
Avaya Aura® Conferencing Security

Release 8.0
May 2013
© 2013, Avaya Inc.
All Rights Reserved.

Notice
While reasonable efforts have been made to ensure that the information in this document is complete and accurate at the time of printing, Avaya assumes no liability for any errors. Avaya reserves the right to make changes and corrections to the information in this document without the obligation to notify any person or organization of such changes.

Documentation disclaimer
“Documentation” means information published in varying mediums which may include product information, operating instructions and performance specifications that are generally made available to users of products. Documentation does not include marketing materials. Avaya shall not be responsible for any modifications, additions, or deletions to the original published version of Documentation unless such modifications, additions, or deletions were performed by or on the express behalf of Avaya. End User agrees to indemnify and hold harmless Avaya, Avaya's agents, servants and employees against all claims, lawsuits, demands and judgments arising out of, or in connection with, subsequent modifications, additions or deletions to this documentation, to the extent made by End User.

Link disclaimer
Avaya is not responsible for the contents or reliability of any linked websites referenced within this site or Documentation provided by Avaya. Avaya is not responsible for the accuracy of any information, statement or content provided on these sites and does not necessarily endorse the products, services, or information described or offered within them. Avaya does not guarantee that these links will work all the time and has no control over the availability of the linked pages.

Warranty
Avaya provides a limited warranty on Avaya hardware and software. Refer to your sales agreement to establish the terms of the limited warranty. In addition, Avaya’s standard warranty language, as well as information regarding support for this product while under warranty is available to Avaya customers and other parties through the Avaya Support website: https://support.avaya.com/helpcenter/getGenericDetails?detailId=C20091120112456651010 under the link “Warranty & Product Lifecycle” or such successor site as designated by Avaya. Please note that if You acquired the product(s) from an authorized Avaya Channel Partner outside of the United States and Canada, the warranty is provided to You by said Avaya Channel Partner and not by Avaya.
“Hosted Service” means an Avaya hosted service subscription that You acquire from either Avaya or an authorized Avaya Channel Partner (as applicable) and which is described further in Hosted SAS or other service description documentation regarding the applicable hosted service. If You purchase a Hosted Service subscription, the foregoing limited warranty may not apply but You may be entitled to support services in connection with the Hosted Service as described further in your service description documents for the applicable Hosted Service. Contact Avaya or Avaya Channel Partner (as applicable) for more information.

Hosted Service
THE FOLLOWING APPLIES ONLY IF YOU PURCHASE AN AVAYA HOSTED SERVICE SUBSCRIPTION FROM AVAYA OR AN AVAYA CHANNEL PARTNER (AS APPLICABLE), THE TERMS OF USE FOR HOSTED SERVICES ARE AVAILABLE ON THE AVAYA WEBSITE, HTTPS://SUPPORT.AVAYA.COM/LICENSEINFO UNDER THE LINK “Avaya Terms of Use for Hosted Services” OR SUCH SUCCESSOR SITE AS DESIGNATED BY AVAYA, AND ARE APPLICABLE TO ANYONE WHO ACCESSES OR USES THE HOSTED SERVICE. BY ACCESSING OR USING THE HOSTED SERVICE, OR AUTHORIZING OTHERS TO DO SO, YOU, ON BEHALF OF YOURSELF AND THE ENTITY FOR WHOM YOU ARE DOING SO (HEREINAFTER REFERRED TO INTERCHANGEABLY AS “YOU” AND “END USER”), AGREE TO THE TERMS OF USE. IF YOU ARE ACCEPTING THE TERMS OF USE ON BEHALF A COMPANY OR OTHER LEGAL ENTITY, YOU REPRESENT THAT YOU HAVE THE AUTHORITY TO BIND SUCH ENTITY TO THESE TERMS OF USE. IF YOU DO NOT HAVE SUCH AUTHORITY, OR IF YOU DO NOT WISH TO ACCEPT THESE TERMS OF USE, YOU MUST NOT ACCESS OR USE THE HOSTED SERVICE OR AUTHORIZE ANYONE TO ACCESS OR USE THE HOSTED SERVICE.

Licenses
THE SOFTWARE LICENSE TERMS AVAILABLE ON THE AVAYA WEBSITE, HTTPS://SUPPORT.AVAYA.COM/LICENSEINFO, UNDER THE LINK “AVAYA SOFTWARE LICENSE TERMS (Avaya Products)” OR SUCH SUCCESSOR SITE AS DESIGNATED BY AVAYA, ARE APPLICABLE TO ANYONE WHO DOWNLOADS, USES AND/OR INSTALLS AVAYA SOFTWARE, PURCHASED FROM AVAYA INC., ANY AVAYA AFFILIATE, OR AN AVAYA CHANNEL PARTNER (AS APPLICABLE) UNDER A COMMERCIAL AGREEMENT WITH AVAYA OR AN AVAYA CHANNEL PARTNER. UNLESS OTHERWISE AGREED TO BY AVAYA IN WRITING, AVAYA DOES NOT EXTEND THIS LICENSE IF THE SOFTWARE WAS OBTAINED FROM ANYONE OTHER THAN AVAYA, AN AVAYA AFFILIATE OR AN AVAYA CHANNEL PARTNER; AVAYA RESERVES THE RIGHT TO TAKE LEGAL ACTION AGAINST YOU AND ANYONE ELSE USING OR SELLING THE SOFTWARE WITHOUT A LICENSE. BY INSTALLING, DOWNLOADING OR USING THE SOFTWARE, OR AUTHORIZING OTHERS TO DO SO, YOU, ON BEHALF OF YOURSELF AND THE ENTITY FOR WHOM YOU ARE INSTALLING, DOWNLOADING OR USING THE SOFTWARE (HEREINAFTER REFERRED TO INTERCHANGEABLY AS “YOU” AND “END USER”), AGREE TO THESE TERMS AND CONDITIONS AND CREATE A BINDING CONTRACT BETWEEN YOU AND AVAYA INC. OR THE APPLICABLE AVAYA AFFILIATE (“AVAYA”).
Avaya grants You a license within the scope of the license types described below, with the exception of Heritage Nortel Software, for which the scope of the license is detailed below. Where the order documentation does not expressly identify a license type, the applicable license will be a Designated System License as set forth below in the Designated System(s) License (DS) section as applicable. The applicable number of licenses and units of capacity for which the license is granted will be one (1), unless a different number of licenses or units of capacity is specified in the documentation or other materials available to You. “Software” means computer programs in object code, provided by Avaya or an Avaya Channel Partner, whether as stand-alone products, pre-installed on hardware products, and any upgrades, updates, patches, bug fixes, or modified versions thereto. “Designated Processor” means a single stand-alone computing device. “Server” means a set of Designated Processors that hosts (physically or virtually) a software application to be accessed by multiple users. “Instance” means a single copy of the Software executing at a particular time: (i) on one physical machine; or (ii) on one deployed software virtual machine (“VM”) or similar deployment.

License types
Designated System(s) License (DS). End User may install and use each copy or an Instance of the Software only: 1) on a number of Designated Processors up to the number indicated in the order; or 2) up to the number of Instances of the Software as indicated in the order, Documentation, or as authorized by Avaya in writing. Avaya may require the Designated Processor(s) to be identified in the order by type, serial number, feature key, Instance, location or other specific designation, or to be provided by End User to Avaya through electronic means established by Avaya specifically for this purpose.
Named User License (NU). You may: (i) install and use each copy or Instance of the Software on a single Designated Processor or Server per authorized Named User (defined below); or (ii) install and use each copy or Instance of the Software on a Server so long as only authorized Named Users access and use the Software. “Named User”, means a user or device that has been expressly authorized by Avaya to access and use the Software. At Avaya’s sole discretion, a “Named User” may be, without limitation, designated by name, corporate function (e.g., webmaster or helpdesk), an e-mail or voice mail account in the name of a person or corporate function, or a directory entry in the administrative database utilized by the Software that permits one user to interface with the Software.

Heritage Nortel Software
“Heritage Nortel Software” means the software that was acquired by Avaya as part of its purchase of the Nortel Enterprise Solutions Business in December 2009. The Heritage Nortel Software is the software contained within the list of Heritage Nortel Products located at https://support.avaya.com/LicenseInfo under the link “Heritage Nortel Products” or such successor site as designated by Avaya. For Heritage Nortel Software, Avaya grants Customer a license to use Heritage Nortel Software provided hereunder solely to the extent of the authorized activation or authorized usage level, solely for the purpose specified in the Documentation, and solely as embedded in, for execution on, or for communication with Avaya equipment. Charges for Heritage Nortel Software may be based on extent of activation or use authorized as specified in an order or invoice.

Copyright
Except where expressly stated otherwise, no use should be made of materials on this site, the Documentation, Software, Hosted Service, or hardware provided by Avaya. All content on this site, the documentation, Hosted Service, and the product provided by Avaya including the selection, arrangement and design of the content is owned either by Avaya or its licensors and is protected by copyright and other intellectual property laws including the sui generis rights relating to the protection of databases. You may not modify, copy, reproduce, republish, upload, post, transmit or distribute in any way any content, in whole or in part, including any code and software unless expressly authorized by Avaya. Unauthorized reproduction, transmission, dissemination, storage, and or use without the express written consent of Avaya can be a criminal, as well as a civil offense under the applicable law.

Virtualization
The following applies if the product is deployed on a virtual machine. Each product has its own ordering code and license types. Note, unless otherwise stated, that each Instance of a product must be separately licensed and ordered. For example, if the end user customer or Avaya Channel Partner would like to install two Instances of the same type of products, then two products of that type must be ordered.

Third Party Components
“Third Party Components” mean certain software programs or portions thereof included in the Software or Hosted Service may contain software (including open source software) distributed under third party agreements (“Third Party Components”), which contain terms regarding the rights to use certain portions of the Software (“Third Party Terms”). As required, information regarding distributed Linux OS source code (for those products that have distributed Linux OS source code) and identifying the copyright holders of the Third Party Components and the Third Party Terms that apply is available in the products, Documentation or on Avaya’s website at: https://support.avaya.com/Copyright or such successor site as designated by Avaya. The open source software license terms provided as Third Party Terms are consistent with the license rights granted in these Software License Terms, and may contain additional rights benefiting You, such as modification and distribution of the open source software. The Third Party Terms shall take precedence over these Software License Terms, solely with respect to the applicable Third Party Components to the extent that these Software License Terms impose greater restrictions on You than the applicable Third Party Terms.

The following applies only if the H.264 (AVC) codec is distributed with the product. THIS PRODUCT IS LICENSED UNDER THE AVC PATENT PORTFOLIO LICENSE FOR THE PERSONAL USE OF A CONSUMER OR OTHER USES IN WHICH IT DOES NOT RECEIVE REMUNERATION TO (i) ENCODE VIDEO IN COMPLIANCE WITH THE AVC STANDARD (“AVC VIDEO”) AND/OR (ii) DECODE AVC VIDEO THAT WAS ENCODED BY A CONSUMER ENGAGED IN A PERSONAL ACTIVITY AND/OR WAS OBTAINED FROM A VIDEO PROVIDER LICENSED TO PROVIDE AVC VIDEO. NO LICENSE IS GRANTED OR SHALL BE IMPLIED FOR ANY OTHER USE. ADDITIONAL INFORMATION MAY BE OBTAINED FROM MPEG LA, L.L.C. SEE HTTP://WWW.MPEGLA.COM.

Service Provider
THE FOLLOWING APPLIES TO AVAYA CHANNEL PARTNER’S HOSTING OF AVAYA PRODUCTS OR SERVICES. THE PRODUCT OR HOSTED SERVICE MAY USE THIRD PARTY COMPONENTS SUBJECT TO THIRD PARTY TERMS AND REQUIRE A SERVICE PROVIDER TO BE INDEPENDENTLY LICENSED DIRECTLY FROM THE THIRD PARTY SUPPLIER. AN AVAYA CHANNEL PARTNER’S HOSTING OF AVAYA PRODUCTS MUST BE AUTHORIZED IN WRITING BY AVAYA AND IF THOSE HOSTED PRODUCTS USE OR EMBED CERTAIN THIRD PARTY SOFTWARE, INCLUDING BUT NOT LIMITED TO MICROSOFT SOFTWARE OR CODECS, THE AVAYA CHANNEL PARTNER IS REQUIRED TO INDEPENDENTLY OBTAIN ANY APPLICABLE LICENSE AGREEMENTS, AT THE AVAYA CHANNEL PARTNER’S EXPENSE, DIRECTLY FROM THE APPLICABLE THIRD PARTY SUPPLIER.
WITH RESPECT TO CODECS, IF THE AVAYA CHANNEL PARTNER IS HOSTING ANY PRODUCTS THAT USE OR EMBED THE G.729 CODEC, H.264 CODEC, OR H.265 CODEC, THE AVAYA CHANNEL PARTNER ACKNOWLEDGES AND AGREES THE AVAYA CHANNEL PARTNER IS RESPONSIBLE FOR ANY AND ALL RELATED FEES AND/OR ROYALTIES. THE G.729 CODEC IS LICENSED BY SIPRO LAB TELECOM INC. SEE WWW.SIPRO.COM/CONTACT.HTML. THE H.264 (AVC) CODEC IS LICENSED UNDER THE AVC PATENT PORTFOLIO LICENSE FOR THE PERSONAL USE OF A CONSUMER OR OTHER USES IN WHICH IT DOES NOT RECEIVE REMUNERATION TO: (I) ENCODE VIDEO IN COMPLIANCE WITH THE AVC STANDARD (“AVC VIDEO”) AND/OR (II) DECODE AVC VIDEO THAT WAS ENCODED BY A CONSUMER ENGAGED IN A PERSONAL ACTIVITY AND/OR WAS OBTAINED FROM A VIDEO PROVIDER LICENSED TO PROVIDE AVC VIDEO. NO LICENSE IS GRANTED OR SHALL BE IMPLIED FOR ANY OTHER USE. ADDITIONAL INFORMATION FOR H.264 (AVC) AND H.265 (HEVC) CODECS MAY BE OBTAINED FROM MPEG LA, L.L.C. SEE HTTP://WWW.MPEGLA.COM.

Compliance with Laws
You acknowledge and agree that it is Your responsibility for complying with any applicable laws and regulations, including, but not limited to laws and regulations related to call recording, data privacy, intellectual property, trade secret, fraud, and music performance rights, in the country or territory where the Avaya product is used.

Preventing Toll Fraud
“Toll Fraud” is the unauthorized use of your telecommunications system by an unauthorized party (for example, a person who is not a corporate employee, agent, subcontractor, or is not working on your company's behalf). Be aware that there can be a risk of Toll Fraud associated with your system and that, if Toll Fraud occurs, it can result in substantial additional charges for your telecommunications services.

Avaya Toll Fraud intervention
If You suspect that You are being victimized by Toll Fraud and You need technical assistance or support, call Technical Service Center Toll Fraud Intervention Hotline at +1-800-643-2353 for the United States and Canada. For additional support telephone numbers, see the Avaya Support website: https://support.avaya.com or such successor site as designated by Avaya.

Security Vulnerabilities
Information about Avaya’s security support policies can be found in the Security Policies and Support section of https://support.avaya.com/security.
Suspected Avaya product security vulnerabilities are handled per the Avaya Product Security Support Flow (https://support.avaya.com/css/P8/documents/100161515).

Downloading Documentation
For the most current versions of Documentation, see the Avaya Support website: https://support.avaya.com, or such successor site as designated by Avaya.

Contact Avaya Support
See the Avaya Support website: https://support.avaya.com for product or Hosted Service notices and articles, or to report a problem with your Avaya product or Hosted Service. For a list of support telephone numbers and contact addresses, go to the Avaya Support website: https://support.avaya.com (or such successor site as designated by Avaya), scroll to the bottom of the page, and select Contact Avaya Support.

Trademarks
The trademarks, logos and service marks (“Marks”) displayed in this
site, the Documentation, Hosted Service(s), and product(s) provided
by Avaya are the registered or unregistered Marks of Avaya, its
affiliates, its licensors, its suppliers, or other third parties. Users are
not permitted to use such Marks without prior written consent from
Avaya or such third party which may own the Mark. Nothing
contained in this site, the Documentation, Hosted Service(s) and
product(s) should be construed as granting, by implication, estoppel,
or otherwise, any license or right in and to the Marks without the
express written permission of Avaya or the applicable third party.
Avaya is a registered trademark of Avaya Inc.

All non-Avaya trademarks are the property of their respective owners.


Linux® is the registered trademark of Linus Torvalds in the U.S. and
other countries.
Java is a registered trademark of Oracle and/or its affiliates.
Contents

Chapter 1: Introduction............................................................................................................ 8
Purpose.................................................................................................................................. 8
Prerequisites..................................................................................................................... 8
Intended audience................................................................................................................... 8
Related resources................................................................................................................... 8
Documentation.................................................................................................................. 8
Training.......................................................................................................................... 10
Viewing Avaya Mentor videos........................................................................................... 10
Support................................................................................................................................. 11
Warranty............................................................................................................................... 11
Chapter 2: Platform security overview................................................................................. 12
BIOS password control.......................................................................................................... 12
GRUB password control......................................................................................................... 13
Administrative user account names......................................................................................... 13
Administrative user roles........................................................................................................ 14
Primary role.......................................................................................................................... 15
Sudo access control.............................................................................................................. 15
Platform user management tool.............................................................................................. 15
Administrative account timers................................................................................................. 16
Account lockout..................................................................................................................... 16
Password complexity............................................................................................................. 17
Password changes.......................................................................................................... 19
Inactive platform account auditing........................................................................................... 19
Root user access.................................................................................................................. 20
Individual user accounts......................................................................................................... 20
Preconfigured accounts......................................................................................................... 21
Remote system accounts....................................................................................................... 22
Administrator database backup.............................................................................................. 22
Platform warning banners...................................................................................................... 22
Chapter 3: Platform administrator security management................................................... 23
Modifying password complexity rules–menu............................................................................ 23
Configuring the GRUB password............................................................................................ 24
Creating individual user accounts–menu................................................................................. 25
Deleting a user account......................................................................................................... 26
Modifying user roles—menu................................................................................................... 27
Changing the state of a user account—menu.......................................................................... 27
Listing server user accounts—menu....................................................................................... 28
Managing sudo access—menu............................................................................................... 29
Resetting a platform user account password—menu................................................................ 30

May 2013 Avaya Aura® Conferencing Security 5
Comments on this document? [email protected]

Changing a platform user account password using CLI............................................. 30
Viewing the status of inactive account auditing......................................................................... 31
Enabling inactive account auditing ......................................................................................... 31
Disabling inactive account auditing ........................................................................................ 31
Configuring platform warning banners..................................................................................... 32
Chapter 4: Security configuration and management overview.......................................... 34
Application local administrator account security....................................................................... 34
Local administrator account password complexity.............................................................. 34
Local administrator account password aging...................................................................... 36
Local administrator account log on session constraints....................................................... 36
Application local administrator account security defaults..................................................... 37
Avaya Aura® Conferencing SNMP Community Strings.............................................. 38
Changing the Element Manager SNMP community string......................................................... 38
Internal database account security.......................................................................................... 39
Database application security................................................................................................. 39
File system integrity............................................................................................................... 40
Verification reports........................................................................................................... 40
FSI baseline management............................................................................................... 41
FSI baseline exclusions................................................................................................... 41
FSI baseline backup and restore...................................................................................... 41
Configuration file............................................................................................................. 42
Application logging................................................................................................................ 42
Web server logs.................................................................................................................... 42
Security logs......................................................................................................................... 43
Syslog............................................................................................................................ 43
System audit................................................................................................................... 43
Failed logons.................................................................................................................. 44
File activity in restricted areas.......................................................................................... 45
Backup of security logs.................................................................................................... 46
Chapter 5: Database password management...................................................................... 47
Resetting the internal database account passwords................................................................. 47
Changing the schema account password................................................................................ 47
Changing the database application password without upgrading the software............................ 48
Changing the database application password during an upgrade.............................................. 49
Chapter 6: File system integrity management..................................................................... 51
Creating an FSI baseline........................................................................................................ 51
Verifying the file system against a baseline.............................................................................. 51
Managing FSI baselines......................................................................................................... 52
Chapter 7: Security log management................................................................................... 53
Configuring a remote syslog server......................................................................................... 53
Deleting a remote syslog server.............................................................................................. 53
Modifying system audit logs................................................................................................... 54
Chapter 8: Application administrator security configuration and management.............. 55

Enabling web server logs....................................................................................................... 55
Configuring password rules for the application local administrator accounts............................... 56
Password Rules dialog box field descriptions..................................................................... 56
Configuring log on and session rules for the local administrator accounts.................................. 58
Login Rules dialog box field descriptions........................................................................... 59
Resetting the password for the local administrator account....................................................... 59
Resetting the password for another local administrator from Element Manager Console............. 60
Changing the password for your local administrator account from Element Manager Console...... 61
Chapter 9: Access Control List configuration..................................................................... 62
Configuring internal ACL rules................................................................................................ 62
Generating an internal ACL configuration file..................................................................... 62
Installing an internal ACL configuration file on the primary Element Manager server............. 63
Installing an internal ACL configuration file on all other servers........................................... 63
Configuring external ACL rules............................................................................................... 64
Preparing the Avaya Media Server.................................................................................... 65
Importing an external Access Control List configuration file................................................. 65
Configuring external ACL rules manually (using the iptcfg tool)........................................... 67
Verifying the ACL configuration......................................................................................... 70
Access Control List external configuration......................................................................... 70
Example of import.dat...................................................................................................... 71
Chapter 10: TLS mutual authentication................................................................................ 73
Enabling mutual authentication mode for SIP........................................................................... 73
Enabling mutual authentication mode for Element Manager...................................................... 73
Chapter 11: Cipher suite configuration................................................................................. 75
Configuring OAMP ciphers..................................................................................................... 75
Configuring HTTPS ciphers.................................................................................................... 75
Configuring signaling ciphers.................................................................................................. 76

May 2013 Avaya Aura® Conferencing Security 7


Comments on this document? [email protected]
Chapter 1: Introduction

Purpose
This document contains information about how to perform Avaya Aura® Conferencing administration
tasks to manage data and security.

Prerequisites
Before you perform the administration tasks to manage data and security, you must:
• Complete the Avaya Aura® Conferencing installation.
• Know how to use Element Manager Console and Provisioning Client.

Intended audience
This document is intended for people who perform the product or solution system administration
tasks.

Related resources

Documentation
Download the following related documents at http://support.avaya.com.
The Avaya Support website also includes the latest information about product compatibility, ports
and Avaya Aura® Conferencing releases.

Administration

Document number: 04-604378
Title: Administering Avaya Aura® Conferencing
Use this document to: Perform system-wide administration tasks
Audience: System administrators

Document number: 04-604403
Title: Migrating Avaya Aura® Conferencing
Use this document to: Perform system-wide security administration and backup/restore tasks
Audience: System administrators

Document number: 04-604398
Title: Maintaining and Troubleshooting Avaya Aura® Conferencing
Use this document to: Perform maintenance and troubleshooting tasks. Understand logs and fault
tracking.
Audience: System administrators; Partners, Services, and Support personnel

Implementation

Document number: 04-604418
Title: Deploying Avaya Aura® Conferencing: Basic Installation
Use this document to: Perform installation and configuration tasks
Audience: Partners, Services, and Support personnel

Document number: 04-604363
Title: Deploying Avaya Aura® Conferencing: Advanced Installation and Configuration
Use this document to: Perform installation and configuration tasks
Audience: Partners, Services, and Support personnel

Document number: 04-604353
Title: Upgrading Avaya Aura® Conferencing
Use this document to: Perform upgrading and configuration tasks
Audience: Partners, Services, and Support personnel

Supporting

Document number: 04-604423
Title: Avaya Aura® Conferencing Accounting Records Reference
Use this document to: Collect information about accounting records
Audience: System administrators; Customers, Partners, Services, and Support personnel

Document number: 04-604443
Title: Avaya Aura® Conferencing Alarms and Logs Reference
Use this document to: Collect information about alarms and logs, including the alarms and logs
families
Audience: System administrators; Customers, Partners, Services, and Support personnel

Document number: 04-604444
Title: Avaya Aura® Conferencing Operational Measurements Reference
Use this document to: Collect information about operational measurements
Audience: System administrators; Customers, Partners, Services, and Support personnel

Training
The following courses are available on http://www.avaya-learning.com. In the Search field, type the
course code, and click Go to search for the course.
Course code Course title
2U00110O Selling Avaya Aura® Conferencing Solution Learning Bytes
2U00325O Avaya Aura® Conferencing 7 L1 Customer Scenario
3U00260W Designing Avaya Aura® Conferencing
5U00120E Avaya Aura® Conferencing
3204 Avaya Aura® Conferencing Implementation and Maintenance Exam

Viewing Avaya Mentor videos


Avaya Mentor videos provide technical content on how to install, configure, and troubleshoot Avaya
products.
About this task
Videos are available on the Avaya Support website, listed under the video document type, and on
the Avaya-run channel on YouTube.
Procedure
• To find videos on the Avaya Support website, go to support.avaya.com and perform one of the
following actions:
- In Search, type Avaya Mentor Videos to see a list of the available videos.

- In Search, type the product name. On the Search Results page, select Video in the
Content Type column on the left.
• To find the Avaya Mentor videos on YouTube, go to www.youtube.com/AvayaMentor and
perform one of the following actions:
- Enter a key word or key words in the Search Channel to search for a specific product or
topic.
- Scroll down Playlists, and click the name of a topic to see the available list of videos posted
on the website.
Note:
Videos are not available for all products.

Support
Go to the Avaya Support website at http://support.avaya.com for the most up-to-date
documentation, product notices, and knowledge articles. You can also search for release notes,
downloads, and resolutions to issues. Use the online service request system to create a service
request. Chat with live agents to get answers to questions, or request an agent to connect you to a
support team if an issue requires additional expertise.

Warranty
Detailed terms and conditions are contained in the sales agreement or other applicable
documentation and establish the terms of the limited warranty. In addition, the Avaya standard
warranty description and details for support under warranty are available at Avaya Support under
More Resources for Maintenance and Warranty Information, see https://support.avaya.com/.

Chapter 2: Platform security overview

This chapter contains information related to platform security configuration, including platform
administrator accounts, roles, and access.

BIOS password control


The planar BIOS includes options to configure both an administrative and power-on password. For
more information about password options and how to configure them, see the documentation
supplied with the server hardware.
The planar BIOS enables the user to configure both an administrative and power-on password. The
BIOS also refers to the administrative password as the privileged access password in console
messages displayed during BIOS initialization.
BIOS passwords are enforced at the end of BIOS initialization when the message BIOS Installed
Successfully displays.
The following table illustrates the password enforcement type performed by the BIOS at this point in
the BIOS execution.
BIOS Password Control

Password configured           | Password requirement
Power-on password | Admin     | BIOS Entry Requested (F1 pressed)           | Standard Initialization (F1 not pressed)
No                | No        | None                                        | None
No                | Yes       | Admin                                       | None
Yes               | No        | Power-on password                           | Power-on password
Yes               | Yes       | Power-on password (limited access) or Admin | Power-on password or Admin

Two basic scenarios are possible:


• The administrator presses the F1 key during the early stages of BIOS initialization with the
intent of entering BIOS setup when BIOS initialization finishes. If at least one password is
configured, the password must be entered to enter into the BIOS setup. If both passwords are
configured, specifying the power-on password gives the administrator only limited access,
where no BIOS configuration changes can be made.
• The administrator does not press the F1 key during the early stages of BIOS initialization. If a
power-on password is configured (not recommended), BIOS requires the administrator to enter
the password to allow the system to continue past the BIOS initialization. If configured, the
administrative password is also accepted.
If an administrator password is configured, an administrator entering BIOS with only a power-on
password receives access to the following menus:
• System Summary—This menu provides information such as processor model, USB devices,
and memory information.
• System Information—This menu provides information such as the machine type and model
number, serial number, firmware levels, and installed system cards.
When configuring the administrator password, changing the value of the power-on password
changeable by user field to Yes provides limited BIOS access to the administrator. The following are
the additional menu items available:
• System Security—This menu provides the facility to change or delete the power-on password.
The following general points also apply to administrative and power-on BIOS passwords:
• Each password can be up to seven characters in length.
• The passwords can consist of any characters.
• If both passwords are configured, a forgotten power-on password can be reset (deleted and re-
configured) by entering the BIOS with the administrative password.
• If a single password is set, and is forgotten, it cannot be recovered using the BIOS menu.
• If both the administrative and power-on password are set, and the administrative password is
forgotten, it cannot be recovered using the BIOS menu.
• Neither password is affected when you restore the configuration of the main BIOS to the
factory default configuration.

GRUB password control


The Linux Grand Unified Bootloader (GRUB) allows you to configure a password to prevent
unauthorized access to the bootloader. Whenever you change the server password policy, you
should reset the GRUB bootloader password to comply with these new settings. For more
information, see Configuring the GRUB password on page 24.

Administrative user account names


When you create a new account for an administrator, you specify the account name and a numeric
user ID. For the numeric user ID, always enter zero (0). After you enter zero (0), the system assigns
the next available numeric ID.

The system security administrator defines the password requirements using the pwConfig tool. For
more information about the pwConfig tool, see Modifying password complexity rules–menu on
page 23.

Administrative user roles


Roles define operational boundaries (access permissions) for administrators. Administrators can
have more than one role, depending on their duties. You assign roles to new administrators when
you create their accounts. The roles defined for the system are as follows:
• System Security Administrator (SSA)—The SSA can perform system configuration and specify
security attributes such as:
- Password configuration
- Administrative user management
- Access control
- Antivirus
- File System Integrity tools
- Network configuration
- System files backup
- System restoration
• Security Auditor (SA)—The SA can collect and view security audit logs and syslogs at the
platform level. The SA can also transfer the security logs off the server.
• Application Administrator (AA)—The AA can install Avaya Aura® Conferencing application
software and manage components related to the application. The AA is responsible for
installing, maintaining, patching, and upgrading Avaya Aura® Conferencing software only.
• Backup Administrator (BA)—The BA can perform only system backups. A BA cannot perform:
- any operation on the server except backups.
- a system restore—only the SSA or root user can perform a system restore.
• Database Administrator (DBA)—The DBA can manage the database schemas and database
tools on servers on which the database resides. This role is not relevant on servers that do not
host the database.
• Operational Support System Administrator (OSS)—Downstream processors can use the
account with this role to connect to the server and collect OSS logs.

Primary role
The primary role of the administrator defines the administrator’s primary group. The primary role
determines permissions and group ownership for any files that are generated by the administrator.
Any tools that extract or create files use the administrator’s primary role to determine the
appropriate group settings. The primary role is the first role assigned during account creation. An
SSA or root user can change the primary role for an administrator.
In the user management tool (userMgt), the primary role of an administrator is the first role that
appears in the list of assigned roles. For example, if the list appears as follows: SSA, AA, BA; the
primary role of the administrator is SSA.
All roles, other than the Backup Administrator and OSS Administrator roles, are intended to manage
some aspect of the system. Because of this and the use of discretionary access groups to control
access to system resources, administrators with a primary role of SSA, SA, AA, or DBA have a
primary GID that is traditionally reserved for system accounts (less than 500).

Sudo access control


By default, an administrator has access to all commands defined for each assigned role. However,
the root user can grant elevated privileges (such as root access) to an individual administrator, if
required.
The system records all commands that are run with sudo in /var/log/secure and only the security
administrator or security auditor can view these logs.
Only the root user can grant or deny all sudo-level access to administrators. If you are already
logged on when sudo access is granted, the access becomes available the next time you log on.
The sudo menu option in the userMgt script is only visible when the script is run by the root user.
Administrators who have sudo access need not know the root password of the system to invoke root
level commands; they use their own current passwords. The syntax for running commands with
sudo access is as follows:
> sudo <root-privileged command>
The system prompts for your administrator password the first time, and again after 10 minutes, if
you do not enter any other sudo commands.

Platform user management tool


Using the platform user management tool, User Configuration Manager, you can create and
manage user accounts of platform administrators. To gain access to User Configuration Manager,
log in with the System Security Administrator (SSA) or sudo login.

User Configuration Manager provides the following menu options for the SSA role and the sudo
login:
SSA role:
• Add a new user
• Delete a user
• Modify user roles
• Enable or disable the user local authentication
• List the users on the system
• Reset the user password
• Load the restored users
• Exit

sudo login:
• Add a new user
• Delete a user
• Modify user roles
• Enable or disable the user local authentication
• List the users on the system
• sudo access management
• Reset the user password
• Load the restored users
• Exit

Administrative account timers


The idle session timer automatically logs off administrators that are not actively using their sessions.
After the configured time elapses without administrator activity, the session closes automatically.
Changes to the idle session timer value do not affect existing sessions. Administrators
must log off and log back on for this configuration to take effect.
Use the pwConfig tool to specify the timeout value by configuring the Idle session timeout (seconds)
parameter. For more information, see Modifying password complexity rules–menu on page 23.

Account lockout
To reduce the effectiveness of password guessing attacks, you can configure account lockout on the
system. If you enable account lockout, the system temporarily locks an account after a specified
number of log on failures.
To enable account lockout, use the pwConfig tool to set the Deny after this many login failures
parameter to a value other than zero. To subsequently disable account lockout, change the
value back to zero.
To configure the length of time that the account remains locked out, use the pwConfig tool to
configure the Unlock account duration (seconds) parameter. If you disable account lockout, the
Unlock account duration parameter has no effect. For more information, see Modifying password
complexity rules–menu on page 23.

If the system locks an account because of consecutive failed attempts to log on, the administrator
cannot log on to the system until the lockout period expires. An SSA can unlock an administrator’s
account, during the lockout period, by using the userMgt tool to disable and subsequently enable the
locked out administrator. Additionally, after three consecutive failed access attempts, the SSH or
SFTP connection terminates and the user must re-establish the connection to log on.
After an account reaches the lockout threshold, the system generates a security log.
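The lockout behaviour described above, modelled as an added Python example (not Avaya code): the deny-after and unlock duration parameters, the three-failure connection drop for SSH/SFTP, the security log entry at the threshold, and the SSA disable/enable unlock. The injectable clock, the constructed password map, and the failure counter restarting once a lockout expires are assumptions.

```python
"""Model of the account-lockout behaviour described in this section.

Added example, not Avaya code. It uses the two pwConfig parameters as
described (deny-after with 0 meaning disabled, and the unlock duration),
the three-failures-per-connection rule for SSH/SFTP, the security log
entry at the threshold, and the SSA disable/enable unlock. The failure
counter restarting once a lockout expires is an assumption.
"""
from dataclasses import dataclass


@dataclass
class LockoutPolicy:
    deny_after: int = 0        # "Deny after this many login failures"; 0 disables lockout
    unlock_duration: int = 60  # "Unlock account duration (seconds)"


@dataclass
class Account:
    name: str
    enabled: bool = True
    failures: int = 0
    locked_until: float = 0.0  # epoch seconds; 0.0 means not locked


class LoginService:
    SSH_MAX_FAILURES = 3  # the connection terminates after three consecutive failures

    def __init__(self, policy, passwords, clock):
        self.policy = policy
        self.passwords = passwords  # constructed username -> password map
        self.clock = clock          # callable returning epoch seconds (injectable)
        self.accounts = {user: Account(user) for user in passwords}
        self.security_log = []

    def attempt(self, user, password, session):
        """One login attempt over the connection described by `session`.

        Returns 'ok', 'denied', 'locked', or 'disconnected' (the third
        consecutive failure on this connection drops it).
        """
        acct = self.accounts[user]
        now = self.clock()
        if acct.locked_until and now >= acct.locked_until:
            acct.locked_until = 0.0   # lockout period has expired
            acct.failures = 0         # assumption: the counter restarts
        if not acct.enabled:
            result = "denied"
        elif acct.locked_until:
            result = "locked"         # even a correct password is refused
        elif self.passwords[user] == password:
            acct.failures = 0
            session["failures"] = 0
            return "ok"
        else:
            acct.failures += 1
            result = "denied"
            if self.policy.deny_after and acct.failures >= self.policy.deny_after:
                acct.locked_until = now + self.policy.unlock_duration
                self.security_log.append(
                    f"{now:.0f} account {user} locked after {acct.failures} failures")
                result = "locked"
        session["failures"] = session.get("failures", 0) + 1
        if session["failures"] >= self.SSH_MAX_FAILURES:
            session["failures"] = 0
            return "disconnected"
        return result

    def ssa_unlock(self, user):
        """An SSA clears a lockout by disabling and re-enabling the account."""
        acct = self.accounts[user]
        acct.enabled = False
        acct.enabled = True
        acct.failures = 0
        acct.locked_until = 0.0
```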

Password complexity
You can configure password policy rules to define the appropriate characters used for administrator
passwords. The administrator configures these passwords using either /usr/bin/passwd or the
userMgt tool.
The password complexity settings only affect subsequently configured passwords; they do not affect
current passwords.
You manage password complexity on a per-server basis. There is no automatic password
complexity synchronization performed between servers. Therefore, if you change any value on one
server, you must manually change it on all of the other servers. For more information about the
parameters, see the following table. For more information about how to configure the parameters,
see Modifying password complexity rules–menu on page 23.

Table 1: Password complexity parameters

Minimum lowercase chars
  This parameter specifies the minimum number of lowercase characters (a–z) that the password
  must contain. The system rejects passwords that contain fewer lowercase characters.
  The range of values allowed is 0-10. Default: 2

Minimum uppercase chars
  This parameter specifies the minimum number of uppercase characters (A–Z) that the password
  must contain. The system rejects passwords that contain fewer uppercase characters.
  The range of values allowed is 0-10. Default: 2

Minimum digits
  This parameter specifies the minimum number of digit characters (0–9) that the password must
  contain. The system rejects passwords that contain fewer digit characters.
  The range of values allowed is 0-10. Default: 2

Minimum special chars
  This parameter specifies the minimum number of special characters that the password must
  contain. Special characters are: . @ -_ & ' ^ ? ! ( ) , / \ : ; ~ = +. The system rejects
  passwords that contain fewer special characters.
  The range of values allowed is 0-10. Default: 0

Minimum change chars
  This parameter specifies the minimum number of characters by which the new password must
  differ from the previous password. The system ignores this value if either one half of the
  characters in the new password are different, or if there are more than 23 characters in the
  new password.
  The range of values allowed is 0-10. Default: 0

Minimum password length
  This parameter specifies the minimum number of total characters a password must contain. The
  system rejects passwords that contain fewer characters.
  The range of values allowed is 4-32. Default: 8

Maximum consecutive repeat chars
  This parameter specifies the maximum number of times a given character can appear
  consecutively in a valid password. Configure the value to 0 (zero) to disable Maximum
  consecutive repeat chars.
  The range of values allowed is 0-10. Default: 0

Deny after this many login failures
  This parameter specifies the number of failed attempts to log in to an account before the
  account is locked. Default: 0

Unlock account duration (seconds)
  This parameter specifies the amount of time for which the account remains locked after log on
  failures. Default: 60

Old passwords to remember
  This parameter specifies the number of previous passwords the system remembers.
  Administrators cannot reuse any password on the remembered list. Regardless of the value of
  this parameter, administrators can never reuse the current password. Default: 0

Maximum password age (days)
  This parameter specifies the maximum number of days that an administrator's password can be
  used. After the specified number of days, the administrator must change the password to
  access the server. If you reduce this value, some existing passwords can immediately expire.
  Default: 90

Minimum password age (days)
  This parameter specifies the minimum number of days between password changes. This setting
  discourages administrators from immediately changing their passwords back to a previously
  used password (password flipping). Default: 1

Password change warning (days)
  This parameter specifies the number of days in advance that users receive a warning that
  their passwords will expire. If an administrator logs on within this number of days before
  expiry, a message appears to indicate that the password will expire soon. Default: 7

Idle session timeout (seconds)
  This parameter specifies the number of seconds a session can be idle before it times out.
  Default: 600 (10 minutes)

Maximum number of concurrent logins
  This parameter specifies the number of concurrent login sessions permitted for an account.

Important:
If the default password complexity configuration values (as shown in the preceding table) do not
meet your site requirements, Avaya recommends that you change the values immediately after
installation and deployment, and before you add administrators to the system.
The following non-configurable parameters also apply to password complexity:
• The system uses the Linux CrackLib library to ensure that the password is not based on the
username or on a dictionary word. This library manipulates the new password in various ways
to try and determine if the new password is based on the username or a dictionary word.
• Users must change their passwords during initial log on. Users cannot access the system with
the temporary passwords.
• The password cannot be a palindrome.
Note:
There is no enforcement of password complexity rules for the root user. Ensure that only a very
limited number of individuals know the root password for the servers. Also, take additional care
in choosing the root password since there is no enforcement.
The backup and restore process includes all files related to password complexity.
Related links
Modifying password complexity rules–menu on page 23

Password changes
When administrators use the UNIX passwd command to change their passwords, or when they
change the password during log on (for initial or expired passwords), the system applies all of the
enabled password complexity rules.
When an SSA uses the userMgt tool to change a password, the following rules do not apply:
• Password history (old passwords to remember)
• Case change from previous password
• Characters changed from previous password (Minimum change chars)
For more information about platform user account passwords, see Platform administrator security
management on page 23.
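As an added Python example (not the pwConfig, passwd or CrackLib code of the product), the following checker applies the Table 1 parameters, the non-configurable rules listed under Password complexity, and the userMgt exemptions described under Password changes to a candidate password. The dictionary word list is constructed, and the way differing characters are counted for Minimum change chars is an assumption.

```python
"""Checker for the password complexity rules described above.

Added example for this guide, not Avaya's pwConfig, passwd or CrackLib
code. Parameter names, ranges and defaults come from Table 1; the
CrackLib dictionary is replaced by a constructed word list; the way
"Minimum change chars" counts differing characters is an assumption.
"""
from dataclasses import dataclass
from itertools import groupby

# Special characters exactly as listed in the "Minimum special chars" row.
SPECIAL_CHARS = set(".@-_&'^?!(),/\\:;~=+")

# Constructed stand-in for the CrackLib dictionary.
DICTIONARY = {"password", "avaya", "conference", "welcome"}


@dataclass
class Policy:
    """The configurable pwConfig parameters, with the Table 1 defaults."""
    min_lower: int = 2
    min_upper: int = 2
    min_digits: int = 2
    min_special: int = 0
    min_change: int = 0
    min_length: int = 8
    max_repeat: int = 0   # 0 disables the consecutive-repeat check
    remember: int = 0     # "Old passwords to remember"

    def __post_init__(self):
        # Enforce the allowed ranges stated in Table 1.
        for name in ("min_lower", "min_upper", "min_digits", "min_special",
                     "min_change", "max_repeat"):
            if not 0 <= getattr(self, name) <= 10:
                raise ValueError(f"{name} must be in 0-10")
        if not 4 <= self.min_length <= 32:
            raise ValueError("min_length must be in 4-32")


def differing_chars(new, old):
    """Assumed metric: positions that differ, plus any length difference."""
    changed = sum(1 for a, b in zip(new, old) if a != b)
    return changed + abs(len(new) - len(old))


def check_password(new, username, policy=None, current=None, history=(),
                   via_usermgt=False):
    """Return the list of violated rule names; an empty list means accepted.

    `current` and `history` are consulted only for a passwd-style change:
    when an SSA changes a password with userMgt, the history and
    change-distance rules are skipped, as "Password changes" states.
    (The "case change from previous password" rule is not modelled.)
    """
    policy = policy or Policy()
    reasons = []
    if len(new) < policy.min_length:
        reasons.append("min_length")
    counts = {
        "min_lower": sum(c.islower() for c in new),
        "min_upper": sum(c.isupper() for c in new),
        "min_digits": sum(c.isdigit() for c in new),
        "min_special": sum(c in SPECIAL_CHARS for c in new),
    }
    for rule, have in counts.items():
        if have < getattr(policy, rule):
            reasons.append(rule)
    if policy.max_repeat and new:
        longest_run = max(len(list(run)) for _, run in groupby(new))
        if longest_run > policy.max_repeat:
            reasons.append("max_repeat")
    # Non-configurable rules from the "Password complexity" section.
    if len(new) > 1 and new == new[::-1]:
        reasons.append("palindrome")
    lowered = new.lower()
    uname = username.lower()
    if uname and (uname in lowered or uname[::-1] in lowered):
        reasons.append("username")
    if any(word in lowered for word in DICTIONARY):
        reasons.append("dictionary")
    # History and change-distance rules apply on the passwd path only.
    if current is not None and not via_usermgt:
        remembered = list(history)[-policy.remember:] if policy.remember else []
        if new == current:
            reasons.append("current_password")   # never reusable
        elif new in remembered:
            reasons.append("history")
        diff = differing_chars(new, current)
        ignored = diff >= len(new) / 2 or len(new) > 23
        if policy.min_change and not ignored and diff < policy.min_change:
            reasons.append("min_change")
    return reasons


if __name__ == "__main__":
    for candidate in ("Tk7wQz3m", "password1", "Ab12c21bA"):
        print(candidate, check_password(candidate, "ntsysadm") or "accepted")
```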

Inactive platform account auditing


You can configure the system to automatically lock out inactive platform administrator accounts after
a period of inactivity. If an administrator is locked out, that administrator cannot log in to the platform
without intervention by another administrator.

The system does not automatically delete locked out inactive administrator accounts. The site
administrator is responsible for monitoring locked out accounts and deleting them as needed.
Related links
Viewing the status of inactive account auditing on page 31
Enabling inactive account auditing on page 31
Disabling inactive account auditing on page 31

Root user access


On the Avaya Aura® Conferencing core servers, users assigned the System Security Administrator
(SSA) role and full-time sudo access have root-level access to the system. By default, after the
system installation, sudo access is enabled in the preconfigured accounts, such as ntsysadm
and init.
Root users must log on to the server using the console keyboard, video, and mouse. Root users
also must change the passwords when the users log in for the first time.
Although root users have unrestricted root-level privileges, Avaya Aura® Conferencing logs the
actions of SSA and sudo users because the users log in using individual user IDs.

Individual user accounts


Individual user accounts allow for full accountability and monitoring of individual actions. If the
installer chooses this option during server installation, the System Security Administrator (SSA)
must create each individual user account after the installation is complete. For more information
about installation, see the installation method for your system.
You manage user accounts on a per-server basis. Therefore, the SSA must create identical users
on each server within the system.
The SSA uses the user management tool (userMgt) to create, modify, and delete users. The SSA
configures the rules for administrator user names using the pwConfig tool.
Each individual user account has its own password, which is subject to the password complexity
rules. The SSA can disable or re-enable each individual user account as necessary. Individual user
accounts have a home directory in /home/<userid>. If the SSA removes the user account, the home
directory is also removed.

Preconfigured accounts
The installation process automatically creates the following user accounts:
• ntsysadm: This account has two roles: System Security Administrator (SSA) and Application
Administrator (AA). The primary role of this account is SSA. By default, the ntsysadm account
has sudo root access. You can remove full sudo access by logging in to User Configuration
Manager as a root user. This account replaces sysadmin in earlier releases.
• ntsecadm: The primary role of this account is Security Auditor (SA).
• ntappadm: The primary role of this account is AA, which replaces avaya in earlier releases.
• ntbackup: The primary role of this account is Backup Administrator (BA).
• ntdbadm: The primary role of this account is Database Administrator (DBA).
• ntossadm: The primary role of this account is OSS Administrator (OSS). An Operational
Support Server (OSS) uses this account to connect to an Avaya Aura® Conferencing server to
collect OSS logs.
• craft: The primary role of this account is AA, which is used for Avaya Services access.
• init: This account has three roles: SSA, DBA, and AA. The primary role of this account is SSA.
By default, the init account has sudo root access. You can remove full sudo access by logging
in to User Configuration Manager as a root user. This account is used for Avaya Services
access.
For more information about the installation, see the installation method for your system.
Use User Configuration Manager to manage all accounts, including the preconfigured accounts,
except the root account.
• The default password of the preconfigured accounts is password. Change the initial password
when you log in for the first time. To change the password for an account, log in to the account,
and type the command: #>passwd.
• ntossadm is protected using password authentication. The primary role of this account is OSS.
If account lockout is configured for the system, Avaya Aura® Conferencing locks this account if
you enter an incorrect password. Users with the SSA role can use User Configuration Manager
to reset the password for locked accounts.
• ntsysadm, the root account, and any account with the SSA role can be used to create
additional individual user accounts. Additional individual accounts are subject to the same
password complexity profile as the preconfigured accounts. Using ntsysadm, you can delete
preconfigured accounts. All preconfigured accounts are backed up and restored during the
backup and restore process.

Remote system accounts


Avaya Aura® Conferencing automatically creates the ntossadm remote system account.
Operational Support Server (OSS) uses this account to connect to an Avaya Aura® Conferencing
server and collect OSS logs.
If you do not use the remote system account, delete the account.

Administrator database backup


The server backup backs up the data from /admin, including the administrator database.
For more information about server backup, see Administering Avaya Aura® Conferencing.
To prevent restoration of passwords that do not comply with the site password complexity policy,
before backing up the administrator database:
• Configure new passwords that comply with the password policy for all accounts that are not
managed with User Configuration Manager. For example, accounts that are assigned the OSS
role.
• Ensure that the passwords of all accounts that are managed with User Configuration Manager
comply with the password policy. For example, ensure that users change the passwords for
accounts that were created before the password policy configuration.

Platform warning banners


The system displays warnings during the login process. When an administrator logs in, the system
displays:
• The /etc/issue banner before the administrator enters the username and password to log in
using the console, SSH, or SFTP.
• The /etc/motd banner after a successful login attempt using the console or SSH.

Important:
Perform backups after making changes to the warning banner files.
For more information, see Administering Avaya Aura® Conferencing.
Related links
Configuring platform warning banners on page 32

Chapter 3: Platform administrator security management

This chapter describes how to manage password complexity requirements, create individual user
accounts, and manage administrator role assignments to control access to the Avaya Aura®
Conferencing servers.
Log in as Security System Administrator (SSA) or as a root user to use the tools for platform
administrator security management.

Modifying password complexity rules–menu


About this task
Use this procedure to use the script to modify password complexity rules to ensure that user
passwords are more secure. Password complexity rules apply only to subsequently configured
passwords.
Procedure
1. Log on to the server as a user with SSA role.
2. Run the script to configure password complexity:
pwConfig
3. If you receive a prompt, enter your password.
4. Enter 1 to view the current configuration.
5. Press Enter to continue.
6. Enter 2 to change the current configuration.
7. Enter a value for Minimum lowercase chars.
8. Enter a value for Minimum uppercase chars.
9. Enter a value for Minimum digits.
10. Enter a value for Minimum special chars.
11. Enter a value for Minimum change chars.
12. Enter a value for Minimum password length.
13. Enter a value for Maximum consecutive repeat characters.
14. Enter a value for Deny after this many login failures.
15. Enter a value for Unlock account duration (seconds).
16. Enter a value for Old passwords to remember.
17. Enter a value for Maximum password age (days).
18. Enter a value for Minimum password age (days).
19. Enter a value for Password change warning (days).
20. Enter a value for Idle session timeout (seconds).
21. Enter a value for Maximum number of concurrent logins.
22. Press Enter to continue.
23. (Optional) If you want to cancel pending (unsaved) changes, enter 3.
24. Enter 4 to save pending changes.
25. Press Enter to continue.
26. Enter 5 to exit.
Related links
Password complexity on page 17

Configuring the GRUB password


Use this procedure to configure the Linux Grand Unified Bootloader (GRUB) password. The GRUB
password prevents unauthorized access to the bootloader.
Before you begin
You are a user with SSA role.
Procedure
1. Log on to the server as a user with SSA role.
2. Enter grubPWConfig at the prompt.
3. Enter c to configure the password.
4. Enter a policy-compliant GRUB password.
5. Re-enter the policy-compliant GRUB password.

Creating individual user accounts–menu


About this task
Use this procedure to create individual user accounts.
The following table provides the role to groups mapping.
Table 2: Role to groups mapping

Role                                 Groups
SSA—System Security Administrator    ntsysgrp, ntsecgrp, ntbackupgrp
SA—Security Auditor                  ntsecgrp
AA—Application Administrator         ntappgrp, ntossgrp
BA—Backup Administrator              ntbackupgrp
DBA—Database Administrator           ntdbgrp, ntappgrp
OSS—OSS Administrator                ntossgrp

Procedure
1. Log on to the server as a user with SSA role.
2. At the command prompt, enter:
userMgt
3. If prompted, enter your password.
4. Enter 1 to add a new user.
5. Enter a username for the new user.
6. Enter 0 to have the system select a user ID.
7. Enter the corresponding numbers for the user's roles.
The first role is the user's primary role. Separate multiple role entries with a comma (,).
8. Enter Y to continue adding users.
9. Enter the initial password for the user.
The user must change this password during the initial log on to gain access to the server.
10. Enter the initial password again.
You receive a prompt to continue adding users or to return to the main menu.

Deleting a user account


About this task
Delete individual users to prevent their access to the server. You cannot manage or delete the
following system accounts using User Configuration Manager:
• root
• ntappsw
• ntdbsw: Only for database systems
• sync
After deleting a user account, Avaya Aura® Conferencing deletes the associated root directory, located
at /home/<username>, and its contents. Avaya Aura® Conferencing then searches other locations for
files owned by the deleted user account. If it finds such files, Avaya Aura® Conferencing performs one
of the following actions, depending on the read and write permissions of the user:
• If the permissions are lower than the read and write permissions of the group, Avaya Aura®
Conferencing transfers the files to one of the following no-login system accounts:
User account    No-login account
SSA             ntsysnl
SA              ntsecnl
AA              ntappnl
BA              ntbackupnl
DBA             ntdbnl
OSS             ntossnl

Avaya Aura® Conferencing determines the account to transfer the files based on the primary
role of the deleted account. Avaya Aura® Conferencing does not display a warning before
transferring the files. You can keep the transferred files on the system or delete the files. Before
deleting the files, ensure that removing the files does not hinder the system operation.
• If the permissions are higher than or equal to the read and write permissions of the group,
Avaya Aura® Conferencing deletes the files. Transferring the files to a no-login account with
these settings could make the files unmanageable by the user accounts in the same group.
Avaya Aura® Conferencing displays a warning and a confirmation before deleting the files.
Procedure
1. Log on to the server as SSA.
2. At the command prompt, enter:
userMgt
3. If Avaya Aura® Conferencing prompts you for a password, type your password.
4. To delete a user, type 2.
5. From the list of users, select the user to delete by entering the associated number of the
user.
6. To confirm deleting the user, type Y.
If Avaya Aura® Conferencing finds files owned by the user to delete, Avaya Aura®
Conferencing displays a list of the files.
7. To delete the files, type Y.
8. To keep the files on the system, type N.

Modifying user roles—menu


About this task
Use this procedure to modify roles for a server administrator. You can also change the primary role
of the administrator.
Procedure
1. Log on to the server as a user with SSA role.
2. At the command prompt, enter:
userMgt
3. If you receive a prompt, enter your password.
4. Enter 3 to modify a user's roles.
5. From the list of users, enter the corresponding number for the user account that you want to
modify.
6. Enter the corresponding number for the user's roles (primary role first), separated by
commas (,). (Example: For the roles SSA and AA, enter 1, 5).
7. Enter Y to continue making modifications.
You receive a prompt to continue modifying roles for users or to return to the main menu.

Changing the state of a user account—menu


About this task
Disable a user's account to temporarily prevent access to the server with that account. Enable the
account to restore access.
If a user's account becomes locked because of failed attempts to log on, you can clear the lock by
disabling and then enabling the account again.
Procedure
1. Log on to the server as a user with SSA role.
2. At the command prompt:
userMgt
3. If you receive a prompt, enter your password.
4. Enter 4 to enable or disable a user account.
5. Enter the corresponding number for the user account that you want to enable or disable.
6. Enable or disable the account:
If the account is currently   Do this
Enabled                       Enter Y to disable the account, and go to Step 9.
Disabled                      Enter Y to enable the account, and go to Step 7.

7. Enter a new password for the user account.
The user must change this password during initial log on.
8. Enter the new password again.
9. Choose an action:
Choose to                          Do this
Change another account state       Enter Y.
Not change another account state   Enter N.
Exit                               Enter 8.

Listing server user accounts—menu


About this task
You can view a list of users currently configured on the server. The display shows 20 entries for
each page and lists the user name, userID, the user's configured state, the roles associated with
each account, and whether the user has sudo access to the system.
Procedure
1. Log on to the server as a user with SSA role.
2. At the command prompt:
userMgt
3. If you receive a prompt, enter your password.
4. Enter 5 to list the users currently configured on the server.
The screen displays up to 20 users.
5. You can choose to display the next 20 users or quit to the main menu.
To choose this                           Do this
Show the next 20 users (if applicable)   Press Enter.
Return to the main menu                  Type q and press Enter.

Managing sudo access—menu


Use this procedure to grant or revoke sudo access for user accounts.
Before you begin
You must be the root user.
Procedure
1. Log on to the server as root or a user with SSA role.
2. If you are an SSA, change to the root:
su - root
3. Enter the root password.
4. Run the user management tool:
userMgt.pl
5. Enter 6 to manage sudo access.
6. Enter the corresponding number for the user account for which you want to grant or deny
sudo access.
7. Grant or remove sudo access:
If the account currently    Do this
Has sudo access             Enter Y to remove sudo access.
Does not have sudo access   Enter Y to enable sudo access.

8. Choose whether to manage sudo access for another user account.
Choose to                                          Do this
Manage sudo access for another user account        Enter Y, and repeat Steps 6 through 8.
Not manage sudo access for another user account    Enter N to go back to the main menu.

9. Enter 9 to exit.

Resetting a platform user account password—menu


About this task
You can use the userMgt tool to change passwords for platform administrators. If an administrator is
locked out of the server because of failed attempts to log on, you can use the userMgt tool to reset
the user account password and clear the lock.
The user whose password you reset will be forced to change the password the next time that person
logs in after the reset.
Procedure
1. Log on to the server as a user with SSA role.
2. At the command prompt:
userMgt
3. If you receive a prompt, enter your password.
4. Enter 6 to reset a user password.
5. Enter the corresponding number for the user whose password you want to reset.
6. Enter a new password for the user account and confirm by entering the new password again.
A prompt displays asking to reset a password for another user or return to the main menu.
7. Reply to the prompt with the desired action.

Changing a platform user account password using CLI


About this task
Change your platform administrator password from the command line. Platform administrator
accounts are managed independently on each Avaya Aura® Conferencing server.
Procedure
1. Log on to the server.
2. Enter the following UNIX command to change the password:
passwd
3. At the prompt, enter the current UNIX platform password for the account.
4. Enter the new UNIX platform password for the account.
5. Re-enter the new UNIX platform password for the account.

Viewing the status of inactive account auditing


Use this procedure to view the status of inactive account auditing.
Before you begin
You are a user with SSA role.
Procedure
1. Log on to the server as a user with SSA role.
2. At the command prompt, enter configInactiveLoginAudit.
3. At the command prompt, enter d.
Related links
Inactive platform account auditing on page 19

Enabling inactive account auditing


Use this procedure to enable inactive account auditing.
Before you begin
You are a user with SSA role.
Procedure
1. Log on to the server as a user with SSA role.
2. At the command prompt, enter configInactiveLoginAudit.
3. At the command prompt, enter c.
4. To turn on the audit, enter Y.
5. To exempt the login accounts from the audit, enter Y.
6. Press Enter to accept the default list of exempted accounts.
7. For the Maximum number of inactive days before login account is locked value, enter
the number of days of account inactivity prior to account lock out. The range is 4 to 364.
Related links
Inactive platform account auditing on page 19

Disabling inactive account auditing


Use this procedure to disable inactive account auditing.
Before you begin
You are a user with SSA role.
Procedure
1. Log on to the server as a user with SSA role.
2. At the command prompt, enter configInactiveLoginAudit.
3. At the command prompt, enter c.
4. At the prompt to turn on the audit, enter N.

Important:
After you disable inactive account auditing, the system does not re-enable previously
locked out administrator accounts. You must manually re-enable any locked out
administrator accounts.
Related links
Inactive platform account auditing on page 19

Configuring platform warning banners


Use this procedure to configure warning banners to display a message before users enter their user
names and passwords, and another message after a successful log on. Warning banners typically
state the legal implications of logging on to a system.
Important:
Repeat this procedure for each server in your Avaya Aura® Conferencing system.
Before you begin
You are a user with SSA role.
Procedure
1. Use a text editor to create or modify <issue_filename>. <issue_filename> is the name of the
text file that contains the message that appears before log on.
2. Use a text editor to create or modify <motd_filename>. <motd_filename> is the name of the
text file that contains the message that appears after a successful log on.
3. Connect to the server as a user with SSA role by using SFTP or SCP.
4. Transfer <issue_filename> and <motd_filename> to /var/tmp.
5. Log on to the server as an SSA user with SSH.
6. Copy the files from /var/tmp to /etc directory:
cp /var/tmp/<issue_filename> /etc/issue
cp /var/tmp/<motd_filename> /etc/motd
Related links
Platform warning banners on page 22

Chapter 4: Security configuration and management overview

This chapter contains information about system security configuration and management.

Application local administrator account security


Element Manager Console and Provisioning Client support six local administrator accounts for
configuration and management of Avaya Aura® Conferencing. These local administrator accounts
have common security rules for password complexity, password aging, password history, and the
login session constraints. You can configure these rules using Element Manager Console.
For more information about how to use Element Manager Console, see Administering Avaya Aura®
Conferencing.
Log in using the single sign-on account in Avaya Aura® System Manager to administer Avaya Aura®
Conferencing. You need a local login account to change the configuration of the local login
accounts.
If you modify the password rules, the current passwords of local administrator accounts might not
comply with the new rules. However, the local administrators can use the current passwords until
the passwords expire. Avaya Aura® Conferencing enforces the password rules only when you create
or change a password.
Related links
Application administrator security configuration and management on page 55

Local administrator account password complexity


The following table lists the parameters that you use to configure password complexity for
administrator user accounts.

Table 3: Password complexity parameters

Parameter                                            Description
Minimum Password Length                              This parameter specifies the minimum number of total
                                                     characters a password must contain.
                                                     The range of values allowed is 4-32. Default: 8.
                                                     The Minimum Password Length must be equal to or
                                                     greater than the total of the Minimum Lowercase
                                                     Characters, Minimum Uppercase Characters, Minimum
                                                     Digit Characters, and Minimum Special Characters. If
                                                     Check For Dictionary Words in Password is enabled,
                                                     the Minimum Password Length value must be 6 or more.
Minimum Lowercase Characters                         This parameter specifies the minimum number of
                                                     lowercase characters (a–z) that the password must
                                                     contain.
                                                     The range of values allowed is 0-10. Default: 2
Minimum Uppercase Characters                         This parameter specifies the minimum number of
                                                     uppercase characters (A–Z) that the password must
                                                     contain.
                                                     The range of values allowed is 0-10. Default: 2
Minimum Digits                                       This parameter specifies the minimum number of digit
                                                     characters (0–9) that the password must contain.
                                                     The range of values allowed is 0-10. Default: 2
Minimum Special Characters                           This parameter specifies the minimum number of
                                                     special characters that the password must contain.
                                                     Special characters are: ! # $ % * . @ - _ { } & ' ^
                                                     ? ! ( ) , / \ : ; ~ = +
                                                     The range of values allowed is 0-10. Default: 0
Maximum Consecutive Characters                       This parameter specifies the maximum number of times
                                                     a given character can appear consecutively in a
                                                     valid password. Configure the value to 0 (zero) to
                                                     disable Maximum Consecutive Characters.
                                                     The range of values allowed is 0-10. Default: 0
Minimum Characters Different from Previous Password  This parameter specifies the minimum number of
                                                     characters by which the new password must differ
                                                     from the previous password. The system ignores this
                                                     value if either one half of the characters in the
                                                     new password are different, or if there are more
                                                     than 23 characters in the new password.
                                                     The range of values allowed is 0-10. Default: 0
Password History                                     This parameter specifies the size of the password
                                                     history maintained by the system for each user. The
                                                     system rejects the reuse of any password found in
                                                     the user's history. To disable password history
                                                     validation, set this value to 0 (zero).
                                                     The range of values allowed is 0-24. Default: 1
User ID or Reversed User ID Permitted in Password    Select this check box if you want to allow the
                                                     password to include the user's ID or the user's ID
                                                     reversed.
Check for Dictionary Words in Password               Select this check box if you want to prevent
                                                     administrators from using passwords that are derived
                                                     from dictionary words. When this setting is enabled,
                                                     the system checks whether dictionary words are used
                                                     in the password.
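As an added illustration, not Avaya's pwConfig or Element Manager code, the following Python checker applies the Table 3 parameters (which mirror the pwConfig menu items in Chapter 3) to a candidate password and also validates the configuration constraints the table states. The position-wise definition of "characters different", the substring-match dictionary check, the policy values and the sample passwords are assumptions constructed for this example.

```python
from dataclasses import dataclass

# Hypothetical policy checker written for this guide's parameters; not Avaya code.
# Special characters as listed in Table 3.
SPECIAL_CHARS = set("!#$%*.@-_{}&'^?(),/\\:;~=+")


@dataclass
class PasswordPolicy:
    min_length: int = 8             # Minimum Password Length, 4-32
    min_lowercase: int = 2          # Minimum Lowercase Characters, 0-10
    min_uppercase: int = 2          # Minimum Uppercase Characters, 0-10
    min_digits: int = 2             # Minimum Digits, 0-10
    min_special: int = 0            # Minimum Special Characters, 0-10
    max_consecutive: int = 0        # Maximum Consecutive Characters, 0 disables
    min_chars_different: int = 0    # Minimum Characters Different from Previous Password, 0 disables
    password_history: int = 1       # Password History, 0 disables
    allow_user_id: bool = False     # User ID or Reversed User ID Permitted in Password
    check_dictionary: bool = False  # Check for Dictionary Words in Password
    dictionary: frozenset = frozenset()

    def validate_config(self):
        """Return the Table 3 consistency errors for this configuration (empty if none)."""
        errors = []
        if not 4 <= self.min_length <= 32:
            errors.append("Minimum Password Length must be 4-32")
        per_class = (self.min_lowercase + self.min_uppercase
                     + self.min_digits + self.min_special)
        if self.min_length < per_class:
            errors.append("Minimum Password Length must be >= sum of the per-class minimums")
        if self.check_dictionary and self.min_length < 6:
            errors.append("Minimum Password Length must be >= 6 with dictionary checking")
        return errors


def longest_run(s):
    """Length of the longest run of one character appearing consecutively."""
    best = run = 0
    prev = None
    for ch in s:
        run = run + 1 if ch == prev else 1
        prev, best = ch, max(best, run)
    return best


def chars_different(new, old):
    """Positions that differ, plus any length difference (assumed definition)."""
    return sum(a != b for a, b in zip(new, old)) + abs(len(new) - len(old))


def check_password(policy, password, user_id, history=()):
    """Return the names of the violated rules; [] means the password is acceptable.
    history[0] is the previous password, history[1] the one before it, and so on."""
    violations = []
    counts = {
        "lowercase": sum(c.islower() for c in password),
        "uppercase": sum(c.isupper() for c in password),
        "digits": sum(c.isdigit() for c in password),
        "special": sum(c in SPECIAL_CHARS for c in password),
    }
    if len(password) < policy.min_length:
        violations.append("length")
    for name, minimum in (("lowercase", policy.min_lowercase),
                          ("uppercase", policy.min_uppercase),
                          ("digits", policy.min_digits),
                          ("special", policy.min_special)):
        if counts[name] < minimum:
            violations.append(name)
    if policy.max_consecutive and longest_run(password) > policy.max_consecutive:
        violations.append("consecutive")
    # Table 3: ignored when at least half of the new password's characters differ,
    # or when the new password is longer than 23 characters.
    if policy.min_chars_different and history:
        diff = chars_different(password, history[0])
        ignored = diff >= len(password) / 2 or len(password) > 23
        if not ignored and diff < policy.min_chars_different:
            violations.append("different")
    if policy.password_history and password in history[:policy.password_history]:
        violations.append("history")
    if not policy.allow_user_id and user_id:
        lowered, uid = password.lower(), user_id.lower()
        if uid in lowered or uid[::-1] in lowered:
            violations.append("user_id")
    # Assumed: "derived from dictionary words" is treated as a case-insensitive substring match.
    if policy.check_dictionary:
        lowered = password.lower()
        if any(word.lower() in lowered for word in policy.dictionary):
            violations.append("dictionary")
    return violations
```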

Local administrator account password aging


The following table lists the parameters that control the length of time that a password remains valid
and expiration notification.

Table 4: Password aging parameters

Name                            Description
Maximum Password Life (days)    This parameter specifies the maximum number of days that an
                                administrator's password can be used before it expires. After the
                                specified number of days, the administrator must change the password
                                to access the server. To disable password expiration, set this value
                                to 0 (zero).
                                The range of values allowed is 0-180 days. Default: 90
Minimum Password Life (hours)   This parameter specifies the minimum number of hours between
                                password changes. This setting discourages administrators from
                                immediately changing their passwords back to a previously used
                                password (password flipping). To permit users to change their
                                passwords as often as they want, set this value to 0 (zero). If not
                                set to 0, the minimum password life must be less than the maximum
                                password life.
                                The range of values allowed is 0-480 hours (20 days). Default: 1
Expiry Notification (days)      This parameter specifies the number of days in advance that users
                                receive a warning that their passwords will expire. To disable expiry
                                notification, set this value to 0 (zero). If not set to 0, the expiry
                                notification must be less than the maximum password life and greater
                                than the minimum password life.
                                The range of values allowed is 0-30 days. Default: 7

When editing a local administrator account, the security administrator can override the Maximum
Password Life value, and thereby apply a different maximum life to an administrator's password.

Local administrator account log on session constraints


Log on session constraints control the length of time that a local administrator account session can
remain idle, before the system forces the administrator to reauthenticate. You configure these rules
separately for the Element Manager Console—Open Management Interface (OMI) and the
Provisioning Client, by using Element Manager Console.
Note:
These log on session constraints do not apply to single sign-on account sessions through Avaya
Aura® System Manager.
Configure the following parameters for local administrator account log on sessions:
• Session Timeout: This rule defines the maximum number of minutes a session can be idle
before an administrator must reauthenticate. The range of values for this parameter is 0-120.
Configure the value to 0 (zero) to disable session timeout. You cannot disable session timeout
for the Avaya Aura Provisioning Client. For Configuration Management clients (which include
Element Manager Console), after a session times out, any write or maintenance operations
require reauthentication; read operations continue to function normally.
• Failed Login Attempts before Lockout: This rule defines the maximum number of successive
failed attempts to log on, allowed before the system locks the administrator's account. The
range of values for this parameter is 0-10. Configure the value to 0 (zero) to disable lockout
and to allow an unlimited number of successive failed login attempts. A value other than zero
represents an inclusive number of attempts. Therefore, if the value is 1 (one), a single failure
causes the administrator's account to become immediately locked. The system rejects further
login attempts until the lockout duration expires.
• Lockout Duration: This rule defines the number of minutes that an administrator's account
remains locked after reaching the maximum number of successive failed login attempts. The
range of values for this parameter is 1-60.
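The following Python model, added here and not Element Manager code, exercises the three constraints above so that the inclusive lockout count (a value of 1 locks on the first failure), the 0-disables cases and the idle timeout can be checked; the return strings, account names and timestamps are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, Optional

# Hypothetical model of the log on session constraints; not Avaya code.


@dataclass
class SessionConstraints:
    session_timeout_min: int = 15            # Session Timeout, 0-120 minutes; 0 disables
    failed_attempts_before_lockout: int = 3  # 0-10; 0 disables lockout
    lockout_duration_min: int = 1            # Lockout Duration, 1-60 minutes


@dataclass
class AccountState:
    failures: int = 0                        # successive failed attempts
    locked_until: Optional[datetime] = None


class LoginGuard:
    """Tracks successive failed log on attempts per account and enforces the lockout."""

    def __init__(self, policy):
        self.policy = policy
        self.accounts: Dict[str, AccountState] = {}

    def attempt(self, user, credentials_ok, now):
        """Return "locked", "success" or "failure" for one log on attempt made at `now`."""
        state = self.accounts.setdefault(user, AccountState())
        # A locked account rejects every attempt, right or wrong, until the duration expires.
        if state.locked_until is not None:
            if now < state.locked_until:
                return "locked"
            state.locked_until = None
        if credentials_ok:
            state.failures = 0   # a success ends the run of successive failures
            return "success"
        state.failures += 1
        limit = self.policy.failed_attempts_before_lockout
        # The limit is inclusive: with a value of 1, a single failure locks the account.
        if limit and state.failures >= limit:
            state.locked_until = now + timedelta(minutes=self.policy.lockout_duration_min)
            state.failures = 0
            return "locked"
        return "failure"

    def is_locked(self, user, now):
        state = self.accounts.get(user)
        return state is not None and state.locked_until is not None and now < state.locked_until


def needs_reauthentication(policy, last_activity, now):
    """Session Timeout: idle for at least the configured minutes requires a fresh log on."""
    if policy.session_timeout_min == 0:
        return False
    return now - last_activity >= timedelta(minutes=policy.session_timeout_min)


def run_scenario():
    """Constructed walk-through; returns the outcomes so they can be checked."""
    t0 = datetime(2013, 5, 1, 12, 0, 0)
    guard = LoginGuard(SessionConstraints(failed_attempts_before_lockout=2, lockout_duration_min=1))
    lockout = [
        guard.attempt("admin", False, t0),                          # "failure"
        guard.attempt("admin", False, t0 + timedelta(seconds=10)),  # second failure: "locked"
        guard.attempt("admin", True, t0 + timedelta(seconds=30)),   # right password, still "locked"
        guard.attempt("admin", True, t0 + timedelta(seconds=70)),   # one minute elapsed: "success"
    ]
    single = LoginGuard(SessionConstraints(failed_attempts_before_lockout=1))
    disabled = LoginGuard(SessionConstraints(failed_attempts_before_lockout=0))
    timeout = SessionConstraints(session_timeout_min=15)
    return {
        "lockout": lockout,
        "single_failure": single.attempt("admin1", False, t0),                       # "locked"
        "lockout_disabled": [disabled.attempt("admin2", False, t0) for _ in range(10)],
        "idle_14": needs_reauthentication(timeout, t0, t0 + timedelta(minutes=14)),  # False
        "idle_15": needs_reauthentication(timeout, t0, t0 + timedelta(minutes=15)),  # True
        "idle_disabled": needs_reauthentication(SessionConstraints(session_timeout_min=0),
                                                t0, t0 + timedelta(days=1)),         # False
    }
```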

Application local administrator account security defaults


The following table contains the default application security rules for the local administrator
accounts:
• The session timeout for User Configuration Manager is 0 minutes, which indicates no timeout.
• The session timeout for Provisioning Client is 15 minutes.
Field                                              Default value
Password                                           • admin: admin
                                                   • admin1: admin1
                                                   • admin2: admin2
                                                   • admin3: admin3
                                                   • admin4: admin4
                                                   • admin5: admin5
Minimum Password Length                            4
Minimum Lowercase Characters                       0
Minimum Uppercase Characters                       0
Minimum Digits                                     0
Minimum Special Characters                         0
Maximum Consecutive Characters                     0
Minimum Characters Different From Previous         0
Password
Password History                                   1
                                                   Users cannot reuse the current password.
User ID or Reversed User ID Permitted in Password  TRUE
Check For Dictionary Words in Password             FALSE
Maximum Password Life                              0
                                                   0 indicates no expiry.
Minimum Password Life                              0
                                                   0 indicates that users can change the password
                                                   immediately after creating a new password or
                                                   changing a password.
Expiry Notification                                0
                                                   0 indicates that no notifications are generated.
Lockout Duration                                   1
Account Inactivity Period                          0

Avaya Aura® Conferencing SNMP Community Strings


You can update Avaya Aura® Conferencing SNMP Community Strings using Element Manager
Console. To change the SNMP Community String, you must create a new profile (you cannot modify
existing SNMP profiles) and then assign it to each server.

Changing the Element Manager SNMP community string


Before you begin
Ensure that all Avaya Aura® Conferencing servers are online, and you can connect to the servers
through the active Element Manager server.
About this task
Use this procedure to change the SNMP community string of servers that are online and reachable
on the network.
Procedure
1. In the navigation pane of Element Manager Console, select Feature Server Elements >
SNMP Profiles.
2. In the SNMP Profiles window, click Add (+).
3. In the Add Server SNMP Profiles dialog box, configure the following parameters:
• Profile Name: SNMP profile name
• Read Community String: SNMP Read Community string
• Write Community String: SNMP Write Community string
4. Click Apply, and close the SNMP Profile window.
5. In the navigation pane of Element Manager Console, select Servers.
6. In the Servers window, select the server, and click Edit (-/+).
7. In the Edit Server dialog box, from the SNMP Profile drop-down list, select the appropriate
SNMP profile name.
8. Click Apply.
9. Repeat Steps 7 to Step 10 for each server.
If you add new servers, ensure that you select the new SNMP profile for the new server.

Internal database account security


During database installation, the system creates a system-level account with a static name, and
randomly generates a password. A System Security Administrator (SSA) can reset the password for the
system-level account, should security policy require it. For more information, see Database
password management on page 47.

Database application security


There are two accounts for database management:
• Schema account
• Application account
For more information about how to change the passwords for these accounts, see Database
password management on page 47.

File system integrity


The installation software contains a file system integrity (FSI) tool called fcheck. Use this tool to
monitor changes in the file system for unauthorized modifications. Only the user with SSA role or the
root user can run the fcheck tool commands.
With this tool, you can create FSI baselines for later verification, to detect unauthorized changes to
the file system. A baseline is the snapshot of all the system files including their size and
permissions, at the time of baseline creation. The verification process detects the following changes:
• Addition and removal of files
• Modification of files and attributes
• File sizes and MD5 signatures
The operating system (OS) and Avaya Aura® Conferencing software modify files and directories as
a normal function of operation. Baseline checking excludes all log files and log directories, because
of their nature (with respect to file system changes). The following OS and Avaya Aura®
Conferencing directories are included in baseline checking:
• /var/mcp/dropbox
• /var/mcp/dropbox/.auditLoads_chksumCache
• /var/mcp/run/<MCP_release>/EM_0/work
• /var/mcp/run/<MCP_release>/loads_0
• /var/mcp/run/<MCP_release>/loads_0/bin
• /var/mcp/run/<MCP_release>/loads_0/work
• /etc/adjtime
• /etc/ntp
• /etc/ntp/ntp.drift
• /etc/ntp/ntpstats/peerstats
• /var/mcp/os/baselines
• /opt/mcp/uvscan/result.txt
• /opt/mcp/fcheck
Avaya recommends that you create FSI baselines weekly and after significant changes to the file
system (such as software installation).

Verification reports
After verification, fcheck reports findings of changes to the monitored files and directories, to
standard out (STDOUT). The tool reports file and directory changes by using the keyword stat on file
or dir. The tool checks the following file and directory attributes for changes: Inode number,
permission, file size, time of last status change, file UID, file GID, and file CRC hash.

FSI baseline management


The system stores FSI baseline files in the /var/mcp/os/baselines directory. If the directory contains
more than 15 files, a warning message appears on STDOUT when you run the fcheck tool. The
system also generates syslog messages to remind you to back up the older baseline files to
prevent the partition from filling up.
You can list all of the baselines currently on the system; the file marked baseline is the one the
system uses for verification. You can also choose a new baseline file for verification (unset the
current file and set another).

FSI baseline exclusions


Some files and directories on the system change on a regular basis. Because the verification
process would always report these files as changed, they are not good candidates for monitoring.
The excluded files and directories are as follows:
/var/mcp/os/baselines/baseline.dbf
/var/mcp/oss/log/
/dev/core
/dev/fd
/dev/stderr
/dev/stdin
/dev/stdout
/var/mcp/db/data/adump/
/var/mcp/run/ned/ned.log
/var/mcp/spool/log/
/var/mcp/spool/om/
/var/mcp/spool/tmom/
/var/mcp/ma/MAS/common/log/
/var/mcp/ma/MAS/platdata/CStore/
/var/mcp/ma/MAS/platdata/ConfMP/
/var/mcp/ma/MAS/platdata/IvrMP/
/var/mcp/ma/MAS/platdata/MySQL/
/var/mcp/ma/MAS/platdata/PerfCounterAgent/
/var/mcp/ma/MAS/platdata/Reporter/
/var/mcp/ma/MAS/platdata/Soapserver/
/var/mcp/ma/MAS/platdata/StreamSource/
/var/mcp/ma/MAS/platdata/ase/
/var/mcp/ma/MAS/platdata/ccxml/
/var/mcp/ma/MAS/platdata/tmpdir/
/var/mcp/ma/MAS/platdata/vxmli/

FSI baseline backup and restore


An SSA user, such as ntsysadm, can back up and restore FSI baseline files from a local server or a
remote server.
For more information, see Administering Avaya Aura® Conferencing.

Configuration file
The fcheck configuration file is located at /opt/mcp/fcheck. The fcheck tool uses the following
configuration attributes to specify the files and directories to be monitored:
• Directory: specifies a directory to be monitored. A forward slash (/) at the end of the directory
path indicates recursive directory monitoring.
• Exclusion: excludes directories and files that are not intended for monitoring, such as log files
that are known to change frequently on an ongoing basis.
Important:
Use the configuration file only for troubleshooting purposes.
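To make the baseline-and-verify cycle of the File system integrity sections concrete, here is an added Python tool modelled on the description above; it is not Avaya's fcheck. It parses Directory and Exclusion attributes (trailing slash meaning recursive), snapshots the attributes listed under Verification reports plus an MD5 signature, and reports additions, removals and "stat on file/dir" changes. The "Directory = path" and "Exclusion = path" syntax, the report wording and the temporary file tree used in the demo are assumptions constructed for this example.

```python
import hashlib
import os
import stat
import tempfile

# Hypothetical baseline/verify tool modelled on the fcheck description in this guide; it is not
# Avaya's fcheck. "Directory = <path>" / "Exclusion = <path>" syntax and report wording are assumed.

def parse_config(text):
    """Return (directories, exclusions) from Directory/Exclusion lines; '#' starts a comment."""
    directories, exclusions = [], []
    for raw in text.splitlines():
        key, sep, value = raw.split("#", 1)[0].partition("=")
        if not sep:
            continue
        key, value = key.strip().lower(), value.strip()
        if key == "directory":
            directories.append(value)
        elif key == "exclusion":
            exclusions.append(value)
    return directories, exclusions

def is_excluded(path, exclusions):
    """True if path is an excluded entry or lies beneath an excluded directory."""
    for entry in exclusions:
        base = entry.rstrip("/") or "/"
        if path == base or path.startswith(base.rstrip("/") + "/"):
            return True
    return False

def signature(path):
    """Attributes the guide lists for verification: inode, permission, size, ctime, UID, GID, hash."""
    st = os.lstat(path)
    sig = {"type": "dir" if stat.S_ISDIR(st.st_mode) else "file", "inode": st.st_ino,
           "perm": stat.S_IMODE(st.st_mode), "size": st.st_size, "ctime": int(st.st_ctime),
           "uid": st.st_uid, "gid": st.st_gid}
    if stat.S_ISREG(st.st_mode):  # MD5 signature for regular files only
        digest = hashlib.md5()
        with open(path, "rb") as f:
            for chunk in iter(lambda: f.read(65536), b""):
                digest.update(chunk)
        sig["md5"] = digest.hexdigest()
    return sig

def build_baseline(directories, exclusions):
    """Snapshot every monitored path; a trailing '/' on a Directory entry means recursive."""
    baseline = {}
    for entry in directories:
        top = entry.rstrip("/") or "/"
        paths = [top]
        if entry.endswith("/"):
            for d, dirs, files in os.walk(top):
                paths += [os.path.join(d, n) for n in dirs + files]
        else:  # non-recursive: only the directory itself and its immediate entries
            paths += [os.path.join(top, n) for n in os.listdir(top)]
        for p in paths:
            if not is_excluded(p, exclusions):
                baseline[p] = signature(p)
    return baseline

def verify(baseline, current):
    """Report additions, removals and attribute changes as 'stat on file' / 'stat on dir'."""
    findings = []
    for path in sorted(set(baseline) | set(current)):
        if path not in current:
            findings.append(f"DELETION: {path}")
        elif path not in baseline:
            findings.append(f"ADDITION: {path}")
        else:
            old, new = baseline[path], current[path]
            changed = [k for k in old if old[k] != new.get(k)]
            if changed:
                findings.append(f"stat on {old['type']}: {path} ({', '.join(changed)})")
    return findings

def run_demo():
    """Constructed scenario in a temp tree: baseline, tamper, verify; temp root is stripped."""
    root = tempfile.mkdtemp()
    def write(rel, data):
        full = os.path.join(root, rel.lstrip("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w") as f:
            f.write(data)
    for rel, data in (("/etc/issue", "Authorized use only\n"), ("/etc/motd", "Welcome\n"),
                      ("/etc/ntp/ntp.drift", "0.001\n"), ("/var/log/messages", "log line 1\n"),
                      ("/opt/mcp/fcheck/fcheck.cfg", "Directory = /etc/\n")):
        write(rel, data)
    config = (f"Directory = {root}/etc/\nDirectory = {root}/var/\n"  # trailing '/': recursive
              f"Directory = {root}/opt\n"                             # no '/': /opt's entries only
              f"Exclusion = {root}/etc/ntp/ntp.drift\nExclusion = {root}/var/log/\n")
    directories, exclusions = parse_config(config)
    baseline = build_baseline(directories, exclusions)
    # Tamper: edit a banner, add a file, remove a file, then touch excluded and unmonitored paths.
    write("/etc/issue", "Authorized use only -- edited\n")
    write("/etc/new.conf", "x\n")
    os.remove(os.path.join(root, "etc/motd"))
    write("/etc/ntp/ntp.drift", "0.002\n")
    write("/var/log/messages", "log line 2\n")
    write("/opt/mcp/fcheck/fcheck.cfg", "Directory = /etc\n")
    findings = verify(baseline, build_baseline(directories, exclusions))
    return [f.replace(root, "") for f in findings]
```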

Application logging
After you harden the Avaya Aura® Conferencing application logging, the system writes network
element (NE) logs to the following directories on the servers hosting the Element Manager Console
NEs:
• Non-security logs: /var/mcp/oss/log/EM/nonSecurity
• Security logs: /var/mcp/oss/seclog/EM/security
Users in the AA role can view the non-security logs. Only users in the SSA or SA roles can view the
security logs.
Important:
You must remove these logs after you undeploy the network element instance.
In addition to the NE logs, the Element Manager Console and Provisioning Manager NEs also write
access logs to the platform.
The Element Manager Console writes logs to the /var/mcp/run/<MCP version>/<EM_NEI_name>/
tomcat/logs/ directory. The <EM_NEI_name> is the instance name of the Element Manager Console
on that server. For example EM1_0 denotes the primary Element Manager Console instance.
The Provisioning Manager writes logs to the /var/mcp/run/<MCP version>/<Prov_NEI_name>/
tomcat/log/ directory. The <Prov_NEI_name> is the instance name of the Provisioning Manager on
that server. For example PROV1_0 denotes the primary Provisioning Manager instance.

Web server logs


You can enable web server logs on Element Manager Console and Provisioning Manager.

After enabling web server logs, the system writes the logs to the NE application logs. These logs are
found in /var/mcp/oss/log/EM/all/MCP/<NE> on the Avaya Aura® Conferencing application server.

Security logs
This section contains information about security logs.

Syslog
The system stores syslogs and security-related syslogs in the /var/log directory. Administrators who
have the role of SA or SSA can view syslogs. Only the root user can delete syslogs from the
system. However, the SA can force the logs to rotate by using the logrotate command.
By default, syslogs rotate daily and store up to 15 days worth of logs. After 15 days, the system
deletes the oldest log on a daily basis. Avaya recommends that you transfer the logs from the server
within 15 days, to prevent the loss of any log files after file rotation.
You can also configure the system to send syslogs to a syslog server. This configuration typically
occurs during system installation, but the SSA can choose to configure this at run time by issuing
the reconfigure script. You must configure the remote syslog server as a trusted node, if an ACL
firewall is configured on the system.

System audit
Avaya Aura® Conferencing generates audit logs to monitor administrator behavior. Only users with the
Security Auditor (SA) or System Security Administrator (SSA) role can view these logs. The audit logs
contain the following data:
• Time and date of action
• User ID and PID of action
• Command issued
• Success or fail status
• Object changed
• Terminal type
• Exit code
Avaya Aura® Conferencing stores the audit logs at /var/log/audit. By default, the logs rotate
daily, and Avaya Aura® Conferencing stores the logs for a maximum of 15 days. SSA or SA can
force the audit logs to rotate using the logrotate command. Only the root user or SSA can delete
audit logs.


If Avaya Aura® Conferencing cannot write to the audit log, Avaya Aura® Conferencing sends a failure
message to syslog.
When the free disk space in the partition is less than 750 MB, Avaya Aura® Conferencing sends a
warning message to syslog. When the free disk space is less than 250 MB, Avaya Aura®
Conferencing sends another message to syslog to indicate that the disk is full and logging might
stop. If the disk partition is full, back up the logs, log in with root-level access, and delete the logs.
To view the current audit rules, on the Avaya Aura® Conferencing core server or Avaya Media
Server, log in as SSA, and open the /etc/audit/audit.rules. The rules are specific to either
the Avaya Aura® Conferencing core server or Avaya Media Server, so different servers display
different sets of rules.

Warning:
Do not change the audit rules file. If you change the file, auditing might stop.
Typically, system audit configuration occurs during initial installation. SSA can configure audit log
settings using the configAudit command. You can also configure audit log settings by running
the reconfigure script. If you change the audit log configuration, restart the system.
SSA or SA can use the following tools to view audit logs:
• aureport: Generate a summarized report from the audit logs.
• ausearch: Search the audit logs for patterns. Run ausearch --help for usage instructions.
Users in the SSA or SA roles can also view the audit logs using vi and grep.
Audit logs can be archived and transferred to another server for archiving or filtering. Avaya Aura®
Conferencing does not delete the audit logs on the server, but transfers a copy of the logs. You must
be a root user to delete logs and free disk space.
For more information, see Administering Avaya Aura® Conferencing.
Related links
File activity in restricted areas on page 45

Failed logons
To view failed log on attempts, use the grep command on the audit log files and search for the
words "authentication" and "failed". The following example shows a failed login, searched from the
server command line:
> grep authentication /var/log/audit/* | grep failed
/var/log/audit/audit.log:type=USER_AUTH
msg=audit(1273507587.172:8886): user pid=3739 uid=0 auid=4294967295
msg='PAM: authentication acct="ntsysadm" : exe="/usr/sbin/sshd"
(hostname=192.168.1.10, addr=192.168.1.10, terminal=ssh res=failed)'

The resulting output displays the following data:
• record ID for audit
• user ID and log on name
• host where the log on was attempted
As shown in the following example, a summary report displays the number of failed attempts.
Summary Report
======================
Range of time in logs: 05/10/2012 09:56:37.956 - 05/10/2012 11:13:53.107
Selected time for report: 05/10/2012 09:56:37 - 05/10/2012 11:13:53.107
Number of changes in configuration: 110
Number of changes to accounts, groups, or roles: 18
Number of logins: 3
Number of failed logins: 1
Number of authentications: 12
Number of failed authentications: 2
Number of users: 2
Number of terminals: 14
Number of host names: 3
Number of executables: 26
Number of files: 5805
Number of AVC's: 0
Number of MAC events: 0
Number of failed syscalls: 42
Number of anomaly events: 0
Number of responses to anomaly events: 0
Number of crypto events: 0
Number of keys: 1
Number of process IDs: 292
Number of events: 8862

File activity in restricted areas
The file system is locked by administering file permissions to restrict access only to administrators.
The audit process records all modifications to the files. The audit process is based on the watch
rules on files and directories. The watch rule on directories includes all files in the directory. Most
watch rules are on the write or append permissions in the directory and files.
The system audit must be enabled for logging of restricted file activity. After the auditing process is
complete, the audit record contains the following data:
• UID of user accessing the file
• The process ID
• The file or directory
• The success or fail status
• The command run on the file or directory
Example
The following example describes the failure of an administrator to write to a directory without the
write permission:
type=SYSCALL msg=audit(1273094725.151:2224): arch=c000003e syscall=2
success=no exit=-13 a0=7fff9cdc3c24 a1=941 a2=1b6 a3=0 items=1 ppid=6554
pid=6623 auid=20229 uid=20233 gid=91 euid=20233 suid=20233 fsuid=20233
egid=91 sgid=91 fsgid=91 tty=pts0 ses=67 comm="touch" exe="/bin/touch"
key=(null)
type=CWD msg=audit(1273094725.151:2224): cwd="/home/joebobssa"
type=PATH msg=audit(1273094725.151:2224): item=0
name="/opt/mcp/java/myfile.xml" inode=261634 dev=03:05 mode=040755 ouid=0 ogid=0
rdev=00:00

In this example, joebobssa tries to write to the /opt/mcp/java directory. The administrator with
the 20233 user ID types the touch command on the file /opt/mcp/java/myfile.xml and fails.
The following fields describe the information in this example:
• uid: The administrator joebobssa with the 20233 user ID
• exe: The touch command that the administrator runs
• name: The name and path of the file
• success: The result of the command
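The two record shapes shown in this chapter (the PAM USER_AUTH record from the failed-logon search, and the SYSCALL, CWD and PATH records of one event from the restricted-file example) can be reduced to review data with a short parser when a copy of the logs has been transferred off the server for filtering. The following Python script is added here as an illustration; it is not part of this guide or of Avaya's tooling, and its sample records are constructed to match the shapes above (the addresses, PIDs and serial numbers are made up). It counts failed authentications per account and source address, and joins the records of one event by their audit(timestamp:serial) id to list denied file operations with the uid, exe, name and success fields the text describes.

```python
"""Parse the two kinds of audit records shown in this chapter into review data (constructed example)."""
import re
from collections import Counter, defaultdict

# Constructed sample, modelled on the USER_AUTH and SYSCALL/CWD/PATH records quoted in this
# chapter. Addresses, PIDs and serial numbers are made up; this is not output from a real server.
SAMPLE_AUDIT_LOG = """\
type=USER_AUTH msg=audit(1273507587.172:8886): user pid=3739 uid=0 auid=4294967295 msg='PAM: authentication acct="ntsysadm" : exe="/usr/sbin/sshd" (hostname=192.168.1.10, addr=192.168.1.10, terminal=ssh res=failed)'
type=USER_AUTH msg=audit(1273507601.410:8890): user pid=3744 uid=0 auid=4294967295 msg='PAM: authentication acct="ntsysadm" : exe="/usr/sbin/sshd" (hostname=192.168.1.10, addr=192.168.1.10, terminal=ssh res=failed)'
type=USER_AUTH msg=audit(1273507650.003:8901): user pid=3750 uid=0 auid=4294967295 msg='PAM: authentication acct="ntsysadm" : exe="/usr/sbin/sshd" (hostname=192.168.1.10, addr=192.168.1.10, terminal=ssh res=success)'
type=USER_AUTH msg=audit(1273507700.120:8910): user pid=3761 uid=0 auid=4294967295 msg='PAM: authentication acct="joebobssa" : exe="/usr/sbin/sshd" (hostname=192.168.1.22, addr=192.168.1.22, terminal=ssh res=failed)'
type=SYSCALL msg=audit(1273094725.151:2224): arch=c000003e syscall=2 success=no exit=-13 a0=7fff9cdc3c24 a1=941 a2=1b6 a3=0 items=1 ppid=6554 pid=6623 auid=20229 uid=20233 gid=91 euid=20233 suid=20233 fsuid=20233 egid=91 sgid=91 fsgid=91 tty=pts0 ses=67 comm="touch" exe="/bin/touch" key=(null)
type=CWD msg=audit(1273094725.151:2224): cwd="/home/joebobssa"
type=PATH msg=audit(1273094725.151:2224): item=0 name="/opt/mcp/java/myfile.xml" inode=261634 dev=03:05 mode=040755 ouid=0 ogid=0 rdev=00:00
"""

# key=value tokens; a value is a double-quoted string, a single-quoted string, or a bare word.
TOKEN_RE = re.compile(r"""(\w+)=("[^"]*"|'[^']*'|\S+)""")
# The timestamp:serial pair that ties the SYSCALL, CWD and PATH records of one event together.
EVENT_RE = re.compile(r"msg=audit\((\d+\.\d+):(\d+)\)")


def _clean(raw):
    """Strip the quoting and the punctuation that the PAM message wraps around values."""
    value = raw.strip("\"'").rstrip(",")
    if value.endswith(")") and "(" not in value:
        value = value[:-1]
    return value


def parse_record(line):
    """Return (event_id, fields) for one audit line, or (None, {}) if the line is not an audit record."""
    match = EVENT_RE.search(line)
    if not match:
        return None, {}
    fields = {key: _clean(raw) for key, raw in TOKEN_RE.findall(line)}
    if fields.get("type") == "USER_AUTH":
        # acct, addr, terminal and res live inside the quoted PAM message, so parse it a second time.
        fields.update({key: _clean(raw) for key, raw in TOKEN_RE.findall(fields["msg"])})
    return f"{match.group(1)}:{match.group(2)}", fields


def failed_logons(log_text):
    """Count failed authentications per (account, source address), like the grep pipeline above."""
    counts = Counter()
    for line in log_text.splitlines():
        _, fields = parse_record(line)
        if fields.get("type") == "USER_AUTH" and fields.get("res") == "failed":
            counts[(fields.get("acct"), fields.get("addr"))] += 1
    return counts


def restricted_file_failures(log_text):
    """Join SYSCALL, CWD and PATH records by event id and return the denied file operations."""
    events = defaultdict(lambda: {"paths": []})
    for line in log_text.splitlines():
        event_id, fields = parse_record(line)
        if event_id is None:
            continue
        record_type = fields.get("type")
        if record_type == "SYSCALL":
            events[event_id].update(uid=fields.get("uid"), auid=fields.get("auid"),
                                    exe=fields.get("exe"), success=fields.get("success"),
                                    exit=fields.get("exit"))
        elif record_type == "CWD":
            events[event_id]["cwd"] = fields.get("cwd")
        elif record_type == "PATH":
            events[event_id]["paths"].append(fields.get("name"))
    return [dict(event, id=event_id) for event_id, event in events.items()
            if event.get("success") == "no"]


if __name__ == "__main__":
    for (account, address), count in failed_logons(SAMPLE_AUDIT_LOG).items():
        print(f"{count} failed logon(s) for {account} from {address}")
    for failure in restricted_file_failures(SAMPLE_AUDIT_LOG):
        print(f"uid {failure['uid']} ran {failure['exe']} on {failure['paths']} in {failure['cwd']}: denied")
```

The join on the event id is the step that matters: the uid and exe come from the SYSCALL record, the file name from the PATH record, and the working directory from the CWD record, so none of the three lines is useful on its own. On the server itself, aureport and ausearch already do this correlation; the script is for copies of the logs that have been moved to another host.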
Related links
System audit on page 43

Backup of security logs
To back up the security logs, copy the logs to a secured server. Only root users can delete the
logs on the original server.
For more information about how to back up the Avaya Aura® Conferencing system, see
Administering Avaya Aura® Conferencing.

Chapter 5: Database password management

Use the procedures in this chapter to manage passwords for the database.

Resetting the internal database account passwords
Policy can require that you periodically change all system passwords. Use the following procedure
to reset the passwords for the system level internal database accounts.
Important:
Only the database software uses the internal accounts. To prevent users from logging on to
these accounts, the passwords are randomly generated and not available to users. These
accounts are also locked.
Before you begin
You are a user with SSA role.
Procedure
1. Log on to the server that hosts the primary database, as a user with SSA role.
2. Enter the command to reset the password for one of the internal database accounts:
• resetDbSystemUserPasswd system
• resetDbSystemUserPasswd internal
3. If a password prompt appears, enter the password for the SSA account.

Changing the schema account password
Use the following procedure to change the password for the database schema account.
Before you begin
You are a user with SSA role.


Procedure
1. Log on to the server that hosts the primary Avaya Aura® Conferencing Element Manager
(Instance 0), as a user with SSA role.
2. Enter the command to change the password:
chgDbSchemaUserPasswd
3. If a password prompt appears, enter the password for the SSA account.
4. At the prompt, confirm that you want to change the password.
A message appears to report the success or failure of the password change.

Changing the database application password without upgrading the software
Before you begin
Ensure that your user ID is assigned the following roles:
• Security System Administrator (SSA)
• Application Administrator (AA)
You must know how to deploy and start network elements. For more information, see Administering
Avaya Aura® Conferencing.
Procedure
1. Log on to the primary Element Manager server as SSA.
2. Type the following command to change the password:
chgDbAppUserPasswd
3. (Optional) Enter the password.
4. At the prompt, confirm that you want to change the password.
Element Manager displays a message that indicates the success or failure of the password
change.
5. Log on to the primary Element Manager server as AA.
6. To navigate to the install directory, type the following command:
cd /var/mcp/install
7. To restart the primary Element Manager server, type the following command:
./emUpgrade.pl


Avaya Aura® Conferencing:
a. Stops all Element Manager instances.
b. Installs the software version specified in the installprops.txt file, which is the current
version.
c. Starts all Element Manager instances.
8. Using Element Manager Console, stop, install, and restart other network elements in the
following order:
a. Application Server
b. Accounting Manager
c. PROV Manager
d. Collaboration Agent Manager
e. Web Conferencing Management Server
f. Web Conferencing Server
g. Document Conversion Server
h. Avaya Media Server
Important:
If a network element has a hot standby instance, first perform this step on the hot
standby instance.
If you cannot successfully perform this step on a network element, Element Manager
Console displays an error message. To complete the procedure, repeat Step 8.

Changing the database application password during an upgrade
Use the following procedure to change the database application password as part of a Maintenance
Release or patch upgrade.
Before you begin
• You are a user with SSA role.
• You are familiar with the procedure to apply a Maintenance Release or patch upgrade.
Procedure
1. Log on to the server that hosts the primary Avaya Aura® Conferencing Element Manager
(Instance 0), as a user with SSA role.
2. Enter the command to change the password:
chgDbAppUserPasswd


3. If a password prompt appears, enter the password for the SSA account.
4. At the prompt, confirm that you want to change the password.
A message appears to report the success or failure of the password change.
5. Apply the Maintenance Release or patch upgrade.
Important:
If any network element is not upgraded and is therefore still running the old load, an
error message appears. To complete the procedure, repeat Step 5 for the affected
network elements.

Chapter 6: File system integrity management

Use the procedures in this chapter to verify file system integrity (FSI) and to manage FSI baselines.

Creating an FSI baseline
Create an FSI baseline on a weekly basis or after any significant changes to the system, such as
software installation or upgrade.
This task must be performed on all Element Manager servers and Avaya media servers.
Important:
It can take at least 10 minutes to create a typical baseline.
Before you begin
You are a user with the SSA role or a root user.
Procedure
1. Log on to the server as ntsysadm or an account with the SSA role.
2. Enter fsibaseline.
3. Enter the password (if required).
4. If you receive a warning, press any key to continue.
5. Enter Y to verify the new FSI baseline configuration.

Verifying the file system against a baseline
Routinely verify the file system against the baselines. The verification process identifies the following
changes:
• Addition or removal of files
• Modification of files and attributes
• File sizes and MD5 signatures

Before you begin
You are a user with SSA role or a root user.
Procedure
1. Log on to the server as a user with SSA role.
2. At the prompt, enter the following command:
fsiverify
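The three kinds of change listed above (files added or removed, files and attributes modified, sizes and MD5 signatures) are what a baseline-and-verify cycle amounts to. The following Python example is added here to show that cycle on a throw-away directory; it is not fsibaseline or fsiverify, whose baseline format this guide does not describe, and every path and file in it is constructed.

```python
"""Baseline-and-verify file integrity check over a directory tree (constructed example)."""
import hashlib
import os
import stat
import tempfile


def _digest(path, algorithm):
    """Hash a file in chunks so that large binaries need not fit in memory."""
    hasher = hashlib.new(algorithm)
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            hasher.update(chunk)
    return hasher.hexdigest()


def build_baseline(root, algorithm="md5"):
    """Record size, permission bits and content digest of every regular file under root.

    Keys are root-relative paths with forward slashes, so a baseline compares the same on any host.
    """
    baseline = {}
    for dirpath, _subdirs, filenames in os.walk(root):
        for filename in filenames:
            full_path = os.path.join(dirpath, filename)
            info = os.lstat(full_path)
            if not stat.S_ISREG(info.st_mode):
                continue  # symlinks, sockets and device nodes are out of scope here
            relative = os.path.relpath(full_path, root).replace(os.sep, "/")
            baseline[relative] = {
                "size": info.st_size,
                "mode": stat.S_IMODE(info.st_mode),
                "digest": _digest(full_path, algorithm),
            }
    return baseline


def verify_baseline(root, baseline, algorithm="md5"):
    """Compare the live tree with a baseline and report added, removed and modified files."""
    current = build_baseline(root, algorithm)
    common = set(current) & set(baseline)
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(path for path in common if current[path] != baseline[path]),
    }


def _write(path, text):
    with open(path, "w") as handle:
        handle.write(text)


def demo():
    """Baseline a throw-away tree, tamper with it in four ways, and return the verification result."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "bin"))
        _write(os.path.join(root, "bin", "keep.sh"), "echo ok\n")
        _write(os.path.join(root, "config.xml"), "<config/>\n")
        _write(os.path.join(root, "old.log"), "rotated\n")
        baseline = build_baseline(root)

        # Simulated drift after the baseline was taken: a content change, an attribute-only
        # change, a deletion and an addition. Each shows up under its own key in the result.
        _write(os.path.join(root, "config.xml"), "<config tampered='yes'/>\n")
        os.chmod(os.path.join(root, "bin", "keep.sh"), 0o755)
        os.remove(os.path.join(root, "old.log"))
        _write(os.path.join(root, "bin", "new.sh"), "echo unexpected\n")
        return verify_baseline(root, baseline)


if __name__ == "__main__":
    for category, paths in demo().items():
        print(f"{category}: {paths}")
```

demo() reports bin/keep.sh as modified although its content and size are unchanged, because the permission bits are part of the baseline record; that is the "attributes" case from the list above. MD5 is used because it is the digest the guide names; hashlib.new accepts "sha256" in its place, which is the better choice when the digest is relied on to detect deliberate tampering rather than accidental drift.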

Managing FSI baselines
You can list all of the file system integrity (FSI) baselines currently stored on the server. The system
uses the file marked baseline for verification. You can select a different baseline file to use for
verification.
Before you begin
You are a user with SSA role or a root user.
Procedure
1. Log on to the server as a user with SSA role.
2. At the prompt, enter the following command:
fsibaselineMgt
3. Select a management action:
   Choose to                         Enter selection number
   List available baselines          1
   Set the verification baseline     2
   Unset the verification baseline   3
   Exit                              4

Chapter 7: Security log management

Use the procedures in this chapter to manage security logs.

Configuring a remote syslog server
Use this procedure to configure a remote syslog server.
If you configure a remote syslog server on the platform, the system sends all local syslogs to both
the remote syslog server and the local syslog server.
Before you begin
You are a user with SSA role.
Procedure
1. Log on to the server as a user with SSA role.
2. Enter syslogConfig at the prompt.
3. Enter your password.
4. Enter c to configure a remote syslog server.
5. Enter the Syslog Server IP Address.
6. Enter Y to confirm the configuration.

Deleting a remote syslog server
Use this procedure to delete a remote syslog server.
Before you begin
You are a user with SSA role.
Procedure
1. Log on to the server as a user with SSA role.
2. Enter syslogConfig at the prompt.

3. Enter u to unconfigure a remote syslog server.
4. Enter Y to confirm the configuration.

Modifying system audit logs
Use this procedure to enable or disable system audit logs.
Before you begin
• You are a user with SSA role.
Procedure
1. Log on to the server as a user with SSA role.
2. At the command prompt, enter configAudit.
3. Enter c to configure the audit.
4. Select an action:
   Choose to            Enter
   Enable the audit     Y
   Disable the audit    N
5. If prompted to reboot, enter Y.

Chapter 8: Application administrator security configuration and management

This chapter describes the procedures to configure and manage administrator security for Avaya
Aura® Conferencing applications.
Related links
Application local administrator account security on page 34

Enabling web server logs
Use this procedure to enable web server logs on the Element Manager and Provisioning Manager
network elements.
Procedure
1. Log on to Element Manager Console.
2. In the navigation pane of Element Manager Console, select Feature Server Elements >
Element Manager > Element Manager > Configuration Parameters.
3. From the Parm Group drop-down list box in the Element Manager Configuration Parameters
window, select WebServer.
4. Click the EnableAccessLogs row.
5. Click Edit (-/+).
6. From the Value drop-down list box, select true.
7. Click Apply.
8. In the navigation pane of Element Manager Console, select Feature Server Elements >
Provisioning Managers > <PROV_instance> > Configuration Parameters.
9. From the Parm Group drop-down list box in the Provisioning Manager Configuration
Parameters window, select WebServer.
10. Click the EnableAccessLogs row.

11. Click Edit (-/+).
12. From the Value drop-down list box, select true.
13. Click Apply.

Configuring password rules for the application local administrator accounts
Before you begin
Ensure that you can log in to Element Manager Console directly, instead of logging in using SSO
from System Manager.
About this task
Configure the password complexity and password aging rules to enhance the security of Element
Manager Console and Provisioning Client passwords for the local administrator accounts.
Procedure
1. Log in to Element Manager Console locally.
2. On the Administration menu, select Password Rules.
The system displays the Password Rules dialog box.
3. In the Password Complexity Rules area, configure the parameters.
4. In the Password Aging Rules area, configure the parameters.
5. Click Apply.

Password Rules dialog box field descriptions

Password Complexity Rules area

Minimum Password Length
    This parameter specifies the minimum number of total characters a password must contain.
    The range of values allowed is 4-32. Default: 8.
    The Minimum Password Length must be equal to or greater than the total of the Minimum
    Lowercase Characters, Minimum Uppercase Characters, Minimum Digit Characters, and Minimum
    Special Characters. If Check For Dictionary Words in Password is enabled, the Minimum
    Password Length value must be 6 or more.

Minimum Lowercase Characters
    This parameter specifies the minimum number of lowercase characters (a–z) that the password
    must contain.
    The range of values allowed is 0-10. Default: 2.

Minimum Uppercase Characters
    This parameter specifies the minimum number of uppercase characters (A–Z) that the password
    must contain.
    The range of values allowed is 0-10. Default: 2.

Minimum Digits
    This parameter specifies the minimum number of digit characters (0–9) that the password must
    contain.
    The range of values allowed is 0-10. Default: 2.

Minimum Special Characters
    This parameter specifies the minimum number of special characters that the password must
    contain. Special Characters are: ! # $ % * . @ - _ { } & ' ^ ? ( ) , / \ : ; ~ = +
    The range of values allowed is 0-10. Default: 0.

Maximum Consecutive Characters
    This parameter specifies the maximum number of times a given character can appear
    consecutively in a valid password. Configure the value to 0 (zero) to disable Maximum
    Consecutive Characters.
    The range of values allowed is 0-10. Default: 0.

Minimum Characters Different from Previous Password
    This parameter specifies the minimum number of characters by which the new password must
    differ from the previous password. The system ignores this value if either one half of the
    characters in the new password are different, or if there are more than 23 characters in the
    new password.
    The range of values allowed is 0-10. Default: 0.

Password History
    This parameter specifies the size of the password history maintained by the system for each
    user. The system rejects the reuse of any password found in the user's history. To disable
    password history validation, set this value to 0 (zero).
    The range of values allowed is 0-24. Default: 1.

User ID or Reversed User ID Permitted in Password
    Select this check box if you want to allow the password to include the user's ID or the
    user's ID reversed.

Check for Dictionary Words in Password
    Select this check box if you want to prevent administrators from using passwords that are
    derived from dictionary words. When this setting is enabled, the system checks whether
    dictionary words are used in the password.

Password Aging Rules area

Maximum Password Life (days)
    This parameter specifies the maximum number of days that an administrator's password can
    be used before it expires. After the specified number of days, the administrator must change
    the password to access the server. To disable password expiration, set this value to 0 (zero).
    The range of values allowed is 0-180 days. Default: 90.

Minimum Password Life (hours)
    This parameter specifies the minimum number of hours between password changes. This setting
    discourages administrators from immediately changing their passwords back to a previously
    used password (password flipping). To permit users to change their passwords as often as
    they want, set this value to 0 (zero). If not set to 0, the minimum password life must be
    less than the maximum password life.
    The range of values allowed is 0-480 hours (20 days). Default: 1.

Expiry Notification (days)
    This parameter specifies the number of days in advance that users receive a warning that
    their passwords will expire. To disable expiry notification, set this value to 0 (zero). If
    not set to 0, the expiry notification must be less than the maximum password life and
    greater than the minimum password life.
    The range of values allowed is 0-30 days. Default: 7.
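The complexity rules in this table are easy to express in code, and seeing them together makes their interactions clear: the Minimum Password Length has to cover the sum of the per-class minimums, and the Minimum Characters Different check is skipped for a password that differs in at least half its characters or is longer than 23 characters. The following Python checker is added here to illustrate those rules; it is not the Element Manager implementation, the word list it accepts is a hypothetical stand-in for the product's dictionary, and it assumes that "characters different from the previous password" is measured position by position, which the table does not specify. Aging rules are left out because they depend on the clock rather than on the password itself.

```python
"""Checker for the Password Complexity Rules described in the table above (constructed example)."""
import itertools
from dataclasses import dataclass

# Special characters as listed in the Minimum Special Characters row of the table.
SPECIAL_CHARS = set("!#$%*.@-_{}&'^?(),/\\:;~=+")


@dataclass(frozen=True)
class PasswordRules:
    """One setting per table row; defaults are the table's defaults, 0 disables an optional check."""
    min_length: int = 8
    min_lower: int = 2
    min_upper: int = 2
    min_digits: int = 2
    min_special: int = 0
    max_consecutive: int = 0
    min_chars_different: int = 0
    password_history: int = 1
    user_id_permitted: bool = False
    check_dictionary: bool = False
    dictionary: frozenset = frozenset()  # hypothetical word list; the product's list is not on the page


def rule_config_errors(rules):
    """Return the constraints from the table that this rule set violates (empty list = consistent)."""
    errors = []
    if not 4 <= rules.min_length <= 32:
        errors.append("Minimum Password Length must be 4-32")
    class_total = rules.min_lower + rules.min_upper + rules.min_digits + rules.min_special
    if rules.min_length < class_total:
        errors.append("Minimum Password Length must cover the sum of the per-class minimums")
    if rules.check_dictionary and rules.min_length < 6:
        errors.append("Minimum Password Length must be 6 or more when dictionary checking is on")
    if not 0 <= rules.password_history <= 24:
        errors.append("Password History must be 0-24")
    return errors


def _longest_run(text):
    """Length of the longest run of one repeated character ('aabbb' -> 3)."""
    return max((sum(1 for _ in group) for _, group in itertools.groupby(text)), default=0)


def validate_password(candidate, user_id, rules, history=()):
    """Return a list of (code, message) violations; an empty list means the password is accepted.

    history holds the user's earlier passwords, most recent first (history[0] is the current one).
    """
    problems = []
    counts = {
        "min_lower": (sum(c.islower() for c in candidate), rules.min_lower, "lowercase"),
        "min_upper": (sum(c.isupper() for c in candidate), rules.min_upper, "uppercase"),
        "min_digits": (sum(c.isdigit() for c in candidate), rules.min_digits, "digit"),
        "min_special": (sum(c in SPECIAL_CHARS for c in candidate), rules.min_special, "special"),
    }
    if len(candidate) < rules.min_length:
        problems.append(("min_length", f"needs at least {rules.min_length} characters"))
    for code, (found, needed, label) in counts.items():
        if found < needed:
            problems.append((code, f"needs at least {needed} {label} characters, found {found}"))
    if rules.max_consecutive and _longest_run(candidate) > rules.max_consecutive:
        problems.append(("max_consecutive",
                         f"no character may repeat more than {rules.max_consecutive} times in a row"))
    lowered = candidate.lower()
    if not rules.user_id_permitted and user_id:
        if user_id.lower() in lowered or user_id.lower()[::-1] in lowered:
            problems.append(("user_id", "must not contain the user ID or the reversed user ID"))
    if rules.check_dictionary and any(word in lowered for word in rules.dictionary):
        problems.append(("dictionary", "must not be derived from a dictionary word"))
    if rules.min_chars_different and history:
        # Assumption: "different" is compared position by position. Per the table the check is
        # skipped when at least half the characters differ or the new password exceeds 23 characters.
        differing = sum(a != b for a, b in itertools.zip_longest(candidate, history[0]))
        if (len(candidate) <= 23 and differing < len(candidate) / 2
                and differing < rules.min_chars_different):
            problems.append(("min_chars_different",
                             f"must differ from the previous password in at least "
                             f"{rules.min_chars_different} characters"))
    if rules.password_history and candidate in history[:rules.password_history]:
        problems.append(("history", "reuses a password from the user's password history"))
    return problems


if __name__ == "__main__":
    rules = PasswordRules(max_consecutive=2)
    print("rule set problems:", rule_config_errors(rules) or "none")
    for candidate in ("Conf3r3Nce", "admin123", "PaAsss11"):
        print(candidate, validate_password(candidate, "admin", rules) or "accepted")
```

Run rule_config_errors() on a rule set before applying it: the table's constraint that the total length covers the per-class minimums is the one most often broken when the individual minimums are raised, and a rule set that cannot be satisfied locks every administrator out of a password change.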

Configuring log on and session rules for the local administrator accounts
About this task
Use this procedure to configure log on and session rules for the local administrator accounts for the
following interfaces:
• Configuration Management (OMI) (applies to Element Manager Console and Element
Manager)
• Provisioning Client
Note:
The local administrator accounts cannot be locked out.
Procedure
1. Log on to Element Manager Console locally.
2. From the Administration menu in Element Manager Console, select Login Rules.
3. In the Login Rules dialog box, configure the parameters as required. For more information,
see Login Rules dialog box field descriptions on page 59.
4. When finished, click Apply.


Login Rules dialog box field descriptions

Configuration Session Timeout (minutes)
    This rule defines the maximum number of minutes a session can be idle before the user must
    reauthenticate. The range of values allowed is 0–120. Configure the value to 0 (zero) to
    disable session timeout. After a session times out, any write operations must be
    re-authenticated.

Provisioning Session Timeout (minutes)
    This rule defines the maximum number of minutes a session can be idle before the user must
    reauthenticate. The range of values allowed is 0–120. You cannot disable session timeout for
    the Provisioning Client interface.

Failed Login Attempts before Lockout
    This rule defines the maximum number of successive failed attempts to log on allowed before
    the user's account is locked. The range of values allowed is 0–10. Configure the value to 0
    (zero) to disable lockout and permit unlimited successive failed log on attempts. If not zero,
    the value represents an inclusive number of attempts. Therefore, if the value is 1 (one), a
    single failure causes the user's account to be locked immediately. Until the account is
    unlocked, the system rejects further attempts to log on.

Lockout Duration (minutes)
    This rule defines the number of minutes that a user's account remains locked after reaching
    the maximum number of successive failed attempts to log on. The range of values allowed is
    1–60.

Account Inactivity Period (days)
    This rule defines the number of consecutive days of inactivity (that is, the number of
    consecutive days that the user did not log onto the system) at which the user's account is
    locked.

Resetting the password for the local administrator account
Use this procedure to reset the password for the initial local administrator account (that is, admin).
Before you begin
• You must belong to the Database Administrator role.
• You must belong to the Application Administrator role.
Procedure
1. Log on to the primary database (DB) server as a user with DBA role.
2. Run the script to change the password:
/var/mcp/run/MCP_15.0/mcpdb_0/bin/util/resetEMGuiAdminPasswd.pl
3. Log on to the primary Element Manager as a user with AA role.
4. Change directory:
cd /var/mcp/install
5. Run the script to restart the Element Manager:
./emUpgrade.pl
This script stops all Element Manager instances, redeploys the load specified in
installprops.txt, and restarts all Element Manager instances.
6. Log on to Element Manager Console with the admin account.
7. Type the password, which the resetEMGuiAdminPasswd.pl script reset to admin.
8. At the prompt to change the password, type a new password that complies with the
password rules.
9. Type the new password again to confirm.
10. Click OK to save the new password and complete the log on.

Resetting the password for another local administrator from Element Manager Console
Use this procedure to reset the password for another local administrator account.
Procedure
1. Log on to Element Manager Console locally.
2. From the Administration menu in Element Manager Console, select Password
Administration > Set Administrator Password.
3. From the User ID box in the Set Administrator Password dialog box, select the appropriate
local administrator user ID.
4. In the New Password box, enter the new password for the selected user ID.
5. In the Password Confirm box, reenter the new password.
6. If you want the system to force a password change for this user ID the first time the user logs
on, click the Force Password Change check box.
Important:
Having more than one person know the password for a user account reduces
accountability and system security. Avaya recommends that you select this option.
7. When finished, click Apply.


Changing the password for your local administrator account from Element Manager Console
Use this procedure to change the password for your local administrator account.
Procedure
1. Log on to Element Manager Console locally.
2. From the Administration menu in Element Manager Console, select Password
Administration > Change My Password.
3. In the New Password box, enter the new password.
4. In the Password Confirm box, reenter the new password.
5. In the Current Password box, enter your old password.
6. Click Apply.

Chapter 9: Access Control List configuration

The Access Control List (ACL) configuration consists of the internal ACL rules and the external
ACL rules. The system applies the internal rules to connections between its internal nodes. Generate
these rules by running the mcpGenIntACLconfig.pl program, which creates the rules from the
configuration data in the Avaya Aura® Conferencing database. The external rules restrict external
access from ancillary devices to Avaya Aura® Conferencing. Configure the external rules manually.
Complete all tasks in Configuring internal ACL rules and Configuring external ACL rules to complete
the ACL configuration. Avaya Aura® Conferencing applies the internal ACL rules only after you
configure and commit the external ACL rules.

Configuring internal ACL rules
About this task
Use the following procedure to configure internal ACL rules.
Procedure
1. Generate an internal ACL configuration file. See Generating an internal ACL configuration
file on page 62.
2. Install an internal ACL configuration file on the primary Element Manager server. See
Installing an internal ACL configuration file on the primary Element Manager server on
page 63.
3. Install an internal ACL configuration file on all other servers. See Installing an internal ACL
configuration file on all other servers on page 63.

Generating an internal ACL configuration file
Before you begin
You must be able to log onto the primary Element Manager server as a user with the Application
Administrator (AA) role.

About this task
Use the following procedure to generate an internal ACL configuration file.
Procedure
1. Log onto the primary Element Manager server as a user with the AA role.
2. At the command prompt, enter cd /var/mcp/install and press Enter.
3. Enter mcpGenIntACLConfig.pl and press Enter.
The internal ACL configuration file has now been generated and resides on the primary
Element Manager server. You must now install the internal ACL configuration file on all
servers in the system (including the primary Element Manager server).

Installing an internal ACL configuration file on the primary Element Manager server
Before you begin
You must be able to log onto the primary Element Manager server as a user with the System Security
Administrator (SSA) role.
About this task
Use the following procedure to install an internal ACL configuration file on the primary Element
Manager server.
Procedure
1. Log onto the primary Element Manager server as a user with the SSA role.
2. At the command prompt, enter mcpInstIntACLConf –copy and press Enter.

Installing an internal ACL configuration file on all other servers
Before you begin
You must be able to log onto the primary Element Manager server as a user with the System Security
Administrator (SSA) role.
About this task
Use the following procedure to install an internal ACL configuration file on all other servers.
If your deployment supports integrated audio and video, this includes the Flash Media Gateway
(FMG) server. For more information on integrated audio and video, see Deploying Avaya Aura®
Conferencing.
Procedure
1. Log onto the server as a user with the SSA role.

2. At the command prompt, enter mcpInstIntACLConf and press Enter.
3. At the prompt Remote server IP address, enter the primary Element Manager server
internal OAM IP address and press Enter.
4. At the prompt SFTP user id, enter the SSA user name defined on the primary Element
Manager server and press Enter.
5. At the prompt SFTP password, enter the SSA password and press Enter.
6. At the prompt Please retype the password to confirm, re-enter the SSA password
and press Enter.
7. At the prompt Confirm (Y or N), enter y and press Enter.

Note:
If you receive an error message that the remote host identification has changed, see
Deploying Avaya Aura® Conferencing to fix the problem. Once you fix the keys, retry the
script on this server.
8. Repeat Steps 1 through 7 on all remaining servers in the system.
Note:
The internal ACL rules are applied to the system only after you commit the ACL rules via
the iptcfg tool. See Importing an external Access Control List configuration file on
page 65.

Configuring external ACL rules
About this task
There are multiple methods available for configuring external ACL rules. The iptcfg tool provides an
interactive menu that enables you to
• configure the settings for an individual node
• configure the settings for a port
• configure the DSCP settings
• import configuration files
The import files used in this section were auto-generated after the platform was installed. If the
import file was not generated automatically, you must create that file manually.
When external ACL rules are committed via the iptcfg tool, the internal ACL rules file (previously
installed) is used by the iptcfg tool to create firewall rules for the internal nodes. No further action is
required to include the internal ACL rules.
Use the following procedure to configure external ACL rules.

Procedure
1. If the Avaya Media Server is deployed on the target server, prepare the Avaya Media Server.
See Preparing the Avaya Media Server on page 65.
2. Perform one of the following steps:
• Create a configuration file and then import it using the iptcfg tool. See Importing an
external ACL configuration file on page 65.
• Configure the rules manually using the iptcfg tool. See Configuring external ACL rules
manually (using the iptcfg tool) on page 67.
3. Verify the ACL configuration. See Verifying the ACL configuration on page 70.

Preparing the Avaya Media Server


Before you begin
• You must be able to log onto the server as a user with the System Security Administrator (SSA)
role.
• You must know the root password.
About this task
Perform this procedure on all servers where the Avaya Media Server is deployed, regardless of the
layout type (that is, SMB, medium, or large).
Procedure
1. Log onto the server as a user with the SSA role.
2. At the prompt, enter su - and press Enter.
3. At the prompt password, enter the root password, and press Enter.
4. Enter aacconfiginstall.pl and press Enter.
The following message is displayed:
Install AAC configuration
/var/mcp/ma/MAS/bin/chmodplat.sh
/var/mcp/ma/MAS/bin/dscpconfig.sh install
/var/mcp/ma/MAS/bin/dscpconfig.sh install

Importing an external Access Control List configuration file


About this task
Use this procedure to import an external Access Control List (ACL) configuration file. ACL
configuration files are server specific, with each file containing IP addresses that are specific to a
server. The Element Manager server and Avaya Media Server configuration files are different. The

May 2013 Avaya Aura® Conferencing Security 65


Comments on this document? [email protected]
Access Control List configuration

Avaya Media Server file has additional syntax. Refer to the appropriate example of the configuration
files for each server. Log in as a root user and view examples of:
• The Avaya Media Server configuration file at /opt/mcp/ipt/example on Avaya Media
Server.
• The Element Manager server configuration file, with instructions on how to configure the file,
at /opt/mcp/ipt/example on the Avaya Aura® Conferencing server.
You might need to configure the following external trusted nodes in the configuration file:
• Remote syslog server
• Remote NTP server
• Administrator computer
• DNS
Perform this procedure on all servers in the Avaya Aura® Conferencing system.
Procedure
1. Log on to the server as SSA.
2. At the prompt, enter su -, and press Enter.
3. At the password prompt, enter the root password, and press Enter.
4. Create an ACL configuration file based on the configuration file examples.
Ensure that the trusted nodes listed in the configuration file contain the IP address of your
computer. If your computer is not configured as a trusted node, you cannot access the server
after you configure and commit the ACL rules because applying the rules will block access to
the server.
5. To return to the SSA login, type exit, and press Enter.
6. After you create the ACL configuration file, type iptcfg, and press Enter.
The system displays the IPTables Configurations Options menu.
7. At the prompt Selection [1 to 9], enter 4 to select Import Configurations, and press
Enter.
The system displays a warning that the operation changes the IPTables rules.
8. At the prompt Proceed (Y or N), enter y and press Enter.
9. At the prompt Import file name (full path), enter the file path and the configuration
file name of the server, and press Enter.
The system displays the following warning:
WARNING: Trusted nodes must include those from which the user logs
into the current server to perform the maintenance tasks. If you
have not specified them as trusted nodes in the import file, you
will not be able to log in to the server again after the importing
has completed.

10. At the prompt Proceed (Y or N), enter y, and press Enter.

Configuring external ACL rules manually (using the iptcfg tool)


Before you begin
You must be able to log onto the server as a user with the System Security Administrator (SSA) role.
About this task
Use this procedure to configure the external ACL rules using the iptcfg tool. See External ACL
configuration settings on page 70 to determine the list of trusted nodes, trusted ports, and DSCP
settings you must configure on each server.
Note:
You must perform this procedure on all servers in the Avaya Aura® Conferencing system.
If your deployment supports integrated audio and video, this includes the Flash Media Gateway
(FMG) server. For more information on integrated audio and video, see Deploying Avaya Aura®
Conferencing.
Procedure
1. Log onto the server as a user with the SSA role.
2. At the command prompt, enter iptcfg and press Enter.
The IPTables Configurations Options menu appears.
3. At the prompt Selection [1 to 9], enter 1 to select Configure Trusted Nodes, and
press Enter.
The Trusted Nodes Configuration Options menu appears.
4. Perform the following steps for each trusted node you want to add to the configuration:
a. At the prompt Selection [1 to 6], enter 2 to select Add a new trusted node
configuration, and press Enter.
b. Enter the local IPv4 node address.
c. At the prompt Enter trusted node type, enter 1 to add a single trusted node to
the local IPv4 address you entered in Step b, and press Enter.
d. Enter the IPv4 trusted node address, and press Enter.
e. Enter y and press Enter to confirm your action.
f. Repeat Steps a through e for each trusted node you want to add to the configuration.
5. At the prompt Selection [1 to 6] for the Trusted Nodes Configuration Options menu,
enter 5 to select Return to main menu, and press Enter.
6. Enter y and press Enter to confirm your action.
The IPTables Configurations Options menu appears.

Note:
The list of trusted nodes is not added to the IPTables rules yet. The changes will be
committed to the IPTables rules after you complete this procedure.
7. At the prompt Selection [1 to 9], enter 2 to select Configure Trusted Ports, and
press Enter.
The Trusted Port Configuration Options menu appears.
8. Perform the following steps for each trusted port you want to be enabled on the server:
a. At the prompt Selection [1 to 4], enter 1 to select List all trusted port
configuration, and press Enter.
The list of all trusted port configurations is displayed.
b. At the prompt Selection [1 to 4], enter 2 to select Modify a trusted port
configuration, and press Enter.
c. At the prompt Enter ID of trusted port configuration to be modified,
enter the ID of the port you want to modify (from the list of all trusted port configuration),
and press Enter.
d. Press Enter to confirm your action.
e. At the prompt Enter port status, enter 1 to enable the port or enter 0 to disable
the port.
f. Press Enter.
g. Press Enter to confirm your change.
h. Repeat Steps a through g for each trusted port you want to enable on the server.
9. At the prompt Selection [1 to 4] for the Trusted Port Configuration Options menu,
enter 3 to select Return to main menu, and press Enter.
10. Enter y and press Enter to confirm your action.
The IPTables Configurations Options menu appears.
Note:
The list of trusted ports is not added to the IPTables rules yet. The changes will be
committed to the IPTables rules after you complete this procedure.
11. At the prompt Selection [1 to 9], enter 3 to select DSCP Marking, and press Enter.
The DSCP Marking Configuration Options menu appears.
12. Perform the following steps for each DSCP value you want to configure on the server:
a. At the prompt Selection [1 to 4], enter 1 to select Show DSCP marking
configuration, and press Enter.
The DSCP marking configuration is displayed.

b. At the prompt Selection [1 to 4], enter 2 to select Modify DSCP values, and
press Enter.
c. At the prompt Enter ID of the DSCP category to be modified, enter the ID
of the DSCP value you want to modify (displayed in the DSCP marking configuration),
and press Enter.
d. Enter the DSCP value and press Enter.
e. Press Enter to confirm your change.
f. Repeat Steps a through e for each DSCP value you want to configure on the server.
13. At the prompt Selection [1 to 4] for the DSCP Marking Configuration Options menu,
enter 3 to select Modify DSCP marking status, and press Enter.
14. Enter 1 to enable the DSCP marking status or enter 0 to disable it.
15. Press Enter.
16. Press Enter to confirm your change.
17. At the prompt Selection [1 to 5] for the DSCP Marking Configuration Options menu,
enter 4 to select Return to main menu, and press Enter.
18. Enter y and press Enter to confirm your action.
The IPTables Configurations Options menu appears.
Note:
The DSCP configuration changes are not added to the IPTables rules yet. The changes
will be committed to the IPTables rules after you complete this procedure.
19. At the prompt Selection [1 to 9], enter 5 to select Commit IPTables Rules, and press
Enter.
20. At the prompt Proceed (Y or N), enter y and press Enter.
The following warning appears:
WARNING: Trusted nodes must include those from which the user logs
into the current server to perform the maintenance tasks. If you
have not configured these as trusted nodes, you will not be able to
log in to the server again after the configuration changes are
committed.
21. At the prompt Proceed (Y or N), enter y and press Enter.
22. Restart the Web Conference Server (WCS) network element.
This is an important step. If you do not restart the WCS, the WCS will not operate correctly
and users will not be able to start or join a Web collaboration.

Verifying the ACL configuration


Before you begin
You must be able to log onto the server as a user with the System Security Administrator (SSA) role.
About this task
Use the following procedure to verify the ACL configuration.
Note:
You must perform this procedure on all Avaya Aura® Conferencing core servers and Avaya
Media Servers.
Procedure
1. Log onto the server as a user with the SSA role.
2. At the command prompt, enter iptstatus -n and press Enter.
The list of trusted nodes is displayed.
3. Verify that the list of trusted nodes contains the trusted nodes that you configured either in
the import file or manually.
Note:
The full list of trusted nodes contains internal ACL trusted nodes as well as external
trusted nodes that you configured either in the import file or manually. The list of external
trusted nodes is a subset of all ACL rules.
4. Enter iptstatus -p and press Enter.
The list of trusted ports is displayed.
5. Verify that the list of trusted ports matches the trusted ports that you configured either in the
import file or manually.
6. Enter iptstatus -d and press Enter.
The list of DSCP values is displayed.
7. Verify that the list of DSCP values matches the DSCP values that you configured either in
the import file or manually.
8. Ensure that all rules according to the external ACL configuration table are configured. See
Access Control List external configuration on page 70.

Access Control List external configuration


The following table describes how to configure trusted ports, trusted nodes, and DSCP markings on
each Avaya Aura® Conferencing server for different deployment layouts.

Deployment layout | Server | Trusted port | Trusted node | DSCP marking
Small to Medium: simplex and redundant | Element Manager | 443, 8140, 8141, 8142, 6000 to 42599 | DNS, Remote NTP servers, Remote syslog server, Administrator computer | Disabled
Medium: simplex and redundant | Element Manager | 443, 8140, 8141, 8142 | DNS, Remote NTP servers, Remote syslog server, Administrator computer | Disabled
Medium: simplex and redundant | Avaya Media Server | 6000 to 42599 | DNS, Remote NTP servers, Remote syslog server, Administrator computer | Disabled
Large: simplex and redundant | Element Manager | 443, 8140, 8141, 8142 | DNS, Remote NTP servers, Remote syslog server, Administrator computer | Disabled
Large: simplex and redundant | Web Conferencing Server and Avaya Media Server | 443, 8140, 8141, 8142, 6000 to 42599 | DNS, Remote NTP servers, Remote syslog server, Administrator computer | Disabled
Large: simplex and redundant | Avaya Media Server | 6000 to 42599 | — | Disabled

Example of import.dat
The rules for an external Access Control List (ACL) configuration file are at
/opt/mcp/ipt/example/import.dat. Follow the instructions in the example file to configure an ACL file.
The following example of the import.dat configuration file applies to Element Manager servers in
Small to Medium and Medium layouts:
trusted node 192.168.209.241 192.168.209.22
trusted node 192.168.209.241 192.168.209.10
trusted node 192.168.209.241 192.168.209.20
trusted node 192.168.209.241 192.168.209.13
siptcpport 5060 0

May 2013 Avaya Aura® Conferencing Security 71


Comments on this document? [email protected]
Access Control List configuration

siptcptlsport 5061 1
httpport 80 1
httpsport 443 1
wcshttp 8140 0
wcshttps 8141 0
wcsflashpolicy 8142 0
dscpenabled false
dscpvalue 1 48
dscpvalue 2 18
dscpvalue 3 16
mediaports 6000 42599 1
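As an added example (not Avaya's iptcfg code), the following Python parses a file in this import.dat format and performs the check the import WARNING describes: whether the administrator computer is among the trusted nodes before the rules are committed. It assumes, from the iptcfg prompts in the manual procedure, that trusted node lines list the local address first and that the trailing 1/0 flag on port lines means enabled/disabled.

```python
"""Parser and sanity checker for an external ACL import file (import.dat).

Added example; not Avaya's iptcfg tool. Assumptions beyond the guide:
  - "trusted node <local IPv4> <trusted IPv4>" follows the order of the
    iptcfg "Add a new trusted node" prompts (local address first).
  - The trailing flag on port and mediaports lines is 1 = enabled,
    0 = disabled, matching the iptcfg "Enter port status" prompt.
"""
import ipaddress
from dataclasses import dataclass, field

PORT_KEYWORDS = {"siptcpport", "siptcptlsport", "httpport", "httpsport",
                 "wcshttp", "wcshttps", "wcsflashpolicy"}


@dataclass
class AclConfig:
    trusted: dict = field(default_factory=dict)  # local IP -> set of trusted IPs
    ports: dict = field(default_factory=dict)    # keyword -> (port, enabled)
    media: tuple = None                          # (low, high, enabled)
    dscp_enabled: bool = False
    dscp: dict = field(default_factory=dict)     # DSCP category id -> value
    errors: list = field(default_factory=list)   # "line N: ...: reason"


def parse_import_dat(text: str) -> AclConfig:
    """Parse import.dat text; malformed lines are recorded, not fatal."""
    cfg = AclConfig()
    for lineno, raw in enumerate(text.splitlines(), 1):
        tok = raw.split()
        if not tok or tok[0].startswith("#"):
            continue
        try:
            if tok[0] == "trusted" and tok[1] == "node":
                local = str(ipaddress.IPv4Address(tok[2]))   # raises on a bad IP
                remote = str(ipaddress.IPv4Address(tok[3]))
                cfg.trusted.setdefault(local, set()).add(remote)
            elif tok[0] in PORT_KEYWORDS:
                port, flag = int(tok[1]), tok[2]
                if not 1 <= port <= 65535 or flag not in ("0", "1"):
                    raise ValueError("bad port number or status flag")
                cfg.ports[tok[0]] = (port, flag == "1")
            elif tok[0] == "mediaports":
                low, high, flag = int(tok[1]), int(tok[2]), tok[3]
                if not 1 <= low <= high <= 65535 or flag not in ("0", "1"):
                    raise ValueError("bad media port range or status flag")
                cfg.media = (low, high, flag == "1")
            elif tok[0] == "dscpenabled":
                if tok[1] not in ("true", "false"):
                    raise ValueError("dscpenabled must be true or false")
                cfg.dscp_enabled = tok[1] == "true"
            elif tok[0] == "dscpvalue":
                cat, val = int(tok[1]), int(tok[2])
                if not 0 <= val <= 63:  # DSCP is a 6-bit field
                    raise ValueError("DSCP value outside 0..63")
                cfg.dscp[cat] = val
            else:
                raise ValueError("unknown keyword")
        except (IndexError, ValueError) as exc:  # AddressValueError is a ValueError
            cfg.errors.append(f"line {lineno}: {raw!r}: {exc}")
    return cfg


def lockout_risk(cfg: AclConfig, admin_ip: str) -> bool:
    """True when admin_ip is not a trusted node of any local address; committing
    such a file blocks the administrator's own access (the guide's WARNING)."""
    return not any(admin_ip in nodes for nodes in cfg.trusted.values())


def enabled_ports(cfg: AclConfig) -> list:
    """(keyword, port) pairs flagged enabled, to compare with the layout table."""
    return sorted((kw, port) for kw, (port, on) in cfg.ports.items() if on)


# Sample input: the guide's Element Manager example file, reproduced verbatim.
SAMPLE = """\
trusted node 192.168.209.241 192.168.209.22
trusted node 192.168.209.241 192.168.209.10
trusted node 192.168.209.241 192.168.209.20
trusted node 192.168.209.241 192.168.209.13
siptcpport 5060 0
siptcptlsport 5061 1
httpport 80 1
httpsport 443 1
wcshttp 8140 0
wcshttps 8141 0
wcsflashpolicy 8142 0
dscpenabled false
dscpvalue 1 48
dscpvalue 2 18
dscpvalue 3 16
mediaports 6000 42599 1
"""

if __name__ == "__main__":
    cfg = parse_import_dat(SAMPLE)
    print("parse errors:", cfg.errors)
    print("enabled ports:", enabled_ports(cfg))
    # 192.168.209.99 is a constructed administrator address absent from the file.
    print("lockout risk for 192.168.209.99:", lockout_risk(cfg, "192.168.209.99"))
```

Run it against the real file on each server before step 7 of the import procedure; a True lockout result means the administrator computer still has to be added as a trusted node.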

Chapter 10: TLS mutual authentication

The TLS mutual authentication mode requires that both the server endpoint and the client endpoint
exchange X.509 certificates for authentication. Interfaces between network elements continue to
enforce TLS mutual authentication as the mandatory setting.
For TLS mutual authentication, Avaya Aura® Conferencing supports only user devices that are used
as administrator computers.

Enabling mutual authentication mode for SIP


Procedure
1. Log on to Element Manager Console.
2. In the navigation pane of Element Manager Console, click Feature Server Elements >
Application Servers > <Application Server name> > Configuration Parameters.
3. From the Parm Group drop-down list box in the Application Server Configuration Parameters
window, select TLSAuth.
4. Click EnforceTLSMutualAuthForSIP, and click Edit (-/+).
5. From the Value box in the Edit Application Server - TLSAuth Config Parm dialog box, select
true.
6. Click Apply.
7. Close the Application Server Configuration Parameters window.
8. Restart the NE instance.

Enabling mutual authentication mode for Element Manager


Before you begin
Get a client certificate that is signed by a Certificate Authority that Element Manager trusts. If the
client certificate is not trusted by Element Manager, you cannot log in to Element Manager Console
after you perform this procedure.

Procedure
1. Log in to Element Manager Console.
2. In the navigation pane of Element Manager Console, click Feature Server Elements >
Element Manager > Element Manager > Configuration Parameters.
3. In the Element Manager Configuration Parameters window, from the Parm Group field,
select TLSAuth.
4. Click EnforceTLSMutualAuthForHTTPS, and click Edit (-/+).
5. In the Edit Element Manager - TLSAuth Config Parm dialog box, from the Value box, select
true.
6. Click Apply.
7. Close the Element Manager Configuration Parameters window.
8. Restart the standby Element Manager instance.
9. After the standby Element Manager instance moves to the hot standby state, stop the
active Element Manager instance.
Element Manager fails over to the backup instance. Element Manager Console loses
connectivity during the failover.
10. Log in to Element Manager Console again.
11. Start the Element Manager backup instance.

Chapter 11: Cipher suite configuration

This chapter contains the procedures to configure cipher suites.


Perform the procedures only if you are upgrading to Avaya Aura® Conferencing Release 8.0.

Configuring OAMP ciphers


About this task
Use this procedure to configure Operations, Administration, Maintenance, and Provisioning (OAMP)
ciphers.
Procedure
1. Log in to Element Manager Console.
2. In the navigation pane of Element Manager Console, click Security > Cipher Suites >
OAMP Channel Cipher Suites.
3. In the OAMP Channel Cipher Suites dialog box, select
TLS_RSA_WITH_AES_128_CBC_SHA, and click Enable.
4. Ensure that the other cipher suite entries are disabled.
5. Click Apply.

Configuring HTTPS ciphers


Procedure
1. Log in to Element Manager Console.
2. In the navigation pane of Element Manager Console, click Security > Cipher Suites >
HTTPS Cipher Suites.
3. In the HTTPS Cipher Suites dialog box, perform the following steps:
a. Select SSL_RSA_WITH_3DES_EDE_CBC_SHA, and click Enable.
b. Select TLS_RSA_WITH_AES_128_CBC_SHA, and click Enable.
4. Ensure that the other cipher suite entries are disabled.

5. Restart the following network elements to apply the changes: PROV, WCS, DCS and EM.

Configuring signaling ciphers


Use this procedure to configure signaling ciphers.
Procedure
1. Log on to Element Manager Console.
2. In the navigation pane of Element Manager Console, click Security > Cipher Suites >
Signaling Cipher Suites.
3. In the Signaling Cipher Suites dialog box, perform the following steps:
a. Select the TLS_RSA_WITH_AES_128_CBC_SHA cipher suite entry and click Enable.
b. Select the TLS_RSA_WITH_AES_256_CBC_SHA cipher suite entry and click Enable.
c. Select the TLS_RSA_WITH_NULL_SHA cipher suite entry and click Disable.
4. Click Apply.

system audit
audit logs ...................................................................... 43
audit rules ..................................................................... 43
backing up audit logs ....................................................43
file system .....................................................................45
servers ..........................................................................43

T
timers ................................................................................... 16
