
NetAct™ 22

Administering NetAct System Security


DN0979438_C
Issue: 5-2 Final

© 2021 Nokia. Nokia Confidential Information

Use subject to agreed restrictions on disclosure and use.


Administering NetAct System Security DN0979438_C 5-2 Disclaimer

Nokia is committed to diversity and inclusion. We are continuously reviewing our customer documentation and consulting with standards
bodies to ensure that terminology is inclusive and aligned with the industry. Our future customer documentation will be updated accordingly.

This document includes Nokia proprietary and confidential information, which may not be distributed or disclosed to any third parties without
the prior written consent of Nokia.

This document is intended for use by Nokia’s customers (“You”/”Your”) in connection with a product purchased or licensed from any company
within Nokia Group of Companies. Use this document as agreed. You agree to notify Nokia of any errors you may find in this document;
however, should you elect to use this document for any purpose(s) for which it is not intended, You understand and warrant that any
determinations You may make or actions You may take will be based upon Your independent judgment and analysis of the content of this
document.

Nokia reserves the right to make changes to this document without notice. At all times, the controlling version is the one available on Nokia’s
site.

No part of this document may be modified.

NO WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY OF AVAILABILITY,
ACCURACY, RELIABILITY, TITLE, NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE, IS MADE IN
RELATION TO THE CONTENT OF THIS DOCUMENT. IN NO EVENT WILL NOKIA BE LIABLE FOR ANY DAMAGES, INCLUDING BUT NOT
LIMITED TO SPECIAL, DIRECT, INDIRECT, INCIDENTAL OR CONSEQUENTIAL OR ANY LOSSES, SUCH AS BUT NOT LIMITED TO LOSS
OF PROFIT, REVENUE, BUSINESS INTERRUPTION, BUSINESS OPPORTUNITY OR DATA THAT MAY ARISE FROM THE USE OF THIS
DOCUMENT OR THE INFORMATION IN IT, EVEN IN THE CASE OF ERRORS IN OR OMISSIONS FROM THIS DOCUMENT OR ITS CONTENT.

This document is Nokia's proprietary and confidential information, which may not be distributed or disclosed to any third parties without the
prior written consent of Nokia.

Copyright and trademark: Nokia is a registered trademark of Nokia Corporation. Other product names mentioned in this document may be
trademarks of their respective owners.

© 2021 Nokia.



Contents
1 System security overview............................................................................................................................ 16
1.1 Security Administration and System Hardening tasks............................................................................16
1.2 Node structure overview......................................................................................................................... 18

2 Managing certificates.................................................................................................................................... 19
2.1 Introduction to multi-layered certificates................................................................................................. 19
2.2 Checking requirement of generating and installing certificates for usecases......................................... 20
2.3 Installing multi-layered certificates for NetAct services.......................................................................... 22
2.4 Selecting certification authority............................................................................................................... 23
2.4.1 NetAct CA....................................................................................................................................... 23
2.4.1.1 Providing basic configuration data for CA............................................................................. 23
2.4.1.2 Upgrading NetAct CA installation on separate machine........................................................ 27
2.4.1.3 Generating CA certificates and CRLs....................................................................................28
2.4.1.4 Publishing CRLs..................................................................................................................... 30
2.4.2 Third party CA................................................................................................................................ 31
2.5 Creating certificates.................................................................................................................................31
2.5.1 Requirements to generate certificates externally........................................................................... 33
2.5.2 Creating private-key and certificates.............................................................................................. 34
2.5.2.1 Providing basic configuration data......................................................................................... 34
2.5.2.2 Generating certificate signing requests and keys.................................................................. 35
2.5.2.3 Signing certificates................................................................................................................. 37
2.5.2.3.1 Signing using NetAct CA............................................................................................... 37
2.5.2.3.2 Signing using third party CA..........................................................................................40
2.6 Installing certificates................................................................................................................................ 41
2.6.1 Transferring certificates to NetAct.................................................................................................. 41
2.6.2 Installing certificates for selected usecase..................................................................................... 42
2.6.3 Cleanup........................................................................................................................................... 43
2.7 Installing root certificate on browser....................................................................................................... 44
2.8 Installing root CA certificate of specific end point to user workstation browser...................................... 44
2.9 Installing certificates on standby site in DR environment....................................................................... 45
2.10 Adding additional trust anchors............................................................................................................ 48
2.11 Adding additional trust anchors in standby site.................................................................................... 49
2.12 Usecases and end point mapping........................................................................................................ 52
2.13 Root CA certificate for NetAct services................................................................................................ 53
2.14 Converting certificates to PEM format.................................................................................................. 54
2.15 Get issuer name....................................................................................................................................54
2.16 Rolling back certificate configuration.................................................................................................... 55
2.17 Migrating Certificates.............................................................................................................................56
2.17.1 Assessment for SHA2 migration.................................................................................................. 57
2.17.1.1 Southbound...........................................................................................................................58
2.17.1.2 Northbound........................................................................................................................... 59
2.17.1.3 NetAct WebApps.................................................................................................................. 60
2.17.1.4 Hardware and virtual infrastructure...................................................................................... 60


2.17.1.5 Node manager......................................................................................................................60


2.17.1.6 Customization and other OSS products...............................................................................60
2.17.1.7 NTCApp................................................................................................................................ 60
2.17.2 Hardware certificate migration...................................................................................................... 60
2.17.3 Virtual infrastructure certificate migration..................................................................................... 61
2.17.4 Node Manager certificate migration............................................................................................. 61
2.17.5 Southbound certificate migration.................................................................................................. 61
2.17.5.1 Generating certificates..........................................................................................................62
2.17.5.2 Importing Network Element root certificate to NetAct services............................................ 62
2.17.5.3 Generating and applying end-entity certificates for Core Network Elements....................... 63
2.17.5.4 Importing NetAct root certificate to Network Elements........................................................ 63
2.17.5.5 Applying certificates to NetAct services............................................................................... 64
2.17.5.6 Generating and applying end-entity certificates on Radio Network Elements......................64
2.17.6 Northbound certificate migration...................................................................................................64
2.17.6.1 Generating certificates for NBI services...............................................................................65
2.17.6.2 Importing NetAct root certificates to High Level Systems....................................................65
2.17.6.3 Applying certificates to NBI services....................................................................................65
2.17.6.4 Importing High Level Systems root certificate to NetAct NBI services.................................65
2.17.6.5 Generating and applying certificates on High Level Systems..............................................65
2.17.7 NetAct WebApps migration...........................................................................................................65
2.17.8 NTCApp migration........................................................................................................................ 66
2.18 Creating keystore with end-entity certificate and immediate issuer......................................................66
2.19 Troubleshooting..................................................................................................................................... 68

3 Managing certificates for hardware devices.............................................................................................. 69


3.1 HPE onboard administrator.....................................................................................................................69
3.1.1 Steps to generate CSR.................................................................................................................. 69
3.1.2 Import certificate............................................................................................................................. 70
3.2 HPE iLO.................................................................................................................................................. 71
3.2.1 Steps to Generate CSR................................................................................................................. 71
3.2.2 Import certificate............................................................................................................................. 72
3.3 HPE Virtual Connect............................................................................................................................... 72
3.3.1 Steps to generate CSR.................................................................................................................. 72
3.3.2 Import certificate............................................................................................................................. 73
3.4 HPE Synergy 12000............................................................................................................................... 73
3.4.1 OneView..........................................................................................................................................73
3.4.1.1 Steps to generate CSR.......................................................................................................... 73
3.4.1.2 Adding root/intermediate CA certificate to OneView and browser......................................... 74
3.4.1.3 Import certificate..................................................................................................................... 75
3.4.2 Synergy 480 Gen10 iLO.................................................................................................................75
3.4.2.1 Steps to generate CSR.......................................................................................................... 75
3.4.2.2 Import certificate..................................................................................................................... 76
3.5 EMC VNX storage...................................................................................................................................77
3.5.1 Steps to generate CSR.................................................................................................................. 77
3.5.1.1 Enabling DNS on the array via GUI...................................................................................... 77
3.5.2 Import certificate............................................................................................................................. 78


3.6 EMC Unity storage..................................................................................................................................79


3.6.1 Steps to generate CSR.................................................................................................................. 79
3.6.2 Import certificate............................................................................................................................. 81
3.7 SAN SWITCH..........................................................................................................................................82
3.7.1 Steps to generate CSR.................................................................................................................. 82
3.7.1.1 Generating a public/private key pair...................................................................................... 82
3.7.1.2 Generating and storing a certificate signing request............................................................. 82
3.7.1.3 Obtaining certificates.............................................................................................................. 82
3.7.2 Import certificate............................................................................................................................. 83
3.8 MSA Storage (2040/2050)...................................................................................................................... 84
3.8.1 Steps to generate CSR.................................................................................................................. 84
3.8.2 Import certificate............................................................................................................................. 85
3.9 Common certificate related information for hardware devices............................................................... 86
3.10 SSL certificate verification.....................................................................................................................88
3.11 Installing root certificate on browser..................................................................................................... 88
3.11.1 Installing root certificate on Internet Explorer............................................................................... 89
3.11.2 Installing root certificate on Google Chrome................................................................................ 89
3.11.3 Installing root certificate on Firefox...............................................................................................90

4 Managing certificate for HPE SIM server....................................................................................................91


4.1 Generating and Installing Certificates.....................................................................................................91
4.1.1 Generating configuration files and certificate request.................................................................... 91
4.1.2 Signing server certificates.............................................................................................................. 91
4.1.2.1 Signing using NetAct CA........................................................................................................92
4.1.2.2 Signing using Third party CA................................................................................................. 93
4.1.3 Installing certificates........................................................................................................................93

5 Managing certificates for VMware vSphere................................................................................................95


5.1 Configuring certificates signed by custom third-party CA for vCenter Server Appliance 7.x...................95
5.1.1 System and Environment requirements......................................................................................... 95
5.1.2 Generating and installing certificate for vCenter............................................................................ 96
5.1.2.1 Generating, installing, and configuring certificates for vCenter..............................................96
5.1.2.2 Updating vManager and vcenterselfmon vcenter certificates................................................ 97
5.2 Generating, installing, and configuring custom third-party CA certificates for ESXi host........................97
5.3 Changing certificate mode to custom..................................................................................................... 98
5.4 Rollback or regenerate vSphere certificates to use self-signed VMware CA......................................... 99
5.5 Verifying installed certificates.................................................................................................................. 99

6 Managing certificates for AVE and AVECP...............................................................................................100


6.1 Managing certificates for AVE...............................................................................................................100
6.2 Managing certificates during AVE upgrade...........................................................................................106
6.3 Managing certificates for AVECP..........................................................................................................106
6.3.1 Signing certificate for AVECP using NetAct CA........................................................................... 109
6.3.2 Signing certificate for AVECP using third-party CA......................................................................111
6.4 Managing certificates during AVECP upgrade......................................................................................111


7 Managing certificates for Nokia Telco Cloud Application (NTCApp)..................................................... 112


7.1 Generating and installing certificates for NTCApp................................................................................112

8 Managing certificates for Centralized License Server (CLS).................................................................. 114


8.1 Generating certificates for CLS.............................................................................................................114
8.2 Installing certificates on CLS Frontend VM.......................................................................................... 116
8.3 Installing certificate on CLS Backend VM............................................................................................ 117

9 Configuring southbound interface (SBI) and HTTP for TLS................................................................... 119


9.1 Configuring NE3S/WS southbound interface for TLS connection........................................................ 119
9.1.1 Creating keys and certificates and installing certificates for TLS connection............................... 119
9.1.2 Enabling Transport Layer Security connection for existing objects.............................................. 119
9.1.3 Disabling Transport Layer Security connection for existing objects............................................. 120
9.1.4 Decrypting passwords...................................................................................................................121

10 Configuring Northbound Interfaces.........................................................................................................122


10.1 Security Configuration for SNMP V3.................................................................................................. 122
10.2 Configuring secure communication for NBI........................................................................................ 122
10.2.1 NBI Overview.............................................................................................................................. 122
10.2.2 Enabling secure communication for NBI.................................................................................... 124
10.2.3 Disabling secure communication for NBI................................................................................... 125
10.2.4 Enabling weak ciphers of SSL/TLS for NBI............................................................................... 125
10.2.4.1 Enabling weak ciphers of SSL/TLS for nbi3gcom..............................................................125
10.2.4.2 Enabling weak ciphers of SSL/TLS for 3GPP Rel6 CORBA FM NBI................................ 126
10.2.5 Disabling weak ciphers of SSL/TLS for NBI.............................................................................. 127
10.2.5.1 Disabling weak ciphers of SSL/TLS for nbi3gcom.............................................................127
10.2.5.2 Disabling weak ciphers of SSL/TLS for 3GPP Rel6 CORBA FM NBI................................128

11 Managing NWI3 Interface Security.......................................................................................................... 129


11.1 Adding certificates for CM upload.......................................................................................................129
11.2 Adding network element certificate to NWI3 mediation's truststore.................................................... 129
11.3 Configuring the Tomcat NWI3-HTTP server....................................................................................... 130
11.3.1 Installing New Certificate for Tomcat NWI3-HTTP Server.......................................................... 130
11.3.2 Disabling HTTP to enforce secure communication.................................................................... 130
11.3.3 Restoring HTTP.......................................................................................................................... 130
11.3.4 Enabling CRL checking of network element certificates by Tomcat........................................... 131
11.3.5 Disabling CRL checking of network element certificates by Tomcat.......................................... 131
11.3.6 Configuring DHE keysize............................................................................................................ 132
11.4 Turning on CRL checking of network element certificates on NetAct................................................. 133
11.5 Configuring certificates on network elements..................................................................................... 133
11.5.1 CMP server................................................................................................................................. 133
11.5.2 Generation and installation of a new certificate on a network element...................................... 134
11.5.3 Using NWI3 certificate Management CLI tool............................................................................ 136
11.5.3.1 Common options.................................................................................................................136
11.5.3.2 Set operation...................................................................................................................... 139


11.5.3.3 Remove root certificate operation...................................................................................... 140


11.5.3.4 Trigger CMP initialization operation....................................................................................141
11.5.3.5 Trigger CMP key update sequence operation....................................................................141
11.5.3.6 Trigger Update on Certificate Revocation List operation....................................................142
11.6 Requirements for the end-entity certificate on the network element to communicate successfully with NetAct.......... 142
11.7 Requirements for the CA certificate on the network element to communicate successfully with NetAct.................... 145
11.8 Requirements for the CRLs used by NetAct and by the network element to function correctly.......... 148

12 Managing XoH Interface Security............................................................................................................ 151


12.1 Supported XOH ciphers...................................................................................................................... 151
12.2 Enabling weak ciphers........................................................................................................................ 156
12.3 Disabling weak ciphers....................................................................................................................... 157

13 Managing certificates for GSM BTS........................................................................................................ 159


13.1 Verifying ACM license......................................................................................................................... 159
13.2 ACM configuration...............................................................................................................................160
13.3 Command Line Interface (CLI)........................................................................................................... 160
13.3.1 User setting for CLI.................................................................................................................... 161
13.3.2 Command options.......................................................................................................................161
13.3.3 Initialize operator certificate........................................................................................................ 162
13.3.4 Update operator certificate......................................................................................................... 162
13.3.5 Certificate Revocation List (CRL) download...............................................................................163
13.3.6 Remove root certificate...............................................................................................................163

14 Hardening of NetAct Virtual Infrastructure (VI)......................................................................................165


14.1 Activating Virtual Infrastructure Security Settings............................................................................... 166
14.1.1 Restore installation config files...................................................................................................166
14.1.2 Verifying Virtual Infrastructure Hardening...................................................................................167
14.1.3 Activating security settings......................................................................................................... 167
14.2 De-activating of security settings........................................................................................................ 169
14.3 Modifying Virtual Infrastructure Security Settings............................................................................... 170
14.4 Managing TLSv1 protocol for vCenter and ESXi............................................................................... 172
14.4.1 Creating backup for existing TLS configuration......................................................................... 173
14.4.2 Disabling TLSv1 protocol............................................................................................................173
14.4.3 Enabling TLSv1 protocol............................................................................................................ 179

15 Hardening for NetAct applications and services................................................................................... 183


15.1 Managing TLS version protocol and TLS cipher configuration...........................................................183
15.1.1 Managing TLS protocol configuration.........................................................................................184
15.1.1.1 TLS protocol assessment tool............................................................................................184
15.1.1.2 Checking TLS configuration state of NetAct system..........................................................187
15.1.1.3 Disabling TLS version from NetAct services......................................................................189
15.1.1.4 Enabling TLS version in NetAct services...........................................................................191
15.1.1.5 Managing TLS protocol configuration for Oracle EM Database Express........................... 192
15.1.1.6 Taking backup of current TLS status of system.................................................................194

15.1.1.7 Restoring TLS status of the system...................................................................................194


15.1.1.8 Listing backup files.............................................................................................................196
15.1.1.9 Syncing TLS states of all services between active and standby site..................................197
15.1.2 Managing TLS cipher configuration............................................................................................198
15.1.2.1 Managing TLS ciphers in IHS server.................................................................................198
15.1.2.1.1 Disabling weak ciphers configuration in IHS............................................................. 198
15.1.2.1.2 Enabling weak ciphers configuration in IHS.............................................................. 199
15.1.2.2 Managing TLS ciphers in NWI3 HTTPS client...................................................................200
15.1.2.2.1 Enabling RC4 ciphers in NWI3 HTTPS client............................................................200
15.1.2.2.2 Disabling RC4 ciphers in NWI3 HTTPS client...........................................................200
15.1.2.3 Managing TLS ciphers in httpd service............................................................................. 201
15.1.2.3.1 Listing supported ciphers in NE3S/WS httpd service................................................ 201
15.1.2.3.2 Disabling or enabling cipher in NE3S/WS httpd service............................................202
15.1.2.3.3 Synchronizing cipher change on standby site for DR based system......................... 204
15.1.2.4 Managing TLS ciphers in common_mediations................................................................. 205
15.1.2.4.1 Listing supported ciphers in common_mediations service......................................... 205
15.1.2.4.2 Restoring default cipher setting in common_mediations service............................... 206
15.1.2.4.3 Disabling or enabling ciphers in common_mediations service.................................. 207
15.1.2.5 Managing TLS ciphers in NBI............................................................................................ 209
15.1.2.5.1 Disabling DES ciphers............................................................................................... 209
15.1.2.6 Managing TLS ciphers in directory server......................................................................... 209
15.1.2.6.1 Enabling or disabling ciphers in directory server....................................................... 209
15.1.2.7 Managing TLS ciphers in Node Manager server............................................................... 219
15.1.2.7.1 Enabling or disabling ciphers.....................................................................................219
15.1.2.8 Managing TLS ciphers in IBM WebSphere application server (WAS)............................... 219
15.1.2.8.1 Disabling weak ciphers configuration in IBM WebSphere application server (WAS)... 219
15.1.2.8.2 Enabling weak ciphers configuration in IBM WebSphere application server (WAS)... 221
15.1.2.9 Managing TLS ciphers in HPE SIM................................................................................... 222
15.1.2.9.1 Disabling weak ciphers configuration in HPE SIM.....................................................222
15.1.2.9.2 Enabling weak ciphers configuration in HPE SIM..................................................... 224
15.2 Hardening SSH client configuration....................................................................................................226
15.2.1 Hardening core mediation or application....................................................................................226
15.2.1.1 SSH hardening in core mediation or application................................................................226
15.2.1.1.1 Enabling or disabling ciphers.....................................................................................226
15.2.2 Hardening ciphers for SSH client of MML mediation................................................................. 233
15.2.2.1 Enabling weak ciphers for SSH client of MML mediation.................................................. 234
15.2.2.2 Disabling weak ciphers for SSH client of MML mediation................................................. 234
15.2.3 Hardening ciphers for SSH client of SCLI mediation................................................................. 234
15.2.3.1 Enabling weak ciphers for SSH client of SCLI mediation.................................................. 235
15.2.3.2 Disabling weak ciphers for SSH client of SCLI mediation................................................. 235
15.2.4 Hardening ciphers for SSH client of CM application.................................................................. 235
15.2.4.1 Enabling weak ciphers for SSH client of CM application................................................... 235
15.2.4.2 Disabling weak ciphers for SSH client of CM application.................................................. 236
15.2.5 Hardening ciphers for SSH client of Monitor application............................................................237
15.2.5.1 Enabling weak ciphers for SSH client of Monitor application.............................................237
15.2.5.2 Disabling weak ciphers for SSH client of Monitor application............................................ 238


15.2.6 Hardening SSH and SFTP client of Q3 mediation..................................................................... 239


15.2.6.1 Disabling weak secure algorithms for SSH and SFTP client of Q3 mediation................... 240
15.2.6.2 Enabling weak secure algorithms for SSH and SFTP client of Q3 mediation.................... 240
15.2.7 Hardening ciphers, macs, key exchanges for SFTP client of SAM mediation........................... 241
15.2.7.1 Enabling weak ciphers, macs, key exchanges for SFTP client of SAM mediation............. 241
15.2.7.2 Disabling weak ciphers, macs, key exchanges for SFTP client of SAM mediation............ 242
15.3 Hardening SSH server configuration.................................................................................................. 242
15.3.1 Hardening Ciphers, MACs, and KexAlgorithms in SSH server.................................................. 242
15.3.1.1 Disabling weak Ciphers, MACs, and KexAlgorithms in SSH server.................................. 244
15.3.1.2 Enabling weak Ciphers, MACs, and KexAlgorithms in SSH server................................... 247
15.4 Hardening of Configuration Management Applications and NASDA Web Services........................... 249
15.4.1 Enabling showing stack traces in CM Applications and CLI...................................................... 249
15.4.2 Enabling showing stack traces in NASDA Web Services.......................................................... 249
15.5 Configuring anonymous LDAP bind....................................................................................................250
15.5.1 Disabling anonymous bind to LDAP...........................................................................................250
15.5.2 Enabling anonymous bind to LDAP........................................................................................... 251
15.6 Controlling Root SSH login................................................................................................................. 253
15.6.1 Disabling root SSH login............................................................................................................ 253
15.6.2 Enabling root SSH login............................................................................................................. 254
15.7 Changing passwords...........................................................................................................................255
15.8 Configuring trust anchors for dirsrv truststore.................................................................................... 256
15.8.1 Adding extra trust anchor to dirsrv service truststore.................................................................256
15.8.2 Removing a trust anchor from dirsrv service truststore............................................................. 257
15.9 Configuring su access permissions.................................................................................................... 258
15.10 Disabling of additional unnecessary services................................................................................... 259
15.10.1 Enabling of disabled Linux services......................................................................................... 261
15.11 Handling slow HTTP denial of service attack................................................................................... 262

16 Managing auditd service in Avamar Virtual Edition.............................................................................. 263


16.1 Enabling auditd service.......................................................................................................................263
16.2 Disabling auditd service...................................................................................................................... 263

17 Managing FIPS in Avamar Virtual Edition.............................................................................................. 264


17.1 Enabling FIPS..................................................................................................................................... 264
17.2 Disabling FIPS.....................................................................................................................................265

18 Configuring additional audit rules...........................................................................................................266


18.1 Updating audit rules............................................................................................................................ 266
18.2 Revoking audit rules........................................................................................................................... 267
18.3 Verifying audit rules.............................................................................................................................268

19 Operating System Hardening................................................................................................................... 271


19.1 Managing specific hardening features................................................................................................ 271
19.1.1 Managing core dumps................................................................................................................ 271
19.1.1.1 Enabling core dumps......................................................................................................... 271
19.1.1.2 Disabling core dumps.........................................................................................................271


19.1.2 Hardening partition......................................................................................................................272


19.1.2.1 Enabling restrictions for partition........................................................................................272
19.1.2.2 Reverting partition restrictions to default settings.............................................................. 275
19.1.3 Handling insecure FTP port........................................................................................................276
19.1.3.1 Disabling insecure FTP port...............................................................................................276
19.1.3.2 Enabling insecure FTP port............................................................................................... 277
19.1.4 Hardening SSHD configuration...................................................................................................278
19.1.4.1 Reconfiguring SSHD parameters....................................................................................... 278
19.1.4.2 Reverting SSHD configuration to default setting................................................................281
19.1.5 Strengthening OS user password configuration.........................................................................282
19.1.5.1 Setting password policy for OS users................................................................................282
19.1.5.1.1 Setting password minimum length for OS users....................................................... 282
19.1.5.1.2 Setting minimum number of days between password change value......................... 283
19.1.6 Reverting password policy settings............................................................................................ 284

20 Hardening of Node Manager Server........................................................................................................286


20.1 Configuring Node Manager Server Hardening................................................................................... 286
20.1.1 Additional group policy settings..................................................................................................290
20.2 Managing hardening settings.............................................................................................................. 293
20.2.1 Enabling hardening settings....................................................................................................... 293
20.2.2 Disabling hardening settings...................................................................................................... 295
20.2.3 Checking hardening status......................................................................................................... 299
20.3 Configuring Windows Defender Remote Credential Guard................................................................ 300

21 Microsoft Defender Antivirus................................................................................................................... 302


21.1 Verifying Microsoft Defender Antivirus status..................................................................................... 302
21.2 Enabling Windows Defender Antivirus................................................................................................302
21.3 Updating the Windows Defender Antivirus Definitions....................................................................... 303
21.4 Disabling Windows Defender Antivirus............................................................................................... 304

22 Managing TLS version protocol for NetAct hardware devices.............................................................306


22.1 HPE Onboard Administrator............................................................................................................... 307
22.1.1 Disabling TLS version.................................................................................................................307
22.1.2 Enabling TLS version................................................................................................................. 307
22.2 HPE iLO.............................................................................................................................................. 308
22.2.1 HPE iLO4.................................................................................................................................... 308
22.2.1.1 Disabling TLS version........................................................................................................ 308
22.2.1.2 Enabling TLS version......................................................................................................... 308
22.2.2 HPE iLO5.................................................................................................................................... 309
22.2.2.1 Disabling TLS version........................................................................................................ 309
22.2.2.2 Enabling TLS version......................................................................................................... 309
22.3 HPE SAN switch................................................................................................................................. 309
22.3.1 Disabling TLS version.................................................................................................................310
22.3.2 Enabling TLS version................................................................................................................. 311
22.4 HPE Virtual Connect........................................................................................................................... 311
22.4.1 Disabling TLS version.................................................................................................................311


22.4.2 Enabling TLS version................................................................................................................. 312


22.5 EMC Unity Storage............................................................................................................................. 312
22.5.1 Disabling TLS version.................................................................................................................313
22.5.2 Enabling TLS version................................................................................................................. 313
22.6 EMC VNX2.......................................................................................................................................... 314
22.6.1 Disabling TLS version.................................................................................................................314
22.6.2 Enabling TLS version................................................................................................................. 315
22.7 HPE 5500/5510/5900 LAN switches.................................................................................................. 316

23 Managing TLS cipher configuration for hardware devices...................................................................317


23.1 HPE Onboard Administrator............................................................................................................... 317
23.1.1 Disabling weak ciphers...............................................................................................................317
23.1.2 Enabling weak ciphers................................................................................................................318
23.2 HPE iLO.............................................................................................................................................. 319
23.2.1 HPE iLO4.................................................................................................................................... 319
23.2.1.1 Disabling weak ciphers...................................................................................................... 319
23.2.1.2 Enabling weak ciphers....................................................................................................... 320
23.2.2 HPE iLO5.................................................................................................................................... 320
23.2.2.1 Disabling weak ciphers...................................................................................................... 320
23.2.2.2 Enabling weak ciphers....................................................................................................... 321
23.3 HPE Virtual Connect........................................................................................................................... 321
23.4 EMC Unity Storage............................................................................................................................. 321
23.4.1 Disabling weak ciphers...............................................................................................................321
23.4.2 Enabling weak ciphers................................................................................................................323
23.5 EMC VNX2.......................................................................................................................................... 324
23.5.1 Disabling weak ciphers...............................................................................................................324
23.5.2 Enabling weak ciphers................................................................................................................325
23.6 HPE 3PAR storage............................................................................................................................. 325
23.7 HPE MSA storage...............................................................................................................................326
23.7.1 HPE MSA 2040.......................................................................................................................... 326
23.7.2 HPE MSA 2050.......................................................................................................................... 326
23.7.3 HPE Switches............................................................................................................................. 326
23.8 HPE Synergy 12000........................................................................................................................... 326
23.8.1 OneView......................................................................................................................................326
23.8.1.1 Disabling weak ciphers...................................................................................................... 326
23.8.1.2 Enabling weak ciphers....................................................................................................... 327
23.8.2 Synergy 480 Gen10 iLO.............................................................................................................328
23.8.2.1 Disabling weak ciphers...................................................................................................... 328
23.8.2.2 Enabling weak ciphers....................................................................................................... 328

24 Managing SSH cipher configuration for hardware devices.................................................................. 330


24.1 HPE 5510, 5900, and 6127 xlg switches........................................................................................... 330
24.1.1 Disabling weak ciphers...............................................................................................................331
24.2 HPE 5500 switch.................................................................................................................................332
24.3 HPE SAN switch................................................................................................................................. 333
24.3.1 Disabling weak ciphers...............................................................................................................333


24.3.2 Enabling weak ciphers................................................................................................................334

25 Managing SSL 2.0 and SSL 3.0 for AVECP............................................................................................ 336


25.1 Disabling SSL 2.0 and SSL 3.0..........................................................................................................336
25.2 Enabling SSL 2.0 and SSL 3.0...........................................................................................................336

26 Configuring Brute Force protection........................................................................................................ 337


26.1 Brute Force attacks.............................................................................................................................337
26.1.1 Brute force attack on NetAct VMs..............................................................................................337
26.1.2 Brute force attack on NetAct Web services............................................................................... 337
26.1.3 Brute force attack on NetAct Oracle DB.................................................................................... 337
26.2 Configuring brute force protection for SSH........................................................................................ 337
26.3 Configuring brute force protection for Admin Server.......................................................................... 339
26.4 Configuring brute force protection for web services........................................................................... 341
26.5 Configuring brute force detection for Oracle Database...................................................................... 346

27 Configuring Firewall for NetAct............................................................................................................... 349


27.1 Initial Setup for Firewall Environment................................................................................................. 349
27.1.1 TCP Session Timeout.................................................................................................................352
27.1.2 Juniper JunOS............................................................................................................................ 352
27.1.3 Internet Control Message Protocol............................................................................................. 352
27.2 Firewall rules....................................................................................................................................... 353
27.2.1 Firewall rules for NetAct workstation..........................................................................................353
27.2.2 Firewall rules for All VMs........................................................................................................... 353
27.2.3 Firewall rules for VMs that host Administration Server.............................................................. 354
27.2.4 Firewall rules for CLS_BackEnd.................................................................................................354
27.2.5 Firewall rules for CLS_FrontEnd................................................................................................ 355
27.2.6 Firewall rules for VMs with the database................................................................................... 355
27.2.7 Firewall rules for NAPD.............................................................................................................. 355
27.2.8 Firewall rules for VMs to upper OSS through NBI..................................................................... 356
27.2.9 Firewall rules for VMs that host SBI-Common Mediation...........................................................373
27.2.10 Firewall rules for VMs with DNS and LDAP.............................................................................396
27.2.11 Firewall rules for AVE............................................................................................................... 398
27.2.12 Firewall rules for ESXi.............................................................................................................. 399
27.2.13 Firewall rules for VMs that host Fault Management (FM)........................................................ 400
27.2.14 Firewall rules for HW objects................................................................................................... 401
27.2.15 Firewall rules for VMs that host IHS........................................................................................ 405
27.2.16 Firewall rules for VMs that host loadbalancer (LB) and socks................................................. 405
27.2.17 Firewall rules for VMs that host LTE-A_Mediation................................................................... 445
27.2.18 Firewall rules for VMs that host NWI3 mediations................................................................... 446
27.2.19 Firewall rules for VMs that host NX2S and XOH..................................................................... 452
27.2.20 Firewall rules for VMs that host the Node Manager.................................................................462
27.2.21 Firewall rules for VMs that host Q3......................................................................................... 471
27.2.22 Firewall rules for VMs that host Self Monitoring (Self Mon) and/or Hewlett-Packard Enterprise Systems Insight Manager (HPE SIM)............................................................................................. 475
27.2.23 Firewall rules for VMs that host the Security Log NBI (SLNBI)................................................477


27.2.24 Firewall rules for Thresholder and Profiler............................................................................... 478


27.2.25 Firewall rules for VMs that host vCSA..................................................................................... 478
27.2.26 Firewall rules for VMs that host WebSphere............................................................................480
27.2.27 Changes in firewall rules.......................................................................................................... 514

28 Integrating external authentication and authorization server to NetAct..............................................515


28.1 Overview of external authentication and authorization server integration.......................................... 515
28.2 Preparing external authentication and authorization server............................................................... 517
28.2.1 Obtaining users container RDN of external authentication and authorization server................. 520
28.2.2 Exporting root CA certificate from external authentication and authorization server.................. 521
28.2.3 Creating new group in external authentication and authorization server....................................523
28.2.3.1 Identifying groups............................................................................................................... 523
28.2.3.1.1 Identifying NetAct groups...........................................................................................523
28.2.3.1.2 Identifying Node Manager groups..............................................................................523
28.2.3.2 Creating universal groups.................................................................................................. 524
28.2.3.2.1 Considerations in universal groups creation for integration with multiple NetAct clusters.................................................................................................................. 525
28.2.4 Adding external user to universal group of external authentication and authorization server.... 525
28.2.5 Server certificate requirements of external authentication and authorization server.................. 526
28.3 Preparing NetAct................................................................................................................................. 526
28.3.1 Checking NetAct licenses needed for external authentication and authorization server integration.........................................................................................................................527
28.4 Preparing intermediate system........................................................................................................... 527
28.4.1 Setting up firewall rules.............................................................................................................. 528
28.4.2 Setting up routes in network segregation environment.............................................................. 531
28.5 Integrating external authentication and authorization server.............................................................. 532
28.5.1 Enabling NetAct directory server authorization with external authentication and authorization server................................................................................................................................532
28.5.1.1 Updating external authentication and authorization server integration configuration file....535
28.5.1.2 Integrating NetAct directory server with external authentication and authorization server.. 539
28.5.2 Integrating NetAct NMS with external authentication and authorization server..........................541
28.5.2.1 Setup bi-directional DNS forwarding.................................................................................. 541
28.5.2.1.1 Stub zone and conditional forwarders comparison....................................................542
28.5.2.1.2 Setup forwarding using stub zones........................................................................... 543
28.5.2.1.3 Setup forwarding using conditional forwarders..........................................................547
28.5.2.2 Creating one-way external trust......................................................................................... 551
28.5.2.3 Adding universal group of external authentication and authorization server as member of NMS groups........................................................................................................... 553
28.5.2.4 Adding universal group from external authentication and authorization server as member of default Administrators group in NMS AD (Optional).............................................. 554
28.5.2.5 Creating password policy container for EM launch accounts in Node Manager server..... 555
28.5.2.6 Modifying password expiry duration of EM launch users (Optional).................................. 556
28.5.3 Preparing external users............................................................................................................ 559
28.5.4 Verifying external authentication and authorization server integration with NetAct.................... 559

29 Migrating NetAct users to external users...............................................................................................561


29.1 Overview of migrating NetAct users to external users....................................................................... 561


29.2 Exporting NetAct users and NM groups for NetAct users.................................................................. 562
29.2.1 Exporting NetAct users...............................................................................................................563
29.2.2 Exporting NM groups for NetAct users...................................................................................... 563
29.3 Updating exported files for migration..................................................................................................564
29.4 Verifying input file before migration.................................................................................................... 566
29.5 Checking NetAct licenses needed for migrating NetAct users........................................................... 567
29.6 Migrating NetAct users........................................................................................................................567
29.6.1 Listing migrated users................................................................................................................ 569
29.6.2 Cleaning up local users after migration......................................................................................570
29.6.3 Reverting external users to local users......................................................................................571

30 Disintegrating external authentication and authorization server from NetAct....................................572


30.1 Overview of external authentication and authorization server disintegration......................................572
30.2 Disintegrating external authentication and authorization server......................................................... 573
30.2.1 Disintegrating external authentication and authorization server from NetAct directory server....573
30.2.2 Disintegrating external authentication and authorization server from NetAct Node Manager Server............................................................................................................................... 575
30.2.2.1 Removing one-way external trust...................................................................................... 575
30.2.2.2 Removing universal group of external authentication and authorization server as member of NMS groups........................................................................................................... 576
30.2.2.3 Removing forwarding zone from NMS (Optional).............................................................. 578
30.2.3 Disabling authorization for external authentication and authorization server............................. 579
30.3 Verifying external authentication and authorization server disintegration from NetAct....................... 581
30.4 Deleting external user accounts from NetAct (Optional).................................................................... 581

31 Accessing Keycloak server...................................................................................................................... 582


31.1 Addition of certificates for Keycloak OAuth 2.0 client authentication..................................................582
31.1.1 Enable secure communication between CBAM and keycloak................................................... 582
31.1.2 Enable secure communication between ZTS and keycloak.......................................................582
31.2 Configuration of NetAct CA certificates on CBAM..............................................................................583
31.3 Configuration of NetAct CA certificates on ZTS................................................................................. 583
31.4 Requesting initial access token from Keycloak server....................................................................... 583
31.5 Accessing keycloak admin console.................................................................................................... 585
31.6 Retrieving Keycloak realm admin user password...............................................................................586

32 Verifying NetAct security..........................................................................................................................587


32.1 Verifying hardening during runtime..................................................................................................... 587
32.2 Verifying File Access rights.................................................................................................................588
32.2.1 Checking that user home directories are not world-readable.....................................................588
32.2.2 Checking that user dot-files are not group- or world-writable.................................................... 589
32.3 Checking for certificates that are about to expire...............................................................................590
32.3.1 Checking for WebSphere certificates......................................................................................... 590
32.3.2 Checking for directory server..................................................................................................... 590
32.3.3 Checking for filesystem certificates............................................................................................ 591
32.4 Checking WebSphere application server (WAS) configuration...........................................................592
32.4.1 Verifying that dynamic SSL configuration update functionality is disabled................................. 592
32.4.2 Checking SSL security settings for WebSphere application server............................................592

32.5 Verifying status of disabling anonymous bind to LDAP...................................................................... 592


32.6 Verifying status of brute force protection for web services.................................................................593
32.7 Verifying status of brute force detection for Oracle database configuration....................................... 594


1 System security overview


The following sections describe the operating procedures for administering and verifying NetAct
system security. Security administration comprises:

• Certificate Management
• Hardening of the Virtual Infrastructure
• Hardening of NetAct system and services
• Configuring Brute Force protection
• Configuring Firewall for NetAct
• Verifying NetAct Security

1.1 Security Administration and System Hardening tasks


The mandatory and optional administration steps are described in the Table 1: Mandatory security ad-
ministration and system hardening steps and Table 2: Optional security administration and system
hardening steps tables.

Note:

The administration steps require root access to the NetAct virtual machines. Before executing
one or more steps, you must enable root SSH login. See Enabling root SSH login.

Disable root SSH login again afterwards, as described in Disabling root SSH login.

Mandatory security administration and system hardening

The following steps are mandatory to perform a base hardening of the NetAct system. They must be
executed on the NetAct installation after the DCA installation process has been run.

Task: Certificate Management
Chapter: Managing certificates
Mandatory: Yes

Task: Password update
Chapter: Changing passwords
Mandatory: Yes

Task: Firewall configuration
Chapter: Configuring Firewall for NetAct
Mandatory: Yes

Task: Disabling anonymous LDAP bind
Chapter: Disabling anonymous bind to LDAP
Mandatory: Yes

Task: Disable root login
Chapter: Disabling root SSH login
Mandatory: Yes. Disable root login after completing the mandatory and optional steps.

Table 1: Mandatory security administration and system hardening steps

Optional and conditional security administration and system hardening

Task: Certificate Management
Chapter: Managing certificates for hardware devices
Mandatory: Recommended

Task: Certificate Management
Chapter: Managing certificate for HPE SIM server
Mandatory: Recommended

Task: Certificate Management
Chapter: Managing certificates for VMware vSphere
Mandatory: Recommended

Task: Certificate Management
Chapter: Managing certificates for AVE and AVECP
Mandatory: Recommended

Task: Certificate Management
Chapter: Managing certificates for Nokia Telco Cloud Application (NTCApp)
Mandatory: Mandatory for NetAct systems integrating with an external cloud management system or
platform via NTCApp

Task: Certificate Management
Chapter: Managing NWI3 Interface Security
Mandatory: Mandatory for NetAct systems managing NEs with NWI3 via SBI

Task: Certificate Management
Chapter: Managing certificates for GSM BTS
Mandatory: Mandatory for systems managing GSM BTS NEs

Task: Security configuration for SBI
Chapter: Configuring southbound interface (SBI) and HTTP for TLS
Mandatory: Recommended for all southbound mediations used

Task: Security configuration for NBI
Chapter: Configuring Northbound Interfaces
Mandatory: Recommended

Task: Configuring Brute Force protection
Chapter: Configuring Brute Force protection
Mandatory: Recommended

Task: su access permission administration
Chapter: Configuring su access permissions
Mandatory: In special cases only. su access permissions are configured by default; change them only
if optional applications are installed which require additional su permissions.

Task: OS hardening
Chapter:
• Disabling of additional unnecessary services
• Managing specific hardening features
Mandatory: Recommended

Task: Hardening of ciphers
Chapter:
• Managing TLS cipher configuration
• Hardening SSH client configuration
• Hardening SSH server configuration
• Enabling and disabling ciphers in Node Manager Server in Administering Node Manager Server
Mandatory: Optional. Weak ciphers can be enabled or disabled based on the requirements.

Task: Disable TLSv1
Chapter:
• Disabling TLS version from NetAct services
• Managing TLSv1 protocol for vCenter and ESXi
• Managing TLS version protocol for NetAct hardware devices
• Managing TLS protocol in Node Manager Server in Administering Node Manager Server
Mandatory: Optional. TLSv1 can be disabled if all integrated network elements and higher-level
systems use TLSv1.1 or TLSv1.2.

Task: Hardening of TLS protocol
Chapter: Managing TLS protocol configuration for Oracle EM Database Express
Mandatory: Optional. Oracle supports only one enabled TLS version at any time. For Oracle EM
Database (DB) Express, any one of TLSv1.0, TLSv1.1 and TLSv1.2 can be configured.

Task: Hardening of Node Manager Server
Chapter: Hardening of Node Manager Server
Mandatory: Recommended

Table 2: Optional security administration and system hardening steps

Verification of system security

Verification of proper security configuration must be performed regularly, and especially after a
release upgrade or major configuration changes. See Verifying NetAct security.

1.2 Node structure overview


NetAct security settings depend on the node types. The nodes are also referred to as virtual machines
(VMs), hosts or servers.

The main node types are:

• NetAct nodes
• Node Manager nodes

For more information on technical requirements for the underlying hardware in the various NetAct
configurations, see the release-specific NetAct Node Architecture and Resource Plan document
available in the Support portal at https://customer.nokia.com. Accessing the documentation and
software in the portal requires authentication.

Note: If Avamar Virtual Edition (AVE) is used as the backup and restore solution, two
additional VMs are added to the infrastructure:

VM name    Service name
ave        ave
avecp      avecp


2 Managing certificates
Certificates are essential for the security of the NetAct system. The basic part for NetAct, as described
below, is mandatory. Depending on the specific Network Elements (NEs) and customer requirements,
you must also consider the NE-specific parts.

Note: The NetAct nodes referred to in this section are listed by executing the command
/opt/oss/NSN-sm_hardening/bin/getNodeNames.sh --all as root user on the dmgr node.
To identify the relevant virtual machine, see Locating the right virtual machine for a service in
Administering NetAct Virtual Infrastructure.

2.1 Introduction to multi-layered certificates


Certificates (together with a private and public key pair) are used to identify servers to clients and
vice versa, and to secure the communication between them with secure protocols. The certificate used
by the server to authenticate itself towards the client is called a server certificate (serverCert). The
certificate used by the client to authenticate itself towards the server is called a client certificate
(clientCert). The basic principle of the authentication is that the server signs a message with its private
key, which is known only to the server, and the client verifies the signature with the server's public key,
which is provided as part of the published serverCert.

As only the owner of the private key can produce a signature that verifies with the public key, a
message whose signature verifies with the public key must have originated from the owner of the
corresponding private key. The certificate binds that public key to the server's identity; the client can
rely on this binding only if it can also verify the signature on the certificate itself, which is the role of
the Certification Authority described below.

Note: The key pair also works the other way round, that is, a message encrypted with the public
key can only be decrypted by the owner of the corresponding private key.

There are self-signed certificates and multi-layered certificates. With self-signed certificates the recipient
(client) has to know and directly trust each of the serverCerts.

With multi-layered certificates there is one root Certification Authority (CA) and many server certificates
which are issued by the certification authority. The CA signs a server certificate only if it knows the
server, and in that way establishes its chain of trust. The client has to know the root CA and its
certificate (rootCert), which identifies the CA. By trusting the root CA, the client automatically trusts all
certificates issued by the CA. Depending on the CA and its policy, the serverCerts are either issued
directly by the root CA (identified by rootCert) or by an intermediate CA (also known as a subordinate
CA, identified by intCert), whose certificate is in turn issued by the root CA.

The following figure illustrates the flow of multi-layered certificates:


Figure 1: Certificate Flow Overview

1. The client has the rootCert of the root CA in its truststore, which means that it knows and trusts the
root CA.
2. When the client connects to the server, the server presents its serverCert, which the client does not
know. The serverCert is issued by the intermediate CA identified by intCert.
3. The client obtains the intCert (the server normally sends it together with the serverCert). The intCert
is issued by the root CA whose rootCert the client knows and trusts. The client therefore trusts intCert
and finally serverCert. This process of verifying the certificates is known as establishing a chain of
trust.

The issuing of certificates by the CA is done on a secure system. The private key of the CA, which is
used for issuing certificates, is kept secured, whereas the private key of a server (or client) resides on
machines which are not specially protected, is used more frequently and is therefore more exposed to
attack. The period of validity of a rootCert can therefore be longer than the validity of a serverCert or
clientCert. The CA also provides the possibility to revoke compromised certificates. This gives the
following benefits:

• Only the rootCert has to be installed in a client's truststore to establish trust with all servers whose
certificates the CA issued.
• A compromised serverCert key pair can be revoked and replaced by a new serverCert issued by
the same CA without impacting clients connecting to the server.
• The serverCert can be replaced easily and therefore can be given a relatively short lifetime (for
example, 2 years for a serverCert instead of 10 years or more for a rootCert).

2.2 Checking requirement of generating and installing certificates for usecases


Prerequisites

• SSH login as root user has to be enabled. For information on how to enable the root login, see
Enabling root SSH login
• For nbi_open_api usecase, the restda service must be enabled. To activate, see Enabling and
disabling RESTDA in RESTful Web Service Data Access API.


• For 3gpp_corba_nbi usecase, secure communication must be enabled. For more information,
see IIOP configuration in Integrating NetAct to an External NMS Using 3GPP XML Format PM
Northbound Interface.

Execute this task only as part of a northbound or southbound integration or re-integration procedure,
to evaluate whether certificates have to be generated and installed for NetAct services.

To check whether certificates have to be generated and installed for a usecase, do the following:

1. Log in as omc user to the dmgr VM of NetAct and switch to root user.

To locate the dmgr VM, see Locating the right virtual machine for a service in Administering NetAct
Virtual Infrastructure.

2. Execute the following command to change the working directory to SM Cert tool bin directory:

cd /opt/oss/NSN-sm_conf_cert/bin/

3. Execute the following command for a chosen usecase:

./smcert_check_need_of_cert_generation.sh --usecaseName <usecaseName>

where <usecaseName> is the usecase for which the requirement of certificate configurations has
to be checked. To find the list of supported usecases, see Use cases and description.

To know the usage of the script, execute the following command:

./smcert_check_need_of_cert_generation.sh --help

Example:

./smcert_check_need_of_cert_generation.sh --usecaseName nwi3

4. If the Step 3 provides an output to generate and apply certificates for the chosen usecase, follow
the instructions provided in Installing multi-layered certificates for NetAct services.

Note:

• For the usecase nbi_open_api, if you enabled the restda service at the beginning of this
task (see Prerequisites), disable it again afterwards by following the steps provided in
Enabling and disabling RESTDA in RESTful Web Service Data Access API.
• For the usecase 3gpp_corba_nbi, if you enabled secure communication at the beginning
of this task (see Prerequisites), disable it again afterwards by following the steps provided
in IIOP configuration in Integrating NetAct to an External NMS Using 3GPP XML Format PM
Northbound Interface.

5. Disable the root SSH login, if it was enabled. For information on how to disable the root login, see
Disabling root SSH login.

2.3 Installing multi-layered certificates for NetAct services

Prerequisites

Ensure that SSH login as root is enabled on all NetAct nodes. For information, see Enabling root SSH
login.

Certificates for NetAct services can be generated either by the Certification Authority (CA) created
using NetAct-provided scripts (NetAct CA) or by a 3rd party CA.

Figure 2: Steps to install certificates on NetAct using NetAct CA and Figure 3: Steps to install
certificates on NetAct using 3rd party CA depict the steps to create and install certificates using the
NetAct CA and a 3rd party CA respectively.

1. To install certificates on NetAct using NetAct CA:

Figure 2: Steps to install certificates on NetAct using NetAct CA

2. To install certificates on NetAct using 3rd party CA:

The following flow chart depicts the steps to create and install server certificates in NetAct using a
CA that the user already has.

Figure 3: Steps to install certificates on NetAct using 3rd party CA


2.4 Selecting certification authority


You can select either of the following CAs:

• NetAct CA
• Third Party CA

2.4.1 NetAct CA
This section describes the steps needed for creating a new Certification Authority (CA) hierarchy with
its own public and private key pairs and certificates using the scripts provided by NetAct. Because
trusting the root certificate means trusting all certificates issued by it or by its intermediate CAs, the
private CA keys required for issuing those certificates must be protected with particular care. Although
it is technically possible to generate the certificates on NetAct itself, it is recommended to execute the
following steps on a secure computer and to store the resulting CA private keys on secure removable
media which is kept in a safe place when not in use.

Note:

It is highly recommended to create a backup of the removable media, as it is not possible to
create new or additional certificates if the CA's private key is lost due to damaged media.

The secure computer, which must not be connected to the network as long as the private key of
the root CA is accessible on it, should have the following software (or newer versions):

• A running Linux system, or a Windows PC with Cygwin
• OpenSSL 1.0.0-fips 29 Mar 2010

1. Configuration of the CA.

2. Generating the CA's keys and CRL.

These are one-time activities. After them the CA is ready to issue server certificates.
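Before running the CA scripts it helps to be able to check the smcert.properties file, which the following section tells you to fill in, against the lifetime and format rules stated there. The following shell script is an added example, not part of the NetAct documentation or its scripts: it reads the documented property names from a properties file and reports each violation (country code not two letters, root or intermediate lifetime above the SHA1 or SHA2 maximum, intermediate outliving its issuer, CRL lifetime above that of the CA, malformed crlURI). The sample file content, the systemName netact1, the load balancer FQDN and the sha1/sha2 argument are assumptions.

```shell
#!/bin/sh
# Added example, not part of the NetAct documentation or its scripts: a
# pre-flight check of <CA-Dir>/templates/smcert.properties against the
# lifetime and format rules given in this chapter, intended to run before
# smcert_generate_ca.sh. The property names are the documented ones; the
# sample values, the systemName "netact1" and the load balancer FQDN are
# assumptions.
set -u

# prop FILE KEY: print the value of KEY from 'key = value' lines (blanks trimmed).
prop() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1
}

# is_days VALUE: true when VALUE is a non-empty string of digits.
is_days() {
    case "$1" in ''|*[!0-9]*) return 1 ;; *) return 0 ;; esac
}

# check_ca_properties FILE SYSTEMNAME HASH (HASH is sha1 or sha2, selecting the
# documented maximum lifetimes). Prints one line per violation and returns the
# number of violations, so 0 means the file is consistent with the rules.
check_ca_properties() {
    file=$1; sysname=$2; hash=$3; errors=0
    if [ "$hash" = sha1 ]; then
        max_root=3650; max_int=3650; def_root=3650
    else
        max_root=7300; max_int=7300; def_root=5475
    fi

    country=$(prop "$file" property.countryName)
    case "$country" in
        [A-Z][A-Z]) ;;
        *) echo "countryName must be a two-letter code, got '$country'"; errors=$((errors + 1)) ;;
    esac

    root=$(prop "$file" property.root.certificate.lifetimeInDays)
    [ -n "$root" ] || root=$def_root            # documented default when absent
    if ! is_days "$root" || [ "$root" -gt "$max_root" ]; then
        echo "root CA lifetime '$root' exceeds the $hash maximum of $max_root days"
        errors=$((errors + 1)); root=$max_root  # keep the dependent checks meaningful
    fi

    # Intermediate: at most max_int, and it must expire one day before its issuer.
    int_limit=$((root - 1))
    [ "$int_limit" -le "$max_int" ] || int_limit=$max_int
    inter=$(prop "$file" property.intermediate.certificate.lifetimeInDays)
    [ -n "$inter" ] || inter=$int_limit         # optional property, default is the limit
    if ! is_days "$inter" || [ "$inter" -gt "$int_limit" ]; then
        echo "intermediate CA lifetime '$inter' exceeds the allowed $int_limit days"
        errors=$((errors + 1))
    fi

    # CRL: default and maximum equal the lifetime of the issuing CA certificate.
    crl=$(prop "$file" property.crl.lifetimeInDays)
    [ -n "$crl" ] || crl=$root
    if ! is_days "$crl" || [ "$crl" -gt "$root" ]; then
        echo "CRL lifetime '$crl' exceeds the root CA lifetime of $root days"
        errors=$((errors + 1))
    fi

    # Level-0 CRL distribution point: URI:http://<server>/ca/{crlFileName}
    uri=$(prop "$file" "property.$sysname.crlURI.0")
    case "$uri" in
        URI:http://*/ca/{crlFileName}) ;;
        *) echo "crlURI.0 for '$sysname' must be URI:http://<server>/ca/{crlFileName}, got '$uri'"
           errors=$((errors + 1)) ;;
    esac
    return "$errors"
}

# write_sample_properties FILE: constructed sample content for a cluster named netact1.
write_sample_properties() {
    cat >"$1" <<'EOF'
property.countryName = IN
property.stateOrProvinceName = Karnataka
property.localityName = Bangalore
property.organizationName = Example Operator Ltd
property.organizationalUnitName = NOC
property.emailAddress = pki@example.invalid
property.CA.commonName = NetAct {caLevel} CA - {systemName}
property.root.certificate.lifetimeInDays = 5475
property.intermediate.certificate.lifetimeInDays = 5474
property.crl.lifetimeInDays = 5475
property.netact1.crlURI.0 = URI:http://netactlb.example.invalid/ca/{crlFileName}
property.netact1.crlURI.1 = URI:http://netactlb.example.invalid/ca/{crlFileName}
EOF
}

# Usage: sh check_smcert_properties.sh <CA-Dir>/templates/smcert.properties <systemName> sha2
if [ $# -eq 3 ]; then
    check_ca_properties "$1" "$2" "$3" && echo "$1: consistent with the documented rules"
fi
```

The return value is the violation count, so the script can gate an automated CA build (`check_ca_properties ... || exit`) while still printing every finding for an operator reviewing the file by hand.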

2.4.1.1 Providing basic configuration data for CA


1. If the NetAct CA is already hosted on a separate machine, see Upgrading NetAct CA
installation on separate machine and proceed to step 6.
2. If the CA is to be newly installed on a separate machine (recommended), continue with the
substeps below.

Note: If the CA is to be kept on the dmgr VM of NetAct (not recommended), skip to step 3.

a. Log in as omc user to the dmgr VM of NetAct and switch to root user.

To locate the right VM, see Locating the right virtual machine for a service in Administering
NetAct Virtual Infrastructure.
b. Execute the following command to pack the files needed for the external CA:

/opt/oss/NSN-sm_conf_cert/bin/smcert_create_ca_instFiles.sh

c. Transfer the generated file,

/opt/oss/NSN-sm_conf_cert/generated/rootCaInstall.tar

into /var/tmp of the machine on which you want to install the CA.


d. Log in to your CA-machine.
e. Create a directory CA-Dir (for example: <myHome>/myCaDir) into which the CA files can be
installed. For example,

mkdir <CA-Dir>

f. Go to CA-Dir by executing:

cd <CA-DIR>
g. Untar the archive:

tar -xvf /var/tmp/rootCaInstall.tar

3. Define your own system name.

Note: For each NetAct cluster a separate CA, with its own private and public keys, is created.
The systemName is used to assign keys and certificates to a specific NetAct cluster. It can
be chosen freely as long as it is a valid Unix file name (spaces are not allowed). It is
recommended to choose a name that relates to the NetAct cluster the certificates are used
for, for example the host name used to access the start page.

4. Copy the template file by executing the following command:

cp <CA-Dir>/templates/smcert.properties.template <CA-Dir>/templates/smcert.properties

If the CA is on the NetAct machine itself, <CA-Dir> is /opt/oss/NSN-sm_conf_cert on the dmgr
VM of NetAct. To locate the right VM, see Locating the right virtual machine for a service in
Administering NetAct Virtual Infrastructure.

If the CA is on a separate machine, <CA-Dir> is the directory created in step 2.


5. Change permission of the file by executing:

chmod 600 <CA-Dir>/templates/smcert.properties


6. Edit the file:

<CA-Dir>/templates/smcert.properties

• The following properties describe the owner of the certificates, for example your company name
and location. Specify values for the following OPTIONAL properties:

- property.countryName: Two-letter country code only. For example, IN
- property.stateOrProvinceName: Province of the owner
- property.localityName: Town of the owner
- property.organizationName: Name of the company
- property.organizationalUnitName: Department name
- property.emailAddress: Email address of the contact person
• property.CA.commonName: The common name of the CA certificate.

The default value NetAct {caLevel} CA - {systemName} can be retained, or the placeholders
{systemName} and {caLevel} can be replaced with the values that are passed to the
smcert_generate_ca.sh script in the next section.
• property.root.certificate.lifetimeInDays: Lifetime of the root CA certificate in days.

• For a SHA2 root CA certificate, the default lifetime is 5475 days (approximately 15 years)
and the maximum lifetime allowed is 7300 days (approximately 20 years).
• For a SHA1 root CA certificate, both the default and the maximum lifetime allowed are 3650
days (approximately 10 years).
• property.intermediate.certificate.lifetimeInDays: Lifetime of intermediate CA
certificates in days (optional).

• For a SHA2 CA certificate, the default and maximum lifetime allowed is 7300 days, or such
that the certificate expires one day before its issuer, whichever is shorter.
• For a SHA1 CA certificate, the default and maximum lifetime allowed is 3650 days, or such
that the certificate expires one day before its issuer, whichever is shorter.
• property.crl.lifetimeInDays: Lifetime of the certificate revocation list (CRL) in days.

The default and maximum lifetime are the same as the lifetime of the respective CA certificate.

• property.<systemName>.crlURI.<caLevel>: Location from where the CRL can be retrieved.

Specify the URI of the respective certificate revocation list for the selected systemName and CA level. The basic format is:

property.<systemName>.crlURI.<caLevel> = URI:http://<server>/ca/{crlFileName}
with:

• <systemName>: Reference to the NetAct cluster as described in Step3.


Note:

Same systemName must be used in all further sections in this chapter.

• <caLevel>: The level of the signing CA. It is 0 when creating the root CA (level 0, self-signed certificate) and when creating the level-1 intermediate CA certificate (the level-0 CA is the signer); it is 1 when creating the level-2 intermediate CA certificate (the level-1 intermediate CA is the signer), and so on.
• <server>: The FQDN of the NetAct WAS load balancer (Java EE access point). For
information on how to locate the FQDN, see Locating the right virtual machine for a service
in Administering NetAct Virtual Infrastructure.
• {crlFileName}: Is a variable which will be filled in during script execution.

For generating root CA and level-1 intermediate CA, the resulting entry must be similar to:

property.mySystemName.crlURI.0 = URI:http://myJ2eeAccessFqdn.in.my.domain.com/ca/{crlFileName}

For generating level-2 intermediate CA, the resulting entry must be similar to:

property.mySystemName.crlURI.1 = URI:http://myJ2eeAccessFqdn.in.my.domain.com/ca/{crlFileName}

and so on
7. Set the password for the private key of the CA certificate by entering it in the first line of the following file:

<CA-Dir>/templates/rootKey.pwd

If the CA is on the same NetAct machine, <CA-Dir> is /opt/oss/NSN-sm_conf_cert on the dmgr VM of NetAct. If the CA is on a separate machine, <CA-Dir> is the directory chosen in Step 1.

Note:

• Supported characters in the password are letters, numbers, and special characters.
• Special characters allowed in the password are ~!%^&()_+={}[]|:;,.<>?

Confirm that the file is readable and writable only by root:

ls -l <CA-Dir>/templates/rootKey.pwd

Expected output:

-rw------- 1 root root 11 Feb 10 11:39 <CA-Dir>/templates/rootKey.pwd


2.4.1.2 Upgrading NetAct CA installation on separate machine

This section describes the steps to upgrade the NetAct CA installation on the separate machine. The
machine will be referred to as CA-machine.

1. Log in as omc user to the dmgr VM of NetAct and switch to root user.

To locate the right VM, see Locating the right virtual machine for a service in Administering NetAct
Virtual Infrastructure.

2. To create a package with the required files for hosting the NetAct CA on CA-machine, execute:

/opt/oss/NSN-sm_conf_cert/bin/smcert_create_ca_instFiles.sh

Note: The package rootCaInstall.tar is created at /opt/oss/NSN-sm_conf_cert/generated/

3. Transfer the generated package rootCaInstall.tar to a temporary directory <temp-dir> on the CA-machine.

4. Log in to your CA-machine.

5. Switch to the directory where NetAct CA is installed:

cd <CA-Dir>

6. To avoid overwriting, backup the user-modifiable files before upgrading by executing:

mv <CA-Dir>/templates/smcert.properties /var/tmp/

mv <CA-Dir>/templates/rootKey.pwd /var/tmp/

7. Extract the package by executing:

tar -xf <temp-dir>/rootCaInstall.tar

8. Move the CA certificates to the new directory structure:

mv <CA-Dir>/generated/rootCA/* <CA-Dir>/generated/certificationAuthority/

9. Restore the CA password file by executing:

mv /var/tmp/rootKey.pwd <CA-Dir>/templates/

10. Create the NetAct CA property file by executing the following:

cp <CA-Dir>/templates/smcert.properties.template <CA-Dir>/templates/smcert.properties

chmod 600 <CA-Dir>/templates/smcert.properties

11. Refer to the backup file, /var/tmp/smcert.properties to configure the new file.

Note: Except for the properties property.root.certificate.lifetimeInDays and property.intermediate.certificate.lifetimeInDays, the rest can use the same values as configured earlier. For the exceptions, refer to the comments in the file for the possible values.

2.4.1.3 Generating CA certificates and CRLs

Note: For a given <systemName>, this is a one-time activity, at least for the root CA (level 0). Once generated, the CA keys must not be overwritten or regenerated, as this leads to inconsistencies with all certificates previously issued using the old CA key.

Execute the following commands for each CA-Level in ascending order (0, 1, ...):

1. Log in as omc user and switch to root user, then change to the bin directory:

cd <CA-Dir>/bin

If the CA is on the dmgr VM of NetAct, <CA-Dir> is /opt/oss/NSN-sm_conf_cert; otherwise it is the directory selected in the section Providing basic configuration data for CA.

2. Execute:

./smcert_generate_ca.sh --systemName <systemName> --caLevel <caLevel> --hashingAlgorithm <hashingAlgorithm>


where,

- <systemName>: As described while configuring the CA.


- <caLevel>: The level of the CA to be created (0, 1, ...).
- <hashingAlgorithm>: Hashing Algorithm to be used for CA certificate signing. Supported
values are SHA1 and SHA2.

To know the usage of the script, execute:

./smcert_generate_ca.sh --help

Note:

• To generate CA with level-n, all level-0 to level-(n-1) CAs with same systemName
and hashingAlgorithm must be generated first.
• In a NetAct scratch installation, SHA2 certificates can be used only if all the Network Elements planned for integration are SHA2 compliant.

Example 1:

./smcert_generate_ca.sh --systemName MySystemName --caLevel 0 --hashingAlgorithm SHA1

Example 2:

./smcert_generate_ca.sh --systemName MySystemName --caLevel 0 --hashingAlgorithm SHA2

As a result, the directory <CA-Dir>/generated/certificationAuthority/ will contain the following files (among others):

• <systemName>_L<caLevel>[_S2]_crl.cnf: Configuration file for the certificate revocation list
• <systemName>_L<caLevel>[_S2]_CA.csr: Certificate signing request for the CA certificate
• private/<systemName>_L<caLevel>[_S2]_CAKey.pem: The private key of the CA to be created
• <systemName>_L<caLevel>[_S2]_CACert.pem: The CA certificate
• <systemName>_root.serial: Serial number file used when signing certificates
• <systemName>_L<caLevel>[_S2]_index.txt: The index file with the certificates to revoke
• <systemName>_L<caLevel>[_S2]_CA.crl: The certificate revocation list

Note:

• File names have _S2 only for SHA2 certificates starting from Level 1 to Level n.

• <CA-Dir>/generated/certificationAuthority/private/<systemName>_L<caLevel>[_S2]_CAKey.pem and <CA-Dir>/templates/rootKey.pwd are the most critical files and must be protected in particular. Once all required certificates are generated, the files are to be removed from the CA file system:

1. Mount a USB stick or another removable drive on the machine as <mountPoint>.

2. Create directories for the CA private key and its password by executing:

mkdir <mountPoint>/myCAPrivateKey

mkdir <mountPoint>/myCAPrivateKeyPwd

3. Replace the contents of the directory <CA-Dir>/generated/certificationAuthority/private with symbolic links to the <mountPoint> drive:

mv <CA-Dir>/generated/certificationAuthority/private/* <mountPoint>/myCAPrivateKey

ln -s <mountPoint>/myCAPrivateKey/* <CA-Dir>/generated/certificationAuthority/private/

4. Replace the file <CA-Dir>/templates/rootKey.pwd with a symbolic link to the <mountPoint> drive:

mv <CA-Dir>/templates/rootKey.pwd <mountPoint>/myCAPrivateKeyPwd

ln -s <mountPoint>/myCAPrivateKeyPwd/rootKey.pwd <CA-Dir>/templates/rootKey.pwd

2.4.1.4 Publishing CRLs


After generating Certification Authorities with all required levels for a selected systemName, follow the steps below to publish all the generated Certificate Revocation Lists (CRLs).

1. Copy all generated CRL files, <CA-Dir>/generated/certificationAuthority/<systemName>_L<caLevel>[_S2]_CA.crl, to /opt/oss/NSN-sm_conf_cert/generated/certificationAuthority/ on the dmgr VM of NetAct.

Note: If CA is created on the same NetAct machine, then skip step 1.

2. Log in as omc user to the dmgr VM of NetAct and switch to root user.

To locate dmgr VM, see Locating the right virtual machine for a service in Administering NetAct
Virtual Infrastructure.


3. Go to the bin directory by executing:

cd /opt/oss/NSN-sm_conf_cert/bin

4. Publish all CRLs generated with the same systemName by executing:

./smcert_publish_ca_crl.sh --systemName <systemName>

with <systemName> : as described in the section Providing basic configuration data for CA.

Example:

./smcert_publish_ca_crl.sh --systemName MySystemName

2.4.2 Third party CA


Following are the requirements for any third party Certification Authority to be used:

1. Key Length must be minimum 2048 bits.

2. Key Usage: Key Cert Sign, CRL Sign.

3. It must allow server FQDNs and IPv4 and IPv6 (if available) addresses in the certificate's Subject Alternative Name.

4. Signature Algorithm: sha1WithRSAEncryption or sha256WithRSAEncryption

5. Certificates must be in PEM format.

Note: If certificate is not in PEM format, convert the certificate file into pem format. For
more information, see Converting certificates to PEM format.
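The following is an added example; it is not part of the NetAct documentation or of the smcert scripts. It covers both the files listed in Generating CA certificates and CRLs and the third party CA requirements above: with plain openssl it builds a throwaway two-level CA in a temporary directory (file names imitate the <systemName>_L<caLevel>[_S2]_* convention but are chosen here), then checks each CA certificate for a key of at least 2048 bits, CA:TRUE, Key Cert Sign and CRL Sign key usage, a sha1WithRSAEncryption or sha256WithRSAEncryption signature, the rule that an intermediate expires at least one day before its issuer, the CRL signature, and the 0600 mode of the private key file. It assumes openssl 1.1.1 or newer and GNU date on the PATH.

```bash
# Added example, not from the NetAct documentation or the smcert scripts.
# Builds a demo root (L0) and intermediate (L1) CA with plain openssl, mimicking
# the <systemName>_L<caLevel>_S2_* file names, and runs the checks a reviewer
# would apply to a NetAct CA or third party CA certificate:
#   - RSA key >= 2048 bits; CA:TRUE; keyUsage Certificate Sign + CRL Sign
#   - signature algorithm sha1WithRSAEncryption or sha256WithRSAEncryption
#   - an intermediate expires at least one day before its issuer
#   - the CRL verifies against the issuing CA; key file is mode 0600
# Assumptions: openssl 1.1.1+ and GNU date on PATH; all names are made up.

# ca_check CERT : 0 when CERT meets the CA requirements listed above
ca_check() {
    local txt bits
    txt=$(openssl x509 -in "$1" -noout -text) || return 1
    bits=$(printf '%s\n' "$txt" | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n 1)
    [ "${bits:-0}" -ge 2048 ] || { echo "$1: key is ${bits:-?} bits, need 2048 or more"; return 1; }
    printf '%s\n' "$txt" | grep -q 'CA:TRUE' || { echo "$1: basicConstraints is not CA:TRUE"; return 1; }
    printf '%s\n' "$txt" | grep -A1 'X509v3 Key Usage' | grep -q 'Certificate Sign' \
        || { echo "$1: keyUsage lacks Certificate Sign"; return 1; }
    printf '%s\n' "$txt" | grep -A1 'X509v3 Key Usage' | grep -q 'CRL Sign' \
        || { echo "$1: keyUsage lacks CRL Sign"; return 1; }
    printf '%s\n' "$txt" | grep -Eq 'Signature Algorithm: sha(1|256)WithRSAEncryption' \
        || { echo "$1: signature algorithm is not sha1/sha256WithRSAEncryption"; return 1; }
}

# not_after CERT : notAfter of CERT as seconds since the epoch (GNU date)
not_after() {
    date -u -d "$(openssl x509 -in "$1" -noout -enddate | sed 's/^notAfter=//')" +%s
}

# expires_before_issuer CERT ISSUER : 0 when CERT ends at least one day before ISSUER
expires_before_issuer() {
    [ $(( $(not_after "$2") - $(not_after "$1") )) -ge 86400 ]
}

# crl_check CRL CACERT : 0 when the CRL signature verifies against CACERT
crl_check() {
    openssl crl -in "$1" -CAfile "$2" -noout 2>&1 | grep -q 'verify OK'
}

# key_is_private KEYFILE : 0 when the file mode is exactly 0600
key_is_private() {
    [ -n "$(find "$1" -maxdepth 0 -perm 0600 2>/dev/null)" ]
}

# sign DIR CSR ISSUER EXTSECTION DAYS OUT : issue OUT from CSR with DIR/ISSUER_CA{Cert,Key}.pem
sign() {
    openssl x509 -req -sha256 -in "$2" -CA "$1/${3}_CACert.pem" -CAkey "$1/${3}_CAKey.pem" \
        -CAcreateserial -extfile "$1/ca.cnf" -extensions "$4" -days "$5" -out "$6" 2>/dev/null
}

# build_demo_ca DIR : root (L0), intermediate (L1), an over-long L1, a leaf cert and the L0 CRL
build_demo_ca() {
    local d=$1
    cat > "$d/ca.cnf" <<EOF
[ req ]
prompt = no
distinguished_name = dn
[ dn ]
CN = placeholder
[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ ee_ext ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
[ ca ]
default_ca = demo_ca
[ demo_ca ]
database = $d/index.txt
default_md = sha256
EOF
    : > "$d/index.txt"
    openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 7300 -config "$d/ca.cnf" \
        -extensions ca_ext -subj "/CN=NetAct L0 CA - demo" \
        -keyout "$d/demo_L0_S2_CAKey.pem" -out "$d/demo_L0_S2_CACert.pem" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$d/ca.cnf" -subj "/CN=NetAct L1 CA - demo" \
        -keyout "$d/demo_L1_S2_CAKey.pem" -out "$d/demo_L1_S2_CA.csr" 2>/dev/null
    sign "$d" "$d/demo_L1_S2_CA.csr" demo_L0_S2 ca_ext 7298 "$d/demo_L1_S2_CACert.pem"
    sign "$d" "$d/demo_L1_S2_CA.csr" demo_L0_S2 ca_ext 7300 "$d/demo_L1_long_CACert.pem"  # breaks the one-day rule
    openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$d/ca.cnf" -subj "/CN=leaf.example" \
        -keyout "$d/demo_leafKey.pem" -out "$d/demo_leaf.csr" 2>/dev/null
    sign "$d" "$d/demo_leaf.csr" demo_L1_S2 ee_ext 365 "$d/demo_leafCert.pem"
    openssl ca -gencrl -config "$d/ca.cnf" -name demo_ca -keyfile "$d/demo_L0_S2_CAKey.pem" \
        -cert "$d/demo_L0_S2_CACert.pem" -md sha256 -crldays 30 -out "$d/demo_L0_S2_CA.crl" 2>/dev/null
    chmod 600 "$d"/*Key.pem
}

WORK=$(mktemp -d)
build_demo_ca "$WORK"
for c in "$WORK/demo_L0_S2_CACert.pem" "$WORK/demo_L1_S2_CACert.pem" "$WORK/demo_leafCert.pem"; do
    ca_check "$c" && echo "CA requirements met: $c"
done
expires_before_issuer "$WORK/demo_L1_S2_CACert.pem" "$WORK/demo_L0_S2_CACert.pem" && echo "L1 expires before L0"
crl_check "$WORK/demo_L0_S2_CA.crl" "$WORK/demo_L0_S2_CACert.pem" && echo "L0 CRL verifies against L0 cert"
key_is_private "$WORK/demo_L0_S2_CAKey.pem" && echo "L0 private key is mode 0600"
```

On a real installation, point ca_check at <CA-Dir>/generated/certificationAuthority/<systemName>_L<caLevel>[_S2]_CACert.pem (or at a third party CA certificate in PEM format) and expires_before_issuer at an intermediate together with the certificate of the level below it; the leaf certificate in the demo is there to show that an end-entity certificate fails the CA checks.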

2.5 Creating certificates

This section contains instructions for creating certificates for the usecases listed below and for any other access points. A usecase is a logical grouping of NetAct service end-points; the certId is used in the file naming convention.

Note:

For a given usecase, if a certificate along with its private key already exists for the mentioned certId, the same certificate and private key can be reused.

Nokia recommends certificates with the SHA2 signature algorithm on NetAct end points. If for some reason any service accessed through the web browser (for example, NetAct Start Page) has a SHA1 signature algorithm, then all other services accessed in the browser under the same domain or sub domain (for example, Keycloak) must also have certificates with the SHA1 signature algorithm. Otherwise, access to the services with the SHA1 signature algorithm is blocked by the browser (Chrome and MS Edge), because HSTS (HTTP Strict Transport Security) is enabled in most of the services (for example, Keycloak and NetAct Start Page).

Usecase           Cert ID                                 Description

netact_webapps    ihs                                     For NetAct web applications
dirsrv_access     dirsrv                                  To configure the Directory Server for TLS communication
ne3sws            httpd, ihs, common-mediations, cmwas    For NE3SWS communication with NEs
nwi3              nwi3, ihs                               For NWI3 communication with NEs
isdk_corba_fm     isdk-corba-fm                           For CORBA communication with NEs
nbi_open_api      restda                                  For Restful NBI communication with OSS
xoh               xoh                                     For XOH communication with NEs
3gpp_corba_nbi    nbi                                     For NBI communication with OSS
sl_nbi            slc                                     For Gray log server communication with NetAct
ntcapp            ntcapp                                  For Restful CBAM or ZTS communication with NTCApp
keycloak          keycloak                                For Restful communication with Keycloak
bts_om            pnp-compatibility                       For PnP compatibility service communication with NEs
centralized_pnp   pnp-autoconnection                      For eastbound communication between initial and target NetActs. This usecase is applicable only for the Centralized Plug and Play feature.

Table 3: Use cases and description

2.5.1 Requirements to generate certificates externally


Following are the procedure, details, and requirements for generating keys and certificates without using the NetAct provided scripts for the usecases mentioned in Table 3: Use cases and description.

1. Log in as omc user to the dmgr VM of NetAct and switch to root user.

To locate dmgr VM, see Locating the right virtual machine for a service in Administering NetAct
Virtual Infrastructure.
2. Go to bin directory by executing the following command:

cd /opt/oss/NSN-sm_conf_cert/bin

3. Execute the following command to find the required values in the certificates for each certId of a given usecase:

./smcert_get_server_certificate_details.sh --systemName <systemName> --usecaseName <usecaseName>

where,

• <systemName>: Used to allocate keys or certificates to a NetAct cluster. It must be a valid Unix file name (spaces are not allowed). It is recommended that <systemName> relates to the NetAct cluster for which the certificates are used.
• <usecaseName>: Name of the usecase. To know the supported usecases, see Table 3: Use
cases and description.

To know the script usage, execute:

./smcert_get_server_certificate_details.sh --help

Example:

./smcert_get_server_certificate_details.sh --systemName
mySystemName --usecaseName nbi_open_api

4. Signature algorithm in the certificate: sha1WithRSAEncryption or sha256WithRSAEncryption

5. Private keys of end-entity certificates must be password protected.

Note:

• Supported characters in the password are letters, numbers, and special characters.
• Special characters allowed in the password are ~!%^&()_+={}[]|:;,.<>?

6. Server certificates and private keys must be in PEM format.

Note: To convert the certificate file into PEM format, see Converting certificates to PEM format.

2.5.2 Creating private-key and certificates

2.5.2.1 Providing basic configuration data

Follow below steps to provide certificate details:

1. Log in as omc user to the dmgr VM of NetAct and switch to root user.

To locate dmgr VM, see Locating the right virtual machine for a service in Administering NetAct
Virtual Infrastructure.
2. Define the password for the private key in the first line of /opt/oss/NSN-sm_conf_cert/templates/serverKey.pwd

Note:

• Supported characters in the password are letters, numbers, and special characters.
• Special characters allowed in the password are ~!%^&()_+={}[]|:;,.<>?

Confirm that the file is readable and writable only by root:

ls -l /opt/oss/NSN-sm_conf_cert/templates/serverKey.pwd

Expected output:

-rw------- 1 root root 49 Aug 16 08:16 /opt/oss/NSN-sm_conf_cert/templates/serverKey.pwd

3. If the file /opt/oss/NSN-sm_conf_cert/templates/smcert.properties does not exist, execute:

cp /opt/oss/NSN-sm_conf_cert/templates/smcert.properties.template /opt/oss/NSN-sm_conf_cert/templates/smcert.properties

chmod 600 /opt/oss/NSN-sm_conf_cert/templates/smcert.properties

4. Edit /opt/oss/NSN-sm_conf_cert/templates/smcert.properties:

Provide information regarding the owner of the certificates. Specify values for the following OPTIONAL properties:

- property.countryName: Two-letter country code only, for example IN
- property.stateOrProvinceName: Province of the owner
- property.localityName: Town of the owner
- property.organizationName: Name of the company
- property.organizationalUnitName: Department name
- property.emailAddress: Email address of the contact person

2.5.2.2 Generating certificate signing requests and keys

Prerequisites

Instructions in chapter Providing basic configuration data for CA must be executed.

1. Log in as omc user to the dmgr VM of NetAct and switch to root user.

To locate dmgr VM, see Locating the right virtual machine for a service in Administering NetAct
Virtual Infrastructure.

2. Go to the bin directory by executing:

cd /opt/oss/NSN-sm_conf_cert/bin

3. If you need certificates for the usecases given in Table 3: Use cases and description, do the
following, else go to Step 4.

• Execute the following command to generate private key and CSR for selected usecase:

./smcert_generate_server_csr.sh --systemName <systemName> --usecaseName <usecaseName> --hashingAlgorithm <hashingAlgorithm>

where:

• <systemName>: It must be same as used in the section Providing basic configuration data
for CA. If a third party CA is being used, then choose the systemName. It must be taken as
a valid Unix file name (spaces are not allowed).
• <usecaseName>: Name of the usecase. To know the supported usecases, see Table 3:
Use cases and description.
• <hashingAlgorithm>: Hashing Algorithm to be used for generating certificate signing
request. Supported values are SHA1 and SHA2.

To know the script usage, execute: ./smcert_generate_server_csr.sh --help.

Example:

./smcert_generate_server_csr.sh --systemName MySystemName --usecaseName xoh --hashingAlgorithm SHA1

./smcert_generate_server_csr.sh --systemName MySystemName --usecaseName nwi3 --hashingAlgorithm SHA2

Expected output:

As a result, the directory /opt/oss/NSN-sm_conf_cert/generated/server/ will contain the following files:

<systemName>_<certId>_<usecaseName>.csr: Certificate signing request for the certId of the selected usecase

<systemName>_<certId>_<usecaseName>.cnf: Configuration file for the CSR and certificate

<systemName>_<certId>_<usecaseName>Key.pem: Private key for the certId of the selected usecase

4. If certificates are required for access points other than mentioned in Table 3: Use cases and
description, do the following steps:
a) Obtain the FQDN and IP addresses of the access points.
b) Create the private key and CSR for the access point by executing:

./smcert_generate_csr.sh --systemName <systemName> --certId <certId> --hashingAlgorithm <hashingAlgorithm> --cn <CommonName> --ip <ip-address1> [[--ip <ip-address2>]...] --dns <dns1> [[--dns <dns2>] ...]

where,

• <systemName>: It is same as that used in the section Providing basic configuration data.
• <certId>: Certificate identifier. It is part of output file name.
• <hashingAlgorithm>: Hashing Algorithm to be used for generating certificate signing
request. Supported values are SHA1 and SHA2.
• <CommonName>: Common Name value of the subject, which can be IP address or FQDN
of the host.
• <ip-address>: IP address of the hosts, multiple values can be given.
• <dns>: DNS entry (FQDN) of the hosts, multiple values can be given.

To know the script usage, execute:

./smcert_generate_csr.sh --help

Example:

./smcert_generate_csr.sh --cn 111.122.133.144 --ip 111.122.133.144 --ip 21.22.23.24 --dns myNode1.domain.xy --systemName MySystemName --hashingAlgorithm SHA2 --certId MyCertId

Expected output:

As a result, the directory /opt/oss/NSN-sm_conf_cert/generated/server/ will contain the following files:

<systemName>_<certId>.csr: Certificate signing request for the certId

<systemName>_<certId>.cnf: Configuration file for the CSR and certificate

<systemName>_<certId>Key.pem: Private key for the certId
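The following is an added example; it is not part of the NetAct documentation or of the smcert scripts. It does by hand, with plain openssl, what the page describes smcert_generate_csr.sh doing for an access point: an RSA key protected with the password from the first line of serverKey.pwd, and a SHA-2 CSR whose Subject Alternative Name carries every FQDN and IP address of the host. It then checks the result the way a reviewer would before handing the CSR to the NetAct CA or to a third party CA, following the requirements in Requirements to generate certificates externally: the password uses only the characters allowed on this page, the key is really encrypted and opens with that password, the CSR self-signature verifies, the CSR is SHA-256 signed, and each expected SAN entry is present. The password, directory and host names are made up; the IP addresses are the ones from the example above; openssl 1.1.1 or newer is assumed on the PATH.

```bash
# Added example, not from the NetAct documentation or the smcert scripts.
# Reproduces with plain openssl what smcert_generate_csr.sh is described to do
# (encrypted key + SHA-2 CSR with FQDN and IP SANs) and checks the result.
# Assumptions: openssl 1.1.1+ on PATH; password, names and directory are made up.

# pwd_charset_ok PASSWORD : 0 when only letters, digits and ~!%^&()_+={}[]|:;,.<>? occur
pwd_charset_ok() {
    [ -n "$1" ] && [ -z "$(printf '%s' "$1" | sed 's/[]A-Za-z0-9~!%^&()_+={}|:;,.<>?[]//g')" ]
}

# make_csr DIR NAME PWDFILE CN "DNS..." "IP..." : writes DIR/NAMEKey.pem (encrypted) and DIR/NAME.csr
make_csr() {
    local d=$1 name=$2 pwdfile=$3 cn=$4 dns=$5 ips=$6 i n
    {
        printf '[ req ]\nprompt = no\ndistinguished_name = dn\nreq_extensions = v3_req\n'
        printf '[ dn ]\nCN = %s\n[ v3_req ]\nsubjectAltName = @alt\n[ alt ]\n' "$cn"
        i=1; for n in $dns; do printf 'DNS.%d = %s\n' "$i" "$n"; i=$((i + 1)); done
        i=1; for n in $ips; do printf 'IP.%d = %s\n' "$i" "$n"; i=$((i + 1)); done
    } > "$d/$name.cnf"
    openssl req -new -newkey rsa:2048 -sha256 -config "$d/$name.cnf" -passout "file:$pwdfile" \
        -keyout "$d/${name}Key.pem" -out "$d/$name.csr" 2>/dev/null || return 1
    chmod 600 "$d/${name}Key.pem"
}

# key_is_encrypted KEY : 0 when the PEM holds an encrypted private key
key_is_encrypted() { grep -q 'ENCRYPTED' "$1"; }

# key_opens_with KEY PWDFILE : 0 when the first line of PWDFILE decrypts KEY
key_opens_with() { openssl pkey -in "$1" -passin "file:$2" -noout 2>/dev/null; }

# csr_check CSR : 0 when the self-signature verifies and the CSR is signed with SHA-256
csr_check() {
    openssl req -in "$1" -noout -verify 2>&1 | grep -q 'verify OK' || return 1
    openssl req -in "$1" -noout -text | grep -q 'Signature Algorithm: sha256WithRSAEncryption'
}

# csr_has_san CSR ENTRY : 0 when ENTRY (e.g. "DNS:host" or "IP Address:10.0.0.1") is in the SAN
csr_has_san() {
    openssl req -in "$1" -noout -text | grep -A1 'Subject Alternative Name' | tail -n 1 \
        | tr ',' '\n' | sed 's/^ *//' | grep -Fxq "$2"
}

WORK=$(mktemp -d)
PASSWORD='N3tAct~Demo!'
pwd_charset_ok "$PASSWORD" || { echo "password contains characters outside the allowed set"; exit 1; }
printf '%s\n' "$PASSWORD" > "$WORK/serverKey.pwd"
chmod 600 "$WORK/serverKey.pwd"
make_csr "$WORK" MySystemName_MyCertId "$WORK/serverKey.pwd" 111.122.133.144 \
    "myNode1.domain.xy" "111.122.133.144 21.22.23.24"
key_is_encrypted "$WORK/MySystemName_MyCertIdKey.pem" && echo "key is password protected"
key_opens_with "$WORK/MySystemName_MyCertIdKey.pem" "$WORK/serverKey.pwd" && echo "serverKey.pwd opens the key"
csr_check "$WORK/MySystemName_MyCertId.csr" && echo "CSR verifies and is SHA-256 signed"
csr_has_san "$WORK/MySystemName_MyCertId.csr" "DNS:myNode1.domain.xy" && echo "SAN carries the FQDN"
```

The same check functions apply to the files the NetAct script leaves in /opt/oss/NSN-sm_conf_cert/generated/server/: run csr_has_san against <systemName>_<certId>.csr for every FQDN and IP address of the access point before the CSR is sent for signing, since a SAN that is missing here is only noticed when a client rejects the issued certificate.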

2.5.2.3 Signing certificates


Proceed with the following procedures only after creating the end-entity certificate signing request:

• Signing using NetAct CA

• Signing using Third party CA

If certificates have already been applied for the selected usecase, the same CA that signed them can be used again, so that the truststore update can be skipped when applying the new certificates. To find the CA that issued the currently applied certificates of the usecase, see Get issuer name.

2.5.2.3.1 Signing using NetAct CA

Prerequisites

NetAct CA must be created with the same Hashing Algorithm with which end-entity certificate needs to
be generated. To create NetAct CA, see NetAct CA.

If the NetAct CA is hosted on a separated machine in a previous release, follow the steps provided in
Upgrading NetAct CA installation on separate machine before proceeding.

To sign the certificate signing requests (CSR) using NetAct CA, follow the steps:

1. Log in to CA machine as omc user and switch to root user.

2. Edit the file, <CA-Dir>/templates/smcert.properties

Note: If the CA is on the dmgr VM of NetAct, <CA-Dir> is /opt/oss/NSN-sm_conf_cert; otherwise it is the directory chosen in the section Providing basic configuration data for CA.

a) property.<systemName>.crlURI.<caLevel>: Location from where the CRL can be retrieved.

Specify the URI of the respective certificate revocation list for the selected systemName and CA level. The basic format is property.<systemName>.crlURI.<caLevel> = URI:http://<server>/ca/{crlFileName} where:

• <systemName>: It is same as used in previous sections


• <caLevel>: The level of the signing CA.

<caLevel> is 0 if the end-entity certificate is signed by the root CA, 1 if it is signed by the level-1 intermediate CA, and so on.
• <server>: The FQDN of the NetAct WAS load balancer. Locate the NetAct WAS load
balancer using the command, /opt/cpf/bin/cpf_list_lb_address.sh --lb was.
• {crlFileName}: Is a variable which will be filled in during script execution.

For example:

If the end-entity certificate is getting signed from the root CA, the resulting entry appears as
below:

property.mySystemName.crlURI.0 = URI:http://myJ2eeAccessFqdn.in.my.domain.com/ca/{crlFileName}

If the end-entity certificate is getting signed from the level-1 intermediate CA, the resulting entry
appears as below:

property.mySystemName.crlURI.1 = URI:http://myJ2eeAccessFqdn.in.my.domain.com/ca/{crlFileName}

b) property.server.certificate.lifetimeInDays: Lifetime of the certificates in days (optional). The default and maximum lifetime allowed is 3650 days (approximately 10 years), or such that the certificate expires one day before its issuer, whichever is less.

3. Execute, cd <CA-Dir>/bin

4. If the private key of the CA is removed from the system (as recommended), make it available again
as:

<CA-Dir>/generated/certificationAuthority/private/<systemName>_L<caLevel>[_S2]_CAKey.pem

Note: _S2 will be part of file names only if respective certificate is signed with SHA2
algorithm.

5. If CA privateKey password file is removed from the system (as recommended), make it available
again as <CA-Dir>/templates/rootKey.pwd.

Note:

1. If the CA is on a separate machine, copy the *.csr and *.cnf files of the certificates to be issued from /opt/oss/NSN-sm_conf_cert/generated/server on the dmgr VM of NetAct to the directory <CA-Dir>/generated/server on the CA machine. The names are expected to have the following format:

• For the usecases mentioned in Table 3: Use cases and description: <systemName>_<certId>_<usecaseName>.cnf and <systemName>_<certId>_<usecaseName>.csr
• For other access points: <systemName>_<certId>.cnf and <systemName>_<certId>.csr

6. Sign the certificates:


a) If you need certificates for the usecases given in Table 3: Use cases and description, execute
the following command:

./smcert_sign_server_certificate.sh --systemName <systemName> --usecaseName <usecaseName> --caLevel <caLevel> --hashingAlgorithm <hashingAlgorithm>

where:

• <systemName>: It is same as used in previous sections


• <usecaseName>: Name of the usecase. To know the supported usecases, see Table 3: Use cases and description
• <caLevel>: The level of the CA to be used when issuing the certificate
• <hashingAlgorithm>: Hashing algorithm to be used for signing the certificate. Supported values are SHA1 and SHA2.

To know the script usage, execute:

./smcert_sign_server_certificate.sh --help

Example:

./smcert_sign_server_certificate.sh --systemName MySystemName --usecaseName dirsrv_access --caLevel 0 --hashingAlgorithm SHA1

Expected outcome:

The certificates are created in:

<CA-Dir>/generated/server/<systemName>_<certId>_<usecaseName>Cert.pem

for each certId of given usecase.


b) For certificates of other access points, execute the following command:

./smcert_sign_server_certificate.sh --systemName <systemName> --certId <certId> --caLevel <caLevel> --hashingAlgorithm <hashingAlgorithm>

where:

• <systemName>: It is same as used in previous sections.


• <certId>: Certificate identifier. It is part of the output file names and must be the same as used in the section Generating certificate signing requests and keys.
• <caLevel>: The level of the CA to be used when issuing the certificate.
• <hashingAlgorithm>: Hashing algorithm to be used for signing the certificate. Supported values are SHA1 and SHA2.

To know the script usage, execute:

./smcert_sign_server_certificate.sh --help

Example:

./smcert_sign_server_certificate.sh --systemName MySystemName --certId MyCertId --caLevel 2 --hashingAlgorithm SHA1

Expected outcome:

The certificates are created in:

<CA_Dir>/generated/server/<systemName>_<certId>Cert.pem

7. Remove the private key of the CA, if previously copied to the system by executing:

rm <CA-Dir>/generated/certificationAuthority/private/<systemName>_L<caLevel>[_S2]_CAKey.pem

Or, un-mount it.

8. Delete the rootKey password file, if previously copied to the system:

rm <CA-Dir>/templates/rootKey.pwd

2.5.2.3.2 Signing using third party CA

To sign certificate signing requests (CSR) using Third party CA:

Copy the *.csr files (created in the section Generating certificate signing requests and keys) present under /opt/oss/NSN-sm_conf_cert/generated/server/ on the dmgr VM of NetAct to the CA machine for signing.

Note: To locate the dmgr VM, see Locating the right virtual machine for a service in Administering NetAct Virtual Infrastructure.

2.6 Installing certificates

2.6.1 Transferring certificates to NetAct

Prerequisites

Skip this section, if the NetAct CA used for signing is on the same NetAct system.

• SSH login as root user has to be enabled. For information on how to enable the root login, see Enabling root SSH login.
• The private keys and certificates must be in PEM format. To convert the certificates to PEM, see Converting certificates to PEM format.
• The password must be the same for all the private keys of a selected usecase. The same password must be present as the first line in /opt/oss/NSN-sm_conf_cert/templates/serverKey.pwd
• The file naming convention for the private keys and certificates must be:

1. private key - <systemName>_<certId>_<usecaseName>Key.pem
2. certificate - <systemName>_<certId>_<usecaseName>Cert.pem

• <systemName>: A string without spaces, used to uniquely identify related private keys and certificates of a NetAct system.
• <usecaseName>: Name of the selected usecase
• <certId>: Possible values for the selected usecase. Refer to Table 3: Use cases and description for the list of supported usecases and related certIds.

For <systemName> MySystem and <usecaseName> nwi3, the certIds for the usecase nwi3 are ihs and nwi3. The file names for this combination are:

• MySystem_ihs_nwi3Key.pem and MySystem_ihs_nwi3Cert.pem
• MySystem_nwi3_nwi3Key.pem and MySystem_nwi3_nwi3Cert.pem

1. Log in as omc user to the dmgr VM of NetAct and switch to root user.


To locate dmgr VM, see Locating the right virtual machine for a service in Administering NetAct
Virtual Infrastructure.

2. Transfer the generated certificates for all certIds of the selected usecases to:

/opt/oss/NSN-sm_conf_cert/generated/server/

3. Transfer the private keys for all certIds of the selected usecase if they are not created in NetAct
using Creating private-key and certificates.

4. Transfer the certificates of root CA till the issuer CA to:

/opt/oss/NSN-sm_conf_cert/generated/certificationAuthority/

Note: The NetAct CA certificates are available in <CA-Dir>/generated/certificationAuthority/ on the CA machine.

Example:

If the certificates for a selected usecase are signed by level-2 intermediate CA, then transfer the
certificates of level-2 intermediate CA, level-1 intermediate CA (signer of level-2 intermediate CA)
and root CA (level: 0, the signer of the level-1 intermediate CA).

5. Disable the root SSH login, if it was enabled. For information on how to disable the root login, see
Disabling root SSH login.
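The following is an added example; it is not part of the NetAct documentation or of the smcert scripts. Before the transferred files are applied, a reviewer would confirm what the prerequisites above require: the names follow <systemName>_<certId>_<usecaseName>Key.pem and <systemName>_<certId>_<usecaseName>Cert.pem, every private key opens with the first line of serverKey.pwd, each key belongs to the certificate it is paired with, and the certificate is PEM and not expired. The preinstall_check function does that for all certIds of one usecase. The demo builds stand-in files for the usecase nwi3 (certIds ihs and nwi3) with self-signed certificates, because a CA-issued pair is checked in exactly the same way; the chain back to the transferred CA certificates is a separate openssl verify -CAfile step. The directory, password and subjects are made up, and openssl is assumed on the PATH.

```bash
# Added example, not from the NetAct documentation or the smcert scripts.
# Consistency checks for the files placed in generated/server/ before
# smcert_apply_certificate.sh is run. Assumptions: openssl on PATH; the
# directory, password and subject names are made up; the certificates in
# the demo are self-signed placeholders for what a CA would return.

# pubkey_fp -k KEY PWDFILE | -c CERT : SHA-256 of the PEM-encoded public key
pubkey_fp() {
    case $1 in
        -k) openssl pkey -in "$2" -passin "file:$3" -pubout 2>/dev/null ;;
        -c) openssl x509 -in "$2" -pubkey -noout 2>/dev/null ;;
    esac | openssl dgst -sha256 | sed 's/.*= //'
}

# preinstall_check DIR SYSTEMNAME USECASE PWDFILE CERTID... : 0 when every certId is consistent
preinstall_check() {
    local dir=$1 sys=$2 uc=$3 pwdfile=$4 id key cert rc=0
    shift 4
    for id in "$@"; do
        key="$dir/${sys}_${id}_${uc}Key.pem"
        cert="$dir/${sys}_${id}_${uc}Cert.pem"
        [ -f "$key" ] || { echo "missing $key"; rc=1; continue; }
        [ -f "$cert" ] || { echo "missing $cert"; rc=1; continue; }
        grep -q 'BEGIN CERTIFICATE' "$cert" || { echo "$cert: not PEM"; rc=1; continue; }
        openssl pkey -in "$key" -passin "file:$pwdfile" -noout 2>/dev/null \
            || { echo "$key: does not open with the password in $pwdfile"; rc=1; continue; }
        [ "$(pubkey_fp -k "$key" "$pwdfile")" = "$(pubkey_fp -c "$cert")" ] \
            || { echo "$key and $cert do not belong together"; rc=1; continue; }
        openssl x509 -in "$cert" -noout -checkend 0 >/dev/null \
            || { echo "$cert: already expired"; rc=1; continue; }
        echo "$id: key and certificate are consistent"
    done
    return $rc
}

WORK=$(mktemp -d)
printf '%s\n' 'N3tAct~Demo!' > "$WORK/serverKey.pwd"
chmod 600 "$WORK/serverKey.pwd"
printf '[ req ]\nprompt = no\ndistinguished_name = dn\n[ dn ]\nCN = placeholder\n' > "$WORK/req.cnf"
for id in ihs nwi3; do   # one self-signed stand-in pair per certId of usecase nwi3
    openssl req -x509 -new -newkey rsa:2048 -sha256 -days 365 -config "$WORK/req.cnf" \
        -subj "/CN=$id.demo.example" -passout "file:$WORK/serverKey.pwd" \
        -keyout "$WORK/MySystem_${id}_nwi3Key.pem" -out "$WORK/MySystem_${id}_nwi3Cert.pem" 2>/dev/null
done
chmod 600 "$WORK"/*Key.pem
preinstall_check "$WORK" MySystem nwi3 "$WORK/serverKey.pwd" ihs nwi3 \
    && echo "nwi3 files are ready for smcert_apply_certificate.sh"
```

On the dmgr VM the call is preinstall_check /opt/oss/NSN-sm_conf_cert/generated/server <systemName> <usecaseName> /opt/oss/NSN-sm_conf_cert/templates/serverKey.pwd followed by the certIds of the usecase from Table 3; a key that was generated in NetAct and a certificate returned by a third party CA for a different CSR fail the public key comparison, which is the mistake this check is meant to catch before the usecase is rolled back.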

2.6.2 Installing certificates for selected usecase


Prerequisites:

SSH login as root user has to be enabled. For information on how to enable the root login, see Enabling root SSH login.

In case of certificate installation failure, restore the selected usecase (see Rolling back certificate configuration) and try again.

1. Log in as omc user to the dmgr VM of NetAct and switch to root user.

To locate dmgr VM, see Locating the right virtual machine for a service in Administering NetAct
Virtual Infrastructure.
2. Change the working directory to SM Cert tool bin directory:

cd /opt/oss/NSN-sm_conf_cert/bin/

3. Execute the SM Cert tool by entering:

./smcert_apply_certificate.sh --systemName <systemName> --usecaseName <usecaseName> [--skipTrustUpdate]


where:

• <systemName>: The value must match the <systemName> part of the certificate file names.
• <usecaseName>: The value must be the selected usecase. See Table 3: Use cases and description for
the list of supported usecases.

Note:

• If the selected usecase is dirsrv_access, first execute the following command from the dmgr VM
to enable LDAPS usage for the sssd service on all VMs, and then apply the certificate:

./smcert_dirsrv_access_setup.sh --enable

• The --skipTrustUpdate option cannot be used when installing certificates for the selected usecase
for the first time.
• On the second and later invocations, --skipTrustUpdate can be used only if the current issuer CA is
the same as the earlier issuer CA. If the issuer CA has changed, omit the option so that the trust
stores are updated as well.
• The issuer CA of the certificates of the selected usecase can be fetched using Get issuer name.
• The life cycle (for example, expiry and revocation) of the configured certificates must be managed
by the customer.

Example:

./smcert_apply_certificate.sh --systemName NetAct --usecaseName netact_webapps

./smcert_apply_certificate.sh --systemName NetAct --usecaseName nwi3 --skipTrustUpdate

If the certificate is applied for the usecase netact_webapps, follow Installing the Root CA certificate
to a browser in Installing and Configuring NetAct User Workstations to add the root CA certificate of the
CA chain used for generating the certificate to the browser.

Note:

• Upon successful installation of the certificates for the selected usecase, perform the Cleanup
procedure so that no private key material or key password is left on the dmgr VM.
• In a DR environment, the certificates must also be applied on the standby site. For more
information on applying certificates on the standby site, see Installing certificates on standby site
in DR environment.

2.6.3 Cleanup
Upon successful installation of the certificates for the selected usecase, execute the following steps to
avoid any security vulnerabilities:


1. On the dmgr VM, remove the server key files and the password file:

rm /opt/oss/NSN-sm_conf_cert/templates/serverKey.pwd

rm /opt/oss/NSN-sm_conf_cert/generated/server/<systemName>_<certId>_<usecaseName>Key.pem

2. Disable root login, in case it was enabled in the beginning. For more information on how to disable
root login, see Disabling root SSH login.

2.7 Installing root certificate on browser


Distribute the root certificate over a secure channel, for example a USB stick, signed e-mail, or a trusted
server reached over HTTPS with an already known and trusted certificate.

Always verify that the fingerprint of the downloaded certificate matches the fingerprint calculated on the
server; this is the only protection against a substituted certificate when the channel itself is not secure.

Go to http://httpFqdn/ca and save the Root-Certificate to your local hard disk. Because this download is
over plain HTTP, the fingerprint check is mandatory. The browser displays the fingerprint of the certificate
before the import is completed.

Note: To know the IBMHttpServer FQDN (httpFqdn), see Locating the right virtual machine for a service
in Administering NetAct Virtual Infrastructure.

On the server side the fingerprint can be calculated using:

openssl x509 -in <certificate-file-name> -sha1 -fingerprint -noout

Browsers also show the SHA-256 fingerprint; replace -sha1 with -sha256 to compare that value instead.

To install the root certificate on browsers, see Installing the Root CA certificate to a browser in
Installing and Configuring NetAct User Workstations.

2.8 Installing root CA certificate of specific end point to user workstation browser

This procedure must be followed only when the given service name of an end point is used to access
the applications hosted on that end point from the browser. For example, the service name keycloak
is used by the end point keycloak, and the user can access the Keycloak web application running on
the keycloak service from the browser.


Note: Each workstation user must install the end point specific root CA certificate to a
browser.

1. Log in as omc user to the DMGR node and switch to root user.

2. Get the root CA certificate for the given service name or end point by entering:

sh /opt/oss/NSN-sm_conf_cert/bin/smcert_get_root_cert.sh --serviceName <ServiceName>

The root CA certificate file is generated in the /root/smcert/ directory.

For example, if the <ServiceName> is keycloak, then the root CA certificate file name will be
/root/smcert/keycloak_keycloak.pem.

3. Convert the root CA certificate from PEM to DER (.crt) format by entering:

openssl x509 -outform der -in /root/smcert/<CERTIFICATE_FILE>.pem -out <CERTIFICATE_FILE>.crt

4. Transfer <CERTIFICATE_FILE>.crt to user workstation.

5. Double-click the <CERTIFICATE_FILE>.crt from user workstation and follow the instructions.

2.9 Installing certificates on standby site in DR environment

1. Log in as omc user to the NetAct VM hosting the db service on the active site and switch to root
user.

To locate the right NetAct VM, see Locating the right virtual machine for a service in Administering
NetAct Virtual Infrastructure.

2. Check if the environment is DR environment by entering:

[root@dbvm sitea] # /opt/oss/NSN-dr/bin/drCheckStatus.pl -status

Expected output:

Enabled

If the output is Enabled, then it is DR environment, go to next step.

If the output is Disabled, then execute the following steps when DR is enabled.


If the output is No such file or directory, then it is not DR environment. Skip the following
steps.

3. Copy certificate files from the active site to standby site by entering:

/opt/oss/NSN-dr/bin/localFsSync.pl -backup -fast

4. Check whether the service is in maintenance mode ON by entering:

/opt/oss/NSN-dr/bin/drTransmitCommand.pl -service dmgr -cmd "smanager.pl status service <certId>" -timeout 800

Note: This must be done for all Cert IDs of the selected use case name on the standby site.

Sample output:

Enable root ssh login on neighbour site success.
[DR][Standby] <Node Name >:smanager.pl status service ihs.
<ServiceName>:<Node Name>:frozen
Execute command on <Node Name> of DR standby site success.
Disable root ssh login on neighbour site success.

If the output contains frozen, the service is in maintenance mode ON. Set the maintenance mode to OFF
for the <ServiceName> by executing the following command. Otherwise, go to step 5.

/opt/oss/NSN-dr/bin/drTransmitCommand.pl -service dmgr -cmd "smanager.pl maintenance <ServiceName> off" -timeout 800

Sample output:

Service <ServiceName> maintenance mode is set to off

Note:

• For usecases and cert ID, see Use cases and description table in Creating
certificates.
• If the selected usecase is dirsrv_access, set the keycloak service to maintenance
mode OFF on the standby site.


• If there are multiple cert IDs for selected usecases, then set the maintenance mode
OFF for all cert IDs.

5. Set the db service to Snapshot Standby on the standby site by entering:

/opt/oss/NSN-dr/bin/drTransmitCommand.pl -service db -cmd "/opt/oss/NSN-dr/install/bin/dbChangeStandbyMode.sh -s" -timeout 800

Sample output:

Conversion completed Successfully

6. Install the certificate on the standby site for the selected usecase by entering:

Note: If the selected usecase is dirsrv_access, first execute the following command to enable
LDAPS usage for the sssd service on all VMs of the standby site, and then apply the certificate.

/opt/oss/NSN-dr/bin/drTransmitCommand.pl -service dmgr -cmd "yes|/opt/oss/NSN-sm_conf_cert/bin/smcert_dirsrv_access_setup.sh --enable 2> /dev/null" -timeout 1800

/opt/oss/NSN-dr/bin/drTransmitCommand.pl -service dmgr -cmd "yes|/opt/oss/NSN-sm_conf_cert/bin/smcert_apply_certificate.sh --systemName <SYSTEM_NAME> --usecaseName <USECASE_NAME> 2>/dev/null" -timeout 1200

The yes| prefix answers every confirmation prompt of the script automatically, so double-check the
system name and usecase before running the command.

where:

• <SYSTEM_NAME>: The value must match the <systemName> part of the certificate file names.
• <USECASE_NAME>: The value must be the selected usecase. For more information, see Use cases and
description table in Creating certificates.

Sample output:

Certificate configuration was successful

7. If the maintenance mode was changed to OFF in step 4, set it back to ON on the standby site;
otherwise do not execute the following command:

/opt/oss/NSN-dr/bin/drTransmitCommand.pl -service dmgr -cmd "smanager.pl maintenance <ServiceName> on" -timeout 800

For <ServiceName>, see step 4.


Sample output:

Service <ServiceName> maintenance mode is set to on

8. Set the db service to Physical Standby on the standby site by entering:

/opt/oss/NSN-dr/bin/drTransmitCommand.pl -service db -cmd "/opt/oss/NSN-dr/install/bin/dbChangeStandbyMode.sh -p" -timeout 800

Sample output:

Role changed to Physical Standby completed Successfully.

2.10 Adding additional trust anchors


This procedure is required when the Network Elements (NEs) use a CA chain different from that of NetAct.

The general guideline is to use the same Certification Authority (CA) to sign Network Element (NE) and
NetAct certificates.

Pre-requisites:

• SSH login as root user must be enabled. For information on how to enable the root login, see Enabling
root SSH login.
• The CA certificates must be in PEM format. To convert certificates to PEM, see Converting certificates
to PEM format.

1. Get the CA certificate from the CA who signed the NE certificate.


2. Log in as omc user to the dmgr VM and switch to root user.

To locate the correct virtual machine, see Locating the right virtual machine for a service in
Administering NetAct Virtual Infrastructure.
3. Change the working directory to SM Cert tool bin directory:

cd /opt/oss/NSN-sm_conf_cert/bin

4. To add the chosen CA certificate to the trust store, execute:

./smcert_add_cacertificate_to_trust_store.sh --endpointName <endpointName> --caFile <caFile> [--skipActivate]

where:


• <endpointName>: The value specifies the end point where the CA needs to be added. To know all
supported endpoint names, execute:

./smcert_add_cacertificate_to_trust_store.sh --list

For usecases and endpoint mapping, see Usecases and end point mapping.
• <caFile>: The absolute path of the CA file that needs to be added to the trust store.

Note:

• Invoking the script with the optional argument --skipActivate skips the restart or reload of the
endpoint. The new trust anchor is then not in effect until the endpoint is restarted or reloaded.

Example:

./smcert_add_cacertificate_to_trust_store.sh --endpointName fm_pipe --caFile /root/ca.pem
./smcert_add_cacertificate_to_trust_store.sh --endpointName sqm_jboss --caFile /root/ca.pem --skipActivate

• In a DR environment, trust anchors must be added on the standby site as well. For more
information, see Adding additional trust anchors in standby site.

5. Disable the root SSH login, if it was enabled. For information on how to disable the root login, see
Disabling root SSH login.

2.11 Adding additional trust anchors in standby site


Follow this procedure to add a CA certificate to the trust store on the standby site of a DR environment
after the certificate has been added to the trust store on the active site.

1. Log in as omc user to the NetAct VM hosting the db service on the active site and switch to root
user.

To locate the right NetAct VM, see Locating the right virtual machine for a service in Administering
NetAct Virtual Infrastructure.

2. Check if the environment is DR environment by entering:

[root@dbvm sitea] # /opt/oss/NSN-dr/bin/drCheckStatus.pl -status

Sample output:

Enabled

If the output is Enabled, then it is DR environment, go to next step.

If the output is Disabled, then execute the following steps when DR is enabled.


If the output is No such file or directory, then it is not DR environment. Skip the following
steps.

3. Place the CA certificate file under the /opt/oss/NSN-sm_conf_cert/bin/generated/certificationAuthority/
path on the active site.

4. Copy certificate files from the active site to standby site by entering:

/opt/oss/NSN-dr/bin/localFsSync.pl -backup -fast

5. Check whether the service is in maintenance mode ON by entering:

/opt/oss/NSN-dr/bin/drTransmitCommand.pl -service dmgr -cmd "smanager.pl status service <ENDPOINT_NAME>" -timeout 800

The <ENDPOINT_NAME> value must be the selected end point. For more information, see Usecases and
end point mapping.

Sample output:

Enable root ssh login on neighbour site success.
[DR][Standby] <Node Name >:smanager.pl status service ihs.
<ServiceName>:<Node Name>:frozen
Execute command on <Node Name> of DR standby site success.
Disable root ssh login on neighbour site success.

If the output contains frozen, the service is in maintenance mode ON. Set the maintenance mode to OFF
for the <ServiceName> by executing the following command. Otherwise, go to step 6.

/opt/oss/NSN-dr/bin/drTransmitCommand.pl -service dmgr -cmd "smanager.pl maintenance <ServiceName> off" -timeout 800

Note: All the services listed in the command output must be set to maintenance mode OFF.

Sample output:

Service <ServiceName> maintenance mode is set to off

6. Set the db service to Snapshot Standby on the standby site by entering:

/opt/oss/NSN-dr/bin/drTransmitCommand.pl -service db -cmd "/opt/oss/NSN-dr/install/bin/dbChangeStandbyMode.sh -s" -timeout 800


Sample output:

Conversion completed Successfully

7. To add the chosen CA certificate to the trust store on the standby site, enter:

/opt/oss/NSN-dr/bin/drTransmitCommand.pl -service dmgr -cmd "yes |/opt/oss/NSN-sm_conf_cert/bin/smcert_add_cacertificate_to_trust_store.sh --endpointName <ENDPOINT_NAME> --caFile <CA certificate file path> 2>/dev/null" -timeout 1200

where:

• <ENDPOINT_NAME>: The value must be the selected end point. For more information, see Usecases
and end point mapping.
• <CA certificate file path>: The absolute path of the CA file placed in step 3, that is
/opt/oss/NSN-sm_conf_cert/bin/generated/certificationAuthority/<CA_CERT.pem>

Sample output:

configuration successful

8. If the maintenance mode was changed to OFF in step 5, set it back to ON on the standby site;
otherwise do not execute the following command:

/opt/oss/NSN-dr/bin/drTransmitCommand.pl -service dmgr -cmd "smanager.pl maintenance <ServiceName> on" -timeout 800

For <ServiceName>, see step 5.

Sample output:

Service <ServiceName> maintenance mode is set to on

9. Set the db service to Physical Standby on the standby site by entering:

/opt/oss/NSN-dr/bin/drTransmitCommand.pl -service db -cmd "/opt/oss/NSN-dr/install/bin/dbChangeStandbyMode.sh -p" -timeout 800

Sample output:

Role changed to Physical Standby completed Successfully.


2.12 Usecases and end point mapping


A usecase is a logical grouping of NetAct service endpoints; the endpoints are where the CA certificate
is added.

Table 4: Usecases and Endpoint mapping lists the usecases and endpoint mapping.

Usecases          Endpoints

dirsrv_access     sssd, dirsrv
ne3sws            cmwas, httpd, common_mediations
nwi3              cmwas, nwi3, nwi3-http
isdk_corba_fm     isdk-corba-fm
nbi_open_api      restda
xoh               xoh
3gpp_corba_nbi    nbi3gc, nbi3gcom
sl_nbi            slc
ntcapp            ntcapp
keycloak          keycloak
fm_email_server   fm_pipe
tp_email_server   sqm_jboss
sam_med           sam_med
pmwas             pmwas
syswas            syswas
fmwas             fmwas
itsmwas           itsmwas
intgwas           intgwas
bts_om            pnp_compatibility
centralized_pnp   pnp_autoconnection

Table 4: Usecases and Endpoint mapping

2.13 Root CA certificate for NetAct services


Pre-requisites:

To get the root CA certificate for the restda service, the service needs to be activated. See Enabling and
disabling RESTDA in RESTful Web Service Data Access API for activation.

To get the root CA certificate for the nbi3gc and nbi3gcom services, secure communication must be
enabled. For more information, see IIOP configuration in Integrating NetAct to an External NMS Using
3GPP XML Format PM Northbound Interface.

This section describes the steps for getting the root CA certificate of the CA chain used for signing the
NetAct service certificate(s). This CA certificate needs to be installed in the external client trust stores
so that the clients trust the NetAct services.

1. Log in as omc user to the dmgr VM of NetAct and then switch to root user.

To locate dmgr VM, see Locating the right virtual machine for a service in Administering NetAct
Virtual Infrastructure.
2. Change the working directory to SM Cert tool bin directory:

cd /opt/oss/NSN-sm_conf_cert/bin/

3. Execute the below command to get the root CA certificate for a NetAct service:

./smcert_get_root_cert.sh --serviceName <serviceName>

Where:

<serviceName>: A NetAct service name. To know the supported serviceNames, execute:

./smcert_get_root_cert.sh --list

On successful completion, the root CA certificate will be stored at /root/smcert/ with file name
<serviceName>_<usecaseName>.pem in dmgr VM.

Example:

./smcert_get_root_cert.sh --serviceName xoh

The root CA certificate will be stored as /root/smcert/xoh_xoh.pem


4. If the restda service was activated only for this procedure, deactivate it again. For more information
on how to deactivate, see Enabling and disabling RESTDA in RESTful Web Service Data Access API.


2.14 Converting certificates to PEM format


To convert a DER file (.crt, .cer or .der) to PEM format (.pem), execute the following command from any
VM:

openssl x509 -inform der -in <certificate.cer> -out <certificate.pem>

where,

<certificate.cer> is the certificate file in .crt, .cer or .der format

<certificate.pem> is the name of the output file (certificate in .pem format)

The file extension does not guarantee the encoding: a .cer or .crt file that begins with
-----BEGIN CERTIFICATE----- is already PEM and needs no conversion, and passing it with -inform der
makes openssl fail with "unable to load certificate".

For example:

openssl x509 -inform der -in rootCA.cer -out rootCA.pem

2.15 Get issuer name


This section describes the steps to get the Distinguished Name(DN) of the certificate issuer:

Note: SSH login as root user must be enabled. For information on how to enable the root lo-
gin, see Enabling root SSH login.

1. Log in as omc user to the dmgr VM of NetAct and switch to root user.

To locate dmgr VM, see Locating the right virtual machine for a service in Administering NetAct
Virtual Infrastructure.
2. Change the working directory to SM Cert tool bin directory.

cd /opt/oss/NSN-sm_conf_cert/bin

3. To get the issuer DN of the certificate, execute:

./smcert_get_issuer_dn.sh --usecaseName <usecaseName>

where <usecaseName>: The usecase name.

To know the supported usecases, execute:

./smcert_get_issuer_dn.sh --list

Example usage:

./smcert_get_issuer_dn.sh --usecaseName ne3sws


Expected outcome:

• If no certificates have been applied to the usecase at runtime using the SMCert tool, the usecase
still has the certificates generated during NetAct installation for NetAct internal use, and the output
is: The usecase "<usecaseName>" has default certificate(s).
• If certificates have been applied to the usecase using the SMCert tool, the distinguished name of the
CA(s) which signed the certificates of the chosen usecase is displayed.
4. Disable the root SSH login, if it was enabled. For information on how to disable the root login, see
Disabling root SSH login.

2.16 Rolling back certificate configuration


This procedure allows you to roll back to the previous configuration after applying the certificates for a
usecase.

Prerequisites

SSH login as root user must be enabled. For information on how to enable the root login, see Enabling
root SSH login.

Note: Rollback cannot be performed in succession and can only be performed once per
successful certificate application for a usecase. Also, rollback cannot be the first operation
after a NetAct upgrade.

To roll back to the previous configuration after applying the certificates for a usecase:

1. Log in as root user to the dmgr VM of NetAct.

To locate the dmgr VM, see Locating the right virtual machine for a service in Administering NetAct
Virtual Infrastructure.

2. Change the working directory to SMCert tool bin directory.

cd /opt/oss/NSN-sm_conf_cert/bin

3. Perform rollback for the usecase.

./smcert_rollback.sh --usecaseName <usecaseName>

Where <usecaseName> is the usecase for which the certificate configurations are to be reverted.
To find the list of supported usecases, see Table 3: Use cases and description.

Note:


If rollback is executed for the usecase dirsrv_access, then execute the below
command from dmgr VM to disable LDAPS usage for sssd service on all VMs.

./smcert_dirsrv_access_setup.sh --disable

The above command disables LDAPS usage for the sssd service only if dirsrv_access has default
certificates after the rollback; otherwise the script exits.

To know the usage of the script, execute:

./smcert_rollback.sh --help

Example:

./smcert_rollback.sh --usecaseName netact_webapps

This will rollback the certificate configuration changes of usecase netact_webapps.

In case of failures in rolling back to the previous configuration, see Troubleshooting NetAct
SmartCertificate (SMCert) Tool in Troubleshooting Security Management.

4. Disable the root SSH login, if it was enabled. For information on how to disable the root login, see
Disabling root SSH login.

2.17 Migrating Certificates


NetAct uses certificates for secure communication with network elements, NBI systems, other OSS
products, and customizations. These certificates can be changed in bulk using the migration procedure.
The two migration flows are:

• PKI migration
• SHA2 migration

As part of PKI migration, the Southbound certificate migration must be followed and changing the
network element certificates is mandatory. Unlike PKI migration, SHA2 migration requires changing the
certificates at NetAct alone and updating the root CA certificate at the relevant systems. Migrating
NetAct certificates involves a sequence of steps, which are detailed in the following sections:

• Assessment for SHA2 migration
• Hardware certificate migration
• Virtual infrastructure certificate migration
• Node Manager certificate migration
• Southbound certificate migration
• Northbound certificate migration
• NetAct WebApps migration
• NTCApp migration


2.17.1 Assessment for SHA2 migration


• To assess the readiness for SHA2 certificate migration, some information about the integrated systems
has to be collected. The data collection includes the details (version, O&M interface, Element
Management launch, and SHA2 compatibility) of the systems integrated to NetAct. Impacts on all
integrated network elements, NBI systems, other OSS products, and customizations must be considered
as part of data collection.
• To migrate NetAct certificates to SHA2, the southbound, northbound, and NetAct WebApps must be
assessed together as these depend on the same ihs:443 end point.
• You can migrate hardware and virtual infrastructure, node manager, customization and other OSS
products, and NTCApp certificates to SHA2 independently.
• In the following conditions, the SHA2 certificate migration is not possible until all the NBI clients and
SBI network elements using the same NetAct end point support SHA2:

– If one or more NBI clients or SBI network elements support only SHA1 while one or more other NBI
clients or SBI network elements support SHA2, and all of them depend on the same NetAct end point.

For example:

• If the BTS network element supports SHA2 and the NBI client Network360 supports only SHA1, and
both BTS and Network360 depend on the NetAct WebApps usecase, then it is not possible to migrate.
• If the BTS network element supports SHA2 and OneNDS supports only SHA1, and both BTS and
OneNDS depend on the NetAct WebApps usecase, then it is not possible to migrate.
• If 3gpp_corba_nbi supports SHA2 and nbi_open_api supports only SHA1, and both depend on the
NetAct WebApps usecase, then it is not possible to migrate.
– If one or more NBI clients and SBI network elements support only SHA1 while one or more NBI clients
and SBI network elements support SHA2, and they depend on the same NetAct end point.

Prepare the assessment list by filling in the following details:

• For NBI assessment:

– NBI clients
– Support for SHA2 (Yes/No)
– End point which is used to communicate with NetAct
– NetAct port
– Whether the current communication is secured
– If the communication is secured, whether a SHA2 certificate is used (Yes/No)
• For SBI assessment:

– Network elements
– Support for SHA2 (Yes/No)
– End point which the NE uses to communicate with NetAct
– Whether downtime is required while enabling TLS
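The assessment reduces to one rule: every TLS participant that depends on a given NetAct end point must support SHA2 before that end point can be migrated. The script below is an added example, not part of the manual, that applies this rule to a constructed inventory of NBI clients and SBI network elements (the names, end points and SHA2 flags are made up for illustration) and reports, per end point, whether migration is possible and which systems block it. Non-TLS integrations are ignored, as the manual states they are not impacted.

```sh
#!/bin/sh
# Added example, not part of the NetAct manual: apply the SHA2 assessment rule
# (all TLS participants on an end point must support SHA2) to an inventory.
set -eu

INVENTORY="$(mktemp)"
trap 'rm -f "$INVENTORY"' EXIT

# Constructed inventory; system names, end points and flags are illustrative.
# Columns: system,kind,netact_endpoint,tls,sha2
cat > "$INVENTORY" <<'EOF'
system,kind,netact_endpoint,tls,sha2
SBTS-01,SBI,ihs:443,yes,yes
Network360,NBI,ihs:443,yes,no
OneNDS,SBI,ihs:443,yes,yes
CBAM,SBI,ntcapp,yes,yes
LegacyNMS,NBI,nbi3gc,no,no
EOF

# One line per end point that has at least one TLS participant:
#   "<endpoint> ready"                     all TLS participants support SHA2
#   "<endpoint> blocked <sys1;sys2;...>"   these participants are SHA1-only
# End points reached only without TLS (nbi3gc above) are not impacted and
# are not listed.
migration_status() {        # migration_status <inventory.csv>
  awk -F, 'NR > 1 && $4 == "yes" {
      seen[$3] = 1
      if ($5 != "yes") blockers[$3] = (blockers[$3] == "" ? "" : blockers[$3] ";") $1
    }
    END {
      for (e in seen) print e, ((e in blockers) ? "blocked " blockers[e] : "ready")
    }' "$1" | sort
}

blocked_endpoints() { migration_status "$1" | awk '$2 == "blocked" { print $1 }'; }
ready_endpoints()   { migration_status "$1" | awk '$2 == "ready"   { print $1 }'; }

migration_status "$INVENTORY"
```

With the constructed inventory the ihs:443 end point is reported as blocked by Network360 while ntcapp is ready, which is the first example case in the list above: the SHA2-capable SBTS cannot be migrated until the SHA1-only NBI client sharing its end point is upgraded.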


2.17.1.1 Southbound

The Southbound interface is used for integrating the network elements to NetAct. Gather the details
listed below for all integrated network elements which use TLS (network elements integrated without
Transport Layer Security are not impacted by this migration).

• Network element version
• O&M interface
• CNUM activation status
• Element Management launch

To gather the required details and obtain the O&M interface used, see the Integration document of the
network elements.

Example output:

A sample of the details gathered for a BTS Mediator integrated to NetAct:

• Network Element Version: 17A
• O&M Interface: NE3S
• CNUM Activated: Yes
• Element Management launch: Yes (SSH)

The table below lists the network technologies, network elements and the minimum version supporting
SHA2 certificates.

Network Technology           Network Elements                 Minimum Version

LTE                          LTE iOMS                         LOMS16
GSM WCDMA LTE                SBTS                             SBTS17A
WCDMA                        Flexi BTS                        WBTS18
WCDMA                        mcRNC                            mcRNC20FP1
WCDMA                        OMS                              WOMS18
WCDMA                        ASRNC                            ASRNC18FP1
GSM WCDMA LTE                BTS Mediator                     17A
IMS                          CSCF VNF                         18.5VNF
IMS                          IMS OAM Unit                     18.5VI
IMS                          CM Repository Server             18.5VI, 18.5VNF
IMS                          CSCF                             18.5C
IMS                          Load Balancer                    18.5C
IMS                          TIAMS                            18.5C, 18.5Cc
IMS                          CM Repository Server             18.5CI
IMS                          IMS ATCA HW                      18.5
IMS                          IMS HPE HW                       18.5
IMS                          Nokia HSS VNF                    18.5VNF
IMS                          HSS-FE                           18.5VI
IMS                          HSS-FE                           18.5C
IMS-VoLTE                    Nokia TAS Cloud                  NTASCloud17SP1
Subscriber Data Management   One-EIR                          18 SP3
Subscriber Data Management   One-EIR Cloud                    18 SP3
Subscriber Data Management   One-MNP                          20
Subscriber Data Management   One-MNP Cloud                    20
Subscriber Data Management   NT HLR FE                        18.5C
Subscriber Data Management   NT HLR FE                        18.5VI
Subscriber Data Management   One-NDS (Status Service Based)   One-NDS 19
Telco Cloud Infrastructure   CBAM                             17.5

Table 5: Network Technology and Network Elements with minimum version supporting SHA2 certificates

Limitations on southbound migration:

On Southbound, NetAct can be migrated to SHA2 certificates only if every TLS network element
integrated to NetAct in the customer deployment is one of the network elements listed above, at the
minimum version or above.

NetAct Southbound migration to SHA2 certificates must not be performed if TLS network elements other
than those listed above are integrated to NetAct.

Among the network elements that can be integrated to NetAct, only those listed in Table 5: Network
Technology and Network Elements with minimum version supporting SHA2 certificates are SHA2
compatible.

2.17.1.2 Northbound

The Northbound interface is used for integrating NetAct into higher-level systems. Gather details of all
the integrated northbound systems which use TLS and check their SHA2 compatibility (NBIs integrated
without TLS are not impacted by this migration).


Gathered details of Network360 integrated to NetAct would be:

SHA2 Compatibility : Yes

2.17.1.3 NetAct WebApps


For all the integrated LTE OMS and SBTS elements, collect the following details:

• NE version
• O&M interface

Gather the SHA2 compatibility of TMF615 clients and Network360.

NetAct WebApps migration has to be performed only if:

1. All TMF615 clients and Network360 are SHA2 compatible.
2. The integrated OMS/SBTS elements are SHA2 compatible and the SB migration has been performed.

2.17.1.4 Hardware and virtual infrastructure


All the NetAct standard hardware and infrastructure are SHA2 compatible and do not need any
assessment. Certificate migration for hardware and virtual infrastructure can be performed independently
of the others.

2.17.1.5 Node manager


By default, the Node Managers for NetAct support SHA2 certificates and can proceed for migration
without assessment. Certificate migration for Node Manager can be performed independent of others.

2.17.1.6 Customization and other OSS products


Certificate changes (change of trust) performed as part of SHA2 migration on NetAct can impact
customization and other OSS products (for example, Network 360 and Eden-NET) integration. Collect the
NetAct interfaces used by these products or customizations by referring to their corresponding
documentation and plan accordingly.

2.17.1.7 NTCApp

NTCApp receives VNF lifecycle notifications from Cloud Band Application Manager (CBAM) or Zero
Touch Services (ZTS). CBAM and ZTS must support SHA2 before NTCApp is migrated. Certificate
migration for NTCApp can then be performed independently of the other migrations.

2.17.2 Hardware certificate migration


Default certificates are applied for the following hardware applications:

• HPE onboard administrator
• HPE iLO
• EMC VNX storage
• HPE Virtual Connect
• SAN SWITCH
• MSA Storage (2040/2050)
• HPE SIM server

For instructions on changing the certificates, see Managing certificates for hardware devices and
Managing certificate for HPE SIM server.

2.17.3 Virtual infrastructure certificate migration


Default certificates are used in VMware vSphere components within NetAct such as:

• vCenter Server Appliance
• ESXi hosts

For instructions on changing certificates, see Managing certificates for VMware vSphere.

2.17.4 Node Manager certificate migration


Node Manager Server (NMS) is a platform based on Windows and provides graphical user interfaces
to access the Windows-based applications, Node Managers, or Element Managers.

Certificates are used in Citrix Delivery Controller (CTXDC) and Citrix Virtual Delivery Agent (VDA)
to communicate with the workstations and within NMS. Certificate migration for Node Manager will
change the certificates for these services.

For more information, see Using third-party certificates on Node Manager Server in Administering
Node Manager Server.

2.17.5 Southbound certificate migration


After successful assessment for migration, the steps to be followed for migrating NetAct SB are:

Figure 4: Southbound certificate migration


After successful completion of the steps, NetAct will be using SHA2 certificates for SB communication.

Note:

• Certificate migration for Radio network elements would be mandatory in case of PKI change.
• Southbound migration would be considered complete when migration is done successfully for NetAct WebApps.

2.17.5.1 Generating certificates


Certificates must be generated for all the impacted NetAct SB interfaces using the following usecases:

• ne3sws
• nwi3
• isdk_corba_fm
• xoh
• dirsrv_access

For generating certificates, see Creating certificates.

Note: It is recommended to generate the certificates for the above listed usecases using the same Certification Authority (CA) to avoid importing multiple CA certificates on the Network Elements.

2.17.5.2 Importing Network Element root certificate to NetAct services

Note: In case of Radio network elements, if the network element root certificate is the same as the NetAct root certificate, skip the steps below.

For secure communication between network elements and NetAct where the network elements act as the server, the network element trust certificates (root CA) have to be imported to all the relevant NetAct SB services.

1. Get the network element root certificates:

a. In case of Core network elements, the root certificate is the same as the NetAct root certificate generated as part of Generating certificates.
b. In case of Radio network elements, use the root certificate that will be used for generating the network element certificates.
2. Based on the network element O&M interface, identify the impacted service list. The table below lists the impacted services per O&M interface/functionality.

O&M Interface/Functionality      Impacted NetAct Services
NE3S                             common_mediations, cmwas
NWI3                             nwi3, nwi3-http, cmwas
CNUM                             dirsrv
Element Management launch        syswas

Table 6: Impacted NetAct services based on O&M interface/functionality

3. Follow the instructions provided in Adding additional trust anchors for adding Network element root
certificates to impacted NetAct services.

2.17.5.3 Generating and applying end-entity certificates for Core Network Elements

To generate and use new Transport Layer Security (TLS) certificates for the Core network elements, do the following:

1. Disable TLS for network elements which had TLS enabled before the migration. See the NE related integration document for disabling TLS.
2. Enable TLS for network elements with the new certificate. See the NE related integration document for enabling TLS.

Note: If signing is by NetAct CA, configuration items such as <systemName> and <hashingAlgorithm> must be the same as those provided in Generating certificates.

2.17.5.4 Importing NetAct root certificate to Network Elements


To secure communication between NetAct and Network Elements (NEs), where NetAct is acting as the server, the NetAct root certificates have to be added to the Network Elements.

Import the rootCA certificate of the relevant NetAct usecases to all the NEs if:

• The Certification Authority (CA) used for generating certificates for NetAct usecases in Generating certificates is different from the CA used before the Certificate Migration for those NetAct usecases, and
• The CA certificate is not present in the NE. To know the CA certificates available in the NE, see the respective NE user documentation.

Note:

To know the CA name with which the certificates were applied for the usecase before, see Get issuer name.

Based on the NetAct usecases, the O&M interface and functionality of the impacted network elements has to be identified. Impacted NE's O&M interface/functionality lists the impacted NE's O&M interface/functionality.

NetAct usecases     O&M interface/functionality of impacted NEs
ne3sws              NE3S
nwi3                NWI3
xoh                 XOH
dirsrv_access       CNUM

Table 7: Impacted NE's O&M interface/functionality

1. Get the NetAct root certificate used to generate end-entity certificates for the relevant usecases in
Generating certificates to add to the NEs.
2. For instructions to import CA certificates on network elements, see the respective NE user
documentation.

2.17.5.5 Applying certificates to NetAct services


NetAct end-entity certificates generated in Generating certificates have to be applied. Follow the
instructions provided in Installing certificates for usecases ne3sws, nwi3, isdk_corba_fm, xoh,
and dirsrv_access.

2.17.5.6 Generating and applying end-entity certificates on Radio Network Elements


End-entity certificates have to be generated and applied on the network elements. For instructions to
import certificates, see the respective NE user documentation.

2.17.6 Northbound certificate migration

After assessment for migration, there are three NBI interfaces which need certificate migration:

• 3GPP Release 6 CORBA FM NBI
• RESTful Web Service Data Access API

3GPP Release 6 CORBA FM NBI depends on NBI3GCOM. The usecases for NBI certificate migration are:

• 3gpp_corba_nbi: For nbi3gcom and nbi3gc services
• nbi_open_api: For restda service

Additionally, migration has to be done for Security Log NBI. For migration instructions, see Configuring SLNBI to send syslog messages in Security Log NBI.

Note: Northbound migration would be considered complete when migration is done successfully for NetAct WebApps.

2.17.6.1 Generating certificates for NBI services

Generate the certificates for NBI services using the following usecases:

• 3gpp_corba_nbi
• nbi_open_api

For information on generating certificates, see Creating Certificates.

2.17.6.2 Importing NetAct root certificates to High Level Systems


To establish secure communication between NBI and High Level Systems when NetAct NBI services act as the server, the NetAct root certificates used to generate end-entity certificates in Generating certificates for NBI services have to be imported to the High Level Systems.

For instructions to import certificates on High Level Systems, see the respective High Level Systems
user documentation.

2.17.6.3 Applying certificates to NBI services


Apply the certificates to NBI services using the following usecases:

• 3gpp_corba_nbi
• nbi_open_api

For more information, see Installing certificates.

2.17.6.4 Importing High Level Systems root certificate to NetAct NBI services

Note: If the High Level Systems root certificate is the same as the NetAct root certificate, skip this chapter.

To establish secure communication between High Level Systems and NetAct NBI where the High Level Systems act as the server, the High Level Systems trust certificates (root CA) used as part of Generating certificates for NBI services have to be imported to the NetAct NBI services (nbi3gcom, nbi3gc, and restda). For instructions to import the High Level Systems Root Certificate, see Adding additional trust anchors.

2.17.6.5 Generating and applying certificates on High Level Systems


Generate and apply certificates for High Level Systems, if required. For instructions, see the respective High Level System user documentation.

2.17.7 NetAct WebApps migration


All the web and rich applications of NetAct are accessed through port 443 of the IBM HTTP Server (IHS). All communication with this service is through TLS. The clients of this service include workstations, NEs, and other OSS products. As part of NetAct WebApps migration, the ihs:443 end-entity certificate will be replaced. The truststores of the clients communicating with ihs:443 must be updated with the NetAct root certificate.

1. Generate certificates for the usecase netact_webapps. For instructions on generating certificates, see Creating certificates.
2. The truststores of Network360, TMF615 clients, SBTS, OMS, and NetAct workstations have to be updated with the NetAct root certificate.
3. Apply certificates for the usecase netact_webapps. For instructions on applying certificates, see Installing certificates.

Note: Migrating NetAct WebApps will be performed as part of both northbound and
southbound migration.

2.17.8 NTCApp migration


Nokia Telco Cloud Application (NTCApp) receives VNF lifecycle notifications from Cloud Band
Application Manager (CBAM) or Zero Touch Services (ZTS). Before the NTCApp certificate migration,
the CBAM and ZTS truststores have to be updated to ensure secure communication with NTCApp.

1. Generate certificates for the usecase ntcapp. For instructions on generating certificates, see
Creating certificates.

2. Get the NetAct root certificate used to generate certificates for ntcapp usecase in the previous
step.

• Add it to the CBAM truststore. For detailed instruction, see CloudBand Application Manager,
<CBAM release>, Operating Documentation on Support portal in https://customer.nokia.com.
Accessing the documentation and software in the portal requires authentication. The
navigation path is CloudBand Application Manager Administrator Guide → Security
configuration → Certificate management → Truststore configuration.
Or

• Add it to the ZTS truststore. For detailed instruction, see Configurations for selective NBI
ONAP, NetAct, and LMS chapter in Life Cycle Management of OAM and Cloud Native VNFs
(DN261913520) of the corresponding ZTS release.

3. Apply certificates for usecase ntcapp. For instructions on applying certificates, see Installing
certificates.

2.18 Creating keystore with end-entity certificate and immediate issuer

Prerequisites

• The private key and certificate for the end-entity are available in the NetAct system.
• The issuing CA certificate for the end-entity is available.
• All certificates and private keys need to be in PEM format.

This section provides the steps to create the PKCS12 keystore with the end-entity private key and certificate along with the immediate issuer.

1. Log in as omc user to the NetAct VM where dmgr is running through SSH and switch to the root
user.

To locate the dmgr VM, see Locating the right virtual machine for a service in Administering NetAct
Virtual Infrastructure.

2. To find the issuer of the end-entity certificate, execute:

/usr/bin/openssl x509 -in <certificatePath> -issuer -noout | sed 's/issuer= //'

Note: <certificatePath>: File path for the end-entity certificate

3. For every CA certificate, execute:

/usr/bin/openssl x509 -in <issuerCertificatePath> -subject -noout | sed 's/subject= //'

The issuer CA is the certificate for which the output of this command is the same as the output of the command in step 2.

Note: <issuerCertificatePath>: File path for the issuer certificate

4. To create the PKCS12 keystore, execute:

/usr/bin/openssl pkcs12 -export -passin pass:<inkeyPassword> -inkey <privateKeyPath> \
    -in <certificatePath> -certfile <issuerCertificatePath> -name <alias> \
    -passout pass:<outputPassword> -nodes -out <p12Path>

/usr/bin/keytool -importcert -alias <issuerAlias> -file <issuerCertificatePath> \
    -keystore <p12Path> -storepass <outputPassword> -storetype PKCS12 -noprompt

where:

• <inkeyPassword>: Password to decrypt the private key
• <privateKeyPath>: File path for the end-entity private key
• <certificatePath>: File path for the end-entity certificate
• <issuerCertificatePath>: File path for the issuer certificate (identified in step 3)
• <alias>: Name to refer to the private-key entry within the keystore
• <outputPassword>: Password to encrypt the private key and the keystore
• <p12Path>: File path where the PKCS12 needs to be created
• <issuerAlias>: Name to refer to the trust entry in the keystore

Note: You must enclose parameter values containing special characters in single quotes.

For example:

If the value of the passin parameter is pass:HW!hardeninG%^~ and the value of the passout parameter is pass:HW!hardeninG%^~, then enclose these parameter values in single quotes in the command to export the PKCS12 keystore as follows:

/usr/bin/openssl pkcs12 -export -passin 'pass:HW!hardeninG%^~' \
    -inkey /opt/oss/NSN-sm_conf_cert/generated/server/NetAct_123_ntcapp_ntcappKey.pem \
    -in /opt/oss/NSN-sm_conf_cert/generated/server/NetAct_123_ntcapp_ntcappCert.pem \
    -name ntcapp -chain -CAfile /tmp/smcert.cetYNzo/caCerts.T8bI0.pem \
    -out /var/tmp/cert_ntcapp.p12 -nodes -passout 'pass:HW!hardeninG%^~'

2.19 Troubleshooting
For information on certificate management troubleshooting, see Troubleshooting NetAct Smart-Certificate (SMCert) Tool in Troubleshooting Security Management.

For information on security related troubleshooting, see Troubleshooting Security Management.


3 Managing certificates for hardware devices

If the Common Name is specified as an FQDN, make sure that the fully qualified domain name is set in the domain name directory (DNS). All hardware should have the NetAct 18 recommended firmware installed.

3.1 HPE onboard administrator

3.1.1 Steps to generate CSR

1. Log in to the HPE Active Onboard Administrator Web application as an administrator.

For example: https://<FQDN/IP of Active OA>/

2. Navigate to Active Onboard Administrator → Certificate Administration → Certificate Request.

3. To generate a CSR, select Generate a certificate-signing request (CSR).

4. Fill the needed information. The Certificate Request tab enables you to enter the information
needed to generate a standardized certificate signing request to a certificate authority.

Enter the following details to generate a CSR:

• Country (C) - The two character country code identifies the country where the company
or organization that owns this OA subsystem is located. Enter the two letter abbreviation in
capital letters.
• State (ST) - The state where the company or organization that owns this OA subsystem is
located.
• City or Locality (L) - The city or locality where the company or organization that owns this OA
subsystem is located.
• Organization Name (O) - The name of the company or organization that owns this OA
subsystem.
• Common Name (CN) - The FQDN/IP of this OA subsystem.

Select Standby OA Host Name to include a request for a Standby Onboard Administrator certificate. Enter the information in the Standby Common Name (CN) field, which must be 1 to 60 characters in length. This selection only appears if you have a Standby Onboard Administrator in the enclosure.

5. Click Apply to generate a standardized certificate signing request.

6. For signing with certificate authority, see Common certificate related information for hardware
devices.

Note: Signed certificate should be in .pem format.

3.1.2 Import certificate

1. Import certificates to Active Onboard Administrator.

a) Navigate to Active Onboard Administrator → Certificate Administration → Certificate Upload.
b) Open the PEM file and copy the content from BEGIN CERTIFICATE to END CERTIFICATE.
c) Paste the signed certificate (including the BEGIN CERTIFICATE and END CERTIFICATE lines) into the text field and click Upload.

If the new certificate is successfully accepted and installed by the Onboard Administrator, you are automatically signed out. The HTTP server is reset for the new certificate to take effect.

2. Import certificates to Standby Onboard Administrator.

a) Navigate to Standby Onboard Administrator → Certificate Administration → Certificate Upload.
b) Open the PEM file and copy the content from BEGIN CERTIFICATE to END CERTIFICATE.
c) Paste the signed certificate (including the BEGIN CERTIFICATE and END CERTIFICATE lines) into the text field and click Upload.

After successfully accepting and installing the new certificate, the Standby Onboard Administrator automatically restarts for the new certificate to take effect.

3. Verify the certificate. For more information on verifying the certificate, see SSL certificate
verification.

Note: The life-cycle (for example, expiry and revocation) of certificates configured should
be managed by customers.


3.2 HPE iLO

3.2.1 Steps to Generate CSR

1. Log in to HPE iLO as an administrator.

For example: https://<FQDN/IP of iLO>/

2. Navigate to the applicable iLO:

For iLO4, navigate to the Administration → Security → SSL Certificate.

Or

For iLO5, navigate to the Security → SSL Certificate.

3. Click Customize Certificate.

4. On the SSL Certificate Customization page enter the following details to generate a CSR:

• Country (C) - The two character country code identifies the country where the company or
organization that owns this iLO subsystem is located. Enter the two letter abbreviation in
capital letters.
• State (ST) - The state where the company or organization that owns this iLO subsystem is
located.
• City or Locality (L) - The city or locality where the company or organization that owns this iLO
subsystem is located.
• Organization Name (O) - The name of the company or organization that owns this iLO
subsystem.
• Organization Unit (OU) - The unit within the company or organization that owns this iLO
subsystem.
• Common Name (CN) - The FQDN/IP of this iLO subsystem.

5. Click Generate CSR.

A message notifies you that a certificate is being generated and that the process might take up to
ten minutes.

6. After ten minutes, click Generate CSR again.

The CSR is displayed.

7. For signing with certificate authority, see Common certificate related information for hardware
devices.

Note: Signed certificate should be in .pem format.


3.2.2 Import certificate

1. Navigate to the applicable iLO:

For iLO4, navigate to the Administration → Security → SSL Certificate.

Or

For iLO5, navigate to the Security → SSL Certificate.

2. Click Customize Certificate → Import Certificate.

3. In the Import Certificate area, paste the signed certificate (including BEGIN CERTIFICATE and
END CERTIFICATE line) into the text field and click Import.

Once the certificate import is successful, the iLO will reset automatically.

4. Verify the certificate. For more information on verifying the certificate, see SSL certificate
verification.

Note: The life-cycle (for example, expiry and revocation) of certificates configured should
be managed by customers.

3.3 HPE Virtual Connect

3.3.1 Steps to generate CSR

1. Log in to HPE Virtual Connect as an administrator.

For example: https://<IP/FQDN of VC>/

2. Navigate to the Users/Authentication → SSL Certificate.

3. Select Certificate Signing Request tab.

4. Enter the following details and click Apply:

• Country (C) - The two character country code identifies the country where the company or
organization that owns this VC is located. Enter the two letter abbreviation in capital letters.
• State or Province (ST) - The state where the company or organization that owns this VC is
located.
• City or Locality (L) - The city or locality where the company or organization that owns this VC
is located.
• Organization Name (O) - The name of the company or organization that owns this VC.


• Common Name (CN) - The FQDN/IP of this VC.

5. The CSR is displayed.

6. For signing with certificate authority, see Common certificate related information for hardware
devices.

Note: Signed certificate should be in .pem format.

3.3.2 Import certificate

1. Navigate to the Users/Authentication → SSL Certificate page.

2. Select Certificate upload tab.

3. In the Certificate upload area, paste the signed certificate (including BEGIN CERTIFICATE and
END CERTIFICATE line) into the text field and click Upload.

4. Verify the certificate. For more information on verifying the certificate, see SSL certificate
verification.

Note: The life-cycle (for example, expiry and revocation) of certificates configured should
be managed by customers.

3.4 HPE Synergy 12000

3.4.1 OneView

3.4.1.1 Steps to generate CSR

1. Log in to the HPE OneView application as an administrator.

For example: https://<FQDN/IP of OneView>/

2. In the left pane, click Settings → Security.

3. To generate a CSR, click Actions → Create appliance certificate signing request.


The Create appliance certificate signing request dialog box appears.

4. Fill the required information. The Certificate Request tab enables you to enter the information
required to generate a standardized certificate signing request to a certificate authority.

Enter the following details to generate a CSR:

• Country (C) - The two character country code identifies the country where the company
or organization that owns this OV subsystem is located. Enter the two letter abbreviation in
capital letters.
• State (ST) - The state where the company or organization that owns this OV subsystem is
located.
• City or Locality (L) - The city or locality where the company or organization that owns this OV
subsystem is located.
• Organization Name (O) - The name of the company or organization that owns this OV
subsystem.
• Common Name (CN) - The FQDN/IP of this OneView subsystem.

5. Click OK to generate a standardized certificate signing request.

6. If you are using a third-party CA, copy the HPOV.csr files (created using Generating certificate signing requests and keys in Administering NetAct System Security) to the CA machine for signing.

Note:

• Copy the generated certificate request and sign the CSR using NetAct CA by
following the procedure provided in Signing using NetAct CA section.
• Signed certificate should be in .pem format.
• For more information on the common certificate related information, see Common
certificate related information for hardware devices.

3.4.1.2 Adding root/intermediate CA certificate to OneView and browser

1. Install the root CA into the browser. For more information, see Installing the Root CA certificate to a
browser in Installing and Configuring NetAct User Workstations.

2. Log in to the OneView console.

3. In the left pane, click Settings → Security → Manage certificates.

4. Click Add Certificates.


The Add Certificates dialog box appears.

5. Select Paste certificate check box and paste the CA certificate content in the text field.

6. Click Validate certificate.

7. Click Add and Close.

3.4.1.3 Import certificate

Obtain the signed server certificate and import the certificate content by doing the following:

1. Log in as an administrator to the HPE OneView console.

2. In the left pane, click Settings → Security.

Note: If any intermediate CA certificate is used, then that intermediate CA certificate must also be uploaded using the above steps.

3. Click Actions → Import appliance certificate.

The Import appliance certificate dialog box appears.

4. In the text field, paste the signed certificate content.

Note: The OneView application disconnects from the browser when a new certificate is
used. The error message appears if the CA is not listed in the trusted authority list of the
browser.

5. Click OK.

3.4.2 Synergy 480 Gen10 iLO

3.4.2.1 Steps to generate CSR

1. Log in as an administrator to the Synergy 480 Gen10 iLO console.

For example: https://<FQDN/IP of Synergy 480 Gen10 iLO>/

2. Navigate to Security → SSL Certificate.

3. Click Customize Certificate.

The Security - SSL Certificate Customization window appears.

4. To generate a Certificate Signing Request (CSR), enter the following details:


• Country (C) - The two character country code identifies the country where the company
or organization that owns this Synergy 480 subsystem is located. Enter the two letter
abbreviation in capital letters.
• State (ST) - The state where the company or organization that owns this Synergy 480
subsystem is located.
• City or Locality (L) - The city or locality where the company or organization that owns this
Synergy 480 subsystem is located.
• Organization Name (O) - The name of the company or organization that owns this Synergy
480 subsystem.
• Organization Unit (OU) - The unit within the company or organization that owns this Synergy
480 subsystem.
• Common Name (CN) - The FQDN/IP of this Synergy 480 subsystem.

5. Click Generate CSR.

A message notifies you that a certificate is being generated and that the process might take up to
ten minutes.

6. After ten minutes, click Generate CSR again.

The CSR is displayed.

7. For signing with certificate authority, see Common certificate related information for hardware
devices.

Note: Signed certificate must be in the .pem format.

3.4.2.2 Import certificate

Prerequisites

• The root/intermediate CA certificate must be added to OneView and the browser. For more
information, see Adding root/intermediate CA certificate to OneView and browser.

1. Log in to the Synergy 480 Gen10 iLO console.

2. Navigate to Security → SSL Certificate.

3. Click Customize Certificate → Import Certificate.

4. In the Import a Certificate area, paste the signed certificate (including BEGIN CERTIFICATE and
END CERTIFICATE line) into the text field and click Import.


The Apply and Reset confirmation window appears.

5. Click Yes, apply and reset.

6. Verify the certificate. For more information on verifying the certificate, see SSL certificate
verification.

Note: The life-cycle (for example, expiry and revocation) of certificates configured should
be managed by customers.

3.5 EMC VNX storage

3.5.1 Steps to generate CSR

1. Log in to the array WEB UI as administrator user through https://<SPA_IP/FQDN>/setup.

2. Select Manage SSL/TLS Certificate.

3. Click Generate a Certificate Signing Request.

4. Enter details in the following mandatory fields:

• Common Name (Domain Name) - The FQDN/IP of EMC storage.
• Common Name (IPv4) - IPv4 address of EMC storage.
• Common Name (IPv6) - IPv6 address of EMC storage.
• Organizational Unit Name - The unit within the company or organization that owns EMC storage.

Note: If you are generating a CSR by entering only FQDN as Common Name, ensure
that DNS is enabled on EMC storage. If DNS is disabled, enable it. For more information,
see Enabling DNS on the array via GUI.

5. After filling in the above details, click Generate a Certificate Signing Request.

The CSR is displayed.

Note: For signing with certificate authority, see Common certificate related information for
hardware devices.

3.5.1.1 Enabling DNS on the array via GUI


Enable DNS on the array via GUI to generate Certificate Signing Request (CSR) by using only FQDN
as Common Name.


Prerequisites

Ensure that you add EMC storage details in the DNS server.

1. Log in to the EMC storage WEB UI as admin user by doing the following:
a) In the address field of your internet browser, type the following URL address:

https://<SPA_IP/FQDN>

where <SPA_IP/FQDN> is the IP address and fully qualified domain name of the EMC storage
processor.
b) Type the Username and Password.
c) Click Login.

The EMC Unisphere home page appears.

2. From the All Systems drop-down list, select the corresponding array.

The EMC Unisphere dashboard page appears.

3. On the taskbar, click Settings.

The EMC Unisphere settings page appears.

4. In the right pane, under the Network Settings area, click Configure DNS.

The DNS Configuration for Storage Domain Local dialog box appears.

5. In the DNS Domain Suffix field, enter the DNS domain name.

6. In the DNS Server IP address field, enter the IP address.

7. Click Add and then click OK.

8. At the prompt, click Yes.

Expected outcome

The DNS is enabled on the array via GUI.

3.5.2 Import certificate


On the array, perform the following steps to import the certificate to the EMC storage:

1. Log in to the array WEB UI as administrator user through https://<SPA_IP>/setup.

2. Select Manage SSL/TLS Certificate.

3. Click Import Signed certificate and paste the signed certificate (including the BEGIN CERTIFICATE
and END CERTIFICATE lines).


Perform the same steps to generate and import the certificate for SPB, providing the SPB IP instead
of the SPA IP (https://<SPB_IP>/setup).

4. Verify the certificate. For more information on verifying the certificate, see SSL certificate
verification.

Note: The life-cycle (for example, expiry and revocation) of certificates configured should
be managed by customers.

3.6 EMC Unity storage

3.6.1 Steps to generate CSR

1. Log in to EMC Unity storage SP using SSH protocol with service user.

Note: By default, SSH is disabled. To enable SSH, do the following:

a) Log in to WEB UI as admin user through https://<SPA_IP/FQDN>.
b) Navigate to SYSTEM → Service.
c) Select the Service Tasks tab on the right hand side.
d) Under Storage System, click Enable SSH.
e) Click Execute.

A pop-up window appears.

f) Provide the Service Password.
g) Click OK.

2. Create the private key on SPA by entering:

service@storage~/user# openssl genrsa -des3 -out unitycert.key -passout pass:PASSWORD

Sample output is:

Generating RSA private key, 2048 bit long modulus
............................+++
..................................................................
....................................................+++
e is 65537 (0x10001)

3. Remove the passphrase from the key on the SP.

Note: This step is mandatory: if the passphrase is not removed from the key, the SP panics.

In the following example, PASSWORD is the same password that was used in the previous step.

service@storage~/user# openssl rsa -in unitycert.key -passin pass:PASSWORD -out unitycert.pk

Sample output:

writing RSA key

4. Request the CSR on the SP by entering:

service@storage~/user# openssl req -new -sha256 -key unitycert.pk -out unitycert.csr -days 1825 -subj '/C=IN/ST=KA/L=BLR/O=Nokia/CN=<SPA IP or SPA FQDN>'

In the above command, -subj '/C=IN/ST=KA/L=BLR/O=Nokia/CN=<SPA IP or SPA FQDN>' is an example.
Change the details according to the customer environment.

5. Open the CSR file with the cat command, then copy the content and save it as unitycert.csr.

For example:

service@storage~/user# cat unitycert.csr

Note: Ensure that you copy the content from BEGIN CERTIFICATE REQUEST through END
CERTIFICATE REQUEST.

6. Sign the server certificate with certificate authority. For more information, see Common certificate
related information for hardware devices.

Note: EMC Unity accepts only a CA-signed certificate with the .crt extension. If the CA-signed
certificate is in .pem format, it must be converted to .crt format.

Use the following openssl command to convert the signed certificate from .pem to .crt format:

On any Linux machine with openssl installed, as root user, enter:

[root] # openssl x509 -outform PEM -in certificate.pem -out certificate.crt
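
The Unity CSR steps above run offline, as an added example (not from the NetAct document), followed by the checks worth doing before the CSR is sent to the CA: the key on the SP really has no passphrase, the CSR verifies, the CN is the intended one, and the CSR belongs to the key that stays on the SP. The work directory, the CN and the PASSWORD value are placeholders; -aes256 stands in for the procedure's -des3 because the passphrase is stripped in the next step anyway.

```shell
#!/bin/sh
# Added example, not from the NetAct document: EMC Unity CSR steps 2 to 4 run
# offline, plus the checks worth doing before the CSR leaves the box.
# The work directory, the CN and the passphrase are placeholders.
set -eu

# gen_unity_csr <dir> <SPA IP or FQDN> <passphrase>
# Step 2: passphrase-protected key (the procedure uses -des3; -aes256 here).
# Step 3: the same key with the passphrase removed; an encrypted key on the SP
#         causes an SP panic, so this is the file the SP gets.
# Step 4: CSR from the passphrase-free key. -days is omitted because
#         "openssl req -new" ignores it unless -x509 is given.
gen_unity_csr() {
    dir=$1; cn=$2; pass=$3
    openssl genrsa -aes256 -passout "pass:$pass" -out "$dir/unitycert.key" 2048 2>/dev/null
    openssl rsa -in "$dir/unitycert.key" -passin "pass:$pass" \
        -out "$dir/unitycert.pk" 2>/dev/null
    chmod 600 "$dir/unitycert.pk"
    openssl req -new -sha256 -key "$dir/unitycert.pk" -out "$dir/unitycert.csr" \
        -subj "/C=IN/ST=KA/L=BLR/O=Nokia/CN=$cn"
}

# Check 1: the .pk file is really unencrypted. An encrypted PKCS#1 key carries a
# "Proc-Type: 4,ENCRYPTED" line and an encrypted PKCS#8 key a
# "BEGIN ENCRYPTED PRIVATE KEY" header; both contain the word ENCRYPTED.
key_is_unencrypted() {
    ! grep -q 'ENCRYPTED' "$1"
}

# Check 2: the CSR's self-signature verifies (catches a truncated copy-paste
# of the BEGIN ... END CERTIFICATE REQUEST block).
csr_verifies() {
    openssl req -in "$1" -noout -verify >/dev/null 2>&1
}

# Check 3: the CN that will end up in the certificate. RFC2253 output is
# "subject=CN=...,O=Nokia,L=BLR,ST=KA,C=IN"; only the CN value is printed.
csr_cn() {
    openssl req -in "$1" -noout -subject -nameopt RFC2253 \
        | sed 's/^subject=//' | tr ',' '\n' | sed -n 's/^CN=//p'
}

# Check 4: the CSR was made with the key that stays on the SP. The public key
# embedded in the CSR must equal the one derived from the private key.
key_matches_csr() {   # key_matches_csr <key> <csr>
    [ "$(openssl rsa -in "$1" -pubout 2>/dev/null)" = \
      "$(openssl req -in "$2" -noout -pubkey)" ]
}

# Stand-alone run: sh this_script.sh run
if [ "${1:-}" = "run" ]; then
    work=$(mktemp -d)
    gen_unity_csr "$work" "spa.storage.example.invalid" "PASSWORD"
    key_is_unencrypted "$work/unitycert.pk" && csr_verifies "$work/unitycert.csr" \
        && key_matches_csr "$work/unitycert.pk" "$work/unitycert.csr" \
        && echo "CSR ready for CN=$(csr_cn "$work/unitycert.csr")"
    cat "$work/unitycert.csr"
fi
```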


3.6.2 Import certificate

1. Log in to EMC Unity SPA as service user.

2. Upload the CA-signed certificate to the path /home/service/user on EMC Unity storage (using
WinSCP). Save the signed certificate with the name corresponding to the private key generated for EMC
Unity storage in step 3 of the procedure Steps to generate CSR.

Note: Ensure that the already generated private key file (unitycert.pk) and the CA-signed
certificate file (unitycert.crt) have the same base name.

3. Install the certificate by entering:

service@unknown spb:~/user# svc_custom_cert <certificate name>

For example:

service@unknown spb:~/user# svc_custom_cert unitycert
Successfully installed custom certificate files.
Restarting web server ...Wed Sep 27 06:55:36 2017:7e30\
0x7fb45d87b7c0:32:Module CIC/1.1.10.6 loaded
service@unknown spba:~/mycerts>

4. Verify the certificate. For more information on verifying the certificate, see SSL certificate
verification.

Note: The life-cycle (for example, expiry and revocation) of certificates configured should
be managed by customers.

5. Disable SSH by doing the following:

a) Log in to WEB UI as admin user through https://<SPA_IP/FQDN>.
b) Navigate to SYSTEM → Service.
c) Select the Service Tasks tab on the right hand side.
d) Under Storage System, click Disable SSH.
e) Click Execute.

A pop-up window appears.

f) Provide the Service Password.
g) Click OK.


3.7 SAN SWITCH


Configure SSL access for a switch by obtaining, installing, and activating digital certificates.

Configuring SSL involves the following processes.

3.7.1 Steps to generate CSR

3.7.1.1 Generating a public/private key pair

Use the following procedure to generate a public/private key pair.

• Connect to the switch using SSH and log in using an account with admin permissions.
• Enter the secCertUtil genkey command to generate a public/private key pair.

The system reports that this process will disable secure protocols, delete any existing CSR, and
delete any existing certificates.
• Respond to the prompts to continue and select the key size.

3.7.1.2 Generating and storing a certificate signing request

After generating a public/private key pair, you must generate and store a certificate signing request
(CSR).

1. Connect to the switch using SSH and log in using an account with admin permissions.
2. Enter secCertUtil gencsr.
3. Enter the requested information.

• Country Name - The two character country code identifies the country where the company or
organization that owns this switch is located.
• State or Province Name - The state where the company or organization that owns this switch
is located.
• Locality Name - The city or locality where the company or organization that owns this switch
is located.
• Organization Name (company name) - The name of the company or organization that owns
this switch.
• Organization Unit Name (department name) - The unit within the company or organization
that owns this switch.
• Common Name (Fully qualified Domain Name, or IP address) - The FQDN/IP of this
switch.

3.7.1.3 Obtaining certificates

Once you have generated a CSR, you will need to follow the instructions on the website of the
certificate issuing authority that you want to use and then obtain the certificate.

Use the following procedure to obtain a security certificate.


1. Connect to the switch using SSH and log in using an account with admin permissions.
2. Enter secCertUtil showcsr. The contents of the CSR are displayed.
3. For signing with certificate authority, see Common certificate related information for hardware
devices.

3.7.2 Import certificate


Import the certificate to the SAN switch by doing the following:

1. Connect to the switch using SSH and log in using an account with admin permissions.

2. Import the CA certificate received from the signing authority and enable HTTPS by entering:

seccertmgmt import -ca -server https

At the prompts, enter the following details:

• a protocol
• the IP address of the host on which the CA certificate is saved
• the server login name and password, then the CA certificate name

Example of installing the CA certificate on the switch in interactive mode:

swd77:admin> seccertmgmt import -ca -server https
Select protocol [ftp or scp]: scp
Enter IP address: 10.53.170.51
Enter remote directory: /root
Enter certificate name (must have ".pem" suffix):rootCA.pem
Enter Login Name: root
root@10.53.170.51's password:
Success: imported https certificate [rootCA.pem].
Certificate file in configuration has been updated.

Note: If the CSR is signed by an intermediate CA, you must merge all the root and intermediate
CA certificates into a single .pem file and then import the merged CA certificate.

3. Once the CA certificate has been imported successfully to the SAN switch, import the signed SAN
switch certificate by doing the following:

• Import the certificate by entering:

seccertutil import -config swcert -enable https

At the prompts, enter the following details:

• a protocol
• the IP address of the host on which the switch certificate is saved
• the SCP server login name and password, then the signed certificate name

Example of installing a switch certificate in interactive mode:

swd77:admin> seccertutil import -config swcert -enable https
secCertUtil CLI will be deprecated. Use secCertMgmt for
Certificate related operations.
Select protocol [ftp or scp]: scp
Enter IP address: 10.53.170.51
Enter remote directory: /root
Enter certificate name (must have ".crt" or ".cer" ".pem" or ".psk" suffix):switchcert.pem
Enter Login Name: root
root@10.53.170.51's password:
Success: imported certificate [switchcert.pem].
Certificate file in configuration has been updated.
Secure http has been enabled.
swd77:admin>

3.8 MSA Storage (2040/2050)

3.8.1 Steps to generate CSR


1. Generate the CSR and private key for the MSA storage using openssl on any Linux machine that has
openssl installed.

For example:

openssl req -out NetAct_MSA.csr -new -newkey rsa:2048 -nodes -keyout NetAct_MSA.key
Generating a 2048 bit RSA private key
..........................+++
...................................................+++
writing new private key to 'NetAct_MSA.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:IN
State or Province Name (full name) []:KA
Locality Name (eg, city) [Default City]:BLR
Organization Name (eg, company) [Default Company Ltd]:NOKIA
Organizational Unit Name (eg, section) []:NOKIABLR
Common Name (eg, your name or your server's hostname) []:10.63.0.30
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

Note: Common Name (CN) - The FQDN/IP of this MSA.

2. For signing with certificate authority, see Common certificate related information for hardware
devices.

Note: The signed certificate and the private key generated using openssl must be placed on the
FTP server. The NetAct node where the q3user service runs can be used as the FTP server.

3.8.2 Import certificate

1. Open a Command Prompt (Windows) or a terminal window (UNIX) and navigate to the directory
that contains the certificate files.

2. Enter ftp controller-network-address.

Example: ftp 10.1.0.9

3. Log in as a user that has permission to use the FTP interface.

4. Enter: put <certificate-file-name> cert-file where certificate-file-name is the name of the
signed server certificate and CA certificate file.

5. Enter: put <key-file-name> cert-key-file where key-file-name is the name of the private-key
file for your specific system.

Note: Ignore any warning that appears after the certificate import.

6. Reboot the storage controllers to apply the changes.

7. Verify the certificate. For more information on verifying the certificate, see SSL certificate
verification.

Note: To generate a certificate for the other controller, repeat Import certificate (steps 1 to 7)
with the corresponding controller IP.


Note: The life-cycle (for example, expiry and revocation) of certificates configured should
be managed by customers.

3.9 Common certificate related information for hardware devices


For all the hardware devices mentioned in the section Managing certificates for hardware devices, do
the following:

1. For signing with a third party certificate authority, copy the content from the generated CSR (including
the BEGIN CERTIFICATE REQUEST and END CERTIFICATE REQUEST lines) and send it to the third
party certificate authority.

For Signing with NetAct CA, see Signing using NetAct CA.

2. Ensure root CA is available in the browser. If intermediate CA is used for signing, ensure the
rootCA certificate and intermediate CA certificates are available in the browser.

To install Root CA certificate on the IE browser, see Installing root certificate on Internet Explorer.

To install Root CA certificate on Google Chrome, see Installing root certificate on Google Chrome.

To install Root CA certificate on Mozilla FireFox, see Installing root certificate on Firefox.

To install Root CA certificate on Microsoft Edge browser, click and click Open with Internet
Explorer and follow the instructions in Installing root certificate on Internet Explorer.

3. To import the intermediate CA certificates on

• IE browser do the following:

1. Save the intermediate CA certificate to a temporary directory on the local file system.
2. Open Internet Explorer.
3. Navigate to Tools → Internet options → Content → Certificates.
4. Select Intermediate Certification Authorities tab.
5. Click Import.

Certificate Import Wizard opens.


6. Click Next.
7. Browse or enter the file name saved at the temporary directory and click Next.
8. Click Finish.

Security warning is displayed with the certificate name (for example, NetAct Root CA -
<systemName>) and the thumbprint (sha1). If the certificate was transmitted through the
network or another insecure channel, check if the thumbprint is the same as the one
communicated through a secure channel. If it differs, click No. If the certificate is fine, click Yes
to complete the import.


Note: The following steps to import the intermediate CA certificates on the Google Chrome
browser can be skipped if the Internet Explorer trust is updated with the intermediate CA on the
same workstation.

Or

• Google chrome browser, do the following:

1. Save the intermediate CA certificate to a temporary directory on the local file system.
2. Open Google Chrome.
3. Navigate to Settings → Advanced → Privacy and security → Manage certificates.
4. Select Intermediate Certification Authorities tab.
5. Click Import.

Certificate Import Wizard opens.


6. Click Next.
7. Browse or enter the file name saved at the temporary directory and click Next.
8. Click Finish.

Security warning is displayed with the certificate name (for example, NetAct Root CA -
<systemName>) and the thumbprint (sha1). If the certificate was transmitted through the
network or another insecure channel, check if the thumbprint is the same as the one
communicated through a secure channel. If it differs, click No. If the certificate is fine, click Yes
to complete the import.

Or

• For Microsoft Edge browser, click and click Open with Internet Explorer. Follow the
steps mentioned for IE to import the intermediate CA certificates.

4. Import your certificate into the JRE keystore with the keytool application.

Example:

C:\Document and Settings\Administrator> "C:\Program Files\Java\jre<java_version>\bin\keytool.exe" -import -file "C:\<path to root CA certificate>" -storepass password -alias my-server-ca -keystore "C:\Program Files\Java\jre<java_version>\lib\security\cacerts"

5. For Windows 7, if a 32-bit browser is used, the keytool path is C:\Program Files (x86)\Java\jre<java_version>\bin\keytool.exe

• For the keytool command, the parameter password (the value given to -storepass) is the password
for accessing the keystore.
• The parameter alias defines a label that helps to identify the certificate, especially if you
have multiple certificates in the keystore for different servers. The alias must be unique. The
above example sets my-server-ca as the alias value. Type yes when prompted with Trust
this certificate.


3.10 SSL certificate verification

1. Open the web browser (Internet Explorer, Firefox, or Google Chrome).

2. Log in to the hardware device Management IP where the correct certificate is already imported.

3. For IE and Mozilla Firefox, click the padlock icon near the address bar and click the View
Certificate button.

For Google Chrome, click on → More Tools → Developer Tools. Click on Security tab and
click the View Certificate button.

Expected outcome

Certificate dialog opens and shows the following information:

• Issued to:
• Issued by:
• Valid from:

Ensure that the information created during the certificate creation is the same as the information
displayed in the Certificate dialog.

4. For Microsoft Edge browser, click and click Open with Internet Explorer. Follow step 3 to
check the certificate from Internet Explorer.

3.11 Installing root certificate on browser


Use a secure communication channel, for example a USB stick, a signed email, or a trusted server
using HTTPS secured by an already known and trusted certificate.

Verify that the fingerprint of the downloaded certificate matches the one on the server; this check
protects you even if the communication channel is not secure.

Go to http://httpFqdn/ca and save the Root-Certificate to your local hard disk. The fingerprint of the
certificate is displayed by the browser before the import is completed.

Note: To know the IBMHttpServer FQDN (httpFqdn), see Locating the right virtual machine
for a service in Administering NetAct Virtual Infrastructure.

On the server side it can be calculated using:

openssl x509 -in <certificate-file-name> -sha1 -fingerprint -noout
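
An added example (not from the NetAct document) around that command: it shows that the SHA-1 fingerprint OpenSSL prints is simply the SHA-1 of the DER-encoded certificate, so both ends of the secure channel can compute it independently, and it compares the downloaded certificate against the value received out of band while tolerating browser formatting (lower case, spaces). The self-signed certificate it creates is a constructed stand-in for the Root-Certificate; the paths are placeholders.

```shell
#!/bin/sh
# Added example, not from the NetAct document: the server-side SHA-1 fingerprint
# from section 3.11, the same value recomputed from the DER bytes, and the
# comparison against the fingerprint received over the secure channel.
# The certificate created below is a constructed stand-in for the Root-Certificate.
set -eu

# What "openssl x509 -sha1 -fingerprint -noout" prints, minus the
# "SHA1 Fingerprint=" label: "AB:CD:...:EF" (20 bytes, upper-case hex).
cert_fingerprint_openssl() {
    openssl x509 -in "$1" -sha1 -fingerprint -noout | sed 's/^[^=]*=//'
}

# The same value without -fingerprint: SHA-1 over the DER encoding, then
# upper-cased and colon-separated. This is the "thumbprint (sha1)" a browser
# shows in its import dialog, so either side can compute it on its own.
cert_fingerprint_der() {
    openssl x509 -in "$1" -outform DER | openssl dgst -sha1 \
        | sed 's/^.*= *//' | tr 'a-f' 'A-F' | sed 's/../&:/g; s/:$//'
}

# fingerprint_matches <cert.pem> <expected>: compare after normalising case and
# separators, so a value copied from a browser dialog ("ab cd ef ...") still
# compares correctly. A non-zero exit means: abort the import.
fingerprint_matches() {
    got=$(cert_fingerprint_openssl "$1" | tr -d ': ' | tr 'a-f' 'A-F')
    want=$(printf '%s' "$2" | tr -d ': ' | tr 'a-f' 'A-F')
    [ -n "$got" ] && [ "$got" = "$want" ]
}

# make_sample_cert <prefix>: constructed self-signed certificate for the demo
# (placeholder subject, not a real NetAct CA).
make_sample_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
        -subj "/CN=NetAct Root CA - sample" -keyout "$1.key" -out "$1.pem" 2>/dev/null
}

# Stand-alone run: sh this_script.sh run
if [ "${1:-}" = "run" ]; then
    work=$(mktemp -d)
    make_sample_cert "$work/root"
    echo "openssl : $(cert_fingerprint_openssl "$work/root.pem")"
    echo "from DER: $(cert_fingerprint_der "$work/root.pem")"
    fingerprint_matches "$work/root.pem" "$(cert_fingerprint_der "$work/root.pem")" \
        && echo "fingerprint matches, safe to import"
fi
```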


3.11.1 Installing root certificate on Internet Explorer


Steps to install the root certificate:

1. Save the root CA certificate to a temporary directory on the local file system.

2. Open Internet Explorer.

3. Go to Tools → Internet Options → Content → Certificates.

4. Select the tab Trusted Root Certification Authorities.

5. Select Import → Next.

6. Enter the file name saved at the temporary directory and click Next.

7. Click Finish.

3.11.2 Installing root certificate on Google Chrome


This section can be skipped if the Internet Explorer trust is updated with the root CA on the same
workstation.

Steps to install the root certificate:

1. Save the rootCA certificate to a temporary directory on the local file system.

2. Open Google Chrome.

3. Go to Settings → Advanced → Privacy and security → Manage Certificates.

4. Select the tab Trusted Root Certification Authorities.

5. Select Import → Next.

6. Enter the file name at the temporary directory and click Next.

7. Click Finish.


3.11.3 Installing root certificate on Firefox


Steps to install the root certificate:

1. Save the root CA certificate to a temporary directory on the local file system.

2. Open Firefox.

3. Go to Options → Advanced → Certificates → View Certificates → Authorities.

4. Select Import.

5. Select the saved file to be imported and click Open.

6. View the certificate.

7. For security reasons, compare the SHA1 fingerprint with the one provided through the safe
communication channel. Abort the import if they differ. Click Close.

8. Choose only Trust this CA to identify websites and click OK.


4 Managing certificate for HPE SIM server


Follow the instructions in this section to replace the HPE SIM server's self-signed certificate with a
certificate signed by a certificate authority (CA).

4.1 Generating and Installing Certificates

4.1.1 Generating configuration files and certificate request

1. Log in to the VM where the HPE SIM service is running and switch to root user.

To locate the VM where the HPE SIM service is running, see Locating the right virtual machine for
a service in Administering NetAct Virtual Infrastructure.

2. Generate a certificate-signing request (CSR) with the existing parameters by entering:

mxcert -c > /tmp/hpsimcert.csr

3. Verify the CSR details (Subject) before signing it with a CA by entering:

openssl req -in /tmp/hpsimcert.csr -noout -text

4. If any parameter within the Subject has to be changed, create a new CSR by entering:

mxcert -n [CN=common-name] [ALT=alternative name(s)] [OU=organizational-unit] [O=organization] [L=location] [ST=state] [C=country-code (2 chars)] [-s 2048|4096]

For example:

mxcert -n CN=Bob OU="Bob Co" L=Anytown C=US ALT=alt -s 2048

5. Repeat step 2 to generate the CSR with the modified details and step 3 to verify the update.

4.1.2 Signing server certificates


The certificate request generated must be sent to the CA for signing the server certificate. The CA sends
the signed certificate along with the CA chain, which includes the rootCA and intermediate CAs, if any. For
the certificate chain to be trusted, the root certificate and all the intermediate certificates must be
installed on the server that is requesting the certificate.

The server certificates can be signed using the following two methods:

• Signing using NetAct CA


• Signing using Third party CA

4.1.2.1 Signing using NetAct CA


To sign certificate signing requests (CSR) using NetAct CA, do the following steps:

1. Log in to the VM where the dmgr service is running and switch to root user.

2. Copy the server's CSR file generated in the Generating configuration files and certificate request
section to the /opt/oss/NSN-sm_conf_cert/generated/server/ directory.

Note:

Name the destination file <systemName>_<certId>.csr, where:

• <systemName> must be the same as used in the section Providing basic configuration data.
If a third party CA is used, select the systemName. It must be a valid Unix file name (spaces
are not allowed).
• <certId> is the device or service name.

For example:

NetAct_OA.csr

3. Switch to directory templates by entering:

cd /opt/oss/NSN-sm_conf_cert/templates/

4. Copy the template configuration file by entering:

cp server.cnf ../generated/server/<systemName>_<certId>.cnf

5. Change the permission of the file by entering:

chmod 600 ../generated/server/<systemName>_<certId>.cnf

6. Go to ../generated/server/ directory by entering:

cd ../generated/server/

7. Edit the <systemName>_<certId>.cnf configuration file and add the IPv4, DNS and, if available,
IPv6 details under [alt_names].

[ alt_names ]
DNS.1 = Fully qualified hostname
DNS.2 = IPV4 address
DNS.3 = [IPV6 address]
IP.1 = IPV4 address
IP.2 = IPV6 address

A sample for adding the entries in [alt_names] is as follows:

[ alt_names ]
DNS.1 = vm7.netact.example.com
DNS.2 = 10.92.232.97
DNS.3 = [2a00:8a00:4000:20c::16:61]
IP.1 = 10.92.232.97
IP.2 = 2a00:8a00:4000:20c::16:61

Note: The CommonName of the CSR should also be present in the alt_names.

8. To get the signed certificate, see Signing using NetAct CA and use the same certId used here.

9. The rootCA certificates are found under /opt/oss/NSN-sm_conf_cert/generated/certificationAuthority/
and the signed server certificates are found under
/opt/oss/NSN-sm_conf_cert/generated/server/<systemName>_<certId>Cert.pem.
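
An added example (not the NetAct server.cnf template) that writes a minimal OpenSSL request configuration carrying the [alt_names] entries from step 7, generates a CSR from it, and checks the note under step 7: the CommonName must also appear in the subjectAltName. The section names, file names and sample values are assumptions; the sample values are the ones from the procedure.

```shell
#!/bin/sh
# Added example, not the NetAct server.cnf template: a minimal OpenSSL request
# config with the [alt_names] entries from step 7, a CSR generated from it, and
# the check from the note: the CN must also be one of the alt_names.
# Section names, file names and sample values are assumptions.
set -eu

# write_req_cnf <out> <fqdn> <ipv4> <ipv6>
# DNS.* and IP.* follow the document's sample: it lists the IPv4 address under
# DNS.2 as well as IP.1 and the bracketed IPv6 under DNS.3, so both are kept.
write_req_cnf() {
    out=$1; fqdn=$2; ipv4=$3; ipv6=$4
cat > "$out" <<EOF
[ req ]
distinguished_name = req_dn
req_extensions     = v3_req
prompt             = no

[ req_dn ]
C  = IN
O  = Nokia
CN = $fqdn

[ v3_req ]
subjectAltName = @alt_names

[ alt_names ]
DNS.1 = $fqdn
DNS.2 = $ipv4
DNS.3 = [$ipv6]
IP.1 = $ipv4
IP.2 = $ipv6
EOF
}

# gen_csr <cnf> <key-out> <csr-out>: new 2048-bit key and CSR from the config
gen_csr() {
    openssl req -new -sha256 -newkey rsa:2048 -nodes \
        -keyout "$2" -out "$3" -config "$1" 2>/dev/null
}

# CN of the CSR (RFC2253 form is "subject=CN=...,O=...,C=...")
csr_cn() {
    openssl req -in "$1" -noout -subject -nameopt RFC2253 \
        | sed 's/^subject=//' | tr ',' '\n' | sed -n 's/^CN=//p'
}

# SAN entries of the CSR, one per line, as "openssl req -text" prints them:
# "DNS:vm7.netact.example.com", "IP Address:10.92.232.97", ...
csr_san_entries() {
    openssl req -in "$1" -noout -text \
        | sed -n '/X509v3 Subject Alternative Name/{n;p;}' \
        | tr ',' '\n' | sed 's/^ *//'
}

# The note under step 7: the CommonName must also be one of the alt_names.
# DNS and IPv4 entries compare literally; OpenSSL prints IPv6 SAN entries
# expanded and upper-cased, so an IPv6 CN would need normalising first.
cn_in_san() {
    cn=$(csr_cn "$1")
    csr_san_entries "$1" | sed 's/^DNS://; s/^IP Address://' | grep -qxF "$cn"
}

# Stand-alone run: sh this_script.sh run
if [ "${1:-}" = "run" ]; then
    work=$(mktemp -d)
    write_req_cnf "$work/req.cnf" vm7.netact.example.com 10.92.232.97 2a00:8a00:4000:20c::16:61
    gen_csr "$work/req.cnf" "$work/server.key" "$work/server.csr"
    csr_san_entries "$work/server.csr"
    cn_in_san "$work/server.csr" && echo "CN $(csr_cn "$work/server.csr") is in alt_names"
fi
```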

4.1.2.2 Signing using Third party CA


To sign certificate signing requests (CSR) using a third party CA, copy the hpsimcert.csr file
(created in the previous section Generating configuration files and certificate request) present
under /tmp/ on the HPE SIM VM of NetAct to the CA machine for signing.

Note: To locate the HPE SIM VM, see Locating the right virtual machine for a service in
Administering NetAct Virtual Infrastructure.

4.1.3 Installing certificates


If NetAct CA is used for signing the server certificate, then the rootCA certificates are found
under /opt/oss/NSN-sm_conf_cert/generated/certificationAuthority/rootCA/
and signed server certificates are found under /opt/oss/NSN-sm_conf_cert/generated/
certificationAuthority/server/.

1. Log in to the virtual machine where the HPE SIM service is running and switch to root user.


To locate the VM where the HPE SIM service is running, see Locating the right virtual machine for
a service in Administering NetAct Virtual Infrastructure.

2. Copy the signed server certificate and the rootCA certificate from the CA machine to the VM where
the HPE SIM service is running.

3. Import the CA certificate into the trusted certificates by entering mxcert -t -f <CACertificate_file>.

Note: If intermediate CAs are used, all the intermediate certificates have to be imported in the
same way, including the rootCA certificate.

For example:

mxcert -t -f /tmp/<systemName>_L0[_S2]CACert.pem

4. Import the signed server certificate into HPE SIM by entering:

mxcert -i -f /path/signedServerCert.pem

For example:

mxcert -i -f /tmp/MySystemName_hpsimCert.pem

5. Restart the HPE SIM service.


a) Stop the HPE SIM service by entering:

smanager.pl stop service hpsim

Sample output

Service hpsim stopped


b) Start the HPE SIM service by entering:

smanager.pl start service hpsim

Sample output

Service hpsim started on node <VM where the hpsim service is located>

6. To install the rootCA into the browser, see Installing the Root CA certificate to a browser in
Installing and Configuring NetAct User Workstations.

7. Verify the certificate. For more information on verifying the certificate, see SSL certificate
verification.

Note: The life-cycle (for example, expiry and revocation) of certificates configured should
be managed by customers.


5 Managing certificates for VMware vSphere


Follow the instructions in the sections below to replace self-signed certificates for VMware vSphere
components such as vCenter Server Appliance and ESXi hosts.

Note: vCenter self-signed certificates must be replaced with third party certificates before the
ESXi self-signed certificate replacement.

5.1 Configuring certificates signed by custom third-party CA for vCenter Server Appliance 7.x

Configuring certificates signed by a Certificate Authority (CA) includes:

• Creating the certificate requests
• Getting the certificates
• Installing and configuring certificates for all components

Before configuring the certificates, stop the services that contact vCenter with HTTPS. Stop the
following services:

• vmanager
• vcenterselfmon

To stop the services:

1. Unharden the vSphere security by following the procedure provided in De-activating of security
settings.

2. Log in as omc user to any NetAct VM and switch to root user.

3. Locate the virtual machine hosting the cpfvmanager by entering:

smanager.pl status service cpfvmanager

4. Log in as omc user to the NetAct virtual machine found in step 3, switch to root user, and enter:

/opt/cpf/install/bin/cpfvmanager_configure.sh --stop

5. Stop vcenterselfmon by entering the following command from any virtual machine:

smanager.pl stop service vcenterselfmon

5.1.1 System and Environment requirements


To configure the certificate, ensure that:

• vSphere 7.x environment is available.
• The environment is using the vCenter Server Appliance.


• OpenSSL v0.9.8 or above is installed.

Certificates used by the vCenter Server Appliance must adhere to the following requirements:

• Key Length - 2048 bits (minimum) to 16384 bits (maximum) (PEM encoded).
• Key File Format - VMware supports PKCS8 and PKCS1 (RSA keys). When you add keys to
VECS, they are converted to PKCS8.

The header of a PKCS8 key is -----BEGIN PRIVATE KEY-----

The header of a PKCS1 key is -----BEGIN RSA PRIVATE KEY-----

• Cert File Format - Only some components support the PEM format of the cert file. Make sure
the cert file can be loaded by all components. Remove all lines before the -----BEGIN
CERTIFICATE----- line.
• Certificate content - The commonName field in the subject must be the hostname.
subjectAltName must include the hostname and IP address of the host.
• Elliptic Curve Keys - These are currently not supported.
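
An added example (not from the NetAct or VMware documentation) that turns the key and certificate file rules above into checks you can run before loading files into the vCenter Server Appliance: PKCS8 versus PKCS1 from the PEM header, detection of a passphrase-protected key, conversion to the PKCS8 form VECS stores, removal of everything before the BEGIN CERTIFICATE line, and a parse test. File names are placeholders.

```shell
#!/bin/sh
# Added example, not from the NetAct or VMware documentation: the file format
# rules of section 5.1.1 as checks on a key and a certificate file.
# File names are placeholders.
set -eu

# Key format from the first PEM header line:
#   "-----BEGIN PRIVATE KEY-----"      -> PKCS8 (the form VECS stores)
#   "-----BEGIN RSA PRIVATE KEY-----"  -> PKCS1 (converted to PKCS8 on import)
# Elliptic curve keys are reported so they can be rejected (not supported).
key_format() {
    case "$(sed -n '/^-----BEGIN/{p;q;}' "$1")" in
        '-----BEGIN PRIVATE KEY-----')           echo PKCS8 ;;
        '-----BEGIN RSA PRIVATE KEY-----')       echo PKCS1 ;;
        '-----BEGIN ENCRYPTED PRIVATE KEY-----') echo ENCRYPTED ;;
        '-----BEGIN EC PRIVATE KEY-----')        echo EC ;;
        *)                                       echo UNKNOWN ;;
    esac
}

# A PKCS1 key can also be passphrase-protected; that shows as a Proc-Type line
# under the header rather than as a different header.
key_is_encrypted() {
    [ "$(key_format "$1")" = ENCRYPTED ] || grep -q '^Proc-Type: 4,ENCRYPTED' "$1"
}

# to_pkcs8 <in> <out>: rewrite an unencrypted PKCS1 (or PKCS8) key as PKCS8,
# so the file on disk already matches what VECS will hold.
to_pkcs8() {
    openssl pkcs8 -topk8 -nocrypt -in "$1" -out "$2"
}

# strip_cert_preamble <in> <out>: "Remove all lines before the BEGIN
# CERTIFICATE". CA portals and "openssl x509 -text" both put a human-readable
# dump in front of the PEM block, which not every component can parse.
# Everything from the first BEGIN CERTIFICATE line to the end is kept, so a
# chain file keeps all its certificates.
strip_cert_preamble() {
    sed -n '/^-----BEGIN CERTIFICATE-----/,$p' "$1" > "$2"
}

# The loadability test itself: the cleaned file must parse as a certificate.
cert_parses() {
    openssl x509 -in "$1" -noout 2>/dev/null
}

# Stand-alone run: sh this_script.sh run <key.pem> <cert.pem>
if [ "${1:-}" = "run" ]; then
    echo "key format: $(key_format "$2")"
    key_is_encrypted "$2" && echo "key is passphrase-protected: remove it first"
    strip_cert_preamble "$3" "$3.clean" && cert_parses "$3.clean" \
        && echo "cleaned certificate written to $3.clean"
fi
```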

5.1.2 Generating and installing certificate for vCenter


Each component in the vCenter Server Appliance must have a certificate with an appropriate
organizational unit name encoded in the certificate.

The following certificates are required for vCenter Server Appliance:

• vSphere Client
• VMware Appliance Management Interface (VAMI)
• vSphere Log Browser

This section describes the procedure to create a separate openssl.cfg file for each component.

Note: Use /ssl/service to store all the files before the certificates are installed.

5.1.2.1 Generating, installing, and configuring certificates for vCenter

Procedure

• To generate and install the machine SSL certificate, see the VMware documentation.


5.1.2.2 Updating vManager and vcenterselfmon vCenter certificates

1. Log in as omc user to NetAct virtual machine and switch to root user.

2. Locate the virtual machine hosting the cpfvmanager service by entering:

[root]# smanager.pl status service cpfvmanager

3. Log in as omc user to NetAct virtual machine hosting the cpfvmanager service and switch to root
user, and enter:

[root]# /opt/cpf/install/bin/cpfvmanager_import_vcenter_certificate.sh

[root]# /opt/cpf/install/bin/cpfvmanager_configure.sh --restart

4. Locate the virtual machine hosting the vcenterselfmon service by entering the following
command on any virtual machine:

[root]# smanager.pl status service vcenterselfmon

5. Log in as omc user to NetAct virtual machine hosting the vcenterselfmon service and switch to
root user, and enter:

[root]# /opt/cpf/install/bin/cpfvcenterselfmon_import_vcenter_certificate.sh

[root]# smanager.pl start service vcenterselfmon

5.2 Generating, installing, and configuring custom third-party CA certificates for ESXi host

Perform the following procedures provided in the VMware documentation.

1. Generating a Certificate Request

Note:

• Installing the OpenSSL package in Windows OS requires Administrator privilege.

• The default folders c:\OpenSSL-Win32 and c:\OpenSSL-Win32\bin mentioned in the
VMware documentation might not be at the same location. Hence, note down the path during
installation of OpenSSL on Windows OS.
• The file openssl.cfg might not be available in the mentioned location. In that case, create
the file manually with Administrator privilege. Make sure that the name is exactly the same,
including the .cfg extension, and that it contains the information provided in step 2 of the
Configuration section.


• The Windows command prompt must be opened with Administrator privilege to execute
the commands.

2. Getting the Certificates → For Commercial CAs (to get the certificate signed by a third-party CA)
3. Installing and configuring the certificate on the ESXi host.

Note:

• For information about certificate retention during vSphere upgrade, see Changing
certificate mode to custom.
• Do not perform the Process to update the vCenter Server database with the new certificate
thumbprint section.

4. To update the vCenter server database with the new certificate thumbprint, do the following:

a. Log in to vCenter Server.


b. Place the host into the Maintenance Mode.
c. Right-click the host and click Disconnect.

Note: Wait for the disconnect process to complete before going to the next step.

d. Right-click on the disconnected host and select Connect.

Note: After executing the above procedures, harden the vSphere security by following the
procedure provided in Activating Virtual Infrastructure Security Settings.

5.3 Changing certificate mode to custom


To make the certificate persistent across upgrades, perform the procedure provided in the VMware
documentation.

Note: Changing the certificate mode triggers the alarm vSphere vCenter Host Certificate
Management Mode in the vCenter server. This alarm can be safely ignored and Reset To Green.


5.4 Rollback or regenerate vSphere certificates to use self-signed VMware CA

1. Unharden the vSphere security by following the procedure provided in De-activating of security
settings.

2. Roll back or regenerate vSphere certificates to use the self-signed VMware Certificate Authority by
following the procedure provided in the VMware documentation.

3. Harden the vSphere security by following the procedure provided in Activating Virtual Infrastructure
Security Settings.

5.5 Verifying installed certificates

Note:

• Make sure that the vCenter and ESXi hosts are reachable from the command prompt.
• Make sure that OpenSSL is installed on your system. To install it, follow the Setup OpenSSL
procedure (steps 1 and 2) in the VMware documentation.

Procedure

• To verify the vCenter certificate, on the command prompt, enter:

openssl s_client -connect <vCenterIP>:443 -showcerts | openssl x509 -text

The command output shows the details of the SSL certificate. Verify that the installed certificate is
signed by the third-party CA.
• To verify the ESXi certificate, on the command prompt, enter:

openssl s_client -connect <ESXi host IP>:443 -showcerts | openssl x509 -text

The command output shows the details of the SSL certificate. Verify that the installed certificate is
signed by the third-party CA.
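The following shell functions are an added example and are not part of the NetAct documentation. They automate the check this section asks for: given the text printed by the commands above (openssl s_client ... | openssl x509 -text), they report whether the certificate is still self-signed (issuer equal to subject) or issued by a separate CA, which subjectAltName entries it carries, and the RSA key size. The same check applies to the AVE, AVECP and NTCApp verification steps later in this document. The certificate text embedded in the block is constructed sample output; the host name and IP address in it are placeholders.

```shell
#!/bin/sh
# Added example, not part of the NetAct documentation. Parses the text form of a
# certificate as printed by:
#   openssl s_client -connect <host>:443 -showcerts </dev/null | openssl x509 -text
# Each function takes that text as its last argument.

# Value of the top-level "Issuer:" or "Subject:" line ($1 = Issuer|Subject, $2 = text).
# Works for both "C = FI, O = ..." (OpenSSL 3) and "C=FI, O=..." (OpenSSL 1) layouts.
x509_name_field() {
    printf '%s\n' "$2" | sed -n "s/^[[:space:]]*$1: *//p" | head -n 1
}

# Succeeds when issuer and subject are identical, i.e. the certificate is still
# self-signed and the CA-signed certificate has not been installed.
x509_is_self_signed() {
    [ "$(x509_name_field Issuer "$1")" = "$(x509_name_field Subject "$1")" ]
}

# Subject Alternative Name entries, one per line ("DNS:host", "IP Address:10.0.0.10").
# Only the first SAN line is read; very long SAN lists wrap onto further lines.
x509_san_entries() {
    printf '%s\n' "$1" | sed -n '/Subject Alternative Name/{n;p;}' |
        tr ',' '\n' | sed 's/^[[:space:]]*//; s/[[:space:]]*$//'
}

# Succeeds when the SAN list contains exactly the given entry ($1 = entry, $2 = text).
x509_san_contains() {
    x509_san_entries "$2" | grep -qxF "$1"
}

# RSA key size in bits (empty for non-RSA keys).
x509_rsa_bits() {
    printf '%s\n' "$1" | sed -n 's/.*Public-Key: (\([0-9][0-9]*\) bit).*/\1/p' | head -n 1
}

# The check this section describes: CA-signed, and SAN covering host name and IP.
# $1 = expected host name, $2 = expected IP address, $3 = certificate text.
# Prints one line per check and returns 0 only when all checks pass.
check_installed_cert() {
    status=0
    if x509_is_self_signed "$3"; then
        echo "FAIL: certificate is self-signed (issuer == subject)"; status=1
    else
        echo "OK: issued by $(x509_name_field Issuer "$3")"
    fi
    if x509_san_contains "DNS:$1" "$3"; then
        echo "OK: SAN has DNS:$1"
    else
        echo "FAIL: SAN lacks DNS:$1"; status=1
    fi
    if x509_san_contains "IP Address:$2" "$3"; then
        echo "OK: SAN has IP Address:$2"
    else
        echo "FAIL: SAN lacks IP Address:$2"; status=1
    fi
    echo "key size: $(x509_rsa_bits "$3") bit"
    return $status
}

# Constructed sample of `openssl x509 -text` output (not a real certificate).
SAMPLE_X509_TEXT=$(cat <<'EOF'
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 4660 (0x1234)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = FI, O = Example Corp, CN = Example Issuing CA
        Validity
            Not Before: Jan  1 00:00:00 2021 GMT
            Not After : Jan  1 00:00:00 2023 GMT
        Subject: C = FI, O = Example Corp, CN = vcenter.example.test
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
        X509v3 extensions:
            X509v3 Subject Alternative Name:
                DNS:vcenter.example.test, IP Address:10.0.0.10
EOF
)

# Offline demonstration on the constructed sample. For a live host, capture the
# real output instead:
#   text=$(openssl s_client -connect <vCenterIP>:443 -showcerts </dev/null | openssl x509 -text)
check_installed_cert vcenter.example.test 10.0.0.10 "$SAMPLE_X509_TEXT"
```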


6 Managing certificates for AVE and AVECP

This chapter provides instructions on how to manage certificates for Avamar Virtual Edition (AVE) and
Avamar Virtual Edition Combined Proxy (AVECP).

6.1 Managing certificates for AVE

Prerequisites

• Only RSA keys and related certificates are supported


• The keys must be in PKCS1 format
• The certificates must be in X509 format
• All CA certificates must be merged into a single file
• Ensure that no backup and recovery operations are in progress
• Importing the same certificate with a different alias name is not permitted

If the existing certificates for the web services are not suitable for your security purposes, you can
replace them by manually adding the files in the Avamar Management Web User Interface (AUI).

To replace the self-signed certificate with a certificate signed by a Certificate Authority (CA), do the
following:

1. Create certificates (server.crt and CA.crt) and private keys (server.key) by doing the
following:
a) Log in as admin user to AVE VM and switch to root user.
b) Create the certs directory in the /home/admin path and go to the /home/admin/certs
path.

For example: root@ave:/home/admin/#: mkdir -p /home/admin/certs; cd /home/admin/certs
c) Take a backup of the Apache security certificate by entering:

root@ave:/home/admin/certs/#: cp -p /etc/apache2/ssl.crt/server.crt
/home/admin/certs/server.crt.bak

root@ave:/home/admin/certs/#: cp -p /etc/apache2/ssl.key/server.key
/home/admin/certs/server.key.bak


d) Create server.key and server.csr by entering:

openssl req -new -newkey rsa:3072 -nodes -keyout server.key -out server.csr -subj "/C=<Country>/ST=<StateName>/L=<LocalityName>/O=<Organization>/OU=<OrganizationUnit>/CN=<CommonName>/emailAddress=<EmailContact>"

where:

Field             Description
Country           The two-letter ISO abbreviation of the country.
StateName         In countries where it is applicable, the name of the state or province where
                  the organization is located. This entry cannot be abbreviated.
LocalityName      Name of the city where the organization is located.
Organization      The exact legal name of the company. This entry cannot be abbreviated.
OrganizationUnit  Optional entry for more information about the organization, such as a
                  department name.
CommonName        FQDN of the AVE VM. For example, ave.customer.com.
EmailContact      The email address of the primary administrator of the server or servers.

Note:

• Ensure that there are no spaces in the -subj parameter.

• Use only the AVE FQDN in the CN parameter.

For example:

root@ave:/home/admin/certs/#: openssl req -new -newkey rsa:3072 -nodes -keyout server.key -out server.csr -subj "/C=FI/ST=Pirkanmaa/L=TRE/O=NSN/OU=NSW/CN=ave.netact.nsn-rdnet.net/emailAddress=test@nokia.com"

e) Obtain the CSR from the system at /home/admin/certs/server.csr and submit it to a CA for
signing.
f) Obtain the certificate file (server.crt) signed by the CA and place it in the /home/admin/
certs/ directory on the AVE server.
g) If the created server.key file is not in the PKCS #1 format, convert the key to the PKCS #1
format by entering:

openssl rsa -in xxx.key -out xxx.key


For example:

root@ave:/home/admin/certs/#: openssl rsa -in server.key -out server.key

Note:

If FIPS mode is enabled in AVE, the PKCS #1 conversion does not work. Hence, you must
copy the server.key file to the Administration server and execute the above step there.
Power on the Administration server if it is not powered on.

For example (the copy to the remote Administration server is done with scp):

root@ave: scp /home/admin/certs/server.key root@<admin_server>:/root/server.key

root@<admin_server># openssl rsa -in server.key -out server.key

h) Obtain the CA certificate file from the CA that contains the signed security certificate and place
it in the /home/admin/certs/ directory in the AVE server.

The CA may supply additional security certificates, such as an intermediate or root CA
certificate, or a certificate chain. If there is no certificate chain, do not execute the
following commands. If a certificate chain exists, use the cat command with the redirect
and append operators to combine the certificates by entering:

# cat chain-cert-1 > CA.crt

# cat chain-cert-2 >> CA.crt

# cat chain-cert-3 >> CA.crt

# cat chain-cert-4 >> CA.crt

# cat chain-cert-5 >> CA.crt

where:

• chain-cert-1 through chain-cert-5 represent the path to each certificate in the
certificate chain.
• CA.crt is the name that you provide for the combined file.
i) Download CA.crt, server.crt, and server.key files from AVE (/home/admin/certs/
directory) to a local system to upload to the Avamar AUI.


Note: If the FIPS mode is enabled in AVE, download server.key files from the
Administration server (/root/ directory) to a local system to upload to the
Avamar AUI.

2. Replace key and certificate for avinstaller, aam/flr/dtlt, mcsdk, rmi, and AUI by doing
the following:
a) In the Avamar AUI, go to Administration → System.

The System pane appears.
b) Click Certificate → Private Key tab.

A private certificate entry for the Web Server appears in the table.
c) Click the option button next to the Web Server type.

Note: If you want to check the current private entry details, click VIEW.

d) Click +REPLACE.

The Replace Private Entry dialog box appears.
e) In the Private Key field, click Browse to locate and select the certificate's private key
(server.key).
f) In the Certificate field, click Browse to locate and select the certificate file (server.crt).
g) In the Certificate Chain field, click Browse to locate and select the certificate chain file
(CA.crt).

Note: If the same trusted certificates in the chain file are imported in the Certificates
tab, remove them.

h) Optional: If the private key is protected, provide the passphrase.
i) Click NEXT.

The message The private key, certificate and certificate chain are matched.
Please restart web services to take effect. appears.

Note: The key, certificate, and certificate chain must be an exact match, otherwise
the validation fails.

j) Click FINISH when validation completes successfully.
k) In the System pane, click RESTART SERVICES.

The Warning dialog box appears.
l) Click YES.


Note:

• Before restarting the web services, you can import the private entry multiple times
with different contents, and the last entry you import will be the one used after
services are restarted.
• After restarting the web services, you can review the private entry details in the
Private Key tab. Ensure that you have imported the correct private key and
certificate combination. The trusted certificates can be found in the Raw field of
private entry details instead of the Trust Certificate tab.

3. Log in as admin user to the AVE VM and verify the new certificates by entering:

openssl s_client -connect <AVE IP>:443 -showcerts | openssl x509 -text

openssl s_client -connect <AVE IP>:7543 -showcerts | openssl x509 -text

openssl s_client -connect <AVE IP>:8543 -showcerts | openssl x509 -text

openssl s_client -connect <AVE IP>:9443 -showcerts | openssl x509 -text

4. After the operation is complete, start the Avamar Scheduler service by entering:

root@ave:~/#: dpnctl start sched

5. After applying the new patches, ensure that all the services except ConnectEMC are operational
by entering:

root@ave:~/#: dpnctl status

Note:

• You can ignore the ConnectEMC service status and do not start this service.
• If you have replaced the private entry with an incorrect key, you can roll back to the
latest available certificate by logging in to the Avamar server as admin user and
entering:

sudo -A /usr/local/avamar/bin/revertcerts.sh

Wait for the services to restart and then verify the private entry.


• Since ports 30002 to 30009 are used for client communication over SSL, the installed
third-party certificate is not applied to these ports. To block these ports (30002 to
30009), do the following:

1. Open the avfwb_custom_config.txt file stored in the /usr/local/avamar/lib/admin/security/
directory in the vi editor:

root@ave:~/#: vi /usr/local/avamar/lib/admin/security/avfwb_custom_config.txt

2. Add the following port information at the end of the avfwb_custom_config.txt file:

|||30002,30003,30004,30005,30006,30007,30008,30009|tcp||REJECT|INPUT|ALL|I

3. Save and exit.


4. Stop the avfirewall service by entering:

root@ave:~/#: service avfirewall stop

5. Start the avfirewall service by entering:

root@ave:~/#: service avfirewall start

6. Check if the avfirewall service is active by entering:

root@ave:~/#: service avfirewall status

Example output:

* avfirewall.service - Avamar Firewall Service
   Loaded: loaded (/usr/lib/systemd/system/avfirewall.service; enabled; vendor preset: disabled)
   Active: active (exited) since Fri 2021-02-26 13:53:59 EET; 30min ago
  Process: 1027 ExecStart=/etc/init.d/avfirewall start (code=exited, status=0/SUCCESS)
 Main PID: 1027 (code=exited, status=0/SUCCESS)
    Tasks: 0
   CGroup: /system.slice/avfirewall.service

6. Power off the Administration server if powered on during AVE certificate installation.


6.2 Managing certificates during AVE upgrade


If you replaced the AVE default self-signed certificates with third-party certificates in AVE 18.2, then
after AVE 18.2 is upgraded to AVE 19.3, ensure that the previous third-party certificates still exist by
entering:

openssl s_client -connect <AVE IP>:443 -showcerts | openssl x509 -text

openssl s_client -connect <AVE IP>:7543 -showcerts | openssl x509 -text

openssl s_client -connect <AVE IP>:8543 -showcerts | openssl x509 -text

openssl s_client -connect <AVE IP>:9443 -showcerts | openssl x509 -text

6.3 Managing certificates for AVECP


Avamar Virtual Edition Combined Proxy (AVECP) by Dell EMC is used for backup and restore
operations of NetAct virtual machines. Manage the certificates for AVECP to secure the NetAct
system.

1. Connect to AVECP VM via ssh as admin user.

2. Generate private key and Certificate Signing Request (CSR) for AVECP by entering:

admin@avecp:~> openssl req -new -newkey rsa:2048 -nodes -keyout server.key -out server.csr -subj "/C=<Country>/ST=<StateName>/L=<LocalityName>/O=<Organization>/OU=<OrganizationUnit>/CN=<CommonName>/emailAddress=<EmailContact>"

where:

Field             Description
Country           The two-letter ISO abbreviation for the country.
StateName         In countries where it is applicable, the name of the state or province where
                  the organization is located. This entry cannot be abbreviated.
LocalityName      Name of the city where the organization is located.
Organization      The exact legal name of the company. This entry cannot be abbreviated.
OrganizationUnit  Optional entry for more information about the organization, such as a
                  department name.
CommonName        FQDN of the AVECP VM. For example, avecp.customer.com.
EmailContact      The email address of the primary administrator of the server or servers.

For example,

admin@avecp:~> openssl req -new -newkey rsa:2048 -nodes -keyout server.key -out server.csr -subj "/C=FI/ST=STATENAME/L=CITYNAME/O=COMPANYNAME/OU=DEPARTMENTNAME/CN=avecp.customer.com/emailAddress=user@customer.com"

Note: The server.key and server.csr files are generated in the current directory, where the
above command is executed.

3. Do one of the following:

• Sign the AVECP certificate using NetAct CA. For more information, see Signing certificate for
AVECP using NetAct CA.
Or

• Sign the AVECP certificate using third-party CA. For more information, see Signing certificate
for AVECP using third-party CA.

4. To install certificates on AVECP, do the following:


a) Power on the Administration server if it is not powered on already and connect as root user.
b) Copy the AVECP certificate installation interface (pxychangecert.sh) from the
Administration server to AVECP VM by entering:

root@<admin_server># scp /opt/oss/ave/bin/pxychangecert.sh admin@<AVECP IP Address>:/home/admin

Enter the AVECP admin user password when prompted.


c) Connect to AVECP VM via ssh as admin user and switch to root user.
d) Set the permissions of the pxychangecert.sh file by entering:

avecp:~ # chmod 700 /home/admin/pxychangecert.sh

e) Convert server.key to serverkey.pem by entering:

avecp:~ # openssl rsa -in /home/admin/server.key -text > /home/admin/serverkey.pem


f) Copy the signed server certificate (avecpserver.pem) from the CA machine to the AVECP /
home/admin directory.

Note:

• Obtain the certificate files from the CA, including the signed security certificate,
and place them in the /home/admin/ directory on the AVECP VM. The CA may supply
additional security certificates, such as a root CA certificate or a CA certificate chain
(CA.pem or CAchain.pem). Copy the CA.pem or CAchain.pem certificate to the
/home/admin/ directory.

• The private key must not be encrypted.


• The Common Name (CN) of the certificate must match the hostname of this
proxy.
• The extensions of the certificate must meet the following requirements:

• No keyUsage extension, or the keyUsage must contain the digitalSignature,
keyEncipherment, and keyAgreement properties.
• No extendedKeyUsage extension, or the extendedKeyUsage must contain both the
serverAuth and clientAuth properties.
• The certificate chain should contain all trusted rootCA of this certificate. If
the certificate to be replaced is a self-signed certificate, use the same file for
certificate and chain.

g) Import the signed certificate to AVECP by entering:

avecp:~ # /home/admin/pxychangecert.sh <Path_Of_PrivateKey> <Path_Of_Certificate> <Path_Of_Certificates_Chain>

where:

• <Path_Of_PrivateKey> is the private key created as part of step 2.


• <Path_Of_Certificate> is the signed certificate obtained as part of step 3.
• <Path_Of_Certificates_Chain> is the CA chain certificate or CA certificate.

For example:

[root]:~ # /home/admin/pxychangecert.sh /home/admin/serverkey.pem /home/admin/avecpserver.pem /home/admin/CA.pem

Sample output:

Restarting services...
Successfully


h) Verify the new AVECP certificate by entering:

avecp:~ # openssl s_client -CAfile /home/admin/CA.pem -connect <AVECP IP Address>:443 -showcerts | openssl x509 -text

Note: You can ignore “verify return:1” from the output.

i) Power off the Administration server if it was powered on in step a and publish it.

6.3.1 Signing certificate for AVECP using NetAct CA


Sign the certificate using NetAct CA for managing certificates for Avamar Virtual Edition Combined
Proxy (AVECP).

1. Log in as omc user to the NetAct Virtual Machine (VM) hosting the dmgr service and switch to root
user.

2. Copy the CSR file to the /opt/oss/NSN-sm_conf_cert/generated/server/ directory. For
more information on the CSR file, see step 2 in Managing certificates for AVECP.

Note:

• Copy the CSR file with the name <systemName>_<certId>.csr

where:

• <systemName> must be the same as used in the section Providing basic configuration
data. If the third-party CA is used, select the systemName. It must be a valid Unix
filename (spaces are not allowed).
• <certId> is the device or service name.

For example, NetAct_OA.csr


• Ensure that you enter the same <certId> wherever it is required in this chapter.

3. Go to the templates directory by entering:

[root] cd /opt/oss/NSN-sm_conf_cert/templates/

4. Copy the template configuration file by entering:

[root] cp server.cnf ../generated/server/<systemName>_<certId>.cnf

5. Change the permissions of the template configuration file to read and write by entering:

[root] chmod 600 ../generated/server/<systemName>_<certId>.cnf

6. Go to ../generated/server/ directory by entering:

[root] cd ../generated/server/

7. Edit the <systemName>_<certId>.cnf configuration file and add IPv4, DNS, and IPv6 (if
available) details under [alt_names].

[ alt_names ]
DNS.1 = Fully qualified hostname
DNS.2 = IPV4 address
DNS.3 = [IPV6 address]

IP.1 = IPV4 address

IP.2 = IPV6 address

For example:

[ alt_names ]
DNS.1 = vm7.netact.example.com
DNS.2 = 10.92.232.97
DNS.3 = [2a00:8a00:4000:20c::16:61]

IP.1 = 10.92.232.97

IP.2 = 2a00:8a00:4000:20c::16:61

Note: The CommonName of the CSR file must also be present in the alt_names.

8. Get the signed certificate. For more information, see Signing using NetAct CA.


Note: The rootCA certificates are available in the /opt/oss/NSN-sm_conf_cert/
generated/certificationAuthority/ directory, and the signed server certificate is
available as /opt/oss/NSN-sm_conf_cert/generated/server/<systemName>_<certId>Cert.pem.

Expected outcome

Signing certificate using NetAct CA is successful for AVECP.
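The following shell functions are an added example and are not part of the NetAct documentation. They write the [alt_names] section in the layout shown in step 7 from the host name and addresses you supply, and check the rule in the note to step 7: the CommonName given to the CSR (the CN component of the -subj string used in Managing certificates for AVECP) must also be listed in alt_names. The host name and addresses used in the demonstration are the placeholders from the page, combined here for illustration; the function names are this example's own.

```shell
#!/bin/sh
# Added example, not part of the NetAct documentation. Builds the [alt_names]
# section used when signing the AVECP CSR with the NetAct CA and checks that the
# CSR's CommonName is covered by it. Function names are this example's own.

# Emit the [alt_names] block in the layout shown in step 7.
# $1 = fully qualified host name, $2 = IPv4 address, $3 = IPv6 address (optional).
build_alt_names() {
    printf '[ alt_names ]\n'
    printf 'DNS.1 = %s\n' "$1"
    printf 'DNS.2 = %s\n' "$2"
    if [ -n "$3" ]; then
        printf 'DNS.3 = [%s]\n' "$3"
    fi
    printf 'IP.1 = %s\n' "$2"
    if [ -n "$3" ]; then
        printf 'IP.2 = %s\n' "$3"
    fi
}

# CN component of an openssl -subj string such as
# "/C=FI/ST=.../OU=.../CN=avecp.customer.com/emailAddress=...".
cn_from_subj() {
    printf '%s\n' "$1" | tr '/' '\n' | sed -n 's/^CN=//p' | head -n 1
}

# Succeeds when some DNS.n entry in the alt_names text ($1) equals the name ($2).
alt_names_has_dns() {
    printf '%s\n' "$1" | sed -n 's/^DNS\.[0-9][0-9]* *= *//p' | grep -qxF "$2"
}

# The rule from the note: the CommonName of the CSR must also be present in alt_names.
# $1 = -subj string used for the CSR, $2 = alt_names text. Prints a verdict, returns 0/1.
cn_covered_by_alt_names() {
    cn=$(cn_from_subj "$1")
    if [ -z "$cn" ]; then
        echo "FAIL: no CN in subject"
        return 1
    fi
    if alt_names_has_dns "$2" "$cn"; then
        echo "OK: CN $cn is listed in alt_names"
    else
        echo "FAIL: CN $cn is missing from alt_names"
        return 1
    fi
}

# Offline demonstration with the placeholder values used on this page.
ALT_NAMES=$(build_alt_names vm7.netact.example.com 10.92.232.97 2a00:8a00:4000:20c::16:61)
printf '%s\n' "$ALT_NAMES"
cn_covered_by_alt_names "/C=FI/ST=STATENAME/L=CITYNAME/O=COMPANYNAME/OU=DEPARTMENTNAME/CN=vm7.netact.example.com/emailAddress=user@customer.com" "$ALT_NAMES"
```

To check a real configuration file, pass its contents: `cn_covered_by_alt_names "<subj string>" "$(cat <systemName>_<certId>.cnf)"`.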

6.3.2 Signing certificate for AVECP using third-party CA


Sign the certificate using third-party CA for managing certificates for Avamar Virtual Edition Combined
Proxy (AVECP).

• Copy the Certificate Signing Request (CSR) file from AVECP to the CA machine for signing.

Expected outcome

Signing certificate using third-party CA is successful for AVECP.

6.4 Managing certificates during AVECP upgrade


If you replaced the AVE default self-signed certificates with third-party certificates in AVE 18.2, then
after AVE 18.2 is upgraded to AVE 19.3, the certificates must be applied again by following the
instructions provided in Managing certificates for AVECP, because the AVECP VM is recreated during
the AVE 19.3 upgrade.


7 Managing certificates for Nokia Telco Cloud Application (NTCApp)
This chapter describes the operations on managing certificates for Nokia Telco Cloud Application
(NTCApp).

7.1 Generating and installing certificates for NTCApp


Before integrating CloudBand Application Manager (CBAM) or Zero Touch Services (ZTS) with NetAct
through NTCApp, you must create and install certificates for NTCApp TLS connection.

The default certificates in NTCApp keystore and NetAct Keycloak cannot be used to integrate CBAM
and ZTS. Check if the certificate for NTCApp and Keycloak is ready before integration.

1. Log in as omc user to the NetAct VM hosting the dmgr service.

To locate the right VM, see Locating the right virtual machine for a service in Administering NetAct
Virtual Infrastructure.

2. Check if the IP address is present in certificate installed on the Keycloak and ntcapp services by
entering:

[omc@<dmgr_vm>]# echo -n | openssl s_client -connect <NTCApp_NODE_HOSTNAME>:17443 | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' | openssl x509 -text | grep "DNS"

[omc@<dmgr_vm>]# echo -n | openssl s_client -connect <KEYCLOAK_NODE_HOSTNAME>:10448 | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' | openssl x509 -text | grep "DNS"

To locate the VM hosting keycloak or ntcapp service, see Locating the right virtual machine for
a service in Administering NetAct Virtual Infrastructure.

The output must contain IP address as shown below:

• IP Address: <LBWAS_IP_ADDRESS>
• DNS: clabxxxxlbwas.netact.nsn-rdnet.net

For ntcapp service, the output must also contain IP address as shown below:

• IP Address: <NTCApp_NODE_IP_ADDRESS>
• DNS: <NTCApp_NODE_HOSTNAME>

If the IP address is not present, regenerate the certificate using the CA that was used for
generating the existing certificate and install it on the Keycloak and ntcapp services. For more
information about regenerating and installing the certificate on the Keycloak and ntcapp services,
see Managing certificates.

Note: Use keycloak and ntcapp as the use case names mentioned in Managing certificates.

For information on how to configure certificates for NetAct Keycloak, see Accessing Keycloak
server.


8 Managing certificates for Centralized License Server (CLS)
This chapter describes the operations on managing certificates for Centralized License Server (CLS).

8.1 Generating certificates for CLS

1. Enable the direct root login on CLS Frontend (VM74) by entering:

# /opt/cpf/bin/cpfsecurity_actionmgr.pl --disable SSH_NO_ROOT_LOGIN

2. Log in as root user to the CLS Frontend VM.

3. Create a directory for certificate creation by entering:

# mkdir /root/cls.fe.ssl/ && cd /root/cls.fe.ssl/

4. Create the OpenSSL configuration file by entering:

# cat > openssl.cnf <<'zzzEOFzzz'
[req]
distinguished_name = req_distinguished_name
req_extensions = v3_req
prompt = yes
[req_distinguished_name]
countryName = Country Name (2 letter code)
stateOrProvinceName = State or Province Name
localityName = Locality Name
0.organizationName = Organization Name
organizationalUnitName = Organizational Unit Name
commonName = Common Name
emailAddress = Email Address
[v3_req]
keyUsage = keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName=${ENV::SUBJ_ALT_NAME}
zzzEOFzzz


Note: The OpenSSL configuration file will be used during private key and CSR creation.

5. Create the environment variable with the CLS Frontend FQDN by entering:

# export SUBJ_ALT_NAME="DNS:$(hostname -f)"

6. Generate the CLS Frontend private key by entering:

# openssl genrsa -out cls.fe.key 4096

7. Create CSR and certificate by entering:

# openssl req -new -sha512 -key cls.fe.key -out cls.fe.csr -config openssl.cnf

Sample output:

You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:
State or Province Name (full name) []:
Locality Name (eg, city) [Default City]:
Organization Name (eg, company) [Default Company Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:
Email Address []:

8. Submit the generated cls.fe.csr file to your Certificate Authority (CA).

9. Copy the received CLS certificate to /root/cls.fe.ssl/cls.fe.crt and the received CA
certificate to /root/cls.fe.ssl/ca.crt.

10. Disable the direct root login on CLS Frontend (VM74) by entering:

# /opt/cpf/bin/cpfsecurity_actionmgr.pl --enable SSH_NO_ROOT_LOGIN
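The procedure above, wrapped into shell functions as an added example that is not part of the NetAct documentation: the OpenSSL configuration of step 4 is written to a file, the SUBJ_ALT_NAME value of step 5 is built from explicit inputs (so IP addresses can be listed alongside the FQDN), and the key and CSR of steps 6 and 7 are generated without prompting. A final helper prints the subjectAltName entries recorded in the CSR so they can be confirmed before the CSR is submitted to the CA in step 8. It assumes openssl is on PATH; the working directory, FQDN and key size used in the demonstration are placeholders (the page uses /root/cls.fe.ssl and hostname -f), and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not part of the NetAct documentation. Generates the CLS Frontend
# key and CSR of section 8.1 from functions, so the SAN can be verified before the
# CSR is sent to the CA. Requires openssl on PATH for the generation steps.

# Write the openssl.cnf from step 4 to $1 (the SAN is read from the environment
# variable SUBJ_ALT_NAME when the CSR is created).
write_cls_openssl_cnf() {
    cat > "$1" <<'EOF'
[req]
distinguished_name = req_distinguished_name
req_extensions = v3_req
prompt = yes
[req_distinguished_name]
countryName = Country Name (2 letter code)
stateOrProvinceName = State or Province Name
localityName = Locality Name
0.organizationName = Organization Name
organizationalUnitName = Organizational Unit Name
commonName = Common Name
emailAddress = Email Address
[v3_req]
keyUsage = keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName=${ENV::SUBJ_ALT_NAME}
EOF
}

# Build the SUBJ_ALT_NAME value of step 5: the FQDN first, then any IP addresses.
# $1 = FQDN, further arguments = IP addresses (optional).
build_subj_alt_name() {
    san="DNS:$1"
    shift
    for ip in "$@"; do
        san="$san,IP:$ip"
    done
    printf '%s\n' "$san"
}

# Steps 4 to 7 in one call: $1 = working directory, $2 = CLS Frontend FQDN,
# $3 = RSA key size (defaults to the 4096 bits used on the page),
# $4 = subject DN (defaults to "/CN=<FQDN>"). Passing -subj means openssl does not
# prompt for the DN fields even though the configuration has prompt = yes.
generate_cls_csr() {
    dir=$1; fqdn=$2; bits=${3:-4096}; subj=${4:-/CN=$2}
    mkdir -p "$dir" || return 1
    write_cls_openssl_cnf "$dir/openssl.cnf"
    SUBJ_ALT_NAME=$(build_subj_alt_name "$fqdn")
    export SUBJ_ALT_NAME
    openssl genrsa -out "$dir/cls.fe.key" "$bits" 2>/dev/null || return 1
    openssl req -new -sha512 -key "$dir/cls.fe.key" -out "$dir/cls.fe.csr" \
        -config "$dir/openssl.cnf" -subj "$subj" || return 1
}

# Print the SAN entries recorded in a CSR ($1), one per line, for a check before step 8.
csr_san_entries() {
    openssl req -in "$1" -noout -text |
        sed -n '/Subject Alternative Name/{n;p;}' | tr ',' '\n' |
        sed 's/^[[:space:]]*//; s/[[:space:]]*$//'
}

# Demonstration with placeholder values in a temporary directory.
if command -v openssl >/dev/null 2>&1; then
    workdir=$(mktemp -d)
    generate_cls_csr "$workdir" cls-fe.example.test 2048 &&
        csr_san_entries "$workdir/cls.fe.csr"
    rm -rf "$workdir"
fi
```

On the CLS Frontend VM itself the call would be `generate_cls_csr /root/cls.fe.ssl "$(hostname -f)"`, followed by `csr_san_entries /root/cls.fe.ssl/cls.fe.csr` to confirm that the FQDN appears as a DNS entry before the CSR is submitted.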


8.2 Installing certificates on CLS Frontend VM

1. Enable the direct root login on the CLS Frontend VM (VM74) by entering:

# /opt/cpf/bin/cpfsecurity_actionmgr.pl --disable SSH_NO_ROOT_LOGIN

2. Log in as root user to the CLS Frontend VM.

3. Create a backup of all files in the /etc/opt/oss/Nokia-cls-lb/certificate directory by
entering:

# mkdir /root/certbkp
# cp /etc/opt/oss/Nokia-cls-lb/certificate/* /root/certbkp/

4. Copy the CLS Frontend certificate to the /etc/opt/oss/Nokia-cls-lb/certificate/
CLS_Frontend.crt file by entering:

# cp /root/cls.fe.ssl/cls.fe.crt /etc/opt/oss/Nokia-cls-lb/
certificate/CLS_Frontend.crt

5. Copy the CLS Frontend private key to the /etc/opt/oss/Nokia-cls-lb/certificate/
CLS_Frontend.pem file by entering:

# cp /root/cls.fe.ssl/cls.fe.key /etc/opt/oss/Nokia-cls-lb/
certificate/CLS_Frontend.pem

6. Copy all CA certificates (root and intermediate) to the /etc/opt/oss/Nokia-cls-lb/certificate/NetAct-CA.crt file by entering:

# cp /root/cls.fe.ssl/ca.crt /etc/opt/oss/Nokia-cls-lb/certificate/NetAct-CA.crt

7. Change the owner of certificate files by entering:

# chown 1000:1000 /etc/opt/oss/Nokia-cls-lb/certificate/*

8. Restart the CLS lb service by entering:

# systemctl restart cls-lb.service

9. Disable the direct root login on the Frontend VM (VM74) by entering:

# /opt/cpf/bin/cpfsecurity_actionmgr.pl --enable SSH_NO_ROOT_LOGIN


Note: If there is an issue, restore the original CLS certificates and restart both (VM74 and
VM75) CLS services. For more information, see Troubleshooting Centralized License Server
(CLS) custom certificates in Troubleshooting Security Management.

8.3 Installing certificate on CLS Backend VM

1. Enable the direct root login on the CLS Backend VM (VM75) by entering:

# /opt/cpf/bin/cpfsecurity_actionmgr.pl --disable SSH_NO_ROOT_LOGIN

2. Log in as root user to the CLS Backend VM.

3. Create a directory for CLS certificates by entering:

# mkdir /root/cls.fe.ssl/ && cd /root/cls.fe.ssl/

4. Copy certificates from the CLS Frontend VM (VM74) by entering:

# scp <CLS.FE.FQDN>:/root/cls.fe.ssl/* /root/cls.fe.ssl/

5. Create a backup of all files in the /etc/opt/oss/Nokia-cls-web/certificate directory by entering:

# mkdir /root/certbkp


# cp /etc/opt/oss/Nokia-cls-web/certificate/* /root/certbkp/

6. Copy the CLS Frontend certificate to the /etc/opt/oss/Nokia-cls-web/certificate/CLS_Frontend.crt file by entering:

# cp /root/cls.fe.ssl/cls.fe.crt /etc/opt/oss/Nokia-cls-web/certificate/CLS_Frontend.crt

7. Copy the CLS Frontend private key to the /etc/opt/oss/Nokia-cls-web/certificate/CLS_Frontend.pem file by entering:

# cp /root/cls.fe.ssl/cls.fe.key /etc/opt/oss/Nokia-cls-web/certificate/CLS_Frontend.pem

8. Copy the CA root certificate to the /etc/opt/oss/Nokia-cls-web/certificate/NetAct-CA.crt file by entering:

# cp /root/cls.fe.ssl/ca.crt /etc/opt/oss/Nokia-cls-web/certificate/NetAct-CA.crt

9. Change the owner of certificate files by entering:

# chown 4444:4444 /etc/opt/oss/Nokia-cls-web/certificate/*

10. Restart the CLS web service by entering:

# systemctl restart cls-web.service

11. Disable the direct root login on the CLS Backend VM (VM75) by entering:

# /opt/cpf/bin/cpfsecurity_actionmgr.pl --enable SSH_NO_ROOT_LOGIN

Note: If there is an issue, restore the original CLS certificates and restart both (VM74 and
VM75) CLS services. For more information, see Troubleshooting Centralized License Server
(CLS) custom certificates in Troubleshooting Security Management.


9 Configuring southbound interface (SBI) and HTTP for TLS

It is recommended to perform the hardening procedure to use secure southbound interfaces.

For NE3S/WS mediation, follow the process below:

• Configuring NE3S/WS southbound interface for TLS connection.

9.1 Configuring NE3S/WS southbound interface for TLS connection


Configuring the NE3S/WS southbound interface for the Transport Layer Security (TLS) connection
with certificates signed by a common certificate authority involves the following steps:

9.1.1 Creating keys and certificates and installing certificates for TLS connection
Before integrating network elements in TLS mode, you need to create and install certificates for the NE3S/WS mediation TLS connection. For how to create and install certificates for NE3S/WS mediation, see Managing certificates. The default certificates applied in http.conf and in the common_mediations truststore cannot be used to integrate network elements.

Note: ne3sws is the usecase name in the above-mentioned chapter.

9.1.2 Enabling Transport Layer Security connection for existing objects


To enable the Transport Layer Security (TLS) connection for existing objects, perform the following
steps:

1. Log in as the omc user to the NetAct VM where the common_mediations service is running
through SSH.

2. Unregister the existing objects using the ne3swsUnRegisterAgent.sh script, available at /opt/oss/NSN-ne3sws_core/install/bin/ne3swsUnRegisterAgent.sh, with the Agent DN as an argument:

sh /opt/oss/NSN-ne3sws_core/install/bin/ne3swsUnRegisterAgent.sh '<Distinguished name of agent>'

3. Log in to NetAct Start Page, and click Monitoring → Monitor.


The Monitor application opens.

4. In Monitor, open Object Explore by selecting Tools → Managed Objects → Object Explore.

5. Expand the sub-object tree of the integrated Distinguished Name, and select NE3SWS.

6. Right-click NE3SWS and select properties.

7. In HTTPS Port, fill in the TLS port of network element.

8. In Security Mode, select TLS and then click Save.

9. Register the agent using the ne3swsRegisterAgent.sh script, available at /opt/oss/NSN-ne3sws_core/install/bin/ne3swsRegisterAgent.sh, and provide the Agent DN as an argument as follows:

sh /opt/oss/NSN-ne3sws_core/install/bin/ne3swsRegisterAgent.sh '<Distinguished name of agent>'

9.1.3 Disabling Transport Layer Security connection for existing objects


This section describes the steps to disable the Transport Layer Security (TLS) connection for objects
that are already integrated with TLS.

1. Log in as the omc user to the NetAct VM where the common_mediations service is running
through SSH.

2. Unregister the existing objects using the ne3swsUnRegisterAgent.sh script, available at /opt/oss/NSN-ne3sws_core/install/bin/ne3swsUnRegisterAgent.sh, with the Agent DN as an argument:

sh /opt/oss/NSN-ne3sws_core/install/bin/ne3swsUnRegisterAgent.sh '<Distinguished name of agent>'

3. Log in to NetAct Start Page, and click Monitoring → Monitor.


The Monitor application opens.

4. In Monitor, open Object Explore by selecting Tools → Managed Objects → Object Explore.

5. Expand the sub-object tree of the integrated Distinguished Name, and select NE3SWS.

6. Right-click NE3SWS and select properties.

7. In HTTP Port, fill in the non-TLS (plain HTTP) port of the network element.

8. In Security Mode, select no TLS and then click Save.

9. Register the agent using the ne3swsRegisterAgent.sh script, available at /opt/oss/NSN-ne3sws_core/install/bin/ne3swsRegisterAgent.sh, and provide the Agent DN as an argument as follows:

sh /opt/oss/NSN-ne3sws_core/install/bin/ne3swsRegisterAgent.sh '<Distinguished name of agent>'

9.1.4 Decrypting passwords


Passwords provided to the keystore or truststore are available in an encrypted format in the
mf.properties file.

1. Log in as the root user to any of the NetAct VMs.


2. Check which nodes run the mediation service by executing the following command:

[root]# /opt/cpf/sbin/smanager.pl status service <ServiceName>

For example, to check on which node the common_mediations service is running, execute:

[root]# /opt/cpf/sbin/smanager.pl status service common_mediations

3. Log in as the root user to one of those VMs.
4. To find the decrypted password, provide the encrypted password as the argument:

/opt/oss/NSN-mf_swp/bin/decryptpasswd.sh <Encrypted Password>

Example: sh /opt/oss/NSN-mf_swp/bin/decryptpasswd.sh 344c8fc7a66b5a3d

Output: The decrypted value for the password 344c8fc7a66b5a3d : tests.


10 Configuring Northbound Interfaces


Different NBIs require different security configurations; refer to the integration documents.

10.1 Security Configuration for SNMP V3


Configuration for SNMP (Simple Network Management Protocol) V3 requires the following:

• Setting filters for the alarm notifications received by the external network management system
(NMS).
• Setting User-based Security Model (USM) credential for SNMP v3.
• Configuring notification enrichment function to enable the SNMP notification enrichment function.
• Configuring all the required configurable items in /opt/oss/NSN-nbisnmp/smx/mf-conf/
nbi-snmp.properties.

For more information on configuring SNMP V3, see Configuring SNMP Northbound Interface in the Northbound Interfaces document.

10.2 Configuring secure communication for NBI

10.2.1 NBI Overview


NBI provides a secure Internet Inter-ORB Protocol (IIOP), HTTP and Socket communication function between the external NMS and NetAct. You can enable or disable this function based on your requirements.

While you establish IIOP connection:

• If the function is enabled, NBI authenticates the external NMS and encrypts the data transmitted.
• If the function is disabled, NBI neither authenticates the external NMS nor encrypts the data transmitted.

Following are the components that use IIOP directly:

• Notification Service supports the function to forward notifications to external NMS using IIOP.
• Naming Service supports the function to fetch IOR of IRP directly using IIOP.
• 3GPP Release 6 CORBA FM NBI supports the following functions using IIOP:

– Alarm IRP
– Basic CM IRP
– Kernel CM IRP
– CS IRP
– EP IRP
– Notification IRP

– FT IRP

Following are the components that use IIOP indirectly:

• 3GPP XML Format PM NBI depends on the functions of the Notification IRP and FT IRP of 3GPP Release 6 CORBA FM NBI.
• XML Based Inventory Data Export depends on the functions of the Notification IRP and FT IRP of 3GPP Release 6 CORBA FM NBI.

Following are the components that use HTTP and Socket directly:

• 3GPP Release 6 CORBA FM NBI fetches the EP IRP or Notification Service IOR for integration.

Following are the components that use HTTP and Socket indirectly:

• 3GPP XML Format PM NBI depends on 3GPP Release 6 CORBA FM NBI for integration.
• XML Based Inventory Data Export depends on 3GPP Release 6 CORBA FM NBI for integration.

Note: There are dependencies among NBI components. Enabling or disabling the secure communication function in a single component cannot make the whole NetAct system secure. NBI supports only the cases where all NBI components use secure communication, or all NBI components use insecure communication.

NBI supports TLS1.0, TLS1.1 and TLS1.2 security protocols.

To enable secure IIOP, the NMS should not use weak cipher suites, such as RC4, DES, MD5, and
SHA-1.

The cipher suites must be used from the following list:

• TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
• TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
• TLS_DHE_RSA_WITH_AES_256_CBC_SHA
• TLS_RSA_WITH_AES_256_GCM_SHA384
• TLS_RSA_WITH_AES_256_CBC_SHA256
• TLS_RSA_WITH_AES_256_CBC_SHA
• TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
• TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
• TLS_DHE_RSA_WITH_AES_128_CBC_SHA
• TLS_RSA_WITH_AES_128_GCM_SHA256
• TLS_RSA_WITH_AES_128_CBC_SHA256
• TLS_RSA_WITH_AES_128_CBC_SHA

By default, the following strong cipher suites are used in NBI:

• TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
• TLS_RSA_WITH_AES_256_GCM_SHA384
• TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
• TLS_RSA_WITH_AES_128_GCM_SHA256


Note: There are dependencies among NBI components. Enabling or disabling weak ciphers in a single component cannot make the whole Nokia system secure. NBI is supported only when all NBI components have weak ciphers disabled, or all have them enabled.

10.2.2 Enabling secure communication for NBI


To enable secure IIOP for NBI:

1. Log in as the omc user to the NetAct VM where the nbi3gcom service is running, and switch to
the root user.
2. Copy the external NMS certificate: export the NMS certificate and upload it as <NMS_CERT_FILE> to the JBI_NBI3GC node.


3. Execute the following command to import the certificate:

[root]# /opt/oss/Nokia-nbi3gcom/bin/nbiNMSCertMgr.sh --importcert <NMS_CERT_FILE> <NMS_CERT_ALIAS>

Note:

• Ensure that there are no errors after the execution.
• The NMS alias must be unique. If the alias already exists, the import fails.

4. Execute the following command to enable secure communication:

[root]# /opt/oss/Nokia-nbi3gcom/bin/nbiSecureMgr.sh --enable

Note: This operation restarts the NBI services. The outcome may differ depending on the current configuration of your jacorb.properties file. The same alias name cannot be imported twice into the same keystore; use a different alias name for each certificate.

5. Export Root CA certificate for NetAct NBI services to the external NMS, see Root CA certificate for
NetAct services.

Note:

• Fetch Root CA certificate for NetAct NBI services nbi3gcom and nbi3gc and import
these certificates to NMS.
• Refer to the external NMS documentation for how to enable secure configuration.
• Ensure that there are no errors after the execution.


10.2.3 Disabling secure communication for NBI


To disable secure IIOP for NBI:

1. Log in as the omc user to the NetAct VM where the nbi3gcom service is running, and switch to
the root user.

2. Execute the below command to disable secure communications:

[root]# /opt/oss/Nokia-nbi3gcom/bin/nbiSecureMgr.sh --disable

Note: Ensure that there are no errors after the execution.

10.2.4 Enabling weak ciphers of SSL/TLS for NBI

10.2.4.1 Enabling weak ciphers of SSL/TLS for nbi3gcom

To enable weak ciphers of SSL/TLS for nbi3gcom:

1. Log in as the omc user to the NetAct VM where the nbi3gcom service is running, and switch to the
root user.
2. Stop the nbi3gcom service in the VM by typing:

[root]# smanager.pl stop service nbi3gcom

Expected outcome:

Service nbi3gcom stopped

3. Execute the below command to enable weak ciphers.

[root]# /opt/oss/Nokia-nbi3gcom/bin/nbi3gcomCipherMgr.sh --enable

Note:

• Ensure that there are no errors after the execution.
• The following cipher suites are used after execution:

• TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
• TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
• TLS_DHE_RSA_WITH_AES_256_CBC_SHA
• TLS_RSA_WITH_AES_256_GCM_SHA384
• TLS_RSA_WITH_AES_256_CBC_SHA256
• TLS_RSA_WITH_AES_256_CBC_SHA
• TLS_DHE_RSA_WITH_AES_128_GCM_SHA256

• TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
• TLS_DHE_RSA_WITH_AES_128_CBC_SHA
• TLS_RSA_WITH_AES_128_GCM_SHA256
• TLS_RSA_WITH_AES_128_CBC_SHA256
• TLS_RSA_WITH_AES_128_CBC_SHA
• SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA
• SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA
• SSL_RSA_WITH_3DES_EDE_CBC_SHA
• TLS_DHE_DSS_WITH_AES_128_CBC_SHA

4. Execute the below command to start nbi3gcom service.

[root]# smanager.pl start service nbi3gcom

Expected outcome:

Service nbi3gcom started on node NetActvm01

10.2.4.2 Enabling weak ciphers of SSL/TLS for 3GPP Rel6 CORBA FM NBI
To enable weak ciphers of SSL/TLS for 3GPP Rel6 CORBA FM NBI:

1. Log in as the omc user to the NetAct VM where the nbi3gc service is running, and switch to the
root user.
2. Stop the nbi3gc service in the VM by typing:

[root]# smanager.pl stop service nbi3gc

Expected outcome:

Service nbi3gc stopped

3. Execute the below command to enable weak ciphers.

[root]# /opt/oss/NSN-nbi3gc/bin/nbi3gcCipherMgr.sh --enable

Note:

• Ensure that there are no errors after the execution.
• The following cipher suites are used after execution:

• TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
• TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
• TLS_DHE_RSA_WITH_AES_256_CBC_SHA
• TLS_RSA_WITH_AES_256_GCM_SHA384
• TLS_RSA_WITH_AES_256_CBC_SHA256

• TLS_RSA_WITH_AES_256_CBC_SHA
• TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
• TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
• TLS_DHE_RSA_WITH_AES_128_CBC_SHA
• TLS_RSA_WITH_AES_128_GCM_SHA256
• TLS_RSA_WITH_AES_128_CBC_SHA256
• TLS_RSA_WITH_AES_128_CBC_SHA

4. Execute the below command to start nbi3gc service.

[root]# smanager.pl start service nbi3gc

Expected outcome:

Service nbi3gc started on node NetActvm01

10.2.5 Disabling weak ciphers of SSL/TLS for NBI

10.2.5.1 Disabling weak ciphers of SSL/TLS for nbi3gcom

To disable weak ciphers of SSL/TLS for nbi3gcom:

1. Log in as the omc user to the NetAct VM where the nbi3gcom service is running, and switch to the
root user.
2. Stop the nbi3gcom service in the VM, by typing:

[root]# smanager.pl stop service nbi3gcom

Expected outcome:

Service nbi3gcom stopped.

3. Execute the below command to disable weak ciphers.

[root]# /opt/oss/Nokia-nbi3gcom/bin/nbi3gcomCipherMgr.sh --disable

Note:

• Ensure that there are no errors after the execution.
• The following cipher suites are used after execution:

• TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
• TLS_RSA_WITH_AES_256_GCM_SHA384
• TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
• TLS_RSA_WITH_AES_128_GCM_SHA256

4. Execute the below command to start nbi3gcom service.

[root]# smanager.pl start service nbi3gcom

Expected outcome:

Service nbi3gcom started on node.

10.2.5.2 Disabling weak ciphers of SSL/TLS for 3GPP Rel6 CORBA FM NBI
To disable weak ciphers of SSL/TLS for 3GPP Rel6 CORBA FM NBI:

1. Log in as the omc user to the NetAct VM where the nbi3gc service is running, and switch to the
root user.
2. Stop the nbi3gc service in the VM by typing:

[root]# smanager.pl stop service nbi3gc

Expected outcome:

Service nbi3gc stopped.

3. Execute the below command to disable weak ciphers.

[root]# /opt/oss/NSN-nbi3gc/bin/nbi3gcCipherMgr.sh --disable

Note:

• Ensure that there are no errors after the execution.
• The following cipher suites are used after execution:

• TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
• TLS_RSA_WITH_AES_256_GCM_SHA384
• TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
• TLS_RSA_WITH_AES_128_GCM_SHA256

4. Execute the below command to start nbi3gc service.

[root]# smanager.pl start service nbi3gc

Expected outcome:

Service nbi3gc started on node.


11 Managing NWI3 Interface Security

11.1 Adding certificates for CM upload


You need the certificate file, in PEM format, of the Root CA which issued the certificate used on the network element for this communication.

Note: If various network elements use certificates issued by multiple Root CAs then you
have to add the certificates of each Root CA used.

To enable secure communication during file transfer from network elements, such as CM plan file transfer, the WAS truststore needs to contain the certificates of the network elements or their trust anchor.

The certificate can be imported to truststore by following the instructions provided in Adding additional
trust anchors.

Note: cmwas will be the endpoint name in the above-mentioned chapter.

After the certificate import, restart the cmwas service on all WAS nodes. To restart the cmwas service, see Restarting all WebSphere services in parallel in Administering Java EE.

Note: cmwas will be the group name in the above-mentioned chapter.

11.2 Adding network element certificate to NWI3 mediation's truststore

Prerequisites

Ensure that you have the signed certificate of the network element, or of its trust anchor or one of the intermediate certificates, in a file named, for example, RootCAcert.pem.

To enable secure communication during file transfer from network elements, such as PM file transfer, system level trace offline mode file transfer, and software upload, the NWI3 mediation's truststore needs to contain the certificates of the network elements or their trust anchor.

The certificate can be imported to truststore by following the instructions provided in Adding additional
trust anchors.

Note: nwi3 will be the endpoint name in the above mentioned chapter.


11.3 Configuring the Tomcat NWI3-HTTP server

11.3.1 Installing New Certificate for Tomcat NWI3-HTTP Server


To generate and install certificate for NWI3-HTTP Server, follow the instructions provided in Managing
certificates.

Note: nwi3 will be the usecase name in the above mentioned chapter.

11.3.2 Disabling HTTP to enforce secure communication

1. Locate the VM where nwi3 service is running.

For information on how to locate the correct VM, see Locating the right virtual machine for a
service in Administering NetAct Virtual Infrastructure.

2. Log in to the nwi3 VM by executing the following command:

ssh root@<nwi3-vmnode>

3. Disable HTTP by executing the following command:

$NWI3_HOME/bin/disableHTTP.sh

Note:

• This action will restart the NWI3 HTTP service and cause NWI3 SWM downtime.
• Execute this operation on the standby site as well if the disaster recovery system was
set up.

11.3.3 Restoring HTTP

1. Locate the VM where nwi3 service is running.


For information on how to locate the correct VM, see Locating the right virtual machine for a
service in Administering NetAct Virtual Infrastructure.

2. Log in to the nwi3 VM by executing the following command:

ssh root@<nwi3-vmnode>

3. Enable HTTP by executing the following command:

$NWI3_HOME/bin/enableHTTP.sh

Note:

• This action will restart the NWI3 HTTP service and cause NWI3 SWM downtime.
• Execute this operation on the standby site as well if the disaster recovery system was
set up.

11.3.4 Enabling CRL checking of network element certificates by Tomcat

1. Locate the VM where nwi3 service is running.

For information on how to locate the correct VM, see Locating the right virtual machine for a
service in Administering NetAct Virtual Infrastructure.

2. Log in to the nwi3 VM by executing the following command:

ssh root@<nwi3-vmnode>

3. Enable CRL checking by executing the following command:

$NWI3_HOME/bin/enableCRL.sh

Note:

• This action will restart the NWI3 HTTP service and cause NWI3 SWM downtime.
• Execute this operation on the standby site as well if the disaster recovery system was
set up.

11.3.5 Disabling CRL checking of network element certificates by Tomcat

1. Locate the VM where nwi3 service is running.


For information on how to locate the correct VM, see Locating the right virtual machine for a
service in Administering NetAct Virtual Infrastructure.

2. Log in to the nwi3 VM by executing the following command:

ssh root@<nwi3-vmnode>

3. Disable CRL checking by executing the following command:

$NWI3_HOME/bin/disableCRL.sh

Note:

• This action will restart the NWI3 HTTP service and cause NWI3 SWM downtime.
• Execute this operation on the standby site as well if the disaster recovery system was
set up.

11.3.6 Configuring DHE keysize


By default, the NWI3 HTTP service sets the DHE key size to 1024 bits for backward compatibility with older NE versions. However, a DHE key size of 1024 bits or less is considered vulnerable because of the Logjam security flaw.

To configure the DHE keysize for NWI3 HTTP service:

1. Locate the VM where NWI3 service is running.

For information on how to locate the correct VM, see Locating the right virtual machine for a
service in Administering NetAct Virtual Infrastructure.

2. Log in as omc user to the nwi3 VM and then switch to the root user.

3. Configure the DHE keysize.

• If there are no backward compatibility problems, set it to 2048.

/opt/oss/NSN-nwi3/bin/nwi3_tomcat_set_dhe_keysize.sh 2048

• If a key size of 2048 causes connection problems with NEs, set it back to 1024.

/opt/oss/NSN-nwi3/bin/nwi3_tomcat_set_dhe_keysize.sh 1024

Note:

• This action will restart NWI3 HTTP service and cause NWI3 SWM downtime.
• Execute this operation on the standby site as well if the disaster recovery system was
set up.
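To confirm what the NWI3 HTTP listener actually negotiates after nwi3_tomcat_set_dhe_keysize.sh has run, the following added example (not part of the Nokia documentation) parses the "Server Temp Key" line that openssl s_client prints and compares it against the 1024-bit Logjam threshold described above. It assumes the openssl CLI; <nwi3-vmnode> and the port are placeholders for your own values, and the s_client output fed to the parser in the test is constructed.

```shell
#!/bin/sh
# Added example, not from the NetAct documentation. Assumes the openssl CLI.

# Extract the DH group size (bits) from `openssl s_client` output read on stdin.
# Prints the size and returns 0 when a DH temp key was negotiated, 2 when the
# server picked a non-DH key exchange (ECDHE, or a static RSA suite), and 1
# when no "Server Temp Key" line is present at all (handshake failed).
dhe_bits_from_sclient() {
    line=$(grep 'Server Temp Key:' | head -n 1)
    [ -n "$line" ] || return 1
    case "$line" in
        *"Server Temp Key: DH,"*)
            echo "$line" | sed -n 's/.*DH, \([0-9][0-9]*\) bits.*/\1/p'
            return 0 ;;
        *) return 2 ;;
    esac
}

# The document's threshold: a DHE group of 1024 bits or smaller is weak (Logjam).
dhe_size_ok() {
    [ "$1" -gt 1024 ] 2>/dev/null
}

# Live check against a host. Forces a DHE cipher string over TLS 1.2 so the
# server has to reveal its DH group instead of choosing ECDHE. Not exercised by
# the offline test because it needs a reachable NWI3 VM; the port is a placeholder.
check_nwi3_dhe() {
    host="$1"; port="${2:-443}"
    out=$(openssl s_client -connect "$host:$port" -tls1_2 -cipher 'DHE' \
            </dev/null 2>/dev/null || true)
    bits=$(printf '%s\n' "$out" | dhe_bits_from_sclient) || {
        echo "no DHE key exchange negotiated with $host:$port"
        return 1
    }
    if dhe_size_ok "$bits"; then
        echo "OK: $host:$port negotiates a $bits-bit DH group"
        return 0
    fi
    echo "WEAK: $host:$port negotiates a $bits-bit DH group (Logjam risk)"
    return 1
}
```

Usage on the nwi3 VM: check_nwi3_dhe <nwi3-vmnode> <nwi3-https-port>; run it once before and once after changing the key size to see the effect.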


11.4 Turning on CRL checking of network element certificates on NetAct


1. Identify which VM is running the nwi3 service. Log in to one of the NetAct nodes and execute
the command smanager.pl status. The hostname of the VM is the one under which nwi3 is
displayed as one of the services (see also Locating the right virtual machine for a service in
Administering NetAct Virtual Infrastructure).

2. Log onto that VM by executing: ssh omc@<nwi3-VM>.

3. Modify the mediation property file by executing:

$NWI3_HOME/bin/enableCRLChecking.sh

11.5 Configuring certificates on network elements

11.5.1 CMP server


The CMP server is a server compliant with the Certificate Management Protocol (RFC 4210, RFC 4211) for obtaining X.509 digital certificates in a public key infrastructure (PKI). For information on setting up certificates in the certificate authority, see Requirements for the end-entity certificate on the network element to communicate successfully with NetAct, Requirements for the CA certificate on the network element to communicate successfully with NetAct and Requirements for the CRLs used by NetAct and by the network element to function correctly.

The CMP server is a crucial part of almost all uses of the NWI3 certificate management CLI tool, see Using NWI3 certificate Management CLI tool.

Figure 5: Trigger CMP initialization operation shows an example of triggering the CMP initialization operation.


Figure 5: Trigger CMP initialization operation

1. The user uses the cerma.sh tool to trigger the CMP initialization request to the network element.
2. The network element requests a certificate from the CMP server.
3. The network element installs the certificate returned from the CMP server and updates the CA certificates in the certificate's trust chain into its trust store.

11.5.2 Generation and installation of a new certificate on a network element

Prerequisites

• A network element is registered to NetAct.
• A CMP server and a CR server are available and running.
• You must also know the following parameters:

cmpServerIpAddress - IP address of the CMP server
cmpServerPort - port number of the CMP server
cmpURL - relative path to the root server (if the CMP server is started on http://0.0.0.0:8081/pkix/ then cmpURL=pkix/)
crServerIpAddress - IP address of the certificate repository (LDAP)
crServerPort - port number of the certificate repository (usually 389)
cmpRecipient - Certificate Authority DN (for example, C=COM,O=NSN,CN=RootCA)
cmpPreSharedKey - pre-shared key to access the CMP server
cmpRefNum - reference number to access the CMP server

1. Identify which vmnode is running the nwi3 service. Log in to one of the NetAct nodes and execute
the command smanager.pl status. The hostname of the vmnode is the one under which nwi3
is displayed as one of the services (see also Locating the right virtual machine for a service in
Administering NetAct Virtual Infrastructure).

2. Log onto that vmnode by executing the command ssh omc@<nwi3-vmnode>.

3. Configure the network element to use the desired CMP and CR servers by running the cerma
tool's set operation.

• Consider the following command targeting PLMN-PLMN/OMS-2069:

/opt/oss/NSN-nwi3/bin/cerma.sh set -d PLMN-PLMN/OMS-2069 -cmpServerIpAddress 10.41.100.254 -cmpServerPort 8081 -crServerIpAddress 10.41.100.254 -crServerPort 389 -cmpPreSharedKey "HJZd-pBZg-p5kq-EGKP-G4cd" -cmpRefNum "7553A8c2638p" -cmpRecipient "C=COM,O=NSN,CN=RootCA" -cmpURL "pkix/"


• Consider the following command targeting all WBTS network elements located under RNC network elements:

/opt/oss/NSN-nwi3/bin/cerma.sh set -qf fileWithMoQuery.txt -cmpServerIpAddress 10.41.100.254 -cmpServerPort 8081 -crServerIpAddress 10.41.100.254 -crServerPort 389 -cmpPreSharedKey "HJZd-pBZg-p5kq-EGKP-G4cd" -cmpRefNum "7553A8c2638p" -cmpRecipient "C=COM,O=NSN,CN=RootCA" -cmpURL "pkix/"

where the file fileWithMoQuery.txt contains //PLMN//RNC//WBTS

If the first command is executed, the network element with FQDN PLMN-PLMN/OMS-2069 (assuming such a network element is registered to NetAct) will be configured to use the specified addresses and ports to communicate with the CMP and CR servers during certificate generation, and to use the specified pre-shared key and reference number during the CMP communication. The second command will configure all WBTS network elements under RNC network elements. For detailed usage of the set command, see the cerma tool guide in the chapter Using NWI3 certificate Management CLI tool.

4. Trigger certificate generation and installation on the network element by running the cerma tool's
trigger CMP initialization operation.

• Consider the following command targeting PLMN-PLMN/OMS-2069:

/opt/oss/NSN-nwi3/bin/cerma.sh triggerCmpInitSequence -d PLMN-PLMN/OMS-2069

• Consider the following command targeting all WBTS network elements located under RNC network elements:

/opt/oss/NSN-nwi3/bin/cerma.sh triggerCmpInitSequence -qf fileWithMoQuery.txt

where the file fileWithMoQuery.txt contains /PLMN//RNC//WBTS.

The first command will cause the network element to generate a private/public RSA key pair, send it in a request to the CMP server to create a certificate and then install this certificate as its default certificate. This command will also cause the network element to obtain the certificate of the CA which issued the certificate and all ancestor CAs (i.e. along the certificate issuing chain) and put these certificates into its trust store. The second command will do the same, but for all WBTS network elements under RNC network elements.

Note: For selecting multiple network elements, see Common options in the cerma tool guide,
in particular the usage of the -qf parameter.




11.5.3 Using NWI3 certificate Management CLI tool


The Certificate Management tool, cerma.sh, is a command line tool for managing certificates on
WCDMA and LTE radio elements over the NWI3 protocol. It is available on the node hosting the NWI3
mediation as /opt/oss/NSN-nwi3/bin/cerma.sh and can be run only by the omc user.

This is an optional procedure in system hardening measures.

The operations provided by the Cerma tool for managing certificates include:

• Set operation
• Remove root certificate operation
• Trigger CMP initialization operation
• Trigger CMP key update Sequence operation
• Trigger Update on Certificate Revocation List operation

11.5.3.1 Common options

• -d <DNs>

Specifies the network elements to be targeted by the cerma operation as a comma-separated list of
their DNs.

• -df <file name>

Specifies the name of the file containing DNs of the network elements to be targeted by the cerma
operation. The DNs should be separated by line breaks and lines starting with the '#' character are
treated as comments.

For example, running the following command:

cerma.sh set -df ./DNDir/DNFile.txt -cmpServerIpAddress 10.125.212.89

where a file at ./DNDir/DNFile.txt exists and contains the following:

#OMS DN File
PLMN-123/OMS-1000
PLMN-123/OMS-1001

produces the same effect as running the following command:

cerma.sh set -d PLMN-123/OMS-1000,PLMN-123/OMS-1001 -cmpServerIpAddress 10.125.212.89

• -qf <file name>

Specifies the name of the file containing MOQuery strings defining the DNs of the network ele-
ments to be targeted by the cerma operation. Each MOQuery must be separated from any other
by at least one blank line.




For example, running the following command:

cerma.sh set -qf ./MOQueryDir/QueryFile.txt -cmpServerIpAddress 10.125.212.89

where a file at ./MOQueryDir/QueryFile.txt exists and contains the following:

#WBTS Query File
//PLMN//RNC//WBTS
[instance() like :pattern]
--variable pattern %Silesia%

//PLMN//MRBTS//LNBTS

will target all WBTS network elements located under RNC network elements whose id includes the
string 'Silesia' and all LNBTS network elements.

Lines in the MOQuery file which start with the '#' character are treated as comments. Some useful
functions available in MOQuery are listed in the table below:

function      value returned
classAbbr()   The MO's associated managed object class abbreviation (e.g. 'OMS' for an OMS object).
dn()          The MO's fully qualified distinguished name.
instance()    The MO's object instance (part of the relative distinguished name).
version()     The MO's associated NASDA adaptation version.

Some useful conditions available in MOQuery are listed in the table below:

condition   syntax
=           <value1> = <value2>
like        <expression> like <pattern>
and         <condition1> and <condition2>
or          <condition1> or <condition2>
not         not <expression>

For example, the MOQuery file below can be used to target all LNBTS network elements whose
NASDA adaptation version is 1.0 that belong to the PLMN named PLMN-Silesia but not those
whose instance contains the word backup or test:

//PLMN//MRBTS//LNBTS
[version() = :pattern1 and dn() like :pattern2 and not (instance() like :pattern3 or instance() like :pattern4)]
--variable pattern1 1.0
--variable pattern2 PLMN-Silesia%
--variable pattern3 %backup%
--variable pattern4 %test%

• -f <file name>

Specifies the name of the file containing the whole command to be run. Each option and value
should be separated by line breaks and lines starting with the '#' character are treated as com-
ments.

For example, running the following command:

cerma.sh -f ./commandDir/commandFile.txt

where a file at ./commandDir/commandFile.txt exists and contains the following:

set
-d
PLMN-PLMN/OMS-2069,PLMN-PLMN/OMS-2070
-cmpServerIpAddress
10.41.100.254
-cmpServerPort
8081
-crServerIpAddress
10.41.100.254
-crServerPort
389
-cmpPreSharedKey
HJZd-pBZg-p5kq-EGKP-G4cd
-cmpRecipient
C=FI,O=NSN,CN=MBBTampereRootCA
-cmpRefNum
BA987654321

produces the same effect as running the following command:

cerma.sh set -d PLMN-PLMN/OMS-2069,PLMN-PLMN/OMS-2070 -cmpServerIpAddress 10.41.100.254 -cmpServerPort 8081 -crServerIpAddress 10.41.100.254 -crServerPort 389 -cmpPreSharedKey HJZd-pBZg-p5kq-EGKP-G4cd -cmpRecipient C=FI,O=NSN,CN=MBBTampereRootCA -cmpRefNum BA987654321

• -logLevel <log level>

Specifies the amount of logs to show when running the given operation. Possible values are:

0, which shows the least amount of logs and is the default if the logLevel option isn't used
1, which shows more logs
2, which shows the most logs




Here is an example invocation which shows all possible logs to the user executing it:

/opt/oss/NSN-nwi3/bin/cerma.sh set -d PLMN-PLMN/OMS-2069 -cmpServerIpAddress 10.41.100.254 -logLevel 2
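The -df, -qf and -f file formats described above are simple enough to be checked before the tool is run. The following is an added example, not part of the NetAct documentation or of cerma.sh itself: it reads the three formats exactly as the option descriptions state them (one DN per line, '#' comment lines, MOQueries separated by blank lines, one option or value per line in a -f command file) and renders the one-line command each file stands for, which makes the equivalences stated above (a -df file to a -d list, a -f file to a single invocation) visible offline. The sample files are constructed from the documentation's own examples; the cerma.sh name and the option names are taken from this page and nothing else is assumed to exist on the system.

```python
"""Readers for the cerma.sh -df, -qf and -f input files.

Added example, not part of the NetAct documentation or of cerma.sh itself.
It reproduces the file-format rules given under "Common options" (one DN per
line, '#' comment lines, MOQueries separated by blank lines, one option or
value per line in a -f command file) so that a prepared file can be checked,
and the equivalent one-line command shown, before the real tool is run.
"""
from __future__ import annotations
import shlex


def _content_lines(text: str) -> list[str]:
    """Non-blank lines with '#' comment lines removed and whitespace trimmed."""
    return [ln.strip() for ln in text.splitlines()
            if ln.strip() and not ln.lstrip().startswith("#")]


def parse_dn_file(text: str) -> list[str]:
    """DNs from a -df file: one per line, blank lines and '#' lines ignored."""
    return _content_lines(text)


def dn_file_to_option(text: str) -> list[str]:
    """The -d form of a -df file: a single comma-separated list of DNs."""
    return ["-d", ",".join(parse_dn_file(text))]


def parse_moquery_file(text: str) -> list[str]:
    """MOQueries from a -qf file.

    A query may span several lines (the path, a [...] condition and its
    --variable lines); queries are separated by at least one blank line.
    '#' lines are comments.
    """
    queries: list[str] = []
    current: list[str] = []
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith("#"):
            continue
        if not stripped:
            if current:
                queries.append("\n".join(current))
                current = []
            continue
        current.append(stripped)
    if current:
        queries.append("\n".join(current))
    return queries


def parse_command_file(text: str) -> list[str]:
    """The argv a -f command file stands for: one option or value per line.

    Because a value occupies a whole line it may contain spaces, which is why
    the documentation recommends -f for cmpRecipient values with spaces.
    """
    return _content_lines(text)


def command_file_to_shell(text: str) -> str:
    """Equivalent one-line invocation, with shell quoting where a value needs it."""
    return "cerma.sh " + " ".join(shlex.quote(arg) for arg in parse_command_file(text))


# Constructed sample files, modelled on the ones in the documentation.
DN_FILE = """#OMS DN File
PLMN-123/OMS-1000
PLMN-123/OMS-1001
"""

MOQUERY_FILE = """#WBTS Query File

//PLMN//RNC//WBTS
[instance() like :pattern]
--variable pattern %Silesia%

//PLMN//MRBTS//LNBTS
"""

COMMAND_FILE = """set
-d
PLMN-PLMN/OMS-2069,PLMN-PLMN/OMS-2070
-cmpServerIpAddress
10.41.100.254
-cmpRecipient
C=FI, O=NSN, CN=MBBTampereRootCA
"""

if __name__ == "__main__":
    print(dn_file_to_option(DN_FILE))
    for query in parse_moquery_file(MOQUERY_FILE):
        print("query:", query.replace("\n", " "))
    print(command_file_to_shell(COMMAND_FILE))
```

Running the module prints the -d list, the two queries of the MOQuery file and the one-line form of the command file, in which the cmpRecipient value with spaces comes out single-quoted, which is exactly the value the command-line form of cerma.sh would not accept.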

11.5.3.2 Set operation


The set operation sets certificate management related parameters on the network element for use in
future certificate management operations.

The following command is used to invoke the set operation:

<cerma tool location> set <options>

The options available for this operation are:

• – -cmpServerIpAddress <ip>
  – -cmpServerPort <port>
  – -cmpPreSharedKey <key>
  – -cmpRefNum <nbr>
  – -cmpRecipient <name>
  – -cmpURL <path>

These options are used to specify the CMP (certificate management protocol) server which should
be used by the network element in future operations. Each of the options specify a new value for
the parameter with the same name as the option.

The cmpServerIpAddress and cmpServerPort parameters define the IP address and port used to
communicate with the CMP server. The cmpServerPort option must be invoked with a value from 1024
to 49152.

The cmpRefNum and cmpPreSharedKey parameters define the reference number and shared secret
key needed to access the CMP server. The cmpRefNum option must be invoked with a value of 10 to
30 characters and the cmpPreSharedKey option with a value of 20 to 30 characters. The characters
supported for both options are 7-bit US-ASCII, except for the US-ASCII coded characters 0x00 to
0x1F, 0x20 and 0x7F and the characters <, >, ", {, }, |, \, ^, ' and :.

The cmpRecipient parameter defines the subject name of the CMP protocol. This also identifies
the CMP server. For example, 'C=COM,O=NSN,CN=RootCA'.

Note:

Spaces inside the cmpRecipient value are not recognized correctly. For example,
C=COM, O=NSN, CN=RootCA will not work as expected. If spaces are necessary, then
use the -f file option to input the command in a file, where spaces are allowed, instead of
on the command line.




The cmpURL parameter defines the relative path of the CMP server directory and must have 1 to
32 characters.

• – -crServerIpAddress <ip>
  – -crServerPort <port>

These two options are used to specify the CR (certificate registration) server which should be
used by the network element in future operations. The first option specifies the IP address of the
CR server and the second option specifies its port. The crServerPort option must be invoked with
a value from 1024 to 49152 (Requirement BTSC_SMGR_490).

• -eeSubjectName <name>

This option is used to specify the value for the end entity subject name which should be generated
during future certificate creation. If this option isn't supported by the network element, the
cerma.sh tool will show an error message during the set operation such as:

PLMN-PLMN/OMS-2093, Network element couldn't set all parameters.
Unrecognized parameters[eeSubjectName:C=FI,O=NSN,CN=10.9.143.192;]

Any number and combination of parameters to be changed can be specified when invoking the set
command.

• Example invocation of the set operation:

/opt/oss/NSN-nwi3/bin/cerma.sh set -d PLMN-PLMN/OMS-2069 -cmpServerIpAddress 10.41.100.254 -cmpServerPort 8081 -crServerIpAddress 10.41.100.254 -crServerPort 389 -cmpPreSharedKey "HJZd-pBZg-p5kq-EGKP-G4cd" -cmpRefNum "7553A8c2638p" -eeSubjectName 'C=COM,O=NSN,CN=1.2.3.4'

11.5.3.3 Remove root certificate operation


This operation causes the targeted network elements to remove their copies of the root certificate.

The options available for this operation are:

1. -issuer '<issuer>'

This mandatory option specifies the issuer of the root certificate to be deleted from the
network element. The value of the issuer must be surrounded by single quotation marks.
The OMS element accepts only reversed notation for the issuer, for example, -issuer
'CN=RootCA,O=NSN,C=COM'. Additionally, cerma.sh supports multiple issuers: the whole value must
be surrounded by single quotation marks and the issuers separated by semicolons, for example,
-issuer 'CN=Root CA,DC=NSN Ulm;CN=Root CA,DC=NSN Ulm'.
2. -serialNumber '<nbr>'

This mandatory option specifies the serial number of the certificate to be deleted from the network
element. Additionally, cerma.sh supports multiple serial numbers: the whole value must be
surrounded by single quotation marks and the serial numbers separated by semicolons, for example,
-serialNumber '68a0ac7;ba8627'.

When operating with multiple issuers and multiple serial numbers, the number of issuers and the
number of serial numbers must be exactly the same.

Example invocations of the remove root certificate operation:

Removing a single CA:

/opt/oss/NSN-nwi3/bin/cerma.sh removeRootCertificate -d PLMN-PLMN/OMS-2059 -issuer 'CN=Nwi3TestIntermediateCA1,O=NSN,C=FI' -serialNumber 05850c3e

Removing multiple CAs:

/opt/oss/NSN-nwi3/bin/cerma.sh removeRootCertificate -d PLMN-PLMN/OMS-2059 -issuer 'CN=Root CA,DC=NSN Ulm;CN=Root CA,DC=NSN Ulm' -serialNumber '68a0ac7;ba8627'
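The set operation above documents fixed constraints on its values (port ranges, the length and character rules for cmpRefNum and cmpPreSharedKey, the cmpURL length, no spaces in cmpRecipient on the command line), and the remove root certificate operation requires the -issuer and -serialNumber lists to have the same number of entries. The following is an added example, not part of the NetAct documentation or of cerma.sh: a pre-flight check that encodes exactly those stated rules so a bad value is reported before anything is pushed to a network element. The parameter dictionary is constructed from the documentation's own set example. One caveat it makes visible: the documented crServerPort range is 1024 to 49152, yet the page's examples use -crServerPort 389, so that example is flagged; the check follows the documented range, and the discrepancy should be settled against the tool's actual behaviour.

```python
"""Pre-flight checks for cerma.sh set and removeRootCertificate arguments.

Added example, not part of the NetAct documentation or of cerma.sh. It
encodes the value constraints the documentation states for the set operation
and the rule that -issuer and -serialNumber lists must pair up, so that a bad
value is reported before anything is pushed to a network element.
"""
from __future__ import annotations

PORT_RANGE = (1024, 49152)
# Printable characters the documentation excludes from cmpRefNum and
# cmpPreSharedKey; control characters, space and DEL are excluded separately.
_FORBIDDEN = set('<>"{}|\\^\':')


def _check_port(name: str, value: str) -> list[str]:
    lo, hi = PORT_RANGE
    if not value.isdigit() or not lo <= int(value) <= hi:
        return [f"{name}: {value!r} not a port in {lo}..{hi}"]
    return []


def _check_secret(name: str, value: str, min_len: int, max_len: int) -> list[str]:
    """Length window plus the 7-bit US-ASCII character rule."""
    problems = []
    if not min_len <= len(value) <= max_len:
        problems.append(f"{name}: length {len(value)} not in {min_len}..{max_len}")
    for ch in value:
        code = ord(ch)
        if code <= 0x20 or code >= 0x7F or ch in _FORBIDDEN:
            problems.append(f"{name}: character {ch!r} (0x{code:02X}) not allowed")
            break
    return problems


def check_set_params(params: dict[str, str]) -> list[str]:
    """Problems with the given set parameters; an empty list means all acceptable.

    Only the parameters present are checked, since the set operation accepts
    any combination of them.
    """
    problems: list[str] = []
    for port in ("cmpServerPort", "crServerPort"):
        if port in params:
            problems += _check_port(port, params[port])
    if "cmpRefNum" in params:
        problems += _check_secret("cmpRefNum", params["cmpRefNum"], 10, 30)
    if "cmpPreSharedKey" in params:
        problems += _check_secret("cmpPreSharedKey", params["cmpPreSharedKey"], 20, 30)
    if "cmpURL" in params and not 1 <= len(params["cmpURL"]) <= 32:
        problems.append("cmpURL: must be 1 to 32 characters")
    if "cmpRecipient" in params and " " in params["cmpRecipient"]:
        problems.append("cmpRecipient: contains spaces; pass the command through -f <file>")
    return problems


def pair_root_certificates(issuer: str, serial_number: str) -> list[tuple[str, str]]:
    """Split ';'-separated -issuer and -serialNumber values and pair them up.

    Raises ValueError when the counts differ, which the documentation
    requires to be exactly the same.
    """
    issuers = [i.strip() for i in issuer.split(";") if i.strip()]
    serials = [s.strip() for s in serial_number.split(";") if s.strip()]
    if len(issuers) != len(serials):
        raise ValueError(f"{len(issuers)} issuers but {len(serials)} serial numbers")
    return list(zip(issuers, serials))


# Constructed input: the parameter values of the documentation's set example.
EXAMPLE_SET = {
    "cmpServerIpAddress": "10.41.100.254",
    "cmpServerPort": "8081",
    "crServerIpAddress": "10.41.100.254",
    "crServerPort": "389",
    "cmpPreSharedKey": "HJZd-pBZg-p5kq-EGKP-G4cd",
    "cmpRefNum": "7553A8c2638p",
    "cmpRecipient": "C=COM,O=NSN,CN=RootCA",
    "cmpURL": "pkix/",
}

if __name__ == "__main__":
    for problem in check_set_params(EXAMPLE_SET) or ["no problems found"]:
        print(problem)
    print(pair_root_certificates("CN=Root CA,DC=NSN Ulm;CN=Root CA,DC=NSN Ulm",
                                 "68a0ac7;ba8627"))
```

The secret check stops at the first disallowed character so that the offending byte is named without echoing the whole key into a log.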

11.5.3.4 Trigger CMP initialization operation


The trigger CMP initialization operation indicates to the NE that it should request a certificate for itself
from the CMP server which it's configured to use and install this certificate. The NE will also download
the root CA and intermediate CA certificates in the certificate's trust chain into its trust store.

The only options for this operation are the common ones listed in Using NWI3 certificate Management
CLI tool.

This is an example invocation of the trigger CMP initialization operation:

/opt/oss/NSN-nwi3/bin/cerma.sh triggerCmpInitSequence -d PLMN-PLMN/OMS-2059

11.5.3.5 Trigger CMP key update sequence operation


The trigger CMP key update sequence operation indicates to the NE that it should obtain a new
certificate for itself from its CMP server.

The NE generates a public/private RSA key pair and sends it in a request to the CMP server to create
a certificate, then installs this certificate as its default certificate.

The only options for this operation are the common ones listed in Using NWI3 certificate Management
CLI tool.

This is an example invocation of the trigger CMP key update sequence operation:

/opt/oss/NSN-nwi3/bin/cerma.sh triggerCmpKeyUpdateSequence -d PLMN-PLMN/OMS-2059,PLMN-PLMN/OMS-2070




11.5.3.6 Trigger Update on Certificate Revocation List operation

The NE updates its CRL data by polling the distribution points of its certificate and any higher-level
certificates up to the trust anchor certificate.

The only options for this operation are the common ones listed in Using NWI3 certificate Management
CLI tool.

Here is an example invocation of the trigger update on CRL operation:

/opt/oss/NSN-nwi3/bin/cerma.sh updateCRL -d PLMN-PLMN/OMS-2059

11.6 Requirements for the end-entity certificate on the network element to communicate successfully with NetAct

• The subject field must follow the rule that the CN attribute must be the IP address of the remote
HTTP server, and that the remaining attributes must be the same as in the Issuer field.

• The certificate must contain the following x509v3 extensions and values:

– X509v3 Basic Constraints:

CA:FALSE

– X509v3 Key Usage:

Digital Signature, Non Repudiation, Key Encipherment

– X509v3 Subject Key Identifier:

39:79:7C:E8:68:55:37:A4:48:84:92:A4:7F:EB:7C:6D:F2:CA:15:8E

– X509v3 Authority Key Identifier:

keyid:4D:D9:7C:13:05:65:D7:09:82:0A:29:BE:0F:69:0E:DC:EA:42:F3:9E

The subject key identifier and authority key identifier values are examples and in reality will be dif-
ferent than those illustrated above.

• If you want to use CRL, one more x509v3 extension is required:

– X509v3 CRL Distribution Points:

Full Name:

URI:http://localhost/NetworkElementCA.crl

where the URI value specifies the location of the CRL published by the end-entity certificate's
issuer.




Here is an example certificate:

Certificate:
Data:
Version: 3 (0x2)
Serial Number: 9243041901530842167 (0x8045e1a340cc0437)
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=FI, O=NSN, CN=NetworkElementCA
Validity
Not Before: Oct 17 16:13:02 2013 GMT
Not After : Aug 26 16:13:02 2023 GMT
Subject: C=FI, O=NSN, CN=10.9.221.192
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:9e:ad:8a:f7:5e:a8:60:85:7a:6d:42:06:aa:35:
73:f9:e0:2a:a1:a4:a8:a7:9c:d7:5e:34:32:dd:96:
2e:a9:ab:99:36:4a:a9:e4:2e:09:1e:74:c2:53:c2:
df:d0:19:27:1d:9d:d3:e2:9d:28:66:76:a5:4d:a4:
46:08:fa:49:ba:45:ae:d2:ce:08:0a:53:75:ea:22:
94:89:98:ef:09:f7:a3:ed:d7:2b:ab:eb:c1:5e:af:
2e:d5:1f:a3:36:2d:7f:bd:a5:96:9e:52:a5:44:03:
41:32:eb:9d:8a:8b:49:69:8c:e4:84:e4:2c:d8:8e:
52:72:1c:64:78:34:3c:d5:89:11:22:ea:23:5c:90:
28:a9:a0:32:73:af:5f:91:5a:25:2a:9a:c8:04:1f:
0a:e1:2e:b9:10:c9:78:61:b0:64:b6:3e:d3:87:35:
36:0d:82:ad:1b:7e:d8:f7:54:0a:0d:7f:e5:9f:93:
62:fb:40:fe:7d:53:72:bb:c0:f8:2e:12:02:31:9b:
3f:1e:9a:91:6a:d3:a6:b8:9f:e5:9a:f9:ab:80:e2:
b4:8c:27:7c:13:a9:b3:f5:7d:16:e6:6d:f8:5b:61:
dc:cf:41:e4:30:6e:43:7f:d6:29:77:67:7f:49:ca:
94:b5:a9:c8:f7:49:85:66:78:32:53:d2:c9:01:f3:
c9:0f
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
X509v3 Key Usage:
Digital Signature, Non Repudiation, Key Encipherment
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
39:79:7C:E8:68:55:37:A4:48:84:92:A4:7F:EB:7C:6D:F2:CA:15:8E
X509v3 Authority Key Identifier:
keyid:4D:D9:7C:13:05:65:D7:09:82:0A:29:BE:0F:69:0E:DC:EA:42:F3:9E
X509v3 CRL Distribution Points:
Full Name:
URI:http://localhost/NetworkElementCA.crl




Signature Algorithm: sha1WithRSAEncryption


3b:ae:c5:92:d5:7b:e9:6d:8b:90:7e:26:65:04:9b:87:94:69:
37:c6:58:50:41:2d:bb:66:2c:3d:1f:b8:4e:e7:21:c3:59:b8:
19:f3:a8:c1:db:b9:9e:5c:37:91:f4:1c:68:ab:0c:64:8d:8b:
11:ad:38:b2:42:31:de:dd:43:30:0c:eb:5d:79:ac:82:8f:06:
2d:0e:9c:dc:3a:07:5f:1e:cd:31:be:46:8e:91:75:81:ed:de:
f5:40:d3:78:2b:78:a2:03:f1:a4:2c:6a:59:62:93:99:df:a7:
74:58:31:33:ae:6e:a5:65:b4:d9:73:c2:97:8a:42:7b:7c:e8:
7a:7d:89:8b:39:89:63:58:e4:c1:69:2d:67:45:09:41:d7:4d:
3a:0e:5f:75:a1:0f:ff:60:e6:ae:4f:90:59:dd:24:72:79:fc:
e9:2b:4d:66:a6:a2:ed:8b:30:3b:36:5e:a0:57:72:56:73:a7:
21:80:fe:e1:65:4e:4b:fb:a2:b1:53:52:77:8e:07:dd:c1:3d:
2d:78:ca:c9:27:d4:77:0e:b2:5f:7c:a4:b6:36:ee:00:9a:05:
b8:72:31:28:80:af:cd:19:cd:62:1b:a1:78:0b:d0:f2:ad:28:
0f:01:b6:60:88:2d:be:43:36:6d:18:bb:50:69:86:9c:e0:15:
20:a6:5f:72:0f:53:5a:86:e2:94:6b:f6:d3:8a:6b:83:d6:1f:
44:0c:b2:c4:fa:69:bb:a3:a5:20:83:85:b2:aa:35:0b:e2:0b:
45:f0:e1:18:4b:bd:85:6b:c3:36:c7:87:65:69:da:58:1a:3f:
76:ff:94:ab:1b:63:2d:cb:4b:30:48:b9:09:77:42:cc:f4:63:
43:84:95:be:89:64:9c:d3:bc:0b:b1:9b:9a:28:26:a4:cd:9c:
9c:4a:87:6a:c0:b6:65:e9:4f:54:be:fe:9f:2b:d3:4f:b8:11:
44:69:72:bf:2f:58:a6:67:f8:8c:63:2f:8c:60:ec:60:62:74:
0e:4b:db:49:51:9b:8e:c1:ef:f7:bf:eb:d6:a0:fd:ec:dd:0b:
28:55:48:6f:0b:cf:99:e2:0f:46:8e:6e:68:07:4e:fc:4f:28:
02:c5:17:4a:e9:5d:79:49:6e:97:c6:c0:fa:1a:d5:58:63:59:
09:b6:30:05:33:4e:2f:a5:52:e3:ea:fd:20:95:c3:c0:52:5f:
fe:7b:18:a0:0b:2b:bd:1d:2a:0e:c4:10:ec:ed:37:da:c7:93:
25:f5:21:3c:e6:33:0b:b6:09:84:63:b7:9c:e7:8f:14:77:da:
f3:1d:f7:51:5f:1e:1c:7c:18:ae:65:60:5d:22:fc:d5:78:64:
9c:7e:11:9b:c3:81:b8:1e
-----BEGIN CERTIFICATE-----
MIIE6TCCAtGgAwIBAgIJAIBF4aNAzAQ3MA0GCSqGSIb3DQEBBQUAMDYxCzAJBgNV
BAYTAkZJMQwwCgYDVQQKDANOU04xFzAVBgNVBAMMDkludGVybWVkaWF0ZUNBMB4X
DTEzMTAxNzE2MDUzNloXDTIzMDgyNjE2MDUzNlowNjELMAkGA1UEBhMCRkkxDDAK
BgNVBAoMA05TTjEZMBcGA1UEAwwQTmV0d29ya0VsZW1lbnRDQTCCAiIwDQYJKoZI
hvcNAQEBBQADggIPADCCAgoCggIBALCpIZxUwIy3+i3hiantWU/pyeQtvdo1KoEh
lH7tmdmXIpcKbkXLEAJy4yU1WB45I9jB3xma43qLq9nkpPoHkuC8i5ASDW1ptZSv
QPkrPazt0zJR2bWWtVZXiXeYTeiueBYxmZ9TzUzMmVEm7cjzhsaEEj8aaPc1J9ZN
HoRXNPjHohq5d9T4O3v2b4AOBFFNgOt/J+q4bPxcBsvJptH0nu9ZBZ9vCIXRphtl
5+w9v31+AuX7WJFA8A4llwWg9uknugp83pMNXMcj3pdsfnqn9ThzkfBe0YQ2aFO6
Xaqe6gyXOeRdXtyOijfRGftmsCNm7hmMglQJNK8mItA4kOsItqsHWsHMEVWfq7Wp
uZwM0+K62FetjHbXl5YVONeEfdxPt5gBhVP+r1FLLOlm2nKeh1R3Yt0CS/3USZYm
YtLQO7nCe2WZYwD8az9p3gesiWa2g8aZBjq4j4wj4sEYS10cjZ3pHmCHUvUnb0cq
3KnVSpedUiiIzCg5mUyBUk/wQ+8ZqO/+Xr/BeWLzmeMg4r4Luds9tVhL/WEXjztr
sDCKhbmU4NwCYYqLHHWMDN+liTmmTMdLb8tuRsscWA5jcmbM6Z78TdNbXRKz2Vlj
V+ptacmflUT0Gq+kevd6GJkdjzvyELVbIf/EwMXWuraPLIvRtl1e9GmCPQWxaSAJ
IkOyD1cFAgMBAAGjgc4wgcswHQYDVR0OBBYEFE3ZfBMFZdcJggopvg9pDtzqQvOe
MB8GA1UdIwQYMBaAFJinP/7oeRBcf4qMJYkGc2bKriKhMAwGA1UdEwQFMAMBAf8w
CwYDVR0PBAQDAgEGMG4GA1UdHwRnMGUwY6AnoCWGI2h0dHA6Ly9sb2NhbGhvc3Qv
SW50ZXJtZWRpYXRlQ0EuY3JsojikNjA0MQswCQYDVQQGEwJGSTEMMAoGA1UEChMD

TlNOMRcwFQYDVQQDEw5JbnRlcm1lZGlhdGVDQTANBgkqhkiG9w0BAQUFAAOCAgEA
UUHWax4K213BNrendr+0alnENQMK9Hr8hj5s7GGmsB1ZjN0HVKXGNURNvMNsJuu2
M/MhbaWEZeqOzwAk+xdapGj2gmrnXY9EGWBi+hAiJwFr2TEGLUhlQzidoQfsOJZU
FPkp1U2nvC6Yfkuh28sBh8tAEnZdNhDl6Rpfcrsv0MAFuFpFYlnTi+gYGxdCD5CW
U6vJbPvzNA4Lv8Bq+CsatPDBZJuJiNb1tkaR5tRd99Yob6fACWkuP5VjE0QrL2nW
OtF5fd5M83u6bdyG+qmoE01b0lbOsoa5DeiaEPGhUDdIgWIrHQ7Lh5oXD8GjQ7X/
dzNiLl4/AkClBeL2HV1tw21AKoC4qT9fRr1kPvBUC4w+ozL9MnycYK7gFt4ufA2a
zIhOh31asp3mABw4775tSP+kwSsiPnEzTmvH1pqwhd8P6RuT4XSswAX8Gm262gaO
3vIGc3MwVBXTOSn5/D15chhKxalOzUH5fxmeun3UMiax+TW4Y0/FXY58pzIP2BEb
jfzIJPl34MbNu9utasofzxISJO5tI/ZX8yDbwIyVSf3jEl5sRDJ90PISVLFTOdcB
H1h9by8tHaIaDUlgxPAep0pNyLa0oOJhdiEkC1GVVSyYmbeJKxVdZkzhP+sQ5GTn
v6u7cWyCnw7b/kz5dT2Rg6Oqb57NGKugi0iNyrUi7uE=
-----END CERTIFICATE-----

11.7 Requirements for the CA certificate on the network element to communicate successfully with NetAct

• The subject field must follow the rule that the attributes must be the same as in the Issuer field, ex-
cept for the CN attribute. Ideally the CN attribute shouldn't contain spaces as this may cause prob-
lems on some network elements.
• The certificate must contain the following x509v3 extensions and values:

– X509v3 Basic Constraints:

CA:TRUE

– X509v3 Key Usage:

Certificate Sign

– X509v3 Subject Key Identifier:

4D:D9:7C:13:05:65:D7:09:82:0A:29:BE:0F:69:0E:DC:EA:42:F3:9E

– X509v3 Authority Key Identifier:

keyid:98:A7:3F:FE:E8:79:10:5C:7F:8A:8C:25:89:06:73:66:CA:AE:22:A1

The subject key identifier and authority key identifier values are of course just examples and in
reality will be different than those illustrated above.

• If you want to use CRL, one more x509v3 extension is required:

– X509v3 Key Usage:

Certificate Sign, CRL Sign

and one more x509v3 extension is required:




– X509v3 CRL Distribution Points:

Full Name:

URI:http://localhost/IntermediateCA.crl

where the URI value specifies the location of the CRL published by the CA's issuer. Note that
this means that root CAs don't have CRL distribution points, because they don't have issuers
which could issue CRLs to them.

Here is an example certificate:

Certificate:
Data:
Version: 3 (0x2)
Serial Number: 9298153040308033327 (0x8109aced2ac7572f)
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=FI, O=NSN, CN=IntermediateCA
Validity
Not Before: Oct 17 16:05:36 2013 GMT
Not After : Aug 26 16:05:36 2023 GMT
Subject: C=FI, O=NSN, CN=NetworkElementCA
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (4096 bit)
Modulus:
00:b0:a9:21:9c:54:c0:8c:b7:fa:2d:e1:89:a9:ed:
59:4f:e9:c9:e4:2d:bd:da:35:2a:81:21:94:7e:ed:
99:d9:97:22:97:0a:6e:45:cb:10:02:72:e3:25:35:
58:1e:39:23:d8:c1:df:19:9a:e3:7a:8b:ab:d9:e4:
a4:fa:07:92:e0:bc:8b:90:12:0d:6d:69:b5:94:af:
40:f9:2b:3d:ac:ed:d3:32:51:d9:b5:96:b5:56:57:
89:77:98:4d:e8:ae:78:16:31:99:9f:53:cd:4c:cc:
99:51:26:ed:c8:f3:86:c6:84:12:3f:1a:68:f7:35:
27:d6:4d:1e:84:57:34:f8:c7:a2:1a:b9:77:d4:f8:
3b:7b:f6:6f:80:0e:04:51:4d:80:eb:7f:27:ea:b8:
6c:fc:5c:06:cb:c9:a6:d1:f4:9e:ef:59:05:9f:6f:
08:85:d1:a6:1b:65:e7:ec:3d:bf:7d:7e:02:e5:fb:
58:91:40:f0:0e:25:97:05:a0:f6:e9:27:ba:0a:7c:
de:93:0d:5c:c7:23:de:97:6c:7e:7a:a7:f5:38:73:
91:f0:5e:d1:84:36:68:53:ba:5d:aa:9e:ea:0c:97:
39:e4:5d:5e:dc:8e:8a:37:d1:19:fb:66:b0:23:66:
ee:19:8c:82:54:09:34:af:26:22:d0:38:90:eb:08:
b6:ab:07:5a:c1:cc:11:55:9f:ab:b5:a9:b9:9c:0c:
d3:e2:ba:d8:57:ad:8c:76:d7:97:96:15:38:d7:84:
7d:dc:4f:b7:98:01:85:53:fe:af:51:4b:2c:e9:66:
da:72:9e:87:54:77:62:dd:02:4b:fd:d4:49:96:26:
62:d2:d0:3b:b9:c2:7b:65:99:63:00:fc:6b:3f:69:
de:07:ac:89:66:b6:83:c6:99:06:3a:b8:8f:8c:23:
e2:c1:18:4b:5d:1c:8d:9d:e9:1e:60:87:52:f5:27:




6f:47:2a:dc:a9:d5:4a:97:9d:52:28:88:cc:28:39:
99:4c:81:52:4f:f0:43:ef:19:a8:ef:fe:5e:bf:c1:
79:62:f3:99:e3:20:e2:be:0b:b9:db:3d:b5:58:4b:
fd:61:17:8f:3b:6b:b0:30:8a:85:b9:94:e0:dc:02:
61:8a:8b:1c:75:8c:0c:df:a5:89:39:a6:4c:c7:4b:
6f:cb:6e:46:cb:1c:58:0e:63:72:66:cc:e9:9e:fc:
4d:d3:5b:5d:12:b3:d9:59:63:57:ea:6d:69:c9:9f:
95:44:f4:1a:af:a4:7a:f7:7a:18:99:1d:8f:3b:f2:
10:b5:5b:21:ff:c4:c0:c5:d6:ba:b6:8f:2c:8b:d1:
b6:5d:5e:f4:69:82:3d:05:b1:69:20:09:22:43:b2:
0f:57:05
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:
4D:D9:7C:13:05:65:D7:09:82:0A:29:BE:0F:69:0E:DC:EA:42:F3:9E
X509v3 Authority Key Identifier:
keyid:98:A7:3F:FE:E8:79:10:5C:7F:8A:8C:25:89:06:73:66:CA:AE:22:A1
X509v3 Basic Constraints:
CA:TRUE
X509v3 Key Usage:
Certificate Sign, CRL Sign
X509v3 CRL Distribution Points:
Full Name:
URI:http://localhost/IntermediateCA.crl
Signature Algorithm: sha1WithRSAEncryption
51:41:d6:6b:1e:0a:db:5d:c1:36:b7:a7:76:bf:b4:6a:59:c4:
35:03:0a:f4:7a:fc:86:3e:6c:ec:61:a6:b0:1d:59:8c:dd:07:
54:a5:c6:35:44:4d:bc:c3:6c:26:eb:b6:33:f3:21:6d:a5:84:
65:ea:8e:cf:00:24:fb:17:5a:a4:68:f6:82:6a:e7:5d:8f:44:
19:60:62:fa:10:22:27:01:6b:d9:31:06:2d:48:65:43:38:9d:
a1:07:ec:38:96:54:14:f9:29:d5:4d:a7:bc:2e:98:7e:4b:a1:
db:cb:01:87:cb:40:12:76:5d:36:10:e5:e9:1a:5f:72:bb:2f:
d0:c0:05:b8:5a:45:62:59:d3:8b:e8:18:1b:17:42:0f:90:96:
53:ab:c9:6c:fb:f3:34:0e:0b:bf:c0:6a:f8:2b:1a:b4:f0:c1:
64:9b:89:88:d6:f5:b6:46:91:e6:d4:5d:f7:d6:28:6f:a7:c0:
09:69:2e:3f:95:63:13:44:2b:2f:69:d6:3a:d1:79:7d:de:4c:
f3:7b:ba:6d:dc:86:fa:a9:a8:13:4d:5b:d2:56:ce:b2:86:b9:
0d:e8:9a:10:f1:a1:50:37:48:81:62:2b:1d:0e:cb:87:9a:17:
0f:c1:a3:43:b5:ff:77:33:62:2e:5e:3f:02:40:a5:05:e2:f6:
1d:5d:6d:c3:6d:40:2a:80:b8:a9:3f:5f:46:bd:64:3e:f0:54:
0b:8c:3e:a3:32:fd:32:7c:9c:60:ae:e0:16:de:2e:7c:0d:9a:
cc:88:4e:87:7d:5a:b2:9d:e6:00:1c:38:ef:be:6d:48:ff:a4:
c1:2b:22:3e:71:33:4e:6b:c7:d6:9a:b0:85:df:0f:e9:1b:93:
e1:74:ac:c0:05:fc:1a:6d:ba:da:06:8e:de:f2:06:73:73:30:
54:15:d3:39:29:f9:fc:3d:79:72:18:4a:c5:a9:4e:cd:41:f9:
7f:19:9e:ba:7d:d4:32:26:b1:f9:35:b8:63:4f:c5:5d:8e:7c:
a7:32:0f:d8:11:1b:8d:fc:c8:24:f9:77:e0:c6:cd:bb:db:ad:
6a:ca:1f:cf:12:12:24:ee:6d:23:f6:57:f3:20:db:c0:8c:95:
49:fd:e3:12:5e:6c:44:32:7d:d0:f2:12:54:b1:53:39:d7:01:
1f:58:7d:6f:2f:2d:1d:a2:1a:0d:49:60:c4:f0:1e:a7:4a:4d:

c8:b6:b4:a0:e2:61:76:21:24:0b:51:95:55:2c:98:99:b7:89:
2b:15:5d:66:4c:e1:3f:eb:10:e4:64:e7:bf:ab:bb:71:6c:82:
9f:0e:db:fe:4c:f9:75:3d:91:83:a3:aa:6f:9e:cd:18:ab:a0:
8b:48:8d:ca:b5:22:ee:e1
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----

11.8 Requirements for the CRLs used by NetAct and by the network element to function correctly

• The CRL must be in the DER format.
• The CRL's Issuer field must specify the same CA as the Issuer field of the certificate which con-
tains a distribution point specifying the CRL. This should be kept in mind when specifying CRL dis-
tribution points during certificate creation.
• The CRL must contain the following x509v3 extensions and values:




– X509v3 Authority Key Identifier:

keyid:BA:25:43:54:D2:C7:EC:24:4F:1B:B1:EF:6F:F5:CB:11:D0:C5:12:9A

– X509v3 Issuing Distribution Point: critical

Full Name:

URI:ftp://10.9.137.138/pub/NetActCA.crl

Indirect CRL

The authority key identifier value is of course just an example and in reality will be different
than the one above.

The URI value must point to the CRL file itself.

Here is an example CRL:

Certificate Revocation List (CRL):
Version 2 (0x1)
Signature Algorithm: sha1WithRSAEncryption
Issuer: /C=FI/O=NSN/CN=NetActCA
Last Update: Oct 18 08:42:55 2013 GMT
Next Update: Nov 17 08:42:55 2013 GMT
CRL extensions:
X509v3 Authority Key Identifier:
keyid:BA:25:43:54:D2:C7:EC:24:4F:1B:B1:EF:6F:F5:CB:11:D0:C5:12:9A
X509v3 Issuing Distrubution Point: critical
Full Name:
URI:ftp://10.9.137.138/pub/NetActCA.crl
Indirect CRL
X509v3 CRL Number:
44
No Revoked Certificates.
Signature Algorithm: sha1WithRSAEncryption
15:cd:39:91:69:9b:a8:87:c0:2d:67:ff:38:ce:da:30:9b:68:
4a:85:68:fa:46:20:b8:d9:8c:72:68:e8:44:a3:bf:82:54:72:
3a:f6:42:f1:97:04:15:99:2c:01:42:b9:41:de:4b:20:ef:39:
ec:46:95:62:6a:71:ba:f3:38:f0:c9:b2:e7:d4:37:72:25:c2:
9b:f2:af:0e:8e:a4:76:13:4d:76:06:d6:e4:92:55:b8:f2:02:
b0:e4:b7:8e:d0:f8:19:59:29:b2:98:1c:04:2f:75:4b:6a:7a:
c0:58:d6:52:f0:52:04:4a:43:4b:57:8e:c1:28:2d:c2:8e:97:
07:9c:b7:18:86:22:85:72:75:bb:2b:b5:20:fb:eb:bb:a7:52:
66:ae:f6:6f:96:87:80:bc:f4:b8:23:05:17:59:8e:6c:b6:ae:
b9:79:11:1d:9e:03:1f:74:96:31:00:24:ea:4f:b5:19:d5:3b:
45:b0:c5:76:ca:52:ca:bf:53:2d:b6:32:74:ab:13:35:10:a9:
7b:fc:ec:b7:69:92:2b:29:ac:90:e5:c1:31:72:9a:c2:be:f1:
6a:fe:46:91:7e:19:4d:be:12:9c:44:3e:98:ac:63:38:27:0b:
18:ba:62:69:17:72:e4:cc:b3:45:ec:79:b5:16:d5:36:43:fd:
5f:4d:b8:6a:fd:57:d2:71:33:72:a0:e9:db:3f:a5:ea:e6:3c:




2e:6d:6a:b2:68:ec:36:75:d4:51:d1:07:c4:e9:36:da:1a:d5:
39:ee:c8:9e:d9:87:27:ed:d7:76:75:9b:b2:1d:9f:1a:63:16:
ef:74:c0:93:05:ec:3a:d7:e7:46:16:9f:5e:c6:9d:2a:b5:90:
f1:44:fd:34:8b:4f:bf:b9:59:6d:87:fe:20:22:89:73:c7:21:
9b:9a:98:30:96:f2:54:a4:6d:78:19:8c:5b:5d:03:91:02:de:
3a:2c:4a:c0:45:63:ab:51:4e:61:97:ec:24:0b:bb:62:0e:c6:
1f:c9:8e:75:45:5d:cb:11:a2:b4:07:3c:92:65:8c:6e:46:9f:
76:f7:61:a9:3c:0b:12:74:62:12:57:f8:63:aa:6c:32:ab:aa:
4a:a2:29:b8:00:7b:81:6a:31:78:84:aa:38:90:c7:22:08:f4:
de:4c:3e:27:ea:7b:6f:1d:02:ef:e0:a3:f6:16:8c:eb:2b:bf:
5c:c7:29:ae:38:e0:10:8c:72:37:e3:bb:b5:df:ee:18:a7:d0:
14:a4:93:15:a9:f9:2c:c4:ff:91:ba:bc:22:63:1b:48:ee:37:
95:1d:78:c0:ed:19:fa:ba:20:97:8c:0e:4c:98:f6:69:1e:7b:
b9:a3:96:0b:c1:17:aa:47
-----BEGIN X509 CRL-----
MIIC4jCBywIBATANBgkqhkiG9w0BAQUFADAuMQswCQYDVQQGEwJGSTEMMAoGA1UE
CgwDTlNOMREwDwYDVQQDDAhOZXRBY3RDQRcNMTMxMDE4MDg0MjU1WhcNMTMxMTE3
MDg0MjU1WqBpMGcwHwYDVR0jBBgwFoAUuiVDVNLH7CRPG7Hvb/XLEdDFEpowOAYD
VR0cAQH/BC4wLKAnoCWGI2Z0cDovLzEwLjkuMTM3LjEzOC9wdWIvTmV0QWN0Q0Eu
Y3JshAH/MAoGA1UdFAQDAgEsMA0GCSqGSIb3DQEBBQUAA4ICAQAVzTmRaZuoh8At
Z/84ztowm2hKhWj6RiC42YxyaOhEo7+CVHI69kLxlwQVmSwBQrlB3ksg7znsRpVi
anG68zjwybLn1DdyJcKb8q8OjqR2E012BtbkklW48gKw5LeO0PgZWSmymBwEL3VL
anrAWNZS8FIESkNLV47BKC3CjpcHnLcYhiKFcnW7K7Ug++u7p1JmrvZvloeAvPS4
IwUXWY5stq65eREdngMfdJYxACTqT7UZ1TtFsMV2ylLKv1MttjJ0qxM1EKl7/Oy3
aZIrKayQ5cExcprCvvFq/kaRfhlNvhKcRD6YrGM4JwsYumJpF3LkzLNF7Hm1FtU2
Q/1fTbhq/VfScTNyoOnbP6Xq5jwubWqyaOw2ddRR0QfE6TbaGtU57sie2Ycn7dd2
dZuyHZ8aYxbvdMCTBew61+dGFp9exp0qtZDxRP00i0+/uVlth/4gIolzxyGbmpgw
lvJUpG14GYxbXQORAt46LErARWOrUU5hl+wkC7tiDsYfyY51RV3LEaK0BzySZYxu
Rp9292GpPAsSdGISV/hjqmwyq6pKoim4AHuBajF4hKo4kMciCPTeTD4n6ntvHQLv
4KP2FozrK79cxymuOOAQjHI347u13+4Yp9AUpJMVqfksxP+RurwiYxtI7jeVHXjA
7Rn6uiCXjA5MmPZpHnu5o5YLwReqRw==
-----END X509 CRL-----
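Sections 11.6 to 11.8 state their requirements as properties visible in the text dump, so they can be verified on the openssl text output before a certificate or CRL is deployed. The following is an added example, not part of the NetAct documentation or of any Nokia tool: it parses the `openssl x509 -text` and `openssl crl -text` form (with the indentation openssl produces, which the copies printed above have lost) using only the standard library, and reports which of the stated requirements are not met. The embedded dumps are constructed from the examples above with key and signature bytes removed; the CRL sample is given the NetworkElementCA issuer so that it matches the end-entity certificate (the NetActCA CRL printed above has a different issuer and would be reported as not matching that certificate). Function and sample names are this example's own.

```python
"""Checks for the certificate and CRL requirements in sections 11.6 to 11.8.

Added example, not part of the NetAct documentation or of any Nokia tool. It
works on the text that `openssl x509 -text` and `openssl crl -text` print (the
form the documentation shows), so only the standard library is needed; the
dumps below are constructed from the documentation's examples.
"""
from __future__ import annotations
import ipaddress
import re


def parse_dn(dn: str) -> dict[str, str]:
    """'C=FI, O=NSN, CN=x' or '/C=FI/O=NSN/CN=x' -> {'C': 'FI', 'O': 'NSN', 'CN': 'x'}."""
    parts = re.split(r",\s*|/", dn.strip().lstrip("/"))
    return dict(p.split("=", 1) for p in parts if "=" in p)

def _field(dump: str, label: str) -> str:
    """Text after `label` on its line, e.g. the DN after 'Issuer:'."""
    m = re.search(rf"^[ \t]*{re.escape(label)}[ \t]*(.*)$", dump, re.M)
    return m.group(1).strip() if m else ""

def _extension(dump: str, name_re: str) -> str:
    """Body of an X509v3 extension: the lines indented deeper than its header."""
    m = re.search(rf"^([ \t]*){name_re}:[^\n]*\n((?:\1[ \t]+[^\n]*\n?)*)", dump, re.M)
    return m.group(2).strip() if m else ""


def check_certificate(dump: str, ca: bool, use_crl: bool = True, root: bool = False) -> list[str]:
    """Section 11.6 rules when ca=False, 11.7 when ca=True; root=True waives the CRL DP."""
    subject, issuer = parse_dn(_field(dump, "Subject:")), parse_dn(_field(dump, "Issuer:"))
    problems = []
    if {k: v for k, v in subject.items() if k != "CN"} != {k: v for k, v in issuer.items() if k != "CN"}:
        problems.append("subject attributes other than CN differ from the issuer's")
    cn = subject.get("CN", "")
    if ca:
        if " " in cn:
            problems.append("CA CN contains spaces, which some network elements reject")
        needed = ("Certificate Sign", "CRL Sign") if use_crl else ("Certificate Sign",)
    else:
        try:
            ipaddress.ip_address(cn)
        except ValueError:
            problems.append("end-entity CN is not the IP address of the HTTP server")
        needed = ("Digital Signature", "Non Repudiation", "Key Encipherment")
    flag = "CA:TRUE" if ca else "CA:FALSE"
    if flag not in _extension(dump, "X509v3 Basic Constraints"):
        problems.append(f"Basic Constraints must be {flag}")
    usage = _extension(dump, "X509v3 Key Usage")
    problems += [f"Key Usage lacks {u}" for u in needed if u not in usage]
    problems += [f"{e} missing" for e in ("X509v3 Subject Key Identifier",
                 "X509v3 Authority Key Identifier") if not _extension(dump, e)]
    # a root CA has no issuer that could publish a CRL for it, hence no distribution point
    if use_crl and not root and "URI:" not in _extension(dump, "X509v3 CRL Distribution Points"):
        problems.append("CRL Distribution Points URI missing")
    return problems


def check_crl(crl_dump: str, cert_dump: str, crl_bytes: bytes = b"\x30") -> list[str]:
    """Section 11.8: DER encoding, issuer equal to the pointing certificate's issuer, AKI, IDP."""
    problems = []
    if crl_bytes[:1] != b"\x30":  # DER starts with an ASN.1 SEQUENCE tag, PEM with '-----'
        problems.append("CRL is not DER encoded")
    if parse_dn(_field(crl_dump, "Issuer:")) != parse_dn(_field(cert_dump, "Issuer:")):
        problems.append("CRL issuer differs from the certificate's issuer")
    if not _extension(crl_dump, "X509v3 Authority Key Identifier"):
        problems.append("Authority Key Identifier missing")
    # older OpenSSL prints 'Issuing Distrubution Point' (sic), hence the loose pattern
    if "URI:" not in _extension(crl_dump, r"X509v3 Issuing Distr\w+ Point"):
        problems.append("Issuing Distribution Point URI missing")
    return problems


# Constructed dumps, abridged from the documentation's examples.
EE_CERT = """\
        Issuer: C=FI, O=NSN, CN=NetworkElementCA
        Subject: C=FI, O=NSN, CN=10.9.221.192
            X509v3 Basic Constraints:
                CA:FALSE
            X509v3 Key Usage:
                Digital Signature, Non Repudiation, Key Encipherment
            X509v3 Subject Key Identifier:
                39:79:7C:E8:68:55:37:A4:48:84:92:A4:7F:EB:7C:6D:F2:CA:15:8E
            X509v3 Authority Key Identifier:
                keyid:4D:D9:7C:13:05:65:D7:09:82:0A:29:BE:0F:69:0E:DC:EA:42:F3:9E
            X509v3 CRL Distribution Points:
                Full Name:
                  URI:http://localhost/NetworkElementCA.crl
"""
CA_CERT = (EE_CERT.replace("CN=NetworkElementCA", "CN=IntermediateCA")
           .replace("CN=10.9.221.192", "CN=NetworkElementCA").replace("CA:FALSE", "CA:TRUE")
           .replace("Digital Signature, Non Repudiation, Key Encipherment", "Certificate Sign, CRL Sign")
           .replace("NetworkElementCA.crl", "IntermediateCA.crl"))
CRL_TEXT = """\
        Issuer: /C=FI/O=NSN/CN=NetworkElementCA
            X509v3 Authority Key Identifier:
                keyid:4D:D9:7C:13:05:65:D7:09:82:0A:29:BE:0F:69:0E:DC:EA:42:F3:9E
            X509v3 Issuing Distrubution Point: critical
                Full Name:
                  URI:http://localhost/NetworkElementCA.crl
"""
```

On a real system, feed `check_certificate` the output of `openssl x509 -in <file> -noout -text` and `check_crl` the output of `openssl crl -in <file> -inform DER -noout -text` together with the file's first bytes; an empty list means every listed requirement was found, and the subject/issuer comparison is exact, so a stray space or reordered attribute is reported rather than silently accepted.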




12 Managing XoH Interface Security

12.1 Supported XOH ciphers


Table 8: Cipher suite name lists the XOH ciphers and their order. The XOH ciphers are ordered from
strong to weak.

If disabling a weak cipher causes connection problems, enable the weak cipher using its Equivalent
JSSE cipher suite name from the table. For detailed instructions, see Enabling weak ciphers.

If you want to disable more ciphers by their Equivalent JSSE cipher suite name listed in the table, see
the instructions in Disabling weak ciphers.

Cipher suite name in TLS RFC specification | Equivalent JSSE cipher suite name       | Weak/Strong Cipher
-------------------------------------------|-----------------------------------------|-------------------
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384    | TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 | Strong
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256    | TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 | Strong
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384      | TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384   | Strong
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256      | TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256   | Strong
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384    | TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 | Strong
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256    | TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 | Strong
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256    | TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 | Strong
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384      | TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384   | Strong
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256      | TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256   | Strong
TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384     | TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384  | Strong
TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256     | TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256  | Strong
TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384     | TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384  | Strong
TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384       | TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384    | Strong
TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256       | TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256    | Strong
TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384     | TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384  | Strong
TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256     | TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256  | Strong
TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384       | TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384    | Strong
TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256       | TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256    | Strong
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256        | TLS_DHE_RSA_WITH_AES_128_GCM_SHA256     | Strong
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384        | TLS_DHE_RSA_WITH_AES_256_GCM_SHA384     | Strong
TLS_DHE_DSS_WITH_AES_128_GCM_SHA256        | TLS_DHE_DSS_WITH_AES_128_GCM_SHA256     | Strong
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256        | TLS_DHE_RSA_WITH_AES_256_CBC_SHA256     | Strong
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256        | TLS_DHE_RSA_WITH_AES_128_CBC_SHA256     | Strong
TLS_DHE_DSS_WITH_AES_256_CBC_SHA256        | TLS_DHE_DSS_WITH_AES_256_CBC_SHA256     | Strong
TLS_DHE_DSS_WITH_AES_128_CBC_SHA256        | TLS_DHE_DSS_WITH_AES_128_CBC_SHA256     | Strong
TLS_RSA_WITH_AES_256_GCM_SHA384            | TLS_RSA_WITH_AES_256_GCM_SHA384         | Strong
TLS_RSA_WITH_AES_128_GCM_SHA256            | TLS_RSA_WITH_AES_128_GCM_SHA256         | Strong
TLS_RSA_WITH_AES_256_CBC_SHA256            | TLS_RSA_WITH_AES_256_CBC_SHA256         | Strong
TLS_RSA_WITH_AES_128_CBC_SHA256            | TLS_RSA_WITH_AES_128_CBC_SHA256         | Strong
TLS_DH_anon_WITH_AES_256_GCM_SHA384        | TLS_DH_anon_WITH_AES_256_GCM_SHA384     | Strong
TLS_DH_anon_WITH_AES_128_GCM_SHA256        | TLS_DH_anon_WITH_AES_128_GCM_SHA256     | Strong
TLS_DH_anon_WITH_AES_256_CBC_SHA256        | TLS_DH_anon_WITH_AES_256_CBC_SHA256     | Strong
TLS_DH_anon_WITH_AES_128_CBC_SHA256        | TLS_DH_anon_WITH_AES_128_CBC_SHA256     | Strong
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA       | TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA    | Weak
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA       | TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA    | Weak
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA         | TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA      | Weak
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA         | TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA      | Weak
TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA        | TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA     | Weak
TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA        | TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA     | Weak
TLS_ECDH_RSA_WITH_AES_128_CBC_SHA          | TLS_ECDH_RSA_WITH_AES_128_CBC_SHA       | Weak
TLS_DHE_RSA_WITH_AES_256_CBC_SHA           | TLS_DHE_RSA_WITH_AES_256_CBC_SHA        | Weak
TLS_DHE_RSA_WITH_AES_128_CBC_SHA           | TLS_DHE_RSA_WITH_AES_128_CBC_SHA        | Weak
TLS_DHE_DSS_WITH_AES_256_CBC_SHA           | TLS_DHE_DSS_WITH_AES_256_CBC_SHA        | Weak
TLS_DHE_DSS_WITH_AES_128_CBC_SHA           | TLS_DHE_DSS_WITH_AES_128_CBC_SHA        | Weak
TLS_RSA_WITH_AES_256_CBC_SHA               | TLS_RSA_WITH_AES_256_CBC_SHA            | Weak
TLS_RSA_WITH_AES_128_CBC_SHA               | TLS_RSA_WITH_AES_128_CBC_SHA            | Weak
TLS_ECDH_anon_WITH_AES_256_CBC_SHA         | TLS_ECDH_anon_WITH_AES_256_CBC_SHA      | Weak
TLS_ECDH_anon_WITH_AES_128_CBC_SHA         | TLS_ECDH_anon_WITH_AES_128_CBC_SHA      | Weak
TLS_DH_anon_WITH_AES_256_CBC_SHA           | TLS_DH_anon_WITH_AES_256_CBC_SHA        | Weak
TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA        | TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA     | Weak
TLS_DH_anon_WITH_AES_128_CBC_SHA           | TLS_DH_anon_WITH_AES_128_CBC_SHA        | Weak
TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA      | TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA   | Weak
TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA       | TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA    | Weak
TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA         | TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA      | Weak
TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA        | TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA     | Weak
TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA          | SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA       | Weak
TLS_RSA_WITH_3DES_EDE_CBC_SHA              | SSL_RSA_WITH_3DES_EDE_CBC_SHA           | Weak
SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA          | SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA       | Weak
SSL_DH_anon_WITH_3DES_EDE_CBC_SHA          | SSL_DH_anon_WITH_3DES_EDE_CBC_SHA       | Weak
TLS_KRB5_WITH_3DES_EDE_CBC_SHA             | TLS_KRB5_WITH_3DES_EDE_CBC_SHA          | Weak
SSL_DHE_RSA_WITH_DES_CBC_SHA               | SSL_DHE_RSA_WITH_DES_CBC_SHA            | Weak
SSL_DHE_DSS_WITH_DES_CBC_SHA               | SSL_DHE_DSS_WITH_DES_CBC_SHA            | Weak
SSL_RSA_WITH_DES_CBC_SHA                   | SSL_RSA_WITH_DES_CBC_SHA                | Weak
SSL_DH_anon_WITH_DES_CBC_SHA               | SSL_DH_anon_WITH_DES_CBC_SHA            | Weak
TLS_KRB5_WITH_DES_CBC_SHA                  | TLS_KRB5_WITH_DES_CBC_SHA               | Weak
SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA      | SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA   | Weak
SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA      | SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA   | Weak
SSL_RSA_EXPORT_WITH_DES40_CBC_SHA          | SSL_RSA_EXPORT_WITH_DES40_CBC_SHA       | Weak
SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA      | SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA   | Weak
TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA        | TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA     | Weak
TLS_ECDHE_ECDSA_WITH_RC4_128_SHA           | TLS_ECDHE_ECDSA_WITH_RC4_128_SHA        | Weak
TLS_ECDHE_RSA_WITH_RC4_128_SHA             | TLS_ECDHE_RSA_WITH_RC4_128_SHA          | Weak
TLS_ECDH_ECDSA_WITH_RC4_128_SHA            | TLS_ECDH_ECDSA_WITH_RC4_128_SHA         | Weak
TLS_ECDH_RSA_WITH_RC4_128_SHA              | TLS_ECDH_RSA_WITH_RC4_128_SHA           | Weak
TLS_ECDH_anon_WITH_RC4_128_SHA             | TLS_ECDH_anon_WITH_RC4_128_SHA          | Weak
SSL_RSA_WITH_RC4_128_SHA                   | SSL_RSA_WITH_RC4_128_SHA                | Weak
TLS_KRB5_WITH_RC4_128_SHA                  | TLS_KRB5_WITH_RC4_128_SHA               | Weak
TLS_KRB5_EXPORT_WITH_RC4_40_SHA            | TLS_KRB5_EXPORT_WITH_RC4_40_SHA         | Weak
TLS_RSA_WITH_NULL_SHA256                   | TLS_RSA_WITH_NULL_SHA256                | Weak
TLS_ECDHE_ECDSA_WITH_NULL_SHA              | TLS_ECDHE_ECDSA_WITH_NULL_SHA           | Weak
TLS_ECDHE_RSA_WITH_NULL_SHA                | TLS_ECDHE_RSA_WITH_NULL_SHA             | Weak
TLS_ECDH_ECDSA_WITH_NULL_SHA               | TLS_ECDH_ECDSA_WITH_NULL_SHA            | Weak
TLS_ECDH_RSA_WITH_NULL_SHA                 | TLS_ECDH_RSA_WITH_NULL_SHA              | Weak
TLS_ECDH_anon_WITH_NULL_SHA                | TLS_ECDH_anon_WITH_NULL_SHA             | Weak
SSL_RSA_WITH_NULL_SHA                      | SSL_RSA_WITH_NULL_SHA                   | Weak
TLS_EMPTY_RENEGOTIATION_INFO_SCSV          | TLS_EMPTY_RENEGOTIATION_INFO_SCSV       | Weak

Table 8: Cipher suite name

12.2 Enabling weak ciphers


This section describes how to enable weak ciphers for the XOH interface.

By default, the following weak ciphers are disabled by the xoh service:

SSL_RSA_WITH_RC4_128_SHA, SSL_RSA_WITH_RC4_128_MD5, SSL_DH_anon_WITH_RC4_128_MD5,
SSL_RSA_EXPORT_WITH_RC4_40_MD5, SSL_DH_anon_EXPORT_WITH_RC4_40_MD5,
TLS_KRB5_WITH_RC4_128_SHA, TLS_KRB5_WITH_RC4_128_MD5, TLS_KRB5_EXPORT_WITH_RC4_40_SHA,
TLS_KRB5_EXPORT_WITH_RC4_40_MD5, SSL_RSA_WITH_DES_CBC_SHA, SSL_DHE_RSA_WITH_DES_CBC_SHA,
SSL_DHE_DSS_WITH_DES_CBC_SHA, SSL_DH_anon_WITH_DES_CBC_SHA, TLS_KRB5_WITH_DES_CBC_SHA,
TLS_KRB5_WITH_DES_CBC_MD5, TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA,
TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5, SSL_RSA_WITH_NULL_MD5, TLS_KRB5_WITH_3DES_EDE_CBC_MD5,
TLS_RSA_WITH_3DES_EDE_CBC_SHA, TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA, TLS_RSA_WITH_NULL_SHA


If disabling the above weak ciphers causes problems in the TLS connection, do the following steps to
enable these weak ciphers.

1. Log in as the omc user to the NetAct VM where the xoh service is running, and then switch to the
root user.

To locate the right VM, see Locating the right virtual machine for a service in Administering NetAct
Virtual Infrastructure.

2. Enable the weak ciphers by editing the configuration file:

vi /opt/oss/NSN-xoh/conf/mediation_south_xoh_tls.properties

Add the weak ciphers to be enabled to the com.nsn.oss.xoh.sslcontext.cipher.include
option value.

If the names of the weak ciphers are present in the
com.nsn.oss.xoh.sslcontext.cipher.exclude option value, first remove these names from
the com.nsn.oss.xoh.sslcontext.cipher.exclude option, and then add them at the end of the
com.nsn.oss.xoh.sslcontext.cipher.include option value. Separate the ciphers with commas.

In addition to the weak ciphers mentioned above, see the list of weak ciphers and find their Equivalent
JSSE cipher suite name in the Table 8: Cipher suite name table in Supported XOH ciphers.

3. Restart the xoh service.

To restart the xoh service, see Stopping XoH SBI in Administering XoH Southbound Interface
and Starting XoH SBI in Administering XoH Southbound Interface.

12.3 Disabling weak ciphers


This section describes how to disable weak ciphers for the XOH interface.

Note: Disabling all weak ciphers results in disabling the TLSv1 and TLSv1.1 protocols in the
XoH interface. Therefore, before disabling all weak ciphers, ensure that none of the network
elements requires the TLSv1 or TLSv1.1 protocols for communication with the XoH interface.

If it is confirmed that disabling the weak ciphers does not cause problems in the TLS connection,
disable the weak ciphers by executing the following steps:

1. Log in as the omc user to the NetAct VM where the xoh service is running, and then switch to the
root user.

To locate the right VM, see Locating the right virtual machine for a service in Administering NetAct
Virtual Infrastructure.

2. Disable the weak ciphers by executing the following command:


vi /opt/oss/NSN-xoh/conf/mediation_south_xoh_tls.properties

Add the weak ciphers to be disabled to the com.nsn.oss.xoh.sslcontext.cipher.exclude
option value.

If the names of the weak ciphers are present in the
com.nsn.oss.xoh.sslcontext.cipher.include option value, first remove these names from
the com.nsn.oss.xoh.sslcontext.cipher.include option, and then add them at the end of the
com.nsn.oss.xoh.sslcontext.cipher.exclude option value. Separate the ciphers with commas.

To get the weak cipher names, check the Equivalent JSSE cipher suite name list in the Table 8: Cipher
suite name table in Supported XOH ciphers.

3. Restart the xoh service.

To restart the xoh service, see Stopping XoH SBI in Administering XoH Southbound Interface
and Starting XoH SBI in Administering XoH Southbound Interface.
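The enabling and disabling procedures above both amount to moving a suite name between the include and exclude properties, with the rule that a name is removed from the opposite list before it is appended to the target list. The following Python script is an added example, not Nokia's tooling and not part of the xoh service; it performs that edit on mediation_south_xoh_tls.properties and afterwards reports which of the suites this document lists as weak are enabled, so an operator can see at a glance what was opened up. It assumes each property is a single key=value line with comma-separated names (no backslash continuations), that it runs as root on the xoh VM before the service restart in step 3, and that the file name xoh_ciphers.py and the WEAK_SUBSET constant are my own.

```python
"""Move cipher suites between the XoH include and exclude lists.

Added example, not Nokia's code. Applies the edit described in Enabling
weak ciphers and Disabling weak ciphers: a suite is removed from the
opposite list first, then appended at the end of the target list, and the
two lists are checked for overlap afterwards.
Assumption (mine, not from the document): each property is one
"key=value" line with comma-separated names and no backslash continuations.
"""
import re
import sys

PROPERTIES_FILE = "/opt/oss/NSN-xoh/conf/mediation_south_xoh_tls.properties"
INCLUDE_KEY = "com.nsn.oss.xoh.sslcontext.cipher.include"
EXCLUDE_KEY = "com.nsn.oss.xoh.sslcontext.cipher.exclude"

# A subset of the suite names the document lists as weak, used for the audit.
WEAK_SUBSET = {
    "SSL_RSA_WITH_RC4_128_SHA",
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    "TLS_RSA_WITH_NULL_SHA",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
}

# Constructed sample of the two properties (not a real NetAct file).
SAMPLE = """# constructed sample
com.nsn.oss.xoh.sslcontext.cipher.include=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
com.nsn.oss.xoh.sslcontext.cipher.exclude=SSL_RSA_WITH_RC4_128_SHA,TLS_RSA_WITH_3DES_EDE_CBC_SHA,TLS_RSA_WITH_NULL_SHA
"""


def _key_re(key):
    return re.compile(r"^\s*" + re.escape(key) + r"\s*=(.*)$")


def read_list(text, key):
    """Return the comma-separated suite names stored under key ([] if absent)."""
    for line in text.splitlines():
        m = _key_re(key).match(line)
        if m:
            return [v.strip() for v in m.group(1).split(",") if v.strip()]
    return []


def write_list(text, key, names):
    """Return text with key's value replaced by names (line appended if key is absent)."""
    new_line = f"{key}={','.join(names)}"
    lines = text.splitlines()
    for i, line in enumerate(lines):
        if _key_re(key).match(line):
            lines[i] = new_line
            break
    else:
        lines.append(new_line)
    return "\n".join(lines) + "\n"


def move_ciphers(text, names, enable):
    """Enable (exclude -> include) or disable (include -> exclude) the named suites."""
    src_key, dst_key = (EXCLUDE_KEY, INCLUDE_KEY) if enable else (INCLUDE_KEY, EXCLUDE_KEY)
    # Step 1: drop the names from the opposite list first.
    src = [n for n in read_list(text, src_key) if n not in names]
    # Step 2: append them at the end of the target list, without duplicates.
    dst = read_list(text, dst_key)
    dst += [n for n in names if n not in dst]
    text = write_list(write_list(text, src_key, src), dst_key, dst)
    # Sanity check: a suite must never appear in both lists.
    overlap = set(read_list(text, INCLUDE_KEY)) & set(read_list(text, EXCLUDE_KEY))
    if overlap:
        raise ValueError(f"suites in both include and exclude: {sorted(overlap)}")
    return text


def enabled_weak_ciphers(text, weak=WEAK_SUBSET):
    """Audit helper: suites in the include list that the document rates weak."""
    return [n for n in read_list(text, INCLUDE_KEY) if n in weak]


if __name__ == "__main__":
    # Usage: python xoh_ciphers.py enable|disable SUITE[,SUITE...] [properties file]
    action, suites = sys.argv[1], sys.argv[2].split(",")
    path = sys.argv[3] if len(sys.argv) > 3 else PROPERTIES_FILE
    with open(path) as fh:
        updated = move_ciphers(fh.read(), suites, enable=(action == "enable"))
    with open(path, "w") as fh:
        fh.write(updated)
    print("weak suites now enabled:", enabled_weak_ciphers(updated))
```

Run it as root on the xoh VM and then restart the xoh service as in step 3 of either procedure; the final audit line tells you which weak suites remain enabled after the change.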


13 Managing certificates for GSM BTS


GSM BTS certificates are used for IP Security Architecture (IPsec) only. NetAct supports Automated
Certificate Management (ACM) for Flexi Multiradio BTS.

13.1 Verifying ACM license


GSM BTS ACM is controlled by a BSC license.

• FEATURE CODE is 5496.
• FEATURE NAME is Automated Certificate Management.

Follow the steps below to check whether the ACM license is activated.

1. Log in to BSC through MML session.

2. Enter the following command:

ZW7I:FEA,FULL:FEA=5496;

Expected outcome

FlexiBSC DX220-LAB 626262 2015-06-29 10:41:03


FEATURE INFORMATION:
----------------------------------------------
FEATURE CODE:..............5496
FEATURE NAME:..............Automated Certificate Management
FEATURE STATE:.............ON
COMMAND EXECUTED

Note: FEATURE STATE ON means that the license is installed successfully and the ACM feature
is activated.

3. If the FEATURE STATE is OFF, activate the feature with the following command:

ZW7M:FEA=5496:ON:;

4. If the output is NO SUCH FEATURES FOUND, the license has not been installed and activated.
Follow the steps below to install and activate the license:
a) Transfer the license file (for example, E1234567.XML) to the DW0-/LICENCE/ directory on the
OMU disk of the BSC.
b) Install the license by entering the command:

ZW7L:E1234567;
c) Activate the license by entering the command:


ZW7M:FEA=5496:ON:;

13.2 ACM configuration


GSM BTS ACM can be configured by BTS Site Manager or by Configuration Management (CM).

BTS Site Manager provides the ACM configuration function for one BTS at a time. For detailed
instructions, see the Certificate Management chapter in BTS Site Manager Online Help.

Configuration Management provides the upload and provisioning of ACM parameters (CERTH object)
for Flexi Multiradio BTS with EX16 software release.

For detailed parameters information, see Browsing parameters in Object Information Browser Help.

For site rollout instructions, see Introduction to rolling out GSM/GSM-R in Creating and Rolling out
GSM BTS Sites.

13.3 Command Line Interface (CLI)


The GSM BTS ACM command line tool q3cerm.sh is used for managing BTS certificates. It works as
follows:

• NetAct triggers MML commands on the BSC.
• The BSC MML commands initiate the operation on the BTS.
• NetAct gets the results of the operations from the BSC.

The q3cerm.sh script is available on the node where the q3user service is running. The path is
/opt/oss/NSN-q3med-cerm/bin/q3cerm.sh.

Figure 6: Certificate Management in BTS

The following operations are supported by the GSM BTS ACM CLI:

• Initialize operator certificate.
• Update operator certificate.
• Revocation list download.
• Remove root certificate.

13.3.1 User setting for CLI

1. Log in to the NetAct VM on which the OSI service is running as a sysop group user.

2. Extract the q3usr credentials using the command below:

/opt/nokia/oss/bin/syscredacc.sh -user q3usr -type APPSERV -instance APPSERV

<password of q3usr>

3. Switch to the q3usr user using the command below:

su - q3usr

Password:

<password of q3usr>

13.3.2 Command options

Usage: sh /opt/oss/NSN-q3med-cerm/bin/q3cerm.sh <operationType> [-d <dn> | -f <file name>] [-issuer <issuer>] [-serialNumber <serialNumber>]

• operationType:

triggerCmpInitSequence | triggerCmpKeyUpdateSequence | updateCRL | removeRootCertificate

• -d <dn>: FQDN of the BSC or BCF. If the DN of a BSC is given, the operation targets the
supported BCFs under that BSC.

Command example:

sh /opt/oss/NSN-q3med-cerm/bin/q3cerm.sh triggerCmpInitSequence -d PLMN-PLMN/BSC-1/BCF-1,PLMN-PLMN/BSC-2
sh /opt/oss/NSN-q3med-cerm/bin/q3cerm.sh triggerCmpKeyUpdateSequence -d PLMN-PLMN/BSC-1/BCF-1

• -f <file name>: The name of the file in which the FQDNs of the BSCs or BCFs are listed. The file
content includes only BSC DNs and BCF DNs.

Command example:

sh /opt/oss/NSN-q3med-cerm/bin/q3cerm.sh updateCRL -f /tmp/DNFile.txt

The file /tmp/DNFile.txt contains:

PLMN-PLMN/BSC-626262/BCF-137
PLMN-PLMN/BSC-54148

Note:

– q3usr has read access to the file.
– Each line contains exactly one DN.

• -issuer <issuer>: Name of the root CA which issues the root certificate. It is used for
removeRootCertificate only.

• -serialNumber <serialNumber>: Serial number of the root certificate. It is used for
removeRootCertificate only.

Command example:

sh /opt/oss/NSN-q3med-cerm/bin/q3cerm.sh removeRootCertificate -d PLMN-PLMN/BSC-1/BCF-1 -issuer ACMRootCA -serialNumber 068c

• -h: Help instruction.

13.3.3 Initialize operator certificate


The initialize operator certificate operation triggers the BTS to:

• Download the root certificate and subordinate certificate from the CMP/CA server to build up the
trust chain.
• Request the BTS certificate from the CMP/CA server.

Operation type: triggerCmpInitSequence. For detailed instructions, see Command Options.

Command example:

sh /opt/oss/NSN-q3med-cerm/bin/q3cerm.sh triggerCmpInitSequence -d PLMN-PLMN/BSC-626262/BCF-137

Expected output:

The number of BCF is 1. Timeout value is 30s.
Processing...
Total number: 1 Number of processed: 1
PLMN-PLMN/BSC-626262/BCF-137:OK
For detail information, you can refer to /opt/oss/NSN-q3med-cerm/data/response/CERM_Response_5989PLMN-PLMN_BSC-626262.detail
Command executed.

13.3.4 Update operator certificate


When the BTS certificate has expired or a new key pair has been generated, the update operator
certificate operation can be invoked to request a new certificate.


Prerequisite: the initialize operator certificate operation has been executed and the trust chain is
built up.

Operation type: triggerCmpKeyUpdateSequence. For detailed instructions, see Command Options.

Command example:

sh /opt/oss/NSN-q3med-cerm/bin/q3cerm.sh triggerCmpKeyUpdateSequence -d PLMN-PLMN/BSC-626262/BCF-137

Expected output:

The number of BCF is 1. Timeout value is 30s.
Processing...
Total number: 1 Number of processed: 1
PLMN-PLMN/BSC-626262/BCF-137:OK
For detail information, you can refer to /opt/oss/NSN-q3med-cerm/data/response/CERM_Response_29961PLMN-PLMN_BSC-626262.detail
Command executed.

13.3.5 Certificate Revocation List (CRL) download


The certificate revocation list download operation triggers the BTS to download the
certificate revocation list.

Prerequisite: the initialize operator certificate operation has been executed and the trust chain is
built up.

Operation type: updateCRL. For more details, see Command Options.

Command example:

sh /opt/oss/NSN-q3med-cerm/bin/q3cerm.sh updateCRL -d PLMN-PLMN/BSC-626262/BCF-137

Expected output:

The number of BCF is 1. Timeout value is 30s.
Processing...
Total number: 1 Number of processed: 0
Total number: 1 Number of processed: 1
PLMN-PLMN/BSC-626262/BCF-137:OK
For detail information, you can refer to /opt/oss/NSN-q3med-cerm/data/response/CERM_Response_610PLMN-PLMN_BSC-626262.detail
Command executed.

13.3.6 Remove root certificate


The remove root certificate operation triggers the BTS to remove the root certificate.

Prerequisite: the initialize operator certificate operation has been executed and the trust chain is
built up.

Operation type: removeRootCertificate. For detailed instructions, see Command Options.


CAUTION! The remove root certificate operation must be used with caution because it removes the
trust chain. If the removed root certificate is used by an existing IPsec tunnel and new BTS
certificates have not been installed, a system outage may occur. The only recovery mechanism is to
initiate a HW reset from Site Element Manager after installing new certificates on the BTS.

Command example:

sh /opt/oss/NSN-q3med-cerm/bin/q3cerm.sh removeRootCertificate -d PLMN-PLMN/BSC-626262/BCF-137 -issuer ACMRootCA -serialNumber 068c

Expected output:

Processing...
The number of BCF is 1. Timeout value is 30s.
Total number: 1 Number of processed: 0
Total number: 1 Number of processed: 1
PLMN-PLMN/BSC-626262/BCF-137:OK
For detail information, you can refer to /opt/oss/NSN-q3med-cerm/data/response/CERM_Response_10786PLMN-PLMN_BSC-626262.detail
Command executed.
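The following Python wrapper is an added example, not part of NetAct or the q3cerm.sh tool. It serves the Command options section and the four operations above: it assembles the q3cerm.sh argument list according to the option rules (exactly one of -d or -f; -issuer and -serialNumber only with removeRootCertificate), checks a DN file against the one-DN-per-line rule before it is handed to -f, and parses the DN:STATUS result lines of the expected outputs so that any BCF not reporting OK is listed instead of being lost in a long run. The DN pattern PLMN-PLMN/BSC-<n>[/BCF-<n>] is inferred from the examples and the FAILED status in the constructed sample output is an assumed value; neither is documented on this page.

```python
"""Helper around the GSM BTS ACM CLI q3cerm.sh.

Added example, not part of NetAct or q3cerm.sh. Builds the argument list
described in Command options, validates DN files, and parses result
output. Assumptions (mine, not from the document): DNs look like
PLMN-PLMN/BSC-<n> or PLMN-PLMN/BSC-<n>/BCF-<n>, and any status other
than OK is a failure.
"""
import re
import subprocess

Q3CERM = "/opt/oss/NSN-q3med-cerm/bin/q3cerm.sh"
OPERATIONS = ("triggerCmpInitSequence", "triggerCmpKeyUpdateSequence",
              "updateCRL", "removeRootCertificate")
DN_RE = re.compile(r"^PLMN-PLMN/BSC-\d+(?:/BCF-\d+)?$")   # assumed DN shape
RESULT_RE = re.compile(r"^(PLMN-PLMN/\S+?):(\S+)$")       # "DN:STATUS" lines
DETAIL_RE = re.compile(r"refer to (\S+\.detail)")         # detail file path

# Constructed output modelled on the expected output above; BCF-138 and its
# FAILED status are invented to show a failure being picked out.
SAMPLE_OUTPUT = """The number of BCF is 2. Timeout value is 30s.
Processing...
Total number: 2 Number of processed: 1
Total number: 2 Number of processed: 2
PLMN-PLMN/BSC-626262/BCF-137:OK
PLMN-PLMN/BSC-626262/BCF-138:FAILED
For detail information, you can refer to /opt/oss/NSN-q3med-cerm/data/response/CERM_Response_5989PLMN-PLMN_BSC-626262.detail
Command executed.
"""


def validate_dn_lines(lines):
    """Return the DNs of a DN file, enforcing one well-formed DN per line."""
    dns = []
    for no, raw in enumerate(lines, 1):
        line = raw.strip()
        if not line:
            continue                       # blank lines are tolerated
        if "," in line or " " in line:
            raise ValueError(f"line {no}: only one DN per line")
        if not DN_RE.match(line):
            raise ValueError(f"line {no}: not a BSC or BCF DN: {line}")
        dns.append(line)
    return dns


def build_command(operation, dns=None, dn_file=None, issuer=None, serial_number=None):
    """Assemble argv for q3cerm.sh according to the option rules."""
    if operation not in OPERATIONS:
        raise ValueError(f"unknown operationType: {operation}")
    if bool(dns) == bool(dn_file):
        raise ValueError("give exactly one of -d <dn> or -f <file name>")
    argv = ["sh", Q3CERM, operation]
    argv += ["-d", ",".join(dns)] if dns else ["-f", dn_file]
    if operation == "removeRootCertificate":
        if not (issuer and serial_number):
            raise ValueError("removeRootCertificate needs -issuer and -serialNumber")
        argv += ["-issuer", issuer, "-serialNumber", serial_number]
    elif issuer or serial_number:
        raise ValueError("-issuer/-serialNumber apply to removeRootCertificate only")
    return argv


def parse_results(output):
    """Return ({dn: status}, detail_file) parsed from q3cerm.sh output."""
    results, detail = {}, None
    for line in output.splitlines():
        m = RESULT_RE.match(line.strip())
        if m:
            results[m.group(1)] = m.group(2)
            continue
        m = DETAIL_RE.search(line)
        if m:
            detail = m.group(1)
    return results, detail


def failed_dns(output):
    """DNs whose status is anything other than OK."""
    results, _ = parse_results(output)
    return sorted(dn for dn, status in results.items() if status != "OK")


def run(operation, **kwargs):
    """Run q3cerm.sh (as q3usr) and return (failed DNs, detail file)."""
    proc = subprocess.run(build_command(operation, **kwargs),
                          capture_output=True, text=True, check=False)
    return failed_dns(proc.stdout), parse_results(proc.stdout)[1]
```

Because the tool writes the per-BSC detail file path into its output, run() returns that path alongside the failed DNs, so the operator knows which file to open for a BCF that did not report OK.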


14 Hardening of NetAct Virtual Infrastructure (VI)


Hardening of the NetAct Virtual Infrastructure (VI) covers the following aspects of the virtual
infrastructure:

• Virtual Machines
• Hypervisor (ESXi hosts)
• Networking (over LAN access of the hardware)

An overview of virtualization is provided in NetAct Operational Documentation at:

• NetAct system overview → NetAct Deployment and Configurations → NetAct architecture
• Installation → NetAct Installation Overview → NetAct installation and commissioning process
• NetAct Administration → NetAct Administration Overview and Operations → Virtualization in
NetAct (Rich Media)

Figure 7: Virtualization overview and hardening scopes

The Virtual Infrastructure (VI) runs on the hardware and comprises the VMware ESXi Hypervisor and the
virtual machines (VMs). This chapter describes the hardening operations for the virtual infrastructure.
Hardening of NetAct applications, mediations and services hosted as guest systems within the virtual
machines is described in the following sections:

Activating Virtual Infrastructure Security Settings

De-activating Virtual Infrastructure Security Settings


Modifying Virtual Infrastructure Security Settings

14.1 Activating Virtual Infrastructure Security Settings


VI security is already set by NetAct installation. This comprises the following steps:

• Activation of the security settings by the hardening tool for NetAct virtual infrastructure
• Encryption of configuration files required for installation

Note:

The following steps are required only if the security settings were disabled or were changed
manually.

Services which are not essential for running and administering the NetAct virtual
infrastructure are also disabled during NetAct installation. Before running the script to check
the hardening status or to activate the security settings, you have to restore the installation
config files. These files were encrypted after NetAct installation.

14.1.1 Restore installation config files

Prerequisites

• The config files must be encrypted again after executing the scripts.
• Power on the Administration server if it is not powered on already.

To restore the config files:

1. Log in to NetAct Administration server as root user.

2. Check if the following files are available:

/var/builds/hosts/<systemname>/config/<system_name>_vmware_install.yml

/opt/vse/samples/valid_security_conf.yml

3. If the files are not available, decrypt and restore them by executing the following command:

/opt/misserver/scripts/decrypt_configuration_files.sh -z /var/builds/hosts/<systemname>/configuration_files_<systemname>.zip

To encrypt these files again:

1. Set the SYSTEMNAME shell environment variable, if it has not been set already:

export SYSTEMNAME=<systemname>


2. Execute the encryption script:

/opt/misserver/scripts/encrypt_configuration_files.sh -c /var/${SYSTEMNAME}_cluster_info.txt

The script asks for the following during execution:

• The password for encrypting the zip file, which is requested twice.

Note: The password must be stored for future use.

• The omc user password of the nodes to which the zip file is transferred.

14.1.2 Verifying Virtual Infrastructure Hardening


The default NetAct Virtual Infrastructure security hardening settings have been verified with vSphere
VMware Hardening Guidelines Checker. This tool by VMware can be run at any time to verify the con-
formity of NetAct Virtual Infrastructure against the hardening guidelines.

Note:

Services which are not essential for running and administering the NetAct virtual infrastruc-
ture will be disabled.

14.1.3 Activating security settings


Run the hardening tool only if the hardening status is not as expected:

1. Log in to the NetAct Administration server as root user.

2. Activate the NetAct virtual infrastructure security settings by entering:

/opt/vse/bin/vse security --set-all -c <VSE global configuration file> -s <VI security settings configuration>

where:

• <VSE global configuration> is the location of the configuration file created for NetAct
installation to control the NetAct virtualized server environment installation. The NetAct
virtualized server environment installation setting configuration file can be found at the
following location:

/var/builds/hosts/<systemname>/config/<system_name>_vmware_install.yml

• <VI security settings configuration> is the location of the configuration file where
the security settings are defined. If the security settings are not defined, all the default settings
are set.


The security setting configuration file is located at /opt/vse/samples/valid_security_conf.yml.

Note:

• If network segregation is enabled, exclude the Network Segregation port groups and
run the hardening tool for virtual infrastructure by entering:

/opt/vse/bin/vse security --set-all -c <VSE global configuration file> -s <VI security settings configuration> -e <Network segregation vconf yaml file>

where:

• <VSE global configuration> is the location of the configuration file created for
NetAct installation to control the NetAct virtualized server environment installation.
The NetAct virtualized server environment installation setting configuration file can
be found at the following location:

/var/builds/hosts/<systemname>/config/<system_name>_vmware_install.yml

• <VI security settings configuration> is the location of the configuration file
where the security settings are defined. If the security settings are not defined, all
the default settings are set.

The security setting configuration file is located in /opt/vse/samples/valid_security_conf.yml.

• <Network segregation vconf yaml file> is the location of the configuration file
where the Network Segregation settings are defined.

• Only the specified objects, that is, vCenter, ESXi, network, or VMs can be hardened
by entering:

/opt/vse/bin/vse security --set [vcenter | esxi | network | vm] -c <VSE global configuration file> -s <VI security settings configuration>

Multiple objects can be hardened by providing the inputs as space separated.

3. Check the results from the log file: /var/builds/hosts/<systemname>/install.log

Ensure that no errors are found in the log file.

Note: Power off the Administration server if it was powered on to execute the above
procedure.


14.2 De-activating security settings


The security settings have to be de-activated (unhardened) to perform specific administration or
troubleshooting tasks, such as a NetAct release upgrade.

Note: In case of a NetAct release upgrade, the security settings are automatically de-activated
and activated again at the end. There is no need to de-activate them manually unless explicitly
requested, for example to install a hotfix.

Follow the instructions below to revert the security settings of the NetAct virtual infrastructure manually:

1. Power on the Administration server if it is not powered on already and connect as root user.

2. Restore installation config files. For more information, see Activating Virtual Infrastructure
Security Settings.

3. De-activate the NetAct virtual infrastructure security settings by entering:

/opt/vse/bin/vse security --reset-all -c <VSE global configuration file>

where:

• <VSE global configuration> is the location of the configuration file created for NetAct
installation to control the NetAct virtualized server environment installation. The NetAct
virtualized server environment installation setting configuration file can be found at the
following location:

/var/builds/hosts/<systemname>/config/<systemname>_vmware_install.yml

Note:

• If network segregation is enabled, exclude the Network Segregation port groups and
run the hardening tool for virtual infrastructure by entering:

/opt/vse/bin/vse security --reset-all -c <VSE global configuration file> -e <Network segregation vconf yaml file>

where:

• <VSE global configuration> is the location of the configuration file created for
NetAct installation to control the NetAct virtualized server environment installation.
The NetAct virtualized server environment installation setting configuration file can
be found at the following location:

/var/builds/hosts/<systemname>/config/<systemname>_vmware_install.yml

• <Network segregation vconf yaml file> is the location of the configuration file
where the Network Segregation settings are defined.

• Only the specified objects, that is, vCenter, ESXi, network, or VMs can be unhardened
by entering:

/opt/vse/bin/vse security --reset [vcenter | esxi | network | vm] -c <VSE global configuration file>

Multiple objects can be unhardened by providing the inputs as space separated.

4. Check the results from the log file /var/builds/hosts/<systemname>/install.log.

Ensure that no errors are found in the log file.

5. Check the VI status after de-activating by entering:

vse_cli host secure --status --hostname <ESXi Hostname> -i <VC IP> -u <VC user> -p <VC Password>

Expected output:

List of host esx02 security parameters:
lockdown_mode: off
ssh: on
esxi-shell: on
dcui: on
Host esx02 is not secured.
VSE_CLI action executed successfully

6. After completing the maintenance tasks, ensure that the security settings are re-activated and the
configuration files are encrypted again as described in Activating Virtual Infrastructure Security
Settings.

Note: Power off the Administration server if it was powered on to execute the above
procedure.

14.3 Modifying Virtual Infrastructure Security Settings


You can also modify the security settings using vSphere Client as an alternative to the command-line-based activation and de-activation.


Perform the following steps to enable or disable the security settings, for example, for the duration of
maintenance or troubleshooting tasks carried out on the environment.

1. Log in to vSphere Client as an Administrator@vsphere.local.

2. Perform the below instructions to disable security settings:


a) To regain command line access to ESXi hosts, edit the security settings for each host by doing the following:

1. From the Menu drop-down list, click Hosts and Clusters.
2. In the left pane, expand the vCenter Server → NetAct Data Center → NetAct Cluster.

A complete list of existing hosts and VMs in a cluster appears.

3. Select a host.
4. Click Configure → System → Services and edit the following settings:

Direct Console UI (set to stop)
ESXi shell (set to stop)
SSH (set to stop)

5. Click Configure → System → Security Profile and edit the Lockdown Mode (set to Disabled) setting.

b) If networking security settings need to be edited for troubleshooting or other planned tasks, do the following:

1. Click Menu → Hosts and Clusters.
2. In the left pane, expand vCenter Server → NetAct Data Center → NetAct Cluster.

A complete list of existing hosts and VMs in a cluster appears.

3. Select a host.
4. Click Configure → Networking → Virtual switches.
5. From the inventory, select a Port Group and click Edit Settings.

The <Switch> - Edit Settings dialog box appears.

6. Click Security and edit the required security settings.

Note: Repeat the same procedure for all the hosts present in the NetAct cluster.

c) If an individual VM's security settings need to be edited for troubleshooting or other planned tasks, do the following:

1. Click Home → Hosts and Clusters.
2. In the left pane, expand vCenter Server → NetAct Data Center → NetAct Cluster.

A complete list of existing hosts and VMs in a cluster appears.

3. Select a NetAct VM.
4. Click Configure.
5. From the Actions drop-down list, select Edit Settings....

The Edit Settings dialog box appears.

6. Click VM Options → Advanced → Configuration Parameters.
7. Click EDIT CONFIGURATION...

The Configuration Parameters dialog box appears.

8. Edit the required security settings.

Note: VM must be powered off to be able to change the settings.

3. Perform the planned upgrade on the VMware components or the extensions/changes in the NetAct HW.

4. Re-enable all the following security settings:

Direct Console UI (set to start)
ESXi shell (set to start)
SSH (set to start)
Lockdown Mode (set to Disabled)

Note:

• Enabling ESXi Lockdown Mode and disabling the Direct Console User Interface (DCUI) are not done as part of the VI hardening procedure.
• Therefore, troubleshooting can be done on the ESXi host when it is disconnected or not responding in vCenter Server. If an ESXi host is disconnected with Lockdown Mode enabled and DCUI disabled, the ESXi host must be reinstalled to recover.

14.4 Managing TLSv1 protocol for vCenter and ESXi

This section provides the procedures for managing TLSv1.0 in vCenter and ESXi:

• Creating backup for existing TLS configuration
• Disabling TLSv1 protocol
• Enabling TLSv1 protocol


14.4.1 Creating backup for existing TLS configuration


To create a backup of the existing TLS configuration in the system, do the following:

1. Connect to the vCenter server appliance using an SSH session. If the Bash shell is not enabled, enter:

shell.set --enabled true

• To access the Bash shell, enter:

shell

2. In the Bash shell, change to the following directory:

• for vSphere 6.5: cd /usr/lib/vmware-vSphereTlsReconfigurator/VcTlsReconfigurator
• for vSphere 7.0: cd /usr/lib/vmware-TlsReconfigurator/VcTlsReconfigurator

3. To back up the TLS configuration in the vCenter server appliance manually, enter:

# ./reconfigureVc backup

By default, the output is written to the /tmp/<year><month><day>T<time> directory. To write the output to a specific directory, enter:

# ./reconfigureVc backup -d <backup directory path>

14.4.2 Disabling TLSv1 protocol


To disable the TLSv1 protocol, do the following:

Note:

• All vCenter services are restarted automatically during the TLSv1 disabling procedure.
• The ESXi hosts must be restarted manually, one after another, after disabling TLSv1.

1. Stop the vManager service.

a) Log in to a Virtual Machine (VM) hosting the cpfvmanager service, and switch to the root user.

To locate the right VM, see Locating the right virtual machine for a service in Administering NetAct Virtual Infrastructure.

b) Verify whether all NetAct virtual machines are available and are reporting the status of their services by entering:

[root]# smanager.pl status

Note: The smanager.pl command cannot reboot a virtual machine if it is not accessible.

c) Stop the vManager service so that it does not handle VM reset operations by entering:

[root]# /opt/cpf/install/bin/cpfvmanager_configure.sh --disable_vcenter --disable_alarms --stop

2. Connect to the vCenter server appliance using an SSH session. If the Bash shell is not enabled, enter:

shell.set --enabled true

• To access the Bash shell, enter:

shell

3. In the Bash shell, change to the following directory:

• for vSphere 6.5: cd /usr/lib/vmware-vSphereTlsReconfigurator/VcTlsReconfigurator
• for vSphere 7.0: cd /usr/lib/vmware-TlsReconfigurator/VcTlsReconfigurator

4. Update all configurations for all the supported services on the vCenter server. To update, do the following:

Note: If you have products communicating with the vCenter server that still require TLSv1 to be enabled, disabling TLSv1 breaks their connectivity.

1. Disable TLSv1 on the vCenter server and enable the higher TLSv1.x versions. To enable TLSv1.1 and TLSv1.2, enter:

# ./reconfigureVc update -p TLSv1.1 TLSv1.2

OR

2. Disable TLSv1 and TLSv1.1 on the vCenter server and enable TLSv1.2. To enable TLSv1.2 only, enter:

# ./reconfigureVc update -p TLSv1.2


Note: There will be a delay in the start of vSphere Client service. You can monitor it
through the shell by entering:

# service-control --status vsphere-ui

5. Update all configurations for all supported services on the ESXi hosts. This can be done on a per-host or per-cluster basis, either disabling TLSv1 and enabling TLSv1.1 and TLSv1.2, or disabling TLSv1 and TLSv1.1 and enabling TLSv1.2. Change directory to the EsxTlsReconfigurator by entering:

cd ../EsxTlsReconfigurator

Note: If --protocol or -p is not included, it will default to TLSv1.2.

1. To disable TLSv1 and enable both TLSv1.1 and TLSv1.2 on an ESXi host that is part of a cluster in vCenter, enter the following to do the reconfiguration:

# ./reconfigureEsx vCenterCluster -c <Cluster_Name> -u <Administrative_User> -p TLSv1.1 TLSv1.2

OR

To disable TLSv1 and TLSv1.1 and enable TLSv1.2 on an ESXi host that is part of a cluster in vCenter, enter the following to do the reconfiguration:

# ./reconfigureEsx vCenterCluster -c <Cluster_Name> -u <Administrative_User> -p TLSv1.2

2. To disable TLSv1 and enable both TLSv1.1 and TLSv1.2 on an individual ESXi host in vCenter that is not part of a cluster, enter the following to do the reconfiguration:

# ./reconfigureEsx vCenterHost -h <ESXi_Host_Name> -u <Administrative_User> -p TLSv1.1 TLSv1.2

OR

To disable TLSv1 and TLSv1.1 and enable TLSv1.2 on an individual ESXi host in vCenter that is not part of a cluster, enter the following to do the reconfiguration:

# ./reconfigureEsx vCenterHost -h <ESXi_Host_Name> -u <Administrative_User> -p TLSv1.2

3. To disable TLSv1 and enable both TLSv1.1 and TLSv1.2 on a standalone ESXi server, enter the following to do the reconfiguration:

# ./reconfigureEsx ESXiHost -h <ESXi_Host_Name> -u <Administrative_User> -p TLSv1.1 TLSv1.2

OR

To disable TLSv1 and TLSv1.1 and enable TLSv1.2 on a standalone ESXi server, enter the following to do the reconfiguration:

# ./reconfigureEsx ESXiHost -h <ESXi_Host_Name> -u <Administrative_User> -p TLSv1.2

Once completed, the hosts are flagged for reboot. Put the ESXi host into maintenance mode and reboot the ESXi hosts to complete the TLS protocol changes. Repeat the above procedure on the next cluster or ESXi host within the managing vCenter server, if required.

6. To disable the Web Based Management (WBEM) services for the TLSv1 protocol on port 5989, do the following:

a) If the ESXi version is 6.0U3:

1. Log in to ESXi using an SSH session and root credentials.
2. To stop the sfcbd service and edit the config file using the vi editor, enter:

/etc/init.d/sfcbd-watchdog stop && vi /etc/sfcb/sfcb.cfg

3. Set each protocol entry to true (enabled) or false (disabled) as required; set the entry to false to disable that protocol.

For example:

enableTLSv1: true/false
enableTLSv1_1: true/false
enableTLSv1_2: true/false

Note: If an entry is not present, add it and set it to true or false.

4. Save and exit the file.
5. Restart the sfcbd service for the configuration to take effect by entering:

/etc/init.d/sfcbd-watchdog start

b) If the ESXi version is 6.5:

1. Log in to ESXi using an SSH session and root credentials.
2. Edit the sfcb.cfg file by entering:

esxcli system wbem set --enable 0 && vi /etc/sfcb/sfcb.cfg

3. Set each protocol entry to true (enabled) or false (disabled) as required; set the entry to false to disable that protocol.

For example:

enableTLSv1: true/false
enableTLSv1_1: true/false
enableTLSv1_2: true/false

Note: If an entry is not present, add it and set it to true or false.

4. Save and exit the file.
5. Restart the sfcbd service for the configuration to take effect by entering:

esxcli system wbem set --enable 1

c) If the ESXi version is 7.0:

1. Log in to ESXi using an SSH session and root credentials.
2. Edit the sfcb.cfg file by entering:

esxcli system wbem set --enable 0 && vi /etc/sfcb/sfcb.cfg

3. Set each protocol entry to true (enabled) or false (disabled) as required; set the entry to false to disable that protocol.

For example:

enableTLSv1: true/false
enableTLSv1_1: true/false
enableTLSv1_2: true/false

Note: If an entry is not present, add it and set it to true or false.

4. Save and exit the file.
5. Restart the sfcbd service for the configuration to take effect by entering:

esxcli system wbem set --enable 1

Note: Enter the following command to verify whether the Web Based Management (WBEM) services for the TLSv1 protocol on port 5989 are disabled (this command is applicable only for ESXi version 7.0):

esxcli system wbem get

Sample output:

[root@esxi:~] esxcli system wbem get
Enabled: true
WS-Management Service: true
Enable HTTPS: true
Authorization Model: password
Port: 5989
HTTP Procs: 2
HTTPS Procs: 4
Provider Procs: 16
Keepalive Timeout: 1
Keepalive Max Requests: 10
Provider Sample Interval: 30
Provider Timeout Interval: 120
HTTP Max Content Length: 1048576
Max Message Length: 40000000
Thread Stack Size: 524288
Provider Resource Pool Override:
SSL Cipher List: !aNULL:kECDH+AESGCM:ECDH+AESGCM:RSA+AESGCM:kECDH+AES:ECDH+AES:RSA+AES
Threadpool Size: 5
Readonly: false
Log Level: warning
Service Location Protocol PID: 2099713
WS-Management PID: 3558724
CIM Object Manager PID: 3558806
Enabled SSL Protocols:
Enabled System SSL Protocols: tlsv1.2
Enabled Running SSL Protocols: tlsv1.2
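The three sfcb.cfg edits in step 6 (ESXi 6.0U3, 6.5 and 7.0) differ only in how the sfcbd service is stopped and started; the edit itself, including the note about adding an entry that is not present, is the same in all three. The following is an added example written for this page, not Nokia's code and not part of the ESXi tooling: it implements that edit as a function applied to the file content, so the result can be checked before the file is written back. The helper names set_sfcb_protocols and read_sfcb_protocols, the TLS12_ONLY target, and the sample configuration text are this example's own assumptions, and the sample is constructed, not a copy of a real /etc/sfcb/sfcb.cfg.

```python
import re
from typing import Dict

# The three entries the procedure edits; a Python bool maps to the file's true/false value.
PROTOCOL_KEYS = ("enableTLSv1", "enableTLSv1_1", "enableTLSv1_2")
# Matches an active or commented-out "enableTLSv1*: value" line.
_KEY_RE = re.compile(r"^\s*(#\s*)?(enableTLSv1(?:_1|_2)?)\s*:\s*(\S*)\s*$")


def _fmt(key: str, enabled: bool) -> str:
    return f"{key}: {'true' if enabled else 'false'}"


def set_sfcb_protocols(config_text: str, desired: Dict[str, bool]) -> str:
    """Return sfcb.cfg text with the requested enableTLSv1* entries set.

    An existing (or commented-out) entry is rewritten in place, a duplicate is
    dropped so the effective value is unambiguous, and a missing entry is appended,
    which is the "if the entry is not present, add it" case from the note.
    """
    unknown = set(desired) - set(PROTOCOL_KEYS)
    if unknown:
        raise ValueError(f"not a TLS protocol entry: {sorted(unknown)}")
    out, seen = [], set()
    for line in config_text.splitlines():
        m = _KEY_RE.match(line)
        key = m.group(2) if m else None
        if key in desired:
            if key not in seen:
                seen.add(key)
                out.append(_fmt(key, desired[key]))
            continue
        out.append(line)
    for key in PROTOCOL_KEYS:          # stable order for the entries that had to be added
        if key in desired and key not in seen:
            out.append(_fmt(key, desired[key]))
    return "\n".join(out) + "\n"


def read_sfcb_protocols(config_text: str) -> Dict[str, bool]:
    """Effective enableTLSv1* values: active entries only, last definition wins."""
    result: Dict[str, bool] = {}
    for line in config_text.splitlines():
        m = _KEY_RE.match(line)
        if m and not m.group(1) and m.group(3).lower() in ("true", "false"):
            result[m.group(2)] = m.group(3).lower() == "true"
    return result


# Constructed sample content, not a copy of a real /etc/sfcb/sfcb.cfg.
SAMPLE_CFG = """httpPort: 5988
httpsPort: 5989
# enableTLSv1_1: true
enableTLSv1: true
"""

# The end state the procedure aims for: only TLSv1.2 offered by the WBEM service.
TLS12_ONLY = {"enableTLSv1": False, "enableTLSv1_1": False, "enableTLSv1_2": True}


def harden_sample() -> Dict[str, bool]:
    """Apply TLS12_ONLY to the sample and read back the effective values."""
    return read_sfcb_protocols(set_sfcb_protocols(SAMPLE_CFG, TLS12_ONLY))


if __name__ == "__main__":
    print(set_sfcb_protocols(SAMPLE_CFG, TLS12_ONLY), end="")
```

On a host, the same function would be applied to the text read from /etc/sfcb/sfcb.cfg between the stop and start commands of the step above; reading the result back with read_sfcb_protocols before writing the file is the check that nothing other than the three protocol entries changed.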

7. Start the vManager service.

a) Log in to a Virtual Machine (VM) hosting the cpfvmanager service, and switch to the root user.

To locate the right VM, see Locating the right virtual machine for a service in Administering NetAct Virtual Infrastructure.

b) Verify whether all NetAct virtual machines are available and are reporting the status of their services by entering:

[root]# smanager.pl status

Note: The smanager.pl command cannot reboot a virtual machine if it is not accessible.

c) Start the vManager service so that it resumes handling VM reset operations by entering:

[root]# /opt/cpf/install/bin/cpfvmanager_configure.sh --enable_vcenter --enable_alarms --start

14.4.3 Enabling TLSv1 protocol

Note:

• All vCenter services are restarted automatically during this procedure.
• The ESXi hosts must be restarted manually, one after another, after the TLS configuration change.

1. Stop the vManager service.

a) Log in to a Virtual Machine (VM) hosting the cpfvmanager service, and switch to the root user.

To locate the right VM, see Locating the right virtual machine for a service in Administering NetAct Virtual Infrastructure.

b) Verify whether all NetAct virtual machines are available and are reporting the status of their services by entering:

[root]# smanager.pl status

Note: The smanager.pl command cannot reboot a virtual machine if it is not accessible.

c) Stop the vManager service so that it does not handle VM reset operations by entering:

[root]# /opt/cpf/install/bin/cpfvmanager_configure.sh --disable_vcenter --disable_alarms --stop

2. Connect to the vCenter server appliance using an SSH session. If the Bash shell is not enabled,
enter:

shell.set --enabled true

• To access the Bash shell, enter:

shell

3. In the Bash shell, change to the following directory:

• for vSphere 6.5: cd /usr/lib/vmware-vSphereTlsReconfigurator/VcTlsReconfigurator
• for vSphere 7.0: cd /usr/lib/vmware-TlsReconfigurator/VcTlsReconfigurator

4. Update all configurations for all the supported services on the vCenter server.

1. Enable TLSv1.0 on the vCenter server together with the higher TLSv1.x versions. To enable TLSv1, TLSv1.1, and TLSv1.2, enter the following to do the reconfiguration:

# ./reconfigureVc update -p TLSv1.0 TLSv1.1 TLSv1.2

OR

2. To enable TLSv1.0 on the vCenter server, enter the following to do the reconfiguration:

# ./reconfigureVc update -p TLSv1.0

Note: There will be a delay in the start of vSphere Client service. You can monitor it
through the shell by entering:

# service-control --status vsphere-ui

5. Update all configurations for all the supported services on the ESXi hosts. This can be done on a per-host or per-cluster basis, either enabling TLSv1.0, TLSv1.1, and TLSv1.2 or enabling TLSv1.0 only. Change directory to the EsxTlsReconfigurator by entering:

cd ../EsxTlsReconfigurator

Note: If --protocol or -p is not included, it will default to TLSv1.2.

1. To enable TLSv1.0 and higher versions of TLSv1.x on an ESXi cluster, enter the following to do the reconfiguration:

# ./reconfigureEsx vCenterCluster -c <Cluster_Name> -u <Administrative_User> -p TLSv1.0 TLSv1.1 TLSv1.2

OR

To enable TLSv1.0 on an ESXi cluster, enter the following to do the reconfiguration:

# ./reconfigureEsx vCenterCluster -c <Cluster_Name> -u <Administrative_User> -p TLSv1.0

2. To enable TLSv1.0 and higher versions of TLSv1.x on an individual ESXi host in vCenter that is not part of a cluster, enter the following to do the reconfiguration:

# ./reconfigureEsx vCenterHost -h <ESXi_Host_Name> -u <Administrative_User> -p TLSv1.0 TLSv1.1 TLSv1.2

OR

To enable TLSv1.0 on an individual ESXi host in vCenter that is not part of a cluster, enter the following to do the reconfiguration:

# ./reconfigureEsx vCenterHost -h <ESXi_Host_Name> -u <Administrative_User> -p TLSv1.0

3. To enable TLSv1.x and higher versions of TLSv1.x on a standalone ESXi server, enter the following to do the reconfiguration:

# ./reconfigureEsx ESXiHost -h <ESXi_Host_Name> -u <Administrative_User> -p TLSv1.1 TLSv1.2

OR

To enable TLSv1.x on a standalone ESXi server, enter the following to do the reconfiguration:

# ./reconfigureEsx ESXiHost -h <ESXi_Host_Name> -u <Administrative_User> -p TLSv1.2

Once completed, the hosts are flagged for reboot. Reboot the ESXi hosts to complete the TLS protocol changes. Repeat the above procedure on the next cluster or ESXi host within the managing vCenter server, if required.

6. Start the vManager service.

a) Log in to a Virtual Machine (VM) hosting the cpfvmanager service, and switch to the root user.

To locate the right VM, see Locating the right virtual machine for a service in Administering NetAct Virtual Infrastructure.

b) Verify whether all NetAct virtual machines are available and are reporting the status of their services by entering:

[root]# smanager.pl status

Note: The smanager.pl command cannot reboot a virtual machine if it is not accessible.

c) Start the vManager service so that it resumes handling VM reset operations by entering:

[root]# /opt/cpf/install/bin/cpfvmanager_configure.sh --enable_vcenter --enable_alarms --start


15 Hardening for NetAct applications and services


The NetAct applications, mediations, and services are hosted as guest systems within the virtual machines (VMs). Security hardening for the operating system, the services and applications in each VM is performed to enhance the security of the system.

A default hardening is performed during NetAct installation automatically and by additional manual
steps. In certain cases site specific adaptations to the default hardening and security configuration
might be needed due to customer specific security policies or to support specific services or remote
systems communicating with NetAct. This chapter describes operations to ensure that the system is
correctly hardened and how to adapt these settings, if required.

The system administrator should keep track of hardening performed on the system. The information
on hardening settings is helpful in troubleshooting situations when contacting Nokia support, and in
product upgrade. Before an upgrade a backup should be taken of all modified configuration data.

The security hardening of the operating system follows Nokia security guidelines and is based on the
Guide to the Secure Configuration of Red Hat Enterprise available at http://www.nsa.gov/.

• Hardening of Configuration Management Applications and NASDA Web Services


• Enabling or disabling ciphers
• Configuring anonymous LDAP bind
• Controlling Root SSH login
• Changing passwords
• Configuring trust anchors for dirsrv truststore
• Configuring su access permissions
• Disabling of additional unnecessary services
• Handling slow HTTP denial of service attack
• Managing TLS ciphers in IHS server
• Hardening Ciphers, MACs, and KexAlgorithms in SSH server
• Hardening core mediation or application
• Hardening ciphers for SSH client of MML mediation
• Managing TLS ciphers in NWI3 HTTPS client
• Hardening ciphers for SSH client of SCLI mediation

Note: These hardening measures might require restarting a few NetAct services, including the WebSphere application server, which involves system downtime. Ensure that the system is not in use when executing these steps.

15.1 Managing TLS version protocol and TLS cipher configuration


This section provides information about how to enable or disable TLSv1 or TLSv1.1 protocol and TLS
Ciphers in various applications, mediations, and services.


15.1.1 Managing TLS protocol configuration


NetAct provides the TLS configuration management tool (a command line tool) to manage the following TLS protocol configurations of the NetAct services:

• TLSv1 (TLSv1.0)
• TLSv1.1

The TLS configuration management tool:

• is available on the VM hosting the dmgr service. Only the root user can run the TLS configuration management tool.
• allows disabling or enabling of the TLSv1 and TLSv1.1 protocols and performs the necessary configuration changes internally. As part of this configuration change, services are restarted for the change to take effect.

Execution of the tool is not allowed if another instance of the tool is in progress. Once the tool execution starts, interruptions are not allowed.

15.1.1.1 TLS protocol assessment tool

NetAct provides the TLS protocol assessment tool (a utility tool) to find the highest TLS protocol version enabled on a given host and port. The TLS protocol assessment tool generates a summary report as a CSV file, which lists the TLS protocol version on each host and port.

The TLS protocol assessment tool is available on the NetAct VM hosting the dmgr service. Only the root user can run the TLS protocol assessment tool.

Note:

• The TLS protocol assessment tool supports the TLSv1, TLSv1.1, and TLSv1.2 protocol versions. In the TLS protocol assessment tool outputs and reports, the TLS versions are also written as TLSv1_0, TLSv1_1, and TLSv1_2 respectively.
• If a TLS protocol version is enabled on any service or system without any of its supported ciphers, then that TLS version is considered disabled.

Table 9: Supported options in the TLS protocol assessment tool lists the supported options in the TLS protocol assessment tool to check the status (enabled or disabled) of the TLS protocol versions.

Options and descriptions:

--file <filename>

<filename> is the name, including its path, of an input text file. The file must be a plain text file in which each line describes one external system by the following fields:

• Name: name of the external system
• Interface: name of the interface to which the external system belongs, for example NBI or SBI
• Host/ipaddress: hostname or IP address of the host
• Ports: series of ports, port numbers, or port ranges separated with a comma

For example, the following is sample content for inputfile.txt:

CSCF|SBI|1.2.3.4|8443
TMF|NBI|1.2.3.5|994,567

Note: The input file must be a text file. The content of the text file must use | as the delimiter between fields.

Example command:

TLSVersionDetectorTool.py --file /var/tmp/inputfile.txt

The output of the command provides the information about the highest TLS protocol version enabled on the given host and port.

Sample output:

In one or many hosts following the highest version of TLS protocol are enabled:

TLSv1_2

For more details, check the output file /var/opt/oss/nokianetworks-sm_tls_mgmttool/tlsassementoutputfiles/outputfile20210726_151253_5641.csv

The generated summary report is a CSV file that includes the enabled TLS protocol version on each host and port. The CSV file is generated in the same directory from where the command is executed.

Sample output of the generated CSV file:

Name,Interface,Node,Port,TLSv1_2,TLSv1_1,TLSv1_0,HighestTLSPEnabled
CSCF,SBI, 1.2.3.4,8443,Yes,Yes,Yes,TLSv1_2
TMF,NBI, 1.2.3.5,994,Port Not Reachable,Port Not Reachable,Port Not Reachable,None
TMF,NBI, 1.2.3.5,567,Yes,Yes,No,TLSv1_2

where HighestTLSPEnabled is the highest TLS protocol version enabled on the given host and port.

--host <hostname/ipaddress> --port <portnumbers>

• hostname/ipaddress: hostname or IP address of the host
• portnumbers: series of ports, port numbers, or port ranges separated with a comma

Example command:

TLSVersionDetectorTool.py --host 127.0.0.1 --port 443

The output of the command provides the information about the highest TLS protocol version enabled on the given host and port.

Sample output:

In one or many hosts following the highest version of TLS protocol are enabled:

TLSv1_2

For more details, check the output file /var/opt/oss/nokianetworks-sm_tls_mgmttool/tlsassementoutputfiles/outputfile20210726_151253_5641.csv

The generated summary report is a CSV file that includes the enabled TLS protocol version on each host and port. The CSV file is generated in the same directory from where the command is executed.

Sample output of the generated CSV file:

Node,Port,TLSv1_2,TLSv1_1,TLSv1_0,HighestTLSPEnabled
127.0.0.1,443,Yes,Yes,Yes,TLSv1_2

where HighestTLSPEnabled is the highest TLS protocol version enabled on the given host and port.

--all_services

Shows the enabled TLS versions for all services registered in the TLS configuration management tool. The output provides the actual enabled TLS versions for each service that is registered in the TLS configuration management tool. This option requires all the NetAct services to be in the started state. It also performs a health check.

Note: The TLS protocol assessment tool excludes services that only communicate as clients.

--help, -h

Shows help.

Table 9: Supported options in the TLS protocol assessment tool

Note: For any issues or details, see the log file /var/opt/oss/log/nokianetworks-sm_tls_mgmttool/tlsversion_detector.log.
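The report format described in Table 9 (the pipe-delimited input file, one probe per protocol version and port, the Port Not Reachable marker and the HighestTLSPEnabled column) can be reproduced with a small stand-alone script, which also makes it usable as an independent check of the vCenter and ESXi reconfiguration in section 14.4 once the hosts have been rebooted: list the management addresses with their HTTPS port (443 by default) and port 5989 for the WBEM service in the input file and confirm that only TLSv1_2 is reported. The following is an added example written for this page; it is not the NetAct TLSVersionDetectorTool.py and not Nokia code. The function names (expand_ports, parse_input_file, probe_version, assess, to_csv, demo_report), the probing technique (one handshake pinned to a single protocol version), the constructed SAMPLE_INPUT and the offline fake_probe are this example's own assumptions.

```python
import csv
import io
import socket
import ssl
from typing import Callable, Dict, List, Optional

# Protocol columns in the order the CSV report uses; a probe answers True
# (handshake ok), False (version refused by the server) or None (TCP connect failed).
VERSIONS = ["TLSv1_2", "TLSv1_1", "TLSv1_0"]
_SSL_VERSION = {"TLSv1_2": ssl.TLSVersion.TLSv1_2, "TLSv1_1": ssl.TLSVersion.TLSv1_1,
                "TLSv1_0": ssl.TLSVersion.TLSv1}
COLUMNS = ["Name", "Interface", "Node", "Port", *VERSIONS, "HighestTLSPEnabled"]
UNREACHABLE = "Port Not Reachable"
ProbeFn = Callable[[str, int, str], Optional[bool]]

def expand_ports(spec: str) -> List[int]:
    """'994,567' -> [994, 567]; '8440-8443' -> [8440, 8441, 8442, 8443]."""
    ports: List[int] = []
    for part in (p.strip() for p in spec.split(",") if p.strip()):
        lo, _, hi = part.partition("-")
        ports.extend(range(int(lo), int(hi or lo) + 1))
    if any(not 1 <= p <= 65535 for p in ports):
        raise ValueError(f"port out of range in {spec!r}")
    return ports

def parse_input_file(text: str) -> List[Dict]:
    """Parse the '|'-delimited Name|Interface|Host|Ports lines of the input file."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        if not raw.strip():
            continue
        fields = [f.strip() for f in raw.split("|")]
        if len(fields) != 4:
            raise ValueError(f"line {lineno}: expected 4 '|'-separated fields, got {len(fields)}")
        entries.append(dict(zip(("name", "interface", "host", "ports"), fields)))
        entries[-1]["ports"] = expand_ports(entries[-1]["ports"])
    return entries

def probe_version(host: str, port: int, version: str, timeout: float = 5.0) -> Optional[bool]:
    """Real network probe: one handshake pinned to exactly `version`."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname, ctx.verify_mode = False, ssl.CERT_NONE  # protocol check, not cert check
    try:
        ctx.minimum_version = ctx.maximum_version = _SSL_VERSION[version]
    except ValueError as exc:                 # the local OpenSSL build cannot offer it at all
        raise RuntimeError(f"local OpenSSL cannot offer {version}") from exc
    try:
        ctx.set_ciphers("DEFAULT:@SECLEVEL=0")  # let OpenSSL still offer legacy 1.0/1.1 suites
    except ssl.SSLError:
        pass
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return None
    try:
        with ctx.wrap_socket(sock, server_hostname=host):
            return True
    except (ssl.SSLError, OSError):
        return False

def assess(entries: List[Dict], probe: ProbeFn = probe_version) -> List[Dict[str, str]]:
    """One report row per host/port; an unreachable port is flagged in every protocol column."""
    rows = []
    for e in entries:
        for port in e["ports"]:
            row = {"Name": e["name"], "Interface": e["interface"],
                   "Node": e["host"], "Port": str(port)}
            results: Dict[str, Optional[bool]] = {}
            for v in VERSIONS:
                results[v] = probe(e["host"], port, v)
                if results[v] is None:
                    break                       # unreachable: skip the remaining versions
            if None in results.values():
                row.update({v: UNREACHABLE for v in VERSIONS}, HighestTLSPEnabled="None")
            else:
                enabled = [v for v in VERSIONS if results[v]]
                row.update({v: "Yes" if results[v] else "No" for v in VERSIONS},
                           HighestTLSPEnabled=enabled[0] if enabled else "None")
            rows.append(row)
    return rows

def to_csv(rows: List[Dict[str, str]]) -> str:
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=COLUMNS, lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()

# Constructed sample input in the documented format plus a stand-in probe so the example
# runs offline: 1.2.3.5:994 is unreachable and 1.2.3.5:567 refuses TLSv1_0.
SAMPLE_INPUT = "CSCF|SBI|1.2.3.4|8443\nTMF|NBI|1.2.3.5|994,567\n"

def fake_probe(host: str, port: int, version: str) -> Optional[bool]:
    if port == 994:
        return None
    return version != "TLSv1_0" if port == 567 else True

def demo_report() -> str:
    """CSV for SAMPLE_INPUT; pass probe=probe_version to assess real hosts instead."""
    return to_csv(assess(parse_input_file(SAMPLE_INPUT), probe=fake_probe))
```

The probe deliberately disables certificate verification because the question is which protocol versions the server negotiates, not whether its certificate chain is trusted; a server that answers with a certificate error still counts as having accepted that protocol version. A port that does not accept TCP connections is reported in every protocol column, exactly as the tool's sample CSV shows, so that "not reachable" is never mistaken for "TLSv1 disabled".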

15.1.1.2 Checking TLS configuration state of NetAct system


Before enabling or disabling the TLS protocol in the NetAct services, you can check the TLS
configuration status of the NetAct system.

Prerequisites

• Before checking the TLS configuration status, ensure that all NetAct services are in the started
state.

Note: For the TLS configuration management tool to retrieve the configured TLS status from all NetAct services, the root SSH login must be enabled on all NetAct VMs. Alternatively, the TLS protocol assessment tool, which can be used to get the enabled TLS protocol version for all NetAct services, does not require enabling the root SSH login.

1. Log in as omc user to the NetAct VM hosting the dmgr service and switch to root user.

To locate the right VM, see Locating the right virtual machine for a service in Administering NetAct
Virtual Infrastructure.

2. Enable the root SSH login on all NetAct VMs if it is not enabled. For more information, see
Enabling root SSH login.

3. Check the TLS version protocol configuration state of the NetAct system by entering:

• [root] TLSConfigManagement.sh --systemState

Or

• [root] TLSConfigManagement.sh -s


The output of this command indicates the state of the TLSv1 and TLSv1.1 protocol version
configuration in the NetAct services.

• Sample output 1:

If the TLSv1 and TLSv1.1 protocols are disabled in all the NetAct services, then the sample output is:

Starting preliminary checks.
Reading TLS state of system.
System health check completed.
Status check for service: dirsrv
Successfully read the TLS status for service: dirsrv
Status check for service: dmgr
Successfully read the TLS status for service: dmgr
---
---
---
TLSv1 is disabled.
TLSv1.1 is disabled.

• Sample output 2:

If the TLSv1 and TLSv1.1 protocols are enabled in all the NetAct services, then the sample output is:

Starting preliminary checks.
Reading TLS state of system.
---
TLSv1 is enabled.
TLSv1.1 is enabled.

• Sample output 3:

If the TLSv1 and TLSv1.1 protocols have different statuses, then the output appears accordingly for each TLS version.

For example, if the TLSv1 protocol is disabled on all NetAct services and the TLSv1.1 protocol is enabled on all NetAct services, then the sample output is:

Starting preliminary checks.
Reading TLS state of system.
---
TLSv1 is disabled.
TLSv1.1 is possibly enabled.

• If the TLSv1 or TLSv1.1 protocol status is not uniform across all services, then the sample output is:

For example, if the TLSv1 protocol is disabled on a few NetAct services but enabled on the remaining NetAct services, and the TLSv1.1 protocol is enabled on all NetAct services, then the sample output is:

Starting preliminary checks.
Reading TLS state of system.
---
TLSv1 is partially enabled.
TLSv1.1 is enabled.

Note: In the DR environment, if a TLS configuration change is performed in the active site, then some services automatically sync their configuration update to the standby site. To avoid a partially configured TLS state in the standby site, Nokia recommends performing Syncing TLS states of all service between active and standby site. If the active site has a partially enabled TLS state, then configure the TLS version first to a completely enabled or disabled state on the active site before syncing the TLS state to the standby site.

4. Disable the root SSH login on all NetAct VMs if it was enabled in step 2. For more information, see
Disabling root SSH login.

15.1.1.3 Disabling TLS version from NetAct services


Even though TLSv1 and TLSv1.1 have known security issues (vulnerabilities), they are enabled by default in NetAct services to support older network elements and other systems that do not support higher versions of the TLS protocol. Hence, TLSv1 and TLSv1.1 cannot be disabled by default. If all the integrated network elements and higher-level systems use TLSv1.2 or a higher version, then both TLSv1 and TLSv1.1 can be disabled from NetAct services to improve security.

Note:

• Before disabling TLSv1 or TLSv1.1, ensure that all network elements and higher-level
systems which are integrated to NetAct use the TLS version mentioned in Table
10: TLS version to be disabled to connect to NetAct.

Table 10: TLS version to be disabled

TLS version to be disabled   Expected TLS versions supported by network elements or higher-level systems
TLSv1                        TLSv1.1 or higher version
TLSv1.1                      TLSv1.2 or higher version

• Disabling TLSv1 or TLSv1.1 involves service restarts, because of which there will be a
downtime and the script execution might be delayed.


• Disabling TLSv1 disables only TLSv1, whereas disabling TLSv1.1 disables both TLSv1 and
TLSv1.1.

1. Log in as omc user to the NetAct VM hosting the dmgr service and switch to root user.

To locate the right VM, see Locating the right virtual machine for a service in Administering NetAct
Virtual Infrastructure.

2. Enable the root SSH login on all NetAct VMs if it is not enabled. For more information, see
Enabling root SSH login.

3. Disable the TLS version by entering:

• [root] TLSConfigManagement.sh --disable <TLS version>

Or

• [root] TLSConfigManagement.sh -d <TLS version>

where <TLS version> is TLSv1 or TLSv1.1.

4. At the prompt, type y or yes. If you enter any other option apart from y or yes (case sensitive), the
tool is terminated.

Note: Confirmation prompts during execution of the tool can be suppressed with the --noPrompt
option.

[root] TLSConfigManagement.sh --disable <TLS version> --noPrompt

Or

[root] TLSConfigManagement.sh -d <TLS version> -n

where <TLS version> is TLSv1 or TLSv1.1.

After the confirmation, the tool starts configuring each of the services sequentially. For each
service, the necessary configuration changes and service restart are done by the tool internally. The
tool skips configuration for a service if the required TLS version is already disabled for that service.

If there is any service configuration failure, rollback is attempted for both the TLSv1 and TLSv1.1
configuration of the failed service to restore the previous state. Successful service configurations
are retained. After rollback, execution is terminated and the remaining service configurations are not
attempted.

Note:

• After the rollback for a failed service configuration fails, further execution of the TLS
configuration management tool is not allowed till the issue is marked resolved. For more
information, see Failed to revert configuration for service in Troubleshooting Security
Management.
• After the TLS version disabling is successful, see the Syncing TLS states of all
service between active and standby site section to sync the TLS states of services
between the active and the standby site.

5. Disable the root SSH login on all NetAct VMs if it was enabled in step 2. For more information, see
Disabling root SSH login.

Note: For the HPE SIM service, due to an OEM limitation, TLSv1 cannot be disabled on
external port number 50004 and on the internal ports used by the mxdomainmgr and mxdtf
services. These internal port numbers are dynamically selected (from the range 32768 to
61000) during service start-up.

15.1.1.4 Enabling TLS version in NetAct services


The TLS configuration management tool can be used to enable TLSv1 or TLSv1.1, if required.

Note: Enabling TLSv1 or TLSv1.1 involves service restarts, because of which there will be a
downtime and the script execution might be delayed.

1. Log in as omc user to the NetAct VM hosting the dmgr service and switch to root user.

To locate the right VM, see Locating the right virtual machine for a service in Administering NetAct
Virtual Infrastructure.

2. Enable the root SSH login on all NetAct VMs if it is not enabled. For more information, see
Enabling root SSH login.

3. Enable the TLS version by entering:

• [root] TLSConfigManagement.sh --enable <TLS version>

Or

• [root] TLSConfigManagement.sh -e <TLS version>

where <TLS version> is TLSv1 or TLSv1.1.

Note: If the higher TLS version (TLSv1.1) state of NetAct system is disabled or partially
enabled, then you cannot enable lower TLS version (TLSv1). Hence, before enabling the
lower TLS version, you must enable the higher TLS version.

4. At the prompt, type y or yes. If you enter any other option apart from y or yes (case sensitive), the
tool is terminated.

Note: Confirmation prompts during execution of the tool can be suppressed with the --noPrompt
option.

[root] TLSConfigManagement.sh --enable <TLS version> --noPrompt

Or

[root] TLSConfigManagement.sh -e <TLS version> -n

After the confirmation, the tool starts configuring each of the services sequentially. For each
service, the necessary configuration changes and service restart are done by the tool internally. The
tool skips configuration for a service if the required TLS version is already enabled for that service.

If there is any service configuration failure, rollback is attempted for both the TLSv1 and TLSv1.1
configuration of the failed service to restore the previous state. Successful service configurations are
retained. After rollback, execution is terminated and the remaining service configurations are not
attempted.

Note:

• After the rollback for a failed service configuration fails, further execution of the TLS
configuration management tool is not allowed till the issue is resolved. For more
information, see Failed to revert configuration for service in Troubleshooting Security
Management.
• After the TLS version enabling is successful, see the Syncing TLS states of all
service between active and standby site section to sync the TLS states of services
between the active and the standby site.

5. Disable the root SSH login on all NetAct VMs if it was enabled in step 2. For more information, see
Disabling root SSH login.

15.1.1.5 Managing TLS protocol configuration for Oracle EM Database Express


Oracle supports only one TLS version being enabled at any time. You must configure exactly one of the
TLS versions TLSv1.0, TLSv1.1, or TLSv1.2 for Oracle EM Database (DB) Express.

Note: In NetAct, TLSv1.2 is enabled by default from NetAct 18A SP1904 and later releases.
Once the TLS version is configured, the DB must be restarted.

1. Log in to DB VM as omc user and switch to root user.

2. Enable any one of the following TLS versions.


a) For TLSv1.0, enter:

[root@<DBVM>]# /opt/cpf/bin/cpforacle_manage_tls.sh --enable_tlsv1_0


Note: If TLSv1.0 is enabled, TLSv1.1 and TLSv1.2 are disabled.

b) For TLSv1.1, enter:

[root@<DBVM>]# /opt/cpf/bin/cpforacle_manage_tls.sh --enable_tlsv1_1

Note: If TLSv1.1 is enabled, TLSv1.0 and TLSv1.2 are disabled.

c) For TLSv1.2, enter:

[root@<DBVM>]# /opt/cpf/bin/cpforacle_manage_tls.sh --enable_tlsv1_2

Note: If TLSv1.2 is enabled, TLSv1.0 and TLSv1.1 are disabled.

3. Set the HPE SIM and DB into maintenance mode by entering:

[root@<DBVM>]# smanager.pl maintenance hpsim on

[root@<DBVM>]# smanager.pl maintenance db on

4. Stop HPE SIM and DB services by entering:

[root@<DBVM>]# smanager.pl stop service hpsim

[root@<DBVM>]# smanager.pl stop service db

5. Start DB and HPE SIM services by entering:

[root@<DBVM>]# smanager.pl start service db

[root@<DBVM>]# smanager.pl start service hpsim

6. Remove the maintenance mode for HPE SIM and DB by entering:

[root@<DBVM>]# smanager.pl maintenance hpsim off

[root@<DBVM>]# smanager.pl maintenance db off


7. Verify the configured TLS version by entering:

[root@<DBVM>]# openssl s_client -connect <DB Hostname>:1158 -<TLS version>

For the required TLS version, enter:

• tls1 for TLSv1.0
• tls1_1 for TLSv1.1
• tls1_2 for TLSv1.2

15.1.1.6 Taking backup of current TLS status of system


The TLS configuration management tool can be used to take a backup of the TLS configuration status,
which is helpful for restoring the system to the required configuration.

Prerequisites

• Before taking backup, ensure that all NetAct services are in the started state.

1. Log in as omc user to the NetAct VM hosting the dmgr service and switch to root user.

To locate the right NetAct VM, see Locating the right virtual machine for a service in Administering
NetAct Virtual Infrastructure.

2. Enable the root SSH login on all NetAct VMs if it is not enabled. For more information, see
Enabling root SSH login.

3. Take the backup by entering:

• [root] TLSConfigManagement.sh --backup

Or

• [root] TLSConfigManagement.sh -b

After the backup operation is successful, the backup is available in the
/var/opt/oss/nokianetworks-sm_tls_mgmttool/backup/backup_<year_month_day_hours_minutes_seconds>.properties
backup file.

4. Disable the root SSH login on all NetAct VMs if it was enabled in step 2. For more information, see
Disabling root SSH login.

15.1.1.7 Restoring TLS status of the system

You can restore the TLS status of the system based on the TLS configuration state stored in the
provided backup file using the TLS configuration management tool.


Note: The restore operation involves service restarts, because of which there will be a
downtime and the script execution might be delayed.

1. Log in as omc user to the NetAct VM hosting the dmgr service and switch to root user.

To locate the right NetAct VM, see Locating the right virtual machine for a service in Administering
NetAct Virtual Infrastructure.

2. Enable the root SSH login on all NetAct VMs if it is not enabled. For more information, see
Enabling root SSH login.

3. Perform restore by entering:

• [root] TLSConfigManagement.sh --restore --file <file_path>

Or

• [root] TLSConfigManagement.sh -r -f <file_path>

where <file_path> is the path of the backup file.

Backup files are present in the /var/opt/oss/nokianetworks-sm_tls_mgmttool/backup/ directory.

Sample command:

[root] TLSConfigManagement.sh -r -f /var/opt/oss/nokianetworks-sm_tls_mgmttool/backup/backup_2021_05_25_15_51_12.properties

4. At the prompt, type y or yes. If you enter any other option apart from y or yes (case sensitive), the
tool is terminated.

Note: The confirmation prompts during execution of the tool can be suppressed with the --noPrompt
option.

[root] TLSConfigManagement.sh --restore --file <file_path> --noPrompt

Or

[root] TLSConfigManagement.sh -r -f <file_path> -n

After confirmation, the tool starts configuring each of the services sequentially based on the
provided backup file. For each service, the necessary configuration changes and service restart
are done by the tool internally. If the required TLS version is already configured for the service,
then tool skips configuration for that service.


Note:

• If failed TLS states are present in the provided backup file, then the tool does not
allow restoring the system.
• If the system is in an unstable state where a lower TLS version is enabled and the
higher TLS version is disabled, then the tool does not allow restoring the system to
the required configuration.

If there is any service configuration failure, rollback is attempted for the failed service configuration to
restore the previous state. Successful service configurations are retained. After the rollback,
execution is terminated and the remaining service configurations are not attempted.

Note: After the rollback for a failed service configuration fails, further execution of the
TLS configuration management tool is not allowed till the issue is marked resolved.
For more information, see Failed to revert configuration for service in Troubleshooting
Security Management.

5. Disable the root SSH login on all NetAct VMs if it was enabled in step 2. For more information, see
Disabling root SSH login.
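The disable, enable and restore procedures above all apply the same ordering rules: the tool summarises per-service states as enabled, disabled or partially enabled; disabling TLSv1.1 also disables TLSv1; TLSv1 cannot be enabled while TLSv1.1 is disabled or partially enabled; and a restore is refused for a backup with failed states or with a lower version enabled above a disabled higher version. The following Python model is an added illustration of those rules, not the tool's own code; the service names, the per-service states and the "failed" status word are constructed, and the status strings follow the format shown in the --listBackup output.

```python
"""Model of the TLS protocol-state rules described for TLSConfigManagement.sh.

Added illustration only, not the tool's code. It aggregates constructed
per-service states into the tool's three summary states, applies the ordering
rules stated in the disable/enable procedures, parses a status string of the
form printed by --listBackup, and decides whether a restore would be allowed.
"""
import re

# Lowest to highest of the versions the tool manages.
VERSIONS = ("TLSv1", "TLSv1.1")

# Constructed per-service states: {version: {service: enabled?}}.
SAMPLE_SYSTEM = {
    "TLSv1":   {"dmgr": False, "ihs": True,  "nwi3": False},
    "TLSv1.1": {"dmgr": True,  "ihs": True,  "nwi3": True},
}


def summarize(states):
    """Collapse per-service booleans into 'enabled', 'disabled' or 'partially enabled'."""
    values = set(states.values())
    if values == {True}:
        return "enabled"
    if values == {False}:
        return "disabled"
    return "partially enabled"


def system_status(system):
    """One summary per version, like the 'Reading TLS state of system' output."""
    return {version: summarize(system[version]) for version in VERSIONS}


def disable(system, version):
    """Disable `version` on every service; disabling TLSv1.1 also disables TLSv1."""
    cutoff = VERSIONS.index(version)
    new = {v: dict(services) for v, services in system.items()}
    for v in VERSIONS[: cutoff + 1]:
        for service in new[v]:
            new[v][service] = False
    return new


def can_enable(system, version):
    """A lower version may be enabled only if every higher version is fully enabled."""
    for higher in VERSIONS[VERSIONS.index(version) + 1:]:
        state = summarize(system[higher])
        if state != "enabled":
            return False, f"{higher} is {state}; enable it before enabling {version}"
    return True, "ok"


# Matches entries such as 'TLSv1 is disabled.' in the TLS_VERSION_STATUS column.
STATUS_RE = re.compile(r"(TLSv1(?:\.1)?) is ([a-z ]+?)\.")


def parse_status(status):
    """Parse 'TLSv1 is disabled.TLSv1.1 is enabled.' into {version: state}."""
    return {version: state for version, state in STATUS_RE.findall(status)}


def can_restore(backup):
    """Refuse failed states ('failed' is a constructed word) and unstable orderings."""
    if "failed" in backup.values():
        return False, "backup contains failed TLS states"
    for lower, higher in zip(VERSIONS, VERSIONS[1:]):
        if backup.get(lower) == "enabled" and backup.get(higher) == "disabled":
            return False, f"unstable state: {lower} enabled while {higher} disabled"
    return True, "ok"


if __name__ == "__main__":
    print(system_status(SAMPLE_SYSTEM))
    print(can_enable(SAMPLE_SYSTEM, "TLSv1"))
    print(system_status(disable(SAMPLE_SYSTEM, "TLSv1.1")))
    for line in ("TLSv1.1 is disabled.TLSv1 is disabled.",
                 "TLSv1 is disabled.TLSv1.1 is enabled.",
                 "TLSv1 is enabled.TLSv1.1 is disabled."):
        print(line, "->", can_restore(parse_status(line)))
```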

15.1.1.8 Listing backup files


You can list the backup files along with their corresponding system status by using the TLS
configuration management tool.

1. Log in as omc user to the NetAct VM hosting the dmgr service and switch to root user.

To locate the right NetAct VM, see Locating the right virtual machine for a service in Administering
NetAct Virtual Infrastructure.

2. List the backup files by entering:

• [root] TLSConfigManagement.sh --listBackup

Or

• [root] TLSConfigManagement.sh -l

This shows the backup files and its corresponding status only if the backup files are present in the
/var/opt/oss/nokianetworks-sm_tls_mgmttool/backup directory.

Expected outcome

Sample output:


The backup files along with their corresponding system status present in the
/var/opt/oss/nokianetworks-sm_tls_mgmttool/backup directory are:

| SERIAL_NO | BACKUP_FILE_NAME                      | TLS_VERSION_STATUS                     |
-------------------------------------------------------------------------------------------
| 1         | backup_2021_05_25_15_51_12.properties | TLSv1.1 is disabled.TLSv1 is disabled. |
| 2         | backup_2021_05_25_15_48_46.properties | TLSv1 is disabled.TLSv1.1 is enabled.  |

15.1.1.9 Syncing TLS states of all service between active and standby site
In the DR environment, you can sync the TLS states of the services managed by the TLS
management framework from the active site to the standby site. This operation must be performed
after successful execution of the enable or disable TLS operation in the active site.

1. Log in as omc user to the NetAct VM in active site hosting the dmgr service and switch to root
user.

To locate the right VM, see Locating the right virtual machine for a service in Administering NetAct
Virtual Infrastructure.

2. Enable the root SSH login on all NetAct VMs if it is not enabled. For more information, see
Enabling root SSH login.

3. To sync status from active site to the standby site, enter:

• [root] TLSConfigManagement.sh --sync-to-standby-site --noPrompt

Or

• [root] TLSConfigManagement.sh -y -n

After the confirmation, the tool starts syncing the TLS states of all services from the active site to
the standby site. For each service, the necessary configuration changes and service restart are done
by the tool internally in the standby site.

Note: If the previous enable or disable TLS operation was not successful on the active
site, then the DR sync operation is not performed and the operation fails.

4. Disable the root SSH login on all NetAct VMs if it was enabled in step 2. For more information, see
Disabling root SSH login.


15.1.2 Managing TLS cipher configuration

15.1.2.1 Managing TLS ciphers in IHS server


By default, RC4 ciphers are disabled. However, you may have to enable RC4 cipher when required by
an application. For example, while integrating network elements such as OMS (LTE and WCDMA) and
mcRNC.

15.1.2.1.1 Disabling weak ciphers configuration in IHS

Note: Disabling the weak ciphers results in disabling the TLSv1 and TLSv1.1 protocols in the
IHS. Therefore, before disabling the weak ciphers, ensure that none of the clients requires
the TLSv1 or TLSv1.1 protocols for communication with the IHS.

To disable weak ciphers for all external ports on all IHS nodes, do the following:

Note: Disabling weak ciphers needs to be executed on only one VM that hosts the IHS
service.

1. Enable SSH login as root on all NetAct nodes. For information on how to enable root SSH login,
see Enabling root SSH login.

2. Log in as omc user to VM where dmgr service is running and switch to the root user.

3. To locate the VM where IHS service is running, enter:

[root]# /opt/cpf/sbin/netact_status.sh status | grep ihs

4. Log in to any one of the IHS VMs.

5. Ensure that IHS services are in started state in all nodes.

[root]# smanager.pl status service ihs


ihs-<nodename>:<nodename>:started
ihs-<nodename>:<nodename>:started

6. Disable the weak ciphers configuration for IHS services by entering:

[root]# perl /opt/cpf/bin/cpfihs_cipher_configuration.pl --configure -disable

After disabling the weak ciphers on all IHS nodes, the IHS service restarts automatically.

Logs can be found in /var/log/cpf/ihs/cpf_cipher_config_ihs.log.

Note:


• If the above operation fails, to restore the system, see Troubleshooting weak
Ciphers for IHS in Troubleshooting Security Management. Logs must be collected for
debugging.
• Disable the root login in all VMs if it was enabled as mentioned in the prerequisite.
For information on how to disable root login, see Disabling root SSH login.

15.1.2.1.2 Enabling weak ciphers configuration in IHS

To enable weak ciphers for all external ports on all IHS nodes, do the following:

Note: Enabling weak ciphers needs to be executed on only one VM that hosts the IHS
service.

1. Enable SSH login as root on all NetAct nodes. For information on how to enable root SSH login,
see Enabling root SSH login.

2. Log in as omc user to VM where dmgr service is running and switch to the root user.

3. To locate the VM where IHS service is running, enter:

[root]# /opt/cpf/sbin/netact_status.sh status | grep ihs

4. Log in to any one of the IHS VMs.

5. Ensure that IHS services are in started state in all nodes.

[root]# smanager.pl status service ihs


ihs-<nodename>:<nodename>:started
ihs-<nodename>:<nodename>:started

6. To enable the weak ciphers configuration on each IHS node, enter:

[root]# perl /opt/cpf/bin/cpfihs_cipher_configuration.pl --configure -enable

After enabling the weak ciphers on all IHS nodes, the IHS service restarts automatically.

Note:

• If the above operation fails, to restore the system, see Troubleshooting weak
Ciphers for IHS in Troubleshooting Security Management. Logs must be collected for
debugging.
• Disable the root login in all VMs if it was enabled as mentioned in the prerequisite.
For information on how to disable root login, see Disabling root SSH login.


15.1.2.2 Managing TLS ciphers in NWI3 HTTPS client

15.1.2.2.1 Enabling RC4 ciphers in NWI3 HTTPS client

When collecting audit logs from Flexi Release 2 BTS over HTTPS, the RC4 ciphers
SSL_RSA_WITH_RC4_128_SHA and SSL_RSA_WITH_RC4_128_MD5 must be enabled,
because Flexi Release 2 BTS supports only RC4 ciphers.

Follow the instructions below to enable the RC4 ciphers SSL_RSA_WITH_RC4_128_SHA and
SSL_RSA_WITH_RC4_128_MD5 in the NWI3 service:

1. Log in to the NetAct VM where the NWI3 service is running as the omc user. To locate the
right VM, see Locating the right virtual machine for a service in Administering NetAct Virtual
Infrastructure.

2. Enable the RC4 ciphers in NWI3 service by performing the following steps:
a) Update the configuration to enable RC4 ciphers by executing:

$NWI3_HOME/bin/enableRC4.sh

Expected outcome

There are two possible outputs of the command.

• If the RC4 ciphers SSL_RSA_WITH_RC4_128_SHA and SSL_RSA_WITH_RC4_128_MD5 are
already enabled, and no more steps are required, then the output is:

RC4 ciphers SSL_RSA_WITH_RC4_128_SHA and SSL_RSA_WITH_RC4_128_MD5 have been enabled already.

• If the output is the following, then perform the remaining steps to finish enabling the RC4 ciphers:

RC4 ciphers SSL_RSA_WITH_RC4_128_SHA and SSL_RSA_WITH_RC4_128_MD5 are enabled.

b) Restart the NWI3 service by:

• Stopping the NWI3 service in Administering NWI3 Southbound Interface.
• Starting the NWI3 service in Administering NWI3 Southbound Interface.

15.1.2.2.2 Disabling RC4 ciphers in NWI3 HTTPS client

Follow the instructions in this section to disable all RC4 ciphers on the HTTP client side of the NWI3 service.

1. Log in to the NetAct VM where the NWI3 service is running as the omc user. To locate the
right VM, see Locating the right virtual machine for a service in Administering NetAct Virtual
Infrastructure.


2. Disable the RC4 ciphers in NWI3 service by performing the following steps:
a) Update the configuration to disable RC4 ciphers by executing the following command:

$NWI3_HOME/bin/disableRC4.sh

Expected outcome

There are two possible outputs of the command.

• If the RC4 ciphers are already disabled, and no more steps are required, then the output is:

RC4 ciphers have been disabled already.

• If the output is the following, then perform the remaining steps to finish disabling the RC4 ciphers:

RC4 ciphers are disabled.

b) Restart the NWI3 service by:

• Stopping the NWI3 service in Administering NWI3 Southbound Interface.
• Starting the NWI3 service in Administering NWI3 Southbound Interface.

15.1.2.3 Managing TLS ciphers in httpd service

This section describes how to manage the TLS ciphers in the NE3S/WS httpd service. You can enable
or disable a specific cipher in the NE3S/WS httpd service.

15.1.2.3.1 Listing supported ciphers in NE3S/WS httpd service

Before enabling or disabling a specific cipher, you can get a list of all the supported ciphers in the
NE3S/WS httpd service.

1. Log in as omc user to any NetAct virtual machine (VM) hosting the httpd service, and then switch
to root user.

To locate the right VM, see Locating the right virtual machine for a service in Administering NetAct
Virtual Infrastructure.

2. List the supported ciphers by entering:

[root]# sh /opt/oss/NSN-ne3sws_httpd/bin/NE3SWS_HTTPD_cipher.sh --list

Sample output:

===========================================================
The supported cipher in NE3SWS httpd server
===========================================================
ECDHE-RSA-AES256-GCM-SHA384


ECDHE-RSA-AES256-SHA384
ECDHE-RSA-AES256-SHA
DHE-RSA-AES256-GCM-SHA384
DHE-RSA-AES256-SHA256
DHE-RSA-AES256-SHA
DHE-RSA-CAMELLIA256-SHA
AES256-SHA
CAMELLIA256-SHA
ECDHE-RSA-AES128-GCM-SHA256
ECDHE-RSA-AES128-SHA256
ECDHE-RSA-AES128-SHA
DHE-RSA-AES128-GCM-SHA256
DHE-RSA-AES128-SHA256
DHE-RSA-AES128-SHA
DHE-RSA-CAMELLIA128-SHA
AES128-SHA
CAMELLIA128-SHA
ECDHE-RSA-DES-CBC3-SHA
EDH-RSA-DES-CBC3-SHA

Expected outcome

The supported ciphers in the NE3S/WS httpd service are listed.

15.1.2.3.2 Disabling or enabling cipher in NE3S/WS httpd service

If none of the NE3S/WS based networks require a weak cipher, then you can disable the weak
cipher in the NE3S/WS httpd service. If you want a specific cipher to be supported in the NE3S/WS
httpd service, then you can enable the cipher.

Note: This operation impacts the communication with the NE3S/WS httpd service. Before
disabling a cipher, ensure that the cipher is not used by any NE3S/WS based network
element.

1. Log in as omc user to any NetAct virtual machine (VM) hosting the httpd service, and then switch
to root user.

To locate the right VM, see Locating the right virtual machine for a service in Administering NetAct
Virtual Infrastructure.

2. To disable or enable the cipher, do one of the following:

• Disable the cipher by entering:

[root]# sh /opt/oss/NSN-ne3sws_httpd/bin/NE3SWS_HTTPD_cipher.sh --disable '<one cipher name or multiple cipher names separated by comma>'


where <one cipher name or multiple cipher names separated by comma> is one or multiple
comma-separated:

• ciphers listed in Listing supported ciphers in NE3S/WS httpd service
• valid cipher strings like 3DES

For example:

[root]# sh /opt/oss/NSN-ne3sws_httpd/bin/NE3SWS_HTTPD_cipher.sh --
disable '3DES,AES128-SHA'

Sample output:

disable 3DES,AES128-SHA in NE3SWS httpd server
3DES is valid.
AES128-SHA is valid.
Removing old backups for /etc/httpd/conf/httpd.conf.
No need to clear old backups for /etc/httpd/conf/httpd.conf.
the /etc/httpd/conf/httpd.conf will be backed up as /etc/httpd/conf/httpd.conf.bak.20210726052205
Reloading httpd configuration.
Httpd configuration is reloaded successfully.
disable 3DES,AES128-SHA in NE3SWS httpd service on clab2323node12 successfully.

Or

• Enable the cipher by entering:

[root]# sh /opt/oss/NSN-ne3sws_httpd/bin/NE3SWS_HTTPD_cipher.sh --enable '<one cipher name or multiple cipher names separated by comma>'

where <one cipher name or multiple cipher names separated by comma> is one or multiple
comma-separated:

• ciphers listed in Listing supported ciphers in NE3S/WS httpd service
• valid cipher strings like 3DES

For example:

[root]# sh /opt/oss/NSN-ne3sws_httpd/bin/NE3SWS_HTTPD_cipher.sh --
enable '3DES,AES128-SHA'

Sample output:

enable 3DES,AES128-SHA in NE3SWS httpd server


3DES is valid.
AES128-SHA is valid.
Removing old backups for /etc/httpd/conf/httpd.conf.
No need to clear old backups for /etc/httpd/conf/httpd.conf.


the /etc/httpd/conf/httpd.conf will be backed up as /etc/httpd/conf/httpd.conf.bak.20210726052229
Reloading httpd configuration.
Httpd configuration is reloaded successfully.
enable 3DES,AES128-SHA in NE3SWS httpd service on clab2323node12
successfully.

3. Repeat step 1 and step 2 on the other httpd service nodes.

Note: For DR based NetAct, synchronize the cipher change on the standby site. For
more information, see Synchronizing cipher change on standby site for DR based
system.

Expected outcome

The cipher is disabled or enabled in the NE3S/WS httpd service.
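Before running NE3SWS_HTTPD_cipher.sh --disable with a cipher string such as 3DES, it is worth confirming which suites that string actually selects and that the exclusion removes exactly the suites you intend. The following Python check is an added example, not part of the NetAct tool: it takes the supported list printed by --list above, uses Python's ssl module (so the expansion reflects the local OpenSSL build), and assumes the exclusions are expressed as OpenSSL '!NAME' entries.

```python
"""Check what an OpenSSL cipher string selects before disabling suites in httpd.

Added example, not NetAct tool code. SUPPORTED is the list printed by
NE3SWS_HTTPD_cipher.sh --list on this page; the expansion uses the local
OpenSSL through Python's ssl module, so suites missing from that build
(for example CAMELLIA or 3DES) simply do not appear in the results.
"""
import ssl

SUPPORTED = [
    "ECDHE-RSA-AES256-GCM-SHA384", "ECDHE-RSA-AES256-SHA384", "ECDHE-RSA-AES256-SHA",
    "DHE-RSA-AES256-GCM-SHA384", "DHE-RSA-AES256-SHA256", "DHE-RSA-AES256-SHA",
    "DHE-RSA-CAMELLIA256-SHA", "AES256-SHA", "CAMELLIA256-SHA",
    "ECDHE-RSA-AES128-GCM-SHA256", "ECDHE-RSA-AES128-SHA256", "ECDHE-RSA-AES128-SHA",
    "DHE-RSA-AES128-GCM-SHA256", "DHE-RSA-AES128-SHA256", "DHE-RSA-AES128-SHA",
    "DHE-RSA-CAMELLIA128-SHA", "AES128-SHA", "CAMELLIA128-SHA",
    "ECDHE-RSA-DES-CBC3-SHA", "EDH-RSA-DES-CBC3-SHA",
]


def expand(cipher_string):
    """Suite names the local OpenSSL selects for an OpenSSL cipher string.

    A string that selects no TLS 1.2-or-lower suite on this build (a typo, or
    '3DES' where 3DES is compiled out) makes set_ciphers raise; report that as
    an empty selection so the caller sees the exclusion would be a no-op.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.set_ciphers(cipher_string)
    except ssl.SSLError:
        return []
    return [cipher["name"] for cipher in ctx.get_ciphers()]


def selected_supported(cipher_string):
    """Which of the httpd service's supported suites a string like '3DES' names."""
    names = set(expand(cipher_string))
    return [suite for suite in SUPPORTED if suite in names]


def exclusion_string(base, to_disable):
    """Build an OpenSSL list removing each comma-separated entry: 'ALL:!3DES:!AES128-SHA'."""
    entries = [entry.strip() for entry in to_disable.split(",") if entry.strip()]
    return ":".join([base] + [f"!{entry}" for entry in entries])


def remaining_after_disable(to_disable, base="ALL"):
    """Supported suites still offered after disabling `to_disable` relative to `base`."""
    allowed = set(expand(exclusion_string(base, to_disable)))
    return [suite for suite in SUPPORTED if suite in allowed]


def removed_by_disable(to_disable, base="ALL"):
    """Supported suites that disabling `to_disable` takes away relative to `base`."""
    before = set(expand(base))
    after = set(expand(exclusion_string(base, to_disable)))
    return [suite for suite in SUPPORTED if suite in before and suite not in after]


if __name__ == "__main__":
    # The page's own example: --disable '3DES,AES128-SHA'
    print("3DES expands to:", selected_supported("3DES"))
    print("removed:", removed_by_disable("3DES,AES128-SHA"))
    print("remaining:", remaining_after_disable("3DES,AES128-SHA"))
```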

15.1.2.3.3 Synchronizing cipher change on standby site for DR based system

If you change the cipher setting in the active site, then you must synchronize the change on the
standby site.

1. Check if the DR system is deployed or enabled. For more information, see Checking the status of
DR system in Administering NE3S/WS Southbound Interface.

Note: If the DR system is neither deployed nor enabled, skip this section.

2. Synchronize the cipher change on the standby site by entering the command that matches the
change made on the active site:
a) To disable the cipher, enter:

[root@db]# /opt/oss/NSN-dr/bin/drTransmitCommand.pl -service httpd -cmd "sh /opt/oss/NSN-ne3sws_httpd/bin/NE3SWS_HTTPD_cipher.sh --disable <cipher name>" -timeOut 800

b) To enable the cipher, enter:

[root@db]# /opt/oss/NSN-dr/bin/drTransmitCommand.pl -service httpd -cmd "sh /opt/oss/NSN-ne3sws_httpd/bin/NE3SWS_HTTPD_cipher.sh --enable <cipher name>" -timeOut 800

Note: For more information, see Changing the configuration of NE3S/WS mediation
on standby site in Administering NE3S/WS Southbound Interface.


Expected outcome

The cipher change is synchronized on the standby site for the DR based system.

15.1.2.4 Managing TLS ciphers in common_mediations

This section provides information on configuring the TLS ciphers in the common_mediations
service.

The tool for configuring TLS ciphers prints a console log while running; its detailed log is
stored in the /var/opt/oss/log/install/NSN-jbi_cpf/NE3SWSClientManagerCipherTool_xxxxx.log
log file on the common_mediations node.

15.1.2.4.1 Listing supported cipher in common_mediations service

Before enabling or disabling a specific cipher, you can get a list of all the supported ciphers in the
common_mediations service.

1. Log in as omc user to each NetAct virtual machine (VM) hosting the common_mediations
service, and then switch to esbadmin user.

To locate the right VM, see Locating the right virtual machine for a service in Administering NetAct
Virtual Infrastructure.

2. List the currently configured ciphers by entering:

[esbadmin@xxxxx ~]$ sh /opt/oss/NSN-common_mediations/smx/mf-persistance/NE3SWSClientManagerCipherTool.sh --list

Sample output:

Currently configured cipher:
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,
TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384,
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,TLS_DHE_DSS_WITH_AES_256_GCM_SHA384,
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_128_GCM_SHA256,
TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256,
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384,
TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384,TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,
TLS_DHE_DSS_WITH_AES_256_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,
TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,
TLS_DHE_RSA_WITH_AES_256_CBC_SHA,TLS_DHE_DSS_WITH_AES_256_CBC_SHA,
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256,
TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256,TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,
TLS_DHE_DSS_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,
TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,
TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_DSS_WITH_AES_128_CBC_SHA,
TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,
SSL_RSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,
TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA,
SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA,TLS_EMPTY_RENEGOTIATION_INFO_SCSV

Expected outcome

The supported ciphers in the common_mediations service are listed.

15.1.2.4.2 Restoring default cipher setting in common_mediations service

If you encounter an issue and want to clear the cipher setting in the common_mediations service, you
can restore the default cipher setting.

1. Log in as omc user to each NetAct virtual machine (VM) hosting the common_mediations
service, and then switch to esbadmin user.

To locate the right VM, see Locating the right virtual machine for a service in Administering NetAct
Virtual Infrastructure.

2. Set the default ciphers by entering:

[esbadmin@xxxxx ~]$ sh /opt/oss/NSN-common_mediations/smx/mf-persistance/NE3SWSClientManagerCipherTool.sh --setdefault

Sample output:

executing: /opt/oss/NSN-common_mediations/smx/mf-persistance/NE3SWSClientManagerCipherTool.sh -setdefault
Successfully updated the /opt/oss/NSN-common_mediations/smx/mf-conf/cipher-enable-list according to /opt/oss/NSN-common_mediations/smx/mf-conf/cipher-disable-list.
After using the tool to configure the cipher, the cipher-enable-list is equal to the properties file minus cipher-disable-list.

Expected outcome

The default cipher setting is restored in the common_mediations service.


15.1.2.4.3 Disabling or enabling ciphers in common_mediations service

If none of the communications with the common_mediations service requires a weak cipher, you can
disable that cipher in the common_mediations service. If you want a specific cipher to be supported
in the common_mediations service, you can enable that cipher.

1. Log in as omc user to any NetAct virtual machine (VM) hosting the common_mediations service,
and then switch to esbadmin user.

To locate the right VM, see Locating the right virtual machine for a service in Administering NetAct
Virtual Infrastructure.

2. To configure the ciphers for the common_mediations service, do one of the following:

• Disable the cipher by entering:


sh /opt/oss/NSN-common_mediations/smx/mf-persistance/NE3SWSClientManagerCipherTool.sh --disable "<One or more complete cipher names, separated by commas>"

where "<One or more complete cipher names, separated by commas>" is the comma-separated list of cipher names.

Note: The pair of quotation marks is mandatory, whether you disable a single cipher or
multiple ciphers.

For example:

[esbadmin@xxxxx ~]$ sh /opt/oss/NSN-common_mediations/smx/mf-persistance/NE3SWSClientManagerCipherTool.sh --disable "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384"

Sample output:

executing: /opt/oss/NSN-common_mediations/smx/mf-persistance/NE3SWSClientManagerCipherTool.sh --disable TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384
Successfully updated the /opt/oss/NSN-common_mediations/smx/mf-conf/cipher-enable-list according /opt/oss/NSN-common_mediations/smx/mf-conf/cipher-disable-list.
After using the tool to configure the cipher, the cipher-enable-list is equal to the properties file minus the cipher-disable-list.

Note: If all ciphers are disabled, then the default cipher configuration is set by the
startup script.

Or

• Enable the cipher by entering:


sh /opt/oss/NSN-common_mediations/smx/mf-persistance/NE3SWSClientManagerCipherTool.sh --enable "<One or more complete cipher names, separated by commas>"

where "<One or more complete cipher names, separated by commas>" is the comma-separated list of cipher names.

Note: The pair of quotation marks is mandatory, whether you enable a single cipher or
multiple ciphers.

For example:

[esbadmin@xxxxx ~]$ sh /opt/oss/NSN-common_mediations/smx/mf-persistance/NE3SWSClientManagerCipherTool.sh --enable "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384"

Sample output:

executing: /opt/oss/NSN-common_mediations/smx/mf-persistance/NE3SWSClientManagerCipherTool.sh --enable TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384
Successfully updated the file(/opt/oss/NSN-common_mediations/smx/mf-conf/cipher-enable-list according to /opt/oss/NSN-common_mediations/smx/mf-conf/cipher-disable-list.
After using the tool to configure the cipher, the cipher-enable-list is equal to the properties file minus the cipher-disable-list.

3. For the new cipher configuration to take effect, switch to root user and restart the
common_mediations service by entering:

[root]# smanager.pl stop service common_mediations-<node name>
[root]# smanager.pl start service common_mediations-<node name>

After the tool completes the cipher configuration, watch for errors while the mediation restarts. If
an error is related to this cipher configuration, restore the previous cipher configuration, that is,
re-enable the ciphers that you disabled.

4. Repeat step 2 and step 3 on the other common_mediations service nodes.

Note: For a DR-based NetAct system, after the change takes effect on the active site, the
cipher disable and enable list files are generated or updated.

• The cipher disable and enable list files are automatically synchronized to
the standby site by the DR system. To activate the configurations, restart the
common_mediations services on the standby site.
• You can also manually synchronize the cipher disable and enable list files
immediately by repeating step 1 to step 4 on the standby site.


Expected outcome

The ciphers are disabled or enabled in the common_mediations service.

15.1.2.5 Managing TLS ciphers in NBI

15.1.2.5.1 Disabling DES ciphers

For information about disabling DES ciphers, see Enabling and disabling SSL/TLS cipher suites (SHA
and DES) for RESTDA HTTP interface in RESTful Web Service Data Access API.

15.1.2.6 Managing TLS ciphers in directory server

15.1.2.6.1 Enabling or disabling ciphers in directory server

1. Log in as omc user to the VM where dmgr service is running and switch to root user.

To locate the right VM, see Locating the right virtual machine for a service in Administering NetAct
Virtual Infrastructure.

2. Obtain the password of the cn=Manager account by entering:

[root]# /opt/nokia/oss/bin/syscredacc.sh -user cn=Manager -type DS

Sample output

[case-sensitive password]

3. Log in to the VM hosting the dirsrv service as omc user and switch to root user.

4. Set dirsrv and dirsrv-secondary services to maintenance mode:


a) Set dirsrv service to maintenance mode by entering:

[root]# smanager.pl maintenance dirsrv on

Expected outcome

Service dirsrv maintenance mode is set to on

b) Set dirsrv-secondary service to maintenance mode by entering:

[root]# smanager.pl maintenance dirsrv-secondary on


Expected outcome

Service dirsrv-secondary maintenance mode is set to on

5. Obtain the existing cipher configurations by entering:

[root]# ldapsearch -h localhost -W -D "cn=manager" -b "cn=encryption,cn=config" nsSSL3Ciphers | perl -p00e 's/\r?\n //g' | grep nsSSL3Ciphers | grep -v "#"

When prompted with Enter LDAP password, enter the password of the cn=Manager user.

Sample output

nsSSL3Ciphers: +all,-TLS_RSA_WITH_RC4_128_MD5,+TLS_RSA_WITH_RC4_128_SHA,+TLS_RSA_WITH_3DES_EDE_CBC_SHA,-TLS_RSA_WITH_DES_CBC_SHA,-TLS_RSA_WITH_NULL_MD5,-TLS_RSA_WITH_NULL_SHA,-TLS_DHE_DSS_WITH_DES_CBC_SHA,+TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,-TLS_DHE_RSA_WITH_DES_CBC_SHA,+TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_RSA_WITH_AES_128_CBC_SHA,+TLS_DHE_DSS_WITH_AES_128_CBC_SHA,+TLS_DHE_RSA_WITH_AES_128_CBC_SHA,+TLS_RSA_WITH_AES_256_CBC_SHA,+TLS_DHE_DSS_WITH_AES_256_CBC_SHA,+TLS_DHE_RSA_WITH_AES_256_CBC_SHA,+TLS_DHE_DSS_WITH_RC4_128_SHA

6. To enable weak ciphers, use + before each cipher name. To disable weak ciphers, use - before
each cipher name. For the list of supported DirSrv ciphers, see Supported dirsrv ciphers.

7. Create a <filename>.txt file under the /var/tmp directory and add the following entry:

For example:

[root]# cat /var/tmp/cipher_input.txt
+all,-TLS_RSA_WITH_RC4_128_MD5,+TLS_RSA_WITH_RC4_128_SHA,+TLS_RSA_WITH_3DES_EDE_CBC_SHA,-TLS_RSA_WITH_DES_CBC_SHA,-TLS_RSA_WITH_NULL_MD5,-TLS_RSA_WITH_NULL_SHA,-TLS_DHE_DSS_WITH_DES_CBC_SHA,+TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,-TLS_DHE_RSA_WITH_DES_CBC_SHA,+TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_RSA_WITH_AES_128_CBC_SHA,+TLS_DHE_DSS_WITH_AES_128_CBC_SHA,+TLS_DHE_RSA_WITH_AES_128_CBC_SHA,+TLS_RSA_WITH_AES_256_CBC_SHA,+TLS_DHE_DSS_WITH_AES_256_CBC_SHA,+TLS_DHE_RSA_WITH_AES_256_CBC_SHA,+TLS_DHE_DSS_WITH_RC4_128_SHA

Note:

• The entry contains the result from step 5 and the modifications made to define which
ciphers are enabled or disabled. To avoid any issues, make sure that there is no
space or carriage return within the one-liner entry.


• Ensure that the created /var/tmp/<filename>.txt cipher file contains all the needed cipher
configurations, because this operation always overwrites the existing cipher configuration.

8. Apply the updates to the nsSSL3Ciphers entry by entering:

[root]# /opt/cpf/bin/cpfrhdsconf_configure_instance_parameters.sh --DN='cn=encryption,cn=config' --attribute=nsSSL3Ciphers --value=$(cat /var/tmp/<filename>.txt)

For example:

[root]# /opt/cpf/bin/cpfrhdsconf_configure_instance_parameters.sh --DN='cn=encryption,cn=config' --attribute=nsSSL3Ciphers --value=$(cat /var/tmp/cipher_input.txt)

Sample output

/opt/cpf/bin/cpfrhdsconf_configure_instance_parameters.sh begins
Setting value of nsSSL3Ciphers in cn=encryption,cn=config to +all,-SSL_CK_RC4_128_WITH_MD5,-SSL_CK_RC4_128_EXPORT40_WITH_MD5, ... -TLS_DHE_DSS_WITH_RC4_128_SHA
executing: /usr/bin/ldapmodify -h localhost -D "cn=manager" -w "########"
exited with code 0
executing: /usr/bin/ldapsearch -LLL -s base -h localhost -D "cn=manager" -w "########" -b "cn=encryption,cn=config" "(objectclass=*)" nsSSL3Ciphers
exited with code 0
/opt/cpf/bin/cpfrhdsconf_configure_instance_parameters.sh ends

9. Copy the created cipher file to the VM hosting the dirsrv-secondary service by entering:

[root]# scp /var/tmp/<filename>.txt omc@<hostname_dirsrv_secondary>:/var/tmp

For example:

[root]# scp /var/tmp/cipher_input.txt omc@custvm05:/var/tmp
omc@custvm05's password:

Note: When prompted, enter the password of omc user.


Sample output

cipher_input.txt 100% 522 33.4KB/s 00:00

10. Log in to the VM hosting the dirsrv-secondary service as omc user and switch to root user.

11. Update the nsSSL3Ciphers entry on the VM hosting the dirsrv-secondary service by entering:

[root]# /opt/cpf/bin/cpfrhdsconf_configure_instance_parameters.sh --DN='cn=encryption,cn=config' --attribute=nsSSL3Ciphers --value=$(cat /var/tmp/<filename>.txt)

For example:

[root]# /opt/cpf/bin/cpfrhdsconf_configure_instance_parameters.sh --DN='cn=encryption,cn=config' --attribute=nsSSL3Ciphers --value=$(cat /var/tmp/cipher_input.txt)

Sample output

/opt/cpf/bin/cpfrhdsconf_configure_instance_parameters.sh begins
Setting value of nsSSL3Ciphers in cn=encryption,cn=config to +all,-SSL_CK_RC4_128_WITH_MD5,-SSL_CK_RC4_128_EXPORT40_WITH_MD5, ... -TLS_DHE_DSS_WITH_RC4_128_SHA
executing: /usr/bin/ldapmodify -h localhost -D "cn=manager" -w "########"
exited with code 0
executing: /usr/bin/ldapsearch -LLL -s base -h localhost -D "cn=manager" -w "########" -b "cn=encryption,cn=config" "(objectclass=*)" nsSSL3Ciphers
exited with code 0
/opt/cpf/bin/cpfrhdsconf_configure_instance_parameters.sh ends

12. Restart the directory server on the VM hosting the dirsrv-secondary service by entering:

[root]# systemctl restart cpfdirsrv

a) Check whether the dirsrv-secondary service is active by entering:

[root]# systemctl is-active cpfdirsrv

Sample output

active

13. Log in to the VM hosting the dirsrv service as omc user and switch to root user.

14. Restart the directory server by entering:

[root]# systemctl restart cpfdirsrv


a) Check the status by entering:

[root]# systemctl is-active cpfdirsrv

Sample output

active

15. Remove dirsrv and dirsrv-secondary services from the maintenance mode.

a) Remove the dirsrv service from the maintenance mode by entering:

[root]# smanager.pl maintenance dirsrv off

Expected outcome

Service dirsrv maintenance mode is set to off

b) Remove the dirsrv-secondary service from the maintenance mode by entering:

[root]# smanager.pl maintenance dirsrv-secondary off

Expected outcome

Service dirsrv-secondary maintenance mode is set to off

16. Verify that the changes are reflected by repeating step 5 on dirsrv and dirsrv-secondary
VMs.

17. Remove the /var/tmp/<filename>.txt file from both dirsrv VMs by entering:

[root]# rm -rf /var/tmp/<filename>.txt
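Steps 5 to 8 edit the nsSSL3Ciphers value by hand, and the note in step 7 warns that a stray space or line break in the one-liner breaks the update. The following Python helper is an added example, not part of NetAct or its cpfrhdsconf tooling: it parses the ldapsearch output from step 5, flips the + or - prefix of chosen ciphers, validates the resulting one-liner, and reports which weak ciphers from Table 11 the +all prefix still leaves enabled. It assumes the 389-ds rule that a leading +all enables every cipher not explicitly prefixed with -, and WEAK_CIPHERS is a constructed subset of the Weak rows of Table 11.

```python
"""Edit and audit a dirsrv nsSSL3Ciphers value (added example, not NetAct code).

Assumption: as in 389-ds, a leading "+all" enables every cipher that is not
explicitly prefixed with "-" later in the list.
"""
import re

# Constructed subset of the "Weak" rows of Table 11 (Supported dirsrv ciphers).
WEAK_CIPHERS = frozenset({
    "TLS_RSA_WITH_RC4_128_MD5",
    "TLS_RSA_WITH_RC4_128_SHA",
    "TLS_DHE_DSS_WITH_RC4_128_SHA",
    "TLS_RSA_WITH_DES_CBC_SHA",
    "TLS_DHE_DSS_WITH_DES_CBC_SHA",
    "TLS_DHE_RSA_WITH_DES_CBC_SHA",
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    "TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA",
    "TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA",
    "TLS_RSA_WITH_SEED_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_NULL_SHA",
    "TLS_RSA_WITH_NULL_MD5",
    "TLS_RSA_WITH_NULL_SHA",
})

# One list entry: a sign followed by a cipher suite name or the keyword "all".
_ENTRY = re.compile(r"^([+-])([A-Za-z0-9_]+)$")


def parse_cipher_spec(text):
    """Parse "nsSSL3Ciphers: +all,-X,+Y" (or the bare value) into [(flag, name)].

    Rejects whitespace inside the value, which is what the step 7 note warns
    about, and any entry that is not a signed cipher name.
    """
    value = text.strip()
    if value.startswith("nsSSL3Ciphers:"):
        value = value[len("nsSSL3Ciphers:"):].strip()
    if re.search(r"\s", value):
        raise ValueError("whitespace inside the cipher value: %r" % value)
    entries = []
    for item in value.split(","):
        match = _ENTRY.match(item)
        if match is None:
            raise ValueError("malformed entry: %r" % item)
        entries.append((match.group(1), match.group(2)))
    return entries


def format_cipher_spec(entries):
    """Serialize entries back into the one-liner for /var/tmp/<filename>.txt."""
    return ",".join(flag + name for flag, name in entries)


def set_ciphers(entries, disable=(), enable=()):
    """Return a copy of entries with the given ciphers set to "-" or "+".

    A cipher already in the list keeps its position and only its sign changes;
    a cipher not yet listed is appended, so the leading "+all" stays first.
    """
    wanted = {name: "-" for name in disable}
    wanted.update((name, "+") for name in enable)
    result = []
    for flag, name in entries:
        result.append((wanted.pop(name, flag), name))
    for name, flag in wanted.items():
        result.append((flag, name))
    return result


def enabled_weak_ciphers(entries, weak=WEAK_CIPHERS):
    """Sorted weak ciphers the server would still offer under this value.

    An explicit "+" enables and an explicit "-" disables; an unlisted cipher
    is enabled only when "+all" appears in the list (the assumption above).
    """
    all_on = ("+", "all") in entries
    explicit = {name: flag for flag, name in entries if name != "all"}
    return sorted(c for c in weak
                  if explicit.get(c) == "+" or (c not in explicit and all_on))


def write_cipher_file(path, entries):
    """Write the step 7 one-liner and re-read it to confirm it still parses."""
    with open(path, "w") as fh:
        fh.write(format_cipher_spec(entries) + "\n")  # $(cat ...) drops the newline
    with open(path) as fh:
        return parse_cipher_spec(fh.read()) == entries


# Constructed from the step 5 sample output on this page.
STEP5_OUTPUT = (
    "nsSSL3Ciphers: +all,-TLS_RSA_WITH_RC4_128_MD5,+TLS_RSA_WITH_RC4_128_SHA,"
    "+TLS_RSA_WITH_3DES_EDE_CBC_SHA,-TLS_RSA_WITH_DES_CBC_SHA,-TLS_RSA_WITH_NULL_MD5,"
    "-TLS_RSA_WITH_NULL_SHA,-TLS_DHE_DSS_WITH_DES_CBC_SHA,"
    "+TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,-TLS_DHE_RSA_WITH_DES_CBC_SHA,"
    "+TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_RSA_WITH_AES_128_CBC_SHA,"
    "+TLS_DHE_DSS_WITH_AES_128_CBC_SHA,+TLS_DHE_RSA_WITH_AES_128_CBC_SHA,"
    "+TLS_RSA_WITH_AES_256_CBC_SHA,+TLS_DHE_DSS_WITH_AES_256_CBC_SHA,"
    "+TLS_DHE_RSA_WITH_AES_256_CBC_SHA,+TLS_DHE_DSS_WITH_RC4_128_SHA"
)

if __name__ == "__main__":
    import tempfile
    current = parse_cipher_spec(STEP5_OUTPUT)
    print("weak ciphers still offered:", enabled_weak_ciphers(current))
    hardened = set_ciphers(current, disable=[
        "TLS_RSA_WITH_RC4_128_SHA", "TLS_DHE_DSS_WITH_RC4_128_SHA",
        "TLS_RSA_WITH_SEED_CBC_SHA"])
    print("after hardening:", enabled_weak_ciphers(hardened))
    # Temporary stand-in for /var/tmp/<filename>.txt from step 7.
    path = tempfile.NamedTemporaryFile(suffix=".txt", delete=False).name
    print("file written and re-parsed OK:", write_cipher_file(path, hardened))
```

Note that the RC4 and 3DES entries carrying a + in the step 5 sample, and any weak cipher absent from the list, remain negotiable until an explicit - entry is added for each of them.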

15.1.2.6.1.1 Supported dirsrv ciphers

Table 11: Cipher suite name lists the DirSrv ciphers and their order. The DirSrv ciphers are ordered
from strong to weak. If disabling any weak cipher causes a connection problem, enable the weak cipher
by following the instructions in Enabling or disabling ciphers in directory server.

Cipher suite name | Weak/Strong cipher | Disabled | Enabled
----------------- | ------------------ | -------- | -------
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 | Strong | -TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 | +TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 | Strong | -TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 | +TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 | Strong | -TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 | +TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 | Strong | -TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 | +TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 | Strong | -TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 | +TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 | Strong | -TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 | +TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 | Strong | -TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 | +TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 | Strong | -TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 | +TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 | Strong | -TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 | +TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 | Strong | -TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 | +TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 | Strong | -TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 | +TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 | Strong | -TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 | +TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
TLS_DHE_DSS_WITH_AES_256_GCM_SHA384 | Strong | -TLS_DHE_DSS_WITH_AES_256_GCM_SHA384 | +TLS_DHE_DSS_WITH_AES_256_GCM_SHA384
TLS_DHE_DSS_WITH_AES_128_GCM_SHA256 | Strong | -TLS_DHE_DSS_WITH_AES_128_GCM_SHA256 | +TLS_DHE_DSS_WITH_AES_128_GCM_SHA256
TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 | Strong | -TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 | +TLS_DHE_DSS_WITH_AES_256_CBC_SHA256
TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 | Strong | -TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 | +TLS_DHE_DSS_WITH_AES_128_CBC_SHA256
TLS_RSA_WITH_AES_256_GCM_SHA384 | Strong | -TLS_RSA_WITH_AES_256_GCM_SHA384 | +TLS_RSA_WITH_AES_256_GCM_SHA384
TLS_RSA_WITH_AES_128_GCM_SHA256 | Strong | -TLS_RSA_WITH_AES_128_GCM_SHA256 | +TLS_RSA_WITH_AES_128_GCM_SHA256
TLS_RSA_WITH_AES_256_CBC_SHA256 | Strong | -TLS_RSA_WITH_AES_256_CBC_SHA256 | +TLS_RSA_WITH_AES_256_CBC_SHA256
TLS_RSA_WITH_AES_128_CBC_SHA256 | Strong | -TLS_RSA_WITH_AES_128_CBC_SHA256 | +TLS_RSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 | Strong | -TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 | +TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 | Strong | -TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 | +TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256 | Strong | -TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256 | +TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA | Weak | -TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA | +TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA | Weak | -TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA | +TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA | Weak | -TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA | +TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA | Weak | -TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA | +TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA | Weak | -TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA | +TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA
TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA | Weak | -TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA | +TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA
TLS_ECDH_RSA_WITH_AES_128_CBC_SHA | Weak | -TLS_ECDH_RSA_WITH_AES_128_CBC_SHA | +TLS_ECDH_RSA_WITH_AES_128_CBC_SHA
TLS_ECDH_RSA_WITH_AES_256_CBC_SHA | Weak | -TLS_ECDH_RSA_WITH_AES_256_CBC_SHA | +TLS_ECDH_RSA_WITH_AES_256_CBC_SHA
TLS_DHE_RSA_WITH_AES_256_CBC_SHA | Weak | -TLS_DHE_RSA_WITH_AES_256_CBC_SHA | +TLS_DHE_RSA_WITH_AES_256_CBC_SHA
TLS_DHE_RSA_WITH_AES_128_CBC_SHA | Weak | -TLS_DHE_RSA_WITH_AES_128_CBC_SHA | +TLS_DHE_RSA_WITH_AES_128_CBC_SHA
TLS_DHE_DSS_WITH_AES_256_CBC_SHA | Weak | -TLS_DHE_DSS_WITH_AES_256_CBC_SHA | +TLS_DHE_DSS_WITH_AES_256_CBC_SHA
TLS_DHE_DSS_WITH_AES_128_CBC_SHA | Weak | -TLS_DHE_DSS_WITH_AES_128_CBC_SHA | +TLS_DHE_DSS_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_256_CBC_SHA | Weak | -TLS_RSA_WITH_AES_256_CBC_SHA | +TLS_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA | Weak | -TLS_RSA_WITH_AES_128_CBC_SHA | +TLS_RSA_WITH_AES_128_CBC_SHA
TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA | Weak | -TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA | +TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA
TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA | Weak | -TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA | +TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA
TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA | Weak | -TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA | +TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA
TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA | Weak | -TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA | +TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA
TLS_RSA_WITH_CAMELLIA_256_CBC_SHA | Weak | -TLS_RSA_WITH_CAMELLIA_256_CBC_SHA | +TLS_RSA_WITH_CAMELLIA_256_CBC_SHA
TLS_RSA_WITH_CAMELLIA_128_CBC_SHA | Weak | -TLS_RSA_WITH_CAMELLIA_128_CBC_SHA | +TLS_RSA_WITH_CAMELLIA_128_CBC_SHA
TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA | Weak | -TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA | +TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA | Weak | -TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA | +TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA | Weak | -TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA | +TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA
TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA | Weak | -TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA | +TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA
TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA | Weak | -TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA | +TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA | Weak | -TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA | +TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA
TLS_RSA_WITH_3DES_EDE_CBC_SHA | Weak | -TLS_RSA_WITH_3DES_EDE_CBC_SHA | +TLS_RSA_WITH_3DES_EDE_CBC_SHA
TLS_DHE_RSA_WITH_DES_CBC_SHA | Weak | -TLS_DHE_RSA_WITH_DES_CBC_SHA | +TLS_DHE_RSA_WITH_DES_CBC_SHA
TLS_DHE_DSS_WITH_DES_CBC_SHA | Weak | -TLS_DHE_DSS_WITH_DES_CBC_SHA | +TLS_DHE_DSS_WITH_DES_CBC_SHA
TLS_RSA_WITH_DES_CBC_SHA | Weak | -TLS_RSA_WITH_DES_CBC_SHA | +TLS_RSA_WITH_DES_CBC_SHA
TLS_ECDHE_ECDSA_WITH_RC4_128_SHA | Weak | -TLS_ECDHE_ECDSA_WITH_RC4_128_SHA | +TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
TLS_ECDHE_RSA_WITH_RC4_128_SHA | Weak | -TLS_ECDHE_RSA_WITH_RC4_128_SHA | +TLS_ECDHE_RSA_WITH_RC4_128_SHA
TLS_ECDH_ECDSA_WITH_RC4_128_SHA | Weak | -TLS_ECDH_ECDSA_WITH_RC4_128_SHA | +TLS_ECDH_ECDSA_WITH_RC4_128_SHA
TLS_ECDH_RSA_WITH_RC4_128_SHA | Weak | -TLS_ECDH_RSA_WITH_RC4_128_SHA | +TLS_ECDH_RSA_WITH_RC4_128_SHA
TLS_DHE_DSS_WITH_RC4_128_SHA | Weak | -TLS_DHE_DSS_WITH_RC4_128_SHA | +TLS_DHE_DSS_WITH_RC4_128_SHA
TLS_RSA_WITH_RC4_128_SHA | Weak | -TLS_RSA_WITH_RC4_128_SHA | +TLS_RSA_WITH_RC4_128_SHA
TLS_RSA_WITH_RC4_128_MD5 | Weak | -TLS_RSA_WITH_RC4_128_MD5 | +TLS_RSA_WITH_RC4_128_MD5
TLS_RSA_WITH_SEED_CBC_SHA | Weak | -TLS_RSA_WITH_SEED_CBC_SHA | +TLS_RSA_WITH_SEED_CBC_SHA
TLS_ECDHE_ECDSA_WITH_NULL_SHA | Weak | -TLS_ECDHE_ECDSA_WITH_NULL_SHA | +TLS_ECDHE_ECDSA_WITH_NULL_SHA
TLS_ECDHE_RSA_WITH_NULL_SHA | Weak | -TLS_ECDHE_RSA_WITH_NULL_SHA | +TLS_ECDHE_RSA_WITH_NULL_SHA
TLS_ECDH_ECDSA_WITH_NULL_SHA | Weak | -TLS_ECDH_ECDSA_WITH_NULL_SHA | +TLS_ECDH_ECDSA_WITH_NULL_SHA
TLS_ECDH_RSA_WITH_NULL_SHA | Weak | -TLS_ECDH_RSA_WITH_NULL_SHA | +TLS_ECDH_RSA_WITH_NULL_SHA
TLS_RSA_WITH_NULL_SHA256 | Weak | -TLS_RSA_WITH_NULL_SHA256 | +TLS_RSA_WITH_NULL_SHA256
TLS_RSA_WITH_NULL_SHA | Weak | -TLS_RSA_WITH_NULL_SHA | +TLS_RSA_WITH_NULL_SHA
TLS_RSA_WITH_NULL_MD5 | Weak | -TLS_RSA_WITH_NULL_MD5 | +TLS_RSA_WITH_NULL_MD5

Table 11: Cipher suite name

15.1.2.7 Managing TLS ciphers in Node Manager server

15.1.2.7.1 Enabling or disabling ciphers

Node Manager Server hardening is performed automatically during installation of the Node Manager.

To enable and disable ciphers, see Enabling and disabling ciphers in Node Manager Server in Administering Node Manager Server.

15.1.2.8 Managing TLS ciphers in IBM WebSphere application server (WAS)

15.1.2.8.1 Disabling weak ciphers configuration in IBM WebSphere application server (WAS)

To disable weak ciphers in WAS on all WAS nodes, do the following:


Note: Disabling weak ciphers must be executed on the dmgr VM that hosts the dmgr-<vm
name> service.

1. Log in as omc user and switch to root user on the Deployment Manager node.

To locate the right VM, see Locating the right virtual machine for a service in Administering NetAct
Virtual Infrastructure.

2. Ensure that all WAS services are in started state by entering:

[root@clab1521node14 ~]# smanager.pl status group was
Status of NetAct
Domain Node Service Status VirtualIP
Site: Local
All
clab1521node14
dmgr-clab1521node14 started standAlone
pmwas-clab1521node14 started standAlone
syswas-clab1521node14 started standAlone
fmwas-clab1521node14 started standAlone
cmwas-clab1521node14 started standAlone
itsmwas-clab1521node14 started standAlone
intgwas-clab1521node14 started standAlone
nodeagent-clab1521node14 started standAlone
clab1521node15
pmwas-clab1521node15 started standAlone
syswas-clab1521node15 started standAlone
fmwas-clab1521node15 started standAlone
cmwas-clab1521node15 started standAlone
itsmwas-clab1521node15 started standAlone
intgwas-clab1521node15 started standAlone
nodeagent-clab1521node15 started standAlone

3. To list all the weak ciphers that need to be disabled, enter:

[root]# /opt/cpf/bin/cpfwas_ciphers_config.sh --listweakciphers

4. Disable the weak ciphers for all WAS servers by entering:

[root]# /opt/cpf/bin/cpfwas_ciphers_config.sh --disable

Disabling weak ciphers is executed in three steps: changing the configuration, synchronizing the
nodes, and restarting the WAS group. The WAS restart requires no downtime because it is executed in
two batches: half of the WAS nodes are restarted in parallel as the first batch and, once they have
restarted successfully, the other half of the WAS nodes is restarted in parallel as the second batch.

Example:

• 4 WAS nodes per batch if the number of WAS nodes is 8
• 2 WAS nodes per batch if the number of WAS nodes is 4

5. To list all the ciphers currently configured in WAS, enter:

[root]# /opt/cpf/bin/cpfwas_ciphers_config.sh --listciphers

Note: If the above operation fails, see Failed to disable or enable WAS weak Cipher in
Troubleshooting Security Management to restore the system. Collect the logs for
debugging.

15.1.2.8.2 Enabling weak ciphers configuration in IBM WebSphere application server (WAS)

To enable, for all WAS servers on all WAS nodes, the weak ciphers that were disabled or removed in
Disabling weak ciphers configuration in IBM WebSphere application server (WAS), do the following:

1. Log in as omc user and switch to root user on the Deployment Manager node.

To locate the right VM, see Locating the right virtual machine for a service in Administering NetAct
Virtual Infrastructure.

2. Ensure that all WAS services are in started state by entering:

[root@clab1521node14 ~]# smanager.pl status group was
Status of NetAct
Domain Node Service Status VirtualIP
Site: Local
All
clab1521node14
dmgr-clab1521node14 started standAlone
pmwas-clab1521node14 started standAlone
syswas-clab1521node14 started standAlone
fmwas-clab1521node14 started standAlone
cmwas-clab1521node14 started standAlone
itsmwas-clab1521node14 started standAlone
intgwas-clab1521node14 started standAlone
nodeagent-clab1521node14 started standAlone
clab1521node15
pmwas-clab1521node15 started standAlone
syswas-clab1521node15 started standAlone
fmwas-clab1521node15 started standAlone
cmwas-clab1521node15 started standAlone
itsmwas-clab1521node15 started standAlone
intgwas-clab1521node15 started standAlone
nodeagent-clab1521node15 started standAlone


3. To list all the weak ciphers that need to be enabled, enter:

[root]# /opt/cpf/bin/cpfwas_ciphers_config.sh --listweakciphers

4. Enable the weak ciphers for all WAS services by entering:

[root]# /opt/cpf/bin/cpfwas_ciphers_config.sh --enable

Enabling weak ciphers is executed in three steps: changing the configuration, synchronizing the
nodes, and restarting the WAS group. The WAS restart requires no downtime because it is executed in
two batches: half of the WAS nodes are restarted in parallel as the first batch and, once they have
restarted successfully, the other half of the WAS nodes is restarted in parallel as the second batch.

5. To list all the ciphers currently configured in WAS, enter:

[root]# /opt/cpf/bin/cpfwas_ciphers_config.sh --listciphers

Note: If the above operation fails, see Failed to disable or enable WAS weak Cipher in
Troubleshooting Security Management to restore the system. Collect the logs for
debugging.

15.1.2.9 Managing TLS ciphers in HPE SIM

This section describes how to disable and enable weak ciphers in HPE SIM.

15.1.2.9.1 Disabling weak ciphers configuration in HPE SIM

Prerequisites

• Ensure that the HPE SIM service is in the started state.

Note: Disabling weak ciphers must be executed on the NetAct VM hosting the HPE SIM
service. After the weak ciphers are disabled, TLS 1.0 and TLS 1.1 clients are not able to
communicate with HPE SIM.

1. Log in as omc user to the NetAct VM hosting the HPE SIM service and switch to root user.

For information on how to locate the correct VM, see Locating the right virtual machine for a
service in Administering NetAct Virtual Infrastructure.

2. List all the weak ciphers that need to be disabled by entering:

[root]# /opt/cpf/bin/cpfhpsim_ciphers_tool.sh --listWeakCiphers


Sample output

List of weak ciphers : TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA

3. Disable specific weak ciphers, or all weak ciphers, in the HPE SIM service.

Note: This action restarts the HPE SIM service. The HPE SIM service restart requires
downtime of around 5 to 60 minutes. If the HPE SIM service is not restarted, the changes
do not take effect.

a) To disable specific weak ciphers, enter:

[root]# /opt/cpf/bin/cpfhpsim_ciphers_tool.sh --disableWeakCiphers


<cipher1>,<cipher2> [--restartHPSIM]

Example

[root]# /opt/cpf/bin/cpfhpsim_ciphers_tool.sh --disableWeakCiphers TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA --restartHPSIM

Sample output

List of all weak ciphers to be disabled are TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA
weak_ciphers_to_be_enabled are
Updating /var/opt/cpf/hpsim/conf/cpfhpsim_custom_ciphers.config with TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA
Updating /etc/opt/mx/config/SecuritySettings.props with TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384,TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA256
allow user-defined cipher
HPSIM service restart required
Restarting HPSIM

b) To disable all weak ciphers, enter:

[root]# /opt/cpf/bin/cpfhpsim_ciphers_tool.sh --disableWeakCiphers all --restartHPSIM

Sample output

List of all weak ciphers to be disabled are TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA
weak_ciphers_to_be_enabled are
Updating /var/opt/cpf/hpsim/conf/cpfhpsim_custom_ciphers.config with TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA
Updating /etc/opt/mx/config/SecuritySettings.props with TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384,TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA256
allow user-defined cipher
HPSIM service restart required
Restarting HPSIM

Expected outcome

Weak Ciphers configuration is disabled in HPE SIM.

Note: For the HPE SIM service, due to an OEM limitation, TLS ciphers cannot be disabled on
external port 50004 or on the internal ports used by the mxdomainmgr and mxdtf services.
These internal port numbers are selected dynamically (from the range 32768 to 61000) during
service start-up.

15.1.2.9.2 Enabling weak ciphers configuration in HPE SIM

Prerequisites

• Ensure that the HPE SIM service is in the started state.

1. Log in as omc user to the NetAct VM hosting the HPE SIM service and switch to root user.

For information on how to locate the right VM, see Locating the right virtual machine for a service
in Administering NetAct Virtual Infrastructure.

2. List all the weak ciphers that need to be enabled by entering:

[root]# /opt/cpf/bin/cpfhpsim_ciphers_tool.sh --listWeakCiphers

Sample output

List of weak ciphers : TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA

3. Enable specific or all weak ciphers in the HPE SIM service:

Note: This action restarts the HPE SIM service. The HPE SIM service restart requires
downtime of around 5 to 60 minutes. If the HPE SIM service is not restarted, the
changes will not take effect.

a) To enable specific weak ciphers, enter:

[root]# /opt/cpf/bin/cpfhpsim_ciphers_tool.sh --enableWeakCiphers <cipher1>,<cipher2> [--restartHPSIM]

Example

[root]# /opt/cpf/bin/cpfhpsim_ciphers_tool.sh --enableWeakCiphers TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA --restartHPSIM

Sample output

weak_ciphers_to_be_enabled are TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA
already_enabled_weak_ciphers are
enable_weak_ciphers list are TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA
disable_weak_ciphers list are
final_list_of_ciphers_to_be_enabled are TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384,TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA
Updating /var/opt/cpf/hpsim/conf/cpfhpsim_custom_ciphers.config with
Updating /etc/opt/mx/config/SecuritySettings.props with TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384,TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA
allow user-defined cipher
HPSIM service restart required

b) To enable all weak ciphers, enter:

[root]# /opt/cpf/bin/cpfhpsim_ciphers_tool.sh --enableWeakCiphers all --restartHPSIM

Sample output

weak_ciphers_to_be_enabled are TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA
already_enabled_weak_ciphers are
enable_weak_ciphers list are TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA
disable_weak_ciphers list are
final_list_of_ciphers_to_be_enabled are TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384,TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA
Updating /var/opt/cpf/hpsim/conf/cpfhpsim_custom_ciphers.config with
Updating /etc/opt/mx/config/SecuritySettings.props with TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384,TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA
allow user-defined cipher
HPSIM service restart required
Restarting HPSIM

Expected outcome

Weak Ciphers configuration is enabled in HPE SIM.

15.2 Hardening SSH client configuration

15.2.1 Hardening core mediation or application

15.2.1.1 SSH hardening in core mediation or application

15.2.1.1.1 Enabling or disabling ciphers

Prerequisites

To check the existing ciphers, do the following:

1. Log in as omc user to the NetAct VM where dmgr is running.

To locate the right VM, see Locating the right virtual machine for a service in Administering NetAct
Virtual Infrastructure.

2. Enter the following command to list the currently configured ciphers for your component:

/opt/oss/NSN-NEUpgradeDataMigrationTool/install/bin/configure_cipher.sh --list --confFile "<confFile>" [--serviceName "<serviceName>"] [--singleConfig] [--componentId "<componentId>"]

Note: Refer to Table 12: Component list for your component and to Table 13: Options in
configure_cipher.sh script for command usage.

Example usage:

/opt/oss/NSN-NEUpgradeDataMigrationTool/install/bin/configure_cipher.sh --list --confFile "/var/opt/oss/global/NSN-ne3sws_dynamicadaptation/conf/NSN-ne3sws_dynamicadaptation_cipher.properties" --singleConfig --componentId "PDDS"

Sample outcome:

2017-07-27T03:30:18.548 | INFO | Retrieve cipher configuration from conf file '/var/opt/oss/global/NSN-ne3sws_dynamicadaptation/conf/NSN-ne3sws_dynamicadaptation_cipher.properties'
2017-07-27T03:30:18.562 | INFO | Cipher suite: aes256-ctr,aes192-ctr,aes128-ctr
2017-07-27T03:30:18.572 | INFO | Cipher key exchange: diffie-hellman-group-exchange-sha256
2017-07-27T03:30:18.580 | INFO | Cipher MAC: hmac-sha2-256

To configure the cipher, do the following:

1. Log in as omc user to the NetAct VM where dmgr is running.

To locate the right VM, see Locating the right virtual machine for a service in Administering NetAct
Virtual Infrastructure.

2. Navigate to the configure_cipher.sh script in the following directory:

cd /opt/oss/NSN-NEUpgradeDataMigrationTool/install/bin/

3. Enter the following command to configure the ciphers for your component:

./configure_cipher.sh --confFile "<confFile>" [--componentName "<componentName>"] [--serviceName "<serviceName>"] [--singleConfig] [--componentId "<componentId>"] [--kex "<kex>"] [--cipher "<cipher>"] [--mac "<mac>"]

Note:

1. Refer to Table 12: Component list for your component and to Table 13: Options in
configure_cipher.sh script for command usage.
2. Ensure that all the Network Elements integrated through the component support the
target cipher.

Example usage:

./configure_cipher.sh --componentName "AM" --confFile "/var/opt/oss/NSN-cse_jetty/conf/NSN-cse_jetty_cipher.properties" --serviceName "intgwas" --cipher "aes256-ctr,aes192-ctr,aes128-ctr"

Sample outcome:

2017-07-27T05:56:40.075 | INFO | Retrieve all VM instances where 'intgwas' service is up and running
2017-07-27T05:56:41.298 | INFO | Total number of 4 VM instances (clabxxxnode18,clabxxxnode19,clabxxxnode20,clabxxxnode21) are found
2017-07-27T05:56:42.478 | INFO | =============================================================
2017-07-27T05:56:42.480 | INFO | = Start to update cipher conf on host (clabxxxnode18)
2017-07-27T05:56:42.481 | INFO | =============================================================
2017-07-27T05:56:42.483 | INFO | Start to update cipher configuration in '/var/opt/oss/NSN-cse_jetty/conf/NSN-cse_jetty_cipher.properties' file
2017-07-27T05:56:42.505 | INFO | /var/opt/oss/NSN-cse_jetty/conf/NSN-cse_jetty_cipher.properties copied to temporary folder as /tmp/NSN-cse_jetty_cipher.properties.20170727055642
2017-07-27T05:56:42.507 | INFO | Start to update cipher suite...
2017-07-27T05:56:42.515 | INFO | Property 'ssh.cipher' is updated successfully from 'aes256-ctr,aes192-ctr,aes128-ctr,aes256' to 'aes256-ctr,aes192-ctr,aes128-ctr'
2017-07-27T05:56:42.519 | INFO | Conf file '/var/opt/oss/NSN-cse_jetty/conf/NSN-cse_jetty_cipher.properties' is updated successfully
2017-07-27T05:56:42.520 | INFO | Temporary file '/tmp/NSN-cse_jetty_cipher.properties.20170727055642' is removed
2017-07-27T05:56:42.522 | INFO | =============================================================
2017-07-27T05:56:42.523 | INFO | = Start to update cipher conf on host (clabxxxnode19)
2017-07-27T05:56:42.525 | INFO | =============================================================
2017-07-27T05:56:42.698 | INFO | Start to transfer script file '/opt/oss/NSN-NEUpgradeDataMigrationTool/install/bin/configure_cipher.sh' to remote host (clabxxxnode19:/tmp/20170727055642.sh)
2017-07-27T05:56:42.827 | INFO | File transferred to clabxxxnode19 successfully
You are about to access a private system. This system is for use of authorized users only. All connections are logged. Any unauthorized access or access attempts are punishable to the fullest extent of local legislation.
2017-07-27T05:56:42.950 | INFO | Start to update cipher configuration in '/var/opt/oss/NSN-cse_jetty/conf/NSN-cse_jetty_cipher.properties' file
2017-07-27T05:56:42.957 | INFO | /var/opt/oss/NSN-cse_jetty/conf/NSN-cse_jetty_cipher.properties copied to temporary folder as /tmp/NSN-cse_jetty_cipher.properties.20170727055642
2017-07-27T05:56:42.959 | INFO | Start to update cipher suite...
2017-07-27T05:56:42.966 | INFO | Property 'ssh.cipher' is updated successfully from 'aes256-ctr,aes192-ctr,aes128-ctr,aes256' to 'aes256-ctr,aes192-ctr,aes128-ctr'
2017-07-27T05:56:42.970 | INFO | Conf file '/var/opt/oss/NSN-cse_jetty/conf/NSN-cse_jetty_cipher.properties' is updated successfully
2017-07-27T05:56:42.972 | INFO | Temporary file '/tmp/NSN-cse_jetty_cipher.properties.20170727055642' is removed
2017-07-27T05:56:43.087 | INFO | Temporary file '/tmp/20170727055642.sh' is removed from clabxxxnode19
2017-07-27T05:56:43.089 | INFO | =============================================================
2017-07-27T05:56:43.090 | INFO | = Start to update cipher conf on host (clabxxxnode20)
2017-07-27T05:56:43.092 | INFO | =============================================================
2017-07-27T05:56:43.288 | INFO | Start to transfer script file '/opt/oss/NSN-NEUpgradeDataMigrationTool/install/bin/configure_cipher.sh' to remote host (clabxxxnode20:/tmp/20170727055643.sh)
2017-07-27T05:56:43.449 | INFO | File transferred to clabxxxnode20 successfully
You are about to access a private system. This system is for use of authorized users only. All connections are logged. Any unauthorized access or access attempts are punishable to the fullest extent of local legislation.
2017-07-27T05:56:43.621 | INFO | Start to update cipher configuration in '/var/opt/oss/NSN-cse_jetty/conf/NSN-cse_jetty_cipher.properties' file
2017-07-27T05:56:43.627 | INFO | /var/opt/oss/NSN-cse_jetty/conf/NSN-cse_jetty_cipher.properties copied to temporary folder as /tmp/NSN-cse_jetty_cipher.properties.20170727055643
2017-07-27T05:56:43.629 | INFO | Start to update cipher suite...
2017-07-27T05:56:43.635 | INFO | Property 'ssh.cipher' is updated successfully from 'aes256-ctr,aes192-ctr,aes128-ctr,aes256' to 'aes256-ctr,aes192-ctr,aes128-ctr'
2017-07-27T05:56:43.640 | INFO | Conf file '/var/opt/oss/NSN-cse_jetty/conf/NSN-cse_jetty_cipher.properties' is updated successfully
2017-07-27T05:56:43.641 | INFO | Temporary file '/tmp/NSN-cse_jetty_cipher.properties.20170727055643' is removed
2017-07-27T05:56:43.805 | INFO | Temporary file '/tmp/20170727055643.sh' is removed from clabxxxnode20
2017-07-27T05:56:43.807 | INFO | =============================================================
2017-07-27T05:56:43.808 | INFO | = Start to update cipher conf on host (clabxxxnode21)
2017-07-27T05:56:43.810 | INFO | =============================================================
2017-07-27T05:56:44.018 | INFO | Start to transfer script file '/opt/oss/NSN-NEUpgradeDataMigrationTool/install/bin/configure_cipher.sh' to remote host (clabxxxnode21:/tmp/20170727055643.sh)
2017-07-27T05:56:44.178 | INFO | File transferred to clabxxxnode21 successfully
You are about to access a private system. This system is for use of authorized users only. All connections are logged. Any unauthorized access or access attempts are punishable to the fullest extent of local legislation.
2017-07-27T05:56:44.346 | INFO | Start to update cipher configuration in '/var/opt/oss/NSN-cse_jetty/conf/NSN-cse_jetty_cipher.properties' file
2017-07-27T05:56:44.356 | INFO | /var/opt/oss/NSN-cse_jetty/conf/NSN-cse_jetty_cipher.properties copied to temporary folder as /tmp/NSN-cse_jetty_cipher.properties.20170727055644
2017-07-27T05:56:44.358 | INFO | Start to update cipher suite...
2017-07-27T05:56:44.365 | INFO | Property 'ssh.cipher' is updated successfully from 'aes256-ctr,aes192-ctr,aes128-ctr,aes256' to 'aes256-ctr,aes192-ctr,aes128-ctr'
2017-07-27T05:56:44.371 | INFO | Conf file '/var/opt/oss/NSN-cse_jetty/conf/NSN-cse_jetty_cipher.properties' is updated successfully
2017-07-27T05:56:44.373 | INFO | Temporary file '/tmp/NSN-cse_jetty_cipher.properties.20170727055644' is removed
2017-07-27T05:56:44.524 | INFO | Temporary file '/tmp/20170727055643.sh' is removed from clabxxxnode21
2017-07-27T05:56:44.526 | INFO | Statistics: 4 succeeded in conf file update, 0 failed
2017-07-27T05:56:44.527 | INFO | For the failed update, please refer the output error description of this script!

| Component Name | Service Name | Conf File | Component Id | Single Config |
|---|---|---|---|---|
| DA | ne3sws_dynamicadaptation | /var/opt/oss/global/NSN-ne3sws_dynamicadaptation/conf/NSN-ne3sws_dynamicadaptation_cipher.properties | DA_MED (for external communication) | Y |
| DA | ne3sws_dynamicadaptation | /var/opt/oss/global/NSN-ne3sws_dynamicadaptation/conf/NSN-ne3sws_dynamicadaptation_cipher.properties | PDDS (for internal communication) | Y |
| MUS | intgwas | /opt/oss/NSN-mus-ne3spm/conf/mus_cipher.properties | | |
| FlexiNS_MED | common_mediations | /opt/oss/NSN-common_mediations/smx/mf-conf/com.nsn.fns_cipher.properties | com.nsn.fns.jsch (ciphers supported in the jsch library) | |
| FlexiNS_MED | common_mediations | /opt/oss/NSN-common_mediations/smx/mf-conf/com.nsn.fns_cipher.properties | com.nsn.fns.sshj (ciphers supported in the sshj library) | |
| XOH_MED | xoh | /opt/oss/NSN-xoh/conf/mediation_south_xoh_ssh.properties | com.nsn.oss.xoh | |
| HPHW_MED | common_mediations | /var/opt/oss/NSN-hphw/conf/NSN-hphw_cipher.properties | | |
| SAU_MED | nwi3 | /etc/opt/oss/global/NSN-saucnt/conf/customer.properties | com.nsn.oss.sau | Y |
| ActiveSWM_MED | common_mediations | /var/opt/oss/NSN-nthlrfeis_mediation/conf/NSN-nthlrfeis_mediation_cipher.properties | | |
| HPHW_SNMPCONFIG | common_mediations | /var/opt/oss/NSN-hphw/conf/NSN-hphw_cipher.properties | | |
| NEIW | intgwas | /opt/oss/NSN-AutoIntegrationFramework/conf/customized.properties | external.com.nokia.oss.neiw (for external communication) | |
| NEIW | intgwas | /opt/oss/NSN-AutoIntegrationFramework/conf/customized.properties | internal.com.nokia.oss.neiw (for internal communication) | |
| MPM | intgwas | /opt/oss/mpm/conf/mpmCipherConfigure.properties | com.nokia.oss.mpm | |
| jetty | intgwas | /var/opt/oss/NSN-cse_jetty/conf/NSN-cse_jetty_cipher.properties | (Note: only internal communication is available) | |

Table 12: Component list

| Option | Description | M/O | Remarks |
|---|---|---|---|
| --serviceName | The name of the service in the NetAct VM where the component is up and running, for example intgwas or common_mediations | O | Mandatory if the conf file is not located in the global folder |
| --confFile | The absolute path of the cipher conf file in the component | M | |
| --componentName | The name of the component | O | |
| --componentId | The name of the component Id | O | Mandatory in --list mode if a component Id exists |
| --cipher | The target cipher suite to be set in the conf file | O | Mandatory in configuration mode: at least one of --cipher, --kex, --mac must be given; multiple values are separated by commas |
| --kex | The target cipher key exchange to be set in the conf file | O | Same as --cipher |
| --mac | The target cipher MAC to be set in the conf file | O | Same as --cipher |
| --list | Show the current ciphers configured in the conf file | O | |
| --singleConfig | The flag to indicate that configuration happens once only | O | Mandatory if the conf file is located in the global folder |
| --help | Print usage on the console | O | |

Table 13: Options in configure_cipher.sh script

Note: If communication breaks after configuring ciphers in a component, the cause may be a
cipher that the SSH library used by the component does not support. Revert the change or
configure other ciphers.

15.2.2 Hardening ciphers for SSH client of MML mediation

15.2.2.1 Enabling weak ciphers for SSH client of MML mediation

If disabling weak ciphers (by following the instructions provided in Disabling weak ciphers for SSH
client of MML mediation) causes any SSH connection problems, follow the instructions below to
enable them.

1. Locate the VM where nx2s service is running.

For information on how to locate the correct VM, see Locating the right virtual machine for a
service in Administering NetAct Virtual Infrastructure.

2. Log in as omc user to the nx2s VM and then switch to the root user.

3. Enable the weak ciphers, weak mac, and weak key exchanges mentioned in Disabling weak
ciphers for SSH client of MML mediation by executing the following command:

/opt/oss/NSN-mml/bin/mml_enable_weak_ciphers.sh

15.2.2.2 Disabling weak ciphers for SSH client of MML mediation


By default, the MML service enables the following weak ciphers:

• ciphers: aes256-cbc,aes192-cbc,aes128-cbc,serpent256-cbc,serpent192-cbc,serpent128-cbc,twofish256-cbc,twofish192-cbc,twofish128-cbc,twofish-cbc,blowfish-cbc,3des-cbc,cast128-cbc,idea-cbc,arcfour256,arcfour128,arcfour
• mac: hmac-sha1-96,hmac-sha1,hmac-md5-96,hmac-md5
• key exchanges: diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1

If it is confirmed that disabling any of the above ciphers, MACs, and key exchanges will not cause SSH
connection problems, they can be disabled by doing the following:

1. Locate the VM where nx2s service is running.

For information on how to locate the correct VM, see Locating the right virtual machine for a
service in Administering NetAct Virtual Infrastructure.

2. Log in as omc user to the nx2s VM and then switch to the root user.

3. Disable the weak ciphers, weak mac, and weak key exchanges listed above by executing:

/opt/oss/NSN-mml/bin/mml_disable_weak_ciphers.sh

15.2.3 Hardening ciphers for SSH client of SCLI mediation

15.2.3.1 Enabling weak ciphers for SSH client of SCLI mediation

If disabling weak ciphers (by following the instructions provided in Disabling weak ciphers for SSH
client of SCLI mediation) causes any SSH connection problems, follow the instructions below to
enable them.

1. Locate the VM where nx2s service is running.

For information on how to locate the correct VM, see Locating the right virtual machine for a
service in Administering NetAct Virtual Infrastructure.

2. Log in as omc user to the nx2s VM and then switch to the root user.

3. Enable the weak ciphers, weak mac, and weak key exchanges mentioned in Disabling weak
ciphers for SSH client of SCLI mediation by executing the following command:

/opt/oss/NSN-scli/bin/scli_enable_weak_ciphers.sh

15.2.3.2 Disabling weak ciphers for SSH client of SCLI mediation


By default, the SCLI mediation enables the following weak ciphers:

• ciphers: aes256-cbc,aes192-cbc,aes128-cbc,blowfish-cbc,3des-cbc
• mac: hmac-sha1-96,hmac-sha1,hmac-md5-96,hmac-md5
• key exchanges: diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1

If it is confirmed that disabling any of the above ciphers, mac, and key exchanges will not cause SSH
connection problems, they can be disabled by doing the following:

1. Locate the VM where nx2s service is running.

For information on how to locate the correct VM, see Locating the right virtual machine for a
service in Administering NetAct Virtual Infrastructure.

2. Log in as omc user to the nx2s VM and then switch to the root user.

3. Disable the weak ciphers, weak mac, and weak key exchanges listed above by executing the
following command:

/opt/oss/NSN-scli/bin/scli_disable_weak_ciphers.sh

15.2.4 Hardening ciphers for SSH client of CM application

15.2.4.1 Enabling weak ciphers for SSH client of CM application

If disabling weak ciphers (by following the instructions provided in Disabling weak ciphers for SSH
client of CM application) causes any SSH connection problems, do the following to enable them.

1. Log in as omc user to the NetAct VM on which the was service is running.

For information on how to locate the right VM, see Locating the right virtual machine for a
service in Administering NetAct Virtual Infrastructure.

2. Go to the $ETCROOT/custom/conf/rac directory and check if the configurator.properties file
exists. If the file does not exist, do the following:
a) Go to $ETCROOT/rac/conf directory by executing the following command:

[omc]$ cd $ETCROOT/rac/conf

b) Copy configurator.properties file to $ETCROOT/custom/conf/rac directory.

3. In configurator.properties file, update the properties for the following:

• ssh_kex_algorithms: to add weak key exchange algorithms
• ssh_ciphers: to add weak ciphers
• ssh_hmac_algorithms: to add weak mac algorithms

Note:

The following weak ciphers, MACs, and key exchanges are listed in order from strong to weak;
maintain the same order when adding them:

• ciphers: aes256-cbc,aes192-cbc,aes128-cbc,blowfish-cbc,3des-cbc
• mac: hmac-sha1-96,hmac-sha1,hmac-md5-96,hmac-md5
• key exchanges: diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1

15.2.4.2 Disabling weak ciphers for SSH client of CM application


By default, the CM application enables the following weak ciphers:

• ciphers: aes256-cbc,aes192-cbc,aes128-cbc,blowfish-cbc,3des-cbc
• mac: hmac-sha1-96,hmac-sha1,hmac-md5-96,hmac-md5
• key exchanges: diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1

If it is confirmed that disabling any of the above ciphers, MACs, and key exchanges will not cause SSH
connection problems, they can be disabled by doing the following:

1. Log in as omc user to the NetAct VM on which the was service is running.

For information on how to locate the right VM, see Locating the right virtual machine for a
service in Administering NetAct Virtual Infrastructure.

2. Go to the $ETCROOT/custom/conf/rac directory and check if the configurator.properties file
exists. If the file does not exist, do the following:

a) Go to $ETCROOT/rac/conf directory by executing the following command:

[omc]$ cd $ETCROOT/rac/conf

b) Copy configurator.properties file to $ETCROOT/custom/conf/rac directory.

3. In configurator.properties file, update the properties for the following:

• ssh_kex_algorithms: to remove weak key exchange algorithms
• ssh_ciphers: to remove weak ciphers
• ssh_hmac_algorithms: to remove weak mac algorithms

Note: Once the changes are made in the configurator.properties file, the CM applications
need to be relaunched for the changes to take effect.
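The property edits described in Enabling weak ciphers for SSH client of CM application and Disabling weak ciphers for SSH client of CM application are easy to get wrong by hand (a misplaced comma, an emptied list, the strong-to-weak order lost). The following Python is an added example, not part of the NetAct documentation or its tools: it removes or re-adds the weak algorithms in the ssh_kex_algorithms, ssh_ciphers, and ssh_hmac_algorithms properties, keeps the page's order, refuses to leave a property empty, and audits the result. It assumes configurator.properties is a key=value file whose ssh_* values are comma-separated lists in preference order; the SAMPLE content is constructed, since the page does not show the real defaults.

```python
"""Added example (not part of the NetAct documentation or its tools): edit the
ssh_* properties of the CM application's configurator.properties as sections
15.2.4.1 and 15.2.4.2 describe, and audit the result.

Assumptions not stated on the page: the file is a Java-style key=value file and
each ssh_* property holds a comma-separated algorithm list in preference order.
"""
from typing import Dict, List, Tuple

# Weak algorithms named in the section, kept in the page's strong-to-weak order.
WEAK: Dict[str, List[str]] = {
    "ssh_kex_algorithms": ["diffie-hellman-group-exchange-sha1",
                           "diffie-hellman-group14-sha1", "diffie-hellman-group1-sha1"],
    "ssh_ciphers": ["aes256-cbc", "aes192-cbc", "aes128-cbc", "blowfish-cbc", "3des-cbc"],
    "ssh_hmac_algorithms": ["hmac-sha1-96", "hmac-sha1", "hmac-md5-96", "hmac-md5"],
}

# Constructed sample content; the real default values are not given on the page.
SAMPLE = """\
# constructed sample configurator.properties
ssh_kex_algorithms=ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256,\
diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
ssh_ciphers=aes256-ctr,aes192-ctr,aes128-ctr,aes256-cbc,aes192-cbc,aes128-cbc,blowfish-cbc,3des-cbc
ssh_hmac_algorithms=hmac-sha2-256,hmac-sha1-96,hmac-sha1,hmac-md5-96,hmac-md5
launch_timeout=30
"""


def _split(value: str) -> List[str]:
    """Split a comma-separated property value, dropping blanks and whitespace."""
    return [t.strip() for t in value.split(",") if t.strip()]


def read_lists(text: str) -> Dict[str, List[str]]:
    """Parse the three ssh_* properties into ordered algorithm lists."""
    found: Dict[str, List[str]] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep and key.strip() in WEAK:
            found[key.strip()] = _split(value)
    return found


def _rewrite(text: str, updates: Dict[str, List[str]]) -> str:
    """Return text with the given properties replaced; every other line untouched."""
    out = []
    for line in text.splitlines():
        key, sep, _ = line.partition("=")
        if sep and key.strip() in updates:
            line = f"{key.strip()}={','.join(updates[key.strip()])}"
        out.append(line)
    return "\n".join(out) + "\n"


def audit(text: str) -> Dict[str, List[str]]:
    """Report weak algorithms still enabled, per property; {} means hardened."""
    report: Dict[str, List[str]] = {}
    for key, algs in read_lists(text).items():
        weak = [a for a in algs if a in WEAK[key]]
        if weak:
            report[key] = weak
    return report


def disable_weak(text: str) -> Tuple[str, Dict[str, List[str]]]:
    """15.2.4.2: remove every weak algorithm, keeping the rest in their order.

    Refuses to empty a list: a property with no algorithm left would break
    every SSH launch instead of hardening it."""
    updates: Dict[str, List[str]] = {}
    removed: Dict[str, List[str]] = {}
    for key, algs in read_lists(text).items():
        keep = [a for a in algs if a not in WEAK[key]]
        if not keep:
            raise ValueError(f"{key}: no strong algorithm configured, refusing to empty it")
        if len(keep) != len(algs):
            updates[key] = keep
            removed[key] = [a for a in algs if a in WEAK[key]]
    return _rewrite(text, updates), removed


def enable_weak(text: str, key: str, algorithms: List[str]) -> str:
    """15.2.4.1: re-add weak algorithms after the strong ones, in the page's
    strong-to-weak order, and only algorithms the section actually names."""
    unknown = [a for a in algorithms if a not in WEAK[key]]
    if unknown:
        raise ValueError(f"{key}: not in the documented weak list: {unknown}")
    current = read_lists(text)[key]
    ordered = [a for a in WEAK[key] if a in algorithms and a not in current]
    return _rewrite(text, {key: current + ordered})
```

Run `audit()` on the live file before and after the edit so the change is recorded, and remember that the CM applications still have to be relaunched for the new lists to take effect.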

15.2.5 Hardening ciphers for SSH client of Monitor application

15.2.5.1 Enabling weak ciphers for SSH client of Monitor application

If disabling the weak ciphers (by following the instructions provided in Disabling weak ciphers for SSH
client of Monitor application) causes any SSH connection problems, do the following to enable them:

1. Log in as omc user to the NetAct VM where the dmgr service is running.

2. Navigate to the /opt/oss/NSN-fm_inst_monitoringdesktop/bin/ directory:

cd /opt/oss/NSN-fm_inst_monitoringdesktop/bin/

3. On the command line, enter:

/opt/oss/NSN-fm_inst_monitoringdesktop/bin/AddCiphersMacsKeys.pl --Operation M --objectClass alf --ciphers "<cipher suites in order>" --macs "<macs in order>" --kex "<kex in order>"

Example:

/opt/oss/NSN-fm_inst_monitoringdesktop/bin/AddCiphersMacsKeys.pl --Operation M --objectClass alf --ciphers "aes256-ctr,aes192-ctr,aes128-ctr,aes256-cbc,aes192-cbc,aes128-cbc,blowfish-cbc,3des-ctr,3des-cbc,arcfour256,arcfour128,arcfour" --macs "hmac-sha2-256,hmac-sha1-96,hmac-sha1,hmac-md5-96,hmac-md5" --kex "ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1"

Note: Ensure that all the Network Elements integrated through the component support the
target cipher.

15.2.5.2 Disabling weak ciphers for SSH client of Monitor application

By default, all strong and weak Ciphers, MACs, and KexAlgorithms are supported for all SSH
launches. If it is confirmed that disabling any of the Ciphers, MACs, and KexAlgorithms will not cause
SSH connection problems, they can be disabled by following the instructions below. For the list of weak
Ciphers, MACs, and KexAlgorithms, see Table 14: List of weak Ciphers, MACs, and KexAlgorithms.

| Ciphers | MACs | KexAlgorithms |
|---|---|---|
| aes256-cbc | hmac-sha1-96 | diffie-hellman-group-exchange-sha1 |
| aes192-cbc | hmac-sha1 | diffie-hellman-group14-sha1 |
| aes128-cbc | hmac-md5-96 | diffie-hellman-group1-sha1 |
| blowfish-cbc | hmac-md5 | |
| 3des-cbc | | |
| arcfour256 | | |
| arcfour128 | | |
| arcfour | | |

Table 14: List of weak Ciphers, MACs, and KexAlgorithms

1. Log in as omc user to the NetAct VM where the dmgr service is running.

2. Navigate to the /opt/oss/NSN-fm_inst_monitoringdesktop/bin/ directory:

cd /opt/oss/NSN-fm_inst_monitoringdesktop/bin/

3. On the command line, enter:

/opt/oss/NSN-fm_inst_monitoringdesktop/bin/AddCiphersMacsKeys.pl --Operation M --objectClass alf --ciphers "<cipher suites in order>" --macs "<macs in order>" --kex "<kex in order>"

Table 15: Parameter description lists the description of the parameters used in the command.

| Attributes | Description |
|---|---|
| Operation | M for modify |
| ObjectClass | 'alf' for default SSH settings |
| ciphers | Ciphers separated by commas, in the order in which they are acceptable to the network element |
| macs | MACs separated by commas, in the order in which they are acceptable to the network element |
| kex | Key exchange algorithms separated by commas, in the order in which they are acceptable to the network element |

Table 15: Parameter description

Example:

/opt/oss/NSN-fm_inst_monitoringdesktop/bin/AddCiphersMacsKeys.pl
--Operation M --objectClass alf --ciphers "aes256-ctr,aes192-ctr,
aes128-ctr" --macs "hmac-sha2-256" --kex "ecdh-sha2-nistp521,ecdh-
sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256"

Note: Ensure that all the integrated network elements support the target Ciphers, MACs, and
KexAlgorithms before disabling the weak ones.

15.2.6 Hardening SSH and SFTP client of Q3 mediation

The SSH and SFTP clients of Q3 mediation negotiate the encryption cipher, key exchange algorithm, and
MAC algorithm with each network element from the set of algorithms they have enabled.

This section describes how to harden the SSH and SFTP client algorithms of Q3 mediation.

Table 16: Components and protocol lists the components that support hardening for SSH and SFTP
client algorithms of Q3 mediation.

Component            Protocol
FM                   SFTP
PM                   SSH and SFTP
TM                   SSH
CM VersionChange     SSH
HW                   SSH and SFTP
LM                   SSH and SFTP
SWM                  SSH and SFTP
Backup and restore   SSH and SFTP
NEAC                 SSH
ATL                  SSH
SLT                  SSH
IDU                  SSH

Table 16: Components and protocol

15.2.6.1 Disabling weak secure algorithms for SSH and SFTP client of Q3 mediation

By default, the Q3 mediation enables the following weak algorithms for its SSH and SFTP clients:

• ciphers: aes256-cbc,aes192-cbc,aes128-cbc,blowfish-cbc,3des-cbc
• key exchanges: diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
• mac: hmac-sha1-96,hmac-sha1,hmac-md5-96,hmac-md5,umac-64-etm@openssh.com,umac-128-etm@openssh.com

If it is confirmed that disabling any of the above ciphers, MACs, and key exchanges does not cause SSH
or SFTP connection problems, disable them as follows:

Note: Ensure that all the integrated network elements supported by Q3 mediation support
the algorithms that remain enabled.

1. Log in as q3usr user to the NetAct VM hosting the q3user service.

To locate the right VM, see Locating the right virtual machine for a service in Administering NetAct
Virtual Infrastructure.

2. Edit the q3user property file /opt/oss/NSN-q3_mediations/smx/mf-conf/com.nsn.oss.q3.editable.properties.

3. Add the following properties listing the weak algorithms to be disabled (keep the order shown,
each property on a single line):

com.nsn.oss.q3.common.ciphers.weak=aes256-cbc,aes192-cbc,aes128-cbc,blowfish-cbc,3des-cbc
com.nsn.oss.q3.common.kex.weak=diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
com.nsn.oss.q3.common.mac.weak=hmac-sha1-96,hmac-sha1,hmac-md5-96,hmac-md5,umac-64-etm@openssh.com,umac-128-etm@openssh.com

15.2.6.2 Enabling weak secure algorithms for SSH and SFTP client of Q3 mediation

If disabling the weak secure algorithms (by following the instructions provided in Disabling weak secure
algorithms for SSH and SFTP client of Q3 mediation) causes any SSH or SFTP connection problems,
enable them again as follows:

1. Log in as q3usr user to the NetAct VM hosting the q3user service.

To locate the right VM, see Locating the right virtual machine for a service in Administering NetAct
Virtual Infrastructure.

2. Edit the q3user property file /opt/oss/NSN-q3_mediations/smx/mf-conf/com.nsn.oss.q3.editable.properties.

3. Comment out the weak secure algorithm properties:

#com.nsn.oss.q3.common.ciphers.weak=aes256-cbc,aes192-cbc,aes128-cbc,blowfish-cbc,3des-cbc
#com.nsn.oss.q3.common.kex.weak=diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
#com.nsn.oss.q3.common.mac.weak=hmac-sha1-96,hmac-sha1,hmac-md5-96,hmac-md5,umac-64-etm@openssh.com,umac-128-etm@openssh.com

Note: The following lists are ordered from strongest to weakest; keep the same order when
adding them:

• ciphers: aes256-cbc,aes192-cbc,aes128-cbc,blowfish-cbc,3des-cbc
• key exchanges: diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
• mac: hmac-sha1-96,hmac-sha1,hmac-md5-96,hmac-md5,umac-64-etm@openssh.com,umac-128-etm@openssh.com
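The two procedures above (adding the weak-algorithm properties to disable the algorithms, commenting them out to enable them again) are easy to get wrong by hand: a value wrapped across two lines, or an active and a commented copy of the same key left side by side. The following script is an added example written for this page, not part of NetAct or Q3 mediation. It toggles the three properties idempotently, so running it twice leaves exactly one line per key. It assumes only the property keys and values quoted above; the file it edits in the demo is constructed inline and is not the real com.nsn.oss.q3.editable.properties. Whether Q3 mediation must be restarted afterwards is not covered here.

```shell
#!/bin/sh
# Added example, not part of NetAct: idempotently switch the Q3 mediation "weak"
# algorithm properties between the disabled state (property lines active, as in
# 15.2.6.1) and the enabled state (property lines commented out, as in 15.2.6.2).
# Keys and values are those quoted in the manual; the demo file at the bottom is
# constructed here and is not the real com.nsn.oss.q3.editable.properties.

# Lists in the manual's order (strongest first); keep this order when adding them.
WEAK_CIPHERS='aes256-cbc,aes192-cbc,aes128-cbc,blowfish-cbc,3des-cbc'
WEAK_KEX='diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1'
WEAK_MAC='hmac-sha1-96,hmac-sha1,hmac-md5-96,hmac-md5,umac-64-etm@openssh.com,umac-128-etm@openssh.com'

KEY_CIPHERS=com.nsn.oss.q3.common.ciphers.weak
KEY_KEX=com.nsn.oss.q3.common.kex.weak
KEY_MAC=com.nsn.oss.q3.common.mac.weak

set_prop() {
  # set_prop FILE KEY VALUE: write "KEY=VALUE" exactly once, replacing an existing
  # active or commented-out line for KEY, or appending when KEY is absent.
  # The key is compared as a literal prefix, so the dots in it are not wildcards.
  awk -v k="$2" -v v="$3" '
    { line = $0; sub(/^[ \t]*#?[ \t]*/, "", line) }
    substr(line, 1, length(k) + 1) == k "=" { if (!done) { print k "=" v; done = 1 }; next }
    { print }
    END { if (!done) print k "=" v }
  ' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

comment_prop() {
  # comment_prop FILE KEY: comment out an active "KEY=..." line; no-op otherwise.
  awk -v k="$2" '
    substr($0, 1, length(k) + 1) == k "=" { print "#" $0; next }
    { print }
  ' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

weak_disabled() {
  # weak_disabled FILE: exit 0 when all three weak lists are active in FILE
  # (weak algorithms disabled), 1 otherwise.
  for key in "$KEY_CIPHERS" "$KEY_KEX" "$KEY_MAC"; do
    grep -q "^$key=" "$1" || return 1
  done
  return 0
}

disable_weak_algorithms() {
  # Step 3 of 15.2.6.1: add the three properties (idempotent).
  set_prop "$1" "$KEY_CIPHERS" "$WEAK_CIPHERS"
  set_prop "$1" "$KEY_KEX" "$WEAK_KEX"
  set_prop "$1" "$KEY_MAC" "$WEAK_MAC"
}

enable_weak_algorithms() {
  # Step 3 of 15.2.6.2: comment the three properties out (idempotent).
  for key in "$KEY_CIPHERS" "$KEY_KEX" "$KEY_MAC"; do
    comment_prop "$1" "$key"
  done
}

# Demo on a constructed sample file that still carries a partial, commented-out
# kex list from an earlier edit.
PROPS=$(mktemp)
cat > "$PROPS" <<'EOF'
# constructed sample, not the real Q3 properties file
q3.sample.other=1
#com.nsn.oss.q3.common.kex.weak=diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
EOF
disable_weak_algorithms "$PROPS"
weak_disabled "$PROPS" && echo "weak algorithms disabled:" && grep '\.weak=' "$PROPS"
enable_weak_algorithms "$PROPS"
weak_disabled "$PROPS" || echo "weak algorithms enabled again (lines commented out)"
rm -f "$PROPS"
```

To use it on a node, source the script, then call disable_weak_algorithms or enable_weak_algorithms with the path of the real properties file; weak_disabled gives a quick yes/no for audits.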

15.2.7 Hardening ciphers, macs, key exchanges for SFTP client of SAM mediation

15.2.7.1 Enabling weak ciphers, macs, key exchanges for SFTP client of SAM mediation

By default, the following weak ciphers, MACs, and key exchanges are disabled for the SFTP client of
SAM mediation:

• ciphers: aes256-cbc, aes192-cbc, aes128-cbc, 3des-cbc, blowfish-cbc
• macs: hmac-sha1-96, hmac-sha1, hmac-md5-96, hmac-md5
• key exchanges: diffie-hellman-group-exchange-sha1, diffie-hellman-group14-sha1, diffie-hellman-group1-sha1

If disabling the weak ciphers, MACs, and key exchanges causes any SFTP connection problems between
SAM mediation and NSP or SAM, enable them as follows:

1. Locate the NetAct VM hosting the sam_med service.


To locate the right NetAct VM, see Locating the right virtual machine for a service in Administering
NetAct Virtual Infrastructure.

2. Log in as sammed user to the sam_med VM.

To find the password of the sammed user, see Retrieving password of system users in
Administering Users and Permissions.

3. Enable weak ciphers, macs, key exchanges mentioned above by entering:

/opt/oss/nokianetworks-sam_med/bin/change_ciphers.sh weak

15.2.7.2 Disabling weak ciphers, macs, key exchanges for SFTP client of SAM mediation

If it is confirmed that disabling the weak ciphers, macs, and key exchanges mentioned in Enabling
weak ciphers, macs, key exchanges for SFTP client of SAM mediation will not cause SFTP connection
problems between SAM mediation and NSP or SAM, they can be disabled by doing the following:

1. Locate the NetAct VM hosting the sam_med service.

To locate the right NetAct VM, see Locating the right virtual machine for a service in Administering
NetAct Virtual Infrastructure.

2. Log in as sammed user to the sam_med VM.

To find the password of the sammed user, see Retrieving password of system users in
Administering Users and Permissions.

3. Disable weak ciphers, macs, key exchanges mentioned above by entering:

/opt/oss/nokianetworks-sam_med/bin/change_ciphers.sh strong

15.3 Hardening SSH server configuration

15.3.1 Hardening Ciphers, MACs, and KexAlgorithms in SSH server

Note: Do not copy and paste the commands directly.

This section describes how the SSH server is hardened by disabling all weak Ciphers, MACs, and
KexAlgorithms listed in Table 17: Ciphers, MACs, and KexAlgorithms using the
/opt/cpf/bin/cpfopenssh_hardening_sshd_wrapper.py interface. The interface also supports
re-enabling weak Ciphers, MACs, and KexAlgorithms in the SSH server. Table 17 lists the supported
weak Ciphers, MACs, and KexAlgorithms that can be enabled or disabled in the NetAct OpenSSH
server configuration.

Note:

• If a new node is introduced as part of upgrade or scaling, the interface must be executed
on the new node to harden its Ciphers, MACs, and KexAlgorithms.
• In RHEL8, the Ciphers, MACs, and KexAlgorithms enabled by default are taken from the
system-wide crypto policy, that is, from the /etc/crypto-policies/back-ends/openssh.config
file. The default SSH server configuration file /etc/ssh/sshd_config does not contain any
Ciphers, MACs, or KexAlgorithms entries. Using the interface, it is possible to configure
Ciphers, MACs, and KexAlgorithms in /etc/ssh/sshd_config and to enable weak algorithms
that are not deprecated by the RHEL OS.
• Once Ciphers, MACs, and KexAlgorithms are configured in /etc/ssh/sshd_config, that
configuration overrides the RHEL8 system-wide crypto policy for the SSH server.

For more information, see Enabling weak Ciphers, MACs, and KexAlgorithms in SSH server.
Modifying strong Ciphers, MACs, and KexAlgorithms by editing the /etc/ssh/sshd_config file is
not supported; use only the interface to disable or enable weak Ciphers, MACs, and KexAlgorithms.

Type                  Ciphers                        MACs                            KexAlgorithms
Weak Ciphers, MACs,   aes256-cbc                     hmac-sha1-96-etm@openssh.com    diffie-hellman-group-exchange-sha1
and KexAlgorithms     aes192-cbc                     hmac-sha1-etm@openssh.com       diffie-hellman-group14-sha1
                      aes128-cbc                     umac-128-etm@openssh.com        diffie-hellman-group1-sha1
                      3des-cbc                       umac-64-etm@openssh.com
                      rijndael-cbc@lysator.liu.se    hmac-md5-96-etm@openssh.com
                                                     hmac-md5-etm@openssh.com
                                                     hmac-sha1-96
                                                     hmac-sha1
                                                     hmac-md5-96
                                                     hmac-md5

Table 17: Ciphers, MACs, and KexAlgorithms

The key-value pairs "Ciphers <comma separated values>", "MACs <comma separated values>", and
"KexAlgorithms <comma separated values>" are added to the SSH server configuration file
/etc/ssh/sshd_config to override the default behaviour of the SSH server with respect to Ciphers,
MACs, and KexAlgorithms.

/etc/ssh/sshd_config defines which Ciphers, MACs, and KexAlgorithms the sshd daemon must use.

The interface /opt/cpf/bin/cpfopenssh_hardening_sshd_wrapper.py can be used to disable or
enable weak Ciphers, MACs, and KexAlgorithms. All strong Ciphers, MACs, and KexAlgorithms are
always present in the sshd configuration written by the interface; this is its default behaviour.

The interface /opt/cpf/bin/cpfopenssh_hardening_sshd_wrapper.py takes the following parameters:

• --disable or --enable or --disable_all
• --vm ["all" or comma separated hostnames]
• --restart [yes or no]
• --Ciphers [comma separated Ciphers]
• --MACs [comma separated MACs]
• --KexAlgorithms [comma separated KexAlgorithms]

Note:

• The parameters must be given in the order listed above. --restart yes restarts the
SSH server service (sshd).

For more information on the interface, execute the following command:

/opt/cpf/bin/cpfopenssh_hardening_sshd_wrapper.py --help

• After enabling or disabling weak Ciphers, MACs, and KexAlgorithms in a Disaster Recovery (DR)
environment, synchronize the hardened SSH server configuration file to the standby site by
following the instructions provided in Performing sshd hardening on standby NetAct in
Administering Disaster Recovery.

15.3.1.1 Disabling weak Ciphers, MACs, and KexAlgorithms in SSH server

Prerequisites

• Enable root login in all VMs, if NetAct system is hardened. For information on how to enable the
root login, see Enabling root SSH login.
• Operating system in the NetAct VMs must be Red Hat Enterprise Linux Server release 8.


Note: Do not copy and paste the commands directly.

By default, if the interface has not been executed, the weak Ciphers, MACs, and KexAlgorithms
listed in the /etc/crypto-policies/back-ends/openssh.config file are supported. When only a subset
of the weak Ciphers, MACs, and KexAlgorithms is disabled using the interface, the remaining weak
Ciphers, MACs, and KexAlgorithms listed in Table 17: Ciphers, MACs, and KexAlgorithms are still
available in the SSH server configuration file /etc/ssh/sshd_config.

1. Log in as root user to any of the NetAct VMs.

2. To disable all supported weak Ciphers, MACs, and KexAlgorithms in the SSH server on all the
NetAct nodes, execute the following command:
# /opt/cpf/bin/cpfopenssh_hardening_sshd_wrapper.py --disable_all --vm all --restart yes --Ciphers --MACs --KexAlgorithms

Verify the Ciphers, MACs, and KexAlgorithms entries from /etc/ssh/sshd_config file by
executing the following command:
# egrep 'Ciphers|MACs|KexAlgorithms' /etc/ssh/sshd_config

The --disable_all parameter can be used to disable all weak Ciphers, MACs, and
KexAlgorithms without passing any comma separated arguments for Ciphers, MACs, and
KexAlgorithms parameters. This internally hardens the SSH server by adding all strong Ciphers,
MACs, and KexAlgorithms in to the SSH server configuration file and set only strong Ciphers,
MACs and KexAlgorithms entries. This overwrites all existing Ciphers, MACs, and KexAlgorithms
entries.

Note: If any of the nodes cannot be reached through SSH during the interface execution,
the interface fails. Fix the SSH connectivity issue and rerun the interface. --restart yes
restarts the SSH service, so the SSH service is down during the interface execution.

SSH Server configuration will have only strong Ciphers, MACs and KexAlgorithms after executing
the above command and it will disable all weak Ciphers, MACs and KexAlgorithms.

3. To disable a specific set of the weak Ciphers, MACs, and KexAlgorithms listed in Table 17:
Ciphers, MACs, and KexAlgorithms in the SSH server on a list of NetAct nodes, execute the
following command:

Example:
# /opt/cpf/bin/cpfopenssh_hardening_sshd_wrapper.py --disable --vm vm1,vm2 --restart yes --Ciphers aes256-cbc,aes128-cbc,aes192-cbc --MACs hmac-sha1-96,hmac-sha1,hmac-md5-96,hmac-md5 --KexAlgorithms diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1

Verify the Ciphers, MACs, and KexAlgorithms entries from /etc/ssh/sshd_config file by
executing the following command:
# egrep 'Ciphers|MACs|KexAlgorithms' /etc/ssh/sshd_config


Disabling a subset of the weak Ciphers, MACs, and KexAlgorithms always adds the strong Ciphers,
MACs, and KexAlgorithms and disables only the weak ones passed as arguments. If all weak Ciphers,
MACs, and KexAlgorithms are already disabled, executing the above command is not required.

4. If the use case is to disable only the specific set of weak Ciphers from all NetAct nodes without
restarting the sshd service, execute the following command:

Example:
# /opt/cpf/bin/cpfopenssh_hardening_sshd_wrapper.py --disable --vm all --restart no --Ciphers aes256-cbc,aes128-cbc

Verify the Ciphers entries from /etc/ssh/sshd_config file by executing the following
command:
# egrep 'Ciphers' /etc/ssh/sshd_config

Disabling a subset of the weak Ciphers always adds the strong Ciphers and disables only the weak
Ciphers passed as arguments. If all weak Ciphers are already disabled, executing the above command
is not required.

5. If the use case is to disable only the specific set of weak MACs from one NetAct node without
restarting the sshd service, execute the following command:

Example:
# /opt/cpf/bin/cpfopenssh_hardening_sshd_wrapper.py --disable --vm vm1 --restart no --MACs hmac-md5,hmac-md5-96

Verify the MACs entries from /etc/ssh/sshd_config file by executing the following command:
# egrep 'MACs' /etc/ssh/sshd_config

Disabling a subset of the weak MACs always adds the strong MACs and disables only the weak MACs
passed as arguments. If all weak MACs are already disabled, executing the above command is not
required.

6. If the use case is to disable only one weak KexAlgorithms from all NetAct nodes without restarting
the sshd service, execute the following command:

Example:
# /opt/cpf/bin/cpfopenssh_hardening_sshd_wrapper.py --disable --vm all --restart no --KexAlgorithms diffie-hellman-group1-sha1

Verify the KexAlgorithms entry from /etc/ssh/sshd_config file by executing the following
command:
# egrep 'KexAlgorithms' /etc/ssh/sshd_config

Disabling one weak KexAlgorithm always adds the strong KexAlgorithms and disables only the weak
KexAlgorithm passed as argument. If all weak KexAlgorithms are already disabled, executing the
above command is not required.


Note: Disable the root login in all VMs, if it was enabled as mentioned in Prerequisites.
For information on how to disable root login, see Disabling root SSH login.
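The egrep checks in the steps above only print the Ciphers, MACs, and KexAlgorithms lines; they do not tell you whether a Table 17 entry is still among the values, and they print nothing at all when a directive is absent (in which case the RHEL8 crypto-policy default applies, as noted earlier). The following script is an added example written for this page, not a NetAct or CPF tool: it parses the three directives from an sshd_config and reports any Table 17 entry that remains, flags a missing directive, and defers relative lists (values starting with +, - or ^) to sshd -T. The sample configuration files are constructed inline; on a node, point it at /etc/ssh/sshd_config and, because sshd merges the file with its own defaults, confirm the effective lists with sshd -T.

```shell
#!/bin/sh
# Added example, not a NetAct tool: audit an sshd_config for the weak Ciphers,
# MACs and KexAlgorithms of Table 17, e.g. after running the hardening interface
# or on a node added by upgrade or scaling. The sample files at the bottom are
# constructed for the demo; on a real node run it against /etc/ssh/sshd_config
# and compare with the effective configuration printed by "sshd -T".

WEAK_CIPHERS='aes256-cbc,aes192-cbc,aes128-cbc,3des-cbc,rijndael-cbc@lysator.liu.se'
WEAK_MACS='hmac-sha1-96-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-128-etm@openssh.com,umac-64-etm@openssh.com,hmac-md5-96-etm@openssh.com,hmac-md5-etm@openssh.com,hmac-sha1-96,hmac-sha1,hmac-md5-96,hmac-md5'
WEAK_KEX='diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1'

directive_value() {
  # directive_value FILE KEYWORD: value of the first active "KEYWORD value" line
  # (sshd uses the first occurrence of a keyword); prints nothing if it is not set.
  awk -v k="$2" '
    $0 !~ /^[ \t]*#/ && tolower($1) == tolower(k) { print $2; exit }
  ' "$1"
}

weak_entries() (
  # weak_entries LIST WEAKLIST: comma-separated members of LIST that are also in
  # WEAKLIST, in LIST order. Runs in a subshell so the IFS change stays local.
  found=""
  IFS=,
  for alg in $1; do
    case ",$2," in
      *",$alg,"*) found="${found:+$found,}$alg" ;;
    esac
  done
  printf '%s' "$found"
)

audit_sshd_config() {
  # audit_sshd_config FILE: one report line per directive; returns 0 only when
  # Ciphers, MACs and KexAlgorithms are all set as absolute lists with no weak entry.
  rc=0
  for pair in "Ciphers:$WEAK_CIPHERS" "MACs:$WEAK_MACS" "KexAlgorithms:$WEAK_KEX"; do
    key=${pair%%:*}
    weak=${pair#*:}
    val=$(directive_value "$1" "$key")
    case "$val" in
      "")
        echo "$key: not set, crypto-policy default applies (not hardened)"; rc=1 ;;
      [-+^]*)
        # +, - and ^ make the list relative to the sshd default; only sshd -T shows the result
        echo "$key: relative list '$val', check the effective list with: sshd -T"; rc=1 ;;
      *)
        bad=$(weak_entries "$val" "$weak")
        if [ -n "$bad" ]; then
          echo "$key: WEAK entries present: $bad"; rc=1
        else
          echo "$key: OK ($val)"
        fi ;;
    esac
  done
  return $rc
}

# Demo on constructed files: one hardened as by --disable_all, one still weak.
HARD=$(mktemp); WEAKCFG=$(mktemp)
cat > "$HARD" <<'EOF'
Port 22
Ciphers aes256-ctr,aes192-ctr,aes128-ctr
MACs hmac-sha2-256,hmac-sha2-512
KexAlgorithms ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256
EOF
cat > "$WEAKCFG" <<'EOF'
# Ciphers line commented out, weak MACs still listed, no KexAlgorithms line
#Ciphers aes256-ctr
MACs hmac-sha2-256,hmac-md5,hmac-sha1
EOF
echo "== hardened sample =="; audit_sshd_config "$HARD"
echo "== weak sample =="; audit_sshd_config "$WEAKCFG" || echo "result: NOT hardened"
rm -f "$HARD" "$WEAKCFG"
```

Run it on every node the wrapper was pointed at (the --vm list), not only on the node where the wrapper was started, since each node has its own /etc/ssh/sshd_config.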

15.3.1.2 Enabling weak Ciphers, MACs, and KexAlgorithms in SSH server

Prerequisites

• Enable root login in all VMs, if NetAct system is hardened. For information on how to enable the
root login, see Enabling root SSH login.
• Operating system in the NetAct VMs must be Red Hat Enterprise Linux Server release 8.

Note: Do not copy and paste the commands directly.

Note:

In RHEL8, the Ciphers, MACs, and KexAlgorithms enabled by default are based on the system-wide
crypto policy configuration.

Enabling weak Ciphers, MACs, and KexAlgorithms using the interface adds them to the SSH server
configuration file. Hence, enable weak algorithms only if it is mandatory, since this changes the
system from its default behaviour. Typically this is needed when a weak Cipher, MAC, or
KexAlgorithm is mandatory for system functionality after the SSH server has been hardened (all
weak Ciphers, MACs, and KexAlgorithms disabled) by executing the steps provided in Disabling weak
Ciphers, MACs, and KexAlgorithms in SSH server.

When a subset of the weak Ciphers, MACs, and KexAlgorithms is enabled using the interface, only
the weak entries that are passed are available, along with all strong entries, in the SSH server
configuration after the interface has been executed with the --enable option.

1. Login as root user to any of the NetAct VM.

2. To enable a specific set of the weak Ciphers, MACs, and KexAlgorithms listed in Table 17:
Ciphers, MACs, and KexAlgorithms in the SSH server, execute the following command:

Example:
[root@<vm>]# /opt/cpf/bin/cpfopenssh_hardening_sshd_wrapper.py --enable --vm vm1,vm2 --restart yes --Ciphers rijndael-cbc@lysator.liu.se --MACs hmac-sha1-96,hmac-md5-96,hmac-md5 --KexAlgorithms diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1

Verify the Ciphers, MACs, and KexAlgorithms entries from /etc/ssh/sshd_config file by
executing the following command:

# egrep 'Ciphers|MACs|KexAlgorithms' /etc/ssh/sshd_config


Enabling a subset of the weak Ciphers, MACs, and KexAlgorithms adds only that subset, along with
all strong Ciphers, MACs, and KexAlgorithms, to the /etc/ssh/sshd_config file. If all weak Ciphers,
MACs, and KexAlgorithms are already enabled, executing the above command is not required.

3. If the use case is to enable only the specific set of weak Ciphers from all NetAct nodes without
restarting the sshd service, execute the following command:

Example:
# /opt/cpf/bin/cpfopenssh_hardening_sshd_wrapper.py --enable --vm all --restart no --Ciphers aes256-cbc,aes128-cbc

Verify the Ciphers entry from the /etc/ssh/sshd_config file by executing the following
command:

# egrep 'Ciphers' /etc/ssh/sshd_config

Enabling a subset of the weak Ciphers adds only that subset, along with all strong Ciphers, to the
/etc/ssh/sshd_config file. If all weak Ciphers are already enabled, executing the above command is
not required.

4. If the use case is to enable only the specific set of weak MACs from one NetAct node without
restarting the sshd service, execute the following command:

Example:
# /opt/cpf/bin/cpfopenssh_hardening_sshd_wrapper.py --enable --vm vm1 --restart no --MACs hmac-md5,hmac-md5-96

Verify the MACs entries from /etc/ssh/sshd_config file by executing the following command:
# egrep 'MACs' /etc/ssh/sshd_config

Enabling a subset of the weak MACs appends only those weak MACs, along with all strong MACs, to
the /etc/ssh/sshd_config file. If all weak MACs are already enabled, executing the above command
is not required.

5. If the use case is to enable only one weak KexAlgorithms from all NetAct nodes without restarting
the sshd service, execute the following command:

Example:
# /opt/cpf/bin/cpfopenssh_hardening_sshd_wrapper.py --enable --vm all --restart no --KexAlgorithms diffie-hellman-group1-sha1

Verify the KexAlgorithms entries from /etc/ssh/sshd_config file by executing the following
command:

# egrep 'KexAlgorithms' /etc/ssh/sshd_config

Enabling one weak KexAlgorithm appends only that weak KexAlgorithm to the existing KexAlgorithms
in the /etc/ssh/sshd_config file. If all weak KexAlgorithms are already enabled, executing the
above command is not required.


Note: Disable the root login in all VMs, if it was enabled as mentioned in Prerequisites.
For information on how to disable root login, see Disabling root SSH login.

15.4 Hardening of Configuration Management Applications and NASDA Web Services

Stack traces for Java operations are not visible by default, because the stack traces contain internal
information about the system which could be used in an attack. Stack traces become visible after
the proper permission is added to a role that is assigned to a user. For instructions on how to manage
permissions, see Granting permissions to a role in Permission Management Help.

15.4.1 Enabling showing stack traces in CM Applications and CLI

To see stack traces in CM Applications and CLI, complete steps 1 - 4 from Granting permissions to a
role in Permission Management Help, then:

1. Select the context root OES from the Select Context Root drop-down list.

2. Select the permission object Configuration applications from the Available Permission
Objects list box.

3. Select the permission operation Operation allows to show traces for unexpected
behaviour from the Available Permission Operations of the Selected Object list box.

4. Click the move right arrow icon.

5. Click OK.

15.4.2 Enabling showing stack traces in NASDA Web Services

To see stack traces in NASDA Web Services, complete steps 1 - 4 from Granting permissions to a role
in Permission Management Help, then:

1. Select the context root OES from the Select Context Root drop-down list.

2. Select the permission object NASDA Web Services from the Available Permission Objects list
box.

3. Select the permission operation Operation allows to show traces for unexpected
behaviour from the Available Permission Operations of the Selected Object list box.

4. Click the move right arrow icon.

5. Click OK.


15.5 Configuring anonymous LDAP bind

15.5.1 Disabling anonymous bind to LDAP

Disabling anonymous bind (the so-called null bind) to the directory server (LDAP) is good security
practice, and it is important when the LDAP directory server is opened to communication from network
elements to enable Centralized Network Element User Management (CNUM, a NetAct feature).
Anonymous LDAP bind means that read access to the directory server is possible without binding with
a user name and password.

Verify whether anonymous LDAP bind is disabled and disable it if necessary.

1. Login as omc user and switch to root user on the Deployment Manager node.

To locate the correct virtual machine, refer to Locating the right virtual machine for a service in Ad-
ministering NetAct Virtual Infrastructure.

2. Verify whether anonymous LDAP bind is disabled by entering the following command:

[root] /opt/oss/NSN-sm_hardening/bin/ConfigureAnonymousLdapBind.sh -verify

If the output of the command contains:

----------------------------Summary Start----------------------------
Overall configuration status is : CONFIGURED
Anonymous LDAP bind is currently : 'Disabled'
-----------------------------Summary End-----------------------------

No further steps are needed as anonymous LDAP bind is already disabled.

If the output of the command contains:

----------------------------Summary Start----------------------------
Overall configuration status is : CONFIGURED
Anonymous LDAP bind is currently : 'Restricted'
(Restricted anonymous LDAP access for CNUM support)
-----------------------------Summary End-----------------------------

Restricted anonymous LDAP access is enabled for supporting CNUM for eNB network elements.
In this case no further steps are needed. For more information, see Restricted anonymous login to
the LDAP directory step in NetAct prerequisites in Administering Users and Permissions.


If the output of the command contains:

----------------------------Summary Start----------------------------
Overall configuration status is : CONFIGURED
Anonymous LDAP bind is currently : 'Enabled'
-----------------------------Summary End-----------------------------

Proceed with Step 3 to disable anonymous LDAP bind.

If the output of the command contains:

----------------------------Summary Start----------------------------
Overall configuration status is : CONFIGURATION ERROR

NetAct is not configured properly for anonymous LDAP bind to be disabled.

In this case change the passwords for the users cn=sysproxy, cn=httpdproxy, cn=ihsproxy
and cn=wasproxy as described in Type and individual operation way of password tool in
Administering Users and Permissions and execute the following command to verify again:

[root] /opt/oss/NSN-sm_hardening/bin/ConfigureAnonymousLdapBind.sh -verify

If this does not solve the problem contact Nokia Technical Support.

3. Disable anonymous LDAP bind, by executing:

[root] /opt/oss/NSN-sm_hardening/bin/ConfigureAnonymousLdapBind.sh -disable

4. Check whether anonymous LDAP access is disabled:

[root] /opt/oss/NSN-sm_hardening/bin/ConfigureAnonymousLdapBind.sh -accessTest

If the output of the command contains:

Anonymous LDAP bind is currently:'Disabled'

You are done.

15.5.2 Enabling anonymous bind to LDAP


This section describes how to enable anonymous bind to LDAP if it is disabled.


Note: For security reasons, it is recommended not to perform the provided steps unless
required.

1. Login as omc user and switch to root user on the Deployment Manager node.

To locate the correct virtual machine, refer to Locating the right virtual machine for a service in Ad-
ministering NetAct Virtual Infrastructure.

2. Verify whether the restricted anonymous LDAP access is enabled or disabled by executing:

[root@ ~] /opt/oss/NSN-sm_hardening/bin/configureRestrictedLdapAccess.sh -s

Note: Restricted anonymous LDAP access is enabled while supporting CNUM for eNB
network elements. For more information, see Restricted anonymous login to the LDAP
directory in Administering Users and Permissions.

• If the output displays either of the following messages, the LDAP restriction is not applied:

Anonymous LDAP access is disabled

Anonymous LDAP access allowed

• If the output displays the following message:

Restricted anonymous LDAP access allowed

Revert the restriction by executing:

[root@ ~] /opt/oss/NSN-sm_hardening/bin/configureRestrictedLdapAccess.sh -r

Note: You must execute the revert LDAP restriction command first to ensure that anonymous
LDAP access can be supported.

3. Verify whether anonymous LDAP bind is enabled or disabled by executing:

[root@ ~] /opt/oss/NSN-sm_hardening/bin/ConfigureAnonymousLdapBind.sh -verify

If the output of the command contains:

=======================SUMMARY START========================
Overall configuration status is:CONFIGURED
Anonymous LDAP bind is currently:'Enabled'
========================SUMMARY END=========================

You are done.


Otherwise, proceed with the next step.

4. Enable anonymous login to LDAP by executing the following command as root user:

[root] /opt/oss/NSN-sm_hardening/bin/ConfigureAnonymousLdapBind.sh -enable

5. Verify whether anonymous LDAP access is enabled by executing:

[root] /opt/oss/NSN-sm_hardening/bin/ConfigureAnonymousLdapBind.sh -verify

If the output of the command contains:

----------------------------SUMMARY START----------------------------
Overall configuration status is:CONFIGURED
Anonymous LDAP bind is currently:'Enabled'
-----------------------------SUMMARY END-----------------------------

You are done.

Expected outcome

Execution of the above command results in a successful bind to LDAP, which indicates that
anonymous bind is enabled.

15.6 Controlling Root SSH login

15.6.1 Disabling root SSH login


This is a mandatory procedure after completing the system hardening measures.

Root SSH login is disabled on the NetAct VMs by running a script.

1. Log in as omc user to the NetAct VM hosting the dmgr service and switch to root user.

To locate the right NetAct VM, see Locating the right virtual machine for a service in Administering
NetAct Virtual Infrastructure.

2. Enter the following command:

/opt/oss/NSN-sm_hardening/bin/set_security.sh -n


The script is available on VMs with dmgr role or was role.

3. At prompt to disable RootLogin, enter y.

Enter the root password (if one or more nodes have already disabled root login).

Sample output:

[root@clab1695node04 bin]# /opt/oss/NSN-sm_hardening/bin/set_security.sh -n


Thu Jun 15 11:04:42 EEST 2017|| get list of all UNIFY nodes
Thu Jun 15 11:04:42 EEST 2017| HINT | Total number of PM Nodes [ 0 ]
Thu Jun 15 11:04:42 EEST 2017| INFO | PM Node List : [ ]
Thu Jun 15 11:04:42 EEST 2017| INFO | Host list : clab1695node01 clab1695node02
clab1695node03 clab1695node04 clab1695node05 clab1695node06 clab1695node07
clab1695node08 clab1695node09
Thu Jun 15 11:04:42 EEST 2017| HINT | Total number of Nodes [ 9 ]
disableRootLogin y/n ?
y
Thu Jun 15 11:04:47 EEST 2017| INFO |
Thu Jun 15 11:04:47 EEST 2017| INFO | Now disabling Root login on all nodes by
operator command...
Thu Jun 15 11:04:47 EEST 2017| INFO | Current root-login setting on all nodes:
clab1695node01 root access is granted this is a potential vulnerability and should be
changed by the administrator!
clab1695node02 root access is granted this is a potential vulnerability and should be
changed by the administrator!
clab1695node03 root access is granted this is a potential vulnerability and should be
changed by the administrator!
..
..
clab1695node09 root access is granted this is a potential vulnerability and should be
changed by the administrator!
Please enter current 'root' password
******
DISABLE root access on node(s):
clab1695node01
clab1695node02
clab1695node03
..............
Wed Oct 16 19:37:24 EEST 2013|INFO| Disabled root login for node clab436node01
Wed Oct 16 19:37:24 EEST 2013|INFO| Disabled root login for node clab436node02
Wed Oct 16 19:37:24 EEST 2013|INFO| Disabled root login for node clab436node03
..
..
..
Wed Oct 16 19:37:29 EEST 2013|INFO| Disabled root login for node clab436node19
Wed Oct 16 19:37:29 EEST 2013|INFO| Disabled root login for node clab436node20
Wed Oct 16 19:37:29 EEST 2013|INFO| Disabled root login for node clab436node21

15.6.2 Enabling root SSH login


Enabling the root login is a mandatory procedure required for performing some hardening measures.
Enabling root login by a script can be done on NetAct VMs.


Note: Disable root login upon completing the hardening procedures to enhance security.

1. Log in as omc user to the NetAct VM hosting the dmgr service and switch to root user.

To locate the right NetAct VM, see Locating the right virtual machine for a service in Administering
NetAct Virtual Infrastructure.

2. Enter the following command:

[root] /opt/oss/NSN-sm_hardening/bin/set_security.sh -r

The script is available on VMs with dmgr role or was role.

3. At the enableRootLogin prompt, enter y.

Enter the root password.

Sample output:

[root@clab1695node04 bin]# /opt/oss/NSN-sm_hardening/bin/set_security.sh -r


Thu Jun 15 11:06:21 EEST 2017|| get list of all UNIFY nodes
Thu Jun 15 11:06:21 EEST 2017| HINT | Total number of PM Nodes [ 0 ]
Thu Jun 15 11:06:21 EEST 2017| INFO | PM Node List : [ ]
Thu Jun 15 11:06:21 EEST 2017| INFO | Host list : clab1695node01 clab1695node02
clab1695node03 clab1695node04 clab1695node05 clab1695node06 clab1695node07
clab1695node08 clab1695node09
Thu Jun 15 11:06:21 EEST 2017| HINT | Total number of Nodes [ 9 ]
enableRootLogin y/n ?
y
Thu Jun 15 11:06:23 EEST 2017| INFO |
Thu Jun 15 11:06:23 EEST 2017| INFO | Now enabling Root login on all nodes by operator
command...
Thu Jun 15 11:06:23 EEST 2017| INFO | Current root-login setting on all nodes:
clab1695node01 root access is denied (3)
clab1695node02 root access is denied (3)
clab1695node03 root access is denied (3)
............. .... ........ ...... ..
clab1695node09 root access is denied (3)
Thu Jun 15 11:06:25 EEST 2017| INFO | enable root access on clab1695node01
clab1695node02 clab1695node03 ............. clab1695node09
Please enter current 'root' password
******
ENABLE root access on node(s):
clab1695node01
clab1695node02
clab1695node03
..............
clab1695node09
[root@clab1695node04 bin]#
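The set_security.sh script above reports the per-node state and the manual does not show how it checks it. As an added example (not part of NetAct or of set_security.sh), the following Python reads the effective PermitRootLogin value from an sshd_config text and parses the "root access is granted/denied" status lines the script prints, so an administrator can confirm after 15.6.1 that no node still grants root SSH access. The sshd_config contents and the status excerpt are constructed; node names are placeholders.

```python
"""Check root SSH login state after running set_security.sh -n / -r.

Added example: this is not part of NetAct's set_security.sh, whose internals
the manual does not show. It (1) reads the effective PermitRootLogin value
from an sshd_config text and (2) parses the per-node status lines that the
script prints. All sample inputs below are constructed.
"""
import re

# Constructed sshd_config contents, not copied from a NetAct node.
SSHD_CONFIG_HARDENED = """\
Port 22
PermitRootLogin no
PasswordAuthentication yes
"""

# The commented-out line is ignored; the active 'yes' is what sshd applies.
# The directive inside the Match block applies only to that user.
SSHD_CONFIG_OPEN = """\
Port 22
#PermitRootLogin no
PermitRootLogin yes
Match User backup
    PermitRootLogin no
"""

# Constructed excerpt in the format of the set_security.sh status listing.
SET_SECURITY_STATUS = """\
Thu Jun 15 11:04:47 EEST 2017| INFO | Current root-login setting on all nodes:
node01 root access is granted this is a potential vulnerability and should be changed by the administrator!
node02 root access is denied (3)
node03 root access is granted this is a potential vulnerability and should be changed by the administrator!
"""


def permit_root_login(config_text: str) -> str:
    """Return the global PermitRootLogin value from sshd_config text.

    sshd applies the first occurrence of a keyword and ignores later
    duplicates; lines starting with '#' are comments; keywords are
    case-insensitive; directives after a 'Match' line are conditional, so
    scanning stops there. When the keyword is absent, OpenSSH's default
    'prohibit-password' is returned.
    """
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if re.match(r"(?i)^match\b", line):
            break
        m = re.match(r"(?i)^permitrootlogin[\s=]+(\S+)\s*$", line)
        if m:
            return m.group(1).lower()
    return "prohibit-password"


def root_login_status(config_text: str) -> str:
    """Classify the sshd setting as 'denied', 'key-only' or 'granted'."""
    value = permit_root_login(config_text)
    if value == "no":
        return "denied"
    if value in ("prohibit-password", "without-password", "forced-commands-only"):
        return "key-only"          # password login blocked, key login still allowed
    return "granted"


def nodes_granting_root(status_output: str) -> list:
    """Return node names whose status line reports 'root access is granted'."""
    pattern = re.compile(r"^(\S+) root access is (granted|denied)\b")
    granted = []
    for line in status_output.splitlines():
        m = pattern.match(line.strip())
        if m and m.group(2) == "granted":
            granted.append(m.group(1))
    return granted


if __name__ == "__main__":
    print(root_login_status(SSHD_CONFIG_HARDENED))   # denied
    print(root_login_status(SSHD_CONFIG_OPEN))       # granted
    print(nodes_granting_root(SET_SECURITY_STATUS))  # ['node01', 'node03']
```

Run it on a node with `permit_root_login(open("/etc/ssh/sshd_config").read())`; a result other than "denied" after 15.6.1, or any node listed by `nodes_granting_root`, means the hardening step has not taken effect there.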

15.7 Changing passwords


Changing the default passwords of system users is mandatory after installation.


For more information about changing the password of system users, see Changing password of directory server, database, OS, and active directory users in Administering Users and Permissions.

Changing the passwords of all system users periodically after installation is recommended. For password change instructions for system users, see Administering Users and Permissions.

To change the password of users created through the User Management application, see Changing NetAct end users password in Administering Users and Permissions.

15.8 Configuring trust anchors for dirsrv truststore

15.8.1 Adding extra trust anchor to dirsrv service truststore


Add extra trust anchors only when more than one trust anchor must be present in the truststore of the dirsrv service. For example, if the current CA key gets compromised, replace it on all components with the newly generated root certificates.

As replacing a compromised root certificate takes a considerable amount of time:

• NetAct dirsrv must support both old and new certificates until the replacement of all old certificates is complete.
• Components using the new root certificates may fail to access dirsrv during the replacement period.

Hence, you must temporarily add the new certificates to the dirsrv truststore.

1. Log in to primary and secondary dirsrv nodes as omc user.

To locate the right node, see Locating the right virtual machine for a service in Administering NetAct Virtual Infrastructure.

2. Switch to root user by executing the following command:

su root

3. Copy the certificate to be added to both primary and secondary dirsrv nodes.

4. Execute the following command on both primary and secondary dirsrv nodes:

certutil -A -n <cert_name> -t "CT,," -d /etc/dirsrv/slapd-oss -i <certificate_file>

Where:

• <cert_name> is the name with which the certificate must be added to the database. Wrap the <cert_name> string with quotation marks if it contains spaces. For example, "My root CA".


• <certificate_file>: Specify the name of the certificate to be added. If the file is in a different directory, specify the full path of the file.

For example:

#certutil -A -n "My root CA" -t "CT,," -d /etc/dirsrv/slapd-oss -i /root/certs/NetAct_L2_CACert.pem

5. Execute the following command to verify if the certificates are added to the database:

certutil -L -d /etc/dirsrv/slapd-oss

Note:

Ensure that the output displays the <cert_name> used in the previous step.

For example:

Certificate Nickname                 Trust Attributes
My root CA                           CT,,
Server-Cert                          u,u,u

6. Stop and start both primary and secondary dirsrv nodes.

For information on how to stop and start dirsrv nodes, see Stopping the directory server in
Administering Directory Service and Starting the directory server in Administering Directory
Service.

15.8.2 Removing a trust anchor from dirsrv service truststore


Perform the following steps to remove certificates from dirsrv service truststore.

1. Log in to primary and secondary dirsrv nodes as omc user.

To locate the right node, see Locating the right virtual machine for a service in Administering NetAct Virtual Infrastructure.

2. Switch to root user by executing the following command:

su root

3. Execute the following command to list the certificates in the dirsrv service database:

certutil -L -d /etc/dirsrv/slapd-oss

Note:

Ensure that the output displays the name of the certificate to be removed.


For example:

Certificate Nickname                 Trust Attributes
My root CA                           CT,,
Server-Cert                          u,u,u

4. Execute the following command on primary and secondary dirsrv nodes:

certutil -D -d /etc/dirsrv/slapd-oss -n <cert_name>

where <cert_name> is the nickname with which the certificate is present in the database.

For example: #certutil -D -d /etc/dirsrv/slapd-oss -n "My root CA"

5. Execute the following command on both primary and secondary dirsrv nodes to list the certificates in the dirsrv service database and ensure that the certificates are deleted:

certutil -L -d /etc/dirsrv/slapd-oss

6. Stop and start both primary and secondary dirsrv nodes.

For information on how to stop and start dirsrv nodes, see Stopping the directory server in
Administering Directory Service and Starting the directory server in Administering Directory
Service.
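Both procedures in 15.8 end with a `certutil -L` listing that the administrator reads by eye. As an added example (not a NetAct or NSS tool), the following Python parses that listing and answers the two questions the procedures ask: has the new anchor been added with CA trust (15.8.1 step 5), and has the old one been removed (15.8.2 step 5). The listing below is constructed in certutil's output format; the nicknames other than "My root CA" and "Server-Cert" are assumptions.

```python
"""Verify trust anchors in the dirsrv NSS database from 'certutil -L' output.

Added example, not a NetAct or NSS tool. It parses the listing printed by
'certutil -L -d /etc/dirsrv/slapd-oss' (nickname and trust attributes) and
checks whether a nickname is present with CA trust or has been removed.
The listing is constructed; "NetAct L2 CA" is an assumed nickname.
"""
import re

CERTUTIL_LISTING = """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

My root CA                                                   CT,,
NetAct L2 CA                                                 CT,,
Server-Cert                                                  u,u,u
"""

# Trust attributes are three comma-separated flag strings (SSL, S/MIME, JAR/XPI).
# Nicknames may contain spaces, so the nickname is everything before the last
# run of two or more spaces that precedes the flags.
_ENTRY = re.compile(r"^(?P<nick>.*?)\s{2,}(?P<trust>[CTcPpuw]*,[CTcPpuw]*,[CTcPpuw]*)\s*$")


def parse_certutil_listing(text: str) -> dict:
    """Map nickname -> (ssl_flags, smime_flags, jar_flags)."""
    entries = {}
    for line in text.splitlines():
        if "Trust Attributes" in line or "SSL,S/MIME" in line:
            continue                       # header lines
        m = _ENTRY.match(line)
        if m:
            ssl, smime, jar = m.group("trust").split(",")
            entries[m.group("nick").strip()] = (ssl, smime, jar)
    return entries


def is_trust_anchor(flags: tuple) -> bool:
    """CA trust for SSL: 'C' (trusted CA for servers) or 'T' (trusted CA for clients)."""
    return any(f in flags[0] for f in "CT")


def trust_anchors(text: str) -> list:
    """Nicknames that the directory server trusts as CAs for SSL."""
    return sorted(nick for nick, flags in parse_certutil_listing(text).items()
                  if is_trust_anchor(flags))


def anchor_added(text: str, nickname: str) -> bool:
    """Check for 15.8.1 step 5: present and trusted as a CA."""
    entries = parse_certutil_listing(text)
    return nickname in entries and is_trust_anchor(entries[nickname])


def anchor_removed(text: str, nickname: str) -> bool:
    """Check for 15.8.2 step 5: the nickname no longer appears at all."""
    return nickname not in parse_certutil_listing(text)


def certutil_add_argv(nickname: str, cert_file: str, db_dir: str = "/etc/dirsrv/slapd-oss") -> list:
    """argv for 15.8.1 step 4. Passing the nickname as its own argv element
    (e.g. to subprocess.run) keeps spaces intact without shell quoting."""
    return ["certutil", "-A", "-n", nickname, "-t", "CT,,", "-d", db_dir, "-i", cert_file]


if __name__ == "__main__":
    print(trust_anchors(CERTUTIL_LISTING))                 # ['My root CA', 'NetAct L2 CA']
    print(anchor_added(CERTUTIL_LISTING, "My root CA"))    # True
    print(anchor_removed(CERTUTIL_LISTING, "Old root CA"))  # True
```

On a dirsrv node, feed it `subprocess.run(["certutil", "-L", "-d", "/etc/dirsrv/slapd-oss"], capture_output=True, text=True).stdout`; `is_trust_anchor` deliberately ignores the "u" flags, so the server's own Server-Cert is never mistaken for a trust anchor.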

15.9 Configuring su access permissions


During NetAct installation, su usage is automatically restricted to the users omc and system.

Allowing su usage for additional users is possible by adding these specific users to the wheel group. The wheel group defines the users allowed to use the su utility when general su usage is forbidden.

If additional users require permission to use the su utility, the NetAct administrator must perform the following steps:

Note:

This has to be done on all NetAct nodes where these users exist. If you are uncertain about
the NetAct nodes, refer to the chapters Node structure overview and Locating the right virtual
machine for a service in Administering NetAct Virtual Infrastructure.

1. Log in as the root user.

2. Add the relevant user to the wheel group:

# usermod -a -G wheel <USER>

<USER> is the username to be added to the wheel group.


Note: Execute this step for each user separately.

3. To verify that all the relevant users have been successfully added to the wheel group, enter:

# getent group wheel

Check that the output contains the desired users. For example:

wheel:x:10:omc,system,<USER>

4. Repeat steps 1 to 3 on all nodes where the usage of su must be permitted for the user.

Note: Standard NetAct operation does not require additional users with su permission. Hence, adding users to the wheel group must be carefully considered.
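Because every wheel member can use su, the note above amounts to a recurring review task. As an added example (not a NetAct tool), the following Python parses the line that `getent group wheel` prints and reports members that are not on an approved list, plus any just-added user that is still missing, which is the check to run on each node after step 3. The getent lines are constructed; the usernames alice and bob are placeholders.

```python
"""Audit su permissions by comparing the wheel group with an approved list.

Added example, not part of NetAct. Parses 'getent group wheel' output
(name:password:gid:member,member,...) and reports deviations from the
approved set {omc, system}. Sample lines are constructed.
"""
GETENT_OK = "wheel:x:10:omc,system"
GETENT_EXTRA = "wheel:x:10:omc,system,alice,bob"
GETENT_EMPTY = "wheel:x:10:"

# Users that NetAct installs into wheel (stated in the section above).
APPROVED = frozenset({"omc", "system"})


def parse_group_line(line: str) -> tuple:
    """Split 'name:password:gid:members' into (name, gid, set of members).

    Note: getent lists only supplementary members; an account whose primary
    GID is the wheel GID would not appear here and needs a separate check
    of /etc/passwd.
    """
    name, _password, gid, members = line.strip().split(":", 3)
    member_set = {m for m in members.split(",") if m}   # '' when the list is empty
    return name, int(gid), member_set


def unexpected_su_users(getent_line: str, approved=APPROVED) -> list:
    """Members of wheel that are not on the approved list."""
    name, _gid, members = parse_group_line(getent_line)
    if name != "wheel":
        raise ValueError(f"expected the wheel group, got {name!r}")
    return sorted(members - set(approved))


def missing_su_users(getent_line: str, required) -> list:
    """Users that should have been added (usermod -a -G wheel) but are absent."""
    _name, _gid, members = parse_group_line(getent_line)
    return sorted(set(required) - members)


if __name__ == "__main__":
    print(unexpected_su_users(GETENT_EXTRA))          # ['alice', 'bob']
    print(missing_su_users(GETENT_OK, ["alice"]))     # ['alice']
```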

15.10 Disabling of additional unnecessary services


As a part of NetAct installation and upgrade, Linux services that are not essential for NetAct operations are disabled by default.

However, for an upgraded NetAct system, a few services are left in their current state and are excluded from being disabled by default. You can evaluate the need for such excluded services and disable them using the instructions provided in this section.

Note:

The instructions must be performed on all NetAct virtual machines (VMs). If you are uncertain about the VMs, see Chapter Locating the right virtual machine for a service in Administering NetAct Virtual Infrastructure.

1. Log in as the root user.

2. To disable all unused Linux services, enter:

/opt/cpf/bin/cpfsecurity_actionmgr.pl --enable DISABLE_UNUSED_SERVICES --conf <configuration file>

In a new NetAct installation, the following Linux services are disabled by default:

Services      Description

abrt-ccpp     Is an ABRT service that provides the C/C++ problems analyzer.

abrt-oops     Is an ABRT service that provides the kernel oopses analyzer.

abrtd         Is an ABRT daemon which runs under the root user as a background service.

atd           Is the daemon for the at job processor that enables you to run the tasks at specified times.

cpuspeed      Is the daemon that adjusts the CPU speed based on the power consumption. Less power is used when the CPU is idle, and more power is utilized to improve performance.

haldaemon     Is a daemon that maintains a database of the devices connected to the system in real-time.

mdmonitor     Is a service that starts, stops, and reloads the mdadm (multipath device monitoring and management) software RAID monitoring and management utilities.
              Note: Run these daemons only if you have RAID storage in your system.

postfix       This daemon is a mail transport agent.
              Note: Run this daemon only if your system is a mail relay server.

restorecond   Is a SELinux daemon. The restorecond service monitors file creation listed in the /etc/selinux/restorecond.conf file and then ensures that the files have the correct file context associated with the policy, and then sets the default SELinux file context.

rpcgssd       The rpcgssd and rpcsvcgssd daemons handle security for RPC. The rpcidmapd service maps username to User ID (UID) and Group ID (GID).

Table 18: Disabled Linux Services

You can also see the same list of services in the /etc/opt/cpf/conf/cpfsecurity_disable_unused_services_install.conf file.

However, when previous NetAct releases are upgraded to the current release, the following services are not disabled by default:

• atd
• postfix


If you want to disable the above services after upgrade, proceed to the next step.

3. To disable unnecessary Linux services, enter:

/opt/cpf/bin/cpfsecurity_actionmgr.pl --enable DISABLE_SERVICES --services <service>,<service>...

For example, after an upgrade, enter:

/opt/cpf/bin/cpfsecurity_actionmgr.pl --enable DISABLE_SERVICES --services atd,postfix

When you need to enable Linux services that have already been disabled, enter:

/opt/cpf/bin/cpfsecurity_actionmgr.pl --disable DISABLE_SERVICES --services <service>,<service>...

Note:

• Source packages are not deleted during the disabling of unnecessary services.
• When the services are disabled, they remain disabled even after the subsequent
NetAct upgrades.

4. To verify if the disabling operation is successful, check the /var/log/cpf_install.log file.

15.10.1 Enabling of disabled Linux services


To enable the services that were disabled:

1. Log in as omc user to the NetAct VM where dmgr is running and switch to root user.

To locate the right VM, see Locating the right virtual machine for a service in Administering NetAct
Virtual Infrastructure.

2. To enable disabled init services, enter:

/opt/cpf/bin/cpfsecurity_actionmgr.pl --disable DISABLE_SERVICES --services <service>,<service>...

To enable the remaining unused services after an upgrade, enter:

/opt/cpf/bin/cpfsecurity_actionmgr.pl --disable DISABLE_SERVICES --services atd,autofs,postfix


15.11 Handling slow HTTP denial of service attack


Log in to the NetAct VM where the ihs service is running, switch to root user, and perform the following operations:

1. To add the module mod_reqtimeout and its corresponding RequestReadTimeout value, execute:

[root~]# /opt/cpf/install/bin/cpfihs_update_httpd_conf.sh --update --httpd_file=/opt/IBMHttpServer/conf/httpd.conf --module="reqtimeout_module" --mod_attr="RequestReadTimeout" --mod_header="20-40" --mod_header_minrate="500" --mod_body="20" --mod_body_minrate="500" --mod_file="mod_reqtimeout" --restart_ihs

2. To modify or update an existing value in the mod_reqtimeout module, execute:

[root~]# /opt/cpf/install/bin/cpfihs_update_httpd_conf.sh --update --httpd_file=/opt/IBMHttpServer/conf/httpd.conf --module="reqtimeout_module" --mod_attr="RequestReadTimeout" --mod_header="30-40" --mod_header_minrate="600" --mod_body="30" --mod_body_minrate="600" --mod_file="mod_reqtimeout" --restart_ihs

3. To disable the module mod_reqtimeout, execute:

[root~]# /opt/cpf/install/bin/cpfihs_update_httpd_conf.sh --disable --httpd_file=/opt/IBMHttpServer/conf/httpd.conf --module="reqtimeout_module" --mod_file="mod_reqtimeout" --restart_ihs

4. To enable the module mod_reqtimeout, execute:

[root~]# /opt/cpf/install/bin/cpfihs_update_httpd_conf.sh --enable --httpd_file=/opt/IBMHttpServer/conf/httpd.conf --module="reqtimeout_module" --mod_file="mod_reqtimeout" --restart_ihs

Where:

• mod_header="20-40"

Allow 20 seconds to receive the request containing the headers, but do not allow more than 40 seconds.

• mod_body="20"

Allow 20 seconds to receive the body.

• mod_header_minrate="500" and mod_body_minrate="500"

If the client sends data, increase the timeout by one second for every 500 bytes received. If the data is huge, increase this value.
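The parameters above are written by cpfihs_update_httpd_conf.sh into httpd.conf as a mod_reqtimeout RequestReadTimeout directive. As an added example (not part of the NetAct scripts), the following Python parses the LoadModule and RequestReadTimeout lines from an httpd.conf text and works out the time budget a slow client gets for the headers or body under those values, so the effect of the header/body numbers and the MinRate increments can be checked before and after the change is applied. The httpd.conf excerpt is constructed from the directive syntax mod_reqtimeout documents; the exact lines the NetAct script writes are an assumption.

```python
"""Inspect mod_reqtimeout settings in httpd.conf and compute slow-client budgets.

Added example, not part of NetAct. Parses 'LoadModule reqtimeout_module' and
'RequestReadTimeout header=I-M,MinRate=R body=I-M,MinRate=R' lines (the
directive format mod_reqtimeout documents; the NetAct script's exact output
is an assumption) and evaluates the timeout a client is allowed. The
httpd.conf excerpt is constructed.
"""
import re

HTTPD_CONF = """\
LoadModule reqtimeout_module modules/mod_reqtimeout.so
RequestReadTimeout header=20-40,MinRate=500 body=20,MinRate=500
"""

# One stage: header=20-40,MinRate=500  (maximum and MinRate are optional)
_STAGE = re.compile(r"(?i)(header|body)=(\d+)(?:-(\d+))?(?:,MinRate=(\d+))?")


def parse_request_read_timeout(conf_text: str) -> dict:
    """Return {'header': (initial, maximum, minrate), 'body': (...)}, {} if absent."""
    settings = {}
    for raw in conf_text.splitlines():
        line = raw.strip()
        if line.startswith("#") or not line.lower().startswith("requestreadtimeout"):
            continue
        for stage, initial, maximum, minrate in _STAGE.findall(line):
            settings[stage.lower()] = (
                int(initial),
                int(maximum) if maximum else None,
                int(minrate) if minrate else None,
            )
    return settings


def module_loaded(conf_text: str) -> bool:
    """True if a LoadModule line for reqtimeout_module is present and not commented."""
    return any(re.match(r"(?i)^\s*LoadModule\s+reqtimeout_module\b", line)
               for line in conf_text.splitlines())


def time_budget(settings: dict, stage: str, bytes_received: int) -> float:
    """Seconds the client may take for `stage` after sending `bytes_received`.

    The timeout starts at the initial value, grows by one second for every
    MinRate bytes received, and is capped at the maximum when one is set.
    """
    initial, maximum, minrate = settings[stage]
    budget = initial + (bytes_received / minrate if minrate else 0)
    return min(budget, maximum) if maximum is not None else budget


def findings(conf_text: str) -> list:
    """Weaknesses a reviewer would flag in the slow-HTTP protection."""
    problems = []
    if not module_loaded(conf_text):
        problems.append("reqtimeout_module is not loaded")
    settings = parse_request_read_timeout(conf_text)
    if not settings:
        problems.append("RequestReadTimeout is not configured")
    elif "header" not in settings or settings["header"][1] is None:
        problems.append("header timeout missing or has no upper bound")
    return problems


if __name__ == "__main__":
    s = parse_request_read_timeout(HTTPD_CONF)
    print(s["header"], s["body"])               # (20, 40, 500) (20, None, 500)
    print(time_budget(s, "header", 5000))       # 30.0: 20 s + 5000/500 s
    print(time_budget(s, "header", 50000))      # 40: capped by the maximum
    print(findings(HTTPD_CONF))                 # []
```

The two budget calls make the header/body asymmetry in the page's values visible: the header stage is bounded at 40 seconds no matter how slowly a client trickles bytes, whereas body="20" without a maximum keeps growing with the data received, which is what the "if the data is huge, increase this value" remark refers to.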


16 Managing auditd service in Avamar Virtual Edition

The auditd service is a SLES feature that implements a CAPP-compliant (Controlled Access Protection Profiles) auditing feature, which continually monitors the server for any changes that could affect the server's ability to perform as intended. The auditd service writes log output to /var/log/audit/audit.log.

The auditd service is a level-1 hardening feature that is implemented as part of the base SLES operating system.

Note: The auditd service is disabled by default. Enabling the auditd service has a negative impact on system performance.

16.1 Enabling auditd service

1. Log in to the AVE VM as an admin user through SSH and switch to root user.

2. Enable the auditd service by entering:

root@ave:~/#: systemctl start auditd

3. Check the auditd service status by entering:

root@ave:~/#: systemctl status auditd

16.2 Disabling auditd service

1. Log in to the AVE VM as an admin user through SSH and switch to root user.

2. Disable the auditd service by entering:

root@ave:~/#: systemctl stop auditd

3. Check the auditd service status by entering:

root@ave:~/#: systemctl status auditd


17 Managing FIPS in Avamar Virtual Edition

Avamar 19.3 provides a cryptographic protection mechanism to secure data at rest and data transmission using Federal Information Processing Standards (FIPS) 140-2 validated modules. To use these modules in a compliant manner, the Avamar 19.3 FIPS mode must be enabled. To ensure continued compliance, you must replace the default certificates and cryptographic keys. These should use security parameters consistent with the NIST SP 800-57 and SP 800-131A publications. For some security-relevant features, Avamar acts as a client and is expected to meet FIPS compliance.

17.1 Enabling FIPS

Prerequisites

• Ensure that the Management Console Server (MCS) and Global Storage Area Network (GSAN)
are functioning correctly.
• The server status must be idle and the activities such as backup or restore sessions, Garbage
Collection (GC), or hfscheck must not be running. For example, server up: idle.
• Ensure that there is a validated checkpoint within the past 36 hours.
• Ensure that there is an MC flush data within the past 24 hours.

1. Log in as an admin user to the AVE VM through SSH and switch to root user.

2. Enable the FIPS mode by entering:

root@ave:~/#: /usr/local/avamar/bin/fips.sh on

An Avamar server reboot prompt appears.

3. At the prompt, type y and then press ENTER.

4. Type a minimum of eight characters for generating the Encryption-At-Rest salt.

The Avamar server restarts. Do not disturb the restart process as it could damage the system.

5. Log in as an admin user to the AVE VM through SSH and switch to root user.

6. Check the status of FIPS mode by entering:

root@ave:~/#: /usr/local/avamar/bin/fips.sh status

7. Ensure that all the required dpn services are in the started state by entering:

root@ave:~/#: dpnctl status all


Note: If any dpn service is not in the started state except ConnectEMC service, start the
service manually. Do not start the ConnectEMC service.

17.2 Disabling FIPS

Prerequisites

• Ensure that the Management Console Server (MCS) and Global Storage Area Network (GSAN)
are functioning correctly.
• The server status must be idle and the activities such as backup or restore sessions, Garbage
Collection (GC), or hfscheck must not be running. For example, server up: idle.
• Ensure that there is a validated checkpoint within the past 36 hours.
• Ensure that there is an MC flush data within the past 24 hours.

1. Log in as an admin user to the AVE VM through SSH and switch to root user.

2. Disable the FIPS mode by entering:

root@ave:~/#: /usr/local/avamar/bin/fips.sh off

The Avamar server restarts. Do not disturb the restart process as it could damage the system.

3. Log in as an admin user to the AVE VM through SSH and switch to root user.

4. Check the status of the FIPS mode by entering:

root@ave:~/#: /usr/local/avamar/bin/fips.sh status

5. Ensure that all the required dpn services are in the started state by entering:

root@ave:~/#: dpnctl status all

Note: If any dpn service is not in the started state except ConnectEMC service, start the
service manually. Do not start the ConnectEMC service.


18 Configuring additional audit rules

To address security-related vulnerabilities, configure the additional audit rules. As part of the configuration, you can:

• update the additional audit rules, see Updating audit rules
• revoke the additional audit rules, see Revoking audit rules
• verify if the updates are effective, see Verifying audit rules

18.1 Updating audit rules


You can update the audit rules on the Red Hat Linux VMs to track additional security-related information.

1. Log in as root user to the NetAct VM hosting the dmgr service.

To locate the right VM, see Locating the right virtual machine for a service in Administering NetAct
Virtual Infrastructure.

2. Enable the root SSH login on all NetAct VMs if it is not enabled.

To enable the root SSH login, see Enabling root SSH login in Administering NetAct System
Security.

Note: In the disaster recovery environment, enable the root SSH login on all NetAct VMs
in both active and standby sites.

3. Update the audit rules by doing any one of the following:

• If the system is not a disaster recovery system, enter:

[root@<dmgr-vm>]# psh /opt/cpf/bin/cpfaudit_rule_update.py --update

Sample output:

[1] <time> [SUCCESS] vm8
MM DD <time> root: [INFO] Successfully updated audit rule
[2] <time> [SUCCESS] vm12
MM DD <time> root: [INFO] Successfully updated audit rule
..........................................................

Or


• If the system is a disaster recovery system, enter:

[root@<dmgr-vm>]# psh /opt/cpf/bin/cpfaudit_rule_update.py --update --disasterRecovery

Sample output:

[1] <time> [SUCCESS] drlab8vm9
MM DD <time> root: [INFO] Successfully updated audit rule
[2] <time> [SUCCESS] drlab8vm74
MM DD <time> root: [INFO] Successfully updated audit rule
[3] <time> [SUCCESS] drlab8vm6
MM DD <time> root: [INFO] Successfully updated audit rule
..........................................................
MM DD <time> root: [INFO] Successfully updated audit rule
System is DR enviroment
MM DD <time> root: [INFO] Successfully performed CIS audit rule operation on stand by site

4. Disable the root SSH login on all NetAct VMs, if it was enabled in step 2.

To disable the root SSH login, see Disabling root SSH login in Administering NetAct System
Security.

18.2 Revoking audit rules


You can revoke the audit rule changes done in the Updating audit rules section on the Red Hat Linux VM.

1. Log in as root user to the NetAct VM hosting the dmgr service.

To locate the right VM, see Locating the right virtual machine for a service in Administering NetAct
Virtual Infrastructure.

2. Enable the root SSH login on all NetAct VMs if it is not enabled.

To enable the root SSH login, see Enabling root SSH login in Administering NetAct System
Security.

Note: In the disaster recovery environment, enable the root SSH login on all NetAct VMs
in both active and standby sites.

3. Revoke the audit rules by doing any one of the following:


• If the system is not a disaster recovery system, enter:

[root@<dmgr-vm>]# psh /opt/cpf/bin/cpfaudit_rule_update.py --revoke

Sample output:

[1] <time> [SUCCESS] vm3
MM DD <time> root: [INFO] Revoke operation Successfully
[2] <time> [SUCCESS] vm5
MM DD <time> root: [INFO] Revoke operation Successfully
..........................................................

Or

• If the system is a disaster recovery system, enter:

[root@<dmgr-vm>]# psh /opt/cpf/bin/cpfaudit_rule_update.py --revoke --disasterRecovery

Sample output:

[1] <time> [SUCCESS] drlab8vm14
MM DD <time> root: [INFO] Revoke operation Successfully
[2] <time> [SUCCESS] drlab8vm13
MM DD <time> root: [INFO] Revoke operation Successfully
[3] <time> [SUCCESS] drlab8vm6
MM DD <time> root: [INFO] Revoke operation Successfully
[4] <time> [SUCCESS] drlab8vm5
..........................................................
System is DR enviroment
MM DD <time> root: [INFO] Successfully performed CIS audit rule operation on stand by site

4. Disable the root SSH login on all NetAct VMs, if it was enabled in step 2.

To disable the root SSH login, see Disabling root SSH login in Administering NetAct System
Security.

18.3 Verifying audit rules


After updating or revoking the audit rules, you can verify the changes done on the Red Hat Linux VM.

1. Log in as root user to the NetAct VM hosting the dmgr service.

To locate the right VM, see Locating the right virtual machine for a service in Administering NetAct
Virtual Infrastructure.

2. Enable the root SSH login on all NetAct VMs if it is not enabled.


To enable the root SSH login, see Enabling root SSH login in Administering NetAct System
Security.

Note: In the disaster recovery environment, enable the root SSH login on all NetAct VMs
in both active and standby sites.

3. Verify the audit rules by doing any one of the following:

• If the system is not a disaster recovery system, enter:

[root@<dmgr-vm>]# psh /opt/cpf/bin/cpfaudit_rule_update.py --verify

Sample output 1:

[1] <time> [SUCCESS] vm4
MM DD <time> root: [INFO] Audit Rule already exists in auditctl : '-a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change'...
MM DD <time> root: [INFO] Audit Rule already exists in auditctl : '-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change'
...................................................................

Sample output 2:

[1] <time> [SUCCESS] vm4
MM DD <time> root: [INFO] Audit Rule not updated in auditctl : '-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change'... Please perform update operation
MM DD <time> root: [INFO] Audit Rule not updated in auditctl : '-a always,exit -F arch=b64 -S clock_settime -k time-change'... Please perform update operation
...................................................................

Or

• If the system is a disaster recovery system, enter:

[root@<dmgr-vm>]# psh /opt/cpf/bin/cpfaudit_rule_update.py --verify --disasterRecovery

Sample output:

[1] <time> [SUCCESS] drlab8vm6
MM DD <time> root: [INFO] Audit Rule not updated in auditctl: '-a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change'... Please perform update operation
MM DD <time> root: [INFO] Audit Rule not updated in auditctl: '-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change'... Please perform update operation
MM DD <time> root: [INFO] Audit Rule not updated in auditctl: '-a always,exit -F arch=b64 -S clock_settime -k time-change'... Please perform update operation
..........
System is DR enviroment
MM DD <time> root: [INFO] Successfully performed CIS audit rule operation on stand by site

4. Disable the root SSH login on all NetAct VMs, if it was enabled in step 2.

To disable the root SSH login, see Disabling root SSH login in Administering NetAct System
Security.
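The verify step reports, per VM, whether each expected rule is loaded in auditctl. As an added example (not cpfaudit_rule_update.py, whose internals the manual does not show), the following Python performs that comparison for the time-change rules that appear in the sample outputs of 18.3. The point it demonstrates is that `auditctl -l` prints rules in a canonical form that differs textually from the rules file (several `-S` options merged into one comma-separated list, `-k key` shown as `-F key=key`), so a naive string comparison would report rules as "not updated" even when they are loaded; both sides are therefore normalized first. The `auditctl -l` output below is constructed.

```python
"""Compare expected CIS audit rules with what auditctl has actually loaded.

Added example, not part of NetAct's cpfaudit_rule_update.py. The expected
rules are the time-change rules shown in the 18.3 sample outputs; the
'auditctl -l' listing is constructed and deliberately lacks one of them.
"""
import shlex

EXPECTED_RULES = [
    "-a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change",
    "-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change",
    "-a always,exit -F arch=b64 -S clock_settime -k time-change",
]

# Constructed 'auditctl -l' output in the kernel's canonical form.
# The b64 clock_settime rule is missing; a watch rule is present as noise.
AUDITCTL_LOADED = """\
-a always,exit -F arch=b64 -S adjtimex,settimeofday -F key=time-change
-a always,exit -F arch=b32 -S stime,settimeofday,adjtimex -F key=time-change
-w /etc/passwd -p wa -k identity
"""


def normalize_rule(rule: str) -> tuple:
    """Reduce a rule to an order-independent, hashable form.

    Handles syscall rules (-a, -S, -F, -k) and watch rules (-w, -p, -k).
    '-k NAME' and '-F key=NAME' are treated as the same thing, '-S a -S b'
    equals '-S b,a', and '-a exit,always' equals '-a always,exit'.
    """
    tokens = shlex.split(rule)
    action, syscalls, fields = frozenset(), set(), set()
    key = watch = perms = None
    i = 0
    while i < len(tokens):
        opt = tokens[i]
        arg = tokens[i + 1] if i + 1 < len(tokens) else None
        if arg is None:
            raise ValueError(f"option {opt!r} has no argument in {rule!r}")
        if opt == "-a":
            action = frozenset(arg.split(","))
        elif opt == "-S":
            syscalls.update(arg.split(","))
        elif opt == "-F":
            if arg.startswith("key="):
                key = arg[len("key="):]
            else:
                fields.add(arg)
        elif opt == "-k":
            key = arg
        elif opt == "-w":
            watch = arg
        elif opt == "-p":
            perms = "".join(sorted(arg))
        else:
            raise ValueError(f"unsupported audit option {opt!r} in {rule!r}")
        i += 2
    return (action, frozenset(syscalls), frozenset(fields), key, watch, perms)


def verify_rules(expected: list, loaded_output: str) -> dict:
    """Return {'present': [...], 'missing': [...]} using the original rule strings."""
    loaded = {normalize_rule(line) for line in loaded_output.splitlines() if line.strip()}
    result = {"present": [], "missing": []}
    for rule in expected:
        bucket = "present" if normalize_rule(rule) in loaded else "missing"
        result[bucket].append(rule)
    return result


if __name__ == "__main__":
    report = verify_rules(EXPECTED_RULES, AUDITCTL_LOADED)
    for rule in report["present"]:
        print("already exists in auditctl:", rule)
    for rule in report["missing"]:
        print("not updated in auditctl:", rule, "... Please perform update operation")
```

On a live VM replace `AUDITCTL_LOADED` with the output of `auditctl -l`; a non-empty "missing" list corresponds to the "Please perform update operation" lines in the sample output above.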


19 Operating System Hardening

Operating System hardening helps to minimize security vulnerabilities. The purpose of system hardening is to eliminate as many security risks as possible. This is typically done by disabling all non-essential features of the Operating System. Some of these features may still be useful to the user, and they can be optionally enabled and disabled as needed.

19.1 Managing specific hardening features

19.1.1 Managing core dumps

19.1.1.1 Enabling core dumps


If required, the core dumps can be enabled. This creates a dump of the application memory which can
be used for debugging the application.

1. Log in to NetAct Virtual Machine (VM) where you want to enable core dump, and switch to root
user.

2. To enable core dump, enter:

/opt/cpf/bin/cpfsecurity_actionmgr.pl --disable NO_CORE_DUMP

Note: Disable the core dumps once the debugging is done. See Disabling core dumps.

19.1.1.2 Disabling core dumps

By default, the core dumps are disabled on the system. If the core dump is disabled, the system will
not create dump of the application memory for debugging.

1. Log in to NetAct Virtual Machine (VM) where you want to disable core dump, and switch to root
user.

2. To disable core dump, enter:

/opt/cpf/bin/cpfsecurity_actionmgr.pl --enable NO_CORE_DUMP


19.1.2 Hardening partition

This section describes the hardening for /var, /tmp, /home, and /dev/shm partitions with nosuid,
nodev, and noexec mount options.

• The noexec mount option specifies that the file system cannot contain executable binaries.
• The nosuid mount option disallows the use of setuid programs: it disables the set-user-identifier and set-group-identifier bits, which prevents remote users from gaining higher privileges by running a setuid program.
• The nodev mount option prevents device files on the file system from being processed as hardware devices by the client.

Note: If the container is mounted with /dev/shm, hardening cannot be applied for the /dev/shm partition.

19.1.2.1 Enabling restrictions for partition


This section provides the instructions to configure the nosuid, nodev, and noexec mount options on the /var, /tmp, /home, and /dev/shm partitions.

1. Log in to the VM hosting the dmgr service and switch to root user.

To locate the right VM, see Locating the right virtual machine for a service in Administering NetAct
Virtual Infrastructure.

2. Enable root SSH login on all NetAct VMs.

To enable the root SSH login, see Enabling root SSH login in Administering NetAct System
Security.

Note: In the disaster recovery environment, enable root SSH login on all NetAct VMs in
both active and standby sites.

3. Enable restrictions for partitions by doing the following:


a) Enable restrictions for the /var partition by entering:

[root@<dmgr-vm>]# psh /opt/cpf/bin/cpfsecurity_os_hardening.py --component mount_option --parameter_and_value /var=defaults,nosuid,nodev,noexec

Sample output:

[1] <time> [SUCCESS] vm10
MM DD <time> root: [INFO] mount option hardening successfully completed for ['/var=defaults,nosuid,nodev,noexec']
[2] <time> [SUCCESS] vm07
MM DD <time> root: [INFO] mount option hardening successfully completed for ['/var=defaults,nosuid,nodev,noexec']
[3] <time> [SUCCESS] vm19
MM DD <time> root: [INFO] mount option hardening successfully completed for ['/var=defaults,nosuid,nodev,noexec']
...

b) Enable restrictions for the /tmp partition by entering:

[root@<dmgr-vm>]# psh /opt/cpf/bin/cpfsecurity_os_hardening.py --component mount_option --parameter_and_value /tmp=defaults,nosuid,nodev,noexec

Sample output:

[1] <time> [SUCCESS] vm19
MM DD <time> root: [INFO] mount option hardening successfully completed for ['/tmp=defaults,nosuid,nodev,noexec']
[2] <time> [SUCCESS] vm07
MM DD <time> root: [INFO] mount option hardening successfully completed for ['/tmp=defaults,nosuid,nodev,noexec']
[3] <time> [SUCCESS] vm16
MM DD <time> root: [INFO] mount option hardening successfully completed for ['/tmp=defaults,nosuid,nodev,noexec']
...

c) To support processing hardware alarms automatically, revise restrictions for the /tmp partition
on the VM hosting the hpsim service by entering:

Note: Execute this command only if the cluster is configured with the hpsim service.

[root@dmgr-vm]# ssh -q root@`/opt/cpf/install/bin/smanager_configuration.pl nodeMap service hpsim` "/opt/cpf/bin/cpfsecurity_os_hardening.py -c mount_option -p /tmp=defaults,nosuid,nodev"

Sample output:

MM DD <time> root: [INFO] mount option hardening successfully completed for ['/tmp=defaults,nosuid,nodev']


d) Enable restrictions for the /home partition by entering:

[root@<dmgr-vm>]# psh /opt/cpf/bin/cpfsecurity_os_hardening.py -c mount_option -p /home=defaults,nodev

Sample output:

[1] 08:16:28 [FAILURE] vm03 Exited with error code 1
MM DD <time> root: [ERROR] invalid mount_point /home
MM DD <time> root: [ERROR] invalid argument /home=defaults,nodev. Argument must contain key=value
usage: /opt/cpf/bin/cpfsecurity_os_hardening.py
MM DD <time> root: [ERROR] failed while hardening/unhardening mount_option component
[2] <time> [SUCCESS] vm02
MM DD <time> root: [INFO] mount option hardening successfully completed for ['/home=defaults,nodev']
[3] <time> [SUCCESS] vm07
...

Note: You can ignore the above error. On the nfs VM, /etc/fstab does not contain the information about the NFS shares, which is why the error appears for that VM in the sample output.

e) Enable restrictions for the /dev/shm partition by entering:

[root@<dmgr-vm>]# psh /opt/cpf/bin/cpfsecurity_os_hardening.py --component mount_option --parameter_and_value /dev/shm=defaults,nosuid,nodev,noexec

Sample output:

[1] 09:32:32 [SUCCESS] vm03
MM DD <time> root: [INFO] mount option hardening successfully completed for ['/dev/shm=defaults,nosuid,nodev,noexec']
[2] <time> [SUCCESS] vm08
MM DD <time> root: [INFO] mount option hardening successfully completed for ['/dev/shm=defaults,nosuid,nodev,noexec']
[3] <time> [SUCCESS] vm11
MM DD <time> root: [INFO] mount option hardening successfully completed for ['/dev/shm=defaults,nosuid,nodev,noexec']
...

4. Disable root SSH login on all NetAct VMs if it was enabled in step 2.

To disable the root SSH login, see Disabling root SSH login in Administering NetAct System
Security.
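As an added verification step that is not part of the NetAct documentation or the cpfsecurity tooling, the following Python script reads the live mount table from /proc/mounts and reports any of the four partitions whose effective options fall short of what this procedure applies. The hpsim exception for /tmp is modelled with a flag, and the sample mount table is constructed.

```python
# Added example, not part of the NetAct documentation or the cpfsecurity tooling:
# audit the live mount table so that the restrictions applied above can be
# confirmed on a VM rather than inferred from the psh output.
from typing import Dict, List, Optional, Set

# Options the procedure applies per partition. On the VM hosting hpsim, /tmp is
# deliberately left without noexec (step 3c), which the hpsim_vm flag models.
EXPECTED_OPTIONS: Dict[str, Set[str]] = {
    "/var": {"nosuid", "nodev", "noexec"},
    "/tmp": {"nosuid", "nodev", "noexec"},
    "/home": {"nodev"},
    "/dev/shm": {"nosuid", "nodev", "noexec"},
}

# Constructed /proc/mounts excerpt: /tmp lacks noexec and /home is not a
# separate mount point at all (it lives on the root file system).
SAMPLE_PROC_MOUNTS = """\
/dev/mapper/vg-root / xfs rw,relatime,attr2,inode64,noquota 0 0
/dev/mapper/vg-var /var xfs rw,nosuid,nodev,noexec,relatime,attr2,inode64 0 0
/dev/mapper/vg-tmp /tmp xfs rw,nosuid,nodev,relatime,attr2,inode64 0 0
tmpfs /dev/shm tmpfs rw,nosuid,nodev,noexec,relatime 0 0
"""


def parse_proc_mounts(text: str) -> Dict[str, Set[str]]:
    """Map each mount point to the option set the kernel has in effect.

    Each /proc/mounts line reads: device mountpoint fstype options dump pass.
    The kernel escapes a space in a path as \\040, which is decoded here.
    When a path is mounted more than once, the last line is the visible
    mount, so later entries override earlier ones.
    """
    mounts: Dict[str, Set[str]] = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue  # blank or truncated line
        mountpoint = fields[1].replace("\\040", " ")
        mounts[mountpoint] = set(fields[3].split(","))
    return mounts


def audit_mount_options(proc_mounts: str, hpsim_vm: bool = False,
                        expected: Dict[str, Set[str]] = EXPECTED_OPTIONS
                        ) -> Dict[str, Optional[List[str]]]:
    """Return the non-compliant partitions: {mountpoint: sorted missing options}.

    A value of None means the path is not a separate mount point, so no
    mount option can restrict it; a missing mount is also what lies behind
    the "invalid mount_point /home" error shown for the nfs VM in step 3d.
    """
    live = parse_proc_mounts(proc_mounts)
    findings: Dict[str, Optional[List[str]]] = {}
    for mountpoint, wanted in expected.items():
        wanted = set(wanted)
        if hpsim_vm and mountpoint == "/tmp":
            wanted.discard("noexec")  # hardware alarm processing needs an executable /tmp
        options = live.get(mountpoint)
        if options is None:
            findings[mountpoint] = None
        elif not wanted <= options:
            findings[mountpoint] = sorted(wanted - options)
    return findings


if __name__ == "__main__":
    import sys
    # On a real VM, audit the running system instead of the constructed sample.
    with open("/proc/mounts") as fh:
        result = audit_mount_options(fh.read(), hpsim_vm="--hpsim" in sys.argv)
    for path, missing in result.items():
        detail = "not a separate mount point" if missing is None else "missing " + ",".join(missing)
        print(f"{path}: {detail}")
    sys.exit(1 if result else 0)
```

Run it with psh on every VM after step 3 to confirm the options are live; a non-zero exit code flags a VM that still needs attention.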

19.1.2.2 Reverting partition restrictions to default settings

You can revert the partition restrictions done as part of Enabling restrictions for partition to default settings.

1. Log in to the VM hosting the dmgr service and switch to root user.

To locate the right VM, see Locating the right virtual machine for a service in Administering NetAct
Virtual Infrastructure.

2. Enable root SSH login on all NetAct VMs.

To enable the root SSH login, see Enabling root SSH login in Administering NetAct System
Security.

Note: In the disaster recovery environment, enable root SSH login on all NetAct VMs in
both active and standby sites.

3. Revert restrictions enabled on all partitions by entering:

[root@<dmgr-vm>]# psh /opt/cpf/bin/cpfsecurity_os_hardening.py --component mount_option --default

Sample output:

[1] <time> [SUCCESS] vm10
MM DD <time> root: [INFO] mount option unhardening operation successfully completed for ['/var=defaults', '/tmp=defaults', '/dev/shm=defaults']
[2] <time> [SUCCESS] vm11
MM DD <time> root: [INFO] mount option unhardening operation successfully completed for ['/var=defaults', '/tmp=defaults', '/dev/shm=defaults']
[3] <time> [SUCCESS] vm12
MM DD <time> root: [INFO] mount option unhardening operation successfully completed for ['/var=defaults', '/tmp=defaults', '/dev/shm=defaults']
...

4. Disable root SSH login on all NetAct VMs if it was enabled in step 2.

To disable the root SSH login, see Disabling root SSH login in Administering NetAct System
Security.

19.1.3 Handling insecure FTP port

File Transfer Protocol (FTP) is a standard network protocol used to copy a file from one host to another over a TCP/IP-based network. It is used for file transfers between the network elements and NetAct. If file transfer is required, it is recommended to use SFTP only. Unless there is a need to run the system as an FTP server (for example, to allow anonymous downloads), it is recommended that the service be disabled to reduce the potential attack surface.

19.1.3.1 Disabling insecure FTP port

You can block the FTP port request towards NetAct by following the instructions provided in this
section.

1. Log in to the VM hosting the dmgr service and switch to root user.

To locate the right VM, see Locating the right virtual machine for a service in Administering NetAct
Virtual Infrastructure.

2. Enable root SSH login on all NetAct VMs.

To enable the root SSH login, see Enabling root SSH login in Administering NetAct System
Security.

Note: In the disaster recovery environment, enable root SSH login on all NetAct VMs in
both active and standby sites.

3. Disable FTP port on all NetAct VMs by entering:

[root@<dmgr-vm>]# psh /opt/cpf/bin/cpfsecurity_os_hardening.py --component ftp

Sample output:

IPv4 lab

[1] <time> [SUCCESS] vm01
MM DD <time> root: [INFO] Successfully disabled ftp port 21 for ipv4.
[2] <time> [SUCCESS] vm03
MM DD <time> root: [INFO] Successfully disabled ftp port 21 for ipv4.
[3] <time> [SUCCESS] vm04
MM DD <time> root: [INFO] Successfully disabled ftp port 21 for ipv4.

DualStack lab

[1] <time> [SUCCESS] vm01
MM DD <time> root: [INFO] Successfully disabled ftp port 21 for ipv4.
MM DD <time> root: [INFO] Successfully disabled ftp port 21 for ipv6.
[2] <time> [SUCCESS] vm03
MM DD <time> root: [INFO] Successfully disabled ftp port 21 for ipv4.
MM DD <time> root: [INFO] Successfully disabled ftp port 21 for ipv6.
[3] <time> [SUCCESS] vm04
MM DD <time> root: [INFO] Successfully disabled ftp port 21 for ipv4.
MM DD <time> root: [INFO] Successfully disabled ftp port 21 for ipv6.

4. Disable root SSH login on all NetAct VMs if it was enabled in step 2.

To disable the root SSH login, see Disabling root SSH login in Administering NetAct System
Security.

19.1.3.2 Enabling insecure FTP port

1. Log in to the VM hosting the dmgr service and switch to root user.

To locate the right VM, see Locating the right virtual machine for a service in Administering NetAct
Virtual Infrastructure.

2. Enable root SSH login on all NetAct VMs.

To enable the root SSH login, see Enabling root SSH login in Administering NetAct System
Security.

Note: In the disaster recovery environment, enable root SSH login on all NetAct VMs in
both active and standby sites.

3. Enable FTP port on all NetAct VMs by entering:

[root@<dmgr-vm>]# psh /opt/cpf/bin/cpfsecurity_os_hardening.py --component ftp --default

Sample output:

IPv4 lab

[1] <time> [SUCCESS] vm01
MM DD <time> root: [INFO] Successfully enabled ftp port 21 for ipv4.
[2] <time> [SUCCESS] vm03
MM DD <time> root: [INFO] Successfully enabled ftp port 21 for ipv4.
[3] <time> [SUCCESS] vm04
MM DD <time> root: [INFO] Successfully enabled ftp port 21 for ipv4.

DualStack lab

[1] <time> [SUCCESS] vm01
MM DD <time> root: [INFO] Successfully enabled ftp port 21 for ipv4.
MM DD <time> root: [INFO] Successfully enabled ftp port 21 for ipv6.
[2] <time> [SUCCESS] vm03
MM DD <time> root: [INFO] Successfully enabled ftp port 21 for ipv4.
MM DD <time> root: [INFO] Successfully enabled ftp port 21 for ipv6.
[3] <time> [SUCCESS] vm04
MM DD <time> root: [INFO] Successfully enabled ftp port 21 for ipv4.
MM DD <time> root: [INFO] Successfully enabled ftp port 21 for ipv6.

4. Disable root SSH login on all NetAct VMs if it was enabled in step 2.

To disable the root SSH login, see Disabling root SSH login in Administering NetAct System
Security.

19.1.4 Hardening SSHD configuration

This section describes how to reconfigure the following SSHD parameters:

• ClientAliveInterval: the ClientAliveInterval parameter specifies the length of time after which an SSHD session with no activity is terminated.
• MaxAuthTries: the MaxAuthTries parameter specifies the maximum number of authentication attempts permitted per connection.
• LoginGraceTime: the LoginGraceTime parameter specifies the time allowed for successful authentication to the SSH server.

19.1.4.1 Reconfiguring SSHD parameters

1. Log in to the VM hosting the dmgr service and switch to root user.

To locate the right VM, see Locating the right virtual machine for a service in Administering NetAct
Virtual Infrastructure.

2. Enable root SSH login on all NetAct VMs.

To enable the root SSH login, see Enabling root SSH login in Administering NetAct System
Security.


Note: In the disaster recovery environment, enable root SSH login on all NetAct VMs in
both active and standby sites.

3. Reconfigure SSHD parameters by doing the following:


a) To reconfigure ClientAliveInterval parameter, enter:

Note: The ClientAliveInterval parameter value must be in the range of 300 - 3600.

[root@<dmgr-vm>]# psh /opt/cpf/bin/cpfsecurity_os_hardening.py --component sshd --parameter_and_value ClientAliveInterval=<value>

For example:

[root@<dmgr-vm>]# psh /opt/cpf/bin/cpfsecurity_os_hardening.py --component sshd --parameter_and_value ClientAliveInterval=300

Sample output:

[1] <time> [SUCCESS] vm01
MM DD <time> root: [INFO] sshd parameter hardening successfully completed for ['ClientAliveInterval=300'].
[2] <time> [SUCCESS] vm09
MM DD <time> root: [INFO] sshd parameter hardening successfully completed for ['ClientAliveInterval=300'].
[3] <time> [SUCCESS] vm05
MM DD <time> root: [INFO] sshd parameter hardening successfully completed for ['ClientAliveInterval=300'].
...

b) To reconfigure MaxAuthTries parameter, enter:

Note: The MaxAuthTries parameter value must be in the range of 4 - 6.

[root@<dmgr-vm>]# psh /opt/cpf/bin/cpfsecurity_os_hardening.py --component sshd --parameter_and_value MaxAuthTries=<value>

For example:

[root@<dmgr-vm>]# psh /opt/cpf/bin/cpfsecurity_os_hardening.py --component sshd --parameter_and_value MaxAuthTries=4

Sample output:

[1] <time> [SUCCESS] vm01
MM DD <time> root: [INFO] sshd parameter hardening successfully completed for ['MaxAuthTries=4'].
[2] <time> [SUCCESS] vm09
MM DD <time> root: [INFO] sshd parameter hardening successfully completed for ['MaxAuthTries=4'].
[3] <time> [SUCCESS] vm05
MM DD <time> root: [INFO] sshd parameter hardening successfully completed for ['MaxAuthTries=4'].

c) To reconfigure LoginGraceTime parameter, enter:

Note: The LoginGraceTime parameter value must be in the range of 120 - 180.

[root@<dmgr-vm>]# psh /opt/cpf/bin/cpfsecurity_os_hardening.py --component sshd --parameter_and_value LoginGraceTime=<value>

For example:

[root@<dmgr-vm>]# psh /opt/cpf/bin/cpfsecurity_os_hardening.py --component sshd --parameter_and_value LoginGraceTime=120

Sample output:

[1] <time> [SUCCESS] vm01
MM DD <time> root: [INFO] sshd parameter hardening successfully completed for ['LoginGraceTime=120'].
[2] <time> [SUCCESS] vm08
MM DD <time> root: [INFO] sshd parameter hardening successfully completed for ['LoginGraceTime=120'].
[3] <time> [SUCCESS] vm09
MM DD <time> root: [INFO] sshd parameter hardening successfully completed for ['LoginGraceTime=120'].
...

4. Disable root SSH login on all NetAct VMs if it was enabled in step 2.

To disable the root SSH login, see Disabling root SSH login in Administering NetAct System
Security.


19.1.4.2 Reverting SSHD configuration to default setting

1. Log in to the VM hosting the dmgr service and switch to root user.

To locate the right VM, see Locating the right virtual machine for a service in Administering NetAct
Virtual Infrastructure.

2. Enable root SSH login on all NetAct VMs.

To enable the root SSH login, see Enabling root SSH login in Administering NetAct System
Security.

Note: In the disaster recovery environment, enable root SSH login on all NetAct VMs in
both active and standby sites.

3. Restore the default SSHD configuration by entering:

[root@<dmgr-vm>]# psh /opt/cpf/bin/cpfsecurity_os_hardening.py --component sshd --default

Sample output:

[1] <time> [SUCCESS] vm01
MM DD <time> root: [INFO] sshd parameter unhardening operation successfully completed for ['clientaliveinterval=3600', 'logingracetime=180', 'maxauthtries=6']
[2] <time> [SUCCESS] vm04
MM DD <time> root: [INFO] sshd parameter unhardening operation successfully completed for ['clientaliveinterval=3600', 'logingracetime=180', 'maxauthtries=6']
[3] <time> [SUCCESS] vm07
MM DD <time> root: [INFO] sshd parameter unhardening operation successfully completed for ['clientaliveinterval=3600', 'logingracetime=180', 'maxauthtries=6']
...

4. Disable root SSH login on all NetAct VMs if it was enabled in step 2.

To disable the root SSH login, see Disabling root SSH login in Administering NetAct System
Security.


19.1.5 Strengthening OS user password configuration

19.1.5.1 Setting password policy for OS users

To set the password policy for OS users, do the following:

• Setting password minimum length for OS users
• Setting minimum number of days between password change value

19.1.5.1.1 Setting password minimum length for OS users

Setting a higher minimum password length for OS users enforces stronger passwords and thereby protects the system against brute-force attacks.

1. Log in to the VM hosting the dmgr service and switch to root user.

To locate the right VM, see Locating the right virtual machine for a service in Administering NetAct
Virtual Infrastructure.

2. Enable root SSH login on all NetAct VMs.

To enable the root SSH login, see Enabling root SSH login in Administering NetAct System
Security.

Note: In the disaster recovery environment, enable root SSH login on all NetAct VMs in
both active and standby sites.

3. Set the minimum length of the password for OS users by entering:

Note: The password_min_length parameter value must be in the range of 9 - 50.

[root@<dmgr-vm>]# psh /opt/cpf/bin/cpfsecurity_os_hardening.py --component password_policy --parameter_and_value password_min_length=<value>

Sample output:

[1] <time> [SUCCESS] vm07
MM DD <time> root: [INFO] password policy hardening successfully completed for ['password_min_length=14']
[2] <time> [SUCCESS] vm01
MM DD <time> root: [INFO] password policy hardening successfully completed for ['password_min_length=14']
[3] <time> [SUCCESS] vm19
MM DD <time> root: [INFO] password policy hardening successfully completed for ['password_min_length=14']

4. Disable root SSH login on all NetAct VMs if it was enabled in step 2.

To disable the root SSH login, see Disabling root SSH login in Administering NetAct System
Security.

19.1.5.1.2 Setting minimum number of days between password change value

By setting the minimum number of days between password changes for OS users, an administrator can prevent users from repeatedly changing their password in an attempt to bypass the password reuse controls.

1. Log in to the VM hosting the dmgr service and switch to root user.

To locate the right VM, see Locating the right virtual machine for a service in Administering NetAct
Virtual Infrastructure.

2. Enable root SSH login on all NetAct VMs.

To enable the root SSH login, see Enabling root SSH login in Administering NetAct System
Security.

Note: In the disaster recovery environment, enable root SSH login on all NetAct VMs in
both active and standby sites.

3. Set the PASS_MIN_DAYS parameter for OS users by entering:

Note: The password_min_days parameter value must be in the range of 0-4999.

[root@<dmgr-vm>]# psh /opt/cpf/bin/cpfsecurity_os_hardening.py --component password_policy --parameter_and_value password_min_days=<value>

Sample output:

[1] <time> [SUCCESS] vm01
MM DD <time> root: [INFO] password policy hardening successfully completed for ['password_min_days=7']
[2] <time> [SUCCESS] vm04
MM DD <time> root: [INFO] password policy hardening successfully completed for ['password_min_days=7']
[3] <time> [SUCCESS] vm05
MM DD <time> root: [INFO] password policy hardening successfully completed for ['password_min_days=7']

4. Disable root SSH login on all NetAct VMs if it was enabled in step 2.

To disable the root SSH login, see Disabling root SSH login in Administering NetAct System
Security.
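The ranges in 19.1.4 (SSHD parameters) and 19.1.5 (password policy) can be verified on a VM from the configuration files themselves. The following Python audit is an added example, not part of the NetAct documentation or the cpfsecurity tooling; it assumes sshd_config and /etc/login.defs as the files behind those settings, treats PASS_MIN_LEN as the login.defs keyword behind password_min_length (an assumption, only PASS_MIN_DAYS is named on this page), and uses constructed configuration fragments.

```python
# Added example, not part of the NetAct documentation or the cpfsecurity tooling:
# read the values actually present in sshd_config and login.defs on a VM and
# check them against the ranges the procedures in 19.1.4 and 19.1.5 accept.
import re
from typing import Dict, Iterable, List, Optional, Tuple

# Accepted ranges from the procedures. sshd keywords are compared in lower
# case, as sshd treats them case-insensitively (compare the revert output in
# 19.1.4.2, which prints them that way).
SSHD_RANGES: Dict[str, Tuple[int, int]] = {
    "clientaliveinterval": (300, 3600),
    "maxauthtries": (4, 6),
    "logingracetime": (120, 180),
}
TIME_KEYWORDS = {"clientaliveinterval", "logingracetime"}  # accept sshd time units

# PASS_MIN_DAYS is the keyword named in 19.1.5.1.2; PASS_MIN_LEN is assumed
# here to be the login.defs keyword behind password_min_length.
LOGIN_DEFS_RANGES: Dict[str, Tuple[int, int]] = {
    "PASS_MIN_LEN": (9, 50),
    "PASS_MIN_DAYS": (0, 4999),
}

_UNIT_SECONDS = {"": 1, "s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}

# Constructed fragments: MaxAuthTries is out of range, the duplicated
# ClientAliveInterval shows first-occurrence-wins, LoginGraceTime uses a unit.
SAMPLE_SSHD_CONFIG = """\
Port 22
ClientAliveInterval 3600
clientaliveinterval 60   # ignored: sshd keeps the first value it reads
MaxAuthTries 10
LoginGraceTime 2m
Match User backup
    MaxAuthTries 3
"""
SAMPLE_LOGIN_DEFS = """\
PASS_MAX_DAYS   90
PASS_MIN_DAYS   0
PASS_MIN_DAYS   7
PASS_MIN_LEN    14
"""


def parse_seconds(value: str) -> Optional[int]:
    """Convert an sshd time value such as '180', '2m' or '1h30m' to seconds."""
    total, pos = 0, 0
    for m in re.finditer(r"(\d+)([smhdw]?)", value.lower()):
        if m.start() != pos:
            return None  # stray characters between fields
        total += int(m.group(1)) * _UNIT_SECONDS[m.group(2)]
        pos = m.end()
    return total if value and pos == len(value) else None


def parse_keyword_file(text: str, sshd_style: bool) -> Dict[str, str]:
    """Parse 'Keyword value' lines as found in sshd_config and login.defs.

    sshd_config: keywords are case-insensitive, the first occurrence wins, and
    everything after a Match line is conditional, so parsing stops there.
    login.defs: keywords are case-sensitive and the last occurrence wins.
    """
    values: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) != 2:
            continue  # blank, comment-only or valueless line
        key, value = parts
        if sshd_style:
            key = key.lower()
            if key == "match":
                break
            values.setdefault(key, value)
        else:
            values[key] = value
    return values


def check_ranges(values: Dict[str, str], ranges: Dict[str, Tuple[int, int]],
                 time_keywords: Iterable[str] = ()) -> List[str]:
    """Return one finding per non-compliant parameter; an empty list means compliant."""
    findings: List[str] = []
    for key, (low, high) in ranges.items():
        raw = values.get(key)
        if raw is None:
            findings.append(f"{key}: not set explicitly, built-in default applies")
            continue
        if key in time_keywords:
            number = parse_seconds(raw)
        else:
            number = int(raw) if re.fullmatch(r"\d+", raw) else None
        if number is None:
            findings.append(f"{key}: unparsable value {raw!r}")
        elif not low <= number <= high:
            findings.append(f"{key}: {number} outside {low}-{high}")
    return findings


def audit_sshd(text: str) -> List[str]:
    return check_ranges(parse_keyword_file(text, sshd_style=True), SSHD_RANGES, TIME_KEYWORDS)


def audit_login_defs(text: str) -> List[str]:
    return check_ranges(parse_keyword_file(text, sshd_style=False), LOGIN_DEFS_RANGES)
```

Feed audit_sshd the contents of /etc/ssh/sshd_config and audit_login_defs the contents of /etc/login.defs on each VM; a parameter that is not set explicitly is reported, because the compiled-in default (not the hardened value) is then in force.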

19.1.6 Reverting password policy settings

1. Log in to the VM hosting the dmgr service and switch to root user.

To locate the right VM, see Locating the right virtual machine for a service in Administering NetAct
Virtual Infrastructure.

2. Enable root SSH login on all NetAct VMs.

To enable the root SSH login, see Enabling root SSH login in Administering NetAct System
Security.

3. Revert the password policy for OS users by entering:

[root@<dmgr-vm>]# psh /opt/cpf/bin/cpfsecurity_os_hardening.py --component password_policy --default

Sample output:

[1] <time> [SUCCESS] vm86
MM DD <time> root: [INFO] password policy unhardening operation successfully completed for ['password_min_length=9', 'password_min_days=0']
[2] <time> [SUCCESS] vm85
MM DD <time> root: [INFO] password policy unhardening operation successfully completed for ['password_min_length=9', 'password_min_days=0']
[3] <time> [SUCCESS] vm17
MM DD <time> root: [INFO] password policy unhardening operation successfully completed for ['password_min_length=9', 'password_min_days=0']
[4] <time> [SUCCESS] vm11
MM DD <time> root: [INFO] password policy unhardening operation successfully completed for ['password_min_length=9', 'password_min_days=0']
[5] <time> [SUCCESS] vm4
MM DD <time> root: [INFO] password policy unhardening operation successfully completed for ['password_min_length=9', 'password_min_days=0']
[6] <time> [SUCCESS] vm7
MM DD <time> root: [INFO] password policy unhardening operation successfully completed for ['password_min_length=9', 'password_min_days=0']
[7] <time> [SUCCESS] vm12
MM DD <time> root: [INFO] password policy unhardening operation successfully completed for ['password_min_length=9', 'password_min_days=0']
...

4. Disable root SSH login on all NetAct VMs if it was enabled in step 2.

To disable the root SSH login, see Disabling root SSH login in Administering NetAct System
Security.


20 Hardening of Node Manager Server

Node Manager Server (NMS) hardening applies security settings that minimize security vulnerabilities. Users can enable or disable the Windows hardening on the NMS servers and can also check the status of the Windows hardening.

All applications and tasks that require administrative privileges must be opened with the Run as Administrator option.

The user must confirm the User Account Control (UAC) prompt to run applications and tasks that require administrative privileges.

20.1 Configuring Node Manager Server Hardening


You must configure the Node Manager Server (NMS) hardening settings in NetAct for the security settings to take effect.

1. Log in as the <domain name>\<administrator account> user to the master DC.

2. Create a new NMS domain administrator by entering the following commands in Windows PowerShell:

cd C:\Apps\Oss\platform_sw\WindowsHardening\Scripts

.\AdminUserCreation.ps1 -NewAdminUserName <userName>

At the prompt, type the Administrator user password.

The New Administrator User created successfully message appears.

3. Perform hardening configurations by entering:

.\DC_configForHardening.ps1 -NewAdminUserName <AdminUserName>

At the prompt, type the Administrator user password.

After successful execution of the command, the Successfully completed the Hardening configuration message appears.

4. Set hardening policies by entering:

.\HardeningSettings.ps1 -Enable -NewAdminUserName <AdminUserName> -OldDomainAdminUserName <OldAdminUserName>

where:


• NewAdminUserName is the Administrator user name newly created in Step 2.
• OldDomainAdminUserName is the Administrator, that is, the default domain admin user created during NMS installation (or the name that user has been renamed to).

At the prompt, type the New Administrator user password.

After successful execution of the command, the Successfully Enabled hardening settings message appears.

5. If the previous session is closed, start a new one using the newly created Administrator user in
Step 2.

6. Set consistency of Group Policy.

a) Open Command Prompt and enter the following command:

gpmc.msc

The Group Policy Management application opens.

b) In the Group Policy Management pane, select Forest: <forest name> → Domains → <domain name> → Group Policy Objects.

c) Click Default Domain Policy.

The Group Policy Management dialog box appears.

d) Click OK to set consistency in the permissions for the GPO in the SYSVOL folder and Active Directory.

e) Click Default Domain Controller Policy.


The Group Policy Management dialog box appears.

f) Click OK to set consistency in the permissions for the GPO in the SYSVOL folder and Active Directory.

7. Add NetAct and Citrix URLs to IE trusted zone.

a) To add NetAct Start Page to IE trusted zone, open Command Prompt as Administrator and enter:

C:\config\configuration\SetTrustSite\SetTrustSite.exe <NetAct Start Page URL>

For example: C:\config\configuration\SetTrustSite\SetTrustSite.exe https://clab1649lbwas.netact.nsn-rdnet.net/

b) To add Citrix StoreWeb to IE trusted zone, open Command Prompt as Administrator and enter:

C:\config\configuration\SetTrustSite\SetTrustSite.exe <Citrix StoreWeb URL>

For example: C:\config\configuration\SetTrustSite\SetTrustSite.exe https://na18actxdc1.na18a.netact.nsn-rdnet.net/Citrix/StoreWeb

Note:

• In case of two CTXDCs, add the Citrix URL of both.
• If NLB is configured, then add the NLB URL.

If you use the Remote Desktop or any other console (for example, VMware console) to connect to NMS nodes, then do not minimize the Remote Desktop window before the configuration is completed.

8. Modify security policies.

a) Click Start and click Windows Administrative Tools to open the Administrative Tools window.

b) In the Administrative Tools window, double-click Group Policy Management.


c) In the Group Policy Management window, expand Forest: <domain name> → Domains → <domain name> → Group Policy Objects, right-click NokiaUserSettings (click Yes if there is a pop-up window), and then select Edit....

Edit the policies as listed in Table 19: Policies to be set in NokiaUserSettings.

Policy Path: Computer Configuration\Policies\Administrative Templates: Policy definitions (ADMX files) retrieved from the local computer\System\Internet Communication Management\Internet Communication settings
Policy Setting Name: Turn off the Windows Messenger Customer Experience Improvement Program
Policy Value: Enabled

Policy Path: Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options
Policy Setting Name: Interactive logon: Number of previous logons to cache (in case domain controller is not available)
Policy Value: 4

Policy Path: Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options
Policy Setting Name: Network security: Force logoff when logon hours expire
Policy Value: Enabled

Policy Path: Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment
Policy Setting Name: Allow log on locally
Policy Value: Administrators

Policy Path: Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment
Policy Setting Name: Deny access to this computer from the network
Policy Value: Guests, Local Account

Policy Path: Computer Configuration\Policies\Administrative Templates: Policy definitions (ADMX files) retrieved from the local computer\Windows Components\Credential User Interface
Policy Setting Name: Require trusted path for credential entry
Policy Value: Not Configured
Note: Ensure the policy value is set to Not Configured if DCAP and 2G NEs are integrated.

Table 19: Policies to be set in NokiaUserSettings

d) In the Group Policy Management window, expand Forest: <domain name> → Domains → <domain name> → Group Policy Objects, right-click Default Domain Policy (click Yes if there is a pop-up window), and then select Edit....

Edit the policies listed in Table 20: Policies to be set in Default Domain Policy.

• Policy Path: Computer Configuration\Policies\Administrative Templates: Policy definitions (ADMX files) retrieved from the local computer\Windows Components\File Explorer
  Policy Setting Name: Set a default associations configuration file
  Policy Value: C:\config\browsers\chrome.xml
  Note: It is mandatory to set this policy if Google Chrome has been set as the default browser.

Table 20: Policies to be set in Default Domain Policy

Note: You can review the additional policies under Group Policy Objects → Default Domain Policy and modify the settings as required. For further information, see Additional group policy settings.

9. Log in to the master DC as the new Administrator user created in Step 2. Skip this step if a new
session has been started in Step 4.

10. Open Windows PowerShell and enter:

C:\Apps\Oss\platform_sw\Scripts\UpdateGPO.ps1

The hardening settings are enabled after the command is executed successfully.

Note: For a comprehensive list of Policy Settings, see Appendix I: Node manager server
hardening policies in Administering Node Manager Server.

20.1.1 Additional group policy settings

You can review the individual group policy settings under Default Domain Policy and apply those from Table 21: Additional group policy settings in Default Domain Policy that suit your requirements.


• Policy Path: Computer Configuration\Policies\Administrative Templates: Policy definitions (ADMX files) retrieved from the local computer\System\Troubleshooting and Diagnostics\Microsoft Support Diagnostic Tool\Microsoft Support Diagnostic Tool: Turn on MSDT interactive communication with support provider
  Policy Setting Name: MSDT interactive communication with support provider
  Policy Value: Disabled
  Comments: This policy setting configures Microsoft Support Diagnostic Tool (MSDT) interactive communication with the support provider. MSDT gathers diagnostic data for analysis by support professionals.

• Policy Path: Computer Configuration\Policies\Administrative Templates: Policy definitions (ADMX files) retrieved from the local computer\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Connections\Restrict Remote Desktop Services users to a single Remote Desktop Services session
  Policy Setting Name: Restrict Remote Desktop Services users to a single Remote Desktop Services session
  Policy Value: Enabled
  Comments: If you enable this policy setting, users who log on remotely by using Remote Desktop Services are restricted to a single session (either active or disconnected) on that server. If the user leaves the session in a disconnected state, the user automatically reconnects to that session at the next logon.

• Policy Path: Computer Configuration\Policies\Administrative Templates: Policy definitions (ADMX files) retrieved from the local computer\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Security\Always prompt for password upon connection
  Policy Setting Name: Always prompt for password upon connection
  Policy Value: Enabled
  Comments: If you enable this policy setting, users cannot automatically log on to Remote Desktop Services by supplying their passwords in the Remote Desktop Connection client. They are prompted for a password to log on.

• Policy Path: Computer Configuration\Policies\Administrative Templates: Policy definitions (ADMX files) retrieved from the local computer\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Session Time Limits\Set time limit for active but idle Remote Desktop Services sessions
  Policy Setting Name: Set time limit for active but idle Remote Desktop Services sessions
  Policy Value: Enabled: <Time> minutes or less
  Comments: If you enable this policy setting, you must select the desired time limit in the Idle session limit list. Remote Desktop Services automatically disconnects active but idle sessions after the specified amount of time. The user receives a warning two minutes before the session disconnects, which allows the user to press a key or move the mouse to keep the session active. Idle session time limits do not apply to a console session.

• Policy Path: Computer Configuration\Policies\Administrative Templates: Policy definitions (ADMX files) retrieved from the local computer\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Session Time Limits\Set time limit for disconnected sessions
  Policy Setting Name: Set time limit for disconnected sessions
  Policy Value: Enabled: <Time> minutes
  Comments: If you enable this policy setting, disconnected sessions are deleted from the server after the specified amount of time.

• Policy Path: Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Accounts: Rename guest account
  Policy Setting Name: Accounts: Rename guest account
  Policy Value: Any Name
  Comments: The Guest account is disabled. This setting can be used if you still want to rename the account.

• Policy Path: Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Interactive logon: Message text for users attempting to log on
  Policy Setting Name: Interactive logon: Message text for users attempting to log on
  Policy Value: Any Message
  Comments: This security setting specifies a text message that is displayed to users when they log on.

• Policy Path: Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Interactive logon: Message title for users attempting to log on
  Policy Setting Name: Interactive logon: Message title for users attempting to log on
  Policy Value: Any Message
  Comments: This security setting specifies the title that appears in the title bar of the window containing the Interactive logon: Message text for users attempting to log on.

Table 21: Additional group policy settings in Default Domain Policy
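The GPO tables above say what to set but not how to confirm a node actually received it; a policy that failed to apply (wrong OU link, replication lag, a conflicting local setting) looks identical in the editor. The following PowerShell script is an added example, not part of the NetAct documentation or of the NokiaUserSettings and Default Domain Policy GPOs. Run it in an elevated PowerShell on an NMS node after UpdateGPO.ps1 (or gpupdate /force). It exports the effective local security policy with secedit to verify the Table 19 security options and user rights, and reads the registry values that the Table 21 Remote Desktop and logon-banner policies write. The registry locations are the ones those policies use; the idle-limit threshold (15 minutes) is an assumption and should be replaced with the site value.

```powershell
<#
  Added example; not part of the NetAct documentation or the NokiaUserSettings GPO.
  Verifies on an NMS node that the Table 19 and Table 21 policies are in effect.
  Run elevated: secedit /export needs administrative rights.
#>
function Get-LocalSecurityPolicy {
    # Export the effective local security policy with secedit and parse the
    # INF into a hashtable of section name -> (key -> value).
    $inf = Join-Path $env:TEMP ('secpol-{0}.inf' -f [guid]::NewGuid())
    try {
        & secedit.exe /export /cfg $inf /quiet | Out-Null
        $policy = @{}
        $section = ''
        foreach ($line in Get-Content -Path $inf) {
            if ($line -match '^\[(.+)\]$') {
                $section = $Matches[1]
                $policy[$section] = @{}
                continue
            }
            if ($section -and $line -match '^(.+?)\s*=\s*(.*)$') {
                $policy[$section][$Matches[1].Trim()] = $Matches[2].Trim()
            }
        }
        return $policy
    } finally {
        Remove-Item -Path $inf -ErrorAction SilentlyContinue
    }
}

function Test-NmsHardeningBaseline {
    param([int]$MaxIdleMinutes = 15)   # assumption: replace with the site value used in Table 21

    $pol  = Get-LocalSecurityPolicy
    $ts   = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services' -ErrorAction SilentlyContinue
    $sys  = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' -ErrorAction SilentlyContinue
    $deny = @($pol['Privilege Rights']['SeDenyNetworkLogonRight'] -split ',')

    # Well-known SIDs as secedit writes them: Administrators, Guests, Local account
    $admins = '*S-1-5-32-544'; $guests = '*S-1-5-32-546'; $localAcct = '*S-1-5-113'

    $checks = [ordered]@{
        'Cached logons = 4'                               = ($pol['Registry Values']['MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\CachedLogonsCount'] -eq '1,"4"')
        'Force logoff when logon hours expire'            = ($pol['System Access']['ForceLogoffWhenHourExpire'] -eq '1')
        'Allow log on locally = Administrators only'      = ($pol['Privilege Rights']['SeInteractiveLogonRight'] -eq $admins)
        'Deny network access to Guests and Local account' = ($deny -contains $guests -and $deny -contains $localAcct)
        'Single RDP session per user'                     = ($ts.fSingleSessionPerUser -eq 1)
        'Always prompt for password on RDP connect'       = ($ts.fPromptForPassword -eq 1)
        "Idle RDP session limit 1..$MaxIdleMinutes min"   = ($ts.MaxIdleTime -is [int] -and $ts.MaxIdleTime -gt 0 -and $ts.MaxIdleTime -le ($MaxIdleMinutes * 60000))
        'Disconnected RDP sessions time out'              = ($ts.MaxDisconnectionTime -is [int] -and $ts.MaxDisconnectionTime -gt 0)
        'Logon banner title and text set'                 = (-not [string]::IsNullOrEmpty($sys.legalnoticecaption) -and -not [string]::IsNullOrEmpty($sys.legalnoticetext))
    }
    foreach ($name in $checks.Keys) {
        [pscustomobject]@{ Check = $name; Pass = [bool]$checks[$name] }
    }
}

Test-NmsHardeningBaseline | Format-Table -AutoSize
```

A False row for one of the secedit-based checks usually means the GPO has not reached the node yet or a later GPO overrides it; gpresult /h report.html shows which GPO won. The user-rights checks compare SIDs rather than names so that a renamed Administrators or Guests group does not produce a false pass.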

20.2 Managing hardening settings


You can enable the hardening settings, disable settings that have already been enabled, and check the current status of the hardening settings.

20.2.1 Enabling hardening settings

1. Log in as the <domain name>\<administrator account> user to the master DC.

2. Press Win key on the keyboard and type PowerShell in the search window. Select Windows
PowerShell.


Windows PowerShell console opens.

3. Enter:

cd C:\Apps\Oss\platform_sw\WindowsHardening\Scripts

.\HardeningSettings.ps1 -Enable -NewAdminUserName <AdminUserName> -OldDomainAdminUserName <OldAdminUserName>

where:

• NewAdminUserName is the new Administrator user name created in Step 2 of Configuring Node Manager Server Hardening.
• OldDomainAdminUserName is Administrator, that is, the default domain administrator user created during NMS installation (or its current name, if that user has been renamed).

At the prompt, type the new Administrator user's password.

After the command completes successfully, the message Successfully Enabled hardening settings appears.

4. Set the Group Policy setting value.

a) In the Group Policy Management window, expand Forest: <domain name> → Domains → <domain name> → Group Policy Objects, right-click <GPO Name> (click Yes if there is a pop-up window), and then select Edit....
b) Edit the policies listed in Table 22: Group policy setting values.

• GPO Name: Default Domain Policy
  Policy Path: Computer Configuration\Policies\Administrative Templates: Policy definitions (ADMX files) retrieved from the local computer\Windows Components\File Explorer
  Policy Setting Name: Set a default associations configuration file
  Policy Value: C:\config\browsers\chrome.xml
  Note: It is mandatory to set this policy if Google Chrome has been set as the default browser.

• GPO Name: NokiaUserSettings
  Policy Path: Computer Configuration\Policies\Administrative Templates: Policy definitions (ADMX files) retrieved from the local computer\Windows Components\File Explorer
  Policy Setting Name: Set a default associations configuration file
  Policy Value: C:\config\browsers\chrome.xml
  Note: It is mandatory to set this policy if Google Chrome has been set as the default browser.

Table 22: Group policy setting values

Note:

• If the error message Unexpected error while Enabling windows hardening. Please check the log file C:\Apps\Oss\log\SecurityHardening.log appears while executing Step 3, check the log file C:\Apps\Oss\log\SecurityHardening.log.
• If the log file contains the error The directory is not empty. (Exception from HRESULT: 0x80070091) for the latest run, repeat Step 3.

20.2.2 Disabling hardening settings


You can disable already existing hardening settings.

1. Log in as the <domain name>\<administrator account> user to the master DC.

2. Press Win key on the keyboard and type PowerShell in the search window. Select Windows
PowerShell.


The Windows PowerShell console opens.

3. Enter:

cd C:\Apps\Oss\platform_sw\WindowsHardening\Scripts

.\HardeningSettings.ps1 -Disable -NewAdminUserName <AdminUserName> -OldDomainAdminUserName <OldAdminUserName>

where:

• NewAdminUserName is the new Administrator user name created in Step 2 of Configuring Node Manager Server Hardening.
• OldDomainAdminUserName is Administrator, that is, the default domain administrator user created during NMS installation (or its current name, if that user has been renamed).

The message Enter the new administrator user password appears on the console.

4. At the prompt, type the Administrator user password.

The message Enter the Old Domain administrator user password appears on the console.

5. At the prompt, type the Old domain Administrator user password.

6. Press Enter at the prompt when the message Press Enter to reboot all NMS nodes
appears.

All NMS nodes are restarted.

7. Log in as the <domain name>\<administrator account> user to the master DC.

8. Set consistency of Group Policy.


a) Open Command Prompt and enter the following command:

gpmc.msc

The Group Policy Management application opens.


b) In the Group Policy Management pane, select Forest: <forest name> → Domains →
<domain name> → Group Policy Objects.
c) Click Default Domain Policy.


The Group Policy Management dialog box appears.


d) Click OK to set consistency in the permissions for the GPO in the SYSVOL folder and Active
Directory.
e) Click Default Domain Controller Policy.

The Group Policy Management dialog box appears.


f) Click OK to set consistency in the permissions for the GPO in the SYSVOL folder and Active
Directory.

9. Set value for Group Policy setting.


a) In the Group Policy Management window, expand Forest: <domain name> → Domains →
<domain name> → Group Policy Objects, right-click <GPO Name> (click Yes if there is a
pop-up window), and then select Edit....
b) Edit the policies as listed in Table 23: Group policy setting values.

• GPO Name: Default Domain Policy
  Policy Path: Computer Configuration\Policies\Administrative Templates: Policy definitions (ADMX files) retrieved from the local computer\Windows Components\File Explorer
  Policy Setting Name: Set a default associations configuration file
  Policy Value: C:\config\browsers\chrome.xml
  Note: It is mandatory to set this policy if Google Chrome has been set as the default browser.

• GPO Name: NokiaUserSettings
  Policy Path: Computer Configuration\Policies\Administrative Templates: Policy definitions (ADMX files) retrieved from the local computer\Windows Components\File Explorer
  Policy Setting Name: Set a default associations configuration file
  Policy Value: C:\config\browsers\chrome.xml
  Note: It is mandatory to set this policy if Google Chrome has been set as the default browser.

Table 23: Group policy setting values

10. Add the Citrix StoreWeb URL to the IE Trusted Sites zone by opening the Command Prompt as Administrator and entering:

C:\config\configuration\SetTrustSite\SetTrustSite.exe <Citrix StoreWeb URL>

Note:

1. In case of two CTXDCs, add the Citrix URLs of both.
2. If NLB is configured, also add the NLB URL.

If you use Remote Desktop or any other console (for example, the VMware console) to connect to NMS nodes, do not minimize the Remote Desktop window before the configuration is completed.

11. Open Windows PowerShell as Administrator and enter:

C:\Apps\Oss\platform_sw\Scripts\UpdateGPO.ps1

Hardening settings are disabled after the command is executed successfully.

Note:

• If the error message Error occured while reverting windows hardening settings. Please check the log file C:\Apps\Oss\log\SecurityHardening.log appears while executing Step 3, check the C:\Apps\Oss\log\SecurityHardening.log log file.
• If the log file contains the error The directory is not empty. (Exception from HRESULT: 0x80070091) for the latest run, repeat Step 3.

20.2.3 Checking hardening status


You can check if the hardening settings have been enabled or disabled.

1. Log in as the <domain name>\<administrator account> user to the master DC.

2. Press Win key on the keyboard and type PowerShell in the search window. Select Windows
PowerShell.

Windows PowerShell console opens.

3. Enter:

cd C:\Apps\Oss\platform_sw\WindowsHardening\Scripts

.\HardeningSettings.ps1 -StatusCheck

Note: If the message WARNING: Node Manager Server hardening policies are compliant with Windows 2012. If you choose to update Node Manager Server hardening policies that are compliant with windows version 2019, then the hardening must be re-enabled. appears, re-enable the hardening settings by following the instructions in Enabling hardening settings.


20.3 Configuring Windows Defender Remote Credential Guard


During Remote Desktop sessions, you can use Windows Defender Remote Credential Guard to protect the credentials used to reach the target device. Neither the credentials nor credential derivatives (such as NTLM hashes or Kerberos tickets) are passed over the network to the target device; Kerberos requests are redirected back to the client that holds the credentials, so a compromised target cannot harvest them.

Note: Configuring Windows Defender Remote Credential Guard is an optional procedure.

When accessing the Node Manager Server (NMS) nodes within the NMS domain, the following applies:

• Windows Defender Remote Credential Guard supports Remote Desktop Connection to NMS nodes using the hostname or FQDN of the node.
• Windows Defender Remote Credential Guard does not support Remote Desktop Connection to NMS nodes using an IP address, because Remote Credential Guard requires Kerberos authentication, which needs a hostname-based service principal name.

1. Log in as the <domain name>\<administrator account> user to DC1 of Node Manager Server.

2. From the Windows task bar, select Start → Windows Administrative Tools.

The Administrative Tools window appears.

3. Double-click Group Policy Management.

The Group Policy Management application opens.

4. In the Group Policy Management pane, select Forest: <forest name> → Domains → <domain
name> → Group Policy Objects.

5. Right-click Default Domain Policy and select Edit...

The Group Policy Management Editor application opens.

6. In the Default Domain Policy <domain_name> pane, select Computer Configuration → Policies → Administrative Templates → System → Credentials Delegation.

The right pane displays all the available settings and their corresponding states.

7. Double-click Restrict delegation of credentials to remote servers.

The Restrict delegation of credentials to remote servers dialog box appears.

8. Select the Enabled option button.

9. In the Options area, from the Use the following restricted mode drop-down list, select Require
Remote Credential Guard.

10. Click Apply and then click OK.


The state of Restrict delegation of credentials to remote servers appears as Enabled.

11. Open the Command Prompt and enter the following command:

gpupdate /force

The GPO policy is updated.

12. Log in as the <domain name>\<administrator account> user to all the NMS nodes and do
the following:
a) Click Search, type cmd.
b) Right-click Command Prompt and select Run as administrator.
c) Enter the following commands:

reg add HKLM\SYSTEM\CurrentControlSet\Control\Lsa /v DisableRestrictedAdmin /d 0 /t REG_DWORD

gpupdate /force

Expected outcome

The Windows Defender Remote Credential Guard is configured.
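The procedure above sets the policy on the domain and the LSA value on each node, but nothing in it confirms that a node is ready to accept a Remote Credential Guard connection. The following PowerShell script is an added example, not part of the NetAct documentation. It reads the registry values that the Restrict delegation of credentials to remote servers policy writes (RestrictedRemoteAdministration = 1 enables the policy; RestrictedRemoteAdministrationType = 2 is Require Remote Credential Guard), the LSA value set in Step 12, the OS build (Remote Credential Guard needs Windows Server 2016, build 14393, or later on the target), and domain membership, which Kerberos needs. The node list is a constructed placeholder; remote checks assume PowerShell remoting (WinRM) is enabled on the nodes.

```powershell
<#
  Added example; not part of the NetAct documentation.
  Reports whether each NMS node is ready to accept a Remote Credential Guard
  RDP connection after the Restrict delegation of credentials policy is applied.
#>
function Test-RemoteCredentialGuardConfig {
    param([string]$ComputerName = $env:COMPUTERNAME)

    $script = {
        $cred = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation' -ErrorAction SilentlyContinue
        $lsa  = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -ErrorAction SilentlyContinue
        $os   = [System.Environment]::OSVersion.Version
        [pscustomobject]@{
            Node                   = $env:COMPUTERNAME
            # Policy enabled, restricted mode 2 = Require Remote Credential Guard
            PolicyEnabled          = ($cred.RestrictedRemoteAdministration -eq 1)
            RequireRcg             = ($cred.RestrictedRemoteAdministrationType -eq 2)
            # Target side: the value written in Step 12 of the procedure above
            RestrictedAdminAllowed = ($lsa.DisableRestrictedAdmin -eq 0)
            # Remote Credential Guard needs Windows Server 2016 (build 14393) or later
            OsSupported            = ($os.Build -ge 14393)
            # Kerberos (and therefore a resolvable hostname/FQDN) is mandatory
            DomainJoined           = [bool](Get-CimInstance -ClassName Win32_ComputerSystem).PartOfDomain
        }
    }
    if ($ComputerName -eq $env:COMPUTERNAME) { & $script }
    else { Invoke-Command -ComputerName $ComputerName -ScriptBlock $script }
}

# Constructed placeholder node list; replace with the NMS node names.
$nmsNodes = @('nmsdc1', 'nmsdc2')
$nmsNodes | ForEach-Object { Test-RemoteCredentialGuardConfig -ComputerName $_ } |
    Format-Table -AutoSize

# A node is ready when every column is True. From the client, connect with
#   mstsc.exe /remoteGuard /v:<node hostname or FQDN>
# An IP address cannot be used: Remote Credential Guard requires Kerberos.
```

The check deliberately requires DisableRestrictedAdmin to be present and equal to 0 rather than merely absent, matching Step 12 of the procedure; a node where the value was never written reports False and needs the reg add command run again.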


21 Microsoft Defender Antivirus

Windows Defender Antivirus is an optional feature that can be enabled for Node Manager Server (NMS).

Windows Defender Antivirus provides real-time protection agents that monitor common areas of Windows for changes that may be caused by malware. If another antivirus product is installed, that product takes over as the system security application in place of Windows Defender.

21.1 Verifying Microsoft Defender Antivirus status


You can verify if the Microsoft Defender Antivirus is installed on all the NMS nodes.

1. Log in as the <domain name>\<administrator account> user to NMS DC1.

2. From the Windows taskbar, select Start and type Windows PowerShell.

3. Right-click Windows Powershell and select Run as administrator from the shortcut menu.

4. At the prompt, enter:

Get-WindowsFeature | where {$_.name -eq "Windows-Defender"}

Expected outcome

Display Name                    Name              Install State
------------                    ----              -------------
[X] Windows Defender Antivirus  Windows-Defender  Installed

Note:

• If the output shows the Install State as Installed, then the Windows Defender
Antivirus is installed successfully.
• If the output shows the Install State as Available, then the Windows Defender
Antivirus is not installed.

5. Log in as <domain name>\<administrator account> user to all the NMS nodes and repeat
Steps 2 to 4.

21.2 Enabling Windows Defender Antivirus


Follow the instructions to enable Windows Defender Antivirus on all NMS nodes.


1. Log in as <domain name>\<administrator account> user to NMS DC1.

2. From the Windows taskbar, select Start and type Windows PowerShell.

3. Right-click Windows Powershell and select Run as administrator from the shortcut menu.

4. At the prompt, enter:

Install-WindowsFeature -Name Windows-Defender

Expected outcome

Success Restart Needed Exit Code      Feature Result
------- -------------- ---------      --------------
True    Yes            SuccessRest... {Windows Defender Antivirus}

Note:

• If the Success value is True, then the Windows Defender Antivirus is installed.
• If the Success value is False, then contact Nokia Support.

5. Restart the node for the installation to take effect.

6. Log in as <domain name>\<administrator account> user to all the NMS nodes and repeat
Steps 2 to 5.

21.3 Updating the Windows Defender Antivirus Definitions


The Windows Defender Antivirus (AV) definition update is distributed as an executable file (mpam-fe.exe) that must be downloaded from https://www.microsoft.com/en-us/wdsi/defenderupdates.

Note:

• Microsoft analyses new threats (viruses, Trojans, and so on) continuously and releases AV definition updates several times a day.
• Nokia does not provide the AV definitions in real time or in SP releases, so the customer must download the definitions from https://www.microsoft.com/en-us/wdsi/defenderupdates.
• It is the customer's responsibility to enable Microsoft Defender AV and keep the definitions updated.
• No downtime is required for AV definition updates.

1. Log in as <domain name>\<administrator account> user to the Primary DC of NMS.

2. From the Windows taskbar, select Start and type Windows PowerShell.

3. Right-click Windows Powershell and select Run as administrator from the shortcut menu.

4. Create a new folder (AVUpdates) in the C:\Config\ directory by entering:

New-Item -Path C:\Config\AVUpdates -ItemType directory

5. Download the mpam-fe.exe definition file from https://www.microsoft.com/en-us/wdsi/defenderupdates and copy it to the AVUpdates folder.

6. Copy the AVUpdates folder to all the NMS nodes by entering:

C:\Apps\Oss\platform_sw\Scripts\Remote-Copy.ps1 -FilePath C:\Config\AVUpdates

7. Update the AV definition by entering:

C:\Config\AVUpdates\mpam-fe.exe

8. To verify if the AV definition is updated, from the Windows taskbar, select Start → Windows
Security → Virus & threat protection.

If the AV definitions are up to date, then No action needed message appears.

Note: If the Protection definitions are out of date message appears, then
the AV definitions must be updated by repeating Step 7.

9. Log in as <DomainName>\<administrator account> user to all the NMS nodes and repeat
Steps 7 and 8.
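Two things a practitioner wants before and after the procedure above: assurance that the mpam-fe.exe package about to be executed on a domain controller is the genuine Microsoft file, and a single view of the signature version and age on every node instead of opening Windows Security on each one. The following PowerShell script is an added example, not part of the NetAct documentation. It checks the package's Authenticode signature with Get-AuthenticodeSignature, gathers the Windows-Defender feature state and Get-MpComputerStatus fields from each node over PowerShell remoting (assumed to be enabled), runs the package only where the definitions are older than one day (the threshold is an assumption), and reports the result. The node list is a constructed placeholder; paths follow the procedure above.

```powershell
<#
  Added example; not part of the NetAct documentation.
  Verifies the definition package signature, then updates and reports
  Defender definition status on all NMS nodes.
#>
function Test-DefinitionPackageSignature {
    param([string]$Path = 'C:\Config\AVUpdates\mpam-fe.exe')
    $sig = Get-AuthenticodeSignature -FilePath $Path
    # Both conditions must hold: a valid chain and a Microsoft signer.
    # A modified file fails the first check; a re-signed file fails the second.
    $isMicrosoft = $sig.SignerCertificate -and
                   $sig.SignerCertificate.Subject -match 'O=Microsoft Corporation'
    return ($sig.Status -eq 'Valid' -and [bool]$isMicrosoft)
}

function Get-DefenderStatusReport {
    param([string[]]$ComputerName)
    Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        $feature = Get-WindowsFeature -Name Windows-Defender
        $status  = $null
        if ($feature.Installed) { $status = Get-MpComputerStatus }
        [pscustomobject]@{
            Node               = $env:COMPUTERNAME
            FeatureInstalled   = [bool]$feature.Installed
            AntivirusEnabled   = [bool]$status.AntivirusEnabled
            RealTimeProtection = [bool]$status.RealTimeProtectionEnabled
            SignatureVersion   = $status.AntivirusSignatureVersion
            SignatureAgeDays   = $status.AntivirusSignatureAge
        }
    }
}

function Update-DefinitionsOnNode {
    param([string]$ComputerName, [string]$Path = 'C:\Config\AVUpdates\mpam-fe.exe')
    Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        param($p)
        # Wait for mpam-fe.exe so the status query afterwards sees the new version.
        $proc = Start-Process -FilePath $p -Wait -PassThru
        $proc.ExitCode
    } -ArgumentList $Path
}

$nmsNodes = @('nmsdc1', 'nmsdc2')   # constructed placeholder; replace with the NMS node names

if (-not (Test-DefinitionPackageSignature)) {
    throw 'mpam-fe.exe is not validly signed by Microsoft. Do not run it; download the package again.'
}

$before = Get-DefenderStatusReport -ComputerName $nmsNodes
$stale  = $before | Where-Object { $_.FeatureInstalled -and $_.SignatureAgeDays -gt 1 }   # threshold is an assumption
foreach ($node in $stale) {
    $rc = Update-DefinitionsOnNode -ComputerName $node.Node
    Write-Host ('{0}: mpam-fe.exe exit code {1}' -f $node.Node, $rc)
}
Get-DefenderStatusReport -ComputerName $nmsNodes | Format-Table -AutoSize
```

Run the signature check on the copy that Remote-Copy.ps1 will distribute, before Step 6, so that one verified file reaches every node. A node whose SignatureAgeDays does not drop after the run has not applied the package; repeat Step 7 on that node and check Windows Security as in Step 8.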

21.4 Disabling Windows Defender Antivirus


You can disable the Windows Defender Antivirus on all the NMS nodes.

1. Log in as <domain name>\<administrator account> user to NMS DC1.

2. From the Windows taskbar, select Start and type Windows PowerShell.

3. Right-click Windows Powershell and select Run as administrator from the shortcut menu.

4. At the prompt, enter:

Uninstall-WindowsFeature -Name Windows-Defender


Expected outcome

Success Restart Needed Exit Code      Feature Result
------- -------------- ---------      --------------
True    Yes            SuccessRest... {Windows Defender Antivirus}

Note:

• If the value of Success is True in the output, then the Windows Defender Antivirus is
disabled successfully.
• If the value of Success is False in the output, then contact Nokia Support.

5. Restart the node for the uninstallation to take effect.

6. Log in as <domain name>\<administrator account> user to all the NMS nodes and repeat
Steps 2 to 5.

22 Managing TLS version protocol for NetAct hardware devices

For the firmware versions required to configure the TLS version, see Firmware and hardware recommendations in NetAct Release Changes. The NetAct 20 recommended firmware version is mandatory for disabling a TLS version. In a DR environment, the instructions for disabling a TLS version must be executed on the hardware devices of both the active and the standby site (SITE-A and SITE-B).

Note:

• The following hardware devices, at the listed firmware versions, do not support disabling TLSv1 (the OEM vendor provides no such option).

  Hardware device                         Firmware version
  MSA2000                                 TS252P005
  EMC VNX1 storages (VNX5100, VNX5300)    05.32.000.5.225
  EMC VNX2 storages (VNX5200, VNX5400)    05.33.009.5.218

  Table 24: Hardware devices for which disabling TLSv1 is not supported

• The following hardware devices, at the listed firmware versions, have TLSv1 disabled by default, and the OEM vendor does not support re-enabling it.

  Hardware device                         Firmware version
  MSA2040                                 GL225R003
  MSA2050                                 VL270R001
  HPE 3PAR service processor              SP-4.4.0.GA-110
  HPE 3PAR StoreServ 7200/8200            3.2.2 (MU6) Patches: P99,P104,P107

  Table 25: Hardware devices for which TLSv1 is disabled by default in the latest version of the firmware

  Note: For HPE 3PAR service processor, HPE 3PAR StoreServ, and MSA2050, TLSv1.1 is also disabled by default.


22.1 HPE Onboard Administrator

Note: HTTPS uses port 443. By default, TLSv1.2, TLSv1.1 and TLSv1 are all enabled.

22.1.1 Disabling TLS version

1. Log in to the active OA using SSH with an account that has admin permissions.

2. Disable the TLS version by entering:

OA-X> disable ssl protocol <TLS version>

where <TLS version> is TLSv1 or TLSv1.1.

Sample output:

Disabling These Items:
TLSv1
Protocols successfully changed.

Note:

The OA web server resets when a TLS version is enabled or disabled. A Critical alarm is raised in NetAct Monitor and HPE SIM; ignore it and clear it from the HPE SIM UI as soon as the OA is back up. There is no NetAct downtime.

This does not need to be executed on the standby OA.

22.1.2 Enabling TLS version

1. Log in to the active OA using SSH with an account that has admin permissions.

2. Enable the TLS version by entering:

OA-X> enable ssl protocol <TLS version>

where <TLS version> is TLSv1 or TLSv1.1.

Sample output:

Enabling These Items:
TLSv1
Protocols successfully changed.

Note:

The OA web server resets when a TLS version is enabled or disabled. A Critical alarm is raised in NetAct Monitor and HPE SIM; ignore it and clear it from the HPE SIM UI as soon as the OA is back up. There is no NetAct downtime.

This does not need to be executed on the standby OA.

22.2 HPE iLO

Note: HTTPS uses port 443. By default, TLSv1.2, TLSv1.1 and TLSv1 are all enabled.

22.2.1 HPE iLO4

22.2.1.1 Disabling TLS version

1. Log in to the iLO web UI.

2. Go to Administration → Security → Encryption.

3. Select Enabled for Enforce AES/3DES Encryption.

4. Click Apply.

Note: A Major alarm is raised in NetAct Monitor and HPE SIM. Ignore the alarm and clear it from the HPE SIM UI as soon as the iLO is back up. There is no NetAct downtime.

22.2.1.2 Enabling TLS version

1. Log in to the iLO web UI.

2. Go to Administration → Security → Encryption.

3. Select Disabled for Enforce AES/3DES Encryption.

4. Click Apply.

Note: A Major alarm is raised in NetAct Monitor and HPE SIM. Ignore the alarm and clear it from the HPE SIM UI as soon as the iLO is back up. There is no NetAct downtime.


22.2.2 HPE iLO5

HPE iLO5 is introduced in Gen10 Server.

22.2.2.1 Disabling TLS version

1. Log in to the iLO web UI.

2. Go to Security → Encryption.

3. Select HighSecurity for Security Settings.

4. Click Apply.

Note: There is no downtime for NetAct.

22.2.2.2 Enabling TLS version

1. Log in to the iLO web UI.

2. Go to Security → Encryption.

3. Select Production for Security Settings.

4. Click Apply.

Note: There is no downtime for NetAct.

22.3 HPE SAN switch


If HTTPS is used for managing the SAN switch, follow these instructions to configure TLS.

Note:

• To enable HTTPS, see SAN SWITCH.
• HTTPS uses port 443. By default, TLSv1.2, TLSv1.1 and TLSv1 are all enabled.


22.3.1 Disabling TLS version

1. Connect to the SAN switch management IP using SSH with an account that has admin permissions.

2. To show the current HTTPS and SSH cipher lists, enter:

X:admin> seccryptocfg --show

The following lists are displayed (the values shown are examples):

HTTPS Cipher List       : !ECDH:!DH:HIGH:-MD5:!CAMELLIA:!SRP:!PSK:!AESGCM
SSH Cipher List         : 3des-cbc,aes128-cbc,aes192-cbc,aes256-cbc
SSH Kex Algorithms List : ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
SSH MACs List           : hmac-md5,hmac-sha1,hmac-sha2-256,hmac-sha2-512

Make a note of the existing HTTPS Cipher List.

3. Disable the TLS version by appending :!SSLv3 to the existing HTTPS Cipher List:

hpeX:admin> seccryptocfg --replace -type https -cipher '!ECDH:!DH:HIGH:-MD5:!CAMELLIA:!SRP:!PSK:!AESGCM:!SSLv3'

Output:

This command requires the daemon(s) HTTP to be restarted.
Existing sessions will be terminated.
Please confirm and provide the preferred option
Press Yes(Y,y), No(N,n) [N]:y

HTTP cipher list configured successfully.

Enter y when prompted for confirmation.

Note: HTTPS restarts when the TLS version is enabled or disabled. There is no NetAct downtime.

Note: !SSLv3 is an OpenSSL cipher-list keyword, not a protocol switch. It removes every cipher suite whose minimum protocol version is SSLv3, which is exactly the set of suites that TLSv1 and TLSv1.1 are able to negotiate, so handshakes at those versions fail for lack of a common cipher suite while TLSv1.2-only suites remain available. Verify the result from a client after the change rather than relying on the cipher string alone.


22.3.2 Enabling TLS version

1. Connect to the SAN switch management IP using SSH with an account that has admin permissions.

2. Enable the TLS version by setting the HTTPS Cipher List without :!SSLv3. Enter:

Note: To get the existing HTTPS Cipher List, see Step 2 of Disabling TLS version.

hpeX:admin> seccryptocfg --replace -type https -cipher '!ECDH:!DH:HIGH:-MD5:!CAMELLIA:!SRP:!PSK:!AESGCM'

Output:

This command requires the daemon(s) HTTP to be restarted.
Existing sessions will be terminated.
Please confirm and provide the preferred option
Press Yes(Y,y), No(N,n) [N]:y
HTTP cipher list configured successfully.

Enter y when it prompts for confirmation.

Note: HTTPS restarts when the TLS version is enabled or disabled. However, there is no
downtime for NetAct.

22.4 HPE Virtual Connect

Note: HTTPS uses port number 443. By default, TLSv1.2, TLSv1.1, and TLSv1 are enabled.

22.4.1 Disabling TLS version

1. Connect to the active Virtual Connect module using SSH with an account that has admin permission.

2. Disable the TLS version by entering:

->set ssl TLS=strict

Output:

WARNING: Web users may be logged out and will need to login again.
Are you sure you want to continue? (yes/no): yes
SUCCESS: SSL configuration modified

Enter yes when it prompts for confirmation.

Note: The virtual connect webserver will reset when the TLS version is enabled or
disabled. There is no downtime for NetAct.

22.4.2 Enabling TLS version

1. Connect to the active Virtual Connect module using SSH with an account that has admin permission.

2. Enable the TLS version by entering:

->set ssl TLS=all

Output:

WARNING: Web users may be logged out and will need to login again.
Are you sure you want to continue? (yes/no): yes
SUCCESS: SSL configuration modified

Enter yes when it prompts for confirmation.

Note: The virtual connect webserver will reset when the TLS version is enabled or
disabled. There is no downtime for NetAct.

22.5 EMC Unity Storage


Note:

• HTTPS uses port number 443. By default, TLSv1.2, TLSv1.1, and TLSv1 are enabled.
• To install the UnisphereCLI RPM, see the Installing and Configuring EMC Unity Storage document.


22.5.1 Disabling TLS version

1. Power on the Administration server if it is not powered on already.

2. Connect to the Administration server where the UnisphereCLI RPM is installed.

3. Disable the TLS version by entering:

[root@as ~]# uemcli -d 10.92.53.104 -u Local/admin -p Admin123! /sys/security set -tlsMode <TLS version>

For example:

[root@as ~]# uemcli -d 10.92.53.104 -u Local/admin -p Admin123! /sys/security set -tlsMode TLSv1.2

Sample output:

Please refer to the Security Configuration Guide for backward
compatibility.
This change may impact running operations (e.g. replication) and the
management services will be automatically restarted for the change to
take effect.
Do you want to continue?
yes / no: yes
Operation completed successfully.

At the prompt, type yes to confirm.

Note: This operation restarts the management services, which take 4-5 minutes to come up. During this time, the web UI of the storage is not accessible.

22.5.2 Enabling TLS version

1. Power on the Administration server if it is not powered on already.

2. Connect to the Administration server where the UnisphereCLI RPM is installed.

3. Enable the TLS version by entering:

[root@test ~]# uemcli -d 10.92.53.104 -u Local/admin -p Admin123! /sys/security set -tlsMode <TLS version>

For example:

uemcli -d 10.92.53.104 -u Local/admin -p Admin123! /sys/security set -tlsMode TLSv1.1

Sample output:

Please refer to the Security Configuration Guide for backward
compatibility.
This change may impact running operations (e.g. replication) and the
management services will be automatically restarted for the change to
take effect.
Do you want to continue?
yes / no: yes
Operation completed successfully.

At the prompt, type yes to confirm.

Note: This operation restarts the management services, which take 4-5 minutes to come up. During this time, the web UI of the storage is not accessible.

22.6 EMC VNX2

Note:

• HTTPS uses port number 443. By default, TLSv1.2, TLSv1.1, and TLSv1 are enabled.
• To install the Naviseccli RPM, see the Installing and Configuring EMC Storage Array with Unisphere document.

22.6.1 Disabling TLS version

1. Connect to the Admin server or any Linux machine where the Naviseccli RPM is installed.

2. Disable the TLS version by entering:

[root@test ~]# /opt/Navisphere/bin/naviseccli -User emc -Password emc -Scope 0 -Address 10.92.53.89 security -tls -set <TLS version>

For example:

[root@test ~]# /opt/Navisphere/bin/naviseccli -User emc -Password emc -Scope 0 -Address 10.92.53.89 security -tls -set TLSv1.2


Sample output:

WARNING: You are about to change TLS version. Any other existing
background management tasks will be interrupted and the system will
be unavailable for management while the environment restarts. IO to
the system will be unaffected.
Proceed?(y/n)

At the prompt, type y to confirm.

Note: This operation restarts the management services, which take 4-5 minutes to come up. During this time, the web UI of the storage is not accessible.

22.6.2 Enabling TLS version

1. Connect to the Admin server or any Linux machine where the Naviseccli RPM is installed.

2. Enable the TLS version by entering:

[root@test ~]# /opt/Navisphere/bin/naviseccli -User emc -Password emc -Scope 0 -Address 10.92.53.89 security -tls -set <TLS version>

For example:

[root@test ~]# /opt/Navisphere/bin/naviseccli -User emc -Password emc -Scope 0 -Address 10.92.53.89 security -tls -set TLSv1.1

Sample output:

WARNING: You are about to change TLS version. Any other existing
background management tasks will be interrupted and the system will
be unavailable for management while the environment restarts. IO to
the system will be unaffected.
Proceed?(y/n)

At the prompt, type y to confirm.

Note: This operation restarts the management services, which take 4-5 minutes to come up. During this time, the web UI of the storage is not accessible.


22.7 HPE 5500/ 5510/5900 LAN switches


LAN switches are managed using the CLI. Hence, HTTP and HTTPS access for LAN switches must be disabled. To disable this access, see Disabling http/https access in Integrating DCN Backbone to NetAct.


23 Managing TLS cipher configuration for hardware devices

A cipher suite is a complete set of algorithms needed to secure a network connection through Secure
Sockets Layer (SSL) / Transport Layer Security (TLS). The name of each set is representative of the
specific algorithms comprising it.

Weak ciphers are generally known as encryption or decryption algorithms that use key sizes that are
less than 128 bits. Using an insufficient length for a key in an encryption or decryption algorithm opens
up the possibility that the encryption scheme could be broken or cracked.

For firmware recommendations, see the current Firmware Recommendations for NetAct Hardware
document.

Note: Currently, HPE Onboard Administrator and HPE iLO are qualified to support enabling
or disabling of weak ciphers.

23.1 HPE Onboard Administrator

23.1.1 Disabling weak ciphers


TLS is the protocol behind HTTPS, and cipher suites are the building blocks of the connection. TLS (among other things) is responsible for encrypting the traffic between the client and the server. The only way to protect against weak ciphers being negotiated is to disable the weak cipher suites on the server side.

1. Log in to the Onboard Administrator application with an account that has admin permissions.

The Rack Overview page appears.

2. In the System and Devices pane, expand Enclosure Settings and click Network Access.

The Enclosure Settings page appears.

3. Click the FIPS tab.

The FIPS Mode page appears.

4. In the FIPS Mode page, click Edit Advanced Security Settings.

Advanced Security Settings section appears.

5. Clear the check box of each Security Cipher that you want to disable.


Note:

• The following are the weak ciphers:

  • TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
  • TLS_RSA_WITH_AES_128_CBC_SHA
  • TLS_RSA_WITH_AES_256_CBC_SHA
  • TLS_DHE_RSA_WITH_AES_128_CBC_SHA
  • TLS_DHE_RSA_WITH_AES_256_CBC_SHA

• After the weak ciphers are disabled, you cannot access the HPE Onboard Administrator using Mozilla Firefox.

6. Click Apply.

The following message is displayed.

Warning: Modifying these settings will cause the Onboard Administrator's Web server to restart.

7. Click OK.

The Onboard Administrator Webserver restarts in 90 seconds.

Expected outcome

The unchecked ciphers are disabled after the restart.

23.1.2 Enabling weak ciphers


If disabling the weak ciphers causes any connection problems, enable the weak ciphers by doing the
following.

1. Log in to the Onboard Administrator application with an account that has admin permissions.

The Rack Overview page appears.

2. In the System and Devices pane, expand Enclosure Settings and click Network Access.

The Enclosure Settings page appears.

3. Click the FIPS tab.

The FIPS Mode page appears.

4. In the FIPS Mode page, click Edit Advanced Security Settings.

Advanced Security Settings section appears.

5. Select the check box of the Security Ciphers that you want to enable.


Note: The following are the weak ciphers:

• TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
• TLS_RSA_WITH_AES_128_CBC_SHA
• TLS_RSA_WITH_AES_256_CBC_SHA
• TLS_DHE_RSA_WITH_AES_128_CBC_SHA
• TLS_DHE_RSA_WITH_AES_256_CBC_SHA

6. Click Apply.

The following message is displayed.

Warning: Modifying these settings will cause the Onboard Administrator's Web server to restart.

7. Click OK.

The Onboard Administrator Webserver restarts in 90 seconds.

Expected outcome

The selected ciphers are enabled after the restart.

23.2 HPE iLO

23.2.1 HPE iLO4

23.2.1.1 Disabling weak ciphers


TLS is the protocol behind HTTPS, and cipher suites are the building blocks of the connection. TLS (among other things) is responsible for encrypting the traffic between the client and the server. The only way to protect against weak ciphers being negotiated is to disable the weak cipher suites on the server side.

1. Log in to the iLO using the web UI.

2. Go to Administration → Security → Encryption.

3. Select Enabled for Enforce AES/3DES Encryption.

4. Click Apply.


Note: These instructions also disable TLSv1.1. iLO resets when TLSv1 is disabled. A major alarm is raised in NetAct Monitor and HPE SIM. Ignore the alarm and clear it from the HPE SIM UI as soon as the iLO comes up. There is no downtime for NetAct.

23.2.1.2 Enabling weak ciphers


If disabling the weak ciphers causes any connection problems, enable the weak ciphers by doing the
following.

1. Log in to the iLO using the web UI.

2. Go to Administration → Security → Encryption.

3. Select Disabled for Enforce AES/3DES Encryption.

4. Click Apply.

Note: These instructions also enable TLSv1.1. iLO resets when TLSv1 is enabled. A major alarm is raised in NetAct Monitor and HPE SIM. Ignore the alarm and clear it from the HPE SIM UI as soon as the iLO comes up. There is no downtime for NetAct.

23.2.2 HPE iLO5

23.2.2.1 Disabling weak ciphers

TLS is the protocol behind HTTPS, and cipher suites are the building blocks of the connection. TLS (among other things) is responsible for encrypting the traffic between the client and the server. The only way to protect against weak ciphers being negotiated is to disable the weak cipher suites on the server side.

To disable the weak ciphers, do the following:

1. Log in to the iLO using the web UI.

2. Go to Security → Encryption.

3. Select HighSecurity for Security Settings.

4. Click Apply.

Note: Also, these instructions disable TLSv1.1. iLO resets when TLSv1 is disabled.
However, there is no downtime for NetAct.


23.2.2.2 Enabling weak ciphers

If disabling the weak ciphers causes any connection problems, enable the weak ciphers by doing the
following.

1. Log in to the iLO using the web UI.

2. Go to Security → Encryption.

3. Select Production for Security Settings.

4. Click Apply.

Note: These instructions also enable TLSv1.1. iLO resets when TLSv1 is enabled. There is no downtime for NetAct.

23.3 HPE Virtual Connect


HPE Virtual Connect supports strong and weak ciphers. However, the option to enable or disable
weak ciphers is currently not available on HPE Virtual Connect.

23.4 EMC Unity Storage


Note:

• HTTPS uses port number 443. By default, TLSv1.2, TLSv1.1, and TLSv1 are enabled.
• To install the UnisphereCLI RPM, see the Installing and Configuring EMC Unity Storage document.
• You can enable or disable all the ciphers of TLSv1 collectively; you cannot enable or disable individual TLSv1 ciphers selectively. Weak ciphers of TLSv1.1 and TLSv1.2 cannot be disabled.

23.4.1 Disabling weak ciphers


TLS is the protocol behind HTTPS, and cipher suites are the building blocks of the connection. TLS (among other protocols) is responsible for encrypting the traffic between the client and the server. The only way to secure HTTPS traffic from any security violations is to disable weak cipher suites on the server side.

1. Connect as root user to the Admin server or any Linux machine where the UnisphereCLI RPM is installed.

2. Disable all the weak ciphers of TLSv1 by entering:

uemcli -d <IP of unity storage> -u Local/<admin username of unity storage> -p <admin password of unity storage> /sys/security set -tls1Enabled no

Sample output:
Please refer to the Security Configuration Guide for backward
compatibility.
This change may impact running operations (e.g. replication) and the
management services will be automatically restarted for the change to
take effect.
Do you want to continue?
yes / no: yes
Operation completed successfully.

Enter yes when it prompts for confirmation.

Note: This operation restarts the management services and takes four to five minutes for
the management services to come up. During this restart time, the web UI of the storage
is not accessible.

3. Display the current ciphers by entering:

uemcli -d <IP of unity storage> -u Local/admin -p Password123! /sys/security show

Sample output:
Storage system address: <IP of unity storage>
Storage system port: 443
HTTPS connection
1: FIPS 140 mode = disabled
TLS 1.0 mode = disabled


23.4.2 Enabling weak ciphers


If disabling the weak ciphers causes any connection problems, enable the weak ciphers.

1. Connect as root user to the Admin server or any Linux machine where the UnisphereCLI RPM is installed.

2. Enable all the weak ciphers of TLSv1 by entering:

uemcli -d <IP of unity storage> -u Local/<admin username of unity storage> -p <admin password of unity storage> /sys/security set -tls1Enabled yes
Storage system address: <Enter storage system address>
Storage system port: <Enter port number>
HTTPS connection

Enter storage system address and storage system port number when prompted.

Sample output
Please refer to the Security Configuration Guide for backward
compatibility.
This change may impact running operations (e.g. replication) and the
management services will be automatically restarted for the change to
take effect.
Do you want to continue?
yes / no: yes
Operation completed successfully.

Enter yes when it prompts for confirmation.

Note: This operation restarts the management services and takes four to five minutes for
the management services to come up. During this restart time, the web UI of the storage
is not accessible.

3. Display the current ciphers by entering:

uemcli -d <IP of unity storage> -u Local/admin -p Password123! /sys/security show

Sample output:
Storage system address: <IP of unity storage>
Storage system port: 443
HTTPS connection
1: FIPS 140 mode = disabled
TLS 1.0 mode = enabled


23.5 EMC VNX2

Note:

• HTTPS uses port number 443. By default, TLSv1.2, TLSv1.1, and TLSv1 are enabled.
• To install the Naviseccli RPM, see the Installing and Configuring EMC Storage Array with Unisphere document.
• You can enable or disable all the ciphers of TLSv1 collectively; you cannot enable or disable individual TLSv1 ciphers selectively. Weak ciphers of TLSv1.1 and TLSv1.2 cannot be disabled.

23.5.1 Disabling weak ciphers


TLS is the protocol behind HTTPS, and cipher suites are the building blocks of the connection. TLS (among other protocols) is responsible for encrypting the traffic between the client and the server. The only way to secure HTTPS traffic from any security violations is to disable weak cipher suites on the server side.

1. Connect as root user to the Admin server or any Linux machine where the Naviseccli RPM is installed.

2. Disable all the weak ciphers of TLSv1 by entering:

/opt/Navisphere/bin/naviseccli -User <admin user of VNX2 storage> -Password <admin password of VNX2 storage> -Scope 0 -Address <IP Address of VNX2 storage> security -tls -set -all tls1disabled

Sample output
WARNING: You are about to change TLS version. Any other existing
background management tasks will be interrupted and the system will be
unavailable for management while the environment restarts. IO to the
system will be unaffected.
Proceed?(y/n)

Enter y when it prompts for confirmation.

Note: This operation restarts the management services and takes four to five minutes for
the management services to come up. During this restart time, the web UI of the storage
is not accessible.

3. Display the current ciphers by entering:

/opt/Navisphere/bin/naviseccli -User emc -Password emc -Scope 0 -Address 10.53.170.242 security -tls -get

Sample output:
TLS Versions:
ManagementServer : TLSv1.1, TLSv1.2
LDAP : TLSv1.1, TLSv1.2

23.5.2 Enabling weak ciphers


If disabling the weak ciphers causes any connection problems, enable the weak ciphers.

1. Connect as root user to the Admin server or any Linux machine where the Naviseccli RPM is installed.

2. Enable all the weak ciphers of TLSv1 by entering:

[root@test ~]# /opt/Navisphere/bin/naviseccli -User <admin user of VNX2 storage> -Password <admin password of VNX2 storage> -Scope 0 -Address <IP Address of VNX2 storage> security -tls -set -all tls1enabled

Sample output
WARNING: You are about to change TLS version. Any other existing
background management tasks will be interrupted and the system will be
unavailable for management while the environment restarts. IO to the
system will be unaffected.
Proceed?(y/n)

Enter y when it prompts for confirmation.

Note: This operation restarts the management services and takes four to five minutes for
the management services to come up. During this restart time, the web UI of the storage
is not accessible.

3. Display the current ciphers by entering:

/opt/Navisphere/bin/naviseccli -User emc -Password emc -Scope 0 -Address 10.53.170.242 security -tls -get

Sample output:
TLS Versions:
ManagementServer : TLSv1.0, TLSv1.1, TLSv1.2
LDAP : TLSv1.0, TLSv1.1, TLSv1.2
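Steps 3 of 23.4 and 23.5 show the post-change output but leave the check to the reader. The following added example (not Nokia's, Dell EMC's or the uemcli/naviseccli tools' code) parses the two output formats quoted above and reports any service that still offers a TLS version below the intended minimum; the sample outputs are constructed, and the storage address is a placeholder.

```python
import re

# Constructed sample of `uemcli ... /sys/security show` output (placeholder address).
UNITY_SHOW = """\
Storage system address: <IP of unity storage>
Storage system port: 443
HTTPS connection
1: FIPS 140 mode = disabled
TLS 1.0 mode = disabled
"""

# Constructed sample of `naviseccli ... security -tls -get` output on a VNX2 where
# one service still offers TLSv1.0.
VNX2_TLS_GET = """\
TLS Versions:
ManagementServer : TLSv1.0, TLSv1.1, TLSv1.2
LDAP : TLSv1.1, TLSv1.2
"""

# Version order as printed by the VNX2 CLI; used to define "older than".
TLS_ORDER = ["TLSv1.0", "TLSv1.1", "TLSv1.2"]


def unity_tls1_enabled(text):
    """True if the Unity 'TLS 1.0 mode' line says enabled. Raises on a missing or
    unexpected value so that unparseable output is never reported as 'disabled'."""
    m = re.search(r"^\s*TLS 1\.0 mode\s*=\s*(\w+)\s*$", text, re.MULTILINE)
    if not m:
        raise ValueError("'TLS 1.0 mode' line not found in uemcli output")
    state = m.group(1).lower()
    if state not in ("enabled", "disabled"):
        raise ValueError("unexpected TLS 1.0 mode value: %r" % state)
    return state == "enabled"


def vnx2_tls_versions(text):
    """Return {service: set(versions)} from the naviseccli 'TLS Versions:' block."""
    versions, in_block = {}, False
    for line in text.splitlines():
        if line.strip() == "TLS Versions:":
            in_block = True
            continue
        if in_block and ":" in line:
            service, _, vals = line.partition(":")
            versions[service.strip()] = {v.strip() for v in vals.split(",") if v.strip()}
    return versions


def vnx2_below_minimum(text, minimum="TLSv1.1"):
    """Services still offering a TLS version older than `minimum`, with those versions.
    The default matches the tls1disabled procedure above (TLSv1.0 must be gone);
    pass "TLSv1.2" to check the -tls -set TLSv1.2 setting from chapter 22."""
    too_old = set(TLS_ORDER[:TLS_ORDER.index(minimum)])
    report = {}
    for service, offered in vnx2_tls_versions(text).items():
        old = sorted(offered & too_old, key=TLS_ORDER.index)
        if old:
            report[service] = old
    return report


if __name__ == "__main__":
    print("Unity TLS 1.0 enabled:", unity_tls1_enabled(UNITY_SHOW))
    print("VNX2 services below TLSv1.1:", vnx2_below_minimum(VNX2_TLS_GET))
    print("VNX2 services below TLSv1.2:", vnx2_below_minimum(VNX2_TLS_GET, "TLSv1.2"))
```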

23.6 HPE 3PAR storage


The HPE 3PAR storage does not have the option to enable or disable weak ciphers. As confirmed by HPE, from HPE 3PAR 3.2.2 MU6 firmware version onwards, TLSv1.0 and TLSv1.1 are disabled by default.


23.7 HPE MSA storage

23.7.1 HPE MSA 2040


The HPE MSA 2040 supports strong and weak ciphers. However, the option to enable or disable weak ciphers is currently not available on the HPE MSA 2040 storage. Therefore, all the TLS protocols including TLSv1.0, TLSv1.1, and TLSv1.2 are enabled.

23.7.2 HPE MSA 2050


The HPE MSA 2050 does not have the option to enable or disable weak ciphers. As confirmed by
HPE, from VL270R001 firmware version onwards, only TLSv1 and TLSv1.1 are disabled by default.

23.7.3 HPE Switches

For HPE switches, by default the web interface is disabled as per DCN templates. Hence, TLS protocol selection is not required for HPE switches.

23.8 HPE Synergy 12000

23.8.1 OneView

23.8.1.1 Disabling weak ciphers

1. Log in as root user to the NetAct Admin VM.

2. Collect the OneView session ID by entering the following (example command):

val=$(curl -k --location --request POST 'https://10.10.136.200/rest/login-sessions' --header 'X-API-Version:800' --header 'Content-Type: application/json' --data '{"authLoginDomain":"Local","password":"administrator_password","userName":"administrator"}' | awk -F'"' '$0=$4' )

3. Print the session ID value from the variable by entering:

echo $val

4. Place the session ID after Auth: in the following command and enter it:

curl -k --location --request PUT 'https://10.10.136.200/rest/security-standards/protocols' --header 'X-API-Version: 1200' --header 'Auth: OTEwMTI5MTY3OTA2HOULVAbXwgSR4g5VqDW5EAhUlQfHYpDD' --header 'Content-Type: application/json' --data ' [ {"protocolName":"TLSv1", "enabled":false}, {"protocolName":"TLSv1.1", "enabled":false}, {"protocolName":"TLSv1.2", "enabled":true} ] '

Note: The OneView webserver resets when weak ciphers are enabled or disabled. There is no downtime for NetAct.

23.8.1.2 Enabling weak ciphers


You can enable the weak ciphers if there are any connection problems because of disabling the weak
ciphers.

1. Log in as root user to the NetAct Admin VM.

2. Collect the OneView session ID by entering the following (example command):

val=$(curl -k --location --request POST 'https://10.10.136.200/rest/login-sessions' --header 'X-API-Version:800' --header 'Content-Type: application/json' --data '{"authLoginDomain":"Local","password":"administrator_password","userName":"administrator"}' | awk -F'"' '$0=$4' )

3. Print the session ID value from the variable by entering:

echo $val

4. Place the session ID after Auth: in the following command and enter it:

curl -k --location --request PUT 'https://10.10.136.200/rest/security-standards/protocols' --header 'X-API-Version: 1200' --header 'Auth: OTEwMTI5MTY3OTA2HOULVAbXwgSR4g5VqDW5EAhUlQfHYpDD' --header 'Content-Type: application/json' --data ' [ {"protocolName":"TLSv1", "enabled":false}, {"protocolName":"TLSv1.1", "enabled":true}, {"protocolName":"TLSv1.2", "enabled":true} ] '

Note: The OneView webserver resets when weak ciphers are enabled or disabled. There is no downtime for NetAct.

23.8.2 Synergy 480 Gen10 iLO

TLS is the protocol behind HTTPS, and cipher suites are the building blocks of the connection. TLS (among other things) is responsible for encrypting the traffic between the client and the server.

23.8.2.1 Disabling weak ciphers

1. Log in to the Synergy 480 Gen10 iLO console using Web UI.

2. Go to Security → Encryption.

The Security - Encryption Settings page appears.

3. From the Security Settings drop-down list, select High Security.

4. Click Apply.

The Apply and Reset confirmation window appears.

5. Click Yes, apply and reset.

Note: Also, the above instructions disable TLSv1.1 weak ciphers. The Synergy 480
Gen10 iLO resets when the TLSv1 weak ciphers are disabled. However, there is no
downtime for NetAct.

23.8.2.2 Enabling weak ciphers


You can enable the weak ciphers if there are any connection problems because of disabling the weak
ciphers.

1. Log in to the Synergy 480 Gen10 iLO console using Web UI.

2. Go to Security → Encryption.

The Security - Encryption Settings page appears.

3. From the Security Settings drop-down list, select Production.

4. Click Apply.


The Apply and Reset confirmation window appears.

5. Click Yes, apply and reset.

Note: Also, the above instructions enable TLSv1.1 weak ciphers. The Synergy 480
Gen10 iLO resets when the TLSv1 weak ciphers are enabled. However, there is no
downtime for NetAct.


24 Managing SSH cipher configuration for hardware devices

A cipher suite is a complete set of algorithms needed to secure a network connection through Secure
Shell (SSH). The name of each set is representative of the specific algorithms comprising it.

Weak ciphers are generally known as encryption or decryption algorithms that use key sizes that are
less than 128 bits. Using an insufficient length for a key in an encryption or decryption algorithm opens
up the possibility that the encryption scheme could be broken or cracked.

24.1 HPE 5510, 5900, and 6127 xlg switches


Table 26: Recommended Ciphers list provides the list of strong and weak Ciphers, MACs, and KexAlgorithms.

Type     Ciphers       MACs       KexAlgorithms
Strong   aes256-ctr    sha2-512   ecdh-sha2-nistp384
         aes192-ctr    sha2-256   ecdh-sha2-nistp256
         aes128-ctr
         aes256-gcm
         aes128-gcm
Weak     aes256-cbc    sha1-96    dh-group-exchange-sha1
         aes128-cbc    sha1       dh-group14-sha1
         3des-cbc      md5-96     dh-group1-sha1
         des-cbc       md5

Table 26: Recommended Ciphers list


24.1.1 Disabling weak ciphers

The SSH protocol is used for secure remote login from one device to another. It (among other
protocols) is responsible for encrypting the traffic between the client and the server. To avoid any
security violations, you must disable weak cipher suites on the server side.

1. Connect to the switch through SSH as the admin user.

2. Switch to configuration mode by entering:

system-view

3. Disable weak ciphers of SSHv1 by entering:

undo ssh server compatible-ssh1x

4. Disable weak Ciphers, MACs, and KexAlgorithms of SSHv2.


a) Disable weak ciphers by entering:

ssh2 algorithm cipher <ciphers>

For example:

• To remove a specific cipher such as aes128-cbc, enter:

ssh2 algorithm cipher aes128-gcm aes128-ctr aes256-ctr aes256-gcm aes192-ctr aes256-cbc 3des-cbc des-cbc

• To remove all weak ciphers, enter:

ssh2 algorithm cipher aes128-gcm aes128-ctr aes256-ctr aes256-gcm aes192-ctr

b) Disable weak MAC algorithms by entering:

ssh2 algorithm mac <mac algorithms>

For example:

• To remove the specific MAC algorithm such as sha1, enter:

ssh2 algorithm mac sha2-256 sha2-512 sha1-96 md5-96 md5

• To remove all weak MAC Algorithms, enter:

ssh2 algorithm mac sha2-256 sha2-512

c) Disable weak key-exchange algorithms by entering:

ssh2 algorithm key-exchange <key-exchange algorithms>


For example:

• To remove the specific key-exchange algorithm such as dh-group-exchange-sha1, enter:

ssh2 algorithm key-exchange ecdh-sha2-nistp256 ecdh-sha2-nistp384 dh-group1-sha1 dh-group14-sha1

• To remove all weak key-exchange algorithms, enter:

ssh2 algorithm key-exchange ecdh-sha2-nistp256 ecdh-sha2-nistp384

d) Display the current ciphers by entering:

display ssh2 algorithm

Sample output
Key exchange algorithms : ecdh-sha2-nistp256 ecdh-sha2-nistp384
Public key algorithms : rsa
Encryption algorithms : aes128-gcm aes128-ctr aes256-ctr aes256-gcm
aes192-ctr
MAC algorithms : sha2-256 sha2-512

5. Save changes by entering:

save

Sample output
The current configuration will be written to the device. Are you sure?
[Y/N]:y
Please input the file name(*.cfg)[flash:/startup.cfg]
(To leave the existing filename unchanged, press the enter key):
flash:/startup.cfg exists, overwrite? [Y/N]:y
Validating file. Please wait...
Saved the current configuration to mainboard device successfully.
Slot 2:
Save next configuration file successfully.

Enter y when it prompts for confirmation.

Expected outcome

The weak ciphers are disabled.
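The ssh2 algorithm commands above must list every algorithm that is to remain, so a typo silently re-enables a weak one or locks you out. The following added example (not Nokia's or HPE's code) derives the commands from the switch's own display ssh2 algorithm output and the strong set in Table 26, covers the "remove one specific algorithm" case, refuses to emit an empty list, and checks the post-change output. Both sample outputs are constructed.

```python
# Strong algorithms from Table 26; anything else the switch advertises is treated
# as weak. Keywords match the `ssh2 algorithm <keyword>` command.
STRONG = {
    "cipher": {"aes256-ctr", "aes192-ctr", "aes128-ctr", "aes256-gcm", "aes128-gcm"},
    "mac": {"sha2-512", "sha2-256"},
    "key-exchange": {"ecdh-sha2-nistp384", "ecdh-sha2-nistp256"},
}

# `display ssh2 algorithm` field name -> command keyword (public key algorithms are
# not part of this procedure and are left alone).
FIELD_TO_KEYWORD = {
    "Encryption algorithms": "cipher",
    "MAC algorithms": "mac",
    "Key exchange algorithms": "key-exchange",
}

# Constructed `display ssh2 algorithm` output before hardening (long lists wrap
# onto the next line the way the switch prints them).
SAMPLE_BEFORE = """\
Key exchange algorithms : dh-group-exchange-sha1 dh-group14-sha1 dh-group1-sha1
ecdh-sha2-nistp256 ecdh-sha2-nistp384
Public key algorithms : rsa
Encryption algorithms : aes128-gcm aes128-ctr aes256-ctr aes256-gcm aes192-ctr
aes256-cbc 3des-cbc des-cbc aes128-cbc
MAC algorithms : sha2-256 sha2-512 sha1-96 sha1 md5-96 md5
"""

# Constructed output after the procedure above has been applied.
SAMPLE_AFTER = """\
Key exchange algorithms : ecdh-sha2-nistp256 ecdh-sha2-nistp384
Public key algorithms : rsa
Encryption algorithms : aes128-gcm aes128-ctr aes256-ctr aes256-gcm aes192-ctr
MAC algorithms : sha2-256 sha2-512
"""


def parse_display(text):
    """Return {field: [algorithms]}; a line without ' : ' continues the previous field."""
    fields, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if " : " in line:
            current, _, value = line.partition(" : ")
            fields[current] = value.split()
        elif current is not None:
            fields[current].extend(line.split())
    return fields


def split_strength(keyword, algorithms):
    """Partition a list into (strong, weak) according to Table 26, keeping order."""
    strong = [a for a in algorithms if a in STRONG[keyword]]
    weak = [a for a in algorithms if a not in STRONG[keyword]]
    return strong, weak


def hardening_commands(fields, drop=None):
    """Return the `ssh2 algorithm ...` commands that remove weak algorithms.
    By default every weak algorithm goes; drop={"cipher": {"aes128-cbc"}} removes
    only the named algorithms for that keyword (the 'specific cipher' case above).
    Refuses to emit an empty list, which would lock you out of the switch."""
    commands = []
    for field, keyword in FIELD_TO_KEYWORD.items():
        if field not in fields:
            continue
        current = fields[field]
        if drop and keyword in drop:
            keep = [a for a in current if a not in drop[keyword]]
        else:
            keep = split_strength(keyword, current)[0]
        if not keep:
            raise ValueError("no %s algorithm would remain; refusing to lock out SSH" % keyword)
        if keep != current:
            commands.append("ssh2 algorithm %s %s" % (keyword, " ".join(keep)))
    return commands


def remaining_weak(fields):
    """Post-change check: weak algorithms still advertised, per keyword."""
    return {keyword: split_strength(keyword, fields[field])[1]
            for field, keyword in FIELD_TO_KEYWORD.items() if field in fields}


if __name__ == "__main__":
    for cmd in hardening_commands(parse_display(SAMPLE_BEFORE)):
        print(cmd)
    print("weak left after:", remaining_weak(parse_display(SAMPLE_AFTER)))
```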

24.2 HPE 5500 switch


As confirmed by HPE, the ciphers are not editable for HPE 5500 switch.


24.3 HPE SAN switch


Table 27: Recommended Ciphers list provides the list of strong and weak Ciphers, MACs, and KexAlgorithms.

Type    Ciphers      MACs            KexAlgorithms
Strong  aes256-ctr   hmac-sha2-256   ecdh-sha2-nistp256
        aes192-ctr   hmac-sha2-512   ecdh-sha2-nistp384
        aes128-ctr                   ecdh-sha2-nistp521
                                     diffie-hellman-group-exchange-sha256
Weak    aes128-cbc   hmac-md5        diffie-hellman-group-exchange-sha1
        3des-cbc     hmac-sha1       diffie-hellman-group14-sha1
        aes192-cbc                   diffie-hellman-group1-sha1
        aes256-cbc

Table 27: Recommended Ciphers list

24.3.1 Disabling weak ciphers


The SSH protocol provides secure remote login from one device to another and encrypts the traffic between the client and the server. The strength of that protection depends on the cipher, MAC, and key-exchange algorithms the server is willing to negotiate, so the weak ones must be disabled on the server side.

1. Connect to SAN switch management IP using SSH as admin user.

2. Get the list of SSH ciphers by entering:

X:admin> seccryptocfg --show

Sample output
HTTPS Cipher List : !ECDH:!DH:HIGH:-MD5:!CAMELLIA:!SRP:!PSK:!AESGCM
SSH Cipher List : aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc
SSH Kex Algorithms List : ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
SSH MACs List : hmac-md5,hmac-sha1,hmac-sha2-256,hmac-sha2-512

Make a note of the existing SSH cipher list, SSH Kex algorithms list, and SSH MACs list.

3. Disable the weak SSH algorithms by replacing each list with only the strong entries. The --replace option overwrites the whole list, so every algorithm that should stay enabled must be given:

seccryptocfg --replace -type SSH [-cipher <cipher string> | -kex <value> | -mac <value>]

Example

seccryptocfg --replace -type SSH -cipher aes128-ctr,aes192-ctr,aes256-ctr -kex ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256 -mac hmac-sha2-256,hmac-sha2-512

Sample output:

This command requires the daemon(s) SSH to be restarted


Existing sessions will be terminated.
Please confirm and provide the preferred option
Press Yes(Y,y), No(N,n) [N]:y
Terminating all SSH/SCP sessions running

Enter y when it prompts for confirmation.

Expected outcome

The weak ciphers of SSH are disabled.

Note: Disabling of weak ciphers terminate the SSH connection. The SSH connection
must be reestablished.
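The following script is an added example, not Brocade or HPE tooling: it audits a captured seccryptocfg --show listing against the strong sets in Table 27 and prints the exact seccryptocfg --replace command for anything weak. Run it before step 3, and again after reconnecting, to confirm the change took effect. It assumes the listing has been saved to a file (for example with ssh admin@<san-switch> seccryptocfg --show > show.txt; the file name is an assumption), checks only the three SSH lists, and uses the listing shown on this page as a constructed sample when no file is given.

```shell
#!/bin/sh
# Added example: audit a captured "seccryptocfg --show" listing against the
# strong SSH algorithm sets of Table 27. Capture the listing first, e.g.
#   ssh admin@<san-switch> seccryptocfg --show > show.txt    (file name assumed)
# Only the three SSH lists are checked; the HTTPS cipher string is left alone.

STRONG_CIPHERS="aes256-ctr aes192-ctr aes128-ctr"
STRONG_MACS="hmac-sha2-256 hmac-sha2-512"
STRONG_KEX="ecdh-sha2-nistp256 ecdh-sha2-nistp384 ecdh-sha2-nistp521 diffie-hellman-group-exchange-sha256"

# field <label> <file>: value of the "<label> : a,b,c" line, with the
# continuation lines the switch CLI wraps at terminal width joined back on.
field() {
    awk -v key="$1" '
        grab && /^(SSH|HTTPS) / { grab = 0 }                 # next label ends the value
        index($0, key) == 1     { sub(/^[^:]*:/, ""); gsub(/[ \t]/, ""); v = $0; grab = 1; next }
        grab                    { gsub(/[ \t]/, ""); v = v $0 }
        END                     { print v }' "$2"
}

# weak_entries <comma-separated list> <space-separated strong set>:
# prints every list entry that is not in the strong set.
weak_entries() {
    out=""
    for e in $(printf '%s' "$1" | tr ',' ' '); do
        case " $2 " in
            *" $e "*) ;;                 # in the strong set
            *) out="$out $e" ;;          # anything else is weak
        esac
    done
    printf '%s' "${out# }"
}

# csv <words>: comma-join a set for the -cipher/-kex/-mac arguments
csv() { printf '%s' "$*" | tr ' ' ','; }

# audit <file>: returns 0 if only strong algorithms are enabled, otherwise
# prints the weak entries plus the remediation command and returns 1.
audit() {
    weak_c=$(weak_entries "$(field 'SSH Cipher List' "$1")" "$STRONG_CIPHERS")
    weak_k=$(weak_entries "$(field 'SSH Kex Algorithms List' "$1")" "$STRONG_KEX")
    weak_m=$(weak_entries "$(field 'SSH MACs List' "$1")" "$STRONG_MACS")
    if [ -z "$weak_c$weak_k$weak_m" ]; then
        echo "OK: only strong SSH ciphers, key-exchange algorithms and MACs are enabled"
        return 0
    fi
    echo "WEAK ciphers: ${weak_c:-none}"
    echo "WEAK kex    : ${weak_k:-none}"
    echo "WEAK macs   : ${weak_m:-none}"
    echo "Remediate on the switch with:"
    echo "seccryptocfg --replace -type SSH -cipher $(csv $STRONG_CIPHERS) -kex $(csv $STRONG_KEX) -mac $(csv $STRONG_MACS)"
    return 1
}

# Constructed sample: the listing on this page, wrapped the way the CLI prints it.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
HTTPS Cipher List : !ECDH:!DH:HIGH:-MD5:!CAMELLIA:!SRP:!PSK:!AESGCM
SSH Cipher List : aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,
3des-cbc,aes192-cbc,aes256-cbc
SSH Kex Algorithms List : ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-
sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-
exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
SSH MACs List : hmac-md5,hmac-sha1,hmac-sha2-256,hmac-sha2-
512
EOF

audit "${1:-$SAMPLE}" || echo "(exit status 1: weak algorithms present)"
```

Run it as `sh audit_ssh_algos.sh show.txt`; with no argument it audits the constructed sample and prints the four CBC ciphers, the three SHA-1 key-exchange methods and the two weak MACs together with the replace command from step 3.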

24.3.2 Enabling weak ciphers


If disabling the weak ciphers causes connection problems (for example, a management client that only supports CBC ciphers or SHA-1 key exchange), re-enable the weak ciphers as a temporary measure, update the client, and then repeat Disabling weak ciphers.

1. Connect to SAN switch management IP using SSH as admin user.

2. Get the list of SSH ciphers by entering:

X:admin> seccryptocfg --show

Sample output


HTTPS Cipher List : !ECDH:!DH:HIGH:-MD5:!CAMELLIA:!SRP:!PSK:!AESGCM


SSH Cipher List : aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,
3des-cbc,aes192-cbc,aes256-cbc
SSH Kex Algorithms List : ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-
sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-
exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
SSH MACs List : hmac-md5,hmac-sha1,hmac-sha2-256,hmac-sha2-
512

Make a note of the existing SSH cipher list, SSH Kex algorithms list, and SSH MACs list.

3. Enable the weak SSH algorithms by adding them back to the lists alongside the strong entries. The lists below restore the configuration noted in step 2:

seccryptocfg --replace -type SSH [-cipher <cipher string> | -kex <value> | -mac <value>]

Example

seccryptocfg --replace -type SSH -cipher aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc -kex ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1 -mac hmac-md5,hmac-sha1,hmac-sha2-256,hmac-sha2-512

Sample output
This command requires the daemon(s) SSH to be restarted
Existing sessions will be terminated.
Please confirm and provide the preferred option
Press Yes(Y,y), No(N,n) [N]:y
Terminating all SSH/SCP sessions running

Enter y when it prompts for confirmation.

Expected outcome

The weak ciphers of SSH are enabled.

Note: Changing the SSH algorithm lists terminates the SSH connection. The SSH connection must be reestablished.

25 Managing SSL 2.0 and SSL 3.0 for AVECP

25.1 Disabling SSL 2.0 and SSL 3.0


SSL 2.0 and SSL 3.0 are vulnerable protocol versions. To mitigate them on AVECP, block TCP port 5489 on eth0 with an iptables rule. This does not reconfigure the TLS stack of the service on that port; it rejects every connection to the port arriving on eth0, so the service is unreachable over that interface. To disable, do the following:

1. Log in to AVECP as admin user and switch to root user.

2. Disable the port 5489 by entering:

/usr/sbin/iptables -I input_ext 1 -i eth0 -p tcp --dport 5489 -j REJECT

/usr/sbin/iptables-save

Note: iptables-save writes the running rule set to standard output; redirect it to the file your system restores at boot if the rule must survive a restart. Verify that the rule is in place with /usr/sbin/iptables -L input_ext -n --line-numbers.

25.2 Enabling SSL 2.0 and SSL 3.0

1. Log in to AVECP as admin user and switch to root user.

2. Enable the port 5489 by entering:

/usr/sbin/iptables -D input_ext -i eth0 -p tcp --dport 5489 -j REJECT

/usr/sbin/iptables-save


26 Configuring Brute Force protection


A brute force attack tries to breach NetAct security by systematically trying combinations of letters, numbers, and symbols until a password that works is found.

26.1 Brute Force attacks

26.1.1 Brute force attack on NetAct VMs


This is an attempt to access the NetAct VMs over SSH. All VMs are monitored periodically for failed access attempts. When the number of failures within a monitoring window exceeds the defined threshold, the attacker's IP address is blocked. The block applies only to the attacked VM.

For details on configuration, see Configuring brute force protection for SSH.

26.1.2 Brute force attack on NetAct Web services

This is an attempt to access the NetAct web services over HTTP/HTTPS. Every web server keeps track of failed attempts; if the number of failures within a monitoring window exceeds the defined threshold, the attacker's IP address is blocked and further requests from that address are denied. Depending on the policy settings, the username used in the attack may also be blocked. IP address or username blocking applies only to the attacked web server instance. When the same web service is hosted on multiple VMs, a given instance blocks only when the failures counted at that instance exceed the threshold.

For details on configuration, see Configuring brute force protection for web services.

26.1.3 Brute force attack on NetAct Oracle DB


This is an attempt to access the NetAct Oracle DB. The Oracle DB is monitored periodically for failed access attempts. When the number of failures within a monitoring window exceeds the defined threshold, a potential brute-force attempt is reported and needs immediate attention.

For details on configuration, see Configuring brute force detection for Oracle Database.

26.2 Configuring brute force protection for SSH

Prerequisites

Enable root login in all VM's if NetAct system is hardened.


Change the brute force protection parameters for SSH by executing the script /opt/oss/NSN-sm_common/bin/sm_ssh_brute_force_mgmt.sh.

The following parameters control how a brute force attempt is detected and handled:

Parameter name                                 Range       Default  Description
SSH login delay (login_delay)                  1 to 60     5        Delay, in seconds, applied to every unsuccessful SSH login attempt. The applied delay can deviate slightly from the configured value.
Log interval (log_interval)                    10 to 60    10       Time interval, in minutes, over which the log details of unsuccessful attempts are collected.
Unsuccessful attempts (unsuccessful_attempts)  40 to 240   40       Number of unsuccessful attempts from the same IP address within log_interval that triggers blocking. Must be an integer.
Block duration (block_duration)                10 to 1440  10       Time, in minutes, for which the suspicious IP address is blocked once unsuccessful_attempts is reached within a log_interval.

Table 28: Brute force protection parameters

1. Log in as root user to the VM where dmgr service is running. To locate the correct virtual
machine, refer to Locating the right virtual machine for a service in Administering NetAct Virtual
Infrastructure.

2. Configure the SSH login delay, by typing:


[root]# sh /opt/oss/NSN-sm_common/bin/sm_ssh_brute_force_mgmt.sh -login_delay <login_delay>


where, <login_delay> is a mandatory parameter in seconds.

3. Configure the log interval, unsuccessful attempts and, block duration, by typing:
[root]# sh /opt/oss/NSN-sm_common/bin/sm_ssh_brute_force_mgmt.sh -log_interval <log_interval> -unsuccessful_attempts <unsuccessful_attempts> -block_duration <block_duration>

where,

<log_interval> is a mandatory parameter in minutes.

<unsuccessful_attempts> is a mandatory parameter, and is an integer.

<block_duration> is a mandatory parameter in minutes.

4. Unblock the blocked IP, by typing:


[root]# sh /opt/oss/NSN-sm_common/bin/sm_ssh_brute_force_mgmt.sh -unblock <host_name> <IP1> <IP2> ... <IPn>

where,

<host_name> is the hostname of VM in which the respective IP’s are blocked. It is a mandatory
parameter.

<IP1> <IP2>...<IPn> are the IP addresses to be unblocked. It is mandatory to provide at least


one IP address.

Note: Disable the root login in all VM's, if it was enabled as mentioned in the pre-
requisite. For information on how to disable root login, see Disable the root SSH login.
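The detection rule described in Brute force attack on NetAct VMs, as an added example that is not sm_ssh_brute_force_mgmt.sh: a sliding-window count of sshd "Failed password" lines per source IP, using the Table 28 defaults of 40 attempts within a 10-minute log interval. The log lines are constructed, in the ISO-8601 form that journalctl -o short-iso prints; the script reports each IP address and the time at which it crossed the threshold, which is the point at which the blocking described above would start. The timestamp conversion is a simplification (ordinal seconds, no time zone handling) that is adequate for comparing events within one month.

```shell
#!/bin/sh
# Added example: sliding-window detection of SSH password guessing per source
# IP, the rule section 26.1.1 describes. Not sm_ssh_brute_force_mgmt.sh.
# Input: sshd "Failed password" lines as journalctl -o short-iso prints them.
LOG_INTERVAL=${LOG_INTERVAL:-10}                      # minutes (Table 28 default)
UNSUCCESSFUL_ATTEMPTS=${UNSUCCESSFUL_ATTEMPTS:-40}    # failures per window per IP

# detect <logfile> [interval_minutes] [threshold]
# prints "<ip> <failures-in-window> <timestamp>" when an IP crosses the threshold
detect() {
    awk -v win="$(( ${2:-$LOG_INTERVAL} * 60 ))" -v max="${3:-$UNSUCCESSFUL_ATTEMPTS}" '
    # Ordinal seconds from YYYY-MM-DDTHH:MM:SS. Monotonic within a month, which
    # is all a window comparison needs (simplification: no epoch or zone math).
    function secs(s,    d, t) {
        split(substr(s, 1, 10), d, "-"); split(substr(s, 12, 8), t, ":")
        return (d[2] * 31 + d[3]) * 86400 + t[1] * 3600 + t[2] * 60 + t[3]
    }
    /sshd\[[0-9]+\]: Failed password for/ {
        ip = ""
        for (i = 1; i < NF; i++) if ($i == "from") ip = $(i + 1)
        if (ip == "" || (ip in blocked)) next
        now = secs($1)
        cnt[ip]++; stamp[ip, cnt[ip]] = now
        # slide the window: forget failures older than win seconds
        while (head[ip] < cnt[ip] && stamp[ip, head[ip] + 1] <= now - win) head[ip]++
        if (cnt[ip] - head[ip] >= max) {
            blocked[ip] = 1                     # report once; blocking would start here
            printf "%s %d %s\n", ip, cnt[ip] - head[ip], $1
        }
    }' "$1"
}

# Constructed sample: 45 failures from 192.0.2.10 spread over nine minutes
# (12 s apart), then two failures and one success from 198.51.100.7.
SAMPLE=$(mktemp)
{
    i=0
    while [ "$i" -lt 45 ]; do
        printf '2021-03-03T10:%02d:%02d netact-dmgr sshd[%d]: Failed password for invalid user oracle from 192.0.2.10 port %d ssh2\n' \
            $(( i / 5 )) $(( (i % 5) * 12 )) $(( 4000 + i )) $(( 40000 + i ))
        i=$(( i + 1 ))
    done
    printf '2021-03-03T10:05:00 netact-dmgr sshd[5000]: Failed password for omc from 198.51.100.7 port 50000 ssh2\n'
    printf '2021-03-03T10:06:00 netact-dmgr sshd[5001]: Failed password for omc from 198.51.100.7 port 50001 ssh2\n'
    printf '2021-03-03T10:07:00 netact-dmgr sshd[5002]: Accepted password for omc from 198.51.100.7 port 50002 ssh2\n'
} > "$SAMPLE"

detect "${1:-$SAMPLE}"     # with the defaults: 192.0.2.10 40 2021-03-03T10:07:48
```

Run it as `sh detect_ssh_bruteforce.sh <logfile>`; with no argument it processes the constructed sample. The second and third positional arguments of detect let you try the window and threshold before changing log_interval and unsuccessful_attempts on the VMs: with a 5-minute window the same 45 failures never reach 40 in one window, which shows why both parameters have to be chosen together.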

26.3 Configuring brute force protection for Admin Server

Prerequisites

Log in to Admin Server as root.

Change the SSH brute force protection parameters for Admin Server by executing the commands described below.

The following parameters control how a brute force attempt is detected and handled:

Parameter name                 Range     Default  Description
SSH login delay (login_delay)  1 to 60   5        Delay, in seconds, applied to every unsuccessful SSH login attempt. The applied delay can deviate slightly from the configured value. Modify with /opt/mistools/bin/brute_force_protection_pam_update.sh.
Interval (seconds)             1 to 240  240      Time interval, in seconds, over which SSH attempts from the same IP address are monitored. An IP address detected performing a brute-force attack is blocked for the same interval and unblocked automatically when it elapses. Modify with /opt/mistools/bin/update_brute_force_protection.sh.
SSH attempts (hits)            1 to 17   17       Number of SSH attempts from the same IP address within the interval that triggers blocking; must be a number between 1 and 17. With the default values, more than 17 SSH attempts from one IP address within 240 seconds cause that address to be blocked. Modify with /opt/mistools/bin/update_brute_force_protection.sh.

Table 29: Brute force protection parameters

1. Log in as root user to the Admin Server.

2. Configure the SSH login delay, by typing:


[root]# sh /opt/mistools/bin/brute_force_protection_pam_update.sh --logindelay <login_delay>


where, <login_delay> is a mandatory parameter in seconds.

3. Configure the monitoring interval and the hit count, by typing:
[root]# sh /opt/mistools/bin/update_brute_force_protection.sh --sec <seconds> --hits <hitcount>

where,

<seconds> is the window for monitoring and blocking any IP Address. Default is 240 seconds if
not given.

<hitcount> is the number of SSH attempts for detecting brute force attempt and blocking any IP.
Default is 17 if not given.

26.4 Configuring brute force protection for web services


Enable root login in all VMs if NetAct system is hardened. Log in as root user to the VM hosting the
dmgr service.

Note:

To locate the right VM, see Locating the right virtual machine for a service in Administering
NetAct Virtual Infrastructure.

1. To see the current brute force protection status, enter:

[root]# sh sm_bruteforce_mgmt.sh -serviceType ws -s

The display format is as explained below:

######################################################################
brute force protection :enabled/disabled/unsynchronized
service_name host status
----------------------------------------------------------------------
<name> <node> enabled/disabled/unknown
... ... ...
----------------------------------------------------------------------
policy parameters : default/fromFile
----------------------------------------------------------------------
<parameter_name_1> <value>
... ...
----------------------------------------------------------------------
white-list:
<IP1>,<IP2>,<IP3>...
######################################################################

Brute force protection status:

• enabled - when brute force protection is enabled on all the web servers
• disabled - when brute force protection is disabled on all the web servers
• unsynchronized - when brute force protection is enabled in few web servers and is disabled
in the rest. This situation arises when the enabling or disabling operation fails for some
services in the particular node. The corresponding status for the failed service_name, host
pair will be shown as unknown.

Policy parameters:

• default - if the last configuration was used with default values.


• fromFile - if the last configuration was used by reading the values from the file.

White-list: The existing passlist IP addresses in CSV format.

Note: If any operation triggered on sm_bruteforce_mgmt.sh fails to update a service (such as ihs, nwi3-http, httpd, restda, ntcapp), the operator must resolve the issue and re-execute the same operation to overcome sync issues on all services.

2. To re-configure the threshold values of the parameters, enter:

[root]# sh sm_bruteforce_mgmt.sh -serviceType ws -c -o [default/fromFile]

The threshold values of the following parameters can be reconfigured:

Parameter Name        Range          Default     Description
userMaxFailAttempts   > 0 (number)   50          Maximum number of unsuccessful attempts allowed for a username. Once the threshold is reached, the username is blocked for the userBlockingWindow duration.
userBlockingWindow    > 0 (minutes)  10 minutes  Duration for which the username stays blocked. The window starts on detection of the brute-force attack; the username is unblocked automatically when the window elapses.
userMonitoringWindow  > 0 (minutes)  10 minutes  Time window during which unsuccessful attempts are counted; when the userMaxFailAttempts threshold is reached, the username is blocked. The window starts on the first unsuccessful attempt.
ipMaxFailAttempts     > 0 (number)   40          Maximum number of unsuccessful attempts allowed for an IP address. Once the threshold is reached, the IP address is blocked for the ipBlockingWindow duration.
ipBlockingWindow      > 0 (minutes)  10 minutes  Duration for which the IP address stays blocked. The window starts on detection of the brute-force attack; the IP address is unblocked automatically when the window elapses.
ipMonitoringWindow    > 0 (minutes)  10 minutes  Time window during which unsuccessful attempts are counted; when the ipMaxFailAttempts threshold is reached, the IP address is blocked. The window starts on the first unsuccessful attempt.

Table 30: Brute force parameters for web services

If brute force protection is enabled, this command re-configures the threshold values of the above parameters. For the default option, default threshold values are used. For the fromFile option, threshold values are read from the file located at /etc/opt/oss/NSN-sm_common/bruteforce/conf/sm_bruteforce_params.conf.

The file should contain values for all the parameters and the valid file format is as following:

• userMaxFailAttempts = 50
• userBlockingWindow = 10
• userMonitoringWindow = 10
• ipMaxFailAttempts = 40
• ipBlockingWindow = 10
• ipMonitoringWindow = 10

3. To disable brute force protection, enter:

[root]# sh sm_bruteforce_mgmt.sh -serviceType ws -d

If brute force protection is not already disabled, this command will disable brute force protection in
all the relevant web servers.

Note: Disabling brute force protection will unblock all the blocked IPs and USERs.

4. To enable brute force protection, enter:

[root]# sh sm_bruteforce_mgmt.sh -serviceType ws -a -o [default/fromFile]


If brute force protection is not already enabled, this command will enable brute force protection in
all the web servers.

5. To unblock the blocked IP and user, enter:

[root]# sh sm_bruteforce_mgmt.sh -serviceType ws -u

If brute force protection is enabled, this command will unblock all the blocked IPs and USERs in all
the web servers. The monitored IPs and USERs are also reset.

Note: If you are unable to access the web-service using unblock command, check and
unlock the user in user management, if locked. To unlock an account under login profile,
see Unlocking account under login profile in User Management Help.

6. To add IP addresses into the passlist, enter:

[root]# sh sm_bruteforce_mgmt.sh -serviceType ws -wa <IP1>,<IP2>,….

Where, <IP1> is a valid IPv4 or IPv6 address. CIDR notation for subnet information is also
supported. If brute force protection is enabled, this command will add the input IP addresses into
the passlist.

Note: IP addresses present in the passlist will never be blocked irrespective of the
number of failed login attempts.

7. To remove addresses from the passlist, enter:

[root]# sh sm_bruteforce_mgmt.sh -serviceType ws -wr <IP1>,<IP2>,….

Where, <IP1> is a valid IPv4 or IPv6 address and is already existing in the passlist. CIDR notation
for subnet information is also supported. If brute force protection is enabled, this command will
remove the input IP addresses from the passlist.

8. To configure the brute force alarm processing interval, enter:

[root]# sh sm_bruteforce_configure_alarm_processing.sh --interval 20

Where --interval <value> is the alarm processing interval in minutes. The allowed values are in the range 1 to 30; the default is 15 minutes. Setting the interval higher or lower than the default can have a small impact on system performance.

Alarm processing identifies the IP addresses and user logins blocked in the past --interval <value> minutes and raises alarms with the attacker details.


Note: This script works only for ihs and httpd.

Disable the root login in all VM's, if it was enabled as mentioned in the pre-requisite. For information
on how to disable root login, see Disable the root SSH login.

26.5 Configuring brute force detection for Oracle Database

Prerequisites

Enable root login in all VM's if NetAct system is hardened.

Log in as root user to the VM where dmgr service is running.

Note: To locate the correct virtual machine, refer to Locating the right virtual machine for a
service in Administering NetAct Virtual Infrastructure.

1. To see the current brute force detection status, execute:

[root]# sh sm_bruteforce_mgmt.sh -serviceType db -s

The display format is as explained below:

######################################################################
brute force detection activated/deactivated
----------------------------------------------------------------------
<parameter_name_1> <value>
... ...
----------------------------------------------------------------------
######################################################################

Brute force detection status:

• activated - when brute force detection is enabled on the Oracle DB


• deactivated - when brute force detection is disabled on the Oracle DB

The parameters section displays the various detection parameters and their values.

2. To re-configure the threshold values of the parameters, execute:


[root]# sh sm_bruteforce_mgmt.sh -serviceType db -c -o [default/fromFile]

The threshold values of the following parameters can be reconfigured:


Parameter name    Range               Default     Description
maxFailAttempts   40 to 240 attempts  40          Number of unsuccessful attempts from the same IP address within monitoringWindow after which a security alarm is raised. Must be an integer.
monitoringWindow  10 to 60 minutes    10 minutes  Time window during which unsuccessful attempts are counted; when the maxFailAttempts threshold is reached, a security alarm is raised.

Table 31: Brute force detection parameters for Oracle DB

If brute force detection is enabled, this command re-configures the threshold values of the above
parameters. For the default option, default threshold values are used. For the fromFile option,
threshold values are read from the file located at /etc/opt/oss/NSN-sm_common/bruteforce/conf/sm_db_bruteforce_params.conf.

The file should contain values for all the parameters, the valid file format is given below:

• maxFailAttempts=40
• monitoringWindow=10

3. To deactivate brute force detection, execute:


[root]# sh sm_bruteforce_mgmt.sh -serviceType db -d

If brute force detection is not already deactivated, this command will deactivate brute force detec-
tion on the Oracle DB.

4. To activate brute force detection, execute:


[root]# sh sm_bruteforce_mgmt.sh -serviceType db -a -o [default/fromFile]

If brute force detection is not already activated, this command will activate brute force detection on
the Oracle DB.

Note: This feature is not activated by default in upgrade scenarios. However, once acti-
vated (deactivated) this feature will continue to be activated (deactivated) during further
release upgrades.


Disable the root login in all VM's, if it was enabled as mentioned in the pre-requisite. For informa-
tion on how to disable root login, see Disable the root SSH login.
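Both fromFile procedures, for web services (sm_bruteforce_params.conf) and for the Oracle DB (sm_db_bruteforce_params.conf), require the file to contain every parameter. The following validator is an added example, not part of NSN-sm_common: it checks a candidate file for missing keys, non-integer values, values outside the ranges in Tables 30 and 31, and misspelled keys before you run -c -o fromFile. Whether sm_bruteforce_mgmt.sh rejects a malformed file on its own is not documented, so the check treats that as an assumption it guards against. The two sample files are constructed.

```shell
#!/bin/sh
# Added example, not part of NSN-sm_common: validate a bruteforce parameter
# file before "sm_bruteforce_mgmt.sh -serviceType ws|db -c -o fromFile".
# Specs are key:min:max from Tables 30 and 31 ("-" means no upper bound).
WS_SPEC="userMaxFailAttempts:1:- userBlockingWindow:1:- userMonitoringWindow:1:- ipMaxFailAttempts:1:- ipBlockingWindow:1:- ipMonitoringWindow:1:-"
DB_SPEC="maxFailAttempts:40:240 monitoringWindow:10:60"

# value_of <key> <file>: value of "key = value" (spaces optional); empty if absent
value_of() {
    awk -F= -v k="$1" '
        /^[ \t]*#/ { next }
        { gsub(/[ \t]/, "", $1); if ($1 == k) { gsub(/[ \t]/, "", $2); print $2; exit } }' "$2"
}

# check_params <spec> <file>: one line per problem on stdout, returns 1 if any
check_params() {
    rc=0
    for entry in $1; do
        key=${entry%%:*}; rest=${entry#*:}; min=${rest%%:*}; max=${rest#*:}
        v=$(value_of "$key" "$2")
        if [ -z "$v" ]; then
            echo "missing: $key"; rc=1; continue
        fi
        case $v in
            *[!0-9]*) echo "not a positive integer: $key=$v"; rc=1; continue ;;
        esac
        if [ "$v" -lt "$min" ] || { [ "$max" != "-" ] && [ "$v" -gt "$max" ]; }; then
            echo "out of range: $key=$v (allowed $min to $max)"; rc=1
        fi
    done
    # a misspelled key would silently leave the real parameter at its old value
    unknown=$(awk -F= -v spec=" $1 " '
        /^[ \t]*#/ || NF < 2 { next }
        { k = $1; gsub(/[ \t]/, "", k); if (index(spec, " " k ":") == 0) print "unknown key: " k }' "$2")
    if [ -n "$unknown" ]; then
        echo "$unknown"; rc=1
    fi
    return $rc
}

# Constructed samples in the Oracle DB file format.
GOOD=$(mktemp); BAD=$(mktemp)
printf 'maxFailAttempts=40\nmonitoringWindow=10\n' > "$GOOD"
cat > "$BAD" <<'EOF'
# value above the 40..240 range, key misspelled, so monitoringWindow is missing
maxFailAttempts = 300
monitoringWindo=10
EOF

check_params "$DB_SPEC" "$GOOD" && echo "OK: $GOOD can be copied to /etc/opt/oss/NSN-sm_common/bruteforce/conf/sm_db_bruteforce_params.conf"
check_params "$DB_SPEC" "$BAD" || echo "refusing to apply $BAD"
```

Use `check_params "$WS_SPEC" <file>` for the web services file and `check_params "$DB_SPEC" <file>` for the Oracle DB file; copy the file into place only when the function returns 0.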


27 Configuring Firewall for NetAct


Firewall configuration is a mandatory part of the system hardening measures.

27.1 Initial Setup for Firewall Environment


Firewalls protect IT systems from unwanted access. To configure them you must know which communications are allowed; this information is given in Chapter Firewall rules and the chapters following it.

The communication information contains:

• Source

Who wants to start communication and what port does it want to use.

• Destination

To whom does the source want to send and what port does the destination want to use.

• Protocols

Over what protocols should the communication be held:

- Application layer protocol (AL)


- Transport layer protocol (TL)

• Service Object

Readable name for the port number for the firewall administrator.

• Description

For additional information.

Derive the firewall rules from this information, in the order listed above. The firewall evaluates the rules top-down and applies the first rule that matches; communication that matches no rule is not allowed (the final catch-all rule drops it).

Example:

The following table contains (as an example only) the communication information that can be got from
Firewall rules.

Source                 Source Port  Destination                        Dest. Port  Application Layer  Transport Layer  Service Object  Description
User Workstation Apps  ephemeral    DB                                 22          SSH                TCP              ssh             port used to log into a remote machine and execute commands
User Workstation Mgmt  ephemeral    DB                                 22          SSH                TCP              ssh             port used to log into a remote machine and execute commands
Higher Level System    ephemeral    DB                                 22          SSH                TCP              ssh             port used to log into a remote machine and execute commands
DB                     123          Time Server: Higher Level System   123         chrony             UDP              chronyd         NetAct server clock time set to actual time from external NTP server
DB                     323          Time Server: Higher Level System   323         chrony             UDP              chronyd         NetAct server clock time set to actual time from external NTP server

From this information, you can determine the firewall rules. Each rule consists of Source, Destination, Service Object, and Action:

#    Source / Port                                             Destination / Port  Service Object      Action
1    User Workstation Apps, User Workstation Mgmt / ephemeral  all nodes / 22      ssh                 Accept
2    User Workstation Apps, User Workstation Mgmt / ephemeral  LB / 80, 443, 444   socks: HTTP, HTTPS  Accept
...  ...                                                       ...                 ...                 Accept
5    Any                                                       Any                 Any                 Drop

Note:

• ephemeral = temporarily taking the next free port


• LB = load-balancer

The figure below shows the default placement of firewalls.


Figure 8: Firewalls in a virtual infrastructure

In Chapter Firewall rules you can find the communication information that helps you to configure the
mandatory default firewalls.

There is communication to and from:

• NetAct workstations (Presentation Tier)


• Upper level systems (via Northbound Interface (NBI))
• Lower level systems (via Southbound Interface (SBI))

There is communication information, for example, for Virtual Machines (VMs):

• VMware
• VMs that host the database
• VMs that host DNS and/or LDAP
• VMs that host ESXi
• VMs that host FM
• VMs that host load-balancer (LB) and/or socks server
• VMs that host the NetAct self-monitoring and/or HPE SIM
• VMs that host NFS
• VMs that host the NodeManager
• VMs that host WebSphere
• VMs that host NWI3 mediations
• VMs that host NX2S and/or XOH mediations
• VMs that host Q3 mediations
• VMs that host vCSA


• VMs that host AVE and AVECP

Note: The following service names refer to WebSphere instances and are covered by the websphere rules:

• pmwas
• syswas
• fmwas
• cmwas
• itsmwas
• intgwas

27.1.1 TCP Session Timeout


TCP keepalive timers matter in a network equipped with firewalls. Every firewall environment defines a TCP session timeout: the time the firewall keeps state for an idle TCP connection before it drops the connection. Set this value according to the system requirements. Firewalls typically default it to 1 hour; in a NetAct environment equipped with firewalls, set it to 10800 seconds (three hours). This value is chosen to exceed the system-level TCP keepalive timers of each platform used in NetAct. Linux has three timers: tcp_keepalive_time, tcp_keepalive_intvl and tcp_keepalive_probes, and their combined effect determines what the firewall timeout must accommodate. With the Linux defaults, the total keepalive cycle is two hours 11 minutes.

Refer to the platform specific administration guides for more information on keepalive timers.
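Added example, not a NetAct tool: a check that the firewall TCP session timeout recommended above outlasts the Linux keepalive cycle on a NetAct VM. It reads the three sysctls from /proc and falls back to the kernel defaults (7200 s, 75 s, 9 probes) when they cannot be read; with those defaults the cycle is 7200 + 75 * 9 = 7875 seconds, the two hours 11 minutes quoted above. The firewall value is passed in through FW_TCP_TIMEOUT, an assumed variable name.

```shell
#!/bin/sh
# Added example, not a NetAct tool: confirm that the firewall TCP session
# timeout outlasts the Linux keepalive cycle on this VM (section 27.1.1).
# FW_TCP_TIMEOUT is an assumed variable name for the firewall's idle timeout.
FW_TCP_TIMEOUT=${FW_TCP_TIMEOUT:-10800}

# sysctl_or <name> <default>: the kernel value, or <default> when /proc is not readable
sysctl_or() { cat "/proc/sys/net/ipv4/$1" 2>/dev/null || echo "$2"; }

# keepalive_total <time> <intvl> <probes>: seconds of silence before Linux
# declares an idle peer dead: first probe after <time>, then <probes> probes <intvl> apart
keepalive_total() { echo $(( $1 + $2 * $3 )); }

# hms <seconds>: human-readable duration
hms() { echo "$(( $1 / 3600 ))h $(( $1 % 3600 / 60 ))m $(( $1 % 60 ))s"; }

# check: compare the keepalive cycle of this host with the firewall timeout
check() {
    t=$(sysctl_or tcp_keepalive_time 7200)
    i=$(sysctl_or tcp_keepalive_intvl 75)
    p=$(sysctl_or tcp_keepalive_probes 9)
    total=$(keepalive_total "$t" "$i" "$p")
    echo "tcp_keepalive_time=$t tcp_keepalive_intvl=$i tcp_keepalive_probes=$p -> $total s ($(hms "$total"))"
    if [ "$FW_TCP_TIMEOUT" -gt "$total" ]; then
        echo "OK: firewall idle timeout ${FW_TCP_TIMEOUT}s outlasts the keepalive cycle"
    else
        echo "WARNING: firewall idle timeout ${FW_TCP_TIMEOUT}s <= ${total}s; raise it above $total s"
        return 1
    fi
}

check || echo "Adjust the firewall TCP session timeout before relying on long-lived sessions."
```

Run it on each NetAct VM after tuning keepalive sysctls; a non-zero exit status means the firewall would drop idle sessions before the keepalive cycle completes.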

27.1.2 Juniper JunOS


Juniper JunOS is a network operating system that includes all needed services bundled into one prod-
uct. The NetAct system uses Juniper SRX240, which has 16 Gigabit ethernet ports and can handle all
the LAN/WAN routing protocols required by NetAct. It includes a policy-based stateful firewall with cen-
tralized management of rules and services. The high availability functions help to prevent loss of traffic
by creating a logical entity with no single point of failure.

For more information, see www.juniper.net/customers/support/

27.1.3 Internet Control Message Protocol

NetAct performs network element state checks on the O&M connections by implementing Internet
Control Message Protocol (ICMP). It is not mandatory to allow ICMP traffic in the customer office
network interface. ICMP traffic should be allowed if there is a need to perform, for example, certain
network troubleshooting procedures between the customer office network and NetAct. Generally firewall
environments are unique and it is impossible to create a universally applicable security policy for all
systems. Therefore it is the responsibility of the firewall administrator to create a proper security
policy model for ICMP communication based on the network infrastructure and functional requirements.

Details about ICMP support for NEs are described in the NE Integration documents. ICMP has to be
allowed for Administration Server to ESXi traffic during installation and for the HPE SIM support.

27.2 Firewall rules

27.2.1 Firewall rules for NetAct workstation


The following firewall rules for NetAct workstations (presentation tier) should be applied to the
corresponding VMs.

| Source | Source Port | Destination | Dest. Port | Application Layer | Transport Layer | Service Object | Description |
|---|---|---|---|---|---|---|---|
| vCSA | ephemeral | User Workstation Mgmt | 9009 | HTTP | TCP | pichat | Used to allow a vCenter Server Appliance to communicate with the vSphere Client. |
| User Workstation Apps | ephemeral | lb-unify-primary | 22 | SSH | TCP | ssh | To allow SSH from user work stations. |
| User Workstation Apps | ephemeral | Higher Level System | 162 | SNMP | UDP | snmp-trap-listener | Used by SNMP Traps |
| User Workstation Mgmt | ephemeral | Higher Level System | 162 | SNMP | UDP | snmp-trap-listener | Used by SNMP Traps |

27.2.2 Firewall rules for All VMs

| Source | Source Port | Destination | Dest. Port | Application Layer | Transport Layer | Service Object | Description |
|---|---|---|---|---|---|---|---|
| ALL_Unify_VM | 323 | Time Server - Higher Level System | 323 | chrony | UDP | chronyd | NetAct server clock time set to actual time from external NTP server |
| ALL_Unify_VM | 123 | Time Server - Higher Level System | 123 | chrony | UDP | chronyd | NetAct server clock time set to actual time from external NTP server |
| User Workstation Mgmt | na | ALL_Unify_VM | na | na | ICMP | na | Connectivity check / troubleshooting optional Echo Request (8) / Echo Reply (0) |
| User Workstation Apps | na | ALL_Unify_VM | na | na | ICMP | na | Connectivity check / troubleshooting optional Echo Request (8) / Echo Reply (0) |

27.2.3 Firewall rules for VMs that host Administration Server

| Source | Source Port | Destination | Dest. Port | Application Layer | Transport Layer | Service Object | Description |
|---|---|---|---|---|---|---|---|
| AS | ephemeral | Time Server - Higher Level System | 123 | chrony | UDP | chronyd | AS clock time set to actual time from external NTP server |
| AS | ephemeral | Time Server - Higher Level System | 323 | chrony | UDP | chronyd | AS clock time set to actual time from external NTP server |
| User Workstation Mgmt | na | AS | na | na | ICMP | na | Connectivity check / troubleshooting optional Echo Request (8) / Echo Reply (0) |
| ESXi | ephemeral | AS | 81 | HTTP | TCP | http | http server |
| ESXi | ephemeral | AS | 53 | DNS | UDP | named | Initial OS installation. Optional. Used when AS is configured as DNS server. |
| User Workstation Mgmt | ephemeral | AS | 22 | SSH | TCP | ssh | Port used to log into a remote machine and execute commands |
| ESXi | ephemeral | AS | 69 | TFTP | UDP | UDP | Initial OS installation. Used for ESXi PXE boot. |
| ESXi | 67 | AS | 67 | BOOTP | TCP/UDP | TCP/UDP-67 | Initial OS installation. Network boot. DHCP. Bootstrap Protocol Server. Listening port on bootp and DHCP servers. |

27.2.4 Firewall rules for CLS_BackEnd

| Source | Source Port | Destination | Dest. Port | Application Layer | Transport Layer | Service Object | Description |
|---|---|---|---|---|---|---|---|
| itsmwas remote | Ephemeral | CLS BackEnd | 443 | HTTPS | TCP | https | Access from SWAM (located at a remote NetAct) to Centralized License Server (CLS) backend node |
| CSCF | Ephemeral | CLS BackEnd | 443 | HTTPS | TCP | https | Access to Centralized License Server (CLS) backend node from CSCF element. |
| NTAS Cloud | Ephemeral | CLS BackEnd | 443 | HTTPS | TCP | https | Access to Centralized License Server (CLS) backend node from NTAS element. |
| User Workstation Apps | Ephemeral | CLS BackEnd | 8443 | HTTPS | TCP | https-alt2 | HTTPS access to Jboss |
| itsmwas | Ephemeral | CLS BackEnd Remote | 443 | HTTPS | TCP | https | Access to Centralized License Server (CLS) backend node (located at a remote NetAct) |

27.2.5 Firewall rules for CLS_FrontEnd

| Source | Source Port | Destination | Dest. Port | Application Layer | Transport Layer | Service Object | Description |
|---|---|---|---|---|---|---|---|
| User Workstation Apps | Ephemeral | CLS FrontEnd | 443 | HTTPS | TCP | https | HTTPS access to CLS web interface |
| User Workstation Apps | Ephemeral | CLS FrontEnd | 80 | HTTP | TCP | http | HTTP access to CLS web interface. Optional: This firewall rule is not required if the respective secure protocol is used. |

27.2.6 Firewall rules for VMs with the database

| Source | Source Port | Destination | Dest. Port | Application Layer | Transport Layer | Service Object | Description |
|---|---|---|---|---|---|---|---|
| User Workstation Apps | ephemeral | DB | 1158 | HTTPS | TCP | tcp-1158 | Port on which Oracle Enterprise Manager is running. This port can be opened if required |

27.2.7 Firewall rules for NAPD

| Source | Source Port | Destination | Dest. Port | Application Layer | Transport Layer | Service Object | Description |
|---|---|---|---|---|---|---|---|
| User Workstation Mgmt | Ephemeral | napd | 8022 | HTTPS | TCP | HTTPS | Used to launch NAPD GUI application from User Work Station. |
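The rule tables in this chapter share one structure (source, source port, destination, destination port, application and transport layer, service object, description), and several rows carry the remark "Optional: This firewall rule is not required if the respective secure protocol is used", which continues through the NBI rules in section 27.2.8. The following is an added example, not NetAct's own tooling: it models a handful of rows copied from sections 27.2.3 and 27.2.5, drops the plaintext rows once the secure counterpart is deployed, and renders the remainder as nftables allow-list text, honouring the fixed source port of the BOOTP row and restricting the ICMP row to Echo Request (8) / Echo Reply (0) rather than all ICMP. The address map uses constructed documentation addresses (TEST-NET ranges); NetAct sites define their own address objects, and Juniper SRX policy would be expressed in JunOS terms rather than nftables.

```python
"""Turn rows of the NetAct firewall rule tables into an allow-list policy.

Added example, not NetAct's own tooling. The rule rows are copied from
sections 27.2.3 and 27.2.5 of this chapter (descriptions shortened); the
address objects are constructed placeholders, since the guide leaves concrete
addresses to the site design.
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class FirewallRule:
    source: str
    source_port: str
    destination: str
    dest_port: str
    app_layer: str
    transport: str
    service_object: str
    description: str

    @property
    def optional_if_secure(self) -> bool:
        # The tables flag plaintext variants with exactly this wording.
        return "not required if the respective secure protocol is used" in self.description


# Rows taken from the tables above (descriptions shortened to the relevant part).
RULES: List[FirewallRule] = [
    FirewallRule("User Workstation Apps", "Ephemeral", "CLS FrontEnd", "443",
                 "HTTPS", "TCP", "https", "HTTPS access to CLS web interface"),
    FirewallRule("User Workstation Apps", "Ephemeral", "CLS FrontEnd", "80",
                 "HTTP", "TCP", "http",
                 "HTTP access to CLS web interface. Optional: This firewall rule "
                 "is not required if the respective secure protocol is used."),
    FirewallRule("ESXi", "67", "AS", "67", "BOOTP", "TCP/UDP", "TCP/UDP-67",
                 "Initial OS installation. Network boot."),
    FirewallRule("User Workstation Mgmt", "na", "AS", "na", "na", "ICMP", "na",
                 "Connectivity check / troubleshooting optional "
                 "Echo Request (8) / Echo Reply (0)"),
]

# Constructed placeholder addresses for the named objects (not from the guide).
ADDRESS_OBJECTS: Dict[str, str] = {
    "User Workstation Apps": "192.0.2.0/25",
    "User Workstation Mgmt": "192.0.2.128/25",
    "CLS FrontEnd": "198.51.100.10",
    "AS": "198.51.100.20",
    "ESXi": "198.51.100.0/24",
}


def select_rules(rules: List[FirewallRule], secure_protocols_in_use: bool = True) -> List[FirewallRule]:
    """Drop the plaintext rows the tables mark as optional once the secure protocol is deployed."""
    return [r for r in rules if not (secure_protocols_in_use and r.optional_if_secure)]


def _fixed_port(port_field: str) -> str:
    """'443' -> '443', '65050 - 65099' -> '65050-65099', 'ephemeral'/'na' -> ''."""
    compact = port_field.replace(" ", "")
    return compact if compact.replace("-", "").isdigit() else ""


def to_nft(rule: FirewallRule, addrs: Dict[str, str]) -> List[str]:
    """Render one table row as nftables rule text, one line per transport protocol."""
    match = f"ip saddr {addrs[rule.source]} ip daddr {addrs[rule.destination]}"
    transport = rule.transport.upper()
    if transport == "ICMP":
        # The tables allow only Echo Request (8) / Echo Reply (0), not all of ICMP.
        return [f"{match} icmp type {{ echo-request, echo-reply }} accept"]
    lines = []
    for proto in transport.split("/"):          # "TCP/UDP" yields two lines
        p = proto.lower()
        parts = [match]
        if _fixed_port(rule.source_port):       # e.g. BOOTP uses a fixed source port
            parts.append(f"{p} sport {_fixed_port(rule.source_port)}")
        parts.append(f"{p} dport {_fixed_port(rule.dest_port)}")
        lines.append(" ".join(parts) + " accept")
    return lines


def render_policy(rules: List[FirewallRule], addrs: Dict[str, str],
                  secure_protocols_in_use: bool = True) -> List[str]:
    """Allow-list for the selected rows; everything else stays on the default drop policy."""
    return [line for r in select_rules(rules, secure_protocols_in_use) for line in to_nft(r, addrs)]


if __name__ == "__main__":
    for line in render_policy(RULES, ADDRESS_OBJECTS):
        print(line)
```

Running it prints four accept lines: the HTTPS row, two BOOTP lines (TCP and UDP, each with source and destination port 67) and the echo-only ICMP row; the HTTP row is omitted because the secure protocol is in use. Passing `secure_protocols_in_use=False` to `render_policy` brings the plaintext row back, which is the case the tables describe as optional.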

27.2.8 Firewall rules for VMs to upper OSS through NBI

Firewall rules for VMs that connect to the upper OSS through the northbound interface (NBI).

| Source | Source Port | Destination | Dest. Port | Application Layer | Transport Layer | Service Object | Description |
|---|---|---|---|---|---|---|---|
| NTCAPP | ephemeral | ZTS LCM | 8082 | HTTPS | TCP | https | NTCApp can send LCM requests to ZTS via Mutual TLS. |
| nbisnmp | 16604 | SNMP Higher Level System | Higher Level System decided | SNMP | UDP | snmp-fm-agent | SNMP agent port published by SNMP NB to export traps |
| SNMP Higher Level System | ephemeral | nbisnmp | 16604 | SNMP | UDP | snmp-fm-agent | SNMP agent port published by SNMP NB to receive request |
| NTCAPP | ephemeral | ZTS LCM | 8076 | HTTPS | TCP | https | NTCApp can send LCM requests to ZTS. |
| NTCAPP | ephemeral | CBAM LCM | 443 | HTTPS | TCP | https | NTCApp can send LCM requests to CBAM. (OR_VNFM_NFVO zone for SOL003 and VE_VNFM_EM zone for SOL002). |
| NTCAPP | ephemeral | CBAM VNF Resource Alarm Management | 443 | HTTPS | TCP | https | NTCApp can send VNF Resource Alarm operation requests to CBAM. (VE_VNFM_EM zone for SOL002). |
| CM Operations WS Higher Level System | ephemeral | LB JBI virtual IP | 80 | HTTP | TCP | tcp-80 | Executing standard CM operations and user defined workflows. Optional: This firewall rule is not required if the respective secure protocol is used |
| CM Operations WS Higher Level System | ephemeral | LB JBI virtual IP | 443 | HTTPS | TCP | tcp-443 | Executing standard CM operations and user defined workflows |
| Higher Level System | ephemeral | nbi3gcom | 65001 | IIOP/TLS | TCP | notification-service | Export CORBA notification service. This is used for all CORBA NBIs to send CORBA notification to notification service. Optional: This firewall rule is not required if the respective insecure protocol is used |
| Higher Level System | ephemeral | nbi3gcom | 65001 | IIOP | TCP | notification-service | Export CORBA notification service. This is used for all CORBA NBIs to send CORBA notification to notification service. Optional: This firewall rule is not required if the respective secure protocol is used |
| nbi3gcom | 65050 - 65090 | Higher Level System | Higher Level System decided | IIOP | TCP | tcp-ephemeral | Higher Level System should expose a port for receiving CORBA notifications. Optional: This firewall rule is not required if the respective secure protocol is used |
| nbi3gcom | 65050 - 65099 | Higher Level System | Higher Level System decided | IIOP | TCP | tcp-ephemeral | Higher Level System should expose a port for receiving CORBA notifications. Optional: This firewall rule is not required if the respective secure protocol is used |
| nbi3gcom | 65050 - 65099 | Higher Level System | Higher Level System decided | IIOP/TLS | TCP | tcp-ephemeral | Higher Level System should expose a port for receiving CORBA notifications. Optional: This firewall rule is not required if the respective insecure protocol is used |
| Higher Level System | ephemeral | nbi3gcom | 65000 | IIOP | TCP | name-service | Exporting CORBA name service for upper level system. This is used for all CORBA NBIs. Customer could get the IOR by accessing the Name Service directly. Optional: This firewall rule is not required if the respective secure protocol is used |
| Higher Level System | ephemeral | nbi3gcom | 65000 | IIOP/TLS | TCP | name-service | Exporting CORBA name service for upper level system. This is used for all CORBA NBIs. Customer could get the IOR by accessing the Name Service directly. Optional: This firewall rule is not required if the respective insecure protocol is used |
| RESTDA Higher Level System | ephemeral | restda | 22 | SSH/SFTP | TCP | ssh | Exporting restda files for users. |
| XML based Inventory Data Export Higher Level System | ephemeral | nbi3gc | 8249 | IIOP | TCP | ft-irp | Access FT IRP in North Bound Interface in IRPAgent 3 Note: This firewall rule is not required if the respective secure protocol is used. |
| XML based Inventory Data Export Higher Level System | ephemeral | nbi3gc | 8249 | IIOP/TLS | TCP | ft-irp | Access FT IRP in North Bound Interface in IRPAgent 3 Note: This firewall rule is not required if the respective insecure protocol is used. |
| XML based Inventory Data Export Higher Level System | ephemeral | nbi3gc | 8269 | IIOP | TCP | ft-irp | Access FT IRP in North Bound Interface in IRPAgent 2 Note: This firewall rule is not required if the respective secure protocol is used. |
| XML based Inventory Data Export Higher Level System | ephemeral | nbi3gc | 8269 | IIOP/TLS | TCP | ft-irp | Access FT IRP in North Bound Interface in IRPAgent 2 Note: This firewall rule is not required if the respective insecure protocol is used. |
| 3GPP XML Format PM Higher Level System | ephemeral | nbi3gc | 8249 | IIOP | TCP | ft-irp | Exporting FT IRP in North Bound Interface in IRPAgent 3 Note: This firewall rule is not required if the respective secure protocol is used. |
| 3GPP XML Format PM Higher Level System | ephemeral | nbi3gc | 8249 | IIOP/TLS | TCP | ft-irp | Exporting FT IRP in North Bound Interface in IRPAgent 3 Note: This firewall rule is not required if the respective insecure protocol is used. |
| 3GPP XML Format PM Higher Level System | ephemeral | nbi3gc | 8252 | IIOP | TCP | notification-irp | Exporting Notification IRP for upper level system in IRPAgent 3 Note: This firewall rule is not required if the respective secure protocol is used. |
| 3GPP XML Format PM Higher Level System | ephemeral | nbi3gc | 8252 | IIOP/TLS | TCP | notification-irp | Exporting Notification IRP for upper level system in IRPAgent 3 Note: This firewall rule is not required if the respective insecure protocol is used. |
| 3GPP XML Format PM Higher Level System | ephemeral | nbi3gc | 8253 | IIOP | TCP | ep-irp | Exporting EP IRP for upper level system in IRPAgent 3 Note: This firewall rule is not required if the respective secure protocol is used. |
| 3GPP XML Format PM Higher Level System | ephemeral | nbi3gc | 8253 | IIOP/TLS | TCP | ep-irp | Exporting EP IRP for upper level system in IRPAgent 3 Note: This firewall rule is not required if the respective insecure protocol is used. |
| 3GPP XML Format PM Higher Level System | ephemeral | nbi3gc | 8254 | IIOP | TCP | cs-irp | Exporting CS IRP for upper level system in IRPAgent 3 Note: This firewall rule is not required if the respective secure protocol is used. |
| 3GPP XML Format PM Higher Level System | ephemeral | nbi3gc | 8254 | IIOP/TLS | TCP | cs-irp | Exporting CS IRP for upper level system in IRPAgent 3 Note: This firewall rule is not required if the respective insecure protocol is used. |
| 3GPP Corba FM Higher Level System | ephemeral | nbi3gc | 8258 | HTTP | TCP | http-ior | Exporting Naming Service ior or EP IRP ior for upper level system in IRPAgent 3 Note: Optional: This firewall rule is not required if the respective secure protocol is used |
| 3GPP Corba FM Higher Level System | ephemeral | nbi3gc | 8258 | SOCKET/TLS | TCP | http-ior | Exporting Naming Service ior or EP IRP ior for upper level system in IRPAgent 3 Note: This firewall rule is not required if the respective insecure protocol is used. |
| 3GPP XML Format PM Higher Level System | ephemeral | nbi3gc | 8258 | HTTP | TCP | http-ior | Exporting Naming Service ior or EP IRP ior for upper level system in IRPAgent 3 Note: This firewall rule is not required if the respective secure protocol is used. |
| 3GPP XML Format PM Higher Level System | ephemeral | nbi3gc | 8258 | HTTPS | TCP | http-ior | Exporting Naming Service ior or EP IRP ior for upper level system in IRPAgent 3 Note: This firewall rule is not required if the respective insecure protocol is used. |
| 3GPP XML Format PM Higher Level System | ephemeral | nbi3gc | 8258 | SOCKET | TCP | http-ior | Exporting Naming Service ior or EP IRP ior for upper level system in IRPAgent 3 Note: This firewall rule is not required if the respective secure protocol is used. |
| 3GPP XML Format PM Higher Level System | ephemeral | nbi3gc | 8258 | SOCKET/TLS | TCP | http-ior | Exporting Naming Service ior or EP IRP ior for upper level system in IRPAgent 3 Note: This firewall rule is not required if the respective insecure protocol is used. |
| 3GPP XML Format PM Higher Level System | ephemeral | nbi3gc | 8269 | IIOP | TCP | ft-irp | Exporting FT IRP in North Bound Interface in IRPAgent 2 Note: This firewall rule is not required if the respective secure protocol is used. |
| 3GPP XML Format PM Higher Level System | ephemeral | nbi3gc | 8269 | IIOP/TLS | TCP | ft-irp | Exporting FT IRP in North Bound Interface in IRPAgent 2 Note: This firewall rule is not required if the respective insecure protocol is used. |
| 3GPP XML Format PM Higher Level System | ephemeral | nbi3gc | 8272 | IIOP | TCP | notification-irp | Exporting Notification IRP for upper level system in IRPAgent 2 Note: This firewall rule is not required if the respective secure protocol is used. |
| 3GPP XML Format PM Higher Level System | ephemeral | nbi3gc | 8272 | IIOP/TLS | TCP | notification-irp | Exporting Notification IRP for upper level system in IRPAgent 2 Note: This firewall rule is not required if the respective insecure protocol is used. |
| 3GPP XML Format PM Higher Level System | ephemeral | nbi3gc | 8273 | IIOP | TCP | ep-irp | Exporting EP IRP for upper level system in IRPAgent 2 Note: This firewall rule is not required if the respective secure protocol is used. |
| 3GPP XML Format PM Higher Level System | ephemeral | nbi3gc | 8273 | IIOP/TLS | TCP | ep-irp | Exporting EP IRP for upper level system in IRPAgent 2 Note: This firewall rule is not required if the respective insecure protocol is used. |
| 3GPP XML Format PM Higher Level System | ephemeral | nbi3gc | 8274 | IIOP | TCP | cs-irp | Exporting CS IRP for upper level system in IRPAgent 2 Note: This firewall rule is not required if the respective secure protocol is used. |
| 3GPP XML Format PM Higher Level System | ephemeral | nbi3gc | 8274 | IIOP/TLS | TCP | cs-irp | Exporting CS IRP for upper level system in IRPAgent 2 Note: This firewall rule is not required if the respective insecure protocol is used. |
| 3GPP Corba FM Higher Level System | ephemeral | nbi3gc | 8278 | HTTPS | TCP | http-ior | Exporting Naming Service ior or EP IRP ior for upper level system in IRPAgent 2 Note: This firewall rule is not required if the respective insecure protocol is used. |
| 3GPP Corba FM Higher Level System | ephemeral | nbi3gc | 8278 | SOCKET/TLS | TCP | http-ior | Exporting Naming Service ior or EP IRP ior for upper level system in IRPAgent 2 Note: This firewall rule is not required if the respective insecure protocol is used. |
| 3GPP XML Format PM Higher Level System | ephemeral | nbi3gc | 8278 | HTTP | TCP | http-ior | Exporting Naming Service ior or EP IRP ior for upper level system in IRPAgent 2 Note: This firewall rule is not required if the respective secure protocol is used. |
| 3GPP XML Format PM Higher Level System | ephemeral | nbi3gc | 8278 | HTTPS | TCP | http-ior | Exporting Naming Service ior or EP IRP ior for upper level system in IRPAgent 2 Note: This firewall rule is not required if the respective insecure protocol is used. |
| 3GPP XML Format PM Higher Level System | ephemeral | nbi3gc | 8278 | SOCKET | TCP | http-ior | Exporting Naming Service ior or EP IRP ior for upper level system in IRPAgent 2 Note: This firewall rule is not required if the respective secure protocol is used. |
| 3GPP XML Format PM Higher Level System | ephemeral | nbi3gc | 8278 | SOCKET/TLS | TCP | http-ior | Exporting Naming Service ior or EP IRP ior for upper level system in IRPAgent 2 Note: This firewall rule is not required if the respective insecure protocol is used. |
| Higher Level System | ephemeral | nbi3gc | 31232 | SOCKET | TCP | tcp-31232 | Optional Port for customer specific NBI usage: Exporting Alarm Message for upper level system |
| Higher Level System | ephemeral | nbi3gc | 31233 | SOCKET | TCP | tcp-31233 | Optional Port for customer specific NBI usage: Exporting Alarm Message for upper level system |
| Higher Level System | ephemeral | nbi3gc | 31234 | SOCKET | TCP | tcp-31234 | Optional Port for customer specific NBI usage: Exporting Alarm Message for upper level system |
| Higher Level System | ephemeral | nbi3gc | 31235 | SOCKET | TCP | tcp-31235 | Optional Port for customer specific NBI usage: Exporting Alarm Message for upper level system |
| Higher Level System | ephemeral | nbi3gc | 31236 | SOCKET | TCP | tcp-31236 | Optional Port for customer specific NBI usage: Exporting Alarm Message for upper level system |
| Higher Level System | ephemeral | nbi3gc | 31237 | SOCKET | TCP | tcp-31237 | Optional Port for customer specific NBI usage: Exporting Alarm Message for upper level system |
| Higher Level System | ephemeral | nbi3gc | 31238 | SOCKET | TCP | tcp-31238 | Optional Port for customer specific NBI usage: Exporting Alarm Message for upper level system |
| Higher Level System | ephemeral | nbi3gc | 31239 | SOCKET | TCP | tcp-31239 | Optional Port for customer specific NBI usage: Exporting Alarm Message for upper level system |
| Higher Level System | ephemeral | nbi3gc | 31240 | SOCKET | TCP | tcp-31240 | Optional Port for customer specific NBI usage: Exporting Alarm Message for upper level system |
| Higher Level System | ephemeral | nbi3gc | 31241 | SOCKET | TCP | tcp-31241 | Optional Port for customer specific NBI usage: Exporting Alarm Message for upper level system |
| XML based Inventory Data Export Higher Level System | ephemeral | nbi3gc | 8298 | HTTPS | TCP | http-ior | Exporting Naming Service ior or EP IRP ior for upper level system Note: This firewall rule is not required if the respective insecure protocol is used. |
| XML based Inventory Data Export Higher Level System | ephemeral | nbi3gc | 8298 | HTTP | TCP | http-ior | Exporting Naming Service ior or EP IRP ior for upper level system Note: Optional: This firewall rule is not required if the respective secure protocol is used |
| XML based Inventory Data Export Higher Level System | ephemeral | nbi3gc | 8298 | SOCKET/TLS | TCP | http-ior | Exporting Naming Service ior or EP IRP ior for upper level system Note: This firewall rule is not required if the respective insecure protocol is used. |
| XML based Inventory Data Export Higher Level System | ephemeral | nbi3gc | 8298 | SOCKET | TCP | http-ior | Exporting Naming Service ior or EP IRP ior for upper level system Note: Optional: This firewall rule is not required if the respective secure protocol is used |
| 3GPP XML Format PM Higher Level System | ephemeral | nbi3gc | 8298 | HTTPS | TCP | http-ior | Exporting Naming Service ior or EP IRP ior for upper level system Note: This firewall rule is not required if the respective insecure protocol is used. |
| 3GPP XML Format PM Higher Level System | ephemeral | nbi3gc | 8298 | HTTP | TCP | http-ior | Exporting Naming Service ior or EP IRP ior for upper level system Note: Optional: This firewall rule is not required if the respective secure protocol is used |
| 3GPP XML Format PM Higher Level System | ephemeral | nbi3gc | 8298 | SOCKET/TLS | TCP | http-ior | Exporting Naming Service ior or EP IRP ior for upper level system Note: Optional: This firewall rule is not required if the respective secure protocol is used |
| 3GPP XML Format PM Higher Level System | ephemeral | nbi3gc | 8298 | SOCKET | TCP | http-ior | Exporting Naming Service ior or EP IRP ior for upper level system Note: This firewall rule is not required if the respective secure protocol is used. |
| nbisnmp | 56604 | SNMP Higher Level System | Higher Level System decided | SNMP | UDP | snmp-fm-agent | Optional Port for customer specific NBI usage: SNMP agent port published by SNMP NBI to export traps |
| 3GPP Corba BulkCM Higher Level System | ephemeral | nbi3gc | 8298 | HTTPS | TCP | http-ior | Exporting Naming Service ior or EP IRP ior for upper level system Note: Optional: This firewall rule is not required if the respective insecure protocol is used |
| 3GPP Corba BulkCM Higher Level System | ephemeral | nbi3gc | 8298 | SOCKET/TLS | TCP | http-ior | Exporting Naming Service ior or EP IRP ior for upper level system Note: Optional: This firewall rule is not required if the respective insecure protocol is used |
| 3GPP Corba FM Higher Level System | ephemeral | nbi3gc | 8298 | HTTP | TCP | http-ior | Exporting Naming Service ior or EP IRP ior for upper level system in IRPAgent 1 Note: Optional: This firewall rule is not required if the respective secure protocol is used. |
| 3GPP Corba FM Higher Level System | ephemeral | nbi3gc | 8298 | SOCKET | TCP | http-ior | Exporting Naming Service ior or EP IRP ior for upper level system in IRPAgent 1 Note: This firewall rule is not required if the respective secure protocol is used. |
| 3GPP Corba FM Higher Level System | ephemeral | nbi3gc | 8298 | SOCKET/TLS | TCP | http-ior | Exporting Naming Service ior or EP IRP ior for upper level system in IRPAgent 1 Note: This firewall rule is not required if the respective insecure protocol is used. |
| 3GPP Corba BulkCM Higher Level System | 20 | nbi3gc | ephemeral | FTP | TCP | export-bulk-cm-irp | Exporting Bulk CM IRP for upper level system Note: This firewall rule is not required if the respective secure protocol is used |
| 3GPP Corba BulkCM Higher Level System | ephemeral | nbi3gc | 8292 | IIOP | TCP | notification-irp | Exporting Notification IRP for upper level system Note: Optional: This firewall rule is not required if the respective insecure protocol is used |
| 3GPP Corba BulkCM Higher Level System | ephemeral | nbi3gc | 8292 | IIOP/TLS | TCP | notification-irp | Exporting Notification IRP for upper level system Note: Optional: This firewall rule is not required if the respective secure protocol is used |
| 3GPP Corba BulkCM Higher Level System | ephemeral | nbi3gc | 8293 | IIOP | TCP | ep-irp | This firewall rule is not required if the respective insecure protocol is used. Note: Optional: This firewall rule is not required if the respective insecure protocol is used |
| 3GPP Corba BulkCM Higher Level System | ephemeral | nbi3gc | 8293 | IIOP/TLS | TCP | ep-irp | Exporting EP IRP for upper level system Note: Optional: This firewall rule is not required if the respective secure protocol is used |
| 3GPP Corba BulkCM Higher Level System | ephemeral | nbi3gc | 8294 | IIOP | TCP | cs-irp | Exporting CS IRP for upper level system Note: Optional: This firewall rule is not required if the respective secure protocol is used |
| 3GPP Corba BulkCM Higher Level System | ephemeral | nbi3gc | 8294 | IIOP/TLS | TCP | cs-irp | Exporting CS IRP for upper level system Note: Optional: This firewall rule is not required if the respective insecure protocol is used |
| 3GPP Corba BulkCM Higher Level System | ephemeral | nbi3gc | 8298 | HTTP | TCP | http-ior | Exporting Naming Service ior or EP IRP ior for upper level system Note: Optional: This firewall rule is not required if the respective secure protocol is used |
| 3GPP Corba BulkCM Higher Level System | ephemeral | nbi3gc | 8298 | SOCKET | TCP | http-ior | Exporting Naming Service ior or EP IRP ior for upper level system Note: Optional: This firewall rule is not required if the respective secure protocol is used |
| Corba Bulk CM Higher Level System | ephemeral | nbi3gc | 8292 | IIOP | TCP | tcp-8292 | Executing CM upload and provisioning of NetAct regional clusters. Note: Optional: This firewall rule is not required if the respective secure protocol is used |
| Corba Bulk CM Higher Level System | ephemeral | nbi3gc | 8293 | IIOP | TCP | tcp-8293 | Executing CM upload and provisioning of NetAct regional clusters. Note: Optional: This firewall rule is not required if the respective secure protocol is used |
| Corba Bulk CM Higher Level System | ephemeral | nbi3gc | 8298 | HTTP | TCP | tcp-8298 | Executing CM upload and provisioning of NetAct regional clusters. Optional: This firewall rule is not required if the respective secure protocol is used |
| Corba Bulk CM Higher Level System | ephemeral | rac3gp | 10200 | IIOP | TCP | tcp-10200 | Executing CM upload and provisioning of NetAct regional clusters. |
| Corba Bulk CM Higher Level System | ephemeral | rac3gp | 10201 | IIOP | TCP | tcp-10201 | Executing CM upload and provisioning of NetAct regional clusters. |
| Corba Bulk CM Higher Level System | ephemeral | nbi3gc | 22 | SSH/SFTP | TCP | tcp-22 | Executing CM upload and provisioning of NetAct regional clusters. |
| nbi3gc | ephemeral | Corba Bulk CM Higher Level System | Higher Level System decided | IIOP | TCP | <undefined> | Higher level System should expose a port for receiving notifications sent by NB directly |
| Corba Bulk CM Higher Level System | ephemeral | nbi3gc | 8298 | HTTPS | TCP | tcp-8298 | Executing CM upload and provisioning of NetAct regional clusters. |
| 3GPP XML Format PM Higher Level System | ephemeral | nbi3gc | 21 | FTP | TCP | ftp | Exporting PM files for upper level system to upload Note: This firewall rule is not required if the respective secure protocol is used. |
| 3GPP XML Format PM Higher Level System | ephemeral | nbi3gc | 22 | SSH/SFTP | TCP | ssh | Exporting PM files for upper level system to upload Note: This firewall rule is not required if the respective insecure protocol is used. |
| CM Data Repository WS Higher Level System | ephemeral | LB WAS virtual IP | 443 | HTTPS | TCP | tcp-443 | Read/Write CM Data in NetAct |
| CM Data Repository WS Higher Level System | ephemeral | LB JBI virtual IP | 80 | HTTP | TCP | tcp-80 | Read/Write CM Data in NetAct. Optional: This firewall rule is not required if the respective secure protocol is used |
| 3GPP Corba BulkCM Higher Level System | ephemeral | rac3gp | 10200 - 10201 | IIOP | TCP | export-bulk-cm-irp | Exporting Bulk CM IRP for upper level system |
| 3GPP Corba BulkCM Higher Level System | ephemeral | rac3gp | 10202 | IIOP/TLS | TCP | export-bulk-cm-irp | Exporting Bulk CM IRP for upper level system |
| 3GPP Corba FM Higher Level System | ephemeral | nbi3gc | 8250 | IIOP | TCP | basic-cm | Exporting BasicCM IRP for upper level system in IRPAgent 3 Note: This firewall rule is not required if the respective secure protocol is used. |
| 3GPP Corba FM Higher Level System | ephemeral | nbi3gc | 8250 | IIOP/TLS | TCP | basic-cm | Exporting BasicCM IRP for upper level system in IRPAgent 3 Note: This firewall rule is not required if the respective insecure protocol is used. |
| 3GPP Corba FM Higher Level System | ephemeral | nbi3gc | 8251 | IIOP | TCP | alarm-irp | Exporting Alarm IRP for upper level system in IRPAgent 3 Note: This firewall rule is not required if the respective secure protocol is used. |
| 3GPP Corba FM Higher Level System | ephemeral | nbi3gc | 8251 | IIOP/TLS | TCP | alarm-irp | Exporting Alarm IRP for upper level system in IRPAgent 3 Note: This firewall rule is not required if the respective insecure protocol is used. |
| 3GPP Corba FM Higher Level System | ephemeral | nbi3gc | 8252 | IIOP | TCP | notification-irp | Exporting Notification IRP for upper level system in IRPAgent 3 Note: This firewall rule is not required if the respective secure protocol is used. |
| 3GPP Corba FM Higher Level System | ephemeral | nbi3gc | 8252 | IIOP/TLS | TCP | notification-irp | Exporting Notification IRP for upper level system in IRPAgent 3 Note: This firewall rule is not required if the respective insecure protocol is used. |
| 3GPP Corba FM Higher Level System | ephemeral | nbi3gc | 8253 | IIOP | TCP | ep-irp | Exporting EP IRP for upper level system in IRPAgent 3 Note: This firewall rule is not required if the respective secure protocol is used. |
| 3GPP Corba FM Higher Level System | ephemeral | nbi3gc | 8253 | IIOP/TLS | TCP | ep-irp | Exporting EP IRP for upper level system in IRPAgent 3 Note: This firewall rule is not required if the respective insecure protocol is used. |
| 3GPP Corba FM Higher Level System | ephemeral | nbi3gc | 8254 | IIOP | TCP | cs-irp | Exporting CS IRP for upper level system in IRPAgent 3 Note: This firewall rule is not required if the respective secure protocol is used. |
| 3GPP Corba FM Higher Level System | ephemeral | nbi3gc | 8254 | IIOP/TLS | TCP | cs-irp | Exporting CS IRP for upper level system in IRPAgent 3 Note: This firewall rule is not required if the respective insecure protocol is used. |
| 3GPP Corba FM Higher Level System | ephemeral | nbi3gc | 8255 | IIOP | TCP | kernel-cm-irp | Exporting KernelCM IRP for upper level system in IRPAgent 3 Note: This firewall rule is not required if the respective secure protocol is used. |
| 3GPP Corba FM Higher Level System | ephemeral | nbi3gc | 8255 | IIOP/TLS | TCP | kernel-cm-irp | Exporting KernelCM IRP for upper level system in IRPAgent 3 Note: This firewall rule is not required if the respective insecure protocol is used. |
| 3GPP Corba FM Higher Level System | ephemeral | nbi3gc | 8270 | IIOP | TCP | basic-cm | Exporting BasicCM IRP for upper level system in IRPAgent 2 Note: This firewall rule is not required if the respective secure protocol is used. |
| 3GPP Corba FM Higher Level System | ephemeral | nbi3gc | 8270 | IIOP/TLS | TCP | basic-cm | Exporting BasicCM IRP for upper level system in IRPAgent 2 Note: This firewall rule is not required if the respective insecure protocol is used. |
| 3GPP Corba FM Higher Level System | ephemeral | nbi3gc | 8271 | IIOP | TCP | alarm-irp | Exporting Alarm IRP for upper level system in IRPAgent 2 Note: This firewall rule is not required if the respec- |


tem tive secure protocol is used.

3GPP Cor- ephemeral nbi3gc 8271 IIOP/ TCP alarm-irp Exporting Alarm IRP for upper level
ba FM High- TLS system in IRPAgent 2 Note: This fire-
er Level Sys- wall rule is not required if the respec-
tem tive insecure protocol is used.

3GPP Cor- ephemeral nbi3gc 8272 IIOP TCP notifica- Exporting Notification IRP for upper
ba FM High- tion-irp level system in IRPAgent 2 Note:
er Level Sys- This firewall rule is not required if the
tem respective secure protocol is used.

3GPP Cor- ephemeral nbi3gc 8272 IIOP/ TCP notifica- Exporting Notification IRP for upper
ba FM High- TLS tion-irp level system in IRPAgent 2 Note:
er Level Sys- This firewall rule is not required if the
tem respective insecure protocol is used.

3GPP Cor- ephemeral nbi3gc 8273 IIOP TCP ep-irp Exporting EP IRP for upper level
ba FM High- system in IRPAgent 2 Note: This fire-
er Level Sys- wall rule is not required if the respec-
tem tive secure protocol is used.

3GPP Cor- ephemeral nbi3gc 8273 IIOP/ TCP ep-irp Exporting EP IRP for upper level
ba FM High- TLS system in IRPAgent 2 Note: This fire-
er Level Sys- wall rule is not required if the respec-
tem tive insecure protocol is used.

3GPP Cor- ephemeral nbi3gc 8274 IIOP TCP cs-irp Exporting CS IRP for upper level
ba FM High- system in IRPAgent 2 Note: This fire-
er Level Sys- wall rule is not required if the respec-
tem tive secure protocol is used.

3GPP Cor- ephemeral nbi3gc 8274 IIOP/ TCP cs-irp Exporting CS IRP for upper level
ba FM High- TLS system in IRPAgent 2 Note: This fire-
er Level Sys- wall rule is not required if the respec-
tem tive insecure protocol is used.

3GPP Cor- ephemeral nbi3gc 8275 IIOP TCP ker- Exporting KernelCM IRP for upper
ba FM High- nel-cm-irp level system in IRPAgent 2 Note:
er Level Sys- This firewall rule is not required if the
tem respective secure protocol is used.

3GPP Cor- ephemeral nbi3gc 8275 IIOP/ TCP ker- Exporting KernelCM IRP for upper
ba FM High- TLS nel-cm-irp level system in IRPAgent 2 Note:
er Level Sys- This firewall rule is not required if the
tem respective insecure protocol is used.

XML based ephemeral nbi3gc 8289 IIOP TCP ft-irp Access FT IRP in North Bound Inter-
Inventory face in IRPAgent 1 Note: This fire-
Data Export wall rule is not required if the respec-
Higher Level tive secure protocol is used.
System

NetAct™ 22 © 2021 Nokia. Nokia Confidential Information 367


Final Use subject to agreed restrictions on disclosure and use.
Administering NetAct System Security DN0979438_C 5-2 Configuring Firewall for NetAct

Appli- Trans-
Service
Source Source Port Destination Dest. Port cation port Description
Object
Layer Layer

XML based ephemeral nbi3gc 8289 IIOP/ TCP ft-irp Access FT IRP in North Bound Inter-
Inventory TLS face in IRPAgent 1 Note: This fire-
Data Export wall rule is not required if the respec-
Higher Level tive insecure protocol is used.
System

3GPP XML ephemeral nbi3gc 8289 IIOP TCP ft-irp Access FT IRP in North Bound Inter-
Format PM face in IRPAgent 1 Note: This fire-
Higher Level wall rule is not required if the respec-
System tive secure protocol is used.

3GPP XML ephemeral nbi3gc 8289 IIOP/ TCP ft-irp Access FT IRP in North Bound Inter-
Format PM TLS face in IRPAgent 1 Note: This fire-
Higher Level wall rule is not required if the respec-
System tive insecure protocol is used.

3GPP Cor- ephemeral nbi3gc 8290 IIOP TCP basic-cm Exporting BasicCM IRP for upper
ba FM High- level system in IRPAgent 1 Note:
er Level Sys- This firewall rule is not required if the
tem respective secure protocol is used.

3GPP Cor- ephemeral nbi3gc 8290 IIOP/ TCP basic-cm Exporting BasicCM IRP for upper
ba FM High- TLS level system in IRPAgent 1 Note:
er Level Sys- This firewall rule is not required if the
tem respective insecure protocol is used.

3GPP Cor- ephemeral nbi3gc 8291 IIOP TCP alarm-irp Exporting Alarm IRP for upper level
ba FM High- system in IRPAgent 1 Note: This fire-
er Level Sys- wall rule is not required if the respec-
tem tive secure protocol is used.

3GPP Cor- ephemeral nbi3gc 8291 IIOP/ TCP alarm-irp Exporting Alarm IRP for upper level
ba FM High- TLS system in IRPAgent 1 Note: This fire-
er Level Sys- wall rule is not required if the respec-
tem tive insecure protocol is used.

3GPP Cor- ephemeral nbi3gc 8292 IIOP TCP notifica- Exporting Notification IRP for upper
ba FM High- tion-irp level system in IRPAgent 1 Note:
er Level Sys- This firewall rule is not required if the
tem respective secure protocol is used.

3GPP Cor- ephemeral nbi3gc 8292 IIOP/ TCP notifica- Exporting Notification IRP for upper
ba FM High- TLS tion-irp level system in IRPAgent 1 Note:
er Level Sys- This firewall rule is not required if the
tem respective insecure protocol is used.

XML based ephemeral nbi3gc 8292 IIOP TCP notifica- Exporting Notification IRP for upper
Inventory tion-irp level system Note: Optional: This
Data Export firewall rule is not required if the re-
Higher Level spective secure protocol is used
System

XML based ephemeral nbi3gc 8292 IIOP/ TCP notifica- Exporting Notification IRP for upper
Inventory TLS tion-irp level system Note: This firewall rule

NetAct™ 22 © 2021 Nokia. Nokia Confidential Information 368


Final Use subject to agreed restrictions on disclosure and use.
Administering NetAct System Security DN0979438_C 5-2 Configuring Firewall for NetAct

Appli- Trans-
Service
Source Source Port Destination Dest. Port cation port Description
Object
Layer Layer

Data Export is not required if the respective inse-


Higher Level cure protocol is used.
System

3GPP XML ephemeral nbi3gc 8292 IIOP TCP notifica- Exporting Notification IRP for upper
Format PM tion-irp level system Note: This firewall rule
Higher Level is not required if the respective se-
System cure protocol is used.

3GPP XML ephemeral nbi3gc 8292 IIOP/ TCP notifica- Exporting Notification IRP for upper
Format PM TLS tion-irp level system Note: This firewall rule
Higher Level is not required if the respective inse-
System cure protocol is used.

3GPP Cor- ephemeral nbi3gc 8293 IIOP TCP ep-irp Exporting EP IRP for upper level
ba FM High- system in IRPAgent 1 Note: This fire-
er Level Sys- wall rule is not required if the respec-
tem tive secure protocol is used.

3GPP Cor- ephemeral nbi3gc 8293 IIOP/ TCP ep-irp Exporting EP IRP for upper level
ba FM High- TLS system in IRPAgent 1 Note: This fire-
er Level Sys- wall rule is not required if the respec-
tem tive insecure protocol is used.

XML based ephemeral nbi3gc 8293 IIOP TCP ep-irp Exporting EP IRP for upper level
Inventory system Note: Optional: This firewall
Data Export rule is not required if the respective
Higher Level secure protocol is used
System

XML based ephemeral nbi3gc 8293 IIOP/ TCP ep-irp Exporting EP IRP for upper level
Inventory TLS system Note: This firewall rule is not
Data Export required if the respective insecure
Higher Level protocol is used.
System

3GPP XML ephemeral nbi3gc 8293 IIOP TCP ep-irp Exporting EP IRP for upper level
Format PM system Note: This firewall rule is not
Higher Level required if the respective secure pro-
System tocol is used.

3GPP XML ephemeral nbi3gc 8293 IIOP/ TCP ep-irp Exporting EP IRP for upper level
Format PM TLS system Note: This firewall rule is not
Higher Level required if the respective insecure
System protocol is used.

3GPP Cor- ephemeral nbi3gc 8294 IIOP TCP cs-irp Exporting CS IRP for upper level
ba FM High- system in IRPAgent 1 Note: This fire-
er Level Sys- wall rule is not required if the respec-
tem tive secure protocol is used.

3GPP Cor- ephemeral nbi3gc 8294 IIOP/ TCP cs-irp Exporting CS IRP for upper level
ba FM High- TLS system in IRPAgent 1 Note: This fire-

NetAct™ 22 © 2021 Nokia. Nokia Confidential Information 369


Final Use subject to agreed restrictions on disclosure and use.
Administering NetAct System Security DN0979438_C 5-2 Configuring Firewall for NetAct

Appli- Trans-
Service
Source Source Port Destination Dest. Port cation port Description
Object
Layer Layer

er Level Sys- wall rule is not required if the respec-


tem tive insecure protocol is used.

XML based ephemeral nbi3gc 8294 IIOP TCP cs-irp Exporting CS IRP for upper level
Inventory system Note: Optional: This firewall
Data Export rule is not required if the respective
Higher Level secure protocol is used
System

XML based ephemeral nbi3gc 8294 IIOP/ TCP cs-irp Exporting CS IRP for upper level
Inventory TLS system Note: This firewall rule is not
Data Export required if the respective insecure
Higher Level protocol is used.
System

3GPP XML ephemeral nbi3gc 8294 IIOP TCP cs-irp Exporting CS IRP for upper level
Format PM system Note: This firewall rule is not
Higher Level required if the respective secure pro-
System tocol is used.

3GPP XML ephemeral nbi3gc 8294 IIOP/ TCP cs-irp Exporting CS IRP for upper level
Format PM TLS system Note: This firewall rule is not
Higher Level required if the respective insecure
System protocol is used.

3GPP Cor- ephemeral nbi3gc 8295 IIOP TCP ker- Exporting KernelCM IRP for upper
ba FM High- nel-cm-irp level system in IRPAgent 1 Note:
er Level Sys- This firewall rule is not required if the
tem respective secure protocol is used.

3GPP Cor- ephemeral nbi3gc 8295 IIOP/ TCP ker- Exporting KernelCM IRP for upper
ba FM High- TLS nel-cm-irp level system in IRPAgent 1 Note:
er Level Sys- This firewall rule is not required if the
tem respective insecure protocol is used.

nbi3gc ephemeral 3GPP Cor- 21 FTP TCP ex- Exporting Bulk CM IRP for upper lev-
ba BulkCM port-bulk- el system Note: This firewall rule is
Higher Level cm-irp not required if the respective secure
System protocol is used

nbi3gc ephemeral 3GPP Cor- 22 SFTP TCP ex- Exporting Bulk CM IRP for upper lev-
ba BulkCM port-bulk- el system
Higher Level cm-irp
System

Higher Level ephemeral nbi3gc 58291 IIOP TCP alarm-irp Optional Port for customer specific
System NBI usage: Exporting Alarm IRP for
upper level system

Higher Level ephemeral nbi3gc 58294 IIOP TCP cs-irp Optional Port for customer specific
System NBI usage: Exporting CS IRP for up-
per level system

NetAct™ 22 © 2021 Nokia. Nokia Confidential Information 370


Final Use subject to agreed restrictions on disclosure and use.
Administering NetAct System Security DN0979438_C 5-2 Configuring Firewall for NetAct

Appli- Trans-
Service
Source Source Port Destination Dest. Port cation port Description
Object
Layer Layer

Higher Level ephemeral nbi3gc 58298 HTTP TCP http-ior Optional Port for customer specific
System NBI usage: Exporting Naming Ser-
vice ior or EP IRP ior for upper level
system

Higher Level ephemeral nbi3gc 58298 SOCK- TCP http-ior Optional Port for customer specific
System ET NBI usage: Exporting Naming Ser-
vice ior or EP IRP ior for upper level
system

Higher Level ephemeral nbi3gc 58299 IIOP TCP 3gpp-cor- Optional Port for customer specific
System ba-bc NBI usage: Exporting iterator part of
Alarm IRP and Basic CM IRP for up-
per level system

SNMP High- ephemeral nbisnmp 56604 SNMP UDP snmp-fm- Optional Port for customer specific
er Level Sys- agent NBI usage: SNMP agent port pub-
tem lished by SNMP NBI to receive re-
quest

nbi3gc ephemeral 3GPP Cor- Higher Level IIOP TCP 3gpp-cor- Higher Level System should
ba FM High- System de- ba-bc expose a port for receiving
er Level Sys- cided heartbeat,alarmsync and cmsync
tem notifications, these notifications are
sent by NBI directly.

3GPP Cor- ephemeral nbi3gc 8258 HTTPS TCP http-ior Exporting Naming Service ior or EP
ba FM High- IRP ior for upper level system in IR-
er Level Sys- PAgent 3 Note: This firewall rule is
tem not required if the respective inse-
cure protocol is used.

3GPP Cor- ephemeral nbi3gc 8258 SOCK- TCP http-ior Exporting Naming Service ior or EP
ba FM High- ET IRP ior for upper level system in IR-
er Level Sys- PAgent 3 Note: This firewall rule is
tem not required if the respective secure
protocol is used.

3GPP Cor- ephemeral nbi3gc 8259 IIOP TCP 3gpp-cor- Exporting iterator part of Alarm IRP
ba FM High- ba-bc and Basic CM IRP for upper level
er Level Sys- system in IRPAgent 3 Note: This fire-
tem wall rule is not required if the respec-
tive secure protocol is used.

3GPP Cor- ephemeral nbi3gc 8259 IIOP/ TCP 3gpp-cor- Exporting iterator part of Alarm IRP
ba FM High- TLS ba-bc and Basic CM IRP for upper level
er Level Sys- system in IRPAgent 3 Note: This fire-
tem wall rule is not required if the respec-
tive insecure protocol is used.

3GPP Cor- ephemeral nbi3gc 8278 HTTP TCP http-ior Exporting Naming Service ior or EP
ba FM High- IRP ior for upper level system in IR-
PAgent 2 Note: This firewall rule is

NetAct™ 22 © 2021 Nokia. Nokia Confidential Information 371


Final Use subject to agreed restrictions on disclosure and use.
Administering NetAct System Security DN0979438_C 5-2 Configuring Firewall for NetAct

Appli- Trans-
Service
Source Source Port Destination Dest. Port cation port Description
Object
Layer Layer

er Level Sys- not required if the respective secure


tem protocol is used.

3GPP Cor- ephemeral nbi3gc 8278 SOCK- TCP http-ior Exporting Naming Service ior or EP
ba FM High- ET IRP ior for upper level system in IR-
er Level Sys- PAgent 2 Note: This firewall rule is
tem not required if the respective secure
protocol is used.

3GPP Cor- ephemeral nbi3gc 8279 IIOP TCP 3gpp-cor- Exporting iterator part of Alarm IRP
ba FM High- ba-bc and Basic CM IRP for upper level
er Level Sys- system in IRPAgent 2 Note: This fire-
tem wall rule is not required if the respec-
tive secure protocol is used.

3GPP Cor- ephemeral nbi3gc 8279 IIOP/ TCP 3gpp-cor- Exporting iterator part of Alarm IRP
ba FM High- TLS ba-bc and Basic CM IRP for upper level
er Level Sys- system in IRPAgent 2 Note: This fire-
tem wall rule is not required if the respec-
tive insecure protocol is used.

XML based ephemeral nbi3gc 21 FTP TCP ftp Exporting Inventory files for upper
Inventory level system to upload Note: This
Data Export firewall rule is not required if the re-
Higher Level spective secure protocol is used.
System

XML based ephemeral nbi3gc 22 SSH/ TCP ssh Exporting Inventory files for upper
Inventory SFTP level system to upload Note: This
Data Export firewall rule is not required if the re-
Higher Level spective insecure protocol is used.
System

3GPP Cor- ephemeral nbi3gc 8298 HTTPS TCP http-ior Exporting Naming Service ior or EP
ba FM High- IRP ior for upper level system in IR-
er Level Sys- PAgent 1 Note: This firewall rule is
tem not required if the respective inse-
cure protocol is used.

3GPP Cor- ephemeral nbi3gc 8299 IIOP TCP 3gpp-cor- Exporting iterator part of Alarm IRP
ba FM High- ba-bc and Basic CM IRP for upper level
er Level Sys- system in IRPAgent 1 Note: This fire-
tem wall rule is not required if the respec-
tive secure protocol is used.

3GPP Cor- ephemeral nbi3gc 8299 IIOP/ TCP 3gpp-cor- Exporting iterator part of Alarm IRP
ba FM High- TLS ba-bc and Basic CM IRP for upper level
er Level Sys- system in IRPAgent 1 Note: This fire-
tem wall rule is not required if the respec-
tive insecure protocol is used.
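Most plaintext rows in the table above (IIOP, HTTP, SOCKET, FTP) are marked as not required when the secure counterpart (IIOP/TLS, HTTPS, SFTP) is used. The script below is an added example, not part of the NetAct documentation: it models a few rows condensed from the table and derives the secure-only rule set, dropping a plaintext row only when its secure counterpart (same source, destination and service object) is present, and listing the ports that must stay reachable per destination afterwards. Helper names (`Rule`, `harden`, `ports_by_destination`) are this example's own.

```python
"""Derive the secure-protocol-only rule set from rows of the NBI table above.

Added example, not part of the NetAct documentation. Sample rows are condensed
from the nbi3gc table; a plaintext row the table marks "not required if the
respective secure protocol is used" is dropped only when its secure
counterpart (same source, destination and service object) is also present.
"""
from collections import defaultdict
from dataclasses import dataclass

SECURE_PROTOCOLS = {"IIOP/TLS", "HTTPS", "SFTP", "SSH/SFTP"}
OPTIONAL_NOTE = "not required if the respective secure protocol is used"


@dataclass(frozen=True)
class Rule:
    source: str
    destination: str
    dest_port: str
    app_protocol: str
    transport: str
    service_object: str
    description: str

    def is_secure(self) -> bool:
        return self.app_protocol in SECURE_PROTOCOLS

    def optional_when_secure(self) -> bool:
        # Only plaintext rows carry this note; the secure rows' mirror note
        # ("...respective insecure protocol...") does not contain the phrase.
        return OPTIONAL_NOTE in self.description

    def key(self):
        # A plaintext row and its secure counterpart share these fields even
        # when the port differs (FTP 21 vs SFTP 22 for export-bulk-cm-irp).
        return (self.source, self.destination, self.service_object)


HLS = "3GPP Corba FM Higher Level System"
BULK = "3GPP Corba BulkCM Higher Level System"
SECURE_NOTE = "Note: This firewall rule is not required if the respective secure protocol is used."
INSECURE_NOTE = "Note: This firewall rule is not required if the respective insecure protocol is used."

# Sample rows condensed from the table above (source port is ephemeral in all of them).
RULES = [
    Rule(HLS, "nbi3gc", "8250", "IIOP", "TCP", "basic-cm",
         "Exporting BasicCM IRP for upper level system in IRPAgent 3. " + SECURE_NOTE),
    Rule(HLS, "nbi3gc", "8250", "IIOP/TLS", "TCP", "basic-cm",
         "Exporting BasicCM IRP for upper level system in IRPAgent 3. " + INSECURE_NOTE),
    Rule(HLS, "nbi3gc", "8258", "HTTPS", "TCP", "http-ior",
         "Exporting Naming Service ior or EP IRP ior in IRPAgent 3. " + INSECURE_NOTE),
    Rule(HLS, "nbi3gc", "8258", "SOCKET", "TCP", "http-ior",
         "Exporting Naming Service ior or EP IRP ior in IRPAgent 3. " + SECURE_NOTE),
    Rule("nbi3gc", BULK, "21", "FTP", "TCP", "export-bulk-cm-irp",
         "Exporting Bulk CM IRP for upper level system. " + SECURE_NOTE),
    Rule("nbi3gc", BULK, "22", "SFTP", "TCP", "export-bulk-cm-irp",
         "Exporting Bulk CM IRP for upper level system."),
    Rule("Higher Level System", "nbi3gc", "58291", "IIOP", "TCP", "alarm-irp",
         "Optional port for customer specific NBI usage: Exporting Alarm IRP."),
]


def harden(rules):
    """Return (kept, dropped, unpaired).

    dropped:  plaintext rows whose secure counterpart is present.
    unpaired: plaintext rows the table calls optional but that have no secure
              counterpart in the input; they are kept so nothing silently breaks.
    """
    secure_keys = {r.key() for r in rules if r.is_secure()}
    kept, dropped, unpaired = [], [], []
    for r in rules:
        if r.is_secure() or not r.optional_when_secure():
            kept.append(r)  # secure rows and plain "Optional port" rows stay
        elif r.key() in secure_keys:
            dropped.append(r)
        else:
            kept.append(r)
            unpaired.append(r)
    return kept, dropped, unpaired


def ports_by_destination(rules):
    """(transport, port) pairs that must stay reachable on each destination."""
    ports = defaultdict(set)
    for r in rules:
        ports[r.destination].add((r.transport, r.dest_port))
    return dict(ports)


if __name__ == "__main__":
    kept, dropped, unpaired = harden(RULES)
    for r in dropped:
        print(f"drop   {r.app_protocol:8} {r.destination}:{r.dest_port} ({r.service_object})")
    for r in unpaired:
        print(f"review {r.app_protocol:8} {r.destination}:{r.dest_port} has no secure counterpart")
    for dest, ports in sorted(ports_by_destination(kept).items()):
        print(f"{dest}: {sorted(ports)}")
```

Note that for IIOP/IIOP-TLS and SOCKET/HTTPS pairs the port number is the same, so dropping the plaintext row changes which listener protocol is relied on rather than which port is open; only the FTP/SFTP pair actually closes a port (21).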


27.2.9 Firewall rules for VMs that host SBI-Common Mediation


Firewall rules for the VMs that communicate with network elements on the south side through the south side interface (SBI).

Source | Source Port | Destination | Dest. Port | Application Layer | Transport Layer | Service Object | Description
SBI-CommonMediation | ephemeral | HSSFE | 8080 | HTTP/SOAP | TCP | http-ne3s-communication | CM, FM, PM SB outgoing request integration for HSSFE. Applicable for the following versions: HSSFE 18.5 onwards, HSSFE 18.5C onwards, HSSFE 18.5VI onwards. Optional: This firewall rule is not required if the respective secure protocol is used (port 8443).
SBI-CommonMediation | ephemeral | HSS | 8080 | HTTP/SOAP | TCP | http-ne3s-communication | FM, PM SB outgoing request integration for HSS VM. Applicable for the following versions: HSS 18.5VI onwards.
SBI-CommonMediation | ephemeral | HSS | 8443 | HTTPS/SOAP | TCP | https-ne3s-communication | Basic CM, FM, PM SB outgoing request integration for HSS VM. Applicable for the following versions: HSS 18.5VI onwards.
SBI-CommonMediation | ephemeral | HSSFE | 8443 | HTTPS/SOAP | TCP | https-ne3s-communication | Basic CM, FM, PM SB outgoing request integration for HSSFE. Applicable for the following versions: HSSFE 18.5 onwards, HSSFE 18.5C onwards, HSSFE 18.5VI onwards.
SBI-CommonMediation | ephemeral | FHGW | 8080 | HTTP/SOAP | TCP | tcp-8080 | FHGW integration in non-TLS mode. Optional: This firewall rule is not required if the respective secure protocol is used.
SBI-CommonMediation | ephemeral | FHGW | 8443 | HTTPS/SOAP | TCP | tcp-8443 | FHGW integration in TLS mode.
SBI-CommonMediation | ephemeral | NREG | 5000-5050 | HTTPS/SOAP | TCP | https-ne3s-communication | Basic FM, PM SB outgoing request to ZTS envoyLB or ZTS Istio. Note: Firewall to be opened for all ZTS envoyLB or ZTS Istio IPs.
SBI-CommonMediation | ephemeral | CNNPC | 5000-5050 | HTTP/SOAP | TCP | http-ne3sws-communication | Basic FM and PM SB outgoing request to ZTS EnvoyLB or ZTS Istio. Note: Firewall to be opened for all ZTS envoyLB or ZTS Istio IPs.
SBI-CommonMediation | ephemeral | CNNPC | 5000-5050 | HTTPS/SOAP | TCP | https-ne3sws-communication | Basic FM and PM SB outgoing request to ZTS EnvoyLB or ZTS Istio. Note: Firewall to be opened for all ZTS envoyLB or ZTS Istio IPs.
SBI-CommonMediation | ephemeral | ECTRL | 22 | SFTP | TCP | sftp-data | For fetching PM data through SFTP from ECTRL.
SBI-CommonMediation | ephemeral | ECTRL | 161 | SNMP | UDP | snmp-get, snmp-set | For SNMP operations to ECTRL.
SBI-CommonMediation | ephemeral | GLS Prov | 22 | SFTP | TCP | isdk-ftp-pm | For fetching Performance Measurement files through SFTP from GLS Provisioning Server.
SBI-CommonMediation | ephemeral | GLS Prov | 18001 | SNMP | UDP | snmp-get | For fetching alarms through SNMP from GLS Provisioning Server.
SBI-CommonMediation | ephemeral | Nokia Mediation | ephemeral | SNMP | UDP | snmp-get | For SNMP operations towards Nokia Mediation.
SBI-CommonMediation | ephemeral | Nokia Mediation | ephemeral | SFTP | TCP | sftp-data | Fetching PM counter files from Nokia Mediation.
isdk-ftp-pm | ephemeral | SNMPDEVICE | 22 | SFTP | TCP | isdk-ftp-pm | For SFTP get operations to SNMPDEVICE.
SBI-CommonMediation | ephemeral | NCOM | 30000-32767 | SNMP | UDP | snmp-get, snmp-set | This configuration is needed for CALM based SNMP configuration to connect to the NCOM Virtual IP. For the ports to be obtained, refer to the Prepare NCOM section.
SBI-CommonMediation | ephemeral | BNGLB | 8443 | HTTPS/SOAP | TCP | https-ne3s-communication | Basic CM, FM, PM SB outgoing request integration for BNGLB. Applicable for the following versions: BNGLB 18.5C onwards.
SBI-CommonMediation | ephemeral | BNGLB | 8080 | HTTP/SOAP | TCP | http-ne3s-communication | Basic CM, FM, PM SB outgoing request integration for BNGLB. Applicable for the following versions: BNGLB 18.5C onwards. Optional: This firewall rule is not required if the respective secure protocol is used (port 8443).
SBI-CommonMediation | ephemeral | PKI | 161 | SNMP | UDP | snmp-get | For SNMP GET operations to PKI and NCM Certificate Expiration Reporting Tool.
SBI-CommonMediation | ephemeral | IMSOAM | 8443 | HTTPS/SOAP | TCP | https-ne3s-communication | Basic CM, FM, PM SB outgoing request integration for IMSOAM. Applicable for the following versions: IMSOAM 18.5VI onwards.
SBI-CommonMediation | ephemeral | IMSOAM | 10351-10500 | HTTPS/SOAP | TCP | https-ne3s-communication | FM, PM SB outgoing request integration for CSCF/CSCF_TD_Core/CSCF_L2TD VM; mapped to CSCF/CSCF_TD_Core/CSCF_L2TD VM port 8443. Applicable for the following versions: CSCF 18.5VI onwards.
SBI-CommonMediation | ephemeral | IMSOAM | 10201-10350 | HTTP/SOAP | TCP | tcp-10201-10250 | FM, PM SB outgoing request integration for CSCF/CSCF_TD_Core/CSCF_L2TD VM; mapped to CSCF/CSCF_TD_Core/CSCF_L2TD VM port 8080. Applicable for the following versions: CSCF 18.5VI onwards.
SBI-CommonMediation | ephemeral | IMSOAM | 8080 | HTTP/SOAP | TCP | http-ne3s-communication | FM, PM SB outgoing request integration for IMS OAM Unit. Applicable for the following versions: IMSOAM 18.5VI onwards.
SBI-CommonMediation | ephemeral | Repo Server | 8080 | HTTP/SOAP | TCP | http-ne3s-communication | FM SB outgoing request integration for Centralized CM Repo Server. Applicable for the following versions: REPOSERVER 18.5CI onwards, REPOSERVER 18.5VI and REPOSERVER 18.5VNF onwards.
SBI-CommonMediation | ephemeral | Repo Server | 7070 | HTTP/SOAP | TCP | http-ne3s-communication | FM SB outgoing request integration for Centralized CM Repo Server. Applicable for the following versions: REPOSERVER 18.5CI onwards, REPOSERVER 18.5VI and REPOSERVER 18.5VNF onwards. Optional: This firewall rule is not required if the respective secure protocol is used (port 7443).
SBI-CommonMediation | ephemeral | Repo Server | 8443 | HTTPS/SOAP | TCP | https-ne3s-communication | Basic CM, FM, PM SB outgoing request integration for REPOSERVER. Applicable for the following versions: REPOSERVER 18.5VI onwards.
SBI-CommonMediation | ephemeral | Repo Server | 7443 | HTTPS/SOAP | TCP | https-ne3s-communication | FM SB outgoing request integration for Centralized CM Repo Server. Applicable for the following versions: REPOSERVER 18.5CI onwards.
SBI-CommonMediation | ephemeral | CSCF | 8080 | HTTP/SOAP | TCP | http-ne3s-communication | Basic CM, FM, PM SB outgoing request integration for CSCF. Optional: This firewall rule is not required if the respective secure protocol is used (port 8443). Applicable for version 18.5C onwards.
SBI-CommonMediation | ephemeral | CSCF-LB | 8080 | HTTP/SOAP | TCP | http-ne3s-communication | FM, PM SB outgoing request integration for CSCF-LB. Applicable for version 18.5VI onwards.
SBI-CommonMediation | ephemeral | CSCF-LB | 8443 | HTTPS/SOAP | TCP | https-ne3s-communication | Basic CM, FM, PM SB outgoing request integration for CSCF-LB. Applicable for version 18.5VI onwards.
SBI-CommonMediation | ephemeral | CSCF | 8443 | HTTPS/SOAP | TCP | https-ne3s-communication | Basic CM, FM, PM SB outgoing request integration for CSCF. Applicable for version 18.5C onwards.
SBI-CommonMediation | ephemeral | NetAct HW | 161 | SNMP | UDP | snmp-get | For SNMP GET/GETBULK operations to NetAct HW. Applicable for the following versions: 1.0, 2.0HP.
SBI-CommonMediation | ephemeral | MRF | 30092 | SNMP | UDP | snmp-get, snmp-set | For fetching data through SNMP from RadiSys Containerized MRF.
SBI-CommonMediation | ephemeral | MRF | 30095 | SFTP | TCP | isdk-ftp-pm | For fetching Performance Measurement files through SFTP from RadiSys MRF. Applicable for RadiSys Containerized MRF.
SBI-CommonMediation | ephemeral | NCS Monitor Cluster | 1161 | SNMP | UDP | isdk-snmp-fm | SNMP outgoing request to NCS.
SBI-CommonMediation | ephemeral | NCS Monitor Cluster | 22 | SFTP | TCP | isdk-ftp-pm | For fetching Performance Measurement files from NCS.
SBI-CommonMediation | ephemeral | ARC Management Node | 8443 | HTTPS/SOAP | TCP | https-ne3s-communication | Basic FM, PM SB outgoing request integration for ARC. Applicable for ARC (OMAgent NE3S/WS).
SBI-CommonMediation | ephemeral | NADCM | 443 | HTTPS | TCP | HTTPS | For HTTPS connection to NADCM to access REST end points to get topology data.
SBI-CommonMediation | ephemeral | SPS-SM | 22 | SFTP | TCP | sftp-data | Fetching PM counter files. The same rule needs to be used for the SPS co-located environment as well.
SBI-CommonMediation | ephemeral | NCC | ephemeral | SFTP | TCP | sftp-data | NetAct fetching PM data through SFTP from NCC.
SBI-CommonMediation | ephemeral | NCC | ephemeral | SNMP | UDP | snmp-get | For SNMP operations to NCC.
SBI-CommonMediation | ephemeral | CSBC | 5000-6000 | HTTPS/SOAP | TCP | http-ne3sws-communication | Basic FM and PM SB outgoing request to ZTS EnvoyLB or ZTS Istio. Note: Firewall to be opened for all ZTS EnvoyLB or ZTS Istio IPs.
SBI-CommonMediation | ephemeral | CSBC | 5000-6000 | HTTP/SOAP | TCP | https-ne3s-communication | Basic FM, PM SB outgoing request to ZTS EnvoyLB or ZTS Istio. Note: Firewall to be opened for all ZTS EnvoyLB or ZTS Istio IPs.
SBI-CommonMediation | ephemeral | CNAAA | 22 | SFTP | TCP | isdk-ftp-pm | Fetching PM counter files.
SBI-CommonMediation | ephemeral | CNAAA | 1161 | SNMP | UDP | isdk-snmp-fm | SNMP FM operations.
SBI-CommonMediation | ephemeral | NTASCN | 5000-5050 | HTTP/SOAP | TCP | http-ne3s-communication | Basic FM and PM SB outgoing request to ZTS EnvoyLB or ZTS Istio. Note: Firewall to be opened for all ZTS envoyLB or ZTS Istio IPs.
SBI-CommonMediation | ephemeral | NTASCN | 5000-5050 | HTTPS/SOAP | TCP | https-ne3s-communication | Basic FM and PM SB outgoing request to ZTS EnvoyLB or ZTS Istio. Note: Firewall to be opened for all ZTS envoyLB or ZTS Istio IPs.
SBI-CommonMediation | ephemeral | NCS Edge Node | ephemeral | SNMP | UDP | isdk-snmp-fm | SNMP outgoing request to NCS.
SBI-CommonMediation | ephemeral | NCS Edge Node | ephemeral | SFTP | TCP | isdk-ftp-pm | For fetching Performance Measurement files from NCS.
SBI-CommonMediation | ephemeral | MicroCFX | 5000-5050 | HTTP/SOAP | TCP | http-ne3sws-communication | Basic FM, PM SB outgoing request to ZTS EnvoyLB or ZTS Istio. Note: Firewall to be opened for all ZTS EnvoyLB or ZTS Istio IPs.
SBI-CommonMediation | ephemeral | MicroCFX | 5000-5050 | HTTPS/SOAP | TCP | https-ne3sws-communication | Basic FM and PM SB outgoing request to ZTS EnvoyLB or ZTS Istio. Note: Firewall to be opened for all ZTS EnvoyLB or ZTS Istio IPs.
SBI-CommonMediation | ephemeral | Registers | 5000-6000 | HTTPS/SOAP | TCP | https-ne3sws-communication | Basic FM and PM SB outgoing request to ZTS EnvoyLB or ZTS Istio. Note: Firewall to be opened for all ZTS EnvoyLB or ZTS Istio IPs.
SBI-CommonMediation | ephemeral | Registers | 5000-6000 | HTTP/SOAP | TCP | http-ne3sws-communication | Basic FM, PM SB outgoing request to ZTS EnvoyLB or ZTS Istio. Note: Firewall to be opened for all ZTS EnvoyLB or ZTS Istio IPs.
SBI-CommonMediation | ephemeral | CNCSD | 5000-5050 | HTTPS/SOAP | TCP | https-ne3sws-communication | Basic FM and PM SB outgoing request to ZTS EnvoyLB or ZTS Istio. Note: Firewall to be opened for all ZTS envoyLB or ZTS Istio IPs.
SBI-CommonMediation | ephemeral | CNCSD | 5000-5050 | HTTP/SOAP | TCP | http-ne3sws-communication | Basic FM and PM SB outgoing request to ZTS EnvoyLB or ZTS Istio. Note: Firewall to be opened for all ZTS envoyLB or ZTS Istio IPs.
SBI-CommonMediation | ephemeral | NEF | 5000-5050 | HTTPS/SOAP | TCP | https-ne3sws-communication | Basic FM and PM SB outgoing request to ZTS EnvoyLB or ZTS Istio. Note: Firewall to be opened for all ZTS envoyLB or ZTS Istio IPs.
SBI-CommonMediation | ephemeral | NEF | 5000-5050 | HTTP/SOAP | TCP | http-ne3sws-communication | Basic FM and PM SB outgoing request to ZTS EnvoyLB or ZTS Istio. Note: Firewall to be opened for all ZTS envoyLB or ZTS Istio IPs.
SBI-CommonMediation | ephemeral | NREG | 5000-5050 | HTTP/SOAP | TCP | http-ne3s-communication | Basic FM, PM SB outgoing request to ZTS envoyLB or ZTS Istio. Note: Firewall to be opened for all ZTS envoyLB or ZTS Istio IPs.
SBI-CommonMediation | ephemeral | ZTS | 5000-6000 | HTTPS/SOAP | TCP | https-ne3sws-communication | Basic FM/PM SB outgoing request to ZTS envoyLB or ZTS Istio. Note: Firewall to be opened for all ZTS envoyLB or ZTS Istio IPs.
SBI-CommonMediation | ephemeral | ZTS | 5000-6000 | HTTP/SOAP | TCP | http-ne3sws-communication | Basic FM/PM SB outgoing request to ZTS envoyLB or ZTS Istio. Note: Firewall to be opened for all ZTS envoyLB or ZTS Istio IPs.
SBI-CommonMediation | ephemeral | DCAP | 9443 | HTTPS/SOAP | TCP | tcp-9443 | Outgoing request to DCAP Load Balancer and DCAP Linux in TLS mode. This rule is only applicable to DCAP Load Balancer and DCAP Linux.
SBI-CommonMediation | ephemeral | DCAP | 9080 | HTTP/SOAP | TCP | tcp-9080 | Outgoing request to DCAP Load Balancer and DCAP Linux in non-TLS mode. This rule is only applicable to DCAP Load Balancer and DCAP Linux.
SBI-CommonMediation | ephemeral | CBND | 161 | SNMP | UDP | snmp-get, snmp-set | This configuration is needed for JOMA based SNMP configuration to connect to the CBND Virtual IP. Note: JOMA based SNMP is not supported from CBND 20.5 onwards in NetAct.
SBI-CommonMediation | ephemeral | CBND | 1162 | SNMP | UDP | snmp-get, snmp-set | This configuration is needed for CALM based SNMP configuration to connect to the CBND VMs. Note: CALM based SNMP configuration is supported from CBND 20.5 onwards in NetAct. Firewalls need to be opened for all VMs from NetAct, as NetAct connects to the VMs, not to the Virtual IP of CBND.
SBI-CommonMediation | ephemeral | Data Refinery | 1161 | SNMP | UDP | snmp-get | FM operations from NetAct.
SBI-CommonMediation | ephemeral | HPE Onboard Administrator | 161 | SNMP | UDP | snmp-get | For SNMP GET/GETBULK operations to HPE Onboard Administrator.
SBI-CommonMediation | ephemeral | HPE Storage System | 161 | SNMP | UDP | snmp-get | For SNMP GET/GETBULK operations to HPE Storage System.
SBI-CommonMediation | ephemeral | HPE Fiber Channel Switch or HPE Switch | 161 | SNMP | UDP | snmp-get | For SNMP GET/GETBULK operations to HPE Fiber Channel Switch or HPE Switch.
SBI-CommonMediation | ephemeral | HPE BladeSystem VirtualConnect FlexFabric | 161 | SNMP | UDP | snmp-get | For SNMP GET/GETBULK operations to HPE BladeSystem VirtualConnect FlexFabric.
SBI-CommonMediation | ephemeral | HPE iLO Module | 161 | SNMP | UDP | snmp-get | For SNMP GET/GETBULK operations to the HPE iLO Module (iLO 4 onwards) for HPE blade and HPE rack-mounted servers.
SBI-CommonMediation | ephemeral | AUS | 5000-5050 | HTTP/SOAP | TCP | http-ne3sws-communication | Basic FM and PM SB outgoing request to ZTS EnvoyLB. Note: Firewall to be opened for all ZTS envoyLB IPs.
SBI-CommonMediation | ephemeral | AUS | 5000-5050 | HTTPS/SOAP | TCP | https-ne3sws-communication | Basic FM and PM SB outgoing request to ZTS EnvoyLB. Note: Firewall to be opened for all ZTS envoyLB IPs.
SBI-CommonMediation | ephemeral | SPS-ME | ephemeral | SNMP | UDP | snmp-get | FM operations from NetAct.

NetAct™ 22 © 2021 Nokia. Nokia Confidential Information 379


Final Use subject to agreed restrictions on disclosure and use.
Administering NetAct System Security DN0979438_C 5-2 Configuring Firewall for NetAct

Appli- Trans-
Service
Source Source Port Destination Dest. Port cation port Description
Object
Layer Layer

SBI-Com- ephemeral SPS-ME 22 SFTP TCP sftp-data Fetching PM counter files


monMedia-
tion

SBI-Com- ephemeral SPS-SM ephemeral SNMP UDP snmp-get FM operations from NetAct. Same
monMedia- rule need to be used for SPS Co-lo-
tion cated environment as well.

SBI-Com- ephemeral TIAMS 8080 HTTP/ TCP http-ne3s- Basic CM, FM, PM SB outgoing re-
monMedia- SOAP communi- quest integration for TIAMS Optional:
tion cation This firewall rule is not required if the
respective secure protocol is used
(port 8443)

SBI-Com- ephemeral TIAMS 8443 HTTPS/ TCP https- Basic CM, FM, PM SB outgoing re-
monMedia- SOAP ne3s- quest integration for TIAMS.
tion communi-
cation

SBI-Com- ephemeral TIAMS 9090 HTTP/ TCP http-ne3s- Basic CM, FM outgoing request in-
monMedia- SOAP communi- tegration for TIAMS(HW Inventory
tion cation management) Optional: This firewall
rule is not required if the respective
secure protocol is used (port 9443)

SBI-Com- ephemeral TIAMS 9443 HTTPS/ TCP https- Basic CM, FM outgoing request in-
monMedia- SOAP ne3s- tegration for TIAMS(HW Inventory
tion communi- management)
cation

SBI-Com- ephemeral NTHLR FE 22 SSH/ TCP NTHLRFE- SFTP data connection, This firewall
monMedia- SFTP IS_SWM rule is required for NTHLR FE Cloud
tion

SBI-Com- ephemeral NTHLR FE 8080 HTTP TCP http- Basic CM, FM, PM SB outgoing re-
monMedia- ne3sws- quest integration for NTHLR FE Ap-
tion communi- plicable for all versions, This firewall
cation rule is required for NTHLR FE Cloud
Optional: This firewall rule is not re-
quired if the respective secure proto-
col is used

SBI-Com- ephemeral NTHLR FE 8443 HTTPS TCP https- Basic CM, FM, PM SB outgoing re-
monMedia- ne3sws- quest integration for NTHLR FE Ap-
tion communi- plicable for all versions
cation

SBI-Com- ephemeral ASI 6080 HTTP/ TCP NE3S/WS ASI integration with non-TLS mode
monMedia- SOAP Optional: This firewall rule is not re-
tion quired if the respective secure proto-
col is used.

NetAct™ 22 © 2021 Nokia. Nokia Confidential Information 380


Final Use subject to agreed restrictions on disclosure and use.
Administering NetAct System Security DN0979438_C 5-2 Configuring Firewall for NetAct

Appli- Trans-
Service
Source Source Port Destination Dest. Port cation port Description
Object
Layer Layer

SBI-Com- ephemeral ASI 6443 HTTPS/ TCP NE3S/WS ASI integration with TLS mode.
monMedia- SOAP
tion

SBI-Com- ephemeral Nokia AAA 1161 SNMP UDP isdk-sn- SNMP outgoing request to Nokia
monMedia- mp-fm AAA. This rule is applicable to Nokia
tion AAA 20.0 cloud solution with CALM.

isdk-sn- ephemeral SNMPDE- 161 SNMP UDP snmp-get For network element discovery
mp-discov- VICE
ery

SBI-Com- ephemeral DP 8060 HTTP/ TCP http-ne3s- Nokia CBRS DP integration with
monMedia- SOAP communi- non-TLS mode. Optional: This fire-
tion cation wall rule is not required if the respec-
tive secure protocol is used.

SBI-Com- ephemeral DP 8059 HTTPS/ TCP http-ne3s- Nokia CBRS DP integration with TLS
monMedia- SOAP communi- mode
tion cation

SBI-Com- ephemeral HSS 8080 HTTP/ TCP http-ne3s- FM, PM SB outgoing request inte-
monMedia- MGMTVNFC SOAP communi- gration for HSS VNF with Manage-
tion cation ment VNFC. Optional: This firewall
rule is not required if the respective
secure protocol is used (port 8443).

SBI-Com- ephemeral CSCF 8080 HTTP/ TCP http-ne3s- FM, PM SB outgoing request inte-
monMedia- MGMTVNFC SOAP communi- gration for CSCF VNF with Manage-
tion cation ment VNFC. Optional: This firewall
rule is not required if the respective
secure protocol is used (port 8443).

SBI-Com- ephemeral CBIS VIP 1161 SNMP UDP snmp-get For aliveness checking of HAProxy
monMedia- and alarm upload
tion

SBI-Com- ephemeral MRF 22 SFTP TCP isdk-ftp- For fetching Performance Mea-
monMedia- pm surements files through SFTP
tion from RadiSys MRF. Applicable for
RadiSys MRF V13, D13.1 and later
releases.

isdk-sn- na SERVER na na ICMP na For ICMP Aliveness Check to NDCS


mp-fm Servers.

isdk-sn- na SWITCH na na ICMP na For ICMP Aliveness Check to NDCS


mp-fm Switches.

isdk-sn- na CBIS VIP na na ICMP na For aliveness checking of HAProxy


mp-fm

isdk-sn- na CBIS CTRL na na ICMP na For aliveness checking of CBIS con-


mp-fm troller

NetAct™ 22 © 2021 Nokia. Nokia Confidential Information 381


Final Use subject to agreed restrictions on disclosure and use.
Administering NetAct System Security DN0979438_C 5-2 Configuring Firewall for NetAct

Appli- Trans-
Service
Source Source Port Destination Dest. Port cation port Description
Object
Layer Layer

isdk-sn- na NCIR CON- na na ICMP na For ICMP Aliveness Check to NCIR


mp-fm TROLLERS CONTROLLERS.

isdk-sn- na NCIR HA na na ICMP na For ICMP Aliveness Check to NCIR


mp-fm Proxy HA Proxy.

SBI-Com- ephemeral Nokia AAA 9161 SNMP UDP isdk-sn- SNMP outgoing request to Nokia
monMedia- mp-fm AAA. This rule is applicable to Nokia
tion AAA 18.0, Nokia AAA 18.0 cloud so-
lution and Nokia AAA 19.0 cloud so-
lution

SBI-Com- ephemeral One-AAA 8443 HTTPS TCP https- Basic CM, FM, PM SB outgoing re-
monMedia- OAM Node ne3sws- quest integration for One-AAA. Ap-
tion communi- plicable for below version One-AAA
cation 7 SP1 One-AAA 8 One-AAA 8 VI
One-AAA 8.1 VI One-AAA 9.0 One-
AAA 9.0 VI One-AAA 10.0 One-AAA
10.0 VI

SBI-Com- ephemeral One-AAA 8080 HTTP TCP http- Basic CM, FM, PM SB outgoing re-
monMedia- OAM Node ne3sws- quest integration for One-AAA. Ap-
tion communi- plicable for below versions One-AAA
cation 6 SP1 One-AAA 7 One-AAA 7 SP1
One-AAA 8 One-AAA 8 VI One-AAA
8.1 VI One-AAA 9.0 One-AAA 9.0
VI One-AAA 10.0 One-AAA 10.0 VI
Optional: This firewall rule is not re-
quired if the respective secure proto-
col is used (port 8443).

SBI-Com- ephemeral Single RAN 8080 HTTP/ TCP tcp-8080 SBTS integration with non-TLS
monMedia- BTS SOAP mode Optional: This firewall rule is
tion not required if the respective secure
protocol is used.

SBI-Com- ephemeral Nokia AAA 22 SFTP TCP isdk-ftp- For fetching Performance Measure-
monMedia- pm ments files from Nokia AAA. For
tion Nokia AAA cloud solution, the des-
tination is the virtual IP address of
OAM nodes.

SBI-Com- ephemeral RFC 161 SNMP UDP snmp-get For SNMP GET/walk operations to
monMedia- RFC
tion

SBI-Com- ephemeral MRBTS 8080 HTTP/ TCP NE3S/WS MRBTS integration with non-TLS
monMedia- SOAP mode Optional: This firewall rule is
tion not required if the respective secure
protocol is used.

NetAct™ 22 © 2021 Nokia. Nokia Confidential Information 382


Final Use subject to agreed restrictions on disclosure and use.
Administering NetAct System Security DN0979438_C 5-2 Configuring Firewall for NetAct

Appli- Trans-
Service
Source Source Port Destination Dest. Port cation port Description
Object
Layer Layer

SBI-Com- ephemeral MRBTS 8443 HTTPS/ TCP NE3S/WS MRBTS integration with TLS mode.
monMedia- SOAP
tion

SBI-Com- ephemeral RFSA 8080 HTTP/ TCP NE3S/WS Outgoing request to RFSA with non-
monMedia- SOAP TLS mode
tion

SBI-Com- ephemeral GROUTER 22 SFTP TCP sftp-data For fetching PM data through SFTP
monMedia- from GROUTER
tion

SBI-Com- ephemeral GROUTER 161 SNMP UDP snmp-get For SNMP operations to GROUTER
monMedia- snmp-set
tion

SBI-Com- ephemeral NRBTS 8443 HTTPS/ TCP tcp-8443 5G BTS integration with TLS mode.
monMedia- SOAP
tion

isdk-sn- ephemeral SNMPDE- 161 SNMP UDP snmp-get Get PM data from SNMPDEVICE
mp-pm VICE

SBI-Com- ephemeral One-EIR 8081 HTTP/ TCP http- Basic CM, FM, PM SB outgoing re-
monMedia- System SOAP ne3sws- quest integration for One-EIR. Ap-
tion Monitor communi- plicable for below versions: One-
cation EIR 5.2, One-EIR 16, One-EIR 16.
5, One-EIR Cloud 16.5, One-EIR 17,
One-EIR Cloud 17, One-EIR 18 on-
wards, One-EIR Cloud 18 onwards.
Optional: For One-EIR 16.5 onwards
and One-EIR Cloud 16.5 onwards,
this firewall rule is not required if the
respective secure protocol is used
(port 8443).

SBI-Com- ephemeral One-EIR 8443 HTTP/ TCP http- Basic CM, FM, PM SB outgoing re-
monMedia- System SOAP ne3sws- quest integration for One-EIR with
tion Monitor communi- TLS support. Applicable for below
cation versions: One-EIR 16.5, One-EIR
Cloud 16.5, One-EIR 17, One-EIR
Cloud 17, One-EIR 18 onwards,
One-EIR Cloud 18 onwards.

isdk-sn- ephemeral SNMPDE- 161 SNMP UDP snmp-get For agent supervision
mp-fm VICE

SBI-Com- ephemeral Data Refin- 22 SFTP TCP sftp-data Fetching PM counter files
monMedia- ery
tion

SBI-Com- ephemeral InfobloxD- 161 SNMP UDP snmp-get For SNMP GET operations to In-
monMedia- NS Passive fobloxDNS Passive Node. Applicable
tion Node for below versions: 8 onwards

NetAct™ 22 © 2021 Nokia. Nokia Confidential Information 383


Final Use subject to agreed restrictions on disclosure and use.
Administering NetAct System Security DN0979438_C 5-2 Configuring Firewall for NetAct

Appli- Trans-
Service
Source Source Port Destination Dest. Port cation port Description
Object
Layer Layer

SBI-Com- ephemeral NPO System 9080 HTTP/ TCP tcp-9080 Outgoing request to NPO with non-
monMedia- SOAP TLS mode
tion

SBI-Com- ephemeral NPO System 7443 HTTPS/ TCP tcp-7443 Outgoing request to NPO with TLS
monMedia- SOAP mode
tion

SBI-Com- ephemeral NCIR HA 8888 HTTPS/ TCP https- FM and PM communication with TLS
monMedia- Proxy SOAP ne3sws- mode.
tion communi-
cation

SBI-Com- ephemeral BIG IP 161 SNMP UDP snmp-get SNMP based GET operation. Applic-
monMedia- able for below version: BIG IP 6900,
tion BIG IP TMOS version 13.

SBI-Com- ephemeral InfobloxDNS 161 SNMP UDP snmp-get For SNMP GET operations to In-
monMedia- fobloxDNS. Applicable for below ver-
tion sions: 8 onwards

SBI-Com- ephemeral NRBTS 8080 HTTP/ TCP tcp-8080 5G BTS integration with non-TLS
monMedia- SOAP mode. Optional: This firewall rule is
tion not required if the respective secure
protocol is used.

SBI-Com- ephemeral EPPSM 22 SFTP TCP sftp-data For fetching PM data through SFTP
monMedia- from EPPSM
tion

SBI-Com- ephemeral EPPSM 161 SNMP UDP snmp-get For SNMP operations to EPPSM
monMedia- snmp-set
tion

SBI-Com- ephemeral eSM virtual 161 SNMP UDP snmp-get For SNMP operations to eSM
monMedia- address snmp-set
tion

SBI-Com- ephemeral SDME Oper- 1161 SNMP UDP snmp-get SNMP based GET/GETBULK opera-
monMedia- ation Service tions to Virtual IP of SDME operation
tion service

SBI-Com- ephemeral SDME Oper- 22 SFTP TCP sftp-data For fetching PM data through SFTP
monMedia- ation Service from Virtual IP of SDME operation
tion service

isdk-sn- ephemeral Nuage 210 161 SNMP UDP snmp-get For SNMP GET operations to 210
mp-pm WBX Switch WBX switch.

isdk-sn- ephemeral Nuage 210 161 SNMP UDP snmp-get For SNMP GET operations to 210
mp-fm WBX Switch WBX switch.

SBI-Com- ephemeral CDRPP 22 SFTP TCP sftp-data For fetching PM data through SFTP
monMedia- from CDRPP/CDRPPGW
tion

NetAct™ 22 © 2021 Nokia. Nokia Confidential Information 384


Final Use subject to agreed restrictions on disclosure and use.
Administering NetAct System Security DN0979438_C 5-2 Configuring Firewall for NetAct

Appli- Trans-
Service
Source Source Port Destination Dest. Port cation port Description
Object
Layer Layer

SBI-Com- ephemeral CDRPP 161 SNMP UDP snmp-get For SNMP operations to CDRPP/
monMedia- snmp-set CDRPPGW
tion

SBI-Com- ephemeral DCAP 8443 HTTPS/ TCP tcp-8443 Outgoing request to DCAP with TLS
monMedia- SOAP mode. This rule is only applicable
tion to DCAP Windows except DCAP17
FP2.

SBI-Com- ephemeral Traffica 161 SNMP UDP snmp-get SNMP GET/SET. Note: This firewall
monMedia- rule applies to version 17isdk and
tion later

SBI-Com- ephemeral DRA 8080 HTTP/ TCP http-ne3s- Basic CM, FM, PM SB outgoing re-
monMedia- SOAP communi- quest integration for DRA. Applic-
tion cation able for below versions: DRA 9.1,
DRA 10.1, DRA 11.0, DRA 15.5C
onwards. Optional: This firewall rule
is not required if the respective se-
cure protocol is used (port 8443).

SBI-Com- ephemeral PCC 8080 HTTP TCP http-alt1 Basic CM, FM, PM SB outgoing re-
monMedia- quest integration for PCC Applicable
tion for all versions, Optional: This fire-
wall rule is not required if the respec-
tive secure protocol is used

SBI-Com- ephemeral MGMTVNFC 8080 HTTP/ TCP http-ne3s- FM, PM SB outgoing request inte-
monMedia- SOAP communi- gration for MGMTVNFC. Applicable
tion cation for below versions: MGMTVNFC 17.
0VI onwards.

SBI-Com- ephemeral DRA-LB 8080 HTTP/ TCP http-ne3s- FM, PM SB outgoing request inte-
monMedia- SOAP communi- gration for DRA-LB. Applicable for
tion cation below version: DRA-LB 15.5VI on-
wards.

SBI-Com- ephemeral MGMTVNFC 8443 HTTPS/ TCP https- Basic CM, FM, PM SB outgoing
monMedia- SOAP ne3s- request integration for MGMTVN-
tion communi- FC. Applicable for below versions:
cation MGMTVNFC 17.0VI onwards.

SBI-Com- ephemeral DRA 8443 HTTPS/ TCP https- Basic FM, PM SB outgoing request
monMedia- SOAP ne3s- integration for DRA. Applicable for
tion communi- below versions: DRA 10.1, DRA 11.
cation 0, DRA 15.5C onwards.

SBI-Com- ephemeral CSCF 8443 HTTPS/ TCP https- FM, PM SB outgoing request inte-
monMedia- MGMTVNFC SOAP ne3s- gration for CSCF VNF with Manage-
tion communi- ment VNFC.
cation

NetAct™ 22 © 2021 Nokia. Nokia Confidential Information 385


Final Use subject to agreed restrictions on disclosure and use.
Administering NetAct System Security DN0979438_C 5-2 Configuring Firewall for NetAct

Appli- Trans-
Service
Source Source Port Destination Dest. Port cation port Description
Object
Layer Layer

SBI-Com- ephemeral HSS 8443 HTTPS/ TCP https- FM, PM SB outgoing request inte-
monMedia- MGMTVNFC SOAP ne3s- gration for HSS VNF with Manage-
tion communi- ment VNFC.
cation

SBI-Com- ephemeral PCC 8443 HTTPS TCP https-ui Basic CM, FM, PM SB outgoing re-
monMedia- quest integration for PCC Applicable
tion for all versions

SBI-Com- ephemeral SS7 9090 HTTP TCP http-alt1 Basic CM, FM, PM SB outgoing re-
monMedia- quest integration for SS7 Applicable
tion for all versions Optional: This firewall
rule is not required if the respective
secure protocol is used

SBI-Com- ephemeral SS7 9443 HTTPS TCP https-ui Basic CM, FM, PM SB outgoing re-
monMedia- quest integration for SS7 Applicable
tion for all versions

SBI-Com- ephemeral NTHLRFE 22 SSH/ TCP NTHLRFE- SFTP data connection


monMedia- Install Server SFTP IS_SWM
tion

isdk-sn- ephemeral SMM 161 SNMP UDP snmp-get For SNMP GET operations to SMM
mp-fm

isdk-sn- ephemeral SMM 161 SNMP UDP snmp-get For SNMP GET operations to SMM
mp-pm

SBI-Com- ephemeral AGCF 161 SNMP UDP snmp-get Fetching PM data and for FM opera-
monMedia- tions from NetAct
tion

SBI-Com- ephemeral Data Refin- 8443 HTTPS/ TCP NE3S/WS Outgoing request to Data Refinery
monMedia- ery SOAP with TLS mode
tion

SBI-Com- ephemeral Data Refin- 8080 HTTP/ TCP NE3S/WS Outgoing request to Data Refinery
monMedia- ery SOAP with non-TLS mode
tion

isdk-sn- ephemeral SERVER 161 SNMP UDP snmp-get For SNMP GET operations to NDCS
mp-pm Servers.

isdk-sn- ephemeral SERVER 161 SNMP UDP snmp-get For SNMP GET operations to NDCS
mp-fm Servers.

isdk-sn- ephemeral NCIR HA 161 SNMP UDP snmp-get For SNMP GET operations to NCIR
mp-fm Proxy HA Proxy.

isdk-ftp-pm ephemeral CBIS HV 22 SFTP TCP isdk-ftp- For SFTP get operations to CBIS
pm

isdk-sn- ephemeral ENETNODE 161 SNMP UDP snmp-get For aliveness checking of Eden-NET
mp-fm self-monitoring node.

NetAct™ 22 © 2021 Nokia. Nokia Confidential Information 386


Final Use subject to agreed restrictions on disclosure and use.
Administering NetAct System Security DN0979438_C 5-2 Configuring Firewall for NetAct

Appli- Trans-
Service
Source Source Port Destination Dest. Port cation port Description
Object
Layer Layer

isdk-sn- ephemeral CBIS VIP 161 SNMP UDP snmp-get For aliveness checking of HAProxy
mp-fm

isdk-sn- ephemeral Juniper 161 SNMP UDP sn- For SNMP GET/walk operations to
mp-fm mp-trap- Juniper
get

isdk-sn- ephemeral Juniper 161 SNMP UDP sn- For SNMP GET/walk operations to
mp-pm mp-trap- Juniper
get

isdk-sn- ephemeral SWITCH 161 SNMP UDP snmp-get For SNMP GET operations to NDCS
mp-pm Switches.

isdk-sn- ephemeral SWITCH 161 SNMP UDP snmp-get For SNMP GET operations to NDCS
mp-fm Switches.

isdk-sn- ephemeral FPRB 161 SNMP UDP snmp-get For SNMP GET operations to FPRB.
mp-fm

isdk-sn- ephemeral FPRB 161 SNMP UDP snmp-get For SNMP GET operations to FPRB.
mp-pm

SBI-Com- ephemeral IECCF 161 SNMP UDP snmp-get FM operations from NetAct
monMedia-
tion

SBI-Com- ephemeral IECCF 22 SFTP TCP sftp-data Fetching PM counter files


monMedia-
tion

SBI-Com- ephemeral eSM virtual 22 SFTP TCP sftp-data For SFTP connection to get perfor-
monMedia- address mance data of eSM
tion

SBI-Com- ephemeral OCS 22 SFTP TCP sftp-data For fetching PM data through SFTP
monMedia- from OCS
tion

SBI-Com- ephemeral RDR 22 SFTP TCP sftp-data For fetching PM data through SFTP
monMedia- from RDR
tion

SBI-Com- ephemeral OCS 161 SNMP UDP snmp-get For SNMP operations to OCS
monMedia- snmp-set
tion

SBI-Com- ephemeral RDR 161 SNMP UDP snmp-get For SNMP operations to RDR
monMedia- snmp-set
tion

SBI-Com- ephemeral eCGS 22 SFTP TCP sftp-data For fetching PM data through SFTP
monMedia- from eCGS
tion

NetAct™ 22 © 2021 Nokia. Nokia Confidential Information 387


Final Use subject to agreed restrictions on disclosure and use.
Administering NetAct System Security DN0979438_C 5-2 Configuring Firewall for NetAct

Appli- Trans-
Service
Source Source Port Destination Dest. Port cation port Description
Object
Layer Layer

SBI-Com- ephemeral eCGS 161 SNMP UDP snmp-get For SNMP operations to eCGS
monMedia- snmp-set
tion

Nokia MRF 1165 SBI-Com- ephemeral SNMP UDP snmp-get Only used in Duplex mode and High
monMedia- Availability mode for SNMP GET.
tion Nokia MRF address: MRFC MNGT
physical IP addresses

SBI-Com- ephemeral Nokia De- 8001 SNMP UDP isdk-sn- SNMP outgoing request to Nokia De-
monMedia- composed mp-fm composed SBC Signaling Plane
tion SBC Signal-
ing Plane

SBI-Com- ephemeral Nokia De- 22 SFTP TCP isdk-ftp- For receiving Performance Measure-
monMedia- composed pm ments files from Nokia Decomposed
tion SBC Signal- SBC Signaling Plane
ing Plane

SBI-Com- ephemeral Nokia Inte- 22 SFTP TCP isdk-ftp- For receiving Performance Measure-
monMedia- grated SBC pm ments files from Nokia Integrated
tion SBC

SBI-Com- ephemeral Nokia MRF 22 SFTP TCP sftp For SFTP connection to get per-
monMedia- formance data (Nokia MRF ad-
tion dress: use MRFC MNGT IP address
for Simplex mode, and use MR-
FC MNGT VIP address and MRFC
MNGT physical IP addresses both
Duplex mode and High Availability
mode)

SBI-Com- ephemeral Nokia De- 161 SNMP UDP snmp-get For fetching data through SNMP
monMedia- composed snmp-set from Nokia Decomposed SBC Media
tion SBC Media Plane
Plane

SBI-Com- ephemeral MRF 161 SNMP UDP snmp-get For fetching data through SNMP
monMedia- snmp-set from RadiSys MRF
tion

SBI-Com- ephemeral Nokia MRF 1165 SNMP UDP snmp-get For SNMP GET operation to Nokia
monMedia- MRF (Nokia MRF address: use MR-
tion FC MNGT IP address for Simplex
mode and use MRFC MNGT VIP
address for Duplex mode and High
Availability mode)

SBI-Com- ephemeral ASCBTS 8443 HTTPS/ TCP tcp-8443 AirScale Cloud BTS integration with
monMedia- SOAP TLS mode.
tion

NetAct™ 22 © 2021 Nokia. Nokia Confidential Information 388


Final Use subject to agreed restrictions on disclosure and use.
Administering NetAct System Security DN0979438_C 5-2 Configuring Firewall for NetAct

Appli- Trans-
Service
Source Source Port Destination Dest. Port cation port Description
Object
Layer Layer

SBI-Com- ephemeral FCOSS 21 FTP TCP ftp-data PM FTP outgoing request for Flexi
monMedia- Cluster
tion

SBI-Com- ephemeral FCOSS 22 SFTP TCP sftp-data PM SFTP outgoing request for Flexi
monMedia- Cluster Optional: This firewall rule is
tion not required if the respective secure
protocol is used

FCOSS 10020 SBI-Com- ephemeral FTP TCP ftp-data FTP file transfer
monMedia-
tion

SBI-Com- ephemeral One-MNP 8081 HTTP/ TCP http- Basic CM, FM, PM SB outgoing re-
monMedia- System SOAP ne3sws- quest integration for One-MNP. Ap-
tion Monitor communi- plicable for below versions: One-
cation MNP 15.5, One-MNP 16, One-MNP
16.5, One-MNP Cloud 16.5, One-
MNP 17, One-MNP Cloud 17, One-
MNP 18, One-MNP Cloud 18. Op-
tional: For One-MNP 16.5 onwards
and One-MNP Cloud 16.5 onwards,
this firewall rule is not required if the
respective secure protocol is used
(port 8443).

SBI-Com- ephemeral One-MNP 8443 HTTP/ TCP http- Basic CM, FM, PM SB outgoing re-
monMedia- System SOAP ne3sws- quest integration for One-MNP with
tion Monitor communi- TLS support. Applicable for below
cation versions: One-MNP 16.5, One-MNP
Cloud 16.5, One-MNP 17, One-MNP
Cloud 17, One-MNP 18, One-MNP
Cloud 18.

SBI-Com- ephemeral Sun Rack 161 SNMP UDP snmp-get For SNMP GET/GETBULK opera-
monMedia- Server tions to Sun Rack Server
tion

SBI-Com- ephemeral NPC 9080 HTTP/ TCP tcp-9080 Outgoing request to NPC with non-
monMedia- SOAP TLS mode
tion

SBI-Com- ephemeral NPC 9443 HTTPS/ TCP tcp-9443 Outgoing request to NPC with TLS
monMedia- SOAP mode
tion

SBI-Com- ephemeral DSC CS 22 SFTP TCP ftp-data NetAct for fetching PM data through
monMedia- SFTP from DSC CS Applicable for
tion below version: DSC 17.4

SBI-Com- ephemeral DSC PS 22 SFTP TCP ftp-data NetAct for fetching PM data through
monMedia- SFTP from DSC CS Applicable for
tion below version: DSC 17.4

NetAct™ 22 © 2021 Nokia. Nokia Confidential Information 389


Final Use subject to agreed restrictions on disclosure and use.
Administering NetAct System Security DN0979438_C 5-2 Configuring Firewall for NetAct

Appli- Trans-
Service
Source Source Port Destination Dest. Port cation port Description
Object
Layer Layer

SBI-Com- ephemeral SDL Teleme- 22 SFTP TCP sftp-data For fetching PM data through SFTP
monMedia- try Service from Virtual IP of SDL VNF telemetry
tion service

SBI-Com- ephemeral PGW 22 SFTP TCP sftp-data For fetching PM data through SFTP
monMedia- Telemetry from Virtual IP of PGW VNF teleme-
tion Service try service

SBI-Com- ephemeral CBAM O&M 443 HTTPS/ TCP https- Basic FM outgoing request integra-
monMedia- Agent SOAP ne3sws- tion for CBAM Applicable
tion communi-
cation

SBI-Com- ephemeral SDL Teleme- 1161 SNMP UDP snmp-get SNMP based GET/GETBULK op-
monMedia- try Service erations to Virtual IP of SDL VNF
tion telemetry service

SBI-Com- ephemeral PGW 1161 SNMP UDP snmp-get SNMP based GET/GETBULK op-
monMedia- Telemetry erations to Virtual IP of PGW VNF
tion Service telemetry service

SBI-Com- ephemeral NTAS Cloud 8080 HTTP TCP NE3S/WS NTAS integration in no TLS mode
monMedia- Optional: This firewall rule is not re-
tion quired if the respective secure proto-
col is used (port 8443)

SBI-Com- ephemeral NTAS Cloud 8443 HTTPS TCP NE3S/WS NTAS integration in TLS mode
monMedia-
tion

SBI-Com- ephemeral DCAP 8080 HTTP/ TCP tcp-8080 Outgoing request to DCAP with non-
monMedia- SOAP TLS mode. This rule is only applica-
tion ble to DCAP Windows.

SBI-Com- ephemeral EMC 161 SNMP UDP snmp-get SNMP based GET operation. Ap-
monMedia- plicable for below versions: EMC
tion CX4-120, EMC VNX5100.

SBI-Com- ephemeral Flexi NG 8059 HTTPS/ TCP tcp-8059 FM&PM function integration with
monMedia- SOAP TLS mode: Flexi NG17 onwards
tion

SBI-Com- ephemeral Nokia Inte- 8001 SNMP UDP isdk-sn- SNMP outgoing request to Nokia In-
monMedia- grated SBC mp-fm tegrated SBC
tion

SBI-Com- ephemeral BTSMED 8080 HTTP/ TCP NE3S/WS BTSMED integration with non-TLS
monMedia- SOAP mode Optional: This firewall rule is
tion not required if the respective secure
protocol is used. This port is also
used in SOAM BTS integration.

SBI-Com- ephemeral BTSMED 8443 HTTPS/ TCP NE3S/WS BTSMED integration with TLS mode.
monMedia- SOAP This port is also used in SOAM BTS
tion integration.

NetAct™ 22 © 2021 Nokia. Nokia Confidential Information 390


Final Use subject to agreed restrictions on disclosure and use.
Administering NetAct System Security DN0979438_C 5-2 Configuring Firewall for NetAct

Appli- Trans-
Service
Source Source Port Destination Dest. Port cation port Description
Object
Layer Layer

SBI-Com- ephemeral DDE 22 SFTP TCP sftp-data NetAct for fetching PM data through
monMedia- SFTP from DDE
tion

SBI-Com- ephemeral DDE 161 SNMP UDP snmp-get For SNMP operations to DDE
monMedia- snmp-set
tion

SBI-Com- ephemeral SM 22 SFTP TCP sftp-data NetAct for fetching PM data through
monMedia- SFTP from Service Manager
tion

SBI-Com- ephemeral SM 161 SNMP UDP snmp-get For SNMP operations to Service
monMedia- snmp-set Manager
tion

SBI-Com- ephemeral Open MGW 8059 HTTPS/ TCP tcp-8059 OMGW integration with TLS mode
monMedia- SOAP
tion

SBI-Com- ephemeral Nokia AAA 161 SNMP UDP isdk-sn- SNMP outgoing request to Nokia
monMedia- mp-fm AAA. This rule is only applicable to
tion Nokia AAA 10.0.

isdk-cor- ephemeral isdk-cor- 32100 IIOP TCP isdk-cor- CORBA ORBD Initial port
ba-fm ba-fm ba-fm

isdk-cor- ephemeral isdk-cor- 32101 IIOP TCP isdk-cor- CORBA ORBD OAPORT
ba-fm ba-fm ba-fm

isdk-cor- ephemeral isdk-cor- 32102 IIOP TCP isdk-cor- CORBA NOTIFICATION SERVICE
ba-fm ba-fm ba-fm

isdk-cor- ephemeral isdk-cor- 32103 IIOP TCP isdk-cor- CORBA SSL support
ba-fm ba-fm ba-fm

TI- ephemeral SBI-Com- 22 SFTP TCP sftp For receiving PM counters files from
TAN-MASTER monMedia- TITAN MASTER
tion

SBI-Com- ephemeral TI- 161 SNMP UDP snmp-get Mediation do SNMPGet for ISDK
monMedia- TAN-MASTER
tion

SBI-Com- ephemeral TI- 161 SNMP UDP snmp-get Mediation do SNMPGet for ISDK
monMedia- TAN-EDGE
tion

SBI-Com- ephemeral DSC PS 161 SNMP UDP snmp-get For SNMP GET/GETBULK opera-
monMedia- tions to DSC PS Applicable for be-
tion low versions: DSC 9.0 R3,DSC 9.0
R5,DSC 17.4

SBI-Com- ephemeral DSC CS 161 SNMP UDP snmp-get For SNMP GET/GETBULK opera-
monMedia- tions to DSC CS Applicable for be-
tion

NetAct™ 22 © 2021 Nokia. Nokia Confidential Information 391


Final Use subject to agreed restrictions on disclosure and use.
Administering NetAct System Security DN0979438_C 5-2 Configuring Firewall for NetAct

Appli- Trans-
Service
Source Source Port Destination Dest. Port cation port Description
Object
Layer Layer

low versions: DSC 9.0 R3,DSC 9.0


R5,DSC 17.4

CWLC ephemeral SBI-Com- 30505 HTTP TCP tcp-30505 NE3S/WS SMI for CWLC FM/PM no-
monMedia- tification Optional: This firewall rule is
tion not required if the respective secure
protocol is used

CWLC ephemeral SBI-Com- 30510 HTTPS TCP tcp-30510 NE3S/WS SMI for CWLC FM/PM no-
monMedia- tification
tion

SBI-Com- ephemeral One-NDS 8092 HTTPS/ TCP http- Basic CM, FM, PM, SWM SB out-
monMedia- Status Ser- SOAP ne3sws- going request integration for One-
tion vice communi- NDS with TLS support. Applicable
cation for below versions: One-NDS 16.5;
One-NDS 17; One-NDS 19. Note:
SWM supported from One-NDS 17
onwards.

SBI-Com- ephemeral CWLC 8059 HTTPS/ TCP tcp-8059 Nokia Wi-Fi integration with TLS
monMedia- SOAP mode
tion

SBI-Com- ephemeral CWLC 8060 HTTP/ TCP tcp-8060 Nokia Wi-Fi integration with non-TLS
monMedia- SOAP mode Optional: This firewall rule is
tion not required if the respective secure
protocol is used

SBI-Com- ephemeral ASCBTS 8080 HTTP/ TCP tcp-8080 AirScale Cloud BTS integration with
monMedia- SOAP non-TLS mode. Optional: This fire-
tion wall rule is not required if the respec-
tive secure protocol is used.

SBI-Com- ephemeral Open BGW 8060 HTTP/ TCP tcp-8060 OBGW integration with non-TLS
monMedia- Cloud SOAP mode
tion

SBI-Com- ephemeral SPM OAM 8080 HTTP TCP http- Basic CM, FM, PM SB outgoing re-
monMedia- node ne3sws- quest integration for SPM. Applicable
tion communi- for below version SPM 2.0 SPM 3.
cation 0 SPM 3.0 VI Optional: This firewall
rule is not required if the respective
secure protocol is used (port 8443).

SBI-Com- ephemeral SPM OAM 8443 HTTPS TCP https- Basic CM, FM, PM SB outgoing re-
monMedia- node ne3sws- quest integration for SPM. Applicable
tion communi- for below version SPM 2.0 SPM 3.0
cation SPM3.0 VI

SBI-Com- ephemeral Open TAS 8059 HTTPS TCP gen-med- Open TAS Cloud SEE integration
monMedia- Cloud SEE mgt-da- with TLS mode
tion ta-up-
load-https

NetAct™ 22 © 2021 Nokia. Nokia Confidential Information 392


Final Use subject to agreed restrictions on disclosure and use.
Administering NetAct System Security DN0979438_C 5-2 Configuring Firewall for NetAct

Source | Source Port | Destination | Dest. Port | Application Layer | Transport Layer | Service Object | Description
--- | --- | --- | --- | --- | --- | --- | ---
SBI-CommonMediation | ephemeral | One-NDS Administrator Server | 11000 | HTTPS | TCP | gen-med-mgt-data-upload-https | HWM/SWM HTTPS service. Applicable for below versions: One-NDS 9 SP2; One-NDS 16; One-NDS 16.5.
SBI-CommonMediation | ephemeral | One-NDS Provisioning Gateway Server | 11000 | HTTPS | TCP | gen-med-mgt-data-upload-https | HWM/SWM HTTPS service. Applicable for below versions: One-NDS 9 SP2; One-NDS 16; One-NDS 16.5.
SBI-CommonMediation | ephemeral | One-NDS Directory Server | 11000 | HTTPS | TCP | gen-med-mgt-data-upload-https | HWM/SWM HTTPS service. Applicable for below versions: One-NDS 9 SP2; One-NDS 16; One-NDS 16.5.
SBI-CommonMediation | ephemeral | MRF | 161 | SNMP | UDP | snmp-get | Mediation does SNMPGet while doing Integration Data Upload for MRF MPX-12000.
SBI-CommonMediation | ephemeral | One-NDS Status Service | 8090 | HTTP/SOAP | TCP | http-ne3sws-communication | Basic CM, FM, PM, SWM SB outgoing request integration for One-NDS. Applicable for below versions: One-NDS 9 SP2; One-NDS 16; One-NDS 16.5; One-NDS 17; One-NDS 19. Optional: From One-NDS 16.5, this firewall rule is not required if the respective secure protocol is used (port 8092). Note: SWM supported from One-NDS 17 onwards.
SBI-CommonMediation | ephemeral | Single RAN BTS | 8443 | HTTPS/SOAP | TCP | tcp-8443 | SBTS integration with TLS mode.
SBI-CommonMediation | ephemeral | SBTS | 8080 | HTTP/SOAP | TCP | tcp-8080 | SBTS integration with non-TLS mode. Optional: This firewall rule is not required if the respective secure protocol is used. Note: During the Plug and Play Process, this firewall rule must be applied additionally for SBTS using the temporary IP address.
SBI-CommonMediation | ephemeral | SBTS | 8443 | HTTPS/SOAP | TCP | tcp-8443 | SBTS integration with TLS mode. Note: During the Plug and Play Process, this firewall rule must be applied additionally for SBTS using the temporary IP address.
SBI-CommonMediation | ephemeral | DXT | 20 | FTP | TCP | ftp-data | PM Files FTP outgoing request integration for DXT. Note: This firewall rule is not required if the respective secure protocol is used.

Source | Source Port | Destination | Dest. Port | Application Layer | Transport Layer | Service Object | Description
--- | --- | --- | --- | --- | --- | --- | ---
SBI-CommonMediation | ephemeral | DXT | 21 | FTP | TCP | ftp-data | PM Files FTP outgoing request integration for DXT. Note: This firewall rule is not required if the respective secure protocol is used.
SBI-CommonMediation | ephemeral | DXT | 22 | SFTP | TCP | sftp-data | PM Files SFTP outgoing request integration for DXT.
FZCP | ephemeral | SBI-CommonMediation | 30510 | HTTPS | TCP | tcp-30510 | NE3S/WS SMI for FZC FM/PM notification.
FZCP | ephemeral | SBI-CommonMediation | 30505 | HTTP | TCP | tcp-30505 | NE3S/WS SMI for FZC FM/PM notification. Optional: This firewall rule is not required if the respective secure protocol is used.
SBI-CommonMediation | ephemeral | FZCP | 8059 | HTTPS | TCP | tcp-8059 | FZCP integration with TLS mode.
SBI-CommonMediation | ephemeral | FZCP | 8060 | HTTP | TCP | tcp-8060 | FZCP integration with non-TLS mode. Optional: This firewall rule is not required if the respective secure protocol is used.
SBI-CommonMediation | ephemeral | iNUM OAM Node | 8443 | HTTPS/SOAP | TCP | https-ne3sws-communication | Basic CM, FM, PM SB outgoing request integration for iNUM OAM Unit with TLS support. Applicable for below versions: iNUM v15.5 bare-metal; iNUM v16 bare-metal; iNUM v16.5 bare-metal; iNUM v17 bare-metal.
SBI-CommonMediation | ephemeral | PCS5000 | 8080 | HTTP/SOAP | TCP | http-ne3sws-communication | Basic CM, FM, PM, SB outgoing request integration for PCS5000. Applicable for below versions: PCS5000 6.2; PCS5000 6.3ATCA; PCS5000 6.3RMS. NOTE: HTTPS is not supported.
SBI-CommonMediation | ephemeral | @vantage Commander | 22 | SFTP | TCP | ftp-data | NetAct uses SFTP to get PM 3GPP files from @vantage Commander for PCS5000 PM.
SBI-CommonMediation | ephemeral | SBI-CommonMediation | 32000 | IIOP | TCP | tcp-32000 | Naming Service for hosting 3GPP CORBA consumer.
SBI-CommonMediation | ephemeral | Flexi NG | 22 | SFTP | TCP | ftp-data | AOM SFTP outgoing request integration for Flexi NG. Applicable for below versions: Flexi NG 2.x.

Source | Source Port | Destination | Dest. Port | Application Layer | Transport Layer | Service Object | Description
--- | --- | --- | --- | --- | --- | --- | ---
SBI-CommonMediation | ephemeral | Flexi NG | 161 | SNMP | UDP | snmp-trap-get | AOM SNMP outgoing request integration for Flexi NG. Applicable for below versions: Flexi NG 2.x.
SBI-CommonMediation | ephemeral | iNUM OAM Node | 8080 | HTTP/SOAP | TCP | http-ne3sws-communication | Basic CM, FM, PM, SB outgoing request integration for iNUM. Applicable for below versions: iNUM v11; iNUM v15.5; iNUM v16; iNUM v16.5; iNUM v17. Optional: This firewall rule is not required if the respective secure protocol is used (port 8443).
SBI-CommonMediation | ephemeral | Flexi NS | 23 | TELNET | TCP | telnet | TELNET terminal connection for MMLs Command. Note: This firewall rule is not required if the respective secure protocol is used.
SBI-CommonMediation | ephemeral | Open BGW | 8059 | HTTPS/SOAP | TCP | tcp-8059 | OBGW integration with TLS mode.
SBI-CommonMediation | ephemeral | Open MGW | 8060 | HTTP | TCP | tcp-8060 | OMGW integration with non-TLS mode. Optional: This firewall rule is not required if the respective secure protocol is used.
SBI-CommonMediation | ephemeral | Open BGW | 8060 | HTTP/SOAP | TCP | tcp-8060 | OBGW integration with non-TLS mode. Optional: This firewall rule is not required if HTTPS is used.
Flexi NS | 20 | SBI-CommonMediation | ephemeral | FTP | TCP | ftp-data | FTP-DATA channel under FTP Active Mode will use this rule for FTP data transfer. Note: This firewall rule is not required if the respective secure protocol is used.
SBI-CommonMediation | ephemeral | Flexi NS | 21 | FTP | TCP | FTP | Flexi NS FTP mediation for PM integration. Note: This firewall rule is not required if the respective secure protocol is used.
SBI-CommonMediation | ephemeral | HPE Onboard Administrator | 22 | SSH | TCP | ssh | For SSH Access to HPHW Onboard Administrator.
SBI-CommonMediation | ephemeral | CAM | 8083 | HTTPS/SOAP | TCP | ne3sws | Basic communication between NetAct common mediation and JOMA.
SBI-CommonMediation | ephemeral | Flexi NS | 22 | SSH/SFTP | TCP | ssh | Flexi NS CLI integration.

Source | Source Port | Destination | Dest. Port | Application Layer | Transport Layer | Service Object | Description
--- | --- | --- | --- | --- | --- | --- | ---
SBI-CommonMediation | ephemeral | Flexi NG | 8060 | HTTP/SOAP | TCP | tcp-8060 | FM&PM function integration: Flexi NG15 onwards.
SBI-CommonMediation | ephemeral | Flexi NS | 60000 | HTTP/SOAP | TCP | NE3S/WS | Flexi NS integration.
AXC | ephemeral | SBI-CommonMediation | 49400 - 49499 | IIOP | TCP | tcp-49400 - 49499 | CM NWI3.
OMS | ephemeral | SBI-CommonMediation | 49400 - 49499 | IIOP | TCP | tcp-49400 - 49499 | CM NWI3.
OMS | ephemeral | SBI-CommonMediation | 80 | HTTP | TCP | http | CM NWI3 data file transfer. Optional: This firewall rule is not required if the respective secure protocol is used (port 8443).
SBI-CommonMediation | ephemeral | OMS | 80 | HTTP | TCP | http | CM NWI3 data file transfer. Optional: This firewall rule is not required if the respective secure protocol is used (port 443).
OMS | ephemeral | SBI-CommonMediation | 443 | HTTPS | TCP | tcp-443 | CM NWI3 data file transfer.
SBI-CommonMediation | ephemeral | OMS | 443 | HTTPS | TCP | https | CM NWI3 data file transfer.

27.2.10 Firewall rules for VMs with DNS and LDAP

Source | Source Port | Destination | Dest. Port | Application Layer | Transport Layer | Service Object | Description
--- | --- | --- | --- | --- | --- | --- | ---
LDAP | ephemeral | Customer Edge Router | 179 | BGP | TCP | tcp | For BGP operations between the NCS service and Customer Edge Router.
LDAP | 179 | Customer Edge Router | ephemeral | BGP | TCP | tcp | For BGP operations between NCS service and Customer Edge Router.
LDAP-SECONDARY | ephemeral | Corporate Windows Domain Controller | 389 | LDAP | TCP/UDP | ldap | Port used by NetAct Directory Server to communicate to Corporate Windows Domain Controller if integrated to NetAct.

Source | Source Port | Destination | Dest. Port | Application Layer | Transport Layer | Service Object | Description
--- | --- | --- | --- | --- | --- | --- | ---
LDAP-SECONDARY | ephemeral | Corporate Windows Domain Controller | 636 | LDAPS | TCP | ldap | Port used by NetAct Directory Server to communicate to Corporate Windows Domain Controller if integrated to NetAct.
ESXi | ephemeral | DNS-Slave | 53 | DNS | TCP/UDP | dns | DNS Client.
ALL_NE | ephemeral | DNS-Slave | 53 | DNS | TCP/UDP | dns | Optional. To be used if NetAct is used as DNS for the NE. DNS primarily uses this port to serve requests.
3GPP Corba FM Higher Level System | ephemeral | DNS-Slave | 53 | DNS | TCP/UDP | dns | Optional. To be used if NetAct is used as DNS for the Higher Level System. DNS primarily uses this port to serve requests.
XML based Inventory Data Export Higher Level System | ephemeral | DNS-Slave | 53 | DNS | TCP/UDP | dns | Optional. To be used if NetAct is used as DNS for the Higher Level System. DNS primarily uses this port to serve requests.
3GPP XML Format PM Higher Level System | ephemeral | DNS-Slave | 53 | DNS | TCP/UDP | dns | Optional. To be used if NetAct is used as DNS for the Higher Level System. DNS primarily uses this port to serve requests.
ALL_NE | ephemeral | DNS-Slave | 953 | DNS | TCP/UDP | TCP-953 | Port used by Remote DNS daemon (named) control service.
3GPP Corba BulkCM Higher Level System | ephemeral | DNS-Slave | 53 | DNS | TCP/UDP | dns | Optional. To be used if NetAct is used as DNS for the NE. DNS primarily uses this port to serve requests.
LDAP | ephemeral | Corporate Windows Domain Controller | 389 | LDAP | TCP/UDP | ldap | Port used by NetAct Directory Server to communicate to Corporate Windows Domain Controller if integrated to NetAct.
LDAP | ephemeral | Corporate Windows Domain Controller | 636 | LDAPS | TCP | ldap | Port used by NetAct Directory Server to communicate to Corporate Windows Domain Controller if integrated to NetAct.
3GPP Corba BulkCM Higher Level System | ephemeral | DNS | 53 | DNS | TCP/UDP | dns | Optional. To be used if NetAct is used as DNS for the NE. DNS primarily uses this port to serve requests.
ALL_NE | ephemeral | DNS | 53 | DNS | TCP/UDP | dns | Optional. To be used if NetAct is used as DNS for the NE. DNS primarily uses this port to serve requests.
Higher Level System | ephemeral | DNS | 53 | DNS | TCP/UDP | dns | Optional. To be used if NetAct is used as DNS for the Higher Level System. DNS primarily uses this port to serve requests.
3GPP Corba FM Higher Level System | ephemeral | DNS | 53 | DNS | TCP/UDP | dns | Optional. To be used if NetAct is used as DNS for the Higher Level System. DNS primarily uses this port to serve requests.
XML based Inventory Data Export Higher Level System | ephemeral | DNS | 53 | DNS | TCP/UDP | dns | Optional. To be used if NetAct is used as DNS for the Higher Level System. DNS primarily uses this port to serve requests.
3GPP XML Format PM Higher Level System | ephemeral | DNS | 53 | DNS | TCP/UDP | dns | Optional. To be used if NetAct is used as DNS for the Higher Level System. DNS primarily uses this port to serve requests.
ALL_NE | ephemeral | DNS | 953 | DNS | TCP | TCP-953 | Port used by Remote DNS daemon (named) control service.
ESXi | ephemeral | DNS | 53 | DNS | UDP | dns | DNS Client.

27.2.11 Firewall rules for AVE

Source | Source Port | Destination | Dest. Port | Application Layer | Transport Layer | Service Object | Description
--- | --- | --- | --- | --- | --- | --- | ---
User Workstation Mgmt | ephemeral | AVE | 700 | TCP | TCP/UDP | tcp | Login manager.
AVECP | ephemeral | Time Server - Higher Level System | 123 | UDP | UDP | ntp | Provides clock synchronization from the NTP servers.
User Workstation Mgmt | ephemeral | AVE | 8543 | HTTPS | TCP | TCP-8543 | vSphere Client port for AVE appliance management, redirect for Tomcat.
User Workstation Mgmt | ephemeral | AVE | 9443 | HTTPS | TCP | http | AVE Web Services.
User Workstation Mgmt | ephemeral | AVE | 7543 | HTTPS | TCP | http | Avamar installation manager.
User Workstation Mgmt | ephemeral | AVE | 7778-7781 | HTTPS | TCP | http | Avamar Administrator console.
User Workstation Mgmt | ephemeral | AVECP | 22 | SSH | TCP | SSH | Secure shell access.
User Workstation Mgmt | ephemeral | AVECP | 443 | HTTPS | TCP | HTTPS | HTTPS access to Avamar proxy VM.
AVE | ephemeral | Time Server - Higher Level System | 123 | NTP | UDP | ntp | AS clock time set to actual time from external NTP server.
User Workstation Mgmt | ephemeral | AVE | 443 | HTTPS | TCP | https | AVE web client.
User Workstation Mgmt | ephemeral | AVE | 22 | SSH | TCP | ssh | Port used to log into a remote machine and execute commands.
AVE | ephemeral | ESXi | 902 | TCP | TCP | tcp | NFC.

27.2.12 Firewall rules for ESXi

Source | Source Port | Destination | Dest. Port | Application Layer | Transport Layer | Service Object | Description
--- | --- | --- | --- | --- | --- | --- | ---
User Workstation Mgmt | ephemeral | ESXi | 443 | HTTPS | TCP | https | vSphere Client to ESXi/ESX Host management connection.
User Workstation Mgmt | ephemeral | ESXi | 902 | HTTPS | TCP/UDP | iss-realsecure | vSphere Client access to virtual machine consoles (MKS). vSphere Client uses this port to display virtual machine consoles.
User Workstation Mgmt | ephemeral | ESXi | 427 | SLP | TCP/UDP | svrloc | CIM Service Location Protocol (SLP).
AS | ephemeral | ESXi | 22 | SSH | TCP | ssh | ESXi CLI.
AS | ephemeral | ESXi | 443 | HTTPS | TCP | https | HTTPS.
SelfMon and HPE SIM | ephemeral | ESXi | 161 | SNMP | UDP | snmp-trap-get | This port is used to send traps for alarms.
SelfMon and HPE SIM | ephemeral | ESXi | 5989 | HTTPS | TCP | TCP-5989 | This port is used for CIM transactions over HTTPS.
AS | ephemeral | ESXi | 69 | TFTP | UDP | UDP-69 | PXE booting hypervisors.
ESXi | ephemeral | Time Server - Higher Level System | 123 | NTP | UDP | ntp | NetAct server clock time set to actual time from external NTP server.
User Workstation Mgmt | ephemeral | ESXi | 22 | SSH | TCP | ssh | SSH Server port used to log into a remote machine and execute commands.
User Workstation Mgmt | ephemeral | ESXi | 80 | HTTPS | TCP | tcp-80 | Redirect Web Browser to HTTPS Service (443).
nbisnmp | ephemeral | ESXi | 161 | SNMP | UDP | snmp-trap-get | SNMP Polling. Not used in ESXi 3.x.
SelfMon and HPE SIM | ephemeral | ESXi | 2069 | HTTP | TCP | TCP-2069 | Web port used by OSEM service to receive events from managed systems.
ESXi | ephemeral | vCSA | 5988 | HTTP | TCP | TCP-5988 | CIM transactions over HTTP.
ESXi | ephemeral | vCSA | 5989 | HTTPS | TCP | TCP-5989 | CIM XML transactions over HTTPS.
vCSA | ephemeral | ESXi | 5989 | HTTPS | TCP | TCP-5989 | CIM XML transactions over HTTPS.
vCSA | ephemeral | ESXi | 80 | RMCP | TCP | TCP-80 | DPM with IPMI (iLO/BMC) ASF Remote Management and Control Protocol.
vCSA | ephemeral | ESXi | 902 | HTTPS | TCP/UDP | vpxd | Used by the vCenter Server system to send data to managed hosts; managed hosts send a regular heartbeat to the vCenter Server system over this port. This port must not be blocked by firewalls between the server and the hosts or between hosts.
vCSA | ephemeral | ESXi | 623 | RMCP | UDP | UDP-623 | DPM with IPMI (iLO/BMC) ASF Remote Management and Control Protocol.
vCSA | ephemeral | ESXi | 8222 | HTTPS | TCP | TCP-8222 | To connect to the host with the VMware Management Interface, you need to open up port 8333 (and port 8222 if you plan to disable SSL for the management interface).

27.2.13 Firewall rules for VMs that host Fault Management (FM)

Source | Source Port | Destination | Dest. Port | Application Layer | Transport Layer | Service Object | Description
--- | --- | --- | --- | --- | --- | --- | ---
FM | ephemeral | Email Server | 25 | SMTP | TCP | smtp | Port is used for sending alarm content through email in the FM use case.
FM | ephemeral | Email Server | 25 | SMTP/STARTTLS | TCP | smtp | Port is used for sending alarm content through email in the FM use case, secured with the TLS protocol.

27.2.14 Firewall rules for HW objects

Source | Source Port | Destination | Dest. Port | Application Layer | Transport Layer | Service Object | Description
--- | --- | --- | --- | --- | --- | --- | ---
HPE OneView | ephemeral | HPE Virtual Connect Manager | 443 | HTTPS | TCP | https | HPE Synergy OneView HTTPS communication to HPE Virtual Connect.
HPE OneView | ephemeral | HPE Virtual Connect Manager | 162 | SNMP | UDP | snmp | HPE Synergy OneView to HPE Virtual Connect interconnects and trap forwarding.
HPE OneView | ephemeral | HPE Virtual Connect Manager | 161 | SNMP | UDP | snmp | HPE Synergy OneView to HPE Virtual Connect interconnects and trap forwarding.
HPE OneView | ephemeral | HPE iLO | 443 | HTTPS | TCP | https | HPE Synergy OneView used for secure SSL access to the iLO.
HPE OneView | ephemeral | HPE iLO | 123 | NTP | UDP | ntp | HPE Synergy OneView acts as an NTP server; iLO requires access.
HPE OneView | ephemeral | HPE iLO | 162 | SNMP | UDP | snmp | HPE Synergy OneView SNMP trap support from the iLO and HPE iPDU devices. This port is also used to monitor the VC interconnects and trap forwarding.
HPE OneView | ephemeral | HPE iLO | 161 | SNMP | UDP | snmp | HPE Synergy OneView SNMP GET calls to monitored and managed devices, such as server iLO, HPE Intelligent Power Distribution Unit, and SAN Managers.
HPE OneView | ephemeral | HPE Brocade San Switch | 443 | HTTPS | TCP | https | HPE Synergy OneView HTTPS communication to Brocade FOS for SAN management.
HPE OneView | ephemeral | HPE Brocade San Switch | 5989 | HTTPS | TCP | https | HPE Synergy OneView CIM/SMI communication to Brocade BNA for SAN management.

Source | Source Port | Destination | Dest. Port | Application Layer | Transport Layer | Service Object | Description
--- | --- | --- | --- | --- | --- | --- | ---
HPE OneView | ephemeral | Time Server - Higher Level System | 123 | OpenWire (not sure) | UDP | ntp | HPE Synergy OneView clock synchronization with reference clock source.
User Workstation Mgmt | ephemeral | HPE OneView | 443 | HTTPS | TCP | https | User Workstation to HPE Synergy OneView communication.
User Workstation Mgmt | ephemeral | HPE OneView | 80 | HTTP | TCP | http | User Workstation to HPE Synergy OneView communication.
User Workstation Mgmt | ephemeral | HPE OneView | 22 | SSH | TCP | ssh | User Workstation to HPE Synergy OneView communication.
ESXi | ephemeral | AS | 443 | HTTPS | TCP | HTTPS | This port is used for firmware automation with HPE SUM.
AS | ephemeral | ESXi | 5989 | HTTPS | TCP | wbem-https | This port is used for firmware automation with HPE SUM to discover the ESXi host using WBEM.
Unity Storage Management | ephemeral | Time Server - Higher Level System | 123 | NTP | UDP | ntp | Clock synchronization with reference clock source.
HPE Virtual Connect Manager | ephemeral | Time Server - Higher Level System | 123 | NTP | UDP | ntp | Clock synchronization with reference clock source.
HPE iLO | ephemeral | Time Server - Higher Level System | 123 | NTP | UDP | ntp | Clock synchronization with reference clock source.
HPE MSA Storage Management | ephemeral | Time Server - Higher Level System | 123 | NTP | UDP | ntp | Clock synchronization with reference clock source.
User Workstation Mgmt | ephemeral | VNX Storage Unisphere Management | 22 | SSH | TCP | ssh | Port is used for SSH access.
User Workstation Mgmt | ephemeral | VNX Storage Unisphere Management | 6389 | HTTPS | TCP | clariion-env01 | To allow the Unisphere Host Agent to function.
User Workstation Mgmt | ephemeral | Unity Storage Management | 22 | SSH | TCP | ssh | Port is used for SSH access.
SelfMon and HPE SIM | ephemeral | Unity Storage Management | 162 | SNMP | TCP | snmp-trap-get | This port is used for SNMP get and set.
User Workstation Mgmt | ephemeral | Unity Storage Management | 443 | HTTPS | TCP | https | Port is used to manage EMC Unisphere storage.

Source | Source Port | Destination | Dest. Port | Application Layer | Transport Layer | Service Object | Description
--- | --- | --- | --- | --- | --- | --- | ---
User Workstation Mgmt | ephemeral | Juniper/NetAct | 22 | SSH | TCP | ssh | Port is used for SSH access.
User Workstation Mgmt | ephemeral | HPE Virtual Connect Manager | 20 | FTP | TCP | https | Used to upload the configuration from backup.
User Workstation Mgmt | ephemeral | HPE MSA Storage Management | 22 | SSH | TCP | ssh | Port is used for secured SSH access.
User Workstation Mgmt | ephemeral | HPE 3PAR Service Processor | 8443 | HTTPS | TCP | wbem-https | Port is used for secured UI access.
User Workstation Mgmt | ephemeral | HPE 3PAR Service Processor | 22 | SSH | TCP | ssh | Port is used for secured shell connection.
HPE 3PAR Management Console | ephemeral | Time Server - Higher Level System | 123 | NTP | UDP | ntp | Clock synchronization with reference clock source.
SelfMon and HPE SIM | ephemeral | HPE iLO | 161 | SNMP | UDP | snmp-trap | This port is used for SNMP get and set.
User Workstation Mgmt | ephemeral | HPE iLO | 17990 | HTTPS | TCP | hp-ilo-remote-console-console | Port used by iLO Remote Console.
User Workstation Mgmt | ephemeral | HPE iLO | 17988 | HTTPS | TCP | hp-virtual-media | Port used by Virtual Media from PC to iLO.
User Workstation Mgmt | ephemeral | VNX Storage Unisphere Management | 443 | HTTPS | TCP | https | Port is used to manage EMC Unisphere storage.
HPE OA | ephemeral | Time Server - Higher Level System | 123 | NTP | UDP | ntp | Clock synchronization with reference clock source.
HPE Brocade San Switch | ephemeral | Time Server - Higher Level System | 123 | NTP | UDP | ntp | Clock synchronization with reference clock source.
HPE Switch | ephemeral | Time Server - Higher Level System | 123 | NTP | UDP | ntp | Clock synchronization with reference clock source.
VNX Storage Unisphere Management | ephemeral | Time Server - Higher Level System | 123 | NTP | UDP | ntp | Clock synchronization with reference clock source.

Source | Source Port | Destination | Dest. Port | Application Layer | Transport Layer | Service Object | Description
--- | --- | --- | --- | --- | --- | --- | ---
User Workstation Mgmt | ephemeral | HPE Virtual Connect Manager | 443 | HTTPS | TCP | https | Port is used for secured UI connection.
User Workstation Mgmt | ephemeral | HPE MSA Storage Management | 443 | HTTPS | TCP | https | Port is used for secured UI access.
User Workstation Mgmt | ephemeral | HPE 3PAR Management Console | 443 | HTTPS | TCP | https | Port is used for secured UI access.
User Workstation Mgmt | ephemeral | HPE 3PAR Management Console | 22 | SSH | TCP | ssh | Port is used for secured shell connection.
User Workstation Mgmt | ephemeral | HPE Switch | 22 | SSH | TCP | ssh | Port is used for secured shell connection.
User Workstation Mgmt | ephemeral | HPE Switch | 23 | TELNET | TCP | telnet | Port is used for unsecured shell connection. Optional: This firewall rule is not required if the respective secure protocol is used (22).
User Workstation Mgmt | ephemeral | HPE OA | 22 | SSH | TCP | ssh | This port is used to access the NetAct HW HP Onboard Administrator via CLI.
User Workstation Mgmt | ephemeral | HPE OA | 443 | HTTPS | TCP | https | This port is used to access the NetAct HW HP Onboard Administrator via secured web service.
User Workstation Mgmt | ephemeral | HPE OA | 3389 | HTTPS | TCP | rdp | Port used by terminal services pass-through from PC to iLO.
User Workstation Mgmt | ephemeral | HPE Brocade San Switch | 22 | SSH | TCP | ssh | Port used to log into a remote machine and execute commands.
User Workstation Mgmt | ephemeral | HPE Brocade San Switch | 443 | HTTPS | TCP | https | Port is used for secured UI connection.
User Workstation Mgmt | ephemeral | HPE Virtual Connect Manager | 22 | SSH | TCP | ssh | Port used to log into a remote machine and execute commands.
SelfMon and HPE SIM | ephemeral | HPE OA | 161 | SNMP | UDP | snmp-trap-get | This port is used for SNMP get and set.
SelfMon and HPE SIM | ephemeral | VNX Storage Unisphere Management | 161 | SNMP | TCP | snmp-trap-get | This port is used for SNMP get and set.

Source | Source Port | Destination | Dest. Port | Application Layer | Transport Layer | Service Object | Description
--- | --- | --- | --- | --- | --- | --- | ---
SelfMon and HPE SIM | ephemeral | HPE Brocade San Switch | 161 | SNMP | TCP | snmp-trap-get | This port is used for SNMP get and set.
SelfMon and HPE SIM | ephemeral | HPE Virtual Connect Manager | 161 | SNMP | TCP | snmp-trap-get | This port is used to send traps for alarms.
SelfMon and HPE SIM | ephemeral | HPE MSA Storage Management | 161 | SNMP | TCP | snmp-trap-get | This port is used to send traps for alarms.
SelfMon and HPE SIM | ephemeral | HPE 3PAR Management Console | 161 | SNMP | UDP | snmp-trap-get | This port is used to send traps for alarms.
SelfMon and HPE SIM | ephemeral | HPE Switch | 161 | SNMP | TCP | snmp-trap-get | This port is used to send traps for alarms.

27.2.15 Firewall rules for VMs that host IHS

Source | Source Port | Destination | Dest. Port | Application Layer | Transport Layer | Service Object | Description
--- | --- | --- | --- | --- | --- | --- | ---
ZTS | ephemeral | LB WAS virtual IP | 10448 | HTTPS | TCP | Keycloak | Request from client.
CBAM VNF Resource Alarm Notification | ephemeral | LB WAS virtual IP | 10448 | HTTPS | TCP | Keycloak | Accept request from client.
CBAM LCN | ephemeral | LB WAS virtual IP | 10448 | HTTPS | TCP | Keycloak | Accept request from client.

27.2.16 Firewall rules for VMs that host loadbalancer (LB) and socks

Source | Source Port | Destination | Dest. Port | Application Layer | Transport Layer | Service Object | Description
--- | --- | --- | --- | --- | --- | --- | ---
HSS | ephemeral | LB JBI virtual IP | 30505 | HTTP/SOAP | TCP | http-ne3sws-notifications | FM, PM SB incoming request integration for HSS VM. Applicable for below versions: HSS 18.5VI onwards.

Source | Source Port | Destination | Dest. Port | Application Layer | Transport Layer | Service Object | Description
--- | --- | --- | --- | --- | --- | --- | ---
NRBTS | ephemeral | LB WAS virtual IP | 80 | HTTP | TCP | http | NE3S/WS SMI for 5G BTS CM notifications. A port used by 5G BTS to transfer 5G BTS software from NetAct Software Manager to 5G BTS when IPSec is not in use. Optional: This firewall rule is not required if the respective secure protocol is used.
NRBTS | ephemeral | LB WAS virtual IP | 389 | LDAP | TCP | ldap | LDAP port used by 5G BTS that is configured for CNUM. Note: During the Plug and Play Process, this firewall rule must be applied additionally for 5G BTS using the temporary IP address.
HSS | ephemeral | LB JBI virtual IP | 30510 | HTTPS/SOAP | TCP | https-ne3sws-notifications | Basic CM, FM, PM SB incoming request integration for HSS VM. Applicable for below versions: HSS 18.5VI onwards.
HSSFE | ephemeral | LB JBI virtual IP | 30510 | HTTPS/SOAP | TCP | https-ne3sws-notifications | Basic CM, FM, PM SB incoming request integration for HSSFE. Applicable for below versions: HSSFE 18.5 onwards, HSSFE 18.5C onwards, HSSFE 18.5VI onwards.
HSSFE | ephemeral | LB JBI virtual IP | 30505 | HTTP/SOAP | TCP | http-ne3sws-notifications | FM, PM SB incoming request integration for HSSFE. Applicable for below versions: HSSFE 18.5 onwards, HSSFE 18.5C onwards, HSSFE 18.5VI onwards. Optional: This firewall rule is not required if the respective secure protocol is used (port 30510).
HSSFE | ephemeral | LB WAS virtual IP | 389 | LDAP | TCP | ldap | This rule is to support CNUM for HSSFE, for HSSFE 18.5C onwards.
FHGW | ephemeral | LB JBI virtual IP | 30505 | HTTP | TCP | tcp-30505 | NE3S/WS SMI for FHGW FM/PM notification. Optional: This firewall rule is not required if the respective secure protocol is used.
FHGW | ephemeral | LB JBI virtual IP | 30508 | HTTP | TCP | tcp-30508 | Software Manager outgoing request. Optional: This firewall rule is not required if the respective secure protocol is used.
FHGW | ephemeral | LB JBI virtual IP | 30509 | HTTPS | TCP | tcp-30509 | Software Manager outgoing request. Should be enabled when the secure protocol is in use.

Source | Source Port | Destination | Dest. Port | Application Layer | Transport Layer | Service Object | Description
--- | --- | --- | --- | --- | --- | --- | ---
FHGW | ephemeral | LB WAS virtual IP | 10510 | HTTP | TCP | tcp-10510 | NE3S/WS SMI for FHGW CM notifications. Optional: This firewall rule is not required if the respective secure protocol is used. This firewall rule is required if default port 80 is disabled.
FHGW | ephemeral | LB WAS virtual IP | 80 | HTTP | TCP | http | NE3S/WS SMI for FHGW CM notifications. A port used by FHGW to transfer FHGW software from NetAct Software Manager to FHGW when IPSec is not in use. Optional: This firewall rule is not required if the respective secure protocol is used.
FHGW | ephemeral | LB WAS virtual IP | 448 | HTTPS | TCP | tcp-448 | NE3S/WS SMI for CM notifications.
FHGW | ephemeral | LB JBI virtual IP | 30510 | HTTPS | TCP | tcp-30510 | NE3S/WS SMI for FM/PM notification.
ECTRL | ephemeral | LB JBI virtual IP | 162 | SNMP | UDP | snmp-trap-listener | For listening to SNMP traps from ECTRL.
CNNPC | ephemeral | LB JBI virtual IP | 30505 | HTTP | TCP | tcp-30505 | NE3S/WS SMI for CNNPC FM/PM notification from ZTS EnvoyLB or ZTS Istio. Note: Firewall to be opened for all ZTS EnvoyLB or ZTS Istio IPs.
Socks | ephemeral | ECTRL | ephemeral | HTTPS | TCP | https | For WebUI launch to ECTRL.
CNNPC | ephemeral | LB JBI virtual IP | 30510 | HTTPS | TCP | tcp-30510 | NE3S/WS SMI for CNNPC FM/PM notification from ZTS EnvoyLB or ZTS Istio. Note: Firewall to be opened for all ZTS EnvoyLB or ZTS Istio IPs.
GLS Prov | ephemeral | LB JBI virtual IP | 162 | SNMP | UDP | snmp-trap-listener | For listening to SNMP traps from GLS Provisioning Server.
Socks | ephemeral | GLS Prov | 8843 | HTTPS | TCP | https | For HTTPS connection to GLS Provisioning Server Web UI.
Socks | ephemeral | GLS Prov | 443 | HTTPS | TCP | https | For HTTPS connection to GLS Provisioning Server Web UI. Applicable for GLS Provisioning Server 21.5.
Open MGW | ephemeral | LB JBI virtual IP | 30505 | HTTP/SOAP | TCP | http-ne3sws-notifications | NE3SWS SMI for FM/PM notification with non-TLS mode. Optional: This firewall rule is not required if the respective secure protocol is used.

Source | Source Port | Destination | Dest. Port | Application Layer | Transport Layer | Service Object | Description
--- | --- | --- | --- | --- | --- | --- | ---
Open MGW | ephemeral | LB WAS virtual IP | 10510 | HTTP/SOAP | TCP | tcp-10510 | CM SB feedback channel integration for OpenMGW. This firewall rule is required if default port 80 is disabled. Optional: This firewall rule is not required if the respective secure protocol is used.
Open MGW | ephemeral | LB WAS virtual IP | 80 | HTTP/SOAP | TCP | http | CM SB feedback channel integration for OpenMGW. Optional: This firewall rule is not required if the respective secure protocol is used.
Open MGW | ephemeral | LB WAS virtual IP | 448 | HTTPS/SOAP | TCP | tcp-448 | CM SB feedback channel integration for OpenMGW with TLS support.
VNF_CFPU | ephemeral | LB WAS virtual IP | 389 | LDAP | TCP | ldap | LDAP port used by ASRNC that is configured for CNUM.
PKI | ephemeral | LB JBI virtual IP | 162 | SNMP | UDP | snmp-trap-listener | For SNMP trap operations to PKI Insta and NCM Certificate Expiration Reporting Tool.
Socks | ephemeral | IMSOAM | 10751-10900 | HTTPS | TCP | tsp-ui | CSCF/CSCF_TD_Core/CSCF_L2TD VI web application integration: TSP web GUI, process and node management; maps to CSCF/CSCF_TD_Core/CSCF_L2TD VI port 8099. Applicable for below versions: CSCF 18.5VI onwards.
IMSOAM | ephemeral | LB JBI virtual IP | 30510 | HTTPS/SOAP | TCP | https-ne3sws-notifications | Basic CM, FM, PM SB incoming request integration for IMSOAM VM and CSCF VM. Applicable for below versions: IMSOAM 18.5VI onwards, CSCF 18.5VI onwards.
IMSOAM | ephemeral | LB JBI virtual IP | 30505 | HTTP/SOAP | TCP | http-ne3sws-notifications | FM, PM SB incoming request integration for CSCF/DRA VI and IMS OAM Unit VI. Applicable for below versions: CSCF 18.5VI onwards, DRA 18.5VI onwards, IMSOAM 18.5VI onwards.
IMSOAM | ephemeral | LB WAS virtual IP | 448 | HTTPS/SOAP | TCP | tcp-448 | CM SB feedback channel integration for IMSOAM with TLS support used by AoM. Applicable 18.5 onwards.
BNGLB | ephemeral | LB JBI virtual IP | 30505 | HTTP/SOAP | TCP | http-ne3sws-notifications | Basic CM, FM, PM SB incoming request integration for BNGLB. Applicable for below versions: BNGLB 18.5 onwards. Optional: This firewall rule is not required if the respective secure protocol is used (port 30510).

NetAct™ 22 © 2021 Nokia. Nokia Confidential Information 408


Final Use subject to agreed restrictions on disclosure and use.
Administering NetAct System Security DN0979438_C 5-2 Configuring Firewall for NetAct

BNGLB | ephemeral | LB JBI virtual IP | 30510 | HTTPS/SOAP | TCP | https-ne3sws-notifications | Basic CM, FM, PM SB incoming request integration for BNGLB. Applicable for BNGLB 18.5 onwards.
TIAMS | ephemeral | LB JBI virtual IP | 30510 | HTTPS/SOAP | TCP | https-ne3sws-notifications | Basic CM, FM, PM SB incoming request integration for TIAMS. Applicable for 18.5C, 18.5 and 18.5Cc onwards.
TIAMS | ephemeral | LB JBI virtual IP | 30505 | HTTP/SOAP | TCP | http-ne3sws-notifications | Basic CM, FM, PM SB incoming request integration for TIAMS. Optional: this firewall rule is not required if the respective secure protocol is used (port 30510). Applicable for 18.5C, 18.5 and 18.5Cc onwards.
TIAMS | ephemeral | LB WAS virtual IP | 389 | LDAP | TCP | ldap | This rule supports CNUM for TIAMS. Applicable for 18.5 onwards.
Repo Server | ephemeral | LB JBI virtual IP | 30510 | HTTPS/SOAP | TCP | https-ne3sws-notifications | FM SB incoming request integration for Centralized CM Repo Server. Applicable for REPOSERVER 18.5CI onwards.
Repo Server | ephemeral | LB JBI virtual IP | 30505 | HTTP/SOAP | TCP | http-ne3sws-notifications | FM, PM SB incoming request integration for Repo Server (REPOSERVER 18.5VI onwards) and FM SB incoming request integration for Centralized CM Repo Server (REPOSERVER 18.5CI onwards). Optional: for REPOSERVER 18.5CI onwards (Centralized CM Repo Server), this firewall rule is not required if the respective secure protocol is used (port 30510).
CSCF-LB | ephemeral | LB WAS virtual IP | 448 | HTTPS/SOAP | TCP | tcp-448 | CM SB feedback channel integration for CSCF-LB with TLS support, used by AoM. Applicable for 18.5 onwards.
CSCF-LB | ephemeral | LB JBI virtual IP | 30510 | HTTPS/SOAP | TCP | https-ne3sws-notifications | Basic CM, FM, PM SB incoming request integration for CSCF-LB. Applicable for 18.5VI onwards.
CSCF | ephemeral | LB JBI virtual IP | 30505 | HTTP/SOAP | TCP | http-ne3sws-notifications | FM, PM SB incoming request integration for CSCF. Optional: this firewall rule is not required if the respective secure protocol is used (port 30510). Applicable for 18.5C onwards.

CSCF-LB | ephemeral | LB JBI virtual IP | 30505 | HTTP/SOAP | TCP | http-ne3sws-notifications | FM, PM SB incoming request integration for CSCF-LB. Applicable for 18.5VI onwards.
CSCF | ephemeral | LB JBI virtual IP | 30510 | HTTPS/SOAP | TCP | https-ne3sws-notifications | Basic CM, FM, PM SB incoming request integration for CSCF. Applicable for 18.5C onwards.
NCOM | ephemeral | LB JBI virtual IP | 162 | SNMP | UDP | snmp-trap-listener | For listening to SNMP traps from NCOM.
Socks | ephemeral | NCOM | 443 | HTTPS | TCP | https | Web Portal launch.
ZTS LCN | ephemeral | LB WAS virtual IP | 17443 | HTTPS | TCP | ntcapp-17443 | ZTS can send LCNs to NTCApp.
CBAM LCN | ephemeral | LB WAS virtual IP | 17443 | HTTPS | TCP | ntcapp-17443 | CBAM can send LCNs to NTCApp (OR_VNFM_NFVO zone for SOL003 and VE_VNFM_EM zone for SOL002).
CBAM VNF Resource Alarm Notification | ephemeral | LB WAS virtual IP | 17443 | HTTPS | TCP | ntcapp-17443 | CBAM can send VNF Resource Alarm Notifications to NTCApp (VE_VNFM_EM zone for SOL002).
MRBTS | ephemeral | LB WAS virtual IP | 10510 | HTTP | TCP | NE3S/WS | A port used by the MRBTS to send notifications to Configurator Management. This firewall rule is required if default port 80 is disabled. Optional: this firewall rule is not required when the respective secure protocol (port 448) is used.
MRBTS | ephemeral | LB WAS virtual IP | 80 | HTTP | TCP | NE3S/WS | A port used by the MRBTS to communicate with Configurator Management. Optional: this firewall rule is not required when the respective secure protocol (port 448) is used.
MRBTS | ephemeral | LB WAS virtual IP | 448 | HTTPS | TCP | NE3S/WS | A port used by the MRBTS to communicate with Configurator Management over TLS. Optional: this firewall rule is not required when the respective unsecure protocol is used.
Socks | ephemeral | NetAct HW | 443 | HTTPS | TCP | https | Used for remote access to NetAct HW via the Web UI. Applicable for version 2.0EMC.
NetAct HW | ephemeral | LB JBI virtual IP | 162 | SNMP | UDP | snmp-trap-listener | For listening to SNMP traps from NetAct HWs.

Socks | ephemeral | MRF | 30091 | HTTPS | TCP | https | For HTTPS connection to the RadiSys Containerized MRF Web GUI.
NCS Monitor Cluster | ephemeral | LB JBI virtual IP | 162 | SNMP | UDP | lb-unify | Listening to SNMP traps from NCS.
Nokia Mediation | ephemeral | LB JBI virtual IP | 162 | SNMP | UDP | snmp-trap-listener | Receiving SNMP traps from Nokia Mediation.
ARC Management Node | ephemeral | LB JBI virtual IP | 162 | SNMP | UDP | snmp-trap-listener | SNMP notification from ARC. Applicable for ARC (Zabbix SNMP).
ARC Management Node | ephemeral | LB JBI virtual IP | 30510 | HTTPS | TCP | tcp | NE3S/WS SMI for Register FM/PM notification from ARC (OMAgent NE3S/WS).
NCC | ephemeral | LB JBI virtual IP | 162 | SNMP | UDP | snmp-trap-listener | For listening to SNMP traps from NCC.
Socks | ephemeral | NCC-SM | ephemeral | HTTPS | TCP | https | NCC-SM GUI launch. The same rule is used for the NCC co-located environment as well.
CNAAA | ephemeral | LB JBI virtual IP | 162 | SNMP | UDP | lb-unify | Receiving SNMP traps from CNAAA.
NTASCN | ephemeral | LB JBI virtual IP | 30505 | HTTP | TCP | tcp-30505 | NE3S/WS SMI for NTASCN FM/PM notification from ZTS EnvoyLB or ZTS Istio. Note: the firewall must be opened for all ZTS EnvoyLB or ZTS Istio IPs.
NTASCN | ephemeral | LB JBI virtual IP | 30510 | HTTPS | TCP | tcp-30510 | NE3S/WS SMI for NTASCN FM/PM notification from ZTS EnvoyLB or ZTS Istio. Note: the firewall must be opened for all ZTS EnvoyLB or ZTS Istio IPs.
DP | ephemeral | LB WAS virtual IP | 80 | HTTP | TCP | tcp-80 | NE3S/WS SMI for CBRS DP CM notifications. Optional: this firewall rule is not required if the respective secure protocol is used.
DP | ephemeral | LB WAS virtual IP | 448 | HTTPS | TCP | tcp-448 | NE3S/WS SMI for CBRS DP CM notifications.
NCS Edge Node | ephemeral | LB JBI virtual IP | 162 | SNMP | UDP | lb-unify | Listening to SNMP traps from NCS.
MicroCFX | ephemeral | LB JBI virtual IP | 30510 | HTTPS | TCP | tcp-30510 | NE3S/WS SMI for MicroCFX FM/PM notification from ZTS EnvoyLB or ZTS Istio. Note: the firewall must be opened for all ZTS EnvoyLB or ZTS Istio IPs.

MicroCFX | ephemeral | LB JBI virtual IP | 30505 | HTTP | TCP | tcp-30505 | NE3S/WS SMI for MicroCFX FM/PM notification from ZTS EnvoyLB or ZTS Istio. Note: the firewall must be opened for all ZTS EnvoyLB or ZTS Istio IPs.
Registers | ephemeral | LB JBI virtual IP | 30510 | HTTPS | TCP | tcp-30510 | NE3S/WS SMI for Register FM/PM notification from ZTS EnvoyLB or ZTS Istio. Note: the firewall must be opened for all ZTS EnvoyLB or ZTS Istio IPs.
Registers | ephemeral | LB JBI virtual IP | 30505 | HTTP | TCP | tcp-30505 | NE3S/WS SMI for Register FM/PM notification from ZTS EnvoyLB or ZTS Istio. Note: the firewall must be opened for all ZTS EnvoyLB or ZTS Istio IPs.
EIR | ephemeral | LB JBI virtual IP | 30505 | HTTP | TCP | tcp-30505 | NE3S/WS SMI for EIR FM/PM notification from ZTS EnvoyLB or ZTS Istio. Note: the firewall must be opened for all ZTS EnvoyLB or ZTS Istio IPs.
CNCSD | ephemeral | LB JBI virtual IP | 30510 | HTTPS | TCP | tcp-30510 | NE3S/WS SMI for CNCSD FM/PM notification from ZTS EnvoyLB or ZTS Istio. Note: the firewall must be opened for all ZTS EnvoyLB or ZTS Istio IPs.
CNCSD | ephemeral | LB JBI virtual IP | 30505 | HTTP | TCP | tcp-30505 | NE3S/WS SMI for CNCSD FM/PM notification from ZTS EnvoyLB or ZTS Istio. Note: the firewall must be opened for all ZTS EnvoyLB or ZTS Istio IPs.
EIR | ephemeral | LB JBI virtual IP | 30510 | HTTPS | TCP | tcp-30510 | NE3S/WS SMI for EIR FM/PM notification from ZTS EnvoyLB or ZTS Istio. Note: the firewall must be opened for all ZTS EnvoyLB or ZTS Istio IPs.
NEF | ephemeral | LB JBI virtual IP | 30505 | HTTP | TCP | tcp-30505 | NE3S/WS SMI for NEF FM/PM notification from ZTS EnvoyLB or ZTS Istio. Note: the firewall must be opened for all ZTS EnvoyLB or ZTS Istio IPs.
NEF | ephemeral | LB JBI virtual IP | 30510 | HTTPS | TCP | tcp-30510 | NE3S/WS SMI for NEF FM/PM notification from ZTS EnvoyLB or ZTS Istio. Note: the firewall must be opened for all ZTS EnvoyLB or ZTS Istio IPs.

NREG | ephemeral | LB JBI virtual IP | 30510 | HTTPS | TCP | tcp-30510 | NE3S/WS SMI for NREG FM/PM notification from ZTS EnvoyLB or ZTS Istio. Note: the firewall must be opened for all ZTS EnvoyLB or ZTS Istio IPs.
NREG | ephemeral | LB JBI virtual IP | 30505 | HTTP | TCP | tcp-30505 | NE3S/WS SMI for NREG FM/PM notification from ZTS EnvoyLB or ZTS Istio. Note: the firewall must be opened for all ZTS EnvoyLB or ZTS Istio IPs.
ZTS | ephemeral | LB JBI virtual IP | 30510 | HTTPS | TCP | tcp-30510 | NE3S/WS SMI for ZTS FM/PM notification from ZTS EnvoyLB or ZTS Istio. Note: the firewall must be opened for all ZTS EnvoyLB or ZTS Istio IPs.
ZTS | ephemeral | LB JBI virtual IP | 30505 | HTTP | TCP | tcp-30505 | NE3S/WS SMI for ZTS FM/PM notification from ZTS EnvoyLB or ZTS Istio. Note: the firewall must be opened for all ZTS EnvoyLB or ZTS Istio IPs.
Socks | ephemeral | CBND | 7443 | HTTPS | TCP | https | Web Portal launch. Note: deprecated port; not supported in NetAct from CBND 20.5 onwards.
HPE Fiber Channel Switch or HPE Switch | ephemeral | LB JBI virtual IP | 162 | SNMP | UDP | snmp-trap-listener | SNMP trap notification from HPE Fiber Channel Switch or HPE Switch.
HPE Onboard Administrator | ephemeral | LB JBI virtual IP | 162 | SNMP | UDP | snmp-trap-listener | SNMP trap notification from HPE Onboard Administrator.
HPE Storage System | ephemeral | LB JBI virtual IP | 162 | SNMP | UDP | snmp-trap-listener | SNMP trap notification from HPE Storage System.
HPE BladeSystem VirtualConnect FlexFabric | ephemeral | LB WAS virtual IP | 162 | SNMP | UDP | snmp-trap-listener | SNMP trap notification from HPE BladeSystem VirtualConnect FlexFabric.
HPE iLO Module | ephemeral | LB JBI virtual IP | 162 | SNMP | UDP | snmp-trap-listener | SNMP trap notification from the HPE iLO Module (iLO 4 onwards) of HPE blade and HPE rack-mounted servers.
HPE iLO Module | ephemeral | LB WAS virtual IP | 162 | SNMP | UDP | snmp-trap-listener | SNMP trap notification from the HPE iLO Module (iLO 4 onwards) of HPE blade and HPE rack-mounted servers.
HPE BladeSystem VirtualConnect FlexFabric | ephemeral | LB JBI virtual IP | 162 | SNMP | UDP | snmp-trap-listener | SNMP trap notification from HPE BladeSystem VirtualConnect FlexFabric.

HPE Fiber Channel Switch or HPE Switch | ephemeral | LB WAS virtual IP | 162 | SNMP | UDP | snmp-trap-listener | SNMP trap notification from HPE Fiber Channel Switch or HPE Switch.
AUS | ephemeral | LB JBI virtual IP | 30505 | HTTP | TCP | tcp-30505 | NE3S/WS SMI for AUS FM/PM notification from ZTS EnvoyLB. Note: the firewall must be opened for all ZTS EnvoyLB IPs.
AUS | ephemeral | LB JBI virtual IP | 30510 | HTTPS | TCP | tcp-30510 | NE3S/WS SMI for AUS FM/PM notification from ZTS EnvoyLB. Note: the firewall must be opened for all ZTS EnvoyLB IPs.
Socks | ephemeral | SPS-SM | 8443 | HTTPS | TCP | https | For HTTPS connection to SPS-SM. The same rule is used for the SPS co-located environment as well.
Repo Server | ephemeral | LB JBI virtual IP | 30510 | HTTPS/SOAP | TCP | https-ne3sws-notifications | Basic CM, FM, PM SB incoming request integration for REPOSERVER.
Socks | ephemeral | NTHLR FE | 9081 | HTTPS | TCP | nthlrfe-ss7-ui | NTHLR FE web application integration, SS7 administration GUI (Telesys). Applicable for NTHLR FE with the Telesys stack installed. This firewall rule is required for NTHLR FE Cloud.
NTHLR FE | ephemeral | LB WAS virtual IP | 389 | LDAP | TCP | ldap | This rule supports CNUM for NTHLR FE 18.5C and onwards.
NTHLR FE | ephemeral | LB WAS virtual IP | 80 | HTTP/SOAP | TCP | http | CM SB feedback channel integration for NTHLR FE. This firewall rule is required for NTHLR FE Cloud. Optional: this firewall rule is not required if the respective secure protocol is used.
NTHLR FE | ephemeral | LB WAS virtual IP | 10510 | HTTP/SOAP | TCP | tcp-10510 | CM SB feedback channel integration for NTHLR FE. This firewall rule is required if default port 80 is disabled, and is required for NTHLR FE Cloud. Optional: this firewall rule is not required if the respective secure protocol is used.

NTHLR FE | ephemeral | LB JBI virtual IP | 30510 | HTTPS | TCP | https-ne3sws-notifications | Basic CM, FM, PM SB incoming request integration for NTHLR FE. Applicable for all versions.
NTHLR FE | ephemeral | LB JBI virtual IP | 30505 | HTTP | TCP | http-ne3sws-notifications | Basic CM, FM, PM SB incoming request integration for NTHLR FE. Applicable for all versions. This firewall rule is required for NTHLR FE Cloud. Optional: this firewall rule is not required if the respective secure protocol is used.
ASI | ephemeral | LB WAS virtual IP | 448 | HTTPS | TCP | tcp-448 | NE3S/WS SMI for ASI CM notifications.
ASI | ephemeral | LB WAS virtual IP | 10510 | HTTP | TCP | tcp-10510 | NE3S/WS SMI for ASI CM notifications. This firewall rule is required if default port 80 is disabled.
ASI | ephemeral | LB WAS virtual IP | 80 | HTTP | TCP | tcp-80 | NE3S/WS SMI for ASI CM notifications. Optional: this firewall rule is not required if the respective secure protocol is used.
PDL Validation Service | ephemeral | LB WAS virtual IP | 443 | WebService/HTTPS | TCP | https | REST API for accessing the PDL Validation Service (callback interface), used for the Configurator pre-validate operation.
ASI | ephemeral | LB JBI virtual IP | 30510 | HTTPS | TCP | tcp-30510 | NE3S/WS SMI for FM notification.
ASI | ephemeral | LB JBI virtual IP | 30505 | HTTP | TCP | tcp-30505 | NE3S/WS SMI for FM notification. Optional: this firewall rule is not required if the respective secure protocol is used (port 30510).
NRBTS | ephemeral | LB JBI virtual IP | 30509 | HTTPS | TCP | tcp-30509 | Software Manager outgoing request. Should be enabled when the secure protocol is in use.
NRBTS | ephemeral | LB JBI virtual IP | 30508 | HTTP | TCP | tcp-30508 | Software Manager outgoing request. Optional: this firewall rule is not required if the respective secure protocol is used.
DP | ephemeral | LB JBI virtual IP | 30505 | HTTP/SOAP | TCP | tcp | NE3S/WS SMI for Nokia CBRS DP FM/PM notification. Optional: this firewall rule is not required if the respective secure protocol is used.
Socks | ephemeral | DP | 443 | HTTPS | TCP | HTTPS | Used for remote access to Nokia CBRS DP via the Web UI.

DP | ephemeral | LB JBI virtual IP | 30510 | HTTPS/SOAP | TCP | tcp | NE3S/WS SMI for Nokia CBRS DP FM/PM notification.
MRBTS | ephemeral | LB WAS virtual IP | 8185 | HTTP | TCP | btsom | A port used by the MRBTS to download new Factory Software from the Compatibility Service. Optional: this firewall rule is not required when the respective secure protocol is used.
MRBTS | ephemeral | LB WAS virtual IP | 8003 | BTSOM+SSL | TCP | btsoms | A port used for secure communication between the MRBTS and the Compatibility Server. Optional: this firewall rule is not required when the respective unsecure protocol is used.
MRBTS | ephemeral | LB WAS virtual IP | 8002 | BTSOM | TCP | btsom | A port used for unsecure communication between the MRBTS and the Compatibility Service. Optional: this firewall rule is not required when the respective secure protocol is used.
HSS MGMTVNFC | ephemeral | LB JBI virtual IP | 30505 | HTTP/SOAP | TCP | http-ne3sws-notifications | FM, PM SB incoming request integration for HSS VNF with Management VNFC. Optional: this firewall rule is not required if the respective secure protocol is used (port 30510).
CSCF MGMTVNFC | ephemeral | LB JBI virtual IP | 30505 | HTTP/SOAP | TCP | http-ne3sws-notifications | FM, PM SB incoming request integration for CSCF VNF with Management VNFC. Optional: this firewall rule is not required if the respective secure protocol is used (port 30510).
Repo Server | ephemeral | LB WAS virtual IP | 389 | LDAP | TCP | ldap | This rule supports CNUM for CM Repo Server BM. Supported only for versions supporting* CNUM.
BNGLB | ephemeral | LB WAS virtual IP | 389 | LDAP | TCP | ldap | This rule supports CNUM for BNGLB, only for BNGLB 18.5 (from BNGLB 18.5 SP3) and later versions.
CSCF | ephemeral | LB WAS virtual IP | 389 | LDAP | TCP | ldap | This rule supports CNUM for CSCF, only for CSCF 18.5 (from CSCF 18.5 SP3) and later versions.
DCAP | ephemeral | LB WAS virtual IP | 389 | LDAP | TCP | ldap | Port used by DCAP that is configured for CNUM. This rule is only applicable to DCAP Windows, except DCAP17 FP2.
Nokia AAA | ephemeral | LB JBI virtual IP | 162 | SNMP | UDP | lb-unify | Listening to SNMP traps from Nokia AAA. For the Nokia AAA 18.0 and Nokia AAA 19.0 cloud solutions, the sources are the static IPs of both the active and standby OAM nodes. For the Nokia AAA 19.5 cloud solution, the source is the virtual IP address of the OAM nodes.

Socks | ephemeral | CBIS HV | 443 | HTTPS | TCP | https | For HTTPS connection to CBIS Manager.
Socks | ephemeral | SNMPDEVICE | 443 | HTTPS | TCP | https | Web UI launch via HTTPS for SNMPDEVICE. Note: there is no default port for the SNMPDEVICE Web UI launch; port 443 is used here as an example.
Socks | ephemeral | TITAN-EDGE | 443 | HTTPS | TCP | https | GUI launch.
Socks | ephemeral | TITAN-MASTER | 443 | HTTPS | TCP | https | GUI launch.
SM | ephemeral | LB JBI virtual IP | 162 | SNMP | UDP | snmp-trap-listener | For listening to SNMP traps from Service Manager.
Socks | ephemeral | SM | 443 | HTTPS | TCP | https | Launch SMANAGER-GUI.
Socks | ephemeral | SM | 8443 | HTTPS | TCP | https | Launch Ganglia GUI.
Socks | ephemeral | DDE | 8143 | HTTPS | TCP | https | Launch SMANAGER-GUI (bare metal only).
Socks | ephemeral | DDE | 8443 | HTTPS | TCP | https | Launch Ganglia GUI.
DDE | ephemeral | LB JBI virtual IP | 162 | SNMP | UDP | snmp-trap-listener | For listening to SNMP traps from DDE.
SPM OAM node | ephemeral | LB JBI virtual IP | 30510 | HTTPS/SOAP | TCP | https-ne3sws-notifications | Basic CM, FM, PM SB incoming request integration for SPM. Applicable for SPM 2.0, SPM 3.0 and SPM 3.0 VI.
Socks | ephemeral | MRF | 443 | HTTPS | TCP | https | For HTTPS connection to the RadiSys MRF Web GUI.
Socks | ephemeral | MRF | 80 | HTTP | TCP | http | For HTTP connection to the RadiSys MRF Web GUI.
One-AAA OAM Node | ephemeral | LB JBI virtual IP | 30510 | HTTPS/SOAP | TCP | https-ne3sws-notifications | Basic CM, FM, PM SB incoming request integration for One-AAA. Applicable for One-AAA 7 SP1, One-AAA 8, One-AAA 8 VI, One-AAA 8.1 VI, One-AAA 9.0, One-AAA 9.0 VI, One-AAA 10.0 and One-AAA 10.0 VI.

One-AAA OAM Node | ephemeral | LB JBI virtual IP | 30505 | HTTP/SOAP | TCP | http-ne3sws-notifications | Basic CM, FM, PM SB incoming request integration for One-AAA. Applicable for One-AAA 6 SP1, One-AAA 7, One-AAA 7 SP1, One-AAA 8, One-AAA 8 VI, One-AAA 8.1 VI, One-AAA 9.0, One-AAA 9.0 VI, One-AAA 10.0 and One-AAA 10.0 VI. Optional: this firewall rule is not required if the respective secure protocol is used (port 30510).
OMS | ephemeral | LB WAS virtual IP | 443 | HTTPS | TCP | https | CM upload feedback in secure mode.
Single RAN BTS | ephemeral | LB JBI virtual IP | 30510 | HTTPS | TCP | tcp-30510 | NE3S/WS SMI for SBTS FM/PM notification.
Single RAN BTS | ephemeral | LB JBI virtual IP | 30505 | HTTP | TCP | tcp-30505 | NE3S/WS SMI for SBTS FM/PM notification. Optional: this firewall rule is not required if the respective secure protocol is used.
Single RAN BTS | ephemeral | LB WAS virtual IP | 80 | HTTP | TCP | http | NE3S/WS SMI for SBTS CM notifications. Also used by the SBTS to transfer SBTS software from NetAct Software Manager to the SBTS when IPsec is not in use. Optional: this firewall rule is not required if the respective secure protocol is used.
Single RAN BTS | ephemeral | LB WAS virtual IP | 10510 | HTTP | TCP | tcp-10510 | NE3S/WS SMI for SBTS CM notifications. This firewall rule is required if default port 80 is disabled. Optional: this firewall rule is not required if the respective secure protocol is used.
Single RAN BTS | ephemeral | LB WAS virtual IP | 448 | HTTPS | TCP | tcp-448 | NE3S/WS SMI for SBTS CM notifications.
Single RAN BTS | ephemeral | LB JBI virtual IP | 30509 | HTTPS | TCP | tcp-30509 | SWM outgoing request.
Single RAN BTS | ephemeral | LB JBI virtual IP | 30508 | HTTP | TCP | tcp-30508 | SWM outgoing request. Optional: this firewall rule is not required if the respective secure protocol is used.
Single RAN BTS | ephemeral | LB WAS virtual IP | 389 | LDAP | TCP | ldap | LDAP port used by the SBTS that is configured for CNUM.
Socks | ephemeral | RFC | 8080 | HTTPS | TCP | https | For RFC Web UI launch.
RFC | ephemeral | LB JBI virtual IP | 162 | SNMP | UDP | snmptraplistener | LB JBI virtual IP for listening to SNMP traps from RFC.

MRBTS | ephemeral | LB JBI virtual IP | 30508 | HTTP | TCP | tcp-30508 | SWM outgoing request.
MRBTS | ephemeral | LB JBI virtual IP | 30509 | HTTPS | TCP | tcp-30509 | SWM outgoing request.
RFSA | ephemeral | LB JBI virtual IP | 30505 | HTTP | TCP | tcp-30505 | NE3S/WS SMI for FM notification. Optional: this firewall rule is not required if the respective secure protocol is used (port 30510).
MRBTS | ephemeral | LB JBI virtual IP | 30510 | HTTPS | TCP | tcp-30510 | NE3S/WS SMI for FM/PM notification.
MRBTS | ephemeral | LB JBI virtual IP | 30505 | HTTP | TCP | tcp-30505 | NE3S/WS SMI for FM/PM notification. Optional: this firewall rule is not required if the respective secure protocol is used (port 30510).
GROUTER | ephemeral | LB JBI virtual IP | 162 | SNMP | UDP | snmp-trap-listener | For listening to SNMP traps from GROUTER.
Socks | ephemeral | GROUTER | ephemeral | HTTPS | TCP | https | For Web UI launch to GROUTER.
One-EIR System Monitor | ephemeral | LB JBI virtual IP | 30505 | HTTP/SOAP | TCP | http-ne3sws-notifications | Basic CM, FM, PM SB incoming request integration for One-EIR. Applicable for One-EIR 5.2, One-EIR 16, One-EIR 16.5, One-EIR Cloud 16.5, One-EIR 17, One-EIR Cloud 17, One-EIR 18 onwards and One-EIR Cloud 18 onwards. Optional: for One-EIR 16.5 onwards and One-EIR Cloud 16.5 onwards, this firewall rule is not required if the respective secure protocol is used (port 30510).
One-EIR System Monitor | ephemeral | LB JBI virtual IP | 30510 | HTTPS/SOAP | TCP | https-ne3sws-notifications | Basic CM, FM, PM SB incoming request integration for One-EIR with TLS support. Applicable for One-EIR 16.5, One-EIR Cloud 16.5, One-EIR 17, One-EIR Cloud 17, One-EIR 18 onwards and One-EIR Cloud 18 onwards.
Socks | ephemeral | One-EIR Management Server | 80 | HTTP | TCP | http | One-EIR Management Server web application integration. Applicable for One-EIR 4.0 SP1, One-EIR 5.0, One-EIR 5 SP1, One-EIR 5.2, One-EIR 16, One-EIR 16.5, One-EIR Cloud 16.5, One-EIR 17, One-EIR Cloud 17, One-EIR 18 onwards and One-EIR Cloud 18 onwards.

Data Refinery | ephemeral | LB JBI virtual IP | 162 | SNMP | UDP | snmp-trap-listener | FM function integration.
SNMPDEVICE | ephemeral | LB JBI virtual IP | 162 | SNMP | UDP | snmptraplistener | LB JBI virtual IP for listening to SNMP traps from SNMPDEVICE.
InfobloxDNS Passive Node | ephemeral | LB JBI virtual IP | 162 | SNMP | UDP | snmp-trap-listener | For listening to SNMP traps from the InfobloxDNS Passive Node. Applicable for version 8 onwards.
NTAS Cloud | ephemeral | LB WAS virtual IP | 80 | HTTP/SOAP | TCP | http | CM SB feedback channel integration for NTAS Cloud. Needed for AoM. Optional: this firewall rule is not required if the respective secure protocol is used, which is supported from NTAS 17 SP1 onwards.
NTAS Cloud | ephemeral | LB WAS virtual IP | 10510 | HTTP/SOAP | TCP | tcp-10510 | CM SB feedback channel integration for NTAS Cloud. Needed for AoM. This firewall rule is required if default port 80 is disabled. Optional: this firewall rule is not required if the respective secure protocol is used, which is supported from NTAS 17 SP1 onwards.
NTAS Cloud | ephemeral | LB WAS virtual IP | 448 | HTTPS/SOAP | TCP | tcp-448 | CM SB feedback channel integration for NTAS Cloud with TLS support, supported from NTAS 17 SP1 onwards. Needed for AoM.
SOAM BTS | ephemeral | LB JBI virtual IP | 30509 | HTTPS | TCP | tcp-30509 | SWM outgoing request.
NPO System | ephemeral | LB JBI virtual IP | 30505 | HTTP | TCP | tcp-30505 | NE3S/WS SMI for NPO FM/PM notification without TLS.
NPO System | ephemeral | LB JBI virtual IP | 30510 | HTTPS | TCP | tcp-30510 | NE3S/WS SMI for NPO FM/PM notification with TLS.
SOAM BTS | ephemeral | LB JBI virtual IP | 30508 | HTTP | TCP | tcp-30508 | SWM outgoing request.
NCIR CONTROLLERS | ephemeral | LB JBI virtual IP | 30510 | HTTPS/SOAP | TCP | tcp-30510 | NE3S/WS SMI for FM/PM notification with TLS.
SWITCH | ephemeral | LB JBI virtual IP | 162 | SNMP | UDP | snmp-trap-listener | For listening to SNMPv3 traps from NDCS switches.

BIG IP | ephemeral | LB JBI virtual IP | 162 | SNMP | UDP | snmp-trap-listener | SNMP notification from BIG IP. Applicable for BIG IP 6900 and BIG IP TMOS version 13.
Socks | ephemeral | BIG IP | 443 | HTTPS | TCP | https | BIG IP web application integration. Applicable for BIG IP 6400, BIG IP 6900, BIG IP TMOS version 10, BIG IP TMOS version 11 and BIG IP TMOS version 13. Note: if the configuration utility address of the BIG-IP differs from its management interface address, this firewall rule applies to the configuration utility address.
InfobloxDNS | ephemeral | LB JBI virtual IP | 162 | SNMP | UDP | snmp-trap-listener | For listening to SNMP traps from InfobloxDNS. Applicable for version 8 onwards.
NRBTS | ephemeral | LB JBI virtual IP | 30505 | HTTP | TCP | tcp-30505 | NE3S/WS SMI for 5G BTS FM/PM notification. Optional: this firewall rule is not required if the respective secure protocol is used.
NRBTS | ephemeral | LB WAS virtual IP | 10510 | HTTP | TCP | tcp-10510 | NE3S/WS SMI for 5G BTS CM notifications. This firewall rule is required if default port 80 is disabled. Optional: this firewall rule is not required if the respective secure protocol is used.
NRBTS | ephemeral | LB JBI virtual IP | 30510 | HTTPS | TCP | tcp-30510 | NE3S/WS SMI for FM/PM notification.
NRBTS | ephemeral | LB WAS virtual IP | 448 | HTTPS | TCP | tcp-448 | NE3S/WS SMI for CM notifications.
Socks | ephemeral | EPPSM | ephemeral | HTTPS | TCP | https | For Web UI launch to EPPSM.
EPPSM | ephemeral | LB JBI virtual IP | 162 | SNMP | UDP | snmp-trap-listener | For listening to SNMP traps from EPPSM.
SDME Operation Service | ephemeral | LB JBI virtual IP | 162 | SNMP | UDP | snmp-trap-listener | For listening to SNMP traps from the SDME virtual IP of the operation service.
Nuage 210 WBX Switch | ephemeral | LB JBI virtual IP | 162 | SNMP | UDP | snmp-trap-listener | For listening to SNMP traps from the 210 WBX switch.
CBND | ephemeral | LB JBI virtual IP | 162 | SNMP | UDP | snmp-trap-listener | For listening to SNMP traps from CBND.
Socks | ephemeral | CBND | 443 | HTTPS | TCP | https | Web Portal launch.

CBAM application node 1 | ephemeral | LB JBI virtual IP | 30510 | HTTPS/SOAP | TCP | https-ne3sws-notifications | Basic FM incoming request integration for CBAM. For single-node CBAM, the source is the permanent public IP address of the CBAM virtual machine.
CDRPP | ephemeral | LB JBI virtual IP | 162 | SNMP | UDP | snmp-trap-listener | For listening to SNMP traps from CDRPP/CDRPPGW.
DCAP | ephemeral | LB JBI virtual IP | 30510 | HTTPS | TCP | tcp-30510 | NE3S/WS SMI for DCAP FM/PM notification with TLS. This rule is not applicable to DCAP17 FP2.
Traffica | ephemeral | LB JBI virtual IP | 162 | SNMP | UDP | snmp-trap-listener | FM incoming trap integration for Traffica. Note: this firewall rule applies to version 17isdk and later.
Socks | ephemeral | NDCS Manager | 443 | HTTPS | TCP | https | For HTTPS connection to Nokia AirFrame System Manager (NASM) or Nokia AirFrame Data Center Manager (NADCM). Element Management launch of NASM or NADCM is not supported in NCIR adaptation versions 1.0 and 17.
NTHLR FE | ephemeral | LB WAS virtual IP | 448 | HTTPS/SOAP | TCP | tcp-448 | CM SB feedback channel integration for NTHLR FE with TLS support.
PCC | ephemeral | LB WAS virtual IP | 80 | HTTP/SOAP | TCP | http | CM SB feedback channel integration for PCC. Optional: this firewall rule is not required if the respective secure protocol is used, which is supported from PCC 6.0 SP1 onwards.
PCC | ephemeral | LB WAS virtual IP | 10510 | HTTP/SOAP | TCP | tcp-10510 | CM SB feedback channel integration for PCC. This firewall rule is required if default port 80 is disabled. Optional: this firewall rule is not required if the respective secure protocol is used, which is supported from PCC 6.0 SP1 onwards.
PCC | ephemeral | LB JBI virtual IP | 30505 | HTTP | TCP | http-ne3sws-notifications | Basic CM, FM, PM SB outgoing request integration for PCC. Applicable for all versions. Optional: this firewall rule is not required if the respective secure protocol is used.
PCC | ephemeral | LB JBI virtual IP | 30510 | HTTPS | TCP | https-ne3sws-notifications | Basic CM, FM, PM SB outgoing request integration for PCC. Applicable for all versions.

NetAct™ 22 © 2021 Nokia. Nokia Confidential Information 422


Final Use subject to agreed restrictions on disclosure and use.
Administering NetAct System Security DN0979438_C 5-2 Configuring Firewall for NetAct

Appli- Trans-
Service
Source Source Port Destination Dest. Port cation port Description
Object
Layer Layer

PCC ephemeral LB WAS vir- 448 HTTPS/ TCP tcp-448 CM SB feedback channel integration
tual IP SOAP for PCC with TLS support

Repo Server ephemeral LB WAS vir- 80 HTTP/ TCP http CM SB feedback channel integration
tual IP SOAP for Repo Server

Repo Server ephemeral LB WAS vir- 10510 HTTP/ TCP tcp-10510 CM SB feedback channel integration
tual IP SOAP for Repo Server. This firewall rule is
required if default port 80 is disabled.

Repo Server ephemeral LB WAS vir- 448 HTTPS/ TCP tcp-448 CM SB feedback channel integration
tual IP SOAP for Repo Server with TLS support

Socks ephemeral DRA 8090 HTTPS TCP dra-con- DRA web application integration:
figura- DRA Configurator. Applicable for be-
tor-ui low version: DRA 16.5C onwards.
This is only needed for DRA dis-
patcher node.

Socks ephemeral DRA 8099 HTTPS TCP tsp-ui DRA web application integration:
TSP web gui, process & node man-
agement. Applicable for below ver-
sions: DRA 10.1, DRA 11.0, DRA 15.
5C onwards.

Socks ephemeral DRA 9099 HTTP TCP tsp-ui DRA web application integration:
TSP web gui, process & node man-
agement. Applicable for below ver-
sions: DRA 9.1, DRA 10.1, DRA 11.
0, DRA 15.5C onwards. Optional:
This firewall rule is not required if the
respective secure protocol is used
(port 8099).

Socks ephemeral DRA 9881 HTTPS TCP trace-ui DRA web application integration:
@vantage home page, Trace man-
agement gui. Applicable for below
versions: DRA 10.1, DRA 11.0, DRA
15.5C onwards.

Socks ephemeral DRA 9880 HTTP TCP trace-ui DRA web application integration:
@vantage home page, Trace man-
agement gui. Applicable for below
versions: DRA 9.1, DRA 10.1, DRA
11.0, DRA 15.5C onwards. Optional:
This firewall rule is not required if the
respective secure protocol is used
(port 9881).

BNGLB ephemeral LB WAS vir- 80 HTTP/ TCP http CM SB feedback channel integra-
tual IP SOAP tion for BNGLB Optional: This fire-
wall rule is not required if the respec-
tive secure protocol is used

NetAct™ 22 © 2021 Nokia. Nokia Confidential Information 423


Final Use subject to agreed restrictions on disclosure and use.
Administering NetAct System Security DN0979438_C 5-2 Configuring Firewall for NetAct

Appli- Trans-
Service
Source Source Port Destination Dest. Port cation port Description
Object
Layer Layer

BNGLB ephemeral LB WAS vir- 10510 HTTP/ TCP tcp-10510 CM SB feedback channel integra-
tual IP SOAP tion for BNGLB This firewall rule is
required if default port 80 is disabled.
Optional: This firewall rule is not re-
quired if the respective secure proto-
col is used

BNGLB ephemeral LB WAS vir- 448 HTTPS/ TCP tcp-448 CM SB feedback channel integration
tual IP SOAP for BNGLB with TLS support

Socks ephemeral iNUM 8443 HTTPS TCP https For HTTPS connection to iNUM web
interface when you use Socks proxy

Socks ephemeral PCC 8099 HTTPS TCP tsp-ui PCC web application integration:
TSP Web Administration Applicable
for all versions.

Socks ephemeral PCC 9099 HTTP TCP tsp-ui PCC web application integration:
TSP Web Administration Applicable
for all versions. Optional: This fire-
wall rule is not required if the respec-
tive secure protocol is used (port
8099).

Socks ephemeral PCC 9880 HTTP TCP trace-ui PCC web application integration:
@vantage home page, trace man-
agement Applicable for all versions,
Optional: This firewall rule is not re-
quired if the respective secure proto-
col is used.

Socks ephemeral PCC 9881 HTTPS TCP trace-ui PCC web application integration:
@vantage home page, trace man-
agement Applicable for all versions.

MGMTVNFC ephemeral LB JBI virtu- 30510 HTTPS/ TCP https- Basic CM, FM, PM SB incoming
al IP SOAP ne3sws- request integration for MGMTVN-
notifica- FC. Applicable for below versions:
tions MGMTVNFC 17.0VI onwards.

Socks ephemeral PCC 80 HTTP TCP http PCC web application integration:
Single ware Web GUI Applicable for
all versions

CSCF ephemeral LB WAS vir- 80 HTTP/ TCP http CM SB feedback channel integration
tual IP SOAP for CSCF Optional: This firewall rule
is not required if the respective se-
cure protocol is used

Socks ephemeral DRA-LB 9099 HTTP TCP tsp-ui DRA-LB web application integration:
TSP web gui, process & node man-
agement. Applicable for below ver-
sion: DRA-LB 15.5VI onwards.

NetAct™ 22 © 2021 Nokia. Nokia Confidential Information 424


Final Use subject to agreed restrictions on disclosure and use.
Administering NetAct System Security DN0979438_C 5-2 Configuring Firewall for NetAct

Appli- Trans-
Service
Source Source Port Destination Dest. Port cation port Description
Object
Layer Layer

CSCF ephemeral LB WAS vir- 10510 HTTP/ TCP tcp-10510 CM SB feedback channel integra-
tual IP SOAP tion for CSCF This firewall rule is re-
quired if default port 80 is disabled.
Optional: This firewall rule is not re-
quired if the respective secure proto-
col is used

CSCF ephemeral LB WAS vir- 448 HTTPS/ TCP tcp-448 CM SB feedback channel integration
tual IP SOAP for CSCF with TLS support

Socks ephemeral DRA-LB 9880 HTTP TCP trace-ui DRA-LB web application integration:
@vantage home page, Trace man-
agement gui. Applicable for below
version: DRA-LB 15.5VI onwards.

CSCF-LB ephemeral LB WAS vir- 80 HTTP/ TCP http CM SB feedback channel integration
tual IP SOAP for CSCF VI used by AoM.

Socks ephemeral DRA-LB 8090 HTTP TCP dra-con- DRA-LB web application integration:
figura- DRA Configurator GUI. Applicable
tor-ui for below version: DRA-LB 16.5VI
onwards.

CSCF-LB ephemeral LB WAS vir- 10510 HTTP/ TCP tcp-10510 CM SB feedback channel integration
tual IP SOAP for CSCF VI used by AoM. This fire-
wall rule is required if default port 80
is disabled.

CSCF ephemeral LB JBI virtu- 30510 HTTPS/ TCP https- FM, PM SB incoming request inte-
MGMTVNFC al IP SOAP ne3sws- gration for CSCF VNF with Manage-
notifica- ment VNFC.
tions

HSS ephemeral LB JBI virtu- 30510 HTTPS/ TCP https- FM, PM SB incoming request inte-
MGMTVNFC al IP SOAP ne3sws- gration for HSS VNF with Manage-
notifica- ment VNFC.
tions

DRA ephemeral LB JBI virtu- 30510 HTTPS/ TCP https- Basic CM, FM, PM SB incoming re-
al IP SOAP ne3sws- quest integration for DRA. Applicable
notifica- for below versions: DRA 10.1, DRA
tions 11.0, DRA 15.5C onwards.

DRA ephemeral LB JBI virtu- 30505 HTTP/ TCP http- Basic CM, FM, PM SB incoming re-
al IP SOAP ne3sws- quest integration for DRA. Applic-
notifica- able for below versions: DRA 9.1,
tions DRA 10.1, DRA 11.0, DRA 15.5C
onwards. Optional: This firewall rule
is not required if the respective se-
cure protocol is used (port 30510).

DRA ephemeral LB WAS vir- 80 HTTP/ TCP http CM SB feedback channel integration
tual IP SOAP for DRA Optional: This firewall rule is
not required if the respective secure

NetAct™ 22 © 2021 Nokia. Nokia Confidential Information 425


Final Use subject to agreed restrictions on disclosure and use.
Administering NetAct System Security DN0979438_C 5-2 Configuring Firewall for NetAct

Appli- Trans-
Service
Source Source Port Destination Dest. Port cation port Description
Object
Layer Layer

protocol is used and it is supported


from DRA 10.0 onwards

DRA ephemeral LB WAS vir- 10510 HTTP/ TCP tcp-10510 CM SB feedback channel integration
tual IP SOAP for DRA This firewall rule is required
if default port 80 is disabled. Option-
al: This firewall rule is not required
if the respective secure protocol is
used and it is supported from DRA
10.0 onwards

DRA ephemeral LB WAS vir- 448 HTTPS/ TCP tcp-448 CM SB feedback channel integration
tual IP SOAP for DRA with TLS support

DRA-LB ephemeral LB JBI virtu- 30505 HTTP/ TCP http- FM, PM SB incoming request inte-
al IP SOAP ne3sws- gration for DRA-LB. Applicable for
notifica- below version: DRA-LB 15.5VI on-
tions wards.

DRA-LB ephemeral LB WAS vir- 80 HTTP/ TCP http CM SB feedback channel integration
tual IP SOAP for DRA AoM. Applicable for all DRA
VI versions,

DRA-LB ephemeral LB WAS vir- 10510 HTTP/ TCP tcp-10510 CM SB feedback channel integration
tual IP SOAP for DRA AoM. This firewall rule is re-
quired if default port 80 is disabled.
Applicable for all DRA VI versions,

SS7 ephemeral LB JBI virtu- 30510 HTTPS TCP https- Basic CM, FM, PM SB outgoing re-
al IP ne3sws- quest integration for SS7 Applicable
notifica- for all versions
tions

SS7 ephemeral LB JBI virtu- 30505 HTTP TCP http- Basic CM, FM, PM SB outgoing re-
al IP ne3sws- quest integration for SS7 Applicable
notifica- for all versions Optional: This firewall
tions rule is not required if the respective
secure protocol is used

SS7 ephemeral LB WAS vir- 80 HTTP/ TCP http CM SB feedback channel integration
tual IP SOAP for SS7. Optional: This firewall rule is
not required if the respective secure
protocol is used

SS7 ephemeral LB WAS vir- 10510 HTTP/ TCP tcp-10510 CM SB feedback channel integration
tual IP SOAP for SS7. This firewall rule is required
if default port 80 is disabled. Option-
al: This firewall rule is not required
if the respective secure protocol is
used

SS7 ephemeral LB WAS vir- 448 HTTPS TCP https CM SB feedback channel integration
tual IP for SS7 with TLS support. Applicable
SS7 15.5 onwards

NetAct™ 22 © 2021 Nokia. Nokia Confidential Information 426


Final Use subject to agreed restrictions on disclosure and use.
Administering NetAct System Security DN0979438_C 5-2 Configuring Firewall for NetAct

Appli- Trans-
Service
Source Source Port Destination Dest. Port cation port Description
Object
Layer Layer

TIAMS ephemeral LB WAS vir- 80 HTTP/ TCP http CM SB feedback channel integration
tual IP SOAP for TIAMS Applicable for below ver-
sions Optional: This firewall rule is
not required if the respective secure
protocol is used

TIAMS ephemeral LB WAS vir- 10510 HTTP/ TCP tcp-10510 CM SB feedback channel integration
tual IP SOAP for TIAMS Applicable for below ver-
sions This firewall rule is required if
default port 80 is disabled. Optional:
This firewall rule is not required if the
respective secure protocol is used

TIAMS ephemeral LB WAS vir- 448 HTTPS/ TCP tcp-448 CM SB feedback channel integration
tual IP SOAP for TIAMS with TLS support

HSSFE ephemeral LB WAS vir- 80 HTTP/ TCP http CM SB feedback channel integra-
tual IP SOAP tion for HSSFE Optional: This fire-
wall rule is not required if the respec-
tive secure protocol is used

HSSFE ephemeral LB WAS vir- 10510 HTTP/ TCP tcp-10510 CM SB feedback channel integra-
tual IP SOAP tion for HSSFE This firewall rule is
required if default port 80 is disabled.
Optional: This firewall rule is not re-
quired if the respective secure proto-
col is used

HSSFE ephemeral LB WAS vir- 448 HTTPS/ TCP tcp-448 CM SB feedback channel integration
tual IP SOAP for HSS FE with TLS support

MGMTVNFC ephemeral LB JBI virtu- 30505 HTTP/ TCP http- FM, PM SB incoming request inte-
al IP SOAP ne3sws- gration for MGMTVNFC. Applicable
notifica- for below versions: MGMTVNFC 17.
tions 0VI onwards.

IMSOAM ephemeral LB WAS vir- 80 HTTP/ TCP http CM SB feedback channel integration
tual IP SOAP for IMSOAM, DRA VI and CSCF VI
used by AoM.

IMSOAM ephemeral LB WAS vir- 10510 HTTP/ TCP tcp-10510 CM SB feedback channel integration
tual IP SOAP for IMSOAM DRA VI and CSCF VI
used by AoM. This firewall rule is re-
quired if default port 80 is disabled.

Data Refin- ephemeral LB JBI virtu- 30505 HTTP/ TCP http- NE3SWS SMI for Data Refinery FM
ery al IP SOAP ne3sws- notification
notifica-
tions

Data Refin- ephemeral LB JBI virtu- 30510 HTTPS/ TCP https- NE3SWS SMI for Data Refinery FM
ery al IP SOAP ne3sws- notification with TLS mode
notifica-
tions

NetAct™ 22 © 2021 Nokia. Nokia Confidential Information 427


Final Use subject to agreed restrictions on disclosure and use.
Administering NetAct System Security DN0979438_C 5-2 Configuring Firewall for NetAct

Appli- Trans-
Service
Source Source Port Destination Dest. Port cation port Description
Object
Layer Layer

Socks ephemeral AGCF 443 HTTPS TCP https For HTTPS connection to AGCF
Web GUI

AGCF ephemeral LB JBI virtu- 162 SNMP UDP sn- FM function Integration
al IP mp-trap-
listener

SPS-ME ephemeral LB JBI virtu- 162 SNMP UDP sn- FM function Integration
al IP mp-trap-
listener

SPS-SM ephemeral LB JBI virtu- 162 SNMP UDP sn- FM function Integration. Same rule
al IP mp-trap- need to be used for SPS Co-located
listener environment as well.

IECCF ephemeral LB JBI virtu- 162 SNMP UDP sn- FM function Integration
al IP mp-trap-
listener

MRF ephemeral LB WAS vir- 162 SNMP UDP sn- For listening to SNMP Traps from
tual IP mp-trap- RadiSys MRF
listener

Nokia De- ephemeral LB JBI virtu- 162 SNMP UDP sn- For listening to SNMP Traps from
composed al IP mp-trap- Nokia Decomposed SBC Media
SBC Media listener Plane
Plane

Nokia De- ephemeral LB JBI virtu- 162 SNMP UDP lb-unify For listening to SNMP Traps from
composed al IP Nokia Decomposed SBC Signaling
SBC Signal- Plane
ing Plane

Socks ephemeral CBIS VIP 443 HTTPS TCP https For HTTPS connection to CBIS Hori-
zon or CBIS controller Zabbix.

Socks ephemeral eSM virtual 8080 HTTPS TCP https For WebUI Launch to eSM. If the
address HTTPS port of eSM isn't 8080, en-
sure to open the firewall for the cor-
rect port.

eSM trap ephemeral LB JBI virtu- 162 SNMP UDP sn- For listening to SNMP Traps from
source ad- al IP mp-trap- eSM node
dresses listener

OCS ephemeral LB JBI virtu- 162 SNMP UDP sn- For listening to SNMP Traps from
al IP mp-trap- OCS
listener

RDR ephemeral LB JBI virtu- 162 SNMP UDP sn- For listening to SNMP Traps from
al IP mp-trap- RDR
listener

NetAct™ 22 © 2021 Nokia. Nokia Confidential Information 428


Final Use subject to agreed restrictions on disclosure and use.
Administering NetAct System Security DN0979438_C 5-2 Configuring Firewall for NetAct

Appli- Trans-
Service
Source Source Port Destination Dest. Port cation port Description
Object
Layer Layer

eCGS ephemeral LB JBI virtu- 162 SNMP UDP sn- For listening to SNMP Traps from
al IP mp-trap- eCGS
listener

Socks ephemeral Nokia MRF 8081 HTTP TCP http For launching applet to check alarms
on WebOAM GUI (Nokia MRF ad-
dress: use MRFC MNGT IP address
for Simplex mode and use MRFC
MNGT VIP address for Duplex mode
and High Availability mode)

Socks ephemeral Nokia MRF 8082 HTTPS TCP https For launching Nokia MRF WebOAM
(Nokia MRF address: use MRFC
MNGT IP address for Simplex mode
and use MRFC MNGT VIP address
for Duplex mode and High Availabili-
ty mode)

Nokia MRF ephemeral LB JBI virtu- 162 SNMP UDP sn- For listening to SNMP Traps from
al IP mp-trap- Nokia MRF (Nokia MRF address:
listener use MRFC MNGT IP address for
Simplex mode and use MRFC
MNGT physical IP addresses for
Duplex mode and High Availability
mode)

Socks ephemeral Nokia Inte- 8443 HTTPS TCP https For WebUI Launch to Nokia Integrat-
grated SBC ed SBC

ASCBTS ephemeral LB JBI virtu- 30510 HTTPS TCP tcp-30510 NE3S/WS SMI for AirScale Cloud
al IP BTS FM/PM notification.

Socks ephemeral SWITCH 443 HTTPS TCP https For HTTPS connection to NDCS
Switches Web GUI

MRF ephemeral LB JBI virtu- 162 SNMP UDP sn- For listening to SNMP Traps from
al IP mp-trap- RadiSys MRF
listener

One-MNP ephemeral LB JBI virtu- 30505 HTTP/ TCP http- Basic CM, FM, PM SB incoming re-
System al IP SOAP ne3sws- quest integration for One-MNP. Ap-
Monitor notifica- plicable for below versions: One-
tions MNP 15.5, One-MNP 16, One-MNP
16.5, One-MNP Cloud 16.5, One-
MNP 17, One-MNP Cloud 17, One-
MNP 18, One-MNP Cloud 18. Op-
tional: For One-MNP 16.5 onwards
and One-MNP Cloud 16.5 onwards,
this firewall rule is not required if the
respective secure protocol is used
(port 30510).

NetAct™ 22 © 2021 Nokia. Nokia Confidential Information 429


Final Use subject to agreed restrictions on disclosure and use.
Administering NetAct System Security DN0979438_C 5-2 Configuring Firewall for NetAct

Appli- Trans-
Service
Source Source Port Destination Dest. Port cation port Description
Object
Layer Layer

One-MNP ephemeral LB JBI virtu- 30510 HTTPS/ TCP http- Basic CM, FM, PM SB incoming re-
System al IP SOAP ne3sws- quest integration for One-MNP with
Monitor notifica- TLS support. Applicable for below
tions versions: One-MNP 16.5, One-MNP
Cloud 16.5, One-MNP 17, One-MNP
Cloud 17, One-MNP 18, One-MNP
Cloud 18.

Socks ephemeral One-MNP 80 HTTP TCP http One-MNP Management Server Web
Management Application integration. Applicable for
Server below versions: One-MNP 8.0 SP6,
One-MNP 9.0, One-MNP 15.5, One-
MNP 16. One-MNP 16.5, One-MNP
Cloud 16.5, One-MNP 17, One-MNP
Cloud 17, One-MNP 18, One-MNP
Cloud 18.

SWITCH ephemeral LB JBI virtu- 162 SNMP UDP sn- For listening to SNMP traps from
al IP mp-trap- NDCS Switches.
listener

Sun Rack ephemeral LB JBI virtu- 162 SNMP UDP sn- SNMP trap notification from Sun
Server al IP mp-trap- Rack Server
listener

ASCBTS ephemeral LB WAS vir- 448 HTTPS TCP tcp-448 NE3S/WS SMI for AirScale Cloud
tual IP BTS CM notifications.

ASCBTS ephemeral LB JBI virtu- 30509 HTTPS TCP tcp-30509 SWM outgoing request.
al IP

ASCBTS ephemeral LB JBI virtu- 30508 HTTP TCP tcp-30508 SWM outgoing request. Optional:
al IP This firewall rule is not required if the
respective secure protocol is used.

NPC ephemeral LB JBI virtu- 30505 HTTP TCP tcp-30505 NE3S/WS SMI for NPC FM/PM noti-
al IP fication with non-TLS mode

NPC ephemeral LB JBI virtu- 30510 HTTPS TCP tcp-30510 NE3S/WS SMI for NPC FM/PM noti-
al IP fication with TLS mode

Socks ephemeral SERVER 443 HTTPS TCP https For HTTPS connection to NDCS
Servers Web GUI

SERVER ephemeral LB JBI virtu- 162 SNMP UDP sn- For listening to SNMP traps from
al IP mp-trap- NDCS Servers.
listener

GeoServer ephemeral LB WAS vir- 10443 HTTPS/ TCP https Sending trace data to TraceViewer
tual IP SOAP Applicable after IHS Modularity

Remote ephemeral LB WAS vir- 10443 HTTPS/ TCP https Connection between NetAct in-
TraceViewer tual IP SOAP stances, Applicable after IHS Modu-
InterCluster larity

NetAct™ 22 © 2021 Nokia. Nokia Confidential Information 430


Final Use subject to agreed restrictions on disclosure and use.
Administering NetAct System Security DN0979438_C 5-2 Configuring Firewall for NetAct

Appli- Trans-
Service
Source Source Port Destination Dest. Port cation port Description
Object
Layer Layer

Socks ephemeral OCS ephemeral HTTPS TCP https For WebUI Launch to OCS.

Socks ephemeral RDR ephemeral HTTPS TCP https For WebUI Launch to RDR.

Socks ephemeral eCGS ephemeral HTTPS TCP https For WebUI Launch to eCGS.

Socks ephemeral CDRPP ephemeral HTTPS TCP https For WebUI Launch to CDRPP/
CDRPPGW.

FCOSS ephemeral LB JBI virtu- 162 SNMP UDP sn- For listening to SNMP traps from
al IP mp-trap- Flexi Cluster system
listener

Socks ephemeral FCOSS 8080 HTTP TCP http Support for Web UI launch to Flexi
Cluster system

Socks ephemeral Juniper 443 HTTPS TCP https For Junos Space launch operations
to Juniper

CBAM O&M ephemeral LB JBI virtu- 30510 HTTPS/ TCP https- Basic FM incoming request integra-
Agent al IP SOAP ne3sws- tion for CBAM
notifica-
tions

Socks ephemeral CBAM Web 443 HTTPS TCP https Web UI launch
UI

Socks ephemeral NTAS Cloud 8443 HTTPS TCP http EM launch for NTAS

NTAS Cloud ephemeral LB JBI virtu- 30505 HTTP TCP http- FM/PM Notifications from NTAS in
al IP ne3sws- no TLS mode Optional: This firewall
notifica- rule is not required if the respective
tions secure protocol is used (port 30510)

NTAS Cloud ephemeral LB JBI virtu- 30510 HTTPS TCP http- FM/PM Notifications from NTAS in
al IP ne3sws- TLS mode
notifica-
tions

Socks ephemeral NCIR HA 443 HTTPS TCP https For HTTPS connection to NCIR HA
Proxy Proxy.

NCIR HA ephemeral LB JBI virtu- 162 SNMP UDP sn- For listening to SNMP traps from
Proxy al IP mp-trap- NCIR HA Proxy.
listener

NCIR CON- ephemeral LB JBI virtu- 162 SNMP UDP sn- For listening to SNMP traps from
TROLLERS al IP mp-trap- NCIR CONTROLLERS.
listener

Socks ephemeral CBIS VIP 80 HTTP TCP http For HTTP connection to CBIS Hori-
zon or CBIS controller Zabbix. HTTP
connection is not supported for CBIS
adaptation version 17.5 and 18.

NetAct™ 22 © 2021 Nokia. Nokia Confidential Information 431


Final Use subject to agreed restrictions on disclosure and use.
Administering NetAct System Security DN0979438_C 5-2 Configuring Firewall for NetAct

Appli- Trans-
Service
Source Source Port Destination Dest. Port cation port Description
Object
Layer Layer

CBIS CTRL ephemeral LB JBI virtu- 162 SNMP UDP sn- For listening to SNMP traps from
al IP mp-trap- CBIS controller
listener

SDL Teleme- ephemeral LB JBI virtu- 162 SNMP UDP sn- For listening to SNMP Traps from
try Service al IP mp-trap- Virtual IP of SDL VNF telemetry ser-
listener vice

PGW ephemeral LB JBI virtu- 162 SNMP UDP sn- For listening to SNMP Traps from
Telemetry al IP mp-trap- Virtual IP of PGW VNF telemetry ser-
Service listener vice

DCAP ephemeral LB JBI virtu- 30505 HTTP TCP tcp-30505 NE3S/WS SMI for DCAP FM/PM no-
al IP tification

Juniper ephemeral LB JBI virtu- 162 SNMP UDP sn- For SNMP trap operations to Juniper
al IP mp-trap-
listener

EMC ephemeral LB JBI virtu- 162 SNMP UDP sn- SNMP trap notification from for EMC.
al IP mp-trap- Applicable for below versions: EMC
listener CX4-120, EMC VNX5100.

Flexi NG ephemeral LB WAS vir- 448 HTTPS/ TCP tcp-448 CM SB feedback channel integra-
tual IP SOAP tion for FlexiNG with TLS support
required for AOM. Applicable from
FlexiNG 17 onwards.

User Work- ephemeral LB WAS vir- 10443 HTTPS TCP https-alt1 Assigned port used by HTTPS trans-
station Apps tual IP port secure port. Optimizer uses
Https port 10443 in CLA feature for
file upload through secure SSL port.
Optimizer is phased out from Net-
act18. Hence this port will not be
used by Optimizer from Netact18 on-
wards. SW import Manager uses the
port for transfer via HTTPS protocol
with client's SSL certificate authenti-
cation.

BTSMED ephemeral LB JBI virtu- 30505 HTTP TCP tcp-30505 NE3S/WS SMI for FM/PM notifica-
al IP tion. Optional: This firewall rule is not
required if the respective secure pro-
tocol is used (port 30510).

BTSMED ephemeral LB WAS vir- 80 HTTP TCP http NE3S/WS SMI for CM notifications.
tual IP A port is used to transfer software
from NetAct Software Manager to
BTSMED, when IPSec not in use.
Optional: This firewall rule is not re-
quired if the respective secure proto-
col is used.

NetAct™ 22 © 2021 Nokia. Nokia Confidential Information 432


Final Use subject to agreed restrictions on disclosure and use.
Administering NetAct System Security DN0979438_C 5-2 Configuring Firewall for NetAct

Appli- Trans-
Service
Source Source Port Destination Dest. Port cation port Description
Object
Layer Layer

Socks ephemeral ENET 443 HTTPS TCP https For https operations to Eden-NET
Web Browser.

Socks ephemeral ENETNODE 443 HTTPS TCP https For https operations to Zabbix Web
Browser.

ENETNODE ephemeral LB JBI virtu- 162 SNMP UDP sn- For listening to SNMP traps from
al IP mp-trap- Eden-NET self-monitoring node.
listener

Flexi NG ephemeral LB JBI virtu- 30510 HTTPS/ TCP http- NE3SWS connection from Flexi
al IP SOAP ne3sws- NG to NetAct with TLS mode: Flexi
notifica- NG17 onwards
tions

Open BGW ephemeral LB WAS vir- 448 HTTPS/ TCP tcp-448 CM SB feedback channel integra-
tual IP SOAP tion for OpenBGW with TLS support.
Applicable from OpenBGW16.5 on-
wards

BTSMED ephemeral LB JBI virtu- 30510 HTTPS TCP tcp-30510 NE3S/WS SMI for FM/PM notifica-
al IP tion.

BTSMED ephemeral LB WAS vir- 10510 HTTP TCP tcp-10510 NE3S/WS SMI for CM notifications.
tual IP Optional: This firewall rule is not re-
quired if the respective secure pro-
tocol is used This firewall rule is re-
quired if default port 80 is disabled.

BTSMED ephemeral LB WAS vir- 448 HTTPS TCP tcp-448 NE3S/WS SMI for CM notifications.
tual IP

BTSMED ephemeral LB JBI virtu- 30509 HTTPS TCP tcp-30509 SWM outgoing request.
al IP

BTSMED ephemeral LB JBI virtu- 30508 HTTP TCP tcp-30508 SWM outgoing request. Optional:
al IP This firewall rule is not required if the
respective secure protocol is used.

SOAM BTS ephemeral LB WAS vir- 389 LDAP TCP ldap LDAP port used by SOAM BTS that
tual IP is configured for CNUM.

Open MGW ephemeral LB JBI virtu- 30510 HTTPS/ TCP http- NE3SWS SMI for FM/PM notification
al IP SOAP ne3sws- with TLS mode.
notifica-
tions

RESTDA ephemeral LB WAS vir- 9527 HTTPS TCP restda Provide RESTful web service Data
Higher Level tual IP Access API to RESTDA Higher Level
System System (Customer)

ASRNC_CF- ephemeral LB WAS vir- 389 LDAP TCP ldap LDAP port used by ASRNC that is
PU tual IP configured for CNUM

NetAct™ 22 © 2021 Nokia. Nokia Confidential Information 433


Final Use subject to agreed restrictions on disclosure and use.
Administering NetAct System Security DN0979438_C 5-2 Configuring Firewall for NetAct

Appli- Trans-
Service
Source Source Port Destination Dest. Port cation port Description
Object
Layer Layer

TI- ephemeral LB JBI virtu- 162 SNMP UDP sn- For listening to SNMP Traps from TI-
TAN-MASTER al IP mp-trap- TAN
listener

TI- ephemeral LB JBI virtu- 162 SNMP UDP sn- For listening to SNMP Traps from TI-
TAN-EDGE al IP mp-trap- TAN
listener

Nokia Inte- ephemeral LB JBI virtu- 162 SNMP UDP lb-unify For listening to SNMP Traps from
grated SBC al IP Nokia Integrated SBC

Socks ephemeral SMM 443 HTTP TCP http For HTTP connection to SMM.

Nokia 9926 ephemeral LB LTEA vir- 162 SNMP UDP ltea-sn- For Listening to SNMP traps from
eNodeB tual IP mp-trap Nokia 9926 eNodeB

DSC PS ephemeral LB JBI virtu- 162 SNMP UDP sn- For listening to SNMP Traps from
al IP mp-trap- DSC PS Applicable for below ver-
listener sions: DSC 9.0 R3,DSC 9.0 R5,DSC
17.4

Socks ephemeral DSC PS 443 HTTPS TCP https For HTTPS connection to DSC PS
Applicable for below versions: DSC
9.0 R3,DSC 9.0 R5,DSC 17.4

DSC CS ephemeral LB JBI virtu- 162 SNMP UDP sn- For listening to SNMP Traps from
al IP mp-trap- DSC CS Applicable for below ver-
listener sions: DSC 9.0 R3,DSC 9.0 R5,DSC
17.4

Socks ephemeral DSC CS 443 HTTPS TCP https For HTTPS connection to DSC CS
Applicable for below versions: DSC
9.0 R3,DSC 9.0 R5,DSC 17.4

mcRNC_CF- ephemeral LB WAS vir- 389 LDAP TCP ldap LDAP port used by mcRNC that is
PU tual IP configured for CNUM

Socks ephemeral FPRB 80 HTTP TCP http For HTTP connection to FPRB.

FPRB ephemeral LB JBI virtu- 162 SNMP UDP sn- For listening to SNMP traps from
al IP mp-trap- FPRB.
listener

SMM ephemeral LB JBI virtu- 162 SNMP UDP sn- For listening to SNMP traps from
al IP mp-trap- SMM
listener

CWLC ephemeral LB WAS vir- 448 HTTPS TCP tcp-448 Port used for CM operations notifica-
tual IP tions.

CWLC ephemeral LB WAS vir- 448 HTTP TCP tcp-448 Port used for CM operations notifi-
tual IP cations. This rule is optional, and not
needed if relevant secure protocol is
used.

NetAct™ 22 © 2021 Nokia. Nokia Confidential Information 434


Final Use subject to agreed restrictions on disclosure and use.
Administering NetAct System Security DN0979438_C 5-2 Configuring Firewall for NetAct

Appli- Trans-
Service
Source Source Port Destination Dest. Port cation port Description
Object
Layer Layer

SBTS ephemeral LB WAS vir- 443 HTTPS TCP https A port used by SBTS to transfer
tual IP SBTS software from NetAct Software
Manager to SBTS, when IPSec not
in use. Note: During the Plug and
Play process, this firewall rule must
be applied only for SBTS using tem-
porary IP address.

SBTS ephemeral LB JBI virtu- 30510 HTTPS TCP tcp-30510 NE3S/WS SMI for SBTS FM/PM no-
al IP tification. Note: During the Plug and
Play Process, this firewall rule must
be applied additionally for SBTS us-
ing the temporary IP address.

SBTS ephemeral LB JBI virtu- 30505 HTTP TCP tcp-30505 NE3S/WS SMI for SBTS FM/PM no-
al IP tification. Optional: This firewall rule
is not required if the respective se-
cure protocol is used. Note: During
the Plug and Play Process, this fire-
wall rule must be applied additionally
for SBTS using the temporary IP ad-
dress.

SBTS ephemeral LB WAS vir- 80 HTTP TCP http NE3S/WS SMI for SBTS CM noti-
tual IP fications. A port used by SBTS to
transfer SBTS software from NetAct
Software Manager to SBTS, when
IPSec not in use. Optional: This fire-
wall rule is not required if the respec-
tive secure protocol is used. Note:
During the Plug and Play Process,
this firewall rule must be applied ad-
ditionally for SBTS using the tempo-
rary IP address.

SBTS ephemeral LB WAS vir- 10510 HTTP TCP tcp-10510 NE3S/WS SMI for SBTS CM notifi-
tual IP cations. Optional: This firewall rule
is not required if the respective se-
cure protocol is used This firewall
rule is required if default port 80 is
disabled. Note: During the Plug and
Play Process, this firewall rule must
be applied additionally for SBTS us-
ing the temporary IP address.

SBTS ephemeral LB WAS vir- 448 HTTPS TCP tcp-448 NE3S/WS SMI for SBTS CM notifi-
tual IP cations. Note: During the Plug and
Play Process, this firewall rule must
be applied additionally for SBTS us-
ing the temporary IP address.

NetAct™ 22 © 2021 Nokia. Nokia Confidential Information 435


Final Use subject to agreed restrictions on disclosure and use.
Administering NetAct System Security DN0979438_C 5-2 Configuring Firewall for NetAct

Appli- Trans-
Service
Source Source Port Destination Dest. Port cation port Description
Object
Layer Layer

SBTS ephemeral LB JBI virtu- 30509 HTTPS TCP tcp-30509 SWM outgoing request. Note: During
al IP the Plug and Play Process, this fire-
wall rule must be applied additionally
for SBTS using the temporary IP ad-
dress.

Source | Source Port | Destination | Dest. Port | Application Layer | Transport Layer | Service Object | Description
SBTS | ephemeral | LB JBI virtual IP | 30508 | HTTP | TCP | tcp-30508 | SWM outgoing request. Optional: This firewall rule is not required if the respective secure protocol is used. Note: During the Plug and Play Process, this firewall rule must be applied additionally for SBTS using the temporary IP address.
SBTS | ephemeral | LB WAS virtual IP | 389 | LDAP | TCP | ldap | LDAP port used by SBTS that is configured for CNUM. Note: During the Plug and Play Process, this firewall rule must be applied additionally for SBTS using the temporary IP address.
One-NDS Status Service | ephemeral | LB WAS virtual IP | 448 | HTTPS/SOAP | TCP | tcp-448 | CM SB feedback channel integration for One-NDS with TLS support. Applicable for OneNDS 16.5 onwards.
One-NDS Status Service | ephemeral | LB JBI virtual IP | 30510 | HTTPS/SOAP | TCP | http-ne3sws-notifications | Basic CM, FM, PM SB incoming request integration for One-NDS with TLS support. Applicable for below versions: One-NDS 16.5; One-NDS 17; One-NDS 19.
CWLC | ephemeral | LB JBI virtual IP | 30510 | HTTPS | TCP | tcp-30510 | NE3S/WS SMI for Nokia Wi-Fi FM/PM notification
CWLC | ephemeral | LB JBI virtual IP | 30505 | HTTP | TCP | tcp-30505 | NE3S/WS SMI for Nokia Wi-Fi FM/PM notification. Optional: This firewall rule is not required if the respective secure protocol is used.
CWLC | ephemeral | LB JBI virtual IP | 30509 | HTTPS | TCP | tcp-30509 | SWM outgoing request
CWLC | ephemeral | LB JBI virtual IP | 30508 | HTTP | TCP | tcp-30508 | SWM outgoing request. Optional: This firewall rule is not required if the respective secure protocol is used.
BSC | ephemeral | LB WAS virtual IP | 389 | LDAP | TCP | ldap | Used for BSC CNUM
ASCBTS | ephemeral | LB JBI virtual IP | 30505 | HTTP | TCP | tcp-30505 | NE3S/WS SMI for AirScale Cloud BTS FM/PM notification. Optional: This firewall rule is not required if the respective secure protocol is used.
ASCBTS | ephemeral | LB WAS virtual IP | 80 | HTTP | TCP | http | NE3S/WS SMI for AirScale Cloud BTS CM notifications. Optional: This firewall rule is not required if the respective secure protocol is used.
ASCBTS | ephemeral | LB WAS virtual IP | 10510 | HTTP | TCP | tcp-10510 | NE3S/WS SMI for AirScale Cloud BTS CM notifications. This firewall rule is required if default port 80 is disabled. Optional: This firewall rule is not required if the respective secure protocol is used.
Open BGW Cloud | ephemeral | LB JBI virtual IP | 30505 | HTTP/SOAP | TCP | http-ne3sws-communication | NE3SWS SMI for FM/PM notification with non-TLS mode
SPM OAM node | ephemeral | LB JBI virtual IP | 30505 | HTTP/SOAP | TCP | http-ne3sws-notifications | Basic CM, FM, PM SB incoming request integration for SPM. Applicable for below versions: SPM 2.0, SPM 3.0, SPM 3.0 VI. Optional: This firewall rule is not required if the respective secure protocol is used (port 30510).
Open BGW | ephemeral | LB WAS virtual IP | 389 | LDAP | TCP | ldap | For Open BGW CNUM, applicable for version: OpenBGW16
Open TAS Cloud SEE | ephemeral | LB JBI virtual IP | 30510 | HTTPS | TCP | tcp-30510 | NE3S/WS SMI for FM/PM notification with TLS mode
Socks | ephemeral | Open TAS Cloud SEE | 8443 | HTTPS | TCP | https | Web GUI Launch support for Open TAS Cloud SEE
IPA-RNC | ephemeral | LB WAS virtual IP | 389 | LDAP | TCP | ldap | LDAP port used by IPA-RNC that is configured for CNUM
WBTS | ephemeral | LB WAS virtual IP | 389 | LDAP | TCP | ldap | LDAP port used by WBTS that is configured for CNUM
Socks | ephemeral | MSTP | 443 | HTTPS | TCP | https | For HTTPS connection to TP2300/2700
Socks | ephemeral | PKI | 8083 | HTTP | TCP | http | For HTTP connection to PKI Insta Certifier.
One-NDS Status Service | ephemeral | LB JBI virtual IP | 30505 | HTTP/SOAP | TCP | http-ne3sws-notifications | Basic CM, FM, PM SB incoming request integration for One-NDS. Applicable for below versions: One-NDS 9 SP2; One-NDS 16; One-NDS 16.5; One-NDS 17; One-NDS 19. Optional: From One-NDS 16.5, this firewall rule is not required if the respective secure protocol is used (port 30510).
Socks | ephemeral | One-NDS Provisioning Gateway Server | 443 | HTTPS | TCP | https | One-NDS Provisioning Gateway Web Application integration. Applicable for below versions: One-NDS 9 SP2; One-NDS 16; One-NDS 16.5; One-NDS 17; One-NDS 19.
Socks | ephemeral | One-NDS Administrator Server | 8443 | HTTPS | TCP | https | One-NDS Administrator server Web Application integration. Applicable for below versions: One-NDS 9 SP2; One-NDS 16; One-NDS 16.5; One-NDS 17; One-NDS 19.
SADM | ephemeral | LB WAS virtual IP | 262 | SNMP | UDP | snmp-ne3ssnmp-notifications | NE3S/SNMP notification from SADM. Applicable for below versions: SADM 9.0, SADM 10, SADM 16.
DPA | ephemeral | LB WAS virtual IP | 262 | SNMP | UDP | snmp-ne3ssnmp-notifications | NE3S/SNMP notification from DPA. Applicable for below version: DPA 16
Socks | ephemeral | SADM | 8443 | HTTPS | TCP | https | SADM Web Application integration. Applicable for below versions: SADM 9.0, SADM 10, SADM 16.
ePDG | ephemeral | LB WAS virtual IP | 162 | SNMP | UDP | snmp-trap-listener | FM, incoming trap integration for ePDG 9.1
ATS | ephemeral | LB WAS virtual IP | 162 | SNMP | UDP | snmp-trap-listener | For SNMP trap operations to ATS
CDD | ephemeral | LB WAS virtual IP | 162 | SNMP | UDP | snmp-trap-listener | For SNMP trap operations to CDD
EPD | ephemeral | LB WAS virtual IP | 162 | SNMP | UDP | snmp-trap-listener | For SNMP trap operations to EPD
TACTILON | ephemeral | LB WAS virtual IP | 162 | SNMP | UDP | snmp-trap-listener | For SNMP trap operations to TACTILON
TCS | ephemeral | LB WAS virtual IP | 162 | SNMP | UDP | snmp-trap-listener | For SNMP trap operations to TCS
User Workstation Apps | ephemeral | Socks | 1080 | Socks | TCP | Socks-proxy | Used by Network proxy server
FZCP | ephemeral | LB WAS virtual IP | 10510 | HTTP | TCP | tcp-10510 | NE3S/WS SMI for FZC CM notifications. This firewall rule is required if default port 80 is disabled.
FZCP | ephemeral | LB WAS virtual IP | 448 | HTTPS | TCP | tcp-448 | NE3S/WS SMI for FZC CM notifications
FZCP | ephemeral | LB WAS virtual IP | 389 | LDAP | TCP | ldap | LDAP port used by FZCP that is configured for CNUM
FZCP | ephemeral | LB WAS virtual IP | 80 | HTTP | TCP | http | NE3S/WS SMI for FZC CM notifications. Optional: This firewall rule is not required if the respective secure protocol is used.
FZCP | ephemeral | LB JBI virtual IP | 30510 | HTTPS | TCP | tcp-30510 | NE3S/WS SMI for FZC FM/PM notification
FZCP | ephemeral | LB JBI virtual IP | 30505 | HTTP | TCP | tcp-30505 | NE3S/WS SMI for FZC FM/PM notification. Optional: This firewall rule is not required if the respective secure protocol is used.
iNUM OAM Node | ephemeral | LB JBI virtual IP | 30505 | HTTP/SOAP | TCP | http-ne3sws-notifications | Basic CM, FM, PM SB incoming request integration for iNUM. Applicable for below versions: iNUM v11, iNUM v15.5, iNUM v16, iNUM v16.5, iNUM v17. Optional: This firewall rule is not required if the respective secure protocol is used (port 30510).
iNUM OAM Node | ephemeral | LB JBI virtual IP | 30510 | HTTPS/SOAP | TCP | https-ne3sws-notifications | Basic CM, FM, PM SB incoming request integration for iNUM OAM Unit. Applicable for below versions: iNUM v15.5 bare-metal, iNUM v16 bare-metal, iNUM v16.5 bare-metal, iNUM v17 bare-metal.
User Workstation Apps | ephemeral | Socks | 10443 | HTTPS | TCP | https-alt1 | 1. Used to read and write workspace settings. 2. Provides HTTPS API for desktop applications. 3. Used to store/read the Network View style details and to do the rexec type launches.
User Workstation Apps | ephemeral | LB WAS virtual IP | 443 | HTTPS | TCP | https | Default secure port used by the HTTPS transport. Optimizer exposes a REST/HTTP interface that the scheduled SON Operations use to retrieve the scope. Optimizer is phased out from NetAct 18; hence this port is not used by Optimizer from NetAct 18 onwards.
User Workstation Apps | ephemeral | LB WAS virtual IP | 9810 | IIOP | TCP | netact-uw-boots-as | WebSphere BOOTSTRAP_ADDRESS. Poseidon based applications communicate with the TraceViewer server side over RMI/IIOP; this is used for initiating connections when the client requests JNDI services from the server. Platypus based applications (CM Editor, CM Operations, CM Reference, CM Command Manager) communicate with server side RMI/IIOP services; this is used for initiating connections when the client requests JNDI services from the server. A similar mechanism is used between the Platypus based Optimizer Client and the server side RMI/IIOP services offered by the Optimizer server based application logic. Optimizer is phased out from NetAct 18; hence this port is not used by Optimizer from NetAct 18 onwards.
User Workstation Apps | ephemeral | Socks | 443 | HTTPS | TCP | https | HTTPS port for WebSphere Application Server
MRBTS | ephemeral | LB WAS virtual IP | 389 | LDAP | TCP | ldap | LDAP port used by any NE that is configured for CNUM
OMS | ephemeral | LB WAS virtual IP | 389 | LDAP | TCP | ldap | LDAP port used by OMS that is configured for CNUM
Socks | ephemeral | Open MGW | 443 | HTTPS | TCP | https | Open MGW EM launch
Open BGW | ephemeral | LB JBI virtual IP | 30508 | HTTP | TCP | tcp-30508 | SWM outgoing request. Optional: This firewall rule is not required if the respective secure protocol is used.
Open MGW | ephemeral | LB JBI virtual IP | 30508 | HTTP | TCP | tcp-30508 | SWM outgoing request. Optional: This firewall rule is not required if the respective secure protocol is used.
Open MGW | ephemeral | LB JBI virtual IP | 30509 | HTTPS | TCP | tcp-30509 | SWM outgoing request
BCUBTS | ephemeral | LB JBI virtual IP | 30508 | HTTP | TCP | tcp-30508 | SWM outgoing request. Optional: This firewall rule is not required if the respective secure protocol is used.
BCUBTS | ephemeral | LB JBI virtual IP | 30509 | HTTPS | TCP | tcp-30509 | SWM outgoing request
BCUMED | ephemeral | LB JBI virtual IP | 30508 | HTTP | TCP | tcp-30508 | SWM outgoing request. Optional: This firewall rule is not required if the respective secure protocol is used.
BCUMED | ephemeral | LB JBI virtual IP | 30509 | HTTPS | TCP | tcp-30509 | SWM outgoing request
CSLSRV | ephemeral | LB JBI virtual IP | 30508 | HTTP | TCP | tcp-30508 | SWM outgoing request. Optional: This firewall rule is not required if the respective secure protocol is used.
CSLSRV | ephemeral | LB JBI virtual IP | 30509 | HTTPS | TCP | tcp-30509 | SWM outgoing request
Socks | ephemeral | EMC | 443 | HTTPS | TCP | https | SNMP trap notification for EMC. Applicable for below versions: EMC CX4-120, EMC VNX5100.
Flexi NS | ephemeral | LB WAS virtual IP | 389 | LDAP | TCP | ldap | For Flexi NS CNUM
TMF615 UMS-C | ephemeral | LB WAS virtual IP | 443 | HTTPS | TCP | https | TMF 615 Webservice NBI used by an external UMS-C
One-NDS Status Service | ephemeral | LB WAS virtual IP | 80 | HTTP/SOAP | TCP | http | CM SB feedback channel integration for One-NDS 9 SP2 and One-NDS 16 onwards. Optional: From One-NDS 16.5 onwards, this firewall rule is not required if the respective secure protocol is used (port 448).
One-NDS Status Service | ephemeral | LB WAS virtual IP | 10510 | HTTP/SOAP | TCP | tcp-10510 | CM SB feedback channel integration for One-NDS 9 SP2 and One-NDS 16 onwards. This firewall rule is required if default port 80 is disabled. Optional: From One-NDS 16.5 onwards, this firewall rule is not required if the respective secure protocol is used (port 448).
Nelmon | ephemeral | LB WAS virtual IP | 162 | SNMP | UDP | snmp-trap | Nelmon trap receiver
Socks | ephemeral | Open BGW | 443 | HTTPS | TCP | https | OBGW Web UI launch (only from NA8 EP2 PT3 onwards)
Socks | ephemeral | Nelmon | 443 | HTTPS | TCP | https | Nelmon Web UI launch
HPE Onboard Administrator | ephemeral | LB WAS virtual IP | 162 | SNMP | UDP | snmp-trap-listener | SNMP trap notification from HP Onboard Administrator
HPE Storage System | ephemeral | LB WAS virtual IP | 162 | SNMP | UDP | snmp-trap-listener | SNMP trap notification from HP Storage System
Socks | ephemeral | InfobloxDNS GUI | 443 | HTTPS | TCP | https | Support for Web UI launch
Socks | ephemeral | LIG | 80 | HTTP | TCP | http | Support for Web UI launch
Socks | ephemeral | NBG | 8443 | HTTPS | TCP | https | Support for Web UI launch
Socks | ephemeral | SAAM | 443 | HTTPS | UDP | https | SAAM Web Application integration. Applicable for below versions: SAAM 7.0, SAAM 8.0
Socks | ephemeral | IBMBC | 80 | HTTP | TCP | http | IBM BladeCenter Web Application integration.
@vantage Commander | ephemeral | LB WAS virtual IP | 162 | SNMP | UDP | snmp-trap-listener | FM, incoming trap integration for PCS5000
Socks | ephemeral | PCS5000 | 9881 | HTTPS | TCP | https | Launch PCM Web GUI from PCSNE; support for PCS5000
Socks | ephemeral | PCS5000 | 9880 | HTTP | TCP | http | @vantage Homepage and PCM Web GUI launch from PCSNE; support for PCS5000
Socks | ephemeral | SNMPDEVICE | 80 | HTTP | TCP | http | Web UI launch via HTTP for SNMPDEVICE. NOTE: There is no default port for SNMPDEVICE Web UI Launch; port 80 is used as an example.
ISON or other external Nokia products | ephemeral | LB WAS virtual IP | 9999 | HTTPS/SOAP | TCP | https | Open CM web service API port for external Nokia products like ISON
Juniper | ephemeral | LB JBI virtual IP | 262 | SNMP | UDP | snmp-trap-listener | For SNMP trap operations to Juniper
Socks | ephemeral | iNUM OAM Node | 10443 | HTTPS | TCP | https | iNUM Web Application integration. Applicable for below versions: iNUM v11, iNUM v15.5, iNUM v16, iNUM v16.5, iNUM v17
SAAM | ephemeral | LB WAS virtual IP | 262 | SNMP | UDP | snmp-ne3ssnmp-notifications | NE3S/SNMP notification from SAAM. Applicable for below versions: SAAM 7.0, SAAM 8.0
Open BGW | ephemeral | LB WAS virtual IP | 10510 | HTTP/SOAP | TCP | tcp-10510 | CM SB feedback channel integration for Open BGW. This firewall rule is required if default port 80 is disabled. Optional: This firewall rule is not required if the respective secure protocol is used; the secure protocol is supported from OpenBGW16.5 onwards.
Flexi NG | ephemeral | LB WAS virtual IP | 10510 | HTTP/SOAP | TCP | tcp-10510 | CM SB feedback channel integration for Flexi NG 3.x AOM. This firewall rule is required if default port 80 is disabled.
Open BGW | ephemeral | LB WAS virtual IP | 80 | HTTP/SOAP | TCP | http | CM SB feedback channel integration for Open BGW. Optional: This firewall rule is not required if the respective secure protocol is used; the secure protocol is supported from OpenBGW16.5 onwards.
One-EIR System Monitor | ephemeral | LB WAS virtual IP | 262 | SNMP | UDP | snmp-ne3ssnmp-notifications | NE3S/SNMP notification from One-EIR. Applicable for below versions: One-EIR 4.0 SP1, One-EIR 5.0, One-EIR 5 SP1.
One-MNP System Monitor | ephemeral | LB WAS virtual IP | 262 | SNMP | UDP | snmp-ne3ssnmp-notifications | NE3S/SNMP notification from One-MNP. Applicable for below versions: One-MNP 8.0 SP6, One-MNP 9.0.
BIG IP | ephemeral | LB WAS virtual IP | 262 | SNMP | UDP | snmp-ne3ssnmp-notifications | NE3S/SNMP notification from BIG IP. Applicable for below versions: BIG IP 6400, BIG IP 6900, BIG IP TMOS version 10, BIG IP TMOS version 11.
FSC Rack Server | ephemeral | LB WAS virtual IP | 162 | SNMP | UDP | snmp-trap-listener | SNMP trap notification from FSC Rack Server
IBM | ephemeral | LB WAS virtual IP | 162 | SNMP | UDP | snmp-trap-listener | SNMP trap notification from IBM BladeCenter
LIG | ephemeral | LB WAS virtual IP | 162 | NE3S SNMP | UDP | snmp-trap-listener | NE to NetAct communication
Socks | ephemeral | CAM | 8443 | HTTPS | TCP | https | CAM GUI Launch
Flexi NG | ephemeral | LB WAS virtual IP | 80 | HTTP/SOAP | TCP | http | CM SB feedback channel integration for Flexi NG 3.x AOM
Flexi NS | ephemeral | LB JBI virtual IP | 30505 | HTTP/SOAP | TCP | http-ne3sws-notifications | NE3SWS SMI for Flexi NS FM/PM notification
InfobloxDNS | ephemeral | LB WAS virtual IP | 162 | NE3S SNMP | UDP | snmp-trap-listener | For listening to SNMP Traps from InfobloxDNS. Applicable for below versions: 6.6
Cisco | ephemeral | LB WAS virtual IP | 162 | SNMP | UDP | snmp-trap-listener | For SNMP trap operations to Cisco
Symmetricom TP5000 | ephemeral | LB WAS virtual IP | 162 | SNMP | UDP | snmp-trap-listener | For SNMP trap operations to TP5000
Open BGW | ephemeral | LB JBI virtual IP | 30505 | HTTP/SOAP | TCP | http-ne3sws-communication | NE3SWS SMI for FM/PM notification with non-TLS mode. Optional: This firewall rule is not required if HTTPS is used.
Open BGW | ephemeral | LB JBI virtual IP | 30510 | HTTPS/SOAP | TCP | http-ne3sws-communication | NE3SWS SMI for FM/PM notification with TLS mode
OMS | ephemeral | LB WAS virtual IP | 80 | HTTP | TCP | http | Exchange files between NetAct and NE using the HTTP protocol. Optional: This firewall rule is not required if the respective secure protocol is used.
OMS | ephemeral | LB WAS virtual IP | 446 | IIOP | TCP | cm-lte-oms-provision | HTTPS port in WebSphere Application Server used for CM LTE -> OMS provisioning purposes.
NBG | ephemeral | LB WAS virtual IP | 162 | NE3S SNMP | UDP | snmp-trap-listener | NBG FM integration
FNG | ephemeral | LB WAS virtual IP | 162 | NE3S SNMP | UDP | snmp-trap-listener | FNG in NBG FM integration
Flexi NG | ephemeral | LB JBI virtual IP | 30505 | HTTP/SOAP | TCP | http-ne3sws-notifications | FM/PM notification from Flexi NG: Flexi NG15 onwards
Flexi CMD | ephemeral | LB WAS virtual IP | 162 | SNMP | UDP | snmp-trap-listener | NE3S/SNMP trap service
iNUM | ephemeral | LB WAS virtual IP | 262 | SNMP | UDP | snmp-ne3ssnmp-notifications | For listening to SNMP Traps from iNUM 9.0/10.0
PCS5000 | ephemeral | LB JBI virtual IP | 30505 | HTTP/SOAP | TCP | http-ne3sws-notifications | Basic FM, PM SB incoming request integration for PCS5000. Applicable for below versions: PCS5000 6.2, PCS5000 6.3ATCA, PCS5000 6.3RMS. Note: HTTPS is not supported.
Socks | ephemeral | PCS5000 | 8099 | HTTP | TCP | web-access-proxy | PCS5000 TSP Web GUI HTTP port. Applicable for below versions: PCS5000 6.2, PCS5000 6.3ATCA, PCS5000 6.3RMS. Note: HTTPS is not supported.
Socks | ephemeral | PCS5000 | 443 | HTTPS | TCP | https | PCS5000 Web GUI HTTPS port. Applicable for below versions: PCS5000 6.2, PCS5000 6.3ATCA, PCS5000 6.3RMS
Traffica | ephemeral | LB WAS virtual IP | 162 | NE3S SNMP | UDP | snmp-trap-listener | FM, incoming trap integration for Traffica. Note: This firewall rule applies to version 17 and earlier.
User Workstation Apps | ephemeral | Socks | 444 | HTTPS | TCP | tcp-444 | HTTP over SSL communication for Audit trail purposes

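Many rows above mark a plaintext rule (HTTP beside HTTPS, port 30505 beside 30510, 30508 beside 30509, 80 beside 448) as "Optional: not required if the respective secure protocol is used". The script below is an added example, not part of this document or of NetAct: it reads rule rows in the pipe layout used on this page (the sample rows are copied from the table and embedded inline), pairs each optional plaintext rule with its secure counterpart for the same source and destination, and drops the plaintext rule only for source/destination pairs the operator has confirmed use the secure protocol, so the firewall opens the minimal set.

```python
"""Minimise a list of firewall rules of the kind tabulated above.

Added example, not NetAct's own tooling. A plaintext rule whose
description says "Optional: ... not required if the respective secure
protocol is used" is dropped only when (a) a rule for the secure
counterpart protocol exists for the same source and destination and
(b) the operator has confirmed that this source/destination pair
actually uses the secure protocol on the NE side.
"""
from __future__ import annotations

from dataclasses import dataclass

# Plaintext application protocol -> secure counterpart, as the table pairs them.
SECURE_COUNTERPART = {"HTTP": "HTTPS", "FTP": "SFTP", "TELNET": "SSH"}

# Constructed sample: rows copied from the table, one rule per line:
# Source | Source Port | Destination | Dest. Port | App | Transport | Service Object | Description
SAMPLE_RULES = """
CWLC | ephemeral | LB JBI virtual IP | 30510 | HTTPS | TCP | tcp-30510 | NE3S/WS SMI for Nokia Wi-Fi FM/PM notification
CWLC | ephemeral | LB JBI virtual IP | 30505 | HTTP | TCP | tcp-30505 | NE3S/WS SMI for Nokia Wi-Fi FM/PM notification. Optional: This firewall rule is not required if the respective secure protocol is used.
CWLC | ephemeral | LB JBI virtual IP | 30509 | HTTPS | TCP | tcp-30509 | SWM outgoing request
CWLC | ephemeral | LB JBI virtual IP | 30508 | HTTP | TCP | tcp-30508 | SWM outgoing request. Optional: This firewall rule is not required if the respective secure protocol is used.
FZCP | ephemeral | LB WAS virtual IP | 448 | HTTPS | TCP | tcp-448 | NE3S/WS SMI for FZC CM notifications
FZCP | ephemeral | LB WAS virtual IP | 80 | HTTP | TCP | http | NE3S/WS SMI for FZC CM notifications. Optional: This firewall rule is not required if the respective secure protocol is used.
BSC | ephemeral | LB WAS virtual IP | 389 | LDAP | TCP | ldap | Used for BSC CNUM
Socks | ephemeral | LIG | 80 | HTTP | TCP | http | Support for Web UI launch
"""


@dataclass(frozen=True)
class Rule:
    source: str
    source_port: str
    destination: str
    dest_port: str
    app_layer: str      # first token of the application-layer column ("HTTPS" from "HTTPS/SOAP")
    transport: str
    service_object: str
    description: str

    def is_optional(self) -> bool:
        return "optional:" in self.description.lower()


def parse_rules(text: str) -> list[Rule]:
    """Parse pipe-separated rule rows; blank lines and '#' comments are skipped."""
    rules: list[Rule] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = [f.strip() for f in line.split("|")]
        if len(fields) != 8:
            raise ValueError(f"expected 8 columns, got {len(fields)}: {line!r}")
        fields[4] = fields[4].split("/")[0].upper()
        rules.append(Rule(*fields))
    return rules


def minimise(rules: list[Rule], secure_in_use: set[tuple[str, str]]):
    """Return (keep, dropped).

    secure_in_use holds the (source, destination) pairs the operator has
    verified to run the secure protocol; an optional plaintext rule is
    dropped only for those pairs, and only if its counterpart rule exists.
    """
    keep, dropped = [], []
    for rule in rules:
        secure = SECURE_COUNTERPART.get(rule.app_layer)
        has_counterpart = secure is not None and any(
            other.source == rule.source
            and other.destination == rule.destination
            and other.app_layer == secure
            for other in rules
        )
        if (rule.is_optional() and has_counterpart
                and (rule.source, rule.destination) in secure_in_use):
            dropped.append(rule)
        else:
            keep.append(rule)
    return keep, dropped


def report(rules: list[Rule], secure_in_use: set[tuple[str, str]]) -> list[str]:
    """One 'KEEP'/'DROP' line per rule, for review before the firewall is changed."""
    keep, dropped = minimise(rules, secure_in_use)
    fmt = "{verdict} {r.source} -> {r.destination} {r.dest_port}/{r.transport} ({r.app_layer}, {r.service_object})"
    return ([fmt.format(verdict="DROP", r=r) for r in dropped]
            + [fmt.format(verdict="KEEP", r=r) for r in keep])


if __name__ == "__main__":
    # Only CWLC has been confirmed to use the secure NE3S/WS and SWM ports.
    print("\n".join(report(parse_rules(SAMPLE_RULES), {("CWLC", "LB JBI virtual IP")})))
```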
27.2.17 Firewall rules for VMs that host LTE-A_Mediation

Source | Source Port | Destination | Dest. Port | Application Layer | Transport Layer | Service Object | Description
Nokia 9926 eNodeB | ephemeral | LB LTEA virtual IP | 162 | SNMP | UDP | ltea-snmp-trap | This port is used for receiving traps from the Nokia 9926 eNodeB
SAM mediation | ephemeral | 5620 SAM main server(s) | 8080 | HTTP/SOAP | TCP | sam_med | Send SOAP request to SAM for Topology/FM/PM. Optional: This firewall rule is not required if the respective secure protocol is used.
Socks | ephemeral | 5620 SAM main server(s) | 80 | HTTP | TCP | sam-o-webgui | Launch SAM web GUI. Optional: This firewall rule is not required if the respective secure protocol is used.
Socks | ephemeral | 5620 SAM main server(s) | 8085 | HTTP | TCP | sam-o-javagui | Launch SAM client. Optional: This firewall rule is not required if the respective secure protocol is used.
SAM mediation | ephemeral | NFM-P main server(s) | 8080 | HTTP/SOAP | TCP | sam_med | Send SOAP request to NFM-P for Topology/FM/PM. Optional: This firewall rule is not required if the respective secure protocol is used.
SAM mediation | ephemeral | NFM-P main server(s) | 1099 | JNDI/TLS | TCP | sam_med | Query JMS service on NFM-P for Topology/FM/PM
SAM mediation | ephemeral | NFM-P main server(s) | 4447 | JMS | TCP | sam_med | Receive JMS notification from NFM-P for Topology/FM/PM
SAM mediation | ephemeral | NFM-P main server(s) | 8443 | HTTPS/SOAP | TCP | sam_med | Send SOAP request to NFM-P for Topology/FM/PM
SAM mediation | ephemeral | NFM-P main server(s) | 22 | SFTP | TCP | sam_med | Retrieve PM files from NFM-P
SAM mediation | ephemeral | NFM-P auxiliary server(s) | 22 | SFTP | TCP | sam_med | Retrieve PM files from NFM-P
SAM mediation | ephemeral | 5620 SAM main server(s) | 1099 | JNDI/TLS | TCP | sam_med | Query JMS service on SAM for Topology/FM/PM
SAM mediation | ephemeral | 5620 SAM main server(s) | 4447 | JMS | TCP | sam_med | Receive JMS notification from SAM for Topology/FM/PM
SAM mediation | ephemeral | 5620 SAM main server(s) | 8443 | HTTPS/SOAP | TCP | sam_med | Send SOAP request to SAM for Topology/FM/PM
SAM mediation | ephemeral | 5620 SAM main server(s) | 22 | SFTP | TCP | sam_med | Retrieve PM files from SAM
SAM mediation | ephemeral | 5620 SAM auxiliary server(s) | 22 | SFTP | TCP | sam_med | Retrieve PM files from SAM
Socks | ephemeral | 5620 SAM main server(s) | 443 | HTTPS | TCP | sam-o-webgui | Launch SAM web GUI
Socks | ephemeral | 5620 SAM main server(s) | 8444 | HTTPS | TCP | sam-o-javagui | Launch SAM client
Nokia 9926 eNodeB | ephemeral | LTE-A Mediation | 22 | SFTP | TCP | sftp | Download software from Software Manager
LTE-A Mediation | ephemeral | Nokia 9926 eNodeB | 830 | NETCONF | TCP | ltea-netconf | For NetConf interface operation to Nokia 9926 eNodeB
NPO System | ephemeral | LTE-A Mediation | 22 | SSH/SFTP | TCP | sftp/ssh | This port is used for exposing the SFTP/SSH interface to NPO System
LTE-A Mediation | ephemeral | Nokia 9926 eNodeB | 161 | SNMP | UDP | snmp-get-set | For SNMP SET/GET/GETBulk/walk operations to Nokia 9926 eNodeB

27.2.18 Firewall rules for VMs that host NWI3 mediations

Source | Source Port | Destination | Dest. Port | Application Layer | Transport Layer | Service Object | Description
Radio NE | ephemeral | NWI3 | 546 | DHCP | UDP | dhcpd6 | A DHCP server dynamically assigns IP addresses
Radio NE | ephemeral | NWI3 | 68 | DHCP | UDP | dhcpd | A DHCP server dynamically assigns IP addresses
Radio NE | ephemeral | NWI3 | 67 | DHCP | UDP | dhcpd | A DHCP server dynamically assigns IP addresses
Radio NE | ephemeral | NWI3 | 547 | DHCP | UDP | dhcpd6 | A DHCP server dynamically assigns IP addresses
OMS | ephemeral | NWI3 | 323 | chrony | UDP | chronyd | OMS clock time is set from the NWI3 node, which is used as one of the NTP servers in NetAct.
OMS | ephemeral | NWI3 | 123 | chrony | UDP | chronyd | OMS clock time is set from the NWI3 node, which is used as one of the NTP servers in NetAct.
OMS | ephemeral | NWI3 | 80 | HTTP | TCP | nwi3-http | Used for SWM downloading over HTTP. Port 80 is forwarded to port 9294 by an iptables rule.
OMS | ephemeral | NWI3 | 443 | HTTPS | TCP | nwi3-http | Used for SWM downloading over HTTPS. Port 443 is forwarded to port 9295 by an iptables rule.
NWI3 | ephemeral | NEMU | 2381 | HTTPS | TCP | tcp-2381 | HPE ProLiant Web Management
NWI3 | ephemeral | NTAS Cloud | 22 | SSH | TCP | ssh | Execute CLI commands on network element.
NWI3 | ephemeral | NTAS Cloud | 22 | SFTP | TCP | sftp | Get counter files from network element.
NWI3 | ephemeral | OMS | 49376 | IIOP | TCP | nwi3-topology-service | NWI3 Topology Service (IPv6 port for dual stack OMS)
NWI3 | ephemeral | OMS | 49385 | IIOP | TCP | nwi3-symptom-data-upload | NWI3 Symptom data upload (IPv6 port for dual stack OMS)
NWI3 | ephemeral | OMS | 49387 | IIOP | TCP | nwi3-sw-agent | NWI3 SW Agent (IPv6 port for dual stack OMS)
NWI3 | ephemeral | OMS | 49370 | IIOP | TCP | nwi3-security-fragment | NWI3 Security fragment (IPv6 port for dual stack OMS)
NWI3 | ephemeral | OMS | 49377 | IIOP | TCP | nwi3-pm-service | NWI3 PM Service (IPv6 port for dual stack OMS)
NWI3 | ephemeral | OMS | 49371 | IIOP | TCP | nwi3-license-mgr-agent | NWI3 LM Agent (IPv6 port for dual stack OMS)
NWI3 | ephemeral | OMS | 49379 | IIOP | TCP | nwi3-cerma-service | NWI3 Certificate Service (IPv6 port for dual stack OMS)
NWI3 | ephemeral | OMS | 49380 | IIOP | TCP | nwi3-auditlog-service | NWI3 Audit Trail Service (IPv6 port for dual stack OMS)
NWI3 | ephemeral | OMS | 49569 | IIOP | TCP | nwi3-adapter | NWI3 Adapter (IPv6 port for dual stack OMS)
OMS | ephemeral | NWI3 | 49355 | IIOP | TCP | tcp-49355 | NWI3 Symptom data upload
NWI3 | ephemeral | OMS | 49366 | IIOP | TCP | nwi3-symptom-data-upload | NWI3 Symptom data upload
NWI3 | ephemeral | SBTS | 8080 | HTTP | TCP | http | A port used for checking SBTS NE3S interface availability. Optional: This firewall rule is not required when the respective secure protocol is used. Note: During the Plug and Play process, this firewall rule must be applied only for SBTS using the temporary IP address.
SBTS | ephemeral | NWI3 | 55580 | HTTP | TCP | http | A port used by SBTS to transfer SBTS software from NetAct Software Manager to SBTS when IPSec is in use. Optional: This firewall rule is not required if the respective secure protocol is used. Note: During the Plug and Play process, this firewall rule must be applied only for SBTS using the temporary IP address.
NWI3 | ephemeral | SBTS | 8443 | HTTPS | TCP | https | A port used for checking SBTS NE3S interface availability. Note: During the Plug and Play process, this firewall rule must be applied only for SBTS using the temporary IP address.
SBTS | ephemeral | NWI3 | 55443 | HTTPS | TCP | https | A port used by SBTS to transfer SBTS software from NetAct Software Manager to SBTS when IPSec is in use. Note: During the Plug and Play process, this firewall rule must be applied only for SBTS using the temporary IP address.
NWI3 | ephemeral | OMS | 49375 | IIOP | TCP | nwi3-auditlog-service | NWI3 Audit Trail Service
NWI3 | ephemeral | OMS | 49368 | IIOP | TCP | nwi3-cerma-service | NWI3 Certificate Service
NWI3 | ephemeral | Corba Bulk CM Higher Level System | Higher Level System decided | IIOP | TCP | <undefined> | The higher level system should expose a port for receiving CORBA notifications
NWI3 | ephemeral | NEMU | 80 | HTTP | TCP | http | Integration Data Upload
NWI3 | ephemeral | Open TAS | 22 | SSH/SFTP | TCP | ssh | Execute MML command on network element, and get counter files from network element
Open TAS Cloud | ephemeral | NWI3 | ephemeral | FTP | TCP | ftp-data | Optional: This firewall rule is not required if SFTP is used. The FTP-DATA channel under FTP Active Mode uses this rule for FTP data transfer.
Open TAS | ephemeral | NWI3 | ephemeral | FTP | TCP | ftp-data | Optional: This firewall rule is not required if SFTP is used. The FTP-DATA channel under FTP Passive Mode uses this rule for FTP data transfer.
NWI3 | ephemeral | Open TAS Cloud | 21 | FTP | TCP | ftp | Optional: This firewall rule is not required if SFTP is used. Get counter files from network element.
NWI3 | ephemeral | Open TAS Cloud | 23 | TELNET | TCP | telnet | Execute MML command on network element. Open this port only if you want to use Telnet instead of SSH for SAUCNT.
OMS | ephemeral | NWI3 | 49300 | IIOP | TCP | nwi3-cm-event-notification | NWI3 CM event consumer
OMS | ephemeral | NWI3 | 49350 | IIOP | TCP | nwi3-hw-agent | NWI3 HW event consumer
NWI3 | ephemeral | RNC | 21 | FTP | TCP | ftp | FTP file transfers from RNC. Optional: This firewall rule is not required if the respective secure protocol is used.
NWI3 | ephemeral | OMS | 80 | HTTP | TCP | http | HTTP file transfers from OMS. Optional: This firewall rule is not required if the respective secure protocol is used.
NWI3 | ephemeral | WBTS | 6000 | HTTP | TCP | http | HTTP file transfers from WBTS. Optional: This firewall rule is not required if the respective secure protocol is used.
NWI3 | ephemeral | OMS | 443 | HTTPS | TCP | https | HTTPS file transfers from OMS
NWI3 | ephemeral | WBTS | 6001 | HTTPS | TCP | https | HTTPS file transfers from WBTS
OMS | ephemeral | NWI3 | 49619 | IIOP | TCP | tcp-49619 | NWI3 CNUM mediator management
OMS | ephemeral | NWI3 | 49620 | IIOP | TCP | nwi3-mediator-callback | NWI3 integration mediator management
OMS | ephemeral | NWI3 | 49622 | IIOP | TCP | nwi3-local-security-callback | NWI3 user management
NWI3 | ephemeral | RNC | 22 | SFTP | TCP | ssh | SFTP file transfers from RNC
NWI3 | ephemeral | OMS | 22 | SSH/SFTP | TCP | sshd | Secured shell and secured file transfer from OMS
OMS | ephemeral | NWI3 | 49510 | IIOP | TCP | nwi3-cert-agent | NWI3 certificate management
NEMU | ephemeral | NWI3 | 49152 | IIOP | TCP | nwi3-reg-service | NWI3 registration service
NEMU | ephemeral | NWI3 | 49164 | IIOP | TCP | nwi3-notific-service | NWI3 notification service
NEMU | ephemeral | NWI3 | 49179 | IIOP | TCP | nwi3-alarm-event-consumer | NWI3 alarm event consumer
NEMU | ephemeral | NWI3 | 49311 | IIOP | TCP | nwi3-topology-service-callback | NWI3 topology service
NWI3 | ephemeral | NEMU | 49152-49652 | IIOP | TCP | tcp-49152-49652 | Dynamic port range for MS RPC/DCOM
NEMU | ephemeral | NWI3 | 49620 | IIOP | TCP | nwi3-mediator-callback | NWI3 mediator management
OMS | ephemeral | NWI3 | 49312 | IIOP | TCP | nwi3-topology-delete-callback | NWI3 topology delete
OMS | ephemeral | NWI3 | 49311 | IIOP | TCP | nwi3-topology-service-callback | NWI3 topology service
OMS | ephemeral | NWI3 | 80 | HTTP | TCP | http | HTTP port used by OMS file download (hardcoded in OMS). Optional: This firewall rule is not required if the respective secure protocol is used.
OMS | ephemeral | NWI3 | 443 | HTTPS | TCP | https | HTTPS port used by OMS software download (hardcoded in OMS).
OMS | ephemeral | NWI3 | 49561 | IIOP | TCP | nwi3-sw-commit | NWI3 Software Commit/Rollback
OMS | ephemeral | NWI3 | 49509 | IIOP | TCP | nwi3-license-event-consumer | NWI3 license event consumer
OMS | ephemeral | NWI3 | 49530 | IIOP | TCP | nwi3-pm-event-consumer | NWI3 PM event consumer
OMS | ephemeral | NWI3 | 49557 | IIOP | TCP | nwi3-sw-upload | NWI3 Software Upload
OMS | ephemeral | NWI3 | 49558 | IIOP | TCP | nwi3-sw-download | NWI3 Software Download
OMS | ephemeral | NWI3 | 49559 | IIOP | TCP | nwi3-sw-change-event-consumer | NWI3 Software change event consumer
OMS | ephemeral | NWI3 | 49560 | IIOP | TCP | nwi3-sw-update-event-consumer | NWI3 Software update event consumer
OMS | ephemeral | NWI3 | 49600 | IIOP | TCP | nwi3-audit-trail-event-consumer | NWI3 audit trail event consumer
NWI3 | ephemeral | OMS | 49341 | IIOP | TCP | nwi3-security-fragment | NWI3 Security fragment
NWI3 | ephemeral | OMS | 49342 | IIOP | TCP | nwi3-license-mgr-agent | NWI3 LM Agent
NWI3 | ephemeral | OMS | 49351 | IIOP | TCP | nwi3-topology-service | NWI3 Topology Service
NWI3 | ephemeral | OMS | 49361 | IIOP | TCP | nwi3-pm-service | NWI3 PM Service
NWI3 | ephemeral | OMS | 49363 | IIOP | TCP | nwi3-sw-agent | NWI3 SW Agent
NWI3 | ephemeral | OMS | 49566 | IIOP | TCP | nwi3-adapter | NWI3 Adapter
OMS | ephemeral | NWI3 | 49152 | IIOP | TCP | nwi3-reg-service | NWI3 registration service
OMS | ephemeral | NWI3 | 49164 | IIOP | TCP | nwi3-notific-service | NWI3 notification service
OMS | ephemeral | NWI3 | 49177 | IIOP | TCP | nwi3-topology-event-consumer | NWI3 topology event consumer
OMS | ephemeral | NWI3 | 49179 | IIOP | TCP | nwi3-alarm-event-consumer | NWI3 alarm event consumer
OMS | ephemeral | NWI3 | 49192 | IIOP | TCP | nwi3-trace-event-consumer | NWI3 trace event consumer
OMS | ephemeral | NWI3 | 49354 | IIOP | TCP | nwi3-audit-trail-callback | NWI3 audit trail
NWI3 | 123 | Time Server-Higher Level System | 123 | NTP | UDP | ntp | NetAct server clock time is set to the actual time from the external NTP server

27.2.19 Firewall rules for VMs that host NX2S and XOH

Source | Source port | Destination | Dest. port | Application layer | Transport layer | Service object | Description
ne3sws_dynamicadaptation | ephemeral | HSSFE | 22 | SFTP | TCP | sftp | HSSFE dynamic adaptation. Applicable for HSSFE 18.5 onwards, HSSFE 18.5C onwards and HSSFE 18.5VI onwards.
ne3sws_dynamicadaptation | ephemeral | HSS | 22 | SFTP | TCP | sftp | HSS VM dynamic adaptation. Applicable for HSS 18.5VI onwards.
ne3sws_dynamicadaptation | ephemeral | Open MGW | 22 | SFTP | TCP | sftp | Open MGW NE3S/WS dynamic adaptation.
NX2S and XOH | ephemeral | VNF | 22 | SSH/SFTP | TCP | ssh | SCLI commands towards the NE.
ne3sws_dynamicadaptation | ephemeral | BNGLB | 22 | SFTP | TCP | sftp | BNGLB dynamic adaptation. Applicable for BNGLB 18.5C onwards.
ne3sws_dynamicadaptation | ephemeral | IMSOAM | 22 | SFTP | TCP | sftp | IMS OAM unit dynamic adaptation. Applicable for IMSOAM 18.5VI onwards.
ne3sws_dynamicadaptation | ephemeral | IMSOAM | 10501-10600 | SFTP | TCP | sftp | CSCF/CSCF_TD_Core/CSCF_L2TDVI dynamic adaptation; these ports are mapped to port 22 of CSCF/CSCF_TD_Core/CSCF_L2TDVI. Applicable for CSCF 18.5VI onwards.
ne3sws_dynamicadaptation | ephemeral | Repo Server | 22 | SFTP | TCP | sftp | Repo Server dynamic adaptation. Applicable for REPOSERVER 18.5VI onwards.
ne3sws_dynamicadaptation | ephemeral | TIAMS | 22 | SFTP | TCP | sftp | TIAMS dynamic adaptation. Applicable for 18.5, 18.5C and 18.5Cc.
ne3sws_dynamicadaptation | ephemeral | CSCF | 22 | SFTP | TCP | sftp | CSCF dynamic adaptation. Applicable for 18.5C onwards.
ne3sws_dynamicadaptation | ephemeral | CSCF-LB | 22 | SFTP | TCP | sftp | CSCF-LB dynamic adaptation. Applicable for 18.5VI onwards.
ne3sws_dynamicadaptation | ephemeral | NTHLR FE | 22 | SFTP | TCP | sftp | NTHLRFE dynamic adaptation integration. This firewall rule is required for NTHLR FE Cloud.
NDAP | ephemeral | ne3sws_dynamicadaptation | 22 | SFTP/SSH | TCP | sftp/ssh | Used by NDAP to transfer the fast pass package to NetAct and trigger the fast pass package installation.
NX2S and XOH | ephemeral | Open BGW | 22 | SSH | TCP | tcp-22 | SSH
ne3sws_dynamicadaptation | ephemeral | One-AAA OAM Node | 22 | SFTP | TCP | sftp | One-AAA NE3S/WS dynamic adaptation. Applicable for One-AAA 6 SP1, One-AAA 7, One-AAA 7 SP1, One-AAA 8, One-AAA 8 VI, One-AAA 8.1 VI, One-AAA 9.0, One-AAA 9.0 VI, One-AAA 10.0 and One-AAA 10.0 VI.
ne3sws_dynamicadaptation | ephemeral | One-EIR System Monitor | 22 | SSH/SFTP | TCP | sftp/ssh | One-EIR dynamic adaptation. Applicable for One-EIR 5.2, One-EIR 16, One-EIR 16.5, One-EIR Cloud 16.5, One-EIR 17, One-EIR Cloud 17, One-EIR 18 onwards and One-EIR Cloud 18 onwards.
NX2S and XOH | ephemeral | SMM | 22 | SSH | TCP | ssh | File transfer from NetAct to SMM.
ne3sws_dynamicadaptation | ephemeral | DRA | 22 | SFTP | TCP | sftp | DRA dynamic adaptation. Applicable for DRA 10.1, DRA 11.0 and DRA 15.5C onwards.
ne3sws_dynamicadaptation | ephemeral | PCC | 22 | SFTP | TCP | sftp | PCC dynamic adaptation integration. Applicable for PCC 16.0 and later.
ne3sws_dynamicadaptation | ephemeral | DRA-LB | 22 | SFTP | TCP | sftp | DRA-LB dynamic adaptation. Applicable for DRA-LB 15.5VI onwards.
ne3sws_dynamicadaptation | ephemeral | MGMTVNFC | 22 | SFTP | TCP | sftp | MGMTVNFC dynamic adaptation. Applicable for MGMTVNFC 17.0VI onwards.
ne3sws_dynamicadaptation | ephemeral | CSCF MGMTVNFC | 22 | SFTP | TCP | sftp | Dynamic adaptation for the CSCF VNF with a management VNFC.
ne3sws_dynamicadaptation | ephemeral | HSS MGMTVNFC | 22 | SFTP | TCP | sftp | Dynamic adaptation for the HSS VNF with a management VNFC.
NX2S and XOH | ephemeral | SMM | 22 | SSH | TCP | ssh | SCLI commands towards the NE.
ne3sws_dynamicadaptation | ephemeral | One-MNP System Monitor | 22 | SSH/SFTP | TCP | sftp/ssh | One-MNP dynamic adaptation. Applicable for One-MNP 15.5, One-MNP 16, One-MNP 16.5, One-MNP Cloud 16.5, One-MNP 17, One-MNP Cloud 17, One-MNP 18 and One-MNP Cloud 18.
ne3sws_dynamicadaptation | ephemeral | CBAM SFTP Server | 22 | SFTP | TCP | sftp | CBAM dynamic adaptation.
ne3sws_dynamicadaptation | ephemeral | NTAS Cloud | 22 | SFTP | TCP | sftp | NTAS dynamic adaptation.
NX2S and XOH | ephemeral | IPA-RNC | 22 | SSH/SFTP | TCP | ssh | SSH is used to send MML commands towards the NE; SFTP is used to download the software package to the NE.
ne3sws_dynamicadaptation | ephemeral | Flexi CMD | 22 | SFTP | TCP | sftp | CMD dynamic adaptation. Applicable for Flexi CMD 17 and later releases and Flexi CMD Cloud 17 and later releases.
ne3sws_dynamicadaptation | ephemeral | Open TAS Cloud SEE | 22 | SFTP | TCP | sftp | Dynamic adaptation for Open TAS Cloud SEE. Note: this rule is only applicable from Open TAS Cloud SEE 16.5 onwards.
NX2S and XOH | ephemeral | ASRNC | 22 | SSH/SFTP | TCP | ssh | SCLI commands towards the NE; SFTP for downloading the software package to the ASRNC.
NX2S and XOH | ephemeral | Open MSS Cloud | 21 | FTP | TCP | ftp | Optional: this firewall rule is not required if SFTP is used. NetAct uses FTP to get data from the network element via this port. MML mediation uses FTP for software download.
NX2S and XOH | ephemeral | Open MSS Cloud | ephemeral | FTP | TCP | ftp | Optional: this firewall rule is not required if SFTP is used. The FTP data channel in FTP passive mode uses this rule.
NX2S and XOH | ephemeral | Open MSS Cloud | 22 | SSH/SFTP | TCP | ssh | Log in to the NE via this port when integrating the NE to NetAct by SSH. MML mediation sends commands by SSH and uses SFTP for software download. NetAct uses SFTP to get data from the NE via this port.
NX2S and XOH | ephemeral | Open MSS Cloud | 80 | HTTP | TCP | http | Optional: this firewall rule is not required if HTTPS is used. NetAct sends requests to the network element via this port when it communicates with the network element by HTTP.
NX2S and XOH | ephemeral | Open MSS Cloud | 443 | HTTPS | TCP | https | NetAct sends requests to the NE via this port when it communicates with the NE by HTTPS.
NX2S and XOH | ephemeral | Open MSS Cloud | 23 | TELNET | TCP | telnet | Log in to the network element via Telnet before SSH is activated. MML mediation sends commands by Telnet.
Open MSS Cloud | ephemeral | NX2S and XOH | 4000 | HTTP | TCP | tcp-4000 | Optional: this firewall rule is not required if HTTPS is used. The network element sends notifications to NetAct via this port when it communicates with NetAct by HTTP.
Open MSS Cloud | ephemeral | NX2S and XOH | 4443 | HTTPS | TCP | tcp-4443 | The NE sends notifications to NetAct via this port when it communicates with NetAct by HTTPS.
NX2S and XOH | ephemeral | Open BGW Cloud | 22 | SSH | TCP | ssh | SSH
ne3sws_dynamicadaptation | ephemeral | Open BGW Cloud | 22 | SFTP | TCP | sftp | Dynamic adaptation for Open BGW Cloud.
ne3sws_dynamicadaptation | ephemeral | iNUM OAM Node | 22 | SFTP | TCP | sftp | iNUM dynamic adaptation. Applicable for iNUM v11, iNUM v15.5, iNUM v16, iNUM v16.5 and iNUM v17.
ne3sws_dynamicadaptation | ephemeral | SPM OAM node | 22 | SFTP | TCP | sftp | SPM NE3S/WS dynamic adaptation. Applicable for SPM 2.0, SPM 3.0 and SPM 3.0 VI.
NX2S and XOH | ephemeral | Open TAS Cloud | 80 | HTTP | TCP | http | Optional: this firewall rule is not required if HTTPS is used. NetAct sends requests to the network element via this port when it communicates with the network element by HTTP.
NX2S and XOH | ephemeral | FZCP | 22 | SSH | TCP | ssh | SCLI commands towards the NE.
NX2S and XOH | ephemeral | Open TAS | 80 | HTTP | TCP | http | Optional: this firewall rule is not required if HTTPS is used. NetAct sends requests to the network element via this port when it communicates with the network element by HTTP.
NX2S and XOH | ephemeral | Open TAS | 443 | HTTPS | TCP | https | NetAct sends requests to the network element via this port when it communicates with the network element by HTTPS.
NX2S and XOH | ephemeral | Open TAS | 23 | TELNET | TCP | telnet | Log in to the network element via Telnet before SSH is activated. MML mediation sends commands by Telnet.
Open TAS | ephemeral | NX2S and XOH | 4000 | HTTP | TCP | tcp-4000 | Optional: this firewall rule is not required if HTTPS is used. The network element sends notifications to NetAct via this port when it communicates with NetAct by HTTP.
Open TAS | ephemeral | NX2S and XOH | 4443 | HTTPS | TCP | tcp-4443 | The network element sends notifications to NetAct via this port when it communicates with NetAct by HTTPS.
NX2S and XOH | ephemeral | Open TAS | 21 | FTP | TCP | ftp | Optional: this firewall rule is not required if SFTP is used. NetAct uses FTP to get data from the network element via this port. MML mediation uses FTP for software download.
NX2S and XOH | ephemeral | Open TAS | ephemeral | FTP | TCP | ftp | Optional: this firewall rule is not required if SFTP is used. The FTP data channel in FTP passive mode uses this rule.
NX2S and XOH | ephemeral | Open TAS | 22 | SSH/SFTP | TCP | ssh | Log in to the network element via this port when integrating it to NetAct by SSH. MML mediation sends commands by SSH and uses SFTP for software download. NetAct uses SFTP to get data from the network element via this port.
ne3sws_dynamicadaptation | ephemeral | Open BGW | 22 | SFTP | TCP | sftp | Open BGW NE3S/WS dynamic adaptation. Applicable for OpenBGW 15.5.
BSC | 20 | NX2S and XOH | ephemeral | FTP | TCP | ftp-data | Used for the FTP data connection in FTP active mode. Note: this firewall rule is not required if the respective secure protocol is used.
NX2S and XOH | ephemeral | BSC | 21 | FTP | TCP | ftp | Used for the FTP control channel. Note: this firewall rule is not required if the respective secure protocol is used.
NX2S and XOH | ephemeral | BSC | 22 | SSH | TCP | ssh | Send MML commands from NetAct to the BSC.
NX2S and XOH | ephemeral | BSC | 23 | TELNET | TCP | telnet | Send MML commands from NetAct to the BSC. Note: this firewall rule is not required if the respective secure protocol is used.
NX2S and XOH | ephemeral | BSC | ephemeral | FTP | TCP | ftp-data | Used for the FTP data connection in FTP passive mode. Note: this firewall rule is not required if the respective secure protocol is used.
NX2S and XOH | ephemeral | HLR | ephemeral | FTP | TCP | ftp | Optional: this firewall rule is not required if SFTP is used. The FTP data channel in FTP passive mode uses this rule.
NX2S and XOH | ephemeral | MSC | ephemeral | FTP | TCP | ftp | Optional: this firewall rule is not required if SFTP is used. The FTP data channel in FTP passive mode uses this rule.
NX2S and XOH | ephemeral | CDS | ephemeral | FTP | TCP | ftp | Optional: this firewall rule is not required if SFTP is used. The FTP data channel in FTP passive mode uses this rule.
NX2S and XOH | ephemeral | MSC | 80 | HTTP | TCP | http | Optional: this firewall rule is not required if HTTPS is used. NetAct sends requests to the network element via this port when it communicates with the network element by HTTP.
NX2S and XOH | ephemeral | CDS | 80 | HTTP | TCP | http | Optional: this firewall rule is not required if HTTPS is used. NetAct sends requests to the network element via this port when it communicates with the network element by HTTP.
NX2S and XOH | ephemeral | HLR | 443 | HTTPS | TCP | https | NetAct sends requests to the NE via this port when it communicates with the NE by HTTPS.
NX2S and XOH | ephemeral | MSC | 443 | HTTPS | TCP | https | NetAct sends requests to the NE via this port when it communicates with the NE by HTTPS.
NX2S and XOH | ephemeral | CDS | 443 | HTTPS | TCP | https | NetAct sends requests to the NE via this port when it communicates with the NE by HTTPS.
NX2S and XOH | ephemeral | HLR | 23 | TELNET | TCP | telnet | Log in to the network element via Telnet before SSH is activated. MML mediation sends commands by Telnet.
NX2S and XOH | ephemeral | MSC | 23 | TELNET | TCP | telnet | Log in to the network element via Telnet before SSH is activated. MML mediation sends commands by Telnet.
NX2S and XOH | ephemeral | CDS | 23 | TELNET | TCP | telnet | Log in to the network element via Telnet before SSH is activated. MML mediation sends commands by Telnet.
HLR | ephemeral | NX2S and XOH | 4000 | HTTP | TCP | tcp-4000 | Optional: this firewall rule is not required if HTTPS is used. The network element sends notifications to NetAct via this port when it communicates with NetAct by HTTP.
MSC | ephemeral | NX2S and XOH | 4000 | HTTP | TCP | tcp-4000 | Optional: this firewall rule is not required if HTTPS is used. The network element sends notifications to NetAct via this port when it communicates with NetAct by HTTP.
CDS | ephemeral | NX2S and XOH | 4000 | HTTP | TCP | tcp-4000 | Optional: this firewall rule is not required if HTTPS is used. The network element sends notifications to NetAct via this port when it communicates with NetAct by HTTP.
HLR | ephemeral | NX2S and XOH | 4443 | HTTPS | TCP | tcp-4443 | The NE sends notifications to NetAct via this port when it communicates with NetAct by HTTPS.
MSC | ephemeral | NX2S and XOH | 4443 | HTTPS | TCP | tcp-4443 | The NE sends notifications to NetAct via this port when it communicates with NetAct by HTTPS.
CDS | ephemeral | NX2S and XOH | 4443 | HTTPS | TCP | tcp-4443 | The NE sends notifications to NetAct via this port when it communicates with NetAct by HTTPS.
NX2S and XOH | ephemeral | HLR | 21 | FTP | TCP | ftp | Optional: this firewall rule is not required if SFTP is used. NetAct uses FTP to get data from the network element via this port. MML mediation uses FTP for software download.
NX2S and XOH | ephemeral | MSC | 21 | FTP | TCP | ftp | Optional: this firewall rule is not required if SFTP is used. NetAct uses FTP to get data from the network element via this port. MML mediation uses FTP for software download.
NX2S and XOH | ephemeral | CDS | 21 | FTP | TCP | ftp | Optional: this firewall rule is not required if SFTP is used. NetAct uses FTP to get data from the network element via this port. MML mediation uses FTP for software download.
NX2S and XOH | ephemeral | HLR | 22 | SSH/SFTP | TCP | ssh | Log in to the NE via this port when integrating the NE to NetAct by SSH. MML mediation sends commands by SSH and uses SFTP for software download. NetAct uses SFTP to get data from the NE via this port.
NX2S and XOH | ephemeral | MSC | 22 | SSH/SFTP | TCP | ssh | Log in to the NE via this port when integrating the NE to NetAct by SSH. MML mediation sends commands by SSH and uses SFTP for software download. NetAct uses SFTP to get data from the NE via this port.
NX2S and XOH | ephemeral | CDS | 22 | SSH/SFTP | TCP | ssh | Log in to the NE via this port when integrating the NE to NetAct by SSH. MML mediation sends commands by SSH and uses SFTP for software download. NetAct uses SFTP to get data from the NE via this port.
NX2S and XOH | ephemeral | HLR | 80 | HTTP | TCP | http | Optional: this firewall rule is not required if HTTPS is used. NetAct sends requests to the network element via this port when it communicates with the network element by HTTP.
NX2S and XOH | ephemeral | Open TAS Cloud | 443 | HTTPS | TCP | https | NetAct sends requests to the network element via this port when it communicates with the network element by HTTPS.
NX2S and XOH | ephemeral | Open TAS Cloud | 23 | TELNET | TCP | telnet | Log in to the network element via Telnet before SSH is activated. MML mediation sends commands by Telnet.
Open TAS Cloud | ephemeral | NX2S and XOH | 4000 | HTTP | TCP | tcp-4000 | Optional: this firewall rule is not required if HTTPS is used. The network element sends notifications to NetAct via this port when it communicates with NetAct by HTTP.
Open TAS Cloud | ephemeral | NX2S and XOH | 4443 | HTTPS | TCP | tcp-4443 | The network element sends notifications to NetAct via this port when it communicates with NetAct by HTTPS.
NX2S and XOH | ephemeral | Open TAS Cloud | 21 | FTP | TCP | ftp | Optional: this firewall rule is not required if SFTP is used. NetAct uses FTP to get data from the network element via this port. MML mediation uses FTP for software download.
NX2S and XOH | ephemeral | Open TAS Cloud | ephemeral | FTP | TCP | ftp | Optional: this firewall rule is not required if SFTP is used. The FTP data channel in FTP passive mode uses this rule.
NX2S and XOH | ephemeral | Open TAS Cloud | 22 | SSH/SFTP | TCP | ssh | Log in to the NE via this port when integrating the NE to NetAct by SSH. MML mediation sends commands by SSH and uses SFTP for software download. NetAct uses SFTP to get data from the NE via this port.
NX2S and XOH | ephemeral | Flexi NS | ephemeral | FTP | TCP | ftp-data | The FTP data channel in FTP passive mode uses this rule. Note: this firewall rule is not required if the respective secure protocol is used.
NX2S and XOH | ephemeral | Flexi NS | 21 | FTP | TCP | ftp | For transferring the software package to the NE. Note: this firewall rule is not required if the respective secure protocol is used.
NX2S and XOH | ephemeral | Flexi NS | 22 | SSH/SFTP | TCP | ssh | MML commands; transferring the software package over SFTP.
NX2S and XOH | ephemeral | Flexi NS | 23 | TELNET | TCP | telnet | MML commands towards the NE. Note: this firewall rule is not required if the respective secure protocol is used.
NX2S and XOH | ephemeral | mcRNC | 22 | SSH/SFTP | TCP | ssh | SCLI commands towards the NE; SFTP for downloading the software package to the mcRNC.
NX2S and XOH | ephemeral | Flexi NG | 22 | SSH | TCP | ssh | SCLI commands towards the NE.
NX2S and XOH | ephemeral | Open MGW | 22 | SSH/SFTP | TCP | ssh | SCLI commands towards the NE.
NX2S and XOH | ephemeral | MCTC | 22 | SSH | TCP | ssh | Send SCLI commands from NetAct to the MCTC.
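Many rows in the table above are marked optional because a plaintext protocol (FTP on 20/21, Telnet on 23, HTTP on 80/4000) is replaced by SFTP/SSH on 22 or by HTTPS. The following script, added here as an illustration and not part of the NetAct documentation, reads a rule table in the same column layout, reports the optional plaintext rules for which the same source/destination pair already has the secure counterpart, and renders the remaining rules as host firewall commands. The rows in SAMPLE_TABLE are abridged copies of rows from the table above; the addresses in HOSTS and the use of iptables as the host firewall are assumptions made for the example, and the document does not prescribe either.

```python
"""Audit a NetAct-style firewall rule table for plaintext rules that a
secure counterpart makes unnecessary, and render the rest as iptables commands.

Added example, not part of the NetAct documentation. SAMPLE_TABLE holds
abridged copies of rows from the NX2S/XOH table; HOSTS and the choice of
iptables are assumptions made for illustration only.
"""
from __future__ import annotations

from dataclasses import dataclass

# Constructed sample input in the "Source | Source port | Destination |
# Dest. port | Application layer | Transport layer | Service object |
# Description" layout used by the tables on this page.
SAMPLE_TABLE = """\
Source | Source port | Destination | Dest. port | Application layer | Transport layer | Service object | Description
NX2S and XOH | ephemeral | BSC | 21 | FTP | TCP | ftp | FTP control channel. Note: not required if the respective secure protocol is used.
NX2S and XOH | ephemeral | BSC | 22 | SSH | TCP | ssh | Send MML commands from NetAct to the BSC.
NX2S and XOH | ephemeral | BSC | 23 | TELNET | TCP | telnet | Send MML commands. Note: not required if the respective secure protocol is used.
NX2S and XOH | ephemeral | HLR | 80 | HTTP | TCP | http | Optional: not required if HTTPS is used.
NX2S and XOH | ephemeral | HLR | 443 | HTTPS | TCP | https | NetAct sends requests to the NE by HTTPS.
HLR | ephemeral | NX2S and XOH | 4000 | HTTP | TCP | tcp-4000 | Optional: not required if HTTPS is used.
HLR | ephemeral | NX2S and XOH | 4443 | HTTPS | TCP | tcp-4443 | The NE sends notifications to NetAct by HTTPS.
NX2S and XOH | ephemeral | Flexi NS | 23 | TELNET | TCP | telnet | MML commands. Note: not required if the respective secure protocol is used.
NX2S and XOH | ephemeral | Flexi NG | 22 | SSH | TCP | ssh | SCLI commands towards the NE.
"""

# Plaintext application protocol -> application layers that replace it.
SECURE_COUNTERPART = {
    "FTP": {"SFTP", "SSH", "SSH/SFTP"},
    "TELNET": {"SSH", "SSH/SFTP"},
    "HTTP": {"HTTPS"},
}

# Assumed addresses for the example hosts (not from the documentation).
HOSTS = {
    "NX2S and XOH": "10.0.1.10",
    "BSC": "10.0.2.20",
    "HLR": "10.0.2.30",
    "Flexi NS": "10.0.2.40",
    "Flexi NG": "10.0.2.50",
}


@dataclass(frozen=True)
class Rule:
    source: str
    sport: str
    dest: str
    dport: str
    app: str
    transport: str
    service: str
    description: str

    @property
    def optional(self) -> bool:
        # The tables mark a legacy rule with "not required if ..." in its description.
        return "not required if" in self.description.lower()


def parse_rules(text: str) -> list[Rule]:
    """Parse pipe-separated rows; the header row and malformed rows are skipped."""
    rules = []
    for line in text.splitlines():
        cells = [c.strip() for c in line.split("|")]
        if len(cells) != 8 or cells[0].lower() == "source":
            continue
        rules.append(Rule(*cells))
    return rules


def legacy_rules(rules: list[Rule]) -> list[Rule]:
    """Return optional plaintext rules whose secure counterpart exists for the same peer pair.

    A Telnet-only NE with no SSH row is deliberately left alone: closing its
    port would cut the only management path the table documents.
    """
    apps_by_pair: dict[tuple[str, str], set[str]] = {}
    for r in rules:
        apps_by_pair.setdefault((r.source, r.dest), set()).add(r.app.upper())
    found = []
    for r in rules:
        secure = SECURE_COUNTERPART.get(r.app.upper())
        if secure and r.optional and apps_by_pair[(r.source, r.dest)] & secure:
            found.append(r)
    return found


def iptables_lines(rules: list[Rule], hosts: dict[str, str], local: str = "NX2S and XOH") -> list[str]:
    """Render the rules that survive legacy_rules() as iptables commands for the VM `local`.

    Rows whose destination port is "ephemeral" (passive-mode FTP data channels)
    cannot be expressed as a fixed-port rule and are skipped.
    """
    skip = set(legacy_rules(rules))
    lines = []
    for r in rules:
        if r in skip or r.dport == "ephemeral":
            continue
        dport = r.dport.replace("-", ":")  # "13062-13092" -> iptables range syntax
        for proto in r.transport.lower().split("/"):  # "TCP/UDP" -> one rule per protocol
            if r.source == local:
                lines.append(f"iptables -A OUTPUT -p {proto} -d {hosts[r.dest]} --dport {dport} -j ACCEPT")
            elif r.dest == local:
                lines.append(f"iptables -A INPUT -p {proto} -s {hosts[r.source]} --dport {dport} -j ACCEPT")
    return lines


if __name__ == "__main__":
    parsed = parse_rules(SAMPLE_TABLE)
    for r in legacy_rules(parsed):
        print(f"close {r.app} {r.source} -> {r.dest}:{r.dport} (secure counterpart present)")
    print("\n".join(iptables_lines(parsed, HOSTS)))
```

Run against the sample, the checker reports the BSC FTP and Telnet rows and both HLR HTTP rows, but keeps the Flexi NS Telnet row because no SSH row exists for that pair; the generated rule set therefore still opens port 23 towards Flexi NS, which is the row an operator should follow up on with the NE owner before closing it.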

NetAct™ 22 © 2021 Nokia. Nokia Confidential Information 461


Final Use subject to agreed restrictions on disclosure and use.
Administering NetAct System Security DN0979438_C 5-2 Configuring Firewall for NetAct

27.2.20 Firewall rules for VMs that host the Node Manager

Appli- Trans-
Service
Source Source Port Destination Dest. Port cation port Description
Object
Layer Layer

NodeMgr ephemeral MSC 22 SSH TCP ssh EM launch for NOKMSS-Mr17.


0IP,NOKMSS-Md17.0IP this firewall
rule is not needed in NetAct15.5

NRBTS ephemeral NodeMgr 13062-13092 HTTPS TCP x-window File transfer via HTTPS. Note: It
is only applicable for 5G19ACLA,
5G19BCLA, and 5G20ACLA.

NodeMgr ephemeral NRBTS 12030 IIOP TCP entextxid ASIR Manager – ASIR Controller
connection. Note: It is only applica-
ble for 5G19ACLA, 5G19BCLA, and
5G20ACLA.

NodeMgr ephemeral NRBTS 6030 HTTP TCP http File transfer via HTTP Optional: This
firewall rule is not required if the re-
spective secure protocol is used.
Note: It is ASiR Manager related
rule, only applicable for 5G19ACLA,
5G19BCLA, and 5G20ACLA.

NodeMgr ephemeral NRBTS 6031 HTTPS TCP https File transfer via HTTPS. Note: It is
ASiR Manager related rule, only ap-
plicable for 5G19ACLA, 5G19BCLA,
and 5G20ACLA.

NodeMgr ephemeral ASI 12030 IIOP TCP entextxid ASIR Manager – ASIR Controller
connection. Note: This firewall is ap-
plicable to ASI20B and earlier re-
leases.

NodeMgr ephemeral ASI 6031 HTTPS TCP https File transfer via HTTPs. Note: This
firewall is applicable to ASI20B and
earlier releases.

NodeMgr ephemeral ASI 6030 HTTP TCP http File transfer via HTTP. Optional: This
firewall rule is not required if the re-
spective secure protocol is used.
Note: This firewall is applicable to
ASI20B and earlier releases.

SOAM BTS ephemeral NodeMgr 13062-13092 HTTPS TCP x-window File transfer via HTTPS Note: It is a
firewall rule related to ASiR Manag-
er.

NodeMgr ephemeral SOAM BTS 6031 HTTPS TCP https File transfer via HTTPS Note: It is a
firewall rule related to ASiR Manag-
er.

NodeMgr ephemeral SOAM BTS 6030 HTTP TCP http File transfer via HTTP Optional: This
firewall rule is not required if the re-
spective secure protocol is used.

NetAct™ 22 © 2021 Nokia. Nokia Confidential Information 462


Final Use subject to agreed restrictions on disclosure and use.
Administering NetAct System Security DN0979438_C 5-2 Configuring Firewall for NetAct

Appli- Trans-
Service
Source Source Port Destination Dest. Port cation port Description
Object
Layer Layer

Note: It is a firewall rule related to


ASiR Manager.

Single RAN ephemeral NodeMgr 13062-13092 HTTPS TCP x-window File transfer via HTTPS Note: It is
BTS only applicable for SBTS20B and
earlier releases, which is related to
ASiR Manager.

NodeMgr ephemeral Single RAN 12030 IIOP TCP entextxid ASIR Manager – ASIR Controller
BTS connection Note: It is only applicable
for SBTS20B and earlier releases.

NodeMgr ephemeral Single RAN 6031 HTTPS TCP https File transfer via HTTPS Note: It is
BTS only applicable for SBTS20B and
earlier releases, which is related to
ASiR Manager.

NodeMgr ephemeral Single RAN 6030 HTTP TCP http File transfer via HTTP. Optional:
BTS This firewall rule is not required if
the respective secure protocol is
used. Note: It is only applicable
for SBTS20B and earlier releases,
which is related to ASiR Manager.

NodeMgr ephemeral SOAM BTS 12030 IIOP TCP entextxid ASIR Manager – ASIR Controller
connection.

Corporate ephemeral NMS DC 88 Kerberos TCP/ kdc User Authentication when Corporate
Windows UDP Domain user attempts to log in to
Domain Node Manager domain member
Controller

NodeMgr ephemeral Corporate 88 Kerberos TCP/ kdc User Authentication when Corporate
Windows UDP Domain user attempts to log in to
Domain Node Manager domain member
Controller

NodeMgr ephemeral Corporate 464 Kerberos TCP/ Kerberos User Authentication when corporate
Windows UDP Password domain user attempts to change its
Domain V5 password after login to Node Manag-
Controller er domain computer

NodeMgr ephemeral Corporate 445 SMB/ TCP/ srv2.sys Group Policy apply when corporate
Windows CIFS/ UDP domain user attempts to login to
Domain SMB2/ Node Manager domain computer;
Controller DFSN/ Node Manager domain resource ac-
LSARPC/ cess remotely & NTLM user authen-
NbtSS tication

NodeMgr ephemeral Corporate 53 DNS TCP/ dns User and Computer Authentication,
DNS Server UDP Name Resolution, Trusts.

Corporate ephemeral NMS DC 53 DNS TCP/ dns User and Computer Authentication,
DNS Server UDP Name Resolution, Trusts

NetAct™ 22 © 2021 Nokia. Nokia Confidential Information 463


Final Use subject to agreed restrictions on disclosure and use.
Administering NetAct System Security DN0979438_C 5-2 Configuring Firewall for NetAct

Appli- Trans-
Service
Source Source Port Destination Dest. Port cation port Description
Object
Layer Layer

Corporate ephemeral NMS DC 445 SMB/ TCP/ srv2.sys Group Policy apply when Corporate
Windows CIFS/ UDP domain administrator propagates
Domain SMB2/ changes from corporate domain pol-
Controller DFSN/ icy
LSARPC/
NbtSS

NodeMgr na Nokia 9926 na na ICMP na Connectivity check to the NetWork


eNodeB Element.

NodeMgr ephemeral Single RAN 443 HTTPS TCP https Used to access SOAM BTS Element
BTS Manager via WebUI.

NodeMgr ephemeral Delivery 89 Local TCP Set-Bro- Used by Secondary Broker when
Controller Host kerSite LHC is enabled in 7.12 and above.
Cache -Local- (This use of port 89 might change in
Host- future releases)
CacheEn-
abled

NodeMgr ephemeral CBAM Web 443 HTTPS TCP cbam-we- Launch CBAM Web GUI Applicable
UI bgui for below versions: CBAM 19 and
later release

NodeMgr ephemeral MRBTS 80 HTTP TCP http BTS Site Manager launch

NodeMgr ephemeral MRBTS 6030 HTTP TCP http File transfer via HTTP Optional: This
firewall rule is not required if the re-
spective secure protocol is used

NodeMgr ephemeral MRBTS 6031 HTTPS TCP https File transfer via HTTPS

NodeMgr ephemeral MRBTS 12030 IIOP TCP entextxid ASIR Manager – ASIR Controller
connection

Corporate ephemeral NMS DC 135 RPC/ TCP/ RpcSs Netlogon, group policy, trusts, other
Windows EPM UDP services require MSRPC call
Domain
Controller

Corporate ephemeral NMS DC 389 LDAP TCP/ ldap Connections to Directory, User Au-
Windows UDP thentication, Group Policy, Trusts
Domain
Controller

Corporate ephemeral NMS DC 636 LDAP TCP ldaps Connections to Directory, User Au-
Windows thentication, Group Policy, Trusts
Domain
Controller

Corporate ephemeral NMS DC 3268 LDAP TCP ldap Connections to Directory, User Au-
Windows thentication, Group Policy, Trusts
Domain
Controller

NetAct™ 22 © 2021 Nokia. Nokia Confidential Information 464


Final Use subject to agreed restrictions on disclosure and use.
Administering NetAct System Security DN0979438_C 5-2 Configuring Firewall for NetAct

Appli- Trans-
Service
Source Source Port Destination Dest. Port cation port Description
Object
Layer Layer

Corporate ephemeral NMS DC 3269 LDAPS TCP ldaps Connections to Directory, User Au-
Windows thentication, Group Policy, Trusts
Domain
Controller

NodeMgr ephemeral Corporate 135 RPC/ TCP/ RpcSs Netlogon, group policy, trusts, other
Windows EPM UDP services require MSRPC call.
Domain
Controller

NodeMgr ephemeral Corporate 389 LDAP TCP/ ldap Connections to Directory, User Au-
Windows UDP thentication, Group Policy, Trusts
Domain
Controller

NodeMgr ephemeral Corporate 636 LDAP TCP ldaps Connections to Directory, User Au-
Windows thentication, Group Policy, Trusts
Domain
Controller

NodeMgr ephemeral Corporate 3268 LDAP TCP ldap Connections to Directory, User Au-
Windows thentication, Group Policy, Trusts
Domain
Controller

NodeMgr ephemeral Corporate 3269 LDAPS TCP ldaps Connections to Directory, User Au-
Windows thentication, Group Policy, Trusts
Domain
Controller

NodeMgr ephemeral NRBTS 443 HTTPS TCP https Used to access 5G BTS Element
Manager NetAct Monitor.

NodeMgr ephemeral intgwas 9110 IIOP/ TCP tcp-9110 ORB Listener Port for Websphere
CSIv2 application server

NodeMgr ephemeral intgwas 9418 IIOP/ TCP tcp-9418 CSIV2 Client Authentication Listener
CSIv2 Port

NodeMgr ephemeral intgwas 7285 Secure TCP tcp-7285 WebSphere SIB endpoint secure ad-
JMS dress for intgserver

NodeMgr ephemeral syswas 9108 IIOP/ TCP tcp-9108 ORB Listener Port for Websphere
CSIv2 application server

NodeMgr ephemeral syswas 9416 IIOP/ TCP tcp-9416 CSIV2 Client Authentication Listener
CSIv2 Port

NodeMgr ephemeral syswas 7283 Secure TCP tcp-7283 WebSphere SIB endpoint secure ad-
JMS dress for sysserver

NodeMgr ephemeral cmwas 9106 IIOP/ TCP tcp-9106 ORB Listener Port for Websphere
CSIv2 application server

NodeMgr ephemeral cmwas 9414 IIOP/ TCP tcp-9414 CSIV2 Client Authentication Listener
CSIv2 Port

NetAct™ 22 © 2021 Nokia. Nokia Confidential Information 465


Final Use subject to agreed restrictions on disclosure and use.
Administering NetAct System Security DN0979438_C 5-2 Configuring Firewall for NetAct

Appli- Trans-
Service
Source Source Port Destination Dest. Port cation port Description
Object
Layer Layer

NodeMgr ephemeral cmwas 7281 Secure TCP tcp-7281 WebSphere SIB endpoint secure ad-
JMS dress for cmserver

NodeMgr ephemeral LB WAS vir- 10443 HTTPS TCP https NetAct Monitor application https
tual IP communication.

NodeMgr ephemeral fmwas 9402 IIOP TCP csiv2- Used for CORBA communication
ssl-mutu- from Web application or other appli-
al-auth- cation. WebSphere CSIV2 SSL mu-
listener tual authentication listener address.

NodeMgr ephemeral fmwas 9100 RMI/ TCP tcp-9100 This is used for initiating connections
IIOP when client requests JNDI services
from server. Used to communicate
with RMI/IIOP service of CertGen

NodeMgr ephemeral fmwas 9105 IIOP/ TCP tcp-9105 ORB Listener Port for Websphere
CSIv2 application server

NodeMgr ephemeral fmwas 9413 IIOP/ TCP tcp-9413 CSIV2 Client Authentication Listener
CSIv2 Port

NodeMgr ephemeral fmwas 9102 IIOP/ TCP tcp-9102 ORB Listener Port
CSIv2

NodeMgr ephemeral fmwas 9202 IIOP/ TCP tcp-9202 CSIV2 Client Authentication Listener
CSIv2 Port

NodeMgr ephemeral fmwas 7280 Secure TCP tcp-7280 WebSphere SIB endpoint secure ad-
JMS dress for fmserver

NodeMgr ephemeral itsmwas 9109 IIOP/ TCP tcp-9109 ORB Listener Port for Websphere
CSIv2 application server

NodeMgr ephemeral itsmwas 9417 IIOP/ TCP tcp-9417 CSIV2 Client Authentication Listener
CSIv2 Port

NodeMgr ephemeral itsmwas 7284 Secure TCP tcp-7284 WebSphere SIB endpoint secure ad-
JMS dress for itsmserver

NodeMgr ephemeral TVG 1494 ICA TCP ICA For ICA connection to TVG

NodeMgr ephemeral TCS 3389 NE3S/ TCP/ tcp/ Port is used for establishing Terminal
SNMP UDP udp-3389 Services connection from Node Man-
age VM to TCS

NodeMgr ephemeral fmwas 22 SFTP TCP putty Element management component


update. Optional:This firewall rule is
only required when Element man-
agement component need update in
Node manager server.

NMS DC ephemeral DNS 53 DNS TCP/ dns Node manager server access NetAct
UDP DNS server

NodeMgr ephemeral LB WAS vir- 443 HTTPS TCP HTTPS Node manager server access NetAct
tual IP LB WAS

NetAct™ 22 © 2021 Nokia. Nokia Confidential Information 466


Final Use subject to agreed restrictions on disclosure and use.
Administering NetAct System Security DN0979438_C 5-2 Configuring Firewall for NetAct

Source | Source Port | Destination | Dest. Port | Application Layer | Transport Layer | Service Object | Description
syswas | ephemeral | NodeMgr | 636 | LDAPS | TCP | ldaps | Used to connect to the Active Directory server over SSL/TLS.
NodeMgr | ephemeral | SLNBI | 22 | na | TCP | Putty | Connectivity check from the Node Manager server to SLNBI.
User Workstation Apps | ephemeral | NodeMgr | 637 | RPC | UDP | lanserver | Used to connect to NFS.
NodeMgr | ephemeral | SOAM BTS | 443 | HTTPS | TCP | https | Used to access the SOAM BTS Element Manager via the web UI.
NodeMgr | ephemeral | 5620 SAM main server(s) | 8085 | HTTP | TCP | sam-o-javagui | Launch SAM client. Optional: this firewall rule is not required if the respective secure protocol is used.
NodeMgr | ephemeral | 5620 SAM main server(s) | 80 | HTTP | TCP | sam-o-javagui | Launch SAM client. Optional: this firewall rule is not required if the respective secure protocol is used.
NodeMgr | ephemeral | NFM-P main server(s) | 443 | HTTPS | TCP | nfm-p-webgui | Launch NFM-P web GUI. Applicable to NSP 17.9 and later releases.
NodeMgr | ephemeral | 5620 SAM main server(s) | 1097 | JMS | TCP | sam-o-javagui | Launch SAM client.
NodeMgr | ephemeral | 5620 SAM main server(s) | 1099 | IIOP | TCP | sam-o-javagui | Launch SAM client.
NodeMgr | ephemeral | 5620 SAM main server(s) | 4447 | JMS | TCP | sam-o-javagui | Launch SAM client.
NodeMgr | ephemeral | 5620 SAM main server(s) | 6100-6119 | SOCKET | UDP | sam-o-javagui | Launch SAM client.
NodeMgr | ephemeral | 5620 SAM main server(s) | 8087 | HTTPS | TCP | sam-o-javagui | Launch SAM client.
NodeMgr | ephemeral | 5620 SAM main server(s) | 8088 | HTTPS | TCP | sam-o-javagui | Launch SAM client.
NodeMgr | ephemeral | 5620 SAM main server(s) | 8089 | HTTPS | TCP | sam-o-javagui | Launch SAM client.
NodeMgr | ephemeral | 5620 SAM main server(s) | 8444 | HTTPS | TCP | sam-o-javagui | Launch SAM client.

NodeMgr | ephemeral | 5620 SAM main server(s) | 443 | HTTPS | TCP | sam-o-javagui | Launch SAM client.
NodeMgr | ephemeral | DCAP | 3389 | RDP | TCP/UDP | tcp/udp-3389 | Used for Windows Remote Desktop launch. This rule is only applicable to DCAP Windows.
NodeMgr | ephemeral | Nokia Decomposed SBC Signaling Plane | 8443 | HTTPS | TCP | PCSYNCHTTPS | For MI-GUI launch to Nokia Decomposed SBC Signaling Plane.
NodeMgr | ephemeral | Nokia Decomposed SBC Signaling Plane | 1099 | RMI | TCP | RMIREGISTRY | For MI-GUI launch to Nokia Decomposed SBC Signaling Plane.
NodeMgr | ephemeral | Nokia Decomposed SBC Signaling Plane | 1234 | RMI | TCP | SEARCHAGENT | For MI-GUI launch to Nokia Decomposed SBC Signaling Plane.
NodeMgr | ephemeral | Nokia Decomposed SBC Signaling Plane | 1235 | RMI | TCP | MI AgentWebNMS java process | For MI-GUI launch to Nokia Decomposed SBC Signaling Plane.
NodeMgr | ephemeral | Nokia Decomposed SBC Signaling Plane | 4567 | RMI | TCP | MI-Agent GUI | For MI-GUI launch to Nokia Decomposed SBC Signaling Plane.
NodeMgr | ephemeral | Nokia Decomposed SBC Signaling Plane | 42000 | RMI | TCP | Client-server communication | For MI-GUI launch to Nokia Decomposed SBC Signaling Plane.
NodeMgr | ephemeral | Nokia 9926 eNodeB | 161 | SNMP | UDP | snmp-get | For SNMP SET/GET/GETBULK/walk operations to the Nokia 9926 eNodeB.
Nokia 9926 eNodeB | ephemeral | NodeMgr | 162 | SNMP | UDP | snmp-trap-listener | Used for receiving traps from the Nokia 9926 eNodeB.
NodeMgr | ephemeral | Nokia 9926 eNodeB | 830 | NETCONF | TCP | netconf | For NETCONF actions to the Nokia 9926 eNodeB.
NodeMgr | ephemeral | MRBTS | 443 | HTTPS | TCP | https | Secured HTTP connection to MRBTS.
NodeMgr | ephemeral | MRBTS | 3600 | HTTPS | TCP | https | Web element manager launch.

User Workstation Apps | ephemeral | NodeMgr | 5985 | WS-Management | TCP | WinRM | Used by the Windows internal component Windows Remote Management (WinRM).
NodeMgr | ephemeral | Cisco Prime Network Client | 12443 | ICA/TLS | TCP | guis-ica | For ICA connection to the Cisco client.
NodeMgr | ephemeral | MSC | 23 | TELNET | TCP | telnet | EM launch. Optional: this firewall rule is not required if SSH is used.
NodeMgr | ephemeral | SBTS | 443 | HTTPS | TCP | https | Used to access the SBTS Element Manager via the web UI. Note: during the Plug and Play process, this firewall rule must additionally be applied for the SBTS using the temporary IP address.
NodeMgr | ephemeral | CWLC | 443 | HTTPS | TCP | https | Used for remote access to CWLC via the web UI.
NodeMgr | ephemeral | ASCBTS | 443 | HTTPS | TCP | https | Used to access the AirScale Cloud BTS Element Manager from NetAct Monitor.
NodeMgr | ephemeral | Cisco | 4440 | HTTPS | TCP | https | For HTTPS connection to Cisco Prime Performance Manager (HTTP on the same port is not required if HTTPS is used).
NodeMgr | ephemeral | Cisco Prime Network Client | 443 | HTTPS | TCP | https | For HTTPS connection to the Cisco client.
NodeMgr | ephemeral | Cisco Prime Network Client | 80 | HTTP | TCP | http | For HTTP connection to the Cisco client (also required for the setup of the HTTPS connection).
NodeMgr | ephemeral | WBTS | 6000 | HTTP | TCP | http | File transfer via HTTP. Optional: this firewall rule is not required if the respective secure protocol is used.
NodeMgr | ephemeral | WBTS | 6001 | HTTPS | TCP | https | File transfer via HTTPS.
NodeMgr | ephemeral | MRBTS | 6000 | HTTP | TCP | http | File transfer via HTTP. Optional: this firewall rule is not required if the respective secure protocol is used.
NodeMgr | ephemeral | MRBTS | 6001 | HTTPS | TCP | https | File transfer via HTTPS.
NodeMgr | ephemeral | ATS | 10000 | HTTPS | TCP | https | For HTTPS connection to the Webmin console in ATS.
NodeMgr | ephemeral | EPD | 10000 | HTTPS | TCP | https | For HTTPS connection to the Webmin console in EPD.
NodeMgr | ephemeral | TVG | 10000 | HTTPS | TCP | https | For HTTPS connection to the Webmin console in TVG.

NodeMgr | ephemeral | CDD | 22 | SSH | TCP | ssh | For SSH EM launch for CDD.
NodeMgr | ephemeral | TACTILON | 22 | SSH | TCP | ssh | For SSH EM launch for TACTILON.
NodeMgr | ephemeral | ATS | 22 | SSH | TCP | ssh | For SSH EM launch for ATS.
NodeMgr | ephemeral | EPD | 22 | SSH | TCP | ssh | For SSH EM launch for EPD.
NodeMgr | ephemeral | Juniper | 443 | HTTPS | TCP | https | For Junos Space launch operations to Juniper.
NodeMgr | ephemeral | Cisco | 4440 | HTTP | TCP | http | For HTTP connection to Cisco Prime Performance Manager. Optional: this firewall rule is not required if HTTPS is used.
WBTS | ephemeral | NodeMgr | 13062-13092 | HTTPS | TCP | x-window | File transfer via HTTPS.
NodeMgr | ephemeral | OMS | 22 | SSH | TCP | ssh | Element manager connections.
MRBTS | ephemeral | NodeMgr | 13062-13092 | HTTPS | TCP | x-window | File transfer via HTTPS.
NodeMgr | ephemeral | Cisco Prime Network Client | 1494 | ICA | TCP | guis-ica | For ICA connection to the Cisco client. Optional: this firewall rule is only required if the SSL/TLS ICA connection is not enabled.
OMS | ephemeral | NodeMgr | 49152-49652 | IIOP | TCP | ne-applauncher-oms | Listening ports for CORBA callbacks between OMS and the Application Launcher on the Node Manager server.
User Workstation Apps | ephemeral | NodeMgr | 80 | HTTP | TCP | http | Used for HTTP web requests to the Citrix server.
User Workstation Apps | ephemeral | NodeMgr | 389 | LDAP | TCP/UDP | ldap | Used by Active Directory on the Windows Domain Controller.
User Workstation Apps | ephemeral | NodeMgr | 443 | HTTPS | TCP | https | Used for HTTPS web requests to the Citrix server.
User Workstation Apps | ephemeral | NodeMgr | 1494 | ICA | TCP | tcp-1494 | Used to connect to the Citrix server via the Citrix ICA client.
User Workstation Apps | ephemeral | NodeMgr | 2598 | ICA | TCP | CitrixXTEServer | Used for Citrix connection via Citrix ICA Session Reliability.
User Workstation Apps | ephemeral | NodeMgr | 3389 | RDP | TCP/UDP | tcp/udp-3389 | Used for Terminal Services connection.
User Workstation Apps | ephemeral | NodeMgr | 9389 | Active Directory Web Services | TCP | ADWS | Used for Active Directory Web Services by the user management connection.
NodeMgr | ephemeral | vCSA | 443 | HTTPS | TCP | https | Node Manager access to vCSA.
NodeMgr | ephemeral | VDP | 8543 | HTTPS | TCP | https | Node Manager access to VDP.
NodeMgr | ephemeral | OMS | 500 | IKE | UDP | udp-500 | IPsec IKE negotiation.

NodeMgr | ephemeral | MCTC | 22 | SSH | TCP | ssh | Used for SSH terminal connection in an SCLI session.
NodeMgr | ephemeral | IPA-RNC | 23 | TELNET | TCP | telnet | PuTTY Telnet connection to RNC. This rule is retained to keep compatibility with RU30 NEs. Optional: this firewall rule is not required if the respective secure protocol is used.
NodeMgr | ephemeral | RNC | 22 | SSH/SFTP | TCP | SSH | PuTTY SSH connection to RNC. This rule is retained to keep compatibility with RU30 NEs.
NodeMgr | ephemeral | HLR | 22 | SSH | TCP | ssh | EM launch.
NodeMgr | ephemeral | CDS | 22 | SSH | TCP | ssh | EM launch.
NodeMgr | ephemeral | HLR | 23 | TELNET | TCP | telnet | EM launch. Optional: this firewall rule is not required if SSH is used.
NodeMgr | ephemeral | CDS | 23 | TELNET | TCP | telnet | EM launch. Optional: this firewall rule is not required if SSH is used.
NodeMgr | ephemeral | NEMU | 80 | HTTP | TCP | http | EM launch.
NodeMgr | ephemeral | NEMU | 49152-49160 | IIOP | TCP | tcp-49152-49160 | EM launch.
NodeMgr | ephemeral | MRBTS | 12000 | IIOP | TCP | entextxid | SEM-FTM connection.
NodeMgr | ephemeral | OMS | 636 | LDAPS | TCP | ldaps | Application Launcher launch.
NodeMgr | ephemeral | OMS | 49152-49652 | IIOP | TCP | ne-applauncher-oms | Ephemeral ports used by OMS Application Launcher internal applications, for example Measurement Management and Fault Management.
NodeMgr | ephemeral | OMS | 49568 | IIOP | TCP | tcp-49568 | OMS connection needed for EM launch.
NodeMgr | ephemeral | WBTS | 443 | HTTPS | TCP | https | Secured HTTP connection to WBTS.
NodeMgr | ephemeral | WBTS | 12000 | IIOP | TCP | entextxid | SEM-FTM connection.
NodeMgr | ephemeral | OMS | 80 | HTTP | TCP | http | Used to access the OMS Element Manager via the web UI; only for IPv6.
NodeMgr | ephemeral | OMS | 443 | HTTPS | TCP | https | Used to access the OMS Element Manager via the web UI.
NodeMgr | ephemeral | Open MGW | 22 | SSH | TCP | ssh | EM launch.
NodeMgr | ephemeral | Open MGW | 443 | HTTPS | TCP | https | EM launch.

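The tables above list each allowed flow as source, destination, port and protocol, and mark the plaintext management rows (Telnet, FTP, HTTP) as Optional wherever a secure counterpart exists. The following Python example is added here and is not part of the Nokia document: it models such rows, drops an optional plaintext rule when the matching secure rule for the same source and destination is present, flags the plaintext rules that have no secure counterpart so they are reviewed instead of opened silently, and renders the survivors as stateful iptables rules. The rows in RULES are a constructed subset of the Node Manager table; the address map ADDR and the SECURE_COUNTERPART pairs are assumptions for illustration. The same loop applies unchanged to the Q3, vCSA and WebSphere tables in this section.

```python
"""Prune plaintext-protocol rules and render a NetAct-style firewall table.

Added example, not part of the Nokia document. The rows in RULES are a
constructed subset of the Node Manager table; ADDR is an assumed address map.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Plaintext management protocols and the secure port that replaces them.
# The table marks such rows "Optional: not required if the respective
# secure protocol is used"; this mapping encodes that relationship (assumed).
SECURE_COUNTERPART: Dict[Tuple[str, int], int] = {
    ("TELNET", 23): 22,     # Telnet -> SSH
    ("FTP", 21): 22,        # FTP    -> SFTP over SSH
    ("HTTP", 80): 443,      # HTTP   -> HTTPS
    ("HTTP", 6000): 6001,   # WBTS/MRBTS file transfer HTTP -> HTTPS
}

# Assumed host-group addresses (placeholder CIDRs, not NetAct values).
ADDR: Dict[str, str] = {
    "NodeMgr": "10.0.1.0/24",
    "MSC": "10.0.2.0/24",
    "HLR": "10.0.3.0/24",
    "WBTS": "10.0.4.0/24",
    "OMS": "10.0.5.0/24",
}


@dataclass(frozen=True)
class Rule:
    src: str
    dst: str
    dport: int
    app: str          # application-layer label as used in the table
    proto: str        # "TCP" or "UDP"
    optional: bool    # True for rows the table marks "Optional"
    note: str = ""


# Constructed rows, abridged from the Node Manager table on this page.
RULES: List[Rule] = [
    Rule("NodeMgr", "MSC", 23, "TELNET", "TCP", True, "EM launch"),
    Rule("NodeMgr", "HLR", 22, "SSH", "TCP", False, "EM launch"),
    Rule("NodeMgr", "HLR", 23, "TELNET", "TCP", True, "EM launch"),
    Rule("NodeMgr", "WBTS", 6000, "HTTP", "TCP", True, "file transfer"),
    Rule("NodeMgr", "WBTS", 6001, "HTTPS", "TCP", False, "file transfer"),
    Rule("NodeMgr", "OMS", 500, "IKE", "UDP", False, "IPsec IKE negotiation"),
]


def secure_sibling(rule: Rule, rules: List[Rule]) -> Optional[Rule]:
    """Return the secure rule that makes `rule` redundant, if one exists."""
    port = SECURE_COUNTERPART.get((rule.app.upper(), rule.dport))
    if port is None:
        return None
    for other in rules:
        if (other.src, other.dst, other.dport, other.proto) == (rule.src, rule.dst, port, rule.proto):
            return other
    return None


def prune_plaintext(rules: List[Rule]) -> Tuple[List[Rule], List[Rule], List[Rule]]:
    """Split rules into (kept, dropped, flagged).

    dropped: optional plaintext rules whose secure sibling is present.
    flagged: optional plaintext rules with no secure sibling; kept because the
             NE may not support the secure protocol, but listed for review.
    """
    kept, dropped, flagged = [], [], []
    for r in rules:
        if r.optional and (r.app.upper(), r.dport) in SECURE_COUNTERPART:
            if secure_sibling(r, rules) is not None:
                dropped.append(r)
                continue
            flagged.append(r)
        kept.append(r)
    return kept, dropped, flagged


def to_iptables(rule: Rule) -> str:
    """Render one row as an outbound iptables rule on the source host.

    Only NEW connections are matched; established/related traffic is assumed
    to be accepted by a preceding conntrack rule, as on a stateful firewall.
    """
    return (
        f"iptables -A OUTPUT -p {rule.proto.lower()} "
        f"-s {ADDR[rule.src]} -d {ADDR[rule.dst]} --dport {rule.dport} "
        f"-m conntrack --ctstate NEW -j ACCEPT  # {rule.app}: {rule.note}"
    )


def render(rules: List[Rule]) -> List[str]:
    """iptables lines for the pruned set, plus a REVIEW marker per flagged rule."""
    kept, _dropped, flagged = prune_plaintext(rules)
    lines = [to_iptables(r) for r in kept]
    for r in flagged:
        lines.append(f"# REVIEW: plaintext {r.app} to {r.dst}:{r.dport} kept, no secure counterpart configured")
    return lines


if __name__ == "__main__":
    print("\n".join(render(RULES)))
```

With the constructed rows, the HLR Telnet and WBTS HTTP rules are dropped because their SSH and HTTPS siblings exist, the MSC Telnet rule is kept but reported because the Node Manager table offers no SSH row for MSC, and the IKE rule passes through untouched.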
27.2.21 Firewall rules for VMs that host Q3


Source | Source Port | Destination | Dest. Port | Application Layer | Transport Layer | Service Object | Description

Q3 | ephemeral | BSC | ephemeral | FTP | TCP | ftp-data | Used for the FTP data connection in FTP passive mode. Note: this firewall rule is not required if the respective secure protocol is used.
Q3 | ephemeral | BSC | 22 | SSH/SFTP | TCP | ssh | Used to log in to the BSC and execute commands via a secure protocol.
Q3 | ephemeral | BSC | 21 | FTP | TCP | ftp | Used by the FTP daemon to initiate and control connections to FTP servers. Note: this firewall rule is not required if the respective secure protocol is used.
BSC | 20 | Q3 | ephemeral | FTP | TCP | ftp-data | Used for the FTP data connection in FTP active mode. Note: this firewall rule is not required if the respective secure protocol is used.
BSC | ephemeral | Q3 | 22 | SFTP | TCP | sftp | Used by CM change event notification.
Q3 | ephemeral | Open MSS Cloud | 21 | FTP | TCP | ftp | Used by the FTP (File Transfer Protocol) daemon to initiate and control connections to FTP servers. Note: Q3 supports SFTP since NetAct 15.5; this firewall rule is not required if the respective secure protocol is used.
Q3 | ephemeral | Open MSS Cloud | 22 | SSH/SFTP | TCP | ssh | Port used to log in to a remote machine and execute commands; also the SFTP data connection.
Q3 | ephemeral | Open MSS Cloud | 23 | TELNET | TCP | telnet | Used to establish a connection to TCP port 23, where a Telnet server application (telnetd) is listening. Note: open this port only if you want to use Telnet instead of SSH.
Q3 | 20 | BSC | ephemeral | FTP | TCP | ftp-data | Used for the FTP data connection in FTP active mode. Note: some older BSC versions do not support SFTP.
BSC | ephemeral | Q3 | ephemeral | FTP | TCP | ftp-data | Used for the FTP data connection in FTP passive mode. Note: some older BSC versions do not support SFTP.
Q3 | ephemeral | DXT | 21 | FTP | TCP | ftp | FTP daemon. Note: this firewall rule is not required if the respective secure protocol is used.


DXT | 20 | Q3 | ephemeral | FTP | TCP | ftp | FTP daemon. Note: this firewall rule is not required if the respective secure protocol is used.
Q3 | ephemeral | DXT | 22 | SSH/SFTP | TCP | ssh | SSH/SFTP daemon.
Q3 | ephemeral | DXT | 23 | TELNET | TCP | telnet | Telnet daemon. Note: this firewall rule is not required if the respective secure protocol is used.
Q3 | ephemeral | DXT | 102 | Q3 OSI | TCP | tsap | Q3 OSI stack, X.400 protocol.
DXT | ephemeral | Q3 | 102 | Q3 OSI | TCP | tsap | Q3 OSI stack, X.400 protocol.
Q3 | ephemeral | MSC | 21 | FTP | TCP | ftp | Used by the FTP (File Transfer Protocol) daemon to initiate and control connections to FTP servers. Note: Q3 supports SFTP since NetAct 15.5; this firewall rule is not required if the respective secure protocol is used.
Q3 | ephemeral | HLR | 21 | FTP | TCP | ftp | Used by the FTP (File Transfer Protocol) daemon to initiate and control connections to FTP servers. Note: Q3 supports SFTP since NetAct 15.5; this firewall rule is not required if the respective secure protocol is used.
Q3 | ephemeral | CDS | 21 | FTP | TCP | ftp | Used by the FTP (File Transfer Protocol) daemon to initiate and control connections to FTP servers. Note: Q3 supports SFTP since NetAct 15.5; this firewall rule is not required if the respective secure protocol is used.
Q3 | ephemeral | Open TAS | 22 | SSH | TCP | ssh | Log in to a remote machine and execute commands. Q3 supports SFTP since NetAct 15.5.
Q3 | ephemeral | Open TAS | 23 | TELNET | TCP | telnet | Establish a connection to TCP port 23, where a Telnet server application (telnetd) is listening. Open this port only if you want to use Telnet instead of SSH.
Q3 | ephemeral | Open TAS Cloud | 22 | SSH | TCP | ssh | Log in to a remote machine and execute commands. Q3 supports SFTP since NetAct 15.5.
Q3 | ephemeral | Open TAS Cloud | 23 | TELNET | TCP | telnet | Establish a connection to TCP port 23, where a Telnet server application (telnetd) is listening. Open this port only if you want to use Telnet instead of SSH.

Q3 | ephemeral | BSC | 102 | Q3 OSI | TCP | tsap | Used for the Q3 OSI stack and X.400 protocol.
Q3 | ephemeral | MSC | 22 | SSH/SFTP | TCP | ssh | Port used to log in to a remote machine and execute commands; also the SFTP data connection.
Q3 | ephemeral | HLR | 22 | SSH/SFTP | TCP | ssh | Port used to log in to a remote machine and execute commands; also the SFTP data connection.
Q3 | ephemeral | IPA-RNC | 22 | SSH/SFTP | TCP | ssh | Port used to log in to a remote machine and execute commands; also the SFTP data connection. Q3 supports SFTP since NetAct 15.5.
Q3 | ephemeral | CDS | 22 | SSH/SFTP | TCP | ssh | Port used to log in to a remote machine and execute commands; also the SFTP data connection. Q3 supports SFTP since NetAct 15.5.
Q3 | ephemeral | BSC | 23 | TELNET | TCP | telnet | Used to establish a connection to TCP port 23, where a Telnet server application is listening. Note: this firewall rule is not required if the respective secure protocol is used.
Q3 | ephemeral | MSC | 23 | TELNET | TCP | telnet | Used to establish a connection to TCP port 23, where a Telnet server application (telnetd) is listening. Note: open this port only if you want to use Telnet instead of SSH.
Q3 | ephemeral | HLR | 23 | TELNET | TCP | telnet | Used to establish a connection to TCP port 23, where a Telnet server application (telnetd) is listening. Note: open this port only if you want to use Telnet instead of SSH.
Q3 | ephemeral | IPA-RNC | 23 | TELNET | TCP | telnet | Used to establish a connection to TCP port 23, where a Telnet server application (telnetd) is listening. Optional: this firewall rule is not required if the respective secure protocol is used.
Q3 | ephemeral | CDS | 23 | TELNET | TCP | telnet | Used to establish a connection to TCP port 23, where a Telnet server application (telnetd) is listening. Note: open this port only if you want to use Telnet instead of SSH.
BSC | ephemeral | Q3 | 21 | FTP | TCP | ftp | Used by CM change event notification.
Q3 | ephemeral | Flexi NS | 21 | FTP | TCP | ftp | Used by Flexi NS License Management. Note: Q3 supports SFTP since NetAct 15.5; this firewall rule is not required if the respective secure protocol is used.
Q3 | ephemeral | Flexi NS | ephemeral | FTP | TCP | ftp-data | FTP data connection in FTP passive mode. Note: Q3 supports SFTP since NetAct 15.5; this firewall rule is not required if the respective secure protocol is used.
Q3 | ephemeral | Flexi NS | 22 | SSH/SFTP | TCP | ssh | SSH terminal connection for MML commands; also the SFTP data connection. Q3 supports SFTP since NetAct 15.5.
Q3 | ephemeral | Flexi NS | 23 | TELNET | TCP | telnet | Telnet terminal connection for MML commands. Note: this firewall rule is not required if the respective secure protocol is used.
BSC | ephemeral | Q3 | 102 | Q3 OSI | TCP | tsap | Used for the Q3 OSI stack and X.400 protocol.

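The Q3 table needs three FTP rows per network element (control on port 21, an active-mode data rule from the NE's port 20 to an ephemeral Q3 port, and a passive-mode data rule to an ephemeral port on the NE) but only one SFTP row. The Python example below is added here and is not part of the Nokia document: it derives those flows from the FTP mode so that the direction of each data connection, and therefore which side's firewall must accept an inbound SYN, is explicit. Host names are labels only; nothing in it touches the network.

```python
"""Derive the firewall flows an FTP or SFTP transfer needs.

Added example, not part of the Nokia document. Shows why the Q3 table carries
both "BSC 20 -> Q3 ephemeral" (active mode: the server opens the data
connection back to the client) and "Q3 ephemeral -> BSC ephemeral" (passive
mode: the client opens the data connection) next to the port-21 control rule.
"""
from dataclasses import dataclass
from typing import List

EPHEMERAL = "ephemeral"


@dataclass(frozen=True)
class Flow:
    initiator: str   # side that sends the TCP SYN
    sport: str
    responder: str   # side whose firewall must accept the inbound SYN
    dport: str
    purpose: str


def ftp_flows(client: str, server: str, passive: bool) -> List[Flow]:
    """Control channel plus the data channel for the chosen FTP mode."""
    flows = [Flow(client, EPHEMERAL, server, "21", "control")]
    if passive:
        # PASV: the server announces an ephemeral port and the client connects to it.
        flows.append(Flow(client, EPHEMERAL, server, EPHEMERAL, "data (passive)"))
    else:
        # PORT: the client announces an ephemeral port and the server connects from 20.
        flows.append(Flow(server, "20", client, EPHEMERAL, "data (active)"))
    return flows


def sftp_flows(client: str, server: str) -> List[Flow]:
    """SFTP multiplexes control and data over a single SSH connection."""
    return [Flow(client, EPHEMERAL, server, "22", "control+data over SSH")]


def inbound_to(host: str, flows: List[Flow]) -> List[Flow]:
    """Flows that require an inbound allow on `host`'s own firewall."""
    return [f for f in flows if f.responder == host]


def rule_lines(flows: List[Flow]) -> List[str]:
    """Render flows in the Source | Source Port | Destination | Dest. Port form of the table."""
    return [f"{f.initiator} | {f.sport} | {f.responder} | {f.dport} | {f.purpose}" for f in flows]


if __name__ == "__main__":
    for passive in (False, True):
        print("passive" if passive else "active")
        print("\n".join(rule_lines(ftp_flows("Q3", "BSC", passive=passive))))
    print("sftp")
    print("\n".join(rule_lines(sftp_flows("Q3", "BSC"))))
```

In active mode the BSC initiates a connection to the Q3 VM, so the Q3 side must accept an inbound SYN from BSC port 20 to its whole ephemeral range. A stateful firewall with the FTP connection-tracking helper can narrow that to the single negotiated port, but only while the control channel is plaintext, because the helper cannot read PORT and PASV inside an encrypted session. SFTP collapses everything to one outbound connection to port 22, which is why the table marks the FTP rows optional wherever the NE supports the secure protocol.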
27.2.22 Firewall rules for VMs that host Self Monitoring (Self Mon) and/or Hewlett-Packard Enterprise Systems Insight Manager (HPE SIM)

Source | Source Port | Destination | Dest. Port | Application Layer | Transport Layer | Service Object | Description
HPE OA | ephemeral | SelfMon and HPE SIM | 1162 | HTTP | UDP | UDP-1162 | Web server for HPE SIM; web agent auto-start port.
HPE OA | ephemeral | SelfMon and HPE SIM | 1001 | HTTP | TCP | TCP-1001 | Web server for HPE SIM; web agent auto-start port.
HPE OA | ephemeral | SelfMon and HPE SIM | 697 | HTTP | TCP | TCP-697 | Web server for HPE SIM; web agent auto-start port.
HPE OA | ephemeral | SelfMon and HPE SIM | 280 | HTTP | TCP | TCP-280 | Web server for HPE SIM; web agent auto-start port.
User Workstation Apps | ephemeral | SelfMon and HPE SIM | 50004 | HTTPS | TCP | TCP-50004 | WBEM event receiver (configurable 7).
User Workstation Apps | ephemeral | SelfMon and HPE SIM | 50002 | HTTPS | TCP | TCP-50002 | Optional: HPE SIM SOAP with client certificate authentication.
User Workstation Apps | ephemeral | SelfMon and HPE SIM | 50001 | HTTPS | TCP | TCP-50001 | Optional: HPE SIM SOAP.
HPE OA | ephemeral | SelfMon and HPE SIM | 2367 | HTTP | TCP | TCP-2367 | HPE SIM RMI connection.
User Workstation Apps | ephemeral | SelfMon and HPE SIM | 50000 | HTTPS | TCP | TCP-50000 | Used to launch the HPE SIM start page.
HPE iLO | ephemeral | SelfMon and HPE SIM | 162 | SNMP | TCP | snmp-trap-listener | Used to send traps for alarms.
SelfMon and HPE SIM | ephemeral | vCSA | 443 | HTTPS | TCP | vcenter-selfmon | vCSA endpoint, used to get alarms and PM data.
SelfMon and HPE SIM | ephemeral | vCSA | 443 | HTTPS | TCP | cpfvmanager | The vCSA endpoint. Valid only in NetAct VMware deliveries; in NetAct Cloud VMware this is an optional feature.
ESXi | ephemeral | SelfMon and HPE SIM | 162 | SNMP | UDP | snmp-trap-listener | Used to send traps for alarms.
HPE OA | ephemeral | SelfMon and HPE SIM | 162 | SNMP | TCP | TCP-162 | Used to send traps for alarms.
VNX Storage Unisphere Management | ephemeral | SelfMon and HPE SIM | 162 | SNMP | TCP | TCP-162 | Used to send traps for alarms.
VNX Storage Unisphere Management | ephemeral | SelfMon and HPE SIM | 50162 | SNMP | TCP | TCP-50162 | Used to send traps for alarms.
HPE Brocade SAN Switch | ephemeral | SelfMon and HPE SIM | 162 | SNMP | TCP | TCP-162 | Used to send traps for alarms.
HPE Virtual Connect Manager | ephemeral | SelfMon and HPE SIM | 162 | SNMP | TCP | TCP-162 | Used to send traps for alarms.
HPE MSA Storage Management | ephemeral | SelfMon and HPE SIM | 162 | SNMP | TCP | TCP-162 | Used to send traps for alarms.
HPE 3PAR Management Console | ephemeral | SelfMon and HPE SIM | 162 | SNMP | TCP | TCP-162 | Used to send traps for alarms.
HPE Switch | ephemeral | SelfMon and HPE SIM | 162 | SNMP | TCP | TCP-162 | Used to send traps for alarms.
HPE Virtual Connect Manager | ephemeral | SelfMon and HPE SIM | 50162 | SNMP | TCP | TCP-50162 | Used to send traps for alarms.
HPE MSA Storage Management | ephemeral | SelfMon and HPE SIM | 50162 | SNMP | TCP | TCP-50162 | Used to send traps for alarms.
HPE 3PAR Management Console | ephemeral | SelfMon and HPE SIM | 50162 | SNMP | TCP | TCP-50162 | Used to send traps for alarms.
HPE Switch | ephemeral | SelfMon and HPE SIM | 50162 | SNMP | TCP | TCP-50162 | Used to send traps for alarms.
Unity Storage Management | ephemeral | SelfMon and HPE SIM | 162 | SNMP | TCP | snmp-trap-listener | Used to send traps for alarms.

27.2.23 Firewall rules for VMs that host the Security Log NBI (SLNBI)

Source | Source Port | Destination | Dest. Port | Application Layer | Transport Layer | Service Object | Description
SLNBI | ephemeral | Security Log Higher Level System | 514 | RSYSLOG | TCP | TCP-514 | Security log forwarding: the higher-level system receives syslog messages from SLNBI in a secure way.
SLNBI | ephemeral | Security Log Higher Level System | 555 | RSYSLOG | TCP | tcp-555 | Security log forwarding: the higher-level system receives syslog messages from SLNBI in a secure way.
SLNBI | ephemeral | Security Log Higher Level System | 556 | RSYSLOG | TCP | tcp-556 | Security log forwarding: the higher-level system receives syslog messages from SLNBI in a secure way.
SLNBI | ephemeral | Security Log Higher Level System | 557 | RSYSLOG | TCP | tcp-557 | Security log forwarding: the higher-level system receives syslog messages from SLNBI in a secure way.
SLNBI | ephemeral | Security Log Higher Level System | 558 | RSYSLOG | TCP | tcp-558 | Security log forwarding: the higher-level system receives syslog messages from SLNBI in a secure way.
SLNBI | ephemeral | Security Log Higher Level System | 559 | RSYSLOG | TCP | tcp-559 | Security log forwarding: the higher-level system receives syslog messages from SLNBI in a secure way.

27.2.24 Firewall rules for Thresholder and Profiler

Source | Source Port | Destination | Dest. Port | Application Layer | Transport Layer | Service Object | Description
TP_SERVER | ephemeral | Email Server | 25 | SMTP | TCP | sqm-spg-email-plugin | Used to deliver T&P alarm content through email. Optional: this firewall rule is not necessary if a secure SMTP mail server is available; see port 465.
TP_SERVER | ephemeral | Email Server | 465 | SMTPS | TCP | smtps | Used to deliver T&P alarm content through email. Optional: this firewall rule is not necessary if no secure SMTP server is available.

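The two rows above offer SMTP on port 25 and SMTPS on port 465 as alternatives. The Python example below is added here and is not part of the Nokia document: it shows what choosing port 465 should mean on the sending side, namely implicit TLS from the first byte with certificate and host-name verification and a TLS 1.2 floor, so that the alarm e-mail cannot fall back to the plaintext exchange that port 25 allows. The mail host name, the addresses and the CA bundle handling are assumptions.

```python
"""Deliver T&P alarm e-mail over SMTPS (port 465) with a verified TLS session.

Added example, not part of the Nokia document. Host name, addresses and CA
bundle handling are assumptions for illustration.
"""
import smtplib
import ssl
from email.message import EmailMessage
from typing import Dict, Optional

MAIL_HOST = "mail.example.invalid"   # assumed; replace with the real relay
SMTPS_PORT = 465
CA_BUNDLE: Optional[str] = None      # None = system trust store; set a path for a private CA


def smtps_context(ca_bundle: Optional[str] = None) -> ssl.SSLContext:
    """TLS context that refuses unverified servers and pre-1.2 protocol versions."""
    ctx = ssl.create_default_context(cafile=ca_bundle)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True               # the certificate must match MAIL_HOST
    ctx.verify_mode = ssl.CERT_REQUIRED     # no certificate, no session
    return ctx


def context_summary(ctx: ssl.SSLContext) -> Dict[str, object]:
    """Plain-value view of the settings a reviewer would check."""
    return {
        "verify_mode": ctx.verify_mode.name,
        "check_hostname": ctx.check_hostname,
        "min_version": ctx.minimum_version.name,
    }


def build_alarm_mail(sender: str, recipient: str, alarm_text: str) -> EmailMessage:
    """Compose the alarm notification as a plain-text message."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = recipient
    msg["Subject"] = "T&P threshold alarm"
    msg.set_content(alarm_text)
    return msg


def send_alarm(msg: EmailMessage, host: str = MAIL_HOST, port: int = SMTPS_PORT) -> None:
    """Implicit TLS from the first byte: there is no plaintext phase as with port 25 and STARTTLS."""
    with smtplib.SMTP_SSL(host, port, context=smtps_context(CA_BUNDLE), timeout=10) as smtp:
        smtp.send_message(msg)


if __name__ == "__main__":
    print(context_summary(smtps_context()))
```

If the relay uses a certificate from a private CA, point CA_BUNDLE at that CA's bundle rather than disabling verification; a context with CERT_NONE on port 465 gives no more protection against an on-path relay than port 25 does.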
27.2.25 Firewall rules for VMs that host vCSA

Source | Source Port | Destination | Dest. Port | Application Layer | Transport Layer | Service Object | Description
User Workstation Mgmt | ephemeral | vCSA | 443 | HTTPS | TCP | https | Port on which the vCenter Server system listens for connections from the vSphere Client; client to vCenter Server connection.
User Workstation Mgmt | ephemeral | vCSA | 9090 | HTTP | TCP | zeus-admin | vSphere Client Server HTTP connection. Optional: this firewall rule is not required if the respective secure protocol is used (9443).
User Workstation Mgmt | ephemeral | vCSA | 9443 | HTTPS | TCP | tungsten-https | vSphere Client access.
User Workstation Apps | ephemeral | vCSA | 5480 | HTTPS | TCP | vami-lighttpd | Appliance Management Interface. Open endpoint serving all HTTPS, XML-RPC and JSON-RPC requests over HTTPS.
User Workstation Apps | ephemeral | vCSA | 443 | HTTPS | TCP | HTTPS | The default port on which the vCenter Server system listens for connections from the vSphere Client. To enable the vCenter Server system to receive data from the vSphere Client, open port 443 in the firewall.
User Workstation Apps | ephemeral | vCSA | 80 | HTTP | TCP | http | vCenter Server requires port 80 for direct HTTP connections. Port 80 redirects requests to HTTPS port 443; this redirection is useful if you accidentally use http://server instead of https://server.
User Workstation Mgmt | na | vCSA | na | na | ICMP | na | Connectivity check / troubleshooting (optional): Echo Request (8) / Echo Reply (0).
User Workstation Mgmt | ephemeral | vCSA | 902 | HTTPS | TCP | TCP-10443 | (UDP) Status update (heartbeat) connection.
ESXi | ephemeral | vCSA | 514 | Syslog | TCP/UDP | TCP-514 | Remote syslog logging.
ESXi | ephemeral | vCSA | 1514 | Syslog over TLS | TCP | TCP-1514 | Remote syslog logging (SSL).
ESXi | ephemeral | vCSA | 68 | DHCP | UDP | UDP-68 | Communication with the DHCP client on ESXi.
User Workstation Mgmt | ephemeral | vCSA | 22 | SSH | TCP | ssh | SSH server port, used to log in to a remote machine and execute commands.
User Workstation Mgmt | ephemeral | vCSA | 80 | HTTP | TCP | http | vCenter Server requires port 80 for direct HTTP connections. Optional: this firewall rule is not required if the respective secure protocol is used (443).
ESXi | ephemeral | vCSA | 902 | HTTPS | TC P/UDP | ideafarm-door | (UDP) Status update (heartbeat) connection from ESXi to vCenter Server.
ESXi | ephemeral | vCSA | 8000 | HTTP | TCP | TCP-8000 | Network coredump web port.
User Workstation Mgmt | ephemeral | vCSA | 8443 | HTTPS | TCP | https | Web Services HTTPS. Used for the VMware VirtualCenter Management Web Services.
User Workstation Mgmt | ephemeral | vCSA | 5480 | HTTPS | TCP | vami-lighttpd | Only applicable to the vCenter Server Virtual Appliance; used for accessing the VAMI page of the vCenter Server Appliance over HTTPS.
User Workstation Mgmt | ephemeral | vCSA | 8080 | HTTP | TCP | http-proxy | Web Services HTTP. Used for the VMware VirtualCenter Management Web Services. Optional: this firewall rule is not required if the respective secure protocol is used (8443).
ESXi | ephemeral | vCSA | 5988 | HTTP | TCP | TCP-5988 | CIM transactions over HTTP.
ESXi | ephemeral | vCSA | 5989 | HTTPS | TCP | wbem-https | CIM XML transactions over HTTPS.
ESXi | ephemeral | vCSA | 6500 | na | UDP | UDP-6500 | Network coredump server.
ESXi | ephemeral | vCSA | 8001 | na | TCP | TCP-8001 | Network syslog server.
User Workstation Mgmt | ephemeral | vCSA | 10080 | HTTP | TCP | TCP-10080 | vCenter Inventory Service HTTP. Optional: this firewall rule is not required if the respective secure protocol is used (10443).
User Workstation Mgmt | ephemeral | vCSA | 12443 | HTTPS | TCP | TCP-12443 | Port used for accessing the logs.

27.2.26 Firewall rules for VMs that host WebSphere

Source | Source Port | Destination | Dest. Port | Application Layer | Transport Layer | Service Object | Description
intgwas | ephemeral | Flexi NS | 22 | SFTP | TCP | SFTP | Auto-integration for Flexi NS.
cmwas | ephemeral | HSSFE | 22 | SSH | TCP | ssh | SSH terminal connection for HSS FE for Ulticom. Applicable release: 18.5 onwards.
cmwas | ephemeral | HSSFE | 8080 | HTTP/SOAP | TCP | tcp-8080 | AOM & CM SB outgoing request integration for HSSFE. Applicable to HSSFE 18.5 onwards, HSSFE 18.5C onwards and HSSFE 18.5VI onwards. Optional: this firewall rule is not required if the respective secure protocol is used (port 8443).
cmwas | ephemeral | HSSFE | 8443 | HTTPS/SOAP | TCP | tcp-8443 | CM SB outgoing request integration for HSS FE supporting TLS. Applicable to HSSFE 18.5 onwards, HSSFE 18.5C onwards and HSSFE 18.5VI onwards.
cmwas | ephemeral | HSSFE | 22 | SSH | TCP | ssh | HSSFE CLI integration; SSH terminal connection for HSS FE. Applicable to HSSFE 18.5 onwards, HSSFE 18.5C onwards and HSSFE 18.5VI onwards.


fmwas | ephemeral | HSSFE | 22 | SSH | TCP | ssh | HSSFE CLI integration; SSH terminal connection for HSS FE. Applicable to HSSFE 18.5 onwards, HSSFE 18.5C onwards and HSSFE 18.5VI onwards.
syswas | ephemeral | HSSFE | 8080 | HTTP/SOAP | TCP | tcp-8080 | Element Manager launch SSO (single sign-on) support for HSSFE. Applicable to HSSFE 18.5 onwards, HSSFE 18.5C onwards and HSSFE 18.5VI onwards. Optional: this firewall rule is not required if the respective secure protocol is used (port 8443).
syswas | ephemeral | HSSFE | 8443 | HTTPS/SOAP | TCP | tcp-8443 | Element Manager launch SSO (single sign-on) support for HSSFE. Applicable to HSSFE 18.5 onwards, HSSFE 18.5C onwards and HSSFE 18.5VI onwards.
fmwas | ephemeral | HSS | 22 | SSH | TCP | ssh | HSS VM CLI integration. Applicable to HSS 18.5VI onwards.
fmwas | ephemeral | FHGW | 22 | SSH | TCP | ssh | SSH terminal connection to FHGW.
cmwas | ephemeral | FHGW | 8080 | HTTP/SOAP | TCP | tcp-8080 | NE3S/WS communication from Configurator to FHGW. Optional: this firewall rule is not required if the respective secure protocol is used.
cmwas | ephemeral | FHGW | 8443 | HTTPS/SOAP | TCP | tcp-8443 | NE3S/WS communication from Configurator to FHGW.
fmwas | ephemeral | FHGW | 33434-33933 | na | UDP | udp-33434-33933 | Used for checking the connection between NetAct and FHGW with the traceroute command.
ne3sws_dynamicadaptation | ephemeral | CNNPC | 7655 | SFTP | TCP | sftp | Dynamic Adaptation for CNNPC through ZTS EnvoyLB or ZTS Istio.
fmwas | ephemeral | ECTRL | 22 | SSH | TCP | ssh | SSH launch to ECTRL.
fmwas | ephemeral | GLS Prov | 22 | SSH | TCP | ssh | SSH terminal connection for the GLS Provisioning Server.
cmwas | ephemeral | Open MGW | 8060 | HTTP/SOAP | TCP | tcp-8060 | CM SB outgoing request integration for Open MGW. Optional: this firewall rule is not required if the respective secure protocol is used.
cmwas | ephemeral | Open MGW | 8059 | HTTPS/SOAP | TCP | tcp-8059 | CM SB outgoing request integration for Open MGW.
fmwas | ephemeral | VNF | 22 | SSH | TCP | ssh | SSH shell from NetAct Monitor.
syswas | ephemeral | BNGLB | 8443 | HTTPS/SOAP | TCP | tcp-8443 | Element Manager launch SSO (single sign-on) support for BNGLB. Applicable to BNGLB 18.5C onwards.
syswas | ephemeral | BNGLB | 8080 | HTTP/SOAP | TCP | tcp-8080 | Element Manager launch SSO (single sign-on) support for BNGLB. Applicable to BNGLB 18.5C onwards. Optional: this firewall rule is not required if the respective secure protocol is used (port 8443).
fmwas | ephemeral | BNGLB | 22 | SSH | TCP | ssh | BNGLB CLI integration. Applicable to BNGLB 18.5C onwards. Note: this firewall rule is required for BNGLB node1 and node2.
cmwas | ephemeral | BNGLB | 8443 | HTTPS/SOAP | TCP | tcp-8443 | CM SB outgoing request integration for BNGLB supporting TLS. Applicable to BNGLB 18.5C onwards.
cmwas | ephemeral | BNGLB | 8080 | HTTP/SOAP | TCP | tcp-8080 | CM SB outgoing request integration for BNGLB. Applicable to BNGLB 18.5C onwards. Optional: this firewall rule is not required if the respective secure protocol is used (port 8443).

cmwas ephemeral BNGLB 8443 HTTPS/ TCP tcp-8443 CM SB outgoing request integration
SOAP for BNGLB supporting TLS. Applic-
able for below versions: BNGLB 18.
5C onwards.


syswas | ephemeral | IMSOAM | 10201-10350 | HTTP/SOAP | TCP | http-alt1 | Element Manager launch SSO (Single Sign-on) and AOM support for CSCF/CSCF_TD_Core/CSCF_L2TD VI; Map to CSCF/CSCF_TD_Core/CSCF_L2TD VI port 8080. Applicable for below versions: CSCF 18.5VI onwards.
syswas | ephemeral | IMSOAM | 8080 | HTTP/SOAP | TCP | http-ne3s-communication | Element Manager launch SSO (Single Sign-on) and AOM support for IMSOAM. Applicable for below versions: IMSOAM 18.5VI onwards.
syswas | ephemeral | IMSOAM | 10351-10500 | HTTPS/SOAP | TCP | tcp-8443 | Element Manager launch SSO (Single Sign-on) and AOM support for CSCF/CSCF_TD_Core/CSCF_L2TD VI; Map to CSCF/CSCF_TD_Core/CSCF_L2TD VI port 8443. Applicable for below versions: CSCF 18.5VI onwards.
fmwas | ephemeral | IMSOAM | 10501-10600 | SSH | TCP | ssh | CSCF/CSCF_TD_Core/CSCF_L2TD VI CLI integration; Map to CSCF/CSCF_TD_Core/CSCF_L2TD VI port 22. Applicable for below versions: CSCF 18.5VI onwards.
cmwas | ephemeral | IMSOAM | 8080 | HTTP/SOAP | TCP | http-ne3s-communication | AOM support for IMSOAM. Applicable for below versions: IMSOAM 18.5VI onwards. Optional: This firewall rule is not required if the respective secure protocol is used (port 8443).
cmwas | ephemeral | IMSOAM | 10351-10500 | HTTPS/SOAP | TCP | tcp-8443 | AOM support for CSCF/CSCF_TD_Core/CSCF_L2TD VI; Applicable for below versions: CSCF 18.5VI onwards.
cmwas | ephemeral | IMSOAM | 8443 | HTTPS/SOAP | TCP | tcp-8443 | CM SB outgoing request integration for IMSOAM supporting TLS. Applicable for below versions: IMSOAM 18.5VI onwards.
cmwas | ephemeral | IMSOAM | 10201-10350 | HTTP/SOAP | TCP | http-alt1 | AOM support for CSCF/CSCF_TD_Core/CSCF_L2TD VI; Map to CSCF/CSCF_TD_Core/CSCF_L2TD VI port 8080. Applicable for below versions: CSCF 18.5VI onwards.

syswas | ephemeral | IMSOAM | 8443 | HTTPS/SOAP | TCP | tcp-8443 | Element Manager launch SSO (Single Sign-on) support for IMSOAM. Applicable for below versions: IMSOAM 18.5VI onwards.
syswas | ephemeral | Repo Server | 8443 | HTTPS/SOAP | TCP | tcp-8443 | Element Manager launch SSO (Single Sign-on) support for REPOSERVER. Applicable for below versions: REPOSERVER 18.5VI onwards.
cmwas | ephemeral | Repo Server | 8080 | HTTP/SOAP | TCP | http-ne3s-communication | CM SB outgoing request integration for Repo Server. Optional: This firewall rule is not required if the respective secure protocol is used. Applicable for below versions: REPOSERVER 18.5VI onwards.
cmwas | ephemeral | Repo Server | 8443 | HTTPS/SOAP | TCP | tcp-8443 | CM SB outgoing request integration for REPOSERVER supporting TLS. Applicable for below versions: REPOSERVER 18.5VI onwards.
syswas | ephemeral | Repo Server | 8080 | HTTP/SOAP | TCP | http-ne3s-communication | Element Manager launch SSO (Single Sign-on). Applicable for below versions: REPOSERVER 18.5VI onwards.
fmwas | ephemeral | Repo Server | 22 | SSH | TCP | ssh | Repo Server CLI integration. Applicable for below versions: REPOSERVER 18.5VI onwards.
cmwas | ephemeral | TIAMS | 9090 | HTTP/SOAP | TCP | tcp-9090 | CM SB outgoing request integration for IMS HWM. Optional: This firewall rule is not required if the respective secure protocol is used.
fmwas | ephemeral | CSCF | 22 | SSH | TCP | ssh | CSCF CLI integration. Applicable for 18.5C version onwards
syswas | ephemeral | CSCF | 8443 | HTTPS/SOAP | TCP | tcp-8443 | Element Manager launch SSO (Single Sign-on) support for CSCF. Applicable for 18.5C version onwards
syswas | ephemeral | CSCF | 8080 | HTTP/SOAP | TCP | tcp-8080 | Element Manager launch SSO (Single Sign-on) support for CSCF. Optional: This firewall rule is not required if the respective secure protocol is used (port 8443). Applicable for 18.5C version onwards


syswas | ephemeral | CSCF-LB | 8080 | HTTP/SOAP | TCP | http-alt1 | Element Manager launch SSO (Single Sign-on) and AOM support for CSCF-LB. Applicable for 18.5VI version onwards
cmwas | ephemeral | CSCF-LB | 8080 | HTTPS/SOAP | TCP | http-ne3s-communication | CM SB outgoing request integration for CSCF-LB supporting TLS. Applicable for 18.5VI version onwards
fmwas | ephemeral | CSCF-LB | 22 | SSH | TCP | ssh | CSCF-LB CLI integration. Applicable for 18.5VI version onwards
syswas | ephemeral | CSCF-LB | 8443 | HTTPS/SOAP | TCP | tcp-8443 | Element Manager launch SSO (Single Sign-on) support for CSCF-LB. Applicable for 18.5VI version onwards
cmwas | ephemeral | CSCF-LB | 8443 | HTTPS/SOAP | TCP | tcp-8443 | CM SB outgoing request integration for CSCF-LB supporting TLS. Applicable for below versions: CSCF-LB 18.5VI onwards.
cmwas | ephemeral | CSCF | 8443 | HTTPS/SOAP | TCP | tcp-8443 | CM SB outgoing request integration for CSCF supporting TLS. Applicable for below versions: CSCF 18.5 onwards, CSCF 18.5C onwards.
cmwas | ephemeral | CSCF | 8080 | HTTP/SOAP | TCP | tcp-8080 | CM SB outgoing request integration for CSCF. Applicable for below versions: CSCF 18.5 onwards, CSCF 18.5C onwards. Optional: This firewall rule is not required if the respective secure protocol is used (port 8443).
cmwas | ephemeral | CSCF | 8443 | HTTPS/SOAP | TCP | tcp-8443 | CM SB outgoing request integration for CSCF supporting TLS. Applicable for below versions: CSCF 18.5, CSCF 18.5C onwards.
Socks | ephemeral | NCS Installation Server | 443 | HTTPS | TCP | https | NCS Manager Portal.
cmwas | ephemeral | MRBTS | 8443 | HTTPS/SOAP | TCP | tcp-8443 | NE3S/WS communication from Configurator to SBTS.
cmwas | ephemeral | MRBTS | 8080 | HTTP/SOAP | TCP | tcp-8080 | NE3S/WS communication from Configurator to MRBTS. Optional: This firewall rule is not required if the respective secure protocol is used.
fmwas | ephemeral | NRBTS | 33434-33933 | na | UDP | udp-33434-33933 | Used for checking the connection between NetAct and 5G BTS with traceroute command


fmwas | ephemeral | NetAct HW | 22 | SSH | TCP | SSH | SSH EM launch support. Applicable for below version: 1.0, 2.0HP
fmwas | ephemeral | MRF | 30095 | SSH | TCP | ssh | For SSH connection to RadiSys Containerized MRF
cmwas | ephemeral | MRF | 30095 | NETCONF | TCP | netconf-action | For Netconf Actions to RadiSys Containerized MRF
fmwas | ephemeral | NCS Installation Server | 22 | SSH | TCP | ssh | SSH session launch
Socks | ephemeral | ARC Avamar Node | 443 | HTTPS | TCP | https | ARC Web Application integration.
fmwas | ephemeral | ARC Management Node | 7722 | SSH | TCP | ssh | ARC SSH connection.
fmwas | ephemeral | CNAAA CBAM | 22 | SSH | TCP | ssh | SSH request for CBAM integration
fmwas | ephemeral | SPS-ME | 22 | SSH | TCP | ssh | SSH session launch
fmwas | ephemeral | NCC | 22 | SSH | TCP | ssh | SSH session launch to NCC. Not applicable to NCC CNF.
ne3sws_dynamicadaptation | ephemeral | CSBC | 7655 | SFTP | TCP | sftp | Dynamic Adaptation for CSBC through ZTS EnvoyLB or ZTS Istio
cmwas | ephemeral | CSBC | 2010-3000 | NETCONF | TCP | netconf-action | For NETCONF Action to ZTS EnvoyLB or ZTS Istio
cmwas | ephemeral | NTASCN | 2010-3000 | NETCONF | TCP | netconf-action | For NETCONF Action to ZTS EnvoyLB or ZTS Istio
ne3sws_dynamicadaptation | ephemeral | NTASCN | 7655 | SFTP | TCP | sftp | Dynamic Adaptation for NTASCN through ZTS EnvoyLB or ZTS Istio
cmwas | ephemeral | DP | 8059 | HTTPS/SOAP | TCP | tcp | NE3S/WS communication from Configurator to CBRS DP.
cmwas | ephemeral | DP | 8060 | HTTP/SOAP | TCP | tcp | NE3S/WS communication from Configurator to CBRS DP. Optional: this firewall rule is not required if the respective secure protocol is used
Socks | ephemeral | NCS Control Node | 8082 | HTTPS | TCP | https | NCS Portal integration.


ne3sws_dynamicadaptation | ephemeral | MicroCFX | 7655 | SFTP | TCP | sftp | Dynamic Adaptation for MicroCFX through ZTS EnvoyLB or ZTS Istio
cmwas | ephemeral | MicroCFX | 2010-3000 | NETCONF | TCP | netconf-action | For NETCONF Action to ZTS EnvoyLB or ZTS Istio
ne3sws_dynamicadaptation | ephemeral | Registers | 7655 | SFTP | TCP | sftp | Dynamic Adaptation for Register through ZTS EnvoyLB or ZTS Istio
cmwas | ephemeral | Registers | 2010-3000 | NETCONF | TCP | netconf-action | For NETCONF Action to ZTS EnvoyLB or ZTS Istio
ne3sws_dynamicadaptation | ephemeral | CNCSD | 7655 | SFTP | TCP | sftp | Dynamic Adaptation for CNCSD through ZTS EnvoyLB or ZTS Istio
cmwas | ephemeral | NEF | 2010-3000 | NETCONF | TCP | netconf-action | For NETCONF Action to ZTS EnvoyLB or ZTS Istio
ne3sws_dynamicadaptation | ephemeral | NEF | 7655 | SFTP | TCP | sftp | Dynamic Adaptation for NEF through ZTS EnvoyLB or ZTS Istio
ne3sws_dynamicadaptation | ephemeral | NREG | 7655 | SFTP | TCP | SFTP | Dynamic Adaptation for NREG through ZTS envoyLB or ZTS Istio
cmwas | ephemeral | NREG | 2010-3000 | NETCONF | TCP | netconf-action | For NETCONF Action to ZTS EnvoyLB or ZTS Istio
ne3sws_dynamicadaptation | ephemeral | ZTS | 7655 | SFTP | TCP | sftp | Dynamic Adaptation for ZTS through ZTS envoyLB or ZTS Istio
fmwas | ephemeral | SOAM BTS | 33434-33523 | na | UDP | udp-33434-33523 | Used for displaying the route and measuring transit delays of packets
fmwas | ephemeral | DCAP | 22 | SSH | TCP | ssh | Port is used for DCAP Load Balancer and DCAP Linux launch. This rule is only applicable to DCAP Load Balancer and DCAP18 FP3 Linux.
HPE OA | ephemeral | WebSphere | 50028 | HTTP | TCP | TCP-50028 | Used by HPE SIM RMI connection
HPE OA | ephemeral | WebSphere | 50015 | HTTP | TCP | tcp-50015 | Used by HPE SIM RMI connection
HPE OA | ephemeral | WebSphere | 50014 | HTTP | TCP | tcp-50014 | Used by HPE SIM RMI connection
HPE OA | ephemeral | WebSphere | 50013 | HTTP | TCP | tcp-50013 | Used by HPE SIM RMI connection
HPE OA | ephemeral | WebSphere | 4446 | HTTPS | TCP | TCP-4446 | Used by HPE SIM RMI connection


intgwas | ephemeral | HPE iLO Module | 161 | SNMP | UDP | snmp-get | For SNMP GET/GETBULK operations to HPE iLO 4 onwards Module for HPE blade and HPE Rack Mounted Server
fmwas | ephemeral | SPS-SM | 22 | SSH | TCP | ssh | SSH session launch. The same rule is also needed for the SPS Co-located environment.
cmwas | ephemeral | AUS | 2010-3000 | NETCONF | TCP | netconf-action | For NETCONF Action to ZTS EnvoyLB
fmwas | ephemeral | IMSOAM | 22 | SSH | TCP | ssh | IMS OAM Unit CLI integration. Applicable for below versions: IMSOAM 17.5VI onwards.
cmwas | ephemeral | TIAMS | 8080 | HTTP/SOAP | TCP | tcp-8080 | CM SB outgoing request integration for TIAMS. Optional: This firewall rule is not required if the respective secure protocol is used (port 8443)
cmwas | ephemeral | TIAMS | 8443 | HTTPS/SOAP | TCP | tcp-8443 | CM SB outgoing request integration for TIAMS supporting TLS.
fmwas | ephemeral | TIAMS | 22 | SSH | TCP | ssh | TIAMS CLI integration. Note: For HP TIAMS cluster, this firewall rule is required for TIAMS node1 and node2.
syswas | ephemeral | TIAMS | 8080 | HTTP/SOAP | TCP | tcp-8080 | Element Manager launch SSO (Single Sign-on) support for TIAMS. Optional: This firewall rule is not required if the respective secure protocol is used (port 8443)
syswas | ephemeral | TIAMS | 8443 | HTTPS/SOAP | TCP | tcp-8443 | Element Manager launch SSO (Single Sign-on) support for TIAMS.
cmwas | ephemeral | CSCF | 8080 | HTTP/SOAP | TCP | tcp-8080 | CM SB outgoing request integration for CSCF. Optional: This firewall rule is not required if the respective secure protocol is used (port 8443).
fmwas | ephemeral | NTHLR FE | 22 | SSH | TCP | ssh | SSH terminal connection and CLI integration for NTHLR FE. Applicable for all versions. This firewall rule is required for NTHLR FE Cloud.
cmwas | ephemeral | NTHLR FE | 8080 | HTTP/SOAP | TCP | tcp-8080 | CM SB outgoing request integration for NTHLR FE. Applicable for all versions. Optional: This firewall rule is not required if the respective secure protocol is used.


cmwas | ephemeral | NTHLR FE | 8443 | HTTPS/SOAP | TCP | tcp-8443 | CM SB outgoing request integration support for NTHLR FE with TLS. Applicable for all versions.
cmwas | ephemeral | NTHLR FE | 22 | SSH | TCP | ssh | SSH terminal connection and CLI integration for NTHLR FE. Applicable for all versions. This firewall rule is required for NTHLR FE Cloud.
cmwas | ephemeral | NTHLR FE | 8080 | HTTP/SOAP | TCP | tcp-8080 | CM SB outgoing request integration for NTHLR FE. Applicable for all versions. This firewall rule is required for NTHLR FE Cloud. Optional: This firewall rule is not required if the respective secure protocol is used.
syswas | ephemeral | NTHLR FE | 8080 | HTTP/SOAP | TCP | tcp-8080 | Element Manager launch SSO (Single Sign-on) support. Applicable for all versions. This firewall rule is required for NTHLR FE Cloud. Optional: This firewall rule is not required if the respective secure protocol is used.
cmwas | ephemeral | PDL Validation Service | 443, 8443 | WebService/HTTPS | TCP | https | REST API for accessing PDL Validation Service, used for Configurator pre-validate operation
ne3sws_dynamicadaptation | ephemeral | AUS | 7655 | SFTP | TCP | sftp | Dynamic Adaptation for AUS through ZTS EnvoyLB
cmwas | ephemeral | ASI | 6443 | HTTP/SOAP | TCP | tcp | NE3S/WS communication from Configurator to ASI.
ZTS | ephemeral | dmgr | 22 | SSH/SFTP | TCP | ssh/sftp | SSH connectivity between ZTS controller/edge node and NetAct dmgr node
cmwas | ephemeral | ASI | 6080 | HTTP/SOAP | TCP | tcp | NE3S/WS communication from Configurator to ASI. Optional: This firewall rule is not required if the respective secure protocol is used.
fmwas | ephemeral | ASI | 33434-33523 | ICMP | UDP | udp-33434-33523 | Used for displaying the route and measuring transit delays of packets
fmwas | na | SOAM BTS | na | na | ICMP | na | For checking the aliveness from NetAct to SBTS with ping command.
fmwas | ephemeral | DP | 22 | SSH | TCP | SSH | Used to remote access NOKIA CBRS DP via SSH session
fmwas | na | Single RAN BTS | na | na | ICMP | na | For checking the aliveness from NetAct to SBTS with ping command.


WebSphere | na | ALL_NE | na | na | ICMP | na | Connectivity check: Echo Request (8) / Echo Reply (0). Check the respective NE Integration document whether a NE supports ICMP connectivity check
fmwas | ephemeral | One-AAA OAM Node | 22 | SSH | TCP | ssh | One-AAA OAM node SSH connection. Applicable for below versions: One-AAA 6 SP1, One-AAA 7, One-AAA 7 SP1, One-AAA 8, One-AAA 8 VI, One-AAA 8.1 VI, One-AAA 9.0, One-AAA 9.0 VI, One-AAA 10.0, One-AAA 10.0 VI
User Workstation | ephemeral | dmgr | 9060 | HTTP | TCP | TCP-9060 | Used by Administrative Console Apps Port. Optional: This firewall rule is not required if the respective secure protocol is used (9043)
User Workstation | ephemeral | dmgr | 9043 | HTTPS | TCP | TCP-9043 | Used by Administrative Console Apps Secure Port
cmwas | ephemeral | SMM | 22 | SSH | TCP | SSH | For SSH terminal connections to SMM
cmwas | ephemeral | Single RAN BTS | 8443 | HTTPS/SOAP | TCP | tcp-8443 | NE3S/WS communication from Configurator to SBTS.
cmwas | ephemeral | Single RAN BTS | 8080 | HTTP/SOAP | TCP | tcp-8080 | NE3S/WS communication from Configurator to SBTS. Optional: This firewall rule is not required if the respective secure protocol is used.
fmwas | ephemeral | Single RAN BTS | 33434-33463 | na | UDP | udp-33434-33463 | Used for checking the connection between NetAct and SBTS with traceroute command.
fmwas | ephemeral | RFC | 22 | SSH | TCP | ssh | For SSH access to RFC
syswas | ephemeral | Corporate Windows Domain Controller | 389 | LDAP | TCP/UDP | ldap | Connection to corporate Windows domain controller for getting authorization data
syswas | ephemeral | Corporate Windows Domain Controller | 636 | LDAP | TCP/UDP | ldaps | Connection to corporate Windows domain controller for getting authorization data
cmwas | ephemeral | Nokia Integrated SBC | 830 | NETCONF | TCP | netconf-action | For NetConf Action to ISBC
fmwas | ephemeral | GROUTER | 22 | SSH | TCP | ssh | SSH launch to GROUTER


fmwas | ephemeral | One-EIR System Monitor | 22 | SSH | TCP | ssh | One-EIR System Monitor SSH connection. Applicable for below versions: One-EIR 4.0 SP1, One-EIR 5.0, One-EIR 5 SP1, One-EIR 5.2, One-EIR 16, One-EIR 16.5, One-EIR Cloud 16.5, One-EIR 17, One-EIR Cloud 17, One-EIR 18 onwards, One-EIR Cloud 18 onwards.
fmwas | ephemeral | SNMPDEVICE | 22 | SSH | TCP | ssh | SSH terminal connection to SNMPDEVICE
fmwas | ephemeral | InfobloxDNS Passive Node | 22 | SSH | TCP | ssh | SSH Launch to InfobloxDNS Passive Node
intgwas | ephemeral | InfobloxDNS Passive Node | 22 | SSH | TCP | ssh | For SSH connections to InfobloxDNS Passive Node during NEIW integration. Applicable for below versions: 8 onwards
cmwas | ephemeral | NTAS Cloud | 8443 | HTTPS/SOAP | TCP | tcp-8443 | CM SB outgoing request integration for NTAS Cloud with TLS. Needed for AoM. Applicable NTAS17 SP1 onwards
cmwas | ephemeral | NTAS Cloud | 8080 | HTTP/SOAP | TCP | tcp-8080 | CM SB outgoing request integration for NTAS Cloud. Needed for AoM. Applicable NTAS17 SP1 onwards. Optional: This firewall rule is not required if the respective secure protocol is used
fmwas | ephemeral | NPO System | 22 | SSH | TCP | ssh | For launching SSH terminal from NetAct to NPO.
cmwas | ephemeral | PGW Operation Service | 2022 | NETCONF | TCP | netconf-action | For NetConf Action to PGW VNF Operation Service
fmwas | ephemeral | BIG IP | 22 | SSH | TCP | ssh | BIG IP SSH connection. Applicable for below versions: BIG IP 6400, BIG IP 6900, BIG IP TMOS version 10, BIG IP TMOS version 11, BIG IP TMOS version 13.
cmwas | ephemeral | NRBTS | 8080 | HTTP/SOAP | TCP | tcp-8080 | NE3S/WS communication from Configurator to 5G BTS. Optional: This firewall rule is not required if the respective secure protocol is used.
cmwas | ephemeral | NRBTS | 8443 | HTTPS/SOAP | TCP | tcp-8443 | NE3S/WS communication from Configurator to 5G BTS.


intgwas | ephemeral | InfobloxDNS GUI | 443 | HTTPS | TCP | https | For HTTPS connections to InfobloxDNS GUI during NEIW integration. Applicable for below versions: 8 onwards
intgwas | ephemeral | InfobloxDNS | 22 | SSH | TCP | ssh | For SSH connections to InfobloxDNS during NEIW integration. Applicable for below versions: 8 onwards
fmwas | ephemeral | EPPSM | 22 | SSH | TCP | ssh | SSH launch to EPPSM
intgwas | ephemeral | Nuage 210 WBX Switch | 22 | SSH | TCP | sshd | Used for SCLI connection to manage 210 WBX Nuage switch
cmwas | ephemeral | MRF | 830 | NETCONF | TCP | netconf-action | For Netconf Actions to RadiSys MRF
fmwas | ephemeral | CBND | 22 | SSH | TCP | ssh | SSH launch to CBND
fmwas | ephemeral | CDRPP | 22 | SSH | TCP | ssh | SSH launch to CDRPP/CDRPPGW
cmwas | ephemeral | Open MSS Cloud | ephemeral | FTP | TCP | ftp | File Transfer Protocol data channel under FTP Passive Mode. Optional: This firewall rule is not required if the respective secure protocol is used.
cmwas | ephemeral | HLR | ephemeral | FTP | TCP | ftp | File Transfer Protocol data channel under FTP Passive Mode
cmwas | ephemeral | Flexi NS | ephemeral | FTP | TCP | ftp-data | FTP-DATA channel under FTP Passive Mode will use this rule for FTP data transfer. Note: This firewall rule is not required if the respective secure protocol is used.
cmwas | ephemeral | CDS | ephemeral | FTP | TCP | ftp | File Transfer Protocol data channel under FTP Passive Mode
cmwas | ephemeral | MSC | ephemeral | FTP | TCP | ftp | File Transfer Protocol data channel under FTP Passive Mode. Optional: This firewall rule is not required if the respective secure protocol is used.
cmwas | ephemeral | Open TAS Cloud | ephemeral | FTP | TCP | ftp | FTP-DATA channel under FTP Passive Mode will use this rule for FTP data transfer. Note: This firewall rule is not required if the respective secure protocol is used.
fmwas | ephemeral | NPC | 22 | SSH | TCP | ssh | For launching SSH terminal from NetAct to NPC
fmwas | ephemeral | Nokia Integrated SBC | 22 | SSH | TCP | ssh | SSH terminal connection to Nokia Integrated SBC


fmwas | ephemeral | Nokia MRF | 22 | SSH | TCP | ssh | For launching SSH terminal from NetAct to Nokia MRF (Nokia MRF address: use MRFC MNGT IP address for Simplex mode, and use MRFC MNGT VIP address and MRFC MNGT physical IP addresses for both Duplex mode and High Availability mode)
fmwas | ephemeral | Nokia AAA | 9022 | SSH | TCP | ssh | SSH terminal connection to Nokia AAA policy server. This rule is not applicable to Nokia AAA Cloud Solution.
intgwas | ephemeral | NRBTS | 443 | HTTPS | TCP | HTTPS | Used to check 5G BTS instance ID when integrating 5G BTS via NEIW
itsmwas | ephemeral | GeoServer | 1024-49151 | HTTPS/SOAP | TCP | tcp-1024-49151 | RNC Collector management (default port is 8091)
cmwas | ephemeral | SDL Operation Service | 2022 | NETCONF | TCP | netconf-action | For NetConf Action to SDL Operation Service
intgwas | ephemeral | CBIS UC | 22 | SSH | TCP | sshd | For SSH connection to CBIS undercloud to list NDCS Servers information that is used for automatic integration. This does not apply for CBIS adaptation version 17 and 17.5.
cmwas | ephemeral | Open TAS Cloud | 23 | TELNET | TCP | telnet | For CM: TELNET terminal connection. Optional: This firewall rule is not required if the respective secure protocol is used
cmwas | ephemeral | Open TAS Cloud | 21 | FTP | TCP | ftp | For CM: FTP connection downloads files. NetAct uses FTP to get data from network element through this port. Optional: This firewall rule is not required if the respective secure protocol is used.
cmwas | ephemeral | Open TAS Cloud | 22 | SSH/SFTP | TCP | ssh | For CM: SSH terminal connection for Open TAS Cloud.
CBAM O&M Agent | ephemeral | intgwas | 22 | SSH/SFTP | TCP | ssh/sftp | Auto-integration for Open MSS Cloud via CBAM
cmwas | ephemeral | Nokia Decomposed SBC Media Plane | 161 | SNMP | UDP | udp | SNMP terminal connection for Nokia Decomposed SBC Media Plane


cmwas | ephemeral | Nokia Decomposed SBC Signaling Plane | 9650 | SSH | TCP | ssh | SSH terminal connection to Nokia Decomposed SBC Signaling Plane. This port is used while communicating with the CNFG IP of Nokia Decomposed SBC Signaling Plane
cmwas | ephemeral | Nokia Decomposed SBC Signaling Plane | 22 | SSH | TCP | ssh | SSH terminal connection to Nokia Decomposed SBC Signaling Plane
cmwas | ephemeral | Open TAS | 23 | TELNET | TCP | telnet | For CM: TELNET terminal connection. Optional: This firewall rule is not required if the respective secure protocol is used.
cmwas | ephemeral | Open TAS | 22 | SSH/SFTP | TCP | ssh | For CM: SSH terminal connection for Open TAS.
syswas | ephemeral | NTHLR FE | 8443 | HTTPS/SOAP | TCP | tcp-8443 | Element Manager launch SSO (Single Sign-on) with TLS. Applicable for all versions
intgwas | ephemeral | iNUM | 11261 | SNMP | UDP | snmp-ne3s-requests | For SNMP to iNUM 9.0/10.0
fmwas | ephemeral | DRA | 22 | SSH | TCP | ssh | DRA CLI integration. Applicable for below versions: DRA 9.1, DRA 10.1, DRA 11.0, DRA 15.5C onwards.
fmwas | ephemeral | MGMTVNFC | 22 | SSH | TCP | ssh | MGMTVNFC CLI integration. Applicable for below versions: MGMTVNFC 17.0VI onwards.
syswas | ephemeral | DRA | 8080 | HTTP/SOAP | TCP | tcp-8080 | Element Manager launch SSO (Single Sign-on) support for DRA. Applicable for below versions: DRA 9.1, DRA 10.1, DRA 11.0, DRA 15.5C onwards. Optional: This firewall rule is not required if the respective secure protocol is used (port 8443).
syswas | ephemeral | DRA | 8443 | HTTPS/SOAP | TCP | tcp-8443 | Element Manager launch SSO (Single Sign-on) support for DRA. Applicable for below versions: DRA 10.1, DRA 11.0, DRA 15.5C onwards.
intgwas | ephemeral | iNUM | 8443 | HTTPS | TCP | https-ui | For HTTPS connection to iNUM web interface
fmwas | ephemeral | MRF | 22 | SSH | TCP | ssh | For SSH connection to RadiSys MRF


intgwas | ephemeral | MRF | 161 | SNMP | UDP | snmp-get | For SNMP GET/GETBULK operations to MRF O&M
fmwas | ephemeral | NTHLRFE Install Server | 22 | SSH | TCP | ssh | ssh EM launch support
syswas | ephemeral | DRA-LB | 8080 | HTTP/SOAP | TCP | http-alt1 | Element Manager launch SSO (Single Sign-on) for DRA-LB. Applicable for below version: DRA-LB 15.5VI onwards.
fmwas | ephemeral | DRA-LB | 22 | SSH | TCP | ssh | DRA-LB CLI integration. Applicable for below version: DRA-LB 15.5VI onwards.
fmwas | ephemeral | CSCF MGMTVNFC | 22 | SSH | TCP | ssh | CLI integration for CSCF VNF with Management VNFC.
iNUM | 20 | intgwas | ephemeral | FTP | TCP | ftp-data | For FTP data connections to iNUM 9.0/10.0
fmwas | ephemeral | HSS MGMTVNFC | 22 | SSH | TCP | ssh | CLI integration for HSS VNF with Management VNFC.
intgwas | ephemeral | iNUM | 21 | FTP | TCP | ftp | For FTP command connections to iNUM 9.0/10.0. Note: SFTP is not supported
fmwas | ephemeral | CSCF MGMTVNFC | 10801-11100 | SSH | TCP | ssh | CLI integration for CSCF VNF with individual VMs.
fmwas | ephemeral | HSS MGMTVNFC | 10801-11100 | SSH | TCP | ssh | CLI integration for HSS VNF with individual VMs.
intgwas | ephemeral | iNUM | 22 | SSH | TCP | ssh | For SSH connections to iNUM
fmwas | ephemeral | PCC | 22 | SSH | TCP | ssh | SSH terminal connection and CLI integration for PCC. Applicable for all versions
syswas | ephemeral | PCC | 8443 | HTTPS/SOAP | TCP | tcp-8443 | Element Manager launch SSO (Single Sign-on) with TLS. Applicable for all versions
syswas | ephemeral | PCC | 8080 | HTTP/SOAP | TCP | tcp-8080 | Element Manager launch SSO (Single Sign-on) for PCC. Applicable for all versions. Optional: This firewall rule is not required if the respective secure protocol is used
intgwas | ephemeral | SWITCH | 22 | SSH | TCP | ssh | For SCLI connections to NDCS Switches.
intgwas | ephemeral | SERVER | 22 | SSH | TCP | ssh | For SSH connections to NDCS Servers.
intgwas | ephemeral | SMM | 22 | SSH | TCP | ssh | For SSH connections to SMM


intgwas | ephemeral | ENETNODE | 22 | SSH | TCP | ssh | For SSH operations to Eden-NET virtual machines.
intgwas | ephemeral | NCIR HA Proxy | 22 | SSH | TCP | ssh | For SSH connections to NCIR HA Proxy.
intgwas | ephemeral | NCIR HA Proxy | 161 | SNMP | UDP | snmp-get | For SNMP GET operations to NCIR HA Proxy during NEIW integration.
intgwas | ephemeral | Juniper | 22 | SSH | TCP | ssh | For SSH operations to Juniper
intgwas | ephemeral | Symmetricom TP5000 | 22 | SSH | TCP | ssh | For SSH operations to TP5000
intgwas | ephemeral | Cisco | 22 | SSH | TCP | ssh | For SSH operations to Cisco
intgwas | ephemeral | PKI | 22 | SSH | TCP | ssh | For SSH operations to PKI
intgwas | ephemeral | Symmetricom TP5000 | 161 | SNMP | UDP | snmp-trap-get | For SNMP SET/GET/walk operations to TP5000
intgwas | ephemeral | Cisco | 161 | SNMP | UDP | snmp-trap-get | For SNMP SET/GET/walk operations to Cisco
intgwas | ephemeral | PKI | 161 | SNMP | UDP | snmp-trap-get | For SNMP SET/GET/walk operations to PKI
fmwas | ephemeral | CWLC | 22 | SSH | TCP | ssh | Used to remote access CWLC via SSH session
OMS | ephemeral | cmwas | 446 | HTTPS | TCP | cm-lte-oms-provision | HTTPS port in WebSphere Application Server used for CM LTE -> OMS provisioning purpose.
intgwas | ephemeral | FPRB | 80 | HTTP | TCP | http | HTTP post to FPRB to configure SNMP trap destination IP.
cmwas | ephemeral | CWLC | 8060 | HTTP/SOAP | TCP | tcp-8060 | NE3S/WS communication from Configurator to CWLC. Optional: This firewall rule is not required if the respective secure protocol is used
cmwas | ephemeral | CWLC | 80 | HTTP/SOAP | TCP | tcp-80 | Notifications communication between Configurator and CWLC. Optional: This firewall rule is not required if the respective secure protocol is used
cmwas | ephemeral | CWLC | 448 | HTTPS/SOAP | TCP | tcp-448 | Notifications communication between Configurator and CWLC.
fmwas | ephemeral | FZCP | 22 | SSH | TCP | ssh | SCLI Session Launch

| fmwas | ephemeral | ATS | 161 | SNMP | UDP | snmp-get | For SNMP GET/WALK response from ATS during integration verification. |
| fmwas | ephemeral | EPD | 161 | SNMP | UDP | snmp-get | For SNMP GET/WALK response from EPD during integration verification. |
| fmwas | ephemeral | TVG | 161 | SNMP | UDP | snmp-get | For SNMP GET/WALK response from TVG during integration verification. |
| fmwas | ephemeral | CDD | 161 | NE3S SNMP | UDP | snmp-get | For SNMP GET/WALK response from CDD during integration verification. |
| fmwas | ephemeral | TCS | 161 | NE3S SNMP | UDP | snmp-get | For SNMP GET/WALK response from TCS during integration verification. |
| cmwas | ephemeral | Open BGW | 8060 | HTTP/SOAP | TCP | tcp-8060 | CM SB outgoing request integration for Open BGW. Applicable from OpenBGW16.5 onwards. Optional: This firewall rule is not required if the respective secure protocol is used. |
| cmwas | ephemeral | MSC | 23 | TELNET | TCP | telnet | For CM: TELNET terminal connection. Optional: This firewall rule is not required if the respective secure protocol is used. |
| cmwas | ephemeral | Open TAS | 21 | FTP | TCP | ftp | For CM: FTP connection to download files; NetAct uses FTP to get HW data from the network element through this port. Optional: This firewall rule is not required if the respective secure protocol is used. |
| cmwas | ephemeral | CDS | 23 | TELNET | TCP | telnet | For CM: TELNET terminal connection. Optional: This firewall rule is not required if the respective secure protocol is used. |
| cmwas | ephemeral | Open BGW | 8059 | HTTPS/SOAP | TCP | tcp-8059 | CM SB outgoing request integration for OpenBGW. Applicable from OpenBGW16.5 onwards. |
| cmwas | ephemeral | MSC | 21 | FTP | TCP | ftp | For CM: FTP connection to download files. Optional: This firewall rule is not required if the respective secure protocol is used. |
| cmwas | ephemeral | NTAS Cloud | 830 | NETCONF | TCP | netconf-action | For NETCONF action to NTAS Cloud. |
| cmwas | ephemeral | Open MGW | 22 | SSH | TCP | ssh | For CM: SSH terminal connection for Open MGW. |
| cmwas | ephemeral | MSC | 22 | SSH/SFTP | TCP | ssh/sftp | For CM: SSH terminal connection for MSC. |
| fmwas | ephemeral | DXT | 23 | TELNET | TCP | telnet | Used for DXT integration and TELNET terminal connection. Note: This firewall rule is not required if the respective secure protocol is used. |
| cmwas | ephemeral | CDS | 22 | SSH/SFTP | TCP | ssh | Core CM: for CM SB communication. |
| cmwas | ephemeral | DXT | 23 | TELNET | TCP | telnet | Used for DXT integration and TELNET terminal connection. Note: This firewall rule is not required if the respective secure protocol is used. |
| cmwas | ephemeral | DXT | 22 | SSH | TCP | ssh | Used for DXT integration and the SSH/SFTP daemon. |
| cmwas | ephemeral | DXT | 22 | SSH/SFTP | TCP | ssh | Used for DXT integration and the SSH/SFTP daemon. |
| fmwas | ephemeral | DXT | 22 | SSH | TCP | ssh | Used for DXT integration and the SSH/SFTP daemon. |
| fmwas | ephemeral | DXT | 22 | SSH/SFTP | TCP | ssh | Used for DXT integration and the SSH/SFTP daemon. |
| fmwas | ephemeral | CDD | 22 | SSH | TCP | ssh | SSH terminal connection. |
| fmwas | ephemeral | ATS | 22 | SSH | TCP | ssh | SSH terminal connection. |
| fmwas | ephemeral | EPD | 22 | SSH | TCP | ssh | SSH terminal connection. |
| fmwas | ephemeral | TACTILON | 161 | SNMP | UDP | snmp-get | For SNMP SET/GET/walk operations to TACTILON. |
| fmwas | ephemeral | TACTILON | 22 | SSH | TCP | ssh | SSH terminal connection. |
| fmwas | ephemeral | TVG | 22 | SSH | TCP | ssh | SSH terminal connection. |
| cmwas | ephemeral | Flexi NS | 23 | TELNET | TCP | telnet | TELNET terminal connection. Optional: This firewall rule is not required if the respective secure protocol is used. |
| cmwas | ephemeral | Flexi NS | 21 | FTP | TCP | ftp | FTP connection to download files. Optional: This firewall rule is not required if the respective secure protocol is used. |
| intgwas | ephemeral | NFM-P main server(s) | 22 | SSH | TCP | ssh | NSP auto integration. |
| fmwas | ephemeral | FNG | 22 | SSH | TCP | ssh | SSH terminal connection. |
| intgwas | ephemeral | LIG | 161 | NE3S SNMP | UDP | snmp-trap-get | SNMP get/set for LIG6.0. |
| intgwas | ephemeral | InfobloxDNS | 161 | SNMP | UDP | snmp-trap-get | For SNMP GET operations to InfobloxDNS. Applicable for below versions: 6.6. |
| cmwas | ephemeral | Flexi NG | 8060 | HTTP/SOAP | TCP | tcp-8060 | CM SB outgoing request integration for Flexi NG 3.x AOM. |
| intgwas | ephemeral | @vantage Commander | 12161 | SNMP | UDP | snmp-trap-set | SNMP set for PCS5000 FM on PCS5000. |
| intgwas | ephemeral | @vantage Commander | 22 | SSH | TCP | ssh | SSH EM launch support for @vantage Commander. |
| cmwas | ephemeral | Flexi NS | 22 | SSH/SFTP | TCP | ftp-data | The FTP-DATA channel under FTP Passive Mode uses this rule for FTP data transfer. Note: This firewall rule is not required if the respective secure protocol is used. |
| cmwas | ephemeral | Flexi NG | 22 | SSH/SFTP | TCP | ssh/sftp | SSH/SFTP terminal connection for Flexi NG. |
| cmwas | ephemeral | Flexi NG | 8059 | HTTPS/SOAP | TCP | tcp-8059 | CM SB outgoing request integration for Flexi NG with TLS support; required for AOM and applicable for Flexi NG 17 onwards. |
| fmwas | ephemeral | NBG | 22 | SSH | TCP | ssh | SSH terminal connection. |
| fmwas | ephemeral | LIG | 22 | SSH | TCP | ssh | Open SSH connection. |
| fmwas | ephemeral | InfobloxDNS | 22 | SSH | TCP | ssh | SSH launch to InfobloxDNS. |
| intgwas | ephemeral | Flexi CMD | 21 | FTP | TCP | ftp | File Transfer Protocol (FTP) communication channel for migrating integration. Optional: This firewall rule is not required if SFTP is used. |
| intgwas | ephemeral | Flexi CMD | 22 | SSH/SFTP | TCP | ssh | Secure Shell (SSH) over TCP/IP for accessing remote computers. |
| intgwas | ephemeral | Flexi CMD | 1061 | SNMP | UDP | snmp-cmd-service | NE3S/SNMP get/set service. |
| intgwas | ephemeral | ePDG | 161 | SNMP | UDP | snmp-trap-get | FM&PM function integration for ePDG 9.1. |
| Flexi CMD | 20 | intgwas | ephemeral | FTP | TCP | ftp-data | The FTP-DATA channel under FTP Active Mode uses this rule for FTP data transfer. Note: This firewall rule is not required if the respective secure protocol is used. |
| fmwas | ephemeral | ePDG | 22 | SSH | TCP | ssh | SSH terminal connection for ePDG. |
| intgwas | ephemeral | Traffica | 161 | NE3S SNMP | UDP | snmp-trap-get | SNMP get/set. Note: This firewall rule applies to version 17 and earlier. |
| fmwas | ephemeral | MRBTS | 33434-33523 | ICMP | UDP | udp-33434-33523 | Used for displaying the route and measuring transit delays of packets. |
| fmwas | ephemeral | OMS | 33434-33523 | ICMP | UDP | udp-33434-33523 | Used for checking the connection between NetAct and OMS with the traceroute command. |
| cmwas | ephemeral | TIAMS | 9443 | HTTPS/SOAP | TCP | tcp-9443 | CM SB outgoing request integration for IMS HWM. |
| cmwas | ephemeral | CDS | 21 | FTP | TCP | ftp | For CM: NetAct uses FTP to get HW data from the network element through this port. |
| cmwas | ephemeral | Open TAS | ephemeral | FTP | TCP | ftp | File Transfer Protocol data channel under FTP Passive Mode. Optional: This firewall rule is not required if the respective secure protocol is used. |
| intgwas | ephemeral | Open TAS | 23 | TELNET | TCP | telnet | For Auto-Integration: TELNET terminal connection. Optional: This firewall rule is not required if the respective secure protocol is used. |
| intgwas | ephemeral | Open MSS Cloud | 23 | TELNET | TCP | telnet | For NetAct: in auto integration this port must be open. In MSC Server Pool Monitor this port is used to execute MML commands on the NE if the Open MSS Cloud is integrated using Telnet. Optional: This firewall rule is not required if the respective secure protocol is used. |
| cmwas | ephemeral | Open MSS Cloud | 23 | TELNET | TCP | telnet | For CM: TELNET terminal connection. Optional: This firewall rule is not required if the respective secure protocol is used. |
| intgwas | ephemeral | Open MSS Cloud | 22 | SSH/SFTP | TCP | ssh/sftp | For Auto-Integration: Open MSS Cloud NE integration and auto integration. In MSC Server Pool Monitor this port is used to execute MML commands on the NE if the Open MSS Cloud is integrated using SSH. |
| cmwas | ephemeral | Open MSS Cloud | 22 | SSH/SFTP | TCP | ssh/sftp | For CM: SSH terminal connection for Open MSS Cloud. |
| fmwas | ephemeral | Open MSS Cloud | 22 | SSH | TCP | ssh | For EM: SSH terminal connection for Open MSS Cloud. |
| intgwas | ephemeral | Open MSS Cloud | 21 | FTP | TCP | ftp | For Auto-Integration: MSS Cloud NE auto integration uses FTP to modify the configuration file on the NE side. Optional: This firewall rule is not required if the respective secure protocol is used. |
| cmwas | ephemeral | Open MSS Cloud | 21 | FTP | TCP | ftp | For CM: FTP connection to download files. Optional: This firewall rule is not required if the respective secure protocol is used. |
| intgwas | ephemeral | Open MSS Cloud | ephemeral | FTP | TCP | ftp | For Auto-Integration: File Transfer Protocol data channel under FTP Passive Mode. Optional: This firewall rule is not required if the respective secure protocol is used. |
| cmwas | ephemeral | Open BGW | 22 | SSH | TCP | ssh | SSH terminal connection for Open BGW, and SCLI launch. |
| fmwas | ephemeral | Open BGW | 22 | SSH | TCP | ssh | For EM: EM launch with SCLI session. |
| intgwas | ephemeral | Open TAS | 21 | FTP | TCP | ftp | For Auto-Integration. Optional: This firewall rule is not required if the respective secure protocol is used. |
| intgwas | ephemeral | Open TAS | ephemeral | FTP | TCP | ftp | For Auto-Integration: File Transfer Protocol data channel under FTP Passive Mode. Optional: This firewall rule is not required if the respective secure protocol is used. |
| intgwas | ephemeral | Open MGW | 22 | SSH | TCP | ssh | For Auto-Integration. |
| fmwas | ephemeral | Open MGW | 22 | SSH | TCP | ssh | Open MGW EM launch through SSH. |
| intgwas | ephemeral | MSC | 23 | TELNET | TCP | telnet | For Auto-Integration: in auto integration this port must be open. In MSC Server Pool Monitor this port is used to execute MML commands on the NE if the MSC is integrated using Telnet. Optional: This firewall rule is not required if the respective secure protocol is used. |
| cmwas | ephemeral | HLR | 23 | TELNET | TCP | telnet | For CM: TELNET terminal connection. Optional: This firewall rule is not required if the respective secure protocol is used. |
| intgwas | ephemeral | Open TAS | 22 | SSH/SFTP | TCP | ssh | For Auto-Integration: SSH/SFTP terminal connection for Open TAS. |
| fmwas | ephemeral | MSC | 23 | TELNET | TCP | telnet | For EM: EM launch through Telnet instead of SSH. Optional: This firewall rule is not required if the respective secure protocol is used. |
| fmwas | ephemeral | Open TAS | 22 | SSH | TCP | ssh | For EM: SSH terminal connection for Open TAS. |
| fmwas | ephemeral | HLR | 23 | TELNET | TCP | telnet | For EM: EM launch through Telnet instead of SSH. Optional: This firewall rule is not required if SSH is used for EM launch. |
| intgwas | ephemeral | Nelmon | 161 | SNMP | UDP | snmp-get | For SNMP GET operations to Nelmon. |
| fmwas | ephemeral | CDS | 23 | TELNET | TCP | telnet | For EM: EM launch through Telnet instead of SSH. Optional: This firewall rule is not required if SSH is used for EM launch. |
| intgwas | ephemeral | Open TAS Cloud | 23 | TELNET | TCP | telnet | For Auto-Integration: open this port only in auto integration. Optional: This firewall rule is not required if the respective secure protocol is used. |
| intgwas | ephemeral | MSC | 21 | FTP | TCP | ftp | For Auto-Integration: FTP connection to download files. Optional: This firewall rule is not required if the respective secure protocol is used. |
| intgwas | ephemeral | MSC | ephemeral | FTP | TCP | ftp | For Auto-Integration: File Transfer Protocol data channel under FTP Passive Mode. Optional: This firewall rule is not required if the respective secure protocol is used. |
| cmwas | ephemeral | HLR | 22 | FTP | TCP | ftp | For CM: FTP connection to download files. Optional: This firewall rule is not required if the respective secure protocol is used. |
| cmwas | ephemeral | HLR | 21 | FTP | TCP | ftp | For CM: FTP connection to download files. Optional: This firewall rule is not required if the respective secure protocol is used. |
| intgwas | ephemeral | Open TAS Cloud | 21 | FTP | TCP | ftp | For Auto-Integration: open this port only in auto integration. Optional: This firewall rule is not required if the respective secure protocol is used. |
| intgwas | ephemeral | Open TAS Cloud | ephemeral | FTP | TCP | ftp | For Auto-Integration: File Transfer Protocol data channel under FTP Passive Mode. Open this port only in auto integration. Optional: This firewall rule is not required if the respective secure protocol is used. |
| fmwas | ephemeral | NTAS Cloud | 2222 | SSH | TCP | ssh | EM launch for NTAS. Note: There is no default port for SSH Session Launch; port 2222 is used here as an example. |
| intgwas | ephemeral | MSC | 22 | SSH/SFTP | TCP | ssh/sftp | For Auto-Integration: MSC NE auto integration. In MSC Server Pool Monitor this port is used to execute MML commands on the NE if the MSC is integrated using SSH. |
| fmwas | ephemeral | MSC | 22 | SSH/SFTP | TCP | ssh/sftp | For EM: EM launch. For NOKMSS-Ma16.2IP, NOKMSS-Md16.2IP, NOKMSS-Mr17.0IP and NOKMSS-Ma17.0IP in NetAct15.5. |
| fmwas | ephemeral | HLR | 22 | SSH/SFTP | TCP | ssh | For EM: SSH terminal connection for HLR. |
| fmwas | ephemeral | CDS | 22 | SSH/SFTP | TCP | ssh | For EM: SSH terminal connection for CDS. |
| intgwas | ephemeral | Open TAS Cloud | 22 | SSH/SFTP | TCP | ssh | For Auto-Integration: SSH/SFTP terminal connection for Open TAS Cloud. |
| fmwas | ephemeral | Open TAS Cloud | 22 | SSH | TCP | ssh | For EM: SSH terminal connection for Open TAS Cloud. |
| cmwas | ephemeral | Open TAS Cloud SEE | 22 | SSH | TCP | ssh | SSH terminal connection for Open TAS Cloud SEE. |
| intgwas | ephemeral | Open TAS Cloud SEE | 22 | SSH | TCP | ssh | For Auto-Integration: SSH terminal connection for Open TAS Cloud SEE. |
| fmwas | ephemeral | Open TAS Cloud SEE | 22 | SSH | TCP | ssh | EM launch SSH terminal connection for Open TAS Cloud SEE. |
| cmwas | ephemeral | FZCP | 8059 | HTTPS | TCP | tcp-8059 | NE3S/WS communication from Configurator to FZCP. |
| cmwas | ephemeral | FZCP | 8060 | HTTP | TCP | tcp-8060 | NE3S/WS communication from Configurator to FZCP. Optional: This firewall rule is not required if the respective secure protocol is used. |
| fmwas | ephemeral | AGCF | 22 | SSH | TCP | ssh | SSH session launch. |
| fmwas | ephemeral | IECCF | 22 | SSH | TCP | ssh | SSH session launch. |
| cmwas | ephemeral | FlexiISN | 23 | TELNET | TCP | telnet | TELNET terminal connection. |
| cmwas | ephemeral | FlexiISN | 22 | SSH | TCP | ssh | SSH terminal connection for Flexi ISN. |
| cmwas | ephemeral | NTHLR FE | 8443 | HTTPS/SOAP | TCP | tcp-8443 | CM SB outgoing request integration support for NTHLR FE with TLS. Applicable for all versions. |
| cmwas | ephemeral | DRA | 8080 | HTTP/SOAP | TCP | tcp-8080 | CM SB outgoing request integration for DRA. Applicable for below versions: DRA 9.1, DRA 10.0, DRA 10.1, DRA 11.0. Applicable for AOM: DRA 15.5C onwards. Optional: This firewall rule is not required if the respective secure protocol is used (port 8443). |
| cmwas | ephemeral | DRA | 8443 | HTTPS/SOAP | TCP | tcp-8443 | CM SB outgoing request integration for DRA supporting TLS. Applicable for below versions: DRA 10.0, DRA 10.1, DRA 11.0. Applicable for AOM: DRA 15.5C onwards. |
| fmwas | ephemeral | Nokia Decomposed SBC Media Plane | 22 | SSH | TCP | ssh | SSH terminal connection for Nokia Decomposed SBC Media Plane. |
| fmwas | ephemeral | Nokia Decomposed SBC Signaling Plane | 22 | SSH | TCP | ssh | SSH terminal connection to Nokia Decomposed SBC Signaling Plane. |
| cmwas | ephemeral | DRA | 8080 | HTTP/SOAP | TCP | tcp-8080 | CM SB outgoing request integration for DRA. Applicable for below versions: DRA 9.1, DRA 10.1, DRA 11.0. Applicable for AOM: DRA 15.5C onwards. Optional: This firewall rule is not required if the respective secure protocol is used (port 8443). |
| cmwas | ephemeral | DRA | 8443 | HTTPS/SOAP | TCP | tcp-8443 | CM SB outgoing request integration for DRA supporting TLS. Applicable for below versions: DRA 10.1, DRA 11.0. Applicable for AOM: DRA 15.5C onwards. |
| cmwas | ephemeral | Repo Server | 7070 | HTTP/SOAP | TCP | tcp-7070 | CM SB outgoing request integration for Centralized CM Repo Server and CM Repo Server (VI and VNF) with Local Redundancy and overload support. Optional: This firewall rule is not required if the respective secure protocol is used. |
| cmwas | ephemeral | BCUBTS Mediation Server | 8080 | HTTP/SOAP | TCP | http | CM SB outgoing request integration for BCUBTS Mediation Server. |
| cmwas | ephemeral | Repo Server | 7443 | HTTPS/SOAP | TCP | tcp-7443 | CM SB outgoing request integration for Centralized CM Repo Server (CI) and CM Repo Server (VI and VNF) with Local Redundancy and overload support. |
| cmwas | ephemeral | SS7 | 9090 | HTTP/SOAP | TCP | tcp-9090 | CM SB outgoing request integration for SS7. Applicable from SS7 15.5 onwards. Optional: This firewall rule is not required if the respective secure protocol is used. |
| cmwas | ephemeral | SS7 | 9443 | HTTPS/SOAP | TCP | tcp-9443 | CM SB outgoing request integration for SS7 to support TLS (AOM). Applicable from SS7 15.5 onwards. |
| cmwas | ephemeral | PCC | 22 | SSH | TCP | ssh | SSH terminal connection and CLI integration for PCC. Applicable for all versions. |
| cmwas | ephemeral | PCC | 8443 | HTTPS/SOAP | TCP | tcp-8443 | CM SB outgoing request integration for PCC with TLS. Applicable for all versions. |
| cmwas | ephemeral | PCC | 8080 | HTTP/SOAP | TCP | tcp-8080 | CM SB outgoing request integration for PCC. Applicable for all versions. Optional: This firewall rule is not required if the respective secure protocol is used. |
| cmwas | ephemeral | OMS | 49569 | IIOP | TCP | nwi3-adapter | NWI3 Adapter (IPv6 port for dual-stack OMS). |
| fmwas | ephemeral | PGW Operation Service | 22 | SSH | TCP | ssh | For SSH access to PGW VNF operation service. |
| intgwas | ephemeral | BSC | 23 | TELNET | TCP | telnet | Used for BSC automatic integration. Note: This firewall rule is not required if the respective secure protocol is used. |
| intgwas | ephemeral | BSC | 22 | SSH | TCP | ssh | Used for BSC automatic integration. |
| fmwas | ephemeral | eSM virtual address | 22 | SSH | TCP | ssh | SSH EM launch support. |
| fmwas | ephemeral | OCS | 22 | SSH | TCP | ssh | SSH launch to OCS. |
| fmwas | ephemeral | RDR | 22 | SSH | TCP | ssh | SSH launch to RDR. |
| cmwas | ephemeral | ASCBTS | 8443 | HTTPS/SOAP | TCP | tcp-8443 | NE3S/WS communication from Configurator to AirScale Cloud BTS. |
| fmwas | ephemeral | eCGS | 22 | SSH | TCP | ssh | SSH launch to eCGS. |
| fmwas | ephemeral | One-MNP System Monitor | 22 | SSH | TCP | ssh | One-MNP System Monitor SSH connection. Applicable for below versions: One-MNP 8.0 SP6, One-MNP 9, One-MNP 15.5, One-MNP 16, One-MNP 16.5, One-MNP Cloud 16.5, One-MNP 17, One-MNP Cloud 17, One-MNP 18, One-MNP Cloud 18. |
| User Workstation Apps | ephemeral | syswas | 9108 | IIOP/CSIv2 | TCP | tcp-9108 | ORB Listener Port for WebSphere application server. |
| User Workstation Apps | ephemeral | cmwas | 9106 | IIOP/CSIv2 | TCP | tcp-9106 | ORB Listener Port for WebSphere application server. |
| User Workstation Apps | ephemeral | intgwas | 9110 | IIOP/CSIv2 | TCP | tcp-9110 | ORB Listener Port for WebSphere application server. |
| User Workstation Apps | ephemeral | itsmwas | 9109 | IIOP/CSIv2 | TCP | tcp-9109 | ORB Listener Port for WebSphere application server. |
| User Workstation Apps | ephemeral | cmwas | 9414 | IIOP/CSIv2 | TCP | tcp-9414 | CSIv2 Client Authentication Listener Port. |
| User Workstation Apps | ephemeral | intgwas | 9418 | IIOP/CSIv2 | TCP | tcp-9418 | CSIv2 Client Authentication Listener Port. |
| User Workstation Apps | ephemeral | itsmwas | 9417 | IIOP/CSIv2 | TCP | tcp-9417 | CSIv2 Client Authentication Listener Port. |
| User Workstation Apps | ephemeral | syswas | 9416 | IIOP/CSIv2 | TCP | tcp-9416 | CSIv2 Client Authentication Listener Port. |
| User Workstation Apps | ephemeral | cmwas | 7281 | Secure JMS | TCP | tcp-7281 | WebSphere SIB endpoint secure address for cmserver. |
| User Workstation Apps | ephemeral | intgwas | 7285 | Secure JMS | TCP | tcp-7285 | WebSphere SIB endpoint secure address for intgserver. |
| User Workstation Apps | ephemeral | itsmwas | 7284 | Secure JMS | TCP | tcp-7284 | WebSphere SIB endpoint secure address for itsmserver. |
| User Workstation Apps | ephemeral | syswas | 7283 | Secure JMS | TCP | tcp-7283 | WebSphere SIB endpoint secure address for sysserver. |
| cmwas | ephemeral | LB WAS virtual IP | 10443 | HTTPS | TCP | https-alt1 | HTTPS for WebSphere Application Server. |
| cmwas | ephemeral | BTSMED | 8443 | HTTPS/SOAP | TCP | tcp-8443 | NE3S/WS communication from Configurator to BTSMED/SOAMBTS. |
| cmwas | ephemeral | BTSMED | 8080 | HTTP/SOAP | TCP | tcp-8080 | NE3S/WS communication from Configurator to BTSMED/SOAMBTS. Optional: This firewall rule is not required if the respective secure protocol is used. |
| fmwas | ephemeral | BTSMED | 22 | SSH | TCP | ssh | For SCLI connections to BTSMED. |
| fmwas | ephemeral | SDL Operation Service | 22 | SSH | TCP | ssh | For SSH and SCLI access to SDL VNF operation service. |
| fmwas | ephemeral | DDE | 22 | SSH | TCP | ssh | SSH launch to DDE. |
| pmwas | ephemeral | Email Server | 25 | SMTP | TCP | smtp-25 | Optional: This rule is required if PM scheduled reports send e-mail notifications, or if the Info-center feedback loop is enabled and feedback messages are sent as e-mail notifications, through an unsecured external SMTP server on port 25 (provided by the customer). |
| User Workstation Apps | ephemeral | fmwas | 9105 | IIOP/CSIv2 | TCP | tcp-9105 | ORB Listener Port for WebSphere application server. |
| User Workstation Apps | ephemeral | fmwas | 9413 | IIOP/CSIv2 | TCP | tcp-9413 | CSIv2 Client Authentication Listener Port. |
| User Workstation Apps | ephemeral | fmwas | 9102 | IIOP/CSIv2 | TCP | tcp-9102 | ORB Listener Port. |
| User Workstation Apps | ephemeral | fmwas | 9202 | IIOP/CSIv2 | TCP | tcp-9202 | CSIv2 Client Authentication Listener Port. |
| User Workstation Apps | ephemeral | fmwas | 7280 | Secure JMS | TCP | tcp-7280 | WebSphere SIB endpoint secure address for fmserver. |
| fmwas | ephemeral | SM | 22 | SSH | TCP | ssh | SSH launch to Service Manager. |
| fmwas | ephemeral | Nokia 9926 eNodeB | 22 | SSH | TCP | ssh | For SSH connections to Nokia 9926 eNodeB. |
| cmwas | ephemeral | Nokia 9926 eNodeB | 830 | NETCONF | TCP | netconf-action | For NETCONF action to Nokia 9926 eNodeB. |
| fmwas | ephemeral | ASRNC | 22 | SSH | TCP | ssh | SSH shell from NetAct Monitor. |
| fmwas | ephemeral | TITAN-MASTER | 22 | SSH | TCP | ssh | SSH EM launch support. |
| fmwas | ephemeral | TITAN-EDGE | 22 | SSH | TCP | ssh | SSH EM launch support. |
| fmwas | ephemeral | DSC PS | 22 | SSH | TCP | ssh | For SSH connections to DSC PS. Applicable for below versions: DSC 9.0 R3, DSC 9.0 R5, DSC 17.4. |
| fmwas | ephemeral | DSC CS | 22 | SSH | TCP | ssh | For SSH connections to DSC CS. Applicable for below versions: DSC 9.0 R3, DSC 9.0 R5, DSC 17.4. |
| pmwas | ephemeral | Email Server | 25 | SMTP/STARTTLS | TCP | smtp-starttls-25 | Optional: This rule is required if PM scheduled reports send e-mail notifications, or if the Info-center feedback loop is enabled and feedback messages are sent as e-mail notifications, through a STARTTLS external SMTP server on port 25 (provided by the customer). |
| pmwas | ephemeral | Email Server | 587 | SMTP/STARTTLS | TCP | smtp-starttls-587 | Optional: This rule is required if PM scheduled reports send e-mail notifications, or if the Info-center feedback loop is enabled and feedback messages are sent as e-mail notifications, through a STARTTLS external SMTP server on port 587 (provided by the customer). |
| fmwas | ephemeral | ASCBTS | 33434-33933 | na | UDP | udp-33434-33933 | Used for checking the connection between NetAct and AirScale Cloud BTS with the traceroute command. |
| cmwas | ephemeral | One-NDS Status Service | 8092 | HTTPS/SOAP | TCP | tcp-8092 | CM SB outgoing request integration with TLS for One-NDS 16.5 onwards to support AOM and One-NDS 17 onwards to support HWM. |
| cmwas | ephemeral | ASCBTS | 8080 | HTTP/SOAP | TCP | tcp-8080 | NE3S/WS communication from Configurator to AirScale Cloud BTS. Optional: This firewall rule is not required if the respective secure protocol is used. |
| cmwas | ephemeral | CWLC | 8059 | HTTPS/SOAP | TCP | tcp-8059 | NE3S/WS communication from Configurator to CWLC. |
| fmwas | ephemeral | SAAM | 22 | SSH | TCP | ssh | SAAM SSH connections. Applicable for below versions: SAAM 7.0, SAAM 8.0. |
| intgwas | ephemeral | SAAM | 22 | SFTP | TCP | sftp | Secure File Transfer Protocol communication channel. Applicable for below versions: SAAM 8.0 and onwards. |
| SAAM | 20 | intgwas | ephemeral | FTP | TCP | ftp-data | File Transfer Protocol data channel under FTP Active Mode. Applicable for below versions: SAAM 7.0, SAAM 8.0. Optional: This firewall rule is not required if the respective secure protocol is used. |
| intgwas | ephemeral | SAAM | 21 | FTP | TCP | ftp | File Transfer Protocol communication channel. Applicable for below versions: SAAM 7.0, SAAM 8.0. Optional: This firewall rule is not required if the respective secure protocol is used. |
| cmwas | ephemeral | IPA-RNC | 23 | TELNET | TCP | telnet | For IPA-RNC: executing MML commands through Command Manager. Optional insecure protocol; this rule is not required if the respective secure protocol is used. |
| fmwas | ephemeral | SPM OAM node | 22 | SSH | TCP | ssh | SPM OAM node SSH connection. Applicable for below versions: SPM 2.0, SPM 3.0, SPM 3.0 VI. |
| intgwas | ephemeral | EPD | 161 | SNMP | UDP | snmp-get | For SNMP GET/WALK response from EPD during integration verification. |
| intgwas | ephemeral | TVG | 161 | SNMP | UDP | snmp-get | For SNMP GET/WALK response from TVG during integration verification. |
| intgwas | ephemeral | TCS | 161 | NE3S SNMP | UDP | snmp-get | For SNMP GET/WALK response from TCS during integration verification. |
| intgwas | ephemeral | ATS | 161 | SNMP | UDP | snmp-get | For SNMP GET/WALK response from ATS during integration verification. |
| intgwas | ephemeral | One-NDS Administrator Server | 8443 | HTTPS | TCP | https-ui | Web application SSO servlet connection to One-NDS Administrator server. Applicable for below versions: One-NDS 9 SP2, One-NDS 16, One-NDS 16.5, One-NDS 17, One-NDS 19. |
| fmwas | ephemeral | One-NDS Status Service | 22 | SSH | TCP | ssh | One-NDS Status Service SSH connection. Applicable for below versions: One-NDS 9 SP2, One-NDS 16, One-NDS 16.5, One-NDS 17, One-NDS 19. |
| fmwas | ephemeral | One-NDS Directory Server | 22 | SSH | TCP | ssh | One-NDS Directory Servers SSH connection. Applicable for below versions: One-NDS 9 SP2, One-NDS 16, One-NDS 16.5, One-NDS 17, One-NDS 19. |
| fmwas | ephemeral | One-NDS Administrator Server | 22 | SSH | TCP | ssh | One-NDS Administrator Servers SSH connection. Applicable for below versions: One-NDS 9 SP2, One-NDS 16, One-NDS 16.5, One-NDS 17, One-NDS 19. |
| fmwas | ephemeral | One-NDS Provisioning Gateway Server | 22 | SSH | TCP | ssh | One-NDS Provisioning Gateway Servers SSH connection. Applicable for below versions: One-NDS 9 SP2, One-NDS 16, One-NDS 16.5, One-NDS 17, One-NDS 19. |
| intgwas | ephemeral | SADM | 8085 | SNMP | UDP | snmp-ne3ssnmp-service-data | NE3S/SNMP based data provider. Applicable for below versions: SADM 9.0, SADM 10, SADM 16. |
| intgwas | ephemeral | DPA | 8085 | SNMP | UDP | snmp-ne3ssnmp-service-data | NE3S/SNMP based data provider. Applicable for below version: DPA 16. |
| fmwas | ephemeral | SADM | 22 | SSH | TCP | ssh | SADM SSH connections. Applicable for below versions: SADM 9.0, SADM 10, SADM 16. |
| intgwas | ephemeral | SADM | 22 | SFTP | TCP | sftp | Secure File Transfer Protocol communication channel. Applicable for below versions: SADM 10, SADM 16. |
| fmwas | ephemeral | DPA | 22 | SSH | TCP | ssh | DPA SSH connections. Applicable for below version: DPA 16. |
| fmwas | ephemeral | SBTS | 33434-33933 | na | UDP | udp-33434-33933 | Used for checking the connection between NetAct and SBTS with the traceroute command. Note: During the Plug and Play process, this firewall rule must additionally be applied for the SBTS using its temporary IP address. |
| cmwas | ephemeral | SBTS | 8443 | HTTPS/SOAP | TCP | tcp-8443 | NE3S/WS communication from Configurator to SBTS. Note: During the Plug and Play process, this firewall rule must additionally be applied for the SBTS using its temporary IP address. |
| cmwas | ephemeral | SBTS | 8080 | HTTP/SOAP | TCP | tcp-8080 | NE3S/WS communication from Configurator to SBTS. Optional: This firewall rule is not required if the respective secure protocol is used. Note: During the Plug and Play process, this firewall rule must additionally be applied for the SBTS using its temporary IP address. |
| fmwas | ephemeral | RNC | 33400-33600 | na | UDP | udp-33400-33600 | Used for checking the connection between NetAct and RNC with the traceroute command. |
| fmwas | ephemeral | WBTS | 33434-33933 | na | UDP | udp-33434-33933 | Used for checking the connection between NetAct and WBTS with the traceroute command. |
| cmwas | ephemeral | IPA-RNC | 22 | SSH | TCP | ssh | For IPA-RNC: executing MML commands through Command Manager. |
| fmwas | ephemeral | mcRNC | 22 | SSH | TCP | ssh | SSH shell from NetAct Monitor. |
| cmwas | ephemeral | One-NDS Status Service | 8090 | HTTP/SOAP | TCP | tcp-8090 | CM SB outgoing request integration for One-NDS 9 SP2 and One-NDS 16 onwards to support AOM, and One-NDS 17 onwards to support HWM. Optional: From One-NDS 16.5 onwards, this firewall rule is not required if the respective secure protocol is used (port 8092). |
| intgwas | ephemeral | HPE Storage System | 161 | SNMP | UDP | snmp-get | For SNMP GET/GETBULK operations to HP Storage System. |
NetAct™ 22 © 2021 Nokia. Nokia Confidential Information 511


Final Use subject to agreed restrictions on disclosure and use.
Administering NetAct System Security DN0979438_C 5-2 Configuring Firewall for NetAct

Appli- Trans-
Service
Source Source Port Destination Dest. Port cation port Description
Object
Layer Layer

intgwas ephemeral HPE Fiber 161 SNMP UDP snmp-get For SNMP GET/GETBULK opera-
Channel tions to HP Fiber Channel Switch or
Switch or HP Switch.
HPE Switch

intgwas ephemeral HPE 161 SNMP UDP snmp-get For SNMP GET/GETBULK opera-
BladeSys- tions to HP BladeSystem VirtualCon-
tem Virtu- nect FlexFabric.
alConnect
FlexFabric

intgwas ephemeral HPE 22 SSH TCP ssh HP BladeSystem VirtualConnect


BladeSys- FlexFabric SSH connection to per-
tem Virtu- form snmpv3 auto-configuration
alConnect
FlexFabric

intgwas ephemeral HPE On- 161 SNMP UDP snmp-get For SNMP GET/GETBULK opera-
board Ad- tions to HP Onboard Administrator.
ministrator

intgwas ephemeral HPE On- 22 SSH TCP ssh HP Onboard Administrator SSH con-
board Ad- nection to perform snmpv3 auto-con-
ministrator figuration.

intgwas ephemeral SAAM 8161 SNMP UDP sn- NE3S/SNMP based data provider
mp-ne3ssnmp-
service Applicable for below versions
data SAAM 7.0 SAAM 8.0

User Work- ephemeral syswas 9810 RMI TCP net- Used by Bootstrap port
station Apps act-uw-
boots-as

fmwas ephemeral iNUM OAM 22 SSH TCP ssh iNUM OAM node SSH connection.
Node Applicable for below versions iNUM
v11 iNUM v15.5 iNUM v16 iNUM
v16.5 iNUM v17

SADM 20 intgwas ephemeral FTP TCP ftp-data File Transfer Protocol data channel
under FTP Active Mode. Applicable
for below version SADM 9.0

One-EIR 20 intgwas ephemeral FTP TCP ftp-data File Transfer Protocol data channel
System under FTP Active Mode. Applica-
Monitor ble for below versions: One-EIR 4.0
SP1, One-EIR 5.0, One-EIR 5 SP1.

One-MNP 20 intgwas ephemeral FTP TCP ftp-data File Transfer Protocol data channel
System under FTP Active Mode. Applicable
Monitor for below versions: One-MNP 8.0
SP6, One-MNP 9.

intgwas ephemeral FSC Rack 161 SNMP UDP snmp-get For SNMP GET/GETBULK opera-
Server tions to FSC Rack Server.

NetAct™ 22 © 2021 Nokia. Nokia Confidential Information 512


Final Use subject to agreed restrictions on disclosure and use.
Administering NetAct System Security DN0979438_C 5-2 Configuring Firewall for NetAct

Appli- Trans-
Service
Source Source Port Destination Dest. Port cation port Description
Object
Layer Layer

intgwas ephemeral BIG IP 161 SNMP UDP snmp-get SNMP based GET operation. Ap-
plicable for below versions: BIG IP
6400, BIG IP 6900, BIG IP TMOS
version 10, BIG IP TMOS version 11.

intgwas ephemeral IBMBC 161 SNMP UDP snmp-get For SNMP GET/GETBULK opera-
tions to IBM BladeCenter.

intgwas ephemeral SADM 21 FTP TCP ftp File Transfer Protocol communica-
tion channel Applicable for below
version SADM 9.0

intgwas ephemeral One-EIR 21 FTP TCP ftp File Transfer Protocol communica-
System tion channel. Applicable for below
Monitor versions: One-EIR 4.0 SP1, One-EIR
5.0, One-EIR 5 SP1.

intgwas ephemeral One-MNP 21 FTP TCP ftp File Transfer Protocol communica-
System tion channel. Applicable for below
Monitor versions: One-MNP 8.0 SP6, One-
MNP 9.0.

intgwas ephemeral One-MNP 8085 SNMP UDP sn- NE3S/SNMP based data provider
System mp-ne3ssnmp-
service. Applicable for below ver-
Monitor data sions: One-MNP 8.0 SP6, One-MNP
9.0.

intgwas ephemeral One-EIR 8085 SNMP UDP sn- NE3S/SNMP based data provider
System mp-ne3ssnmp-
service. Applicable for below ver-
Monitor data sions: One-EIR 4.0 SP1, One-EIR 5.
0, One-EIR 5 SP1.

OMS ephemeral cmwas 49400-49499 IIOP TCP https For CM upload

User Work- ephemeral fmwas 9100 RMI/ TCP tcp-9100 This is used for initiating connections
station Apps IIOP when client requests JNDI services
from server. Used to communicate
with RMI/IIOP service of CertGen

fmwas ephemeral IBMBC 22 SSH TCP ssh IBM BladeCenter SSH connection.

fmwas ephemeral One-NDS In- 22 SSH TCP ssh SSH Launch to One-NDS Install
stall Server Server

itsmwas ephemeral OMS 49363 IIOP TCP nwi3-sw- NWI3 SW Agent


agent

cmwas ephemeral OMS 443 HTTPS TCP https CM outgoing request.

cmwas ephemeral RNC 49400-49499 TCP TCP tcp-49400-49499


Port range for feedback objects of
RNCs

cmwas ephemeral OMS 80 HTTP TCP http CM outgoing request. Optional: This
firewall rule is not required if the re-
spective secure protocol is used.

NetAct™ 22 © 2021 Nokia. Nokia Confidential Information 513


Final Use subject to agreed restrictions on disclosure and use.
Administering NetAct System Security DN0979438_C 5-2 Configuring Firewall for NetAct

Appli- Trans-
Service
Source Source Port Destination Dest. Port cation port Description
Object
Layer Layer

fmwas ephemeral OMS 22 SSH TCP ssh SSH

cmwas ephemeral OMS 49367 IIOP TCP nwi3- NWI3 Measurement Handler
measure-
ment-hndlr

itsmwas ephemeral OMS 49350 IIOP TCP nwi3-hw- NWI3 HW Agent


agent

cmwas ephemeral OMS 49357 IIOP TCP nwi3- NWI3 CM Plan Management
cm-plan-
mgmt

cmwas ephemeral OMS 49566 IIOP TCP nwi3- NWI3 Adapter


adapter

User Work- ephemeral fmwas 9402 IIOP TCP csiv2- Used for CORBA communication
station Apps ssl-mutu- from Web application or other appli-
al-auth- cation. WebSphere CSIV2 SSL mu-
listener tual authentication listener address.

27.2.27 Changes in firewall rules

For the list of changes in firewall rules introduced in NetAct 22 in comparison to NetAct 20, see
Changes in firewall rules in NetAct 22 in NetAct Release Changes.


28 Integrating external authentication and authorization server to NetAct

NetAct supports the integration of an external authentication and authorization server, so that login with user credentials held in an external repository, together with proper control of access rights, is possible in NetAct. Integration involves operations both in NetAct and in the external authentication and authorization server. This section provides the sequence of operations that the NetAct administrator and the external server administrator need to perform to integrate an external authentication and authorization server with NetAct.

Note: External server administrators are the most privileged users in the external authentication server; they manage the external user accounts and groups that are administered centrally.

28.1 Overview of external authentication and authorization server integration

This section describes the workflow for integrating an external authentication and authorization server with NetAct. The integration involves actions in NetAct and in the external authentication and authorization server.


Figure 9: External authentication server and authorization integration


28.2 Preparing external authentication and authorization server

For integrating the external authentication and authorization server with NetAct, the external server administrator must obtain the parameters listed below and prepare the external authentication and authorization server. The parameters obtained and the requirements mentioned in this section are prerequisites for the integration of NetAct with the external authentication and authorization server.

Table 32: External authentication and authorization server prerequisites lists the prerequisites to integrate an external authentication and authorization server with NetAct.

Requirement: External authentication and authorization servers
Instructions: External authentication and authorization servers must be powered on and all services must be in started state.

Requirement: External authentication and authorization servers operating system version
Instructions: Windows Server 2012 R2 or higher.

Requirement: External authentication and authorization servers firewall configuration
Instructions: For the firewall configuration in the external authentication and authorization server (server ports relevant to the specific Windows release), see Microsoft Support Site.

Requirement: Domain name of external authentication and authorization servers
Instructions: Domain name under which all external authentication and authorization servers are functional. All external authentication and authorization servers to be integrated with NetAct are required to be under a single domain. The domain name is used during login to the external authentication and authorization server by providing the login name in <domain name>\<login name> format.

Requirement: Credentials for external authentication and authorization servers integration
Instructions: Domain administrator credentials required during integration must be obtained from the external server administrator.

Requirement: IP address (IPv4 or IPv6), subnet mask, and FQDN of all external authentication and authorization servers
Instructions: IPv4 or IPv6 address along with subnet mask and FQDN of all the external authentication and authorization servers under the domain need to be obtained from the external authentication and authorization server administrator.
Note: Ensure high availability of the external authentication and authorization server so that connectivity with NetAct is seamless.

Requirement: User container Relative Distinguished Name (RDN) of external authentication and authorization server
Instructions: The user container RDN of the external authentication and authorization server needs to be obtained from the external server administrator. For instructions, see Obtaining users container RDN of external authentication and authorization server.
Note: Ensure that the RDN value does not contain the following characters, as these characters are not supported in NetAct:

• plus (+)
• comma (,)
• double quote (")
• forward slash (/)
• backward slash (\)
• left angle bracket (<)
• right angle bracket (>)
• semicolon (;)
• equals (=)
• consecutive spaces

For example, if the RDN is CN=test,+h,DC=nalab675,DC=netact,DC=nsn-rdnet,DC=net, DC and CN are separated by a comma, but a CN or DC value cannot itself contain a comma or any other unsupported character. In this example, test,+h is not supported because it contains the comma and plus characters.

Requirement: External authentication and authorization server ports for ldap/ldaps access
Instructions: ldap and ldaps ports in the external authentication and authorization server. These need to be obtained from the external server administrator. All external authentication and authorization servers are required to support the same ldap and ldaps ports.

Requirement: Root CA certificate of server certificate in external authentication and authorization servers
Instructions: Secure mode of communication between NetAct and the external authentication and authorization server is done using certificates. The root CA certificate of the signer of the server certificate of the external authentication and authorization server is required in the NetAct directory server trust store while establishing a secure connection. For instructions, see Exporting root CA certificate from external authentication and authorization server.
Note: Server certificates of external authentication and authorization servers under the same domain can be signed by different Certification Authorities (CA). In such a case, each of the different root CA certificates in use needs to be exported.

Requirement: Server Certificate of external authentication and authorization server
Instructions: NetAct supports communication with the external authentication and authorization server in secure mode only. If server certificates are missing, they need to be procured and installed by the external server administrator. For more details, see Server certificate requirements of external authentication and authorization server.

Requirement: Groups in external authentication and authorization server
Instructions: New groups need to be created in the external authentication and authorization server for controlling user access. For instructions, see Creating new group in external authentication and authorization server.

Requirement: Assigning external user account to universal group
Instructions: For instructions, see Adding external user to universal group of external authentication and authorization server.

Requirement: Bi-directional DNS (Domain Name System) setup
Instructions: Both sides of the trust must be able to resolve each other's services and names. This can be achieved by setting up stub zones or conditional forwarders. For more information, see Setup bi-directional DNS forwarding.
Note: This step can be done as part of the preparation phase, but it requires port 53 to be open and accessible. For the complete list of ports which are required to be opened, see Setting up firewall rules.

Requirement: Synchronized clocks between Node Manager and external domain
Instructions: For the Kerberos protocol to work, ensure that both the Node Manager VMs and the external domain controllers have synchronized clocks. By default, a 5 minutes time difference is tolerated, but this policy is configurable. For more information, see Maximum tolerance for computer clock synchronization.
If there is a difference in the domain controllers' clocks, ensure that the NTP servers used by the domain controllers on both sides are in sync.
Note: Time zone differences are irrelevant; the skew is calculated using UTC time.

Table 32: External authentication and authorization server prerequisites

28.2.1 Obtaining users container RDN of external authentication and authorization server

The external server administrator must execute this procedure in the external authentication and authorization server. It provides information on how to obtain the users container Relative Distinguished Name (RDN) in an external authentication and authorization server of type Active Directory (AD).

1. Log in to the external authentication and authorization server as <domain name>\<administrator account> user.

2. Open Windows PowerShell by doing the following:

a) Right-click Start and select Search.

The Search pane appears.

b) In the search field, type Windows PowerShell.
c) Click Windows PowerShell.

The Windows PowerShell prompt appears.

3. In the Windows PowerShell prompt, enter the following command to obtain the users container RDN of the external authentication and authorization server:

Get-ADDomain | Select UsersContainer


Sample output:

PS D:\Users\Administrator> Get-ADDomain | Select UsersContainer


UsersContainer
--------------
CN=Users,DC=domain007,DC=test,DC=net

4. Exit the Windows PowerShell by typing exit in the command line.

5. Log out from external authentication and authorization server.

Expected outcome

The users container RDN of the external authentication and authorization server is obtained.
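Once the RDN has been obtained it can be checked against the unsupported-character rule from Table 32 before it is handed to the NetAct administrator. The following script is an added example and is not part of the Nokia documentation or of NetAct; the DNs it checks are constructed test data (the first one is the sample output shown above).

```python
"""Validate an AD users-container DN against NetAct's RDN character rule.

Added example, not NetAct code. The DNs below are constructed test data.
"""

# Characters that NetAct does not support inside an RDN attribute value
# (the list in Table 32); consecutive spaces are handled separately.
UNSUPPORTED_CHARS = {
    "+": "plus",
    ",": "comma",
    '"': "double quote",
    "/": "forward slash",
    "\\": "backward slash",
    "<": "left angle bracket",
    ">": "right angle bracket",
    ";": "semicolon",
    "=": "equals",
}


def rdn_value_problems(value):
    """Return the names of every unsupported feature found in one attribute value."""
    problems = [name for char, name in UNSUPPORTED_CHARS.items() if char in value]
    if "  " in value:
        problems.append("consecutive spaces")
    return problems


def check_dn(dn):
    """Validate every type=value component of a DN such as CN=Users,DC=test,DC=net.

    Because NetAct forbids both commas and backslashes inside values, RFC 4514
    escaping can never occur in a supported DN, so splitting at every comma is
    exact: a component without '=' means a value leaked a comma into the DN
    (the "CN=test,+h" case from Table 32 shows up as the stray component "+h").
    Returns a list of (index, component, problems) tuples; empty means supported.
    """
    findings = []
    for index, component in enumerate(dn.split(",")):
        attr_type, sep, value = component.partition("=")
        if not sep or not attr_type.strip():
            findings.append((index, component, ["comma (value split into a stray component)"]))
            continue
        problems = rdn_value_problems(value)
        if problems:
            findings.append((index, component, problems))
    return findings


def is_supported_dn(dn):
    """True when the DN can be used as the NetAct users container RDN."""
    return not check_dn(dn)


if __name__ == "__main__":
    samples = [
        "CN=Users,DC=domain007,DC=test,DC=net",   # sample output above: supported
        "CN=test,+h,DC=example,DC=net",            # constructed: comma and plus in value
        "OU=NetAct  Users,DC=example,DC=net",      # constructed: consecutive spaces
        "CN=ops/team,DC=example,DC=net",           # constructed: forward slash
    ]
    for sample in samples:
        verdict = "supported" if is_supported_dn(sample) else "NOT supported"
        print(f"{sample}: {verdict}")
        for index, component, problems in check_dn(sample):
            print(f"  component {index} ({component!r}): {', '.join(problems)}")
```

The split-at-comma approach is only exact because the supported character set excludes the escape character; for general LDAP DNs an RFC 4514 parser would be needed instead.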

28.2.2 Exporting root CA certificate from external authentication and authorization server

The root CA certificate helps in establishing the trust between NetAct and the external authentication and authorization server that is needed for secure mode of communication. This procedure explains how the external server administrator exports the root CA certificate from an external authentication and authorization server of type Active Directory (AD).

1. Log in to the external authentication and authorization server as <domain name>\<administrator account> user.

2. Open Microsoft management console by pressing WINDOWS+R on the keyboard and typing mmc.exe in the Run dialog box.

The Console Root window appears.

3. In the Microsoft management console, configure the Certificates snap-in for Active Directory Domain Services.
a) From the File menu, select Add/Remove Snap-in....

The Add or Remove Snap-ins dialog box appears.

b) In Available Snap-ins, select Certificates and click Add>.

The Certificate snap-in dialog box appears.

c) Select Computer account and click Next.

The Select Computer dialog box appears.

Note: If no certificates are found in the Service account, repeat the below steps for the Computer account instead.


d) Select Local computer and click Finish.


e) Click OK.

4. In the Logical Store Name pane, click Personal.

The Object Type pane appears.

5. In the Object Type pane, click Certificates.

6. In the server certificate listed, note down the signer from the Issued by field and click OK.

Note: Ensure that only one server certificate is listed. If there are multiple server
certificates listed, identify the certificate that will be presented. For more details, contact
external server administrator.

7. In the left pane, under Console root, select Trusted Root Certification Authorities and click
Certificates.

8. Select the certificate under Issued By as identified in step 4 and right-click it. Select All Tasks and click Export...

Certificate Export Wizard dialog box appears.

Note: The root CA certificate must be valid and not expired. You can check in the Valid
from field by double clicking the relevant certificate.

9. In Certificate Export Wizard, click Next and select DER or Base 64 encoded X.509 and click
Next.

10. Enter the filename of certificate to be exported and click Next.

11. Note the certificate file path displayed in the wizard and click Finish.

The following message is displayed if the export is successful:


The export was successful.

Note: The exported certificate will be used when integrating NetAct directory server with
external authentication and authorization server. For more information, see Enabling
NetAct directory server authorization with external authentication and authorization
server section.

12. Close Microsoft management console by selecting File → Exit and select No in the Save
Console Setting dialog box.


28.2.3 Creating new group in external authentication and authorization server

This section provides information about identifying groups in NetAct and Node Manager Server (NMS), followed by instructions to create the corresponding groups in the external authentication and authorization server.

• Identifying groups
• Creating universal groups

28.2.3.1 Identifying groups

This section provides information about the identification of groups in NetAct and Node Manager Server (NMS), so that the corresponding groups in the external authentication and authorization server can be created.

• Identifying NetAct groups
• Creating universal groups

28.2.3.1.1 Identifying NetAct groups

The NetAct groups in a cluster need to be identified in order to create the corresponding groups in the external authentication and authorization server.

To identify the groups within the NetAct cluster using the User Management application, see Viewing groups list in User Management Help.

To obtain the NetAct groups in the Command Line Interface (CLI), see Exporting NetAct groups in Administering Users and Permissions.

28.2.3.1.2 Identifying Node Manager groups

By default, NetAct recognizes the following Node Manager groups:

• NetAct_Users
• NetAct_Administrator
• ApplicationLaunchOnly
• NetAct_BTS_Admins

The NetAct Administrator can add additional Node Manager groups to NetAct. For more information, see Supporting additional Node Manager Server user groups in NetAct User Management in Permission Management Help.

1. Log in to the VM where the dmgr service is running as the omc user.


To locate the right VM, see Locating the right virtual machine for a service in Administering NetAct Virtual Infrastructure.

2. On the command line, enter the following command to check if the /etc/opt/oss/global/custom/conf/javaprefs/um/Pref_ADGroups.xml file exists:

[omc@testlabvm18 ~]$ ls /etc/opt/oss/global/custom/conf/javaprefs/um/Pref_ADGroups.xml

If the file does not exist, then no user-defined groups have been added to the Node Manager server (NMS). In this case, only the default groups listed earlier must be considered.

3. If the file exists, enter the following command:

[omc@testlabvm18 ~]$ grep "adGroupNames" /etc/opt/oss/global/custom/conf/javaprefs/um/Pref_ADGroups.xml

Expected outcome

The NMS groups recognized by NetAct will be listed on the console.

28.2.3.2 Creating universal groups

The external server administrator must create a universal group corresponding to each of the groups identified as described in Identifying groups. Nokia recommends naming the groups similarly to the NetAct groups, or prefixing them with an identifier (for example, the cluster ID), for easy administration. The recommended format is

NA<NetAct Cluster Identifier>_<group name identifier>

For example:

• NAcluster1_Users
• NAcluster1_Administrators
• NAcluster1_sysop
• NAcluster1_ApplicationLaunchOnly

Universal groups must be added by the external server administrator in the external server providing the authentication and authorization service, in order to manage the user permissions in NetAct and Node Manager Server (NMS).

When creating new groups, use Group Scope as Universal and Group Type as Security.

The steps to create the groups are beyond the scope of this document. For more information, see Microsoft's Knowledge base corresponding to your version of Active Directory server.

In case multiple NetAct clusters are integrated with the same external authentication and authorization server, the creation of separate universal groups can be optimized. For more information, see Considerations in universal groups creation for integration with multiple NetAct clusters.


Note: Windows Active Directory provides an option to add a group to another group. However, the universal groups created for NetAct operation must not have other groups as their members, so that access rights are checked properly during login from NetAct.

28.2.3.2.1 Considerations in universal groups creation for integration with multiple NetAct clusters

After logging in to the NetAct Start page, the access rights of a user depend on the associated NetAct groups. Similarly, when user authorization is controlled by the external authentication and authorization server, the user's access rights in NetAct depend on the groups associated with the user in the external authentication and authorization server.

Creating NetAct-specific groups in the external authentication and authorization server and associating them with the intended users is an activity that needs to be carried out by the external server administrator after gathering inputs regarding the NetAct groups from the NetAct administrator. If multiple NetAct clusters are integrated with the same external authentication and authorization server, the universal groups created for NetAct-specific use are planned as follows:

• Same universal groups for all NetAct clusters: This approach is recommended for NetAct groups which have the same permissions across NetAct clusters, for example the NetAct and Node Manager Server (NMS) default groups, such as sysop, NetAct_Users, and so on, and operator-created groups with the same permissions across clusters.
• Different universal group for each NetAct cluster: This approach is recommended for groups which have different permissions across NetAct clusters. Operator-created NetAct groups with different permissions in each NetAct cluster fall under this category. Nokia recommends creating separate universal groups and then associating users with these distinct universal groups in the external authentication and authorization server.

It is possible to have the same NetAct group name across different NetAct clusters with different access rights. Even though it is possible to create a common universal group mapped to the NetAct group with the same name across clusters, Nokia recommends creating a separate universal group per cluster to distinguish the different levels of access granted to the same NetAct group.

28.2.4 Adding external user to universal group of external authentication and authorization server

The external server administrator needs to add the user in the external authentication and authorization server to the universal groups that correspond directly to the NetAct and Node Manager groups, so that the effective rights are in place.

You can achieve this by associating the user account with the appropriate universal group created in Creating new group in external authentication and authorization server. For information about user-group association, see Microsoft's Knowledge base corresponding to your version of Active Directory server.


28.2.5 Server certificate requirements of external authentication and authorization server

The server certificate needs to be available in the relevant certificate store in the external authentication and authorization server. It is used to establish the secure connection between NetAct and the external authentication server. This section lists the requirements the server certificate must meet for successful integration and use.

The server certificate present in the external authentication and authorization server must meet the following requirements:

• Nokia recommends that the server certificate is SHA2 compliant with a key length of at least 2048 bits.
• The server certificate must have Server Authentication in the Enhanced Key Usage field.
• The server certificate must not be expired. This can be checked through the Valid from field in the certificate details. The means for prevention and notification of certificate expiration in the external authentication and authorization server must be taken care of by the external server administrator.
• The Common Name (CN) attribute of the subject field must contain the Fully Qualified Domain Name (FQDN) of the external authentication and authorization server. This is used by the NetAct directory server to ensure that the connection is made to the intended host, thereby preventing man-in-the-middle attacks. It can be checked in the Issued To field of the server certificate.
• The server certificate must not be self-signed. It is possible to use a self-signed certificate as the server certificate, but this is not recommended from a security perspective.

Note: To check server certificate details, perform step 1 to step 6 of Exporting root CA
certificate from external authentication and authorization server.
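The requirements above, together with the root CA trust-store prerequisite from Table 32, can be checked mechanically. The following Python script is an added example and is not part of the Nokia documentation or of NetAct; it requires the third-party cryptography package, generates a throw-away root CA and server certificate as constructed test data, and uses dc1.example.net as an assumed server FQDN.

```python
"""Check an AD server certificate against the requirements listed above.

Added example, not NetAct code. Requires the third-party 'cryptography'
package; the CA and server certificate are generated inline as constructed
test data and 'dc1.example.net' is an assumed FQDN.
"""
import datetime

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.x509.oid import ExtendedKeyUsageOID, NameOID

SHA2_FAMILY = (hashes.SHA224, hashes.SHA256, hashes.SHA384, hashes.SHA512)
UTC = datetime.timezone.utc


def _name(common_name):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)])


def _builder(subject, issuer, public_key, not_before, not_after):
    return (x509.CertificateBuilder()
            .subject_name(subject).issuer_name(issuer).public_key(public_key)
            .serial_number(x509.random_serial_number())
            .not_valid_before(not_before).not_valid_after(not_after))


def make_test_pki(server_fqdn="dc1.example.net", valid_days=365, self_signed=False):
    """Constructed test data: a root CA plus a server certificate, both as PEM bytes."""
    now = datetime.datetime.now(UTC)
    day = datetime.timedelta(days=1)
    ca_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    ca_cert = (_builder(_name("Example Root CA"), _name("Example Root CA"),
                        ca_key.public_key(), now - 30 * day, now + 3650 * day)
               .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
               .sign(ca_key, hashes.SHA256()))
    srv_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    issuer, signer = (_name(server_fqdn), srv_key) if self_signed else (ca_cert.subject, ca_key)
    srv_cert = (_builder(_name(server_fqdn), issuer, srv_key.public_key(),
                         now - 30 * day, now + valid_days * day)
                .add_extension(x509.ExtendedKeyUsage([ExtendedKeyUsageOID.SERVER_AUTH]),
                               critical=False)
                .sign(signer, hashes.SHA256()))
    return (ca_cert.public_bytes(serialization.Encoding.PEM),
            srv_cert.public_bytes(serialization.Encoding.PEM))


def _not_after_utc(cert):
    # cryptography >= 42 exposes an aware timestamp; older releases return naive UTC
    value = getattr(cert, "not_valid_after_utc", None)
    return value if value is not None else cert.not_valid_after.replace(tzinfo=UTC)


def check_server_certificate(server_pem, root_ca_pem, expected_fqdn):
    """Return the list of violated requirements; an empty list means compliant."""
    cert = x509.load_pem_x509_certificate(server_pem)
    root = x509.load_pem_x509_certificate(root_ca_pem)
    issues = []
    if not isinstance(cert.signature_hash_algorithm, SHA2_FAMILY):
        issues.append("signature hash is not SHA-2")
    if getattr(cert.public_key(), "key_size", 0) < 2048:
        issues.append("public key shorter than 2048 bits")
    try:
        eku = cert.extensions.get_extension_for_class(x509.ExtendedKeyUsage).value
        if ExtendedKeyUsageOID.SERVER_AUTH not in eku:
            issues.append("Enhanced Key Usage lacks Server Authentication")
    except x509.ExtensionNotFound:
        issues.append("Enhanced Key Usage extension missing")
    if _not_after_utc(cert) <= datetime.datetime.now(UTC):
        issues.append("certificate has expired")
    common_names = [a.value for a in cert.subject.get_attributes_for_oid(NameOID.COMMON_NAME)]
    if expected_fqdn not in common_names:
        issues.append(f"subject CN {common_names} does not match FQDN {expected_fqdn}")
    if cert.issuer == cert.subject:
        issues.append("certificate is self-signed")
    else:
        # The root CA exported for the NetAct trust store must be the actual signer
        # (RSA signatures assumed, matching the keys generated above).
        try:
            root.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                     padding.PKCS1v15(), cert.signature_hash_algorithm)
        except InvalidSignature:
            issues.append("not signed by the exported root CA")
    return issues


if __name__ == "__main__":
    ca_pem, good_pem = make_test_pki()
    print("compliant:", check_server_certificate(good_pem, ca_pem, "dc1.example.net"))
    ss_ca, ss_pem = make_test_pki(self_signed=True)
    print("self-signed:", check_server_certificate(ss_pem, ss_ca, "dc1.example.net"))
    other_ca, expired_pem = make_test_pki(valid_days=-1)
    print("expired:", check_server_certificate(expired_pem, other_ca, "dc1.example.net"))
    print("wrong root CA:", check_server_certificate(good_pem, other_ca, "dc1.example.net"))
```

The last check reproduces the Table 32 trust-store requirement: a server certificate that is otherwise compliant is still rejected when the root CA placed in the trust store is not the one that signed it, which is exactly what happens when domain controllers under one domain use different CAs and only one root certificate was exported.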

28.3 Preparing NetAct

Table 33: Prerequisites on NetAct lists the prerequisites in NetAct required before integration with the external authentication and authorization server.

Requirement: NetAct installation is successful
Instructions: See Running Preventive Health Check in Preventive Health Check.

Requirement: Understand NetAct node structure
Instructions: See Node structure overview in Administering NetAct System Security.

Requirement: Check if the NetAct services are running
Instructions: See Understanding the status of a service from the smanager.pl command in NetAct Administration Overview and Operations. If any service is not started, contact the system administrator for further investigation.

Requirement: Check the license for external authentication and authorization server integration
Instructions: See Checking NetAct licenses needed for external authentication and authorization server integration for instructions.

Table 33: Prerequisites on NetAct

28.3.1 Checking NetAct licenses needed for external authentication and authorization server integration

The NetAct licenses enable you to integrate an external authentication and authorization server with NetAct successfully. This procedure describes how the NetAct Administrator checks the NetAct licenses which are needed for the external authentication and authorization server integration.

1. Log in to the NetAct Start Page as a user having permission to launch the License Manager
application.

2. To open the license file:


a) Navigate to Configuration → License Manager.
b) In License Manager, if the License Browser view is not open, click Licenses → License
Browser.
c) In the License Browser, click NetAct™ Software Licenses tab if it is not selected.
d) Click files in the License filename column.

3. Check if the feature code of the needed license is displayed.

Feature code Feature name

0000039064 NetAct to Central AD Basic

0000039065 NetAct to Central AD Volume

0000052482 NetAct to Central AD – Authorization

Note: If the feature code is not displayed, contact the system administrator to procure
and install the license.

28.4 Preparing intermediate system

This section provides information regarding the intermediate system configuration needed for the successful integration between NetAct and the external server supporting authentication and authorization.


28.4.1 Setting up firewall rules

For communication between NetAct and the external server providing authentication and authorization service, ports need to be enabled by the NetAct Administrator and the external server administrator. In case of any intermediate system between NetAct and the external authentication and authorization server, the following ports need to be enabled on the intermediate system by the intermediate system's administrator.

Configuration of firewall rules in NetAct is needed in the VMs hosting the directory server service
(dirsrv), WebSphere service (syswas), and in the Node Manager Server (NMS) that act as the
client when connecting to the external authentication and authorization server of type active directory.

Table 34: Port configuration in external server and NetAct lists the configuration of ports for communication between NetAct and the external server providing authentication and authorization service.

Source | Source port** | Destination | Destination port* | Application layer | Transport layer | Service | Destination object
VM hosting the dirsrv service | ephemeral | External authentication and authorization server | 389 | LDAP | TCP/UDP | ldap | External authentication and authorization server access through ldap
VM hosting the dirsrv service | ephemeral | External authentication and authorization server | 636 | LDAPS | TCP | ldaps | External authentication and authorization server access through ldaps
VM hosting the syswas service | ephemeral | External authentication and authorization server | 389 | LDAP | TCP/UDP | ldap | External authentication and authorization server access through ldap
VM hosting the syswas service | ephemeral | External authentication and authorization server | 636 | LDAPS | TCP | ldaps | External authentication and authorization server access through ldaps
Node Manager Server | ephemeral | External authentication and authorization server | 389 | LDAP | TCP/UDP | ldap | Connections to Directory, User Authentication, Group Policy, Trusts
Node Manager Server | ephemeral | External authentication and authorization server | 636 | LDAPS | TCP | ldaps | Connections to Directory, User Authentication, Group Policy, Trusts
Node Manager Server | ephemeral | External authentication and authorization server | 3268 | LDAP | TCP | ldap | Connections to Directory, User Authentication, Group Policy, Trusts
Node Manager Server | ephemeral | External authentication and authorization server | 3269 | LDAPS | TCP | ldaps | Connections to Directory, User Authentication, Group Policy, Trusts
Node Manager Server | ephemeral | External authentication and authorization server | 88 | Kerberos | TCP/UDP | kdc | User authentication when a corporate domain user attempts to log in to a Node Manager domain member
Node Manager Server | ephemeral | External authentication and authorization server | 464 | Kerberos | TCP/UDP | Kerberos Password V5 | User authentication when a corporate domain user attempts to change its password after login to a Node Manager domain computer
Node Manager Server | ephemeral | External DNS server | 53 | DNS | TCP/UDP | dns | User and Computer Authentication, Name Resolution, Trusts
Node Manager Server | ephemeral | External authentication and authorization server | 445 | SMB, CIFS, SMB2, DFSN, LSARPC, NbtSS | TCP/UDP | srv2.sys | Group Policy applies when the corporate domain user attempts to log in to a Node Manager domain computer; Node Manager domain resource access remotely and NTLM user authentication
Node Manager Server | ephemeral | External authentication and authorization server | 135 | RPC, EPM | TCP | RpcSs | Netlogon, group policy, trusts, other services require MSRPC call

* Destination ports mentioned can be different if the external authentication and authorization server is configured to use different ports for protocol access.
** Source ports mentioned as ephemeral are also called the dynamic port range. This range is customizable and may vary based on the corporate infrastructure. By default, this range is from 49152 to 65535. All ports in this range must be opened bi-directionally.

Table 34: Port configuration in external server and NetAct

Note: The Node Manager Server (NMS) can also be in server role under certain scenarios
when communicating with the external authentication and authorization server. So, the above
mentioned standard destination ports also need to be enabled for incoming communications
to NMS.
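The following is an added example, not part of the NetAct documentation or its tooling: it encodes the flows of Table 34 per NetAct source role (dirsrv, syswas, nms) and reports which ones a firewall allow-list does not yet cover, including the inbound rules the note above requires on the NMS. The rule-list format it parses is a constructed one for the demonstration.

```python
"""Check a firewall allow-list against the flows Table 34 requires.

Added example, not NetAct's own tooling. The rule format parsed here is
constructed for the demonstration: one rule per line,
    allow <source role> <out|in> <tcp|udp> <port or lo-hi>
where the role is dirsrv, syswas or nms. Adapt parse_rules() to the real
firewall's export format.
"""

# Destination ports and transports from Table 34, keyed by NetAct source role.
# "TCP/UDP" rows expand to one entry per transport. Port 53 goes to the
# external DNS server, all other ports to the external authentication and
# authorization server; the check keys on port and transport only.
REQUIRED = {
    "dirsrv": {(389, "tcp"), (389, "udp"), (636, "tcp")},
    "syswas": {(389, "tcp"), (389, "udp"), (636, "tcp")},
    "nms": {
        (389, "tcp"), (389, "udp"), (636, "tcp"), (3268, "tcp"), (3269, "tcp"),
        (88, "tcp"), (88, "udp"), (464, "tcp"), (464, "udp"),
        (53, "tcp"), (53, "udp"), (445, "tcp"), (445, "udp"), (135, "tcp"),
    },
}

# Default dynamic (ephemeral) range from footnote **; it must be open both ways.
EPHEMERAL = (49152, 65535)


def parse_rules(text):
    """Parse the constructed rule lines into (role, direction, proto, lo, hi) tuples."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        action, role, direction, proto, ports = line.split()
        if action != "allow":
            continue
        lo, _, hi = ports.partition("-")
        rules.append((role, direction, proto.lower(), int(lo), int(hi or lo)))
    return rules


def _covered(rules, role, direction, proto, port):
    return any(r == role and d == direction and p == proto and lo <= port <= hi
               for r, d, p, lo, hi in rules)


def missing_flows(rules):
    """Return sorted (role, direction, port, proto) tuples that no allow rule covers.

    Outbound flows come straight from Table 34. Because the NMS can also be in
    the server role towards the external server (note after the table), the
    same destination ports are required inbound on the NMS as well.
    """
    missing = []
    for role, flows in REQUIRED.items():
        directions = ("out", "in") if role == "nms" else ("out",)
        for port, proto in flows:
            for direction in directions:
                if not _covered(rules, role, direction, proto, port):
                    missing.append((role, direction, port, proto))
    return sorted(missing)


def ephemeral_return_gaps(rules):
    """Return (role, proto) pairs with no inbound rule spanning the whole ephemeral range.

    On a stateless filter the inbound half of footnote ** is what lets replies
    reach the client's ephemeral source port.
    """
    lo_req, hi_req = EPHEMERAL
    gaps = []
    for role in REQUIRED:
        for proto in ("tcp", "udp"):
            if not any(r == role and d == "in" and p == proto and lo <= lo_req and hi >= hi_req
                       for r, d, p, lo, hi in rules):
                gaps.append((role, proto))
    return sorted(gaps)


# Constructed allow-list for the demonstration; it deliberately lacks the
# outbound 3269/tcp rule, all inbound NMS rules and the dirsrv/syswas return range.
SAMPLE_RULES = """
allow dirsrv out tcp 389
allow dirsrv out udp 389
allow dirsrv out tcp 636
allow syswas out tcp 389
allow syswas out udp 389
allow syswas out tcp 636
allow nms out tcp 88
allow nms out udp 88
allow nms out tcp 389
allow nms out udp 389
allow nms out tcp 636
allow nms out tcp 3268
allow nms out tcp 464
allow nms out udp 464
allow nms out tcp 53
allow nms out udp 53
allow nms out tcp 445
allow nms out udp 445
allow nms out tcp 135
allow nms in tcp 49152-65535
allow nms in udp 49152-65535
"""
```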

28.4.2 Setting up routes in network segregation environment

A segregated environment with NetGuard requires routes to be added for communication with external
authentication and authorization server.


Note: NetAct Network Segregation is a licensed feature, which is not enabled by default.

To add routes for external authentication and authorization server in NetGuard, see Adding routes in
NetGuard in Administering Network Segregation in NetAct.

Add routes for all the Domain Controller IP addresses of external authentication and authorization
server.

28.5 Integrating external authentication and authorization server


Integration with external authentication and authorization server involves configuring NetAct directory
server and Node Manager Server (NMS).

• Enabling NetAct directory server authorization with external authentication and authorization server
• Integrating NetAct NMS with external authentication and authorization server

28.5.1 Enabling NetAct directory server authorization with external authentication and authorization server
Enabling NetAct directory server authorization to external authentication and authorization server
is done so that users in the external repository accessing NetAct (from Start Page and SSH) are
authenticated and authorized by the external authentication and authorization server. Enabling
authorization needs integration to external server to be enabled. Hence, enabling authorization
performs integration if not integrated.

Note:

• Enabling authorization of external authentication and authorization server to NetAct involves service restarts, because of which there will be a downtime and the script execution may take time to complete. Service restarts will not be performed if only authorization needs to be enabled.
• To perform only the integration operation, see Integrating NetAct directory server with external authentication and authorization server.

1. Log in as omc user to the NetAct VM hosting the dmgr service and switch to root user.


To locate the right VM, see Locating the right virtual machine for a service in Administering NetAct
Virtual Infrastructure.

2. Enable SSH login as root on all NetAct nodes. For information on how to enable root SSH login,
see Enabling root SSH login.

3. Copy the Pref_ExternalAuthServerConfig.xml file to the /etc/opt/oss/global/custom/conf/javaprefs/um location by entering:

[root] cp -pn /opt/oss/Nokia-sm_external_authentication/conf/Pref_ExternalAuthServerConfig.xml /etc/opt/oss/global/custom/conf/javaprefs/um/

4. Open the integration input parameter file /etc/opt/oss/global/custom/conf/javaprefs/um/Pref_ExternalAuthServerConfig.xml using a text editor, change the values as described in Updating external authentication and authorization server integration configuration file, and save it.

5. Obtain the root CA certificate from external authentication and authorization servers as described
in Exporting root CA certificate from external authentication and authorization server.

To convert the exported certificates to PEM format, see Converting certificates to PEM format. Copy the exported certificates to the /opt/oss/conf/external_authentication/cacerts directory.

6. Update NetAct groups with corresponding groups mapped in external authentication and
authorization server. For instructions, see Exporting NetAct groups in Administering Users and
Permissions and Mapping external group to NetAct group in Administering Users and Permissions.

7. Enable external user authorization in NetAct directory server by entering one of the following
commands:

• [root] ExternalAuthServerMgmt.sh --enableAuthorization

Or

• [root] ExternalAuthServerMgmt.sh -e

The tool performs integration followed by enabling authorization. Integration and enabling authorization are skipped if NetAct is already integrated and authorization is already enabled.

A confirmation for service restart is prompted if it is needed as part of the integration operation. The tool operation is terminated if no input is provided within 15 minutes or if a value other than y or yes (case insensitive) is provided in three attempts.

Note:

• To suppress the confirmation prompt during the execution of the tool, enter one of the following commands:

[root] ExternalAuthServerMgmt.sh --enableAuthorization --noPrompt

Or

[root] ExternalAuthServerMgmt.sh -e -n

• To update integration parameters or forcefully re-enable the external authentication and authorization server with NetAct irrespective of the current integration state, enter one of the following commands:

[root] ExternalAuthServerMgmt.sh --enableAuthorization --ignoreIntegrationState

Or

[root] ExternalAuthServerMgmt.sh -e -f

• To check the status of integration and authorization with the external authentication and authorization server, enter one of the following commands:

[root] ExternalAuthServerMgmt.sh --integrationStatus

Or

[root] ExternalAuthServerMgmt.sh -s

The tool execution stops if any of the integration steps fails. To resolve the issue, see Troubleshooting external authentication and authorization server integration failure in Troubleshooting Security Management.

8. Test the connectivity for Red Hat Directory Server by entering:

[root] ldapsearch -xLLL -D <DN_of_an_external_user> -W -s base

where DN is the full distinguished name for any external user.

For example:

[root] ldapsearch -xLLL -D "CN=extuser22,CN=Users,DC=extlab,DC=netact,DC=nsn-rdnet,DC=net" -W -s base

9. At the prompt, enter the user password.


Note: The ldapsearch command execution might take up to five minutes.

10. Disable SSH login as root on all NetAct nodes, if it was enabled in Step 2. For more information on
how to disable SSH login, see Disabling root SSH login.

Expected outcome

The NetAct directory server is integrated and authorization is enabled with the external authentication
and authorization server.

28.5.1.1 Updating external authentication and authorization server integration configuration file

The external authentication and authorization server integration configuration file (that is, /etc/opt/oss/global/custom/conf/javaprefs/um/Pref_ExternalAuthServerConfig.xml) has the relevant parameters of the external authentication and authorization servers needed during integration with NetAct. The integration configuration file serves as input to the external server integration tool (ExternalAuthServerMgmt.sh). The values for these parameters must be provided by the external server administrator.

Note: Obtain the value of the parameters listed in Table 1 by following the instructions provided in Preparing external authentication and authorization server.

If the value of the parameters listed in Table 1 contains special characters such as double quote ("), ampersand (&), left angle bracket (<), right angle bracket (>), apostrophe ('), or consecutive spaces, escape these characters as specified by the XML specification. For example, if the domain name of the external server is na"lab2903, then escape the double quote with &quot; and update the value in the XML as na&quot;lab2093.

Table 35: Parameter values lists the description for each of the parameters.

Parameter placeholder / Value

domain_name
    Change with the actual domain name of the external authentication and authorization server. Nokia recommends using the NETBIOS domain name.
    Note:
    • The integration of external authentication server supports only a single domain name.
    • The domain name must not be modified once the integration is done. However, if there are no accounts imported or migrated yet, the domain name can still be modified. If the domain name needs to be changed later, contact Nokia Technical Support.

baseDN
    Change with the user container RDN of the external authentication and authorization server. For more information, see Obtaining users container RDN of external authentication and authorization server.
    Note: Ensure that the RDN value does not contain the following characters, as these characters are not supported in NetAct:
    • plus (+)
    • comma (,)
    • double quote (")
    • forward slash (/)
    • backward slash (\)
    • left angle bracket (<)
    • right angle bracket (>)
    • semicolon (;)
    • equals (=)
    • consecutive spaces
    For example, if the RDN is CN=test,+h,DC=nalab675,DC=netact,DC=nsn-rdnet,DC=net, DC and CN are separated by a comma, but a CN or DC value cannot contain a comma or any other unsupported character. In this example, test,+h is not supported as it contains the comma and plus characters.

FQDN_ExtAuth1...N
    Change with the FQDN names of all external authentication and authorization servers. Add additional nodes in the configuration file for additional authentication servers in the same domain_name.
    Obtain the FQDN values from the external AD administrator. If unable to get them from the administrator, enter the following command from the user workstation:

    nslookup -type=SRV _ldap._tcp.dc._msdcs.<External Server Domain Name>

    where <External Server Domain Name> is the Active Directory domain name. The physically closest Active Directory domain must be preferred to reduce latency.
    Sample outcome:

    C:\> nslookup -type=SRV _ldap._tcp.dc._msdcs.xxx-xxx.net
    Server: in0211udhxxx.in.xxxx-xxxxx.com
    Address: 135.xxx.xxx.xxx
    Non-authoritative answer:
    _ldap._tcp.dc._msdcs.xxx-xxx.net SRV service location:
    svr hostname = fihedxxxx.xxx-xxx.net

    Note: In the above output, the svr hostname value indicates the FQDN.

externalAuthServerIPv4
    Change with the IPv4 address of the external authentication and authorization server relevant to the external authentication and authorization server FQDN. Any valid IP address in dotted decimal format or in CIDR notation. Remove this entry from the configuration file if the external authentication and authorization server does not support IPv4 addresses.

externalIPv4SubnetMask
    Change with the subnet mask of the IPv4 address of the external authentication and authorization server in dotted decimal format, relevant to the external authentication and authorization server FQDN. This can be omitted if the IP address is provided using CIDR notation or the external authentication and authorization server does not support IPv4 addresses.

externalAuthServerIPv6
    Change with the IPv6 address of the external authentication and authorization server relevant to the external authentication and authorization server FQDN. Any valid IP address in hexadecimal colon format or in CIDR notation. Remove this entry from the configuration file if the external authentication and authorization server does not support IPv6 addresses.

externalIPv6SubnetMask
    Change with the subnet mask of the IPv6 address of the external authentication and authorization server in hexadecimal colon format, relevant to the external authentication and authorization server FQDN. This can be omitted if the IP address is provided using CIDR notation or the external authentication and authorization server does not support IPv6 addresses.

tlsProtocol
    Change the value to startTLS or ldaps according to the preferred secure mode of communication to the external authentication and authorization server. By default, this is set to ldaps.

ldapsPort
    ldaps port used for connecting to the external authentication and authorization server. By default, this value is 636. Change it if any other port is used.

ldapPort
    ldap port used for connecting to the external authentication and authorization server. By default, this value is 389. Change it if any other port is used.

Note: externalAuthServerIPv4, externalIPv4SubnetMask, externalAuthServerIPv6 and externalIPv6SubnetMask need to be removed from the integration configuration file according to the external authentication and authorization server network configuration. For example, if the external authentication and authorization server supports only IPv4, only the fields relevant to IPv4 are needed.

Table 35: Parameter values
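The following is an added example, not part of NetAct's ExternalAuthServerMgmt.sh tooling: it checks Table 35 parameter values before they are written into Pref_ExternalAuthServerConfig.xml, applying the XML escaping rule and the unsupported-character rule for baseDN from the notes above, the plain-or-CIDR address rule, and the tlsProtocol and port defaults. It does not know the file's XML schema, so it only returns the problems found and the escaped strings; the FQDN and IP sample values are constructed.

```python
"""Validate Table 35 parameter values for Pref_ExternalAuthServerConfig.xml.

Added example, not part of NetAct's ExternalAuthServerMgmt.sh tooling. The
file's XML schema is not reproduced here: validate_config() returns the
problems it finds plus XML-escaped strings ready to paste into the file.
"""
import ipaddress
from xml.sax.saxutils import escape

# Characters Table 35 lists as unsupported inside an RDN attribute value.
RDN_FORBIDDEN = set('+,"/\\<>;=')
ALLOWED_TLS = ("startTLS", "ldaps")


def xml_escape_value(value):
    """Escape &, <, >, " and ' as the XML specification requires (na"lab -> na&quot;lab)."""
    return escape(value, {'"': "&quot;", "'": "&apos;"})


def check_base_dn(base_dn):
    """Return problems with the user container RDN, empty when it is acceptable.

    A component without '=' means a comma sits inside a value, as in the
    page's CN=test,+h example, which NetAct does not support.
    """
    problems = []
    for component in base_dn.split(","):
        attr, sep, value = component.partition("=")
        attr = attr.strip()
        if not sep or not attr or not value:
            problems.append(f"baseDN component {component!r} is not attr=value")
            continue
        bad = "".join(sorted(set(value) & RDN_FORBIDDEN))
        if bad:
            problems.append(f"baseDN {attr} value {value!r} contains unsupported {bad!r}")
        if "  " in value:
            problems.append(f"baseDN {attr} value {value!r} contains consecutive spaces")
    return problems


def check_address(value, version):
    """Accept a plain address or CIDR of the given IP version, as Table 35 allows."""
    try:
        return ipaddress.ip_network(value, strict=False).version == version
    except ValueError:
        return False


def validate_config(params):
    """Validate a dict of Table 35 placeholders -> values.

    Returns (problems, escaped). Address entries are optional: they are removed
    from the file when the external server does not support that IP version,
    and the subnet mask may be omitted only when the address is in CIDR form.
    """
    problems = []
    if not params.get("domain_name", "").strip():
        problems.append("domain_name is empty")
    problems += check_base_dn(params.get("baseDN", ""))
    if not [k for k in params if k.startswith("FQDN_ExtAuth")]:
        problems.append("at least one FQDN_ExtAuth entry is required")
    for version, addr_key, mask_key in (
            (4, "externalAuthServerIPv4", "externalIPv4SubnetMask"),
            (6, "externalAuthServerIPv6", "externalIPv6SubnetMask")):
        addr = params.get(addr_key)
        if addr is None:
            continue  # entry removed: this IP version is not supported
        if not check_address(addr, version):
            problems.append(f"{addr_key} {addr!r} is not a valid IPv{version} address or CIDR")
        elif "/" not in addr and mask_key not in params:
            problems.append(f"{mask_key} is required when {addr_key} is not in CIDR notation")
    if params.get("tlsProtocol", "ldaps") not in ALLOWED_TLS:
        problems.append("tlsProtocol must be startTLS or ldaps")
    for key, default in (("ldapsPort", 636), ("ldapPort", 389)):
        port = str(params.get(key, default))
        if not (port.isdigit() and 1 <= int(port) <= 65535):
            problems.append(f"{key} {port!r} is not a valid port")
    escaped = {k: xml_escape_value(str(v)) for k, v in params.items()}
    return problems, escaped


# Constructed values for the demonstration, not a real deployment; the baseDN
# reuses the page's example domain components, the FQDN and IP are made up.
SAMPLE = {
    "domain_name": 'na"lab2903',
    "baseDN": "CN=Users,DC=nalab675,DC=netact,DC=nsn-rdnet,DC=net",
    "FQDN_ExtAuth1": "dc1.nalab675.example",
    "externalAuthServerIPv4": "192.0.2.10",
    "externalIPv4SubnetMask": "255.255.255.0",
    "tlsProtocol": "ldaps",
    "ldapsPort": 636,
    "ldapPort": 389,
}
```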


28.5.1.2 Integrating NetAct directory server with external authentication and authorization server

Integration of NetAct directory server to external authentication and authorization server is done
so that users in the external repository accessing NetAct (from Start Page and SSH) are only
authenticated by the external authentication and authorization server.

Note: Performing integration with external authentication and authorization server in NetAct
involves service restarts, because of which there will be a downtime and the script execution
might take time to complete.

1. Log in as omc user to the NetAct VM hosting the dmgr service and switch to root user.

To locate the right VM, see Locating the right virtual machine for a service in Administering NetAct
Virtual Infrastructure.

2. Enable SSH login as root on all NetAct nodes. For information on how to enable root SSH login,
see Enabling root SSH login.

3. Copy the Pref_ExternalAuthServerConfig.xml file to the /etc/opt/oss/global/custom/conf/javaprefs/um location by entering:

[root] cp -pn /opt/oss/Nokia-sm_external_authentication/conf/Pref_ExternalAuthServerConfig.xml /etc/opt/oss/global/custom/conf/javaprefs/um/

4. Open the /etc/opt/oss/global/custom/conf/javaprefs/um/Pref_ExternalAuthServerConfig.xml integration input parameter file using a text editor, change the values as described in Updating external authentication and authorization server integration configuration file, and save it.

5. Obtain the root CA certificate from external authentication and authorization servers as described
in Exporting root CA certificate from external authentication and authorization server.

To convert the exported certificates to PEM format, see Converting certificates to PEM format. Copy the exported certificates to the /opt/oss/conf/external_authentication/cacerts directory.

6. Enable external user authentication in NetAct directory server by entering one of the following
commands:

• [root] ExternalAuthServerMgmt.sh --integrate

Or

• [root] ExternalAuthServerMgmt.sh -i

Tool skips enabling, if authentication is enabled already.


A confirmation for service restart is prompted as part of enabling the external authentication feature. The tool operation is terminated if no input is provided within 15 minutes or if a value other than y or yes (case insensitive) is provided in three attempts.

The tool execution stops if any of the integration steps fails during enabling authentication. To resolve the issue, see Troubleshooting external authentication and authorization server integration failure in Troubleshooting Security Management.

7. Test the connectivity for Red Hat Directory Server by entering:

[root] ldapsearch -xLLL -D <DN_of_an_external_user> -W -s base

where DN is the full distinguished name for any external user.

For example:

[root] ldapsearch -xLLL -D "CN=extuser22,CN=Users,DC=extlab,DC=netact,DC=nsn-rdnet,DC=net" -W -s base

8. At the prompt, enter the user password.

Note: The ldapsearch command execution might take up to five minutes.

9. Disable SSH login as root on all NetAct nodes if it was enabled in step 2. For more information on
how to disable SSH login, see Disabling root SSH login.

Note:

• To suppress the confirmation prompt during the execution of the tool, enter one of the following commands:

[root] ExternalAuthServerMgmt.sh --integrate --noPrompt

Or

[root] ExternalAuthServerMgmt.sh -i -n

• To update integration parameters or forcefully integrate external authentication with NetAct irrespective of the current integration state, enter one of the following commands:

[root] ExternalAuthServerMgmt.sh --integrate --ignoreIntegrationState

Or

[root] ExternalAuthServerMgmt.sh -i -f

• To check the status of the external authentication server integration with NetAct, enter one of the following commands:

[root] ExternalAuthServerMgmt.sh --integrationStatus

Or

[root] ExternalAuthServerMgmt.sh -s

28.5.2 Integrating NetAct NMS with external authentication and authorization server

Integrate the NetAct NMS with the external authentication server so that users from the external repository accessing the NetAct Access Server (from Citrix or RDP) are authenticated and authorized in the external repository.

28.5.2.1 Setup bi-directional DNS forwarding

Note: To set up bi-directional DNS forwarding, use either of the following methods:

• Setup forwarding using stub zones
• Setup forwarding using conditional forwarders

It is important that the NMS and the external authentication and authorization servers resolve each other's services and names. The Domain Name Service (DNS) servers handle the name and service resolution.

As part of this activity:

• The NetAct administrator and the external server administrators are jointly required to understand, plan, and select the stub zone vs. conditional forwarder based on:

  – the corporate network infrastructure.
  – the frequency of DNS server IP address changes.
  – any corporate zone transfer security policies in place.

  For more information, see Stub zone and conditional forwarders comparison.
• If non-Microsoft based DNS servers are used in the corporate domain, check with the vendor for the recommended approach.
• The external server administrator must set up a stub zone or conditional forwarder towards the Node Manager's DNS servers.
• The NetAct administrator must set up a stub zone or conditional forwarder towards the external DNS server. To set up a stub zone, see Setup forwarding using stub zones. To set up a conditional forwarder, see Setup forwarding using conditional forwarders.

Note: The DNS setup is verified with the Microsoft-provided DNS servers. Any standard DNS server can be used to accomplish the bi-directional lookups, but the procedure described in the following sections might vary; check with the DNS vendor for support.

28.5.2.1.1 Stub zone and conditional forwarders comparison

Table 36: Stub zone vs. conditional forwarders lists the differences between the stub zone and conditional forwarders.

Stub zone

A stub zone is a copy of a zone that contains only the resource records necessary to identify the authoritative Domain Name System (DNS) servers for that zone. This includes Name Server (NS) and Start of Authority (SOA) records. The stub zone performs a zone transfer for these records.

• The stub zone automatically updates the NS records, that is, if you add new DNS servers or remove existing DNS servers in the corporate AD, the NS records are replicated in the NMS DNS server automatically, and the other way around.
• The stub zone requires zone transfer, which might require permissions to be granted in the target DNS servers.
• The DNS server of the other side is responsible for responding to the queries for A and SRV records.
• Stub zones are helpful if the name server's IP addresses are not fixed and might change frequently.

Conditional forwarders

A conditional forwarder forwards the DNS queries according to the DNS domain name in the query to preset DNS servers. This does not require a zone transfer.

• The conditional forwarder matches the domain name in the query and forwards the query to the Node Manager's DNS server.
• There is no zone transfer required for conditional forwarders. Some administrators consider conditional forwarders to be more secure because there is no need to expose any zone information to the other side.
• The conditional forwarders are preferred in case the DNS servers have fixed IP addresses, which do not change.
• If conditional forwarders are used, the administrators of both the corporate AD and NetAct are required to notify each other whenever a DNS server IP address changes. For the Node Manager, this might happen if Domain Controller VMs are added or removed. To modify the conditional forwarders in the Node Manager's DNS servers, see Modifying conditional forwarder (post integration step). For more information, see Contrasting stub zones and conditional forwarders.

Table 36: Stub zone vs. conditional forwarders

28.5.2.1.2 Setup forwarding using stub zones

If the NetAct administrator and the external server administrators jointly choose to set up stub zones, do the following procedures in sequential order:

1. Enabling zone transfer for specific DNS servers
2. Configuring Node Manager DNS zone in external DNS server
3. Creating forward lookup stub zone from NetAct NMS to external DNS server

28.5.2.1.2.1 Enabling zone transfer for specific DNS servers


By default, the zone transfer is disabled in the Microsoft provided DNS servers. For setting up the stub
zones, the zone transfer must be enabled from the Node Manager DNS servers to the specific DNS
servers.

1. Log in as domain administrator to the master NMS DC VM.

Note: To identify the master NMS DC VM, see Appendix B: Checking role information on
Node Manager Server in Administering Node Manager Server.

2. Click Start → Windows Administrative Tools.

The Administrative Tools window opens.

3. Double-click DNS.

The DNS application opens.

4. Expand <domain name> → Forward Lookup Zone.

5. Right-click the DNS domain's zone name and click Properties.

Note: The DNS domain's zone name must not start with _msdcs.

The Properties dialog box appears.

6. Click the Zone Transfers tab.

Ensure Allow zone transfers check box is selected.

7. Select Only to the following servers option.

8. Click Edit.


The Allow Zone Transfers dialog box appears.

9. Type the IP addresses of all corporate DNS servers and click OK.

10. Click OK.

The modifications are saved.

11. Close the zone's Properties dialog box.

Note: Similarly, zone transfer must be enabled in the external DNS server.

Expected outcome

The zone transfer is enabled for specific DNS servers.

28.5.2.1.2.2 Configuring Node Manager DNS zone in external DNS server


The external authentication and authorization servers must resolve the Node Manager domain
member's IP address and service records.

To create a stub zone in the external DNS server, the NetAct administrator must provide the following
information to the external server administrator:

• The DNS domain name of the Node Manager domain
• The IP address of all the Node Manager DNS servers

Note: For the stub zone, the communication between the DNS servers of both sides must be
through port 53. For more information, see Preparing intermediate system.

Procedure

• To find the DNS domain name of the Node Manager domain, do the following:
a) Log in to the master NMS DC VM as a domain administrator.

To identify the master DC VM, see Appendix B: Checking role information on Node Manager
Server in Administering Node Manager Server.
b) Open the Windows PowerShell by doing the following:

1. Right-click Start and select Search.
2. In the search field, type Windows PowerShell.
3. Click Windows PowerShell.

The Windows PowerShell prompt appears.


4. Enter the following command:

PS C:\> Get-ADDomain | Select DNSRoot

28.5.2.1.2.3 Creating forward lookup stub zone from NetAct NMS to external DNS server
The forward lookup stub zone enables the Node Manager to resolve the external authentication and
authorization server's service records and Fully Qualified Domain Name (FQDN) to IP addresses.
The NetAct Administrator creates the forward lookup zones from the NetAct NMS to the external
authentication and authorization server.

1. Ensure that the zone transfer is possible from the external DNS server. The external server
administrator must ensure that the zone transfer is permitted for the Node Manager domain
controllers.

2. Log in as domain administrator to the master NMS DC VM.

Note: To identify the master NMS DC VM, see Appendix B: Checking role information on
Node Manager Server in Administering Node Manager Server.

3. Open Windows PowerShell by doing the following:

a) Right-click Start and select Search.
b) In the search field, type Windows PowerShell.
c) Click Windows PowerShell.

The Windows PowerShell prompt appears.

4. Create a forward lookup stub zone by entering:

Add-DnsServerStubZone -Name <External Server DNS Domain Name> -MasterServers <External Server DNS IP> -PassThru -ReplicationScope "Forest"

where:

• <External Server DNS Domain Name> is the domain name of the external authentication and
authorization server's DNS zone (this is a different setting from the Active Directory domain
name, although the two values are often identical).
• <External Server DNS IP> is the IP address of the external authentication and authorization
server hosting the DNS service.
• The DNS server specified must be authoritative for this DNS zone.
• Enter comma-separated IP addresses for multiple DNS servers.

For example:

PS C:\> Add-DnsServerStubZone -Name clabxxx.netact.nsn-rdnet.net -MasterServers 10.93.134.1,10.93.134.2 -PassThru -ReplicationScope "Forest"

Note: Wait for the zone transfer to complete. This might take several minutes depending
on the network connectivity and the complexity of the corporate infrastructure.

5. Check the zone transfer completion status by entering:

Get-DnsServerZone -Name <External Server DNS Domain Name> | Select LastSuccessfulZoneTransfer

where <External Server DNS Domain Name> is the domain name of the external authentication and
authorization server's DNS zone used in step 4.

If the reported time is around 1/1/1970, the zone transfer is still ongoing. If the zone transfer
has completed, the current date and time appears.

Note: If the zone transfer is incomplete, wait for some time, and then re-run the
command.

6. Verify that the zone returns the service records (SRV) for the external authentication and
authorization server by entering:

nslookup -type=SRV _ldap._tcp.dc._msdcs.<External Server Domain Name>

where <External Server Domain Name> is the Active Directory domain name.

Expected outcome

The forward lookup zone from the NetAct NMS to the external authentication and authorization server
is created and nslookup resolves the queried domain.

Sample output:

PS C:\> nslookup -type=SRV _ldap._tcp.dc._msdcs.clabxxx.netact.nsn-rdnet.net
1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa
primary name server = 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa
responsible mail addr = (root)
serial = 0
refresh = 28800 (8 hours)
retry = 7200 (2 hours)
expire = 604800 (7 days)
default TTL = 86400 (1 day)
Server: UnKnown
Address: ::1
Non-authoritative answer:
_ldap._tcp.dc._msdcs.clabxxx.netact.nsn-rdnet.net SRV service location:
priority = 0
weight = 100
port = 389
svr hostname = clabxxxnode01.clabxxx.netact.nsn-rdnet.net
clabxxxnode01.clabxxx.netact.nsn-rdnet.net internet address = 192.0.2.0

28.5.2.1.3 Setup forwarding using conditional forwarders

To resolve the IP address and the service records of the other domain, forwarding must be set up using
conditional forwarders. To set up the forwarding using conditional forwarders, do the following
procedures in sequential order:

1. Configuring forwarding to Node Manager DNS in external DNS server
2. Creating conditional forwarder from NetAct NMS to external DNS server
3. Modifying conditional forwarder (post integration step)

28.5.2.1.3.1 Configuring forwarding to Node Manager DNS in external DNS server


The external authentication and authorization servers must resolve the IP addresses and the
service records of the Node Manager domain members.

To create a conditional forwarder in the external DNS server, the NetAct administrator must provide
the following information to the external server administrator:

• The DNS domain name of the Node Manager domain
• The IP address of all the Node Manager DNS servers

Note:

– If new Node Manager Domain Controllers are added or existing ones are removed, the IP
addresses of the Node Manager DNS servers must be manually updated by the external
server administrator.
– For the conditional forwarder to function, the communication must be through port
53. For more information, see Preparing intermediate system.

Procedure

• To find the DNS domain name of the Node Manager domain, do the following:
a) Log in as domain administrator to the master NMS DC VM.

To identify the master NMS DC VM, see Appendix B: Checking role information on Node
Manager Server in Administering Node Manager Server.
b) Open the Windows PowerShell by doing the following:

1. Right-click Start and select Search.
2. In the search field, type Windows PowerShell.
3. Click Windows PowerShell.

The Windows PowerShell prompt appears.

4. Enter the following command:

PS C:\> Get-ADDomain | Select DNSRoot

28.5.2.1.3.2 Creating conditional forwarder from NetAct NMS to external DNS server
The conditional forwarder redirects the DNS queries to the external DNS server so that the Node
Manager can resolve the external authentication and authorization server's service records and fully
qualified domain name to IP address. The NetAct Administrator creates the conditional forwarder from
the NetAct NMS to the external authentication and authorization server.

1. Log in as domain administrator to the master NMS DC VM.

Note: To identify the master NMS DC VM, see Appendix B: Checking role information on
Node Manager Server in Administering Node Manager Server.

2. Open the Windows PowerShell by doing the following:

a) Right-click Start and select Search.
b) In the search field, type Windows PowerShell.
c) Click Windows PowerShell.

The Windows PowerShell prompt appears.

3. Create the conditional forwarder zone by entering:

Add-DnsServerConditionalForwarderZone -Name <External Server DNS Domain Name> -MasterServers <External Server DNS IP> -PassThru -ReplicationScope "Forest"

where:

• <External Server DNS Domain Name> is the domain name of the external authentication and
authorization server's DNS zone (this is a different setting from the Active Directory domain
name, although the two values are often identical).
• <External Server DNS IP> is the IP address of the external authentication and authorization
server hosting the DNS service.
• The DNS server specified must be authoritative for this DNS zone.
• Enter comma-separated IP addresses for multiple DNS servers.

For example:

PS C:\> Add-DnsServerConditionalForwarderZone -Name clabxxx.netact.nsn-rdnet.net -MasterServers 10.93.134.1,10.93.134.2 -PassThru -ReplicationScope "Forest"

4. Verify that the zone returns the service records (SRV) for the external authentication and
authorization server by entering:

nslookup -type=SRV _ldap._tcp.dc._msdcs.<External Server Domain Name>

where <External Server Domain Name> is the Active Directory domain name.

Expected outcome

The conditional forwarder from the NetAct NMS to the external authentication and authorization server
is created and nslookup resolves the queried domain.

Sample output for a domain with one Domain Controller:

PS C:\> nslookup -type=SRV _ldap._tcp.dc._msdcs.clabxxx.netact.nsn-rdnet.net
1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa
primary name server = 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa
responsible mail addr = (root)
serial = 0
refresh = 28800 (8 hours)
retry = 7200 (2 hours)
expire = 604800 (7 days)
default TTL = 86400 (1 day)
Server: UnKnown
Address: ::1
Non-authoritative answer:
_ldap._tcp.dc._msdcs.clabxxx.netact.nsn-rdnet.net SRV service location:
priority = 0
weight = 100
port = 389
svr hostname = clabxxxnode01.clabxxx.netact.nsn-rdnet.net
clabxxxnode01.clabxxx.netact.nsn-rdnet.net internet address = 192.0.2.0
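The stub zone procedure (28.5.2.1.2.3) and the conditional forwarder procedure (28.5.2.1.3.2) both end with the same manual nslookup check. The PowerShell below is an added example and is not part of the NetAct documentation or of Nokia's tooling: it wraps the page's Add-DnsServerStubZone / Add-DnsServerConditionalForwarderZone call so that the step can be re-run safely, waits for the stub zone transfer instead of polling LastSuccessfulZoneTransfer by hand, and resolves the _ldap._tcp.dc._msdcs SRV records with Resolve-DnsName, additionally checking that every domain controller the SRV records advertise resolves to an address. The function and parameter names, and the zone and address values in the usage lines, are the example's own placeholders; it assumes it runs on the master NMS DC VM, where the DnsServer module is available.

```powershell
# Added example: not from the NetAct manual. Function and parameter names are
# the example's own; zone names and IP addresses in the usage lines are placeholders.

function Add-ExternalDnsZone {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string]   $ZoneName,       # <External Server DNS Domain Name>
        [Parameter(Mandatory)] [string[]] $MasterServers,  # <External Server DNS IP>, one or more
        [ValidateSet('Stub', 'Forwarder')] [string] $Mode = 'Stub',
        [int] $TransferTimeoutSeconds = 600
    )

    # Add-DnsServer*Zone fails if the zone already exists, so make the step re-runnable.
    $existing = Get-DnsServerZone -Name $ZoneName -ErrorAction SilentlyContinue
    if ($existing) {
        Write-Warning "Zone $ZoneName already exists (ZoneType: $($existing.ZoneType)); leaving it unchanged."
    }
    elseif ($Mode -eq 'Stub') {
        Add-DnsServerStubZone -Name $ZoneName -MasterServers $MasterServers -PassThru -ReplicationScope 'Forest'
    }
    else {
        Add-DnsServerConditionalForwarderZone -Name $ZoneName -MasterServers $MasterServers -PassThru -ReplicationScope 'Forest'
    }

    if ($Mode -eq 'Stub') {
        # A stub zone answers nothing until its first transfer from the master servers has
        # completed; the manual's sign of "not yet transferred" is a timestamp around 1/1/1970.
        $deadline = (Get-Date).AddSeconds($TransferTimeoutSeconds)
        do {
            $zone = Get-DnsServerZone -Name $ZoneName
            $transferred = ($null -ne $zone.LastSuccessfulZoneTransfer) -and ($zone.LastSuccessfulZoneTransfer.Year -gt 1970)
            if (-not $transferred) { Start-Sleep -Seconds 15 }
        } until ($transferred -or (Get-Date) -gt $deadline)

        if (-not $transferred) {
            throw ("Zone transfer for $ZoneName has not completed after $TransferTimeoutSeconds s. " +
                   "Check that the external DNS server allows transfers to the Node Manager DCs and that port 53 is open.")
        }
    }
}

function Test-ExternalDcSrvRecords {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $AdDomainName   # <External Server Domain Name> (Active Directory domain)
    )

    # The same query the manual runs with nslookup: the LDAP SRV records of the external DCs.
    $srvName = "_ldap._tcp.dc._msdcs.$AdDomainName"
    $srv = Resolve-DnsName -Name $srvName -Type SRV -ErrorAction Stop | Where-Object { $_.Type -eq 'SRV' }
    if (-not $srv) { throw "No SRV records returned for $srvName; the zone is not resolving yet." }

    foreach ($record in $srv) {
        # Every DC the SRV record advertises must itself resolve, otherwise trust and logon
        # traffic directed at that DC fails even though the SRV lookup succeeded.
        $a = Resolve-DnsName -Name $record.NameTarget -Type A -ErrorAction SilentlyContinue |
             Where-Object { $_.Type -eq 'A' }
        [pscustomobject]@{
            DomainController = $record.NameTarget
            Port             = $record.Port
            Priority         = $record.Priority
            Weight           = $record.Weight
            IPAddress        = if ($a) { @($a.IPAddress) -join ', ' } else { 'UNRESOLVED' }
        }
    }
}

# Usage on the master NMS DC VM (placeholder values, matching the manual's examples):
# Add-ExternalDnsZone -ZoneName 'clabxxx.netact.nsn-rdnet.net' -MasterServers '10.93.134.1','10.93.134.2' -Mode Stub
# Test-ExternalDcSrvRecords -AdDomainName 'clabxxx.netact.nsn-rdnet.net' | Format-Table -AutoSize
```

Pass -Mode Forwarder to get the conditional forwarder variant; the transfer wait is skipped in that case because a conditional forwarder holds no zone data. A row with IPAddress UNRESOLVED means the external zone advertises a domain controller whose host record the NMS cannot see, which the nslookup check alone does not reveal.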

28.5.2.1.3.3 Modifying conditional forwarder (post integration step)


This section describes how to modify a conditional forwarder when new external DNS servers are
added, existing DNS servers are removed, or if the IP address of the DNS server changes.

1. Log in as domain administrator to the master NMS DC VM.

Note: To identify the master NMS DC VM, see Appendix B: Checking role information on
Node Manager Server in Administering Node Manager Server.

2. Open the Windows PowerShell by doing the following:

a) Right-click Start and select Search.
b) In the search field, type Windows PowerShell.
c) Click Windows PowerShell.

The Windows PowerShell prompt appears.

3. Modify the conditional forwarder zone by entering:

Set-DnsServerConditionalForwarderZone -Name <External Server DNS Domain Name> -MasterServers <External Server DNS IP> -PassThru

where:

• <External Server DNS Domain Name> is the domain name of the external authentication and
authorization server's DNS zone (this is a different setting from the Active Directory domain
name, although the two values are often identical).
• <External Server DNS IP> is the IP address of the external authentication and authorization
server hosting the DNS service.
• The DNS server specified must be authoritative for this DNS zone.
• Enter comma-separated IP addresses for multiple DNS servers.

For example:

PS C:\> Set-DnsServerConditionalForwarderZone -Name clabxxx.netact.nsn-rdnet.net -MasterServers 10.93.134.1,10.93.134.2 -PassThru

4. Verify that the zone returns the service records (SRV) for the external authentication and
authorization server by entering:

nslookup -type=SRV _ldap._tcp.dc._msdcs.<External Server Domain Name>

where <External Server Domain Name> is the Active Directory domain name.

Expected outcome

The conditional forwarder from the NetAct NMS to the external authentication and authorization server
is updated and nslookup resolves the queried domain.

Sample output:

PS C:\> nslookup -type=SRV _ldap._tcp.dc._msdcs.clabxxx.netact.nsn-rdnet.net
1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa
primary name server = 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa
responsible mail addr = (root)
serial = 0
refresh = 28800 (8 hours)
retry = 7200 (2 hours)
expire = 604800 (7 days)
default TTL = 86400 (1 day)
Server: UnKnown
Address: ::1
Non-authoritative answer:
_ldap._tcp.dc._msdcs.clabxxx.netact.nsn-rdnet.net SRV service location:
priority = 0
weight = 100
port = 389
svr hostname = clabxxxnode01.clabxxx.netact.nsn-rdnet.net
clabxxxnode01.clabxxx.netact.nsn-rdnet.net internet address = 192.0.2.0

Note: If the Node Manager domain controllers are added or removed, you must update the
records in the external DNS servers also.

28.5.2.2 Creating one-way external trust


The NetAct administrator creates a one-way trust between the NetAct NMS and the external server that
provides the authentication and authorization service (of type Active Directory). Because the trust
is outgoing only, users of the external authentication and authorization server can access resources in
the NetAct NMS, while NMS accounts gain no access in the other direction.

1. Log in to the master NMS DC VM as domain administrator.

Note: To identify the master DC VM, see Appendix B: Checking role information on Node
Manager Server in Administering Node Manager Server.

2. Go to Start → Windows Administrative Tools → Active Directory Domains and Trusts.

The Active Directory Domains and Trusts window appears.

3. Right-click the NMS domain name and select Properties.

The domain name Properties dialog box appears.

4. Click the Trusts tab.

5. Click New Trust....

The New Trust Wizard dialog box appears.

6. Click Next.

7. Enter the DNS zone’s domain name of the external authentication and authorization server in the
Name field and click Next.

For example: mydomain.mycompany.com

8. Select External Trust and click Next.

The Direction of Trust window appears.

9. Select One-way: outgoing and click Next.

10. Select Both this domain and the specified domain and click Next.

The User Name and Password window appears.

11. Type User name and Password of the domain admin from the external authentication and
authorization server and click Next.

The Outgoing Trust Authentication Level-Local Domain window appears.

12. Select Domain-wide authentication and click Next.

The Trust Selections Complete window appears.

13. Verify Trust settings and click Next.

The Trust Creation Complete window appears.

14. Verify Status of changes and click Next.

The Confirm Outgoing Trust window appears.

15. Select Yes, confirm the outgoing trust option and click Next.

16. Click Finish to close New Trust Wizard.

17. Click OK to close the domain’s Properties dialog box.

Note:

Depending on the corporate domain's security policies, an Active Directory Domain Services
dialog box may appear informing you about SID filtering.

SID filtering is a security feature from Microsoft and normally does not impact login to
NetAct Node Manager Server (NMS) as an external user: it only discards SIDs in an external user's
token that do not belong to the trusted external domain (such as SID history entries from a third
domain), so group memberships defined in the external domain itself are unaffected.

18. Click OK to close the dialog box.

Expected outcome

The new trust is created successfully.
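The wizard leaves no command-line record of what it created. The PowerShell below is an added example, not part of the NetAct documentation: it reads the trust object back with Get-ADTrust (ActiveDirectory module, run on the master NMS DC VM) and checks that it matches the selections made in steps 8, 9 and 12, reporting as well the SID filtering (quarantine) state that the note above refers to. The function name and the domain in the usage line are the example's own placeholders.

```powershell
# Added example: not from the NetAct manual. The function name and the domain
# name in the usage line are the example's own placeholders.

function Test-NmsOutgoingTrust {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $ExternalDomain   # name entered in the wizard's Name field (step 7)
    )

    $trust = Get-ADTrust -Filter "Name -eq '$ExternalDomain'" -ErrorAction Stop
    if (-not $trust) { throw "No trust object named $ExternalDomain exists in the NMS domain." }

    # Map each wizard selection to the attribute it sets on the trustedDomain object.
    $checks = [ordered]@{
        'Step 8: External Trust (not forest-transitive)' = (-not $trust.ForestTransitive) -and (-not $trust.IntraForest)
        'Step 9: One-way: outgoing'                       = "$($trust.Direction)" -eq 'Outbound'
        'Step 12: Domain-wide authentication'             = -not $trust.SelectiveAuthentication
    }
    foreach ($name in $checks.Keys) {
        $state = if ($checks[$name]) { 'OK  ' } else { 'FAIL' }
        Write-Verbose "$state $name"
    }

    [pscustomobject]@{
        Trust                   = $trust.Name
        Target                  = $trust.Target
        Direction               = "$($trust.Direction)"
        SelectiveAuthentication = $trust.SelectiveAuthentication
        # True means SID filtering (quarantine) is active: SIDs that are not from the
        # trusted domain are dropped from external users' tokens. This is the default
        # for an external trust and is the state the manual's note refers to.
        SIDFilteringQuarantined = $trust.SIDFilteringQuarantined
        MatchesProcedure        = -not ($checks.Values -contains $false)
    }
}

# Usage (placeholder domain, as in step 7):
# Test-NmsOutgoingTrust -ExternalDomain 'mydomain.mycompany.com' -Verbose
```

MatchesProcedure is False when any of the three settings differs from the procedure, for example if Selective authentication was chosen in step 12; the -Verbose lines show which check failed.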

28.5.2.3 Adding universal group of external authentication and authorization server as member of NMS groups
The Node Manager Server (NMS) groups already define fine-grained policies for access to NMS
resources. Universal groups in the external authentication and authorization server must be added as
members of these NMS groups so that the users who belong to those universal groups in the external
authentication and authorization server are also governed by the same policies. This procedure must
be performed by the NetAct Administrator.

Note: As NetAct_Administrator is a domain local group, it cannot be associated
with the universal groups in the external authentication and authorization server. Instead,
add the universal group corresponding to NetAct_Administrator (for example,
NAcluster1_Administrators) in the external authentication and authorization server to the NMS
group extNetAct_Administrators.

1. Log in to the master NMS DC VM as domain administrator.

Note: To identify the master DC VM, see Appendix B: Checking role information on Node
Manager Server in Administering Node Manager Server.

2. Open Windows PowerShell by doing the following:

a) Right-click Start and select Search.
b) In the search field, type Windows PowerShell.
c) Click Windows PowerShell.

The Windows PowerShell prompt appears.

3. Authenticate with corporate user credentials by entering:

$Cred = Get-Credential <corp-domain>\<corp-user>

where:

• <corp-domain> is the domain name of the external authentication and authorization server
Active Directory.
• <corp-user> is the login name for the external authentication and authorization server directory.
This login account must be a domain administrator (member of the Domain Admins group) in the
external authentication and authorization server directory.

At the prompt, provide the <corp-domain>\<corp-user> password, and then click OK.

4. For each NMS group identified in Creating new group in external authentication and authorization
server, do the following:
a) On the command line, enter the following command to fetch the universal group object from the
external authentication and authorization server:

$Group = Get-ADGroup -Server <Domain Name of external server> -Identity <Universal Group in external server> -Credential $Cred

where:

• <Domain Name of external server> is the domain name of the external authentication and
authorization server's DNS zone.
• <Universal Group in external server> is the name of the universal group in the external
authentication and authorization server. Example: NAcluster1_Users.
b) On the command line, enter the following command to add the external authentication server
group as a member of the NMS AD group:

Add-ADGroupMember -Identity <NMS AD Group with Domain Local scope> -Members $Group

where <NMS AD Group with Domain Local scope> is the NMS group to which the
universal group from the external authentication and authorization server must be added.

For example: NetAct_Users.

28.5.2.4 Adding universal group from external authentication and authorization server as member of default Administrators group in NMS AD (Optional)

This procedure is optional. Because of the sensitivity of the Domain Controllers, by design, the
members of extNetAct_Administrators are not permitted to perform administrative tasks in Domain
Controller VMs of NetAct NMS. However, if extNetAct_Administrators must perform administration
tasks in Domain Controller, this behaviour can be modified by the NetAct Administrator.

1. Log in to the master NMS DC VM as domain administrator.

Note: To identify the master DC VM, see Appendix B: Checking role information on Node
Manager Server in Administering Node Manager Server.

2. Open Windows PowerShell by doing the following:

a) Right-click Start and select Search.
b) In the search field, type Windows PowerShell.
c) Click Windows PowerShell.

The Windows PowerShell prompt appears.

3. On the command line, enter the following command to fetch the universal group object from the
external authentication and authorization server:

$Group = Get-ADGroup -Server <Domain Name of external server> -Identity <Universal Group of NetAct administrator in external server> -Credential <corp-domain>\<corp-user>

where:

• <Domain Name of external server> is the domain name of the external authentication and
authorization server's DNS zone.
• <Universal Group of NetAct administrator in external server> is the
universal group name in the external authentication and authorization server. For example,
NAcluster1_Administrators.
• <corp-domain> is the domain used to log in to trusted members of the corporate Active
Directory.
• <corp-user> is the login name for the corporate directory. This login account must be a domain
administrator (member of the Domain Admins group) in the corporate directory.

At the prompt, provide the <corp-domain>\<corp-user> password, and then click OK.

4. On the command line, enter the following command to add the external authentication and
authorization server group as member of NMS Master DC VM default Administrators group:

Add-ADGroupMember -Identity Administrators -Members $Group

Expected outcome

The universal group from external authentication and authorization server gets added as a member of
default Administrators group in NMS AD.
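Procedures 28.5.2.3 and 28.5.2.4 repeat the same Get-ADGroup / Add-ADGroupMember pair once per group. The PowerShell below is an added example, not part of the NetAct documentation: it drives that pair from a list of mappings, enforces the scope rule the note in 28.5.2.3 relies on (only a universal group from the external domain can be nested, and only into a domain local NMS group), and tests existing membership by SID so the procedure can be re-run without errors. The function and parameter names, the corporate domain and the credential in the usage lines are the example's own placeholders; the group names are the ones the manual uses. It assumes the ActiveDirectory module on the master NMS DC VM.

```powershell
# Added example: not from the NetAct manual. Function and parameter names are the
# example's own; the corporate domain and credential in the usage lines are placeholders.

function Add-ExternalGroupsToNmsGroups {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string]       $ExternalDomain,  # <Domain Name of external server>
        [Parameter(Mandatory)] [pscredential] $Credential,      # Domain Admins account in that domain
        [Parameter(Mandatory)] [hashtable[]]  $Mappings         # @{ External = '<universal group>'; Nms = '<domain local group>' }
    )

    foreach ($map in $Mappings) {
        $externalName = $map.External
        $nmsName      = $map.Nms

        $ext = Get-ADGroup -Server $ExternalDomain -Identity $externalName -Credential $Credential -ErrorAction Stop
        # Across an external trust only universal groups can be nested into the NMS
        # groups; AD rejects a global or domain local group from the other side.
        if ($ext.GroupScope -ne 'Universal') {
            Write-Warning "$externalName has scope $($ext.GroupScope), not Universal; skipped."
            continue
        }

        $nms = Get-ADGroup -Identity $nmsName -ErrorAction Stop
        # Only domain local groups accept members from another domain (this is why the
        # manual maps NetAct_Administrator to extNetAct_Administrators instead).
        if ($nms.GroupScope -ne 'DomainLocal') {
            Write-Warning "$nmsName has scope $($nms.GroupScope), not DomainLocal; skipped."
            continue
        }

        # A foreign group is stored as a ForeignSecurityPrincipal named by its SID, so test
        # membership by SID rather than by name to keep the step re-runnable.
        $members    = (Get-ADGroup -Identity $nmsName -Properties Members).Members
        $sidPattern = 'CN=' + [regex]::Escape($ext.SID.Value) + ','
        if ($members -match $sidPattern) {
            Write-Verbose "$externalName is already a member of $nmsName"
            continue
        }

        if ($PSCmdlet.ShouldProcess($nmsName, "Add $ExternalDomain\$externalName")) {
            Add-ADGroupMember -Identity $nms -Members $ext
            [pscustomobject]@{ NmsGroup = $nmsName; ExternalGroup = $externalName; SID = $ext.SID.Value }
        }
    }
}

# Usage on the master NMS DC VM (placeholders; the group names are the manual's examples):
# $Cred = Get-Credential 'corp.example.com\netact-admin'
# $maps = @(
#     @{ External = 'NAcluster1_Users';          Nms = 'NetAct_Users' }
#     @{ External = 'NAcluster1_Administrators'; Nms = 'extNetAct_Administrators' }
#     # Only for the optional procedure 28.5.2.4 (administration rights on the DC VMs):
#     # @{ External = 'NAcluster1_Administrators'; Nms = 'Administrators' }
# )
# Add-ExternalGroupsToNmsGroups -ExternalDomain 'corp.example.com' -Credential $Cred -Mappings $maps -Verbose -WhatIf
```

Run it once with -WhatIf to see which memberships would be added, then without. The Administrators mapping is commented out on purpose: it is the optional step 28.5.2.4 and grants the external group administrative rights on the Domain Controller VMs, so it should be enabled only when that is intended.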

28.5.2.5 Creating password policy container for EM launch accounts in Node Manager server
The NetAct Administrator creates the policy container in the Node Manager Server and associates it
with the external accounts, so that a dedicated password policy applies to them instead of the local
(domain default) password policy.

1. Log in to the master NMS DC VM as domain administrator.

Note: To identify the master DC VM, see Appendix B: Checking role information on Node
Manager Server in Administering Node Manager Server.

2. Open Windows PowerShell by doing the following:

a) Right-click Start and select Search.
b) In the search field, type Windows PowerShell.
c) Click Windows PowerShell.

The Windows PowerShell prompt appears.

3. In Windows PowerShell, enter the following command to create a new password policy
container for EM launch accounts:

New-ADFineGrainedPasswordPolicy -Name "ExternalUserContainer" -Precedence 10 -ComplexityEnabled $true -Description "External Users Password Policy" -DisplayName "ExternalUserContainer" -LockoutDuration "0.00:05:00" -LockoutObservationWindow "0.00:05:00" -LockoutThreshold 3 -PasswordHistoryCount 6 -MinPasswordLength 8 -MinPasswordAge "0.00:00:00" -MaxPasswordAge "1.00:00:00"

Expected outcome

A new password policy container for EM launch accounts is created in the Node Manager server.

28.5.2.6 Modifying password expiry duration of EM launch users (Optional)


This procedure is optional. By default, the password expiry duration for EM launch accounts is set to
24 hours. The NetAct Administrator can change the password expiry duration to their desired values.

1. Log in to the master NMS DC VM as domain administrator.

Note: To identify the master DC VM, see Appendix B: Checking role information on Node
Manager Server in Administering Node Manager Server.

2. Open Windows PowerShell by doing the following:

a) Right-click Start and select Search.
b) In the search field, type Windows PowerShell.
c) Click Windows PowerShell.

The Windows PowerShell prompt appears.

3. In Windows PowerShell, enter the following command to modify the password expiry
duration of EM launch accounts:

Set-ADFineGrainedPasswordPolicy -Identity "ExternalUserContainer" -MaxPasswordAge "0.01:00:00"

where ExternalUserContainer is the password policy container created in Creating
password policy container for EM launch accounts in Node Manager server in Administering
NetAct System Security.

This sets the password expiry duration to one hour.

Note: The allowed range for MaxPasswordAge is from 1 hour to 5 days. Minutes and
seconds are ignored.

Specify the time interval to set in the following format:

D.H:0:0

where:

• D is the number of days (0 to 5)
• H is the number of hours (0 to 23)

4. Update the same value for the password expiry duration in the preference file for the change to take
effect.
a) Log in to the dmgr VM as any sysop group user.
b) Check whether the Pref_ExternalUserTokenExpiryConfig.xml file exists in the
/etc/opt/oss/global/custom/conf/javaprefs/um directory. If it exists, enter the following
command to take a backup. Otherwise, proceed to the next step.

[omc@lab ~]$ mv /etc/opt/oss/global/custom/conf/javaprefs/um/Pref_ExternalUserTokenExpiryConfig.xml /var/tmp/Pref_ExternalUserTokenExpiryConfig.bkp

c) Check whether the directory /etc/opt/oss/global/custom/conf/javaprefs/um exists. If it
exists, proceed to the next step. Otherwise, create it as the root user and assign the directory
ownership and permissions by entering:

[omc@lab ~]$ su - root
Password: <Enter root password here>
[root@lab ~]# mkdir -p /etc/opt/oss/global/custom/conf/javaprefs/um; chown omc:sysop /etc/opt/oss/global/custom/conf/javaprefs/um; chmod 775 /etc/opt/oss/global/custom/conf/javaprefs/um
[root@lab ~]# exit

d) On the command line, enter the following command to copy the required preference file to the
location used for providing non-default configuration:

[omc@lab ~]$ cp -p /var/opt/oss/global/javaprefs/um/Pref_ExternalUserTokenExpiryConfig.xml /etc/opt/oss/global/custom/conf/javaprefs/um

e) Update the value of NMSTokenExpiryDuration in the preference file
/etc/opt/oss/global/custom/conf/javaprefs/um/Pref_ExternalUserTokenExpiryConfig.xml
with the same value, in hours, as the MaxPasswordAge value set in step 3.

<entry key="NMSTokenExpiryDuration" value="24" />

Note:

• To set the password expiry duration to 2 days, set the NMSTokenExpiryDuration value to 48
(2 days * 24 hours).
• The permitted range for NMSTokenExpiryDuration is from 1 to 120 hours.

f) You can set a grace time for the password expiry duration so that if any token request
arrives within this grace time, a new token is generated. The default grace time is 30
minutes. To change the grace time, modify GraceNMSTokenExpiryDuration
in the preference file /etc/opt/oss/global/custom/conf/javaprefs/um/
Pref_ExternalUserTokenExpiryConfig.xml.

<entry key="GraceNMSTokenExpiryDuration" value="30" />

Note: The permitted range for GraceNMSTokenExpiryDuration is from 5 to 30 minutes.

g) If you took a backup in step 4.b, copy any other non-default values from the backup file into
/etc/opt/oss/global/custom/conf/javaprefs/um/Pref_ExternalUserTokenExpiryConfig.xml.

Remove the backup file after copying the non-default values.

Expected outcome

The password expiry duration of EM launch users is updated.
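Procedures 28.5.2.5 and 28.5.2.6 set one value twice: MaxPasswordAge on the fine-grained password policy in the form D.H:0:0, and NMSTokenExpiryDuration in hours in the preference file, each with its own permitted range. The PowerShell below is an added example, not part of the NetAct documentation: it validates the interval against the ranges stated above, creates the ExternalUserContainer policy with the manual's settings only if it does not exist yet, applies the new MaxPasswordAge, reads it back from the directory, and emits the matching <entry> lines for step 4.e and 4.f so the two settings cannot drift apart. The function names are the example's own; it assumes the ActiveDirectory module on the master NMS DC VM, and the preference file itself is still edited on the dmgr VM as described in step 4.

```powershell
# Added example: not from the NetAct manual. Function names are the example's own;
# the policy name and settings are those given in the manual's procedures.

function New-EmLaunchExpiryConfig {
    # Validates the D.H:0:0 interval against the manual's ranges and derives the
    # matching preference-file values, so the two settings cannot drift apart.
    param(
        [ValidateRange(0, 5)]  [int] $Days,
        [ValidateRange(0, 23)] [int] $Hours,
        [ValidateRange(5, 30)] [int] $GraceMinutes = 30   # GraceNMSTokenExpiryDuration, permitted 5..30
    )
    $totalHours = $Days * 24 + $Hours
    if ($totalHours -lt 1 -or $totalHours -gt 120) {
        throw "MaxPasswordAge must be between 1 hour and 5 days; $Days d $Hours h is $totalHours h."
    }
    [pscustomobject]@{
        MaxPasswordAge              = '{0}.{1}:0:0' -f $Days, $Hours   # value for Set-ADFineGrainedPasswordPolicy
        NMSTokenExpiryDuration      = $totalHours                        # hours; permitted 1..120
        GraceNMSTokenExpiryDuration = $GraceMinutes                      # minutes; permitted 5..30
        PreferenceEntries           = @(
            ('<entry key="NMSTokenExpiryDuration" value="{0}" />' -f $totalHours),
            ('<entry key="GraceNMSTokenExpiryDuration" value="{0}" />' -f $GraceMinutes)
        )
    }
}

function Set-EmLaunchPasswordExpiry {
    param(
        [Parameter(Mandatory)] $Config,                       # output of New-EmLaunchExpiryConfig
        [string] $PolicyName = 'ExternalUserContainer'
    )

    # Procedure 28.5.2.5, made re-runnable: create the container only if it is missing,
    # with exactly the settings the manual specifies.
    if (-not (Get-ADFineGrainedPasswordPolicy -Filter "Name -eq '$PolicyName'")) {
        New-ADFineGrainedPasswordPolicy -Name $PolicyName -Precedence 10 -ComplexityEnabled $true `
            -Description 'External Users Password Policy' -DisplayName $PolicyName `
            -LockoutDuration '0.00:05:00' -LockoutObservationWindow '0.00:05:00' -LockoutThreshold 3 `
            -PasswordHistoryCount 6 -MinPasswordLength 8 -MinPasswordAge '0.00:00:00' `
            -MaxPasswordAge '1.00:00:00'
    }

    # Procedure 28.5.2.6 step 3.
    Set-ADFineGrainedPasswordPolicy -Identity $PolicyName -MaxPasswordAge $Config.MaxPasswordAge

    # Read the value back: the directory stores a TimeSpan, so compare in whole hours.
    $applied = (Get-ADFineGrainedPasswordPolicy -Identity $PolicyName).MaxPasswordAge
    if ([int]$applied.TotalHours -ne $Config.NMSTokenExpiryDuration) {
        throw "Directory reports MaxPasswordAge $applied, expected $($Config.NMSTokenExpiryDuration) h."
    }

    # Steps 4.e and 4.f: the lines to place in
    # /etc/opt/oss/global/custom/conf/javaprefs/um/Pref_ExternalUserTokenExpiryConfig.xml
    $Config.PreferenceEntries
}

# Usage on the master NMS DC VM:
# $cfg = New-EmLaunchExpiryConfig -Days 2 -Hours 0     # the manual's "2 days" example, 48 h
# Set-EmLaunchPasswordExpiry -Config $cfg
```

An interval outside the stated range (for example -Days 5 -Hours 1, which is 121 hours) is rejected before anything is written to the directory, and the read-back guards against a value the directory silently rounded.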

28.5.3 Preparing external users

The external users are needed to perform operations in NetAct when NetAct is integrated with an
external authentication and authorization server.

Note: This section is optional if NetAct has authorization with the external server enabled,
because an external user that does not yet exist is then created automatically on successful login.

The external users in NetAct can be created by the NetAct Administrator with inputs from the external
server administrator by doing one of the following:

• If NetAct already has users who need to be converted to external accounts, the existing accounts
can be migrated. To migrate existing users to external users, see Migrating NetAct users to
external users.

Or

• External accounts can be freshly created in NetAct. To create external accounts, see Importing
external accounts using CLI in Administering Users and Permissions.

Note: External users associated with sshaccess NetAct group or with a group in the
external authentication and authorization server mapped to sshaccess group in NetAct
can have their shell login enabled automatically. For more information, see Configuring
automatic shell access for external users in Administering Users and Permissions.

28.5.4 Verifying external authentication and authorization server integration with NetAct
Verification of external authentication and authorization server integration with NetAct can be done
by performing login to NetAct start page and Node Manager Server (through RDP) with an external
user. A successful login followed by access right checks verifies the successful integration of NetAct
directory server and Node Manager Server (NMS) to external authentication and authorization server.

Prerequisites

• External users in NetAct must be prepared by following the instructions provided in Preparing
external users.

1. Open NetAct Start Page. Log in using the external user credentials without providing the domain
name.

Login will be successful if integration has happened successfully. If login fails, see Login failure for
external user in NetAct in Troubleshooting Security Management to identify and resolve the issue.

2. Open an RDP session or the Citrix login page of the NetAct NMS server and log in with the external
user credentials, providing the user name in domainName\loginname format, where domainName is
the name of the domain of the external authentication and authorization server.

Login will be successful if integration has happened successfully. If login fails, see Login failure for
external user in NMS in Troubleshooting Security Management to identify and resolve the issue.

After a successful login, the access rights of the external user are determined by the groups
associated with the user in the external authentication and authorization server that are mapped to
corresponding groups in NetAct and Node Manager Server. For example, an external user
(extuser) is associated with the groups NA_sysop, NA_NetAct_Users, and extGroup in the external
authentication and authorization server. If NA_sysop is mapped to the sysop group in NetAct and
NA_NetAct_Users is mapped to NetAct_Users in NMS, then only the access rights permitted for
sysop and NetAct_Users are in effect upon login to NetAct and NMS respectively (the unmapped
extGroup has no effect).

29 Migrating NetAct users to external users

The local NetAct accounts that correspond to users in the external authentication and authorization
server need to be migrated by the NetAct administrator in order to access NetAct with external
authentication and authorization server credentials.

Note: External authentication server administrators are the most privileged users in the
external authentication and authorization server who manage the external user accounts.

29.1 Overview of migrating NetAct users to external users


After NetAct is successfully integrated with an external authentication and authorization server, you
can migrate local NetAct accounts to external accounts so that they are authenticated and authorized
in the external authentication and authorization server.


Figure 10: Migrating NetAct users

29.2 Exporting NetAct users and NM groups for NetAct users


The local NetAct accounts need to be migrated to external accounts for authentication and
authorization on the external authentication and authorization server. For migration, the local NetAct
users and Node Manager (NM) groups need to be exported by the NetAct administrator. The user to
NM group mapping needs to be updated in the external authentication and authorization server by the
external server administrator.


Note: External server administrators are the most privileged users in the external
authentication server who manage the external user accounts and groups to be administered centrally.

29.2.1 Exporting NetAct users


The local NetAct accounts need to be migrated to external accounts for authentication and
authorization on the external authentication and authorization server. For migration, local NetAct users
must be exported by the NetAct administrator.

1. Log in as omc user to the NetAct VM hosting the dmgr service and switch to root user.

To locate the right VM, see Locating the right virtual machine for a service in Administering NetAct
Virtual Infrastructure.

2. Enter any one of the following commands to export NetAct accounts:

• extUserMigrationTool.sh -e

Or

• extUserMigrationTool.sh --export

Expected outcome

All NetAct accounts are exported to the /var/opt/oss/Nokia-sm_external_authentication/migration/export/exportLocalUser_<time stamp>.csv file.

Note: The system users and deactivated accounts are excluded from the exported template. To
migrate deactivated accounts, you must reactivate them and retrigger the export operation.

29.2.2 Exporting NM groups for NetAct users


The end users in NetAct are associated with groups in the Node Manager Server (NMS). As NMS
groups are administered in the external authentication and authorization server through universal
groups, exporting the user to group association in NMS helps in assigning each user to the universal
group in the external authentication and authorization server that is mapped to the NMS group.

1. Log in as omc user to the NetAct VM hosting the dmgr service and switch to root user.

To locate the right VM, see Locating the right virtual machine for a service in Administering NetAct
Virtual Infrastructure.

2. Enter any one of the following commands to export the mapping of NetAct accounts to NMS groups:

• extUserMigrationTool.sh -en


Or

• extUserMigrationTool.sh --export-nmsgroups

Expected outcome

All NetAct accounts to NM groups mappings are exported to the /var/opt/oss/Nokia-sm_external_authentication/migration/export/accountId_NmGroups_<time stamp>.csv file.

where <time stamp> is the time at which the CSV file was exported, in the yyyyMMddHHmmss
format.

Note:

• The system users and deactivated accounts are excluded from the exported template.
To migrate deactivated accounts, you must reactivate them and retrigger the export
operation.
• The exported file can then be used by the external authentication and authorization
server administrator to assign the corresponding universal group in the external
authentication and authorization server mapped to the NMS group.

29.3 Updating exported files for migration


When the local NetAct users are exported, the output file contains only the local account ID in all three
columns (LOCAL_ACCOUNT_ID, EXTERNAL_ACCOUNT_ID, and EXTERNAL_COMMON_NAME).
An external account ID and an external common name need to be entered in the output file for each of
the local NetAct users.

1. Copy the output file exported in Exporting NetAct users and rename it.

2. Open the file to edit.

Table 37: User export file details lists the column name and their description in the exported file.

Note: If a value in one of the columns of Table 37: User export file details contains special
characters such as a double quote or a comma, escape these special characters using the
appropriate escape character. To escape special characters, see the CSV documentation. For
example, if EXTERNAL_ACCOUNT_ID is test"user, escape the double quote by preceding it with
another double quote, as test""user.

Column name           Description

LOCAL_ACCOUNT_ID      This is the account ID local to NetAct.

EXTERNAL_ACCOUNT_ID   This is the corresponding account of LOCAL_ACCOUNT_ID present in
                      the external authentication and authorization server.

                      Note:

                      • Supported characters in login name and maximum length of login
                        name fields need to be modified as mentioned in Login name
                        policy in Administering Users and Permissions.
                      • The value of EXTERNAL_ACCOUNT_ID and EXTERNAL_COMMON_NAME must
                        be updated by the NetAct administrator and the values must be
                        provided by the external server administrator.

EXTERNAL_COMMON_NAME  This is the account name which will be used to search the user in
                      the external authentication and authorization server. An example
                      for commonName is provided in Updating external accounts
                      configuration file in Administering Users and Permissions.

Table 37: User export file details

3. For each NetAct account that has to be migrated, specify the values for
EXTERNAL_ACCOUNT_ID and EXTERNAL_COMMON_NAME.

Delete all other entries of the NetAct accounts for which migration is not required.

Note:

• If the NetAct account ID is different from the external account ID, access to the user content
of the original NetAct account is no longer granted after migration. If required, take a
backup of the user content from the NetAct and Node Manager Server (NMS) home
directories before migration, or it will require administrator intervention after migration.
After migration, shell access is granted to the external account ID if the corresponding
NetAct account ID had shell access.
• If the NetAct account ID is the same as the external account ID, access to the user content of
the account in the NetAct Linux VMs is retained. If required, take a backup of the user
content from the NMS home directories before migration, or it will require administrator
intervention after migration. After migration, shell access is retained for the external
account ID if the corresponding NetAct account ID had shell access.

29.4 Verifying input file before migration


The input file must be verified for any errors by the NetAct administrator before it can be used for
migrating local NetAct accounts to external accounts.

Prerequisites

• The external authentication and authorization server must be integrated with NetAct. For more
information, see Integrating external authentication and authorization server to NetAct.
• Ensure that the users to be migrated are not system users.
• The account ID in NetAct can be the same as or different from the account ID in the external
authentication and authorization server. If a NetAct account ID is mapped to a different
external account ID, ensure that the name of this external account is not the same as any
existing NetAct account name.
• Ensure that the NetAct accounts exist in NetAct. For more information, see Viewing users list in
User Management Help.
• Ensure that the external accounts used exist in the external authentication and authorization
server.

1. Log in as omc user to the NetAct VM hosting the dmgr service and switch to root user.

To locate the right VM, see Locating the right virtual machine for a service in Administering NetAct
Virtual Infrastructure.

2. Edit the /var/opt/oss/Nokia-sm_external_authentication/migration/conf/migration.properties file and update domain, userIdentifier, and branchRDN.

Table 38: Input file property details lists the details of domain, userIdentifier, and branchRDN.

Property name    Description

domain           This is a mandatory attribute. Update it with the actual domain of the
                 external authentication and authorization server. This is used during
                 login to the external authentication and authorization server by
                 providing the login name in <domain name>\<login name> format. It
                 must match the domain name specified in Updating external
                 authentication and authorization server integration configuration
                 file.

userIdentifier   This is an optional attribute. The default value is CN. It is the
                 relative distinguished name attribute of the user object in the
                 external authentication and authorization server.

branchRDN        This is an optional attribute. If the domain of the external
                 authentication and authorization server has multiple branches,
                 provide the corresponding branch relative distinguished name where
                 the users are present.

Table 38: Input file property details

For examples of domain, userIdentifier, and branchRDN, see Updating external accounts
configuration file in Administering Users and Permissions.

3. Validate the input file by entering any one of the following commands:

• extUserMigrationTool.sh -p -f <file name>

Or

• extUserMigrationTool.sh --precheck --file <file name>

where <file name> is the name of the file which was edited after the export operation.

29.5 Checking NetAct licenses needed for migrating NetAct users


The migration will fail if the required feature codes are not available with NetAct. The NetAct
administrator must check for the required feature codes in the license file before proceeding with the
local NetAct account migration. For more information, see Checking NetAct licenses needed for
external authentication and authorization server integration.

29.6 Migrating NetAct users


The local NetAct users can be migrated to the external authentication and authorization server for
authentication on the external server by the NetAct administrator.

Note:

The NetAct accounts which have to be migrated to external accounts must be in logged out
state and must not be used during the migration process.

1. Log in as omc user to the NetAct VM hosting the dmgr service and switch to root user.

To locate the right VM, see Locating the right virtual machine for a service in Administering NetAct
Virtual Infrastructure.

2. Migrate NetAct accounts by entering any one of the following commands:

• extUserMigrationTool.sh -m -f <file name>

Or

• extUserMigrationTool.sh --migrate --file <file name>

where <file name> is the file that was updated with user details in Updating exported files for
migration.

Note:

• NetAct users mapped to Node Manager (NM) groups are exported to a CSV file. For
more information on exporting NM groups for NetAct users, see Exporting NM groups
for NetAct users.

Table 39: User mapping sample details shows the mapping of users to NM groups.

ACCOUNT_ID   NM_GROUPS

john_paul    [ApplicationLaunchOnly; NetAct_Users]

Table 39: User mapping sample details

This indicates that the local NetAct account john_paul has the
ApplicationLaunchOnly and NetAct_Users groups. The external server
administrator needs to add an external account ID corresponding to john_paul to
the corresponding Universal user groups. For more information, see Adding universal
group of external authentication and authorization server as member of NMS groups.
• This operation performs the migration in the particular NetAct system where it is
executed. If the external authentication and authorization server is integrated with
multiple NetAct systems, the migration operation must be performed on all the
required NetAct systems.
• Once the local NetAct accounts are successfully migrated, the NetAct administrator
must inform the external authentication and authorization server administrator that
the specified accounts have been migrated successfully and that the users can login
to NetAct with the external user credentials.


• In the migration scenario where the external username is the same as the local NetAct
username, the shadow account in NetAct is created with the same case as the local
user.

For example:

• Scenario1:

Consider the scenario of local user JohnPaul in NetAct and its corresponding
user in the external authentication and authorization server is johnpaul. If
the migration operation is triggered for JohnPaul, the shadow user in NetAct
would be created with JohnPaul (not with johnpaul) as it will be considered
as the same name migration. The SSH operation only works with the JohnPaul
username and will not succeed with johnpaul username.
• Scenario 2:

Consider the scenario of local user johnpaul in NetAct and its corresponding
user in the external authentication and authorization server is JohnPaul. If
the migration operation is triggered for johnpaul, the shadow user in NetAct
would be created with johnpaul (not with JohnPaul) as it will be considered
as the same name migration. The SSH operation only works with the johnpaul
username and will not succeed with JohnPaul username.

29.6.1 Listing migrated users


The migrated users can be listed with their corresponding NetAct accounts after migration along with
their cleanup status.

1. Log in as omc user to the NetAct VM hosting the dmgr service and switch to root user.

To locate the right VM, see Locating the right virtual machine for a service in Administering NetAct
Virtual Infrastructure.

2. Enter any one of the following commands to list the migrated NetAct accounts:

• extUserMigrationTool.sh -l

Or

• extUserMigrationTool.sh --list

The tool provides the list of migrated accounts.

The sample output can be in the following format:


| S.NO | Local User | External User | Cleanup Status
|
------------------------------------------------------------------------
-------------

NetAct™ 22 © 2021 Nokia. Nokia Confidential Information 569


Final Use subject to agreed restrictions on disclosure and use.
Administering NetAct System Security DN0979438_C 5-2 Migrating NetAct users to external users

| 1 | john.paul | pauljohn | Done


|

Where:

• Local User is the NetAct local user which is migrated to an external account
• External User is the migrated account from the local NetAct user. If an external user is not
available corresponding to its local user, it displays Account is missing.
• Cleanup Status is the cleanup status of the NetAct local user after it is migrated as external
user. The following are the valid values for Cleanup Status:

• Done status indicates that the local user account is cleaned up after it was migrated as an
external account. It is not possible to revert the external user to local user.
• Not Done status indicates that the local user account is not yet cleaned up after it was
migrated as an external account. You can revert the external user back to local user.

29.6.2 Cleaning up local users after migration


The local NetAct accounts need to be cleaned up after they are migrated as external accounts.
Nokia recommends verifying the functionality with the external account after it is migrated from the
local NetAct account. Once the external account is functioning as expected, clean up the
corresponding local accounts.

1. Log in as omc user to the NetAct VM hosting the dmgr service and switch to root user.

To locate the right VM, see Locating the right virtual machine for a service in Administering NetAct
Virtual Infrastructure.

2. Enter any one of the following commands to clean up the local accounts after migration:

• extUserMigrationTool.sh -c -f <file name>

Or

• extUserMigrationTool.sh --cleanup --file <file name>

where <file name> is the file that contains the account IDs of the local NetAct users which are
required to be cleaned up after they are migrated as external users.

Note:

• Account IDs must already be migrated as external users.
• Each account ID must be specified on a new line in the input file.
• The input file must not contain duplicate entries.


29.6.3 Reverting external users to local users


The external accounts can be reverted to local NetAct users so that authentication and
authorization of the reverted accounts no longer happen in the external authentication and
authorization server.

Note: The revert operation is performed in the particular NetAct system where it is executed. If
the external authentication and authorization server is integrated with multiple NetAct systems,
the revert operation must be performed on all the required NetAct systems.

1. Log in as omc user to the NetAct VM hosting the dmgr service and switch to root user.

To locate the right VM, see Locating the right virtual machine for a service in Administering NetAct
Virtual Infrastructure.

2. Revert the migrated accounts by entering one of the following commands:

• extUserMigrationTool.sh -r -f <file name>

Or

• extUserMigrationTool.sh --revert --file <file name>

where <file name> is the file which contains the account IDs of the external users which are
required to be reverted as local NetAct users.

Note:

• Cleanup status of the local user corresponding to its external account ID must be Not
Done. To check the cleanup status, see Listing migrated users.
• Each account ID must be specified on a new line in the input file.
• The input file must not contain duplicate entries.
• The account ID must be of an external user.
• Existing associated groups of a migrated external account will be retained in its local
NetAct account after the revert operation.
• If the NetAct account ID is different from the external account ID, access to the user
content of the original NetAct account is regranted. However, user content created after
migration is not available for the local account. If required, take a backup of the user
content from the NetAct and NMS home directories before the revert, or it will require
administrator intervention after the revert operation.
• If the NetAct account ID is the same as the external account ID, access to the user content
of the account in the NetAct Linux VMs is retained. If required, take a backup of the user
content from the Node Manager Server (NMS) home directories before the revert, or it will
require administrator intervention after the revert operation.
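Added example (not NetAct's own code): the following Python script parses the table format that Listing migrated users shows and builds the one-account-per-line input files that the --cleanup and --revert commands above expect, keeping only accounts whose Cleanup Status is Not Done, dropping duplicates, and setting aside rows where the external account is missing. The sample --list output is constructed.

```python
# Constructed sample of "extUserMigrationTool.sh --list" output in the layout
# shown in Listing migrated users (not output from a real system).
SAMPLE_LIST_OUTPUT = """\
| S.NO | Local User | External User      | Cleanup Status |
-----------------------------------------------------------
| 1    | john.paul  | pauljohn           | Done           |
| 2    | jane.doe   | jane.doe           | Not Done       |
| 3    | bob.smith  | Account is missing | Not Done       |
"""

# Value shown in the External User column when no external account exists
MISSING = "Account is missing"


def parse_list_output(text):
    """Return one dict per data row of the --list table."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        # Skip the header, the separator line and any surrounding text
        if not line.startswith("|") or line.startswith("| S.NO"):
            continue
        cells = [c.strip() for c in line.strip("|").split("|")]
        if len(cells) != 4:
            raise ValueError("unexpected row: %r" % line)
        entries.append({"sno": int(cells[0]), "local": cells[1],
                        "external": cells[2], "status": cells[3]})
    return entries


def revert_candidates(entries):
    """External account IDs that may still be reverted: Not Done and present."""
    ids = [e["external"] for e in entries
           if e["status"] == "Not Done" and e["external"] != MISSING]
    return list(dict.fromkeys(ids))


def cleanup_candidates(entries):
    """Local account IDs that are migrated but not yet cleaned up."""
    ids = [e["local"] for e in entries
           if e["status"] == "Not Done" and e["external"] != MISSING]
    return list(dict.fromkeys(ids))


def needs_attention(entries):
    """Local users whose external account is missing; neither cleanup nor
    revert input is generated for them, an administrator must look first."""
    return [e["local"] for e in entries if e["external"] == MISSING]


def input_file_text(ids):
    """One account ID per line, duplicates dropped, as -f <file name> expects."""
    return "".join(i + "\n" for i in dict.fromkeys(ids))


if __name__ == "__main__":
    entries = parse_list_output(SAMPLE_LIST_OUTPUT)
    print("cleanup input:\n" + input_file_text(cleanup_candidates(entries)))
    print("revert input:\n" + input_file_text(revert_candidates(entries)))
    print("check manually:", needs_attention(entries))
```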


30 Disintegrating external authentication and authorization server from NetAct

NetAct supports disintegration of the external authentication server from NetAct so that login with user
credentials in the external repository is no longer possible in NetAct. This section provides the
sequence of operations that need to be performed for disintegrating the external authentication server
from NetAct.

Note: External authentication server administrators are the most privileged users in the
external authentication server who manage the external user accounts.

30.1 Overview of external authentication and authorization server disintegration

This chapter describes the disintegration workflow of the external authentication and authorization
server from NetAct.

Successful disintegration of the external authentication and authorization server from NetAct does not
allow external users to log in to NetAct.


Figure 11: External authentication and authorization server disintegration

30.2 Disintegrating external authentication and authorization server


This section provides the instructions to be executed for disintegrating the NetAct directory server and
Node Manager Server (NMS) from the external authentication and authorization server.

30.2.1 Disintegrating external authentication and authorization server from NetAct directory server

Disintegration of the external authentication and authorization server from the NetAct directory server
is performed by the NetAct administrator so that the users in the external repository accessing NetAct
(from Start Page and SSH) are not authenticated and authorized by an external authentication and
authorization server.


Note:

• This operation disables external user authentication and authorization. It must be done
in each NetAct system in which external user authentication and authorization has to be
disabled.
• To perform disabling of authorization only, see Disabling authorization for external
authentication and authorization server.

1. Log in as omc user to the NetAct VM hosting the dmgr service and switch to root user.

To locate the right VM, see Locating the right virtual machine for a service in Administering NetAct
Virtual Infrastructure.

2. Enable SSH login as root on all NetAct nodes. For information on how to enable root SSH login,
see Enabling root SSH login.

3. Disintegrate the external authentication and authorization server from the NetAct directory server by
entering any one of the following commands:

• [root] ExternalAuthServerMgmt.sh --disintegrate

Or

• [root] ExternalAuthServerMgmt.sh -d

A confirmation prompt appears on the screen to continue the execution of the command. The tool
terminates the operation if input other than y or yes (case sensitive) is provided after three attempts,
or if no input is provided for 15 minutes.

After confirmation, the tool starts executing the disintegration operation. The disintegration operation
first disables authorization and then disables authentication. If disabling authentication against the
external authentication and authorization server fails, a rollback is performed to revert to the
previous state.

Note:

• A confirmation prompt during execution of the tool can be suppressed by entering
any one of the following commands:

[root] ExternalAuthServerMgmt.sh --disintegrate --noPrompt

Or

[root] ExternalAuthServerMgmt.sh -d -n


• To forcefully disintegrate the external authentication and authorization server from
NetAct irrespective of the current disintegration state, enter any one of the following
commands:

[root] ExternalAuthServerMgmt.sh --disintegrate --ignoreIntegrationState

Or

[root] ExternalAuthServerMgmt.sh -d -f

• To check the disintegration status of the external authentication and authorization
server from NetAct, enter any one of the following commands:

[root] ExternalAuthServerMgmt.sh --integrationStatus

Or

[root] ExternalAuthServerMgmt.sh -s

Tool execution will stop if any of the above steps fails. To resolve the issue, see
Troubleshooting external authentication and authorization server disintegration in
Troubleshooting Security Management.

4. Disable SSH login as root on all NetAct nodes. For information on how to disable root SSH login,
see Disabling root SSH login.

30.2.2 Disintegrating external authentication and authorization server from NetAct Node Manager Server

Disintegration of the external authentication and authorization server from NetAct Node Manager
Server (NMS) is done so that the users from the external repository accessing NetAct Access Server
(from Citrix, RDP) will no longer be authenticated and authorized by the external server.

Note: This operation performs disintegration of the external authentication and authorization
server from the particular NMS where it is executed. If the disintegration of the external
authentication and authorization server from multiple NetAct NMS is to be done, this
operation must be performed on each of the NetAct NMS.

30.2.2.1 Removing one-way external trust


The NetAct administrator must execute the following procedure to remove the NMS trust with the
external authentication and authorization server. After this, NMS can no longer authenticate against or
query the external authentication and authorization server for users, groups, and so on.

1. Log in to the master NMS DC VM as domain administrator.


Note: To identify the master DC VM, see Appendix B: Checking role information on Node
Manager Server in Administering Node Manager Server.

2. Navigate to Start → Windows Administrative Tools → Active Directory Domains and Trusts.

The Active Directory Domains and Trusts window appears.

3. Right click the NMS AD domain name and select Properties.

The domain name Properties dialog box appears.

4. Click Trusts.

5. Select DNS zone’s domain name of the external authentication and authorization server which
needs to be removed in Domain trusted by this domain (outgoing trusts).

If DNS zone’s domain name is not present, click Cancel to close the domain’s Properties dialog
box.

6. Click Remove.

The Active Directory Domain Services dialog box appears.

7. Select Yes, remove the trust from both the local domain and the other domain.

8. Enter user name and password of a domain admin in the external authentication and authorization
server and click OK.

9. Do one of the following:

• Click Yes, if you want to remove the outgoing trust from external authentication and
authorization server DNS zone’s domain name.
Or

• Click No.

10. Click OK to close the dialog box.

Expected outcome

The one-way external trust is removed.

30.2.2.2 Removing universal group of external authentication and authorization server as member of
NMS groups
The NMS groups already define fine grained policies to access NMS resources. Universal groups in
external authentication and authorization servers can be dissociated to these groups by the NetAct
administrator by following this procedure.


Note: This step is optional, as it dissociates users from the universal groups in the
external authentication server.

1. Log in to the master NMS DC VM as domain administrator.

Note: To identify the master DC VM, see Appendix B: Checking role information on Node
Manager Server in Administering Node Manager Server.

2. Open Windows PowerShell by doing the following:


a) Right-click Start and select Search.
b) In the search field, type Windows PowerShell.
c) Click Windows PowerShell.

The Windows PowerShell prompt appears.

3. For each NMS group identified in Creating new group in external authentication and authorization
server, do the following:
a) To obtain the Universal group object of external authentication and authorization server, enter:

$Group = Get-ADGroup -Server <Domain Name of external server> -Identity <Universal Group in external server> -Credential <corp-domain>\<corp-user>

where:

• <Domain Name of external server> is the external authentication and authorization
server DNS zone’s domain name.
• <Universal Group in external server> is the name of the universal group in the
external authentication and authorization server. Example: NAcluster1_Users.
• <corp-domain> is the domain used to log in to trusted members of the external
authentication and authorization server Active Directory.
• <corp-user> is the login name for the external authentication and authorization server
directory. This login account must be a domain administrator (member of the Domain Admins
group) in the external authentication and authorization server directory.

At the prompt, provide the <corp-domain>\<corp-user> password, and then click OK.
b) To remove external authentication and authorization server group as member of NMS AD
group, enter the following command:

Remove-ADGroupMember -Identity <NMS AD Group with Domain Local scope> -Members $Group

where <NMS AD Group with Domain Local scope> is the NMS group from which the
universal groups in external authentication and authorization server must be removed. For
example: NetAct_Users.


This command gives the following output. You can press Enter to continue.

Confirm
Are you sure you want to perform this action?
Performing the operation "Set" on target "CN=NA_ExtGroup,CN=Users,
DC=test,DC=net".
[Y] Yes [A] Yes to All [N] No [L] No to All [S] Suspend [?] Help
(default is "Y"):

Note:

If the built-in administrators group was also associated to the universal group as instructed in
Adding universal group from external authentication and authorization server as member
of default Administrators group in NMS AD (Optional), remove the association by entering
the following commands:

1. $Group = Get-ADGroup -Server <DN of external server> -Identity <Universal Group in external server> -Credential <corp-domain>\<corp-user>

At the prompt, provide the <corp-domain>\<corp-user> password, and then click OK.

2. Remove-ADGroupMember -Identity Administrators -Members $Group

30.2.2.3 Removing forwarding zone from NMS (Optional)

If a stub zone or a conditional forwarder was created during integration, it can be removed. This
procedure can also be used when switching from a stub zone to conditional forwarders or the other way
around.

1. Log in as domain administrator to the master NMS DC VM.

Note: To identify the master NMS DC VM, see Appendix B: Checking role information on
Node Manager Server in Administering Node Manager Server.

2. Open the Windows PowerShell by doing the following:

a) Right-click Start and select Search.
b) In the search field, type Windows PowerShell.
c) Click Windows PowerShell.


The Windows PowerShell prompt appears.

3. Remove the forwarding zone by entering:

PS C:\> Remove-DnsServerZone "<DNS Domain Name of external server>" -PassThru -Verbose

where <DNS Domain Name of external server> is the external authentication and authorization server
DNS zone's domain name.

Sample output:

Confirm
This will also remove all the records in the zone and the server will
no longer host the zone, do you want to continue?
[Y] Yes [N] No [S] Suspend [?] Help (default is "Y"):

4. Press Enter.

Expected outcome

The forwarding zone is removed from the NMS.

30.2.3 Disabling authorization for external authentication and authorization server

Disabling authorization is performed by the NetAct administrator so that users in the external
repository who access NetAct (from the Start Page and over SSH) are no longer authorized by the
external authentication and authorization server. Instead, these users are authorized by local NetAct
Permission Management.

Note:

• Disabling authorization does not affect authentication.
• The disable authorization operation disables authorization only in the NetAct system where it is
executed. If authorization must be disabled in multiple NetAct installations, the operation must be
performed on each NetAct installation.

1. Log in as omc user to the NetAct VM hosting the dmgr service and switch to root user.

To locate the right VM, see Locating the right virtual machine for a service in Administering NetAct
Virtual Infrastructure.

2. Disable central user authorization by entering one of the following commands:

• [root] ExternalAuthServerMgmt.sh -x


Or

• [root] ExternalAuthServerMgmt.sh --disableAuthorization

A confirmation prompt appears on the screen to continue the execution of the command.

3. Enter y or yes to continue the execution.

Note: The ExternalAuthServerMgmt.sh tool terminates the operation if input other than y or yes
(case-insensitive) is provided in three attempts.

Expected outcome

The authorization for external authentication and authorization server is disabled.

Note:

• To suppress the confirmation prompt during the execution of the tool, enter one of the following
commands:

[root] ExternalAuthServerMgmt.sh -x -n

Or

[root] ExternalAuthServerMgmt.sh --disableAuthorization --noPrompt

• To forcefully disable authorization from the external authentication and authorization server,
irrespective of the current authorization state, enter one of the following commands:

[root] ExternalAuthServerMgmt.sh -x -n -f

Or

[root] ExternalAuthServerMgmt.sh --disableAuthorization --ignoreintegrationstate

• To check the status of the disable authorization operation with the external authentication and
authorization server from NetAct, enter one of the following commands:

[root] ExternalAuthServerMgmt.sh -s

Or

[root] ExternalAuthServerMgmt.sh --integrationstatus


30.3 Verifying external authentication and authorization server disintegration from NetAct

Verification of external authentication and authorization server disintegration is done by logging in
to NetAct with an external user. If the disintegration is successful, the external user cannot log in
to NetAct.

1. Open the NetAct Start Page and log in using an external user's login credentials without providing
the domain name.

Login fails if disintegration has happened successfully. If login succeeds, see Login success for
external user after disintegration in Troubleshooting Security Management to identify and resolve
the problem.

2. Open an RDP session or the Citrix login page of the NetAct NMS server and log in with an external
user's credentials.

Provide the username in domainName\loginname format, where domainName is the name of the domain of
the external authentication and authorization server.

Note: If only authorization with the external authentication and authorization server is disabled,
the user can still log in to NetAct with the access rights that were available to the user before
disabling.

Expected outcome

Login fails if disintegration is successful.

30.4 Deleting external user accounts from NetAct (Optional)

This is an optional procedure which can be skipped if integration of the external authentication and
authorization server with NetAct needs to be performed in the future. The external accounts present
in NetAct can be removed manually using the Command Line Interface (CLI) tool. This deletes the
external user accounts from NetAct and prevents the external users from accessing NetAct.

Note: If the external authentication and authorization server is integrated with multiple NetAct
systems, this operation must be performed on all of them.

To delete the external users listed as described in Listing external users accounts using CLI in
Administering Users and Permissions, see Deleting external accounts using CLI in Administering Users
and Permissions.


31 Accessing Keycloak server

The Keycloak server provides OAuth2.0 tokens to applications so that service requests to applications
registered with the Keycloak server are securely authenticated and authorized.

Note: Keycloak supports the TLS 1.2 protocol and does not support lower versions of TLS.

31.1 Addition of certificates for Keycloak OAuth 2.0 client authentication

To establish secure communication between network elements and Keycloak, add certificates for
Keycloak OAuth 2.0 client authentication.

• Enable secure communication between CBAM and Keycloak
• Enable secure communication between ZTS and Keycloak

31.1.1 Enable secure communication between CBAM and keycloak

To enable secure communication between CloudBand Application Manager (CBAM) and the Keycloak
server for OAuth 2.0 client authentication, the Keycloak truststore must contain the trust anchor of CBAM.

The certificate is imported into the truststore by following the instructions in the Adding additional
trust anchors section. The certificate must be added to the Keycloak endpoint.

Note: If multiple CBAM instances use certificates issued by multiple Root Certification Authorities
(CAs), then the certificate of each Root CA in use must be added.

31.1.2 Enable secure communication between ZTS and keycloak

To enable secure communication between Zero Touch Service (ZTS) and the Keycloak server for
OAuth 2.0 client authentication, the Keycloak truststore must contain the trust anchor of ZTS.

The certificate is imported into the truststore by following the instructions in the Adding additional
trust anchors section. The certificate must be added to the Keycloak endpoint.

Note: If multiple ZTS instances use certificates issued by multiple Root Certification Authorities
(CAs), then the certificate of each Root CA in use must be added.


31.2 Configuration of NetAct CA certificates on CBAM

To configure NetAct Certification Authority (CA) certificates on CBAM for Transport Layer Security
(TLS) mode, download the NetAct Certification Authority (CA) certificate.

To download NetAct CA certificates, see Root CA certificate for NetAct services.

Note: Use keycloak as the service name.

For detailed instructions on how to add NetAct CA certificates to the CBAM truststore, see the
CloudBand Application Manager Operating documentation in the Support portal at https://customer.nokia.com.
Accessing the documentation and software in the portal requires authentication.

31.3 Configuration of NetAct CA certificates on ZTS

To configure NetAct Certification Authority (CA) certificates on Zero Touch Service (ZTS) for Transport
Layer Security (TLS) mode, download the NetAct Certification Authority (CA) certificate.

To download NetAct CA certificates, see Root CA certificate for NetAct services.

Note: Use keycloak as the service name.

For detailed instructions on how to add NetAct CA certificates to the ZTS truststore, see the
Configurations for selective NBI ONAP, NetAct, and LMS section in the Life Cycle Management of OAM and
Cloud Native VNFs (DN261913520) document of the corresponding ZTS release in the Support portal at
https://customer.nokia.com. Accessing the documentation and software in the portal requires authentication.

31.4 Requesting initial access token from Keycloak server

The initial access token is required for applications to register with the Keycloak server. This token
is used only once, to register a client in the Keycloak server within its expiration time. NetAct
applications, such as NTCApp, can request the initial access token from the Keycloak server to register
themselves with Keycloak.

1. Log in as sysop group user to the NetAct VM hosting the ntcapp service.

To locate the right VM, see Locating the right virtual machine for a service in Administering NetAct
Virtual Infrastructure.

2. Obtain the initial access token by entering one of the following commands:

• $ keycloakAccess.sh --initialaccesstoken


Or

• $ keycloakAccess.sh -i

Expected outcome

Sample output:

$ keycloakAccess.sh -i
{"id":"22061c51-b962-417d-84c1-701d2dc8db51",
"token":"eyJhbGciOiJIUzI1NiIsInR5cCIgOiAiSldUIi....",
"timestamp":1549518878,"expiration":300,"count":1,"remainingCount":1}

Note:

• On the command line, enter the # keycloakAccess.sh -t -p <arg> command to obtain the token
endpoint Uniform Resource Identifier (URI) of the Keycloak server for introspecting OAuth2.0 tokens.
Applications must use this endpoint to verify the received token at the Keycloak server. The
supported values of <arg> are ipv4 and ipv6.

Sample output:

$ keycloakAccess.sh -t
{"endpoint":"https://<lbwas-fqdn>:<https-port>/auth/realms/<realm-name>"}

Or

$ keycloakAccess.sh -t -p ipv4
{"endpoint":"https://<lbwas-IPV4-Address>:<https-port>/auth/realms/<realm-name>"}

Or

$ keycloakAccess.sh -t -p ipv6
{"endpoint":"https://<lbwas-IPV6-Address>:<https-port>/auth/realms/<realm-name>"}

• On the command line, enter the # keycloakAccess.sh -a command to obtain the admin endpoint URI of
the Keycloak server for registering clients. Applications must use this endpoint to create a client in
the Keycloak server.

Sample output:

$ keycloakAccess.sh -a
{"endpoint":"https://<lbwas-fqdn>:<https-admin-port>/auth/realms/<realm-name>"}
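
The fields in the sample output of keycloakAccess.sh -i (timestamp, expiration, remainingCount)
determine whether an initial access token can still be used to register a client. The shell functions
below are an added example, not part of NetAct or of keycloakAccess.sh: they evaluate that window from
a constructed copy of the sample JSON. The field names are taken from the output shown above; the
helper only reads the response, the Keycloak server remains the authority on whether a registration
is accepted.

```shell
#!/bin/sh
# Added example (not part of NetAct or keycloakAccess.sh): decide whether an
# initial access token returned by "keycloakAccess.sh -i" is still usable.
# The token is single-use and valid from "timestamp" for "expiration" seconds.

# Constructed copy of the documented sample response (token shortened as in the manual).
SAMPLE_JSON='{"id":"22061c51-b962-417d-84c1-701d2dc8db51","token":"eyJhbGciOiJIUzI1NiIsInR5cCIgOiAiSldUIi....","timestamp":1549518878,"expiration":300,"count":1,"remainingCount":1}'
# Constructed variant of the same response after the one permitted registration.
USED_JSON='{"id":"22061c51-b962-417d-84c1-701d2dc8db51","token":"eyJhbGciOiJIUzI1NiIsInR5cCIgOiAiSldUIi....","timestamp":1549518878,"expiration":300,"count":1,"remainingCount":0}'

# json_num JSON KEY -> prints the integer value of a top-level numeric key.
json_num() {
    printf '%s\n' "$1" | sed -n "s/.*\"$2\":\([0-9][0-9]*\).*/\1/p"
}

# token_seconds_left JSON NOW -> seconds until timestamp+expiration (negative if past).
token_seconds_left() {
    ts=$(json_num "$1" timestamp)
    exp=$(json_num "$1" expiration)
    echo $(( ts + exp - $2 ))
}

# token_usable JSON NOW -> exit 0 if registrations remain and the token has not
# expired at epoch second NOW; exit 2 if the response cannot be parsed.
token_usable() {
    ts=$(json_num "$1" timestamp)
    exp=$(json_num "$1" expiration)
    left=$(json_num "$1" remainingCount)
    if [ -z "$ts" ] || [ -z "$exp" ] || [ -z "$left" ]; then
        echo "unexpected response: $1" >&2
        return 2
    fi
    [ "$left" -gt 0 ] || return 1
    [ "$2" -lt $(( ts + exp )) ] || return 1
    return 0
}

# Demonstration against the wall clock: the documented sample is long expired.
now=$(date +%s)
if token_usable "$SAMPLE_JSON" "$now"; then
    echo "token usable for $(token_seconds_left "$SAMPLE_JSON" "$now") more seconds"
else
    echo "token expired or already consumed; request a new one with keycloakAccess.sh -i"
fi
```

In a registration script, call token_usable with the response captured from keycloakAccess.sh -i
immediately before the client registration request, and request a fresh token when it fails.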


31.5 Accessing keycloak admin console

You can access the Keycloak admin console to perform the operations allowed for the logged-in
Keycloak realm admin user.

Prerequisites

• You must know the Keycloak realm admin username, realm name, and password to access the
Keycloak admin console. To retrieve the Keycloak realm admin user password, see Retrieving
Keycloak realm admin user password.

1. In the address field of your Internet browser, type the following URL address:

https://<system_FQDN>:10449/auth/admin/<realm_name>/console

where:

• <system_FQDN> is the fully qualified domain name of the NetAct cluster load balancer for
WebSphere (WAS).
• <realm_name> indicates the realm name of the Keycloak realm admin user.

Note: To determine the system FQDN of the NetAct cluster load balancer WAS, do the
following:

1. Log in as omc user to a Virtual Machine (VM) hosting any of the lb-unify services.

To locate the VM hosting the lb-unify services, see Locating the right virtual
machine for a service in Administering NetAct Virtual Infrastructure.
2. Determine the system FQDN for NetAct Start Page by entering:

[omc]$ /opt/cpf/bin/cpf_list_lb_address.sh --lb WAS

Expected outcome:

The system FQDN appears. For example,

lbha1.netact.customer.com

2. Type the Username and Password, and then click Log In.

Expected outcome

The Keycloak admin console opens.


31.6 Retrieving Keycloak realm admin user password

You can retrieve the Keycloak realm admin user password to log in to the Keycloak admin console and
manage the realm.

1. Log in as omc user to a Virtual Machine (VM) hosting one of the ntcapp services.

To locate the VM hosting the ntcapp services, see Locating the right virtual machine for a service
in Administering NetAct Virtual Infrastructure.

2. Retrieve the Keycloak realm user password by entering:

[omc@ntcapp-host ~] $ /opt/oss/Nokia-sm_keycloak-service-handler/install/bin/keycloak_user_mgmt.sh --get --realm <realm_name> --user <user_name>

where:

• <realm_name> is the name of the realm.
• <user_name> is the login name of the user.

Expected outcome

The Keycloak realm admin user password is displayed.


32 Verifying NetAct security

32.1 Verifying hardening during runtime

The hardening state of the NetAct nodes should be checked regularly during runtime.

1. Preparation

a) Log in as omc user and switch to root user on the Deployment Manager node.

To locate the correct virtual machine, see Locating the right virtual machine for a service in
Administering NetAct Virtual Infrastructure.

2. To check the hardening status of NetAct, do the following:

a) Enter the following command on the dmgr node:

/opt/oss/NSN-sm_hardening/bin/set_security.sh -v

b) Enter the password for the root user (if root login is disabled on another node).

The following output is displayed:

[root@clab635node04 bin]# ./set_security.sh -v
Thu Jul 17 16:52:22 EEST 2014|INFO| Now executing setSecurityVerify() ..
Thu Jul 17 16:52:22 EEST 2014|INFO| TRACING : false
......
Thu Jul 17 16:52:46 EEST 2014|INFO| -------------------
Thu Jul 17 16:52:46 EEST 2014|INFO| verifyhardening Run executed
Thu Jul 17 16:52:46 EEST 2014|INFO| Number of warnings:
Thu Jul 17 16:52:46 EEST 2014|INFO| 0
Thu Jul 17 16:52:46 EEST 2014|INFO| Additional verification hints:
Thu Jul 17 16:52:46 EEST 2014|INFO| 6
Thu Jul 17 16:52:46 EEST 2014|INFO| ---------------------------------------------------------------------
Thu Jul 17 16:52:46 EEST 2014|INFO| Detailed logging information for all nodes in:
Thu Jul 17 16:52:46 EEST 2014|INFO| /var/opt/oss/log/hardening/verifyhardening_details.log
Thu Jul 17 16:52:46 EEST 2014|INFO|
Thu Jul 17 16:52:46 EEST 2014|INFO| Latest short summary in /var/opt/oss/log/hardening/security_run-result.log
Thu Jul 17 16:52:46 EEST 2014|INFO| Complete summary log in /var/opt/oss/log/hardening/verifyhardening_summary.log
Thu Jul 17 16:52:46 EEST 2014|INFO| Return code=0

Expected outcome

The following log files are available for checking under /var/opt/oss/log/hardening:

• verifyhardening_summary.log: detailed verification information per node.

WARNING means that an automated hardening measure of the operating system is not applied.

HINT means that a manual hardening measure of the operating system is not applied.
• security_run-result.log: execution exit status of all set_security.sh runs.
• security_hardening.status: listing of all activated hardening measures for each node.


• security_hardening_history.log: History of all executions of script set_security.sh.
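
For the regular check described above to be scheduled rather than read by eye, the set_security.sh -v
summary has to be reduced to its two decisive values: the warning count and the return code. The shell
functions below are an added example, not part of the NSN-sm_hardening package. They parse a
constructed log written in the format of the sample output shown above (the real run writes its summary
under /var/opt/oss/log/hardening, and the functions take any file path as their argument).

```shell
#!/bin/sh
# Added example (not part of NetAct or set_security.sh): extract the warning
# count and the return code from a "set_security.sh -v" summary so a scheduled
# job can alert when the hardening state of a node changes.

# write_sample_log FILE WARNINGS RC -> constructed summary in the documented
# format; the warning count and return code are parameters for the demo.
write_sample_log() {
    cat > "$1" <<EOF
Thu Jul 17 16:52:46 EEST 2014|INFO| verifyhardening Run executed
Thu Jul 17 16:52:46 EEST 2014|INFO| Number of warnings:
Thu Jul 17 16:52:46 EEST 2014|INFO| $2
Thu Jul 17 16:52:46 EEST 2014|INFO| Additional verification hints:
Thu Jul 17 16:52:46 EEST 2014|INFO| 6
Thu Jul 17 16:52:46 EEST 2014|INFO| Return code=$3
EOF
}

# hardening_warnings FILE -> prints the number on the line following
# "Number of warnings:" (the count is logged on its own line, as shown above).
hardening_warnings() {
    awk -F'|' '/Number of warnings:/ { if (getline > 0) { gsub(/[^0-9]/, "", $3); print $3 }; exit }' "$1"
}

# hardening_rc FILE -> prints the value of the last "Return code=N" line.
hardening_rc() {
    sed -n 's/.*Return code=\([0-9][0-9]*\).*/\1/p' "$1" | tail -n 1
}

# hardening_ok FILE -> exit 0 only when the run returned 0 with zero warnings;
# exit 2 when either value cannot be found (truncated or foreign log).
hardening_ok() {
    w=$(hardening_warnings "$1")
    rc=$(hardening_rc "$1")
    if [ -z "$w" ] || [ -z "$rc" ]; then
        echo "cannot parse hardening summary: $1" >&2
        return 2
    fi
    [ "$w" -eq 0 ] && [ "$rc" -eq 0 ]
}

# Demonstration on a constructed log with two warnings.
demo_log=$(mktemp)
write_sample_log "$demo_log" 2 0
if hardening_ok "$demo_log"; then
    echo "hardening verified: no warnings"
else
    echo "hardening check needs attention: $(hardening_warnings "$demo_log") warning(s), return code $(hardening_rc "$demo_log")"
fi
rm -f "$demo_log"
```

Pointing hardening_ok at the summary file of the latest run gives a single exit status that a cron job
or monitoring agent can act on; the detailed per-node findings stay in verifyhardening_summary.log.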

3. Verify that no illegal process instances are running under the root user on any Unify node for the
selected process types.

Note: This is an optional activity.

a) Execute the following command on the dmgr node:

/opt/oss/NSN-sm_hardening/bin/checkForIllegalRootProcessInstances.sh

b) Enter the current password for the root user when requested.

c) Check the console output for detailed information on illegal process instances under the root user
on all NetAct Unify nodes.

Note: Details are recorded in the corresponding log file. If any illegal process is found, the path to
the log file is printed at the end of the console output.

32.2 Verifying File Access rights

File access rights to user directories and files in NetAct must be restricted. The administrator should
check them regularly.

32.2.1 Checking that user home directories are not world-readable

User home directories should not be world-readable. If a subset of users needs read access to one
another's home directories, grant it by using groups.

Note:

• For the omc user, the current home directory privileges must remain unchanged.
• For other users, verification is needed on one node only (one NetAct node, for example,
dmgr node). For information on NetAct nodes, see Locating the right virtual machine for
a service in Administering NetAct Virtual Infrastructure.

1. Log in as omc user to the NetAct VM where dmgr is running and switch to root user.

To locate the right VM, see Locating the right virtual machine for a service in Administering NetAct
Virtual Infrastructure.

2. For each human user of the system, view the permissions of the user’s home directory by
executing the following command:


find /home/ -maxdepth 1 -mindepth 1 -name "*" -perm /o+x,o+r,o+w

3. If the find command lists any directory or file, execute the following command to repair the
permissions, replacing <USER> with the user name.

Note:

Do not run the following command for the omc user and ftirpftp group users.

Sample command:

# chmod o-rwx /home/<USER>

Sample output:

In this example, a directory (import) is world-readable:

drwxrwxrwx 2 <USER> 10031353 3864 <Date> <time> import

32.2.2 Checking that user dot-files are not group- or world-writable

A user who can modify the configuration files of another user can execute commands with the other
user's privileges, including stealing data, destroying files, or launching further attacks on the system.

Note:

Verification is needed on one node only (one NetAct node, such as the dmgr node). For information on
NetAct nodes, see Locating the right virtual machine for a service in Administering NetAct Virtual
Infrastructure.

1. Log in as omc user to the NetAct VM where dmgr is running and switch to root user.

To locate the right VM, see Locating the right virtual machine for a service in Administering NetAct
Virtual Infrastructure.

2. For each user of the system, view the permissions of all dot-files in the user’s home directory by
executing the following command:

find /home/ -name "\.*" -perm /g+w,o+w

Note: The dot-files are hidden files and directories.

3. Ensure that none of these files and directories are group or world-writable.

Correct each misconfigured file <FILE> by executing the following command. In the command
below, replace <USER> with the user name.

# chmod go-w /home/<USER>/<FILE>


Correct each misconfigured directory <DIRECTORY> by executing the following command:

# chmod go-w /home/<USER>/<DIRECTORY>
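
The two checks in 32.2.1 and 32.2.2 and their chmod repairs lend themselves to one small audit script.
The shell functions below are an added example, not part of NetAct: they run the same find expressions
as the steps above over a constructed home tree in a temporary directory, exclude the omc home
directory as the note in 32.2.1 requires, and apply the documented chmod fixes only to what was flagged.
The exclusion of ftirpftp group members is left to the operator (EXCLUDED_USERS is an assumed variable
of this example, seeded with omc only).

```shell
#!/bin/sh
# Added example (not NetAct code): audit and repair home-directory permissions
# following sections 32.2.1 and 32.2.2 of the manual. EXCLUDED_USERS names the
# home directories that must keep their current privileges; the manual names omc,
# and ftirpftp group members would be appended by the operator (not looked up here).
EXCLUDED_USERS="${EXCLUDED_USERS:-omc}"

# is_excluded NAME -> exit 0 if NAME is listed in EXCLUDED_USERS
is_excluded() {
    for u in $EXCLUDED_USERS; do
        if [ "$1" = "$u" ]; then return 0; fi
    done
    return 1
}

# world_accessible_homes HOMEROOT -> home directories with any "other" permission
# bit set (the find expression of 32.2.1 step 2), minus excluded users
world_accessible_homes() {
    find "$1" -maxdepth 1 -mindepth 1 -perm /o+x,o+r,o+w | while read -r d; do
        if ! is_excluded "$(basename "$d")"; then printf '%s\n' "$d"; fi
    done
}

# writable_dotfiles HOMEROOT -> dot-files and dot-directories inside the home
# directories that are group- or world-writable (32.2.2 step 2)
writable_dotfiles() {
    find "$1" -mindepth 2 -name ".*" -perm /g+w,o+w
}

# fix_home_permissions HOMEROOT -> "chmod o-rwx" on each flagged home directory
fix_home_permissions() {
    world_accessible_homes "$1" | while read -r d; do chmod o-rwx "$d"; done
}

# fix_dotfile_permissions HOMEROOT -> "chmod go-w" on each flagged dot-file or dot-directory
fix_dotfile_permissions() {
    writable_dotfiles "$1" | while read -r f; do chmod go-w "$f"; done
}

# build_sample_homes -> constructed /home-like tree in a temp dir; prints its path
build_sample_homes() {
    root=$(mktemp -d)
    mkdir -p "$root/alice" "$root/bob/.ssh" "$root/omc"
    chmod 755 "$root/alice"                                      # world-readable: flagged
    chmod 700 "$root/bob"                                        # compliant
    chmod 755 "$root/omc"                                        # excluded: left as is
    : > "$root/alice/.bashrc"; chmod 664 "$root/alice/.bashrc"   # group-writable: flagged
    : > "$root/bob/.profile";  chmod 600 "$root/bob/.profile"    # compliant
    chmod 770 "$root/bob/.ssh"                                   # group-writable dir: flagged
    printf '%s\n' "$root"
}

# Demonstration: audit, repair, audit again.
demo_root=$(build_sample_homes)
echo "Flagged before repair:"; world_accessible_homes "$demo_root"; writable_dotfiles "$demo_root"
fix_home_permissions "$demo_root"
fix_dotfile_permissions "$demo_root"
echo "Flagged after repair:"; world_accessible_homes "$demo_root"; writable_dotfiles "$demo_root"
rm -rf "$demo_root"
```

On a NetAct node the functions would be called with /home/ as HOMEROOT; running the two list functions
without the fix functions gives the read-only audit for the regular check.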

32.3 Checking for certificates that are about to expire

32.3.1 Checking for WebSphere certificates

1. Log in to the virtual machine where the dmgr service is running and switch to root user.

To locate the VM where the dmgr service is running, see Locating the right virtual machine for a
service in Administering NetAct Virtual Infrastructure.

2. Check the certificate status by entering:

[root]# /opt/cpf/bin/cpfCertificateManagement_status.pl --checkJ2eeCerts

Expected outcome

Sample output is:

Checking certificates
J2EE:
Certificate 1511864490/cpfcertman in keystore OESClientKeyStore expires
Feb 12 16:37:13 2018 GMT
Subject: /CN=xxxxxxx
Scope: cell: xxxxxxx node: SOL

Note: If no certificate is listed, there is no certificate that is about to expire.

32.3.2 Checking for directory server

The following instructions can be used to validate the user certificates stored in the directory server.

1. Log in to the VM where the dirsrv service is running and switch to root user.


To locate the VM where the dirsrv service is running, see Locating the right virtual machine for a
service in Administering NetAct Virtual Infrastructure.

2. Check the certificate status by entering:

[root]# /opt/cpf/bin/cpfCertificateManagement_status.pl --checkLdapCerts

Expected outcome

Sample output is:

Checking certificates
Directory server:
C=FI, ST=Tampere, L=Pirkanmaa, CN=netact.noklab.net expires in 19 days.
DN: uid=xyz,dc=netact,dc=net

Note: If no certificate is listed, there is no certificate that is about to expire.

32.3.3 Checking for filesystem certificates

1. Log in to any NetAct virtual machine and switch to root user.

2. Check the certificate status by entering:

[root]# /opt/cpf/bin/cpfCertificateManagement_status.pl --checkFilesystemCerts

Expected outcome

Sample output is:

Checking certificates
File system:
Checking filesystem certificates
CN=mf_dummy, C=IN (/d/oss/global/certificate/smx/common_mediations/mf_
dummy.pem) will expire after 88 days

Note: If no certificate is listed, there is no certificate that is about to expire.
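
The three status commands above report each certificate together with how soon it expires. The shell
functions below are an added example, not part of cpfCertificateManagement_status.pl, that perform the
equivalent check for PEM files in a directory with openssl x509 -checkend. The two certificates are
self-signed and generated into a temporary directory solely for the demonstration, and the directory to
scan is passed as an argument rather than assumed to be /d/oss/global/certificate.

```shell
#!/bin/sh
# Added example (not NetAct code): list PEM certificates under a directory that
# expire within a given number of days, the condition reported by the
# cpfCertificateManagement_status.pl sample output above for filesystem certificates.

# cert_expires_within PEMFILE DAYS -> exit 0 if the certificate has expired or
# expires within DAYS days. "openssl x509 -checkend" exits 0 only when the
# certificate outlives the window, so its status is inverted here.
cert_expires_within() {
    ! openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1
}

# cert_subject PEMFILE -> subject line as printed by openssl
cert_subject() {
    openssl x509 -in "$1" -noout -subject
}

# expiring_certs DIR DAYS -> "subject (path)" for every *.pem under DIR that
# expires within DAYS days
expiring_certs() {
    find "$1" -type f -name '*.pem' | while read -r f; do
        if cert_expires_within "$f" "$2"; then
            printf '%s (%s)\n' "$(cert_subject "$f")" "$f"
        fi
    done
}

# make_sample_cert DIR NAME DAYS -> self-signed certificate valid for DAYS days
# (constructed test material for this example, not a NetAct certificate)
make_sample_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1/$2.key" \
        -out "$1/$2.pem" -subj "/CN=$2/C=IN" -days "$3" >/dev/null 2>&1
}

# build_sample_certs -> temp dir holding one long-lived and one soon-expiring
# certificate; prints the directory path
build_sample_certs() {
    d=$(mktemp -d)
    make_sample_cert "$d" long_lived 400
    make_sample_cert "$d" about_to_expire 10
    printf '%s\n' "$d"
}

# Demonstration: report anything expiring within the next 90 days.
demo_dir=$(build_sample_certs)
echo "Certificates expiring within 90 days under $demo_dir:"
expiring_certs "$demo_dir" 90
rm -rf "$demo_dir"
```

Choosing the window is the operational decision: it must exceed the time needed to obtain and install
a replacement certificate plus the interval between two runs of the check, otherwise a certificate can
expire between reports.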


32.4 Checking WebSphere application server (WAS) configuration

WAS hardening is performed by the NetAct installation. The following operations can be used to verify
the WAS hardening state:

• Verifying that dynamic SSL configuration update functionality is disabled.
• Checking the SSL security settings for WebSphere application server.

32.4.1 Verifying that dynamic SSL configuration update functionality is disabled

It is highly recommended to disable the dynamic SSL configuration update that is triggered when SSL
configuration changes occur.

To ensure that the dynamic SSL configuration is disabled:

1. Open the IBM WebSphere Administrative Console, see Accessing WebSphere Application Server
Administrative Console in Administering Java EE.

2. In the WebSphere console page, click Security → SSL Certificate and Key Management and
check if the Dynamically update the run time when SSL configuration changes occur check
box is unchecked (disabled).

3. If the setting is enabled, then uncheck this box.

4. Click Apply.

32.4.2 Checking SSL security settings for WebSphere application server

Use the following steps to list the SSL settings used by WebSphere application server.

1. Log in to the Deployment Manager virtual machine and switch to root user.

To locate the right VM, see Locating the right virtual machine for a service in Administering NetAct
Virtual Infrastructure.

2. Execute the following command:

/opt/cpf/bin/cpfwas_list_ssl__security_settings.sh

32.5 Verifying status of disabling anonymous bind to LDAP

1. Log in as omc user and switch to the root user on the dmgr node.


To locate the correct virtual machine, see Locating the right virtual machine for a service in
Administering NetAct Virtual Infrastructure.

2. To verify if the anonymous LDAP access is disabled, enter:

[root] /opt/oss/NSN-sm_hardening/bin/ConfigureAnonymousLdapBind.sh -accessTest

Expected outcome

Anonymous LDAP bind is currently:'Disabled'

32.6 Verifying status of brute force protection for web services

1. Log in as omc user and switch to the root user on the dmgr node.

To locate the correct virtual machine, see Locating the right virtual machine for a service in
Administering NetAct Virtual Infrastructure.

2. To verify the current brute force protection status, enter:

[root]# sh sm_bruteforce_mgmt.sh -serviceType ws -s

Expected outcome

######################################################################
brute force protection :enabled
service_name host status
----------------------------------------------------------------------
<name> <node> enabled
... ... ...
----------------------------------------------------------------------
policy parameters : default/fromFile
----------------------------------------------------------------------
<parameter_name_1> <value>
... ...
----------------------------------------------------------------------
white-list:
<IP1>,<IP2>,<IP3>...
######################################################################


32.7 Verifying status of brute force detection for Oracle database configuration

1. Log in as omc user and switch to the root user on the dmgr node.

To locate the correct virtual machine, see Locating the right virtual machine for a service in
Administering NetAct Virtual Infrastructure.

2. To verify the current brute force detection status, enter:

[root]# sh sm_bruteforce_mgmt.sh -serviceType db -s

Expected outcome

The brute force detection is activated.
