reserves the right to make changes to this document without notice. At all times, the controlling version is the one available on Nokia’s
site.

No part of this document may be modified.

NO WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY
WARRANTY OF AVAILABILITY, ACCURACY, RELIABILITY, TITLE, NON-INFRINGEMENT, MERCHANTABILITY
OR FITNESS FOR A PARTICULAR PURPOSE, IS MADE IN RELATION TO THE CONTENT OF THIS DOCUMENT.
IN NO EVENT WILL NOKIA BE LIABLE FOR ANY DAMAGES, INCLUDING BUT NOT LIMITED TO SPECIAL,
DIRECT, INDIRECT, INCIDENTAL OR CONSEQUENTIAL OR ANY LOSSES, SUCH AS BUT NOT LIMITED TO LOSS
OF PROFIT, REVENUE, BUSINESS INTERRUPTION, BUSINESS OPPORTUNITY OR DATA THAT MAY ARISE
FROM THE USE OF THIS DOCUMENT OR THE INFORMATION IN IT, EVEN IN THE CASE OF ERRORS IN OR
OMISSIONS FROM THIS DOCUMENT OR ITS CONTENT.

This document is Nokia's proprietary and confidential information, which may not be distributed or disclosed to any third parties without the
prior written consent of Nokia.

Copyright and trademark: Nokia is a registered trademark of Nokia Corporation. Other product names mentioned in this document may be
trademarks of their respective owners.

© 2021 Nokia.


Contents
1 Administering NetAct system users and password.................................................................................. 10
1.1 NetAct default system users................................................................................................................... 10
1.2 Guidelines for changing password..........................................................................................................45
1.3 Changing password of directory server, database, OS, and active directory users................................45
1.3.1 Changing password of users using password-tool.........................................................................46
1.3.2 Changing password of users in Active Directory........................................................................... 49
1.4 Changing password of datacenter and virtualization infrastructure users.............................................. 49
1.4.1 Changing the administrator@vsphere.local password of the VMware vCenter Server Appliance .. 50
1.4.2 Changing the root password of the VMware vCenter Server Appliance........................................ 51
1.4.3 Changing root password of an ESXi host...................................................................................... 52
1.4.4 Changing the vmanager user password........................................................................................ 52
1.5 Changing password for hardware devices............................................................................................. 54
1.5.1 Changing password for storage devices........................................................................................ 54
1.5.1.1 Changing admin user password of EMC Unity Storage........................................................ 54
1.5.1.2 Changing admin user password of HPE MSA 2040/2050 Storage........................................55
1.5.1.3 Changing admin user password of HPE 3PAR Storage.......................................................... 56
1.5.1.4 Changing admin user password of EMC VNX Storage......................................................... 56
1.5.2 Changing password for switches and HPE Virtual Connect.......................................................... 57
1.5.2.1 Changing admin user password for HPE Virtual Connect..................................................... 57
1.5.2.2 Changing admin user password for HPE Brocade SAN switch............................................. 58
1.5.2.3 Changing admin user password for HPE 5900/5500/5510/6127 Network switch.................. 59
1.5.3 Changing password for servers......................................................................................................60
1.5.3.1 Changing password for HPE iLO 4 server............................................................................ 60
1.5.3.2 Changing password for HPE iLO 5 server............................................................................ 61
1.5.3.3 Changing password for HPE Onboard Administrator............................................................ 62
1.6 Changing password of Avamar Virtual Edition....................................................................................... 62
1.6.1 Changing passwords of Avamar Virtual Edition users................................................................... 63
1.6.2 Changing password of Avamar Virtual Edition Combined Proxy................................................... 63
1.7 Changing password of omc user through User Management................................................................ 63

2 Administering NetAct end users and password........................................................................ 64
2.1 Changing NetAct end users password................................................................................................... 64
2.1.1 Changing own password................................................................................................................ 64
2.1.2 Changing password of other users................................................................................................ 65
2.2 Managing user SSH and certificate configuration.................................................................................. 66
2.2.1 Enabling SSH login.........................................................................................................................67
2.2.2 Disable SSH login...........................................................................................................................68
2.2.3 Configuring certificates................................................................................................................... 69
2.3 Listing non-expiring user accounts......................................................................................................... 70

3 Administering user policies......................................................................................................... 71
3.1 Configuring policy for system users and end users in directory server.................................................. 71
3.1.1 Login name policy...........................................................................................................................72

3.1.2 Password expiry policy................................................................................................... 73
3.1.2.1 Synchronize password expiry warning in Node Manager...................................................... 74
3.1.3 Password history policy.................................................................................................................. 74
3.1.4 Account lockout policy.................................................................................................................... 75
3.1.5 Password syntax policy.................................................................................................................. 77
3.1.6 Unused login names disable policy................................................................................................78
3.2 Policy for Administrator user account in Node Manager Server.............................................................79
3.3 Policy for NetAct system users in Oracle database................................................................ 80
3.4 Policy for NetAct system users in Linux OS.......................................................................................... 81
3.5 ESXi password policy for root user........................................................................................................ 81
3.6 VMware vCenter Server Appliance password policy for root and administrator@vsphere.local user .... 82
3.7 Avamar Virtual Edition password policy for Linux OS default user accounts......................................... 83
3.8 Avamar Virtual Edition password policy for MCUser, repluser, and Avamar root user........................... 83

4 Changing login delay for login to NetAct GUI........................................................................................... 84

5 Controlling network element access with Network Element Access Control application..................... 85

6 Controlling network element access with Centralized Network Element User Management.................88
6.1 NetAct prerequisites................................................................................................................................ 89
6.1.1 Checking if CNUM license is installed........................................................................................... 89
6.1.2 Ensure that LDAP certificate is installed........................................................................................ 90
6.1.2.1 Checking if LDAP certificates are installed............................................................................ 91
6.1.3 Service user for CNUM provisioning.............................................................................................. 92
6.1.4 Service user usage post CNUM activation.................................................................................... 92
6.1.5 Network element permissions........................................................................................................ 92
6.1.6 Restricted anonymous login to the LDAP directory....................................................................... 93
6.2 Network element specific prerequisites and procedures........................................................................ 94
6.2.1 Configuring CNUM for Flexi NS..................................................................................................... 94
6.2.1.1 CNUM Prerequisites for Flexi NS.......................................................................................... 94
6.2.1.2 Limitations...............................................................................................................................95
6.2.1.3 Installing and activating Network Element Certificate............................................................ 95
6.2.1.3.1 Applying certificates for Flexi NS...................................................................................95
6.2.1.4 Checking Flexi NS permissions........................................................................................... 100
6.2.1.5 Activating and deactivating CNUM.......................................................................................102
6.2.1.5.1 Activating CNUM for Flexi NS..................................................................................... 102
6.2.1.5.2 Verifying CNUM activation........................................................................................... 103
6.2.1.5.3 Deactivating CNUM for Flexi NS................................................................................. 105
6.2.1.5.4 Verifying CNUM deactivation....................................................................................... 105
6.2.1.6 Troubleshooting CNUM........................................................................................................ 106
6.2.1.6.1 Activation fails.............................................................................................................. 106
6.2.1.6.2 Deactivation fails.......................................................................................................... 108
6.2.1.6.3 Unable to log in to NE using NetAct user credentials after CNUM is activated.................. 108
6.2.1.6.4 Changing password fails..............................................................................................108
6.2.1.6.5 Unable to perform specific operation on NE after CNUM is activated......................... 109
6.2.2 Configuring CNUM for Open BGW.............................................................................................. 109

6.2.2.1 Prerequisites for Open BGW............................................................................... 109
6.2.2.2 Limitations.............................................................................................................................110
6.2.2.3 Installing and activating Open BGW certificate....................................................................110
6.2.2.3.1 Applying certificates for Open BGW............................................................................ 110
6.2.2.3.2 Adding additional CA certificate to Open BGW trust store.......................................... 110
6.2.2.4 Checking CNUM configuration............................................................................................. 112
6.2.2.5 Checking permissions.......................................................................................................... 113
6.2.2.6 Activating and deactivating CNUM.......................................................................................119
6.2.2.6.1 Activating CNUM..........................................................................................................119
6.2.2.6.2 Verifying CNUM activation........................................................................................... 120
6.2.2.6.3 Deactivating CNUM......................................................................................................122
6.2.2.6.4 Verifying CNUM deactivation....................................................................................... 122
6.2.2.7 Configuring CNUM-oBGW for Audit Trail.............................................................................123
6.2.2.7.1 CNUM-oBGW Prerequisites for Audit Trail..................................................................123
6.2.2.7.2 Activating CNUM-oBGW.............................................................................................. 123
6.2.2.7.3 Verifying CNUM-oBGW Activation............................................................................... 123
6.2.2.7.4 Deactivating CNUM-oBGW..........................................................................................124
6.2.2.7.5 Verifying CNUM-oBGW Deactivation........................................................................... 124
6.2.2.8 Troubleshooting.................................................................................................................... 124
6.2.2.8.1 Activation failure...........................................................................................................124
6.2.2.8.2 Changes in permissions not immediately replicated....................................................125
6.2.3 Configuring CNUM for SBTS........................................................................................................125
6.2.3.1 Prerequisites for SBTS.........................................................................................................125
6.2.3.2 Limitations.............................................................................................................................126
6.2.3.3 Installing and activating SBTS certificate.............................................................................126
6.2.3.4 Checking SBTS permissions................................................................................................127
6.2.3.5 Activating and deactivating CNUM.......................................................................................128
6.2.3.5.1 Activating CNUM on SBTS..........................................................................................128
6.2.3.5.2 Verifying CNUM activation........................................................................................... 129
6.2.3.5.3 Deactivating CNUM on SBTS......................................................................................129
6.2.3.5.4 Verifying CNUM deactivation....................................................................................... 129
6.2.3.5.5 Change password of SBTS account............................................................................130
6.2.3.6 Troubleshooting.................................................................................................................... 130
6.2.3.6.1 Activation failure on SBTS...........................................................................................130
6.2.4 Configuring CNUM for Nokia AirScale BTS 5G........................................................................... 131
6.2.4.1 Prerequisites for Nokia AirScale BTS 5G............................................................................ 131
6.2.4.2 Checking Nokia AirScale BTS 5G permissions................................................................... 132
6.2.4.3 Activating and deactivating CNUM.......................................................................................133
6.2.4.3.1 Activating CNUM on Nokia AirScale BTS 5G..............................................................133
6.2.4.3.2 Verifying CNUM activation........................................................................................... 133
6.2.4.3.3 Deactivating CNUM on Nokia AirScale BTS 5G......................................................... 134
6.2.4.3.4 Verifying CNUM deactivation....................................................................................... 134
6.2.4.3.5 Change password of Nokia AirScale BTS 5G account............................................... 135
6.2.4.4 Limitation...............................................................................................................................135
6.2.4.5 Troubleshooting.................................................................................................................... 136
6.2.4.5.1 Activation failure on Nokia AirScale BTS 5G...............................................................136

6.2.4.5.2 Deactivation failure on Nokia AirScale BTS 5G.......................................................... 136
6.2.5 Configuring CNUM for DCAP....................................................................................................... 137
6.2.5.1 Preparing CNUM.................................................................................................................. 137
6.2.5.1.1 Checking and creating certificates on NetAct..............................................................138
6.2.5.1.2 Installing and activating DCAP certificate....................................................................139
6.2.5.2 Checking permissions.......................................................................................................... 139
6.2.5.3 Activating CNUM.................................................................................................................. 139
6.2.5.4 Verifying CNUM activation................................................................................................... 140
6.2.5.5 Changing password of DCAP account................................................................................ 142
6.2.5.6 Deactivating CNUM and verifying CNUM deactivation........................................................ 142
6.2.5.7 Troubleshooting CNUM........................................................................................................ 144
6.2.5.7.1 Activating CNUM fails.................................................................................................. 144
6.2.5.7.2 Changing password fails..............................................................................................144
6.2.6 Configuring CNUM for BSC..........................................................................................................144
6.2.6.1 CNUM prerequisites for BSC............................................................................................... 144
6.2.6.2 Installing BSC certificate...................................................................................................... 146
6.2.6.2.1 Generating and installing certificate and key...............................................................146
6.2.6.3 Checking BSC permissions..................................................................................................154
6.2.6.4 Activating and deactivating CNUM.......................................................................................156
6.2.6.4.1 Activating CNUM for BSC............................................................................................156
6.2.6.4.2 Verifying CNUM activation........................................................................................... 157
6.2.6.4.3 Deactivating CNUM for BSC....................................................................................... 159
6.2.6.4.4 Verifying CNUM deactivation....................................................................................... 159
6.2.6.5 Limitation...............................................................................................................................160
6.2.6.6 Troubleshooting.................................................................................................................... 160
6.2.6.6.1 Activation fails.............................................................................................................. 160
6.2.6.6.2 Deactivation fails.......................................................................................................... 161
6.2.6.6.3 Changing password fails..............................................................................................162
6.2.6.6.4 File transfer with FTAM fails........................................................................................ 162
6.2.7 Configuring CNUM for WCDMA network elements......................................................................163
6.2.7.1 CNUM prerequisites for WCDMA network elements........................................................... 163
6.2.7.1.1 Enabling CNUM on OMS.............................................................................................164
6.2.7.1.2 Setting the RUIMAutomaticActivation parameter on OMS.......................................... 165
6.2.7.1.3 Configuring SSH server on IPA-RNC.......................................................................... 165
6.2.7.1.4 Activating centralized user authentication and authorization on IPA-RNC...................166
6.2.7.1.5 Managing centralized network element user management on mcRNC....................... 166
6.2.7.1.6 Managing centralized network element user management on ASRNC....................... 166
6.2.7.2 Limitations.............................................................................................................................166
6.2.7.3 Installing and activating WCDMA certificates on WCDMA network elements and NetAct....167
6.2.7.3.1 Applying certificates on WCDMA network elements....................................................167
6.2.7.3.2 Applying certificates on NetAct.................................................................................... 169
6.2.7.4 Preparing the NetAct users used for managing WCDMA network elements....................... 169
6.2.7.4.1 Supported OMS permissions....................................................................................... 170
6.2.7.4.2 Supported IPA-RNC permissions.................................................................................176
6.2.7.4.3 Supported mcRNC and ASRNC permissions..............................................................178
6.2.7.5 Activating and deactivating CNUM.......................................................................................181

6.2.7.5.1 Activating CNUM on WCDMA network elements........................................................ 181
6.2.7.5.2 Verifying CNUM activation........................................................................................... 182
6.2.7.5.3 Deactivating CNUM on WCDMA network elements.................................................... 184
6.2.7.5.4 Verifying CNUM deactivation....................................................................................... 186
6.2.7.6 Troubleshooting CNUM........................................................................................................ 188
6.2.7.6.1 Activating CNUM for WCDMA fails..............................................................................188
6.2.7.6.2 NetAct user account is locked in OMS........................................................................188
6.2.7.6.3 Unable to log in to IPA-RNC while launching the MML Session..................................189
6.2.7.6.4 NetAct operation failure after CNUM activation on OMS.............................................189
6.2.7.6.5 CNUM deactivating or password updating failure on ASRNC..................................... 190
6.2.8 Configuring CNUM for CMS-8200 HSS, CFX-5000, CM Repository Server, TIAMS and NT HLR FE.......... 190
6.2.8.1 Prerequisites for CMS-8200 HSS, CFX-5000, CM Repository Server, TIAMS and NT HLR FE.......... 190
6.2.8.1.1 NetAct upgrade scenario............................................................................................. 191
6.2.8.1.2 CNUM information checklist.........................................................................................191
6.2.8.1.3 Checking integration data upload................................................................................ 195
6.2.8.1.4 Triggering integration data upload............................................................................... 196
6.2.8.1.5 Installing LDAP certificates on network elements........................................................197
6.2.8.2 Limitations.............................................................................................................................197
6.2.8.3 Checking CMS-8200 HSS, CFX-5000, CM Repository Server, TIAMS and NT HLR FE permissions.......... 198
6.2.8.4 Activating and deactivating CNUM.......................................................................................199
6.2.8.4.1 Activating CNUM..........................................................................................................199
6.2.8.4.2 Verifying CNUM activation........................................................................................... 201
6.2.8.4.3 Deactivating CNUM......................................................................................................202
6.2.8.4.4 Verifying CNUM deactivation....................................................................................... 203
6.2.8.4.5 Changing password of network element account (network element bind user account)........... 204
6.2.8.5 Troubleshooting CNUM........................................................................................................ 205
6.2.8.5.1 Failure of activating CNUM..........................................................................................205
6.2.8.5.2 Failure of changing password......................................................................................205
6.3 Activating CNUM................................................................................................................................... 205
6.3.1 Verifying CNUM activation............................................................................................................ 206
6.3.2 Verifying CNUM activation for Configuration Management.......................................................... 206
6.4 Deactivating CNUM...............................................................................................................................207
6.4.1 Verifying CNUM deactivation........................................................................................................ 207
6.4.2 Verifying CNUM deactivation for Configuration Management...................................................... 208
6.5 Maintenance of network element user access using CNUM................................................................208
6.5.1 Network element account password update................................................................................ 208
6.5.2 Network element integration......................................................................................................... 208
6.5.3 Rehoming a network element to another Maintenance Region................................................... 209
6.5.4 Removing a network element from NetAct.................................................................................. 209
6.6 Configuring CNUM token parameters for external users......................................................................209
6.7 Configuring token mode for external users.......................................................................................... 211

7 Managing external accounts in NetAct.....................................................................................................213


7.1 Importing external accounts using CLI................................................................................................. 213


7.1.1 Updating external accounts configuration file...............................................................................215
7.2 Exporting external accounts using CLI................................................................................................. 218
7.3 Listing external users accounts using CLI............................................................................................220
7.4 Deleting external accounts using CLI................................................................................................... 221
7.5 Modifying external user automatically...................................................................................................223
7.6 Creating and updating external accounts automatically....................................................................... 225
7.7 Configuring automatic shell access for external users......................................................................... 226
7.8 Configuring lowercase for new external users..................................................................................... 228
7.9 Managing external groups mapping..................................................................................................... 229
7.9.1 Exporting NetAct groups...............................................................................................................229
7.9.1.1 NetAct group to external group mapping data.....................................................................232
7.9.2 Listing external groups mapped with NetAct groups....................................................................233
7.9.3 Mapping external group to NetAct group..................................................................................... 233
7.9.3.1 Considerations of NetAct group mapping for integration with multiple NetAct clusters........ 235
7.9.4 Detaching external group from NetAct group...............................................................................235

8 Managing external accounts in NMS........................................................................................................ 238

9 Security alarms............................................................................................................................................ 239


9.1 Viewing and monitoring security alarms............................................................................................... 239
9.2 Login failure alarms...............................................................................................................................240
9.2.1 NetAct end user............................................................................................................................242
9.2.2 System users................................................................................................................................ 242
9.2.3 Non-existing user.......................................................................................................................... 243
9.2.4 NE bind users............................................................................................................................... 243
9.2.5 Directory server admin users....................................................................................................... 244
9.2.6 External user accounts................................................................................................................. 244
9.3 Brute force alarm for SSH.................................................................................................................... 245
9.4 Brute force alarm for NetAct Web services.......................................................................................... 246
9.5 Brute force alarm for NetAct Oracle DB...............................................................................................246
9.6 Simultaneous session failure alarm...................................................................................................... 246

10 Session management................................................................................................................................248
10.1 Configuring user session.................................................................................................................... 248
10.2 Enabling simultaneous session access login failure message in NetAct login page.......................... 250
10.3 Changing time interval for auto invalidation of disconnected session................................................ 251
10.4 Checking session management license............................................................................................. 252

11 Appendix..................................................................................................................................................... 254
11.1 Type and individual operation way of password tool.......................................................................... 254
11.2 Retrieving password of system users................................................................................................. 258
11.3 SCA type and instance....................................................................................................................... 259
11.4 Service restarts needed after password change of system user........................................................ 260
11.5 Special characters allowed in system user’s password......................................................................262
11.6 Users unsupported in type mode of operation................................................................................... 262


11.7 Changes in NE configuration post password change......................................................................... 264


11.8 Checking password score for OS users............................................................................................. 264
11.9 Invalidating cache for effective shell access.......................................................................................265
11.10 Perform password synchronization in DR environment.................................................................... 265
11.10.1 Synchronizing all system users password from active site to standby site...............................266
11.10.2 Synchronizing specific system users password from active site to standby site...................... 267


1 Administering NetAct system users and password

1.1 NetAct default system users


NetAct default system users are the users that are available after commissioning of NetAct. This
section lists the system users in NetAct classified by authentication repository, and also indicates
which system users require a password change.

• Directory server users: Users stored in the NetAct LDAP directory server, which are used to run
NetAct internal services such as mediations, northbound services, and southbound services.
• Oracle database users: System users needed for access to data stored in Oracle DB. These
users are also used by WebSphere datasources through a JAAS alias. Refer to the list below for
users having such a configuration.
• Linux OS users: System users stored in Linux operating system specific repositories, such as
/etc/passwd. Only local resources of the node can be accessed by these users.
• Windows OS and Active Directory users: System users stored in Windows Active Directory or
Windows OS.
• Admin Server users: System users existing in the Admin Server VM, used for commissioning of
the NetAct system.
• DC Infra and Virtualization users: System users existing in the data center and virtualization
infrastructure, such as VMware vCenter and ESXi hypervisor. Presence of these users varies based
on the software-only delivery mode of NetAct.

Each of the above repositories can have users for administrative and non-administrative purposes.
Administrative users are used for administration and maintenance.

The tables below cover:

• System users in directory server
• System users in Oracle database
• System users in Windows OS and Active Directory
• System users in Linux OS
• System users in Admin Server
• System users in data center (DC) and virtualization infrastructure

Explanation of superscripts used in the tables below:

(1) Locked during operation phase: Yes/No. Only users with locked state No are allowed for a
password change. For OS users, locked status indicates that remote access for the user is not possible.
(2) JAAS: Yes/No. Yes means that the user is used by WebSphere.
(3) Administrator User: Yes/No. Yes means that the user is used for administration purposes and is highly
critical in the operation of NetAct.


| System User Id | System User Group | Component | Locked (1) | JAAS (2) | Admin User (3) | Description |
|---|---|---|---|---|---|---|
| atuser | sysop,sshaccess | SLNBI | No | No | No | Created for SLNBI. The account is used to run Audit Trail File Collector. Password for this user is randomly generated during installation. No default password. |
| cmauto | sysop | Configurator | No | No | No | Provides visibility on CM workflows that have been triggered/executed automatically without a human user. Used by the Intelligent Configuration Synchronization for LTE feature for making upload to eNB. |
| cmbscres | cmauto | Configurator | No | No | No | Provides visibility on Network Resiliency for mcBSC operations that have been triggered/executed automatically without a human user. Used by the Network Resiliency for mcBSC feature for upload and export operations. |
| cmretry | cmauto | Configurator | No | No | No | Provides visibility on CM workflows that have been triggered/executed automatically without a human user. Used by the CM Automatic Retry Mechanism feature for running plan provisioning to NE. |
| cn=atwasproxy | n/a | SLNBI | No | No | No | This user is created during installation of the SLNBI system when integrated with NetAct 8 LDAP. It is used internally by WebSphere to authorize to LDAP if anonymous LDAP login is disabled. |
| httpdproxy | n/a | n/a | No | No | No | This user is created during installation or upgrade. It is used internally by NE3SWS to disable anonymous LDAP login from Apache HTTPD. |
| ihsproxy | n/a | n/a | No | No | No | This user is created during installation or upgrade. It is used internally by CM for IHS HTTPD to bind to LDAP. |
| cn=Manager | n/a | SecM | No | No | Yes | Created during the installation. |
| cn=replication manager | n/a | CPF | No | No | Yes | This user is created during installation. It is used internally to replicate data between dirsrv primary and secondary. |
| sysproxy | n/a | n/a | No | No | No | This user is created during installation or upgrade. It is used internally by the Linux Pluggable Authentication Module (PAM) in all VM nodes to disable anonymous LDAP login from the PAM service. |
| wasproxy | n/a | n/a | No | No | No | This user is created during installation or upgrade. It is used internally by the WebSphere LdapUserRegistry to disable anonymous LDAP login from the WAS service. |
| dauser | sysop,sshaccess,smxmediations | Dynamic Adaptation | No | No | No | Created for ne3sws_dynamicadaptation mediation. |
| esbadmin | sysop,smxmediations | Various Mediations | No | No | No | common_mediations Service Mix instance. |
| genmdsrv | sysop,smxmediations | generic mediation | No | No | No | generic_mediations Service Mix instance. User available only in an upgraded environment of NetAct. |
| hwchange | cmwsapi | Configurator | No | No | No | Used to execute upload of the HW fragment within Configurator when a HW change occurs at the NE side. |
| isdk | sysop | ISDK platform for ISDK Mediations | No | No | No | ISDK platform. |
| isdkcorb | sysop | ISDK CORBA Mediation | No | No | No | isdkcorba Tomcat instance. |
| isdkftp | sysop,sshaccess | ISDK FTP PM Mediation | No | No | No | isdkftp Tomcat instance. |
| isdksnmp | sysop | ISDK SNMP FM & SNMP PM Mediations | No | No | No | isdksnmp Tomcat instance. |
| lteauser | sysop | LTEA SNMP FM, CM & Auto Discovery Mediations | No | No | No | lteauser is used for running the LTEA mediation container process and also for WAS communication from the container instance. |
| lteapm | sysop | LTEA SNMP PM Mediation | No | No | No | lteapm is used for running the LTEA PM mediation container process and also for WAS communication from the container instance. |
| nbi3gc | sysop,smxmediations | 3GPP FM NBI | No | No | No | For 3GPP NBI. |
| nbi3gcom | sysop,smxmediations | 3GPP NBI COM | No | No | No | Provides the open source JacORB Naming Service and Notification Service. |
| nbi3gcpm | sysop,smxmediations,ftirpftp | 3GPP PM NBI | No | No | No | Created by Mediation Framework. The 3GPP XML format PM NB mediation runs with this user. |
| nbiim | sysop,smxmediations,ftirpftp | INVENTORY NBI | No | No | No | Created for INVENTORY NBI. |
| nbisnmp | sysop,smxmediations | SNMP FM NBI | No | No | No | Created by Mediation Framework. The SNMP NB mediation runs with this user. |
| ne3sws | sysop,sshaccess,smxmediations | NE3SWS Mediation | No | No | No | NE3SWS mediation runs with this user. |
| nwi3 | sysop,smxmediations | NWI3 South bound mediation | No | No | No | For NWI3 South bound mediation. |
| nwi3ftp | nwi3ftp,sysop | NWI3 South bound mediation | No | No | No | Created by NetAct Base. NE uses this to access the NetAct FTP/HTTP server; the NWI3 mediation passes the credentials to the NE. Mediation sends FTP credentials to the NE and the NE uses those to access the NetAct FTP server. |
| nwi3system | nwi3-nms-access | NWI3 South bound mediation | No | No | No | Created by NetAct Base. NE uses this user for accessing the NWI3 registration service; the NWI3 mediation can configure it. NE must give credentials when it registers to the NWI3 registration service. |
| nx2suser | sysop,sshaccess,smxmediations | NX2S Mediation, MML & SCLI Mediation | No | No | No | NX2S mediation runs with this user. nx2suser is the FTP user for the NX2S interface for NE. |
| omc | sysop,sshaccess,sqm_admin | Mediations and others | No | No | No | Linux OS user and group created by CPF (moved to LDAP later by IFW), used for example by FM pipe, WebSphere Application Server and MML/SCLI mediations to retrieve NE credentials from NEAC. |
| pm2sol | sysop | NetAct PM | No | Yes | No | This user is needed to establish authenticated communication between PM and other NetAct clusters for PM applications. |
| q3usr | sysop,sshaccess,smxmediations | Q3/IP South Bound Mediations | No | No | No | Created by Mediation Framework. User is used for starting servicemix for Q3 mediations and also for some EM launches. Bash is used. |
| raccli | raccli | Configurator | No | No | No | User used internally for authentication purposes by the webservice-based racclimx implementation. |
| racftam | racftp,sshaccess | Configurator | No | No | No | NE uses this account to access the FTAM server. |
| racftp | racftp,sshaccess | Configurator | No | No | No | Created by NetAct Base. NE uses this to access the NetAct FTP server. |
| rachttp | rachttp,sshaccess | Configurator | No | No | No | Created by NetAct Base. NE uses this to access the NetAct HTTP server. |
| rac3gp | sysop,sshaccess,smxmediations | NBI | No | No | No | Runs as a standalone Java process invoked by NMS; invokes the EJB interface provided by CM on WebSphere Application Server. |
| restda | sysop,smxmediations | | No | No | No | App_NBI: Open API phase 1. |
| ruim_admin | ruim_admin | PEM | No | No | No | POSIX user and group created by Installation FW. LDAP administrator account under the NetAct Admin user. ruim_admin is needed for read or write access to the ruim-tree in NetAct DirSrv, for example by Permission Management (PEM). The permission to modify the ruim branch is granted only to ruim_admin. The ruim_admin user account is defined as a combination of the account and inetOrgPerson object classes defined in RFC 4524 and RFC 2798. Also needed to manage NetAct PM. |
| sauuser | sysop,smxmediations,sshaccess | SAU mediation | No | No | No | SAU mediation runs with this user. |
| system | sysop,sshaccess | WAS processes | No | No | No | Linux OS user and group created by CPF (moved to LDAP later by IFW). WebSphere Application Server's process user. |
| wasadmin | wassrvid | SLNBI | No | No | No | Used to administer WebSphere on the SLNBI server, when SLNBI WAS is connected to the NetAct LDAP registry. |
| wassrvid | wassrvid | WebSphere Application Server | No | No | Yes | Created by CPF. The wassrvid user account is used for accessing WebSphere Application Server. This user account is defined as a combination of the account and simpleSecurityObject object classes defined in RFC 4524. |
| xohuser | sysop,sshaccess,smxmediations | XOH Mediation | No | No | No | XOH mediation runs with this user. |
| fpinst | sshaccess | Internal NetAct components | No | No | No | Used to deploy the fast pass package. |
| trexuser | sysop | Trace Expert | No | No | No | Internal communication between Trace Expert services, also used to communicate with CM web services. |
| cmcompsrv | sysop | PnP Compatibility Service | No | No | No | User used for running the new NetAct service "PnP Compatibility Service". This new service is managed by smanager and in part replaces the old service "pnpserver". The sysop group is required for sending alarms to FM. |
| tpuser | tandp | T&P | No | No | No | Created for Thresholder and Profiler. The account is used to request Performance Manager in order to run TandP reports. Password for this user is randomly generated during installation. No default password. |

Table 1: System users in Directory Server

| System User Id | System User Group | Component | Locked (1) | JAAS (2) | Admin User (3) | Description |
|---|---|---|---|---|---|---|
| adm | adm | | Yes | No | No | Linux Standard Base required user |
| apache | apache | | Yes | No | No | |
| bin | bin | | Yes | No | No | Linux Standard Base required user |
| buadmin | buadmin | | Yes | No | No | Created by CPF for disk-based backup functionality. |
| cpfoma | sysop | | Yes | n/a | No | Required for the OMA Agent application |
| cpfvcs | sysop | | Yes | n/a | No | Required to start and stop the cpfvcenterselfmon application |
| cpfvman | sysop | | Yes | n/a | No | Required to start and stop the selfmon cpfvmanager application |
| daemon | daemon | | Yes | No | No | Linux Standard Base required user |
| dbus | dbus | | Yes | No | No | System message bus |
| dcfw | sysop | | Yes | No | No | Data collection framework user. Key-based authentication is used for this user. |
| dirsrv | dirsrv | | Yes | No | No | User created for management of directory server packages in RHEL8. |
| dradmin | dradmin | | Yes | No | No | Used for Disaster Recovery |
| ftirpuser | ftirpftp | 3GPP PM NBI, INVENTORY NBI | No | NA | No | Created for external NMS using the ftp/sftp service to download 3GPP measurement and inventory files. |
| ftirpuser2 | ftirpftp | 3GPP PM NBI, INVENTORY NBI | No | NA | No | Created for external NMS using the ftp/sftp service to download 3GPP measurement and inventory files. |
| ftirpuser3 | ftirpftp | 3GPP PM NBI, INVENTORY NBI | No | NA | No | Created for external NMS using the ftp/sftp service to download 3GPP measurement and inventory files. |
| ftp | ftp | | Yes | No | No | FTP user |
| ftpsecure | ftpsecure | | Yes | No | No | CPF-created user for FTP connections |
| games | users | | Yes | No | No | Linux Standard Base required user |
| gopher | gopher | | Yes | No | No | Linux Standard Base required user, available only in upgraded labs |
| haldaemon | haldaemon | | Yes | No | No | HAL Daemon user, available only in upgraded labs |
| halt | root | | Yes | No | No | Linux Standard Base required user |
| hpadmin | hpadmin | | No | NA | Yes | User to access HPE SIM |
| hsql | sdba | | Yes | No | No | HSQLDB |
| isdkuser | sftpchroot,smxmediations,sysop,isdkmediations | | No | NA | No | NE uses this account to access the directory to PUT the raw files. The home directory of isdkuser is used by the NE to PUT files. |
| jettysrv | sysop | Adaptation Manager | Yes | No | No | Used to run the jetty service |
| ldap | ldap | | Yes | No | No | LDAP access for NetAct |
| lp | lp | | Yes | No | No | Linux Standard Base required user |
| mail | mail | | Yes | No | No | Linux Standard Base required user |
| mhcf | mhcf | | Yes | No | No | Used by the PHC tool |
| named | named | | Yes | No | No | Domain Name Server |
| nfsnobody | nfsnobody | | Yes | No | No | Anonymous NFS user |
| nobody | nobody | | Yes | No | No | Linux Standard Base required user |
| nscd | nscd | | Yes | No | No | NSCD daemon |
| sssd | sssd | | Yes | No | No | LDAP client user |
| chrony | chrony | | Yes | NA | NA | Time server user |
| operator | root | | Yes | No | No | Linux Standard Base required user |
| oracle | dba | | No | NA | Yes | Local user required for starting the Oracle database, also used for the Oracle database client. |
| pcp | pcp | | Yes | No | No | Used to run pcp commands |
| pmflmgr | sysop | PM file merger | Yes | No | No | Used to run the PM file merger service and generate merged PM files in the sysop group |
| polkitd | polkitd | | Yes | No | No | User for managing the policy kit system service in RHEL8. |
| postfix | postfix | | Yes | No | No | Mail user |
| rdsftp | rdgroup | RESTful Web Service Data Access API (restda) | No | No | No | Created for external NMS using the sftp service to download restda result files |
| root | root | | No | NA | Yes | RHEL super user. System user with login. Home directory disabled during hardening. |
| rpc | rpc | | Yes | No | No | Rpcbind daemon |
| rpcuser | rpcuser | | Yes | No | No | RPC service user |
| sadap | stomcat | | Yes | No | No | Used to administer the SBTS Adapter |
| sadmin | sadmin | | Yes | No | No | Created by CPF for service monitoring use. |
| saslauth | saslauth | | Yes | No | No | Linux Standard Base required user. Available only in an upgrade environment. |
| shutdown | root | | Yes | No | No | Linux Standard Base required user |
| sockd | sockd | | Yes | No | No | sockd is a secure socket proxy server. It provides hosts within a firewall access to resources outside of the firewall. |
| sshd | sshd | | Yes | No | No | Privilege-separated SSH |
| stomcat | stomcat | | Yes | No | No | Apache Tomcat |
| sync | root | | Yes | No | No | Linux Standard Base required user |
| systemd-network | systemd-network | | Yes | No | No | User for managing the systemd service in RHEL8 |
| tcpdump | tcpdump | | Yes | No | No | TCP dump capture user |
| tomcat | tomcat | | Yes | No | No | Apache Tomcat |
| tss | tss | | Yes | No | No | User for managing trusted computing resources. Available only in an upgrade environment. |
| uucp | uucp | | Yes | No | No | Linux Standard Base required user. Available only in an upgrade environment. |
| vcsa | vcsa | | Yes | No | No | Virtual console memory owner. Available only in an upgrade environment. |
| Keycloak | Keycloak | CSF CKEY (Keycloak) | Yes | No | No | Keycloak Linux user |
| admusr | sysop | | Yes | No | No | adm user (non-root) under the sysop group; should be able to activate the D3B2 and Confmeta artifacts |
| redis | redis | | Yes | No | No | Redis cache service |
| cmtmbe | sysop | Configurator | Yes | No | No | CM Template Management Backend service user |
| frr | frr | DR NCS | Yes | No | No | User used to run the BGPd service. |
| frr | frrvty | DR NCS | Yes | No | No | User used to run the BGPd service. |

Table 2: System users in Linux OS
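As an added check that is not part of the NetAct documentation, the following Python script compares the lock state of the Linux OS users listed in Table 2 against a file in /etc/shadow format and reports any deviation. The embedded shadow content is a constructed sample, and the rule that a password field starting with "!" or "*" means the account is locked is an assumption of this example (it is the Linux shadow convention, not a NetAct definition).

```python
"""Audit Linux OS system users against the expected lock state from Table 2.

Added example, not part of the NetAct documentation. Reads shadow-format
lines (a constructed sample is embedded below, or pass /etc/shadow as root)
and reports users whose lock state differs from Table 2.
Assumption: an account counts as locked when its password field starts with
'!' or '*' (Linux shadow convention for a password that cannot be used).
"""
import sys
from typing import Dict, List, Tuple

# "Locked during operation phase" = Yes in Table 2.
LOCKED_YES = """adm apache bin buadmin cpfoma cpfvcs cpfvman daemon dbus dcfw dirsrv
dradmin ftp ftpsecure games gopher haldaemon halt hsql jettysrv ldap lp mail
mhcf named nfsnobody nobody nscd sssd chrony operator pcp pmflmgr polkitd
postfix rpc rpcuser sadap sadmin saslauth shutdown sockd sshd stomcat sync
systemd-network tcpdump tomcat tss uucp vcsa Keycloak admusr redis cmtmbe frr""".split()
# "Locked during operation phase" = No in Table 2.
LOCKED_NO = "ftirpuser ftirpuser2 ftirpuser3 hpadmin isdkuser oracle rdsftp root".split()
EXPECTED_LOCKED: Dict[str, bool] = {**{u: True for u in LOCKED_YES},
                                    **{u: False for u in LOCKED_NO}}


def parse_shadow(text: str) -> Dict[str, str]:
    """Map user name -> password field from shadow-format lines."""
    users: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 2:
            continue  # malformed line, ignore
        users[fields[0]] = fields[1]
    return users


def is_locked(password_field: str) -> bool:
    """Shadow convention (assumed): '!' or '*' prefix disables password login."""
    return password_field.startswith(("!", "*"))


def audit(shadow_text: str) -> Tuple[List[str], List[str], List[str]]:
    """Return (should_be_locked_but_open, should_be_open_but_locked, missing)."""
    actual = parse_shadow(shadow_text)
    open_but_expected_locked: List[str] = []
    locked_but_expected_open: List[str] = []
    missing: List[str] = []
    for user, should_be_locked in sorted(EXPECTED_LOCKED.items()):
        if user not in actual:
            missing.append(user)  # user from Table 2 not present on this node
            continue
        locked = is_locked(actual[user])
        if should_be_locked and not locked:
            open_but_expected_locked.append(user)
        elif not should_be_locked and locked:
            locked_but_expected_open.append(user)
    return open_but_expected_locked, locked_but_expected_open, missing


# Constructed sample (not from a real system): 'apache' is wrongly unlocked,
# 'oracle' is wrongly locked; hash values are dummies.
SAMPLE_SHADOW = """\
root:$6$dummyhash:19000:0:99999:7:::
adm:*:19000:0:99999:7:::
apache:$6$dummyhash:19000:0:99999:7:::
oracle:!$6$dummyhash:19000:0:99999:7:::
sshd:!!:19000::::::
"""

if __name__ == "__main__":
    # Optional: python3 audit_lock_state.py /etc/shadow (must be run as root).
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SHADOW
    opened, locked, absent = audit(text)
    print("Expected locked but password login enabled:", opened)
    print("Expected unlocked but locked:", locked)
    print("Listed in Table 2 but not present on this node:", len(absent))
```

Users that are absent are reported separately because, as Table 2 notes, several accounts exist only in upgraded environments.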

Admin
1 2
System User Id System User Group Component Locked JAAS Description
User

AC n/a FM Yes No No Schema used for storing data related to alarm correlation.

ANONYMOUS n/a Yes No No Oracle default user: NetAct expires and locks the account.
Used for storing/managing all data and metadata required by
Oracle Quality of Service Management.

AOM n/a AoM Yes No No Created by NetAct component during installation. The schema
is used for storing the plan and template information related to
administration of measurements.

APPQOSSYS n/a Yes No No Oracle default user: Stores/Manages data required by Oracle
Quality of Service Management. Locked and expired by de-
fault

ATL n/a ATL Yes No No Schema used for storing information about log collections
scheduled from Audit Trail server

AUDSYS n/a Yes No No Oracle default user: Used for having unified audit records.
Locked and expired by default

CGNEPM n/a PM Adapt Yes No No Schema created as part of Cisco Network Element adaptation
deployment. Used for storing aggregation data.

NetAct™ 22 © 2021 Nokia. Nokia Confidential Information 15


Final Use subject to agreed restrictions on disclosure and use.
Administering Users and Permissions DN0992646 4-1 Administering NetAct system users and
password

Admin
1 2
System User Id System User Group Component Locked JAAS Description
User

CGNEPMRAW n/a PM Adapt Yes No No Schema created as part of Cisco Network Element adaptation
deployment. Used for storing raw data.

CMDAHW n/a CM Adaptation Yes No No Created by NetAct component during installation for its own
DB schemas and DB user accounts.

CMDALB n/a CM Adaptation Yes No No Created by NetAct component during installation for its own
DB schemas and DB user accounts.

CMDAMR n/a CM Adaptation Yes No No Created by NetAct component during installation for its own
DB schemas and DB user accounts.

CMDAN3 n/a CM Adaptation Yes No No Created by NetAct component during installation for its own
DB schemas and DB user accounts.

CMDANP n/a CM Adaptation Yes No No Created by NetAct component during installation for its own
DB schemas and DB user accounts.

CMDANT n/a CM Adaptation Yes No No Created by NetAct component during installation for its own
DB schemas and DB user accounts.

CMDASRNC n/a CM Adaptation Yes No No Created by NetAct component during installation for its own
DB schemas and DB user accounts.

CMDASRNCIP n/a CM Adaptation Yes No No Created by NetAct component during installation for its own
DB schemas and DB user accounts.

CMDATH n/a CM Adaptation Yes No No Created by NetAct component during installation for its own
DB schemas and DB user accounts.

CMDAWS n/a CM Adaptation Yes No No Created by NetAct component during installation for its own
DB schemas and DB user accounts.

CMDAXC n/a CM Adaptation Yes No No Created by NetAct component during installation for its own
DB schemas and DB user accounts.

CMDBCU n/a CM Adaptation Yes No No Created by NetAct component during installation for its own
DB schemas and DB user accounts.

CMDBCUM n/a CM Adaptation Yes No No Created by NetAct component during installation for its own
DB schemas and DB user accounts.

CMDBFM n/a CM Adaptation Yes No No Created by NetAct component during installation for its own
DB schemas and DB user accounts.

CMDBGA n/a CM Adaptation Yes No No Created by NetAct component during installation for its own
DB schemas and DB user accounts.

CMDBGH n/a CM Adaptation Yes No No Created by NetAct component during installation for its own
DB schemas and DB user accounts.

CMDBGW n/a CM Adaptation Yes No No Created by NetAct component during installation for its own
DB schemas and DB user accounts.

CMDBHW n/a CM Adaptation Yes No No Created by NetAct component during installation for its own
DB schemas and DB user accounts.

CMDBSC n/a CM Adaptation Yes No No Created by NetAct component during installation for its own
DB schemas and DB user accounts.

CMDBSR n/a CM Adaptation Yes No No Created by NetAct component during installation for its own
DB schemas and DB user accounts.

CMDBSRA n/a CM Adaptation Yes No No Created by NetAct component during installation for its own
DB schemas and DB user accounts.

CMDBTC n/a CM Adaptation Yes No No Created by NetAct component during installation for its own
DB schemas and DB user accounts.

CMDBTF n/a CM Adaptation Yes No No Created by NetAct component during installation for its own
DB schemas and DB user accounts.

CMDBTH n/a CM Adaptation Yes No No Created by NetAct component during installation for its own
DB schemas and DB user accounts.

NetAct™ 22 © 2021 Nokia. Nokia Confidential Information 16


Final Use subject to agreed restrictions on disclosure and use.
Administering Users and Permissions DN0992646 4-1 Administering NetAct system users and
password

Admin
1 2
System User Id System User Group Component Locked JAAS Description
User

CMDBTU n/a CM Adaptation Yes No No Created by NetAct component during installation for its own
DB schemas and DB user accounts.

CMDCDA n/a CM Adaptation Yes No No Created by NetAct component during installation for its own
DB schemas and DB user accounts.

CMDCDH n/a CM Adaptation Yes No No Created by NetAct component during installation for its own
DB schemas and DB user accounts.

CMDCDS n/a CM Adaptation Yes No No Created by NetAct component during installation for its own
DB schemas and DB user accounts.

CMDCFC n/a CM Adaptation Yes No No Created by NetAct component during installation for its own
DB schemas and DB user accounts.

CMDCFI n/a CM Adaptation Yes No No Created by NetAct component during installation for its own
DB schemas and DB user accounts.

CMDCFP n/a CM Adaptation Yes No No Created by NetAct component during installation for its own
DB schemas and DB user accounts.

CMDCMV n/a CM Adaptation Yes No No Created by NetAct component during installation for its own
DB schemas and DB user accounts.

CMDCODS n/a CM Adaptation Yes No No Created by NetAct component during installation for its own
DB schemas and DB user accounts.

CMDCOM n/a CM Adaptation Yes No No Created by NetAct component during installation for its own
DB schemas and DB user accounts.

CMDCON n/a CM Adaptation Yes No No Created by NetAct component during installation for its own
DB schemas and DB user accounts.

CMDCRA n/a CM Adaptation Yes No No Created by NetAct component during installation for its own
DB schemas and DB user accounts.

CMDCSA n/a CM Adaptation Yes No No Created by NetAct component during installation for its own
DB schemas and DB user accounts.

CMDCSC n/a CM Adaptation Yes No No Created by NetAct component during installation for its own
DB schemas and DB user accounts.

CMDCSF n/a CM Adaptation Yes No No Created by NetAct component during installation for its own
DB schemas and DB user accounts.

CMDCSI n/a CM Adaptation Yes No No Created by NetAct component during installation for its own
DB schemas and DB user accounts.

CMDCTP n/a CM Adaptation Yes No No Created by NetAct component during installation for its own
DB schemas and DB user accounts.

CMDDLB n/a CM Adaptation Yes No No Created by NetAct component during installation for its own
DB schemas and DB user accounts.

CMDDLC n/a CM Adaptation Yes No No Created by NetAct component during installation for its own
DB schemas and DB user accounts.

CMDDRA n/a CM Adaptation Yes No No Created by NetAct component during installation for its own
DB schemas and DB user accounts.

CMDDRC n/a CM Adaptation Yes No No Created by NetAct component during installation for its own
DB schemas and DB user accounts.

CMDDRI n/a CM Adaptation Yes No No Created by NetAct component during installation for its own
DB schemas and DB user accounts.

CMDDRM n/a CM Adaptation Yes No No Created by NetAct component during installation for its own
DB schemas and DB user accounts.

CMDDXH n/a CM Adaptation Yes No No Created by NetAct component during installation for its own
DB schemas and DB user accounts.

CMDDXT n/a CM Adaptation Yes No No Created by NetAct component during installation for its own
DB schemas and DB user accounts.

NetAct™ 22 © 2021 Nokia. Nokia Confidential Information 17
Final. Use subject to agreed restrictions on disclosure and use.
Administering Users and Permissions DN0992646 4-1. Administering NetAct system users and password

Table columns: System User Id, System User Group, Component, Locked, Admin User (1), JAAS (2), Description

CMDERF n/a CM Adaptation Yes No No Created by NetAct component during installation for its own
DB schemas and DB user accounts.

CMDEXR n/a CM Adaptation Yes No No Created by NetAct component during installation for its own
DB schemas and DB user accounts.

CMDFDHW n/a CM Adaptation Yes No No Created by NetAct component during installation for its own
DB schemas and DB user accounts.

CMDFHW n/a CM Adaptation Yes No No Created by NetAct component during installation for its own
DB schemas and DB user accounts.

CMDFNA n/a CM Adaptation Yes No No Created by NetAct component during installation for its own
DB schemas and DB user accounts.

CMDFNG n/a CM Adaptation Yes No No Created by NetAct component during installation for its own
DB schemas and DB user accounts.

CMDFNS n/a CM Adaptation Yes No No Created by NetAct component during installation for its own
DB schemas and DB user accounts.

CMDFTM n/a CM Adaptation Yes No No Created by NetAct component during installation for its own
DB schemas and DB user accounts.

CMDFZCP n/a CM Adaptation Yes No No Created by NetAct component during installation for its own
DB schemas and DB user accounts.

CMDFZCPCA n/a CM Adaptation Yes No No Created by NetAct component during installation for its own
DB schemas and DB user accounts.

CMDGGA n/a CM Adaptation Yes No No Created by NetAct component during installation for its own
DB schemas and DB user accounts.

CMDGGS n/a CM Adaptation Yes No No Created by NetAct component during installation for its own
DB schemas and DB user accounts.

CMDGLD n/a CM Adaptation Yes No No Created by NetAct component during installation for its own
DB schemas and DB user accounts.

CMDGOM n/a CM Adaptation Yes No No Created by NetAct component during installation for its own
DB schemas and DB user accounts.

CMDGPB n/a CM Adaptation Yes No No Created by NetAct component during installation for its own
DB schemas and DB user accounts.

CMDHFC n/a CM Adaptation Yes No No Created by NetAct component during installation for its own
DB schemas and DB user accounts.

CMDHFE n/a CM Adaptation Yes No No Created by NetAct component during installation for its own
DB schemas and DB user accounts.

CMDHFI n/a CM Adaptation Yes No No Created by NetAct component during installation for its own
DB schemas and DB user accounts.

CMDHLA n/a CM Adaptation Yes No No Created by NetAct component during installation for its own
DB schemas and DB user accounts.

CMDHLH n/a CM Adaptation Yes No No Created by NetAct component during installation for its own
DB schemas and DB user accounts.

CMDHLR n/a CM Adaptation Yes No No Created by NetAct component during installation for its own
DB schemas and DB user accounts.

CMDHLRC n/a CM Adaptation Yes No No Created by NetAct component during installation for its own
DB schemas and DB user accounts.

CMDHMV n/a CM Adaptation Yes No No Created by NetAct component during installation for its own
DB schemas and DB user accounts.

CMDHPH n/a CM Adaptation Yes No No Created by NetAct component during installation for its own
DB schemas and DB user accounts.

CMDHPHW n/a CM Adaptation Yes No No Created by NetAct component during installation for its own
DB schemas and DB user accounts.

CMDDHSCP n/a CM Adaptation Yes No No Created by NetAct component during installation for its own
DB schemas and DB user accounts.

CMDHSE n/a CM Adaptation Yes No No Created by NetAct component during installation for its own
DB schemas and DB user accounts.

CMDHSF n/a CM Adaptation Yes No No Created by NetAct component during installation for its own
DB schemas and DB user accounts.

CMDHSG n/a CM Adaptation Yes No No Created by NetAct component during installation for its own
DB schemas and DB user accounts.

CMDHSI n/a CM Adaptation Yes No No Created by NetAct component during installation for its own
DB schemas and DB user accounts.

CMDHSM n/a CM Adaptation Yes No No Created by NetAct component during installation for its own
DB schemas and DB user accounts.

CMDIHF n/a CM Adaptation Yes No No Created by NetAct component during installation for its own
DB schemas and DB user accounts.

CMDIHR n/a CM Adaptation Yes No No Created by NetAct component during installation for its own
DB schemas and DB user accounts.

CMDIHW n/a CM Adaptation Yes No No Created by NetAct component during installation for its own
DB schemas and DB user accounts.

CMDIMH n/a CM Adaptation Yes No No Created by NetAct component during installation for its own
DB schemas and DB user accounts.

CMDINT n/a CM Adaptation Yes No No Created by NetAct component during installation for its own
DB schemas and DB user accounts.

CMDIOA n/a CM Adaptation Yes No No Created by NetAct component during installation for its own
DB schemas and DB user accounts.

CMDIOM n/a CM Adaptation Yes No No Created by NetAct component during installation for its own
DB schemas and DB user accounts.

CMDIPA n/a CM Adaptation Yes No No Created by NetAct component during installation for its own
DB schemas and DB user accounts.

CMDIPL n/a CM Adaptation Yes No No Created by NetAct component during installation for its own
DB schemas and DB user accounts.

CMDISC n/a CM Adaptation Yes No No Created by NetAct component during installation for its own
DB schemas and DB user accounts.

CMDJUN n/a CM Adaptation Yes No No Created by NetAct component during installation for its own
DB schemas and DB user accounts.

CMDLBA n/a CM Adaptation Yes No No Created by NetAct component during installation for its own
DB schemas and DB user accounts.

CMDLBC n/a CM Adaptation Yes No No Created by NetAct component during installation for its own
DB schemas and DB user accounts.

CMDLBI n/a CM Adaptation Yes No No Created by NetAct component during installation for its own
DB schemas and DB user accounts.

CMDLBS n/a CM Adaptation Yes No No Created by NetAct component during installation for its own
DB schemas and DB user accounts.

CMDLCC n/a CM Adaptation Yes No No Created by NetAct component during installation for its own
DB schemas and DB user accounts.

CMDLHW n/a CM Adaptation Yes No No Created by NetAct component during installation for its own
DB schemas and DB user accounts.

CMDLTE n/a CM Adaptation Yes No No Created by NetAct component during installation for its own
DB schemas and DB user accounts.

CMDLTTHC n/a CM Adaptation Yes No No Created by NetAct component during installation for its own
DB schemas and DB user accounts.

CMDMCHW n/a CM Adaptation Yes No No Created by NetAct component during installation for its own
DB schemas and DB user accounts.

CMDMGA n/a CM Adaptation Yes No No Created by NetAct component during installation for its own
DB schemas and DB user accounts.

CMDMGH n/a CM Adaptation Yes No No Created by NetAct component during installation for its own
DB schemas and DB user accounts.

CMDMGW n/a CM Adaptation Yes No No Created by NetAct component during installation for its own
DB schemas and DB user accounts.

CMDMPL n/a CM Adaptation Yes No No Created by NetAct component during installation for its own
DB schemas and DB user accounts.

CMDMR n/a CM Adaptation Yes No No Created by NetAct component during installation for its own
DB schemas and DB user accounts.

CMDMRC n/a CM Adaptation Yes No No Created by NetAct component during installation for its own
DB schemas and DB user accounts.

CMDMRCP n/a CM Adaptation Yes No No Created by NetAct component during installation for its own
DB schemas and DB user accounts.

CMDMRS n/a CM Adaptation Yes No No Created by NetAct component during installation for its own
DB schemas and DB user accounts.

CMDMSH n/a CM Adaptation Yes No No Created by NetAct component during installation for its own
DB schemas and DB user accounts.

CMDMSS n/a CM Adaptation Yes No No Created by NetAct component during installation for its own
DB schemas and DB user accounts.

CMDN3A n/a CM Adaptation Yes No No Created by NetAct component during installation for its own
DB schemas and DB user accounts.

CMDNCO n/a CM Adaptation Yes No No Created by NetAct component during installation for its own
DB schemas and DB user accounts.

CMDNDA n/a CM Adaptation Yes No No Created by NetAct component during installation for its own
DB schemas and DB user accounts.

CMDNDB n/a CM Adaptation Yes No No Created by NetAct component during installation for its own
DB schemas and DB user accounts.

CMDNDM n/a CM Adaptation Yes No No Created by NetAct component during installation for its own
DB schemas and DB user accounts.

CMDNDN n/a CM Adaptation Yes No No Created by NetAct component during installation for its own
DB schemas and DB user accounts.

CMDNDP n/a CM Adaptation Yes No No Created by NetAct component during installation for its own
DB schemas and DB user accounts.

CMDNE3 n/a CM Adaptation Yes No No Created by NetAct component during installation for its own
DB schemas and DB user accounts.

CMDNET n/a CM Adaptation Yes No No Created by NetAct component during installation for its own
DB schemas and DB user accounts.

CMDNFM n/a CM Adaptation Yes No No Created by NetAct component during installation for its own
DB schemas and DB user accounts.

CMDNHW n/a CM Adaptation Yes No No Created by NetAct component during installation for its own
DB schemas and DB user accounts.

CMDNSG n/a CM Adaptation Yes No No Created by NetAct component during installation for its own
DB schemas and DB user accounts.

CMDNTA n/a CM Adaptation Yes No No Created by NetAct component during installation for its own
DB schemas and DB user accounts.

CMDNTAS n/a CM Adaptation Yes No No Created by NetAct component during installation for its own
DB schemas and DB user accounts.

CMDOGH n/a CM Adaptation Yes No No Created by NetAct component during installation for its own
DB schemas and DB user accounts.

CMDOGW n/a CM Adaptation Yes No No Created by NetAct component during installation for its own
DB schemas and DB user accounts.

CMDOMA n/a CM Adaptation Yes No No Created by NetAct component during installation for its own
DB schemas and DB user accounts.

CMDOMC n/a CM Adaptation Yes No No Created by NetAct component during installation for its own
DB schemas and DB user accounts.

CMDOPF n/a CM Adaptation Yes No No Created by NetAct component during installation for its own
DB schemas and DB user accounts.

CMDPCC n/a CM Adaptation Yes No No Created by NetAct component during installation for its own
DB schemas and DB user accounts.

CMDPCL n/a CM Adaptation Yes No No Created by NetAct component during installation for its own
DB schemas and DB user accounts.

CMDPF n/a CM Adaptation Yes No No Created by NetAct component during installation for its own
DB schemas and DB user accounts.

CMDPGD n/a CM Adaptation Yes No No Created by NetAct component during installation for its own
DB schemas and DB user accounts.

CMDPLA n/a CM Adaptation Yes No No Schema used for storing the common part of all configuration data
of Configuration Management.

CMDPNP n/a CM Adaptation Yes No No Created by NetAct component during installation for its own
DB schemas and DB user accounts.

CMDPSA n/a CM Adaptation Yes No No Created by NetAct component during installation for its own
DB schemas and DB user accounts.

CMDPSG n/a CM Adaptation Yes No No Created by NetAct component during installation for its own
DB schemas and DB user accounts.

CMDQ3A n/a CM Adaptation Yes No No Created by NetAct component during installation for its own
DB schemas and DB user accounts.

CMDRACS n/a CM Adaptation Yes No No Created by NetAct component during installation for its own
DB schemas and DB user accounts.

CMDRCU n/a CM Adaptation Yes No No Created by NetAct component during installation for its own
DB schemas and DB user accounts.

CMDRDA n/a CM Adaptation Yes No No Created by NetAct component during installation for its own
DB schemas and DB user accounts.

CMDRNC n/a CM Adaptation Yes No No Created by NetAct component during installation for its own
DB schemas and DB user accounts.

CMDRNCP n/a CM Adaptation Yes No No Created by NetAct component during installation for its own
DB schemas and DB user accounts.

CMDRPO n/a CM Adaptation Yes No No Created by NetAct component during installation for its own
DB schemas and DB user accounts.

CMDSBTS n/a CM Adaptation Yes No No Created by NetAct component during installation for its own
DB schemas and DB user accounts.

CMDSBTSHW n/a CM Adaptation Yes No No Created by NetAct component during installation for its own
DB schemas and DB user accounts.

CMDSGA n/a CM Adaptation Yes No No Created by NetAct component during installation for its own
DB schemas and DB user accounts.

CMDSGH n/a CM Adaptation Yes No No Created by NetAct component during installation for its own
DB schemas and DB user accounts.

CMDSGS n/a CM Adaptation Yes No No Created by NetAct component during installation for its own
DB schemas and DB user accounts.

CMDSMM n/a CM Adaptation Yes No No Created by NetAct component during installation for its own
DB schemas and DB user accounts.

CMDSMMHW n/a CM Adaptation Yes No No Created by NetAct component during installation for its own
DB schemas and DB user accounts.

CMDDSR n/a CM Adaptation Yes No No Created by NetAct component during installation for its own
DB schemas and DB user accounts.

CMDDSRE n/a CM Adaptation Yes No No Created by NetAct component during installation for its own
DB schemas and DB user accounts.

CMDDSRER n/a CM Adaptation Yes No No Created by NetAct component during installation for its own
DB schemas and DB user accounts.

CMDSRG n/a CM Adaptation Yes No No Created by NetAct component during installation for its own
DB schemas and DB user accounts.

CMDSRHW n/a CM Adaptation Yes No No Created by NetAct component during installation for its own
DB schemas and DB user accounts.

CMDSRIU n/a CM Adaptation Yes No No Created by NetAct component during installation for its own
DB schemas and DB user accounts.

CMDSRM n/a CM Adaptation Yes No No Created by NetAct component during installation for its own
DB schemas and DB user accounts.

CMDSRT n/a CM Adaptation Yes No No Created by NetAct component during installation for its own
DB schemas and DB user accounts.

CMDSRW n/a CM Adaptation Yes No No Created by NetAct component during installation for its own
DB schemas and DB user accounts.

CMDSUH n/a CM Adaptation Yes No No Created by NetAct component during installation for its own
DB schemas and DB user accounts.

CMDTAH n/a CM Adaptation Yes No No Created by NetAct component during installation for its own
DB schemas and DB user accounts.

CMDTAM n/a CM Adaptation Yes No No Created by NetAct component during installation for its own
DB schemas and DB user accounts.

CMDTAS n/a CM Adaptation Yes No No Created by NetAct component during installation for its own
DB schemas and DB user accounts.

CMDTIA n/a CM Adaptation Yes No No Created by NetAct component during installation for its own
DB schemas and DB user accounts.

CMDTIC n/a CM Adaptation Yes No No Created by NetAct component during installation for its own
DB schemas and DB user accounts.

CMDTII n/a CM Adaptation Yes No No Created by NetAct component during installation for its own
DB schemas and DB user accounts.

CMDTIM n/a CM Adaptation Yes No No Created by NetAct component during installation for its own
DB schemas and DB user accounts.

CMDTLC n/a CM Adaptation Yes No No Created by NetAct component during installation for its own
DB schemas and DB user accounts.

CMDUHC n/a CM Adaptation Yes No No Created by NetAct component during installation for its own
DB schemas and DB user accounts.

CMDUHI n/a CM Adaptation Yes No No Created by NetAct component during installation for its own
DB schemas and DB user accounts.

CMDUHS n/a CM Adaptation Yes No No Created by NetAct component during installation for its own
DB schemas and DB user accounts.

CMDUHW n/a CM Adaptation Yes No No Created by NetAct component during installation for its own
DB schemas and DB user accounts.

CMDV2G n/a CM Adaptation Yes No No Created by NetAct component during installation for its own
DB schemas and DB user accounts.

CMDV3G n/a CM Adaptation Yes No No Created by NetAct component during installation for its own
DB schemas and DB user accounts.

CMDVDU n/a CM Adaptation Yes No No Created by NetAct component during installation for its own
DB schemas and DB user accounts.

CMDVEX n/a CM Adaptation Yes No No Created by NetAct component during installation for its own
DB schemas and DB user accounts.

CMDVHSC n/a CM Adaptation Yes No No Created by NetAct component during installation for its own
DB schemas and DB user accounts.

CMDVHSI n/a CM Adaptation Yes No No Created by NetAct component during installation for its own
DB schemas and DB user accounts.

CMDVHSS n/a CM Adaptation Yes No No Created by NetAct component during installation for its own
DB schemas and DB user accounts.

CMDVLT n/a CM Adaptation Yes No No Created by NetAct component during installation for its own
DB schemas and DB user accounts.

CMDVLSB n/a CM Adaptation Yes No No Created by NetAct component during installation for its own
DB schemas and DB user accounts.

CMDVTE n/a CM Adaptation Yes No No Created by NetAct component during installation for its own
DB schemas and DB user accounts.

CMDWIFI n/a CM Adaptation Yes No No Created by NetAct component during installation for its own
DB schemas and DB user accounts.

CMHAHW n/a CM Adaptation Yes No No Created by NetAct component during installation for its own
DB schemas and DB user accounts.

CMDHALB n/a CM Adaptation Yes No No Created by NetAct component during installation for its own
DB schemas and DB user accounts.

CMHAN3 n/a CM Adaptation Yes No No Created by NetAct component during installation for its own
DB schemas and DB user accounts.

CMHANP n/a CM Adaptation Yes No No Created by NetAct component during installation for its own
DB schemas and DB user accounts.

CMHANT n/a CM Adaptation Yes No No Created by NetAct component during installation for its own
DB schemas and DB user accounts.

CMHASRNC n/a CM Adaptation Yes No No Created by NetAct component during installation for its own
DB schemas and DB user accounts.

CMHASRNCIP n/a CM Adaptation Yes No No Created by NetAct component during installation for its own
DB schemas and DB user accounts.

CMHATH n/a CM Adaptation Yes No No Created by NetAct component during installation for its own
DB schemas and DB user accounts.

CMHAWS n/a CM Adaptation Yes No No Created by NetAct component during installation for its own
DB schemas and DB user accounts.

CMHAXC n/a CM Adaptation Yes No No Created by NetAct component during installation for its own
DB schemas and DB user accounts.

CMHBCU n/a CM Adaptation Yes No No Created by NetAct component during installation for its own
DB schemas and DB user accounts.

CMHBCUM n/a CM Adaptation Yes No No Created by NetAct component during installation for its own
DB schemas and DB user accounts.

CMHBFM n/a CM Adaptation Yes No No Created by NetAct component during installation for its own
DB schemas and DB user accounts.

CMHBGH n/a CM Adaptation Yes No No Created by NetAct component during installation for its own
DB schemas and DB user accounts.

CMHBGW n/a CM Adaptation Yes No No Created by NetAct component during installation for its own
DB schemas and DB user accounts.

CMHBHW n/a CM Adaptation Yes No No Created by NetAct component during installation for its own
DB schemas and DB user accounts.

CMHBLC n/a CM Adaptation Yes No No Created by NetAct component during installation for its own
DB schemas and DB user accounts.

CMHBMED

CMHBSC n/a CM Adaptation Yes No No Created by NetAct component during installation for its own
DB schemas and DB user accounts.

CMHBSR n/a CM Adaptation Yes No No Created by NetAct component during installation for its own
DB schemas and DB user accounts.

CMHBTC n/a CM Adaptation Yes No No Created by NetAct component during installation for its own
DB schemas and DB user accounts.

CMHBTF n/a CM Adaptation Yes No No Created by NetAct component during installation for its own
DB schemas and DB user accounts.

CMHBTH n/a CM Adaptation Yes No No Created by NetAct component during installation for its own
DB schemas and DB user accounts.

CMHBTU n/a CM Adaptation Yes No No Created by NetAct component during installation for its own
DB schemas and DB user accounts.

CMHCDH n/a CM Adaptation Yes No No Created by NetAct component during installation for its own
DB schemas and DB user accounts.

CMHCDS n/a CM Adaptation Yes No No Created by NetAct component during installation for its own
DB schemas and DB user accounts.

CMHCFC n/a CM Adaptation Yes No No Created by NetAct component during installation for its own
DB schemas and DB user accounts.

CMHCFI n/a CM Adaptation Yes No No Created by NetAct component during installation for its own
DB schemas and DB user accounts.

CMHCFP n/a CM Adaptation Yes No No Created by NetAct component during installation for its own
DB schemas and DB user accounts.

CMHCMV n/a CM Adaptation Yes No No Created by NetAct component during installation for its own
DB schemas and DB user accounts.

CMHCODS n/a CM Adaptation Yes No No Created by NetAct component during installation for its own
DB schemas and DB user accounts.

CMHCOM n/a CM Adaptation Yes No No Created by NetAct component during installation for its own
DB schemas and DB user accounts.

CMHCRA n/a CM Adaptation Yes No No Created by NetAct component during installation for its own
DB schemas and DB user accounts.

CMHCSA n/a CM Adaptation Yes No No Created by NetAct component during installation for its own
DB schemas and DB user accounts.

CMHCSC n/a CM Adaptation Yes No No Created by NetAct component during installation for its own
DB schemas and DB user accounts.

CMHCSF n/a CM Adaptation Yes No No Created by NetAct component during installation for its own
DB schemas and DB user accounts.

CMHCSI n/a CM Adaptation Yes No No Created by NetAct component during installation for its own
DB schemas and DB user accounts.

CMHDLB n/a CM Adaptation Yes No No Created by NetAct component during installation for its own
DB schemas and DB user accounts.

CMHDLC n/a CM Adaptation Yes No No Created by NetAct component during installation for its own
DB schemas and DB user accounts.

CMHDRA n/a CM Adaptation Yes No No Created by NetAct component during installation for its own
DB schemas and DB user accounts.

CMHDRC n/a CM Adaptation Yes No No Created by NetAct component during installation for its own
DB schemas and DB user accounts.

CMHDRI n/a CM Adaptation Yes No No Created by NetAct component during installation for its own
DB schemas and DB user accounts.

CMHDRM n/a CM Adaptation Yes No No Created by NetAct component during installation for its own
DB schemas and DB user accounts.

CMHDXH n/a CM Adaptation Yes No No Created by NetAct component during installation for its own
DB schemas and DB user accounts.

CMHDXT n/a CM Adaptation Yes No No Created by NetAct component during installation for its own
DB schemas and DB user accounts.

CMHERF n/a CM Adaptation Yes No No Created by NetAct component during installation for its own
DB schemas and DB user accounts.

CMHEXR n/a CM Adaptation Yes No No Created by NetAct component during installation for its own
DB schemas and DB user accounts.

CMHFDHW n/a CM Adaptation Yes No No Created by NetAct component during installation for its own
DB schemas and DB user accounts.

CMHFHW n/a CM Adaptation Yes No No Created by NetAct component during installation for its own
DB schemas and DB user accounts.

CMHFNG n/a CM Adaptation Yes No No Created by NetAct component during installation for its own
DB schemas and DB user accounts.

CMHFNS n/a CM Adaptation Yes No No Created by NetAct component during installation for its own
DB schemas and DB user accounts.

CMHFTM n/a CM Adaptation Yes No No Created by NetAct component during installation for its own
DB schemas and DB user accounts.

CMHFZCP n/a CM Adaptation Yes No No Created by NetAct component during installation for its own
DB schemas and DB user accounts.

CMHFZCPA n/a CM Adaptation Yes No No Created by NetAct component during installation for its own
DB schemas and DB user accounts.

CMHGGS n/a CM Adaptation Yes No No Created by NetAct component during installation for its own
DB schemas and DB user accounts.

CMHGOM n/a CM Adaptation Yes No No Created by NetAct component during installation for its own
DB schemas and DB user accounts.

CMHGPB n/a CM Adaptation Yes No No Created by NetAct component during installation for its own
DB schemas and DB user accounts.

CMHHFC n/a CM Adaptation Yes No No Created by NetAct component during installation for its own
DB schemas and DB user accounts.

CMHHFE n/a CM Adaptation Yes No No Created by NetAct component during installation for its own
DB schemas and DB user accounts.

CMHHFI n/a CM Adaptation Yes No No Created by NetAct component during installation for its own
DB schemas and DB user accounts.

CMHHLH n/a CM Adaptation Yes No No Created by NetAct component during installation for its own
DB schemas and DB user accounts.

CMHHLR n/a CM Adaptation Yes No No Created by NetAct component during installation for its own
DB schemas and DB user accounts.

CMHHLRC n/a CM Adaptation Yes No No Created by NetAct component during installation for its own
DB schemas and DB user accounts.

CMHHMV n/a CM Adaptation Yes No No Created by NetAct component during installation for its own
DB schemas and DB user accounts.

CMHHPH n/a CM Adaptation Yes No No Created by NetAct component during installation for its own
DB schemas and DB user accounts.

CMHHPPW n/a CM Adaptation Yes No No Created by NetAct component during installation for its own
DB schemas and DB user accounts.

CMHHSCP n/a CM Adaptation Yes No No Created by NetAct component during installation for its own
DB schemas and DB user accounts.

CMHHSE n/a CM Adaptation Yes No No Created by NetAct component during installation for its own
DB schemas and DB user accounts.

CMHHSF n/a CM Adaptation Yes No No Created by NetAct component during installation for its own
DB schemas and DB user accounts.

| CMHHSG | n/a | CM Adaptation | Yes | No | No | Created by NetAct component during installation for its own DB schemas and DB user accounts. |
| CMHHSI | n/a | CM Adaptation | Yes | No | No | Created by NetAct component during installation for its own DB schemas and DB user accounts. |
| CMHHSM | n/a | CM Adaptation | Yes | No | No | Created by NetAct component during installation for its own DB schemas and DB user accounts. |
| CMHIHF | n/a | CM Adaptation | Yes | No | No | Created by NetAct component during installation for its own DB schemas and DB user accounts. |
| CMHIHR | n/a | CM Adaptation | Yes | No | No | Created by NetAct component during installation for its own DB schemas and DB user accounts. |
| CMHIHW | n/a | CM Adaptation | Yes | No | No | Created by NetAct component during installation for its own DB schemas and DB user accounts. |
| CMHIMH | n/a | CM Adaptation | Yes | No | No | Created by NetAct component during installation for its own DB schemas and DB user accounts. |
| CMHIOA | n/a | CM Adaptation | Yes | No | No | Created by NetAct component during installation for its own DB schemas and DB user accounts. |
| CMHIOM | n/a | CM Adaptation | Yes | No | No | Created by NetAct component during installation for its own DB schemas and DB user accounts. |
| CMHIPA | n/a | CM Adaptation | Yes | No | No | Created by NetAct component during installation for its own DB schemas and DB user accounts. |
| CMHIPL | n/a | CM Adaptation | Yes | No | No | Created by NetAct component during installation for its own DB schemas and DB user accounts. |
| CMHISC | n/a | CM Adaptation | Yes | No | No | Created by NetAct component during installation for its own DB schemas and DB user accounts. |
| CMHJUN | n/a | CM Adaptation | Yes | No | No | Created by NetAct component during installation for its own DB schemas and DB user accounts. |
| CMHLBA | n/a | CM Adaptation | Yes | No | No | Created by NetAct component during installation for its own DB schemas and DB user accounts. |
| CMHLBC | n/a | CM Adaptation | Yes | No | No | Created by NetAct component during installation for its own DB schemas and DB user accounts. |
| CMHLBI | n/a | CM Adaptation | Yes | No | No | Created by NetAct component during installation for its own DB schemas and DB user accounts. |
| CMHLBS | n/a | CM Adaptation | Yes | No | No | Created by NetAct component during installation for its own DB schemas and DB user accounts. |
| CMHLCC | n/a | CM Adaptation | Yes | No | No | Created by NetAct component during installation for its own DB schemas and DB user accounts. |
| CMHLHW | n/a | CM Adaptation | Yes | No | No | Created by NetAct component during installation for its own DB schemas and DB user accounts. |
| CMHLTE | n/a | CM Adaptation | Yes | No | No | Created by NetAct component during installation for its own DB schemas and DB user accounts. |

NetAct™ 22 © 2021 Nokia. Nokia Confidential Information 26


Final Use subject to agreed restrictions on disclosure and use.
Administering Users and Permissions DN0992646 4-1 Administering NetAct system users and
password

| System User Id | System User Group | Component | Locked (1) | JAAS (2) | Admin User | Description |
| --- | --- | --- | --- | --- | --- | --- |
| CMHLTTHC | n/a | CM Adaptation | Yes | No | No | Created by NetAct component during installation for its own DB schemas and DB user accounts. |
| CMHMCHW | n/a | CM Adaptation | Yes | No | No | Created by NetAct component during installation for its own DB schemas and DB user accounts. |
| CMHMGH | n/a | CM Adaptation | Yes | No | No | Created by NetAct component during installation for its own DB schemas and DB user accounts. |
| CMHMGW | n/a | CM Adaptation | Yes | No | No | Created by NetAct component during installation for its own DB schemas and DB user accounts. |
| CMHMPL | n/a | CM Adaptation | Yes | No | No | Created by NetAct component during installation for its own DB schemas and DB user accounts. |
| CMHMR | n/a | CM Adaptation | Yes | No | No | Created by NetAct component during installation for its own DB schemas and DB user accounts. |
| CMHMRC | n/a | CM Adaptation | Yes | No | No | Created by NetAct component during installation for its own DB schemas and DB user accounts. |
| CMHMRCP | n/a | CM Adaptation | Yes | No | No | Created by NetAct component during installation for its own DB schemas and DB user accounts. |
| CMHMRS | n/a | CM Adaptation | Yes | No | No | Created by NetAct component during installation for its own DB schemas and DB user accounts. |
| CMHMSH | n/a | CM Adaptation | Yes | No | No | Created by NetAct component during installation for its own DB schemas and DB user accounts. |
| CMHMSS | n/a | CM Adaptation | Yes | No | No | Created by NetAct component during installation for its own DB schemas and DB user accounts. |
| CMHN3A | n/a | CM Adaptation | Yes | No | No | Created by NetAct component during installation for its own DB schemas and DB user accounts. |
| CMHNDA | n/a | CM Adaptation | Yes | No | No | Created by NetAct component during installation for its own DB schemas and DB user accounts. |
| CMHNDB | n/a | CM Adaptation | Yes | No | No | Created by NetAct component during installation for its own DB schemas and DB user accounts. |
| CMHNDN | n/a | CM Adaptation | Yes | No | No | Created by NetAct component during installation for its own DB schemas and DB user accounts. |
| CMHNDP | n/a | CM Adaptation | Yes | No | No | Created by NetAct component during installation for its own DB schemas and DB user accounts. |
| CMHNFM | n/a | CM Adaptation | Yes | No | No | Created by NetAct component during installation for its own DB schemas and DB user accounts. |
| CMHNGNHW | | | | | | |
| CMHNHW | n/a | CM Adaptation | Yes | No | No | Created by NetAct component during installation for its own DB schemas and DB user accounts. |
| CMHNSG | n/a | CM Adaptation | Yes | No | No | Created by NetAct component during installation for its own DB schemas and DB user accounts. |
| CMHNTAS | n/a | CM Adaptation | Yes | No | No | Created by NetAct component during installation for its own DB schemas and DB user accounts. |
| CMHOGH | n/a | CM Adaptation | Yes | No | No | Created by NetAct component during installation for its own DB schemas and DB user accounts. |
| CMHOGW | n/a | CM Adaptation | Yes | No | No | Created by NetAct component during installation for its own DB schemas and DB user accounts. |
| CMHOMC | n/a | CM Adaptation | Yes | No | No | Created by NetAct component during installation for its own DB schemas and DB user accounts. |
| CMHOPF | n/a | CM Adaptation | Yes | No | No | Created by NetAct component during installation for its own DB schemas and DB user accounts. |
| CMHPCC | n/a | CM Adaptation | Yes | No | No | Created by NetAct component during installation for its own DB schemas and DB user accounts. |
| CMHPCL | n/a | CM Adaptation | Yes | No | No | Created by NetAct component during installation for its own DB schemas and DB user accounts. |
| CMHPF | n/a | CM Adaptation | Yes | No | No | Created by NetAct component during installation for its own DB schemas and DB user accounts. |
| CMHPGD | n/a | CM Adaptation | Yes | No | No | Created by NetAct component during installation for its own DB schemas and DB user accounts. |
| CMHPNP | n/a | CM Adaptation | Yes | No | No | Created by NetAct component during installation for its own DB schemas and DB user accounts. |
| CMHPSG | n/a | CM Adaptation | Yes | No | No | Created by NetAct component during installation for its own DB schemas and DB user accounts. |
| CMHRACS | n/a | CM Adaptation | Yes | No | No | Created by NetAct component during installation for its own DB schemas and DB user accounts. |
| CMHRCU | n/a | CM Adaptation | Yes | No | No | Created by NetAct component during installation for its own DB schemas and DB user accounts. |
| CMHRDA | n/a | CM Adaptation | Yes | No | No | Created by NetAct component during installation for its own DB schemas and DB user accounts. |
| CMHREP | n/a | CM Adaptation | Yes | No | No | Schema used for storing Configuration Management history topology related data. |
| CMHRNC | n/a | CM Adaptation | Yes | No | No | Created by NetAct component during installation for its own DB schemas and DB user accounts. |
| CMHRNCP | n/a | CM Adaptation | Yes | No | No | Created by NetAct component during installation for its own DB schemas and DB user accounts. |
| CMHRPO | n/a | CM Adaptation | Yes | No | No | Created by NetAct component during installation for its own DB schemas and DB user accounts. |
| CMHSBTS | n/a | CM Adaptation | Yes | No | No | Created by NetAct component during installation for its own DB schemas and DB user accounts. |
| CMHSBTSHW | n/a | CM Adaptation | Yes | No | No | Created by NetAct component during installation for its own DB schemas and DB user accounts. |
| CMHSGH | n/a | CM Adaptation | Yes | No | No | Created by NetAct component during installation for its own DB schemas and DB user accounts. |
| CMHSGS | n/a | CM Adaptation | Yes | No | No | Created by NetAct component during installation for its own DB schemas and DB user accounts. |
| CMHSMM | n/a | CM Adaptation | Yes | No | No | Created by NetAct component during installation for its own DB schemas and DB user accounts. |
| CMHSMMHW | n/a | CM Adaptation | Yes | No | No | Created by NetAct component during installation for its own DB schemas and DB user accounts. |
| CMHSR | n/a | CM Adaptation | Yes | No | No | Created by NetAct component during installation for its own DB schemas and DB user accounts. |
| CMHSRE | n/a | CM Adaptation | Yes | No | No | Created by NetAct component during installation for its own DB schemas and DB user accounts. |
| CMHSRER | n/a | CM Adaptation | Yes | No | No | Created by NetAct component during installation for its own DB schemas and DB user accounts. |
| CMHSRG | n/a | CM Adaptation | Yes | No | No | Created by NetAct component during installation for its own DB schemas and DB user accounts. |
| CMHSRHW | n/a | CM Adaptation | Yes | No | No | Created by NetAct component during installation for its own DB schemas and DB user accounts. |
| CMHSRIU | n/a | CM Adaptation | Yes | No | No | Created by NetAct component during installation for its own DB schemas and DB user accounts. |
| CMHSRM | n/a | CM Adaptation | Yes | No | No | Created by NetAct component during installation for its own DB schemas and DB user accounts. |
| CMHSRT | n/a | CM Adaptation | Yes | No | No | Created by NetAct component during installation for its own DB schemas and DB user accounts. |
| CMHSRW | n/a | CM Adaptation | Yes | No | No | Created by NetAct component during installation for its own DB schemas and DB user accounts. |
| CMHSUH | n/a | CM Adaptation | Yes | No | No | Created by NetAct component during installation for its own DB schemas and DB user accounts. |
| CMHTAH | n/a | CM Adaptation | Yes | No | No | Created by NetAct component during installation for its own DB schemas and DB user accounts. |
| CMHTAS | n/a | CM Adaptation | Yes | No | No | Created by NetAct component during installation for its own DB schemas and DB user accounts. |
| CMHTIA | n/a | CM Adaptation | Yes | No | No | Created by NetAct component during installation for its own DB schemas and DB user accounts. |
| CMHTIC | n/a | CM Adaptation | Yes | No | No | Created by NetAct component during installation for its own DB schemas and DB user accounts. |
| CMHTII | n/a | CM Adaptation | Yes | No | No | Created by NetAct component during installation for its own DB schemas and DB user accounts. |
| CMHTIM | n/a | CM Adaptation | Yes | No | No | Created by NetAct component during installation for its own DB schemas and DB user accounts. |
| CMHTLC | n/a | CM Adaptation | Yes | No | No | Created by NetAct component during installation for its own DB schemas and DB user accounts. |
| CMHUHC | n/a | CM Adaptation | Yes | No | No | Created by NetAct component during installation for its own DB schemas and DB user accounts. |
| CMHUHI | n/a | CM Adaptation | Yes | No | No | Created by NetAct component during installation for its own DB schemas and DB user accounts. |
| CMHUHS | n/a | CM Adaptation | Yes | No | No | Created by NetAct component during installation for its own DB schemas and DB user accounts. |
| CMHUHW | n/a | CM Adaptation | Yes | No | No | Created by NetAct component during installation for its own DB schemas and DB user accounts. |
| CMHV2G | n/a | CM Adaptation | Yes | No | No | Created by NetAct component during installation for its own DB schemas and DB user accounts. |
| CMHV3G | n/a | CM Adaptation | Yes | No | No | Created by NetAct component during installation for its own DB schemas and DB user accounts. |
| CMHVDU | n/a | CM Adaptation | Yes | No | No | Created by NetAct component during installation for its own DB schemas and DB user accounts. |
| CMHVEX | n/a | CM Adaptation | Yes | No | No | Created by NetAct component during installation for its own DB schemas and DB user accounts. |
| CMHVHSC | n/a | CM Adaptation | Yes | No | No | Created by NetAct component during installation for its own DB schemas and DB user accounts. |
| CMHVHSI | n/a | CM Adaptation | Yes | No | No | Created by NetAct component during installation for its own DB schemas and DB user accounts. |
| CMHVHSS | n/a | CM Adaptation | Yes | No | No | Created by NetAct component during installation for its own DB schemas and DB user accounts. |
| CMHVLT | n/a | CM Adaptation | Yes | No | No | Created by NetAct component during installation for its own DB schemas and DB user accounts. |
| CMHVSLB | n/a | CM Adaptation | Yes | No | No | Created by NetAct component during installation for its own DB schemas and DB user accounts. |
| CMHVTE | n/a | CM Adaptation | Yes | No | No | Created by NetAct component during installation for its own DB schemas and DB user accounts. |
| CMHWIFI | n/a | CM Adaptation | Yes | No | No | Created by NetAct component during installation for its own DB schemas and DB user accounts. |
| CMPOLMGR | n/a | CM Adaptation | Yes | No | No | Created by NetAct component during installation for its own DB schemas and DB user accounts. |
| CMREPO | n/a | d3btool | Yes | No | No | Created by Dynamic Adaptation. |
| CMREPORAW | n/a | d3btool | Yes | No | No | Created by Dynamic Adaptation. |
| COMMODEL | n/a | Adaptation Manager | Yes | No | No | Created by Adaptation Manager during installation for its own DB schemas. |
| COMMON_MEDIATIONS | n/a | Mediation Framework | Yes | No | No | Created by MF during installation for its own DB schemas and DB user accounts. |
| CSCACH | n/a | NetAct PM | Yes | No | No | Created by Core Platform (COP) during installation for its own DB schemas. |
| CTXSYS | n/a | | Yes | No | No | Oracle default user created for Oracle Text management. It is used for linguistic analysis on documents and for searching text using various strategies. NetAct expires and locks the account. |
| D3BSQL | n/a | | Yes | No | No | Schema user used internally by the d3bv2 tool. |
| DBPM | n/a | NetAct PM | Yes | No | No | Created by Database Partitioning Management during installation for its own DB schemas. |
| DBSNMP | n/a | | Yes | No | No | Locked by default. The account used by the Management Agent component of Oracle Enterprise Manager to monitor and manage the database. Unlocked when Oracle Enterprise Manager is enabled and locked when it is disabled. |
| DES | n/a | | Yes | No | No | Schema used for storing data related to Defra (Workspace setting of monitor). |
| DIP | n/a | | Yes | No | No | Oracle default user. Generic user account DIP for processing events propagated by DIP. This account would be used by all applications using the DIP provisioning service when connecting to the database. NetAct expires and locks the account. |
| DVF | n/a | | Yes | No | No | Oracle default user; contains public functions to retrieve (at run time) the factor values set in the Oracle Database Vault access control configuration. |
| DVSYS | n/a | | Yes | No | No | Oracle default user which stores the database objects needed to process Oracle data for Oracle Database Vault. |
| DYNMED | n/a | | Yes | No | No | Schema user created by dynamic adaptation. |
| EJBTIMERCM | | | Yes | Yes | No | EJB Timer service for CM cluster of WebSphere. Configured datasource in WebSphere has alias: ium_jaas_ejbtimercm |
| EJBTIMERFM | n/a | WebSphere | No | Yes | No | EJB Timer service for FM cluster of WebSphere. Configured datasource in WebSphere has alias: ium_jaas_ejbtimerfm |
| EJBTIMERINTG | n/a | WebSphere | No | Yes | No | EJB Timer service for INTG cluster of WebSphere. Configured datasource in WebSphere has alias: ium_jaas_ejbtimerintg |
| EJBTIMERITSM | n/a | WebSphere | No | Yes | No | EJB Timer service for ITSM cluster of WebSphere. Configured datasource in WebSphere has alias: ium_jaas_ejbtimeritsm |
| EJBTIMERPM | n/a | WebSphere | No | Yes | No | EJB Timer service for PM cluster of WebSphere. Configured datasource in WebSphere has alias: ium_jaas_ejbtimerpm |
| EJBTIMERSOL | n/a | WebSphere | No | No | No | EJB Timer service for SOL cluster of WebSphere. |
| EJBTIMERSYS | n/a | WebSphere | No | Yes | No | EJB Timer service for SYS cluster of WebSphere. Configured datasource in WebSphere has alias: ium_jaas_ejbtimersys |
| ERL | n/a | NetAct PM | Yes | No | No | Created by Erlang B during installation for its own DB schemas. |
| ETRDXT | n/a | | Yes | No | No | Schema created as part of Tetra NE deployment. Used for storing aggregation data. |
| ETRDXTRAW | n/a | | Yes | No | No | Schema created as part of Tetra NE deployment. Used for storing raw data. |
| FM | n/a | FM | Yes | No | No | Schema used for storing data related to Fault Management metadata, alarms and GEP rules. |
| FMGUI | n/a | FM | Yes | No | No | Schema used for storing data related to FM monitor (views, CMUI metadata information). |
| FMSNMPMODEL | n/a | SNMP Mediation | Yes | No | No | Created by NetAct component during installation for its own DB schemas and DB user accounts. |
| FNSMED | n/a | Mediation | Yes | No | No | Created by NetAct component during installation for its own DB schemas and DB user accounts. |
| GENERIC-MEDIATIONS | n/a | Mediation | Yes | No | No | Created by NetAct component during installation for its own DB schemas and DB user accounts. |
| GENMED | n/a | Mediation | Yes | No | No | Created by NetAct component during installation for its own DB schemas and DB user accounts. |
| GSMADMIN_INTERNAL | n/a | | Yes | No | No | Schema used for storing data related to global service manager. Locked and expired by default. |
| GSMCATUSER | n/a | | Yes | No | No | Schema used for storing data related to global service manager. Locked and expired by default. |
| rda | n/a | Many components | No | Yes | No | Created by NetAct component during installation for its own DB schemas and DB user accounts. Used for read-only access to NetAct data. Configured datasource in WebSphere has alias: ium_jaas_rda |
| GSMUSER | n/a | | Yes | No | No | Schema used for storing data related to global service manager. Locked and expired by default. |
| HPSIM | n/a | HPSIM service | No | No | No | This schema is for the HPESIM application. It is used for collecting HW alarm information. |
| IBLDNS | n/a | PM Adapt | Yes | No | No | Schema created as part of Infoblox DNS DHCP adaptation deployment. Used for storing aggregation data. |
| IBLDNSRAW | n/a | PM Adapt | Yes | No | No | Schema created as part of Infoblox DNS DHCP adaptation deployment. Used for storing raw data. |
| ICDCMD | n/a | PM Adapt | Yes | No | No | Schema created as part of Charge At Once Mediate adaptation deployment. Used for storing aggregation data. |
| ICDCMDRAW | n/a | PM Adapt | Yes | No | No | Schema created as part of Charge At Once Mediate adaptation deployment. Used for storing raw data. |
| ICDIPP | n/a | PM Adapt | Yes | No | No | Schema created as part of Serve Advance Activation Manager adaptation deployment. Used for storing aggregation data. |
| ICDIPPRAW | n/a | PM Adapt | Yes | No | No | Schema created as part of Serve Advance Activation Manager adaptation deployment. Used for storing raw data. |
| ICF | n/a | P | Yes | No | No | Schema used for storing registration data for Mediator Dispatcher and Notification Dispatcher. Configured datasource in WebSphere has alias: icfAlias |
| IMSBNG | n/a | d3btool | Yes | No | No | Schema created as part of dynamic adaptation upgrade to IMS BNG Load Balance 11.0. Used for storing aggregation data. |
| IMSBNGRAW | n/a | d3btool | Yes | No | No | Schema created as part of dynamic adaptation upgrade to IMS BNG Load Balance 11.0. Used for storing raw data. |
| IMSCSF | n/a | d3btool | Yes | No | No | Schema created as part of dynamic adaptation upgrade to IMS Call Session Control Function 11.0. Used for storing aggregation data. |
| IMSCSFRAW | n/a | d3btool | Yes | No | No | Schema created as part of dynamic adaptation upgrade to IMS Call Session Control Function 11.0. Used for storing raw data. |
| IMSDRA | n/a | d3btool | Yes | No | No | Schema created as part of Diameter Routing Agent dynamic adaptation deployment. Used for storing aggregation data. |
| IMSDRARAW | n/a | d3btool | Yes | No | No | Schema created as part of Diameter Routing Agent dynamic adaptation deployment. Used for storing raw data. |
| IMSHSS | n/a | d3btool | Yes | No | No | Schema created as part of dynamic adaptation upgrade to IMS Home Subscriber Server Front End 11.0. Used for storing aggregation data. |
| IMSHSSRAW | n/a | d3btool | Yes | No | No | Schema created as part of dynamic adaptation upgrade to IMS Home Subscriber Server Front End 11.0. Used for storing raw data. |
| IMSOAM | n/a | d3btool | Yes | No | No | Created by Dynamic Adaptation. |
| IMSOAMRAW | n/a | d3btool | Yes | No | No | Created by Dynamic Adaptation. |
| IMSTIA | n/a | d3btool | Yes | No | No | Schema created as part of dynamic adaptation upgrade to IMS TSP Installation, Admin and Management Server 11.0. Used for storing aggregation data. |
| IMSTIARAW | n/a | d3btool | Yes | No | No | Schema created as part of dynamic adaptation upgrade to IMS TSP Installation, Admin and Management Server 11.0. Used for storing raw data. |
| ISDK | n/a | ISDK | Yes | No | No | Created by ISDK during installation for its own DB schemas and DB user accounts. |
| JMBCOM | n/a | PM Adapt | Yes | No | No | Schema created as part of Juniper Network Element adaptation deployment. Used for storing aggregation data. |
| JMBCOMRAW | n/a | PM Adapt | Yes | No | No | Schema created as part of Juniper Network Element adaptation deployment. Used for storing raw data. |
| LACAFM | n/a | PM Adapt | Yes | No | No | Schema created as part of AFM Network Element adaptation deployment. Used for storing aggregation data. |
| LACAFMRAW | n/a | PM Adapt | Yes | No | No | Schema created as part of AFM Network Element adaptation deployment. Used for storing raw data. |
| LACCOD | n/a | PM Adapt | Yes | No | No | Schema created as part of RACS-CODS Network Element adaptation deployment. Used for storing aggregation data. |
| LACCODRAW | n/a | PM Adapt | Yes | No | No | Schema created as part of RACS-CODS Network Element adaptation deployment. Used for storing raw data. |
| LACRCC | n/a | PM Adapt | Yes | No | No | Schema created as part of RACS-C Network Element adaptation deployment. Used for storing aggregation data. |
| LACRCCRAW | n/a | PM Adapt | Yes | No | No | Schema created as part of RACS-C Network Element adaptation deployment. Used for storing raw data. |
| LACRCT | n/a | PM Adapt | Yes | No | No | Schema created as part of RACS-T Network Element adaptation deployment. Used for storing aggregation data. |
| LACRCTRAW | n/a | PM Adapt | Yes | No | No | Schema created as part of RACS-T Network Element adaptation deployment. Used for storing raw data. |
| LBACSYS | | | Yes | No | No | Oracle Label Security default user, which has the privileges to manage Oracle Label Security administration. By default, LBACSYS is created as a locked account with its password expired. |
| LIC | n/a | License Manager | Yes | No | No | Schema used by the License Manager application for storing information about license distribution in the network and other application-specific data. |
| LICENSE | n/a | OSSMW Licensing | Yes | No | No | Schema used for storing the data about all LKs installed to NetAct. |
| LTEA | | | Yes | No | No | Created by NetAct component during installation for its own DB schemas and DB user accounts. |
| MADBRS | n/a | PM Adapt | Yes | No | No | Schema created as part of Backup and Restore Server adaptation deployment. Used for storing aggregation data. |
| MADBRSRAW | n/a | PM Adapt | Yes | No | No | Schema created as part of Backup and Restore Server adaptation deployment. Used for storing raw data. |
| MADNHR | n/a | PM Adapt | Yes | No | No | Schema created as part of New technology Home Location Register adaptation deployment. Used for storing aggregation data. |
| MADNHRRAW | n/a | PM Adapt | Yes | No | No | Schema created as part of New technology Home Location Register adaptation deployment. Used for storing raw data. |
| MADNTM | n/a | PM Adapt | Yes | No | No | Schema created as part of Serve atOnce Device Manager adaptation deployment. Used for storing aggregation data. |
| MADNTMRAW | n/a | PM Adapt | Yes | No | No | Schema created as part of Serve atOnce Device Manager adaptation deployment. Used for storing raw data. |
| MADODC | n/a | PM Adapt | Yes | No | No | Schema created as part of One NDS adaptation deployment. Used for storing aggregation data. |
| MADODCRAW | n/a | PM Adapt | Yes | No | No | Schema created as part of One NDS adaptation deployment. Used for storing raw data. |
| MADPKA | n/a | PM Adapt | Yes | No | No | Schema created as part of PKI INSTA Network Element adaptation deployment. Used for storing aggregation data. |
| MADPKARAW | n/a | PM Adapt | Yes | No | No | Schema created as part of PKI INSTA Network Element adaptation deployment. Used for storing raw data. |
| MDDATA | n/a | | Yes | No | No | Oracle default user. The schema used by Oracle Spatial for storing Geocoder and router data. NetAct expires and locks the account. |
| MDSYS | n/a | | Yes | No | No | Oracle default user. The Oracle Spatial and Oracle interMedia Locator administrator account. NetAct expires and locks the account. |
| MF_COMMON | n/a | | Yes | No | No | Created by NetAct component during installation for its own DB schemas and DB user accounts. |
| MOVMMS | n/a | PM Adapt | Yes | No | No | Schema created as part of Movius Moreon6000 Media Server adaptation deployment. Used for storing aggregation data. |
| MOVMMSRAW | n/a | PM Adapt | Yes | No | No | Schema created as part of Movius Moreon6000 Media Server adaptation deployment. Used for storing raw data. |
| MPF | n/a | NetAct PM | Yes | No | No | Schema used for storing CertGen certification authority details to manage certificates. |
| MWSCOMSCHED | n/a | Scheduler | Yes | No | No | Schema used for storing lock information for the EJB Scheduler. |
| MWSQUARTZSCHED | n/a | Quartz Scheduler | Yes | No | No | Schema used for storing scheduled job data for applications which use the Quartz Scheduler. |
| NASDA | n/a | NASDA | Yes | No | No | Schema used for storing NetAct System Data. |
| NBI3GC | n/a | 3GPP FM NBI, 3GPP PM NBI | Yes | No | No | Created by Mediation Framework when mediation is deployed. During normal operation this account is not used by NBI directly, but the JBossCache uses it. |
| NBI3GCPM | n/a | 3GPP PM NBI | Yes | No | No | Created by Mediation Framework when mediation is deployed. During normal operation this account is not used by NBI directly, but the JBossCache uses it. |
| NBISNMP | n/a | SNMP FM NBI | Yes | No | No | Created by Mediation Framework when mediation is deployed. During normal operation this account is not used by NBI directly, but the JBossCache uses it. |
| NDSADM | n/a | PM Adapt | Yes | No | No | The user is created only after dynamic adaptation. |
| NDSADMRAW | n/a | PM Adapt | Yes | No | No | The user is created only after dynamic adaptation. |
| NDSBDS | n/a | PM Adapt | Yes | No | No | The user is created only after dynamic adaptation. |
| NDSBDSRAW | n/a | PM Adapt | Yes | No | No | The user is created only after dynamic adaptation. |
| NDSPDS | n/a | PM Adapt | Yes | No | No | The user is created only after dynamic adaptation. |
| NDSPDSRAW | n/a | PM Adapt | Yes | No | No | The user is created only after dynamic adaptation. |
| NDSPGW | n/a | PM Adapt | Yes | No | No | The user is created only after dynamic adaptation. |
| NDSPGWRAW | n/a | PM Adapt | Yes | No | No | The user is created only after dynamic adaptation. |
| NDSRDS | n/a | PM Adapt | Yes | No | No | The user is created only after dynamic adaptation. |
| NDSRDSRAW | n/a | PM Adapt | Yes | No | No | The user is created only after dynamic adaptation. |
| NE3SFM | n/a | NE3S FM Mediation | Yes | No | No | Created by NetAct component during installation for its own DB schemas and DB user accounts. |
| NE3SPM | n/a | NE3S PM Mediation | Yes | No | No | Created by NetAct component during installation for its own DB schemas and DB user accounts. |
| NE3SWS | n/a | NE3SWS Mediation | Yes | No | No | Created by NetAct component during installation for its own DB schemas and DB user accounts. |
| NE3SWS_DYNAMICADAPTATION | n/a | NE3SWS Mediation | Yes | No | No | Created by NetAct component during installation for its own DB schemas and DB user accounts. |
| NEAC | n/a | NEAC | Yes | No | No | Schema used to service user-related data. |
| NECERT | n/a | | Yes | No | No | Schema used for storing certificate management operations performed on Network Elements. |
| NEIW | n/a | NEIW | Yes | No | No | Schema used for storing data related to the NEIW application. |
| NOKACS | n/a | PM Adapt | Yes | No | No | Schema created as part of RACS Network Element adaptation deployment. Used for storing aggregation data. |
| NOKACSRAW | n/a | PM Adapt | Yes | No | No | Schema created as part of RACS Network Element adaptation deployment. Used for storing raw data. |
| NOKAXC | n/a | PM Adapt | Yes | No | No | Schema created as part of ATM Cross Connect adaptation deployment. Used for storing aggregation data. |
| NOKAXCRAW | n/a | PM Adapt | Yes | No | No | Schema created as part of ATM Cross Connect adaptation deployment. Used for storing raw data. |
| NOKBCU | n/a | PM Adapt | Yes | No | No | Schema created as part of BCU3 adaptation deployment. Used for storing aggregation data. |
| NOKBCURAW | n/a | PM Adapt | Yes | No | No | Schema created as part of BCU3 adaptation deployment. Used for storing raw data. |
| NOKBSC | n/a | PM Adapt | Yes | No | No | Schema used for storing GSM (BSC) PM aggregation data. |
| NOKBSCRAW | n/a | PM Adapt | Yes | No | No | Schema used for storing GSM (BSC) PM raw data. |
| NOKBSR | n/a | PM Adapt | Yes | No | No | Schema used for storing GSM Railway (BSC) PM aggregation data. |
| NOKBSRRAW | n/a | PM Adapt | Yes | No | No | Schema used for storing GSM Railway (BSC) PM raw data. |
| NOKCAM | n/a | PM Adapt | Yes | No | No | Schema created as part of Cloud application adaptation deployment. Used for storing aggregation data. |
| NOKCAMRAW | n/a | PM Adapt | Yes | No | No | Schema created as part of Cloud application adaptation deployment. Used for storing raw data. |
| NOKCFZ | n/a | PM Adapt | Yes | No | No | Created by PM Adaptation during installation for its own DB schemas and DB user accounts. |
| NOKCFZRAW | n/a | PM Adapt | Yes | No | No | Created by PM Adaptation during installation for its own DB schemas and DB user accounts. |
| NOKDXA | n/a | PM Adapt | Yes | No | No | Schema created as part of DX HLR adaptation deployment. Used for storing aggregation data. Note: the user is unavailable in a scratch-installed NetAct. |
| NOKDXARAW | n/a | PM Adapt | Yes | No | No | Schema created as part of DX HLR adaptation deployment. Used for storing raw data. Note: the user is unavailable in a scratch-installed NetAct. |
| NOKEUM | n/a | PM Adapt | Yes | No | No | The user is created only after dynamic adaptation. |
| NOKEUMRAW | n/a | PM Adapt | Yes | No | No | The user is created only after dynamic adaptation. |
| NOKFTO | n/a | PM Adapt | Yes | No | No | Schema created as part of Femto Gateway adaptation deployment. Used for storing aggregation data. |
| NOKFTORAW | n/a | PM Adapt | Yes | No | No | Schema created as part of Femto Gateway adaptation deployment. Used for storing raw data. |
| NOKFZC | n/a | PM Adapt | Yes | No | No | Schema created as part of Flexi Zone Controller platform deployment. Used for storing aggregation data. |
| NOKFZCRAW | n/a | PM Adapt | Yes | No | No | Schema created as part of Flexi Zone Controller platform deployment. Used for storing raw data. |
| NOKIUM | n/a | PM Adapt | Yes | No | No | Schema created as part of Intelligent Number Mapping adaptation deployment. Used for storing aggregation data. |
| NOKIUMRAW | n/a | PM Adapt | Yes | No | No | Schema created as part of Intelligent Number Mapping adaptation deployment. Used for storing raw data. |
| NOKIWW | n/a | PM Adapt | Yes | No | No | Schema created as part of Flexi Direct BTS/RNC adaptation deployment. Used for storing aggregation data. |
| NOKIWWRAW | n/a | PM Adapt | Yes | No | No | Schema created as part of Flexi Direct BTS/RNC adaptation deployment. Used for storing raw data. |
| NOKKCC | n/a | PM Adapt | Yes | No | No | Created by PM Adaptation during installation for its own DB schemas and DB user accounts. |
| NOKKCCRAW | n/a | PM Adapt | Yes | No | No | Created by PM Adaptation during installation for its own DB schemas and DB user accounts. |
| NOKLAS | n/a | PM Adapt | Yes | No | No | Created by PM Adaptation during installation for its own DB schemas and DB user accounts. |
| NOKLASRAW | n/a | PM Adapt | Yes | No | No | Created by PM Adaptation during installation for its own DB schemas and DB user accounts. |
| NOKLTE | n/a | PM Adapt | Yes | No | No | Schema created as part of LTE Base Station adaptation deployment. Used for storing aggregation data. |
| NOKLTERAW | n/a | PM Adapt | Yes | No | No | Schema created as part of LTE Base Station adaptation deployment. Used for storing raw data. |
| NOKMWW | n/a | PM Adapt | Yes | No | No | Schema created as part of Multimedia Gateway adaptation deployment. Used for storing aggregation data. |
| NOKMWWRAW | n/a | PM Adapt | Yes | No | No | Schema created as part of Multimedia Gateway adaptation deployment. Used for storing raw data. |
| NOKOBW | n/a | PM Adapt | Yes | No | No | Schema created as part of Open Border Gateway adaptation deployment. Used for storing aggregation data. |
| NOKOBWRAW | n/a | PM Adapt | Yes | No | No | Schema created as part of Open Border Gateway adaptation deployment. Used for storing raw data. |
| NOKOMW | n/a | PM Adapt | Yes | No | No | Schema created as part of Open Multimedia Gateway adaptation deployment. Used for storing aggregation data. |
| NOKOMWRAW | n/a | PM Adapt | Yes | No | No | Schema created as part of Open Multimedia Gateway adaptation deployment. Used for storing raw data. |
| NOKRWW | n/a | PM Adapt | Yes | No | No | Schema created as part of WCDMA Base Station/RNC adaptation deployment. Used for storing aggregation data. |
NOKRWWRAW | n/a | PM Adapt | Yes | No | No | Schema created as part of WCDMA Base Station/RNC adaptation deployment. Used for storing raw data.
NOKSAU | n/a | PM Adapt | Yes | No | No | Schema created as part of Simultaneous Active Users counter for MSS/TAS adaptation deployment. Used for storing aggregation data.
NOKSAURAW | n/a | PM Adapt | Yes | No | No | Schema created as part of Simultaneous Active Users counter for MSS/TAS adaptation deployment. Used for storing raw data.
NOKSEE | n/a | PM Adapt | Yes | No | No | Schema created as part of OpenTAS Service execution environment deployment. Used for storing aggregation data.
NOKSEERAW | n/a | PM Adapt | Yes | No | No | Schema created as part of OpenTAS Service execution environment deployment. Used for storing raw data.
NOKSRN | n/a | PM Adapt | Yes | No | No | Schema created as part of Single RAN Base Transceiver Station deployment. Used for storing aggregation data.
NOKSRNRAW | n/a | PM Adapt | Yes | No | No | Schema created as part of Single RAN Base Transceiver Station deployment. Used for storing raw data.
NOKTAS | n/a | PM Adapt | Yes | No | No | Schema created as part of Telecom Application Server adaptation deployment. Used for storing aggregation data.
NOKTASRAW | n/a | PM Adapt | Yes | No | No | Schema created as part of Telecom Application Server adaptation deployment. Used for storing raw data.
NSISGW | n/a | PM Adapt | Yes | No | No | The user is created only after dynamic adaptation.
NSISGWRAW | n/a | PM Adapt | Yes | No | No | The user is created only after dynamic adaptation.
NTCAPP | n/a | | Yes | No | No | Schema user created for storing data relevant to NTCAPP.
NWI3 | n/a | | Yes | No | No | Schema user created for storing data relevant to NWI3 mediation.
NWI3MED | n/a | NWI3 South bound mediation | Yes | No | No | NWI3 DB schema owner. NWI3 mediation uses the nwi3med Oracle user for the NWI3 DB tables.
NX2S | n/a | | Yes | No | No | Schema user created for storing data relevant to NX2S mediation.
OBJREG | n/a | NASDA | Yes | No | No | Object Registry.
OJVMSYS | n/a | | Yes | No | No | Oracle default user. Locked and expired by default.
OLAPSYS | n/a | | Yes | No | No | Oracle default user. Locked and expired by default. Account that owns the OLAP Catalog.
OMC | n/a | many components | No | Yes | Yes | This is the NetAct Oracle standard user. Configured datasource in WebSphere has alias: ium_jaas_omc
ONEAAA | n/a | PM Adapt | Yes | No | No | The user is created only after dynamic adaptation.
ONEAAARAW | n/a | PM Adapt | Yes | No | No | The user is created only after dynamic adaptation.
ORACLE | n/a | | No | No | Yes | Used by the platform for passwordless authentication. Uses the OS-based authentication mechanism.
ORACLE_OCM | n/a | | Yes | No | No | Oracle default user: NetAct expires and locks the account. This account contains the instrumentation for configuration collection used by the Oracle Configuration Manager.
ORDDATA | n/a | | Yes | No | No | Oracle default user: NetAct expires and locks the account. Account that contains the Oracle Multimedia DICOM data model.
ORDPLUGINS | n/a | | Yes | No | No | Oracle default user: NetAct expires and locks the account. Oracle Multimedia user: plug-ins supplied by Oracle and third-party format plug-ins are installed in this schema.
ORDSYS | n/a | | Yes | No | No | Oracle default user: NetAct expires and locks the account. Oracle Multimedia administrator account.
OSSSYS | n/a | | Yes | No | No | Oracle account used for J2EE applications: database administrator.
OUTLN | n/a | | Yes | No | No | Oracle default user: NetAct expires and locks the account. The account that supports plan stability. Plan stability prevents certain database environment changes from affecting the performance characteristics of applications by preserving execution plans in stored outlines. OUTLN acts as a role to centrally manage the metadata associated with stored outlines.
OWBSYS | n/a | | Yes | No | No | Oracle default user: NetAct expires and locks the account. Account for administrating the Oracle Warehouse Builder repository.
OWBSYS_AUDIT | n/a | | Yes | No | No | Expired and locked by default. This account is used by the Warehouse Builder Control Center Agent to access the heterogeneous execution audit tables in the OWBSYS schema.
PCOFNG | n/a | PM Adapt | Yes | No | No | Schema created as part of Flexi Network Gateway adaptation. Used for storing aggregation data.
PCOFNGRAW | n/a | PM Adapt | Yes | No | No | Schema created as part of Flexi Network Gateway adaptation. Used for storing raw data.
PCOFNS | n/a | PM Adapt | Yes | No | No | Schema created as part of Flexi Network Server adaptation. Used for storing aggregation data.
PCOFNSRAW | n/a | PM Adapt | Yes | No | No | Schema created as part of Flexi Network Server adaptation. Used for storing raw data.
PCOGGN | n/a | PM Adapt | Yes | No | No | Schema created as part of Gateway GPRS Support Node adaptation. Used for storing aggregation data.
PCOGGNRAW | n/a | PM Adapt | Yes | No | No | Schema created as part of Gateway GPRS Support Node adaptation. Used for storing raw data.
PCOLIB | n/a | PM Adapt | Yes | No | No | Schema created as part of Lawful Interception adaptation deployment. Used for storing aggregation data.
PCOLIBRAW | n/a | PM Adapt | Yes | No | No | Schema created as part of Lawful Interception adaptation deployment. Used for storing raw data.
PCOLIC | n/a | PM Adapt | Yes | No | No | Schema created as part of Lawful Interception controller adaptation deployment. Used for storing aggregation data.
PCOLICRAW | n/a | PM Adapt | Yes | No | No | Schema created as part of Lawful Interception controller adaptation deployment. Used for storing raw data.
PCOPCN | n/a | PM Adapt | Yes | No | No | Schema created as part of RedKnee Policy control adaptation deployment. Used for storing aggregation data.
PCOPCNRAW | n/a | PM Adapt | Yes | No | No | Schema created as part of RedKnee Policy control adaptation deployment. Used for storing raw data.
PCOPDG | n/a | PM Adapt | Yes | No | No | Schema created as part of Genband Evolved Packet Data Gateway adaptation deployment. Used for storing aggregation data.
PCOPDGRAW | n/a | PM Adapt | Yes | No | No | Schema created as part of Genband Evolved Packet Data Gateway adaptation deployment. Used for storing raw data.
PCOSGN | n/a | PM Adapt | Yes | No | No | Schema created as part of NSN Serving GPRS Support Node adaptation. Used for storing aggregation data.
PCOSGNRAW | n/a | PM Adapt | Yes | No | No | Schema created as part of NSN Serving GPRS Support Node adaptation. Used for storing raw data.
PCOSGS | n/a | PM Adapt | Yes | No | No | Created by PM Adaptation during installation for its own DB schemas and DB user accounts.
PCOSGSRAW | n/a | PM Adapt | Yes | No | No | Created by PM Adaptation during installation for its own DB schemas and DB user accounts.
PEM | n/a | PEM | Yes | No | No | Schema used for storing presentation data of permission-related objects created in NetAct (e.g. Roles).
PM | n/a | NetAct PM | Yes | No | No | Created by NetAct Performance Manager during installation for its own DB schemas and DB user accounts.
PMACCD | n/a | PM Adapt | Yes | No | No | Schema created as part of Accedian Network Element adaptation deployment. Used for storing aggregation data.
PMACCDRAW | n/a | PM Adapt | Yes | No | No | Schema created as part of Accedian Network Element adaptation deployment. Used for storing raw data.
PMASBC | n/a | PM Adapt | Yes | No | No | Schema created as part of Acme Packet SBC adaptation deployment. Used for storing aggregation data.
PMASBCRAW | n/a | PM Adapt | Yes | No | No | Schema created as part of Acme Packet SBC adaptation deployment. Used for storing raw data.
PMFPRB | n/a | PM Adapt | Yes | No | No | Created by NetAct component during installation for its own DB schemas and DB user accounts.
PMFPRBRAW | n/a | PM Adapt | Yes | No | No | Created by NetAct component during installation for its own DB schemas and DB user accounts.
PMKVS | n/a | NetAct PM | Yes | No | No | Schema user created for KPI Value Storage, where calculated KPI values are persistently stored in the DB.
PMLITE | n/a | PM Adapt | Yes | No | No | Schema created as part of Microwave Radio Lite Network Element adaptation deployment. Used for storing aggregation data.
PMLITERAW | n/a | PM Adapt | Yes | No | No | Schema created as part of Microwave Radio Lite Network Element adaptation deployment. Used for storing raw data.
PMR | n/a | NetAct PM | No | Yes | No | Created by NetAct Performance Manager during installation for its own DB schemas and DB user accounts. Configured datasource in WebSphere has alias: ium_jaas_pmr
PMSNMPMODEL | n/a | SNMP Mediation | Yes | No | No | Created by NetAct component during installation for its own DB schemas and DB user accounts.
PMW | n/a | NetAct PM | No | Yes | No | Created by NetAct Performance Manager during installation for its own DB schemas and DB user accounts. Used for read and write access to NetAct data. Configured datasource in WebSphere has alias: ium_jaas_pmw
PM_CMA | n/a | | Yes | No | No | Schema created as part of Connection Master Network Element adaptation deployment. Used for storing aggregation data.
PM_CMARAW | n/a | | Yes | No | No | Schema created as part of Connection Master Network Element adaptation deployment. Used for storing raw data.
PM_FMI | n/a | PM Adapt | Yes | No | No | Schema created as part of First Mile 200i Network Element adaptation deployment. Used for storing aggregation data.
PM_FMIRAW | n/a | PM Adapt | Yes | No | No | Schema created as part of First Mile 200i Network Element adaptation deployment. Used for storing raw data.
PM_MWT | n/a | PM Adapt | Yes | No | No | Schema created as part of Microwave Radio Transport (MWT) Network Element adaptation deployment. Used for storing aggregation data.
PM_MWTRAW | n/a | PM Adapt | Yes | No | No | Schema created as part of Microwave Radio Transport (MWT) Network Element adaptation deployment. Used for storing raw data.
PM_NVA | n/a | PM Adapt | Yes | No | No | Schema created as part of Netviewer Network Element adaptation deployment. Used for storing aggregation data.
PM_NVARAW | n/a | PM Adapt | Yes | No | No | Schema created as part of Netviewer Network Element adaptation deployment. Used for storing raw data.
PM_PHV | n/a | PM Adapt | Yes | No | No | Schema created as part of HighCap Radio NMS (Ceragon) CBBW Network Element adaptation deployment. Used for storing aggregation data.
PM_PHVRAW | n/a | PM Adapt | Yes | No | No | Schema created as part of HighCap Radio NMS (Ceragon) CBBW Network Element adaptation deployment. Used for storing raw data.
PM_SER | n/a | PM Adapt | Yes | No | No | Created by NetAct component during installation for its own DB schemas and DB user accounts.
PM_SERRAW | n/a | PM Adapt | Yes | No | No | Created by NetAct component during installation for its own DB schemas and DB user accounts.
PM_SMM | n/a | PM Adapt | Yes | No | No | Created by NetAct component during installation for its own DB schemas and DB user accounts.
PM_SMMRAW | n/a | PM Adapt | Yes | No | No | Created by NetAct component during installation for its own DB schemas and DB user accounts.
PM_SWI | n/a | PM Adapt | Yes | No | No | Created by NetAct component during installation for its own DB schemas and DB user accounts.
PM_SWIRAW | n/a | PM Adapt | Yes | No | No | Created by NetAct component during installation for its own DB schemas and DB user accounts.
PM_TLA | n/a | PM Adapt | Yes | No | No | Schema created as part of Tellabs Network Element adaptation deployment. Used for storing aggregation data.
PM_TLARAW | n/a | PM Adapt | Yes | No | No | Schema created as part of Tellabs Network Element adaptation deployment. Used for storing raw data.
PM_UER | n/a | PM Adapt | Yes | No | No | Created by NetAct component during installation for its own DB schemas and DB user accounts.
PM_UERRAW | n/a | PM Adapt | Yes | No | No | Created by NetAct component during installation for its own DB schemas and DB user accounts.
PM_WDM | n/a | PM Adapt | Yes | No | No | Created by NetAct component during installation for its own DB schemas and DB user accounts.
PM_WDMRAW | n/a | PM Adapt | Yes | No | No | Created by NetAct component during installation for its own DB schemas and DB user accounts.
PREF | n/a | Preference | Yes | No | No | Schema used for storing preferences data. Configured datasource in WebSphere has alias: prefAlias
PT | n/a | FM | Yes | No | No | Schema used for storing data related to the state and logs of the progress tracker tool used in Monitor.
Q3_COMMON | n/a | Q3/IP South Bound Mediations | Yes | No | No | Created by NetAct component during installation for its own DB schemas and DB user accounts.
Q3_TM | n/a | Q3/IP South Bound Mediations | Yes | No | No | Created by NetAct component during installation for its own DB schemas and DB user accounts.
Q3USER | n/a | Q3/IP South Bound Mediations | Yes | No | No | Created by NetAct component during installation for its own DB schemas and DB user accounts.
RADCMS | n/a | PM Adapt | Yes | No | No | Schema created as part of NetAct CMS 3000/9000 adaptation deployment. Used for storing aggregation data.
RADCMSRAW | n/a | PM Adapt | Yes | No | No | Schema created as part of NetAct CMS 3000/9000 adaptation deployment. Used for storing raw data.
RADMRF | n/a | PM Adapt | Yes | No | No | Created by PM Adaptation during installation for its own DB schemas and DB user accounts.
RADMRFRAW | n/a | PM Adapt | Yes | No | No | Created by PM Adaptation during installation for its own DB schemas and DB user accounts.
RASWPM | n/a | PM Adapt | Yes | No | No | Schema created as part of RACS-Switch Network Element adaptation deployment. Used for storing aggregation data.
RASWPMRAW | n/a | PM Adapt | Yes | No | No | Schema created as part of RACS-Switch Network Element adaptation deployment. Used for storing raw data.
RDR | n/a | NetAct PM | No | No | No | Created by NetAct component during installation for its own DB schemas and DB user accounts. Used for read access to NetAct data.
REPALS | n/a | Thresholder & Profiler | Yes | No | No | Created by T&P during installation for its own DB schemas and DB user accounts.
REPAOA | n/a | NetAct PM | Yes | No | No | Created by NetAct Performance Manager during installation for its own DB schemas and DB user accounts.
REPDAR | n/a | NetAct PM | Yes | No | No | Created by NetAct Performance Manager during installation for its own DB schemas and DB user accounts.
REPOBH | n/a | NetAct PM | Yes | No | No | Created by NetAct Performance Manager during installation for its own DB schemas and DB user accounts.
REPPCO | n/a | PM Adapt | Yes | No | No | Created by PM Adaptation during installation for its own DB schemas and DB user accounts.
REPPCORAW | n/a | PM Adapt | Yes | No | No | Created by PM Adaptation during installation for its own DB schemas and DB user accounts.
REPRHM | n/a | NetAct PM | Yes | No | No | Created by NetAct component during installation for its own DB schemas and DB user accounts.
REPRPE | n/a | NetAct PM | Yes | No | No | Created by NetAct Performance Manager during installation for its own DB schemas and DB user accounts.
REPRPL | n/a | Thresholder & Profiler | Yes | No | No | Created by T&P during installation for its own DB schemas and DB user accounts.
REPSPA | n/a | NetAct PM | Yes | No | No | Created by NetAct Performance Manager during installation for the Reporter adaptation for self-performance aggregation data.
REPSPARAW | n/a | NetAct PM | Yes | No | No | Created by NetAct Performance Manager during installation for the Reporter adaptation for self-performance raw data.
REPSPM | n/a | NetAct PM | Yes | No | No | Created by NetAct Performance Manager during installation for its own DB schemas and DB user accounts.
REPWH | n/a | NetAct PM | Yes | No | No | Created by NetAct Performance Manager during installation for its own DB schemas and DB user accounts.
REPWMR | n/a | NetAct PM | Yes | No | No | Created by NetAct Performance Manager during installation for Topology Editor.
REPWSS | n/a | NetAct PM | Yes | No | No | Created by NetAct Performance Manager during installation for Working Set Synchronizer.
SAMSRV | n/a | PM Adapt | Yes | No | No | The user is created only after dynamic adaptation.
SAMSRVRAW | n/a | PM Adapt | Yes | No | No | The user is created only after dynamic adaptation.
SAUCNT | n/a | SAU South Bound Mediations | Yes | No | No | Created by NetAct component during installation for its own DB schemas and DB user accounts.
SCA | n/a | SCA | Yes | No | No | Schema used for storing token information for users in System Credential Access.
SDMAAA | n/a | PM Adapt | Yes | No | No | The user is created only after dynamic adaptation.
SDMAAARAW | n/a | PM Adapt | Yes | No | No | The user is created only after dynamic adaptation.
SDMBIG | n/a | PM Adapt | Yes | No | No | Schema created as part of BIG-IP product suite adaptation deployment. Used for storing aggregation data.
SDMBIGRAW | n/a | PM Adapt | Yes | No | No | Schema created as part of BIG-IP product suite adaptation deployment. Used for storing raw data.
SDMPCC | n/a | PM Adapt | Yes | No | No | Schema created as part of Point Code Concentrator Solution adaptation deployment. Used for storing aggregation data.
SDMPCCRAW | n/a | PM Adapt | Yes | No | No | Schema created as part of Point Code Concentrator Solution adaptation deployment. Used for storing raw data.
SDMSDM | n/a | PM Adapt | Yes | No | No | Schema created as part of Subscriber Data Management adaptation deployment. Used for storing aggregation data.
SDMSDMRAW | n/a | PM Adapt | Yes | No | No | Schema created as part of Subscriber Data Management adaptation deployment. Used for storing raw data.
SEMNPC | n/a | PM Adapt | Yes | No | No | Schema created as part of Policy server adaptation deployment. Used for storing aggregation data.
SEMNPCRAW | n/a | PM Adapt | Yes | No | No | Schema created as part of Policy server adaptation deployment. Used for storing raw data.
SI_INFORMTN_SCHEMA | n/a | | Yes | No | No | Oracle default user: NetAct expires and locks the account. Account that stores the information views for the SQL/MM Still Image Standard.
SIGNLB | n/a | PM Adapt | Yes | No | No | The user is created only after dynamic adaptation.
SIGNLBRAW | n/a | PM Adapt | Yes | No | No | The user is created only after dynamic adaptation.
SMAMFA | n/a | PM Adapt | Yes | No | No | Schema created as part of Mediation Framework Monitoring deployment. Used for storing aggregation data.
SMAMFARAW | n/a | PM Adapt | Yes | No | No | Schema created as part of Mediation Framework Monitoring deployment. Used for storing raw data.
SMU | | | Yes | No | No | Schema used for storing system monitoring unit data.
SMAMPA | n/a | PM Adapt | Yes | No | No | Schema created as part of Monitoring NetAct system adaptation deployment. Used for storing aggregation data.
SMAPMARAW | n/a | PM Adapt | Yes | No | No | Schema created as part of Monitoring NetAct system adaptation deployment. Used for storing raw data.
SPATIAL_CSW_ADMIN_USR | n/a | | Yes | No | No | Oracle default user: NetAct expires and locks the account. The Catalog Services for the Web (CSW) account. It is used by the Oracle Spatial CSW cache manager to load all record type metadata, and record instances from the database into main memory for the record types that are cached.
SPATIAL_WFS_ADMIN_USR | n/a | | Yes | No | No | Oracle default user: NetAct expires and locks the account. The Web Feature Service (WFS) account. It is used by the Oracle Spatial WFS cache manager to load all feature type metadata, and feature instances from the database into main memory for the feature types that are cached.
SQLOP | n/a | CM | Yes | No | No | Oracle account which defines the DB schema required by the CM Workflow Engine. Used by Operations Manager.
SQLSVC | n/a | | Yes | No | No | Created by CM: defines the schema required by CM Views.
SQM | n/a | T&P | No | No | No | Created by NetAct component during installation for its own DB schemas and DB user accounts.
SWAM | n/a | SWAM | Yes | No | No | Schema used by the Software Asset Monitoring application for storing information about reports, modules and other application-specific data.
SWM | n/a | SWM | Yes | No | No | Created by NetAct component during installation for its own DB schemas and DB user accounts.
SYS | n/a | many components | No | No | Yes | Oracle default user. Oracle Data Dictionary/Catalog account. Also used to perform database administration tasks.
SQM_CORE | n/a | T&P | No | No | No | Schema used for T&P operations.
SYSBACKUP | n/a | | | | | Oracle default user. Used for backup and recovery related administrative operations.
SYSDG | n/a | | Yes | No | No | Oracle default user. Used for Data Guard related operations. NetAct expires and locks the account.
SYSKM | n/a | | Yes | No | No | Oracle default user. Used for key management (Transparent Data Encryption keystore) related administrative operations. NetAct expires and locks the account.
SYSTEM | n/a | WebSphere | No | Yes | Yes | Oracle default user according to the Oracle Security Guide. Another account used to perform database administration tasks (Oracle administrative user, open). Configured datasource in WebSphere has alias: ium_jaas_system
TCMPTL | n/a | NetAct PM | Yes | No | No | Created by NetAct Performance Manager during installation for its own DB schemas and DB user accounts.
TMAIPM | n/a | PM Adapt | Yes | No | No | Schema created as part of IP/MPLS Agent Network Element adaptation deployment. Used for storing aggregation data.
TMAIPMRAW | n/a | PM Adapt | Yes | No | No | Schema created as part of IP/MPLS Agent Network Element adaptation deployment. Used for storing raw data.
TMAQ1A | n/a | PM Adapt | Yes | No | No | Schema created as part of Q1 Agent Network Element adaptation deployment. Used for storing aggregation data.
TMAQ1ARAW | n/a | PM Adapt | Yes | No | No | Schema created as part of Q1 Agent Network Element adaptation deployment. Used for storing raw data.
TMF | n/a | User Management | Yes | No | No | Created by NetAct component during installation for its own DB schemas and DB user accounts. Configured datasource in WebSphere has alias: tmfAlias
TRC | n/a | NetAct TraceViewer | Yes | No | No | Schema used for storing data related to the TraceViewer application: Network Element trace messages and calls, and management of tracing on network elements.
UAM | n/a | User Management | Yes | No | No | Schema used for storing user profiles and some of the policy configurations. Configured datasource in WebSphere has alias: uamAlias
UMA | n/a | NetAct PM | Yes | No | No | Created by NetAct component during installation for its own DB schemas and DB user accounts.
WMSYS | n/a | | Yes | No | No | Oracle default user: NetAct expires and locks the account. Used to store the metadata information for Oracle Workspace Manager.
XDB | n/a | | Yes | No | No | Oracle default user: NetAct expires and locks the account. Used for storing Oracle XML DB data and metadata.
XMLNSS | n/a | PM Adapt | Yes | No | No | Schema created as part of 2G Core/HLR Adaptation deployment. Used for storing aggregation data.
XMLNSSRAW | n/a | PM Adapt | Yes | No | No | Schema created as part of 2G Core/HLR Adaptation deployment. Used for storing raw data.
XOH | n/a | | Yes | No | No | Schema user created for storing data relevant to XOH mediation.
XS$NULL | n/a | | Yes | No | No | Oracle default user: NetAct expires and locks the account. An internal account that represents the absence of a user in a session. XS$NULL has no privileges and no one can authenticate as XS$NULL, nor can authentication credentials ever be assigned to XS$NULL.
SDMSDL | n/a | PM Adapt | Yes | No | No | Schema created as part of SDL adaptation deployment. Used for storing aggregation data.
SDMSDLRAW | n/a | PM Adapt | Yes | No | No | Schema created as part of SDL adaptation deployment. Used for storing raw data.
SDMPGW | n/a | PM Adapt | Yes | No | No | Schema created as part of PGW adaptation deployment. Used for storing aggregation data.
SDMPGWRAW | n/a | PM Adapt | Yes | No | No | Schema created as part of PGW adaptation deployment. Used for storing raw data.
SDMSDE | n/a | PM Adapt | Yes | No | No | Schema created as part of SDME adaptation deployment. Used for storing aggregation data.
SDMSDERAW | n/a | PM Adapt | Yes | No | No | Schema created as part of SDME adaptation deployment. Used for storing raw data.
KEYCLOAK | n/a | keycloak | Yes | No | No | Schema created as part of the Keycloak service. Used for storing raw data.

Table 3: System users in Oracle DB
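
The table above states, for every Oracle account, whether NetAct keeps it locked. The check a practitioner wants after an upgrade or a restore is to compare that expectation with what the database actually reports. The following is an added example, not part of this document and not NetAct code: it parses a constructed, sqlplus-style listing of `SELECT username, account_status FROM dba_users;` (the listing and the expectation subset are assumptions derived from the table) and reports every account whose lock state deviates from the table. Oracle ACCOUNT_STATUS values containing LOCKED (LOCKED, LOCKED(TIMED), EXPIRED & LOCKED, ...) count as locked; a bare EXPIRED does not, because an expired account is still allowed to connect and set a new password.

```python
"""Audit Oracle account lock state against the NetAct system user table."""
from typing import Dict, List, Tuple

# Expectation derived from Table 3 above: True means the table says "Locked: Yes".
# Assumption for this example: only a subset of the table is listed here.
EXPECTED_LOCKED: Dict[str, bool] = {
    "OMC": False, "SYS": False, "SYSTEM": False, "PMR": False, "PMW": False, "RDR": False,
    "ORACLE_OCM": True, "OUTLN": True, "OLAPSYS": True, "XS$NULL": True,
    "NOKLTE": True, "NOKLTERAW": True, "PEM": True, "SCA": True,
}

# Constructed sample of `SELECT username, account_status FROM dba_users;`
# as sqlplus prints it. This is not output from a real NetAct system.
SAMPLE_DBA_USERS = """\
USERNAME        ACCOUNT_STATUS
--------------- --------------------------------
OMC             OPEN
SYS             OPEN
SYSTEM          OPEN
PMR             OPEN
PMW             LOCKED
RDR             OPEN
ORACLE_OCM      EXPIRED & LOCKED
OUTLN           EXPIRED & LOCKED
OLAPSYS         OPEN
XS$NULL         EXPIRED & LOCKED
NOKLTE          LOCKED
NOKLTERAW       EXPIRED
PEM             EXPIRED & LOCKED(TIMED)
"""


def parse_dba_users(listing: str) -> Dict[str, str]:
    """Map USERNAME -> ACCOUNT_STATUS, skipping the header and separator lines.

    The status may contain spaces ("EXPIRED & LOCKED"), so split only on the
    first whitespace run after the username.
    """
    status: Dict[str, str] = {}
    for line in listing.splitlines():
        line = line.strip()
        if not line or line.startswith("-") or line.startswith("USERNAME"):
            continue
        name, _, acct = line.partition(" ")
        status[name] = acct.strip()
    return status


def is_locked(account_status: str) -> bool:
    """Oracle reports LOCKED, LOCKED(TIMED), EXPIRED & LOCKED, ...; EXPIRED alone is not locked."""
    return "LOCKED" in account_status.upper()


def audit(expected: Dict[str, bool], actual: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Return (finding, username, account_status) for every deviation from the table.

    SHOULD_BE_LOCKED    : table says locked, database says the account can log in
    UNEXPECTEDLY_LOCKED : table says open (e.g. a WebSphere datasource user), database says locked
    MISSING             : account from the table does not exist in DBA_USERS
    """
    findings: List[Tuple[str, str, str]] = []
    for user, want_locked in sorted(expected.items()):
        if user not in actual:
            findings.append(("MISSING", user, ""))
            continue
        st = actual[user]
        if want_locked and not is_locked(st):
            findings.append(("SHOULD_BE_LOCKED", user, st))
        elif not want_locked and is_locked(st):
            findings.append(("UNEXPECTEDLY_LOCKED", user, st))
    return findings


if __name__ == "__main__":
    for finding, user, st in audit(EXPECTED_LOCKED, parse_dba_users(SAMPLE_DBA_USERS)):
        print(f"{finding:20} {user:12} {st}")
```

On a live system, run the query as SYS on the NetAct database and feed the listing to parse_dba_users(). A SHOULD_BE_LOCKED finding on an Oracle default account (OLAPSYS in the sample) means the hardening the table describes is not in effect; an UNEXPECTEDLY_LOCKED finding on OMC, PMR or PMW is the first thing to look at when the corresponding WebSphere datasource stops working, typically after repeated failed logins with a stale password.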

System User Id | System User Group | Component | Locked | JAAS | Admin User | Description
root (VMware vCenter Server) | root | | No | No | Yes |
root (ESXi Host) | root | | No | No | Yes |
administrator@vsphere.local (VMware vCenter Server) | NA | | No | No | Yes |
root (Avamar Virtual Edition) | root | | No | No | Yes |
admin (Avamar Virtual Edition) | root | | No | No | Yes |
MCUser (Avamar Virtual Edition) | root | | No | No | Yes |
root (Avamar Virtual Edition Combined Proxy) | root | | No | No | Yes |
admin (Avamar Virtual Edition Combined Proxy) | root | | No | No | Yes |

Table 4: System users in DC Infra and Virtualization

System User Id | System User Group | Component | Locked | JAAS | Admin User | Description
abrt | abrt | | Yes | NA | NA | Automatic Bug Reporting Tool
adm | adm | | Yes | NA | NA | Linux Standard Base required user
apache | apache | | Yes | NA | NA |
avahi-autoipd | avahi-autoipd | | Yes | NA | NA | Avahi IPv4LL Stack
bin | bin | | Yes | NA | NA | Linux Standard Base required user
daemon | daemon | | Yes | NA | NA | Linux Standard Base required user
dbus | dbus | | Yes | NA | NA | System message bus
dhcpd | dhcpd | | | | | DHCP server
ftp | ftp | | Yes | NA | NA | FTP User
games | games | | Yes | NA | NA | Linux Standard Base required user
gdm | gdm | | | | | Linux Standard Base required user
gopher | gopher | | Yes | NA | NA | Linux Standard Base required user
haldaemon | haldaemon | | Yes | NA | NA | HAL Daemon
halt | root | | Yes | NA | NA | Linux Standard Base required user
lp | lp | | Yes | NA | NA | Linux Standard Base required user
mail | mail | | Yes | NA | NA | Linux Standard Base required user
named | named | | | | |
nfsnobody | nfsnobody | | Yes | NA | NA | Anonymous NFS User
nobody | nobody | | Yes | NA | NA | Linux Standard Base required user
chrony | chrony | | Yes | NA | NA | Time server user
operator | root | | Yes | NA | NA | Linux Standard Base required user
polkitd | | | | | |
postfix | postfix | | Yes | NA | NA | Mail user
pulse | | | | | | Audio purpose user
root | root | | No | NA | Yes | RHEL super user. System user with login. Home directory disabled during hardening.
rpc | rpc | | Yes | NA | NA | Rpcbind Daemon
rpcuser | rpcuser | | Yes | NA | NA | RPC Service User
rtkit | rtkit | | Yes | NA | NA | RealtimeKit
saslauth | saslauth | | Yes | NA | NA | Saslauthd user
shutdown | shutdown | | Yes | NA | NA | shutdown
sshd | sshd | | Yes | NA | NA | Privilege-separated SSH
sync | root | | Yes | NA | NA | sync user
tcpdump | tcpdump | | Yes | NA | NA | TCP dump capture user
uucp | uucp | | Yes | NA | NA | uucp
vcsa | root | | Yes | NA | NA | virtual console memory owner
webalizer | webalizer | | Yes | NA | NA | Webalizer

Table 5: System users in Admin Server
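
The Admin Server table says which Linux accounts are locked and that root is the only account with a login. The following added example (not from this document and not NetAct code) checks a constructed /etc/shadow excerpt against that expectation: a password field beginning with ! or * is a locked account, an empty field is a passwordless account, and anything else is a usable password hash. The hashes in the sample are placeholders, not real credentials, and the expectation dictionary is a subset of the table.

```python
"""Audit Linux account lock state (from /etc/shadow) against the Admin Server user table."""
from typing import Dict, List, Tuple

# Expectation derived from Table 5 above: True means the table says "Locked: Yes".
# Assumption for this example: only a subset of the table is listed.
TABLE_LOCKED: Dict[str, bool] = {
    "abrt": True, "adm": True, "apache": True, "bin": True, "daemon": True,
    "postfix": True, "sshd": True, "tcpdump": True,
    "root": False,
}

# Constructed /etc/shadow excerpt. The hash values are placeholders.
SAMPLE_SHADOW = """\
root:$6$rounds=5000$saltsalt$placeholderhash:19000:0:99999:7:::
bin:*:18353:0:99999:7:::
daemon:*:18353:0:99999:7:::
adm:*:18353:0:99999:7:::
abrt:!!:18353::::::
apache:!!:18353::::::
sshd:!!:18353::::::
tcpdump:$6$saltsalt$anotherplaceholder:19000:0:99999:7:::
postfix::18353::::::
svcbackup:$6$saltsalt$placeholder3:19000:0:99999:7:::
"""


def classify_shadow_hash(field: str) -> str:
    """Classify the second /etc/shadow field.

    ""      -> "empty"  : no password at all; anyone can log in without one
    "!..."  -> "locked" : locked by passwd -l / usermod -L or never had a password ("!!")
    "*"     -> "locked" : no valid hash, password login impossible
    other   -> "usable" : a real hash, password login possible
    """
    if field == "":
        return "empty"
    if field[0] in "!*":
        return "locked"
    return "usable"


def parse_shadow(text: str) -> Dict[str, str]:
    """Map username -> lock classification for every entry in a shadow file."""
    state: Dict[str, str] = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 2:
            continue
        state[fields[0]] = classify_shadow_hash(fields[1])
    return state


def audit_os_accounts(expected_locked: Dict[str, bool],
                      shadow_state: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Return (finding, username, state) for every account that deviates from the table.

    EMPTY_PASSWORD      : passwordless account, always a finding
    NOT_IN_TABLE        : account present on the host but absent from the table
    SHOULD_BE_LOCKED    : table says locked, host has a usable password
    UNEXPECTEDLY_LOCKED : table says login account, host has it locked
    """
    findings: List[Tuple[str, str, str]] = []
    for user, st in sorted(shadow_state.items()):
        if st == "empty":
            findings.append(("EMPTY_PASSWORD", user, st))
            continue
        want_locked = expected_locked.get(user)
        if want_locked is None:
            findings.append(("NOT_IN_TABLE", user, st))
        elif want_locked and st != "locked":
            findings.append(("SHOULD_BE_LOCKED", user, st))
        elif not want_locked and st == "locked":
            findings.append(("UNEXPECTEDLY_LOCKED", user, st))
    return findings


if __name__ == "__main__":
    for finding, user, st in audit_os_accounts(TABLE_LOCKED, parse_shadow(SAMPLE_SHADOW)):
        print(f"{finding:20} {user:12} {st}")
```

On a live Admin Server the same question is answered per account by `passwd -S <user>` as root (LK, NP or PS), and by reading /etc/shadow as done here. A locked password field does not block SSH public-key logins, so accounts that carry an authorized_keys file, and the login shell (/sbin/nologin versus /bin/bash), need their own check; the table's "Locked" column describes the password state only.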

System User Id | System User Group | Component | Locked | JAAS | Admin User | Description
nmAdmin | n/a | Node Manager | No | NA | Yes | For integration of Node Manager
administrator | n/a | Node Manager | No | NA | Yes | Windows Node Manager user. Built-in account for administering the computer and domain.
Guest | n/a | Node Manager | Yes | NA | No | Windows Node Manager user. Built-in account for guest access to the computer and domain. Disabled by default.
Ctx_ConfigMgr | n/a | Node Manager | Yes | NA | No | Windows Node Manager user. Citrix built-in user which is created during Citrix installation. Disabled in security hardening.
Ctx_StreamingSvc | n/a | Node Manager | Yes | NA | No | Windows Node Manager user. Citrix built-in user which is created during Citrix installation.
Ctx_cpuuser | n/a | Node Manager | Yes | NA | No | Windows Node Manager user. Citrix built-in user which is created during Citrix installation.
Table 6: System users in Windows OS and AD

System User Id | System User Group | Component | Locked | JAAS | Admin User | Description
superadmin | master | SM | No | No | Yes | Used to manage all Keycloak realm admin users. Realm is the master realm.
ckeyadmin | ntcapp | NTCApp | No | No | No | User name "ckeyadmin" in realm "ntcapp", used for CBAM integration using OAuth 2.0.
authadmin | netact-auth | SM | No | No | No | Used to manage LDAP users.

Table 7: System users in Keycloak Realm admin user

1.2 Guidelines for changing password

• Read all the instructions in this section carefully before attempting a password change. This helps in planning the change: the password change of some users requires a service restart, the set of special characters allowed in a password is restricted, and the password of some users is also configured on Network Elements (NEs), which must then be updated.

For more information, see Service restarts needed after password change of system user, Special characters allowed in system user's password, and Changes in NE configuration post password change.

• Know the password policies that apply to a user before changing its password. This helps in choosing a password that matches the existing policy and avoids repeated executions of the tool because of password validation failures.

For more information about how to find the policy currently in place, see Administering user policies.

• Know the current password of a user before attempting its password change. For more information about the users whose password can be retrieved, see Retrieving password of system users.

• If the password change of a system user fails for any unforeseen reason, see Troubleshooting Password-Tool Execution Failures in Troubleshooting Security Management to resolve issues related to password change failures.

1.3 Changing password of directory server, database, OS, and active directory users

This section provides the instructions for changing the password of all NetAct system users, whether they are stored in the directory server, the Oracle database, the OS, or Active Directory.

1.3.1 Changing password of users using password-tool

Prerequisites

Before initializing the password change, see Guidelines for changing password.

NetAct password-tool is a command line tool used for changing the passwords of NetAct default system
users. password-tool provides a mechanism to change the passwords of system users stored in multiple
repositories, such as the directory server, the Oracle database and the OS repository.

The password-tool automates all the steps required for a successful password change of a system
user, including the necessary restarts and configuration changes. The tool also supports changing
the passwords of a group of users collectively within a single execution, and keeps the downtime
caused by service restarts to a minimum by combining the restarts. A health check of the system is
also done before the password change is attempted, to avoid failures during the change.

Note:

• To obtain the list of users supported by password-tool, log in as omc or root user to the
NetAct VM hosting the dmgr service and enter:

[omc] /opt/nokia/oss/bin/password-tool --list


OR
[omc] /opt/nokia/oss/bin/password-tool -l

• In a Disaster Recovery (DR) environment, file system synchronization between the two sites
can be reported as non-functional during or after the password change. This is due to the
simultaneous execution of commands on the standby site that enable or disable root login
and the file system synchronization cron job that runs every 15 minutes. The synchronization
recovers on the next invocation of the cron job. An execution of password-tool before that next
invocation of the cron job fails during the DR status check. If the file system synchronization
is still not functional after the cron job has run again following a password change, contact
Nokia Technical Support.

Changing the passwords of all users supported by password-tool involves the following steps:

• Password change of non-administrative users, for which random passwords are generated
internally according to the relevant password policy.
• Password change of administrative users, for which the password needs to be provided manually
by the user of the tool.
• Passwords of critical administrative users, and of users requiring configuration changes outside
NetAct (for example on the NE or in AuditTrail), need to be changed individually.

This classification is based on the criticality of the user, its use for administrative purposes, and
the changes needed on the network element after a successful password change in NetAct.

Follow the steps below to change the passwords of all users supported by password-tool.

1. Log in as omc user to VM where dmgr service is running and switch to root user.

To locate the correct virtual machine, see Locating the right virtual machine for a service in Admin-
istering NetAct Virtual Infrastructure.
2. To change password of all non administrative users supporting random password, execute:

[omc] /opt/nokia/oss/bin/password-tool --type all --mode nonAdmin


OR
[omc] /opt/nokia/oss/bin/password-tool -t all -m nonAdmin

Note: Non-administrative users supported by password-tool can be obtained by executing:

[omc] /opt/nokia/oss/bin/password-tool --list --type all --mode nonAdmin

OR

[omc] /opt/nokia/oss/bin/password-tool -l -t all -m nonAdmin

Upon execution of the above command, the following are prompted before the password change is attempted:

• Root login password: the root user password is needed for restarting services after the
password change, where applicable. The provided root user password is validated, and the tool
terminates if an incorrect password was provided.
• Confirmation for service restarts: this is prompted only when service restarts are needed after
the password change of a user. The tool terminates if anything other than Y (case insensitive) is
entered at the prompt.

The password change is then performed by generating a random password that meets the configured
policy of the relevant type. For every user whose password was changed successfully, the post password
change actions are performed, and the required service restarts are combined and executed together
so that the downtime of services is minimal.

The password change continues even if it fails for one of the users. On failure, the password is
reverted to the old password if the old password is retrievable. It is recommended to check the
logs to analyze the failure of the password change before continuing further. Refer to Troubleshooting
Password-Tool Execution Failures in Troubleshooting Security Management for resolving any password
change issues.
3. To change the password of all administrative users not supporting random password, execute:

[omc] /opt/nokia/oss/bin/password-tool --type all --mode admin [--skip old_password]

OR

[omc] /opt/nokia/oss/bin/password-tool -t all -m admin [-s op]

Note: Administrative users supported by password-tool can be obtained by executing:

[omc] /opt/nokia/oss/bin/password-tool --list --type all --mode admin

OR

[omc] /opt/nokia/oss/bin/password-tool -l -t all -m admin

Upon execution of the above command, the following are prompted before the password change is attempted:

• Root login password: the root user password is needed for restarting services after the
password change, where applicable. The provided root user password is validated, and the tool
terminates if an incorrect password is provided.
• Confirmation for service restarts: this is prompted only when service restarts are needed after
the password change of a user. The tool terminates if anything other than Y (case insensitive) is
entered at the prompt.
• Old password: the current password of the user; it is optional. It is prompted only if the tool was
invoked without the --skip old_password or -s op option.
• New password: mandatory; the provided password is validated against the configured policy of
the relevant type. For OS users, it is recommended to check the score of the new password before
the password change. For more information on the password score, see Checking password score
for OS users.
• Confirm New password: mandatory; it must match the password provided at the New password
prompt.

Note:

• New password and Confirm New password are prompted for each user attempted.
They are re-prompted twice upon providing an invalid password.
• Old password is prompted if the tool was invoked without the --skip old_password
or -s op option. It is re-prompted twice upon providing an incorrect password.

The password change continues for the remaining users even if it fails for the attempted user.
Service restarts are done only for the services associated with the users whose password was
changed successfully. The password of a user is reverted in case of a failure in the password change;
reverting to the old password is attempted only if the old password was provided or is retrievable.

For example: if the execution involves two users (U1 and U2) and the password change of U1 fails, its
password is reverted and the password change continues for U2. If the password change was
successful for U2, only the service restarts applicable to U2 are performed.

The progress of the password change and an overall summary status of the performed operation are
shown in the console. If any failures are detected in the password change, it is recommended to check
the reason for the failure before continuing further. Refer to Troubleshooting Password-Tool Execution
Failures in Troubleshooting Security Management for resolving any password change issues.
4. Passwords of critical administrative users and of users requiring configuration changes on the NE
need to be changed individually. The users falling under this category are listed in Users unsupported
in type mode of operation. Refer to Changing password of system users individually for the
instructions to be followed for the password change of such users.

Note: password-tool also supports changing the passwords of the users of a particular type, and
of individual users. Refer to section Type and individual operation way of password tool for the
instructions.

1.3.2 Changing password of users in Active Directory

Follow the instructions described below to change the password of the administrator.

Note:

• Information regarding Node manager domain controller and member server nodes can
be obtained from local installation team.

To change the password of the Domain Administrator

1. Log in to the Node Manager domain controller as the Domain Administrator, that is, administrator.
2. Click Start → Windows Administrative Tools → Active Directory Users and Computers and
expand <domain_name> → Users on the right panel, right-click Administrator and select Reset
Password.
3. Enter new password and confirm new password, un-check User must change password at next
login and click OK.

Note:

There is no need to log in to the other Domain Controller or Member server to do the same steps,
because the domain administrator is a global account for all servers in the same domain.

4. Reconfigure the scheduled tasks after you change the password of the Domain Administrator. For
more information, see Appendix G: Reconfiguring scheduled tasks in Administering Node Manager
Server.

To change the password of the Local Administrator

1. Log in to the Node Manager member as the Local Administrator, that is, administrator.
2. Click Start → Windows Administrative Tools → Server Manager, expand Configuration →
Local Users and Groups on the right-panel, right-click Administrator and select Set Password.
3. Click Proceed.
4. Enter new password and confirm new password and click OK.
5. Repeat step 1 to step 4 on other member servers.

1.4 Changing password of datacenter and virtualization infrastructure users

This section provides information about the password change of data center (DC) and virtualization
infrastructure provider users, which includes ESXi and VMware vCenter Server Appliance.

1.4.1 Changing the administrator@vsphere.local password of the VMware vCenter Server Appliance

Note: It is mandatory to have the same password for the root and administrator@vsphere.local
users and to follow the same password policy for both the root and administrator@vsphere.local
users.

To change the administrator@vsphere.local password of the vCenter host:

Note: Ensure to follow the password policy stated under VMware vCenter Server Appliance
password policy for root and administrator@vsphere.local user.

1. Go to the configuration address that your VMware vCenter Server Appliance virtual machine
provides:

https://<VMware vCenter Server Appliance IP address>/ui

2. Enter your user name as administrator@vsphere.local and enter the password, and click
Login.

3. From the Menu drop-down list, click Administration.

4. In the left pane, click Single Sign-On → Users and Groups.

The Users and Groups pane appears.

5. In the Users tab, from the Domain drop-down list, select vsphere.local.

6. Click the Administrator user.

The Edit option appears on the top.

7. Click Edit.

The Edit User dialog box appears.

8. In the Password field, type the new password.

9. In the Confirm password field, type the new password again.

10. Click SAVE.

11. After changing the administrator@vsphere.local vCenter user password, you must re-register
Avamar with vCenter with the new password if administrator@vsphere.local is used inside AVE. To
re-register vCenter in Avamar, see Updating the vCenter user password in AVE in Administering
Backups.

Note: This is applicable only if AVE is used as a Backup and Restore solution in NetAct.

1.4.2 Changing the root password of the VMware vCenter Server Appliance

Prerequisites

• You must have the VMware vCenter Server Appliance installed.

Note:

• It is mandatory to have the same password for the root and administrator@vsphere.local
users and to follow the same password policy for both the root and
administrator@vsphere.local users.
• Ensure to follow the password policy stated under VMware vCenter Server Appliance
password policy for root and administrator@vsphere.local user.

1. Go to the configuration address that your VMware vCenter Server Appliance virtual machine
provides:

https://<VMware vCenter Server Appliance IP address>:5480

2. Type your root user name and password, and click Login.

3. In the left pane, click Administration.

4. In the right pane, click CHANGE.

The Change Password dialog box appears.

5. In the Current password field, type the password.

6. In the New password field, type the new password.

7. In the Confirm password field, type the new password again.

8. Click SAVE.

Note: If vCenter root user is used to register vCenter with AVE, then you must update
the new changed password in AVE. For more information, see Updating the vCenter user
password in AVE in Administering Backups. This is applicable only if AVE is used as a
Backup and Restore solution in NetAct.

1.4.3 Changing root password of an ESXi host

Note: Ensure to follow the password policy stated under ESXi password policy for root user.

1. Connect to the management interface, HPE Integrated Lights-Out (ILO) site, of your ESXi host.

Note: It is recommended to use Internet Explorer when logging in to the HPE ILO site.

2. Click Remote Console → Remote Console.

You can use either .NET Integrated Remote Console (.NET IRC) or Java Integrated Remote
Console (Java IRC) to launch the remote console.

3. From one of the Integrated Remote Console sections, click Launch.

A pop-up window appears.

4. Click Run.

A console appears.

5. In the remote console window, press F2 and log in with root credentials.

6. In the System Customization menu of the ESXi host, use the keyboard arrows to select
Configure Password and press Enter.

The Configure Password dialog box appears.

7. Fill the required fields to change the password and press Enter.

1.4.4 Changing the vmanager user password

vmanager is the default username configured in vCenter with the privilege to query the status, reboot
the GuestOS and to reset the virtual machine. The NetAct cpfvmanager service uses the vmanager
user to restore the virtual machine from any critical NetAct unrecoverable service failures.

Note: It is recommended to store the changed password in a safe and secure place after a
successful password change, as the vmanager user password cannot be retrieved with the
syscredacc.sh tool.

Perform the following instructions to change the vmanager user password at runtime:

1. Log in to the virtual machine (VM) where the cpfvmanager service is running and switch to root
user.

To locate the right virtual machine, see Locating the right virtual machine for a service in
Administering NetAct Virtual Infrastructure.

2. Stop the cpfvmanager service by entering:

[root]# /opt/cpf/install/bin/cpfvmanager_configure.sh --stop

3. Stop the vcenterselfmon service by entering:

[root]# smanager.pl stop service vcenterselfmon

4. Log in to vCenter VM using putty connection as a root user.

Alternatively, you can also access vCenter VM through vCenter Client by performing the following
steps:

a) Log in to vSphere Client as a root user.
b) From the Menu drop-down list, click Hosts and Clusters.
c) In the left pane, expand vCenter Server → NetAct Data Center → NetAct Cluster.

A complete list of existing hosts and VMs in a cluster appears.

d) Select the vCenter VM and click Launch Console in the Summary tab.

5. Enable shell by entering:

[root]# pi shell.set --enabled true

6. Access the appliance shell and log in as a user who has a super administrator role by entering:

[root]# appliancesh

The default user with a super administrator role is root.

7. Enter the root password.

8. Set the vmanager user password by entering:

Command> localaccounts.user.password.update --username vmanager --password

9. Enter and confirm the new password when prompted.

10. Enter exit to exit the appliance shell.

11. Log in to the VM where the cpfvmanager service is running and switch to root user.

To locate the right virtual machine, see Locating the right virtual machine for a service in
Administering NetAct Virtual Infrastructure.

12. Update the cpfvmanager service properties with the latest password by entering:

[root]# /opt/cpf/install/bin/cpfvcenter_update_credentials.sh --vmanager

13. Start the cpfvmanager service by entering:

[root]# /opt/cpf/install/bin/cpfvmanager_configure.sh --start

Ensure that the output of the above command is started OK and there are no errors or warnings
seen in /var/log/vmanager/vmanager.log file.

14. Update the vcenterselfmon service properties with the latest password by entering:

[root]# /opt/cpf/install/bin/cpfvcenter_update_credentials.sh --vcenterselfmon

15. Start the vcenterselfmon service by entering:

[root]# smanager.pl start service vcenterselfmon

Ensure that the output of the above command is started OK and there are no errors or warnings
seen in /var/log/vcenterselfmon/logfile.log.0 file.

16. Log out from vCenter VM and NetAct VM.
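Steps 13 and 15 ask you to confirm that no errors or warnings appear in the two service logs after the restarts. The following shell helper is an added example and is not part of the NetAct documentation or tooling. It assumes that the log lines carry a level token such as ERROR, WARN or FATAL; the real line format of vmanager.log and logfile.log.0 is not shown on this page, so adjust the pattern if the logs use different tokens. The sample lines it runs on at the end are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not part of the NetAct documentation: after the restarts in
# steps 13 and 15, scan the service logs for error or warning entries.
# Assumption: the log lines carry a level token such as ERROR, WARN or FATAL
# (the real line format is not shown on this page).

# log_is_clean FILE
# Returns 0 when FILE is readable and contains no error/warning entries,
# 1 when such entries exist (they are printed for inspection),
# 2 when FILE cannot be read.
log_is_clean() {
  logfile=$1
  if [ ! -r "$logfile" ]; then
    echo "cannot read $logfile" >&2
    return 2
  fi
  # Match the level token only as a whole word so that text such as
  # "errorCount" or a hostname containing "warn" does not trigger a hit.
  if grep -Ei '(^|[^[:alnum:]])(error|warn|warning|fatal)([^[:alnum:]]|$)' "$logfile"; then
    return 1
  fi
  return 0
}

# check_vmanager_logs [FILE ...]
# Checks every file given (default: the two log files named in the procedure)
# and returns 0 only when all of them are readable and clean.
check_vmanager_logs() {
  [ "$#" -gt 0 ] || set -- /var/log/vmanager/vmanager.log /var/log/vcenterselfmon/logfile.log.0
  status=0
  for f in "$@"; do
    if log_is_clean "$f"; then
      echo "$f: OK"
    else
      echo "$f: CHECK REQUIRED"
      status=1
    fi
  done
  return $status
}

# Demonstration on constructed log lines (not real NetAct output): the WARN
# line is reported and the overall result is "check required".
demo_log=$(mktemp)
cat >"$demo_log" <<'EOF'
2021-01-01 10:00:01 INFO  cpfvmanager started
2021-01-01 10:00:02 WARN  vCenter session renewed after credential update
EOF
check_vmanager_logs "$demo_log" || echo "demo: warning entry found, as expected"
rm -f "$demo_log"
```

On a NetAct VM, run `check_vmanager_logs` with no arguments after step 15 to check both files named in the procedure; a non-zero return means at least one file was unreadable or contained an entry worth reading before logging out.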

1.5 Changing password for hardware devices

This section provides information about changing the password of all hardware devices.

1.5.1 Changing password for storage devices

This section provides information about changing the password of storage devices.

1.5.1.1 Changing admin user password of EMC Unity Storage

The administrator can change the admin user password of EMC Unity Storage in adherence to the
current password policy.

1. Connect to the management interface of EMC Unity Storage GUI.

2. Log in to EMC Unity console as admin user.

3. In the right pane, click Users → Change Password.

The Change Password pop-up window appears.

4. In the Old Password field, type the old password.

5. In the Password field, type the new password.

Note: The password must contain:

• minimum of 8 characters
• one upper case character
• one lower case character
• one numeric character
• one special character

6. In the Confirm Password field, retype the new password.

7. Click OK.

Note: For Disaster Recovery based systems, the hardware level security settings must be
done on both active and standby sites.
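The password policy quoted in this section is repeated for the other storage devices, the switches, HPE Virtual Connect, the iLO servers and the Onboard Administrator in the sections that follow. The following shell function is an added example, not part of the NetAct documentation, that checks a candidate password against that policy before it is typed into a device, so that a rejected password does not force the change procedure to be repeated. It interprets "special character" as any character that is not a letter or digit; that is an assumption, so adjust the last check if a device limits the allowed special characters. The sample values at the end are constructed, apart from Password_123, which is the sample value shown in the network switch example on this page.

```shell
#!/bin/sh
# Added example, not part of the NetAct documentation: check a candidate
# password against the device policy stated on this page (minimum 8
# characters, one upper case, one lower case, one numeric and one special
# character). "Special character" is assumed to mean any character that is
# not a letter or digit.

# check_device_password PASSWORD
# Prints each unmet requirement and returns 0 when all requirements are met,
# 1 otherwise. The password is passed as an argument, so call it from a
# script or after reading the value without echo, not on an interactive
# command line that is recorded in shell history.
check_device_password() {
  pw=$1
  result=0
  if [ "${#pw}" -lt 8 ]; then
    echo "needs a minimum of 8 characters"; result=1
  fi
  case $pw in
    *[[:upper:]]*) ;;
    *) echo "needs one upper case character"; result=1 ;;
  esac
  case $pw in
    *[[:lower:]]*) ;;
    *) echo "needs one lower case character"; result=1 ;;
  esac
  case $pw in
    *[[:digit:]]*) ;;
    *) echo "needs one numeric character"; result=1 ;;
  esac
  case $pw in
    *[![:alnum:]]*) ;;
    *) echo "needs one special character"; result=1 ;;
  esac
  return $result
}

# Demonstration on constructed values: the first passes, the second lacks an
# upper case and a special character, the third is too short.
for candidate in 'Password_123' 'password123' 'Ab1!'; do
  if check_device_password "$candidate"; then
    echo "$candidate: accepted"
  else
    echo "$candidate: rejected"
  fi
done
```

Because the check only confirms the minimum requirements, a password that passes is not necessarily strong; it only avoids the validation failure on the device.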

1.5.1.2 Changing admin user password of HPE MSA 2040/2050 Storage

The administrator can change the admin user password of HPE MSA 2040/2050 Storage in
adherence to the current password policy.

1. Log in to HPE MSA 2040/2050 Storage GUI console with manage user account.

2. In the right pane, click the manage user's profile.

3. From the drop-down, click Manage Users.

The System Settings pop-up window appears.

4. Click on the required user name.

5. In the Password field, type the new password.

Note: The password must contain:

• minimum of 8 characters
• one upper case character
• one lower case character
• one numeric character
• one special character

6. In the Confirm Password field, retype the new password.

7. Click Apply and Close.

Note: For Disaster Recovery based systems, the hardware level security settings must be
done on both active and standby sites.

1.5.1.3 Changing admin user password of HPE 3par Storage

The administrator can change the admin user password of HPE 3par Storage in adherence to the
current password policy.

1. Log in to HPE 3par Storage IP or FQDN with 3paradm user using SSH option.

2. Change the 3paradm user password by entering:

setpassword -u 3paradm

For example,

3par3 cli% setpassword -u 3paradm
Old password:
New password for user 3paradm:
Re-type new password:
3par3 cli%

Note: The password must contain:

• minimum of 8 characters
• one upper case character
• one lower case character
• one numeric character
• one special character

Note: For Disaster Recovery based systems, the hardware level security settings must be
done on both active and standby sites.

1.5.1.4 Changing admin user password of EMC VNX Storage

The administrator can change the admin user password of EMC VNX Storage in adherence to the
current password policy.

1. Log in to EMC VNX2 storage GUI with administrative user account.

2. Go to Settings.

3. In the Common Settings Tasks, click Change Password.

The Change Password pop-up window appears.

4. In the Old Password field, type the old password.

5. In the New Password field, type the new password.

Note: The password must contain:

• minimum of 8 characters
• one upper case character
• one lower case character
• one numeric character
• one special character

6. In the Confirm Password field, retype the new password.

7. Click OK.

The Confirm: Change Password pop-up window appears.

8. Click Yes.

The Application Shutdown pop-up window appears.

9. Click OK.

Note: For Disaster Recovery based systems, the hardware level security settings must be
done on both active and standby sites.

1.5.2 Changing password for switches and HPE Virtual Connect

This section provides information about changing the password of switches and HPE Virtual Connect.

1.5.2.1 Changing admin user password for HPE Virtual Connect

The administrator can change the existing admin user password of HPE Virtual Connect in adherence
to the current password policy.

1. Log in to HPE Virtual Connect.

2. In the left pane, expand Users/Authentication.

3. Click Local Users.

The Local Users Accounts pane appears.

4. Click Edit for the Administrator user name.

The Edit Local User pop-up window appears.

5. In the Password field, type the new password.

Note: The password must contain:

• minimum of 8 characters
• one upper case character
• one lower case character
• one numeric character
• one special character

6. In the Confirm Password field, retype the new password.

Note: The optional fields such as Full Name and Contact Info can be updated, if
required.

7. Click Apply.

The Local user updated message appears.

Note: For Disaster Recovery based systems, the hardware level security settings must be
done on both active and standby sites.

1.5.2.2 Changing admin user password for HPE Brocade SAN switch

The administrator can change the existing admin user password of HPE Brocade SAN switch in
adherence to the current password policy.

1. Log in to HPE Brocade SAN switch IP with admin user using the SSH option.

2. Change the password of the admin user by entering:

sw1:admin> passwd

While changing the password, you must provide the existing password, then type the new password
and confirm it by retyping the new password.

For example,

Enc23-fsw1:admin> passwd
Changing password for admin
Enter old password:
Enter new password:
Re-type new password:
passwd: all authentication tokens updated successfully
Saving password to stable storage.
Password saved to stable storage successfully.

Note: The password must contain:

• minimum of 8 characters
• one upper case character
• one lower case character
• one numeric character
• one special character

Note: For Disaster Recovery based systems, the hardware level security settings must be
done on both active and standby sites.

1.5.2.3 Changing admin user password for HPE 5900/5500/5510/6127 Network switch

The administrator can change the existing admin user password of HPE 5900/5500/5510/6127
Network switch in adherence to the current password policy.

1. Log in to HPE Network switch IP with admin user using the SSH option.

2. Switch to configuration mode by entering:

[comware] system-view

3. Log in to the admin profile by entering:

[comware] local-user admin

4. Change the password by entering:

[comware-luser-manage-admin] password simple <newpassword>

Note: The password must contain:

• minimum of 8 characters
• one upper case character
• one lower case character
• one numeric character
• one special character

5. Type quit and save force.

For example,

<dcnL3switchstack>system-view
System View: return to User View with Ctrl+Z.
[dcnL3switchstack]local-user admin
[dcnL3switchstack-luser-manage-admin]password simple Password_123
[dcnL3switchstack-luser-manage-admin]quit
[dcnL3switchstack]save force
Validating file. Please wait...
Saved the current configuration to mainboard device successfully.

Note: For Disaster Recovery based systems, the hardware level security settings must be
done on both active and standby sites.

1.5.3 Changing password for servers

This section provides information about changing the password of servers.

1.5.3.1 Changing password for HPE iLO 4 server

You can change the existing ilouser user password of HPE iLO 4 server, such as ProLiant BL460c and
ProLiant DL360 (Gen8, Gen9, and Gen10) in adherence to the current password policy.

1. Log in as ilouser user to the iLO 4 console.

2. In the left pane, click Administration → User Administration.

The User Administration area appears in the right pane.

3. In the Local Users area, select the check box next to the ilouser user, and then click Edit.

The Add/Edit Local User window appears.

4. In the User Information area, do the following:

a) Select the Change password check box.
b) In the Password field, type the new password.

Note: The password must contain:

• minimum of 8 characters
• one upper case character
• one lower case character
• one numeric character
• one special character

c) In the Password Confirm field, retype the password to confirm.

5. Click Update User.

Expected outcome

The password for the HPE iLO 4 server is changed.

1.5.3.2 Changing password for HPE iLO 5 server

You can change the existing ilouser user password of HPE iLO 5 server, such as ProLiant BL460c and
ProLiant DL360 (Gen8, Gen9, and Gen10) in adherence to the current password policy.

1. Log in as ilouser user to the iLO 5 console.

2. In the left pane, click Administration.

The Administration - User Administration area appears in the right pane.

3. Click the User Administration tab, if it is not selected by default.

4. For the ilouser, select the check box if it is not selected by default, and then click Edit.

The Edit Local User window appears.

5. In the User Information area, do the following:

a) In the New Password field, type the new password.

Note: The password must contain:

• minimum of 8 characters
• one upper case character
• one lower case character
• one numeric character
• one special character

b) In the Confirm Password field, retype the password to confirm.

6. Click Update User.

Expected outcome

The message The user has been modified. appears.

1.5.3.3 Changing password for HPE Onboard Administrator

The administrator can change the existing password of the HPE Onboard Administrator (OA) in
adherence to the current password policy.

1. Log in as Administrator user to the HPE OA.

2. In the left pane, expand Users/Authentication → Local Users.

The Local Users window appears in the right pane.

3. Select the check box next to the Administrator user and click Edit.

The Edit Local User window appears.

Note: You can also open the Edit Local User window by doing the following:

• In the left pane, expand Users/Authentication → Local Users, and then click
Administrator.

The Edit Local User window appears.

4. In the Password field, type the new password.

Note: The password must contain:

• minimum of 8 characters
• one upper case character
• one lower case character
• one numeric character
• one special character

5. In the Password Confirm field, retype the password to confirm.

6. Click Update User.

Expected outcome

The password of the HPE Onboard Administrator is changed.

1.6 Changing password of Avamar Virtual Edition

This section provides information about changing the password of Avamar Virtual Edition.

1.6.1 Changing passwords of Avamar Virtual Edition users

For instructions to change the passwords for the operating system accounts, that is, admin and root
and to change the passwords for the internal Avamar server accounts, that is, root, MCUser, repluser,
and viewuser, see Changing Avamar Virtual Edition user passwords in Administering Backups.

1.6.2 Changing password of Avamar Virtual Edition Combined Proxy

For instructions to change the passwords for the operating system accounts, that is, the admin and root
users of Avamar Virtual Edition Combined Proxy (AVECP), see Changing Avamar Virtual Edition Combined
Proxy user passwords in Administering Backups.

1.7 Changing password of omc user through User Management

The omc system user password can be changed through the User Management application. The steps
involved in changing this password are the same as for changing a user password in the User
Management application.

Refer to Changing NetAct end users password for specific steps involved in changing the password.

2 Administering NetAct end users and password

The instructions described in this section are applicable to users created using the User Management
application.

2.1 Changing NetAct end users password

This section describes the procedure for changing the NetAct end users password. This is applicable
only to users whose user profiles are created using User Management application.

• Changing own password
• Changing password of other users

2.1.1 Changing own password


The users can change their own password in adherence to the current password policy.

To change the password of your account using User Management application, do the following:

1. Log in to the NetAct Start Page.


a) In the address field of your internet browser, type the following URL address:

https://<system_FQDN>/startpage

where <system_FQDN> is the fully qualified domain name of the NetAct cluster load balancer
for WebSphere. For more information, see Launching the NetAct Start Page.
b) Type the Username and Password, and click Log In.

Note: If the terms and conditions appear, select the I have read and agree to
the above terms and conditions check box, and then click Log In. For more
information, see Modifying terms and conditions page.

c) Click Accept or Continue.

2. Click Security → User Management.

The User Management application opens. The List users page appears displaying all the active
and inactive users configured in NetAct.

3. From the Personal Settings drop-down list, select Change Password.

The Change Password page appears.

4. In the Login profile details area, do the following:


a) In the Old Password field, type the current password that is used to log in to NetAct.
b) In the New password field, type the new password.


c) In the Confirm password field, retype the password.

5. Click Save.

Expected outcome

User profile details updated successfully message appears and the user password is
changed successfully.

Note: Change of password is not applicable for external users.

2.1.2 Changing password of other users


The administrator with permissions to access the User Management application can reset the
password of other NetAct users.

Note:

• You cannot change the password of system users (except omc) using the User
Management application. Use the password tool to change the password of system users.

1. Log in to the NetAct Start Page.


a) In the address field of your internet browser, type the following URL address:

https://<system_FQDN>/startpage

where <system_FQDN> is the fully qualified domain name of the NetAct cluster load balancer
for WebSphere. For more information, see Launching the NetAct Start Page.
b) Type the Username and Password, and click Log In.

Note: If the terms and conditions appear, select the I have read and agree to
the above terms and conditions check box, and then click Log In. For more
information, see Modifying terms and conditions page.

c) Click Accept or Continue.

2. Click Security → User Management.

The User Management application opens. The List users page appears displaying all the active
and inactive users configured in NetAct.

3. In the List users page, select the check box next to the user.

The Modify button is enabled.

4. Click Modify.


The Modify user page appears.

5. In the Login details area, select the check box next to the Login name.

The Modify button is enabled.

6. Click Modify.

The Modify user page appears and the user information is populated.

7. In Login profile details area, do the following:

• In the Password field, type the new password.


• In the Confirm password field, retype the password.

8. Click Modify.

The Modify user page is refreshed.

9. Click Save.

Expected outcome

User profile details updated successfully message appears and the user password is
changed successfully.

2.2 Managing user SSH and certificate configuration


NetAct provides a tool that allows administrators to:

• Grant and revoke SSH login permissions for NetAct users
• Obtain an up-to-date overview of all current NetAct user accounts with their SSH access settings
• Configure certificates for NetAct user accounts
• List the NetAct user accounts that are configured with certificates, together with the remaining
certificate validity
• Reconfigure expired certificates for NetAct user accounts
• Enable SSH access and configure a certificate in one run by using --configCert together with the
--access option

The tool is located on the dmgr node at /opt/oss/NSN-sm_hardening/bin/sshAccess4Users.sh and can
only be executed as root. To locate the dmgr node, see Locating the right virtual machine for a
service in Administering NetAct Virtual Infrastructure.

Note: If direct SSH access to root is disabled, log in as a different user for which SSH access is
enabled, for example omc, and switch to root (su - root).

For a comprehensive description of syntax and parameters, see Tool help.


2.2.1 Enabling SSH login


To enable SSH login permissions for NetAct users:

1. Obtain the list of all NetAct users with SSH access status by entering:

[root]# /opt/oss/NSN-sm_hardening/bin/sshAccess4Users.sh --list

Expected outcome

The expected output is similar to:

Account Name Home Dir Login Shell SSH Group SSH/SFTP Access IllegalPrimaryGrp
--------------------------------------------------------------------------------------
atuser /home/atuser /bin/bash yes yes
cmauto NA/cmauto /bin/false no no
demo1 /home/demo1 /bin/bash no no
demo2 /home/demo2 /bin/bash yes yes
demo3 /home/demo3 /bin/false no no
hwchange NA/hwchange /bin/false no no
isdk NA/isdk /bin/false no no
isdkcorb /home/isdkcorb no no
--------------------------------------------------------------------------------------

2. Enable the SSH access by doing the following:

• for a specific user, enter:

[root]# /opt/oss/NSN-sm_hardening/bin/sshAccess4Users.sh --modify --user <user-name> --access on

where <user-name> is the name of the user for which SSH access has to be enabled.
• for a list of users, enter:

[root]# /opt/oss/NSN-sm_hardening/bin/sshAccess4Users.sh --modify --file <fileName> --access on

where <fileName> is the absolute path of the file that contains the list of users for which SSH
access has to be enabled, one user name per line.


Note:

• The $HOME directory for the user is created automatically in case it does not exist.
The shell start-up skeleton files are copied from /etc/skel. By default, the primary
group of the user is recursively assigned to the $HOME directory and all contents
within the directory. For more options and details, see Tool help.
• SSH logins of NetAct users are case-sensitive. For example, if the user name is
Testuser, the user must log in with exactly that case; if the user enters a lower-case
t instead of the upper-case T, the SSH login fails.
• Due to internal caching, newly granted SSH access takes a maximum of 90 minutes to
become effective. To provide immediate access, see Invalidating cache for effective shell access.
• Due to the security feature of the Unix PAM modules, SSH logins are case-sensitive,
although the NetAct Start Page allows users to log in with both upper and lower case:

• The NetAct Start Page login is case-insensitive. For example, the user JohnPaul
can log in to the Start Page with the JohnPaul or johnpaul user name.
• The SSH login is case-sensitive. For example, the user JohnPaul can log in through
SSH with JohnPaul but not with the johnpaul user name.

2.2.2 Disabling SSH login

Disable SSH access for a specific user by entering:

[root]# /opt/oss/NSN-sm_hardening/bin/sshAccess4Users.sh --modify --user <user-name> --access off

Expected outcome

Sample output:

SHELL access for user <user name> set to "off"

Note:

• By default, the $HOME directory is not deleted. To delete the $HOME directory as part
of this operation, use the --rmhome option. The user certificate is also cleaned up when
the --rmhome option is used. For more options and details, see Tool help.
• Due to internal caching, the change of SSH access takes a maximum of 90 minutes to
become effective. To apply it immediately, see Invalidating cache for effective shell access.


2.2.3 Configuring certificates

For the CLIs to communicate with WebSphere services, the user invoking the CLI must be
authenticated without entering a password.

The user authentication is performed using user-specific certificates.

To configure certificates for NetAct user accounts:

1. Obtain the current NetAct user accounts configured with certificates and the remaining certificate
validity by entering:

[root]# /opt/oss/NSN-sm_hardening/bin/sshAccess4Users.sh --certStatus

Sample output:

Account Name Expiry (in days)
------------------------------------
<user1> <days>
<user2> Expired
<user3> <days>
<user4> Expired
<user5> <days>
------------------------------------

Note:

The value of the remaining validity (Expiry) is rounded down to whole days.

If the certificate expires in 10 days 4 hours, the output is 10 days.

If the certificate expires in less than 1 day, the output is Expired.

2. Configure a user certificate for a particular user by entering:

[root]# /opt/oss/NSN-sm_hardening/bin/sshAccess4Users.sh --modify --user <user-name> --configCert <validity>

where <validity> is the validity of the certificate to be generated, given in days or years as in
the examples below.

Example:

• /opt/oss/NSN-sm_hardening/bin/sshAccess4Users.sh --modify --user myUser --configCert 250D
• /opt/oss/NSN-sm_hardening/bin/sshAccess4Users.sh --modify --user myUser --configCert 10Y


Expected outcome

The expected output is similar to:

User certificate created for user <user-name>

Note: Preferred value for certificate validity is 1 year. For more options and details, see Tool
help.

2.3 Listing non-expiring user accounts


The User Management application allows password expiration to be disabled per user account. When
expiration is disabled for an account, the password of that account never expires. Accounts
configured with password expiration disabled can be listed with the command line tool
listUMAccounts.sh.

Note: By default, system users in the directory server never expire and are excluded from the
output of this tool.

Execute the following command as the omc user on the VM where the dmgr service is running. To
locate the correct virtual machine, see Locating the right virtual machine for a service in
Administering NetAct Virtual Infrastructure.

[omc @lab ~]# listUMAccounts.sh -p noexpiry

OR

[omc @lab ~]# listUMAccounts.sh --policy noexpiry


3 Administering user policies

3.1 Configuring policy for system users and end users in directory server

Password policy is a set of rules that governs how passwords are used in a given system. The
password policy mechanism allows you to manage minimum length of a password and lockout policies
of password.

To configure the password policy of a user:

• Go to User Management → Administration → Policy configuration.

The Policy configuration page appears.

Note: Password policies must only be modified using the User Management application and not
manually in the Node Manager server.

The Password policy configuration page displays the following sections:

• Password syntax policy
• Password expiry policy
• Password history policy
• Account lockout policy
• Login name policy

Password character classes are defined as follows:

• Lowercase letters (Example: a, b, c, d)
• Uppercase letters (Example: A, B, C)
• Numbers (Example: 1, 2, 3)
• Special characters (Example: ~!%^&)

Character class: description with example

One character class: the password contains characters from any one of the character classes
stated above. Example: htcestan contains characters from one character class, that is,
lowercase letters.

Two character classes: the password contains characters from any two of the character classes
stated above. Example: xQaTEhbU contains characters from two character classes, that is,
lowercase letters and uppercase letters.

Three character classes: the password contains characters from any three of the character
classes stated above. Example: xQaT3pb contains characters from three character classes, that
is, lowercase letters, uppercase letters and numbers.

Four character classes: the password contains characters from all four of the character classes
stated above. Example: xQaT3& contains characters from four character classes, that is,
lowercase letters, uppercase letters, numbers and special characters.

Table 8: Character class definition

Note: The special characters must be taken from the printable ASCII characters, hexadecimal 21
to hexadecimal 7E.

3.1.1 Login name policy


The Login name policy allows you to manage the supported characters and the maximum length of a
login name.

Field: description

Supported characters in login name: the characters that are supported in a login name.

Note:

• The default set of supported characters is:

ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789_

• Additionally, period (.) and hyphen (-) can be added to the set of supported characters.
However, period (.) is not allowed as the last character and hyphen (-) is not allowed as the
first character.

WARNING! In general, period (.) and hyphen (-) are known to cause authentication failures with
certain NEs and are not recommended. To check whether these characters are supported, see the
corresponding NE documentation.

Maximum length of login name: the maximum length allowed for a login name. The maximum length
may vary between 8 and 20 characters.

Table 9: Login name policy fields


3.1.2 Password expiry policy

Note: Password expiry policy is not applicable for system users.

To configure Password expiry policy:

1. Select User Management Operations → Administration → Policy configuration.
2. Select Yes next to Password expiry.
3. Set the values in the following fields:

Field: description

Password expiry: password expiry for users can be set to Yes or No.

Maximum password age: the maximum duration (in days) the user can wait after changing the
password before having to change it again.

Password warning (1): the duration (in days) by which users are notified in advance that their
password must be changed.

Password grace limit: the number of successful login attempts allowed for a user after the
password has expired.

Table 10: Password expiry policy fields

CAUTION!

• (1) To synchronize the password warning attribute in Node Manager, see Synchronize password
expiry warning in Node Manager.
• Changing the Password expiry configuration from No to Yes may cause the passwords of existing
users to expire immediately. Hence, it is recommended to notify all users of the policy change.
After a successful configuration change, an expired user password can be changed by the
respective user provided Password grace limit has been set to a non-zero value. An expired user
password must be set manually by the administrator if the permitted grace logins are used up or
if Password grace limit is set to zero. This does not apply to user accounts with the Password
never expires option set. For details regarding such accounts, see Listing non-expiring user
accounts.

Note:

• It is possible to change the password expiry configuration for a specific user with the
Password never expires option (excluding system accounts). For more information, see
Creating login profile in User Management Help or Modifying existing login profile in
User Management Help.
• Password expiry is calculated differently by the RedHat directory server in NetAct and
by Microsoft Active Directory in the Node Manager Server. Thus, if the Password expiry
configuration value is changed from No to Yes, the warning notification/message may be
inconsistent upon login to the NetAct Start page and the Node Manager Server (Remote
desktop access).

In Active Directory, the expiration time is calculated from the user creation time and the
last password change time, independent of the Password expiry configuration.

In the RedHat directory server, the expiration time is calculated only when the Password
expiry configuration is set to Yes.
• Password grace login applies to users logging in to the NetAct Start page and not to
users logging in to the Node Manager Server (Remote desktop access/Citrix).
• The password expiry warning is synchronized between the RedHat directory server in NetAct
and Microsoft Active Directory in the Node Manager Server. It has a default value of 10 days.

3.1.2.1 Synchronize password expiry warning in Node Manager


To synchronize the Password warning attribute in the Node Manager Server, perform the following
steps:

1. Log in to any Node Manager DC node as the nmAdmin user using the Remote Desktop application.
2. Open a PowerShell command prompt as administrator and run the following commands.

Note: A User Account Control prompt appears. Select I want to complete this action by
entering my credentials on the authentic windows sign-in screen and follow the instructions
given in the prompts.

a. PS C:\Windows\system32> cd C:\Apps\Oss\platform_sw\Scripts
b. PS C:\Apps\Oss\platform_sw\Scripts>.\updatePasswordExpiryWarning.ps1 -PasswordExpiry <Value>

For example, .\updatePasswordExpiryWarning.ps1 -PasswordExpiry 14.

c. <Value> must be the same as the Password warning attribute in the password policy.

Note: To view the NetAct password policies:

1. Log in to NetAct as the omc user.
2. Select User Management Operations → Administration → Policy configuration.

3.1.3 Password history policy


User Management stores a specific number of old passwords for each user. If a user attempts to
reuse one of the stored passwords, the Password history policy rejects the new password.


Field: description

Passwords in history: the number of previous user passwords to be stored.

Minimum password age: the minimum duration (in days) users have to wait after changing their
password before they can change it again. This prevents users from cycling through the password
history.

Table 11: Password history policy fields

Note: The current password of the user is not counted as a history password. For example, if
Passwords in history is set to 3, the user cannot reuse the current password or the 3 previous
passwords when changing the password.

3.1.4 Account lockout policy

Note: Account lockout policy is not applicable for system users.

The lockout policy works in conjunction with the password policy to provide further security. The
account lockout feature protects against attackers who try to break into the directory by
repeatedly guessing a user's password.

Note:

The temporarily locked user will be unlocked after the User account lockout duration.

Field: description

Lock user account: the user is locked out after a certain number of continuous failed attempts
in a given time period.

Maximum login attempts during Failed login counting period: the maximum number of continuous
failed login attempts allowed for a user in the Failed login counting period. After exceeding
the count, the account is locked. This count is reset:

• For active accounts when:
1. The user successfully logs in.
2. The Failed login counting period expires.
• For locked accounts when:
1. Unlocked by a Security Administrator from the User Management application.
2. Unlocked after the User account lockout duration expires.

Note: After a successful login, the last successful login time and the number of unsuccessful
attempts (if any) are displayed.

User account lockout duration: the lockout duration in hours, that is, the period during which
users are prevented from accessing NetAct after entering a wrong password more times than
Maximum login attempts during Failed login counting period.

Failed login counting period: the time period in which continuous failed login attempts are
counted in order to lock the account. This period starts when the user provides a wrong password
for the first time after the last reset of Maximum login attempts during Failed login counting
period.

Table 12: Account lockout policy fields

Note:

• The User account lockout duration must be greater than the Failed login counting period.
• User lock status is synchronized between the NetAct Directory Server (NetAct DS) and the Node
Manager Active Directory (NMS AD) every five minutes. During each scheduled invocation, up to 50
locked accounts in NMS are synchronized to Nokia DS. The following differences are observed
between Nokia DS and NMS AD:

– When the lockout policy is disabled, locked user accounts:

• can log in to Nokia DS within the User account lockout duration.
• cannot log in to NMS AD until the next account synchronization happens.
– For locked users, a change of the User account lockout duration policy configuration:

• changes the time of account unlock dynamically in NMS AD.
• changes the time of account unlock after another failed login attempt in Nokia DS.
– When the lockout policy is disabled, the failed login count:

• is updated in NMS AD, but the account is not locked out. This leads to the account
being locked on the next failed login to NMS AD once the lockout policy is enabled.
• is not updated in Nokia DS.
– For locked users, any failed login attempt within the Failed login counting period in
Nokia DS updates the time of account unlock in Nokia DS. The account lock status is
synchronized to NMS AD upon the subsequent account synchronization.
– A locked user account in NMS AD is unlocked if a change of the Password never expires
configuration is performed using the User Management application before the next
scheduled synchronization. For changing the Password never expires configuration of a
user account, see Modifying existing login profile in User Management Help.
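The lockout rules in Table 12 and the note above, as an added model (not NetAct's own code): a counter that tracks the Failed login counting period, locks the account once the attempt limit is exceeded, resets on success, period expiry, lockout expiry or administrator unlock, and refreshes the unlock time when a locked user fails again within the counting period, as the note describes for Nokia DS. The numeric defaults are assumptions and times are plain seconds.

```python
"""Account lockout counter modelled on the NetAct policy fields in Table 12.
Added illustration, not NetAct's own code: the numeric defaults are assumptions,
times are seconds since an arbitrary epoch, and a failed attempt during the
lockout refreshes the unlock time (the Nokia DS behaviour described in the note)."""
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class LockoutPolicy:
    lock_user_account: bool = True     # Lock user account: Yes/No
    max_attempts: int = 5              # Maximum login attempts during Failed login counting period
    counting_period_s: int = 15 * 60   # Failed login counting period (assumed 15 minutes)
    lockout_duration_s: int = 60 * 60  # User account lockout duration (assumed 1 hour)

    def is_consistent(self) -> bool:
        # The lockout duration must be greater than the counting period (note above).
        return self.lockout_duration_s > self.counting_period_s


@dataclass
class AccountState:
    failed_count: int = 0              # failures inside the current counting period
    counting_started_at: Optional[float] = None
    locked_until: Optional[float] = None
    last_success_at: Optional[float] = None
    failed_since_last_success: int = 0  # shown to the user after a successful login


class LockoutTracker:
    def __init__(self, policy: LockoutPolicy):
        self.policy = policy
        self.accounts: Dict[str, AccountState] = {}

    def attempt(self, user: str, password_ok: bool, now: float) -> dict:
        """Record one login attempt at time `now` and return its result."""
        p, st = self.policy, self.accounts.setdefault(user, AccountState())
        if st.locked_until is not None and now < st.locked_until:
            if not password_ok:
                st.failed_since_last_success += 1
                # Another failed attempt within the counting period moves the unlock time.
                if (st.counting_started_at is not None
                        and now - st.counting_started_at <= p.counting_period_s):
                    st.locked_until = now + p.lockout_duration_s
            return {"result": "locked", "locked_until": st.locked_until}
        if st.locked_until is not None:           # lockout duration expired: unlock, reset count
            st.locked_until, st.failed_count, st.counting_started_at = None, 0, None
        if (st.counting_started_at is not None
                and now - st.counting_started_at > p.counting_period_s):
            st.failed_count, st.counting_started_at = 0, None   # counting period expired
        if password_ok:
            result = {"result": "ok", "last_success_at": st.last_success_at,
                      "failed_attempts": st.failed_since_last_success}
            st.failed_count, st.counting_started_at = 0, None   # successful login resets count
            st.last_success_at, st.failed_since_last_success = now, 0
            return result
        if st.counting_started_at is None:        # period starts at the first wrong password
            st.counting_started_at = now
        st.failed_count += 1
        st.failed_since_last_success += 1
        if p.lock_user_account and st.failed_count > p.max_attempts:
            st.locked_until = now + p.lockout_duration_s
            return {"result": "locked", "locked_until": st.locked_until}
        return {"result": "failed", "failed_count": st.failed_count}

    def admin_unlock(self, user: str) -> None:
        """Unlock by a Security Administrator: clears the lock and the count."""
        st = self.accounts.setdefault(user, AccountState())
        st.locked_until, st.failed_count, st.counting_started_at = None, 0, None
```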

3.1.5 Password syntax policy


The password syntax checking mechanism ensures that the password strings conform to the password
syntax guidelines established by the password policy.

1. Select User Management Operations → Administration → Policy configuration.
2. Select Yes next to Password syntax check.
3. Set the values in the following fields:

Field: description

Reverse login name in password: controls whether the reversed login name may be used in a
password. For example, if xyz is the login name, this setting determines whether zyx can be
used as the password.

Minimum digits in password: the minimum number of digits the password must contain.

Minimum lower case letters in password: the minimum number of lower case letters the password
must contain.

Minimum upper case letters in password: the minimum number of upper case letters the password
must contain.

Minimum alphabets in password: the minimum number of alphabetic characters the password must
contain.

Maximum character repeat in password: the maximum number of times the same character can appear
sequentially in the password.

Minimum count of special characters in password: the minimum number of special characters that
the password must contain.

Unsupported special characters in password: the characters that are not supported in a
password. NetAct restricts the #$*/@"'\` special characters by default. These default special
characters must not be removed during the policy configuration. Additional special characters
can be added to the policy field.

Minimum password length: the minimum number of characters required in a password. The minimum
length is 8 characters.

Maximum password length: the maximum number of characters allowed in a password. The maximum
length is 64 characters.

Table 13: Password syntax check fields

Note:

For at least three of the following four fields, the Password syntax policy must be configured
to a value greater than zero:

• Minimum digits in password
• Minimum lower case letters in password
• Minimum upper case letters in password
• Minimum count of special characters in password
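The character classes of Table 8 and the syntax fields of Table 13, as an added illustration (not NetAct's own validation code): a checker that classifies a password by character class, reports which Table 13 fields a candidate password violates, and applies the three-of-four rule from the note to the policy itself. The field defaults, the violation codes and the case-insensitive reverse-login-name check are assumptions; the length bounds and the default unsupported characters are taken from the table.

```python
"""Password syntax check modelled on the NetAct directory-server policy
(Table 8 character classes, Table 13 syntax fields and the three-of-four note).
Added illustration, not NetAct's own code: field defaults, violation codes and
the case-insensitive reverse-login-name check are assumptions."""
import string
from dataclasses import dataclass

# Special characters: printable ASCII 0x21..0x7E that are neither letters nor digits.
SPECIAL_CHARS = "".join(chr(c) for c in range(0x21, 0x7F)
                        if chr(c) not in string.ascii_letters + string.digits)
# Characters NetAct restricts by default; they must stay in the policy.
DEFAULT_UNSUPPORTED = '#$*/@"\'\\`'


def char_classes(password: str) -> set:
    """Table 8 character classes present in the password."""
    classes = set()
    for ch in password:
        if ch in string.ascii_lowercase:
            classes.add("lower")
        elif ch in string.ascii_uppercase:
            classes.add("upper")
        elif ch in string.digits:
            classes.add("digit")
        elif ch in SPECIAL_CHARS:
            classes.add("special")
    return classes


def longest_run(text: str) -> int:
    """Longest run of the same character appearing sequentially."""
    best, run, prev = 0, 0, None
    for ch in text:
        run = run + 1 if ch == prev else 1
        best, prev = max(best, run), ch
    return best


@dataclass
class SyntaxPolicy:
    """One attribute per Table 13 field; the default values are assumed."""
    reverse_login_name_allowed: bool = False
    min_digits: int = 1
    min_lower: int = 1
    min_upper: int = 1
    min_alpha: int = 1
    max_char_repeat: int = 2
    min_special: int = 1
    unsupported_special: str = DEFAULT_UNSUPPORTED
    min_length: int = 8
    max_length: int = 64


def policy_problems(policy: SyntaxPolicy) -> list:
    """Checks an administrator should run before saving the policy."""
    problems = []
    counts = (policy.min_digits, policy.min_lower, policy.min_upper, policy.min_special)
    if sum(c > 0 for c in counts) < 3:          # note under Table 13
        problems.append("three_of_four")
    if not (8 <= policy.min_length <= policy.max_length <= 64):
        problems.append("length_bounds")
    if any(c not in policy.unsupported_special for c in DEFAULT_UNSUPPORTED):
        problems.append("default_unsupported_removed")
    return problems


def check_password(policy: SyntaxPolicy, login_name: str, password: str) -> list:
    """Codes of the Table 13 fields the password violates; [] means accepted."""
    digits = sum(c in string.digits for c in password)
    lower = sum(c in string.ascii_lowercase for c in password)
    upper = sum(c in string.ascii_uppercase for c in password)
    unsupported = [c for c in password if c in policy.unsupported_special]
    # Only supported special characters count towards the minimum.
    special = sum(c in SPECIAL_CHARS and c not in policy.unsupported_special
                  for c in password)
    checks = [
        ("min_length", len(password) < policy.min_length),
        ("max_length", len(password) > policy.max_length),
        ("min_digits", digits < policy.min_digits),
        ("min_lower", lower < policy.min_lower),
        ("min_upper", upper < policy.min_upper),
        ("min_alpha", lower + upper < policy.min_alpha),
        ("min_special", special < policy.min_special),
        ("unsupported_special", bool(unsupported)),
        ("max_char_repeat", longest_run(password) > policy.max_char_repeat),
        ("reverse_login_name", not policy.reverse_login_name_allowed and bool(login_name)
         and login_name[::-1].lower() in password.lower()),
    ]
    return [code for code, failed in checks if failed]
```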

3.1.6 Unused login names disable policy


This section describes how to define policies for disabling unused user names. The Unused login
names disable policy checks for login names that have been inactive for the configured Login
names deactivation duration and then disables the corresponding user profile.

Inactivity of a user account can be due to users not logging in to:

• NetAct through the Start page or SSH to any NetAct VM
• Node Manager through remote desktop or the Citrix client

Note:

• System user accounts cannot be deactivated using this policy.
• This feature is available only for the password-based login mechanism.
• This feature is not applicable to login names that are not associated with a profile, such
as external users.
• If a profile has more than one login name (account), and one of the login names is unused
for the configured duration, the entire profile is deactivated, including all the accounts in
that profile.

The Administrator can activate the profile and clean up the login names if required. However, the
security alarms raised because of this policy must be cleared manually.


To disable Unused login names:

1. Select User Management Operations → Administration → Policy configuration.
2. In the Unused login names disable policy section, select Yes next to Disable unused login
names.
3. Set the values in the following fields:

Field: description

Login names deactivation duration: the duration in days after which the user profile of the
unused login names is disabled. The range is 2 to 366. A major alarm (30004) is raised upon
deactivation of the profile.

Warning alarm sent before: the day on which a minor alarm (30003) is sent for unused login
names. The alarm is sent to NetAct Monitor indicating that the user profile of the inactive
names will be disabled if no action is taken. The value in this field must be less than Login
names deactivation duration and must be in the range of 1 to 365 days. The list of unused login
names is included in the alarm details.

Table 14: Unused login names disable policy fields

Note:

• For a user who has logged in to NetAct at least once, a change of the user password by a
security administrator using the User Management application updates the last login time of
the user. Account inactivity for such a user is then calculated from the last password change
time.
• To determine account inactivity, 1500 user accounts are considered per day. If there are
more than 1500 user accounts in NetAct, the remaining user accounts are considered on the
following day.
• A user profile that has an account with Password never expires configured is not considered
for unused user deactivation. For more information on listing the user accounts with the
Password never expires configuration, see Listing non-expiring user accounts.

3.2 Policy for Administrator user account in Node Manager Server


This section provides information about the password policy configuration for the Administrator
user in the Node Manager Server (NMS). This policy is used by the NMS Administrator user at the
time of password change.


The password complexity policy includes:

• Password must contain a minimum of 8 characters
• Password must contain a combination of uppercase letters, lowercase letters, numbers, and non-
alphanumeric characters such as ~!@#$%&*_-+=`\{}()[];"'<>,.?/
• Password must not contain the user's AccountName value or the entire displayName (Full Name
value). Both checks are not case sensitive.
• Password must be the same for DC, CTXDC, VDA, and AS.

3.3 Policy for NetAct system users in oracle database


This chapter provides information about the password policy configuration for unlocked NetAct
database users. The password policy applies only to the unlocked Oracle DB users; see NetAct
default system user of type Oracle DB. This policy is used by the DB users at the time of
password change.

Password complexity check policy:

Note: Password history policy is not applicable for the sys database account.

• Password must contain a minimum of eight characters
• Password must not exceed thirty characters
• Password must not contain the username
• Password must not contain the reverse of the username
• Password must satisfy at least three of the following four conditions:

– At least one lower case alphabetic character
– At least one upper case alphabetic character
– At least one numeric character
– At least one special character

Password expiry policy:

• Password never expires.

Account lockout policy:

• Account is not locked for any number of failed attempts.

Password history policy:

• Password cannot be reused before 365 days.
• Previous six passwords cannot be reused.


3.4 Policy for NetAct system users in Linux OS


This section provides information about the password policy applicable to Linux OS users. This
policy is checked at the time of password change.

Note: In RHEL 8.x, stricter dictionary checks are applied, and some passwords that were
accepted in RHEL 7.x may be rejected when the password is changed. Existing passwords continue
to work.

Password complexity policy:

• Password must be a minimum of 9 characters and must not exceed 50 characters.

Note:

– There is no maximum password length setting in RHEL 8.x, but the password tool limits
the maximum password length to 50 characters for all Linux OS user password changes made
through the tool.
– The minimum password length is configurable. For more information, see Setting password
minimum length for OS users in Administering NetAct System Security.

• Password must contain characters from all four character classes: digits, upper case
letters, lower case letters and special characters.
• Password cannot contain a dictionary word or part of a dictionary word.

Password expiry policy:

• Password never expires.

Account lockout policy:

• Account is not locked for any number of failed attempts.

Password history policy:

• Previous six passwords cannot be reused.

Note: The password history policy is not applicable to the root user.

3.5 ESXi password policy for root user

This section describes the password policy configuration for the ESXi root user. The policy is enforced when the ESXi root user changes the password.

Default password complexity check policy:

• Password length must be more than 7 and less than 40 characters.


• Password must include a mix of characters from three or four character classes: lowercase letters, uppercase letters, numbers, and special characters. For the list of allowed special characters, see Special characters allowed in system user's password.
• Password cannot contain a dictionary word or part of a dictionary word.

Note:

• The following characters are not counted towards the number of character classes used in a password:

– An upper case character at the beginning of the password
– A number at the end of the password

• The default requirements for ESXi passwords can change from one release to the next.
• ESXi uses the Linux PAM module pam_passwdqc for password management and control. You can change the required length and character class requirements, or allow pass phrases, using the ESXi advanced setting Security.PasswordQualityControl.

Account lockout policy:

• By default, a maximum of five failed attempts is allowed before the account is locked (Security.AccountLockFailures = 5). The account is unlocked after 15 minutes by default (Security.AccountUnlockTime = 900 seconds).

3.6 VMware vCenter Server Appliance password policy for root and administrator@vsphere.local user

Note: It is mandatory to use the same password for the root and administrator@vsphere.local users and to follow the same password policy for both.

This section describes the password policy configuration for the vCenter administrator@vsphere.local user. The policy is enforced when the administrator@vsphere.local user changes the password.

Default password complexity check policy:

• Password must be 8-20 characters long.
• Password must contain at least one upper case character.
• Password must contain at least one lower case character.
• Password must contain at least one numeric character.
• Password must contain at least two alphabetic characters.
• Password must contain at least one special (non-alphanumeric) character. For the list of allowed special characters, see Special characters allowed in system user's password.
• Password must not have more than three identical adjacent characters.


Note:

– Even though the root password can be as short as 6 characters, Nokia recommends using the same password policy for both the root and administrator@vsphere.local users, so the root password must also be 8-20 characters long.
– The password for the administrator@vsphere.local user cannot be more than 20 characters long.
– The space character is not allowed.
– Non-ASCII characters are allowed.
– The underscore (_) is allowed together with another special character, but an underscore on its own does not satisfy the special character requirement.
– Administrators can change the default password policy.

Password expiry policy:

• Password must be changed every 90 days.

Account lockout policy:

• By default, the administrator@vsphere.local user is not affected by the lockout policy.

Password history policy:

• Previous five passwords cannot be reused.
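The following Python script is an added example, not code from NetAct, Oracle or VMware. It encodes the Oracle DB user policy (section 3.3), the Linux OS user policy (section 3.4), the ESXi root policy (section 3.5) and the vCenter administrator@vsphere.local policy (section 3.6) as local pre-checks that an administrator can run on a candidate password before attempting the change on the target system. The ESXi check reproduces the pam_passwdqc convention that a leading upper case letter and a trailing digit do not count towards the character classes, which is why a password such as Passw0rd1 counts as only two classes and is rejected. Dictionary checks, the exact list of allowed special characters, and the case handling of the Oracle username check (treated case-insensitively here) are not defined on this page and are assumptions of the example.

```python
"""Local pre-checks for the NetAct system user password policies in sections 3.3 to 3.6.
Added example, not NetAct, Oracle or VMware code; dictionary checks are not implemented,
so passing here does not guarantee that the target system accepts the password."""
import re


def count_classes(pw: str, passwdqc_style: bool = False) -> int:
    """Number of classes (lower, upper, digit, special) used by pw. With
    passwdqc_style=True the pam_passwdqc rule used by ESXi applies: an upper case
    letter at the start and a digit at the end do not count towards the classes."""
    lowers = sum(c.islower() for c in pw)
    uppers = sum(c.isupper() for c in pw)
    digits = sum(c.isdigit() for c in pw)
    specials = len(pw) - lowers - uppers - digits
    if passwdqc_style and pw:
        if pw[0].isupper():
            uppers -= 1
        if pw[-1].isdigit():
            digits -= 1
    return sum(1 for n in (lowers, uppers, digits, specials) if n > 0)


def check_oracle_db(pw: str, username: str) -> list:
    """Section 3.3: 8-30 characters, no username or reversed username, at least three
    of the four classes. Username matching is case-insensitive here (assumption)."""
    problems = []
    if len(pw) < 8:
        problems.append("shorter than 8 characters")
    if len(pw) > 30:
        problems.append("longer than 30 characters")
    low, user = pw.lower(), username.lower()
    if user and user in low:
        problems.append("contains the username")
    if user and user[::-1] in low:
        problems.append("contains the reversed username")
    if count_classes(pw) < 3:
        problems.append("fewer than 3 of the 4 character classes")
    return problems


def check_linux_os(pw: str) -> list:
    """Section 3.4: 9-50 characters (50 is the password tool's limit), all four classes."""
    problems = []
    if not 9 <= len(pw) <= 50:
        problems.append("length must be 9-50 characters")
    if count_classes(pw) < 4:
        problems.append("all four character classes are required")
    return problems


def check_esxi_root(pw: str) -> list:
    """Section 3.5 defaults: more than 7 and fewer than 40 characters, three or four
    classes counted the pam_passwdqc way."""
    problems = []
    if not 7 < len(pw) < 40:
        problems.append("length must be more than 7 and less than 40 characters")
    if count_classes(pw, passwdqc_style=True) < 3:
        problems.append("fewer than 3 classes once the leading upper case letter "
                        "and trailing digit are discounted")
    return problems


def check_vcenter_sso(pw: str) -> list:
    """Section 3.6 defaults for administrator@vsphere.local (and, as the page
    recommends, root). An underscore alone does not count as a special character."""
    problems = []
    if not 8 <= len(pw) <= 20:
        problems.append("length must be 8-20 characters")
    if " " in pw:
        problems.append("space character is not allowed")
    if not any(c.isupper() for c in pw):
        problems.append("needs an upper case character")
    if not any(c.islower() for c in pw):
        problems.append("needs a lower case character")
    if not any(c.isdigit() for c in pw):
        problems.append("needs a numeric character")
    if sum(c.isalpha() for c in pw) < 2:
        problems.append("needs two alphabetic characters")
    if not any(not c.isalnum() and c != "_" for c in pw):
        problems.append("needs a special character")
    if re.search(r"(.)\1{3}", pw):
        problems.append("more than three identical adjacent characters")
    return problems


if __name__ == "__main__":
    # Constructed candidates, not real credentials.
    print("oracle :", check_oracle_db("Str0ng#Pass", "scott") or "OK")
    print("esxi   :", check_esxi_root("Passw0rd1") or "OK")
    print("vcenter:", check_vcenter_sso("Good_Pass1") or "OK")
```

Each check returns the list of violated rules rather than a single boolean, so an administrator sees every reason a candidate would be rejected in one pass instead of discovering them one at a time on the target system.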

3.7 Avamar Virtual Edition password policy for Linux OS default user accounts

For information on the password policies for Avamar Virtual Edition (AVE) Linux OS default user accounts, see Common password policies for all AVE user accounts in Administering Backups.

3.8 Avamar Virtual Edition password policy for MCUser, repluser, and Avamar root user

For information on the password policies for the Avamar Virtual Edition (AVE) MCUser, repluser, and Avamar root user accounts, see Common password policies for all AVE user accounts in Administering Backups.


4 Changing login delay for login to NetAct GUI

To limit the rate of unsuccessful login attempts to the NetAct GUI, a delay is applied after each unsuccessful login on the NetAct Login page and on the Session management re-authentication page. A new login attempt is only possible after this delay. The delay is a protection against brute force attacks through the NetAct GUI login. By default, the delay is one second; the default value can be changed.

Note: Only a NetAct administrator can change the value of the login delay.

To change the login delay value, do the following:

1. Log in through SSH, as the omc user, to any VM where the syswas service is running.

To locate the right NetAct VM, see Locating the right virtual machine for a service in Administering NetAct Virtual Infrastructure.

2. Check whether the file Pref_system_login_settings.xml already exists in /etc/opt/oss/global/custom/conf/javaprefs/Authentication and, if it does, take a backup by executing the following command:

[omc@lab ~]$ mv /etc/opt/oss/global/custom/conf/javaprefs/Authentication/Pref_system_login_settings.xml /var/tmp/Pref_system_login_settings.bkp

3. Copy the Pref_system_login_settings.xml file to the custom location:
a) Create the directory /etc/opt/oss/global/custom/conf/javaprefs/Authentication if it does not exist. Change the owner of this directory to omc and the group to sysop.
b) Copy the preference file to the custom location by executing:

[omc@lab ~]$ cp -p /var/opt/oss/global/javaprefs/Authentication/Pref_system_login_settings.xml /etc/opt/oss/global/custom/conf/javaprefs/Authentication

4. Change the value of entry key="delay" in the copied file.

Note: It is recommended to keep the value of entry key="delay" in the range of 1-60 seconds.

5. If a backup was taken in step 2, carry over any other custom values from the backup file to /etc/opt/oss/global/custom/conf/javaprefs/Authentication/Pref_system_login_settings.xml. Remove the backup file after the custom values have been transferred.
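As an added example, not part of the NetAct tooling, the following Python script performs step 4 with the two checks an administrator would want: it refuses a delay outside the recommended 1-60 second range, and it refuses to touch the file unless exactly one entry key="delay" is found, leaving every other byte of the file (XML declaration, comments, other custom entries) unchanged. The sample file content is constructed for the example; the real layout of Pref_system_login_settings.xml is not shown on this page, and the script assumes only that the setting is stored as <entry key="delay" value="N"/> with the key attribute before value.

```python
"""Set the NetAct GUI login delay in Pref_system_login_settings.xml.

Added example, not NetAct tooling. The real layout of the preference file is not
shown on the page; the only assumption made is that the setting is written as
<entry key="delay" value="N"/> with the key attribute before the value attribute.
"""
import re
import shutil
from pathlib import Path

# Matches only the value attribute of the delay entry, so that the rest of the
# file (XML declaration, DOCTYPE, comments, other entries) is left untouched.
DELAY_ENTRY = re.compile(r'(<entry\s+key="delay"\s+value=")(\d+)(")')

# Constructed stand-in for the preference file, used by the demo below.
SAMPLE_XML = """<?xml version="1.0" encoding="UTF-8"?>
<!-- constructed sample; not the real Pref_system_login_settings.xml -->
<map>
  <entry key="delay" value="1"/>
  <entry key="someOtherSetting" value="keep-me"/>
</map>
"""


def get_login_delay(xml_text: str) -> int:
    """Return the current delay, or raise if the entry is absent or duplicated."""
    matches = DELAY_ENTRY.findall(xml_text)
    if len(matches) != 1:
        raise ValueError(f'expected exactly one entry key="delay", found {len(matches)}')
    return int(matches[0][1])


def set_login_delay(xml_text: str, seconds: int) -> str:
    """Return xml_text with the delay entry set to seconds (1-60, as recommended)."""
    if not isinstance(seconds, int) or not 1 <= seconds <= 60:
        raise ValueError("login delay must be an integer in the range 1-60 seconds")
    get_login_delay(xml_text)  # validates that exactly one delay entry exists
    return DELAY_ENTRY.sub(lambda m: f"{m.group(1)}{seconds}{m.group(3)}", xml_text)


def update_file(path: Path, seconds: int, backup_dir: Path = Path("/var/tmp")) -> Path:
    """Back up path into backup_dir (as in step 2), then rewrite it in place
    with the new delay (step 4). Returns the backup path."""
    backup = backup_dir / (path.stem + ".bkp")
    shutil.copy2(path, backup)
    path.write_text(set_login_delay(path.read_text(), seconds))
    return backup


if __name__ == "__main__":
    updated = set_login_delay(SAMPLE_XML, 5)
    print(f"delay before: {get_login_delay(SAMPLE_XML)} s, after: {get_login_delay(updated)} s")
    print(updated, end="")
```

A regular expression is used instead of an XML parser on purpose: re-serialising the file with a parser would drop the DOCTYPE and comments, and the preference loader may depend on them, whereas this edit changes only the digits inside the value attribute.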


5 Controlling network element access with Network Element Access Control application

Credentials for accessing the network elements can be managed with the Network Element Access Control (NEAC) application. The application lets you manage the service users of a network element and provides both a graphical user interface (GUI) and a command line interface (CLI).

You can do the following with the Network Element Access Control application:

• View network element credentials.

• Create and modify credentials in the NetAct database.

• Grant credentials to a group and revoke credentials from a group.

• Provision credentials from NetAct to network elements.

• Delete credentials from network elements

• Delete credentials from the NetAct database.

• Create and view profiles.

The following can be done with the NEAC CLI. The CLI is useful if you need several network element credentials with identical permissions to the same network element.

• View granted services and service types.

• View groups.

The Credentials table (Table 15) describes the credentials of a network element.

Service type
    The service type is an interface or protocol used to communicate with the network element. For example, FTP Access, FTAM Access, HTTP Access and so on.

Profile
    The profile defines the commands that a service user can provide for a managed object.

    For example, if you select FTP Access as a service type, it supports the following profiles:

    • FTP Read Access - The service user can perform only read operations in the system.
    • FTP Write Access - The service user can perform both read and write operations in the system.

Group
    The group refers to the application groups present in the system. For example, sysop, wassvrid and so on.

    For more information on groups, see About permission management in Permission Management Help.

Service user
    A service user is a managed object user account with an ID, password and authority profile. The user account is used by NetAct applications to access managed objects through a specific service type.

Network element
    The network element is a system that can be managed, monitored, or controlled in a network. It has multiple standard interfaces, and is identified by a unique management address.

    The credentials are divided into the following types:

    • All NE instances: The credentials are applied to all the NE instances present in the system for a service type and profile combination.
    • NE Type: The credentials are applied to a particular NE type in the system for a service type and profile combination, that is, to all network elements of that NE type.
    • Individual NE: The credentials are applied to individual network elements in the system for a service type and profile combination.
    • MR: The credentials are applied to an MR with a particular service type and profile combination.

Maintenance Region
    The maintenance region (MR) is a part of the network that is maintained by a specific service organization. It also refers to a group of managed objects defined by the system administrator. For example, managed objects located in a specific geographical area can be grouped into a maintenance region.

Provisioning status
    Shows the provisioning status of the service user and whether provisioning is supported for the service user. For more information about the provisioning status, see What to do when the network element provisioning status is new, modified, or failed in Network Element Access Control Help.

Enable auto provisioning
    NEAC automatically provisions the user accounts at the configured time only when the network element has raised the default password alarm and the user accounts are configured with auto provision at the maintenance region level. This helps to mitigate the security risks caused by default passwords on the network elements.

    By default, the Automated Default Password Change feature is disabled. For more information about auto provisioning, enabling or disabling the Automated Default Password Change feature, and configuring the provisioning trigger time, see Manage auto provisioning of credentials in Network Element Access Control Help.

Table 15: Credentials


6 Controlling network element access with Centralized Network Element User Management

The Centralized Network Element User Management (CNUM) feature (also known as Centralized User Authentication and Authorization (CUAA) or Remote User Identification Management (RUIM)) enables network elements to authenticate and authorize users against a centralized user repository (LDAP directory). For an introduction to CNUM, see Centralized NE user management in Security Management Overview and Operations.

Note: For some network elements, CNUM is not supported for all operations triggered from NetAct, which means that service users are still used for those operations. For more information, see the corresponding Network element specific prerequisites and procedures section.

This chapter describes the procedures for taking CNUM into use, for maintaining it, and for rolling back to the local user management of the network elements.

CNUM in NetAct

CNUM is managed in NetAct with two tools: the Network Element Access Control (NEAC) application, which activates and deactivates CNUM in the network elements, and the Permission Management (PEM) application, which assigns the necessary permissions to roles and user groups. For information on how to use these applications, see the corresponding online help.

The following flow chart depicts the steps to activate CNUM:


Figure 1: Steps to activate CNUM

6.1 NetAct prerequisites

This section describes the requirements on the NetAct side for activating CNUM:

• Checking if CNUM license is installed
• Ensure that LDAP certificate is installed
• Configuring the administration service user
• Configuring the network element permissions
• Restricted anonymous login to the LDAP directory

6.1.1 Checking if CNUM license is installed

1. Log in to the NetAct Start Page.


a) In the address field of your internet browser, type the following URL address:

https://<system_FQDN>/startpage

where <system_FQDN> is the fully qualified domain name of the NetAct cluster load balancer
for WebSphere. For more information, see Launching the NetAct Start Page.
b) Type the Username and Password, and click Log In.

Note: If the terms and conditions appear, select the I have read and agree to
the above terms and conditions check box, and then click Log In. For more
information, see Modifying terms and conditions page.

c) Click Accept or Continue.

The NetAct Start Page appears.

Note: Log in to NetAct as a user who has permission to launch the License Manager.

2. Click Configuration → License Manager.

3. Click the NetAct Software Licenses tab.

Check that the feature code of the required CNUM license is present, as listed in Network element specific prerequisites and procedures. If it is not available, contact the Nokia Technical Support team.

6.1.2 Ensure that LDAP certificate is installed

For a secure LDAP connection, either LDAPS or StartTLS is the recommended protocol. To support these protocols, certificates need to be installed in NetAct and in the network elements.

To verify whether the LDAP certificate is already applied, see Checking if LDAP certificates are installed.

If the verification fails, the LDAP certificate is not installed on NetAct and must be installed.

1. To install the LDAP certificate, generate it with either the NetAct Smart Certificate (SmCert) CA or a third party CA.

• Using SmCert CA (NetAct CA): create a CA using the NetAct provided scripts and use this CA to generate the LDAP certificate.
• Using a third party CA: use any existing CA (third party CA) to generate the LDAP certificate.

To generate and install the LDAP certificate, see Managing certificates in Administering NetAct System Security.


To check that the LDAP certificate is applied successfully, execute the verification steps described in Checking if LDAP certificates are installed.

2. Install the LDAP signer certificate on the network element.

Obtain the LDAP signer certificate by following the instructions in Root CA certificate for NetAct services in Administering NetAct System Security, using dirsrv as the service.

Copy the LDAP signer certificate to the network element and install it.

For more information, see Network element specific prerequisites and procedures.

Note: This step is mandatory for CNUM to support secure LDAP.

3. Install the network element certificate.

This step is optional for a secure LDAP connection.

Some NEs require an NE certificate for a secure LDAP connection; in such cases, an NE certificate and private key must be generated and installed in the NE. For more information, see Network element specific prerequisites and procedures.

Note: If the NE certificate is signed by a certification hierarchy different from the one used for the LDAP certificate, the certificate of the root CA of the network element's certification hierarchy must be added to the LDAP trust store (dirsrv endpoint). For more information, see Adding additional trust anchors in Administering NetAct System Security.

6.1.2.1 Checking if LDAP certificates are installed

To verify whether the LDAP certificate is already applied:

1. Log in to the NetAct VM where the dmgr service is running and switch to the root user.

To locate the right VM, see Locating the right virtual machine for a service in Administering NetAct Virtual Infrastructure.

2. Check that a secure Directory Server (LDAP) search succeeds, both by addressing each dirsrv node directly and through the ldapAccessFqdn:

ldapsearch -D "cn=Manager" -W -H ldaps://<Fqdn>

When prompted, enter the password for the user "cn=Manager".

<Fqdn> can be any of ldapFqdnPri, ldapFqdnSec or ldapAccessFqdn.


Note:

To use ldapFqdnPri for verification, the dirsrv VM must be up and running. To use ldapFqdnSec, the dirsrv-secondary VM must be up and running, and to use ldapAccessFqdn, either the dirsrv or the dirsrv-secondary VM must be up and running.

The LDAP password can be obtained by executing the following command:

/opt/nokia/oss/bin/syscredacc.sh -user "cn=Manager" -type ds

To locate the right VM (ldapFqdnPri, ldapFqdnSec, ldapAccessFqdn), see Locating the right virtual machine for a service in Administering NetAct Virtual Infrastructure.

For example:

ldapsearch -D "cn=Manager" -w "Manager" -H ldaps://myLdapAccessnode.myDomain.com

The example passes the password with -w only for illustration. Prefer -W, as in step 2, so that the password is prompted for instead of being written to the shell history and exposed in process listings.

Verification is successful if the data present in LDAP is displayed.

6.1.3 Service user for CNUM provisioning

For CNUM provisioning in a network element, NetAct must be able to access the network element through a service user that is authorized to perform this action. Check Network element specific prerequisites and procedures for the service users required for CNUM provisioning. If that service user is not present in NEAC, create it and grant it to the NetAct user who will perform the CNUM operations.

6.1.4 Service user usage post CNUM activation

For some network elements, CNUM is not supported for all operations triggered from NetAct, which means that service users are still used for those operations. For more information, see the corresponding Network element specific prerequisites and procedures section.

6.1.5 Network element permissions

When CNUM is activated, the network element authenticates and authorizes the NetAct user against the NetAct LDAP server. Therefore, make sure that the required NE permissions are granted to the roles and that the User Group - Role association is scoped to the NE/MR before CNUM activation.

• Scope the User Group - Role association to the given NE/MR using the Scope Editor in the Permission Management application before CNUM activation.
• If only NetAct default roles are planned to be used, it is sufficient to ensure the scoping of the User Group - Role association to the NE/MR.


• For custom roles, required NE permissions must be granted to those custom roles and scoping
of User Group - custom Role association to NE/MR must be ensured. For more information, see
Granting permissions to a role in Permission Management Help.

6.1.6 Restricted anonymous login to the LDAP directory

Anonymous login to LDAP is recommended to be disabled as part of NetAct security hardening, see Disabling anonymous bind to LDAP in Administering NetAct System Security. This recommendation also holds when CNUM is enabled. However, some network elements require an anonymous bind for certain CNUM use cases, and if CNUM is to be enabled for such a network element, restricted anonymous login to the LDAP server has to be enabled.

Restricted access to the LDAP directory server allows anonymous users read access to the ou=individual,ou=LDAPConfData,ou=Authorization,ou=ruim,<BASE_DN> LDAP node and its sub-nodes, for reading CNUM related configuration data. The -v option of the script below shows the access control instructions that are actually in effect for the anonymous user.

Check Network element specific prerequisites and procedures to find out whether restricted anonymous login needs to be enabled for the given network element. If it does, proceed as follows:

1. Log in to the NetAct VM where the dmgr service is running as the omc user.

To locate the right VM, see Locating the right virtual machine for a service in Administering NetAct Virtual Infrastructure.

2. Switch to the root user.

3. Find the current status of anonymous LDAP access by executing the following command:

/opt/oss/NSN-sm_hardening/bin/ConfigureAnonymousLdapBind.sh -status

If anonymous login to LDAP is disabled, the expected response is Anonymous LDAP access is currently: 'Disabled'.

4. To enable restricted anonymous LDAP access, execute the following command:

/opt/oss/NSN-sm_hardening/bin/configureRestrictedLdapAccess.sh -e

The configureRestrictedLdapAccess.sh script provides the following options:

• -s, --status: shows the current status of anonymous access.
• -e, --enable: enables restricted anonymous access to LDAP data.
• -r, --revert: reverts anonymous LDAP access to the state before this script was executed.
• -h, --help: shows usage information.
• -v, --verbose: shows additional information where applicable. Useful for displaying the current access rights of the anonymous user and the defined access control instructions.


Note: If anonymous login to LDAP was not disabled during NetAct hardening and needs to be disabled before CNUM activation (to follow the recommendation), first perform Disabling anonymous bind to LDAP in Administering NetAct System Security and then enable restricted anonymous access using configureRestrictedLdapAccess.sh.

Expected outcome

Enabling restricted anonymous LDAP access completed successfully.

6.2 Network element specific prerequisites and procedures

Before activating Centralized NE User Management in a network element, check the requirements for that specific network element.

For information on the procedures to be followed before CNUM activation, see the network element procedure in the respective network element integration document.

6.2.1 Configuring CNUM for Flexi NS

Flexi NS supports Centralized Network Element User Management (CNUM) in NetAct. For more information on CNUM, see Controlling network element access with Centralized Network Element User Management in Administering Users and Permissions.

6.2.1.1 CNUM Prerequisites for Flexi NS

The prerequisites for configuring CNUM are listed in the following table (Table 16).

Licenses
    Feature code: 0000005095
    Feature name: Centralized NE User Management for PaCo

Service Type(s) needed to activate CNUM
    NEUM Admin Access

Supported Flexi NS releases for CNUM
    • (ATCA) Flexi NS 18 Standalone MME and later releases
    • (ATCA) Flexi NS 18 Combined SGSN/MME and later releases
    • (ATCA) Flexi NS 18 Standalone SGSN through NE3S/WS and later releases

Supported LDAP access types
    StartTLS

Supported IP versions
    IPv4/IPv6

Integrate Flexi NS to NetAct
    See Overview of Flexi NS integration in Integrating Flexi NS to NetAct.

    Note: Ensure that port 389 is open from Flexi NS to the LB WAS virtual IP during integration. In the Network Element Access Control application, get the NEUM Admin Access user, which is the Network Element Access Control admin user on Flexi NS. The user must have the I=250 permission. This user is used to log in to Flexi NS to perform the operations in this document.

Create NetAct user to activate Flexi NS CNUM from NEAC GUI with required roles
    The following roles are required:
    • FM-Fault Management Admin
    • SM-Security Administration

Enable restricted anonymous access
    See Restricted anonymous login to the LDAP directory in Security Management → Security Management Operating Procedures → Administering Users and Permissions → Controlling network element access with Centralized Network Element User Management → NetAct prerequisites.

Table 16: Requirements needed for configuring CNUM

6.2.1.2 Limitations

After CNUM is activated, the length of a Flexi NS user name must be in the range of 3 to 6 characters for Flexi NS 18 and Flexi NS 18.5.

Note:

• Because of this limitation on Flexi NS, if the length of the NetAct user name does not match the rule, the user is not allowed to log in to Flexi NS, and NetAct falls back to Network Element Access Control (NEAC) automatically.
• The Flexi NS password must contain 6 to 15 characters, consisting of alphanumeric characters and ASCII characters from HEX 21 to HEX 7E.

6.2.1.3 Installing and activating Network Element Certificate

6.2.1.3.1 Applying certificates for Flexi NS

You can use the local NetAct Smart Certificate (SmCert) CA, a SmCert CA on a separate machine, or a third party CA. This section uses the local NetAct SmCert CA to sign the certificates as the example.


Note: If the NetAct LDAP certificate is signed by the root CA, use the root CA to sign the Flexi NS certificate. If the NetAct LDAP certificate is signed by an intermediate CA, use that intermediate CA's root CA to sign the Flexi NS certificate.

6.2.1.3.1.1 Generating NE certificate and key for Flexi NS

1. Generate certificate signing request and key for Flexi NS by referring to Generating certificate
signing requests and keys in Administering NetAct System Security.

Expected outcome

The following file was generated:

/opt/oss/NSN-sm_conf_cert/generated/server/<systemName>_<certId>Key.pem

2. Generate certificate for Flexi NS by referring to Signing using NetAct CA in Administering NetAct
System Security.

Expected outcome

The following file was generated:

/opt/oss/NSN-sm_conf_cert/generated/server/<systemName>_<certId>Cert.pem

6.2.1.3.1.2 Converting Flexi NS certificate, private key and signer certificate

Convert the Flexi NS certificate, private key and signer certificate from PEM format to DER binary.

1. Log in to the NetAct VM where the dmgr service runs as the omc user, and switch to the root user.

2. Create a temporary directory by executing:

mkdir /tmp/FLEXINS_CERT/

3. Navigate to the directory you created in step 2 by executing:

cd /tmp/FLEXINS_CERT/

4. Get the password that protects the private key generated together with the certificate by executing:

cat /opt/oss/NSN-sm_conf_cert/templates/serverKey.pwd

5. Convert the Flexi NS certificate from PEM format to DER binary OWNCERT.BIN by entering:

openssl x509 -inform PEM -outform DER -in /opt/oss/NSN-sm_conf_cert/generated/server/<systemName>_<certId>Cert.pem -out OWNCERT.BIN


For example:

openssl x509 -inform PEM -outform DER -in /opt/oss/NSN-sm_conf_cert/generated/server/NetAct_FNSCert.pem -out OWNCERT.BIN

6. Convert the Flexi NS private key from PEM format to DER binary OWNPRIV.BIN by entering:

openssl rsa -inform PEM -outform DER -in /opt/oss/NSN-sm_conf_cert/generated/server/<systemName>_<certId>Key.pem -out OWNPRIV.BIN

For example:

openssl rsa -inform PEM -outform DER -in /opt/oss/NSN-sm_conf_cert/generated/server/NetAct_FNSKey.pem -out OWNPRIV.BIN

Note: If a password is requested, enter the password you obtained in step 4. The resulting OWNPRIV.BIN contains the private key unencrypted, so keep it only in /tmp/FLEXINS_CERT until it has been transferred to Flexi NS.

7. Convert the signer CA certificate for Flexi NS from PEM format to DER binary CACERT.BIN by entering:

openssl x509 -inform PEM -outform DER -in <Signer_CA_Certificate_for_FlexiNS> -out CACERT.BIN

For example:

openssl x509 -inform PEM -outform DER -in /opt/oss/NSN-sm_conf_cert/generated/certificationAuthority/NetAct_L0_CACert.pem -out CACERT.BIN

8. Change the ownership of the directory and the BIN files by entering:

chown omc:sysop /tmp/FLEXINS_CERT

chown omc:sysop *.BIN

After the operations above, you have the following files available:

OWNCERT.BIN

OWNPRIV.BIN

CACERT.BIN

9. Remove the following files:

/opt/oss/NSN-sm_conf_cert/generated/server/<systemName>_<certId>Cert.pem

/opt/oss/NSN-sm_conf_cert/generated/server/<systemName>_<certId>Key.pem
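What openssl does in steps 5 to 7, together with a check worth running on the resulting BIN files, as an added Python example that is not part of NetAct: a PEM file is the DER encoding wrapped in base64 between BEGIN and END lines, so the conversion is a base64 decode. The helper refuses legacy encrypted PEM bodies (those carrying Proc-Type and DEK-Info headers), which is the case openssl rsa handles by prompting for the step 4 password. der_length_ok checks that a file holds exactly one complete DER SEQUENCE, which catches a truncated or partially transferred OWNCERT.BIN, OWNPRIV.BIN or CACERT.BIN before it is installed on Flexi NS. The sample bytes are a constructed minimal DER structure, not a real certificate; the file and label names are assumptions of the example.

```python
"""PEM to DER handling for the Flexi NS certificate files.

Added example, not NetAct tooling. It does what `openssl x509 -inform PEM -outform DER`
does for a certificate and what `openssl rsa` does for an unencrypted key; legacy
encrypted PEM keys are rejected rather than decrypted.
"""
import base64
from pathlib import Path


def pem_to_der(pem: str, label: str = "CERTIFICATE") -> bytes:
    """Decode the base64 body between the BEGIN/END lines of the given label."""
    begin, end = f"-----BEGIN {label}-----", f"-----END {label}-----"
    lines = [line.strip() for line in pem.splitlines()]
    if begin not in lines or end not in lines:
        raise ValueError(f"no {label} block found")
    body = lines[lines.index(begin) + 1:lines.index(end)]
    # Legacy encrypted keys carry "Proc-Type:" / "DEK-Info:" header lines; base64
    # never contains a colon, so any such line means the key must be decrypted
    # first (openssl rsa prompts for the step 4 password to do that).
    if any(":" in line for line in body):
        raise ValueError("encrypted PEM body; decrypt it before converting")
    return base64.b64decode("".join(body), validate=True)


def der_to_pem(der: bytes, label: str = "CERTIFICATE") -> str:
    """Inverse of pem_to_der, used here to build the sample input."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "\n".join([f"-----BEGIN {label}-----", *lines, f"-----END {label}-----", ""])


def der_length_ok(der: bytes) -> bool:
    """True if der is exactly one complete DER SEQUENCE (tag 0x30).

    Certificates, RSA private keys and CA certificates are all SEQUENCEs, so a
    length mismatch means the file was truncated or has trailing garbage.
    """
    if len(der) < 2 or der[0] != 0x30:
        return False
    first = der[1]
    if first < 0x80:                      # short form: length fits in one byte
        header, length = 2, first
    else:                                 # long form: 0x8n followed by n length bytes
        n = first & 0x7F
        if n == 0 or n > 4 or len(der) < 2 + n:
            return False
        header, length = 2 + n, int.from_bytes(der[2:2 + n], "big")
    return header + length == len(der)


def convert_file(src: Path, dst: Path, label: str = "CERTIFICATE") -> int:
    """Write the DER form of src to dst and return the number of bytes written."""
    der = pem_to_der(src.read_text(), label)
    if not der_length_ok(der):
        raise ValueError(f"{src}: decoded DER is not a single complete SEQUENCE")
    dst.write_bytes(der)
    return len(der)


# Constructed sample: SEQUENCE { INTEGER 5, OCTET STRING "A" }. Not a real
# certificate, just enough structure to exercise the checks above.
SAMPLE_DER = bytes.fromhex("30 06 02 01 05 04 01 41")
SAMPLE_PEM = der_to_pem(SAMPLE_DER)

if __name__ == "__main__":
    der = pem_to_der(SAMPLE_PEM)
    print(f"decoded {len(der)} bytes, complete SEQUENCE: {der_length_ok(der)}")
    print(f"truncated copy passes the check: {der_length_ok(der[:-1])}")
```

After the SFTP transfer in the next section, the same length check can be applied to the copy that arrived on the far side (compare the byte count against what convert_file returned) before the files are activated with the MML commands.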


6.2.1.3.1.3 Installing Flexi NS certificate, private key and the signer certificate

1. Log in to Flexi NS through SSH or Telnet.

2. Check the SSL/TLS protocol definitions by entering:

ZI3I:OMU;

Expected outcome

An example output:

LOADING PROGRAM VERSION 3.2-0
CDS MINEA 2013-11-06 04:43:20
INTERROGATING SSL/TLS LAYER DEFINITIONS
LOCAL DEFAULT LOCAL DEFAULT TRUSTED CA
UNIT CERTIFICATE PRIVATE KEY CERTIFICATE
--------------- --------------- --------------- -----------
COMMAND EXECUTED

Note: If an OMU entry already exists (as in the output below) and TLS is not used by other functions, remove it by entering ZI3D:OMU;. Example output of the deletion:

LOADING PROGRAM VERSION 4.4-0
Flexi NS vSAMANTHA 2015-12-03 10:48:10
DELETED SSL/TLS LAYER DEFINITIONS
LOCAL DEFAULT LOCAL DEFAULT TRUSTED CA
UNIT CERTIFICATE PRIVATE KEY CERTIFICATE
--------------- --------------- --------------- ---------------
OMU OWNCERT OWNPRIV CACERT
COMMAND EXECUTED

If TLS is used by other functions, contact Nokia Technical Support for further
investigation.

3. Transfer the Flexi NS certificate, private key and the signer certificate from NetAct to Flexi NS through FTP or SFTP. Prefer SFTP where the network element supports it: FTP sends the login credentials and the private key in clear text.
a) Log in to the NetAct VM where the dmgr service runs as the omc user.
b) Navigate to /tmp/FLEXINS_CERT, where the BIN files were created.
c) Enter the following command:

sftp <user>@<IP_address_of_Flexi_NS>

Expected outcome

An example output:

Connecting to <IP_address_of_Flexi_NS>
The authenticity of host '<IP_address_of_Flexi_NS> (<IP_address_of_Flexi_NS>)' can't be established.
RSA key fingerprint is 41:72:a4:59:18:b1:e5:ba:c8:c4:94:aa:67:df:59:25.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '<IP_address_of_Flexi_NS>' (RSA) to the list of known hosts.
<user>@<IP_address_of_Flexi_NS>'s password:

Note: Answer yes only after comparing the fingerprint with the one recorded for this Flexi NS; accepting an unknown host key would hand the private key to whatever host answers at that address.

d) Navigate to the default directory by entering:

cd /DW0-/<the directory of BIN on Flexi NS>

You can find the directory of the BIN files on Flexi NS by entering ZWQO:CR;. Example output:

LOADING PROGRAM VERSION 14.32-0


PACKAGES CREATED IN OMU:
SW-PACKAGE STATUS DIRECTORY ENVIRONMENT
DEF ACT
PACKAGE-ID (REP-ID) DELIVERY
CD-ID
FB150806 FB FLXFB150806 N6 1.13-0 -
Y
N6 1.13-0 CID000NX 10.12-0
N6011300 BU N6_1_13_0 N6 1.13-0
Y Y
N6 1.13-0 CID000NX 10.12-0

Find the line where the value of DEF is Y, and the value of DIRECTORY in the line is the
directory of BIN files on Flexi NS. In the above example, N6_1_13_0 is the directory of BIN
files on Flexi NS.
e) Transfer the OWNCERT.BIN, OWNPRIV.BIN and CACERT.BIN into the default directory by
entering:

put OWNCERT.BIN

put OWNPRIV.BIN

put CACERT.BIN
f) Remove the OWNCERT.BIN, OWNPRIV.BIN and CACERT.BIN in the /tmp/FLEXINS_CERT
directory and the /tmp/FLEXINS_CERT temporary directory from NetAct.

4. Log in to Flexi NS through SSH or Telnet.

5. Add the Flexi NS certificate and private key by entering:

ZQ4A:<key name 1>,P:F,"DW0-/<the directory of BIN on Flexi NS>/OWNPRIV.BIN":;

ZQ4A:<key name 2>,C:F,"DW0-/<the directory of BIN on Flexi NS>/OWNCERT.BIN":;

ZQ4A:<key name 3>,C:F,"DW0-/<the directory of BIN on Flexi NS>/CACERT.BIN":;

Example:

ZQ4A:TLSPRIVATE,P:F,"DW0-/N6_1_13_0/OWNPRIV.BIN":;

ZQ4A:TLSNECERT,C:F,"DW0-/N6_1_13_0/OWNCERT.BIN":;

ZQ4A:TLSCACERT,C:F,"DW0-/N6_1_13_0/CACERT.BIN":;

Note: Check the existing key names in the OMU key database by entering ZQ4L; and make sure the key names above do not clash with existing ones.

6. Configure Flexi NS to use the installed certificates and private key by entering:

ZI3C:OMU:<key name 2>,<key name 1>:<key name 3>:;

Example:

ZI3C:OMU:TLSNECERT,TLSPRIVATE:TLSCACERT:;

Verify that the certificate and private key are configured by entering:

ZI3I;

7. Remove the source files by entering:

ZDDS:;

ZMD:DW0-/<the directory of BIN on Flexi NS>/OWNCERT.BIN;

ZMD:DW0-/<the directory of BIN on Flexi NS>/OWNPRIV.BIN;

ZMD:DW0-/<the directory of BIN on Flexi NS>/CACERT.BIN;

ZE;

6.2.1.4 Checking Flexi NS permissions


• Skip this section if you only use default roles during NetAct user creation.
• When creating a role, assign the NetAct permissions and Flexi NS permissions to your new role.
To create a role, see Creating a new role in Permission Management Help. To configure Flexi NS
permissions, see Network element permissions.
• The context root of Flexi NS in Permission Management is DX.

The supported permissions of Flexi NS are listed in the following table:

Permission name: commandClass: A-Z
  Operation/Value: 1-251
  Description: Command classes are series of executable MML commands on Flexi NS. For more information, refer to Flexi Network Server, Rel. 4.0, Operating Documentation in the online library; in that document, go to MML Commands.

Permission name: timeLimit: SessionTimeLimit
  Operation/Value: 1-15300
  Description: Idle time limit for an MML session. The value is taken from the user role and is given in seconds.

Permission name: dirPath: DW0-/
  Operation/Value: R, W, X
  Description: Used for FTP/SFTP access.

Permission name: logAccess: MMLLOG
  Operation/Value: R
  Description: Used for the MML log trail.

Permission name: LowGranularObject: SESSION
  Operation/Value: R, W, X
  Description: Used for NE3S/WS.

Table 17: Supported Flexi NS permissions

The supported NetAct management functions and their corresponding Flexi NS permissions are listed
in the following table:

Management function            | commandClass: A-Z     | timeLimit: SessionTimeLimit | dirPath: DW0-/ | logAccess: MMLLog | LowGranularObject: SESSION
Fault management               | D: 250                | 900 | not applicable | not applicable | R,W,X
Performance management         | D: 250, U: 50, W: 50  | 900 | R              | not applicable | R,W,X
Element management             | A-Z: 250              | 900 | not applicable | not applicable | not applicable
Configuration management       | A-Z: 250              | 900 | R              | not applicable | not applicable
License management             | W: 250                | 900 | R, W, X        | not applicable | not applicable
Software management            | I: 150, W: 50         | 900 | R, W, X        | not applicable | not applicable
Hardware management            | W: 150                | 900 | R              | not applicable | not applicable
Network Element Access Control | I: 250, W: 150        | 900 | not applicable | not applicable | not applicable
Administration of Measurement  | T: 150, O: 100, Q: 50 | 900 | not applicable | not applicable | not applicable
Audit Trail                    | I: 200, D: 50         | 900 | not applicable | R              | not applicable
TraceViewer                    | T: 150                | 900 | R              | not applicable | not applicable

Table 18: NetAct management functions and supported Flexi NS permissions
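As an added example (not NetAct code), the following script turns Table 18 into a role builder: given the management functions a custom role must cover, it merges the rows (highest value per command class, union of the R/W/X flags, highest session time limit) and flags roles that end up with every command class at 250, which is what Element management or Configuration management alone already grant. The merge rules are this example's reading of the table, and the function names are its own.

```python
"""Added example (not NetAct code): assemble the Flexi NS permission set a
custom NetAct role needs from the management functions it must cover,
using the values of Table 18."""
import string

NA = frozenset()          # "not applicable" in the table
ALL_CLASSES = {letter: 250 for letter in string.ascii_uppercase}

# Table 18: management function -> (commandClass, timeLimit, dirPath DW0-/,
#                                   logAccess MMLLog, LowGranularObject SESSION)
TABLE_18 = {
    "Fault management":               ({"D": 250}, 900, NA, NA, frozenset("RWX")),
    "Performance management":         ({"D": 250, "U": 50, "W": 50}, 900, frozenset("R"), NA, frozenset("RWX")),
    "Element management":             (ALL_CLASSES, 900, NA, NA, NA),
    "Configuration management":       (ALL_CLASSES, 900, frozenset("R"), NA, NA),
    "License management":             ({"W": 250}, 900, frozenset("RWX"), NA, NA),
    "Software management":            ({"I": 150, "W": 50}, 900, frozenset("RWX"), NA, NA),
    "Hardware management":            ({"W": 150}, 900, frozenset("R"), NA, NA),
    "Network Element Access Control": ({"I": 250, "W": 150}, 900, NA, NA, NA),
    "Administration of Measurement":  ({"T": 150, "O": 100, "Q": 50}, 900, NA, NA, NA),
    "Audit Trail":                    ({"I": 200, "D": 50}, 900, NA, frozenset("R"), NA),
    "TraceViewer":                    ({"T": 150}, 900, frozenset("R"), NA, NA),
}


def flexins_permissions(functions):
    """Smallest Flexi NS permission set that covers every listed function:
    per command class the highest value wins, access flags are unioned."""
    classes, time_limit = {}, 0
    dir_path, log_access, session = set(), set(), set()
    for name in functions:
        cls, limit, dp, la, lgo = TABLE_18[name]       # KeyError: unknown function
        for letter, value in cls.items():
            classes[letter] = max(classes.get(letter, 0), value)
        time_limit = max(time_limit, limit)
        dir_path |= dp
        log_access |= la
        session |= lgo
    return {"commandClass": classes, "timeLimit": time_limit,
            "dirPath": dir_path, "logAccess": log_access, "LowGranularObject": session}


def grants_every_command_class(perms) -> bool:
    """True when the role holds all 26 command classes at 250.  That is no
    longer a least-privilege MML role; split it if its users only need a
    few of the functions."""
    return all(perms["commandClass"].get(c) == 250 for c in string.ascii_uppercase)


def render(perms):
    """One line per Table 17 permission name, ready to transcribe into the
    role's Flexi NS permissions (context root DX)."""
    lines = [f"commandClass: {c} = {v}" for c, v in sorted(perms["commandClass"].items())]
    lines.append(f"timeLimit: SessionTimeLimit = {perms['timeLimit']}")
    for key, flags in (("dirPath: DW0-/", perms["dirPath"]),
                       ("logAccess: MMLLOG", perms["logAccess"]),
                       ("LowGranularObject: SESSION", perms["LowGranularObject"])):
        if flags:
            lines.append(f"{key} = {','.join(sorted(flags))}")
    return lines


if __name__ == "__main__":
    role = flexins_permissions(["Fault management", "Audit Trail"])
    print("\n".join(render(role)))
    print("all command classes at 250:", grants_every_command_class(role))
```

A role built from Fault management and Audit Trail ends up with commandClass D = 250 and I = 200, logAccess R and LowGranularObject R,W,X; adding Element management replaces that short list with every class at 250, which render() makes visible before the role is created.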

6.2.1.5 Activating and deactivating CNUM

6.2.1.5.1 Activating CNUM for Flexi NS

1. Log in to the NetAct Start Page.


a) In the address field of your internet browser, type the following URL address:

https://<system_FQDN>/startpage

where <system_FQDN> is the fully qualified domain name of the NetAct cluster load balancer
for WebSphere. For more information, see Launching the NetAct Start Page.
b) Type the Username and Password, and click Log In.

Note: If the terms and conditions appear, select the I have read and agree to
the above terms and conditions check box, and then click Log In. For more
information, see Modifying terms and conditions page.

c) Click Accept or Continue.

2. Click Security → Network Element Access Control.


The Network Element Access Control window appears.

3. Click Centralized NE User Management tab.

4. Select the network element for which you want to activate CNUM.

Tip: You can filter or sort the list, and select the desired network element.

• Click the column header to sort the list in alphabetical order.


• Type the text in the column field to filter the list.

5. From the LDAP access type list, select StartTLS.

6. From the IP version list, select IPv4 or IPv6.

7. Click Activate.

CNUM status of the network element changes to Ongoing.

8. Click Refresh to view the CNUM status change.

Note: Activation of CNUM on the network element takes time.

If the activation is unsuccessful, the CNUM status shows Failed activation. Click Failed activa-
tion link to view the causes of failure.

For more information about activating CNUM, see Activating Centralized Network Element User
Management in Centralized Network Element User Management Help.

6.2.1.5.2 Verifying CNUM activation

1. Log in to the NetAct Start Page.


a) In the address field of your internet browser, type the following URL address:

https://<system_FQDN>/startpage

where <system_FQDN> is the fully qualified domain name of the NetAct cluster load balancer
for WebSphere. For more information, see Launching the NetAct Start Page.
b) Type the Username and Password, and click Log In.

Note: If the terms and conditions appear, select the I have read and agree to
the above terms and conditions check box, and then click Log In. For more
information, see Modifying terms and conditions page.

c) Click Accept or Continue.

2. Select Security → Network Element Access Control → Centralized NE User Management.


Expected outcome

The CNUM status on the activated Flexi NS displays Activated.

3. Log in to Flexi NS through SSH or Telnet.

4. Check whether CNUM is activated by entering:

ZIAV:TYPE=ALL:LIM;

Expected outcome

An example output:

LOADING PROGRAM VERSION 19.9-0
EXECUTION STARTED
CONFIGURATION LDAP DIRECTORY
============================
IP ADDRESS: <LB WAS Virtual IP>
PORT NUMBER: 389
SSL STATE: FORCED
PRIMARY LDAP DIRECTORY
======================
IP ADDRESS: <LB WAS Virtual IP>
PORT NUMBER: 389
SSL STATE: FORCED
FEATURE ACTIVATION STATUS
=========================
DIRECTORY CLIENT ACTIVATION STATUS: ACTIVE
CENTRALIZED USER AUTHENTICATION STATUS: ACTIVE
COMMAND EXECUTED
MMI SYSTEM AUTHORITY HANDLING COMMAND <IA_>

Ensure the IP address is the NetAct LB WAS Virtual IP address, and the CENTRALIZED USER
AUTHENTICATION STATUS is ACTIVE.

5. Verify CNUM activation through element management launch.


a) Log in to NetAct Start Page.
b) In NetAct Start Page, open Monitor by clicking Monitoring → Monitor.
c) In Monitor, open Object Explorer by selecting Tools → Managed Objects → Object Explorer.
d) Right-click the FLEXINS object and select Element Management → MML Session.

Expected outcome

CNUM is activated if the integration user logs in to Flexi NS in MML Session successfully.

An example output:

<integration user>@<IP address of Flexi NS>'s password:
Flexi NS 2015-01-19 10:53:55
WELCOME TO THE DX 200 SERIES DIALOGUE

6.2.1.5.3 Deactivating CNUM for Flexi NS

1. Log in to the NetAct Start Page.


a) In the address field of your internet browser, type the following URL address:

https://<system_FQDN>/startpage

where <system_FQDN> is the fully qualified domain name of the NetAct cluster load balancer
for WebSphere. For more information, see Launching the NetAct Start Page.
b) Type the Username and Password, and click Log In.

Note: If the terms and conditions appear, select the I have read and agree to
the above terms and conditions check box, and then click Log In. For more
information, see Modifying terms and conditions page.

c) Click Accept or Continue.

2. Click Security → Network Element Access Control.

Network Element Access Control window appears.

3. Click Centralized NE User Management tab.

4. Select the network element for which you want to deactivate CNUM.

5. Click Deactivate.

The status of the network element changes to Ongoing.

6. Click Refresh.

The status is changed to Deactivated.

Note: Deactivation of CNUM on the network element takes some time.

If the deactivation is unsuccessful, the CNUM status shows Failed deactivation. Click Failed de-
activation link to view the causes of failure.

6.2.1.5.4 Verifying CNUM deactivation

1. Log in to Flexi NS through SSH or Telnet.

2. Enter the following command:


ZIAV:TYPE=ALL:LIM;

Expected outcome

An example output:

LOADING PROGRAM VERSION 19.9-0
EXECUTION STARTED
CONFIGURATION LDAP DIRECTORY
============================
IP ADDRESS: <LB WAS Virtual IP>
PORT NUMBER: 389
SSL STATE: FORCED
PRIMARY LDAP DIRECTORY
======================
IP ADDRESS: <LB WAS Virtual IP>
PORT NUMBER: 389
SSL STATE: FORCED
FEATURE ACTIVATION STATUS
=========================
DIRECTORY CLIENT ACTIVATION STATUS: ACTIVE
CENTRALIZED USER AUTHENTICATION STATUS: INACTIVE
COMMAND EXECUTED
MMI SYSTEM AUTHORITY HANDLING COMMAND <IA_>

CNUM is deactivated if the CENTRALIZED USER AUTHENTICATION STATUS is INACTIVE.
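The activation and deactivation checks above both read the same ZIAV printout. The following is an added example, not Flexi NS or NetAct code: it parses that printout and compares it with the expected state, including the SSL STATE, which must be FORCED for the StartTLS access type this procedure uses. The sample outputs are constructed from the printouts shown above, with 10.0.0.10 standing in for the LB WAS virtual IP; the function names are this example's own.

```python
"""Added example (not NetAct or Flexi NS code): parse ZIAV:TYPE=ALL:LIM;
output and report whether CNUM is in the expected state."""
import re

# Constructed from the printout above; 10.0.0.10 stands in for the LB WAS VIP.
ACTIVATED_SAMPLE = """\
LOADING PROGRAM VERSION 19.9-0
EXECUTION STARTED
CONFIGURATION LDAP DIRECTORY
============================
IP ADDRESS: 10.0.0.10
PORT NUMBER: 389
SSL STATE: FORCED
PRIMARY LDAP DIRECTORY
======================
IP ADDRESS: 10.0.0.10
PORT NUMBER: 389
SSL STATE: FORCED
FEATURE ACTIVATION STATUS
=========================
DIRECTORY CLIENT ACTIVATION STATUS: ACTIVE
CENTRALIZED USER AUTHENTICATION STATUS: ACTIVE
COMMAND EXECUTED
MMI SYSTEM AUTHORITY HANDLING COMMAND <IA_>
"""
DEACTIVATED_SAMPLE = ACTIVATED_SAMPLE.replace(
    "AUTHENTICATION STATUS: ACTIVE", "AUTHENTICATION STATUS: INACTIVE")

FIELD = re.compile(r"^([A-Z ]+?):\s*(.+?)\s*$")


def parse_ziav(output: str) -> dict:
    """Structure the printout: one entry per LDAP directory section plus
    the two feature activation flags."""
    info = {"directories": {}, "directory_client": None, "centralized_auth": None}
    section = None
    for raw in output.splitlines():
        line = raw.strip()
        if line.endswith(" LDAP DIRECTORY"):
            section = line[: -len(" LDAP DIRECTORY")]       # CONFIGURATION / PRIMARY
            info["directories"][section] = {}
            continue
        if line == "FEATURE ACTIVATION STATUS":
            section = None
            continue
        m = FIELD.match(line)
        if not m:
            continue
        key, value = m.group(1), m.group(2)
        if section is not None and key == "IP ADDRESS":
            info["directories"][section]["ip"] = value
        elif section is not None and key == "PORT NUMBER":
            info["directories"][section]["port"] = int(value)
        elif section is not None and key == "SSL STATE":
            info["directories"][section]["ssl"] = value
        elif key == "DIRECTORY CLIENT ACTIVATION STATUS":
            info["directory_client"] = value
        elif key == "CENTRALIZED USER AUTHENTICATION STATUS":
            info["centralized_auth"] = value
    return info


def check_cnum(output: str, lb_was_vip: str, expect_active: bool) -> list:
    """Findings that contradict the expected state; an empty list means the
    network element matches what the procedure expects."""
    info = parse_ziav(output)
    findings = []
    if not info["directories"]:
        findings.append("no LDAP directory section found in output")
    for name, d in info["directories"].items():
        if d.get("ip") != lb_was_vip:
            findings.append(f"{name}: IP ADDRESS is {d.get('ip')}, expected LB WAS VIP {lb_was_vip}")
        if d.get("port") != 389:
            findings.append(f"{name}: PORT NUMBER is {d.get('port')}, expected 389")
        if d.get("ssl") != "FORCED":
            # StartTLS is the only supported access type: anything other than
            # FORCED means user credentials could cross the network in clear.
            findings.append(f"{name}: SSL STATE is {d.get('ssl')}, expected FORCED")
    if expect_active and info["directory_client"] != "ACTIVE":
        findings.append(f"DIRECTORY CLIENT ACTIVATION STATUS is {info['directory_client']}")
    expected = "ACTIVE" if expect_active else "INACTIVE"
    if info["centralized_auth"] != expected:
        findings.append(f"CENTRALIZED USER AUTHENTICATION STATUS is "
                        f"{info['centralized_auth']}, expected {expected}")
    return findings


if __name__ == "__main__":
    print("after activation:", check_cnum(ACTIVATED_SAMPLE, "10.0.0.10", True) or "OK")
    print("after deactivation:", check_cnum(DEACTIVATED_SAMPLE, "10.0.0.10", False) or "OK")
```

Paste the captured ZIAV output into check_cnum() with the real LB WAS virtual IP; a non-empty result lists exactly which line of the printout differs from the state this section expects.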

6.2.1.6 Troubleshooting CNUM


This section describes how to troubleshoot problems when you configure CNUM for Flexi NS.

6.2.1.6.1 Activation fails

Problem

Activating CNUM for Flexi NS fails.

Possible causes

• The certificates are not installed successfully on Flexi NS.


• Fail to log in to LDAP.
• Q3 mediation is not working properly.

Solution

• Check whether the certificates are installed successfully on Flexi NS.

1. Log in to Flexi NS through SSH or Telnet.


2. Check whether the certificates are installed to the key storage of Flexi NS by entering:
ZQ4L;


Expected outcome

LOADING PROGRAM VERSION 7.1-0
EXECUTION STARTED
KEY NAME KEY TYPE
-------- --------
PUBLICKEY1 SSH RSA PUB
PUBLICKEY2 SSH DSA PUB
PRIVATEKEY1 SSH RSA PRI
PRIVATEKEY2 SSH DSA PRI
<CA certificate> PKI PUB
<Private key of Flexi NS> PKI PRI
<End-entity certificate of Flexi NS> PKI PUB
PUBKEYNM01 SSH RSA PUB
PRIKEYNM01 SSH RSA PRI
PUBKEYNM02 SSH DSA PUB
PRIKEYNM02 SSH DSA PRI
COMMAND EXECUTED
KEY DATABASE HANDLING COMMAND <Q4_>

Note: CA certificate and the end-entity certificate of Flexi NS must be in PKI PUB
type. The private key of Flexi NS must be in PKI PRI type.

3. Check that the SSL/TLS server and client interfaces of the OMU are bound to the installed certificate, private key and trusted CA certificate by entering:
ZI3I;

Expected outcome

LOADING PROGRAM VERSION 4.1-0
Flexi NS FREEMAN 2015-01-20 12:25:47
INTERROGATING SSL/TLS LAYER DEFINITIONS
LOCAL DEFAULT LOCAL DEFAULT TRUSTED CA
UNIT CERTIFICATE PRIVATE KEY CERTIFICATE
----------- --------------- --------------- ---------------
OMU <End-entity certificate of Flexi NS> <Private key of Flexi NS> <CA certificate>
COMMAND EXECUTED
SSL/TLS PROTOCOL LAYER HANDLING COMMAND <I3_>

• Check the LDAP related problems. For more information, see Unable to login - LDAP problems in
Troubleshooting Security Management.
• Check Q3 mediation log from /var/opt/oss/log/q3user/ on the NetAct VM where q3user
service runs. To locate the VM where a specific service is running, see Locating the right virtual
machine for a service in Administering NetAct Virtual Infrastructure.
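The two checks in this solution (ZQ4L; for the key types, ZI3I; for the OMU binding) can be cross-checked in one step. The following is an added example written for this page, not Flexi NS or NetAct code: it parses both printouts and confirms that every key the OMU definition references exists in the key database with the expected PKI type. The sample printouts are constructed from the ones above using the key names of the installation example (TLSPRIVATE, TLSNECERT, TLSCACERT); the function names are this example's own.

```python
"""Added example (not NetAct or Flexi NS code): cross-check the ZQ4L; key
database listing against the ZI3I; SSL/TLS layer definitions."""

# Constructed from the printouts above with the example key names.
ZQ4L_SAMPLE = """\
LOADING PROGRAM VERSION 7.1-0
EXECUTION STARTED
KEY NAME KEY TYPE
-------- --------
PUBLICKEY1 SSH RSA PUB
PRIVATEKEY1 SSH RSA PRI
TLSCACERT PKI PUB
TLSPRIVATE PKI PRI
TLSNECERT PKI PUB
COMMAND EXECUTED
KEY DATABASE HANDLING COMMAND <Q4_>
"""

ZI3I_SAMPLE = """\
LOADING PROGRAM VERSION 4.1-0
Flexi NS FREEMAN 2015-01-20 12:25:47
INTERROGATING SSL/TLS LAYER DEFINITIONS
LOCAL DEFAULT LOCAL DEFAULT TRUSTED CA
UNIT CERTIFICATE PRIVATE KEY CERTIFICATE
----------- --------------- --------------- ---------------
OMU TLSNECERT TLSPRIVATE TLSCACERT
COMMAND EXECUTED
SSL/TLS PROTOCOL LAYER HANDLING COMMAND <I3_>
"""


def parse_zq4l(output: str) -> dict:
    """{key name: key type} for every row of the key database listing; a
    row is a name followed by a type that ends in PUB or PRI."""
    keys = {}
    for line in output.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[-1] in ("PUB", "PRI"):
            keys[parts[0]] = " ".join(parts[1:])
    return keys


def parse_zi3i(output: str) -> dict:
    """{unit: (certificate, private key, trusted CA)} from the rows that
    follow the dashed separator line."""
    rows, in_table = {}, False
    for line in output.splitlines():
        parts = line.split()
        if parts and set("".join(parts)) == {"-"}:
            in_table = True
            continue
        if in_table:
            if line.startswith("COMMAND EXECUTED") or not parts:
                break
            if len(parts) == 4:
                rows[parts[0]] = tuple(parts[1:])
    return rows


def check_tls_material(zq4l_output: str, zi3i_output: str, unit: str = "OMU") -> list:
    """Findings for the unit's SSL/TLS binding: each referenced key must
    exist in the key database with the expected PKI type (certificate and
    CA certificate PKI PUB, private key PKI PRI)."""
    keys = parse_zq4l(zq4l_output)
    bindings = parse_zi3i(zi3i_output)
    if unit not in bindings:
        return [f"{unit} has no SSL/TLS layer definition (run ZI3C after installing the keys)"]
    cert, priv, ca = bindings[unit]
    expected = {cert: "PKI PUB", priv: "PKI PRI", ca: "PKI PUB"}
    findings = []
    for name, want in expected.items():
        have = keys.get(name)
        if have is None:
            findings.append(f"{name} referenced by {unit} is not in the key database")
        elif have != want:
            findings.append(f"{name} is {have}, expected {want}")
    return findings


if __name__ == "__main__":
    print(check_tls_material(ZQ4L_SAMPLE, ZI3I_SAMPLE) or "OMU TLS material consistent")
```

An empty result means the three ZQ4A entries of the installation procedure are present with the right types and the ZI3C binding points at them; any other outcome names the key that is missing, mistyped or unbound.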


6.2.1.6.2 Deactivation fails

Problem

Deactivating CNUM for Flexi NS fails.

Possible causes

• Fail to log in to LDAP.


• Q3 mediation is not working properly.

Solution

• Check the LDAP related problems. For more information, see Unable to login - LDAP problems in
Troubleshooting Security Management.
• Check Q3 mediation log from /var/opt/oss/log/q3user/ on the NetAct VM where q3user
service runs. To locate the VM where a specific service is running, see Locating the right virtual
machine for a service in Administering NetAct Virtual Infrastructure.

6.2.1.6.3 Unable to log in to NE using NetAct user credentials after CNUM is activated

Problem

Unable to log in to NE with NetAct user after CNUM is activated.

Possible causes

• LDAP is not working properly.


• Q3 mediation is not working properly.

Solution

• Check the LDAP related problems. For more information, see Unable to login - LDAP problems in
Troubleshooting Security Management.
• Check Q3 mediation log from /var/opt/oss/log/q3user/ on the NetAct VM where q3user
service runs. To locate the VM where a specific service is running, see Locating the right virtual
machine for a service in Administering NetAct Virtual Infrastructure.

6.2.1.6.4 Changing password fails

Problem

Failed to change password.

Possible causes

The user permissions are insufficient.

Solution

If the password update is unsuccessful, the CNUM status shows Failed update. Click the Failed up-
date link to view the causes of failure.


6.2.1.6.5 Unable to perform specific operation on NE after CNUM is activated

Problem

Unable to perform specific operation on NE although CNUM is activated.

Possible causes

User has insufficient permissions to perform this operation on NE.

Solution

• Check the authentication log on Flexi NS.

1. Log in to Flexi NS through SSH or Telnet.


2. Locate the working unit by entering:

ZDDS:;
3. Check the authentication logs on Flexi NS by entering:

ZGSC:,622

6.2.2 Configuring CNUM for Open BGW


Open BGW supports Centralized Network Element User Management (CNUM) in NetAct. For more
information on CNUM, see Controlling network element access with Centralized Network Element
User Management.

6.2.2.1 Prerequisites for Open BGW

This section provides the CNUM information checklist for Open BGW.

License
  The following license must be installed in NetAct:
  • Feature code: 0000025104
  • Feature name: Centralized NE User Management for MV (oBGW)

Firewall
  Ensure that port 389 is open from Open BGW to the LB WAS virtual IP during integration (the StartTLS access type runs over this port).

Open BGW is integrated with NetAct
  To integrate Open BGW with NetAct, refer to Overview of Open BGW integration in Integrating Open BGW to NetAct.

Service types used to activate CNUM
  Create a Network Element Access Control admin user with the fsuiNe3sAllowClientSession, fsumManageAll, FSHASVIEW and fsCertManage permissions in Open BGW, and configure the same user with the NEUM Admin Access service type in NetAct through the Network Element Access Control application, so that the users are mapped between Open BGW and NetAct. For how to create the Network Element Access Control admin user with the required permissions, see Creating Network Element Access Control admin user in Integrating Open BGW to NetAct.

Supported Open BGW releases
  • OpenBGW17
  • OpenBGW17SP1

Supported LDAP access types
  StartTLS

Supported IP versions
  IPv4

Table 19: CNUM information checklist for Open BGW

6.2.2.2 Limitations
The Open BGW user name and password used for CNUM must follow both the NetAct and the Open BGW naming rules. When a user from the NetAct side logs in to Open BGW for the first time after CNUM activation, it may take 0 to 10 minutes for the user's permissions to take effect. Some NetAct user IDs are reserved for NetAct internal services and are ignored by Open BGW in the CNUM scenario. To check the NetAct user ID details, refer to the Administration Guide of Open BGW in the Support portal at https://customer.nokia.com. Accessing the documentation and software in the portal requires authentication.

6.2.2.3 Installing and activating Open BGW certificate


If the Signature Algorithm used in the NetAct server certificate cannot be supported by Open BGW,
CNUM will fail when connecting to LDAP server. To check the supported Signature Algorithm, refer to
the Administration Guide of Open BGW in Support portal in https://customer.nokia.com. Accessing the
documentation and software in the portal requires authentication.

6.2.2.3.1 Applying certificates for Open BGW

No certificates need to be installed in Open BGW for secured LDAP interface.

6.2.2.3.2 Adding additional CA certificate to Open BGW trust store

1. Log in as the omc user to the VM where the dirsrv service runs and switch to the root user.

2. Get the CA certificates which sign LDAP certificate by entering:

[root]# certutil -L -d /etc/dirsrv/slapd-oss

Example output:

Certificate Nickname                Trust Attributes
                                    SSL,S/MIME,JAR/XPI

NetAct L0 CA - NetAct - NSB         CT,,
NetAct L1 CA - NetAct - NSB         CT,,
dirsrv_access                       u,u,u

In this example, the CA certificates that sign the LDAP certificate are /opt/oss/NSN-sm_conf_cert/generated/certificationAuthority/NetAct_L0_CACert.pem and /opt/oss/NSN-sm_conf_cert/generated/certificationAuthority/NetAct_L1_CACert.pem on the node where the dmgr service runs. If the output does not list any CA certificates, install the LDAP certificate in NetAct as described in Ensure that LDAP certificate is installed.

3. Install the certificate on Open BGW.


a) Log in as the omc user to the VM where the dmgr service runs and then switch to the root
user.
b) Copy the CA files you get from step 2 to the /home/<NEUM Admin Access user>
directory of Open BGW. For multi-layered certificates, you have to copy the CA files
NetAct_L0_CACert.pem, NetAct_L1_CACert.pem, ... till the layer of the CA which
signs and issues the common mediation certificate. For example, copy /opt/oss/NSN-
sm_conf_cert/generated/certificationAuthority/NetAct_L0_CACert.pem
and /opt/oss/NSN-sm_conf_cert/generated/certificationAuthority/
NetAct_L1_CACert.pem to /home/BGWADM directory through scp from NetAct:

[omc]$ scp <root_certificate> <NEUM Admin Access user>@<IP_address_or_Fully_Qualified_Domain_Name(FQDN)_of_Open BGW>:/home/<NEUM Admin Access user>/

Example:

[omc]$ scp /opt/oss/NSN-sm_conf_cert/generated/certificationAuthority/NetAct_L0_CACert.pem [email protected]:/home/BGWADM/

[omc]$ scp /opt/oss/NSN-sm_conf_cert/generated/certificationAuthority/NetAct_L1_CACert.pem [email protected]:/home/BGWADM/

Note:

• Open BGW only supports certificates in PEM format. If the certificate is not a PEM file, convert it to PEM first.
• The firewall between Open BGW and the NetAct VM where the dirsrv service runs is not open for scp or sftp by default. If you use scp or sftp to copy the certificate, open the required port (22 by default) beforehand and close it again once the copy is done.
• To transfer files with scp or sftp, first assign the NEUM Admin Access user to the group _nokfsuifiletransfer by entering:

add user-management user-to-group user-name <NEUM Admin Access user> group-name _nokfsuifiletransfer

Example:

add user-management user-to-group user-name BGWADM group-name _nokfsuifiletransfer

c) Log in to Open BGW and install the certificate:

set security cert ruim ca-cert cert-file <root_certificate> ca-id <ca_ID> cert-type new-with-new

Example:

set security cert ruim ca-cert cert-file /home/BGWADM/NetAct_L0_CACert.pem ca-id rootCert cert-type new-with-new

Note: For multi-layered certificates, install the whole directory at once by entering:

set security cert ruim ca-cert cert-directory <cert-file folder>

Example:

set security cert ruim ca-cert cert-directory /home/BGWADM/

Expected outcome

>>Executing a command CLA-1@<instance identifier of Open BGW> [2015-04-21 13:12:31 +0800]
CA certificate installed successfully.

d) Delete the source file of the certificate from Open BGW:

delete file local /home/<NEUM Admin Access user>/<root_certificate>

Example:

delete file local /home/BGWADM/NetAct_L0_CACert.pem

6.2.2.4 Checking CNUM configuration

1. Check the CNUM configuration in Open BGW as described in Remote user information management in the Administration Guide of Open BGW in the Support portal at https://customer.nokia.com. Accessing the documentation and software in the portal requires authentication.

2. Upload Configuration Management data as described in Verifying Configuration Management data flow in Integrating Open BGW to NetAct.


Expected outcome

After the uploading, in NetAct Monitor, the instance of Open BGW object is updated with the Open
BGW system name. In the properties of the Open BGW object, the system name of Open BGW
displays in Name of Connectivity Information.

Note: To check the system name of Open BGW, log in to Open BGW.

BGWADM@CLA-1 [Tiger] >

The system name displays in the square brackets "[]", for example, Tiger.

6.2.2.5 Checking permissions


The mapping between Open BGW permissions and the default NetAct roles is listed in the following table.

Permission name: fsui (every operation below belongs to this permission)

Operation: manage
  Description: Typically used by operators. Gives access to most (if not all) write-like commands in all interactive interfaces (Web UI, SCLI). Note: users assigned this operation also require the fsui monitor operation.
  Default roles: CM_NetworkPlanningAndEngineer, CM_Installation, CM_Provisioning, SM_Detection, SM_ContainmentAndRecovery, SM_Prevention, SM_SecurityAdministration, NetAct_Administrator

Operation: monitor
  Description: Typically used by operators. Gives access to most (if not all) view-like commands in all interactive interfaces (Web UI, SCLI).
  Default roles: CM_ConfigurationManagementAdm, NetAct_Administrator, CM_NetworkPlanningAndEngineer, CM_Installation, FM_FaultLocalization, FM_FaultManagementAdmin, PM_PerformanceAnalysis, CM_Provisioning, SM_Detection, SM_ContainmentAndRecovery, SM_Prevention, SM_SecurityAdministration, CM_ServicePlanningAndNegotiat

Operation: wheel
  Description: Allows access to the root account; knowledge of the root password is additionally required. Note: by default, direct root login is denied on external management interfaces, so users first log in with their own account and switch to root only if such access is really needed. Almost all (if not all) management operations required for normal operation of the network element do not require the root account.
  Default roles: NetAct_Administrator, CM_NetworkPlanningAndEngineer, CM_Installation, CM_Provisioning, SM_Detection, SM_ContainmentAndRecovery, SM_Prevention, SM_SecurityAdministration

Operation: log
  Description: Read access to "normal" log files, for example to follow the general system state.
  Default roles: NetAct_Administrator, FM_FaultLocalization, FM_FaultManagementAdmin, FM_AlarmSurveillance, PM_PerformanceAnalysis, CM_ConfigurationManagementAdm, CM_StatusAndControl, CM_ServicePlanningAndNegotiat, CM_Provisioning, CM_NetworkPlanningAndEngineer, CM_Installation, SM_Detection, SM_ContainmentAndRecovery, SM_Prevention, SM_SecurityAdministration

Operation: tracelog
  Description: In addition to "normal" log files, read access to trace files generated for debugging purposes.
  Default roles: (none)

Operation: crashlog
  Description: Access to automatically generated crash (core) files for debugging purposes.
  Default roles: (none)

Operation: vendoradmin
  Description: Access to the unsupported interface within the SCLI that Nokia staff may use in some troubleshooting situations; Nokia staff will request it if needed. The vendor mode is not considered a secure management interface, so this operation should normally not be assigned to any user unless requested for a troubleshooting situation.
  Default roles: (none)

Operation: remoteconsole
  Description: Access to the SCLI command "shell remote-console". This command is not a secure interface: it supports internal console connections to the consoles of the various blades in the network element that support it. Further authentication might be necessary on these consoles, but is not mandated by the system. Typically only needed in severe troubleshooting cases.
  Default roles: (none)

Operation: seclog
  Description: Read access to "security" log files generated for audit purposes (including, for example, all commands executed via SCLI).
  Default roles: NetAct_Administrator, CM_NetworkPlanningAndEngineer, CM_Installation, SM_Detection, SM_ContainmentAndRecovery, SM_Prevention, SM_SecurityAdministration

Operation: fsclishroot
  Description: Overrides all authorization checks in the SCLI.
  Default roles: NetAct_Administrator

Operation: backup
  Description: Read access to the files in the "backup" directory.
  Default roles: CM_ConfigurationManagementAdm, FM_FaultManagementAdmin

Operation: filetransfer
  Description: Grants scp/sftp access to users whose login shell is the SCLI shell. Without it, SCLI-shell users cannot transfer files via scp/sftp (where the client is invoked from outside the NE and initiates an SSH session towards the NE). Users with the full bash shell as login shell (a setup not recommended for security reasons) always have scp/sftp access, and this operation has no effect on them.
  Default roles: NetAct_Administrator, FM_FaultManagementAdmin, CM_ConfigurationManagementAdm

Operation: fileshare
  Description: Read and write access to the files in the "share" directory.
  Default roles: NetAct_Administrator, FM_FaultManagementAdmin, CM_ConfigurationManagementAdm

Operation: webuiadmin
  Description: Users assigned this operation can do anything within the Web UI; no further authorization checks are done.
  Default roles: NetAct_Administrator, FM_FaultManagementAdmin, CM_ConfigurationManagementAdm

Operation: limitedbash
  Description: Users assigned this operation have access to the limited bash shell from an SCLI session. Access to
  Default roles: NetAct_Administrator, FM_FaultManagementAdmin
the limited bash shell is secure in the CM_ConfigurationManage-
sense that users cannot misuse it, for mentAdm
example, to send traffic on NE-internal
interfaces (as can be done from a full
“generic” bash shell). The limited bash
shell also applied a limited chroot envi-
ronment.

fsuicli ownhomedir For RUIM only: own home dir in CLI FM_FaultManagementAdmin

structuredlogin- For RUIM only: CLI login shell is fsclish NetAct_Administrator


shell
FM_FaultLocalization

FM_FaultManagementAdmin

FM_AlarmSurveillance

CM_ConfigurationManage-
mentAdm

CM_NetworkPlanningAn-
dEngineer

CM_Installation

CM_Provisioning

CM_StatusAndControl

CM_ServicePlanningAndNe-
gotiat

SM_Detection

SM_ContainmentAndRecov-
ery

SM_Prevention

NetAct™ 22 © 2021 Nokia. Nokia Confidential Information 117


Final Use subject to agreed restrictions on disclosure and use.
Administering Users and Permissions DN0992646 4-1 Controlling network element access
with Centralized Network Element User
Management

Permission
Operation Description Default Roles
Name

SM_SecurityAdministration

generalloginshell CLI login shell is bash

hassharedreadon- shared home dir in CLI


lyhome

fsuiusb manage Allows access to operations related to


USB storage devices (like USB sticks).
For example, a user with this permis-
sion can mount USB devices as read-
write instead of read-only.

fsuilic man This permission provides access to the CM_NetworkPlanningAn-


license management system, for exam- dEngineer
ple, to add or remove license files.
CM_Installation

CM_Provisioning

NetAct_Administrator

view The permission provides read-like ac-


cess to the license management sys-
tem. For example, to check the license
state.

fsuiperformance man This permission provides read-like ac- PM_PerformanceAnalysis


cess to the performance management
NetAct_Administrator
or statistics system. Additionally, it gives
read access to the configuration. Users CM_Provisioning
assigned to this permission typically are
also assigned the fsuiperformance and
view group.

view This permission provides read-like ac- PM_PerformanceMonitoring


cess to the performance management
CM_Provisioning
or statistics system.

fsuifault man This permission provides write-like ac- CM_Provisioning


cess to the alarm system. Additionally, it
NetAct_Administrator
gives permission for some basic config-
uration checks. Users assigned to this
permission typically are also assigned
the permission fsuifault and view.

NetAct™ 22 © 2021 Nokia. Nokia Confidential Information 118


Final Use subject to agreed restrictions on disclosure and use.
Administering Users and Permissions DN0992646 4-1 Controlling network element access
with Centralized Network Element User
Management

Permission
Operation Description Default Roles
Name

view This permission gives read-like access FM_AlarmSurveillance


to the alarm system to check alarm sit-
CM_StatusAndControl
uation. Additionally, it gives permission
for some basic configuration checking.

fsuine3s manage This permission will give users access PM_PerformanceAnalysis


to the NE3S interface with write-like op-
PM_PerformanceMonitoring
erations. Other management interfaces
(SCLI/WebUI) are not affected. Typical- FM_FaultLocalization
ly this permission is assigned together
FM_Testing
with the permission fsuine3s and view.
FM_FaultManagementAdmin

NetAct_Administrator

CM_NetworkPlanningAn-
dEngineer

CM_Installation

CM_Provisioning

SM_Detection

SM_ContainmentAndRecov-
ery

SM_Prevention

SM_SecurityAdministration

view This permission provides access to the PM_PerformanceMonitoring


NE3S interface with read-like opera-
CM_Provisioning
tions only. Other management inter-
faces (SCLI/Web UI) are not affected.

Table 20: Mapping between Open BGW permissions and default NetAct roles

6.2.2.6 Activating and deactivating CNUM

6.2.2.6.1 Activating CNUM

To activate CNUM on Open BGW, see Activating Centralized Network Element User Management in
Centralized Network Element User Management Help.


6.2.2.6.2 Verifying CNUM activation

1. Log in to the NetAct Start Page.


a) In the address field of your internet browser, type the following URL address:

https://<system_FQDN>/startpage

where <system_FQDN> is the fully qualified domain name of the NetAct cluster load balancer
for WebSphere. For more information, see Launching the NetAct Start Page.
b) Type the Username and Password, and click Log In.

Note: If the terms and conditions appear, select the I have read and agree to
the above terms and conditions check box, and then click Log In. For more
information, see Modifying terms and conditions page.

c) Click Accept or Continue.

2. Select Security → Network Element Access Control → Centralized NE User Management.

Expected outcome

The CNUM status on the activated Open BGW displays Activated.

3. Log in to Open BGW.

4. Check the CNUM and RUIM configuration on Open BGW by entering:

show user-management ruim nms-ldap-config

Expected outcome

Example output:

>>Executing a command CLA-1@<instance identifier of Open BGW> [2015-04-22 10:45:58 +0800]
Primary NMS LDAP Server Configuration
IP address              : <LB WAS Virtual IP>
Port                    : 389
Config location in NMS  : cn=OBGW,ou=LDAPConfData,ou=Authorization,ou=ruim,dc=netact,dc=net
Account location in NMS : ou=people,ou=accounts,dc=netact,dc=net
Connection mode         : tls
Verification policy     : default (full-except-hostname-check)

Secondary NMS LDAP Server Configuration
IP address              :
Port                    : default (389)
Config location in NMS  :
Account location in NMS :
Connection mode         : tls
Verification policy     : default (full-except-hostname-check)

Ensure that the IP address is the NetAct LB WAS virtual IP address, the value of the Port parameter is 389, and the value of the Connection mode parameter is tls. Port 389 together with connection mode tls means that TLS is negotiated on the LDAP port with StartTLS rather than on a separate LDAPS port. The verification policy default (full-except-hostname-check) indicates, as its name says, that the server certificate chain is verified but the host name in the certificate is not checked against the configured address.

5. Check whether CNUM is activated by entering:

show has state managed-object /PAP /RuimReplicator

Expected outcome

An example output:

>>Executing a command CLA-1@<instance identifier of Open BGW> [2015-04-22 13:17:20 +0800]
OBJECT          ADMINISTRATIVE OPERATIONAL USAGE  ROLE PROCEDURAL DYNAMIC
/PAP            UNLOCKED       ENABLED     ACTIVE -    -          INTERNAL_STATE=ENABLED
/RuimReplicator UNLOCKED       ENABLED     ACTIVE -    -          INTERNAL_STATE=ENABLED

CNUM is activated if the status of DYNAMIC is INTERNAL_STATE=ENABLED for both /PAP and /RuimReplicator.

6. Verify Element Management launch.

For more information, see Verifying Element Management launch in Integrating Open BGW to
NetAct.

Note: With CNUM activated, Element Management is launched as the user who is logged in to the NetAct Start Page. If CNUM is not activated, Element Management is launched as the user configured in the Network Element Access Control application.

7. Verify Fault Management connectivity.

For more information, see Verifying Fault Management connectivity in Integrating Open BGW to
NetAct.

8. Verify Performance Management connectivity.

For more information, see Verifying Performance Management connectivity in Integrating Open
BGW to NetAct.

9. Verify Configuration Management connectivity.

For more information, see Verifying Configuration Management connectivity in Integrating Open
BGW to NetAct.


6.2.2.6.3 Deactivating CNUM

To deactivate CNUM on Open BGW, see Deactivating Centralized Network Element User
Management in Centralized Network Element User Management Help.

6.2.2.6.4 Verifying CNUM deactivation

1. Log in to the NetAct Start Page.


a) In the address field of your internet browser, type the following URL address:

https://<system_FQDN>/startpage

where <system_FQDN> is the fully qualified domain name of the NetAct cluster load balancer
for WebSphere. For more information, see Launching the NetAct Start Page.
b) Type the Username and Password, and click Log In.

Note: If the terms and conditions appear, select the I have read and agree to
the above terms and conditions check box, and then click Log In. For more
information, see Modifying terms and conditions page.

c) Click Accept or Continue.

2. Select Security → Network Element Access Control → Centralized NE User Management.

Expected outcome

The CNUM status on the activated Open BGW displays Deactivated.

3. Log in to Open BGW.

4. Enter the following command:

show has state managed-object /PAP /RuimReplicator

Expected outcome

>>Executing a command CLA-1@<instance identifier of Open BGW> [2015-04-22 13:12:31 +0800]
OBJECT          ADMINISTRATIVE OPERATIONAL USAGE  ROLE PROCEDURAL DYNAMIC
/PAP            UNLOCKED       ENABLED     ACTIVE -    -          INTERNAL_STATE=DISABLED
/RuimReplicator UNLOCKED       ENABLED     ACTIVE -    -          INTERNAL_STATE=DISABLED

CNUM is deactivated if the status of DYNAMIC is INTERNAL_STATE=DISABLED for both /PAP and /RuimReplicator.


6.2.2.7 Configuring CNUM-oBGW for Audit Trail

This section describes how to configure CNUM-oBGW for Audit Trail.

6.2.2.7.1 CNUM-oBGW Prerequisites for Audit Trail

Log in to OBGW as the root user, and check whether the system image is in read-only state by executing:

mount | grep /mnt/sysimg

Expected output:

/dev/mapper/VG_CLA--0-sysimg--R_OB_15.9.1.3--x86_64--std_acpi5 on /mnt/sysimg type ext2 (ro,relatime,errors=continue)

The mount options must include ro. If the system image is not mounted read-only, contact Nokia Technical Support.

6.2.2.7.2 Activating CNUM-oBGW

1. Log in to OBGW as the root user, and copy the file /opt/Nokia/SS_RUIM/etc/replicator_properties.cfg by executing:

cp /opt/Nokia/SS_RUIM/etc/replicator_properties.cfg /root/patch.cfg

2. Edit /root/patch.cfg so that the Audit Trail user ID (592) is included in the ruim.replicator.uid_range value:

ruim.replicator.uid_range=387,401,412,501,592,950-9999999

3. Save the file.

4. Execute the patching command:

fsswcli --patch --install --comment 'Audit Trail' */*/*:/root/patch.cfg=/opt/Nokia/SS_RUIM/etc/replicator_properties.cfg
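The value edited in step 2 is a comma-separated list of single UIDs and low-high ranges, and a UID that is already listed, or already falls inside one of the ranges, must not be added a second time. The following Python example is added here and is not part of the NetAct documentation or of any Nokia tool: it parses the value, reports whether a UID is already replicated, and produces the edited file content that is written to /root/patch.cfg before the fsswcli command of step 4. The "before" file content is constructed for the example; the key name, the UID 592 and the file path are taken from the procedure above.

```python
"""Check and patch ruim.replicator.uid_range for the Audit Trail user (592).

Added example; not part of the NetAct documentation or of any Nokia tool.
The value is a comma-separated list of single UIDs and low-high ranges.
"""

KEY = "ruim.replicator.uid_range"
AUDIT_TRAIL_UID = 592

# Constructed "before" content of /root/patch.cfg, as copied in step 1.
BEFORE = ("# RUIM replicator settings (constructed sample)\n"
          + KEY + "=387,401,412,501,950-9999999\n")


def parse_uid_range(value):
    """'387,401,412,501,950-9999999' -> [(387, 387), ..., (950, 9999999)]."""
    spans = []
    for item in value.split(","):
        item = item.strip()
        if not item:
            continue
        low, dash, high = item.partition("-")
        spans.append((int(low), int(high) if dash else int(low)))
    return spans


def format_uid_range(spans):
    """Inverse of parse_uid_range: sorted; single UIDs are written without a dash."""
    return ",".join(str(lo) if lo == hi else f"{lo}-{hi}" for lo, hi in sorted(spans))


def uid_replicated(value, uid):
    """True when uid is a listed UID or falls inside a listed range."""
    return any(lo <= uid <= hi for lo, hi in parse_uid_range(value))


def add_uid(value, uid):
    """Return the value with uid added as a single entry; unchanged if already covered."""
    spans = parse_uid_range(value)
    if not any(lo <= uid <= hi for lo, hi in spans):
        spans.append((uid, uid))
    return format_uid_range(spans)


def patch_config(text, uid=AUDIT_TRAIL_UID):
    """Return (new_text, changed) for the whole file content.

    Only the ruim.replicator.uid_range line is rewritten; all other lines are
    copied through unchanged, so the result can be written to /root/patch.cfg
    before the fsswcli patch command of step 4 is run.
    """
    out, changed, seen = [], False, False
    for line in text.splitlines(keepends=True):
        stripped = line.strip()
        if stripped.startswith(KEY + "="):
            seen = True
            value = stripped[len(KEY) + 1:]
            if not uid_replicated(value, uid):
                changed = True
                line = f"{KEY}={add_uid(value, uid)}\n"
        out.append(line)
    if not seen:
        raise ValueError(f"{KEY} not found in file content")
    return "".join(out), changed


if __name__ == "__main__":
    patched, changed = patch_config(BEFORE)
    print("changed" if changed else "already present")
    print(patched, end="")
```

Running the script a second time on its own output reports "already present" and leaves the file untouched, which is the behaviour you want before re-running the patch command after an upgrade.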

6.2.2.7.3 Verifying CNUM-oBGW Activation

Procedure

• To see the list of patched files, execute:

fsswcli -p -l comment:'Audit_Trail_cnum'

The comment is the key under which the patch is listed here and removed in Deactivating CNUM-oBGW, so it must be the same comment string that was given with --comment when the patch was installed.


6.2.2.7.4 Deactivating CNUM-oBGW

Procedure

• Log in to OBGW as the root user, and execute:

fsswcli -p -r comment:'Audit_Trail_cnum'

6.2.2.7.5 Verifying CNUM-oBGW Deactivation

Procedure

• Check if the patch is removed from the whole system by executing:

fsswcli -p -l comment:'Audit_Trail_cnum'

Expected outcome

“0 patches found”

6.2.2.8 Troubleshooting

6.2.2.8.1 Activation failure

Problem

Activating CNUM for Open BGW fails.

Possible causes

• NE3S/WS mediation is not working properly.


• /PAP or /RuimReplicator server is not started.
• The system name of Open BGW is missing.

Solution

1. Check the NE3S/WS mediation log in /var/opt/oss/log/common_mediations/ on the NetAct VM where common_mediations is running. If you find exceptions in the log, contact Nokia Technical Support.
2. Check the status of the /PAP and /RuimReplicator servers on Open BGW by entering:

show has state managed-object /PAP /RuimReplicator

Expected outcome

>>Executing a command CLA-1@<instance identifier of Open BGW> [2015-04-22 13:12:31 +0800]
OBJECT          ADMINISTRATIVE OPERATIONAL USAGE  ROLE PROCEDURAL DYNAMIC
/PAP            UNLOCKED       ENABLED     ACTIVE -    -          INTERNAL_STATE=DISABLED
/RuimReplicator UNLOCKED       ENABLED     ACTIVE -    -          INTERNAL_STATE=DISABLED

Ensure that the status of ADMINISTRATIVE is UNLOCKED, the status of OPERATIONAL is ENABLED, and the status of USAGE is ACTIVE. If not, contact Nokia Technical Support.
3. Upload the Configuration Management data. After the upload, the Open BGW object instance in Monitor is updated with the Open BGW system name. In the properties of the Open BGW object, the system name of Open BGW is displayed in Name of Connectivity Information.

To upload the Configuration Management data flow, see Verifying Configuration Management data flow in Integrating Open BGW to NetAct.
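The outputs checked in Verifying CNUM activation (steps 4 and 5), in Verifying CNUM deactivation (step 4) and in step 2 above are plain text that is easy to check by script when many Open BGW elements have to be verified. The following Python example is added here and is not part of the NetAct documentation or of any Nokia tool: it parses constructed copies of the two SCLI outputs (the instance identifier OBGW-1 and the IP address 10.0.0.10 are assumed values standing in for the real LB WAS virtual IP) and applies the documented expectations: primary LDAP server is the LB WAS virtual IP on port 389 with connection mode tls; /PAP and /RuimReplicator are UNLOCKED, ENABLED and ACTIVE; and their INTERNAL_STATE is ENABLED when CNUM is expected to be active or DISABLED after deactivation.

```python
"""Check the Open BGW CNUM state from SCLI output text.

Added example; not part of the NetAct documentation or of any Nokia tool.
"""
import re

# Constructed sample output of: show user-management ruim nms-ldap-config
# (OBGW-1 and 10.0.0.10 are assumed values).
LDAP_CONFIG_OUTPUT = """\
>>Executing a command CLA-1@OBGW-1 [2015-04-22 10:45:58 +0800]
Primary NMS LDAP Server Configuration
IP address : 10.0.0.10
Port : 389
Config location in NMS : cn=OBGW,ou=LDAPConfData,ou=Authorization,ou=ruim,dc=netact,dc=net
Account location in NMS : ou=people,ou=accounts,dc=netact,dc=net
Connection mode : tls
Verification policy : default (full-except-hostname-check)
Secondary NMS LDAP Server Configuration
IP address :
Port : default (389)
Config location in NMS :
Account location in NMS :
Connection mode : tls
Verification policy : default (full-except-hostname-check)
"""

# Constructed sample output of: show has state managed-object /PAP /RuimReplicator
HAS_STATE_OUTPUT = """\
>>Executing a command CLA-1@OBGW-1 [2015-04-22 13:17:20 +0800]
OBJECT ADMINISTRATIVE OPERATIONAL USAGE ROLE PROCEDURAL DYNAMIC
/PAP UNLOCKED ENABLED ACTIVE - - INTERNAL_STATE=ENABLED
/RuimReplicator UNLOCKED ENABLED ACTIVE - - INTERNAL_STATE=ENABLED
"""


def parse_ldap_config(text):
    """Return {'primary': {key: value}, 'secondary': {key: value}}."""
    sections, current = {}, None
    for line in text.splitlines():
        m = re.match(r"\s*(Primary|Secondary) NMS LDAP Server Configuration", line)
        if m:
            current = m.group(1).lower()
            sections[current] = {}
            continue
        if current is None or ":" not in line:
            continue  # the ">>Executing" banner or any line outside a section
        key, _, value = line.partition(":")  # split on the first colon only
        sections[current][key.strip()] = value.strip()
    return sections


def parse_has_state(text):
    """Return {object name: {column name: value}} from the tabular output."""
    lines = [l for l in text.splitlines() if l.strip() and not l.startswith(">>")]
    header = lines[0].split()
    objects = {}
    for line in lines[1:]:
        fields = line.split()
        if len(fields) != len(header):
            continue  # not a data row
        row = dict(zip(header, fields))
        objects[row["OBJECT"]] = row
    return objects


def check_ldap_config(text, lb_was_vip):
    """Return a list of findings; empty when the documented expectations hold."""
    primary = parse_ldap_config(text).get("primary", {})
    findings = []
    if primary.get("IP address") != lb_was_vip:
        findings.append("primary IP address is not the LB WAS virtual IP")
    if primary.get("Port") != "389":
        findings.append("primary port is not 389")
    if primary.get("Connection mode") != "tls":
        findings.append("primary connection mode is not tls")
    return findings


def check_has_state(text, expect_cnum_active):
    """Check /PAP and /RuimReplicator health and CNUM state; return findings."""
    wanted = "INTERNAL_STATE=ENABLED" if expect_cnum_active else "INTERNAL_STATE=DISABLED"
    objects = parse_has_state(text)
    findings = []
    for name in ("/PAP", "/RuimReplicator"):
        row = objects.get(name)
        if row is None:
            findings.append(f"{name}: missing from output")
            continue
        # Server health checks from the troubleshooting section.
        for column, expected in (("ADMINISTRATIVE", "UNLOCKED"),
                                 ("OPERATIONAL", "ENABLED"),
                                 ("USAGE", "ACTIVE")):
            if row[column] != expected:
                findings.append(f"{name}: {column} is {row[column]}, expected {expected}")
        if row["DYNAMIC"] != wanted:
            findings.append(f"{name}: DYNAMIC is {row['DYNAMIC']}, expected {wanted}")
    return findings


if __name__ == "__main__":
    problems = (check_ldap_config(LDAP_CONFIG_OUTPUT, "10.0.0.10")
                + check_has_state(HAS_STATE_OUTPUT, expect_cnum_active=True))
    print("OK" if not problems else "\n".join("FAIL: " + p for p in problems))
```

To use it against real elements, feed the captured SCLI output into the two check functions and pass expect_cnum_active=False after a deactivation; every finding names the object and column that deviates, so the script can be dropped into a batch job over many elements.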

6.2.2.8.2 Changes in permissions not immediately replicated

Problem

Permission changes made for a NetAct user are not immediately replicated to Open BGW.

Possible causes

The Open BGW fetches a user's authorization data when the user logs in to the Open BGW for the first time. The data is fetched again only if the replicated data is removed from the Open BGW. This applies equally to permissions that are revoked in NetAct: until the replicated data is refreshed, the user keeps the permissions the Open BGW fetched earlier.

Solution

Refresh the permissions on Open BGW for all users by entering:

set user-management ruim replicator refresh allusers

6.2.3 Configuring CNUM for SBTS


SBTS supports Centralized Network Element User Management (CNUM) in NetAct. For more
information on CNUM, see Controlling network element access with Centralized Network Element
User Management.

6.2.3.1 Prerequisites for SBTS

This section describes the information you must know and the basic requirements which must be met
before configuring CNUM for SBTS.

License
  The following license is required to be installed in NetAct:
  • Feature code: 15960
  • Feature name: Centralized NE User Management for SRAN

List of service types needed to activate CNUM
  • SOAM Web Service Access

Service types needed to verify CNUM activation or deactivation status
  • BTS Account Access

Supported LDAP access types
  • StartTLS
  • PREFER_TLS

Supported IP versions
  IPv4, IPv6

The NetAct user needed for CNUM configuration
  The NetAct user is used to log in to the NetAct Start Page to perform CNUM related operations in NetAct. In Network Element Access Control, grant the credentials listed in Service types needed to activate CNUM and Service types needed to verify CNUM activation or deactivation status to the group where the CNUM user belongs. The following default NetAct roles must be assigned to the CNUM user:
  • FM-Fault Management Admin
  • SM-Security Administration

Firewall
  Ensure that port 389 is open from SBTS to the LB WAS virtual IP during integration. Only this port is listed because TLS is negotiated on it with StartTLS rather than on a separate LDAPS port. From a host on the SBTS side of the firewall, openssl s_client -starttls ldap -connect <LB WAS virtual IP>:389 shows whether the port is reachable and the StartTLS negotiation succeeds.

SBTS integration
  Ensure that SBTS is integrated to NetAct successfully. Nokia recommends that SBTS is integrated to NetAct in TLS mode, because the NE bind user account and password are encrypted in TLS mode. For detailed instructions, see Overview of SBTS integration in Integrating SBTS to NetAct.

Table 21: CNUM information checklist for SBTS

6.2.3.2 Limitations

SBTS only supports CNUM for the Element Manager Launch operation. For other O&M operations (for example, fault management, configuration management, and so on), Network Element Access Control (NEAC) service users are used. However, if the NE3S operation logging feature is enabled, an SBTS with the CNUM license supports end-to-end traceability with the NetAct username in the BTS logs.

Note: To enable the NE3S OAM operation logging feature, the ne3sOperationLogging parameter must be enabled through WebEM/CM.

6.2.3.3 Installing and activating SBTS certificate

For SBTS20B and later versions, instructions on how to install and activate SBTS certificates are in Single RAN, Rel. <network element release>, Operating Documentation on the Support portal at https://customer.nokia.com. Accessing the documentation and software in the portal requires authentication. <network element release> means the SRAN release; for example, when you are integrating SBTS20B, refer to Single RAN, Rel. SRAN 20B, Operating Documentation.


6.2.3.4 Checking SBTS permissions

Note:

• If you only use default roles, assign the default roles to the group to which the NetAct user belongs.
• If you need to create a new role, grant the NetAct permissions and SBTS permissions to the new role, and then assign the new role to the group to which the NetAct user belongs. The root context of SBTS in Permission Management is SBTS.

Permission name: System User Access Mode

  Operation: Read_Only (deprecated/invalid permission)
  Description: This permission is not valid.
  Default role: N/A
  Used by SBTS: No

  Operation: Read_Write
  Description: This permission enables read and write access to BTS Admin as BTS system administrator.
  Default role: CM-Configuration Management Administration (Note: FM-Fault Management Admin is added since SRAN21B)
  Used by SBTS: Yes

Permission name: Security User Access Mode

  Operation: Read_Only (deprecated/invalid permission)
  Description: This permission is not valid.
  Default role: N/A
  Used by SBTS: No

  Operation: Read_Write
  Description: This permission enables read and write access to BTS Admin as BTS security administrator.
  Default role: N/A
  Used by SBTS: Yes

Permission name: Application User Access Mode

  Operation: Read_Only (deprecated/invalid permission)
  Description: This permission is not valid.
  Default role: N/A
  Used by SBTS: No

  Operation: Read_Write
  Description: This permission enables read and write access to BTS Admin as BTS application administrator.
  Default role: N/A
  Used by SBTS: Yes

Permission name: Read Only User Access Mode

  Operation: Read_Only
  Description: This permission enables read-only access to BTS Admin.
  Default role: N/A
  Used by SBTS: Yes

Table 22: Supported BTS roles and permissions

6.2.3.5 Activating and deactivating CNUM

6.2.3.5.1 Activating CNUM on SBTS

The supported LDAP access types in SBTS are StartTLS and PREFER TLS.

Note: To activate CNUM using StartTLS, it is mandatory that the following activities are completed before activating CNUM. To activate CNUM using PREFER TLS, Nokia highly recommends completing them as well, because PREFER TLS does not make the TLS protection mandatory and leaving them out is a security risk.

• Certificates are installed on NetAct.

To check whether the certificates are installed, see Get issuer name in Administering NetAct System Security. If the certificates are not installed, see Managing certificates in Administering NetAct System Security to install them.

Note: When you follow the instructions in Managing certificates in Administering NetAct System Security, use dirsrv_access as the usecase name.

• Certificates are installed on SBTS.

To check whether the certificates are installed, see Installing and activating SBTS certificate.

To activate CNUM on SBTS, see Activating CNUM.

Note:

– When you log in to the NetAct Start Page to do the activation, use the login name and password of the integrating user. For more information about the integrating user, see Managing NetAct user for SBTS integration engineer in Integrating SBTS to NetAct.
– If you need to change the LDAP access type for SBTS after CNUM activation, deactivate CNUM first, and then activate CNUM again with the new LDAP access type.

Note: With the feature SR000858: Login restriction with CNUM, the operator can disable the local SBTS operator user account when Centralized Network Element User Management (CNUM) is in use. For more information, see Single RAN, Rel. <network element release>, Operating Documentation on the Support portal at https://customer.nokia.com. Accessing the documentation and software in the portal requires authentication. <network element release> means the SRAN release; for example, when you are integrating SBTS20B, refer to Single RAN, Rel. SRAN 20B, Operating Documentation.

6.2.3.5.2 Verifying CNUM activation

1. Log in to the NetAct Start Page as the integration user.

2. Select Security → Network Element Access Control → Centralized NE User Management.

Expected outcome

The CNUM status on the activated SBTS displays Activated.

3. Verify CNUM activation through Element Manager.


a) Log in to the NetAct Start Page as described in step 1.
b) In NetAct Start Page, click Monitoring → Monitor.
c) In NetAct Monitor, open Object Explorer by selecting Tools → Managed Objects → Object Explorer.

Expected outcome

The Objects pane appears.

d) Right-click the MRBTS and select Element Manager in the Element Management sub-menu.

Expected outcome

CNUM is activated if the integration user logs in to Element Manager successfully.

6.2.3.5.3 Deactivating CNUM on SBTS

To deactivate CNUM on SBTS, see Deactivating CNUM.

6.2.3.5.4 Verifying CNUM deactivation

1. Log in to the NetAct Start Page.


a) In the address field of your internet browser, type the following URL address:

https://<system_FQDN>/startpage


where <system_FQDN> is the fully qualified domain name of the NetAct cluster load balancer
for WebSphere. For more information, see Launching the NetAct Start Page.
b) Type the Username and Password, and click Log In.

Note: If the terms and conditions appear, select the I have read and agree to
the above terms and conditions check box, and then click Log In. For more
information, see Modifying terms and conditions page.

c) Click Accept or Continue.

2. Select Security → Network Element Access Control → Centralized NE User Management.

Expected outcome

The CNUM status on the deactivated SBTS displays Deactivated.

6.2.3.5.5 Changing the password of the SBTS account

To change the password of a network element account, see Updating the password for the network element account (NE bind user account) in Centralized Network Element User Management Help.

6.2.3.6 Troubleshooting

6.2.3.6.1 Activation failure on SBTS

Problem

Activating CNUM on SBTS fails.

Possible causes

• The certificates of LDAP are not installed on NetAct properly for StartTLS mode.
• The LDAP service is not working properly.
• NE3S/WS mediation is not working properly.

Solution

1. Check whether the LDAP certificates are installed successfully on NetAct. For more information, see Get issuer name in Administering NetAct System Security. If the certificate is not as expected or not trusted, reinstall the certificates for LDAP. For information, see Installing certificates for selected usecase in Administering NetAct System Security.

Note: When you follow the instructions in Managing certificates in Administering NetAct System Security, use dirsrv_access as the usecase name.

2. Check the LDAP related problems. For more information, see Unable to login - LDAP problems in Troubleshooting Security Management.

3. Check the NE3S/WS mediation log in the /var/opt/oss/log/common_mediations directory on the NetAct VM where the common_mediation is running, and then contact Nokia Technical Support. To locate the VM where a specific service is running, see Locating the right virtual machine for a service in Administering NetAct Virtual Infrastructure.

6.2.4 Configuring CNUM for Nokia AirScale BTS 5G


Nokia AirScale BTS 5G supports Centralized Network Element User Management (CNUM) in NetAct.
For more information on CNUM, see Controlling network element access with Centralized Network
Element User Management.

Note: To get support for network element versions that are delivered through NetAct fast pass Service Packages (SPs), install or activate the compatible NetAct fast pass SPs through the fast pass installation toolkit (FIT). For more information about network element support through NetAct fast pass SPs, see Compatibility of NetAct and NetAct fast pass Service Packages in NetAct Release Changes.

6.2.4.1 Prerequisites for Nokia AirScale BTS 5G

This section describes the information you must know and the basic requirements which must be met
before configuring CNUM for Nokia AirScale BTS 5G.

License
  The following license is required to be installed in NetAct:
  • Feature code: 51026
  • Feature name: Centralized UM with Security Logs Radio

Supported Nokia AirScale BTS 5G releases
  AirScale BTS-5G, gNB-DU 5G21ADU, and later gNB-DU

List of service types needed to activate CNUM
  SOAM Web Service Access

Service types needed to verify CNUM activation or deactivation status
  BTS Account Access

Supported LDAP access types
  StartTLS, PREFER TLS
  Note: PREFER TLS is not supported for 5G19ACLA.

Supported IP versions
  IPv4, IPv6

The NetAct user needed for CNUM configuration (CNUM user)
  The CNUM user is used to log in to the NetAct Start Page to perform CNUM related operations in NetAct. In Network Element Access Control, grant the credentials listed in Service types needed to activate CNUM and Service types needed to verify CNUM activation or deactivation status to the group where the CNUM user belongs. The following default NetAct roles must be assigned to the group to which the CNUM user belongs:
  • FM-Fault Management Admin
  • SM-Security Administration
  For more permissions that must be granted to the CNUM user for CNUM operations, see Checking Nokia AirScale BTS 5G permissions.
  For detailed instructions on how to manage users, see About user management in User Management Help.
  For detailed instructions on how to manage permissions, see About permission management in Permission Management Help.

Firewall
  Ensure that port 389 is open from Nokia AirScale BTS 5G to the LB WAS virtual IP during integration.

Nokia AirScale BTS 5G integration with TLS mode
  Ensure that Nokia AirScale BTS 5G is integrated to NetAct in TLS mode successfully. For detailed instructions, see the Overview of Nokia Airscale BTS 5G integration section in the Integrating Nokia Airscale BTS 5G to NetAct document. Note that this document becomes available only after the respective NetAct fast pass Service Package is installed.

Table 23: CNUM information checklist for Nokia AirScale BTS 5G

6.2.4.2 Checking Nokia AirScale BTS 5G permissions

Note:

• If you only use default roles, assign the default roles to the group to which the CNUM user belongs.
• If you need to create a new role, grant the NetAct permissions and Nokia AirScale BTS 5G permissions to the new role, and then assign the new role to the group to which the CNUM user belongs. The root context of Nokia AirScale BTS 5G in Permission Management is NRBTS.
• CNUM only supports System User Access Mode in 5G19B and earlier classical versions.

Permission name: System User Access Mode

  Operation: Read_Write
  Description: This permission enables read and write access to BTS Admin as BTS system administrator.
  Default roles: FM-Fault Management Admin, CM-Configuration Management Administration
  Used by Nokia AirScale BTS 5G: Yes

Permission name: Security User Access Mode

  Operation: Read_Write
  Description: This permission enables read and write access to BTS Admin as BTS security administrator.
  Default roles: FM-Fault Management Admin, CM-Configuration Management Administration
  Used by Nokia AirScale BTS 5G: Yes

Permission name: Application User Access Mode

  Operation: Read_Write
  Description: This permission enables read and write access to BTS Admin as BTS application administrator.
  Default role: N/A
  Used by Nokia AirScale BTS 5G: Yes

Permission name: Read Only User Access Mode

  Operation: Read_Only
  Description: This permission enables read-only access to BTS Admin.
  Default role: N/A
  Used by Nokia AirScale BTS 5G: Yes

Table 24: Supported default BTS roles and permissions

For detailed instructions on how to manage permissions, see About permission management in Permission Management Help.

6.2.4.3 Activating and deactivating CNUM

6.2.4.3.1 Activating CNUM on Nokia AirScale BTS 5G

The supported LDAP access types in Nokia AirScale BTS 5G are StartTLS and PREFER TLS. Before
activating CNUM, make sure that the instructions in Prerequisites for Nokia AirScale BTS 5G have
been completed.

To activate CNUM on Nokia AirScale BTS 5G, see Activating CNUM.

Note: When you log in to the NetAct Start Page to do the activation, use the login name and
password of the CNUM user.

6.2.4.3.2 Verifying CNUM activation

1. Log in to the NetAct Start Page.

a) In the address field of your internet browser, type the following URL address:

https://<system_FQDN>/startpage

where <system_FQDN> is the fully qualified domain name of the NetAct cluster load balancer
for WebSphere. For more information, see Launching the NetAct Start Page.

b) Type the Username and Password, and click Log In.

Note: If the terms and conditions appear, select the I have read and agree to
the above terms and conditions check box, and then click Log In. For more
information, see Modifying terms and conditions page.

c) Click Accept or Continue.

2. Select Security → Network Element Access Control → Centralized NE User Management.

Expected outcome

The CNUM status on the activated Nokia AirScale BTS 5G displays Activated.

3. Verify CNUM activation through Element Manager.

a) Log in to the NetAct Start Page as described in step 1.
b) In NetAct Start Page, click Monitoring → Monitor.
c) In NetAct Monitor, open Object Explorer by selecting Tools → Managed Objects → Object
Explorer.

Expected outcome

The Objects pane appears.

d) Right-click the MRBTS-<instance ID> object, and select Element Manager in the Element
Management sub-menu.

Expected outcome

CNUM is activated if the CNUM user logs in to Element Manager successfully.

Note: The CNUM user is valid only for Element Manager launch, not for other integration
operations such as PM or CM related operations. Those integration operations take their
credentials from NEAC.

6.2.4.3.3 Deactivating CNUM on Nokia AirScale BTS 5G

To deactivate CNUM on Nokia AirScale BTS 5G, see Deactivating CNUM.

6.2.4.3.4 Verifying CNUM deactivation

1. Log in to the NetAct Start Page.

a) In the address field of your internet browser, type the following URL address:

https://<system_FQDN>/startpage

where <system_FQDN> is the fully qualified domain name of the NetAct cluster load balancer
for WebSphere. For more information, see Launching the NetAct Start Page.

b) Type the Username and Password, and click Log In.

Note: If the terms and conditions appear, select the I have read and agree to
the above terms and conditions check box, and then click Log In. For more
information, see Modifying terms and conditions page.

c) Click Accept or Continue.

2. Select Security → Network Element Access Control → Centralized NE User Management.

Expected outcome

The CNUM status on the deactivated Nokia AirScale BTS 5G displays Deactivated.

3. Verify CNUM deactivation through Element Manager.

a) Log in to the NetAct Start Page as described in step 1.
b) In NetAct Start Page, click Monitoring → Monitor.
c) In NetAct Monitor, open Object Explorer by selecting Tools → Managed Objects → Object
Explorer.

Expected outcome

The Objects pane appears.

d) Right-click the MRBTS-<instance ID> object, and select Element Manager in the Element
Management sub-menu.

Expected outcome

If the login user is the BTS Account Access user configured in NEAC, CNUM deactivation is
successful.

6.2.4.3.5 Change password of Nokia AirScale BTS 5G account

To change the password of a network element account, see Updating the password for the network
element account (NE bind user account) in Centralized Network Element User Management Help.

6.2.4.4 Limitation

Nokia AirScale BTS 5G only supports CNUM for the Element Manager launch operation. For other O&M
operations (for example, fault management, configuration management, and so on), Network Element
Access Control (NEAC) service users are used.


6.2.4.5 Troubleshooting

6.2.4.5.1 Activation failure on Nokia AirScale BTS 5G

Problem

Activating CNUM on Nokia AirScale BTS 5G fails.

Possible causes

1. The certificates of LDAP are not installed on NetAct properly for StartTLS mode.
2. LDAP service is not working properly.
3. NE3S/WS mediation is not working properly.
4. The certificates are not installed successfully on Nokia AirScale BTS 5G.

Solution

1. Check whether the LDAP certificates are installed successfully on NetAct. For more information,
see Get issuer name in Administering NetAct System Security. If the certificate is not as expected
or not trusted, re-install the certificates for LDAP. For information, see Installing certificates in
Integrating Nokia AirScale BTS 5G to NetAct.

Note: When you follow the instructions in Get issuer name in Administering NetAct System
Security, use dirsrv_access as the usecase name.

2. Check the LDAP related problems. For more information, see Unable to login - LDAP problems in
Troubleshooting Security Management.
3. Check the NE3S/WS mediation log from the /var/opt/oss/log/common_mediations directory
on the NetAct VM where the common_mediation is running, and then contact Nokia Technical
Support. To locate the VM where a specific service is running, see Locating the right virtual
machine for a service in Administering NetAct Virtual Infrastructure.
4. Check whether the certificates are installed successfully on Nokia AirScale BTS 5G. For more
information, see Verifying Nokia AirScale BTS 5G connectivity to NetAct in TLS mode section in
Integrating Nokia Airscale BTS 5G to NetAct document. If the certificate is not as expected or not
trusted, re-install the certificates for Nokia AirScale BTS 5G. For information, see Configuring
certificates on Nokia AirScale BTS 5G for TLS mode section in Integrating Nokia Airscale BTS 5G to
NetAct document. However, the Integrating Nokia Airscale BTS 5G to NetAct document is available
once the respective NetAct fast pass Service Package is installed.

6.2.4.5.2 Deactivation failure on Nokia AirScale BTS 5G

Problem

Deactivating CNUM for Nokia AirScale BTS 5G fails.

Possible causes

1. Logging in to LDAP fails.
2. NE3S/WS mediation is not working properly.

Solution

1. Check the LDAP related problems. For more information, see Unable to login - LDAP problems in
Troubleshooting Security Management.
2. Check NE3S/WS mediation log from the /var/opt/oss/log/common_mediations directory
on the NetAct VM where the common_mediation is running, and then contact Nokia Technical
Support. To locate the VM where a specific service is running, see Locating the right virtual
machine for a service in Administering NetAct Virtual Infrastructure.

6.2.5 Configuring CNUM for DCAP

DCAP supports Centralized Network Element User Management (CNUM) in NetAct. For more
information on CNUM, see Controlling network element access with Centralized Network Element User
Management in Administering Users and Permissions.

6.2.5.1 Preparing CNUM

The prerequisites for configuring CNUM are listed in the following table.

Requirement: Make sure DCAP supports CNUM.
Instructions: DCAP Windows (DCAP18 FP1 and later releases) supports CNUM.

Requirement: DCAP is integrated to NetAct successfully.
Instructions: See Overview of DCAP integration in Integrating Data Collection and Analytics Platforms
to NetAct.

Note: Ensure port 389 is open from DCAP to LB WAS virtual IP during integration.

Requirement: The required license is installed in NetAct and DCAP.
Instructions: One of the following licenses is installed in NetAct:
• Feature code: 36212; Feature name: NetAct Radio DCAP LTE Standard SW.
• Feature code: 36213; Feature name: NetAct Radio DCAP 2G/3G Standard SW.
License installed in DCAP: contact the network element administrator to check the CNUM license
installed in DCAP.

Requirement: The NetAct user with required roles is created to activate DCAP CNUM from NEAC GUI.
Instructions: The required roles are the following:
• FM-Fault Management Admin
• SM-Security Administration

Requirement: Service Type(s) needed to activate CNUM
Instructions: NEUM Admin Access. For more information, see Managing DCAP credentials in
Integrating Data Collection and Analytics Platforms to NetAct.

Requirement: The credential on DCAP Windows
Instructions: The following credential on DCAP Windows must be obtained: Windows OS user account

Requirement: Supported LDAP access types
Instructions: StartTLS

Requirement: Supported IP versions
Instructions: IPv4, IPv6

Table 25: Requirements needed for configuring CNUM

6.2.5.1.1 Checking and creating certificates on NetAct

You can use either the local NetAct Smart Certificate (SmCert) CA or a 3rd-party CA. This section
uses the local NetAct SmCert CA to sign certificates as an example. To use a 3rd-party CA, contact
Nokia Technical Support for help to get the required certificates.

Note: If the NetAct LDAP certificate is signed by the root CA, use the root CA to sign the DCAP
certificate. If the NetAct LDAP certificate is signed by an intermediate CA, use the intermediate
CA's root CA to sign the DCAP certificate.

1. Log in to the NetAct VM where the dirsrv service runs as the omc user, and switch to the root
user.

2. Check whether the LDAP certificates are installed by entering:

certutil -L -d /etc/dirsrv/slapd-oss

Expected outcome

An example output:

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

CN=NetAct Root -345678 CA                                    CT,,
dirsrv_access                                                u,u,u

3. If the LDAP certificates are not installed, perform the following steps:

a) Configure and generate SmCert CA.

For more information, see Selecting certification authority in Administering NetAct System
Security.

b) Install the LDAP certificates. During the installation, if the LDAP certificates are not created,
create and re-install the certificates.

To create the LDAP certificates, see Creating certificates in Administering NetAct System
Security.

To install the LDAP certificates, see Installing certificates for selected usecase in Administering
NetAct System Security.
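Step 2 above checks the certutil output by eye. The following Python script is an added example, not part of the NetAct documentation: it parses that output and reports whether the dirsrv_access server certificate and a trusted CA are present, so the decision in step 3 can be scripted. The embedded sample is a constructed copy of the output shown in step 2, and the function and variable names are the example's own.

```python
"""Check the output of `certutil -L -d /etc/dirsrv/slapd-oss` for the LDAP
certificates that CNUM in StartTLS mode depends on.

Added example, not part of the NetAct documentation. SAMPLE_CERTUTIL_OUTPUT is
a constructed copy of the output shown in the procedure; on the dirsrv VM,
feed the real command output to check_ldap_certificates() instead.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample mirroring the layout that certutil -L prints:
# nickname, then the SSL,S/MIME,JAR/XPI trust attribute triple.
SAMPLE_CERTUTIL_OUTPUT = """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

CN=NetAct Root -345678 CA                                    CT,,
dirsrv_access                                                u,u,u
"""

# Nickname of the LDAP server certificate (the usecase name used in this document).
SERVER_NICKNAME = "dirsrv_access"

# A data line is "<nickname>  <2+ spaces>  <ssl>,<smime>,<jar>". The column header
# lines do not match: "Trust Attributes" has no commas and "SSL,S/MIME,JAR/XPI"
# starts with whitespace and contains '/'.
_ENTRY_RE = re.compile(
    r"^(?P<nick>\S.*?)\s{2,}(?P<trust>[A-Za-z]*,[A-Za-z]*,[A-Za-z]*)\s*$"
)


@dataclass
class CertEntry:
    nickname: str
    ssl: str    # trust flags for the SSL usage
    smime: str  # trust flags for S/MIME
    jar: str    # trust flags for JAR/XPI signing


def parse_certutil_list(text: str) -> list[CertEntry]:
    """Turn certutil -L output into one CertEntry per certificate in the NSS database."""
    entries: list[CertEntry] = []
    for line in text.splitlines():
        match = _ENTRY_RE.match(line)
        if match is None:
            continue  # column headers and blank lines
        ssl, smime, jar = match.group("trust").split(",")
        entries.append(CertEntry(match.group("nick").strip(), ssl, smime, jar))
    return entries


def check_ldap_certificates(text: str) -> list[str]:
    """Return the list of problems found; an empty list means step 3 can be skipped.

    NSS trust flag semantics: 'u' marks a certificate whose private key is in the
    database (the server certificate), 'C' a CA trusted to issue server
    certificates and 'T' a CA trusted to issue client certificates.
    """
    entries = {entry.nickname: entry for entry in parse_certutil_list(text)}
    problems: list[str] = []

    server = entries.get(SERVER_NICKNAME)
    if server is None:
        problems.append(
            f"{SERVER_NICKNAME} is missing: create and install the LDAP certificates (step 3)"
        )
    elif "u" not in server.ssl:
        problems.append(
            f"{SERVER_NICKNAME} is present but has no private key for SSL (trust '{server.ssl}')"
        )

    trusted_cas = [
        entry for entry in entries.values()
        if entry.nickname != SERVER_NICKNAME and ("C" in entry.ssl or "T" in entry.ssl)
    ]
    if not trusted_cas:
        problems.append("no trusted CA certificate (SSL trust flag C or T) is installed")
    return problems


if __name__ == "__main__":
    report = check_ldap_certificates(SAMPLE_CERTUTIL_OUTPUT)
    for line in report or ["LDAP certificates look installed"]:
        print(line)
```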

6.2.5.1.2 Installing and activating DCAP certificate

To install and activate certificates on DCAP Windows, see Managing certificates section and
Configuring JOMA/Esymac settings section in Nokia DCAP NetAct O&M Agent Installation
and Configuration Instructions on Support portal in https://customer.nokia.com. Accessing the
documentation and software in the portal requires authentication.

6.2.5.2 Checking permissions

The mapping between DCAP permissions and default NetAct roles is listed in the following table.

Permission Name: SecurityAdmin
Operation: AdminAccess
Description: The admin permission for DCAP Windows.
Default Roles: SM_SecurityAdministration

Table 26: Mapping between DCAP permissions and default NetAct roles

6.2.5.3 Activating CNUM

1. Log in to the NetAct Start Page.

a) In the address field of your internet browser, type the following URL address:

https://<system_FQDN>/startpage

where <system_FQDN> is the fully qualified domain name of the NetAct cluster load balancer
for WebSphere. For more information, see Launching the NetAct Start Page.

b) Type the Username and Password, and click Log In.

Note: If the terms and conditions appear, select the I have read and agree to
the above terms and conditions check box, and then click Log In. For more
information, see Modifying terms and conditions page.

c) Click Accept or Continue.

2. Click Security → Network Element Access Control.

The Network Element Access Control window appears.

3. Click the Centralized NE User Management tab.

4. Select the network element for which you want to activate CNUM.

Tip: You can filter or sort the list, and select the desired network element.

• Click the column header to sort the list in alphabetical order.
• Type the text in the column field to filter the list.

5. From the LDAP access type list, select StartTLS.

6. If the IP address of the network element is IPv4, select IPv4 from the IP version list; if the IP
address of the network element is IPv6, select IPv6 from the IP version list.

7. Click Activate.

CNUM status of the network element changes to Ongoing.

8. Click Refresh to view the CNUM status change.

If the activation is unsuccessful, the CNUM status shows Failed activation. Click the Failed
activation link to view the causes of failure.

For more information about activating CNUM, see Activating Centralized Network Element User
Management in Centralized Network Element User Management Help.

9. Log in to the DCAP Windows server as <domain name>\<Windows OS user account> user by
using a remote desktop connection.

Note: To log in using remote desktop, for example in Windows Operating System, click
Start → All Programs → Accessories → Remote Desktop Connection. The following
procedures should be done on the Remote Desktop.

10. Restart JomaManager on DCAP. For more information, see section Starting and stopping JOMA
of Nokia DCAP NetAct O&M Agent Installation and Configuration Instructions on Support portal
in https://customer.nokia.com. Accessing the documentation and software in the portal requires
authentication.

11. Right-click the JomaManager notification icon and select Login.

12. Enter the NetAct Username and Password in the DCAP Login dialog, and click Log In.

Expected outcome

Login succeeds.

6.2.5.4 Verifying CNUM activation

1. Log in to the NetAct Start Page.

a) In the address field of your internet browser, type the following URL address:

https://<system_FQDN>/startpage

where <system_FQDN> is the fully qualified domain name of the NetAct cluster load balancer
for WebSphere. For more information, see Launching the NetAct Start Page.

b) Type the Username and Password, and click Log In.

Note: If the terms and conditions appear, select the I have read and agree to
the above terms and conditions check box, and then click Log In. For more
information, see Modifying terms and conditions page.

c) Click Accept or Continue.

2. Select Security → Network Element Access Control → Centralized NE User Management.

Expected outcome

The CNUM status on the activated DCAP displays Activated.

3. Verify CNUM activation through element management launch.

a) Log in to NetAct Start Page.
b) In NetAct Start Page, open Monitor by clicking Monitoring → Monitor.
c) In Monitor, open Object Explorer by selecting Tools → Managed Objects → Object Explorer.
d) Right-click the DCAP-<instance ID> object and select Element Management → Launch
Server Desktop.

Expected outcome

The elementmanager progress bar appears displaying the status of the operation. After the
operation is complete, the Remote Desktop Connection window opens.

Note: If there is a security warning from Citrix Receiver, click Permit use.

e) In Remote Desktop Connection window, enter <domain name>\<Windows OS user
account> and password, then click OK.

Note: If there is a security warning that the remote computer could not be
authenticated, click Yes to continue.

Expected outcome

The Windows-based target server can be accessed and the connection is successful.

f) Go to the directory where a DCAP application was installed. For example, C:\Program
Files\MegaMon.
g) Open the application.


Expected outcome

Application opens successfully. CNUM is activated.

6.2.5.5 Changing password of DCAP account

1. Log in to the NetAct Start Page.

a) In the address field of your internet browser, type the following URL address:

https://<system_FQDN>/startpage

where <system_FQDN> is the fully qualified domain name of the NetAct cluster load balancer
for WebSphere. For more information, see Launching the NetAct Start Page.

b) Type the Username and Password, and click Log In.

Note: If the terms and conditions appear, select the I have read and agree to
the above terms and conditions check box, and then click Log In. For more
information, see Modifying terms and conditions page.

c) Click Accept or Continue.

2. Click Security → Network Element Access Control.

The Network Element Access Control window appears.

3. Click the Centralized NE User Management tab.

4. Select the network element for which you want to update the password.

5. Click Update Password.

The status of the network element is changed to Ongoing.

6. Click Refresh.

The status is changed to Password updated.

6.2.5.6 Deactivating CNUM and verifying CNUM deactivation

1. Log in to the NetAct Start Page.

a) In the address field of your internet browser, type the following URL address:

https://<system_FQDN>/startpage

where <system_FQDN> is the fully qualified domain name of the NetAct cluster load balancer
for WebSphere. For more information, see Launching the NetAct Start Page.

b) Type the Username and Password, and click Log In.

Note: If the terms and conditions appear, select the I have read and agree to
the above terms and conditions check box, and then click Log In. For more
information, see Modifying terms and conditions page.

c) Click Accept or Continue.

2. Click Security → Network Element Access Control.

The Network Element Access Control window appears.

3. Click the Centralized NE User Management tab.

4. Select the network element for which you want to deactivate CNUM.

5. Click Deactivate.

The status of the network element changes to Ongoing.

6. Click Refresh.

The status is changed to Deactivated.

Note: Deactivation of CNUM on the network element takes some time.

If the deactivation is unsuccessful, the CNUM status shows Failed deactivation. Click the Failed
deactivation link to view the causes of failure.

7. Log in to the DCAP Windows server as <domain name>\<Windows OS user account> user by
using a remote desktop connection.

Note: To log in using remote desktop, for example in Windows Operating System, click
Start → All Programs → Accessories → Remote Desktop Connection. The following
procedures should be done on the Remote Desktop.

8. Restart JomaManager on DCAP. For more information, see section Starting and stopping JOMA
of Nokia DCAP NetAct O&M Agent Installation and Configuration Instructions on Support portal
in https://customer.nokia.com. Accessing the documentation and software in the portal requires
authentication.

9. Right-click the JomaManager notification icon and check the Login item.

Expected outcome

The Login item is disabled and appears gray, which means that CNUM is deactivated.


6.2.5.7 Troubleshooting CNUM

This section describes how to troubleshoot problems when you configure CNUM for DCAP.

6.2.5.7.1 Activating CNUM fails

For possible causes and solutions, see Centralized Network Element User Management Activation
Failure in Troubleshooting Security Management.

6.2.5.7.2 Changing password fails

Problem

Changing password fails.

Solution

If the password update is unsuccessful, the CNUM status shows Failed update. Click the Failed
update link to view the causes of failure.

6.2.6 Configuring CNUM for BSC

FlexiBSC, mcBSC, and ASBSC support Centralized Network Element User Management (CNUM)
in NetAct. For more information, see Controlling network element access with Centralized Network
Element User Management in Administering Users and Permissions.

6.2.6.1 CNUM prerequisites for BSC

The requirements for configuring CNUM are listed in the following table.

Requirement: License
Instructions: The following license is required to be installed in NetAct:
• Feature code: 0000005090
• Feature name: Centralized NE User Management for GSM

Requirement: Service Type needed to activate CNUM
Instructions: NEUM Admin Access

Requirement: Supported BSC releases for CNUM
Instructions:
• BSCFP20A, BSCFP20B, and BSCFP21B are supported for both mcBSC and FlexiBSC platforms.
• ASBSC20FP1, ASBSC20FP2, ASBSCFP20A, ASBSCFP20B, and ASBSCFP21B are supported for
AirScale BSC.
• SR50 (since RGR50 SP4) is supported for GSMR BSC.

Note: SR50 (since RGR50 SP4) only supports the hashing algorithm SHA1. For CNUM
functionality to work as expected, you need to enable TLS 1.0. For more information
on how to enable TLS 1.0, see Managing TLS protocol configuration in Administering
NetAct System Security.

Requirement: Supported LDAP access types
Instructions: StartTLS

Requirement: Supported IP versions
Instructions: IPv4/IPv6

Note:
• mcBSC supports IPv6 integration.
• ASBSC supports IPv6 integration for ASBSC20FP2 and later versions.
• GSMR only supports IPv4.

Requirement: BSC username and password policy
Instructions:
• The length of the BSC username must be in the range listed below after CNUM is activated.
  – For SR50 (since RGR50 SP4), the range is from 3 to 6.
  – For BSCFP20A, ASBSC20FP1 and their later versions, the range is from 3 to 16.

Note: If the length of the NetAct username is not in the range listed above, the user is
not allowed to log in to BSC, and NetAct falls back to Network Element Access Control
(NEAC) automatically.

• The BSC password must contain 6 to 15 characters, consisting of alphanumeric characters
and ASCII characters from HEX 21 to HEX 7E.

Note: The password of the NetAct user that is used for CNUM should comply with the BSC
password policy.

Requirement: BSC is integrated to NetAct successfully.
Instructions: See Overview of BSC integration in Integrating BSC to NetAct.

Note: Ensure port 389 is open from BSC to LB WAS virtual IP during integration. In the
Network Element Access Control application, get the NEUM Admin Access user, which is the
Network Element Access Control admin user on BSC. The user must have I=250, W=250
and Q=250 permissions. This user is used to log in to BSC to perform the operations in this
document.

Requirement: The NetAct user with required roles is created to activate BSC CNUM from NEAC GUI.
Instructions: The required roles are the following:
• FM-Fault Management Admin
• SM-Security Administration

Requirement: Enable restricted anonymous access.
Instructions: See Restricted anonymous login to the LDAP directory.

Requirement: Check that the FTP-1 and FTP-PM interfaces are created in Monitor.
Instructions: If the interfaces are not created, you can create them. For more information, see
Creating FTP interface object in Integrating BSC to NetAct.

Table 27: Requirements needed for configuring CNUM
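A NetAct account whose username length is outside the range in Table 27 is refused by the BSC and silently falls back to NEAC, so it pays to check the accounts before activating CNUM. The following Python checker is an added example, not part of the NetAct documentation; the release family labels and the sample accounts are its own constructed values.

```python
"""Pre-check NetAct accounts against the BSC username and password policy
(Table 27) before activating CNUM for BSC.

Added example, not part of the NetAct documentation. A username whose length
is outside the allowed range cannot log in to the BSC and NetAct falls back to
NEAC for that user, so such accounts are worth finding up front.
"""
from __future__ import annotations

# Inclusive username length range per BSC release family, as stated in Table 27.
# The family labels are this example's own shorthand.
USERNAME_LENGTH = {
    "SR50": (3, 6),        # SR50 (since RGR50 SP4), GSMR BSC
    "BSCFP20A+": (3, 16),  # BSCFP20A, ASBSC20FP1 and their later versions
}
# Passwords: 6 to 15 characters, each an ASCII character from 0x21 to 0x7E
# (that range already contains every alphanumeric character).
PASSWORD_LENGTH = (6, 15)
PASSWORD_CHAR_RANGE = (0x21, 0x7E)


def check_bsc_username(username: str, release_family: str) -> list[str]:
    """Return the policy violations for a username on the given BSC release family."""
    low, high = USERNAME_LENGTH[release_family]
    if low <= len(username) <= high:
        return []
    return [
        f"username '{username}' has {len(username)} characters, allowed {low}-{high} "
        f"on {release_family}: the user cannot log in to BSC and NetAct falls back to NEAC"
    ]


def check_bsc_password(password: str) -> list[str]:
    """Return the policy violations for a password (length and character set)."""
    problems: list[str] = []
    low, high = PASSWORD_LENGTH
    if not low <= len(password) <= high:
        problems.append(f"password has {len(password)} characters, allowed {low}-{high}")
    first, last = PASSWORD_CHAR_RANGE
    bad = sorted({ch for ch in password if not first <= ord(ch) <= last})
    if bad:
        # Space (0x20), control characters and non-ASCII letters all land here.
        problems.append(
            "password contains characters outside ASCII 0x21-0x7E: "
            + ", ".join(f"U+{ord(ch):04X}" for ch in bad)
        )
    return problems


def check_netact_account(username: str, password: str, release_family: str) -> list[str]:
    """Combined check for one NetAct account that is to be used through CNUM on a BSC."""
    return check_bsc_username(username, release_family) + check_bsc_password(password)


if __name__ == "__main__":
    # Constructed sample accounts; none of these are real credentials.
    samples = [
        ("omc", "Netact#22", "SR50"),
        ("operator1", "Netact#22", "SR50"),   # 9 characters: too long for SR50
        ("operator1", "Netact#22", "BSCFP20A+"),
        ("omc", "net act", "BSCFP20A+"),      # space is 0x20, outside the range
        ("omc", "Ab1!", "BSCFP20A+"),         # too short
    ]
    for user, pwd, family in samples:
        problems = check_netact_account(user, pwd, family)
        print(f"{user} on {family}: " + ("OK" if not problems else "; ".join(problems)))
```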

6.2.6.2 Installing BSC certificate

6.2.6.2.1 Generating and installing certificate and key

You can use either the local NetAct Smart Certificate (SmCert) CA, an SmCert CA on a separate
machine, or a 3rd-party CA. This section uses the local NetAct SmCert CA to sign certificates as an
example.

Note: If the NetAct LDAP certificate is signed by the root CA, use the root CA to sign the BSC
certificate. If the NetAct LDAP certificate is signed by an intermediate CA, use this intermediate
CA's root CA to sign the BSC certificate.

6.2.6.2.1.1 Generating certificate and key

1. Log in to the NetAct VM where the dmgr service runs as the omc user, and switch to the root user.

2. Check whether the CA exists by entering the command:

find *.pem /opt/oss/NSN-sm_conf_cert/generated/certificationAuthority

Example output:

NetAct_L0_CACert.pem

In the output, NetAct is <systemname>.

Note: Skip step 3 to step 10 if the NetAct CA is already installed and it works normally.

3. Generate CA by entering the command:

cp /opt/oss/NSN-sm_conf_cert/templates/smcert.properties.template /opt/oss/NSN-sm_conf_cert/templates/smcert.properties

4. Change the permission for the smcert.properties file by entering the command:

chmod 600 /opt/oss/NSN-sm_conf_cert/templates/smcert.properties

5. Edit the /opt/oss/NSN-sm_conf_cert/templates/smcert.properties file by adding the
following property line:

property.<systemName>.crlURI.<caLevel> = URI:http://<server>/ca/{crlFileName}


For example, if you set <systemname> as NetAct, <caLevel> as 0 and <server> from the
result by entering the command /opt/cpf/bin/cpf_list_lb_address.sh --lb was, then
you can enter the command:

property.NetAct.crlURI.0 = URI:http://clab1525lbwas.myDomain.com/ca/{crlFileName}

Note: <systemname> in step 5 cannot be the same as the <systemname> in step 2
output.

For more information, see Signing using NetAct CA in Administering NetAct System Security.

6. Navigate to the /opt/oss/NSN-sm_conf_cert/bin directory by entering the command:

cd /opt/oss/NSN-sm_conf_cert/bin

7. Generate NetAct CA by entering the command:

./smcert_generate_ca.sh --systemName <systemname> --caLevel 0 --hashingAlgorithm <hashingAlgorithm>

For example, if you set <systemname> as NetAct and <hashingAlgorithm> as SHA1, then
you can enter the command:

./smcert_generate_ca.sh --systemName NetAct --caLevel 0 --hashingAlgorithm SHA1

For more information, see Generating CA certificates and CRLs in Administering NetAct System
Security.

Expected outcome

The following file is generated:

/opt/oss/NSN-sm_conf_cert/generated/certificationAuthority/<systemName>_L0_CACert.pem

8. Generate certificate signing request and key for NetAct by entering the command:

./smcert_generate_server_csr.sh --systemName <systemName> --usecaseName dirsrv_access --hashingAlgorithm <hashingAlgorithm>

For example, if you set <systemname> as NetAct and <hashingAlgorithm> as SHA1, then
you can enter the command:

./smcert_generate_server_csr.sh --systemName NetAct --usecaseName dirsrv_access --hashingAlgorithm SHA1


For more information, see step 1 to step 3 in Generating certificate signing requests and keys in
Administering NetAct System Security.

9. Sign NetAct CA by entering the command:

./smcert_sign_server_certificate.sh --systemName <systemName> --usecaseName dirsrv_access --caLevel 0 --hashingAlgorithm <hashingAlgorithm>

For example, if you set <systemname> as NetAct and <hashingAlgorithm> as SHA1, then
you can enter the command:

./smcert_sign_server_certificate.sh --systemName NetAct --usecaseName dirsrv_access --caLevel 0 --hashingAlgorithm SHA1

For more information, see step 1 to step 6.a in Signing using NetAct CA in Administering NetAct
System Security.

10. Install the certificate by entering the command:

./smcert_apply_certificate.sh --systemName <systemName> --usecaseName dirsrv_access

For example, if you set <systemname> as NetAct, then you can enter the command:

./smcert_apply_certificate.sh --systemName NetAct --usecaseName dirsrv_access

Note: The dirsrv and sssd services are restarted automatically if you install the
certificates.

For more information, see Installing certificates for selected usecase in Administering NetAct Sys-
tem Security.

11. Generate certificate signing request and key for BSC by entering the command:

./smcert_generate_csr.sh --systemName <systemName> --certId dirsrv --hashingAlgorithm <hashingAlgorithm> --cn <BSC IP or BSC FQDN> --ip <BSC IP>

For IPv6 integrated BSC, the <BSC IP> is IPv6 address. For IPv4 integrated BSC, the <BSC IP>
is IPv4 address. For example:

• For IPv4 integrated BSC, if you set <systemname> as NetAct and <hashingAlgorithm>
as SHA1, then you can enter the command:

./smcert_generate_csr.sh --systemName NetAct --certId dirsrv --hashingAlgorithm SHA1 --cn 10.0.0.0 --ip 10.0.0.0

• For IPv6 integrated BSC, if you set <systemname> as NetAct and <hashingAlgorithm>
as SHA1, then you can enter the command:

./smcert_generate_csr.sh --systemName NetAct --certId dirsrv --hashingAlgorithm SHA1 --cn 1000:0:0:0:0:0:0:0 --ip 1000:0:0:0:0:0:0:0

For more information, see step 1, step 2 and step 4 in Generating certificate signing requests and
keys in Administering NetAct System Security.

Expected outcome

The following file is generated:

/opt/oss/NSN-sm_conf_cert/generated/server/<systemName>_dirsrvKey.pem

12. Generate certificate for BSC by entering the command:

./smcert_sign_server_certificate.sh --systemName <systemName> --certId dirsrv --caLevel 0 --hashingAlgorithm <hashingAlgorithm>

For example, if you set <systemname> as NetAct and <hashingAlgorithm> as SHA1, then
you can enter the command:

./smcert_sign_server_certificate.sh --systemName NetAct --certId dirsrv --caLevel 0 --hashingAlgorithm SHA1

For more information, see step 1, step 2, step 3, step 4, step 5 and step 6.b in Signing using
NetAct CA in Administering NetAct System Security.

Expected outcome

The following file is generated:

/opt/oss/NSN-sm_conf_cert/generated/server/<systemName>_dirsrvCert.pem

6.2.6.2.1.2 Converting BSC certificate, private key and signer certificate from PEM format to DER binary

1. Log in to the NetAct VM where the dmgr service runs as the omc user, and switch to the root user.

2. Create a temporary directory by entering:

mkdir /tmp/BSC_CERT/

3. Navigate to the directory you created in step 2 by entering:

cd /tmp/BSC_CERT/

4. Get the password that was set for the private key when the certificate was generated by entering:

cat /opt/oss/NSN-sm_conf_cert/templates/serverKey.pwd

5. Convert the BSC certificate from PEM format to the DER binary file OWNCERT.BIN by entering:

openssl x509 -inform PEM -outform DER -in /opt/oss/NSN-sm_conf_cert/generated/server/<systemName>_dirsrvCert.pem -out OWNCERT.BIN

For example:

openssl x509 -inform PEM -outform DER -in /opt/oss/NSN-sm_conf_cert/generated/server/NetAct_dirsrvCert.pem -out OWNCERT.BIN

6. Convert the BSC private key from PEM format to the DER binary file OWNPRIV.BIN by entering:

openssl rsa -inform PEM -outform DER -in /opt/oss/NSN-sm_conf_cert/generated/server/<systemName>_dirsrvKey.pem -out OWNPRIV.BIN

For example:

openssl rsa -inform PEM -outform DER -in /opt/oss/NSN-sm_conf_cert/generated/server/NetAct_dirsrvKey.pem -out OWNPRIV.BIN

Note: If you are prompted for a password, enter the password you obtained in step 4.

7. Convert the signer CA certificate for the BSC from PEM format to the DER binary file CACERT.BIN by
entering:

openssl x509 -inform PEM -outform DER -in /opt/oss/NSN-sm_conf_cert/generated/certificationAuthority/<systemName>_L0_CACert.pem -out CACERT.BIN

For example:

openssl x509 -inform PEM -outform DER -in /opt/oss/NSN-sm_conf_cert/generated/certificationAuthority/NetAct_L0_CACert.pem -out CACERT.BIN

8. Change the ownership of the BIN files by entering:

chown omc:sysop /tmp/BSC_CERT

chown omc:sysop *.BIN

Expected outcome

You have the following files available:

• OWNCERT.BIN
• OWNPRIV.BIN
• CACERT.BIN

9. Remove the following files by entering:

rm /opt/oss/NSN-sm_conf_cert/generated/server/<systemName>_dirsrvCert.pem

rm /opt/oss/NSN-sm_conf_cert/generated/server/<systemName>_dirsrvKey.pem
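The PEM-to-DER conversion in steps 5 to 7 is a base64 decode of the armored block, which is what openssl x509/rsa -outform DER does for these files. The following Python is an added example, not NetAct code: it converts a PEM file to DER, refuses an encrypted private key (the case in which openssl rsa asks for the step 4 password), checks that the DER outer length matches the payload so a truncated file is caught before it reaches the BSC, and creates the output file with mode 0600. The DER objects used as samples are constructed, not real certificates or keys.

```python
"""Convert PEM files to the DER binaries the BSC expects, with checks.

Added example, not NetAct code. PEM is base64-armored DER; this version also
refuses encrypted private keys, rejects truncated DER and writes the output
with mode 0600. The sample DER objects are constructed, not real keys.
"""
import base64
import os
import re

CERT_LABELS = ("CERTIFICATE",)                    # OWNCERT.BIN, CACERT.BIN
KEY_LABELS = ("RSA PRIVATE KEY", "PRIVATE KEY")   # OWNPRIV.BIN

PEM_RE = re.compile(
    r"-----BEGIN (?P<label>[A-Z ]+)-----\n(?P<body>.*?)-----END (?P=label)-----",
    re.S,
)


def der_outer_length(der: bytes) -> int:
    """Total length claimed by the outer SEQUENCE header (tag 0x30)."""
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("not a DER SEQUENCE; certificates and keys start with 0x30")
    first = der[1]
    if first < 0x80:                      # short form: one length byte
        return 2 + first
    n = first & 0x7F                      # long form: n following length bytes
    if len(der) < 2 + n:
        raise ValueError("DER length field is truncated")
    return 2 + n + int.from_bytes(der[2:2 + n], "big")


def pem_to_der(pem_text: str, expected_labels) -> bytes:
    """Decode one PEM block whose label is in `expected_labels`."""
    m = PEM_RE.search(pem_text)
    if not m:
        raise ValueError("no PEM block found")
    label, body = m.group("label"), m.group("body")
    # DER has no encryption wrapper: a PKCS#8 ENCRYPTED label or an RFC 1421
    # Proc-Type header means the key must be decrypted first (this is the
    # case where openssl rsa asks for the password from serverKey.pwd).
    if "ENCRYPTED" in label or "Proc-Type: 4,ENCRYPTED" in body:
        raise ValueError("private key is encrypted; decrypt it before converting")
    if label not in expected_labels:
        raise ValueError(f"unexpected PEM label {label!r}, expected one of {expected_labels}")
    body = re.sub(r"^[A-Za-z-]+:.*$", "", body, flags=re.M)   # drop any header lines
    der = base64.b64decode("".join(body.split()), validate=True)
    if der_outer_length(der) != len(der):
        raise ValueError("DER length does not match payload; file truncated or corrupt")
    return der


def rejection_reason(pem_text: str, expected_labels):
    """None if the PEM converts cleanly, else the error message."""
    try:
        pem_to_der(pem_text, expected_labels)
    except ValueError as exc:
        return str(exc)
    return None


def der_to_pem(der: bytes, label: str) -> str:
    """Inverse of pem_to_der, used here to build sample inputs."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return f"-----BEGIN {label}-----\n" + "\n".join(lines) + f"\n-----END {label}-----\n"


def convert_file(src_pem: str, dst_bin: str, expected_labels, mode: int = 0o600) -> int:
    """Write the DER form of src_pem to dst_bin (created with `mode`); return byte count."""
    with open(src_pem, encoding="ascii") as f:
        der = pem_to_der(f.read(), expected_labels)
    fd = os.open(dst_bin, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, mode)
    with os.fdopen(fd, "wb") as f:
        f.write(der)
    return len(der)


# Constructed sample: SEQUENCE { INTEGER 5, OCTET STRING 'x' }, valid DER but not a certificate.
SAMPLE_DER = bytes.fromhex("3006020105040178")
SAMPLE_PEM = der_to_pem(SAMPLE_DER, "CERTIFICATE")
```

For the page's files this is convert_file("/opt/oss/NSN-sm_conf_cert/generated/server/NetAct_dirsrvKey.pem", "OWNPRIV.BIN", KEY_LABELS); the 0600 mode keeps the private key readable only by the converting user until the chown in step 8.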

6.2.6.2.1.3 Installing BSC certificate, private key and the signer certificate

1. Log in to BSC through SSH or Telnet.

2. Check the SSL/TLS protocol definitions by entering:

ZI3I;

Expected outcome

An example output:

INTERROGATING SSL/TLS LAYER DEFINITIONS

                LOCAL DEFAULT   LOCAL DEFAULT   TRUSTED CA
UNIT            CERTIFICATE     PRIVATE KEY     CERTIFICATE
--------------- --------------- --------------- ---------------
COMMAND EXECUTED

Note: If an OMU definition already exists, as in the output below, and TLS is not used by other
functions, remove it by entering ZI3D:OMU;. Example output:

DELETED SSL/TLS LAYER DEFINITIONS

                LOCAL DEFAULT   LOCAL DEFAULT   TRUSTED CA
UNIT            CERTIFICATE     PRIVATE KEY     CERTIFICATE
--------------- --------------- --------------- ---------------
OMU             TLSCERT         TLSPRIVATE      TLSCACERT
COMMAND EXECUTED

If TLS is used by other functions, contact Nokia Technical Support for further
investigation.

3. Transfer BSC certificate, private key and the signer certificate from NetAct to BSC through FTP or
SFTP.
a) Log in to the NetAct VM where the dmgr service runs as the omc user.
b) Navigate to the /tmp/BSC_CERT directory where the certificate, private key and CA certificate are stored.
c) Enter the following command:

sftp <user>@<IP_address_of_BSC>


Expected outcome

An example output:

Connecting to <IP_address_of_BSC>

The authenticity of host '<IP_address_of_BSC> (<IP_address_of_BSC>)' can't be established.
RSA key fingerprint is 41:72:a4:59:18:b1:e5:ba:c8:c4:94:aa:67:df:59:25.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '<IP_address_of_BSC>' (RSA) to the list of known hosts.
<user>@<IP_address_of_BSC>'s password:

d) Navigate to the default directory by entering:

cd /DW0-/<the directory of BIN on BSC>

You can find the directory of BIN files on BSC by entering ZWQO:CR;. Example output:

LOADING PROGRAM VERSION 14.32-0

PACKAGES CREATED IN OMU:
SW-PACKAGE  STATUS  DIRECTORY  ENVIRONMENT  DEF  ACT
   PACKAGE-ID (REP-ID)  DELIVERY  CD-ID
FB310517    FB      FB310517   SG 7.17-0    -    Y
   SG 7.17-0            CIDE00SX  14.2-0
SG4000MP    BU      SG071700   SG 7.17-0    Y    Y
   SG 7.17-0  1         CIDE00SX  14.2-0
   SG4000MP
SG3101MP    NW      SG061100   SG 6.11-0    -    Y
   SG 6.11-0  2         CIDE00SX  13.2-0
   SG3101MP
SG071700    UT      SG071700   SG 7.17-0    -    N
   SG 7.17-0            CIDE00SX  14.2-0
UPGB16FB    UT      UPGB16FB   SG 6.11-0    -    Y
   SG 6.11-0  2         CIDE00SX  13.2-0
   SG3101MP
SG3000MP    UT      SG061100   SG 6.11-0    -    N
   SG 6.11-0  1         CIDE00SX  13.2-0
   SG3000MP

In the output, find the line where the value of DEF is Y, and the value of DIRECTORY in the line
is the directory of BIN files on BSC. In the example from step d, SG071700 is the directory of
BIN files on BSC.
e) Transfer the OWNCERT.BIN, OWNPRIV.BIN and CACERT.BIN files into the default directory by
entering:

put OWNCERT.BIN

put OWNPRIV.BIN

put CACERT.BIN
f) Remove the OWNCERT.BIN, OWNPRIV.BIN and CACERT.BIN files from the /tmp/BSC_CERT
directory by entering:

rm /tmp/BSC_CERT/OWNCERT.BIN

rm /tmp/BSC_CERT/OWNPRIV.BIN

rm /tmp/BSC_CERT/CACERT.BIN

4. Log in to BSC through SSH or Telnet.

5. Add BSC certificate, private key and the signer certificate by entering:

ZQ4A:<key name 1>,P:F,"DW0-/<the directory of BIN on BSC>/OWNPRIV.BIN":;

ZQ4A:<key name 2>,C:F,"DW0-/<the directory of BIN on BSC>/OWNCERT.BIN":;

ZQ4A:<key name 3>,C:F,"DW0-/<the directory of BIN on BSC>/CACERT.BIN":;

For example:

ZQ4A:TLSPRIVATE,P:F,"DW0-/SG071700/OWNPRIV.BIN":;

ZQ4A:TLSCECERT,C:F,"DW0-/SG071700/OWNCERT.BIN":;

ZQ4A:TLSCACERT,C:F,"DW0-/SG071700/CACERT.BIN":;

Note: Check the existing key names in the OMU key database by entering ZQ4L;, and make
sure the new key names do not duplicate any existing ones.

6. Configure BSC for the installed certificates and private key by entering:

ZI3C:OMU:<key name 2>,<key name 1>:<key name 3>:;

For example:

ZI3C:OMU:TLSCECERT,TLSPRIVATE:TLSCACERT:;


Note: You can check whether the certificate and private key are configured by entering
ZI3I;.

7. Remove the source files by entering:

ZDDS:;

ZMD:DW0-/<the directory of BIN on BSC>/OWNCERT.BIN;

ZMD:DW0-/<the directory of BIN on BSC>/OWNPRIV.BIN;

ZMD:DW0-/<the directory of BIN on BSC>/CACERT.BIN;

ZE;

6.2.6.3 Checking BSC permissions

Note:

• Skip this section if you only use default roles, see Default roles and permissions in
Permission Management Help.
• When creating a role, assign the NetAct permissions and BSC permissions to the new
role. To create a role, see Creating a new role in Permission Management Help. To
configure BSC permissions, see Network element permissions in Administering Users
and Permissions, together with the tables Supported BSC permissions and NetAct management
functions and corresponding BSC permissions below.
• The context root of BSC in Permission Management is BSC.

The supported permissions of BSC are listed in the following table:

Permission Name            | Operation/Value | Description                                                        | Used in BSC
---------------------------|-----------------|--------------------------------------------------------------------|------------
commandClass:A-Z           | 1-251           | The commandClasses is a series of MML commands that can be         | Yes
                           |                 | executed on BSC. For more information, see Administer → BSC/TCSM   |
                           |                 | and mcBSC/mcTC → Security and User Management → MML command        |
                           |                 | authority in GSM/EDGE BSS operating documentation on Support       |
                           |                 | portal in https://customer.nokia.com. Accessing the documentation   |
                           |                 | and software in the portal requires authentication.                |
timeLimit:SessionTimeLimit | 1-15300         | Used for session limitation. It applies to the value under the     | Yes
                           |                 | user role; the unit is seconds.                                    |
applField:FS/CM/FM/PM      | R,W,X           | FS: FTAM; FM: FM CMISE; PM: PM CMISE; CM: CM CMISE                 | Yes
dirPath:DW0-/              | R,W,X           | Used for FTP/SFTP.                                                 | Yes
logAccess:MMLLOG           | R,W,X           | Used for MML command log accessibility.                            | Yes

Table 28: Supported BSC permissions

The supported NetAct management functions and their corresponding BSC minimum permissions are
listed in the following table:

Management function            | commandClass:A-Z and default permission | timeLimit:SessionTimeLimit | applField:FS/CM/FM/PM | dirPath:DW0-/  | logAccess:MMLLOG
-------------------------------|-----------------------------------------|----------------------------|-----------------------|----------------|-----------------
Fault management               | not applicable                          | not applicable             | FS:X, FM:X            | R, W, X        | not applicable
Performance management         | E:50, Q:150                             | 900                        | FS:X, PM:X            | R, W, X        | R
Element management             | A-Z:250                                 | 900                        | FS:X                  | R, W, X        | R
Configuration management       | A-Z:250                                 | 900                        | CM:X, FS:X            | R, W, X        | R
License management             | W:250                                   | 900                        | FS:X                  | R, W, X        | R
Software management            | A-Z:250                                 | 900                        | FS:X                  | R, W, X        | R
Hardware management            | W:150                                   | 900                        | CM:X, FS:X, FM:X      | R, W, X        | R
Administration of Measurement  | not applicable                          | 900                        | CM:X                  | not applicable | not applicable
TraceViewer                    | T:150                                   | 900                        | not applicable        | not applicable | R,W,X
Audit Trail                    | I:200, D:50                             | 900                        | not applicable        | not applicable | R,W,X
Time management                | D:250                                   | 900                        | not applicable        | not applicable | R
Super BTS                      | D:250, E:250                            | 900                        | not applicable        | not applicable | R
Network Element Access Control | I:200, W:250, Q:250                     | 900                        | not applicable        | not applicable | R
Remote BTS Password Management | E:250                                   | 900                        | not applicable        | not applicable | R

Table 29: NetAct management functions and corresponding BSC permissions
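When a custom role is built from the BSC permissions above, the minimums in Table 29 are what a least-privilege review checks against. The following Python is an added example, not NetAct code: it transcribes Table 29 in the page's own commandClass/applField notation and reports where a role falls short for a given management function, and which functions a role unlocks. The comparison rules are assumptions: a command-class level at or above the listed minimum satisfies it, timeLimit must be at least the listed seconds, and every listed applField, dirPath and logAccess operation must be present. The sample role is constructed.

```python
"""Check a custom BSC role against the minimum permissions in Table 29.

Added example, not NetAct code. REQUIREMENTS transcribes Table 29 in the
page's notation. Comparison rules are assumptions: a command class level at
or above the minimum satisfies it, timeLimit must be at least the listed
seconds, and each listed applField/dirPath/logAccess operation must be
present. The sample role at the bottom is constructed.
"""
from string import ascii_uppercase

# function: (commandClass, timeLimit, applField, dirPath, logAccess); None = not applicable
REQUIREMENTS = {
    "Fault management":               (None,                None, "FS:X,FM:X",      "RWX", None),
    "Performance management":         ("E:50,Q:150",        900,  "FS:X,PM:X",      "RWX", "R"),
    "Element management":             ("A-Z:250",           900,  "FS:X",           "RWX", "R"),
    "Configuration management":       ("A-Z:250",           900,  "CM:X,FS:X",      "RWX", "R"),
    "License management":             ("W:250",             900,  "FS:X",           "RWX", "R"),
    "Software management":            ("A-Z:250",           900,  "FS:X",           "RWX", "R"),
    "Hardware management":            ("W:150",             900,  "CM:X,FS:X,FM:X", "RWX", "R"),
    "Administration of Measurement":  (None,                900,  "CM:X",           None,  None),
    "TraceViewer":                    ("T:150",             900,  None,             None,  "RWX"),
    "Audit Trail":                    ("I:200,D:50",        900,  None,             None,  "RWX"),
    "Time management":                ("D:250",             900,  None,             None,  "R"),
    "Super BTS":                      ("D:250,E:250",       900,  None,             None,  "R"),
    "Network Element Access Control": ("I:200,W:250,Q:250", 900,  None,             None,  "R"),
    "Remote BTS Password Management": ("E:250",             900,  None,             None,  "R"),
}


def parse_classes(spec):
    """'A-Z:250' or 'E:50,Q:150' -> {'A': 250, ...}; None or '' -> {}."""
    levels = {}
    for item in filter(None, (s.strip() for s in (spec or "").split(","))):
        classes, level = item.split(":")
        if "-" in classes:                       # expand a letter range
            lo, hi = classes.split("-")
            classes = ascii_uppercase[ascii_uppercase.index(lo):ascii_uppercase.index(hi) + 1]
        for cls in classes:
            levels[cls] = int(level)
    return levels


def parse_fields(spec):
    """'FS:X,PM:RWX' -> {'FS': {'X'}, 'PM': {'R', 'W', 'X'}}; None or '' -> {}."""
    fields = {}
    for item in filter(None, (s.strip() for s in (spec or "").split(","))):
        name, operations = item.split(":")
        fields[name] = set(operations)
    return fields


def ops(spec):
    """'R, W, X' or 'RWX' -> {'R', 'W', 'X'}; None or '' -> empty set."""
    return set((spec or "").replace(",", "").replace(" ", ""))


def missing_permissions(role, function):
    """Shortfalls of `role` against the Table 29 minimum for `function`;
    an empty list means the role is sufficient for that function."""
    req_cc, req_tl, req_af, req_dp, req_la = REQUIREMENTS[function]
    missing = []
    have_cc = parse_classes(role.get("commandClass"))
    for cls, level in parse_classes(req_cc).items():
        if have_cc.get(cls, 0) < level:
            missing.append(f"commandClass {cls}: need {level}, have {have_cc.get(cls, 0)}")
    if req_tl is not None and (role.get("timeLimit") or 0) < req_tl:
        missing.append(f"timeLimit: need {req_tl} s, have {role.get('timeLimit')}")
    have_af = parse_fields(role.get("applField"))
    for field, need in parse_fields(req_af).items():
        lack = need - have_af.get(field, set())
        if lack:
            missing.append(f"applField {field}: lacks {''.join(sorted(lack))}")
    for name, req in (("dirPath", req_dp), ("logAccess", req_la)):
        lack = ops(req) - ops(role.get(name))
        if lack:
            missing.append(f"{name}: lacks {''.join(sorted(lack))}")
    return missing


def sufficient_functions(role):
    """Every Table 29 function the role can exercise, i.e. what it unlocks
    beyond the function it was created for."""
    return [f for f in REQUIREMENTS if not missing_permissions(role, f)]


# Constructed role meant for performance management only.
PM_ROLE = {"commandClass": "E:50,Q:150", "timeLimit": 900,
           "applField": "FS:X,PM:X", "dirPath": "RWX", "logAccess": "R"}

if __name__ == "__main__":
    for fn in REQUIREMENTS:
        gaps = missing_permissions(PM_ROLE, fn)
        print(f"{fn}: {'OK' if not gaps else '; '.join(gaps)}")
```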

6.2.6.4 Activating and deactivating CNUM

6.2.6.4.1 Activating CNUM for BSC

1. Log in to the NetAct Start Page.


a) In the address field of your internet browser, type the following URL address:

https://<system_FQDN>/startpage

where <system_FQDN> is the fully qualified domain name of the NetAct cluster load balancer
for WebSphere. For more information, see Launching the NetAct Start Page.


b) Type the Username and Password, and click Log In.

Note: If the terms and conditions appear, select the I have read and agree to
the above terms and conditions check box, and then click Log In. For more
information, see Modifying terms and conditions page.

c) Click Accept or Continue.

2. Click Security → Network Element Access Control.

Network Element Access Control window appears.

3. Click the Centralized NE User Management tab.

4. Select the network element for which you want to activate CNUM.

Tip: You can filter or sort the list, and select the desired network element.

• Click the column header to sort the list in alphabetical order.
• Type the text in the column field to filter the list.

5. From the LDAP access type list, select StartTLS.

6. From IP version list, select IPv4.

Note: If BSC is integrated with IPv6, select IPv6.

7. Click Activate.

CNUM status of the network element changes to Ongoing.

8. Click Refresh to view the CNUM status change.

Note: Activation of CNUM on the network element takes time.

If the activation is unsuccessful, the CNUM status shows Failed activation. Click the Failed
activation link to view the causes of failure.

For more information about activating CNUM, see Activating Centralized Network Element User
Management in Centralized Network Element User Management Help.

6.2.6.4.2 Verifying CNUM activation

1. Log in to the NetAct Start Page as the integration user.


a) In the address field of your internet browser, type the following URL address:


https://<system_FQDN>/startpage

where <system_FQDN> is the fully qualified domain name of the NetAct cluster load balancer
for WebSphere. For more information, see Launching the NetAct Start Page.
b) Type the Username and Password of the integration user, and click Log In.

Note: If the terms and conditions appear, select the I have read and agree to
the above terms and conditions check box, and then click Log In. For more
information, see Modifying terms and conditions page.

c) Click Accept or Continue.

2. Select Security → Network Element Access Control → Centralized NE User Management.

Expected outcome

The CNUM status on the activated BSC displays Activated.

3. Log in to BSC.

4. Check CNUM status by entering:

ZIAV:TYPE=ALL:LIM;

Expected outcome

LOADING PROGRAM VERSION 19.15-4


EXECUTION STARTED
CONFIGURATION LDAP DIRECTORY
============================
IP ADDRESS: <LB WAS Virtual IP>
PORT NUMBER: 389
SSL STATE: FORCED
PRIMARY LDAP DIRECTORY
======================
IP ADDRESS: <LB WAS Virtual IP>
PORT NUMBER: 389
SSL STATE: FORCED
FEATURE ACTIVATION STATUS
=========================
DIRECTORY CLIENT ACTIVATION STATUS: ACTIVE
CENTRALIZED USER AUTHENTICATION STATUS: ACTIVE
COMMAND EXECUTED
MMI SYSTEM AUTHORITY HANDLING COMMAND <IA_>

Ensure the IP address is the NetAct LB WAS Virtual IP address and the CENTRALIZED USER
AUTHENTICATION STATUS is ACTIVE.


6.2.6.4.3 Deactivating CNUM for BSC

1. Log in to the NetAct Start Page.


a) In the address field of your internet browser, type the following URL address:

https://<system_FQDN>/startpage

where <system_FQDN> is the fully qualified domain name of the NetAct cluster load balancer
for WebSphere. For more information, see Launching the NetAct Start Page.
b) Type the Username and Password, and click Log In.

Note: If the terms and conditions appear, select the I have read and agree to
the above terms and conditions check box, and then click Log In. For more
information, see Modifying terms and conditions page.

c) Click Accept or Continue.

2. Click Security → Network Element Access Control.

Network Element Access Control window appears.

3. Click the Centralized NE User Management tab.

4. Select the network element for which you want to deactivate CNUM.

5. Click Deactivate.

The status of the network element changes to Ongoing.

6. Click Refresh.

The status is changed to Deactivated.

Note: Deactivation of CNUM on the network element takes some time.

If the deactivation is unsuccessful, the CNUM status shows Failed deactivation. Click the Failed
deactivation link to view the causes of failure.

6.2.6.4.4 Verifying CNUM deactivation

1. Log in to BSC.

2. Enter the following command:

ZIAV:TYPE=ALL:LIM;

Expected outcome

LOADING PROGRAM VERSION 19.15-4


EXECUTION STARTED
CONFIGURATION LDAP DIRECTORY
============================
IP ADDRESS: <LB WAS Virtual IP>
PORT NUMBER: 389
SSL STATE: FORCED
PRIMARY LDAP DIRECTORY
======================
IP ADDRESS: <LB WAS Virtual IP>
PORT NUMBER: 389
SSL STATE: FORCED
FEATURE ACTIVATION STATUS
=========================
DIRECTORY CLIENT ACTIVATION STATUS: ACTIVE
CENTRALIZED USER AUTHENTICATION STATUS: INACTIVE
COMMAND EXECUTED
MMI SYSTEM AUTHORITY HANDLING COMMAND <IA_>
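The verification steps in 6.2.6.4.2 and 6.2.6.4.4 both read the same ZIAV:TYPE=ALL:LIM; printout. The following Python is an added example, not NetAct or BSC code: it parses the printout into its sections and checks the items the page asks you to confirm (both LDAP directory IP addresses equal the NetAct LB WAS Virtual IP, and CENTRALIZED USER AUTHENTICATION STATUS is ACTIVE after activation or INACTIVE after deactivation), plus that PORT NUMBER is 389 and SSL STATE is FORCED as in the expected outcome. The sample printout and the VIP 10.0.0.1 are constructed.

```python
"""Verify CNUM state from the BSC `ZIAV:TYPE=ALL:LIM;` printout.

Added example, not NetAct or BSC code. The sample printout is constructed
from the page's expected outcome with a made-up LB WAS Virtual IP.
"""

SAMPLE_ZIAV = """\
LOADING PROGRAM VERSION 19.15-4

EXECUTION STARTED
CONFIGURATION LDAP DIRECTORY
============================
IP ADDRESS: 10.0.0.1
PORT NUMBER: 389
SSL STATE: FORCED
PRIMARY LDAP DIRECTORY
======================
IP ADDRESS: 10.0.0.1
PORT NUMBER: 389
SSL STATE: FORCED
FEATURE ACTIVATION STATUS
=========================
DIRECTORY CLIENT ACTIVATION STATUS: ACTIVE
CENTRALIZED USER AUTHENTICATION STATUS: ACTIVE
COMMAND EXECUTED
MMI SYSTEM AUTHORITY HANDLING COMMAND <IA_>
"""


def parse_ziav(text):
    """Return {section: {key: value}} for the 'KEY: VALUE' lines that follow
    each section header (a header is the line above a row of '=')."""
    sections, current = {}, None
    lines = text.splitlines()
    for i, line in enumerate(lines):
        nxt = lines[i + 1].strip() if i + 1 < len(lines) else ""
        if nxt and set(nxt) == {"="}:
            current = line.strip()
            sections[current] = {}
        elif current and ":" in line:
            key, _, value = line.partition(":")
            sections[current][key.strip()] = value.strip()
    return sections


def check_cnum(text, expected_vip, expect_active=True):
    """List of findings; an empty list means the printout matches expectations."""
    s = parse_ziav(text)
    findings = []
    for name in ("CONFIGURATION LDAP DIRECTORY", "PRIMARY LDAP DIRECTORY"):
        d = s.get(name)
        if d is None:
            findings.append(f"{name}: section missing")
            continue
        if d.get("IP ADDRESS") != expected_vip:
            findings.append(f"{name}: IP ADDRESS {d.get('IP ADDRESS')!r} is not the LB WAS VIP {expected_vip!r}")
        if d.get("PORT NUMBER") != "389":
            findings.append(f"{name}: PORT NUMBER {d.get('PORT NUMBER')!r}, expected 389")
        if d.get("SSL STATE") != "FORCED":
            findings.append(f"{name}: SSL STATE {d.get('SSL STATE')!r}, expected FORCED")
    feat = s.get("FEATURE ACTIVATION STATUS", {})
    want = "ACTIVE" if expect_active else "INACTIVE"
    got = feat.get("CENTRALIZED USER AUTHENTICATION STATUS")
    if got != want:
        findings.append(f"CENTRALIZED USER AUTHENTICATION STATUS is {got!r}, expected {want!r}")
    if feat.get("DIRECTORY CLIENT ACTIVATION STATUS") != "ACTIVE":
        findings.append("DIRECTORY CLIENT ACTIVATION STATUS is not ACTIVE")
    return findings


if __name__ == "__main__":
    print(check_cnum(SAMPLE_ZIAV, "10.0.0.1") or "CNUM activation verified")
```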

6.2.6.5 Limitation

The limitations for BSC are as follows:

The Super BTS Switch Function, Audit Trail Logging Collection, Fault Management File Transfer Function,
Hardware Management Change Notification, and Performance Management Event Function use the
default user.

6.2.6.6 Troubleshooting

6.2.6.6.1 Activation fails

Problem

Activating CNUM for BSC fails.

Possible causes

• The certificates are not installed successfully on BSC.
• Logging in to LDAP fails.
• Q3 mediation is not working properly.

Solution

• Check whether the certificates are installed successfully on BSC.

1. Log in to BSC.
2. Check whether the certificates are installed to the key storage of BSC by entering:
ZQ4L;


Expected outcome

LOADING PROGRAM VERSION 7.3-0


EXECUTION STARTED
KEY NAME KEY TYPE
-------- --------
PUBKEYNM01 SSH RSA PUB
PRIVATEKEY1 SSH RSA PRI
PUBKEYNM02 SSH DSA PUB
PRIVATEKEY2 SSH DSA PRI
TLSCACERT PKI PUB
TLSPRIVATE PKI PRI
TLSCERT PKI PUB
COMMAND EXECUTED
KEY DATABASE HANDLING COMMAND <Q4_>

Note: CA certificate and the end-entity certificate of BSC must be in PKI PUB type.
The private key of BSC must be in PKI PRI type.

3. Check whether the certificates are assigned to the SSL/TLS server and client interfaces of the
functional unit, so that they apply to its SSL/TLS protocol-based connections, by entering:
ZI3I;

Expected outcome

LOADING PROGRAM VERSION 4.4-0


mcBSC BAGUKAN 2015-07-29 06:07:56
INTERROGATING SSL/TLS LAYER DEFINITIONS
LOCAL DEFAULT LOCAL DEFAULT TRUSTED CA
UNIT CERTIFICATE PRIVATE KEY CERTIFICATE
--------------- --------------- --------------- ---------------
OMU TLSCERT TLSPRIVATE TLSCACERT
COMMAND EXECUTED
SSL/TLS PROTOCOL LAYER HANDLING COMMAND <I3_>

The key names in the above output are examples only. TLSCERT stands for the end-entity certificate
of BSC, TLSPRIVATE for the private key of BSC, and TLSCACERT for the CA certificate.

• Check the LDAP related problems. For more information, see Unable to login - LDAP problems in
Troubleshooting Security Management.
• Check Q3 mediation log from /var/opt/oss/log/q3user/ on the NetAct VM where the
q3user service is running. To locate the VM where a specific service is running, see Locating the
right virtual machine for a service in Administering NetAct Virtual Infrastructure.

6.2.6.6.2 Deactivation fails

Problem


Deactivating CNUM for BSC fails.

Possible causes

• Logging in to LDAP fails.
• Q3 mediation is not working properly.

Solution

• Check the LDAP related problems. For more information, see Unable to login - LDAP problems in
Troubleshooting Security Management.
• Check Q3 mediation log from /var/opt/oss/log/q3user/ on the NetAct VM where q3user
service runs. To locate the VM where a specific service is running, see Locating the right virtual
machine for a service in Administering NetAct Virtual Infrastructure.

6.2.6.6.3 Changing password fails

Problem

Changing password fails.

Solution

If the password update is unsuccessful, the CNUM status shows Failed update. Click the Failed
update link to view the causes of failure.

6.2.6.6.4 File transfer with FTAM fails

Problem

File transfer with FTAM fails.

Possible causes

• The operator user password contains ; (semicolon).
• The q3usr password contains ; (semicolon).

Solution

1. Change the operator user password to one without ;. For details, see Changing NetAct end users password.

2. Change the q3usr password to one without ;.

a. Log in as the omc user to the VM where the q3user service is running.

To locate the right NetAct VM, see Locating the right virtual machine for a service in Administering
NetAct Virtual Infrastructure.

b. Get the password for q3usr by executing the following command:

/opt/nokia/oss/bin/syscredacc.sh -user q3usr -type appserv -instance appserv


c. Check whether there is ; in the q3usr password.

If there is no ; in the password, skip step d. Otherwise, perform step d.

d. Change the q3usr password without ; by executing the script:

/opt/nokia/oss/bin/password-tool -u q3usr -t dirsrv

For more information, see Changing password of system user individually.

6.2.7 Configuring CNUM for WCDMA network elements

6.2.7.1 CNUM prerequisites for WCDMA network elements


This section describes the information you must know and basic requirements which must be met
before configuring CNUM for WCDMA network elements and using CNUM.

Information and requirements, with descriptions:

License
  The following license is required to be installed in NetAct:
  • Feature code: 5091
  • Feature name: Centralized NE User Management for WCDMA

Service types needed to activate CNUM
  NWI3 Access

Service types needed to verify CNUM activation or deactivation status
  The corresponding credential is needed for verifying the CNUM activation or deactivation status
  through element management launch in Monitor:
  • Remote MML Access: for IPA-RNC
  • SCLI Access: for mcRNC and ASRNC
  • EM Access: for OMS and WBTS

Supported LDAP access types
  • StartTLS
  • PREFER TLS

Supported IP versions
  IPv4

The NetAct user needed for CNUM operations (CNUM user)
  The CNUM user is used to log in to NetAct Start Page to perform CNUM related operations. In
  Network Element Access Control, grant the credentials listed in Service types needed to activate
  CNUM and Service types needed to verify CNUM activation or deactivation status to the group
  where the CNUM user belongs. The following default NetAct roles must be assigned to the CNUM user:
  • FM-Fault Management Admin
  • SM-Security Administration

Restricted anonymous bind to LDAP
  To enable restricted anonymous access, see Restricted anonymous login to the LDAP directory in
  Administering NetAct System Security.
  Note: This prerequisite is for activating CNUM for IPA-RNC and WBTS usage.

WCDMA integration
  Ensure that WCDMA is integrated to NetAct. For detailed instructions, see Overview of RNC and
  WBTS integration in Integrating RNC and WBTS to NetAct.

CNUM configuration on OMS
  See Enabling CNUM on OMS and Setting the RUIMAutomaticActivation parameter on OMS.

CNUM configuration on IPA-RNC
  See Configuring SSH server on IPA-RNC and Activating centralized user authentication and
  authorization on IPA-RNC.

CNUM configuration on mcRNC
  See Managing centralized network element user management on mcRNC.

CNUM configuration on ASRNC
  See Managing centralized network element user management on ASRNC.

WCDMA documentation
  • For WCDMA network elements, see WCDMA RAN, Rel.<network element release>, <Issue number>
    Operating Documentation. For example, WCDMA RAN, Rel. WCDMA 20, Issue 02.
  • For ASRNC, see WCDMA RAN, Rel.<network element release>, <Issue number> Operating
    Documentation. For example, WCDMA RAN, Rel. WCDMA 20, Issue 02.
  Get the documents from Support portal in https://customer.nokia.com. Accessing the documentation
  and software in the portal requires authentication.

Table 30: CNUM checklist for WCDMA network elements

6.2.7.1.1 Enabling CNUM on OMS

This section describes how to enable CNUM on OMS.

1. Log in to OMS as the Nemuadmin user, and then switch to the root user.

2. Enable CNUM by entering:

[root]# fscontrolRUIM -e

For more information, see Administering OMS in WCDMA RAN, Rel.<network element release>,
<Issue number> Operating Documentation. For example, WCDMA RAN, Rel. WCDMA 20, Issue 02.
In Administering OMS, go to User management → Centralized User Authentication and
Authorization → Enabling CUAA. Get the documents from Support portal in https://customer.nokia.com.
Accessing the documentation and software in the portal requires authentication.


6.2.7.1.2 Setting the RUIMAutomaticActivation parameter on OMS

This section describes how to configure the RUIMAutomaticActivation parameter on OMS.

1. Log in to Application Launcher as the Nemuadmin user.

2. Open Parameter Tool.

3. In the left application pane, select the following fragment:

fsClusterId=ClusterRoot → fsFragmentId=OMS → omsFragmentId=System → omsFragmentId=RUIM → omsParameterID=RUIMAutomaticActivation

4. Change the value of omsParameterValue to 1.

For more information about the settings, see Managing Security with OMS in WCDMA RAN,
Rel.<network element release>, <Issue number> Operating Documentation. For example,
WCDMA RAN, Rel. WCDMA 20, Issue 02. In Managing Security with OMS, go to User security
→ Centralized User Authentication and Authorization → Enabling and disabling CUAA
automatic activation. Get the documents from Support portal in https://customer.nokia.com.
Accessing the documentation and software in the portal requires authentication.

5. For OMS, the content of the /opt/Nokia_BP/SS_AAA/etc/replicator_properties.cfg file must be
verified. Check the value of the ruim.replicator.uid_range parameter in the network element. The
default value in OMS is ruim.replicator.uid_range=387,401,1000-9999999. If the required values
are not included, add them manually as the root user. For example,
ruim.replicator.uid_range=387,401,501,1000-9999999.

Note:

• If the value does not contain 501, add it. The value 501 is used for NetAct operations
which use the omc user.
• You may also need the following user IDs:

• 762: for NetAct operations which use the cmretry user.
• 751: for NetAct operations which use the hwchange user.

6. If the replicator_properties.cfg file is modified, make the changes take effect by entering
the following command as the root user:

[root]# fsdistribute /opt/Nokia_BP/SS_AAA/etc/replicator_properties.cfg
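The check in step 5 is easy to get wrong by eye, because 762 and 751 sit below the 1000-9999999 range and are therefore not covered by the default value. The following Python is an added example, not OMS or NetAct code: it parses the ruim.replicator.uid_range value, reports which of the required UIDs (501 for omc, optionally 762 for cmretry and 751 for hwchange) are not covered by any range, and rewrites only that line of the file text so it can be reviewed before fsdistribute in step 6. The configuration excerpt is constructed.

```python
"""Check and repair ruim.replicator.uid_range in replicator_properties.cfg.

Added example, not OMS or NetAct code. The UIDs and the default value come
from steps 5 and 6 above; the configuration excerpt is constructed.
"""
REQUIRED_UIDS = (501,)          # omc user, always needed
OPTIONAL_UIDS = (762, 751)      # cmretry and hwchange users, if those operations are used
KEY = "ruim.replicator.uid_range"


def parse_uid_range(value):
    """'387,401,1000-9999999' -> [(387, 387), (401, 401), (1000, 9999999)]."""
    ranges = []
    for part in value.split(","):
        part = part.strip()
        if not part:
            continue
        lo, _, hi = part.partition("-")
        ranges.append((int(lo), int(hi) if hi else int(lo)))
    return ranges


def missing_uids(value, required):
    """UIDs in `required` that no range of `value` covers."""
    ranges = parse_uid_range(value)
    return [u for u in required if not any(lo <= u <= hi for lo, hi in ranges)]


def fix_uid_range(value, required):
    """Return `value` with the missing UIDs added as single entries, sorted by range start."""
    ranges = parse_uid_range(value) + [(u, u) for u in missing_uids(value, required)]
    ranges.sort()
    return ",".join(str(lo) if lo == hi else f"{lo}-{hi}" for lo, hi in ranges)


def fix_config(text, required):
    """Rewrite only the uid_range line of the file text; every other line is kept as-is."""
    out = []
    for line in text.splitlines():
        key, sep, val = line.partition("=")
        if sep and key.strip() == KEY:
            line = f"{KEY}={fix_uid_range(val, required)}"
        out.append(line)
    return "\n".join(out) + "\n"


# Constructed excerpt with the OMS default value.
SAMPLE_CFG = "# constructed excerpt\nruim.replicator.uid_range=387,401,1000-9999999\nother.key=1\n"

if __name__ == "__main__":
    print("missing:", missing_uids("387,401,1000-9999999", REQUIRED_UIDS + OPTIONAL_UIDS))
    print(fix_config(SAMPLE_CFG, REQUIRED_UIDS + OPTIONAL_UIDS), end="")
```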

6.2.7.1.3 Configuring SSH server on IPA-RNC

This section describes how to configure SSH server on IPA-RNC.

For detailed instructions on how to configure SSH server on IPA-RNC, see Integrating IPA-RNC
in WCDMA RAN, Rel.<network element release>, <Issue number> Operating Documentation. For
example, WCDMA RAN, Rel. WCDMA 20, Issue 02. In Integrating IPA-RNC, go to Configuring
RNC → Configuring SSH server in OMU. Get the documents from Support portal in
https://customer.nokia.com. Accessing the documentation and software in the portal requires authentication.

6.2.7.1.4 Activating centralized user authentication and authorization on IPA-RNC

This section describes how to activate centralized user authentication and authorization (CUAA) on
IPA-RNC.

For detailed instructions on how to activate centralized user authentication and authorization on
IPA-RNC, see Managing Information Security in IPA-RNC in WCDMA RAN, Rel.<network element
release>, <Issue number> Operating Documentation. For example, WCDMA RAN, Rel. WCDMA 20,
Issue 02. In Managing Information Security in IPA-RNC, go to Managing centralized users in the MMI
system → Activating and deactivating centralized user authentication and authorization. Get
the documents from Support portal in https://customer.nokia.com. Accessing the documentation and
software in the portal requires authentication.

6.2.7.1.5 Managing centralized network element user management on mcRNC

This section describes how to manage CNUM user on mcRNC.

For detailed instructions on how to manage CNUM user on mcRNC, see Managing Users in mcRNC
in WCDMA RAN, Rel.<network element release>, <Issue number> Operating Documentation. For
example, WCDMA RAN, Rel. WCDMA 20, Issue 02. Get the documents from Support portal in
https://customer.nokia.com. Accessing the documentation and software in the portal requires authentication.

6.2.7.1.6 Managing centralized network element user management on ASRNC

This section describes how to manage CNUM user on ASRNC.

For detailed instructions on how to manage CNUM user on ASRNC, see Managing Users in AirScale
RNC in WCDMA RAN, Rel.<network element release>, <Issue number> Operating Documentation.
For example, WCDMA RAN, Rel. WCDMA 20, Issue 02.

In Managing Users in AirScale RNC, go to Centralized network element user management. Get the
documents from Support portal in https://customer.nokia.com. Accessing the documentation and
software in the portal requires authentication.

6.2.7.2 Limitations

This section lists the CNUM limitations for WCDMA network elements.

1. Q3 mediation requires passwords of at least 6 characters. Therefore, logging in to IPA-RNC fails
when you launch the MML Session by clicking Element Management → MML Session in Monitor if
the password has fewer than 6 characters. To solve the problem, change the password in User
Management so that it contains at least 6 characters.


2. LDAP client SSLv3 is disabled in NetAct, but it is still supported in IPA-RNC RN8.0. Different
configurations between NetAct and IPA-RNC may cause activation failure of CNUM.
3. For ASRNC, CNUM activation fails if PREFER TLS is used as the LDAP access type and the CNUM
certificates are not installed on mcRNC/ASRNC and NetAct. When PREFER TLS is used as the LDAP
access type, mcRNC/ASRNC attempts to connect to NetAct only in secure mode; even if a secure
connection cannot be established, mcRNC/ASRNC does not fall back to an insecure connection. To
solve the problem, you must install the CNUM certificates on both mcRNC/ASRNC and NetAct.
4. Due to an OMS limitation, the user name cannot contain '-' (hyphen) if CNUM activation of OMS is
needed. Otherwise, after activation, CNUM authentication fails on OMS.
5. For ASRNC20FP1, ASRNC20FP2, and ASRNC20FP3, due to the RC0524 limitation, if the AirScale
RNC primary and secondary VNFs switch over after CNUM is activated and not all the data is
synchronized between the primary and secondary VNFs, the CNUM activation can neither be verified
nor deactivated. To resolve the issue, contact your network element administrator to synchronize
the data between the primary and secondary VNFs.
6. For ASRNC20FP4 and later versions, CNUM is supported for AirScale RNC primary and secondary
VNFs. Because, due to the RC0524 limitation, not all the data is synchronized between the primary
and secondary VNFs, Nokia recommends that you activate/deactivate CNUM for the corresponding
RNC and VNFs at the same time.

6.2.7.3 Installing and activating WCDMA certificates on WCDMA network elements and NetAct

This section provides the instructions to install and activate the WCDMA certificates on WCDMA
network elements and NetAct.

For WCDMA, the supported LDAP access types are StartTLS and PREFER TLS. StartTLS is recom-
mended because it encrypts the connection between the network elements and NetAct.

You must complete all the tasks in this section if you use StartTLS to activate CNUM. If you use PRE-
FER TLS to activate CNUM, the tasks in this section are not mandatory, but Nokia recommends that
you complete the tasks to prevent security issues.

6.2.7.3.1 Applying certificates on WCDMA network elements

This section describes how to install certificates on OMS, IPA-RNC, mcRNC, ASRNC and WBTS.

6.2.7.3.1.1 Installing certificates on OMS

This section describes how to install certificates on OMS.

For detailed instructions on how to install certificates on OMS, see Managing Security with OMS
in WCDMA RAN, Rel.<network element release>, <Issue number> Operating Documentation.
For example, WCDMA RAN, Rel. WCDMA 20, Issue 02. In Managing Security with OMS, go to
Certificates management. Get the documents from Support portal in https://customer.nokia.com.
Accessing the documentation and software in the portal requires authentication.


6.2.7.3.1.2 Installing certificates on IPA-RNC

This section describes how to install certificates on IPA-RNC.

For detailed instructions on how to install certificates on IPA-RNC, see Managing Information
Security in IPA-RNC in WCDMA RAN, Rel.<network element release>, <Issue number> Operating
Documentation. For example, WCDMA RAN, Rel. WCDMA 20, Issue 02. In Managing Information
Security in IPA-RNC, go to Managing secure operation and maintenance connections →
Configuring TLS authentication proxy. Get the documents from Support portal in https://
customer.nokia.com. Accessing the documentation and software in the portal requires authentication.

6.2.7.3.1.3 Installing certificates on mcRNC

This section describes how to install certificates on mcRNC.

For detailed instructions on how to install the certificates, see Managing Security in mcRNC in
WCDMA RAN, Rel.<network element release>, <Issue number> Operating Documentation. For
example, WCDMA RAN, Rel. WCDMA 20, Issue 02. In Managing Security in mcRNC, go to
Centralized certificate management → Certificate management SCLI commands → Certificates
installation. Get the documents from Support portal in https://customer.nokia.com. Accessing the
documentation and software in the portal requires authentication.

6.2.7.3.1.4 Installing certificates on ASRNC

This section describes how to install certificates on ASRNC.

For detailed instructions on how to install certificates on ASRNC, see Managing Security in AirScale
RNC in WCDMA RAN, Rel.<network element release>, <Issue number> Operating Documentation.
For example, WCDMA RAN, Rel. WCDMA 20, Issue 02.

In Managing Security in AirScale RNC, go to User security → Certificate management. Get the doc-
uments from Support portal in https://customer.nokia.com. Accessing the documentation and software
in the portal requires authentication.

6.2.7.3.1.5 Installing certificates on WBTS

This section describes how to install certificates on WBTS.

For detailed instructions on how to install certificates on WBTS, see Integrating and Configuring Flexi
Multiradio BTS WCDMA Transmission in WCDMA RAN, Rel.<network element release>, <Issue num-
ber> Operating Documentation. For example, WCDMA RAN, Rel. WCDMA 20, Issue 02. In Integrat-
ing and Configuring Flexi Multiradio BTS WCDMA Transmission, go to Configuration of security
features → Configuring certificates manually. Get the documents from Support portal in https://
customer.nokia.com. Accessing the documentation and software in the portal requires authentication.


6.2.7.3.2 Applying certificates on NetAct

This section describes how to check and install the WCDMA certificates on NetAct.

Check whether the WCDMA certificates are already installed on NetAct. For detailed instructions, see
Get issuer name in Administering NetAct System Security. If the certificates are not installed, install
the certificates following the instructions in Managing certificates in Administering NetAct System
Security.

Note: When you follow the instructions in Managing certificates in Administering NetAct
System Security, use dirsrv_access as the usecase name.

6.2.7.4 Preparing the NetAct users used for managing WCDMA network elements

This section provides instructions on how to prepare the NetAct users used for managing the WCDMA
network elements.

To ensure that NetAct users have enough permissions to manage WCDMA network elements, the
default or user-defined NetAct roles that are associated with the WCDMA network element permissions
must be granted to the NetAct users.

Note: Before using the NetAct users to manage WCDMA network elements for the first time,
ensure that the NetAct users do not exist in the WCDMA network elements to be managed.

1. Ensure that the NetAct users and associated groups are created.

For detailed instructions on how to manage users and groups, see About user management in
User Management Help.

2. Ensure that the NetAct roles (default or user-defined) to be assigned to the group where the
NetAct user belongs exist and contain all the required permissions.

• If the required network element permissions are associated with NetAct default roles, you
can use the NetAct default roles directly. For the mapping information between the WCDMA
network element permissions and NetAct default roles, see Supported OMS permissions,
Supported IPA-RNC permissions, and Supported mcRNC and ASRNC permissions.
• If the required network element permissions or operations are not associated with NetAct
default roles, you can create user-defined roles and grant the permissions to the user-
defined roles. For example, there is no default role mapping for the ownhomedir and
hassharedreadonlyhome operations of the fsuicli permission on OMS; you can create
a user-defined role and associate one of the two operations (the two operations cannot be
selected at the same time) with your user-defined role when needed.

For detailed instructions, see Creating a new role in Permission Management Help and Granti-
ng permissions to a role in Permission Management Help.

3. Assign the NetAct roles which contain the required network element permissions to the group
where the NetAct user belongs.


For detailed instructions, see Assigning roles to a group in Permission Management Help.

4. Add scope to the group-role combinations. Restrict the NetAct users' access to certain
maintenance regions (MRs) or network elements (NEs) as needed.

For more information, see Network element permissions in Administering Users and Permissions.

For detailed instructions on how to add scope to the group-role combinations, see Adding scope to
group-role combinations in Permission Management Help.

6.2.7.4.1 Supported OMS permissions

The following table lists the supported OMS permissions and their associated roles:

Note: In Permission Management, the context root of OMS is RNCOMS.

Action Log Operation
  Operation: manage
  Description: This permission enables manage access to ActionLogOperation.
  Default role: NetAct-Administrator
  Used in OMS: Yes

Active Sessions
  Operation: monitor
  Description: This permission enables read access to ActiveSessions.
  Default role: (none)
  Used in OMS: Yes

Active Sessions
  Operation: manage
  Description: This permission enables manage access to ActiveSessions.
  Default role: NetAct-Administrator
  Used in OMS: Yes

CM Plan Management
  Operation: monitor
  Description: This permission enables read access to CMPlanManagement. This permission is also
  required to access Parameter Viewer through OMS Element Manager.
  Default role: (none)
  Used in OMS: Yes

CM Plan Management
  Operation: manage
  Description: This permission enables manage access to CMPlanManagement. This permission is also
  required to access Parameter Viewer and Parameter Editor through OMS Element Manager.
  Default role: NetAct-Administrator, CM-Network Planning and Engineering, CM-Provisioning,
  CM-Configuration Management Administration, CM-Installation
  Used in OMS: Yes

Fault Management
  Operation: monitor
  Description: This permission enables read access to Fault Management.
  Default role: (none)
  Used in OMS: Yes

Fault Management
  Operation: manage
  Description: This permission enables manage access to Fault Management.
  Default role: NetAct-Administrator, FM-Fault Localization, PM-Performance Analysis
  Used in OMS: Yes

fsui
  Operation: log
  Description: This permission is for files generated by syslog. Syslog itself only uses numeric IDs
  when the syslog daemon creates the files, so as not to depend on LDAP. Users should be assigned
  to the group which includes the fsui log permission when they need to read normal log files. The
  syslog daemon creates files with the group owner and grants read access to this group.
  Default role: NetAct-Administrator, CM-Configuration Management Administration, CM-Installation,
  CM-Network Planning and Engineering, CM-Provisioning, CM-Service Planning and Negotiation,
  CM-Status and Control, FM-Alarm Surveillance, FM-Fault Localization, PM-Performance Analysis,
  SM-Containment and Recovery, SM-Detection, SM-Prevention
  Used in OMS: Yes

fsui
  Operation: manage
  Description: This permission covers typical management actions such as attempting recovery and
  managing IP addresses, hardware and licenses. It does not include access to data stored in
  databases, to backup functionality, or to passwords stored in LDAP. It includes the rights to clear
  and raise alarms. This role is targeted at daily management work (for example, reacting to alarms).
  Note that normally root privileges are required for anything that cannot be done using this group
  (exceptions: log files (_nokfsuilog, _nokfsuiseclog) and the backup (_nokfsuibackup)).
  Default role: NetAct-Administrator, CM-Installation, CM-Provisioning, CM-Service Planning and
  Negotiation, SM-Containment and Recovery, SM-Detection, SM-Prevention
  Used in OMS: Yes

fsui
  Operation: monitor
  Description: This permission is typically assigned to operators that monitor the network element
  but do not take any management actions. It also includes access to log files (managed using ATL).
  Default role: NetAct-Administrator, CM-Configuration Management Administration, CM-Installation,
  CM-Network Planning and Engineering, CM-Provisioning, CM-Service Planning and Negotiation,
  FM-Fault Localization, PM-Performance Analysis, SM-Containment and Recovery, SM-Detection,
  SM-Prevention
  Used in OMS: Yes

fsui
  Operation: seclog
  Description: This permission is for files generated by syslog. Syslog only uses numeric IDs when
  the syslog daemon creates the file, so as not to depend on LDAP. Users should be assigned to the
  group which includes the fsui seclog permission when they need to read security log files. The
  syslog daemon creates files with the group owner and grants read access to this group.
  Default role: NetAct-Administrator, CM-Installation, CM-Network Planning and Engineering,
  SM-Containment and Recovery, SM-Detection, SM-Prevention
  Used in OMS: Yes

fsui
  Operation: wheel
  Description: This permission allows a user to use the su command to switch to the root account.
  Default role: NetAct-Administrator, CM-Installation, CM-Network Planning and Engineering,
  CM-Provisioning, SM-Containment and Recovery, SM-Detection, SM-Prevention
  Used in OMS: Yes

fsuicli
  Operation: generalloginshell
  Description: This permission sets the login shell, which is necessary to log in to OMS through SSH.
  Default role: NetAct-Administrator, CM-Configuration Management Administration, CM-Installation,
  CM-Network Planning and Engineering, CM-Provisioning, CM-Service Planning and Negotiation,
  CM-Status and Control, FM-Alarm Surveillance, FM-Fault Localization, PM-Performance Analysis,
  PM-Performance Monitoring, SM-Containment and Recovery, SM-Detection, SM-Prevention
  Used in OMS: Yes

fsuicli
  Operation: hassharedreadonlyhome
  Description: This permission sets the users' home directory to a read-only shared home directory
  (/usr/bin).
  Default role: (none)
  Used in OMS: Yes

fsuicli
  Operation: ownhomedir
  Description: This permission sets the NetAct users' home directory (/home/<user-name>).
  Default role: (none)
  Used in OMS: Yes

fsuiexternalldap
  Operation: login
  Description: Only members of the group which includes the fsuiexternalldap login permission are
  allowed to create external LDAP sessions (bind) using the external LDAP interface. By default, no
  one is a member of this group.
  Default role: NetAct-Administrator, CM-Configuration Management Administration, CM-Installation,
  CM-Network Planning and Engineering, CM-Provisioning, CM-Service Planning and Negotiation,
  FM-Fault Localization, PM-Performance Analysis, SM-Containment and Recovery, SM-Detection,
  SM-Prevention
  Used in OMS: Yes

fsuifault
  Operation: man
  Description: This permission provides write-like access to the alarm system. Additionally, it gives
  permission for some basic configuration checks. Typically, users assigned to the group which
  includes the fsuifault man permission are also assigned to the _nokfsuifaultview group.
  Default role: NetAct-Administrator
  Used in OMS: Yes

fsuifault
  Operation: view
  Description: This permission gives read-like access to the alarm system to check the alarm
  situation. Additionally, it gives permission for some basic configuration checking.
  Default role: CM-Status and Control, FM-Alarm Surveillance
  Used in OMS: Yes

fsuilic
  Operation: man
  Description: This permission is assigned to users that need to manage the licensing of a
  FlexiPlatform-based network element.
  Default role: NetAct-Administrator, CM-Installation, CM-Network Planning and Engineering,
  CM-Provisioning
  Used in OMS: Yes

fsuiom
  Operation: manage
  Description: This permission allows access to collect statistics and to modify the performance
  management configuration and alarm system configuration (for example, alarm correlation). In
  addition, users granted this role are typically also assigned to the _nokfsuilog role, which enables
  them to view syslog and WAS related log files.
  Default role: NetAct-Administrator, CM-Installation, CM-Network Planning and Engineering,
  CM-Provisioning
  Used in OMS: Yes

fsuiperformance
  Operation: man
  Description: This permission enables read-like access to the performance management or statistics
  system. Additionally, it gives read access to the configuration.
  Default role: NetAct-Administrator, PM-Performance Analysis
  Used in OMS: Yes

fsuiperformance
  Operation: view
  Description: This permission enables read-like access to the performance management or statistics
  system.
  Default role: PM-Performance Monitoring
  Used in OMS: Yes

Mmi Login
  Operation: manage
  Description: This permission enables manage access to MMILogin.
  Default role: NetAct-Administrator
  Used in OMS: Yes

Mmi Login
  Operation: monitor
  Description: This permission enables read access to MMILogin.
  Default role: (none)
  Used in OMS: Yes

OMS Common
  Operation: manage
  Description: This permission allows using the Common EMI and NWI3 interfaces.
  Default role: NetAct-Administrator, CM-Provisioning, CM-Installation, FM-Fault Localization,
  PM-Performance Analysis, CM-Configuration Management Administration, CM-Network Planning and
  Engineering
  Used in OMS: Yes

OMS Common
  Operation: monitor
  Description: This permission enables read access to OMSCommon.
  Default role: (none)
  Used in OMS: Yes

Performance Management
  Operation: manage
  Description: This permission enables manage access to Performance Management.
  Default role: FM-Fault Localization, PM-Performance Analysis, NetAct-Administrator
  Used in OMS: Yes

Performance Management
  Operation: monitor
  Description: This permission enables read access to Performance Management.
  Default role: FM-Fault Localization, PM-Performance Analysis
  Used in OMS: Yes

pmg
  Operation: configure
  Description: This permission allows read/write access to LDAP fragments that are typically used
  when changing configuration data in LDAP.
  Default role: CM-Network Planning and Engineering, CM-Provisioning
  Used in OMS: Yes

pmg
  Operation: manage
  Description: This permission allows read and write access to all data in LDAP.
  Default role: NetAct-Administrator, CM-Installation, CM-Network Planning and Engineering,
  SM-Containment and Recovery, SM-Detection, SM-Prevention
  Used in OMS: Yes

pmg
  Operation: monitor
  Description: This permission allows read access to the HA and hardware fragment in LDAP.
  Default role: CM-Configuration Management Administration, CM-Network Planning and Engineering,
  CM-Provisioning, CM-Service Planning and Negotiation, FM-Fault Localization, PM-Performance
  Analysis
  Used in OMS: Yes

RNW CM Management
  Operation: manage
  Description: This permission enables manage access to RNWCMManagement.
  Default role: NetAct-Administrator
  Used in OMS: Yes

RNW CM Management
  Operation: monitor
  Description: This permission enables read access to RNWCMManagement.
  Default role: (none)
  Used in OMS: Yes

SW Version
  Operation: manage
  Description: This permission enables manage access to SWVersion.
  Default role: NetAct-Administrator, CM-Network Planning and Engineering, CM-Installation,
  FM-Fault Localization, PM-Performance Analysis
  Used in OMS: Yes

SW Version
  Operation: monitor
  Description: This permission enables read access to SWVersion.
  Default role: (none)
  Used in OMS: Yes

User Authority Manager
  Operation: manage
  Description: This permission enables manage access to UserAuthorityManager.
  Default role: NetAct-Administrator
  Used in OMS: Yes

User Authority Manager
  Operation: monitor
  Description: This permission enables read access to UserAuthorityManager.
  Default role: (none)
  Used in OMS: Yes

System Status Provider
  Operation: monitor
  Description: This permission enables read access to the OMS System Status View.
  Default role: NetAct-Administrator
  Used in OMS: Yes

Table 31: Supported OMS permissions and associated roles

Note:

• To keep consistency with permissions on the network elements, some permissions
which are not used by WCDMA network elements are still retained in NetAct. These
permissions are marked as No in the table.
• To launch OMS Element Manager (for RU50 EP1 or earlier releases) or OMS Web UI
(for WCDMA16 or later releases), one of the following permissions must be granted:
fsui monitor, fsui manage, fsuiom manage, fsuiperformance view, fsuiperformance man,
fsuifault man or fsuifault view.
• To open Application Launcher applications, the OMS Common monitor permission and
one of the following permissions must be granted: fsui monitor, fsui manage, fsuiom
manage, fsuiperformance view, fsuiperformance man, fsuifault man or fsuifault view.

For more information about the permissions of a specific application, see Administering
OMS in WCDMA RAN, Rel.<network element release>, <Issue number> Operating Doc-
umentation. For example, WCDMA RAN, Rel. WCDMA 20, Issue 02. In Administering
OMS, go to User management → Defining group permission restrictions for OMS
Element Manager operations.
• NetAct users are not allowed to launch the Parameter Tool application from Application
Launcher.

6.2.7.4.2 Supported IPA-RNC permissions

The following table lists the supported IPA-RNC permissions and their associated roles:


Note: In Permission Management, the context root of IPA-RNC is IPA.

commandClass:A-Z
  Operation/Value: 1-251
  Description: Command classes are a series of MML commands that can be executed on IPA-RNC.
  For more information, see Executing MML Commands in IPA-RNC and Managing Information
  Security in IPA-RNC in WCDMA RAN, Rel.<network element release>, <Issue number> Operating
  Documentation. For example, WCDMA RAN, Rel. WCDMA 20, Issue 02.
  Default role: FM-Fault Management Admin, CM-Configuration Management Administration,
  PM_PerformanceManagementCtrl, CM-Provisioning, CM-Network Planning and Engineering,
  CM-Installation
  Used in IPA-RNC: Yes

LogAccess:MMLLOG
  Operation/Value: R,W,X
  Description: Users with this permission are allowed to use the ZGSC command.
  Default role: (none)
  Used in IPA-RNC: Yes

timeLimit:Session Time Limit
  Operation/Value: 1-15300
  Description: Used for session limitation. The value should suit the user role (value/60 = seconds).
  Default role: (none)
  Used in IPA-RNC: Yes

dirPath: DW0-
  Operation/Value: R,W,X
  Description: Used for FTP.
  Default role: PM-Performance Analysis, CM-Configuration Management Administration,
  CM-Provisioning, CM-Network Planning and Engineering, CM-Installation, FM-Fault Management
  Admin
  Used in IPA-RNC: Yes

Table 32: Supported IPA-RNC permissions and associated roles

The preferred values of MML commands for roles are as follows:

• Fault Management: The preferred value is 250 for A and 100 for others.
• Configuration Management: The preferred value is 250 for A, C, D, E, L, I, N, O, Q, R, T, W and
100 for others.
• Security Management: The preferred value is 250 for A, I, Q and 100 for others.
• Performance Management: The preferred value is 250 for T and 100 for others.
• Element Management: Any value between 1 and 251 is fine.

6.2.7.4.3 Supported mcRNC and ASRNC permissions

The following table lists the supported mcRNC and ASRNC permissions and their associated roles.

Note:

• In Permission Management, the context root for mcRNC is FlexiPlatform5.
• In Permission Management, the context root for ASRNC is ASRNC.

fsui backup
  Default role: (none)
  Used in mcRNC and ASRNC: Yes

fsui crashlog
  Default role: (none)
  Used in mcRNC and ASRNC: Yes

fsui fileshare
  Default role: (none)
  Used in mcRNC and ASRNC: Yes

fsui filetransfer
  Default role: (none)
  Used in mcRNC and ASRNC: Yes

fsui fsclishroot
  Default role: NetAct-Administrator
  Used in mcRNC and ASRNC: Yes

fsui fullbash
  Default role: (none)
  Used in mcRNC and ASRNC: Yes

fsui limitedbash
  Default role: (none)
  Used in mcRNC and ASRNC: Yes

fsui log
  Default role: CM-Status and Control, CM-Provisioning, PM-Performance Analysis, CM-Installation,
  CM-Network Planning and Engineering, CM-Configuration Management Administration
  Used in mcRNC and ASRNC: Yes

fsui manage
  Default role: SM-Prevention, SM-Containment and Recovery, SM-Detection
  Used in mcRNC and ASRNC: Yes

fsui monitor
  Default role: CM-Configuration Management Administration, CM-Service Planning and Negotiation,
  SM-Prevention, SM-Containment and Recovery, SM-Detection, CM-Provisioning, PM-Performance
  Analysis, FM-Fault Localization, CM-Installation, CM-Network Planning and Engineering
  Used in mcRNC and ASRNC: Yes

fsui seclog
  Default role: SM-Detection, SM-Containment and Recovery, SM-Prevention
  Used in mcRNC and ASRNC: Yes

fsui tracelog
  Default role: (none)
  Used in mcRNC and ASRNC: Yes

fsui vendoradmin
  Default role: (none)
  Used in mcRNC and ASRNC: Yes

fsui wheel
  Default role: NetAct-Administrator, CM-Network Planning and Engineering, CM-Installation,
  SM-Detection, SM-Containment and Recovery, SM-Prevention, CM-Provisioning
  Used in mcRNC and ASRNC: Yes

fsuicli generalloginshell
  Default role: (none)
  Used in mcRNC and ASRNC: Yes

fsuicli hassharedreadonlyhome
  Default role: (none)
  Used in mcRNC and ASRNC: Yes

fsuicli ownhomedir
  Default role: (none)
  Used in mcRNC and ASRNC: Yes

fsuicli structuredloginshell
  Default role: CM-Service Planning and Negotiation, CM-Status and Control, FM-Alarm Surveillance,
  SM-Prevention, SM-Containment and Recovery, SM-Detection, CM-Provisioning, PM-Performance
  Analysis, FM-Fault Localization, CM-Installation, CM-Network Planning and Engineering,
  NetAct-Administrator, CM-Configuration Management Administration, PM-Performance Monitoring
  Used in mcRNC and ASRNC: Yes

fsuifault man
  Default role: CM-Status and Control, FM-Fault Localization, FM-Fault Management Admin,
  FM-Alarm Surveillance
  Used in mcRNC and ASRNC: Yes

fsuifault view
  Default role: FM-Alarm Surveillance, CM-Status and Control, FM-Fault Localization, FM-Fault
  Management Admin
  Used in mcRNC and ASRNC: Yes

fsuiperformance man
  Default role: NetAct-Administrator, PM-Performance Analysis
  Used in mcRNC and ASRNC: Yes

fsuiperformance view
  Default role: PM-Performance Monitoring
  Used in mcRNC and ASRNC: Yes

fsuilic man
  Default role: CM-Configuration Management Administration
  Used in mcRNC and ASRNC: Yes

fsuilic view
  Default role: CM-Configuration Management Administration
  Used in mcRNC and ASRNC: Yes

UESecurity Manage
  Default role: (none)
  Used in mcRNC and ASRNC: Yes

UESecurity Monitor
  Default role: (none)
  Used in mcRNC and ASRNC: Yes

Table 33: Supported mcRNC and ASRNC permissions and associated roles

Note: Some permissions are mutually exclusive (for example, fsui fullbash and fsui
limitedbash, fsuicli hassharedreadonlyhome and fsuicli ownhomedir),
which means only one of them takes effect when both permissions are granted to the user.
Therefore, only grant the needed permissions to the user before activating CNUM.
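As an added example (not NetAct code), the following Python script encodes the CNUM limitations from the Limitations section (6-character minimum password for the IPA-RNC MML session, no hyphen in the user name for OMS) together with the mutually exclusive permission pairs from the note above as a pre-activation check over the prepared NetAct users; the class, function and finding names are this example's own.

```python
# Added example, not NetAct code: pre-activation checks of NetAct users against the
# CNUM limitations documented for WCDMA network elements. Rules encoded here:
#   - IPA-RNC MML session through Q3 mediation needs a password of at least 6 characters.
#   - CNUM activation on OMS requires a user name without '-' (hyphen).
#   - Mutually exclusive permissions, of which only one takes effect when both are granted:
#       fsui fullbash / fsui limitedbash
#       fsuicli hassharedreadonlyhome / fsuicli ownhomedir
# CnumUser, check_cnum_user and the finding codes are names chosen for this example.
from dataclasses import dataclass, field
from typing import List, Set, Tuple

MIN_MML_PASSWORD_LEN = 6             # Q3 mediation minimum (Limitations, item 1)
OMS_FORBIDDEN_USERNAME_CHARS = "-"   # OMS limitation (Limitations, item 4)

# (permission name, operation) pairs that must not both be granted to one user.
MUTUALLY_EXCLUSIVE: Tuple[Tuple[Tuple[str, str], Tuple[str, str]], ...] = (
    (("fsui", "fullbash"), ("fsui", "limitedbash")),
    (("fsuicli", "hassharedreadonlyhome"), ("fsuicli", "ownhomedir")),
)


@dataclass
class CnumUser:
    """A NetAct user as prepared in User Management and Permission Management."""
    username: str
    # repr=False keeps the secret out of logs and tracebacks; only its length is inspected.
    password: str = field(repr=False)
    # Network element permissions reaching the user through group-role combinations,
    # as (permission name, operation) pairs, for example ("fsui", "log").
    permissions: Set[Tuple[str, str]] = field(default_factory=set)
    # Network element types on which CNUM will be activated for this user:
    # any of "OMS", "IPA-RNC", "mcRNC", "ASRNC", "WBTS".
    targets: Set[str] = field(default_factory=set)


def check_cnum_user(user: CnumUser) -> List[Tuple[str, str]]:
    """Return (finding code, message) pairs; an empty list means no documented
    limitation is hit. Target-specific rules apply only to the targets they concern."""
    findings: List[Tuple[str, str]] = []

    if "IPA-RNC" in user.targets and len(user.password) < MIN_MML_PASSWORD_LEN:
        findings.append((
            "password-too-short",
            f"'{user.username}': password has {len(user.password)} characters; Q3 mediation "
            f"needs at least {MIN_MML_PASSWORD_LEN}, so the IPA-RNC MML Session login fails",
        ))

    if "OMS" in user.targets and any(c in user.username for c in OMS_FORBIDDEN_USERNAME_CHARS):
        findings.append((
            "hyphen-in-username",
            f"'{user.username}': user name contains '-'; CNUM authentication on OMS "
            "fails after activation",
        ))

    # Conflicting grants are pointless on any target because only one of the pair
    # takes effect, so they are reported whenever both are present.
    for first, second in MUTUALLY_EXCLUSIVE:
        if first in user.permissions and second in user.permissions:
            findings.append((
                "mutually-exclusive",
                f"'{user.username}': {first[0]} {first[1]} and {second[0]} {second[1]} are "
                "both granted; only one takes effect, grant just the one that is needed",
            ))
    return findings


def check_all(users: List[CnumUser]) -> List[Tuple[str, str]]:
    """Run the checks over every NetAct user about to be used with CNUM."""
    return [finding for user in users for finding in check_cnum_user(user)]


if __name__ == "__main__":
    # Constructed sample users for the demonstration, not real accounts.
    sample = [
        CnumUser("ranops", "Op3rat0r!", {("fsui", "log"), ("fsuicli", "ownhomedir")},
                 {"OMS", "IPA-RNC", "mcRNC"}),
        CnumUser("cm-eng-1", "abc12",
                 {("fsui", "fullbash"), ("fsui", "limitedbash"),
                  ("fsuicli", "hassharedreadonlyhome"), ("fsuicli", "ownhomedir")},
                 {"OMS", "IPA-RNC", "ASRNC"}),
    ]
    for code, message in check_all(sample):
        print(f"[{code}] {message}")
```

Run it before clicking Activate; the second sample user produces four findings, the first none.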


For more information about mcRNC, see Managing Users in mcRNC in WCDMA RAN, Rel.<network
element release>, <Issue number> Operating Documentation. For example, WCDMA RAN, Rel.
WCDMA 20, Issue 02. In Managing Users in mcRNC, go to Permissions for Management interfaces.
Get the documents from Support portal in https://customer.nokia.com. Accessing the documentation
and software in the portal requires authentication.

For more information about ASRNC, see Managing Security in AirScale RNC in WCDMA RAN,
Rel.<network element release>, <Issue number> Operating Documentation. For example, WCDMA
RAN, Rel. WCDMA 20, Issue 02.

In Managing Security in AirScale RNC, go to Permissions for Management interfaces. Get the docu-
ments from Support portal in https://customer.nokia.com. Accessing the documentation and software
in the portal requires authentication.

6.2.7.5 Activating and deactivating CNUM

This section describes how to activate and deactivate CNUM for WCDMA network elements.

6.2.7.5.1 Activating CNUM on WCDMA network elements

Use the CNUM user to activate CNUM for the WCDMA network elements.

For information about the CNUM user, see CNUM prerequisites for WCDMA network elements.

1. Log in to the NetAct Start Page.

a) In the address field of your internet browser, type the following URL address:

https://<system_FQDN>/startpage

where <system_FQDN> is the fully qualified domain name of the NetAct cluster load balancer
for WebSphere. For more information, see Launching the NetAct Start Page.
b) Type the Username and Password, and click Log In.

Note: If the terms and conditions appear, select the I have read and agree to
the above terms and conditions check box, and then click Log In. For more
information, see Modifying terms and conditions page.

c) Click Accept or Continue.

2. Click Security → Network Element Access Control.

3. Select the Centralized NE User Management tab.

4. Select the WCDMA network element for which you want to activate CNUM.

5. From the LDAP access type list, select the LDAP access type.


Note:

• The supported LDAP access types are StartTLS and PREFER TLS. StartTLS is
recommended because it encrypts the connection between the network elements
and NetAct.
• The LDAP access type for OMS and corresponding network elements is enforced to
be the same. Once the LDAP access type for one of network elements is selected,
the access types for the others are set to the same option automatically and cannot
be modified.

6. Click Activate.

Expected outcome

CNUM status of the network element changes to Ongoing.

7. Click Refresh to view the CNUM status change.

For information about CNUM activation status, see About Centralized Network Element User
Management in Centralized Network Element User Management Help.

Expected outcome

The status shows Activated.

6.2.7.5.2 Verifying CNUM activation

To verify whether CNUM activation is successful, check whether the CNUM user can launch element
management applications successfully from Monitor.

For information about the CNUM user, see CNUM prerequisites for WCDMA network elements.

Note: If CNUM is not activated for a network element, skip the corresponding verification
step.

1. Log in to the NetAct Start Page.

a) In the address field of your internet browser, type the following URL address:

https://<system_FQDN>/startpage

where <system_FQDN> is the fully qualified domain name of the NetAct cluster load balancer
for WebSphere. For more information, see Launching the NetAct Start Page.
b) Type the Username and Password, and click Log In.


Note: If the terms and conditions appear, select the I have read and agree to
the above terms and conditions check box, and then click Log In. For more
information, see Modifying terms and conditions page.

c) Click Accept or Continue.

2. In NetAct Start Page, select Monitoring → Monitor.

3. In Monitor, open Object Explorer by selecting Tools → Managed Objects → Object Explorer.

Expected outcome

The Objects pane appears.

4. Verify CNUM activation for OMS.


a) In the Objects pane, expand the PLMN-PLMN root object and find the OMS-<instance ID>
object on which you performed the CNUM activation operation.
b) Right-click the OMS-<instance ID> object, and then select Element Management → <OMS
launch name>.

Note:

• For RU50 EP1 and earlier releases, the OMS launch name is OMS Element
Manager.
• For WCDMA16 and later releases, the OMS launch name is OMS Web UI.

Expected outcome

The OMS Element Manager or OMS Web UI is launched successfully by the NetAct user.

5. Verify CNUM activation for IPA-RNC.


a) In the Objects pane, find the RNC-<instance ID> object for IPA-RNC on which you performed
the CNUM activation operation.
b) Right-click the RNC-<instance ID> object, and then select Element Management → MML
Session.

Expected outcome

The MML session is launched successfully by the NetAct user.

6. Verify CNUM activation for mcRNC and ASRNC.


a) In the Objects pane, find the RNC-<instance ID> object for mcRNC or ASRNC on which you
performed the CNUM activation operation.
b) Right-click the RNC-<instance ID> object, and then select Element Management → SCLI
Session.


Expected outcome

The SCLI session is launched successfully by the NetAct user.

7. Verify CNUM activation for WBTS.


a) In the Objects pane, find the WBTS-<instance ID> object on which you performed the CNUM
activation operation.
b) Right-click the WBTS-<instance ID> object, and then select Element Management → WBTS
Site Manager.

Expected outcome

The WBTS Site Manager is launched successfully by the NetAct user.

6.2.7.5.3 Deactivating CNUM on WCDMA network elements

If the CNUM user is still available when you deactivate CNUM for the WCDMA network elements, you
can use the CNUM user to do the deactivation. You can also use any NetAct user which has enough
permissions to do the deactivation.

1. Log in to the NetAct Start Page.


a) In the address field of your internet browser, type the following URL address:

https://<system_FQDN>/startpage

where <system_FQDN> is the fully qualified domain name of the NetAct cluster load balancer
for WebSphere. For more information, see Launching the NetAct Start Page.
b) Type the Username and Password, and click Log In.

Note: If the terms and conditions appear, select the I have read and agree to
the above terms and conditions check box, and then click Log In. For more
information, see Modifying terms and conditions page.

c) Click Accept or Continue.

2. Click Security → Network Element Access Control.

3. Select the Centralized NE User Management tab.

4. Select the network element for which you want to deactivate CNUM.

5. Click Deactivate.


Expected outcome

The status of the progress changes to Ongoing.

6. Click Refresh to view the CNUM status change.

Expected outcome

The status changes to Partial deactivated because WCDMA only supports partial
deactivation currently. The NetAct user is not deleted automatically during the deactivation
process.

Note: If the deactivation is unsuccessful, the CNUM status shows Failed deactivation. Click
the Failed deactivation link to view the causes of the failure.

7. Delete the NetAct user and deactivate CNUM on OMS.


a) Log in to OMS as the Nemuadmin user, and then switch to the root user.
b) To delete the NetAct user, enter:

[root]# fsruimrepcli --cleanupallusers


c) To disable CNUM on OMS, enter:

[root]# fscontrolRUIM -d

8. Deactivate CNUM on IPA-RNC.


a) Log in to IPA-RNC as an administrator user.
b) To deactivate CNUM on IPA-RNC, enter:

ZIAJ:STATE=OFF;

Expected outcome

CONFIRM COMMAND EXECUTION: Y/N?

c) Enter Y.

9. Delete the NetAct user on mcRNC.


a) Log in to mcRNC as an administrator user.
b) To delete the NetAct user on mcRNC, enter:

set user-management ruim disable

delete user-management ruim nms-ldap-account

10. Delete the NetAct user on ASRNC.


a) Log in to ASRNC as an administrator user.


b) To delete the NetAct user on ASRNC, enter:

set user-management ruim disable

save snapshot startup

For detailed instructions on how to deactivate CNUM on ASRNC, see Managing Users in AirScale
RNC in WCDMA RAN, Rel.<network element release>, <Issue number> Operating Documentation. For
example, WCDMA RAN, Rel. WCDMA 20, Issue 02.

In Managing Users in AirScale RNC, go to Centralized network element user management
→ Administering CNUM using SCLI → Disabling CNUM. Get the documents from the Support portal at
https://customer.nokia.com. Accessing the documentation and software in the portal requires
authentication.

11. Deactivate CNUM on WBTS.


a) Log in to WBTS Site Manager as an administrator user.
b) Select Configuration → IP Configuration → Security.
c) Clear the Allow only secure connection check box.
d) Clear the IP address of LDAP server address.
e) Click Send button to make it effective.

6.2.7.5.4 Verifying CNUM deactivation

To verify whether CNUM deactivation is successful, check whether the NetAct users (CNUM user or
any NetAct user which has enough permissions) can still launch element management applications
successfully from Monitor.

Note: If CNUM is not deactivated for a network element, skip the corresponding verification
step.

1. Log in to the NetAct Start Page.


a) In the address field of your internet browser, type the following URL address:

https://<system_FQDN>/startpage

where <system_FQDN> is the fully qualified domain name of the NetAct cluster load balancer
for WebSphere. For more information, see Launching the NetAct Start Page.
b) Type the Username and Password, and click Log In.

Note: If the terms and conditions appear, select the I have read and agree to
the above terms and conditions check box, and then click Log In. For more
information, see Modifying terms and conditions page.


c) Click Accept or Continue.

2. In NetAct Start Page, select Monitoring → Monitor.

3. In Monitor, open Object Explorer by selecting Tools → Managed Objects → Object Explorer.

Expected outcome

The Objects pane appears.

4. Verify CNUM deactivation for OMS.


a) In the Objects pane, expand the PLMN-PLMN root object and find the OMS-<instance ID>
object on which you performed the CNUM deactivation operation.
b) Right-click the OMS-<instance ID> object, and then select Element Management → <OMS
launch name>.

Note:

• For RU50 EP1 and earlier releases, the OMS launch name is OMS Element
Manager.
• For WCDMA16 and later releases, the OMS launch name is OMS Web UI.

Expected outcome

The OMS Element Manager or OMS Web UI is launched successfully by the EM Access user
(for example, Nemuadmin).

5. Verify CNUM deactivation for IPA-RNC.


a) In the Objects pane, find the RNC-<instance ID> object for IPA-RNC on which you performed
the CNUM deactivation operation.
b) Right-click the RNC-<instance ID> object, and then select Element Management → MML
Session.

Expected outcome

The MML session is launched by the Remote MML Access user (for example, SYSTEM).

6. Verify CNUM deactivation for mcRNC or ASRNC.


a) In the Objects pane, find the RNC-<instance ID> object for mcRNC or ASRNC on which you
performed the CNUM deactivation operation.
b) Right-click the RNC-<instance ID> object, and then select Element Management → SCLI
Session.


Expected outcome

The SCLI session is launched successfully by the Remote SCLI Access user (for example,
NUPADM).

7. Verify CNUM deactivation for WBTS.


a) In the Objects pane, find the WBTS-<instance ID> object on which you performed the CNUM
deactivation operation.
b) Right-click the WBTS-<instance ID> object, and then select Element Management → WBTS
Site Manager.

Expected outcome

The WBTS Site Manager is launched successfully by the EM Access user (for example,
Nemuadmin).

6.2.7.6 Troubleshooting CNUM


This section lists the problems you may encounter during the CNUM activation process and provides
instructions on how to solve the problems.

6.2.7.6.1 Activating CNUM for WCDMA fails

This section lists the causes of CNUM activation failures and provides the corresponding solutions.

Causes

• Limitations

See limitations 2 to 3 in Limitations.


• Common causes

See Centralized Network Element User Management Activation Failure in Troubleshooting Security
Management.

6.2.7.6.2 NetAct user account is locked in OMS

This section describes how to identify and solve the problem when the NetAct user, which is used to
manage OMS, is locked in OMS after CNUM activation.

6.2.7.6.2.1 Diagnosing the problem


Procedure

• Log in to OMS through SSH as the NetAct user which has enough permissions to manage OMS.

Expected outcome

If any of the following error messages appears, the NetAct user account is locked.

Access denied

Account locked due to <count of failed attempts> failed logins

In OMS, a locked NetAct user account is unlocked automatically after 2 hours. You can also unlock
it immediately by following the instructions in Resolving the problem.

6.2.7.6.2.2 Resolving the problem

1. Log in to OMS as the Nemuadmin user, and then switch to the root user.

2. Unlock the NetAct user account by entering:

[root]# pam_tally2 -f /var/log/tallylog -u <NetAct user> -r

For example:

[root]# pam_tally2 -f /var/log/tallylog -u omc -r

3. Try to log in to OMS as the NetAct user again.
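As an added illustration of the diagnosis and unlock steps above (example code, not part of the NetAct documentation), the following Python script classifies the text an SSH login attempt to OMS returns, using the two messages listed under Diagnosing the problem, works out when the 2-hour automatic unlock is due, and builds the pam_tally2 reset command from step 2 of Resolving the problem so it is only run when the account really is locked. The sample session text, the host name oms.example and the timestamp are constructed; the regular expressions, the user-name validation pattern and the ISO time format are assumptions of this example.

```python
"""Added example (not NetAct documentation code): triage a locked NetAct user
account on OMS from the output of an SSH login attempt."""
import re
from datetime import datetime, timedelta
from typing import Optional

# Message patterns quoted in the documentation. Either one means the account
# is locked; only the second one carries the failed-login count.
LOCKED_WITH_COUNT = re.compile(r"Account locked due to (\d+) failed logins")
ACCESS_DENIED = re.compile(r"^Access denied\b")

# OMS unlocks a locked NetAct account automatically after 2 hours.
AUTO_UNLOCK_AFTER = timedelta(hours=2)


def classify_login_output(output: str) -> dict:
    """Return {"locked": bool, "failed_logins": int or None} for one login attempt."""
    failed: Optional[int] = None
    locked = False
    for line in output.splitlines():
        m = LOCKED_WITH_COUNT.search(line)
        if m:
            failed = int(m.group(1))
            locked = True
        elif ACCESS_DENIED.search(line.strip()):
            locked = True
    return {"locked": locked, "failed_logins": failed}


def auto_unlock_time(locked_at_iso: str) -> str:
    """When OMS unlocks the account on its own: the observation time plus 2 hours.
    Times are ISO 8601 strings such as "2021-03-01 10:00:00" (assumed format)."""
    locked_at = datetime.fromisoformat(locked_at_iso)
    return (locked_at + AUTO_UNLOCK_AFTER).isoformat(sep=" ")


def unlock_argv(netact_user: str) -> list:
    """argv for the manual unlock the documentation gives, to be run as root on OMS.
    The user name is validated (assumed pattern) so it is always passed as one
    plain argument and never reaches a shell."""
    if not re.fullmatch(r"[a-z_][a-z0-9_.-]{0,31}", netact_user):
        raise ValueError("unexpected NetAct user name: %r" % netact_user)
    return ["pam_tally2", "-f", "/var/log/tallylog", "-u", netact_user, "-r"]


def triage(output: str, observed_at_iso: str, netact_user: str) -> dict:
    """Combine the checks into one recommendation for the operator."""
    state = classify_login_output(output)
    if not state["locked"]:
        return {"action": "none", "state": state}
    return {
        "action": "unlock",
        "state": state,
        "auto_unlock_at": auto_unlock_time(observed_at_iso),
        "command": unlock_argv(netact_user),
    }


# Constructed sample of a locked-out SSH session (not real OMS output).
SAMPLE_LOCKED = """omc@oms.example's password:
Account locked due to 5 failed logins
Access denied
"""
# Constructed sample of a successful login.
SAMPLE_OK = """Last login: Mon Mar  1 10:00:00 2021 from 10.0.0.1
[omc@oms ~]$
"""

if __name__ == "__main__":
    print(triage(SAMPLE_LOCKED, "2021-03-01 10:00:00", "omc"))
    print(triage(SAMPLE_OK, "2021-03-01 10:00:00", "omc"))
```

The recommendation carries both the automatic unlock time and the reset command, so an operator who is not in a hurry can simply wait for OMS, while one who needs the NetAct user back immediately has the exact command from step 2 ready to run as root on OMS.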

6.2.7.6.3 Unable to log in to IPA-RNC while launching the MML Session

This section lists the cause of IPA-RNC MML Session launch failure after CNUM activation.

Causes

• Incorrect password format on IPA-RNC

See limitation 1 in Limitations.


• Not enough permissions

See Operation failure on Network Element post CNUM activation in Troubleshooting Security
Management.

6.2.7.6.4 NetAct operation failure after CNUM activation on OMS

Problem

NetAct operations, such as Element Management, FM alarm upload and CM upload, fail after CNUM
activation on OMS with the LDAP access type StartTLS.


Possible Cause

Activation on the network element (OMS) was not successful.

Solution

When CNUM is active, OMS raises an alarm if it cannot communicate with the NetAct LDAP server.

In NetAct Monitor, check whether an alarm such as 70268 or 70358 related to the OMS is raised. If
such an alarm is found, the problem is caused by the certificate configuration for CNUM. Fix the
certificate configuration in both NetAct and OMS. For the detailed list of alarms raised during OMS
to NetAct LDAP communication, see WCDMA OMS Alarms in WCDMA RAN, Rel.<network element release>,
<Issue number> Operating Documentation. For example, WCDMA RAN, Rel. WCDMA 20, Issue 02. Get the
document from the Support portal at https://customer.nokia.com. Accessing the documentation and
software in the portal requires authentication.

6.2.7.6.5 CNUM deactivating or password updating failure on ASRNC

Problem

The execution of deactivating CNUM or updating password on an ASRNC fails.

Possible Cause

After geo-resiliency is activated on the ASRNC, the AirScale RNC primary and secondary VNFs switch
over, and the data is not synchronized between the primary and secondary VNFs.

Solution

See Activating CNUM on WCDMA network elements to activate the CNUM again, or contact your
network element administrator to synchronize the data between the ASRNC primary and secondary
VNFs.

6.2.8 Configuring CNUM for CMS-8200 HSS, CFX-5000, CM Repository Server, TIAMS
and NT HLR FE
The following network elements support Centralized Network Element User Management (CNUM)
in NetAct. For more information on CNUM, see Controlling network element access with Centralized
Network Element User Management.

6.2.8.1 Prerequisites for CMS-8200 HSS, CFX-5000, CM Repository Server, TIAMS and NT HLR FE


6.2.8.1.1 NetAct upgrade scenario

If the network element was integrated to a NetAct release earlier than NetAct 18A SP1812 and
upgraded to the current release, execute the following steps to re-deploy the adaptations:

1. Log in as the omc user to any NetAct VM on which the intgwas service is running.

2. Re-deploy the adaptations for the respective network element by entering:

/var/opt/oss/global/NSN-integrationmanager/ims_aif/deploy_adaptation.sh

Where:

• <adaptation_id> is the value of adaptation_id in the table below.
• <adaptation_release> is the value of adaptation_release in the table below.

Network element                                         adaptation_id      adaptation_release

CM Repository Server Bare Metal                         com.nsn.imsnfm     18.5CI or later versions
                                                        com.nsn.cmrepo     18.5CI or later versions

CFX-5000 (Call Session Control Function) Bare Metal     com.nsn.cscf       18.5C or later versions

CMS-8200 (Home Subscriber Server Front End) Bare Metal  com.nsn.hssfe      18.5C or later versions

CFX-5000 (Load Balancer) Bare Metal                     com.nsn.bnglb      18.5C or later versions

NT HLR FE Bare Metal                                    com.nsn.nthlrfe    18.5C or later versions

TIAMS Bare Metal                                        com.nsn.tiams      18.5C or later versions

TIAMS Bare Metal                                        com.nsn.tiams      18.5Cc or later versions
Expected Output:

{"status":"OK","cause":"","result":""}

The output means that the deployment is successful.

3. As the integration user, restart Monitor to load the metadata.
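As an added example (not the NetAct script itself, nor code from the documentation), the following Python snippet parses the JSON result line that deploy_adaptation.sh prints, as documented above, and checks one run per adaptation ID from the table, so the whole re-deployment can be verified in one place rather than by reading each output by eye. The success line is the documented one; the NOK status value, the cause text and the banner line are constructed samples, and the script's argument syntax is not reproduced here.

```python
"""Added example (not NetAct code): verify deploy_adaptation.sh results for
every adaptation listed in the NetAct upgrade scenario table."""
import json

# adaptation_id -> adaptation_release, copied from the table above.
ADAPTATIONS = {
    "com.nsn.imsnfm": "18.5CI or later versions",
    "com.nsn.cmrepo": "18.5CI or later versions",
    "com.nsn.cscf": "18.5C or later versions",
    "com.nsn.hssfe": "18.5C or later versions",
    "com.nsn.bnglb": "18.5C or later versions",
    "com.nsn.nthlrfe": "18.5C or later versions",
    "com.nsn.tiams": "18.5C or later versions",
}


def parse_deploy_result(output: str) -> dict:
    """Return the JSON object from the script output. The documentation shows the
    keys status, cause and result; other lines (banners, warnings) are skipped."""
    for line in output.splitlines():
        line = line.strip()
        if line.startswith("{") and line.endswith("}"):
            try:
                return json.loads(line)
            except json.JSONDecodeError:
                continue
    raise ValueError("no JSON result line found in deploy_adaptation.sh output")


def deployment_ok(output: str) -> bool:
    """True only for the documented success output, i.e. status "OK"."""
    try:
        return parse_deploy_result(output).get("status") == "OK"
    except ValueError:
        return False


def failed_adaptations(outputs: dict) -> dict:
    """outputs maps adaptation_id -> captured script output for that run.
    Returns adaptation_id -> reason for every adaptation that did not deploy,
    including the ones that were never run."""
    failures = {}
    for adaptation_id in ADAPTATIONS:
        output = outputs.get(adaptation_id)
        if output is None:
            failures[adaptation_id] = "not run"
            continue
        try:
            result = parse_deploy_result(output)
        except ValueError as exc:
            failures[adaptation_id] = str(exc)
            continue
        if result.get("status") != "OK":
            failures[adaptation_id] = result.get("cause") or "status %r" % result.get("status")
    return failures


# Documented success output, followed by two constructed failure samples
# (the NOK status, the cause text and the banner line are not real output).
SUCCESS = '{"status":"OK","cause":"","result":""}\n'
FAILED = ('WARNING: constructed banner line\n'
          '{"status":"NOK","cause":"constructed sample cause","result":""}\n')
GARBAGE = "deploy_adaptation.sh: constructed non-JSON output\n"


def sample_run() -> dict:
    """Constructed run: all adaptations succeed except one failure, one garbled
    output and one adaptation that was skipped."""
    outputs = {adaptation_id: SUCCESS for adaptation_id in ADAPTATIONS}
    outputs["com.nsn.tiams"] = FAILED
    outputs["com.nsn.cscf"] = GARBAGE
    del outputs["com.nsn.bnglb"]
    return failed_adaptations(outputs)


if __name__ == "__main__":
    for adaptation_id, reason in sorted(sample_run().items()):
        print("%-18s %s" % (adaptation_id, reason))
```

Treating a missing or unparsable result as a failure matters here: an adaptation that was simply skipped leaves Monitor without its metadata after step 3 just as surely as one whose deployment reported an error.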

6.2.8.1.2 CNUM information checklist

This section describes the information you must know and basic requirements which must be met
before configuring CNUM for the following network elements.


Information and requirements    Description

Supported network element releases
    The network element versions which support CNUM are as follows:

    • CM Repository Server Bare Metal 18.5CI and later versions
    • CFX-5000 (Call Session Control Function) Bare Metal 18.5C and later versions
    • CMS-8200 (Home Subscriber Server Front End) Bare Metal 18.5C and later versions
    • CFX-5000 (Load Balancer) Bare Metal 18.5C and later versions
    • NT HLR FE Bare Metal 18.5C and later versions
    • TIAMS Bare Metal 18.5Cc and later versions
    • TIAMS Bare Metal 18.5C and later versions

License
    The following licenses must be installed in NetAct for CNUM. For more information on how to
    check the licenses, see Browsing licenses in License Manager Help.

    • NT HLR FE
      Feature code: 34006
      Feature name: Cen NE User Manag for NTHLR
    • CMS-8200 (Home Subscriber Server Front End)
      Feature code: 34004
      Feature name: Cen NE User Manag for CMS-8200 HSS
    • CFX-5000 (Call Session Control Function), CFX-5000 (Load Balancer)
      Feature code: 34002
      Feature name: Cen NE User Manag for CFX 5000 CSCF
    • TIAMS, CM Repository Server
      Any of the licenses with the feature code 34006, 34004 or 34002 can activate CNUM for TIAMS
      and CM Repository Server.

The integration user needed for CNUM configuration
    • The naming convention of the username and password for CNUM must follow the NetAct and
      network element naming rules.
    • The username of the integration user for CNUM cannot be the same as the username of the
      network element.

      Note: If the integration is completed but the username does not meet the requirements, see
      About user management in User Management Help to create a new user and assign it to the
      same group as the integration user. In the following sections, this new user is referred to
      as the integration user.

    • Do not update the integration user password on the network element.

Firewall
    Ensure that port 389 is open from the network element to the LB WAS virtual IP during
    integration.

Network elements integration
    Ensure that the needed network element releases are integrated to NetAct successfully under
    Transport Layer Security (TLS) mode. Integrating CM Repository Server Bare Metal and TIAMS to
    NetAct is mandatory, because CM Repository Server Bare Metal acts as the data repository for
    these network elements. For more details about the related network element integration, see
    the following:

    • Overview of Centralized CM Repository Server Bare Metal integration in Integrating CM
      Repository Server Bare Metal to NetAct
    • Overview of CSCF integration in Integrating CFX-5000 (Call Session Control Function) to
      NetAct
    • Overview of Load Balancer integration in Integrating CFX-5000 (Load Balancer) to NetAct
    • Overview of HSS-FE integration in Integrating CMS-8200 (Home Subscriber Server Front End)
      to NetAct
    • Overview of NT HLR FE integration in Integrating NT HLR FE to NetAct
    • Overview of TIAMS integration in Integrating TIAMS to NetAct

    Note:

    – Role-scope combinations corresponding to IMSNFM and TIAMS nodes are scoped at MR level;
      for example, no role-scope combination is scoped only to IMSNFM or TIAMS.
    – CNUM is supported under TLS mode.
    – The same network element cannot be integrated to multiple NetAct instances when CNUM is
      activated.
    – For CMS-8200 HSS and NT HLR FE, if the instance IDs of the HSSFE and NTHLR objects are not
      named as <DN name>_<DU Name>, follow the steps below to do the de-integration and
      re-integration:

      1. Check the CNUM status. If the CNUM status is activated, deactivate it. For more
         information, see Verifying CNUM activation and Deactivating CNUM.
      2. If the Warning List, Alarm List or Alarm History appears, save the table configuration
         and quick filter. For more information, see Personalizing alarm list in Alarm List Help
         and
         • Saving quick filter in Warning List Help
         • Saving quick filter in Alarm List Help
         • Saving quick filter in Alarm History Help
      3. Remove the integration of CMS-8200 HSS and NT HLR FE. For more information, see
         Removing HSS-FE integration in Integrating CMS-8200 (Home Subscriber Server Front End)
         to NetAct and Removing NT HLR FE integration in Integrating NT HLR FE to NetAct.
         If the legacy CM, FM and PM data need to be retained, only do the unregistration and
         the NE3S interface object deletion steps in the integration removing sections.
      4. Re-integrate CMS-8200 HSS and NT HLR FE to NetAct. For more information, see the manual
         or NEIW integration section of the integration documents.
      5. Open the Warning List, Alarm List or Alarm History of the object created in step 4,
         then apply the alarm filter saved in step 2 to it. For more information, see Filtering
         the Alarm List in Alarm List Help.

SSH password based authentication
    Ensure that SSH password based authentication is enabled. For more information, follow step 1
    in the Configuring SSH authentication between <network element> and NetAct chapter of the
    corresponding network element integration documents.

    Note: For CM Repository Server Bare Metal, skip the check of SSH password based
    authentication.

List of service types needed to activate CNUM
    Service type: NEUM Admin Access

    Note: If the NEUM Admin Access credential does not exist, create the credential with the
    following information. For more information on how to check and create a Network Element
    Access Control user, see Network Element Access Control graphical user interface in Network
    Element Access Control Help.

    The properties needed:

    • Profile: Default
    • NEUM Admin UserName: wsuser
    • NEUM Admin Password: the password of the wsuser user
    • Maintenance region: the same maintenance region which is used during the network element
      integration
    • Application Group:
      – sysop
      – the group to which the integration user belongs

Supported LDAP access types
    StartTLS

Supported IP versions
    IPv4, IPv6

Anonymous LDAP access
    Check the anonymous access status. If anonymous LDAP access is restricted, execute the
    command to enable it again. Otherwise, skip this step. For detailed instructions, see
    Restricted anonymous login to the LDAP directory.

Certificates installation in NetAct
    To ensure that the certificates are installed, see Checking if LDAP certificates are
    installed.

Table 34: CNUM information checklist for network elements

6.2.8.1.3 Checking integration data upload

1. Log in to the NetAct Start Page as the integration user.


a) In the address field of your internet browser, type the following URL address:

https://<system_FQDN>/startpage

where <system_FQDN> is the fully qualified domain name of the NetAct cluster load balancer
for WebSphere. For more information, see Launching the NetAct Start Page.
b) Type the Username and Password of the integration user, and click Log In.

Note: If the terms and conditions appear, select the I have read and agree to
the above terms and conditions check box, and then click Log In. For more
information, see Modifying terms and conditions page.

c) Click Accept or Continue.

2. In NetAct Start Page, click Monitoring → Monitor.

3. In NetAct Monitor, click Tools → Managed Objects → Object Explorer.

Expected outcome

The Objects pane appears.

4. Check if the CNUMINT-1 interface is created under <network element managed object>-
<instance ID>.

Note:

• For REPOSERVER, check if the CNUMINT-1 interface is created under IMSNFM-<instance ID>.
• For BNGLB, CSCF, HSSFE, NTHLRFE or TIAMS, check if the CNUMINT-1 interface is created
under the expected <network element managed object>-<instance ID> object. For example, for
TIAMS, check if CNUMINT-1 is created under TIAMS-<instance ID>.

If CNUMINT-1 is created under the <network element managed object>-<instance ID> object, see
Installing LDAP certificates on network elements. Otherwise, see Triggering integration data
upload.

6.2.8.1.4 Triggering integration data upload

1. Log in to the NetAct Start Page as the integration user.


a) In the address field of your internet browser, type the following URL address:

https://<system_FQDN>/startpage

where <system_FQDN> is the fully qualified domain name of the NetAct cluster load balancer
for WebSphere. For more information, see Launching the NetAct Start Page.
b) Type the Username and Password of the integration user, and click Log In.

Note: If the terms and conditions appear, select the I have read and agree to
the above terms and conditions check box, and then click Log In. For more
information, see Modifying terms and conditions page.

c) Click Accept or Continue.

2. In NetAct Start Page, click Monitoring → Monitor.

3. In NetAct Monitor, click Tools → Managed Objects → Object Explorer.

Expected outcome

The Objects pane appears.

4. In the Objects pane, right-click the IMSNFM-<instance ID> object and select Integration Data
Upload.

Note: If the integration data upload of the same IMSNFM-<instance ID> is ongoing,
wait for the progress to be completed and then check the status.

Expected outcome

In the Ongoing Operations area, the integration data upload is in progress. In the Operations
History area, check if Completed Successfully shows in the Operation Status.

5. Check if the CNUMINT-1 interface is created under <network element managed object>-
<instance ID>.

Note:

• For REPOSERVER, check if the CNUMINT-1 interface is created under IMSNFM-<instance ID>.
• For BNGLB, CSCF, HSSFE, NTHLRFE or TIAMS, check if the CNUMINT-1 interface is created
under the expected <network element managed object>-<instance ID> object. For example, for
TIAMS, check if CNUMINT-1 is created under TIAMS-<instance ID>.

Expected outcome

CNUMINT-1 is created under the <network element managed object>-<instance ID> object.

6.2.8.1.5 Installing LDAP certificates on network elements

1. Copy the LDAP signer certificate from NetAct to the CM Repository Server. For the location of
the certificate on NetAct, see Ensure that LDAP certificate is installed in Administering Users and
Permissions.

2. For detailed information on how to install the certificates on network elements, see the CNUM
descriptions in corresponding network element documents based on different releases.

• For CFX-5000, CM Repository Server and TIAMS, see the CNUM Activation or Deactivation
chapter of the network element documents.
• For CMS-8200 HSS and NT HLR FE, see the CNUM Activation and Deactivation chapter of
the network element documents.

Note: Contact the network administrator to get the corresponding network element
documents.

6.2.8.2 Limitations
• Parallel activation, deactivation and password update operations are not supported by CMS-8200
HSS, CFX-5000, CM Repository Server, TIAMS and NT HLR FE. Select only one Fully Qualified
Distinguished Name (FQDN) of the network element among the network elements under the same
CM Repository Server at a time for performing activation, deactivation and password update
operations. Because these operations cannot be performed in parallel, allow about one minute
between one operation and the next.
• Because CNUM is not supported for SS7 administration launch of NT HLR FE, you need to use
NT HLR FE credential instead of NetAct credential to log in.


6.2.8.3 Checking CMS-8200 HSS, CFX-5000, CM Repository Server, TIAMS and NT HLR FE permissions

• Skip this section if you only use default roles during NetAct user creation.
• When creating a role, assign the NetAct permissions and the network element permissions to your
new role. To create a role, see Creating a new role in Permission Management Help. To configure
the network element permissions, see Network element permissions.
• For CM Repository Server, there is no mapping between network element permissions and default
NetAct roles, and the mapping of TIAMS is used for CM Repository Server.

The root contexts of CMS-8200 HSS, CFX-5000, CM Repository Server, TIAMS and NT HLR FE in
Permission Management are listed in the following table:

Network Element          Root Context

CMS-8200 (HSS-FE)        HSSFE

CFX-5000 (CSCF)          CSCF

CFX-5000 (BNGLB)         BNGLB

CM Repository Server     TIAMS

TIAMS                    TIAMS

NTHLRFE                  NTHLRFE

Table 35: Root contexts of CMS-8200 HSS, CFX-5000, CM Repository Server, TIAMS and NT HLR
FE in Permission Management

The supported permissions of CMS-8200 HSS, CFX-5000, CM Repository Server, TIAMS and NT
HLR FE are the same, and are listed in the following table:

Permission Name: FM Plan Management
    Operation: Manual Clear for Alarms
    Description: Privilege assigned to clear the alarms manually from NetAct
    Default Roles: FM_FaultManagementAdmin, FM_FaultLocalization, FM_AlarmSurveillance,
    FM_FaultCorrection, FM_Testing

Permission Name: Application Administrator
    Operation: Application Administrator
    Description: Privilege assigned to carry out maintenance activities
    Default Roles: FM_FaultManagementAdmin

    Operation: Application User
    Description: Privilege assigned to monitor service status

Permission Name: Network Administrator
    Operation: Network Administrator
    Description: Privilege assigned to network planning and troubleshooting at network level
    Default Roles: FM_FaultManagementAdmin

    Operation: Network User
    Description: Privilege assigned to Network User

Permission Name: OS Administrator
    Operation: OS Administrator
    Description: Privilege assigned for OS administration
    Default Roles: FM_FaultManagementAdmin

Permission Name: DataBase User
    Operation: DataBase User
    Description: DB USER administration
    Default Roles: FM_FaultManagementAdmin

Permission Name: HW Administrator
    Operation: Hardware Administrator
    Description: Privilege assigned to read the hardware details
    Default Roles: FM_FaultManagementAdmin

Permission Name: Log Collecting Tools
    Operation: Log Collecting Tools
    Description: Privilege assigned to collect logs from the node element
    Default Roles: FM_FaultManagementAdmin

Permission Name: CM Upload, CM Provision
    Operation: CM Upload, CM Provision
    Description: CM Upload and CM Provision
    Default Roles: CM_ConfigurationManagementAdm, CM_NetworkPlanningAndEngineer, CM_Provisioning

Table 36: Supported network element permissions

6.2.8.4 Activating and deactivating CNUM

6.2.8.4.1 Activating CNUM

This section describes how to activate CNUM.

The order of activating CNUM:

1. Activate TIAMS.


Note: For HPE TIAMS, activate both TIAMS nodes first.

2. Activate REPOSERVER or IMSNFM.


3. Activate CSCF, HSSFE, NTHLRFE or BNGLB (in no particular order).

Note: If the activation fails for CSCF, HSSFE, NTHLRFE, or BNGLB, deactivate REPOSERVER or
IMSNFM, and then activate CSCF, HSSFE, NTHLRFE, or BNGLB.

To activate CNUM, do the following:

1. Log in to the NetAct Start Page.


a) In the address field of your internet browser, type the following URL address:

https://<system_FQDN>/startpage

where <system_FQDN> is the fully qualified domain name of the NetAct cluster load balancer
for WebSphere. For more information, see Launching the NetAct Start Page.
b) Type the Username and Password, and click Log In.

Note: If the terms and conditions appear, select the I have read and agree to
the above terms and conditions check box, and then click Log In. For more
information, see Modifying terms and conditions page.

c) Click Accept or Continue.

2. Click Security → Network Element Access Control.

Network Element Access Control window appears.

3. Click Centralized NE User Management tab.

4. Select the network element for which you want to activate CNUM.

Tip: You can filter or sort the list, and select the desired network element.

• Click the column header to sort the list in alphabetical order.


• Type the text in the column field to filter the list.

5. From the LDAP access type list, select StartTLS.

6. From IP version list, select IPv4 or IPv6.

7. Click Activate.

Expected outcome

CNUM status of the network element changes to Ongoing.

8. Click Refresh.

Expected outcome

The status is changed to Activated.

Note: Activation of CNUM on the network element takes some time.

If the activation is unsuccessful, the CNUM status shows Failed activation. Click Failed
activation link to view the causes of failure.

For more information on how to activate CNUM, see Activating Centralized Network Element User
Management in Centralized Network Element User Management Help.

6.2.8.4.2 Verifying CNUM activation

1. Log in to the NetAct Start Page as the integration user.


a) In the address field of your internet browser, type the following URL address:

https://<system_FQDN>/startpage

where <system_FQDN> is the fully qualified domain name of the NetAct cluster load balancer
for WebSphere. For more information, see Launching the NetAct Start Page.
b) Type the Username and Password of the integration user, and click Log In.

Note: If the terms and conditions appear, select the I have read and agree to
the above terms and conditions check box, and then click Log In. For more
information, see Modifying terms and conditions page.

c) Click Accept or Continue.

2. Select Security → Network Element Access Control → Centralized NE User Management.

The CNUM status on the activated Network Element displays Activated.

3. Verify CNUM activation through Shell Access launch.

Note: Because CNUM activation internally takes some time in network elements, wait
about one minute to verify Shell Access launch.

a) In NetAct Start Page opened in step 1, click Monitoring → Monitor.

b) In NetAct Monitor, open Object Explorer by selecting Tools → Managed Objects → Object
Explorer.

Expected outcome

The Objects pane appears.

c) Right-click the <network element managed object>-<instance ID> object, and


select the Shell Access in the Element Management sub-menu.
d) To check whether CNUM activation is successful, verify that the login user is the integration user
by entering:

who am i

Expected outcome

The expected user is the integration user.

Ignore the following example warning messages if you see them:

Could not chdir to home directory /home/<login_user>: No such file or directory
id: cannot find name for group ID <group_ID>

6.2.8.4.3 Deactivating CNUM

Note:

• For REPOSERVER, select the Fully Qualified Distinguished Name (FQDN) of IMSNFM in the
CNUM GUI.
• For BNGLB, CSCF, HSSFE, NTHLRFE or TIAMS, select the FQDN of the expected network
element managed object in the CNUM GUI.

The order of deactivating CNUM:

1. Deactivate CSCF, HSSFE, NTHLRFE or BNGLB (in no particular order).

Note: If you see a failure for CSCF, HSSFE, NTHLRFE, or BNGLB, deactivate REPOSERVER or
IMSNFM, and then deactivate CSCF, HSSFE, NTHLRFE, or BNGLB.

2. Deactivate REPOSERVER or IMSNFM.


3. Deactivate TIAMS.

Note: For HPE TIAMS, deactivate both TIAMS nodes.

To deactivate CNUM, do the following:

1. Log in to the NetAct Start Page.


a) In the address field of your internet browser, type the following URL address:

https://<system_FQDN>/startpage

where <system_FQDN> is the fully qualified domain name of the NetAct cluster load balancer
for WebSphere. For more information, see Launching the NetAct Start Page.
b) Type the Username and Password, and click Log In.

Note: If the terms and conditions appear, select the I have read and agree to
the above terms and conditions check box, and then click Log In. For more
information, see Modifying terms and conditions page.

c) Click Accept or Continue.

2. Click Security → Network Element Access Control.

Network Element Access Control window appears.

3. Click Centralized NE User Management tab.

4. Select the network element for which you want to deactivate CNUM.

5. Click Deactivate.

Expected outcome

The status of the network element changes to Ongoing.

6. Click Refresh.

Expected outcome

The status is changed to Deactivated.

Note: Deactivation of CNUM on the network element takes some time.

If the deactivation is unsuccessful, the CNUM status shows Failed deactivation. Click
Failed deactivation link to view the causes of failure.

6.2.8.4.4 Verifying CNUM deactivation

1. Log in to the NetAct Start Page as the integration user.


a) In the address field of your internet browser, type the following URL address:

https://<system_FQDN>/startpage

where <system_FQDN> is the fully qualified domain name of the NetAct cluster load balancer
for WebSphere. For more information, see Launching the NetAct Start Page.
b) Type the Username and Password of the integration user, and click Log In.

Note: If the terms and conditions appear, select the I have read and agree to
the above terms and conditions check box, and then click Log In. For more
information, see Modifying terms and conditions page.

c) Click Accept or Continue.

2. Select Security → Network Element Access Control → Centralized NE User Management.

The CNUM status on the activated Network Element displays Deactivated.

3. Verify CNUM deactivation through Shell Access launch.

Note: CNUM deactivation internally takes some time in the network element, so wait about one
minute before verifying through Shell Access launch.

a) In NetAct Start Page opened in step 1, click Monitoring → Monitor.


b) In NetAct Monitor, open Object Explorer by selecting Tools → Managed Objects → Object
Explorer.

Expected outcome

The Objects pane appears.

c) Right-click the <network element managed object>-<instance ID> object, and


select the Shell Access in the Element Management sub-menu.
d) To check if CNUM deactivation is successful, verify whether the login user is the SSH service
user configured in NEAC by entering:

who am i

Expected outcome

The expected user is the SSH service user configured in NEAC.

6.2.8.4.5 Changing password of network element account (network element bind user account)

To change the password of a network element account, see Updating the password for the network
element account (NE bind user account) in Centralized Network Element User Management Help.

Note:

• For REPOSERVER, select the Fully Qualified Distinguished Name (FQDN) of IMSNFM in the
CNUM GUI.
• For BNGLB, CSCF, HSSFE, NTHLRFE or TIAMS, select the FQDN of the expected network
element managed object in the CNUM GUI.

6.2.8.5 Troubleshooting CNUM


This chapter describes how to troubleshoot problems when you configure CNUM for network
elements.

6.2.8.5.1 Failure of activating CNUM

For possible causes and solutions, see Centralized Network Element User Management Activation
Failure in Troubleshooting Security Management.

6.2.8.5.2 Failure of changing password

Problem

Changing password fails.

Solution

If the password update is unsuccessful, the CNUM status shows Failed update. Click the Failed
update link to view the causes of failure.

6.3 Activating CNUM


For instructions on activating CNUM using the NEAC application, see Activating Centralized Network
Element User Management in Centralized Network Element User Management Help.

Note:

• NetAct prerequisites and Network element specific prerequisites and procedures should
be followed before activating CNUM.
• If CNUM is activated for a large number of network elements at once, a queuing mecha-
nism is applied to avoid overloading NetAct and the network.

Rollback

In case problems are encountered after the activation of CNUM and a rollback to service users is
required, see the instructions in Deactivating CNUM.

Cleanup

Once CNUM is activated, you access the network element with the NetAct user account held in the
centralized user management repository. The service users in the local user management of the
network element (other than the users used to configure CNUM) are no longer used for access.

Depending on the network element implementation, it may still be possible to log in to the network
element with these service users. If they are left in place without regular password changes, they
are a security risk, so consider whether they can be removed. Do the cleanup only after CNUM has
proven itself in use: a rollback to service users (see Deactivating CNUM) needs these accounts to
exist again in the network elements and in NEAC.

6.3.1 Verifying CNUM activation

1. Log in to the NetAct Start Page.


a) In the address field of your internet browser, type the following URL address:

https://<system_FQDN>/startpage

where <system_FQDN> is the fully qualified domain name of the NetAct cluster load balancer
for WebSphere. For more information, see Launching the NetAct Start Page.
b) Type the Username and Password, and click Log In.

Note: If the terms and conditions appear, select the I have read and agree to
the above terms and conditions check box, and then click Log In. For more
information, see Modifying terms and conditions page.

c) Click Accept or Continue.

2. Click Security → Network Element Access Control.

Network Element Access Control window appears.

3. Click Centralized NE User Management tab.

CNUM status of the network element is displayed as activated.

To verify the CNUM activation from the network element, see Verification section in Network ele-
ment specific prerequisites and procedures.

6.3.2 Verifying CNUM activation for Configuration Management


Perform the following upon CNUM activation:

1. Perform upload operation. For more information, see Verifying CM Repository Server Configuration
Management connectivity in Integrating CM Repository Server Bare Metal to NetAct.

2. Log in as omc user to any NetAct VM where the WAS service is running.

To locate the correct virtual machine, see Locating the right virtual machine for a service in Admin-
istering NetAct Virtual Infrastructure.

3. Check the /var/opt/oss/log/audit/oss_change_CMCluster_*_*.log files on the was node. The
latest log is usually oss_change_CMCluster_0_0.log.

4. Search for the text Starting upload using NE3S agent at in oss_change_CMCluster_*_*.log.

5. CNUM is activated if the values of User identity and Target user identity are both the same as
the logged-in user.

6.4 Deactivating CNUM


Deactivating CNUM and taking service users back into use entails the same steps as activating
CNUM, but in reverse order.

If the service users meant for CNUM operations have been decommissioned after CNUM activation,
those service users have to be set up again in the network elements and stored in the NEAC
application before deactivating CNUM.

If the service users are still in the network and in NEAC, a rollback includes deactivating CNUM using
the NEAC application and possibly some actions in the network element as described in Network ele-
ment specific prerequisites and procedures.

For instructions on deactivating CNUM using the NEAC application, see Deactivating Centralized Net-
work Element User Management in Centralized Network Element User Management Help.

6.4.1 Verifying CNUM deactivation

1. Log in to the NetAct Start Page.


a) In the address field of your internet browser, type the following URL address:

https://<system_FQDN>/startpage

where <system_FQDN> is the fully qualified domain name of the NetAct cluster load balancer
for WebSphere. For more information, see Launching the NetAct Start Page.
b) Type the Username and Password, and click Log In.

Note: If the terms and conditions appear, select the I have read and agree to
the above terms and conditions check box, and then click Log In. For more
information, see Modifying terms and conditions page.

c) Click Accept or Continue.

2. Click Security → Network Element Access Control.

Network Element Access Control window appears.

3. Click Centralized NE User Management tab.

CNUM status of the network element is displayed as deactivated.

To verify the CNUM deactivation from the network element, see Verification section in Network ele-
ment specific prerequisites and procedures.

6.4.2 Verifying CNUM deactivation for Configuration Management


Perform the following upon CNUM deactivation:

1. Perform upload operation. For more information, see Verifying CM Repository Server Configuration
Management connectivity in Integrating CM Repository Server Bare Metal to NetAct.

2. Log in as omc user to any NetAct VM where the was service is running. To locate the correct
virtual machine, see Locating the right virtual machine for a service in Administering NetAct Virtual
Infrastructure.

3. Check the /var/opt/oss/log/audit/oss_change_CMCluster_*_*.log files on the was node. The
latest log is usually oss_change_CMCluster_0_0.log.

4. Search for the text Starting upload using NE3S agent at in oss_change_CMCluster_*_*.log.

5. CNUM is deactivated if the value of User identity is the same as the logged-in user and the value
of Target user identity is the same as the user provided in the NEAC credentials.
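The audit-log checks in steps 3 to 5 of this section and of Verifying CNUM activation for Configuration Management can be scripted so that the comparison of User identity and Target user identity is not done by eye. The following is an added example and not NetAct code: it scans the CM audit log for the Starting upload using NE3S agent at lines and reports, for each upload started by the given NetAct user, whether the target identity was the user itself (CNUM active) or a different account (NEAC service user). The exact layout of the audit line is not documented on this page, so the sample lines are constructed and the regular expressions assume the fields appear as User identity: <name> and Target user identity: <name> on the same line; adjust them to the real log before relying on the result.

```python
#!/usr/bin/env python3
"""Classify NE3S uploads in the CM audit log as CNUM (NetAct user identity
passed through to the NE) or service-user (NEAC credentials used).

Added example, not NetAct code. ASSUMPTION: the audit line carries the two
fields as 'User identity: <name>' and 'Target user identity: <name>'; adjust
USER_RE / TARGET_RE to the real line format before trusting the result.
"""
import glob
import os
import re

AUDIT_GLOB = "/var/opt/oss/log/audit/oss_change_CMCluster_*_*.log"
MARKER = "Starting upload using NE3S agent at"

# Assumed field layout (see module docstring).
USER_RE = re.compile(r"(?<!Target )\bUser identity\s*[:=]\s*([^;,\s]+)")
TARGET_RE = re.compile(r"\bTarget user identity\s*[:=]\s*([^;,\s]+)")

# Constructed sample lines, not real NetAct output: first upload ran with CNUM
# active, second after deactivation with a NEAC service user as target.
SAMPLE_LOG = """\
2021-10-05 10:12:03 INFO Starting upload using NE3S agent at 2021-10-05T10:12:03Z; User identity: jsmith; Target user identity: jsmith; NE: PLMN-PLMN/REPOSERVER-1
2021-10-05 10:12:09 INFO Upload finished; User identity: jsmith; NE: PLMN-PLMN/REPOSERVER-1
2021-10-05 10:20:44 INFO Starting upload using NE3S agent at 2021-10-05T10:20:44Z; User identity: jsmith; Target user identity: ne3s_service; NE: PLMN-PLMN/REPOSERVER-1
"""


def classify_upload(line, logged_in_user):
    """Classify one audit line.

    Returns 'cnum' when Target user identity equals the logged-in user (CNUM
    activated), 'service-user' when it differs (NEAC credentials, CNUM
    deactivated), 'unexpected' when the upload was started by someone else or
    a field is missing, and None when the line is not an NE3S upload start.
    """
    if MARKER not in line:
        return None
    user = USER_RE.search(line)
    target = TARGET_RE.search(line)
    if not user or not target or user.group(1) != logged_in_user:
        return "unexpected"
    return "cnum" if target.group(1) == logged_in_user else "service-user"


def upload_modes(log_text, logged_in_user):
    """Modes of all NE3S upload starts in the log, oldest first."""
    modes = []
    for line in log_text.splitlines():
        mode = classify_upload(line, logged_in_user)
        if mode is not None:
            modes.append(mode)
    return modes


def latest_upload_mode(log_text, logged_in_user):
    """Mode of the most recent upload start, or None if there is none."""
    modes = upload_modes(log_text, logged_in_user)
    return modes[-1] if modes else None


def newest_audit_log(pattern=AUDIT_GLOB):
    """Most recently modified audit log file (the page notes it is usually _0_0)."""
    files = glob.glob(pattern)
    return max(files, key=os.path.getmtime) if files else None


if __name__ == "__main__":
    import sys
    user = sys.argv[1] if len(sys.argv) > 1 else "jsmith"
    path = newest_audit_log()
    text = open(path).read() if path else SAMPLE_LOG
    print("log:", path or "<constructed sample>")
    print("latest upload mode for", user + ":", latest_upload_mode(text, user))
```

Run it as the omc user on the VM hosting the was service, passing the NetAct login name that performed the upload; when no audit log is found it falls back to the constructed sample so the logic can be exercised elsewhere. An 'unexpected' result means the most recent upload in the log was not started by that user, so repeat the upload before drawing a conclusion.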

6.5 Maintenance of network element user access using CNUM

6.5.1 Network element account password update


The network element accounts (NE bind users) are used by the network elements to bind to the
centralized LDAP and retrieve the authentication and authorization data of NetAct users. These
accounts are created automatically when CNUM is activated and can access only a limited scope in
LDAP, but it is still recommended to update the passwords of the NE bind users regularly.

Note: Only a manually triggered update from the NEAC application is supported. For more
information, see Updating the password for the network element account (NE bind user
account) in Centralized Network Element User Management Help.

6.5.2 Network element integration


When CNUM is in use for a certain network element type and a new network element instance of the
same type is integrated to NetAct, follow the process in section Controlling network element access
with Centralized Network Element User Management to activate CNUM for the new network element.

6.5.3 Rehoming a network element to another Maintenance Region


When a network element with CNUM activated is to be moved to another Maintenance Region,
deactivate CNUM and activate it again for that network element. This also clears any cached user or
permission information that may remain in the network element.

6.5.4 Removing a network element from NetAct


When a network element is deleted from NetAct Monitor, the CNUM configuration for that NE instance
is cleaned up automatically in NetAct, but no configuration change (such as deactivating CNUM) is
made in the network element itself. If CNUM must be deactivated in a network element that is being
removed from NetAct, deactivate CNUM in NetAct before deleting the network element; otherwise the
network element keeps its CNUM configuration after NetAct has removed its side of it.

6.6 Configuring CNUM token parameters for external users


Tokens are used for authentication of any operation initiated on a Centralized Network Element
User Management (CNUM) enabled Network Element (NE). The CNUM token parameters determine the
token expiration time, the grace time and the token hash algorithm.

Table 37: Token parameters and definition describes the configuration parameters associated with
CNUM tokens.

Token parameter                 Definition                                            Default value   Allowed range

CNUMTokenExpiryDuration         Duration for which the generated tokens are valid     20 minutes      20 – 180 minutes

GraceCNUMTokenExpiryDuration    Duration prior to token expiration during which       2 minutes       2 – less than the configured
                                generating a new token is considered                                  CNUMTokenExpiryDuration value

CNUMTokenHashAlgorithm          Hash algorithm used for token generation              SHA-512         Only SHA hash algorithms
                                                                                                      above SHA-256

Table 37: Token parameters and definition

To change the token parameter value, do the following:

1. Log in through SSH as omc user to any VM where the syswas service is running.

To locate the right NetAct VM, see Locating the right virtual machine for a service in Administering
NetAct Virtual Infrastructure.

2. Check whether the Pref_ExternalUserTokenExpiryConfig.xml file already exists in
/etc/opt/oss/global/custom/conf/javaprefs/um. If it exists, take a backup by entering:

[omc@lab ~]$ mv /etc/opt/oss/global/custom/conf/javaprefs/um/Pref_ExternalUserTokenExpiryConfig.xml /var/tmp/Pref_ExternalUserTokenExpiryConfig.bkp

3. Copy the Pref_ExternalUserTokenExpiryConfig.xml preference file to the custom location:

a) As root user, create the /etc/opt/oss/global/custom/conf/javaprefs/um directory if it does not
exist, and assign the directory ownership and permissions:

[omc@lab ~]$ su - root
Password: <Enter root password here>
[root@lab ~]# mkdir -p /etc/opt/oss/global/custom/conf/javaprefs/um; chown omc:sysop /etc/opt/oss/global/custom/conf/javaprefs/um; chmod 775 /etc/opt/oss/global/custom/conf/javaprefs/um
[root@lab ~]# exit

b) Copy the preference file to the custom location:

[omc@lab ~]$ cp -p /var/opt/oss/global/javaprefs/um/Pref_ExternalUserTokenExpiryConfig.xml /etc/opt/oss/global/custom/conf/javaprefs/um

4. In the copied file, change the value of the token parameter within the allowed range defined in
Table 37: Token parameters and definition.

Note: Default values are applied if invalid values are provided in the configuration file. For values
beyond the allowed range, the minimum or maximum supported value is applied.

5. If you took a backup in step 2, re-apply any other customized values from the backup file to
/etc/opt/oss/global/custom/conf/javaprefs/um/Pref_ExternalUserTokenExpiryConfig.xml, and then
remove the backup file.
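The range rules in Table 37 and the note in step 4 (invalid value: default applied; out-of-range value: clamped to the nearest limit) can be checked before the edited file is left in place. The following is an added example and not NetAct code: it reads the three parameters from a preference file and computes the values NetAct would effectively apply, so a mistaken edit is visible immediately. It assumes that the file stores each parameter as an <entry key="..." value="..."/> element, the same form shown for the neac preference file in the next section, and it reads the "above SHA-256" rule as permitting SHA-384 and SHA-512 only; both are assumptions, and the sample XML is constructed.

```python
#!/usr/bin/env python3
"""Compute the CNUM token parameters NetAct would apply from a candidate
Pref_ExternalUserTokenExpiryConfig.xml (added example, not NetAct code).

Rules from Table 37 and step 4: invalid -> default, out of range -> nearest
limit, grace period must stay below the expiry duration. The <entry key value/>
layout and the reading of "above SHA-256" as {SHA-384, SHA-512} are assumptions.
"""
import xml.etree.ElementTree as ET

EXPIRY_KEY = "CNUMTokenExpiryDuration"
GRACE_KEY = "GraceCNUMTokenExpiryDuration"
HASH_KEY = "CNUMTokenHashAlgorithm"

EXPIRY_DEFAULT, EXPIRY_MIN, EXPIRY_MAX = 20, 20, 180   # minutes
GRACE_DEFAULT, GRACE_MIN = 2, 2                          # minutes
HASH_DEFAULT = "SHA-512"
HASH_ALLOWED = {"SHA-384", "SHA-512"}                    # assumed reading of "above SHA-256"

# Constructed sample: expiry too large, grace above expiry, hash too weak.
SAMPLE_XML = """<map>
  <entry key="CNUMTokenExpiryDuration" value="600"/>
  <entry key="GraceCNUMTokenExpiryDuration" value="200"/>
  <entry key="CNUMTokenHashAlgorithm" value="SHA-256"/>
</map>
"""


def read_entries(xml_text):
    """Return {key: value} for every <entry> element, wherever it is nested."""
    root = ET.fromstring(xml_text)
    return {e.get("key"): e.get("value") for e in root.iter("entry") if e.get("key")}


def _as_int(raw):
    try:
        return int(str(raw).strip())
    except (TypeError, ValueError):
        return None


def effective_token_params(entries):
    """Apply the Table 37 rules; return (effective values, list of corrections made)."""
    notes = []

    expiry = _as_int(entries.get(EXPIRY_KEY))
    if expiry is None:
        expiry = EXPIRY_DEFAULT
        notes.append(f"{EXPIRY_KEY}: invalid, default {EXPIRY_DEFAULT} used")
    elif not EXPIRY_MIN <= expiry <= EXPIRY_MAX:
        clamped = min(max(expiry, EXPIRY_MIN), EXPIRY_MAX)
        notes.append(f"{EXPIRY_KEY}: {expiry} outside {EXPIRY_MIN}-{EXPIRY_MAX}, clamped to {clamped}")
        expiry = clamped

    grace_max = expiry - 1                       # "less than the configured expiry"
    grace = _as_int(entries.get(GRACE_KEY))
    if grace is None:
        grace = GRACE_DEFAULT
        notes.append(f"{GRACE_KEY}: invalid, default {GRACE_DEFAULT} used")
    elif not GRACE_MIN <= grace <= grace_max:
        clamped = min(max(grace, GRACE_MIN), grace_max)
        notes.append(f"{GRACE_KEY}: {grace} outside {GRACE_MIN}-{grace_max}, clamped to {clamped}")
        grace = clamped

    algo = str(entries.get(HASH_KEY, "")).strip().upper()
    if algo not in HASH_ALLOWED:
        notes.append(f"{HASH_KEY}: {entries.get(HASH_KEY)!r} not allowed, default {HASH_DEFAULT} used")
        algo = HASH_DEFAULT

    return {EXPIRY_KEY: expiry, GRACE_KEY: grace, HASH_KEY: algo}, notes


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_XML
    values, notes = effective_token_params(read_entries(text))
    for key, value in values.items():
        print(f"{key} = {value}")
    for note in notes:
        print("note:", note)
```

Run it against the copied file in /etc/opt/oss/global/custom/conf/javaprefs/um before step 5; any line printed as a note means the value you wrote is not the value NetAct will use. Because the grace limit depends on the expiry value, the expiry parameter is normalized first.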

6.7 Configuring token mode for external users


By default, tokens are used for the authentication of an external user for any operation performed on
a Centralized Network Element User Management (CNUM) enabled Network Element (NE).

Note:

• In token mode, operations on a CNUM-enabled NE continue to work even after the user has
expired, been locked or been deactivated in the external authentication and authorization
server, because the token rather than the account state is validated. To enforce the account
state, the user must log in again, or an administrator can terminate the session. For
information about terminating a session, see Terminating active user sessions in User
Management Help.
• This section involves a restart of the Network Credential Access application (neac-nca-ear),
which provides the credentials for operations performed on NEs from NetAct.

Token mode can be disabled if there are issues with the NE being operated on. This configuration
is done at the NE class level.

1. Log in to any VM where syswas service is running through SSH as omc user.

To locate the right NetAct VM, see Locating the right virtual machine for a service in Administering
NetAct Virtual Infrastructure.

2. Check whether the Pref_system_cnum_feature_class_release_licence-mapping.xml file already
exists in /etc/opt/oss/global/custom/conf/javaprefs/neac. If it exists, take a backup by entering:

[omc@lab ~]$ mv /etc/opt/oss/global/custom/conf/javaprefs/neac/Pref_system_cnum_feature_class_release_licence-mapping.xml /var/tmp/Pref_system_cnum_feature_class_release_licence-mapping.bkp

3. Copy the Pref_system_cnum_feature_class_release_licence-mapping.xml preference file to the
custom location:

a) Create the neac directory in /etc/opt/oss/global/custom/conf/javaprefs by entering:

[omc@lab ~]$ mkdir -m 775 /etc/opt/oss/global/custom/conf/javaprefs/neac

If the command reports that the directory already exists, continue with the next step.

b) Copy the preference file to the custom location:

[omc@lab ~]$ cp -p /var/opt/oss/global/javaprefs/neac/Pref_system_cnum_feature_class_release_licence-mapping.xml /etc/opt/oss/global/custom/conf/javaprefs/neac

4. Obtain the NE type for which the token mode support must be changed.

Note: The NE type with token mode support can be obtained by viewing the Object Class property
value of the NE fully qualified distinguished name in the Object Explorer of the NetAct Monitor
tool. For more information, see Displaying object attributes in Object Explorer Help.

5. Add the following entry key in the class level if it is missing or update the existing key to set the
token mode.

<entry key="externalUserCnumTokenAccess" value="disabled" />

Setting the value to disabled turns token mode access off for external users of that NE class;
enabled turns it on.

Note: A missing key at class level is treated as enabled.

6. Change other custom set values from backup file if taken in step 2
to /etc/opt/oss/global/custom/conf/javaprefs/neac/
Pref_system_cnum_feature_class_release_licence-mapping.xml. Remove the
backup file after changing the custom set value.

7. Restart the Network Credential Access application (neac-nca-ear) for the change to take effect
by entering the following commands:

[omc@lab ~]$ /opt/cpf/pylib/bin/stopApplication.sh neac-nca-ear

[omc@lab ~]$ /opt/cpf/pylib/bin/startApplication.sh neac-nca-ear

8. Check that the application is in the started state again by entering:

[omc@lab ~]$ /opt/cpf/bin/cpfwas_listClusterApplications.sh --cluster SysCluster | grep neac-nca-ear
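Step 5 says to add or update the key at class level, and the note after it says a missing key counts as enabled. The following is an added example and not NetAct code: it reports the effective token mode for an NE class from the preference file and can add or update the externalUserCnumTokenAccess entry for that class. The internal structure of the file is not shown on this page; the example assumes the standard Java Preferences XML layout, one <node name="..."> per NE class holding a <map> of <entry key="..." value="..."/> elements, with the Object Class name from step 4 as the node name. The sample XML is constructed, so compare it with the real file before using the write path.

```python
#!/usr/bin/env python3
"""Read or set externalUserCnumTokenAccess for one NE class in
Pref_system_cnum_feature_class_release_licence-mapping.xml.

Added example, not NetAct code. ASSUMPTION: Java Preferences XML layout with
one <node name="<NE class>"> per class holding a <map> of <entry/> elements.
A missing key at class level means enabled (note under step 5).
"""
import xml.etree.ElementTree as ET

KEY = "externalUserCnumTokenAccess"
VALID = ("enabled", "disabled")

# Constructed sample: REPOSERVER has the key set, CSCF relies on the default.
SAMPLE_XML = """<root type="system">
  <map/>
  <node name="REPOSERVER">
    <map>
      <entry key="externalUserCnumTokenAccess" value="disabled"/>
    </map>
  </node>
  <node name="CSCF">
    <map/>
  </node>
</root>
"""


def _class_node(root, ne_class):
    """The <node> element for ne_class, searched at any depth, or None."""
    for node in root.iter("node"):
        if node.get("name") == ne_class:
            return node
    return None


def effective_token_mode(xml_text, ne_class):
    """'enabled' or 'disabled' as NetAct would interpret it for ne_class.

    Raises KeyError if the class has no node and ValueError if the stored value
    is neither 'enabled' nor 'disabled' (the page defines no other value).
    """
    node = _class_node(ET.fromstring(xml_text), ne_class)
    if node is None:
        raise KeyError(f"no class-level node for {ne_class}")
    for entry in node.findall("map/entry"):          # direct class-level map only
        if entry.get("key") == KEY:
            value = (entry.get("value") or "").strip().lower()
            if value not in VALID:
                raise ValueError(f"{KEY} for {ne_class} is {entry.get('value')!r}, expected one of {VALID}")
            return value
    return "enabled"


def set_token_mode(xml_text, ne_class, mode):
    """Return the XML text with the class-level key added or updated to mode."""
    if mode not in VALID:
        raise ValueError(f"mode must be one of {VALID}")
    root = ET.fromstring(xml_text)
    node = _class_node(root, ne_class)
    if node is None:
        raise KeyError(f"no class-level node for {ne_class}")
    map_el = node.find("map")
    if map_el is None:
        map_el = ET.SubElement(node, "map")
    entry = next((e for e in map_el.findall("entry") if e.get("key") == KEY), None)
    if entry is None:
        entry = ET.SubElement(map_el, "entry", key=KEY)
    entry.set("value", mode)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:                            # <file> <NE class>: report
        print(effective_token_mode(open(sys.argv[1]).read(), sys.argv[2]))
    elif len(sys.argv) == 4:                          # <file> <NE class> enabled|disabled: write
        updated = set_token_mode(open(sys.argv[1]).read(), sys.argv[2], sys.argv[3])
        with open(sys.argv[1], "w") as fh:
            fh.write(updated)
    else:
        for ne_class in ("REPOSERVER", "CSCF"):
            print(ne_class, effective_token_mode(SAMPLE_XML, ne_class))
```

ElementTree does not preserve an XML declaration or DOCTYPE when it serializes, so after writing, diff the custom file against the backup from step 2 and restore any header lines before restarting neac-nca-ear in step 7.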

7 Managing external accounts in NetAct

This section provides information about:

• Importing external accounts using CLI


• Exporting external accounts using CLI
• Listing external users accounts using CLI
• Deleting external accounts using CLI

7.1 Importing external accounts using CLI


External accounts are imported to create or modify accounts in order to provide authentication and
authorization to the users.

Prerequisites

• Integration of NetAct with the external authentication server must be successful. For information
about how to integrate NetAct with the external authentication and authorization server, see
Integrating external authentication and authorization server to NetAct in Administering NetAct
System Security.
• The required licenses must be available. For more information about the license and their
availability, see Checking NetAct licenses needed for external authentication and authorization
server integration in Administering NetAct System Security.

1. Log in as omc user to the NetAct VM hosting the DMGR service.

To locate the right virtual machine, see Locating the right virtual machine for a service in
Administering NetAct Virtual Infrastructure.

2. On the command line, enter one of the following to import the external accounts:

• [omc] manageExternalUsers.sh --import <path to import xml file>

Or

• [omc] manageExternalUsers.sh -i <path to import xml file>

The ImportExternalUsersTemplate.xml file is available in /opt/oss/Nokia-sm_external_authentication/conf.

Note: The above command can be:

• executed by any sysop user
• used to import external accounts in bulk

3. Edit the ImportExternalUsersTemplate.xml file to create or modify user accounts along


with their group and domain associations. For more information, see Updating external accounts
configuration file.

4. The tool displays the number of user entries to be created or modified and the number of invalid
user entries. Check them, and at the prompt press Y to continue or N to abort.

Expected outcome

Summary of external user import:
Total number of user entries: 4
Number of users successfully created/modified: 4
Number of users failed to create/modify: 0

Note:

• To skip the prompt, enter one of the following on the command line:

[omc] manageExternalUsers.sh --import <path to import xml file> --noPrompt

Or

[omc] manageExternalUsers.sh --import <path to import xml file> -n

• The tool terminates if anything other than y or yes (case-insensitive) is entered three times.

• For any issues during the creation or modification of external accounts, see
Troubleshooting external user management operations in Troubleshooting Security
Management.

• If the external authentication and authorization server is integrated to multiple NetAct
systems, the import operation must be performed on each of those NetAct systems.

• manageExternalUsers.sh allows the NetAct groups of an external user to be updated. When
authorization against the external authentication and authorization server is enabled, this
makes the group associations in NetAct and in the external server inconsistent: after a
successful login the external user gets access rights according to the NetAct groups
associated with the account, and those groups are not kept up to date with the external groups
mapped in the external authentication and authorization server.

In such a case the user's group membership in the external authentication and authorization
server is expected to be kept the same as the mapped external groups and the associated groups
in NetAct.

For checking and updating the group mapping in NetAct, see Managing external groups mapping;
for updating the groups associated with an external user in the external authentication and
authorization server, see Adding external user to universal group of external authentication and
authorization server in Administering NetAct System Security.

7.1.1 Updating external accounts configuration file

Note:

If a value listed in Values and description contains special characters such as double quote ("),
ampersand (&), left angle bracket (<), right angle bracket (>), apostrophe (') or consecutive
spaces, escape these characters in the ImportExternalUsersTemplate.xml file as defined by the XML
specification (&quot; for the double quote, &amp; for the ampersand, &lt; and &gt; for the angle
brackets, &apos; for the apostrophe). For example, if the domain name of the external server is
na"lab2903, escape the double quote with &quot; and enter the value in the XML as na&quot;lab2903.

Values and description table describes the values present in the external account's configuration file.

Values            Description

domain            Domain name used during login to the external authentication and authorization
                  server, by providing the login name in <domain name>\<login name> format. This must
                  match the domain name provided in Integrating external authentication and
                  authorization server to NetAct in Administering NetAct System Security.

userIdentifier    Relative distinguished name attribute of the user object in the external
                  authentication and authorization server. This is an optional attribute; the default
                  value is CN.

branchRDN         If the corporate domain has multiple branches, the relative distinguished name of the
                  branch where the users are present.

                  Note: This is an optional attribute. If there is no branch relative distinguished
                  name, remove the branchRDN attribute from the .xml file.

                  Ensure that the RDN value does not contain the following characters, as they are not
                  supported in NetAct:

                  • plus (+)
                  • comma (,)
                  • double quote (")
                  • forward slash (/)
                  • backward slash (\)
                  • left angle bracket (<)
                  • right angle bracket (>)
                  • semicolon (;)
                  • equals (=)
                  • consecutive spaces

                  For example, in the RDN CN=test,+h,DC=nalab675,DC=netact,DC=nsn-rdnet,DC=net the
                  DC and CN components are separated by commas, but a CN or DC value itself cannot
                  contain a comma or any other unsupported character. In this example, test,+h is not
                  supported because it contains the comma and plus characters.

accountId         Account name used to log in to NetAct. In the User Management Operations →
                  Administration → Policy configuration page, the Supported characters in login name
                  and Maximum length of login name fields must be adjusted to fit the account name. For
                  more information, see Login name policy.

associatedGroups  NetAct group names separated by | (pipe). For example, NetAct-grp1 | NetAct-grp2

                  Only the groups mentioned in the entry are associated with the user. If the user is
                  already associated with groups that are not mentioned in the entry, the user is
                  disassociated from those groups.

                  At least one group must be mentioned in the entry.

                  Note:
                  • The associated groups must exist in NetAct.
                  • If SSH access is enabled for the user, add the sshaccess group to the import XML
                    file when modifying that user, so that the SSH access is retained.

commonName        Account name used for searches in the external authentication and authorization
                  server.

                  Note: Ensure that commonName does not contain the special characters + , " \ / < > ; =
                  or consecutive spaces, as these are not supported in NetAct.

Table 38: Values and description

Example: To determine the userIdentifier, branchRDN, commonName, and domain information:

1. Log in to the Node Manager domain controller as a local NetAct user who belongs to the
NetAct_Administrators group.
2. Press WINDOWS+R on the keyboard and type cmd.exe in the Run dialog to launch the command
prompt.
3. On the command prompt, type PowerShell to launch PowerShell in the console.
4. On the PowerShell prompt, enter the following to obtain the distinguished name:

Get-ADUser <username> -server <external_server_domain_name> -credential <Admin_user_of_external_server> | Select -ExpandProperty DistinguishedName

where:

• <username> is the user name of the external user.
• <external_server_domain_name> is the domain name of the external user, which is used
during the login to the external authentication and authorization server.
• <Admin_user_of_external_server> is any admin user of the external authentication and
authorization server.

At the prompt, enter the admin user password.


Expected outcome:

<UserIdentifier>=<commonName>,<branchRDN>,<baseDN>

Example:

PS D:\Users\Administrator> Get-ADUser tUser -server domain1.corporate.net -credential Administrator | Select -ExpandProperty DistinguishedName

Output:

CN=Test User 1,OU=unit1,OU=location1,CN=Users,DC=domain1,DC=corporate,DC=net

where:

• domain: domain1
• userIdentifier: CN
• branchRDN: OU=unit1,OU=location1
• commonName: Test User 1
• baseDN: CN=Users,DC=domain1,DC=corporate,DC=net
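As an added example (not NetAct code), the following Python splits the DistinguishedName returned by Get-ADUser into the domain, userIdentifier, branchRDN, commonName and baseDN values of Table 38, rejects values that carry the unsupported characters listed there, and escapes a value for use in the import XML. It assumes, as in the worked example above, that the OU= components following the user's own RDN form branchRDN and that the domain is the first DC= value.

```python
"""Derive the ImportExternalUsersTemplate.xml values from a Get-ADUser DN.

Added example for this page; not part of NetAct.  The branchRDN/baseDN split
rule (leading OU= components = branchRDN, rest = baseDN, first DC= = domain)
is an assumption taken from the worked example in the text.
"""
from dataclasses import dataclass
from xml.sax.saxutils import escape

# Characters NetAct does not accept inside an RDN value or commonName (Table 38).
UNSUPPORTED = set('+,"/\\<>;=')


@dataclass
class ExternalUserFields:
    domain: str
    userIdentifier: str
    branchRDN: str          # empty when the user sits directly under baseDN
    commonName: str
    baseDN: str


def check_rdn_value(value: str) -> None:
    """Raise ValueError if value carries an unsupported character or a run of spaces."""
    bad = sorted({c for c in value if c in UNSUPPORTED})
    if bad:
        raise ValueError(f"unsupported character(s) {bad!r} in {value!r}")
    if "  " in value:
        raise ValueError(f"consecutive spaces in {value!r}")


def parse_distinguished_name(dn: str) -> ExternalUserFields:
    """Split <userIdentifier>=<commonName>,<branchRDN>,<baseDN> into its fields."""
    # Commas cannot occur inside supported values (Table 38), so a plain split is safe;
    # a value that does contain one shows up as a malformed component below.
    parts = [p.strip() for p in dn.split(",")]
    if not parts or "=" not in parts[0]:
        raise ValueError(f"not a distinguished name: {dn!r}")
    user_identifier, common_name = parts[0].split("=", 1)
    check_rdn_value(common_name)

    rest = parts[1:]
    branch = []
    while rest and rest[0].upper().startswith("OU="):
        branch.append(rest[0])
        rest = rest[1:]
    for rdn in branch + rest:
        attr, _, val = rdn.partition("=")
        if not attr or not val:
            raise ValueError(f"malformed RDN component {rdn!r}")
        check_rdn_value(val)

    dc_values = [r.split("=", 1)[1] for r in rest if r.upper().startswith("DC=")]
    if not dc_values:
        raise ValueError("no DC= component, cannot derive the domain")

    return ExternalUserFields(
        domain=dc_values[0],
        userIdentifier=user_identifier,
        branchRDN=",".join(branch),
        commonName=common_name,
        baseDN=",".join(rest),
    )


def xml_attr_value(value: str) -> str:
    """Escape a value for a double-quoted attribute in the import XML (&, <, >, ", ')."""
    return escape(value, {'"': "&quot;", "'": "&apos;"})


if __name__ == "__main__":
    # Constructed input: the DN from the worked example on this page.
    fields = parse_distinguished_name(
        "CN=Test User 1,OU=unit1,OU=location1,CN=Users,DC=domain1,DC=corporate,DC=net"
    )
    print(fields)
    print(xml_attr_value('na"lab2903'))
```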

7.2 Exporting external accounts using CLI


Details of the external accounts present in NetAct can be exported to an XML file using the
Command Line Interface (CLI).

1. Log in as omc user to the NetAct VM hosting the dmgr service.

To locate the right virtual machine, see Locating the right virtual machine for a service in
Administering NetAct Virtual Infrastructure.

2. Export external accounts by doing one of the following:

• To export data of an external user, enter one of the following commands:

manageExternalUsers.sh -e -U <Username> [-n]

Or

manageExternalUsers.sh --export --Username <Username> [-n]

Note:

• -n or --noPrompt is used to skip the prompt.
• If the tool is executed without the -n or --noPrompt option, press Y or N at the prompt.
• The tool terminates if anything other than y or yes (case-insensitive) is entered at the
prompt three times.
• A user name containing special characters must be provided correctly, either by enclosing
the user name in single quotes or by escaping each special character with the appropriate
escape character, for example, a backslash.

• To export data for all external users, enter one of the following commands:

manageExternalUsers.sh -e -a [-n]

Or

manageExternalUsers.sh --export --all [--noPrompt]

• To export data for all external users present in the input file, enter one of the following
commands:

manageExternalUsers.sh -e -f <text file path> [-n]

Or

manageExternalUsers.sh --export --file <text file path> [--noPrompt]

where <text file path> is the absolute path of the input text file, which must contain the
external user names for which the data needs to be exported.

Note:

• External user names in <text file path> must be separated by new lines.
• <text file path> must have read permission for the sysop group.
• The exported XML file is available at
/var/tmp/Nokia-sm_external_authentication/export_externalusers/ExportExternalUsers-<ddmmyyyyhhmmss>.xml.
• For any issues during the export of external user accounts, see Troubleshooting
external user management operations in Troubleshooting Security Management.
• If the external authentication and authorization server is integrated with multiple NetAct
systems, the external users can be exported from one NetAct installation and imported
into another. If the group association of an external user differs between NetAct
installations, the exported file can be modified to the required group association before
it is imported into the corresponding NetAct system.


7.3 Listing external user accounts using CLI

This tool is used to list all the external user accounts present in NetAct. It also shows the associated
groups, domain name, and common name corresponding to each external user.

1. Log in as omc user to the NetAct VM hosting the dmgr service.

To locate the right VM, see Locating the right virtual machine for a service in Administering NetAct
Virtual Infrastructure.

2. Generate the list of the external user accounts with the related information by doing one of
the following:

• To list all the external user names, enter one of the following commands:

[omc] manageExternalUsers.sh -l -u

Or

[omc] manageExternalUsers.sh --list --usernames

• To list all the external user names with group information, enter one of the following
commands:

[omc] manageExternalUsers.sh -l -g

Or

[omc] manageExternalUsers.sh --list --groups

• To list all the external user names with domain name information, enter one of the following
commands:

[omc] manageExternalUsers.sh -l -d

Or

[omc] manageExternalUsers.sh --list --domain

• To list all the external user names with group, domain name, and common name, enter one of
the following commands:

[omc] manageExternalUsers.sh -l -a

Or

[omc] manageExternalUsers.sh --list --all


• To list the information of an external user, enter one of the following commands:

[omc] manageExternalUsers.sh -l -U <Username>

Or

[omc] manageExternalUsers.sh --list --Username <Username>

where <Username> is the name of the user whose information is to be listed.

Note: A user name containing special characters must be provided correctly, either by
enclosing the user name in single quotes or by escaping each special character with the
appropriate escape character, for example, a backslash.

• To list the information of all the external users present in the input file, enter one of the
following commands:

[omc] manageExternalUsers.sh -l -f <text file path>

Or

[omc] manageExternalUsers.sh --list --file <text file path>

where <text file path> is the absolute path of the input text file, which must contain the
names of the users whose information is to be listed.

Note:

• User names must be separated by new lines.
• <text file path> must have read permission for the sysop group.
• It is recommended to delete the file after execution.

3. Tool execution must be terminated if any problem occurs during the list operation. To resolve the
issue, see Failed to list users in Troubleshooting Security Management.

7.4 Deleting external accounts using CLI


External accounts present in NetAct can be removed manually using the Command Line Interface
(CLI) tool.

1. Log in as omc user to the NetAct VM hosting the dmgr service.

To locate the right VM, see Locating the right virtual machine for a service in Administering NetAct
Virtual Infrastructure.

2. Delete the external accounts based on the type of the account.


• For deleting an external account, enter:

manageExternalUsers.sh -D -U <username> [-n]

Or

manageExternalUsers.sh --Delete --User <username> [--noPrompt]

where <username> is the name of the external user to be deleted.

Note: A user name containing special characters must be provided correctly, either by
enclosing the user name in single quotes or by escaping each special character with the
appropriate escape character, for example, a backslash.

• For deleting all external accounts, enter:

manageExternalUsers.sh -D -a [-n]

Or

manageExternalUsers.sh --Delete --all [--noPrompt]

• For deleting all external accounts present in the input file, enter:

manageExternalUsers.sh -D -f <text file path> [-n]

Or

manageExternalUsers.sh --Delete --file <text file path> [--noPrompt]

where <text file path> is the absolute path of the input text file, which must contain the
names of the external users to be deleted.

Note:

• User names must be separated by new lines.
• -n or --noPrompt is used to skip the prompt.
• If the tool is executed without the -n or --noPrompt option, check the number of users to be
deleted shown at the prompt and press Y or N.
• The tool terminates if anything other than y or yes (case-insensitive) is entered three times.
• For any issues during the deletion of external accounts, see Troubleshooting external
user management operations in Troubleshooting Security Management.
• The input file must be deleted after the execution.
• Deletion of an external user does not terminate the current active sessions of that
user. To terminate such active user sessions manually, see Management of active
user sessions in User Management Help.

7.5 Modifying external user automatically


This section describes the configuration changes required to modify an external user automatically
upon NetAct start page login.

By default, an external user who is not associated with any NetAct specific group in the external
authentication server, or who is part of a NetAct specific group that is not mapped to any group in
NetAct, is not modified upon start page login. Nokia recommends modifying such external users to
avoid other ways of login, such as SSH login. To modify such external users upon start page login,
update the DeleteUserOnNoGroupAssociation field in the preference file by doing the following:

1. Log in as omc user to the NetAct VM hosting the dmgr service.

To locate the right virtual machine, see Locating the right virtual machine for a service in
Administering NetAct Virtual Infrastructure.

2. Go to the /etc/opt/oss/global/custom/conf/javaprefs/um location and check if the
Pref_ExternalGroupMappingConfig.xml file exists. If it exists, take a backup by entering:

[omc@lab ~]$ mv /etc/opt/oss/global/custom/conf/javaprefs/um/Pref_ExternalGroupMappingConfig.xml /var/tmp/Pref_ExternalGroupMappingConfig.bkp

If the Pref_ExternalGroupMappingConfig.xml file does not exist, go to step 3.

3. Check if the /etc/opt/oss/global/custom/conf/javaprefs/um directory exists. If it exists,
proceed to the next step. Otherwise, do the following:

• Create the /etc/opt/oss/global/custom/conf/javaprefs/um directory as the root user
and assign the directory ownership and permissions by entering:

[omc@lab ~]$ su - root
Password: <Enter root password here>
[root@lab ~]# mkdir -p /etc/opt/oss/global/custom/conf/javaprefs/um; chown omc:sysop /etc/opt/oss/global/custom/conf/javaprefs/um; chmod 775 /etc/opt/oss/global/custom/conf/javaprefs/um
[root@lab ~]# exit

4. Copy the group preference file to the custom location by entering:

[omc@lab ~]$ cp -p /var/opt/oss/global/javaprefs/um/Pref_ExternalGroupMappingConfig.xml /etc/opt/oss/global/custom/conf/javaprefs/um

5. Update the preference file. To update, see Table 39: Parameters and their description.

DeleteUserOnNoGroupAssociation
    Description: If the external user has no NetAct specific groups in the external
    authentication server and this value is set to Yes in the preference file, the external
    user is deleted. If this value is No, the external user is not deleted.
    Default value: No. However, the user can change it to Yes if the user is to be deleted on
    no group association.

SkipModifyExternalAccount
    Description: If the value is set to no, the external authentication server group
    associations (NetAct specific groups) of an external account are retrieved each time an
    existing external user logs in to NetAct. This updates the group associations in NetAct
    for the corresponding external user account.

    If it is set to yes, the groups are not obtained from the external authentication server
    each time an existing external user logs in to NetAct, so the group associations in NetAct
    are not updated. The existing group associations of that external user remain unchanged,
    and the DeleteUserOnNoGroupMapping field has no significance.
    Default value: No

Table 39: Parameters and their description

6. If a backup was taken in step 2, transfer the custom values set previously in the backup file to
the /etc/opt/oss/global/custom/conf/javaprefs/um/Pref_ExternalGroupMappingConfig.xml
file.

Note:

• If a backup was taken in step 2, remove the backup file after transferring the custom values.
• By default, the external user's start page login fails if no NetAct specific groups are
mapped. However, SSH login for such a user is still possible, and that user must be cleaned
up manually (if not auto removed) by following the instructions in Deleting external
accounts using CLI.
• The home directory of the user is not removed as part of the user removal and must be
removed separately.

7.6 Creating and updating external accounts automatically


External accounts are automatically created for valid users on login to NetAct start page, if external
authorization server is enabled. Existing users already imported or migrated are also automatically
updated, if the corresponding groups in external authentication server are modified.

Prerequisites

• External authorization server must be configured and enabled. To enable external authorization
server, see Enabling NetAct directory server authorization with external authentication and
authorization server in Administering NetAct System Security.
• User account must have at least one group mapped to a NetAct group. For more information, see
Managing external groups mapping.
• A local NetAct user with the same account name must not be already existing. If the account
needs to be migrated, see Migrating NetAct users to external users in Administering NetAct
System Security.

Procedure

• Log in to the NetAct start page as an external user by using the following syntax:

<extUser>[@<extDomainName>]

By performing a direct login to the NetAct start page, NetAct validates the account name against the
NetAct login name policy. In the User Management application, the Supported characters in the login
name and Maximum length of login name fields must be modified to match the account name. For
more information, see Login name policy.

Once the account name validation is done, NetAct checks if the external authentication server
accepts the passed credentials. If the external authentication server accepts the credentials and
valid groups are found mapped to the account in the external authentication server, an external
user account is automatically created in the NetAct user management. By default, the account’s
associated groups and thus the access rights are also automatically updated in subsequent logins.

Note:

– The domain name is optional and if provided, must match the domain name
configured as part of Updating External Authentication Server Integration
configuration file in Administering NetAct System Security.
– If the domain name configured is incorrect, login validation from NetAct would
not fail, but login to external server might fail. To correct the configured domain
name, see Login failure for external user in NetAct in Troubleshooting Security
Management.
– External user logging in through SSH, Citrix, or other means will not update the
group mapping and access rights.
– Reauthentication to an existing active session does not update the group
associations.
– Ensure that commonName, which is the account name, does not contain the special
characters + , " \ / < > ; = or consecutive spaces, as these are not supported in NetAct.

7.7 Configuring automatic shell access for external users


External users in NetAct can have their shell access automatically enabled if they are associated with
sshaccess group or with a group in the external authentication and authorization server mapped to
sshaccess group in NetAct. This requires the automatic shell login feature to be enabled in NetAct.

To enable the automatic shell login feature, do the following:

1. Log in through SSH as omc user to any NetAct VM where the dmgr service is running.

To locate the right virtual machine, see Locating the right virtual machine for a service in
Administering NetAct Virtual Infrastructure.

2. Check if the Pref_ExternalUserAutoSSHConfig.xml file exists in the
/etc/opt/oss/global/custom/conf/javaprefs/um directory by entering:

[omc@lab ~]$ ll /etc/opt/oss/global/custom/conf/javaprefs/um/Pref_ExternalUserAutoSSHConfig.xml

If the preference file is listed, go to step 4. Else, continue with the next step.

3. Copy the Pref_ExternalUserAutoSSHConfig.xml preference file to the operator-defined
location by doing the following:
a) Create the um directory inside the /etc/opt/oss/global/custom/conf/javaprefs path by
entering:

mkdir -m 775 /etc/opt/oss/global/custom/conf/javaprefs/um

If the um directory already exists, go to the next step.

b) Copy the Pref_ExternalUserAutoSSHConfig.xml preference file to the operator-defined
location by entering:

[omc@lab ~]$ cp -p /var/opt/oss/global/javaprefs/um/Pref_ExternalUserAutoSSHConfig.xml /etc/opt/oss/global/custom/conf/javaprefs/um

4. Enable the automatic shell access feature by changing the value of the entry
key="autoConfigSSHAccess" in the copied file from "false" to "true".

Note:

• A successful login to NetAct through the NetAct Start Page is required after the
configuration of the automatic shell access for the changes to take effect.
• External users meant for non-interactive use cases (machine-to-machine access), which
are managed in the external server, can be created through the Command Line Interface
(CLI) tool to grant the shell access automatically and avoid the NetAct Start Page login.
For creating such accounts, see Importing external accounts using CLI.
• To revoke the shell access right of a user, the user must be disassociated from the group
mapped to the sshaccess group in the external authentication and authorization server.
Disabling the automatic shell access feature alone does not revoke the shell access rights
of the user.
• Due to the security feature of Unix PAM modules, SSH logins are case-sensitive, although
the NetAct Start Page allows users to log in with both upper and lower case:

• The NetAct Start Page login is case-insensitive. For example, user JohnPaul can log in to
the Start Page with the JohnPaul or johnpaul user name.
• The SSH login is case-sensitive. For example, user JohnPaul can log in through SSH with
JohnPaul but not with the johnpaul user name.

7.8 Configuring lowercase for new external users


The administrator can enable the key="usernameToLowerCase" flag to allow newly created
external users to perform all NetAct operations with lower case usernames.

To create the external users in lowercase, do the following:

1. Log in through SSH as omc user to any NetAct VM where the dmgr service is running.

To locate the right virtual machine, see Locating the right virtual machine for a service in
Administering NetAct Virtual Infrastructure.

2. Check if the Pref_ExternalUsernamesConfig.xml file exists in the
/etc/opt/oss/global/custom/conf/javaprefs/um directory by entering:

[omc@lab ~]$ ll /etc/opt/oss/global/custom/conf/javaprefs/um/Pref_ExternalUsernamesConfig.xml

If the preference file is listed, go to step 4. Else, continue with the next step.

3. Copy the Pref_ExternalUsernamesConfig.xml preference file to the operator-defined
location by doing the following:
a) Create the um directory inside the /etc/opt/oss/global/custom/conf/javaprefs path by
entering:

mkdir -m 775 /etc/opt/oss/global/custom/conf/javaprefs/um

If the um directory already exists, go to the next step.

b) Copy the Pref_ExternalUsernamesConfig.xml preference file to the operator-defined
location by entering:

[omc@lab ~]$ cp -p /var/opt/oss/global/javaprefs/um/Pref_ExternalUsernamesConfig.xml /etc/opt/oss/global/custom/conf/javaprefs/um

4. To create the external user in lowercase, change the value of the entry
key="usernameToLowerCase" in the copied file from "false" to "true".

Note:

• The key="usernameToLowerCase" preference value can only be used to create
external users in lowercase.
• In the migration scenario (Migrating NetAct users to external users in Administering
NetAct System Security), where the external user name is the same as the local NetAct user
name, the shadow account in NetAct is created with the same case as the local user,
irrespective of the usernameToLowerCase flag value.

For example:

– Scenario 1:

Consider a local user JohnPaul in NetAct whose corresponding user in the external
authentication and authorization server is johnpaul. If the migration operation is triggered
for JohnPaul, the shadow user in NetAct is created as JohnPaul (not johnpaul), irrespective
of the preference value (true or false), because it is treated as a same-name migration.
The SSH operation only works with the JohnPaul user name and does not succeed with
the johnpaul user name.
– Scenario 2:

Consider a local user johnpaul in NetAct whose corresponding user in the external
authentication and authorization server is JohnPaul. If the migration operation is triggered
for johnpaul, the shadow user in NetAct is created as johnpaul (not JohnPaul), irrespective
of the preference value (true or false), because it is treated as a same-name migration.
The SSH operation only works with the johnpaul user name and does not succeed with
the JohnPaul user name.

7.9 Managing external groups mapping


This chapter provides instructions for the following:

• Exporting NetAct groups
• Listing external groups mapped with NetAct groups
• Mapping external group to NetAct group
• Detaching external group from NetAct group

7.9.1 Exporting NetAct groups


NetAct groups can be exported along with their mapped group in the external authentication and
authorization server. This assists in deciding the access rights of an external user, which are
controlled through the groups associated in NetAct that are mapped to groups in the external
authentication and authorization server.

The export operation performed using the external group mapping tool (extGroupsMappingTool.sh)
exports all NetAct groups along with the corresponding external groups. The exported .csv file is
available at the /var/opt/oss/Nokia-sm_external_authentication/netact_groups/export/
location and can be used for subsequent mapping operations. To perform the export operation, do
the following:

1. Log in as omc user to the NetAct VM where the dmgr service is running.


To locate the right VM, see Locating the right virtual machine for a service in Administering NetAct
Virtual Infrastructure.

2. By default, if a NetAct group is not mapped, the exported external group name is the same as
the NetAct group name. To export with the default behaviour, go to step 5. To export unmapped
NetAct groups with an operator-defined prefix, do the following:

• Go to the /etc/opt/oss/global/custom/conf/javaprefs/um location and check if the
Pref_ExternalGroupMappingConfig.xml file exists. If the file exists, take a backup of it by
entering:

[omc@lab ~]$ mv /etc/opt/oss/global/custom/conf/javaprefs/um/Pref_ExternalGroupMappingConfig.xml /var/tmp/Pref_ExternalGroupMappingConfig.bkp

If the Pref_ExternalGroupMappingConfig.xml file does not exist, go to the next step.

3. Check if the /etc/opt/oss/global/custom/conf/javaprefs/um directory exists. If the
directory exists, go to the next step. Otherwise, do the following:

• Create the /etc/opt/oss/global/custom/conf/javaprefs/um directory as the root user
and assign the directory ownership and permissions by entering:

[omc@lab ~]$ su - root
Password: <Enter root password here>
[root@lab ~]# mkdir -p /etc/opt/oss/global/custom/conf/javaprefs/um; chown omc:sysop /etc/opt/oss/global/custom/conf/javaprefs/um; chmod 775 /etc/opt/oss/global/custom/conf/javaprefs/um
[root@lab ~]# exit

4. Copy the group preference file to the location used for providing non-default configuration by
entering:

[omc@lab ~]$ cp -p /var/opt/oss/global/javaprefs/um/Pref_ExternalGroupMappingConfig.xml /etc/opt/oss/global/custom/conf/javaprefs/um

Note: Nokia recommends defining the group prefix value in the group preference file.
If the external authentication server uses multiple clusters and the group prefix value is
empty, there is a possibility that two NetAct clusters have the same group name and a user
from one cluster can access the other cluster. To update the group preference file, see
Table 40: Parameters and their description.

ExternalGroupPrefix
    Description: Indicates the prefix that is added to NetAct groups in the external group
    column when exported. Allowed characters in the ExternalGroupPrefix entry are:

    A-Z a-z 0-9 ~ ` ! @ # $ % ^ ( ) - _ { } ' .

    Note:

    If ExternalGroupPrefix contains the following special characters or consecutive
    spaces, escape these characters as defined in the XML specification.

    • double quote (")
    • ampersand (&)
    • left angle bracket (<)
    • right angle bracket (>)
    • apostrophe (')

    For example, if ExternalGroupPrefix is ca"d, escape the double quote with &quot; and set
    the value in the XML file to ca&quot;d.

    Default value: Empty. However, the administrator can add a prefix, if required.

Table 40: Parameters and their description

Note: If a backup was taken in step 2, transfer the non-default values set previously in the
backup file to the /etc/opt/oss/global/custom/conf/javaprefs/um/Pref_ExternalGroupMappingConfig.xml
file. Remove the backup file after changing the non-default values.

5. Export NetAct groups by entering one of the following commands:

• extGroupsMappingTool.sh -e

Or

• extGroupsMappingTool.sh --export


Expected outcome

Sample Output:

NetAct groups mapping data is exported successfully to /var/opt/oss/Nokia-sm_external_authentication/netact_groups/export/NetActAndExternalGroupsMapping_<yyyymmddhhmmss>.csv file.

For more information about the column name and their description in the exported file, see NetAct
group to external group mapping data.

Note:

• After the .csv file is exported, the corresponding mapped groups, if already present in
the external authentication and authorization server, must be used for NetAct operations
only.
• The external user management is done in the external authentication and authorization
server. But, the roles and permissions for the users are handled in NetAct.
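The preference edits in sections 7.5, 7.7 and 7.8 and the ExternalGroupPrefix entry in Table 40 above all change one entry key="…" value="…" element in a copied Pref_*.xml file. As an added example (not NetAct code), the Python below makes that edit through an XML parser, so that the serializer applies the escaping the Table 40 note requires (ca"d becomes ca&quot;d) instead of relying on hand editing; the file layout is a constructed java.util.prefs-style sample, as the page only confirms the entry element itself.

```python
"""Set a single entry key in a NetAct-style Pref_*.xml preference file.

Added example for this page; not NetAct code.  SAMPLE_PREF_XML is a constructed
java.util.prefs-style document: only the <entry key=".." value=".."/> element
and the key names come from the page, the surrounding layout is an assumption.
"""
import os
import tempfile
import xml.etree.ElementTree as ET

# Constructed sample of a preference file after it has been copied with cp -p.
SAMPLE_PREF_XML = """<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<!DOCTYPE preferences SYSTEM "http://java.sun.com/dtd/preferences.dtd">
<preferences EXTERNAL_XML_VERSION="1.0">
  <root type="system">
    <map/>
    <node name="um">
      <map>
        <entry key="autoConfigSSHAccess" value="false"/>
        <entry key="usernameToLowerCase" value="false"/>
        <entry key="DeleteUserOnNoGroupAssociation" value="No"/>
        <entry key="ExternalGroupPrefix" value=""/>
      </map>
    </node>
  </root>
</preferences>
"""


def _split_prolog(xml_text: str):
    """Return (prolog, body): the XML declaration/DOCTYPE, and the root element text."""
    start = xml_text.find("<preferences")
    if start < 0:
        raise ValueError("no <preferences> root element in preference file")
    return xml_text[:start], xml_text[start:]


def set_pref_entry(xml_text: str, key: str, value: str) -> str:
    """Return xml_text with the entry for `key` set to `value`.

    The prolog is copied through unchanged.  ElementTree escapes ", &, < and >
    inside the attribute when serializing, which covers the characters the
    page says must be escaped per the XML specification.
    """
    prolog, body = _split_prolog(xml_text)
    root = ET.fromstring(body)
    entries = [e for e in root.iter("entry") if e.get("key") == key]
    if len(entries) != 1:
        raise KeyError(f"expected exactly one entry for {key!r}, found {len(entries)}")
    entries[0].set("value", value)
    return prolog + ET.tostring(root, encoding="unicode") + "\n"


def set_bool_flag(xml_text: str, key: str, enabled: bool) -> str:
    """Convenience for the "true"/"false" flags (autoConfigSSHAccess, usernameToLowerCase)."""
    return set_pref_entry(xml_text, key, "true" if enabled else "false")


def get_pref_entry(xml_text: str, key: str) -> str:
    """Read an entry back; the parser turns &quot; etc. into the real characters again."""
    _, body = _split_prolog(xml_text)
    for e in ET.fromstring(body).iter("entry"):
        if e.get("key") == key:
            return e.get("value", "")
    raise KeyError(key)


def update_pref_file(path: str, key: str, value: str) -> None:
    """Apply set_pref_entry to a file, keeping its mode and replacing it atomically.

    Ownership (omc:sysop on the page) is not touched; run as the file's owner.
    """
    with open(path, encoding="utf-8") as fh:
        original = fh.read()
    updated = set_pref_entry(original, key, value)
    mode = os.stat(path).st_mode & 0o777
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path) or ".", prefix=".pref-")
    try:
        with os.fdopen(fd, "w", encoding="utf-8") as fh:
            fh.write(updated)
        os.chmod(tmp, mode)
        os.replace(tmp, path)
    except BaseException:
        if os.path.exists(tmp):
            os.unlink(tmp)
        raise


if __name__ == "__main__":
    text = set_bool_flag(SAMPLE_PREF_XML, "autoConfigSSHAccess", True)
    text = set_pref_entry(text, "ExternalGroupPrefix", 'ca"d')
    print(text)
```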

7.9.1.1 NetAct group to external group mapping data

Table 41: Column name and description describes the column names and their description in the
exported file.

NetAct group
    Groups present in NetAct.

External group
    • If the external group is already mapped to a NetAct group, the external group column
      contains the corresponding mapped group.
    • If the external groups are not mapped, the external group column is populated as
      follows:

      – The external group is populated based on the NetAct group and the group prefix value
        extracted from the group preference file. The mapped external group name is
        Group Prefix + NetAct Group name.

        For example, if the NetAct group is sysop and the group prefix is NA1, the
        corresponding external group is NA1sysop.
      – The NetAct group and the corresponding mapped group can have the same name when the
        group prefix value is empty.

        For example, if the NetAct group is sysop and the group prefix is not defined, the
        corresponding external group is also sysop.
    • NetAct group name and the corresponding mapped group with independent names.

Mapping Status
    Describes the current mapping status of the respective external group. If the external
    group is already mapped, the value is Done, else it is Not Done.

Table 41: Column name and description

7.9.2 Listing external groups mapped with NetAct groups


You can view the list of external groups mapped with NetAct groups using the External Groups Mapping
tool (extGroupsMappingTool.sh).

1. Log in as omc user to the NetAct VM hosting the dmgr service.

To locate the right VM, see Locating the right virtual machine for a service in Administering NetAct
Virtual Infrastructure.

2. View the list of external groups mapped with NetAct groups by entering one of the following
commands:

• extGroupsMappingTool.sh -l

Or

• extGroupsMappingTool.sh --list

Expected outcome

Sample output:

NetAct Groups External Groups

localG1 CorporateG1

localG2 CorporateG2

7.9.3 Mapping external group to NetAct group


The External Groups Mapping tool (extGroupsMappingTool.sh) is used to map external groups to NetAct
groups so that the effective rights granted to users through an external group are enforced in NetAct.

Prerequisites

• Ensure that the NetAct groups to be mapped to external groups exist in NetAct. For more information,
see User group management in User Management Help.
• Ensure that the external groups to be mapped to NetAct groups exist in the external authentication
and authorization server.

External groups must be mapped to NetAct groups in a one-to-one association. One-to-many or
many-to-one group mapping associations are not supported; the mapping tool fails and reports
appropriate messages on the console.

1. Log in as omc user to the NetAct VM hosting the dmgr service.

To locate the right VM, see Locating the right virtual machine for a service in Administering NetAct
Virtual Infrastructure.

2. Map the NetAct-specific external groups to the NetAct groups by entering one of the following
commands:

• extGroupsMappingTool.sh -m -f <filename> [-n]

Or

• extGroupsMappingTool.sh --mapping --file <filename> [--noPrompt]

where <filename> is the absolute path of the NetAct groups mapping data file, which
contains NetAct groups to be mapped to the specific external groups.

Expected outcome

External groups are mapped to NetAct groups.

Note:

• <filename> must have read permission for the sysop group.
• Nokia recommends deleting the exported file after execution.
• -n or --noPrompt is used to skip the confirmation prompt.
• If a group name contains special characters such as a double quote or a comma, escape
these characters using the appropriate escape character. To escape these special
characters, see the CSV document. For example, if the group name is ca"d_sysop, escape
the double quote by preceding it with another double quote.
• The extGroupsMappingTool.sh tool provides a confirmation prompt to proceed with
the operation. At the prompt, press y (yes) or n (no) (case-insensitive) after checking the
information related to the NetAct groups to be mapped to external groups.
• The extGroupsMappingTool.sh tool terminates if an input other than y or yes
(case-insensitive) is provided in three attempts.
• For any issues during the groups mapping operation, see Troubleshooting for external
groups mapping in NetAct in Troubleshooting Security Management.
• If multiple NetAct clusters are integrated with the same external authentication and
authorization server, the group mapping decided in each NetAct cluster affects the
access rights of the user. For more information, see Considerations of NetAct group mapping
for integration with multiple NetAct clusters.
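The exported file and the mapping input file are plain CSV with the columns of Table 41, and the mapping tool requires a strict one-to-one association between NetAct groups and external groups. The following Python script is an added example, not part of NetAct or of extGroupsMappingTool.sh: it builds a mapping file from a list of NetAct groups using the Group Prefix + NetAct group name rule, applies the CSV double-quote escaping described above, and checks a file for one-to-many or many-to-one associations before the file is handed to the tool. The column headers and the sample group names are assumptions constructed for the example; the exact layout accepted by the tool should be taken from an actual export.

```python
"""Build and validate a NetAct-to-external group mapping CSV (added example)."""
import csv
import io

# Constructed sample of an exported mapping file. The three column names follow
# Table 41; the group names themselves are invented for this example. The third
# row shows the escaping rule: a double quote inside a group name is doubled.
SAMPLE_CSV = '''NetAct group,External group,Mapping Status
sysop,NA1sysop,Done
localG1,CorporateG1,Not Done
"ca""d_sysop","NA1ca""d_sysop",Not Done
'''

# Constructed sample that violates the one-to-one rule: two NetAct groups map
# to the same external group (many-to-one) and one NetAct group appears twice.
BAD_CSV = '''NetAct group,External group,Mapping Status
localG1,CorporateG1,Not Done
localG2,CorporateG1,Not Done
localG1,CorporateG3,Not Done
'''


def external_name(netact_group, group_prefix=""):
    """Default external group name: Group Prefix + NetAct group name.

    With an empty prefix the external group carries the NetAct group's name.
    """
    return f"{group_prefix}{netact_group}"


def build_mapping_csv(netact_groups, group_prefix=""):
    """Return CSV text mapping each NetAct group to its prefixed external group.

    csv.writer quotes fields that contain a comma or a double quote and doubles
    embedded double quotes, which is the escaping described for the mapping file.
    """
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerow(["NetAct group", "External group", "Mapping Status"])
    for group in netact_groups:
        writer.writerow([group, external_name(group, group_prefix), "Not Done"])
    return buf.getvalue()


def parse_mapping(text):
    """Parse mapping CSV text into a list of row dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(text)))


def validate_mapping(rows):
    """Return a list of problems; an empty list means the one-to-one check passed.

    Every NetAct group and every external group may appear exactly once, so
    both one-to-many and many-to-one associations are reported.
    """
    problems = []
    netact_seen = {}    # NetAct group -> first line number it appeared on
    external_seen = {}  # external group -> first line number it appeared on
    for lineno, row in enumerate(rows, start=2):  # line 1 is the header
        netact = (row.get("NetAct group") or "").strip()
        external = (row.get("External group") or "").strip()
        if not netact or not external:
            problems.append(f"line {lineno}: empty NetAct or external group name")
            continue
        if netact in netact_seen:
            problems.append(
                f"line {lineno}: NetAct group {netact!r} already mapped on line "
                f"{netact_seen[netact]} (one-to-many is not supported)")
        if external in external_seen:
            problems.append(
                f"line {lineno}: external group {external!r} already mapped on line "
                f"{external_seen[external]} (many-to-one is not supported)")
        netact_seen.setdefault(netact, lineno)
        external_seen.setdefault(external, lineno)
    return problems


if __name__ == "__main__":
    for name, text in (("SAMPLE_CSV", SAMPLE_CSV), ("BAD_CSV", BAD_CSV)):
        issues = validate_mapping(parse_mapping(text))
        print(f"{name}: {'OK' if not issues else issues}")
    print(build_mapping_csv(["sysop", 'ca"d_sysop'], "NA1"), end="")
```

Running the validator before calling extGroupsMappingTool.sh -m -f <filename> catches the unsupported association shapes with a line number, rather than relying on the tool's console message after the fact.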

7.9.3.1 Considerations of NetAct group mapping for integration with multiple NetAct clusters

Note: This section requires that universal groups have been created in the external authentication
and authorization server as described in Considerations in universal groups creation for integration
with multiple NetAct clusters in Administering NetAct System Security.

The NetAct administrator maps the NetAct groups of a specific cluster to universal groups in the external
authentication and authorization server, after obtaining the necessary information about the NetAct-specific
universal groups from the external server administrator. This mapping determines the access rights of a
user who is associated with a universal group in the external authentication and authorization server when
the user logs in to the NetAct start page. If multiple NetAct clusters are integrated with the same external
authentication and authorization server, the group mapping decides whether a user gets the same or a
different level of access rights in each cluster.

Mapping for the same access rights across NetAct clusters: NetAct groups that have the same permissions
in every NetAct cluster are mapped to the same universal group. NetAct default groups, for example sysop,
come under this category because the permissions of these groups are the same across NetAct.
Operator-created groups with the same access rights across NetAct clusters also come under this category.

Mapping for different access rights across NetAct clusters: NetAct groups that have different permissions
in different NetAct clusters are mapped to the corresponding cluster-specific universal group created in the
external authentication and authorization server. Only operator-created groups come under this category.

7.9.4 Detaching external group from NetAct group


External groups are detached from NetAct groups using the External Groups Mapping tool
(extGroupsMappingTool.sh) so that the detached NetAct groups are no longer administered through the
external authentication server.

Prerequisites

• Ensure that the external groups are mapped to the corresponding NetAct groups. To view the
external groups mapped to the NetAct groups, see Listing external groups mapped with NetAct
groups.

1. Log in as omc user to the NetAct VM hosting the dmgr service.

To locate the right VM, see Locating the right virtual machine for a service in Administering NetAct
Virtual Infrastructure.

2. Detach external groups from NetAct groups by entering one of the following commands:

• extGroupsMappingTool.sh -d -f <filename> [-n]

Or

• extGroupsMappingTool.sh --detach --file <filename> [--noPrompt]

where <filename> is the absolute path of the file which contains the external groups to be
detached from NetAct groups. Each entry in the file is on a separate line, and the omc user must
have read permission for this file.

Expected outcome

External groups are detached from NetAct groups.

After the detach command is executed, the list operation is executed to check whether the selected
external groups are detached.

Note:

• To detach an individual external group, enter:

extGroupsMappingTool.sh -d -g <groupname> [-n]

Or

extGroupsMappingTool.sh --detach --group <groupname> [--noPrompt]

where <groupname> is the name of the external group which must be detached from
the NetAct group.
• -n or --noPrompt is used to skip the confirmation prompt.
• The extGroupsMappingTool.sh tool provides a confirmation prompt to proceed with
the operation. At the prompt, press y (yes) or n (no) (case-insensitive) after checking the
information related to the NetAct groups to be detached from external groups.
• The extGroupsMappingTool.sh tool terminates if an input other than y or yes
(case-insensitive) is provided in three attempts.
• A group name containing special characters must be provided correctly, either by
enclosing the group name in single quotes or by escaping each special character
using the appropriate escape character, for example, the backslash character.
• For any issues during the groups detach operation, see Troubleshooting for detaching
external groups from NetAct groups in Troubleshooting Security Management.


8 Managing external accounts in NMS

To allow external users to access the Node Manager server (NMS), ensure that the external users are
associated with the appropriate groups in the external authentication and authorization server. For more
information, see Adding external user to universal group of external authentication and authorization server
in Administering NetAct System Security.

To enable Single Sign-On (SSO) for external users performing the EM launch operation, shadow accounts
(EM launch accounts) are created in NMS with the same names as the external accounts. A short-lived
random token with the maximum length allowed by the password policy is generated for the EM launch
accounts. NetAct resets the token on expiration.

Note: The EM launch operation continues to work even if the actual user is expired, locked or
deactivated in the external authentication and authorization server. The administrator can terminate
such user sessions. For more information, see Terminating active user sessions in User Management Help.


9 Security alarms
Security alarms correspond to events that are a potential security threat to NetAct. Such events can be
due to authentication failures, deactivation of unused user accounts, and brute force attempts. Security
alarms help you to:

• Detect security threats to the system
• Monitor security threats
• Avoid similar threats

9.1 Viewing and monitoring security alarms

Prerequisites

Selfmonitor must be integrated with NetAct so that security-related alarms are visible in the NetAct Monitor
application.

The security administrator can filter the security alarms by creating a filter in NetAct Monitor. Export the
filter to the desired location so that the filter can be used in future NetAct Monitor sessions.

To view security alarms:

Note: Log in to NetAct Start page as a user who has permissions to view alarms in Monitor.

1. Log in to the NetAct Start Page.

a) In the address field of your internet browser, type the following URL address:

https://<system_FQDN>/startpage

where <system_FQDN> is the fully qualified domain name of the NetAct cluster load balancer
for WebSphere. For more information, see Launching the NetAct Start Page.
b) Type the Username and Password, and click Log In.

Note: If the terms and conditions appear, select the I have read and agree to
the above terms and conditions check box, and then click Log In. For more
information, see Modifying terms and conditions page.

c) Click Accept or Continue.

2. Click Monitoring → Monitor.

The Monitor application opens.

3. From the Tools menu, select Monitoring Desktop → Alarm List.

4. Right-click Alarm List menu bar, select Alarm Type from the Available Columns list and add it to
the Selected Columns List.

5. Create a filter as described in Creating a filter in Alarm Filter Explorer Help.

6. Double-click the created filter.

7. In the right pane, right-click the Alarm Pattern, and select Alarm Type as a pattern.

8. Enter Security Violation as the value for the Alarm Type pattern.

Note: Enter 30005 as value for the Alarm Number pattern to see brute force alarms.

9. Right-click the created filter in Alarm Filter Explorer and select Set as Alarm Tool Default Filter
check box.

10. To view security alarms, open Alarm List.

Only security alarms are displayed in the Alarm List.

For information on importing and exporting the filters, see Importing Alarm Filter in Alarm Filter
Explorer Help and Exporting alarm filter in Alarm Filter Explorer Help.

To monitor security alarms:

• Make the Alarm Update Time field visible in the Alarm List by following Fault Management →
Fault Management Helps → Alarm List Help → Displaying/hiding columns in Alarm List and selecting
the Alarm Update Time field.

Note: To monitor security alarms such as login failure alarms, the Alarm Update
Time field must be visible.

• This view can be set as the default so that the alarm list can be filtered on the Alarm Update Time
field and the updates in security alarms can be seen.

9.2 Login failure alarms


Login failure alarms are raised when there is a failed login attempt. Login failure can be due to:

• incorrect or invalid login name
• incorrect password
• incorrect or invalid domain name


Note: The login failure due to an invalid domain name is applicable only if an external
authentication or authorization server is integrated with NetAct.

For more information about alarms, see Viewing and monitoring security alarms.

Login failures can be unintentional, for example, when the username, password, or domain name is
forgotten or incorrectly entered. They can also be intentional, for example, a deliberate brute force attack
on the system. Login failure alarms can originate from the NetAct Start Page, from shell access, from other
NetAct components which require authentication to perform operations, from Network Elements (NEs) for
which the Centralized Network Element User Management (CNUM) is activated, or from any component
which tries to connect to the NetAct directory server.

Login failure alarms depend on the type of user whose login failed. The user types are:

• NetAct end user
• System users
• Non-existing user
• NE bind users
• Directory server admin users
• External user accounts

For the same Distinguished Name (DN), the initial alarm for a failed login is raised as a new alarm and
the subsequent login failures are sent as alarm change notification for the existing alarm.

Each login failure alarm raised contains the following alarm text:

Login failed for user: <login name>

where, <login name> corresponds to the login name of the user for which the authentication has
failed.

Unsuccessful login count is reset when the next successful login happens for the login name.

Note:

Configuration files for changing the parameters associated with login failure attempts are
located at /opt/oss/conf/login_alarms_configuration.properties in the nodes
where dirsrv or was service is running. For information on how to locate these nodes, see
Locating the right virtual machine for a service in Administering NetAct Virtual Infrastructure.

• USER_FAILED_ATTEMPTS_LOWER_LIMIT corresponds to the minimum number of failed
logins up to which no alarms are raised. The default configured value is 1.
• USER_FAILED_ATTEMPTS_UPPER_LIMIT corresponds to the maximum number of failed
logins beyond which no alarms are raised. The default configured value is 50.
• SYSTEM_USER_PASSWORD_THRESHOLD, in milliseconds, corresponds to the period after a
successful password change of a system user within which login failures are
ignored. The default configured value is 300000 (five minutes).


9.2.1 NetAct end user

These users are created using the User Management application. Login failure alarms raised for these
users depend on the Lock user account and Maximum login attempts during ‘Failed login counting
period’ configuration.

You can view these configurations by selecting User Management Operations → Administration →
Policy configuration.

Alarms are raised:

• When Lock user account is set to Yes:

Severity of the alarm is MAJOR when the account is not locked and the number of successive login
failure attempts is more than the USER_FAILED_ATTEMPTS_LOWER_LIMIT and less than the
Maximum login attempts during ‘Failed login counting period’ configured for this user.

Severity of the alarm is CRITICAL when the account is locked and the successive login failure attempts
are less than or equal to USER_FAILED_ATTEMPTS_UPPER_LIMIT.

• When Lock user account is set to No:

Severity of the alarm is MAJOR when the number of successive login failure attempts is
more than the USER_FAILED_ATTEMPTS_LOWER_LIMIT or less than or equal to the
USER_FAILED_ATTEMPTS_UPPER_LIMIT.

Note:

The security alarm number for consecutive failed login attempts by local NetAct end-user
is 30000.

Supplementary information of the alarm includes the unsuccessful login count and
locked status of the user along with time stamp of the last failed login.

9.2.2 System users

System users correspond to users other than NetAct end users. These users are critical for the operation
of NetAct. Therefore, the login failure alarms raised depend on the number of failed login attempts
and the time of the last password change.

System users are used by components within NetAct. The components using these users require time to
update the old cached password upon a successful password change. Therefore, a threshold is set after a
successful password change so that:

• failed logins are ignored and
• components are updated with the new password within the password change threshold limit value.

Severity of the alarm is CRITICAL when successive login failure attempts are more
than the USER_FAILED_ATTEMPTS_LOWER_LIMIT and less than or equal to the
USER_FAILED_ATTEMPTS_UPPER_LIMIT. The alarm is not raised if the user changes the password and
the login failure occurs within the password change threshold value. Severity of the alarm remains CRITICAL
for login failures after the password change threshold limit.

Note:

• The alarm number of system user login failure alarms is 30001.
• Login failure alarms are not raised for Linux OS users and for the system users used by the Oracle
database.
• Supplementary information of the alarm contains the unsuccessful login count of the user
and the time stamp of the last failed login.
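The thresholds in login_alarms_configuration.properties and the severity rules in sections 9.2.1 and 9.2.2 can be written down as a small decision function, which helps when building a detection rule around these alarms or when checking why an alarm did or did not appear. The following Python script is an added example and not NetAct code: it reads the three documented keys from a constructed properties snippet and returns the documented severity (or none) for a NetAct end user and for a system user, together with the alarm number and alarm text. For an end user with Lock user account set to No, the band "more than the lower limit and up to the upper limit" is applied in the same way as for the other user types; the function names, the alarm-record layout and the sample values are assumptions of the example.

```python
"""Model of the NetAct login-failure alarm severity rules (added example)."""
from dataclasses import dataclass

# Constructed sample in the key=value layout of a Java-style .properties file.
# The keys are the three documented ones; the values are the documented defaults.
SAMPLE_PROPERTIES = """
# login_alarms_configuration.properties (constructed sample)
USER_FAILED_ATTEMPTS_LOWER_LIMIT=1
USER_FAILED_ATTEMPTS_UPPER_LIMIT=50
SYSTEM_USER_PASSWORD_THRESHOLD=300000
"""

# Alarm numbers per user type, as listed in sections 9.2.1 to 9.2.5.
ALARM_NUMBERS = {
    "end_user": 30000,
    "system": 30001,
    "non_existing": 30002,
    "ne_bind": 30007,
    "dir_admin": 30008,
}


def parse_properties(text):
    """Parse key=value lines, ignoring blank lines and '#' comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


@dataclass(frozen=True)
class Thresholds:
    lower: int                  # failures up to this count raise no alarm
    upper: int                  # failures beyond this count raise no alarm
    password_threshold_ms: int  # grace period after a system-user password change

    @classmethod
    def from_properties(cls, props):
        return cls(
            int(props["USER_FAILED_ATTEMPTS_LOWER_LIMIT"]),
            int(props["USER_FAILED_ATTEMPTS_UPPER_LIMIT"]),
            int(props["SYSTEM_USER_PASSWORD_THRESHOLD"]),
        )


def end_user_severity(failed, locked, lock_policy, max_attempts, t):
    """Severity for a NetAct end user ('MAJOR', 'CRITICAL') or None for no alarm.

    lock_policy is the 'Lock user account' setting; max_attempts is the
    'Maximum login attempts during Failed login counting period' value.
    """
    if lock_policy and locked:
        # Locked account: CRITICAL as long as the count is within the upper limit.
        return "CRITICAL" if failed <= t.upper else None
    if failed <= t.lower or failed > t.upper:
        return None
    if lock_policy:
        # Not yet locked: MAJOR while still below the lock threshold.
        return "MAJOR" if failed < max_attempts else None
    return "MAJOR"


def system_user_severity(failed, ms_since_password_change, t):
    """Severity for a system user; the NE bind user rule in 9.2.4 is the same."""
    if failed <= t.lower or failed > t.upper:
        return None
    if (ms_since_password_change is not None
            and ms_since_password_change < t.password_threshold_ms):
        return None  # components may still hold the old cached password
    return "CRITICAL"


def login_failure_alarm(user_type, login_name, severity):
    """Assemble the documented alarm fields: number, severity and alarm text."""
    if severity is None:
        return None
    return {
        "number": ALARM_NUMBERS[user_type],
        "severity": severity,
        "text": f"Login failed for user: {login_name}",
    }


if __name__ == "__main__":
    t = Thresholds.from_properties(parse_properties(SAMPLE_PROPERTIES))
    sev = end_user_severity(3, locked=False, lock_policy=True, max_attempts=5, t=t)
    print(login_failure_alarm("end_user", "alice", sev))
    print(login_failure_alarm("system", "svc_account",
                              system_user_severity(3, 120_000, t)))
```

With the defaults, a single failed login raises nothing, a locked end user account produces a CRITICAL alarm, and a system user that fails three times within five minutes of a password change produces no alarm at all, which is the case to keep in mind when a missing alarm is investigated.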

9.2.3 Non-existing user

Non-existing users are login names for which no account exists in NetAct. Successive login
failures can be considered an attempt at a brute force attack on the system. Alarm severity is MAJOR
for login failures of a non-existing user from the NetAct Login page.

Login attempts to the NetAct start page by an external user with invalid credentials (username, password,
or domain name) are processed as a non-existing user. For more information, see External user accounts.

Note:

• The login failure due to invalid domain name is applicable only, if an external
authentication or authorization server is integrated to NetAct.
• Alarm number of non-existing user login failure is 30002.
• Supplementary information of the alarm contains the time stamp of last failed login
attempt.

9.2.4 NE bind users

Network element bind users are automatically created in NetAct when CNUM is activated. Network elements
for which CNUM is activated use these users to bind to the directory server for retrieving
authorization-related data. In case of an unsuccessful bind to the directory server, login failure alarms
are raised for these users depending on the number of failed bind attempts and the time of the last
password change.

An alarm of severity CRITICAL is raised when successive failed bind attempts are more
than the USER_FAILED_ATTEMPTS_LOWER_LIMIT and less than or equal to the
USER_FAILED_ATTEMPTS_UPPER_LIMIT. The alarm is not raised if the password for the network element
bind user was changed and the bind failure occurs within the password change threshold value.

Note:

• The alarm number of network element bind user login failure alarms is 30007.
• Supplementary information of the alarm contains the unsuccessful login count of the user
and the time stamp of the last failed login.

9.2.5 Directory server admin users

Directory server admin users are:

• The LDAP server administrator cn=Manager.
• The cn=replication manager used for directory server replication.
• Proxy users for directory server access, such as cn=sysproxy and cn=wasproxy.

These users are critical for the operation of NetAct. Therefore, login failure alarms for each
of these users are raised every 5 minutes when failed bind attempts are more than the
USER_FAILED_ATTEMPTS_LOWER_LIMIT within the previous 5 minutes. The severity of the alarm
is CRITICAL.

Note:

• Alarm number of directory server admin user login failure alarms is 30008.
• Supplementary information of the alarm contains the total number of unsuccessful login
attempts of the user and the time interval during which the unsuccessful login attempts
occurred.

9.2.6 External user accounts

External user accounts are accounts for which the actual authentication happens in an external
authentication server integrated with NetAct. External users are managed centrally in an authentication
and authorization server that is usually managed by corporate IT administrators. NetAct user management
policies do not affect external users; only the corporate policies defined in the external authentication
and authorization server apply to them. Alarms raised for failed login attempts of an external user depend
on the failure count in NetAct, not on the failure count in the external authentication server.

The security alarm number for a NetAct external user account is 30000 or 30002. The security alarm
30002 is raised when:

• the user is non-existing.
• an incorrect password is entered.
• the domain name specified is incorrect while logging in from the NetAct start page.

When authentication is performed from other components or network elements for which CNUM is
activated:

• security alarm 30000 is raised if an incorrect password is entered for already imported or added
external accounts.

Note:

– Severity of the alarm is MAJOR when the successive login failure attempts are
more than USER_FAILED_ATTEMPTS_LOWER_LIMIT and less than or equal to
USER_FAILED_ATTEMPTS_UPPER_LIMIT.
– The supplementary information about the alarm includes the unsuccessful login
count and the time stamp of the last failed login.
– Alarms for external users are based on the failed login count in the NetAct cluster.
Consequently, the severity remains MAJOR and does not change to CRITICAL due
to locking of the user on the external authentication server.
– Failed logins for external accounts existing in NetAct but not in the external
authentication server still have alarm number 30000.

• security alarm 30002 is raised irrespective of the correctness of credentials for external accounts
which are not added or imported.

Note:

The security alarm number for consecutive failed login attempts by a local NetAct end user is
30000.

Supplementary information of the alarm includes the unsuccessful login count and the locked
status of the user along with the time stamp of the last failed login.

9.3 Brute force alarm for SSH


A brute force alarm is raised when a defined number of failed SSH login attempts is detected from any
IP address in a NetAct VM. This is considered a deliberate brute force attack on the system. Once a
brute force attempt is detected in a NetAct VM, the suspicious IP address making repeated failed SSH
login attempts is blocked for a preconfigured duration, and an alarm is raised indicating the same. For
more information on these alarms, see the Viewing and monitoring security alarms section.

The brute force alarm contains the following information:

• Alarm text: Brute force attempt from <IP Address>

where <IP Address> corresponds to the workstation IP address from where the brute force
attempt is detected.

• Alarm number: 30005

Additional information of the alarm includes the summary of user names along with the total number of
unsuccessful attempts.

For example:

User1: 15 failed logins, User2: 10 failed logins, User3: 5 failed logins


9.4 Brute force alarm for NetAct Web services


This alarm contains the following information:

• Alarm text:

– Brute force attempt from IP <IP Address>, where <IP Address> corresponds to the workstation IP
address from where the brute force attempt is detected.
– Brute force attempt for USER <User name>, where <User name> corresponds to the username that is
blocked when the same username is used for the brute force attack from multiple workstations.
• Alarm number: 30006

Additional information of the alarm includes: The last brute force attempt was made
at <time stamp>

9.5 Brute force alarm for NetAct Oracle DB


A brute force alarm is raised when a defined number of failed DB login attempts is detected from any
IP address on the NetAct Oracle DB. This is considered a deliberate brute force attack on the database.
Once a brute force attempt is detected on the NetAct Oracle DB, an alarm is raised indicating the
suspicious IP address making repeated failed DB login attempts.

Brute force alarm contains the following information:

Alarm text:

• Brute force attempt from IP <IP_Address>, corresponds to the IP address, from where the brute
force attempt is triggered.

Alarm number: 30009

Supplementary Information of the alarm includes the summary of user names along with the total
number of unsuccessful attempts.

For example:

Brute force attempt has been detected at oracle database for users, User1:15, User2: 10.

Note: Oracle Enterprise Manager has the following bug:

If the brute force attempt is made from Enterprise Manager then the user name is always
displayed as System in oracle db_audit.log.

9.6 Simultaneous session failure alarm


The simultaneous session failure alarm:

• is raised

– when there is already an active session for a user and a login attempt is made to obtain a
new session for the user. For more information about viewing this alarm, see Viewing and
monitoring security alarms.
– for both Nokia end users and system users (excluding omc, pm2sol, and nbi3gcpm).

For the same distinguished name, the initial alarm for a simultaneous session access is raised as
a new alarm and the subsequent attempts to get a new session are sent as alarm change
notifications for the existing alarm.
• can be unintentional, when a user tries to open multiple sessions by mistake, or intentional, when a
malicious user tries to get access although the system is configured to allow only one active
session per user account at any time.
• is raised if the following attributes are set as follows on the Configuring user session page:

– Allow simultaneous user session set to No
– Simultaneous session failure alarm set to Yes

Each simultaneous session failure alarm raised contains the following alarm text:

• Simultaneous session login failure for account <login name>

where <login name> corresponds to the login name of the account for which the alarm has been
raised.

Note: The number of the simultaneous user session failure alarm is 30010. The supplementary text of
the alarm indicates the time stamp of the last simultaneous session access attempted.


10 Session management

10.1 Configuring user session

Prerequisites

• The NetAct Enhanced Session Management license must be available to access the session
management configuration. To check the license availability, see Checking session management
license.
• You must have the UMGUI - Administer NetAct Sessions permission to configure session
management attributes.

This section provides information about the configuration options available for the management of user
sessions. To configure the user session configuration fields, do the following:

1. Log in to the NetAct Start Page.

a) In the address field of your internet browser, type the following URL address:

https://<system_FQDN>/startpage

where <system_FQDN> is the fully qualified domain name of the NetAct cluster load balancer
for WebSphere. For more information, see Launching the NetAct Start Page.
b) Type the Username and Password, and click Log In.

Note: If the terms and conditions appear, select the I have read and agree to
the above terms and conditions check box, and then click Log In. For more
information, see Modifying terms and conditions page.

c) Click Accept or Continue.

2. To open User Management, click Security → User Management.

3. To open the Session Management Configuration page, click User Management Operations →
Sessions → Configuration.

4. In the Session Management Configuration page, modify the required configuration and click Apply.

Note: Changes applied to the user session configuration are applicable from the next login.
Existing sessions are not impacted by the change in user session configuration.

Field                                Description

Allow simultaneous sessions          Determines whether simultaneous user sessions are allowed. By default, simultaneous sessions are allowed for a user and the value is configured as Yes. If the value is set to No, only one session is allowed per account.

Simultaneous sessions failure alarm  Determines whether an alarm is raised when a login attempt is made to open a new session for a user account that already has an active session. By default, the value is set to Yes. Configuration is allowed only when Allow simultaneous sessions is set to No. For more details about the alarm, see Simultaneous session failure alarm.

Limit simultaneous sessions          Determines whether the number of simultaneous user sessions is limited. By default, the value is set to No, meaning that the number of sessions per user is not controlled. Configuration is allowed only when Allow simultaneous sessions is set to Yes.

Maximum simultaneous sessions        Maximum number of simultaneous sessions allowed for an account. It can be configured between 2 and 10; the default value is 3. Configuration is allowed only when Limit simultaneous sessions is set to Yes.

Table 42: Simultaneous sessions per account

Field                                Description

Idle session timeout period          Time interval used to determine that a session is idle or inactive. After this interval, the user must re-authenticate to continue the existing session. It can be configured between 10 and 1500 minutes; the default value is 30 minutes.

Table 43: Session expiry policy

Note:

• Users such as omc, pm2sol, nbi3gcpm, and restda are excluded from the simultaneous
session configuration and can have any number of sessions. The idle session timeout
still applies to these users.
• Users logged in through Citrix have their own idle session timeout, which can differ
from the idle session timeout configured in NetAct. If the NetAct idle session timeout is
shorter than the Citrix one, the user is asked to re-authenticate in NetAct and in Citrix
separately. To avoid repeated re-authentication, keep the NetAct session timeout at the
maximum permitted value (1500 min). To configure the Citrix idle session timeout, see
Configuring the idle timer interval to disconnect Citrix sessions in Administering Node
Manager Server.

10.2 Enabling simultaneous session access login failure message in NetAct login page

Note: The steps in this section must be executed only after careful scrutiny by the Security
administrator.

The NetAct login page displays a common error message for any kind of login failure, including
the failure that occurs when the number of simultaneous sessions attempted exceeds the configured
limit. To let the user know that the failure is due to simultaneous session access, the
administrator can enable a custom login failure message. For more information about the configured
limit for simultaneous session access, see Configuring user session.

To enable the custom login failure message for simultaneous session access, do the following:

1. Log in through SSH, as the omc user, to any VM where the syswas service is running.

To locate the right NetAct VM, see Locating the right virtual machine for a service in Administering
NetAct Virtual Infrastructure.

2. Check whether the file Pref_system_login_settings.xml exists in /etc/opt/oss/global/custom/conf/javaprefs/Authentication and, if it does, back it up by executing the following command:

[omc@lab ~]$ mv /etc/opt/oss/global/custom/conf/javaprefs/Authentication/Pref_system_login_settings.xml /var/tmp/Pref_system_login_settings.bkp

3. Copy the Pref_system_login_settings.xml file to the custom location by following the steps below:


a) Create the directory /etc/opt/oss/global/custom/conf/javaprefs/Authentication if it does not exist. Change the owner of this directory to omc and the group to sysop.
b) Copy the required preference file to the custom location by executing:

[omc@lab ~]$ cp -p /var/opt/oss/global/javaprefs/Authentication/Pref_system_login_settings.xml /etc/opt/oss/global/custom/conf/javaprefs/Authentication

4. In the copied file, change the value of the entry key=showOnLoginPage to ENABLE. The default value is DISABLE.

5. If a backup was taken in step 2, carry over any other custom values from the backup file into /etc/opt/oss/global/custom/conf/javaprefs/Authentication/Pref_system_login_settings.xml. Remove the backup file after the custom values have been carried over.

Note: The message Login failed. Simultaneous login exceeds the system limitation is then shown on login attempts that exceed the configured simultaneous session access limit.

10.3 Changing time interval for auto invalidation of disconnected session

A user session is tracked from successful login and is invalidated on proper logout from the
application. However, connectivity to NetAct may be lost because of network issues, or a session
may be terminated incorrectly without logging out from the application. In such cases, incorrectly
terminated sessions are invalidated automatically after a default duration of 10 minutes.

Note: The time interval for auto invalidation of disconnected sessions must be chosen carefully.
A very low value can cause sessions to be invalidated when network latency is high. A very high
value is also not recommended, because sessions would then stay valid even when the network is
disconnected for a long time.

To change the time interval for auto invalidation of disconnected sessions, do the following:

1. Log in through SSH, as the omc user, to any VM where the syswas service is running.


To locate the right NetAct VM, see Locating the right virtual machine for a service in Administering
NetAct Virtual Infrastructure.

2. Check whether the file Pref_system_UM_sessionmanagement.xml exists in /etc/opt/oss/global/custom/conf/javaprefs/sessionmanagement and, if it does, back it up by executing the following command:

[omc@lab ~]$ mv /etc/opt/oss/global/custom/conf/javaprefs/sessionmanagement/Pref_system_UM_sessionmanagement.xml /var/tmp/Pref_system_UM_sessionmanagement.bkp

3. Copy the preference file Pref_system_UM_sessionmanagement.xml to the custom location by following the steps below:

a) Create the directory /etc/opt/oss/global/custom/conf/javaprefs/sessionmanagement if it does not exist. Change the owner of this directory to omc and the group to sysop.
b) Copy the required preference file to the custom location by executing:

[omc@lab ~]$ cp -p /var/opt/oss/global/javaprefs/sessionmanagement/Pref_system_UM_sessionmanagement.xml /etc/opt/oss/global/custom/conf/javaprefs/sessionmanagement

4. In the copied file, change the value of the entry key="disconnectedSessionTimeout". The recommended value is between 300 and 1800 seconds, and it must not be less than 300.

5. If a backup was taken in step 2, carry over any other custom values from the backup file into /etc/opt/oss/global/custom/conf/javaprefs/sessionmanagement/Pref_system_UM_sessionmanagement.xml. Remove the backup file after the custom values have been carried over.

Note: For active sessions, the configured time interval for auto invalidation of
disconnected sessions is applicable immediately.
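The backup, copy and edit sequence of sections 10.2 and 10.3 differs only in the directory, the file name and the key. The shell function below, added here as an example and not part of Nokia's NetAct tooling, carries out that sequence for one key: it validates the key before touching anything, moves an existing custom file aside, copies the default file with its permissions preserved, rewrites the value, verifies that the value actually changed, and prints the differences against the old custom file so that earlier custom values are not lost (step 5). It also checks the 300 second lower bound that section 10.3 gives for disconnectedSessionTimeout. Assumptions: the preference files use the Java Preferences XML layout <entry key="..." value="..."/> (only the key names showOnLoginPage and disconnectedSessionTimeout come from the manual), sed is GNU sed as on RHEL, and the caller may chown the custom directory to omc:sysop; the BACKUP_DIR variable and the root-directory arguments exist only so the function can be exercised outside a NetAct VM.

```shell
#!/bin/sh
# Added example, not Nokia's code: apply the backup / copy / edit pattern of
# sections 10.2 and 10.3 to one key of a NetAct javaprefs file.
# Assumptions: files use the Java Preferences XML layout
# <entry key="..." value="..."/>, sed is GNU sed, and the caller may chown the
# custom directory to omc:sysop. BACKUP_DIR defaults to /var/tmp as in the
# manual; the root-directory arguments make the function testable elsewhere.

BACKUP_DIR=${BACKUP_DIR:-/var/tmp}

# get_javapref_entry <file> <key>: print the value attribute of <key>.
get_javapref_entry() {
    sed -n "s|.*<entry key=\"$2\" value=\"\([^\"]*\)\".*|\1|p" "$1"
}

# check_disconnected_timeout <seconds>: section 10.3 says the value must not
# be below 300 and that 300-1800 seconds is the recommended range.
check_disconnected_timeout() {
    case $1 in ''|*[!0-9]*) echo "not a whole number of seconds: '$1'" >&2; return 1 ;; esac
    if [ "$1" -lt 300 ]; then
        echo "disconnectedSessionTimeout must not be less than 300 seconds" >&2
        return 1
    fi
    [ "$1" -le 1800 ] || echo "warning: $1 s is above the recommended 1800 s" >&2
    return 0
}

# set_javapref_entry <default_root> <custom_root> <subdir> <file> <key> <value>
#   default_root  /var/opt/oss/global/javaprefs
#   custom_root   /etc/opt/oss/global/custom/conf/javaprefs
#   subdir        Authentication (10.2) or sessionmanagement (10.3)
# <value> must not contain the characters | or & (used by the sed expression).
set_javapref_entry() {
    default_file="$1/$3/$4"
    custom_dir="$2/$3"
    custom_file="$custom_dir/$4"
    backup="$BACKUP_DIR/${4%.xml}.bkp"

    # Validate before mutating anything: default file present, key known.
    [ -f "$default_file" ] || { echo "missing default file $default_file" >&2; return 1; }
    grep -q "<entry key=\"$5\" value=\"" "$default_file" || {
        echo "key $5 not found in $default_file" >&2; return 1; }

    # Step 2: keep an existing custom file so its other values can be merged back.
    if [ -f "$custom_file" ]; then
        mv "$custom_file" "$backup" || return 1
        echo "existing custom file moved to $backup"
    fi

    # Step 3: create the custom directory (owner omc, group sysop) and copy the
    # default file with its permissions preserved (cp -p).
    mkdir -p "$custom_dir" || return 1
    if getent passwd omc >/dev/null 2>&1 && getent group sysop >/dev/null 2>&1; then
        chown omc:sysop "$custom_dir" || return 1
    else
        echo "warning: omc/sysop not present, ownership of $custom_dir unchanged" >&2
    fi
    cp -p "$default_file" "$custom_file" || return 1

    # Step 4: rewrite the value attribute of exactly this key, then verify it.
    sed -i "s|\(<entry key=\"$5\" value=\"\)[^\"]*\"|\1$6\"|" "$custom_file" || return 1
    [ "$(get_javapref_entry "$custom_file" "$5")" = "$6" ] || {
        echo "value of $5 was not updated" >&2; return 1; }

    # Step 5: show what still differs from the old custom file so that earlier
    # customisations are carried over before the backup is removed.
    if [ -f "$backup" ]; then
        echo "differences between $backup and $custom_file:"
        diff "$backup" "$custom_file" || true
    fi
    return 0
}

# On the syswas VM, as omc:
#   set_javapref_entry /var/opt/oss/global/javaprefs \
#       /etc/opt/oss/global/custom/conf/javaprefs Authentication \
#       Pref_system_login_settings.xml showOnLoginPage ENABLE
#   check_disconnected_timeout 600 && set_javapref_entry /var/opt/oss/global/javaprefs \
#       /etc/opt/oss/global/custom/conf/javaprefs sessionmanagement \
#       Pref_system_UM_sessionmanagement.xml disconnectedSessionTimeout 600
```

Because the function refuses to run when the key is absent from the default file, a typo in the key name leaves the custom directory untouched instead of leaving a half-finished copy behind; the printed diff is the operator's checklist for step 5.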

10.4 Checking session management license

Application               Feature code   License key
NetAct User Management    0000045991     NetAct Enhanced Session Management

Table 44: NetAct session management configuration license

To check NetAct licenses using the License Manager application, do the following:

1. Log in to the NetAct Start Page as a user who has the Roles and permissions definition of
the License Manager application permission.

2. Open License Manager by clicking Configuration → License Manager.

3. If the License Browser view is not opened, click Licenses → License Browser to open it.

4. In License Browser, click NetAct Software Licenses if it is not already selected.

5. Check if the license code or license name of the required license is displayed. For more
information on license operations, see About License Manager in License Manager Help.


11 Appendix

11.1 Type and individual operation way of password tool

This section describes how password-tool changes the password of a single user and of all users
of a particular type:

• Changing password of system user individually
• Changing password of system users of particular type

Note: In a Disaster Recovery (DR) environment, file system synchronization between the two
sites can appear non-functional during or after the password change. This is caused by the
concurrent execution, on the standby site, of commands that enable or disable root login and of
the file system synchronization cron job that runs every 15 minutes. Synchronization recovers on
the next invocation of the cron job. If password-tool is executed before that next invocation, it
fails during the DR status check. If file system synchronization is still not functional after the
cron job has run again following a password change, contact Nokia Technical Support.

Changing password of system user individually

Read Guidelines for changing password before initiating a password change.

Follow the steps below to change the password of a system user individually:

1. Log in as the omc or root user to the VM where the dmgr service is running.

To locate the correct virtual machine, see Locating the right virtual machine for a service in Administering NetAct Virtual Infrastructure.
2. To change the password individually, execute the following command:

[omc] /opt/nokia/oss/bin/password-tool --user <username> [--type <type>] [--skip old_password]
OR
[omc] /opt/nokia/oss/bin/password-tool -u <username> [-t <type>] [-s op]

where:

<username> is mandatory and is the login name of the system user whose password is to be changed. The login name is case sensitive, so enter it exactly as printed by password-tool --list or password-tool -l. The tool terminates if a username is given that password-tool does not support.

<type> is mandatory when users with the same login name exist under different types, for example a dirsrv user and a db user both named omc. Otherwise, it is optional.

The type of a user can be obtained by executing:

[omc] /opt/nokia/oss/bin/password-tool --list

The output lists all users supported by the password tool in the format:

--------------------------------------------------
USER NAME TYPE RANDOM PASSWORD ALLOWED
--------------------------------------------------
<user> <type> true/false

where <type> is the type of <user>.

RANDOM PASSWORD ALLOWED (true/false) indicates whether the tool generates a random password for the user automatically in the type mode of operation. See Changing password of system users of particular type for more information.

--skip old_password or -s op is an optional argument that skips the prompt for the user's old password. The old password is used to restore the user's password if the password change fails. To obtain the old password of a user, see Retrieving password of system users.

When the command above is executed, the following are prompted for before the password change is attempted:

• Type of user: Prompted for when users with the same username exist under different types, and not prompted for if password-tool was invoked with the --type or -t argument. password-tool terminates if an invalid type is given for the user.
• Root login password: The root password is needed to restart services after the password change, where applicable. It is prompted for whenever the password of a user of type os is changed. If an invalid or incorrect password is given, the tool terminates.
• Confirmation for service restarts: Prompted for only when service restarts are needed after the user's password change. The tool terminates on any answer other than Y (case insensitive).
• Old password: The current password of the user; optional. It is prompted for only if the tool was invoked without the --skip old_password or -s op option. It is not prompted for the root user, regardless of the --skip old_password option, because that password was already given at the Root login password prompt. The tool terminates if the old password given does not match the password in the repository.
• New password: Mandatory. The password given is validated against the configured policy of the relevant type. For OS users, it is recommended to check the score of the new password before changing it. For more information on the password score, see Checking password score for OS users.
• Confirm New password: Mandatory, and must match the password given at the New password prompt.


Note: New password and Confirm New password are prompted for each user attempted. They are
re-prompted twice if an invalid password is given.

The password change is then attempted for the user. The progress of the password change and an overall summary of the operation are shown in the console.

If the password change fails, the user's password is reverted. Services are restarted only if the password was changed successfully for the user, and only the services associated with that user. A password revert is also attempted when a service restart fails.

Note:

• Changing the password of the system users nwi3system, racftam, racftp, racsftp and nx2suser requires configuration changes on NEs. See Changes in NE configuration post password change for the needed changes in NE configuration.
• The password history policy does not apply to the cn=Manager, cn=replication manager, sys, root and nmAdmin users.
• The password history policy is enforced for users of type os only when the old password is provided or retrievable.

Changing password of system users of particular type

Read Guidelines for changing password before initiating a password change.

This section describes how to change the passwords of all users of a particular type. The type is determined by the repository the users belong to and can be dirsrv, db or os.

Some users of a type are not considered when the tool is executed in this mode. See Users unsupported in type mode of operation for the list of users in this category.

Follow the steps below to change the passwords of the users of a particular type:

1. Log in as the omc or root user to the VM where the dmgr service is running.

To locate the correct virtual machine, see Locating the right virtual machine for a service in Administering NetAct Virtual Infrastructure.
2. To change the passwords, execute the following command:

[omc] /opt/nokia/oss/bin/password-tool --type <type> --mode <mode> [--skip old_password]
OR
[omc] /opt/nokia/oss/bin/password-tool -t <type> -m <mode> [-s op]

where:

<type> is mandatory and can be dirsrv, db or os

<mode> can be admin or nonAdmin


--skip old_password or -s op is an optional argument that skips the prompt for the user's old password. The old password is used to restore the user's password if the password change fails. To obtain the old password of a user, see Retrieving password of system users. This option has no effect when password-tool is invoked with --mode nonAdmin or -m nonAdmin.

Note:

<type> can also be all, which changes the passwords of users across all supported types.

The users supported by password-tool per type can be obtained by executing:

[omc] /opt/nokia/oss/bin/password-tool --list --type <type> --mode <mode>
OR
[omc] /opt/nokia/oss/bin/password-tool -l -t <type> -m <mode>

When the command above is executed, the following are prompted for before the password change is attempted for all users of the type:

• Root login password: The root password is needed to restart services after the password change, where applicable. password-tool terminates if an incorrect password is given.

• Confirmation for service restarts: Prompted for only if service restarts are needed after the users' password change. The tool terminates on any answer other than Y (case insensitive).

• The following inputs are prompted for only when the tool is invoked in admin mode:

– Old password: The current password of the user; applicable only in admin mode and optional. It is prompted for only if the tool was invoked without the --skip old_password or -s op option.
– New password: Mandatory. The password given is validated against the configured policy of the relevant type. For OS users, it is recommended to check the score of the new password before changing it. For more information on the password score, see Checking password score for OS users.
– Confirm New password: Mandatory, and must match the password given at the New password prompt.

Note: In admin mode:

– New password and Confirm New password are prompted for each user attempted. They are re-prompted twice if an invalid password is given.
– Old password is prompted for if the tool was invoked without the --skip old_password or -s op option. It is re-prompted twice if an incorrect password is given.


• In nonAdmin mode, the password of every non-administrative user of the type is changed to a randomly generated password that meets the configured policy of the relevant type. In admin mode, the password of every administrative user of the type is changed to the new password provided. For every user whose password was changed successfully, the post-password-change actions are performed, and the service restarts are combined and done only once, which avoids the repeated restarts that changing the users individually would cause.

• The password change proceeds through all users of the type even if it fails for some of them. The password of a failed user is reverted only if the old password is retrievable. Only the services associated with the users whose password was changed successfully are restarted.

For example: if the execution involves two users (U1 and U2) and the password change of U1 fails, the password of U1 is rolled back and the password change continues with U2. If the password change succeeds for U2, only the service restarts applicable to U2 are performed.

• The progress of the password change and an overall summary of the operation are shown in the console.

11.2 Retrieving password of system users

1. The current login password of a system user can be found if the user is present in the System Credential Access (SCA) repository. The user type and instance must be known before the password can be retrieved from SCA. To find the type and instance of a system user, see SCA type and instance.

2. The current password of the user can be obtained by executing the following command on any VM where the was service is running:

[omc] /opt/nokia/oss/bin/syscredacc.sh -user <user_name> -type <user_type> -instance <user_instance>

where

<user_name> is mandatory and is the login name of the user.

<user_type> is mandatory and is the type of the user found in step 1.

<user_instance> is optional, depending on the instance of the user found in step 1.

To locate the correct virtual machine, see Locating the right virtual machine for a service in Administering NetAct Virtual Infrastructure.

Note:

• The same login name can exist with multiple types, for example system with both the database and the application server type. Therefore, give the type for which the password needs to be retrieved and changed.

3. If the password is being changed for the first time after installation and the user's password cannot be obtained with the previous step, contact Nokia Support to obtain the default password set at installation.

Note: After a successful password change, store the changed password in a safe and secure place for users whose password cannot be obtained by the methods above.

11.3 SCA type and instance


To view the user type and instance, do the following:

1. Log in as omc user to any NetAct VM hosting the syswas service.


2. To view the user type and instance, enter:

[omc] /opt/nokia/oss/bin/syscredacc.sh -list <username>

Sample output:
[omc@vm ~] $ /opt/nokia/oss/bin/syscredacc.sh -list omc
--------------------------------------------------------
USER NAME TYPE INSTANCE
--------------------------------------------------------
omc DB OSS
omc APPSERV APPSERV
Total number of users 2
[omc@vm ~] $

Note: To list all users in the SCA, enter:

[omc] /opt/nokia/oss/bin/syscredacc.sh -list

Sample output:
[omc@vm ~] $ /opt/nokia/oss/bin/syscredacc.sh -list
------------------------------------------------------------------------
USER NAME TYPE INSTANCE
------------------------------------------------------------------------
admusr DS SYSAUTH
atuser APPSERV APPSERV
ejbtimerfm DB OSS
racftp RAC MEDIATION
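Both password-tool --list (section 11.1) and syscredacc.sh -list (section 11.3) print a dashed header followed by one row per user, and both sections make the same two points: the login name must match exactly, case included, and a type must be given whenever the same name exists under more than one type. The shell functions below, added here as an example and not Nokia's code, parse saved output of either command (for example from password-tool --list > /var/tmp/pt-users.txt) and build the password-tool invocation only when those conditions hold, refusing an unknown name, a wrong case, an ambiguous name without -t, or a type the name is not registered under. The listing used in the test is constructed to mirror the omc example in the manual; real output may carry further columns, which the functions ignore.

```shell
#!/bin/sh
# Added example, not Nokia's code: parse the tabular output of
# "password-tool --list" (section 11.1) and "syscredacc.sh -list"
# (section 11.3). Both print a dashed separator, a "USER NAME TYPE ..." header
# and one row per entry; syscredacc.sh adds a "Total number of users N" line.
# The login-name match is exact and case sensitive, as the manual requires.

# list_rows <file>: drop separator, header and summary lines, keep data rows.
list_rows() {
    awk 'NF >= 2 && $1 != "USER" && $1 !~ /^-+$/ && $1 != "Total"' "$1"
}

# types_for_user <file> <login>: print every TYPE registered for <login>,
# one per line, matching column 1 exactly (so "OMC" does not match "omc").
types_for_user() {
    list_rows "$1" | awk -v u="$2" '$1 == u { print $2 }'
}

# sca_entries <file> <login>: for "syscredacc.sh -list" output, print the
# "TYPE INSTANCE" pairs to pass as -type / -instance to syscredacc.sh.
sca_entries() {
    list_rows "$1" | awk -v u="$2" '$1 == u { print $2, $3 }'
}

# password_tool_cmd <file> <login> [type]: print the password-tool invocation
# the manual calls for. -t is required only when the login name exists under
# more than one type; an unknown login or an unlisted type is an error.
password_tool_cmd() {
    listfile=$1 login=$2 want=${3:-}
    types=$(types_for_user "$listfile" "$login")
    n=$(printf '%s\n' "$types" | grep -c . || true)
    if [ "$n" -eq 0 ]; then
        echo "error: $login is not supported by password-tool (names are case sensitive)" >&2
        return 1
    fi
    # $types is left unquoted below on purpose: word splitting joins the
    # one-per-line types with spaces for the message.
    if [ -n "$want" ]; then
        printf '%s\n' "$types" | grep -qx "$want" || {
            echo "error: $login has no entry of type $want (has: $(echo $types))" >&2
            return 1; }
        echo "/opt/nokia/oss/bin/password-tool -u $login -t $want"
    elif [ "$n" -eq 1 ]; then
        echo "/opt/nokia/oss/bin/password-tool -u $login"
    else
        echo "error: $login exists as $(echo $types); pass the type with -t" >&2
        return 1
    fi
}

# On the dmgr VM, as omc:
#   /opt/nokia/oss/bin/password-tool --list > /var/tmp/pt-users.txt
#   password_tool_cmd /var/tmp/pt-users.txt omc db
#   /opt/nokia/oss/bin/syscredacc.sh -list > /var/tmp/sca-users.txt
#   sca_entries /var/tmp/sca-users.txt omc
```

The printed command is deliberately not executed: the operator reviews it, then runs it interactively because password-tool prompts for the root password, the old and new passwords and the restart confirmation.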

11.4 Service restarts needed after password change of system user

This section lists the service restarts needed after a password change has completed successfully. Service restarts are needed for the new password to take effect; the tables below map each user to the services that must be restarted.

Note: Service restarts are handled internally when the password is changed through password-tool; there is no need to restart services separately.

System users needing a restart of services after a password change:

User | User type | Involved service restart | Impacts during restart

omc | DB | WebSphere services (dmgr, nodeagent, cmwas, fmwas, intgwas, itsmwas, syswas, pmwas); sqm services (sqm-message-broker, sqm-node-manager, sqm-backend, sqm-spg, sqm-spg-email-plugin, sqm-spg-sms-plugin, sqm-spg-ne3s-plugin, sqm-eem, sqm-epm, sqm-collector-npm) | NetAct functionalities will not be available. Thresholder and Profiler functionality will not be available.

cn=Manager | DirSrv | sqm services (sqm-message-broker, sqm-node-manager, sqm-backend, sqm-spg, sqm-spg-email-plugin, sqm-spg-sms-plugin, sqm-spg-ne3s-plugin, sqm-eem, sqm-epm, sqm-collector-npm) | Thresholder and Profiler functionality will not be available.

sysproxy | DirSrv | sssd | NSS and PAM services will not be available.

ihsproxy | DirSrv | ihs | NetAct functionalities will not be available.

httpdproxy | DirSrv | httpd | FCAPS functionalities for NE3S based NEs may not be available.

ejbtimerfm, ejbtimerpm, ejbtimerintg, ejbtimercm, ejbtimeritsm, ejbtimersys, pmr, pmw, wassrvid, system, rda | DB | WebSphere services (dmgr, nodeagent, cmwas, fmwas, intgwas, itsmwas, syswas, pmwas) | NetAct functionalities will not be available.

sqm, sqm_core | DB | sqm services (sqm-message-broker, sqm-node-manager, sqm-backend, sqm-spg, sqm-spg-email-plugin, sqm-spg-sms-plugin, sqm-spg-ne3s-plugin, sqm-eem, sqm-epm, sqm-collector-npm) | Thresholder and Profiler functionality will not be available.

wasproxy | DirSrv | WebSphere services (dmgr, nodeagent, cmwas, fmwas, intgwas, itsmwas, syswas, pmwas) | NetAct functionalities will not be available.

hpsim | DB | hpsim | Hardware alarms might be delayed.

Table 45: Users and Involved Service Restart

User | User type | Involved application restart | Impacts during restart

pm2sol | DirSrv | onepm-topology_replicator-ear, onepm-topology_ws-ear [in PM cluster] | PM applications will not be available.

Table 46: Users and Involved Application Restarts


11.5 Special characters allowed in system user's password

The table below lists the special characters allowed in system user passwords.

Type of user / Users                              Allowed special characters

DB
  SQM                                             ~!%^&()-_+={}[]|:;,.<>?
  SQM_CORE                                        ~!%^&()-_+={}[]|:;,.<>?
  Other oracle database users                     ~!%^&()-_+=|:;.<>?

OS
  Root                                            ~!%^&()-_+={}[]|;,.<>?
  Other Linux OS users                            ~!%^&()-_+={}[]|:;,.<>?

Directory server
  nwi3system                                      ~!%^()-_+={}[]|:;,.?
  sysproxy, wasproxy, ihsproxy, httpdproxy        ~%^-_+=:,.?
  cn=Manager                                      ~!%&()-_+=]:;,.?
  pm2sol                                          ~!%^&()-_+=|:;,.<>?
  Other Dirsrv users                              ~!%^&()-_+={}[]|:;,.<>?

Virtualization infrastructure
  vCenter root                                    ~!%^()-+={}[]|:;,.>@#%*/?
  vmanager                                        ~!%^()-+={}[]|:;,.>@#%*/?
  [email protected]                               ~!%^()-+={}[]|:;,.>@#%*/?
  ESXI root                                       ~!%^()-_+={}[]|:;,.>@#%*/?

Table 47: User and Allowed special Characters

Character restrictions for system users in the data center (DC) and virtualization infrastructure:

User                                                            Restricted characters

ESXi root user, VMware vCenter root and [email protected]       &,<

Table 48: User and Restricted special Characters

For information about the users, see NetAct default system users.

11.6 Users unsupported in type mode of operation

This section lists the users, with their types, that are not supported in the type mode of operation of password-tool.

The passwords of the users listed below must be changed individually. See Changing password of system user individually for more information.

User | User type | Manual actions needed after password change

nwi3system | dirsrv | Needs configuration changes or re-integration of a specific family of NEs. For more information, see Changes in NE configuration post password change in Administering Users and Permissions.

nx2suser | dirsrv | Needs configuration changes or re-integration of a specific family of NEs. For more information, see Changes in NE configuration post password change in Administering Users and Permissions.

racftp | dirsrv | Needs configuration changes or re-integration of a specific family of NEs. For more information, see Changes in NE configuration post password change in Administering Users and Permissions.

racftam | dirsrv | Needs configuration changes or re-integration of a specific family of NEs. For more information, see Changes in NE configuration post password change in Administering Users and Permissions.

racsftp | os | Needs configuration changes or re-integration of a specific family of NEs. For more information, see Changes in NE configuration post password change in Administering Users and Permissions.

root | os | None

isdkuser | os | Needs configuration changes or re-integration of a specific family of NEs. For more information, see Changes in NE configuration post password change.

rdsftp | os | The password must be updated in external systems. For more information, see Downloading result file through SFTP in RESTful Web Service Data Access API.

cn=replication manager | dirsrv | Needs replication reinitialization. For more information, see Resolving the problem in Troubleshooting NetAct Administration. Note: In a Disaster Recovery environment, replication reinitialization must be done on both the active and the standby site separately.

ftirpuser | os | None

ftirpuser2 | os | None

ftirpuser3 | os | None

Table 49: Users and user type

11.7 Changes in NE configuration post password change

Changing the password of the users nwi3system, racftam, racftp, racsftp and isdkuser requires changes on the NEs after the password change has succeeded.

Follow the steps below to make the necessary changes on the NEs, where applicable.

• If the password of the nwi3system user was changed successfully, re-integrate all NWI3 NEs by executing the following command on the nwi3 node as the omc user:

[omc] python /opt/oss/NSN-nwi3/bin/neIntegration.zip -R

To locate the right VM, see Locating the right virtual machine for a service in Administering NetAct Virtual Infrastructure.

• If the password of the racftam (FTAM protocol), racftp (FTP protocol) or racsftp (SFTP protocol) user was changed successfully, CM XML events from BSC to NetAct must be configured for all BSC NEs integrated to NetAct.

To configure CM XML events, see Configuring CM XML events from BSC to NetAct in Integrating BSC to NetAct.

• If the password of isdkuser was changed successfully, connectivity towards NetAct from the network elements integrated through the ISDK ftpput model must be reconfigured. These network elements communicate with NetAct over SFTP as isdkuser, so after changing the password of this user, refer to the integration document of the respective network element to reconfigure its connectivity towards NetAct.

The integration documents of the respective network elements are:

– TITAN: see Overview of NetNumber TITAN integration in Integrating NetNumber TITAN to NetAct.
– For MVI or GS adaptations, refer to the corresponding integration documents to modify the isdkuser password on the network element.

11.8 Checking password score for OS users

For OS users, it is recommended to check the score of the new password before running the password tool.

To check the password score, do the following:

1. Log in to any NetAct VM as the omc user.

2. Execute the following command and enter the new password to be checked on standard input. If the password meets the password quality settings, its score is displayed as output.

[omc] pwscore
<New Password>

If the score is greater than 50, the OS user password is considered strong. If the score is less than 50, the password change might fail. To avoid password change failure, choose a strong password.

11.9 Invalidating cache for effective shell access

Secure Shell (SSH) access for a user is determined by the user's membership of the sshaccess group together with a valid login shell and home directory. A change in access can take up to 90 minutes to take effect. This section describes how to invalidate the System Security Services Daemon (SSSD) cache so that a change in shell access takes effect immediately.

Note:

It is recommended to know in advance the nodes on which the shell access rights need to take effect.

The instructions below must be executed on every VM where an immediate change in shell access is needed:

1. Log in through SSH as omc to the VM where the shell access needs to change, and switch to the root user.

To locate the correct virtual machine, see Locating the right virtual machine for a service in Administering NetAct Virtual Infrastructure.
2. Invalidate the sssd cache by executing the following command:

[root] # /opt/cpf/bin/cpfrhds_connectivity_ldapauth_action.sh --invalidate_cache all
3. Successful execution of the command invalidates the cache and makes the change in shell access effective immediately.

11.10 Perform password synchronization in DR environment


The NetAct performDRSync tool synchronizes the passwords of the NetAct default system users from
the active site to the standby site. The performDRSync tool:

• automates all the steps required for successful synchronization of the system users' passwords,
including the necessary configuration changes and restarts.


• performs a health check of the services in the standby site before the password synchronization is
attempted, to avoid failures.
• checks the status of the Disaster Recovery (DR) before initiating any operation.
• must be executed explicitly to synchronize passwords when both sites are installed separately
(in an OpenStack environment) or in case of troubleshooting, where passwords are out of
synchronization across the sites.

During a password change, the password tool internally detects the DR environment and synchronizes
the password. If passwords are changed on a system where DR is intact, do not execute the
performDRSync tool independently.

Password synchronization can be done for a specific set of users or for all users together; which
users are covered is determined internally by the performDRSync tool.

Note: File system synchronization between the two sites can appear non-functional during or after
password synchronization. This is caused by the simultaneous execution of commands in the standby
site that enable or disable root login and of the file system synchronization cron job, which runs
every 15 minutes. File system synchronization recovers during the subsequent invocation of the cron
job. Performing password synchronization before the subsequent invocation of the cron job fails
during the DR status check. If file system synchronization is still not functional after the subsequent
invocation of the cron job following password synchronization, contact Nokia Technical Support.

11.10.1 Synchronizing all system users' passwords from active site to standby site
Perform this procedure to synchronize the passwords of all system users supported by the
performDRSync tool from the active site to the standby site.

1. Log in as omc user to the VM hosting the dmgr service running in active site.

To locate the right VM, see Locating the right virtual machine for a service in Administering NetAct
Virtual Infrastructure.

2. Synchronize all system users' passwords by entering:

• [omc@dmgrvm ~]$ performDRSync -a

Or

• [omc@dmgrvm ~]$ performDRSync --all

Before attempting the password synchronization, the following prompts appear:

• Root login password of standby site: The root user password is required for performing
certain actions in the standby site. For example, restarting services after performing
password synchronization, if applicable.


• Root login password of active site: The root user password is required for executing the
command as root user in the active site and for file synchronization operations, and so on.
• Confirmation of skip password sync for password not retrievable users: A confirmation
prompt appears only if there are users for whom the password cannot be retrieved for
synchronization. At the prompt, if:

• N (case insensitive) is provided, the performDRSync tool skips the DR actions for those
users.
• Y (case insensitive) is provided, the performDRSync tool prompts for the password to
execute the DR actions for those users.
• Current password of users in standby site: The current password of a system user in the
standby site is required to update configurations. To retrieve the password in the standby site,
see Retrieving password of system users. Confirmation of password is also prompted.
• Current password of user in active site: If the operator does not skip the DR actions for
users whose password is not retrievable, then the current password of that user in the active
site is required to synchronize the password. Confirmation of the password is also prompted.

Note:

• If the user provides an invalid password, the user can retry entering the current and confirm
passwords twice. If all retries are exhausted, the DR action is skipped for that user.
• Password synchronization continues for the remaining users even if password synchronization
or the DR action failed for the attempted user.
• Password synchronization for OS users fails if the password to be synchronized is already in
effect in the standby site; such failures can be ignored.

Expected outcome

The password synchronization progress and the overall performed operation summary status appears
on the console.

11.10.2 Synchronizing specific system users' passwords from active site to standby site
Perform this procedure to synchronize the passwords of specific system users supported by the
performDRSync tool from the active site to the standby site.

1. Log in as omc user to the VM hosting the dmgr service running in active site.

To locate the right VM, see Locating the right virtual machine for a service in Administering NetAct
Virtual Infrastructure.

2. Synchronize specific system users' passwords by entering:

• [omc@dmgrvm ~]$ performDRSync -t <type1> -u <username1> [-u <username2>] [-t <type2>] [-u <username3>] [-u <username4>]


Or

• [omc@dmgrvm ~]$ performDRSync --type <type1> --username <username1> [--username <username2>] [--type <type2>] [--username <username3>] [--username <username4>]

where:

• <type1>, <type2> are the types of user.
• <username1>, <username2>, <username3>, <username4> are the login names of the
system users whose passwords must be synchronized. The username is case sensitive.

For example:

[omc@dmgrvm ~]$ performDRSync -t dirsrv -u pm2sol -t os -u ftirpuser -u ftirpuser2 -u ftirpuser3

Note: The performDRSync tool can be executed for different types of users together.

Before attempting the password synchronization, the following prompts appear:

• Root login password of standby site: The root user password is required for performing
certain action in the standby site. For example, restarting services after performing
password synchronization, if applicable.
• Root login password of active site: The root user password is required for executing the
command as root user in the active site and file synchronization operations, and so on.
• Confirmation of skip password sync for password not retrievable users: A confirmation
prompt appears only if there are users for whom the password cannot be retrieved for
synchronization. At the prompt, if:

• N (case insensitive) is provided, the performDRSync tool skips the DR actions for those
users.
• Y (case insensitive) is provided, the performDRSync tool prompts for the password to
execute the DR actions for those users.
• Current password of users in standby site: The current password of the system user in the
standby site is required to update configurations. To retrieve password in the standby site, see
Retrieving password of system users. Confirmation of password is also prompted.
• Current password of user in active site: If the operator does not skip DR actions for users
whose password is not retrievable, then the current password of that user in the active site is
required to synchronize the password. Confirmation of password is also prompted.

Note:

• If the user provides an invalid password, the user can retry entering the current and confirm
passwords twice. If all retries are exhausted, the DR action is skipped for that user.


• Password synchronization for OS users fails if the password to be synchronized is already in
effect in the standby site; such failures can be ignored.

Expected outcome

The password synchronization progress and the overall performed operation summary status appears
on the console.
